The problem isn't that it's displaying an important security setting in a way that forces users to notice it. Kudos to Microsoft for finally having the courage to do so. Rather, the problem is that they haven't surfaced a method for expert users to disable the warning.
I think I found that method.
Run `gpedit.msc`. Navigate to:
Computer Policy > Administrative Templates > Windows Components > Bitlocker Drive Encryption > Operating System Drives
Set the following two policies to Disabled:
Allow Secure Boot for integrity validation
Use enhanced Boot Configuration Data validation profile
It's all wrapped up in the same technology platform - SecureBoot and BitLocker work together/are the same thing in some cases during the boot process. There are differences, but I don't want to be pedantic.
As a non-microsoft employee I'd never know that drive encryption and secure boot settings would be the same 'technology' or even under 'bitlocker'. As bitlocker to me is the same as os x filefault or truecrypt.
Why wouldn't you just put bitlocker, anti-virus, secure boot, UAC, ...etc under one menu called 'Comp. Security'.
Because then there'd be hundreds of settings in the same folder. This isn't a user-visible menu or a wizard for configuring security settings, this is something for expert users to really modify how their OS is designed.
Your suggestion is akin to putting every RHEL/SLED/Ubuntu security setting into one flat configuration file. IPSec, Sudo (and gksudo and friends), anti-virus, cryptfs, apparmor / selinux, ufw / iptables, package signing requirements (including repositories to use), etc.
Something like that would never happen even if Red Hat did control all of the pieces of the puzzle. Now contrast Linux versus Windows here: if you want to configure those things you have to discover the tools or file formats for each security layer configuration manually, versus going into "gpedit.msc" and having categorized settings for the whole OS.
BitLocker is basically its own concept[1], separate from something like Filevault or Truecrypt, and it requires Secure Boot to really do what it does.
BitLocker, although it can be used to encrypt external/data volumes, is primarily a technology for encrypting the boot volume and then storing the encryption key in the TPM chip. That encryption key can itself be encrypted using some combination of a passphrase, a biometric signature, and a smart card, which must be presented at startup.
In the TPM chip, along with the boot-volume encryption key, there is stored a manifest of SHA signatures for important OS files (specifically, the kernel and drivers required to bring up policy-based security like ACLs and domain authentication.) This manifest is signed by that same encryption key. Thus, the bootstrap loader, having retrieved the credentials necessary to make use of the TPM, can then verify the manifest with the key, and then use the manifest to verify that the OS it's going to boot into can be trusted, and will continue to protect the security of the files stored on the drive when control is passed to it.
This whole setup basically means that there's no way to get data off a BitLocker+Secure Boot computer without it allowing it (or, in limited cases, doing tricks with sticking RAM chips in liquid nitrogen.) If you didn't have BitLocker, you could just read the data "at rest"; if you didn't have Secure Boot, you could just install a rootkit and grab the data "in motion."
---
[1] Really, I think the only reason the two technologies (BitLocker and Secure Boot) ended up with different names is that they were supposed to be two subfeatures of one initiative -- Microsoft Palladium or http://en.wikipedia.org/wiki/Next-Generation_Secure_Computin... -- but that initiative was shelved (likely due to the huge public backlash), leaving just these few practical remnants behind. (It's pretty obvious that the BitLocker Settings panel was originally the Palladium Settings panel; it's where you go to reset TPM keys et al.)
Then it should be readily available from the Control Panel and not through GPO.
MS hides things in GPO or registry settings when it wants to alleviate the concerns of network administrators while still managing to infuriate the end users who have no business touching 'their' operating system.
> they haven't surfaced a method for expert users to disable the warning
In the most user-hostile move ever, I wanted to disable the "automatic restart in 15 minutes" thing on Windows 8 (Home). It required adding a registry key(!) I hope there's an easier way that I just somehow missed...
It's been changed in Windows 8 to not have that automatic restart as bad. There's also a Group Policy which lets you disable the forced update. It just tells you there's updates that require you to restart.
I believe the Group Policy requires Pro though. And this was Windows 8: a full-screen banner would pop up saying the computer would restart in 15 minutes, with no option to permanently dismiss it.
I can't tell you how many times I've had my system automatically reboot while i was in the middle of working, once during a presentation. There is a "hide this notice" button, but not "Please don't shutdown right now" button.
Really, really, horrible experience.
During the beta phase, they had mentioned that updates wouldn't do that, that they would auto apply the next time you rebooted.
I really think that all they should do is display a message that says, "New security updates have been installed. To ensure your computer is secure, please reboot your computer."
Updates do auto-apply the next time you reboot--provided you do reboot, at some point.
The problem Microsoft is balancing against is people who never ever reboot their computers no matter what--and thus never update, and become infection vectors. They have to force these people to update against their will to ensure the digital equivalent of herd immunity. And it's really quite hard to tell whether the user trying to "permanently" dismiss the "REBOOT NOW GOSH DARNIT" popup really has something urgent they're doing, or is just a "power user" who thinks they know better than the computer.
But then people won't do it. You have to force security update installs. There's really no better way around it. I think you have 2 days after the updates install to before it forces you to reboot. That should be enough time right?
Perhaps a better question is why a reboot is needed in so many circumstances. Windows users have been trained to accept reboots as normal over many, many years. We used to need to reboot after every single application install. Very few OS pieces should actually require a full reboot instead of merely restarting a process or two.
Windows cannot delete/replace files, that are open. That's the cause of most reboots, it will replace them before services or apps that use them start again.
Not that I'm apologizing it's behavior - it was a design decision that Windows team made in the past, when it was deemed not important and worth reduction in complexity. Now just it comes and bites them back.
>Windows cannot delete/replace files, that are open.
Not exactly. Its up to the application which opens files to control whether the file can be modified externally. It can do this in two ways. (1) Open the file in some FILE_SHARE_* mode and let the OS sort it out. (2) use opportunistic locks that will detect external access and then let the app decide how to react - anti-virus programs use this when they are scanning files.
>That's the cause of most reboots, it will replace them before services or apps that use them start again.
Actually the cause for reboots is much more mundane. Files replaced on disks means new programs using those files get the new version, however, processes which are already running keep using the older version in memory and are thus open to being exploited by bugs that are already patched.
On servers, things are a bit different. To prevent downtime you can 'hotpatch' the update and thus avoid the reboot.
Linux doesn't solve the problem either, with the ability to replace open files. It just means you run into potential compatibility issues if you modify a shared lib and then two processes try to perform IPC that might rely on false assumptions (I believe this is exceedingly rare in practice) and to update kernel components, long-lived services you still need to restart them.
You can perform hot updates to a system but it can be complex and there are a number of restrictions on the types of updates that can be done.
I've recently got a laptop with secure boot enabled by default (an Asus Zenbook), and man that was a pain. I wanted to install Linux on a second partition, and it wouldn't let me boot anything from a removable medium until I turned off secure boot.
But of course the option to disable secure boot was grayed out, and it took me some searching on the Internet to find a solution: first you have to go to the key management window, and delete all the keys there. Then you're allowed to turn off secure boot.
If they wanted it to be usable, they'd just offer me an option 'boot once without secure boot' (and ask for the BIOS/EFI administrator password if set).
After this experience, my hypothesis is that the main purpose of "secure boot" is to discourage the user from installing anything non-default (aka Linux).
I routinely wipe all partitions and start fresh when setting up a new laptop. What you describe seems to indicate I would have to boot into Windows initially in order to delete those keys. Is there any other way around that? Can anyone else comment as well?
OK, once again that article seems to just be making stuff up. Its references don't say anything aside from the fact that MS wants OEMs to put Windows on Android phones, which probably just means offering all Android-exclusive devices with an optional Windows version instead.
There are plenty of other security features, that I'd argue are more important than secure boot, which don't result in a watermark being displayed when disabled.
In any case the most likely group of people who will see this message are people who know what they are doing. Off the shelf Windows 8 certified computers will have secure boot as default therefore the message won't be displayed. People who are likely to see this message are:
- Those who manually disabled secure boot
- Those who purchased components individually and built their PC as most individually purchased motherboards come with secure boot in setup mode (disabled).
I'd say people in those two groups are highly likely to know what secure boot is and don't need a reminder about it.
Also, let's say your average user somehow sees this message. They are not going to be able to solve the problem themselves. They've most likely never heard of secure boot let alone know how to enter the BIOS and enable it.
>There are plenty of other security features, that I'd argue are more important than secure boot, which don't result in a watermark being displayed when disabled.
Um.. Okay, Name 5?
>I'd say people in those two groups are highly likely to know what secure boot is and don't need a reminder about it.
>Also, let's say your average user somehow sees this message. They are not going to be able to solve the problem themselves. They've most likely never heard of secure boot let alone know how to enter the BIOS and enable it.
Okay, good, your arguments are valid - BUT - only if your premises is valid. I see - "likely" , "most likely" , "highly likely". How have you established this to be the case?
DEP, UAC, Security related updates not installed, using built in administrator (technically enabling rather than disabling), or even having your anti-virus disabled.
All those help prevent a situation where the boot up sequence is somehow compromised. Whereas secure boot is only reactive - it won't do anything to prevent the malicious software from installing itself in the first place.
Also, no, I have not gone out and done a survey to find out how many people understand secure boot. However, if you just use common sense and apply your experiences with interacting with an average user (might be your parents, co-workers, relatives, friends, etc.) then how likely do you think the majority of average users will have even heard of secure boot? I'd be willing to bet money on the answer to that.
>DEP, UAC, Security related updates not installed, using built in administrator (technically enabling rather than disabling), or even having your anti-virus disabled.
DEP is already on by default, so is UAC. Updates not being installed shows up as a warning on the Win 8 login screen. Next, Win 8 AFAIK creates a non-admin account by default, so if you are logged in as admin, you have jumped through some hoops to create one. And there is some kind of "action center" warning on not having an anti-virus installed.
Remember, secure boot needs to be enabled outside the OS. If the OS could enable it by default, it already would have been enabled. It could be that the user has knowingly disabled it. The OS has no way of knowing the intent of the user, hence the warning. Assuming the worst-case scenario in security matters is nothing new.
>All those help prevent a situation where the boot up sequence is somehow compromised
DEP primarily prevents "fishing" expeditions for remote-attack scenarios where the attacker blows through the stack, writes to some random region in memory and attempt to execute code from there. DEP defaults to pages being either executable or writable but not both. UAC has nothing to do with the bootup sequence, nor has anything else you mentioned.
> Whereas secure boot is only reactive - it won't do anything to prevent the malicious software from installing itself in the first place.
Nothing can prevent an user from running executable code he wants to run. Secureboot implements a method to counter an Admin account compromise. It is not needed if the user is running as a non-admin.
You've missed the point. If they are enabled by default or display a message elsewhere is irrelevant, the fact is they don't display a watermark when the user is using the less secure option. Also I specifically referred to the built-in administrator which is not like a normal administrator account as everything it executes has elevated privileges.
Yes, all of those have nothing to do directly with the boot sequence. But again, that is not the point. They all help prevent the malware from executing or gaining hold in the first place, before it has the chance to compromise the boot sequence. Secure boot does nothing to stop the malware in the first instance, just prevents it from messing with anything at boot. In my view, I'd say that actively defending from the malware is far better than reacting after the event to limit the impact. I'm not saying secure boot is not helpful but rather the current level of notification you get when it is disabled is disproportionate.
All those settings are controlled from inside the OS. The OS can track whether the user has intentionally changed them. Secure boot has to be enabled outside the OS. In which case the OS has no way of knowing whether the user has intentionally disabled it. Assuming the worst-case scenario can be a good thing when it comes to security.
Personally, unless I can get it to work with CentOS, I wont be using Secure Boot since I ship products on Linux. However, I don't think the warning is disproportionate.
The above user's incredulous response probably warranted some downvote or two, but ksk is correct in the spirit of his response. What portion of users ever go to the control panel, let alone desire to view basic information about their computer?
That's a dark pattern itself, hiding important settings in places where users can't see it.
Well, there was nothing incredulous about my response. I found the article devoid of any substance. Its one of those articles that shows up on HN just to spark a few circle-jerks.
And what user that never goes to the control panel is able to enable Secure Boot (firmware menu?!?), and to debug issues like mentioned in the article (VGA card with an option ROM that comes without Microsoft signature) if they follow Microsoft's advice?
And the douchey part is that Microsoft doesn't even acknowledge issues such as the unsigned option ROM thing.
Microsoft used an existing UEFI feature to guard against attacks even when your Admin account is compromised. I consider it to be a good thing. I'd want as many clueless people to enable secure boot as possible.
The parent is referring to the ability to disable the messaging, not the ability to disable secure boot.
The only time the messaging is useful is when someone has unintentionally disabled secure boot. In this case they can go enable it again (or bring it to geek squad, etc).
If the user intentionally disabled it, then the it should be possible to suppress any warning messages about it.
If malicious software somehow disabled it, it can probably also make the registry settings tweaks required to hide the messaging so the user won't know anyway.
OK, so it is UEFI setting. That does not mean that the OS has to bug the user about this permanently. What about providing button "OK, got it, now get dismissed"?
That's interesting. When Intel was developing speech hardware one of the FAEs was given a Ford Thunderbird with speech enabled to 'try out'. When ever you were driving faster than 55[1] it would say about once every 10 seconds "Speed limit exceeded!" The FAE decided that maybe speech wasn't everything it was cracked up to be :-).
In this case there is a valid use case for not having secure boot enabled, but I can see where Microsoft might not recognize any of them as the 'general case.' Another step in the process of appliancizing computers into application platforms.
[1] At the time federal law stated that no speed limit could be higher than 55 MPH so exceeding 55 was by definition 'speeding' anywhere in the US.
On my Lenovo laptop, I have Windows 8.1 dual-booting with Arch Linux, and I don't see this message. Pretty sure I have secure boot (UEFI) disabled in my BIOS.
"the same method of displaying a watermark is also done if you are not running a genuine copy of Windows"
Maybe that's because a prominent reason to disable secure boot is to use Windows Loader to pirate Windows. Of course, there may be an updated version soon that tricks Windows into thinking it booted securely.
Except no - the amount of MS Whining about piracy is disproportionate about the real situation - the majority of laptops that a person can buy already come with some form of windows license. To the point that it is actually hard to buy a PC without windows. Sadly the self assembled laptop was never a thing.
Microsoft's products have long had broken security models close to their core, mostly owing to the fact that they pre-date the net and were originally not multi-user.
Instead of fixing this -- and to maintain backward compatibility -- they've always applied security models further up the tree, closer to the apps and the user. As a result MS has more and more complex security controls but is less secure. This complexity and security bloat results from trying to patch a boat that's full of holes in its fundamental design.
Secure boot is needed for the same reason lots of other controls are needed-- to make it harder to permanently screw the system once you've gotten malware onto it. This is so important because it is historically so easy to get malware onto Windows.
Everything. I mean literally everything. Every single sentence.
First of all.. calling NT 'not multi-user' is laughable. Anyone who knows anything about OS design knows that NT was designed from the ground up to be muti-user - with an extremely well thought out token/object security model that was hands down superior to any other general purpose mainstream OS at the time.
Secondly secureboot is not an active security model. It is a one-time validation of a chained-loading sequence from the uefi/bios to the OS kernel. It has nothing to do with "patching holes" in NT. NT is already a highly secure operating system. Infact, there have only been a very small amount of kernel vulnerabilities ever found in NT compared to most other widely used OSs.
Secure boot is also nothing new. They have been using something similar on the xbox 360 for years. In any case, Secure Boot is an OS agnostic general security 'best practice'. Many Linux distributions are also adopting it.
I wouldn't call NT security model hands down superior to any other general purpose mainstream OS at the time. Much more complex and fine-grained, yes. However, it is the same complexity that is killing it. Nobody has the time to learn it properly and secure the system appropriately.
So in the end, worse is better, because it is usable in practice by people with deadlines.
Similarly, in the Linux world, SELinux provides much better security. But then again, very few people know how it works and how to configure it, so even when it is enabled, it relies on policies supplied by OS vendor.
I don't agree with your comparison. NT's security model does not have to be exposed to every single end-user for it to be useful. For e.g. things like taking a process token and stripping its rights to adding a layer of security to the processes is much superior to a chroot type hack. Modern UNIXs have added apparmor, but then again I was comparing NT with the OS landscape in the early 90s. Also file system ACLs is another place where NT was superior. There was nothing comparable elsewhere at the time.
The problem is you're comparing two unequal things and calling it even. Linux clearly has had to deal with several challenges in improving its design due to its UNIX heritage (time-sharing OS, synchronous I/O, blocking syscalls, etc), while NT did not because it was a fresh design.
Frankly this type of discussion is more suited for a comparative analysis type paper than the comments section. Also, FWIW - I don't claim any special expertise or knowledge on OS design, its simply a topic of general interest of mine.
This kind of what's-a-good-word-for-it behavior is what makes me wish upon a star that microsoft would slide into irrelevance already and leave the software industry alone.
I think the point he is trying to make is that MS falling into irrelevancy correlates with something else replacing their products, thus, the alternatives in this scenario are better.
It's a nice thought, and not en entirely pointless one. The more population that migrates to alternatives, the better those alternatives become. Of course it's not linear, but right now it's all likely positive gains.
The author seems busy trying to put out small fires, instead of focusing on what's really burning: Windows. There is, for most people, very little reason to stay on Windows.
In todays world of wonderfully powerful machine, a WindowsXP or Windows7 installation in a seamless Virtualbox machine will solve most Windows-related problems: proprietary apps at work, a photobook creation Windows app or maybe an old game or so. For everything else there's at least one Linux distribution that works.
I install Mint 15 Mate for my retirees and with it they can surf, bank, write e-mail and word process. After installing it I never hear about viruses, trojans or weird popups telling them that something is out of date.
Now if only younger people would have the courage to try something other than Windows for once. Unfortunately you're going to be playin the latest Call of Duty or Madden 2047, but them's the breaks.
Have your retirees tried installing something them selves?
I, today, had a very quick look at installing Libre Office on a Fedora VM. Windows: download exe file, double click, it installs. Now go look up the instruction for Linux. So absurdly, hilariously complicated. I thought of Linux fanbois, and began to laugh, then cry. Right there is one reason Linux has a long, long way to go.
Yeah, fine for geeks and great for running server services, as I have been doing for decades, but as a general desk top for normal human beings? No way. Not even slightly. Sure Windows has its issues, but you know what? It works.
But, I'll give your Mint a go. See if that is as easy as Windows. You never know....
The biggest problem I have is what to do when a newer version of something comes out. Sure I run 3rd party repos for things like Node.js... but getting Postgres 9.2 on Ubuntu is an exercise I can't imagine a normal GIS person undertaking. Sure a developer or sysadmin would dive right in. But on Windows, it's download exe and run. Mac it's download DMG and double click. For linux it's "hope they have the release I want to use in their packaging system".
I don't use Postgres, but on their website they tell you that 9.2 is the default on Ubuntu, and how to downoad other versions. Trolling? Or is there a real issue here?
It's hard to argue that secure boot, on which your machine comes with keys installed by Microsoft (I don't trust them) and requires the user to know how to a: install another set of keys to run Ubuntu (or b: disable the feature entirely and forsake bootloader signing)... should be blessed
... but that users installing a piece of software as complex as a database server, on a system where packages are cryptographically signed, can't be arsed to follow the instructions on this page provided by the vendor, that was the first search result on Google, to install the vendor key and to download vendor packages from the vendor's own PPA repos.
Now try latest PostgreSQL with latest PostGIS, especially when a new release is out, but the Windows binary is still missing. Building PostGIS for Windows is not for the faint of heart.
Isn't LibreOffice in Fedoras' repository? It should be GUI-clickable to install it. (In Ubuntu, it is. I would be very surprised, if Fedora didn't have something similar.)
Young people are trying something other than Windows. It goes by the name OSX.
For most people, there is also very little reason to make the effort of switching from Windows (or OSX - whichever they're on) to a Linux distro. Do you also think regular people would understand the concept of a VM well?
I think you're getting a little ahead of yourself.
Anecdotal evidence but yes - whomever I have shown cool things with virualization likes them a lot and has no problem with the whole windows inside windows thing.
I think I found that method.
Run `gpedit.msc`. Navigate to:
Set the following two policies to Disabled: Should disappear the watermark.