What to do about UEFI?

Woke up in a minor panic this morning.

If I don't tell the world about the inherent vulnerabilities in UEFI, the world will fall apart!

Yeah, I have these attacks, sometimes -- the "clarity" of the dreaming mind. I suppose I should post a rant about that clarity sometime. But I have three posts in suspended animation, and I really have two other, paying, jobs that I should be putting first, especially if I'm going to be working on Sunday.

(I'll pretend this is service instead of work. ;-) (erk. No, that's not really a valid defense, either. If I'm wrong here, I'm wrong.)

After the morning chores, I still feel inclined to post this, so I'll post the short version here, and (probably after I finish a translation job I've been letting slide too long) unpack it later on my defining computers blog.

So, some primary inherent vulnerabilities in UEFI, at least, as Microsoft is pushing it for MSW8:

• Microsoft owns the keys to your computer (including MSWindows "smart phones").

Think about that. Would you be comfortable with GM owning the keys to your car? I'm going to leave a lot of questions begging on that one, because that question should be enough to get you thinking.

• You cannot re-tool the keys to your computer without breaking the "license" Microsoft issues for your computer running their OS, starting from MSWindows 8.

So, if you decide you don't want Microsoft to own your computer, and install your own keys in precedence over Microsoft keys, you cannot legally run MSWindows 8 OS stuff. On ARM processors, you aren't even supposed to be physically able to re-tool the keys at all. Maybe you think you don't mind now, but if you ever change your mind, you can't to anything about it without "breaking the law". (See DMCA for how bad that is in the US.)

•  Microsoft's master key works on everyone's computer, as I understand it.

So, let's use the automotive analogy again: GM would have the master key to your car. And it would be the same key for every car made by GM. (Not a perfect analogy, but when you get into the details, it's close enough.) Are you comfortable with the idea that anyone who can duplicate or reverse-engineer that master key could now drive away with your car?

More to the point, are you comfortable with the fact that someone could duplicate or reverse-engineer the Microsoft key and, without any notice to you, put a trojan horse, password logger, and all sorts of other evil stuff on your computer. Your bank information, your job information, your private letters, whatever -- all easy pickings.

• The manufacturers all have master keys, and, as far as I know, those keys are the same for all the computers they manufacture.

So, not just Microsoft, but (for example) DELL also has a master key for your DELL manufactured PC or computer device. It's not the same as the one Microsoft has, but it is a master key, and, as far as I know, there is only one key for all the computers DELL makes. At any rate, it's not one key per computer. Likewise, Lenovo, etc.

• You are out of the loop. No master key for you. Microsoft and your manufacturer have their own master keys and those take precedence over any master key you can set -- at least any you can set without breaking Microsoft's contracts. And, in the case of ARM-based portable MSWindows devices, any you can set without reverse engineering, which would also put you in breach of the DMCA law in the US.

Fundamentally flawed. Fatally so. What else do you expect from Microsoft and Intel?

Note, that, while Microsoft's and Intel's power games kill your security and create other problems, they also make it much more difficult to run community-developed OSses like Ubuntu or RedHat Enterprise. And they may may make it impossible to legally run them on the same machine you run MSWindows junk on.

Of course, you really have no reason to run MSW8, because all the stuff that keeps you in the MSWindows universe runs on MSW2k, but not on MSW8. Which leads to the proper solution:

1. Keep your old machines that you have to run the legacy stuff on.
2. Keep them off the network, or in isolated segments.
3. Don't let anyone use those old machines as workstations.
4. In fact, don't let anyone touch them, except to use the legacy programs.
5. Move all your day-to-day-use workstations to RedHat, Cent, Ubuntu, Mint, FreeBSD, openBSD, etc., now.
6. Don't buy MSW8. 
7. Don't buy any software or hardware that is dependent on MSWindows 8.

That solves the Microsoft problem, although it doesn't solve the Intel problem.

Nor does it solve the problem of write-protecting your BIOS in a meaningful way.

But it lets you keep operating for now.

There is much more to be said on this, hopefully I'll get a chance to do so before summer ends.