Security features introduced in Windows Vista will make setting up PCs to boot in either Linux or Windows far more difficult, according to security guru Bruce Schneier. Vista is due to feature hardware-based encryption, called BitLocker Drive Encryption, which acts as a repository to protect sensitive data in the event of a PC being either lost or stolen. This encryption technology also has the effect of frustrating the exchange of data needed in a dual boot system.
that these drive/memory encryption technologies are also getting a big push from the music and movie industries. This is not about protecting your content from theft, but protecting industry content from you, the pirate *cough* valued consumer. In fact, some of the on-drive encryption systems in development are being done specifically to protect content. The benefit for you the consumer for securing your own data, is completely secondary. I for one don’t like the direction that this is headed.
ahhh yet another reason for WinXP to have been the last MSFT product I ever purchased and be 100% Linux.
and this is a feature?
No, it’s a bug
NTFS drive encryption does the same thing. Just turn it off on a dual-boot machine.
Does hardware mean anything to you ?
Does optional to you? Just because it’s implemented in hardware doesn’t mean you have to enable it – it just means that encrypted data will be difficult to decrypt, though no more difficult than that encrypted by software using the same algorithm. Hardware usually just means faster. But if you don’t enable the encryption, the data never gets encrypted in the first place, no problem.
I wouldn’t say ‘no problem’. You’re placing a religious level of faith in a Redmond product. What of maintenance? What of a rootkit that tweaks that supposedly-sealed hardware encryption?
IT is best when it resembles a chess game more than a poker match. When it’s poker, you become the pokee.
You can probably turn it off, so who cares. Apple has FileVault which does the same, and I’ve never heard a single complaint about it.
Double standards, as usual. It’s so hypocrit.
Double standards from whom? The article you linked to, or the posters? Double standards between what and what?
Thom, you should be careful not to sound too aggressive in your replies. Maybe it’s the language barrier, but as an editor you should still display a certain amount of decorum.
That said, it’s quite normal to have double standards towards Microsoft. Being a monopoly, they are already subjected to different laws and standards. If the IT industry was a level playing field, then double standards would be bad, but as it is, they’re perfectly acceptable.
Edited 2006-04-27 21:57
Good call.
And aside from YellowDog Linux, NetBSD, and a very old BeOS, what few other OS’s even bother with PowerPC Apples?
Apple has always been an exception (maybe not now with the IntelMacs). So few Apple users dual-boot (until the recent bootcamp, at least) that sharing partitions wasn’t much of an issue.
The PC, on the other hand, by it’s very nature – is generally built on open standards that promote interoperability. Until the recent Intel/Microsoft fiascos involving harware-based platform checking, PCs were meant to be multi-bootable. There’s many different bootloaders, hard disk partitioning up-the-whazoo, and lots of little details that IBM built into the original PC design that make it ideal for many OSes. Apple, on the other hand, doesn’t want ANY competition on their hardware (until bootcamp, of course) – and this is mostly the result of constant nagging for Windows compatability, not PC compatability.
FileVault is not enabled by default
and it could be agued that the Mac is not suposed to be “Open hardware” like PC clones are when one buys a Mac one has to play apple’s way
How does this frustrate dual boot? The current implementation of mounting NTFS from Linux frustrates that already by corrupting data on the NTFS partition, making your Windows side unusable anyway. The safest way to dual boot is to not mount Windows partitions anyway.
I know where you should go today. Go educate yourself. There are people who dual/triple/… boot and still manage to use the data on other partitions, including ntfs. Writing is still picky and better not touched, I admit, still, there’s absolutely no peril in using it to read and use the data on it. I have at least as much data on ntfs as on reiser and xfs, no problems whatsoever, it’s just handy to have a partition which every os can handle for data transfer (i.e. fat32 or ext2).
Saying that “making your Windows side unusable anyway” is something that can fairly easily scare off quite a number of people.
Even if there’s some truth in what you say, you should state your opinion by telling the whole truth not just the parts that fit you well, like most bad politicians do. Truth can be harder to bend when people are listening.
“Saying that “making your Windows side unusable anyway” is something that can fairly easily scare off quite a number of people.”
Agreed, and maybe I should have put more detail into it. I triple boot myself, so I am educated on that. You are correct in there is no peril with reading your NTFS partitions. The problem I mentioned exists however as using Fedora Core 5 automatically mounts your NTFS RW, with no way to change it until AFTER the installation is complete and the damage is done, and alters permissions settings on windows files. That is what I was referring to. I don’t bend the truth, I state what I can reproduce and is known to me to be the truth. In actuality people should be scared of it, as they need to know what CAN happen if they are not careful.
I understand what you were getting at DrillSgt. dunno why others were confused about it. oh well.
Bitlocker-type technologies have been around for a long time, and they will continue to evolve. I fail to see how this really affects dual-boot systems in such an adverse way though. If you need absolute security, it’s unlikely that you’re going to be dual-booting. In the event that you need to use multiple operating systems with lots of security, you’re much more likely to be using virtualization and/or emulation to access the second OS. Too few people know enough to adequately lock down multiple host operating systems with satisfactory security results.
Those who want to use Linux with Windows in a dual-boot environment are generally better off using a file system that wasn’t created by Microsoft anyway. Ext2/3 can easily be accessed by both Linux and Windows by adding a driver to Windows, and it’s much better than FAT while giving reliable write access to both systems unlike NTFS on Linux.
It’s OP-TIO-NAL!
Ok, there will be no temptation to come back to Windows:)
My thought exactly, If Microsoft ever tries to force me to choose they’d better be ready to loose me altogether.
This could be optional as some have said, I haven’t read the article, if it is the only place I really see this being used is on single-boot laptops.
Just use seagate full drive encryption on hardware without the OS knowing about it.
On this web site was an article saying a patent for FAT filesystem was in limbo. I removed FAT support from LoseThos as a result. Why does Linux get away with it? Do they have a license? I checked for licensing FAT with Microsoft and discovered they charge $0.26 just to format a Flash memory stick.
LoseThos has it’s own filesystem and files are compressed, but not encrypted. I used to have encryption but decided if you don’t make efforts in the entire operating system to support security, it’s pointless and deceptive. For a secure system, for example, you need to wipe memory of stuff all over the place in case it might be secret, etc.
On this web site was an article saying a patent for FAT filesystem was in limbo. I removed FAT support from LoseThos as a result. Why does Linux get away with it?
Off-topic, but so be it: Linux gets away with it because the patent is still uncertain (rules been overturned 3 times now?) and Microsoft isn’t actively persecuting anyone over it. I would like to see them try, but MS wouldn’t want the PR nightmare anyway.
There have always been incompatibilities between multi booting and drive encryption – it is by design with all products! Look at what Control Break offer with SafeBoot (and others, including PointSec), it’s exactly the same technology… hard disc encryption done below the OS, at the lowest layer where providing a driver interface is possible.
This is not Microsoft Evil, this is just the solution as it is implemented today by 3rd party vendors.
We have 110,000 laptops and desktops already running disk encryption courtesy of SafeBoot. Being able to run that sort of low level data protection with the added bonus of Group Policy control and true OS integration etc will be a *positive* thing with Vista.
Edited 2006-04-27 22:36
“the current implementation of mounting NTFS from Linux frustrates that already by corrupting data on the NTFS partition”
What complete and utter cr*p, i do it all the time and I never have any corruption
As I said in another reply, it happens when you enable RW, which for some distros is automatic. It is not utter crap as it can be replicated consistently. Reading only is not a problem though. I just was not clear in my post, so for that I will take the beating.
You should try the “Edit” button now and again
Most distros mount an ntfs partition read-only. This is perfectly safe. If you want read/write, you need ntfsmount:
http://wiki.linux-ntfs.org/doku.php?id=ntfsmount
It’s also safe, though it doesn’t full write access of every file. The article explains it pretty well.
Ever hear of owning two computers? One for linux testing, the other for Windows? There’s this great invention called the KVM switch. Google it!
“You can probably turn it off, so who cares.”
If noone cares why does it warrant being a news item?
“Apple has FileVault which does the same, and I’ve never heard a single complaint about it.”
The keyword here is “hardware”. Also, FileVault only encrypts your home folder.
From the Bitlocker overview:
“During the boot process, the key that unlocks the encrypted partition is released from the TPM.
The key is only released after operating system integrity has been established. This assures that no offline system tampering or attempts to boot another operating system have taken place.”
Interesting, to say the least.
http://www.microsoft.com/technet/windowsvista/library/help/b7931dd8…
Well, see it in the countewise direction.
I could also say that plain Windows cannot mount nearly any of fs supported by Linux (with most notable exceptions of FAT and FAT32), but that doesn’t prevent me to use Windows and Linux on the same machine.
Switch the world “Windows” and “Linux” and you have the article.
Is system A requires (or give as option, or would run better with…) fsA and system B requires (or…) fsB, I’ll plainly install A on fsA, B on fsB and go for a third filesystem fsC for the data.
BTW even using a single system it would be a very lame thing to do having a single partition for system, temp files and data (for plenty reasons), and since we are talking of multibooting, unless we are not talking of booting a live eval from CD, we should give credit to the user to be capable to repartitioning the disk(s).
I respect Schneier but I think this thing of BitLocker was a bit too much overstimated (or inflated by The Register?), a storm in a glass.
Interesting comments from Schneier, who is supposed to be a security expert.
I really hope those comments are only taken out of context and that he’s not as stupid as these comments make him sound.
“Interesting comments from Schneier, who is supposed to be a security expert.”
Schneier *is* a security expert and is one of the greatest contemporary cryptographer, maybe the greatest living cryptographer (and personally I strongly prefer his Twofish design over Rijndael and Serpent, however even if AES commission tought different Blowfish and Twofish works are enough for me to say he is a genious in this field).
However I don’t see a mayor risk in BitLocker for multibooting, people who multiboot are accustomed to vendor and patent lockin (i.e. MS will not allow Windows to mount *x traditional filesystem nor disclose enough of NTFS to allow the contrary) and there are several reasons because all those things cannot and may not stop the users from multibooting.
And even in the worst imaginable scenario the user could boot from an external storage like a firewire or usb disk or even (on a desktop PC) form a traditional disk using a disk switching box. This second physical unit may come with installed Linux, BSD, Darwin, Zeta, etc… AFAIK some vendors indeed sell bootable usbdisk with preinstalled Linux, would be reasonable to think the whole IT industry will agree to disallow any booting device different from first disk, first partition (and this, with Vista hardcored on it)?
And moreover whith computing paradigm that is shifting toward virtualization (not needing access to actual hardware) a locked drive is less than an issue: if Vista can access the hardware, then the virtual machines running on it will access the hardware too trough virtualization, unless MS decide to frustrate Intel and AMD efforts toward bringing virtualization to desktop (worthy idea for plenty reasons) making Vista one of the few system not capable to support any third part virtualization software, that seem quite not probable to me.
Edited 2006-04-28 10:15
Schneier’s “You could look at BitLocker as anti-Linux because it frustrates dual boot” is what I have issues with and like I wrote in my first post, I hope that’s just taken out of context.
MS will not allow Windows to mount *x traditional filesystem
Really? I saw no such clause in the license to the file system sdk for Windows.
You’re right.
http://digg.com/linux_unix/Windows_Ext2_3_Filesystem_Driver
There are others out there too. I love when people talk about things they have no idea about
“You’re right.
http://digg.com/linux_unix/Windows_Ext2_3_Filesystem_Driver ”
It’s not written from MS, it’s not supported from MS, it’s not bundled by MS into Windows, the implementation you linked lacks access rights (a major flaw), well, I must agree:
“I love when people talk about things they have no idea about
”
What I was saying is that multibooters aren’t new to vendors (expecially MS) tecniques to make their lives hard, in this case MS doesn’t provide nor gives support to means to work with Ext*, Reiser, JFS, XFS, etc… partitions.
I never said that doesn’t exist and cannot exist means to do that, however those tools are written by third part developers and not supported or financed by MS, nor included on Windows distribution.
That means that MS really doesn’t care if someone has hard life in working in dual boot with Windows and Linux (otherwise will develope those tools, or finance those developers, or offer support that tird part developers cannot afford, or include those free package in Windows as an optional utility, or…).
Indeed MS cares that things are as hard as they can, using dubious patent claims (in the case of FAT) to cast doubt on the future of the support of open source community to it, or doesn’t disclose enough (on NTFS) to slow the development of an appropriate tool.
It’s very different from the situation in *x world, were tools for working with a lot of fs (even MS’s ones) exist and are actively supported by the community and usually come installed on the system (or easily selectable in the installation stage) so the Average Joe could “just” use them.
That’s my point of view, multibooters are accustomed to some vendors (expecially MS) that likes to make things harder for them, this new thing is not different from previous MS politics, was not unexpected and definitely is not a big hit for MS agains multibooters (as I said, there is virtualization gaining importance, there are usb and fw bootable devices, even actually sold with Linux preinstalled, there are HD excanging boxes etc).
What I think is that the worlds of Schenier, that are right, were a bit inflated in the public fantasy and become a storm in a glass.
Edited 2006-04-28 16:06
But they provide the SDK neccesary to write an interface to another file system. Do you really expect *them* to write drivers for ext3/etc? People would just bitch about “embrace, extend, extinguish”.
I think what they offer is the best way.
With Linux, it’s a community thing, so there are technically no “third party developers”. So you can’t really compare the two.
And by the way, in regards to:
“I never said that doesn’t exist and cannot exist means to do that,”
you said:
“ MS will not allow Windows to mount *x traditional filesystem”
Which was proven wrong.
Edited 2006-04-28 19:58
“And by the way, in regards to:
“I never said that doesn’t exist and cannot exist means to do that,”
you said:
” MS will not allow Windows to mount *x traditional filesystem”
Which was proven wrong.”
Ok, now I got what are you saying and I must admit my thoughts were poorly written.
Whith “not allow” I would liked to stress the difference between Windows vendor and Linux vendors (community and vendors, that are corporate beings as well as MS, imho), while Linux vendors support that kind of tools (writing, distributing, embedding into the distros etc) MS doesn’t support those kind of interactivity but rather try to boycott it as they can: legal issues on FAT, non disclosures about NTFS, they doesn’t write nor distribute those drivers etc… read the “not allow” as the “don’t want and try to do everything they can to avoid it” (I bet you guessed that I’m not an English native speaker before now…)
Probably (I would say certainly) they had to provide the SDK neccesary to write an interface to those fs and will always need to do so because of corporate users (and all we know how MS struggled to enter those high marginal profit market in last 10 years!), so I don’t see anything strange that they will do everithing they can do, without risking to loose corporate market users, to continue the “embrace, extend, extinguish” strategy.
You’re not talking about the same thing here. You’re talking about FAT and NTFS in this post.
But it’s about writing drivers for OTHER file systems on Windows and MS DOES support that.
belongs on the controller, use your smartcard reader on your laptop along with Seagate FULL DISK ENCRYPTION 2.5″ drives, software sector crypto performs up tp 40% less. Why bother with this software crap? You can always use CompuSec’s http://www.ce-infosys.com.sg/CeiNews_FREECompuSec.asp for FREE is you really want a badly performing system. Its better to just bey a seagate FDE.
>> Overexposure to messages will lead many consumers to ignore them and blindly agree to what applications are seeking to do, he added.
That like six months ago? Hell, it’s how people react to ActiveX now!