Why The Windows Secure Boot Hack Is a Good Thing

If you even casually follow security news, you’re aware that the key governing Microsoft Secure Boot has been found, exploited, and Secure Boot as a “feature” has been rendered meaningless. I’m here to tell you that this is a good thing. Also read: GTX 1070 Ethereum Mining Review Most coverage of the subject has been […]
If you even casually follow security news, you’re aware that the key governing Microsoft Secure Boot has been found, exploited, and Secure Boot as a “feature” has been rendered meaningless. I’m here to tell you that this is a good thing. Also read: GTX 1070 Ethereum Mining Review Most coverage of the subject has been […]

If you even casually follow security news, you’re aware that the key governing Microsoft Secure Boot has been found, exploited, and Secure Boot as a “feature” has been rendered meaningless. I’m here to tell you that this is a good thing.

Also read: GTX 1070 Ethereum Mining Review

Most coverage of the subject has been written in that panicky, alarmist prose that makes for exciting news, but the problem is that the invalidation of Secure Boot is a very positive development for everyone concerned, except for Microsoft. Yes, it shows why backdoors for “the good guys” are a terrible idea — yes, it even has far-reaching implications for every piece of computing technology using the UEFI standard. However, I maintain that it will have a positive influence on the direction of security and tech standards moving forward.

Secure Boot Was Never About Security

Secure Boot
ROL, The Group that found the hack

You read that correctly.

Never you mind that “secure” is right there in the title: Secure Boot is hardly a security feature in the traditional sense. It was conceived as an anti-competitive measure that locks down devices running Microsoft Windows, adding an additional level of complexity to installing open source software on x86 devices.

There are several other ways Microsoft could have achieved functionally similar security for devices running their software, like a sane permission system, or implementing device-wide encryption. It isn’t a coincidence they chose a methodology that wrests ownership away from their users and keeps FLOSS out of their previously-open platform. They gave an ultimatum to manufacturers of UEFI capable hardware when the standard was still being ironed out: Want Windows on your hardware? Ship it with Secure Boot.

In fact, before the leak, many phones and tablets did not come with the option to disable Microsoft’s monopolistic earmark to the UEFI standard, meaning the owners of the hardware had no real control over their device’s software or security.

Sure, Secure Boot made it (very temporarily as we’ve found out) harder to write rootkits and boot sector malware for the Windows platform, but at the price of locking up hardware tighter than Apple does on their worst day. The only entity this methodology really serves is Microsoft, as they transfer their business model to “Everything-as-a-Service.”

Speaking of which:

Microsoft Will be Forced to Dial Back Their Recent Bad Business

The beauty of the Secure Boot Key leak is that it’s incredibly difficult for Microsoft to rectify. The feature integrates itself to a very low-level system that interfaces directly with hardware, outside of the influence of the OS. In fact, Secure Boot is in the one place Microsoft can’t force you to update. Even if they do release a revised key management subsystem, the vast majority of people do not voluntarily flash their BIOS if they don’t have to.

I see this playing out one of two ways: Microsoft just ignores the problem until the next wave of malware starts to hit their user base, or they implement security measures that every other OS has been using for decades. The two are not mutually exclusive. Either way, they’re going to have to do some serious restructuring to fix this problem, and Secure Boot will serve as an excellent example of why centralized trust models run counter to good Security.

In the meantime:

Hackers Tend to Be More Curious Than Malicious

Secure BootThere are already people executing arbitrary code on Secure Boot-enabled systems, so there’s no doubt that this flaw will be exploited. However, I expect just as much good to come from it as bad.

Want to run Sailfish OS on that old Nokia Windows Phone? Before the breach, this wasn’t even a possibility. Want to breathe new life into that old surface tablet with Remix OS or Linux? Go for it.

Sure, there will be new malware all over the place, but no one ever accused Windows of adhering to best practices in the first place, and it’ll keep security software vendors in the black more than it’ll harm Windows users.

I have explicitly disabled Secure Boot on every system I have owned since its inception, and as a BSD and open source software enthusiast, I can’t help but have a schadenfreude-fueled chuckle at the situation Microsoft has put itself in. It’s clear that from the perspective of a consumer, it’s a good thing — at least more than it is bad. Heck, maybe it’ll get dropped entirely in future revisions of UEFI. Either way, Optimism is the best view to take on it, unless you happen to be employed at a certain Redmond-based software giant.

Questions about Secure Boot? Be Sure to Leave Them In the Comments!


Images Courtesy of Microsoft, Ring of Lightning.