The Register gleaned some details about Windows 10 Device Guard at RSA but there is still a lot we do not know about it. It is an optional service that can be enabled by an administrator and it checks every application launched to see if it has been signed by Microsoft as a trusted binary before letting it run. While certainly good for security it may cause some issues for developers who have not gone through the vetting process to have your app approved for the Microsoft Store. Device Guard is also separated from the WinX kernel, if your machine does become infected, Device Guard will still not allow unsigned apps to run. You will need hardware which supports input/output memory management unit (IOMMU) to use Device Guard, thankfully that technology is present on most current PC hardware, though not so prevalent on the mobile front.
"The details are a little vague – more information will emerge at the Build event next week – but from what we can tell, Device Guard wraps an extra layer of defense around the operating system to prevent malware from permanently compromising a PC."
Here is some more Tech News from around the web:
- Ubuntu 15.04 Released, First Version To Feature systemd @ Slashdot
- Intel to help vendors launch inexpensive tablets, say Taiwan makers @ DigiTimes
- iTunes goes to borksville for Windows XP holdouts @ The Inquirer
- Apple throws out iOS apps that declare Pebble smartwatch support @ The Inquirer
- Microsoft profits decimated: And it's YOUR FAULT for not buying PCs @ The Register
Device guard, because we
Device guard, because we would not want just any code running in the walled garden, be it malevolent or competing. Just more Sandbox(walls) wrapping around your hardware to keep the bad guys(competition) outside and the software lock-in IN. And You though that you owned your PC/laptop hardware, how very last year, now that M$ controls the horizontal(decades now) software ecosystem, and soon it will control the vertical software ecosystem. You can have any application you desire, as long as it come through M$’s hands, and that’s what is called free choice in the halls of Redmond. Please sit back and enjoy your servitude.
Edit: You though
To: You
Edit: You though
To: You thought
I totally get where you are
I totally get where you are coming from, people like us, people who go to sites like this want our systems as open and close to the metal as possible, we want all the freedom to do whatever we want, but recently I had a big eye opening. In a short amount of time I used, not fixed but used several computers belonging to several non-savvy pc users. Simply said, I have no hope in the average consumers ability to protect them selves, their computers or their personal information. I now want them all on locked systems, ChromeOS all the way, no options, no choices, no. I have a cousin who payed 2 bitcoin in a encryption-scam to get back his collection of not backed up pirated videos, and the key didn;t work, and he hasn’t formated or cleaned or even deleted, just keep watching porn and bitching how slow boot is. My mother has 18 (most malicious) browsers installed (no exageration) because it took that many to “Find a search I like.” My Sisters laptop has so much extra crap installed that the processor is at 100% almost all the time, so the exaust and fan are like a hair dryer. Her soloution? only use it on a metal table so “There’s no fire risk” I have a friend who, no matter how much I told him, bought a $2400 alienware laptop for video streaming, and now he tells everyone “Alienware sucks, the fuckin batery doesnt even last 1 hour, piece of shit, scamer garbage!”
I don’t want to be locked down, You dont wana be locked down, they can not be trusted with their own security. The wolves are smart, and most people want their internet to be like their couch. It’s there, it works, dont think about it. If M$ can make them safe, it’s kinda better for everyone, no?
Look You are not the one to
Look You are not the one to be commenting, this has nothing to do with security and everything to do with the locking down of third party hardware to a M$ closed ecosystem. If the Keys for the code, for this and UEFI secure boot, were being issued through a third party independent authority, then I would be more trusting, But allowing M$ control over the key issuing for the UEFI secure boot, and now this “Device guard” then it’s not very hard to imagine M$’s real goal.
M$ is free to brand and sale laptops, and PCs and to do whatever with its branded hardware, BUT on third party hardware the Key signing authority needs to be placed in in independent issuing authority’s hands. If the PC, and laptop industry needs a type ONE hypervisor running in its own secure memory space as a secure code verification for the hosted OS then the whole VM system needs to be open sourced based for the hypervisor, and not a hypervisor from closed source M$ code.
Under no circumstances should M$ be allowed to retain the key signing authority over the UEFI secure boot system, or this newer system security layer, and OEMs need to be required to make the secure boot always able to be turned off, and unsigned OSs/code run on any third party PC/Laptop hardware as a user/owner’s option! I see where these “Trust Zone” imbedded processors like AMD’s embedded security cores/other makers systems are going to lead if the issuing authority for the keys in not placed under an independent third party’s control, and I will stick with the older hardware.
The open source community, including the open source OS community needs to be all over this like the Comcast merger with Time warner cable. It’s too important for the owners of third party hardware to let a monopoly in the OS market, illegally try to force a vertical integration of the third party laptop/PC OEM hardware, via control over the device’s OS/software, and hardware’s ability to have other OSs/software run. I do not mind the extra security, I do mind the security keys issuing authority in the hands of a monopoly.
This whole UEFI BIOS secure boot, and now Device Guard via Hypervisor/other, or dedicated security processor, if under the control of a single monopoly interest is bad for competition. Having a required Hypervisor, or dedicated security processor running under any M$ code, and having the independently produced hardware forced to run under a M$ proprietary VM, or OS, should be prohibited for third party OEM PC/Laptop hardware. Let the independent third party OEMs and PC/laptop processor industry players create an open standards based open source hypervisor/supervisor to run under these new security processors/other based secure environments, and let an open Industry Standards organization be in control of the hypervisor’s code base and the software’s/OSs security key issuing authority. I will not buy any hardware tied only to a closed software/OS ecosystem, and sure as hell would not ever trust M$ to impartially handle any security key authority over the entire independent OS/third party application software ecosystem.
P.S. and Just because the enterprise customers may always have the option to have Their UEFI secure boot turned off, or customized for enterprise use, does not mean that the consumer market will have the same options, but with the advances in security, especially with the introduction of dedicated security processors embedded on die with the application/OS processor cores, there needs to be some regulations designed to level the playing field, to keep the open source OS, and third party proprietary, as well as open source software makers from being locked out of opportunity of obtaining the signed keys that will be needed for both UEFI/BIOS, and application software to run on the restricted hardware.
If the slack jaws can not be responsible for their own security, I should not be the one to suffer, just make damn sure the UEFI secure boot can be turned off in the UEFI BIOS, something that the slack jaws will not have to worry about, same goes for any security based Hypervisors/other running in secured memory, or on a dedicated security processor, give me the final say over the choice to run/enable the level of security on any code/OSs that I may use or write for personal use. I will only purchase hardware that I can wholly own and control.
” this has nothing to do with
” this has nothing to do with security and everything to do with the locking down of third party hardware to a M$ closed ecosystem”
Nope. Security is definitely the reason here, aimed at enterprise customers (the ones that actually PAY Microsoft for their OS). The ones that use EMET (which is what this is really the successor to), who want UEFI Secure Boot to stay on. Security is a massive headache for Enterprise clients, so everything that can lock down a machine is welcome.
For home users this is less useful, and I’d be surprised if anyone outside of Enterprises ever bothered enabling this feature. So much consumer software is unsigned that it would be unworkable for most.
The early 90’s ‘M$’-bashing is good for a laugh, but you’re a couple of decades behind the times.