Yes, even though this occurs on a regular occasion, we are to be shocked that another secret backdoor into a security product has been discovered, exploited and published. In this case it is Microsoft's Secure Boot which has been unlocked and even better news is that it probably cannot be completely repaired without rendering previous backups and installations incompatible. On the positive side, devices which are locked down even for those with administrative privileges such as ARM-based Windows RT tablets can be unlocked and you can chose a different OS to install. The negatives will have more of an effect on businesses and system builders who relied on it to prevent modified Windows installs from booting, preventing infections and questionably sourced Windows images from being used.
The Register has links to more information on Secure Boot and Microsoft's response and you can read some information about the group which found and released the information about this over at The Inquirer.
"Microsoft leaked the golden keys that unlock Windows-powered tablets, phones and other devices sealed by Secure Boot – and is now scrambling to undo the blunder."
Here is some more Tech News from around the web:
- Next Generation of Wireless — 5G — Is All Hype @ Slashdot
- US couple sues after IP address fingers them for thousands of crimes @ The Inquirer
- Toshiba flashes 100TB QLC flash drive, might release within months. Really @ The Register
- An ATM hack and a PIN-pad hack show chip cards aren’t impervious to fraud @ Ars Technica
Maybe they will hack Windows
Maybe they will hack Windows 10 next.
Ah the golden keys to
Ah the golden keys to unlimited Linux devotion for some locked down to only RT tablets, provided they have not had any “Security” Updates from M$ lately! [Captain Trips playing in the background!]
So sad to see this
So sad to see this misreported in so many places: there is no ‘backdoor’ built in. Instead, there is a bug in the signature checking chain for a particular loader designed for testing unsigned OSes. The bug means that the loader (which when working correctly can only work with a specific DeviceID) will apply a policy that can ignore the DeviceID, because the check on the policy occurs before merging rather than after merging. No ‘keys leaked’, instead a bunch of keys were GENERATED that are DeviceID agnostic due to this signing check bug.
And really, Microsoft don’t need to build in a backdoor, they hold the root signing key in the first place!
Law of averages says this is
Law of averages says this is bound to happen. If golden keys/signatures exist they will be hacked.
It is time for a conspiracy
It is time for a conspiracy theory! How’s this?
“The FBI is working for Putin, to help the Russians post all of America’s secrets to Wikileaks!”
So misleading…
I forget the
So misleading…
I forget the specifics but I believe it does NOT apply to desktops and also that you need LOCAL access to the device so you can’t get hacked over a network.