Dual Boot Not Trusted, Rejected By Vista SP1 525
Alsee writes "Welcome to our first real taste of Trusted Computing: With Vista Enterprise and Vista Ultimate, Service Pack 1 refuses to install on dual boot systems. Trusted Computing is one of the many things that got cut from Vista, but traces of it remain in BitLocker, and that is the problem. The Service Pack patch to your system will invalidate your Trust chain if you are not running the Microsoft-approved Microsoft-trusted boot loader, or if you make other similar unapproved modifications to your system.
The Trust chip (the TPM) will then refuse to give you your key to unlock your own hard drive. If you are not running BitLocker then a workaround is available: Switch back to Microsoft's Vista-only boot mode, install the Service Pack, then reapply your dual boot loader. If you are running BitLocker, or if Microsoft resumes implementing Trusted Computing, then you are S.O.L."
But what if... (Score:5, Interesting)
What happens on systems without a TPM?
Re:But what if... (Score:5, Funny)
It will detect the lack of a TPM and notify the FBI that you are probably a terrorist.
Re:But what if... (Score:5, Funny)
Probably?
Re:But what if... (Score:5, Funny)
Probably?
Close enough for government work.
Re:But what if... (Score:4, Funny)
Re:But what if... (Score:5, Informative)
Re:But what if... (Score:5, Informative)
Informative gives Karma but Funny doesn't. Therefore, people who appreciate the post and wish to give the user some karma will choose Informative.
What I don't understand is why anyone would care... Slashdot Karma is competing with Kool-Aid Fun Points for score that has the least impact on my life.
Re:But what if... (Score:4, Informative)
Re:But what if... (Score:5, Informative)
Oh, well heh, I think modding someone funny for being funny is nice enough for a little o' that real life karma. :)
Re:But what if... (Score:4, Informative)
It's because what people are really saying is +1 satire./P
Re:But what if... (Score:5, Funny)
If you want karma, be informative rather than funny.
This comment is informative, not funny.
Re:But what if... (Score:5, Funny)
Why?
Re:But what if... (Score:4, Informative)
Dear sir, if you find my posts funny, please mark them funny so that I know you got the joke and don't think you got confused and took me serious.
I don't give a fuck about karma. Anyone willing to make the effort can have theirs pegged at the cap if they wanted, anyway. (Karma whores don't deserve it, and those that don't care about karma and just post things that are interesting and informative are always at the cap anyway.)
Re:But what if... (Score:4, Informative)
It's kind of a huge karma circleje-..dependency.
Re:But what if... (Score:5, Informative)
Re:But what if... (Score:5, Informative)
So "informative" is the new "funny"?
Damn!
Re:But what if... (Score:4, Informative)
Re:But what if... (Score:5, Informative)
Re:But what if... (Score:5, Interesting)
Or it could just be a subtle, intentional way of censoring what somebody considers a really sensitive topic. The way it works is that first page of the posts are basically offtopic throwaway posts that get modded up by the gatekeepers to force any ontopic comments (if any) into the second page. Thus, any noobs or stray readers will not even find out why anyone would care about the topic, will be distracted by what seems a stupid, nonsensical discussion and go read something else. Thus, the extent of any negative public reaction is effectively controlled.
Re:But what if... (Score:5, Informative)
Uh. Mods are now definitely literally on crack. Not behaving in an incomprehensible and unpredictable manner, they are putting the pipe to their lips and inhaling the smoke from burning crack cocaine.
Name a better way to spend a Thursday morning with mod points in your account!
Re:But what if... (Score:4, Informative)
I've also suspected this is possible a number of times. Companies like Sony, for example, have been shown up for using such tactics as Gorilla Marketing, to get their message across and employing bloggers to appear to be independent reviewers, when in fact they are working as part of an organized PR campaign So its well within the concepts of Gorilla Marketing style behavior to work to manipulate popular forum discussions. I wouldn't be at all surprised if many big companies and even some governments could be playing these same disinformation style games. Its interesting how manipulations to the Wikipedia have been detected and proven to be occurring. Forum style discussions need some way to detect organized disinformation/manipulation campaigns, but that's not going to be so easy to detect, but over time, at least more people are becoming aware of these disinformation games.
Re:But what if... (Score:5, Informative)
Re:But what if... (Score:5, Funny)
You missed that thread above about how Informative is the new Funny. :)
Re:But what if... (Score:5, Informative)
Not at all....
Booting is handled by the EFI, and any operating system booted under the legacy BIOS emulation wouldn't be able to do a thing about it!
Re:But what if... (Score:5, Insightful)
MOST Microsoft customers will be perfectly happy with that level of intrusive control, and won't even realize it's there. It's only that lunatic fringe that thinks that they actually *own* the computer that they paid money for, and want to dual-boot, that will realize that something is amiss at the Circle K.
Re:But what if... (Score:5, Insightful)
Of course, the article says the problem exists even if you don't have the encryption enabled.... However it looks like what happens in that case is the same as what's always happened when a windows update contains a MBR change: It overwrites your third party bootloader. (Or in this latest case, forces you to do it yourself manually).
I'm failing to see why this is a big deal. Software is in place to check for a piece of third party code intercepting your encryption key... It successfully detects GRUB as such software, and stops. So what?
Re:But what if... (Score:4, Insightful)
When you don't have the choice to disable this "option", it IS a big deal.
Re:But what if... (Score:5, Insightful)
Re:But what if... (Score:5, Interesting)
Not at all true. Security isn't binary. Bitlocker alone will stop 99% of attackers who try to get at your data through physical access. The rest probably won't bother with a trojan bootloader--they'll either use rubber hose cryptanalysis or a hardware keylogger, depending upon how stealthy they want to be.
I don't see a problem with Bitlocker using TPM in this way at all. But it should allow me to disable the bootloader check if I so choose.
Re:But what if... (Score:5, Insightful)
[...]they'll either use rubber hose cryptanalysis[...]
So that's just DoJ thugs coming to your house and whipping you with a rubber hose until you tell them the password, right?
I'm so glad we torture now. I feel so much safer knowing we've got that weapon at our disposal.
Re: (Score:3, Insightful)
No. Common sense would say it's a bug. Tin-foil-hat sense would say, "it is there for the purpose of limiting consumer choice."
Re:But what if... (Score:5, Insightful)
Re: (Score:3, Informative)
The bug would be in the enforcement of the check when it does not apply, not in the very existence of it.
Do you agree that a full disk encryption product needs to protect the data from unauthorized access in every way possible?
If you agree to the above, do you assert that despite that, it should allow access to the data when the environment is verifiably NOT what it expects?
I'm not suggesting that the Windows boot loader is infallible (far from it), but it seems like you are suggesting that the FDE solution
Re:But what if... (Score:5, Informative)
Re:But what if... (Score:4, Funny)
Yes, just buy a 486dx, I'm pretty sure those don't have a TPM module.
Affects crack? (Score:4, Interesting)
Does one of the more popular Vista cracks not rely on booting Grub4Dos to load a bit of code to patch the kernel after boot?
I am thinking this will be affect the crack.
Before anyone says it, no, I am not running a pirate version of Vista, so I cannot check. In fact... not running any version of Vista, joy!
Re:Affects crack? (Score:5, Insightful)
You know, I had to use that crack to get my copy of Vista reinstalled (all the partitions got wiped out, including the OEM one), because it refused to use my OEM key without the OEM partition, and simply wouldn't active. So, I had to crack my already-paid-for copy of Vista. Oh, sure, I could have gone and sent it back (to Acer, yeah right), or called Microsoft, but isn't it funny that I get a better "customer service experience" from cracked software?
Posting anonymous for the above reasons.
Vista and Mac OS? (Score:5, Interesting)
Has anyone tried this with Boot Camp? I had no problems with Mac OS X and FileVault dual-booting with either XP SP2 or Vista base.
Re:Vista and Mac OS? (Score:5, Informative)
Intel Macs use EFI instead of a BIOS, and EFI uses GUID Partition Tables (GPT) instead of MBR.
The space that the MBR used to sit in is reserved in GPT, so when a legacy system reads, uses, or modifies the partition table, it only changes the old MBR partition table, which is not actually used to boot. In contrast, Boot Camp's dual-boot features only use the GPT, which means that as far as Vista knows, it IS the only boot loader involved.
Re:Vista and Mac OS? (Score:4, Informative)
Respectively... No. Yes. No. Maybe.
Whew (Score:5, Funny)
Good thing I'm running Mojave and not Vista.
It has a bootloader update. (Score:5, Insightful)
So... yeah. Anyone technical enough to change their bootloader should know how to put it back temporarily so it can get updated.
If you are running BitLocker, or if Microsoft resumes implementing Trusted Computing, then you are S.O.L.
I thought that was the entire point of BitLocker - don't unlock things unless you know that you're not running on top of some evil VM.
Not trusted for a reason (Score:5, Interesting)
If you are using BitLocker then you want your data to be secure. There are probably ways that a compromised boot loader can allow an attacker access to your data. Vista closes this security hole by requiring the boot loader to be a cryptographically signed binary that it trusts. If it didn't, this story would instead be "Vista BitLocker encryption not secure on dual boot systems".
That being said, there should be a way to register other trusted signature keys in Vista to allow 3rd party boot loaders. I don't know if there is or not, but there should be.
Re:Not trusted for a reason (Score:5, Insightful)
That's great...
Except for the fact that it happens on any system that CAN run BitLocker, rather than any system ACTUALLY running BitLocker.
So if you're trying to dual-boot between Linux and Vista Business/Ultimate and you have a TPM-capable machine, forget it: you're locked out until you restore the Vista bootloader.
Even if you're not using BitLocker.
Even if you've never even installed BitLocker.
Re:Not trusted for a reason (Score:5, Insightful)
That being said, there should be a way to register other trusted signature keys in Vista to allow 3rd party boot loaders. I don't know if there is or not, but there should be.
That's exactly what's wrong with the Trusted Computing initiative that the major players (Microsoft, Intel, etc) are implementing: they don't trust YOU to make those kinds of decisions to trust 3rd parties.
http://www.againsttcpa.com/ [againsttcpa.com]
Re:Not trusted for a reason (Score:5, Informative)
No, they do. I think a lot of people here misunderstand what TPM is meant to actually do and what it's supposed to be good for; and what it is useless for. (Frankly, I'm not sure Microsoft fully understood.)
It's because the MBR has *changed* that means the chain isn't signed with something that will allow the system state register to authenticate with the TPM key storage; the register contents will have changed because the SHA-1 fingerprints changed, so you're not going to be able to get a coherent response from the TPM regarding any keys you've stored in it if you've taken ownership already. Without resetting the token and destroying the keys, that is.
You want another way of doing this? Don't take ownership of the TPM to store the keys, but put 'em on a thumbdrive and use a secure passphrase (10 word Diceware, for example) to unlock them; this is also a supported mode of operation under BitLocker (assuming you trust the Elephant diffuser as being part of a reasonable cipher mode; frankly, I'm not that happy with it and prefer OCB or XTS modes, or failing that Linux's aes-cbc-essiv:sha256)... doing it the "thumbdrive way" is highly recommended when a TPM isn't available or wanted. Putting the hard disk encryption keys in the TPM isn't necessarily a good idea; they are recoverable given some effort, and that's not really what the TPM tech is for.
This is all entirely by design; it's closing an actual security hole whereby a trojaned MBR could capture your encryption keys. Obviously this is unsuitable for any dual-booting setup. TPM just isn't designed to work with that kind of scenario; it's really more of a system for verifying extremely stable system images such as you might find on a server or tightly-controlled corporate workstation that you want to be able to have a reasonable degree of confidence hasn't had the MBR tampered with because it's a trusted client that handles classified data (and any tampering with the software whatsoever would decertify it).
You control the chain of trust when you take ownership of the TPM; they do work just fine with Linux, and Linux does have support for them - if you want to know and prove to another system that the bootloader, BIOS, and kernel haven't changed since the state you knew was good, you can do that (although the proof is only as good as the integrity of the TPM).
They're just hardware tokens coupled with a signed BIOS/bootloader/kernel, really. Handling the actual key management that results from that, or what you do with it, is entirely up to you.
Vista using the TPM for BitLocker is hardly plug-and-play, and quite unsuitable for many scenarios (many TPMs out there don't even support TCG1.2); there's always TrueCrypt or PGP Whole Disk Encryption or one of the many other solutions available if you want a little more flexibility and control.
In particular, it's not really about DRM. None of the DRM systems proposed or deployed have ever used it, or are likely to ever use any part of it, as a key storage blackbox, because an entirely homogeneous image just isn't something you can guarantee on any consumer box (that's one reason it's not even on or in the vast majority of OEM and consumer motherboards/chips). It's perhaps a bit more practical for laptops...
Also, TPM implementations are quite breakable where the attacker has physical access and ownership of the machine and plenty of time. PCs aren't even consoles, and look what we've done to those...
It's meant to be one interlocking part of a whole enterprise security solution. It sure as heck isn't a "magic crypto chip" that will lock up your PC, and it shares none of the common criteria with DRM scenarios (which are, of course, just as doomed if they use a hardware blackbox as if they use a software blackbox, because the plaintext is always available...). In fact, having a TPM around if you're running Linux, will at least make sure you always have a secure entropy source for /dev/random...
Re:Not trusted for a reason (Score:4, Informative)
Does TrueCrypt enforce a chain of trust down to the hardware?
I believe it does. You can load any OS you want or put the disk in another machine and still not be able to decrypt the "hidden" partition, even if you know of its existence.
You misunderstood the question. TPM and full disk encryption, used in this way, ensures that every piece of software from the bootloader on up is either considered trusted or not. It starts this chain of trust in the hardware, which is considered much harder to trojan than software (like the bootloader or OS.)
Put another way, TPM conceivably protects you from software keyloggers by verifying the signature of the bootloader, the OS loader, and the OS itself before allowing you to decrypt your data. If anything in the chain has been modified, it won't release the keys, thus protecting your data. Unless Truecrypt interfaces with TPM, merely knowing the key is enough to decrypt the data, regardless of the computer that you put the disk in. Truecrypt adds a layer of deniability, but that's not the same thing.
hi2u, article from March... (Score:3, Insightful)
Are so few people dual booting Vista and Linux that this story hasn't hit Slashdot until now? Is it even still applicable?
Re: (Score:3, Funny)
Vista AND Linux ... aren't these something like matter and anti-matter ?
Install on the same drive and the universe implodes !
Summary Needs Re-writing (Score:5, Informative)
This *may* be a corner case as most TPM's were shipped in the disabled state back when XP was still shipping.
Instead, how about testing the open source BIOS stack? Most of you have an unused box of recent vintage and I'm sure the projects can use the feedback.
FYI: An open sourced bios is an Achilles heel for Microsoft. Mobo OEM's will **jump** on a Free bios because it saves them money and elminating TPM saves them much more money.
Get involved!!
http://www.coreboot.org/Welcome_to_coreboot [coreboot.org]
http://openbios.info/Welcome_to_OpenBIOS [openbios.info]
Re:Summary Needs Re-writing (Score:4, Informative)
This *may* be a corner case as most TPM's were shipped in the disabled state back when XP was still shipping.
I wrote the summary.
Service Pack 1 refuses to install, even if you are not running BitLocker.
Service Pack 1 refuses to install, even if the TPM is in a disabled state.
Service Pack 1 refuses to install, even if you you do not have a TPM.
If you are running a Windows version with support for the Trust system at all - currently Vista Enterprise and Vista Ultimate - then the service pack sees the install is going to invalidate the Trust chain, will cause the lock you out of and and all keys of this sort. Not merely your BitLocker keys, but your keys to any other existing or future software which activates this Trust system. Right now that pretty much just means BitLocker - but applying the service pack can and will result in the Trust chip nuking any and all software built on this Trusted system.
Trusted Computing was intended to be a fully implemented "feature" of Vista, but dropped in the massive feature cuts. If/when Microsoft resumes and fully implements that plan in Windows 7 or whatever, then there isn't much possibility for any workaround. You won't be able to install/run service packs at all, you won't be able to install/run core elements of the operating systems at all, if you have any such unapproved modifications. If Trusted Computing is implemented as they planned, it becomes a strict either-or situation. Either you run an unmodified Trusted Windows install exactly as Microsoft dictates and locked in Microsoft handcuffs, or you can run what you like while absolutely you are locked out of Windows and locked out of any of your own data secured under the Windows Trust system.
-
FDISK (Score:5, Funny)
c:\> FDISK /MBR /dev/hda1
Out of Memory
c:\> format c:
Out of Disk Space
c:\> edlin config.sys
File not found
c:\> set PROMPT=$
$ mke2fs
How is this news? (Score:5, Insightful)
Vista's security chain works as designed and intended, preventing from you to inject an untrusted bootloader into the bootstrap. Isn't that what we -want- from our security systems? This isnt' a case of "Microsoft" holding our data hostage, this is a case of our own security policies WORKING.
If I were to be running Linux, with equivalent protection, I'd be right pissed if it could be trivially rootkitted/bypassed by swapping in a malicious bootloader.
The ONLY flaw I see in the entire Vista/TPM system is that users don't seem to have a way of manually trusting things they genuinely want to trust. If it hasn't been blessed by MS its not trusted -- that's a fine policy for general users, but if I, as the hardware want to trust a specific bit of code (e.g. the linux boot loader) then I should be able to manually sign it somehow, and add my personal key to my personal install of Vista. And then the grub bootloader I signed will be trusted on my (and only my) PC.
All the 'chatter on the internets' is currently centered around how to disable UAC, how to disable driver signing, how to go back to running windows as insecurely as possible. i would prefer to see the discussion take a more intelligent direction -- how to obtain keys/certificates, how to add them to Vista's chain of trust on a per PC or per domain basis, and how how sign code with them.
Signed drivers are a FANTASTIC idea. not being able to sign drivers myself for my own hardware is EVIL. But MS --does-- have programs in place to let you sign code with 'development drivers' which are designed to only be valid on your PC... its just that most of the discussion surround the issue is how to disable it, and how evil MS for deciding what is blessed and what is not.
I mean, take Stallman, even -he- who wrote the GPLv3 in part to counter DRM isn't against code signing. He just requires that the keys necessary to sign code be included, so the owner of the hardware and user of GPLv3 code can sign it, and thereby be free to make modifications and excercise all the freedoms intended by the gpl.
Re: (Score:3)
Untrusted? I trust GRUB, at least more than the bootloader MS provides.
Yes, I know what "trusted" means in MS jargon. And MS isn't alone, it's a general development in our newspeak world. Basically it means that MS, not you, trust the bootloader. DRM "manages the rights" of the creator of the content, but it ignores your rights. "Value editions" are of high value to those dumping them onto the market, they're usually of little value to you, the person supposed to buy it. Essentially, all those "good" words
Re:How is this news? (Score:5, Insightful)
I mean, take Stallman, even -he- who wrote the GPLv3 in part to counter DRM isn't against code signing. He just requires that the keys necessary to sign code be included, so the owner of the hardware and user of GPLv3 code can sign it, and thereby be free to make modifications and excercise all the freedoms intended by the gpl.
Right which is the antithesis of what "trusted computing" is all about. Trusted computing is all about allowing vendors like microsoft to trust the computer to work in thier partners interests rather than the users.
Re:How is this news? (Score:5, Informative)
First, note that Iam the story submitter.
Second, and more important, note that I am a programmer and have I read the Trusted Platform Module technical specification from cover to cover. The 332 page technical spec.
The goal is to allow you to trust that your computer has not been compromised by a third party
Demonstrably incorrect. That is NOT the fundamental design criteria of the Trust chip.
You could get all of that functionality from a virtually identical design that did not secure the computer AGAINST the owner. If you are up for the technical details, you could for example have an identical chip with identical capabilities, except that you permit the owner to get a printed copy of his PrivEK when he buys the system. That alone would be minimally sufficient to grant the owner ultimate control of his system, but for technical reasons the chip should also have the capability to export the RootStorageKey encrypted to the PrivEK, as this makes things massively simpler benefiting security.
I forget the page number, but at one point somewhere in the latter half, the technical spec EXPLICITLY refers to the the owner as an "attacker". The specification explicitly details the measures that must be taken to secure the system AGAINST THE OWNER.
AGAINST
THE
OWNER.
Q.E.D. The fact that the technical specification for the chip repeatedly places the HIGHEST PRIORITY of forbidding the owner to ever obtain his own key (which would provide him ultimate control of his own computer) demonstrates that in fact the purpose of the design is to secure the computer against the owner. As the grandparent put it:
Trusted computing is all about allowing vendors like microsoft to trust the computer to work in thier partners interests rather than the users.
Of course, if you pour concrete over my house and take other insane measures to lock me out of my own home, yeah.... that does also incidentally have the effect of keeping other people out of my home too. The point here is that the owner is denied the key to his own house. Trying to advertise that as a security system securing the home FOR the owner is obviously a comically bogus argument.
-
Re:How is this news? (Score:4, Interesting)
Exactly. I see nothing wrong with third-party boot loaders not being trusted by Vista/TPM by default. If nothing else, the system has no way of knowing if you installed them yourself or if they're part of some sort of root kit. What I don't like is that there isn't a way for the person who owns the computer to override this. As several other posters have commented, this just shows that "trusted" means "trusted by Microsoft not to let users do anything except what Microsoft wants them to."
Re:How is this news? (Score:5, Insightful)
Vista's security chain works as designed and intended, preventing from you to inject an untrusted bootloader into the bootstrap. Isn't that what we -want- from our security systems? This isnt' a case of "Microsoft" holding our data hostage, this is a case of our own security policies WORKING.
If I were to be running Linux, with equivalent protection, I'd be right pissed if it could be trivially rootkitted/bypassed by swapping in a malicious bootloader.
If the attacker can install a bootloader, that means you were rooted and your precious data can be grabbed from the memory of the program that happens to be using it.
If the bootloader is installed while the OS is not running, that means you do not have adequate physical security.
Re: (Score:3)
If you're not using Bitlocker (and therefore presumably don't care about a trusted bootloader) you are still unable to install SP1.
Would you prefer that it did install, and trashed your bootloader when it tried to update it?
And what if another Quicken fiasco? (Score:4, Interesting)
Does anyone else remember when Quicken a few years ago would overwrite the MBR or something like that, and break dual-boot systems?
What would that do in this case? Brick windows until reinstall?
I thought it was bad of Microsoft to intentionally not read Mac floppy disks. I feel the dual-boot issues (minus BitLocker security issues in this specific case) with windows and linux (or any other OS) are just another example of that same mentality: Make it difficult to work with other systems, to try and keep people locked into the MS trash can for as long as possible.
Re: (Score:3, Informative)
Quicken's cock-up was that it was writing to parts of the MBR that DOS/Windows didn't use - but GRUB/LILO did. In this case, it would do the same thing, since it's unlikely that Vista has changed how such things work.
Microsoft's choice to 'intentionally not read Mac floppy disks' likely involves not having support for MFS/HFS, and not seeing any real need to reverse-engineer them to implement them.
That's why I don't use Vista (Score:3, Informative)
I won't use it. I just bought a laptop on Ebay, brand new, out of box, that came with the Home edition, great bargain at $421. First thing I did with it was actually start it up and say "No" on the AUP acceptance page. I immediately powered it off, put in my trust Ubuntu Hardy 64-bit install cd, wiped the disk, and installed a real operating system that will stay the fuck out of my way.
Sorry, Microsoft, but I'd call this Epic Fail. Trusted computing causes me to lose control of *my* computer. Problem is, Microsoft don't understand the definition of computer ownership.
Re:That's why I don't use Vista (Score:5, Insightful)
No, they just disagree who the owner is :)
Integrated TPM on newest Intel platforms. (Score:4, Informative)
It is by design... (Score:5, Insightful)
This is by design. If you are into the secure boot stuff you'll know why.
This is not about DRM and such (but may be) but about *your* data encrypted by BitLocker (the DRM is about protecting *somebody else's* data from you - that is why it is flawed concept).
Right now there are some kinds of attacks that let you compromise the entire system right from boot (using other than approved bootloader and unsecure boot proces) puting it into hypervisor and thus being able to retrive keys and such directly from memory.
In fact I don't see any other option as to control entire boot proces. And if you wish to control it you need to use tools that support it.
So in fact it is not a Bad Thing. It could be a bad thing if you are casual-security user - but this 'casual security' is not so secure isn't it?
I bet BitLocker documentation covers that. But why bother checking? It is better to set the "secure" option to "on" and dumbly belive it.
I thought I was missing something because on my... (Score:3, Interesting)
...dual boot Vista Ultimate 32-bit/OpenSUSE dev box at the office, I've got SP1 installed and haven't had to touch my bootloader (which works just fine by the way) and Vista works fine as well (in other words it works the same as before ;)...) I thought I was missing something so I read the actual article and it claims (unless I did miss something) that the problem occurs whether you use Bitlocker or not.
People seem to be missing the point (Score:4, Insightful)
Software like Vista Ultimate with BitLocker is aimed at the corporate environment. If I'm a network admin, I don't want some jack hole dual-booting anything on my network. He doesn't need a Linux partition on his workstation. I might want laptops with TPM and BitLocker for the sales staff so that when they get drunk and lose their laptops with the customer list on it, I can rest relatively soundly knowing that the data is secure.
It is obvious that Microsoft does not care about the individual end user who wants complete control over their computer. That is okay with me. Maybe I've been drinking too much of the Kool Aid but I'm happy with HP hardware running a Microsoft OS. I like the fact that they make it a complete PITA for the end user to do anything to their workstation. It makes my job easier. 95% of the corporate computing world can get by with an office suite, a web browser and access to a couple of custom apps (financial, inventory, manufacturing, and what not). They don't need to be playing stolen mp3s that they got from Pirate Bay, watching DVDs on their lunch breaks, or dual-booting their damn desktops.
Where are all the gripes about how Server 2003 sucks? How about the gripes about IIS6 getting owned all over the place? They aren't there because Microsoft is focusing their attention where they need to focus it... on the administrators responsible for hundreds and thousands of workstations and servers. Does anyone really think that the folks at Microsoft stay up late at night wringing their hands over corporation versions of their workstation software not dual-booting a third party OS? Seriously guys... what portion of the Vista Ultimate/Enterprise user base do you think is negatively impacted by the change? 1%? 3%? I'm not talking about the developers who need ten thousand OSes on their machines "for development purposes." I'm talking about the cubicle drones who work 8-5 running a couple of applications.
Re:You can use the Vista boot loader (Score:5, Insightful)
Re:You can use the Vista boot loader (Score:5, Funny)
It's only Windows that doesn't give choice
I have heard that is a feature that we pay extra for.
Comment removed (Score:5, Interesting)
Re:You can use the Vista boot loader (Score:5, Interesting)
Re:You can use the Vista boot loader (Score:5, Insightful)
Put windows on the first hard drive, then install linux on the second hard drive. Setup grub so it chainloads the windows boot record (for one of the options), and finally make your bios boot off the second hard drive.
Then Windows is happy and ignorant of its true surroundings.
Thats how my dualboot desktop at home is setup.
Re: (Score:3, Insightful)
Re:You can use the Vista boot loader (Score:4, Informative)
Re:You can use the Vista boot loader (Score:5, Interesting)
Because their customers want them to.
Using the Windows boot loader to chainload code off another partition is, AFAIK, impossible.
Besides, in Vista the nice, easy-to-modify boot.ini file is gone. It is replaced by yet another binary registry-like database. Typical Microsoft.
Re:You can use the Vista boot loader (Score:5, Informative)
Date of article you reference: October 13, 2006
Date of KB935509 [microsoft.com] update which breaks this: January 7, 2008
Re:You can use the Vista boot loader (Score:5, Insightful)
That's nice. The Windows idea of supporting it is "go look on technet" versus
the Linux version where it's already built-in and configuration is done for
you automatically.
This precisely the stupidity that Windows trolls like to accuse Linux of
subjecting the end user to.
Re:You can use the Vista boot loader (Score:5, Informative)
Windows allows multi-OS booting; yes, even Vista allows it. You just have to know how to do it; just like any dual boot scenario.
False. Your solution requires hackery, while many Linux distros together with most things except Vista takes care of setting up dual-boot during the installation process.
Linux under windows = untrusted too (Score:5, Insightful)
In which case you can no longer trust linux.
Re:You can use the Vista boot loader (Score:5, Funny)
I'm hoping some joker with the next viable vista virus uses it to trigger trusted computing into locking machines.
Lets see vista's adoption rate when word gets out it bricks your entire system if you get a virus.
Re: (Score:3, Interesting)
I'm confuse why anyone would dual-boot Vista. Dual booting Windows to have a game machine is simply practical, but Vista sucks vs XP as a game platform - it's slower and takes far more resources to run at all (and if you didn't have resource limits, you'd just have 2 boxes). Why would you do this?
Re: (Score:3, Insightful)
Because most new machines come with Vista preinstalled. Not XP.
Re:You can use the Vista boot loader (Score:5, Informative)
Just games? There are lots of people who run windows as their primary OS (because it's what they are used to after spending 15+ years on a MS platform, or maybe because there are apps they rely on that aren't available elsewhere), and they dual boot Linux because they want to be able to hack around, learn more, and generally have fun.
Taking an interest in Linux does not automatically mean somebody will abandon Windows the next morning.
Re: (Score:3, Informative)
Yes, our family laptop is Vista Ultimate and Ubuntu, set up this way, and took Vista SP1 without a hiccup. Have Vista's bootup load the linux GRUB bootloader.
Ubuntu's Wifi is much more reliable on the same hardware, but Ubuntu won't run Adobe CS3 properly.
Re: (Score:3, Informative)
And no TPM in the laptop.
That's the whole point of the problem, TPM has begun causing issues. You don't have TPM, so you are not affected.
Re:Except that... (Score:5, Interesting)
Our lab technicians were upgrading vISTA PC's to use the department's standard linux build. For whatever reason, the BIOS wouldn't allow the LINUX install DVD to BOOT. So they had to remove the hard disk drives out of the PC's with built-in TRUSTED SECURITY BIOS'S, pop them into an older untrusted XP system, and then install the linux build and put the hard disk drive pack in again. IT's a pain, but if OS vendors are going to install security measures without consulting their users, this is what is going to happen. Everyone is going to think of ways of getting around these "security measures".
Re:Only a problem if you have TPM? (Score:5, Informative)
Re:Only a problem if you have TPM? (Score:5, Informative)
I have Vista Enterprise on a dual boot laptop with a TPM that I have never enabled. Installing SP1 did nothing adverse to the dual boot capability.
Re:Only a problem if you have TPM? (Score:5, Interesting)
(I, however, use the Windows boot loader.)
Re:Only a problem if you have TPM? (Score:5, Informative)
http://port25.technet.com/archive/2006/10/13/Using-Vista_2700_s-Boot-Manager-to-Boot-Linux-and-Dual-Booting-with-BitLocker-Protection-with-TPM-Support.aspx [technet.com]
Re:Only a problem if you have TPM? (Score:4, Informative)
I have Vista Enterprise in a dual-boot laptop with TPM and grub as the primary boot loader, and SP1 installed without any problems at all, and never altered the boot loader. It's 64-bit Vista, which is typically even more stringent with the code checks than 32-bit.
Were Microsoft not attaching it to a KB article, I'd have called it FUD, but I will say that I have not experienced it at all.
Re:Only a problem if you have TPM? (Score:5, Insightful)
> Never Trust Trustworthy computing. it hasn't earned it.
Trusted Computing.
There's a big difference between Trusted and Trustworthy. As this update proves.
Re:Only a problem if you have TPM? (Score:5, Interesting)
Trusted? Not hardly. (Score:5, Funny)
Also, never trust any technology that rhymes with "busted".
Re:Only a problem if you have TPM? (Score:5, Funny)
If I read TFA correctly, you need to have been using your TPM to experience this problem?
I have not been using my TPM and I was scolded on Monday about not using TPS report coversheets. Are the two related?
Thanks, Peter Gibbons
Re:Only a problem if you have TPM? (Score:4, Funny)
That's TBD. A meeting is TBA.
TTFN.
Re:WTF is S.O.L.? (Score:4, Informative)
I thought it was: Shit Out of Luck
which is not in your list.
Re: (Score:3, Interesting)
Native hardware support. You can't use specialized hardware (like tuner cards, but there are others). In particular, you can't use 3D acceleration at all unless you fork over for VMWare, and at that it's nowhere near perfect.
Re:Who cares? (Score:5, Informative)
Re:Who cares? (Score:5, Informative)
Two words: filesystem support.
Boot up Linux and all the stuff on your NTFS partition is read-only.
What? You know, Linux has had full NTFS Read/Write support for a while now, see :
http://www.linux-ntfs.org/ [linux-ntfs.org]
Also, ever heard about WUBI [wubi-installer.org] ?
jdb2