by alainv 3601 days ago
I'll bite. The original article is from the Register. If you work at Microsoft and read HN I'd expect you have a reasonable idea of their average article quality.

I don't think they were trying to make any particular point rather than generate pageviews with a combination of "haha M$" and righteous anti-backdoor anger.

That said, I myself agree with other commenters that your stance "this isn't a backdoor because it requires physical access; if you've given up physical access you're already screwed" is beyond disingenuous. Disregarding a login screen bypass by the same logic would be rightly pilloried. Yes, physical security is the hardest to improve, but that's exactly the carrot Microsoft has used to try and convince the world Secure Boot isn't a pure anti-consumer move.

2 comments

> "...your stance "this isn't a backdoor because it requires physical access; if you've given up physical access you're already screwed" is beyond disingenuous."

Ok, I'm open to the possibility that my views might be dated on this.

But, to be fair:

1) The 'physical access' rule was an absolute given in training that I've taken. (I'll let you draw your own conclusions, since the training was hosted by Microsoft.) I guess I've had it drilled into my head for so long that I didn't even think the assertion would be controversial here.

2) Schneier commented here (https://www.schneier.com/blog/archives/2009/10/evil_maid_att...) stating: "As soon as you give up physical control of your computer, all bets are off."

Granted, Schneier's comment was in 2009, and it's possible that expectations on security have changed since then, but

3) this stackexchange question (http://security.stackexchange.com/questions/19334/what-can-a...) is a bit more recent. Some quotes:

"Physical security is a critical (arguably the most critical) part of IT Security. At the end of the day, almost anything can be overridden with local access to the hardware."

"If a "hacker" with any real experience or skill has physical access to a PC, I would just throw away the hard drive and start fresh."

4) even some other comments in this thread (https://news.ycombinator.com/item?id=12264137) don't paint my notion as disingenuous as you might.

Again, I'm not a security expert, but do you think I could be forgiven for making such an assertion?

Not to split hairs, but there's physical access and there's physical access. I've got a Windows RT device up there in my living room, but as much as I can pick it up, heft it at the wall, or poke my pinkie into its USB port, I'm not the kind of dude who can crack it open and steal an encryption key that's being transmitted across a bus on the third layer down of its motherboard. I can, however, log in as administrator, download a CMD script (or whatever), and run it. Which one of those is physical access? I guarantee that if you asked one of those greybeards who told you about physical access, they'd back up to the stealing-a-key-from-a-bus scenario, which is out of bounds of reality for most of us. The exploit at hand is not, and I think that's the difference.

> Again, I'm not a security expert, but do you think I could be forgiven for making such an assertion?

Yeah, I forgive you.

The "backdoor" isn't the package that got leaked, it's the private key that signed the package. Without the key, the deployed packages wouldn't be serviceable in case a real exploit was found. Without a serviceability plan, they couldn't have released Secure Boot. So the question isn't whether there was a back door - there had to be a back door - it's whether Secure Boot is a legitimate thing to have.