frfr

!

ur looking kinda insecure, no cap, get a yubyub

ur looking kinda insecure, no cap. get a yubyub

i c u, i aplod u klapklap

Try "year"

"Year" is more accurate, add SSH vulnerability to the mix

xz backdoor

gay furries

The GamersNexus Disappointment Tour shirt this year is going to be amazing

you can buy it first then test the mobo and curse when you find its affected then refund it as long as you didnt bend pins :P

The mentioned article has a list of 215 devices at the end.

@@vaikjsf34a Only for a Newegg RMA center employee to drag a flathead screwdriver over the pins and blame you for it.

@@pwnmeisterage just RMA it :)

200+ models that have been tested. Sounds like a list we need of which aren't vulnerable.

As a dev, am I surprised? Hell no!

I'm not a software dev but could this be what happens if you write a comment instead of opening a ticket/issue?

@@ゾカリクゾ wat

@@ゾカリクゾthis is why you are not a software dev

@@fullfungo can u explain?

Yet plenty of security people genuinely believe that being able to see the source code makes you more vulnerable. It's one of the reasons companies like GlobalProtect are able to sell their proprietary VPN solution. :(

Sometime ago, I would have totally agreed. Open source never guarantees security, it's all up to you to to implement it properly.

Oh, so you prefer when nobody knows who own the keys you use ?

having code validated by public is always better, implementing it in a way that even if breached risk and exposure will be reduced thats the other thing, from my experience its best to use both when You deploy something really critical

ascension spotted

DVD Jon, where are you today?

See you next week

That probably shouldn't have made me laugh

These massive breaches, failures, and outages are going to turn this into a weekly news channel 😔

You forgot the "ahh shit"

The real tragedy here is that many such people exist :')

Yeah, we had one of those UV EEPROM burners at work in the 90's. I loved the sound made when burning all of those gates again.

You got 7 thumbs up in 4 hours so there's your answer. Dinosaurs remember. Nobody else does.

When exactly did it become possible to write to "firm"ware without that kind of physical setup, anyway? And why?

The promise: "We can add new features and fix bugs in hardware you already own." The reality: "We can sell unfinished products with the carrot on a stick of potentially being finished.. some day."

The flash parts that can be erased and rewritten in-system and from within the system are due to updatability. The physical extra parts make it hard for people to upgrade when there are already bugs in the firmware, which happens often. And yes, it is not as "firm" as the name suggests - especially with UEFI bringing a whole other OS on its own. Bryan Cantrill calls firmware the "software that is hard to get to". Anyway, secondly, part of the flash is used for storage, where user settings, EFI variables and such are stored, like volatile data from other platform components, like the CSME, possibly EC, ethernet adapter, etc..

Throw in a little increased rate of adoption of AI in software development and I'm not opposed to accepting that explanation.

@@thewalrusdragon9579 A.I and lay offs + stupid CeOs. They always get the wrong man innthe place with no expertises wtf, this way he will fuck the company and the industry

No, firmware has been a dumpster fire for decades. This is largely due to the ecosystem behind it. See the UEFI Forum whitepaper from August 2023 on embargo / disclosure periods for security issues. They demand a *year* because they are so slow and complex.

​@@CyReVoltyou meant to write "yes". Yes it is a coincidence.

@@hashbrown777 I'm saying that this isn't new. :-)

Rogue nation states have obtained +12.5% melee damage buff for more than the allotted thirty seconds

Not sure why game cheaters would, because cheats don't run on the firmware and in some cases there are even peripherals they can plug in that cheat for them. I think they can still run an executable even if secure boot is there, they just cant flash the firmware no? not too familiar with secure boot or TPM I think they trash.

​@@vaikjsf34ait would be a very difficult thing to do, but you could inject your own bootloader into the boot process, that then injects a custom kernel patch into the kernel. From there, it'd be trivial to hide anything you want from the anticheat

Easy fix - Just ban all devices with said vulnerability the same way RUST banned all a4tech hardware due to the powerful macro software that some people used to make anti recoil macros. Sure, you will piss a lot of people off, but hey, all in the name of security

@@vaikjsf34a Because kernel-level anti cheats like Vanguard which is required to play Valorant require secure boot to be enabled.

You can (usually) enroll your own secure boot keys *IF* your board's UEFI supports it... In which case it's up to you to sign the bootloader and/or kernel. I 100% agree that these companies should not hold the keys and determine what it is "secure" to boot from on OUR hardware.

Maid and catgirl attacks.

@@SterileNeutrino need

@@SterileNeutrino I'm gonna start calling it an Evil Catgirl attack now.

@@SterileNeutrino when you put it that way

"rather than 'all devices from 200 manufacturers affected', there's a huge difference." - True, but on the other hand, we don't know how many devices currently have unknown/undisclosed vulnerabilities. The ONLY reason we know about this vulnerability is because someone posted the key on Github.

Tbh, I think you can add the signature or hash of your custom kernel.

Same lol

@@tablettablete186 You can, but i don't think its worth 15 minutes out of my day because that 15 minutes will always become 5 hours

@@tablettablete186 Yeah its super easy, at least on arch to enroll your own keys and automatically sign your kernels and stuff.

​@@tablettablete186signature: "1234"

Secure boot is super important, especially on mobile devices. On many Android phones (where it is called Verified Boot) it is often disabled when rooting the device. This means anyone with access to the phone can run any code they want, such as a bruteforcer for a PIN (assuming no hardware limiting) With it on, only updates/code signed by the registered private key can be used. This ensures that if someone steals your phone, your data & phone are fully inaccessible.

_except as making Open Source bootloaders hard or impossible to use and disallowing tweaking/analyzing manufacturers firmware aka. "locking the system down like a Playstation", and maybe make money on the side with "signing services"._ That's exactly the only value proposition. It was a way for Microsoft to keep it's technically illegal monopoly and they sold it as a "security feature".

​@@probablypablitocelebrites various services show this doesnt reslly help though doesnt it. Samsung even have a bunch of knox tech and theyre one of the most vunerable.

@@probablypablito This is not perfectly accurate. Though they achieve basically the same goal as you mentioned, AVB and Secure Boot are two completely distinct thing: most Android devices don't support UEFI which is needed for Secure Boot. Also, all SB/AVB "guarantees" is that you don't execute a bootloader that hasn't been signed by whatever keys are enrolled on the device. Once you've executed that bootloader, arbitrary code can be executed by other means. It's not much about bruteforcing: with physical access, one could extract your eMMC and try bruteforcing from there (as I don't think the master key is stored in a "secure device", correct me if I'm wrong though). You *should* be expecting RCE exploits on your phone anyways if someone has physical access to it: the safety of your full disk encryption should not rely on the ability of the attacker to execute arbitrary code on your device. However, SB/AVB prevents installing and executing a rogue bootloader that would, for example, keylog the decryption password when user unlocks the device.

It really doesn't make open source bootloaders impossible at all, just load your own keys into the BIOS.

"I'm not even supposed to be here today!"

@@NatetheAceOfficial It's sad how Smith decided to end Clerks III. I guess he finally wanted to put that franchise to bed.

Well, it is there to authenticate the bootloader binary. And they wrote it. Arguably you want to check their private key at least before you would self-sign it, and had they not leaked their keys in a git-repo it would have been perfectly good way to verify the binary is written by the author it was supposed to be written by. How I see it is that when you use your own key, you have no way of actually knowing what you sign, as it is proprietary code. You can however sign a state you trust, to ensure that state hasn’t changed.

It is perfectly reasonable and actually a good idea for a company to ship products with their trusted root key and use it to verify signed software upgrades. BUT they must protect the private key by using real hardware security modules which make leaking the private root key impossible but they are expensive and painful to use so many companies don't bother.

You know you can resign or add another signature to the binary correct? If you remove the companies PK from secure boot you're not just blindly signing completely unknown code and there are open source bootloaders right?

@@Maxjoker98 now we know why they are the ones who hold the keys and not us :)

@@Maxjoker98 This would be a plausibly deniable leak. Just try to remember, your government made an agreement with at least 14 other governments that they were allowed to spy on you as long as they "promise" to share the information they gather. I think we can *fingers crossed* be sure, that they aren't using that agreement for their own gain or sharing the information with US citizens inside the country with direct lineage to foreign intelligence so they can have an advantage in love, economics and war.

​@@Maxjoker98They might have one of Microsofts private keys. Or who knows, maybe they don't even need them...

@@Maxjoker98 Honestly yeah the NSA is far more likely to show up and tell them they need their keys and here is their court orders for it. They don't really have a lot of need to be sneaky when they have government backing.

To be fair, literally everything is a Microsoft conspiracy to stop Linux to certain groups. I've started calling it "Windows Derangement Syndrome", since the symptoms are so similar.

@@eadweard. so, you're older than a few years?...

@@NJ-wb1cz I am.

@@eadweard. wow

@@NJ-wb1cz Bar burpates.

No, it means "vendor remains in control of _your_ computer".

@@benhetland576 Those two things aren’t mutually exclusive. Study formal logic.

@@NinjaRunningWild Fair enough, but notice also that safe isn't the same as secure, and neither implies the other.

Buffalo

@@benhetland576 until they inevitably slip up, so every hacker in the world can use the vendors' backdoors

Secure boot is useful, you just need to disable vendor keys and enroll your own.

Secure boot protects important data, it's very useful.

The fact that a way to bypass secure boot has been found, and one or two viruses are designed to be able to do so does *not* mean that you're better off letting all other malware easily insert code at boot by disabling secure boot. Having it enabled doesn't affect you detrimentally in any way. Unless you use a custom unsigned Linux kernel, keep secure boot on. It's like disabling Windows Defender because some malware found a way to bypass it.

That's a really bad fallacy in cybersec, just because there's ways to bypass some security measure doesn't mean that you shouldn't use it. Defence in depth is one of the most fundamental security principles.

@@firewalldaprotogen more like insecure boot, amiright?... Right?... Yeah it wasn't that funny

Broken PowerShell scripts are par for the course. Somehow, scripted OOP breaks peoples' minds.

@@RokeJulianLockhart.s13ouq Yeah, being primarily designed with less tech-savvy, non-developer sysadmins in mind (hence the verbose verb-noun naming conventions of cmdlets), a lot of PowerShell scripts tend to be written quite poorly. And in this case, the script is essentially just a .NET API call, which could just as well be written in C#. But this is just straight up invalid syntax. The author of the article didn't even bother copy-pasting the script into the shell and executing it before publishing the article.

Is this correct? [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI PK).bytes) -match "DO NOT TRUST|DO NOT SHIP"

@@stefanalecu9532 Indeed, I do that regularly. Although in my experience, the code quality of C# code tends to be greater than that of PowerShell.

How do you know my password?😢

@@susugar3338 because you said it

How do you know my area's power station's controller's password? 😢

I vote "test"

​@@jalil2985Yeah, given the content of the "Issuer" field, that seems pretty likely.

Probably part of the "UEFI Feature" standard...

lmao

A secure boot ensures the part of the bootloader that prompts you for your encryption key to unlock the encrypted boot drive hasn't been replaced with code that steals your password.

@@darrennew8211 nope

@@itsTyrion Yep. Secure boot is designed to protect all the parts of the operating system that aren't protected by the OS authentication systems. I.e., it protects everything you can get to without a password. In theory.

​@@darrennew8211Secure Boot doesn't encrypt anything. TPM does. Secure Boot itself only lets verified code run at boot. This prevents evil maid attacks such as modifying the bootloader to put a keylogger on it and steal the encryption key.

i don't completely understand secure boot and what its associated with (if its just a windows thing or a motherboard thing) but if i get mint linux will i neeed to worry

I mean, same goes for HTTPS, you need a central list of trusted CAs. Better than not having it, plus, you can turn it off.

you can roll your own keys

​@@junzhengca I agree, but I trust ICANN more than I do Dell.

Is there any evidence of this actually being bad or is it just more conspiracy and fearmongering by people who would force me to use Linux at gunpoint?

@@junzhengca no you absolutely do not.

@@XerrolAvengerII Well it is, until it isnt'.

It just seems like branding right now... pepsi is really just flavored carbonated water... secure boot is really mostly secure until it isn't.

Secure boot is secure as long as you: 1. enroll your own keys, and 2. aren't being threatened by a state actor. This problem is caused by irresponsible manufacturers who don't know how to do proper secret management, not by broken secure boot implementations

That's why you should never buy any computer with a firmware and design, code and deploy the boot, kernel and OS yourself, deciding by yourself how to interpret and possibly execute every single software you get access to. Same for your car: you don't design the fuel you put in it, you don't decide of the design of the airbag: nothing but ownership issues ! Build you car yourself from raw mineral : THAT is ownership and security ! 🤣

​Imagine if your manufacturer had the key to your car (or, more accurately, a key that opens all the same models of that car) and someone just carelessly leaves it somewhere in public. And I have to argue, you only truly own your device when you've manufactured all the chips with your own billion dollar fab of course

@@emjizone There is a big huge jump from _having the only and only keys of your own vehicle,_ to "building it yourself from raw minerals". Your analogy is just plain bad and wrong.

​@@emjizoneCringe take

is UEFI now synonymous with RBMK ? 🤔☢️

UEFI was also the password

There is now a project developing an open source U2F dongle (part of what the yubikey does)... tricky part is getting a dongle that works U2F and SSH and GPG... and now they want us to use discoverable device resident crednetials called Passkeys which used to be called Password-less FIDO2 discoverable credentials. I dislike device resident creds for so many reasons including these dongles have VERY limited key storage space, and also U2F uses the same math and has same security as Passkeys but lets the host store a wrapped key (only the correct U2F dongle can decrypt the secret portion with its master key) which means they can be used for an unlimited number of logins on unlimited website (literally unlimited), but also an attacker with your key has to first find by trial and error which account that key opens and where... discoverable credentials are less good because the attacker now has the key and a list of what it opens... bypass the PIN (If one was set anyhow) and you're in.

And then all the clueless weniees blame Microsoft, just like with CrowdStrike.

This message brought to you by the Department of Redundancy Department.

That is most cyber security. as long as someone doesn't have the key/password your safe enough but, if the secret gets leaked Pandoras box is opened.

Most encryption works by the keys not being known by everyone - that is, obscurity.

@@throwaway6478No, “the adversary doesn’t know the keys” is *not* “security by obscurity” . “Security by obscurity” is when the security is based on adversaries not knowing how the system works, and is *specifically in contrast to* security based on adversaries not knowing the secret keys.

this isn't security by obscurity this is security by password authentication with a stupidly low amount of bits of entropy so it was easy to crack security by obscurity is when you use a reversible, simple cypher such as the alphabet +2 where A=C B=D and so on, or you hide passwords by checking the "show hidden files" box to unchecked or you take the first half and append it to the second half so ABCD becomes CDAB, THAT'S obscurity

Once you conflate "obscurity" with "secret" you realize that all security rests on a foundation of secrets, or obscurity.

if none of you worked, stuff like that wouldnt happen

This is correct. You can generate your own set of secure boot keys and if your motherboard isn't shit enroll it into your firmware