Aaron Rainbolt

#Ventoy Security Concerns (please boost for visibility)

Ventoy is a popular utility for making USB drives containing multiple operating systems in the form of bootable image files. While very useful in theory, the source tree contains numerous binary blobs without source code. This issue has been brought up to the authors multiple times, has not been corrected, and has even gotten worse (more blobs have been added to the code over time). This is a potential malware vector, similar to the "test files" in the xz-utils backdoor catastrophe.

Recently the author has ignored a very lengthy thread raising security concerns because of these binary blobs. Given the amount of attention the thread has gotten, this seems strange, especially given that the authors have been active since then. github.com/ventoy/Ventoy/issue

Stranger yet still, a video by Veronica Explains (@vkc) on how to create bootable USB flash drives got flooded by comments heavily suggesting the use of Ventoy and even being somewhat accusing because Veronica didn't advertise Ventoy. This is... not anything I've seen users of ANY open-source project do, and it feels similar to the social engineering done against Lasse Collin that convinced him to add Jia Tan as a maintainer, thus compromising xz-utils. See the comments of youtube.com/watch?v=QiSXClZauX

If you're using Ventoy, you may want to consider ceasing its use for the time being out of an abundance of caution. If you truly need its functionality, you might look into something like the IODD SSD Enclosure (iodd.shop/HDD/SSD-Enclosure) which can emulate an optical drive and allows you to select an ISO saved to the drive to boot from.

#linux #boot #security #malicious #backdoor
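A defender's check for the binary-blob concern raised above, written here as an added example (it is not code from the thread, from Ventoy, or from any project named in it): walk a checkout, list every file that is binary by the same NUL-byte heuristic git uses, record its size and SHA-256, and flag the ones with no same-named source file beside them. The directory tree scanned by demo() is constructed for the example, not a real project.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions treated as "source that could plausibly produce the binary next to it".
SOURCE_EXT = {".c", ".h", ".cpp", ".rs", ".go", ".py", ".sh", ".asm", ".S"}


def is_binary(path: Path, sniff: int = 8192) -> bool:
    # Same heuristic git applies: a NUL byte in the first 8 KiB means "not text".
    with path.open("rb") as f:
        return b"\x00" in f.read(sniff)


def has_sibling_source(path: Path) -> bool:
    # True when e.g. loader.c sits beside loader.bin; a blob with no such neighbour
    # is the "binary without source" case the thread is worried about.
    return any(path.with_suffix(ext).exists() for ext in SOURCE_EXT)


def find_blobs(root: Path) -> list[dict]:
    """List binary files under root (skipping .git) with size, sha256 and source status."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not is_binary(p):
                continue
            found.append({
                "path": p.relative_to(root).as_posix(),
                "size": p.stat().st_size,
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                "has_source": has_sibling_source(p),
            })
    return sorted(found, key=lambda b: b["path"])


def demo() -> list[dict]:
    """Build a constructed sample tree (not Ventoy's) and scan it; returns the blob records."""
    root = Path(tempfile.mkdtemp())
    (root / "src").mkdir()
    (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
    (root / "src" / "helper.bin").write_bytes(b"\x7fELF\x00\x01\x02")  # helper.c sits beside it
    (root / "src" / "helper.c").write_text("/* source for helper.bin */\n")
    (root / "vendor").mkdir()
    (root / "vendor" / "stage2.img").write_bytes(b"\x00" * 512)  # no source anywhere
    (root / "README.md").write_text("# sample\n")
    return find_blobs(root)


if __name__ == "__main__":
    for b in demo():
        flag = "" if b["has_source"] else "  <-- no source beside it"
        print(f'{b["path"]:20} {b["size"]:6d} {b["sha256"][:12]}{flag}')
```

Point it at a real checkout by calling find_blobs(Path("path/to/repo")); the sha256 column is what you would compare against a known-good build or a vendor's published digests, and the unflagged-source rows are the ones worth asking the maintainers about.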

Mikle_Bond

@arraybolt3 @untsuki @vkc

This is... not anything I've seen users of ANY open-source project do, [...]

Try telling neovim people that you've tried it, but liked vim more. I've witnessed that statement ignite things at least twice.

On a less sarcastic note: I don't see anything suspicious in the comments section on YouTube. Did the offensive comments sink too far into the timeline, or were they deleted by now? As of now, most of them are praises and mentions of Rufus/Etcher.

「羽飛やこう:最不調和の化身」

@arraybolt3@theres.life @vkc@linuxmom.net The comments may look like a replay of the Jia Tan incident, but it isn't like forcing someone to hand their maintainer role to another like last time. I can see where those people are coming from, because just like them, I'm somewhat of a Ventoy fan, booting several ISOs for system installations and repairs. If I had watched her video, I would likely have left a comment asking why Ventoy was left out too, and I also see avid fans of certain products bombarding recommendations when they see a list that doesn't contain what they love.
The solution you recommended, which requires purchasing a separate piece of hardware, is sadly not feasible in a broader context. Where thumb drives can be obtained relatively cheaply, the pieces of hardware you recommended cost around 50 euros each. On the cost front alone, the temporary solution offered isn't likely to attract a crowd of any significance.
I must admit, however, that the binary blobs are indeed quite questionable, as I also went through the nightmare of manually downgrading the packages on a fleet of servers myself during that xz incident, writing a call-out post after that. I can't say I'll be stopping using Ventoy at all in the foreseeable future until another all-software solution makes its scene, but I'll keep this disturbing fact in mind.

Edit: Sifting through the comment section, I found @attilax@framapiaf.org mentioning MultiSystem (use machine translation if you cannot read French), which was sadly discontinued over two years ago.

bill [figger]
@arraybolt3 @vkc shitty win10 install now infected with chinese spyware i guess