In 2012, an industry-wide coalition of hardware and software makers adopted Secure Boot to protect against a long-looming security threat. The threat was the specter of malware that could infect the BIOS, the firmware that loaded the operating system each time a computer booted up. From there, it could remain immune to detection and removal and could load even before the OS and security apps did.
To this day, key players in security—among them Microsoft and the US National Security Agency—regard Secure Boot as an important, if not essential, foundation of trust in securing devices in some of the most critical environments, including in industrial control and enterprise networks.
On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what’s known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it.
The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text. The disclosure of the key went largely unnoticed until January 2023, when Binarly researchers found it while investigating a supply-chain incident. Now that the leak has come to light, security experts say it effectively torpedoes the security assurances offered by Secure Boot.
“It’s a big problem,” said Martin Smolár, a malware analyst specializing in rootkits who reviewed the Binarly research and spoke to me about it. “It’s basically an unlimited Secure Boot bypass for these devices that use this platform key. So until device manufacturers or OEMs provide firmware updates, anyone can basically… execute any malware or untrusted code during system boot. Of course, privileged access is required, but that’s not a problem in many cases.”
In 2012, an industry-wide coalition of hardware and software makers adopted Secure Boot to protect against a long-looming security threat. The threat was the specter of malware that could infect the BIOS, the firmware that loaded the operating system each time a computer booted up. From there, it could remain immune to detection and removal and could load even before the OS and security apps did.
@dangoodin It's a shame only one of the many keys were revealed, so while you can now at least boot whatever free software you want, the UEFI itself cannot be freed.
@dangoodin Thank Darwin that was the only blunder compromising Secure Boot and we can absolutely trust it otherwise.
(Are typewriters still being made? I had a very fine electric typewriter with small edit buffer I gave away in the 90s. Now it would be worth thousands :-)
@netzpolitik_feed@pretix Hätte gerne teilgenommen, aber an einem Freitag hieße für mich, dass ich zwei Tage Urlaub (für Anreise und Konferenz) nehmen müsste. Schade.
Nachdem die re:publica schon vor Corona zu einer Kindergeburtstagsfeier geworden ist, und ich deshalb aus Frust nicht mehr teilnahm (kein Mehrwert), freue ich mich auf 'was Neues!
"Linux would have prevented this!" literally true because my former colleague KP Singh wrote a kernel security module that lets EDR implementations load ebpf into the kernel to monitor and act on security hooks and Crowdstrike now uses that rather than requiring its own kernel module that would otherwise absolutely have allowed this to happen, so everyone please say thank you to him
@mjg59 I find these recent takes by the Linux “Master Race” / Community extremely toxic and damaging to the community. Open Source Software is not the answer and has shared it’s own number of recent controversies (ie XC, OpenSSL) but these seem to be forgotten about pretty quickly - just because it’s open doesn’t mean it’s secure. As a software developer and user of MacOS, Windows 11 and Debian 12, I find all 3 OS’s have their place, purpose and reason to co-exist
This is the most glorious thing I have seen in some time. WiFi at 35,000ft, tunnelled through the "first name" field of an air miles account. https://robertheaton.com/pyskywifi/
@aallan I stopped at “I’d forgotten to charge my headphones so Limp Bizkit started playing out of my laptop speakers. Fortunately no one else on the plane seemed to mind so we all rocked out together,” because it means either it’s a lie, and so probably the rest of the post is too, or he’s a dickhead.
Offensichtlich herrschen in Sachsen Zustände die nicht mehr mit einem demokratischen Rechtsstaat vereinbar sind, sondern blanke Willkür. Ohne ausgeprägten Rassimus ist das nicht zu erklären.
Ein Staat der rassistische Angestellte nicht rauswirft schafft sich selbst ab.
Offensichtlich herrschen in Sachsen Zustände die nicht mehr mit einem demokratischen Rechtsstaat vereinbar sind, sondern blanke Willkür. Ohne ausgeprägten Rassimus ist das nicht zu erklären.
Ein Staat der rassistische Angestellte nicht rauswirft schafft sich selbst ab.
>>Ein Marokkaner wurde aus Chemnitz abgeschoben, obwohl das Verwaltungsgericht dies untersagt hatte. Nach Angaben seiner Anwältin haben sich die Verantwortlichen der Stadt Chemnitz und der Landesdirektion Sachsen dem Gerichtsbeschluss widersetzt. Die Sachbearbeiterinnen erklärten, sie fühlten sich nicht an den Beschluss gebunden und weigerten sich, ihn an die Bundespolizei weiterzuleiten.<<
“On the day of the attempted assassination of Trump, at least 59 shootings took place in the United States, according to the Gun Violence Archive. They killed 34 people, including Trump supporter Corey Comperatore, and injured 80, including Trump. The bloodiest such incident was at a nightclub in Birmingham, Ala., where four people died and at least 10 were injured in a drive-by shooting. You probably didn’t even hear about it.” https://apple.news/AOw5QAyuxRUW5-MQoq__4ng
And this is why listening to folx with lived experiences of harm is essential when doing liberation work because I have to admit that until I read the caption, I thought that this was a “good” thing
This is why we all need to continually ask ourselves “what am I missing?”
@KimCrayton1 first time I saw one of these I thought wouldn't a wheelchair user just park to the side or front of the bench at a comfortable distance and angle for chatting?
Backing into that space would have the effect of being in different rows of seating. Going forward into the gap would be better for talking to someone on the bench but then the bars are just awkward and useless. Which is true in any case.
No way this was ever designed with wheelchairs in mind.
Immer wieder verwunderlich, wofür dann auf einmal doch Geld da ist. Während die Finanzierung des 49-Euro-Tickets wackelt, gibt es im neuen Bundeshaushalt offenbar zusätzliche Steuermittel für Dienstwagen.
So soll die Bemessungsgrenze für elektrische Dienstwagen von 70.000 auf 95.000 € erhöht werden.
Überraschung: Davon profitieren ausschließlich besserverdienende Autofahrer*innen.
Immer wieder verwunderlich, wofür dann auf einmal doch Geld da ist. Während die Finanzierung des 49-Euro-Tickets wackelt, gibt es im neuen Bundeshaushalt offenbar zusätzliche Steuermittel für Dienstwagen.
So soll die Bemessungsgrenze für elektrische Dienstwagen von 70.000 auf 95.000 € erhöht werden.
Überraschung: Davon profitieren ausschließlich besserverdienende Autofahrer*innen.
@quincy
Dann kennst du Eduard den Haschischhund? Und kannst mir vielleicht sagen an wen ich mich wenden müsste um einem Drogenspürhund im Ruhestand ein Zuhause bieten zu können? Ich liebe nämlich Hunde und auch wenn ich selbst nicht mehr Kiffe stelle ich mir das sehr praktisch vor wenn mal wieder ein Genosse sein Dope verlegt hat... @GundelPundel
@b0rk I also came to the Emacs strokes late, as a Vim user. one great thing about learning them is that they work in a lot of macOS UIs too. In particular ctrl-p/ctrl-n
Nicht zu fassen: Der von Stark-Watzinger installierte neue Staatssekretär Philippi äußert intern, dass er nichts gegen eine Selbstzensur aus Sorge um eine BMBF-Förderung hätte. Diese Ministerin ist eine Bedrohung für die Meinungs- und Forschungsfreiheit. https://www.jmwiarda.de/2024/07/10/brisante-chats/
It turns out Google Chrome ships a default, hidden extension that allows code on `*.google.com` access to private APIs, including your current CPU usage
You can test it out by pasting the following into your Chrome DevTools console on any Google page:
It turns out Google Chrome ships a default, hidden extension that allows code on `*.google.com` access to private APIs, including your current CPU usage
You can test it out by pasting the following into your Chrome DevTools console on any Google page:
@simon friendly reminder that you need root access to fully remove Google from many android phones and tablets and that root access generally voids your warranty. That said, most warranties don't last longer than a couple years so if you've had your phone for 2 or more years then you likely have little to lose by ripping your *.google.com applications out and replacing them with much more secure applications.
If you don't want to do that, the paid version of #netguard can at least lock down your phone's network traffic app by app and web address by web address.
@simon friendly reminder that you need root access to fully remove Google from many android phones and tablets and that root access generally voids your warranty. That said, most warranties don't last longer than a couple years so if you've had your phone for 2 or more years then you likely have little to lose by ripping your *.google.com applications out and replacing them with much more secure applications.
Dauerthema 49-Euro-Ticket: Erst will die Hessen-CDU aussteigen, dann knüpft Lindner die Bahnsanierung an eine Preiserhöhung, und jetzt zieht die Verkehrsministerkonferenz nach. Es drohen teurere Tickets und/oder ein neuer Flickenteppich.
Der VCD kämpft dafür, das Ticket preisstabil zu halten und zu verbessern. Dafür braucht es ein neues Regionalisierungs-Gesetz und Zusagen vom Bund!
Dauerthema 49-Euro-Ticket: Erst will die Hessen-CDU aussteigen, dann knüpft Lindner die Bahnsanierung an eine Preiserhöhung, und jetzt zieht die Verkehrsministerkonferenz nach. Es drohen teurere Tickets und/oder ein neuer Flickenteppich.
Der VCD kämpft dafür, das Ticket preisstabil zu halten und zu verbessern. Dafür braucht es ein neues Regionalisierungs-Gesetz und Zusagen vom Bund!
@VCDeV Das Deutschland-Ticket für 49 Euro darf einfach nicht gewinnen. Zu sehr klingt es den Konservativen Bremsern sozialer Politik wie Kommunismus. Und das wurde in der Deutschen Nachkriegspolitik Bonner Prägung schon immer aufs Schärfste Bekämpft ...
@dangoodin
I'm not sure UEFI with its large attack surface is better, security-wise, than good old BIOS which was at least easily auditable.
@dangoodin Thank Darwin that was the only blunder compromising Secure Boot and we can absolutely trust it otherwise.
(Are typewriters still being made? I had a very fine electric typewriter with small edit buffer I gave away in the 90s. Now it would be worth thousands :-)