Select models of:
Acer
Dell
Gigabyte
Intel
Supermicro
aopen
formelife
You’re welcome.
Even Intel lmao
Damn, Acer. You used to be cool. (a very long time ago)
They were always a pretty cheap brand IMO, but pretty reliable.
Source: typing this on an Acer monitor that I’ve had for… 10 years? It kind of looks like crap, but it works and no dead pixels, so that’s cool.
I had a nicer Acer monitor that I replaced with a similar Samsung model about a year ago. I still kinda miss the Acer. Both were 32" curved LCD and 1440p. The Acer had a much more uniform curve to it, and the Samsung has a bunch of firmware issues that sometimes can only be worked around by unplugging it and power cycling it that way. The only reason I “upgraded” was the Samsung had better support for PS5 and scaling 4K inputs down to the native 1440p without artifacts.
o7
You’re missing the additional list mentioned later on, also includes Lenovo and some others
Doing the lord’s work here!
Secure Boot is a broken concept by design.
To this day, key players in security—among them Microsoft and the US National Security Agency—regard Secure Boot as an important, if not essential, foundation of trust in securing devices in some of the most critical environments, including in industrial control and enterprise networks.
You dare question a monopoly corporation and the spymasters of this country??
(/s)
industrial control and enterprise networks
That’s doing a lot of work here.
Yes, it’s important in certain situations, but for consumer devices, it’s just another thing that can go wrong when using alternative operating systems. Regular users don’t have the physical risk these other systems do, and making it more difficult for users to install more secure operating systems goes against the bigger threat.
Linux is compatible with Secure Boot (source: I exclusively run Linux, and use Secure Boot on my systems), but some distros or manufacturers screw it up. For example, Google Pixel devices warn you about alternative ROMs on boot, and this makes GrapheneOS look like sketchy software, when it’s really just AOSP with security patches on top (i.e. more secure than what ships with the device). The boot is still secure, it’s just that the signature doesn’t match what the phone is looking for.
It’s just FUD on consumer devices, but it’s totally valid in other contexts. If I was running a data center or enterprise, you bet I’d make sure everything was protected with secure boot. But if I run into any problems on personal devices, I’m turning it off. Context matters.
Yes, surely randoms on Lemmy know better than Microsoft and the NSA in regards to security.
Oh anyone who doesn’t trust Microsoft with their life is a complete idiot. And the NSA only illegally spied on everyone until Bush the II made it legal! So of course we should unquestioningly follow their configuration guides. I mean - haha - we don’t wanna get disappeared! Haha ha. Not. Not that that’s ever happened. That we know of. For sure. Probably.
in regards to security
in regards to security
in regards to security
in regards to security
Just wanted to make sure you saw it this time because you went off on a tangent there.
It doesn’t matter if they know about security (which they do). A burglar could know about locks and home security systems, would you take his advice?
Their positions on security of others is dismissed on grounds of trust not of competence.
The NSA has two jobs.
The first is to break into any computer or communications stream that they feel the need to for “national security needs”. A lot of leeway for bad behavior there, and yes, they’ve done, and almost certainly continue to do, bad things. Note that in theory that is only allowed for foreign targets, but they always seem to find ways around that.
The second, and less well known, job is to ensure that nobody but them can do that to US computers and communications streams. So if they say something will make your computer more secure, it’s probably true, with the important addition of “except from them”.
I won’t pretend I like any of this, but most people are much more likely to be targeted by scammers, bitcoin miners, and ransomware than they are by the NSA itself, so in that sense, following the NSA’s recommendation here is probably better than not.
Exploits don’t care if you are actually the NSA or not. The NSA certainly knowns that yet they keep exploits secret at least from the public.
They have argued for key escrow for God’s shake.
They are primarily an intelligence agency. If you are not likely to be targeted by the NSA you are also unlikely to be targeted by any of their adversaries. They don’t give a shit if you get scammed, they are not the FBI, who also keep secret exploits and are anti-encryption.
Additionally using their “best” exploits on more simple targets still poses a risk to them being discovered and fixed. Therefore it’s beneficial to them for everybody’s security to be compromised. It also provides deniability.
A burglar could know about locks and home security systems, would you take his advice?
Literally, yes. There was even a TV show about it.
Do you have any evidence those two people are still committing burglaries? The NSA is not an ex-intelligence agency.
I get my advice from LockPickingLawyer on YouTube. He’ll demonstrate the weaknesses of various locks, and say which to avoid and which are probably okay (“okay” is a really strong recommendation from him). He’ll still break into really secure locks in <2 min, but he’ll describe the skills necessary to break in and let you decide on what your threat level.
Basically, as long as it’s bump and bypass resistant, you’re good. Burglars aren’t going to pick locks, they’ll either break a window or move on if the lock stops them. A good lock doesn’t keep out a burglar, it just slows them down enough that they’ll give up.
So yes, get advice from people who have the skills to break the protection they’re recommending, they’ll be able to separate things into threat categories. If you want OPSec advice, visit black hat hacking forums and whatnot, you’ll get way better advice than sticking with the normie channels.
A burglar could know about locks and home security systems, would you take his advice?
If they were an expert burglar, I might
Source: I’m an expert burglar and all of the others on my burglar crew are very helpful when people ask about home security stuff.
Exactly, they have a clear conflict of interest
Hey what is that, some kinda tangent
Security is the last thing NSA and Micro$oft care about. NSA wants to be sure they can do all they need to with your devices, and M$ just wants to discourage you from switching to linux.
This is obviously insane
Lol, if you say so
Microsoft a key player in security ?
lol at the DO NOT TRUST keys.
I’ve learnt over the years that you have to make the example code fail to compile or print out huge user-visible warnings or something like that, otherwise people can and will use it as-is in production, hard-coded keys and all.
Even if you make it print out a huge message, some manufacturers will just comment that out while keeping all the other dummy example data.
I’ve seen several production OAuth/OpenID servers that accepted an app ID and secret from a “how to set up an OAuth server” tutorial, and in one case the company was using that app ID for all their production services.
That’s on the company for paying pennies for their dev and production roles.
What is Secure Boot actually good for? Serious question.
It’s supposed to prevent unsigned files from being loaded by the UEFI (AFAIK) which could possibly help with rootkits, if it doesn’t somehow sign itself. However, these are pretty rare if you don’t allow sketchy software to access your boot partition, and will often cause issues with non major Linux distros.
I had dell pc refuse to boot Linux mint because of secure boot
I’ve been wary of secure boot and pluton chips for this reason.
Then you haven’t set it up right
Nah man, it didn’t even allowed to boot iso from ventoy until i disabled secure boot
With Debian I think I was able to load the appropriate keys after installing the OS and then re-enable secureboot in the bios. Might be worth checking into.
I just don’t bother with secure boot as its not in my threat model. I turn it off
Well of course, thats the setup. Disabling secure boot. If it didn’t stop you from booting a third party OS without you toggling that BIOS option, then the security feature would be pointless.
Imagine if in the future that option becomes untouchable
Then it would be an issue and I would not suggest anyone buy those machines
The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text.
It’s like installing a top-of-the-line alarm system for your house with camera, motion detector, alarm, and immobilizing gas, then leaving the unlock password on a PostIt under the welcome mat.
immobilizing gas
BRB, setting up a new automation in Homeassistant…
Send yaml
For anyone interested, that 4 characters is the lowercase in alphabet order, starts from index 0.
200+ models from 5 big device makers
Nearly 500 device models use them anyway.
Bleeping Computer reports 813 products from 10 vendors.
Checked the BIOS update file of a Gigabyte motherboard I have here (Z170X - Gaming 7):
DETECTED PKfail untrusted certificateIssuer: CN=DO NOT TRUST - AMI Test PKK-rapy garboge!:
There’s little that users of an affected device can do other than install a patch if one becomes available from the manufacturer.
Gentoo gives extensive instructions:
Arch:
NIST (US government guides cover POSIX/Windows with a layperson explanation and guide):
- https://csrc.nist.gov/projects/key-management
- https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt3r1.pdf
The technical documentation about Secure Boot says that SB is not a mechanisms to steal ownership of your device. It is a spurious claim because the design specification is only a reference and not a requirement. Gentoo has further documentation that can be found describing KeyTool, a package that enables booting directly into UEFI to change the keys manually if your implemented UEFI bootloader lacks the functional implementation required to sign your own keys. I’ve never tried it personally. I merely know of its existence.
Clearly, the solution is to just abandon all
hopehigher level abstraction. Pedal to the metal with Assembly (and maybe LISP and Forth) straight from booti like how the manufacturers who responded to the author’s queries basically said ‘tough shit, that product is out of support’
i heard that linux users dont rlly like secure boot
I don’t speak for all Linux users, but it’s not like we don’t like the tech or the concept… We don’t like it because a lot of the time it’s just another way for Microsoft to throw around their weight, you need a valid key to sign your kernel images with to be able to boot another OS instead of Windows, and some motherboards don’t support installing your own keys as trusted keys. But usually there are ways around that issue nowadays.
And also it’s not an easy process if you’re not an advanced user of sorts. You have to know what is entailed, what to use, where to store your keys safely, have a script to re-sign the kernel image every kernel update(which happens every week on something like Arch), etc.
ngl i got fedora secure boot working with microsoft uefi keys it required some tinkering
They don’t like it because it’s mostly implemented in microsofts favor. It’s shipped with microsoft keys by default and needs to be disabled to boot a lot of linux distros. If there was a more unbiased way to load a new os like a default key setup routine at first boot or a preinstalled key for major linux distros they wouldn’t be so hostile towards secure boot. The technology isn’t bad and it’s the only way to not have somebody temper with your system at rest without TPM.
i agree and makes sense
Which is dumb. Secure Boot does make sense (if handled correctly, unlike here).
agree???
