from the one-person's-insecurity-is-another-person's-opportunity dept.
MSI accidentally disables Secure Boot on hundreds of its motherboards:
One of the latest MSI UEFI updates accidentally disabled Secure Boot technology on hundreds of its motherboards, reports Bleeping Computer. As a consequence, over 290 motherboards for AMD and Intel processors can run insecure operating systems, which can be harmful.
MSI's firmware update version 7C02v3C released on January 18, 2022, comes with Image Execution Policy set to 'Always Execute' by default, which allows the PC to boot an operating system that lacks proper signature by its developer. This means that a computer can boot an OS that may have been tampered with, which is an insecure policy as the operating system may be infected or have malicious intent.
The discovery was recently made by Polish security researcher named Dawid Potocki. The researcher noted that he contacted MSI, but did not receive any response, which essentially means that so far the motherboard maker has not fixed its Secure Boot.
See article for a list of motherboard models.
(Score: 5, Insightful) by Anonymous Coward on Friday January 20 2023, @10:30PM (20 children)
don't let those penguin-loving mongrels in the door!
microsoft is your only salvation!
(Score: 3, Funny) by corey on Friday January 20 2023, @10:34PM (6 children)
Was going to say the same.
The article reads like FUD. Who installs their own operating systems these days? The average chump? Or geeks who kinda know what they’re doing (and get images from legit sources and might even check the MD5 sum?
(Score: 2) by mcgrew on Saturday January 21 2023, @02:51PM (5 children)
It IS FUD! Clearly anti-freedom propaganda from one of America's premier Fascist corporations.
Yes, Fascist. Under Fascism, business rules government, exactly how the American government has operated since Reagan.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2) by RS3 on Saturday January 21 2023, @07:23PM (4 children)
Fed chair Alan Greenspan [wikipedia.org] infamously used to say "let the markets work it out", which kind of obviously sets the foundation for Facsism. Right after the big financial crisis of 2008 he completely reversed himself on that, saying he regretted that philosophy (which led to "too big to fail"). Too bad society doesn't learn from its own history.
I firmly believe that if economics was taught in school the world could change for the much better.
(Score: 3, Insightful) by mcgrew on Thursday January 26 2023, @08:06PM (3 children)
I firmly believe that if economics was taught in school the world could change for the much better.
Perhaps it's my own ignorance, but it seems to me that there isn't a single economist in the world that another isn't calling him a gold-studded liar. If there were any validity to that field, how in the hell did the "trickle down theory" happen, when it should be obvious to anyone that wealth flows up? Wealth is created by engineers, farmers, and factory workers, not CEOs and board members. The working class earns the rich's money for them.
Maybe they should teach simple arithmetic, like in 1965 the federal minimum wage was $1.50 and a McDonald's hamburger was 15¢, today that wage is $7.50 and that burger is $2.49. That formula says the minimum wage should be $24.90.
Or history. In 1940, the lowest federal tax bracket was over four times the median income.
The rich are robbing us blind and we're too stupid to stop them.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2) by RS3 on Thursday January 26 2023, @08:43PM (2 children)
You're agreeing with me more than you know, and thank you. I agree with you. That's what I was trying to say- keeping people ignorant of economics is why the disparity is happening. If everyone learned a lot of economics in school, "trickle down economics" would have trickled down the toilet drain.
It's very easy to commingle finance and economics. People much more easily think of money. Economics is more conceptual. Like you alluded to, I prefer to think about productivity. But then you equate it with money, and the greedy get into the stream.
Strong capitalists will argue that greed, the love of money, drives increased productivity, investment, marketing, sales, commerce, ...
A huge factor is rent and land prices in general. Landowners are getting richer and richer, and working people paying higher and higher rents and mortgages. It's off the charts in far too many areas.
I don't know how to fix it. Like most things, I don't think it's a black or white thing, but I'm very sure if people learned economics from an early age, they'd make better decisions with their time and money, and we'd have less disparity.
All that said, there are many premises on which many economic theories are based. An example: 2 gasoline sales places, very close to each other, one has a higher price, yet just as busy as the lower-priced one. Sure, there are myriad factors, but it breaks the "law of supply and demand". So you go deeper into economics, learn about elasticity and many other factors. Again, I think if it was taught much more, there would be more people who are expert, better understanding, more thought would go into laws, policies, taxes, interest rates, caps on interest, individual decisions. It's not a panacea, and I don't think there is one, just that things could be much better if everyone had better understanding of the machine of economics.
(Score: 3, Insightful) by mcgrew on Saturday January 28 2023, @07:30PM (1 child)
I don't know how to fix it.
We can't. Congress could, but won't. All they would have to do would be to raise the minimum wage to 1965's buying power when the federal minimum was $1.50 and a McDonald's hamburger was 15¢ (24.90 per hour) and then tie the minimum wage to inflation, like Social Security is.
As to the gas station guys, the higher priced, more busy one may be easy to get in and out of, the other not. Or it could be like the two gas stations down the street. The cheap one is run by assholes, and who wants to enrich assholes? If the prices were comparable he wouldn't get any business at all. I won't get gas there.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 3, Interesting) by RS3 on Saturday January 28 2023, @09:30PM
Absolutely agree on all points.
As to gasoline sales, yes, there are many many factors. My point was that (too) much economic theory is based on simple supply-demand curves, as if price was the only factor.
When things like 2008's "too big to fail" happen, it lets you know how little anyone is minding the store (the entire economy).
I always use one of the gas price watching websites. I'm at least trying to work the economic system! :)
A few years ago I went into a small convenience store / gasoline retailer, plunked down my $50, and the gentleman said "whew, you just made it. I have to watch the gas station down the street and change our price whenever they change theirs, and they just raised it $0.15 / gallon".
(Score: 3, Touché) by darkfeline on Saturday January 21 2023, @12:03AM (12 children)
Are you implying that Linux can't use Secure Boot? You should be using it even if you use Linux, as it prevents evil maid attacks.
Join the SDF Public Access UNIX System today!
(Score: 4, Funny) by Anonymous Coward on Saturday January 21 2023, @12:40AM
I wish I would have known that before an evil maid attacked me.
(Score: 3, Funny) by RS3 on Saturday January 21 2023, @01:47AM
I'm trying to learn. I understand what an "evil maid attack" is.
Is UEFI also "secure boot"?
How does either make me more secure?
If I use normal non-UEFI BIOS and encrypt my hard drive / SSD, how would UEFI / secure boot be different / better?
(Score: 5, Insightful) by coolgopher on Saturday January 21 2023, @02:27AM (1 child)
I'll consider it if you start hiring a maid for me.
Right now, if there's unauthorised physical access to my desktop then I have much bigger problems.
(Score: 3, Informative) by tangomargarine on Saturday January 21 2023, @03:46PM
Yeah, I thought Rule Zero of computer security was "if they have physical access, you're fucked"?
Unless of course you start doing things like Secure Boot that are extremely invasive and a pain for the customer if they ever go wrong...
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 3, Informative) by Anonymous Coward on Saturday January 21 2023, @07:57AM (4 children)
How does secure boot prevent the evil maid from cloning the drives and/or secretly installing usb keyloggers, cameras, microphones[1] etc?
Sure it prevents booting up an unapproved/tampered OS. But the other attacks would be more likely. Why the heck would the evil maid bother tampering with the drive's system files when she could do so many other things?
If she was evil and wanted to tamper with the drives and they are unencrypted, she should tamper with the documents which could have far worse impacts. Secure boot doesn't prevent that from happening.
If the drives are all encrypted it would be safer for her to doing the other attacks than to tamper with the boot stuff - because someone who uses full drive encryption might be using other ways of detecting that the system files have been tampered with.
[1] https://www.newscientist.com/article/dn7996-keyboard-sounds-reveal-their-words/ [newscientist.com]
(Score: 3, Interesting) by RS3 on Saturday January 21 2023, @07:26PM
You and I and most here know all of that, but the point of FUD is to confound and confuse the non-technical who actually make technical decisions that get foisted on us poor techs who waste time spinning our wheels because UEFI and "secure boot" fight us tooth and nail when we're just trying to recover someone's broken computer. (yes, very recent experience with it)
(Score: 1, Informative) by shrewdsheep on Saturday January 21 2023, @09:40PM (2 children)
Secure boot forces an attacker to use an exploit of an authorized OS. Arguably, that makes attacks more difficult. Using a usb keylogger, for example, is non-trivial when secure boot is active. I do use secure boot when available (Linux) and I had to disable it when I needed to install an unsigned kernel module for a docking station. The authorization chain therefore includes drivers making everything hardware vetted territory.
(Score: 0) by Anonymous Coward on Tuesday January 24 2023, @02:42AM (1 child)
(Score: -1, Redundant) by Anonymous Coward on Tuesday January 24 2023, @01:26PM
Are you referring to Windows OS or third party malicious software?
(Score: 2) by Ingar on Saturday January 21 2023, @12:18PM (2 children)
Linux doesn't "use" secure boot, that is not now how it works. Secure Boot boots Linux, if it decides you're allowed to boot it.
If it detects your startup files have been tampered with, you're already screwed because it means some process was able to access and alter your boot files.
(Score: 1, Interesting) by Anonymous Coward on Saturday January 21 2023, @02:49PM (1 child)
Then what is the point, other than to make it harder to install linux? The only related matter is a warning that I can't use some drivers as secure boot is.not enabled. Which is a serious wtf. Why would loading drivers ever be related to how the OS boots. If I want to trust a driver I should be able to install it. Otherwise, why bother having it.
(Score: 0) by Anonymous Coward on Tuesday January 31 2023, @12:17AM
The people who devise this crap, like "secure boot", are maybe 1/4 as smart as the attackers.
To make it worse, the people who devise this stuff are much better at convincing others that their hairbrained ideas are the be-all and end-all of security.
tl;dr: "Security" people are usually much better at posturing and selling than innovating security.
(Score: 4, Informative) by janrinok on Saturday January 21 2023, @08:57AM
MSI has assured users on Reddit that the company will soon deploy a fix for a Secure Boot bug affecting a plethora of AMD and Intel motherboards. The new firmware will rectify the error and enforce tighter security settings.
Although MSI's new firmware will fully restore Secure Boot's function, users can still go into the BIOS and fiddle with the individual settings themselves. Unfortunately, the motherboard vendor didn't specify an exact date on when the new firmware will be available to users. However, given the severity of the issue, it shouldn't be long before the rollout commences.
(Score: 1, Touché) by Anonymous Coward on Saturday January 21 2023, @02:55PM
In my experience "secure boot" should be disabled.
(Score: 4, Insightful) by tangomargarine on Saturday January 21 2023, @03:50PM (2 children)
We survived until 2011 without this SecureBoot nonsense, dude. I have a hard time believing that anybody who isn't in Microsoft's pocket and knows what they're talking about actually thinks this crap is necessary.
(admittedly satisfying both those conditions eliminates about 90% of anybody who uses a computer but that's not my problem)
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 3, Interesting) by RS3 on Saturday January 21 2023, @07:30PM (1 child)
What I'm not sure about: if you disable "secure boot", will Windows 10 / 11 know and cause problems? Like will it refuse to allow you to install something, or change something, because it "detects an insecure system"??
If it's not doing that now, will MS release a "security patch" to brick computers that didn't "securely boot"??
(Score: 0) by Anonymous Coward on Tuesday January 24 2023, @01:23PM
How does a computer running Windows 10 with this option apply the Windows 11 patches and just keep working? Or does it just allow anything signed by microsoft?
What if I want to make and run my own OS?