Bonum Certa Men Certa

[Video] UEFI Insecure Boot: Another Nail in the Coffin

posted by Roy Schestowitz on Jul 29, 2024

Video download link | md5sum dd9c634b1416f67902406317d73b9009
Insecure Boot Strikes Again
Creative Commons Attribution-No Derivative Works 4.0

Preview for Insecure Boot Strikes Again

THE small bunch (borderline fringe) of 'Secure Boot' Microsofters are not talking about the latest blunder. They just have nothing to say in their defence. They've been proven wrong. So let's discuss the matter. We don't just let it pass.

12 years ago they told us adoption of 'bootlocks' is fine and that this is perfectly OK. To oppose this would be to oppose security. Well, patience is a virtue here because over the past 12 years we've repeatedly been proven right and we can howl from rooftops now. The lesson is, do not believe anything Microsofters say. As an associate put it recently, there will "be a few long-form series later on in the indefinite future on the details."

The time seems right to respond to over a decade of mindless propaganda from Microsofters. They're hired professional censors in an effort to suppress information and intimidate women.

Some have dubbed this latest scandal "InSecure Boot" and security gurus are deeply concerned ("This isn’t good"). IDG said:

Security research firm Binarly reports that leaked cryptographic keys have compromised hardware from several major vendors in the PC industry, including Dell, Acer, Gigabyte, Supermicro, and even Intel. Eight percent of firmware images released in the last four years are compromised, with 22 untrusted keys discovered immediately.

This is also discussed in some GNU/Linux forums. One commenter said: "It's security done by Microsoft... that's all that needs to be said, eh?" Another one said: "Yeah, enough said. I'm grateful that I was able to switch off secure boot on my new T14 Thinkpad to install Linux. I'm glad that Windows isn't on my home LAN."

This additional report says "Secure Boot key compromised in 2022 is still in use in over 200 models — an additional 300 more use keys are marked ‘DO NOT TRUST’". To quote from the summary:

>Software security firm Binarly discovered that over 200 device models used a compromised security key, while an additional 300 more used default test keys shared with nearly all of AMI's customers.

Finally, for the time being, this one mentions another "brand name" for this issue:

A vulnerability dubbed PKfail can allow attackers to run malicious code during the boot process, which can be used to deliver UEFI bootkits.

No matter what one calls it - e.g. "PKfail" or "InSecure Boot" - this is a black eye to Microsofters.

Iris Flower Art Vintage

We already added some of these stories to Daily Links or had them linked to the originals in the sister site, but on Saturday we did a video about it. The first piece that everyone linked to (also in IRC) was Ars Technica's and it sort of speaks for itself. An associate called for "a Tomi Ahonen style "I told you so" article," arguing that "even short series is warranted because the public had been warned in detail in advance of just these kinds of problems."

We've repeatedly written about this since 2012.

"There are other problems too which have manifested," the associate said, "this is not the first."

There are also more serious warnings (warranting further precautions) which have not yet come to pass, so the other shoe has yet to drop - so to speak - on UEFI.

The politics which the UEFI patches and shim allowed Microsoft can be re-examined in this context.

Microsoft is meanwhile pushing the media to pretend no option exists other than Windows (and Office) for new laptops and desktops. What is this, 2004? Citing this as an example, the associate said "Microsoft pursues trapping people into a the sunk cost fallacy to prevent upgrading the OS to Linux or, worse from their perspective, using open formats for documents."

The way Microsoft sees things, anything other than Windows is not trustworthy or is "piracy". People who object to Windows are being bullied and vilified, even if the facts are on their side all the time.

Other Recent Techrights' Posts

Someone Should Remind Microsoft Lunduke That Microsoft Hires Many Sexual Criminals and Pedophiles as Well
Microsoft Lunduke on an "expedition" to find one or more perverts, then generalise to everyone in the "community"
Cash Machines (ATMs) Make Mistakes and They're Proprietary Software
Correcting mistakes is a colossal challenge
Yes, Microsoft is the Problem
"I am no MS shill."
Another Failed Use Case for Chatbots (LLM): Legal Advice and Analysis
They're just some self-discrediting toy that costs way too much to operate
Nonfree Software in My Bank, by Richard Stallman
Updated 8 hours ago
 
Links 29/07/2025: Data Brokers Gone Wrong/Rogue and "Copyright Thicket"
Links for the day
Slopwatch: Linuxconfig.org, Linuxsecurity.com, Fagioli, The Register
Today's "Slopwatch" isn't the first article about LLM slop
We Cover Topics Other Sites Are Too Afraid to Cover (Even When They Know the Facts)
It's not that they doubt the truth, they just realise there may be consequences for talking about it
They Try to Tell Us the Free Software Foundation Inc is Dying, But Its Revenue Doubled Since the Dot-Com Bubble Burst
Being in "Activism" is never easy; but it does positive things for society
It's About the Cost of Workers, Not the Fictional Skills Shortage (That Does Not Exist, the Media Spreads False and Sometimes Self-Fulfilling Narratives)
This issue isn't limited to computing, some dub it "globalism"
Links 29/07/2025: More Pushbacks Against Slop and More Praises of Tom Lehrer
Links for the day
Gemini Links 29/07/2025: Purple Yarrow and Understanding Op Amps
Links for the day
This Monday WebProNews Absolutely Flooded the Web With Fake (LLM Slop) 'Articles' About "Linux", Google News Promoted Them as Legitimate
All of the following are fake articles attributed to pseudonyms or authors that don't exist; the images are also slop. Why does Google promote these?
Linuxiac is Not a Slopfarm, But at Least Some of Its Articles Are Machine-Generated Fakes
what we said about it was correct
Expect More Microsoft Layoffs
"Are more job cuts coming?"
Microsoft Behaving Like It's Running Out of Money to Pay Salaries
Does that seem like the behaviour expected from a company which claims it is "worth" trillions?
LWN Downtime Due to Linode, Not LLM Bots
"I’ve received an email letting me know that there is a potential for data loss."
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, July 28, 2025
IRC logs for Monday, July 28, 2025
Links 28/07/2025: Science, Health, and Conflicts
Links for the day
Gemini Links 28/07/2025: Healthy Self-Image With Autism and a "New Life"
Links for the day
Links 28/07/2025: COVID-19 Sped up Brain Aging, "Circumvention is More Popular Than Compliance"
Links for the day
Richard Stallman is Usually Right Because He Thinks "Outside the Box"
he is able to observe society (mores and norms) as somewhat of an outsider
LWN Has Been Down for a Long Time, Another Casualty of LLM Bots?
Time will tell. How much time though?
Slopfarms Versus 'Linux' (and Against People Who Write Real Articles About GNU/Linux)
LLM slop in slopfarms by Brian Fagioli and Redazione RHC
Gemini Links 28/07/2025: Bila Yarrudhanggalangdhuray and Running pkgsrc in a FreeBSD Jail
Links for the day
Microsoft Turns News Sites Into Spamfarms
Is the site The Register MS the next IDG?
The Register MS/The Register US
On Saturday I contacted them for a comment (before issuing criticism)
Hacking revelations at Vatican Jubilee of Digital Missionaries
Reprinted with permission from Daniel Pocock
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, July 27, 2025
IRC logs for Sunday, July 27, 2025
The Week to Come
Planning ahead
LLM Slop Has Only Been a Boon for Misinformation Online
The very same companies that were supposed to maintain quality (again, not limited to Google with PageRank) are now actively participating in generating and spreading slop
When They Tell You It's Free, Does That Mean No Charges (If So, Who's Paying and Why)?
there's "no free lunch"
We're Going to Focus Less on the Molotov Cocktail-Throwing Microsofters and More on Patents
We can get back to focusing on what we wanted to focus on all along
Just Trying to Keep Web Sites Honest (Journalistic Integrity)
the latest articles in LinuxIac are real
Links 27/07/2025: Political Affairs, Data Breaches, Attacks on Freedom of the Press
Links for the day
Gemini Links 27/07/2025: Hot in Japan and Terminal Escape Codes
Links for the day
Links 27/07/2025: More Microsoft Layoffs Coming, Science and Hardware News
Links for the day
Links 27/07/2025: FSF Hackathon and "Hulk Hogan Was a Very Bad Man"
Links for the day
Gemini Links 27/07/2025: DAW Mixer Chains and Simple Software
Links for the day
The Register MS is Inventing or Giving Air Time to New Conspiracy Theories so as to Distort the Narrative As High-Profile Agencies Fall Prey to Microsoft Holes
But the problem is holes, i.e. Microsoft making bad products; the problem is Microsoft
Most Editors at The Register Are American, Including the Editor in Chief, a Decade-Long Microsoft Stenographer (Writing Prose to Sell Microsoft)
It's not easy to tell where the site is based (we tried) because it's hiding behind ClownFlare and CrimeFlare hasn't been well lately
Pushers of systemd Rewrite History (Richard Stallman Said UNIX "Was Portable and Seemed Fairly Clean")
Unlike systemd
"New Techrights" Soon Turns 2 (A Few Days Before the FSF Turns 40)
We have a lot more to say about LLM bots
When Silence Says So Much
Garrett, a 'secure' boot pusher, will need to defend himself in the UK High Court
The Register in Trouble
There is not much that can be done at this point
Trajectory of The Register: From News Site/s Into "B2B"... and Into Microsoft Salespeople
Something isn't right at The Register
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, July 26, 2025
IRC logs for Saturday, July 26, 2025
Misinformation in Social Control Media
Social control media passes around all sorts of tropes
Slopwatch: Fake Linux 'Articles' and Slopfarms With "Linux" in Their Names/Domains
throwing bots at "Linux" to make some fake articles