Bonum Certa Men Certa

Another Reason to Boycott UEFI and Proprietary Software From Microsoft: Insecurity

Summary: Some blobs like Microsoft's Windows patches and the binary-level UEFI 'validation' do not and cannot provide real security, only insecurity in disguise

THE 'PROMISE' of UEFI 'secure' boot is as ludicrous as Microsoft's claims that it pursues security. UEFI does nothing real for security; in fact, it once again does the very opposite. Quoting the news:



A pair of security researchers have found a buffer overflow vulnerability within the implementation of the unified extensible firmware interface (UEFI) within the EDK1 project used in firmware development.

Bromium researcher Rafal Wojtczuk and MITRE Corp's Corey Kallenberg said the bug in the FSVariable.c source file was linked to a variable used to reclaim empty space on SPI flash chips.


According to other news, as told (spun) by a Microsoft booster.,"Microsoft's advance security notification service no longer publicly available". The booster says that "Microsoft is taking its Advance Notification Service private, claiming the change is due to changes in the way users want their advance security notifications." Microsoft sure tells the NSA about ways to hijack/wiretap Microsoft software, so it's a matter of privilege, not some company-wide policy.

How does the above serve users? It doesn't. This is about Microsoft, not users. Users will be left even more vulnerable. As Pogson correctly points out, "There are no Patch Tuesdays with Debian GNU/Linux so the bad guys are no further ahead. We can all get Debian’s patches as soon as they generate them and we can usually install the updates on running systems with no adverse consequences, like a re-re-reboot."

Moreover, in large corporations in particular, patching code internally is possible or even relying on third parties. Don't ever trust security at binary level, such as large blobs being sent that are supposedly 'patched' or some opaque board giving 'approval' before the running of a binary blob, mostly likely based on some cryptic signature approved by unknown people for unknown reasons (usually employees of companies that work with the NSA). Real security emanates from transparency, which breeds trust and provides to ability for one to study and patch one's own programs (or rely on others to do so using their specialised skills).

"Anyone wonder why the Microsoft SQL server is called the sequel server? Is that because no matter what version it's at there's always going to be a sequel needed to fix the major bugs and security flaws in the last version?"

--Unknown

Recent Techrights' Posts

Professor Eben Moglen on How Social Control Media Metabolises Humans and Constrains Freedom of Thought
Nothing of value would be lost if all these data-harvesting giants (profiling people) vanished overnight
Debian Left Twitter (MElon "X"), We Think the Free Software Foundation (FSF) Should Do the Same
What would the FSF really lose if it stopped posting there?
 
Links 07/02/2025: Amazon’s Stock Collapses and US Government Being Dismantled (Still)
Links for the day
Gemini Links 07/02/2025: Mid-level Details and Simple Code
Links for the day
Links 07/02/2025: US 'Demolition Crew', e-ID Loopholes, and Sanctions
Links for the day
Social Control Media is Narcissism
Nowadays there's a lot more literature and even press coverage explaining the harms of Social Control Media
statCounter Sees GNU/Linux Share Doubling in China Over the Past Year
It'll be interesting to see what data in the coming months shows
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, February 06, 2025
IRC logs for Thursday, February 06, 2025
Richard Stallman (RMS) Confirms Next Week's Talk in Europe
He gave at least 2 talks in Europe last month
Nationalism As A Service (NaaS) by Microsoft Azure, Gutting the US Government for Profit
Will Microsoft be receiving bailouts as a reward for all this?
Rumours of IBM Layoffs Apparently Confirmed Yesterday, IBM Canada Consulting Impacted (as Rumoured)
when IBM has layoffs we must also read it as Red Hat layoffs
Tons of Anti-Linux 'Articles' Published by Bots (LLMs), Maybe Microsoft's
Upon closer inspection, all this FUD turned out to be LLM garbage
Gemini Links 06/02/2025: Voicemail Sucks and Night of Lights
Links for the day
Ubuntu Desktop Director of Engineering Has Only One Blog Post. It Promotes Microsoft Windows.
Remember that even 15 years ago (more or less, maybe 16 years ago) Canonical appointed a a 'former' Microsoft manager (Spencer) to lead Ubuntu on the desktop
Links 06/02/2025: YouTube Takedowns Out of Control, 'DOGE' Breaking Laws
Links for the day
IBM Red Hat on "era of cloud computing", pushing "hey hi" (AI) hype in Microsoft Azure
LLM slop might actually be more benign than Microsoft promotion
Corruption and Rule-Breaking Prevail at the European Patent Office (EPO), Europe's Second-Largest Institution
The law does not really exist at the EPO; it can be perceived as merely a "recommendation"
statCounter: More Countries Where Windows is Around 1% "Market Share" (People Have Moved to Android/Linux)
in some nations Windows is already 1% or less
404 Media Says "Workers at NASA Told to Drop Everything to Scrub Mentions of Indigenous People, Women from Its Websites" But There's Also Accessibility in the Firing Line
In the case of abandoning accessibility, everyone stands to be hurt and proprietary software can be brought in to replace standards
When BetaNews Writes Real Articles About "Linux" They Promote Windows
The Web is in a bad state. We need to at least try to correct this.
Gemini Links 06/02/2025: Cynicism and "Real Magic on the C64"
Links for the day
Links 06/02/2025: New Sanctions, Layoffs, and Executive Orders
Links for the day
Distros and Desktop Environments, Devices
GNU/Linux focused
New Rumours of IBM Layoffs in 2025, IBM Consulting Still Struggles, Based on Management
"Hey hi" (AI) has been a common excuse for business failure
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, February 05, 2025
IRC logs for Wednesday, February 05, 2025
Links 05/02/2025: Kessler Syndrome and News Online
Links for the day
statCounter: Monaco Now 7% GNU/Linux ("Proper")
GNU/Linux, not counting Chromebooks, is on the rise
Many Parts of Google Lose Money
It's quite apparent that many parts of Google - even some that rely on ad revenue or push ads - aren't profiting
European Internet Forum (EIF) is Dominated by American Corporations and Microsoft Lobbyists, Staff Take the Lead
Should the officials over here or the European Parliament pay attention to these people?
Links 05/02/2025: Connection without Connectivity and Unionised Grocery Workers
Links for the day
Just Because People on Top of the Microsoft Pyramid Made a Lot of Money Doesn't Mean Microsoft is Wealthy
The bigger they are the harder they fall
Gemini Links 05/02/2025: Learning, Madman Ruling a Mad Country, Back in Geminispace
Links for the day
statCounter Shows "WIntel" Chasing a Dying Market
Microsoft acts as if it's running out of money
Free Software Foundation, Inc. (FSF) Still Raising Money, Richard Stallman Contributes
total exceeding $430k
A Lot of Stuff About "Linux" in Google News is LLM Slop, Fake 'Articles'
It seems to be getting worse
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, February 04, 2025
IRC logs for Tuesday, February 04, 2025