Post AkfPv1wku3gLd51fiC by arraybolt3@theres.life
(DIR) More posts by arraybolt3@theres.life
(DIR) Post #AkfPv1wku3gLd51fiC by arraybolt3@theres.life
2024-08-05T18:36:38Z
2 likes, 5 repeats
#Ventoy Security Concerns (please boost for visibility)Ventoy is a popular utility for making USB drives containing multiple operating systems in the form of bootable image files. While very useful in theory, the source tree contains numerous binary blobs without source code. This issue has been brought up to the authors multiple times, have not been corrected, and have even gotten worse (more blobs have been added to the code over time). This is a potential malware vector, similar to the "test files" in the xz-utils backdoor catastrophe.Recently the author has ignored a very lengthy thread raising security concerns because of these binary blobs. Given the amount of attention the thread has gotten, this seems strange, especially given that the authors have been active since then. https://github.com/ventoy/Ventoy/issues/2795Stranger yet still, a video by Veronica Explains (@vkc) on how to create bootable USB flash drives got flooded by comments heavily suggesting the use of Ventoy and even being somewhat accusing because Veronica didn't advertise Ventoy. This is... not anything I've seen users of ANY open-source project do, and it feels similar to the social engineering done against Lasse Collin that convinced him to add Jia Tan as a maintainer, thus compromising xz-utils. See the comments of https://www.youtube.com/watch?v=QiSXClZauXA&t=3sIf you're using Ventoy, you may want to consider ceasing its use for the time being out of an abundance of caution. If you truly need its functionality, you might look into something like the IODD SSD Enclosure (https://www.iodd.shop/HDD/SSD-Enclosure) which can emulate an optical drive and allows you to select an ISO saved to the drive to boot from.#linux #boot #security #malicious #backdoor
(DIR) Post #AkfPv2jJzUWw3hkSPY by feld@bikeshed.party
2024-08-05T19:52:55.105951Z
0 likes, 0 repeats
@arraybolt3 @vkc this IODD is a rebaged Zalman! I have one on my desk, but I have had issues with it on UEFI machineshttps://www.iodd.shop/IODD-2531-USB-30-external-HDD-SSD-Enclosure
(DIR) Post #AkfQomWjQ7xE1SRCbI by enshroudedshrew@mastodon.social
2024-08-05T19:37:17Z
0 likes, 0 repeats
@arraybolt3 pardon my ignorance, but is the paid device you are linking the only alternative to Ventoy‘s ability to have an usb stick with multiple ISOs on it to boot from?
(DIR) Post #AkfQonQ26WBqmyJMnY by arraybolt3@theres.life
2024-08-05T19:39:12Z
0 likes, 0 repeats
@enshroudedshrew It's the only "drop-in replacement" I personally know of. With some Linux ISOs you can mimic the functionality somewhat using GRUB, but it's a lot more work than Ventoy and doesn't work universally.(FWIW I have no connection to IODD, this is just something I remembered the Ubuntu Studio team lead showing me.)
(DIR) Post #AkfQoo8hQRv31VD2Q4 by vascorsd@mastodon.social
2024-08-05T19:55:10Z
0 likes, 0 repeats
@arraybolt3 @enshroudedshrew there was some years ago at least a way to make an android phone emulate a usb device when plugged and mount any isos. But it required an unlocked device with root which is impossible for most people.
(DIR) Post #AkfQtfRvA78xWHW8fY by feld@bikeshed.party
2024-08-05T20:03:53.734083Z
1 likes, 1 repeats
@arraybolt3 @vkc I followed the Ventoy's author in this Github issue about some files being detected as viruses, compiled their busybox/xzcat from upstream as instructed, and it does still get detected as a virus. So that's fun.https://github.com/ventoy/Ventoy/issues/660#issuecomment-748475849
(DIR) Post #Akh281i956ey4ymBw8 by kirby@cum.salon
2024-08-06T14:35:51.929515Z
0 likes, 0 repeats
@arraybolt3 @vkc shitty win10 install now infected with chinese spyware i guess