Post AlF76ZfexCVByDNURc by cvtsi2sd@hachyderm.io
Post #AlF76XRPFDud3Qh4wy by mjg59@nondeterministic.computer
2024-08-22T08:53:29Z
0 likes, 0 repeats
What the fuck is SBAT, why did it break your dual-boot setup, it's not strictly my fault but if you need a scapegoat whatever: https://mjg59.dreamwidth.org/70348.html
Post #AlF76YAQXpvPJ3l27k by ljrk@todon.eu
2024-08-22T09:08:59Z
0 likes, 0 repeats
@mjg59 Thank you for this.
> But also distributions shipping signed bootloaders should make sure that they're updating those and updating the security generation to match, because otherwise they're shipping a vector that can be used to attack other operating systems and that's kind of a violation of the social contract around all of this.
I was getting deeply frustrated about the reporting on this which verged on "Microsoft pushing update to gatekeep Linux for no reason at all". The articles even went so far as to lightly hint that there is some security issue involved but completely missed the fact that distributions could quite easily have avoided this mess by keeping their bootloaders up to date (seriously, why isn't *this* the headline: multiple Linux distributions with 2yo security issue in the bootloader refuse to boot after signature update?). I am a bit shocked that this doesn't apply only to older and niche distros but quite recent and supported ones.
If Mozilla finally revokes a certificate we cheer on them, even if this breaks some websites. And we blame the websites that they didn't switch to a good CA in time.
And yes, MS should've done more testing too. But that stuff has been said now thousands of times and I'm just super annoyed at the reporting.
Post #AlF76YhkXwa0yPLe40 by cvtsi2sd@hachyderm.io
2024-08-22T09:24:06Z
0 likes, 0 repeats
@ljrk @mjg59
> If Mozilla finally revokes a certificate we cheer on them, even if this breaks some websites.
I don't think the comparison is fair, though... a broken SSL certificate can be worked around easily if you really need to access that website; breaking the boot bricks the entire machine (there's no "continue anyway" button), and is an order of magnitude more complex to fix for the user. Also, an update of an OS breaking the other is not something you expect.
Post #AlF76ZFQWjWCer6XYW by mjg59@nondeterministic.computer
2024-08-22T09:26:45Z
0 likes, 0 repeats
@cvtsi2sd @ljrk I think the right metaphor for TLS is a CA is compromised and issues an invalid cert for your domain to a hostile government. What do you want to happen next?
Post #AlF76ZfexCVByDNURc by cvtsi2sd@hachyderm.io
2024-08-22T10:04:46Z
0 likes, 0 repeats
@mjg59 @ljrk mm more like "this site uses an obsolete TLS protocol/cyphersuite, that has known vulnerabilities"
Post #AlF76a6FMLllIfoisy by mjg59@nondeterministic.computer
2024-08-22T10:06:25Z
0 likes, 0 repeats
@cvtsi2sd @ljrk Not really, obsolete TLS suites are generally difficult to crack rather than impossible to crack, obsolete bootloaders are already cracked
Post #AlF76ax4By1JwUWuDQ by neverpanic@chaos.social
2024-08-22T11:03:16Z
1 likes, 0 repeats
@mjg59 @cvtsi2sd @ljrk Microsoft could have detected that situation and prompted the user saying "your grub is vulnerable, this breaks secure boot's guarantees, go shout at your distro, do you want to apply the update anyway and break booting into your other OS?". They didn't. Not a great look for the company that ships so much legacy cruft for backwards compatibility. Most home users don't care about secure boot at all.
Post #AlG4O69NLPlivBtxiK by Suiseiseki@freesoftwareextremist.com
2024-08-23T12:15:54.638420Z
0 likes, 0 repeats
@mjg59 Making the mistake of dual-booting windows is what broke your dual-boot setup.