GNU social JP
Conversation

Notices

  1. Graham Sutherland / Polynomial (gsuberland@chaos.social)'s status on Thursday, 07-Dec-2023 08:11:33 JST

    UEFI getting owned by the vendor logo parser code is extremely on brand.

    Tons of time and effort put into securing platform stuff and it gets popped anyway because execs want the laptop to show the user a Dell logo for 3 seconds on boot even though it's already printed *right there on the fucking laptop*.

    • NeonPurpleStar :heart_bi:, feld and James Morris like this.
    • Ian Douglas Scott (ids1024@fosstodon.org)'s status on Thursday, 07-Dec-2023 17:45:43 JST
      in reply to
      • Moffin'tosh
      • LisPi

      @lispi314 @moffintosh @gsuberland Something like Ada SPARK would be suitable. Though for buffer overflows (like this seems to be) essentially every contemporary programming language would allow writing a parser without issues like that... except C and C++.

      It's not especially hard to do better here.

    • Sexy Moon (moon@shitposter.club)'s status on Thursday, 07-Dec-2023 17:45:43 JST
      in reply to
      • Moffin'tosh
      • Ian Douglas Scott
      • LisPi
      @ids1024 @lispi314 @moffintosh @gsuberland replace UEFI with a BIOS that only boots the machine, like Coreboot.
    • LisPi (lispi314@udongein.xyz)'s status on Thursday, 07-Dec-2023 17:45:46 JST
      in reply to
      • Moffin'tosh
      @gsuberland @moffintosh This seems mostly useful as a persistence option.

      It also shouldn't be able to affect a #QubesOS system that hasn't been entirely pwn'd.

      It also vindicates my dislike of most image parsers & codec implementation choices, again, even more damningly than libwebp did.

      > The results raise a vexing question: If fuzzers identified so many exploitable vulnerabilities, why hadn’t the developers of the UEFIs (often called IBVs or independent BIOS vendors) and the OEMs selling the devices already used these tools and fixed the underlying bugs?
      Because they largely don't give a shit. We've known this for a while now.

      Literally none of those bugs would work if they'd written the firmware in strict Ada SPARK like they should've for something as security-critical.
    • Graham Sutherland / Polynomial (gsuberland@chaos.social)'s status on Thursday, 07-Dec-2023 17:45:48 JST
      in reply to
      • Moffin'tosh

      @moffintosh https://arstechnica.com/security/2023/12/just-about-every-windows-and-linux-device-vulnerable-to-new-logofail-firmware-attack/


      Attachments

      1. Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack
        UEFIs booting Windows and Linux devices can be hacked by malicious logo images.
    • Tony Hoyle (tony@toot.hoyle.me.uk)'s status on Thursday, 07-Dec-2023 17:45:48 JST
      in reply to
      • penguin42

      @penguin42 @gsuberland Also.. PNG and JPEG parsers do not belong in early stage boot.

      Sexy Moon likes this.
    • Moffin'tosh (moffintosh@berserker.town)'s status on Thursday, 07-Dec-2023 17:45:49 JST
      in reply to

      @gsuberland ...context?👁️🗨️

    • penguin42 (penguin42@mastodon.org.uk)'s status on Thursday, 07-Dec-2023 17:45:50 JST
      in reply to

      @gsuberland IMHO it's more broken than that; it's not the vendor's logo that's the problem (they can do that at image build time); it's that there's a way to replace that logo - e.g. for your company to do it when they buy you a laptop or for you to do it.

    • Wolf480pl (wolf480pl@mstdn.io)'s status on Thursday, 07-Dec-2023 17:46:09 JST
      in reply to

      @gsuberland hey, I'm using that feature too! I want *my* logo, or a cool anime picture, to show up for 3 seconds during boot.

      Sexy Moon likes this.
    • ?? Humpleupagus ?? (humpleupagus@eveningzoo.club)'s status on Thursday, 07-Dec-2023 17:48:11 JST
      in reply to
      • penguin42
      I wonder who wanted vendors to build that feature into their machines? Probably the same company that pushed secureboot.