GNU social JP
  • FAQ
  • Login
GNU social JPは日本のGNU socialサーバーです。
Usage/ToS/admin/test/Pleroma FE
  • Public

    • Public
    • Network
    • Groups
    • Featured
    • Popular
    • People

Conversation

Notices

  1. Embed this notice
    H. Faust (hfaust@shitposter.world)'s status on Friday, 04-Apr-2025 11:13:27 JST H. Faust H. Faust
    Microsoft is doing a hit piece on GRUB2 and shilling its AI https://www.microsoft.com/en-us/security/blog/2025/03/31/analyzing-open-source-bootloaders-finding-vulnerabilities-faster-with-ai/
    In conversation about a month ago from shitposter.world permalink

    Attachments

    1. Domain not in remote thumbnail source whitelist: www.microsoft.com
      Analyzing open-source bootloaders: Finding vulnerabilities faster with AI | Microsoft Security Blog
      from Microsoft Threat Intelligence
      Using Microsoft Security Copilot to expedite the discovery process, Microsoft has uncovered several vulnerabilities in multiple open-source bootloaders impacting all operating systems relying on Unified Extensible Firmware Interface (UEFI) Secure Boot. Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability in the GRUB2, U-boot, and Barebox bootloaders.
    • pistolero and soberano like this.
    • Embed this notice
      H. Faust (hfaust@shitposter.world)'s status on Friday, 04-Apr-2025 11:13:27 JST H. Faust H. Faust
      in reply to
      "Furthermore, GRUB2 is coded in C, which is considered a memory-unsafe language, and as mentioned, does not benefit from any modern security mitigation" Fuck you
      In conversation about a month ago permalink
      pistolero and soberano like this.
    • Embed this notice
      H. Faust (hfaust@shitposter.world)'s status on Friday, 04-Apr-2025 11:13:38 JST H. Faust H. Faust
      in reply to
      «While threat actors would likely require physical device access to exploit the U-boot or Barebox vulnerabilities, in the case of GRUB2, the vulnerabilities could further be exploited to bypass Secure Boot" Good, nobody wants that piece of garbage
      In conversation about a month ago permalink
      pistolero and soberano like this.
    • Embed this notice
      mangeurdenuage :gnu: :trisquel: :gondola_head: 🌿 :abeshinzo: :ignucius: (mangeurdenuage@shitposter.world)'s status on Friday, 04-Apr-2025 11:13:56 JST mangeurdenuage :gnu: :trisquel: :gondola_head: 🌿 :abeshinzo: :ignucius: mangeurdenuage :gnu: :trisquel: :gondola_head: 🌿 :abeshinzo: :ignucius:
      in reply to
      @hfaust
      Aside a marketing stunt, one must ask himself why would Microsoft analyses anything but itself ?
      In conversation about a month ago permalink
      翠星石 and soberano like this.
    • Embed this notice
      H. Faust (hfaust@shitposter.world)'s status on Friday, 04-Apr-2025 11:13:56 JST H. Faust H. Faust
      in reply to
      • mangeurdenuage :gnu: :trisquel: :gondola_head: 🌿 :abeshinzo: :ignucius:
      @mangeurdenuage Microsoft has investigated itself and found no wrong.
      In conversation about a month ago permalink
      pistolero and soberano like this.
    • Embed this notice
      mangeurdenuage :gnu: :trisquel: :gondola_head: 🌿 :abeshinzo: :ignucius: (mangeurdenuage@shitposter.world)'s status on Friday, 04-Apr-2025 11:14:03 JST mangeurdenuage :gnu: :trisquel: :gondola_head: 🌿 :abeshinzo: :ignucius: mangeurdenuage :gnu: :trisquel: :gondola_head: 🌿 :abeshinzo: :ignucius:
      in reply to
      @hfaust
      In conversation about a month ago permalink

      Attachments


      1. https://media.shitposter.world/shitposter.club/82/89/9d/82899dee46a0e34f9a7f2ecb664522e6cf556527702a7e482928ec6039e6c4b1.jpg?name=Z14FR7Tl_YSctQ.jpg
      pistolero and soberano like this.
    • Embed this notice
      H. Faust (hfaust@shitposter.world)'s status on Friday, 04-Apr-2025 11:36:54 JST H. Faust H. Faust
      in reply to
      The "vulnerabilities" they listed occur in filesystems like ReiserFS and JFS... who the fuck uses those filesystems?
      In conversation about a month ago permalink
      soberano likes this.
    • Embed this notice
      翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 04-Apr-2025 15:05:10 JST 翠星石 翠星石
      in reply to
      @hfaust You can tell it's a hit piece from the title, considering the massive insult of calling GNU Grub an "open source" bootloader.
      In conversation about a month ago permalink
      pistolero likes this.
      SuperDicq repeated this.
    • Embed this notice
      翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 04-Apr-2025 15:21:14 JST 翠星石 翠星石
      in reply to
      • 翠星石
      @hfaust Of course they never name the GNU (there would be no mention of GNU if it wasn't for the 2 gnu.org URLs).

      >extend our analysis to other bootloaders like U-boot and Barebox, which share code with GRUB2
      Considering you cannot combine GPLv3-or-later with GPLv2-only, this doesn't seem correct.

      They also write about "saving a weeks worth of time", but they've clearly wasted more than a weeks worth of time filing pointless CVEs (which are only useful if you want to embarrass a proprietary software developer into fixing bugs).

      >The dangers of a GRUB2
      >Since bootloaders run before operating systems run
      Of course it's sooo dangerous to run GRUB and GRUB isn't an OS.

      If you want NX, ASLR, pointer authentication or stack cookies/canaries, it's simply a matter of enabling that in GCC or implementing it in the GRUB OS.

      >Suggestion of completely junk integer overflow detection like; if (size + 1 < size)
      It looks convincing, but those sort of checks *do not work*.

      The only working way to detect integer overflow is to use a compiler built-in like; __builtin_add_overflow https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html

      https://git.savannah.gnu.org/cgit/grub.git/tree/include/grub/safemath.h#n29
      In conversation about a month ago permalink

      Attachments

      1. Domain not in remote thumbnail source whitelist: www.gnu.org
        The GNU Operating System and the Free Software Movement
        from mailto:webmasters@gnu.org
        Since 1983, developing the free Unix style operating system GNU, so that computer users can have the freedom to share and improve the software they use.
      2. No result found on File_thumbnail lookup.
        Integer Overflow Builtins (Using the GNU Compiler Collection (GCC))
        Integer Overflow Builtins (Using the GNU Compiler Collection (GCC))
      3. Domain not in remote thumbnail source whitelist: git.savannah.gnu.org
        safemath.h\grub\include - grub.git - GNU GRUB
    • Embed this notice
      pistolero (p@fsebugoutzone.org)'s status on Friday, 04-Apr-2025 15:28:52 JST pistolero pistolero
      in reply to
      • 翠星石
      @Suiseiseki @hfaust

      > The only working way to detect integer overflow is to use a compiler built-in

      On gcc, anyway.
      In conversation about a month ago permalink
    • Embed this notice
      御園はくい (hakui@tuusin.misono-ya.info)'s status on Friday, 04-Apr-2025 15:32:14 JST 御園はくい 御園はくい
      in reply to
      • 翠星石
      @Suiseiseki @hfaust "open source" is the "latinx" of free software huh
      In conversation about a month ago permalink
      翠星石, Phantasm and pistolero like this.
    • Embed this notice
      pistolero (p@fsebugoutzone.org)'s status on Friday, 04-Apr-2025 15:32:56 JST pistolero pistolero
      in reply to
      • 翠星石
      • 御園はくい
      @hakui @Suiseiseki @hfaust

      > "open source" is the "latinx" of free software huh

      It's more like "You're *Mexican*?"
      youremexican.mp4
      In conversation about a month ago permalink

      Attachments


      Phantasm likes this.
    • Embed this notice
      翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 04-Apr-2025 15:44:15 JST 翠星石 翠星石
      in reply to
      • pistolero
      @p @hfaust Why would you use an inferior compiler?
      In conversation about a month ago permalink
    • Embed this notice
      SuperDicq (superdicq@minidisc.tokyo)'s status on Friday, 04-Apr-2025 15:47:27 JST SuperDicq SuperDicq
      in reply to
      • 翠星石

      @Suiseiseki@freesoftwareextremist.com @hfaust@shitposter.world They used LLM to detecta bunch of very obvious on the nose buffer overflows (var + 1) to mitigate using (var + 1 < size).

      Most of these can not exploited in practise and require physical access to the hardware.

      Nobody cares and it's a literal nothing burger and only displays that "AI" can do baby's first C programming stuff.

      You could've easily found these without Microsoft's Copilot garbage if people actually cared about fixing obscure bugs that never are a problem are in practise.

      In conversation about a month ago permalink
      翠星石 likes this.
    • Embed this notice
      翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 04-Apr-2025 15:51:06 JST 翠星石 翠星石
      in reply to
      • SuperDicq
      @SuperDicq @hfaust >to mitigate using (var + 1 < size).
      GCC's optimizer is so good it will detect that there's no way var + 1 will be smaller than var (signed integer overflow is undefined), therefore it optimizes out such check.

      In the case where you have to add something to a variable from an input file that can be crafted by an attacker, you must use either use unsigned integers, or use __builtin_add_overflow() to avoid overflows.
      In conversation about a month ago permalink
    • Embed this notice
      SuperDicq (superdicq@minidisc.tokyo)'s status on Friday, 04-Apr-2025 15:55:08 JST SuperDicq SuperDicq
      in reply to
      • 翠星石

      @Suiseiseki@freesoftwareextremist.com @hfaust@shitposter.world The funniest line in this article is the following:
      Furthermore, GRUB2 is coded in C, which is considered a memory-unsafe language, and as mentioned, does not benefit from any modern security mitigation.I wonder which language Windows is mostly written with :thinkerman:

      In conversation about a month ago permalink
    • Embed this notice
      翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 04-Apr-2025 15:56:59 JST 翠星石 翠星石
      in reply to
      @hfaust Note how they fail to mention that "Secure Boot" and UEFI has made security much worse than BIOS, as it allows crafting a single bootkit in an image file that will work across architectures, as well everyone uses the same UEFI implementation with the same vulnerable jpeg library (while an attacker had to craft an attack per BIOS implementation at least).
      In conversation about a month ago permalink
      soberano likes this.
    • Embed this notice
      翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 04-Apr-2025 15:58:17 JST 翠星石 翠星石
      in reply to
      • SuperDicq
      @SuperDicq @hfaust Windows is mostly written in C++ (which explains why it's so garbage), with some C and some C#.

      Now they've started to write things in Rust.
      In conversation about a month ago permalink
    • Embed this notice
      SuperDicq (superdicq@minidisc.tokyo)'s status on Friday, 04-Apr-2025 15:59:57 JST SuperDicq SuperDicq
      in reply to
      • 翠星石

      @Suiseiseki@freesoftwareextremist.com @hfaust@shitposter.world Doesn't C++ have the same memory-safety "issues" that C has?

      I assume Microsoft's bootloader and bitloader and such is written in C/C++ and not Rust.

      In conversation about a month ago permalink
    • Embed this notice
      snacks (snacks@netzsphaere.xyz)'s status on Friday, 04-Apr-2025 16:09:15 JST snacks snacks
      in reply to
      • 翠星石
      • SuperDicq
      @SuperDicq @Suiseiseki @hfaust not necessarily, but i'd guess they don't exclusively use reference counting smart pointers
      In conversation about a month ago permalink
      Phantasm likes this.
    • Embed this notice
      pistolero (p@fsebugoutzone.org)'s status on Friday, 04-Apr-2025 16:38:54 JST pistolero pistolero
      in reply to
      • 翠星石
      @Suiseiseki @hfaust

      :kenbw: > :rms:
      In conversation about a month ago permalink
      Phantasm likes this.
    • Embed this notice
      WeAreTheOil (begsby@liberdon.com)'s status on Friday, 04-Apr-2025 17:16:47 JST WeAreTheOil WeAreTheOil
      in reply to
      • 翠星石
      • 御園はくい
      • pistolero

      @p @Suiseiseki @hfaust @hakui Opsite In spain no one is spain they basque, gallego, ...

      In conversation about a month ago permalink
      pistolero likes this.
    • Embed this notice
      pistolero (p@fsebugoutzone.org)'s status on Friday, 04-Apr-2025 17:17:36 JST pistolero pistolero
      in reply to
      • 翠星石
      • 御園はくい
      • WeAreTheOil
      @begsby @Suiseiseki @hfaust @hakui Well, the joke is, like, people just assuming everyone is Mexican.
      In conversation about a month ago permalink
    • Embed this notice
      WeAreTheOil (begsby@liberdon.com)'s status on Friday, 04-Apr-2025 17:26:56 JST WeAreTheOil WeAreTheOil
      in reply to
      • 翠星石
      • 御園はくい
      • pistolero

      @p @Suiseiseki @hfaust @hakui but in real they are all spain

      In conversation about a month ago permalink
      pistolero likes this.
    • Embed this notice
      御園はくい (hakui@tuusin.misono-ya.info)'s status on Friday, 04-Apr-2025 17:27:29 JST 御園はくい 御園はくい
      in reply to
      • 翠星石
      • WeAreTheOil
      • pistolero
      @begsby @p @Suiseiseki @hfaust but spain is just portugal
      In conversation about a month ago permalink
      pistolero likes this.
    • Embed this notice
      翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 04-Apr-2025 19:18:39 JST 翠星石 翠星石
      in reply to
      • nachtrabe
      @nachtrabe @hfaust Sure, but every motherboard manufacturer made quite a few changes to make their own custom versions, meaning a generic rootkit wasn't really possible.
      In conversation about a month ago permalink
    • Embed this notice
      nachtrabe (nachtrabe@fsebugoutzone.org)'s status on Friday, 04-Apr-2025 19:18:40 JST nachtrabe nachtrabe
      in reply to
      • 翠星石
      @Suiseiseki @hfaust true
      But to be fair, there were only about two vendors for bios implementation at the end.
      In conversation about a month ago permalink
    • Embed this notice
      eliseo (eliseo01@fe.disroot.org)'s status on Friday, 04-Apr-2025 19:19:12 JST eliseo eliseo
      in reply to
      @hfaust

      Security nuts do not understand that when you run free software only, "memory safety" is an afterthought, most of us would rather stick with a truly free, matured, reliable and performant software written in C than adopt proprietary, slow and unreliable Rust codebase.
      In conversation about a month ago permalink
      翠星石 likes this.
    • Embed this notice
      翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 04-Apr-2025 19:19:50 JST 翠星石 翠星石
      in reply to
      • pistolero
      @p @hfaust A proprietary compiler that is much worse functionally in every way is worse, not better.
      In conversation about a month ago permalink
    • Embed this notice
      翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 04-Apr-2025 19:36:58 JST 翠星石 翠星石
      in reply to
      • SuperDicq
      @SuperDicq @hfaust If you use it wrong, C++ is worse than C when it comes to "memory-safety", as it has many more bloated features.

      "C/C++" isn't a thing - both are different languages.

      I believe m$'s bootloader is partly C and mostly C++.
      In conversation about a month ago permalink
    • Embed this notice
      pistolero (p@fsebugoutzone.org)'s status on Friday, 04-Apr-2025 20:03:43 JST pistolero pistolero
      in reply to
      • 翠星石
      @Suiseiseki @hfaust

      > proprietary compiler

      ...GPLv3 is not proprietary. Ken's compiler is pure.

      > worse functionally in every way

      It's a nice compiler, it's comfortable, and it's a tool instead of some product of a committee of UB-Nazis trying to shove their opinion into your program. It is also fast, it produces good machine code, and cross-compilation is *trivial*.

      :kenbw: > :rms:
      new_c_compiler.pdf
      In conversation about a month ago permalink

      Attachments


    • Embed this notice
      Phantasm (phnt@fluffytail.org)'s status on Friday, 04-Apr-2025 20:15:36 JST Phantasm Phantasm
      in reply to
      • 翠星石
      • pistolero
      @p @Suiseiseki @hfaust
      Plan 9:
      >compile quickly, load slowly, and produce medium quality object code.

      gcc:
      >produce bad machine code until Apple pours millions into you
      >fragile codebase, a lot of tech debt
      >cross-compiling can be a pain depending on how esoteric your target is (literally anything that isn't a Linux host)
      In conversation about a month ago permalink
      pistolero likes this.
    • Embed this notice
      pistolero (p@fsebugoutzone.org)'s status on Friday, 04-Apr-2025 20:22:19 JST pistolero pistolero
      in reply to
      • 翠星石
      • Phantasm
      @phnt @Suiseiseki @hfaust

      > (literally anything that isn't a Linux host)

      And God help you if you want to statically link the program.
      In conversation about a month ago permalink
      Phantasm likes this.
    • Embed this notice
      Phantasm (phnt@fluffytail.org)'s status on Friday, 04-Apr-2025 20:23:48 JST Phantasm Phantasm
      in reply to
      • 翠星石
      • pistolero
      @p @Suiseiseki @hfaust Hey, I saw you passed --disable-shared to the autotools script. Therefore I'll dynamically link against the libc on your system, or if you are crosscompiling I'll link to the sysroot libc with headers I broke during the fix-includes target.
      In conversation about a month ago permalink
      pistolero and Johnny Peligro like this.
    • Embed this notice
      Johnny Peligro (mischievoustomato@tsundere.love)'s status on Friday, 04-Apr-2025 22:51:50 JST Johnny Peligro Johnny Peligro
      in reply to
      @hfaust i mean, they're not wrong
      In conversation about a month ago permalink
    • Embed this notice
      Kerosene ~suya~ CEO of DarkFedi (kerosene@fsebugoutzone.org)'s status on Friday, 04-Apr-2025 23:04:45 JST Kerosene ~suya~ CEO of DarkFedi Kerosene ~suya~ CEO of DarkFedi
      in reply to
      • 翠星石
      • 御園はくい
      • pistolero
      @p @hakui @Suiseiseki @hfaust I'm technically not but yesterday I ate a burrito so that's fixed. I'm mexican now.
      In conversation about a month ago permalink
      Phantasm and pistolero like this.
    • Embed this notice
      eliseo (eliseo01@fe.disroot.org)'s status on Friday, 04-Apr-2025 23:06:25 JST eliseo eliseo
      in reply to
      @hfaust

      Rust itself is arguably proprietary already due to the compiler and the usual corporate trademark shenanigans.
      In conversation about a month ago permalink
      翠星石 likes this.
    • Embed this notice
      H. Faust (hfaust@shitposter.world)'s status on Friday, 04-Apr-2025 23:06:26 JST H. Faust H. Faust
      in reply to
      • eliseo
      @eliseo01 That's why I don't trust when people push for a Rust rewrite, every time they do, you find a piece of software licensed in MIT just they will be able to close it later.
      In conversation about a month ago permalink
    • Embed this notice
      pistolero (p@fsebugoutzone.org)'s status on Saturday, 05-Apr-2025 08:20:13 JST pistolero pistolero
      in reply to
      • 翠星石
      • 御園はくい
      • Kerosene ~suya~ CEO of DarkFedi
      @kerosene @Suiseiseki @hakui @hfaust Gotta get some more burritos, honkeytown doesn't have any options.
      pmexican.jpg
      In conversation about a month ago permalink

      Attachments


      1. https://media.freespeechextremist.com/rvl/full/058a0b4690398b6eb1d8868fd8aaab51b85e36213e4b2ac2b5dc5a9a9b8a5073?name=pmexican.jpg

Feeds

  • Activity Streams
  • RSS 2.0
  • Atom
  • Help
  • About
  • FAQ
  • TOS
  • Privacy
  • Source
  • Version
  • Contact

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.