Conversation

Notices

1. Embed this notice
   H. Faust (hfaust@shitposter.world)'s status on Friday, 04-Apr-2025 11:13:27 JST H. Faust
   Microsoft is doing a hit piece on GRUB2 and shilling its AI https://www.microsoft.com/en-us/security/blog/2025/03/31/analyzing-open-source-bootloaders-finding-vulnerabilities-faster-with-ai/
   • pistolero and soberano like this.
   • Embed this notice
     H. Faust (hfaust@shitposter.world)'s status on Friday, 04-Apr-2025 11:13:27 JST H. Faust

     in reply to
     "Furthermore, GRUB2 is coded in C, which is considered a memory-unsafe language, and as mentioned, does not benefit from any modern security mitigation" Fuck you
     pistolero and soberano like this.
   • Embed this notice
     H. Faust (hfaust@shitposter.world)'s status on Friday, 04-Apr-2025 11:13:38 JST H. Faust

     in reply to
     «While threat actors would likely require physical device access to exploit the U-boot or Barebox vulnerabilities, in the case of GRUB2, the vulnerabilities could further be exploited to bypass Secure Boot" Good, nobody wants that piece of garbage
     pistolero and soberano like this.
   • Embed this notice
     mangeurdenuage :gnu: :trisquel: :gondola_head: 🌿 :abeshinzo: :ignucius: (mangeurdenuage@shitposter.world)'s status on Friday, 04-Apr-2025 11:13:56 JST mangeurdenuage :gnu: :trisquel: :gondola_head: 🌿 :abeshinzo: :ignucius:

     in reply to
     @hfaust
     Aside a marketing stunt, one must ask himself why would Microsoft analyses anything but itself ?
     翠星石 and soberano like this.
   • Embed this notice
     H. Faust (hfaust@shitposter.world)'s status on Friday, 04-Apr-2025 11:13:56 JST H. Faust

     in reply to

     • mangeurdenuage :gnu: :trisquel: :gondola_head: 🌿 :abeshinzo: :ignucius:
     @mangeurdenuage Microsoft has investigated itself and found no wrong.
     pistolero and soberano like this.
   • Embed this notice
     mangeurdenuage :gnu: :trisquel: :gondola_head: 🌿 :abeshinzo: :ignucius: (mangeurdenuage@shitposter.world)'s status on Friday, 04-Apr-2025 11:14:03 JST mangeurdenuage :gnu: :trisquel: :gondola_head: 🌿 :abeshinzo: :ignucius:

     in reply to
     @hfaust
     pistolero and soberano like this.
   • Embed this notice
     H. Faust (hfaust@shitposter.world)'s status on Friday, 04-Apr-2025 11:36:54 JST H. Faust

     in reply to
     The "vulnerabilities" they listed occur in filesystems like ReiserFS and JFS... who the fuck uses those filesystems?
     soberano likes this.
   • Embed this notice
     翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 04-Apr-2025 15:05:10 JST 翠星石

     in reply to
     @hfaust You can tell it's a hit piece from the title, considering the massive insult of calling GNU Grub an "open source" bootloader.
     pistolero likes this.
     SuperDicq repeated this.
   • Embed this notice
     翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 04-Apr-2025 15:21:14 JST 翠星石

     in reply to

     • 翠星石
     @hfaust Of course they never name the GNU (there would be no mention of GNU if it wasn't for the 2 gnu.org URLs).
     
     >extend our analysis to other bootloaders like U-boot and Barebox, which share code with GRUB2
     Considering you cannot combine GPLv3-or-later with GPLv2-only, this doesn't seem correct.
     
     They also write about "saving a weeks worth of time", but they've clearly wasted more than a weeks worth of time filing pointless CVEs (which are only useful if you want to embarrass a proprietary software developer into fixing bugs).
     
     >The dangers of a GRUB2
     >Since bootloaders run before operating systems run
     Of course it's sooo dangerous to run GRUB and GRUB isn't an OS.
     
     If you want NX, ASLR, pointer authentication or stack cookies/canaries, it's simply a matter of enabling that in GCC or implementing it in the GRUB OS.
     
     >Suggestion of completely junk integer overflow detection like; if (size + 1 < size)
     It looks convincing, but those sort of checks *do not work*.
     
     The only working way to detect integer overflow is to use a compiler built-in like; __builtin_add_overflow https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
     
     https://git.savannah.gnu.org/cgit/grub.git/tree/include/grub/safemath.h#n29
   • Embed this notice
     pistolero (p@fsebugoutzone.org)'s status on Friday, 04-Apr-2025 15:28:52 JST pistolero

     in reply to

     • 翠星石
     @Suiseiseki @hfaust
     
     > The only working way to detect integer overflow is to use a compiler built-in
     
     On gcc, anyway.
   • Embed this notice
     御園はくい (hakui@tuusin.misono-ya.info)'s status on Friday, 04-Apr-2025 15:32:14 JST 御園はくい

     in reply to

     • 翠星石
     @Suiseiseki @hfaust "open source" is the "latinx" of free software huh
     翠星石, Phantasm and pistolero like this.
   • Embed this notice
     pistolero (p@fsebugoutzone.org)'s status on Friday, 04-Apr-2025 15:32:56 JST pistolero

     in reply to

     • 翠星石
     • 御園はくい
     @hakui @Suiseiseki @hfaust
     
     > "open source" is the "latinx" of free software huh
     
     It's more like "You're *Mexican*?"
     youremexican.mp4
     Phantasm likes this.
   • Embed this notice
     翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 04-Apr-2025 15:44:15 JST 翠星石

     in reply to

     • pistolero
     @p @hfaust Why would you use an inferior compiler?
   • Embed this notice
     SuperDicq (superdicq@minidisc.tokyo)'s status on Friday, 04-Apr-2025 15:47:27 JST SuperDicq

     in reply to

     • 翠星石

     @Suiseiseki@freesoftwareextremist.com @hfaust@shitposter.world They used LLM to detecta bunch of very obvious on the nose buffer overflows (var + 1) to mitigate using (var + 1 < size).
     
     Most of these can not exploited in practise and require physical access to the hardware.
     
     Nobody cares and it's a literal nothing burger and only displays that "AI" can do baby's first C programming stuff.
     
     You could've easily found these without Microsoft's Copilot garbage if people actually cared about fixing obscure bugs that never are a problem are in practise.

     翠星石 likes this.
   • Embed this notice
     翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 04-Apr-2025 15:51:06 JST 翠星石

     in reply to

     • SuperDicq
     @SuperDicq @hfaust >to mitigate using (var + 1 < size).
     GCC's optimizer is so good it will detect that there's no way var + 1 will be smaller than var (signed integer overflow is undefined), therefore it optimizes out such check.
     
     In the case where you have to add something to a variable from an input file that can be crafted by an attacker, you must use either use unsigned integers, or use __builtin_add_overflow() to avoid overflows.
   • Embed this notice
     SuperDicq (superdicq@minidisc.tokyo)'s status on Friday, 04-Apr-2025 15:55:08 JST SuperDicq

     in reply to

     • 翠星石

     @Suiseiseki@freesoftwareextremist.com @hfaust@shitposter.world The funniest line in this article is the following:
     Furthermore, GRUB2 is coded in C, which is considered a memory-unsafe language, and as mentioned, does not benefit from any modern security mitigation.I wonder which language Windows is mostly written with :thinkerman:

   • Embed this notice
     翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 04-Apr-2025 15:56:59 JST 翠星石

     in reply to
     @hfaust Note how they fail to mention that "Secure Boot" and UEFI has made security much worse than BIOS, as it allows crafting a single bootkit in an image file that will work across architectures, as well everyone uses the same UEFI implementation with the same vulnerable jpeg library (while an attacker had to craft an attack per BIOS implementation at least).
     soberano likes this.
   • Embed this notice
     翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 04-Apr-2025 15:58:17 JST 翠星石

     in reply to

     • SuperDicq
     @SuperDicq @hfaust Windows is mostly written in C++ (which explains why it's so garbage), with some C and some C#.
     
     Now they've started to write things in Rust.
   • Embed this notice
     SuperDicq (superdicq@minidisc.tokyo)'s status on Friday, 04-Apr-2025 15:59:57 JST SuperDicq

     in reply to

     • 翠星石

     @Suiseiseki@freesoftwareextremist.com @hfaust@shitposter.world Doesn't C++ have the same memory-safety "issues" that C has?
     
     I assume Microsoft's bootloader and bitloader and such is written in C/C++ and not Rust.

   • Embed this notice
     snacks (snacks@netzsphaere.xyz)'s status on Friday, 04-Apr-2025 16:09:15 JST snacks

     in reply to

     • 翠星石
     • SuperDicq
     @SuperDicq @Suiseiseki @hfaust not necessarily, but i'd guess they don't exclusively use reference counting smart pointers
     Phantasm likes this.
   • Embed this notice
     pistolero (p@fsebugoutzone.org)'s status on Friday, 04-Apr-2025 16:38:54 JST pistolero

     in reply to

     • 翠星石
     @Suiseiseki @hfaust
     
     :kenbw: > :rms:
     Phantasm likes this.
   • Embed this notice
     WeAreTheOil (begsby@liberdon.com)'s status on Friday, 04-Apr-2025 17:16:47 JST WeAreTheOil

     in reply to

     • 翠星石
     • 御園はくい
     • pistolero

     @p @Suiseiseki @hfaust @hakui Opsite In spain no one is spain they basque, gallego, ...

     pistolero likes this.
   • Embed this notice
     pistolero (p@fsebugoutzone.org)'s status on Friday, 04-Apr-2025 17:17:36 JST pistolero

     in reply to

     • 翠星石
     • 御園はくい
     • WeAreTheOil
     @begsby @Suiseiseki @hfaust @hakui Well, the joke is, like, people just assuming everyone is Mexican.
   • Embed this notice
     WeAreTheOil (begsby@liberdon.com)'s status on Friday, 04-Apr-2025 17:26:56 JST WeAreTheOil

     in reply to

     • 翠星石
     • 御園はくい
     • pistolero

     @p @Suiseiseki @hfaust @hakui but in real they are all spain

     pistolero likes this.
   • Embed this notice
     御園はくい (hakui@tuusin.misono-ya.info)'s status on Friday, 04-Apr-2025 17:27:29 JST 御園はくい

     in reply to

     • 翠星石
     • WeAreTheOil
     • pistolero
     @begsby @p @Suiseiseki @hfaust but spain is just portugal
     pistolero likes this.
   • Embed this notice
     翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 04-Apr-2025 19:18:39 JST 翠星石

     in reply to

     • nachtrabe
     @nachtrabe @hfaust Sure, but every motherboard manufacturer made quite a few changes to make their own custom versions, meaning a generic rootkit wasn't really possible.
   • Embed this notice
     nachtrabe (nachtrabe@fsebugoutzone.org)'s status on Friday, 04-Apr-2025 19:18:40 JST nachtrabe

     in reply to

     • 翠星石
     @Suiseiseki @hfaust true
     But to be fair, there were only about two vendors for bios implementation at the end.
   • Embed this notice
     eliseo (eliseo01@fe.disroot.org)'s status on Friday, 04-Apr-2025 19:19:12 JST eliseo

     in reply to
     @hfaust
     
     Security nuts do not understand that when you run free software only, "memory safety" is an afterthought, most of us would rather stick with a truly free, matured, reliable and performant software written in C than adopt proprietary, slow and unreliable Rust codebase.
     翠星石 likes this.
   • Embed this notice
     翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 04-Apr-2025 19:19:50 JST 翠星石

     in reply to

     • pistolero
     @p @hfaust A proprietary compiler that is much worse functionally in every way is worse, not better.
   • Embed this notice
     翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 04-Apr-2025 19:36:58 JST 翠星石

     in reply to

     • SuperDicq
     @SuperDicq @hfaust If you use it wrong, C++ is worse than C when it comes to "memory-safety", as it has many more bloated features.
     
     "C/C++" isn't a thing - both are different languages.
     
     I believe m$'s bootloader is partly C and mostly C++.
   • Embed this notice
     pistolero (p@fsebugoutzone.org)'s status on Friday, 04-Apr-2025 20:03:43 JST pistolero

     in reply to

     • 翠星石
     @Suiseiseki @hfaust
     
     > proprietary compiler
     
     ...GPLv3 is not proprietary. Ken's compiler is pure.
     
     > worse functionally in every way
     
     It's a nice compiler, it's comfortable, and it's a tool instead of some product of a committee of UB-Nazis trying to shove their opinion into your program. It is also fast, it produces good machine code, and cross-compilation is *trivial*.
     
     :kenbw: > :rms:
     new_c_compiler.pdf
   • Embed this notice
     Phantasm (phnt@fluffytail.org)'s status on Friday, 04-Apr-2025 20:15:36 JST Phantasm

     in reply to

     • 翠星石
     • pistolero
     @p @Suiseiseki @hfaust
     Plan 9:
     >compile quickly, load slowly, and produce medium quality object code.
     
     gcc:
     >produce bad machine code until Apple pours millions into you
     >fragile codebase, a lot of tech debt
     >cross-compiling can be a pain depending on how esoteric your target is (literally anything that isn't a Linux host)
     pistolero likes this.
   • Embed this notice
     pistolero (p@fsebugoutzone.org)'s status on Friday, 04-Apr-2025 20:22:19 JST pistolero

     in reply to

     • 翠星石
     • Phantasm
     @phnt @Suiseiseki @hfaust
     
     > (literally anything that isn't a Linux host)
     
     And God help you if you want to statically link the program.
     Phantasm likes this.
   • Embed this notice
     Phantasm (phnt@fluffytail.org)'s status on Friday, 04-Apr-2025 20:23:48 JST Phantasm

     in reply to

     • 翠星石
     • pistolero
     @p @Suiseiseki @hfaust Hey, I saw you passed --disable-shared to the autotools script. Therefore I'll dynamically link against the libc on your system, or if you are crosscompiling I'll link to the sysroot libc with headers I broke during the fix-includes target.
     pistolero and Johnny Peligro like this.
   • Embed this notice
     Johnny Peligro (mischievoustomato@tsundere.love)'s status on Friday, 04-Apr-2025 22:51:50 JST Johnny Peligro

     in reply to
     @hfaust i mean, they're not wrong
   • Embed this notice
     Kerosene ~suya~ CEO of DarkFedi (kerosene@fsebugoutzone.org)'s status on Friday, 04-Apr-2025 23:04:45 JST Kerosene ~suya~ CEO of DarkFedi

     in reply to

     • 翠星石
     • 御園はくい
     • pistolero
     @p @hakui @Suiseiseki @hfaust I'm technically not but yesterday I ate a burrito so that's fixed. I'm mexican now.
     Phantasm and pistolero like this.
   • Embed this notice
     eliseo (eliseo01@fe.disroot.org)'s status on Friday, 04-Apr-2025 23:06:25 JST eliseo

     in reply to
     @hfaust
     
     Rust itself is arguably proprietary already due to the compiler and the usual corporate trademark shenanigans.
     翠星石 likes this.
   • Embed this notice
     H. Faust (hfaust@shitposter.world)'s status on Friday, 04-Apr-2025 23:06:26 JST H. Faust

     in reply to

     • eliseo
     @eliseo01 That's why I don't trust when people push for a Rust rewrite, every time they do, you find a piece of software licensed in MIT just they will be able to close it later.
   • Embed this notice
     pistolero (p@fsebugoutzone.org)'s status on Saturday, 05-Apr-2025 08:20:13 JST pistolero

     in reply to

     • 翠星石
     • 御園はくい
     • Kerosene ~suya~ CEO of DarkFedi
     @kerosene @Suiseiseki @hakui @hfaust Gotta get some more burritos, honkeytown doesn't have any options.
     pmexican.jpg