invokestatic
|
28 days ago
|
on: Exploiting signed bootloaders to circumvent UEFI Secure Boot (2019)
No, this is not true at all. Microsoft requires their system vendors (Dell, HP, etc) to allow users to enroll their own Secure Boot keys through their “Designed for Windows” certification.
Further, many distributions are already compatible with Secure Boot and work out of the box. Whether or not giving Microsoft the UEFI root of trust was a good idea is questionable, but what they DO have is a long, established history of supporting Linux secure boot. They sign a UEFI shim that allows distributions to sign their kernels with their own, distribution-controlled keys in a way that just works on 99% of PCs.
invokestatic
|
1 month ago
|
on: We X-Rayed a Suspicious FTDI USB Cable
Well, this project is literally about me circumventing/removing Boot Guard so I don’t know how it’s corporate authoritarianism. I’m literally getting rid of it. In doing so I get complete control of the BIOS/firmware down to the reset vector. I can disable ME. To me, that’s ultimate freedom.
As a power user, do I want Boot Guard on my personal PC? Honestly, no. And we’re in luck because a huge amount of consumer motherboards have a Boot Guard profile so insecure it’s basically disabled. But do I want our laptops at work to have it, or the server I have at a colocation facility to have it? Yes I do. Because I don’t want my server to have a bootkit installed by someone with an SPI flasher. I don’t want my HR rep getting hidden, persistent malware because they ran an exe disguised as a pdf. It’s valuable in some contexts.
invokestatic
|
1 month ago
|
on: We X-Rayed a Suspicious FTDI USB Cable
Yeah, but that doesn’t give me a reason to use the hot air station and hot plate collecting dust on my desk ;)
invokestatic
|
1 month ago
|
on: We X-Rayed a Suspicious FTDI USB Cable
I have a slow burn project where I simulate a supply chain attack on my own motherboard. You can source (now relatively old) Intel PCH chips off Aliexpress that are “unfused” and lack certain security features like Boot Guard (simplified explanation). I bought one of these chips and I intend to desolder the factory one on my motherboard and replace it with the Aliexpress one. This requires somewhat difficult BGA reflow but I have all the tools to do this.
I want to make a persistent implant/malware that survives OS reinstalls. You can also disable Intel (CS)ME and potentially use Coreboot as well, but I don’t want to deal with porting Coreboot to a new platform. I’m more interested in demonstrating how important hardware root of trust is.
invokestatic
|
1 month ago
Calling it a “kill switch” buries the lede here. What these politicians call a kill switch is technology to passively detect drunk driving. In 2021, Congress passed a law (HALT Drunk Driving Act) requiring NHTSA to eventually require auto makers to install passive drunk driver detection systems. NHTSA missed their statutory November 2024 deadline to finalize the regulations on this so it’s not like this amendment failing has a substantial impact. This technology is still many model years (maybe 2029? 2030?) away. I make no claims to the merits of this technology, I just feel the need to clarify the current situation.
invokestatic
|
1 month ago
|
on: "Anyone else out there vibe circuit-building?"
This is conceptually interesting to me because I see this as almost a more generic TI Webench. I’m curious why your focus is on the sized “grid” blocks (presumably for placement directly on the PCB layout) instead of doing the same but for the schematic. That way I still have the flexibility of laying out the board how I want to meet e.g. mechanical constraints instead of working around a 12.7mm grid.
invokestatic
|
1 month ago
|
on: OpenAI to begin testing ads on ChatGPT in the U.S.
I’ve been paying for Google Workspace for my custom domain for years basically just so I can use Gmail. For just $7 more a month, I upgraded my plan to access Gemini Pro, which has guaranteed enterprise-grade privacy controls. I think this is currently the best value platform for anyone who values their privacy for LLMs. If Apple and the DoD trust Google’s internal controls, I do too.
invokestatic
|
2 months ago
|
on: Linux kernel security work
Because Red Hat pays the salaries of dozens (hundreds?) of kernel maintainers all over different subsystems. So they’re subject matter experts, and know exactly which ones are relevant to Red Hat.
invokestatic
|
2 months ago
|
on: 10 Years of Let's Encrypt
I have an almost identical story except the state in question was Nevada. I’m curious what “dubious” domain it was, for me it was video game cheats. Maybe I’m actually the co-owner you’re talking about. :)
invokestatic
|
6 months ago
|
on: ICEBlock handled my vulnerability report in the worst possible way
Checking version numbers usually isn’t a good way of determining whether software on Linux is vulnerable to CVEs. Big distros (especially Red Hat derivatives) lock software versions but backport security patches. Reporting “vulnerabilities” solely based on reported version number is pure noise.
invokestatic
|
8 months ago
|
on: Game Hacking – Valve Anti-Cheat (VAC)
Actually, VAC handles Cheat Engine and the like very well. You won’t get banned for simply having them open, only for having them attached to the game, which I think is reasonable.
invokestatic
|
10 months ago
|
on: De minimis: US small parcels loophole closes pushing up Shein, Temu prices
I am exploring whether PCB prototypes can be imported tariff-free under HTSUS 9817.85.01. However, getting a tariff broker to figure out how to do this properly might also be expensive.
invokestatic
|
10 months ago
|
on: De minimis: US small parcels loophole closes pushing up Shein, Temu prices
I ordered an FPGA development board from China last month that unfortunately didn’t make it out of the country before tariffs/end of de minimis set in. So it’s now sitting in a consolidation warehouse overseas while I figure out what to do with it. Paying almost double its value in taxes alone just kills its viability as a hobby, and sourcing it overseas is the only way to get hands on hardware without shelling out $2,000+.
There’s a whole cottage industry over there where they harvest semiconductors from junk/e-waste and turn them into usable products again. I assume that’s where the actual FPGA chip came from.
invokestatic
|
1 year ago
|
on: US judge throws out FTC's ban on non-compete agreements
There are a ton of federal agencies that have the power to make regulations and then enforce them. This power is specifically delegated by Congress. It’s hard to imagine a functioning government without this. For example, Congress recognizes it is not a subject matter expert at radio signals, so it delegates the technical details of regulating the electromagnetic spectrum to the FCC. Same thing for the FDA. Congress isn’t an expert on how clinical trials should be designed so it delegates that to the FDA. A huge one is the DEA, which can both determine how drugs are scheduled and can also enforce it. Congress has the power to overrule the agency when it sees fit.
invokestatic
|
1 year ago
|
on: How to develop on Windows: comparing native, MinGW, Cygwin, WSL
My go-to on Windows is LLVM using the Windows SDK for libc. Before Microsoft had solved the whole msvcrt redistributable mess I used mingw-64 as the libc which worked pretty well actually.
invokestatic
|
2 years ago
|
on: Spark – A web micro framework for Java and Kotlin
Another vote for Micronaut. I’ve moved a Vert.x project to it recently. I love it. I will say though there are a lot of footguns and the wide variety of choices e.g. for persistence, views, etc make it hard to figure out the “right” way to do things. But the framework just really clicks for me.
invokestatic
|
2 years ago
|
on: Signal Identification Wiki
Depending on the frequency and source maprad.io may be more useful for identifying signals.
invokestatic
|
2 years ago
|
on: Ask HN: As a self-taught developer, what are your self-directed learning tips?
I’m one of those kids who have been programming since they were 10 years old. My biggest tip is to work on personal projects that you are genuinely passionate about or would use yourself. It’s a great way to experiment with new technologies with practically zero risk. For example, I’m currently working on a web app that started out as a SvelteKit SPA with two backend “micro services”. I just recently finished rearchitecting the project into a monolith and using Hotwire for the front end. I was able to get experience using both of these technologies risk-free.
As a result of being curious and working on things that interest me, there’s practically no area of software development that I haven’t touched. I’ve written Windows device drivers and firmware for an IoT product, hacked on the LLVM source, written a (really basic) hypervisor, and made countless web apps. All with no CS degree.
invokestatic
|
2 years ago
|
on: Flatpak is not the future (2021)
I just want to point out that Windows actually has similar packaging problems. For some reason, Windows didn’t ship with C/C++/.NET runtimes. So practically every app ships with either a copy of the runtime DLLs or an installer to install those runtimes globally. Every Windows installation inevitably gets a million msvcrt dlls across random places, never getting any security updates. I believe this situation is a lot better on recent versions of Windows 10/11.
invokestatic
|
2 years ago
|
on: Show HN: Mofi – Content-aware fill for audio to change a song to any duration
Baffling comment. Practically every trailer has music cut to length.