| ▲ | arcfour 2 hours ago |
| I strongly disagree on the Secure Boot front. It's necessary for FDE to have any sort of practical security, it reduces malicious/vulnerable driver abuse (making it nontrivial), bootkits are a security nightmare and would otherwise be much more common in malware typical users encounter, and ultimately the user can control their secure boot setup and enroll their own keys if they wish. Does that mean that Microsoft doesn't also use it as a form of control? Of course not. But conflating "Secure Boot can be used for platform control" with "Secure Boot provides no security" is a non-sequitur. |
|
| ▲ | whatevaa 17 minutes ago | parent | next [-] |
| Full disk encryption protects from somebody yanking a hard drive from running server (actually happens) or stealing a laptop. Calling it useless because it doesn't match your threat model... I hate todays security people, can't threat model for shit. |
|
| ▲ | serf an hour ago | parent | prev | next [-] |
| >It's necessary for FDE to have any sort of practical security why? do you mean because evil maid attacks exist? anyone that cared enough about that specific vector just put their bootloader on a removable media. FDE wasn't somehow enabled by secure boot. >bootkits are a security nightmare and would otherwise be much more common in malware why weren't they more common before? serious question. Back in the 90s viruses were huge business, BIOS was about as unprotected as it would ever possibly be, and lots of chips came with extra unused memory. We still barely ever saw those kind of malware. |
| |
| ▲ | arcfour an hour ago | parent | next [-] | | > anyone that cared enough about that specific vector just put their bootloader on a removable media. FDE wasn't somehow enabled by secure boot. Sure, but an attacker could still overwrite your kernel which your untouched bootloader would then happily run. With SB at least in theory you have a way to validate the entire boot chain. > why weren't they more common before? Because security of the rest of the system was not at the point where they made sense. CIH could wipe system firmware and physically brick your PC - why write a bootkit then? Malware then was also less financially motivated. When malware moved from notoriety-driven to financially-driven in the 2000s, bootkits did become more common with things like Mebroot & TDL/Alureon. More recently, still before Secure Boot was widespread, we had things like the Classic Shell/Audacity trojan which overwrote your MBR: https://www.youtube.com/watch?v=DD9CvHVU7B4 and Petya ransomware. With SB this is an attack vector that has been largely rendered useless. It's also a lot more difficult to write a malicious bootloader than it is to write a usermode app that runs itself at startup and pings a C2 or whatever. | |
| ▲ | cyberax an hour ago | parent | prev [-] | | > serious question. Back in the 90s viruses were huge business, No, they were not. They were toys written for fun and/or mischief. The virus authors did not receive any monetary reward from writing them, so they were not even a _business_. So they were the work of individuals, not large teams. The turning point was Bitcoin. Suddenly it provided all those nice new business models that can be scaled up: mining, stealing cryptowallets, ransomware, etc. |
|
|
| ▲ | kelseyfrog 2 hours ago | parent | prev [-] |
| Anything that restricts user freedom is entirely bad, even if it's at the expense of security. |
| |
| ▲ | arcfour an hour ago | parent | next [-] | | But...it doesn't restrict user freedom. If the user wishes to do so, they can disable SB. | | |
| ▲ | kelseyfrog an hour ago | parent | next [-] | | They shouldn't _have_ to do anything. The point is that no demands should be placed upon users. Same problem with age gating. It's fine, as long as zero additional demands are placed upon users. | | |
| ▲ | robotresearcher an hour ago | parent | next [-] | | Freedom from the consequences of malware is more valuable than the low cost of turning SecureBoot off if you don’t want it. We shouldn’t need the hassle of locks on our home and car doors, but we understand they are probably worthwhile for most people. | | |
| ▲ | aeternum 24 minutes ago | parent | next [-] | | What's the improved security argument for terminating VeraCrypt's account though? SB does have clear benefits but what is unclear is the motivation for the account termination. What's the likelihood that this account ban provides zero security benefit to users and was instead a requirement from the gov because Veracrypt was too hard to crack/bypass. | |
| ▲ | thisislife2 28 minutes ago | parent | prev [-] | | Do you lock your house or car and permanently handover the keys to some stranger, who you then have to depend on always to lock or unlock it for you? | | |
| ▲ | dwattttt 17 minutes ago | parent [-] | | No? I have locks on my house and car that I have the keys for. That an argument _for_ secure boot. |
|
| |
| ▲ | UrMomsRobotLovr an hour ago | parent | prev | next [-] | | Are the demands that users become experts in provider their own security against more advanced actors not significantly worse? The control part is unfortunate but the defaults should make it so users can focus on sharing pictures of cats without fear or need for advanced cyber security knowledge. | |
| ▲ | bigfatkitten 11 minutes ago | parent | prev [-] | | Users who care enough to do so can enrol their own keys using the extremely well documented process to do that. Users who don’t care about the runtime integrity of their machine can just turn it off. Both options are so easy that you could’ve learned how to do them on your machine in the time that you spent posting misinformation in this thread. |
| |
| ▲ | CodesInChaos an hour ago | parent | prev [-] | | And will then be locked out from an increasing amount of Applications, Media, and eventually even Websites. | | |
| ▲ | arcfour an hour ago | parent [-] | | I run Linux with Secure Boot and I don't feel locked out of any media, applications, or websites. My mom uses Secure Boot with Windows and doesn't know or care that it's enabled at all. |
|
| |
| ▲ | brookst an hour ago | parent | prev | next [-] | | So like banks requiring you to have a PIN on your ATM card, even if you don’t want one… that’s bad? Seatbelt laws are bad? | |
| ▲ | 2 hours ago | parent | prev [-] | | [deleted] |
|
