this post was submitted on 17 Jul 2026
267 points (98.2% liked)

Technology

86413 readers
3449 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots


founded 3 years ago
MODERATORS
top 21 comments
sorted by: hot top controversial new old
[–] wrinkle2409@lemmy.cafe 18 points 10 hours ago (1 children)

I thought the point of secure boot was to make it harder to install linux

[–] boonhet@sopuli.xyz 2 points 15 minutes ago
[–] friend_of_satan@lemmy.world 15 points 10 hours ago (1 children)

"Complexity is the enemy" is a great quote. Definitely keeping that in my pocket for a future design doc review.

[–] 0x0@lemmy.dbzer0.com 4 points 9 hours ago* (last edited 9 hours ago)

The Eternal Enemy: Complexity

apex predator of grug is complexity

complexity bad

say again:

complexity very bad

you say now:

complexity veryvery bad

https://grugbrain.dev/

[–] pelya@lemmy.world 26 points 13 hours ago

You simply sign a corporate contract and pay a corporate fee, and MICROS~1 will sign any shitty broken and backdoored bootloader that you send to them with zero quality control, and it was like that with Windows drivers for years.

[–] SaharaMaleikuhm@feddit.org 5 points 10 hours ago

No problem, I turned it off the day I bought this motherboard. It just gets in the way of me running linux

[–] Reygle@lemmy.world 77 points 17 hours ago* (last edited 17 hours ago)

If it says Microslop on it, it's broken.

BY DESIGN

[–] InnerScientist@lemmy.world 66 points 17 hours ago (1 children)

tldr: Either use your own keys or don't trust secure boot.

[–] BladeFederation@piefed.social 12 points 16 hours ago (1 children)

I am not a hacker, but what I gathered from the article is that this is due to shims with vulnerabilities being left as trusted instead of being revoked. If that's the case, wouldn't the hacker be using a modified version of a compromised shim? It shouldn't have to be a shim that you actually use right? Or does the signed shim have to correspond to thr correct OS that signed it?

[–] InnerScientist@lemmy.world 16 points 14 hours ago* (last edited 14 hours ago) (1 children)

There exists shims that are signed by Microsoft and were not revoked. Normally this would be fine but these shims had weaknesses that allowes hackers to load any code using them. Normally the shims should only run other signed/trusted code. These vulnerable shims can be used to bypass secure boot by replacing your existing bootloader with the shim and then running rootkits/hackerOS/whatever and bypass bitlocker using TPM or just running a level 0 virus that can't be detected by the OS on any PC which trusts Microsoft's keys (99% of all PCs)

To prevent this you'd have to not trust the vulnerable shims by either adding them manually to the exclusions list or using your own secure boot keys which would only trust the few bootloader files your pc uses and no other files.

Worst case: it behaves as if secure boot wasn't on. Without secure boot you wouldn't need this exploit cause then you can replace the bootloader with whatever you want anyways. With or without secure boot you need administrative permission to replace the bootloader so this is only an issue after your PC is already compromised or if someone had physical access to your PC.

[–] 0x0@infosec.pub 5 points 12 hours ago* (last edited 12 hours ago)

For anyone that hate microslop more than themself and enjoy pain i will provide this to aide in making your own pki, with blackjack and hookers:

https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html#creatingkeys

https://blastrock.github.io/posts/fde-tpm-sb-ng/

[–] EnsignWashout@startrek.website 47 points 16 hours ago* (last edited 16 hours ago) (1 children)

Microsoft has yet to explain how or why the lapse occurred.

Highly skilled technical staff are expensive, and it turns out that some people still use Windows when Microsoft doesn't hire the talent necessary to keep Windows working.

Edit: Also, bribes from three letter government agencies are probably pretty nice.

[–] atomicbocks@sh.itjust.works 18 points 14 hours ago (2 children)

The number of times I’ve seen a fix not get pushed because somebody got laid off is a lot higher than you might think.

[–] GreenBeard@lemmy.ca 7 points 12 hours ago

Holy hell yes. It's actually alarming how many security holes are out there simply because management had no clue what people did and canned the last guy responsible for maintaining something. Zombie functions that are holding up the whole stack, but no one has had a clue what they did in 15 years, and we all just look away and hope they keep holding until they're someone else's problem.

[–] iknewitwhenisawit@fedinsfw.app 5 points 13 hours ago

I cannot make certain teams at my work give a shit about known security vulnerabilities in libraries they use, since they don't trip our internal scanners. People have their own priorities. ¯\_(ツ)_/¯

[–] dan1101@lemmy.world 13 points 14 hours ago

Or, like me, they never trusted it to begin with.

[–] sfxrlz@lemmy.world 31 points 17 hours ago

No wonder no three letter agency has ever complained about it

[–] spaghettiwestern@sh.itjust.works 6 points 15 hours ago

The gaffe is the result of the failure by Microsoft, which oversees the signing of shims, to revoke the publicly available images once vulnerabilities were found in them.

[–] ms_lane@lemmy.world 6 points 16 hours ago* (last edited 16 hours ago) (1 children)

no one noticed

Did that get Berenstained? I distinctly remember it being broken a decade a ago...

[–] 9tr6gyp3@lemmy.world 1 points 16 hours ago* (last edited 16 hours ago) (1 children)

Its been broken multiple times, which is why its important to update your BIOS firmware if your motherboard manufacturer says they have patched security issues.

[–] cecilkorik@lemmy.ca 2 points 9 hours ago

Yes it's important to always update to make sure you also have the newest security holes in addition to the old ones that nobody's noticed. /s