Eclypsium calls out Microsoft over bootloader security woes

Eclypsium researchers criticized Microsoft for its response to the discovery of three new bootloader vulnerabilities that could be exploited to gain control of systems during the boot process. During a DEF CON 30 session Friday, security platform provider Eclypsium's researchers delved into the vulnerabilities, which were disclosed in Microsoft's Patch Tuesday release this week. The three vulnerabilities exist in third-party bootloaders: Eurosoft Ltd. (CVE-2022-34301); New Horizon Datasys, Inc. (CVE-2022-34302); and Kidan's CryptoPro Secure Disk for BitLocker (CVE-2022-34303). If exploited, threat actors could bypass Secure Boot, a security protocol used by OEMs and operating system vendors to ensure bootloaders and Unified Extensible Firmware Interface (UEFI) drivers are authenticated through valid digital signatures. Bypassing the Secure Boot checks would allow threat actors to commit attacks, such as modifying the OS, disabling security controls and installing backdoors. Read on

What’s New in GNOME 43?

GNOME is one of the most popular graphical desktop environments on Linux. Practically every distribution has a release featuring GNOME. Imagine the impact then, when the GNOME developers shook things up—to put it mildly—with GNOME 40. It changed the desktop paradigm from a vertical one to a horizontal one and changed the look, feel, and functionality of, amongst other things, the dock, the activities view, and workplaces. Releases 41 and 42 were much smaller in impact, concentrating on polishing the interface and ironing out wrinkles that remained after the iconoclastic changes to GNOME 40. GNOME 43 is more of the same. Don’t expect major changes this time round. That’s not to say it is inconsequential. There are the expected subtle cosmetic touches, with more applications adopting a deeper integration with the libadwaita theming engine. But there’s also new functionality, including the Files file browser being enhanced. It is now adaptive and will give a better user experience on mobile devices. Although GNOME 43 beta is available, it won’t be rolled out to the public until its actual launch date of September 21, 2022. Fedora 37 is slated to use GNOME 43. Ubuntu 22.10 probably won’t. Rolling distributions based on Arch such as Garuda Linux, Manjaro Linux, and EndeavourOS will pick it up shortly after its release date. Although this isn’t the finished product, looking at the beta is still worthwhile. Even if small changes may still be made between now and the launch date, all the big elements are already in place. The release candidate build is the one when the portcullis drops and no more changes can be made. This is slated for September 3, 2022. Read on

today's leftovers

• WARNING! Always Read Scripts Before Running Them (Including AUR Package Builds) - Invidious

  One of the things that we often warn computer users is "Don't grab a script and run it without reading it first!" But many users complain that they don't read scripts before running them because they wouldn't understand the script anyway. I challenge that! I think most Linux users can read basic scripts, such as AUR PKGBUILDs.

• XMPP and the effect of providers.xmpp.net

  Some of you may already know that I’m operating an XMPP server. So far there are several domains running on that XMPP server and two domains are open for public registration. Namely these domains are hookipa.net and xmpp.social. You can find the service under the main domain on https://hookipa.net.

  Interesting in this is, that for some time xmpp.social seemed to be the domain of choice for many users, maybe because of “xmpp” and “social” in the domain name – or because it is easier to name it than “hookipa” with “double-oh” and “kay”… who knows…

• How old our servers are (as of 2022)

  Back in 2016, I wrote about how old our servers were at the time. They were rather older than people might have expected, because universities are generally cheap and so usually run servers much longer than many people do. My group no longer quite runs servers into the ground, but we still can come close. Today, for reasons beyond the scope of this entry, I'm going to do a 2022 version of my old entry.

  My group only handles general departmental infrastructure on the non-undergraduate side of things, although these days we have some big servers that are mostly in our compute cluster. However, most of the most modern and powerful servers are in research groups, and get turned over much faster than we do (in fact we just recently got rid of some vintage 2011 'compute' servers we inherited that way).

  Our normal servers remain almost entirely 1U Dell servers, although we've wound up with some ultra-short Supermicro servers as well that we use for firewalls. What we consider our current generation of Dell 1U servers are R340s and R240s; these are what we use for new installs of machines that we particularly care about. Since we're in the process of upgrading a bunch of machines from Ubuntu 18.04 to 22.04, the number of these servers in production use is likely to go up. Somewhat older than that are Dell R230s, which it looks like we started using in 2017 or maybe 2018, and then we have quite a number of R210 IIs and R310s still in service, although we're rotating those out of service as we upgrade machines to Ubuntu 22.04. We're still reusing some of these old Dells for test servers or unimportant things, although we've decided that a number of them have CPUs that are now just too slow for modern Linux.

• Thinking aloud about web engagement

  Last Wednesday I talked about the growing trend of superficial Linux distro reviews, both on YouTube and in thousands of cookie-cutter websites. Michael Dexter has lamented the fact that site wrapping software announcement with ads places higher in search results than the announcements themselves.

  I have intimate experience with this. Software and writing I once published under my (now retired) alias would routinely get picked up and disseminated, usually without attribution. My primary blog here is now big and old enough that its harder to get away with this, but I still find people wrapping my words wholesale so they can get cents of ad revenue. I still continue to publish full articles in my RSS feeds, but I’m starting to understand why others only want to include summaries.

  [...]

  As I said in that Linux desktop review post, I don’t think everyone is guilty of this. But it does go part of the way to explain why we’re seeing so many more of these mass-farmed videos and blogs, all saying broadly the same thing. Substance has been replaced with SEO (an abbreviation I’ve long thought a red herring), quality with quantity, and search engines like Google are, at best, enablers. There’s a reason everyone thinks search results aren’t as good now as they used to be.

  [...]

  The web seems to be cleaving in two directions: rubbish, and paywalls. I’d guess there are just as many people sharing knowledge, experience, and ideas as ever before, but they’re being drowned out by an increasing tide of churnalism, theft, and low-effort spam. Sandy demonstrates as much when doing some basic geographic and health searches in the first linked post, some of which has already cost lives.

Steam Deck Is Surprisingly Great As A PC—Here’s How To Do It

From setup, to software tips, to must-have peripherals, here’s how to use your Steam Deck as an excellent personal computer... Read on