Posts
1255
Following
Hidden
Followers
Hidden
She/Her or It/It's, trans to the people who know me. I'm less active here, oh well...

Ars headline: "Found in the wild: The world’s first unkillable UEFI bootkit for Linux"

Article then proceeds to describe a toy GRUB wrapper bootkit that has nothing to do with UEFI firmware (other than running on UEFI systems like any other UEFI bootloader), does not persist in UEFI firmware whatsoever (it just is installed in the ESP partition on disk), and can be killed by not just a drive swap, but any OS reinstall, and even simply a GRUB update/reinstall.

And which looks like a toy demo from every angle, that any experienced security researcher could have cooked up in a couple of afternoons. Hardcoded kernel patch offsets for a single specific Ubuntu kernel build and all. No novel techniques in use. This could have even been a homework exercise as far as I'm concerned.

In fact, it has an obvious mistake, touched on by the original article: LD_PRELOAD is set to a string trailing with " /init", no doubt a copy+paste of the command line used to achieve the same execution during testing. The correct string would have omitted the " /init", and the mistake would have caused an error message like this to be printed for every executable launched until LD_PRELOAD is overridden:

ERROR: ld.so: object '/init' from LD_PRELOAD cannot be preloaded (invalid ELF header): ignored.

Furthermore, this bootkit is incomplete, since it relies on chaining into components installed via another mechanism (e.g. /opt/injector.so in the initramfs). A true bootkit only relies on its own first stage to drop all subsequent stages. That's the whole point of setting up a boot chain compromise like this. Otherwise you can defeat it by removing any of the stages, even if the bootkit stage is intact. As it stands, this bootkit isn't really a bootkit, it's just a module signing side-step that allows a traditional rootkit to be loaded on a system with Secure Boot enabled (and, since Secure Boot is still working as intended, that results in a prompt on the first reboot asking the user to install the "bootkit"'s certificate into the UEFI trusted certificate store, since it is obviously not trusted by default). So it can't even be installed without clear warning to the user that something is wrong.

Come on, @dangoodin. I expect better than this from Ars, and I expect a correction, because this is just inexcusable misinformation. The original article clearly mentions how to kill this "unkillable" bootkit, which tells me you didn't even read the original article all the way.

A simple remedy tip to get rid of the bootkit is to move the legitimate /EFI/ubuntu/grubx64-real.efi file back to its original location, which is /EFI/ubuntu/grubx64.efi.

Update: article & headline have been updated.

Update 2: It was a student project after all. Lol.

https://arstechnica.com/security/2024/11/found-in-the-wild-the-worlds-first-unkillable-uefi-bootkit-for-linux/

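The displacement the post describes (the real GRUB renamed to grubx64-real.efi, a wrapper taking its place, remedied by moving the real file back) is easy to check for on disk. The script below is an added example, not from the post or from the original write-up; it assumes the ESP is mounted at the path given as its argument and that the "-real.efi" naming is the indicator, and it only prints the remediation rather than performing it.

```shell
#!/bin/sh
# Added example (not the post's or the write-up's code): scan a mounted ESP for a
# legitimate GRUB image displaced to <name>-real.efi beside a <name>.efi wrapper.
# Usage: scan_esp /boot/efi        exit 0 = clean, exit 2 = displaced image found

# Print "PE" if the file begins with the MZ magic of a PE/EFI image, else "other".
esp_image_kind() {
    magic=$(head -c 2 "$1" 2>/dev/null | od -An -c | tr -d ' \n')
    [ "$magic" = "MZ" ] && echo PE || echo other
}

# Report every <name>-real.efi that sits next to <name>.efi under EFI/*/.
scan_esp() {
    esp=$1
    found=0
    for real in "$esp"/EFI/*/*-real.efi; do
        [ -f "$real" ] || continue              # unmatched glob stays literal; skip it
        wrapper=${real%-real.efi}.efi           # the name the wrapper occupies
        if [ -f "$wrapper" ]; then
            found=1
            echo "DISPLACED: $real ($(esp_image_kind "$real")) beside $wrapper ($(esp_image_kind "$wrapper"))"
            # Same remedy the write-up gives: put the original image back in place.
            echo "  remediation (not applied): mv '$real' '$wrapper'"
        fi
    done
    [ "$found" -eq 0 ] && { echo "clean: no displaced images under $esp/EFI"; return 0; }
    return 2
}
```

Run it against each mounted ESP; a nonzero exit with a DISPLACED line is the cue to verify the wrapper's signature chain before trusting the next boot.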

Michał "rysiek" Woźniak · 🇺🇦

J.K. Rowling attacks another cis female athlete implying she's Trans (via @muiren) https://sfba.social/@muiren/113559844889410473

This may shock you, but this cis female athlete, just like the previous cis female athlete attacked this way by Rowling, Imane Khelif, is a person of color, and comes from Africa.

Apparently for Rowling, you are only a woman until somebody thinks you're too buff and refuses to sign a form:
https://apnews.com/article/zambia-banda-womens-world-cup-79520a0f06bf1c91a18fbeacfdd2fbec


People who complain about wokeness in new video games don’t actually care about the past, just their imagined version of it.

So this is worth saying:

  • the Fairchild Channel F, the first cartridge-based video game console, was invented by a Black man who taught himself electrical engineering
  • Sierra, the most important American computer game publisher of all time, was co-founded by a woman
  • Baldur’s Gate II, KOTOR, and Dragon Age—the most influential RPGs of all time—were narratively written by a gay man

The games we all love are made by diverse people, many of whom remain unseen, who put their hearts and souls into these works.

Just because you’re unaware of them doesn’t mean they don’t exist.


NEW FIREFOX CREATURE ALERT THIS IS NOT A DRILL

opensussy

If you're a wizard and you cast plane shift, can you target the Basic Multilingual Plane?

ethernet pride flags.

the orange represents the orange wire
the green represents the green wire
the blue represents the blue wire
the brown represents the brown wire
the striped wires represent their respective striped wires
the crossover one represents a crossover cable

Techwear YCH for F3tzi!

.


🦝Getting the rust going before getting back into commissions

Edited 1 year ago

From time to time people say that devs should be forced to use an old PC so they have to optimize their stuff.

I'd say they should be forced to run out of disk space from time to time. Some stuff is *completely wrecked* when that happens. Many applications crashing at best, and having corrupted data at worst. Firefox logs me out of most websites. Jellyfin with some luck gets a corrupted XML that I can just delete, but sometimes the database is unsalvageable and I have to hunt for all places where it saves stuff to delete it and reconfigure it from scratch once again.

Mastodon fortunately just seems to stop doing anything until there's space again.


luna, friend of eggbug

A lot of people don’t know this one weird trick — much like JavaScript, C also lets you perform arithmetic with mixed types:


🛁


Considering I don't post too much to my other account at all, I'm going to try putting everything under one name. So expect to see some non-babyfur (& related groups) on this account.

This one is for Myst!


Big inflates for a big wolf!
Fursuit: Sarah Cat Fursuits (https://www.sarahcatfursuits.com/ )


My feed: *hyperfocuses about sealing fans*

Uhm I wonder if @TechConnectify uploaded a new video......let me check...oh hello yes.

This is not a complaint though, I wouldn't have it any other way.


I'm answering the important questions.
https://www.youtube.com/watch?v=6Ea6jf-9Czo
