It doesn't work, there's probably some trick with that Microsoft sign-in user.
I disabled UAC in Control Panel because those notifications annoy me...
Where else should I look?
__________________
| MSI X570 Unify | 5900x WB Heatkiller |F4-4266C17D-32GTZRB | Gigabyte RTX 3080 OC Bykski WB |Crucial P5 2TB x 2 | Seagate 12TB | Custom case & Seasonic X-750 | Predator XB271HU | | G Pro X Superlight & EVGA Z20
The "supplemental" policy does NOT contain a DeviceID. And, because they were meant to be merged into a base policy, they don't contain any BCD rules either, which means that if they are loaded, you can enable testsigning. Not just for Windows (to load an unsigned driver, i.e. a rootkit), but for the {bootmgr} element as well, which allows bootmgr to run what is effectively an unsigned .efi (i.e. a bootkit)!!! (In practice, the .efi file must be signed, but it can be self-signed.) You can see how this is very bad!! A backdoor, which MS put in to secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere!
Quote:
Windows 10 has more built-in security protections to help safeguard you against viruses, phishing, and malware, it’s the most secure Windows ever.
It doesn't work, there's probably some trick with that Microsoft sign-in user.
I disabled UAC in Control Panel because those notifications annoy me...
Where else should I look?
It's incredible how those speakers sound even on YouTube. I can only use them on a laptop because the main computer acts up. I'm waiting for the DAC to arrive.
On another note, you surely don't think I'd stop my music for a 10-second video.
Epic shit: Chrome & Firefox open more slowly in Win 10 (the lag from the click to landing on the lab501 site) than in Win XP.
If someone had told me this before I tested it with my own hands, I would have said for sure that he's an idiot.
I tested it simply because, while tidying up my junk drawers, I came across the XP image from the PC in question.
PS: same HW (PC + networking gear) and same ISP
I discovered this too about 4 months ago ... when moving from 7 to 10 ....
Quote:
Originally Posted by [Wanted]
Ubuntu sounds better and better for browsing ) especially since Chrome runs instantly on it compared to Windows 10
On my system I have a 250 SSD with a dual boot of Win 10 Pro and 7 Ultimate (certain software doesn't work on Win 10), a 2TB HDD for storage, plus a 32 SSD with Ubuntu 16.04 LTS, which I generally use for browsing .... on sites that are less friendly to Win
It's incredible how those speakers sound even on YouTube. I can only use them on a laptop because the main computer acts up. I'm waiting for the DAC to arrive.
On another note, you surely don't think I'd stop my music for a 10-second video.
I thought you said you listen to classical music, rock and so on
__________________ We are born in order and die out of order.
Having your girlfriend dump you while saying you can stay friends is like your dog dying and your mother telling you that you can keep it.
Yes, man, I understood how it's done, it's just that RealTempGT doesn't start together with Windows after a restart!!
Wouldn't one solution be to create a local user with admin rights and start it as that user through a batch file?
Or to run it as a service under something like the Local System account (or even under the one you created)?
That "golden key" everyone is talking about is the private key from the digital signatures. That one is used en masse anyway, because the UEFI verifies the authenticity of what it boots using the public key it stores. Losing the key is stupidity, not a backdoor, because others can create a seemingly innocent digital signature.
The complicated part isn't changing the private key but the public one, because the UEFIs have to be updated.
There seems to be a mix of people using "key" in the cryptographic sense, and "key" in a more layman's sense. This difference is pretty important. In cryptography, a key is for encrypting and decrypting data. It's a very specific thing. People using "key" in this leak are describing a "way" for disabling cryptography.
e: I just really want to emphasize here that the more I read comments around Reddit about this, the more confusing it is because people keep saying "key", "golden key", and "backdoor". In a cryptographic sense, no key was leaked. This does not give a person unobstructed access to the contents of your computer. This does not allow a person to view encrypted data.
Microsoft didn't actually leak a key
What they leaked is a "policy" that's signed by Microsoft's private key. The policy was meant for debugging purposes and it disables Secure Boot's signature verification. Practically speaking, this isn't very different as far as security risk goes. What this means is that once this policy is loaded, Secure Boot will no longer verify software is properly signed. They made two major mistakes here: they released the policy to production and they signed it with a production private key. If they had actually leaked the key, then attackers could use it to sign their own code and Secure Boot would load it as trusted. Instead, this flaw could allow attackers to simply disable Secure Boot from verifying signatures.
Ultimately I agree with the article's point that this demonstrates why the government's insistence on backdoors is a bad idea. However, it's important to understand that the article and OP's title aren't 100% correct, which seems to be a common problem with people talking about encryption.
Overly detailed ELI5 explanation about what this all means
Just to clear up possible confusion. Secure Boot or this leak is not about backdoors. Secure Boot is a feature that prevents unsigned/untrusted software from booting on your machine. From a security standpoint, this means that it's much harder for a root kit to work. From a business standpoint, this gives Microsoft control over what runs on a machine. For most PCs, Secure Boot can be shut off in your BIOS. Some devices, however, cannot disable Secure Boot meaning they have to run Microsoft signed code.
The simple explanation for how this works is that Microsoft made two keys that are mathematically linked. One is "private" and one is "public." Thanks to limitations of modern computers and what we know about computational complexity, it's not possible to derive one key from the other without some godly amount of computing power. Obviously from the names, public keys are shared and anyone can have them. Overall, they're pretty much worthless to anyone with malicious intents. The private keys have to remain private. The purpose of the private key is to "sign" code, which is then "verified" with the public key.
Signing in this case just means that a small message is encrypted, and verification is decrypting that message and checking to see if it's what we expect. Say Alice wants to send Bob a message saying "Hi, Bob" and she wants Bob to know for sure that she sent that message. Alice would write her message "Hi, Bob" and then hash it (hashing is a one-way encryption of data, there is no decrypting). She would then use her private key to encrypt the hash, and send it with her message to Bob. Bob would use Alice's public key to decrypt the hash and then hash Alice's message to verify it's from her. This does two things: it ensures that Bob is receiving a message from Alice and that no one interfered with the message at some point. Say an attacker intercepted the message and changed it to "Bob, I need $50 for an emergency" then Bob's hash would not match the encrypted hash.
This technology is just public key cryptography. You use it every day. When you go to a website starting with "https", you're using it. It's how you know the website/server you're attempting to reach is the actual website/server you're talking to. The same principles are used to only run "trusted" code. In the case of Secure Boot, they put this in the firmware of the computer to ensure untrusted software can't boot. It basically does what I described above to only load what it considers is "safe".
The issue here isn't that Microsoft has a private key. Again, this is completely normal. This is not evidence of some sort of backdoor or Microsoft being malicious. They have to have a private key in order to sign code. The issue here is that Microsoft couldn't keep the private key, well, private. This is not unheard of. Microsoft has done it before, Yahoo has done it, root CAs (the people that are paid a lot of money to keep their keys private) have done it, DVDs have done it, and BluRay as well. It's not excusable at all, it's a mistake that simply shouldn't happen. As far as what this means for the average user: not a whole lot. Root kits could possibly be made that overcome Secure Boot. However, this leak doesn't just unlock your entire system for them. They'll still need to exploit other weaknesses to infect your machine. So ultimately, if you don't have another reason, you should keep Secure Boot enabled. Disabling it simply removes any protection it might still have.
Is this the end for Secure Boot? Nah, not at all. It's almost certainly not easily fixable and would require BIOS updates as far as I know to revoke the public keys allowing the policy to be verified. I'm still doing some research to figure out how Microsoft can or plans to fix it and I'm not certain if a BIOS update is actually required. If I figure that out, I'll update this post.
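As an added illustration (not part of the quoted post or of this thread), here is a simplified Python model of the sign/verify flow and of the signed-policy problem described above: a validly signed debug policy with no device binding is accepted by a loader that checks only the signature. The toy RSA key, the policy fields `debug_no_verify` and `device_id`, and both loader functions are hypothetical; this is not the real Secure Boot policy format.

```python
import hashlib
import json

# Toy textbook RSA key built from two Mersenne primes (constructed; far too
# small and unpadded for real use, it only stands in for the vendor's key pair).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known to the signer only

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    return pow(digest(data), D, N)

def verify(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == digest(data)

def encode(policy: dict) -> bytes:
    # Stable byte encoding so signer and verifier hash the same bytes.
    return json.dumps(policy, sort_keys=True).encode()

def naive_loader(policy: dict, sig: int, this_device: str) -> str:
    """Hypothetical loader that honors any policy with a valid signature."""
    if not verify(encode(policy), sig):
        return "rejected: bad signature"
    return "verification disabled" if policy.get("debug_no_verify") else "enforcing"

def bound_loader(policy: dict, sig: int, this_device: str) -> str:
    """Hypothetical loader that also requires the policy to name this device."""
    if not verify(encode(policy), sig):
        return "rejected: bad signature"
    if policy.get("device_id") != this_device:
        return "rejected: not bound to this device"
    return "verification disabled" if policy.get("debug_no_verify") else "enforcing"

# Constructed sample: a debug policy signed with the production key, no device_id.
DEBUG_POLICY = {"debug_no_verify": True}
DEBUG_SIG = sign(encode(DEBUG_POLICY))

if __name__ == "__main__":
    msg = b"Hi, Bob"
    print(verify(msg, sign(msg)))                                  # genuine message
    print(verify(b"Bob, I need $50 for an emergency", sign(msg)))  # altered message
    print(naive_loader(DEBUG_POLICY, DEBUG_SIG, "device-A"))
    print(bound_loader(DEBUG_POLICY, DEBUG_SIG, "device-A"))
    edited = {"debug_no_verify": True, "device_id": "device-A"}
    print(bound_loader(edited, DEBUG_SIG, "device-A"))  # old signature no longer fits
```

The last call shows why the binding helps: adding a `device_id` to the policy changes the signed bytes, so the existing signature stops verifying without the private key.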