<Tinfoil hat> I think there's more than meets the eye here. I think part of the reason MS is enforcing TPM2.0 and now this SBAT update is that there is widespread rootkit level malware and they are trying to stay ahead of the curve. </Tinfoil hat>

When it comes to the realities of dual-booting, I had tons of problems with Win7/8/10 with suspend-to-hiberfile.sys issues and updates 10 years ago breaking grub. 10 years ago I finally decided, "You know what, I'm just going to run Linux, if I really need Windows or Mac, I can run a VM or use a separate spare computer."

Since then I have successfully set up Secure Boot for my distro, learned how to tweak QEMU for performance and passthrough, got a working QEMU macOS VM (although having to update every few months to keep Xcode working is a pain), and am generally pretty happy with the state of affairs.




> widespread rootkit level malware and they are trying to stay ahead of the curve

Microsoft is within US legislation. So a three-letter agency already has the keys and their spyware is a signed UEFI module.


[flagged]


The German government caused Let's Encrypt to issue fraudulent certificates to xmpp.ru and jabber.ru by physically intercepting the server's network connection. https://news.ycombinator.com/item?id=37961166


IMHO, those aren't fraudulent certificates; they established effective control of the hostname, which is all a certificate implies. They didn't have authorization from the owner of the domain, but Let's Encrypt doesn't include ownership information, so there's no fraud there. Of course, this means someone who can MITM a whole server can also have a certificate issued to show everyone they're authentic.

You could potentially protect against this by cert pinning to a CA that won't issue to an interloper, or possibly using CAA records in DNS if you can be confident your DNS won't be MITMed or changed out from under you by your registry. DNSSEC helps, if your registry (and the root) won't fold under pressure, but not if they do ... and DNSSEC is in the top 3 causes of high profile DNS failures in my estimation.
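The CAA check the comment above mentions, as an added example that is not code from the thread: this is the RFC 8659 evaluation a CA performs at issuance time (climb from the FQDN towards the root, take the first non-empty CAA RRset, then apply `issue`, or `issuewild` for wildcard names). The zone, the issuer domains and the `ca_may_issue` helper are constructed for this example. It is the CA, not the site, that does this lookup, so it helps exactly as far as the CA's view of your DNS is the honest one, which is the caveat the comment makes.

```python
"""CAA evaluation as a CA performs it at issuance time (RFC 8659).

Added example, not code from the thread. ZONE is constructed sample data;
ca_may_issue() answers whether the named issuer domain is authorised to
issue for an FQDN (wildcard names use 'issuewild' when such records exist).
"""

# Constructed DNS zone: owner name -> CAA records in presentation format.
ZONE = {
    "example.com": ['0 issue "letsencrypt.org"',
                    '0 iodef "mailto:security@example.com"'],
    "locked.example.com": ['0 issue ";"'],            # nobody may issue
    "wild.example.com": ['0 issue "letsencrypt.org"',
                         '0 issuewild "digicert.com"'],
    "notes.example.com": ['0 iodef "mailto:security@example.com"'],
}

ISSUANCE_TAGS = ("issue", "issuewild", "iodef")


def parse_caa(record: str):
    """Split '<flags> <tag> "<value>"' into (flags, tag, value)."""
    flags, tag, value = record.split(" ", 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def _normalize(name: str) -> str:
    return name.lower().rstrip(".")


def relevant_caa(fqdn: str, zone: dict) -> list:
    """RFC 8659 section 3: the first non-empty CAA RRset walking up from the FQDN."""
    name = _normalize(fqdn)
    if name.startswith("*."):            # wildcard: start at the parent label
        name = name[2:]
    while name:
        if zone.get(name):
            return [parse_caa(r) for r in zone[name]]
        name = name.partition(".")[2]    # Parent(name)
    return []


def _issuer_domain(value: str) -> str:
    # 'issue' values may carry parameters after ';' (e.g. "ca.example; account=123");
    # only the issuer domain in front of it is compared.
    return _normalize(value.split(";", 1)[0].strip())


def ca_may_issue(ca_domain: str, fqdn: str, zone: dict) -> bool:
    rrset = relevant_caa(fqdn, zone)
    # A critical (flag 128) property the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in ISSUANCE_TAGS for flags, tag, _ in rrset):
        return False
    wildcard = _normalize(fqdn).startswith("*.")
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        # No CAA RRset anywhere, or one with only e.g. iodef: issuance is unrestricted.
        return True
    ca = _normalize(ca_domain)
    return any(_issuer_domain(v) == ca for v in applicable)


if __name__ == "__main__":
    for ca, host in [("letsencrypt.org", "www.example.com"),
                     ("digicert.com", "www.example.com"),
                     ("letsencrypt.org", "locked.example.com"),
                     ("digicert.com", "*.wild.example.com"),
                     ("letsencrypt.org", "*.wild.example.com")]:
        print(f"{ca:16s} -> {host:22s} {ca_may_issue(ca, host, ZONE)}")
```

The empty issuer in `0 issue ";"` is the RFC's idiom for "no CA may issue", and an RRset that carries only `iodef` does not restrict issuance at all; both cases are easy to get wrong when writing or auditing CAA records, so the sample zone includes them.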


That's not the same as OP's claim, which asserts three letter agencies have access to the private keys.


Certificate transparency is intended to solve this issue.


Why would an agency wanting to MITM you publish data about the MITM certificates?


Because browsers can require certificates to be in the certificate transparency logs to be valid. Chrome already does this. If a government convinces a CA to create a malicious certificate and publishes this cert to the CT logs to perform MITM, it will get found out and that CA can close its doors.


Also, if someone DOES have this ability and gets found out, e.g. someone finds the certificate, it makes it clear someone had that ability. You'll know that root CA is compromised one way or another and it potentially gets burnt.

Thus, they'll only use it under the strictest smallest of circumstances where the reward outweighs the risk, in a high profile scenario, rather than rolling it out willy nilly.

Similar to when threat actors use a 0day.. if they use it all the time it eventually gets discovered and fixed. If they save it for a special case they may manage to use it a couple of times before it gets patched.


How does the MITM victim get a non-MITM connection to the CT logs so they can be sure to get the correct ones?


Browsers enforce that certificates are signed by two independent CT logs, the public keys of which are shipped by the browser. So a MITM would need to compromise a trusted CA and two CT logs to be able to pull off an attack undetected. Maybe not impossible but much more difficult than just a single CA compromise.


By using pinned certificates which are hardcoded into all the major browsers.


Yeah for some reason I don't feel confident about Mogadishu Internet Trust Corp and many others.


Why wouldn't the TLA override that as well? Perhaps by leaning on the company that supposedly owns the domain.


The browser is verifying that the certificate appears in public certificate logs. So if a TLA forges a certificate (whether with the cooperation of a certificate provider, DNS provider or domain owner) that is now part of the public record. And if they do it with any domain that has enough eyeballs, someone would presumably notice. Not to mention that it's an easy way for agencies from rival countries to tip a reporter or security researcher off that it happened.

Of course in reality most browsers don't actually check the certificate logs but only require timestamps signed by certificate logs that prove that at least two certificate logs know of the certificate. A TLA that can pressure at least two logs to provide those timestamps without actually publishing the certificates isn't really stopped. But at least that widens the circle of people who have to be in on the conspiracy.

In a perfect world browsers would do spot checks against the actual certificate logs, and require that the signed timestamps are from logs that are unlikely to be influenced by the same actor (e.g. a Western, a Russian-sphere and a Chinese-sphere certificate log). Your guess why we don't do either is as good as mine.


That would be compromising the domain owner, rather than the threat model of Certificate Transparency which is compromised Certificate Authorities, especially given the number of government owned, publicly trusted (sub-)CAs.


[flagged]


The Snowden leaks made it clear that so long as the government has the means and motive to perform some kind of surveillance, they'll do exactly that. It may not be through the exact methods people are suggesting, but rest assured it is happening.


That’s another foundation of conspiracy theory: one specific example can serve as evidence for universal truth. Sure, the specific claims of theory A might collapse, but it might as well be true because it could be true because of past example B that is along the same lines.

I don’t doubt there is secret government surveillance we’d all be upset about. I’m not willing to use that general belief to assert the truth of specific unsupported claims.


The Snowden leaks weren't one specific example, they were dozens, involving every single big US tech company of any significance, and involving tons of different methods of surveillance.


Sure. Does that mean I should believe every random unsupported imagining now?


[flagged]


I think you underestimate how close big tech and telecom companies are to three letter agencies. See the "Protect America Act" of 2007 which covered everyone's asses for warrantless spying.


Ahh memories: Long before Snowden there was good ole 641a

https://en.wikipedia.org/wiki/Room_641A


Even better when said companies are (secretly) owned by said three letter agencies: https://en.wikipedia.org/wiki/Crypto_AG


Wasn't it the FISA Amendments Act of 2008? Or did the Protect America Act of 2007 also have immunity provisions?

edit: oh I see, the immunity provisions were first introduced with the Protect America Act of 2007 but they had a sunset date under that law so they were later made permanent by the FISA Amendments Act of 2008.


Congress already granted retroactive immunity for telecoms acting in cooperation with the US government with the FISA Amendments Act of 2008. I don't see why they couldn't do the same for Microsoft (assuming the law doesn't already apply to them).

> Release from liability - No cause of action shall lie in any court against any electronic communication service provider for providing any information, facilities, or assistance in accordance with a directive issued pursuant to paragraph (1).

- Section 702, subsection h, paragraph 3;

> Release from liability - No cause of action shall lie in any court against any electronic communication service provider for providing any information, facilities, or assistance in accordance with an order or request for emergency assistance issued pursuant to subsection (c) or (d), respectively.

- Section 703, subsection e.

https://www.govtrack.us/congress/bills/110/hr6304/text


"any information" suggests wrong information won't evoke cause of action in any court.


I would be shocked if a judge interpreted that to include essentially willful perjury (or at least false statements) to a national security agency.


I'd be shocked as well, but the small paragraph doesn't seem to preclude it.

People make mistakes, equipment can have unexpected behaviour, and people lie. I'm curious about whether this would be considered compelled speech if someone said "no, you can't MITM my service unless there is an extant activity of concern."

It's gotta be addressed in another section or paragraph.


I lost all illusion this was the case after hushmail https://www.wired.com/2007/11/encrypted-e-mai/


Oh, you mean like the time Microsoft was the first company in the Prism program uncovered by Snowden, later followed by Yahoo, Google, Facebook, YouTube, Skype, AOL, and Apple? The program allowing the NSA to decrypt any traffic* or data of these vendors? The publication of which had, like, no consequences for Microsoft or the others?

Yeah. I don't think they're really afraid of repeating that.


Those exact Snowden documents detailed how Microsoft refused to backdoor Bitlocker despite major pressure from the NSA.


Would like to hear more about this, seems so out of character. Have any links?


> When it comes to the realities of dual-booting

The sad and depressing part is that along the way we lost all possibilities of running coreboot or libreboot as an open alternative.

The only real option is to buy a used laptop from before the T44x generation (if you really want it secure)... or newer machines that come with other perks like soldered-on batteries that destroy the mainboard along with them when they leak out eventually.

I am not sure what the consumer rights protection agencies on the planet are doing, but seemingly they've been asleep at the wheel for way too long now.

> (Tinfoil hat) (...) I think part of the reason MS is enforcing TPM2.0 and now this SBAT update is that there is widespread rootkit level malware and they are trying to stay ahead of the curve.

The only vendors that seem to do something against it are somewhat System76, Frame.Work, Purism and maybe Starlabs. But the huge majority of devices are under the absolute control of Microsoft's signing process now. So I would argue that this isn't a tinfoil conspiracy, but a strategic decision that MS made to re-grab their lost power on x86 systems.


Framework comes with Intel ME enabled, not able to be disabled, and barely updates their firmware. For example, they left logofail unpatched for a year.


As I said, the better option would be a pre-Haswell era CPU so that you can flash libreboot on it and don't have to worry so much about intel-ucode, but that would also imply a more than 10-year-old laptop.

I just wish there would be more free and open options.

The RISC-V meme of the Hackers movie from the 90s is now so old that it's never gonna happen anyways. Those CPUs are nice and all, but you're even better off using a Pentium CPU performance wise, and that's a 20-year-old CPU.


> Those CPUs are nice and all, but you're even better off using a Pentium CPU performance wise, and that's a 20-year-old CPU.

This is out of date information. Currently purchasable RISC-V CPUs (in e.g. Milk-V Jupiter) are already the level of Intel Core 2, with the important difference that Jupiter has 8x of them, whereas the top Core 2 chips were only quad-core.

Cores expected to ship in early 2025 on 16-core Milk-V Oasis are at the level of Intel Haswell or AMD Zen 1.

Akeana, Tenstorrent, SiFive and Ventana have IP available for licensing which performance is similar or above Apple M1.

There isn't much of a performance gap left to close.


Novacustom in the EU offers laptops with modern (Intel FSP binary blob) coreboot and optional HAP-disable of Intel ME.


> [...] there is widespread rootkit level malware and they are trying to stay ahead of the curve.

There literally is. BlackLotus bootkit actively abuses a vulnerability Microsoft has been trying to patch (by updating the blacklist of vulnerable bootloaders) for the past two years and it's still ongoing AFAIK.


Ubuntu regularly locks up and black screens when I try to sleep/hibernate. It's a very common problem that has nothing to do with Windows or Microsoft. I also have had 0 issues with dual booting for roughly 10 years now. HN wouldn't be HN without some baseless MS bashing.


I have had occasional issues with Windows and various flavors of Linux hibernating but nothing that happens with any regularity - at all - and nothing that can't be solved by simply rebooting.


I shouldn't have to reboot in order to fix sleep or hibernate. Their reason for existence is to avoid the need to shut down and restart.


Did you read anything else in my comment?


I was grumpy, not at you. But my experience is different. Linux hibernate and sleep is broken in 2024. For me, anyway.



> tweak QEMU for performance and passthrough

Any guide you could link to that covers all of this? I would like to set up a very performant Windows VM.


https://wiki.archlinux.org/title/PCI_passthrough_via_OVMF

Note that it requires a second graphics card to work.


Or a single GPU that supports SR-IOV, but AFAIK no consumer-grade GPU provides it.


IIRC Intel iGPUs support it and I read somewhere that their dGPUs do as well, but I might be misremembering.


Well that's one big feature that would entice me to buy an intel gpu in the future


This is also the only reason I ever thought of buying an Intel GPU, but then I realized "Wait, if I am buying a new GPU I can just use my old GPU for host/passthrough. I don't need a new GPU that is roughly as good as my current one just for SR-IOV, I'd want one at least much better than my current one" (RX 5600XT, not really top but it does its job).


Intel 11th generation (Tiger Lake) clients onward have Xe* iGPUs with SR-IOV.


It would be entirely unsurprising if most TPMs had a clipper chip[0] like backdoor.

[0] https://en.wikipedia.org/wiki/Clipper_chip


Hibernate has always been more trouble than it's worth. And especially now when boot takes less time than loading your webmail.

It just screams you have no data hygiene. It's the extra step after living years with 723 open tabs.

QEMU passthru is the way. And if you don't own expensive hardware (i.e. only integrated graphics, like all feasible laptops), just dual boot with your own signing keys so you don't have to worry about revocation crap. Either it's signed or not. Revocation is just replacing the root PK keys.

