this post was submitted on 25 Jul 2024
315 points (99.1% liked)

Technology

58115 readers
3932 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
L4s@lemmy.world
315
Secure Boot is completely broken on 200+ models from 5 big device makers (arstechnica.com)
submitted 1 month ago by Xatolos@reddthat.com to c/technology@lemmy.world
78 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] capital@lemmy.world 1 points 1 month ago (1 children)

in regards to security

in regards to security

in regards to security

in regards to security

Just wanted to make sure you saw it this time because you went off on a tangent there.

[–] freeman@sh.itjust.works 16 points 1 month ago (5 children)

It doesn't matter if they know about security (which they do). A burglar could know about locks and home security systems, would you take his advice?

Their positions on security of others is dismissed on grounds of trust not of competence.

[–] mriguy@lemmy.world 8 points 1 month ago* (last edited 1 month ago) (1 children)

The NSA has two jobs.

The first is to break into any computer or communications stream that they feel the need to for “national security needs”. A lot of leeway for bad behavior there, and yes, they’ve done, and almost certainly continue to do, bad things. Note that in theory that is only allowed for foreign targets, but they always seem to find ways around that.

The second, and less well known, job is to ensure that nobody but them can do that to US computers and communications streams. So if they say something will make your computer more secure, it’s probably true, with the important addition of “except from them”.

I won’t pretend I like any of this, but most people are much more likely to be targeted by scammers, bitcoin miners, and ransomware than they are by the NSA itself, so in that sense, following the NSA’s recommendation here is probably better than not.

[–] freeman@sh.itjust.works 4 points 1 month ago (1 children)

Exploits don't care if you are actually the NSA or not. The NSA certainly knowns that yet they keep exploits secret at least from the public.

They have argued for key escrow for God's shake.

They are primarily an intelligence agency. If you are not likely to be targeted by the NSA you are also unlikely to be targeted by any of their adversaries. They don't give a shit if you get scammed, they are not the FBI, who also keep secret exploits and are anti-encryption.

Additionally using their "best" exploits on more simple targets still poses a risk to them being discovered and fixed. Therefore it's beneficial to them for everybody's security to be compromised. It also provides deniability.

[–] sugar_in_your_tea@sh.itjust.works 1 points 1 month ago

Right. Their advice for the general public is a mix of "best practice" and risk. If an exploit is not actively exploited in the wild, they'll probably sit on it for intelligence purposes and instead recommend best practices (which are good) that doesn't impact their ability to use the exploit.

So trust them when they say do X, but don't take silence to mean you're good.

[–] capital@lemmy.world 4 points 1 month ago (2 children)

A burglar could know about locks and home security systems, would you take his advice?

Literally, yes. There was even a TV show about it.

[–] freeman@sh.itjust.works 4 points 1 month ago

Do you have any evidence those two people are still committing burglaries? The NSA is not an ex-intelligence agency.

[–] sugar_in_your_tea@sh.itjust.works 2 points 1 month ago

I get my advice from LockPickingLawyer on YouTube. He'll demonstrate the weaknesses of various locks, and say which to avoid and which are probably okay ("okay" is a really strong recommendation from him). He'll still break into really secure locks in <2 min, but he'll describe the skills necessary to break in and let you decide on what your threat level.

Basically, as long as it's bump and bypass resistant, you're good. Burglars aren't going to pick locks, they'll either break a window or move on if the lock stops them. A good lock doesn't keep out a burglar, it just slows them down enough that they'll give up.

So yes, get advice from people who have the skills to break the protection they're recommending, they'll be able to separate things into threat categories. If you want OPSec advice, visit black hat hacking forums and whatnot, you'll get way better advice than sticking with the normie channels.

[–] Emerald@lemmy.world 4 points 1 month ago* (last edited 1 month ago)

A burglar could know about locks and home security systems, would you take his advice?

If they were an expert burglar, I might

Source: I'm an expert burglar and all of the others on my burglar crew are very helpful when people ask about home security stuff.

[–] Cosmicomical@lemmy.world 3 points 1 month ago

Exactly, they have a clear conflict of interest

[–] homesweethomeMrL@lemmy.world 1 points 1 month ago

Hey what is that, some kinda tangent