Microsoft terminates VeraCrypt account, halting Windows updates

Most RATs are signed, that's a hurdle but it's clearly not a big deal to bypass for criminals, many "SSL companies" provide them, just have to use fake docs and you'll be issued it, many shady services sell those signatures as well and it doesn't look like it cost more than $15 per binary, so obviously, not so secure in practice.

All PKI topologies have tradeoffs. The main benefit to a centralized certification/signing authority is that you don't have to delegate the complexity of trust to peers in the system: a peer knows that a signature is valid because it can chain it back to a pre-established root of trust, rather than having to establish a new degree of trust in a previously unknown party.

The downside to a centralized authority is that they're a single point of failure. PKIs like the Web PKI mediate this by having multiple central authorities (each issuing CA) and forcing them to engage in cryptographically verifiable audibility schemes that keep them honest (certificate transparency).

It's worth noting that the kind of "small trusted keyring" topology used by Debian, Arch, etc. is a form of centralized signing. It's just an ad-hoc one.

While agree that this is a problem if becoming an attack vector, FDoid does already do central signing of their own builds. With reproducible builds actually the attack vector would be minimal and actually maybe there could be multiple of such entities, which would make this even more robust. I just think the answer to power is not always decentralization. Alternatively government actors could also build open source for their citizens. Here would have at least democratically mandated corruption. IMHO this is much better than the current quasi government of the internet by a few powerful gatekeepers.

There is ossign.org, Certum offers a cheap certificate for FOSS [1], and Comodo offers relatively cheap (but still expensive) certs as well [2]. Not affiliated with either service, but these are the ones I remember last time I had to dig into this mess, so there might be even more services that I don't recall at the moment.

[1] https://shop.certum.eu/open-source-code-signing.html

[2] https://comodosslstore.com/code-signing/comodo-individual-co...

Yeah but consider that if something is cheap or free (having Microsoft do it), what is the product? It's a tradeoff, pay for independence or be at the mercy of in this case Microsoft.

(there is probably a third, fourth, fifth option but this is an internet comment section)

Having a fee that's trivial for serious software developers but too high for script kiddies shipping trash is a good thing.

Wireguard will get fixed.

Microsoft is building things on top of it:

https://learn.microsoft.com/en-us/azure/aks/container-networ...

> Full disk encryption protects from somebody yanking a hard drive from running server (actually happens) or stealing a laptop.

Both of these are super easy to solve without secure boot: The device uses FDE and the key is provided over the network during boot, in the laptop case after the user provides a password. Doing it this way is significantly more secure than using a TPM because the network can stop providing the key as soon as the device is stolen and then the key was never in non-volatile storage anywhere on the device and can't be extracted from a powered off device even with physical access and specialized equipment.

I (the commenter you responded to) am a security engineer by trade and I'm arguing that SB is useful. I'm not sure if the parent commenter is or isn't a security person but my interactions with other people in the security field have given me the impression that most of them think it's good, too.

So I'm a little confused about the "can't threat model for shit part," I think these sorts of attacks are definitely within most security folks threat models, haha

> anyone that cared enough about that specific vector just put their bootloader on a removable media. FDE wasn't somehow enabled by secure boot.

Sure, but an attacker could still overwrite your kernel which your untouched bootloader would then happily run. With SB at least in theory you have a way to validate the entire boot chain.

> why weren't they more common before?

Because security of the rest of the system was not at the point where they made sense. CIH could wipe system firmware and physically brick your PC - why write a bootkit then? Malware then was also less financially motivated.

When malware moved from notoriety-driven to financially-driven in the 2000s, bootkits did become more common with things like Mebroot & TDL/Alureon. More recently, still before Secure Boot was widespread, we had things like the Classic Shell/Audacity trojan which overwrote your MBR: https://www.youtube.com/watch?v=DD9CvHVU7B4 and Petya ransomware. With SB this is an attack vector that has been largely rendered useless.

It's also a lot more difficult to write a malicious bootloader than it is to write a usermode app that runs itself at startup and pings a C2 or whatever.

> serious question. Back in the 90s viruses were huge business,

No, they were not. They were toys written for fun and/or mischief. The virus authors did not receive any monetary reward from writing them, so they were not even a _business_. So they were the work of individuals, not large teams.

The turning point was Bitcoin. Suddenly it provided all those nice new business models that can be scaled up: mining, stealing cryptowallets, ransomware, etc.

So everyday users should be vulnerable to bootkits and kernel-mode malware...why, exactly? That is useful security. The fact that people do not pursue this type of malware very frequently is an effect of SB proliferation. If it were not the default then these attacks would be more popular.

You can also use SB with your own keys (or even just hashes)...just because Microsoft is the default included with most commercially sold PCs—since most people use Windows on their PCs—doesn't mean SB is controlled by them. You can remove their signing cert entirely if you want. I have done this and used my own.

Plus they signed the shim loader for Linux anyways so they almost immediately gave up any "control" they might have had through SB.

But...it doesn't restrict user freedom. If the user wishes to do so, they can disable SB.

So like banks requiring you to have a PIN on your ATM card, even if you don’t want one… that’s bad? Seatbelt laws are bad?

Its a simple solution in law to enable. Force manufacturers to allow owners of computer to put any signing key in the BIOS.

We need this law. Once we have this law, consumers csn get maximum benefit of secure boot withiut losing contorl

I make the analogy with a company, because on that front, ownership seems to matter a lot in the Western world. It's like it had to have unfaithful management appointed by another company they're a customer of, as a condition to use their products. Worse, said provider is also a provider for every other business, and their products are not interoperable. How long before courts jump in to prevent this and give back control to the business owner?

This gets tricky. If I click on a link intending to view a picture of a cat, but instead it installs ransomware, is that abiding by its owner or not? It did what I told it to do, but not at all what I wanted.

Well, that's a different market. What I say is that there are markets in which customers wants to be sure that the firmware is from "us".

And those markets are certainly not IoT gizmos, which I suspect induce some knee-jerk reactions and I understand that cause I'm a consumer too.

But big/serious customers actually look at the wealthiness of the company they buy from, and would certainly consider running their own firmware on someone else's product; they buy off-the-shelf products because it's not their domain of expertise (software development and/or whatever the device does), most of the times.

you click the box to turn off secure boot

Tradeoffs. Which is more likely here?

1. A customer wants to run their own firmware, or

2. Someone malicious close to the customer, an angry ex, tampers with their device, and uses the lack of Secure Boot to modify the OS to hide all trace of a tracker's existence, or

3. A malicious piece of firmware uses the lack of Secure Boot to modify the boot partition to ensure the malware loads before the OS, thereby permanently disabling all ability for the system to repair itself from within itself

Apple uses #2 and #3 in their own arguments. If your Mac gets hacked, that's bad. If your iPhone gets hacked, that's your life, and your precise location, at all times.

Then that customer shouldn't buy a device that doesn't allow for their use case. Exercise some personal agency. Sheesh.

In my case a firmware provider went out of business, and in one particular device the firmware gets stuck in an endless boot loop. It tries to calibrate some led's, but forgets to round some differences, so it can never converge to a proper calibration.

Device is bricked, firmware is secured with a signing key, refactoring a new device is pretty hard. The current one needed 10 years of development. I'm on the wait to either patch the firmware by finding the problematic byte (if it's patchable, round() needs much more), or to wait for the original dev willing to release an update on his own. BTW Claude opus got much better than ghidra lately. It's perfect.

I see the value of protected firmware updates, but business has to survive also.

Frankly: that's stupid. In case you didn't figure it out, I work in the field and I can tell you that this is was not the mindset at the places where I worked.

You can set up custom SecureBoot keys on your firmware and configure Linux to boot using it.

There's also plenty of folks combining this with TPM and boot measurements.

The ugly part of SecureBoot is that all hardware comes with MS's keys, and lots of software assume that you'll want MS in charge of your hardware security, but SecureBoot _can_ be used to serve the user.

Obviously there's hardware that's the exception to this, and I totally share your dislike of it.

+1

An unsigned hash is plenty guard to against tampering. The supply chain and any secret sauce that went into that firmware is just trust. Trust that the blob is well intentioned, trust that you downloaded from the right URL, checked the right SHA, trust that the organization running the URL is sanctioned to do so by Microsoft...

Once all of that trust for every piece of software is concentrated in one organization, Microsoft, Apple or Google, is has become totally meaningless.

I happen to like knowing that my mobile device did not have a ring 0 backdoor installed before it left the factory in Asia. SecureBoot gives me that confidence.

A few competitive online games do, but most don't. That's why nowadays so many games run great on Linux.

It's not free at all. If you buy Windows through the official channels it's quite expensive. If you buy it on the grey market, it's dirt cheap, though.

Well, the hope was always that those of us inconvenienced by M$ would all collectively contribute to making Linux distros more convenient for everyone. But we can't ever seem to get inconvenienced enough to actually sufficiently mobilize and/or coordinate such an effort.

I mean, the super-easy option would be to just use BitLocker for FDE. No hassles, just works. But I fugured since everyone here on HN hates MS I wouldn't even bring that up. Don't trust MS? Enroll yourown keys

Make sure that she setup a PKI infrastructure to manage certificate revocation as well, wouldn't want a bad grandson to mess with it.

Why would you put Grandma on VeriCrypt in the first place? It's the more 'difficult' option for FDE.

your grandma is probably fine with BitLocker....