It’s almost as if the “aRtIfiCiAl iNtElLiGenCe” is as big a cult as blockchain is, isn’t it?
Blaster Master was an underrated metroidvania. I’m a little bummed they didn’t mention that in the article.
Most games were never made to be modded. The communities are hacking mods into these games, many of which were even designed to make modding harder. (Because mods compete against sequels or something? I dunno. Intellectual property is a mental illness.) It’s not terribly surprising that games that weren’t meant to be modded have confusingly inconsistent methods for loading mods. Because those mods work fundamentally differently from game to game. If a mod happens to be easy-ish to install, chances are it’s either quite a simple mod (a model/texture replacement or some such, or just something that’s not terribly hard to mod) or a lot of work has been put into making it easier.
My solution is scp with termux. I can’t suggest any better alternative.
I wasn’t saying anything about who bears “fault”. My aim with that post (and honestly all the posts I’ve made in this thread) was about understanding the details of the vulnerability well enough for folks to be able to ascertain a) whether they’re affected and b) how to remediate.
About “fault”, I’m not sure I really agree that’s the best way to talk about these things in general unless they did them purposefully. (WEI, for instance, was malicious bullshit. But I don’t have any particular reason to think in this specific situation Microsoft didn’t handle responsible disclosure properly or anything.)
Clearly Microsoft made a boo boo in choosing to trust the vulnerable tools in the first place, but vulnerabilities are inevitable.
I’ll definitely say I don’t consider Microsoft “trustworthy” enough to protect my stuff. If only because Microsoft stuff is bloated and has a huge amount of attack surface. But also because their history makes it clear they’ll perpetrate really shitty things against their users on purpose. The former could only really be addressed by them slimming down their technology stack. The latter by abolishing the profit motive.
And also, in general UEFI is apparently a cluster fuck of poor, buggy implementations. So there’s that.
In all, this one doesn’t strike me as terribly high on the “blameworthy” meter unless you just consider it a symptom of Microsoft being assholes, which is undeniably true.
Yes! Screen capture! Standardize it! Standardize it! Then get FFMPEG and Zoom to adopt the new standard!
Also, that Simon guy sounds like a good and nice guy.
Uninstall it and make the world a slightly better place?
They don’t even have to be signed…
Yeah. My understanding is that Microsoft has signed several tools made by other companies that boot as UEFI PE executables and aren’t supposed to allow loading arbitrary (including unsigned and malicious) UEFI PE binaries, but due to security vulnerabilities in the tool, they’ll load any old UEFI PE binary you give them.
The payload/malicious UEFI PE binaries don’t have to be signed. But the third-party tools that contain the vulnerabilities have to be signed by a signer your UEFI firmware trusts. (And the tools are signed by Microsoft, which your UEFI firmware almost definitely trusts, unless you’ve already applied a fix).
(And I don’t know exactly what sort of tools they are. Maybe they’re like UEFI Shell software or something? Not sure. Not sure it matters that much for purposes of understanding the impact or remediation strategy for this vulnerability.)
The fix, I’d imagine, is:
Now, I’m not 100% sure if there needs to be yet another step in there where individual users explicitly install/trust the replacement certs. Those replacement certs are signed by Microsoft’s root certificate, right? As long as all the certificates in the chain from the root certificate down to the signature are included with the UEFI PE binary, the firmware should be able to verify the new binary? Or maybe having chains of certs is not how UEFI PE binaries work. Not sure.
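The comments above talk about “revoking trust” in the signed-but-vulnerable tools. As an added illustration (not code from the thread or from Microsoft), the block below assumes that such a revocation lands as entries in the UEFI forbidden-signature database (dbx), which is a concatenation of EFI_SIGNATURE_LIST structures, and shows how to parse that layout and check whether a given PE binary’s Authenticode SHA-256 hash has been revoked; the owner GUID and hashes are constructed sample data.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")


def parse_signature_lists(blob: bytes):
    """Yield (type_guid, owner_guid, data) for every entry in a blob laid out
    like the db/dbx variables: back-to-back EFI_SIGNATURE_LIST structures, each
    a 28-byte header (type GUID, list size, header size, signature size),
    an optional header, then fixed-size (owner GUID + data) entries."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        pos, end = off + 28 + hdr_size, off + list_size
        if sig_size < 16 or (end - pos) % sig_size:
            raise ValueError("bad SignatureSize")
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def build_sha256_list(owner: uuid.UUID, hashes) -> bytes:
    """Build one EFI_SIGNATURE_LIST of EFI_CERT_SHA256 entries (used here only
    to construct test data; real dbx contents come from the firmware)."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    hdr = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + 32)
    return hdr + body


def is_revoked(dbx: bytes, pe_hash: bytes) -> bool:
    """True if the binary's Authenticode SHA-256 hash is listed in dbx."""
    return any(t == EFI_CERT_SHA256_GUID and d == pe_hash
               for t, _, d in parse_signature_lists(dbx))


# Constructed sample data: an owner GUID and hashes standing in for real tools.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
REVOKED_HASH = hashlib.sha256(b"constructed: vulnerable signed tool").digest()
OTHER_HASH = hashlib.sha256(b"constructed: unrelated binary").digest()
SAMPLE_DBX = (build_sha256_list(OWNER, [REVOKED_HASH])
              + build_sha256_list(OWNER, [hashlib.sha256(b"constructed: second tool").digest()]))
```

On a Linux machine with Secure Boot the real dbx can be read from the EFI variable store and fed to the same parser, with the first four bytes (variable attributes) stripped; the two constructed hashes only stand in for whatever hashes or certificates a vendor’s revocation update actually carries.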
Here is an example of something similar that disables Windows Platform Binary Table…(I’m not advocating that anybody actually use this).
Yuck. Thanks for letting me know of that. I’m still firmly in the “learning” phase when it comes to this UEFI stuff. It’s good to be aware of this.
As drspod said, no, Linux is not invulnerable. For Linux users using legacy BIOS boot or using UEFI but not secure boot, this vulnerability doesn’t make anything any more insecure than it was already. But any user, Linux or Windows, who is affected by this vulnerability (which is basically everyone who hasn’t revoked permissions to the Microsoft keys in question), if they’re using secure boot, no they’re not. (That is to say, they can no longer depend on any of the guarantees that secure boot provides until they close the vulnerability.)
If I’m understanding what I’ve been able to glean about this just by googling, it looks like the vulnerability is in certain tools that Microsoft has decided to sign with some of its UEFI secure boot keys. It’s not a vulnerability in your UEFI firmware itself, except insofar as your UEFI firmware comes already configured to trust Microsoft’s certificates. So even though the vulnerability isn’t in your UEFI firmware per se, the fix will require revoking trust to keys that are almost definitely pre-installed in your UEFI firmware.
I imagine sabots would do pretty well against graphics cards.
I… doubt it?
I took the liberty of looking in the developer tools as it failed, and there was a 500 response. The connection to Hulu’s servers was all over HTTPS and I didn’t get any certificate warning, so unless my ISP managed to get Hulu’s private key or got with a corrupt registrar willing to issue a valid replacement certificate, no ISP should be able to change response codes on a man-in-the-middle basis or a redirecting-traffic-to-a-hostile-server basis.
And given how many people have reported issues, I doubt it’s specific to any particular ISPs.
Net neutrality being dead is a huge bummer, but I don’t think this can be blamed on that.
Hot take: BotW > TotK
So it would be pretty hard for them to hide a backdoor or something??
Yeah, I’m planning to switch from Arch to Gentoo. Systemd isn’t the only reason, but it’s a big one.
(Yes, I know about Artix, but it’s… kind of a Frankenstein’s monster, still mostly depending on the Arch repos and still with certain relics of Systemd. Or at least it was when I last tried it.)
I’m literally in the process of switching my main from Arch to Gentoo now. (Yes it’s taking a while.) And I intend to be even more smug. Bwahahaha!
Too little too late. The damage is already done.
And even on that page, they’re still being assholes about Open Source (“Our use of the term ‘open source’ thus far has been not out of carelessness, but out of disdain for OSI approved licenses which nevertheless allow developers to be exploited by large corporate interests.”) while pretending what they’ve done with the FUTO license is some boon to consumer rights (“Fundamentally, our goals are to build great products that don’t abuse people, beat the tech oligopoly, and elevate the rights of programmers developing software that has source code open to public scrutiny and tinkering.”). And they’re still not dropping the effort to dilute the term “Open Source” (“The OSI, an organization with confidential charter members and large corporate sponsors, does not have any legal right to say what is and is not ‘open source’. It is arrogant of them to lay claim to the definition.”).
Also, just as an aside, as page that the words “legal right” in that last quote link to says, the OSI attempted to trademark “Open Source.” I’m not sure why FUTO seems to think the same reasons why the “Open Source” trademark was rejected won’t apply just as much to the term “Source First” (but they do seem to think that: “we will be making our own term and trademarking it.”)
To speak of AI models being “made public domain” is to presuppose that the AI models in question are covered by some branch of intellectual property. Has it been established whether AI models (even those trained on properly licensed content) even are covered by some branch of intellectual property in any particular jurisdiction(s)? Or maybe by “public domain” the author means that they should be required to publish the weights and also that they shouldn’t get any trade secret protections related to those weights?
Can you name any real-world examples of this happening?
Actually, I can. I know before Minetest (a FOSS Minecraft clone (they’d bristle at being called that, but anyway) that has since renamed itself to “Luanti” - I recommend it, actually) officially supported Android, somebody ported it to Android (I don’t remember what they called the clone) and put it on the play store for money. Now, Minetest wasn’t under a copyleft license, so the clone wasn’t even FOSS (nor was it legally required to be.) I don’t remember any malware being involved. The Minetest community did all heave a collective groan when a wave of clueless people who didn’t realize it was FOSS started joining Minetest servers. People in the Minetest community definitely resented the clone. But beyond that, no real harm came to the game or its players. Some folks paid for an Android Minetest client that didn’t afford them the freedoms guaranteed by the Free Software Definition or Open Source Definition, but at the time the official Minetest client didn’t support Android. Aside from that, I don’t know of any harm that came from any of that. And had Minetest been under a copyleft license, even less harm would have come of that.
Also, in practice, anyone who’s only out to get a quick buck is going to either avoid copylefted code like the plague or just blatantly violate the terms of the license. They’re unlikely to actually put forth the effort to compose a proper GPL compliance plan. (In fact, the ongoing U.S. court case “SFC v. Vizio” is very apropos. Vizio is named as a defendant in that suit specifically for blatantly violating the terms of the GPL. Specifically the copyleft portions.)
And if someone who does just want to make a quick buck clones some GPLd code and sells it in compliance with the license, I’m still not convinced that does anyone any harm. The GPL was also designed with non-programmer empowerment in mind, specifically allowing the use case where if a non-coder wants a feature added to a piece of GPL’d code, they can commission a coder to add it. But I’m not sure the Grayjay license would allow that even if it would allow one to make changes themselves noncommercially.
I dunno. You seem to be really hung up on “contributing nothing”. And mind you, I don’t think that’s uncommon. That’s a big part of the whole “post-open-source” thing Perens is involved with these days. If FOSS as a whole was floundering right now in a way that money could solve, I maybe could get on board with the idea that there might be improvements that could be made to the existing FOSS paradigm. (Though something like legally-preserved nag screens in source-available software seems at best a clueless and ham-handed approach to that problem.)
Much more concerning to me is that software respect users’ rights. I mostly won’t use software I don’t feel I can trust (either legally or security-wise.) And FOSS is software I can virtually always trust. When I’m publishing software, I do so under the AGPL v3 because I kinda don’t care if anyone sells it. (Though they can always get a free version from my GitLab (yeah, I switched to GitLab before Codeberg was a thing).) I do care if someone distributes (for money or gratis) my code in a way that doesn’t afford the end user the four freedoms. Which is why I use AGPL v3 over other options like non-copyleft FOSS licenses or noncommercial licenses.
And, just to repeat this, again, I’m not angry at FUTO for releasing their code under non-FOSS licenses. That’s enough to make me not want to use their software. But not enough to make me resent them the way I do. The anger is at the way they’ve been sabotaging Open Source to the best of their ability while misrepresenting themselves as consumer rights advocates.
Yeah, more like “cringe deez nuts.”