• Optional@lemmy.world
    link
    fedilink
    English
    arrow-up
    57
    arrow-down
    5
    ·
    5 months ago

    To this day, key players in security—among them Microsoft and the US National Security Agency—regard Secure Boot as an important, if not essential, foundation of trust in securing devices in some of the most critical environments, including in industrial control and enterprise networks.

    You dare question a monopoly corporation and the spymasters of this country??

    (/s)

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      17
      ·
      5 months ago

      industrial control and enterprise networks

      That’s doing a lot of work here.

      Yes, it’s important in certain situations, but for consumer devices, it’s just another thing that can go wrong when using alternative operating systems. Regular users don’t have the physical risk these other systems do, and making it more difficult for users to install more secure operating systems goes against the bigger threat.

      Linux is compatible with Secure Boot (source: I exclusively run Linux, and use Secure Boot on my systems), but some distros or manufacturers screw it up. For example, Google Pixel devices warn you about alternative ROMs on boot, and this makes GrapheneOS look like sketchy software, when it’s really just AOSP with security patches on top (i.e. more secure than what ships with the device). The boot is still secure, it’s just that the signature doesn’t match what the phone is looking for.

      It’s just FUD on consumer devices, but it’s totally valid in other contexts. If I was running a data center or enterprise, you bet I’d make sure everything was protected with secure boot. But if I run into any problems on personal devices, I’m turning it off. Context matters.

    • Bjornir
      link
      fedilink
      English
      arrow-up
      1
      ·
      5 months ago

      Microsoft a key player in security ?

    • capital@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      21
      ·
      5 months ago

      Yes, surely randoms on Lemmy know better than Microsoft and the NSA in regards to security.

      • Optional@lemmy.world
        link
        fedilink
        English
        arrow-up
        23
        arrow-down
        5
        ·
        5 months ago

        Oh anyone who doesn’t trust Microsoft with their life is a complete idiot. And the NSA only illegally spied on everyone until Bush the II made it legal! So of course we should unquestioningly follow their configuration guides. I mean - haha - we don’t wanna get disappeared! Haha ha. Not. Not that that’s ever happened. That we know of. For sure. Probably.

        • capital@lemmy.world
          link
          fedilink
          English
          arrow-up
          12
          arrow-down
          11
          ·
          5 months ago

          in regards to security

          in regards to security

          in regards to security

          in regards to security

          Just wanted to make sure you saw it this time because you went off on a tangent there.

          • azuth@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            16
            ·
            5 months ago

            It doesn’t matter if they know about security (which they do). A burglar could know about locks and home security systems, would you take his advice?

            Their positions on security of others is dismissed on grounds of trust not of competence.

            • mriguy@lemmy.world
              link
              fedilink
              English
              arrow-up
              8
              ·
              edit-2
              5 months ago

              The NSA has two jobs.

              The first is to break into any computer or communications stream that they feel the need to for “national security needs”. A lot of leeway for bad behavior there, and yes, they’ve done, and almost certainly continue to do, bad things. Note that in theory that is only allowed for foreign targets, but they always seem to find ways around that.

              The second, and less well known, job is to ensure that nobody but them can do that to US computers and communications streams. So if they say something will make your computer more secure, it’s probably true, with the important addition of “except from them”.

              I won’t pretend I like any of this, but most people are much more likely to be targeted by scammers, bitcoin miners, and ransomware than they are by the NSA itself, so in that sense, following the NSA’s recommendation here is probably better than not.

              • azuth@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                4
                ·
                5 months ago

                Exploits don’t care if you are actually the NSA or not. The NSA certainly knowns that yet they keep exploits secret at least from the public.

                They have argued for key escrow for God’s shake.

                They are primarily an intelligence agency. If you are not likely to be targeted by the NSA you are also unlikely to be targeted by any of their adversaries. They don’t give a shit if you get scammed, they are not the FBI, who also keep secret exploits and are anti-encryption.

                Additionally using their “best” exploits on more simple targets still poses a risk to them being discovered and fixed. Therefore it’s beneficial to them for everybody’s security to be compromised. It also provides deniability.

                • sugar_in_your_tea@sh.itjust.works
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  5 months ago

                  Right. Their advice for the general public is a mix of “best practice” and risk. If an exploit is not actively exploited in the wild, they’ll probably sit on it for intelligence purposes and instead recommend best practices (which are good) that doesn’t impact their ability to use the exploit.

                  So trust them when they say do X, but don’t take silence to mean you’re good.

            • Emerald@lemmy.world
              link
              fedilink
              English
              arrow-up
              4
              ·
              edit-2
              5 months ago

              A burglar could know about locks and home security systems, would you take his advice?

              If they were an expert burglar, I might

              Source: I’m an expert burglar and all of the others on my burglar crew are very helpful when people ask about home security stuff.

              • azuth@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                4
                ·
                5 months ago

                Do you have any evidence those two people are still committing burglaries? The NSA is not an ex-intelligence agency.

              • sugar_in_your_tea@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                2
                ·
                5 months ago

                I get my advice from LockPickingLawyer on YouTube. He’ll demonstrate the weaknesses of various locks, and say which to avoid and which are probably okay (“okay” is a really strong recommendation from him). He’ll still break into really secure locks in <2 min, but he’ll describe the skills necessary to break in and let you decide on what your threat level.

                Basically, as long as it’s bump and bypass resistant, you’re good. Burglars aren’t going to pick locks, they’ll either break a window or move on if the lock stops them. A good lock doesn’t keep out a burglar, it just slows them down enough that they’ll give up.

                So yes, get advice from people who have the skills to break the protection they’re recommending, they’ll be able to separate things into threat categories. If you want OPSec advice, visit black hat hacking forums and whatnot, you’ll get way better advice than sticking with the normie channels.

      • Cosmicomical@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        1
        ·
        5 months ago

        Security is the last thing NSA and Micro$oft care about. NSA wants to be sure they can do all they need to with your devices, and M$ just wants to discourage you from switching to linux.