>2015
>open sores shitware
Microsoft Windows master race. Lincucks btfo.
http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html
>authentication by your bootloader
literally says right there it's already been patched
if this was a closed source system, how would you even know? or contribute your own solution?
oh wait, you couldn't because it's up to the maintainer of the closed source software to do that
>>51904479
So? Muh open source, muh everyone can study the source and shit
>then there's shit like this that goes unnoticed for /seventeen/ fucking years
If you have access to the bootloader, you have physical access to the system
Nothing can stop a determined intruder with physical access to the system unless the box is inside a bank vault and the terminal's on the other side of the wall or something
>using the bootloader to secure access to the OS
if you do this, you are retarded
>still using grub like some ubuntu user
topcuck, stay pleb
>>51904344
So? From the looks of it, you can only exploit it by being in front of the system. Considering /g/ probably doesn't share their computer I don't think it will matter. I'm not even going to bother patching this.
also
>using grub
>2015
>>51904604
>>51904344
samefagging this hard...
>>51904689
how can I into dual booting without grub?
>>51904969
https://wiki.archlinux.org/index.php/Boot_loaders
Any of these are good options (minus grub)
personally rEFInd is my waifu
>>51904689
you have no idea how easy it is to walk into a building and gain access to a local device.
In a business this would be a big security issue. However nobody gives a fuck about your midget porn collection at home.
>2015
>not having full disk encryption
>>51905023
>in a business this would be a big security issue
If you are using a GRUB password as your sole protection, then YOU are the security issue.
>>51905054
I was just giving a scenario. If grub was installed they are most likely using multiple operating systems.
Chances are a windows/linux combination.
It would easily be possible to steal the windows password and install a rootkit, if grub had a password protection for a security measure and left vulnerable it would be possible to the person breaking into the system to bypass it.
At no point however in what I said did I mention it being the sole protection. If you want to argue something don't make assumptions and put words into other peoples mouths. Are you a politician in training or something?
>>51904344
top kek
>>51905093
>It would easily be possible to steal the windows password and install a rootkit, if grub had a password protection for a security measure and left vulnerable it would be possible to the person breaking into the system to bypass it.
How would that be any less secure than a straight Windows install? At least GNU/Linux distros use FDE. Windows "Passwords" have been laughably insecure for a very long time.
>>51904344
>sudo apt-get update
oh would you look at that, debian already released security patches for grub.
If this was on windows, you would never even have known about the exploit
>>51904344
Syslinux.
Problem solved.
>>51905309
>If this was on windows, you would never even have known about the exploit
fuck you, faggot. I hope you die in a hail of gunfire and damnation. You're a real peace of shit turbo artist. Go rape a cow faggot.
>>51905265
If the bios has been blocked with a password and its boots to grub which also has a password.
Sure you can reset the bios by taking out the battery for a while but a guy randomly opening a pc in the middle of an office has more chance of being caught than a guy who just sits at the desk.
You get onto the bootloader and it has a password, you want to change it so you can add a usb to the boot list. You bypass the password, add the usb to the list. Use the software to steal the windows password and logon,install rootkit. Or just boot into your own o/s and install a rootkit that way, what ever way you want to do it.
It's not hard to think of these scenarios. At the end of the day you would rather have access to the windows partition than the linux as most likely the domain will be a windows domain and a locked down linux is more of a pain to gain admin rights than windows.
>>51905354
terrible bait
>>51905007
mein nigger, I include rob smith in my prayers before I sleep.
>>51904969
use it anon
http://www.rodsbooks.com/refind/
documentation might scare you at first, read a few times, before proceeding to install it. IF you still find it hard, just install it from windows by pasting about 7 commands in the command prompt
>>51904344
I dont get it. Was the purpose of this thread to imply that closed source operating systems don't have vulnerabilities and backdoors?
>>51905533
based! im running that theme
>to lazy to find minimalist android and arch icons
>Wangblows users reading the user agreement ever
https://www.youtube.com/watch?v=CrvKyR9DGUY
If you did and still use it you are the definition of the c u c k word
>>51905550
Yes, it's low quality bait. /v/ users love doing this every time a bug is found in free software.
>>51905603
pic is the one in the github page of the theme not mine, but the arch icon came with the default repo
>>51905637
Awesome thank you
this is about as enlightening as a security bulletin that says you can clear most bios passwords by using the cmos clear jumper, or that one can use chntpw to clear windows passwords
>>51905533
>>51905603
Is this a grub theme?
I've been wanting to rice my boot screen even tho it only appears for 2 seconds every several weeks.
>>51905745
https://github.com/EvanPurkhiser/rEFInd-minimal
No its for the rEFInd bootloader, grub should be considered legacy now and avoided, there are better alternatives.
Burg was a project to give grub a similar themeable gui but its dead now
uh, last i checked the windows bootloader has no authentication system, so why are you touting superiority here?
>>51904520
You're point is what? I have 138 Windows 10 zero days piled up vs 4 for Linux and those were a real pain to implement. Server 2008 left me with 452 unpatched over the years. Closed source security is a joke.
>>51905786
>UEFI
kill yourself
>>51905911
>le new stuff is the devil meme
uefi is objectively better
>>51905031
This
and
>>51904569
This, why do people complain about these stuff when there is already a better and foul proof security available to them?
>>51904569
I think OP believes this will grant full access to whichever OS you decide to boot into. I wasn't even aware you could set up password authentication for Grub. I guess I learned something new today.
>>51906018
>I wasn't even aware you could set up password authentication for Grub.
this, but at the same time i'm not surprised, grub had plugins/modules for all kinds of things
unlike the windows bootloader, which doesn't even HAVE an authentication system to compare to
it's funny how the article goes on to get a root shell and make some changes, as if that has anything to do with grub whatsoever (the moment the kernel is executed, grub is done and out of the picture)
>>51905834
>You're point is what? I have 138 Windows 10 zero days piled up
Are u le security researcher man?
>>51904344
This is the shittiest shitpost I've seen on here in a while. Your home country would be proud Rajeesh.
Shit bait desu, it appears /v/'s cancer has spread again.
Who the fuck doesn't have full disk encryption in linux in the year 2015?
>>51904344
Remember how you used to be able to bypass login on Windows 95/98?
>>51904520
>unnoticed for /seventeen/ fucking years
2015 - 2009 = 17?
Better practice that math skills.
>using grub
found your problem.
SYSTEMD WILL TAKE OVER THE WORLD
>>51906018
>>51906214
I dont think thats what the article means, the recovery shell is giving the root access to the filesystem, i dont think grub has any authentication (i dont think it makes much sense to have it anyway)
>>51907475
Not OP but I am a employed vulnerability researcher.
My advice is to avoid windows but linux is not perilously friendly to idiots.
>>51910719
the issue with grub is about dropping to its internal recovery shell, and using its functionality to bypass a normal mode authentication module
past that is unrelated to grub entirely, this issue or otherwise
the only way to protect a filesystems' contents *locally* is via encryption
this is an interesting find, but useless, a bootloader password is about as useful as a bios password, usually even less so
grub is also about the only bootloader to even have this feature, so shitting on grub for it not being secure is silly, it's like comparing an easily picked lock on a door to a door with no lock at all
>>51910796
i totally agree obviously. Bootloaders i guess are misinterpreted as a locked gate to the OS(as demonstrated by this thread)
>>51904344
at least read it before you post
>>51904344
>authenticating by the bootloader
your NSA/wangblows can do that, right?
Because my Gentoo GNU/Linux can, and does not have this problem. Withess the power of open source, fgt. Pic related.
>>51905093
if you do not use FDE and think you're secure, regardless of OS, then you're a fucking idiot.
abort yourself
>>51910726
b-but muh games!
>>51910796
> dropping to its internal recovery shell, and using its functionality
It's hardly possible. If you don't have an encryption, you're screwed anyway. If you store private keys on unencypted /boot (and it should be unencrypted to boot), you don't have an encryption.
Yes, it's possible to sneak into a server room, boot to a recovery shell with this exploit and do dd if=/dev/zero of=/dev/sda, but... Isn't it faster to pull out disks and use a hammer?
Why use grub when you can dualboot with uefi bios? (yeah lol, imply that you hare enough stupid to install windows.)
>Windows
all the best proprietary software + windows binaries of Gannoo/linsucks programs + cygwin
>Gannoo/linsucks
no proprietary software, broken gpu drivers, broken wine emulation
linux is a meme guys and only autistic sperglords insist on using it full time as a desktop OS
>>51912807
Don't forgot, donating cpu&gpu time to American Agency. Only real American patriots can understand this satisfaction.
>>51913099
>being this butthurt about being saved from TERRORIST attacks
also checked
>>51905360
Why would a business keep a computer with sensitive info accessible to the public? Why would that computer have 2 OS installed? Why would they use GRUB with a password? Why wouldn't they use a BIOS pass if that computer has sensitive info and is easily accessible to the public.
>It's not hard to think of these scenarios
Sure if you create a perfect scenario where this could be exploited in a world where updating your system is not possible you would be right.
>>51904344
>using grub2
>for authentication