Highguard - Concord 2.0?

  • Want to keep track of this thread?
    Accounts can bookmark posts, watch threads for updates, and jump back to where you stopped reading.
    Create account
1771899629077.png
 
Just a random little slice-of-life illustration why "Secure Boot" is horseshit and no fucking game is worth entertaining its nonsense.

I ordered a used HP EliteDesk 705 G4 DM (little bitty PC box w/a decent AMD GPU suitable for hardware video encoding, for my various sundry purposes) to join a fleet of others I've been slowly accumulating over the past few months. $70 for a 4-core Ryzen 5 w/on-silicon Radeon, 8GB RAM, 256GB SSD. Tiny form factor.

Unlike the other three I already have, this one came "locked down" from the seller and Windows 11 pre-installed. It wouldn't boot a Ventoy USB flash drive (it's a multi-boot loader thingy -- you install it on a flash drive, stuff a bunch of ISOs on it, and it gives you a handy boot menu to let you pick which ISO to use from the pile you've added), claiming it wasn't "authorized." Wouldn't boot the Debian USB/ISO either. BIOS admin password was set (and not documented either). So!
  1. Disconnect power
  2. Pop the hood
  3. Pull the CMOS battery
  4. Hold a CMOS reset button for 5-10 seconds to drain any lingering juice
  5. Move a motherboard jumper (normally shorting two pins; move it to remove the short temporarily) to force-clear BIOS admin password on next powerup
  6. Reconnect power
  7. Power on
  8. Endure post-reset lecture from BIOS
  9. Endure "intrusion detection alert" lecture from BIOS
  10. Disable Secure Boot
  11. Disable "security management console"
  12. Reboot
  13. Enter four-digit code (provided on console) to confirm disabling Secure Boot
  14. Enter four-digit code (provided on console) to confirm disabling security management console
  15. Attempt to boot from USB device, get lecture about unregistered "key"
  16. Install the key (Ventoy provides it, on-disk, lol) even though it won't be needed after this
  17. Install Debian 13
  18. Power off
  19. Replace jumper
  20. Put the case back together
  21. Boot into Debian and proceed as normal
This process took an hour. Installing Debian 13 took literally 6 minutes (I timed it). Defanging the horseshit "you don't really own me, bitch" attitude the fucker brought with it from its previous owner took the other 54 minutes. It is my computer. It will obey my commands and no others.

Nothing about Secure Boot is about securing your system or protecting yourself. None of what the machine did prior to its deactivation served me or my needs. Instead, it tried to prevent me from using my equipment as I want to. No fucking video game is worth enabling that garbage. Does any of the above process or inconvenience sound like something that's necessary to "prevent cheating"?

The big lie with Secure Boot is that your system is "safe" if some third-party with industry muscle can "vouch" that you're running an "officially-sanctioned" OS installation. The trouble is, a fully "validated" and "attested" installation of Windows 11 is still vulnerable as fuck because it's Windows -- famously insecure by default. "Oh that's cute, you've promised me via BIOS verification that your kernel image is official. Neat. So all the known/published CVEs affecting that official kernel are guaranteed to affect this fucking machine too? Great. Thanks for the reassurance."

All Secure Boot actually does is lock down a PC to run only Windows and make it harder (slightly) to run anything else on it. It was designed to make sure the streamlined 6-minute Debian installation I performed on this PC actually took an hour instead.

I still won. There's no Windows on that machine anymore, and it's running my dumb shit on it instead. I'm confident it's running the software I want it to be running, because I put it there myself. No hand-holding required, and it's a far cry more secure than Windows will ever be.

Also, fuck you HP. Quit crippling good hardware with this Microsoft-spoonfed bullshit.
 
moocow said:
Nothing about Secure Boot is about securing your system or protecting yourself.
Click to expand...
You just described yourself how Secure Boot protects you. You could not have done any of that stuff remotely. You needed physical access to the machine to change boot-level software components. It doesn't protect your hardware vendor against you, though.


moocow said:
The trouble is, a fully "validated" and "attested" installation of Windows 11 is still vulnerable as fuck because it's Windows -- famously insecure by default.
Click to expand...

You're talking about different attack surfaces, and you just broadened your low-level attack surface because you think your high-level surface has you covered.

moocow said:
So all the known/published CVEs affecting that official kernel are guaranteed to affect this fucking machine too? Great. Thanks for the reassurance."
Click to expand...

Linux CVEs: 22K
Windows CVEs: 17K
Debian CVEs: 11K
Windows 11 CVEs: 7K

moocow said:
All Secure Boot actually does is lock down a PC to run only Windows and make it harder (slightly) to run anything else on it.
Click to expand...
Most Linux distros have supported Secure Boot for about 10 years now. I don't want malware compromising my Linux kernel any more than I want it compromising my Windows installation.

moocow said:
I still won. There's no Windows on that machine anymore, and it's running my dumb shit on it instead. I'm confident it's running the software I want it to be running, because I put it there myself.
Click to expand...
Since you disabled Secure Boot, it could be running software an attacker put there by compromising your system at the kernel level (e.g. rootkit + compromised bootloader), and you would have no way to know.
 
Last edited:
How does the game's thread have more posts in it than actual players in the game?
Screenshot_20260223_191159_Chrome.jpg
 
The Ugly One said:
Most Linux distros have supported Secure Boot for about 10 years now.
Click to expand...
Sure, but not all of them have it working out of the box and involve extra steps that can cause problems during kernel updates. Of the ones that do work out of the box, they have to use shim which is its own can of worms that is far outside the point of this thread.
 
Holy fuck we've got one on the kool-aid. I haven't met a live FUD dispenser in years!

The Ugly One said:
You just described yourself how Secure Boot protects you. You could not have done any of that stuff remotely. You needed physical access to the machine to change boot-level software components. It doesn't protect your hardware vendor against you, though.
Click to expand...
It didn't "protect" me. It inconvenienced me. It got in the way of running the software on the unit that I wanted to run on it. I own it. I'm in physical control of it. It obeys me, not the other way 'round.

The Ugly One said:
You're talking about different attack surfaces, and you just broadened your low-level attack surface because you think your high-level surface has you covered.
Click to expand...
You mean the "low-level" attack surface that was so "secure" it just offered to load and accept the key stored on the device it was refusing to boot because it didn't recognize the key by default? Boy I'm in real trouble if that's my low-level door lock.

The Ugly One said:
Linux CVEs: 22K
Windows CVEs: 17K
Debian CVEs: 11K
Windows 11 CVEs: 7K
Click to expand...
And every one of them affects every system whether "Secure Boot"-encumbered or not. Whoops. And you're not really going to argue Windows is more secure than Linux, are you? Because I don't have the energy for that kind of laughter tonight.

The Ugly One said:
Most Linux distros have supported Secure Boot for about 10 years now. I don't want malware compromising my Linux kernel any more than I want it compromising my Windows installation.
Click to expand...
Then don't install malware or allow unauthorized persons to use your equipment. Secure boot prevents neither of these. It also does nothing to stop malware that doesn't touch the kernel.

The Ugly One said:
Since you disabled Secure Boot, it could be running software an attacker put there by compromising your system at the kernel level (e.g. rootkit + compromised bootloader), and you would have no way to know.
Click to expand...
The Debian 13 netinst image (as of this writing) is not infected with any known malware or other rootkit. Nice try though.

This reminds me of when any time you booted a Windows Server 2002 installation CD on an internet-connected system to install a server, it was literally infected with a rootkit before the installation was finished. But nah, Windows is super-secure and I'm sure Secure Boot would have totally protected against that. Oh wait. No it wouldn't. It was an official image running an official kernel. That slime would have oozed straight through anyway.

Fuck literally any "security measure" endorsed by Microsoft and foisted onto hardware vendors. Fuck it deep and hard, and fuck every asshole who gobbles their cocks for trying to foist it on us.

Oh, and also, "protects games from cheaters" how, again?
 
Day of the Cope said:
Sure, but not all of them have it working out of the box
Click to expand...

The ones that 90% of enterprises use do. The niche distros that serve no purpose other than enable the user to brag about using Linux don't. Any CISO who approves Arch should be fired.

Day of the Cope said:
and involve extra steps that can cause problems during kernel updates. Of the ones that do work out of the box, they have to use shim which is its own can of worms that is far outside the point of this thread.
Click to expand...

Yes, securing your computer involves extra steps compared to just leaving your front door open.

moocow said:
It didn't "protect" me. It inconvenienced me.
Click to expand...

You literally described how it was impossible to modify boot-level binaries without being able to physically manipulate your machine, something no malware can do.

moocow said:
And you're not really going to argue Windows is more secure than Linux, are you? Because I don't have the energy for that kind of laughter tonight.
Click to expand...

You brought up CVEs, not me.

moocow said:
Then don't install malware
Click to expand...

Ah yes. The foolproof way of securing a system.

moocow said:
And you're not really going to argue Windows is more secure than Linux, are you? Because I don't have the energy for that kind of laughter tonight.
Click to expand...

Given that you don't know what Secure Boot does and think "just don't install malware bro" is foolproof security, I don't think you're even capable of having this argument.

moocow said:
Fuck literally any "security measure" endorsed by Microsoft and foisted onto hardware vendors.
Click to expand...

Secure Boot is also on Apple silicon and Power, which don't support Windows. Cybersecurity isn't a Microsoft conspiracy to stop you from running some crumbly hobbyist distro on your $300 micro PC.
 
Last edited:
The Ugly One said:
Secure Boot is also on Apple silicon and Power, which don't support Windows. Cybersecurity isn't a Microsoft conspiracy to stop you from running some crumbly hobbyist distro on your $300 micro PC.
Click to expand...
Secure Boot was literally developed by Microsoft, Intel and AMD via the UEFI Forum (and preceding that, the Intel Boot Initiative), you disingenuous faggot. One of its first major goals was to make it harder for Linux to boot on "secure" hardware and it was broadly criticized for that from the outset. The EU only chose not to fine Microsoft for antitrust violations because of their eventual promise to "allow" users to disable the feature (how "gracious" of them, right?), the neutered feds considered (but abandoned -- thanks Obama) further antitrust action, and plenty of other vendors raised complaints too.

Suck Microsoft's cock all you like. Secure Boot stays off my systems.
 
I posted this in another thread, but figured I'd post it here, too.
This has to be one of the worst fucking attempts at shilling this game I've ever seen. Ignores all the technical issues and hypes up all the "potential". This comment really sums up how I feel about all this:
1771933311154.png
 
Last edited:
You must log in or register to reply here.
Back
Top Bottom