Author Topic: 270 Gigabyte mainboards affected by insecure downloader in UEFI  (Read 2463 times)


Offline madires (Topic starter)

  • Super Contributor
  • ***
  • Posts: 7876
  • Country: de
  • A qualified hobbyist ;)
The insecure downloader is part of the UEFI firmware and is run at each Windows startup. It's a good idea to disable “APP Center Download & Install” in the UEFI setup and also to set a BIOS password.

Supply Chain Risk from Gigabyte App Center Backdoor: https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/
 
The following users thanked this post: SiliconWizard

Offline Infraviolet

  • Super Contributor
  • ***
  • Posts: 1058
  • Country: gb
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #1 on: June 05, 2023, 01:49:58 am »
Yet another reason why computers ought to be manufactured with a hardware switch or jumper which blocks any changes to UEFI/BIOS/firmware unless it is physically pressed by the user.
 
The following users thanked this post: MMMarco

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 4000
  • Country: au
  • Cat video aficionado
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #2 on: June 05, 2023, 03:48:20 am »
Yet another reason why computers ought to be manufactured with a hardware switch or jumper which blocks any changes to UEFI/BIOS/firmware unless it is physically pressed by the user.

It's what happens when MS believes that the OS owns the boot sector, not you.
iratus parum formica
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 6860
  • Country: pl
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #3 on: June 05, 2023, 06:58:26 am »
Yet another reason why computers ought to be manufactured with a hardware switch or jumper which blocks any changes to UEFI/BIOS/firmware unless it is physically pressed by the user.
Not gonna work with idiots.

Which is why I insist that nobody in the industry should feel sorry for idiots and try to help them with anything other than teaching not to be idiots, if they can. Nor sell anything to idiots specifically. Steve Jobs was as much a disaster to computing as Hitler was to Europe.

It's what happens when MS believes that the OS owns the boot sector, not you.
I remember times MS didn't give a fuck. If anything, they cared about MAFIAA.

MS has always been about copying competitors and outdoing them. Hence, they only really went all out nuts when Rotten Fruit and Goolag showed them the way.
« Last Edit: June 05, 2023, 07:01:28 am by magic »
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 6860
  • Country: pl
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #4 on: June 05, 2023, 07:04:41 am »
It's a good idea to disable “APP Center Download & Install” in the UEFI setup and also to set a BIOS password.
It's also a good idea to stay away from UEFI. It's a neverending shitshow.
 

Online Nominal Animal

  • Super Contributor
  • ***
  • Posts: 6431
  • Country: fi
    • My home page and email address
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #5 on: June 05, 2023, 06:25:03 pm »
The "You own nothing" world is already here, and has been for quite a while, eh?

Access, possession, having use of ≠ ownership.
 
The following users thanked this post: MMMarco

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14681
  • Country: fr
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #6 on: June 05, 2023, 09:14:43 pm »
The "You own nothing" world is already here, and has been for quite a while, eh?

Access, possession, having use of ≠ ownership.

Yes, and it's happening with most people seemingly not caring whatsoever.
 

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 4000
  • Country: au
  • Cat video aficionado
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #7 on: June 05, 2023, 09:38:15 pm »
The "You own nothing" world is already here, and has been for quite a while, eh?

Access, possession, having use of ≠ ownership.

Yes, and it's happening with most people seemingly not caring whatsoever.

Why indeed would you want to own a Gigabyte mobo that lets whomever wedge whatever crapware into the bootup process?
iratus parum formica
 

Offline madires (Topic starter)

  • Super Contributor
  • ***
  • Posts: 7876
  • Country: de
  • A qualified hobbyist ;)
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #8 on: June 06, 2023, 09:02:34 am »
Gigabyte's answer:

GIGABYTE Fortifies System Security with Latest BIOS Updates and Enhanced Verification: https://www.gigabyte.com/us/Press/News/2091
 

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14681
  • Country: fr
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #9 on: June 06, 2023, 08:11:32 pm »
Gigabyte's answer:

GIGABYTE Fortifies System Security with Latest BIOS Updates and Enhanced Verification: https://www.gigabyte.com/us/Press/News/2091

Hopefully it does even more "calling home" than the previous version. ;)
 

Offline MMMarco

  • Regular Contributor
  • *
  • Posts: 69
  • Country: ch
  • Hobbyist. ⚠️ Opinionated
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #10 on: June 06, 2023, 09:06:31 pm »
Steve Jobs was as much a disaster to computing as Hitler was to Europe.

I urge you to take back that statement. Do you realize how silly this makes you look?

Maybe you know about what Hitler did, but I spent a considerable time researching what happened during that time.

Not to be a moral apostle but you shouldn't make comparisons you don't understand.

Really, really unnecessary inclusion of the person Hitler.
27 year old Software Engineer (mostly JavaScript) from Switzerland with a taste for low level stuff like electronics 😊

 

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 4000
  • Country: au
  • Cat video aficionado
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #11 on: June 06, 2023, 09:08:40 pm »
It wasn't Steve Jobs. It was Bill Gates.
iratus parum formica
 

Offline MMMarco

  • Regular Contributor
  • *
  • Posts: 69
  • Country: ch
  • Hobbyist. ⚠️ Opinionated
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #12 on: June 06, 2023, 09:24:02 pm »
The "You own nothing" world is already here, and has been for quite a while, eh?

Access, possession, having use of ≠ ownership.

Yeah it's quite sad. The thing that makes me angry is that the same applies to software as well.

A good (and recent) example would be EAGLE. I wanted to buy their software but not for a subscription.

It's just insanity that promotes companies to not improve their software but cash-in every month or so.

Before subscriptions were a thing, companies would actually need to make substantial improvements to their software for customers to upgrade.

Subscriptions are OKAY if you need the support etc., but not for tools you don't need or want the assistance.
« Last Edit: June 06, 2023, 09:26:18 pm by MMMarco »
27 year old Software Engineer (mostly JavaScript) from Switzerland with a taste for low level stuff like electronics 😊

 

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 4000
  • Country: au
  • Cat video aficionado
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #13 on: June 06, 2023, 10:18:39 pm »
The "You own nothing" world is already here, and has been for quite a while, eh?

Access, possession, having use of ≠ ownership.

Yeah it's quite sad. The thing that makes me angry is that the same applies to software as well.

A good (and recent) example would be EAGLE. I wanted to buy their software but not for a subscription.

It's just insanity that promotes companies to not improve their software but cash-in every month or so.

Before subscriptions were a thing, companies would actually need to make substantial improvements to their software for customers to upgrade.

Subscriptions are OKAY if you need the support etc., but not for tools you don't need or want the assistance.

The idea from a business standpoint is to have a steady influx of cash to pay for on-going development rather than say, three yearly major version updates. That's the theory anyway. The real problem for users of software packages such as circuit designers is that most, if not all, users absolutely do not want something that morphs every other week.

Redhat has a proven working model of offering simultaneous approaches and the user base of each is a fairly even mix. Forcing the subscription model down everyone's throats looks great on monthly managerial report cards but it just annoys its users in a segment that requires stability.
iratus parum formica
 

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14681
  • Country: fr
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #14 on: June 06, 2023, 10:19:19 pm »
Steve Jobs was as much a disaster to computing as Hitler was to Europe.

I urge you to take back that statement. Do you realize how silly this makes you look?

Was it even worth replying to? :-DD
magic keeps trolling, and you never quite know when he is actually trolling and when he's not. Which I guess is what makes the trolling fun for the troller. :popcorn:
 

Offline MMMarco

  • Regular Contributor
  • *
  • Posts: 69
  • Country: ch
  • Hobbyist. ⚠️ Opinionated
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #15 on: June 06, 2023, 11:15:50 pm »
Steve Jobs was as much a disaster to computing as Hitler was to Europe.

I urge you to take back that statement. Do you realize how silly this makes you look?

Was it even worth replying to? :-DD
magic keeps trolling, and you never quite know when he is actually trolling and when he's not. Which I guess is what makes the trolling fun for the troller. :popcorn:

It's ... just ... unnecessary. I don't know if it was worth replying to, but I wanted to have voiced myself about this.

Anyway.

The idea from a business standpoint is to have a steady influx of cash to pay for on-going development rather than say, three yearly major version updates. That's the theory anyway.

It's definitely a theory, software companies existed before subscription models existed and I think it's a pretty lame excuse for them to collect consumers' money on a regular basis.
27 year old Software Engineer (mostly JavaScript) from Switzerland with a taste for low level stuff like electronics 😊

 

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 4000
  • Country: au
  • Cat video aficionado
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #16 on: June 06, 2023, 11:22:15 pm »

The idea from a business standpoint is to have a steady influx of cash to pay for on-going development rather than say, three yearly major version updates. That's the theory anyway.

It's definitely a theory, software companies existed before subscription models existed and I think it's a pretty lame excuse for them to collect consumers' money on a regular basis.

Yep.

Software product aside, the business idea of releasing a product every 2-3 years is as old-fashioned as believing in moon landings.  ;)

New modern way is to keep your company current and sexy.
iratus parum formica
 

Offline MMMarco

  • Regular Contributor
  • *
  • Posts: 69
  • Country: ch
  • Hobbyist. ⚠️ Opinionated
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #17 on: June 06, 2023, 11:28:47 pm »
Software product aside, the business idea of releasing a product every 2-3 years is as old-fashioned as believing in moon landings.  ;)

lol - every time someone tells me that they don't believe in the moon landing I tell them to think about what they're carrying in their pocket (a smartphone).

People who think the moon landing didn't happen are ignorant of today's and yesterday's technology - it's a lost cause.  :-DD

New modern way is to keep your company current and sexy.

Hasn't that always been the case?  ;)
27 year old Software Engineer (mostly JavaScript) from Switzerland with a taste for low level stuff like electronics 😊

 

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 4000
  • Country: au
  • Cat video aficionado
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #18 on: June 06, 2023, 11:33:41 pm »
Hasn't that always been the case?  ;)

The smart money understands that people are very fickle now. IBM were notorious for being big and slow. Google are finding out that they are missing the boat with AI.

As for phones, the American FBI has just admitted that they have UFOs in their possession. That's where the smartphone tech came from.  ;)
iratus parum formica
 

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 4000
  • Country: au
  • Cat video aficionado
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #19 on: June 06, 2023, 11:51:57 pm »
People who think the moon landing didn't happen are ignorant of today's and yesterday's technology - it's a lost cause.  :-DD

Have you noticed that many of the moon landing deniers will also claim that there are govt bases installed on the far side of the moon.

Need to loosen the tin foil hat a bit.
iratus parum formica
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1690
  • Country: au
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #20 on: June 07, 2023, 12:18:10 am »
Guys, this isn't about government conspiracies.

Back on topic, I will never buy or own another Gigabyte product after this. While they call it an "Update" service the fact that it's effectively forced on you and injected into your OS should be a massive cause for concern even if it wasn't being abused by third parties.

Companies do not invest in things that do not earn them a profit in some way, they could just do what every MB and hardware MFG has done since the dawn of firmware, provide updates for the user to apply, if they choose. The real reason for such junk to be pushed on people is to track the proliferation of their hardware in the market. IMO this being forced into your OS, especially in a corporate environment where all software has to be checked and vetted should be seen as a malicious act.
 
The following users thanked this post: MMMarco

Offline magic

  • Super Contributor
  • ***
  • Posts: 6860
  • Country: pl
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #21 on: June 07, 2023, 08:59:33 am »
It wasn't Steve Jobs. It was Bill Gates.
It wasn't Bill Gates, it was Silicon Valley. Bill Gates found a way to channel his greed into fucking up several of IBM's attempts at establishing monopoly (PC, DOS, OS/2) and created free-for-all competition of hardware vendors and the standard PC platform which not only outgrew IBM, but essentially obliterated all the other locked in proprietary shit (Apple famously barely survived that apocalypse, regrettably). And shitty as it was, the PC was big and standardized enough that Microsoft couldn't fully control it and other operating systems managed to find a niche there. Hell, even Apple was forced to sell their own brand of customized PCs for over a decade to remain competitive.

(Gates going batshit after retiring from M$ as a billionaire is, of course, another story.)

Windows of the past didn't install shit on your computer without permission. It wasn't always designed to cater to the most retarded idiots. It didn't report your every click to the mothership. This sort of business practice has been introduced by the likes of Apple, Google and the assorted asocial media and then adopted by MS (post Gates, by the way). And the consumer cattle got used to them and here we are.

magic keeps trolling, and you never quite know when he is actually trolling and when he's not.
It's a way of hiding my insanity. You may think I'm kidding, even if I'm not :D

And seriously, WW2 wasn't that bad. 80 years later one can hardly tell that it happened, even living here. I wonder if in 2100 the same could be said about the mass brain damage caused by social media and smartphones and the erosion of any semblance of ethics in the computing industry.
« Last Edit: June 07, 2023, 09:11:04 am by magic »
 

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 4000
  • Country: au
  • Cat video aficionado
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #22 on: June 07, 2023, 09:15:49 am »
I'd be interested how you all think the Gigabyte situation compares with Lenovo dodgy bios saga.

iratus parum formica
 

Online coromonadalix

  • Super Contributor
  • ***
  • Posts: 6085
  • Country: ca
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #23 on: June 07, 2023, 10:44:11 am »
or Asus fiasco too .. Router and mobos ...

and thanks to M$oft who push BIOS updates thru Windows updates ....
 

Offline madires (Topic starter)

  • Super Contributor
  • ***
  • Posts: 7876
  • Country: de
  • A qualified hobbyist ;)
Re: 270 Gigabyte mainboards affected by insecure downloader in UEFI
« Reply #24 on: June 07, 2023, 11:44:01 am »
Back on topic, I will never buy or own another Gigabyte product after this. While they call it an "Update" service the fact that it's effectively forced on you and injected into your OS should be a massive cause for concern even if it wasn't being abused by third parties.

Is there any mainboard manufacturer without a BIOS/UEFI security incident? Asus, Lenovo, MSI and so on, all joined the club.
 
The following users thanked this post: MMMarco

