• 0 Posts
  • 36 Comments
Joined 2 months ago
Cake day: February 5th, 2025
  • Xanza@lemm.eetolinuxmemes@lemmy.worldVentoy my beloved.English
    11·
    18 days ago

    Binary supply-chain attacks are not “minor security issues”.

    Yes they are. The binaries for Ventoy aren’t even updated from release to release. It’s not even evident how old they are. So crying about an attack that only matters if these binaries are bleeding edge is absolutely a minor issue. I don’t even understand how someone of sound mind and body could possibly believe otherwise.

    Not having a security first posture on these kinds of attacks is how the xz event happened

    No one is making the argument that security doesn’t matter. No one is pushing the idea that Ventoy is secure. I’m saying singularly and only that a supply chain attack is just about the dumbest goddamn angle possible to bitch about Ventoy because I could argue that Ventoy would be more vulnerable than it is now to a supply chain attack if the binary blobs are built and updated every time you build a bootable drive. It’s just a truly fucking insane argument that shows a lack of understanding of what a supply chain attack is. The built binaries may be vulnerable and it’s difficult to prove if they are or not, but if you update the binaries all the time they’re more (attack surface is larger) than if they’re only updated when absolutely necessary…

    It’s just plain a poor argument and I’m tired of every armchair expert pretending that its not. People in high security environments aren’t using Ventoy. It’s just such a ridiculous argument.

  • Xanza@lemm.eetolinuxmemes@lemmy.worldVentoy my beloved.English
    46·
    20 days ago

    The advantage of Ventoy is its ability to work in any environment and handle 99% of ISOs. Compiling the binaries at build time requires a mature development environment to be able to build these utilities… Your exponentially increasing the size and complexity of the project to solve a relatively minor security issue.

    Ventoy is not the only way to create a bootable drive… If you don’t trust the blobs then don’t run the software.

    Forking ventoy to add the complexity of building these utilities is only going to be available for *nix base environments so Windows users are pretty much shit out of luck. Your exponentially increasing the size of the project, it’s complexity, and simultaneously significantly narrowing its usability…

    I said it before and I’ll say it again it’s such a bad fucking argument. It’s not mature software. It’s a literal confluence of hacks… And if you’re not comfortable with using it then don’t use it. It really is a huge security risk. But advocating that nobody use it is such stupid fucking thing.

    Advocate that people understand the risks of using it but to just run around and scream about how nobody should be using it for any reason whatsoever until the maintainer closes the security hole that makes it run is pretty stupid.

  • Xanza@lemm.eetolinuxmemes@lemmy.worldVentoy my beloved.English
    4012·
    20 days ago

    No. But the argument itself is so stupid to me.

    Ventoy has never been a secure tool. People are making the argument that it should be, which is just nutty.

    If you’re one of those people that grab random fuckin’ ISO’s from all over the internet to test em out, then no. You really shouldn’t use Ventoy. If you run official ISO from recognized sources, then realistically the risk is ever present, but minimal.

    Like getting in a wreck on the way to the store to pick up milk. It’s always a possibility, but not many people would stand around and make the argument that you should stay home forever because you might get into an accident, which is basically the argument against Ventoy. It’s “we’ll, it’s a crazy useful tool, but you shouldn’t use it because something might happen.”

    It’s just such a bad argument. Fact of the matter is, is that if there were a non-hacky as shit way to do what Ventoy does, it would be available right now. But it’s not… Because it’s really not.

    The only way to avoid the issues that Ventoy employs is to not use ISOs and use something like netboot.xyz, which presents its own set of issues. How do you know you’re not being MITM from the iPXE environment? Like, sure. You can technically verify it, but how do you know for sure on the fly?

    Like, if you sit down you can pick apart any software for being an insufferable gaping asshole of security vulnerabilities.

  • Xanza@lemm.eetoTechnology@lemmy.mlYou're Being Lied to About 5GEnglish
    616·
    1 month ago

    You’re not being lied to, people just don’t know what 5G is.

    Only mmW is 5G. When you see “5G” on your phone, it’s Gen5 network over 4G LTE, which is not 5G. It’s a nomenclature issue. No one is being lied to.

    mmW is 5G. Everything else is 4G even though it’s advertised on your phone as 5G–because it’s a Gen5 network over 4G LTE. And if it sounds confusing, yeah. It is. Which is why they just call it 5G and 5G UWB (actual 5G). Because most people would be so fucking confused its not worth it.