invokestatic commented on How kernel anti-cheats work   s4dbrd.github.io/posts/ho... · Posted by u/davikr
matheusmoreira · 2 days ago
Never forget the risks of trusting game companies with this sort of access to your machine.

https://www.vice.com/en/article/fs-labs-flight-simulator-pas...

Company decides to "catch pirates" as though it was police. Ships a browser stealer to consumers and exfiltrates data via unencrypted channels.

https://old.reddit.com/r/Asmongold/comments/1cibw9r/valorant...

https://www.unknowncheats.me/forum/anti-cheat-bypass/634974-...

Covertly screenshots your screen and sends the image to their servers.

https://www.theregister.com/2016/09/23/capcom_street_fighter...

https://twitter.com/TheWack0lian/status/779397840762245124

https://fuzzysecurity.com/tutorials/28.html

https://github.com/FuzzySecurity/Capcom-Rootkit

Yes, a literal privilege escalation as a service "anticheat" driver.

Trusting these companies is insane.

Every video game you install is untrusted proprietary software that assumes you are a potential cheater and criminal. They are pretty much guaranteed to act adversarially to you. Video games should be sandboxed and virtualized to the fullest possible extent so that they can access nothing on the real system and ideally not even be able to touch each other. We really don't need kernel level anticheat complaining about virtualization.

invokestatic · 2 days ago
The privacy points in general are valid, but what irritates me is using this rationale against kernel mode anti cheats specifically.

You do not need kernel access to make spyware that takes screenshots. You do not need a privileged service to read the user’s browser history.

You can do all of this, completely unprivileged on Windows. People always seem to conflate kernel access with privacy which is completely false. It would in fact be much harder to do any of these things from kernel mode.

invokestatic commented on How kernel anti-cheats work   s4dbrd.github.io/posts/ho... · Posted by u/davikr
halayli · 2 days ago
That doesn't sound accurate. The T in TPM stands for trust, the whole standard is about verifying and establishing trust between entities. The standard is designed with the assumption that anyone can bring in their scope and probe the ports. This is one of several reasons why the standard defines endorsement keys (EK).
invokestatic · 2 days ago
Actually, it is completely true. The TPM threat model has historically focused on software-based threats and physical attacks against the TPM chip itself - crucially NOT the communications between the chip and the CPU. In the over 20 year history of discrete TPMs, they are largely completely vulnerable to interposer (MITM) attacks and only within the last few years is it being addressed by vendors. Endorsement keys don’t matter because the TPM still has to trust the PCR commands sent to it by the CPU. An interposer can replace tampered PCR values with trusted values and the TPM would have no idea.
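Added example, not part of either comment above and not code from any TPM vendor: a minimal model of the SHA-256 PCR extend operation, showing that a PCR value is a function only of the digests that reach the chip, so the CPU-to-TPM link sits inside the trust boundary. The component names, byte strings and the `bus` parameter are constructed for illustration.

```python
import hashlib

PCR_SIZE = 32  # bytes in a SHA-256 PCR


def measure(component: bytes) -> bytes:
    """Digest the firmware computes over a boot component before running it."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM side: PCR_new = SHA-256(PCR_old || digest). No other input exists."""
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("SHA-256 bank expects 32-byte values")
    return hashlib.sha256(pcr + digest).digest()


def boot(components, bus=lambda digest: digest) -> bytes:
    """Measure each component in order; `bus` models the CPU-to-TPM link."""
    pcr = bytes(PCR_SIZE)  # static PCRs start at all zeros
    for component in components:
        pcr = extend(pcr, bus(measure(component)))
    return pcr


# Constructed sample inputs, not real firmware images.
KNOWN_GOOD = [b"bootblock-v1", b"bootloader-v1", b"kernel-v1"]
MODIFIED = [b"bootblock-v1", b"bootloader-CHANGED", b"kernel-v1"]


def substituting_bus(digest: bytes) -> bytes:
    """Link that swaps the modified stage's digest for the known-good one."""
    if digest == measure(MODIFIED[1]):
        return measure(KNOWN_GOOD[1])
    return digest


def compare():
    expected = boot(KNOWN_GOOD)
    honest = boot(MODIFIED)                     # change is visible in the PCR
    swapped = boot(MODIFIED, substituting_bus)  # PCR equals the good boot
    return expected, honest, swapped


if __name__ == "__main__":
    expected, honest, swapped = compare()
    print("modified boot, honest link, matches expected:", honest == expected)
    print("modified boot, swapped digest, matches expected:", swapped == expected)
```

With an honest link the modified stage changes the final PCR; with the digest swapped in transit the PCR is byte-identical to the known-good boot, so a verifier comparing PCR values alone sees no difference.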
invokestatic commented on How kernel anti-cheats work   s4dbrd.github.io/posts/ho... · Posted by u/davikr
edoceo · 2 days ago
Can a TPM be faked in a QEMU VM?
invokestatic · 2 days ago
Technically yes, but it would produce an untrusted remote attestation signature (quote). This is roughly equivalent to using TLS with a self-signed certificate — it’s not trusted by anyone else. TPMs have a signing key that’s endorsed by the TPM vendor’s CA.
invokestatic commented on Exploiting signed bootloaders to circumvent UEFI Secure Boot (2019)   habr.com/en/articles/4462... · Posted by u/todsacerdoti
Bratmon · a month ago
It's really funny to me that Microsoft's attempt to finally stamp out desktop Linux once and for all failed because one of Microsoft's antivirus vendor partners couldn't write secure software to save their lives.

The continued Linux desktop solely relies on antivirus vendors writing crappy insecure software. So we'll be fine forever.

invokestatic · a month ago
No, this is not true at all. Microsoft requires their system vendors (Dell, HP, etc) to allow users to enroll their own Secure Boot keys through their “Designed for Windows” certification.

Further, many distributions are already compatible with Secure Boot and work out of the box. Whether or not giving Microsoft the UEFI root of trust was a good idea is questionable, but what they DO have is a long, established history of supporting Linux secure boot. They sign a UEFI shim that allows distributions to sign their kernels with their own, distribution-controlled keys in a way that just works on 99% of PCs.

invokestatic commented on We X-Rayed a Suspicious FTDI USB Cable   eclypsium.com/blog/xray-c... · Posted by u/aa_is_op
userbinator · 2 months ago
I don't want Boot Guard or any of that DRM crap. I want freedom.

> I want to make a persistent implant/malware that survives OS reinstalls.

Look up Absolute Computrace Persistence. It's there by default in a lot of BIOS images, but won't survive a BIOS reflash with an image that has the module stripped out (unless you have the "security" of Boot Guard, which will effectively make this malware mandatory!)

> I’m more interested in demonstrating how important hardware root of trust is.

You mean more interested in toeing the line of corporate authoritarianism.

invokestatic · 2 months ago
Well, this project is literally about me circumventing/removing Boot Guard so I don’t know how it’s corporate authoritarianism. I’m literally getting rid of it. In doing so I get complete control of the BIOS/firmware down to the reset vector. I can disable ME. To me, that’s ultimate freedom.

As a power user, do I want boot guard on my personal PC? Honestly, no. And we’re in luck because a huge amount of consumer motherboards have a Boot Guard profile so insecure it’s basically disabled. But do I want our laptops at work to have it, or the server I have at a colocation facility to have it? Yes I do. Because I don’t want my server to have a bootkit installed by someone with an SPI flasher. I don’t want my HR rep getting hidden, persistent malware because they ran an exe disguised as a pdf. It’s valuable in some contexts.

invokestatic commented on We X-Rayed a Suspicious FTDI USB Cable   eclypsium.com/blog/xray-c... · Posted by u/aa_is_op
Nextgrid · 2 months ago
> persistent implant/malware that survives OS reinstalls

Try attacking NIC, server BMC or SSD firmware. You will achieve your goal without any hardware replacement needed.

invokestatic · 2 months ago
Yeah, but that doesn’t give me a reason to use the hot air station and hot plate collecting dust on my desk ;)
invokestatic commented on We X-Rayed a Suspicious FTDI USB Cable   eclypsium.com/blog/xray-c... · Posted by u/aa_is_op
invokestatic · 2 months ago
I have a slow burn project where I simulate a supply chain attack on my own motherboard. You can source (now relatively old) Intel PCH chips off Aliexpress that are “unfused” and lack certain security features like Boot Guard (simplified explanation). I bought one of these chips and I intend to desolder the factory one on my motherboard and replace it with the Aliexpress one. This requires somewhat difficult BGA reflow but I have all the tools to do this.

I want to make a persistent implant/malware that survives OS reinstalls. You can also disable Intel (CS)ME and potentially use Coreboot as well, but I don’t want to deal with porting Coreboot to a new platform. I’m more interested in demonstrating how important hardware root of trust is.

invokestatic commented on     · Posted by u/tokyobreakfast
invokestatic · 2 months ago
Calling it a “kill switch” buries the lede here. What these politicians call a kill switch is technology to passively detect drunk driving. In 2021, Congress passed a law (HALT Drunk Driving Act) requiring NHTSA to eventually require auto makers to install passive drunk driver detection systems. NHTSA missed their statutory November 2024 deadline to finalize the regulations on this so it’s not like this amendment failing has a substantial impact. This technology is still many model years (maybe 2029? 2030?) away. I make no claims to the merits of this technology, I just feel the need to clarify the current situation.
invokestatic commented on "Anyone else out there vibe circuit-building?"   twitter.com/beneater/stat... · Posted by u/thetrustworthy
mikeayles · 2 months ago
Been working on this exact problem for a while now. The core issue isn't that LLMs are bad at circuits, it's that we're asking them to do novel design when they should be doing selection and integration.

My project (https://phaestus.app/blog) takes a different approach: pre-validated circuit blocks on a fixed 12.7mm grid with standardized bus structures. The LLM picks which blocks you need and where they go, but the actual circuit design was done by humans and tested. No hallucinated resistor values, no creative interpretations of datasheets.

It's the same insight that made software dependencies work. You don't ask ChatGPT to write you a JSON parser from scratch, you ask it which library to use. Hardware should work the same way.

Still WIP and the block library needs expanding, but the constraint-based approach means outputs are manufacturable by construction rather than "probably fine, let's see what catches fire."

invokestatic · 2 months ago
This is conceptually interesting to me because I see this as almost a more generic TI Webench. I’m curious why your focus is on the sized “grid” blocks (presumably for placement directly on the PCB layout) instead of doing the same but for the schematic. That way I still have the flexibility of laying out the board how I want to meet e.g. mechanical constraints instead of working around a 12.7mm grid.
invokestatic commented on OpenAI to begin testing ads on ChatGPT in the U.S.   cnbc.com/2026/01/16/open-... · Posted by u/koolba
invokestatic · 2 months ago
I’ve been paying for Google Workspace for my custom domain for years basically just so I can use Gmail. For just $7 more dollars a month, I upgraded my plan to access Gemini Pro, which has guaranteed enterprise-grade privacy controls. I think this is currently the best value platform for anyone who values their privacy for LLMs. If Apple and the DoD trust Google’s internal controls, I do too.

u/invokestatic

Karma: 1100 · Cake day: December 16, 2014
About
Brendan Heinonen heinonen.co