On Tue, 05 Sep 2023 13:54:49 -0500, casey@invalid.com wrote:

>On Mon, 04 Sep 2023 16:23:09 -0600, KenW
><ken1943@invalid.net> wrote:
>
>>Trying to decide what to use for disk imaging after Reflect Free.
>>Testing Hasleo Backup at this point.
>>I have used Acronis and Paragon in the past.
>>I guess Free, as programs for four machines gets expensive.
>>
>>Any opinions ?
>>
>>Thanks
>>
>>
>>KenW
>
>I've been using the simple freebie Standard Edition of AOMEI for
>years.
>
>https://www.aomeitech.com/aomei-backupper.html
>
>If you want all the bells and whistles of fancier ones, this ain't it.

I used AOMEI until a system image restore left me with a secure boot
error and an unbootable machine (on Win11). Both of two AOEMEI images
failed. Luckily I also had a Windows system image. Which worked. It was
the oldest of the three system images.

I have since dropped it for Macrium Reflect Free. I haven't tried
restoring a Macrium image yet. Don't know what happened but YMMV.

--
Zag

No one ever said on their deathbed, 'Gee, I wish I had
spent more time alone with my computer.' ~Dan(i) Bunten

On Tue, 5 Sep 2023 15:10:22 -0500, VanguardLH <V@nguard.LH> wrote:

>Zaghadka <zaghadka@hotmail.com> wrote:
>
>> On Tue, 5 Sep 2023 06:19:06 -0400, Paul <nospam@needed.invalid> wrote:
>>
>>>My copies of the Free version are not going anywhere.
>>>They are not time bombed, as far as I know.
>>
>> Microsoft is making changes to secure boot to combat BlackLotus.
>> Pre-patch bootloaders won't work after it is activated.
>>
>> https://petri.com/microsoft-fix-secure-boot-flaw-windows/
>>
>> So it hasn't been enabled yet, but when it is you will have to remake all
>> of your boot media. No idea if Macrium Reflect is getting this, but I
>> think it downloads the boot image from Microsoft, so fingers crossed.
>>
>> Full implementation is Q1 2024, after support for Reflect Free is
>> discontinued. Some day in 2024 we might have some interesting support
>> cases. Restoring backups made prior to May 9, 2023 will fail with an
>> unbootable machine.
>>
>> You can manually activate it now with the steps in the linked article and
>> see if it changes anything:
>>
>> https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#enable5025885
>>
>> Good luck.
>
>That only affects computers where secure boot is enabled in the BIOS. I
>wasn't going to multi-boot on my home PC, so I enabled secure boot in
>BIOS, but ran afoul of secure boot (forget the details), and disabled it
>which somehow fucked the security key which then made the mobo unusable.
>Asrock sent me a new mobo since it was their firmware that screwed up
>the removal/disable of Secure Boot.
>
The Microsoft articles say you will need new boot media. It specifically
mentions making a new recovery drive. So, I'm assuming it's in software,
not hardware.

Why do you think it only affects a hardware secure boot scenario?

--
Zag

No one ever said on their deathbed, 'Gee, I wish I had
spent more time alone with my computer.' ~Dan(i) Bunten

On Tue, 05 Sep 2023 13:00:58 -0700, Ken Blake <Ken@invalid.news.com>
wrote:

>On Tue, 5 Sep 2023 14:05:48 -0500, VanguardLH <V@nguard.LH> wrote:
>
>>Paul <nospam@needed.invalid> wrote:
>>
>>> On 9/4/2023 6:23 PM, KenW wrote:
>>>> Trying to decide what to use for disk imaging after Reflect Free.
>>>> Testing Hasleo Backup at this point.
>>>> I have used Acronis and Paragon in the past.
>>>> I guess Free, as programs for four machines gets expensive.
>>>>
>>>> Any opinions ?
>>>>
>>>> Thanks
>>>>
>>>> KenW
>>>
>>> My copies of the Free version are not going anywhere.
>>> They are not time bombed, as far as I know.
>>>
>>> If Microsoft makes incompatible changes to NTFS, then
>>> that would be the kind of event which would kick
>>> older versions of Macrium to the curb (We can't use Macrium 5 for
>>> W10 or W11 for example). Thus, it will be
>>> a Microsoft event, that kills off your Free. Rather than
>>> Macrium being evil and doing it.
>>>
>>> Offering the Free version was a sales gimmick, one which
>>> they do not feel they need to do any more. They do not
>>> seem to be the kind of people who time bomb software and
>>> make it drop dead somehow. Any sort of evil behavior would
>>> be detrimental to future sales. There are more than twenty
>>> companies making backup software, and it is a competitive
>>> environment, where your reputation as a prick, matters.
>>>
>>> *******
>>>
>>> Since Microsoft made "Win7 backup" utilities, companies
>>> like Macrium, AOMEI, and Easeus offered free versions
>>> that could match the "Full Backup" capability of the
>>> Windows offering.
>>>
>>> Normally, Incremental or Incremental Forever modes, those
>>> are commercial offerings and why we buy the third-party software.
>>> Microsoft does not offer Incremental with theirs.
>>>
>>> Whether Differential backups are offered for free, varies from
>>> product to product.
>>>
>>> Full [very wasteful of space] <=== big hard drives are expensive now
>>> Differential [less wasteful of space]
>>> Incremental [very efficient, suited to automatic backups on a schedule]
>>>
>>> Microsoft only offered Full, because that way, they would not
>>> "disadvantage" any of their Partners.
>>>
>>> Paul
>>
>>A problem with using a full backup and incrementals thereafter is the
>>chain gets more fragile the longer it gets. The incrementals are based
>>on prior incrementals. Lose an incremental, and all following
>>incrementals are also lost. Keep the chain short. Differentials help
>>shorten the incremental chain, but without having to use as much space
>>as full backups. Differentials are based off the full backups, so don't
>>keep making differentials off one old full backup, because the
>>differentials will eventually get to nearly as big as a full backup.
>
>
>That's exactly why I prefer full backups to either incremental or
>differential.

Yup. Full system image ftw. Diffs are fine. Incremental is just asking
for it, IMO.

--
Zag

No one ever said on their deathbed, 'Gee, I wish I had
spent more time alone with my computer.' ~Dan(i) Bunten

On Tue, 05 Sep 2023 13:00:58 -0700, Ken Blake <Ken@invalid.news.com>
wrote:

>On Tue, 5 Sep 2023 14:05:48 -0500, VanguardLH <V@nguard.LH> wrote:
>
>>Paul <nospam@needed.invalid> wrote:
>>
>>> On 9/4/2023 6:23 PM, KenW wrote:
>>>> Trying to decide what to use for disk imaging after Reflect Free.
>>>> Testing Hasleo Backup at this point.
>>>> I have used Acronis and Paragon in the past.
>>>> I guess Free, as programs for four machines gets expensive.
>>>>
>>>> Any opinions ?
>>>>
>>>> Thanks
>>>>
>>>> KenW
>>>
>>> My copies of the Free version are not going anywhere.
>>> They are not time bombed, as far as I know.
>>>
>>> If Microsoft makes incompatible changes to NTFS, then
>>> that would be the kind of event which would kick
>>> older versions of Macrium to the curb (We can't use Macrium 5 for
>>> W10 or W11 for example). Thus, it will be
>>> a Microsoft event, that kills off your Free. Rather than
>>> Macrium being evil and doing it.
>>>
>>> Offering the Free version was a sales gimmick, one which
>>> they do not feel they need to do any more. They do not
>>> seem to be the kind of people who time bomb software and
>>> make it drop dead somehow. Any sort of evil behavior would
>>> be detrimental to future sales. There are more than twenty
>>> companies making backup software, and it is a competitive
>>> environment, where your reputation as a prick, matters.
>>>
>>> *******
>>>
>>> Since Microsoft made "Win7 backup" utilities, companies
>>> like Macrium, AOMEI, and Easeus offered free versions
>>> that could match the "Full Backup" capability of the
>>> Windows offering.
>>>
>>> Normally, Incremental or Incremental Forever modes, those
>>> are commercial offerings and why we buy the third-party software.
>>> Microsoft does not offer Incremental with theirs.
>>>
>>> Whether Differential backups are offered for free, varies from
>>> product to product.
>>>
>>> Full [very wasteful of space] <=== big hard drives are expensive now
>>> Differential [less wasteful of space]
>>> Incremental [very efficient, suited to automatic backups on a schedule]
>>>
>>> Microsoft only offered Full, because that way, they would not
>>> "disadvantage" any of their Partners.
>>>
>>> Paul
>>
>>A problem with using a full backup and incrementals thereafter is the
>>chain gets more fragile the longer it gets. The incrementals are based
>>on prior incrementals. Lose an incremental, and all following
>>incrementals are also lost. Keep the chain short. Differentials help
>>shorten the incremental chain, but without having to use as much space
>>as full backups. Differentials are based off the full backups, so don't
>>keep making differentials off one old full backup, because the
>>differentials will eventually get to nearly as big as a full backup.
>
>
>That's exactly why I prefer full backups to either incremental or
>differential.

+1

KenW

On Tue, 05 Sep 2023 15:43:24 -0500, Zaghadka <zaghadka@hotmail.com>
wrote:

>On Tue, 05 Sep 2023 13:54:49 -0500, casey@invalid.com wrote:
>
>>On Mon, 04 Sep 2023 16:23:09 -0600, KenW
>><ken1943@invalid.net> wrote:
>>
>>>Trying to decide what to use for disk imaging after Reflect Free.
>>>Testing Hasleo Backup at this point.
>>>I have used Acronis and Paragon in the past.
>>>I guess Free, as programs for four machines gets expensive.
>>>
>>>Any opinions ?
>>>
>>>Thanks
>>>
>>>
>>>KenW
>>
>>I've been using the simple freebie Standard Edition of AOMEI for
>>years.
>>
>>https://www.aomeitech.com/aomei-backupper.html
>>
>>If you want all the bells and whistles of fancier ones, this ain't it.
>
>I used AOMEI until a system image restore left me with a secure boot
>error and an unbootable machine (on Win11). Both of two AOEMEI images
>failed. Luckily I also had a Windows system image. Which worked. It was
>the oldest of the three system images.
>
>I have since dropped it for Macrium Reflect Free. I haven't tried
>restoring a Macrium image yet. Don't know what happened but YMMV.

Reflect worked twice for me. One Windows mess up & one Ransomware

KenW

Zaghadka <zaghadka@hotmail.com> wrote:

> On Tue, 5 Sep 2023 15:10:22 -0500, VanguardLH <V@nguard.LH> wrote:
>
>>Zaghadka <zaghadka@hotmail.com> wrote:
>>
>>> On Tue, 5 Sep 2023 06:19:06 -0400, Paul <nospam@needed.invalid> wrote:
>>>
>>>>My copies of the Free version are not going anywhere.
>>>>They are not time bombed, as far as I know.
>>>
>>> Microsoft is making changes to secure boot to combat BlackLotus.
>>> Pre-patch bootloaders won't work after it is activated.
>>>
>>> https://petri.com/microsoft-fix-secure-boot-flaw-windows/
>>>
>>> So it hasn't been enabled yet, but when it is you will have to remake all
>>> of your boot media. No idea if Macrium Reflect is getting this, but I
>>> think it downloads the boot image from Microsoft, so fingers crossed.
>>>
>>> Full implementation is Q1 2024, after support for Reflect Free is
>>> discontinued. Some day in 2024 we might have some interesting support
>>> cases. Restoring backups made prior to May 9, 2023 will fail with an
>>> unbootable machine.
>>>
>>> You can manually activate it now with the steps in the linked article and
>>> see if it changes anything:
>>>
>>> https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#enable5025885
>>>
>>> Good luck.
>>
>>That only affects computers where secure boot is enabled in the BIOS. I
>>wasn't going to multi-boot on my home PC, so I enabled secure boot in
>>BIOS, but ran afoul of secure boot (forget the details), and disabled it
>>which somehow fucked the security key which then made the mobo unusable.
>>Asrock sent me a new mobo since it was their firmware that screwed up
>>the removal/disable of Secure Boot.
>>
> The Microsoft articles say you will need new boot media. It specifically
> mentions making a new recovery drive. So, I'm assuming it's in software,
> not hardware.
>
> Why do you think it only affects a hardware secure boot scenario?

Are there more details on just how the BlackLotus vulnerability is
implemented, and how Microsoft is going to mitigate it?

Does corrupting the bootloader policy in UEFI involve WPBT at all, or is
it just having the UEFI select a different bootloader than for the OS in
the partition? The flaw seems to allow a different bootloader to be
specified because the signing code was not properly validated.
Self-signed code and code with expired certs were allowed to load as the
bootloader pointed to by UEFI.

If users do NOT use Secure Boot, how can this affect them? In the hosts
that I've setup, Secure Boot was NOT enabled by default. Without Secure
Boot, a malicious bootloader could be specified. However, exploitation
requires physical access to the computer, or local admin privileges.
Once malware has ran, you can't be sure any security software prevented
its effects. Prevention is the cure, not retro action.

https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#update5025885

That's to ensure the bootable media cannot be subverted by the Secure
Boot vulnerability. That there is a vulnerability does not guarantee it
will be exercised.

Seems all these updates are to revoke self-signed or expired signed code
similar to how some updates get pushed to revoke falsely registered
certificates (you can see in certmg.msc).

Since Macrium Reflect uses Microsoft's PE image to create bootable
media, it will be up to Microsoft to update their PE image. So, you may
have to redo the boot media for Reflect, but I'm not sure the old boot
media will not work, especially if you are NOT using Secure Boot.
Updating the PE image in the Macrium boot media is very easy via menu
choices, but it may catch some users by surprise. Any backup software
that employs bootable media, or even the .dat boot image that the
Windows loader will present as a boot choice, should issue an update
that then alerts the user there is an update, and to apply it.

When I try to run the update in Macrium Reflect v8, it reports a timeout
on the Internet connection. There are no rules on Reflect in the
Windows firewall. After several retries, the updater found a new
version issued Sept 4, 2023. Did not see anything about to recreate the
boot image, but then the patches have not yet been issued. Trying to
pre-install changes by Microsoft is a betting game: sometimes Microsoft
says it will do somthing, but change their mind, so all the dev work to
incorporate the changes was wasted. Also, since Macrium uses the
Windows PE (pre-installation environment) image for booting, perhaps
Macrium can't do anything, not even inform, until Microsoft updates the
PE image.

Do you have Secure Boot enabled in your UEFI on your computer? I don't
on mine. You may not have a choice on a work-owned computer, and your
company's IT folks will be responsible for the transition. However,
I've been many workplaces where Secure Boot was never enabled in the
firmware. I think it is the folks buying pre-built computers with
Windows 10/11 pre-installed who get stuck with Secure Boot enabled by
default. Well, that's probably a hefty share of Win10/11 users. I hear
for some computers, like HP, there is no option to disable Secure Boot.
You don't get a choice. They decided it's for your own good. Well,
those distributors are assholes, because they've locked you into one OS
instead of letting you multi-boot. To check if Secure Boot is enabled
in the firmware, open the Start Menu and enter "system information".
For me under the Summary node, "Secure Boot State" is off.

What is unclear is if the Secure Boot vulnerabilty involves WPBT. The
articles mention a policy, but don't mention where it is defined or what
enforces it and when. Perhaps they expect their readers to be deeply
and well versed on the operation of Secure Boot. To me, it's crap I
don't want. Microsoft mitigating the vulnerability sounds like a patch
job instead of relegating the responsibility to UEFI, but getting the
UEFI spec change would take many years.

On 9/5/2023 2:18 PM, VanguardLH wrote:
> Paul <nospam@needed.invalid> wrote:
>
>> Char Jackson wrote:
>>
>>> Paul <nospam@needed.invalid> wrote:
>>
>>>> Full [very wasteful of space] <=== big hard drives are expensive now
>>>
>>> If someone were to ask me, I'd say that big hard drives have never
>>> been less expensive than they are now. On a daily basis, I see ads
>>> for 20TB Seagates that cost just a bit over $200. OK, they're
>>> Seagate drives, but still.
>>
>> I can see some refurbs at that price. Are you looking at internals,
>> or external USB ? I usually use internals here. I control the cooling.
>
> https://www.newegg.com/p/pl?N=100167523%20601398066%204814&Order=1
> (desktop internal spinners)
>
> Newegg doesn't have rock bottom prices, but they are a reliable vendor,
> and their prices are usually close to rock bottom. Typically the
> vendors at rock bottom are unknown and untrusted.

Unless you are a thrill seeker, I recommend that when you buy something
from the Newegg website that you ensure you are buying from Newegg;
exceptions allowed if you have some reasonably trusted encouraging
information about the actual vendor. Newegg does not follow the Amazon
protocol where they try to fix all problems.
-- Jeff Barnett

On Tue, 5 Sep 2023 14:03:49 -0400, Paul <nospam@needed.invalid> wrote:

>On 9/5/2023 12:13 PM, Char Jackson wrote:
>> On Tue, 5 Sep 2023 06:19:06 -0400, Paul <nospam@needed.invalid> wrote:
>
>>> Full [very wasteful of space] <=== big hard drives are expensive now
>>
>> If someone were to ask me, I'd say that big hard drives have never been less
>> expensive than they are now. On a daily basis, I see ads for 20TB Seagates that
>> cost just a bit over $200. OK, they're Seagate drives, but still.
>
>I can see some refurbs at that price. Are you looking at internals,
>or external USB ? I usually use internals here. I control the cooling.

I get the Newegg Hot Deals email every day and while I don't study it, it's hard
to miss the blaring headlines. Looking at the latest one, I see a Seagate 20TB
for $280, (they claim the normal price is $700), and a WDC Red 14TB for $260,
normal price listed as $480. I've seen better prices than those, but those are
already pretty good.

Those are both internal drives. I think you can do better with externals. The
last two drives that I picked up were WDC 14TB externals that I shucked. I'm
starting to think that prices are low enough that I should be looking at a pair
of WDC 18TB externals to replace a couple of too-small WDC 4TB drives.

Jeff Barnett <jbb@notatt.com> wrote:

> On 9/5/2023 2:18 PM, VanguardLH wrote:
>> Paul <nospam@needed.invalid> wrote:
>>
>>> Char Jackson wrote:
>>>
>>>> Paul <nospam@needed.invalid> wrote:
>>>
>>>>> Full [very wasteful of space] <=== big hard drives are expensive now
>>>>
>>>> If someone were to ask me, I'd say that big hard drives have never
>>>> been less expensive than they are now. On a daily basis, I see ads
>>>> for 20TB Seagates that cost just a bit over $200. OK, they're
>>>> Seagate drives, but still.
>>>
>>> I can see some refurbs at that price. Are you looking at internals,
>>> or external USB ? I usually use internals here. I control the cooling.
>>
>> https://www.newegg.com/p/pl?N=100167523%20601398066%204814&Order=1
>> (desktop internal spinners)
>>
>> Newegg doesn't have rock bottom prices, but they are a reliable vendor,
>> and their prices are usually close to rock bottom. Typically the
>> vendors at rock bottom are unknown and untrusted.
>
> Unless you are a thrill seeker, I recommend that when you buy something
> from the Newegg website that you ensure you are buying from Newegg;
> exceptions allowed if you have some reasonably trusted encouraging
> information about the actual vendor. Newegg does not follow the Amazon
> protocol where they try to fix all problems.

Newegg, like Amazon and eBay, allow 3rd-party sellers to sell at those
sites. That it, the sites provide a front-end to the 3rd-party sellers.
If you want to ensure you are buying from Newegg, select the Seller
option in search to be Newegg. If you only want new stuff, also be sure
to select Condition option, and select New. Usually I also go under
Availability, and select In Stock. I'm not wasting my time deciding the
candidate products only to find out I can't get it, and waiting for
out-of-stock items to become in-stock items means you'll be waiting a
long time, or indefinitely if the item never comes back into stock.

Newegg will fix problems (wrong item, broken item, etc) when you buy
from Newegg. If you buy from a 3rd-party vendor using Newegg as a
front-end etail shop, you have to deal with the 3rd-party seller. Same
at Walmart: if you don't select Walmart as the retailer, problems are
resolved through the actual seller. Unless Walmart doesn't carry an
item, I stay away from 3rd-party sellers using Walmart as a front-end.

On 9/5/2023 5:28 PM, KenW wrote:
> On Tue, 05 Sep 2023 15:43:24 -0500, Zaghadka <zaghadka@hotmail.com>
> wrote:
>
>> On Tue, 05 Sep 2023 13:54:49 -0500, casey@invalid.com wrote:
>>
>>> On Mon, 04 Sep 2023 16:23:09 -0600, KenW
>>> <ken1943@invalid.net> wrote:
>>>
>>>> Trying to decide what to use for disk imaging after Reflect Free.
>>>> Testing Hasleo Backup at this point.
>>>> I have used Acronis and Paragon in the past.
>>>> I guess Free, as programs for four machines gets expensive.
>>>>
>>>> Any opinions ?
>>>>
>>>> Thanks
>>>>
>>>>
>>>> KenW
>>>
>>> I've been using the simple freebie Standard Edition of AOMEI for
>>> years.
>>>
>>> https://www.aomeitech.com/aomei-backupper.html
>>>
>>> If you want all the bells and whistles of fancier ones, this ain't it.
>>
>> I used AOMEI until a system image restore left me with a secure boot
>> error and an unbootable machine (on Win11). Both of two AOEMEI images
>> failed. Luckily I also had a Windows system image. Which worked. It was
>> the oldest of the three system images.
>>
>> I have since dropped it for Macrium Reflect Free. I haven't tried
>> restoring a Macrium image yet. Don't know what happened but YMMV.
>
> Reflect worked twice for me. One Windows mess up & one Ransomware
>
> KenW

When it works, the Boot Repair on the Macrium Rescue CD can work really well.
(For those at home, you make the Macrium Rescue CD, right after you install
the Free version on your C: partition.)

Yesterday, I took a disk with a botched install on it, and I pieced some
bits and pieces together, suited for repair (copied a /boot from a botched ESP
to another OS partition). The Windows DVD troubleshooting and repair, it
spun the "Attempting repair" juggling balls for over an hour. Popping out the
Windows DVD from the optical drive, it finally snapped to attention with the bad
news that "a file is missing". It does not say what file is missing, because...
that would be telling.

I used my Macrium USB stick, used the boot repair from there, and it used virtually
all of the commands at its disposal. And it was able to build me a nicely repaired
boot menu, all functional. So no complaints yesterday :-) Sometimes, when you ask
Macrium to do "more trivial" fixes, you're greeted by a failure.

*******

You had a Ransomware ?

We like to hear stories about such, because it's important to keeping
track of attack surfaces.

The only USENETter to get hit by Ransomware, it was a phishing email with
an EXE as an attachment. It leveled his entire computer room (so must have
had worm code for the LAN). He thought the email was a GoDaddy domain renewal,
or that's what the Black Hats used for phishing. He double clicked the attachment
and boom, fun begins.

That wasn't a delayed attack, which is a more popular method today. An attack today,
can be "planted like a mine", and a month later, it levels stuff and puts up the
red dialog asking for Bitcoins. It may be looking, specifically, for backup resources
and checking to see what defenses the user has. That's why it lays in wait,
so it can be "more effective" at ruining your day.

Paul

On 9/5/2023 5:34 PM, VanguardLH wrote:
> Zaghadka <zaghadka@hotmail.com> wrote:
>
>> On Tue, 5 Sep 2023 15:10:22 -0500, VanguardLH <V@nguard.LH> wrote:
>>
>>> Zaghadka <zaghadka@hotmail.com> wrote:
>>>
>>>> On Tue, 5 Sep 2023 06:19:06 -0400, Paul <nospam@needed.invalid> wrote:
>>>>
>>>>> My copies of the Free version are not going anywhere.
>>>>> They are not time bombed, as far as I know.
>>>>
>>>> Microsoft is making changes to secure boot to combat BlackLotus.
>>>> Pre-patch bootloaders won't work after it is activated.
>>>>
>>>> https://petri.com/microsoft-fix-secure-boot-flaw-windows/
>>>>
>>>> So it hasn't been enabled yet, but when it is you will have to remake all
>>>> of your boot media. No idea if Macrium Reflect is getting this, but I
>>>> think it downloads the boot image from Microsoft, so fingers crossed.
>>>>
>>>> Full implementation is Q1 2024, after support for Reflect Free is
>>>> discontinued. Some day in 2024 we might have some interesting support
>>>> cases. Restoring backups made prior to May 9, 2023 will fail with an
>>>> unbootable machine.
>>>>
>>>> You can manually activate it now with the steps in the linked article and
>>>> see if it changes anything:
>>>>
>>>> https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#enable5025885
>>>>
>>>> Good luck.
>>>
>>> That only affects computers where secure boot is enabled in the BIOS. I
>>> wasn't going to multi-boot on my home PC, so I enabled secure boot in
>>> BIOS, but ran afoul of secure boot (forget the details), and disabled it
>>> which somehow fucked the security key which then made the mobo unusable.
>>> Asrock sent me a new mobo since it was their firmware that screwed up
>>> the removal/disable of Secure Boot.
>>>
>> The Microsoft articles say you will need new boot media. It specifically
>> mentions making a new recovery drive. So, I'm assuming it's in software,
>> not hardware.
>>
>> Why do you think it only affects a hardware secure boot scenario?
>
> Are there more details on just how the BlackLotus vulnerability is
> implemented, and how Microsoft is going to mitigate it?
>
> Does corrupting the bootloader policy in UEFI involve WPBT at all, or is
> it just having the UEFI select a different bootloader than for the OS in
> the partition? The flaw seems to allow a different bootloader to be
> specified because the signing code was not properly validated.
> Self-signed code and code with expired certs were allowed to load as the
> bootloader pointed to by UEFI.
>
> If users do NOT use Secure Boot, how can this affect them? In the hosts
> that I've setup, Secure Boot was NOT enabled by default. Without Secure
> Boot, a malicious bootloader could be specified. However, exploitation
> requires physical access to the computer, or local admin privileges.
> Once malware has ran, you can't be sure any security software prevented
> its effects. Prevention is the cure, not retro action.
>
> https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#update5025885
>
> That's to ensure the bootable media cannot be subverted by the Secure
> Boot vulnerability. That there is a vulnerability does not guarantee it
> will be exercised.
>
> Seems all these updates are to revoke self-signed or expired signed code
> similar to how some updates get pushed to revoke falsely registered
> certificates (you can see in certmg.msc).
>
> Since Macrium Reflect uses Microsoft's PE image to create bootable
> media, it will be up to Microsoft to update their PE image. So, you may
> have to redo the boot media for Reflect, but I'm not sure the old boot
> media will not work, especially if you are NOT using Secure Boot.
> Updating the PE image in the Macrium boot media is very easy via menu
> choices, but it may catch some users by surprise. Any backup software
> that employs bootable media, or even the .dat boot image that the
> Windows loader will present as a boot choice, should issue an update
> that then alerts the user there is an update, and to apply it.
>
> When I try to run the update in Macrium Reflect v8, it reports a timeout
> on the Internet connection. There are no rules on Reflect in the
> Windows firewall. After several retries, the updater found a new
> version issued Sept 4, 2023. Did not see anything about to recreate the
> boot image, but then the patches have not yet been issued. Trying to
> pre-install changes by Microsoft is a betting game: sometimes Microsoft
> says it will do somthing, but change their mind, so all the dev work to
> incorporate the changes was wasted. Also, since Macrium uses the
> Windows PE (pre-installation environment) image for booting, perhaps
> Macrium can't do anything, not even inform, until Microsoft updates the
> PE image.
>
> Do you have Secure Boot enabled in your UEFI on your computer? I don't
> on mine. You may not have a choice on a work-owned computer, and your
> company's IT folks will be responsible for the transition. However,
> I've been many workplaces where Secure Boot was never enabled in the
> firmware. I think it is the folks buying pre-built computers with
> Windows 10/11 pre-installed who get stuck with Secure Boot enabled by
> default. Well, that's probably a hefty share of Win10/11 users. I hear
> for some computers, like HP, there is no option to disable Secure Boot.
> You don't get a choice. They decided it's for your own good. Well,
> those distributors are assholes, because they've locked you into one OS
> instead of letting you multi-boot. To check if Secure Boot is enabled
> in the firmware, open the Start Menu and enter "system information".
> For me under the Summary node, "Secure Boot State" is off.
>
> What is unclear is if the Secure Boot vulnerabilty involves WPBT. The
> articles mention a policy, but don't mention where it is defined or what
> enforces it and when. Perhaps they expect their readers to be deeply
> and well versed on the operation of Secure Boot. To me, it's crap I
> don't want. Microsoft mitigating the vulnerability sounds like a patch
> job instead of relegating the responsibility to UEFI, but getting the
> UEFI spec change would take many years.
>

One thing I caught a whiff of in my travels, is there was some deal
about the Linux shim needing replacement (the one signed by Microsoft).
And presumably that would be for someone using Secure Boot in Linux.
The Linux shim was presumably used, to bypass situations where the
situation would not allow Linux to install (Secure Boot only machine).

We've been promised, that the next generation of machines will be
Secure Boot only, and CSM legacy will be gone. Such a great thing
to look forward to.

Paul

On Wed, 6 Sep 2023 08:43:40 -0400, Paul <nospam@needed.invalid> wrote:

>On 9/5/2023 5:28 PM, KenW wrote:
>> On Tue, 05 Sep 2023 15:43:24 -0500, Zaghadka <zaghadka@hotmail.com>
>> wrote:
>>
>>> On Tue, 05 Sep 2023 13:54:49 -0500, casey@invalid.com wrote:
>>>
>>>> On Mon, 04 Sep 2023 16:23:09 -0600, KenW
>>>> <ken1943@invalid.net> wrote:
>>>>
>>>>> Trying to decide what to use for disk imaging after Reflect Free.
>>>>> Testing Hasleo Backup at this point.
>>>>> I have used Acronis and Paragon in the past.
>>>>> I guess Free, as programs for four machines gets expensive.
>>>>>
>>>>> Any opinions ?
>>>>>
>>>>> Thanks
>>>>>
>>>>>
>>>>> KenW
>>>>
>>>> I've been using the simple freebie Standard Edition of AOMEI for
>>>> years.
>>>>
>>>> https://www.aomeitech.com/aomei-backupper.html
>>>>
>>>> If you want all the bells and whistles of fancier ones, this ain't it.
>>>
>>> I used AOMEI until a system image restore left me with a secure boot
>>> error and an unbootable machine (on Win11). Both of two AOEMEI images
>>> failed. Luckily I also had a Windows system image. Which worked. It was
>>> the oldest of the three system images.
>>>
>>> I have since dropped it for Macrium Reflect Free. I haven't tried
>>> restoring a Macrium image yet. Don't know what happened but YMMV.
>>
>> Reflect worked twice for me. One Windows mess up & one Ransomware
>>
>> KenW
>
>When it works, the Boot Repair on the Macrium Rescue CD can work really well.
>(For those at home, you make the Macrium Rescue CD, right after you install
>the Free version on your C: partition.)
>
>Yesterday, I took a disk with a botched install on it, and I pieced some
>bits and pieces together, suited for repair (copied a /boot from a botched ESP
>to another OS partition). The Windows DVD troubleshooting and repair, it
>spun the "Attempting repair" juggling balls for over an hour. Popping out the
>Windows DVD from the optical drive, it finally snapped to attention with the bad
>news that "a file is missing". It does not say what file is missing, because...
>that would be telling.
>
>I used my Macrium USB stick, used the boot repair from there, and it used virtually
>all of the commands at its disposal. And it was able to build me a nicely repaired
>boot menu, all functional. So no complaints yesterday :-) Sometimes, when you ask
>Macrium to do "more trivial" fixes, you're greeted by a failure.
>
>*******
>
>You had a Ransomware ?
>
>We like to hear stories about such, because it's important to keeping
>track of attack surfaces.
>
>The only USENETter to get hit by Ransomware, it was a phishing email with
>an EXE as an attachment. It leveled his entire computer room (so must have
>had worm code for the LAN). He thought the email was a GoDaddy domain renewal,
>or that's what the Black Hats used for phishing. He double clicked the attachment
>and boom, fun begins.
>
>That wasn't a delayed attack, which is a more popular method today. An attack today,
>can be "planted like a mine", and a month later, it levels stuff and puts up the
>red dialog asking for Bitcoins. It may be looking, specifically, for backup resources
>and checking to see what defenses the user has. That's why it lays in wait,
>so it can be "more effective" at ruining your day.
>
> Paul

It was an email about something I was waiting for. Looked like I was
waiting for. When something does wrong for me, I don't wait to see
what, I attack. So usually don't keep records or much information.
From my telephone days, just get the trouble fixed for the customer
FAST.

KenW

Big Al wrote:
> Acronis has made a few bucks outta me over the years.  2014 to 2020.  I
> try to pick up a new copy when they hit a special like $9.99 or maybe
> $19.99.   2020 still works on my Windows 10, and my wife is using my old
> 2019 on Windows 11.

2022 and later is all subscription ware.

ATI 2021 is(was) the last perpetual, available non-subsription version.
- 2021 was sold as a perpetual and also as a subscription version. The
latter had three subscription versions - Essential, Advanced and Premium
- 2021 perpetual was discontinued in the Acronis online store in Mar
2021. Resellers continued until the inventory dried up. While rare, and
not recently I've seen a 2021 perpetual show up(not at Ebay or other
reseller inflated pricing) as NOS.

Afaics, after testing repeatedly - even ATI2017(a bit outdated in the
version and bug fix patches) still works on imaging Windows 11. 2015 was
the first version with Win10 support.

--
....w¡ñ§±¤ñ

Ken Blake wrote:
> On Tue, 5 Sep 2023 15:13:12 -0400, "...winston" <winstonmvp@gmail.com>
> wrote:
>> 20TB for ~$200+
>> - quite reasonable
>>
>> Have not seen any 20TB in the close to $200 range as new, not
>> re-burbushed/re-certified.
>
> Depends on what's meant to "close to." I just went to Amazon and see a
> couple for around $240
>

My original reply to Char Jackson was a reply and reference to Seagate

If you've a link for Seagate 20TB around $240 new(not
refurbed/recertified) post it.

--
....w¡ñ§±¤ñ

On Wed, 6 Sep 2023 11:04:17 -0400, "...winston" <winstonmvp@gmail.com>
wrote:

>Ken Blake wrote:
>> On Tue, 5 Sep 2023 15:13:12 -0400, "...winston" <winstonmvp@gmail.com>
>> wrote:
>>> 20TB for ~$200+
>>> - quite reasonable
>>>
>>> Have not seen any 20TB in the close to $200 range as new, not
>>> re-burbushed/re-certified.
>>
>> Depends on what's meant to "close to." I just went to Amazon and see a
>> couple for around $240
>>
>
>My original reply to Char Jackson was a reply and reference to Seagate
>
>If you've a link for Seagate 20TB around $240 new(not
>refurbed/recertified) post it.

No, what I saw wasn't Seagate.

However I just saw a 20TB Seagate on Newegg for $280 and an 18TB
(almost 20TB) Seagate for only $180.

On 9/6/2023 12:17 PM, Ken Blake wrote:
> On Wed, 6 Sep 2023 11:04:17 -0400, "...winston" <winstonmvp@gmail.com>
> wrote:
>
>> Ken Blake wrote:
>>> On Tue, 5 Sep 2023 15:13:12 -0400, "...winston" <winstonmvp@gmail.com>
>>> wrote:
>>>> 20TB for ~$200+
>>>> - quite reasonable
>>>>
>>>> Have not seen any 20TB in the close to $200 range as new, not
>>>> re-burbushed/re-certified.
>>>
>>> Depends on what's meant to "close to." I just went to Amazon and see a
>>> couple for around $240
>>>
>>
>> My original reply to Char Jackson was a reply and reference to Seagate
>>
>> If you've a link for Seagate 20TB around $240 new(not
>> refurbed/recertified) post it.
>
>
> No, what I saw wasn't Seagate.
>
> However I just saw a 20TB Seagate on Newegg for $280 and an 18TB
> (almost 20TB) Seagate for only $180.
>

But if you check the reviews, you'll likely find the customers
discovered they're refurbs. The Power-On-Hours would not be zero
when you checked in HDTune SMART screen.

If they were new and EXOS Enterprise drives, they should
have an Enterprise price.

I could understand if they were DiamondMax tradename,
the price could be that low :-)

There aren't a lot of ways to cut corners on those
big drives, when they manufacture them. The density is
so high, you have to use good motors for NRRO. They might
even need to use two-of-three levels of positioner (voice coil
is one level, piezo positioner near the head, for fine tuning
per revolution). There is a third level of positioner, to make
them more vibration resistant (the motor vibrations of seven
other big drives). At 20TB capacity, they likely need to reach
a bit deeper into their bag of tricks. The thermal positioner
on writes (Z-axis) does not count as a positioner (all drives need
that now, just to work). The ones in question are in the X-Y plane
(all three levels work in the X-Y plane as far as I know).

If you buy a WD Blue at Best Buy, chances are that just has a
voice coil, and the chassis is light-as-a feature. The lower
density of such drives, provides slack for engineering economy.

Paul

On 9/6/2023 9:45 AM, KenW wrote:

>
> It was an email about something I was waiting for. Looked like I was
> waiting for. When something does wrong for me, I don't wait to see
> what, I attack. So usually don't keep records or much information.
> From my telephone days, just get the trouble fixed for the customer
> FAST.
>
>
> KenW
>

I suspect this is the most common method, a phishing email and attachment.

I don't know if any ransomwares have been delivered via browser exploit.

For all of their bloat, the browsers are getting better weapons inside.
Like a stack smashing detector, in code. That is a method an AV tool might use.

To give some idea how crazy the browser people are getting, this happens:

1) Browser has multiple entries in Task Manager. One of those, is for movie playback.
2) Movie playback task crashes.
3) Browser starts reporting utility (an internal utility the browser carries with it).
4) Reporting utility gives the machine a few pokes, asking "what kinda CPU ya got?".
"What other processes were running?". But the browser also has some AV code, which
interprets the poking "as an attack" :-) And it dumps some scary messages in
a terminal window (if you launched the browser via shell command).

At first I thought the scary messages, were a real attack. I even had a
web site scanned with virustotal.com , to see if there was anything on there.
Which was negative. It was only later I thought about an "own goal" situation,
where the stupid thing fingers itself :-)

Paul

On 9/6/2023 10:40 AM, ...winston wrote:
> Big Al wrote:
>> Acronis has made a few bucks outta me over the years.  2014 to 2020.  I try to pick up a new copy when they hit a special like $9.99 or maybe $19.99.   2020 still works on my Windows 10, and my wife is using my old 2019 on Windows 11.
>
> 2022 and later is all subscription ware.
>
> ATI 2021 is(was) the last perpetual, available non-subsription version.
>  - 2021 was sold as a perpetual and also as a subscription version. The latter had three subscription versions - Essential, Advanced and Premium
>  - 2021 perpetual was discontinued in the Acronis online store in Mar 2021. Resellers continued until the inventory dried up. While rare, and not recently I've seen a 2021 perpetual show up(not at Ebay or other reseller inflated pricing) as NOS.
>
>
> Afaics, after testing repeatedly - even ATI2017(a bit outdated in the version and bug fix patches) still works on imaging Windows 11. 2015 was the first version with Win10 support.
>

The Macrium incident (6.3.1865 minimum version) was caused by checking
"data on disk, for metadata accuracy".

Other backup companies, only checked metadata info kept in system
memory, by some windows subsystem. And they did not detect a problem
as a result.

Paul

Paul <nospam@needed.invalid> wrote:
> On 9/5/2023 5:28 PM, KenW wrote:
[...]

> > Reflect worked twice for me. One Windows mess up & one Ransomware

[...]

> You had a Ransomware ?
>
> We like to hear stories about such, because it's important to keeping
> track of attack surfaces.

In June 2019, we had fake ransomware on my wife's computer.

'fake' because it wasn't really ransomware, but just looked like it.

It pretended to be a Microsoft webpage and threathened with damage if
you didn't a do '[Scan Now >>]' within X minutes and Y seconds.

It looked genuine ransomware, because the browser was locked.

Later it turned out that the browser was just hijacked, but could
still be closed from Task Manager.

Apparently it was triggered by some malicious link on some webpage.

If you want know more, the main message on the page was "Your system
is infected with 3 viruses", where the '3' is variable. And the real
culprit site was rackcdn.com. If you really want to know more, I can try
to dig up some URLs or/and do some searches. I still have a screenshot,
but sofar I haven't needed to use image-hosting sites.

> The only USENETter to get hit by Ransomware, it was a phishing email
> with an EXE as an attachment. It leveled his entire computer room (so
> must have had worm code for the LAN). He thought the email was a
> GoDaddy domain renewal, or that's what the Black Hats used for
> phishing. He double clicked the attachment and boom, fun begins.
>
> That wasn't a delayed attack, which is a more popular method today. An
> attack today, can be "planted like a mine", and a month later, it
> levels stuff and puts up the red dialog asking for Bitcoins. It may be
> looking, specifically, for backup resources and checking to see what
> defenses the user has. That's why it lays in wait, so it can be "more
> effective" at ruining your day.

Paul <nospam@needed.invalid> wrote:
> On 9/6/2023 9:45 AM, KenW wrote:
>
> >
> > It was an email about something I was waiting for. Looked like I was
> > waiting for. When something does wrong for me, I don't wait to see
> > what, I attack. So usually don't keep records or much information.
> > From my telephone days, just get the trouble fixed for the customer
> > FAST.
> >
> > KenW
>
> I suspect this is the most common method, a phishing email and attachment.
>
> I don't know if any ransomwares have been delivered via browser exploit.

See my other response of a little while ago. That was fake ransomware,
but could have been real ransomware or cause the user to trigger real
ransomware.

[...]

Paul wrote:
> On 9/6/2023 12:17 PM, Ken Blake wrote:
>> On Wed, 6 Sep 2023 11:04:17 -0400, "...winston" <winstonmvp@gmail.com>
>> wrote:
>>
>>> Ken Blake wrote:
>>>> On Tue, 5 Sep 2023 15:13:12 -0400, "...winston" <winstonmvp@gmail.com>
>>>> wrote:
>>>>> 20TB for ~$200+
>>>>> - quite reasonable
>>>>>
>>>>> Have not seen any 20TB in the close to $200 range as new, not
>>>>> re-burbushed/re-certified.
>>>>
>>>> Depends on what's meant to "close to." I just went to Amazon and see a
>>>> couple for around $240
>>>>
>>>
>>> My original reply to Char Jackson was a reply and reference to Seagate
>>>
>>> If you've a link for Seagate 20TB around $240 new(not
>>> refurbed/recertified) post it.
>>
>>
>> No, what I saw wasn't Seagate.
>>
>> However I just saw a 20TB Seagate on Newegg for $280 and an 18TB
>> (almost 20TB) Seagate for only $180.
>>
>
> But if you check the reviews, you'll likely find the customers
> discovered they're refurbs. The Power-On-Hours would not be zero
> when you checked in HDTune SMART screen.
>
> If they were new and EXOS Enterprise drives, they should
> have an Enterprise price.

Makes sense that Enterprise pricing would be the expectation and norm.

The confusion starts with that disk's(20TB Exos, web page) showing two
options (Buy New and Buy Used). For that specific offer, the 'Buy New'
is pre-selected thus implying the disk is *new*.

The reviews(only 2 iirc) while recent, don't exactly indicate the
reviewer's disk was the 20TB drive of the same model or when the
reviewer purchased the disk.

>
> I could understand if they were DiamondMax tradename,
> the price could be that low :-)

>
> Paul
>

--
....w¡ñ§±¤ñ

On Tue, 5 Sep 2023 16:34:09 -0500, VanguardLH <V@nguard.LH> wrote:

>Zaghadka <zaghadka@hotmail.com> wrote:
>
>> On Tue, 5 Sep 2023 15:10:22 -0500, VanguardLH <V@nguard.LH> wrote:
>>
>>>Zaghadka <zaghadka@hotmail.com> wrote:
>>>
>>>> On Tue, 5 Sep 2023 06:19:06 -0400, Paul <nospam@needed.invalid> wrote:
>>>>
>>>>>My copies of the Free version are not going anywhere.
>>>>>They are not time bombed, as far as I know.
>>>>
>>>> Microsoft is making changes to secure boot to combat BlackLotus.
>>>> Pre-patch bootloaders won't work after it is activated.
>>>>
>>>> https://petri.com/microsoft-fix-secure-boot-flaw-windows/
>>>>
>>>> So it hasn't been enabled yet, but when it is you will have to remake all
>>>> of your boot media. No idea if Macrium Reflect is getting this, but I
>>>> think it downloads the boot image from Microsoft, so fingers crossed.
>>>>
>>>> Full implementation is Q1 2024, after support for Reflect Free is
>>>> discontinued. Some day in 2024 we might have some interesting support
>>>> cases. Restoring backups made prior to May 9, 2023 will fail with an
>>>> unbootable machine.
>>>>
>>>> You can manually activate it now with the steps in the linked article and
>>>> see if it changes anything:
>>>>
>>>> https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#enable5025885
>>>>
>>>> Good luck.
>>>
>>>That only affects computers where secure boot is enabled in the BIOS. I
>>>wasn't going to multi-boot on my home PC, so I enabled secure boot in
>>>BIOS, but ran afoul of secure boot (forget the details), and disabled it
>>>which somehow fucked the security key which then made the mobo unusable.
>>>Asrock sent me a new mobo since it was their firmware that screwed up
>>>the removal/disable of Secure Boot.
>>>
>> The Microsoft articles say you will need new boot media. It specifically
>> mentions making a new recovery drive. So, I'm assuming it's in software,
>> not hardware.
>>
>> Why do you think it only affects a hardware secure boot scenario?
>
>Are there more details on just how the BlackLotus vulnerability is
>implemented, and how Microsoft is going to mitigate it?
>
>Does corrupting the bootloader policy in UEFI involve WPBT at all, or is
>it just having the UEFI select a different bootloader than for the OS in
>the partition? The flaw seems to allow a different bootloader to be
>specified because the signing code was not properly validated.
>Self-signed code and code with expired certs were allowed to load as the
>bootloader pointed to by UEFI.
>
>If users do NOT use Secure Boot, how can this affect them? In the hosts
>that I've setup, Secure Boot was NOT enabled by default. Without Secure
>Boot, a malicious bootloader could be specified. However, exploitation
>requires physical access to the computer, or local admin privileges.
>Once malware has ran, you can't be sure any security software prevented
>its effects. Prevention is the cure, not retro action.
>
>https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#update5025885
>
>That's to ensure the bootable media cannot be subverted by the Secure
>Boot vulnerability. That there is a vulnerability does not guarantee it
>will be exercised.
>
>Seems all these updates are to revoke self-signed or expired signed code
>similar to how some updates get pushed to revoke falsely registered
>certificates (you can see in certmg.msc).
>
>Since Macrium Reflect uses Microsoft's PE image to create bootable
>media, it will be up to Microsoft to update their PE image. So, you may
>have to redo the boot media for Reflect, but I'm not sure the old boot
>media will not work, especially if you are NOT using Secure Boot.
>Updating the PE image in the Macrium boot media is very easy via menu
>choices, but it may catch some users by surprise. Any backup software
>that employs bootable media, or even the .dat boot image that the
>Windows loader will present as a boot choice, should issue an update
>that then alerts the user there is an update, and to apply it.
>
>When I try to run the update in Macrium Reflect v8, it reports a timeout
>on the Internet connection. There are no rules on Reflect in the
>Windows firewall. After several retries, the updater found a new
>version issued Sept 4, 2023. Did not see anything about to recreate the
>boot image, but then the patches have not yet been issued. Trying to
>pre-install changes by Microsoft is a betting game: sometimes Microsoft
>says it will do somthing, but change their mind, so all the dev work to
>incorporate the changes was wasted. Also, since Macrium uses the
>Windows PE (pre-installation environment) image for booting, perhaps
>Macrium can't do anything, not even inform, until Microsoft updates the
>PE image.
>
>Do you have Secure Boot enabled in your UEFI on your computer? I don't
>on mine. You may not have a choice on a work-owned computer, and your
>company's IT folks will be responsible for the transition. However,
>I've been many workplaces where Secure Boot was never enabled in the
>firmware. I think it is the folks buying pre-built computers with
>Windows 10/11 pre-installed who get stuck with Secure Boot enabled by
>default. Well, that's probably a hefty share of Win10/11 users. I hear
>for some computers, like HP, there is no option to disable Secure Boot.
>You don't get a choice. They decided it's for your own good. Well,
>those distributors are assholes, because they've locked you into one OS
>instead of letting you multi-boot.

So not a fan of HP. Yeah, I can see that as a healthy thing.

>To check if Secure Boot is enabled
>in the firmware, open the Start Menu and enter "system information".
>For me under the Summary node, "Secure Boot State" is off.
>
>What is unclear is if the Secure Boot vulnerabilty involves WPBT. The
>articles mention a policy, but don't mention where it is defined or what
>enforces it and when. Perhaps they expect their readers to be deeply
>and well versed on the operation of Secure Boot. To me, it's crap I
>don't want. Microsoft mitigating the vulnerability sounds like a patch
>job instead of relegating the responsibility to UEFI, but getting the
>UEFI spec change would take many years.

No idea about any of those particulars. I do have secure boot enabled.
It's default on fresh Win11 installations if you have an active TPM and
my two machines are fairly new. The trick is to not have an active TPM
and install Windows 10 then upgrade to 11. But since Windows 11 dropped,
BIOSes have been updated to have TPM be opt-out rather than opt-in. All
my TPMs are on die with the CPU.

I personally had to opt-in my TPM to update to Windows 11 on my
home-built machine. After I did and upgraded, secure boot was not
enabled. However, I just turned it all on to run in enhanced security
mode. I figured if they wanted a TPM for 11, I had better learn how to
support it.

The other machine is an HP laptop and I am screwed.

I have a few machines for my family that do not use secure boot and are,
AFAIK, unaffected. This is all about secure boot machines, and the secure
boot vuln.

So, to be very specific, if a user has secure boot enabled, Microsoft is
saying that the bootloaders are going to change and you need to create
new recovery media. New install media too, probably, if you want to
refresh the system off of media.

If you do not have secure boot, then it's not going to affect you. At
least until MS makes secure boot mandatory. Then it's going to be fun.

Thank you for answering that Macrium uses WinPE. I thought it did, but
wasn't sure. If that's the case, then I'm guessing this will come to the
PE image, and all that will be required is to create a new thumb drive.

I regret putting secure boot on my home-build machine. I already had a
problem where restoring a backup locked me out of the system with a
secure boot warning. That was not fun. Try Googling it, there isn't a
process to get around it other than reinstalling the OS. You want access
to your data? Sorry. It's as bad as ransomware, especially if you're
encrypting your harddrive.

Luckily, I had an old Windows System Image image lying around, and that
restored the system. Either that or I had finally managed to turn secure
boot off. I'm not sure which.

On 6 Sep 2023 18:48:10 GMT, Frank Slootweg <this@ddress.is.invalid>
wrote:

>Paul <nospam@needed.invalid> wrote:
>> On 9/5/2023 5:28 PM, KenW wrote:
>[...]
>
>> > Reflect worked twice for me. One Windows mess up & one Ransomware
>
>[...]
>
>> You had a Ransomware ?
>>
>> We like to hear stories about such, because it's important to keeping
>> track of attack surfaces.
>
> In June 2019, we had fake ransomware on my wife's computer.
>
> 'fake' because it wasn't really ransomware, but just looked like it.
>
> It pretended to be a Microsoft webpage and threathened with damage if
>you didn't a do '[Scan Now >>]' within X minutes and Y seconds.
>
> It looked genuine ransomware, because the browser was locked.
>
> Later it turned out that the browser was just hijacked, but could
>still be closed from Task Manager.
>
> Apparently it was triggered by some malicious link on some webpage.
>
> If you want know more, the main message on the page was "Your system
>is infected with 3 viruses", where the '3' is variable. And the real
>culprit site was rackcdn.com. If you really want to know more, I can try
>to dig up some URLs or/and do some searches. I still have a screenshot,
>but sofar I haven't needed to use image-hosting sites.
>
Truly, the only time my machine has come close to infected was a driveby
attack delivered by an ad in a browser. Sometimes the AV kicked in and
rejected a file, even.

The best antivirus you can get is an adblocker.

First thing I do when I see something like that in a browser is
CTRL-SHIFT-ESC and nuke it from the "details" tab. I don't click another
damned thing in the browser.

--
Zag

No one ever said on their deathbed, 'Gee, I wish I had
spent more time alone with my computer.' ~Dan(i) Bunten

On Mon, 04 Sep 2023 18:35:55 -0600, KenW wrote:

> Because Macrium killed it.

You can still use the last (not latest) version of 8.x. If I'm not
mistaken that is v8.0.7279. That's the one I'm using.

--
s|b

Zaghadka <zaghadka@hotmail.com> wrote:
[...]

[About Microsoft making changes to secure boot to combat BlackLotus:]

> Thank you for answering that Macrium uses WinPE. I thought it did, but
> wasn't sure. If that's the case, then I'm guessing this will come to the
> PE image, and all that will be required is to create a new thumb drive.

Do you use a supported (still in support) version of Macrium Reflect
or the no longer in support Free version?

If the latter, how will the WinPE component included in Macrium
Reflect Free be updated? Microsoft can't do it, because they don't know
(where) it exists and Macrium no longer provides updates.

FYI, yes, I have an HP laptop and yes, 'Secure Boot State: On' (Don't
know if it can be turned off.).

[...]