GIGABYTE Leaves Backdoor Unlocked

Hi, this is Wayne again with a topic “GIGABYTE Leaves Backdoor Unlocked”.
Secret GIGABYTE backdoor: security researchers at Eclypsium release findings showing millions of GIGABYTE motherboards were sold with a UEFI bootkit containing an insecure backdoor. Eclypsium says the hidden code is meant to be an innocuous tool to keep the motherboard's firmware updated, but it's been implemented insecurely, potentially allowing the mechanism to be hijacked on Windows machines. The program writes a Windows .exe embedded in the firmware to disk in the system32 folder and runs it; the .exe sets itself up as a Windows service and attempts to fetch an executable from one of several URLs. That is... that is brutal. One URL uses HTTP, which is easy for an attacker to intercept, and the other links, which do use HTTPS, are similarly vulnerable due to poorly implemented remote server certificate validation routines.

Okay. So, let's do a real quick summary here. In the firmware on this motherboard, they have a tool that allows them to update and keep updated the UEFI BIOS, which sounds cool, which is really cool.

Yes, but the firmware actually can just write an .exe to the system32 folder. I want to know how Microsoft allows random .exes to be written to the system32 folder. To be clear, I'm not saying GIGABYTE is innocent here. Yeah. I'm just... that's amazing. I'm saying that this is clearly a breakdown that has multiple contributing actors here. Yeah, oh wow. Okay, so one note, which is probably understood by most: because this program is within the firmware, it is difficult for consumers to remove. Okay, but the next note: at least 271 different models of motherboard are affected, including the most recent Z790 and X670 SKUs. Holy crap. There's no current evidence of the vulnerability being exploited. This is a pretty niche thing. I wouldn't be surprised if most places were unaware that it existed. A day after the story broke, GIGABYTE has apparently rolled out updated firmware to mitigate the issue, including updates for older motherboards that are affected.

The problem is that there's going to be literally tons of people that don't update, because people very, very rarely do. Millions, if not hundreds of thousands, of boards out there will never get these updates and never even know. This is a problem. I mean... well, wait. Could they use their updater tool to, like, force an update? Oh, that's a good question. They might actually be able to kind of solve the problem. That's a really good question. Guys, that's not in our doc.

Let us know, Floatplane chat. In the meantime, though, our discussion question here is: how would you rate GIGABYTE's handling of the issue? I mean, the issue has existed for years, but they probably didn't know. They mitigated it really quickly. What I'm assuming happened is Eclypsium found it, told GIGABYTE, allowed GIGABYTE to fix it, but then still wanted to break the news. That makes sense, so they launched the fix and the news at the same time. But they did fix it, yeah, which is good, yeah. But they put in a backdoor, which is bad, yeah, but the backdoor was not for, you know, sending your data to the CCP. It was for helping keep your firmware up to date, yeah, which is noble enough. Good, yeah, but they didn't tell us, which is bad, yeah. The good part is that they fixed it. Stuff like this is gonna happen. I don't want to be that guy that's just, like, excusing it, but I think we also have to be somewhat realistic.

I feel like a lot of the time, coverage of problems with products forgets the human element. Do you kind of get what I mean by that? Yeah, yeah. Like, this seems... I mean, it seems like a mistake.

It's not good. I wouldn't be happy about it if I was a consumer of a GIGABYTE motherboard that this affected, but it's also fixed immediately. So it's not like GIGABYTE was like, yeah, that's 271 models of motherboard, we don't feel like supporting some of these old motherboards. As far as I can tell, at least from the notes in here, they updated everything, and as long as you do your own due diligence, or maybe this thing can auto-update itself. Yeah, but I mean, huh. That's a really good point, because that's one of those things that worked out this time, but wouldn't necessarily have. I mean, look at Spectre and Meltdown. Yeah, Intel is basically just like, yeah, it's been a long time, that stuff's legacy.

Forget it. And that's not cool. I get it, but that's not cool. And if we hadn't found this for another five years, would they have gotten updated? Probably not, probably not, probably not. And so, yeah, you know, good guy GIGABYTE, you know, dealing with it, but also it's far better to just not do that in the first place. For sure. I just, like... I don't know. If a company exists for a long enough period of time, something like this is going to happen. Yeah. We've... on... Infamous Alex says we forget the human element because we're treated so poorly. Anti-consumer market, it's become. Yoda is spreading into the financial here. And you know what, yeah, I get it, and I think that's... you know, I think that's pretty...

I think that's pretty fair in a lot of cases, but I also think that, you know, maybe part of it is just that I get to be face to face with the people who build these products sometimes, and knowing that they're trying really hard makes me more appreciative of the things that do go well sometimes. And it's not in, like, an "oh, I'm compromised" kind of way; it's not about money changing hands. Like, I remember getting a pretty different perspective on Intel when I went to the Optane launch event. It was super data-center focused, but some of the gaming folks who were involved, like directly involved, in bringing Skulltrail to market...

That was their super cool, like, dual-socket enthusiast thing that was really expensive and, like, kind of dumb. It was awesome, though, but very cool. We're there and just talking about how hard they push internally for these cool skunkworks projects and stuff like that, and they didn't pay me any money or anything like that. It's just, you know, when you meet people and you get a better understanding of what they're about, and you learn that even these soulless companies and the shareholders... I have not changed how I feel about shareholders. Yeah, yeah, yeah, yeah, at all. Yeah, shareholders are a necessary evil, I think, is the nicest thing I can say about shareholders, for public companies in particular, where the only outcome they want, typically speaking, is more money. So I haven't changed how I feel about them, but the actual workers, the actual people, the engineers, the designers, the janitors, it doesn't matter, the people who are working on bringing us these products, a lot of the time they're really passionate. They actually love

what they do. Another really surprising moment for me was when I went to Micron, and that was a sponsored video, so, you know, take this for whatever. You can talk about what a shill I am or whatever, but that's... it has nothing to do with it. I was just blown away by how excited these people were to make better memory and to get a chance to talk about it. Yeah, that's the other thing, guys, that's the big one.

These are not professional actors who are pretending to be so happy-dappy working at Micron so that I'll make a nice video about them. It's not like that. These were, like, the people who actually work on this stuff, and you can tell when someone's passionate, because you ask a question and they talk for 10 minutes. They won't stop talking about it, yeah.

Finally, someone has asked me this. Yeah. Do you know how long I toiled on this particular problem? And, you know, other than my direct manager, everyone else in my life, I'm bound by NDA, right? Like, I'm just so thrilled to be talking to somebody about this. You know, and it's so cool, right? And like, it was the same at the Intel design lab that I visited in Tel Aviv, right? Like, these people were just, you know...

In some cases, the products were honestly not ones that I personally enjoyed. Sure, yeah. But they were really proud of how they, you know, set a target, and, you know, in collaboration with management, who's beholden to the shareholders, but this team, you know, damn it, they couldn't control that, but they set a target and dang it, they hit it, you know, time and time again. And this isn't a fab team, so Intel's had a lot of challenges shrinking their process nodes, but this was, like, a chip design team, and they were just proud. They were just proud of the work they were doing. I'm like, that's cool, you know, that's really cool, and I wanna support that. And I've got to understand that there's a lot of people watching when we make a video, and some of them are the consumers, and we need to talk to them about whether you should or shouldn't actually buy this thing, and some of them are the shareholders, and some of them are the people who actually designed these products, and, you know, I just want to show respect. And I think we've taken some criticism recently for how we show both sides of a product, but I think that's really important. We should appreciate what's good. I mean, do we want to get so jaded and cynical that we just can't appreciate the good of the tech, that we can't just take joy in how cool this stuff is anymore? There's also, and I've talked to you about this, but this is actually something that has consumed a surprisingly large amount of my thoughts lately, which is... I've noticed this. It feels like it's surprisingly recent, but maybe I just haven't been super tuned in, but I've noticed a trend where a lot of the audience is very intent on all of the reviewers, whether written or video or whatever, all saying the same thing. They want everyone to say the exact same thing. I think that's super bad and very dangerous. Interesting.

My reasoning for this... groupthink going on right now. I think there is definitely too much groupthink going on right now. My reason for that is, I think it's beneficial not only to the audience but to all the reviewers as well, regardless of what medium they have, to have reviewers taking different approaches, trying different things, coming to slightly different conclusions, and then you, as the audience, check out a bunch of different pieces of content and make up your own mind based on these different approaches. That is how I think it should work.

That is how I think it has worked for a really long time. So when you absorb some piece of content, reading it or watching or listening to it or whatever, and then go to a different one and see a slightly different take, and all of a sudden one of them has to be right, yeah, and one of them has to be wrong, yeah, I don't think that's good, right? I think that's bad. So, just want to throw that out there.

I think that's, like, actually extremely bad, and I think this is one of those situations, and I hazard to say this type of stuff, but, like, you don't want that. Yeah. Like, I think you're chasing the wrong thing. I think that if you get to the result of what this thing is, it's going to be just bad for everybody, because we're going to get crazy consolidation, there will be less reviewers, and then that will result in less things being found, and it's just... I mean, I think it's pretty clear. I think I've always been consistent.

More competition is more better. Yes. And we can't say that about hardware manufacturers and then go, oh, but, but, but we need to be the only reviewer that you listen to. Yeah, no one voice should ever, ever be the only one in your ear. That's always bad, every single time. It will never work out well, and that's one of the reasons that we have tried to be so collaborative with the rest of the tech community.

I mean, I think recently we've talked about how, obviously, you know, we're trying to build our organization to build the best possible content we can, yeah. You have to. And, you know, if people are finding it hard to deliver the same quality of content, then, like, sorry, you know, you should find a different angle, right? You know, and, you know, let's go. But we've also tried to work hard to, you know, build a spirit of collaboration in the tech community as well. I mean, you name a tech creator and we've probably collaborated with them at some point, or if we haven't, we've probably invited them to LTX this year.

There's actually a lot of creators that I have never even met that are coming to LTX this year, and I'm super excited. We want to bring people together. I want to see collabs. I think it's going to be really exciting.

It's going to be really fun, and that's because we're putting our money where our mouth is. We're literally spending six figures on creator travel and hotels for LTX. We're spending a freaking lot of money to put our money where our mouth is and show that we actually do care about this. You guys should have as many voices as possible when you're trying to evaluate what to spend your hard-earned money on, because nobody is going to see things exactly the way you do, and if they do, you've got to kind of look in the mirror and go: are these actually my thoughts? Are these just someone else's thoughts and I'm just parroting them? Am I actually doing any critical thinking here? That's something. Never stop critically thinking for yourself.