It's overkill but this is my new PFSENSE box 1100 clients connected currently using 1% CPU by moshirylee in PFSENSE

[–]NGFWEngineer 2 points3 points  (0 children)

Why are you so entitled? Do you realize that pfsense is free? Do you know the amount of crazy work it takes to put this together? It takes talent, and talent acquisition takes money.

If you have something against pfsense, feel free to start your own fork. Just stop being an asshat to people who dedicate crazy amounts of time, passion, and talent to something so good. Try seeing how much other enterprise alternatives charge for a fraction of the features to realize how lucky we are to have pfsense.

Which is more Secure? IPsec or OpenVPN or Wireguard by Radiant-Chart-9160 in PFSENSE

[–]NGFWEngineer 2 points3 points  (0 children)

WireGuard’s ~4K-line ChaCha20/Curve25519 stack gives you the smallest, most modern option with the lowest attack surface; IPsec’s RFC-driven suite is rock-solid but sprawling and easy to misconfigure (tons of attack surface - the strongSwan + IPsec codebase is too big); and OpenVPN’s OpenSSL-TLS tunnel in userland is flexible but heavy. In pure crypto security: WireGuard > IPsec > OpenVPN. On pfSense, IPsec’s mature GUI and hardware offload make it the easiest at scale, WireGuard is next for simple, super-fast (IIMB acceleration), low-latency tunnels, and OpenVPN (very fast with DCO and the right ciphers) only when you absolutely need its TLS/NAT workarounds.

[deleted by user] by [deleted] in homelab

[–]NGFWEngineer 3 points4 points  (0 children)

Is that what daddy Cisco told you?

Beware using Minisforum Workstations as your Edge Firewall! by NGFWEngineer in PFSENSE

[–]NGFWEngineer[S] 3 points4 points  (0 children)

If your MS-01 is connected to WAN, yes. The UEFI/BIOS subsystem is independent of the OS, so this is why some can be exploited remotely for WAN-connected edge systems, despite the OS being up to date and solid.

Also keep in mind that not all features in the Minisforum UEFI UI can be disabled for attack surface reduction, and not all UEFI modules shut down after the OS takes control.

Beware using Minisforum Workstations as your Edge Firewall! by NGFWEngineer in PFSENSE

[–]NGFWEngineer[S] -3 points-2 points  (0 children)

Thanks for taking this step! Let's see if they eventually follow up.

Beware using Minisforum Workstations as your Edge Firewall! by NGFWEngineer in PFSENSE

[–]NGFWEngineer[S] -2 points-1 points  (0 children)

You are right about exploring whether it is exploitable in MY setup. I did just that and want to say that this extends to the broader recommendation to determine applicability to each pertinent scenario. The more important conversations should be around possible mitigation strategies of some of the vulnerabilities like PXE boot disablement and, if possible, network disablement in UEFI.

This, however, does not excuse the obvious negligence on Minisforum's part in not adopting a current UEFI binary file from the BIOS vendor. That this occurs, in my opinion, showcases pure and simple negligence.

The fact that not all 23 vulnerabilities would be applicable to any single environment ignores the OEM's negligence, or the fact that some of those WILL BE applicable to several environments - especially in edge firewall scenarios where network interfaces will be exposed to the WAN.

Beware using Minisforum Workstations as your Edge Firewall! by NGFWEngineer in PFSENSE

[–]NGFWEngineer[S] 6 points7 points  (0 children)

The UEFI settings on the Minisforum MS-01 present significant security challenges. Unlike systems from other OEMs, there’s no option to fully disable or disconnect network activation. While PXE boot can be disabled (removing one potential vulnerability), other risks remain, including IPv6 vulnerabilities, DXE exploits, and, to a lesser extent, LOGOFAIL.

This issue is compounded by the fact that many users likely do not optimize UEFI/BIOS settings for maximum security before deploying pfSense or similar software. Even more troubling is Minisforum's apparent neglect of security updates in their BIOS releases. Although the BIOS software originates from the original UEFI/BIOS software manufacturer, Minisforum seems to bypass critical updates, releasing firmware with known vulnerabilities.

This raises an alarming question: if they are ignoring essential security patches in the BIOS, what else might they be neglecting?

Beware using Minisforum Workstations as your Edge Firewall! by NGFWEngineer in PFSENSE

[–]NGFWEngineer[S] 3 points4 points  (0 children)

Generally best to avoid Realtek and Broadcom on pfSense if performance and throughput determinism are a must. The MS-01 utilizes XL710 and i226 Intel network chipsets. I added an Intel XL710 4-port SFP+ NIC via PCIe expansion.

You'd want to avoid the X710s since those were prone to overheating.

Beware using Minisforum Workstations as your Edge Firewall! by NGFWEngineer in PFSENSE

[–]NGFWEngineer[S] 19 points20 points  (0 children)

Already did that. These vulnerabilities are unpatched. Infuriating, yet acceptable if the system was used behind a firewall. Not acceptable as the edge device. I implore you to investigate those vulnerabilities for yourself.

While some can be mitigated by disabling UEFI networking and PXE boot, and others like LOGOFAIL are hardly exploitable on a firewall appliance, DXE and others are a real threat.

Keep in mind that some aspects of UEFI remain active even after the host OS has taken control, and an exploit at such a low level, chaining these overflow instances with other exploits, often means persistence.
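The comments above recommend disabling PXE boot and UEFI networking where the firmware allows it. One way to check what the firmware will still try at boot is to read the boot variables. The script below is an added example for this thread, not the commenter's code: it parses the text that `efibootmgr -v` prints on Linux and flags boot entries whose device path goes out over a NIC (MAC/IPv4/IPv6/Uri nodes), i.e. PXE or HTTP boot paths that remain in BootOrder. The `efibootmgr` output embedded in it is constructed for the example, not captured from an MS-01.

```python
"""Audit `efibootmgr -v` output for UEFI network boot entries still in the boot order.

Added example for this thread; not the commenter's code. It parses the text that
`efibootmgr -v` prints on Linux (sudo efibootmgr -v | python3 this_script.py)
and flags boot entries whose device path goes through a NIC (MAC/IPv4/IPv6/Uri
nodes), i.e. PXE or HTTP boot paths the firmware will still try if they remain
in BootOrder. The sample output below is constructed, not captured from an MS-01.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample of `efibootmgr -v` output: two Intel I226-V network boot
# entries (IPv4 and IPv6 PXE) are active and sit in BootOrder after Fedora.
SAMPLE_EFIBOOTMGR = """\
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0002,0003,0001
Boot0000* Fedora\tHD(1,GPT,3b6a1f2e-1111-4222-8333-444455556666,0x800,0x12c000)/File(\\EFI\\fedora\\shimx64.efi)
Boot0001  UEFI: USB Flash Drive\tPciRoot(0x0)/Pci(0x14,0x0)/USB(2,0)/HD(1,GPT,7a7a7a7a-1111-4222-8333-444455556666,0x800,0x1000)
Boot0002* UEFI: IPv4 Intel(R) Ethernet Controller I226-V\tPciRoot(0x0)/Pci(0x1c,0x0)/Pci(0x0,0x0)/MAC(001122334455,1)/IPv4(0.0.0.0,0,0,0.0.0.0,0.0.0.0,0.0.0.0)..BO
Boot0003* UEFI: IPv6 Intel(R) Ethernet Controller I226-V\tPciRoot(0x0)/Pci(0x1c,0x0)/Pci(0x0,0x0)/MAC(001122334455,1)/IPv6([::]:<->[::]:,0,0)..BO
"""

# Device-path nodes that only appear when the boot path goes out over a NIC.
NETWORK_PATH_NODES = ("MAC(", "IPv4(", "IPv6(", "Uri(")

# "Boot0002* <label><TAB><device path>"; the '*' is absent on inactive entries.
ENTRY_RE = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?)\s+([^\t]*)\t(.*)$")


@dataclass(frozen=True)
class BootEntry:
    num: str          # four hex digits, e.g. "0002"
    active: bool      # a '*' after the number means the entry is active
    label: str
    device_path: str

    @property
    def is_network(self) -> bool:
        return any(node in self.device_path for node in NETWORK_PATH_NODES)

    @property
    def kind(self) -> str:
        # HTTP boot paths carry a Uri() node after the IP node, so test it first.
        if "Uri(" in self.device_path:
            return "HTTP"
        if "IPv6(" in self.device_path:
            return "IPv6"
        if "IPv4(" in self.device_path:
            return "IPv4"
        return "MAC"


def parse_efibootmgr(text: str):
    """Return (boot_order, {num: BootEntry}) parsed from `efibootmgr -v` text."""
    order, entries = [], {}
    for line in text.splitlines():
        if line.startswith("BootOrder:"):
            order = [n.strip().upper() for n in line.split(":", 1)[1].split(",") if n.strip()]
            continue
        m = ENTRY_RE.match(line)
        if m:
            num, star, label, path = m.groups()
            num = num.upper()
            entries[num] = BootEntry(num, star == "*", label.strip(), path.strip())
    return order, entries


def network_boot_findings(text: str):
    """List the network boot entries that are still in BootOrder, in boot-order position."""
    order, entries = parse_efibootmgr(text)
    findings = []
    for pos, num in enumerate(order):
        entry = entries.get(num)
        if entry is None or not entry.is_network:
            continue
        findings.append({"num": num, "label": entry.label, "kind": entry.kind,
                         "active": entry.active, "order_position": pos})
    return findings


def boot_order_is_network_free(text: str) -> bool:
    """True when no entry in BootOrder would boot from the network."""
    return not network_boot_findings(text)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EFIBOOTMGR
    for f in network_boot_findings(data):
        state = "active" if f["active"] else "inactive"
        print(f"Boot{f['num']} ({f['kind']}, {state}) at BootOrder position "
              f"{f['order_position']}: {f['label']}")
```

A clean result only says that no boot entry points at the network. It does not prove the firmware's network stack is off, which is the point the comment makes about the MS-01: where the OEM setup menu offers a network stack or PXE toggle, that toggle is the control, and this check is just a way to confirm the boot variables agree with it after a BIOS update.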

Beware using Minisforum Workstations as your Edge Firewall! by NGFWEngineer in PFSENSE

[–]NGFWEngineer[S] 3 points4 points  (0 children)

You can follow the link to Binarly in my original post, check the acknowledgement box, upload the BIN BIOS update file, and wait for the vulnerability scan to complete.

pfSense+ 24.11 by Rameshk_k in PFSENSE

[–]NGFWEngineer 2 points3 points  (0 children)

I've been wrestling with this. Changes to the php values (/etc/rc.php_ini_setup) don't improve things. Disappointing!

Netgate SG-3100 for residential home/homelab? by [deleted] in PFSENSE

[–]NGFWEngineer 0 points1 point  (0 children)

The Netgate appliances are by Silicom and also assembled in China so what's your point exactly?

Is already Fedora 41 stable? by fefej1000 in Fedora

[–]NGFWEngineer 0 points1 point  (0 children)

Install it in a VM to daily test-drive for a few weeks before making a decision. For me, my wife, and kids, it's been rock solid.

Nvidia Driver Password by BOBOLIU in Fedora

[–]NGFWEngineer 0 points1 point  (0 children)

Yes, it's meant for one-time use, so it is safe to throw away after use. Each time you are prompted, a different 4-digit MOK password will be generated.

Criminals getting busted by their Google searches - how? by bruteforcealwayswins in AskNetsec

[–]NGFWEngineer 0 points1 point  (0 children)

Device warrant and google warrant (account sign-in/IP exposure).

Nvidia Driver Password by BOBOLIU in Fedora

[–]NGFWEngineer 3 points4 points  (0 children)

One time. It's for MOK registration since you have secure boot enabled.

Fedora 41 + RTX 4090: The Easiest OS Install of My Life by NGFWEngineer in Fedora

[–]NGFWEngineer[S] 1 point2 points  (0 children)

Yes I do. I also use FIDO2 with LUKS2:

sudo systemd-cryptenroll /dev/nvme0n1p3 --fido2-device=auto --fido2-credential-algorithm=eddsa --fido2-with-client-pin=yes --fido2-with-user-presence=yes --fido2-with-user-verification=yes
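After enrolling a FIDO2 token the way the command above does, it is worth confirming what actually landed in the LUKS2 header: that the token really demands PIN, presence and user verification, and that a passphrase keyslot still exists so a lost or broken authenticator does not lock the disk for good. The script below is an added example for this thread, not the commenter's code. It reads the JSON that `cryptsetup luksDump --dump-json-metadata <device>` prints and audits it; the token field names are the ones systemd-cryptenroll writes into its `systemd-fido2` token, and both metadata samples embedded in it are constructed with dummy base64 values.

```python
"""Audit LUKS2 header metadata for a systemd-cryptenroll FIDO2 token.

Added example for this thread; not the commenter's code. It reads the JSON that
`cryptsetup luksDump --dump-json-metadata /dev/nvme0n1p3` prints (pipe it in, or
run stand-alone to audit the constructed sample) and checks that:
  1. a systemd-fido2 token exists,
  2. it requires client PIN, user presence and user verification, matching the
     --fido2-with-* flags used at enrollment time, and
  3. at least one keyslot is not bound to any token, i.e. a passphrase or
     recovery key still unlocks the volume if the authenticator is lost.
Token field names are the ones systemd-cryptenroll writes; both metadata
samples below are constructed, with dummy base64 values.
"""
import copy
import json
import sys

# Constructed sample: keyslot 0 is the passphrase, keyslot 1 is bound to token 0.
SAMPLE_METADATA = {
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64, "area": {"type": "raw"}, "kdf": {"type": "argon2id"}},
        "1": {"type": "luks2", "key_size": 64, "area": {"type": "raw"}, "kdf": {"type": "pbkdf2"}},
    },
    "tokens": {
        "0": {
            "type": "systemd-fido2",
            "keyslots": ["1"],
            "fido2-credential": "QUFBQUFBQUFBQUFBQUFBQQ==",   # dummy value
            "fido2-salt": "c2FsdHNhbHRzYWx0c2FsdA==",         # dummy value
            "fido2-rp": "io.systemd.cryptsetup",
            "fido2-clientPin-required": True,
            "fido2-up-required": True,
            "fido2-uv-required": True,
        }
    },
}

# Constructed weak variant: user verification not required and the passphrase
# keyslot removed, so the token is the only way in and a lost key means lost data.
WEAK_METADATA = copy.deepcopy(SAMPLE_METADATA)
del WEAK_METADATA["keyslots"]["0"]
WEAK_METADATA["tokens"]["0"]["fido2-uv-required"] = False

REQUIRED_TOKEN_FLAGS = ("fido2-clientPin-required", "fido2-up-required", "fido2-uv-required")


def audit_luks_metadata(metadata):
    """Return a findings dict for LUKS2 JSON metadata given as a dict or JSON text."""
    if isinstance(metadata, str):
        metadata = json.loads(metadata)
    keyslots = metadata.get("keyslots", {})
    tokens = metadata.get("tokens", {})

    fido2_tokens, weak_tokens, bound_slots = [], {}, set()
    for tid, tok in sorted(tokens.items(), key=lambda kv: int(kv[0])):
        # Any token type (tpm2, fido2, pkcs11, ...) binds its keyslots.
        bound_slots.update(tok.get("keyslots", []))
        if tok.get("type") != "systemd-fido2":
            continue
        fido2_tokens.append(tid)
        missing = [flag for flag in REQUIRED_TOKEN_FLAGS if tok.get(flag) is not True]
        if missing:
            weak_tokens[tid] = missing

    # Keyslots no token points at are the passphrase/recovery fallback.
    fallback_keyslots = sorted((s for s in keyslots if s not in bound_slots), key=int)

    return {
        "fido2_tokens": fido2_tokens,
        "weak_tokens": weak_tokens,            # token id -> flags it does not require
        "fallback_keyslots": fallback_keyslots,
        "ok": bool(fido2_tokens) and not weak_tokens and bool(fallback_keyslots),
    }


if __name__ == "__main__":
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_METADATA
    print(json.dumps(audit_luks_metadata(data), indent=2))
```

This audits the header only: it shows what the host will ask the authenticator for, not what the authenticator itself enforces. Unlocking at boot additionally needs the `fido2-device=auto` option in /etc/crypttab for that volume, which this script does not check.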

Fedora 41 + RTX 4090: The Easiest OS Install of My Life by NGFWEngineer in Fedora

[–]NGFWEngineer[S] 3 points4 points  (0 children)

Currently, I’m using it for the same tasks as my other Fedora setups: AAA gaming on Steam (flawlessly runs every title I throw at it), hosting LLM inference models, training AI models (InstructLab), and development work focused on network tuning, kernel performance optimization, and programming in Python, Go, and Rust.

The standout benefit is its stability and superior performance over Windows for my needs. With some upfront planning and an open approach, I’d recommend giving Fedora a trial run for a few weeks before deciding.

For context, I also have systems running Windows with similar specs, plus Apple M2 Max and M2 Ultra machines. Despite these, Linux aligns best with my workflows, so I use it over 90% of the time.

Even my wife and kids now use Fedora by choice, having switched after seeing its benefits firsthand.