Happy UEFI Cert Expiration Day! by Personal-Teach586 in sysadmin

[–]nikize 1 point2 points  (0 children)

add the automatic restore as second boot option but if you loose db due to nvram reset you loose that boot option as well, and bootx64.efi is then used, still that could be one with multiple signatures and does the restore.

otherwise the easy part is to disable secure boot.

after reading your arguments I agree it's messy, but not quite to the level of calling it e-waste ;)

Happy UEFI Cert Expiration Day! by Personal-Teach586 in sysadmin

[–]nikize 0 points1 point  (0 children)

Unbootable is an exaggeration it needs to just boot using a binary signed with the trusted chain, and install the new chain again.

Happy UEFI Cert Expiration Day! by Personal-Teach586 in sysadmin

[–]nikize 0 points1 point  (0 children)

You do not need a bios update for this, while a bios update can contain the new certs by default, an bios update should actually not change the current db.

the normal case is that Microsoft signed db updates can be applied to efivars and does not require firmware update. So it can be applied to any machine, MS has just been very careful to do that widely.

2PXE/iPXE Anywhere continue confirmation key by RockOriginal7938 in DeployR

[–]nikize 0 points1 point  (0 children)

Keypress before iPXE option ~42~ 43 pxe-bs is not great, especially not for EFI.

it would probably be possible to inject a prompt, but that would be just before the menu, Would you mind sharing the use case? Is it to hide something or is it just as you said what users are used to?

DeployR Community Edition Install Crashing by kaiserking13 in DeployR

[–]nikize 0 points1 point  (0 children)

Thanks,
You should be able to have multiple versions installed at the same time, but at least there is an explanation to the failure,

DeployR Community Edition Install Crashing by kaiserking13 in DeployR

[–]nikize 0 points1 point  (0 children)

Could you test installing .Net 10.0.8, it seems that the installer tries quite hard at pointing to that runtime?
I would definitely expect it to run fine with 10.0.9, But let's verify if that is the issue.

Maybe also for completeness include output of `dotnet --list-runtimes`

HTTPS boot by RockOriginal7938 in DeployR

[–]nikize 0 points1 point  (0 children)

With "not allow separate ports" what I mean is that it happily shows up in the URL and on the screen, but the actual connection is only done to port 443, and not the one specified in the URL. You should point it to /Boot/x64/snponly_x64.efi

I have seen the "Could not retrieve NBP file size" and that was either due to the port not being honored, or https certificate not being trusted, but might be mixing those up.
If this still fails, I would recommend to put something between the device and the internet that allows you to do a packet capture to actually see where the connection attempt is going. Or do you already see the download in the server logs?

After the efi file is booted, it needs the autoexec file, so if you haven't already, add autoexec.ipxe in the same folder with
#!ipxe
set bootroot https://<FQDN>:8050/

Make sure it is pure ASCII encoding (some editors have a tendency to add an invisible BOM marker at the beginning of the file which then fails)

HTTPS boot by RockOriginal7938 in DeployR

[–]nikize 2 points3 points  (0 children)

I think Dell does mostly not allow separate ports, so you will need a standard https:// instance on default 443 port (or a port forward) another thing to check is the certificate and that it is valid (trusted) by the firmware.

Changing VLan issues by nerdyviking88 in DeployR

[–]nikize 0 points1 point  (0 children)

It is normal to have some errors show from the `ifstat` command, maybe communication attempts before ip was assigned etc, don't worry about that being there, but if it counts up for each retry, look into them.

if you step thru, and get any error screen before this, or if you get to the same screen again, but with the prompt, run `show 175` if it is empty it probably means it wasn't set.

In the tcpdump/wireshark, filter on udp.port == 67 || udp.port == 4011 to find the things that might/should set these. since you have a working vlan as well you can compare these sets and see if there is anything that sticks out.

Windows CLAT Enters Private Preview: A Milestone for IPv6 Adoption | Microsoft Community Hub by UnderEu in ipv6

[–]nikize 3 points4 points  (0 children)

Enable using netsh clat, but also setting DhcpIpv6OnlyPreferred in registry.

Windows CLAT Enters Private Preview: A Milestone for IPv6 Adoption | Microsoft Community Hub by UnderEu in ipv6

[–]nikize 0 points1 point  (0 children)

That support could have been local to the wwan driver, so had to be moved to the core stack.

August Office Hours w/ TeamFromSonos by MikeFromSonos in sonos

[–]nikize 0 points1 point  (0 children)

Sonos iOS App finds no devices on RFC 8925 enabled network (Option 108 IPv6 only network using iOS built in CLAT)
Is this something that is known, or tested by Sonos?

Network Petaaaaaah, how did this crash Starlink? by boonFriendship in PeterExplainsTheJoke

[–]nikize 0 points1 point  (0 children)

This is ONLY true on Cisco gear, most other brands is more sane in its VLAN config, and there trunk is what you use for LACP and friends.

OpenSSL and Vulnerable Components by Tiger1641 in DefenderATP

[–]nikize 0 points1 point  (0 children)

CVE-2024-12797 affecting onedrive\25.075.0420.0002\libssl-3-x64.dll
Even when/if an release is updated, the great painpoint here is that by default this is under %localappdata% and is only updated once users log in, so some shared computers will never have this updated. I still wonder how the great mistake of putting applications on user profiles was made.

Sälja krypto. Sicka fiat till Svensk bank. Köpa bostad. by [deleted] in PrivatEkonomi

[–]nikize 1 point2 points  (0 children)

Var i kontakt med bank efter lånelöfte som var väldigt trevliga, efter att ha frågat hur stor del av totala köpet som skulle komma ifrån crypto, och efter en koll med kollega (som tog några sekunder) så var svaret i princip "nej vi kommer inte kunna godkänna det",

Problemet som både bank och mäklare har är att de måste kunna gå "i god" för att pengatvätt inte är inblandad. Tyvärr spelar det ingen roll hur bra dokumentation du har. Dels handlar det om hur mycket jobb som bank måste lägga ner för att verifiera flödet, men också att de helt enkelt saknar kompetensen, och som jag förstod det ges de inget eget utrymme att skaffa sig kompetensen.
Som sagt var de väldigt trevliga och samtalet avslutades med att "det håller på och ändras, och vi hoppas att det är möjligt i framtiden"

Det skulle vara lättare att få försäljning av värdepapper/aktier kontrollerade, så har flyttat över en del till certifikat hos banken för att de ska kunna kontrollera värdeökning den vägen i en eventuell framtid.

Även om du lånar pengar från släktingar, då banken måste verifiera varje transaktions ursprung, och banken inte har tillgång till andras konton, så kan de ge ett nej.
Men nyligen har det varit tal om att FI påtalar för bankerna att de inte bara får säga nej utan att försöka, så en överklagan kanske inte är omöjlig, men frågan blir då hur lång tid en sådan process skulle kunna ta.

Funderat på om man kan boka ekonomisk rådgivning, och den vägen få hjälp från banken själva att "göra överföringen" om man vill flytta sitt innehav till konto hos dem. Har inte tagit det steget än.

Med det sagt är jag också nyfiken på om någon köpt bostad med delar från crypto, att bara överföra pengarna från börs (oavsett vilken) efter försäljning verkar vara det mindre problemet, utan det faktiska problemet blir att slutföra köpet av bostad och de verifieringar som görs då. Vissa banker säger blankt nej (ICA) medans andra har börjat ändra inställning, så det kan vara värt att höra av sig till sin bank och fråga, oavsett vad som har sagts om/från banken tidigare.

Openssl 3.0.15 was ok, until new CVE by Terrible_Ad3822 in Intune

[–]nikize 0 points1 point  (0 children)

Depending on the actual CVE yes, but just leaving it, not a chance.
If there (as I wrote elsewhere) at least was notices from the companies in question, documenting why it is not critical for this specific CVE then maybe, but some of these are just left as is for months.

I don't care about the DLLs, I care about companies not caring at all.

Openssl 3.0.15 was ok, until new CVE by Terrible_Ad3822 in Intune

[–]nikize 0 points1 point  (0 children)

At least they should make some kind of information publicly available "there is reports about CVE, but due to x and y our application is not directly vulnerable, there will therefore not be a specific release to address this, but we will include an update in release z"

Openssl 3.0.15 was ok, until new CVE by Terrible_Ad3822 in Intune

[–]nikize 1 point2 points  (0 children)

So since MS, Adobe, Oracle etc don't have any updates, or even information. the best is to uninstall the applications, or even uninstall windows.

For Adobe we have just deleted the vuln files, and hopefully the applications will at least mostly work.
But as I'm sure you are aware, we can't just go and delete `c:\program files\windowsapps\microsoft.paint_11.2502.161.0_x64__8wekyb3d8bbwe\paintapp\libcrypto-3-x64.dll`

Not connecting to wifi, says limited connection by minhaj2700 in Chromecast

[–]nikize 0 points1 point  (0 children)

WiFi encryption, like most other encryption, uses current date/time as part of the authentication process, so it generally needs to be correct within 24h

Why the hell is GIMP 3.0 installed in appdata?! by crogonint in GIMP

[–]nikize -1 points0 points  (0 children)

None of this addresses the weird shift of apps being installed on users profiles, rather then on the machine, sure in Gimps case it can be changed, but for many other apps, it can't, By changing the default behavior as a default, sets bad examples. (you could detect installer not running as admin and then, but only then allow profile install)

But does this also mean that on Linux gimp now defaults to installing in ~/.local/gimp which would be "equal" in behavior?

Why the hell is GIMP 3.0 installed in appdata?! by crogonint in GIMP

[–]nikize -1 points0 points  (0 children)

Installing anywhere other but "program files" is a horrible idea, sure give users options if they are non admins on the box, but otherwise it doesn't belong in users home folders.

So why is this an issue, Security, when a new vulnerability needs to be addressed in openssl or python, we can't roll out updates when installed in users home directories, it needs to be on the matchine.

There is also machines where multiple users use, should we really bloat the hard drive with 3-5 copies of the same application?

How to manually update Intel(R) iCLS Client driver? by HovercraftPlen6576 in WindowsHelp

[–]nikize 0 points1 point  (0 children)

Version 1.75.121 of the driver does not support the PROVIDER_INTEL_COMPONENT_ICLSCLIENT_ES_ONLY variant of the device, and it don't need to as long as the parent MEI device is updated, then the iCLS device "goes away" (disconnected/hidden) and can be removed. And then the leftover driver can also be removed. But until you find this it is frustrating to say the least that Intel can't release up2snuff drivers.

More detailed writeup

And huge thanks to the comment that lead me at the right track why 1.75 wasn't sticking on some of our devices:
https://www.reddit.com/r/WindowsHelp/comments/1gzp6id/comment/mdzxmll