Strange problem when imaging new machine

rbahr · 07 Jan 2022

Hi All,

I posted this in the 'general' category, but it may be better off in this sub-group!

I just got a new to me machine - Asus Z170-AR based machine. New hard drives, clean (reset bios).
I went through the process of updating the Win 7 installation (OEM MS) disk to add the USB 3 drivers - that went well, and I imaged the machine. Then I went to run the Simplix UpdatePack 7 / 2008 R2 21.12.15 and I got a secure boot violation and the maching refused to boot. about 1/2 way through the update process. I chose to ignore this (for now), deleted the various keys, and changed to 'other operating systems' in the UEFI boot choices.
That said, before I go live with this system - it will be replacing my current Win 7 box, did I do something dumb by ignoring the warning, or is this to be expected. I wanted to roll in the non-telemetry, non win-10 upgrade nonsense that MS was peddling, which is why I was using Simplex.
Comments?
Thanks
Ray

file3456 · 08 Jan 2022

If it were me, I'd take the ISO (or DVD) of Windows 7 SP1 and use NTLite to customize and add the updates in slipstream fashion. Features – NTLite

I wouldn't bother with this current install if it were me. Something is all messed up. Especially having to boot via another boot method. Better to start over while the OS is fresh and new. It is new, correct?

I don't use UEFI ( I have BIOS and UEFI options). Since I roll this way I also turn off secure boot. I'm thinking now, can't remember, but that may be an issue with Windows 7. It's been a long time since I read about that. Maybe turning that off in BIOS will fix the issue.

- - - Updated - - -

And found the answer.

Windows 7
Secure boot is not supported by Windows 7. UEFI boot is supported but many IT departments prefer to leave UEFI boot disabled to preserve compatibility with operating system images.

What is Secure Boot? What is UEFI Boot? - Stone Computers :: Knowledgebase

IMO, Secure Boot ain't, and UEFI I think is loaded with funny business. But that's a massive essay for another time. LOL

rbahr · 08 Jan 2022

Thanks F22,

I saw that Win 7 is not part of the secure boot 'campaign'

I know a fair ammount about computers, embedded systems, etc, but nothing about this secure boot process. Seems like a move towards closeing the platform to SW out of MS' control

SIW2 · 08 Jan 2022

Win 7 does not support secure. Turn secure boot off no problem.

Installing win7 then running simplix afterwards is fine.

Or the win 7 installation media can have the updates integrated
Update your Win 7 installation media

file3456 · 09 Jan 2022

rbahr said:

Seems like a move towards closeing the platform to SW out of MS' control

That's kinda my assumption. It's basically like a signed driver I guess for security purposes. So on its face it sounds great. But to those with a more scrutinizing mindset it raises some "conspiracy" red flags. Or maybe a secondary color...

UEFI is also right up there. And I have some reservations about 2FA. Again, while great on the surface, the inner workings can be more sinister for lack of a proper term.

I remember this story years and years ago. Yet here we are today with today's technology. Unreal. A serial number! LOL!

Interesting article from 2017.

And from the NSA.

Some systems feature boot speed adjustments. Systems placed in a “fast boot” or “minimal boot” mode may skip all
firmware-related Secure Boot checks. See figure 1 for a comparison. Use the “full boot” or “thorough boot” mode to ensure
all firmware binaries are checked. Some systems also feature a legacy/CSM fallback mode. Disable fallback mode to
prevent unknown binaries from bypassing Secure Boot checks.

Code:

https://www.nsa.gov/portals/75/documents/what-we-do/cybersecurity/professional-resources/csi-boot-security-modes-and-recommendations.pdf

For what it's worth. LOL VirusTotal

Many may not know this, but there's a glorious network stack in UEFI. What is UEFI

Strange problem when imaging new machine-redhgd.jpg

- - - Updated - - -

Just yet one more reason why everyone should roll pfSense and learn the IDS Snort. IMO anyway. pfSense - Wikipedia

Great thing about the community version is that it's open source so that the code can't be jacked with. Well, compiling from source will ensure that. Can't really trust someone's pre-compiled binary.

rbahr · 09 Jan 2022

I worked at a large DoD contractor and had a lab where I was using a LOT of 10Ge traffic - 10-12 years ago, so back when it was a bigger deal. I accidentally leaked some traffic when I was doing some stress testing and caused the corporate network to 'not have a good day'. So, they isolated the lab network. I figured out my problems, shut things down and asked the wonks to re-enable the connections - I was told that there was still traffic. I got the relevant traffic information. Now, these servers were powered on but quiescent, so there should have been no traffic of any type - Linux boxes so I did have some control - I just shut the interfaces down. So for the next couple of days, I ran Nmap and found a complete Linux OS with a network stack ostensibly used for maintenance. The OS used a virtual MAC address, and could not be disabled. I finally found that I could change the IP address, so in went 0.0.0.0!

This was a Supermicro server, yep made in China, in a DoD facility with full access to their network. I wrote this up and gave it to the security and networking people, and heard absolutely nothing!

People really don't care or ???

I worked at a LARGE networking company - problems were fixed by new software releases not by addressing them Exactly like we see with MS, Android, and IOS - 'shiny penny' culture

file3456 · 10 Jan 2022

Yep, I know damn well there is is much perversion and lackluster attitudes out there on cybersecurity it's absolutely sickening. Here's just one example. Something I knew was probably the case going back some 14 years. The firmware and what not in routers, phones, etc? Probably the same shenanigans I reckon. Well, maybe more so with Huawei. It'll take people with actual intellect and Congress to pass laws that deal with this stuff.

I feel the issue is monumental due to the dependence on the Internet and the electrical grid. So, I wrote then, President-elect Trump a letter about it. There are many single points of failure, and we've already seen that with an oil company(?) out east go down and something else I can't remember. Could have been Russian backed hackers behind it all. Then there was SolarWinds. If you read the book The Secret Sentry and learn about NSA set backs, all this has me wondering. And not just with the NSA, but the CIA, FBI, Customs, State Department, you freaking name it.

Australia is having issues with Huawei and because of it China is punishing Australia since they can't get their sneaky ass in over there. Australia is a major exporter of mining products and I think makes up a good chunk of the GDP. I watch news all around the world via M3U streams and listen via shortwave radio SDR tuners. CIA does the same thing. I had an online friend (no longer with us) work at the CIA, and my former neighbor worked there as well.

GitHub - iptv-org/awesome-iptv: A curated list of resources related to IPTV

websdr.org

Yeah, Nmap is a nice little program. They have books on it. One written by the Nmap Dev I believe. I was thinking of buying that book. There's also Zmap. Planning on spinning up a Linode server and requesting research usage rights to use the collected data for a firewall project I'm a member of a Github. Been on the back burner though.

I think in order to mitigate the vulnerabilities in things requires a dedicated red team working on pentesting and bug bounty hunting on a 40 hour shift as far as I'm concerned. But that would of course be for classified or close sourced projects. Others use hackerone to allow the whole world to find the vulnerabilities while at the same time not having to pay for the constant research and only a single lump sum when found. There can be some good money doing it. I follow a guy on Twitter that bought his house just ethically hacking finding bugs in software. It could be Twitter, Microsoft, Apple or some product. HAHA I found a bug in Bitwarden and ran to hackerone to post it and hopefully collect some cash. While at the same time I figured someone already beat me. Yep! It was already posted.

This is also true being an inventor like I am. Damn near everything I can think of has or will be patented. And it's scary because I have ideas withen the realm of the military and if I can think of it someone else probably has. I have the concepts though, not whole the whole thing would work. When I was about 9 during Desert Storm and learned about GPS for the first time, I also learned we were using laser guided bombs. I immediately thought we should attach a GPS to those bombs. Well, today we call them a JDAM which is just a kit to a dumb bomb! How many 9 year olds think of crap like that? HAHAHA

I'm now 41 and the things I have on my mind deal with quantum mechanics and what not. I don't think I want to be around in the next 50 years, lets just put it that way... Well, I probably won't, and mankind may not either. We shall see.