ASUS Zephyrus S19

My special interest is computers. Let's talk geek here.
yogi
Posts: 9978
Joined: 14 Feb 2015, 21:49

Re: ASUS Zephyrus S19

Post by yogi »

I understand how you arrived at your characterization of Microsoft. We all have different experiences with the same things I must say.

The issues I'm currently having with EFI and secure boot are not unexpected. The whole point of Windows 11 is security that never existed in the old systems. That's the reason why they are hiding the EFI directory, but they can't stop you totally without breaking the way it operates. It seems as if what I observed yesterday is more true than ever today. That EFI directory can be accessed from outside of the Windows environment. It's not much easier than doing it from inside Windows, but apparently there is no way to disable access entirely. I got down to the nitty-gritty and found a few commands that can be executed from the Windows terminal to run a script that displays the content of that EFI directory. Displaying that content, however, is restricted to the "system" having the only access permissions. That means administrators can't get at it, not to mention ordinary users. Fortunately Microsoft provides a security tab in its permissions folder and I can add my own self to it. I did not do that because I am not yet familiar enough with secure booting to mess with system level permissions.

The main reason for the lock on that EFI directory is that that is where all the encrypted access keys are kept in a small database for that purpose. That means neither Windows nor any other software not built into Windows will boot unless that access key is known and compiled into the binary of the program. This approach effectively stops anything not part of Windows from running. A good feature if you want to stop hackers.

My current challenge is not with Windows but with Linux. I was able to run a Linux Mint version of Linux On A Stick in one of my first experiments. This was done on a removable media (the stick memory) and the EFI boot directory was created on the stick next to the Mint partition. In addition to that, since I put this stick into a Windows 11 secure boot machine, the Windows EFI directory also recorded the fact that there is a device called ... are you ready for this ... UBUNTU that is on a stick memory and will be allowed to boot from the Windows boot manager. All went well with Mint/Ubuntu and last night I decided to try Ubuntu 20.10 on a stick. Well, it did the same thing as did Mint, i.e., created a boot entry in the Windows EFI directory and called itself ... UBUNTU. Thus when I try to boot Linux on a stick, I have a choice of two identical entries called UBUNTU. Guess which one is real and which one is Mint. I have to tell you that it is not Microsoft who created this particular chaos. It's all due to some crazed Linux developers who refused to pay the price of developing their own Grub with a name that is not a clone of an existing distro.

The above mess is the real reason I want access to the Windows EFI directory. All I want to do is rename the directory with Mint in it. I can delete it, but there is no other way than doing it manually to rename it.

I put that problem aside because it turns out that LINUX has another problem that I want to resolve first. Neither Mint nor the real Ubuntu can access my NAS. Neither one had a problem on any of the other computers, but now on this secure boot machine Linux suddenly can't resolve the name of Windows network shares. I played with Samba most of today but could not get Ubuntu to recognize the network shares. I'm at a point where I don't believe it is a Samba problem. I'm guessing it has to do with secure networks.

Speaking of which I ran into a second LINUX problem when I tried to switch from the native video driver to the Nvidia driver offered by Ubuntu (and others) in their additional drivers section. It seems that ... can you believe this ... Nvidia is proprietary. That is to say it is not open source. As such it will not run in a secure system unless it has one of those keys from the EFI directory embedded into its binary code. Of course the driver does not come with an access key, thus Linux provides a way to add it to the EFI database. Well that's the theory at least. I tried to complete the instructions and was given a myriad of choices that I knew nothing about. This is not unusual for anybody who wants to configure any Linux system above and beyond the defaults. A college degree is needed just to understand their walk-through on how to set things up.

As of this writing I have reinstalled Ubuntu to a new stick and will try again. I can't believe that Linux made it so difficult to do something so simple. I know Microsoft did the same thing, but they did it without any intervention from me. It just works.
Kellemora
Guardian Angel
Posts: 7494
Joined: 16 Feb 2015, 17:54

Re: ASUS Zephyrus S19

Post by Kellemora »

Are you sure it is not Windoze making it difficult to use Linux distros on the machines THEY CONTROL?

I have three generations of Ubuntu, and two generations of Linux Mint, all running on a computer with all Debian versions since Debian 8. Seems I never delete an old install after creating a partition for a new install, and Grub takes the time to find them all, including an old WinXPPro on a second drive, which I don't know if it will boot since I never tried to boot it up, hi hi.
The downside to having all of them, is it takes Grub a good 20 minutes or longer to upgrade after I added a new Kernel.

When Debian or Linux Mint comes out with a new version, and I do a clean install, it just works fine.
I don't have any of the problems you have because of Windows wanting to be God, hi hi.
yogi
Posts: 9978
Joined: 14 Feb 2015, 21:49

Re: ASUS Zephyrus S19

Post by yogi »

None of my Linux On A Stick installations of a Linux OS can find network storage anymore. None of my Linux virtual machines can find it either, but I do admit Windows is the host machine in those cases. And, none of the Linux distros that I have installed stand alone on a hard drive can find the network storage either, which is totally independent of anything directly controlled by Windows. Plus, in every case Grub is the bootloader for Linux. All the Windows boot manager does is call up Grub to do its job - there is no problem doing that (other than the deliberate confusion induced by non-Ubuntu OS's calling themselves Ubuntu).

My only response to your Windows God characterization is that Windows knows what to do with Linux, but apparently Linux has no clue about Windows. The sad part of that story is that Linux developers do not want to know.

I haven't had a lot of time to experiment overnight, but I did discover that at least all the Ubuntu based Linux operating systems no longer are distributed with Samba installed. Nobody ever explained why they stopped doing it, but I know for a fact that Samba, version 1, has been deprecated and Microsoft stopped using it. We are now up to Samba 3 and while I haven't been able to prove it yet, it looks as if (Ubuntu) Linux hasn't figured out how to handle it yet. Thus they don't provide a means to automatically access Windows shares. I can mount the shares manually so that I know Linux is capable. It cannot, however, do any network discovery nowadays. It used to have that ability, but somehow lost its memory.

And, I will concede that all this is preliminary observation. I'm still working on discovering a solution.
Kellemora
Guardian Angel
Posts: 7494
Joined: 16 Feb 2015, 17:54

Re: ASUS Zephyrus S19

Post by Kellemora »

You have to remember Windoze is a PROPRIETARY program, CLOSED SOURCE, so nobody other than ms knows what's where doing what inside. They give hardware manufacturers secret inside info so they can make drivers for their stuff, but it only works if you do it the ms way using the doors they provided, and a map of the hallway inside so they know where to go.

Linux Distro's are not privy to this kind of information, so everything done in Linux is done by trial and error when it comes to dealing with Windoze. And if Windoze does not provide a door and a map, you are basically SOL.

If you used Linux as the Host, instead of Windoze, everything might be a little easier for you to accomplish!

You have said many times you like Windoze because of the vast support structure.
Why don't you ask Windoze support how to connect to a NAS from Ubuntu? I'll bet they won't tell you!
yogi
Posts: 9978
Joined: 14 Feb 2015, 21:49

Re: ASUS Zephyrus S19

Post by yogi »

I'm getting closer to a solution, but real world activities are slowing me down. Here is a summary of what I have learned so far.

The issue I am dealing with involves connecting to a file server that hosts Windows shares. The server is run by a tiny Linux operating system and runs my NAS. Kudos to Linux for being able to host something other operating systems can access and perform file transfers.

There are multiple ways of accessing Windows server shares. In my case, as well as in most computers equipped with Windows, it's done over a LAN via Samba network software. Samba is not a Microsoft invention. It's a standard developed for non-Windows servers; basically, it is a domain controller. We know that Linux is the star player in the network server world because, well, you told me so. LOL My point is that Samba is not anything proprietary, invented for Windows, or whose standards are controlled by Microsoft. It's all UNIX or LINUX targeted. That is not to say Samba is restricted to those kind of networks. In fact it is often used to control and act within Windows domains. Given the nature of the beast, network (domain) servers are not proprietary. And it's been around since 1992.

As you would expect, software from 1992 would not work in a 2021 world. Thus Samba has been updated a few times. We are now seeing Samba v4 out on the networks. The new versions are updates of the original to accommodate new technology, such as gigabyte networks that did not exist in the nineties. That means the older versions, 1, 2, and 3 are/were still around for folks who have old equipment. This multiple version situation just adds confusion to the network formula, but that's generally a problem for network administrators and not for people like you and me. Then, only a couple years ago, that version #1 of Samba suddenly did become our problem.

It seems that state sponsored cyber warriors found a way to corrupt network file transfers that were carried out by Samba v1. It went beyond corruption. They found a way to take control of any network connected device that used Samba v1. Just about every computer in the world has Samba v1 available, if not installed and operating, because it became a classic method for accessing file servers. The long and the short of it is that there was no fix for the vulnerability in Samba v1. There was a patch put into place by Microsoft and others, but it did not eliminate the vulnerability. Thus, the consensus was to stop using Samba v1. This is the identical situation as we have seen with Adobe's Flash player. It could not be fixed and made bulletproof so that the only alternative was to deprecate and abandon it.

Given Microsoft's dominance in the PC world, and all the bad publicity directed at them from Linux-land enthusiasts, Samba v1 was disabled in every Windows machine that did the update. It was not eliminated, but simply disabled to allow people to play Russian Roulette if they so chose to do so. The new low level Samba standard thusly became Samba v2.

Folks that don't use Windows software were unaffected by all this. They have no need to go prying into Windows shares on any server, usually. There were a lot of problems when the change occurred and I personally noted a few in the beta testing of Windows I was doing at the time. I even posted about it in the Feedback hub. Windows was having a hard time "seeing" its own Windows shares on a network server. There was no problem mounting said shares manually, but if you tried to use Samba to get there, a ton of errors were displayed. After a few months of this, and a lot of complaints, Microsoft quietly fixed the issue. Windows 10/11 once again flawlessly can find Windows shares remotely located on a Linux server.

None of the Linux operating systems that I have installed in various venues can mount the Windows shares on the NAS Linux based server. While I am not certain at the moment, I do know the NAS software was updated about a month ago. That is most likely when the current problem arose in exactly the same way the problem came about earlier with Windows machines. Linux servers have now fully disabled, but not eliminated, Samba v1. The lowest level Samba now in the repositories is Samba v2. And, the fix is to not include Samba of any version with the iso for any given Linux distribution. That's one way to eliminate the vulnerability in Samba v1, but now accessing Windows shares is a complicated mess (if it can even be done anymore) when trying to do it from a Linux machine.

So, until the developers in Linux land can catch up to where Microsoft is already, accessing Windows shares on a Linux server seems to require manual mounting of the share. The automatic access allowed by Samba has been eliminated. They claim it has all been fixed by updating the file manager so that Samba is no longer needed. Well, I beg to differ. It has not been fixed.

You know, all that's understandable. What I don't get is why they stopped supplying Samba of any version and did not bother to tell anyone. They just assumed the file manager would take care of it. The Windows support people told me right away what they were doing to fix this problem. I have yet to hear from Linux which can only lead me to believe they are not interested in fixing anything with a Windows tag on it.

And ... just because I know you think I'm talking sour grapes from behind a Windows desktop, check out this article by a well known and respected LINUX consultant and adviser : https://www.dedoimedo.com/computers/ubu ... hares.html
Dedoimedo's fix is to enable Samba v1 (NT1) via the Samba configuration file. That might work in some cases, but MY server, the updated NAS, does not have Samba v1 as an option. That was the update, to eliminate it. Even the so called Linux experts are sending out misleading signals.
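
A worked example, added to this thread rather than taken from any post or from Samba itself: a small Python audit of the two smb.conf options that decide whether the SMB1 family (NT1 and older) remains negotiable, "server min protocol" (alias "min protocol") on the server and "client min protocol" on a client. It shows a Dedoimedo-style "fix" (client min protocol = NT1, min protocol = NT1) being flagged and rewritten to the SMB2_02 floor that Samba 4.11 and later use by default. The sample configuration is constructed for the demo, and the protocol names are those smb.conf(5) accepts.

```python
"""Audit the SMB protocol floor in smb.conf and emit a hardened copy.

Added example, not from the thread or from Samba. The two options checked
are the ones that decide whether the SMB1 family (NT1 and older) can still
be negotiated. Samba 4.11+ defaults both to SMB2_02, which is the floor the
sample below (constructed for this demo) is audited against."""
import configparser
import io

# Protocol names in increasing order, as accepted by smb.conf(5).
PROTOCOL_ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
                  "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
SMB1_FAMILY = set(PROTOCOL_ORDER[:5])             # everything below SMB2 is SMB1
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}  # shorthand names smb.conf accepts
DEFAULT_FLOOR = "SMB2_02"                         # Samba >= 4.11 default for both
# Option -> spellings Samba accepts for it, most specific first.
MIN_OPTIONS = {"server min protocol": ("server min protocol", "min protocol"),
               "client min protocol": ("client min protocol",)}

# Constructed sample: the kind of "fix" that quietly re-enables SMB1 on both sides.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   log file = /var/log/samba/log.%m
   ; copied from a how-to: re-enables SMB1 on both sides
   client min protocol = NT1
   min protocol = NT1
"""


def load(text):
    """Parse smb.conf text. Keys are case-insensitive; %-macros must not be expanded."""
    conf = configparser.ConfigParser(interpolation=None, strict=False,
                                     empty_lines_in_values=False,
                                     inline_comment_prefixes=(";", "#"))
    conf.read_string(text)
    if not conf.has_section("global"):
        conf.add_section("global")
    return conf


def normalize(value):
    name = value.strip().upper()
    return ALIASES.get(name, name)


def effective_floor(conf, option):
    """The protocol floor Samba would apply, honouring aliases and the default."""
    for key in MIN_OPTIONS[option]:
        if conf.has_option("global", key):
            return normalize(conf.get("global", key))
    return DEFAULT_FLOOR


def audit(text):
    """One finding per option whose effective floor admits the SMB1 family."""
    conf = load(text)
    return [f"{option} = {floor}: admits SMB1 dialects"
            for option in MIN_OPTIONS
            for floor in [effective_floor(conf, option)]
            if floor in SMB1_FAMILY]


def harden(text, floor=DEFAULT_FLOOR):
    """Rewrite the config so neither side will negotiate below `floor`."""
    conf = load(text)
    for option, spellings in MIN_OPTIONS.items():
        current = effective_floor(conf, option)    # evaluate before touching aliases
        for alias in spellings[1:]:                # drop ambiguous aliases ("min protocol")
            conf.remove_option("global", alias)
        too_low = (current not in PROTOCOL_ORDER
                   or PROTOCOL_ORDER.index(current) < PROTOCOL_ORDER.index(floor))
        if too_low:
            conf.set("global", option, floor)
    out = io.StringIO()
    conf.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for finding in audit(SAMPLE_SMB_CONF):
        print("WEAK:", finding)
    print(harden(SAMPLE_SMB_CONF))
```

Note that "min protocol" is the older spelling of "server min protocol", so a config that sets only the alias still lowers the server floor; the audit resolves the alias the way Samba does, and the hardened copy removes it so the explicit option cannot be silently overridden again.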
yogi
Posts: 9978
Joined: 14 Feb 2015, 21:49

[SOLVED] Linux SMB Issues

Post by yogi »

You must be getting tired of me ranting on as I do when I run into Linux problems that should not exist. The good news is that this will be my final criticism regarding the network discovery, Windows file sharing, and how Linux handles it.

This morning I received an email from the NAS server alerting me to an update to the DSM software, which is what Synology calls their particular version of Linux. I looked at the announced fixes and SMB was one of the things they fixed. My suspicions all along have been that either the NAS or Linux in general created a gross fault somewhere in recent history so that this update was welcome news.

The update to the SMB service was simple. Synology simply added the option to use SMB v1 along with the already existing options to use v2 and/or v3. If you didn't fall asleep reading my previous rants you will recall that I pointed out SMB v1 has been banned from most computers (servers and clients) due to a vulnerability that cannot be fixed. I also pointed out that a couple months ago Microsoft panicked when this vulnerability became known and issued some emergency patches. They disabled SMB v1 in all their Windows systems which in turn created the identical problem I am having today with Linux network discovery. It took the Redmond gang a couple months to fix things, but now all Windows versions from 7 to 11 work as expected. No need to run SMB v1 anymore.

I don't know how widespread this is but all the Linux distros I have on HDD, SDD, VM's, and flash memory sticks fail to mount any Windows shares residing on my Linux server. Since I could not configure any Linux OS to run on SMB v2, I wanted to make SMB v1 available on my NAS, just to see what happens. I could not do that until this morning after the NAS software update. Despite the warnings and threats from my server, I enabled SMB v1, and ... Linux was now able to discover Windows shares on its own servers. This tells me in no uncertain terms that Linux developers have not fixed the SMB vulnerability problem. They choose to leave themselves open to an SMB hostile attack because ... well I can't imagine why. I guess they don't want to look like Windows and just work.

There are other ways to get into Windows shares from Linux, all of which involve manually mounting them or dickering around with the fstab config file (which smacks of being a Windows registry edit) to make it more or less automatic. That's a bit risky considering I use DHCP to assign IP addresses on my network; those IP's can change without warning. Being security conscious and in fear of ransomware attacks that might occur, I set the NAS server back to SMB v1 being disabled. I now have to log into my Windows shares manually whenever I use a Linux operating system. I don't know how to say it nicely, but Linux once again is showing how much better it is to use something else.
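
To show what toggling SMB v1 on the NAS actually changes on the wire, here is an added example (my code, not from the thread, Synology or Samba): it builds SMB1 and SMB2 NEGOTIATE requests with the field layouts from MS-CIFS and MS-SMB2, then models a server's dialect choice under a given "server min protocol", the way smbd filters the client's offers through its [min, max] window and keeps the highest survivor. A client that opens with an SMB1 request offering only "NT LM 0.12" is turned away once the floor is SMB2, while one that offers "SMB 2.???" for an upgrade, or that starts in SMB2, still connects. The traffic is constructed; the NT1 level constant is a stand-in, and the SMB2 round that follows an upgrade is simplified to offer every dialect.

```python
"""SMB dialect negotiation, modelled on the wire (added example, not from the thread).

A client with SMB1 disabled opens with an SMB2 NEGOTIATE (magic \xfeSMB) listing
the SMB2/3 dialects it accepts. A client that still starts in SMB1 opens with an
SMB1 NEGOTIATE (magic \xffSMB); if it offers "SMB 2.???" the server upgrades it,
if it offers only "NT LM 0.12" it needs the server's floor to admit NT1.
Layouts follow MS-SMB2 / MS-CIFS; all messages here are constructed."""
import struct
import uuid

SMB2_DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
SMB2_NEGOTIATE = 0x0000   # SMB2 command code
SMB1_NEGOTIATE = 0x72     # SMB1 command code
NT1 = 0x0001              # stand-in level for "NT LM 0.12", below every SMB2 revision
SMB1_DIALECT_LEVEL = {"NT LM 0.12": NT1, "SMB 2.002": 0x0202, "SMB 2.???": 0x0210}


def build_smb2_negotiate(dialects, client_guid=None):
    """SMB2 NEGOTIATE request: 64-byte sync header + 36-byte body + dialect array."""
    if not dialects:
        raise ValueError("client must offer at least one dialect")
    guid = (client_guid or uuid.UUID(int=0)).bytes_le
    # StructureSize, CreditCharge, Status, Command, CreditRequest, Flags, NextCommand,
    # MessageId, Reserved, TreeId, SessionId, Signature
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, SMB2_NEGOTIATE,
                                      1, 0, 0, 0, 0, 0, 0, b"\0" * 16)
    # StructureSize, DialectCount, SecurityMode (signing enabled), Reserved,
    # Capabilities, ClientGuid, NegotiateContextOffset/Count/Reserved2
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), 0x0001, 0, 0, guid, 0)
    return header + body + b"".join(struct.pack("<H", d) for d in dialects)


def build_smb1_negotiate(dialect_strings=("NT LM 0.12", "SMB 2.???")):
    """SMB1 NEGOTIATE request: 32-byte header, WordCount 0, ByteCount, dialect strings."""
    # Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID
    header = b"\xffSMB" + struct.pack("<BIBHH8sHHHHH", SMB1_NEGOTIATE, 0, 0x18, 0xC853,
                                      0, b"\0" * 8, 0, 0, 0, 0, 0)
    data = b"".join(b"\x02" + s.encode("ascii") + b"\0" for s in dialect_strings)
    return header + struct.pack("<BH", 0, len(data)) + data


def parse_smb2_dialects(message):
    if message[:4] != b"\xfeSMB" or struct.unpack_from("<H", message, 12)[0] != SMB2_NEGOTIATE:
        raise ValueError("not an SMB2 NEGOTIATE request")
    count = struct.unpack_from("<H", message, 66)[0]          # DialectCount
    return list(struct.unpack_from("<%dH" % count, message, 100))


def parse_smb1_dialects(message):
    byte_count = struct.unpack_from("<H", message, 33)[0]
    raw = message[35:35 + byte_count]
    return [item[1:].decode("ascii") for item in raw.split(b"\0") if item.startswith(b"\x02")]


def negotiate(message, server_min=0x0202, server_max=0x0311):
    """Server side of NEGOTIATE: (dialect name or None, explanation)."""
    if message[:4] == b"\xffSMB":
        levels = [SMB1_DIALECT_LEVEL.get(s, 0) for s in parse_smb1_dialects(message)]
        ok = [lv for lv in levels if server_min <= lv <= server_max]
        if not ok:
            return None, "SMB1 NEGOTIATE refused: nothing offered meets server min protocol"
        if max(ok) >= 0x0202:
            # Real servers answer with a wildcard SMB2 response and the client re-sends
            # its SMB2 list; simplified here as an immediate second round with all dialects.
            return negotiate(build_smb2_negotiate(sorted(SMB2_DIALECTS)), server_min, server_max)
        return "NT LM 0.12", "legacy SMB1 dialect selected (server floor admits NT1)"
    offers = parse_smb2_dialects(message)
    ok = [d for d in offers if d in SMB2_DIALECTS and server_min <= d <= server_max]
    if not ok:
        return None, "STATUS_NOT_SUPPORTED: no common SMB2/3 dialect"
    return SMB2_DIALECTS[max(ok)], "negotiated dialect 0x%04X" % max(ok)


if __name__ == "__main__":
    legacy = build_smb1_negotiate(("NT LM 0.12",))
    print("NT1-only client, SMB2 floor :", negotiate(legacy))
    print("NT1-only client, NT1 allowed:", negotiate(legacy, server_min=NT1))
    print("modern client               :", negotiate(build_smb2_negotiate(sorted(SMB2_DIALECTS))))
```

The second case is what enabling SMB v1 on the NAS buys: the server's floor drops to NT1 and a client that only knows "NT LM 0.12" gets a session, at the price of the protocol everyone else disabled. Raising the client side instead, so it opens with an SMB2 request, is what keeps the floor where it is.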
Kellemora
Guardian Angel
Posts: 7494
Joined: 16 Feb 2015, 17:54

Re: ASUS Zephyrus S19

Post by Kellemora »

I just checked the Silver Yogi, it accesses the NAS and other Windows machines just fine, and vice versa.
The Samba version on this machine is Samba 4.9.5-Debian.

But when I have a lot of things to move I usually use SSH now, since it is faster and easier.
yogi
Posts: 9978
Joined: 14 Feb 2015, 21:49

Re: ASUS Zephyrus S19

Post by yogi »

The problems with Samba are not present in old systems such as the ones you tell me you run. The latest versions of Linux have the security fix, or they should. It's that so called fix that causes the problem because it drops the use of the oldest version of Samba. Likewise if you did not update the NAS server anytime recently, you won't see the problem because they default to the old version 1 Samba. This is one of those situations in which you need to worry if you don't have any problems. It is likely to mean your system is vulnerable and an easy target.

Also, the problem is not with Samba, although I might have made it sound that way with my tale of trying to adjust it properly. I had to do a little studying to get some details about how and why Samba works before I could determine exactly where the problem originated. I was perplexed by the fact that as far as I could tell Samba was configured correctly in all the clients and on the NAS server. The failure originates in the Nautilus file manager that Ubuntu and all its derivatives like to use. Just because Samba is working and configured properly does not mean the file management system is using it correctly. That is what happened when version 1 was dropped. They did fix the file manager but not every aspect of it. The Windows share part was pretty much ignored. I would not expect less from a Linux crowd.

Like everything else in the world of Linux there are multiple ways to do the same thing. Thus there is more than one file manager. I don't know what Debian is using nor Fedora, but the only Debian based OS that I have works. Fedora failed the test. This brings me to my basic objection regarding open source software, which Samba is by the way. Read that to mean not controlled by Microsoft. The fact that file managers are not standardized and can be manipulated by any hacker means that some work and some don't. I guess that's fine if you like operating systems that can be configured to your own personal taste. Unfortunately, when your own personal taste, or incompetence, gets distributed widely then a lot of people suffer for the mistakes. I can see why Windows shares are not a high priority for Linux developers. I ran into the same thing with EFI booting. Some Linux developers didn't realize Linux can be booted from Windows and thus avoided that entire scenario. All this is rather ironic because one of the dreams many Linux developers have is to replace the Windows desktop. Good luck with that. You don't need to be an old fart like me to know Linux doesn't work as well as the high priced proprietary operating system from Redmond, WA.
Kellemora
Guardian Angel
Posts: 7494
Joined: 16 Feb 2015, 17:54

Re: ASUS Zephyrus S19

Post by Kellemora »

All I can say Yogi is I've been using Debian now for probably over a decade and have never had any problems to speak of.
I can connect to all of my computers, the NAS, and to Debi's Windows computers if it has a shared file I can see it in my list, and it opens if I click on it.
I have had a few minor network problems after a power outage, but if I just waited it would eventually correct itself.

Now, going back a few years, I had to boot up the computers in a certain order so as to not have problems. But those days are long past now.

In a way, I'm more like a Windows user, I don't know all that much about what goes on under the hood. I turn on my machine and it works like I want it to. For that I'm as happy as a Lark, hi hi.
yogi
Posts: 9978
Joined: 14 Feb 2015, 21:49

Re: ASUS Zephyrus S19

Post by yogi »

You make a good case for not bothering to upgrade your high tech toys. If it's not broken, why fix it? My answer would be that it is broken and you don't realize it. LOL But, in the end, you have what you want and need. Who am I to say you should change? Be that all as it may, I'm sailing a different ocean and you are my captive audience. Thus you get to read about my adventures. :mrgreen:

When my previous laptop stopped performing to my expectations I decided the mission was to get a replacement so that I could simply revert back to where things were previously. That old laptop isn't very old, but the world has moved on by leaps and bounds since I made the purchase. The new laptop is in a whole different class of computers than the old one. Some of the things I experimented with were not all that conventional. You've read about a lot of my trials and tribulations right here. It must sound like a lot of unnecessary trouble to you, but to me I enjoy the challenge. I like to solve these kind of problems. But, the world is full of problems that have no solution. LOL

As you know I love to put Linux, any Linux, on a USB memory stick and boot into it from there. Of course that stick is only a memory device and needs a computer to do its thing. Back in the old days that was simple. Not so anymore. I used to be able to create a live CD, or USB in my case, from within a virtual machine. That live OS would typically be plugged into my laptop which would boot up from it. Then I'd install the (Linux) OS onto a second USB memory stick. That bootable Linux On A Stick would then be plugged into the laptop and boot up as if it were installed inside the computer's hard drive. I could test out a lot of variations of Linux OS's that way and not pollute the laptop in the process.

All the above was easily done with Windows 10 being the host. In fact when I switched to Windows 11 to do the beta testing, nothing changed as far as the boot process was concerned. Only Windows itself was different. The new laptop came with Windows 10 and I upgraded that to Windows 11 so that the environment on the laptop was identical to the old laptop in all but one single regard. The new laptop has secure boot enabled because that is what Microsoft prefers. I don't want to get into why they prefer it here, but I accepted it as a given. Linux doesn't have a problem with secure booting just as Windows has no problem. But mixing the two together could be a problem. And mixing is what I'm doing here.

In the past I would use the laptop to make an iso copy of the Linux OS of interest. I can still do that with no problem. Then I'd leave that iso in its USB port and boot from it so that I could install the OS onto a separate USB memory stick. Linux Ubuntu crashed in a very unusual way when I tried that last night. The live USB booted up but when I hit the "Install" button a Linux-generated error message filled the screen. It claimed that it detected Intel's RST technology to be running on my laptop and I need to shut that off if I intend to install Linux on a stick. That was a first for me so I had to ask my friend Google about RST and how to turn it off.

RST is Rapid Start Technology that comes with a lot of the latest CPU chips from Intel. They got together with Microsoft so that when you boot into Windows, it comes on almost instantly. In fact it is instant after the login/Enter button is pressed. Booting cold is just a matter of seconds so that the whole process of getting to the desktop in Windows 11 from a cold start shouldn't take more than 10 seconds. I really love that feature, but Ubuntu hates it. I don't know why Ubuntu hates it, but it won't even begin to install unless I shut off RST. Well there is a setting in BIOS that says RST is installed, but it can't be turned off from there. It can be uninstalled, or actually disabled. It can't be uninstalled because it is firmware inside the CPU. Disabling it, however, is not a straightforward and simple process. Plus, it may cause Windows to fail because Microsoft depends on that specific technology to do a lot of fancy stuff in Windows 11.

Well, that's Ubuntu and might not be a problem elsewhere. I have yet to find that out.

So, in my attempt to find a work around, I decided that perhaps if I installed Oracle's VirtualBox on the laptop I might be able to get around this seemingly major obstacle. Would you believe that as of this moment VirtualBox cannot be installed in Windows 11? Well, it's true. It's true because of that requirement unique to Windows 11 to have that security module on the motherboard. Virtual boxes of any sort don't have that TPM module. Oracle is working on a simulation of one, so they say, but it's not available yet.

As it so happens, also due to a favor granted by Intel, ever since Windows 10 was released, Microsoft's core operating system included a virtual machine function called Hyper-V. I knew about it but never tried to use it because, well, I have VirtualBox from Oracle. This seemed like a propitious time to learn more about Hyper-V, and I did. It's not too convoluted and might even be simple if you have prior knowledge of virtual machines, which, of course, I do. To make a long story short, the Hyper-V virtual machine can only run three versions of Linux natively. Two happen to be Ubuntu LTS releases and one is a penetration testing Linux OS called Kali.

It IS POSSIBLE to make other virtual boxes for any other operating system, but that can only happen if those other systems have secure boot capability. Secure boot capability means the EFI database must have an encryption key that matches the encryption key embedded into the software of the operating system you are interested in virtualizing. Ubuntu has such software available but only two of those keys are in the EFI database of Windows computers. To do a secure boot from elsewhere means getting that key and installing it into the EFI directory. And, you do remember that Microsoft locks you out of that directory, right?

On a positive note I must say that there isn't any way ransomware or any other hacker will have an easy way to hack Windows 11.

There are alternatives for accomplishing what I'm trying to do, but it is becoming apparent that I cannot return to life as it was before the old laptop gave up on the letter "L" key on its keyboard. :cry:
Kellemora
Guardian Angel
Posts: 7494
Joined: 16 Feb 2015, 17:54

Re: ASUS Zephyrus S19

Post by Kellemora »

What would you say if I told you that the street electric stop signals here were still using msDOS to control them?

Yes, I remember all the Linux distros you had placed on USB sticks and got them all to work.
Plus much of the other fancy things you were able to do.

That RST you mentioned sounds like yet another thing designed to cause problems rather than fix them.

Well, I suppose it is good that Windows has Hyper-V and allows a couple of Linux distros to use it.

On the bright side of the coin, I'm glad to hear Windows has made itself hackerproof. But we'll wait to see if that is so or not.

I used to have programs that worked great on Windows 98, and on Windows XP, but would not run on the Windows XP Pro MCE edition. And that is one of the reasons I kept an old XP machine around for so long. It is currently overheating and shutting off on me, but I'm sure it is just dust build-up on the CPU cooling fins and fan.

Although Linux does have a FreeCell game, it is not the same as the Windows version that lets you pick the number of the game. I was up to like 15,000 on it, it is supposed to go up to a million, hi hi.
Don't know why, but I started over at game #1 a few years ago, and was up to 7115 when that computer started overheating.

I'm sure you have a lot of phun playing around making your computers do all the things you do with them.

Me, I just wish I had the time to even blow the dirt out of them, hi hi.
yogi
Posts: 9978
Joined: 14 Feb 2015, 21:49

Re: ASUS Zephyrus S19

Post by yogi »

In spite of all the ranting I do here, yes I do have fun with my computers. Basically that's the only active hobby I have left. There is nobody here for me to share my stories with. Just about all the people I know have no idea there is anything in the computer world other than Windows and Android. Most of them think those are the same thing anyway. So, hopefully you will continue to indulge in my narratives. You might not understand it all, but I know you understand a good part of it.

I learned a little bit more about secure booting since I last wrote here. And, unfortunately, I learned a bit more about yet another shortcoming Linux seems to have. Secure booting is made possible by using some standard encryption techniques. That is to say digital keys are needed in order to tell the good guys apart from the bad guys. Those keys are locked away inside the EFI directory. Any disk that is formatted in GPT must have an EFI directory, and the appropriate UEFI software is placed in there. Thus it makes sense that Microsoft, or anybody else, would take extra care to protect the contents of that EFI directory. The critical keys, however, are encrypted in a database so that it really doesn't matter if anybody can get to them or not. Nobody but Microsoft knows what those keys are, and of course the people who want to secure boot their own brainchild of an operating system must also know what those keys are, or have a way to store them in the database should Microsoft not be present on the computer of interest. It should come as no surprise then, that because Linux is FOSS to its roots not every OS with a Linux kernel has gone through the trouble of creating secure boot keys. All the popular ones seem to have done it, but there are way more less popular distros that need to catch up.

As is the intention of secure booting, any software, be it an OS or a third party app, without a key will get kicked out of the system. That is what happened to two of my Linux on a Stick OS's. The scenario is slightly different for each computer set up, but in all cases access to the computer is denied to any binary that isn't keyed properly. In my ASUS laptop it's not just a matter of denying access. Once a not secured piece of software attempts to execute, the hard drive shuts down. That is to say it goes to something like a blue screen and announces that a security violation has occurred. It doesn't stop there. When the offender is removed and you try to boot into Windows again, another BSOD appears saying you need to provide the BitLocker encryption key in order to unlock the drive. This is very close to what ransomware people do, only worse. Fortunately, Microsoft does not ask for BitCoin to be deposited into their digital wallet. All they want is the encryption code which looks to be in the range of 32 characters long. They even tell you where to go looking for it. To my utter shock and amazement they sent me to my Microsoft account that I have registered with my universal login credentials. In that account, which I can only access by using two-factor authentication, is a page with the s/n of my hard drive and the necessary BitLocker key. It was breathtaking to say the least. I entered the key manually because there is no way to do a cut and paste on that BSOD. After that I was able to boot back into the regular Windows session.

There are enough flaws in Linux for me to want to steer clear of them even now after I have been exposed to the security paranoia being propagated by Microsoft. We are at a point where Linux developers are slowly getting on the bandwagon and cooperating with Microsoft with regard to secure boot. Today I learned that Grub2 has had a critical vulnerability up until rather recently. It would, under certain circumstances, allow anybody to gain access to the system just by using Grub2 as a bootloader. That access included getting through the Windows blockade. I found that particular glitch with Grub2 early this morning and that is why my hard drive was locked. So, now, not only do I need to find Linux distributions that can secure boot, and have their key in the EFI database, but a Linux with a Grub2 that has been patched recently must also be procured. This Grub2 issue does not only affect Windows. It is a flaw in the bootloader, for any system with or without Windows.

Did I mention that the Windows Boot Manager will not boot any file system using BTRFS? That happens to be the standard Linux devs are trying to establish to replace ext4. But, that's another story for another time.

After I'm done here I'll try to boot that errant Linux (Sparky, by the way) to see if the latest version has all the fixes it needs to boot on my laptop. I already verified that it will boot on the Windows 7 tower, but secure boot has been disabled there.
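What the post above describes (the firmware refusing an unsigned loader, a revoked GRUB build being treated the same way, and Windows then demanding the BitLocker recovery key) follows from two mechanisms that can be modelled in a few dozen lines: the Secure Boot allow list (db) and deny list (dbx), and measured boot, where the TPM records what was booted and BitLocker only releases its key when those records match what it saw at setup. The block below is an added example written for this page, not code from the thread, from Microsoft or from ASUS. The image bytes, the key, the PCR choices and the seal/unseal routine are constructed stand-ins for the real EFI signature database, the TPM2 PolicyPCR protocol and BitLocker's formats.

```python
"""Toy model of UEFI Secure Boot (db/dbx) plus TPM measured boot and key sealing.

Added example for illustration only; the image bytes, key and formats are
constructed and do not match real EFI binaries, the real TPM2 PolicyPCR
protocol or BitLocker's on-disk format.
"""
import hashlib
import hmac
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Constructed stand-ins for boot images (real ones would be PE/COFF EFI binaries).
WINDOWS_BOOTMGR = b"bootmgfw.efi (constructed sample)"
OLD_GRUB = b"grubx64.efi, old build (constructed sample)"
UNSIGNED_STICK = b"live-USB loader with no signature (constructed sample)"

# db lists what may boot, dbx lists what is forbidden. Real variables hold X.509
# certificates as well as SHA-256 hashes; this model keeps only the hash form.
DB = {sha256(WINDOWS_BOOTMGR), sha256(OLD_GRUB)}
DBX = {sha256(OLD_GRUB)}  # the old build was revoked after a bootloader bug


def secure_boot_allows(image: bytes) -> bool:
    """Firmware check: the image must be in db and must not be in dbx (dbx wins)."""
    digest = sha256(image)
    return digest not in DBX and digest in DB


class Tpm:
    """Minimal PCR model: extend() is the only way to change a PCR and it is one-way."""

    def __init__(self) -> None:
        self.pcr = {i: bytes(32) for i in range(24)}

    def extend(self, index: int, digest: bytes) -> None:
        self.pcr[index] = sha256(self.pcr[index] + digest)

    def policy(self, indices) -> bytes:
        """Digest over the selected PCRs; stands in for a TPM2 PolicyPCR value."""
        return sha256(b"".join(self.pcr[i] for i in indices))


def seal(tpm: Tpm, indices, secret: bytes) -> dict:
    """Bind a 32-byte secret to the current PCR values (simplified sealing)."""
    salt = os.urandom(16)
    wrap = sha256(b"wrap" + salt + tpm.policy(indices))
    blob = bytes(a ^ b for a, b in zip(secret, wrap))
    tag = hmac.new(wrap, blob, "sha256").digest()
    return {"indices": tuple(indices), "salt": salt, "blob": blob, "tag": tag}


def unseal(tpm: Tpm, sealed: dict):
    """Return the secret only if the PCRs hold the same values as at seal time."""
    wrap = sha256(b"wrap" + sealed["salt"] + tpm.policy(sealed["indices"]))
    expected = hmac.new(wrap, sealed["blob"], "sha256").digest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return None  # PCR policy mismatch: the TPM will not release the key
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))


def boot(tpm: Tpm, images, secure_boot: bool) -> str:
    """Measure the Secure Boot state into PCR7 and each loaded image into PCR4."""
    tpm.extend(7, sha256(b"SecureBoot=1" if secure_boot else b"SecureBoot=0"))
    tpm.extend(7, sha256(b"db" + b"".join(sorted(DB)) + b"dbx" + b"".join(sorted(DBX))))
    for image in images:
        if secure_boot and not secure_boot_allows(image):
            return "security violation"  # what the firmware reports before halting
        tpm.extend(4, sha256(image))
    return "booted"


# Constructed stand-in for BitLocker's volume master key (32 bytes).
VMK = sha256(b"constructed volume master key")


def provision() -> dict:
    """First setup: Windows boots with Secure Boot on and the VMK is sealed to PCR 4 and 7."""
    tpm = Tpm()
    if boot(tpm, [WINDOWS_BOOTMGR], secure_boot=True) != "booted":
        raise RuntimeError("cannot provision: reference boot was refused")
    return seal(tpm, (4, 7), VMK)


def later_boot(sealed: dict, images, secure_boot: bool):
    """Return (boot result, whether the drive unlocked without the recovery key)."""
    tpm = Tpm()
    result = boot(tpm, images, secure_boot)
    if result != "booted":
        return result, False
    return result, unseal(tpm, sealed) == VMK


if __name__ == "__main__":
    sealed = provision()
    print("normal Windows boot      ", later_boot(sealed, [WINDOWS_BOOTMGR], True))
    print("unsigned USB loader      ", later_boot(sealed, [UNSIGNED_STICK], True))
    print("revoked GRUB build       ", later_boot(sealed, [OLD_GRUB], True))
    print("Secure Boot switched off ", later_boot(sealed, [WINDOWS_BOOTMGR], False))
```

In the last case nothing on the drive is damaged: PCR7 no longer matches the value the key was sealed to, so the TPM will not hand the key over, and that is the point at which the real system falls back to the escrowed recovery key. After a successful recovery Windows seals the key again to the new measurements, which is why the recovery key is asked for once rather than on every boot.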
Kellemora
Guardian Angel
Posts: 7494
Joined: 16 Feb 2015, 17:54

Re: ASUS Zephyrus S19

Post by Kellemora »

I actually love hearing what all you are doing with computers, and the challenges you are placing on them.

I've studied about public and private keys until I'm blue in the face.
You encrypt something using your secret private key, but anyone with a public key can then read it.
Something created with a public key can be read using your secret key.

The only way I can see this method as having any value is if there was a secret key at both ends only known to both ends.

Seems like all a hacker has to do is create a key for themselves that is recognized by the key in the EFI file.

OK, your hard drive got locked and you had to go to Mickey$oft in order to get it unlocked.
You think that is a good thing, while I think it is once again Mickey$oft trying to play god over your own equipment.
What happens if Mickey$oft suddenly disappeared and you need to gain access to your hard drive and do so without them?

I look at it this way. I have my computers in my house. Most are set to reboot after a power failure now.
But I do have to enter my password to log into the OS I want to use.
I have a separate password for Root access, a Password for Administrative access, and a Password for User space access.
I'm sure hackers coming in over the Internet connection have a way of bypassing passwords.
So it seems to me, it is the Internet you need protection from, more so than access to your own computer and its programs when you boot up the computer.
So to me, secure boot is a ridiculous way to go about things.
How about making it so that anyone wanting to send data to you over the Internet can only do so by request?
OK, so you request a hackers site and it downloads their crap. THAT is what needs to be addressed, no automatic downloads just from visiting a website. Only download the screen text as text, and images as non-executable images, they can only be displayed within a safe container that does not allow access to the computer system.
Seems that would be much easier to develop than all this secure boot mumbo jumbo.
yogi
Posts: 9978
Joined: 14 Feb 2015, 21:49

Re: ASUS Zephyrus S19

Post by yogi »

I am elated to know that you enjoy reading my computer adventure blogs. I have much more to say than I have time to put into these posts, plus I know your time is limited as well. I do try to condense things without omitting pertinent information, but sometimes the subject is too complicated for even me to explain.

Take encryption as an example. :mrgreen:

Let's assume that you have a top secret document that you created and encrypted. That encryption is done using a digital key which must be known in order to view the document. As long as you are the only person in the universe who knows the secret key, you will be the only living creature that can read that file. But then, say, you want me to see it too. We are separated by a few hundred miles so we agree that putting that document in The Cloud is the best way to share its contents. You have an account in the cloud and I have one, and both of us have login credentials just to get into that account. If it happens to be a public file server, our personal accounts would be the access mechanism, and even public accounts have login credentials. So, this secret file was put into an account that anybody who knows the login credentials can access - that's the public key. Anybody can see your secret file but only you can read it because you know the private key. Well, in this example you sent me a copy of that key via USPS. Thus I can log into that public server, download that document, and read it on my desktop because I have the private key.

That's the basics of public encryption in a nutshell.

Secure boot is similar. Those private keys are stashed away in the /EFI directory. Anybody and their cousin can get to those keys, but they are encrypted and nobody can see them literally. However, that secret key can be embedded into the binary code of any software, such as a simple app or a complicated operating system. Thus the secure boot process involves matching the key embedded in the software against the key buried in the /EFI directory. The keys are not exposed by the way, but the encryption hash is what is compared for authenticity. So, if your embed code hash matches the /EFI secret hash, voila. Otherwise, in Microsoft's case, they shut down access to the machine. I have since learned that it's only a temporary lockout, but long enough to frustrate any hacker's needs.

The public network must remain free and open in order to be effective. Prohibiting any kind of traffic from flowing for any reason whatsoever places a restriction and a burden on the utility of the network. It's there in the form it is in because, well, it's free and open all the time. The public network, the Internet, must remain neutral (you have heard of net neutrality, right?) in order to be useful to everybody. Security is not a network problem because its only purpose for existing is to transmit data. The smooth and continuous flow of data traffic is the responsibility of public network administrators, not security. Security is a matter only important to end users. Unfortunately some of those end users are not upright citizens and take advantage of the lack of security other end users maintain. So, when Microsoft goes whole hog on secure boot, it's because they are attempting to protect themselves from the bad actors on the other end. If there were no deep dive nefarious actors using the public network, then there would be no need for secure booting. Does that place a burden on you and me? Yes, of course it does. But even complaining to Putin himself won't fix it.

All this secure boot is good, but it's giving me a headache. I now know enough about it to know I don't like it any more than you do. Earlier in this thread I stated that my current mission is to return to the normal state that existed before my laptop gave up the ghost. I now know that can never happen as long as I'm using Windows 11. There are hacks and workarounds that will disable the secure boot, and I have them in my file of information. I might as well just use Linux instead of trying to defeat the security of Windows 11. I'm thinking about it, but I probably will just redefine what is normal here in the Command and Control Center.
Kellemora
Guardian Angel
Posts: 7494
Joined: 16 Feb 2015, 17:54

Re: ASUS Zephyrus S19

Post by Kellemora »

You hit what I've been saying in your opening comment.
I would have to mail you a Key that allowed reading of my document via the USPS.

We were doing something similar before computers were even invented.
We would write a coded letter to send to someone. But for them to read it, they needed to know how to decode it.
In our case, we used a book that we both had, and took a certain page and paragraph from that book as our first substitution guide, then a page and a paragraph from elsewhere in the book as our second substitution guide, however, the second substitution guide was only used for every other word.
We did it this way because anyone who is good at working Cryptograms from puzzle books could figure out what we said to each other. We weren't doing anything top secret, just playing around really.

OK, I have a secret key of my own, which is used to encrypt my document or file as it is transmitted, using a public key to the cloud. Now anyone can download that file from the cloud, and may have a secret key of their own that uses the same public key. How does the intended person for the file decrypt the file?
Now I know when I visit a website, I can see everything they wanted me to see, even though the transmission itself was encrypted. So the public key somehow has to line up with my own keys. But how would it know? I mean there are millions of people on the internet, and any one of them can go read what's on the website. So what is the purpose of encryption?
Whether the file is HTTP or HTTPS I can still see and read it.

And also I don't know the purpose of secure boot at all. Maybe we need a more secure firewall instead.
yogi
Posts: 9978
Joined: 14 Feb 2015, 21:49

Re: ASUS Zephyrus S19

Post by yogi »

To address your easy question first, a firewall is a security measure. It blocks certain types of traffic from specific sources. It can't stop anything already past the firewall from executing. Some protection is better than none, but firewalls are very limited in what they can do.

Encrypted data cannot be read by visual inspection. Well, it could but it would not make any sense. There are many ways to encrypt data but in the end it all requires knowing how it was encrypted in order to unencrypt it. That "how" is the secret behind the private key. One possible scenario for how to encrypt data is to use a program to generate the key. As input you would give the program some prime number - the more digits the better. That prime number in turn is used to generate the key which if you ever looked at them would make your head spin. They can fill up an entire page or two with numbers. Then the program that actually encrypts the data takes that key and does its thing. It could use the whole key or just predetermined parts of it to encode the data. Then there is salting of data which is close to what you did with two paragraphs from separate books. Random parts of the message could be encrypted differently based on the information in the original key. So, you have this encrypted file because you got the public key. The public key only tells you that it came from where you think it did. Those public keys can be spoofed but that doesn't help decode the encrypted data.

On the receiving end that public key is merged with the private key and the resulting key is fed into the counterpart of the machine that encrypted the data in the first place. Thus to see the encrypted data you got to have that decryption machine in addition to the keys. As far as Internet encryption goes it's all transparent. Keys are generated randomly, and to be honest with you I don't know how they are passed end to end, but they are. Nobody in the middle can see the keys. Only the sender and the receiver can see the keys and thus read the data.

Where web browsers are concerned, you and I are left out of the loop. We never see any of the keys. It's all done behind the scenes. That letter 's' at the end of the HTTP specification is what puts all this into action transparently. Thus it becomes critical to know exactly who is the originating point and who is the receiving point. The receiving end point could be Google if you use their Chrome browser. It might be your ISP. It could be your smartphone, if you had one to use for this purpose. Or, if you follow the example I gave in the preceding post, you personally are the end point and only you (with the key I mailed to you) can read what was sent over the (encrypted?) Internet. Also, consider that each transmission of data over the Internet has its own keys for encryption. Any given webpage consists of several transmissions to get the data to you. I don't know if each packet is encrypted or an entire string, but I do know it's not just one key we are talking about.

In all cases the success of decoding depends on the secrecy of the private key. If I give you that key then it's not a secret anymore. You might give it to somebody behind my back. Or maybe your computer has a key logger buried in it without your knowledge and some guy in a suburb of Moscow is seeing you type in that key.

There are a lot of possible leak points and that is why Microsoft is doing what it's doing. Secure boot does not address encrypted data that could be saved to your hard drive. The name says it all, secure boot. This method of security stops anything that is not authorized from running in Windows. Not only that, it prevents anything that is not authorized from booting up your computer. All this is similar to what I already described. The secrets, however, are in the /EFI directory. Those EFI keys identify what is trusted as far as software is concerned. That extra hardware they want on your motherboard, or buried inside the CPU, is used in conjunction with the /EFI secrets to determine if it's safe to execute whatever it is you want to execute. In a way it's like Two Factor Authentication. Just having one key isn't good enough.

The bulk of this security and encryption is not needed by people like you and me. It should stop ransomware in its tracks, but if you and I lose a computer to a Bit Coin Bandit, it's not as significant as some hospital computer network going down for lack of security. Very few of us peasants need all this high powered protection, but the likes of Microsoft are thinking well beyond any one individual.
Kellemora
Guardian Angel
Posts: 7494
Joined: 16 Feb 2015, 17:54

Re: ASUS Zephyrus S19

Post by Kellemora »

I'll be honest here Yogi, it is all totally above my head!
I know there are a few keys on my computer, placed there by the repositories, and my doctors offices.

My one doctor who gives me access to my medical reports has a crazy process.
I have to log into the website, enter my password and some other info.
Then it will e-mail me a code, not a link back to them, I have to copy this code and paste it into the box on the website.
The code expires in like 30 minutes.
After I paste the code into the box, a window will open asking for my birth date, and once I enter that, I'm into the system to see my reports. I cannot copy or print anything from that screen. But I did figure out using PrtScr will let me make a copy that way, although it is only a small section of the report.

Now my other doctor, his is much simpler. I just log in to the website, answer a couple of questions, and I get access to my report. But here too I cannot copy or print from that screen. However, I can request a copy be e-mailed to me. Which I've never done.

I've done some web searches about how HTTPS works, but the explanation is very unclear and doesn't answer the questions I'm thinking about.

FWIW: I know a fellow who encrypted his hard drive. He never had a problem until his computer went south and he moved the HD to a new computer. It was unreadable, and he never did find out how to make it readable again.
Everyone he talked to said he should have made a copy of his encryption key and put it in a safe place.
He said he did that, but it doesn't work, and that he has three copies of it too.
He had some of his most important stuff backed up to an external drive that was not encrypted, but was very lax in updating it. Even so, he lost about 80% of things he wanted to keep, but didn't do it.
yogi
Posts: 9978
Joined: 14 Feb 2015, 21:49

Re: ASUS Zephyrus S19

Post by yogi »

I think part of the problem with understanding encryption has to do with its dual purpose. In today's world some form of encryption is used to authenticate an identity and another form of encryption is used to obfuscate content. The two tend to get mixed up in the general view, and that is one reason it's difficult to fathom. Let it suffice to know that it just works. :mrgreen:

Your two stories are good examples of the two types of encryption of which I speak. Quite a few websites that handle what could be sensitive information have resorted to what is called two factor authentication. That means you need to supply two items of proof that it is you, and one of them should not be generally known. That set of numbers they mail to you, or text message, or give you via a phone call, is a random number that is needed in order to view the sensitive data. Since your e-mail, text messaging program, and home phone are things that are unique to you, those are good media for getting the code to you and only you. The expiration time for the code just assures that it's not intercepted and used again later on. When you feed that code to the website, that constitutes one of the two factors for authentication. Some of those following questions are designed to contain information that only you would know, such as "what is your maternal grandmother's maiden name?" Most people give her real name as an answer, but that is not required. The question is only there for ascertaining you are the one giving the answers. When you initially set up those questions you can give a bogus name to your grandma. Just be sure you answer with that bogus name when you are asked. Somebody, like a stalker on Facebook, might actually know your grandmother's maiden name which is the reason for setting up bogus answers. Regardless, the code and the correct answer to the question provides the two factors of authentication (keys) necessary to enter the portal. I can see why a doctor would also want your birth date. I think they are required by law to verify it.

My bank has a slightly different approach to that two factor authentication whenever I fire up computers (virtual machines) that they have not associated with me yet. Banks have access to a lot of public records because they tend to give loans to creditworthy people. Thus they can look up a lot of things in public records that the normal identity thief would not know. For example, in what county was the first house you purchased? They toss four or five of those type questions to me and if I answer them all correctly that is good enough for them to think it is actually me trying to break into my account via a different computer. My credit card company and once in a while my stock brokers do the same thing.

So, the moral to this story is that you need to provide "keys" regarding your identity to verify it is really you.

Encrypting hard drives is how Microsoft secure boot works. They have a program called BitLocker that will do the job. All you need to do is call up the program and supply a password similar to a login for a website. And, for similar reasons, you best not forget that password if you ever want to see your encrypted data again. Well, as you might suspect, BitLocker has been the target of many a hacker. It's still a damned good way to encrypt hard drives, but it has been broken in the past. That is why in today's world of secure boot the password, and encryption key generated thereby, are also tied to the computer hardware on which it resides. I really don't know what they are using, but I do know the hard drive encryption is only good on the specific system in which it was encrypted. Even if you have the password and the encryption key, that won't get you into a BitLocker hard drive that is not in its original hardware environment. So this in effect is three factor authentication; your password, the encryption key, and the hardware ID must all match.

The OEM is the one who does the encryption, by the way. That's how it all gets tied together, back at the factory. Put the drive in a different computer, and you lost the key to entry.

Microsoft has redeemed itself to some degree as far as I'm concerned. The bulk of my ranting here has involved all this secure booting that Microsoft is forcing upon users of Windows 11. It is the secure boot requirement that has been preventing me from recreating what I had before. Read that to mean most of Linux OS's cannot boot securely and thus won't play on my laptop. It's been very frustrating because I like the idea of security, but it was stopping me from accomplishing a simple goal. Last night it occurred to me that my old semi-broken laptop does not secure boot even though it has Windows 11 installed on it. In fact I did a fresh install without secure boot enabled and it's working fine. Not only that, but that is the computer that has two versions of Linux installed along with Windows. All was and still is working fine in that laptop.

So, as the old saying goes, "When all else fails, read the directions." I went into my new laptop settings and found the section for configuring secure boot. Lo and behold they explain how to disable it should you want to use 3rd party hardware or ... run Linux. OMG What has this world come to??? Microsoft is telling me I can run Linux and gave me instructions on how to do it. I nearly fainted. All one has to do is go into UEFI and turn off the secure boot. That's it. Well, almost. Turning off secure boot means those hardware keys I mentioned above are no longer automatically issued. I have to supply the encryption key (only the first time I log in) in order to access the drive. That's the key they conveniently put into my Microsoft account should I ever need to use it. Which I did when I first ran into the problem. I disabled the secure boot in BIOS, entered the 32 digit encryption key, and I'm the most happy camper of all time. Nearly all my Linux On A Stick machines now boot on this formerly secure laptop. :banana:

The moral of THIS story is that Microsoft requires your hardware to have that TPM module and to be able to secure boot. Just because you are able to secure boot does not mean you must do it. Windows 11 works either way.

Yes I am a happy camper, but I also came to the realization of how far Linux is behind the security curve. Anybody who tells me now that Linux is way more secure than Windows will lose all credibility they might have had. And, no, Microsoft does not have the ultimate answer with its convoluted scheme of secure boot. They are way ahead of the competition, however.
Kellemora
Guardian Angel
Posts: 7494
Joined: 16 Feb 2015, 17:54

Re: ASUS Zephyrus S19

Post by Kellemora »

Almost all doctors file systems, using your birthdate brings you up fast during their records search. Trying to spell folks names properly has always been a challenge.

I would get weird questions like, what is 2124 California Avenue. It was one of the houses I bought for renovation purposes. Sometimes they will ask if I ever lived at 2124 California Avenue, and if I say NO, I get disconnected, hi hi.
When they do that it bugs me to no end, hi hi.

That's a very good reason for me NOT to USE something like BitLocker or equivalent.
I do different things on different computers, and some of them are old and up and die on me, so I have to move to a different computer. So if a HD is matched to the computer I'm on, I'm SOL as far as moving it to a different computer.

Most folks have traditionally run Windows computers in Administrative Mode, not in User Space, and Hackers had a heyday because of it.
Even now, I think most people still run their computers in Administrative Mode, or else set up their User Space with Administrative access.

Linux doesn't work that way. You have the Root level access, the Administrative level access, and the User Space, which is where all of your programs and daily usage takes place.
It is pretty hard for a Hacker to get a malware program installed on a Linux computer, but it can be done.
They usually don't mess with home users much, because it is the big corporations and their servers they really want to get into.
The one and only time we got hit with Ransomware it came in through Debi's Windows computer and was able to hit the hard drives I had shared with her computer, even though they were connected to Linux computers.
We did lose a lot of stuff, but I was able to recover a lot of it too, because of my off-line backups.

Did I mention our local LUG, Linux Users Group, has grown about 5 times larger this year already.
They have classes for Windows users to come and learn all about Linux 3 nights a week now too.
It used to be only once a week for years, they made it two nights a week last year.
Lots of new people are coming to each event, and many of them are moving on to the training phases of the group.

I went to a few of their normal meetings and learned a few things myself. But most of the guys there use Linux and do programming, and most are CLI oriented as well. But the training groups early lessons are all done using GUI.
Most of the LUG's in our area are satellite groups all headed up by the master group out at Oak Ridge National Laboratory.
Where the biggest computers in the world are located, hi hi.
yogi
Posts: 9978
Joined: 14 Feb 2015, 21:49

Re: ASUS Zephyrus S19

Post by yogi »

You are indeed a "special" case on many levels. LOL Encryption would not be all that hard for you to deploy but you could not do it the way it is done today with systems such as Bit Locker. When you are a businessman and perhaps have company secrets that could affect your future, that would be a good case for encrypting your business computers. Anything else would be a waste of time. The emphasis on security these days is due to attacks on large business entities. I've not heard of an individual computer being hacked any time recently, and certainly not any vintage systems. The would be hackers don't even want to practice on the kind of equipment you are running. When you think about it, that alone is an excellent method of avoiding trouble. Keep your visibility below the radar.

There is a lot of confusion and frustration every time changes must be made. This is particularly true when it comes to things people don't understand fully, like computers. The LUG's in your neighborhood are doing a great service for those lost souls who know not how to respond to change. That won't stop the need for those changes, but at least life can go on in a semi-normal fashion until the Linux community comes to an understanding of how important security is and does something about it. Then where will those lost souls go?

As far as Linux permissions go, you are kidding yourself if you think that's a barrier to anyone who is serious about breaching your system. Some of the most highly protected financial systems in this country have been compromised. Government agencies at the federal and civil level are favorite targets because they are relatively easy to break into. I don't suppose all those business and government computers are relying on Linux permissions for protection. If that is the case every one of those system administrators needs to be fired on the spot. The focus today is on entry. Once the hacker gets past the gatekeeper, the system is toast. And there is A LOT of avocado toast being passed around these days.


My ASUS story for today's reading enjoyment has to do with customer service. Yes, I already found reason to do battle with the experts at ASUS. I will say that I admire their system. They have installed a rather sophisticated and user friendly computer maintenance program on the notebook. When that fails they direct you to their website which I found incredibly detailed and filled with useful information. It's an atrocious site to try and navigate, but the pain is worth it ... sometimes.

I told you one of the spiffy features of my notebook has to do with the touch pad that also serves as a number entry keypad. A keyboard switch just above the touch pad will switch the function between touch and key entry. For some reason that button stopped working. During power up the number pad would light up but shortly after the Windows desktop stabilizes it goes out and stays out. The keyboard switch does nothing at that point. An e-mail went off to customer support and a reply came back the next day. It too had a lengthy description of exactly how to fix the problem, which amounted to being sure BIOS was updated and all the windows programs as well. They also directed me to the built in troubleshooting app called MyASUS. There was a keyboard firmware update waiting for me to install. All I had to do is say yes, and it happened automatically. I was really impressed.

However, that new firmware did not fix the problem. In fact it created an additional one, just as minor as the original but still irritating. The Caps Lock key has an LED that lights up when it is engaged. That's how you know if Caps Lock is on, right? Well that doesn't happen now after they "fixed" the firmware. So I wrote back to the ace customer support person and told her about it. She wrote back to say she needs to talk to some engineers before she can give me an answer. The very next day I got the answer. Go back to Windows 10, or to the previous restore point. In other words, they don't have a clue how to fix it even though they do know how to break it further. I may not reply to them at this point because I will be very nasty if I do. Why do I need to change operating systems just because they don't know how to write firmware for the newest one? grrrr

ASUS still ranks high as far as effort is concerned. As far as solutions to problems go ... might as well look it up in a Linux community forum.