theres.life is one of the many independent Mastodon servers you can use to participate in the fediverse.

Aaron Rainbolt

Security Concerns (please boost for visibility)

Ventoy is a popular utility for making USB drives containing multiple operating systems in the form of bootable image files. While very useful in theory, the source tree contains numerous binary blobs without source code. This issue has been brought up to the authors multiple times, has not been corrected, and has even gotten worse (more blobs have been added to the code over time). This is a potential malware vector, similar to the "test files" in the xz-utils backdoor catastrophe.

Recently the author has ignored a very lengthy thread raising security concerns because of these binary blobs. Given the amount of attention the thread has gotten, this seems strange, especially given that the authors have been active since then. github.com/ventoy/Ventoy/issue

Stranger yet still, a video by Veronica Explains (@vkc) on how to create bootable USB flash drives got flooded by comments heavily suggesting the use of Ventoy and even being somewhat accusing because Veronica didn't advertise Ventoy. This is... not anything I've seen users of ANY open-source project do, and it feels similar to the social engineering done against Lasse Collin that convinced him to add Jia Tan as a maintainer, thus compromising xz-utils. See the comments of youtube.com/watch?v=QiSXClZauX

If you're using Ventoy, you may want to consider ceasing its use for the time being out of an abundance of caution. If you truly need its functionality, you might look into something like the IODD SSD Enclosure (iodd.shop/HDD/SSD-Enclosure) which can emulate an optical drive and allows you to select an ISO saved to the drive to boot from.

Link preview: "Remove BLOBs from the source tree" · Issue #2795 · ventoy/Ventoy, by FairyTail2000: "What happened? Due to the recent XZ-Utils drama I checked the code and I'm appalled. There are more BLOBS than source code." https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f8946...
Charlie
Public

@arraybolt3 @vkc

ah HA! I was trying to remember WTF that device was called! I remember seeing it in passing but couldn't remember what it was called when I went to look for it again.

Since it's just a mass storage device, I'm assuming it supports Linux out-of-the-box right? No silly windows-only binaries needed?

Aaron Rainbolt
Public

@cdp1337 @vkc The Ubuntu Studio team lead (@eickmeyer) uses or at least used one for installing Ubuntu Studio on devices for testing, so yeah, pretty sure it works with Linux (and works for installing Linux too).

Erich Eickmeyer
Public

@arraybolt3 @cdp1337 @vkc

It's a product by iODD, and I now have the improved version: amazon.com/IODD-ST400-Enclosur

However, lately I've been using Ventoy for just simple multi-booting, but the iODD ST400 is still great for hardware encryption and booting an ISO as a CD/DVD, although it uses NTFS storage unfortunately, which is the biggest drawback.

Aaron Rainbolt
Public

@eickmeyer @cdp1337 @vkc You may want to read the first post in this thread - Ventoy has suspicious activity surrounding it that has multiple people (some of them notable) concerned as to its safety.

(Part of me is thinking seriously about attempting to crack open some of the binaries in Ventoy and find out what they're hiding, if anything)

Aaron Rainbolt
Public

@eickmeyer @cdp1337 @vkc Curiosity got the better of me. I've now downloaded the full blob-laden Ventoy source code and all release artifacts from the latest release for safe-keeping and future analysis.

Does anyone have good suggestions for tools? I know about but am interested in other suggestions too.

Charlie
Public

@arraybolt3 @eickmeyer @vkc

hex-rays.com/ida-free/

is the only product I've used for this type of work. I generally don't do much reverse engineering though as I find it annoyingly tedious.

One thought; if you know the original source repo of the binary files, you can compare the hash of the compiled files from the authoritative source to see if they've been modified / recompiled before uploading to Ventoy's repo.

Link preview: IDA Free (hex-rays.com): A powerful disassembler and a versatile debugger
Fritz Adalis
Public

@arraybolt3 @eickmeyer @cdp1337 @vkc
Rather than just start disassembling, try to reproduce the blobs that are documented, then see what's different. Then start doing the same with the handful of ones without docs.

Erich Eickmeyer
Public

@FritzAdalis @arraybolt3 @cdp1337 @vkc

That's actually an excellent idea.

Aaron Rainbolt
Public

@FritzAdalis @eickmeyer @cdp1337 @vkc That's more or less what I had planned. Reverse engineering tools were what I hoped to use for investigating how things changed from the original source code, if they changed.

Codrus 🇺🇲
Quiet public

@arraybolt3 @FritzAdalis @eickmeyer @cdp1337 @vkc

Look for strings contained in the blob first—sometimes you can learn a lot that way.

coucouf ⏚
Quiet public

@arraybolt3 @FritzAdalis @eickmeyer @cdp1337 @vkc diffoscope is an excellent tool for analysing differences in binaries. It will dive down into any format it knows (including ELF) to extract meaningful diffs.

diffoscope.org/

Link preview: diffoscope (diffoscope.org): in-depth comparison of files, archives, and directories
Adam ♿
Public

@arraybolt3 @eickmeyer @cdp1337 @vkc /bin/strings (no really)
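
The checks suggested in the replies above (cdp1337's hash comparison against the authoritative source, Fritz Adalis's rebuild-then-diff, and the strings(1) pass from Codrus and Adam) are easy to script. The following is an added example, not code from this thread, from Ventoy, or from any project mentioned here. It assumes two directories with matching relative paths, one holding the blobs as shipped in the repo and one holding copies rebuilt from upstream source; the files its demo creates are constructed stand-ins, not real artifacts. Anything it reports as MISMATCH is where diffoscope (mentioned by coucouf above) earns its keep.

```shell
#!/bin/sh
# Added example (not code from this thread, from Ventoy, or from any project named in it):
# triage binary blobs checked into a source tree by comparing them with copies rebuilt
# from upstream source. Layout is assumed: REPO and REBUILT hold the same relative file
# names. The sample files created by demo_setup are constructed stand-ins, not real blobs.
set -u
export LC_ALL=C   # byte-wise sort/comm/grep so strings_added is deterministic

# sha256 of one file; falls back through the tools commonly present on a build box.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# compare_trees REPO REBUILT: one line per file under REPO, in sorted order:
#   MATCH <file>     shipped blob is byte-identical to the rebuilt one (reproducible)
#   MISMATCH <file>  hashes differ; needs strings_added / diffoscope before trusting it
#   MISSING <file>   nothing was rebuilt for it; no source or build recipe located
compare_trees() {
    repo=$1; rebuilt=$2
    ( cd "$repo" && find . -type f | sort ) | while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$rebuilt/$rel" ]; then
            printf 'MISSING %s\n' "$rel"
        elif [ "$(file_hash "$repo/$rel")" = "$(file_hash "$rebuilt/$rel")" ]; then
            printf 'MATCH %s\n' "$rel"
        else
            printf 'MISMATCH %s\n' "$rel"
        fi
    done
}

# printable runs of >= 8 bytes, like strings(1) -n 8, without needing binutils installed.
printable_runs() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{8,}$' | sort -u
}

# strings_added SHIPPED REBUILT: strings present in the shipped blob but absent from the
# rebuilt one. URLs, hostnames, shell fragments or unexpected paths here are what to
# chase first; identical strings with a differing hash usually means a different
# compiler or flags, which diffoscope will show section by section.
strings_added() {
    a=$(mktemp); b=$(mktemp)
    printable_runs "$1" > "$a"
    printable_runs "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# demo_setup ROOT: constructed sample trees (hypothetical contents, not real Ventoy files):
# an identical "busybox", an "xzcat" whose shipped copy carries an extra URL, and a
# "grub/core.img" that nobody has rebuilt yet.
demo_setup() {
    root=$1
    mkdir -p "$root/repo/grub" "$root/rebuilt"
    printf '\177ELF\001\000busybox: multi-call binary\000' > "$root/repo/busybox"
    cp "$root/repo/busybox" "$root/rebuilt/busybox"
    printf '\177ELF\002\000xzcat: XZ Utils decompressor\000' > "$root/rebuilt/xzcat"
    printf '\177ELF\002\000xzcat: XZ Utils decompressor\000http://example.invalid/update\000' \
        > "$root/repo/xzcat"
    printf '\177ELF\001\000GRUB core image (no build recipe)\000' > "$root/repo/grub/core.img"
}

demo() {
    work=$(mktemp -d)
    demo_setup "$work"
    echo '== hash comparison, shipped vs rebuilt =='
    compare_trees "$work/repo" "$work/rebuilt"
    echo '== strings only in the shipped xzcat =='
    strings_added "$work/repo/xzcat" "$work/rebuilt/xzcat"
    rm -rf "$work"
}

# Run the demo only when invoked as: sh blobcheck.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

A MATCH is the only result that lets you stop looking at a blob; it means the rebuild from upstream reproduced it byte for byte. A MISMATCH with no new strings is usually toolchain drift and is what diffoscope is for; a MISMATCH that adds a URL, a hostname or a shell fragment is the case the first post in this thread is worried about.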

Charlie
Public

@eickmeyer @arraybolt3 @vkc

Perfect! I'll think about getting an ST300 ordered today.

I saw they have the ST400, but for the purposes of a dummy boot drive from ISO, encryption is way overkill. The ST300 lists that it supports exFAT too, so I don't have to resort to NTFS.

And yeah, I read the original thread; ever since I discovered that application I've been leery of it; (just skeezy vibes from the website and project as a whole, but it was the only utility I was able to find which allowed me to boot ISO images without a pocket full of USB sticks).

Lalufu
Public

@cdp1337 @arraybolt3 @vkc I have a 400, and I seem to recall that I had to resort to Windows to create the NTFS file system on the drive; none of the Linux tools seemed to create it just so that the firmware would like it.
Similar with virtual disk images (for USB stick emulation): while qemu-img can make these, the firmware doesn't seem to like them, whereas ones made from Windows work.
Apart from this it's a great tool, and I wish I had known about it 10 years ago.

Charlie
Public

@Lalufu @arraybolt3 @vkc
@eickmeyer

My ST300 just came in today; slapped in a spare 1TB drive and it fired right up in Gnome Disks. Seems to be working just fine, though we'll see how usable it is when something blows up and I have to load up gparted while in a panic. :P

enshroudedshrew
Public

@arraybolt3 pardon my ignorance, but is the paid device you are linking the only alternative to Ventoy's ability to have a USB stick with multiple ISOs on it to boot from?

Aaron Rainbolt
Public

@enshroudedshrew It's the only "drop-in replacement" I personally know of. With some Linux ISOs you can mimic the functionality somewhat using GRUB, but it's a lot more work than Ventoy and doesn't work universally.

(FWIW I have no connection to IODD, this is just something I remembered the Ubuntu Studio team lead showing me.)

vascorsd
Quiet public

@arraybolt3 @enshroudedshrew Some years ago there was at least a way to make an Android phone emulate a USB device when plugged in and mount any ISOs. But it required an unlocked device with root, which is impossible for most people.

vascorsd
Quiet public

@Zekah @arraybolt3 @enshroudedshrew could be. Not sure. Seems to check all the features I was thinking about. I'm mostly sure it was something I saw in fdroid, but could be wrong.

Zekah
Quiet public

@vascorsd @arraybolt3 @enshroudedshrew it is in f-droid I think, it is in mine

feld
Public
@arraybolt3 @vkc this IODD is a rebadged Zalman! I have one on my desk, but I have had issues with it on UEFI machines.

https://www.iodd.shop/IODD-2531-USB-30-external-HDD-SSD-Enclosure
feld
Public
@arraybolt3 @vkc I followed the instructions by Ventoy's author in this Github issue about some files being detected as viruses, compiled their busybox/xzcat from upstream as instructed, and it does still get detected as a virus. So that's fun.

https://github.com/ventoy/Ventoy/issues/660#issuecomment-748475849
Vortec Space
Public

@arraybolt3 The enclosure doesn't have blobs??

Aaron Rainbolt
Public

@babble_endanger "The enclosure"?

txt.file
Public

@arraybolt3 the enclosure (suggested iODD device) pretty much runs closed source software on its microcontroller. @babble_endanger

Aaron Rainbolt
Public

@txt_file @babble_endanger ah that. Fair enough, though to my awareness the manufacturer of the enclosure hasn't used social engineering tactics against viewers of any particular YouTube channel.

ejim
Public

@arraybolt3 @txt_file @babble_endanger
Hey, there is no proof that the dev used social engineering in this video's comments. Till now there are only accusations; however, it's interesting that many comments about Ventoy have been removed - not by Veronica.
But maybe people read these Ventoy warnings and deleted their endorsements.

ejim
Public

@arraybolt3 @txt_file @babble_endanger
I always found Balena Etcher way sketchier, since it should be way more code & obfuscation and way less functionality. And I am wondering why people like it and endorse it also under this video.

Aaron Rainbolt
Public

@ejim @txt_file @babble_endanger Not sure where you see them removed? They all ended up at the bottom of the comment list but I counted a full twenty of them earlier this morning.

ejim
Public

@arraybolt3 @txt_file @babble_endanger
Okay, Veronica said in the top YT Comment that some were removed.

Adam ♿
Public

@arraybolt3 @vkc Let me just audit the firmware on the iodd... wait.

(strong agree re: Ventoy security concerns though)

Alexia :neocat_flag_trans:
Public

@arraybolt3

Whilst I appreciate the fact you linked an alternative...the starting price is at ~100 EUR, which isn't exactly an alternative to a free piece of software

Is there any other software alternative you know of? Maybe someone mentioned something in the thread?

Aaron Rainbolt
Public

@cyrus The functionality in Ventoy is pretty close to one-of-a-kind. You can kind of mimic it with GRUB though. There's also a tool called Glim (github.com/thias/glim) that apparently makes setting up GRUB in this fashion easy. I haven't audited the code and can't vouch for its safety, but it might be worth looking at.

Link preview: GitHub - thias/glim: GRUB Live ISO Multiboot
Alexia :neocat_flag_trans:
Public

@arraybolt3 I mean...Ventoy is based on GRUB2 soo... :blobcatthinkingglare:

Aaron Rainbolt
Public

@cyrus Is it though? I believe it has GRUB binary blobs in the source code tree, but from my research it appears to have a lot of additional functionality (such as the ability to boot Windows ISOs, which generally don't take to the GRUB approach so well).

Alexia :neocat_flag_trans:
Public

@arraybolt3 it is GRUB2, they have a bunch of custom scripts to extract and boot the required files from Windows ISOs manually

Robin B.
Quiet public

@cyrus @arraybolt3

Ventoy uses github.com/ValdikSS/Super-UEFI to boot unsigned ISOs on Secure Boot devices.
I haven't researched how to make it work with my own key, so I'm careful to delete the key afterwards or to not use the feature at all.

Using a grub2-solution like glim is sufficient for 99% of my use-cases, so I'm switching away from ventoy.
Making wimboot work with glim seems to be possible but experimental.. fortunately I don't need it.

Link preview: GitHub - ValdikSS/Super-UEFIinSecureBoot-Disk: Super UEFIinSecureBoot Disk: Boot any OS or .efi file without disabling UEFI Secure Boot
Lien Rag
Public

@cyrus

I've used many other pieces of software before discovering Ventoy (I only remember the name of Multisystem), but #Ventoy is way better than all of them. I'm really sad to learn about this problem, as I use it a lot.

@arraybolt3 @enshroudedshrew

Dec.tar.gz
Public

@cyrus @arraybolt3
I have used Rufus. It can create multi-boot ISO drives. It only runs on Windows.

moonlight_seashell
Public

@arraybolt3 @vkc
and some of the exes still look suspicious to VirusTotal

lutoma
Quiet public

@arraybolt3

> This is... not anything I've seen users of ANY open-source project do

I see you've never interacted with the Matrix community 😅 Some of the most irritating 'evangelists' in the open source world.

Aaron Rainbolt
Quiet public

@lutoma lol, I actually use Matrix heavily enough that I'm one of the mods of the entire Ubuntu Community there. Yes, we are pushy, but... not to the point of launching what looks like a staged invasion on someone's YouTube channel to push it :P

DelegateVoid
Public

@arraybolt3 @vkc Ok on the dubious blobs... but then you link to a paid proprietary product.. smells

Aaron Rainbolt
Public

@delegatevoid @vkc It was the only alternative I knew of at the time, and it was something an Ubuntu dev had showed me.

iXô
Public

@arraybolt3@theres.life @vincib@mamot.fr There is another issue: if you use iVentoy (Ventoy for PXE), it can inject some "thing" into the media; for example, it allows net booting Windows by creating a fake second drive for the ISO.

Morten Linderud
Quiet public

@arraybolt3 @vkc

While the lack of reply is concerning, the binary blobs are not strictly speaking weird in this context.

GRUB and BusyBox binaries for different architectures are annoying to build, and including them as binaries is a practical choice.

It would be better if they included some description where they are taken from though.

Lou (now allergens-free!) 🥜🚫
Quiet public
@arraybolt3 man, your profile is sus. Is this about Trump?
https://theres.life/@arraybolt3/112783544335740451
Aaron Rainbolt
Quiet public

@kouett lol, yes it is, but only because he's the one who actually nearly got killed. I'd say the exact same thing if it were Biden who had been shot and survived.

Hobson Lane
Quiet public

@arraybolt3
I had the same feeling (without all the analysis to back up my suspicions). Thank you for the SSD enclosure alternative!
@vkc @Siph

Jak2k 🐧🦀
Quiet public

@arraybolt3 @vkc
For some blobs, the sources have been found.

Aaron Rainbolt
Quiet public

@robin @jak2k @vkc That is a potentially good sign. The appearance of a social engineering attack on Veronica's YT channel doesn't give me much hope though. When it was just binary blobs there was the "mhh... worrying but whatever". When it was the ignored security thread it was "mhh... more worrying but whatever". Now that there's social engineering involved too, I'm thinking "ok this is bad". I doubt the Arch Linux maintainer is aware of that.

I actually am working on getting a security audit done over here - I have two VMs installed, one for building Ventoy and new copies of all of the blobs, and one for comparing and inspecting them. I'll report back what I find.

ejim
Quiet public

@arraybolt3 @robin @jak2k @vkc
so far nothing?

Aaron Rainbolt
Quiet public

@ejim @robin @jak2k @vkc Been very busy, also set up a new dev laptop yesterday. Still got this planned and have some of the tools set up for it.

Pete / Syllopsium
Public

@arraybolt3 @vkc It's possible this is an issue, but having read the thread the overwhelming impression I get is of people trying to shove effort onto the developer, and being unwilling to help. There are comments that build scripts have now been located for most of the blobs, and a comment within the last day that the GRUB-related blobs are from other distributions. I'm not seeing anyone e.g. doing a CRC check on the blob vs other sources, or submitting diffs to fetch the files from another project.

The latest comment takes the biscuit: 'I promise that as soon as this gets satisfyingly fixed and the worries come down, I'm becoming a regular financial contributor. and I'm sure many in the thread will do the same.'

haha. hahahahahahahaha. bonk. They tried that before, it didn't work.

Good point on the CDROM emulator though, I use a Zalman VE300 for that purpose.