I also dislike telemetry and disable it everywhere, but what I really like about Valve's approach is that they actually ask you if you want to send this telemetry, and they show you exactly what they will send if you agree. That is actually informed consent; that is really good.
ASUS used to be my go-to choice for motherboards. Sad to see how far they've fallen. (Seriously, no bug bounty for RCE??)
Man found an RCE and ASUS decided to give a middle finger as a reward. Whelp. Next time, to the black hat forums, I guess.
The fact that you need an Electron app (Armoury Crate), which you can only run on Windows, to manage your PC, and that it has 50+ services, is already enough to tell ASUS to fire their management and developers.
You learn over time that most people honestly do not know what they're doing
ASUS doing shout-outs and no bug bounties is a massive security issue and screams of a company that couldn't care less about security. I can imagine multiple people just holding on to these vulnerabilities and handing them to people willing to pay for them. ASUS is entirely unsafe. Companies and governments using ASUS PCs should be notified immediately.
Didn't even give him credit on the CVE... that's LOW.
GAMERS NEXUS MENTIONED THIS LIKE A YEAR OR TWO AGO! Holy cow. He flat out predicted "that this will totally not be a perfect day 0 exploit". EDIT: The video in question I mentioned is "Unhinged Rant About Motherboards" from Gamers Nexus, at minute 13:00.
Imagine an always-online BIOS. Certainly dystopian.
As such a small company, they couldn't afford to maintain all four letters anymore and decided to drop the 'A'.
I feel like not paying bug bounties is a good way to turn white hats into gray or even black hats. Not the best course of action in the long run...
Asus has been bad across the board on software security for quite some time. I'd love to sponsor an audit of their router OS someday soon. It's just DD-WRT with a bunch of poorly coded extra jank.
For 7:27, I do have to mention that the Steam Hardware Survey isn't spyware by purpose. It's a survey to help developers decide whether targeting a certain platform is worth it or not. I do take part in these surveys, mostly just to boost Linux in the OS share lol.
It's amazing how many giant security holes are just "I noticed something weird and messed around until I got way more access than I should have".
"I expect UEFI/BIOS devs to be highly skilled [...]" It's very likely that the UEFI devs, DriverHub devs, driver devs and web devs are four different teams, maybe even in different departments, maybe even partly outsourced to a different company. Feature requirements got passed through layers of product managers, and questions/protests were answered with a "shut up, this is going to be a convenient feature for end users".
The scary thing is that Armoury Crate autoinstall simply exploits Windows Update driver installation. All the BIOS option does is create a virtual hardware device. Windows sees that device and automatically installs the driver software package for the device. The driver software has to be WHQL certified, but apparently that doesn't mean much. This is why Razer Synapse pops up on your PC the moment you plug in a Razer mouse. This means that any manufacturer that can get a driver package onto Windows Update can basically run code as administrator on almost any internet-connected PC by simply plugging in some hardware with their matching hardware ID. The security implications of this are kind of wild.
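A defender-side check for the mechanism the comment above describes. This is an added example, not code from the video, the commenter, ASUS or Microsoft: it reports whether Windows is allowed to fetch drivers from Windows Update, and lists present Plug and Play devices whose driver provider is not Microsoft together with their hardware IDs, so that a vendor-created virtual device and the driver package it pulled in stand out during an audit. The registry values and DEVPKEY property names are the ones I know from Windows documentation; treat them as assumptions to confirm on your own build.

```powershell
# Added example (not from the video or any vendor): audit automatic driver
# download and enumerate non-Microsoft drivers on present devices.
# Run from an elevated PowerShell on Windows 10/11.

# 1. Policy that keeps drivers out of Windows Update quality updates.
#    Assumed documented value: ExcludeWUDriversInQualityUpdate = 1 excludes them.
$wuPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$excludeWu = (Get-ItemProperty -Path $wuPolicy -Name ExcludeWUDriversInQualityUpdate `
              -ErrorAction SilentlyContinue).ExcludeWUDriversInQualityUpdate
$excludeWuText = if ($null -eq $excludeWu) { 'not set (default: drivers allowed)' } else { "$excludeWu" }

# 2. Device-installation search order.
#    Assumed documented value: SearchOrderConfig = 0 means never search Windows Update.
$searchKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching'
$searchOrder = (Get-ItemProperty -Path $searchKey -Name SearchOrderConfig `
                -ErrorAction SilentlyContinue).SearchOrderConfig
$searchOrderText = if ($null -eq $searchOrder) { 'not set (default: searches Windows Update)' } else { "$searchOrder" }

[pscustomobject]@{
    ExcludeWUDriversInQualityUpdate = $excludeWuText
    SearchOrderConfig               = $searchOrderText
} | Format-List

# 3. Present devices whose driver did not come from Microsoft, with hardware IDs.
#    A firmware feature that exposes a virtual device shows up here with the
#    vendor's hardware ID and the provider of the package Windows installed for it.
Get-PnpDevice -PresentOnly |
    ForEach-Object {
        $dev      = $_
        $provider = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                     -KeyName 'DEVPKEY_Device_DriverProvider' -ErrorAction SilentlyContinue).Data
        $hwids    = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                     -KeyName 'DEVPKEY_Device_HardwareIds' -ErrorAction SilentlyContinue).Data
        if ($provider -and $provider -ne 'Microsoft') {
            [pscustomobject]@{
                FriendlyName   = $dev.FriendlyName
                Class          = $dev.Class
                DriverProvider = $provider
                HardwareIds    = ($hwids -join '; ')
            }
        }
    } | Sort-Object DriverProvider | Format-Table -AutoSize
```

The output is a review list, not a verdict: a non-Microsoft provider is normal for GPUs, chipsets and peripherals, so compare the hardware IDs against the devices you know are physically present and follow up on anything that exists only because a firmware option created it. Setting the two registry values through Group Policy is the supported way to stop the automatic download entirely on managed fleets.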
Armoury Crate (and a few other similar vendor programs) are the worst. Go through a suspiciously long multi-stage gauntlet of loading screens and reboots to install the application, then further loading screens (again, sometimes minutes long on fast hardware and a gigabit connection) to install plugins and packages to get the utility you actually want. All of this just to access a basic utility like fan speed or RGB selection, which could easily have been a portable executable of <10 MB.
I think we left the "it is very complex, so they know what they are doing" era a long time ago. Anything complex nowadays is tackled by whoever is enthusiastic enough to just keep tinkering, and as soon as they say "wow, I got something to work!", management takes over and puts it in prod. The tinkerer will probably yell a lot about it being unfinished, unsafe and unstable, and will then be ignored.
This is my experience of why bug bounties are a PITA: you find out the core systems used by a megacorp are total garbage, and sometimes they'll give you "a shout-out", or even get mad and try to go after you for finding it in the first place.
@LowLevelTV