Security and privacy Q&A

Unrelated, but Uber seems to have gotten breached in a big way. Social engineering to gain entry to VPN, then finding complete user credentials in a script on their intranet. Looks painful! It’s a dangerous world out there - and some companies’ security practices seem less than optimal.

1 Like

Unfortunately, as is ever more the case nowadays, the recommendation is appreciated but impossible to watch because I don’t happen to subscribe to that service (Peacock) out of literally dozens of such services, for which it is exclusive. :person_shrugging: I don’t have the wealth necessary to subscribe to them all so there are many good shows I will never get to watch.

1 Like

And we are hearing that the NSA tools that got out were among those used.
NSA Hack, How Was The NSA Hacker Tools Leaked - IDStrong

In other news, I just had another one of those scary “crash to boot logo” situations. The previous one was about two months ago. No suspicious websites open, just Ars Technica and Zoom.com.

I’m beginning to wonder if it’s not actually a security issue, but “just” a hardware error. Like an electrical or overheat issue with my Hynix SSD. FWIW when the crash happened I heard the soft beep-beep that I now associate with power-downs of the SLS. An application was running that has a very powerful indexing function that hammers the SSD and CPU. So maybe there’s something there, too much power draw or too much heat.

Finally bit the bullet to get rid of my security concerns, started from an early disk image from February. Funny thing: same freaking errors in the Event Viewer! FML :sweat_smile: So whatever those are, they’re not related to the crash that got me so nervous.

So the good news: seems like there’s “just” something wrong with online stored keys, leading to an occasional burst of over two hundred errors complaining about corruption of data type Windows.Data.Security.Vault.WebCredentials. Might even have been me, I manually deleted a ton of old web credentials in the credential manager at some point. Which hopefully also means the risk that I’ve lost all my saved browser passwords is less than I imagined. But not zero. Never zero. :slight_smile:

So the going theory is that the Hynix SSD occasionally does something that makes the SLS go “gulp” and crash to boot (while making a faint power-state-change beep/chirp). Either that or something else is going on with the firmware. To be safe (and wasteful…) I’m now using a Samsung 980 SSD, so let’s see if the crash recurs. On the Hynix I got a crash-to-boot every two months so this test will be slow. Fingers crossed that it’s fixed, hope to never see that again!

2 Likes

So it looks like you still have something going on. Trust store write-outs are normally supposed to be immediate, but I’m wondering if they are getting delayed and thus showing as error/invalid.

We have seen something like I’ve described when we update the SSD hardware with a model that is “new” to Windows.

Have you tried temporarily turning off delayed writes? Not suggesting this as a long-term fix, but as diagnostic.

Where I’m headed with all this (and your swapping to a Samsung drive, which is a “blessed” drive for Surface devices, might also reveal a lot) is that there is a chance that you have corrupted firmware in the Hynix.

That’s quite rare, but it does happen.

The other thing that is remotely possible, and I don’t want to overly alarm you, is that there is some malware out there that can actually embed itself in device firmware to circumvent attempts to remove it by reinstalling the OS. It’s EXTREMELY RARE, but it’s not zero either, as last year one of our customers in Vietnam had some affected systems that got it via a bogus system firmware update.

Regardless, I would strongly recommend installing the Hynix disk tools, as that was finally what led to us and the customer figuring out the root cause of the issue: their drive manager would crash with weird errors when attempting to manage/configure the drive.
Download – SK hynix SSD

BTW use caution with this, as with any low-level tools, as it’s possible to accidentally bork the drive.

PS: Allegedly you can thank the NSA for figuring out the trick of embedding malware in device firmware instead of the OS

Thanks for the continued engagement with this thread! :slight_smile: The Hynix drive is out of the picture, I’m all in on the Samsung which is more of a known quantity for me, it’s probably less likely to have firmware issues.

As for corrupted/infected firmware, yeah, it’s crossed my mind since this unit is actually a Best Buy “open box”. When I got it I was presented with the standard Win11 OOB experience, and I didn’t question it. Yesterday I imaged the original “Best Buy” 256GB drive onto the Samsung SSD, so if the original Win11 was infected, I’m still in the same situation.

Note that I did not (of course) manually download firmware from some suspicious site, so unless the prior owner was doing this (unlikely), I don’t see how it could have gotten onto this machine. I mean if the bad guys are able to inject things into the normal Windows Update process we’re all screwed. :sweat_smile:

But. The entire security freakout was because of a hard crash much later, followed by the (always dangerous) peeking at the logs. :vb-grin: I truly think it’s more likely that the hard crash was SSD firmware/hardware related, and that the errors were due to me doing nonstandard things.

Example nonstandard thing: I set up Windows with the username as an old main Outlook alias, and afterward switched my alias back to a new one. Say my old email was JoeS@outlook so my user folder was set up as c:\users\joes but now I’m logging in as josephs@outlook (now the main alias on my account). I can imagine that MS hasn’t made all corners of Windows resilient to that kind of user behavior.

I’m happy to offer any insight or info I can, and reciprocally, I almost always learn things from relatively esoteric issues like these as they often occur to other “advanced” users in our customer base too.

And again, some of the stuff I’ve talked about is extremely unlikely, but OTOH it’s never zero and the fact that you are knowledgeable ironically raises the possibility that it is something rare.

And I’m definitely perturbed by examples in our customer base like the one I mentioned awhile back in the thread where a customer’s service provider was the ultimate source of some malware.

1 Like

More as a note to myself than anything, as I’m pondering whether the crash to boot is not the fault of the SSD but instead SLS power circuitry related, specific to my unit.

I’ve seen the crash-to-boot twice, in both cases connected to a Lenovo TB3 dock. These are two different docks at different locations, so it’s not that one specific power supply is causing problems. I’ve been having issues with Anker USB-C docks as well (two different models), with ‘USB unplugged’ sounds at random moments.

What these issues have in common is that they’ve always happened with some kind of power delivery/passthrough going on, either PD via the Anker docks, or PD via the TB3 dock. So I wonder if there’s something there. Hard to troubleshoot, so for now I’m leaving things as is, and see if it reproduces.

In the meantime I’ve got myself a nice Hynix NVMe external SSD backup solution into the bargain. Sure I lost most of my Sunday and about $200, but I’m trying hard to ignore that. :slight_smile:

Well that’s intriguing actually, and you know how often I go off about how common it is for the myriad docks and adapters not to be “up to spec” in one way or another.

And it is very much a “Surface” issue to reset the power bus when it gets in an error state. That’s the primary reason we still have a Surface dock and several genuine MS power supplies in our test lab; they serve as a “known good” test base to troubleshoot other issues.

Though as an aside, the Surface dock does have a couple of odd edge case HDMI issues…

Speaking of which, and off-topic (equally off-topic as the previous few posts…), yesterday after I booted off the original 256GB SLS SSD, as I was imaging the drive to my 2TB Samsung SSD (connected in an external caddy to my Anker USB-C dock), the HDMI dock output to my monitor started flickering terribly.

Looks like whatever components Anker went with didn’t anticipate data rates getting high enough to squeeze out display info over the same connection. Doesn’t seem to have damaged the drive image, but initially a bit unnerving nonetheless.

1 Like

Yup, seen that as well (Dell’s docks are notoriously prone to it), though disk reads/writes should have priority over anything else, to preserve data integrity.

1 Like

By the way, if anyone knows of a clean solution to glue the decorative plastic strip back under the edge of the SLS, I’d be interested. Photo glue or double sided tape, that is the question. I mean it’s mostly back on, but it could be more secure.

This looks more than a bit disturbing, even taking into account Ars’ propensity for hyperbole. Especially due to its cross-platform nature and the ability to embed itself in routers, which will facilitate transmission.

Never-before-seen malware has infected hundreds of Linux and Windows devices | Ars Technica

1 Like

So I’m thinking my tinfoil hat is on so tight that it’s restricting bloodflow to my head, but…

Today I went to my MS account info online to see if I could reset any saved passwords, and in one of the settings I found that the languages associated with my account were English (US) and Ethiopian. Wait, what??? Now I’m getting even more paranoid…

Finally they acknowledge your polyglotism.

Hmm, your post made me take a look at mine and my wife’s out of curiosity. Mine has Portuguese and hers has French associated with them.

Makes me wonder if there is some arcane backend reason, and that all accounts have a secondary language associated for some non-obvious reason.

1 Like

Another day another hack. This one as with most of the very successful ones, has a large social engineering component to it.

According to our own security consultant, the Red Cross and Salvation Army were among the more notable affected.

Numerous orgs hacked after installing weaponized open source apps | Ars Technica

Hey, thanks for checking! Makes me feel a little better. Something that doesn’t make me feel better: (failed) attempts from China to use IMAP to sync to my email account…

@Desertlap I think what those mean is that my email was in a password breach, with some password for whatever service was breached, and people see if that password also works on my email account. It shouldn’t because I don’t reuse important passwords. Still a little unnerving, I wonder if using IMAP is a way to get around 2FA.
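The pattern described in the post above (a leaked password from some other breach being tried against the mailbox over IMAP, a basic-auth path that a 2FA prompt never covers) is something a defender can spot in sign-in records. The script below is an added example, not from anyone in this thread; the CSV layout, the user names, the country codes and the alert thresholds are all constructed assumptions.

```python
"""Flag credential-stuffing style IMAP attempts in constructed sign-in records."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample records (not real log data): timestamp,user,protocol,result,country
SAMPLE_LOG = """\
2022-09-18T02:11:05Z,joe@example.com,IMAP,failure,CN
2022-09-18T02:11:09Z,joe@example.com,IMAP,failure,CN
2022-09-18T02:11:14Z,joe@example.com,IMAP,failure,CN
2022-09-18T02:12:01Z,joe@example.com,IMAP,failure,CN
2022-09-18T09:30:00Z,joe@example.com,Browser,success,US
2022-09-18T10:05:22Z,ann@example.com,IMAP,success,US
2022-09-18T11:40:13Z,ann@example.com,IMAP,failure,CN
2022-09-18T11:40:20Z,ann@example.com,IMAP,success,CN
"""

FIELDS = ["timestamp", "user", "protocol", "result", "country"]
# Basic-auth mail protocols: a password alone is enough, no second factor is asked.
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP-AUTH"}


def parse_log(text):
    """Parse the constructed CSV format into a list of dict records."""
    return list(csv.DictReader(StringIO(text), fieldnames=FIELDS))


def find_stuffing(records, home_countries, threshold=3):
    """Return {user: [(country, failures), ...]} for users with at least
    `threshold` failed legacy-protocol sign-ins from a non-home country."""
    fails = defaultdict(int)
    for r in records:
        if (r["protocol"] in LEGACY_PROTOCOLS and r["result"] == "failure"
                and r["country"] not in home_countries):
            fails[(r["user"], r["country"])] += 1
    alerts = defaultdict(list)
    for (user, country), n in sorted(fails.items()):
        if n >= threshold:
            alerts[user].append((country, n))
    return dict(alerts)


def legacy_success_outside_home(records, home_countries):
    """Successful legacy-protocol sign-ins from a non-home country: the case
    where a reused password worked and 2FA was never in the loop."""
    return [(r["user"], r["country"]) for r in records
            if r["protocol"] in LEGACY_PROTOCOLS and r["result"] == "success"
            and r["country"] not in home_countries]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("bursts:", find_stuffing(recs, {"US"}))
    print("legacy successes abroad:", legacy_success_outside_home(recs, {"US"}))
```

The second function is the one that matters most: a single successful IMAP login from an unexpected place is the signal that disabling basic-auth protocols (or app passwords) on the account is overdue.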