HN Reader

Motiff is Figma with AI [video] (youtube.com)

1 points by taro666 2m ago 0 comments

Hugo Administrators Resign in Wake of ChatGPT Controversy (gizmodo.com)

1 points by doctoboggan 5m ago 0 comments

Pegasus spyware creator ordered to pay WhatsApp $168M for 2019 hack (ft.com)

1 points by KnuthIsGod 6m ago 0 comments

How to Ask Questions the Smart Way (catb.org)

1 points by OuterVale 9m ago 0 comments

"Vibe Coding" by Emergent Garden [video] (youtube.com)

1 points by todsacerdoti 11m ago 0 comments

Tulsi Gabbard Reused the Same Weak Password on Multiple Accounts for Years (wired.com)

1 points by JohnTHaller 18m ago 1 comments

X402 - HTTP based payments from Coinbase (github.com)

1 points by kentf 19m ago 0 comments

Usenix Announces the Discontinuation of ATC Conference (usenix.org)

1 points by septicmk 19m ago 0 comments

Show HN: Tired of checking 10 sites for AI info? I built a one-stop feed (infobuzz.ai)

1 points by Johnnyang66 23m ago 0 comments

A tiny super fast RDBMS supports replication (github.com)

2 points by jcwang 26m ago 0 comments

Corpspeak: Infinite Corporate BS Generator (lurkertech.com)

2 points by mesarvagya 39m ago 0 comments

Reddit will tighten verification to keep out human-like AI bots (techcrunch.com)

3 points by badmonster 48m ago 2 comments

GPT-2 attention weights, visualized (amanvir.com)

1 points by venusgirdle 48m ago 0 comments

What's New in Grafana v12.0 (grafana.com)

1 points by tanelpoder 56m ago 0 comments

Rahul Goel (NordSpace) – Building Canada's Sovereign Space Launch Capability [video] (youtube.com)

1 points by Olshansky 1h ago 0 comments

News Literacy Project (newslit.org)

1 points by mooreds 1h ago 0 comments

More NIH workers laid off, including cuts at the National Cancer Institute (fiercebiotech.com)

11 points by bbzjk7 1h ago 0 comments

$360k, ultraluxury EV Cadillac Celestiq (theverge.com)

1 points by andrewstetsenko 1h ago 0 comments

We created another Kafka client for Node.js (blog.platformatic.dev)

1 points by andyfleming 1h ago 0 comments

Don't Guess (jakeworth.com)

1 points by mooreds 1h ago 0 comments

Email and password authentication should be a last resort (rant) (smudge.ai)

2 points by aaossa 1h ago 1 comments

Is Your Company Prepared for FTC's May 14 "Click-to-Cancel" Compliance Deadline? (jdsupra.com)

2 points by yawaramin 1h ago 0 comments

White House “Accelerating” Nuclear Power With Executive Orders (axios.com)

8 points by CGMthrowaway 1h ago 4 comments

An Investigation into Probabilities of Streaks in Online Chess (hdsr.mitpress.mit.edu)

1 points by aw1621107 1h ago 0 comments

Meta faces lawsuit that could dismantle it (unionrayo.com)

11 points by nreece 1h ago 1 comments

Microsoft Unveils Smaller Surfaces (engadget.com)

3 points by xgdgsc 1h ago 0 comments

Luna Parc Home and Studio (lunaparc.com)

1 points by NaOH 1h ago 0 comments

Glossary Web Component (dbushell.com)

3 points by todsacerdoti 1h ago 0 comments

Scaling Python task queues is hard (judoscale.com)

5 points by wordsaboutcode 1h ago 1 comments

Novel High Resolution 3D Printing Method for Metals and Ceramics [video] (youtube.com)

5 points by grugagag 1h ago 0 comments

Show HN: I vibe-coded some unusual transformer models (github.com)

1 points by killerstorm 1h ago 0 comments

Show HN: Agents.erl (AI Agents in Erlang) (github.com)

2 points by arthurcolle 1h ago 0 comments

NM (pienkzuit.blogspot.com)

3 points by 13hours 1h ago 1 comments

Spyware maker NSO ordered to pay $167M for hacking WhatsApp (washingtonpost.com)

5 points by elies 1h ago 0 comments

WhatsApp: Winning the Fight Against Spyware Merchant NSO (about.fb.com)

3 points by elies 1h ago 0 comments

Pg_tracing: Distributed Tracing for PostgreSQL (github.com)

2 points by tanelpoder 1h ago 0 comments

Loss of dance and infant-directed song among the Northern ACHé (cell.com)

2 points by PaulHoule 2h ago 0 comments

Uber CEO says changing employee benefits 'is a risk we decided to take' (cnbc.com)

7 points by donsupreme 2h ago 4 comments

Effects of lifestyle changes on cognitive impairment due to Alzheimer's (2024) (alzres.biomedcentral.com)

3 points by chillpenguin 2h ago 1 comments

How does Jami work on mobile without a server? (jami.net)

5 points by dotcoma 2h ago 0 comments

AI Slop Is Polluting Bug Bounty Platforms with Fake Vulnerability Reports (socket.dev)

8 points by feross 2h ago 2 comments

Show HN: Gravity Bombing: Recursive Resonance in Multi-Expert Systems"

1 points by cgi-os 2h ago 0 comments

Ghost in the Machine: A Q&A with SatoshiAI (bitcoinmagazine.com)

1 points by sagitta_on_hn 2h ago 0 comments

Age Verification in the European Union: The Commission's Age Verification App (eff.org)

3 points by Sami_Lehtinen 2h ago 0 comments

AI of Dead Road Rage Victim Addresses Killer in Court (theguardian.com)

10 points by hdk 2h ago 0 comments

Wrote a detailed playbook for incorporating security in Gen AI systems (adityarohilla.com)

2 points by nerdy_aditya 2h ago 1 comments

Cornish tin was sold all over Europe 3k years ago, say archaeologists (theguardian.com)

2 points by pseudolus 2h ago 0 comments

NSO Group must pay more than $167M in damages to WhatsApp for spyware campaign (techcrunch.com)

6 points by impish9208 2h ago 0 comments

Sincerity Adds to Drift (overcomingbias.com)

2 points by paulpauper 2h ago 0 comments

WeightWatchers Files for Bankruptcy (abc7.com)

11 points by lxm 2h ago 2 comments

iVentoy tool injects malicious certificate and driver during Win install

12 josephernest 5 5/6/2025, 9:26:35 PM github.com ↗

Comments (5)

sn0n · 24m ago
So... If I use ventoy should I worry?

*Starts looking for alternatives just cuz*

josephernest · 6h ago
(I am not the person who found it, but I reproduced and I confirm his finding)

Another source:

https://security.stackexchange.com/questions/281238/iventoy-...

josephernest · 5h ago
Up to now, I confirm I can reproduce the following steps:

- download of official "iventoy-1.0.20-win64-free.zip"

- extraction of "iventoy.dat"

- conversion back to "iventoy.dat.xz" thanks to @ppatpat's Python code

- confirm that "wintool.tar.xz" is recognized by VirusTotal as something that injects fake root certificates

The next steps are scary, given the popularity of Ventoy/iVentoy :

> Analyzing "iventoy.dat.xz\iventoy.dat.\win\vtoypxe64.exe" we see it includes a self signed certificate named "EV" certificate "JemmyLoveJenny EV Root CA0" at offset=0x0002C840 length=0x70E. > vtoypxe64.exe programmatically installs this certificate in the registry as a "trusted root certificate"

Maxious · 3h ago
JemmyLoveJenny still lives!

https://www.bleepingcomputer.com/news/security/hackers-explo...

josephernest · 3h ago
Playing devil's advocate, could it be that they require a temporary access to a customized Windows driver (and thus they fake a trusted root certificate) to make Ventoy work? If that's the case, they should have documented it properly in the source...

Or do you think it's 100% malicious?