Seriously or "FUD"?

donald
Full of knowledge
Posts: 2064
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Seriously or "FUD"?

Post#1 by donald » 30 Aug 2017, 13:57

If I understand this correctly, we no longer have control
over what is happening on our computers.
(Have we ever been in control?)

be warned, much text
https://chiefio.wordpress.com/2017/02/0 ... rocessors/

donald
Full of knowledge
Posts: 2064
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Post#2 by donald » 31 Aug 2017, 14:47

Hi

So far, I've been lucky. I have always used AMD processors
and production years before 2012/13 do not seem to be affected by this.

I found some technical articles about it and also some videos where people were speaking
about it at hacker conferences.

But why is it so quiet in the community?
I would have expected a "shitstorm".
Doesn't anybody know or does nobody care anymore?

OK, as a Windows user one might think, who cares, the system is open anyway.
But the Linux / BSD guys..??
Only the libreboot guys have a clear opinion about how to proceed.

Or is it all just half as bad in the end? - I'm not so sure about that.

amity88
Ronin
Posts: 3
Joined: 29 Sep 2017, 21:26
Distribution: Gentoo Slackware FreeBSD

Post#3 by amity88 » 30 Sep 2017, 04:52

@donald,
Joanna Rutkowska (the one who's quoted in your link) is a respected security researcher. She has even created a distro that uses virtualization to isolate vulnerable processes.

This is kinda like a rumour, there is a bit of truth to it but it's not entirely true. From what I understand, the Intel ME gives an array of features for enterprise admins to remotely manage user systems. This is kinda like a double-edged knife: on one hand it's convenient, while on the other there is a new attack vector.

In my opinion, there is no need to panic, but ensure that your systems are configured properly. Restrict local access with locks/passwords etc., restrict remote access with a decent peripheral firewall and, most importantly, disable features that you don't need like the Management Engine (ME).

From what I've seen, security is a process rather than something that has a quick fix. As convenience increases, security usually reduces (kinda why Windows is relatively less secure by default). You need to find a balance depending on the threat model (are you defending against an annoying sibling vs. protecting against a malware writer?).

brokenman
Site Admin
Posts: 6105
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v4 all desktops
Location: Brazil

Post#4 by brokenman » 30 Sep 2017, 20:15

amity88 wrote:
30 Sep 2017, 04:52
From what I've seen, security is a process rather than something that has a quick fix. As convenience increases, security usually reduces (kinda why Windows is relatively less secure by default). You need to find a balance depending on the threat model (are you defending against an annoying sibling vs protecting against a malware writer)
This is the most sensible statement I've seen for ages. You guys should listen to amity88. Sage advice. :good:
How do i become super user?
Wear your underpants on the outside and put on a cape.

donald
Full of knowledge
Posts: 2064
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Post#5 by donald » 30 Sep 2017, 22:49

All well and good and right, but the feeling that you can't trust
any hardware nowadays is growing.
Be it routers with hidden hardcoded admin access or undocumented
closed source firmware blobs.
Even if there is a documentation, I'm not convinced that every function
is described in it.
And just because there is an option to disable the Management Engine doesn't
mean that it is truly switched off.
Anyhow, a thing with network/remote access which runs before anything else and
cannot be scanned/reviewed is suspicious by default, imo.

brokenman
Site Admin
Posts: 6105
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v4 all desktops
Location: Brazil

Post#6 by brokenman » 01 Oct 2017, 16:05

donald wrote:
Anyhow, a thing with network/remote access which runs before anything else and cannot be scanned/reviewed is suspicious by default, imo.
Yeah, that was exactly my thought. What is the point of this? The answers are rather limited.

As computers get smaller and cheaper we're less likely to build our own as it was in the days before laptops. I built all my own boxes part by part. I researched each part, bought them, tested them and installed them. It was part of the fun. Now we buy integrated. Pre-rolled and potentially (as the person in the article puts it) buggered.

One of the reasons I got into Porteus was so I could run a system that I knew. A system that I controlled what was going on behind the curtains. Now it's the hardware we have to worry about? Sheeesh.
How do i become super user?
Wear your underpants on the outside and put on a cape.

amity88
Ronin
Posts: 3
Joined: 29 Sep 2017, 21:26
Distribution: Gentoo Slackware FreeBSD

Post#7 by amity88 » 02 Oct 2017, 12:53

@donald,
While I understand your concern, it still feels very speculative. A flaw in the ME was discovered and it's getting drummed up into a big conspiracy theory. Let's look at it objectively, there are 3 points:

1. It runs on hardware before any OS starts
2. It has network access and can control the device
3. There's no real documentation


Pt1 means that you have very limited options to truly control it from the device in question.
Pt3 means that you don't know if a workaround can be found. Also causes a trust-deficit.
Now Pt2 is the real kicker, but it is also dependent on other devices outside of your ME-enabled Intel box. If this is a remote attack, they need to get the control packets into this specific device. Possible.... but you can definitely control this with a good peripheral firewall/rules. The other scenario is an attack happening from the device itself, iow malware running on your OS; in this case do they really need to use the ME as a roundabout way to attack?

Also, if it's enabled and listening for remote commands, shouldn't you be able to discover it by sniffing the packets from your PC and/or maybe with a port scan?

@brokenman,
I actually think that we have to worry about the whole system (hardware + software + firmware). H/w because of the same observations that you've made. Systems are getting complex, we're in the era of complex SoC. Things are made cheaper so there is less time/money in designing & testing them well.

Firmware, cause at the end of the day you need to use the proprietary blobs to use stuff like WiFi. We're worrying about the ME when the NIC itself could have a backdoor :wall:

And finally there is the software. I think this is actually the most vulnerable of the three. Sure, Linux is open and you have many eyes watching etc., but practically how many of them look at the right parts of the code? And of the ones who do, how many are actually competent enough to discover the hidden backdoor?
Case in point: Debian maintainer introduces a subtle bug that made SSL insecure
Compile-time introduction of backdoors. You won't find it when auditing the source code

Linux development is so rapid & decentralized and parts of it are so complex that it doesn't seem very hard to introduce such subtle differences. I feel that as code gets more mature, these things get caught, but as I said earlier, the development is rapid. So, you'd have new features that introduce more bugs and also take away time that could be spent on code audit.

Linux Kernel vulnerabilities
Vulnerabilities in Windows base install
Vulnerabilities in FreeBSD base install

donald
Full of knowledge
Posts: 2064
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Post#8 by donald » 02 Oct 2017, 20:59

@amity88

I tend to look at it from a different angle.
What is the ME good for, for a typical home user -- nothing imo,
so why do they plant it on every cheap consumer motherboard/PC?

As for the "conspiracy theory", remember what the "tinfoil heads"
told us before Snowden? - and yep, they have been right...

In a worst-case scenario one has an (ME-enabled) PC protected by a Cisco router/firewall,
then you have already lost, no?

Sniffing the traffic might be a way to go, but this thing has a timer included;
so when exactly does it wake up? - once a month? Who knows.

To be honest, I'm not as much concerned as it may sound.
But I still believe that the meaning of life is not becoming
a slave to the corporations which decide for me what I need and what I need not.

donald
Full of knowledge
Posts: 2064
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Post#9 by donald » 28 Oct 2017, 11:54

Google wants servers without Intel ME and UEFI
https://www.phoronix.com/scan.php?page= ... UEFI-Linux

.....they probably have good reasons....

donald
Full of knowledge
Posts: 2064
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Post#10 by donald » 09 Nov 2017, 06:27

Ron Minnich -- Software Engineer at Google
provides some interesting insights about Intel's ME and UEFI
https://www.youtube.com/watch?v=iffTJ1vPCSo

donald
Full of knowledge
Posts: 2064
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Post#11 by donald » 21 Nov 2017, 16:59

Whoever still doesn't believe, read
https://www.intel.com/content/www/us/en ... tware.html

No comment...
