CPU backdoor within an Intel CPU?


Red Squirrel

No Lifer
May 24, 2003
67,395
12,141
126
www.anyf.ca
I just realized how annoying it is when people keep on bringing up "tinfoil" after Snowden.

Yeah it's pretty much been proven now and even the government has admitted to all this spying stuff. That's what we know, it's probably even worse than what we know. Then just look at how companies like google and FB are collecting so much data on us too, those are pretty much facts at this point, not conspiracies. The sad part is most people seem to just accept it.

Hopefully someone will figure something out to disable this thing, it might be something as simple as bridging or cutting some pins or something. But then how do you know it really worked...
 

Keljian

Member
Jun 16, 2004
85
16
71
Ok - so let's look at it this way:

If you have something to hide, and you hide yourself/make yourself as anon as possible, you start losing functionality - ads get less targeted (knew you wanted a Russian bride) and you end up chasing your tail and sniffing every packet that goes in either direction on your net connection.

If you do not have something to hide, you give up some anonymity for features. You can't have it both ways.

I draw the line at blocking based on blocklists (including some ad trackers) and blocking certain types of traffic.

Am I completely secure? nope. Every driver, every piece of software, every non plaintext file (eg ppt/doc/zip/etc) is a threat surface. It's not about protecting against every threat, it's about protecting against the threats you can within reason.

Do I care what the government(s) see? really I don't have anything of great value to the government(s) and don't pose any kind of threat to anyone, for the most part, I don't care and I don't need to

As an aside: there is not a single OS out there that doesn't potentially have a kernel backdoor, Linux, BSD, MacOS .. you name it, all have potential backdoors. When you start getting THAT paranoid - overkill.
 

Red Squirrel

No Lifer
May 24, 2003
67,395
12,141
126
www.anyf.ca
Ok - so let's look at it this way:

If you have something to hide, you start losing functionality - ads get less targeted (knew you wanted a Russian bride) and you end up chasing your tail and sniffing every packet that goes in either direction on your net connection

If you do not have something to hide, you give up some anonymity for features. You can't have it both ways.

I draw the line at blocking based on blocklists (including some ad trackers) and blocking certain types of traffic.

Am I completely secure? nope. Every driver, every piece of software, every non plaintext file (eg ppt/doc/zip/etc) is a threat surface. It's not about protecting against every threat, it's about protecting against the threats you can within reason.

Do I care what the government(s) see? really I don't have anything of great value to the government(s) and don't pose any kind of threat to anyone, for the most part, I don't care and I don't need to

And that's the kind of attitude that is dangerous. We should not just wilfully share our info just because we have nothing to hide. I don't want anybody getting into my life. It's the same reason I have curtains on my windows at home.
 

SinOfLiberty

Senior member
Apr 27, 2011
277
3
81
Like 980TI owners who say pascal does not OC well. Butthurt that they got spanked by nvidia, again!


Threadcrapping and trolling are not allowed
Markfw900
 
Last edited by a moderator:

imported_ats

Senior member
Mar 21, 2008
422
63
86
I think it's time to start using FPGAs for computers or something...Maybe the open source community can get such a project going. Getting ridiculous, bad enough that you can't trust software but at least you can move to open source, but now we can't trust hardware either. Is there even anything that can be done to block this at the firewall? Problem is the firewall cpu will probably have this too...

TYL that FPGAs have a hardware engine that is 100% proprietary and controls everything that is loaded into the FPGA. Or that FPGAs build sets are generally 100% opaque.
 

cytg111

Lifer
Mar 17, 2008
23,210
12,854
136
It is not JUST about IME, it is the sum of things profiling and looking over our shoulders.

The argument: "are you using a smartphone? cause then you're already effed" - is a monumental error in judgement imo.
Do I use apps? Yes those that don’t pry. If I facebook on the phone it is in chrome, not the app. Small things you can do to gain a lot, but of course not all. The premise that I should just give up on my rights because “I am already using a smartphone” is, well, maybe those kind of arguments really serves to put some spotlight on the poster rather than the issue itself. Shrugs.

Everybody has something to hide. Their privacy. There is a reason we have laws for this. On a fundamental level I don’t mind my government spying on me based on the knowledge that the day they come knocking on my door it is cause I'm cooking a nuclear device in my basement or something similarly sinister. The problem here is that I don't trust the government with my data. I KNOW they're gonna leak it at some point. My government can have it, google ms facebook and apple can not.

Surveillance and big data. You have got to understand what is going on right now. Companies, google, Microsoft, facebook is listening in on your phone calls, scraping your messaging history, watching you over the cam, listening to your keystrokes, track everything you do online and offline, everything short of ramming a cam up your collective beeps and out the other end JUST to watch what the hell you are watching right now.
For what? To gain a 0.2% edge in serving you an ad up where they already put a camera.
Now take all this big data and put machine learning on top.
At some point these big data constructs, intelligence factors will reach a point where they know you better than you know yourself. What does that mean? Really? Loss. Of. Freedom. You’re not driving the car anymore buddy. Compare it to the bad girlfriend experience, I bet we have all had it, the one where after the breakup you go “why the hell did I do all that”.
THAT is what you, we all, stand to lose, you ign.. nice and good people :)
 

Madpacket

Platinum Member
Nov 15, 2005
2,068
326
126
From the lovely Joanna Rutkowska, who any self respecting geek must have a little crush on, has a few things to say on the matter ;

http://blog.invisiblethings.org/2015/10/27/x86_harmful.html

her paper

http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

summa summarum

"Finally, the Intel Management Engine (ME) technology, which is now part of all Intel processors, stands out as very troublesome, as explained in one of the chapters above. Sadly, and most depressing, there is no option for us users to opt-out from having this on our computing devices, whether we want it or not.
The author considers this as probably the biggest mistake the PC industry has got itself into she has ever witnessed."

And to get in front of the fan based culture blowback ;

"But is the situation much different on AMD-based x86 platforms? It doesn’t seem so! The problems related to boot security seem to be similar to those we discussed in this paper. And it seems AMD has an equivalent of Intel ME also, just disguised as Platform Security Processor"

But the whole read is excellent.

Thanks for the links. Very helpful.

I encourage others to read her paper. For me Intel ME (and other tech like it) is easily the most worrisome aspect (can't disable it, can't audit the code, can't really monitor it, can't really reverse engineer it and if you could you still wouldn't know exactly what it does).

I still stick by last statement. If paranoid use an older Core 2 Duo or equivalent CPU without any sort of management engine on die, reflash with open source firmware / auditable code and stick to OS's like Qubes or TailsOS.

For the really paranoid no internet connectivity at all and work inside a faraday cage :D
 

Keljian

Member
Jun 16, 2004
85
16
71
Ok, you review every piece of code which runs on your computer including the uefi- I have better things to do with my time
 

ehume

Golden Member
Nov 6, 2009
1,511
73
91
I don't run a server. Why would I want remote management? Seems that Intel is spending money to give me something I don't need or want.

So what if Intel hides the ME code? NSA physical spies make their way into where the code is hidden . . . or Russian, or Chinese, or Indian or Israeli spies?

I think we will all have to adopt the transparency mode that Ben Franklin used in France. John Adams despised it (and Franklin), but it reassured the King of France enough that he bankrupted his government supporting ours. In a time of Snowden, it seems to me that this is the only approach that will work.

Of course, BF was a genius.
 

Mike64

Platinum Member
Apr 22, 2011
2,108
101
91
If you are, then you should stop using computers at all. Or just keep your computer off the internet.
Or just don't put anything that sensitive** on your computers in the first place. (Or if you have "information" you really must work with on a computer at some point like spreadsheet or analytic data, or media files) keep it on a flash drive (preferably several, as backups) and wipe the relevant cache/temp files every time you work with it while your machine is physically disconnected from your ISP connection.) I realize that most people under the age of roughly 30 only dimly understand the concept, but paper, manual writing implements, photocopiers, and for that matter fax machines, do in fact still exist:biggrin:, and a computer printer without wifi or a built-in cache couldn't betray you no matter what nefarious firmware anyone might theoretically manage to slip onto it.;)

________________________________________
** I say this keeping in mind that 90% of the people who post about this on the Interwebz don't have anything sensitive enough on their computers for anyone with a brain to worry about it in the first place. (No one, except maybe the copyright owners, gives even half a dead rat's ass about your collections of illegally downloaded porn.:D) Of the remaining 10%, maybe 9% are people who have reasonable concerns about proprietary business/trade data not falling into competitors' hands (not likely given the nature of the security issues being discussed here), and maybe, just maybe, 1% of them really have anything worth hiding from the types who're in a position to utilize the backdoors at issue here. (The vast majority of the latter sort of people presumably know better than to even hint at their vulnerability by pointlessly ranting about it - even "anonymously" - on public websites.;))
 

cytg111

Lifer
Mar 17, 2008
23,210
12,854
136
For the really paranoid no internet connectivity at all and work inside a faraday cage :D

Indeed, already thought about that :), if one were tinfoil inclined you could at least shutdown the 3G modem with a faraday cage in the casing.
 

ShintaiDK

Lifer
Apr 22, 2012
20,378
145
106
Google for example is a company that lives by selling your privacy, that's their entire business. So if you use Chrome, Google search, Gmail etc you are on that boat. Same applies for so many others that people use everyday. Any "theoretical" hardware spying would be the least of my concerns in terms of privacy. Also there is no need to spy on you via hardware, when you got much better options via software. So even if you go by the tinfoil route, it's still a bad way of getting the data.
 

cytg111

Lifer
Mar 17, 2008
23,210
12,854
136
Yea sure, if you are Google. If you are government? If you are a Russian hacker?

http://www.trendmicro.com/vinfo/us/...y-series/global-black-market-for-stolen-data/

Black market big data is a growing industry.

You could easily put forth an argument that the best 'paying off' malware is that which does not cause immediate harm to a system (as opposed to ransomware) but 'just' listens in, collecting that ripe big data.
The IME would be a good place for such a silent partner would it not?
How many botnets already do this?

And if that big data is ripe enough I have no illusions that a company like google or apple or facebook or otherwise will find a way to buy/acquire it somehow.
 

ShintaiDK

Lifer
Apr 22, 2012
20,378
145
106
IME/PSP is a terrible vector for it. UEFI is a better place for that matter.

Everyone uses social engineering for a good reason.
 

Loser Gamer

Member
May 5, 2014
145
7
46
If you have something to hide don't do it on a computer and don't tell anyone. Also try not to even think about it because they may be able to transfer your brain frequency into words. And yes they can steal the frequency from a PC when it's offline and get readings from it. The secret is everything has a frequency including your body, the atmosphere and the earth.

Also they can see through your walls so you can't write on paper. Why do you think lead paint was banned? Because it hindered their way into the homes. Yes that's a chunk of lead on your chest when you get a tooth x-ray.
 

TeknoBug

Platinum Member
Oct 2, 2013
2,084
31
91
What's bad about this is when some hackers (a matter of time) figure out how to get control of these. There's already a handful of supposedly well secured websites and services being broken into.

My job involves security, it's becoming a little less comfortable by the day to have encrypted data on whatever media I have because it's going to be on a system with such a backdoor.
 

cytg111

Lifer
Mar 17, 2008
23,210
12,854
136
IME/PSP is a terrible vector for it. UEFI is a better place for that matter.

Everyone uses social engineering for a good reason.

Last round, I promise. You use social engineering when you go spear hunting, i.e. not big data. (Kevin Mitnick, The Art of Deception, great read too.)
 

DrMrLordX

Lifer
Apr 27, 2000
21,635
10,852
136
The only solution to reduce government spying are things like open hardware initiatives.

Makes you wonder what OpenPOWER platforms look like wrt privacy concerns. OpenPOWER hardware + POWER Linux = how many potential backdoors?

I think it's time to start using FPGAs for computers or something...Maybe the open source community can get such a project going.

My general impression of FPGAs is that they tend to be pretty expensive and that for "general purpose" computing they're pretty slow. We'd be paying out the yin-yang for a device that could be configured to run any kind of x86 code we're used to using on our desktop at an acceptable speed.

I don't run a server. Why would I want remote management? Seems that Intel is spending money to give me something I don't need or want.

Intel does this in many ways, such as by providing special features on Xeons designed for select customers but present and enabled for everyone. Documentation? Forgetaboutit. You don't know what that silicon is capable of doing.

What's bad about this is when some hackers (a matter of time) figure out how to get control of these. There's already a handful of supposedly well secured websites and services being broken into.

My job involves security, it's becoming a little less comfortable by the day to have encrypted data on whatever media I have because it's going to be on a system with such a backdoor.

When you consider how many contractors are employed by Federal military and intelligence agencies, you have to think that at least a few of them have already figured out a number of backdoors which they have quietly socked away for a rainy day.

As for privacy . . . what was once seen as a right in the United States is now seen as a threat. You could buy a small parcel of land, set up a utilitarian building featuring a Faraday cage and lead lining, set up noise generators, and make sure some layer of the exterior was hardened against undetectable physical breach (if concrete + rebar, would have to be thick) and get on all kinds of watch lists even if the building were empty and had nothing going on inside. The mere fact that much if not all of the building's interior would be resistant to CIA/NSA/FBI monitoring would raise alarm bells all across the Federal security sector.

It doesn't matter what you are doing. It matters if you are trying to make it difficult for someone to know what you are doing.

The entire idea that the ME/IME is a "hard target" is a joke. All that the NSA has to do is issue a National Security Letter to Intel demanding access to a particular generation of MEs to conduct an investigation. What is Intel going to do about that? Nothing. Everything will be conducted either without court approval or with a rubber-stamp from a secret court.
 

bystander36

Diamond Member
Apr 1, 2013
5,154
132
106
And that's the kind of attitude that is dangerous. We should not just wilfully share our info just because we have nothing to hide. I don't want anybody getting into my life. It's the same reason I have curtains on my windows at home.

The reality is, there is nothing we can do about it. You can let it consume you, or accept it.
 

Red Squirrel

No Lifer
May 24, 2003
67,395
12,141
126
www.anyf.ca
The reality is, there is nothing we can do about it. You can let it consume you, or accept it.

That's like saying you should just accept the reality that someone just broke into your house and move on and not do anything about it.

Accepting violation of privacy should not be something we just accept. Something needs to be done. I don't know what, but something needs to be done. We need to fight this. Everywhere you look now, you have companies and government wanting to know our every move and having full access to everything in our lives, it's ridiculous.
 

ReignQuake

Member
Dec 8, 2015
86
5
11
That's like saying you should just accept the reality that someone just broke into your house and move on and not do anything about it.
Where I am the police don't attend for car thefts or theft recovered cars that are severely damaged. The police also have a policy of only attending house break-ins if you have an odd house number. That is the reality and you can do nothing but accept it.

Nobody is ever going to abide by our rules, laws, or wishes. Ever. Even the German Chancellor is directly spied on. Some countries spy on everyone just for the advantages. These computer features are never going away and we'll never have the choice to be rid of them, how much choice do we have in selecting an x86 processor?

I highly doubt companies like Intel and AMD have a choice. The technology laws they have to comply with in each country would suggest that these features are already abused. Computers are the modern Trojan horse.
 

SarahKerrigan

Senior member
Oct 12, 2014
372
536
136
Makes you wonder what OpenPOWER platforms look like wrt privacy concerns. OpenPOWER hardware + POWER Linux = how many potential backdoors?

OpenPower's firmware ecosystem is fully open-source and available on GitHub, all the way down to things like the power management controller. Raptor Engineering is planning to release an OpenPower workstation board oriented at users with high security/auditability requirements.

https://www.raptorengineering.com/TALOS/prerelease.php