CPU backdoor within an Intel CPU?


boozzer

Golden Member
Jan 12, 2012
1,549
18
81
I just realized how annoying it is when people keep on bringing up "tinfoil" after Snowden.
 

asendra

Member
Nov 4, 2012
156
12
81
1+ :thumbsup:



And this :thumbsup:

Drama sells, reality doesn't.

So it's not reality to say that Intel/AMD (and whomever Intel/AMD shares the keys with) has a way to access any modern x86 CPU and do whatever the hell they want, if they ever need to?

Guess I didn't get that memo.
 

JimmiG

Platinum Member
Feb 24, 2005
2,024
112
106
It's just a tech for LOM/Out-of-Band management. There's nothing secret about it. In fact Intel advertises it openly with the vPro logo. Great to have in a corporate environment. Sure, Intel could limit it to Xeon processors or something, but most organizations deploy bog-standard i3/i5 etc. laptops/desktops to their users. Instead of employing someone to run around updating the BIOS of tens of thousands of PCs, why not centralize it just like you do with Windows updates?
There's even a VNC server built in.

Sure, a security breach would be quite harmful, especially for Intel. I wouldn't call 2048-bit encryption "security through obscurity", though.
 
Last edited:
Aug 11, 2008
10,451
642
126
So it's not reality to say that Intel/AMD (and whomever Intel/AMD shares the keys with) has a way to access any modern x86 CPU and do whatever the hell they want, if they ever need to?

Guess I didn't get that memo.

Do you run Windows? Do you think MS cannot do "whatever the hell they want", especially with all the new "features" of the spyware relabelled Windows 10?
 

Madpacket

Platinum Member
Nov 15, 2005
2,068
326
126
The only solution to reduce government spying are things like open hardware initiatives. Similar to open source software, we need solutions for hardware. Sure we know open source software also has back doors but at least we can audit the code. The same should be available for hardware.

There's some progress going on in this space but we're probably years away from anything of relevance.

http://www.oshwa.org/

The best middle ground at the moment is to buy an old IBM laptop like an X200 with a Core 2 Duo, and reflash the BIOS with a compatible Open BIOS:

https://libreboot.org/docs/hcl/x200.html

And then run something like TailsOS on it.

https://tails.boum.org/

Also here's a decent link with good basic security principles that really everyone should follow.

https://www.privacytools.io

Unfortunately the tinfoil hats are justified. Ignorance of these issues will not make things better.
 

Phynaz

Lifer
Mar 13, 2006
10,140
819
126
All that needs to break the security is a key which can be shared with other parties like the NSA. And then the ME is a general purpose cpu which has full access to every component, instead of just being a minimal microcode bug patcher. That was the main point that the article is trying to get across.


No. The article states that the ME code is stored in a non-standard (aka proprietary) format which has been partially decoded for some versions of ME.

That's why the article author is a dumbass. The code is not in a nonstandard format, it's Java that is Huffman compressed, which has been known for years.

Seriously, ignore the article, most of it is just plain wrong.

Edit :

If you are really interested in this stuff, here's the source for the clickbait article
https://www.slideshare.net/mobile/codeblue_jp/igor-skochinsky-enpub

Edit 2
Cytg beat me to it.
 
Last edited:

dark zero

Platinum Member
Jun 2, 2015
2,655
138
106
Seems that negationists are just as blind as tinfoil people. It's called politics. So deal with it guys. Politics are taking on tech, that is the new trend.
 

FIVR

Diamond Member
Jun 1, 2016
3,753
911
106
The ME is your friend. It just wants to watch, and make sure everything is OK with your data while you use your computer. It's not "surveillance" so much as friendly happy-time eyes watching... all time. It is good for you, it makes you self-reflect on your opinions and ideas to see if they are socially and politically appropriate. You wouldn't want to have those opinions and ideas, right? I mean... you're not a terrorist, right?


Then you have nothing to worry about. Nothing at all
 

cytg111

Lifer
Mar 17, 2008
23,561
13,122
136
The lovely Joanna Rutkowska, who any self-respecting geek must have a little crush on, has a few things to say on the matter:

http://blog.invisiblethings.org/2015/10/27/x86_harmful.html

her paper

http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

summa summarum

"Finally, the Intel Management Engine (ME) technology, which is now part of all Intel processors, stands out as very troublesome, as explained in one of the chapters above. Sadly, and most depressing, there is no option for us users to opt-out from having this on our computing devices, whether we want it or not.
The author considers this as probably the biggest mistake the PC industry has got itself into she has ever witnessed."

And to get in front of the fan-based culture blowback:

"But is the situation much different on AMD-based x86 platforms? It doesn’t seem so! The problems related to boot security seem to be similar to those we discussed in this paper. And it seems AMD has an equivalent of Intel ME also, just disguised as Platform Security Processor"

But the whole read is excellent.
 

asendra

Member
Nov 4, 2012
156
12
81
Do you run Windows? Do you think MS cannot do "whatever the hell they want", especially with all the new "features" of the spyware relabelled Windows 10?

No, I don't use Windows. And what the hell does that have to do with Intel adding hardware to gain access to any computer using one of their new CPUs, without a killswitch?

You can choose what software you use; unfortunately, you don't have much choice in what x86 CPU you can use, since Intel won't allow any company to create them besides AMD, which seems to be doing the same.

And if this is a government-mandated "feature" in every new CPU like someone has said, even more reason to be upset about it.
 

Keljian

Member
Jun 16, 2004
85
16
71
Oh for heaven's sake, just get an Odroid and run Ubuntu (or Arch) if you are that concerned. 512GB SD card + 64 gig eMMC plus a Samsung Exynos.
 

cytg111

Lifer
Mar 17, 2008
23,561
13,122
136
To some of you guys your own privacy is a joke. I cannot begin to express how funny that is to me. It is what it is, let's get on with it, I'm out.
 

daxzy

Senior member
Dec 22, 2013
393
77
101
The only solution to reduce government spying are things like open hardware initiatives. Similar to open source software, we need solutions for hardware. Sure we know open source software also has back doors but at least we can audit the code. The same should be available for hardware.

There's some progress going on in this space but we're probably years away from anything of relevance.

http://www.oshwa.org/

The best middle ground at the moment is to buy an old IBM laptop like an X200 with a Core 2 Duo, and reflash the BIOS with a compatible Open BIOS:

https://libreboot.org/docs/hcl/x200.html

And then run something like TailsOS on it.

https://tails.boum.org/

Also here's a decent link with good basic security principles that really everyone should follow.

https://www.privacytools.io

Unfortunately the tinfoil hats are justified. Ignorance of these issues will not make things better.

There was a fatal flaw (which was so obvious that you can consider it a backdoor) in OpenSSL for 2 years that went unnoticed. Unless you or someone you know and personally trust has looked at all the code for the above, then the whole idea of using open-source software as a security mechanism is moot. Being someone who deals with open-source daily, there is a huge amount of "But someone else must've looked at this!" mentality (e.g. the Bystander Effect).

I'll also let you consider this point. If an individual sees a fatal flaw in open-source software (that is used by millions of people), they would profit FAR more from exploiting it than from issuing a patch and fixing it. At least with closed source software, unscrupulous individuals (or crime organizations) do not have access to the code.

If you want to be "spy-free", then use a non-Internet connected PC and a dumb phone. Or better yet, write your own OS and firmware for all the hardware you need.
 
Last edited:

Phynaz

Lifer
Mar 13, 2006
10,140
819
126
To some of you guys your own privacy is a joke. I cannot begin to express how funny that is to me. It is what it is, let's get on with it, I'm out.

Says the guy posting on a public forum that was recently hacked.
 

Xpage

Senior member
Jun 22, 2005
459
15
81
www.riseofkingdoms.com
really? Do you think you are important enough for somebody to want to spy on. nobody cares unless you do high level government work, are a spy, or work in a high tech industry and are a key player
 

boozzer

Golden Member
Jan 12, 2012
1,549
18
81
really? Do you think you are important enough for somebody to want to spy on. nobody cares unless you do high level government work, are a spy, or work in a high tech industry and are a key player
it is about total control. it is 2016. information is everything. it doesn't really affect nobodies/peasants. but if you ever become a somebody, you are 100% boned.

to the guys cracking tasteless jokes, I hope you never become a somebody. no matter how minuscule of a chance that is.
 

daxzy

Senior member
Dec 22, 2013
393
77
101
it is about total control. it is 2016. information is everything. it doesn't really affect nobodies/peasants. but if you ever become a somebody, you are 100% boned.

to the guys cracking tasteless jokes, I hope you never become a somebody. no matter how minuscule of a chance that is.

The amount of ignorance regarding "spying" is just mind-boggling in this thread. It does show that people are much more inclined to believe that their PCs (and Microsoft/Intel) are the predominant spying vector when it's not.

Some thoughts to ponder:
Do you use a smartphone? Far easier attack vector. I've seen countless people tape the webcam on their laptops. Yet their phones have built in cameras, GPS, and a microphone (of course taping your new iPhone/Android whatever doesn't make it look cool).

Do you use smartphone apps? Have you seen the amount of permissions that a typical Android/iOS app wants (literally everything)? Let's take a look at Pandora. It wants your Calendar and Contacts access. Same with Snapchat, except it wants unfettered access to your GPS and camera.

Do you use cloud services (Google Services, I'm looking at you)? They parse your email and ALL your documents to build their advertising profile of you. Think you can turn it off? Try an experiment between you and your friend's Gmail by talking about how you want to buy a car (e.g. Honda Civic). Watch how the dealerships or car ads conveniently show up.

Do you use the same ISP/cellular provider? Guess what? They have the ability (with deep packet inspection) to know everything you do.
 
Last edited:

Red Squirrel

No Lifer
May 24, 2003
67,938
12,384
126
www.anyf.ca
I think it's time to start using FPGAs for computers or something... Maybe the open source community can get such a project going. Getting ridiculous, bad enough that you can't trust software but at least you can move to open source, but now we can't trust hardware either. Is there even anything that can be done to block this at the firewall? Problem is the firewall CPU will probably have this too...
 