cpu backdoor within a intel cpu?

[Nothingness]

I'd be curious if the biggest distros, like Ubuntu, don't have it somewhere where it's so deeply embedded that only the inner circle can tell it's there. It seems like the kernel is the best place for it. Isn't that something that Torvalds and such continue to have control over?

I think the kernel is the safest place... at least in its source form. You can never know what ends in pre-compiled kernel, but given that all distros give you the possibility to recompile your kernel, there's little risk the widely used distros kernel is infected.

More generally any software that is openly developed by many people has little chance to be infected by backdoors for a long time.

But I agree with you that broken standards or encryption algorithms are good attack vector.

 

[Madpacket]

Privacy has been dead for years. I'm not sure it really ever existed since the dawn of the desktop computer. There's a real resistance going on, just in a different format. Public facing Blockchain technology allows for real privacy and decentralized distributed computing. This stuff is here now (started with Bitcoin, but much more advanced tech such as Monero, Ethereum now exist) and is likely be the most disruptive technology until advanced AI and real Quantum computers come along.

Just have a look at some of the projects going on..

https://medium.com/@ConsenSys/an-introduction-to-ipfs-9bba4860abd0#.pbqxxyx1z
https://github.com/ethersphere/swarm
http://akasha.world
https://getmonero.org

Open hardware platforms are coming along as well albeit at a much slower pace.

I don't see the backdoor CPU tech as that much of an issue with a lot of computing becoming distributed, decentralized, anonymous. Five Eyes will have its hands full with things like Monero with Ring-CT, or Ethereum with ZK-Snarks. This is a global phenomenon, not limited to countries doing their best to follow Orwellian fiction.

Fun times!

 

[superstition]

Privacy has been dead for years. I'm not sure it really ever existed since the dawn of the desktop computer.

The Internet, not the desktop computer. Printers that watermark pages existed before that and such but nothing erodes privacy like the Internet.

I don't see the backdoor CPU tech as that much of an issue with a lot of computing becoming distributed, decentralized, anonymous. Five Eyes will have its hands full with things like Monero with Ring-CT, or Ethereum with ZK-Snarks. This is a global phenomenon, not limited to countries doing their best to follow Orwellian fiction.

Privacy is becoming harder, not easier, to maintain. The huge resources governments have to pour into spying greatly outclass whatever tech various regular people can come up with. Corporations also want as much data as possible because knowledge is power.

The government is a cute barometer, though. The outrage over Trump using an Android phone and over Clinton's e-mail server show how little concern there is over the privacy of regular people — the total double standard that exists in the minds of the elite and those who gravitate around them. Clever writers try to disguise the duplicity by referring to Trump's "older" version of Android, as if that's really the heart of it.

It's a problem for one of them to have insecure tech but all of us are supposed to happily use it without questioning.

 

[Madpacket]

That's the beautiful thing about crypto, open source code and pissed of mathematicians. It doesn't matter how much money or resources the government has, there's really nothing practical they can do to attack the confidentially, integrity and availability (CIA) of mature Blockchains.

I guess with BlackBerry moving to Android there's no reason for Trump to carry a BB10 device like Obama.

 

[Red Squirrel]

Linux Torvalds has been asked by the NSA before to add a backdoor. As far as I know, he pretty much tells them where to go, he's not afraid and he won't take shit from anyone. Can't help but wonder if any of the other core devs have ever been forced at gun point to do it though. I don't think they'd go after Linus at gun point, they'd go after someone who has the same level of power/access as him, but is less likely to say something due to fear of death. Basically they'd be forced to write a backdoor that is hard enough to spot even by Linus then it ends up being committed and forgotten about. A good backdoor would basically be some code that is purposely buggy/vulnerable but hard to spot. Look at how long it took to find Heartbleed or Shell Shocker.

Open source is still better than closed though, as chances are decent that a backdoor would be found at some point or the other. I imagine the community and 3rd party devs watch this stuff like a hawk too. There may even be a warranty canary built into the code so if someone is forced at gun point to add a backdoor they can "Activate" the warranty canary without it being obvious. Like fixing a misspelled variable name or something.

 

[Red Squirrel]

On subject of CPU, I wonder how viable it would be to design usable CPUs at the component level. I would not be against the idea of going back to physically larger machines if it meant more privacy. Ex: 4U cases where you insert long cards in it. Could go to a computer platform that is based on cards, you have CPU cards, ram cards, various expansion cards etc. Chassises could be chained together to build more powerful machines too. The cards would have tons of transistors and other jelly bean parts and mostly be simple. Once the design is made it would be super cheap to whip these out in the millions. Go back to proper coding and micro optimization of code, and even if you can only do like 100Mhz or so due to physical size you could grow parallel instead. So you want a beefy computer, then you just insert more of those CPU cards. You want a computer with tons of ram, but don't need as much cpu, then insert more ram cards. Could be fully modular and all based on mostly jelly bean parts. Maybe some microcontrolers and stuff too for certain functions. FPGAs might also be an option but as someone said earlier I think those are fairly closed too, could easily be a backdoor added to those over time. Basically if parts could be built in a way that an EE can literally reverse engineer by looking at it, it would be hard to add any kind of backdoor. Only thing though I would imagine such a platform would be very power hungry.

Then again, nothing stops the government from adding backdoors to individual transistors, like a separate IC in the same package that then communicates on a common bus at a different voltage. But that would get really complicated as the only thing the backdoor could do is know when the transistor is told to turn on or off. The backdoors would need to communicate with each other to get an overall picture of what's going on. Could purposely use transistors from different manufacturers throughout a single cpu to make it harder for any backdoors to talk to each other.

 

[superstition]

Linux Torvalds has been asked by the NSA before to add a backdoor. As far as I know, he pretty much tells them where to go, he's not afraid and he won't take shit from anyone.

Seriously? You think Torvalds or anyone else has the power to say no?

Can't help but wonder if any of the other core devs have ever been forced at gun point to do it though. I don't think they'd go after Linus at gun point, they'd go after someone who has the same level of power/access as him, but is less likely to say something due to fear of death. Basically they'd be forced to write a backdoor that is hard enough to spot even by Linus then it ends up being committed and forgotten about. A good backdoor would basically be some code that is purposely buggy/vulnerable but hard to spot. Look at how long it took to find Heartbleed or Shell Shocker.

People "commit suicide" all the time (e.g. Palfrey). Or their airplane runs out of fuel (e.g. Connell). Or, they get invited for a private ride on Air Force One (e.g. Kucinich).

In a high building there is so much to do.

Open source is still better than closed though, as chances are decent that a backdoor would be found at some point or the other.

My guess is that something big like Ubuntu would be more of a target than all Linux distros. The risk of exposure of your attack vector is lower when you're dealing with distros that are less low-level like Gentoo.

 

[superstition]

On subject of CPU, I wonder how viable it would be to design usable CPUs at the component level. I would not be against the idea of going back to physically larger machines if it meant more privacy. Ex: 4U cases where you insert long cards in it.

Surveillance devices can be so small now and can even power themselves from wifi radiation. It's really game over for privacy unless you can afford billions to make some sort of underground lead-lined bunker. lol

 

[SarahKerrigan]

Big-Little seems to be another way of keeping the telemetry going. Even if you "turn off" your computer the little processor will be a busy little bee.

related discussions:

Will SME SEV and hardware SHA be CPU game-changers?
How long before PC desktop CPUs are sold, with 3G or better internet, built-in?
New CPUs will require Windows 10
[TheReg] Intel Management Engine
Ivy-Bridge Hardware Trojan?
3g chip inside intel vpro skus
Nvidia adds telemetry to its driver (not linked since it's the GPU forum)


I tried to find the topic about AMD's embedded module but can't seem to locate it in the search. I think it's some sort of ARM-type processor that will be inside Zen CPUs.

What you're looking for is called the Platform Security Processor, a Cortex-A5 running an RTOS with TrustZone sitting on top of it for applications. It exists today in Carrizo and, per my recollection, Beema/Mullins (but not Kaveri or Kabini.)

For what it's worth, there is real demand for this kind of technology from companies wanting to do remote management on employee systems and similar use cases. That being said, I don't think the people talking about how great it is have thought through the implications of having a magical black box with minimal owner control and full access to everything on the system. Thankfully, there's always me_cleaner (for compatible Intel hardware.)

 

[beginner99]

So there was some truth to this after all:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

 

[BradC]

So there was some truth to this after all:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

Is this as bad as it looks at first glance? From where I'm sitting this looks catastrophic.

 

[beginner99]

Is this as bad as it looks at first glance? From where I'm sitting this looks catastrophic.

I don't think so because it mostly affects business laptops only (eg vPro enabled and consumer CPUs don't support that at all as is mentioned in the article) and second point being that in corporate environment you are behind probably several layers of security.

 

[nopainnogain]

I bought my i7-4771 at a retail store and now it's not being considered a "consumer CPU" anymore?

I'll reboot now in order to disable vPro in the bios.

 

[BradC]

and second point being that in corporate environment you are behind probably several layers of security.

Until you take your business laptop home, or to a hotel, or a conference, or coffee shop....

I'm more thinking about all the poorly set up servers out there sitting in closets inside small to medium sized businesses set up by well meaning IT shops that have this stuff enabled for "ease of remote assistance" and who have not firewalled any of the management features because nobody told them it needed doing, and "hey if it was firewalled we couldn't get in to help you when things go wrong."

I've seen many more catastrophically implemented "layers of security" than well implemented. Don't even want to talk about the plethora of 3G dongles I've found plugged into the back of machines inside "secure networks" because "the CCTV contractor needs remote access and IT won't give him a login".

 

[SarahKerrigan]

Is this as bad as it looks at first glance? From where I'm sitting this looks catastrophic.

It's really, really bad. And "it's all good, companies, you're only going to have a gaping hole for the next few weeks until you get the opportunity to roll a firmware update out across tens of thousands of machines! If your OEM decides to give you one, that is..." is going to leave a bad taste in a lot of folks' mouth. I also have yet to see a statement from Intel of whether this affects servers, and if so, to what extent - if it does, that's an even bigger problem.

Intel has some explaining to do.

 

[iBoMbY]

I don't think so because it mostly affects business laptops only (eg vPro enabled and consumer CPUs don't support that at all as is mentioned in the article) and second point being that in corporate environment you are behind probably several layers of security.

It effects all OEM systems with Q57, Q67, Q77, Q87, Q170 and Q270, and possibly also Q65, B65, Q75, B75, Q85, B85, Q150, B150, Q250 and B250, chipsets. They have also sold Xeon CPUs using the same cores and software (the small ones).

And this is a real security nightmare for all corporation who use these systems (like probably almost every company in the world), no matter how secure they think their networks are.

 

[LTC8K6]

If we look up our CPU, and it doesn't support vPro, then we don't need to worry?

My i5-3330 does not, my 4790K does not, but my E3-1231-V3 does.

 

[LTC8K6]

Quite a few regular desktop chips have vPro.

List of Intel chips with vPro:
http://ark.intel.com/Search/FeatureFilter?productType=processors&VProTechnology=true

 

[sm625]

On subject of CPU, I wonder how viable it would be to design usable CPUs at the component level. I would not be against the idea of going back to physically larger machines if it meant more privacy. Ex: 4U cases where you insert long cards in it. Could go to a computer platform that is based on cards, you have CPU cards, ram cards, various expansion cards etc.

There is no need for any of that. You can use a fully modern machine. Just dont connect it to a network. Keep it offline and encrypted. Transfer data onto / off it in a secure manner. It doesnt matter how many backdoors a system has, if it cannot be accessed.

 

[Shivansps]

You need both a vPRO supporting CPU and Q chipset to be affected.

This can also be fixed by a firmware update, but man, that has to be hard to do when you have hundreds or thousands of them.

 

[DrMrLordX]

They have also sold Xeon CPUs using the same cores and software (the small ones).

Are we talking Xeon-D or . . . ?

 

[Red Squirrel]

There is no need for any of that. You can use a fully modern machine. Just dont connect it to a network. Keep it offline and encrypted. Transfer data onto / off it in a secure manner. It doesnt matter how many backdoors a system has, if it cannot be accessed.

Except when these backdoors use something other than your own network, such as 3G, or some backdoor that uses your network at the physical level, bypassing any firewall. Ex: a separate modulation that rides on top of ethernet. Of course the NIC itself would need to support that, so probably a bad idea to use Intel nics now...

Speaking of Intel's backdoor.

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

Exploited. Nice.....

 

[wahdangun]

what the... hell,

i have several HP and dell server, and it will pain to upgrade all the bios, and not counting we have several dell desktop pc with vpro.

i will not trusting intel again, thankfully AMD is on the roll right now, and its not affected by this.

napples can't come soon enough


ps: sorry for my bad English.

 

[LTC8K6]

Can't you just turn off vPro in BIOS or in whatever program controls it?

 

[Shivansps]

what the... hell,

i have several HP and dell server, and it will pain to upgrade all the bios, and not counting we have several dell desktop pc with vpro.

i will not trusting intel again, thankfully AMD is on the roll right now, and its not affected by this.

napples can't come soon enough


ps: sorry for my bad English.

You are saying AMD dosent has the built-in Security Processor like Intel?