Debian Security ~ Intels' ME and likewise
Hi
Processors, modern BIOSes, motherboards, and maybe others seem to have the potential for numerous threats to Linux and user privacy.
In electronics, some circuits and cabling involve a technique of shielding. This is used to technically protect the electrons so that they keep doing what they should, under no outside disturbance.
Is there any Linux project like Grsecurity, a hardened Linux kernel or similar working in this respect, to keep the OS and the network ports safe? Will it make it into Debian soon?
Thankyou
ThinkPad E14: Arch, Debian Stable
GUI: Xfce
For new: Try MX Linux, Linux Mint; later join Debian Stable
Re: Debian Security ~ Intels' ME and likewise
Intel ME is powered by separate dedicated small CPU cores running MINIX with a small stack of executables. This means Debian, MS Windows, whatever, do not have much chance to do anything about it. For the main CPU cores to function, the ME must be offering a few basic functions, implying that trying to kill the ME results in a broken processor.
As things stand, having to be contented with a CPU with a hidden small computer running a complete OS without knowing what it is doing is the least of evils. I say this, as purchasing hardware that is guaranteed to be entirely libre is often priced exorbitantly. For instance, on the DNG mailing list such a machine was said to cost around $7000! I, along with many others, am not willing to spend that much to have ourselves guaranteed to run completely libre hardware.
Debian == { > 30, 000 packages }; Debian != systemd
The worst infection of all, is a false sense of security!
It is hard to get away from CLI tools.
Re: Debian Security ~ Intels' ME and likewise
I believe that there are some other cheaper options, at least in theory. For example the Asus chromebook c201. In the ARM architecture the full instruction set is done in electronics, not software, so there is no "microcode". Furthermore, this chip can boot libreboot and does not have the ARC coprocessor that intel x86 has (Management engine). If you install a fully libre install on it, it cannot do any hardware accelerated 3D graphics (that is, you have to do 3D graphics on the main CPU which is slow), but other than that, I believe it works. (https://libreboot.org/docs/hardware/c201.html)
The same goes for Beagleboard dev boards. These use the TI OMAP family of SoCs. These have free firmware/start up software and free mainline kernel modules. However:
https://www.fsf.org/resources/hw/single-board-computers wrote:...the graphics accelerator (GPU) and the video decoding hardware for formats such as MPEG-2 are nonfunctional, because they require nonfree blobs to be installed into them.
- Posts: 29
- Joined: 2017-08-30 21:09
Re: Debian Security ~ Intels' ME and likewise
Wouldn't a good firewall be able to guard against Intel's MINIX level sending and receiving packets on the WAN?
Re: Debian Security ~ Intels' ME and likewise
zerubbabel wrote:Wouldn't a good firewall be able to guard against Intel's MINIX level sending and receiving packets on the WAN?
No. For sure no, if you mean something like iptables on the kernel running on the machine with the ME. If you mean an external box working as a gateway/firewall, then it sounds like it would be difficult to separate the noise from the signal, given that the ME has full access to the device.
see: https://www.bestvpn.com/privacy-news/in ... nt-engine/
If it can "Access all areas of your computer’s memory, without the CPU’s knowledge." and "Set up a TCP/IP server on your network interface that can send and receive traffic, regardless of whether the OS is running a firewall or not." then why couldn't it communicate over the network through whatever means your normal network traffic does?
W.r.t. the AMT "empty password bug":
https://www.theregister.co.uk/2017/05/05/intel_amt_remote_exploit/ wrote:"It gives full control of affected machines, including the ability to read and modify everything. It can be used to install persistent malware – possibly in the firmware – and read and modify any data. For security servers, it may allow disabling security features, creating fake credentials, or obtaining root keys.
"Disable AMT today. Mobilize whomever you need. Start from the most critical servers: Active Directory, certificate authorities, critical databases, code signing servers, firewalls, security servers, HSMs (if they have it enabled). For data centers, if you can, block ports 16992, 16993, 16994, 16995, 623, 664 in internal firewalls now.
"If you have anything connected to the Internet with AMT on, disable it now. Assume the server has already been compromised."
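The port list in the quoted advice is the one useful hook a perimeter device has. An iptables ruleset on the host itself cannot help: the NIC hands packets addressed to the AMT listeners to the ME before the operating system ever sees them, and the ME shares the host's wired MAC address, so there is no per-MAC rule that separates the two either. What a gateway, or a scanning box on the same segment, can do is match on destination port and on the banner of AMT's embedded web server. The script below is an added example, not code from this thread, from Intel or from any project: it probes the listed TCP ports on the hosts you name from a separate machine and flags responses that carry AMT's "Server:" header. The host addresses and the sample response in the test are constructed. It checks inbound listeners only; AMT can also be configured for outbound, client-initiated connections, which a scan like this will not see, and 623/664 are RMCP ports that may only answer on UDP on some firmware, so a TCP probe can miss them. A plain BMC on 623 is told apart from AMT by the banner check, which is why the script keeps the two states separate.

```python
"""Probe a LAN segment for Intel AMT listeners from a *separate* machine.
Added example (not from the thread, Intel, or any project): the host OS
cannot see traffic to these ports on its own NIC, so check from outside."""
import socket
import sys

# Destination ports the AMT firmware listens on; the same list the quoted
# advice says to block at internal firewalls.
AMT_PORTS = {
    16992: "AMT HTTP (web UI / WS-Management)",
    16993: "AMT HTTPS",
    16994: "AMT redirection (SOL, IDE-R)",
    16995: "AMT redirection over TLS",
    623: "ASF RMCP",
    664: "ASF secure RMCP",
}


def parse_headers(response: bytes) -> dict:
    """Map lower-cased header names to values for a raw HTTP response."""
    head = response.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def looks_like_amt(response: bytes) -> bool:
    """True when the Server header names AMT's embedded web server, e.g.
    'Server: Intel(R) Active Management Technology 9.1.41'."""
    return "active management technology" in parse_headers(response).get("server", "").lower()


def probe(host: str, port: int, timeout: float = 2.0):
    """TCP-connect, send a bare GET, return (reachable, raw_response).
    Non-HTTP listeners (623/664, 16994/16995) still count as reachable."""
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(request)
            chunks = []
            try:
                while sum(len(c) for c in chunks) < 4096:
                    data = sock.recv(1024)
                    if not data:
                        break
                    chunks.append(data)
            except OSError:  # timeout or reset after connect: still reachable
                pass
            return True, b"".join(chunks)
    except OSError:  # refused, filtered, unroutable
        return False, b""


def scan(hosts, timeout: float = 2.0):
    """Return (host, port, description, amt_banner) for every reachable port."""
    findings = []
    for host in hosts:
        for port, desc in AMT_PORTS.items():
            reachable, resp = probe(host, port, timeout)
            if reachable:
                findings.append((host, port, desc, looks_like_amt(resp)))
    return findings


if __name__ == "__main__":
    # usage: python amt_probe.py 192.0.2.10 192.0.2.11 ...  (addresses are constructed)
    for host, port, desc, amt in scan(sys.argv[1:]):
        print(f"{host}:{port}\t{'AMT banner' if amt else 'open'}\t{desc}")
```

Run it from the gateway or any box on the segment, not from the suspect host; an "open" without the AMT banner on 623 is usually a BMC or an IPMI stack, an "AMT banner" on 16992 means the firmware is provisioned and answering, and a clean result only shows that the listed inbound ports are blocked or disabled, nothing about what the ME does over the host's ordinary outbound traffic.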
- Posts: 29
- Joined: 2017-08-30 21:09
Re: Debian Security ~ Intels' ME and likewise
Yes, I wondered about a firewall external to the computer, but if there would be no way to recognize the packets to and from the Minix level, obviously that wouldn't work.
Re: Debian Security ~ Intels' ME and likewise
Hiedbarx wrote:... As things stand, having to be contented with a CPU with a hidden small computer running a complete OS without knowing what it is doing is the least of evils. ...
I heard: it was said by Emperor Minko Khan: The one who trusts his enemy, loses.
There's a quote in our language: one bad fish makes the whole pond bad. (It is an approximate translation.) But you do get it, when the Experienced Debian Gurus (here) "again and again advise" not to install anything outside from repos.
I do hope that either Arm or IBM or other, launches a privacy based Microprocessors for the desktop/laptop, especially, which can be used by the ones who prefer FOSS and privacy, and also not run into this new closed-source technology of "MINIX Inside".
I hope that this hardware issue gets some good and permanent solution, soon.
Last edited by makh on 2017-11-16 12:17, edited 1 time in total.
ThinkPad E14: Arch, Debian Stable
GUI: Xfce
For new: Try MX Linux, Linux Mint; later join Debian Stable
Re: Debian Security ~ Intels' ME and likewise
zerubbabel wrote:Yes, I wondered about a firewall external to the computer, but if there would be no way to recognize the packets to and from the Minix level, obviously that wouldn't work.
If this is somehow possible, a tagged bit can be used to check that it is the main CPU streaming the data to the world or some other. It can then be blocked for communication.
Just a thought...
ThinkPad E14: Arch, Debian Stable
GUI: Xfce
For new: Try MX Linux, Linux Mint; later join Debian Stable
- Posts: 29
- Joined: 2017-08-30 21:09
Re: Debian Security ~ Intels' ME and likewise
Who would buy a house if he knew that the builder reserved the "right" to build a hidden chamber below the apparent foundation, having a control panel with which to monitor everything that happens in the house, and having a secret tunnel connecting it to some other unknown realm?
- Posts: 29
- Joined: 2017-08-30 21:09
Re: Debian Security ~ Intels' ME and likewise
Hmmm. I wonder if I can replace the NIC in my Dell laptop with a non-Intel device, or if I added a USB NIC, could I disable the internal WIFI device...
Re: Debian Security ~ Intels' ME and likewise
If I am not mistaken, the USB based attack that has been demonstrated against the ME does not need networking nor AMT at all, however.
After reading some of the links in this post, I am not very convinced that not having an Intel NIC makes you safe:
http://forums.debian.net/viewtopic.php? ... 57#p658708
Re: Debian Security ~ Intels' ME and likewise
Hi
Theoretically, if anything comes into interface with Minix Inside, ... it will do its play. There goes the security... there's not even a check and balance for what will happen, or what happened in the past. Intel even surpasses the proprietary OSes.
ThinkPad E14: Arch, Debian Stable
GUI: Xfce
For new: Try MX Linux, Linux Mint; later join Debian Stable
Re: Debian Security ~ Intels' ME and likewise
Intel itself:
http://www.zdnet.com/article/intel-weve ... -millions/
ThinkPad E14: Arch, Debian Stable
GUI: Xfce
For new: Try MX Linux, Linux Mint; later join Debian Stable
- alan stone
- Posts: 269
- Joined: 2011-10-22 14:08
- Location: In my body.
Re: Debian Security ~ Intels' ME and likewise
Intel crawling out of the closet, dragging its feet...
Intel has released a downloadable detection tool which will analyze your system for the vulnerabilities identified & links to system manufacturer pages concerning the issue. See here.
EDIT: just noticed this information was published in the article provided through the previous post. Anyway, above is the straight link to Intel's burp. Who knows which shenanigans are in this patch.
Re: Debian Security ~ Intels' ME and likewise
alan stone wrote:Intel crawling out of the closet, dragging its feet...
Intel has released a downloadable detection tool which will analyze your system for the vulnerabilities identified & links to system manufacturer pages concerning the issue. See here.
EDIT: just noticed this information was published in the article provided through the previous post. Anyway, above is the straight link to Intel's burp. Who knows which shenanigans are in this patch.
OK. So anybody still think that this management engine thing isn't 'bad'?
- sunrat
- Administrator
- Posts: 6470
- Joined: 2006-08-29 09:12
- Location: Melbourne, Australia
- Has thanked: 117 times
- Been thanked: 474 times
Re: Debian Security ~ Intels' ME and likewise
pylkko wrote:OK. So anybody still think that this management engine thing isn't 'bad'?
Sounds bad but so is Coca-Cola and land mines. The world goes on, somehow.
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ” Remember to BACKUP!
Re: Debian Security ~ Intels' ME and likewise
Some people opined that it isn't a security risk. I'm just saying that if Intel thinks it is, then I'm not convinced it isn't. No comment on the world or coca cola.
Re: Debian Security ~ Intels' ME and likewise
it can be neutralized, depending on your hardware: https://github.com/corna/me_cleaner
I have also seen people suggest not to use the onboard PCI wifi, as somehow the ME is programmed to communicate only through the PCI. Anecdotally, a USB dongle for wifi would be a superior replacement.
(I don't know how true that is; I've not tested the theory myself as I don't fully understand the inner workings of the ME [just enough to know I don't want it] and I've only seen it mentioned once or twice. You'd think if such were viable it would be widely spread.)
AMD also have their own version of the ME: https://libreboot.org/faq.html#amdpsp so it's inescapable, for now (short of building your own).
Purism have also been working to neuter the ME: https://puri.sm/learn/avoiding-intel-amt/ (though from my understanding, they're just running the me_cleaner tool on their hardware)
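Whether me_cleaner's change actually landed in the image is something you can check on the dump before you flash it back. The Intel Flash Descriptor at the start of the SPI image records where the ME region lives and holds the PCH straps that me_cleaner flips: the HAP bit for ME 11 and later, AltMeDisable for ME 6 to 10, as its README describes. The script below is an added example, not me_cleaner's own code and not from this thread; the offsets follow the descriptor layout as me_cleaner reads it and are stated here as assumptions (in particular that the descriptor sits at offset 0 of the dump), and the sample image is constructed inside the block so it runs with no hardware. Typical use is a dump taken with `flashrom -p internal -r dump.bin` (or an external programmer), this script against the dump, then again against me_cleaner's output file to confirm the strap changed and the ME region still begins with its partition table.

```python
"""Read an Intel Flash Descriptor from a SPI dump: ME region bounds and the
ME-disable straps that me_cleaner sets.  Added example, not me_cleaner's code.
Offsets follow the Intel Flash Descriptor layout (assumption: descriptor at 0)."""
import struct
import sys

IFD_SIGNATURE = 0x0FF0A55A
REGION_NAMES = ("Descriptor", "BIOS", "ME", "GbE", "PDR")


def parse_descriptor(image: bytes) -> dict:
    """Return region bounds and the two ME-disable strap bits from a flash image."""
    (sig,) = struct.unpack_from("<I", image, 0x10)
    if sig != IFD_SIGNATURE:
        raise ValueError("no Intel Flash Descriptor signature at offset 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", image, 0x14)
    frba = (flmap0 >> 12) & 0xFF0   # Flash Region Base Address
    fpsba = (flmap1 >> 12) & 0xFF0  # PCH Strap Base Address

    regions = {}
    for i, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x1FFF) << 12
        limit = ((flreg >> 4) & 0x1FFF000) | 0xFFF
        regions[name] = (base, limit) if base <= limit else None  # base > limit: unused

    (pchstrp0,) = struct.unpack_from("<I", image, fpsba)
    (pchstrp10,) = struct.unpack_from("<I", image, fpsba + 0x28)
    return {
        "regions": regions,
        "hap_bit": bool(pchstrp0 & (1 << 16)),         # ME 11+: HAP strap
        "alt_me_disable": bool(pchstrp10 & (1 << 7)),  # ME 6-10: AltMeDisable strap
    }


def me_region_has_fpt(image: bytes, info: dict) -> bool:
    """The ME region should start with a partition table ('$FPT' at 0x10 of the region)."""
    bounds = info["regions"]["ME"]
    if bounds is None:
        return False
    base, _ = bounds
    return image[base + 0x10:base + 0x14] == b"$FPT"


def build_sample_image() -> bytes:
    """Constructed 16 KiB image: descriptor at 0, ME at 0x1000-0x2FFF, BIOS at
    0x3000-0x3FFF, GbE/PDR unused, HAP bit set, AltMeDisable clear."""
    img = bytearray(0x4000)
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    struct.pack_into("<II", img, 0x14, 0x04 << 16, 0x10 << 16)  # FRBA=0x40, FPSBA=0x100
    flregs = [0x00000000, 0x00030003, 0x00020001, 0x00007FFF, 0x00007FFF]
    for i, flreg in enumerate(flregs):
        struct.pack_into("<I", img, 0x40 + 4 * i, flreg)
    struct.pack_into("<I", img, 0x100, 1 << 16)  # PCHSTRP0 with the HAP bit set
    img[0x1010:0x1014] = b"$FPT"
    return bytes(img)


def report(image: bytes) -> str:
    """Human-readable summary of what parse_descriptor found."""
    info = parse_descriptor(image)
    lines = []
    for name, bounds in info["regions"].items():
        span = "unused" if bounds is None else f"0x{bounds[0]:08x}-0x{bounds[1]:08x}"
        lines.append(f"{name:10s} {span}")
    lines.append(f"ME region has $FPT: {me_region_has_fpt(image, info)}")
    lines.append(f"HAP bit (ME 11+): {info['hap_bit']}")
    lines.append(f"AltMeDisable (ME 6-10): {info['alt_me_disable']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: python ifd_check.py dump.bin   (no argument: the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print(report(data))
```

Which of the two straps matters depends on the ME generation in the dump, so read both; a set HAP bit on an ME 6 to 10 image, or a set AltMeDisable on ME 11, is not a disabled ME. The "$FPT" check is the cheap sanity test that the region bounds you parsed really point at ME firmware and not at a mis-sized or mis-offset dump.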
- ticojohn
- Posts: 1284
- Joined: 2009-08-29 18:10
- Location: Costa Rica
- Has thanked: 21 times
- Been thanked: 44 times
Re: Debian Security ~ Intels' ME and likewise
Just checked my motherboard specs (GA-H81M-H rev 2.1) and it indicated that my motherboard does not use vPro, which in part is Active Management Technology. From what I have read, if AMT is not incorporated then the ME vulnerability is low to non-existent. Anybody have thoughts on that assumption?
I am not irrational, I'm just quantum probabilistic.
Re: Debian Security ~ Intels' ME and likewise
Hi
Intel seems to have launched their utility. But I want to know if Debian developers are going to provide any such utilities, in any way, now or in the coming days...?
ThinkPad E14: Arch, Debian Stable
GUI: Xfce
For new: Try MX Linux, Linux Mint; later join Debian Stable