Debian Security ~ Intels' ME and likewise

Here you can discuss every aspect of Debian. Note: not for support requests!

Debian Security ~ Intels' ME and likewise

Postby makh » 2017-11-13 17:24

Hi

Processors, modern BIOSes, motherboards, and maybe others seem to have the potential for numerous threats to Linux and user privacy.

In electronics, some circuits and cabling involve a technique called shielding. This is used to protect the electrons so they keep doing what they should, without outside disturbances.

Is there any Linux project, like Grsecurity or a hardened Linux kernel or similar, working in this respect to keep the OS and the network ports safe? Will it make it into Debian soon?

Thank you
HP Probook 440 G2: Arch, Debian Stable
Server: none
Past: Debian, Centos, Ubuntu, Opensuse
GUI: Openbox, Cinnamon
Chroot: Debian, Ubuntu
VM: Devuan

Employing the best:
Arabic
Debian
Homeopathic

For new: Try Linux Mint
makh
Posts: 543
Joined: 2011-10-09 09:16

Re: Debian Security ~ Intels' ME and likewise

Postby edbarx » 2017-11-14 17:26

Intel ME is powered by separate dedicated small CPU cores running MINIX with a small stack of executables. This means Debian, MS Windows, whatever, do not have much chance to do anything about it. For the main CPU cores to function, the ME must be offering a few basic functions, implying that trying to kill the ME results in a broken processor.

As things stand, having to be content with a CPU with a hidden small computer running a complete OS without knowing what it is doing is the least of evils. I say this, as purchasing hardware that is guaranteed to be entirely libre is often priced exorbitantly. For instance, on the DNG mailing list such a machine was said to cost around $7000! Myself and many others are not willing to spend that much to have ourselves guaranteed to run completely libre hardware.
Debian == { > 30, 000 packages }; Debian != systemd
The worst infection of all, is a false sense of security!
It is hard to get away from CLI tools.
edbarx
Posts: 5388
Joined: 2007-07-18 06:19
Location: 35° 50' N, 14° 35' E

Re: Debian Security ~ Intels' ME and likewise

Postby pylkko » 2017-11-15 09:31

I believe that there are some other cheaper options, at least in theory. For example the Asus Chromebook C201. In the ARM architecture the full instruction set is done in electronics, not software, so there is no "microcode". Furthermore, this chip can boot libreboot and does not have the ARC coprocessor that Intel x86 has (Management Engine). If you install a fully libre install on it, it cannot do any hardware accelerated 3D graphics (that is, you have to do 3D graphics on the main CPU, which is slow), but other than that, I believe it works. (https://libreboot.org/docs/hardware/c201.html)

The same goes for Beagleboard dev boards. These use the TI OMAP family of SoCs. These have free firmware/start-up software and free mainline kernel modules. However:

https://www.fsf.org/resources/hw/single-board-computers wrote:
...the graphics accelerator (GPU) and the video decoding hardware for formats such as MPEG-2 are nonfunctional, because they require nonfree blobs to be installed into them.
pylkko
Posts: 1177
Joined: 2014-11-06 19:02

Re: Debian Security ~ Intels' ME and likewise

Postby zerubbabel » 2017-11-15 17:15

Wouldn't a good firewall be able to guard against Intel's MINIX level sending and receiving packets on the WAN?
zerubbabel
Posts: 9
Joined: 2017-08-30 21:09

Re: Debian Security ~ Intels' ME and likewise

Postby pylkko » 2017-11-15 18:08

zerubbabel wrote:
Wouldn't a good firewall be able to guard against Intel's MINIX level sending and receiving packets on the WAN?

No. For sure no, if you mean something like iptables on the kernel running on the machine with the ME. If you mean an external box working as a gateway/firewall, then it sounds like it would be difficult to separate the noise from the signal, given that the ME has full access to the device.
see: https://www.bestvpn.com/privacy-news/in ... nt-engine/

If it can "Access all areas of your computer’s memory, without the CPU’s knowledge." and "Set up a TCP/IP server on your network interface that can send and receive traffic, regardless of whether the OS is running a firewall or not." then why couldn't it communicate over the network through whatever means your normal network traffic does?

W.r.t. the AMT "empty password bug":
https://www.theregister.co.uk/2017/05/05/intel_amt_remote_exploit/ wrote:
"It gives full control of affected machines, including the ability to read and modify everything. It can be used to install persistent malware – possibly in the firmware – and read and modify any data. For security servers, it may allow disabling security features, creating fake credentials, or obtaining root keys.

"Disable AMT today. Mobilize whomever you need. Start from the most critical servers: Active Directory, certificate authorities, critical databases, code signing servers, firewalls, security servers, HSMs (if they have it enabled). For data centers, if you can, block ports 16992, 16993, 16994, 16995, 623, 664 in internal firewalls now.

"If you have anything connected to the Internet with AMT on, disable it now. Assume the server has already been compromised."
pylkko
Posts: 1177
Joined: 2014-11-06 19:02
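The quoted advice names the AMT ports to block at internal firewalls. As an added example (mine, not code from pylkko's post or from The Register article), here is a small defender-side Python helper that checks which of those ports answer on hosts you administer and renders nftables drop rules for them; the `inet filter` table and `forward` chain names are assumptions.

```python
"""Inventory and block the AMT management ports quoted in the thread.

Added example: (1) probe hosts for the ports the quoted advice lists,
(2) emit nftables rules that drop them at an internal firewall.
"""
import socket
from typing import Iterable, List

# Ports named in the quoted advice (16992-16995 plus 623 and 664).
AMT_PORTS = (16992, 16993, 16994, 16995, 623, 664)


def open_ports(host: str, ports: Iterable[int] = AMT_PORTS,
               timeout: float = 0.5) -> List[int]:
    """Return the subset of `ports` on `host` that accept a TCP connection.

    A completed handshake means something is answering on a management
    port and deserves a look; refused/timeout counts as "not listening"
    from this vantage point (the ME may still talk elsewhere).
    """
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:
            pass  # ECONNREFUSED, timeout, unreachable: not listening
    return found


def nft_block_rules(ports: Iterable[int] = AMT_PORTS,
                    table: str = "inet filter", chain: str = "forward") -> str:
    """Render nftables rules dropping the AMT ports over TCP and UDP.

    Assumes `table` and `chain` already exist (assumed names); feed the
    result to 'nft -f -'. Both transports are dropped because the quoted
    advice does not distinguish them.
    """
    port_set = "{ " + ", ".join(str(p) for p in sorted(set(ports))) + " }"
    return "\n".join([
        f"add rule {table} {chain} tcp dport {port_set} counter drop",
        f"add rule {table} {chain} udp dport {port_set} counter drop",
    ])


if __name__ == "__main__":
    import sys
    for h in sys.argv[1:] or ["127.0.0.1"]:
        hits = open_ports(h)
        print(f"{h}: {'open: ' + str(hits) if hits else 'no AMT ports reachable'}")
    print(nft_block_rules())
```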

Re: Debian Security ~ Intels' ME and likewise

Postby zerubbabel » 2017-11-15 21:34

Yes, I wondered about a firewall external to the computer, but if there would be no way to recognize the packets to and from the Minix level, obviously that wouldn't work.
zerubbabel
Posts: 9
Joined: 2017-08-30 21:09

Re: Debian Security ~ Intels' ME and likewise

Postby makh » 2017-11-16 12:11

edbarx wrote:
... As things stand, having to be contented with a CPU with a hidden small computer running a complete OS without knowing what it is doing is the least of evils. ...

Hi
I heard: it was said by Emperor Minko Khan: The one who trusts his enemy, loses.

There's a quote in our language:
One bad fish makes the whole pond bad.
(It is an approximate translation.) But you do get it when the experienced Debian gurus (here) "again and again advise" not to install anything from outside the repos.

I do hope that either ARM or IBM or another launches privacy-based microprocessors, especially for the desktop/laptop, which can be used by the ones who prefer FOSS and privacy, and also not run into this new closed-source technology of "MINIX Inside".

I hope that this hardware issue gets some good and permanent solution, soon.
Last edited by makh on 2017-11-16 12:17, edited 1 time in total.
makh
Posts: 543
Joined: 2011-10-09 09:16

Re: Debian Security ~ Intels' ME and likewise

Postby makh » 2017-11-16 12:13

zerubbabel wrote:
Yes, I wondered about a firewall external to the computer, but if there would be no way to recognize the packets to and from the Minix level, obviously that wouldn't work.

If this is somehow possible, a tagged bit can be used to check whether it is the main CPU streaming the data to the world or something else. It can then be blocked from communication.

Just a thought...
makh
Posts: 543
Joined: 2011-10-09 09:16

Re: Debian Security ~ Intels' ME and likewise

Postby zerubbabel » 2017-11-16 13:39

Who would buy a house if he knew that the builder reserved the "right" to build a hidden chamber below the apparent foundation, having a control panel with which to monitor everything that happens in the house, and having a secret tunnel connecting it to some other unknown realm?
zerubbabel
Posts: 9
Joined: 2017-08-30 21:09

Re: Debian Security ~ Intels' ME and likewise

Postby wizard10000 » 2017-11-16 14:08

One of the requirements for Intel's AMT is that networking hardware has to be Intel. Got a non-Intel NIC? If so, ME isn't gonna be communicating with anybody :)
we see things not as they are, but as we are.
-- anais nin
wizard10000
Posts: 1204
Joined: 2011-05-09 20:02
Location: everywhere i go, there i am!

Re: Debian Security ~ Intels' ME and likewise

Postby zerubbabel » 2017-11-16 15:30

Hmmm. I wonder if I can replace the NIC in my Dell laptop with a non-Intel device, or if I added a USB NIC, could I disable the internal WiFi device...
zerubbabel
Posts: 9
Joined: 2017-08-30 21:09

Re: Debian Security ~ Intels' ME and likewise

Postby pylkko » 2017-11-16 16:46

If I am not mistaken, the USB based attack that has been demonstrated against the ME does not need networking nor AMT at all, however.

After reading some of the links in this post, I am not very convinced that not having an Intel NIC makes you safe.

viewtopic.php?f=3&t=135264&p=658757#p658708
pylkko
Posts: 1177
Joined: 2014-11-06 19:02

Re: Debian Security ~ Intels' ME and likewise

Postby makh » 2017-11-17 01:51

Hi

Theoretically, if anything interfaces with Minix Inside, ... it will do its play. There goes the security... there's not even a check and balance for what will happen, or what happened in the past. Intel even surpasses the proprietary OSes.
makh
Posts: 543
Joined: 2011-10-09 09:16
