Debian Security ~ Intels' ME and likewise

Posted: 2017-11-13 17:24
by makh
Hi

Processors, modern BIOS, and motherboards, and maybe others, seem to have potential for numerous threats to Linux and user privacy.

In electronics, some circuits and cabling involve a technique of shielding. This is used for technically protecting the electrons to keep on doing as they should do, under no outside disturbances.

Is there any Linux project, like grsecurity or a hardened Linux kernel or similar, working in this respect to keep the OS and the network ports safe? Will it make it into Debian soon?

Thank you

Re: Debian Security ~ Intels' ME and likewise

Posted: 2017-11-14 17:26
by edbarx
Intel ME is powered by separate dedicated small CPU cores running MINIX with a small stack of executables. This means Debian, MS Windows, whatever, do not have much chance to do anything about it. For the main CPU cores to function, the ME must be offering a few basic functions, implying that trying to kill the ME results in a broken processor.

As things stand, having to be contented with a CPU with a hidden small computer running a complete OS without knowing what it is doing is the least of evils. I say this, as purchasing hardware that is guaranteed to be entirely libre is often priced exorbitantly. For instance, on the DNG mailing list such a machine was said to cost around $7000! Myself and many others are not willing to spend that much to have ourselves guaranteed to run completely libre hardware.

Re: Debian Security ~ Intels' ME and likewise

Posted: 2017-11-15 09:31
by pylkko
I believe that there are some other cheaper options, at least in theory. For example the Asus Chromebook C201. In the ARM architecture the full instruction set is done in electronics, not software, so there is no "microcode". Furthermore, this chip can boot libreboot and does not have the ARC coprocessor that Intel x86 has (Management Engine). If you install a fully libre install on it, it cannot do any hardware accelerated 3D graphics (that is, you have to do 3D graphics on the main CPU, which is slow), but other than that, I believe it works. (https://libreboot.org/docs/hardware/c201.html)

The same goes for Beagleboard dev boards. These use the TI OMAP family of SoCs. These have free firmware/start-up software and free mainline kernel modules. However:
https://www.fsf.org/resources/hw/single-board-computers wrote:...the graphics accelerator (GPU) and the video decoding hardware for formats such as MPEG-2 are nonfunctional, because they require nonfree blobs to be installed into them.

Re: Debian Security ~ Intels' ME and likewise

Posted: 2017-11-15 17:15
by zerubbabel
Wouldn't a good firewall be able to guard against Intel's MINIX level sending and receiving packets on the WAN?

Re: Debian Security ~ Intels' ME and likewise

Posted: 2017-11-15 18:08
by pylkko
zerubbabel wrote:Wouldn't a good firewall be able to guard against Intel's MINIX level sending and receiving packets on the WAN?
No. For sure no, if you mean something like iptables on the kernel running on the machine with the ME. If you mean an external box working as a gateway/firewall, then it sounds like it would be difficult to separate the noise from the signal, given that the ME has full access to the device.
see: https://www.bestvpn.com/privacy-news/in ... nt-engine/

If it can "Access all areas of your computer’s memory, without the CPU’s knowledge." and "Set up a TCP/IP server on your network interface that can send and receive traffic, regardless of whether the OS is running a firewall or not." then why couldn't it communicate over the network through whatever means your normal network traffic does?

W.r.t. the AMT "empty password bug":
https://www.theregister.co.uk/2017/05/05/intel_amt_remote_exploit/ wrote:"It gives full control of affected machines, including the ability to read and modify everything. It can be used to install persistent malware – possibly in the firmware – and read and modify any data. For security servers, it may allow disabling security features, creating fake credentials, or obtaining root keys.

"Disable AMT today. Mobilize whomever you need. Start from the most critical servers: Active Directory, certificate authorities, critical databases, code signing servers, firewalls, security servers, HSMs (if they have it enabled). For data centers, if you can, block ports 16992, 16993, 16994, 16995, 623, 664 in internal firewalls now.

"If you have anything connected to the Internet with AMT on, disable it now. Assume the server has already been compromised."
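As an added example (not part of the thread), the port list quoted from the Register article can be turned into both a detection check and a blocking rule for an internal firewall. The log line layout (iptables LOG target fields) and the constructed sample lines are assumptions; adapt the regex to your own firewall's format.

```python
"""Flag flows to the AMT/IPMI ports named in the advisory and render a
matching nftables drop rule. Added example, not code from the thread."""
import re
from typing import Dict, List

# Ports quoted in the advisory: 16992-16995 (AMT HTTP/HTTPS/redirection),
# 623/664 (RMCP / RMCP+ used by AMT and IPMI).
AMT_PORTS = {16992, 16993, 16994, 16995, 623, 664}

# Field extractor for kernel "LOG" target lines (SRC= DST= PROTO= SPT= DPT=).
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_log_line(line: str) -> Dict[str, str]:
    """Return the interesting key=value fields of one log line ({} if none)."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def amt_flows(lines: List[str]) -> List[Dict[str, str]]:
    """Return parsed flows whose destination port is an AMT/IPMI port."""
    hits = []
    for line in lines:
        f = parse_log_line(line)
        dpt = f.get("DPT", "")
        if dpt.isdigit() and int(dpt) in AMT_PORTS:
            hits.append(f)
    return hits


def nft_block_rules(chain: str = "forward") -> str:
    """Render an nftables ruleset (inet table) that logs and drops traffic
    to the AMT/IPMI ports, for an internal gateway between segments."""
    ports = ", ".join(str(p) for p in sorted(AMT_PORTS))
    return (
        "table inet amt_guard {\n"
        f"  chain {chain} {{\n"
        f"    type filter hook {chain} priority 0; policy accept;\n"
        f'    meta l4proto {{ tcp, udp }} th dport {{ {ports} }} '
        'log prefix "AMT-DROP " drop\n'
        "  }\n}\n"
    )


# Constructed sample lines in iptables LOG format (not real captures).
SAMPLE_LOG = [
    "gw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=10.0.1.9 PROTO=TCP SPT=51234 DPT=16992 WINDOW=64240",
    "gw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=10.0.1.9 PROTO=TCP SPT=51235 DPT=443 WINDOW=64240",
    "gw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.40 DST=10.0.1.12 PROTO=UDP SPT=40000 DPT=623 LEN=40",
    "gw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.40 DST=10.0.1.12 PROTO=TCP SPT=40001 DPT=22 WINDOW=29200",
]

if __name__ == "__main__":
    for hit in amt_flows(SAMPLE_LOG):
        print(f"AMT/IPMI port hit: {hit['SRC']} -> {hit['DST']}:{hit['DPT']}")
    print(nft_block_rules())
```

The flow check is a defender's inventory of who is reaching management ports; the rule block is what the advisory's "block ... in internal firewalls" looks like in nftables syntax.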

Re: Debian Security ~ Intels' ME and likewise

Posted: 2017-11-15 21:34
by zerubbabel
Yes, I wondered about a firewall external to the computer, but if there would be no way to recognize the packets to and from the Minix level, obviously that wouldn't work.

Re: Debian Security ~ Intels' ME and likewise

Posted: 2017-11-16 12:11
by makh
edbarx wrote:... As things stand, having to be contented with a CPU with a hidden small computer running a complete OS without knowing what it is doing is the least of evils. ...
Hi
I heard: it was said by Emperor Minko Khan: The one who trusts his enemy, loses.

There's a quote in our language:
one bad fish makes the whole pond bad.
(It is an approximate translation). But you do get it, when the Experienced Debian Gurus (here), "again and again advise" not to install anything outside from repos.

I do hope that either ARM or IBM or another launches privacy-based microprocessors for the desktop/laptop especially, which can be used by the ones who prefer FOSS and privacy, and also not run into this new closed-source technology of "MINIX Inside".

I hope that this hardware issue gets some good and permanent solution, soon.

Re: Debian Security ~ Intels' ME and likewise

Posted: 2017-11-16 12:13
by makh
zerubbabel wrote:Yes, I wondered about a firewall external to the computer, but if there would be no way to recognize the packets to and from the Minix level, obviously that wouldn't work.
If this is somehow possible, a tagged bit can be used to check that it is the main CPU streaming the data to the world or some other. It can then be blocked for communication.

Just a thought... :idea:

Re: Debian Security ~ Intels' ME and likewise

Posted: 2017-11-16 13:39
by zerubbabel
Who would buy a house if he knew that the builder reserved the "right" to build a hidden chamber below the apparent foundation, having a control panel with which to monitor everything that happens in the house, and having a secret tunnel connecting it to some other unknown realm?

Re: Debian Security ~ Intels' ME and likewise

Posted: 2017-11-16 15:30
by zerubbabel
Hmmm. I wonder if I can replace the NIC in my Dell laptop with a non-Intel device, or if I added a USB NIC, could I disable the internal WIFI device...

Re: Debian Security ~ Intels' ME and likewise

Posted: 2017-11-16 16:46
by pylkko
If I am not mistaken, the USB based attack that has been demonstrated against the ME does not need networking nor AMT at all, however.

After reading some of the links in this post, I am not very convinced that not having an Intel NIC makes you safe.

http://forums.debian.net/viewtopic.php? ... 57#p658708

Re: Debian Security ~ Intels' ME and likewise

Posted: 2017-11-17 01:51
by makh
Hi

Theoretically, if anything comes into interface with Minix Inside, ... it will do its play. There goes the security... there's not even a check and balance for what will happen, or what happened in the past. Intel even surpasses the proprietary OSes.

Re: Debian Security ~ Intels' ME and likewise

Posted: 2017-11-22 11:31
by makh

Re: Debian Security ~ Intels' ME and likewise

Posted: 2017-11-22 13:29
by alan stone
Intel crawling out of the closet, dragging its feet...

Intel has released a downloadable detection tool which will analyze your system for the vulnerabilities identified & links to system manufacturer pages concerning the issue. See here.

EDIT: just noticed this information was published in the article provided through the previous post. Anyway, above is the straight link to Intel's burp. Who knows which shenanigans are in this patch. :roll:

Re: Debian Security ~ Intels' ME and likewise

Posted: 2017-11-22 18:57
by pylkko
alan stone wrote:Intel crawling out of the closet, dragging its feet...

Intel has released a downloadable detection tool which will analyze your system for the vulnerabilities identified & links to system manufacturer pages concerning the issue. See here.

EDIT: just noticed this information was published in the article provided through the previous post. Anyway, above is the straight link to Intel's burp. Who knows which shenanigans are in this patch. :roll:

OK. So anybody still think that this management engine thing isn't 'bad'?

Re: Debian Security ~ Intels' ME and likewise

Posted: 2017-11-22 22:30
by sunrat
pylkko wrote:OK. So anybody still think that this management engine thing isn't 'bad'?
Sounds bad but so is Coca-Cola and land mines. The world goes on, somehow.

Re: Debian Security ~ Intels' ME and likewise

Posted: 2017-11-23 07:16
by pylkko
Some people opined that it isn't a security risk. I'm just saying that if Intel thinks it is, then I'm not convinced it isn't. No comment on the world or Coca-Cola.

Re: Debian Security ~ Intels' ME and likewise

Posted: 2017-11-24 01:10
by fmp
It can be neutralized, depending on your hardware: https://github.com/corna/me_cleaner

I have also seen people suggest not to use the onboard PCI wifi, as somehow the ME is programmed to communicate only through the PCI. Anecdotally, a USB dongle for wifi would be a superior replacement.
(Don't know how true that is, I've not tested the theory myself as I don't fully understand the inner workings of the ME [just enough to know I don't want it] & I've only seen it mentioned once or twice.. you'd think if such were viable it would be widely spread.)

AMD also have their own version of the ME: https://libreboot.org/faq.html#amdpsp so it's inescapable, for now (short of building your own).

Purism have also been working to neuter the ME: https://puri.sm/learn/avoiding-intel-amt/ (though from my understanding, they're just running the me_cleaner tool on their hardware).

Re: Debian Security ~ Intels' ME and likewise

Posted: 2017-11-24 18:46
by ticojohn
Just checked my motherboard specs (GA-H81M-H rev 2.1) and it indicated that my motherboard does not use vPro, which in part is Active Management Technology. From what I have read, if AMT is not incorporated then the ME vulnerability is low to non-existent. Anybody have thoughts on that assumption?

Re: Debian Security ~ Intels' ME and likewise

Posted: 2017-11-24 21:11
by makh
Hi
Intel seems to have launched their utility. But I want to know that if Debian Developers are going to provide any such utilities, in any way, now or in coming days...?