
Debian Security ~ Intels' ME and likewise

Here you can discuss every aspect of Debian. Note: not for support requests!
Message
Author
makh
Posts: 651
Joined: 2011-10-09 09:16

Debian Security ~ Intels' ME and likewise

#1 Post by makh »

Hi

Processors, modern BIOSes, motherboards, and maybe other components seem to have the potential for numerous threats to Linux and user privacy.

In electronics, some circuits and cabling involve a technique called shielding. This is used to technically protect the electrons so that they keep doing what they should do, without outside disturbances.

Is there any Linux project like Grsecurity or a hardened Linux kernel or similar, working in this respect to keep the OS and the network ports safe? Will it make it into Debian soon?

Thank you
ThinkPad E14: Arch, Debian Stable
GUI: Xfce

For new: Try MX Linux, Linux Mint; later join Debian Stable

edbarx
Posts: 5401
Joined: 2007-07-18 06:19
Location: 35° 50' N, 14° 35' E
Been thanked: 2 times

Re: Debian Security ~ Intels' ME and likewise

#2 Post by edbarx »

Intel ME is powered by separate, dedicated small CPU cores running MINIX with a small stack of executables. This means that Debian, MS Windows, whatever, do not have much chance to do anything about it. For the main CPU cores to function, the ME must be offering a few basic functions, implying that trying to kill the ME results in a broken processor.

As things stand, having to be content with a CPU with a hidden small computer running a complete OS without knowing what it is doing is the least of evils. I say this because purchasing hardware that is guaranteed to be entirely libre is often priced exorbitantly. For instance, on the DNG mailing list such a machine was said to cost around $7000! Myself and many others are not willing to spend that much to be guaranteed to run completely libre hardware.
Debian == { > 30, 000 packages }; Debian != systemd
The worst infection of all, is a false sense of security!
It is hard to get away from CLI tools.

pylkko
Posts: 1802
Joined: 2014-11-06 19:02

Re: Debian Security ~ Intels' ME and likewise

#3 Post by pylkko »

I believe that there are some other cheaper options, at least in theory. For example the Asus Chromebook C201. In the ARM architecture the full instruction set is done in electronics, not software, so there is no "microcode". Furthermore, this chip can boot Libreboot and does not have the ARC coprocessor that Intel x86 has (Management Engine). If you install a fully libre install on it, it cannot do any hardware-accelerated 3D graphics (that is, you have to do 3D graphics on the main CPU, which is slow), but other than that, I believe it works. (https://libreboot.org/docs/hardware/c201.html)

The same goes for BeagleBoard dev boards. These use the TI OMAP family of SoCs. These have free firmware/start-up software and free mainline kernel modules. However:
https://www.fsf.org/resources/hw/single-board-computers wrote:...the graphics accelerator (GPU) and the video decoding hardware for formats such as MPEG-2 are nonfunctional, because they require nonfree blobs to be installed into them.

zerubbabel
Posts: 29
Joined: 2017-08-30 21:09

Re: Debian Security ~ Intels' ME and likewise

#4 Post by zerubbabel »

Wouldn't a good firewall be able to guard against Intel's MINIX level sending and receiving packets on the WAN?

pylkko
Posts: 1802
Joined: 2014-11-06 19:02

Re: Debian Security ~ Intels' ME and likewise

#5 Post by pylkko »

zerubbabel wrote:Wouldn't a good firewall be able to guard against Intel's MINIX level sending and receiving packets on the WAN?
No. For sure no, if you mean something like iptables on the kernel running on the machine with the ME. If you mean an external box working as a gateway/firewall, then it sounds like it would be difficult to separate the noise from the signal, given that the ME has full access to the device.
see: https://www.bestvpn.com/privacy-news/in ... nt-engine/

If it can "Access all areas of your computer’s memory, without the CPU’s knowledge." and "Set up a TCP/IP server on your network interface that can send and receive traffic, regardless of whether the OS is running a firewall or not." then why couldn't it communicate over the network through whatever means your normal network traffic does?

W.r.t. the AMT "empty password bug":
https://www.theregister.co.uk/2017/05/05/intel_amt_remote_exploit/ wrote:"It gives full control of affected machines, including the ability to read and modify everything. It can be used to install persistent malware – possibly in the firmware – and read and modify any data. For security servers, it may allow disabling security features, creating fake credentials, or obtaining root keys.

"Disable AMT today. Mobilize whomever you need. Start from the most critical servers: Active Directory, certificate authorities, critical databases, code signing servers, firewalls, security servers, HSMs (if they have it enabled). For data centers, if you can, block ports 16992, 16993, 16994, 16995, 623, 664 in internal firewalls now.

"If you have anything connected to the Internet with AMT on, disable it now. Assume the server has already been compromised."
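The "empty password bug" quoted above, as an added example that is not part of this thread and not Intel's code: the AMT web interface authenticated with HTTP Digest, and the flaw was that the firmware compared the client's `response` against the expected digest for only as many characters as the client had sent, so an empty response passed. The script below models that check beside a full-length, constant-time comparison. The realm, nonce, password and request header are constructed values, and `authenticate()`, `vulnerable_verify()` and `fixed_verify()` are names chosen here, not Intel's.

```python
# Added example, not from the thread or from Intel: it models the AMT
# "empty password" bug in HTTP Digest authentication next to a correct
# check. Assumption (labelled): the vulnerable server compared only as many
# characters as the client sent, i.e. strncmp(expected, supplied,
# strlen(supplied)); realm, nonce and password below are constructed values.
import hashlib
import hmac
import re


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str,
                    qop: str = "auth") -> str:
    """RFC 2617 Digest 'response' value, as the AMT web UI on 16992 expects."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_authorization(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (enough for this demo)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(params)}


def vulnerable_verify(expected: str, supplied: str) -> bool:
    """Bug: compares only len(supplied) characters of the expected digest.
    An empty supplied response compares zero characters and matches."""
    return expected[:len(supplied)] == supplied


def fixed_verify(expected: str, supplied: str) -> bool:
    """Full-length, constant-time comparison of the two hex digests."""
    return hmac.compare_digest(expected.encode(), supplied.encode())


# Constructed server-side state and an attacker's request (no real AMT data).
REALM = "Digest:0123456789ABCDEF0123456789ABCDEF"
NONCE = "c0ffee00c0ffee00"
ADMIN_PASSWORD = "correct-horse-battery"   # the attacker never learns this

ATTACKER_HEADER = ('Digest username="admin", realm="%s", nonce="%s", '
                   'uri="/index.htm", response="", qop=auth, '
                   'nc=00000001, cnonce="deadbeef"' % (REALM, NONCE))


def authenticate(header: str, verify) -> bool:
    """Server side: recompute the digest from the stored password and
    compare it to the client's response with the supplied verify()."""
    f = parse_authorization(header)
    expected = digest_response(f["username"], f["realm"], ADMIN_PASSWORD,
                               "GET", f["uri"], f["nonce"], f["nc"],
                               f["cnonce"], f.get("qop", "auth"))
    return verify(expected, f["response"])


if __name__ == "__main__":
    print("vulnerable:", authenticate(ATTACKER_HEADER, vulnerable_verify))  # True
    print("fixed:     ", authenticate(ATTACKER_HEADER, fixed_verify))       # False
```

The point to take from it: the attacker sends `response=""` and never needs the password at all, so the fix is not a stronger password but a comparison that always covers the full digest; `hmac.compare_digest` also avoids leaking where the two strings diverge through timing.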

zerubbabel
Posts: 29
Joined: 2017-08-30 21:09

Re: Debian Security ~ Intels' ME and likewise

#6 Post by zerubbabel »

Yes, I wondered about a firewall external to the computer, but if there would be no way to recognize the packets to and from the Minix level, obviously that wouldn't work.

makh
Posts: 651
Joined: 2011-10-09 09:16

Re: Debian Security ~ Intels' ME and likewise

#7 Post by makh »

edbarx wrote:... As things stand, having to be contented with a CPU with a hidden small computer running a complete OS without knowing what it is doing is the least of evils. ...
Hi
I heard it was said by Emperor Minko Khan: the one who trusts his enemy, loses.

There's a quote in our language:
one bad fish makes the whole pond bad.
(It is an approximate translation.) But you do get it when the experienced Debian gurus (here) "again and again advise" not to install anything from outside the repos.

I do hope that either Arm or IBM or another launches privacy-based microprocessors for the desktop/laptop especially, which can be used by those who prefer FOSS and privacy, and which do not run into this new closed-source technology of "MINIX Inside".

I hope that this hardware issue gets some good and permanent solution, soon.
Last edited by makh on 2017-11-16 12:17, edited 1 time in total.
ThinkPad E14: Arch, Debian Stable
GUI: Xfce

For new: Try MX Linux, Linux Mint; later join Debian Stable

makh
Posts: 651
Joined: 2011-10-09 09:16

Re: Debian Security ~ Intels' ME and likewise

#8 Post by makh »

zerubbabel wrote:Yes, I wondered about a firewall external to the computer, but if there would be no way to recognize the packets to and from the Minix level, obviously that wouldn't work.
If this is somehow possible, a tagged bit can be used to check whether it is the main CPU streaming the data to the world or something else. It can then be blocked from communicating.

Just a thought... :idea:
ThinkPad E14: Arch, Debian Stable
GUI: Xfce

For new: Try MX Linux, Linux Mint; later join Debian Stable

zerubbabel
Posts: 29
Joined: 2017-08-30 21:09

Re: Debian Security ~ Intels' ME and likewise

#9 Post by zerubbabel »

Who would buy a house if he knew that the builder reserved the "right" to build a hidden chamber below the apparent foundation, having a control panel with which to monitor everything that happens in the house, and having a secret tunnel connecting it to some other unknown realm?

zerubbabel
Posts: 29
Joined: 2017-08-30 21:09

Re: Debian Security ~ Intels' ME and likewise

#10 Post by zerubbabel »

Hmmm. I wonder if I can replace the NIC in my Dell laptop with a non-Intel device, or if I added a USB NIC, could I disable the internal WIFI device...

pylkko
Posts: 1802
Joined: 2014-11-06 19:02

Re: Debian Security ~ Intels' ME and likewise

#11 Post by pylkko »

If I am not mistaken, the USB based attack that has been demonstrated against the ME does not need networking nor AMT at all, however.

After reading some of the links in this post, I am not very convinced that not having an Intel NIC makes you safe.

http://forums.debian.net/viewtopic.php? ... 57#p658708

makh
Posts: 651
Joined: 2011-10-09 09:16

Re: Debian Security ~ Intels' ME and likewise

#12 Post by makh »

Hi

Theoretically, if anything comes into interface with MINIX Inside, ... it will do its play. There goes the security... there's not even a check and balance for what will happen, or what happened in the past. Intel even surpasses the proprietary OSes.
ThinkPad E14: Arch, Debian Stable
GUI: Xfce

For new: Try MX Linux, Linux Mint; later join Debian Stable

makh
Posts: 651
Joined: 2011-10-09 09:16

Re: Debian Security ~ Intels' ME and likewise

#13 Post by makh »

ThinkPad E14: Arch, Debian Stable
GUI: Xfce

For new: Try MX Linux, Linux Mint; later join Debian Stable

alan stone
Posts: 269
Joined: 2011-10-22 14:08
Location: In my body.

Re: Debian Security ~ Intels' ME and likewise

#14 Post by alan stone »

Intel crawling out of the closet, dragging its feet...

Intel has released a downloadable detection tool which will analyze your system for the vulnerabilities identified & links to system manufacturer pages concerning the issue. See here.

EDIT: just noticed this information was published in the article provided through the previous post. Anyway, above is the straight link to Intel's burp. Who knows which shenanigans are in this patch. :roll:

pylkko
Posts: 1802
Joined: 2014-11-06 19:02

Re: Debian Security ~ Intels' ME and likewise

#15 Post by pylkko »

alan stone wrote:Intel crawling out of the closet, dragging its feet...

Intel has released a downloadable detection tool which will analyze your system for the vulnerabilities identified & links to system manufacturer pages concerning the issue. See here.

EDIT: just noticed this information was published in the article provided through the previous post. Anyway, above is the straight link to Intel's burp. Who knows which shenanigans are in this patch. :roll:

OK. So anybody still think that this management engine thing isn't 'bad'?

sunrat
Administrator
Posts: 6412
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 116 times
Been thanked: 462 times

Re: Debian Security ~ Intels' ME and likewise

#16 Post by sunrat »

pylkko wrote:OK. So anybody still think that this management engine thing isn't 'bad'?
Sounds bad but so is Coca-Cola and land mines. The world goes on, somehow.
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

pylkko
Posts: 1802
Joined: 2014-11-06 19:02

Re: Debian Security ~ Intels' ME and likewise

#17 Post by pylkko »

Some people opined that it isn't a security risk. I'm just saying that if Intel thinks it is, then I'm not convinced it isn't. No comment on the world or Coca-Cola.

fmp
Posts: 40
Joined: 2017-09-09 04:01

Re: Debian Security ~ Intels' ME and likewise

#18 Post by fmp »

It can be neutralized, depending on your hardware: https://github.com/corna/me_cleaner

I have also seen people suggest not to use the onboard PCI Wi-Fi, as somehow the ME is programmed to communicate only through the PCI. Anecdotally, a USB dongle for Wi-Fi would be a superior replacement.
(Don't know how true that is; I've not tested the theory myself as I don't fully understand the inner workings of the ME [just enough to know I don't want it] and I've only seen it mentioned once or twice... you'd think if such were viable it would be widely spread.)

AMD also has its own version of the ME: https://libreboot.org/faq.html#amdpsp so it's inescapable, for now (short of building your own).

Purism has also been working to neuter the ME: https://puri.sm/learn/avoiding-intel-amt/ (though from my understanding, they're just running the me_cleaner tool on their hardware).

ticojohn
Posts: 1284
Joined: 2009-08-29 18:10
Location: Costa Rica
Has thanked: 21 times
Been thanked: 44 times

Re: Debian Security ~ Intels' ME and likewise

#19 Post by ticojohn »

Just checked my motherboard specs (GA-H81M-H rev 2.1) and it indicated that my motherboard does not use vPro, which in part is Active Management Technology. From what I have read, if AMT is not incorporated then the ME vulnerability is low to non-existent. Anybody have thoughts on that assumption?
I am not irrational, I'm just quantum probabilistic.
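Two checks for the question above, and for the earlier point that a firewall on the host itself cannot see AMT traffic; this is an added example, not from the thread and not Intel's or Debian's tool. `find_mei_devices()` looks for the ME host interface (MEI/HECI) in `lspci -nn` output; it is present on boards without vPro too, so a missing vPro feature rules out AMT, not the ME. `probe_amt_ports()` connects to the ports the quoted advisory lists from a second machine, which is the only place they are visible, because the ME answers them in firmware below the OS. The lspci lines are a constructed sample (the device IDs are from the 8-series chipset family, which the H81 belongs to), the name match is a heuristic, and the `connector` parameter exists so the probe can be exercised without a network.

```python
# Added example, not from the thread and not Intel's or Debian's tooling.
# Two checks for the questions above:
#   1. find_mei_devices(): the ME's host interface (MEI/HECI) in `lspci -nn`
#      output. It is there on non-vPro boards too, so "no vPro" means
#      "no AMT", not "no ME".
#   2. probe_amt_ports(): from ANOTHER host, TCP-connect to the AMT ports the
#      quoted advisory names. AMT answers these in firmware, so `ss -ltn` or
#      iptables on the machine itself show nothing; only an outside probe or
#      an upstream firewall sees them.
# Assumptions: SAMPLE_LSPCI is constructed; the MEI name match is a
# heuristic; the `connector` argument is there so the probe runs offline.
import re
import socket
import subprocess

AMT_PORTS = (16992, 16993, 16994, 16995, 623, 664)

SAMPLE_LSPCI = """\
00:00.0 Host bridge [0600]: Intel Corporation 4th Gen Core Processor DRAM Controller [8086:0c00] (rev 06)
00:16.0 Communication controller [0780]: Intel Corporation 8 Series/C220 Series Chipset Family MEI Controller #1 [8086:8c3a] (rev 04)
00:19.0 Ethernet controller [0200]: Intel Corporation Ethernet Connection I217-V [8086:153b] (rev 04)
"""

# slot, class name, class code, device name, vendor id, device id
_LINE_RE = re.compile(r"^(\S+) ([^\[]+?) \[(\w+)\]: (.*?) \[(\w{4}):(\w{4})\]")
_MEI_RE = re.compile(r"\b(MEI|HECI|Management Engine Interface)\b", re.I)


def find_mei_devices(lspci_nn_output: str) -> list:
    """Return the Intel (8086) devices whose name looks like the ME interface."""
    found = []
    for line in lspci_nn_output.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        slot, _cls, _code, name, vendor, device = m.groups()
        if vendor.lower() == "8086" and _MEI_RE.search(name):
            found.append({"slot": slot, "name": name, "id": f"{vendor}:{device}"})
    return found


def _tcp_connect(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_amt_ports(host: str, connector=_tcp_connect, ports=AMT_PORTS) -> dict:
    """{port: reachable?} for the AMT ports; run this from a different machine."""
    return {p: connector(host, p) for p in ports}


def amt_exposed(results: dict) -> bool:
    """Any AMT port answering from outside means the ME is reachable."""
    return any(results.values())


if __name__ == "__main__":
    try:
        out = subprocess.run(["lspci", "-nn"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_LSPCI   # fall back to the constructed sample
    for d in find_mei_devices(out):
        print(f"ME interface present: {d['slot']} {d['name']} [{d['id']}]")
    # Real use: probe_amt_ports("<lan-host>") from another box; the stub
    # connector here keeps this stand-alone run off the network.
    print(probe_amt_ports("192.0.2.10", connector=lambda h, p: False))
```

Reading the two results together: an MEI device with every AMT port closed from outside is the usual picture on a consumer board with no vPro, which is what the quoted advisory's port list is about; an MEI device with 16992 or 623 answering is a provisioned AMT that needs disabling in the BIOS/MEBx and blocking upstream.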

makh
Posts: 651
Joined: 2011-10-09 09:16

Re: Debian Security ~ Intels' ME and likewise

#20 Post by makh »

Hi
Intel seems to have launched their utility. But I want to know that if Debian Developers are going to provide any such utilities, in any way, now or in coming days...?
ThinkPad E14: Arch, Debian Stable
GUI: Xfce

For new: Try MX Linux, Linux Mint; later join Debian Stable
