Trusting Intel…

“ME has access to everything that is important. It has unconstrained access to DRAM, to the actual CPU, to GPU, it can also talk to your networking card, especially your Ethernet card, the controller for which is also in the Southbridge in the processor. It also has its own dedicated partition on the SPI Flash which can be used to store whatever ME wants to store there. This is really problematic, and we don’t know what it runs.”
 
See Trustworthy x86 laptops? There is a way, says system-level security ace
Software, firmware, hardware, they are all powerful and essential… but can you trust them? In the wrong hands all of them can be tools of those who are out to get you one way or another. With governments and corporations abounding that want to snoop or copy or sabotage there are plenty of bad apples in the barrel. We can do something about this with FLOSS, that’s one of many reasons to love FLOSS. Firmware is another matter if we just accept binary blobs without understanding. Then there’s the hardware.

What if your CPU, the all-knowing, singing, dancing CPU that can do thousands of things at once with access to your hardware, software, data and networks is compromised by the maker? Do you feel lucky? Well, do you, punk? (Dirty Harry). Intel has been the big maker of PC and server CPUs. They want to add their own binary blob right into their CPUs. It’s their leverage, their way of “adding value”, but is it good for your security to have a back door deliberately installed in the heart of your hardware? Do you ultimately trust Intel, the corporation that used to pay OEMs not to install a competitor’s CPUs? They do lack a certain morality, far below the bare minimum we require of any supplier. AMD may be no better even though they were Intel’s victim. They are struggling. Would they be willing to do the same given a sweet deal by some government or criminal organization? We just don’t know.

ARM may be a bit better because of their openness but they don’t produce chips directly. They provide building blocks. Any malware can be built into units containing the ARMed hardware we all love.

Thin clients can help by keeping important data away from the CPUs but that still leaves in doubt the hardware of the servers and even the networking chips. At any stage malware can be given a free ride on stuff you own. Is it hopeless? Not quite. We still have the possibility of having open hardware right down to the masks used in the fabrication of chips. That has to happen before all this IT can be fully trusted. Given the present climate, I expect to see cloud-funded masks for FABs within a few years. We’ll have to render binary blobs in firmware also transparent. It will happen. We have the power. Just stop buying that other stuff until the required transparency is available.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

12 Responses to Trusting Intel…

  1. DrLoser says:

    Security by obscurity uses as why closed source could be more secure has got security by fear around the wrong way. If software developers have nothing to make them fear being detected the code quality will not be in the code base.

    Ignorant, meaningless, stupidity.

    Try again, Princess.

  2. Wizard Emeritus says:

    “kurkosdr a fully trusted system from a security point of view depends on the means to Audit. ”

    And yet you are an admitted liar, so why should your words mean anything sir?

  3. Wizard Emeritus says:

    “Tinfoil hat could in fact allow you to get sleep if where you are has a electromagnetic ELF or VLF problem.”

    HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA.

    Thank you for the entertainment sir.

  4. oiaohm says:

    There is a saying security by fear is something true. 90 percent plus of security is bluff.

    So security stickers advertising security system, Fake security cameras and so on work 90 percent of the time just as effectively as having real ones.

    Same with software security. If the person providing you stuff knows the fact you can in fact properly audit what they are providing 90 percent of the time they will not attempt anything underhanded. If you perform the audit or not that is a completely different matter.

    The belief that the item could be audited is the biggest deterrent to underhanded actions. Not that Audit is performed. Performing the audit against a party that believes the item could be properly audited you are looking at catching less than 10 percent of the problem.

    Security by obscurity uses as why closed source could be more secure has got security by fear around the wrong way. If software developers have nothing to make them fear being detected the code quality will not be in the code base.

  5. oiaohm says:

    kurkosdr a fully trusted system from a security point of view depends on the means to Audit. Having code running in a blackbox that you cannot see what is being executed fails the means to audit. Now you can have the means to fully audit system without having the means to change code in a secured section.

    Sorry kurkosdr with an arm processor you can pay the money to see the reference design from arm have your own staff inspect it. After make of chip use inspection tech to make sure the chip is in fact made to spec. Then run your own software on it as a government. Problem here is how to make phones/computer tech simple to validate as safe to normal users.

    Trust some one is the first thing you learn about security. Proper hardened security is not based on trust but the means to audit actions.

    Otherwise you’ll end up ripping off the bezel of your TV for hidden cameras and ripping apart your car’s upholstery for hidden microphones, with a tinfoil hat and “I want to believe” posters in your walls.
    If you do most of that you are an idiot. Some TVs come with cameras built in always watching who is sitting in front of them.

    http://www.instructables.com/id/How-to-locate-pinhole-cameras/?ALLSTEPS
    Interesting enough for those who know what they are doing searching a room for hidden cameras is simple. No ripping stuff apart.

    Electronic based microphones in fact give off a RF signal unless properly shielded. Properly shielded also means putting in enough metal findable with an ultrasonic search. Again non destructive.

    Passive microphone devices are far harder to find. They work on either fiber optic line picking up sound or some metal object that when hit with a radio signal becomes active and sound causes the object to alter the radio signal reflected back. Yes this could be as simple as a food cover brought into room. Of course in car upholstery there is no need to rip it apart to check if it to spec.

    http://mic.com/articles/91091/a-mysterious-sound-is-driving-people-insane-and-nobody-knows-what-s-causing-it

    Tinfoil hat could in fact allow you to get sleep if where you are has a electromagnetic ELF or VLF problem. Yes putting on a Tinfoil hat and attempting to sleep is a test for environmental problems. If you cannot move out it can be quite a suitable solution to allow you mind to operate properly. Ok looks stupid but its better to look stupid than be sleep deprived and be a hazard to yourself and everyone else.

    Sleep labs have very thick walls of sound proofing for many reasons. Yes tinfoil hat does not allow you to sleep next stop sleep lab to find out if you have a problem and if you don’t have a problem you are then looking a sound based ELF/VLF what is a lot harder to deal with.

    Yes the joke made over tinfoil hats completely ignores the medical usages of them. Yes even in a sleep lab due to the cameras and everything else in the room there might be electromagnetic noise in the room disturbing your sleep if suspected they give you a conductive ski-mask that does basically the same job as tin foil hat. Advantage they have conductive and non conductive masks so blind testing on your part.

    Lack of sleep for a long time could explain how some people end up massively nutty.

    Yes the –“I want to believe” posters in your walls– on walls and the destructiveness caused by an idiot who does not know better could be the direct result of ELF/VLF exposure causing lack of sleep so crippled thinking. Only thing with any merit to do out of the list was the tin foil hat.

  6. oiaohm says:

    ram
    http://www.wired.com/2015/07/researchers-hack-air-gapped-computer-simple-cell-phone/
    Advances in tech people have in pocket make air gapping many times harder.

    shielded rooms and so on all depend on person not bringing something as simple as a phone with battery in. Of course person leaving their phone in a locker could be another risk as tracking software could be added to phone to aid in kidnapping.

    Most of the documents on making a hardened setup are open to the public because a lot of it needs third party review to make sure nothing has been overlooked.

    It’s like the fact you can get past Ultrasonic and PIR motion detectors with something as simple as a bed sheet of the right materials so hardened security setups are not to depend on these alone.

  7. ram says:

    If someone has had physical access to your hardware you can forget about security. Those who have worked in “secure computing environments” are well familiar with the measures taken: air-gaps, shielded rooms, hardware in transparent cases so security cleared operators could spot any changes, security seals, guards, alarm systems, special reduced instruction set “Unix like” operating systems, ancient hardware bridges to the outside world, …

    The list goes on. Unfortunately, most of it is classified. But back to the first statement.
    Never forget it!

  8. Ivan wrote, “Buy whatever the hell you want, just don’t do mental gymnastics to justify it.”

    That’s OK for the usual consumer who doesn’t know better but I am a sentient being with a conscience. I’m old enough to regret a lot of things I’ve done. Choosing FLOSS is not one of them.

  9. Ivan says:

    What if that steak you just ate was from a super intelligent space cow that would have taught mankind to live in peace and harmony before it was mistaken for a normal cow and slaughtered for that steak?

    Can you live with yourself? Does it matter?

    Of course not. Buy whatever the hell you want, just don’t do mental gymnastics to justify it.

  10. kurkosdr says:

    it’s the corp that has your data but you = it’s not the corp that has your data but you

  11. kurkosdr says:

    unlime = unlike

  12. kurkosdr says:

    Dear Pog, how do you trust that your ethernet card’s chip, or the cellular modem of your beloved android phone, are not sending duplicates of your packets (or at least the most interesting ones) to a third party IP, covertly without your OS knowing it? Same question for your router.

    Do you trust the chip just because it’s a chip and not firmware? Do you trust that current Northbridges and CPU are not doing what you describe in your post?

    At some point, you have to trust someone. Otherwise you’ll end up ripping off the bezel of your TV for hidden cameras and ripping apart your car’s upholstery for hidden microphones, with a tinfoil hat and “I want to believe” posters in your walls.

    Also, chill out. The NSA (boooo!) got info from cloud Microsoft, Google etc accounts because there is a clause in the TOS that allows MS and Google to do that.

    You get no such TOS when buying hardware. And you won’t because unlime the cloud, it’s the corp that has your data but you, hence they don’t have responsibility for them.
