Domain: ycombinator.com
Stories and comments across the archive that link to ycombinator.com.
Comments · 484
-
Re:At what point
-
Sad to say
But if you really want to read an informative thread about the issue, hop on over to Hacker News https://news.ycombinator.com/item?id=19239940
-
Avoiding the Paywall
The paywall can be circumvented by using, ironically in this case, Facebook.
-
Re: Not as dead as ...
I had read that HTML + CSS together are Turing-complete, but there seems to be some contention:
-
Re:BSD specifically asked for this
I don't see any 'BSD people' complaining about this....
There's lots of it around, though it's mostly on mailing lists or conference discussions. This Ycombinator story is a good place to start. I think that, with a few exceptions like Theo De Raadt, most people who have contributed long term to BSD projects that became large scale successful in other people's projects have ended up disillusioned.
-
yeah, no shit
This whole thing came from a single hacker news post, and where does it say he's an intern?
https://news.ycombinator.com/i...
-
Re:Doing what Google is best at
This, from here is a pretty plausible reason why this keeps happening:
Google GREATLY encourages "launches" - releasing something publicly. And keep in mind - no penalties if the shit is half baked, not working, only works on chrome, or some such nonsense! This is the norm! Why? Promotion. You cannot get promoted beyond a certain level in this place unless you "launch" something big. So what do you get when you add of all these perverse incentives? Nine thousand, eight hundred, and eighty-three chat apps, and a never-ending chain of redesigns and relaunches so some people can get promoted.
-
Re: Faraday cage
Kinda handy actually; didn't have to bother hitting pause
Thanks for the confirmation and the additional anecdote. In hindsight, a better term than "urban legend" would have been more adequate for my GP comment. I haven't experienced it myself, but can think of "known issue"... unfortunately I've been lurking lots on Hackernews and sub-consciously avoided what there would have been a sure-fire citation-needed reply :)
I laughed at the happy note on your workflow. It reminds me of what happens when software fixes this kind of thing in an un-skippable update. Couldn't find the exact XKCD I had in mind but this one is funny too https://xkcd.com/1172/
-
Author of jQuery File Upload here
I've written a comment with some background information on Hacker News: https://news.ycombinator.com/i...
Copying the content here for ease-of-use:
The vulnerability is a combination of Apache v.2.3.9's default setting to not read .htaccess files and my mistake of relying on .htaccess to enforce security of the sample PHP upload component.
To give you some context on how this could happen:
- As the project name implies, this started as a client-side jQuery plugin, with a dummy PHP script to echo out the uploaded file
- Over time, I added a couple of sample server-side upload components, including two for Google App Engine (Python + Golang) - which I used for the demo - and one for PHP, which I never used myself in production
- I used the PHP component for local tests with various possible file uploads, including very large files and chunked uploads, which required enabling all file types for upload. My thinking was that allowing all file types for upload is not critical as long as the handling of those files is properly configured.
- Prior to adding the .htaccess file, I mistakenly assumed developers would configure their Apache server themselves so that no PHP scripts would be executed in the uploads folder. It was only added in this commit: https://github.com/blueimp/jQu...
- The Apache servers I tested with always had support for .htaccess enabled, so I never bothered to check that the default Apache configuration since version 2.3.9 actually disabled it
- The original .htaccess configuration didn't even prevent script execution in all Apache configurations and had to be fixed, see: https://github.com/blueimp/jQu...
Looking back, there are a couple of things that I should have done differently:
- Move out the server-side components into separate repositories
- Inform users better about file upload security - see https://github.com/blueimp/jQu...
- Never assume people actually read information about security
- Never rely on .htaccess for security configurations in Apache
- Make sure that published code is secure in all default configurations
- Never allow all file types for upload by default, even if it is secure in your configuration
- Recommend users to not upload files in the same root as their executable web application
- Always follow security best practices, even if it makes setup for users more difficult
I wanted to make it really simple for users to install a generic and secure file upload service with a great user interface. Unfortunately, security best practices and ease-of-use are often at odds with each other.
Bonus info:
- The client-side component had a cross-site scripting vulnerability in the Iframe Transport HTML site back in 2012: https://github.com/blueimp/jQu...
- The App Engine components had an open redirect vulnerability back in 2015: https://github.com/blueimp/jQu...
-
Re: First selfhosting compiler EVER!
This is even more interesting. Running .NET on nearly bare metal using a NetBSD rump kernel.
-
Re:Remember when
I'm not taking a "stupid" from someone who can't recognize the difference between a MMORPG with thousands of players in a realm
Private fucking wow servers you stupid fuck AKA you're so stupid you don't know how stupid you are, you are reasoning by your feelings not facts. The fact that wow can exist without subscriptions means you were all taken for a big ride. In the 90's RPG's came with both single player and multiplayer combined, it doesn't matter how many players a game has it doesn't make it special or require it to be managed by the company as private wow servers prove. So go back to your cave troll.
-
Re:This summary is a mess
I don't think I've ever read a more confusing summary.
It might have helped if the first part of this had appeared on Slashdot. But yes, the summary, particularly the title, is hopeless. A better title might be: "ARM beclowns itself with FUD against RISC-V"
This is about ARM FUD against RISC-V that appeared yesterday on a new site set up by ARM marketing creeps. It was a shock to people that respect ARM, so much so that some argued it was a hoax. It took some investigation into the FUD site and its origins to convince people.
The fact is that what ARM sells is being commoditized. It's being commoditized because what they sell isn't all that novel any longer. The core of an ARM based integrated circuit is a small fraction of the value of these devices today; the real value is in the peripherals.
-
Re:dumbed down & inaccurate search results
Google gives you the results it thinks you want, not what you're asking for.
No, Google gives you the results Google wants you to see, hoping they are close enough to what you were looking for that you do not realize the difference.
This is exactly right. When Google downranks or delists sites because of piracy/hate/etc, it's not giving you what it thinks you want. It knows what you want, it just refuses to give it to you and gives you other stuff in hopes you don't care.
-
Researchers release DEDA to anonymize laser printe
" DEDA is a new tool for Linux that researchers have created to read and decode the forensic information, and to anonymize information to protect against tracking.
The Electronic Frontier Foundation discovered in 2008 that nearly all major color laser printer manufacturers added tracking dots to any printed document. The yellow tracking dots were invisible to the eye and apparently added to printouts on request of the U.S. government."
Earlier discussion of this and more sophisticated printer tracking codes [src]
-
Re:Illusion of separation in VM
The smallest projects, like OpenBSD, were left in the cold to fend off for themselves. Theo and other developers asked Intel if they could be a part of the embargo. They never received a response.
Maybe because Theo and other developers are selfish, and have abused the embargo in the past?
-
Lots of options -- basic income as a start
Coincidentally I posted some ideas just the other day: https://news.ycombinator.com/i...
=====
We could have a Basic Income for all so that anyone who wanted to create FOSS could without having to take a paying job. The basic income would also recognize all the contributions to society many people make which they are not compensated for (e.g. caring for sick relatives instead of sending them to nursing homes).
Or we could have better 3D printers, gardening robots, materials extractors, portable recycling equipment, and printable solar panels so that programmers making FOSS would not need to engage with the exchange economy much.
Or we could expand the gift economy (which FOSS is part of) to more of the material world (e.g. Freecycle).
Or the US government could repeal most drug laws and convert freed-up prisons into places where FOSS programmers or others who wanted to make free public digital works could hang out and get free room and board and so on (or maybe build nicer accommodations to the same goals).
Or the filing or holding of non-freely-licensed copyrights by non-profits (e.g. most universities who already employ a lot of people to do programming) could be determined to be "self-dealing" by Congress or maybe just the IRS:
https://pdfernhout.net/open-le...
"Foundations, other grantmaking agencies handling public tax-exempt dollars, and charitable donors need to consider the implications for their grantmaking or donation policies if they use a now obsolete charitable model of subsidizing proprietary publishing and proprietary research. In order to improve the effectiveness and collaborativeness of the non-profit sector overall, it is suggested these grantmaking organizations and donors move to requiring grantees to make any resulting copyrighted digital materials freely available on the internet, including free licenses granting the right for others to make and redistribute new derivative works without further permission. It is also suggested patents resulting from charitably subsidized research also be made freely available for general use. The alternative of allowing charitable dollars to result in proprietary copyrights and proprietary patents is corrupting the non-profit sector as it results in a conflict of interest between a non-profit's primary mission of helping humanity through freely sharing knowledge (made possible at little cost by the internet) and a desire to maximize short term revenues through charging licensing fees for access to patents and copyrights. In essence, with the change of publishing and communication economics made possible by the wide spread use of the internet, tax-exempt non-profits have become, perhaps unwittingly, caught up in a new form of "self-dealing", and it is up to donors and grantmakers (and eventually lawmakers) to prevent this by requiring free licensing of results as a condition of their grants and donations."
Or in the absence of such a legal ruling, foundations and other donors could require grantees to sign a pledge to only create free and open source works:
"Pledge to only fund and create free software and free content"
https://pdfernhout.net/pledge-...
Or programmers could keep creating FOSS in their spare time both for its own sake and in the hopes the growing quantitative mass of FOSS eventually leads to a qualitative shift towards a post-scarcity society.
=====
Or something I posted around 2004:
"How to Find the Financing for Achieving the Star Trek Society"
https://www.kurtz-fernhout.com...
"This essay shows how a total of $14000 billion up front and at least another $2085 billion per year can be made available for creative investment in the USA
-
Re:I have a little question of developers...
You do understand the concept of a persistent multiplayer world, yes? MMOs are nothing like FPS shooters. In an FPS the "world" starts over with every new game.
A subscription-based MMO... of fucking course they're not going to give you the server software so that you can run your own and not pay them.
You do understand the concept that "persistent multiplayer world" is PR speak to con gullible people like you right? Oh wait there's some private wow servers over here to disprove your notion that you can't have an "mmo" (pr speak for rpg with multiplayer with dedicated server) you buy as a one off purchase.
Private servers:
https://news.ycombinator.com/i...
"MMO" is a PR speak term for idiots who don't think logically, otherwise private wow servers would be impossible. The fact that private wow servers exists, prove you and the gaming public are idiots.
Here's what the game industry did during the 90's, during the 90's PC rpg's were growing in cost to produce and CEO's floated the idea of conning the gullible public out of its money by rebranding the single player PC rpgs /w multiplayer component and rebranding them mmo's. That's all the term mmo is - a PR shell game to get you to pay monthly to what have would been a fully normal game with multiplayer in the 90's. They realized they could make much more money and steal the software from a gullible public by just shifting words around because you reason by emotion not truth.
See the science, your brain does not reason nor see reality as it is:
-
My whole point
That's marketing bullshit son, if that wasn't the case private wow servers wouldn't exist. see below:
https://news.ycombinator.com/i...
Well that was the whole point of my long post (past the 2 lines of introduction you cited):
- To make this "bullshit" (as you call it) explanation valid, efforts are needed to make 3rd party servers acceptable.
But currently that's not the case everywhere.
- That *is* the case with Minecraft. (Pay a recurring subscription only if you want access to their servers. Pay the blob once and then play with your friends on your own personal server if you want instead).
- That is *definitely not* the case with Blizzard given their trigger-happy lawyer ready to shut down any attempt to third party servers.
^- We even used the same example (WoW, Blizzard) actually in our respective posts.
So no the fact that you believe that corporate propaganda means you're stupid.
Personally, I don't even pay attention to "corporate propaganda" : I don't even play MMOs. (Or any subscription-based game)
I like to play point'n'click games which (since the fall of Sierra On-line and LucasArt) has completely exited the radar of corporation and is currently more an indie thing. (So mostly financed through crowd funding).
you can have an mmo you own as a complete single player game with multiplayer server integrated.
Please elaborate how you could "have an mmo" (given that these letters stand for respectively Massive, Multiplayer and Online) as a "complete single player game". It kind of contradicts the whole purpose of the genre.
I fully understand and support the "own {... a ...} multiplayer server integrated" part, that's why I was saying that not preventing the gamers to play on a 3rd party server is just as important as allowing mods was in the last 90s.
I should be able to have fun with my friends on just any MMO as I could on Minecraft, without fear of judicial action.
I just don't understand the MMO being single player part.
There's no difference other than people like you being stupid.
Yup, I'm sure that calling random people on the internet "stupid" is the best solution ever to make your point understood.
So much eloquence !
Such persuasion !
-
Re:MMO
Technically, the idea is that for MMO you aren't paying for the game itself.
You're paying for the "online experience" of playing together "with thousands of other people".
That's marketing bullshit son, if that wasn't the case private wow servers wouldn't exist. see below:
https://news.ycombinator.com/i...
So no the fact that you believe that corporate propaganda means you're stupid. That's the whole point I was making the word "MMO" is a scam word you can have an mmo you own as a complete single player game with multiplayer server integrated. There's no difference other than people like you being stupid.
-
Re:Why are unprofitable companies worth so much?
No it hasn't lol https://news.ycombinator.com/i...
-
Re:Sourceforge and DICE all over again
The new owners removed the deceptive ads and the bundled adware in 2016. At least SF has a revenue model that will keep them around indefinitely, unlike GitHub https://news.ycombinator.com/i...
-
Makes no sense
You think *Trump* will be pissed about a botnet being offline? Why exactly?
Even if you believe the line being peddled Trump and the Russians had any connection (long since disproven by Trump's antagonizing moves towards Russia, if you really want something interesting look to Trump and China...) remember it wasn't any bot net that got into the DNC, it was phishing and social engineering...
-
Re:Survive? Likely. Thrive? Likely Not
I think Ruby is almost clever enough. There's no concise way to send a method as a signal to a collection with the intent that it be applied recursively to any contained collections, one can only curry arguments in one direction, and of course there's no homoiconicity. Still, it's almost lispy. Python is slightly more influenced by the C-derivatives rather than Smalltalk.
What evidence do you have at this point of increasing NoSQL adoption? Most of the HN coverage is pretty negative, e.g. Why SQL is beating NoSQL. I don't think we otherwise have much difference of opinion on the general course of future events.
-
Re:LOL
Yup, and that is pretty much the port that is worn out already. The thing that gets me is, I thought durability was one of the selling points of USB-C?? I plug my android phone in every day with micro-usb and it is showing no signs of wear.
That's likely what the connector salesman told Apple, HP, Microsoft, Acer, Lenovo, etc., about USB-C connectors, too.
I DO know that Apple doesn't put cheap-shit connectors in their products (because they don't HAVE to); but, since USB-C is a relatively new standard in the wild, perhaps some unanticipated wearout mechanisms in the overall USB-C connector designs are now coming to light.
If so, that wouldn't be Apple's fault, per se. It would be an industry-wide problem.
There are also common, fairly prosaic, issues, like an accumulation of LINT in the connector (no fooling!) that make it SEEM like a USB-C port is "wearing out", when it isn't:
https://forums.oneplus.net/thr...
Here's another forum poster suggesting a "de-linting" fix:
https://www.reddit.com/r/Nexus...
The Spec. is 10,000 insertion/extraction cycles. So you haven't worn out the Connector:
https://news.ycombinator.com/i...
More than likely, there is lint that is keeping the connector from being fully-inserted, and thus the spring-clip that holds the "plug" into the "jack" isn't able to actuate.
-
GalliumOS and MrChromebox as an alternative
Someone accidentally wiping your developer-mode Chromebook is a valid concern. But you can reflash the firmware with something like MrChromebox's Firmware Utility Script to prevent that. I did that on the Acer 15" Chromebook I am using to write this post. It now runs GalliumOS (based on Xubuntu) and applications like Visual Studio Code and Minecraft. See: https://wiki.galliumos.org/Ins...
I did replace the flash memory with a 128GB module -- but that isn't strictly necessary. More details on all that in my comments here: https://news.ycombinator.com/i...
For under $400 total with the new drive plus some of my time, I am happy with it as my main personal machine these days for web browsing and some FOSS development. A centered trackpad with a 15" screen is otherwise a hard combination to find at the low end since so many companies add a numeric pad and offset the trackpad for terrible in-lap ergonomics. It's obviously not a MacBook Pro (which I use in my day job), and I do miss a backlit keyboard and a retina display, but it is a heck of a lot cheaper.
Probably the biggest limitation is you can't run Windows-only games or anything requiring intensive graphics processing. Steam's remote streaming from a desktop does work but is laggy.
It is also true that if you update the firmware you are out of the Google security ecosystem -- with both good and bad implications. So for the casual user, plain ChromeOS is probably a better choice (ignoring Google privacy issues). And web services like Cloud9 IDE can do a lot. And many of the latest Chromebooks can run Android apps.
And I can see why security professionals going to conferences would prefer the stock ChromeOS firmware and being able to powerwash back to a known good install -- with their data stored elsewhere on the network.
-
Re:Another solution that doesn't require Firefox..
Thanks.
Here's some footnotes to your advice: https://news.ycombinator.com/i... .
-
Re:Cleartext HTTP vulnerable to script injection
Via Google Search for comcast injecting javascript, I found this, this, this, and this.
-
off-topic quickie
I got to thinking about Google's clever Retpoline from the other day.
Google Says CPU Patches Cause 'Negligible Impact On Performance' With New 'Retpoline' Technique
The problem is, this is not invariant under peephole optimization. These instruction sequences need to be handled by the compiler through a very literal minded end-game code generation pass.
Which got me to thinking about RETGUARD gadgets.
RETGUARD, the OpenBSD next level in exploit mitigation, is about to debut
Retguard: OpenBSD/Clang
I know, both of those sites are horrible, but Google fails me here.
Are speculative gadgets a problem here? If so, Google's clever patch is going to need a sump pump bolted on the side.
And then you get into the whole problem of deterministic compilation in order to be certain that the executable you build contains the necessary mitigations (or some tricky post-compile analysis I sure don't wish to develop myself).
What a giant mess.
-
Re:We need to start an Internet 2.0
Trust might be an issue.
Not at all. You only need voltage/current limiters built into the basic switch. After that, you're invincible. Still need ad hoc networking to make it real though. "Server/Client" is just as offensive as "Master/Slave"
-
Re:Lol...
The issue with zerotier is that its code is "preconfigured" to use their servers (ie its hardcoded everywhere), and they advertise (spam?) very aggressively (last year on HN). So instead of repeating it, here goes what others said:
https://news.ycombinator.com/i...
Naive ideas like zerotier depend on central "tracker" nodes, not the torrent kind, but more like DNS. Sure, you can run DNS alt roots, but nobody will use those, because DNS isn't federated, DNS authority is a hierarchy.
People should know better than DNS these days. Networks like cjdns and tinc can achieve same effect like zerotier, with far less "need" for central ownership of the network.
-
Re:Make it stop....
It now competes head to head in performance and features, and offers an alternative with improved privacy.
The improved privacy is bullshit. WebExtensions breaks a large number of privacy plugins that blocked fingerprinting (Stop Fingerprinting), stopped redirects (NoRedirect), provided control over cross-site requests (RequestPolicy Continued), self-destructed cookies, super-cookie safeguards (BetterPrivacy), and these won't be ported. David Teller of the Mozilla Foundation has stated "some of our priorities with WebExtensions are - improving privacy. ..." Want to guess how he responded when he was asked how these privacy enhancing addons will be reintroduced to FF57? He went silent.
Then there is the Mozilla Cliqz partnership and the October experiment. "In August 2016, Mozilla ... made a strategic investment in Cliqz. Cliqz plans to eventually monetize the software through a program known as Cliqz Offers, which will deliver sponsored offers to users based on their interests and browsing history." "Mozilla is experimenting with including the Cliqz plug-in by default in its open source Firefox browser." Decide for yourself whether or not any of this is in the interest of privacy. Mozilla is drowning in its own bullshit.
-
Re:Politics are destroying open source software.
Funny enough, you often see the same people (or at a minimum the same behaviors) behind the destruction. It's not just Adria Richards and Anita Sarkeesian and Zoe Quinn shitting up the things computer nerds love, it's gone fucking mainstream and can be seen everywhere, from the Eich excommunication debacle to the fuckheads Sarah Sharp and Matthew Garrett (mjg59) technicolor poop-spraying on Linux. The staunchly anti-political technology field has become not only politicized but strongly polarized. We need to cut out the social justice cancer without apologies.
CoralineAda (Coralina Ada Ehmke) or at least connections to "her" via "her" hot dumpster file "Contributor Covenant" seem to pop up often in places that subsequently find themselves embroiled in identity politics/feminist/SJW "live and let live as long as you live like we tell you to" controversies. Codes of conduct like hers are often used to marginalize white and male individuals under a patently false veil of equality.
krainboltgreene (Kurtis Rainbolt-Greene) is an aggressive "male feminist" that also makes an occasional appearance when something shitty and smeared with identity politics goes down.
Here, have some links for more reading. I'm getting depressed looking this trash can up and I don't want to dredge up more memories. Read for yourself.
https://github.com/opal/opal/i...
https://github.com/opal/opal/i...
https://www.reddit.com/r/Mozil...
https://news.ycombinator.com/i...
http://esr.ibiblio.org/?p=6918
http://paul-m-jones.com/archiv...
Also, before they get around to replying, fuck AmiMoJo and PopeRatzo in particular. They are prime examples of the burnt crust that needs to be scraped off the Pyrex dish of computing. -
Female Engineers on the Google Memo
If you haven't read it please consider doing so, it contains solid insights:
https://blog.ycombinator.com/a...
Many of the engineers agree with certain aspects of the original memo while respectfully debunking the logical fallacies it presented.
Enjoy.
-
Re:fucking krauts
This comment was copied verbatim from the same story on Hacker News.
-
Re: Doesn't this continually come up for Munich?
I can't really see why you'd buy an iMac and run something other than OS-X on it. Apple hardware is nicely designed but it is overpriced. And it works well running OS-X but it's likely to be subpar running anything else. E.g. lots of people have pointed out that Macs have poor battery life running Windows in Boot Camp. That's because Apple do some clever stuff like run the keyboard and trackpad in SPI mode, not USB. But that only works in OS-X. In other OSs they might just run them in USB mode.
https://news.ycombinator.com/i...
If you want to run Windows go to your favourite laptop/desktop OEM(s) and buy a machine/parts. It'll be cheaper than a Mac. If you want to run Linux go to your favourite OEM(s) and make sure all the parts have decent Linux support.
Now on my Mac I still occasionally need to run Visual Studio for Windows to build stuff. And for that there's Parallels Desktop. Parallels Desktop's Coherence mode where you can have Visual Studio running in a window on the same desktop as native Mac applications is a thing of beauty.
And it looks like they support it for Ubuntu virtual machines too -
-
Obligatory: Intel CPU Backdoor Report (May 5 2017)
The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.
What we know about Intel CPU backdoors so far:
TL;DR version
Your Intel CPU and Chipset is running a backdoor as we speak.
The backdoor hardware is in the CPU/Bridge, and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.
30C3 Intel ME live hack:
@21m43s, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
[Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
[Quotes] Vortrag:
"DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel."
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."
"We have recently improved DAGGER's capabilities to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."
"To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."
"We can permanently monitor the keyboard buffer on both operating system targets."
Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.
Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.
If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).
Useful links:
The Intel ME subsystem can take over your machine, can't be audited
REcon 2014 - Intel Management Engine Secrets
Untrusting the CPU (33c3)
Towards (reasonably) trustworthy x86 laptops
30C3 To Protect And Infect - The militarization of the Internet
30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software
1. Introduction, what is Intel ME
Short version, from Intel staff:
Re: What Intel CPUs lack Intel ME secondary processor?
Amy_Intel Feb 8, 2016 9:27 AM
The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked with t
-
Obligatory:Intel CPU Backdoor Report (May 5 2017)
All Intel did was add another hidden switch only they know how to switch on, like a unique wifi signal or magic packet on the onboard NIC.
The goal of this report is to make the existence of Intel CPU backdoors common knowledge and provide information on backdoor removal.
What we know about Intel CPU backdoors so far:
TL;DR version
Your Intel CPU and Chipset are running a backdoor as we speak.
The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.
30C3 Intel ME live hack:
@21m43s, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
[Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
[Quotes] Vortrag:
"DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel."
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."
"We have recently improved DAGGER's capabilities to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."
"To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."
"We can permanently monitor the keyboard buffer on both operating system targets."
Backdoor removal:
The backdoor firmware can be removed by following this guide [github.io] using the me_cleaner [github.com] script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.
Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort. If you are skilled in these areas, download Intel ME firmwares from this collection [win-raid.com] and have a go at them; beware, Intel is using a lot of countermeasures to prevent their backdoors from being decoded (explained below).
Useful links:
The Intel ME subsystem can take over your machine, can't be audited
REcon 2014 - Intel Management Engine Secrets
Untrusting the CPU (33c3)
Towards (reasonably) trustworthy x86 laptops
30C3 To Protect And Infect - The militarization of the Internet
30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software
1. Introduction, what is Intel ME
Short version, from Intel staff:
Re: What Intel CPUs lack Intel ME secondary processor?
Amy_Intel Feb 8, 2016 9:27 AM
The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked with the engineering department and they confirmed it.
Long version:
-
Re:whatever
TheCarp opined:
A solid show maybe but, there was less Star Trek in the free episode I saw than in the first five minutes of the average Orville episode.
Agreed. And you're far from alone in that assessment
... -
Re: Cheaper to license, costlier to support
I have to agree on the HW point, but I think it is too simple to say 'avoid crap'. The larger issue is that your experience with distro X will be *extremely* variable depending on hardware choices. Spending more can help- I will give you a concrete example, since you ask: I had an HP Elitebook 8440w that was the absolute best mobile Linux experience I have ever had. I noted battery life was a little poorer than on Win7, but it was close. Sadly, I followed up with a Zbook 15 and it was bad- poor wifi range, regressions (screen brightness problems) and much poorer battery life than on Windows (could not easily switch between nvidia and intel graphics). Neither of those were crap HW, but experience was highly variable.
Of course, this is a tiny dataset, and only a couple of experiences (if you want a few more views, and folks trying to deal with the issue, see here). A colleague just obtained an XPS13 'sputnik' edition (Ubuntu as installed by Dell) and has trouble with font scaling when he connects his external display. All small data points, but indicates to me that it might be relatively rare for someone to install a current distro on a notebook computer and have everything work flawlessly (even after significant hacking).
Ways forward? Dunno. Make sure we all check the Linux compatibility database? I still think Linux on mobile is very worth it due to the spyware issues UnknownSolider mentioned above. While MacOS does not seem to have these problems to the same extent as MS Windows, I feel there won't be much movement due to the other tradeoffs. -
Re: And now skype
Good discussion including moxie here.
-
Purism exceeds $1 million in funding for Librem 5
Purism exceeds $1 million in funding for Librem 5 Linux-based smartphone
"The most popular mobile operating system on the planet, Android, is already based on Linux, but with Google in charge of it, many consumers cannot depend on it for privacy. With that said, Purism is planning to fight the impossible fight against Android and iOS with the "Librem 5" smartphone. This is a device that will run a privacy-focused Linux-based OS called "Pure OS," but the hardware is wide open for any OS, really. Purism is trying to raise $1.5 million through crowdfunding, and earlier today, it reached a significant milestone -- $1 million! Maybe the fight isn't impossible after all..." - via BetaNews
In the news:
https://puri.sm/shop/librem-5/
https://news.ycombinator.com/i...
https://news.ycombinator.com/i...
https://www.reddit.com/r/linux...
https://www.reddit.com/r/linux... -
Re:So normal bluetooth headphones won't work for t
Yes you need the Google earbuds. It was done that way for "UX reasons". https://news.ycombinator.com/item?id=15404918
The earbuds send the data to the phone which sends it to Google which translates everything into "my hovercraft is full of eels" and then sends it back to your phone which sends it to the earbuds.
The only new part here is of course the earbuds.
-
Was posted to HackerNews yesterday...
...but the Hackers did not care: https://news.ycombinator.com/i...
Seriously, is there still a real hacker newssite out there? Something that really is about hacking, not about pushing yCombinator investments? -
Obligatory:Intel CPU Backdoor Report (May 5 2017)
The goal of this report is to make the existence of Intel CPU backdoors common knowledge and provide information on backdoor removal.
What we know about Intel CPU backdoors so far:
TL;DR version
Your Intel CPU and Chipset are running a backdoor as we speak.
The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.
30C3 Intel ME live hack:
@21m43s, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
[Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
[Quotes] Vortrag:
"DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel."
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."
"We have recently improved DAGGER's capabilities to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."
"To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."
"We can permanently monitor the keyboard buffer on both operating system targets."
Backdoor removal:
The backdoor firmware can be removed by following this guide [github.io] using the me_cleaner [github.com] script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.
Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort. If you are skilled in these areas, download Intel ME firmwares from this collection [win-raid.com] and have a go at them; beware, Intel is using a lot of countermeasures to prevent their backdoors from being decoded (explained below).
Useful links:
The Intel ME subsystem can take over your machine, can't be audited
REcon 2014 - Intel Management Engine Secrets
Untrusting the CPU (33c3)
Towards (reasonably) trustworthy x86 laptops
30C3 To Protect And Infect - The militarization of the Internet
30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software
1. Introduction, what is Intel ME
Short version, from Intel staff:
Re: What Intel CPUs lack Intel ME secondary processor?
Amy_Intel Feb 8, 2016 9:27 AM
The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked with the engineering department and they confirmed it.
Long version:
The Intel Management Engine (ME) is a separate computing environment physically loca
-
Re:Apple's stripping AMP-links
It sounds like Google specifically requested this from all browser makers - Safari may just have been the first to implement.
Perhaps the request came about because of this flaw?
-
Yes. Entire Categories of Errors Removed.
Yes.
Entire categories of errors are simply not present in strongly typed languages, which are present in weakly typed languages. The example of PHP is the worst, as this may be a retardedly typed language, but the example still is applicable.
I've also noticed that there is a tendency for weakly typed languages to be interpreted, while strongly typed languages are compiled. This is another language attribute that moves the bug detection from compile time to run time, and introduces an entire category of run time only bugs which compiled languages do not have.
All of these are reasons that weakly typed languages allow for more bugs, which are detected later. I am not saying that strongly typed compiled languages are better than weakly typed interpreted languages, but they are different.
A crappy programmer with a good type system is not better than a good programmer with a crappy type system. I'm pretty sure this is a paraphrasing of something Donald Knuth must have said...
-
Re: Very Brave
Today's your lucky day! I was just reading a thread about this very problem.