Slashdot Mirror
EFF Warns Most Of Intel's Chipsets Contain 'A Security Hazard' (eff.org)
The EFF is issuing a warning about the "tiny homunculus computer" in most of Intel's chipsets -- the largely-undocumented "Management Engine" which houses more than just the AMT module. An anonymous reader quotes their report:
While AMT can be disabled, there is presently no way to disable or limit the Management Engine in general. Intel urgently needs to provide one....vulnerabilities in any of the other modules could be as bad, if not worse, for security. Some of the other modules include hardware-based authentication code and a system for location tracking and remote wiping of laptops for anti-theft purposes... It should be up to hardware owners to decide if this code will be installed in their computers or not. Perhaps most alarmingly, there is also reportedly a DRM module that is actively working against the user's interests, and should never be installed in a Management Engine by default...
While Intel may put a lot of effort into hunting for security bugs, vulnerabilities will inevitably exist, and having them lurking in a highly privileged, low-level component with no OS visibility or reliable logging is a nightmare for defensive cybersecurity. The design choice of putting a secretive, unmodifiable management chip in every computer was terrible, and leaving their customers exposed to these risks without an opt-out is an act of extreme irresponsibility... EFF believes that Intel needs to provide a minimum level of transparency and user control of the Management Engines inside our computers, in order to prevent this cybersecurity disaster from recurring. Unless that happens, we are concerned that it may not be appropriate to use Intel CPUs in many kinds of critical infrastructure systems.
TLDR: "We have reason to fear that the undocumented master controller inside our Intel chips could continue to be a source of serious vulnerabilities in personal computers, servers, and critical cybersecurity and physical infrastructure."
While Intel may put a lot of effort into hunting for security bugs, vulnerabilities will inevitably exist, and having them lurking in a highly privileged, low-level component with no OS visibility or reliable logging is a nightmare for defensive cybersecurity. The design choice of putting a secretive, unmodifiable management chip in every computer was terrible, and leaving their customers exposed to these risks without an opt-out is an act of extreme irresponsibility... EFF believes that Intel needs to provide a minimum level of transparency and user control of the Management Engines inside our computers, in order to prevent this cybersecurity disaster from recurring. Unless that happens, we are concerned that it may not be appropriate to use Intel CPUs in many kinds of critical infrastructure systems.
TLDR: "We have reason to fear that the undocumented master controller inside our Intel chips could continue to be a source of serious vulnerabilities in personal computers, servers, and critical cybersecurity and physical infrastructure."
I've read about security issues with Intel chips. Makes me think I should go with AMD. But then I wonder, since AMD has a smaller market share, maybe they just aren't scrutinized as much.
Does anybody really know how 'safe' AMD chips are'? This is not a rhetorical question, and I'm not advocating or editorializing, just wondering.
In theory, theory and practice are the same; in practice they're different. (Yogi Berra & A. Einstein)
this black box has been around for years. probably a CIA backdoor with a gag order preventing them from documenting.
It's a purposefully built backdoor for the authorities that you should not try to use as a mortal. Only NSA and GCHQ should know about it. Now get in this black truck with us, we got a couple of questions to ask you.
yum install nsa-backdoor gchq-backdoor
Nobody wanted to believe it was bad or real. The few who agreed it existed and was probably an issue immediately countered with "well, they all have backdoors I'm sure..." -but is that true? Do AMD x86 chips have backdoor subsystems on par with Intel ME? Complete with compartmentalized always-on internet subsystem, access to everything even when the OS is offline and the machine is "off"? If we're going to say this is serious enough to avoid Intel chipsets can we be reasonably assured that the major alternative isn't also as bad in that regard? It seems like a good thing to clear up off the bat.
If all major chipsets do contain backdoors then it's pick your poison. If not, why the heck isn't this more widely known?
How many times will this same old info keep popping up. To the same discredit aspects about how it has to be enabled and so on...
-Yawn
This is the reason I will NEVER put one of these in my body!!
Yes. We know this. We've known this for years. Nobody cares.
If you don't want a backdoor in your processor, you'll need to use an ancient processor. That's the deal, due to the widespread apathy and tech companies that are in the pocket of government. Live with it.
So use VIA processors if you want security?
yes.
ARM, SPARC, POWER, IDT, ATOM.
DEC Alpha Forever yeahhh!
CPUs we've got, DEC Alpha. It's just Rick and DEC Alpha. Rick and DEC Alpha and their adventures, DEC Alpha. Rick and DEC Alpha, forever and forever, a hundred years Rick and DEC Alpha, s... things. Me and Rick and DEC Alpha runnin' around and Rick and DEC Alpha time. Aaall day long forever. All, a hundred days Rick and DEC Alpha forever a hundred times. Over and over Rick and DEC Alpha adventures dot com W W W dot Rick and DEC Alpha dot com W W W Rick and DEC Alpha adventures all hundred years. Every minute Rick and DEC Alpha dot com W W W hundred times Rick and DEC Alpha dot com.
According to the article:
So, which computers have "Remote Configuration" with OEM Setup? These are the computers that are vulernable the moment you take them out of the box and plug them in.
For example, are Lenovo ThinkCentres vulnerable out-of-the-box? I recently read a report of an indivual complaining that his ThinkCentre M58P is affected by this vulnerability:
http://openbsd-archive.7691.n7.nabble.com/How-are-people-dealing-with-the-Intel-AMT-BIOS-vulnerability-backdoor-td318400.html
".. presently no way to disable or limit the Management Engine in general.
Now this is the feature that screams of interference by a spy agency. If this feature was for Management, then YOU COULD MANAGE IT!
It would be turned off by default. You could turn it off. You could permanently disable it. I have been asking for these capabilities for years. I know I am not the only one. When I talk to other security folks and IT admins, the majority of them want to be able to manage and control the possibility of remote management.
See, I think this is the fundamental misapprehension, these days. :)
Don't just stand there, get that other dog!
This just reiterates the reason EOMA68 came about and why ThinkPenguin has funded its development for years. EOMA68 aims to reduce the cost of designing and manufacturing devices that are in the users control by modularizing critical components (CPU/RAM/etc). By taking these core components and putting them onto a card it reduces the cost of designing and manufacturing systems. By basing designs on open modular standards the user and community can retain control. And by basing on open modular standards anyone can design systems and devices around chipsets and SoCs we the community are in complete control of as we will have the complete corresponding source code for everything. So far there is a laptop and desktop design around EOMA68 and the first EOMA68 card is an AllWinner A20 dual-core with 2GB of ram, but there is a 4GB card with a Rockchip quad-core CPU in the works... and obviously much faster cards will follow.
A remote--triggered anti-theft system automatically precludes a complete factory-reset, at least while it is on.
After all, what good would a remote-trigger anti-theft system do if a theif could just "reset" a stolen laptop before selling it?
In a perfect world, enabling anti-theft would "lock out" a factory-reset and disabling the anti-theft would require a key of some sort.
The key here - pun intended - is that the user needs to be able to factory-reset an "unlocked" device and know with confidence - perhaps because a dedicated/single-purpose LED lights up at the end of a successful reset - that the device reset successfully.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
If this vulnerability shut down all the hospitals in the UK, you'd see some action maybe. Without a crisis, you just have some snooty security gurus gnashing their teeth, which they do all the time, right?
This is a big problem -- getting chip / system / OS designers to spend time and money to debug systems beyond what end users ignorantly are willing to pay for.
Fiat Lux.
What happens when the software/hardware to turn off the Management Engine has bugs or can be exploited?
Keep in mind just how heart-breakingly simple the recent AMT auth bug was.
Basic answer is very simple : no computer is secure.
If you want a private computer, you cannot connect it to a network.
if you buy American CPUs, they may one day decide to kill the machine remotely. Don't take the risk, consider another architecture. This applies to military hardware as well, e.g. if a country buys American fighter jets, they make sure they can take them out of the sky with the push of a button.
Clerks taught me to never go ATM...
See subject: This "layered-security"/"defense-in-depth" set of measures I've used since ~ 1996 or so https://yro.slashdot.org/comments.pl?sid=10610229&cid=54415425/ & THAT particular measure STOPS AMT COMMUNICATION REMOTELY in/out bound @ ports noted OUTSIDE & IN FRONT OF the INTEL CHIPSET!
APK
P.S.=> It's only a SMALL PART of what's in the security guide but it works vs. this threat even IF you have a vulnerable machine w/ the BIOS defaults set "on" for this to work in the 1st place - but rest assured - BOTTOM-LINE: I read & appreciated YOUR posts about it (I thanked you for it under your registered user account "Ungrounded Lightning", unless HE TOO was doing it (he was))... apk
TLDR: "We have reason to fear that the undocumented master controller inside our Intel chips could continue to be a source of serious vulnerabilities in personal computers, servers, and critical cybersecurity and physical infrastructure."
This has been known for years.
People have been saying it for years. Probably the EFF has brought it up before, too.
This will have no impact. The only thing that will have an impact is a security catastrophe that probably makes the recent ransomware outbreaks look like a pop gun. And it very well might happen if these systems are as powerful as believed. So far as they're concerned it's probably just another tool that Intel and application programmers can use to try to wrest control of general-purpose computers away from the public and into the hands of large corporations and the government.
Namely the vPro and selected Xeon chips that were marketed to business users at extra cost. You had to pay extra to get these features on the chip, so most chips sold to individual consumers didn't come with them.
I agree it's abysmal to know most Intel and AMD chipsets are compromised in this fashion, but it's time to hold your NSA overlords accountable or get over it. Tough titty, it's there... deal with it. Shit or get off the pot. Now for that Ford Fairlane line again... "Hey Ford! This shit is gettin' old man!" Ahh Morris Day, you're the man.
Yeah, ok. Whatever. Your solution to a possible problem is to move to Chinese chips. Because that's a country that believes in your privacy and security.
GTFO you moron.
lkcl, is that you?
This is about the dozeneth story in the last couple weeks talking about features as if they were bugs.
The Intel Management Engine is a FEATURE, not a BUG, and it is not a THREAT. It is there for corporate users to effectively manage their assets. Your work-issued laptop is not yours, and your employer has every right to monitor your activities. They can do so BY DESIGN. This is not a BUG or a security THREAT.
Believe it or not, YOU are a bigger security threat to your employer than ANY IT asset.
The Chavistas need to shut the fuck up about this "feature is a bug" nonsense.
Luck is the best defence? Wtf are you smoking?
My TRON program should take of the Master Control Program, and shut that right down.
If telephones are outlawed, then only outlaws will have telephones.
The AMT threat uses ports 16992-16995: Blocking them @ router firewall perimeter means it can't talk in/out stupid https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22ports+16992-16995%22+and+%22AMT%22&btnG=Google+Search&gbv=1/
* Lots more than just Symantec 2nd'ing me...
APK
P.S.=> You FAIL, you FAKE NAME online fool for your FAKE LIFE, lol... apk
outdated, now it's:
yum install nsa-backdoor gchq-backdoor
Get with the times, neckbeard!
"First they came for the slanderers and i said nothing."
The Management Engine is the most important tool for Timmy Cook and Apple Ink to wage absolute control on Intel chip sets in all Apple Ink computer-based products.
To persuade Intel from any changes to the Management Engine, Timmy will wield his $300 Billion housed in Chinese Communist Party Banks in Beijing, Shanghai and Hong Kong and his $212 Billion housed in Mafia controlled banks in Ireland, Italy and the Netherlands.
Challenge to the EFF. Do you accept?
outdated, now it's:
yum install nsa-backdoor gchq-backdoor
Get with the times, neckbeard!
+1 Unintentionally Funny, given that yum has been deprecated in favor of dnf in newer distros.
Shit, I better trim my beard now that I made that simple mistake!
"First they came for the slanderers and i said nothing."
With all the surveillance, wars, torture, espionage, hacking, breech of privacy, a looming police state, probably instilled by USA, the future is so to speak ruined for me, not trusting my own country anymore, and it seems to me that an era of people on this planet, has been fucked with, and there would be no way to simply apologize for it, given the willful nature of politics.
I mean, I can't help but think that there is over a decade of abuse, and wanting to reel that stuff back just won't do it for me.
AMD has a similar feature.
On AMD, it's called IPMI.
The difference is that IPMI is a vendor neutral industry standard (and could be found on chipset of any vendor),
whereas Intel's ME is their own "NIH-Syndrom" spin of the same concept.
The difference is that IPMI is considered a "special feature", and can only be found on specific server/workstation chipsets.
The AMD 990FX doesn't feature this micro server.
You need to order specific workstation motherboard from manufacturer such as SuperMicro.
(You know, the manufacturer with such a filmsy UEFI implementation, that the FlashROM can randomly commit suicide when you simply add a boot option).
Or from manufacturer of servers (HP, etc.)
the FSF warned about these backdoors in both Intel and AMD CPUs a while ago. I think the said the last processor made without this "backdoor" was an AMD processor made in 2011.
Huh.... no. Wrong.
For the record : both Intel's ME and industry standard IPMI live inside the motherboard chipset, not inside the CPU.
(i.e.: they live where they have access to all the critical component to function : network card, embed GPU's framebuffer, etc.).
On AMD's side, IPMI is *still* only featured on server chipset. Again, there's no IPMI in gamer-oriented chipsets such as 990FX. /.ers : the tower under their desk in their basement geek-cave is safe. It's the server at work at their day-jobs.
So for most AMD-powered
On Intel's side ME is much more widely spread even on normal desktop chipset (the idea is to make the life of sys admins in enterprises easier).
Tehcnically it's not much a "backdoor" (i.e.: something hidden) as it is a "maintenance entrance" (i.e.: makes the life of the sysadmin easier so he can remotely VNC and diagnostic a server that won't boot, flash computer's firmware UEFI/BIOS, etc.)
The problem is that the quality of this small server is horrendously bad. To the point that any motivated script kiddy can pwn all the workstations and servers across the whole enterprises network easily, simply by downloading some ready to use package.
(Luckily, most of the ME and IPMI implementation only listen to the secondary network port, and thus should be only visible on the private administration network. The bad news is that pro laptops also have ME and that can be enabled on the *WIFI* network)
So to keep with the above metaphore, ME and IPMI are a "maintenance access" door, which actually isn't even locked, but whose whole security boils down to a small sticky note say "please, sysadmins only".
Life would have been much more easy if the ME / IPMI firmware running on the embed system was open-sourced....
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
IPMI and TrustZone are 2 entirely different concepts.
IPMI is a separate full blown soc that run a micro server offereing a web interface for admins and a java-based VNC
(AMD's equivalent of intel'sME/AMT)
TrustZone is about having a separate core that handle a couple of security tasks that, by purpose, need to be shielded from CPU activity.
namely handling private keys
(it's cousin of Intel's Trusted Platform).
IPMI is the scary one, because it has full access to tons of critical component (network, framebuffer, firmware settings, etc.) even it the main CPU is shut down (it's a full blown independent server inside a dedicaded SoC on the motherboard, usually inside the chipset)
TrustZone basically only handles key signing/encryption/etc. so isn't that much critical.
Same goes for Intel's ME vs Trusted-whatever-its-called now.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
As a member of the audience, if I am going to be buying a chipset then who do I buy it from if I want to talk with my wallet? Aren't Intel and AMD pretty much the only games in town?
Go buy a motherboard with gamer-oriented AMD chipset.
On AMD's side, IPMI (the industry equivalent of Intel's ME) is usually only available on chipset targeting the server/workstation market.
(i.e.: you'll find IPMI on motherboard by SuperMicro. Not on those by ASUS/GigaByte/etc.)
And the best move would be to start coordinating petitions to ask for the opensourcing of the small OS and server running on the chipset's embed core.
(AMD is rather opensource firendly so they might step in and try help push forward a "open IPMI" initiative).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
thanks to H.265/HEVC videos.
Problems are patents.
There exist *several separate* patent pools, and a few extern patent holder.
So paying the IP rights for H265/HEVC is nightmarish patent minefield.
So most manufacturer end up NOT enabling hardware H265/HEVC.
Thus you end up with VLC doing the work on your CPU.
Luckily things are very likely to get better soon with AOMedia's AV-1
(similar to other opensource efforts as OPUS, Vorbis, etc. it's designed to be patent-free)
(and its has all the big names behind it - including Google and Netflix, i.e.: most of the content watched only - but also hardware manufacturer, etc.)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
But there was a company that made the Vortex86 CPU (using tech that had fallen out of patent I believe. Newest models were only 686 last I checked.)
Anyway, I've been having a discussion about this for the past couple of months with friends: mouser.com has PCIMG 1.0 and 1.3 backplanes available (intended for industrial systems where you might want to replace the CPU/memory board without having to pull all the installed peripheral cards, for low uptime replacement turnaround (except in the event of backplane failure.)
The point made was: these backplane boards can be had for ~40 (PCI/ISA PCIMG 1.0) up to 600 dollars (latter being a PCIMG 1.3 12 or 18 slot PCIe board with a 40+ lane PCIe bridge chip connected to either one or two x16 PCIe buses off the CPU board.)
While companies like lowrisc are ignoring the desktop market with shitty embedded chips that don't compete on price or features with either an arduino, or a RaspPi, we could be funding a series of single board computer designs (even if we had to use ARM, or older Via, or other non-management engine/trustzone CPUs, with the only concerns being 1-3 peripheral busses (PCIMG 1.0 is PCI/ISA plus a molex, PCIMG 1.3 is PCI(-X?) plus 2x PCIe x16, either 1.0 or whatever the SBC supports if a passive and sufficiently designed backplane.) talking to the devices you plugged into your backplane, which handles the PSU connections, powering the peripheral devices, and either via backplane connector, or molex plugs, powering the SBC which in turned interacts with peripheral cards plugged into the backplane.
Much cheaper (from a non-mass market commercial perspective) than designing modern PC motherboards with everything integrated, limits the amount of engineering required for us to get a system running, allows the benefit of reasonably cheap peripheral devices already in existence without a difficulty in sourcing an appropriate motherboard/embedded SBC (RaspPi style, not an actual backplane SBC like I discussed above.)
Doing this would also allow easier device driver regression testing against multiple cpu architectures and device platforms, since everything bus-level would be the same from the SBC to the devices, leaving only architecture specific glue logic to be abstracted to ensure drivers function correctly.
Having said this: PCIMG standards are not free (although I believe they state usage of the standard is royalty free, although patents would still apply for PCIe and later revisions of PCI, making the PCIMG 1.0 boards a better starting point for cheap, open source, patent unencumbered SBC designs.)
Starting from here we could once again retake personal computing for the common man (and specifically us security conscious nerds who have been railing against these things for the past 8 years, 15ish years (Palladium) or 20ish years (Clipper). The compatible PC architecture that made x86 worth staying on is long since past. Windows 10 is showing the waning of Microsoft as a must have operating system/gaming platform. Intel has let MBAs overcome them and been unable to keep their manufacturing lead over their competition, while also hemorrhaging the designers necessary to have better technology than anyone else (Honestly this was always BS, but they used to have the right software/hardware guys to pull a Scotty and make it all seem to work, at least long enough to limp the Enterprise back to the bank... Sadly scotty has been replaced by an alien redshirt engineer who just doesn't have the chops to perform miracles. Combined with shadowy government expectations and the great Federation has left the Enterprising waning, as other ships struggle to overcome it and gain the spotlight. My analogy is starting to dwindle, but the point is the same: Wintel no longer offers an advantage over the competition. The competition no longer offers an advantage security and consumer friendliness-wise to warrant our support or purchasing. The only thing we can do now is take our free market votes and since nobody in the market is proving what we want
Now "yum" is an alias for "dnf" on those systems. The command works fine.
Now, "pip install", *that* is a problem. It's even worse than "cpan install" was, since pypio.org actually publishes different binary tarballs with the same name whenever a developer feels like updating a release in place. It's almost as much fun as the various Java built tools, ant, maven, and gradle, that randomly seek out binary modules from who knows where to compile them without source code into your local working environment, and provide no usable provenance on where the modules came from
Secondly IPMI style functionality is a small subset of what Intel's IME does.
It's still a small separate SoC, which runs its own small operating system, webserver and java-based VNC solution (which already implies TONS of access),
and is connected and listening to the network constantly, even when the main CPU is completely shut down (or even unable to boot) (which was the entire purpose of this kind of system).
In practice the code quality of the system running on this chip is still so awefull that, it's still vera pwnable.
- Thirdly AMD's equivalent is the PSP, which just like IME is in every Intel chip, PSP is in every AMD chip.
- Fourthly the Trust Zone functionality in AMD's PSP seems to go even a step ahead
From what I've understood, all these various "Security Processor" mainly deal with storing private key in a secluded part of the system.
They're mainly handling cryptography-related questions.
They don't have a networking stack (and could not be listening on the network even if the CPU is unpowered, they *are* part of the CPU).
Except libreboot's rant about them, I haven't seen yet any concrete proof that they can - by themselves - handle anything more nefarious than "store private key inside, perform signature and encryption/decryption if provided with the correct PIN".
In marketing material, they seems to be attached to wild possibility (remote wiping stolen computers), but there's evidence that these kind of functionality require coordination between multiple component, and the security processor's role boils down "contains the crypto key to the data saved on the mass storage device". They actual communication of the remote command require kludges in the UEFI / IntelAMT / IPMI.
Even TFA specifically speaks about the security hazard contained in *the chipsets* (not the CPU).
But I haven't been *actively* investigating these capabilites.
so maybe recently, Intel and AMD have discretely been moving extra functionality into their secure processors
(network access, full memory r/w access, always-on even when the main CPU is turned off, etc.)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
See subject: Per research AMT/Intel Mgt. Engine uses ports 16992-16995 https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22ports+16992-16995%22+and+%22AMT%22&btnG=Google+Search&gbv=1/ & in my case? I only allow 80, 8080 & 443 here on a SINGLE stand-alone system (that's it per my security guide I was paid for 11++ yrs. ago based on the highly esteemed CIS Tool who took security fixes from me to their ware too no less https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/
* Of course, you must also be CERTAIN your router's internal ware is "solid" as well (turn off things like UPnP etc. also outlined in said guide 2nd link above) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/ )
APK
P.S.=> Good luck - as it's the BEST DEFENSE vs. this threat by stopping it being able to communicate in/out period, outside of the INTEL chipset, & stopped external to it via a router/firewall hardware... apk
Ah good news, it would be no help as another technological footnote like Vorbis & Theora.
regarding Vorbis : back in the days it did see some success. By virtue of being BSD-like licensed (i.e.: a permissive license) it was used to compress audio in several game engines (e.g.: at ID starting from Quake3 and up). Also Spotify apparently used it on their app, at least for some time.
regarding Theora : Google used it on Youtube as a possible alternative, so still some use.
But yes, both pale in comparison with OPUS (the offspring of Xiph and Skype collaboration) which incredibly widespread (again permissive license AND best quality in A/B/X tests AND patent free), seems like any modern communication application uses it : it's used for WhatsApp, Skype (well obviously), etc. but also even in some un expected places (Digital Radio Mondial - the digital success of AM Radio, same relationship as DAB+ to FM Radio - supports OPUS. It's not in the official specs, but the major software suite all have ways to use it).
And again the number of AOMedia members is impressive, so it's clearly going to be a success.
The things which changed in the recent time :
- Patent real-word problems: Frauenhofer was some pain back in the MP3 era (hence some in the wild usage of Vorbis). During the MPEG4 AVC / H 264 era, a nice single central patent pool made the things not that much difficult. Theora was a nice concept or patent-free-ness, but in practice there wasn't much difficulties in obtaining the necessary license. Nowaday H265 / HEVC is pure madness. To the point that several hardware manufacturer have backpedalled and we currently see a *decrease* of device manufactured with H265 support enabled. There is definitely room for a patent-free / freely licensed codec.
- Quality : Vorbis was a provably better than MP3 back then (hence tiny better success in the wild). But Thoera was just a repurposed old codec from On2 (VP3) that just got opensourced, not much more arguments going for it.
Compare the situation nowadays with OPUS which completely blasts everything in ABX tests except for the ultra-low-bandwith ( 4 kbits) which are beyond its scope anyway.
Currently AV-1 is the offspring of the Daala efforts of Xiph (and there's some really interesting idea going in: perceptual vector quantization, chroma-from-luma, lapped transforms, rANS entropy coding, etc.), Google's VP10 (now we are several generations down) and Cisco's thor.
Even at the current state of development, it's already showing promises.
So yeah, big thing are in the making.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Having a system within the system that can't be turned off is an issue, especially with lack of documentation. Leads to all sorts of conspiracy theories, some of which are even plausible. But: it *can* be turned off when the system is down, preventing any postulated exfiltration of data during standby. Just turn off the power external to the system. Put it on a power strip you can switch off. Turn off the UPS. Etc. No power in = no standby power. Good for your power bill too. Won't work on a laptop, of course, unless you're willing to pull the battery. Or do Intel/AMD have a tiny battery in the CPU to keep the ME running, too? THAT would be troubling if you could find it.
The late-production Core2 CPUs don't appear to have this, or if they do the Intel detection software can't find it. A Core2 Extreme runs Win10 quite well.
Will that CPU chip include China's Great Firewall as a feature too?
You're funny. But seriously you don't need to do that. It is pre-installed in your machine and would phone home even if you're on Linux or Windows. It doesn't care what OS is running on the main x86 CPU, because IME/AMT OS is running in an ARC CPU.
See subject: Don't put words in my mouth I never said - show us where I said "hosts cure all", ok? You can't. I never have.
In fact, I've ADMITTED, & in a +5 INFORMATIVE RATED POST, a thing hosts CANNOT STOP (BGP exploit) before http://tech.slashdot.org/comments.pl?sid=1901826&cid=34490450/
Thus PROVING YOU WRONG w/ concrete, undeniable & VERIFIABLE proof - go away, moron - quit stalking me via your bullshit UNIDENTIFIABLE anonymous posts you loony weirdo!
APK
P.S.=> This is 1 time routers are best albeit only since they're OUTSIDE of the influence of the local system w/ INTEL AMT on it & can block this going in/out because routers/modems are external to the PC - but again, UNFORTUNATELY, as I also noted? ROUTERS ARE LOADED w/ SECURITY ISSUES https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/ & that's FAR from a COMPLETE & CURRENT list of those security issues routers have... apk
This thoroughly evil Intel backdoor is also a problem for low latency - every so often, the response latency just gets blown to hell and there is nothing that can be done about it, except switch to a different chip. It is high time Intel came clean about it. Just pure evil, nothing less. Can't say anything good about this, or about the idiot PHBs that came up with it.
When all you have is a hammer, every problem starts to look like a thumb.
This is an interesting product but it uses ARM, that is not completely open. Yeah they supposedly dont have a management engine of any sort yet but it's still not "open" like they claim.
If you connect your remote management IP address to the internet, you deserve everything you get.
Mine are on a separate VLAN with no connectivity to the internet and only one workstation can get through the firewall.
right again
Incorrect. The ARM processor they're using was specifically chosen because it has GPL-compliant code available, for all components except the GPU/VPU, and those non-free components will be disabled on the products they offer that are FSF certified to "respect your freedom".
https://www.crowdsupply.com/eoma68/micro-desktop/updates/picking-a-processor
https://lists.gnu.org/archive/html/libreplanet-discuss/2016-06/msg00212.html