Intel: We've Found Severe Bugs in Secretive Management Engine, Affecting Millions (zdnet.com)
Liam Tung, writing for ZDNet: Thanks to an investigation by third-party researchers into Intel's hidden firmware in certain chips, Intel decided to audit its firmware and on Monday confirmed it had found 11 severe bugs that affect millions of computers and servers. The flaws affect Management Engine (ME), Trusted Execution Engine (TXE), and Server Platform Services (SPS). Intel discovered the bugs after Maxim Goryachy and Mark Ermolov from security firm Positive Technologies found a critical vulnerability in the ME firmware that Intel now says would allow an attacker with local access to execute arbitrary code. The researchers in August published details about a secret avenue that the US government can use to disable ME, which is not available to the public. Intel ME has been a source of concern for security-minded users, in part because only Intel can inspect the firmware, yet many researchers suspected the powerful subsystem had bugs that were ripe for abuse by attackers.
Ain't that about a bitch? No big shock here
of how well "security by obscurity" works.
I want my C64 back. I want hardware I can understand and software I can control. Fuck this modern bloated 4 gigabyte web browser tab horseshit with thousands of people mashing their keyboards randomly and millions more observing my private data.
Are we just to assume that they're effectively obsolete and have to purchase new "patchable ME" CPUs that are probably just putting a newer, more secure back door in?
That Intel allowed remote access on cheaper motherboards where the customer did not pay for the feature.
Going out on a limb here.... while Intel claims the problems affect the 6th, 7th, and 8th gen processors, I bet they probably didn't bother testing or auditing earlier systems. Hasn't ME been around much longer than that?
Really, this ought to be factory disabled by OEMs and only shipped enabled to large corporate customers.
FFS give me a list of impacted hardware. Or is it EVERYTHING? Should I just be using a RaspPi until this mess is sorted out? Oh wait I have to run a tool. Why should I trust Intel code on my system again? Here's a better way to secure a system: Don't have code run below the OS, CPU, and Memory!
As can be nicely seen, not only do back-doors allow people in that you do not really want to let in (Intel, the NSA), they often have serious flaws that let everybody else into your machines as well. The only sane and secure design is not to have any back-doors in the first place.
Since Intel now has a ton of egg on their faces after their announcement, I expect we have a really, really serious problem now as long as the ME stays active in any significant number of computers. Otherwise they would just have tried to sweep this under the rug, but it seems to be that the insecurity of the ME is far, far too bad for that.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Seriously glad I have older Intel CPUs that are not affected. The only one is my Skylake laptop but given this is a hardware attack not OS attack this is pretty serious because you can be running Windows or Linux and be affected.
...and very difficult to patch?
I do not like the ME, but at least this is local access exploit only:
would allow an attacker with local access to execute arbitrary code.
To be fair, a local attacker can pretty much always gain access to your system, ME or no ME. A simple HW keylogger is ample and most people would never notice.
So you HAVE to keep your hardware secure if you want the data to be secure. That is still true with the ME. I will be much more worried if there is a remote exploit.
This is exactly why these features should be extensively documented and people should be able to run their own dam code on them.
That way it can be disabled and it isn't some great surprise when you get hacked because intel thought it was a good idea to host a facebook page from a secret processor in your machine.
More importantly has there been any independent verification of chips from others? Intel has been doing it for years. Employees, senior developers and managers routinely leave one chip company and join other chip companies. This idea must have metastasized by now and the dispersed cells must have established new locations to grow.
Are you really going to trust any statement from the management of Samsung, of all companies? Heck, I can't even trust German companies after Volkswagen.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Intel has severely compromised their future.
How could anyone dig their way out of this mess?
( Glad I dumped my stock! )
Raspberry Pi has firmware running in it that you don't have access to either. I say this not to excuse Intel but to point out that Raspberry Pis are not necessarily safer.
The CIA thinks it gets to have its hands into everyone's computer.
They don't.
Corporatism != Free Market
Are you shilling for Broadcom here? What makes you think their black box is any more secure?
Forget Intel chips, use AMD
The USA has NEVER been a Democracy, never. That's just a fact, it's a republic, there's a difference.
Haven't seen this mentioned anywhere, but I assume this "feature" is also enabled on Intel-based Mac computers?
Somebody bring me my fainting couch. Security through obscurity never works.
The US is a corporate kleptocracy similar to Fascism but with less government control.
I don't read your sig. Why are you reading mine?
The US is a republic. We have always pseudo democratic processes to choose our leaders.
Lighten up. It was just a joke.
https://unix.stackexchange.com/questions/405783/why-does-man-print-gimme-gimme-gimme-at-0030
OK. It's there and it's not going to just disappear, sooooo, is there any way to root it and use it ourselves? Who wouldn't want to turn a dual-core into a tri-core (or even just a dual and 1/2 core)?
Yeah, let's allow some shitbox knockoff CPU manufacturer in China to backdoor our chips instead of Intel.
You're one stupid piece of shit, you know that? Is the POTUS on Slashdot now?
The kind where the user can take control of his machine against the wishes of its maker? Yeah, that's a nasty one, fix that immediately!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Intel has a way to update the management engine firmware for your security, but it just also happens that the update makes it impossible to disable via methods some have recently discovered.
Why do you care what they think? We The People have known that we can't audit this stuff for years and we didn't care, so it's kind of weird to expect Intel to be mad about it or something.
Voters disagree. I'm not saying you're wrong, just that most people disagree with you, so your views are incompatible with democracy. You might want to ease down on this anti-democracy talk and maybe consider a position that voters in a democracy would support. We The People think you democracy-promoting people are very undemocratic and we are all constantly working to drop a nice, warm, new pile of shit on you every two years.
Intel Backdoor Inside (TM)
The US is actually both. We get to vote on our government which meets the minimum criteria for a democracy. Just because we have representatives who run the government doesn't make us not a democracy.
> Intel [...] is on a path to bankruptcy.
lol. because they enable government agencies to spy on us? have you been paying any attention to who has all the money?
- For the complete works of Shakespeare: cat
>"Sorry but Fascism is a socialist ideology"
the definition of fascism is "rule by corporations"
trying to conflate socialism with marxism just makes you an a55licker to power. suck that a55, fvcking shill
The USA has NEVER been a Democracy, never. That's just a fact, it's a republic, there's a difference.
Agreed. One results in continuous expansion of government power, while the other results in continuous expansion of government power.
Stop Intel AMT/ME easily... apk
See subject: Stop its ability to send info. outward via router port filtering ala ports 16992-16995 + 623-625 that Intel AMT/ME uses so filter those ports in a modem/router external to OS/PC. Intel ME/AMT operates from your mobo but has NO CONTROL OF YOUR MODEM/ROUTER!
(This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)
Additionally, once you disable the AMT engine's software interface (ez via software these articles note)? A malware to 'repatch' this = impossible (bios updaters require it in usermode ware, e.g. ASUS).
(I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))
HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" as well (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/
* GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones do not)!
APK
P.S.=> Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, from OUTSIDE of the INTEL chipset external to it via a router/firewall hardware... apk
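An added example, not part of the comment above or of any vendor tooling: a Python check that scans router firewall logs for traffic on the ports that comment names crossing the WAN interface, which is one way to confirm such a port filter is actually in effect. The log format (netfilter LOG lines), the interface names `eth0`/`br-lan`, all addresses and the extra port 664 are assumptions made for this sketch.

```python
import re

# Ports named in the comment above: 16992-16995 and 623-625.
AMT_PORTS = set(range(16992, 16996)) | set(range(623, 626))
# Added assumption, not from the comment: 664 is IANA-registered as the
# TLS counterpart of 623 (oob-ws-https), so it is watched as well.
AMT_PORTS.add(664)

# Key=value fields of a netfilter LOG line that matter for this check.
FIELD = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")

# Constructed sample log; eth0 is assumed to be the router's WAN side.
SAMPLE_LOG = """\
Nov 21 09:14:02 gw kernel: FWD IN=eth0 OUT=br-lan SRC=203.0.113.7 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=51514 DPT=16992
Nov 21 09:14:05 gw kernel: FWD IN=br-lan OUT=eth0 SRC=192.168.1.20 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=40112 DPT=443
Nov 21 09:14:09 gw kernel: FWD IN=br-lan OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 LEN=52 PROTO=TCP SPT=16993 DPT=51514
Nov 21 09:15:30 gw kernel: FWD IN=eth0 OUT=br-lan SRC=203.0.113.50 DST=192.168.1.20 LEN=48 PROTO=UDP SPT=40000 DPT=623
Nov 21 09:16:11 gw kernel: FWD IN=br-lan OUT=br-lan SRC=192.168.1.5 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=50222 DPT=16992
Nov 21 09:16:40 gw dhcpd: DHCPACK on 192.168.1.20 via br-lan
"""


def find_amt_flows(log_text, wan_if="eth0", ports=AMT_PORTS):
    """Return (direction, proto, src, dst, port) for WAN-crossing AMT traffic."""
    findings = []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not {"IN", "OUT", "SRC", "DST", "PROTO"} <= f.keys():
            continue  # not a firewall log line
        if f["IN"] == wan_if:
            direction = "inbound"
        elif f["OUT"] == wan_if:
            direction = "outbound"
        else:
            continue  # LAN-internal traffic never reaches the WAN filter
        # Destination port catches connections to a listener; source port
        # catches the listener's replies leaving the network.
        for key in ("DPT", "SPT"):
            port = f.get(key, "")
            if port.isdigit() and int(port) in ports:
                findings.append(
                    (direction, f["PROTO"], f["SRC"], f["DST"], int(port)))
                break
    return findings


if __name__ == "__main__":
    for hit in find_amt_flows(SAMPLE_LOG):
        print(hit)
```

Any hit means a packet on one of these ports was forwarded across the WAN boundary, so the filter is missing or incomplete; a client that happens to pick one of these numbers as an ephemeral source port will also show up and has to be ruled out by hand.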
It's well-known that the USA is a republic, but why do you say that it is not a democracy? The concepts are definitely not mutually-exclusive, you know. In fact, one of the most iconic forms of republic is the "representative democracy", which also happens to be a democracy. Guess which type of republic the USA is.
Great, now there will be no chance of disabling this bullshit. Once Intel patches up all these bugs there will be slim chance of using any of the exploits to find a way in to and disable the IME.
Sure the older platforms may still have a chance, until BIOS updates, or driver updates go out to update the IME. Hopefully the IME doesn't phone home to pull updates. But you know the new platforms that come out will have all these exploits sealed up.
Hahaha
Or someone installs a separate malware with virtual USB device to take advantage of said ME flaw.
Firmware cleaning won't work because the malware can simply lie about a successful installation.
Boom, enjoy your worthless motherboard.
...where I run CentOS and Firefox. I'm not trusting any sensitive personal data to Intel until I get easy tools to remove the ME.
I wish Oracle would put out a "Raspberry-Pi" class of the SPARC T2. The design is open and can be trusted.
Security by obscurity is crypto with closed source (obscure) code. No way to audit or check.
More transparent security is with open source crypto algorithms.
The algorithm is known to every one...but the key that runs through the algorithm with your message is secret.
Big difference Ubetcha. Yep ... a Demos lets Bantus parasite bling ... lets savages vote ... trashes whitemans paradise for mudville guilt. Shitsville. OTOH a just republic having first blundered into slavery repents ... pays restitution vis Bibical rules ... then steamships them back to jujuland. Lives happy ever-after. Big difference eh pad'res ?
brought to you by your local 3 letter agency. this is just limited hangout after they get outed
Maybe so, but the isolation options are not very well-engineered yet. You have to be an IT guru to even have a shot at getting Qubes to work properly, and Purism has their head so far in the clouds it is not known if they can deliver a workable, long-term support plan for their products. What we need are engineers to take compartmentalization and make it easy and default in mainstream builds.
Two thumbs WAY down for Intel pulling this shit in the first place.
One thumb sorta up for them admitting they have bugs in said shit.
This is why I only buy my chips from the Russians and Chinese.
The govcode/malware is installed directly by the manufacturer.
One wonders how fast computers would be if they were not running other priority tasks at all times.
Give everyone tools to shut this crap down or we will never buy shit from you again.
Signed,
Everyone
"choose" ... with a convoluted process where one's vote does not carry the same weight as someone else's. ... going around a few obstacles making it very difficult for many people to vote
"choose"
"choose" ?
Who do you think has the power in the end ? ... sorry, I meant lobbies the politicians ?
_ The people ?
_ Whoever corrupts
Irrelevant news and morons using moderation to mod down what they disagree on. 2018 resolution: so long.
US should be a republic, which means the rule by constitution. In fact US is more or less democracy, which means rule by zeitgeist. Fascism btw is a form of socialism, where individual property rights are non-existent, and production is delegated to government selected corporations with no competition or freedom of entry to the markets.
http://www.templeos.org/ToPuni...
Heed Terry the Terrible's Edict!!!
Brian Richardson directly challenged authority of King 11/18/17. Gets a beating for stupidity. 11/18/17 NIST at 17:20 hours
APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/
Ads/script/malware rob speed/security/privacy/bandwidth.
Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).
Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!
Avoids DNSChangers in routers/IP settings & dns redirect (99++% of ISP DNS != patched vs. it) + DNS tracking & lighten DNS load & resolve faster from local RAM!
* Via what u NATIVELY have in a FASTER kernelmode IP stack (does more w/ less).
APK
P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/ (self checking vs. infection of it built-in)
> The researchers in August published details about a secret avenue that the US government can use to disable ME, which is not available to the public.
Besides that obscure processor RMS talks about (Loongson, after a quick search), what options are left if someone is mandated to have secrecy (e.g., people on other countries' IRSes) or just want to avoid having his/her equipment taken hostage?
Intel is out, AMD is out, what choices are considered reasonably safe? I remember hearing about smart phones having similar surveillance, but was it at the CPU level?
It was 11 *categories* of bugs, most of them with multiple occurrences.
And hasn't been for about 2 years now.
There is a mostly open source firmware built on top of the VC4 core that can initialize everything except for the GPU display hardware and some other things. It DOES initialize serial, and the ARM cores however, and I believe had USB working last time I looked. Since it is running on the VC4 you could run custom GPU code on it, but it unfortunately lacks the display output initialization needed for non-console/network display. On the OTHER hand, if you wrote suitably secure code (since the VC4 does NOT have an MMU, and has full hardware level access to all RAM in the system.) you could use it as an encryption acceleration processor to free up the main ARM cores for general purpose processing loads, and even run OpenCL threads on it with some compiler/library support.
It is too bad they don't have a high speed bus interface, or they would actually make an excellent low end open source GPU replacement for PCI/PCIe systems now that both Nvidia and AMD GPU hardware is locked up as tight as Intel and AMD's (Mis-)Trusted Execution Cores..
So most of these bugs rely on local access. This seems to mean executing code locally, rather than physical access. But what kind of privilege is required to exploit the vulnerabilities? Can only privileged, ring 0 instructions do this, e.g. by writing to the ME over HECI, or can any old unprivileged instruction run by any old process do this? "Unspecified vector" isn't gonna cut it, but I don't know enough of the internals of the IBM PC architecture, much less modern Intel architectures, to know if there are even any *possible* ways to interact with the ME short of using privileged I/O.
This is the difference between this being an irritating show of Intel's security, and an extreme, unmitigated disaster a la rowhammer.
No there isn't ya dumb shit. A republic is a representative democracy by definition. Check a dictionary before you haul out that silly talking point again.