Researcher Finds Another Security Flaw In Intel Management Firmware (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Meltdown and Spectre are not the only security problems Intel is facing these days. Today, researchers at F-Secure have revealed another weakness in Intel's management firmware that could allow an attacker with brief physical access to PCs to gain persistent remote access to the system, thanks to weak security in Intel's Active Management Technology (AMT) firmware -- remote "out of band" device management technology installed on 100 million systems over the last decade, according to Intel. [T]he latest vulnerability -- discovered in July of 2017 by F-Secure security consultant Harry Sintonen and revealed by the company today in a blog post -- is more of a feature than a bug. Notebook and desktop PCs with Intel AMT can be compromised in moments by someone with physical access to the computer -- even bypassing BIOS passwords, Trusted Platform Module personal identification numbers, and BitLocker disk encryption passwords -- by rebooting the computer, entering its BIOS boot menu, and selecting configuration for Intel's Management Engine BIOS Extension (MEBx).

If MEBx hasn't been configured by the user or by their organization's IT department, the attacker can log into the configuration settings using Intel's default password of "admin." The attacker can then change the password, enable remote access, and set the firmware to not give the computer's user an "opt-in" message at boot time. "Now the attacker can gain access to the system remotely," F-Secure's release noted, "as long as they're able to insert themselves onto the same network segment with the victim (enabling wireless access requires a few extra steps)."

87 comments

  1. Firmware vs hardware by ArtemaOne · · Score: 3, Insightful

    Totally different things. I imagine they find software and firmware vulnerabilities all the time. Hardware is difficult to patch around, and obviously comes with the notable performance hit.

  2. Seems like nothing good come from Intel nowadays.. by ELCouz · · Score: 2

    I hope heads will roll...but like always...never happens! I could even imagine increased sales for the new generation of Intel processor with the Meltdown flaw fixed. smh

  3. I christen thee by Anonymous Coward · · Score: 0

    "Chipjack"

    1. Re:I christen thee by Anonymous Coward · · Score: 0

      and I christen thee "idiot"

      This is as much of a "flaw" as not setting a BIOS password.

  4. WOW.. Darn.. by Anonymous Coward · · Score: 0

    From A high Level It seems Intel Is starting the year severely Skrewed.. Oi'vie

  5. Peak Computer by Anonymous Coward · · Score: 0

    They have become increasingly user-hostile. Superfast rootkit and advertising platforms. It wouldn't be so bad if this crap could be flushed out like the ol' Windows 98, but now they come with layers of "protection" baked into the silicon that does nothing to protect you, and everything to protect the corporate marketshare.

    What a sad end for general computing.

    1. Re:Peak Computer by Anonymous Coward · · Score: 0

      The stupid. It burns.

    2. Re:Peak Computer by Anonymous Coward · · Score: 0

      Except for being able to go into BIOS and disable AMT.

      Or provision it yourself with no features enabled and set a password, preventing anyone else from being able to change the config without your password.

      OH, THE TRIALS AND TRIBULATIONS THAT MUST BE GONE THROUGH IN ORDER TO PREVENT THIS. It's called "configuring your PC."

  6. move on...requires physical access by kiviQr · · Score: 1

    If you have physical access you can do anything...

    1. Re:move on...requires physical access by CanHasDIY · · Score: 2

      If you have long term physical access you can do anything...

      FTFY. By the sound of this flaw, the amount of physical access needed is negligible.

      Think about all the times you step away from a live PC every day; if the amount of physical access needed is trivial (say, 2 seconds to plug in a flash drive and let a script run), a bad actor masquerading as the maintenance guy could easily compromise every machine in your office in the time it takes to get a fresh cup o' Joe.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    2. Re:move on...requires physical access by Lunix+Nutcase · · Score: 3, Informative

      Not if the system wasn’t left open with a weak password default.

    3. Re:move on...requires physical access by AHuxley · · Score: 1

      Recall the TAO CPU logo slide from the https://leaksource.wordpress.c... and the role of Tailored Access Operations.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:move on...requires physical access by green1 · · Score: 2

      Do you require a password to log in locally? If so, why? After all, if someone has physical access they can do anything anyway, so why bother?

    5. Re:move on...requires physical access by HiThere · · Score: 1

      To me it sounds more like 5 minutes to half an hour. But it also sounds as if there is no recovery.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    6. Re:move on...requires physical access by Anonymous Coward · · Score: 0

      But it also sounds as if there is no recovery.

      For the computers I have at work, the following manufacturers allow you to reset the ME from the BIOS:
      HP
      Lenovo (late 2010's only; I don't know about the later versions)
      Panasonic

      However, if you leave your BIOS unprotected and the bad actor also adds a BIOS password to it, configures it to not honour the CMOS reset jumper (or, in the case of the 2010's Lenovo, saves the BIOS settings in a flash chip), you are screwed.

    7. Re:move on...requires physical access by DeBaas · · Score: 1

      If you have physical access you can do anything...

      In this case if you have physical access you can enable remote access and hide it. Anyone that handled the system before it arrived at your site and was placed in the rack could have done that.
      Obviously it can be remedied by disabling it yourself, but I'm pretty sure not many companies are already doing that.

      --
      ---
    8. Re:move on...requires physical access by MachineShedFred · · Score: 1

      Or you could just have the IT guy provision it when he does all the other crap to the machine before it's deployed, and it's no longer a concern. Also, in addition to being immune to this "flaw", you get the remote administration and monitoring advantages of AMT! How about that!

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    9. Re:move on...requires physical access by MachineShedFred · · Score: 1

      So what you are saying is that if you set up a PC for security, you shouldn't half-ass it?

      To be immune from this "flaw":
      1. actually provision AMT if it's present on your PC (note: AMT != Intel ME, which is in all chipsets of the last 10 years or so)
      2. put a BIOS password to protect from AMT local reset.

      This takes about 30 seconds, and it can actually be done en masse if you are doing AMT properly.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    10. Re:move on...requires physical access by Anonymous Coward · · Score: 0

      There are things like Full Drive Encryption that are meant to protect mobile systems from compromise even under long term malicious physical compromise. The article summary suggests that FDE is bypassable while using ME as a backdoor.

      Did you know that when a company stores confidential or otherwise sensitive information on a laptop and the laptop gets stolen, they are exempt from data breach disclosure laws if FDE is enabled? There are key reasons features like this are required to work in secure environments.

  7. Ditch Intel, buy AMD by Anonymous Coward · · Score: 0

    All of you who own Intel processors should get rid of your Intel hardware and replace it by buying AMD hardware. Intel has deflected responsibility for their mistakes while forcing the secret and vulnerability-ridden ME on users. If you don't replace your Intel hardware with AMD hardware, you're willfully allowing yourself to remain vulnerable to these exploits and have nobody else to blame but yourself. I'm glad I only buy AMD hardware. But if I had Intel hardware, I'd throw it in the trash and go buy replacement AMD hardware right now.

  8. So, the flaw is the user forgot to set the lock? by El+Cubano · · Score: 4, Insightful

    If MEBx hasn't been configured by the user or by their organization's IT department, the attacker can log into the configuration settings using Intel's default password of "admin." The attacker can then change the password

    So, the "flaw" is that the user forgot to set the lock? I am stunned that this is considered a vulnerability/flaw. I mean, when I buy a new gun safe or document safe for my home or office, it comes from the factory with a default combination. I have to set it to one of my choosing. If I choose to not change the default combination, then that is on me.

    Now, you might argue that it should be more like keyless entry for an automobile: the manufacturer sets a code a and provides you a device (key fob) for entry. However, if Intel did that, they would be accused of making their products difficult to use or crippling them (because people would certainly lose their AMT key fobs and Intel would either be unable to recover them, or would charge a fee for the service) or taking advantage of the user (because they would certainly lose the key fob). Plus, that would make it an absolute nightmare for central IT, the target audience for this particular feature.

    The point is that if you are buying machines that have this capability, then you are buying mid-range to high-end business/professional stuff. AMT is not available on entry-level and most consumer gear. Besides, the people who don't bother setting the MEBx password on their systems (assuming they don't have central management through IT) are probably the same sort of people who buy a wireless AP, turn it on and leave the password set to the default and the admin function accessible over the wireless interface.

    Intel has problems, but this one is definitely way down on the list.

  9. Not worried by Anonymous Coward · · Score: 0

    I activate AMT on all the computers that pass by my office, so this does not affect me. Anybody who did not like having IME on their computers (e.g. home users) can flash a neutered image using me_clean. I don't see this as a big issue.

    It is like saying that the router has a security flaw because the default password is admin/admin.

    1. Re:Not worried by Anonymous Coward · · Score: 0

      NO! me_clean is not just a single binary, you also need to prepare alligator clips and some hardware hacking skills to unsolder those small chips on your machine. Normal home users, even the majority of geeks posting here, don't have those skills. You are spreading fake news.

    2. Re:Not worried by Anonymous Coward · · Score: 0

      What are these articles? You are spreading fake news.

  10. AMD by puddingebola · · Score: 1

    Shouldn't AMD benefit from this long term?

    1. Re:AMD by Lunix+Nutcase · · Score: 2

      Why? Their own equivalent is equally as shit.

    2. Re:AMD by Qzukk · · Score: 3, Insightful

      Getting to the point where I'm going to have to dig out my old VIA-powered Wal-Mart PC to do my banking and such on to ensure security from hackers dropping javascript into my browser.

      At the very least, the slow speed means I'll realize pretty quickly when someone is trying to use it to mine cryptocurrencies.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
  11. Re:So, the flaw is the user forgot to set the lock by CanHasDIY · · Score: 4, Interesting

    I've worked in the IT field for 15 years - in academia, for financial institutions, for Fortune 500 companies, and at small, locally owned businesses.

    You would balk if you saw how many of the "top companies in America" don't give 2 shits about security, outside of whatever the latest CNN scare story is. I personally find it amazing how some of these corporations will spend tens of thousands of dollars on fancy security equipment.... that they never bother to actually configure.

    You can show your C-levels the lock and hand them the key, but you can't make them set the latch.

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
  12. Basically a default password by 140Mandak262Jamuna · · Score: 1

    Millions of devices ship with default passwords. It is an issue only if it is not possible to change it, and the need to change is not clearly explained when it was shipped. Ideally it should not be the same password for all devices but something unique to each chip, given to the manufacturer as part of shipped chips.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  13. Why does Intel suck so much? by Anonymous Coward · · Score: 1

    Over the last few months, we've come to know that:

    1) For years Intel has put a backdoor in hundreds of millions of CPUs, called "Management Engine"

    2) That the aforementioned backdoor, besides being evil in itself, is also full of bugs

    3) That their CPUs, because of some mentally diseased architectural features, somehow allow javascripts from a browser to read kernel memory, something that would have been inconceivable until a decade ago

    4) ... and finally that Intel doesn't even want to refund customers for all of the above, they just issued "mitigations" that don't work, decrease available computing power, and are also bugged themselves!

    How can anybody suck so much? Are there any Intel employees on this forum? Can you read this? Why do you suck so much for being human beings? Are you actually human or are you bacteria? What do you think about the fact that all the rest of the world really really hate you? Have you ever considered suicide?

    1. Re:Why does Intel suck so much? by HiThere · · Score: 1

      You are conflating intentional evil with unexpected problems. Both happened, but in separate incidents. E.g., the bugs in the management engine were unintentional.

      Point 3 is unfair. You are describing Spectre, not Meltdown, and nobody expected Spectre. Intel (and others) had reason to expect Meltdown.

      Point 4 is also unfair, but much less so. There's no way that Intel could replace the chips that are causing problems. Some of them come from discontinued lines of manufacturing, and many of them can't be replaced individually, but would require that entire boards be replaced. So they can't replace the chips. One can argue that due to apparent malice they should replace the entire necessary equipment, but often they only made the CPU, and they don't have the *right* to replace the rest, and the company that originally made the equipment no longer makes it.

      OTOH, they seem to be unwilling to even undertake such mitigation as would be reasonably feasible. I'm amenable to considering them a criminal enterprise engaged in the sale of defective goods.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  14. Re:Seems like nothing good come from Intel nowaday by quonset · · Score: 2

    These are programming flaws. Programmers are never held accountable for anything. Every time something like this is reported folks on here make up every excuse why it's not the fault of the programmer.

    Watch.

  15. Re:So, the flaw is the user forgot to set the lock by InvalidsYnc · · Score: 4, Interesting

    I think the main point is that people don't realize that they have a "lock" that they need to change the combination on. Perhaps with additional education people can "check their sh*t" and see if it needs to be changed. Then the bad actor can just look under their keyboard for the PW, but at least it won't be "admin" anymore.

  16. Um dude? by Anonymous Coward · · Score: 0

    AMD has their own version with an unpatched hole. AMD is just as bad for this stuff. https://m.slashdot.org/story/335801

    The NSA etc. would have loved these move past Go collect total access security vulnerabilities. It's a good thing they didn't know about them...

    1. Re: Um dude? by HiThere · · Score: 1

      The assertion was that AMD has other flaws. Your response doesn't even address that. This is independent of Meltdown (Intel only) and Spectre (all speculative execution chips).

      OTOH, there haven't been any recent announcements of new AMD flaws that don't also apply to Intel.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    2. Re: Um dude? by MachineShedFred · · Score: 1

      Did you even use the link he provided? Did you read anything past "AMD has their own" before clicking reply?

      He linked to an article about AMD's own in-hardware sideband management solution that is essentially the same fucking thing as Intel ME / AMT.

      Who's the fucking shill now? Fanboyism + incompetence + ignorance = Slashdot hilarity.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  17. Re:So, the flaw is the user forgot to set the lock by eddeye · · Score: 3, Insightful

    So, the "flaw" is that the user forgot to set the lock? I am stunned that this is considered a vulnerability/flaw. I mean, when I buy a new gun safe or document safe for my home or office, it comes from the factory with a default combination. I have to set it to one of my choosing. If I choose to not change the default combination, then that is on me.

    Bad analogy. The difference here is once the attacker turns on remote monitoring, it occurs silently. There's no indication that it's happened and no way to recover. If you forget the combination to your safe, then 1) it's obvious and 2) you can still retrieve the contents in other ways.

    This is not just a case of "stupid user". It's a poor design on Intel's part. Intel handed them a loaded shotgun with a hair trigger pointed directly at their foot.

    --
    Democracy is two wolves and a sheep voting on lunch.
  18. Re:Seems like nothing good come from Intel nowaday by Anonymous Coward · · Score: 0

    No. One is a software flaw. The others are hardware flaws. Not even in microcode. The actual pipeline steering logic. Not that I am saying this justifies anything.

  19. "by only -" by sheramil · · Score: 2

    can be compromised in moments by someone with physical access to the computer -- even bypassing BIOS passwords, Trusted Platform Module personal identification numbers, and Bitlocker disk encryption passwords -- by rebooting the computer, entering its BIOS boot menu...

    How do you bypass the BIOS password if you can't get to the BIOS boot menu, because you don't have the BIOS password? I don't think "brief physical access" covers "opening the case and pulling the CMOS battery".

    1. Re:"by only -" by Anonymous Coward · · Score: 0

      https://www.technibble.com/how-to-bypass-or-remove-a-bios-password/

    2. Re:"by only -" by Anonymous Coward · · Score: 0

      Pretty sure some BIOSes protect against that anyway and store the password in some programmable ROM. So you might need to get the jumper cables out.

    3. Re:"by only -" by thegarbz · · Score: 1

      How do you bypass the BIOS password if you can't get to the BIOS boot menu, because you don't have the BIOS password?

      That is what is expressly addressed by this "vulnerability". You don't need to enter a BIOS menu to access MEBx, and if you have remote administration enabled in AMT you don't even need to be at the computer. Yet from there you can specifically change BIOS settings.

  20. Avoid Wi-Fi w/o monitoring + intrustion detection by Anonymous Coward · · Score: 0

    That must explain the up to 8 middle-man connections when I connect to the Guest Wi-Fi (SSID TuscanHillsGuest 2.4 GHz 802.11n) that immediately show up in Windows Resource monitor and try to latch on to a program task number or even a local machine task number. I have even seen attempted middle-man attacks from Zayo.com, Above.net, and Rochester.rr.com Internet providers that at one point DID throttle Wi-Fi thruput and even once disrupted an attempt to register Corel Paint Shop Pro X9... but that was ALSO when Microsoft was apparently sabotaging Microsoft Security Essentials (VirtualHoser::snac sent even in %temp% logfiles) and now they all get kicked out as Blocked when using the Firewall Booster of TrendMicro Anti-Virus + Security for Windows (after doing away with MSE). My system is Intel Core i3 3200 MHz/3.2 GHz running Windows 7 SP1 64-bit Home Premium... others may vary but Microsoft with assistance did manage to at one point Throttle my Wi-Fi, disable my Dial-up modem (fixed using Phone dialer), even spontaneous abort burning a Mastered CD (fixed using Regedit with Run as Administrator Command Prompt elevation)... but I am still stuck with only one CD burn only until logoff/logon and I have to System Restore due to boot to an unknown duration black screen if I reboot (so I only put the System to Sleep). See Facebook daniel.rouse.146 for Timeline Details as I discovered the hack attempts and resultant problems... but some may have been Feed Tombstoned by Facebook.

  21. Re:Seems like nothing good come from Intel nowaday by networkBoy · · Score: 1

    How is this even a flaw?
    It's a case of default state + physical access == ownership.
    This is nothing new at all.

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  22. Re:Seems like nothing good come from Intel nowaday by ELCouz · · Score: 1

    Agree this is not a flaw, but talking about Intel design in general...we haven't heard any good news about AMT, Intel CPU design, and the whole Intel Press Relations in denial.

  23. Re:So, the flaw is the user forgot to set the lock by phalse+phace · · Score: 1

    Equifax

  24. Re:So, the flaw is the user forgot to set the lock by Gravis+Zero · · Score: 1

    You would balk if you saw how many of the "top companies in America" don't give 2 shits about security, outside of whatever the latest CNN scare story is. I personally find it amazing how some of these corporations will spend tens of thousands of dollars on fancy security equipment.... that they never bother to actually configure.

    You can show your C-levels the lock and hand them the key, but you can't make them set the latch.

    Absolutely! Except there is going to come a point in time where a concerted effort by small nation-state-sponsored groups will be able to completely destroy corporate giants overnight. When they see empires around them begin to fall they will either start caring or become a casualty of cyberwarfare.

    --
    Anons need not reply. Questions end with a question mark.
  25. Re: So, the flaw is the user forgot to set the loc by Anonymous Coward · · Score: 0

    When we have a top official selling American national Security to the highest bidder (pay to play) all while storing email on a private server - and not only not be prosecuted, but protected by the FBI, why in the fuck would I care about what goes on in the private sector???!!!!!

  26. Re:Seems like nothing good come from Intel nowaday by networkBoy · · Score: 1

    I don't particularly see this as bad engineering even.
    The thing ships disabled by default and with a default local only pwd to enable it OR lock out other access.
    It can be disabled in the BIOS (and then the BIOS pwd activated) as well.
    The config guide even says setting the password is a non optional step in any multi user/multi access environment, or you can get a sku where it's not even available.

    no different than leaving the BIOS unlocked. I could boot a USB device that installs a rogue bootloader on the HDD.

    Intel's fscked up plenty lately, this is just flamebait, and it's not even needed... focus on the real issues: AMT remote exec vuln, local buffer overflow in ME kernel (well shit), and of course Meltdown and Spectre.

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  27. EZ way to cripple Intel AMT/ME by Anonymous Coward · · Score: 2, Interesting

    Stop its ability to send info. outward via router port filtering: ports 16992-16995 + 623-625 Intel AMT/ME uses, in a modem/router external to the OS/PC.

    Intel ME/AMT operates from your motherboard but has NO CONTROL OF YOUR MODEM/ROUTER!

    (This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)

    Additionally, once you disable the AMT engine's software interface (ez via software like the uninstaller for it & DisableAMT.exe + the test in usermode via Intel-SA-00075-GUI.exe to TRIPLE CHECK)? A malware to 'repatch' this = impossible (bios updaters require it in usermode ware, e.g. ASUS).

    (I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))

    HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" too (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/

    * GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones don't)!

    Especially after this finding: Intel Management Engine pwned by buffer overflow vendor patches for the vulnerability may not be enough http://www.theregister.co.uk/2017/12/06/intel_management_engine_pwned_by_buffer_overflow/ & Marcus Hutchin's "magic bit" patch doesn't help vs. this either.

    APK

    P.S.=> Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, from OUTSIDE of the INTEL chipset external to it via a router/firewall hardware... apk

    1. Re:EZ way to cripple Intel AMT/ME by Anonymous Coward · · Score: 0

      Holy crap APK that was fucking informative. What happened? Did the aliens do an anal probe last night and remove "hosts" from your vocabulary?

      If so, thank you aliens!
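The router port filtering the parent post describes, turned into a detection rule over gateway firewall logs, as an added example that is not code from the thread, from Intel or from F-Secure: it flags any logged flow whose destination port falls in the AMT/ME ranges the post names (16992-16995 and 623-625) and generates the equivalent iptables drop rules. The iptables-style log lines, the hosts and the `10.0.5.` LAN prefix are constructed for the example.

```python
import re
from collections import defaultdict

# Ports the post attributes to Intel AMT/ME traffic. 16992-16995 and 623 are
# the AMT/RMCP ports; 624-625 are kept only because the post lists the range.
AMT_PORT_NAMES = {
    16992: "AMT HTTP",
    16993: "AMT HTTPS",
    16994: "AMT redirection (SOL/IDE-R)",
    16995: "AMT redirection over TLS",
    623: "RMCP/ASF",
    624: "AMT/ME range (as listed in the post)",
    625: "AMT/ME range (as listed in the post)",
}
AMT_PORTS = frozenset(AMT_PORT_NAMES)

# Constructed sample lines in iptables LOG format; hosts and times are invented.
# Line 3 is the case the thread worries about: an outside peer reaching a
# workstation's AMT redirection port.
SAMPLE_LOG = """\
Jan 12 09:14:02 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.7 PROTO=TCP SPT=49152 DPT=443
Jan 12 09:14:05 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.9 PROTO=TCP SPT=49153 DPT=16992
Jan 12 09:14:07 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.4 DST=10.0.5.23 PROTO=TCP SPT=40000 DPT=16994
Jan 12 09:14:09 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.40 DST=203.0.113.7 PROTO=UDP SPT=5353 DPT=623
Jan 12 09:14:11 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.41 DST=203.0.113.7 PROTO=TCP SPT=49200 DPT=80
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the address/port fields of one iptables LOG line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def classify(rec, lan_prefix):
    """Describe a flow to an AMT/ME port; None if the destination port is not one.

    lan_prefix marks the managed LAN so the alert says whether a local machine
    is being reached on its AMT port (inbound) or is reaching out to one.
    """
    if rec["dpt"] not in AMT_PORTS:
        return None
    inbound = rec["dst"].startswith(lan_prefix)
    return {
        "host": rec["dst"],
        "port": rec["dpt"],
        "service": AMT_PORT_NAMES[rec["dpt"]],
        "proto": rec["proto"],
        "peer": rec["src"],
        "direction": "inbound-to-LAN" if inbound else "outbound-from-LAN",
    }


def find_amt_flows(log_text, lan_prefix="10.0.5."):
    """Return one alert per log line whose destination port is an AMT/ME port."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        alert = classify(rec, lan_prefix)
        if alert is not None:
            alerts.append(alert)
    return alerts


def hosts_by_port(alerts):
    """Aggregate alerts into {host: sorted AMT ports seen}, usable as an AMT inventory."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].add(a["port"])
    return {host: sorted(ports) for host, ports in seen.items()}


def iptables_block_rules(chain="FORWARD"):
    """Generate the gateway drop rules matching the post's port filtering (strings only, nothing applied)."""
    rules = []
    for proto in ("tcp", "udp"):
        rules.append(f"iptables -A {chain} -p {proto} --dport 16992:16995 -j DROP")
        rules.append(f"iptables -A {chain} -p {proto} --dport 623:625 -j DROP")
    return rules


if __name__ == "__main__":
    alerts = find_amt_flows(SAMPLE_LOG)
    for a in alerts:
        print(f"{a['direction']:18} {a['host']}:{a['port']} ({a['service']}) "
              f"peer {a['peer']} via {a['proto']}")
    print(hosts_by_port(alerts))
    print("\n".join(iptables_block_rules()))
```

Running it on the sample prints three alerts, including the inbound hit on 10.0.5.23:16994, and the four drop rules for a gateway that sits, as the post puts it, outside the Intel chipset.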

  28. This is why Russia makes their own chips by Anonymous Coward · · Score: 1

    Russia invests enormous resources into making their own Elbrus chips which are based off of MIPS architecture. They are certainly lagging a few generations from the fastest process technology, but that's what you got to do if you don't want to have NSA backdoors in weapons systems: https://en.wikipedia.org/wiki/Elbrus_(computer)

  29. Re:Avoid Wi-Fi w/o monitoring + intrustion detecti by Anonymous Coward · · Score: 0

    and now they all get kicked out as Blocked

    I am not sure who you are referring to with "they" in your above statement. Was it those doing MITM or those domains Zayo.com, Above.net etc.?
    First rule when you connect to a public WiFi is to use a VPN or Tor to route your traffic and avoid being a victim of MITM.
    Modern i-series from i3 to i7 have IME/AMT accessible via WiFi so your story could be true, but there are a lot of factors too. Could be one of the commercial software packages you are using, from AV, Firewall, Corel, and yes even the OS itself.

  30. Physical access isn't a software or hardwar breach by passionplay · · Score: 1

    Rule 1 of security. Physical access trumps everything else. So you can't claim finding a defect that can be exploited physically is a breach. For that matter, someone could start plugging things into the motherboard. This is just a lot of stupid hoopla. Everyone in OpenSource knows the REASON Open Source works is to bypass security through obscurity. Open Source DOES NOT and WILL NEVER (and neither will any security system) foil physical access 100% of the time. As for this - I've never even seen this option in my BIOS choices. Just pop sensationalism.

  31. BIOS passwords are a joke by Anonymous Coward · · Score: 0

    Kill all power to the machine for a while and remove the little watch battery and put back.

    1. Re:BIOS passwords are a joke by Anonymous Coward · · Score: 0

      In all of the HP computers I work with, pulling the CR2032 battery does nothing. Oh, the date, time and most BIOS settings are reset, but the BIOS password is still there. Later versions of the HP BIOS also have an option to dishonour the CMOS jumper setting.

      Same with Lenovo. They store the BIOS settings in a flash chip. Having a CMOS battery is just a facade.

  32. Re:So, the flaw is the user forgot to set the lock by Anonymous Coward · · Score: 0

    The difference here is once the attacker turns on remote monitoring, it occurs silently. There's no indication that it's happened and no way to recover.

    In the implementation I have at work:
    a) When I connect remotely to the computer via AMT, a red border (early versions of ME) or a flashing red/yellow border (later versions) is shown on the physical monitor. There is also a small network icon shown in the top right corner. This is drawn by the ME, and no settings can disable this.
    b) The AMT drivers and software for Windows allow you to disconnect an active session with a hot key. The remote viewer has no recourse other than to reconnect.
    c) You can reset ME to factory settings via the BIOS.

  33. Re: So, the flaw is the user forgot to set the loc by Anonymous Coward · · Score: 0

    Your brain has poor security, Fox News hacked in.

  34. Re: So, the flaw is the user forgot to set the loc by Anonymous Coward · · Score: 0

    What does Trump have to do with this?

  35. Obligatory: Intel CPU Backdoor Report (Jan 1 2018) by Anonymous Coward · · Score: 4, Interesting

    Change log:
    2018/01/01 - Added 14 Useful Links. Disable Intel ME 11 via undocumented NSA "High Assurance Platform" mode with me_cleaner, Blackhat Dec 2017 Intel ME presentation, Intel ME CVEs (CVSS Scored 7.2-10.0)

    Intel CPU Backdoor Report
    The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

    What we know about Intel CPU backdoors so far:

    TL;DR version

    Your Intel CPU and Chipset is running a backdoor as we speak.

    The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

    30C3 Intel ME live hack:
    [Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
    @21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.

    [Quotes] Vortrag:
    "the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".

    "We can permanently monitor the keyboard buffer on both operating system targets."

    Backdoor removal:
    The backdoor firmware can be removed by following this guide using the me_cleaner script.
    Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

    2017 Dec Update:
    Intel ME on recent CPUs may be disabled by enabling the undocumented NSA HAP mode; use me_cleaner with the -S option to set the HAP bit, see me_cleaner: HAP AltMeDisable bit.

    Decoding Intel backdoors:
    The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

    If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

    Useful links (Added 2018 Jan 1):
    Disabling Intel ME 11 via undocumented HAP mode (NSA High Assurance Platform mode)
    me_cleaner: Set HAP AltMeDisable bit with -S option
    Blackhat 2017: How To Hack A Turned Off Computer Or Running Unsigned Code In Intel Management Engine
    EFF: Intel's Management Engine is a security hazard, and users need a way to disable it
    Sakaki's EFI Install Guide/Disabling the Intel Management Engine
    Intel ME bug storm: Hardware vendors race to identify and provide updates for dangerous Intel flaws.
    CVE-2017-5689: An unprivileged network attacke

  36. Fuck off Intel shills by Anonymous Coward · · Score: 0

    AMD flaw is much more difficult to exploit than Intel's and is much weaker.

    The only selling point of Intel CPU was that 5% extra performance, which came at the cost of major security flaw.

    Nobody will buy Intel anymore.

    1. Re:Fuck off Intel shills by MachineShedFred · · Score: 1

      And by "nobody" you mean "all Fortune 500 companies, and hundreds of millions of home users"

      --
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.

  37. Re:Seems like nothing good come from Intel nowaday by Anonymous Coward · · Score: 0

How many Linux developers have been fired for continuing to introduce hundreds of security vulnerabilities every year? How do they manage to fuck it up every release cycle? I mean it's a clone of an existing successful proprietary design (like much of open source).

  38. Re:So, the flaw is the user forgot to set the lock by Anonymous Coward · · Score: 0

    You can show your C-levels the lock and hand them the key, but you can't make them set the latch.

    The real problem is that most of the users and developers are too stupid to know how to get back in the building if the latch is set.

  39. Re: Avoid Wi-Fi w/o monitoring + intrusion detect by Anonymous Coward · · Score: 0

    Tor to route your traffic and avoid being a victim of MITM.

    I always thought that the first rule of TOR was that you are deliberately putting three malicious actors in the middle... and they are logging and modifying your communications.

    The first rule of public wifi is don't! The second rule is connect to your own secure vpn at home with some kind of network lock to prevent unsecured traffic egressing over the public wifi.

    The third rule of public wifi is do you really trust your ISP at home?

  40. Re:Seems like nothing good come from Intel nowaday by MachineShedFred · · Score: 1

    I guess using shit that incompetent admins spent extra money for and then left wide open by never configuring is now Intel's fault? This is the manual single-machine way to provision AMT / vPro. The only way this is a "flaw" is because the monkey in IT either didn't know what they were buying, or didn't bother to actually use what they were sold. By the way, once AMT / vPro are configured in any way (and if the admin of a machine is at all smart, they are doing this through a software provisioner when installing the OS in order to make sure the settings are the same each and every time), this "flaw" is no longer an option without the password, or without a few reboots and access to the BIOS.

    Oh wait, is being able to press DEL, F1, F12, etc. and access the BIOS because a password wasn't set a "flaw" now too? Because that's the same fucking thing.

    Don't want nefarious people configuring your vPro for you? Either don't buy a machine with vPro built in (yes, vPro is different from AMT - AMT is the base tech, vPro is a feature set running on top that allows the remote control, remote boot options, remote BIOS access, etc.), or fucking configure the thing you paid an extra $30 or so for.

    What a sensationalist clickbait article that has been completely documented by Intel and the vast majority of their OEMs for like 6 years.

    --
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.

  41. Re:Seems like nothing good come from Intel nowaday by MachineShedFred · · Score: 1

    Here's the good news about AMT and vPro: You can spend $30/system to have vPro on it, you can mass-configure with software Intel provides for free (but you need to buy a signed certificate specifically for AMT provisioning that matches your DHCP's DNS suffix for it to work), and then you can remotely reboot provisioned hardware from ISO images to reimage hardware from anywhere in the world, if you have granted access. It just needs to be on your network, and this includes notebooks that are wireless only.

I implemented this at a Fortune 500 that has about 50,000 Windows PCs spread across the US like trading stamps, and contracted with a 3rd party for on-site support. They charged a minimum 2 hours for a service call. vPro paid for itself in the first year just from reimage tickets alone - never mind the cost savings of not having to license a remote viewer for the help desk that is worth a damn and has the required security features for this company (HIPAA).

    If you opt-in on something that:
        - allows remote access in hardware
        - leave it unconfigured
        - allow some bad actor physical access
    then you get what you deserve. Change any one of those three, and you're fine.

    This "flaw" is in IT staff, not the product.

    --
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.

  42. Deadbolts and doorknobs have a security flaw! by MachineShedFred · · Score: 1

    Apparently it's now a "flaw" with Kwikset, Schlage, Yale locks if I don't turn the lever on the inside to the 'lock' position. These lock manufacturers must do something about this immediately!

    --
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.

  43. Re:So, the flaw is the user forgot to set the lock by MachineShedFred · · Score: 1

    Now why would you go and destroy the crux of his incredibly flawed and untrue statement with things like facts and experience?

    What kind of argumentative strategy is that?!

    --
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.

  44. Find it hard to get worried. by Computershack · · Score: 1

    I find it hard to get worried about an exploit which requires physical access to the machine because if a hacker has that it pretty much means it doesn't matter what you've done and whether or not an exploit exists they're going to be able to get access to your data. Once a hacker has physical access to your machine it is pretty much game over.

    --
I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams

  45. Re:Seems like nothing good come from Intel nowaday by Anonymous Coward · · Score: 0

    Yep, you're right. Let's punish volunteer open source developers. That will make the body of open source software develop faster.

  46. start point by Anonymous Coward · · Score: 0

    Every initial setup process should provide a default pass.

    You can implement a lot of security layers on top, but everything must start from an open system.

  47. Re:Seems like nothing good come from Intel nowaday by ELCouz · · Score: 1

    I don't know why you are in defensive posting. Never talked about flaws. Just the whole AMT is a fiasco because it has no use outside work environment yet imposed on consumer products WHICH most will never update the AMT firmware because they don't know how. If you followed Intel in the past two months you will know what I'm talking about. I'm not talking about BIOS or default user/pw value there.

  48. Like I always say? "It's not easy..." by Anonymous Coward · · Score: 0

    See subject: "... being WORLD-class" (like me, lol) & quoting a fellow /.er on that note (China too):

    I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017

    Even a NATION copied my ideas (dns level protections & speed via hosts that NO OTHER PROGRAM LIKE MINE DOES - apparently, only I had the insight vs. my competitors) http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages/

    * It's the POLISH descent in me folks - what can I say?

    I've posted on this TONS of times & YES, it works (9/10 upmodded) but I don't have an "OpenSORES 'pr machine'" behind me like Marcus Hutchins etc.!

    APK

    P.S.=> Probably why Whipslash likes me (not) per the TUNE by CoNcReTe BLoNdE I dedicated to him on our "anniversary" here (lol) which shows I AM STILL IN HOLLYWOOD https://developers.slashdot.org/comments.pl?sid=11595037&cid=55905861/ ...apk

    1. Re:Like I always say? "It's not easy..." by EETech1 · · Score: 1

      I still wish you made a Linux version, or had capability with WINE

  49. LOL! CoNcReTe BLoNdE's "troll on the corner" by Anonymous Coward · · Score: 0

    See subject & a "1 yr. anniversary" tune dedicated to WHIPSLASH https://developers.slashdot.org/comments.pl?sid=11595037&cid=55905861/ & it's lyric from it that FITS YOU "The troll on the /. corner? I flipped him a quarter & he looked @ me & SMILED"

    Apparently so, thanks for the UPMOD on my post on Intel AMT/ME, it works!

    (& YOU GOT THE DOWNMOD for once, not I (why this happens to me I have no idea - I do some decent things here for ZERO compensation (hell, I take shit here like mad, lol)).

    * Another lyric from it for you TROLL -> "He wasn't confused, he wasn't ABUSED..." (well, untrue - this time? JUSTICE WAS SERVED & you got the downmod, well-deserved) "... HE NOTHING TO GAIN & LESS TO LOSE!"

    From either behind your MANY sockpuppet FAKE NAME ACCOUNTS HERE or by UNIDENTIFIABLE anonymous posts stalking/harassing me, downmod bombing me etc., nigh constantly.

    APK

    P.S.=> Ah, doesn't matter - why? "I'm still in HOLLYWOOD" (& I don't know why), lol (see that link above - it explains it ALL)... apk

  50. Only Delphi 10++ does Linux now... apk by Anonymous Coward · · Score: 0

See subject: I have an older version Delphi XE 4 32/64 bit targeting for Win/MacOS X (not Linux) BUT I heard tell OLD Kylix (which Borland did for Linux = FREE now) & FreePascal + its LAZARUS IDE (almost PERFECT CLONE of Delphi 2.x IDE & commandset = VERY compatible) could "make it so Jean Luc" - & yes, I've thought about it - HOWEVER (being honest here)? It wouldn't be TOO hard to do (MS drive letters vs. *NIX mounted devices changes = ez, WinSock2 vs. std. *NIX sockets already abstracted away (for most part), & API call analogs (ez if you know both OS decently))

* So yes, it is "doable" - & I'd even "OpenSORES" it BUT /. trolls have MANY TIMES 'threatened' that IF I did, they would create a MALICIOUS "DOPPELGANGER" OF IT & NO way I will allow a "Google EFast Chrome" debacle to wreck my good name - no way (look that up, you'll understand if you don't already).

    APK

    P.S.=> Besides - there ARE scripts for your boys (though mine's GUI) in the interim meantime period (but I am SURPRISED none of you have built one to 'rival' mine actually - it's WHY I 'rib on' my 'naysayer detractors' here, to MOTIVATE THEM to do so, in part - the rest is to bust them up for "F'ing w/ me" & I always do getting the best of them, lol (but, it's work building a work like this (believe it or not, 54,000++ lines of errtrapped pretty much "bulletproof bugfree" stuff) & many here are employed fulltime (I am long retired 10++ yrs. running my own business & this was just a hobby to me, albeit one on a 'pay it forward' thing as Joe Walsh says "Life's been GOOD TO ME so far" & I wanted to return the favor for the ABSOLUTE GOOD is all in this prog))... apk

    1. Re:Only Delphi 10++ does Linux now... apk by EETech1 · · Score: 1

      I've tried it in WINE, IIRC it doesn't make it through deduplication.
      Not to sound like an ass, or trivialize your work, but it does seem like a fairly simple task from a programming standpoint, i.e. one that WINE should be able to do (download and merge lists, save to a file) even though you may have to save it in the WINE drive, and install the file manually in Linux.

      Cheers

  51. No, you're ok & here it is... apk by Anonymous Coward · · Score: 0

See subject: WINE != perfect (everyone KNOWS this) & sadly (though I am 'loath to admit it'? LOL - neither am I).

    It may be something in WINE or possibly Borland/Embarcadero's code (or a Win32 API I use, extensively in it) that doesn't 'mesh' & I've never 'formally examined it' or traced it under WINE here either!

    (No need for me PERSONALLY (retired). I don't use it - & to be BLUNT about it? I am not out to "help the competition" as Windows was a HUGE part of my life/career & gave me what I had (albeit via my own efforts career-wise & the BIGGEST share of PC desktops & servers combined IS STILL WINDOWS, hence my choice of going mostly THAT direction for "job surface area" for lack of a better expression on that sentiment here, like it OR not, it's truth from my perspective for me & WHY I said it)).

    * On Dedup? It should NOT be a problem algorithmically - I chose a modified quicksort (the default & MOST optimal over the most sort sizes & data mixes (mostly sorted vs. totally randomized unsorted as 'extremes' & saved me using HEAPSORT (good one, could be superior but TONS MORE CODE I avoided)).

    Datastructures is a GOOD COURSE that covers this IF you are interested in education...

    (Lastly - if this is some 'potshot' from you "trying to make me look bad" albeit in a 'snide manner' TROLLING ME? LOL, then I thank you @ least for your civility if not 'slyness' too (wish MORE trolls had your method actually vs. what I usually get here (bogus downmods, namecalling etc.))

    APK

    P.S.=> In any event, there you have it on ALL possibles you asked for (or not)... apk

  52. Re: So, the flaw is the user forgot to set the loc by Anonymous Coward · · Score: 0

    The lock and gun analogies don't fully click for me. When people buy a lock, they understand its function and how to operate it. They know they need to lock it for it to perform its duty. People who buy guns know guns are dangerous and know how to increase security by storing them in a safe and/or using a trigger lock.

The controversial features Intel and others baked into computers are hidden side features (remote control) -- not the main feature of the product, and 99.99999% of consumers, small businesses and small IT shops don't know the features exist.

    For me, here's a better analogy regarding locks: imagine if every lock sold at Home Depot and Lowes had a hidden feature not mentioned in the marketing lit or loser manual (1-paragraph instruction sheet in 14 languages) but is mentioned only in an advanced manual online. This hidden feature allows anyone blowing a 2.6 KHz whistle for 5 seconds within 2 meters of the lock to unlock it -- unless you disable the feature. Now if the feature comes disabled on all new locks and a user has to enable it, then, yes, it's the user's fault if the default whistle frequency wasn't changed after enabling it. But the creators and legit willing users of the feature assume it doesn't have flaws that can be exploited. If instead they assume the feature has unknown exploitable flaws, they wouldn't risk such a feature.

    Certain types of features are better left off in order to reduce the chance of human user and design errors (e.g., the Chernobyl reactor -- "it was user error," many people yell, but having features that depend so much on humans is unwise).

    Also, if a disabled feature has a flaw that creates a vulnerability or if a correctly enabled feature has a flaw that creates a vulnerability, then such a feature is dangerous. Maybe this doesn't apply to Intel -- yet, but it doesn't make sense to me that the head of Intel would dump stock merely because he realized an obscure legit feature was about to be widely publicized.

    By some estimates at least 80% of big corporations have been breached, hacked etc. IT departments and small IT shops LOVE convenience over security, especially if it saves money and time for customers/bosses. The mere presence of unattended remote control systems adds risk considering so many software and hardware systems, maybe most, have flaws that can be exploited. (Lists like full-disclosure and CERT spew se-flaw notices all week long.)

    Intel and every hardware and software company, plus standards groups for WPA2 and many others security "standards," have produced horrendous bugs that allow attackers to gain control or snoop.

It's prudent to reduce exposure to entire classes of features, e.g., visual basic, java, flash, IE, Windows, unattended remote access, if the risks outweigh convenience FOR USERS AND THE COMPANY (the convenience of IT depts shouldn't be weighed against the risk to users and companies -- a real conundrum!).

  53. Re: So, the flaw is the user forgot to set the loc by Anonymous Coward · · Score: 0

Oh come on....think about that...you have to know there's a lock. Most people don't and there is no reason for them to have known...it requires some deep expertise.

    ------
    So, the "flaw" is that the user forgot to set the lock?

  54. Re:So, the flaw is the user forgot to set the lock by swillden · · Score: 1

    I mean, when I buy a new gun safe or document safe for my home or office, it comes from the factory with a default combination. I have to set it to one of my choosing.

    And what about when you buy a new electric frying pan? Do you remember to change the default factory passcode for one of your own? Or do you not even realize that your new frying pan has a passcode that needs to be set?

    The latter is the situation with a huge number of PC buyers.

    --
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

  55. Re:So, the flaw is the user forgot to set the lock by JesseMcDonald · · Score: 1

    So, the "flaw" is that the user forgot to set the lock?

    No, the flaw is that there is an extra subsystem living within the CPU which is enabled by default, whether you want it or not, listening on all your network ports and waiting for someone to come along with the default password and take over the system.

    If the system had to be enabled manually by someone with physical access (and the BIOS password, if one is set) then it would be reasonable to expect the administrator to change the access codes. The same applies if the remote management capability were the primary reason to choose this model over other designs, which would be closer to your document-safe example. However, being enabled by default out of the factory, including on systems which have no use for it, makes it an open backdoor. (Whether Intel or system integrators are responsible, it is clear that CPUs with this "feature" are being used in situations where remote management capabilities are more of a liability than an asset, and not something the end-user would have requested—unlike a combination on a safe.)

    --
    "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat