Slashdot Mirror


User: WaffleMonster

WaffleMonster's activity in the archive.

Stories
0
Comments
4,185

Comments · 4,185

  1. Re:Track your every move on Google Buys Home Automation Company Nest · · Score: 1

    lock the thermostat and adjust it via your phone or computer. Then she can't do a thing.

    LOL keep dreaming.

  2. Compressor destroyed, heat exchgr rusted + cracked on Google Buys Home Automation Company Nest · · Score: 1

    At least that built in microphone will be put to good use.

  3. Boiling frogs on Ford Exec: 'We Know Everyone Who Breaks the Law' Thanks To Our GPS In Your Car · · Score: 4, Insightful

    Those bubbles you see around you are not soap bubbles.


  4. Drowning in magic pixel dust on 4K Is For Programmers · · Score: 1

    I think 4k displays on the desktop will be most useful to make Microsoft's crappy grayscale font rendering tolerable. Outside of this I stopped caring about screen resolution years ago.

    What is the difference between a small point font and a huge monitor? If you want more lines of code on screen change point size and use fonts optimized for lower DPI. The results are sure to amaze.

    If you're going to have a 39" beast in front of you, you're going to sit at some increased distance from it... the cones of your eyes only have a ***15 degree FOV***; the rest is subconscious illusion / wishful thinking.

    Moving your head/eyeballs around all day is not progress, nor is wasting your time heckling the boss for an ultra-deep desk to compensate. I choose to be smart about using a single display which already covers most of my field of view with sufficient resolution. More is not always better. A little discipline regarding usage of display areas goes a long way, and for god's sake change your fonts.

    Finally, 16:9 is a shit aspect ratio for a main display for programmers unless the display is configured in portrait mode. You need at the very least 16:10.

  5. Re:Umm no. on Ask Slashdot: State of the Art In DIY Security Systems? · · Score: 1

    You can cut the monitoring if you don't want it to alert the police, but then what is the point? Buzzers don't stop murders and they only alert thieves that they have a time limit now.

    There is no point in monitoring period. The buzzer going off alerts people who are actually in the area and possibly able to assist in some way. Talk to those people before there is a problem and come to a mutual understanding.

    If you're betting on cops getting to you just in the nick of time after your monitoring company farts around going through your contact list and then just ...drumroll... "calls the police" to do anything other than file a report after the perps have already fled, you're living a dangerous delusion. If your goal is not to be killed by a murderer, *you* need to be prepared to defend yourself, plan an escape route or hide in some kind of panic room and hope the perps left their metal vapor torches at home.

  6. Re:Good I hope they do it on NSA Trying To Build Quantum Computer · · Score: 1

    Let's not get lost here. We need and want the NSA to do its legitimate job in protecting the nation against terrorists and people to whom the idea of "mass extinction" is just a shorter way to get their god to sort us all into our respective eternal bins.

    If you have no reason to trust your own government to act lawfully and morally this is a hard sell. How many hundreds of thousands of people were killed when Iraq was invaded with completely fabricated lies as justification? Does this count as Mass Extinction? While I'm sure there are people who would love to come to America and blow things up most of the "terrorists" have local political and tribal battles to fight. "Terrorism" is more about those stuck in the dark ages acting out against the rise of Modernity than a world view where USA is constantly in the crosshairs. This country is too big to not be open to anyone determined to be here. We can't even control our Southern borders. My risk exposure from normal criminal activity is multiple orders of magnitude more than my exposure to being harmed by foreign terrorists.

    The whole issue with the NSA eavesdropping is the potential for, as Snowden admirably put it, "turnkey tyranny".

    The whole issue is "absolute power corrupts absolutely": no organization run by humans deserves to gobble up the world's communications and do whatever they please with it. I don't care what your flag is or what your goals are.

    But we WANT them to get a quantum computer and every other thing under the sun they can get. Yes, absolutely we do, even as we do the work that needs to be done to make sure our liberties stay intact.

    I want everyone to get a quantum computer, assuming high qubit entanglement is even possible, not just one organization. The equivalent of the little black box with "too many secrets" written on the side of it I trust to nobody or everybody. If there is just one of them the world is better off with it destroyed.

  7. Re:No shit? on NSA Trying To Build Quantum Computer · · Score: 1

    There is another 4th Amendment question in whether businesses should be required to turn over data under Section 215 of the Patriot Act, which has passed and is law until it gets overturned. The answer will depend on whether corporations are people and if the government should be allowed to tell businesses what they can and cannot do with their own property.

    To file under 215 requires:

    A statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation (other than a threat assessment) conducted in accordance with subsection (a)(2) to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities, such things being presumptively relevant to an authorized investigation if the applicant shows in the statement of the facts that they pertain to—
      (i) a foreign power or an agent of a foreign power;

      (ii) the activities of a suspected agent of a foreign power who is the subject of such authorized investigation; or

      (iii) an individual in contact with, or known to, a suspected agent of a foreign power who is the subject of such authorized investigation; and

    Nearly all of the outrage is based on dishonest memes that do not accurately represent the situation:

    This very same bullshit was famously tried in 2004 while Mr Ashcroft was hospitalized and it didn't work then. Now after the law means whatever you want it to and everyone has sold out to Military industrial machine the sky is the limit I suppose.

    There is no possible authorized investigation requiring collection of call data of everyone in the country, so what the NSA did instead was redefine the word "collection". In the NSA's world the tree in the woods has only fallen once all of its cellulosic fibers have been processed into a table and toothpicks.

    the NSA listening to your phone calls (they are not), the NSA spying on the American people (they are not and take great effort to avoid doing so),

    Every time Keith Alexander opens his mouth he spews the same rhetoric. Every media outlet reporting on this issue I have ever seen, which has been many dozens over the past several months, correctly parses call information and content of call. Nothing is being confused in reporting as is routinely claimed by NSA and their jerkoff group goons. Certainly nobody here is confused about the issue.

    To quote vice president Joe Biden:

    "Harry, I don't have to listen to your phone calls to know what you're doing. If I know every single phone call you've made, I am able to determine every single person you've talked to. I can get a pattern about your life that is very, very intrusive."

    Snowden releasing the documents to the people (he did not), Snowden as a whistleblower (he is not, he copied everything he can find), etc, and news reports that were intentionally falsified by professional bullshitter Glenn Greenwald and published in the Guardian, a newspaper known for falsifying international news worse than Fox News does Washington politics.

    What Snowden or Glenn did or did not do is totally irrelevant to what NSA did or did not do.

  8. Re:website security on How to Avoid a Target-Style Credit Card Security Breach (Video) · · Score: 1

    ... is all about DB security, simply do not allow any access to the DB from the webserver at all. Assume your webserver is already compromised and build from there, is not difficult to do.

    If you assume your webserver is compromised do you think it is a good idea to be entering credit card numbers into it?

    That's the way to do it. you always go through a middle box, and you create an API on that middle tier that your web code can access, and that is tightly locked down. Then you also expose your DB as an API (via stored procedures) that only the middle tier can access.

    Compromise of *any* tier still results in an unacceptable breach. While access might be curtailed, you're still screwed.

    Then, if (ha! when) someone hacks your web server, all they can do is call the API methods on the middle tier, and even if they manage to hack the middle tier too, all they can do is call the DB API methods. None of those methods will have a routine that returns more than 1 CC data, at best.

    Until someone hacks your web server and configures it to exfiltrate every credit card number it ever deals with from then on.

    This stuff isn't hard, but requires a little more discipline than web devs are used to. It also requires that the only code you run on the web server is presentation stuff, no slapping it all on there like most code and frameworks guide you into doing.

    My own opinion with regards to non-physical presence is that PayPal is the correct model and CCs need to be phased out entirely. Security problems mostly evaporate if payment is *given* rather than *taken*. A simple change in philosophy solves most of the payment security issues.

    Chip with no CC fallback solves the physical problems, although physical "what you know" (e.g. PIN) entry needs to be integrated on-card rather than entered into POS terminals.

  9. Re:Assumptions on Unencrypted Windows Crash Reports a Blueprint For Attackers · · Score: 2

    Reading more carefully, dumps are encrypted, yet certain summary data like the memory offset and the shared library the crash occurred within are not.

  10. Assumptions on Unencrypted Windows Crash Reports a Blueprint For Attackers · · Score: 3, Insightful

    I'll admit to being surprised by this. I assumed Microsoft had the common sense to encrypt error reports, especially given they contain at least partial contents of applications' internal memory and would therefore be assumed to be considered sensitive. The dialogues asking you to send certainly make this posture clear.

    In fact when I first read this the other day I was a bit confused as to how they (NSA) were getting this data...from Microsoft servers? It didn't even enter my mind these things were sent unencrypted and trivially pulled off the wire.

    While we normally have WER and the associated scheduler task entries disabled, there are still some machines we send the reports from in the off-chance bugs get fixed... not anymore... sad... inexcusable...

    This creates quite an interesting feedback loop: imagine using QUANTUMINSERT to load malware or trigger crashes... if there is a problem or you're not sure about the memory environment, sit back and wait for the error report.

  11. Re:Busting out my tinfoil hat... on US Federal Judge Rules Suspicionless Border Searches of Laptops Constitutional · · Score: 1

    How implausible is it to imagine that a system could be set up to suck all data off every device (especially solid state storage) as it passes through airport security?

    Since it's legal, why wouldn't the government want to do it? Ya know. Just in case. To protect us.

    Just remember "collecting" data from your devices is not really "collecting" until someone looks at data "collected" from you.

  12. Re:Fucking kill it already on X11/X.Org Security In Bad Shape · · Score: 1

    Minority? The majority of X11 users will never remote an application.

    Except xeyes

  13. Illegal behavior on How One Man Fought His ISP's Bad Behavior and Won · · Score: 4, Insightful

    It would have been better to contact FBI and report this fraud. Whoever the hell runs fwdsnp.com needs to spend some time in jail.

  14. Re:They can't stop unlockers on Apple Denies Helping NSA Subvert iPhone · · Score: 4, Insightful

    The bigger question Android users should ask themselves - why do Androids not come with full device encryption enabled by default? Why are Androids, by default, still vulnerable to the kind of attack that Apple fixed in 2009?

    What good is encryption if Google can remotely install any software it damn well pleases on your handset without your knowledge or approval?

  15. Everything is insecure by design on Apple Denies Helping NSA Subvert iPhone · · Score: 1

    There really is no need to deny because nobody believes you or cares.

    Whether by your own incompetence or collusion your platform is insecure "100% of the time".

    Even when operating as designed, and even assuming no secret backdoors, both iOS and Android have methods of remote installation of software without giving the user a choice or prompt. These platforms and the networks they run on are all defective by design.

  16. Re:Hardware IS compromised - Sold as a feature on Have a Privacy-Invasion Wishlist? Peruse NSA's Top Secret Catalog · · Score: 1

    But how do we KNOW this works? (As opposed to, say, the machine's AMT server no longer talking to remote clients unless the right encrypted hand-waving is done by the client to tell the server it's NSA calling - or the encrypted handwaving telling eavesdropping firmware to switch VT-d on and be cagey about it?)

    If I understand it correctly, the AMT stuff is running on a separate ARM core. There's no reason (beyond software elegance) that this has to work through the normal virtualization mechanism, or that NSA wouldn't think ahead and either design it to work with its own mechanism or turn VT-d on but make it act like it's off, and spread the story about VT-d disabling as a necessary underpinning of the feature.

    As far as I understand it, AMT is defective by design: all you need is a signed certificate from a CA recognized by AMT, with a cert domain that matches the DHCP advertisement to the victim (trivially accomplished), to establish full remote control. There is not initially anything to latch/constrain to specific certificate identities, therefore anyone who spends the money to obtain a certificate signed by a CA has the ability to co-opt any system not yet initialized (virtually all of them), which I find totally insane and very scary.

    Obviously it is impossible to verify any of your points. To me it is enough that AMT is defective by design, just as it is enough that Huawei router firmware is so poorly written as to be defective by design. You don't really need secret backdoors when the systems can so easily be hijacked by design.

    I can't verify that CPU, HDD, GPU, NIC firmwares or the OS harbor intentionally compromised code planted by NSA or other intelligence agencies and bad actors. I would imagine the same co-opting of the OS could be done via DPCs from a number of system-internal sources without separate AMT infrastructure.

    All I know is, if you disable VT-d, the known established mechanisms by which you could interact with AMT over a wired or wireless network, including any exploitable vulnerabilities in AMT's IP/TLS stack, are not operative on the systems I have tested. This is really what I personally care about.

    I agree there ought to be a way to permanently disable AMT wholesale on all systems with the hardware and it should be disabled by default rather than enabled by default. We have other systems with IPMI which have this capability and get disabled via motherboard jumpers before the system is placed into production.

    Technologies like AMT/IPMI are extremely dangerous by themselves even if you assume no NSA backdoors. Even if the operator is aware of their existence they are almost always neglected and forgotten by both users and hardware vendors alike.

  17. Re:And this is somehow supposed to be a surprise? on New Study Shows One-Third of Americans Don't Believe In Evolution · · Score: 1

    The real question is "did humans evolve from some lower primate, and eventually from some soupy goop, or was there some other starting state?"

    The earth was seeded by Martians, ask Story Musgrave he knows how it all went down.

  18. Re:Let's take his word for it... on Former CIA/NSA Head: NSA Is "Infinitely" Weaker As a Result of Snowden's Leaks · · Score: 1

    He hasn't helped one god damned bit (entendre intended) until the US passes laws (or some other measure) that limit the power of the NSA.

    As if "we the people", especially those of us who can code or make decisions on whether to embrace "the (NSA's) cloud" with no "expectation of privacy", are powerless to do anything about the overreach of a state's three-letter agency.

    This mess was created mostly by the availability of technology and it can certainly be curtailed with careful use of it. My only fear is to see efforts of IETF and others eventually overshoot and create a fight over legislative restrictions on use of technology we are not yet ready to have.

    As of today, the Snowden leaks basically mean (see other recent articles) that the NSA and other agencies will redouble their efforts to be even MORE pervasive in spying.

    I doubt they are that stupid. The more egregious, the louder the backlash WHEN discovered. If you just turn up the volume willy-nilly you place your capabilities at that much more unnecessary risk.

  19. Re:Hardware IS compromised - it's sold as a "featu on Have a Privacy-Invasion Wishlist? Peruse NSA's Top Secret Catalog · · Score: 1

    Just TRY to get a "modern laptop" (or desktop), using an Intel chipset, without this feature.

    You can't disable it: Dumping the credentials or reverting to factory settings just makes it think it hasn't been configured yet and accept the first connection (ethernet or WiFi, whether powered up or down) claiming to be the new owner's sysadmins.

    These things are quite spooky and a potential security threat not many are aware of.

    In most instances on Intel hardware you can effectively disable AMT's interface to the outside world by turning off the hardware virtualization (VT-d) feature in the BIOS. This feature is often the means by which physical wireless/wired interfaces are shared by the AMT engine and the main system. So while it is still there, at least it's not running an IP stack when the system is not booted or listening for TCP connections on ports the operating system has no idea exist.

  20. Re:Misleading Summary on Have a Privacy-Invasion Wishlist? Peruse NSA's Top Secret Catalog · · Score: 1

    THE NSA WORKS WITH THE COMPANIES. This is known.

    They have BOTH exploits AND backdoors to choose from, with different levels of detectability.

    There is nothing wrong with guessing, especially if there is no practical way to obtain supporting evidence; however, it is never appropriate to confuse what may well be reasonable guesses and assumptions with facts or verifiable evidence.

    The fact that open holes are left into products that the NSA is directly partnering with the companies that make them, then exploiting them?

    It's a LITTLE BEYOND NAIVE to think they have nothing to do with making sure they exist in the first place, in some instances at least.

    I guess my own personal view is that in most instances the bar for successful exploitation is still so low that developing an independent exploit is safer than working with vendors, who would also have knowledge of the exploit and a relationship that could very well produce harmful blowback for both NSA and vendor upon discovery.

    Just look at the landscape around you: there is a constant steady stream of security patches for all major general-purpose operating systems, browsers and networking equipment. We have instances of single individuals (e.g. Luigi Auriemma) finding hundreds of security holes in all manner of products as a hobby, just for fun. Imagine what a team of well-paid world-class talent is able to accomplish.

    This reminds me of those who believe modern technology has been derived by reverse engineering alien technology. While it is impossible to rule out LGM influence completely, nobody is ever able to produce the original alien gizmos as they are naturally super ultra top secret. It is often still possible to look at each instance and trace it back to the hard work or fuckup of some individual or team.

  21. Re:coin, sides, same on Have a Privacy-Invasion Wishlist? Peruse NSA's Top Secret Catalog · · Score: 3, Insightful

    Don't think for a second that these back-doors that companies put in at the behest of the NSA aren't also being used to the benefit of those companies.

    There is no evidence from the article that we are talking about intentional backdoors created at the request of NSA. Rather, the kind of backdoors created by unintentional programming errors which, once exploited, allow a foothold to be maintained by patching the firmware of various hardware subsystems.

    So, if the NSA were shuttered tomorrow, what makes you think those back-doors are going to go away? How much is it worth to those tech companies to know exactly what their customers are doing? How much is it worth to their institutional shareholders?

    How much is legal trouble, bad publicity and resulting loss of customers worth to shareholders?

    An (un)intentional backdoor actively exploited to gain market intelligence is a backdoor with a high probability of discovery. Likewise, any use of a covert capability erodes that capability.

  22. Firmware access controls on Have a Privacy-Invasion Wishlist? Peruse NSA's Top Secret Catalog · · Score: 1

    This situation is insane: there are so many controllers with field-upgradable firmware and no meaningful security that it is hard to make fun of the overly paranoid who throw away perfectly functional hardware after having been hacked anymore.

    I think one of three things needs to occur with my preference being option #1.

    1. All firmware updates should be non-persistent, applied by OS drivers when the system/hardware boots.

    2. A special boot menu and standardized interfaces provide the exclusive avenue for firmware updates. Updates become impossible when the system is booted normally, even with root access.

    3. User controlled option to permanently blow a fuse preventing any firmware update functions without replacement of hardware.

  23. Re:SSD drives are fast, but they suck for reliabil on Power-Loss-Protected SSDs Tested: Only Intel S3500 Passes · · Score: 1

    but for real reliability stick with the 7200 RPM or 5400 RPM drives. Sadly the 7200 RPM drives are dead now. Nobody makes them for laptops. I guess the next best thing for speed + a little more reliability is Intel SSD.

    7200 RPM laptop drives are readily available from multiple vendors.

  24. Re:unavailable information on US Federal Judge Rules NSA Data Collection Legal · · Score: 5, Insightful

    Answer this question: Is there any data that you want to be **completely unavailable** to law enforcement with **proper warrant**?

    There will be a lot more of it now. This is not a zero-sum game. If people know their shit is being abused they will not use it, or will develop alternate solutions which can only be cracked with a $5 wrench. By overstepping you actually create a feedback loop whereby your capability is eroded. Warrants are useless if the capability to execute does not exist.

    Our military and law enforcement absolutely must be able to use all means to catch the bad guys.

    Just a second there, you can't just lump Military and Civilian systems together. NSA is supposed to be military. They are not supposed to be in the LEA business.

    Remember who is actually being killed by whom in this country. I'll give you a hint: >12k are not being killed by terrorists in the US every year.

    The problem is *how* the data is collected and used....which is controlled by regulations.

    The problem is the NSA has warrantless access to all of it. How they get it is irrelevant; the fact they have it is what matters.

    The answer is **transparency** of the process, not allowing criminals a walled garden that law enforcement cannot have access to.

    The government has already lost its legitimacy in this regard. I hope it tries to recover some of it; that would mean at minimum stopping secret (interpretation of) law, secret courts and secretly collecting data on everyone without cause.

  25. Re:No, it's not on Internet Commenting Growing Away From Anonymity · · Score: 2

    People are just being forced to give up anonymity. There's a difference.

    I don't quite understand how linking a throwaway account accomplishes use of real-world identity.

    e.g. most Facebook accounts are fake, and there are plenty of sites offering disposable email accounts (10minutemail.com) to easily bypass "identity verification" during registration.

    My suspicion is this is mostly cover for laziness, lawyers hyperventilating and the desire to convert anonymous browsers accessing sites to user identities. Being turned off by trolls in the comments seems paradoxical considering a great number of news articles these days are trolls themselves, all about stoking controversy, designed first and foremost to whore hits rather than to convey useful factual information.