
Thread: Software/OS spying and hardware spying. How to deal with both of them?

  1. #11

    Re: Software/OS spying and hardware spying. How to deal with both of them?

    Originally posted by vibers:
    freemedia2018, thanks for your reply. I have checked the processor found in your link, but that would be quite expensive. I also checked other Linux PC makers' websites, but they charge quite high prices compared to the prices charged by others. I agree that Arm-based processors are the way to go if you care for your security. I wish we could see Arm-processor-based PCs at a reasonable price.
    There appear to be 2 methods on Linux to check whether a system has MEI enabled.
    https://www.cyberciti.biz/faq/how-to...d-under-linux/ (I consider this a reputable site).
    I use nmap a little, but not with lua, so that technique didn't work for me. I pulled the mei-amt-check code down, compiled it and ran it on 3 of my physical systems.
    On AMD Ryzen:
    Code:
    $ sudo ~/bin/mei-amt-check 
    Unable to find a Management Engine interface - run sudo modprobe mei_me and retry.
    If you receive the same error, this system does not have AMT
    Very much expected.

    On both Intel systems, a Pentium 3258 and a Core i5-8250U:
    Code:
    $ sudo  ~/bin/mei-amt-check 
    Error: Management Engine refused connection. This probably means you don't have AMT
    Both of these do have the mei_me kernel module loaded. None of my boxes are "High end", sorry.

    At least for my systems, this one variant doesn't matter. If your system supports IPMI https://en.wikipedia.org/wiki/Intell...ment_Interface, then perhaps you should be worried. IPMI has a history of not really having much security, just like RIBLO and DRAC cards.

    ARM has all sorts of issues. They just aren't as fast, capable, compatible, at least at the $100/CPU ranges. Trying to find an ARM CPU that competes with an $80 Ryzen 5 1600 (65W) is impossible. Forget about mid-level or above gaming or any virtualization on ARM. I use some programs that have never been ported to ARM too, so include that in your "he's biased" calculations.

    For routing, it isn't just about the CPU, it is about the packets/sec, which is why custom routers, from reputable vendors, known to support their product lines, could be the best choice. I've named them already. If you find it in a big-box electronics store, that isn't likely a router for your best security.

    If you seek a low-end desktop, then some of the higher-end ARM SBCs are a viable option. Check out the Rock64PRO and the Odroid-N2. These are in the $60-$80 range and I think both have GigE networking, USB3 ports and perhaps SATA-3 connectors. You'd want to use an eMMC storage module for the OS-Boot, not any SD-based storage. Running an OS on SD is brutal to the flash storage. Those are the good options if you want a tiny computer and don't need peripherals or much data throughput. The lack of dual (or quad) NICs limits their usefulness as a router.

    If it isn't clear, I've given up on trying to have a non-Intel/AMD server or desktop, except for play devices. I'm going to believe that my router provides the best protection available due to the choices I make around that hardware, software, and network architecture. I would never put wifi into a router. Adding a PoE wifi-AP for $70 that can actually be located where you need it is much better than trying to get wifi signal out of a wiring closet or the corner home-office. Plus, wifi standards are rapidly changing with plans for wpa3, wpa4, wpa5, and wpa6 over the next 6-10 yrs. Best to have a solid router and be able to swap out the wifi-AP with minimal fuss, IMHO. Plus, I don't trust any wifi enough to put it onto the LAN. Wifi is put next to the internet and treated just like all other internet traffic. If a wifi device needs access into a protected part of the LAN, then it needs to use a full VPN.

    There are many more important security issues than the supervisor on a CPU, IMHO. Perhaps I'm just mis-informed, but worrying about the bucket of feed in the corner while the barn is on fire doesn't make sense when there is livestock and horses in the barn that need to get out for safety. Ya'll.

    That EFF link says this:
    If provisioned, AMT listens on ports 16992 and 16993
    Code:
    sudo nmap  -p 16992-16993  172.22.22.1/24 |more
    Should find them. Change the network/subnet to whatever you need.
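
The subnet scan in the post above can be reduced to a list of hosts that actually answer on the AMT ports. This is an added example, not part of the original post: the function name `amt_open_hosts` is hypothetical, and the sample scan output is constructed.

```sh
#!/bin/sh
# Added example. Typical use, from a machine other than the one being checked
# (AMT traffic is handled by the ME below the host OS, so a host generally
# cannot probe its own AMT ports):
#   sudo nmap -p 16992-16993 -oG - 172.22.22.1/24 | amt_open_hosts

AMT_PORTS="16992 16993"   # ports quoted in the post

# Read nmap grepable output on stdin; print "<ip> <open AMT ports>" per host.
# Only the state "open" is reported; "closed" and "filtered" are skipped.
amt_open_hosts() {
    awk -v want="$AMT_PORTS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) amt[w[i]] = 1 }
        /Ports: / {
            ip = $2                           # "Host: <ip> (<name>)"
            sub(/^.*Ports: /, "")             # keep only the port list
            sub(/\tIgnored State:.*$/, "")    # drop the trailing summary field
            hits = ""
            m = split($0, entry, ", ")
            for (i = 1; i <= m; i++) {
                split(entry[i], f, "/")       # port/state/proto/owner/service/...
                if ((f[1] in amt) && f[2] == "open")
                    hits = hits (hits == "" ? "" : ",") f[1]
            }
            if (hits != "") print ip, hits
        }
    '
}

# Constructed sample of `nmap -oG -` output (addresses and names are made up).
sample_scan() {
    printf 'Host: 172.22.22.1 ()\tStatus: Up\n'
    printf 'Host: 172.22.22.1 ()\tPorts: 16992/closed/tcp//amt-soap-http///, 16993/closed/tcp//amt-soap-https///\n'
    printf 'Host: 172.22.22.14 ()\tPorts: 16992/open/tcp//amt-soap-http///, 16993/closed/tcp//amt-soap-https///\n'
    printf 'Host: 172.22.22.20 (nas)\tPorts: 16992/open/tcp//amt-soap-http///, 16993/open/tcp//amt-soap-https///\n'
    printf 'Host: 172.22.22.30 ()\tPorts: 16992/filtered/tcp//amt-soap-http///, 16993/filtered/tcp//amt-soap-https///\n'
}

sample_scan | amt_open_hosts
```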

  2. #12

    Re: Software/OS spying and hardware spying. How to deal with both of them?

    +1 for what TheFu says. All of that.

    I have IPMI on more than one system. The IPMI processor (called a Base Management Controller, or BMC) is tied to a specific NIC by the BIOS settings. I leave them at the system board default, just in case my system gets the BIOS zapped for some reason. The physical NIC with the BMC on it in my case is attached to a network with no route to the Internet. I have the IPMI-controlled systems and one workstation on that network. None of them forwards packets for that interface. Virtual machines do not have access to that NIC, at all.

    If I were really worried about this security exposure for your IME processor, I would add an external NIC and then make sure the internal NIC has no connection, or wire something up like what I did.

    IPMI is very cool hardware. I specifically look for hardware with IPMI for my servers. Frankly I hadn't followed it closely enough to realize that the IME is the next generation of that.

    You can't possibly investigate, use and configure IPMI without knowing that it's a massive security hole if you're not careful. It's blatant. In my opinion Intel should make more noise about this IME processor, so people are aware of it. But that said, the really dangerous stuff seems to be turned off in the BIOS by default.


    With respect to coprocessors with closed-source blobs, we've never really been free of that ever. Your video card. Your motherboard. Whatever. Your TV, BluRay, phone, tablet, SmartHome hardware, you can actually get a light bulb with wifi built in and it talks directly on TCP/IP. Your car either does now or soon will have up to 20 processor subsystems each with IP addresses, and a cellular connection to the Internet. Eventually you have to trust somebody, or you have to prevent any new technology from entering your life.
    Help stamp out MBR partition tables. Use GPT instead!
