
Daily reminder that you're probably using malicious hardware.


Thread replies: 24
Thread images: 3

Daily reminder that you're probably using malicious hardware.

Your hardware is botnet if you're using a recent Intel or AMD platform. These CPUs have a small SoC integrated into them that can't be disabled or else the machine will fail to boot. The AMD version is the Platform Security Processor. It does power management and less is known about it than the Intel equivalent. As far as we know it doesn't have networking capabilities but you should definitely assume so. The Intel version is called the Management Engine. The ME has access to your RAM, your hard drive, all I/O including cameras and microphones and it can turn your computer on and off. It can act as a keylogger. A lot of these "features" are made possible by a firmware frontend held in the BIOS chip called Active Management Technology. AMT can set up a virtual serial connection that could potentially allow an attacker to pass data around a LAN, allowing malware to not only be spread silently to all of the machines utilizing an exploited AMT/ME, but also to bypass the machine's firewall. In other words, it has the potential to allow 13 year olds to grab you by the balls regardless of your OS, your motherboard, or any extra hardware apart from the ME and AMT. The ME has full network access and can access the OS network stack or set up its own. It has read-write access to all memory, including the BIOS flash chip, which it can silently update if you're running Windows 7 or higher. Everything Core i3 and greater is compromised in this way. Some Core 2 models also have a ME but it can be disabled. The Intel ME is openly offered as a "feature" for enterprise use, but it's so much more than that. Search around for Project Odin's Eye, brought to you from our good friends at the CIA.

(1/3)
>>
>>62009955
Dirty phoneposters aren't safe either. Every smartphone has a baseband processor that acts much like the early implementations of the Intel ME did, where it's not integrated into the CPU, but is on a different part of the main logic board. It has been proven in some older Samsung Galaxy models that all of your flash memory, cameras, and microphones can be accessed remotely over a cellular connection because the baseband hardware isn't isolated, allowing it to bypass the HAL and kernel to access these things. Keep in mind that iPhones and iPads use baseband hardware made by Qualcomm and Intel and they use closed source, proprietary firmware that neither iOS nor LineageOS devs can do anything to mitigate.

(2/3)
>>
>>62009961
Sources:

>Apple baseband device list:
https://www.theiphonewiki.com/wiki/Baseband_Device

>Android baseband problems:
https://www.replicant.us/freedom-privacy-security-issues.php

>Intel ME stuff:
https://libreboot.org/faq.html#intelme

>AMD PSP stuff:
https://libreboot.org/faq.html#amd

(3/3)
>>
>>62009971
Archives in case anyone wants them. They're in the same order.

>Apple
https://archive.fo/g7amc

>Android
https://archive.fo/BesDJ

>Intel
https://archive.fo/O5MQ6

>AMD
https://archive.fo/l1Klj
>>
You know it's possible to externally monitor network usage, right? It's easy to know what data your computer is sending over your network with the proper equipment, even if it tries to hide it from the user; this is how Windows 10 was proven to be backdoored, for example. If there are Big Brother-ish features in IME, they almost certainly require direct access to the machine.

The real issue with it is the fact that it's incredibly insecure and can shatter even a hardened OS if a vulnerability is found.
>>
>>62010036
How do you know that a single command or payload can't be sent to activate hidden malicious features? Nobody said it was actively sending out data. That would be ridiculous.
>>
>>62009955
Yep, it's a big problem.

It was pretty speculative for a while, but an actual vulnerability in Intel AMT was found a few months ago. It probably only affects you if your employer uses the "features" of AMT on the machine you use, and there's a firmware patch from Intel that fixes it. But there are probably other vulnerabilities too; we can't tell since it's proprietary software.

Announcement:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
Blogpost:
https://mjg59.dreamwidth.org/48429.html

So, what doesn't have this?
Here's a non-exhaustive list of systems where the ME or PSP either doesn't exist or can be removed:
https://libreboot.org/docs/hardware/
And another non-exhaustive list of products you can buy that have no proprietary software at all:
https://www.fsf.org/resources/hw/endorsement/respects-your-freedom

Any ARM system doesn't have it, but it probably has some other proprietary components (e.g. baseband, but also various firmware for components). There are a few ARM laptops you can get that are free of proprietary software, but the computational power is not very good.

There's also a company making a POWER9 workstation with free firmware, but it's pretty expensive.
https://www.raptorcs.com/TALOSII/

In the long term, RISC-V might be the best way towards somewhat affordable, somewhat powerful owner-controlled hardware.
>>
What if I'm using a TV browser
I literally don't know what cpu
>>
>>62010366
Enjoy your botnet
>>
>>62010366
Same thing. If it's a Samsung smart TV I know that the CIA had a program to spy on people with them called Weeping Angel.
>>
>>62009955
Before the ME thing, what is the last processor to not have this shit? But that is powerful enough? I don't care if it's AMD or Intel.
>>
>>62010494
AMD started adding the PSP around 2013. Look for AMD stuff that's from 2011 or 2012. Intel started adding them in like 2005 or 2006 to the Core2 machines. I'm currently typing this from a ThinkPad T400 with a Core2 Duo P8400 with Libreboot and Fedora installed. Libreboot is a BIOS replacement that will fully disable the ME.

Your other choices are some older MIPS hardware but a lot of it is either chinkshit or workstation/server stuff from the early 2000s that's like 600MHz. There's also ARM but it has similar issues, though not as bad. I would recommend a Raspberry Pi 3 even though it has non-free SoC initialization and video firmware. RISC-V looks promising but it's in its baby stages of development right now and is not ready for consumer use. There's old PowerPC Mac hardware that might be worth looking at.

Basically you'll have to choose between freedom and games, or really any programs at all if you go with an obscure architecture that isn't x86 or ARM. The only reason I use x86 is because I need specific closed source programs that don't run on anything else and my Libreboot ARM Chromebook isn't powerful enough to run an abstraction layer or a full VM. I'm not actually sure what ARM hardware has a VT-x equivalent, as I've never tried to run VMs on my ARM laptops, SBCs, or phones. My Core2 Duo laptop just barely runs OpenBSD with XFCE in QEMU at an acceptable speed.
>>
>>62010601
>Libreboot ARM Chromebook
What distribution did you install on it? Is it installed on the internal storage or an SD card?

I got the ASUS C100 which is pretty similar to the C201 but not supported by Libreboot yet, but I haven't been able to install Debian or Parabola onto the internal storage.
>>
>>62010069
I don't, but at the same time I don't think that'd be very effective. It'd be easily prevented with a properly configured network and the potential for accidents and exploits is tremendous.
>Nobody said it was actively sending out data. That would be ridiculous.
Can you imagine the ensuing shitstorm though?
>>
>>62010657
I got the C201 and I installed Debian stretch with XFCE on the internal storage. I just use it for hobbyist programming and web browsing so it's not like I need very much storage. I can always SSH into my home server and pull files from that if I need them on the Chromebook. My server is pretty ghetto. It's a cluster of 4 of the 3rd gen RasPi 3 with 6 1TB external HDDs hooked up because they were cheap. I use it for cloud storage and backups. I've found that is much better than putting everything on one hard drive in a laptop that you can lose.

>>62010694
It's security through obscurity. And try to think about how many people have a properly configured network? 99% of people I know use the cheap shit router the ISP provided with the default password. It's really only /g/entlemen and foreign spies that run OpenWrt or OpenBSD on expensive routers. Normies just don't care, and that's why something like the Intel ME backdoor would be so effective.
>>
>>62010453
Lol we all saw the Facebook posts
>>
Make this a general so my General filter gets this out of my way.
>>
>>62011337
"No"
>>
>>62009955
Hi Pingu!
>>
nah x60 + libreboot
>>
>>62011678
Noot noot, there's malware in your CPU. Install Librenoot.
>>
>>62009955
>botnet
stopped reading there
>>
This is why we have to start promoting more RISC-V solutions for SBCs and SoCs. I've personally been in talks with other engineers in developing a low-cost RISC-V system to be used in smartphones, as a secure and competitively priced alternative to the ARM chips of yesteryear.

Imagine having a bunch of autists meticulously comb over every inch of your CPU to make sure it is libre and clean. Being able to use a phone that you can be sure doesn't have any unwanted software on it.
>>
>>62011820
There's still the issue of baseband chips. Maybe there could eventually be RISC-V baseband processors running OsmocomBB. It's pretty old but it might be a nice base to start with.
This is a 4chan archive - all of the content originated from that site.
This means that RandomArchive shows their content, archived.