Intel Refutes Claim That It Includes Backdoors in Its CPUs

[pr1v 36]

Opinions?...

 

http://news.softpedia.com/news/intel-refutes-claim-that-it-includes-backdoors-in-its-cpus-505892.shtml

[LZ1 672]

Hello !

 

They have to say that, lol. But then again, he's right though, it's not a backdoor. It's a frontdoor.

 

Just like Windows Update is also for delivering "updates and fixes". Well, quite a few unwilling Windows 7 and 8 users found out how that ultimately worked haha.

[serenacat 83]

Don't know, but would like to know. "Enterprise wide" remote management and monitoring seems rather dual-use with "full spectrum global dominance".

Curious what sovereign governments and their military do about this - do the Indians, Pakistanis, Chinese use Intel chips ?

There has been some mention of the Chinese government using their own Linux versions, and various chip foundrys could churn out decent custom processor chips with an auditable RISC/ARM design which may not match Intel bang for buck but pretty good, as in mobile phone CPUs. And what is open source (auditable, secure?) Android like when "scaled up" for multiprocessors on servers and workstations ?

Maybe Intel have a lot to lose.

 

[cm0s 118]

old hardware =

 

happy happy joy joy

 

cheerz

[pr1v 36]

old hardware = 

 

Tech Republic's article

 

Thanks for the link

[zhang888 1066]

Interesting 32C3 talk on the matter, from the creator of Qubes OS:

http://hackaday.com/2015/12/28/32c3-towards-trustworthy-x86-laptops/

[pr1v 36]

Interesting 32C3 talk on the matter, from the creator of Qubes OS:

http://hackaday.com/2015/12/28/32c3-towards-trustworthy-x86-laptops/

 

Very interesting

And now I wonder about the laptops recommended/certified by FSF... (Libreboot, etc).

 

About Minifree and Libreboot

Minifree Ltd, trading as Ministry of Freedom (formerly trading as Gluglug), is a UK supplier shipping worldwide that sells GNU/Linux-libre computers with the Libreboot firmware and Trisquel GNU/Linux-libre operating system preinstalled.

Libreboot is a free BIOS/UEFI replacement, offering faster boot speeds, better security, and many advanced features compared to most proprietary boot firmware.

[zhang888 1066]

The problem with Libreboot/Coreboot and others is that they can only run on older hardware.

The latest supported model is the x200, which is almost a decade old.

 

I can see the advantages of running without Intel's ME/AMT, but this must not come at the

expense of modern security mechanisms like Supervisor Mode Execution Protection (SMEP)

and Supervisor Mode Access Prevention (SMAP), which are very important features introduced

in the past years and which are not available in Libreboot/Coreboot CPUs.

 

To read more what it is, check here:

http://www.phoronix.com/scan.php?page=news_item&px=MTE5NzI

 

Personally I prefer to run a secure OS on the latest hardware, if you care about security only,

and less about "hardware freedom", the attack surface of Libreboot vs. Intel ME+SMAP is larger.

[pr1v 36]

Good point zhang888 but...

Doesn't it affect to security too?

[zhang888 1066]

Historically, not.

https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Known_vulnerabilities_and_exploits

 

However kernel exploits that are mitigated using a SMAP aware kernel are very common:

https://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/

 

So, in order to protect yourself from remote adversaries - which should be a more common threat vector, running latest

hardware (Haswell and above) is a plus.

[pr1v 36]

Sorry, I mean if it's not only about "hardware freedom" but if it could also envolve "against security" too.

Yes, from one point of view it seems a great advantage in security to avoid those attacks, but ... Is our security also compromised if we keep on using those intel chips?, could they be backdoored?. We could use other computers/chips and add extra security against those attacks you mentioned.

[zhang888 1066]

The chips are only a small part of a larger scope, which is your machine.

You may have a theoretical "blob-free" CPU without latest security mechanisms,

or you can have a modern one with ME, but also important features in place.

Most attacks will exploit the low hanging fruit which are the kernel vulns in order to

backdoor your system, and not a component that is signed and is very undocumented.

 

So if you ask in terms of security, your most paranoid option would be running something

like Qubes. The less paranoid option should be running Linux 3.7+ with grsec and SMAP CPU.

That is of course if you prefer to use the x86 platform.

 

Edit:

There is a very interesting new local root exploit for Ubuntu 16.04 that is once again mitigated

by SMEP/SMAP:

https://www.exploit-db.com/exploits/40049/

 

    if (check_smaep()) {
        printf("[-] SMEP/SMAP support dectected! Quitting...\n");
        return -1;
    }

Bottom line is...If you can use a newer CPU, you are probably safer from the common types of

attacks. The adversaries who can subvert Intel firmware remotely, probably can also compromise

you even with ME disabled

[OmniNegro 155]

AMD for life.

 

But even AMD has similar nonsense in their CPUs, but to a much lesser extent.

[zhang888 1066]

I don't know if it was mentioned, but it is probably worth to look at a niche hardware vendor called Purism.

This is probably the most open hardware x86 compatible laptop, yet with still modern CPUs.

 

As of for me, I still prefer to use latest gen Macbooks with dual boot Arch and macOS.

They have been a very hard target to attack, especially after the Thunderstrike patches in 2015.

 

https://puri.sm/products/

https://www.qubes-os.org/news/2015/12/09/purism-partnership/