Gentoo Forums
Intel and backdoors
Gentoo Forums Forum Index Off the Wall
Jaglover
Watchman


Joined: 29 May 2005
Posts: 6401
Location: Saint Amant, Acadiana

Posted: Tue Jan 10, 2017 3:40 am    Post subject: Intel and backdoors

http://www.itnews.com.au/news/intel-debugger-interface-open-to-hacking-via-usb-446889
_________________
Please learn how to denote units correctly!
Bones McCracker
Veteran


Joined: 14 Mar 2006
Posts: 1605
Location: U.S.A.

Posted: Tue Jan 10, 2017 3:47 am

That's just a decoy to distract them from figuring out what is right under everybody's nose.
pjp
Administrator


Joined: 16 Apr 2002
Posts: 17300

Posted: Tue Jan 10, 2017 4:23 am

I don't recall if I've posted a link to this yet, but this seems like the appropriate thread...

Is the Intel Management Engine a backdoor?
Quote:
Various sources report that Intel's latest x86 chips contain a secret backdoor. SoftPedia cites security expert Damien Zammit as revealing that these Intel chips come with an embedded subsystem called the Management Engine (ME) that functions as a separate CPU and cannot be disabled, and the code is proprietary.

According to Intel, the ME is in place so enterprise businesses can manage computers remotely via Active Management Technology (AMT). AMT runs completely isolated from any operating system installed on the PC.

It gets creepier.

According to Zammit, the ME:

has full access to memory (without the parent CPU having any knowledge);
has full access to the TCP/IP stack;
can send and receive network packets, even if the OS is protected by a firewall;
is signed with an RSA 2048 key that cannot be brute-forced; and
cannot be disabled on newer Intel Core2 CPUs.

[...]

_________________
The whole system has to go. The modern criminal justice system is incompatible with Neuroscience. --Sapolsky
pjp
Administrator


Joined: 16 Apr 2002
Posts: 17300

Posted: Thu Oct 26, 2017 10:41 pm

Deep dive into Intel Management Engine disablement wrote:
Starting today, our second generation of laptops (based on the 6th gen Intel Skylake platform) will now come with the Intel Management Engine neutralized and disabled by default. Users who already received their orders can also update their flash to disable the ME on their machines.

In this post, I will dig deeper and explain in more details what this means exactly, and why it wasn’t done before today for the laptops that were shipping this spring and summer.

The life and times of the ME
Think of the ME as having 4 possible states:
  1. Fully operational ME: the ME is running normally like it does on other manufacturers’ machines (note that this could be a consumer or corporate ME image, which vary widely in the features they ‘provide’)
  2. Neutralized ME: the ME is neutralized/neutered by removing the most “mission-critical” components from it, such as the kernel and network stack.
  3. Disabled ME: the ME is officially “disabled” and is known to be completely stopped and non-functional
  4. Removed ME: the ME is completely removed and doesn’t execute anything at any time, at all.

_________________
The whole system has to go. The modern criminal justice system is incompatible with Neuroscience. --Sapolsky
Muso
l33t


Joined: 22 Oct 2002
Posts: 686
Location: The Holy city of Honolulu

Posted: Fri Oct 27, 2017 1:15 am

pjp wrote:
Deep dive into Intel Management Engine disablement wrote:
Starting today, our second generation of laptops (based on the 6th gen Intel Skylake platform) will now come with the Intel Management Engine neutralized and disabled by default.


Good.
_________________
People Of Love

Kindness Evokes Kindness

Peace Emits Positive Energy
pjp
Administrator


Joined: 16 Apr 2002
Posts: 17300

Posted: Thu Nov 09, 2017 9:09 pm

MINIX — The most popular OS in the world, thanks to Intel
Quote:
MINIX is running on “Ring -3” (that’s “negative 3”) on its own CPU. A CPU that you, the user/owner of the machine, have no access to. The lowest “Ring” you have any real access to is “Ring 0,” which is where the kernel of your OS (the one that you actually chose to use, such as Linux) resides. Most user applications take place in “Ring 3” (without the negative).

[...]

The second thing to make my head explode: You have zero access to “Ring -3” / MINIX. But MINIX has total and complete access to the entirety of your computer. All of it. It knows all and sees all, which presents a huge security risk — especially if MINIX, on that super-secret Ring -3 CPU, is running many services and isn’t updated regularly with security patches.

[...]

Google wants to remove MINIX from its internal servers

According to Google, which is actively working to remove Intel’s Management Engine (MINIX) from their internal servers (for obvious security reasons), the following features exist within Ring -3:

Full networking stack
File systems
Many drivers (including USB, networking, etc.)
A web server
That’s right. A web server. Your CPU has a secret web server that you are not allowed to access, and, apparently, Intel does not want you to know about.

Why on this green Earth is there a web server in a hidden part of my CPU? WHY?
The article continues.
_________________
The whole system has to go. The modern criminal justice system is incompatible with Neuroscience. --Sapolsky
erm67
Apprentice


Joined: 01 Nov 2005
Posts: 215
Location: Where the black men cannot enter

Posted: Thu Nov 09, 2017 10:37 pm

Tanenbaum thanks intel

Some articles on this story really are FUD, but FUD sells well apparently ....
There is a lot of confusion about those rings anyway; the researchers
http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
say that the ME on the southbridge boots in Ring-0 and later runs in Ring-3, but I am not sure whether they meant negative rings, or that, since the embedded CPU is an x86, it has a 2-bit Current Privilege Level (CPL) field maintained by the CPU itself and only 2 privilege levels are used, like in most modern OSes.


What's Ring-0 anyway?
_________________
True ignorance is not the absence of knowledge, but the refusal to acquire it.
A posse ad esse non valet consequentia
Πάντα ῥεῖ
Naib
Watchman


Joined: 21 May 2004
Posts: 5404
Location: Removed by Neddy

Posted: Thu Nov 09, 2017 10:38 pm

erm67 wrote:
What's Ring-0 anyway?

Essentially kernel
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
pjp
Administrator


Joined: 16 Apr 2002
Posts: 17300

Posted: Fri Nov 10, 2017 3:13 am

erm67 wrote:
Tanenbaum thanks intel

Hah!

I guess one question to be answered is whether or not AMD or ARM have similar back doors.
_________________
The whole system has to go. The modern criminal justice system is incompatible with Neuroscience. --Sapolsky
erm67
Apprentice


Joined: 01 Nov 2005
Posts: 215
Location: Where the black men cannot enter

Posted: Fri Nov 10, 2017 8:30 am

pjp wrote:
erm67 wrote:
Tanenbaum thanks intel
Hah!

I guess one question to be answered is whether or not AMD or ARM have similar back doors.

How do you know there is a backdoor? Did someone find an exploit, or actually get their hands on the real firmware?
How do they initialize all the peripherals and CPUs otherwise? The MB chipset can be used with several CPUs, so it must be independent from the main CPUs, and it needs a complex firmware since there are various things that need to be initialized. I doubt AMD south and north bridges don't have a CPU and an operating system inside.
Some ARM System on Chip architectures have a dedicated invisible core that runs as a hypervisor, initializes the system and 'improves security'; you know, the binary blob that you load on the RaspberryPi to boot runs on that invisible core, and is basically the same.


Naib wrote:
erm67 wrote:

What's Ring-0 anyway?
Essentially kernel

And viruses ....., it's just 15 more CPU instructions, not a big deal.

I was not clear: I meant, if Ring-3 is interpreted by the press as ring negative 3, how do they read Ring-0, like ring negative 0? Are they so ignorant? The PL field has only 2 bits; there is no place for all those rings.
_________________
True ignorance is not the absence of knowledge, but the refusal to acquire it.
A posse ad esse non valet consequentia
Πάντα ῥεῖ
bunder
Bodhisattva


Joined: 10 Apr 2004
Posts: 5647

Posted: Fri Nov 10, 2017 8:41 am

erm67 wrote:
How do they initialize all the peripherals and CPUs otherwise?


back in my day, you would assert the reset pin for several clock cycles and the cpu would start at the reset vector. the hardware would initialize itself, or it didn't work. 8)
erm67
Apprentice


Joined: 01 Nov 2005
Posts: 215
Location: Where the black men cannot enter

Posted: Fri Nov 10, 2017 4:00 pm

bunder wrote:
erm67 wrote:
How do they initialize all the peripherals and CPUs otherwise?


back in my day, you would assert the reset pin for several clock cycles and the cpu would start at the reset vector. the hardware would initialize itself, or it didn't work. 8)


You must be very very old; Intel switched to MINIX and a 32-bit x86 CPU 10 years ago. Previously they used an Argonaut RISC Core 32-bit CPU running a proprietary operating system in their southbridge chips. Probably since the 1990s there has been an operating system hidden in every computer, so that's how you did it in the 70s and 80s, right?

:roll: :roll: :roll:

BTW, southbridge and northbridge chipsets always sounded suspicious to me :-) they did even require a fan on some boards. Probably it all started with the advent of plug&pray; we could have suspected that there was a microprocessor hidden somewhere for that.

Anyway, if I were the NSA and installed a back door on every computer in the world, I wouldn't use a web server .... Don't know why, but some people get mad when they hear about web servers; remember systemd's log some time ago? LOL, some people are funny.
_________________
True ignorance is not the absence of knowledge, but the refusal to acquire it.
A posse ad esse non valet consequentia
Πάντα ῥεῖ


Last edited by erm67 on Fri Nov 10, 2017 4:15 pm; edited 1 time in total
Muso
l33t


Joined: 22 Oct 2002
Posts: 686
Location: The Holy city of Honolulu

Posted: Fri Nov 10, 2017 4:14 pm

Also of interest : The Memory Sinkhole

Quote:
Abstract

In x86, beyond ring 0 lie the more privileged realms of execution, where code is invisible to AV, we have unfettered access to hardware, and can trivially preempt and modify the OS.

The architecture has heaped layers upon layers of protections on these ‘negative’ rings, but 40 years of x86 evolution have left a labyrinth of forgotten backdoors into the ultra privileged modes.

Lost in this byzantine maze of decades old architecture improvements and patches, there lies a design flaw that’s gone unnoticed for 20 years.

Exploiting the vast, unexplored wasteland of forgotten x86 features, we demonstrate how to jump malicious code from ring 0 into the deepest, darkest realms of the processor.

The attack is performed with an architectural 0 day built into the silicon itself, and directed against a uniquely vulnerable string of code widely deployed on modern systems.

_________________
People Of Love

Kindness Evokes Kindness

Peace Emits Positive Energy
SiberianSniper
Guru


Joined: 06 Apr 2006
Posts: 361
Location: Dayton, OH, USA

Posted: Fri Nov 10, 2017 4:42 pm

Somewhat related
Quote:
Game over! We (I and @_markel___ ) have obtained fully functional JTAG for Intel CSME via USB DCI. #intelme #jtag #inteldci
erm67
Apprentice


Joined: 01 Nov 2005
Posts: 215
Location: Where the black men cannot enter

Posted: Fri Nov 10, 2017 5:27 pm

Muso wrote:
Also of interest : The Memory Sinkhole

Quote:
Abstract

In x86, beyond ring 0 lie the more privileged realms of execution, where code is invisible to AV, we have unfettered access to hardware, and can trivially preempt and modify the OS.

The architecture has heaped layers upon layers of protections on these ‘negative’ rings, but 40 years of x86 evolution have left a labyrinth of forgotten backdoors into the ultra privileged modes.

Lost in this byzantine maze of decades old architecture improvements and patches, there lies a design flaw that’s gone unnoticed for 20 years.

Exploiting the vast, unexplored wasteland of forgotten x86 features, we demonstrate how to jump malicious code from ring 0 into the deepest, darkest realms of the processor.

The attack is performed with an architectural 0 day built into the silicon itself, and directed against a uniquely vulnerable string of code widely deployed on modern systems.

This supports my idea that the researchers were not talking about negative rings; otherwise they would have used ring -1, ring -2 (whatever it means, since the paper doesn't explain it). Instead, the original paper about IME claims that the small 32-bit processor boots in Ring-0 and then switches to Ring-3 (without spaces).
The article also claims that the processor inside the southbridge can read all the memory in the PC, but doesn't explain how a 32-bit processor can read >4G of RAM ....
_________________
True ignorance is not the absence of knowledge, but the refusal to acquire it.
A posse ad esse non valet consequentia
Πάντα ῥεῖ
pjp
Administrator


Joined: 16 Apr 2002
Posts: 17300

Posted: Fri Nov 10, 2017 7:08 pm

Protection ring references ring -1 (VT-x and AMD-V), ring -2 (System Management Mode (SMM)) and a ring -3 rootkit.
_________________
The whole system has to go. The modern criminal justice system is incompatible with Neuroscience. --Sapolsky
bunder
Bodhisattva


Joined: 10 Apr 2004
Posts: 5647

Posted: Sat Nov 11, 2017 1:23 pm

erm67 wrote:
bunder wrote:
erm67 wrote:
How do they initialize all the peripherals and CPUs otherwise?


back in my day, you would assert the reset pin for several clock cycles and the cpu would start at the reset vector. the hardware would initialize itself, or it didn't work. 8)


You must be very very old, intel switched to minix and a 32bit x86 CPU 10 years ago


Nah, I'm only in my 30s. AMT wasn't a thing until ICH7/i945. There are plenty of Intel chips leading up to socket 775. Granted, I'd probably not want to go back to socket 478, I just retired one recently.

But the reset vector thing used to be relevant on the 6502/z80/68k, and probably the 486/pentium. No idea when/if they stopped doing it that way.

edit: ARM still uses it apparently.
pjp
Administrator


Joined: 16 Apr 2002
Posts: 17300

Posted: Sat Nov 11, 2017 3:19 pm

Haven't gotten around to finishing this one yet, but looks interesting:

Hack.lu 2017 Intel AMT: Using & Abusing the Ghost in the Machine by Parth Shukla
_________________
The whole system has to go. The modern criminal justice system is incompatible with Neuroscience. --Sapolsky
erm67
Apprentice


Joined: 01 Nov 2005
Posts: 215
Location: Where the black men cannot enter

Posted: Sat Nov 11, 2017 5:48 pm

bunder wrote:
erm67 wrote:
bunder wrote:
erm67 wrote:
How do they initialize all the peripherals and CPUs otherwise?


back in my day, you would assert the reset pin for several clock cycles and the cpu would start at the reset vector. the hardware would initialize itself, or it didn't work. 8)


You must be very very old, intel switched to minix and a 32bit x86 CPU 10 years ago


Nah, I'm only in my 30s. AMT wasn't a thing until ICH7/i945. There are plenty of Intel chips leading up to socket 775. Granted, I'd probably not want to go back to socket 478, I just retired one recently.

But the reset vector thing used to be relevant on the 6502/z80/68k, and probably the 486/pentium. No idea when/if they stopped doing it that way.

edit: ARM still uses it apparently.


The hidden microprocessor with the secret OS was introduced probably with the late Pentiums; there was no south bridge and north bridge with the 486 and early Pentium. I can vaguely remember when it happened, and that was long before AMT was introduced.

AMT is not mandatory for a working motherboard and is a pay-for feature; unless you took your company PC home (and you're scared they can find it), it is unlikely that the NSA paid Intel to activate AMT on your PC. They did not put that microprocessor in the southbridge to create AMT. And I really don't think AMT is active on my 200$ Lenovo laptop.
The rest of the MINIX OS instead is required; there is a tool that disables most of the hidden OS, but the PC reboots every 30 minutes because without it it doesn't work. The super secret key that Purism claims they will use to disable IME is also dangerous: Intel says it was an experimental feature required by an unnamed vendor (probably Dell) working on an NSA program, but the proper functionality of the motherboard is not guaranteed using it. That chip mediates Plug&Play and other events between devices and the CPU; if it's turned off, such events will not be delivered to Ring 0.

You take some things for granted, like event X happens on the PCI bus and I see Y happen on the CPU, but there's the south/north bridge between the PCI bus and the CPU that makes it happen.

Now, I also remember that Dell offered an anti-theft feature in the BIOS of its early-2000s enterprise laptops that could be turned on but not turned off, and made it possible to find a stolen laptop as soon as it was on the 'net, even if it was formatted or turned off ........ We had a problem with stolen laptops at the company I worked for in that period, and it was activated on every company laptop. A predecessor of AMT very likely, but very similar.
_________________
True ignorance is not the absence of knowledge, but the refusal to acquire it.
A posse ad esse non valet consequentia
Πάντα ῥεῖ
erm67
Apprentice


Joined: 01 Nov 2005
Posts: 215
Location: Where the black men cannot enter

Posted: Sat Nov 11, 2017 9:27 pm

https://software.intel.com/en-us/node/632292

Quote:
Setup Mode Hello Messages
Setup and Configuration of Intel AMT > Setup and Configuration Methods > Remote Configuration > Setup Mode Hello Messages
When an Intel AMT device transitions from Factory Mode to Setup Mode, it attempts to create a TCP/IP connection with the SCA on the default port as described in the following steps.

1. Intel AMT connects to the SCA using one of the following methods:

• Using the IP address entered via the BIOS extension – Continue from step 2.

• Looking up the address on the domain name server (DNS), using the SCA hostname. Intel AMT does a DNS lookup using the hostname “ProvisionServer” and the optional domain name entered via the BIOS sub-menu as one of the TCP/IP parameters or the default domain name, if no domain name was entered (this is an OEM option and may be blank). Intel AMT sends this lookup request even if no domain name was entered. If this lookup fails (and it will if there is no FQDN or domain suffix), Intel AMT tries a DNS lookup using a DNS suffix returned by the DHCP server, if the DHCP server is configured to return domain names (DHCP option 15). If the DNS server does not have a record for the setup and configuration server FQDN, the device will not be able to look up the FQDN of the SCA server. The user will need to either manually enter the setup and configuration server IP address via the BIOS extension or add a static alias to the DNS server, where the setup and configuration server hostname, combined with Intel AMT local domain, resolves to the setup and configuration server IP address.

2. When the device successfully connects to the SCA, it sends a ”Hello” Message, with one of the following formats:

• For PSK:


This is how AMT works, so basically this is what to look for on the router. There are a few problems for this to be a real problem:
1) My ISP-provided modem only lets out traffic from IP addresses that were given through DHCP, and I hardened it so the IP will be given only to known MAC addresses, so unless it uses the same IP configured through DHCP on the eth interface, it will not be able to communicate outside my home LAN (maybe or maybe not).

2) It is extremely unlikely that, even if my OEM has burned the AMT component into the firmware, it has also configured a provisioning server and a domain name for a cheap laptop. My router returns a domain name, home.lan; it works fine on my private LAN but it is invalid outside it. AMT will go nowhere using it.

3) I can exclude that the FQDN for the provisioning server on the .home.lan domain is defined on the DNS on my router.

Anyway, I guess I am going to scan for such hello packets, just in case. A few months ago a mysterious IP address appeared on my LAN (you know, there's an arpwatch process running 24/7); that's when I hardened the setup using fixed MAC addresses.

After all, the "Out Of Band" capabilities of AMT are not telepathic but regular TCP/IP stuff. Yet another techno boogeyman.
I forgot: according to Intel, AMT switches back to factory mode and then setup mode if it is configured to be active and the BIOS is reset, so if you're paranoid, turn off the lappy, remove the coin battery or reset the BIOS, fire up Wireshark and wait to see if it calls the NSA.
_________________
True ignorance is not the absence of knowledge, but the refusal to acquire it.
A posse ad esse non valet consequentia
Πάντα ῥεῖ
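As an added illustration of the lookup sequence quoted in the post above and of the "scan for such hello packets" idea, here is a small Python script that is not from the thread and not Intel's code. It lists the names the quoted procedure says AMT will query (ProvisionServer under the BIOS-entered domain, then under the DHCP option 15 suffix), flags such queries in dnsmasq-style DNS query logs, and checks whether a local resolver has records for any of those names. The log lines, host names, the home.lan domain and the addresses are constructed for the demonstration; the assumed resolver is dnsmasq with query logging enabled.

```python
"""Added example (not from the thread, and not Intel's code): model the AMT
Setup Mode name lookups quoted above and flag them in DNS query logs.

Assumptions: the resolver is dnsmasq with query logging on (the log line
format below is dnsmasq's "query[TYPE] name from client" form), and the
sample log lines, host names and addresses are constructed for this demo.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Hostname the quoted Intel text says AMT looks up when it enters Setup Mode.
AMT_SCA_HOSTNAME = "ProvisionServer"


def candidate_lookup_names(bios_domain: str, dhcp_option15_domain: str) -> List[str]:
    """Names AMT queries, in the order the quoted procedure describes:
    first ProvisionServer under the domain entered in the BIOS (or the bare
    hostname if that field was left blank), then, if that fails, under the
    DNS suffix the DHCP server handed out in option 15."""
    names = [f"{AMT_SCA_HOSTNAME}.{bios_domain}" if bios_domain else AMT_SCA_HOSTNAME]
    if dhcp_option15_domain:
        fallback = f"{AMT_SCA_HOSTNAME}.{dhcp_option15_domain}"
        if fallback.lower() != names[0].lower():
            names.append(fallback)
    return names


# dnsmasq query log line, e.g.
# "Nov 11 21:27:03 router dnsmasq[1234]: query[A] provisionserver.home.lan from 192.168.1.23"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<src>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    qname: str
    qtype: str
    known_source: bool   # True if src is one of the hosts you expect on the LAN


def scan_dns_log(lines: Iterable[str], known_sources: Optional[Set[str]] = None) -> List[Alert]:
    """Return one Alert per DNS query whose leftmost label is ProvisionServer.

    The match is case-insensitive and ignores the domain suffix, because the
    suffix depends on what the BIOS or DHCP option 15 supplied. A query from
    an address outside known_sources is the "mysterious IP" case from the
    post: it is reported with known_source=False so it stands out."""
    known = {s.strip() for s in (known_sources or set())}
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue   # not a dnsmasq query line; ignore
        qname = m.group("qname").rstrip(".")
        if qname.split(".")[0].lower() != AMT_SCA_HOSTNAME.lower():
            continue
        src = m.group("src")
        alerts.append(Alert(m.group("ts"), src, qname, m.group("qtype"), src in known))
    return alerts


def unresolvable_candidates(local_records: Set[str], bios_domain: str,
                            dhcp_option15_domain: str) -> List[str]:
    """The names from candidate_lookup_names() that the local resolver has no
    record for. If every candidate is listed here, the quoted lookup cannot
    succeed against this resolver (point 3 in the post above)."""
    have = {r.lower().rstrip(".") for r in local_records}
    return [n for n in candidate_lookup_names(bios_domain, dhcp_option15_domain)
            if n.lower() not in have]


# Constructed sample: two ordinary queries and three ProvisionServer lookups,
# one of them from an address that is not on the known-host list.
SAMPLE_LOG = [
    "Nov 11 21:27:01 router dnsmasq[1234]: query[A] www.gentoo.org from 192.168.1.10",
    "Nov 11 21:27:03 router dnsmasq[1234]: query[A] ProvisionServer.home.lan from 192.168.1.23",
    "Nov 11 21:27:03 router dnsmasq[1234]: query[AAAA] provisionserver.home.lan from 192.168.1.23",
    "Nov 11 21:27:04 router dnsmasq[1234]: query[A] provisionserver from 192.168.1.77",
    "Nov 11 21:27:09 router dnsmasq[1234]: query[A] distfiles.gentoo.org from 192.168.1.10",
]
KNOWN_HOSTS = {"192.168.1.10", "192.168.1.23"}   # constructed: the fixed-MAC hosts

if __name__ == "__main__":
    print(candidate_lookup_names("", "home.lan"))
    for a in scan_dns_log(SAMPLE_LOG, KNOWN_HOSTS):
        flag = "" if a.known_source else "  <-- unknown source"
        print(f"{a.ts} {a.src} {a.qtype} {a.qname}{flag}")
    print(unresolvable_candidates({"router.home.lan", "nas.home.lan"}, "", "home.lan"))
```

Feed it the router's dnsmasq log (`log-queries` must be on) in place of SAMPLE_LOG; matching on the leftmost label only is deliberate, since a query for the bare name ProvisionServer is exactly what the quoted text says happens when no domain was entered in the BIOS.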
bunder
Bodhisattva


Joined: 10 Apr 2004
Posts: 5647

Posted: Sat Nov 11, 2017 11:25 pm

erm67 wrote:
there was no south bridge and north bridge with 486 and early pentium


Sure there was. i430vx and PIIX3 was on the pentium 1. 286/386/486 had chipsets too.
R0b0t1
Apprentice


Joined: 05 Jun 2008
Posts: 255

Posted: Sun Nov 12, 2017 1:45 am

Muso wrote:
pjp wrote:
Deep dive into Intel Management Engine disablement wrote:
Starting today, our second generation of laptops (based on the 6th gen Intel Skylake platform) will now come with the Intel Management Engine neutralized and disabled by default.
Good.

Consumer computers (especially laptops) shipping before the 6th generation chips were out that did not license vPro technology, and that should have had the management engine irreversibly disabled, still occasionally had users detect that Intel ME was enabled by scanning their machines in a low power mode and finding that a Java-based SOAP webserver was running. There was no interface to access the Intel ME settings. A laptop I have is one of the affected units.

WhitneyLand wrote:
One way to think of ME is, we all woke up one day and discovered we have had high resolution night vision spy cams installed in our bedrooms.

The next realization is there is no way to turn them off or remove them. It’s possible even moving won’t help.

And yet we really don’t seem to care much. Lesser issues generate national outrage and high volumes of press coverage. Why?
pjp
Administrator


Joined: 16 Apr 2002
Posts: 17300

Posted: Sun Nov 12, 2017 3:46 am

Hopefully the folks at puri.sm know something WhitneyLand does not.
_________________
The whole system has to go. The modern criminal justice system is incompatible with Neuroscience. --Sapolsky
Bones McCracker
Veteran


Joined: 14 Mar 2006
Posts: 1605
Location: U.S.A.

Posted: Mon Nov 13, 2017 2:44 am

Sounds like a bunch of gobbledygook to me. You guys are just paranoid, and I'm sure this stuff is perfectly safe to use. As Obama said, "If you can't trust us, we gotta problem.". You probably think the moon landing was fake too.
Muso
l33t


Joined: 22 Oct 2002
Posts: 686
Location: The Holy city of Honolulu

Posted: Mon Nov 13, 2017 6:55 am

Bones McCracker wrote:
Sounds like a bunch of gobbledygook to me. You guys are just paranoid, and I'm sure this stuff is perfectly safe to use. As Obama said, "If you can't trust us, we gotta problem.". You probably think the moon landing was fake too.


++

After I agreed, I got back in line for the chip implant, like a good citizen

What's on CNN?
_________________
People Of Love

Kindness Evokes Kindness

Peace Emits Positive Energy
Page 1 of 2