On Thu, 7 Sep 2017 at 21:17:20 +1000 Erik Christiansen <dva...@internode.on.net> wrote:
> The notion of an extra embedded CPU or two on big Intel chips is not
> difficult to credit, but where is the postulated entire minix OS loaded
> from?

It's in the report by the Positive Technologies team:

http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

We see increasing interest in Intel ME internals from researchers all over the world. One of the reasons is the transition of this subsystem to new hardware (x86) and software (modified MINIX as an operating system). The x86 platform allows researchers to make use of the full power of binary code analysis tools. Previously, firmware analysis was difficult because earlier versions of ME were based on an ARCompact microcontroller with an unfamiliar set of instructions.

> If our hosts cannot be trusted not to phone home to folk wearing dark
> glasses,

It's not just that they phone home, the worst part is that they pick up the phone, your phone!

> then would it not suffice to employ a simple embedded host with
> a small die, such as an ARM, e.g. Beaglebone Black, as a firewall?

Maybe, but it's difficult to know exactly what triggers the numerous ME modules and functions of a running system - it's best to disable everything at boot time. You are supposed to filter both incoming and outgoing traffic, which is not very easy when you do not know what you need to block. Plus, I do not remember where I read it, but there are functions in WiFi AP/DSL modems that were found to have backdoors that are triggered by a precise sequence of IP packets the unit receives, where both headers and payload matter, which makes for a complicated deep packet inspection firewall that you need to set up.

What we actually need is open hardware products ready to supplant current off-the-shelf proprietary chips and controllers.

-- 
Alessandro Selli
http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
PGP/GPG keys: B7FD89FD, 4A904FD9