Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes
podmo:
> I'm going to rely on Intel not wanting to sabotage their own company but
> still wish they would provide better documentation and while I'm at it, an
> easily accessible jumper or BIOS switch to disable it. Meanwhile, I'll
> focus on standard security practices such as OS hardening, network
> firewalling, sandboxing, etc. I'm fully prepared to retract this if actual
> evidence shows up but at this point all of these have a better ROI against
> attackers than chasing shadows or worrying about FUD.

They won't deliberately add a backdoor whatsoever. This is just a proprietary hypervisor:

Roman Mamedov:
> it's still a separate computer in your CPU, running proprietary
> code, and having full read/write access to your RAM. It can mess with
> your apps, OS and security in all sorts of interesting ways, and you
> can NOT be absolutely certain that it doesn't.

And it has bugs that can be exploited. Remotely. By anyone (there is no such thing as NOBUS). If they're exploited then *ALL* your firewalls/sandboxes/whatever are meaningless.

This won't cease to be a problem if you focus on other problems. Both should be solved.

--
Ivan Markin

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes
On 19 Dec 2016 23:05 Roman Mamedov wrote:
>
> It can mess with your apps, OS and
> security in all sorts of interesting ways, and you can NOT be absolutely
> certain that it doesn't.

No, but you can say the same about any complex system unless you built it yourself. How do you know for sure the processor you are using doesn't have an undisclosed equivalent to ME? If it's been audited, how do you know the company doing the audit isn't compromised? Not much point rehashing the entire Trusting Trust discussion.

I'm going to rely on Intel not wanting to sabotage their own company but still wish they would provide better documentation and while I'm at it, an easily accessible jumper or BIOS switch to disable it. Meanwhile, I'll focus on standard security practices such as OS hardening, network firewalling, sandboxing, etc. I'm fully prepared to retract this if actual evidence shows up but at this point all of these have a better ROI against attackers than chasing shadows or worrying about FUD.
Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes
On 12/19/2016 5:05 PM, Roman Mamedov wrote:
> On Mon, 19 Dec 2016 18:20:41 - "podmo" wrote:
>> I could ...turn AMT off entirely.
>
> Unfortunately that's only what it wants you to believe. With the capabilities
> it has, and with its code being entirely closed source and unaudited, for a
> truly secure system you can't rely on this "Okay I'm now turned off!"
> make-believe. Can't rely on "not using the on-board NIC" as suggested above
> either; it's still a separate computer in your CPU, running proprietary
> code, and having full read/write access to your RAM. It can mess with
> your apps, OS and security in all sorts of interesting ways, and you
> can NOT be absolutely certain that it doesn't.

You may be correct - or could be partly / totally wrong, as well. Do we have enough info to know who's right or wrong & what capabilities it absolutely has? Unless there's official, credible papers that no one mentioned.

If it's as bad as some say, question is, what will smaller, poorer, less technical countries do? Let all their secrets become an open book? What will users do? If half of the claims are true, this is beyond 1984 - Big Brother.

Once inexpensive gov't technology is developed (not requiring $millions to abuse), it's often obtained by criminal element or insane dictators.
Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes
On Mon, 19 Dec 2016 18:20:41 - "podmo" wrote:
> I could ...turn AMT off entirely.

Unfortunately that's only what it wants you to believe. With the capabilities it has, and with its code being entirely closed source and unaudited, for a truly secure system you can't rely on this "Okay I'm now turned off!" make-believe. Can't rely on "not using the on-board NIC" as suggested above either; it's still a separate computer in your CPU, running proprietary code, and having full read/write access to your RAM. It can mess with your apps, OS and security in all sorts of interesting ways, and you can NOT be absolutely certain that it doesn't.

--
With respect,
Roman
Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes
On 12/18/2016 10:22 AM, Milton Scritsmier wrote:
> Not all Intel chipsets support AMT (check Intel's website for which ones
> do, but most consumer PC/laptop chipsets don't), and for every version
> of ME firmware there are two releases, one for chipsets with AMT support
> and one for chipsets without. Chipsets which support AMT can have the ME
> firmware updated remotely if it's signed properly and the AMT password
> is entered or bypassed somehow. Chipsets without AMT support cannot be
> updated remotely AFAIK.
>
> If somebody got their hands on the Intel ME toolset and private signing
> keys they could create a custom version of ME firmware that could do
> just about anything, including accessing almost all the PC's RAM at any
> time. But getting it on the machine is the trick. Without AMT support it
> would require physical access to the machine, but then you can do just
> about anything anyway with physical access.
>

Thank you, Roman and Joe for your well-written, rational and FUD free emails to the list on this topic. ;)

I played around with AMT on a system I have access to. Per the manufacturer's documentation it ships out of the box in factory mode which disables all remote access features. After changing the ME password from the default I could configure AMT and turn AMT off entirely. Like Roman mentioned, no need for BMC so I think the Reddit poster's information was out of date but his point about securing the OS is still a good one.
Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes
On 12/17/2016 3:58 PM, podmo wrote:
> Agree Intel needs to do a much better job documenting the capabilities,

The most detailed documentation Intel has issued on the ME is probably the 2014 book "Platform Embedded Security Technology Revealed" by Dr. Xiaoyu Ruan, who is an Intel employee who has a major role in designing software for the ME. It's not really a ME design document so much as a book about designing hardware/software secure platforms that uses the ME as an example and goes into some detail about its design.

Not all Intel chipsets support AMT (check Intel's website for which ones do, but most consumer PC/laptop chipsets don't), and for every version of ME firmware there are two releases, one for chipsets with AMT support and one for chipsets without. Chipsets which support AMT can have the ME firmware updated remotely if it's signed properly and the AMT password is entered or bypassed somehow. Chipsets without AMT support cannot be updated remotely AFAIK.

If somebody got their hands on the Intel ME toolset and private signing keys they could create a custom version of ME firmware that could do just about anything, including accessing almost all the PC's RAM at any time. But getting it on the machine is the trick. Without AMT support it would require physical access to the machine, but then you can do just about anything anyway with physical access.

> Could always use a third party NIC instead of the onboard one too.

Yes.
Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes
> On 12/17/2016 4:08 PM, Roman Mamedov wrote:
> Confirmed technical details on this topic aren't exactly
> published on Intel's site.
> ...
> Podmo stated

Agree Intel needs to do a much better job documenting the capabilities, but until there's a verified exploit not much point running around in circles about it. Could always use a third party NIC instead of the onboard one too.

(And it wasn't me, I was just quoting a followup Reddit post.)
Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes
On 12/17/2016 4:08 PM, Roman Mamedov wrote:
> On Sat, 17 Dec 2016 21:48:51 - "podmo" wrote:
>> It cannot be used to access all your data remotely. That only works if
>> you have all AMT features enabled, and you have a special device called
>> a BMC card plugged into your computer and connected to the network.
>
> The whole point of Intel AMT is that you CAN manage your computer remotely
> without it having a separate BMC plugged in (e.g. see [1]). AMT itself is
> in effect an integrated BMC by its own.
>
> After that the entire "well-written, rational response" falls apart, the
> author clearly has not even a single clue of what he's trying to talk
> about.
>
> [1] http://support.radmin.com/index.php?/Knowledgebase/Article/View/9/9/How-to-set-up-Intel-AMT-features

I'm no expert on Intel ME capabilities (by any stretch), but from the little I read from more "professional" sources, it does provide ability to remotely access computers. Assuming they have the expertise & required data access to it. Those professional sources could also have some things wrong, or partly wrong. Confirmed technical details on this topic aren't exactly published on Intel's site.

If it gets to the point where it's common knowledge to every hacker how to even partially misuse the ME, then Intel will have made a grave business decision. At that point, they'd have to discontinue it, perhaps give refunds for unusable computers or issue permanent fixes - to close the holes. If it becomes common knowledge & they don't take drastic action, they'd suffer tremendously.

That's not to say they might not leave a better protected opening for government agencies. What are all the countries - businesses, governments around the world going to do? Buy computers that are open books to even 1 or 2 top level agencies of a few key "democratic" countries, much less hackers freely trading (Intel ME) "Both the keys and the toolchain, as well as the source code," as Podmo stated? I doubt it.
Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes
> https://www.reddit.com/r/onions/comments/5i6qa3/can_the_nsafbi_use_intel_me_to_defeat_tor_on_95/
>
> "
> So, The NSA and FBI CAN force Intel to give up the keys Intel ME.
[...]

There is a well-written, rational response further down in that same Reddit thread:

"This post has a lot of misunderstandings behind it. First off, the Intelligence Community does not need to force Intel to give up Manageability Engine keys (or AMD's PSP keys for that matter). Both the keys and the toolchain, as well as the source code are traded underground. I know that at least up to firmware version 8 is traded underground, and version 11 (the latest) is available without difficulty to people who know how to find it. I have access to version 8's signing keys myself, being in that scene, but all my computers use version 11 so I haven't cared to mess with it. It's certainly not common but it is absolutely something that FVEY and related contractors (Raytheon, Leidos, half the people you'll see at ISS, etc) will be able to get their hands on, if they haven't already.

Second, the abilities of the Manageability Engine are greatly over-exaggerated. It cannot be used to access all your data remotely. That only works if you have all AMT features enabled, and you have a special device called a BMC card plugged into your computer and connected to the network. BMC cards can include 3G/4G or WiMax support, which is where the myth that vPro CPUs have a 3G backdoor comes from. I have an enterprise ThinkPad that proudly boasts having WiMax support, requiring extensive configuration. It was expensive. If you don't have a BMC card (and you do not), then it is not possible to remotely control your system. Even if you did have a BMC, simply having the signing keys and toolchain for the ME would not be sufficient to get in. An attacker would need either a 0day, or your credentials. Having the signing key allows nothing more than writing malicious firmware over SPI and allowing it to persist. It's just a little more powerful than the UEFI kits cr4sh can write, and just as easily detectable by reading your flash chip. But it's not like you're analyzing your microcode (of which there are likely signing keys being traded as well), which can also be installed on a large number of systems, considering the BIOS functions to load the latest microcode it has into the CPU.

Thirdly, you don't have to worry about the ME hiding Intel-provided backdoors because it is not impossible to reverse engineer ME firmware. The firmware is huffman coded, which can be decoded with some manual effort, and then you have ARCompact bytecode with Java-based modules. Intel can be a nasty company, but they aren't going to risk everything with overt backdoors that simply exfiltrate your memory over the network. Plus you could easily block that with a separate firewall. Even if it is sent out-of-band with regards to the kernel's networking stack, it's still sent over the same physical NIC, just with a different IP and MAC.

The ME is absolutely not what you have to worry about in these threat models. It is only a way for malware to hide itself from forensic analysis, not a mystical way to remotely contact any system which runs it, absent a BMC card. If you have to have something to worry about, worry about 0days. They are much more dangerous and valuable than something which, at best, provides a persistent infection that is trivial to detect offline. There are RCEs for every major httpd. There are LPEs that even work on grsecurity (at least one that I know of), and dozens that work on vanilla Linux. There are at least two traded ring 0 RCEs for Windows, one of which I have, and there are probably a couple ring 0 RCEs in Linux's Netfilter (conntrack, anyone?).

Secure your OS, use sandboxes and mandatory access controls (SELinux or AppArmor or RBAC), keep up to date, read security mailing lists, be wary of red herrings, use grsecurity + PaX, and most importantly, understand your own threat model. I can say with absolute confidence that the Intel Manageability engine is not a threat in the least to the integrity of the Tor network. Especially not when each and every one of you are running a browser which can be exploited with images and CSS. Sandbox your shit."

P.S. Please double-check the facts before spreading FUD.
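The quoted response says ME/AMT traffic, even when it bypasses the kernel's network stack, still crosses the same physical NIC with its own IP and MAC and can therefore be blocked and seen by a separate firewall. The script below is an added illustration of that defender-side check; it is not code from the Reddit poster, the list, or Intel. It parses constructed firewall log lines (the format and the sample MACs/IPs are invented for this example) and flags two things: connections to the default TCP ports Intel AMT listens on (16992/16993 for the web UI and WS-Management, 16994/16995 for redirection, 623/664 for RMCP/ASF, 5900 for hardware KVM; these port numbers are well known but are not stated in the thread) and frames whose source MAC is not one of the MACs the operating systems on the segment are known to use.

```python
"""Flag AMT management traffic and unexpected layer-2 identities in
firewall log lines. Added example; the log format and sample data
below are constructed, not taken from any real device."""
import re
from dataclasses import dataclass

# Default TCP ports used by Intel AMT services (well-known values, not from the thread).
AMT_PORTS = {16992, 16993, 16994, 16995, 623, 664, 5900}

# Constructed log format: <timestamp> <ALLOW|DENY> <proto> <src-mac> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<smac>[0-9a-f:]{17}) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Finding:
    ts: str
    reason: str   # "amt-port" or "unknown-mac"
    src: str
    dst: str
    dport: int


def parse_line(line):
    """Return a dict for one well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(lines, known_macs):
    """known_macs: MACs the host operating systems on this segment report.
    A second MAC talking from the same cable (the out-of-band path the post
    describes) shows up here as 'unknown-mac'; any attempt to reach an AMT
    service port, allowed or denied, shows up as 'amt-port'."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not guessed at
        if rec["dport"] in AMT_PORTS:
            findings.append(Finding(rec["ts"], "amt-port", rec["src"], rec["dst"], rec["dport"]))
        if rec["smac"] not in known_macs:
            findings.append(Finding(rec["ts"], "unknown-mac", rec["src"], rec["dst"], rec["dport"]))
    return findings


# Constructed inventory: MACs as reported by the OS on each monitored host.
KNOWN_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

# Constructed sample log: normal web and SSH traffic, one denied probe of an
# AMT port, one flow from a MAC no OS on the segment claims, one garbled line.
SAMPLE_LOG = """\
2016-12-17T21:48:51Z ALLOW TCP 00:11:22:33:44:55 10.0.0.5:51234 -> 93.184.216.34:443
2016-12-17T21:49:02Z ALLOW TCP 00:11:22:33:44:55 10.0.0.5:51235 -> 10.0.0.1:22
2016-12-17T21:49:10Z DENY TCP 00:11:22:33:44:66 10.0.0.77:1024 -> 10.0.0.5:16992
2016-12-17T21:49:12Z ALLOW TCP 02:aa:bb:cc:dd:ee 10.0.0.250:40001 -> 198.51.100.9:443
this line is not a log record
"""


def run_sample():
    """Run the detector over the constructed sample; returns the findings."""
    return analyze(SAMPLE_LOG.splitlines(), KNOWN_MACS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.ts} {f.reason:12} {f.src} -> {f.dst}:{f.dport}")
```

The same `AMT_PORTS` set is what you would feed into a deny rule on the external firewall; the MAC check only works from a device that sees layer-2 frames (the switch or a bridge firewall in front of the host), since a host-based firewall cannot observe traffic the ME sends around the kernel.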
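The response also says that firmware persisted over SPI is "easily detectable by reading your flash chip." The script below is an added example of that offline check and is not code from the poster, the list, or Intel. It locates the region table of the Intel Flash Descriptor (signature at flash offset 0x10, FLMAP0 at 0x14, region entries at the FRBA it points to, each entry holding a 4 KiB-granular base and limit; this is the layout that tools such as coreboot's ifdtool read, and the script assumes it), then compares a golden dump with a fresh dump region by region and reports where the ME, BIOS or descriptor region changed. The images it runs on here are synthetic, built by `build_test_image`; real dumps must come from an external programmer, since the ME region is normally read-locked from the host and a compromised platform could lie to in-band reads.

```python
"""Region-by-region comparison of two SPI flash dumps using the Intel
Flash Descriptor region table. Added example with constructed images."""
import hashlib
import struct

IFD_SIGNATURE = 0x0FF0A55A          # descriptor signature found at flash offset 0x10
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "PlatformData"]
BLOCK = 0x1000                      # report at 4 KiB erase-block granularity


def parse_regions(image):
    """Return {name: (start, end)} for every region the descriptor marks as used."""
    sig, flmap0 = struct.unpack_from("<II", image, 0x10)
    if sig != IFD_SIGNATURE:
        raise ValueError("no Intel Flash Descriptor signature at offset 0x10")
    frba = ((flmap0 >> 16) & 0xFF) << 4        # Flash Region Base Address, 16-byte units
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if limit < base:                       # unused region: base 0x7FFF, limit 0
            continue
        regions[name] = (base, limit + 1)
    return regions


def diff_regions(golden, current):
    """Compare two same-sized dumps; returns a report for each region that differs."""
    if len(golden) != len(current):
        raise ValueError("dumps differ in size: wrong chip or truncated read")
    report = {}
    for name, (start, end) in parse_regions(golden).items():
        g, c = golden[start:end], current[start:end]
        if g == c:
            continue
        changed = [off for off in range(0, len(g), BLOCK)
                   if g[off:off + BLOCK] != c[off:off + BLOCK]]
        first = next(i for i in range(changed[0], min(changed[0] + BLOCK, len(g)))
                     if g[i] != c[i])
        report[name] = {
            "first_diff": start + first,
            "changed_blocks": len(changed),
            "sha256_golden": hashlib.sha256(g).hexdigest(),
            "sha256_current": hashlib.sha256(c).hexdigest(),
        }
    return report


def build_test_image(size=0x10000):
    """Constructed 64 KiB image: descriptor at 0, ME region 0x1000-0x7FFF,
    BIOS region 0x8000-0xFFFF, GbE and Platform Data marked unused."""
    img = bytearray(b"\xff" * size)
    frba = 0x40
    struct.pack_into("<II", img, 0x10, IFD_SIGNATURE, (frba >> 4) << 16)

    def flreg(base, limit):
        return (base >> 12) | ((limit >> 12) << 16)

    layout = [(0x0000, 0x0FFF), (0x8000, 0xFFFF), (0x1000, 0x7FFF), None, None]
    for i, r in enumerate(layout):
        struct.pack_into("<I", img, frba + 4 * i, flreg(*r) if r else 0x00007FFF)
    img[0x1000:0x8000] = bytes(range(256)) * (0x7000 // 256)   # filler "firmware"
    return bytes(img)


def demo():
    """Golden image versus a copy with four bytes altered inside the ME region."""
    golden = build_test_image()
    current = bytearray(golden)
    current[0x3010:0x3014] = b"\x00\x00\x00\x00"
    return diff_regions(golden, bytes(current))


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: first difference at 0x{r['first_diff']:X}, "
              f"{r['changed_blocks']} block(s) changed")
```

Because the region table is taken from the golden dump, a tampered descriptor in the fresh dump shows up as a difference in the Descriptor region rather than silently remapping the others. Expect legitimate differences in the ME region's data partitions and in BIOS NVRAM between boots; the useful signal is change in code regions, which is why the report includes per-region hashes you can record after each known-good update.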
[tor-talk] Intel ME / AMT + NSL vs Tor Nodes
https://www.reddit.com/r/onions/comments/5i6qa3/can_the_nsafbi_use_intel_me_to_defeat_tor_on_95/

"
So, The NSA and FBI CAN force Intel to give up the keys Intel ME. They can force them to install a system that can dump your memory and send it over the network invisibly. Intel could be given a gag order to cover this up.

So, is Tor pointless? Even if your computer is safe what about the nodes? And your VPN's servers?

Simpler and more effective than Hard Drive Malware. You could install it on every chip Intel used.

Even if I use a Libreboot T400 and use the best VPN I can find or several of them they can still easily defeat that with an Intel ME hack.

Is Tor worth using if your adversary is the US government?
"