Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes

2016-12-22 Thread Ivan Markin

podmo:
> I'm going to rely on Intel not wanting to sabotage their own company but
> still wish they would provide better documentation and while I'm at it, an
> easily accessible jumper or BIOS switch to disable it. Meanwhile, I'll
> focus on standard security practices such as OS hardening, network
> firewalling, sandboxing, etc. I'm fully prepared to retract this if actual
> evidence shows up but at this point all of these have a better ROI against
> attackers than chasing shadows or worrying about FUD.

They won't deliberately add a backdoor whatsoever. This is just a
proprietary hypervisor:

Roman Mamedov:
> it's still a separate computer in your CPU, running proprietary
> code, and having full read/write access to your RAM. It can mess with
> your apps, OS and security in all sorts of interesting ways, and you
> can NOT be absolutely certain that it doesn't.

And it has bugs that can be exploited. Remotely. By anyone (there is no
such thing as NOBUS). If they're exploited then *ALL* your
firewalls/sandboxes/whatever are meaningless. This won't cease to be a
problem if you focus on other problems. Both should be solved.

--
Ivan Markin
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes

2016-12-19 Thread podmo
On 19 Dec 2016 23:05 Roman Mamedov wrote:
>
> It can mess with your apps, OS and
> security in all sorts of interesting ways, and you can NOT be absolutely
> certain that it doesn't.

No, but you can say the same about any complex system unless you built it
yourself. How do you know for sure the processor you are using doesn't
have an undisclosed equivalent to ME? If it's been audited, how do you
know the company doing the audit isn't compromised? Not much point
rehashing the entire Trusting Trust discussion.

I'm going to rely on Intel not wanting to sabotage their own company but
still wish they would provide better documentation and while I'm at it, an
easily accessible jumper or BIOS switch to disable it. Meanwhile, I'll
focus on standard security practices such as OS hardening, network
firewalling, sandboxing, etc. I'm fully prepared to retract this if actual
evidence shows up but at this point all of these have a better ROI against
attackers than chasing shadows or worrying about FUD.


Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes

2016-12-19 Thread Joe Btfsplk

On 12/19/2016 5:05 PM, Roman Mamedov wrote:
> On Mon, 19 Dec 2016 18:20:41 -
> "podmo"  wrote:
>
>> I could ...turn AMT off entirely.
>
> Unfortunately that's only what it wants you to believe. With the capabilities
> it has, and with its code being entirely closed source and unaudited, for a
> truly secure system you can't rely on this "Okay I'm now turned off!"
> make-believe.
>
> Can't rely on "not using the on-board NIC" as suggested above either; it's
> still a separate computer in your CPU, running proprietary code, and having
> full read/write access to your RAM. It can mess with your apps, OS and
> security in all sorts of interesting ways, and you can NOT be absolutely
> certain that it doesn't.

You may be correct - or could be partly / totally wrong, as well. Do we 
have enough info to know who's right or wrong & what capabilities it 
absolutely has?

Unless there's official, credible papers that no one mentioned.

If it's as bad as some say, question is, what will smaller, poorer, less 
technical countries do?

Let all their secrets become an open book?
What will users do?  If half of the claims are true, this is beyond 1984 
- Big Brother.
Once inexpensive gov't technology is developed (not requiring $millions 
to abuse), it's often obtained by criminal element or insane dictators.



Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes

2016-12-19 Thread Roman Mamedov
On Mon, 19 Dec 2016 18:20:41 -
"podmo"  wrote:

> I could ...turn AMT off entirely.

Unfortunately that's only what it wants you to believe. With the capabilities
it has, and with its code being entirely closed source and unaudited, for a
truly secure system you can't rely on this "Okay I'm now turned off!"
make-believe.

Can't rely on "not using the on-board NIC" as suggested above either; it's
still a separate computer in your CPU, running proprietary code, and having
full read/write access to your RAM. It can mess with your apps, OS and
security in all sorts of interesting ways, and you can NOT be absolutely
certain that it doesn't.

-- 
With respect,
Roman


Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes

2016-12-19 Thread podmo
On 12/18/2016 10:22 AM, Milton Scritsmier wrote:

> Not all Intel chipsets support AMT (check Intel's website for which ones
> do, but most consumer PC/laptop chipsets don't), and for every version
> of ME firmware there are two releases, one for chipsets with AMT support
> and one for chipsets without. Chipsets which support AMT can have the ME
> firmware updated remotely if it's signed properly and the AMT password
> is entered or bypassed somehow. Chipsets without AMT support cannot be
> updated remotely AFAIK.
>
> If somebody got their hands on the Intel ME toolset and private signing
> keys they could create a custom version of ME firmware that could do
> just about anything, including accessing almost all the PC's RAM at any
> time. But getting it on the machine is the trick. Without AMT support it
> would require physical access to the machine, but then you can do just
> about anything anyway with physical access.
>
Thank you, Roman and Joe, for your well-written, rational and FUD-free
emails to the list on this topic. ;)
I played around with AMT on a system I have access to. Per the
manufacturer's documentation it ships out of the box in factory mode which
disables all remote access features. After changing the ME password from
the default I could configure AMT and turn AMT off entirely. Like Roman
mentioned, no need for BMC so I think the Reddit poster's information was
out of date but his point about securing the OS is still a good one.


Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes

2016-12-18 Thread Milton Scritsmier

On 12/17/2016 3:58 PM, podmo wrote:

> Agree Intel needs to do a much better job documenting the capabilities,

The most detailed documentation Intel has issued on the ME is probably
the 2014 book "Platform Embedded Security Technology Revealed" by Dr.
Xiaoyu Ruan, an Intel employee who has a major role in designing
software for the ME. It's not really a ME design document so much as a
book about designing hardware/software secure platforms that uses the ME
as an example and goes into some detail about its design.

Not all Intel chipsets support AMT (check Intel's website for which ones
do, but most consumer PC/laptop chipsets don't), and for every version
of ME firmware there are two releases, one for chipsets with AMT support
and one for chipsets without. Chipsets which support AMT can have the ME
firmware updated remotely if it's signed properly and the AMT password
is entered or bypassed somehow. Chipsets without AMT support cannot be
updated remotely AFAIK.

If somebody got their hands on the Intel ME toolset and private signing
keys they could create a custom version of ME firmware that could do
just about anything, including accessing almost all the PC's RAM at any
time. But getting it on the machine is the trick. Without AMT support it
would require physical access to the machine, but then you can do just
about anything anyway with physical access.

> Could always use a third party NIC instead of the
> onboard one too.

Yes.




Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes

2016-12-17 Thread podmo
> On 12/17/2016 4:08 PM, Roman Mamedov wrote:

> Confirmed technical details on this topic aren't exactly
> published on Intel's site.
>
...
> Podmo stated

Agree Intel needs to do a much better job documenting the capabilities,
but until there's a verified exploit not much point running around in
circles about it. Could always use a third party NIC instead of the
onboard one too.
(And it wasn't me, I was just quoting a followup Reddit post.)




Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes

2016-12-17 Thread Joe Btfsplk

On 12/17/2016 4:08 PM, Roman Mamedov wrote:
> On Sat, 17 Dec 2016 21:48:51 -
> "podmo"  wrote:
>
>> It cannot be used to access all your data remotely. That
>> only works if you have all AMT features enabled, and you have a special
>> device called a BMC card plugged into your computer and connected to the
>> network.
>
> The whole point of Intel AMT is that you CAN manage your computer remotely
> without it having a separate BMC plugged in (e.g. see [1]). AMT itself is in
> effect an integrated BMC on its own. After that the entire "well-written,
> rational response" falls apart, the author clearly has not even a single clue
> of what he's trying to talk about.
>
> [1]
> http://support.radmin.com/index.php?/Knowledgebase/Article/View/9/9/How-to-set-up-Intel-AMT-features

I'm no expert on Intel ME capabilities (by any stretch), but from the
little I read from more "professional" sources, it does provide the ability
to remotely access computers.
Assuming they have the expertise & required data access to it. Those 
professional sources could also have some things wrong, or partly 
wrong.  Confirmed technical details on this topic aren't exactly 
published on Intel's site.


If it gets to the point where it's common knowledge to every hacker how 
to even partially misuse the ME, then Intel will have made a grave 
business decision.  At that point, they'd have to discontinue it, 
perhaps give refunds for unusable computers or issue permanent fixes - 
to close the holes.  If it becomes common knowledge & they don't take 
drastic action, they'd suffer tremendously.  That's not to say they 
might not leave a better protected opening for government agencies.


What are all the countries - businesses, governments around the world 
going to do?  Buy computers that are open books to even 1 or 2 top level 
agencies of a few key "democratic" countries, much less hackers freely 
trading (Intel ME) "Both the keys and the toolchain, as well as the 
source code," as Podmo stated?

I doubt it.


Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes

2016-12-17 Thread podmo
> https://www.reddit.com/r/onions/comments/5i6qa3/can_the_nsafbi_use_intel_me_to_defeat_tor_on_95/
>
> "
> So, The NSA and FBI CAN force Intel to give up the keys to Intel ME.
[...]

There is a well-written, rational response further down in that same
Reddit thread:

"This post has a lot of misunderstandings behind it. First off, the
Intelligence Community does not need to force Intel to give up
Manageability Engine keys (or AMD's PSP keys for that matter). Both the
keys and the toolchain, as well as the source code are traded underground.
I know that at least up to firmware version 8 is traded underground, and
version 11 (the latest) is available without difficulty to people who know
how to find it. I have access to version 8's signing keys myself, being in
that scene, but all my computers use version 11 so I haven't cared to mess
with it. It's certainly not common but it is absolutely something that
FVEY and related contractors (Raytheon, Leidos, half the people you'll see
at ISS, etc) will be able to get their hands on, if they haven't already.

Second, the abilities of the Manageability Engine are greatly
over-exaggerated. It cannot be used to access all your data remotely. That
only works if you have all AMT features enabled, and you have a special
device called a BMC card plugged into your computer and connected to the
network. BMC cards can include 3G/4G or WiMax support, which is where the
myth that vPro CPUs have a 3G backdoor comes from. I have an enterprise
ThinkPad that proudly boasts having WiMax support, requiring extensive
configuration. It was expensive. If you don't have a BMC card (and you do
not), then it is not possible to remotely control your system. Even if you
did have a BMC, simply having the signing keys and toolchain for the ME
would not be sufficient to get in. An attacker would need either a 0day,
or your credentials. Having the signing key allows nothing more than
writing malicious firmware over SPI and allowing it to persist. It's just
a little more powerful than the UEFI kits cr4sh can write, and just as
easily detectable by reading your flash chip. But it's not like you're
analyzing your microcode (of which there are likely signing keys being
traded as well), which can also be installed on a large number of systems,
considering the BIOS functions to load the latest microcode it has into
the CPU.

Thirdly, you don't have to worry about the ME hiding Intel-provided
backdoors because it is not impossible to reverse engineer ME firmware.
The firmware is Huffman-coded, which can be decoded with some manual
effort, and then you have ARCompact bytecode with Java-based modules.
Intel can be a nasty company, but they aren't going to risk everything
with overt backdoors that simply exfiltrate your memory over the network.
Plus you could easily block that with a separate firewall. Even if it is
sent out-of-band with regards to the kernel's networking stack, it's still
sent over the same physical NIC, just with a different IP and MAC.

The ME is absolutely not what you have to worry about in these threat
models. It is only a way for malware to hide itself from forensic
analysis, not a mystical way to remotely contact any system which runs it,
absent a BMC card.

If you have to have something to worry about, worry about 0days. They are
much more dangerous and valuable than something which, at best, provides a
persistent infection that is trivial to detect offline. There are RCEs for
every major httpd. There are LPEs that even work on grsecurity (at least
one that I know of), and dozens that work on vanilla Linux. There are at
least two traded ring 0 RCEs for Windows, one of which I have, and there
are probably a couple ring 0 RCEs in Linux's Netfilter (conntrack,
anyone?). Secure your OS, use sandboxes and mandatory access controls
(SELinux or AppArmor or RBAC), keep up to date, read security mailing
lists, be wary of red herrings, use grsecurity + PaX, and most
importantly, understand your own threat model.

I can say with absolute confidence that the Intel Manageability Engine is
not a threat in the least to the integrity of the Tor network. Especially
not when each and every one of you are running a browser which can be
exploited with images and CSS. Sandbox your shit."

P.S. Please double-check the facts before spreading FUD.
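The Reddit reply quoted above claims that a malicious signed ME image written over SPI would persist but be "just as easily detectable by reading your flash chip". As an added example (not from this thread, nor from Intel or any project it mentions), the Python below turns that into a repeatable integrity check: it locates the ME region in a flash dump by parsing the public Intel Flash Descriptor layout (signature at offset 0x10, FLMAP0 at 0x14, FLREG0..FLREG4 in 4 KiB units, the same layout tools such as ifdtool read) and compares the region's SHA-256 with a baseline recorded while the machine was trusted. The 64 KiB image it runs on is constructed in code, not a real dump; offsets and region sizes in it are invented for the test.

```python
import hashlib
import struct

FD_SIGNATURE = 0x0FF0A55A                              # Flash Descriptor signature at 0x10
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "PDR"]   # FLREG0 .. FLREG4


def parse_regions(image: bytes) -> dict:
    """Map region name -> (start, end) from the Intel Flash Descriptor.
    FLMAP0 (offset 0x14) carries FRBA in bits 16..23 (times 16); each FLREGn at
    FRBA holds base in bits 0..12 and limit in bits 16..28, in 4 KiB units."""
    (sig,) = struct.unpack_from("<I", image, 0x10)
    if sig != FD_SIGNATURE:
        raise ValueError("no Intel Flash Descriptor signature at offset 0x10")
    (flmap0,) = struct.unpack_from("<I", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x1FFF) << 12
        limit = (((flreg >> 16) & 0x1FFF) << 12) | 0xFFF
        if base > limit:                   # unused regions are encoded with base > limit
            continue
        regions[name] = (base, limit + 1)
    return regions


def region_sha256(image: bytes, name: str) -> str:
    start, end = parse_regions(image)[name]
    return hashlib.sha256(image[start:end]).hexdigest()


def me_region_matches(image: bytes, baseline_sha256: str) -> bool:
    """True when the dump's ME region hashes to the baseline taken earlier."""
    return region_sha256(image, "ME") == baseline_sha256


def build_test_image() -> bytes:
    """Constructed 64 KiB image (not a real dump): descriptor 0x0000-0x0FFF,
    ME 0x1000-0x2FFF, BIOS 0x3000-0xFFFF, GbE and PDR marked unused."""
    img = bytearray(b"\xff" * 0x10000)
    frba = 0x40
    struct.pack_into("<I", img, 0x10, FD_SIGNATURE)
    struct.pack_into("<I", img, 0x14, (frba >> 4) << 16)
    flreg = lambda base, limit: (base >> 12) | ((limit >> 12) << 16)
    for n, val in enumerate([flreg(0x0000, 0x0FFF), flreg(0x3000, 0xFFFF),
                             flreg(0x1000, 0x2FFF), 0x00001FFF, 0x00001FFF]):
        struct.pack_into("<I", img, frba + 4 * n, val)
    img[0x1000:0x3000] = b"ME" * 0x1000    # stand-in bytes for the ME firmware
    return bytes(img)
```

Hashing only the ME region means a legitimate BIOS update does not invalidate the baseline, while any byte changed inside the ME region does.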




[tor-talk] Intel ME / AMT + NSL vs Tor Nodes

2016-12-14 Thread grarpamp
https://www.reddit.com/r/onions/comments/5i6qa3/can_the_nsafbi_use_intel_me_to_defeat_tor_on_95/

"
So, The NSA and FBI CAN force Intel to give up the keys to Intel ME. They
can force them to install a system that can dump your memory and send
it over the network invisibly. Intel could be given a gag order to
cover this up. So, is Tor pointless? Even if your computer is safe
what about the nodes? And your VPN's servers? Simpler and more
effective than Hard Drive Malware. You could install it on every chip
Intel used. Even if I use a Libreboot T400 and use the best VPN I can
find or several of them they can still easily defeat that with an
Intel ME hack. Is Tor worth using if your adversary is the US
government?
"