Re: [qubes-users] Re: More information needed about Qubes security
On 20190114 at 03:26 -0800 Foppe de Haan wrote:
> can the IME really talk to any NIC? Or just the ones that it has drivers for
> (e.g., other intel products)? If the latter, wouldn't an add-in card (or USB
> dongle) solve that issue?

First: You do not need to quote the entire message if you just want to add two lines of questions. Quote what you refer to and cut the rest out.

To answer your question: It depends. The Management Engine has a connection to every bus in your system but after initial tests and the first part of the boot process should be pulling up something euphemistically called "firewall" to prevent all unnecessary access.

That leaves you with what Intel calls "vPro" which is part of nearly every current piece of business hardware (I tried getting my hands on a vPro-free Lenovo P52 and was told that mere mortals are not permitted to order them). In that case you have a second PHY on your network connector and the wireless interface is offering a similar mechanism. So getting a machine without THAT will put you at least in the driver's seat regarding control of network connections.

You could/should of course remove all wireless interfaces and put a physical packet filter in front of your computer (I'm currently using GL-Inet's GL-USB150 as "USB WLAN interface"). It is of course more work and needs more maintenance.

And yes, I consider damning VNC per se a very hipsteresque attitude to security. Especially because the designers didn't even attempt to put anything security-related into the protocol and force you to make your own decisions on how to implement it. At that point I stopped reading the message you quoted and nearly stopped reading yours, too.

Achim
Re: [qubes-users] Re: More information needed about Qubes security
On Monday, 14 January 2019 at 03:26 -0800, Foppe de Haan wrote:
> can the IME really talk to any NIC? Or just the ones that it has
> drivers for (e.g., other intel products)? If the latter, wouldn't an
> add-in card (or USB dongle) solve that issue?

It seems that the IME is a complete computer with direct access to northbridge and southbridge and can intercept any signal on the host and replace any firmware. So sniffing USB to reassemble network traffic should not be impossible.

Read Blackhat presentations:

Slides: https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf

PDF: https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine-wp.pdf
[qubes-users] Re: More information needed about Qubes security
On Monday, January 14, 2019 at 12:17:21 PM UTC+1, Alexandre Belgrand wrote:
> Hello,
>
> I am still brooding over before installing Qubes.
>
> My first thinking is that since Intel ME backdoors provide full access
> to authorities, there is no way we can stop government agencies. Recent
> research (read 1) shows that Intel ME has access to all parts of a
> computer, even switched-off.
>
> This is not an NSA problem. If the NSA can do it, then any government
> agency including the Chinese, the Russians, the Germans, the French,
> India, etc. can break into anyone's computer.
>
> Intel ME even includes a VNC server (VNC is crap), which should be able
> to display dom0. Intel ME has direct access to network cards and
> connections are routed to the Intel ME before they reach the network
> stack. Therefore, network connections from intruders should be
> invisible to dom0 and other cubes.
>
> There is also the alternative to switch to Coreboot and try to disable
> Intel ME. But I read that on my laptop, a Lenovo Thinkpad X230, it was
> impossible to completely remove Intel ME. Intel ME is constantly
> monitoring hardware and if it is removed, the computer will reboot
> after 30 minutes. In the X230 legacy BIOS, I disabled Intel ME
> completely, but a test in GNU/Linux shows it is still active.
>
> Also, when installing Coreboot, I lose Lenovo's frequent BIOS updates,
> and I am not very sure to be protected against Intel Meltdown and
> Spectre.
>
> So a reasonable approach to me is to rely on a firewall and monitor
> incoming and outgoing packets. Network surveillance is IMHO the only
> way to discover an attack. I am using PC Engines APU with coreboot and
> open hardware, which is the best I can find in my price range.
>
> Network surveillance is how I discovered last time that my computer had
> been hacked, when I saw packets flowing to China.
>
> Since then, now I keep no personal document on a computer.
>
> When I discovered Qubes, it caught my eye but ...
> (a) It does not protect from Intel ME backdoors.
> (b) Has a Linux firewall running on a normal Fedora kernel, not even
> compiled statically with a limited number of modules. This firewall can
> be replaced with OpenBSD as discussed on the mailing list.
> (c) Using Coreboot might be an alternative, but I don't know how secure
> is Coreboot against other attacks.
>
> So my first opinion would be that Qubes can only protect against a
> simple software attack, not a complex hardware attack.
>
> What's interesting in Qubes is that:
> (d) It has reasonable defense in depth, at the scale of today's
> hardware.
> (e) It has good privacy protection. For example, it can protect me and
> my family when surfing on Internet and keep my data private.
>
> If you can tell me anything more about Qubes security, I am really
> interested. I am still waiting for more information before stepping on.
>
> (1) What we have learned about Intel ME
> http://blog.ptsecurity.com/2018/11/what-we-have-learned-about-intel-me.html

Can the IME really talk to any NIC? Or just the ones that it has drivers for (e.g., other intel products)? If the latter, wouldn't an add-in card (or USB dongle) solve that issue?