Re: [Trisquel-users] The hijacking flaw that lurked in Intel chips is worse than anyone thought

2017-05-12 Thread J.B. Nicholson

infinityfal...@openmailbox.org wrote:

> Like Legimet said, it's highly doubtful. This is rather minor compared to
> the Vault 7 dump, and even that didn't get much more than news reports and
> some software patches (although making it into the mainstream is an
> achievement in itself).


I am not keen to evaluate the importance of the Vault 7 leaks or any other 
leaks by mainstream so-called journalism. I think this is a metric that 
fails both on its own merit (important articles could come much later, even 
years later, and be very few in number) and in a more important sense of: 
evaluations based on how computers work, and understanding the allowable 
limits of corporate media. In the IT field, these stories come from writers 
who show unfettered deference to the proprietors that distribute unsafe 
software. Elsewhere the writers know relatively little about how computers 
and software work, and they are not skilled at conveying the importance of 
the leaks to the public despite that most of the public relies on the 
software to be secure.


The patches proprietors release are as unvettable as the unpatched software 
was when it was released. With non-free software IT admins simply can't 
inspect what they're assigned to operate (no matter how skilled the IT 
admin is); the admins apply these changes ignorant of what they're 
patching, ignorant of what the patch changes, and ignorant of what the end 
result will be. The only information they have to go on are the (apparently 
inadequate) textual descriptions that sometimes accompany the patch.



> It's a pity the EOMA68-A20 release had to be pushed back; this would be the
> perfect opportunity to say "We told you so"!


It still is; whether we have something to recommend to substitute doesn't 
change the fact that non-free software is an unjust menace more people now 
depend upon in their everyday lives.


Re: [Trisquel-users] The hijacking flaw that lurked in Intel chips is worse than anyone thought

2017-05-12 Thread infinityfallen
Like Legimet said, it's highly doubtful. This is rather minor compared to the  
Vault 7 dump, and even that didn't get much more than news reports and some  
software patches (although making it into the mainstream is an achievement in  
itself).


In fact, hypothetically speaking, it could actually introduce more  
difficulty. If the result is some people choosing AMD instead, that's going  
to reduce the chance of us getting ANYWHERE with freeing the PSP. The best we  
can do is hope that anybody fazed by the Intel leak realizes AMD isn't  
necessarily any better, and opts for something libre.


It's a pity the EOMA68-A20 release had to be pushed back; this would be the  
perfect opportunity to say "We told you so"!


Re: [Trisquel-users] The hijacking flaw that lurked in Intel chips is worse than anyone thought

2017-05-12 Thread infinityfallen
Thank you for clarifying that - it makes it much clearer why nobody picked it  
up for so long (although what convinced them to use the said comparison  
function is still beyond comprehension...).


As for your point in regards to caring, you're unfortunately probably right.  
The most mainstream news source I've seen carry this was Slashdot, and even  
then I suspect many readers probably aren't greatly moved by this revelation  
(disclaimer: I do have an ME-enabled device presently, so perhaps that's  
hypocritical to say). Perhaps it's a little too much to propose there were  
malicious motives behind it, but it can't be ruled out...


Re: [Trisquel-users] The hijacking flaw that lurked in Intel chips is worse than anyone thought

2017-05-12 Thread thedanish

"except for checking that two 32-bit hashes were the same length"
Not quite. It only checks the entered password against the stored password  
but checking length is what it didn't do. The result is, if I enter a  
password of one character it checks that character against the first  
character of the stored password, essentially. This means, without any  
altering of the login at all you can just type through the alphabet until it  
grants access. People have been talking about how the ME system is a terrible  
security concept for years but they didn't care, and they won't start now. I  
read one guy said they likely leaked this as an excuse to disable the new ME  
remover technique with an "update."
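
The comparison flaw as described in the message above, shown next to a corrected check. This is an added example, not part of the original thread and not Intel's firmware code; the function names and the sample stored value are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flawed check, as the message describes it: only as many bytes as the
 * caller supplied are compared, and the two lengths are never compared. */
int check_flawed(const char *stored, const char *supplied, size_t supplied_len)
{
    return strncmp(stored, supplied, supplied_len) == 0;
}

/* Corrected check: reject any length mismatch first, then compare every
 * byte without an early exit so timing does not reveal the match position. */
int check_fixed(const char *stored, size_t stored_len,
                const char *supplied, size_t supplied_len)
{
    unsigned char diff = 0;
    size_t i;

    if (supplied_len != stored_len)
        return 0;
    for (i = 0; i < stored_len; i++)
        diff |= (unsigned char)stored[i] ^ (unsigned char)supplied[i];
    return diff == 0;
}

int main(void)
{
    /* Constructed sample value, 12 characters long. */
    const char *stored = "s3cret-value";
    size_t stored_len = strlen(stored);

    /* A one-character input that matches only the first stored character. */
    printf("flawed, 1-char input: %d\n", check_flawed(stored, "s", 1));
    printf("fixed,  1-char input: %d\n", check_fixed(stored, stored_len, "s", 1));
    printf("fixed,  full input:   %d\n",
           check_fixed(stored, stored_len, "s3cret-value", 12));
    return 0;
}
```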


Re: [Trisquel-users] The hijacking flaw that lurked in Intel chips is worse than anyone thought

2017-05-11 Thread legimet . calc

I highly doubt it.


Re: [Trisquel-users] The hijacking flaw that lurked in Intel chips is worse than anyone thought

2017-05-11 Thread calmstorm
I agree that Intel is crap but I also wonder to myself, does this help with  
freeing the Intel ME management?


Just a thought...


Re: [Trisquel-users] The hijacking flaw that lurked in Intel chips is worse than anyone thought

2017-05-10 Thread infinityfallen
Even for proprietary software, this seems incredible. Correct me if I'm wrong,  
but has it taken 7 years for it to emerge that the authentication feature  
did absolutely nothing AT ALL (except for checking that two 32-bit hashes  
were the same length)? Even if I'm certain the i5 laptop on which this post  
is written doesn't have AMT or vPro, that kind of oversight (at best)  
suggests any trust I had in it was entirely misplaced...


Whoever quipped that the infamous "Intel Inside" stickers reminded them of  
the "Smoking Kills" ones was perfectly correct, and may very well find their  
simile reified soon.




Re: [Trisquel-users] The hijacking flaw that lurked in Intel chips is worse than anyone thought

2017-05-09 Thread legimet . calc

This affects vPro/AMT, specifically.


[Trisquel-users] The hijacking flaw that lurked in Intel chips is worse than anyone thought

2017-05-09 Thread legimet . calc

https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/