SoylentNews is people
SoylentNews
Arthur T Knackerbracket has found the following story taken from The Register:
For the past nine years, millions of Intel desktop and server chips have harbored a security flaw that can exploited to remotely control and infect vulnerable systems with spyware.
Specifically, the bug is in Intel's Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6. According to Chipzilla, the security hole allows "an unprivileged attacker to gain control of the manageability features provided by these products."
That means hackers exploiting the flaw can log into a vulnerable computer's hardware – right under the nose of the operating system – and silently snoop on users, read and make changes to files, install virtually undetectable malware, and so on. This is potentially possible across the network because AMT has direct access to the network hardware, and with local access.
These management features have been available in various Intel chipsets for nearly a decade, starting with the Nehalem Core i7 in 2008, all the way up to Kaby Lake Core parts in 2017. Crucially, the vulnerability lies at the very heart of a machine's silicon, out of sight of the running operating system, applications and any antivirus.
It can only be fully fixed with a firmware-level update, and it is present in millions of chips. It is effectively a backdoor into computers all over the world.
Intel's vulnerable AMT service [is] part of the vPro suite of processor features. If vPro is present and enabled on a system, and AMT is provisioned, unauthenticated miscreants on your network can access the at-risk computer and hijack it. If AMT isn't provisioned, a logged-in user can still potentially exploit it.
Intel reckons this vulnerability basically affects business and server boxes, because they tend to have vPro and AMT present and enabled, and not systems aimed at ordinary consumers, which typically don't. You can follow this document to check if your system has AMT switched on.
Basically, if you're using a machine with vPro features enabled, you are at risk.
According to Intel today, this critical security vulernability, labeled CVE-2017-5689, was reported in March by Maksim Malyutin at Embedi. To get the patch to close the hole, you'll have to pester your machine's manufacturer for a firmware update, or try the mitigations here. These updates are hoped to arrive within the next few weeks, and should be installed ASAP.
[...] For years now, engineers and infosec types have been warning that, since all code has bugs, at least one remotely exploitable programming blunder must be present in Intel's AMT software, and the ME running it, and thus there must be a way to fully opt out of it: to buy a chipset with it not present at all, rather than just disabled or disconnected by a hardware fuse.
Finding such a bug is like finding a hardwired, unremovable and remotely accessible administrator account, with the username and password 'hackme', in Microsoft Windows or Red Hat Enterprise Linux. Except this Intel flaw is in the chipset, running out of reach of your mortal hands, and now we wait for the cure to arrive from the computer manufacturers.
Also see the story at semiaccurate.
-- submitted from IRC
(Score: 5, Interesting) by Scrutinizer on Tuesday May 02 2017, @02:07AM (8 children)
Intel has it's busted Active Management Technology, [libreboot.org] yet AMD has similarly-flawed Platform Security Processor [libreboot.org].
The proper solution, though not sexy or enticing like the speedy-but-flawed Intel/AMD offerings, seems to be much more akin to what Rhombus Tech [rhombus-tech.net] is working to build: new computer designs using the most open hardware available as a means to build a market that will ultimately cater to the security-conscious, among others. The big sacrifice in the present is in speed and features, and some markets (e.g. high-end gamers) might never be served by this in the foreseeable future. It still seems to be the most promising near-term approach for avoiding these sorts of flawed-by-design processors.
(Score: 4, Interesting) by The Mighty Buzzard on Tuesday May 02 2017, @02:13AM (4 children)
I highly recommend the AMD Phenom II x6 1090t or 1100t. They're still exceedingly capable even at seven years old.
My rights don't end where your fear begins.
(Score: 1) by Scrutinizer on Tuesday May 02 2017, @02:24AM
True - my current "big rig" still uses an AMD processor of that generation, and though it's getting redlined more often these days, it can still build up enough steam to handle the flashy new games that have caught my interest.
The larger concern is with the trend towards ever more slipshod parts and supply lines for the older, safer tech soon disappearing.
(Score: 2) by butthurt on Tuesday May 02 2017, @04:09AM (2 children)
What's a good supplier? I see some used ones for sale on Ebay and Amazon.com. I see them for sale as part of a system, via Pricewatch.
(Score: 2) by The Mighty Buzzard on Tuesday May 02 2017, @05:06AM (1 child)
Dunno if you can find one for any scale now. Up until last year or so you could still find new-in-the-box ones on Amazon but I guess I hadn't looked it a while.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Tuesday May 02 2017, @07:07AM
I have one as well. And for people in the US, keep your eyes out for your local computer resellers. I saw FX9370s selling for 970 or the CS52(??) C32/G34 chipset that have IOMMU support only have v1, which AMD doesn't support for OpenCL on the AMDGPU driver hardware (RX and maybe other GCN era stuff) or heterogenous system memory management (Which is why those chips only recieved support on Intel X79+ motherboards, same as the Intel Xeon Phi cards... 64 bit BAR+IOMMU was only available on those chipsets.)
As such there are essentially no 'current feature level' hardware that can actually take advantage of high performance videocards, and provide an otherwise libre and secure operating platform.
(Score: 0) by Anonymous Coward on Tuesday May 02 2017, @03:42AM (2 children)
Allwinner are not so open, they ignore GPL constantly. Most viable Single Board Computers using those chips can run modern Linux thanks to sunxi project people, not the company. And the video driver has a closed version only because the reverse engineering effort was kicked down by FOSS community (or should I say FOSS companies?), read and weep https://libv.livejournal.com/27461.html [livejournal.com] (same blog, RadeonHD killing https://libv.livejournal.com/27799.html [livejournal.com] FOSS companies are "lovely").
You can buy from many other suppliers, BTW. Allwinner or similar ARM based SBC.
(Score: 0) by Anonymous Coward on Tuesday May 02 2017, @04:10AM (1 child)
Agreed, Allwinner isn't a great choice for an open hardware manufacturer. However, as I recall, they were/are the current best choice for creating a market for open computing devices, which can then in turn be used to pressure manufacturers to make fully-open chips.
Obviously, those who don't agree are free to not buy anything Allwinner makes...
(Score: 0) by Anonymous Coward on Tuesday May 02 2017, @04:54AM
I guess we could link to sunxi, the community porting Allwinner things to mainline kernel and other great contributions, specially the page with the HW it supports, for those interested: https://linux-sunxi.org/Buying_guide [linux-sunxi.org]