SoylentNews is people

posted by chromas on Monday July 23 2018, @10:22PM
from the drm dept.

Hugo Landau has written a blog post about why Intel will never let hardware owners control the Management Engine. The Intel Management Engine (ME) is a secondary microprocessor ensconced in recent Intel x86 chips, running an Intel-signed, proprietary, binary blob which provides remote access over the network as well as direct access to memory and peripherals. Because of the code signing restrictions enforced by the hardware, it cannot be modified or replaced by the user.

Intel/AMD will never allow machine owners to control the code executing on the ME/PSP because they have decided to build a business on preventing you from doing so. In particular, it's likely that they're actually contractually obligated not to let you control these processors.

The reason is that Intel literally decided to collude with Hollywood to integrate DRM into their CPUs; they conspired with media companies to lock you out of certain parts of your machine. After all, this is the company that created HDCP.

This DRM functionality is implemented on the ME/PSP. Its ability to implement DRM depends on you not having control over it, and not having control over the code that runs on it. Allowing you to control the code running on the ME would directly compromise an initiative which Intel has been advancing for over a decade.


  • (Score: 1, Informative) by Anonymous Coward on Monday July 23 2018, @11:35PM (18 children)

    by Anonymous Coward on Monday July 23 2018, @11:35PM (#711483)

    I'm not interested in your latest superhero movie. Give me back my CPU.

  • (Score: 3, Insightful) by c0lo on Monday July 23 2018, @11:49PM (6 children)

    by c0lo (156) Subscriber Badge on Monday July 23 2018, @11:49PM (#711487) Journal

    Give me back my CPU.

    That CPU? It wasn't truly yours ever.
    Yes, you own it as a blackbox, but don't have any right on the design of the CPU and never had.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2, Insightful) by Anonymous Coward on Tuesday July 24 2018, @03:06AM (5 children)

      by Anonymous Coward on Tuesday July 24 2018, @03:06AM (#711548)
      This is not about rights to the design of the CPU, but an assurance that the CPU will do only what you, the supposed owner, tell it to do, no more and no less. That's an increasingly shaky proposition in this day and age as our CPUs are seen to do plenty of underhanded shit behind our backs, and are fully capable of subverting our intentions.
      • (Score: 2) by c0lo on Tuesday July 24 2018, @03:35AM (4 children)

        by c0lo (156) Subscriber Badge on Tuesday July 24 2018, @03:35AM (#711556) Journal

        but an assurance that the CPU will do only what you, the supposed owner, tell it to do, no more and no less

        You realize that this doesn't hold too much of a value, the question of your trust in the ... ummm .. assuring party still remains.
        I mean, how could one verify the "no more no less" assurance if one doesn't have access to the design of the CPU?

        It doesn't even need to be a false assurance given in ill-faith, to err is human, unintentional bugs in hardware aren't new.
        Even knowing implementation details doesn't keep you from harm's way: the predictive branching, out-of-order execution and all the other stuff used by Spectre were known as design principles for quite a long way back.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
        • (Score: 3, Insightful) by stormwyrm on Tuesday July 24 2018, @06:20AM (3 children)

          by stormwyrm (717) on Tuesday July 24 2018, @06:20AM (#711613) Journal

          Gaining access to the design of the CPU to be able to look at it does not automatically give you the rights to the design of the CPU, any more than having a peek at the source code for Windows gives you any right to use it the way you'd be able to use code that was released under a Free license. Your previous post talked about "rights on the design of the CPU". An independent third-party auditor might be able to gain enough access to the designs to audit them under a non-disclosure agreement, and yes, it's naturally going to be a matter of trust in the auditors as well. But that's also true for a lot of things out there. We have it just about entirely on trust that every bit of Free Software out there doesn't have malicious misfeatures. The only difference is that that trust is highly distributed, making it a lot stronger than trust in say, Microsoft alone. Plenty of other people can and have had a good look at the code. If you had an open hardware design for a CPU, I doubt that you, personally, would have the time, knowledge, and inclination to be able to do a thorough job of assuring its trustworthiness all by yourself, any more than you would have for something as complex as the Linux kernel. The only advantage it would have is that the ability to audit it is a lot easier: you don't have to sign NDAs or pay Danegeld to Intel or AMD to be able to audit the design of RISC V or some other Free CPU, which increases the chances that someone trustworthy has done the auditing already. But again, that's also something you still probably need to take entirely on trust.

          Unintentional bugs are out of scope here. We're talking only about outright malicious features designed specifically to subvert the user's intentions put there deliberately by the designer, like Intel's ME or AMD's PSP. You can get unintentional bugs in any design, Free or proprietary or anything in between. Even so, I'd rather have a system that at minimum strives to be loyal [gnu.org] to me, instead of having deliberate back doors baked into it to allow itself to betray me to whoever is supposed to be its true master. Unintentional mistakes are a fact of life. Deliberate disloyalty and betrayal shouldn't be.

          --
          Numquam ponenda est pluralitas sine necessitate.
          • (Score: 3, Insightful) by anubi on Tuesday July 24 2018, @07:01AM (2 children)

            by anubi (2828) on Tuesday July 24 2018, @07:01AM (#711617) Journal

            Agreed, I have no rights to the CPU design. But I find myself in the same position as if I were buying locks.

            Say, for instance, I love Schlage locks. But some suit-man over there accepts the idea that all his locks should open with a master key. Now, the playing field is wide open to whoever gets a copy of the master key. Now, anybody who has an interest in violating my lock is free to do so.

            ( Just for example... mechanical locks like this are not secure at all. "bump keys". And any locksmith can pick one. A lot of kids can, too. )

            I know I am going to be moderated "redundant" for this post. Everyone on this forum is saying the same thing! Dammit! Just how can one explain in words that even a Hand Shaking SuitMan can comprehend that having any hardware with a cooked-in-silicon master key backdoor is a really, really, really bad idea?

            This is one issue I have been screaming about ever since "scripts" which mix code and data. Never execute code you can't verify or hold someone accountable - and for crying out loud, don't willy nilly leave your business and trust some lock, especially if you know even a script kiddie will have free run of your place once he jimmies your lock. The technology exists for you to have the only key in existence, yet you choose to use a technology where others you have no idea who they are also have a key?

            Once the trick gets out how to get in your machine through that backdoor, there will be no patch. And all your stuff is right out there for anyone who knows how the "open sesame" works.

            And to think that suit-men have spent so much effort on copyright. They are watching their candy jar while someone else is making off with their bank account!

            My grandpa, an old dirt-farmer, was smarter than that... when the local kids took to setting outhouses on fire, or moving them back four feet, he built his out of cinderblock.

            Yet, how many of those executives are going to authorize purchase and implementation of this backdoored technology in *their own* corporation?

            --
            "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
            • (Score: 2) by stormwyrm on Wednesday July 25 2018, @05:30AM (1 child)

              by stormwyrm (717) on Wednesday July 25 2018, @05:30AM (#712189) Journal
              Agree with the main points, but will quibble on how you say mechanical locks are "not secure at all". Yes, any such mechanical lock can be picked with greater or lesser degrees of ease, and if I really wanted in I could use a blowtorch and melt the lock or use a hacksaw to cut it apart. Does that make such locks not secure? Of course not. Locks and safes buy you time depending on the skills and equipment of the potential adversaries. The cheap lock I use on my locker at the gym can probably be picked by a thief in under ten minutes, but since I'd probably be able to walk by and brain the thief with a barbell before he got it open, it's secure enough for my purposes. A heavy bank vault might be opened within an hour given dynamite, but it's still very much secure if the police can be at the vault to apprehend the thieves in less time than that once they hear the first explosions. Real-world security is never about absolutes.
              --
              Numquam ponenda est pluralitas sine necessitate.
              • (Score: 1) by anubi on Wednesday July 25 2018, @08:06AM

                by anubi (2828) on Wednesday July 25 2018, @08:06AM (#712222) Journal

                I was mostly referring to the lock I compared to... standard common house front door lock.

                Like you say, they come in varieties from that super cheap lock I use on a gate, just to let people know that I don't welcome uninvited visitors, but should they insist and force it open anyway ( can be done with paper clip ), another circuit will sense the open gate and make a fuss.

                I have a G&S dial lock on an outside door.... just in case I lock myself out of my own house. It'll be easier to bash the door down than to open that one without its combination.

                Generally, it's hard to compare mechanical locks to electronic locks.. as it's usually hard to violate a mechanical lock in private. Whereas an electronic lock can be hammered at from the other side of the planet for years if it comes to that.

                --
                "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
  • (Score: 0) by Anonymous Coward on Tuesday July 24 2018, @12:04AM

    by Anonymous Coward on Tuesday July 24 2018, @12:04AM (#711491)

    .. and going beyond c0lo's point, this isn't the first time you've paid your supply chain to slurp from that hose either; https://www.techdirt.com/articles/20060227/0211220.shtml [techdirt.com]

  • (Score: 3, Informative) by fyngyrz on Tuesday July 24 2018, @01:20AM (9 children)

    by fyngyrz (6567) on Tuesday July 24 2018, @01:20AM (#711509) Journal

    Give me back my CPU.

    Don't give Intel CPUs a network connection any longer. Just use 'em for grunt work given on USB sticks. It's all they deserve at this point.

    • (Score: 0) by Anonymous Coward on Tuesday July 24 2018, @04:03AM (8 children)

      by Anonymous Coward on Tuesday July 24 2018, @04:03AM (#711565)

      It'll try to connect out using wireless
      Like a virus

      • (Score: 2) by fyngyrz on Tuesday July 24 2018, @04:11AM (7 children)

        by fyngyrz (6567) on Tuesday July 24 2018, @04:11AM (#711568) Journal

        Easily dealt with.

        • (Score: 1) by anubi on Tuesday July 24 2018, @05:12AM (6 children)

          by anubi (2828) on Tuesday July 24 2018, @05:12AM (#711587) Journal

          How would you handle:

          "! Update required. Please connect to internet for critical system security update. " ( ding! )

          And system fails to run until you agree and give it what it wants.

          --
          "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
          • (Score: 2) by Unixnut on Tuesday July 24 2018, @08:46AM (2 children)

            by Unixnut (5779) on Tuesday July 24 2018, @08:46AM (#711638)

            How would you handle:

            "! Update required. Please connect to internet for critical system security update. " ( ding! )

            And system fails to run until you agree and give it what it wants.

            I would not use a system that tries to control, deny my instructions and generally boss me around.

            I mean think about it, if you care about freedom and security enough to never ever connect your PC to a network and only deal with USB sticks as your interaction, why on earth would you go through all that effort, and deal with all the inconvenience, and then stick to a software system that tells you what you should do, and denies you control unless you submit to its instructions?

            Ideally, if you want security and control, you have to apply it to the entire stack, from the silicon to the end-user app.

            Also, I would not recommend USB sticks, after all, an entire class of viruses developed that spread by floppies, in theory a nefarious backdoor could just use your USB stick for compromising you. Not sure what would be a good way for communication, I would probably go back to the old RS232, with custom (and limited) command sets. It is a low-level, simple and rugged enough system that it would be hard to find underlying security holes in, at which point your security is as good as the terminal server you write/use on the other end of the line.

            • (Score: 3, Insightful) by fyngyrz on Tuesday July 24 2018, @10:03AM

              by fyngyrz (6567) on Tuesday July 24 2018, @10:03AM (#711650) Journal

              How would you handle:

              "! Update required. Please connect to internet for critical system security update. " ( ding! )
              And system fails to run until you agree and give it what it wants.

              With an axe.

            • (Score: 2) by fyngyrz on Tuesday July 24 2018, @10:05AM

              by fyngyrz (6567) on Tuesday July 24 2018, @10:05AM (#711651) Journal

              ugh, sorry, replied to wrong message. Coffee!

          • (Score: 2) by fyngyrz on Tuesday July 24 2018, @10:10AM (2 children)

            by fyngyrz (6567) on Tuesday July 24 2018, @10:10AM (#711653) Journal

            How would you handle:

            "! Update required. Please connect to internet for critical system security update. " ( ding! )

            And system fails to run until you agree and give it what it wants.

            I'd handle it with an axe.

            Seriously. If a machine with no connection to the net suddenly demanded one and this was hardware-based, there's no way in the world it could be trusted. You know, we don't have to use computers. If the process is made to be intolerable, then we should stop using the problem hardware until / unless they fix it. Or, if there is one, use an alternative source of hardware (and don't reward the miscreants who made the untrustworthy hardware with future purchases, either.)

            • (Score: 3, Insightful) by anubi on Tuesday July 24 2018, @11:05AM (1 child)

              by anubi (2828) on Tuesday July 24 2018, @11:05AM (#711665) Journal

              I was relating the frustration I am experiencing with my phone when using Yelp, and it keeps nagging me requiring a Google account if I am going to see more than one set of reviews... it bluescreens on me, "checking info", then redirects me to Google... "Add your account".

              This kind of thing really annoys me.

              I keep seeing all these gadgets for sale on store shelves, but they have internet connection. My guess is I pay maybe $19.95 plus tax for the gadget in the retail store, take it home, then find it needs "activation", which is a stiff monthly fee? I know businessmen are really "thinking outside the box" these days, and will pull off anything to get someone to bite, then reel 'em in.

              I've been seeing this ad for a "Micro Mechanic" bluetooth OBD reader, but being bitten by businesstalk, I don't know what they are really saying on the ad... like "free download"... I have had those... I could download it for free, but not run it. Just "activate" it, eh? Monthly fee? Termination agreement required? Have to surrender my banking credentials, name, and God knows what else they may demand, or just write off the little junklet I just paid for... brand new junklet. Do I have to load malware in my phone? I feel like I'm playing a game of three card monte with a street shyster every time I hear those TV ads.

              It's really hard for me to trust marketers these days. Many of them seem to think that once I have paid for *anything*, I am now fair game for a feeding (fee-ing) frenzy to herd me where they want me to go to cut my losses of giving them any money in the first place. If it involves any computer or phone, I have almost convinced myself that they *will* use my own technology as their enforcement agent for forcing yet more and more money from me in order to get what I paid for to work... kinda like getting involved in some sort of cult. Not at all like buying a drill motor from Home Depot.

              So far, I have not bought any "smart" drill motors that tell me "Thank you for buying me, now just log onto www.gotchanow.com and do whatever they demand from you to activate me. You have shown you are a smart guy who leads the pack in adopting smart technology, and you may now show your friends and boss how smart you are!"

              --
              "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
              • (Score: 0) by Anonymous Coward on Monday July 30 2018, @03:40AM

                by Anonymous Coward on Monday July 30 2018, @03:40AM (#714598)

                Don't buy those personal cloud devices then
                does not work without an Internet connection