Days after the Intel AMT vulnerability was announced, Tenable reverse engineered it. According to a blog post, the vulnerability is a backdoor dream. The AMT web interface uses HTTP Digest Authentication, which uses MD5. The problem is that partial matches of the hash are also accepted. Therefore, Tenable decided to experiment and while doing so:
[W]e reduced the response hash to one hex digit and authentication still worked. Continuing to dig, we used a NULL/empty response hash (response="" in the HTTP Authorization header).
Authentication still worked. We had discovered a complete bypass of the authentication scheme.
Long story short, for over five years, a complete and trivial bypass of AMT authentication has existed. If this wasn't an intentional backdoor, it is a monumental mistake in security and coding best practices. Regardless, the "backdoor" is now public. With Shodan showing thousands of unpatchable computers (as no patch is currently available, assuming they would ever be patched) exposed to the Internet, some poor IT sod is bound to show up to work to some bad news on Monday.
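As an added illustration (not code from the post, from Tenable, or from Intel's firmware), here is a C reconstruction of the comparison flaw the summary describes, with a hardened check beside it. The expected digest and the probe strings are constructed values; the "prefix" function is an assumption about how a check that accepts partial and empty responses would look, written to exhibit that behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the server's expected Digest "response" value,
 * i.e. a 32-character lowercase MD5 hex digest. Not a real AMT value. */
static const char EXPECTED_RESPONSE[] = "8a21e0cc0d51f1a3cc5ca6d37b47b6e0";

/* Illustrative flawed check (assumed shape, not Intel's code): the comparison
 * length is taken from the client-supplied string, so any prefix of the real
 * digest matches, and an empty response compares zero bytes and "matches". */
bool digest_check_prefix(const char *client_response)
{
    return strncmp(EXPECTED_RESPONSE, client_response,
                   strlen(client_response)) == 0;
}

/* Hardened check: the client value must have exactly the digest's length,
 * and every byte is compared without early exit so the comparison does not
 * leak how many leading characters were correct through timing. */
bool digest_check_full(const char *client_response)
{
    size_t expected_len = strlen(EXPECTED_RESPONSE);
    if (strlen(client_response) != expected_len)
        return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < expected_len; i++)
        diff |= (unsigned char)(EXPECTED_RESPONSE[i] ^ client_response[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed probes: empty, one hex digit, a longer prefix, the full
     * digest, and a full-length value that differs in the last character. */
    const char *probes[] = { "", "8", "8a21e0cc",
                             "8a21e0cc0d51f1a3cc5ca6d37b47b6e0",
                             "8a21e0cc0d51f1a3cc5ca6d37b47b6e1" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("response=\"%s\": prefix check %s, full check %s\n", probes[i],
               digest_check_prefix(probes[i]) ? "ACCEPT" : "reject",
               digest_check_full(probes[i]) ? "ACCEPT" : "reject");
    return 0;
}
```

Only the full digest passes the hardened check; the flawed check accepts the empty string and the one-digit response exactly as the post describes.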
(Score: 2) by Wootery on Tuesday May 09 2017, @10:12AM (2 children)
dammit, if you devise a language (compiled or interpreted) which perfectly enforces string types then how is that going to compete with Perl, Python, Ruby, JavaScript or any other language which copies the bad meme of a terse concatenate operator?
Depends on the problem domain, no?
Ada is a 'correctness-first' language, and has found a niche in critical-systems. Maybe they should try using something like Ada for this sort of code in future (where the cost of a bug is enormous) -- we all know C's track-record for 'low-level bugs'.
(Score: 2) by urza9814 on Tuesday May 09 2017, @11:17PM (1 child)
IS the cost of this bug enormous? I mean it could be to the company that gets screwed if it's exploited, but what does it really cost Intel? Nobody ever got fired for buying Intel, and I doubt anyone is seriously considering switching to AMD solely because of this bug. I don't think the cost to Intel is going to be much more than the cost of implementing the fix, which they can probably get nearly free by coercing a bunch of H1Bs to work a week of unpaid overtime. But using a correctness-first language would require them to allot more planned dev effort to the initial development, and it's harder to mandate overtime when it's not an "urgent production issue" so those hours will be more expensive because Intel will actually have to pay for them.
I wouldn't be surprised if coding this right in the first place was actually more expensive than fixing it later. That's why the problem exists in the first place. Intel ought to be sued into oblivion for gross negligence over shit like this (not for just having a bug, but for first designing such a massive security hole and then not bothering to even test a null login on such a critical system) but instead they'll hide behind the usual bogus clickwrap EULA or whatever the firmware equivalent is...and they'll keep raking in the profits while the rest of us are screwed with one flaw after another over and over again...
(Score: 2) by Wootery on Wednesday May 10 2017, @08:45AM
I disagree. I think this could cost them bigtime. Your CPU turning out to be hackable is the best thing you can do to scare off security-aware customers.
coercing a bunch of H1Bs to work a week of unpaid overtime
Intel's software engineers do not, on average, work for free. Let's not be silly.
I wouldn't be surprised if coding this right in the first place was actually more expensive than fixing it later.
But again, you're pretending there's no way this could scare off big customers. Military cyber-security folks might seriously question opting for Intel products in future, for instance. It says a lot about Intel that they allowed this to happen in the first place, both in terms of their competence and their high-level values and decision-making. They placed gimmicky bullshit over risking exposing their customers to below-ring-zero compromise.
I agree that a lawsuit deterrent isn't likely, but I don't agree that the market will necessarily forgive them.