#intel

canoodle@nerdpol.ch

Russia's Conti working on exploits for Intel ME BMC AMT IPMI - Intel ME the biggest security fuck up in computing history - sue Intel

“The biggest network security threat today is a remote code execution exploit for Intel’s Management Engine.”

“Every computer with an Intel chipset produced in the last decade would be vulnerable to this exploit, and RCE would give an attacker full control over every aspect of a system.

If you want a metaphor, we are dinosaurs and an Intel ME exploit is an asteroid hurtling towards the Yucatán peninsula.” (https://hackaday.com/tag/intel-me/)

Intel might have installed – over the course of at least a decade (to this day?) a closed source backdoor in your computer’s firmware, that might never receive updates and is hard to remove.

Once this backdoor is fully cracked, everyone (Russia, China and North Korea) can use it.

Having remote control over a server down to the BIOS is a neat feature.

https://dwaves.de/2018/12/03/intel-bmc-java-jviewer-kvm-remote-control-with-linux-and-intel-mainboard-s2600cwr/

Hackers think so too.

Because a firmware is sometimes hard to update.

BIOS-UEFI updates need to be as easy to install than OS updates.

There are even parts of Intel ME that can not be updated at all (yet) because they are encrypted & signed and the system won’t start if they are missing (security by obscurity).

another dramatic way to put it:

The biggest network security threat today is a remote code execution exploit for Intel’s Management Engine.”

“Every computer with an Intel chipset produced in the last decade would be vulnerable to this exploit, and RCE would give an attacker full control over every aspect of a system.

If you want a metaphor, we are dinosaurs and an Intel ME exploit is an asteroid hurtling towards the Yucatán peninsula.” (https://hackaday.com/tag/intel-me/)

Currently the OS must be hacked or USB access (“physical access equals root access”) before it is possible to malware very deeply in the system = having this guy say: “only solution” “shredder mainboard”

But it might be just a matter of time, until new attack vectors are found, that allow exploit over network, maybe even in the security-nightmare language that every browser runs: JavaScript? X-D (just turn it off globally thanks!)

https://www.golem.de/news/conti-ransomware-gruppe-arbeitet-an-exploit-fuer-intel-me-2206-165848.html

(Conti is a hacker group associated with Russia)

https://www.golem.de/news/security-das-intel-me-chaos-kommt-2003-147099.html

https://www.golem.de/news/security-hackern-gelingt-vollzugriff-auf-intel-me-per-usb-1711-131065.html

Intel ME: Will Intel deliver updates? I hope so. Otherwise: Seriously sue intel to put your IT hardware at danger of being destroyed PERMANENTLY.

As it has happened with those KA-SAT satellite modems.

solutions anyone?

Yes multiple hard one’s.

  • try turning AMT BMC Intel ME off in the bios
    • some BIOS even allow to disable Intel ME permanently
  • on some systems BMC can be disabled with a jumper on the motherboard
  • Flash GNU Linux to the BIOS! (CoreBoot, LibreBoot with the Lenovo x60s no problem, with newer notebooks / PCs probably more effort)
  • “Just use AMD”, yes better but according to this video only a partial solution?

intel needs to work with it’s damaged customers to fix this mess

Or be sued for every hack and every ransomware attack and every downtime and every destroyed motherboard.

seriously.

open source backdoors instead of closed source backdoors!

ok ideally no backdoors at all?

“Intel had already found the vulnerability (CVE-2019-0090) itself last year, described only as a privilege escalation and tried to fix a possible attack vector.

According to PT, however, there are probably other attack vectors and the real problem in ROM still remains, as this part cannot be updated.

This is the preliminary culmination of an embarrassment on the part of Intel, which the manufacturer is trying to sell as security.

By now at the latest, Intel should mothball the concept of a proprietary ME and work on the open hardware security chip that Google

“Customers, users and Intel would be the winners.”

translated from: https://www.golem.de/news/security-das-intel-me-chaos-kommt-2003-147099.html

“Together with partners, Google has announced the Open Titan project.

The goal is a completely openly designed chip based on RISC-V, which is to be used as root-of-trust in many different devices.”

https://www.golem.de/news/open-titan-google-startet-oss-projekt-fuer-hardware-security-chip-1911-144816.html

links:

https://www.rapid7.com/blog/post/2013/07/02/a-penetration-testers-guide-to-ipmi/

#linux #gnu #gnulinux #opensource #administration #sysops #cybersec #itsec #cyber #intel #intel-me #intelme

Originally posted at: https://dwaves.de/2022/06/10/russias-conti-working-on-exploits-for-intel-me-bmc-amt-ipmi-intel-me-the-biggest-security-fuck-up-in-computing-history-sue-intel/

canoodle@nerdpol.ch

Russia's Conti working on exploits for Intel ME BMC AMT - Intel ME the biggest security fuck up in computing history - sue Intel

Intel might have installed – over the course of at least a decade (to this day?) a closed source backdoor in your computer’s firmware, that might never receive updates and is hard to remove.

Once this backdoor is fully cracked, everyone (Russia, China and North Korea) can use it.

Having remote control over a server down to the BIOS is a neat feature.

https://dwaves.de/2018/12/03/intel-bmc-java-jviewer-kvm-remote-control-with-linux-and-intel-mainboard-s2600cwr/

Hackers think so too.

Because a firmware is sometimes hard to update.

BIOS-UEFI updates need to be as easy to install than OS updates.

There are even parts of Intel ME that can not be updated at all (yet) because they are encrypted & signed (security by obscurity).

Currently the OS must be hacked or USB access (“physical access equals root access”) before it is possible to malware very deeply in the system = having this guy say: “only solution” “shredder mainboard”

But it might be just a matter of time, until new attack vectors are found, that allow exploit over network, maybe even in the security-nightmare language that every browser runs: JavaScript? X-D (just turn it off globally thanks!)

https://www.golem.de/news/conti-ransomware-gruppe-arbeitet-an-exploit-fuer-intel-me-2206-165848.html

(Conti is a hacker group associated with Russia)

https://www.golem.de/news/security-das-intel-me-chaos-kommt-2003-147099.html

https://www.golem.de/news/security-hackern-gelingt-vollzugriff-auf-intel-me-per-usb-1711-131065.html

Intel ME: Will Intel deliver updates? I hope so. Otherwise: Seriously sue intel to put your IT hardware at danger of being destroyed PERMANENTLY.

As it has happened with those KA-SAT satellite modems.

solutions anyone?

Yes multiple hard one’s.

  • try turning AMT BMC Intel ME off in the bios
    • some BIOS even allow to disable Intel ME permanently
  • on some systems BMC can be disabled with a jumper on the motherboard
  • Flash GNU Linux to the BIOS! (CoreBoot, LibreBoot with the Lenovo x60s no problem, with newer notebooks / PCs probably more effort)
  • “Just use AMD”, yes better but according to this video only a partial solution?

intel needs to work with it’s damaged customers to fix this mess

Or be sued for every hack and every ransomware attack and every downtime and every destroyed motherboard.

seriously.

open source backdoors instead of closed source backdoors!

ok ideally no backdoors at all?

“Intel had already found the vulnerability (CVE-2019-0090) itself last year, described only as a privilege escalation and tried to fix a possible attack vector.

According to PT, however, there are probably other attack vectors and the real problem in ROM still remains, as this part cannot be updated.

This is the preliminary culmination of an embarrassment on the part of Intel, which the manufacturer is trying to sell as security.

By now at the latest, Intel should mothball the concept of a proprietary ME and work on the open hardware security chip that Google

“Customers, users and Intel would be the winners.”

translated from: https://www.golem.de/news/security-das-intel-me-chaos-kommt-2003-147099.html

“Together with partners, Google has announced the Open Titan project. The goal is a completely openly designed chip based on RISC-V, which is to be used as root-of-trust in many different devices.”

https://www.golem.de/news/open-titan-google-startet-oss-projekt-fuer-hardware-security-chip-1911-144816.html

#linux #gnu #gnulinux #opensource #administration #sysops #cybersec #itsec #cyber #intel #intel-me #intelme

Originally posted at: https://dwaves.de/2022/05/17/russias-conti-working-on-exploits-for-intel-me-bmc-amt-intel-me-the-biggest-security-fuck-up-in-computing-history-sue-intel/

garryknight@diasp.org

WikiLeaks: Julian Assange spying case: Judge suggests CIA may have received illicitly recorded conversations | International | EL PAÍS English Edition

Proving that US intelligence services learned about the WikiLeaks founder’s defense strategy by spying on his lawyers could annul the extradition request, say legal sources

#politics #USA #UK #intel #law #Wikileaks #Assange

https://english.elpais.com/international/2022-06-09/julian-assange-spying-case-judge-suggests-cia-may-have-received-illicitly-recorded-conversations.html

anonymiss@despora.de

#Linux 5.18 officially released, #Intel #processor #SDSi in-app purchase feature online

source: https://www.realmicentral.com/2022/05/23/linux-5-18-officially-released-intel-processor-sdsi-in-app-purchase-feature-online/

Some users worry that Intel is exploring a new business model by launching SDSi. Under this “business model”, Intel #CPU features will be disabled by default until the user “pays” an additional fee to obtain a corresponding license to “unlock” full functionality.

Bullshit Intel has a #KillSwitch for its CPUs and the power to turn off all CPUs. I don't want that kind of #crap in my CPU. Please do not support this by promoting this #business model. Do not buy Intel CPUs anymore!

#Technology #fail #wtf #omg #feature #hardware #problem #news #economy #bullshit

oliver@societas.online

So langsam ist mal wieder ein neuer #Rechner fällig, nach weit über 10 Jahren :P Es ist schon erstaunlich, dass ich nach all den Jahren immer noch halbwegs aktuelle Spiele zocken kann. Okay, zwischenzeitlich habe ich eine größere SSD und eine neue Grafikkarte eingebaut, RAM hatte ich schon von Anfang an genug. Der Sockel 1366 war halt auch einfach eine gute Plattform.

Doch nun brauche ich bald einen neuen. Oder vielmehr: ich möchte. Übrigens nicht zum ersten Mal. Dann schaut man sich um und tackert sich im Kopf aus einzelnen Komponenten ein System zusammen. Und da hakt es: Finde mal ein wirklich gutes Gehäuse mit gutem Design und sehr guten Werten (für Passivkühlung zb) oder guter Anordnung. Da braucht man gar nicht erst so Ansprüche stellen, dass die USB-Ports abgesichert sein sollten (wegen eventueller Security-Paranoia). Und überhaupt: Ist passive Kühlung möglich, sollte es doch lieber aktiv gekühlt sein oder gar eine Wasserkühlung oder Besseres? Naja, man kann’s auch übertreiben. Im Prinzip fände ich eine passive Kühlung oft ausreichend, aber um eine zuschaltbare aktive Kühlung kommt man wohl nicht drumherum, wenn ich nicht den ganzen Klumpatsch in eine Kiste mit Öl schmeißen möchte. Macht den Komponententausch ja auch nicht einfacher.

Und dann noch das Zubehör: Meine derzeitige #Dockingstation (für den 5,25"-Einschub von Fantec) ist so lala, aber auch nur, weil ich selbst noch Löcher gebohrt und einen anständigen Lüfter drauf gesetzt habe (das kleine Ding surrte einen um den Verstand). Sonst geht’s eigentlich und ob ich noch mal ein DVD-ROM einbaue … kann ich auch drauf verzichten.

Da ist die Qual der Wahl bei den Komponenten zwar auch lästig, aber immerhin hat man da reichlich Auswahl. Aber einfach ist auch das nicht. CPU von #Intel oder doch #AMD Ryzen? Tendiere ja fast eher zu AMD. Und die Grafikkarte? AMD Radeon hat gescheite open-source-Treiber für #Linux, aber Nvidia hat CUDA:

Es kommt bestimmt gleich einer um die Ecke und fragt mich die nicht dumme Frage: “Was willst du mit dem Rechner überhaupt machen?”. Und da ist die kurze Antwort: “So ziemlich alles!”. Denn ich hasse Begrenzungen und ich will mir in den nächsten 10 Jahren danach garantiert keinen neuen Rechner kaufen müssen.

Eigenbau/Abwandlung fällt eigentlich flach, ich habe schon genug Hobbys. Obwohl das echte Vorteile hätte: Da könnte man sich sogar so einen Luxus-Quatsch wie einen Steampunk-Sterlingmotor-CPU-Kühler basteln, nachdem man das brandneue #Mainboard verfeinert hat. Aber nein, ich baue mir definitiv keinen Kühler und Gehäuse selbst, denn ich will ja bald einen neuen Rechner haben und nicht nach 5 Jahren Tüftelei. Also fällt auch der für ein paar Sekunden in Erwägung gezogene Plan aus, sich ein ideales Gehäuse auszudenken und in China in Kleinserie fertigen zu lassen. Nee, das muss schon was anderes sein.

Das Leben ist unglaublich schwer, wenn man sich schlecht entscheiden kann und nicht einfach irgendeinen Kram kauft, über den man im Mediamarkt stolpert. Aber ich will ja auch zufrieden sein. Falls dennoch jemand einen Tipp hat: Immer her damit!

paulkater@diasp.org

Running #Ubuntu 20.04 on an HP desktop with an Intel graphics card, I experience something fuzzy on certain sites.
Attached image is from a spreadsheet in the Zoho office suite. As you see, the active cell, in edit mode, is very crisp and clear.
The surrounding cells are amazingly fuzzy.

The same sheet on my Acer Aspire laptop, same Ubuntu, with Nvidia graphics, is clear and crisp all over.
Anyone have an idea what is happening here, and how to fix this? I already played with refresh rates, but that doesn't make any difference.

Spreadsheets in Google Sheets don't have this odd behaviour on either machine.

#linux #intel #graphics

erikengheim@xn--y9azesw6bu.xn--y9a3aq

Why Did Intel x86 Beat RISC Processors in the 1990s?

RISC workstations from companies such as Sun, Silicon Graphics and NeXT battled Intel in the 90s and lost. Will the same happen with Arm and RISC-V?

Whenever I write about the ascent of modern RISC processors such as Arm and RISC-V, I always get comments about how RISC processors failed to take on Intel in the past and that they are doomed to fail again.

It is true that there was a battle between RISC and CISC processors in the 1990s. At the time workstations from companies such as Sun, Silicon Graphics and NeXT were hot stuff. Computers magazines had lots of stories about them. I remember going to conferences back then and seeing mostly Unix workstations rather than Windows machines. However within relatively few years these Unix workstations were pretty much all gone.

The question people cannot stop asking is: Why would history not repeat itself? Will x86 not always end up victorious in the end?

To understand why this will not happen this time around, we need to understand why RISC workstations lost back in the day and why the everything will be different this time around.

Intel’s Volume Advantage in the 90s

Production volume matters a lot when it comes to cost of chips. Large and advanced independent chip manufacturers such as Taiwan Semiconductor Manufacturing Company (TSMC), which make chips for Apple and many others today, did not exist in the 90s.

The one who had the most advanced manufacturing capability and the highest volume was Intel. RISC processors at the time were cheaper to design as they were simpler. However lower volume meant higher unit price.

Intel had the opposite situation. They had much higher design costs as the x86 instruction-set made chips harder to design. However, due to their volume they could produce chips at lower cost per unit.

For high-end workstations which would be low volume, there was an obvious advantage with RISC chips. You could design higher performance chips at lower cost. For low volume workstations Intel would not be able to compete as the their design cost could not be amortized across enough volume of chips.

The Unix workstations ended up with advanced custom made hardware at every level which supported all sorts of fancy features such as hot-plugging hardware at runtime, extremely fast memory. I think some workstations even let you add a CPU while it was running but don’t quote me on that.

Combined this produced awesome RISC machines at eye-watering prices.

Open vs Closed Platform

Closed platforms may give better overall user experience, just look at Apple. The problem is that you end up with premium prices. All the RISC workstation vendors were like Apple: They sold premium products at premium prices.

The problem with such a business model is that the low-end competitor always end up improving and closing in on you. The low-end has the benefit of volume which means high-end products very often lose out to low-end products moving up the value chain.

The Threat of “Good Enough”

The problem for RISC based workstations was that eventually PCs started getting good enough. They still had flaws compared to RISC based workstations but the PCs could offer far more software and much lower prices. Thus Intel started gradually eating into the market of RISC workstations which then had to decide whether to fight in the low-end of their business or try to race ahead at the high-end.

With higher volume and higher total profits, Intel could afford to throw a lot more money at designing chips than the RISC guys. They could also use smaller node sizes to increase performance without actually having better designed chips than the RISC guys. This made Intel gradually erode the RISC advantage.

They never stood a chance because they began at the high-end not the low end.

Why RISC Today is Totally Different From the 90s

Today the chip game is completely reverse. Arm did not start by selling high-end RISC workstations. Instead they began by dominating the low-end chips market made up of micro-controllers, embedded devices, dumb phones and smart phones. In 2020 25 billion Arm based chips got shipped. In comparison the whole PC market in 2020 was 275 million units. Think about that! That is an order of magnitude difference.

Here is a crazy fact few seem to have picked up about the world we live in today. People are used to thinking about Apple as being the small player. Macs have about 10% marketshare of the computer market. So in people’s mind Apple is a small player. What people fail to take into account is how dominant smart phones and tablets have become. An iPhone today frequently costs significantly more than a desktop computer or laptop. You got plenty of smart phones capable of outperforming low-end PCs.

These devices have high end CPUs in them. Many of Apple’s iPad models have M1 chips inside. The very same chip used in many of their popular desktops and laptops. Thus in terms of CPU capability it does not make that much sense to separate these markets. So here is a simple statistics that will blow your mind: Apple shipped a total of 285 million iPhones, iPads and Macs in 2020.

Thus there are more CPUs going into Apple products than there are CPUs going into the whole PC market. Thus being king-of-the-hill in the PC market isn’t that big of a deal. This market is what Intel owns but it simply isn’t that big of a market. Apple alone are making of CPUs than Intel.

So if you look at the whole Arm market it is clear that the idea that x86 is still the dominant player is just ludicrous. Arm already won. Intel and AMD today are where the RISC workstation guys were in the 90s. They god the high high-end while facing a high-volume competitor which is rapidly catching up.

x86 Performance Edge is Not Going to Hold

The fastest super computers today are built using Arm not x86 chips. Intel and AMD are able to outperform the chips made by Apple but only at the cost of insane power usage. That is not a sustainable strategy to maintain an edge. Apple has the clear lead in terms of performance per watt. Now Apple cares more about slim design and long battery life than Intel and AMD which both make a lot of money on delivering to data centers. Thus they are not directly competing across the whole product lineup.

But other companies such as Amazon, Ampere and Nvidia are making Arm chips for data centers which will compete directly with AMD and Intel. Ampere has their Ampere Altra Max with 128 Arm Neoverse N1 cores. The Altra outperforms the AMD EPYC 7763 with 64 cores which is regarded as the fastest x86 CPU. Amazon has come out with their Graviton3 chip with 64 Neoverse V1 cores. Meanwhile Nvidia has announced their Grace super-chip which will have 144 Neoverse V2 cores.

It might be interesting to note the difference between the Neoverse N and V cores. The N variants are for traditional server workloads while the V variants are for high performance computing (HPC). With HPC we typically mean scientific oriented workloads such as machine learning, lots of matrix multiplications and other floating-point operations.

So you can imagine you might want the Neoverse N cores for hosting databases and web-servers while you would use Neoverse V for machine learning, data analysis, simulations etc.

The important point is that Arm chips exist for all markets. Apple make the Arm chips that can compete in the desktop and laptop consumer space. Amazon, Ampere and Nvidia supplies the Arm chips which can compete in data centers.

But x86 won in the 90s over RISC! Sorry but the rules have changed. Arm has higher volume today and Arm chip makers have access to equal or superior manufacturing through companies such as TSMC.

What About RISC-V?

It is not just when talking about Arm chips that the x86 victory over RISC in the 1990s is mentioned. It is also a point raised whenever somebody talks about the future of RISC-V. Again exactly the same story applies to RISC-V as with Arm. RISC-V chips can in principle be built by TSCM so there is no node size advantage for Intel.

What about volume? RISC-V like Arm is starting at the low end where volume is high. RISC-V processors are going into hard drive controllers, mice, keyboard, bluetooth devices, IoT and a dozen other things today. Thus RISC-V is a lot more like Arm than the UltraSPARC, MIPS and Alpha RISC processors of the 1990s.

Of course it will take time for RISC-V to gain the kind of popularity and performance Arm enjoys today, but there is nothing stopping RISC-V from beating x86 chips sometimes in the future. However, by the time RISC-V is competing in the high performance space I doubt there are any x86 chips around to compete against. The future will more likely be a battle between Arm and RISC-V. But you should give RISC-V at least another 5–6 years before you can expect it to be going up against Arm.

#processors #risc #intel