Securing yourself adequately for today.... and a better model for tomorrow
As many of you know, I was recently hacked. It was quite bad, to be sure. To make matters worse, I don't know who hacked me. Did you know that you've been hacked, too?
http://trak.in/tags/business/2017/05/02/intel-computers-vulnerability-hacking-intelgate/
https://fossbytes.com/new-intel-cpus-can-be-hacked-using-the-usb-port-and-a-hardware-feature/
Odd timing for the release, too. I mean-- May Day?
Anyway let me spell it out for you, really cleanly:
If you use Intel products, your shit is fucked.
I'm typing this on a machine right now, whose shit is fucked. What are the short-term solutions?
Short Term
- Buy an AMD PC
- Toss out any Intel products
Mid-term
- Evaluate different ARM CPU vendors, assess security in the most minute detail
- Evaluate AMD CPU solutions
- Drag & Quarter the "security" execs at Intel
- Determine to what degree these "security" execs colluded with US gov agencies.
- Prosecutions
Long-term
- phibetaiota - In my opinion, there is no alternative to re-building technological society from the ground up around the principle that the device must serve the user at all times.
Because I could smell a fart, I made docs like this one:
https://docs.google.com/document/d/175-QUX9rBF0-mPzRXrhnGgb3QitE0K2UNUEFx8-KLIs/edit?usp=sharing
'Cause it was smelling all farty. very, very farty.
Reiterating: Due to the below, fuck yo cryptocurrency, biotch.
https://www.itnews.com.au/news/intel-debugger-interface-open-to-hacking-via-usb-446889
We will get there from the ground up or not at all.
You ever smelled a fart so stinky that it cleared the room? I've emitted some of these in my life. This time tho, it was Intel who farted. But lots of folks fart.
If you have fart-clearing skills, please get ahold of anyone at Dawn. We need you. Clearing fart requires capital, patience, and talent. Only a fart-free world can be a free world.
This page:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
Clearly states:
This vulnerability does not exist on Intel-based consumer PCs.
Now, while I agree, effort should be made to triple-check that this is the case by following these detection methods.
We should make note that it primarily affects Intel-based PCs/laptops that advertise vPro technology (look at the above link I posted for sample images), and even then, vPro must be enabled in the BIOS.
Typically you'd find this in "enterprise" quality PCs... for instance, those that are issued by banks, insurance companies, and other large corporations to their employees.
Consumer-grade Intel computers (the cheap ones you buy at Walmart and Best Buy) typically don't have this vPro BIOS setting, but I recommend you check your system anyway.
See the shit about the JTAG above?
No man, it's EVERYTHING.
Remember: CORPORATIONS HAVE INCENTIVE TO LIE!
The reason I said that is they ask you in the document to look for the service in Windows 7 as this:
"Look for the Intel Management & Security Application User Notification Service"
(Which I didn't find) but luckily for me, step 2 was discovering I'm running an AMD CPU, so bonus for me... and that's probably why I didn't find that Windows service running.
BTW, I stopped trusting Intel after this:
https://www.wired.com/1999/01/intel-on-privacy-whoops/
About 18 years ago Intel was giving each CPU a serial number which could be found by the operating system and software installed, which means your privacy was gone. That's probably when AMD did its best year of business, because they weren't stupid enough to thwart their customers' privacy with a "new feature".
Ever since then I didn't trust Intel, and I still don't. Obviously Intel hasn't learned their lesson yet...
As for me, I am quite certain my machine is affected.
And as for cheap machines, I am certain that they simply haven't found the interfaces used to hack the proletariat and steal their thoughts.
Would you agree, this is more Windows / BIOS based, and less Linux?
Are there any decent CPUs that are fully open source?
I'm going to hedge on this one and say "not one that is open enough, and not the fabrication machines." LowRISC / OpenRISC seem like a great place to get this kicked off, though.
However, I don't know of a LowRISC / OpenRISC design that is really going to fit the bill. I made a spreadsheet on this and am looking for it now....
Not really.
Very fine allegory - re-steemed my learned friend.
Awareness of these corporate calamities may eventually yield demand for more robust alternatives.... Thanks!
Well, isn't that just the best....
No one gives a fuck, asshole.