We could just remove or cleanse https://github.com/corna/me_cleaner the ME to seal this loophole.
在 2017年05月02日 00:13, Sam Kuper 写道:
On 01/05/2017, Shawn citypw@gmail.com wrote:
https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platf...
The piece states, "on April 25, Intel released a firmware fix for this unnamed issue. It affects every Intel machine from Nehalem in 2008 to Kaby Lake in 2017."
Has anyone here got a link describing or including the fix, either directly from Intel, or from an OEM? At the moment, there are no advisories listed at https://security-center.intel.com/advisories.aspx newer than April 3, so presumably either the piece is false, or else the firmware fix was released to OEMs but not publicly.
Discussion elsewhere:
https://news.ycombinator.com/item?id=14237266
https://www.reddit.com/r/linux/comments/68ma1a/every_intel_platform_with_amt...
The ME is the WEP of motherboards.
On Mon, May 1, 2017 at 9:18 AM persmule persmule@gmail.com wrote:
We could just remove or cleanse https://github.com/corna/me_cleaner the ME to seal this loophole.
在 2017年05月02日 00:13, Sam Kuper 写道:
On 01/05/2017, Shawn citypw@gmail.com citypw@gmail.com wrote:
https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platf...
The piece states, "on April 25, Intel released a firmware fix for this unnamed issue. It affects every Intel machine from Nehalem in 2008 to Kaby Lake in 2017."
Has anyone here got a link describing or including the fix, either directly from Intel, or from an OEM? At the moment, there are no advisories listed at https://security-center.intel.com/advisories.aspx newer than April 3, so presumably either the piece is false, or else the firmware fix was released to OEMs but not publicly.
Discussion elsewhere: https://news.ycombinator.com/item?id=14237266 https://www.reddit.com/r/linux/comments/68ma1a/every_intel_platform_with_amt...
-- coreboot mailing list: coreboot@coreboot.org https://mail.coreboot.org/mailman/listinfo/coreboot
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 05/01/2017 11:16 AM, persmule wrote:
We could just remove or cleanse https://github.com/corna/me_cleaner the ME to seal this loophole.
This particular hole, perhaps. Do we know that "cleansing" the ME doesn't simply introduce a bigger hole? Why are the non-removable bits so heavily obfuscated, anyway?
The ME is bad news from a security perspective, period. Security conscious organisations, or those handling high value data, should not be using Intel products (unless perhaps they have a signed financial guarantee of data privacy and integrity from Intel...)
- -- Timothy Pearson Raptor Engineering +1 (415) 727-8645 (direct line) +1 (512) 690-0200 (switchboard) https://www.raptorengineering.com
I don't like that article because they shill for purism at the end.
Nothing that purism does is special they're just an overpriced quanta laptop that they ran someone elses tools on - they'll never figure out how to really disable ME because it can't be done.
I can't understand why they didn't just go with a realistic option that can be free such as FM2.
On 05/01/2017 01:13 PM, Timothy Pearson wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 05/01/2017 11:16 AM, persmule wrote:
We could just remove or cleanse https://github.com/corna/me_cleaner the ME to seal this loophole.
This particular hole, perhaps. Do we know that "cleansing" the ME doesn't simply introduce a bigger hole? Why are the non-removable bits so heavily obfuscated, anyway?
It is disturbing that intel is so evasive on the ME question, why is it present on every platform even consumer ones that lack remote management anyway? (besides the DRM stuff no one uses like PAVP)
The ME is bad news from a security perspective, period. Security conscious organisations, or those handling high value data, should not be using Intel products (unless perhaps they have a signed financial guarantee of data privacy and integrity from Intel...)
Timothy Pearson Raptor Engineering +1 (415) 727-8645 (direct line) +1 (512) 690-0200 (switchboard) https://www.raptorengineering.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJZB2yrAAoJEK+E3vEXDOFboYUH/i00HzanuLFUOyBJxHt+AFtJ //nV6o+1h9H7u4RmoH3kQXzIJB8KXhrhkFH0SYIJtrQGswjDMPp0FIpWa/slRwym NqmaTKKpBivJzfBHTv/UQJ0tp4IddVuhyF8eKvDb6R/hM76RlFGsQ4aZoqq88UD4 ZzizORd1ktmO8Qe2waxYds9Mi8pUj/wGyjOdGFWEbOs0Syw/k1azSsng+8wR72y1 Fn37VMku/GChTM6bjw1zrObUVOm77QO5FD/5OqvC8H+ruyTqSPHwunUUd+z6DGby Bw0ZKidi0+kqhPiPY76duEhVDkaiy9YinH66p5EQW4B5bJGNn03lhSJERnR5jVc= =9hlc -----END PGP SIGNATURE-----