[coreboot] Intel ME Question

Zoran Stojsavljevic zoran.stojsavljevic at gmail.com
Sat Dec 24 09:57:44 CET 2016


Interesting question... Really! We know that the ME is crucial (it has
influence over the protocol stack) for the network to work with INTEL CORE
families. Not sure about INTEL ATOM, since they're more simplistic; many of
them (I should say most of them; the exception is certainly Broxton/BXT) are
ordered CPUs (I am sure BXT is an OOO (Out Of Order) pipeline design, thus
considerably faster).

Now... Regarding what is said here, the TOR browser (I have one installed on
my PC/notebook - Tor Browser 6.0.8) is very secure, I should say. But
there is always the possibility that the bare basic ME will do something very
nasty to your computer/to you. INTEL is NOT to be TRUSTED (my extensive
experience with INTEL)! For example, send some unwanted IP messages to
somebody else you do NOT want these messages to be sent to/seen by (NSA, for
the sake of argument).

Let us think about the given scenario. You open the TOR browser, then start
sending/posting messages. The ME is copying them, also sending them with
another destination address. If it happens immediately, it will also go via
the same service... But, also, the ME CAN change socket layer info, I do
agree. For this it MUST have a lot of embedded logic in itself, thus
unpacking enveloped info from IP headers deeper in the message. It can
understand that this is intended for TOR, but it also needs to have thousands
of TOR network addresses somehow embedded to conclude this, which is
impossible in real time. So, it might send EVERY message somewhere else by
simply changing the socket layer service. I agree.

Now, even if you do NOT know anything about this, one billion ME-driven PCs
worldwide will do that, sending roughly a billion messages to NSA servers
every second. This is something the NSA needs to process very fast. These are
gazillions/zettabytes to be processed every day... :-)))

If you know about networking services, you can, for the sake of security,
simply add a small HW device (firewall) between your PC and WiFi router,
which will target ONLY the external net addresses you want (after you
configure it).

If this is NOT enough, the best solution is coming, very soon, to a
theater near you: WIN10 ARM-based mobile and server PCs (they have NOTHING
resembling ME magic, so none of the above will come into play).  ;-)

Zoran

On Fri, Dec 23, 2016 at 9:36 PM, Timothy Pearson <
tpearson at raptorengineering.com> wrote:

> On 12/23/2016 02:13 PM, bancfc at openmailbox.org wrote:
> > Hi,
> >
> > Seeing that many of you know a lot about Intel's ME I wanted to ask a
> > couple of things if it's OK.
> >
> > * Is the ME network accessible on all Intel chips or only the vPro ones
> > with AMT?
> >
> > * I saw an interesting take on this in the link below, instead of the
> > usual FUD surrounding this topic whenever it's mentioned. What is your
> > take on what he says?
> >
> > https://www.reddit.com/r/onions/comments/5i6qa3/can_the_nsafbi_use_intel_me_to_defeat_tor_on_95/
>
> Honestly I'd be far more concerned about the claim that the signing keys
> are not only known, but actively traded among criminals.  That means
> that we are no longer just looking at state-level attacks on ME-enabled
> systems, and we have a much larger problem than first assumed by the
> majority of the security community.
>
> --
> Timothy Pearson
> Raptor Engineering
> +1 (415) 727-8645 (direct line)
> +1 (512) 690-0200 (switchboard)
> https://www.raptorengineering.com
>
> --
> coreboot mailing list: coreboot at coreboot.org
> https://www.coreboot.org/mailman/listinfo/coreboot
>