Sep 13, 2016

It's a shame that ME can't be removed or disabled on modern Intel CPU's. Same goes for AMD and maybe companies that implement something like ME in ARM. OpenSPARC is quite dead, sadly enough.

Highly recommended read about x86 security: http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

The author of this paper is also the developer of Qubes OS. They recently added another requirement to laptops who are 'Qubes certified': they must run Coreboot. It's not Libreboot yet, but that is a huge leap forward for x86 security. Hopefully this will trigger vendors to make their hardware Coreboot compatibile. It won't do anything about Intel ME, but it is a step in the right direction.

I ordered a Thinkpad x200 to flash it with Libreboot last week, just to have at least one device without any malware (in RMS sense)

Aug 25, 2016

Intel Management engine built into modern Intel CPUs is closed source software that has full control over your computer.

We need to be able to inspect with tools inside the ME code. This should help.

See also research paper by Joanna Rutkowska - Intel x86 considered harmful http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

Jul 05, 2016

Joanna Rutkowska has written about Intel based products that are possibly vulnerable to the Intel management engine code. Even if you run an open source operating system such as Linux or FreeBSD, there is still proprietary code in the management engine that you cannot look or verify that its secure.

Here is the paper http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

UEFI is another gigantic hide point for malware.

I think one could possibly run more simple platforms such as Raspberry PI, Odroid which may not have embedded management engines. That should be more secure than x86 platforms.

Jun 15, 2016

Joanna Rutkowska has written a nice paper on the topic, highly recommended: http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

Edit: There's also a talk from 32c3 for those more inclined to watch a video. I am pretty worried ever since I watched that: https://www.youtube.com/watch?v=rcwngbUrZNg

(which is why I have researched non-Intel laptop alternatives..cliffnotes: GPUs without BLOBs are hard to find and there will be some severe tradeoffs which is expected)

Jun 11, 2016

Wow, no one here has mentioned Johanna Rutkovska's (Invisible Things Lab & QubesOS), "Intel x86 Considered Harmful"?

http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf http://blog.invisiblethings.org/2015/10/27/x86_harmful.html

Essential reading!!

https://www.youtube.com/watch?v=rcwngbUrZNg

Feb 17, 2016

There's some value over other laptops, notably that it's tested with Linux as the main target and uses recent hardware that is virtualization friendly (+15" which is a personal requirement for me). Configuring a laptop like that takes a nontrivial amount of time from my experience. What interests me is that it will run Qubes OS before the 15" ships if that statement is to be trusted. It is one of the more interesting approaches out there and I'll gladly pay a premium for a Qubes laptop.

The BIOS is not free and the laptop won't be free anytime soon due to Intel ME [1]. Unfortunately the compromise for the foreseeable future seems to be freedom vs. more power or hoping for something awesome non-x86.

[1](PDF): http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

Jan 31, 2016

For the scary applications (regarding user freedom) of Intel SGX, see Joanna Rutkowska's two blog posts about Software Guard Extensions.

Part 1: http://blog.invisiblethings.org/2013/08/30/thoughts-on-intel...

Part 2: http://theinvisiblethings.blogspot.com/2013/09/thoughts-on-i...

Intel SGX also had some useful applications alongside those that are harmful to users, like search engines that provably don't log queries, mail servers that provably don't keep your mail, provably safe Bitcoin mixers and so on. But if using Intel SGX requires a business agreement with Intel, I worry we will only see the bad things and not the useful ones.

It is possible I am wrong and cloud providers will give people who aren't Hollywood access to Intel SGX. But all the applications require trusting Intel and the NSA. Hollywood surely does not mind trusting them, do we?

Intel x86 considered harmful[1] talks about all the scary stuff with Intel's processors.

[1]: http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

Jan 13, 2016

Alas, CPU. Namely ME[1] and FSP/SMM blob [2].

If you are wondering what's wrong with either of them, I would recommend Joanna Rutkowska's research as a starting point [3,4].

[1] https://libreboot.org/faq/#intelme

[2] https://libreboot.org/faq/#fsp

[3] http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

[4] https://media.ccc.de/v/32c3-7352-towards_reasonably_trustwor...