First
Let's go hack the x86 world.
Positive Technologies, which in September said it has a way to drill into Intel's secretive Management Engine technology buried deep in its chipsets, has dropped more details on how it pulled off the infiltration. The biz has already promised to demonstrate a so-called God-mode hack this December, saying they've found a way …
....."The design choice of putting a secretive, unmodifiable management chip in every computer was terrible, and leaving their customers exposed to these risks without an opt-out is an act of extreme irresponsibility," (EFF)...
http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
In years past it would be tin-foil hat territory and it can be equally well assigned to incompetence, but it would seem to be awfully convenient for the various 3-letter agencies out there. More so if it had been kept under wraps. Will this spell the end of such dual controls or will the World just quietly ignore it whilst updating their status?
I imagine that there *are* people (say, in Russia or China) who *are* now asking whether there is a trusted source of x86-compatible CPUs. And if not, whether there ought to be.
If these people *aren't* asking that question, they aren't doing their job properly.
Actually, Russian government asked this question several years back, passed protectionist legislation, and is now turning to its own CPU designers and fabricators for their systems.
I can only imagine, China being China, it has already done this several years back.
I do use a separate computer for my privacy needs. It's built with an Intel Pentium 4 511 2.80GHz 533 and a 915GEV motherboard. Actually it's surprisingly fast for what is 12-year-old technology. It makes me think that for most use cases, there's not much gain in running the latest CPUs.
Apple's secure enclave runs the L4 microkernel, which has been formally verified. Intel's supposedly-secure management engine runs a 30-year-old OS used for teaching that has never had any sort of security evaluation.
Yeah, that makes sense. I would have assumed it ran some sort of microkernel that's at least been designed for embedded use!
The bit at the end is the important part. It says earlier versions of MINIX were designed for education, later versions for availability, and none were designed for "military grade security".
Intel took a copy of an earlier version. The creator of MINIX hopes that Intel did security hardening on it in addition to the changes that Intel asked him to make to the source code.
What is the fascination with formally verified software all of a sudden? It means nothing in the real world. Many commercial TCP/IP stacks have been formally verified, almost all have suffered serious security issues (many found by Michal Zalewski). WPA2 was also formally verified, and we now see how that worked out in the real world. Lots of software also happens to fully pass their test suites, before we start exploiting it. ;-) Save your money, skip the formal verification, and focus on simplicity.
Well, there's now a Linux version that disables it [so they say].
I expect that requiring physical access to the machine is enough, for the moment, but I'm still concerned about any on-board network adaptor being connected in ANY way to the outside world.
Keep in mind, IPv6 exposes EVERYONE to the intarwebs, because (virtually) all IPv6 addresses are *PUBLIC* and therefore any unfirewalled listening ports are also PUBLIC. If your NIC can be cracked using an exposed port, in ANY way, because of the "management engine", we are all in one huge sorry state as far as security goes...
I am not aware as to whether Intel's "management protocol" can withstand intarweb routing. Most likely it can withstand WIFI routing, and possibly a spoof of some layered protocol if you're using a VPN. Sniffing any kind of SSL would be extremely difficult, but not impossible, especially if your network is being monitored. The odds of this crack being successful WITHOUT physical machine access is PROBABLY small. HOWEVER, I wouldn't trust it anyway, so maybe I should stick with "the earlier architecture".
> ...all IPv6 addresses are *PUBLIC* and therefore any unfirewalled listening ports are also PUBLIC
Ahem. You might want to look into IPv6 link-local and IPv6 unique-local addresses (not the deprecated site-local as I originally wrote).
Firewalling networks is also (as you imply) generally a good idea. IPv6 capable IoT devices directly connected to the Internet need to handle things differently, which is a whole other story.
Note that all IPv4 addresses are public, that is, they are all known, it's just that some are defined by the rules as unroutable on the public Internet, and most ISPs enforce that by filtering. IPv6 local addresses are similarly defined as unroutable on the public Internet, but unlike IPv4 non-routable addresses, IPv6 local addresses have the capability of having a good chance of being globally unique, unlike, say, 192.168.1.1 or 169.254.1.1.
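An added example, not part of the comment above or of anyone's post in this thread: a Python sketch that sorts IPv6 addresses into the scopes that comment names, flags the ones only a firewall protects, and builds a unique-local /48 with a random 40-bit Global ID, which is what gives such prefixes a good chance of being unique. The function names and sample addresses are constructed for illustration.

```python
import ipaddress
import secrets

# Address ranges named in the comment above, plus the global unicast block.
LINK_LOCAL = ipaddress.ip_network("fe80::/10")     # RFC 4291, never forwarded by routers
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")    # RFC 4193, not routed on the public Internet
SITE_LOCAL = ipaddress.ip_network("fec0::/10")     # deprecated by RFC 3879
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # currently allocated global unicast space


def ipv6_scope(text):
    """Classify an IPv6 address string by the scope of its prefix."""
    addr = ipaddress.IPv6Address(text.split("%")[0])  # drop a zone id such as %eth0
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in SITE_LOCAL:
        return "site-local (deprecated)"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"  # loopback, multicast, unspecified, ...


def needs_inbound_filtering(text):
    """True when the prefix is globally routable, so only a firewall
    stands between the host's listening ports and the Internet."""
    return ipv6_scope(text) == "global"


def random_ula_prefix():
    """Build a /48 unique-local prefix: fd00::/8 followed by a 40-bit Global ID.
    Assumption: the ID comes from the OS CSPRNG rather than the hash-based
    procedure RFC 4193 suggests; both aim at a pseudo-random 40-bit value."""
    global_id = secrets.randbits(40)
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


if __name__ == "__main__":
    # Constructed sample addresses (2001:db8::/32 is the documentation prefix).
    for sample in ("fe80::1%eth0", "fd12:3456:789a:1::10", "fec0::1", "2001:db8::10", "::1"):
        print(f"{sample:22} {ipv6_scope(sample):24} filter inbound: {needs_inbound_filtering(sample)}")
    print("fresh ULA /48:", random_ula_prefix())
```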
> Note that all IPv4 addresses are public ...
Bombastic Bob is probably talking about home routers generally using NAT for IPv4, which didn't originally have an equivalent for IPv6. Most home routers offering IPv6 still seem to just expose the plain IPv6 address directly anyway. Not fantastic.
> You just need the firewall, and I don't recall firewalls going away with IPv6, not even on home routers, unless you can prove otherwise.
It would be great if it was that simple. :)
Home routers are often used by people with no real knowledge of computers/IT. They have no understanding of TCP, let alone what the heck a "port" is. So getting them to (correctly) configure a firewall for their new something-they-just-plugged-into-the-network isn't really practical.
Some home routers have a GUI which lets people select a protocol (eg HTTPS) for a device, and can build a basic firewall based on that. That definitely helps. But it's not a real solution to the problem, as many devices use non-standard ports, and the end user won't have a clue what to do.
NAT in the IPv4 world was a "good enough" solution to that problem. Not because it expanded the address space, but instead because it (incidentally) hid users' end devices from external things being able to reach them. That seems to be what Bombastic Bob is talking about.
Home router issues don't go away with IPv6. That's why UPnP exists for better or worse because the computer illiterate want to use their stuff, the Internet is not built around hand-holding, and the security/ease-of-use dichotomy prevents a happy medium. You simply can't fix Stupid, but Stupid outvotes you, so you can't tell them to stay off the Internet.
Simple. To talk to an IPv6 Internet, you need an IPv6 stack, period. There's just no physical way to cram 128 bits into 32 bits of space without something giving. Since you'll already have the IPv6 stack...
You have heard of tunneling IPv6 over IPv4, haven't you? ;)
Around these parts, we've already had to deal with blocking that as muppets discovered it and were using it to get around blocks, rules and regulations.
> NAT in the IPv4 world was a "good enough" solution to that problem. Not because it expanded the address space, but instead because it (incidentally) hid users' end devices from external things being able to reach them. That seems to be what Bombastic Bob is talking about.
This! I wish I could give you more thumbs-ups but...
You don't need NAT for IPv6. Heck, it's generally not needed given the address space.
It isn't a matter of needing NAT. It is a matter of being no one's business how many systems we have connected to our networks and using services on/over the Internet. NAT allows for multiple systems to use the connection of one system without exposing their private parts to the world+dog. IPv6, by design, leaves your privates exposed for any dog to come sniffing about.
"generally using NAT for IPv4"
yes (and the rest, mostly yes).
Sure, there's a spec for IPv6 NAT somewhere, but I'm not aware of it actually being used. I rely on a firewall blocking 'incoming' traffic from "teh intarwebs" on specific ports that are well known, like 139, 445, 6000, yotta yotta and those ports that Winders machines INSIST on listening on "*" to... [because the coders were TOO LAZY to bind it to localhost]
"Most home routers offering IPv6 still seem to just expose the plain IPv6 address directly anyway. Not fantastic."
As long as they apply the _same_ firewalling rules on IPv6 as on IPv4 (ie, all incoming blocked by default, etc) then there's no major issue.
There are home routers which mirror the IPv4 rules to IPv6 by default.
It always makes me laugh the amount of downvotes for questioning the default security implications of IPv6, it's like going into a group of knife jugglers and saying "it's a bit dangerous" and getting "of course it's not dangerous we are all professionals!!".
IPv6 for the average user is less secure than 4 for the simple reason very few people had their PC on a public v4 IP or relied solely on the internal firewall, in fact most internet users couldn't tell you if they are running a correctly configured firewall or have ever allowed software to drill through that.
I like a router with a firewall, blacklist, whitelist, maybe a bit of traffic shaping, logging etc and you bunch of knife jugglers can do as you please, blindfolded.
Ooh I mentioned the downvote, we know what comes next! frankly I couldn't give a shit and have just about forgotten what I used to come to this site for...
What's a good consumer-grade router that comes with, or can take, the better open source router OSs?*
* skipping on DD-WRT - DD-WRT itself is really nice, but their website is utterly confusing as to what build might be expected not to brick your particular router. I'll confess a lack of comfort at playing around blindly with something that controls your internet access - even if it's not permanently damaged, googling how to fix your corrupted router can be problematic.
Loads of great reasons for this little beauty to exist... some extinction level event the Overlords didn't want anyone to know about like an impending asteroid strike, discovery of a real alien invasion, to stop rogue AIs using CPUs like neurons to take over the world, or to rewrite history to their liking...
I just read Wikipedia's entry on the ME.
The thing can execute Java as well.