693 posts • joined 21 Oct 2007
Replying this far down...
...to preserve the illusion. Thank you, El Reg. Now I have a hardlink to an article I can present whenever anyone asks me "What is a troll?" No, it's not being nasty or insulting, that's just being a complete see you next Tuesday.
Put simply, a troll is simply a post or article cunningly crafted to get someone, anyone biting and thrashing at the keyboard maniacally. This article and the sarcasm dripping therefrom is a perfect example which, given that this is three or more pages of thrashing, splashing and foaming in, worked magnificently. The keep net¹ must be overflowing.
¹ "Trolling" is actually an angling term. Nothing to do with mythical creatures, billy goats or bridges whatsoever.
¹½ I remain extremely disappointed that nobody has called out <CTRL><Z> as being the background current process key-press rather than the Windozified "undo" with which everyone now associates it.
What goes through someone's head when they do that?
Greed and the good ol' tradition of winner takes all.
@whitepines, yes, it would be better if they'd join the debate rather than just clicking the little button, wouldn't it? I agree that the down-vote was unwarranted.
It's pertinent information if anyone is looking to specifically avoid this mess, as is the fact that Core number numeral devices, more often than not, do come with ME, albeit easily disabled on at least some of the ICH9 variants. I wasn't trying to contradict you or "be clever," just inform.
Re: Macs don't have it, AFAIK
No OEM has the ability to remove the ME, period.
True. One can force the thing into a halted state, however, by removing everything but essential bringup (BUP in all the docs so far) code from the embedded firmware. For some machines, this means breaking out the SPI flasher. For others, mainly consumer motherboards, the EFI setup utility's own flasher usually suffices once you have run me_cleaner on the flash file.
However, since the flash is accessible from the client OS (they're mostly just dangling from an SPI bus these days), it's conceivable that Chipzilla will conspire with MS or EFI vendors to put the code back again, quite possibly with a routine to halt the boot process completely and drop you into a flash rescue mode if it is anything less than fully operational. As you rightly say, the ME machine is still there with its tentacles in your entire memory space and remains a security risk.
If I may be permitted the vulgarity, it's a right pain in the arse and is making x86 look even less appealing than it was before they started this nonsense.
Let me be as clear as possible. EVERY AMD CPU has the PSP. It cannot be removed, it cannot be disabled, and it has full access to the x86 cores and all of the system components. It's stored on rewriteable firmware storage and anyone with access to the AMD signing key can run their code at the highest possible privilege level on the entire system.
Correct, with the tiny qualifier of CPUs and APUs >= family 16h. Trinity and Richland APUs on socket FM1 and Phenom II and Athlon II CPUs on Socket AM3 are probably the last to be PSP-free. A general rule-of-thumb is if it's a 2013 or newer core, it has PSP/Secure Processor.
Re: Macs don't have it, AFAIK
That word does not mean what you think it means. TFA points you in the direction of several OEMs who will butcher/castrate ME or flip the HAP bit for you. Was this anti-troll rant a troll of its own, perchance?
Re: Blast from the past: remember 'Trusted Computing'?
The sad part is that 98% (number from anus) of users won't care. As long as Netflix works, fux not given.
Also, the US is not the world. Some of us aren't subject to the DMCA so aren't afraid to tinker despite all the warnings of the apocalypse, Armageddon, the heat death of the Universe and inter-dimensional rifts caused by people trying to fix or de-traitorify their own sodding property.
Seems that we have this week's designated goat, sacrificed upon the altar of Being Seen To Be Doing Something. One can't help wondering just how "seriously" this would be taken were VW a B2B or, better still, a government supply organisation.
Once more unto the trough...
"Sinecure" is not a decongestant - in any context.
Sure the manufacturer might be able to get to it but how likely is that going to happen?
Big Data loves you. This data has value to be (I hate this word) "monetised" and Cerberus will be wearing little bootees¹ and a doggie coat before anyone with an MBA and a performance review forthcoming misses this opportunity.
Please note that said MBA isn't inherently evil, just working in an environment that mandates such tactics to survive.
Just wait until EVs enable full log slurps while on charge. Track, speed, control usage ("throttle" position, braking, steering input), listening habits, calls made, occupancy, times and dates, the lot. Autonomous vehicles will be even worse, especially if this idea of dial-a-shed becomes reality. The scope for private information leakage is enormous.
With that, facial recognition and smart meters it'll only take getting out of bed and turning on the bog light before some beige numpty in a cardigan with a notebook (computer) can see what you're doing.
Who didn't install Firefox and immediately add StartPage, DDG and DeepSearch then remove everything else?
I also have github as a provider but that's just me. I'm odd.
Re: It's good to see your tax money being spent
I seem to have struck a nerve. If NASA wish to replace the ageing RTG design with a commentard with steam coming out of its ears as a power source, do give me a shout. Just think of me as that neutron that pushes the reaction to criticality...
Re: It's good to see your tax money being spent
Knowledge is always relevant. Imagine if Voyager had hit the heliopause and just blipped out of existence because its location variable was trying to access memory in the UniverSim that was dedicated to another process. Would that have been wasted money?
It didn't happen but it could have; that would have told us all manner of interesting things.
I thought LG owned WebOS now? Perhaps, given that it's a patent dispute, we're not supposed to understand it?
Re: Cool marketing idea
The Tecra I mentioned up-thread is a Core 2 Duo. It has Intel ME, so I'd say the 2006 quote is the more accurate. If in doubt, assume it's there and check with intelmetool (a sub-project of coreboot) with iomem=relaxed passed to the kernel at boot if running >Linux 4.4.
At this point, Intel's little backdoor snoop is quite well understood. What is more worrying is the number of people who have never heard of PSP or Secure Processor and think they're so much safer using AMD chippery.
On x86 the assumption has to be, if it's fairly recent, that there's some form of hidden embuggerance that has the potential to bite you on the bum. Even if it doesn't fulfil the requirements for Active Management, you still don't know what that little Minix (apologies to Professor Tanenbaum - it runs a derivative of Minix, it wasn't his idea) parasite is doing which, given that it has direct access to memory (and you'll recall most devices are mapped into memory space these days), could be just about anything. In fact, even after running me_cleaner on the firmware dump I can't be 100% sure the thing really is in a stopped state after bringup but it's far better than trusting Intel's encrypted code buried in the flash chip.
"What happens if you don't install it [the driver] ?" looks like willingness to learn to me, which puts x 7 several orders of intelligence above the average manager. We're not born experts, it takes pain, exposure to lusers and unwilling loss of follicles. Enough with the down-votes already.
x 7, imagine a Raspberry Pi made small enough to fit into a motherboard chipset with electronic tentacles that reach deep into the parent machine. The operating system for this parasitic computer is embedded into the BIOS, so it initialises first before the BIOS/EFI hands off to the real operating system. The only way to confound it (as pointed out downthread, it's not really permanently castrated, just befuddled) is to take away its bits of BIOS to the point it enters a halted state and minds its own sodding business. All the driver does is allow you to interact with it from the main operating system. Without the driver, it's still there with its tentacles in your RAM and buses but your OS isn't aware of what the conduit that links the parasitic computer to the main computer is for.
Re: Matryoshka dolls
Certain implementations can be disabled by removing just enough of the code to stop it from running. You have to be very careful as some of these machines shut down after 30 minutes if the ME is in a particular state of not being able to boot.
See ME Cleaner for details. It's not for the faint of heart but I was going to stop using this Lenovo if I couldn't rid myself of at least the ME code running at ring -3 so I had very little to lose. With a dump of both SPI chips, I could always restore it to factory state anyway.
A computer within a computer with access to everything and no idea what it is up to. Yes, that's a brilliant idea, especially if we can't see the code or use it for our own purposes.
Two machines here with IME, a Lenovo G710 and a Tecra M10. The former required a full strip-down and a CH341A dongley thing with an SOIC8 clip to remove this malware. The latter (well done, Toshiba) allows disabling the thing before it even starts, confirmed by intelmetool. On the Lenovo, removing all but BUP has left a dangling USB device that can no longer enumerate. I suspect this is the JTAG port oft reported but it's a pain in the arse as it spams syslog.
That said, I can live with a dead USB device hanging off of bus 3. It's infinitely preferable to hardware which does $DEITY knows what behind my back.
Yes, @x 7 it requires a driver for the control interface, yet the underlying processor and code still run regardless of driver status. If it's exposed to $SKIDDIE or $THREELETTERAGENCY you're SOL and JWF¹. Please note that AMD on anything newer than Piledriver also has something similar called PSP/Secure Processor which is pretty much the same idea - closed source crap running at ring -3.
¹ Shit out of luck and jolly well fucked.
I hope, should the BTs decide to pursue this offer, that the vendor will keep them on hold, transfer them to another extension which will also keep them on hold, repeated ad nauseam until they give up. That would be poetic justice.
Re: What did you expect?
East Asia? I thought it was Eurasia this month, and always had been?
/me fully expects this to whoosh far overhead...
Relieved of command by Captain Bogbot.
I can't help thinking, putting myself into the situation you so eloquently describe, that it would all be worth it if there were a Matrix-style EMP generator. The satisfaction when you turn the big red switch and robo-leg-shagger slumps into a heap, the alarm silences forever, all the doors become manual again and the idiot lantern finally shuts the feck up would be blissful.
All joking aside, we're setting ourselves up for a fall here. I'm not talking about Elon's vision of AI-enhanced killbots stalking the last remnants of humanity through the ruins of cities, rather that we're already only 10kWh away from total vulnerability. Adding more artificial dependence on technology is just asking for extinction because the whole bloody mess is really quite fragile and apt to go TITSUP (total inability to support usual pandering) at a moment's notice. At what point do we admit we are damaging our ability to adapt, survive or even make our own decisions amidst all this convenience?
The very first priority should be shifting the focus from the needs of marketers to the requirements of the meatsack trying to use these devices. The vast majority of this traffic doesn't need to ever leave the local segment.
In the case of those that do need to use the maelstrom of the Internet, there are certain design rules that should be followed. I wanted a vehicle tracker. I researched the various options from hideously expensive to cheap and shonky. All, without fail, required the use of some third party server, more often than not Google's maps crept in, leaked data like a sieve and kept quite a lot of numbers you probably didn't want them to keep.
I ended up designing my own. STM32+SIM800+Neo6, simple firmware that opens a GPRS connection and uploads a JSON string to my MQTT server over TLS every three minutes if the vehicle has moved more than twenty metres then turns the GSM radio completely off. Simple, effective, private and secure. I can then use HomeAssistant to grab an OSM tile and display the location on a nice map.
At no point does unencrypted data move out of my control. Nor is there any facility for communicating with the device over any public network - it talks, the server listens, then it says goodbye once a successful status message is received. It cannot be redirected, suborned, repurposed to carry out DDoS attacks or tricked into leaking data.
Other IoT stuff here include a weather station, solar charge controllers, various light and socket controllers and the garage door opener. All are custom built, all have ONE job and none of them will even acknowledge the existence of anything but the intended control channels.
The Unix philosophy works well in this arena and I commend it to my colleagues.
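The upload gating the tracker post describes (wake every three minutes, publish a JSON fix only if the vehicle has moved more than twenty metres, then go quiet again, with the device never listening for anything) is shown below as an added Python example. It is not the commenter's STM32 firmware: the `Fix` type, the device id, the sample fixes and the `run_cycle` name are constructed for illustration, and the MQTT-over-TLS transport itself is left out so the decision logic can run anywhere.

```python
import json
import math
from dataclasses import dataclass
from typing import List, Optional

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class Fix:
    """One GPS fix as the firmware would read it from the receiver (constructed type)."""
    ts: int          # unix seconds
    lat: float       # decimal degrees
    lon: float       # decimal degrees
    speed_kmh: float


def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance in metres between two fixes."""
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi = math.radians(b.lat - a.lat)
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def should_publish(last_sent: Optional[Fix], cur: Fix, min_move_m: float = 20.0) -> bool:
    """First fix after power-up always goes out; after that only when the vehicle
    has moved more than min_move_m since the last fix that was actually sent."""
    if last_sent is None:
        return True
    return haversine_m(last_sent, cur) > min_move_m


def build_payload(device_id: str, fix: Fix) -> str:
    """Compact JSON string for the MQTT publish. Only the device's own state is
    included; there is no command channel and nothing for a server to answer."""
    body = {"id": device_id, "ts": fix.ts, "lat": fix.lat, "lon": fix.lon, "spd": fix.speed_kmh}
    return json.dumps(body, separators=(",", ":"), sort_keys=True)


def run_cycle(device_id: str, fixes: List[Fix], min_move_m: float = 20.0) -> List[str]:
    """Simulate successive three-minute wake-ups over a list of fixes and return
    the JSON strings that would have been published (the radio is switched off
    again after each wake-up whether or not anything was sent)."""
    sent: List[str] = []
    last_sent: Optional[Fix] = None
    for fix in fixes:
        if should_publish(last_sent, fix, min_move_m):
            sent.append(build_payload(device_id, fix))
            last_sent = fix
    return sent


# Constructed sample: parked, crept ~5.6 m, moved ~33 m, then ~11 m more.
SAMPLE_FIXES = [
    Fix(ts=1_700_000_000, lat=51.50000, lon=-0.12, speed_kmh=0.0),
    Fix(ts=1_700_000_180, lat=51.50005, lon=-0.12, speed_kmh=0.0),
    Fix(ts=1_700_000_360, lat=51.50030, lon=-0.12, speed_kmh=3.0),
    Fix(ts=1_700_000_540, lat=51.50040, lon=-0.12, speed_kmh=0.0),
]

if __name__ == "__main__":
    for msg in run_cycle("tracker-01", SAMPLE_FIXES):
        print(msg)
```

Measuring movement against the last fix that was actually sent, rather than the previous sample, is what stops a slowly creeping vehicle (or GPS jitter) from never triggering an upload while still keeping the GSM radio off for most of the time.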
Beautifully put, conscience. Even Apple's early GUI was heavily influenced by GEM. What Apple now do best is marketing and packaging products to look shinier than they otherwise would then convincing you that your life will be empty without these things. Jony Ive's design skills are not to be belittled, yet to claim the results are anything more than admittedly inspired interpretation of existing technology with much prior art is risible.
The Treo 180 and 270 were the first integrated touch/phone devices. The former was monochrome, the latter colour. I had both. Both had keyboards. Graffiti™ was introduced with the PalmPilot (and the USRobotics branded device, back when modems were a thing) and subsequently carried across to the likes of the Tungstens, which were excellent in their day. It still wasn't the slab format, though. Palm's Treo 650 was the closest they ever came and, yes, it had a keyboard.
As for the Newton, least said soonest mended. The fact remains that the XDA was the first of what we now recognise as the de-facto standard format for a smartphone.
Everyone forgets this device. It was the first slab+colour touch screen with rounded edges that preceded the iShiny by years. If anyone has a claim to the format, it's O2. Palms either had keyboards or Graffiti™ input areas, Nok's Symbian was still a clunky menu-driven affair and Apple were still churning out clicky iPods.
Although it ran CE, the XDA was still an impressive beast for its time. With a decent OS, it could have spawned a revolution with itself as a major player. Instead, it rested on its laurels, kept the mediocre Redmondware and allowed Apple to pinch the format, as is their wont, apply polo-necked street cred to it and market it aggressively. Like Psion, whose 5MX has yet to be bettered in certain niche tasks, a very solid foundation was left unbuilt upon.
@Andy 97: Suckered in by the usual bait and switch. Don't feel as if it's your fault, many of us have been there. I'm fully expecting MinusNet to bump theirs by the same amount now, and STILL no IPv6 to show for it. Bastards.
Re: He really wants this?
I'm not convinced "sorry, love, I'm running a bit late. I need to find a Vacant Bellend Charge Point™" is going to improve the lot of already unpopular electric vehicles, either, especially when they grow another two connections (I2C, I'm assuming, although this is the Government so they'll probably have to spend a quarter of a billion to make a new standard that doesn't work) to slurp your mileage for road pricing...
Please note that Vacant is part of the name, not the charging facility's actual state. So, to specify one that you can actually use would mean "I need a vacant Vacant Bellend Charge Point™"
Re: You cant have it both ways
Remember Cirkit? Buy the catalogue in Smiths and order away to your heart's content.
I'm afraid I won't lament the passing of Maplin. They've been extracting the urine on prices for years and their products really aren't much cop, either. Take that "temperature controlled" soldering station with a triac chopper circuit and no tip feedback. It's temperature controlled only in that you can vary how fast the tip loses heat to a joint. Worse, it wipes out anything below 30MHz any time it is switched on. Awful bloody thing, and that's just one example.
Re: Lineage OS
Ta muchly for that post. I shall sync and kick off a build. That will be pretty much all devices patched against this flaw.
Credas wrote: Great idea, but who's going to do the hard work in the absence of a future source of income from patent licensing?
I didn't say it was a perfect solution; those only exist in the minds of idealists. There are some advances, however, that we could do without. Let us first define progress: Taking the best of what you have. And ruining it.
It's somewhat confusing that we have one law which prohibits monopolies and another that encourages them in very specific niches. It's almost as if it was designed by two different committees. Oh, wait...
I've been saying since forever that patents and standards should be mutually exclusive. Moot point here, though, because WPA/RSN is handled by the host so the binary blobs full of trade secrets used to abstract the hardware (Atheros, Broadcom et al) aren't an issue in this context.
Re: MAC Filtering
Never rely on MAC filtering for anything. MAC spoofing is utterly trivial. That's not to say don't enable MAC filtering and know what's on your network, just don't treat it as a layer in the security onion.
IPSEC is your friend if you really want to be secure over 802.11. There's the obvious trade-off in CPU cycles and throughput overheads, natch, but you need to define your priorities and compromise accordingly.
Allow me to clear this up:
What is happening is due to the hype surrounding the planned British exit from the EU. Both sides are equally to blame, the Remainers for foretelling years of doom and the Brexiteers for swaggering about as if the continent doesn't matter.
This is, in reality, two groups of powerful people arguing about who gets which cut of the swag. The losers, whatever happens, will be us. Every. Single. Time. Supporting one or the other is a bit like turkeys voting for Christmas.
Despite the icon, it's not exactly rocket science.
...how sad, never mind. This is the first step towards a default policy of "sod off" to people (I use the term loosely) who want to know every last detail of your life. As I've said before, bricks and mortar shops get the local telephone exchange's post code, they all get my defunct and unconnected landline and web biscuits disappear every time I hit the little X at the top right.
It was starting to get to the stage where they wanted your inside leg measurement to buy a sodding bag of Wotsits. Now, if we can just educate people to stop the human version of trackers (that bloke with the slack jaw grunting from behind the till) adding your details to every damned database in Christendom we'll be well on the way to having these cretins beaten. Okay, it's not nearly so bad in that he doesn't follow you around the other shops - probably because he'd get a totally non-virtual smack in the mouth for doing so - and then adds your other purchases to his little electronic list but it's bad enough.
"Can I take your post code, sir?"
"What for? I'll take them with me. I don't want them delivering and I don't need a warranty on a packet of screws." -- recent visit to Screwfix
Expression of wild-eyed, maniacal insanity, responding to every query with "What was that, Mr Flibble? Two hours W-O-O? Yes, that will teach him for being a bread basket" and filling the spaces with mumbled rants. They don't even have to be coherent, just make sure they sound ominous.
Worked for me for years, headphones optional. It's all spare cycles anyway.
Re: Treat it as a reccomendation
@zarvus: You realise, of course, that my point was not that Russia is all sweetness and light but that we have skeletons in our closets and rampant hypocrisy enough of our own as well, yes? Which do you prefer, an organisation which is open about its desire to oppress or one which does the same authoritarian shit but wraps it up in a veneer of "for your own good"?
Before you start banging on about democracy, take a look at how much choice you *really* have in those elections you're so fond of. Even the candidates are pre-selected before you even get to know there's an election happening, not to mention the actual core of "free western democracy" is beyond the electorate's reach in reality - the career civil servants, who are the reason the policies never seem to change between administrations, regardless of what the manifestos promise.
So, tovarisch, do you still feel like taking the piss or can you admit that no system is perfect?
Re: I wonder why that might be?
What was that old joke back in the Soviet era? "You can do anything you want in the USSR except vote." Looking at what voting gets us these days, I think I know which philosophy I'd prefer.
Re: Treat it as a reccomendation
This, in a nutshell. I can't think of a better recommendation for any product than "the NSA doesn't like it."
Credit reference agencies
Equifax, Experian, Call Credit et al, as far as I'm concerned they can all sod off. These parasites gather information on individuals and addresses whether you consent or not. This is what happens when you allow them to do so. I'm frankly surprised it took this long.
Please to be using our free WiFimabob.
Probably not applicable to greasy spoons, or whatever the equivalent Greek purveyor of e-coli is, but the majority of this free WiFi is simply another method of tracking. Since it's free, you have no expectation of level of service so if they fling an ad or two you're not going to ask for your money back.
Of course, we all have a VPN service to connect to, don't we? RSN with AES doesn't really matter when you have an encrypted pipe to the Internet, does it? And we'd never accept their DNS as canonical, would we? Think again. They're collecting MACs, linking them with customer data and they have a globally unique ID for you from one hotel stay, regardless of the pipe to the Internet. The AP has to be able to see your dirty MAC, Mr Columbo. You may as well have an LED sign, in 16M glorious colours, advertising your presence to every smug-faced marketer on the planet until your next device upgrade when the MAC changes again.
As always, follow the money.
Again, this remains relevant.
Your post advocates a
(x) technical ( ) legislative ( ) market-based (x) vigilante
approach to fighting cybercrime. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
(x) Legitimate uses would be affected
(x) Requires immediate total cooperation from everybody at once
(x) Many users cannot afford to lose business or alienate potential employers
(x) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
(x) Lack of centrally controlling authority
(x) VPNs and proxy servers
(x) Jurisdictional problems
(x) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
(x) Joe jobs and/or identity theft
(x) Technically illiterate politicians
(x) Extreme stupidity on the part of users
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
(x) Blacklists suck
(x) Whitelists suck
(x) Countermeasures should not involve sabotage of public networks
(x) Why should we have to trust you?
(x) Feel-good measures do nothing to solve the problem
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
Okay, I had to extend "spam" to "cybercrime" but the underlying message is the same.
I have some DVRs (one Tivo, two Humax) which record locally but as far as I can tell are not visible (at least to Shields Up) to the Internet.
Be very careful with that assumption. You're probably okay with your Tivo and Humax DVRs but most of these cheap CCTV DVR/NVR/IPCs, which is what we're discussing here as it was these which were targeted by Mirai, have a "cloud" feature built into the binary that processes the stream(s). Even if you disable the thing in the config, it'll still ping out to let the mothership know it's alive¹, which is why I said one of the mitigations was to block outgoing packets on MAC. Anything that can tunnel out through NAT/uPnP/firewall can tunnel back in again. ShieldsUp! won't detect stateful connections, only blatantly open ports.
¹Yes, I did verify this on the Hi3518E based cameras and a cheap, shonky Owsoo NVR, watching the resolver logs and sniffing the packets as they hit the brick wall of my router. Since most of this bilge is based on HiSilicon chippery, a safe course would be to err on the side of caution.
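The kind of check the footnote describes, as an added Python example that is not the commenter's own setup: parse dnsmasq's query log against its lease file to see which quarantined devices are still resolving names after their "cloud" feature was switched off in the config, and emit the per-MAC egress block the post mentions. The log lines, lease entries, MAC addresses and domain names are constructed; the dnsmasq `log-queries` line format, the `dnsmasq.leases` layout and the iptables `-m mac --mac-source` match are real.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample of dnsmasq output with log-queries enabled.
SAMPLE_QUERY_LOG = """\
Jan 12 03:04:05 dnsmasq[1234]: query[A] p2p-relay.example.invalid from 192.168.1.50
Jan 12 03:04:05 dnsmasq[1234]: forwarded p2p-relay.example.invalid to 9.9.9.9
Jan 12 03:04:06 dnsmasq[1234]: query[A] updates.example.invalid from 192.168.1.20
Jan 12 03:05:09 dnsmasq[1234]: query[A] p2p-relay.example.invalid from 192.168.1.50
Jan 12 03:05:10 dnsmasq[1234]: query[AAAA] ntp.example.invalid from 192.168.1.51
"""

# Constructed sample of /var/lib/misc/dnsmasq.leases: expiry, MAC, IP, hostname, client-id.
SAMPLE_LEASES = """\
1736650000 aa:bb:cc:dd:ee:01 192.168.1.50 ipcam-01 *
1736650000 aa:bb:cc:dd:ee:02 192.168.1.51 nvr-01 *
1736650000 aa:bb:cc:dd:ee:10 192.168.1.20 laptop *
"""

# Matches only the "query[TYPE] name from ip" lines; "forwarded"/"reply" lines are skipped.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<ip>\S+)$")


def parse_leases(text: str) -> Dict[str, str]:
    """Map each leased IP to the MAC that holds it."""
    ip_to_mac: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            ip_to_mac[parts[2]] = parts[1].lower()
    return ip_to_mac


def phone_home_report(log_text: str, ip_to_mac: Dict[str, str],
                      quarantined_macs: Iterable[str]) -> Dict[str, List[str]]:
    """For each quarantined MAC, the sorted set of names it tried to resolve.
    A device that should have gone quiet but still appears here is still
    beaconing to something, whatever its web UI claims."""
    watch = {m.lower() for m in quarantined_macs}
    seen: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        mac = ip_to_mac.get(m.group("ip"))
        if mac in watch:
            seen[mac].add(m.group("name"))
    return {mac: sorted(names) for mac, names in seen.items()}


def suggest_drop_rules(macs: Iterable[str]) -> List[str]:
    """iptables rules that stop frames from these MACs being forwarded off the
    LAN segment. The mac match only works on the inbound interface, which is
    exactly where FORWARD sees a LAN device trying to reach the Internet."""
    return [f"iptables -I FORWARD -m mac --mac-source {mac} -j DROP" for mac in sorted(macs)]


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    report = phone_home_report(SAMPLE_QUERY_LOG, leases,
                               ["aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"])
    for mac, names in report.items():
        print(mac, "->", ", ".join(names))
    for rule in suggest_drop_rules(report):
        print(rule)
```

Blocking at the forwarding gateway is what makes the post's point about NAT/uPnP stick: an outbound-initiated session is what lets the mothership reach back in, so the device must not be able to open one in the first place. A port scan from outside (ShieldsUp! style) never sees that path, which is why the resolver log is the better place to look.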
Re: Clueless users
Thanks for that, Symon. I didn't even know that existed but it looks very useful.
This is one time you really can't level that charge against the consumers. Many of the shonky PoS have hard-coded passwords in their root ROMfs and you simply can't change it without unsquashing the filesystem, messing with crypt, recreating the bin and buggering about with arcane flash commands in u-boot - and that assumes you can get a bootloader prompt in the first place, not to mention knowing the flash layout.
IP cameras based on the ever-so-popular Hi3518E chipset had this right up to the January 2016 firmware release. Worse, the default password was the same across multiple manufacturers. The only solution was to block forwarding at the gateway with MAC filtering or stick them on their own isolated segment.
If you want a decent IP camera, a Pi Zero W with the Picam NoIR, a switchable IR cut filter, a ring of IR LEDs and a decent wide angle lens works nicely. If you need a NVR, use a Pi III with ZoneMinder. All of this shonky rubbish needs to die in a fire.
News everybody was waiting for.
Yep, I'll sleep tonight. </sarcasm>
Re: Don't get your OS from an advertiser
Please stop shoving "Android" into a pigeon-hole. There's Android™ and then there's Android. Even if you don't feel like building it yourself, there is a plethora of options other than stock GoOgle-age. For my device, the Wileyfox Storm (I know, big mistake but I've beaten it into submission), there's Lineage nee CyanogenMod, Dirty Unicorns, AOSP Extended, VertexOS and many others. For a mainstream device such as the Moto <letter> handsets, there's more choice than you can shake a soggy stick at.
For Joe Public, yes, iOS offers advantages. For us lot on t' Reg, custom built Android beats seven shades of excrement out of Apple's walled garden.