Closed CPU's and Fabs Untrustworthy
https://boingboing.net/2016/06/15/intel-x86-processors-ship-with.html Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. https://libreboot.org/faq/ Links being mostly on the billions of gates we know exist, unfortunately not on the top secret ones we don't...
On Thu, 2016-06-16 at 01:22 -0400, grarpamp wrote:
https://boingboing.net/2016/06/15/intel-x86-processors-ship-with.html Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine.
https://libreboot.org/faq/ Links being mostly on the billions of gates we know exist, unfortunately not on the top secret ones we don't...
A computer inside a computer, running an OS the users can't change or audit. What could possibly go wrong? And what derelict clown thought up this idea? The existence of this malware is bad enough if it can be disabled, or changed to no longer be a threat. The fact that the CPU will not boot or will not stay running if this "other" CPU is physically removed, makes this a disaster. This makes the Pentium FDIV and F00F bugs look like the missing yellow key bug in MAP31 of the TNT: Evilution episode of Final Doom. (Which is to say, an annoyance but one which can be easily worked around.) Do AMD CPUs have these yet? How about other manufacturers (if there are any left)? Is this something we have to worry about today on any new computer designed for Intel CPUs, or is this just for "enterprise-level" gear? How do I know if a computer has this *before* I buy it? -- Shawn K. Quinn <skquinn@rushpost.com>
On Thu, Jun 16, 2016 at 01:06:58AM -0500, Shawn K. Quinn wrote:
On Thu, 2016-06-16 at 01:22 -0400, grarpamp wrote:
https://boingboing.net/2016/06/15/intel-x86-processors-ship-with.html Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine.
https://libreboot.org/faq/ Links being mostly on the billions of gates we know exist, unfortunately not on the top secret ones we don't...
A computer inside a computer, running an OS the users can't change or audit. What could possibly go wrong? And what derelict clown thought up this idea?
The derelict clowns at the NSA and other US MIC organs, who pay a pretty penny for the in CPU operating system! And, of course, the derelict clowns heading up Intel who take the money.
The existence of this malware is bad enough if it can be disabled, or changed to no longer be a threat. The fact that the CPU will not boot or will not stay running if this "other" CPU is physically removed, makes this a disaster. This makes the Pentium FDIV and F00F bugs look like the missing yellow key bug in MAP31 of the TNT: Evilution episode of Final Doom. (Which is to say, an annoyance but one which can be easily worked around.)
Do AMD CPUs have these yet? How about other manufacturers (if there are any left)? Is this something we have to worry about today on any new computer designed for Intel CPUs, or is this just for "enterprise-level" gear? How do I know if a computer has this *before* I buy it?
You sir, are not entitled to know! Now get back to your subservient life, peasant!
On Thu, 16 Jun 2016 01:06:58 -0500 "Shawn K. Quinn" <skquinn@rushpost.com> wrote:
On Thu, 2016-06-16 at 01:22 -0400, grarpamp wrote:
https://boingboing.net/2016/06/15/intel-x86-processors-ship-with.html
Do AMD CPUs have these yet?
I want to know too. (OK, I'll see what I can find out...)
On Thu, 16 Jun 2016 18:15:09 -0400 grarpamp <grarpamp@gmail.com> wrote:
Do AMD CPUs have these yet?
The second link was there for a purpose.
well, your link wasn't explicitly enough this one is : https://libreboot.org/faq/#amd
On Thu, 16 Jun 2016 18:15:09 -0400 grarpamp <grarpamp@gmail.com> wrote:
Do AMD CPUs have these yet?
The second link was there for a purpose. https://libreboot.org/faq/
Any-way, what's the point of bothering running any sort of 'secure' software on wholly compromised hardware...? I naively admit I wasn't aware of the fact that americunts (intel/amd) had sunk that low, but then again that's rather stupid on my part. Question remains, addressed to people interested in 'security' : Nobody seems to be trying to fix 'our' fundamental problem...? All the talk about snowden, tor, 'hacking' and similar propaganda is...well...propaganda.
On 6/17/16, juan <juan.g71@gmail.com> wrote:
Any-way, what's the point of bothering running any sort of 'secure' software on wholly compromised hardware...?
There isn't. But blatant risk taking is apparently fun for humans to engage in ;)
I naively admit I wasn't aware of the fact that americunts (intel/amd) had sunk that low, but then again that's rather stupid on my part.
Don't worry, many people don't know Intel's NIC's are involved in it too, all documented on Intel's site. Which means like any good manufacturer, they left themselves (and whoever their buddies or daddies are) nice little magic packet backdoors to the otherwise "secure" AMT, before even getting packet to the CPU gates and userland.
Question remains, addressed to people interested in 'security' :
Nobody seems to be trying to fix 'our' fundamental problem...?
I certainly not first to suggest starting open version of cpu and fab, but people cry 'impossible', and 'cost v benefit', 'time', bawl waah. Musk said fuck all that anti BS and is going to Mars.
All the talk about snowden, tor, 'hacking' and similar propaganda is...well...propaganda.
There are facts in there. But what is the fundamental problem? Surveillance? Secrets? Structures? The human genome?
On 6/17/16, juan <juan.g71@gmail.com> wrote:
the fact that americunts (intel/amd) had sunk that low
Then there's question what is and isn't secret in these chips, who will buy them, and what they'll do to Intel and users, by who... https://www.google.com/search?q=chinese+processors https://www.google.com/search?q=indian+processors https://www.google.com/search?q=russian+processors
On Fri, 17 Jun 2016 01:46:04 -0400 grarpamp <grarpamp@gmail.com> wrote:
On 6/17/16, juan <juan.g71@gmail.com> wrote:
the fact that americunts (intel/amd) had sunk that low
Then there's question what is and isn't secret in these chips, who will buy them, and what they'll do to Intel and users, by who...
https://www.google.com/search?q=chinese+processors https://www.google.com/search?q=indian+processors https://www.google.com/search?q=russian+processors
A quick look and I see there are no indian processors and a few russian ones. China is a wholly different matter and but althoug I'm not too hapy to admit it, the chinese can be trusted as much as the americans : zero. Not sure if that's what you were getting at though?
On Fri, 17 Jun 2016 01:23:05 -0400 grarpamp <grarpamp@gmail.com> wrote:
On 6/17/16, juan <juan.g71@gmail.com> wrote:
Any-way, what's the point of bothering running any sort of 'secure' software on wholly compromised hardware...?
There isn't. But blatant risk taking is apparently fun for humans to engage in ;)
Yeah... Well, I imagine that 'upstanding citizens' assume they will never be attacked by the Intel/AMD/US governmentcorporation. So, from the point of view of 'upstanding citizens' everything is fine and dandy. I know, in theory it may be possible for evil terrists to use the same backdoors or 'management engine' that the US govtcorp uses, but I think that's unlikely. Contrary to libertarian wishes, the gov't isn't that stupid or inept.
I naively admit I wasn't aware of the fact that americunts (intel/amd) had sunk that low, but then again that's rather stupid on my part.
Don't worry, many people don't know Intel's NIC's are involved in it too, all documented on Intel's site. Which means like any good manufacturer, they left themselves (and whoever their buddies or daddies are) nice little magic packet backdoors to the otherwise "secure" AMT, before even getting packet to the CPU gates and userland.
Ah yes, the ethernet subsystems also have a fully compromissed embedded procesor(s)?
Question remains, addressed to people interested in 'security' :
Nobody seems to be trying to fix 'our' fundamental problem...?
I certainly not first to suggest starting open version of cpu and fab, but people cry 'impossible', and 'cost v benefit', 'time', bawl waah.
Yes, and I'm wondering why. Creating a replacement for intel processors at 'competitive' prices might be a bit hard, but...hm...OK...there's this https://en.wikipedia.org/wiki/OpenRISC
Musk said fuck all that anti BS and is going to Mars.
All the talk about snowden, tor, 'hacking' and similar propaganda is...well...propaganda.
There are facts in there.
But what is the fundamental problem? Surveillance? Secrets? Structures?
The human genome?
Yeah, maybe the human genome. But joking aside, if one wants a 'secure' system of sorts while said 'secure' system can be trivially remote controlled by an 'attacker', one seems to have a fundamental problem, in my opinion...
On 6/16/2016 11:35 PM, juan wrote:
On Thu, 16 Jun 2016 18:15:09 -0400 grarpamp <grarpamp@gmail.com> wrote:
Do AMD CPUs have these yet?
The second link was there for a purpose. https://libreboot.org/faq/
Any-way, what's the point of bothering running any sort of 'secure' software on wholly compromised hardware...?
I naively admit I wasn't aware of the fact that americunts (intel/amd) had sunk that low, but then again that's rather stupid on my part.
Question remains, addressed to people interested in 'security' :
There's value in running security software on a compromised system because it helps to stop /mass/ surveillance. Ultimately, if you are under surveillance, they're going to get you but they're going to have to devote some time an effort /to you/. You're not going to get caught up in the worldwide dragnet. My personal quarrel with the NSA and other security services isn't that they watch people at all. It's that innocent people are getting caught in a dragnet and that information could be used against them later.
Nobody seems to be trying to fix 'our' fundamental problem...?
It's a hard AND expensive problem to address. There aren't a whole lot of people with processor design skills that aren't already working in processor design for one of the biggies. And the few that are likely don't have the money to bring up what it takes to do it. It's not like this is going to be bootstrapped by a Kickstarter.
All the talk about snowden, tor, 'hacking' and similar propaganda is...well...propaganda.
It's making people more aware of what's going on and how to protect themselves. Sure, it's not solving the problem but it is making things a bit better. Perfect is the enemy of good. If the spooks don't go after one person because it would take more personalized resources than simply catching them in a dragnet, that security has worked. We don't need 'perfect'. We need 'good enough'.
On Fri, 17 Jun 2016 13:52:38 -0500 Anthony Papillion <anthony@cajuntechie.org> wrote:
There's value in running security software on a compromised system because it helps to stop /mass/ surveillance.
Does it? Your servers are compromised and so are your 'SSL' connections...your tor routers are obviously compromised...any system used to defend against mass surveillance that you run on compromised hardware is...compromised.
Ultimately, if you are under surveillance, they're going to get you but they're going to have to devote some time an effort /to you/. You're not going to get caught up in the worldwide dragnet.
Backdoored hardware affects everybody except the gov't. Not to mention, why would it be OK to stop mass surveilance but not 'targeted' surveillance...of some big number of people?
My personal quarrel with the NSA and other security services isn't that they watch people at all.
Well, at least you are sincere...
It's that innocent people are getting caught in a dragnet and that information could be used against them later.
Aren't they 'innocent'? If they are 'innocent' they 'have nothing to hide'.
Nobody seems to be trying to fix 'our' fundamental problem...?
It's a hard AND expensive problem to address. There aren't a whole lot of people with processor design skills that aren't already working in processor design for one of the biggies.
I don't think processor design is especially hard. I admit I'm guessing, but I can't imagine what could be so hard about designing some kind of not-fancy, risc system. Not to mention.... http://opencores.org/
And the few that are likely don't have the money to bring up what it takes to do it. It's not like this is going to be bootstrapped by a Kickstarter.
Actually, it seems exactly like the kind of project that could/should be 'crowfunded'. What's the 'minimum order' when dealing with something like TSMC ?
All the talk about snowden, tor, 'hacking' and similar propaganda is...well...propaganda.
It's making people more aware of what's going on and how to protect themselves. Sure, it's not solving the problem but it is making things a bit better.
I don't know. I wouldn't blame Snowden and co.(or maybe I would?) but since 2013 things just kept and keep getting worse. Your NSA friends didn't back off an inch.
Perfect is the enemy of good. If the spooks don't go after one person because it would take more personalized resources than simply catching them in a dragnet, that security has worked. We don't need 'perfect'. We need 'good enough'.
'good enough' requires working hardware, not hardware remotely controlled from washington.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 6/17/2016 6:05 PM, juan wrote:
On Fri, 17 Jun 2016 13:52:38 -0500 Anthony Papillion <anthony@cajuntechie.org> wrote:
There's value in running security software on a compromised system because it helps to stop /mass/ surveillance.
Does it? Your servers are compromised and so are your 'SSL' connections...your tor routers are obviously compromised...any system used to defend against mass surveillance that you run on compromised hardware is...compromised.
Yes it does. Because before Snowden, they were basically capturing data right off the wire in many cases. They were passive. It just flowed right into their filters. Compromised hardware doesn't stop them from getting your data in all cases, but it makes them work a little more for it. They can't just sit on the wire and collect it because they have to address the differences in each compromised system. They have to seek you out instead of sucking it all in.
Ultimately, if you are under surveillance, they're going to get you but they're going to have to devote some time an effort /to you/. You're not going to get caught up in the worldwide dragnet.
Backdoored hardware affects everybody except the gov't.
Not to mention, why would it be OK to stop mass surveilance but not 'targeted' surveillance...of some big number of people?
I don't have a problem with targeted surveillance For example, if the police believe (with good reason) that someone is plotting to bomb the Whitehouse, I believe they should absolutely have the right and the tools to monitor that person. That surveillance should stop the moment they either have enough to make an arrest or they realize they are wrong. Do you believe that no surveillance should happen at all for any reason? You believe that's reasonable?
It's that innocent people are getting caught in a dragnet and that information could be used against them later. Aren't they 'innocent'? If they are 'innocent' they 'have nothing to hide'.
I don't subscribe to that believe so please don't put words that I didn't say or assume beliefs that I haven't expressed. People who are caught in the surveillance dragnet /may/ be innocent of any crime or they might not be. We really don't know, do we? I'm sure that some if the information the agencies have gathered /do/ involve people who are guilty of crimes and the data might prove it. Some, probably most, don't. If the government has strong evidence that an individual has committed a crime and evidence of it is being shared with others then they should go through the legal channels and get authorization to collect data on that single person. Not the entire neighborhood, not the entire city. A single person. Also, I don't subscribe to the bs about 'if you have nothing to hide, you have nothing to fear'. Taking precautions to protect privacy should never be taken as evidence of guilt. I'm not ashamed of my naked body and there are times when I might even have no problem walking in front of a window naked. But there are also times when I want privacy and will draw my blinds. I don't hide the fact that I use the bathroom but that won't stop me from closing the door when I go in. In both of those cases, I'm not hiding anything. I'm exercising a right to /privacy/. My privacy, when I am not committing a crime that harms others, should /always/ be under my control.
Nobody seems to be trying to fix 'our' fundamental problem...?
It's a hard AND expensive problem to address. There aren't a whole lot of people with processor design skills that aren't already working in processor design for one of the biggies.
I don't think processor design is especially hard. I admit I'm guessing, but I can't imagine what could be so hard about designing some kind of not-fancy, risc system.
Not to mention....
Processor design isn't particularly difficult. Neither is algebra. Something doesn't have to be /hard/ to not be /common/ and not be specialized. Processor design is not difficult to those who have taken an interest in it and chosen to learn how to do it. The number of people who would do that and then not seek jobs in the industry is negligible. Sure, there are some people who might do it out of interest or even for fun, but do you believe that number is really enough to start a company powerful enough to mass manufacture chips? Oh, and what about the person actually 'assembling' the chip who might know very little if anything about processor design? What about that person being bribed to insert something they don't even understand into the assembly process? Do you think that wouldn't happen? If Intel made it a policy not to have anything secret in their microprocessors, do you really believe the security agencies would just go "darn! There goes our chance to compromise Intel chips!" Also, what's stopping the agencies from actually starting up a front company just to manufacture open chips and slipping something in? Don't think it would happen because 'someone is watching' and the whole 'shallow bugs with many eyes' thing? I present to you Heartbleed and ShellShock. Oh and, of course, having the perfect processor /design/ is useless unless you have trusted fab which, of course, circles back to the low level worker and a nice big deposit of Bitcoin.
And the few that are likely don't have the money to bring up what it takes to do it. It's not like this is going to be bootstrapped by a Kickstarter.
Actually, it seems exactly like the kind of project that could/should be 'crowfunded'.
What's the 'minimum order' when dealing with something like TSMC ?
OK, so I'll retract my statement above. Maybe this could be crowd sourced. But again, how do we guarantee fab security? If a company has to crowdfund a small number of chips, do you really think they are going to have the money to set up fab operations that they can closely audit and control?
All the talk about snowden, tor, 'hacking' and similar propaganda is...well...propaganda.
It's making people more aware of what's going on and how to protect themselves. Sure, it's not solving the problem but it is making things a bit better.
I don't know. I wouldn't blame Snowden and co.(or maybe I would?) but since 2013 things just kept and keep getting worse.
Your NSA friends didn't back off an inch.
No, you're very right that they didn't. New attacks are being developed right now against vulnerabilities and backdoors we haven't even discovered yet. And the attacks get better and better especially when the companies collude with the government. It's not going to magically get better through simply knowing about how bad it is. That wasn't my point. But what can happen is larger and larger groups of people (who control the money that places like Intel are rather fond of) standing up and saying "we can't trust you so we're going elsewhere". Critical mass is needed to make a difference not just a few geeks ranting on Internet forums and mailing list. We don't have the market moving power that a larger group does. That's why making people aware and actually agitating the situation is so important.
Perfect is the enemy of good. If the spooks don't go after one person because it would take more personalized resources than simply catching them in a dragnet, that security has worked. We don't need 'perfect'. We need 'good enough'.
'good enough' requires working hardware, not hardware remotely controlled from washington.
No it doesn't. Good enough, in this case, means getting a bit of breathing room for people while the geeks figure out how we back the government off technically. Until they can't technically control every single piece of hardware, at least make it as hard as possible for them to control it. Sure, it's not solving the problem entirely but you have to admit it's going to protect some people who would otherwise get caught up in a dragnet. Their data isn't there anymore. Don't get me wrong, I am 100% behind making hardware secure. But we can't be so focused on absolute security with no compromise that we /only/ work on that and leave everything wide open until we have absolute. That's kind of like "well, we think the NSA might be able to break TLS by asking for our private key so we'll just keep using HTTP until we develop a way where having our private key doesn't matter". You do what you can and then you refine it closer and closer to perfection. Shit, I write a lot... Sorry :) -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJXZK1RAAoJEAKK33RTsEsVZP0QAJGSzHuvIDzoGJav/QG2eXOf hgl8Q/D/0/xStelYBsx2Sq6y6RHzczFeI3LlJdAT3W/WkqtugSCRtTtUFY4sHsyL gbRfCIkW2Yfg25z6fCr5iCp6rMqwEYlEy+H46tVsEizmGtYqVYo1jNaEsHMAzbbD SwTZ+I2sByKRoc+ArLzNiuEyp/1qynxQStocFNjZuhyJi7ujaKxK5k3V6Lh2HBkt dcNJngwJ7Ws4esIDDQ4DtzsNgK56GWMEt66GtUHGQaZxklB+QAwawZGgFpP2rHLu hjH72ko0doGwoSX1SRVATneqofq7WCvR7k8bRTV2ipsgGKHOpfndT6UBldK94ukL Tso2BOb7YVxgNIbz2BIOE4auJr9CNpQJSoaikoLkmQ1/IeYqqt7JAhdYR0VuBNbt 5sFUq0LejAQYZQSNoPX/38tlz6t7+9VO4iVn2iWzNp052/S3UwLvZaH/n9cfjaNm Hjhz0jebH2rzLdm3SlZr8F618luPuqgQg7HHNCdvm2MIlNc5oDKZOWhhfvvgDy1/ q1wZPntscLdolM/VY1m4MZMOK219MEatp4lgNBxsChhKH5Op11LN2U6hUZ069Rgb TL121QmP7JfmkbpehVONRbhhbou8bKsbcRvBe7ZDaS1kp950npNY8vJOjbpcINAX ISgmOkyMy9JcdKhxwhOc =DS8O -----END PGP SIGNATURE-----
On Fri, 17 Jun 2016 21:09:21 -0500 Anthony Papillion <anthony@cajuntechie.org> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
On 6/17/2016 6:05 PM, juan wrote:
On Fri, 17 Jun 2016 13:52:38 -0500 Anthony Papillion <anthony@cajuntechie.org> wrote:
There's value in running security software on a compromised system because it helps to stop /mass/ surveillance.
Does it? Your servers are compromised and so are your 'SSL' connections...your tor routers are obviously compromised...any system used to defend against mass surveillance that you run on compromised hardware is...compromised.
Yes it does. Because before Snowden, they were basically capturing data right off the wire in many cases.
And now more people turned https on? So the gov't now has to steal keys? And how hard could it be to steal keys when all intel/amd processors are backdoored? Also, you say "before snowden", but it just so happens that there were people giving the game away before snowden did : This is from 2006 https://en.wikipedia.org/wiki/Room_641A
They were passive. It just flowed right into their filters. Compromised hardware doesn't stop them from getting your data in all cases, but it makes them work a little more for it. They can't just sit on the wire and collect it because they have to address the differences in each compromised system. They have to seek you out instead of sucking it all in.
Yes, they now have to work more. But the million dollar question is how much more.
I don't have a problem with targeted surveillance For example, if the police believe (with good reason) that someone is plotting to bomb the Whitehouse, I believe they should absolutely have the right and the tools to monitor that person.
And I believe that blowing up the white house and its contents is an act of justice ;)
That surveillance should stop the moment they either have enough to make an arrest or they realize they are wrong. Do you believe that no surveillance should happen at all for any reason? You believe that's reasonable?
This being the cpunks mailing list I think it's reasonable to subscribe to libertarian anarchism and correctly see the government as the biggest criminal organization in town and having zero legitimacy. So I don't think that anything the gov't does is reasonable (OK, defense of person and property would be reasonable IF they only did that, which is virtually impossible or an 'utopia')
It's that innocent people are getting caught in a dragnet and that information could be used against them later. Aren't they 'innocent'? If they are 'innocent' they 'have nothing to hide'.
I don't subscribe to that believe so please don't put words that I didn't say or assume beliefs that I haven't expressed. People who are caught in the surveillance dragnet /may/ be innocent of any crime or they might not be. We really don't know, do we?
We don't. My point is, if one believes the government is good and it catches the bad guys, then why would one object to mass surveillance?
I'm sure that some if the information the agencies have gathered /do/ involve people who are guilty of crimes and the data might prove it. Some, probably most, don't.
'crimes' as defined by the government? Like smoking pot or gay sex? But again, the gov't uses mass surveillance. They discover 'criminals', which is allegedly good, while the innocent under surveillance don't suffer any harm (they don't even know they are being spied). What's the objection to mass surveillance then?
Also, I don't subscribe to the bs about 'if you have nothing to hide, you have nothing to fear'.
Why not? The goverment is good. Why shouldn't they know everything, in order to 'prevent' crimes and find 'criminals'?
Taking precautions to protect privacy should never be taken as evidence of guilt. I'm not ashamed of my naked body and there are times when I might even have no problem walking in front of a window naked. But there are also times when I want privacy and will draw my blinds. I don't hide the fact that I use the bathroom but that won't stop me from closing the door when I go in. In both of those cases, I'm not hiding anything. I'm exercising a right to /privacy/. My privacy, when I am not committing a crime that harms others, should /always/ be under my control.
Right to privacy, sounds reasonable to me, but the government can claim that 'national security' trumps it. Or something.
And the few that are likely don't have the money to bring up what it takes to do it. It's not like this is going to be bootstrapped by a Kickstarter.
Actually, it seems exactly like the kind of project that could/should be 'crowfunded'.
What's the 'minimum order' when dealing with something like TSMC ?
OK, so I'll retract my statement above. Maybe this could be crowd sourced. But again, how do we guarantee fab security?
That is of course a good question...My answer is "I don't have the slightest idea" - grarpamp? But at least the design and fabrication of micros seems doable. Not only that, there are a few designs already created... https://en.wikipedia.org/wiki/LEON https://en.wikipedia.org/wiki/LatticeMico32 https://en.wikipedia.org/wiki/RISC-V https://en.wikipedia.org/wiki/S1_Core https://en.wikipedia.org/wiki/OpenSPARC
If a company has to crowdfund a small number of chips, do you really think they are going to have the money to set up fab operations that they can closely audit and control?
Building a fab isn't an option - at least not a 5 billion, state of the art fab. What can realistically be crowdfunded is the manufacturing of chips at one of the fabs that do that kind of work.
No, you're very right that they didn't. New attacks are being developed right now against vulnerabilities and backdoors we haven't even discovered yet. And the attacks get better and better especially when the companies collude with the government. It's not going to magically get better through simply knowing about how bad it is. That wasn't my point.
I see.
But what can happen is larger and larger groups of people (who control the money that places like Intel are rather fond of) standing up and saying "we can't trust you so we're going elsewhere". Critical mass is needed to make a difference not just a few geeks ranting on Internet forums and mailing list. We don't have the market moving power that a larger group does. That's why making people aware and actually agitating the situation is so important.
Yes, if enough people stopped buying stuff from intel, they might get worried. But how many people are we talking about? Tens of millions? More? Is it easier to convince that many people to boycott intel, or is it easier to manufacture open source processors for a smaller market more interested in security?
Perfect is the enemy of good. If the spooks don't go after one person because it would take more personalized resources than simply catching them in a dragnet, that security has worked. We don't need 'perfect'. We need 'good enough'.
'good enough' requires working hardware, not hardware remotely controlled from washington.
No it doesn't. Good enough, in this case, means getting a bit of breathing room for people while the geeks figure out how we back the government off technically. Until they can't technically control every single piece of hardware, at least make it as hard as possible for them to control it.
Yeah, but in this particular case I don't see how software is going to do any damage control when " the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface"
Sure, it's not solving the problem entirely but you have to admit it's going to protect some people who would otherwise get caught up in a dragnet. Their data isn't there anymore.
Don't get me wrong, I am 100% behind making hardware secure. But we can't be so focused on absolute security with no compromise that we /only/ work on that and leave everything wide open until we have absolute.
Yes, agreed. But what seems to have happened so far is that the majority of efforts have been directed at the software side of things.
That's kind of like "well, we think the NSA might be able to break TLS by asking for our private key so we'll just keep using HTTP until we develop a way where having our private key doesn't matter". You do what you can and then you refine it closer and closer to perfection.
Shit, I write a lot...
Sorry :)
no worries =P
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJXZK1RAAoJEAKK33RTsEsVZP0QAJGSzHuvIDzoGJav/QG2eXOf hgl8Q/D/0/xStelYBsx2Sq6y6RHzczFeI3LlJdAT3W/WkqtugSCRtTtUFY4sHsyL gbRfCIkW2Yfg25z6fCr5iCp6rMqwEYlEy+H46tVsEizmGtYqVYo1jNaEsHMAzbbD SwTZ+I2sByKRoc+ArLzNiuEyp/1qynxQStocFNjZuhyJi7ujaKxK5k3V6Lh2HBkt dcNJngwJ7Ws4esIDDQ4DtzsNgK56GWMEt66GtUHGQaZxklB+QAwawZGgFpP2rHLu hjH72ko0doGwoSX1SRVATneqofq7WCvR7k8bRTV2ipsgGKHOpfndT6UBldK94ukL Tso2BOb7YVxgNIbz2BIOE4auJr9CNpQJSoaikoLkmQ1/IeYqqt7JAhdYR0VuBNbt 5sFUq0LejAQYZQSNoPX/38tlz6t7+9VO4iVn2iWzNp052/S3UwLvZaH/n9cfjaNm Hjhz0jebH2rzLdm3SlZr8F618luPuqgQg7HHNCdvm2MIlNc5oDKZOWhhfvvgDy1/ q1wZPntscLdolM/VY1m4MZMOK219MEatp4lgNBxsChhKH5Op11LN2U6hUZ069Rgb TL121QmP7JfmkbpehVONRbhhbou8bKsbcRvBe7ZDaS1kp950npNY8vJOjbpcINAX ISgmOkyMy9JcdKhxwhOc =DS8O -----END PGP SIGNATURE-----
so after some basic searching (showing how limited my knowledge is) I learned that * sun designed (mass manufactured?) open source processors https://en.wikipedia.org/wiki/OpenSPARC * sun was eaten by oracle (I knew oracle controlled java, I never bothered to check why...) * fixed costs for having a modern cheap mass produced start at 2 million dollars? http://electronics.stackexchange.com/questions/7042/how-much-does-it-cost-to... grarpamp?
participants (5)
-
Anthony Papillion -
grarpamp -
juan -
Shawn K. Quinn -
Zenaan Harkness