2014-02-16 4:03 GMT+01:00 <[1]dan@geer.org>:

   So, to get down to brass tacks: If I can get to the chip mask pre
   lithography, how many gates do I need?  A thousand for a kill switch
   and three thousand for a connection?

   You can also manipulate other parts of the machine. With features
   present in vPro all that's needed is a "buffer overflow" hidden "bug"
   that allows remote control. The "bug" might even be hidden in non-spec
   gates or code flashed into it later.
   Bottom line: no defense when you use vPro capable Intel chipsets.
   This is a massive problem for me as someone who'd like to produce a
   secure system. If the NSA can remote enable vPro anytime they like,
   what am I going to do at any other level? There's plenty of tricks you
   can pull to make it seem they didn't use vPro, as vPro usage is pretty
   much undetectable. Think manipulation of random number generation
   making it seem they have some unknown random number generator attack,
   when in fact they just manipulated it.
   So large is our current closed source trouble.

References

   1. mailto:dan@geer.org