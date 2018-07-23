Security: Data Security and Back Doors (ME) in Hardware
Episode 106 - Data isn't oil, it's nuclear waste
Josh and Kurt talk about Cory Doctorow's piece on Facebook data privacy. It's common to call data the new oil but it's more like nuclear waste. How we fix the data problem in the future is going to require solutions we can't yet imagine as well as new ways of thinking about the problems.
Intel Patches New ME Flaws That Could Let Hackers Run Arbitrary Code: Check For Patches
Talking specifically about the flaws, the first one is CVE-2018-3627. Described as a logic bug, this easily exploitable bug allows code execution. CVE-2018-3628 is the more dangerous sibling which enables comprehensive remote code execution in the AMT process; it’s also identified as a “Buffer overflow in HTTP handler.”
Intel patches new ME vulnerabilities
In early July, Intel issued security advisories SA-00112 and SA-00118 regarding fixes for vulnerabilities in Intel Management Engine. Both advisories describe vulnerabilities with which an attacker could execute arbitrary code on the Minute IA PCH microcontroller.
The vulnerabilities are similar to ones previously discovered by Positive Technologies security experts last November (SA-00086). But that was not the end of the story, as Intel has now released fixes for additional vulnerabilities in ME.
Why Intel will never let owners control the ME
Intel/AMD will never allow machine owners to control the code executing on the ME/PSP because they have decided to build a business on preventing you from doing so. In particular, it's likely that they're actually contractually obligated not to let you control these processors.
The reason is that Intel literally decided to collude with Hollywood to integrate DRM into their CPUs; they conspired with media companies to lock you out of certain parts of your machine. After all, this is the company that created HDCP.
This DRM functionality is implemented on the ME/PSP. Its ability to implement DRM depends on you not having control over it, and not having control over the code that runs on it. Allowing you to control the code running on the ME would directly compromise an initiative which Intel has been advancing for over a decade.
Android Leftovers
ReactOS 0.4.9 released
The ReactOS Project is pleased to announce the release of version 0.4.9, the latest in our accelerated cadence targeting a release every three months. While a consequence of this faster cycle might mean fewer headliner changes, much of the visible effort nowadays comes in the form of quality-of-life improvements in how ReactOS functions. At the same time work continues on the underlying systems which provide more subtle improvements such as greater system stability and general consistency. Also: ReactOS 0.4.9 Officially Released As The First Self-Hosting Version, Better Stability ReactOS 0.4.9 Officially Released with Self-Hosting Capabilities, New Features
Slax 9.5.0 released
I am happy to announce that a next version of Slax Linux has been released. Slax is a minimalistic, fully modular operating system. As usual, this version incorporates all upstream improvements from Debian stable, and fixes few small known bugs. I am also happy to announce that it is now possible to purchase Slax preinstalled on an USB flash drive with hardware-based AES encryption. This device is universally usable because the encryption is performed directly by the drive itself, there is no software to install needed. Once disconnected, the USB drive automatically locks itself again. Payment is possible only with Bitcoin, because I truly wish to see PayPal and credit card companies to cease to exist soon.
