
lainchan archive - /sec/ - 4652



File: 1488988695545.png (176.96 KB, 222x300, vuu8dJz.jpg)

No.4652

Greetings Lainons. Perhaps you can help me.

We all know the NSA, CIA, FBI, the ABC, DEF, GHI and so forth are spying on us through hardware. Let's face it; it's embedded in Intel and AMD CPUs at this point, and probably the motherboards as well. x86 and amd64 are no longer secure.

Now, with all that said, what are some 'open-source' hardware that have no proprietary garbage on them? Is the Raspberry Pi like this?

>pic unrelated

  No.4656

>We all know the NSA, CIA, FBI, the ABC, DEF, GHI and so forth are spying on us through hardware. Let's face it; it's embedded in Intel and AMD CPUs at this point, and probably the motherboards as well. x86 and amd64 are no longer secure.
They've not been secure for many years, no.

>Now, with all that said, what are some 'open-source' hardware that have no proprietary garbage on them? Is the Raspberry Pi like this?

The Raspberry Pi is not this. As of the last time I checked, it has a required GPU that requires proprietary software to operate.
There's not much in the way of hardware built and designed in the open for free public use. You may be interested in the RISC-V and related projects.

As a stopgap, you may want to peruse this, the laptop RMS currently uses:
https://www.fsf.org/news/libreboot-x200-laptop-now-fsf-certified-to-respect-your-freedom

I currently use a Lemote Yeeloong for certain needs, but these systems are reasonably scarce and so I wouldn't recommend pursuing one unless you very much want it in particular.

Your image is spoilered for being irrelevant. In the future, put in the small effort to find and use a relevant image.

  No.4658

>>4652
While your reasoning for asking this question may be security related, your question itself seems more like it belongs on /tech/. Furthermore, when you say "open source hardware" do you mean hardware that uses open source firmware, devices where the boards and other information for building your own is open sourced as well, or devices using actual open source processors?

>We all know the NSA, CIA, FBI, the ABC, DEF, GHI and so forth are spying on us through hardware. Let's face it; it's embedded in Intel and AMD CPUs at this point, and probably the motherboards as well. x86 and amd64 are no longer secure.

You should really state a more detailed threat model, as this statement could describe someone worried about anything from exploitable bugs in firmware, to malicious firmware being flashed to your device, to malicious firmware coming from the factory, to actual hardware backdoors.

  No.4663

>>4652
Raspberry Pis are Broadcom boards that have AMD processors; they're as proprietary as it gets (the only "openness" they have is the large community dedicated to reverse-engineering the hardware).

RISC-V is a project aiming to build a fully open-source processor ISA. The HiFive1 by SiFive (https://www.sifive.com/products/hifive1/) is an Arduino-like microcontroller that's available for purchase. lowRISC (http://www.lowrisc.org/) is a Raspberry Pi-like SoC that's in development; they're looking to crowdfund an initial version by the end of 2017.

  No.4664

File: 1489029028153.png (64.98 KB, 200x86, 1461288154237.jpg)

>>4663
>Raspberry Pis are Broadcom boards that have AMD processors
I don't even.

  No.4667

>>4656
can you libreboot a laptop yourself?

  No.4668

File: 1489043047077.png (51.97 KB, 190x200, UAFSE.jpg)

>>4667
Can you use a fuarrrking search engine? If you are incapable of doing the most basic research to answer that question yourself, then no you won't be able to install libreboot yourself as you'd inevitably fuarrrk something up along the way.

  No.4689

>>4668
At least he's not part of the botnet because of Google searches.

  No.4690

>>4689
It's a fuarrrking saying, don't take it so literally.

  No.4692

OP, if you'd rather trust the MPS, MSS, PLA etc. and you live outside of China, you could always go the MIPS route and get a device with a Loongson.

If you have a larger budget, the Novena could be a worthy choice.

Now say you're worried about what 4658 mentioned, 'anything from exploitable bugs in firmware, to malicious firmware being flashed...'.
The best available solution would be to flash with coreboot and compartmentalize your peripherals with Qubes; just make sure the device you get is in both their HCLs.

  No.4693

This may not be on topic, but it's a /sec/ question anyway.

Non-US resident here.
This may sound like I'm trying to troll you people, but I swear, I'm not. I seriously want to know.
Don't you ever get tired of this? Like, being afraid of everything being a potential sec breach for you?

I'm all for privacy and open software-hardware but how far can your distrust go? What kind of life do you live when you feel like every single chip in any motherboard could have a hardware backdoor?

I really like /sec/ and miss /cyb/, but damn. I'll keep modifying my soykaf to use more secure software, but I feel like distrusting hardware based on potential sec holes is kinda going too far down the madness lane.

  No.4695

>>4693
Seriously this.

I've been using Windows for years on proprietary hardware and never had a problem. Even if the government is spying on me, it's never affected my personal life.

  No.4696

>>4695
I didn't mean it like that either. I don't think we should get into a "why would I care about my privacy if I don't have anything to hide" kinda debate; privacy is a human right and we all should fight for it.
But, in my honest opinion and without meaning to harm or attack anyone, going as far as checking every single piece of hardware for potential back doors is too much paranoia. I'm pretty paranoid myself, and I trust almost only the software written by me or other people on the internet which can be audited for security and such, but man, if I start distrusting my hardware, what's left?
I feel like the only answer for me at least would be suicide.

I do my best to cover and protect my own privacy, but I gotta stand on some solid ground, and if the hardware isn't that ground, there's just nothing left for me.

  No.4701

>>4693
>Don't you ever get tired of this? Like, being afraid of everything being a potential sec breach for you?
Not really. All this hype about the recent CIA leak is mostly over nothing and I'm amazed at how people are freaking out from the revelation that government agencies use exploits and that software vulnerabilities exist. This leak has changed nothing for how you would secure a computer. The only thing that could be particularly worrisome about this leak when it comes to personal computers is if Wikileaks doesn't release the CIA's zero day exploits to the affected parties and later to the public, as otherwise whoever leaked this information to Wikileaks can use those zero day exploits or sell them on the black market.

>What kind of life do you live when you feel like every single chip in any motherboard could have a hardware backdoor?

/sec/ is for real world security issues, not sci-fantasy issues. Hardware back doors are stupid because they can't do as much as malicious firmware (which the Snowden leaks showed that the NSA has used), they still require getting malware to the system you wish to compromise to actually make use of the back door, and actual use of such a back door would be extremely limited due to the massive fallout that would result if its existence was discovered or leaked.

  No.4702

>>4701
>and actual use of such a back door would be extremely limited due to the massive fallout that would result if its existence was discovered or leaked.
Thank you for replying to the second doubt I had. You mean that ALL of the soykaf that ever gets posted about hardware backdoors is based on pure guesses?
Holy crap my man.

  No.4704

>>4696
not to mention all of the devices in any given room that aren't secure. people walking about with their glowing rectangles running stock botnet everything.

i've got several layers of tinfoil myself but how much effort is necessary when you walk around potentially being watched all day?

it comes down to threat model. if you're worried about state actors, you're not going to be able to lead a "normal" life and avoid them. by not leading a "normal" life, you're easily targeted by state actors.

i personally don't see a way to secure ourselves from the state so my threat model is avoiding other individuals who would passively target me to utilize my systems (DDoS botnets and the like). i don't believe i've drawn the ire of anyone who would want to directly attack or dox me, so i don't consider that model at the moment.

i also do my best to avoid corporate surveillance that's designed to feed marketing engines and direct ads at me.

none of that requires me to worry about the hardware level. i do try to ensure the hardware layer is secure if it's within my practical means, though. it's not something i aim for directly.

  No.4706

I'm not gonna let your nonsense sink this thread.

  No.4708

File: 1489102406571.png (23.06 KB, 200x196, 1477601409239.jpg)

>>4690
But it's a harmful saying that promotes the use of non-free search engines.

  No.4709

>>4708
Ok lain, next time you're given the chance, drop "just fuarrrking searx it".
You'll get an odd stare and then a response of "searx", "what's a searx".
>fuarrrk this planet

  No.4713

>>4709
You don't have to mention any search engines at all. Just tell people to "look it up" or consider ignoring them if you REALLY think they aren't worth your time. Nobody's impressed with your cynicism.

  No.4718

>>4713
>Nobody's impressed with your cynicism.
the need to impress others shows nothing but self-pity for oneself.
speak your mind slave

  No.4720

>>4693
>Don't you ever get tired of this? Like, being afraid of everything being a potential sec breach for you?
Yes. I'm not afraid. The entire world is too complex and tiresome nowadays. I think it's fair to say humans aren't inclined towards living like this well.

>I'm all for privacy and open software-hardware but how far can your distrust go? What kind of life do you live when you feel like every single chip in any motherboard could have a hardware backdoor?

I already want to design my own hardware; the security aspect is purely an auxiliary benefit.
As for everyone else, I want to isolate myself entirely, eventually, for at least a few years, at least to clear my head.

  No.4728

>>4706
Wtf does that mean? What "nonsense"?

  No.4731

>>4720
>I already want to design my own hardware; the security aspect is purely an auxiliary benefit.
That sounds cool, I might get into it someday.
>As for everyone else, I want to isolate myself entirely, eventually, for at least a few years, at least to clear my head.
You know, I've never been one for escapism, but I think I understand you. I try to live a normal life aside from all the stuff I usually do, no idea why, but yeah, it's so tiresome sometimes. Sometimes I feel like the only way to do things my way is fighting against something. I'd love to have some peace every now and then. But we're getting too much into /feels/ territory. I really hope you get to feel better relatively soon my man.

  No.4739

If you don't need HD video and don't mind ARM, the Rockchip-based Chromebooks are pretty good, same with the ODROID and several other non-rpi SoCs. From what I understand the rpi needs a binary blob even just to boot, since it uses the GPU to initialize everything for some reason. Most SoCs use the same GPU series, but if you just don't install the userland binaries you can dodge any closed source code. The ASUS Chromebook C201 is even listed on the libreboot site.

>>4693
Nah, soykaf's fun. Every day my cyberpunk LARPing gets a little more real.

Also, don't think you are free from it just because you aren't from the US. If you look hard enough I'm sure you will find that your country has equally shady practices, or treaties to share intel with a nation that does.

  No.4741

>>4739
>the ODROID
Last I checked those needed a signed bootloader, or at least some of them did. I'm still hoping that new RK3288 based SBC from Asus gets good support from the FOSS community.

  No.4760

"Open source hardware" is a joke for dummies that think hardware is like software

In reality, unless you have an electron microscope and time to check each layer of silicon for any irregular pattern of transistors, then it's futile.

Unless.... you could have a global community of people donating extra old processors to that one guy on college that has access to electron microscope....

  No.4766

>>4760
I would think open source hardware would be more important for promoting competition in the market and driving down cost than it would be for security. There are arguable advantages for security but like you said, you can't be sure. If there are several companies making the same sort of chips then you could choose the company you distrust the least. That way when you get pwned by a hardware backdoor you can at least say you tried to avoid it.

  No.4767

>>4766
Competition in the market?
Open source hardware is usually underpowered and overpriced, not to mention it is barely open source.
The little market share that laptops like bunnie's have is not putting even a scratch on the big companies.

The best way to go about it is what I said. One guy with access to an electron microscope using a crowdfunded thing to make big companies flinch.

  No.4774

>>4766
Has anyone ever been pwnd by a hardware back door, ever?

  No.4776

>>4774
Not him, but remote hardware backdoors are bound to be precious, considering the small attack surface (pretty much just the NIC firmware, plus the IME if it's an Intel NIC). I bet even the NSA can't afford to burn them on low-value targets. They do have SMM rootkits, according to Snowden, but just for persistence, not insertion.

  No.4777

>>4774
How would you know if you were?
Would it matter?
Security is all about "might happen", that's why you wear seatbelts while you drive, you dummy.
Long story short, I've seen a few people trying to dissect the Intel ME but with no results. They found out it spits out public key encryption after fuzzing it.

  No.4778

>>4777
>Would it matter?
Yes, because there is no evidence of hardware back doors existing and the risks of having them implemented in hardware outweigh the benefits, see: >>4701. Also keep in mind that if such a back door exists, then whatever group implemented it would risk it not only being used against them but also against critical infrastructure and banking institutions in their country unless information was passed around for those potential targets to avoid the back doored hardware (which only increases the risk of the back door being discovered).

>Security is all about "might happen", thats why you wear seatbelts while you drive you dummy.

...and hardware back doors are so far off from what might realistically happen that you may as well be worried about the government having a back door in major encryption algorithms like AES, the government secretly proving P=NP, or aliens abducting and sodomizing you (as is to be expected of aliens~).

  No.4781

>>4777
>Security is all about "might happen", that's why you wear seatbelts while you drive, you dummy.
Okay, I get you, but this is exactly the same thing as wearing tinfoil hats only in case the government is reading your brain with invisible rays, or living in a bunker only in case of a possible nuclear war.
I'm pretty paranoid myself, but I think that's going a little too far, which is what I was stating in my original post.

  No.4798

>>4778
>Yes, because there is no evidence of hardware back doors existing
My dude, just because Intel doesn't come out and say "HEY, THIS IS A BACKDOOR" doesn't mean it's not still a backdoor. Ostensibly, yes, these management engines are to be used in corporate environments for OOB management but when these features questionably appear in end-user processors, there's a problem. It doesn't matter if Intel has bad intentions with the ME or not; considering that the way it is designed would allow Intel to execute code on any networked computer with a post-2008 Intel processor makes it by definition a backdoor. Call a spade a spade.

https://libreboot.org/faq/#intel

  No.4802

>>4798
>Call a spade a spade.

but do you always call a spade a weapon?

  No.4805

>>4802
A properly sharpened entrenching tool is your friend Boris.

>>4760
Right, where's the fundamental difference between open-source software being compromised via an infected compiler and open-source hardware being compromised in the factory (analogous to compiling stage)?

Aside from Diverse Double-Compiling not applying nearly as nicely to hardware.
https://en.wikipedia.org/wiki/Backdoor_(computing)#Countermeasures

  No.4806

>>4798
>Ostensibly, yes, these management engines are to be used in corporate environments for OOB management but when these features questionably appear in end-user processors, there's a problem.
They're used for a lot more features than OOB management.

>considering that the way it is designed would allow Intel to execute code on any networked computer with a post-2008 Intel processor makes it by definition a backdoor

First of all, AMT can be turned off in the BIOS/UEFI. Second of all, even if you do have it enabled, some random person on the internet can't just open up a connection on that port on a machine on your network unless you aren't using a router, firewall, or anything between your computer and the internet. A service that you can disable is not a back door.

  No.4807

>>4805
>A properly sharpened entrenching tool is your friend Boris.

doesn't answer the question.

  No.4808

>>4806
>AMT can be turned off in the BIOS/UEFI
How can you be sure that it's off? It doesn't matter if you turn off the AMT in the BIOS; the ME is still present, still running, and can still have network capabilities turned on.

>Second of all, even if you do have it enabled, some random person on the internet can't just open up a connection on that port on a machine on your network unless you aren't using a router, firewall, or anything between your computer and the internet.

I never said they could. However, if you make any connection to an Intel-controlled server, then--barring strict blacklisting of Intel domains/IPs at the router--Intel could relay the "magic" packets for remote code execution on the user's computer; and the router would happily forward them right to their computer, compromising it. Not to mention that the ME could make all of this transparent by simply disallowing those magic packets from being sent along to the OS (and thus able to be detected by the user). I'm not saying that Intel would do this, but I am saying that this is /possible/ and regardless of your stance on the ME, it is still a backdoor. OOB management is a backdoor _by design_ and its inclusion should not be something the hardware manufacturer decides for end-users. That's the problem with the ME--end users can't remove it or disable it in any meaningful way.

>A service that you can disable is not a back door.

It's still a backdoor regardless of whether it's on or not. I really don't know how else to get this through to you because it's a very simple concept: A spade is still a spade even if it's being used as a weapon, >>4802, instead of moving soil or anything else for that matter.

Again, OOB management is a backdoor _by design_. This doesn't mean it's always bad, that'd be ridiculous, the problem is not being able to prevent it from running *and* remove it completely. I feel like I'm repeating myself here.

  No.4809

>>4808
>However, if you make any connection to an Intel-controlled server, then--barring strict blacklisting of Intel domains/IPs at the router--Intel could relay the "magic" packets for remote code execution on the user's computer; and the router would happily forward them right to their computer, compromising it.
That's not how networking works. Just because you connected to an IP address somewhere doesn't mean that your router or firewall will suddenly allow the computer at that IP address to send packets to any port on your computer, unless you have your router or firewall specifically configured to do so.

>It's still a backdoor regardless of whether it's on or not

No, it's not, and neither is the SSH server that came preconfigured to run with the Linux distro I have installed on a device of mine, nor is the ability to plug a terminal into the serial port on my desktop. Accusing everything you don't like of being a back door just makes the words lose their meaning.

  No.4812

>>4809
>That's not how networking works. Just because you connected to an IP address somewhere doesn't mean that your router or firewall will suddenly allow the computer at that IP address to send packets to any port on your computer, unless you have your router or firewall specifically configured to do so.
Where did I say that they could send packets to any port? Besides, the destination port *doesn't matter*. As long as it's a port that the router is expecting a response on, a software firewall on the computer will not matter regardless of how strict or permissive the firewall rules are. This is because the ME has access to these packets _before_ the OS is even made aware of it.

>Accusing everything you don't like of being a back door just makes the words lose their meaning.

So you're not willing to admit that the ME is a backdoor, huh? Even in the face of damning evidence to the contrary? Well, I'm done wasting my time here with a contrarian.
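The disagreement between >>4809 and >>4812 about what an edge router or firewall lets through can be made concrete with a small connection-tracking model. This is an added illustration, not code from the thread: the firewall class, the LAN/WAN addresses (RFC 5737 documentation ranges) and the port numbers are all constructed, and the 16992 port used for the "unsolicited" case is Intel AMT's well-known TCP port as general background, not a value taken from the thread. The model shows both posters' points at once: an outbound connection creates a tracked flow, replies on that exact 5-tuple are forwarded to the host, and unsolicited packets from the same or any other remote address are dropped unless an administrator has explicitly exposed the port. What inspects a forwarded packet once it reaches the host's NIC, which is the part the two posters actually dispute, is outside this model.

```python
"""Toy stateful-firewall (connection tracking) model for an edge router.

Added example; addresses, ports and the class itself are constructed
for illustration and are not code from the thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StatefulFirewall:
    """Edge router/firewall that tracks flows initiated from the LAN.

    A WAN packet is forwarded only if it is the exact reverse of a
    tracked flow (the host is expecting a response on that port), or if
    an explicit inbound rule (port forward) exists for its destination.
    """

    def __init__(self, lan_prefix, port_forwards=None):
        self.lan_prefix = lan_prefix
        # Tracked flows as (lan_ip, lan_port, remote_ip, remote_port, proto)
        self.flows = set()
        # dst_port -> description; an admin-configured inbound exposure
        self.port_forwards = dict(port_forwards or {})

    def _is_lan(self, ip):
        return ip.startswith(self.lan_prefix)

    def forward(self, pkt):
        """Return 'ALLOW' or 'DROP'; outbound packets also create state."""
        outbound = self._is_lan(pkt.src_ip) and not self._is_lan(pkt.dst_ip)
        inbound = not self._is_lan(pkt.src_ip) and self._is_lan(pkt.dst_ip)
        if outbound:
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return "ALLOW"
        if inbound:
            reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
            if reverse in self.flows:
                return "ALLOW"  # reply on an established flow reaches the host
            if pkt.dst_port in self.port_forwards:
                return "ALLOW"  # administrator deliberately exposed this port
            return "DROP"  # unsolicited inbound: no matching flow, no rule
        return "DROP"  # neither direction crosses the LAN/WAN boundary


def scenario():
    """Walk through the thread's cases; returns a dict of verdicts."""
    fw = StatefulFirewall("192.168.1.")
    host = "192.168.1.10"  # constructed LAN host
    server = "203.0.113.5"  # constructed remote server (TEST-NET-3)
    other = "198.51.100.7"  # constructed unrelated remote host (TEST-NET-2)
    results = {}
    # 1. Host opens an HTTPS connection to the server: tracked and allowed.
    results["outbound"] = fw.forward(Packet(host, 51000, server, 443))
    # 2. Server answers on the same flow: forwarded to the host.
    results["reply"] = fw.forward(Packet(server, 443, host, 51000))
    # 3. Same server starts a new connection to a management port the host
    #    never contacted it from (16992, AMT's well-known port): dropped.
    results["unsolicited"] = fw.forward(Packet(server, 40000, host, 16992))
    # 4. A different remote host reuses the host's open port number: the
    #    flow is keyed on the full 5-tuple, so this is also dropped.
    results["spoofed_port"] = fw.forward(Packet(other, 443, host, 51000))
    # 5. With an explicit port forward the same unsolicited packet would pass;
    #    that exposure is an administrator's decision, not a default.
    fw_exposed = StatefulFirewall("192.168.1.", port_forwards={16992: "admin-exposed"})
    results["port_forwarded"] = fw_exposed.forward(Packet(server, 40000, host, 16992))
    return results


if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{case:15s} {verdict}")
```

Case 2 is the one >>4812 relies on (a reply on an expected port is forwarded regardless of any host-side filter), while cases 3 and 4 are the ones >>4809 relies on (having talked to a server does not let that server, or anyone else, open a new inbound connection). Both are true of an ordinary stateful edge device at the same time.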

  No.4813

>>4812
>Where did I say that they could send packets to any port? Besides, the destination port *doesn't matter*. As long as it's a port that the router is expecting a response on, a software firewall on the computer will not matter regardless of how strict or permissive the firewall rules are. This is because the ME has access to these packets _before_ the OS is even made aware of it.
...and now you're entering tinfoil hat hardware back door territory that I already addressed the problems with making here: >>4778, complete with the normal lack of evidence to back up the claim that such a back door exists.

>Even in the face of damning evidence to the contrary?

You haven't provided any evidence, just baseless claims and speculation. Additional attack surface existing does not a back door make.

>Well, I'm done wasting my time here with a contrarian.

Wanting to see actual evidence of serious vulnerabilities like back doors existing in hardware/firmware from the manufacturer instead of baseless claims and speculation about malicious acts on the part of manufacturers is contrarian? It sounds like you would be better off on a different site if you consider dealing in facts and evidence rather than baseless claims and speculation to be contrarian.

  No.4814

It's very unlikely that any security agency would go to the effort of strongarming or infiltrating Intel and AMD, and it's even less likely that they would waste such a good exploit on the general public, when other exploits exist at the software level that are easier.

  No.4817

>>4812
I'm not the same guy you've been talking to, I agree with you that ME is indeed a backdoor.

However, if you actually understand how networking works on a basic level, you would understand just about how impossible it would be for Intel to perform a stealthy intrusion into a properly secured network using the ME as a platform for entry.

Never go full schizo

  No.4863

> Is the Raspberry Pi like this?
No.
Get a ThinkPad X60. Replace the wifi card with something libre. Flash the BIOS chip with Libreboot. Install Trisquel.

  No.4864

RBPi's aren't open-source hardware. Beaglebone Blacks are.

  No.4867

File: 1489806224302.png (30.29 KB, 200x164, 53247490.jpg)

>>4864
>open hardware
>proprietary HDMI connector by default
I don't understand why this is acceptable. There is literally a licensing fee for it yet people keep putting it on everything.

  No.4888

>>4867
Because it pays for itself a thousand fold over?

  No.4903

>>4867
>DVI is bulky, not designed for audio
>USB 3.0 to replace HDMI

Do you have an alternative solution?

  No.4912

>>4807

Try to walk through airport security with a spade and see how far you get...

  No.4913

>>4912
So all bottles of water are bombs. Got it.

  No.4914

>>4903
DisplayPort. From https://en.wikipedia.org/wiki/DisplayPort#Cost

"VESA, which created the DisplayPort standard, states the standard is royalty free to implement."

  No.4933

How is the license on USB-C?

Can it finally replace HDMI?