MINIX Creator Andrew Tanenbaum Sends Open Letter to Intel Over MINIX Drama

[phanbuey]

just wait until they can separate us and control our emotions through mass ai targeted social and mass media messaging ...

then all the nakedwatermonkeyants will be part of the hive.

and there will be drones. and white chryslers... and puppies.

/tinfoil

time to go break something i guess.

 

[OSdevr]

Why would it be awkward? It would be interesting actually.

See my username . I wrote a hobby OS a while back. I've been thinking about doing it again (properly this time).


What I find most surprising about Minix in Intel CPUs is that they have a multitasking operating system in there (apparently with various privilege levels). I would have thought a monotasking OS would be much more suitable, or even no 'OS' at all, just using the core like a microcontroller.

 

[phanbuey]

See my username . I wrote a hobby OS a while back. I've been thinking about doing it again (properly this time).


What I find most surprising about Minix in Intel CPUs is that they have a multitasking operating system in there (apparently with various privilege levels). I would have thought a monotasking OS would be much more suitable, or even no 'OS' at all, just using the core like a microcontroller.

not an os writer (disclaimer) - but could it be because they want to open the chips up to direct connect self learning algorithms, or at least experiment with the concept, in the near future?

 

[RejZoR]

Still have the third edition of "Modern Operating Systems", along with Crowley's "Operating Systems: Design Oriented Approach".
Though, I gave up on college way before I got those


Don't worry, they've got one of their own.


Several potentially critical vulnerabilities with no way of patching on older platforms (sources mention some were known for many years).
Also, no way of completely disabling ME without harming the hardware (you are lucky if you'll only get a 15 second POST delay, otherwise your mobo won't even start).
Plus, both AMD and Intel are so secretive about their security tech, that it forces people to think whether ME or AMD SecureChip are really that secure, or whether they simply apply the tactics of "obfuscated security".

It's not the same. AMD openly documented it and we all know they run a secure coprocessor to isolate YOUR code. What Intel is doing is hiding their own code for unknwon purposes.

 

[silentbogo]

It's not the same. AMD openly documented it and we all know they run a secure coprocessor to isolate YOUR code. What Intel is doing is hiding their own code for unknwon purposes.

You are confusing things again. Not sure if it's intentional or unintentional.
AMD PSP has been around just a tad less than IME, and in both instances the presence of such technology was well known and presented in advance. Both are supervising the entire system, and both are closed-source.
Neither company actually disclosed the internals of their security tech beyond vague "memory management", "platform updates", "security", "crypto".
Actually, in case of AMD it's even worse.
Intel ME is actively being researched and dissected, plus all of the Intel's ME tools and UEFI tools (meant for OEMs) are easy to find after numerous leaks. In case of AMD - no tools are available, no active research is in process as far as I know.
Some intel motherboards can survive the procedure of removing ME region from BIOS, or replacing it with open-source alternatives. For AMD - no such luck. No PSP firmware means a bricked motherboard.
Plus we don't know if AMD PSP is present on current-gen. gaming consoles (I believe it is and in addition to Crypto and DRM probably handles some more questionable stuff).

There is no open documentation on AMD PSP. And it is absolutely the same.
AMD won't opensource PSP firmware in the foreseeable future, regardless of whether the community demands it, writes petitions, or whether it will simply make them look better than Intel for once.

 

[natr0n]

 

[Easo]

Can someone explain to me where the problem exactly is? What Intel ME does has been known for years, after all, it's used in vPro capable CPU's for remote management even when computer has been turned off (think iLO, iDRAC or similar, if you are familiar with physical server management).

 

[silentbogo]

Can someone explain to me where the problem exactly is?

Bug in earlier versions of AMT and SBA package, which is hard to mitigate (old hardware, no BIOS updates from OEMs).
https://www.intel.com/content/www/u...ogy/intel-amt-vulnerability-announcement.html

 

[GatoRat]

Release something for free and then whine when someone actually uses it. Release software under GPL and then whine when people don't use it.

 

[Easo]

Bug in earlier versions of AMT and SBA package, which is hard to mitigate (old hardware, no BIOS updates from OEMs).
https://www.intel.com/content/www/u...ogy/intel-amt-vulnerability-announcement.html

Yeah, but so what? Bugs can happen for all systems and support for old computers have always been up to the manufacturer. It has nothing to do with Intel. HP, for example, patched even their 1st Gen Core series computers.

Plus this is not something you can easily exploit.

 

[biffzinker]

https://thenextweb.com/security/201...computer-intel-skylake-cpu-can-owned-via-usb/

Security firm Positive Technologies reports being able to execute unsigned code on computers running the IME through USB. The fully fleshed-out details of the attack are yet to be known, but from what we know, it’s bad.

Essentially, the IME is linked to JTAG (Joint Test Action Group) debugging ports. USB ports also use JTAG. For this attack, Positive Technologies figured how to bridge the gap, although as previously mentioned, they haven’t gone into specifics of how. Fortunately, this particular attack vector only affects Skylake and above CPUs.

 

[syrup]

My eyes glaze over whenever I try to wrap my head around what the Management Engine is - especially how it applies to my computers. On the one hand, there are heaps of people who say it's only for remote admin and basically doesn't affect the consumer space (which seems true in some sense - Intel's statement on the critical ME vulnerability that was in the news earlier this year says it doesn't affect consumer PCs or firmware). On the other hand, consumer motherboards do have ME listed as a feature with driver/software downloads made available for it, and there are those that describe it as being involved in fan control, overclocking, etc. to the extent that "it is essential for it to be operational in order for the platform to be working properly, no matter if the advanced/corporate features are available or not".

I don't know whether they're all talking about the same thing, but it all falls under discussion of the 'Management Engine'.

Anyway, what I do know is that my main system's consumer level motherboard (ASUS Z270G) has no Intel ME or AMT settings in the BIOS, but it's vulnerable enough to require security updates at the firmware level, because just a few days ago ASUS went out of their way to release a specific Management Engine firmware update to address a security issue:

 

[Jism]

It's no secret that a country such as russia develops his own cpu's since X86 / X64 hardware in general cannot be trusted.

I remember the complete german goverment had to fully replace all hardware since it was rooted at firmware level. This is how they got it. There's spying from all sort of continents all over the world.

Opensource is the way to go. This way, lots of people can contribute to the code, safety and features to make sure it's tested at it's best. Why do you think windows NEEDS so many updates in general. Cause the OS in base is like a cheese hole full of flaws.

Software is becoming more harder and harder to exploit, so they simply aim at low level features. intel IME is such as bad design, nobody knows what exactly is inside of there and what it's puspose is. You might as well simply call it a backdoor since NSA does alot of exploiting on computers in general.

 

[OSdevr]

not an os writer (disclaimer) - but could it be because they want to open the chips up to direct connect self learning algorithms, or at least experiment with the concept, in the near future?

I doubt it, they've been building this thing in since at least '06.

Plus this is not something you can easily exploit.

The problem is that if it is exploited it would be undetectable and irremovable. It's a perfect target for say a government to snoop on its citizens. The NSA is now known to have a similar exploit on file targeting System Management Mode (another part of the CPU that is invisible to the OS).

My eyes glaze over whenever I try to wrap my head around what the Management Engine is - especially how it applies to my computers.

The thing is no one really knows what all the ME does. In addition to the management features it may be involved in power management (including thermals).

Opensource is the way to go. This way, lots of people can contribute to the code, safety and features to make sure it's tested at it's best. Why do you think windows NEEDS so many updates in general. Cause the OS in base is like a cheese hole full of flaws.

Have you ever checked for package updates? The Linux base system is constantly being patched. Open source does not necessarily mean more secure. ShellShock was a massive security hole in one of the most used open source pieces of software on the planet yet it went undetected for 25 years.

 

[Jism]

Open source is'nt safe either, but at least it gives developers and people a chance to look at certain code. We still dont know what is housed into intels IME nor AMD's counterpart.

 

[OSdevr]

Open source is'nt safe either, but at least it gives developers and people a chance to look at certain code. We still dont know what is housed into intels IME nor AMD's counterpart.

Agreed.

 

[nem..]

http://omicrono.elespanol.com/2017/11/minix-sistema-operativo-mas-utilizado-mundo-nadie-conoce/
quoting and translating
Neither Windows or Android, the most popular operating system is another and you use it without knowing it. Your Windows, your Mac or your Linux may not be alone. If you have an Intel processor on your computer, whether desktop or laptop or server, chances are you have a hidden operating system. And this system, called MINIX, has even its own secret processor.

AMT, where Intel and MINIX come together

This is where the interesting comes from. Intel AMT (Active Management Technology), also known as Intel Management Engine, is a kind of "secret processor" that works independently of the rest of the computer. It has nothing to do with the processor you use to play or to run the computer. It is a completely differentiated chip.

And in this hidden or secret processor is where Intel has decided to use MINIX. Intel AMT is able to access any region of memory, read and write all files, and even make a web server. All without the rest of the system even knowing of its existence. And everything working with MINIX, that system that was born with an educational purpose

 

[Katanai]

Serious question: Does anyone know what specific models have this "feature"? I'm not asking only about processors that are out now but since when has this started? It seems that even some of the Core2Duo processors had some form of Intel vPro features. Was this processor present in these CPU's or maybe on the motherboard? Do all i series processors have this in them from the start of the series, or since when?

 

[Vya Domus]

In case of AMD - no tools are available, no active research is in process as far as I know.

....

AMD won't opensource PSP firmware in the foreseeable future, regardless of whether the community demands it, writes petitions, or whether it will simply make them look better than Intel for once.

Which makes it safer in actual fact. Best security measure is to not give people a backdoor. There shouldn't be any tools or documentation available for the public but instead these should be strictly regulated by authorities.

 

[OneMoar]

you can already disable most of intels ME's functionality including ALL of the remote stuff

https://github.com/corna/me_cleaner

once again press release announces something that has been known for 5 years and people loose their minds

 

[Easo]

Well, it's like people don't know that stuff like vPro has existed for a long long time and ME was needed for it.
Big companies wanted this feature, Intel made it.

 

[Vayra86]

Still have the third edition of "Modern Operating Systems", along with Crowley's "Operating Systems: Design Oriented Approach".
Though, I gave up on college way before I got those


Don't worry, they've got one of their own.


Several potentially critical vulnerabilities with no way of patching on older platforms (sources mention some were known for many years).
Also, no way of completely disabling ME without harming the hardware (you are lucky if you'll only get a 15 second POST delay, otherwise your mobo won't even start).
Plus, both AMD and Intel are so secretive about their security tech, that it forces people to think whether ME or AMD SecureChip are really that secure, or whether they simply apply the tactics of "obfuscated security".

Security through obscurity is a great measure ON TOP OF other safeguards, not as a sole safeguard. Everything can be cracked, all it needs is time.

Probably Illuminati at work, or pink unicorns

 

[lexluthermiester]

Security through obscurity is a great measure ON TOP OF other safeguards, not as a sole safeguard. Everything can be cracked, all it needs is time.

Probably Illuminati at work, or pink unicorns

My money is on pink unicorns..

 

[buildzoid]

Which makes it safer in actual fact. Best security measure is to not give people a backdoor. There shouldn't be any tools or documentation available for the public but instead these should be strictly regulated by authorities.

Authorities are still people. They aren't infallible and having a permanent backdoor in a system means that when the backdoor gets discovered everyone is screwed. Whether or not the backdoor is discovered is just a matter of time.

 

[lexluthermiester]

Authorities are still people. They aren't infallible and having a permanent backdoor in a system means that when the backdoor gets discovered everyone is screwed. Whether or not the backdoor is discovered is just a matter of time.

Well said! This is exactly correct.