Coreboot Gets Support For Haswell Power Limiting
Phoronix: Coreboot Gets Support For Haswell Power Limiting
After landing hardware support improvements last week for Coreboot, the open-source BIOS firmware replacement now has another new feature: ACPI power limiting and it's been implemented for Intel Haswell CPUs...
This tells me to get an x86 Chromebook if my netbook is ever destroyed
This tells me exactly what to do if I ever have to replace my netbook: get any low-end x86 Chromebook, replace the firmware with straight Coreboot, and replace Chrome OS with my normal encrypted OS (using MATE and IceWM desktop options for a light machine). No Microsoft tax, a cheaper machine, total extermination of verified or delayed boot answering to someone other than myself. Good luck NSA trying to backdoor a machine with no blobs at all...
Originally Posted by pgeorgi
I do not own a smartphone or tablet
And I do not trust any router or any part of the Internet with sensitive information. I treat all networks as malicious, and know that routers are actually bigger targets than computers. I do not allow any computer (routers, etc included) to simultaneously handle my encrypted filesystem and connect directly to the Internet. I do not use routers to move sensitive shit between machines, I use encrypted flash drives for that.
Originally Posted by uid313
I have seen the Underhanded C work, and have read papers concerning hardware backdoors. There have been instances of this being done with computers ordered in advance, then shipped to a known party under surveillance. Embassies and governments are the usual targets - or the usual cases where they get caught. The best defense is to do what I do: buy all components on the spot with cash so nobody can predict which processor, board, etc you will have. The manufacturer cannot predict what examples I will pull from the shelf, and there are no credit card records or Windows activation records to find it after the fact.
Any silicon backdoor must now be in every machine, or in none. Here's the kicker: an always-on backdoor in every machine that talks to the network will be caught by someone running Wireshark for some unrelated reason. Thus, it must be able to be turned on and off. Probably the firmware the device is shipped with - or even its OS - plays a role in that. I never permit any computer I acquire for secure work to talk to any network before the vendor-provided OS has been removed. In this Chromebook case this could be applied as well to the firmware.
Dump both the firmware AND the OS, and turning such a backdoor on becomes much harder, though not totally impossible. That's why the folks handling Snowden's take used randomly purchased, cash-only machines that had never been connected to any network to protect their encrypted data, brought it only by flash drives. I do not now deal with that high a level of secret information, but I do know how it is done.
In the meantime, the NSA will never admit in court to backdooring Intel's or AMD's hardware in open court because Occupy protesters storm a convention of gas fracking CEOs (and local cops or the FBI want the raw video clips), no matter what we do inside. Not worth blowing one or the other chipmaker out of the water trying to solve a less than $1M case.
Some clarifications about hardware backdoors and encryption
1: No machine with vPro or similar out-of-band management can be trusted or used for secure information, this has been known for years.
Originally Posted by uid313
It is also known that vPro can be broken so far as remote attack is concerned by connecting to the network with a discrete non-Intel
network card and not using the one vPro depends on at all. Still not trusted as it could store something locally for a later raid once
2: Local attacks: If a machine is not secured against local physical access, it cannot be considered secure for encrypted material. Thus,
a local privilege escalation attack would be against a machine considered already compromised. Any evidence that a machine has
been powered up by an unknown party requires DISPOSAL of a machine handling high value encrypted files anyway.
3: The best evidence that hardware backdoors are not storing encryption passphrases or keys locally is that nobody in any protest movement,
direct action political movement, armed group, or organized crime ring has been arrested based on the take from a hardware backdoor
decrypting an encrypted computer - anywhere.
4: Putting the backdoor itself in the silicon is not enough. For the attack I am concerned with, it would need to predict what encryption
program would be used, where the key would go in RAM, that kind of stuff, even on encryption programs yet to be written or updated.
Pretty soon you are asking to add a lot of gates for "hardware-accelerated policing." The more undocumented gates, the greater the risk
of detection or just plain suspicion after someone X-rays the chip.
Security is always a balancing act, and always an arms race. So is attacking. Secure today may not be secure tomorrow, but you pick all low-hanging fruit, every time. When more is needed, such as at the Snowden level, a far more detailed study is needed - and if something does not NEED to be on computer, it should not be at that point. Strong defenses are layered - get through one and face another, like cracking a DM-crypt disk after a month of supercomputer time, only to find a TrueCrypt container using a different cypher, key, and passphrase staring back at you. Maybe you crack that passphrase too, getting lucky on the first round of dictionary attacks, only to find those raw video clips you wanted were all shredded with random numbers instead of being saved. You'd have to be awful determined not to throw in the towel at that point.