Announcement

Collapse
No announcement yet.

A Kubuntu-Powered Laptop Is Launching In 2020 For High-End KDE Computing

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #31
    Originally posted by madscientist159 View Post
    But that's not disabled as the word is commonly used,
    "Disabled" is something done with a configuration option, and you are "politely asking it to do X". The application can ignore the setting. The ME does not seem to ignore it.

    You are confusing it with "removed".

    If the ME were actually disabled, Joanna wouldn't be saying its still hackable in the HAP state, right?
    https://mobile.twitter.com/rootkovsk...64351008395264
    She is saying that until the ME reads the config and executes the action it is active (and vulnerable).

    Since you don't explain what this "early ME code bypass" hack is, it involves writing stuff to the flash chip. Even without the ME you're screwed if someone can do that.

    Sadly on most systems it's easy to do so. What about your own Power boards? Does the firmware have a hardware switch to go in read-only mode? Will you consider implementing that?

    Comment


    • #32
      Originally posted by JanW View Post
      starshipeleven Yes, I have a 97Wh battery in my Dell. For the Clevo I have seen 57Wh quoted elsewhere, but I guess 62 or 57 does not really matter. It's small. The Clevo is an almost-always-plugged gaming machine of which no one expects significant battery life.

      From my perspective, MindShareManagement may be wrong about the needs of their target market. Professionals buying a Laptop do not buy it because they sometimes prefer to sit on the sofa with it for two hours. They travel, they work on-site, they go to conferences and trade shows. If you don't get through a work day of very light usage while having the computing power once you plug in, you lose many potential customers. Say what you will about Apple, they do understand their target market, and there is a reason they offer adequate battery life.
      In Silicon Valley and many other areas you will find office upon office where dozens of coders spend 8-12 hours every day using MBPs to write code at their desk and are always plugged in. They only require battery when attending meetings for a few hours at a time.
      ​​​​​​
      ​​​We have found 3- 4 hours for modest use like image editing, web browsing, or similar office tasks.
      Last edited by deppman; 12-18-2019, 11:38 AM. Reason: Clarify battery life

      Comment


      • #33
        Originally posted by starshipeleven View Post
        "Disabled" is something done with a configuration option, and you are "politely asking it to do X". The application can ignore the setting. The ME does not seem to ignore it.
        The whole problem with the ME is that you (and I) really have no idea what it does due to the way it's designed. You argue setting the HAP bit stops further apps from running, and with just as much evidence I could claim it shifts the ME into a mode where it remotely accepts a specially crafted non-IP key handshake for government access to / control of the system (given its specced origins, this is not a totally off the wall idea).

        Originally posted by starshipeleven View Post
        You are confusing it with "removed".
        Not at all. See the dictionary: https://www.merriam-webster.com/dictionary/disable

        "to make ineffective or inoperative"

        The ME must have an effect, or the system would boot without it. Therefore, it is NOT disabled.

        Originally posted by starshipeleven View Post
        She is saying that until the ME reads the config and executes the action it is active (and vulnerable).
        So not disabled then, right?

        Originally posted by starshipeleven View Post
        Since you don't explain what this "early ME code bypass" hack is, it involves writing stuff to the flash chip. Even without the ME you're screwed if someone can do that.
        And you can 100% guarantee that it isn't vulnerable in any other way?

        Originally posted by starshipeleven View Post
        Sadly on most systems it's easy to do so. What about your own Power boards? Does the firmware have a hardware switch to go in read-only mode? Will you consider implementing that?
        There are read-only switches on the board for exactly that purpose. FW needs a bit more work to enable them (right now if you actually shut off write the FW isn't happy as it wants to cache VPD entries) but this is an actual goal we are working toward and can retroactively enable on all of our hardware.

        Plus, even now, it's not that easy. The root keys are stored in the CPU, so just altering the Flash isn't sufficient.

        Comment


        • #34
          Originally posted by deppman View Post
          In Silicon Valley and many other areas you will find office upon office where dozens of coders spend 8-12 hours every day using MBPs to write code at their desk and are always plugged in. They only require battery when attending meetings for a few hours at a time.​​​​​​
          ​​​
          He is talking of the more "free" type of workers, artists and freelancers that are the backbone of Apple's reputation and brand recognition.
          And yes, they commonly value long battery life.

          If it wasn't for them that set the brand as desirable, the corporate drones you mention would be tapping away on HP or Dell laptops instead.

          Comment


          • #35
            Honestly, putting a dGPU in all workstation laptops makes little sense. The most graphically demanding thing I use for work is a web browser, and an integrated GPU is good enough even for accelerating image editing.

            Since Thunderbolt exists, I think there would be plenty of people who'd rather have an integrated GPU on the go, and the possibility to hook external one up if it's needed for something like playing games outside of work.

            Comment


            • #36
              Originally posted by JanW View Post

              So how long does the battery last then? Retailers commonly quote 2-3h battery life for that laptop. Do you mean initially your battery life was even less than that and you went back to those (presumably Windows) values? Maybe you managed to squeeze out 4h on not-too-demanding workloads? How does that compare to a MBP?

              I think I might have been in your target market. A while ago I got a reasonably specced Dell Precision 5520 with Nvidia graphics, installed Kubuntu, and while the battery life is acceptable, the thermal performance is so abysmal that I cannot run any meaningful workload (scientific image processing) on the machine without the CPU throttling. But if your machine does not get me through a few lectures in a row on battery, then I will still prefer my crappy Precision 5520 with non-optimized Kubuntu.
              We found 3-4 hours of while running web apps, office apps, or image editing.

              Comment


              • #37
                Originally posted by madscientist159 View Post
                You argue setting the HAP bit stops further apps from running, and with just as much evidence I could claim it shifts the ME into a mode
                That's not how evidence works. HAP bit is shown to stop further interaction with known documented API.

                Your claim is on the same level of saying the ME can contact aliens with a beam of psychic energy.

                Not at all. See the dictionary: https://www.merriam-webster.com/dictionary/disable
                With the setting it is indeed "ineffective" and "inoperative", after it has read it and executed it.

                If you want something that does not need to read a setting you are looking for "removed"

                The ME must have an effect, or the system would boot without it. Therefore, it is NOT disabled.
                It is disabled after the board init phase, which means after the first 100ms or whatever when you press the power button.

                And you can 100% guarantee that it isn't vulnerable in any other way?
                And you can 100% guarantee that your Power CPUs don't in fact contain another CPU running a secret OS that is accessible only by using secret and undocumented instructions?
                (which is actually shown to be possible and somewhat true for some older VIA CPUs where you do have such instructions to do nice things)
                Fuck off with this bs.

                There are read-only switches on the board for exactly that purpose.
                While on Intel in most cases firmware access is widely available and anything can write to it.
                Last edited by starshipeleven; 12-18-2019, 11:59 AM.

                Comment


                • #38
                  Originally posted by starshipeleven View Post
                  That's not how evidence works. HAP bit is shown to stop further interaction with known documented API.
                  And no vendor has ever published wrong, incomplete, or misleading public API documentation? You've seen the full, complete source code of the ME and can guarantee the API and configuration bits do exactly what they state, with no unwanted / undocumented side effects?

                  If you haven't, you are just blindly trusting a vendor with zero legal recourse if anything goes sideways. That's not how security and associated auditing / hardening works.

                  Originally posted by starshipeleven View Post
                  Your claim is on the same level of saying the ME can contact aliens with a beam of psychic energy.
                  And at this point, it's fairly clear you have a machine with a "disabled" ME that you want to feel safe using, and are perfectly willing to bury your head in the sand (figuratively) to keep that safe feeling. That's fine, but also insufficient for us that need real security vs. a mere feeling of safety.
                  Last edited by madscientist159; 12-18-2019, 12:04 PM.

                  Comment


                  • #39
                    Originally posted by madscientist159 View Post
                    And no vendor has ever published wrong, incomplete, or misleading public API documentation?
                    It's reasonable to assume most malware targeting it will use its API and not assume it is in a weird undefined mode that can only be enabled by enabling an undocumented switch.

                    I'm not trying to hide from the Big Brother, I'm trying to avoid malware.

                    You've seen the full, complete source code of the ME and can guarantee the API and configuration bits do exactly what they state, with no unwanted / undocumented side effects?
                    This is SIL-4 (safety-critical) certification lol, not even Linux that is opensource can seriously guarantee that.

                    If you haven't, you are just blindly trusting a vendor with zero legal recourse if anything goes sideways.
                    You are always blindly trusting a vendor, yours is just a different line in the sand.
                    We are all blindly trusting Torvalds too that some kernel API or subsystem isn't actually wrong, and sometimes bugs happen and systems can be compromised.

                    We are all blindly trusting that the CPU actually works as documented.
                    The processor isn't opensource, it may very well have undocumented instructions that do whatever.
                    Old VIA processors had some fun stuff like "instant privilege escalation" CPU instructions for example.

                    Can you guarantee Power processors don't have that? No you can't. Ops, you are just blindly trusting a vendor with zero legal recourse if anything goes sideways, fuck you very much.

                    That's not how security and associated auditing / hardening works.
                    You have a very wrong idea of how security works. Security audits don't usually claim vulnerabilities until they have proof of it.

                    And at this point, it's fairly clear
                    that I'm waiting for a true half-decent fullstack open system before committing to the limitations of a different architecture.
                    Power is cool but I don't feel it is worth it.

                    I'm on AMD, btw. More because of Intel CPU vulnerabilities than because of ME. Yes I know there is the PSP

                    Comment


                    • #40
                      Originally posted by starshipeleven View Post
                      It's reasonable to assume most malware targeting it will use its API and not assume it is in a weird undefined mode that can only be enabled by enabling an undocumented switch.
                      I don't agree with that.

                      Originally posted by starshipeleven View Post
                      I'm not trying to hide from the Big Brother, I'm trying to avoid malware.
                      I try to do both; I don't like being spied on or having the potential for data theft regardless of what the actual entity engaging in such activities happens to be -- whether Google or a black hat, my data is none of their business unless I explicitly allow them (or the general public) access to some piece of it.

                      Originally posted by starshipeleven View Post
                      This is SIL-4 (safety-critical) certification lol, not even Linux that is opensource can seriously guarantee that.
                      Perhaps not, but I also know I'm allowed to patch and modify the kernel as events transpire. I am NOT permitted to do that with the ME, which means that the concession made for Linux is not valid for the ME.

                      Originally posted by starshipeleven View Post
                      You are always blindly trusting a vendor, yours is just a different line in the sand.
                      We are all blindly trusting Torvalds too that some kernel API or subsystem isn't actually wrong, and sometimes bugs happen and systems can be compromised.

                      We are all blindly trusting that the CPU actually works as documented.
                      The processor isn't opensource, it may very well have undocumented instructions that do whatever.
                      Old VIA processors had some fun stuff like "instant privilege escalation" CPU instructions for example.

                      Can you guarantee Power processors don't have that? No you can't. Ops, you are just blindly trusting a vendor with zero legal recourse if anything goes sideways, fuck you very much.
                      Actually, yes, there is certainly legal recourse for defective POWER systems. You can sue for hardware defects, and often win, but in general that is not the case for licensed software like the ME. See the difference, and why companies tend to put a lot more Q/A into non-mutable hardware where they have a lot more potential liability?

                      Originally posted by starshipeleven View Post
                      You have a very wrong idea of how security works. Security audits don't usually claim vulnerabilities until they have proof of it.
                      So you advocate no proactive security measures? Are you still using the not yet deprecated (i.e. still generally accepted as useful at the moment) weaker encryption algorithms / key lengths, or have you looked at what is likely to happen in the next few years and started using stronger encryption?

                      A few years ago common knowledge was Facebook / Google were OKish entities, and those that said otherwise were ridiculed in a similar manner. How are they seen now in the wake of things like Cambridge Analytica? A proper security stance looks heuristically at all elements, looking to past and likely future possibilities, in addition to the total technically possible access level of a hardware or software component (which is oftentimes a good indicator of what the company is actually doing or will end up doing).

                      Originally posted by starshipeleven View Post
                      that I'm waiting for a true half-decent fullstack open system before committing to the limitations of a different architecture.
                      Power is cool but I don't feel it is worth it.

                      I'm on AMD, btw. More because of Intel CPU vulnerabilities than because of ME. Yes I know there is the PSP
                      Interesting. With POWER an open ISA etc., what would you be looking for in addition?
                      Last edited by madscientist159; 12-18-2019, 01:10 PM.

                      Comment

                      Working...
                      X