Usr6

MINIX - most popular OS in the world


You might not know it, but inside your Intel system, you have an operating system running in addition to your main OS, MINIX. And it’s raising eyebrows and concerns.

Take a look at your desktop computer. What operating system is it currently running? 

Now take a look in your data center — at all of your servers. What operating system are they running? 

Linux? Microsoft Windows? Mac OS X? You could be running any of those three — or one of countless others. 

But here’s the crazy part: That’s not the only operating system you’re running. 


If you have a modern Intel CPU (released in the last few years) with Intel’s Management Engine built in, you’ve got another complete operating system running that you might not have had any clue was in there: MINIX.

That’s right. MINIX. The Unix-like OS originally developed by Andrew Tanenbaum as an educational tool — to demonstrate operating system programming — is built into every new Intel CPU.

MINIX is running on “Ring -3” (that’s “negative 3”) on its own CPU. A CPU that you, the user/owner of the machine, have no access to. The lowest “Ring” you have any real access to is “Ring 0,” which is where the kernel of your OS (the one that you actually chose to use, such as Linux) resides. Most user applications take place in “Ring 3” (without the negative). 

The first thing that jumps out at me here: This means MINIX (specifically a version of MINIX 3) is in all likelihood the most popular OS shipping today on modern Intel-based computers (desktops, laptops and servers). That, right there, is absolutely crazy. 


The second thing to make my head explode: You have zero access to “Ring -3” / MINIX. But MINIX has total and complete access to the entirety of your computer. All of it. It knows all and sees all, which presents a huge security risk — especially if MINIX, on that super-secret Ring -3 CPU, is running many services and isn’t updated regularly with security patches. 

Google wants to remove MINIX from its internal servers

According to Google, which is actively working to remove Intel’s Management Engine (MINIX) from their internal servers (for obvious security reasons), the following features exist within Ring -3: 

  • Full networking stack
  • File systems
  • Many drivers (including USB, networking, etc.)
  • A web server 

That’s right. A web server. Your CPU has a secret web server that you are not allowed to access, and, apparently, Intel does not want you to know about. 

Why on this green Earth is there a web server in a hidden part of my CPU? WHY? 

The only reason I can think of is if the makers of the CPU wanted a way to serve up content via the internet without you knowing about it. Combine that with the fact that Ring -3 has 100 percent access to everything on the computer, and that should make you just a teensy bit nervous. 

The security risks here are off the charts — for home users and enterprises. The privacy implications are tremendous and overwhelming. 

Note to Intel: If Google doesn’t trust your CPUs on their own servers, maybe you should consider removing this “feature.” Otherwise, at some point they’ll (likely) move away from your CPUs entirely. 

Note to AMD: Now might be a good time to remove similar functionality from your CPU lines to try to win market share from Intel. Better to do so now before Intel removes the “Management Engine.” Strike while the iron’s hot and all that. 

Note to Andrew Tanenbaum: Your operating system, MINIX, is now one of the most used on modern computers! That’s kinda cool, right?

Note to everyone else: We’re all MINIX users now.

Source: https://www.networkworld.com/article/3236064/servers/minix-the-most-popular-os-in-the-world-thanks-to-intel.html


Apparently off topic: The US Wants to Regulate Surveillance Software Like Weapons, because Privacy is Becoming a Crime – Why Intel Chips May Present a Whole New Risk, since "Active Management Technology": The obscure remote control in some Intel hardware raises serious doubts that NSA could have planted Permanent Backdoors in Intel And AMD Chips ... so that, as a precaution, Cisco posts kit to empty houses to dodge NSA chop shops ... and now, "Earlier this month, Deputy Attorney General Rod Rosenstein gave a speech warning that a world with encryption is a world without law -- or something like that. The EFF's Kurt Opsahl takes it apart pretty thoroughly. Last week, FBI Director Christopher Wray said much the same thing.

This is an idea that will not die." writes Bruce Schneier regarding FBI Increases Its Anti-Encryption Rhetoric.

However, there is a compromise solution, A reasonably secure operating system, which "brings to your personal computer the security of the Xen hypervisor, the same software relied on by many major hosting providers to isolate websites and services from each other".


The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.


These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them.


Source: https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html


What are Meltdown and Spectre

Google described the two attacks as follows:

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

Google says it chose the Meltdown codename because "the bug basically melts security boundaries which are normally enforced by the hardware."

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

"The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time," Google says. "Spectre is harder to exploit than Meltdown, but it is also harder to mitigate."

Source: https://www.bleepingcomputer.com/news/security/google-almost-all-cpus-since-1995-vulnerable-to-meltdown-and-spectre-flaws/


Source: https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/

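A defender's check that follows from the Meltdown/Spectre description quoted above, added here as an example and not part of any post or quoted article: on Linux the kernel reports its own mitigation status per vulnerability in files under /sys/devices/system/cpu/vulnerabilities. The directory path is a parameter, and a constructed sample directory is included so the script runs offline on any host.

```shell
#!/bin/sh
# Added example (not from the forum thread or the articles it quotes):
# summarise the kernel's Meltdown/Spectre mitigation status from the sysfs
# files Linux exposes under /sys/devices/system/cpu/vulnerabilities.
# Each file holds one line such as "Mitigation: PTI", "Vulnerable" or
# "Not affected". The directory is a parameter so the function can be run
# against a constructed copy where the real entries are absent.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Print "<name> <state>" for the three entries the page discusses; state is
# mitigated / vulnerable / not_affected / unknown (no file or unparsed text).
# Returns 1 if any entry reports "Vulnerable", 0 otherwise.
cpu_vuln_report() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        f="$dir/$name"
        if [ ! -r "$f" ]; then
            state=unknown          # pre-4.15 kernel or not Linux: no entry
        else
            line=$(cat "$f")
            case "$line" in
                Mitigation:*)   state=mitigated ;;
                "Not affected") state=not_affected ;;
                Vulnerable*)    state=vulnerable; rc=1 ;;
                *)              state=unknown ;;
            esac
        fi
        printf '%s %s\n' "$name" "$state"
    done
    return $rc
}

# Constructed sample directory (not captured from a real machine).
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_dir)
    cpu_vuln_report "$sample" || echo "at least one entry is still Vulnerable"
    rm -rf "$sample"
fi
```

Run it with no argument to inspect the live sysfs entries of the current host, or with `--demo` to see the constructed sample.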
