Shared posts

27 Nov 13:42

Definitely not lazy

by CommitStrip

22 Nov 13:44

"Let's learn tcpdump" zine: now available for everyone

Hello! A couple weeks back, I wrote a zine called “let’s learn tcpdump!” and released the early access version for $10 as an experiment.

Today, I’m releasing it for everyone!

the zine

If you want to read the zine now, here it is:

The print version is pay-what-you-can. It includes a version with an adorable colour cover, if you want to print it in scintillating colour!

Here’s the cover:

the experiment

I did an experiment where I charged people $10 for early access to the zine! Here are the results:

  • People seemed pretty excited to give me money for a thing (“yay! this is awesome! this helped me use tcpdump! thank you!“) (people said a bunch of nice things on twitter!)
  • 190 people bought it in all, for a total of $1970. Thank you, everyone! It feels really cool that people actually think the stuff I make is worth money, and it makes me feel motivated to make more zines like this. And it makes it easier for me to do things like pay illustrators to make awesome illustrations!
  • 1 person bought an “enterprise license” ($100) so that they could print it out and give it out to a lot of people at their conference.

thanks

Special thanks to my friend Maya who did the lettering for the title! you are the best. And to my awesome partner Kamal who always helps review my zines.

And to the amazing illustrator Vladimir who made the cover! Paying artists is really cool.

22 Nov 13:29

Intel's Management Engine is a security hazard, and users need a way to disable it | Electronic Frontier Foundation

by brandizzi

Intel’s CPUs have another Intel inside.

Since 2008, most of Intel’s chipsets have contained a tiny homunculus computer called the “Management Engine” (ME). The ME is a largely undocumented master controller for your CPU: it works with system firmware during boot and has direct access to system memory, the screen, keyboard, and network. All of the code inside the ME is secret, signed, and tightly controlled by Intel. Last week, vulnerabilities in the Active Management (AMT) module in some Management Engines caused lots of machines with Intel CPUs to be disastrously vulnerable to remote and local attackers. While AMT can be disabled, there is presently no way to disable or limit the Management Engine in general. Intel urgently needs to provide one.

This post will describe the nature of the vulnerabilities (thanks to Matthew Garrett for documenting them well), and the potential for similar bugs in the future. EFF believes that Intel needs to provide a minimum level of transparency and user control of the Management Engines inside our computers, in order to prevent this cybersecurity disaster from recurring. Unless that happens, we are concerned that it may not be appropriate to use Intel CPUs in many kinds of critical infrastructure systems.

What is AMT? How is it vulnerable?

On many Intel chips, the Management Engine is shipped with the AMT module installed. It is intended to allow system administrators to remotely control the machines used by an organization and its employees. A vulnerability announced on May 1 allows an attacker to bypass password authentication for this remote management module, meaning that in many situations remote attackers can acquire the same capabilities as an organization’s IT team, if active management was enabled and provisioned.

Once they have AMT access, attackers can interact with the screen or console as if the user were doing so themselves. Attackers can also boot arbitrary OSes, install a new OS, and (with some work) steal disk encryption passwords.

Not every machine is susceptible to the attack. For it to work, AMT has to have been both enabled and provisioned (commonly AMT is enabled but not provisioned by default). Once provisioned, AMT has a password set, and is listening for network packets and will control the system in response to those. It can be provisioned by default if vendors used a feature called “Remote Configuration” with OEM Setup, by a user with administrative access, interactively or with a USB stick during system boot, or (via the LMS vulnerability) by unprivileged users on Windows systems with LMS. Macs have MEs, but don’t ship with AMT at all. The password protection is crucial for machines with AMT provisioned, but this week’s vulnerability allowed it to be bypassed.

How can users protect themselves?

Many organizations will need to take steps to protect themselves by ensuring that AMT is disabled in their BIOS and LMS is not installed, or by updating Intel firmware.
Unfortunately, even if AMT is currently disabled, that doesn’t mean an attack was never possible—an attacker might have disabled AMT after concluding the attack, to close the door on their way out.

But troublingly, AMT is only one of many services/modules that come preinstalled on Management Engines. The best recommendation we can make for addressing this vulnerability today is to disable that specific AMT module, because Intel doesn’t provide any way to generally limit the power of the ME. But vulnerabilities in any of the other modules could be as bad, if not worse, for security. Some of the other modules include hardware-based authentication code and a system for location tracking and remote wiping of laptops for anti-theft purposes. While these may be useful to some people, it should be up to hardware owners to decide if this code will be installed in their computers or not. Perhaps most alarmingly, there is also reportedly a DRM module that is actively working against the user’s interests, and should never be installed in an ME by default.

For expert users on machines without Verified Boot, a Github project called ME cleaner exists and can be used to disable a Management Engine. But be warned: using this tool has the potential to brick hardware, and interested parties should exercise caution before attempting to protect their systems. A real solution is going to require assistance from Intel.

What Intel needs to do to fix this mess

Users need the freedom to choose what they want running on their system, and the ability to remove code that might contain vulnerabilities. Because the Management Engine only runs code modules signed by Intel, this means having a way to disable the ME or reflash it with minimal, auditable firmware. While Intel may put a lot of effort into hunting for security bugs, vulnerabilities will inevitably exist, and having them lurking in a highly privileged, low level component with no OS visibility or reliable logging is a nightmare for defensive cybersecurity. The design choice of putting a secretive, unmodifiable management chip in every computer was terrible, and leaving their customers exposed to these risks without an opt-out is an act of extreme irresponsibility.

What would be best for users and for the public’s ability to control machines that they have purchased would be for Intel to provide official support for reducing the attack surface to limit the potential harm of the ME.

So we call upon Intel to:

  • Provide clear documentation for the software modules that are preinstalled on various Management Engines. What HECI commands provide a full list of the installed modules/services? What are the interfaces to those services?
  • Provide a way for their customers to audit ME code for vulnerabilities. That is presently impossible because the code is kept secret.
  • Offer a supported way to disable the ME. If that’s literally impossible, users should be able to flash an absolutely minimal, community-auditable ME firmware image.
  • On systems where the ME is an essential requirement for other security features that are important to some users (like Boot Guard), offer an additional option of a near-minimal, community-auditable ME firmware image that performs these security functions, and nothing else. Or alternatively, a supported way to build and flash firmware images where the user can inspect and control which services/modules are present, in order to manage security risks from those modules.

Until Intel takes these steps, we have reason to fear that the undocumented master controller inside our Intel chips could continue to be a source of serious vulnerabilities in personal computers, servers, and critical cybersecurity and physical infrastructure. Intel needs to act quickly to provide the community with an auditable solution to these threats.

Correction 2017-05-12: Intel has contacted us with two corrections to the details of this post. (1) Management Engines are not physically located on the CPU die itself, but in other parts of Intel's chipsets; (2) the LMS-based local privilege escalation was a second consequence of the first code vulnerability, rather than a second vulnerability or bug of its own. We have accordingly edited the language of this post in a couple of places, but do not believe these updates affect its conclusions.


31 Jul 14:05

Comic for June 29, 2017

by Scott Adams
31 Jul 13:58

For Sharing: Square-ways | Long-ways

18 Jul 13:31

The History of Chewing Gum, From Chicle to Chiclets

by Keith Pandolfi

A look at how chewing gum is made and the surprising history that gave birth to gumball machines, bubble gum, and beyond.
13 Jul 12:29

Millions of Verizon Customer Records Exposed in Security Lapse

by msmash
Zack Whittaker, reporting for ZDNet: An Israeli technology company has exposed millions of Verizon customer records, ZDNet has learned. As many as 14 million records of subscribers who called the phone giant's customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of Nice Systems, a Ra'anana, Israel-based company. The data was downloadable by anyone with the easy-to-guess web address. Nice, which counts 85 of the Fortune 100 as customers, plays in two main enterprise software markets: customer engagement and financial crime and compliance including tools that prevent fraud and money laundering. Nice's 2016 revenue was $1.01 billion, up from $926.9 million in the previous year. The financial services sector is Nice's biggest industry in terms of customers, with telecom companies such as Verizon a key vertical. The company has more than 25,000 customers in about 150 countries.


11 Jul 06:51

Why Can Lavender Be Used to Repel Moths? – The Chemistry of Lavender

by Compound Interest
Hanging in the wardrobes of our flat, alongside our clothes, are a couple of small bags of dried lavender. Like many others, we keep them there to ward off clothes moths, but while offhandedly discussing this a couple of weeks ago I realised that I had absolutely no idea if there was scientific evidence to […]
10 Jul 12:23

Google Home Ends A Domestic Dispute By Calling The Police

by EditorDavid
An anonymous reader quotes Gizmodo: According to ABC News, officers were called to a home outside Albuquerque, New Mexico this week when a Google Home called 911 and the operator heard a confrontation in the background. Police say that Eduardo Barros was house-sitting at the residence with his girlfriend and their daughter. Barros allegedly pulled a gun on his girlfriend when they got into an argument and asked her: "Did you call the sheriffs?" Google Home apparently heard "call the sheriffs," and proceeded to call the sheriffs. A SWAT team arrived at the home and after negotiating for hours, they were able to take Barros into custody... "The unexpected use of this new technology to contact emergency services has possibly helped save a life," Bernalillo County Sheriff Manuel Gonzales III said in a statement. "It's easy to imagine police getting tired of being called to citizen's homes every time they watch the latest episode of Law and Order," quips Gizmodo. But they also call the incident "a clear reminder that smart home devices are always listening."


07 Jul 08:16

'Al Shabab' militants in day-long battle with Kenyan forces

Three police officers are confirmed dead after a huge, 10-hour gunbattle with militants.
07 Jul 07:19

EU and Japan reach free trade deal

The European Union and Japan conclude a landmark free trade deal in Brussels, EU officials announce.
30 Jun 08:08

Mozilla Employee Denied Entry To the United States

by msmash
Reader Artem Tashkinov writes: Daniel Stenberg, an employee at Mozilla and the author of the command-line tool curl, was not allowed to board his flight to the meeting from Sweden—despite the fact that he'd previously obtained a visa waiver allowing him to travel to the US. Stenberg was unable to check in for his flight, and was notified at the airport ticket counter that his entry to the US had been denied. Although Mozilla doesn't believe that the incident is related to Trump's travel ban, the incident stirred fears among international tech workers, who fear they'll miss out on work and research opportunities if they're not allowed to travel to the US. The situation even caught the eye of Microsoft's chief legal officer Brad Smith, who tweeted at Stenberg to offer legal assistance.


30 Jun 07:33

New Study Finds How Much Sleep Fitbit Users Really Get

by BeauHD
Fitbit has published the results of a study that uses their longitudinal sleep database to analyze millions of nights of Sleep Stages data to determine how age, gender, and duration affect sleep quality. (Sleep Stages is a relatively new Fitbit feature that "uses motion detection and heart rate variability to estimate the amount of time users spend awake in light, deep, and REM sleep each night.") Here are the findings: The average Fitbit user is in bed for 7 hours and 33 minutes but only gets 6 hours and 38 minutes of sleep. The remaining 55 minutes is spent restless or awake. That may seem like a lot, but it's actually pretty common. That said, 6 hours and 38 minutes is still shy of the 7+ hours the CDC recommends adults get. For the second year in a row Fitbit data scientists found women get about 25 minutes more sleep on average each night compared to men. The percentage of time spent in each sleep stage was also similar -- until you factor in age. Fitbit data shows that men get a slightly higher percentage of deep sleep than women until around age 55 when women take the lead. Women win when it comes to REM, logging an average of 10 more minutes per night than men. Although women tend to average more REM than men over the course of their lifetime, the gap appears to widen around age 50.


07 Jun 12:06

FOO FIGHTERS present the video for "Run"

   FOO FIGHTERS unexpectedly released a new video and song online. The track is called "Run", and the video was directed by the frontman of ...
05 Jun 13:15

Saturn at Its Best, and 6 More Can't-Miss Sky Events in June

by Andrew Fazekas
25 May 11:49

Artist's Memory Loss Fuels Discoveries About the Brain

by Simon Worrall
23 May 11:43

The Worst Things IBM Voice Recognition Could Do in the 80s

by Adam Clark Estes

In the age of Siri, we take for granted how far speech recognition technology has come. But a quick glance back at 1986, when IBM introduced its voice recognition software, shows that we’ve travelled light years since the earliest version of this game-changing software. And it’s even more fun in satire form.


19 May 12:47

Astronomers May Finally Have the First Picture of a Black Hole

by Ron Cowen
19 May 11:19

Discovery May Help Decipher Ancient Inca String Code

by Daniel Stone
18 May 11:05

Hold the Cream: How to Make Real-Deal Roman Fettuccine Alfredo

by Daniel Gritzer

This is how you make fettuccine Alfredo like the Romans, only...not quite as overloaded with butter and cheese as the original recipe.
18 May 08:16

10 Easy Ways You Can Help Scientists Study the Earth

by Alexandra E. Petri
18 May 08:07

Do You Know More Geography Than a Fifth Grader?

by Brian Clark Howard
17 May 11:21

How Creativity Drives Human Evolution

by Simon Worrall
17 May 11:03

Einstein’s Relativity Explained in 4 Simple Steps

by Mitch Waldrop
30 Mar 11:51

Editor's Picks: The Best Things I Ate in Japan

by Daniel Gritzer

Japan may be the greatest culinary destination on Earth. It could take a lifetime to explore the food there thoroughly, but even a short trip can open up worlds of discovery. Here are some of Daniel's top picks from a recent trip to Tokyo, Kyoto, Fukui, and Ishikawa.
06 Mar 15:03

A Norwegian Website Is Making Readers Pass a Quiz Before Commenting

by msmash
Joseph Lichterman, writing for Nieman Lab: Two weeks ago, NRKbeta, the tech vertical of the Norwegian public broadcaster NRK, published an explainer about a proposed new digital surveillance law in the country. Digital security is a controversial topic, and the conversation around security issues can become heated. But the conversation in the comments of the article was respectful and productive: Commenters shared links to books and other research, asked clarifying questions, and offered constructive feedback. The team at NRKbeta attributes the civil tenor of its comments to a feature it introduced last month. On some stories, potential commenters are now required to answer three basic multiple-choice questions about the article before they're allowed to post a comment. The goal is to ensure that the commenters have actually read the story before they discuss it.


20 Feb 15:00

Google Releases TensorFlow 1.0 With New Machine Learning Tools

by msmash
An anonymous reader shares a VentureBeat report: At Google's inaugural TensorFlow Dev Summit in Mountain View, California, today, Google announced the release of version 1.0 of its TensorFlow open source framework for deep learning, a trendy type of artificial intelligence. Google says the release is now production-ready by way of its application programing interface (API). But there are also new tools that will be part of the framework, which includes artificial neural networks that can be trained on data and can then make inferences about new data. Now there are more traditional machine learning tools, including K-means and support vector machines (SVMs), TensorFlow's engineering director, Rajat Monga, said at the conference. And there's an integration with the Python-based Keras library, which was originally meant to ease the use of the Theano deep learning framework. And there are now "canned estimators," or models, Monga said, including simple neural networks to start using quickly.


20 Feb 13:44

W. C. Fields

"I am free of all prejudice. I hate everyone equally."
20 Feb 13:43

When you take too long to choose a chocolate.

07 Feb 14:11

Optional vs “if null”

by struberg
Lately I see a lot of code like Optional.ofNullable(i).ifPresent(x->doBla(x)); instead of the old, well-known: if (i != null) { doBla(i); } It is debatable which style is easier to read. Especially when multiple layers are nested. It’s probably a matter of preference which style works better for you personally. But what we can measure is […]