[throwawaysed]

NSA 100% . Some time around 10 years ago governments decided the internet was too "dangerous" to be free. Arab spring cemented that into their minds, and now a bastion of free thought has become the worlds biggest spying apparatus.

[IshKebab]

Please. While no-doubt the NSA take advantage of this probably-insecure privileged processor, I seriously doubt they were behind it. Secure boot is an obvious business need and Intel and AMD clearly implemented it in the laziest way possible. And by laziest I mean: nobody is going to argue with you in a meeting if you say "we don't need to release the source code for this".

Seriously, anyone who has actually worked in a real company knows that it is a huge amount of effort to get source code released to the public, and if any of it is licensed from third parts it is probably near-impossible.

[kalenx]

We're not talking about secure boot, we're talking about Intel Management engine, which is a totally different story. You do not need ME at all to implement Secure Boot feature. Actually, no one really knows what Intel ME is doing, and _that_ is a huge problem.

[jackyinger]

Though I agree that there is a high likelihood that there is nefarious activity going on, I also ageee that there are legitimate uses for extra processors and firmware.

Take microcode for example. At one time (as I understand it) microcode was not a signed blob. However companies wishing to hide details of their microarchitecture chose to encrypt it.

My guess is that these encrypted blobs grew first out of corporate closed source culture, which is strong in HW companies. If they are subverted with actively malicious code it was probably by secretive efforts, not the NSA simply propositioning the HW manufacturer.

Finally I'd like to point out that unless you design your CPU chip yourself and oversee the layout of it on the die, it is also possible that the semiconductor manufacturer you hire could embed their own nefarious processor within your design.

In practicality, I think running RISC V on an FPGA would have a very low risk of subversion. Though the FPGA design tools might add nefarious logic too.

[tedunangst]

The businesses which pay extra for vpro know at least some of what ME is doing.

[Spooky23]

Try using Intel ME. Than come back and tell us that's a tool for mass surveillance.

If you think there's a evil NSA front for this type of stuff -- its Absolute Software. Their bits have been embedded in most BIOS packages since the 90s, and nobody has heard of them.

[trome]

Absolute with their Computrace product is selling what amounts to a hardware rootkit, which can be enabled with a simple unprivileged exe or bash script.

You can wipe, encrypt, lock, view & kill processes, retrieve any file and view every file on machine, and view hardware & software status and licensing. It also incorporates a bunch of other features, but those are what scare me most.

This is only made worse by the fact that it is readily exploitable: https://threatpost.com/millions-of-pcs-affected-by-mysteriou...

[Spooky23]

It certainly seems unusual that this software exists, but only from a single company. You would think HP/Dell/Lenovo/etc who are desperate for services revenue, would be making a similar technology if it was valuable.

A past employer looked into the product and had a reasonably high level engagement. We never got complete answers to many questions, and the company itself didn't feel particularly large. Granted we disengaged when we couldn't make the ROI work -- we just don't lose many devices. It seems unusual that a teeny company from Vancouver that nobody has heard of can navigate the bureaucracy of massive PC vendors and Asian suppliers of motherboards and android SoCs for decades.

It also seems weird when you consider that Intel, despite having a near monopoly on x86 and the ability to get other mega corps to put Intel stickers on things, (and even push them to make Atom phones that nobody wants!) gets comparatively little love for its management layer.

[trome]

Intel's ME/vPro can do a lot, but its nowhere near the fit and finish of Computrace. They aren't very good on sales, but once you become a reseller there are a ton of features you can access & use to manage your computers.

The reason Absolute is Vancouver based by the way is the Canadian Govt gives massive tax breaks to software companies, hence why a ton of point of sale and other software companies are based just to the north.

[jakeogh]

Thanks. https://www.absolute.com/en/about/persistence

[trome]

So why not build our own network with crypto, blackjack & hookers on libre hardware? Say on an OrangePi PC2 with a bunch of high gain USB 5GHz radios attached, and throw some spinning rust on there so you can run a Nextcloud instance and/or join your local Ceph cluster/IPFS.

We have CJDNS (which salsa20's all your data & can VPN legacy networks to ya), fully FLOSS SBCs for under $20ea, and 802.11n and AC outdoor radios can be had for cheap, this is merely a community involvement problem.

[timonovici]

I'm a software engineer myself - but I can't even contribute to projects such as lowRISC - is way beyond my abilities. Right now I'm learning to program microcontrollers, and I want to learn about FPGA's as the next step.

I also work at a company that has exactly this focus - to sell, and eventually produce devices that can be run with free software from top to bottom - but I don't see ourselves producing our own devices in the next 5 years, even if we would become wildly sucessful.

The hope seems to lie with ARM for the moment - C100 / C201 have even the Embedded Controller (EC) code avaiable - but they do have plans to implement something simillar to ME, AFAIK.

[trome]

Yeah, I'm not advocating for building our own SoC, as just taping out a chip is tens of millions, instead I'm advocating for using inexpensive Arm64 chips that already are a known quantity (firmware free, mainlined drivers) to build a fast & secure network, and scale from there.

[timonovici]

The issue is not widely known, silicon is very costly to manufacture, and most people frankly don't care, as long that spying is unobtrusive (and hell it is so).

Also, most people already are living with the thought that their computers are cracked/hacked/virused the moment they are connected to the internet - all my friends and relatives ask me to check their computer for viruses - almost none trust their computers or phones (especially Android phones, it seems). For such people, where this is the natural state of the world, it's very hard to imagine that they can change anything about it - and telling them that there are backdoors from the moment the laptop is assembled, doesn't help much.

[trome]

Sure, but the silicon & libre drivers already exist and don't need to be manufactured, so at this point its a marketing problem of selling a more secure computing box.

[throwawayish]

Anyone trusting a computer - any computer - is a giant fool in my book. Trust is a strong word, and computers suck balls fundamentally at keeping information safe.

[Famicoman]

tomesh is literally doing CJDNS+OrangePiZero+5GHz+WAP+802.11s to get the most inexpensive yet performant meshing node. Come chat via Matrix at #software:tomesh.net

[trome]

Mmm, how is throughput? I know that on an OrangePi PC (same Allwinner H3) I was getting 5MB/s for a point to point transfer, didn't check relay throughput though. I assume the H5 would do better with gigabit and 2.5x better NEON performance, but I've yet to test (just got kernel 4.10 built for it & booting Debian reliably).

[Famicoman]

Seems to be good, here are some iperf3 tests over the link:

OPi with no build flags: [ ID] Interval Transfer Bandwidth Retr [ 4] 0.00-120.00 sec 290 MBytes 20.3 Mbits/sec 165 sender [ 4] 0.00-120.00 sec 290 MBytes 20.3 Mbits/sec receiver.

OPi with optimal build flags: [ ID] Interval Transfer Bandwidth Retr [ 4] 0.00-120.00 sec 366 MBytes 25.6 Mbits/sec 141 sender [ 4] 0.00-120.00 sec 366 MBytes 25.6 Mbits/sec receiver

[MichaelMoser123]

>NSA 100%

What about the other powers? China, France, Russia have their own NSA's that would be asked to provide solutions to protect all the PCs in the service of their own governments, what are they doing about it?

[MichaelMoser123]

also how can the American NSA trust the manufacturing process? Couldn't the Chinese counterpart of the NSA possibly reprogram the code of this processor when it was manufactured? Reflections on trusting trust that is...

[timonovici]

Take sample processors, uncap them, x-ray them, compare the designed circuitry with the x-rayed one. That would be a way.