by jaimex2 3324 days ago
God #$%@ing damn it, this is why we can't have nice things. You can do only so much to not get pwned software wise, now you need to be paranoid about the hardware too?!

Going through all Xeon servers is going to be fun tomorrow.

5 comments

Unfortunately, there are too few hardware developers and not enough hardware awareness, thanks to the good abstraction nowadays. In the modern age, only a few software devs care about the underlying hardware, because it just works. The thing is, software _runs_ on hardware and any bug/backdoor etc. in it undermines everything above.

Did you know that the baseband chip in your smartphone runs its own Linux? Or that every SIM card comes with Java applications that can communicate with it? I guess not.

Considering how much hardware is required on a modern PC main board, it's really not that surprising that there are backdoors, bugs, or other mechanisms that can be exploited.

> the baseband chip in your smartphone runs its own ...

Microkernel

In many if not most cases this kernel would be an L4 implementation.

> OKL4 has been deployed on over 2 billion mobile phones (https://en.wikipedia.org/wiki/Open_Kernel_Labs)

Modern Hexagons run a full Linux under L4 also. It seems like the microkernel separation isn't really architected towards security AFAICT, but for running hard real-time tasks on the same cores as the rest of the system.
If your servers have multiple network ports and you aren't using them all, don't use the first one. Apparently the ME interface is only exposed on the main network interface.
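A quick audit of the advice above, as an added example that is not from any commenter: it parses `ip -o link show` and `ip route show` output and flags hosts whose default route leaves through the first onboard NIC. The `eno*`/`eth*` naming heuristic and the sample outputs are assumptions constructed for the example.

```python
import re
import subprocess

# Constructed sample output (not captured from a real host) of
# `ip -o link show` and `ip route show` on a two-port server.
SAMPLE_LINKS = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT
3: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT
"""
SAMPLE_ROUTES = """\
default via 192.0.2.1 dev eno1 proto static metric 100
192.0.2.0/24 dev eno1 proto kernel scope link src 192.0.2.10
198.51.100.0/24 dev eno2 proto kernel scope link src 198.51.100.10
"""


def onboard_ifaces(link_output):
    """Return onboard NIC names (eno*/eth* heuristic) in kernel index order."""
    names = []
    for line in link_output.splitlines():
        m = re.match(r"\d+:\s+([^:\s]+):", line)
        if m and re.fullmatch(r"(eno|eth)\d+", m.group(1)):
            names.append(m.group(1))
    return names


def default_route_iface(route_output):
    """Return the interface carrying the default route, or None."""
    for line in route_output.splitlines():
        if line.startswith("default "):
            m = re.search(r"\bdev\s+(\S+)", line)
            if m:
                return m.group(1)
    return None


def audit(link_output, route_output):
    """Return (first_port, uplink_iface, uplink_is_first_port)."""
    ports = onboard_ifaces(link_output)
    first = ports[0] if ports else None
    uplink = default_route_iface(route_output)
    return first, uplink, (first is not None and uplink == first)


if __name__ == "__main__":
    links = subprocess.run(["ip", "-o", "link", "show"], capture_output=True, text=True).stdout
    routes = subprocess.run(["ip", "route", "show"], capture_output=True, text=True).stdout
    first, uplink, flagged = audit(links, routes)
    print(f"first port={first} uplink={uplink} {'WARN' if flagged else 'ok'}")
```

Moving the uplink to another port does not disable the ME; it only keeps the management interface off the network you actually route through, so firmware updates are still the real fix.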
Xeon servers don't have AMT, but you might want to verify that your BMCs are firewalled and fully patched.
Good to know, thanks :)
It's comical at this stage.
I am tempted to go back to dialup-style connectivity. Meaning I disconnect the router from the net unless I absolutely need something online.
You absolutely need security updates, or your system will be out of date and extra-vulnerable as soon as you plug it in.
Makes a guy wish there was an alternate pathway for getting updates...