|
Thanks Ants posted: lol Uber is burning piles of tyres all the way down

Unless you're a woman! Then you are treated like a princess!! until you refuse to sleep with your boss
|
# ? Nov 22, 2017 01:33 |
|
Naturally, no one will go to jail over this.
|
# ? Nov 22, 2017 01:33 |
|
^ Xpost from meme thread
|
# ? Nov 22, 2017 05:46 |
|
So, Lenovo posted the list of laptops vulnerable to the Intel Management Engine vulnerability and when they have a patch outgoing according to them. https://support.lenovo.com/us/en/product_security/len-17297 My dinky Skylake tablet convertible I never use as a tablet I was gifted (Lenovo Yoga 700-11ISK) isn't even listed, so who knows? Certainly isn't getting patched I'm guessing, but the one time this thing ever got a firmware update it was a Windows-only update (which made it fun, I single-boot Linux off it). What do I even do with an otherwise usable computer with a remote execution vulnerability in the Management Engine?
|
# ? Nov 22, 2017 06:44 |
|
Potato Salad posted: ^ Xpost from meme thread

Like, is this a new gilded age of corporate/rich person impunity, or am I just getting more to the age where I notice it more and my bile just rises faster?
|
# ? Nov 22, 2017 06:49 |
|
gourdcaptain posted: So, Lenovo posted the list of laptops vulnerable to the Intel Management Engine vulnerability and when they have a patch outgoing according to them. https://support.lenovo.com/us/en/product_security/len-17297

Is it even a problem on systems without vPro (like most consumer grade laptops)?
|
# ? Nov 22, 2017 07:50 |
|
Internet Explorer posted: Seriously? It sounds like someone is just using his name as a display name.

I didn't say he was actually compromised, just telling him what he should do if he thinks he is compromised. If you have a password manager, changing all your passwords isn't hard.
|
# ? Nov 22, 2017 08:55 |
|
dissss posted: Is it even a problem on systems without vPro (like most consumer grade laptops)?

Intel's Linux detection tool for the vulnerability says it's vulnerable, so I'm going to guess so? (After I edited it to point at python2 instead of just "python" for its interpreter so it would run at all.)
|
# ? Nov 22, 2017 09:25 |
|
dissss posted: Is it even a problem on systems without vPro (like most consumer grade laptops)?

ME is a part of every recent Intel CPU, vPro or not.
|
# ? Nov 22, 2017 10:12 |
|
doctorfrog posted: Like, is this a new gilded age of corporate/rich person impunity, or am I just getting more to the age where I notice it more and my bile just rises faster?
|
# ? Nov 22, 2017 11:21 |
|
gourdcaptain posted: So, Lenovo posted the list of laptops vulnerable to the Intel Management Engine vulnerability and when they have a patch outgoing according to them. https://support.lenovo.com/us/en/product_security/len-17297

Don't execute untrusted code ever.

dissss posted: Is it even a problem on systems without vPro (like most consumer grade laptops)?

This is against the Minix kernel executing on the CPU itself, not the vPro management stuff that it hooks in to on the motherboard. Every 6th gen CPU forward is affected.

BangersInMyKnickers fucked around with this message at 13:46 on Nov 22, 2017
|
# ? Nov 22, 2017 13:42 |
|
I ran this tool they recommended and it said at least my personal tablet/laptop isn't affected.
|
# ? Nov 22, 2017 13:46 |
|
That tool has apparently had false-negatives. Just check the CPU model against Intel's article.

quote: 6th, 7th & 8th Generation Intel® Core™ Processor Family
|
# ? Nov 22, 2017 13:48 |
|
My XPS 13 is vulnerable
|
# ? Nov 22, 2017 13:54 |
|
BangersInMyKnickers posted: That tool has apparently had false-negatives. Just check the CPU model against Intel's article.

It's an i5! I'm safe!
|
# ? Nov 22, 2017 14:15 |
|
Absurd Alhazred posted: It's an i5! I'm safe!

i5s are not safe. "6th, 7th & 8th Generation Intel® Core™ Processor Family" That means any i3, i5, i7, or i9 with a 6xxx through 8xxx model code. Also the older ones aren't necessarily safe, they're just using a different version of the ME hardware and software which hasn't been looked at as deeply because IIRC it can be fully neutered.
|
# ? Nov 22, 2017 14:53 |
|
wolrah posted: i5s are not safe.

iSuck.
|
# ? Nov 22, 2017 14:56 |
|
wolrah posted: i5s are not safe.

The older versions have similar risks and cannot be "fully neutered". 6th gen forward the ME engine moved to Minix and the security researchers are able to pick at it with more conventional tools. The ME engine before that was some kind of proprietary microkernel and they've been having a harder time picking it apart and analyzing. Impossible to say if that is a good or bad thing at this point, but most likely bad since governments have a lot more money to poke at this stuff and possibly access to proprietary Intel documentation on it.
|
# ? Nov 22, 2017 15:05 |
|
In what way can your Intel PC be controlled, though? Even if you've got some kind of outward-facing RDP/VNC/SSH setup it ultimately falls down to the security of that, doesn't it? I guess it comes down to being extra vigilant with whatever software you tell your PC to run?
|
# ? Nov 22, 2017 15:51 |
|
The ME is hooked in to effectively everything and executes above the OS and in some ways the majority of your hardware. Successful execution allows for direct access and tampering, a hardware rootkit that will never leave and Intel will provide no reflash/factory restore procedure for. It goes in the trash in such a situation. The system cannot be trusted, which has been the fundamental complaint and concern about the access the ME has in the first place and security researchers have been making noise about. The mother of all privilege elevation attacks.
|
# ? Nov 22, 2017 15:58 |
|
BangersInMyKnickers posted: The older versions have similar risks and cannot be "fully neutered". 6th gen forward the ME engine moved to Minix and the security researchers are able to pick at it with more conventional tools. The ME engine before that was some kind of proprietary microkernel and they've been having a harder time picking it apart and analyzing. Impossible to say if that is a good or bad thing at this point, but most likely bad since governments have a lot more money to poke at this stuff and possibly access to proprietary Intel documentation on it.

It seems there was a version number thing that was throwing off my memory. ME versions 1-5 can be fully disabled. ME version 6 added a watchdog system that shuts the PC down if the ME hasn't started up within 30 minutes of boot. In my head I associated this with the 6th-gen Core chips, but instead this was in the first-gen Core i-series. From here on out we can only neuter it to one level or another, not eliminate it. ME version 11 (Skylake) changed to the Minix-on-x86 platform used currently.
|
# ? Nov 22, 2017 16:39 |
|
This is the standard laptop for my company good days
|
# ? Nov 22, 2017 16:45 |
|
"Hey guys I'm going to add this super secret software with all system access but it's ok because we write perfect, bug-and-exploit-free code"
|
# ? Nov 22, 2017 17:44 |
|
Thermopyle posted: "Hey guys I'm going to add this super secret software with all system access but it's ok because we write perfect, bug-and-exploit-free code"

Said everyone ever. There's a reason this is a booming and lucrative field.
|
# ? Nov 22, 2017 18:02 |
|
It'd be one freaking thing if you could update the firmware for it straight from Intel, but nope, gotta wait for the OEM to release an update with the fix for it. Motherboard or system OEMs. We are so screwed.
|
# ? Nov 22, 2017 18:49 |
|
gourdcaptain posted: It'd be one freaking thing if you could update the firmware for it straight from Intel, but nope, gotta wait for the OEM to release an update with the fix for it. Motherboard or system OEMs. We are so screwed.
|
# ? Nov 22, 2017 18:52 |
|
anthonypants posted: What makes you say that?

OEMs don't exactly have a great track record of updating all their models (see my phantom tablet) or informing everyone of firmware updates.
|
# ? Nov 22, 2017 19:19 |
|
BangersInMyKnickers posted: This is against the Minix kernel executing on the CPU itself, not the vPro management stuff that it hooks in to on the motherboard. Every 6th gen CPU forward is affected.

Hmmm so I guess while everything is vulnerable only the more popular corporate stuff (Thinkpads, Latitudes and EliteBooks) are ever going to see a fix.
|
# ? Nov 22, 2017 19:25 |
|
dissss posted: Hmmm so I guess while everything is vulnerable only the more popular corporate stuff (Thinkpads, Latitudes and EliteBooks) are ever going to see a fix.

That's the most likely outcome, which sucks but is probably Good Enough from a risk mitigation standpoint since most corporates and governments will have a recourse in the coming weeks. This isn't something you, as a state actor, would try to target against Joe Blow Civilian though the human rights and journalist crowds should be concerned. It will absolutely suck if a developed attack vector leaks like EternalBlue and gets in the hands of script kiddies.
|
# ? Nov 22, 2017 19:31 |
|
dissss posted: Hmmm so I guess while everything is vulnerable only the more popular corporate stuff (Thinkpads, Latitudes and EliteBooks) are ever going to see a fix.
|
# ? Nov 22, 2017 19:35 |
|
anthonypants posted: Mostly because there's a lot of consumer stuff that doesn't have any vPro/IME hardware.

Again, going by Intel's own detection tools, this doesn't seem to require vPro because my very cruddy Intel Core m5-6Y54 equipped tablet triggered the detection tool for the vulnerability.
|
# ? Nov 22, 2017 19:43 |
|
It's an old NUC with an i3-6100U CPU, which I think is in the vulnerable range. Also, I love it when official dead-serious Intel security testing software can't even spell words right. A "priviledge" account? That sure inspires trust when I'm about to run the drat thing as root...
|
# ? Nov 22, 2017 20:19 |
|
evil_bunnY posted: It's long been like this/worse, some people are finally noticing simply by virtue of information being easier to disseminate. This also means truthers, birthers, etc also get more of an audience, unfortunately. Truther/birther/vaxxer conspiratorial stuff is kinda the natural result of people who get woke in a false start due to being, for whatever reason, unwilling to accept the full, obvious answer for why X problem exists. Examples, Alex Jones trutherism as a diversion from the Bush/GOP's lies leading up to the 2001+ Iraq war and the horrors largely attributable to their partisan side, their tribe. Vaxxer bullshit due to an unwillingness to accept that bad things happen for no reason. That's my working theory and I'm sticking to it

Potato Salad fucked around with this message at 20:34 on Nov 22, 2017
|
# ? Nov 22, 2017 20:32 |
|
BangersInMyKnickers posted: The ME is hooked in to effectively everything and executes above the OS and in some ways the majority of your hardware. Successful execution allows for direct access and tampering, a hardware rootkit that will never leave and Intel will provide no reflash/factory restore procedure for. It goes in the trash in such a situation. The system cannot be trusted, which has been the fundamental complaint and concern about the access the ME has in the first place and security researchers have been making noise about. The mother of all privilege elevation attacks.

I've been trying to wrestle explaining concisely why this is such a big deal, tyvm.
|
# ? Nov 22, 2017 20:37 |
|
wolrah posted: i5s are not safe.

It's not yet clear if those older Dell updates address the ME CVEs, or the TXE CVEs, that were included in this disclosure.

Edit: apparently Intel Manageability Engine Firmware 8.x/9.x/10.x were also affected by these CVEs, but: "The two CVE IDs above were also resolved in earlier generations of corporate versions of Intel ME, where Intel® Active Management Technology shares the same code base." As in, this isn't the first time Intel have fixed this particular ME vulnerability. FFS.

Mr Chips fucked around with this message at 05:16 on Nov 23, 2017
|
# ? Nov 23, 2017 04:59 |
|
Mr Chips posted: apparently Intel Manageability Engine Firmware 8.x/9.x/10.x were also affected by these CVEs, but:

Intel screwing up fixing things they've fixed before is hardly a surprise for me.
|
# ? Nov 23, 2017 10:20 |
|
You could say the same for most companies. It’s not just Intel.
|
# ? Nov 23, 2017 22:02 |
|
https://twitter.com/infosecTweet/status/934077403088998401
|
# ? Nov 24, 2017 16:14 |
|
https://www.macrumors.com/2017/11/28/macos-high-sierra-bug-admin-access/ This is some "login to Windows by browsing help files for a print driver" levels of fun
|
# ? Nov 28, 2017 22:01 |