This made me download Qubes. Amazing project that seems to care.
If a laptop does have an internal microphone, I just assume it is on and recording.
Other than that, I don't assume any other part of the laptop is compromised, but maybe I should. Thanks for asking this thought-provoking question.
Anyway, I'm not going to take the laptop apart and analyze the internal microphone hardware to make sure that the switch actually disables the mic. So even in that case, I'd assume the mic was still on even if the switch was in the off position.
On the other hand, I'd prefer to buy a laptop with a hardware switch for the internal microphone, if one existed, as it's better to have such a switch in case it actually does work as advertised.
The machine does nothing with them unless you give them permission to do something.
My thinking on the subject was roughly that for an attacker to have the ability to spy on me via that mechanism would strongly imply that they already have privileged access to my computer (to be able to activate the device and exfiltrate the data).
At that point, personally, I'm far more worried about the data they'd get from my keyboard (specifically credentials for various systems) than I am about them being able to see me sit at a desk.
If my threat model includes backdoored hardware, I'm in a bad place as (I'd expect) would most people be.
[0] https://security.stackexchange.com/questions/118854/attacks-...
The purism laptops do, but afaik, they are the only ones.
Another type of user keeps confidential stuff out of networked computers and the cloud entirely.
Both are worthy defense strategies.
Older ThinkPad laptops had a physical switch for the microphone.
Holy shit where did that come from o_0
> USB 3.0 runs as a binary blob in the BIOS
Is that running on the chipset or the CPU?
Keylogging isn't good either, but if you're using a password manager and/or 2FA then it's not really as big of an issue. It is an issue for your disk encryption passphrase, but I'm hoping that in the future we might be able to remedy that through some 2FA-like system[1]. If we seal disk encryption keys inside TPMs then we have to only come up with a sane security policy (which is obviously the hard part).
Disk controllers are similarly not an issue if you have full-disk encryption (though then your RAM is the weak point because it contains the keys). There was some work in the past about encrypted RAM but I doubt that is going to be a reality soon. The real concern is that a worrying array of devices plugged into your laptop can DMA your memory (USB 3.1, PCI, etc). IOMMU improves this slightly but from memory there is still some kernel work necessary to make the order in which devices load secure (if you load a device that supports DMA before the IOMMU is loaded then you don't have IOMMU defences).
[1]: https://www.youtube.com/watch?v=ykG8TGZcfT8 "Beyond Anti-Evil Maid"
They may have my data if I'm compromised, that doesn't mean I want them to have embarrassing video or audio of me as well.
I see it, and I see the AMD and ARM equivalents, and I'm sitting here wondering how the hell do I buy a decent laptop without that crippling trust hole. AFAICT, one cannot.
I'm willing to pay more for processors that aren't thus afflicted. Is anyone at AMD, Intel et al listening?
https://news.ycombinator.com/item?id=14669377
> Is that running on the chipset or the CPU?
USB 3.x controllers are more complex than predecessors and typically run some firmware on the controller chip to implement functionality which used to be implemented in the OS drivers.
I believe so too. OpenPOWER and RISC-V show great promise but I am not aware of any significant tape-outs for either (and not to mention you have to have consumer motherboards et al that are compatible with the chipset).
The nice thing about OpenPOWER is that there are many distributions (openSUSE is one that I know for sure) that provide some support for ppc64le and thus the transition shouldn't be too painful from a port-the-distro perspective. RISC-V also will have similar support once it's merged into the mainline kernel and also once distributions have significant confidence to spin up some QEMU build images for RISC-V.
> I'm willing to pay more for processors that aren't thus afflicted. Is anyone at AMD, Intel et al listening?
I am inclined to believe that the reason is economic rather than them just being evil (that doesn't mean that it's not a horrible misfeature that mistreats users, I just don't think that the inclusion of ME on consumer hardware was an intentional decision). Intel ME is "required" for enterprises because sysadmins want to be able to control all of the machines they provide their employees (you can have varied opinions on whether that's ethically acceptable, but that's the reason).
Given that consumer hardware generally comes from the enterprise world after it has dropped in value, I would not be surprised if Intel ME was left in consumer CPUs simply because it was cheaper than removing it. There's also the (weaker) argument that an enterprise should be able to use Intel ME on a BYO-device system, but that strikes me as unethical.
You might be willing to pay extra for Intel ME-less CPUs, but have you seen what the bill is for a full tape-out? There needs to be significant market demand for something like that.
Of course, if you could do that you could probably compromise browser cookies anyway.
I'm not sure we're discussing the same threat model here. If you're worried about long-term compromise then that race window is a much smaller concern than the fact that having a TOTP code makes it so that an attacker can't just keylog you and get the password at a later time.
Agreeing on threat models is the first step in any discussion about security. Does your threat model include being so badly owned that a keylogger on your machine can exfiltrate data so quickly that someone can replay your login session? Is that a reasonable threat model? Is it helpful to require that to be solved or otherwise not be considered good enough?
In your personal life just leave your microphoned laptops/phones in a box in the room next door. Two birds, one stone: less time spent behind a screen unless you need it, and your tinfoil-hat friends feel safer!
But even a sysadmin at a Fortune 500 company is in the dark about all that this second CPU can and can't do.
The sysadmin might not know how it works, but they do know they can control machines remotely using their Intel branded management system (or other rebranded variety). Just because they don't know how bad it is doesn't mean that's not the motivation for it.
IPMI is a similar deal. Modern servers have a secondary computer embedded in the motherboard (which have been historically _very_ insecure) because it's useful for managing servers. Intel AMT is the work-laptop version of that technology, and you can bet that most enterprises use it.
> if it was economical they would offer you to pay more for full control for it.
But they do. The entire reason why enterprise deployments of large numbers of work laptops/desktops is so expensive is because you have to pay extra for the management system that comes with it. Just because they don't remove the "backdoor" in their consumer lines doesn't mean they won't charge you through the nose to be able to administer the damn thing.
I am very anti-ME and wish that all firmware was free software, but arguing that the reason why ME is present in consumer CPUs is not for economic reasons doesn't sound right to me. The reason why the technology was developed is because the developers were not aware how unethical their actions were, and that's where the core of this problem lies.