
It feels to me like the entire OS security model is broken, and leaving security up to applications, even well-resourced ones like Chrome, is a fool's errand.

Is there any way we could benefit from starting again and building a secure OS from first principles? Isn't this one of Fuchsia's goals?



You have to start further back than you realize. Almost all computers nowadays ship with a second dedicated CPU and OS that you can't access or shut off. They are network self-aware and it is a backdoor. The most well known one is called the Intel Management Engine.

There is no point having better software if you can't even secure the hardware. Yes, the risk is minimal because even if the key to the ME leaks, it will never be given away or sold because it's too valuable. It is still a sense of disquiet for me that it is there in the first place. It doesn't add to the performance or security of your existing setup. It is there to make things easier for others.


I'm fine with the ME, but if it ever did leak, it very well could be sold or dumped on a pastebin.

Hackers are unpredictable. They could throw the plans for a fusion reactor that saves the world in the ocean. They could launch a nuke for the lulz. They can be crazier than wallstreetbets people.


The server motherboard I just bought has this as well. Thankfully access to it is at least isolated to a separate network port. I'm debating supergluing it closed or maybe physically disconnecting the port somehow.


You may want to review that very carefully. Typically, if that separate network port doesn't have a live network on it that issues DHCP addresses, the functionality will fall back to the port that is attached.


Oh fun. Thank you for the tip! Any suggestions on how to go about this? I'm a relative newb in these matters. Switching from macOS to Linux daily driver.


Keep an eye on ports 16992-16995, 5900, 623, 664, and realize that packets destined for those ports may never become visible to the OS, so you'll have to catch them in transit to the board. Another place to look is what DHCP leases are issued by your DHCP server; conceivably the management engine could request an address for itself.
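
An added example, not part of the comment above: one way to run both checks it describes over text captured upstream of the board (a router or switch mirror port), since the host OS may never see the packets. It assumes `tcpdump -nn` style lines and a dnsmasq-format lease file; the function names, the MAC inventory and all sample data are constructed for illustration.

```python
import re

# Ports listed in the comment above (16992-16995, 5900, 623, 664).
MGMT_PORTS = set(range(16992, 16996)) | {5900, 623, 664}

# Matches the address part of a `tcpdump -nn` line: "IP src.sport > dst.dport:"
FLOW_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

def mgmt_flows(capture_lines, board_ips):
    """Return (src, dst, dport) for packets sent to a management port on the board."""
    hits = []
    for line in capture_lines:
        m = FLOW_RE.search(line)
        if m and m.group(3) in board_ips and int(m.group(4)) in MGMT_PORTS:
            hits.append((m.group(1), m.group(3), int(m.group(4))))
    return hits

def unknown_leases(lease_lines, known_macs):
    """Return (mac, ip, hostname) for dnsmasq leases whose MAC is not in the inventory."""
    known = {m.lower() for m in known_macs}
    out = []
    for line in lease_lines:
        fields = line.split()  # dnsmasq: expiry mac ip hostname client-id
        if len(fields) >= 4 and fields[1].lower() not in known:
            out.append((fields[1].lower(), fields[2], fields[3]))
    return out

# Constructed sample data (documentation addresses, made-up MACs).
CAPTURE = [
    "12:00:01.000001 IP 192.0.2.20.51514 > 192.0.2.50.443: Flags [S], length 0",
    "12:00:02.000001 IP 192.0.2.77.40112 > 192.0.2.50.16992: Flags [S], length 0",
    "12:00:03.000001 IP 192.0.2.77.40113 > 192.0.2.50.623: UDP, length 23",
    "12:00:04.000001 IP 192.0.2.50.16992 > 192.0.2.77.40112: Flags [S.], length 0",
]
LEASES = [
    "1700000000 02:00:00:aa:bb:01 192.0.2.50 server *",
    "1700000000 02:00:00:aa:bb:02 192.0.2.51 * 01:02:00:00:aa:bb:02",
]

if __name__ == "__main__":
    for hit in mgmt_flows(CAPTURE, {"192.0.2.50"}):
        print("management-port traffic:", hit)
    for lease in unknown_leases(LEASES, {"02:00:00:AA:BB:01"}):
        print("lease for unknown MAC:", lease)
```

The lease check only helps when the management controller uses its own MAC address; one that shares the host's MAC will not show up as a separate lease.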


Also be aware of the sideband interface[1] available to the IPMI by checking the block diagram in your motherboard's manual. For instance, here's ASRock Rack's X470D4U diagram[2] showing the IPMI can be accessed directly through its dedicated NIC and also sideband through one of the main NICs.

[1] https://en.wikipedia.org/wiki/NC-SI

[2] https://i.ibb.co/dL1tNCq/image.png



