CPU level security threat. How can we protect ourselves?

KGIII

Super Moderator
Staff member
Gold Supporter
Credits
13,320
Veering off-topic into politics really
Just a reminder. Politics is strictly off limits.

Which, I will be the first to admit, is kinda difficult in topics concerning both privacy and security. But, if you want to have these kind of threads, you'll exercise caution.
 


Linuxembourg

Member
Credits
540
Just a reminder. Politics is strictly off limits.

Which, I will be the first to admit, is kinda difficult in topics concerning both privacy and security. But, if you want to have these kind of threads, you'll exercise caution.
Yeah. I think you've gotta be careful such topics are on point to begin with.
 

Angry Dog

Member
Credits
550
Well you should be concerned, if your ISP sees everything you do, so can everyone else including Governments. :mad:

We are all average users but we have a right to privacy, something we should never take for granted, that is unless people are stupid enough to run Windoze Spyware 10 where micro$oft not only spy on you but sell your information to Governments or anyone with cash. :mad::(

Speaking of Ram, in my tower I have 16GB of Ram, I have used nearly half sometimes but that's running my VM at the same time. These days 8GB of Ram is the norm and the more you have, the more you can multi-task. :);)
I get it i really do...

Lets turn the focus to the topic: BOTH privacy and security because i really do agree with you.

Firstly You have VPN and other such services. You use them and they work well. Now problem is your ISP can't see what you are doing BUT they can see whatever you are doing is encrypted. Now if you are just a normal user this does not bother them. UNTIL an event happen and give them cause to investigate everyone that is using this type of encryption.

Secondly lets consider what i said: having a VM browser means i can accept all the cookies i need to, and get to the page i want to access and then leave. Once done i shut the VM down and delete the image and just clone one from the original again. i can repeat this every day, several times a day.

So Google can't track me very well, my IP is masked and all that good stuff. Now consider all these steps was taken BUT Winspy 10 phones home sending key-logs? How will that data get used? Facespy accumulated enough data trough family/friends "not even me" to know where I am, and what I do. So there is that.

Now "Phonespy" also collects a ton of data and send that around as well.

The question is, do you need all this in your life? That is situational. Some of us do need X Y and Z to do work and stuff like that.

BUT now I sit with a computer that has a open door. So what good is all my steps towards my privacy if my security is compromised and with that my privacy? See entities like Winspy and Phonespy along with facespy can be held accountable to a degree. But someone with the right tool can also access my PC and there will be no accountability because they got good in hiding themselves.

This is why i started to write here about this. I want to know, what steps can I take to fully secure myself Firstly and secondly setup a VPN and do all the other good stuff. Now like i said i have nothing to hide, BUT i still want my security.

So here are the solutions as i see it:

1> ARM processors. For now they seem to be solid with no security problems that is build into the CPU or hardware. How true this is i don't know but for now it looks that a Pi computer is solid.

2> WIFI use. For now every YouTube channel has some step-by-step instructions on how to compromise this technology. So not using it is a solution.

3> Isolated networks. Using more then one Pi computer one can setup isolated work-stations each with a task. This means if 1 gets compromised the network is isolated so access is limited.

4> The use of VMs. VM computers allow us to have a safe isolated place to access the internet and even IF it gets compromised it can be easily deleted without suffering any real problems. Also it gives the added benefit to start with a "new" clean install each time. So nothing gets stored. To add to this you can "and i have done this" use a USB to cat5 device and give it, its own isolated network as well. Very cool stuff.

5> Backup. This is self explanatory at this point.

So knowing all this why am I still upset.

Because my main computer that I spend money on is now good for nothing. Why? Because i cannot trust it. I don't know what can be done and what can't be done and because this info ranges from facts to fiction it is hard to accept that a "patch" will deal with the problem. A problem that shouldn't exist in the first place. So in my opinion the guilty parties should be held accountable and they must be reminded they are serving the public and that they are selling a product. So a compromised product should be recalled and steps should be taken to stop it from happening.


So all this said, Is this to much?

Yes i am the first to admit it is. BUT what about the tax office? What about the hospitals? What about Other important facilities? What happens when this thing goes bad?

Then it is no longer just about being paranoid then a situation can easily become life or death especially in facilities like hospitals.

So sorry for the rant and my constant stupidity. But I am just a user and I am just trying to understand this world.


thank you for tolerating me :)
 

Linuxembourg

Member
Credits
540
I think a far better approach would be to limit your use of the internet/etc as a whole. At the end of the day, that is the main risk.

1) You identify internet use/whatever as a privacy risk and limit it to stuff like this. Much like your curtains or the outside of your house, you don't worry about it being public.

2) You identify high risk stuff you do (scripting/whatever) and you do it offline, on a device that never connects to the internet/etc. For extra levels without ever connecting to any network or other device.

3) Whenever you do need to do very risky stuff online, you work out how to do it in a ridiculously safe way that would be tedious to implement for everyday browsing.
 

Angry Dog

Member
Credits
550
I think a far better approach would be to limit your use of the internet/etc as a whole. At the end of the day, that is the main risk.

1) You identify internet use/whatever as a privacy risk and limit it to stuff like this. Much like your curtains or the outside of your house, you don't worry about it being public.

2) You identify high risk stuff you do (scripting/whatever) and you do it offline, on a device that never connects to the internet/etc. For extra levels without ever connecting to any network or other device.

3) Whenever you do need to do very risky stuff online, you work out how to do it in a ridiculously safe way that would be tedious to implement for everyday browsing.
Using the internet less is a long term goal of mine for several reasons. As you know it is very distracting and also i honestly need to focus on work. This is why i want a pc just for browsing because it is a process "cloning the VM loading the VM" having to do this over and over again makes it cumbersome, and in this case that is a good thing.
 

KGIII

Super Moderator
Staff member
Gold Supporter
Credits
13,320
I can't remember where which topic it was but @KGIII once said something like the only security that protects you 100% of the time is to unplug your system from the network or to turn it off.
You'll probably also want to bury it at the bottom of a concrete-filled pit. After all, a physical intrusion could access the hard drive.
 

Angry Dog

Member
Credits
550
You'll probably also want to bury it at the bottom of a concrete-filled pit. After all, a physical intrusion could access the hard drive.
i get it, i do... i sound like something that escaped from a nice padded room in a building filled with happiness. Sadly, if only right.

But a serious question i need to ask, Why don't people demand that CPU manufactures explain why these open doors exist in the first place? i mean they are selling these devices and we trust them, shouldn't there be some accountability? Surly right?
 

KGIII

Super Moderator
Staff member
Gold Supporter
Credits
13,320
The intentional doors are there for remote management and business applications. The other doors are, at least as far as anyone can prove, accidental. There will never be a flawlessly secure platform so long as humans are in the loop. You will never have 100% security. You're fretting over what's largely FUD and you're not really at much risk for hardware vulnerabilities. If you care, you'd spend your time securing the software that you use.
 

Nik-Ken-Bah

Well-Known Member
Credits
1,460
You will never have 100% security
That is very true because when the processor circuitry is designed and then built on to the silicon wafers for the processors may induce unexpected and unintended behaviour which may be due to having to accept a few but manageable idiosyncrasies due to the closeness of components on the wafer. One being parasitic capacitance from memory.
but as Rabbie Burns said

The best laid schemes o' mice an' men Gang aft a-gley,
And lea'e us naught but grief and pain. For promised joy. – Robert Burns.
 

KGIII

Super Moderator
Staff member
Gold Supporter
Credits
13,320
... due to the closeness of components on the wafer.
I don't think many people truly understand the scale at which you speak of.

People get mad when things break. Me? I'm just amazed that they work as often as they do.

It's the same thing with the 'net. The more you learn about how it actually works, the more amazed you are that it works at all and the more sympathetic you are when there are outages or other problems.
 

Angry Dog

Member
Credits
550
I don't think many people truly understand the scale at which you speak of.

People get mad when things break. Me? I'm just amazed that they work as often as they do.

It's the same thing with the 'net. The more you learn about how it actually works, the more amazed you are that it works at all and the more sympathetic you are when there are outages or other problems.
i surly don't understand a lot of it. All i know is, it scares me because hospitals and stuff like that needs working systems/networks and knowing that someone can compromise this risking the health/safety of thousands is scary to me. It really is, it removes that "trust" we have in the systems, companies that are suppose to keep us safe. i will never look or value a computer/phone the same way again.
 

Nik-Ken-Bah

Well-Known Member
Credits
1,460
, it scares me
The cure for that is study and reading as knowledge is the only palliative that will dispel the malady called fearfulness since it is a symptom of not knowing.
 

KGIII

Super Moderator
Staff member
Gold Supporter
Credits
13,320
it scares me because hospitals and stuff like that
There's been a trend of putting things online needlessly. This will likely pass or result in better security.

But, it's not like the MRI machine is going to come alive and eat you.
 

stan

Well-Known Member
Credits
4,477
All i know is, it scares me because hospitals and stuff like that needs working systems/networks and knowing that someone can compromise this risking the health/safety of thousands is scary to me.
Fire scares me. But I still use it because I like cooked food. You take precautions for the things that you can control, and you accept that there are things you cannot control. If you have a medical emergency, go to the hospital. Don't agonize over their security... you can't control it. Overall they do a pretty good job.

Consider airplane crashes... you can't control them either. You see them on the news, and hundreds die. But normal is that there are many thousands of uneventful flights every day, and millions survive them. When you see a hospital on the news with a ransomware attack, remember that normal is that every other hospital in the country is running just fine. The sky is not falling.

Back to your topic: CPU's. Again, you cannot control their manufacture. Use them, or don't... but there will never be a perfect product... ARM included. The world is not perfect, and it never will be. What you CAN control is the operating system and software that you use. You can mitigate the threats with your behavior and choices, but there will always be threats. If you haven't already, you might take a look at Qubes Linux or OpenBSD.
 
Last edited:

Angry Dog

Member
Credits
550
Fire scares me. But I still use it because I like cooked food. You take precautions for the things that you can control, and you accept that there are things you cannot control. If you have a medical emergency, go to the hospital. Don't agonize over their security... you can't control it. Overall they do a pretty good job.

Consider airplane crashes... you can't control them either. You see them on the news, and hundreds die. But normal is that there are many thousands of uneventful flights every day, and millions survive them. When you see a hospital on the news with a ransomware attack, remember that normal is that every other hospital in the country is running just fine. The sky is not falling.

Back to your topic: CPU's. Again, you cannot control their manufacture. Use them, or don't... but there will never be a perfect product... ARM included. The world is not perfect, and it never will be. What you CAN control is the operating system and software that you use. You can mitigate the threats with your behavior and choices, but there will always be threats. If you haven't already, you might take a look at Qubes Linux or OpenBSD.
Yea but...

See here is the thing, i am young enough to see how the tech world have changed and old enough to remember how things use to work before the internet.

See in the winNT4.0 days, where i live we had servers running in some room that was normally hidden. Now it was a pure LAN system and viruses was a thing BUT because all one had to do was to remove the floppy drive it wasn't a big problem.

Network admins could setup a lot of security locally and tape storage took care of most of the backups.

Now what have changed?

Well funny enough, even if you look at a modern hospital, the data they have to store remained the same. But access to that data changed. So the network grew and the biggest security flaw in human history was the invention of the USB thumb drive. That enabled people to simply find a USB port on the back of the computer and in a blink of an eye infection became a real problem.

Then the birth of active directory became a thing and firewalls became complicated network policies became the norm and finally the cloud became a thing. Also remember everyone and their pet lawnmower was writing viruses to give Microsoft a very very hard time. And it worked, most of the back end systems is Linux/ and i remember Unix base. But as we all know even now you get serious security risks for Linux as well. It is not as bad as Microsoft but... don't think it doesn't exist it does.

I would argue that the systems that ran winNT4.0/4.1 on a isolated LAN was much more secure then the internet of things that we have today. Simply because an isolated network with a good user polices IS much much more secure then later implementations. Yes it was a nightmare running Novel with win95 and all that BUT it worked. Novel was actually good once it was running and set-up properly.

Backup was never a problem because to be honest very few companies really needed tons of storage. I personally know that a 1Gb hard drive back in the day was plenty and honestly it was the Software that demanded more not the files that was saved. Also remember Zip compressor was standard and really it worked well enough. YES some files got corrupted but that was due to the spinning rust not being swapped out in time. Other then that i personally have Zip files that are very old and still worked just fine to this day.

But yes files got bigger and yes compression is still a thing.

So why am i telling you this?

Because i know it is possible to make a network safe. really safe. It use to be my job. But never did we have to worry about CPU level attacks. Never in my life was that even a problem. remote KVM on bios level isn't new. It simply is not new it existed for a very very long time. But for most of it you couldn't corrupt the bios because most servers had a physical jumper that could be switched. Once switched it became a ROM and you cannot touch it unless you physically open the box and switched the jumper over.

My point here is, it worked... it worked very very well. Case and point many companies today deploy a double network. 1 is for company use the other for internet. So essentially every user would have a small laptop connected to the net and their main work station was on a isolated Lan that was on permanent lock-down and USB drives is simply banned from the office. I know it existed because i was one of the 20 techs that set it up. This was 4 years ago now.

But then cloud came and a lot of techs like myself became printer mechanics on large format printers and or coding. Some just dropped the tech world and went over to management/financing department or human resources. point is the cloud took more then what it gave when it came to security on the network.

Simply put you cannot secure a cloud system fully because you don't have physical access to it. But due to CPU hacks being a thing now and YES I DO NOT UNDERSTAND IT i simply don't. Not a single cloud service can be 100% secure simply because a low level "bios level" access exist and there is no real way to secure it. Nah... in my opinion hardware manufacturers dropped the ball and everyone is paying the price.
 
Last edited:

70 Tango Charlie

Well-Known Member
Credits
1,973
@Angry Dog
I noticed a couple of comments that I would like to respond to.
You mentioned that you are old enough to remember how things use to work before the internet. Just how old is that? I had an older brother who worked for IBM back in the 50s and 60s. I was not interested in computers at that time as there were only Big Blue and a few others. I do remember buying a Timex computer that I hooked up to my TV set. That did nothing for me as I did not understand what to type on its' keyboard to get it to do anything. That was in the middle 80s as I remember.
Then, around 1993 a relative gave me an old desktop cp that was collecting dust in their basement so I could learn to type, which I became fairly proficient at as time went by.
My introduction to the internet was by way of the local library, which had the best connection available at the time. If I recall right, Mozilla was the browser in use at the library. That was around 1998, before Internet Explorer became very popular.
Enough of my background history.
Now with all due respect, I disagree with your statement - "the biggest security flaw in human history was the invention of the USB thumb drive." My opinion is just the opposite of yours on this subject. I believe the USB thumb drive is one of the finest inventions developed for storage of computer data. It can be the most secure of anything used to store data. It is completely portable. When not attached to a computer it is totally secure from prying eyes. Your computer hard drive is not as secure as a thumb drive.
As with anything else, when the human element enters any situation, lots of bad stuff can happen.
Case in point: around 50,000 people die each year in traffic accidents in the USA. Does that make cars unsafe? I have been driving for 71 years without any huge problems. I still drive every day without any problems. What makes cars unsafe is usually the driver and his/her unsafe driving habits.
Same principle can be applied to computers and their peripherals, like USB flash drives, or thumb drives. If the user has developed bad habits then there can be bad results.
I have one file of which I am very protective. The original is on a USB flash drive that goes with me wherever I go. I have other copies also, but the original goes with me in my pocket. That is about as secure as I can make it.
Thank you for considering my opinion.
Old Geezer, TC
 

Linuxembourg

Member
Credits
540
@Angry Dog
Now with all due respect, I disagree with your statement - "the biggest security flaw in human history was the invention of the USB thumb drive."
Agree with all your points, and you echo the correct general point of KGIII too.

Being picky, the biggest security flaw in human history is more likely to be dynamite or gunpowder, or something like that. Even in terms of data security, rubber-hose crypt-analysis is generally quite successful I'd imagine.
 
$100 Digital Ocean Credit
Get a free VM to test out Linux!

Members online


Top