Computers and the internet gave you freedom. Trusted Computing would take your freedom.
Learn why: https://vimeo.com/5168045

  • 0 Posts
  • 197 Comments
Joined 2 years ago
cake
Cake day: June 7th, 2023

help-circle







  • These old bricks don’t get microcode updates for the CPU which means you will be vulnerable to many Spectre and Meltdown attacks. QubesOS can mitigate it to some degree such as by disabling hyperthreading, but QubesOS can’t mitigate it completely, only microcode updates can and these old bricks don’t receive them.

    as I know linux is capable of loading its own, updated cpu microcode at boot time. I’m not sure if it’s being done by default, but this article probably means that it isn’t

    but the main thing is that built-in microcode version is probably not that bad of a problem if you take care of it





  • But an adversary could easily use a bad usb when they have physical access to the computer and glitter nail polish doesn’t detect that. I guess that this is why nail polish isn’t sufficient on its own and why we need also either trenchboor or Heads.

    it would be interesting to know how much does usbguard protect against this. of course you also need to do something to limit booting from usb, but how effective is usbguard in practice?
    what is the risk of sticks that tries to compromise the machine through kernel driver vulnerabilities?
    is it possible that it compromises some other firmware on the machine (like the EC in laptops)?
    or that it takes advantage of some hardware design failure?


    Personally I’ve only heard about Heads so far, but I think this is an interesting topic. Could you give us a short explanation about why is SRTM not enough, and what is a better way?







  • its still better in a sense. usb storage devices all have an internal “mini computer” that run their own code and have access to the USB bus of the connected computer, with the ability to even present themselves as a keyboard, a network adapter or a lot of other things. that’s not a good idea to plug in to the hospital computer after it was given to the patient, and it is also not the best idea to just plug these in at home.

    optical media on the other hand does not store code that is executed by the drive.

    the problem is that pendrives have a firmware, and too much capabilities, even when not accounting for errors in hardware and code that participates in making it work. some of them (maybe most?) is even writable with the right tools, and the computer’s user doesn’t even need to know that it’s happening.
    the most famous web browser that allows any website access to your USB devices with just 1 or 2 clicks makes this even worse.