I've thought of a way to disable remote access by Intel ME and AMD PSP.

  • Registration closed, comedy forum, Internet drama, Sneed, etc.

Yun

kiwifarms.net
Joined
Dec 1, 2021
Intelligence agencies are the biggest liars. Don't believe them when they say there is no backdoor in CPUs.
I assume they have had some sort of remote access to billions of computer devices for years, and their AIs analyze people's data constantly.

Hardware backdoors need straightforward access to the clearnet in order to leak information to intelligence agencies.

Thus, in theory, blocking straightforward access to the clearnet is sufficient to block remote access by Intel ME and AMD PSP.

To defeat firewall network address translation, hardware backdoors need to contact servers over the internet.

By installing a general-purpose linux distribution on a router single board computer such as NanoPi R4S and making it route to the internet only via the router's internal VPN,
you can prevent computers behind the router from giving hardware backdoors straightforward access to the internet.

You can configure computers behind the routers to access the internet via the router's internal VPN.

You can run OpenVPN, but I think yggdrasil or wireguard is better because I don't want to update OpenVPN certificates regularly.

One problem is that even ARM single board computers come with proprietary blobs. Even if you assume that intelligence agencies have remote access to your ARM router, they may not be able to access computers behind the router because the hardware backdoors behind the router can't access the internet.
 

Yun

kiwifarms.net
Joined
Dec 1, 2021
I don't know what is going on over at the AMD side but not using the built in NIC seems to stump IME.
Did you actually sniff packets? I guess hardware backdoors in CPU and some NICs could cooperate.
Some NICs can have their own hardware backdoors although they wouldn't necessarily have access to computer RAM.
 
Last edited:

byuu

Non-binary they/them
kiwifarms.net
Joined
Aug 17, 2018
You should look at the crazy hardware the NSA has in its ANT catalogue:
download.jpeg
 

Yun

kiwifarms.net
Joined
Dec 1, 2021
@byuu What's the solution to USB implant? I'm here to find solutions. A faraday cage to block RF signals?
I read that cryptocurrency exchanges store their offline computers in large faraday cages to block RF signals.
I think that specific USB implant doesn't have access to computer RAM.

Also, if there is electromagnetic radiation from wireless implants, I can detect it with an EMF meter. I have EMF meters in my house.
I also have a broadband radio that can catch any RF signal between 100khz and 30mhz.
I just need to know the frequency range in which wireless implants operate.

I keep my smartphone off for most of the time, and there is no WiFi or bluetooth in my room. Thus, it's relatively straightforward to detect any unintended electromagnetic radiation in my room.
 
Last edited:

byuu

Non-binary they/them
kiwifarms.net
Joined
Aug 17, 2018
What's the solution to USB implant? I'm here to find solutions. A faraday cage to block RF signals?
Technically, couldn't it use the USB cable as an antenna to escape a faraday around the pc itself?
You'd probably want to cover all your walls and windows with tinfoil.

Also, keep in mind this is just the ten year old technology - who knows what they have now.
 

Yun

kiwifarms.net
Joined
Dec 1, 2021
Technically, couldn't it use the USB cable as an antenna to escape a faraday around the pc itself?
You'd probably want to cover all your walls and windows with tinfoil.
Tinfoil is not good for interior design. Nowadays, people sell EMF-blocking wallpapers and EMF-blocking window films.
But, you can detect RF signals with EMF meters and radios.
Tecsun PL-600 radio catches EMF between 100khz and 30mhz.
TriField TF2 measures EMF between 30mhz and 2.4Ghz
Safe and Sound Classic 2 measures EMF between 200mhz and 8Ghz.
With these 3 equipments, you can catch EMF between 100khz and 8Ghz. It's very likely that any wireless equipment uses frequencies between 100khz and 8Ghz.

I try to make sure my room has as least amount of EMF as possible.
 
Last edited:

byuu

Non-binary they/them
kiwifarms.net
Joined
Aug 17, 2018
Tinfoil is not good for interior design. Nowadays, people sell EMF-blocking wallpapers and EMF-blocking window films.
But, you can detect RF signals with EMF meters and radios.
Tecsun PL-600 radio catches EMF between 100khz and 30mhz.
TriField TF2 measures EMF between 30mhz and 2.4Ghz
Safe and Sound Classic 2 measures EMF between 200mhz and 8Ghz.
With these 3 equipments, you can catch EMF between 100khz and 8Ghz.

I try to make sure my room has as least amount of EMF as posssible.
There are stenography methods to make the radio signals very hard to distinguish from noise.

Oh, and you could modify the PSU as well to send data to a receiver outside through mains like Powerline adapters do.
Better run the pc on a generator.
 

Yun

kiwifarms.net
Joined
Dec 1, 2021
Wireless implant is less of a concern because its range is limited, and I can detect it with EMF meters.

The real issue is to prevent CPU backdoors from accessing the internet.

Once you prevent CPU backdoors from accessing the internet, you can then worry about wireless implants and powerline ethernet.

Can a PCIe/USB NIC prevent CPU backdoor from accessing the internet? PCIe/USB NICs can have their own backdoors, though.

I don't think a powerline ethernet adaptor in a PSU is useful because a PSU doesn't establish data connections to computer components.
 
Last edited:

AmpleApricots

kiwifarms.net
Joined
Jan 28, 2018
Check out the video by that one guy that found an undocumented function in some ancient VIA processor (google search terms: "VIA C3 god mode") that allowed to completely bypass any ring security model of the OS and instantly give you full privileged access to everything no matter from where it was ran from. And that was just some random old computer he picked off the shelf. Modern computers are complicated black boxes you only interact with from the outside. You have absolutely no idea what's going on inside. There's no way to ever know, especially when such functionally is hidden with full intent and not just a random oversight and BIOS programmers taking the CTRL+C/CTRL+V approach like in that VIA chip from 2003. Thinking you can somehow make such a setup "safe" against every *possible* threat is just jerking off and wasting time.
 

Yun

kiwifarms.net
Joined
Dec 1, 2021
Thinking you can somehow make such a setup "safe" against every *possible* threat is just jerking off and wasting time
I didn't claim that I neutralized all threats, but doing nothing is worse. I can do some things to at least neutralize remote access by CPU backdoors.
Without remote access, intelligence agencies can't just monitor my computers.

VIA C3 god mode requires a compromised software. I install softwares from linux distribution package repositories, and I also maintain my own software repository.

We will have to neutralize threats one by one. If we do nothing, we are screwed anyway.

We need balanced defense. If we spend too much time on defense, we forget to make progress. But, if we spent no time on defense, we would be completely defenseless.

I'm pursuing balanced defense.
 
Last edited:

Yun

kiwifarms.net
Joined
Dec 1, 2021
I don't know how to utilize CPU backdoors. But, I think I can neutralize remote access without spending too much time.

I can either attach a USB network interface or force my router to give internet access only through its internal VPN.
Router internal VPN looks like a surefire way to neutralize CPU backdoor remote access.
A USB network interface is easy, but a USB network interface may have its own backdoor which may potentially co-operate with CPU backdoors.

If intelligence agencies have no access to CPU backdoors, CPU backdoors can't do anything because CPU backdoors are not advanced general-purpose artificial intelligence that can conduct things on its own.

The real long-term solution is open-source CPU, but I don't know how to make a CPU, let alone a reasonably fast CPU. I don't know how to produce a lot of CPUs cheaply.
 
Last edited:

Yun

kiwifarms.net
Joined
Dec 1, 2021
I think there are ways to restrict root power with mandatory access control mechanisms such as AppArmor and SELinux.
If you run any large software, consider running it with AppArmor or SELinux.
I already run many softwares inside firejail sandbox. Firejail is substantially better than nothing. If I add AppArmor or SELinux on top of firejail, things can be reasonably secure...
 

annoyingfuck

kiwifarms.net
Joined
Jul 2, 2019
I think there are ways to restrict root power with mandatory access control mechanisms such as AppArmor and SELinux.
If you run any large software, consider running it with AppArmor or SELinux.
I already run many softwares inside firejail sandbox. Firejail is substantially better than nothing. If I add AppArmor or SELinux on top of firejail, things can be reasonably secure...
I've been using firejail, I'm swapping it out for bubblewrap, something about tor going to it.
 

Yun

kiwifarms.net
Joined
Dec 1, 2021
I've been using firejail, I'm swapping it out for bubblewrap, something about tor going to it.
bubblewrap doesn't have profiles, and it can't filter dbus. bubblewrap isn't a replacement for firejail.
Something built on top of bubblewrap can have firejail's functionalities and compete with firejail.