>>>>>>>>>You are right - it did not occur to me at the time. I shall consider doing so this coming weekend. Perhaps a good reason to make the move to Linux. The laptop is "beefy" enough; 8GB RAM, 2.5GHz CPU, Lenovo ThinkPad T520 model.
>>>>>>>>
>>>>>>>>There is some interesting reading if you Google [lenovo banned].
>>>>>>>
>>>>>>>Interesting but not conclusive enough. The Australian government denies it too. Lenovo does come preinstalled with various services running which call home to look for updates (BIOS, drivers, etc.). I always switch all that off. But there could of course be far deeper, pre-O/S backdoors. Who knows...
>>>>>>
>>>>>>
>>>>>>
>>>>>>Intel's vPro allows for any code injection over a network, wired or wireless. It monitors every keystroke, and using hyper-threading, injection of code to execute on the CPU is outside of any awareness by the OS or machine state.
>>>>>
>>>>>Yes, I read about this - Joanna Rutkowska - http://en.wikipedia.org/wiki/Blue_Pill_%28software%29
>>>>
>>>>That one's different using virtualization. The vPro system works without installing anything on the machine.
>>>
>>>Fascinating. But what can one do? If you can't detect it then what to do? Use old hardware, old O/S, old drivers, etc.?
>>
>>
>>I misread your reply in my last message.
>>
>>Yes, only defense: don't use it. Or mechanically disable the on-board vPro-enabled com, as by sabotaging the WiFi antenna, and use a USB-based alternative.
>
>Yes, but the truth is that for most end-users, and I include myself in that definition even though I have studied infosec quite a bit, it becomes practically impossible to detect and prevent. There can be, as Al has pointed out, low level backdoors that only real security researchers are going to discover. I have come to the opinion that there are now so many security researchers all looking to make a name for themselves that they will find the backdoors and nasty business going on. They will publish and we will get to know about it. There are enough independent "policemen" / researchers out there that it will be hard for mainstream hardware / software vendors to really get away with serious security breaches, imo.
I used to share that opinion, but now I'm not so sure. Legend has it that:
- nation-states are actively buying zero days
- in addition to in-house efforts to develop their own
Quite recently I read an article (can't find it now, of course :() The gist was a former employee of a US intelligence agency claiming that at any given time that agency had literally hundreds of zero-days for every imaginable platform. When one was disclosed and/or patched they'd scratch it off their list, but that just reduced it to 99. In the meantime their army of ultra-bright, well-funded analysts were busy finding more all the time.
So, it's becoming a contest between:
- in the red corner, software and equipment vendor security teams, and "ethical" hackers some of whom are not well funded compared to nation-states
- in the blue corner, black hats driven by the profit motive, and well-funded nation-states
The question is, who does one bet on?
Some provocative articles for those interested:
http://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html?pagewanted=all&_r=0
http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html
http://arstechnica.com/security/2013/06/nsa-gets-early-access-to-zero-day-data-from-microsoft-others/
http://www.wired.com/threatlevel/2013/06/general-keith-alexander-cyberwar/all/
Regards. Al
"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov
Neither a despot, nor a doormat, be
Every app wants to be a database app when it grows up