CPU firmware is likely the worst type of compromise (see Intel ME). However, the issue is that private information can be gained by listening in on conversations near a laptop or by recording what the camera sees.
Keylogging isn't good either, but if you're using a password manager and/or 2FA then it's not really as big of an issue. It is an issue for your disk encryption passphrase, but I'm hoping that in the future we might be able to remedy that through some 2FA-like system[1]. If we seal disk encryption keys inside TPMs then we have to only come up with a sane security policy (which is obviously the hard part).
Disk controllers are similarly not an issue if you have full-disk encryption (though then your RAM is the weak point because it contains the keys). There was some work in the past about encrypted RAM but I doubt that is going to be a reality soon. The real concern is that a worrying array of devices plugged into your laptop can DMA your memory (USB 3.1, PCI, etc). iommu improves this slightly but from memory there is still some kernel work necessary to make the order in which devices load secure (if you load a device that supports DMA before iommu is loaded then you don't have iommu defences).
> CPU firmware is likely the worst type of compromise (see Intel ME).
I see it, and I see the AMD and ARM equivalents, and I'm sitting here wondering how the hell do I buy a decent laptop without that crippling trust hole. AFAICT, one cannot.
I'm willing to pay more for processors that aren't thus afflicted. Is anyone at AMD, Intel et al listening?
I believe so too. OpenPOWER and RISC-V show great promise but I am not aware of any significant tape-outs for either (and not to mention you have to have consumer motherboards et al that are compatible with the chipset).
The nice thing about OpenPOWER is that there are many distributions (openSUSE is one that I know for sure) that provide some support for ppc64le and thus the transition shouldn't be too painful from a port-the-distro perspective. RISC-V also will have similar support once it's merged into the mainline kernel and also once distributions have significant confidence to spin up some QEMU build images for RISC-V.
> I'm willing to pay more for processors that aren't thus afflicted. Is anyone at AMD, Intel et al listening?
I am inclined to believe that the reason is economic rather than them just being evil (that doesn't mean that it's not a horrible misfeature that mistreats users, I just don't think that the inclusion of ME on consumer hardware was an intentional decision). Intel ME is "required" for enterprises because sysadmins want to be able to control all of the machines they provide their employees (you can have varied opinions on whether that's ethically acceptable, but that's the reason).
Given that consumer hardware generally comes from the enterprise world after it has dropped in value, I would not be surprised if Intel ME was left in consumer CPUs simply because it was cheaper than removing it. There's also the (weaker) argument that an enterprise should be able to use Intel ME on a BYO-device system, but that strikes me as unethical.
You might be willing to pay extra for Intel ME-less CPUs, but have you seen what the bill is for a full tape-out? There needs to be significant market demand for something like that.
> but even a sysadmin at a fortune 500 company is in the dark about all that this second cpu can and can't do.
The sysadmin might not know how it works, but they do know they can control machines remotely using their Intel branded management system (or other rebranded variety). Just because they don't know how bad it is doesn't mean that's not the motivation for it.
IPMI is a similar deal. Modern servers have a secondary computer embedded in the motherboard (which have been historically _very_ insecure) because it's useful for managing servers. Intel AMT is the work-laptop version of that technology, and you can bet that most enterprises use it.
> if it was economical they would offer you to pay more for full control for it.
But they do. The entire reason why enterprise deployments of large numbers of work laptops/desktops is so expensive is because you have to pay extra for the management system that comes with it. Just because they don't remove the "backdoor" in their consumer lines doesn't mean they won't charge you through the nose to be able to administer the damn thing.
I am very anti-ME and wish that all firmware was free software, but arguing that the reason why ME is present in consumer CPUs is not for economic reasons doesn't sound right to me. The reason why the technology was developed is because the developers were not aware how unethical their actions were, and that's where the core of this problem lies.
I was referring to TOTP. Some 2FA doesn't protect against this, sure. But the whole point of TOTP is that the codes change over time, so having the current TOTP token is entirely useless. This is literally the threat model of TOTP. The only way of breaking it is to get the shared key (which a keylogger won't do, and you need to attack the TOTP device).
Most services I use have 30 second TOTP codes, but if you're facing an attacker that can perform an on-demand replay attack in the same time it takes for GMail to load then you have much bigger problems (like hijacking browser sessions). Also, my response was in relation to saying that there was "no security improvement" which is simply not true.
I'm not sure we're discussing the same threat model here. If you're worried about long-term compromise then that race window is a much smaller concern than the fact that having a TOTP code makes it so that an attacker can't just keylog you and get the password at a later time.
Agreeing on threat models is the first step in any discussion about security. Does your threat model include being so badly owned that a keylogger on your machine can exfiltrate data so quickly that someone can replay your login session? Is that a reasonable threat model? Is it helpful to require that to be solved or otherwise not be considered good enough?
Keylogging isn't good either, but if you're using a password manager and/or 2FA then it's not really as big of an issue. It is an issue for your disk encryption passphrase, but I'm hoping that in the future we might be able to remedy that through some 2FA-like system[1]. If we seal disk encryption keys inside TPMs then we have to only come up with a sane security policy (which is obviously the hard part).
Disk controllers are similarly not an issue if you have full-disk encryption (though then your RAM is the weak point because it contains the keys). There was some work in the past about encrypted RAM but I doubt that is going to be a reality soon. The real concern is that a worrying array of devices plugged into your laptop can DMA your memory (USB 3.1, PCI, etc). iommu improves this slightly but from memory there is still some kernel work necessary to make the order in which devices load secure (if you load a device that supports DMA before iommu is loaded then you don't have iommu defences).
[1]: https://www.youtube.com/watch?v=ykG8TGZcfT8 "Beyond Anti-Evil Maid"