20 Comments
casperes1996 - Tuesday, January 19, 2016 - link
This seems like a pretty lovely move, honestly. Simple and on paper very secure.
LordanSS - Tuesday, January 19, 2016 - link
I agree. Seems interesting.
Biometrics can be a bit difficult... fingerprint scanners don't work that well if, well, you have bad fingerprints. Some people I know suffer a lot because of that.
close - Wednesday, January 20, 2016 - link
http://blog.invisiblethings.org/2015/10/27/x86_har...
Intel tends to oversell the features of their CPUs and bury the potential risks real deep. Unfortunately I can't help but come to the conclusion that security is more and more elusive when pervasive backdoors are built into the hardware.
asmian - Wednesday, January 20, 2016 - link
THANK YOU for this link. That blog also has some amazingly prescient commentary (from 2013) about the SGX secure computing extensions now added to Skylake and going forward, pointing out that with or without Intel's knowing collusion with the NSA there are serious concerns ahead when these features are in all chips whether we want them or not... even if for a small niche of applications they may be useful. Having been treated here somewhat as a tinfoil-hatter for suggesting this in the SGX article comments, and for predicting the rise of SGX-using malware that cannot be disassembled and debugged (or possibly even detected) even by the AV companies, it's good to see that I'm not the only one worried by this. I reckon I'll be sticking with Haswell-E. :(
Oxford Guy - Friday, January 22, 2016 - link
"One aspect still presents a serious security challenge on x86 platform: the boot security. Intel has introduced many competing and/or complementary technologies which are supposed to solve the problem of boot security: support for TPM and TXT, support for SMM sandboxing, finally Boot Guard and UEFI Secure Boot. Unfortunately, as we have seen in the first chapter, none of these technologies seem satisfactory, each introducing more potential problems than it might be solving.
Finally, the Intel Management Engine (ME) technology, which is now part of all Intel processors, stands out as very troublesome, as explained in one of the chapters above. Sadly, and most depressingly, there is no option for us users to opt-out from having this on our computing devices, whether we want it or not. The author considers this to be probably the biggest mistake the PC industry has gotten itself into (that she has ever witnessed)."
Oxford Guy - Friday, January 22, 2016 - link
"We have seen that Intel ME is potentially a very worrisome technology. We cannot know what’s really executing inside this co-processor, which is always on, and which has full access to our host system’s memory. Neither can we disable it."
Azix - Thursday, February 18, 2016 - link
I was having some Intel Management Engine issues on my computer recently. Is this what Intel ME is? PC would boot really slowly while it was enabled in device manager. Had some power failure issue. Had to disable it (the device listed in device manager).
ironargonaut - Thursday, January 21, 2016 - link
From the blog you linked to "(hypothetical) CPU backdoors", since when does (hypothetical) CPU backdoors = pervasive backdoors are built into the hardware?
benzosaurus - Monday, January 25, 2016 - link
Oh good, I'm not the only one who's going to link to that paper in response to this :)
ddriver - Wednesday, January 20, 2016 - link
Now if only it didn't come with a backdoor.
Biometrics are actually very insecure. If someone puts his effort into compromising your account, he could easily swipe your fingerprint and create a replica without you even knowing. The big move in the industry to support biometrics has nothing to do with security and everything to do with selling that data to the highest bidders.
ironargonaut - Thursday, January 21, 2016 - link
Cool, where is it and what is the password.
rhog - Saturday, January 30, 2016 - link
This has to be one of the silliest comments I have ever read. Please enlighten us all on how you could "easily swipe your fingerprint and create a replica". You must be reading too many Marvel comics as this comment is just nonsense.
plopke - Tuesday, January 19, 2016 - link
And still there is not even 2 step authentication for my region on:
-Amazon (unless forcing it by going through the American website)
-PayPal (Some people say you can, but like Amazon I assume it isn't worldwide or pulled after a security paper?)
-so many online ("cheap") hosting companies that sell simple password-login admin control panels.
Being the tech guy for some elder people around me the entire idea of a password is so outdated. At least the local banks/government agencies have switched to none user password and using eID/cards/token systems.
Quite funny that gaming 10 years ago made me most aware of the need of more than just a password and overall the entire removal of them and using eID/certificates/.... So many forum/WoW/Steam accounts getting hacked and indirectly making me to administrate/fix crap.
Krysto - Wednesday, January 20, 2016 - link
Just one problem: you have to trust Intel's much criticized by security experts' proprietary ME, where these credentials are stored.
BigLan - Wednesday, January 20, 2016 - link
Don't worry, I'm sure McAfee will test it and validate it!
MrSpadge - Wednesday, January 20, 2016 - link
"despite Windows 7 and Skylake having a rough start together"
Come on, AT, you can do better than this! If MS decides not to support features of new CPUs in Win 7/8, anyone else is free to do so. Many people wrote this in the comments of the original article. I'm not sure what's worse: an AT editor not being aware of this or an AT editor writing as if he wants to generate a problem where no problem is. I'm not saying this would be your intention.. but one can get that impression from the quoted sentence.
Brett Howse - Wednesday, January 20, 2016 - link
It's not just that. If you read the original article, Microsoft has the right to not patch Skylake systems if there is an issue only on Skylake. This news was targeted towards business and enterprise and there is a big difference there between something that works and something that is supported. Windows 7 has support until 2020, but not on Skylake. Just like in 2020 that doesn't mean Windows 7 will just shut down, but it's a big change in policy regardless.
benzosaurus - Wednesday, January 20, 2016 - link
Which is great and all, except that Intel's firmware ecosystem is horribly, fundamentally insecure, and frankly, the idea of it doing anything more related to security is downright terrifying: http://blog.invisiblethings.org/papers/2015/x86_ha...
I've never really understood the desire to turn over security from well understood open-source software, to black-box firmware that could be doing whatever it wants to.
beginner99 - Thursday, January 21, 2016 - link
Interesting and will take 2 decades till it trickles down to IT departments. Or how else can be explained, that we still use passwords? Our IT in fact disables the fingerprint readers on the laptops. And has other stupid practices like password change every month. And password has to have all the bells and whistles. So yeah you know what people do: post-it on screen. Give everyone a fingerprint scanner and it would be 10 times more secure. And if you then let them have a PIN + scanner like 100 times more secure.
It's with everything else in companies. They say security is important balabla then you look what they actually do: nonsense because else it would cost them something.
Azix - Thursday, February 18, 2016 - link
something you do not need a CPU to do AT all. 2 step authentication? come on