social.stefan-muenz.de

Items tagged with: server

Server Maintenance


#nota404mn will be down for 75 minutes while I take a backup and install much needed updates. Starting in 2 minutes. #podmin #server #maintenance #updates #backup
 

I'm having a little 'technical' #problem while #adding #users to a @group on a #Lubuntu #server.
Here's the puzzling thing (to me):
mc@Lubuntu1:~$ groups 
mc adm cdrom sudo dip plugdev lpadmin sambashare shared 
mc@Lubuntu1:~$ groups mc 
mc :  mc adm cdrom sudo dip plugdev lpadmin sambashare shared common

See the difference?
I cannot understand why the group "common" does not appear with the first command.
Perhaps someone more experienced than me with linux/ubuntu knows why this is happening?
Thanks in advance for any help.
 

Privacy: Duckduckgo browser leaks visited domains - Golem.de


A service for finding favicons causes Duckduckgo's browser to have a privacy problem.
#Datenschutz #Android #App #Browser #Datensicherheit #Suchmaschine #Server #Internet #Security
 

Datenschutz: Duckduckgo-Browser leakt besuchte Domains - Golem.de


Ein Service zum Finden von Favicons sorgt dafür, dass der Browser von Duckduckgo ein Datenschutzproblem hat.
Datenschutz: Duckduckgo-Browser leakt besuchte Domains - Golem.de
#Datenschutz #Android #App #Browser #Datensicherheit #Suchmaschine #Server #Internet #Security
 

Datenschutz: Duckduckgo-Browser leakt besuchte Domains - Golem.de


Ein Service zum Finden von Favicons sorgt dafür, dass der Browser von Duckduckgo ein Datenschutzproblem hat.
Datenschutz: Duckduckgo-Browser leakt besuchte Domains - Golem.de
#Datenschutz #Android #App #Browser #Datensicherheit #Suchmaschine #Server #Internet #Security
 
Bild/Foto

Android OpenPush

Introducing a Free, Decentralized Push Messaging Framework for Android


The OpenPush project aims to create a free and open source self-hosted replacement for Android Push Notifications usually sent through Google's proprietary Firebase Cloud Messaging platform. This started as a PrototypeFund project. Development is still ongoing.

Concept

The green components (PushClient and PushServer) in this high-level overview are part of this project. The red components are different apps and their corresponding webservices using the push functionality.

Benefits
  • Free Software. FCM is a proprietary service and the Firebase client libs are closed source. This makes projects including fcm libraries effectively non-free software which i.e. cannot be added to the FOSS F-Droid appstore.
  • Self-hosted. When self-hosting an open source project, there's no dependency on an external service anymore.
  • User is in control. A smartphone user can choose a pushserver instance, possibly self-hosted or hosted by a trusted entity. This instance's url is communicated to the webservice together with the app token to the push-notification producer. Push-notifications will only be sent to this server.
MORE:
https://bubu1.eu/openpush/

LINKS:
- https://gitlab.com/Bubu/pushserver
- https://gitlab.com/Bubu/pushclient
Push messages are an essential part of connected mobile devices. They are also one of the critical missing pieces in the open source Android ecosystem. Until now, free Android apps would either need to implement their own push notification system, do without any push messaging or use the proprietary Google Cloud Messaging service. In this talk I will introduce OpenPush, a free and open source, self-hosted and decentralized replacement for Google Cloud Messaging.

We expect both a long battery life and instant notifications from our mobile devices. When implementing your own mobile push functionality you can usually optimize for either of these goals. This is especially true if the user is running multiple applications which each come with their own persistent on-going connection for push notifications. Wanting to combat the battery drain associated with maintaining multiple connections Google introduced the Google Cloud Messaging (GCM) framework which recently has become Firebase Cloud Messaging (FCM). Firebase Cloud Messaging relies on the availability of the proprietary Google Play Services Framework on an Android device. Using FCM also requires the inclusion of the proprietary FCM client library into open source Android apps like Signal, Wire or even Firefox, which makes them effectively non-free software which cannot be distributed via the fully free F-Droid software repository. Additionally all push notifications delivered via FCM need to pass through Google's servers leaving a metadata trace, even if it's an empty wakeup event or if the content of the message is encrypted.

Decentralized, self-hosted systems like Matrix, Nextcloud or RocketChat currently still have a dependency on Google's infrastructure and Terms of Service for delivering push Notifications.

In this talk I'll present a self-hosted, free alternative push messaging implementation which can either run alongside or as a replacement to FCM. The talk will give a general architecture overview as well as walk through the design and implementation challenges of a push messaging service.

Further I'll present how OpenPush can be used by different projects and discuss some additional ideas on how the wider ecosystem could look like in the future.
MORE:
https://fosdem.org/2020/schedule/event/dip_openpush/

VIDEO:
https://video.fosdem.org/2020/UA2.220/dip_openpush.webm

#android #droid #f-droid #push #client #server #api #source #code #matrix #nextcloud #smartphone #internet #web #www #decentralized #google #messaging #cloud #ecosystem #free #foss #mobile #news #fosdem #network #framework
 
Once #Android has been reprogrammed to use a local #server for its #connectivity check, one can get a fascinating and counter-intuitive display:
Despite being fully connected by cell network, the status bar indicates a failed #internet connection, while, when connected to local #WiFi, the status is a fully operational connection, despite the uplink being actually down.

That's what happens when a major fiber is cut by subway construction work...
 

Server move

I think it's slowly time for me to move to a new #Server. The old #Uberspace6 hosts will be shut down at the end of the year, and there is also the matter of the separate database server. My Friendica instance has also been complaining for a while that a database update failed, and converting to the Barracuda database format unfortunately doesn't work either.

Besides, the option to book more than 10GB of space is supposed to come to the new #Uberspace7. I'm going to put together a checklist of everything I need to think of; this will be exciting. If anyone has experience with (successfully) moving their #Friendica instance to another server, let me hear it. ;-)
I'm thinking about switching from #Apache to #Nginx.
For testing, I'm looking for a #Howto for an #Ubuntu #Server 20.04 incl. #MariaDB and a current #PHP.
Do you have tips or pointers on what an Apache user needs to keep in mind?
Let's see, maybe I'll get #Friendica running with this setup?
#Followerpower
 

Privacy-friendly cloud storage services compared


I have updated the content of my earlier article "Privacy-friendly cloud storage services compared" from December 2019 at Digitalcourage and published it again on "The Digital Native". If you haven't read it yet or would like to be brought up to date, I can only warmly recommend it!

To the article

#Digitalcourage #Cloud #Datenschutz #EFF #OpenSource #Nextcloud #Owncloud #OwnCube #Seafile #Server #Admin
 

Datenschutzfreundliche Cloudspeicherdienste im Vergleichstest


Ich habe meinen ehemaligen Artikel "Datenschutzfreundliche Cloudspeicherdienste im Vergleichstest" aus Dezember 2019 von Digitalcourage inhaltlich aktualisiert und noch mal auf "The Digital Native" publiziert. Wer ihn noch nicht gelesen hat oder mal auf den aktuellen Stand gebracht werde möchte, dem kann ich ihn nur ans Herz legen!

Zum Artikel

#Digitalcourage #Cloud #Datenschutz #EFF #OpenSource #Nextcloud #Owncloud #OwnCube #Seafile #Server #Admin
Datenschutzfreundliche Cloudspeicherdienste im Vergleichstest
 
Bild/Foto

"UBUNTU SERVER: How to make a fanny fart?" or CVE-2020-11932

It's easy! Just try to install the fresh version and make a LUKS-encrypted partition.

Your passphrase (clear text) will be here:

/var/log/installer 

autoinstall-user-data 
curtin-install-cfg.yaml 
curtin-install.log 
installer-journal.txt 
subiquity-curtin-install.conf

Special thanks to #subiquity installer & personally to Mark! :)


MORE FUN AND BLACK-SEX:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11932
https://bugs.launchpad.net/ubuntu/%2Bsource/subiquity/%2Bbug/1878115

Logged luks passwords


Bug #1878115 reported by Seth Arnold on 2020-05-12
#canonical #ubuntu #ubuntu-server #server #luks #security #cve #crypto #encryption #sex #girl #news #photo #subiquity #launchpad #passphrase #Mark #Shuttleworth #bug #installer #iso #rms #stallman

P.S. "Ubuntu Spyware: What to Do?" By Richard Stallman

 
Thanks to @jr there is some nice new information for the #Jitsi #Server #Liste!

Where possible, the Jitsi version is now shown as well, and there are two nice new emojis 🔐 🔍

https://fediverse.blog/~/DonsBlog/videochat-server
 
Suppose I want to power my home server largely via solar.

What's the best way to go about it?

There would be enough roof area facing SE and facing NW.

Do you feed the power directly into the server, or feed it into the grid?

What kind of costs should one expect? Panels, batteries, converters, ... no idea what all you need for that...

Maybe there are tinkerers among you who can give me a rough overview.

#solar #photovoltaik #server #basteln

1/?
 
Several servers were hacked via severe security vulnerabilities in the server management tool Saltstack. #Sicherheitslücke #Datensicherheit #Hacker #LineageOS #Server #Internet #Security
 
#Jitsi #Video #Server #Liste

Once again there are a few new instances for you.

meet.stuvus.uni-stuttgart.de
meet.hackerspace-bremen.de
meet.blankenberg.eu
meet.hostpoint.ch
meet.cyon.tools
hosttech.chat

https://fediverse.blog/~/DonsBlog/videochat-server

https://blog.ggc-project.de/~/DonsBlog/videochat-server
 
Today I deleted a few instances from the #Jitsi #Server #Liste that had been unreachable for some time.

conconf.org
jitsi.parinux.org
de-fsn-2.jitsi.rocks
de-nue-1.jitsi.rocks
de-nue-2.jitsi.rocks
de-wob-1.jitsi.rocks
jitsi.minzord.eu.org
jitsi.silentt.fr
jitsi.cc
meet.jitsi.xyz
jitsi.parinux.org

https://fediverse.blog/~/DonsBlog/videochat-server

Backup of the list
https://blog.ggc-project.de/~/DonsBlog/videochat-server

The list as text
https://codeberg.org/favstarmafia/Jitsi_Server_Liste
 
I have just added the following 20 instances to the list:
avecvous.linagora.com
dorlanjitsi.ddns.net
jitsi.arvidortwig.de
jitsi.eichstaett.social
jitsi.hbs.ac
jitsi.laas.fr
konferenz.buehl.digital
meet-13.immerda.ch
meet-6.immerda.ch
meet-7.immerda.ch
meet.greenmini.host
meet.in-berlin.de
meet.infomaniak.com
meet.jotbe.io
meet.nerd.re
meet.petermueller.me
meet.speakup.nl
meet.tellifon.ch
meet.ustavimokorono.si

https://fediverse.blog/~/DonsBlog/videochat-server

#Jitsi #Server #Liste
 

Telekom: T-Systems no longer builds connectors for the electronic health card - Golem.de


Retreat or change of strategy? Hardware connectors of its own will no longer come from T-Systems.
#T-Systems #Datenschutz #Datensicherheit #Gesundheitskarte #Telematik #Server #Internet #Security
 

Telekom: T-Systems baut keine Konnektoren für E-Gesundheitskarte mehr - Golem.de


Rückzug oder Strategiewechsel? Eigene Konnektoren aus Hardware kommen nicht mehr von T-Systems.
Telekom: T-Systems baut keine Konnektoren für E-Gesundheitskarte mehr - Golem.de
#T-Systems #Datenschutz #Datensicherheit #Gesundheitskarte #Telematik #Server #Internet #Security
 
You just want to quickly test something and still have some older #Server #Hardware at hand for it. Eagerly fired up the current installation of #CentOS 8 and what happens? No #RAID controller found. :-(

Installed is a DELL Perc 6/i, which served well for years with SLES. And #Fedora 31 has no problems detecting and installing it either.

Apparently #RedHat told itself that paying customers no longer use such old hardware and simply threw out the drivers.

But the route via the driver update disks (DUD) worked with a little patience and elbow grease. The system is now installed.

It may be that older hardware doesn't fit RedHat's clientele, but a little more environmental awareness would suit this company well too. After all, a lot of energy went into manufacturing these servers.

#Umwelt

https://elrepoproject.blogspot.com/2019/08/rhel-80-and-support-for-removed-adapters.html

Phase 1 Complete


Anything from this point on will not be saved. Should be back up by 1600 UTC ~2hours to complete. Schedule post.

#upgrade #podmin #server #nota404mn
 

Dave Temkin auf Twitter: "I’m in the Chicago suburbs today with the @WeAreNetflix Open Connect Business Operations team touring our new OCA (Open Connect Appliance) shipping, assembly and fill site. It’s where we pre-load Netflix content on our servers before shipping them to ISPs around the world. https://t.co/h8g9sjWavk" / Twitter

Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway.
- Andrew S. Tanenbaum
#netflix #appliance #server #hardware

https://twitter.com/dtemkin/status/1232782308878553090
 
And once again I'm faced with the question of whether to move my #server...
Can anyone recommend relatively inexpensive virtual or root servers with a large disk (1TB if possible) and a halfway decent processor? Mine at Online.net has plenty of space, but the CPU struggles with #nextcloud ... 😢
#pleaseboost
 
ok .. tried out following setup:
* Thumbor Image processor
* Minio backend for storing images
* #Redis caching #server

wtf ... it's just fucking awesome. Let's take this image: https://images.mws.bka.li/RIFk8CMuG4CbQwwfLqGd4CGWL0A=/fit-in/x695/teleyal/Greybleb.png
I upload the original #image into the #Minio bucket via @nextcloud , set "fitIn" to the size I want and #Thumbor does the rest, including caching via Redis
 
"Switching to digital processes" is easily said, but in many companies it is a complex undertaking. Many employees and bosses love their analog working methods and #Digitalisierung #Bundesregierung #Bundeswehr #ElonMusk #Head-MountedDisplay #Innovation #PC #Vorgelesen #Kodak #Server
 

#howto install and use #openssh / #sftp #server on #Android #mobile with #termux


Install Termux:
Termux (Terminal emulator with packages) - https://f-droid.org/app/com.termux

pkg install openssh

(Set new user password)
passwd

(Check username)
whoami

(Start)
sshd

(Check server port - default: 8022)
netstat -tlnp

(Check IP)
ifconfig

(Connect SSH)
ssh user@ip -p 8022

(Connect SFTP)
sftp -oPort=8022 user@ip

P.S.: Can be used with keys too.

#GNU #Linux
 
Is there actually anything better in terms of price and performance than #Hetzner for a #Server?
 
Okay, my Mastodon ZFS is doing some kind of txg_sync things 🤔

Keeping an eye on it.

#zfs #server
 

Chat: Mozilla switches from IRC to Matrix and Riot - Golem.de


The Firefox makers at Mozilla will in future use the free chat platform Matrix and the Riot clients instead of IRC. The team had, for more than half a year, been after an alternative
#Mozilla #Barrierefreiheit #IRC #InstantMessenger #Matrix #Rust #Server #Internet #OpenSource
 

Chat: Mozilla wechselt von IRC auf Matrix und Riot - Golem.de


Die Firefox-Hersteller von Mozilla nutzen künftig die freie Chat-Plattform Matrix und die Riot-Clients statt IRC. Das Team hatte mehr als ein halbes Jahr nach einer Alternative
Chat: Mozilla wechselt von IRC auf Matrix und Riot - Golem.de
#Mozilla #Barrierefreiheit #IRC #InstantMessenger #Matrix #Rust #Server #Internet #OpenSource
 
In a software product for medical practices, the update process was carried out unprotected over an rsync connection. As for reporting on this, the manufacturer of the software is trying to #Medizin #Datensicherheit #Man-in-the-Middle #Sicherheitslücke #Unternehmenssoftware #Server #Applikationen #Security #Wirtschaft
 

Laptop Like It’s 1979 with a 16-Core Z80 on an FPGA


#fpga #retrocomputing #client #cpm #netowrk #retro #server #turbopascal #verilog #z80 #hackaday
posted by pod_feeder_v2
 
How do you actually handle this with your servers? A small VPS for a mail server, one for cloud stuff, a third for hosting?

Or one big chunk with everything on it?

#linux #server
 
Can anyone recommend an encrypted cloud storage service in Germany:

- Transport encryption
- Files encrypted (256 bit)
- Server location Germany / Switzerland
- File sharing possible

Thanks

#Server #Cloud #Verschlüsselung #Encrypted #security
 
Does anyone know what kind of lock this is on the hard drive bay and which key fits it? #hdd #server #storage #festplatte
 

There will be #server #maintenance this evening, which will lead to #downtime.

From this evening until tomorrow morning, downtime may occur due to server maintenance (#Serverwartung) by my web host.


#diaspora #podserver #podmin #diaspod
 

There will be #server #maintenance this evening, which will lead to #downtime.

Von heute Abend auf morgen früh kann es aufgrund einer #Serverwartung meines Webhosters zu Ausfallzeiten kommen.


#diaspora #podserver #podmin #diaspod
 

There will be #server #maintenance this evening, which will lead to #downtime.

Von heute Abend auf morgen früh kann es aufgrund einer #Serverwartung meines Webhosters zu Ausfallzeiten kommen.


#diaspora #podserver #podmin #diaspod
 
The first draft of the guide is finished. I read over it 3 times and found no more errors. If you find errors, please just report them and I will correct them.

Installing a #Matrix #Synapse #Server on a #Raspberry Pi4B 4GB

https://fediverse.blog/~/FossMessenger/matrix-synapse-server-auf-einem-raspberry-pi4-b-4gb-installieren
 

Avoid Intel and AMD Universal Backdoors


Only use computers certified to Respect Your Freedom (RYF)

The #Intel #Management #Engine is present on all Intel #desktop, #mobile ( #laptop ), and #server #systems since mid 2006. It consists of an #ARC #processor core (replaced with other processor cores in later generations of the ME), #code and #data #caches, a #timer, and a secure #internal #bus to which additional #devices are connected, including a #cryptography engine, internal #ROM and #RAM, #memory #controllers, and a direct memory access ( #DMA ) engine to access the host operating system’s memory as well as to reserve a region of protected external memory to supplement the ME’s limited internal RAM. The ME also has #network access with its own #MAC #address through an Intel #Gigabit #Ethernet #Controller. Its #boot program, stored on the internal ROM, loads a #firmware “manifest” from the PC’s SPI #flash #chip. This manifest is signed with a strong #cryptographic #key, which differs between versions of the ME firmware. If the manifest isn’t signed by a specific Intel key, the boot ROM won’t load and execute the firmware and the ME processor core will be halted.

The Active Management Technology ( #AMT ) application, part of the Intel “vPro” brand, is a #Web server and application code that enables #remote #users to #power on, power off, view information about, and otherwise manage the #PC. It can be used remotely even while the PC is powered off ( via #Wake-on-Lan ). Traffic is encrypted using #SSL / #TLS libraries, but recall that all of the major SSL/TLS implementations have had highly publicized vulnerabilities. The AMT application itself has known #vulnerabilities, which have been #exploited to develop #rootkits and #keyloggers and #covertly gain #encrypted #access to the management features of a PC. Remember that the ME has full access to the PC’s RAM. This means that an #attacker exploiting any of these vulnerabilities may gain access to everything on the PC as it runs: all open #files, all running #applications, all #keys pressed, and more.

ME firmware versions 4.0 and later (Intel 4 Series and later chipsets) include an ME application for audio and video DRM called “Protected Audio Video Path” (PAVP). The ME receives from the #host operating system an encrypted #media #stream and encrypted key, decrypts the key, and sends the encrypted media decrypted key to the #GPU, which then #decrypts the media. PAVP is also used by another ME application to draw an #authentication PIN pad directly onto the screen. In this usage, the PAVP application directly controls the graphics that appear on the PC’s screen in a way that the host #OS cannot detect. ME firmware version 7.0 on PCHs with 2nd Generation Intel Core #i3 / #i5 / #i7 (Sandy Bridge) CPUs replaces PAVP with a similar DRM application called “Intel Insider”. Like the AMT application, these DRM applications, which in themselves are defective by design, demonstrate the #omnipotent #capabilities of the ME: this #hardware and its proprietary firmware can access and #control everything that is in RAM and even everything that is shown on the #screen.

The Intel Management Engine with its #proprietary firmware has complete access to and control over the PC: it can power on or shut down the PC, read all open files, examine all running applications, track all keys pressed and #mouse movements, and even #capture or #display #images on the screen. And it has a network interface that is demonstrably #insecure, which can allow an attacker on the network to #inject #rootkits that completely compromise the PC and can report to the attacker all activities performed on the PC. It is a #threat to #freedom, #security, and #privacy that can’t be ignored.

Before version 6.0 (that is, on systems from 2008/2009 and earlier), the ME can be disabled by setting a couple of values in the SPI flash memory. The ME firmware can then be #removed entirely from the flash memory space. Libreboot does this on the Intel 4 Series systems that it supports, such as the Libreboot X200 and Libreboot T400. ME firmware versions 6.0 and later, which are found on all systems with an Intel #Core i3/i5/i7 CPU and a PCH, include “ME Ignition” firmware that performs some hardware #initialization and power management. If the ME’s boot ROM does not find in the SPI flash memory an ME firmware manifest with a valid Intel signature, the whole PC will shut down after 30 minutes.

Due to the signature verification, developing free #replacement firmware for the ME is basically impossible. The only entity capable of replacing the ME firmware is Intel. As previously stated, the ME firmware includes proprietary code licensed from third parties, so Intel couldn’t release the source code even if they wanted to. And even if they developed completely new ME firmware without third-party proprietary code and released its source code, the ME’s boot ROM would reject any modified firmware that isn’t signed by Intel. Thus, the ME firmware is both hopelessly proprietary and #tivoized.

For years, #coreboot has been #struggling against Intel. Intel has been shown to be extremely uncooperative in general. Many coreboot #developers, and #companies, have tried to get Intel to #cooperate; namely, releasing source code for the firmware components. Even #Google, which sells millions of #Chromebooks (coreboot preinstalled) have been #unable to #persuade them.

Even when Intel does cooperate, they still don’t provide source code. They might provide limited #information (datasheets) under #strict #corporate #NDA ( #non-disclosure #agreement ), but even that is not guaranteed. Even ODMs and IBVs can’t get source code from Intel, in most cases (they will just integrate the blobs that Intel provides).

In summary, the Intel #Management #Engine and its applications are a #backdoor with #total access to and control over the rest of the PC. The ME is a threat to freedom, security, and privacy, and the Libreboot project strongly recommends avoiding it entirely. Since recent versions of it can’t be removed, this means avoiding all #recent #generations of Intel hardware.

Recent Intel graphics chipsets also require firmware blobs


Intel is only going to get #worse when it comes to user freedom. Libreboot has no support for recent Intel platforms, precisely because of the problems described above. The only way to solve this is to get Intel to #change their #policies and to be more #friendly to the free software #community. Reverse engineering won’t solve anything long-term, unfortunately, but we need to keep doing it anyway. Moving forward, Intel hardware is a non-option unless a #radical change happens within Intel.

Basically, all Intel hardware from year 2010 and beyond will never be supported by Libreboot. The Libreboot project is actively #ignoring all modern Intel hardware at this point, and focusing on #alternative platforms.

Why is the latest AMD hardware unsupported in Libreboot?


It is extremely unlikely that any post-2013 #AMD hardware will ever be supported in Libreboot, due to severe security and freedom #issues; so #severe, that the Libreboot project recommends avoiding all modern AMD hardware. If you have an AMD based system affected by the #problems described below, then you should get rid of it as soon as possible.

AMD Platform Security Processor (PSP)


This is basically AMD’s own version of the Intel Management Engine. It has all of the same basic security and freedom issues, although the #implementation is wildly different.

The Platform Security Processor (PSP) is built in on all Family 16h + systems (basically anything post-2013), and controls the main #x86 core #startup. PSP firmware is cryptographically signed with a strong key similar to the Intel ME. If the PSP firmware is not present, or if the AMD signing key is not present, the #x86 cores will not be #released from #reset, rendering the system #inoperable.

The PSP is an ARM core with TrustZone #technology, built onto the main CPU die. As such, it has the ability to #hide its own program code, scratch RAM, and any data it may have taken and stored from the lesser-privileged x86 system RAM (kernel encryption keys, #login data, #browsing #history, #keystrokes, who knows!). To make matters worse, the PSP theoretically has access to the entire system memory space (AMD either will not or cannot deny this, and it would seem to be required to allow the DRM “features” to work as intended), which means that it has at minimum MMIO-based access to the #network controllers and any other PCI/PCIe peripherals installed on the #system.

In theory any #malicious entity with access to the AMD signing key would be able to install persistent #malware that could not be eradicated without an external flasher and a known good PSP image. Furthermore, multiple security vulnerabilities have been demonstrated in AMD #firmware in the #past, and there is every #reason to assume one or more zero day vulnerabilities are lurking in the PSP firmware. Given the extreme privilege level (ring -2 or ring -3) of the PSP, said vulnerabilities would have the ability to #remotely #monitor and control any PSP enabled machine completely outside of the user’s #knowledge.

A reliable way to avoid Intel and AMD’s universal backdoors is to use computers with such spyware effectively removed or disabled like the ones certified to Respect Your Freedom (RYF).

#NSA #spyware #spy #mass #surveillance #FSF #GNU #GNULinux #RYF #technology #laptops #CPU #processor #universal #backdoor #malware #Corei3 #Corei5 #Corei7
 