Example: Intel ME, AMD PSP, and potential backdoor in the “Baseband Processor” in phones…
Not every threat actor has access to every vulnerability. The top spies won’t share their best tools with normal cops, for example. They can’t risk their access/methods coming to light for relatively minor reasons. Consider your threat model, and do your best.
A determined burglar could find a way to climb through my window, but I still lock the front door.
Like many things, privacy is not all-or-nothing. Reducing exposure helps.
True security/privacy is impossible.
It is a compromise, and it all depends on your threat model; everything is probably “backdoored” some way or another.
However the productive thing isn’t 100% blocking these risks, it’s mitigating it. It’s not feasible to build your own processor, so for example, choose the least worse between Intel ME and AMD PSP. It’s sad that we have to live in a world where surveillance is everywhere, but this is how it is for now.
tl;dr: don’t worry too much about these, you’ll still be backdoored one way or another, what is important is making it harder for them
This. You can’t have perfect privacy/security without going hermit living in the woods off grid. You have to make your compromises and do what is best for you to protect yourself and your data as much as you’re comfortable and willing to do.
You can’t have perfect privacy/security without going hermit living in the woods off grid.
Satellites. Nowhere is safe 😞
Fair point. Even hermiting in the woods isn’t perfect.
DRAM is still susceptible to RowHammer because it’s a physics problem.
There are many methods of fingerprinting a system connected to the internet, it’s very difficult to prevent it.
Most processors that do speculative execution are vulnerable to Spectre-style exploitation, and this can’t be fully mitigated with firmware updates, only with hardware redesigns.
If you pay any attention to cybersecurity news, you learn that basically everything is vulnerable in some way, and that a fair amount of the vulnerabilities are part of larger systems beyond your control that we’re stuck with for various legacy and dependency reasons. The vulnerabilities are never going away. Every new addition to computer network technology brings new vulnerabilities with it. This is inevitable. It is a consequence of developing open systems like IP, where any idiot can buy a box of some type with a network interface and plug it into the big’ol rat’s nest and get a connection. Open means exposed.
I think it’s possible that no Turing machine can actually ever be completely secure, because by definition there is always a way to put the machine in any state, including the state where all the doors are unlocked.
So, why bother with security?
Because you want to close as many of those doors as often as possible. Because knowing that there is always an opening somewhere, your goal is to reduce the odds that it will be found and used by someone else.
Risk assessment is how you move forward. Risk assessment is how you limit the scope, so that you put your best effort where it’s most effective. Know the field, know the threats, know what network(s) you’re connected to and how and where. Know where your important data is. Protect the pieces of your digital life that present the greatest risk. Diversify and segregate systems, data storage and connections based on risk.
You know that a lock can be picked by someone with the right tools and skills. You probably still lock your front door when you leave.
It’s not about 100% prevention, it’s about limiting your risk, and taking risks where they’re worthwhile and avoiding them where they’re not.
Very well-written and informed response, thank you.
You may have already seen this, but if not
https://www.privacyguides.org/en/basics/threat-modeling/
If you wanted to use the most secure tools available, you’d have to sacrifice a lot of usability. And, even then, nothing is ever fully secure. There’s high security, but never full security. That’s why threat models are important.
A threat model is a list of the most probable threats to your security and privacy endeavors. Since it’s impossible to protect yourself against every attack(er), you should focus on the most probable threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure.
You could break it down further
- what are you trying to protect day to day
- what do you need to take extra steps for
Limit risk, airgap when needed.
RISC-V may be an answer in the future, especially the open source implementations.
Baseband processors are a more difficult subject.
I feel like RISC-V has already been ruined by vendor-specific proprietary extensions.
You just leave those bits out when making your own CPU.
Sure, but I think chances are high that “your own” will be much slower than the others.
The old world is dying, and the new one struggles to be born. Now is, indeed, the time of monsters. I urge people to cast aside the veil of humanity for a while, as they (you know who) have already done. Embrace your beastly nature, and take up arms. Resist and persist.
If it cannot break out of its shell, the chick will die without being born. We are the chick, the world is our egg. If we don’t crack the world’s shell, we will die without being born. Smash the world’s shell, for the revolution of the world!
Source: idk some anime or sth
