this post was submitted on 06 Feb 2025
39 points (89.8% liked)

Privacy

894 readers
83 users here now

Protect your privacy in the digital world

Welcome! This is a community for all those who are interested in protecting their privacy.

Rules

PS: Don't be a smartass and try to game the system, we'll know if you're breaking the rules when we see it!

  1. Be nice, civil and no bigotry/prejudice.
  2. No tankies/alt-right fascists. The former can be tolerated but the latter are banned.
  3. Stay on topic.
  4. Don't promote proprietary software.
  5. No crypto, blockchain, etc.
  6. No Xitter links. (only allowed when can't fact check any other way, use xcancel)
  7. If in doubt, read rule 1

Related communities:

founded 3 months ago
MODERATORS
fxomt@lemmy.dbzer0.com
otter@lemmy.ca
shaytan@lemmy.dbzer0.com
fxomt@piefed.social
39
I feel like all this is futile. Hardware backdoors probably exist, and if so, what's the point? (lemmy.dbzer0.com)
submitted 2 weeks ago by IDKWhatUsernametoPutHereLolol@lemmy.dbzer0.com to c/privacy@lemmy.dbzer0.com
16 comments fedilink hide all child comments
 

Example: Intel ME, AMD PSP, and potential backdoor in the "Baseband Processor" in phones...

top 16 comments
sorted by: hot top controversial new old
[–] NaibofTabr@infosec.pub 28 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

DRAM is still susceptible to RowHammer because it's a physics problem.

There are many methods of fingerprinting a system connected to the internet, it's very difficult to prevent it.

Most processors that do speculative execution are vulnerable to Spectre-style exploitation, and this can't be fully mitigated with firmware updates, only with hardware redesigns.

If you pay any attention to cybersecurity news, you learn that basically everything is vulnerable in some way, and that a fair amount of the vulnerabilities are part of larger systems beyond your control that we're stuck with for various legacy and dependency reasons. The vulnerabilities are never going away. Every new addition to computer network technology brings new vulnerabilities with it. This is inevitable. It is a consequence of developing open systems like IP, where any idiot can buy a box of some type with a network interface and plug it into the big'ol rat's nest and get a connection. Open means exposed.

I think it's possible that no Turing machine can actually ever be completely secure, because by definition there is always a way to put the machine in any state, including the state where all the doors are unlocked.

So, why bother with security?

Because you want to close as many of those doors as often as possible. Because knowing that there is always an opening somewhere, your goal is to reduce the odds that it will be found and used by someone else.

Risk assessment is how you move forward. Risk assessment is how you limit the scope, so that you put your best effort where it's most effective. Know the field, know the threats, know what network(s) you're connected to and how and where. Know where your important data is. Protect the pieces of your digital life that present the greatest risk. Diversify and segregate systems, data storage and connections based on risk.

You know that a lock can be picked by someone with the right tools and skills. You probably still lock your front door when you leave.

It's not about 100% prevention, it's about limiting your risk, and taking risks where they're worthwhile and avoiding them where they're not.

[–] refalo@programming.dev 2 points 2 weeks ago* (last edited 2 weeks ago)

Very well-written and informed response, thank you.

[–] fxomt@lemm.ee 21 points 2 weeks ago (1 children)

True security/privacy is impossible.

It is a compromise, and it all depends on your threat model; everything is probably "backdoored" some way or another.

However the productive thing isn't 100% blocking these risks, it's mitigating it. It's not feasible to build your own processor, so for example, choose the least worse between Intel ME and AMD PSP. It's sad that we have to live in a world where surveillance is everywhere, but this is how it is for now.

tl;dr: don't worry too much about these, you'll still be backdoored one way or another, what is important is making it harder for them

[–] harsh3466@lemmy.ml 4 points 2 weeks ago (1 children)

This. You can't have perfect privacy/security without going hermit living in the woods off grid. You have to make your compromises and do what is best for you to protect yourself and your data as much as you're comfortable and willing to do.

[–] fxomt@lemm.ee 4 points 2 weeks ago (1 children)

You can't have perfect privacy/security without going hermit living in the woods off grid.

Satellites. Nowhere is safe 😞

[–] harsh3466@lemmy.ml 3 points 2 weeks ago

Fair point. Even hermiting in the woods isn't perfect.

[–] mox@lemmy.sdf.org 19 points 2 weeks ago

A determined burglar could find a way to climb through my window, but I still lock the front door.

Like many things, privacy is not all-or-nothing. Reducing exposure helps.

[–] otter@lemmy.ca 16 points 2 weeks ago

You may have already seen this, but if not

https://www.privacyguides.org/en/basics/threat-modeling/

If you wanted to use the most secure tools available, you'd have to sacrifice a lot of usability. And, even then, nothing is ever fully secure. There's high security, but never full security. That's why threat models are important.

A threat model is a list of the most probable threats to your security and privacy endeavors. Since it's impossible to protect yourself against every attack(er), you should focus on the most probable threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure.

You could break it down further

  • what are you trying to protect day to day
  • what do you need to take extra steps for
[–] electric_nan@lemmy.ml 10 points 2 weeks ago

Not every threat actor has access to every vulnerability. The top spies won't share their best tools with normal cops, for example. They can't risk their access/methods coming to light for relatively minor reasons. Consider your threat model, and do your best.

[–] RobotToaster@mander.xyz 6 points 2 weeks ago (1 children)

RISC-V may be an answer in the future, especially the open source implementations.

Baseband processors are a more difficult subject.

[–] refalo@programming.dev 1 points 2 weeks ago (1 children)

I feel like RISC-V has already been ruined by vendor-specific proprietary extensions.

[–] The_Decryptor@aussie.zone 1 points 2 weeks ago (1 children)

You just leave those bits out when making your own CPU.

[–] refalo@programming.dev 1 points 2 weeks ago

Sure, but I think chances are high that "your own" will be much slower than the others.

[–] narr1@lemmy.dbzer0.com 4 points 2 weeks ago (1 children)

The old world is dying, and the new one struggles to be born. Now is, indeed, the time of monsters. I urge people to cast aside the veil of humanity for a while, as they (you know who) have already done. Embrace your beastly nature, and take up arms. Resist and persist.

[–] miracleorange@beehaw.org 2 points 2 weeks ago

If it cannot break out of its shell, the chick will die without being born. We are the chick, the world is our egg. If we don't crack the world's shell, we will die without being born. Smash the world's shell, for the revolution of the world!

Source: idk some anime or sth

[–] GBU_28@lemm.ee 3 points 2 weeks ago

Limit risk, airgap when needed.