SecurityIsAFunctionalRequirement

So it has recently been revealed that intel management engine is about as secure as a sign saying “Please don’t hack me”

I dont know who could have possibly thought that an always-on minix-based picocomputer that controlled your actual computer was a good idea, but apparently enough of intel’s execs were stoned enough that it made it to production.

As of now, the only fix for the newest vuln is to disable IME, either with one of the vulnerabilities that kills IME, or by installing coreboot.

Im going to use this as an opportunity to proselytize for the eldritch cult of thinkpad, since the t420 and t430 can both be made non-vulnerable to IME exploits and can be upgraded to be powerful enough for most people.

I personally switched to using a Thinkpad T430 as my daily laptop on last tuesday, and am going to install coreboot as soon as the parts I need to flash the chip arrive.

What a coincidence that I become a thinkpad nerd mere days before they are revealed as some of the small number of safe machines on the planet.

So I am presently involved in security research on remotely compromising networked Accuvote TSX machines. The machines themselves are easy to find, ohio is still selling them for about $100 a pop on ebay. Even after the DefCon shitstorm. The hard part is finding network cards.

There are two sites that advertising the network cards for sale, with prices around $150. This is a bit expensive as a college student working with a scrounged budget.

I already confirmed that they dont work with just any PCMCIA+ network card due to proprietary modifications by Diebold (Security through obscurity is NOT A VALID STRATEGY!!!!), but I was able to determine that the card advertised is just a rebranded Linksys PCMPC100. These cards are available for $10 new in box on ebay. I tested one and it worked.

So this is my new tumblr, I am a Cybersecurity student at Purdue, and recent events have inspired me to create a blog to rant about security at companies that really should know better, spam pics of my cars, share my assorted code and robotics projects, and occasionally yell at Trump.

The title is inspired by a now-infamous in my circle of friends quote from one of our database design classes, that “Security is NOT a functional requirement” and the philosophy that security is something to be added on after the product has been built.