koldfront

Updating Intel ME on a Lenovo Carbon X1 3rd gen #commandline #computers #hardware #security

No doubt to Andrew S. Tanenbaum's great joy, recent news has revealed that many Intel processors run a version of Minix on some kind of extra "security" core.

Unfortunately it seems to be full of holes.

After downloading and running a tool from Intel to check whether my system was vulnerable, Intel-SA-00086 Detection Tool, and getting the unfortunate message:

  Based on the analysis performed by this tool: This system is vulnerable.
  Explanation:
  The detected version of the Intel(R) Management Engine firmware
    is considered vulnerable for INTEL-SA-00086.
    Contact your system manufacturer for support and remediation of this system.

I started looking for how to update the faulty code in my processor.

I found a description on how somebody updated their Lenovo X1 Carbon 5th gen, Solved: Re: X1 Carbon 5th gen on Linux: How to update Intel Management Engine 11.8 Firmware??, which was basically a couple of amendments to another guide: Updating Intel Management Engine firmware on a Lenovo without a Windows Install, which was written for a Gen 4.

Here is what I did to upgrade my Lenovo X1 Carbon 3rd gen running Debian unstable:

Running the detection tool now says:

  INTEL-SA-00086 Detection Tool
  Copyright(C) 2017, Intel Corporation, All rights reserved
   
  Application Version: 1.0.0.146
  Scan date: 2017-12-09 16:59:33 GMT
   
  *** Host Computer Information ***
  Name: tullinup
  Manufacturer: LENOVO
  Model: 20BSCTO1WW
  Processor Name: Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz
  OS Version: debian buster/sid  (4.14.0-1-amd64)
   
  *** Intel(R) ME Information ***
  Engine: Intel(R) Management Engine
  Version: 10.0.56.3002
  SVN: 0
   
  *** Risk Assessment ***
  Based on the analysis performed by this tool: This system is not vulnerable. It has already been patched.
   
  For more information refer to the INTEL-SA-00086 Detection Tool Guide or the
    Intel Security Advisory Intel-SA-00086 at the following link:
    https://www.intel.com/sa-00086-support

Yay.

 (0 comments)

Bioinformatics Software Developer #biotech #free software #programming #python

If you're a developer with keen programming skills and interest in learning the subject matter, the department I work in is hiring:

Bioinformatics Software Developer

We use Linux (Ubuntu) on desktops and servers and are currently working on a project based on Python, Hadoop and Solr to make information and analyses available to our colleagues.

The office is located in Bagsværd north of Copenhagen (and it does not look like the picture on the job-page).

The application deadline was October 24, 2017; time's up!

 (0 comments)

Making VLC interface fit in with a dark widget theme #ui #x

Install the adwaita-qt package, and in /etc/environment set:

  # Make vlc look consistent:
  QT_STYLE_OVERRIDE=Adwaita-Dark

Bingo!

 (0 comments)

HiDPI note to self #x

To scale most things (Firefox, Sakura, GTK-apps): set Xft.dpi: 150 in, say, /etc/X11/Xresources/xft.

This makes Chromium's windows display way too big fonts, however, so to fix that add --force-device-scale-factor=1.5 to CHROMIUM_FLAGS in /etc/chromium.d/default-flags.

Adding -dpi 150 to the call to X in, say, /etc/lightdm/lightdm.conf doesn't seem to influence anything.

 (0 comments)

Panopticon prison in Cuba #architecture

Humans are very peculiar animals. At least these buildings are not in use.

 (0 comments)

Patched ejabberd (erlang-p1-tls) to support multiple ECDH curves #free software #programming

After the upgrade to Debian 9 (stretch) yesterday I hit this problem where my ejabberd would not talk to a Prosody server.

The problem seems to be that the two servers each support exactly one ECDH curve, and it is not the same one.

There is an ejabberd issue from May 5 on the subject: TLS ECDH curve selection.

Reading that led me to an issue on the tls package used by ejabberd from November 9, 2015: Allow specification of ECC named curve used in ECDH key exchange.

Hm, couldn't I just patch my erlang-p1-tls package, to fix the problem? I tried:

--- erlang-p1-tls-1.0.7.orig/c_src/fast_tls_drv.c
+++ erlang-p1-tls-1.0.7/c_src/fast_tls_drv.c
@@ -384,16 +384,15 @@ static int verify_callback(int preverify
 static void setup_ecdh(SSL_CTX *ctx)
 {
    EC_KEY *ecdh;
+   static int curves[] = {NID_X9_62_prime256v1, NID_secp384r1};
 
    if (SSLeay() < 0x1000005fL) {
       return;
    }
 
-   ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+   SSL_CTX_set1_curves(ctx, curves, 2);
+   SSL_CTX_set_ecdh_auto(ctx, 1);
    SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
-   SSL_CTX_set_tmp_ecdh(ctx, ecdh);
-
-   EC_KEY_free(ecdh);
 }
 #endif
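
Review bot: the context line `EC_KEY *ecdh;` at the top of setup_ecdh() stays declared after every use of it is removed, so the variable is now unused; delete the declaration as part of this change. The return value of `SSL_CTX_set1_curves(ctx, curves, 2)` is also ignored and the count is hard-coded: check the result (it returns 1 on success) and pass `sizeof(curves) / sizeof(curves[0])` so the list can grow without the count going stale. Finally, the unchanged guard `SSLeay() < 0x1000005fL` tests for 1.0.0e, while SSL_CTX_set1_curves and SSL_CTX_set_ecdh_auto were added in OpenSSL 1.0.2, so the guard no longer reflects the minimum version the function needs.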

The result? It works, my ejabberd can now talk to the Prosody server! - I hope it can talk to other ejabberds as well.

Free software - software you can fix yourself!

Update: it has been fixed in the Erlang tls library as well.
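
The curve mismatch described in this post, as an added example that is not code from the post, ejabberd or OpenSSL: a simplified model of picking a common curve from a peer's TLS supported_groups extension, run against the one-curve and two-curve lists from the patch. The names pick_group, peer_ext, truncated_ext, before_patch and after_patch are hypothetical, and the peer offering only secp384r1 is an assumption, since the post does not say which curve the Prosody side was limited to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA "TLS Supported Groups" code points for the two curves in the patch. */
enum { GRP_SECP256R1 = 23 /* prime256v1 */, GRP_SECP384R1 = 24 };

/*
 * Parse the body of a supported_groups extension (2-byte list length
 * followed by 2-byte group ids) and return the first offered group that
 * is also in the local list. Simplified: real stacks also apply a
 * preference order. Returns 0 if no curve is shared, -1 if malformed.
 */
int pick_group(const uint8_t *ext, size_t len,
               const uint16_t *local, size_t nlocal)
{
    if (len < 2)
        return -1;
    size_t list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len != len - 2 || list_len % 2 != 0)
        return -1;                      /* length field disagrees with data */
    for (size_t i = 2; i + 1 < len; i += 2) {
        uint16_t g = (uint16_t)((ext[i] << 8) | ext[i + 1]);
        for (size_t j = 0; j < nlocal; j++)
            if (local[j] == g)
                return g;
    }
    return 0;                           /* no common curve: ECDHE impossible */
}

/* Constructed sample: a peer that offers only secp384r1 (assumption). */
static const uint8_t peer_ext[] = { 0x00, 0x02, 0x00, 0x18 };
/* Constructed malformed sample: length field claims 4 bytes, 2 present. */
static const uint8_t truncated_ext[] = { 0x00, 0x04, 0x00, 0x18 };

static const uint16_t before_patch[] = { GRP_SECP256R1 };
static const uint16_t after_patch[]  = { GRP_SECP256R1, GRP_SECP384R1 };

int main(void)
{
    printf("before patch: %d\n",
           pick_group(peer_ext, sizeof peer_ext, before_patch, 1));
    printf("after patch:  %d\n",
           pick_group(peer_ext, sizeof peer_ext, after_patch, 2));
    printf("malformed:    %d\n",
           pick_group(truncated_ext, sizeof truncated_ext, after_patch, 2));
    return 0;
}
```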

 (0 comments)

Upgraded server to Debian 9 (stretch) #debian

I upgraded my home server to Debian 9 (stretch) today - as stretch was released during the weekend.

The upgrade was uneventful - just the way I like it.

Only two things broke severely:

And then there were a couple of hiccups with older websites, and I had to upgrade the website of Feedbase to Spock 0.12.0, which took a little fiddling.

But overall I think this is the smoothest Debian upgrade yet. Kudos!

 (0 comments)
