0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/837 Thanks!
1 00:00:15,500 --> 00:00:17,709 Our speakers for the next talk are going
2 00:00:17,710 --> 00:00:18,710 to be
3 00:00:20,370 --> 00:00:21,079 Igor
4 00:00:21,080 --> 00:00:24,049 Skochinsky and
5 00:00:24,050 --> 00:00:25,190 Nicola Corna.
6 00:00:26,960 --> 00:00:29,319 Both of them do reverse engineering,
7 00:00:29,320 --> 00:00:30,320 for fun and for a living.
8 00:00:32,430 --> 00:00:34,489 Nicola wrote a couple of Python scripts
9 00:00:34,490 --> 00:00:36,919 to disable the Intel Management
10 00:00:36,920 --> 00:00:37,920 Engine
11 00:00:40,160 --> 00:00:41,899 and is studying electrical engineering at
12 00:00:41,900 --> 00:00:42,900 the University of Milano.
13 00:00:45,210 --> 00:00:47,449 And today they are going to speak about
14 00:00:47,450 --> 00:00:49,619 the Intel Management Engine and
15 00:00:49,620 --> 00:00:51,749 lay out research and
16 00:00:51,750 --> 00:00:53,489 facts for a lot of myths that were
17 00:00:53,490 --> 00:00:55,739 travelling around the world and around
18 00:00:55,740 --> 00:00:57,359 the Internet for the past year,
19 00:00:57,360 --> 00:00:58,589 I would say.
20 00:00:58,590 --> 00:01:00,449 All right. Please welcome them with
21 00:01:00,450 --> 00:01:01,450 big applause.
22 00:01:13,710 --> 00:01:14,859 Hello.
23 00:01:14,860 --> 00:01:15,889 Okay.
24 00:01:15,890 --> 00:01:17,809 Thank you everyone for coming.
25 00:01:17,810 --> 00:01:18,830 That's quite a lot of people.
26 00:01:20,320 --> 00:01:22,399 It's the first time I speak in front of
27 00:01:22,400 --> 00:01:24,849 so many people, but
28 00:01:25,970 --> 00:01:26,970 we'll see.
29 00:01:27,360 --> 00:01:28,360 Anyway,
30 00:01:29,540 --> 00:01:30,769 just a little bit about me.
31 00:01:33,440 --> 00:01:35,509 Yeah, I'm a software
32 00:01:35,510 --> 00:01:37,539 developer at a little company called Hex-
33 00:01:37,540 --> 00:01:38,540 Rays.
34 00:01:39,230 --> 00:01:40,879 But in my free time, I do some reverse
35 00:01:40,880 --> 00:01:43,459 engineering, and it so happens that
36 00:01:43,460 --> 00:01:45,649 the company develops software
37 00:01:45,650 --> 00:01:47,089 for reverse engineering.
38 00:01:47,090 --> 00:01:49,060 So that's a bit of a good fit, I think.
39 00:01:50,130 --> 00:01:52,219 I am not a security researcher,
40 00:01:52,220 --> 00:01:53,179 as some might think.
41 00:01:53,180 --> 00:01:55,519 My day job is just software development.
42 00:01:56,840 --> 00:01:59,179 So this was just my hobby,
43 00:01:59,180 --> 00:02:00,180 so to speak.
44 00:02:01,310 --> 00:02:02,989 But before that, I did a bit of
45 00:02:04,070 --> 00:02:05,299 hacking of this one.
46 00:02:05,300 --> 00:02:06,949 This is the Amazon Kindle, the first
47 00:02:06,950 --> 00:02:08,659 version, the ugly one.
48 00:02:10,789 --> 00:02:13,009 Yeah, I did a bit of blogging back
49 00:02:13,010 --> 00:02:14,010 then.
50 00:02:14,720 --> 00:02:16,929 Yeah. This was, uh, that was
51 00:02:16,930 --> 00:02:18,799 where I found this little port and did
52 00:02:18,800 --> 00:02:20,819 some extracting of the filesystem.
53 00:02:20,820 --> 00:02:22,909 Anyway, it's not related to this one.
54 00:02:22,910 --> 00:02:24,409 Just a bit of background.
55 00:02:26,690 --> 00:02:28,560 And then I got interested in ME and
56 00:02:29,640 --> 00:02:31,879 the result is this talk. Hopefully you'll find
57 00:02:31,880 --> 00:02:32,880 it interesting.
58 00:02:34,370 --> 00:02:36,509 I'm Nicola Corna.
59 00:02:36,510 --> 00:02:38,819 I do hobby reverse engineering
60 00:02:38,820 --> 00:02:40,549 and I'm interested in do-it-yourself
61 00:02:40,550 --> 00:02:41,549 hardware.
62 00:02:41,550 --> 00:02:43,789 I'm currently an electronics engineering
63 00:02:43,790 --> 00:02:46,019 student at the Politecnico di Milano.
64 00:02:46,020 --> 00:02:47,439 And I'm not a researcher,
65 00:02:47,440 --> 00:02:49,679 a security researcher.
66 00:02:49,680 --> 00:02:51,959 I like to build my own stuff from
67 00:02:51,960 --> 00:02:54,029 scratch, and I really like
68 00:02:54,030 --> 00:02:55,680 PCB milling, like this one.
69 00:02:58,740 --> 00:03:01,539 Okay. Yeah, just a little disclaimer
70 00:03:01,540 --> 00:03:03,639 that all that we describe
71 00:03:03,640 --> 00:03:06,129 here is information either from public
72 00:03:06,130 --> 00:03:08,399 sources or from our own reverse
73 00:03:08,400 --> 00:03:09,639 engineering.
74 00:03:09,640 --> 00:03:11,649 Of course, as always, you can't be sure
75 00:03:11,650 --> 00:03:13,839 that everything that we say is
76 00:03:13,840 --> 00:03:15,039 100 percent correct.
77 00:03:15,040 --> 00:03:16,040 It's just our opinion,
78 00:03:17,230 --> 00:03:19,929 and it may turn out wrong in future.
79 00:03:19,930 --> 00:03:22,119 And we don't have any NDAs with Intel or
80 00:03:22,120 --> 00:03:23,049 any special relationship.
81 00:03:23,050 --> 00:03:25,209 So everything that
82 00:03:25,210 --> 00:03:26,210 we say is not
83 00:03:28,900 --> 00:03:30,819 endorsed by Intel or anything like that.
84 00:03:33,410 --> 00:03:35,160 Okay, let's go on.
85 00:03:36,630 --> 00:03:38,539 So just a little bit about what does
86 00:03:38,540 --> 00:03:39,540 Intel ME mean.
87 00:03:41,640 --> 00:03:43,789 ME nowadays
88 00:03:43,790 --> 00:03:46,139 means Management
89 00:03:46,140 --> 00:03:47,519 Engine. But originally it was
90 00:03:47,520 --> 00:03:49,139 called Manageability Engine; that was quite a
91 00:03:49,140 --> 00:03:50,930 big thing in the early 2000s.
92 00:03:53,220 --> 00:03:55,319 Then a bit
93 00:03:55,320 --> 00:03:56,239 later,
94 00:03:56,240 --> 00:03:58,229 now Intel tends to call it
95 00:03:58,230 --> 00:03:59,789 Converged Security and Manageability
96 00:03:59,790 --> 00:04:01,879 Engine, or just Converged
97 00:04:01,880 --> 00:04:03,139 Security Engine.
98 00:04:03,140 --> 00:04:05,429 So depending on which
99 00:04:05,430 --> 00:04:07,499 generation or which document you're reading,
100 00:04:07,500 --> 00:04:09,199 it may be called different things, but
101 00:04:09,200 --> 00:04:10,470 it's basically all the same thing.
102 00:04:11,640 --> 00:04:13,699 And in mobile or embedded
103 00:04:13,700 --> 00:04:16,078 platforms there is a variation called
104 00:04:16,079 --> 00:04:17,709 Trusted Execution Engine, or TXE.
105 00:04:19,350 --> 00:04:21,338 It's a little cut down and smaller
106 00:04:21,339 --> 00:04:23,849 firmware, but it's also a similar thing.
107 00:04:23,850 --> 00:04:25,709 And then servers, so the platforms with
108 00:04:25,710 --> 00:04:27,149 server chipsets, there is also
109 00:04:28,350 --> 00:04:29,969 a version of ME running different
110 00:04:29,970 --> 00:04:31,480 firmware called SPS, for servers.
111 00:04:32,640 --> 00:04:34,319 So basically most Intel platforms
112 00:04:34,320 --> 00:04:36,480 nowadays, they have some variation of it.
113 00:04:37,770 --> 00:04:39,689 And what is it? What is it?
114 00:04:39,690 --> 00:04:42,599 Well, Intel says this
115 00:04:42,600 --> 00:04:44,329 on their frequently asked questions page:
116 00:04:45,380 --> 00:04:46,979 built into many Intel chipset based
117 00:04:46,980 --> 00:04:49,319 platforms is a small, low-power
118 00:04:49,320 --> 00:04:51,959 computer subsystem which performs
119 00:04:51,960 --> 00:04:52,949 various tasks.
120 00:04:52,950 --> 00:04:54,329 Yeah, I cut some things because I
121 00:04:54,330 --> 00:04:56,819 didn't have space. Tasks
122 00:04:56,820 --> 00:04:59,249 while
123 00:04:59,250 --> 00:05:01,379 a computer is running or during
124 00:05:01,380 --> 00:05:03,499 sleep and so on.
125 00:05:04,590 --> 00:05:05,999 It must function correctly to get the
126 00:05:06,000 --> 00:05:07,829 most performance and capability from your PC.
127 00:05:07,830 --> 00:05:09,029 So it's a bit vague, but
128 00:05:10,260 --> 00:05:11,260 that's what they say.
129 00:05:13,020 --> 00:05:15,669 And what do other people say?
130 00:05:15,670 --> 00:05:16,559 Yeah.
131 00:05:16,560 --> 00:05:18,169 For example, some people say that it's a
132 00:05:18,170 --> 00:05:19,470 backdoor for the NSA
133 00:05:20,520 --> 00:05:22,379 and it has no useful purpose.
134 00:05:22,380 --> 00:05:24,479 And of course, I
135 00:05:24,480 --> 00:05:26,639 guess you can blame me as well, because
136 00:05:26,640 --> 00:05:28,439 my first presentation on this topic was
137 00:05:28,440 --> 00:05:29,800 called Rootkit in your laptop.
138 00:05:31,550 --> 00:05:33,689 Just a bit of explanation about
139 00:05:33,690 --> 00:05:34,690 it.
140 00:05:34,980 --> 00:05:37,079 When I submitted the abstract at
141 00:05:37,080 --> 00:05:39,390 the beginning, I was looking just at the
142 00:05:40,890 --> 00:05:41,890 anti-theft feature
143 00:05:43,360 --> 00:05:45,450 that Intel was using back then,
144 00:05:46,620 --> 00:05:49,139 and that one did indeed work
145 00:05:49,140 --> 00:05:50,140 like a rootkit.
146 00:05:51,180 --> 00:05:53,459 But in the process, I have this habit
147 00:05:53,460 --> 00:05:55,689 of, a hobbyist's habit,
148 00:05:55,690 --> 00:05:57,179 that I get easily distracted.
149 00:05:58,290 --> 00:06:00,689 And once I started looking at
150 00:06:00,690 --> 00:06:02,379 this anti-theft, I found that it's
151 00:06:02,380 --> 00:06:03,359 simply implemented inside Intel
152 00:06:03,360 --> 00:06:04,349 ME.
153 00:06:04,350 --> 00:06:06,360 And then from there, it's kind of,
154 00:06:07,370 --> 00:06:09,129 all kinds of things opened.
155 00:06:09,130 --> 00:06:11,249 So I started looking into what else
156 00:06:11,250 --> 00:06:13,169 is inside ME and so on.
157 00:06:13,170 --> 00:06:14,170 So anyway,
158 00:06:15,300 --> 00:06:16,959 my point is that it's not necessarily a
159 00:06:16,960 --> 00:06:19,049 rootkit; it was just kind
160 00:06:19,050 --> 00:06:21,779 of maybe a bit of a clickbait title
161 00:06:21,780 --> 00:06:23,849 to get my submission accepted, in which I
162 00:06:23,850 --> 00:06:24,850 succeeded.
163 00:06:26,760 --> 00:06:28,699 Yeah, so anyway.
164 00:06:29,910 --> 00:06:31,619 And this is, for example, an article from
165 00:06:31,620 --> 00:06:32,999 Hackaday.
166 00:06:33,000 --> 00:06:35,339 It's a bit difficult to read, I guess.
167 00:06:35,340 --> 00:06:37,479 So I will read
168 00:06:37,480 --> 00:06:38,480 some of it.
169 00:06:40,200 --> 00:06:41,519 It says, among other things:
170 00:06:44,850 --> 00:06:46,319 it's a microcontroller which has direct
171 00:06:46,320 --> 00:06:48,629 access to everything in the computer.
172 00:06:48,630 --> 00:06:50,549 Every computer with an Intel chip made in
173 00:06:50,550 --> 00:06:51,839 the last few years has one.
174 00:06:51,840 --> 00:06:53,219 And if you're looking for a perfect
175 00:06:53,220 --> 00:06:54,869 vector for an attack, you won't find
176 00:06:54,870 --> 00:06:56,999 anything better than the ME.
177 00:06:57,000 --> 00:06:58,559 It's a scary thing in your computer.
178 00:06:58,560 --> 00:07:00,389 And this fear is compounded by ignorance:
179 00:07:00,390 --> 00:07:02,009 no one knows what it can actually
180 00:07:02,010 --> 00:07:04,289 do. And without being able to audit
181 00:07:04,290 --> 00:07:06,389 the code running on the ME, no one knows
182 00:07:06,390 --> 00:07:07,919 exactly what will happen when it's broken
183 00:07:07,920 --> 00:07:08,920 open.
184 00:07:09,720 --> 00:07:11,039 Yeah.
So anyway, this is just one
185 00:07:11,040 --> 00:07:12,539 article, but there are many similar
186 00:07:12,540 --> 00:07:14,369 articles in recent years.
187 00:07:16,610 --> 00:07:17,610 And so on.
188 00:07:18,630 --> 00:07:20,769 So, for example, on
189 00:07:20,770 --> 00:07:23,559 Reddit, there's this discussion
190 00:07:23,560 --> 00:07:26,249 and one post says:
191 00:07:26,250 --> 00:07:28,229 the conspiracy theorist in me also makes
192 00:07:28,230 --> 00:07:30,059 me believe that Intel is not entirely
193 00:07:30,060 --> 00:07:31,439 responsible for the ME.
194 00:07:31,440 --> 00:07:33,719 I imagine that the NSA and other three-
195 00:07:33,720 --> 00:07:35,819 letter agencies have had their
196 00:07:35,820 --> 00:07:38,040 fair share of responsibility for it too.
197 00:07:39,600 --> 00:07:40,889 Well, of course.
198 00:07:40,890 --> 00:07:43,089 Who knows who is pushing it.
199 00:07:43,090 --> 00:07:45,329 You know, another example
200 00:07:45,330 --> 00:07:46,330 on foreign forums:
201 00:07:47,550 --> 00:07:49,049 the U.S. government can still make
202 00:07:49,050 --> 00:07:50,639 demands of what it should or shouldn't
203 00:07:50,640 --> 00:07:51,929 contain.
204 00:07:51,930 --> 00:07:53,519 The U.S. government has a long term plan
205 00:07:53,520 --> 00:07:54,739 to control the entire Internet.
206 00:07:54,740 --> 00:07:56,609 The ME is, of course, part of that
207 00:07:56,610 --> 00:07:57,610 plan.
208 00:07:59,820 --> 00:08:01,970 Or on IRC, just a random channel,
209 00:08:03,010 --> 00:08:05,099 and some guy says, yes, there was
210 00:08:05,100 --> 00:08:07,159 a discussion about limiting risks with
211 00:08:07,160 --> 00:08:08,069 ME.
212 00:08:08,070 --> 00:08:09,539 And then a guy replies: how can I
213 00:08:09,540 --> 00:08:11,369 limit my risk when there is a dedicated
214 00:08:11,370 --> 00:08:13,439 computer on top of a computer that has
215 00:08:13,440 --> 00:08:15,779 full access?
It can't be disabled.
216 00:08:15,780 --> 00:08:17,459 There is no need for a [unclear] because it's
217 00:08:17,460 --> 00:08:19,799 built into the hardware, bypasses
218 00:08:19,800 --> 00:08:21,779 any firewall, latches on to any Wi-Fi
219 00:08:21,780 --> 00:08:23,649 signal, cannot be disabled and so on.
220 00:08:25,530 --> 00:08:27,430 So yeah, that all sounds pretty scary.
221 00:08:28,860 --> 00:08:31,019 But is all of this true?
222 00:08:31,020 --> 00:08:32,759 So in my opinion, after looking at this,
223 00:08:32,760 --> 00:08:34,949 all of this, I think that
224 00:08:34,950 --> 00:08:37,288 most of these kinds of
225 00:08:37,289 --> 00:08:39,209 scary things are quite far fetched.
226 00:08:39,210 --> 00:08:41,459 And just
227 00:08:41,460 --> 00:08:43,529 to answer part of the first
228 00:08:43,530 --> 00:08:45,690 question, that it
229 00:08:46,890 --> 00:08:48,299 has no useful purpose.
230 00:08:48,300 --> 00:08:49,249 And I say no.
231 00:08:49,250 --> 00:08:50,789 It does have a purpose.
232 00:08:50,790 --> 00:08:52,619 Just because, personally, you don't see
233 00:08:52,620 --> 00:08:54,779 a purpose,
234 00:08:54,780 --> 00:08:56,190 doesn't mean that there is no purpose.
235 00:08:59,940 --> 00:09:02,849 So initially it was created to
236 00:09:02,850 --> 00:09:04,949 implement something called AMT to
237 00:09:04,950 --> 00:09:06,179 solve real IT problems.
238 00:09:07,620 --> 00:09:09,729 And let's see what
239 00:09:09,730 --> 00:09:11,189 those problems are.
240 00:09:11,190 --> 00:09:13,199 So just a bit of history on remote
241 00:09:13,200 --> 00:09:14,200 management.
242 00:09:14,940 --> 00:09:18,209 So in the late 90s, there was...
243 00:09:18,210 --> 00:09:19,559 It began well, when people had many
244 00:09:19,560 --> 00:09:21,689 computers, but they didn't want
245 00:09:21,690 --> 00:09:23,849 to have a monitor and keyboard for
246 00:09:23,850 --> 00:09:24,779 each one of them.
247 00:09:24,780 --> 00:09:26,879 They had something called keyboard
248 00:09:26,880 --> 00:09:29,059 video switch, later keyboard video
249 00:09:29,060 --> 00:09:30,060 mouse.
250 00:09:31,420 --> 00:09:32,420 Then later
251 00:09:35,070 --> 00:09:36,539 appeared the standard called Wired for
252 00:09:36,540 --> 00:09:38,939 Management, which included, among
253 00:09:38,940 --> 00:09:41,279 other things, Wake-on-LAN and
254 00:09:41,280 --> 00:09:42,839 Preboot Execution Environment, which are
255 00:09:42,840 --> 00:09:44,820 still in use nowadays.
256 00:09:45,900 --> 00:09:47,779 Then IBM introduced Alert on LAN,
257 00:09:49,050 --> 00:09:51,319 that allowed the network
258 00:09:51,320 --> 00:09:54,059 card to send alerts in case
259 00:09:54,060 --> 00:09:55,470 something happens with the computer.
260 00:09:56,580 --> 00:09:57,690 But it was just one way.
261 00:09:59,190 --> 00:10:01,639 Then in 2001, they introduced
262 00:10:01,640 --> 00:10:02,970 Alert Standard Format 1.0,
263 00:10:04,350 --> 00:10:07,259 which allowed sending some more things.
264 00:10:07,260 --> 00:10:09,329 But it was UDP only and
265 00:10:09,330 --> 00:10:10,590 it had no encryption.
266 00:10:12,500 --> 00:10:13,709 Two years later, they added
267 00:10:13,710 --> 00:10:15,749 encryption and improved some things, but it
268 00:10:15,750 --> 00:10:18,299 still was not completely enough
269 00:10:18,300 --> 00:10:19,300 for many
270 00:10:20,550 --> 00:10:22,799 purposes. And just then,
271 00:10:22,800 --> 00:10:25,529 in the background, they did some research
272 00:10:25,530 --> 00:10:28,349 with major enterprises
273 00:10:28,350 --> 00:10:30,269 and they announced something called AMT
274 00:10:30,270 --> 00:10:32,339 in 2004 at the Intel Developer
275 00:10:32,340 --> 00:10:33,340 Forum.
276 00:10:33,870 --> 00:10:35,639 And in their presentations, they showed
277 00:10:35,640 --> 00:10:37,979 this picture, that
278 00:10:37,980 --> 00:10:39,959 we have new technology which allows all
279 00:10:39,960 --> 00:10:42,299 this, and ASF
280 00:10:42,300 --> 00:10:45,149 was [unclear], and of course
281 00:10:45,150 --> 00:10:46,859 anyone in an enterprise who sees this
282 00:10:46,860 --> 00:10:47,559 picture
283 00:10:47,560 --> 00:10:49,659 sees all those green checkmarks,
284 00:10:49,660 --> 00:10:51,779 they think that's really
285 00:10:51,780 --> 00:10:52,919 good for [unclear].
286 00:10:52,920 --> 00:10:53,920 I need to have it.
287 00:10:54,810 --> 00:10:55,810 And it was very popular.
288 00:10:56,850 --> 00:10:59,669 So one year later, there it is, the
289 00:10:59,670 --> 00:11:00,670 first version had
290 00:11:03,240 --> 00:11:04,980 it hidden inside the
291 00:11:06,060 --> 00:11:07,319 network card.
292 00:11:07,320 --> 00:11:09,449 Well, not card, but network chip,
293 00:11:09,450 --> 00:11:10,650 which was on the motherboard.
294 00:11:13,020 --> 00:11:14,789 It had features which were not
295 00:11:14,790 --> 00:11:15,790 supported by
296 00:11:16,920 --> 00:11:19,109 the previous one, Alert Standard Format,
297 00:11:19,110 --> 00:11:21,329 ASF, for example IDE
298 00:11:21,330 --> 00:11:22,350 redirection, so you could
299 00:11:24,000 --> 00:11:26,339 mount an image over the network
300 00:11:26,340 --> 00:11:28,919 and boot the remote computer from it.
301 00:11:28,920 --> 00:11:31,079 It had serial over LAN, so
302 00:11:31,080 --> 00:11:32,250 you could have a serial console.
303 00:11:35,480 --> 00:11:36,959 Yeah, for some reason, they used a SOAP
304 00:11:36,960 --> 00:11:40,349 API, so XML over HTTP.
305 00:11:40,350 --> 00:11:41,720 XML was the thing back then.
306 00:11:44,870 --> 00:11:46,679 Yeah, then,
307 00:11:46,680 --> 00:11:48,649 they started the work on
308 00:11:48,650 --> 00:11:51,379 improving it. It was very popular
309 00:11:51,380 --> 00:11:53,389 and they decided, why do we need to put
310 00:11:53,390 --> 00:11:55,529 it in the network card, let's put it inside the
311 00:11:55,530 --> 00:11:57,139 north bridge.
312 00:11:57,140 --> 00:11:59,249 We have some space; it's just
313 00:11:59,250 --> 00:12:00,389 a small core.
314 00:12:00,390 --> 00:12:01,390 It's not a big deal.
315 00:12:02,780 --> 00:12:05,119 And more platforms
316 00:12:05,120 --> 00:12:06,120 can have it.
317 00:12:07,820 --> 00:12:09,799 Then they did some more improvements, for
318 00:12:09,800 --> 00:12:11,899 example, in 2007.
319 00:12:11,900 --> 00:12:13,699 They started releasing the first
320 00:12:13,700 --> 00:12:16,939 variants of the ME without AMT
321 00:12:16,940 --> 00:12:19,039 to support consumer
322 00:12:19,040 --> 00:12:21,709 users, for example, QST is
323 00:12:21,710 --> 00:12:23,869 Quiet System, uh,
324 00:12:23,870 --> 00:12:26,089 Technology, I think, basically
325 00:12:26,090 --> 00:12:27,090 fan management.
326 00:12:28,310 --> 00:12:30,649 So when the processor gets hot,
327 00:12:30,650 --> 00:12:32,839 it tells the embedded controller,
328 00:12:32,840 --> 00:12:34,129 turn up the fans.
329 00:12:34,130 --> 00:12:35,780 So it gets a little colder.
330 00:12:37,160 --> 00:12:38,719 So basically, it's something that works
331 00:12:38,720 --> 00:12:40,009 without the involvement of the main
332 00:12:40,010 --> 00:12:41,010 CPU.
333 00:12:41,600 --> 00:12:44,269 And I guess they just had
334 00:12:44,270 --> 00:12:46,549 some spare space and they decided we can
335 00:12:46,550 --> 00:12:48,019 add this feature and it will really
336 00:12:48,020 --> 00:12:50,269 improve the working
337 00:12:50,270 --> 00:12:51,619 of our hardware.
338 00:12:51,620 --> 00:12:52,620 So why not do it?
339 00:12:54,060 --> 00:12:55,639 And they also added TPM because
340 00:12:56,780 --> 00:12:59,089 people started, well, not people, but
341 00:12:59,090 --> 00:13:00,090 stuff.
342 00:13:00,780 --> 00:13:01,889 Yes, it was, uh,
343 00:13:03,320 --> 00:13:04,969 an initiative by Microsoft, the trusted
344 00:13:04,970 --> 00:13:07,369 computing, and the TPM
345 00:13:07,370 --> 00:13:08,480 standard appeared and
346 00:13:10,370 --> 00:13:11,389 they decided, why, right,
347 00:13:11,390 --> 00:13:13,730 do people need to have an extra chip and
348 00:13:14,780 --> 00:13:16,759 spend more money?
349 00:13:16,760 --> 00:13:19,759 Well, we can just add
350 00:13:19,760 --> 00:13:21,949 it inside and it
351 00:13:21,950 --> 00:13:24,199 will be cheaper for people and
352 00:13:24,200 --> 00:13:25,179 so on.
353 00:13:25,180 --> 00:13:27,329 So and then there's
354 00:13:27,330 --> 00:13:28,649 the first version of [unclear].
355 00:13:30,580 --> 00:13:32,689 I didn't look at it, but that's the first
356 00:13:32,690 --> 00:13:33,690 time it appeared.
357 00:13:36,050 --> 00:13:38,659 Then in 2008, 2009,
358 00:13:38,660 --> 00:13:40,189 they moved to the so-called,
359 00:13:40,190 --> 00:13:41,700 we call it generation two.
360 00:13:43,460 --> 00:13:45,439 They switched it to a different CPU, to
361 00:13:45,440 --> 00:13:47,599 a more efficient instruction set.
362 00:13:47,600 --> 00:13:49,219 And they also added KVM support.
363 00:13:49,220 --> 00:13:50,899 Previously, what had to be done
364 00:13:50,900 --> 00:13:53,209 in hardware using external
365 00:13:53,210 --> 00:13:54,439 switches,
366 00:13:54,440 --> 00:13:56,089 now it could be done over the network.
367 00:13:56,090 --> 00:13:57,619 So you could have full control of the
368 00:13:57,620 --> 00:13:58,620 computer,
369 00:13:59,770 --> 00:14:01,849 like as if you were using the
370 00:14:01,850 --> 00:14:04,549 mouse and keyboard and so on.
371 00:14:04,550 --> 00:14:05,899 They used a version of the VNC
372 00:14:05,900 --> 00:14:06,900 protocol.
373 00:14:08,360 --> 00:14:10,429 Anyway, just some milestones.
374 00:14:10,430 --> 00:14:11,809 They're not really interesting.
375 00:14:11,810 --> 00:14:13,549 I guess I'll skip them.
376 00:14:14,840 --> 00:14:15,840 So.
377 00:14:16,370 --> 00:14:18,499 So the summary is that
378 00:14:18,500 --> 00:14:18,849 originally
379 00:14:18,850 --> 00:14:21,469 it was created for this AMT,
380 00:14:21,470 --> 00:14:23,359 Active Management Technology, I
381 00:14:23,360 --> 00:14:24,360 think,
382 00:14:27,320 --> 00:14:28,789 or whatever they called it.
383 00:14:28,790 --> 00:14:30,859 It's an umbrella term which is not
384 00:14:30,860 --> 00:14:33,499 really concretely defined,
385 00:14:33,500 --> 00:14:35,839 but eventually they also added
386 00:14:35,840 --> 00:14:37,969 other features which
387 00:14:37,970 --> 00:14:40,339 were not related to AMT, but
388 00:14:40,340 --> 00:14:43,159 just because they could be useful and
389 00:14:43,160 --> 00:14:44,869 they had the opportunity.
390 00:14:44,870 --> 00:14:45,829 So they added many things. For
391 00:14:45,830 --> 00:14:48,229 example, one I didn't mention
392 00:14:48,230 --> 00:14:50,689 is ICC, Integrated Clock Control.
393 00:14:50,690 --> 00:14:53,389 So previously you had to have a separate
394 00:14:53,390 --> 00:14:54,949 chip soldered onto the motherboard,
395 00:14:54,950 --> 00:14:56,959 which was responsible for controlling the
396 00:14:56,960 --> 00:14:58,129 clocks.
397 00:14:58,130 --> 00:15:00,019 Now it could all be integrated in the
398 00:15:00,020 --> 00:15:01,289 chipset.
399 00:15:01,290 --> 00:15:03,379 And again, the customers
400 00:15:03,380 --> 00:15:04,380 save on the
401 00:15:05,870 --> 00:15:07,430 bill of materials and so on.
402 00:15:09,890 --> 00:15:11,749 It was also a bit more secure because
403 00:15:13,010 --> 00:15:14,599 once the clocks were set, they were
404 00:15:14,600 --> 00:15:16,669 locked and they could not
405 00:15:16,670 --> 00:15:19,259 be controlled by other software
406 00:15:19,260 --> 00:15:20,989 inside the OS. So you couldn't overheat your
407 00:15:20,990 --> 00:15:22,039 computer accidentally.
408 00:15:23,450 --> 00:15:24,889 Of course, [unclear] was added
409 00:15:24,890 --> 00:15:25,890 also as part of it,
410 00:15:27,190 --> 00:15:28,950 then the Dynamic Application Loader
411 00:15:30,410 --> 00:15:32,229 for the applets.
412 00:15:32,230 --> 00:15:34,219 They implemented a one-time password,
413 00:15:34,220 --> 00:15:35,629 for example.
414 00:15:35,630 --> 00:15:37,009 And one feature I think they
415 00:15:37,010 --> 00:15:38,569 really liked was silicon workaround
416 00:15:38,570 --> 00:15:40,450 capability,
417 00:15:41,710 --> 00:15:43,789 for patching bugs in hardware that
418 00:15:43,790 --> 00:15:45,079 previously,
419 00:15:45,080 --> 00:15:46,669 they had to replace the entire
420 00:15:47,750 --> 00:15:49,879 chips, and nowadays they could just
421 00:15:49,880 --> 00:15:51,979 release the new firmware and the bug
422 00:15:51,980 --> 00:15:52,980 would be fixed.
423 00:15:54,220 --> 00:15:55,779 So that's, I guess, their kind of
424 00:15:55,780 --> 00:15:57,950 motivation for all of this. It seems,
425 00:15:59,080 --> 00:16:00,609 so I think,
426 00:16:02,080 --> 00:16:03,969 it's kind of reasonable that they
427 00:16:03,970 --> 00:16:06,099 added this to the ME because
428 00:16:06,100 --> 00:16:08,229 they had the opportunity and it
429 00:16:08,230 --> 00:16:09,609 saves them their money and their
430 00:16:09,610 --> 00:16:10,610 customers'.
431 00:16:12,070 --> 00:16:14,229 And when people also say that
432 00:16:14,230 --> 00:16:16,389 it was, they say, the NSA and they control
433 00:16:16,390 --> 00:16:17,590 it, then,
434 00:16:18,640 --> 00:16:20,349 as you know, recently it was
435 00:16:20,350 --> 00:16:21,350 discovered that
436 00:16:22,450 --> 00:16:24,789 on request of government agencies Intel
437 00:16:24,790 --> 00:16:27,009 added a bit
438 00:16:27,010 --> 00:16:29,169 that would allow you to disable
439 00:16:29,170 --> 00:16:32,049 it early so it doesn't run
440 00:16:32,050 --> 00:16:34,389 for the rest of the operating
441 00:16:34,390 --> 00:16:35,679 period of your computer.
442 00:16:37,360 --> 00:16:39,399 And then if they had control over Intel,
443 00:16:39,400 --> 00:16:41,029 why would they request this bit?
444 00:16:41,030 --> 00:16:42,459 It doesn't really make sense,
445 00:16:42,460 --> 00:16:44,109 in my opinion.
446 00:16:44,110 --> 00:16:45,279 And here's a post from
447 00:16:46,890 --> 00:16:48,669 one guy on Hacker News, and he
448 00:16:48,670 --> 00:16:50,299 claims to be an Intel engineer.
449 00:16:50,300 --> 00:16:52,469 Unfortunately, a bit hard to
450 00:16:52,470 --> 00:16:53,470 read.
451 00:16:54,010 --> 00:16:55,029 And he says:
452 00:16:56,320 --> 00:16:58,479 I worked at Intel on the ME
453 00:16:58,480 --> 00:17:00,849 for three years and I can tell you
454 00:17:00,850 --> 00:17:02,919 two things. It was not born out of a
455 00:17:02,920 --> 00:17:04,989 desire to spy on people, nor
456 00:17:04,990 --> 00:17:07,809 was it, to the best of my knowledge,
457 00:17:07,810 --> 00:17:09,249 created at the request of the U.S.
458 00:17:09,250 --> 00:17:10,749 government or others.
459 00:17:10,750 --> 00:17:12,858 It was an honest attempt at providing
460 00:17:12,859 --> 00:17:14,709 functionality that we believed was useful
461 00:17:14,710 --> 00:17:15,710 for sysadmins.
462 00:17:18,450 --> 00:17:20,608 It was initially to be going much worse. 463 00:17:20,609 --> 00:17:22,679 Early pilots with actual customers, 464 00:17:22,680 --> 00:17:25,019 such as the British bank, were 465 00:17:25,020 --> 00:17:26,719 going to run out of more stuff. 466 00:17:26,720 --> 00:17:28,799 Think a full JVM and have a lot 467 00:17:28,800 --> 00:17:31,139 more direct access to the Euroland. 468 00:17:31,140 --> 00:17:32,549 Security concerns it. 469 00:17:32,550 --> 00:17:33,780 This idea is pretty early on 470 00:17:34,980 --> 00:17:36,749 in the 8th. I personally believe the 471 00:17:36,750 --> 00:17:38,269 whole thing was a bad idea and everybody 472 00:17:38,270 --> 00:17:40,529 else feels lucky to feel is 473 00:17:40,530 --> 00:17:42,419 fit to cap on end of it. 474 00:17:42,420 --> 00:17:43,979 But the scene was never let the bucket or 475 00:17:43,980 --> 00:17:45,629 anything like that. 476 00:17:45,630 --> 00:17:47,669 So I kind of totally agree with this guy. 477 00:17:47,670 --> 00:17:49,979 So I think it's kind of something that 478 00:17:51,750 --> 00:17:53,789 kind of spun out of control and it was 479 00:17:53,790 --> 00:17:54,839 not really meant to be 480 00:17:56,130 --> 00:17:58,259 as bad as it turned 481 00:17:58,260 --> 00:17:59,260 out. 482 00:18:00,750 --> 00:18:02,969 So a bit more 483 00:18:02,970 --> 00:18:04,759 about us, our moves. 484 00:18:04,760 --> 00:18:07,369 So people say that it's always on when 485 00:18:07,370 --> 00:18:08,699 the opposite is off. 486 00:18:08,700 --> 00:18:10,079 Well, it's kind of true, but 487 00:18:12,400 --> 00:18:13,979 it has some some circumstances. 488 00:18:13,980 --> 00:18:16,199 So it's a little 489 00:18:16,200 --> 00:18:17,950 bit about, I mean, our states. 
490 00:18:19,500 --> 00:18:21,629 So when the PC is on, the ME is
491 00:18:21,630 --> 00:18:23,369 also working and everything is fully
492 00:18:23,370 --> 00:18:25,529 powered, but
493 00:18:25,530 --> 00:18:27,869 when it is sleeping, the ME
494 00:18:27,870 --> 00:18:29,219 can be in different states, and for
495 00:18:29,220 --> 00:18:30,699 example, one state is called M1.
496 00:18:32,010 --> 00:18:34,339 So the main CPU is suspended,
497 00:18:34,340 --> 00:18:36,749 but the ME functions. It has [unclear].
498 00:18:36,750 --> 00:18:38,819 It has a bit of DRAM which
499 00:18:38,820 --> 00:18:40,169 is working.
500 00:18:40,170 --> 00:18:42,029 It has [unclear] system and the ME systems are
501 00:18:42,030 --> 00:18:43,030 working.
502 00:18:45,840 --> 00:18:46,840 And
503 00:18:48,260 --> 00:18:50,639 once some timeout
504 00:18:50,640 --> 00:18:53,189 expires, it goes to the M-off state.
505 00:18:53,190 --> 00:18:55,369 And in that case, it's completely powered
506 00:18:55,370 --> 00:18:57,509 off. So it works for a bit and then it
507 00:18:57,510 --> 00:18:59,639 goes off, but it can
508 00:18:59,640 --> 00:19:01,409 have a so-called wake mode.
509 00:19:01,410 --> 00:19:03,209 So when a packet comes in on the LAN
510 00:19:03,210 --> 00:19:05,429 and AMT is active, it wakes up and
511 00:19:05,430 --> 00:19:06,540 can handle the request.
512 00:19:07,950 --> 00:19:10,019 So it's kind of off,
513 00:19:10,020 --> 00:19:11,989 but not completely off.
514 00:19:11,990 --> 00:19:13,740 But anyway, it's...
515 00:19:16,770 --> 00:19:18,269 When you power down your computer,
516 00:19:18,270 --> 00:19:19,270 usually it's off.
517 00:19:20,040 --> 00:19:22,259 In some cases, you can configure it in
518 00:19:22,260 --> 00:19:23,730 the BIOS. If you have AMT,
519 00:19:25,080 --> 00:19:26,219 here's a picture. You can
520 00:19:26,220 --> 00:19:27,509 configure that.
521 00:19:27,510 --> 00:19:29,669 It should still be only on 522 00:19:29,670 --> 00:19:32,009 once the computer is on 523 00:19:32,010 --> 00:19:34,259 or when the computer is in sleep. 524 00:19:34,260 --> 00:19:36,539 It can also be powered 525 00:19:36,540 --> 00:19:38,609 if it's on AC power and so on. 526 00:19:38,610 --> 00:19:40,499 So this setting depends on your 527 00:19:40,500 --> 00:19:42,539 system. And sometimes it's 528 00:19:42,540 --> 00:19:43,769 configurable, sometimes it's not. 529 00:19:46,690 --> 00:19:47,690 So another one: 530 00:19:49,180 --> 00:19:51,369 it can lock your computer on a command sent 531 00:19:51,370 --> 00:19:52,599 from over there. 532 00:19:52,600 --> 00:19:53,739 Yes, it was kind of true. 533 00:19:54,900 --> 00:19:57,579 It was for some time, but it's not anymore. 534 00:19:57,580 --> 00:19:59,799 So you still need the ME which has 535 00:19:59,800 --> 00:20:02,229 this TDT, which means Theft Deterrence 536 00:20:02,230 --> 00:20:03,460 Technology, also called Anti-Theft, 537 00:20:04,570 --> 00:20:06,729 and it was only 538 00:20:06,730 --> 00:20:08,949 present in the ME from version 4 539 00:20:08,950 --> 00:20:10,119 to 9; 540 00:20:11,350 --> 00:20:12,430 in 10, it was removed. 541 00:20:13,600 --> 00:20:16,829 And for this to be possible, 542 00:20:16,830 --> 00:20:18,969 Anti-Theft needs to be 543 00:20:18,970 --> 00:20:20,109 enabled. 544 00:20:20,110 --> 00:20:21,609 And your computer needs to be enrolled in 545 00:20:21,610 --> 00:20:23,679 the Anti-Theft program, because it has to be 546 00:20:23,680 --> 00:20:25,749 periodically pinging the 547 00:20:25,750 --> 00:20:26,750 server 548 00:20:27,850 --> 00:20:29,839 to confirm that it is not stolen. 549 00:20:31,690 --> 00:20:33,909 And yes, for 550 00:20:33,910 --> 00:20:36,429 some time, it had support for 3G, 551 00:20:36,430 --> 00:20:38,019 and this 3G chip had to be connected 552 00:20:38,020 --> 00:20:39,159 directly to the chipset.
553 00:20:39,160 --> 00:20:41,229 For example, if you had a USB 554 00:20:41,230 --> 00:20:43,929 key with 3G, it wouldn't work, 555 00:20:43,930 --> 00:20:45,170 only with the built-in module. 556 00:20:46,600 --> 00:20:48,739 And the command to turn off 557 00:20:48,740 --> 00:20:50,799 too, kind of, because it had to 558 00:20:50,800 --> 00:20:51,800 be signed by Intel, 559 00:20:53,320 --> 00:20:55,659 so it had to go through Intel servers 560 00:20:55,660 --> 00:20:56,660 to be really active. 561 00:20:57,700 --> 00:20:59,490 And eventually in 2015, Intel, 562 00:21:01,180 --> 00:21:02,499 Intel, they removed it and 563 00:21:03,790 --> 00:21:05,529 it's completely gone. So it's not 564 00:21:05,530 --> 00:21:06,880 present in modern PCs. 565 00:21:08,050 --> 00:21:10,239 And on the other side, 566 00:21:10,240 --> 00:21:11,949 all the anti-theft solutions which are offered, 567 00:21:11,950 --> 00:21:13,509 they don't use the ME. 568 00:21:13,510 --> 00:21:14,679 They all use a 569 00:21:14,680 --> 00:21:17,169 BIOS, a UEFI module 570 00:21:17,170 --> 00:21:18,489 which works on the operating system 571 00:21:18,490 --> 00:21:20,410 level. So it's a software agent. 572 00:21:25,010 --> 00:21:27,219 So another one is: 573 00:21:27,220 --> 00:21:28,609 it can read all the data on my PC. 574 00:21:30,320 --> 00:21:31,989 And it's a bit complicated, 575 00:21:33,400 --> 00:21:35,499 so it can 576 00:21:35,500 --> 00:21:36,670 read the host memory, 577 00:21:37,810 --> 00:21:39,599 but, for example, it cannot read your 578 00:21:39,600 --> 00:21:41,379 hard drive directly. 579 00:21:41,380 --> 00:21:43,539 It can maybe push some driver 580 00:21:43,540 --> 00:21:45,879 or whatever that would read 581 00:21:45,880 --> 00:21:47,969 the data from the hard 582 00:21:47,970 --> 00:21:49,779 drive and then fetch this data from 583 00:21:49,780 --> 00:21:51,069 the memory.
584 00:21:51,070 --> 00:21:53,259 But it cannot access the hard 585 00:21:53,260 --> 00:21:54,789 drive directly, as far as I know. 586 00:21:54,790 --> 00:21:55,790 Of course. 587 00:21:57,500 --> 00:21:59,929 And according to the documentation 588 00:21:59,930 --> 00:22:02,449 in the datasheets 589 00:22:02,450 --> 00:22:04,639 and so on, the sensitive areas 590 00:22:04,640 --> 00:22:05,669 are blocked. 591 00:22:05,670 --> 00:22:08,329 So, for example, the SMRAM is 592 00:22:08,330 --> 00:22:11,379 blocked and cannot be read by the 593 00:22:11,380 --> 00:22:12,380 DMA engine. 594 00:22:13,880 --> 00:22:15,919 It has a bit of access to the internal 595 00:22:15,920 --> 00:22:16,920 GPU. 596 00:22:17,570 --> 00:22:19,489 But as far as I know, it has no 597 00:22:19,490 --> 00:22:22,039 actual real access to the pixels. 598 00:22:22,040 --> 00:22:23,179 So it can kind of 599 00:22:24,840 --> 00:22:27,079 redirect data from the drivers 600 00:22:27,080 --> 00:22:29,179 to the GPU and do a 601 00:22:29,180 --> 00:22:31,189 key exchange, but it cannot directly 602 00:22:31,190 --> 00:22:32,299 decrypt the data. 603 00:22:33,590 --> 00:22:35,659 However, there is a bit of a 604 00:22:35,660 --> 00:22:37,519 footnote, so to speak. 605 00:22:37,520 --> 00:22:39,289 It can emulate an IDE or USB 606 00:22:39,290 --> 00:22:41,569 device on the host. So it could boot 607 00:22:41,570 --> 00:22:42,949 a different image. 608 00:22:42,950 --> 00:22:45,189 Well, malware could definitely 609 00:22:45,190 --> 00:22:46,519 make use of AMT. 610 00:22:46,520 --> 00:22:47,839 And then, of course, it could access the 611 00:22:47,840 --> 00:22:49,249 file system or whatever. 612 00:22:49,250 --> 00:22:51,949 But this is not directly the ME itself. 613 00:22:51,950 --> 00:22:53,489 It's something that uses the ME.
614 00:22:55,100 --> 00:22:57,489 And one more note that this is all about 615 00:22:57,490 --> 00:22:59,059 generation 2 of the ME. 616 00:22:59,060 --> 00:23:01,389 So in ME 11, 617 00:23:01,390 --> 00:23:03,469 Maxim was talking yesterday and he 618 00:23:03,470 --> 00:23:05,389 claims that it has access to most 619 00:23:05,390 --> 00:23:06,289 devices on the host. 620 00:23:06,290 --> 00:23:07,909 So maybe this situation has 621 00:23:07,910 --> 00:23:08,910 changed. 622 00:23:09,770 --> 00:23:10,770 So I don't know. 623 00:23:11,990 --> 00:23:14,239 So it can access some stuff, but 624 00:23:14,240 --> 00:23:15,240 not everything. 625 00:23:15,950 --> 00:23:17,359 And then people say it's a black box. 626 00:23:17,360 --> 00:23:19,279 We can't audit it. 627 00:23:19,280 --> 00:23:20,449 Just give up. 628 00:23:20,450 --> 00:23:22,159 And I say, not really. 629 00:23:22,160 --> 00:23:24,829 So for example, there is a tweet from 630 00:23:24,830 --> 00:23:26,479 Daniel Behler on Twitter 631 00:23:27,530 --> 00:23:30,289 and he quotes his friend who says 632 00:23:30,290 --> 00:23:32,449 it was, uh, a follow-up to 633 00:23:32,450 --> 00:23:34,729 the ROCA attack, which was basically 634 00:23:34,730 --> 00:23:37,219 a bug in the 635 00:23:37,220 --> 00:23:38,269 implementation of the 636 00:23:38,270 --> 00:23:39,949 specification. 637 00:23:39,950 --> 00:23:41,759 And he says, whenever it comes to a 638 00:23:41,760 --> 00:23:44,149 specification, how do you 639 00:23:44,150 --> 00:23:45,049 break it? 640 00:23:45,050 --> 00:23:46,189 So if there is a specification, 641 00:23:46,190 --> 00:23:48,439 every time it says MUST, 642 00:23:48,440 --> 00:23:49,700 check that they really did 643 00:23:51,020 --> 00:23:52,579 this, every time.
644 00:23:52,580 --> 00:23:54,709 When it says MUST NOT, check that they did 645 00:23:54,710 --> 00:23:57,109 not. Every SHOULD, 646 00:23:57,110 --> 00:23:59,209 assume that they did not do it and test 647 00:23:59,210 --> 00:24:01,289 for it. Every time it mentions 648 00:24:01,290 --> 00:24:02,459 requirements that do not affect 649 00:24:02,460 --> 00:24:04,399 functionality, assume it was done 650 00:24:04,400 --> 00:24:06,229 wrongly by one company and nobody noticed, 651 00:24:06,230 --> 00:24:07,579 just because it still works. 652 00:24:08,660 --> 00:24:10,879 So anyway, I think this also 653 00:24:10,880 --> 00:24:13,039 applies, like, well, for 654 00:24:13,040 --> 00:24:13,939 Intel. We don't really have 655 00:24:13,940 --> 00:24:15,049 specifications, but we have some 656 00:24:15,050 --> 00:24:17,359 documentation which describes various 657 00:24:17,360 --> 00:24:19,069 flows, for example, for activation, 658 00:24:20,240 --> 00:24:21,889 for the remote commands and so on. 659 00:24:21,890 --> 00:24:24,019 So you can also do the same thing, just 660 00:24:24,020 --> 00:24:26,209 follow the specs and 661 00:24:26,210 --> 00:24:27,269 see if they really 662 00:24:28,520 --> 00:24:30,039 followed them correctly. 663 00:24:30,040 --> 00:24:32,160 And maybe you can find some bugs. 664 00:24:33,940 --> 00:24:35,680 And the notion 665 00:24:36,700 --> 00:24:38,509 there is black-box auditing. 666 00:24:38,510 --> 00:24:40,729 So plenty of products can 667 00:24:40,730 --> 00:24:42,309 be audited without source code. 668 00:24:43,640 --> 00:24:45,469 And AMT was audited without source. 669 00:24:45,470 --> 00:24:47,480 And just as a kind of 670 00:24:48,560 --> 00:24:50,649 pointer to my previous slide, 671 00:24:50,650 --> 00:24:52,759 there is a master's thesis 672 00:24:52,760 --> 00:24:54,089 by Vassilios Ververis.
673 00:24:54,090 --> 00:24:56,299 It was written by Ververis 674 00:24:56,300 --> 00:24:58,609 in 2010, called Security Evaluation 675 00:24:58,610 --> 00:25:00,949 of Intel's Active Management Technology. 676 00:25:00,950 --> 00:25:02,689 So in all his work, 677 00:25:02,690 --> 00:25:03,679 he did not do 678 00:25:03,680 --> 00:25:04,669 any reverse engineering. 679 00:25:04,670 --> 00:25:06,679 He just read the documentation provided 680 00:25:06,680 --> 00:25:08,829 by Intel and he tried to talk 681 00:25:08,830 --> 00:25:11,269 to, activate Intel AMT, or 682 00:25:11,270 --> 00:25:13,729 not, I mean, AMT, 683 00:25:13,730 --> 00:25:15,589 and see if it's really activated the way 684 00:25:15,590 --> 00:25:16,879 they describe. 685 00:25:16,880 --> 00:25:19,519 And he tried to find some kind of 686 00:25:19,520 --> 00:25:20,689 holes in that specification. 687 00:25:20,690 --> 00:25:22,609 And he did find some things which 688 00:25:22,610 --> 00:25:24,259 had to be fixed later by Intel. 689 00:25:24,260 --> 00:25:26,479 But at the time, they were really 690 00:25:26,480 --> 00:25:27,409 kind of bugs. 691 00:25:27,410 --> 00:25:28,520 For example, Intel says that 692 00:25:29,750 --> 00:25:31,639 AMT should not be pinging the 693 00:25:31,640 --> 00:25:33,649 activation server before it goes into 694 00:25:33,650 --> 00:25:34,729 setup mode. 695 00:25:34,730 --> 00:25:36,349 But Ververis, 696 00:25:36,350 --> 00:25:38,449 he found that in some cases 697 00:25:38,450 --> 00:25:40,579 it does ping the activation server. 698 00:25:40,580 --> 00:25:41,580 So apparently 699 00:25:43,850 --> 00:25:45,889 it was not completely implemented 700 00:25:45,890 --> 00:25:47,149 correctly by Intel. 701 00:25:47,150 --> 00:25:49,489 And in the later versions, they changed 702 00:25:49,490 --> 00:25:50,869 the way activation and remote 703 00:25:50,870 --> 00:25:52,099 configuration works. 704 00:25:52,100 --> 00:25:54,079 And now it's more correct.
705 00:25:54,080 --> 00:25:55,460 So you don't have to 706 00:25:56,630 --> 00:25:58,609 have the source code to... 707 00:25:58,610 --> 00:26:00,769 Sometimes even the documentation is enough to 708 00:26:00,770 --> 00:26:01,770 just audit it. 709 00:26:02,510 --> 00:26:04,639 And even if you don't have source code, 710 00:26:04,640 --> 00:26:06,469 you have the binary code. 711 00:26:06,470 --> 00:26:07,669 The firmware is available in 712 00:26:07,670 --> 00:26:10,039 flash. It's not encrypted, for 713 00:26:10,040 --> 00:26:11,040 now. 714 00:26:12,110 --> 00:26:14,149 So you can just figure out how to extract 715 00:26:14,150 --> 00:26:15,150 it, just 716 00:26:16,340 --> 00:26:17,660 disassemble the code and see what it does. 717 00:26:19,100 --> 00:26:20,509 And in my opinion, it's a superior 718 00:26:20,510 --> 00:26:21,510 approach. 719 00:26:22,130 --> 00:26:24,739 So when you have the binary code, 720 00:26:24,740 --> 00:26:27,079 you see what is actually being executed. 721 00:26:27,080 --> 00:26:28,399 So you don't see the comments. 722 00:26:28,400 --> 00:26:29,869 You're not confused by comments, by 723 00:26:29,870 --> 00:26:31,969 the variable names or whatever, or code 724 00:26:31,970 --> 00:26:33,529 formatting. Like, remember the goto 725 00:26:33,530 --> 00:26:35,599 fail that Apple had in their 726 00:26:35,600 --> 00:26:36,749 encryption code? 727 00:26:36,750 --> 00:26:38,149 Not encryption. I don't remember. 728 00:26:38,150 --> 00:26:40,269 Somebody... does anyone remember 729 00:26:40,270 --> 00:26:41,809 that there was a goto which was indented 730 00:26:41,810 --> 00:26:42,919 a bit wrongly? 731 00:26:42,920 --> 00:26:44,779 And it was not obvious when you just 732 00:26:44,780 --> 00:26:45,780 glance at the code. 733 00:26:48,140 --> 00:26:49,159 So what do you do when you have it in 734 00:26:49,160 --> 00:26:51,259 binary? It's kind of hard to miss 735 00:26:51,260 --> 00:26:52,260 such things.
736 00:26:53,790 --> 00:26:55,039 Yeah, and you don't have the comments, 737 00:26:55,040 --> 00:26:56,689 but sometimes comments, they tend to 738 00:26:56,690 --> 00:26:58,939 go stale and they make 739 00:26:58,940 --> 00:27:01,009 these claims which are not true 740 00:27:01,010 --> 00:27:02,010 anymore. 741 00:27:02,580 --> 00:27:03,950 And with binary, it's a bit harder. 742 00:27:05,120 --> 00:27:06,559 Yeah. One downside, of course, it's 743 00:27:06,560 --> 00:27:08,479 much... it takes a lot more time. 744 00:27:10,580 --> 00:27:11,580 But that's life. 745 00:27:15,110 --> 00:27:17,029 And so just to summarize it, there were 746 00:27:17,030 --> 00:27:18,979 some bugs that were found until 747 00:27:18,980 --> 00:27:20,479 recently. 748 00:27:20,480 --> 00:27:22,729 And Ververis, just mentioned previously, 749 00:27:22,730 --> 00:27:24,499 that just by reading the specs, he found 750 00:27:24,500 --> 00:27:26,839 some issues by 751 00:27:26,840 --> 00:27:28,909 just manipulating the network during 752 00:27:28,910 --> 00:27:31,149 the activation process and trying 753 00:27:31,150 --> 00:27:33,329 to change some things. 754 00:27:33,330 --> 00:27:35,419 And then, last but not least, the one that was 755 00:27:35,420 --> 00:27:36,770 found this year, earlier this year, 756 00:27:40,070 --> 00:27:42,049 about the empty digest that could be 757 00:27:42,050 --> 00:27:45,079 sent to log into AMT. 758 00:27:45,080 --> 00:27:46,429 And that's one of the ways forward, just 759 00:27:46,430 --> 00:27:47,869 looking at the different network traffic 760 00:27:47,870 --> 00:27:49,979 again and trying 761 00:27:49,980 --> 00:27:52,160 things, so without source code again.
762 00:27:53,390 --> 00:27:55,639 And the last one with 763 00:27:55,640 --> 00:27:57,979 a buffer overflow 764 00:27:57,980 --> 00:28:00,109 again was found, was also discovered just 765 00:28:00,110 --> 00:28:01,249 by decompiling 766 00:28:02,300 --> 00:28:03,589 the binary code. 767 00:28:03,590 --> 00:28:04,999 So just to summarize. 768 00:28:07,700 --> 00:28:09,259 Even if it's a black box and you don't have 769 00:28:09,260 --> 00:28:10,739 source code, you can audit. 770 00:28:12,680 --> 00:28:14,239 And maybe you can even get by without 771 00:28:14,240 --> 00:28:15,519 reverse engineering; of course, it's better 772 00:28:15,520 --> 00:28:16,759 if reverse engineering can be done. 773 00:28:16,760 --> 00:28:18,589 But you can, 774 00:28:18,590 --> 00:28:20,359 as I pointed out in my work. 775 00:28:22,250 --> 00:28:23,630 Now, one more thing: 776 00:28:24,640 --> 00:28:26,909 you can write 777 00:28:26,910 --> 00:28:28,969 the undetectable rootkit for it; it's 778 00:28:28,970 --> 00:28:30,799 stealthy and undetectable. 779 00:28:30,800 --> 00:28:32,929 And indeed, there were some 780 00:28:32,930 --> 00:28:34,999 attempts at making rootkits for the 781 00:28:35,000 --> 00:28:37,279 ME. In particular, 782 00:28:37,280 --> 00:28:39,439 in 2009 at Black 783 00:28:39,440 --> 00:28:41,569 Hat, there was a presentation 784 00:28:41,570 --> 00:28:42,710 by Invisible Things Lab, 785 00:28:43,850 --> 00:28:45,589 which was probably the first one, the first 786 00:28:45,590 --> 00:28:47,509 research on this topic. 787 00:28:48,590 --> 00:28:50,959 They found a bug in some BIOSes 788 00:28:50,960 --> 00:28:53,209 which allowed access to the ME's 789 00:28:53,210 --> 00:28:54,729 memory area. 790 00:28:54,730 --> 00:28:56,959 And at that time it was just plain 791 00:28:56,960 --> 00:28:57,960 text code. 792 00:28:58,610 --> 00:29:00,409 So not protected, not anything.
793 00:29:00,410 --> 00:29:02,389 And they could inject some code into ME 794 00:29:02,390 --> 00:29:04,109 memory and execute code. 795 00:29:06,410 --> 00:29:07,410 So. 796 00:29:08,130 --> 00:29:10,769 This allowed them to kind of 797 00:29:10,770 --> 00:29:12,869 have a rootkit, let's say, but 798 00:29:12,870 --> 00:29:14,429 it has some limitations. 799 00:29:14,430 --> 00:29:16,159 It has to be on that chipset, 800 00:29:16,160 --> 00:29:17,160 from that era. 801 00:29:18,780 --> 00:29:19,780 And 802 00:29:20,890 --> 00:29:22,979 since then, Apple's, 803 00:29:22,980 --> 00:29:25,139 sorry, not Apple, Intel, they 804 00:29:25,140 --> 00:29:27,459 implemented the protection, so you cannot get 805 00:29:27,460 --> 00:29:29,849 to it, or modifications 806 00:29:29,850 --> 00:29:31,809 will be detected and rejected. 807 00:29:31,810 --> 00:29:33,180 The machine will reboot. 808 00:29:35,940 --> 00:29:36,940 Also, 809 00:29:39,080 --> 00:29:41,539 Patrick Stewin, who 810 00:29:41,540 --> 00:29:43,739 wrote a book on detecting these 811 00:29:43,740 --> 00:29:44,949 attacks. 812 00:29:44,950 --> 00:29:47,019 So I think it can 813 00:29:47,020 --> 00:29:49,329 not be considered undetectable anymore. 814 00:29:49,330 --> 00:29:51,579 So we can detect the ME by some side 815 00:29:51,580 --> 00:29:52,580 effects. 816 00:29:53,170 --> 00:29:54,770 And it's not so stealthy anymore. 817 00:29:56,320 --> 00:29:58,659 And some people say, 818 00:29:58,660 --> 00:30:00,879 okay, it's just... it's there and 819 00:30:00,880 --> 00:30:02,439 you can't remove it and you cannot do 820 00:30:02,440 --> 00:30:03,069 anything. 821 00:30:03,070 --> 00:30:04,070 So 822 00:30:05,140 --> 00:30:06,669 I think it's a myth. Let's see what 823 00:30:06,670 --> 00:30:07,670 can be done about it.
824 00:30:09,980 --> 00:30:12,109 So about one year ago, I started 825 00:30:12,110 --> 00:30:14,899 playing with coreboot and I asked myself 826 00:30:14,900 --> 00:30:16,640 if I could remove the ME firmware. 827 00:30:18,110 --> 00:30:20,399 And unfortunately, the coreboot FAQ 828 00:30:20,400 --> 00:30:22,429 page had the answer. 829 00:30:22,430 --> 00:30:24,709 And it seems that before version 6, 830 00:30:24,710 --> 00:30:26,659 it was possible to disable Intel 831 00:30:26,660 --> 00:30:28,909 ME just by removing the firmware 832 00:30:28,910 --> 00:30:30,040 from the SPI flash. 833 00:30:31,360 --> 00:30:33,579 Unfortunately, this isn't 834 00:30:33,580 --> 00:30:35,869 available anymore, because starting from 835 00:30:35,870 --> 00:30:38,229 version 6, if you remove 836 00:30:38,230 --> 00:30:40,299 the Intel ME firmware, 837 00:30:40,300 --> 00:30:42,459 the PC will turn on, but it will 838 00:30:42,460 --> 00:30:44,440 turn off after 30 minutes. 839 00:30:47,160 --> 00:30:49,379 So it seems that 840 00:30:49,380 --> 00:30:51,229 it is not technically required. 841 00:30:51,230 --> 00:30:53,819 It seems like an artificial lock. 842 00:30:53,820 --> 00:30:55,859 So I started looking for a way at least 843 00:30:55,860 --> 00:30:56,860 to reduce its firmware. 844 00:30:58,020 --> 00:30:59,969 And I found this message on the 845 00:30:59,970 --> 00:31:02,069 coreboot mailing list by Trammell Hudson, 846 00:31:03,180 --> 00:31:05,639 in which he tried to remove parts 847 00:31:05,640 --> 00:31:07,829 of the Intel ME firmware, and 848 00:31:07,830 --> 00:31:10,039 he found out that the 849 00:31:10,040 --> 00:31:12,269 PC still turned on, but without 850 00:31:12,270 --> 00:31:13,289 turning off.
851 00:31:13,290 --> 00:31:15,579 After 30 minutes and 852 00:31:15,580 --> 00:31:17,759 in a few days, he found out that 853 00:31:17,760 --> 00:31:19,709 he could actually remove parts of Intel 854 00:31:19,710 --> 00:31:21,869 ME without 855 00:31:21,870 --> 00:31:23,639 compromising the correct boot of the 856 00:31:23,640 --> 00:31:24,640 system. 857 00:31:25,260 --> 00:31:27,479 So I tried to do his 858 00:31:27,480 --> 00:31:28,480 work again. 859 00:31:29,460 --> 00:31:31,619 And to avoid doing things 860 00:31:31,620 --> 00:31:33,359 by hand with a hex editor, I 861 00:31:33,360 --> 00:31:35,549 started writing me_cleaner, which 862 00:31:35,550 --> 00:31:37,729 is a Python script that is able to reduce 863 00:31:37,730 --> 00:31:39,899 any Intel ME firmware image to the 864 00:31:39,900 --> 00:31:42,119 minimal image needed 865 00:31:42,120 --> 00:31:44,819 for a correct boot of a PC. 866 00:31:44,820 --> 00:31:46,679 So first of all, where is the Intel 867 00:31:46,680 --> 00:31:47,669 ME firmware? 868 00:31:47,670 --> 00:31:49,469 Where is it located? 869 00:31:49,470 --> 00:31:51,659 It is located on the same chip as 870 00:31:51,660 --> 00:31:53,009 the BIOS/EFI. 871 00:31:54,720 --> 00:31:57,509 So reading and writing it 872 00:31:57,510 --> 00:31:59,789 is quite simple, because you can either 873 00:31:59,790 --> 00:32:02,009 use an external programmer, which can 874 00:32:02,010 --> 00:32:04,139 be a cheap Linux board 875 00:32:04,140 --> 00:32:06,269 with an SPI interface or 876 00:32:06,270 --> 00:32:08,099 a dedicated programmer. 877 00:32:08,100 --> 00:32:10,319 Or in some cases you can also use 878 00:32:10,320 --> 00:32:12,419 the vendor toolset to flash 879 00:32:12,420 --> 00:32:14,609 the BIOS, to dump it and write 880 00:32:14,610 --> 00:32:16,200 again the modified image.
881 00:32:17,850 --> 00:32:20,189 Now this is possible because the 882 00:32:20,190 --> 00:32:22,469 SPI chips in the Intel 883 00:32:22,470 --> 00:32:24,539 systems are partitioned. 884 00:32:24,540 --> 00:32:26,429 So this is the schema. 885 00:32:26,430 --> 00:32:28,589 You have the Intel Flash Descriptor, 886 00:32:28,590 --> 00:32:30,569 which contains different partitions 887 00:32:30,570 --> 00:32:32,639 inside the 888 00:32:32,640 --> 00:32:34,669 SPI chip. So we have this descriptor 889 00:32:34,670 --> 00:32:37,049 region, which is like a partition 890 00:32:37,050 --> 00:32:39,329 table, and then different partitions. 891 00:32:39,330 --> 00:32:41,869 For example, the BIOS region and 892 00:32:41,870 --> 00:32:43,710 the Intel ME firmware region. 893 00:32:45,870 --> 00:32:47,339 All we want is the Intel 894 00:32:47,340 --> 00:32:49,649 ME firmware. So we just have to extract 895 00:32:49,650 --> 00:32:51,849 it. And we can do it with the help of 896 00:32:51,850 --> 00:32:53,939 ifdtool from the coreboot project. 897 00:32:55,110 --> 00:32:57,269 So first step, let's try 898 00:32:57,270 --> 00:32:59,549 to remove every partition from the firmware 899 00:32:59,550 --> 00:33:01,889 except for the FTPR, which seems 900 00:33:01,890 --> 00:33:03,989 to be the fundamental one needed for the 901 00:33:03,990 --> 00:33:04,990 correct boot. 902 00:33:07,380 --> 00:33:09,509 Indeed, the Intel ME firmware is 903 00:33:09,510 --> 00:33:11,859 partitioned. This is the simplified 904 00:33:11,860 --> 00:33:13,959 schema. So we have an FPT, 905 00:33:13,960 --> 00:33:15,689 which is the firmware partition 906 00:33:15,690 --> 00:33:18,119 table, which contains a list 907 00:33:18,120 --> 00:33:20,229 of the partitions inside the firmware 908 00:33:20,230 --> 00:33:21,419 image.
909 00:33:21,420 --> 00:33:23,189 In this image, we can see that there is 910 00:33:23,190 --> 00:33:25,739 the FTPR, which is the core partition, 911 00:33:25,740 --> 00:33:28,019 and the NFTP partition, which is the 912 00:33:28,020 --> 00:33:30,119 partition with the network stack and 913 00:33:30,120 --> 00:33:31,120 AMT. 914 00:33:32,520 --> 00:33:34,589 Removing this partition is quite easy 915 00:33:34,590 --> 00:33:36,749 because inside the FPT we have 916 00:33:36,750 --> 00:33:38,849 these entries and each entry has 917 00:33:38,850 --> 00:33:40,349 the offset and the size. 918 00:33:40,350 --> 00:33:42,539 So all we have to do is just to remove 919 00:33:42,540 --> 00:33:44,789 the code from the offset to the offset 920 00:33:44,790 --> 00:33:45,790 plus the size. 921 00:33:47,180 --> 00:33:49,139 The partitions are signed. 922 00:33:49,140 --> 00:33:50,799 But they are signed individually, 923 00:33:50,800 --> 00:33:52,800 so we can remove the whole partition 924 00:33:53,940 --> 00:33:55,889 without any major effect, because the 925 00:33:55,890 --> 00:33:57,479 signature is inside the partition. 926 00:33:57,480 --> 00:33:59,159 So we remove both the code and the 927 00:33:59,160 --> 00:34:00,160 signature. 928 00:34:01,230 --> 00:34:03,359 Moreover, the FPT is not signed. 929 00:34:03,360 --> 00:34:04,769 It just has a checksum. 930 00:34:04,770 --> 00:34:07,079 So it's quite easy to remove everything 931 00:34:07,080 --> 00:34:08,309 we want. 932 00:34:08,310 --> 00:34:09,539 So I tried it. 933 00:34:09,540 --> 00:34:11,619 I flashed back the result on my 934 00:34:11,620 --> 00:34:12,840 PC and it worked. 935 00:34:13,949 --> 00:34:16,049 So this was the first step. 936 00:34:16,050 --> 00:34:18,448 The next step was to try to remove 937 00:34:18,449 --> 00:34:20,729 the LZMA modules. 938 00:34:20,730 --> 00:34:23,158 Now things are becoming a bit 939 00:34:23,159 --> 00:34:25,769 complicated.
So let's review the 940 00:34:25,770 --> 00:34:27,999 layout of the entire 941 00:34:28,000 --> 00:34:29,189 ME firmware. 942 00:34:29,190 --> 00:34:31,459 So we have the SPI chip, 943 00:34:31,460 --> 00:34:33,959 which contains different regions. 944 00:34:33,960 --> 00:34:36,089 For example, the descriptor, the BIOS and 945 00:34:36,090 --> 00:34:38,339 the ME region. Inside 946 00:34:38,340 --> 00:34:39,689 the ME firmware 947 00:34:39,690 --> 00:34:41,729 we have different partitions. 948 00:34:41,730 --> 00:34:43,899 For example, the FTPR and the NFTP, 949 00:34:43,900 --> 00:34:46,138 and inside each 950 00:34:46,139 --> 00:34:47,369 code partition, 951 00:34:47,370 --> 00:34:48,428 for example the 952 00:34:48,429 --> 00:34:50,039 FTPR, we have different modules. 953 00:34:51,280 --> 00:34:53,459 The modules can be either Huffman 954 00:34:53,460 --> 00:34:55,649 compressed or LZMA compressed. 955 00:34:56,790 --> 00:34:59,339 They use two different kinds 956 00:34:59,340 --> 00:35:00,629 of compression schemes, 957 00:35:00,630 --> 00:35:02,429 because LZMA offers 958 00:35:02,430 --> 00:35:04,649 a better compression, but 959 00:35:04,650 --> 00:35:06,799 it needs a loaded 960 00:35:06,800 --> 00:35:07,829 firmware to be used. 961 00:35:09,270 --> 00:35:11,369 On the contrary, Huffman 962 00:35:11,370 --> 00:35:13,559 compression has a worse 963 00:35:13,560 --> 00:35:15,989 compression ratio, 964 00:35:15,990 --> 00:35:17,729 but it can be done directly by the 965 00:35:17,730 --> 00:35:19,799 hardware. So they use Huffman to 966 00:35:19,800 --> 00:35:21,989 compress the early-stage 967 00:35:21,990 --> 00:35:24,059 modules and LZMA for 968 00:35:24,060 --> 00:35:25,110 the later stages. 969 00:35:28,840 --> 00:35:30,909 So different partitions have 970 00:35:30,910 --> 00:35:32,289 different structures.
971 00:35:32,290 --> 00:35:34,479 But since we 972 00:35:34,480 --> 00:35:36,549 kept only the FTPR partition, 973 00:35:36,550 --> 00:35:38,139 we are only interested in that. 974 00:35:38,140 --> 00:35:40,419 And that is called a code partition. 975 00:35:40,420 --> 00:35:43,179 Moreover, the internal structure of the 976 00:35:43,180 --> 00:35:45,629 code partition changes between the different 977 00:35:45,630 --> 00:35:47,439 Intel ME generations. 978 00:35:48,790 --> 00:35:50,679 So generation 1 is not of our 979 00:35:50,680 --> 00:35:52,899 interest because the Intel ME could 980 00:35:52,900 --> 00:35:54,159 be removed completely. 981 00:35:54,160 --> 00:35:56,229 So no problem for it. 982 00:35:56,230 --> 00:35:58,389 And let's focus on generation 2, because 983 00:35:58,390 --> 00:35:59,429 I started from that. 984 00:36:00,670 --> 00:36:02,729 So this is the 985 00:36:02,730 --> 00:36:05,019 internal schema of a generation 2 986 00:36:05,020 --> 00:36:06,699 code partition. 987 00:36:06,700 --> 00:36:09,069 So we have a section that is a manifest, 988 00:36:09,070 --> 00:36:11,799 which contains the RSA signature 989 00:36:11,800 --> 00:36:13,929 of the list of the modules. 990 00:36:13,930 --> 00:36:15,309 Here you can see that we have different 991 00:36:15,310 --> 00:36:17,469 modules and each entry has the name, 992 00:36:17,470 --> 00:36:19,359 the offset, the size, the compression 993 00:36:19,360 --> 00:36:21,459 type, and, most importantly, the hash. 994 00:36:23,470 --> 00:36:25,719 This means that the modules are not 995 00:36:25,720 --> 00:36:27,459 directly signed. 996 00:36:27,460 --> 00:36:29,349 Each module is hashed, 997 00:36:29,350 --> 00:36:30,939 and the list of the hashes is then 998 00:36:30,940 --> 00:36:32,439 signed.
999 00:36:32,440 --> 00:36:34,729 Luckily for us, the hashes are lazily 1000 00:36:34,730 --> 00:36:37,159 evaluated, so invalidating 1001 00:36:37,160 --> 00:36:39,529 the hash of a module doesn't prevent 1002 00:36:39,530 --> 00:36:40,989 the loading of a previous one. 1003 00:36:42,310 --> 00:36:44,349 This is important because it means that 1004 00:36:44,350 --> 00:36:46,539 we can stop the boot 1005 00:36:46,540 --> 00:36:49,209 of this system by invalidating 1006 00:36:49,210 --> 00:36:51,789 a module. All the subsequent modules 1007 00:36:51,790 --> 00:36:52,719 will not be loaded. 1008 00:36:52,720 --> 00:36:53,629 But the previous ones, 1009 00:36:53,630 --> 00:36:54,630 ah, okay. 1010 00:36:56,080 --> 00:36:57,429 So I tried again. 1011 00:36:57,430 --> 00:36:59,529 I updated me_cleaner and I tried 1012 00:36:59,530 --> 00:37:01,809 to remove every module in the FTPR 1013 00:37:01,810 --> 00:37:04,419 that was LZMA compressed, 1014 00:37:04,420 --> 00:37:06,719 so that only five modules 1015 00:37:06,720 --> 00:37:07,720 were kept. 1016 00:37:08,530 --> 00:37:10,579 I flashed back the result and it 1017 00:37:10,580 --> 00:37:11,580 worked again. 1018 00:37:12,370 --> 00:37:14,619 So at this point I had removed 1019 00:37:14,620 --> 00:37:17,199 most of the code, but there were still 1020 00:37:17,200 --> 00:37:20,079 the Huffman modules, and I wanted to remove 1021 00:37:20,080 --> 00:37:21,519 at least most of them. 1022 00:37:23,160 --> 00:37:25,269 Documentation online for the 1023 00:37:25,270 --> 00:37:28,089 Huffman modules is very poor. 1024 00:37:28,090 --> 00:37:30,339 So I relied on the source code of 1025 00:37:30,340 --> 00:37:32,569 unhuffme, which is the decompressor for 1026 00:37:32,570 --> 00:37:34,689 Intel ME generation 2 Huffman 1027 00:37:34,690 --> 00:37:37,839 modules, and I recovered the structure.
1028 00:37:37,840 --> 00:37:40,439 So while the LZMA modules 1029 00:37:40,440 --> 00:37:42,519 were just a single block of data from 1030 00:37:42,520 --> 00:37:45,239 the offset to the offset plus the size, 1031 00:37:45,240 --> 00:37:47,679 the Huffman-compressed modules 1032 00:37:47,680 --> 00:37:49,809 are fragmented, so there 1033 00:37:49,810 --> 00:37:51,879 is a single partition 1034 00:37:51,880 --> 00:37:53,979 shared among 1035 00:37:53,980 --> 00:37:56,259 them and we have 1036 00:37:56,260 --> 00:37:58,599 an LLUT, which stands for Local 1037 00:37:58,600 --> 00:38:01,079 Lookup Table, which contains 1038 00:38:01,080 --> 00:38:03,159 the list of entries, each of which has 1039 00:38:03,160 --> 00:38:05,469 a valid flag and the offset. 1040 00:38:06,770 --> 00:38:08,829 The offsets point 1041 00:38:08,830 --> 00:38:09,969 to the Huffman chunks. 1042 00:38:09,970 --> 00:38:12,669 So we have a fixed size of 1043 00:38:12,670 --> 00:38:13,689 uncompressed data. 1044 00:38:13,690 --> 00:38:15,549 But from our point of view, since we're 1045 00:38:15,550 --> 00:38:17,769 seeing only the compressed data, 1046 00:38:17,770 --> 00:38:19,150 they are variable size. 1047 00:38:20,380 --> 00:38:22,509 This, let's say, complex schema was 1048 00:38:22,510 --> 00:38:25,119 probably used by Intel to 1049 00:38:25,120 --> 00:38:27,249 further shrink the Huffman 1050 00:38:27,250 --> 00:38:29,349 compression, because in this way different 1051 00:38:29,350 --> 00:38:31,409 chunks can be reused 1052 00:38:31,410 --> 00:38:34,539 again in different ME modules.
1053 00:38:34,540 --> 00:38:36,729 However, once I understood 1054 00:38:36,730 --> 00:38:38,829 the structure of the LLUT, all 1055 00:38:38,830 --> 00:38:41,169 I had to do was to create a whitelist 1056 00:38:41,170 --> 00:38:43,119 of the chunks that couldn't be removed 1057 00:38:43,120 --> 00:38:45,519 because they are 1058 00:38:45,520 --> 00:38:47,829 part of a partition, of a module, 1059 00:38:47,830 --> 00:38:50,589 that I want, I don't want to be removed, 1060 00:38:50,590 --> 00:38:51,999 and remove all the others. 1061 00:38:53,170 --> 00:38:55,299 So I tried to remove the module 1062 00:38:55,300 --> 00:38:56,739 with the least important name. 1063 00:38:56,740 --> 00:38:58,899 And just to start with, it was 1064 00:38:58,900 --> 00:39:01,029 the FTCS, and I flashed back the result 1065 00:39:01,030 --> 00:39:03,139 and it worked again. 1066 00:39:04,300 --> 00:39:06,599 So I moved on from that and I tried 1067 00:39:06,600 --> 00:39:08,739 to discover which modules were 1068 00:39:08,740 --> 00:39:10,329 really needed for the boot. 1069 00:39:10,330 --> 00:39:11,949 And I found out that only two 1070 00:39:11,950 --> 00:39:13,929 modules were needed. 1071 00:39:13,930 --> 00:39:15,879 These two modules were the BUP, 1072 00:39:15,880 --> 00:39:18,189 which stands for Bring-UP, 1073 00:39:18,190 --> 00:39:20,259 which is the first loaded 1074 00:39:20,260 --> 00:39:22,449 module, which initializes all 1075 00:39:22,450 --> 00:39:24,529 the system and turns off 1076 00:39:24,530 --> 00:39:25,629 the 30 minutes 1077 00:39:25,630 --> 00:39:26,630 watchdog. 1078 00:39:27,760 --> 00:39:28,839 The ROMP. 1079 00:39:28,840 --> 00:39:30,609 The ROMP module, 1080 00:39:30,610 --> 00:39:32,319 which is not always present,
1081 00:39:32,320 --> 00:39:33,819 seems to contain some sort of 1082 00:39:33,820 --> 00:39:36,609 configuration data read by BUP, 1083 00:39:36,610 --> 00:39:38,709 but it's very small, something like 1084 00:39:38,710 --> 00:39:40,860 two kilobytes. So it's not a problem. 1085 00:39:43,450 --> 00:39:45,549 Interestingly, there is no 1086 00:39:45,550 --> 00:39:48,219 kernel now, because the kernel module 1087 00:39:48,220 --> 00:39:49,749 has been removed. 1088 00:39:49,750 --> 00:39:52,029 So it seems that on generation 1089 00:39:52,030 --> 00:39:54,249 two, it's possible to have a fully 1090 00:39:54,250 --> 00:39:56,739 functioning PC without 1091 00:39:56,740 --> 00:39:58,839 a kernel running in Intel ME. 1092 00:40:02,100 --> 00:40:04,259 So next step, to recover the free 1093 00:40:04,260 --> 00:40:05,279 space. 1094 00:40:05,280 --> 00:40:07,409 Why? Because I was 1095 00:40:07,410 --> 00:40:09,609 using coreboot then, and the Intel 1096 00:40:09,610 --> 00:40:11,369 ME firmware image 1097 00:40:11,370 --> 00:40:14,369 was something like five megabytes, 1098 00:40:14,370 --> 00:40:16,379 while the code remaining after the removal 1099 00:40:16,380 --> 00:40:18,119 was much, much less. 1100 00:40:18,120 --> 00:40:19,919 And I wanted to recover that space 1101 00:40:19,920 --> 00:40:22,649 because I wanted to store a Linux 1102 00:40:22,650 --> 00:40:24,790 kernel directly inside my SPI chip. 1103 00:40:27,190 --> 00:40:28,190 Why not? 1104 00:40:34,980 --> 00:40:37,199 So I started just by truncating 1105 00:40:37,200 --> 00:40:39,389 the image just after, let's say, 1106 00:40:39,390 --> 00:40:41,729 the last valid module. 1107 00:40:41,730 --> 00:40:42,679 And that worked.
1108 00:40:42,680 --> 00:40:45,029 But well, that was 1109 00:40:45,030 --> 00:40:47,369 expected, because the dead 1110 00:40:47,370 --> 00:40:50,099 space that I had removed wasn't mapped 1111 00:40:50,100 --> 00:40:52,319 by anything inside Intel ME, so 1112 00:40:52,320 --> 00:40:54,599 I could easily remove it. 1113 00:40:54,600 --> 00:40:56,789 But that wasn't enough. 1114 00:40:56,790 --> 00:40:59,159 Because, let's see, for example, 1115 00:40:59,160 --> 00:41:01,709 this scheme: between the FPT, 1116 00:41:01,710 --> 00:41:04,229 which is at the beginning of the ME 1117 00:41:04,230 --> 00:41:06,389 image, and the FTPR, which is our 1118 00:41:06,390 --> 00:41:08,729 partition that we must keep, 1119 00:41:08,730 --> 00:41:11,579 there may be other partitions 1120 00:41:11,580 --> 00:41:13,589 that I had previously removed. 1121 00:41:13,590 --> 00:41:15,239 And now they are not there anymore. 1122 00:41:15,240 --> 00:41:17,579 So I have the FPT, something like one 1123 00:41:17,580 --> 00:41:19,769 megabyte of FF, 1124 00:41:19,770 --> 00:41:21,189 and then finally my code. 1125 00:41:22,230 --> 00:41:24,629 And I want to recover that space. 1126 00:41:24,630 --> 00:41:26,789 So I have to figure out how I 1127 00:41:26,790 --> 00:41:28,649 can move the partitions. 1128 00:41:28,650 --> 00:41:30,179 And you may say, well, it's easy. 1129 00:41:30,180 --> 00:41:32,499 You just move the code, then you correct 1130 00:41:32,500 --> 00:41:35,159 the entry inside the FPT, 1131 00:41:35,160 --> 00:41:36,689 the offset of that entry. 1132 00:41:36,690 --> 00:41:37,690 And that's all. 1133 00:41:38,580 --> 00:41:40,679 Unfortunately, on generation two, 1134 00:41:41,730 --> 00:41:44,189 it's not possible because...
1135 00:41:44,190 --> 00:41:46,349 Well, it's not that easy, because it 1136 00:41:46,350 --> 00:41:48,899 seems that some offsets 1137 00:41:48,900 --> 00:41:51,659 inside the FTPR partition 1138 00:41:51,660 --> 00:41:53,999 are not relative to the beginning 1139 00:41:54,000 --> 00:41:55,529 of the FTPR partition. 1140 00:41:55,530 --> 00:41:58,109 But they are relative to the FPT, 1141 00:41:58,110 --> 00:41:59,729 so you can't move the code without 1142 00:41:59,730 --> 00:42:01,889 adjusting them as well. 1143 00:42:01,890 --> 00:42:03,449 It took a bit of time. 1144 00:42:03,450 --> 00:42:05,579 But I was able to find them 1145 00:42:05,580 --> 00:42:07,679 out. And luckily they 1146 00:42:07,680 --> 00:42:08,680 aren't signed. 1147 00:42:10,200 --> 00:42:12,599 So after many tries and 1148 00:42:12,600 --> 00:42:15,059 bricking my laptop many times, 1149 00:42:15,060 --> 00:42:17,719 I found out which ones 1150 00:42:17,720 --> 00:42:19,289 were responsible for this 1151 00:42:19,290 --> 00:42:21,360 behavior. And I corrected them as well. 1152 00:42:22,620 --> 00:42:24,389 I flashed back the result and it worked 1153 00:42:24,390 --> 00:42:25,390 again. 1154 00:42:25,980 --> 00:42:28,829 So this is the current situation: 1155 00:42:28,830 --> 00:42:31,079 starting from a five megabyte ME image, 1156 00:42:31,080 --> 00:42:33,599 we have now an 84 kilobyte 1157 00:42:33,600 --> 00:42:35,669 image, which is, 1158 00:42:35,670 --> 00:42:38,009 moreover, full of 1159 00:42:38,010 --> 00:42:39,809 free space, because as you can see, there 1160 00:42:39,810 --> 00:42:42,449 is the FPT, padding, 1161 00:42:42,450 --> 00:42:44,599 just the header and some pointers, 1162 00:42:44,600 --> 00:42:46,769 padding again, the 50 kilobytes of 1163 00:42:46,770 --> 00:42:48,719 data, which is the real data, and then 1164 00:42:48,720 --> 00:42:50,789 padding. So starting from five 1165 00:42:50,790 --> 00:42:53,009 megabytes,
now we have, let's say, 1166 00:42:53,010 --> 00:42:54,010 50 kilobytes. 1167 00:43:02,340 --> 00:43:04,559 And just to have an idea, this is 1168 00:43:04,560 --> 00:43:07,199 the size comparison of 1169 00:43:07,200 --> 00:43:09,179 my image. So you can see that most of 1170 00:43:09,180 --> 00:43:11,369 the space is dedicated to the network 1171 00:43:11,370 --> 00:43:13,919 stack and to Intel AMT. 1172 00:43:13,920 --> 00:43:16,229 We have a small partition of FTPR, 1173 00:43:16,230 --> 00:43:18,719 plus a small partition of 1174 00:43:18,720 --> 00:43:20,969 EFFS, which is an internal file system 1175 00:43:20,970 --> 00:43:23,759 that Intel ME can read and write. 1176 00:43:23,760 --> 00:43:24,759 And inside the FTPR 1177 00:43:24,760 --> 00:43:26,699 part, the only thing that we really need 1178 00:43:26,700 --> 00:43:28,859 for the core boot of the PC is the 1179 00:43:28,860 --> 00:43:31,049 BUP plus sometimes the ROMP, 1180 00:43:31,050 --> 00:43:32,880 but it is very, very small. 1181 00:43:34,860 --> 00:43:37,019 So I decided also to port 1182 00:43:37,020 --> 00:43:38,849 my work to generation three. 1183 00:43:38,850 --> 00:43:41,369 Now don't start leaving the room 1184 00:43:41,370 --> 00:43:43,229 saying, oh my God, this is starting again 1185 00:43:43,230 --> 00:43:45,119 from the beginning, no: with generation 1186 00:43:45,120 --> 00:43:47,339 three it was much, much easier, 1187 00:43:47,340 --> 00:43:49,499 because the internal structure of the 1188 00:43:49,500 --> 00:43:50,940 partition table hadn't changed. 1189 00:43:52,320 --> 00:43:54,839 Without any change, I was able to 1190 00:43:54,840 --> 00:43:57,279 remove all the partitions except for 1191 00:43:57,280 --> 00:43:59,969 FTPR, because the structure was the same. 1192 00:43:59,970 --> 00:44:02,099 But the internal schema of the partitions 1193 00:44:02,100 --> 00:44:04,019 themselves had changed.
1194 00:44:04,020 --> 00:44:06,179 And this one is the new internal schema 1195 00:44:06,180 --> 00:44:09,269 of the code partitions. 1196 00:44:09,270 --> 00:44:11,069 Now they are indexed by the code 1197 00:44:11,070 --> 00:44:13,140 partition directory, the CPD. 1198 00:44:14,900 --> 00:44:16,459 As depicted in the picture, in the 1199 00:44:16,460 --> 00:44:17,599 picture, we have 1200 00:44:18,620 --> 00:44:20,889 three different types of entries, 1201 00:44:20,890 --> 00:44:23,299 which are the name of the partition 1202 00:44:23,300 --> 00:44:24,219 dot man, 1203 00:44:24,220 --> 00:44:26,719 which is the old manifest plus 1204 00:44:26,720 --> 00:44:27,860 the extensions, then 1205 00:44:29,150 --> 00:44:31,279 a module metadata and the module 1206 00:44:31,280 --> 00:44:33,829 data. As you can see, also the signature 1207 00:44:33,830 --> 00:44:35,389 schema had changed. 1208 00:44:35,390 --> 00:44:37,519 So there is the old manifest that 1209 00:44:37,520 --> 00:44:38,999 signs the extensions, 1210 00:44:39,000 --> 00:44:41,089 that hash the kernel 1211 00:44:41,090 --> 00:44:41,989 metadata, 1212 00:44:41,990 --> 00:44:44,539 that hashes the kernel data. 1213 00:44:44,540 --> 00:44:46,639 But luckily for us, the 1214 00:44:46,640 --> 00:44:48,769 lazy evaluation of the hashes is 1215 00:44:48,770 --> 00:44:50,929 still valid. So we can exploit, again, 1216 00:44:50,930 --> 00:44:52,999 the lazy evaluation to remove as much 1217 00:44:53,000 --> 00:44:55,369 code, as many partitions, sorry, 1218 00:44:55,370 --> 00:44:57,199 as many modules as possible. 1219 00:44:59,280 --> 00:45:01,409 So this is the list of the 1220 00:45:01,410 --> 00:45:02,609 types. 1221 00:45:02,610 --> 00:45:03,929 So I tried again. 1222 00:45:03,930 --> 00:45:06,569 By trial and error, I figured out 1223 00:45:06,570 --> 00:45:08,879 which modules were really needed and 1224 00:45:08,880 --> 00:45:10,250 which ones were not.
1225 00:45:11,400 --> 00:45:13,469 And it seems that only four modules are 1226 00:45:13,470 --> 00:45:15,779 really needed. So syslib, RBE, 1227 00:45:15,780 --> 00:45:16,780 which is 1228 00:45:18,630 --> 00:45:20,789 sometimes a very small part, like 1229 00:45:20,790 --> 00:45:23,069 the counterpart of ROMP, 1230 00:45:23,070 --> 00:45:25,079 the kernel this time, and the BUP 1231 00:45:25,080 --> 00:45:26,080 partition. 1232 00:45:28,820 --> 00:45:31,009 After weeks, some weeks later, after 1233 00:45:31,010 --> 00:45:33,439 my work, the Positive Technologies 1234 00:45:33,440 --> 00:45:36,169 researchers shared the discovery 1235 00:45:36,170 --> 00:45:38,329 of a method able to disable 1236 00:45:38,330 --> 00:45:39,409 Intel ME. 1237 00:45:39,410 --> 00:45:41,719 So they confirmed my work. 1238 00:45:41,720 --> 00:45:44,149 And they found a nice bonus, 1239 00:45:44,150 --> 00:45:46,309 let's say, which was 1240 00:45:46,310 --> 00:45:48,919 that Intel ME generation three, 1241 00:45:48,920 --> 00:45:51,289 so starting from Intel ME eleven, 1242 00:45:51,290 --> 00:45:54,199 which is Skylake, has a kill switch, 1243 00:45:54,200 --> 00:45:55,629 which is the HAP bit. 1244 00:45:57,950 --> 00:46:00,139 If you want to learn more about 1245 00:46:00,140 --> 00:46:02,239 the HAP bit, I suggest you to 1246 00:46:02,240 --> 00:46:04,099 read the blog post here. 1247 00:46:04,100 --> 00:46:06,199 I just tell you that 1248 00:46:06,200 --> 00:46:08,449 it's a bit. You set this bit to one 1249 00:46:08,450 --> 00:46:10,809 and Intel ME turns off just after 1250 00:46:10,810 --> 00:46:13,769 the system initialization, 1251 00:46:13,770 --> 00:46:15,579 just after the run of the 1252 00:46:15,580 --> 00:46:16,580 BUP module.
1253 00:46:18,280 --> 00:46:20,389 Igor Skochinsky, moreover, found 1254 00:46:20,390 --> 00:46:22,939 a different bit, the AltMeDisable 1255 00:46:22,940 --> 00:46:25,099 bit, which, with 1256 00:46:25,100 --> 00:46:27,739 which should achieve the same result, 1257 00:46:27,740 --> 00:46:28,909 but on generation two. 1258 00:46:28,910 --> 00:46:31,489 So we have two different bits, 1259 00:46:31,490 --> 00:46:33,919 one on generation two and one on generation 1260 00:46:33,920 --> 00:46:36,079 three, that are able to 1261 00:46:36,080 --> 00:46:38,389 disable our Intel ME without trying 1262 00:46:38,390 --> 00:46:39,469 to modify the code. 1263 00:46:42,700 --> 00:46:44,859 So the final result is 1264 00:46:44,860 --> 00:46:47,199 that a combination 1265 00:46:47,200 --> 00:46:49,279 of the HAP bit 1266 00:46:49,280 --> 00:46:51,379 and the AltMeDisable 1267 00:46:51,380 --> 00:46:53,729 bit, 1268 00:46:53,730 --> 00:46:55,689 plus the code removal, is able to 1269 00:46:55,690 --> 00:46:57,909 completely turn off 1270 00:46:57,910 --> 00:47:00,079 Intel ME just after the hardware 1271 00:47:00,080 --> 00:47:02,349 initialization. 1272 00:47:02,350 --> 00:47:04,509 Moreover, adding these two 1273 00:47:04,510 --> 00:47:05,649 bits, 1274 00:47:05,650 --> 00:47:07,509 forcing Intel ME to turn off 1275 00:47:07,510 --> 00:47:09,819 and to report this status 1276 00:47:09,820 --> 00:47:12,129 to the system, it seems that it is 1277 00:47:12,130 --> 00:47:14,599 better supported by commercial 1278 00:47:14,600 --> 00:47:15,999 BIOS implementations. 1279 00:47:18,810 --> 00:47:20,939 Moreover, to check the status of Intel 1280 00:47:20,940 --> 00:47:23,279 ME, I use the intelmetool 1281 00:47:23,280 --> 00:47:25,619 from the coreboot project 1282 00:47:25,620 --> 00:47:27,689 to retrieve the status 1283 00:47:27,690 --> 00:47:29,309 of Intel ME.
1284 00:47:29,310 --> 00:47:31,409 So here you can see its output 1285 00:47:31,410 --> 00:47:33,239 with the firmware 1286 00:47:33,240 --> 00:47:34,549 on my ThinkPad 1287 00:47:34,550 --> 00:47:36,629 X220 with only the code 1288 00:47:36,630 --> 00:47:37,529 removal. 1289 00:47:37,530 --> 00:47:39,569 So for example, you can see the error 1290 00:47:39,570 --> 00:47:42,239 code, which is image failure. 1291 00:47:42,240 --> 00:47:44,459 So it tried to load a module, but 1292 00:47:44,460 --> 00:47:46,569 that module hadn't a 1293 00:47:46,570 --> 00:47:48,509 valid hash. 1294 00:47:48,510 --> 00:47:51,149 And you can see that the firmware 1295 00:47:51,150 --> 00:47:53,639 init complete has not been 1296 00:47:53,640 --> 00:47:54,640 completed. 1297 00:47:55,230 --> 00:47:57,289 And the current progress phase 1298 00:47:57,290 --> 00:47:59,069 is the BUP phase. 1299 00:47:59,070 --> 00:48:01,239 Intel ME is stuck trying to load the 1300 00:48:01,240 --> 00:48:03,509 kernel, but it can't load the kernel 1301 00:48:03,510 --> 00:48:05,609 because the kernel is not correctly 1302 00:48:05,610 --> 00:48:06,610 hashed. 1303 00:48:08,100 --> 00:48:10,499 With the addition of the AltMeDisable 1304 00:48:10,500 --> 00:48:12,629 bit, you can see that 1305 00:48:12,630 --> 00:48:14,279 the status of the Intel ME has 1306 00:48:14,280 --> 00:48:15,269 changed. 1307 00:48:15,270 --> 00:48:17,779 And now the progress phase is 1308 00:48:17,780 --> 00:48:20,219 disabled. Two different states, 1309 00:48:20,220 --> 00:48:21,750 but the result is the same. 1310 00:48:23,620 --> 00:48:25,749 Moreover, thanks to the testing 1311 00:48:25,750 --> 00:48:27,160 performed by the community, 1312 00:48:28,420 --> 00:48:30,969 I found out that me_cleaner is not 1313 00:48:30,970 --> 00:48:33,339 limited to my PC, but works 1314 00:48:33,340 --> 00:48:35,669 on PCs from Nehalem 1315 00:48:35,670 --> 00:48:37,989 to Coffee Lake.
So the current 1316 00:48:37,990 --> 00:48:40,179 line of Intel products 1317 00:48:40,180 --> 00:48:41,800 is covered by me_cleaner. 1318 00:48:52,590 --> 00:48:54,569 As you can see, the firmware size, 1319 00:48:54,570 --> 00:48:56,280 if you want to retrieve the space, 1320 00:48:57,330 --> 00:48:58,559 is greatly reduced. 1321 00:48:58,560 --> 00:49:00,769 So we go from 1.5 megabytes 1322 00:49:00,770 --> 00:49:04,029 or 5 megabytes, depending on the 1323 00:49:04,030 --> 00:49:06,509 Intel ME firmware, to 84 kilobytes 1324 00:49:06,510 --> 00:49:08,639 for generation two, and from two 1325 00:49:08,640 --> 00:49:11,219 megabytes or six, sorry, 1326 00:49:11,220 --> 00:49:13,529 six megabytes for generation three 1327 00:49:13,530 --> 00:49:15,420 to 330 kilobytes, 1328 00:49:16,890 --> 00:49:19,049 meaning, let's say, unwanted features 1329 00:49:19,050 --> 00:49:20,549 are now gone. 1330 00:49:20,550 --> 00:49:22,079 So on generation two. 1331 00:49:22,080 --> 00:49:23,039 On generation two, 1332 00:49:23,040 --> 00:49:24,570 there is no kernel running anymore. 1333 00:49:25,980 --> 00:49:28,189 We lose the NFTP, 1334 00:49:28,190 --> 00:49:30,269 so no more network stack 1335 00:49:30,270 --> 00:49:33,259 or AMT for Intel ME. 1336 00:49:33,260 --> 00:49:35,459 The Dynamic Application Loader is gone. 1337 00:49:35,460 --> 00:49:37,589 And the Platform Trust Technology, which 1338 00:49:37,590 --> 00:49:39,510 is the firmware TPM, is gone. 1339 00:49:40,580 --> 00:49:41,729 Okay. 1340 00:49:41,730 --> 00:49:43,739 Something bad that can happen sometimes. 1341 00:49:43,740 --> 00:49:44,969 So on 1342 00:49:44,970 --> 00:49:47,129 many PCs, and these depend 1343 00:49:47,130 --> 00:49:48,109 solely on the 1344 00:49:48,110 --> 00:49:50,219 firmware implementation of your PC, 1345 00:49:51,270 --> 00:49:53,759 you can have a brick, so that it doesn't 1346 00:49:53,760 --> 00:49:54,839 turn on at all.
1347 00:49:54,840 --> 00:49:57,509 Or you can have a slight 1348 00:49:57,510 --> 00:49:59,939 boot delay. So some seconds before 1349 00:49:59,940 --> 00:50:02,279 the screen turns on. 1350 00:50:02,280 --> 00:50:04,559 On some BIOSes with dual 1351 00:50:04,560 --> 00:50:05,999 BIOS feature, 1352 00:50:06,000 --> 00:50:07,949 there is an automatic rollback of the me_cleaner 1353 00:50:07,950 --> 00:50:09,189 modifications. 1354 00:50:09,190 --> 00:50:11,039 So you flash me_cleaner, 1355 00:50:11,040 --> 00:50:13,299 you turn on the PC and you find that 1356 00:50:13,300 --> 00:50:15,359 the ME firmware inside 1357 00:50:15,360 --> 00:50:18,419 your SPI flash has been 1358 00:50:18,420 --> 00:50:20,519 downgraded to the previous version. 1359 00:50:20,520 --> 00:50:23,219 And sometimes you can also see these 1360 00:50:23,220 --> 00:50:24,299 warning messages. 1361 00:50:24,300 --> 00:50:26,639 So, careful, your 1362 00:50:26,640 --> 00:50:28,459 Intel ME firmware is damaged. 1363 00:50:28,460 --> 00:50:29,460 Press a key to continue. 1364 00:50:33,570 --> 00:50:35,969 Some features that someone can 1365 00:50:35,970 --> 00:50:37,319 like are now gone. 1366 00:50:37,320 --> 00:50:39,179 So, first of all, you can't have 1367 00:50:39,180 --> 00:50:41,489 overclocking with this kind 1368 00:50:41,490 --> 00:50:44,399 of removal, because the ICC partition, 1369 00:50:44,400 --> 00:50:47,099 which was one of the 1370 00:50:47,100 --> 00:50:49,199 modules removed by me_cleaner, is 1371 00:50:49,200 --> 00:50:50,969 now gone. Then you don't have, 1372 00:50:50,970 --> 00:50:53,069 obviously, Intel AMT 1373 00:50:53,070 --> 00:50:54,029 anymore. 1374 00:50:54,030 --> 00:50:56,279 You don't have the Intel PAVP, 1375 00:50:56,280 --> 00:50:58,619 which is the Protected Audio Video Path, 1376 00:50:58,620 --> 00:51:01,439 anymore.
So some kinds of DRM 1377 00:51:01,440 --> 00:51:03,629 may be broken now, and 1378 00:51:03,630 --> 00:51:05,909 some parts of Intel SGX are gone. 1379 00:51:05,910 --> 00:51:07,170 Plus other stuff. 1380 00:51:09,840 --> 00:51:12,269 Now you may say, OK, this is good, but 1381 00:51:12,270 --> 00:51:13,949 I want to see some proof. 1382 00:51:13,950 --> 00:51:15,239 Well, first proof. 1383 00:51:15,240 --> 00:51:16,739 You're seeing these slides. 1384 00:51:16,740 --> 00:51:19,119 They are... this machine doesn't have 1385 00:51:19,120 --> 00:51:21,569 Intel ME, the full Intel ME, 1386 00:51:21,570 --> 00:51:22,649 anymore. 1387 00:51:22,650 --> 00:51:23,969 Let's see, however, a demo. 1388 00:51:23,970 --> 00:51:24,970 So we have. 1389 00:51:26,010 --> 00:51:27,839 Initially, the ME image, 1390 00:51:27,840 --> 00:51:30,779 which is, as you can see, five megabytes. 1391 00:51:30,780 --> 00:51:32,170 Let's run me_cleaner on it. 1392 00:51:33,480 --> 00:51:34,480 Here it is. 1393 00:51:36,900 --> 00:51:37,900 Good luck. 1394 00:51:38,730 --> 00:51:40,379 And you can see that now the modified 1395 00:51:40,380 --> 00:51:43,589 image, the new image, is only 84 kilobytes. 1396 00:51:43,590 --> 00:51:45,029 Let's see the difference between these 1397 00:51:45,030 --> 00:51:47,219 two. You can see that the original ME 1398 00:51:47,220 --> 00:51:49,489 image has 1399 00:51:49,490 --> 00:51:51,449 pretty many partitions. 1400 00:51:51,450 --> 00:51:53,529 The modified has only one, the 1401 00:51:53,530 --> 00:51:55,139 FTPR. 1402 00:51:55,140 --> 00:51:57,659 So let's dump the 1403 00:51:57,660 --> 00:52:00,089 current running firmware on my PC. 1404 00:52:00,090 --> 00:52:02,519 You can see these reassuring messages 1405 00:52:02,520 --> 00:52:04,529 from flashrom. 1406 00:52:04,530 --> 00:52:05,489 Ignore them. 1407 00:52:05,490 --> 00:52:06,490 Everything is safe.
1408 00:52:08,870 --> 00:52:11,059 Let's extract the Intel 1409 00:52:11,060 --> 00:52:12,999 ME firmware from the dump. 1410 00:52:13,000 --> 00:52:15,169 Okay, with ifdtool, you 1411 00:52:15,170 --> 00:52:17,539 can see there, you can see flash region 1412 00:52:17,540 --> 00:52:19,709 two, Intel ME dot bin, which is 1413 00:52:19,710 --> 00:52:21,649 eighty-four kilobytes. 1414 00:52:21,650 --> 00:52:23,749 Let's go. Let's compare it with 1415 00:52:23,750 --> 00:52:25,160 my modified image. 1416 00:52:26,890 --> 00:52:28,659 You can see it's the same, so I'm running 1417 00:52:28,660 --> 00:52:30,669 my modified image on my PC. 1418 00:52:32,050 --> 00:52:34,599 Let's now see the current status 1419 00:52:34,600 --> 00:52:36,429 of Intel ME with intelmetool. 1420 00:52:38,970 --> 00:52:42,089 So as you can see, the firmware init 1421 00:52:42,090 --> 00:52:44,159 hasn't completed, it's 1422 00:52:44,160 --> 00:52:45,929 stuck in the initialization. 1423 00:52:45,930 --> 00:52:48,209 And as you can see in the progress 1424 00:52:48,210 --> 00:52:50,339 phase state, Intel ME has been 1425 00:52:50,340 --> 00:52:51,629 disabled. 1426 00:52:51,630 --> 00:52:54,239 Moreover, note that the response 1427 00:52:54,240 --> 00:52:56,759 from Intel ME is not complete. 1428 00:52:56,760 --> 00:52:59,039 As, for example, Intel ME cannot 1429 00:52:59,040 --> 00:53:01,319 give you its current capabilities 1430 00:53:01,320 --> 00:53:03,029 because that part of the ME is 1431 00:53:03,030 --> 00:53:04,030 now gone. 1432 00:53:06,750 --> 00:53:08,129 So what can you do? 1433 00:53:08,130 --> 00:53:10,409 Well, you can try me_cleaner 1434 00:53:10,410 --> 00:53:12,659 on your system, however, 1435 00:53:12,660 --> 00:53:14,759 be careful because 1436 00:53:14,760 --> 00:53:17,429 it's dangerous.
1437 00:53:17,430 --> 00:53:19,829 So you may want to have a very 1438 00:53:19,830 --> 00:53:21,999 clever way to restore your 1439 00:53:22,000 --> 00:53:23,000 PC. 1440 00:53:23,670 --> 00:53:26,549 If it works, well; if it doesn't work, 1441 00:53:26,550 --> 00:53:28,619 not well. But please report both 1442 00:53:28,620 --> 00:53:29,620 of them. 1443 00:53:30,620 --> 00:53:32,789 And, well, I also, I 1444 00:53:32,790 --> 00:53:35,039 would also like to thank all these 1445 00:53:35,040 --> 00:53:37,529 people that directly 1446 00:53:37,530 --> 00:53:39,869 or indirectly helped me 1447 00:53:39,870 --> 00:53:40,999 in this research. 1448 00:53:44,770 --> 00:53:47,049 And that's 1449 00:53:47,050 --> 00:53:48,050 all. 1450 00:53:55,900 --> 00:53:58,749 You can check on my GitHub, I have some, 1451 00:53:58,750 --> 00:54:00,969 some tools for working with ME, 1452 00:54:00,970 --> 00:54:02,049 for extracting images. 1453 00:54:02,050 --> 00:54:03,029 If you're interested in reverse 1454 00:54:03,030 --> 00:54:04,179 engineering ME, 1455 00:54:04,180 --> 00:54:05,180 I have some stuff. 1456 00:54:06,430 --> 00:54:08,589 So you can dump the images and extract 1457 00:54:08,590 --> 00:54:11,049 modules and disassemble them 1458 00:54:11,050 --> 00:54:12,050 in IDA. 1459 00:54:13,350 --> 00:54:15,639 I'm populating now a wiki so that 1460 00:54:15,640 --> 00:54:17,349 we will have more information about the 1461 00:54:17,350 --> 00:54:18,449 internal structure of ME. 1462 00:54:18,450 --> 00:54:20,819 And so we can make more sense of 1463 00:54:20,820 --> 00:54:21,729 the assembly. 1464 00:54:21,730 --> 00:54:23,959 Hopefully that will help people to 1465 00:54:23,960 --> 00:54:26,259 investigate more about 1466 00:54:26,260 --> 00:54:28,359 how it works and discover other things 1467 00:54:28,360 --> 00:54:29,360 about it. 1468 00:54:30,580 --> 00:54:32,649 And I guess we 1469 00:54:32,650 --> 00:54:34,059 can take some questions.
1470 00:54:37,690 --> 00:54:39,219 Thank you, Igor. Thank you, Nicola. 1471 00:54:48,000 --> 00:54:49,379 If you would like to ask a question, 1472 00:54:49,380 --> 00:54:50,969 please line up at the microphones 1473 00:54:53,700 --> 00:54:55,769 in the aisles. You just want to close 1474 00:54:55,770 --> 00:54:56,759 this one. 1475 00:54:56,760 --> 00:54:57,779 If you would like to leave, 1476 00:54:57,780 --> 00:54:59,729 please leave to my left, your right-hand 1477 00:54:59,730 --> 00:55:00,629 side only. 1478 00:55:00,630 --> 00:55:01,630 Thank you. 1479 00:55:02,190 --> 00:55:03,929 Is there a request from the IRC? 1480 00:55:09,850 --> 00:55:10,850 Currently not. 1481 00:55:11,640 --> 00:55:12,259 All right. 1482 00:55:12,260 --> 00:55:14,909 So microphone number one, your question. 1483 00:55:14,910 --> 00:55:17,349 Can the Intel ME access memory-mapped 1484 00:55:17,350 --> 00:55:18,440 I/O, 1485 00:55:19,540 --> 00:55:20,859 you know, MMIO, or... 1486 00:55:23,040 --> 00:55:24,269 I'm not sure I've seen. 1487 00:55:24,270 --> 00:55:26,429 Probably not, because it 1488 00:55:26,430 --> 00:55:27,809 uses DMA. 1489 00:55:27,810 --> 00:55:30,439 And I don't, I don't think MMIO works 1490 00:55:30,440 --> 00:55:32,399 over DMA. 1491 00:55:32,400 --> 00:55:35,269 But of course I don't have 1492 00:55:35,270 --> 00:55:37,989 currently access to the inside of the ME. 1493 00:55:37,990 --> 00:55:39,779 But you can ask Maxim, maybe he can try 1494 00:55:39,780 --> 00:55:40,780 and see if it works. 1495 00:55:42,180 --> 00:55:43,840 He has JTAG on the ME, 1496 00:55:45,570 --> 00:55:47,639 but as far as I can tell, probably not. 1497 00:55:50,200 --> 00:55:51,400 Hope that answers the question. 1498 00:55:52,760 --> 00:55:55,389 OK. Microphone number four, your question. 1499 00:55:55,390 --> 00:55:56,859 Yes.
1500 00:55:56,860 --> 00:55:58,569 In your presentation, you mentioned the 1501 00:55:58,570 --> 00:56:00,819 words "bricked the laptop" quite a number 1502 00:56:00,820 --> 00:56:02,229 of times. 1503 00:56:02,230 --> 00:56:04,509 If one actually has access 1504 00:56:04,510 --> 00:56:06,609 to an external programmer to reprogram the BIOS, 1505 00:56:06,610 --> 00:56:07,629 how safe is this? 1506 00:56:07,630 --> 00:56:09,349 Can you always reprogram it, 1507 00:56:09,350 --> 00:56:11,049 and then that thing can recover and get 1508 00:56:11,050 --> 00:56:12,969 everything back to the way it was? 1509 00:56:12,970 --> 00:56:15,069 Or can you actually really damage your 1510 00:56:15,070 --> 00:56:17,039 laptop beyond repair? 1511 00:56:17,040 --> 00:56:18,040 Okay. 1512 00:56:19,030 --> 00:56:21,519 First of all, no laptop has been 1513 00:56:21,520 --> 00:56:22,520 hurt during this 1514 00:56:24,230 --> 00:56:26,189 research, during this research. 1515 00:56:31,630 --> 00:56:33,249 I have here my laptop. 1516 00:56:33,250 --> 00:56:35,469 I bricked it something like 1517 00:56:35,470 --> 00:56:37,659 forty or forty-five times, 1518 00:56:37,660 --> 00:56:38,919 something like that. 1519 00:56:38,920 --> 00:56:40,029 And it's still working. 1520 00:56:40,030 --> 00:56:42,009 So that's the partial answer to your 1521 00:56:42,010 --> 00:56:43,309 question. 1522 00:56:43,310 --> 00:56:45,939 Yes. If you have access to, access 1523 00:56:45,940 --> 00:56:47,979 to an external programmer, 1524 00:56:47,980 --> 00:56:49,929 and you have a valid dump, you can 1525 00:56:49,930 --> 00:56:52,419 always roll back the modifications.
1526 00:56:52,420 --> 00:56:54,459 And that's why, if you go on my GitHub 1527 00:56:54,460 --> 00:56:56,619 page, you'll see that I 1528 00:56:56,620 --> 00:56:58,419 always recommend using an external 1529 00:56:58,420 --> 00:57:00,489 programmer, because once you have a valid 1530 00:57:00,490 --> 00:57:03,009 dump, so you, you should be really careful 1531 00:57:03,010 --> 00:57:04,899 while doing it your first time, but you're 1532 00:57:04,900 --> 00:57:06,339 always safe. 1533 00:57:06,340 --> 00:57:08,049 For example, I've physically 1534 00:57:08,050 --> 00:57:10,329 broken an 1535 00:57:10,330 --> 00:57:11,829 SPI chip. 1536 00:57:11,830 --> 00:57:12,789 I removed it. 1537 00:57:12,790 --> 00:57:14,559 I soldered another one. 1538 00:57:14,560 --> 00:57:16,539 And I flashed back the firmware. 1539 00:57:16,540 --> 00:57:18,079 And it's still working. 1540 00:57:18,080 --> 00:57:20,249 So if you have an external 1541 00:57:20,250 --> 00:57:22,239 programmer, you should be always safe. 1542 00:57:25,140 --> 00:57:26,710 Microphone number four, your question. 1543 00:57:28,270 --> 00:57:29,349 Hi. Hi. 1544 00:57:29,350 --> 00:57:30,159 Great talk. 1545 00:57:30,160 --> 00:57:31,549 First of all, thank you. 1546 00:57:31,550 --> 00:57:32,769 Small question. 1547 00:57:34,240 --> 00:57:36,559 Does the removal of the Intel ME 1548 00:57:36,560 --> 00:57:38,679 reduce the power consumption 1549 00:57:38,680 --> 00:57:40,899 of the whole PC as well? 1550 00:57:40,900 --> 00:57:42,549 A little bit, maybe, because of the 1551 00:57:42,550 --> 00:57:44,949 reduced byte size? 1552 00:57:46,600 --> 00:57:48,729 I think so. But because you 1553 00:57:48,730 --> 00:57:50,710 don't have Intel ME running anymore.
1554 00:57:51,760 --> 00:57:54,189 But the point is that Intel 1555 00:57:54,190 --> 00:57:56,309 designed the Intel 1556 00:57:56,310 --> 00:57:59,169 ME in such a way that 1557 00:57:59,170 --> 00:58:01,659 its impact on the power consumption 1558 00:58:01,660 --> 00:58:03,579 was minimal. 1559 00:58:03,580 --> 00:58:06,159 So I think that the removal of its firmware 1560 00:58:06,160 --> 00:58:08,329 shouldn't change much the situation of 1561 00:58:08,330 --> 00:58:09,789 your PC. 1562 00:58:09,790 --> 00:58:11,579 Yes. On the other hand, I think that 1563 00:58:11,580 --> 00:58:13,549 since the clock control module is 1564 00:58:13,550 --> 00:58:15,789 removed, you may lose some clock 1565 00:58:15,790 --> 00:58:18,009 control. So, for example, the reducing 1566 00:58:18,010 --> 00:58:20,099 of the processor speed 1567 00:58:20,100 --> 00:58:21,909 that is sometimes used to reduce the 1568 00:58:21,910 --> 00:58:23,349 power may be gone. 1569 00:58:23,350 --> 00:58:25,239 So it may actually consume more power. 1570 00:58:25,240 --> 00:58:27,369 But I don't think anyone has 1571 00:58:27,370 --> 00:58:29,409 actually measured it. So it's an open 1572 00:58:29,410 --> 00:58:30,849 question for now. 1573 00:58:30,850 --> 00:58:32,799 And I guess it depends on the 1574 00:58:32,800 --> 00:58:34,289 board, on the actual firmware, on how it 1575 00:58:34,290 --> 00:58:35,290 gets configured and so on. 1576 00:58:36,670 --> 00:58:37,670 OK. Thank you. 1577 00:58:39,100 --> 00:58:40,209 Microphone number five. 1578 00:58:40,210 --> 00:58:41,210 What's your question? 1579 00:58:42,250 --> 00:58:45,219 Are you guys in contact with 1580 00:58:45,220 --> 00:58:46,569 the company?
1581 00:58:46,570 --> 00:58:48,789 With Intel, I mean. You could 1582 00:58:48,790 --> 00:58:50,949 tell them to make sure that 1583 00:58:50,950 --> 00:58:53,259 in future, on version four or something, 1584 00:58:53,260 --> 00:58:55,419 they do not start signing all 1585 00:58:55,420 --> 00:58:57,369 this stuff, because it would make these 1586 00:58:57,370 --> 00:58:58,929 fixes or cleanings impossible. 1587 00:59:00,670 --> 00:59:02,319 Sorry, I didn't quite get it. 1588 00:59:02,320 --> 00:59:03,909 Do you want them to start signing or stop 1589 00:59:03,910 --> 00:59:04,739 signing? 1590 00:59:04,740 --> 00:59:05,769 No, stop signing. 1591 00:59:05,770 --> 00:59:06,789 Stop signing, anyway. 1592 00:59:06,790 --> 00:59:09,189 I mean, in your talk, you mentioned that 1593 00:59:09,190 --> 00:59:11,469 certain parts were luckily not signed, 1594 00:59:11,470 --> 00:59:13,569 but... no, 1595 00:59:13,570 --> 00:59:16,359 I said they're not encrypted, for now. 1596 00:59:16,360 --> 00:59:17,469 Yes. 1597 00:59:17,470 --> 00:59:19,599 Well, they did start encrypting one 1598 00:59:19,600 --> 00:59:21,129 module for now, as they started encrypting 1599 00:59:21,130 --> 00:59:23,079 that DADT. 1600 00:59:23,080 --> 00:59:24,579 And some people theorize on Twitter that 1601 00:59:24,580 --> 00:59:26,139 it's related to some contract with 1602 00:59:26,140 --> 00:59:27,459 Netflix. 1603 00:59:27,460 --> 00:59:28,899 So basically, they want to hide some 1604 00:59:28,900 --> 00:59:31,089 DRM keys or whatever, 1605 00:59:31,090 --> 00:59:33,219 but the rest of the firmware is still 1606 00:59:33,220 --> 00:59:35,589 open, so you can still extract 1607 00:59:35,590 --> 00:59:36,590 it and disassemble it. 1608 00:59:37,690 --> 00:59:39,909 So I don't think there was a plan to 1609 00:59:39,910 --> 00:59:41,919 start encrypting the rest. 1610 00:59:41,920 --> 00:59:43,569 It doesn't really make sense.
1611 00:59:43,570 --> 00:59:45,609 There are certain... although I think it 1612 00:59:45,610 --> 00:59:47,709 does not rely 1613 00:59:47,710 --> 00:59:49,599 on the protection. 1614 00:59:49,600 --> 00:59:51,069 I think it's just contractual obligations 1615 00:59:51,070 --> 00:59:53,079 that they have to keep that part, just 1616 00:59:53,080 --> 00:59:54,080 because of DRM. 1617 00:59:56,530 --> 00:59:58,839 So I think that it will stay unencrypted 1618 00:59:58,840 --> 01:00:00,489 for the foreseeable future. 1619 01:00:03,320 --> 01:00:04,570 Microphone number two, your question. 1620 01:00:05,870 --> 01:00:08,049 In the slides 1621 01:00:08,050 --> 01:00:10,129 earlier, you have a 1622 01:00:10,130 --> 01:00:12,579 red area in your memory map. 1623 01:00:12,580 --> 01:00:14,739 The ME's memory is 1624 01:00:14,740 --> 01:00:17,079 just part of the main 1625 01:00:17,080 --> 01:00:19,389 computer's RAM. 1626 01:00:19,390 --> 01:00:21,249 How is this reserved? 1627 01:00:21,250 --> 01:00:24,559 How does the ME make sure... 1628 01:00:24,560 --> 01:00:26,519 Okay. You mean how it's isolated? 1629 01:00:26,520 --> 01:00:27,209 Yes. So. 1630 01:00:27,210 --> 01:00:29,739 So this is called UMA, Unified 1631 01:00:29,740 --> 01:00:30,939 Memory Architecture. 1632 01:00:30,940 --> 01:00:32,979 Not sure why that's the name, but this 1633 01:00:32,980 --> 01:00:35,079 works in a way similar to 1634 01:00:35,080 --> 01:00:37,329 how some graphics adapters work. 1635 01:00:37,330 --> 01:00:39,389 So it takes a part of the DRAM 1636 01:00:39,390 --> 01:00:41,169 of the computer and reserves it for the 1637 01:00:41,170 --> 01:00:43,389 use of the graphical 1638 01:00:43,390 --> 01:00:44,919 device, or for the ME. 1639 01:00:44,920 --> 01:00:46,809 And this is enforced by the chipset. 1640 01:00:46,810 --> 01:00:48,399 So the host processor cannot access 1641 01:00:48,400 --> 01:00:49,400 it. 1642 01:00:50,460 --> 01:00:52,649 So, yeah, it's like 1643 01:00:52,650 --> 01:00:55,109 that.
There's also... the BIOS has to 1644 01:00:55,110 --> 01:00:57,289 configure it properly to allocate 1645 01:00:57,290 --> 01:00:59,559 this memory and lock the registers, 1646 01:00:59,560 --> 01:01:00,509 and if the BIOS doesn't, 1647 01:01:00,510 --> 01:01:01,589 does not lock the registers, 1648 01:01:01,590 --> 01:01:03,029 then you can have access to the memory, in 1649 01:01:03,030 --> 01:01:04,030 theory. 1650 01:01:05,010 --> 01:01:07,779 And that was kind of 1651 01:01:07,780 --> 01:01:09,959 the attack in 2009 where they broke 1652 01:01:09,960 --> 01:01:10,960 the ME the first time. 1653 01:01:12,060 --> 01:01:12,989 What was the question? 1654 01:01:12,990 --> 01:01:14,039 It's enforced by the chipset. 1655 01:01:14,040 --> 01:01:16,289 So once the register 1656 01:01:16,290 --> 01:01:18,479 is configured properly, you cannot access 1657 01:01:18,480 --> 01:01:19,760 that memory from the main CPU. 1658 01:01:20,940 --> 01:01:22,589 But in theory, you could access 1659 01:01:22,590 --> 01:01:24,389 it, for example, by using a hardware 1660 01:01:24,390 --> 01:01:26,849 attack, so just by accessing the 1661 01:01:26,850 --> 01:01:27,949 lines on the RAM. 1662 01:01:29,010 --> 01:01:30,719 However, it will not be enough. 1663 01:01:30,720 --> 01:01:32,909 As I mentioned, they added an integrity 1664 01:01:32,910 --> 01:01:34,979 check. So once it gets 1665 01:01:34,980 --> 01:01:37,379 back the memory into its own RAM, 1666 01:01:37,380 --> 01:01:39,449 it checks if it has 1667 01:01:39,450 --> 01:01:41,129 been modified. In that case, it shuts 1668 01:01:41,130 --> 01:01:43,440 down the computer. 1669 01:01:44,560 --> 01:01:45,639 So there is protection against 1670 01:01:45,640 --> 01:01:46,640 modification. 1671 01:01:47,640 --> 01:01:48,640 Thank you. 1672 01:01:49,660 --> 01:01:50,879 I would happily ask more questions, but 1673 01:01:50,880 --> 01:01:52,979 obviously your time's up for this talk.
1674 01:01:52,980 --> 01:01:54,719 Can people still find you for further 1675 01:01:54,720 --> 01:01:56,939 questions at the conference? 1676 01:01:56,940 --> 01:01:57,940 I mean... 1677 01:01:58,340 --> 01:01:59,359 Okay. 1678 01:01:59,360 --> 01:02:00,569 Yeah. Again. 1679 01:02:00,570 --> 01:02:01,949 Yeah. If you have other questions, we can 1680 01:02:01,950 --> 01:02:04,059 take a look 1681 01:02:04,060 --> 01:02:05,459 on the floor. 1682 01:02:05,460 --> 01:02:06,460 Thank you. 1683 01:02:06,840 --> 01:02:07,840 Thank you.