
How many published opinions are no longer held?
Tags: [X200] [Intel ME] [security]
Published: 10 Oct 2018 20:34

Neil deGrasse Tyson recently gave his opinion on tattoos when he was on the Joe Rogan Experience podcast:

There’s nothing I value in my mind, body, and soul so much in this moment, that I want to indelibly etch it on my skin. I want to leave room for me to have a possibly more enlightening thought later.

I’ve always committed to making the things that I post here “write-only” in a sense - I won’t edit previous posts except to correct errors. This means that each post (if it’s an opinion) becomes a snapshot of what I was thinking at the time.

Another reason is if a post is linked somewhere, I don’t want that to not make sense in that context anymore because I changed it. Blog posts are supposed to be for sharing with the web, and I think that kind of linking only makes sense if the content is static.

I only recently realized the bigger picture: my current opinions may differ from what was posted previously. Some of what I believe is going to change as time progresses and I (hopefully) grow. It becomes interesting to think about publicly challenging a previously held (and posted) opinion as arguing with my past self. If my beliefs did change, that process was private with respect to this blog. My private state will have deviated from the public state. By posting follow-ups and changes, I argue with my past self.

Another interesting aspect of this is how a previously held opinion may have become part of my identity, and by arguing with my past self I’m attacking my own identity. Will that affect how I think? How I change? Will I be less likely to change beliefs if I publicly posted them?

What about the sum total of published opinions? As time goes on, the probability that some of those opinions are still held might tend to zero. For what percentage is this true? Are some opinions more likely to change as time goes on? For some opinions, the opposite might also be true: people may double down on opinions as time goes on. It’s false to think that all growth manifests as your opinions changing.

revisiting my position

Why was I thinking about this? Two reasons.

First, my choice of main workstation has changed over the years:

Each choice reflects my opinions at the time, and what I chose to value in a workstation: roughly speaking, it was performance, then cost (x2), then performance, then security. For each change the reason made sense at the time.

Second, about a month ago I started questioning my choice to use the X200. My reasons for choosing it were security focused, but I started thinking: am I being too paranoid? I can deal with the negative aspects of this machine but is the trade-off worth it? Is there a tangible security benefit? What’s the probability that my choice of an X200 for its security will have actually stopped an attack?

What about all of the other ways to compromise my data? A dedicated attacker won’t necessarily attack the best defended part, they will look for the weakest part of the ecosystem and attack accordingly. Does this invalidate my choice of the X200?

A month ago, I didn’t have good answers to these questions.

doubling-down

There have been two new attacks recently: one related to a BIOS/UEFI rootkit, and one related to the Intel ME.

The first is LoJax, allegedly the first UEFI rootkit to appear in the wild:

Our investigation has determined that this malicious actor was successful at least once in writing a malicious UEFI module into a system’s SPI flash memory. This module is able to drop and execute malware on disk during the boot process.

On systems that were targeted by the LoJax campaign, we found various tools that are able to access and patch UEFI/BIOS settings. All used a kernel driver, RwDrv.sys, to access the UEFI/BIOS settings.

The third tool’s purpose is to add a malicious UEFI module to the firmware image and write it back to the SPI flash memory, effectively installing the UEFI rootkit on the system. This patching tool uses different techniques either to abuse misconfigured platforms or to bypass platform SPI flash memory write protections.

The second is related to a previously unknown Intel ME Manufacturing Mode:

In this article, we will describe how undocumented commands (although “undocumented” applies to practically everything about Intel ME) enable overwriting SPI flash memory and implementing the doomsday scenario: local exploitation of an ME vulnerability (INTEL-SA-00086)

This is exactly what prompted me to use the liberated X200: a local exploit of the ME (without physical access) is the so-called doomsday scenario I referenced in the previous post.

However, the impact of this is very limited. It was a mistake for the Manufacturing Mode to be enabled.

Should these attacks justify my choice? I’m doubling down at this point. Installing exploits below the level of the OS seems to be on the radar of both current exploit writers and security researchers, both producing / discovering novel attacks.
