nemozone

a zone for no one and everyone :) Btw this blog is only for adults!

Wake-On-LAN (WOL) is a technology that allows one computer to remotely wake up another computer on a local area network (LAN). It requires the support of the computer's network card and motherboard. To configure WOL on Ubuntu 22.04, you will need to use the ethtool command to enable it.

First, find out where ethtool is installed and which network interface you are using, because the systemd unit created in the last step needs both: it runs /sbin/ethtool against enp2s0. Replace the enp2s0 value with the computer's network interface name. Next, install the ethtool package:

foc@ubuntu22:~$ sudo apt install ethtool -y

Then check if the network card supports wake-on-LAN using this command:

foc@ubuntu22:~$ sudo ethtool enp2s0

Settings for enp2s0:
...
Supports Wake-on: pumbg
Wake-on: d
Link detected: yes

The expression “Wake-on: d” indicates that the wake-on-LAN feature of the network card is supported but deactivated. To enable it, run the following command:

foc@ubuntu22:~$ sudo ethtool -s enp2s0 wol g

Checking the interface again with the same ethtool query as before now reports “Wake-on: g”:

Settings for enp2s0:
...
Supports Wake-on: pumbg
Wake-on: g
Link detected: yes

Some motherboard manufacturers require you to change the settings in the BIOS to enable this feature.

Finally, create a systemd service to enable WOL at startup:

foc@ubuntu22:~$ sudo --preserve-env systemctl edit --force --full wol-enable.service

[Unit]
Description=Enable Wake-up on LAN

[Service]
Type=oneshot
ExecStart=/sbin/ethtool -s enp2s0 wol g

[Install]
WantedBy=basic.target

After creating the service, reload and enable it:

foc@ubuntu22:~$ sudo systemctl daemon-reload
foc@ubuntu22:~$ sudo systemctl enable wol-enable.service
Created symlink /etc/systemd/system/basic.target.wants/wol-enable.service → /etc/systemd/system/wol-enable.service

Enabling Wake-on-Lan on Ubuntu 22.04 is relatively easy once you know the steps. First you need to find out which network interface you are using, then you need to install the ethtool package and use the command to check if your network card supports wake-on-Lan. Once it is confirmed, you need to run the command to enable WOL. Finally, create a systemd service to enable WOL at startup. After completing these steps, you should be able to use Wake-on-Lan on your Ubuntu 22.04 machine.
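To confirm after a reboot that the service really left the card in the intended state, the ethtool output can be checked mechanically; the script below is an added example, not part of the original post. The function name wol_state and its verdict names are made up for this example, and the sample text is constructed from the output shown above.

```bash
#!/bin/sh
# Added example: classify Wake-on-LAN state from `ethtool <iface>` output.
# Verdicts printed by wol_state (names are this example's own):
#   unsupported  - NIC reports no wake modes
#   disabled     - wake modes supported, none active (Wake-on: d)
#   magic        - only magic-packet wake is active (Wake-on: g)
#   other:<set>  - a different or broader set of wake modes is active
wol_state() {
    supports=""
    active=""
    # `read` with the default IFS strips the indentation ethtool prints;
    # the `|| [ -n ... ]` part keeps a final line that lacks a newline.
    while read -r line || [ -n "$line" ]; do
        case "$line" in
            "Supports Wake-on:"*) supports=${line#*: } ;;
            "Wake-on:"*)          active=${line#*: } ;;
        esac
    done
    if [ -z "$supports" ] || [ "$supports" = "d" ]; then
        echo "unsupported"
    elif [ -z "$active" ] || [ "$active" = "d" ]; then
        echo "disabled"
    elif [ "$active" = "g" ]; then
        echo "magic"
    else
        echo "other:$active"
    fi
}

# Constructed samples modelled on the ethtool output shown above.
SAMPLE_BEFORE='Settings for enp2s0:
        Supports Wake-on: pumbg
        Wake-on: d
        Link detected: yes'
SAMPLE_AFTER='Settings for enp2s0:
        Supports Wake-on: pumbg
        Wake-on: g
        Link detected: yes'

printf '%s\n' "$SAMPLE_BEFORE" | wol_state   # disabled
printf '%s\n' "$SAMPLE_AFTER"  | wol_state   # magic
# Live use (needs the real interface name): sudo ethtool enp2s0 | wol_state
```

A magic packet carries no authentication, so any host that can reach the LAN segment can wake the machine; an other:<set> verdict means the card also wakes on broader traffic than the g mode this guide configures.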


The Intel Management Engine (ME) is a component embedded within Intel CPUs which is separate from the main processor, BIOS and Operating System. It has been criticized for its security risk and possibility of being a backdoor for various groups, including the NSA.

In response to these claims, Intel has denied the existence of any backdoors and denied providing access to computing systems without the explicit permission of the end user. However, Intel does acknowledge that it sometimes explores the modification or disabling of certain features at the request of equipment manufacturers supporting their customer's evaluation of the US government's “High Assurance Platform” program.

To mitigate the Intel ME on their devices, the NSA has implemented a High Assurance Platform (HAP) disable bit. This was discovered by Positive Technologies experts, who confirmed the HAP disable bit with Intel. They have warned that this method might be dangerous as it was not thoroughly tested and could potentially damage or destroy a computer.

The Intel ME also has full access to memory and the TCP/IP stack, as well as being signed with an RSA 2048 key. It can send and receive network packets even if the OS is protected by a firewall, making it difficult to disable without compromising the boot-up process. Furthermore, the health of the ME firmware cannot be audited and no one outside of Intel has seen the code for the ME.

Despite Intel denying any malicious intent, many experts still believe that the ME is a backdoor and should be disabled. To learn more about the Intel ME and how to disable it, please refer to the references listed below.

Well this is uncool, but what about the HAP?

The High Assurance Platform (HAP) is a secure computing platform program run by the US National Security Agency (NSA) in cooperation with the tech industry. It was designed to develop the 'next generation' of secure computing platforms, allowing secure data movement between domains. Interestingly, it was discovered that the NSA had implemented an undocumented bit called “reserve_hap” which, when set to “1”, disabled Intel ME. This was apparently done at the request of equipment manufacturers and customers evaluating the HAP program, and the modifications underwent a limited validation cycle.

Some PCs use Intel ME to initialize or manage certain system peripherals and/or provide silicon workarounds, which means the user may lose functionality by disabling it.

The idea behind High Assurance systems is to make claims about the system's behavior and provide evidence that it will behave as described. This is achieved through a combination of formal software verification methods, third-party expert evaluation, security testing and analysis. Typically, these systems are more constrained than traditional cybersecurity products, such as signature-based malware detection and AI-based anomaly detection. This means they can be more effectively quantified and mitigated.

The Intel Management Engine (ME) is an embedded program, which cannot be completely wiped from the system. However, it can be disabled by setting the “reserve_hap” bit to “1”. This can be done by disabling Intel Active Management Technology (AMT) in BIOS. Depending on the Hewlett-Packard (HP) model, users should go to BIOS Advanced > Remote Management Options > Active Management / Unconfigure AMT on next boot and set Intel AMT (Enabled, disabled). Some HP models require pressing CTRL+P to access the AMT Menu and set Intel ME Control State (Enabled, disabled). Once these steps are completed, the Intel ME tool will be disabled and any associated components will be uninstalled.

Conclusion, am I forked? 🤔

Well, yes and no: for some devices there is the possibility to partially disable the Intel ME, even if this wasn't intended by the manufacturer, e.g. via Coreboot.

But the best method to avoid this would be to buy a device which is already corebootified or allows you to partially disable it from the BIOS. Keep in mind, this nasty son of a feature can't be disabled completely.

tuxedocomputers.com offers some such devices, as do puri.sm, system76 and some other vendors.

Like to feel your pulse rising? :D

Aight, open your sweet terminal (mostly Ctrl+Alt+T):

git clone --depth=1 https://review.coreboot.org/coreboot 

cd coreboot/util/intelmetool/ 

sudo apt install -y libpci-dev zlib1g-dev 

make

sudo ./intelmetool -m

And got any warnings? :D If so…

Good, good proceed…

On Ubuntu 22.04, you can check if Intel AMT is active using the terminal. First, you need to clone the mei-amt-check repository from GitHub:

$ git clone https://github.com/mjg59/mei-amt-check.git

Once cloned, change directories into the new mei-amt-check folder and run the make command to build the program:

$ cd mei-amt-check
$ make

Next, run the mei-amt-check program with sudo:

$ sudo ./mei-amt-check

This command will output whether or not Intel AMT is enabled and provisioned on your machine. If it is enabled, the output should look something like this:

AMT present: true
AMT provisioning state: provisioned
Flash: 9.1.42
Netstack: 9.1.42
AMTApps: 9.1.42
AMT: 9.1.42
Sku: 8
VendorID: 8086
Build Number: 3002
Recovery Version: 9.1.42

If the output instead reads “Intel AMT: DISABLED”, then Intel AMT is disabled on the system.
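When checking more than one machine, it helps to reduce that output to a single verdict per host; the script below is an added example, not code from this post or from the mei-amt-check project. The function name amt_verdict and its verdict names are made up here, it assumes the "key: value" layout shown above, and the second sample's provisioning state string is constructed for illustration.

```bash
#!/bin/sh
# Added example: turn mei-amt-check output into a one-line verdict.
# amt_verdict and its verdict names are this example's own, not the tool's.
# Prints "<verdict> <AMT version or ->" where verdict is one of:
#   disabled                 - tool printed "Intel AMT: DISABLED"
#   provisioned              - AMT present and provisioned
#   present-not-provisioned  - AMT present, any other provisioning state
#   unknown                  - none of the expected lines were found
amt_verdict() {
    disabled=0; present=""; state=""; version="-"
    while read -r line || [ -n "$line" ]; do
        case "$line" in
            "Intel AMT: DISABLED"*)      disabled=1 ;;
            "AMT present:"*)             present=${line#*: } ;;
            "AMT provisioning state:"*)  state=${line#*: } ;;
            "AMT:"*)                     version=${line#*: } ;;
        esac
    done
    if [ "$disabled" -eq 1 ]; then
        echo "disabled $version"
    elif [ "$present" = "true" ] && [ "$state" = "provisioned" ]; then
        echo "provisioned $version"
    elif [ "$present" = "true" ]; then
        echo "present-not-provisioned $version"
    else
        echo "unknown $version"
    fi
}

# Sample taken from the output shown above (shortened).
SAMPLE_PROVISIONED='AMT present: true
AMT provisioning state: provisioned
Flash: 9.1.42
AMT: 9.1.42
Build Number: 3002'
# Constructed sample: the state string is an assumption for illustration.
SAMPLE_OTHER='AMT present: true
AMT provisioning state: unprovisioned
AMT: 9.1.42'

printf '%s\n' "$SAMPLE_PROVISIONED" | amt_verdict   # provisioned 9.1.42
printf '%s\n' "$SAMPLE_OTHER" | amt_verdict         # present-not-provisioned 9.1.42
printf 'Intel AMT: DISABLED\n' | amt_verdict        # disabled -
# Live use, from the build directory: sudo ./mei-amt-check | amt_verdict
```

Because the ME handles its network traffic independently of the operating system, a provisioned verdict cannot be contained with the host's own firewall and is best followed up from another machine on the network.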

Alternatively, you can use the Nmap tool to scan for Intel AMT. Download the script http-vuln-cve2017-5689.nse with wget or curl:

$ wget https://svn.nmap.org/nmap/scripts/http-vuln-cve2017-5689.nse

Run nmap against the target IP address with the script:

$ nmap -p 16992 --script http-vuln-cve2017-5689 <target_ip>

If Intel AMT is enabled and provisioned, the output should indicate that the port is open and, on firmware that is affected, that the host is vulnerable to CVE-2017-5689.

Annotation of 2nd editor:

What about AMD, then? Well… Still forked :D

“Fun fact: AMD has similar criticism for their CPUs, their ME equivalent is called PSP. Maybe in the future I will write an article about it too.” 😉

Reference Links:

https://www.cyberciti.biz/faq/how-to-check-whether-amt-is-enabled-and-provisioned-under-linux/

https://manpages.ubuntu.com/manpages/trusty/man7/amt-howto.7.html

https://www.intel.com/content/www/us/en/support/articles/000054916/technologies.html

https://virtualizationreview.com/articles/2020/01/13/configuring-intel-amt.aspx

https://www.cyberciti.biz/faq/remotely-access-intel-amt-kvm-linux-desktop/

References: https://github.com/corna/me_cleaner/wiki/Get-the-status-of-Intel-ME

Citations :

  1. https://www.intel.com/content/www/us/en/support/articles/000039084/technologies/intel-active-management-technology-intel-amt.html
  2. https://www.partitionwizard.com/resizepartition/intel-management-engine-components.html
  3. https://www.reddit.com/r/thinkpad/comments/cnel4o/disable_intel_me_and_amt_thinkpad_t420/

Citations :

  1. https://www.ptsecurity.com/ww-en/analytics/disabling-intel-me-11-via-undocumented-mode/
  2. https://www.embedded.com/high-assurance-software-engineering-improves-embedded-design-security/
  3. https://freeandfair.us/articles/what-is-high-assurance/
  4. https://www.csoonline.com/article/3220476/researchers-say-now-you-too-can-disable-intel-me-backdoor-thanks-to-the-nsa.html
  5. https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Disabling_the_Intel_Management_Engine
  6. https://www.ul.com/services/ul-cybersecurity-assurance-program-ul-cap
  7. https://news.ycombinator.com/item?id=15117026
  8. https://m.digitalisationworld.com/blogs/56054/high-assurance-security-why-should-we-care
  9. https://www.partitionwizard.com/resizepartition/intel-management-engine-components.html
  10. https://fm.csl.sri.com/LAW/2009/dobry-law09-HAP-Challenges.pdf
  11. https://www.zdnet.com/article/researchers-say-intels-management-engine-feature-can-be-switched-off/

References:

https://www.bleepingcomputer.com/news/hardware/researchers-find-a-way-to-disable-much-hated-intel-me-component-courtesy-of-the-nsa/

https://www.techrepublic.com/article/is-the-intel-management-engine-a-backdoor/

https://en.wikipedia.org/wiki/Intel_Management_Engine

https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Disabling_the_Intel_Management_Engine

https://hackaday.com/2017/12/11/what-you-need-to-know-about-the-intel-management-engine/

https://puri.sm/learn/intel-me/

https://www.quora.com/Is-the-Intel-Management-Engine-one-of-the-backdoors-that-NSA-uses-to-spy-on-citizens

A meta-question is a question about a question, such as “May I ask something?” or “Does anyone know about computers?”.

As a rule, however, the term meta-question is generalized to cover all questions that are not a direct question about the help-seeker's problem. The help-seeker thus first asks in general terms whether anyone can help. Newcomers and inexperienced users in particular get carried away into asking meta-questions in order to find a competent and helpful contact. Most of the time meta-questions are ignored, or the asker is rudely told that nobody can help with their problem without knowing what it is. As a rule, a meta-question is followed by a further question…

http://www.metafrage.de/

finds bugs in your shell scripts.

https://www.shellcheck.net/

“BIOS Password Recovery for Laptops Quick and easy way to recover BIOS passwords on laptops. Based on research by Dogbert and Asyncritus.”

https://bios-pw.org/

CodeCheck

CodeCheck is your personal shopping assistant when it comes to healthy and conscious consumption 🕵️. Simply scan the barcode or EAN number of your food 🥗 or cosmetics 💄 and in just a few seconds you can find out whether the products are vegan, vegetarian or gluten- or lactose-free. Additionally, if they contain: palm oil, microbeads, nanoparticles, parabens, paraffins, too much sugar, etc. CodeCheck also helps you, if you have an allergy to something. Now you can also customize CodeCheck to fit you best. Based on your individual needs, it will give you a personal rating circle which shows whether a product is suitable for you. You can set warnings, for gluten or if a product is vegan or vegetarian or not ⚠️. You will always receive suggestions of better alternatives, too. But CodeCheck[…]

https://play.google.com/store/apps/details?id=ch.ethz.im.codecheck&gl=US

ToxFox

Track down pollutants, protect health and put manufacturers under pressure: With the ToxFox you will become a sleuth yourself and set an example for more transparency and better products!

Many products contain chemicals that can harm health and the environment. BUND developed the ToxFox so that you can check[…]

https://play.google.com/store/apps/details?id=de.bund.toxfox&gl=US

Intelligent Speaker

Intelligent Speaker is a new way of being efficient Text to speech browser extension runs on leading tts engine and has useful features to make you productive. With Intelligent Speaker you get[…]

https://intelligent-speaker.com/