From what I've seen, most of the newer ipmi gear including the dedicated port ones include a standardized i2c interface between the platform controller/ec side (the main server) and the BMC - while it has in most cases similar authentication requirements as the typical ipmi over lan, once you've gotten past that you pretty much can run any ipmi commands, including getting raw access to its private i2c bus which I would assume attaches to its bootstrap flash. Once you're that far in bridging between the two nets would just entail writing some (non trivial) software.
That's the absolute truth. And given the vast array of high frequency oscillators, high end dacs and software configurable pin reassignment, you really need to include a pretty effective rf shield (say ~-40db over ~10kkhz-1.xghz) or go for something closer to an air moat than an air gap.
By the same token the only 100% trustworthy human is a dead one. But we trust folks constantly and we're overwhelmingly better off for it.
Short answer is you can trust building block type components like CPUs if they're designed by a company that is in the camp of the same nation state/alliance that you align with as well. Very similar to the thought process you would use when deciding if you can trust that guy over there with a gun.
Theoretically the answer is no if you're talking about gear (say highly integrated Socs) designed and fabbed in a country that has demonstrated a trust issue or two with the folks that issue your passport.
Practically though this is one of the last things you should be spending time worrying about assuming you're not currently engaged in global politics or things that have a blast radius.
You can pretty much hide a semitrucks worth of nastyness inside any modern chip these days. And while it wouldn't be impossible to find, it requires a well financed effort to try.
But the real answer is you didn't really ask the right question. Computers (and phones/etc etc) are so inundated with security holes between the endless streams of bugs, opaque supply chains, exploitable design errors and a pervasive belief that better security = less sales that there's simply no need to go after the cpu, it's far cheaper and provides credible deniability to all involved.
While I have no doubt there are at times intentional flaws introduced into big name chip designs, any use of such things would be limited to extremely unique circumstances as the blowback if discovered would be pretty damn apocalyptic if you're talking say intel/ibm/oracle.
Anybody that's going to get at your data is ether going to convince you to give it to them, or spend an hour or two and beat your software stack.
Even when the NSA testifies in congress to convince them to block telecom mergers unless they get a clause barring zte/huawei gear it's primarily the software stack that they're worried about. Even listening devices need point releases from time to time.
_NSAKEY discovered two years before patriot act is passed? coincidence? i think not!!1
said another way, what relates the two events in the editorialized title? Just an end of the innocence type vibe? Trusting the sigint guys to design your crypto has always been a well acknowledged double edged sword.
Boxee's main problem is they built a platform for pirates, sold it at break-even and expected to make their money selling said pirates $5 VOD movies from walmart.
I was drawn to Boxee over XBMC because of the legitimate media sources it worked well with (YouTube, BBC iPlayer, etc). Granted I could do the same with XBMC (in fact I do do the same with XBMC), but Boxee just worked nicer out of the box.
Plus most of the local storage stuff I had was CD and vinyl rips.
Boxee organised it's content by metatags, so I'd imagine it would be slightly annoying for pirates (which, more often than not, are labelled wrong) than other similar solutions which place a higher precedence on organisation via directory hierarchy (Boxee could do this too - but it was much more awkward to get to than in XBMC et al)
They built a platform for pirates, tried to pivot to be a legit business, was met with resistance from companies they had previously been empowering pirates against, and so tried to pivot again to something no one, pirate or non-pirate, really wanted (cloud dvr).
As I understand google policy, they allow a user supplied CA to over-rule certificate pinning, to allow for the common use case of an enterprise supplied certificate rewriting at the firewall. So unless you're using one of the magic wildcard sub-ca certs issued by a default CA I suspect you're seeing the google apps allowing an exception to pinning.
If so, that's pretty cool. Happen to know if foursquare / twitter have anything in place that lets them handle the enterprise case w/o letting me mitm them?
But then this is partly a choice on their part. For example, I just received a new Visa PayWave card which lets me pay for anything under $100 just by waving my card over the terminal (no contact, no PIN, nothing). So they are removing just about every form of security from the transaction. The letter that comes with the card is full of assurances that I bear no liability for misuse of the card.
So basically, the card providers are throwing security out the window because they want to increase the rate of legitimate transactions and then wholesale black banning whole segments of the market that have slightly higher risk to counterbalance the increased risk. If they were willing to apply slightly higher security measures they could easily mitigate the risk, but they don't want to because it would decrease the rate of legitimate transactions.
Make cuts with a sharp knife around the chip to sever the NFC antenna. Then confirm it doesn't work at a terminal you trust that you can cancel the transaction on.
With UK credit laws I might be OK with this on a credit card but there was no way I wanted it on my debit card with a direct line to my current account. I only use the debit card for cash and the very occasional purchase (think car purchase once every 5 years or so frequency and inconvenience to pay cash).
I have no idea if they are required to do so, but it's worth noting that while the government requires a warrant to open US mail and inspect the contents, your agreement with UPS/FedEx allows them to open anything they see fit to.
To be clear, it allows UPS/FedEx to open it, not the government. Although UPS/FedEx can then voluntarily give it to the government should they open it...
Consider the 50+ doors the FBI broke down in response to operation payback, yet 0 prosecutions have occurred in the US. Before that happened it was widely speculated that ddos was not a crime in the united states, and that appears to have been defacto agreed to by the US Attorney in this case.
