Gigabit NICs to avoid

Logan, Wendell, and Qain,

While watching The Tek today, Wendell and Logan mentioned that there were some motherboards even today shipping with Gigabit NICs that can't even do full gigabit speeds, and I have also heard in the past that there are some crappy ones.

Wondering if you guys could chime in on specifically which ones you don't like and which ones you really like, since you didn't want to get into it on the show. Maybe even do a video segment covering NICs, as it is something not talked about a whole lot anywhere else.

Thanks, guys!

Just get an Intel, simple.

I understand Intel is good, but I am also sure there are others. What about Killer? The Realtek and others (are there others?) can't ALL be bad. A bit more elaboration would be nice.

Pretty much... get Intel and don't bother thinking about it further. Not worth the brain cells required.

Intel are kind of bastards though; on certain modern CPUs Intel has dedicated resources for wiring up their NIC that don't use PCIe lanes, which is awesome on platforms like Haswell where you have a limited number of lanes anyway.

Purely anecdotally, I have had okay luck from Broadcom and perhaps a distant third Marvell. Then about 2.5 parsecs. Then there is Realtek.

Thanks for the response. Never realized Realtek NICs were so bad. So I guess most boards on the market that are not either "Killer" (Qualcomm) or Intel have terrible onboard NICs then, since they usually use a Realtek 8111 series. Interesting.

While we are on the topic of Intel, question (I am putting on my tinfoil hat for this one):

There are suspicions that there is an NSA backdoor in the Intel hardware random number generator. I believe this to be true. What are the chances that there is an NSA backdoor in the Intel NICs and how would that function?

First of all, if you are going to use a non-hardened operating system like Windows (which almost certainly itself contains several back-doors) on your computer, they are not going to bother with hardware back-doors.

Why risk having an ultra-secret back-door discovered when you can just hack the OS?

So unless you want to use a secure operating system, you are probably not going to have to worry about the network adapter.

If you later on decide that you want to do ultra-secure computing, you can still add another network adapter and not use the NIC.

P.S.: there's also a chance that UEFI contains a back-door.

From my experience, Killer are pretty lame. I don't do a lot of multiplayer gaming, so I can't say whether or not there is any improvement in latency from using Killer, but for file transfers they are useless: I could never get close to gigabit speeds, the whole computer would jerk and act really weird during large transfers, and the CPU usage would go right up. Switched to an Intel card and the difference was like day and night.

I'm not using the spyware platform known as Windows. I am reasonably confident in the security measures that I am using, both on the OS side and on the internet traffic side. That's mostly because I know their weaknesses.

Why risk having an ultra-secret back-door discovered when you can just hack the OS?

By that reasoning, why bother compromising the Intel hardware random number generator (which I believe has happened) when you can just hack the OS?

Anyway, regarding my question. You simply stated that if I have doubts about the Intel NIC, I should use another adapter, which in itself might be ineffective, since the NSA has been using wireless adapters on USB plugs to hack computers not connected to the internet. My original question was about how likely it is to have a backdoor in the Intel NICs, and what that backdoor would do. You haven't touched on any of those points, therefore my question still stands.

Compromising the random number generator was done to weaken encryption, so they could decrypt data without having to use a back-door or penetrate the OS security.

They bothered compromising the random number generator because that's more economical than hacking the computer of everyone who encrypts. (The more computers they hack, the higher the risk that they get caught & their back-door becomes known, i.e. worthless.)

"how likely it is to have a backdoor in the intel NICs"

You are asking the wrong question for 2 reasons:

  1. "I am reasonably confident in the security measures that I am using": You're positive that your operating system & employed software has no 0-day exploits? You are either an upper-tier IT-sec expert, or your assumption that you are safe on the software side is wrong. (You don't strike me as an IT-sec genius, no offence.)
  2. "...how likely is ... a backdoor in the intel NICs": You are asking me to give you a statistical likelihood of a conspiracy, which is impossible to do because everything I'm going to calculate is inevitably going to be predicated on my personal trust/paranoia level (= bias). Until we know for sure, everything is wild speculation, hence useless.

The right question to ask is how to improve your security, and for 99.9% of the computers out there the answer is going to be improving/auditing the software, reducing dependencies on proprietary solutions...

If the NSA decides to hack your computer, it is almost certainly going to be via software vulnerabilities. Concentrate on that. Follow security news about confirmed hardware back-doors & replace insecure parts.

If that isn't good enough for you, you have to play on the level of banks & ultra-high-security players, who do custom hardware designs and use their own firmware etc... Or wait 5-10 years until the open-hardware movement gains momentum.

1. I am reasonably confident in the security measures that I am using

What I meant was that I believe that I have struck a balance between MY need for privacy and MY need for security and the amount of work (and learning) that I have to do to ensure the above. I am well aware that there's no such thing as complete security, nor do I want to strive for it.

You don't strike me as an IT-sec genius, no offence

No offence taken; I posted my question so I can hear what others think, and possibly learn new things.

2. ...how likely is ... a backdoor in the intel NICs

I agree 100% with what you've said about this point. But I wasn't asking so someone can tell me the facts, although it would be awesome if someone posted a link to a trustworthy website that discloses information about Intel backdoors... but then again, "trustworthy" can also be a matter of personal opinion. I realize that a lot of the things posted on internet forums are extremely subjective; I'm not so naive as to believe anything someone says under the protection of a virtual identity. I want to hear what other people on this forum think, or perhaps even what the Tek Syndicate crew thinks, since I value their opinion.

Follow security news about confirmed hardware back-doors & replace insecure parts.

That's your opinion, and I respect that. I would rather go the extra mile and simply not buy hardware that I believe (opinion, not proven fact) is compromised.

So... instead of telling me that I am approaching this problem from the wrong angle, what do you think about hardware backdoors in the Intel NICs? Possible, probable, tinfoil-hat nonsense, or do you simply find this irrelevant?

EDIT: gave this some thought:

They bothered compromising the random number generator because that's more economical than hacking the computer of everyone who encrypts. (The more computers they hack, the higher the risk that they get caught & their back-door becomes known, i.e. worthless.)

You said that they added a backdoor in the Intel hardware RNG because it was easier (and harder to discover) than hacking the software. Are there any security measures that make more sense to bypass on a hardware level, by using a backdoor in the NIC, than by hacking the software? I am genuinely interested in this.

I really don't know what else to say other than: wild speculations about conspiracies are unproductive. I have no clue whether the Intel NIC or any other network adapter is compromised. I have no facts & no reasonable arguments, so I can't have an opinion. My conclusion is: I do not know. I also do not know if not buying a NIC will improve or decrease my odds of not having a hardware back-door.

However, I'm certain that my computers have lots of software vulnerabilities, so I'd rather spend my time resolving a problem that I know exists than worrying about a hypothetical one.

I also plan to use open hardware once it has matured enough for somebody with my skill level to use it productively.

Also you >> seem to << falsely equate back-dooring encryption with back-dooring a computer in your last paragraph. The weakened Intel random number generator did not allow access to a computer.

"Are there any security measures that make more sense to bypass on a hardware level, by using a backdoor in the NIC, than by hacking the software?"

This is confusing: Are you asking me whether you can proactively configure your software to "cock-block" their attempt at using their hardware back-door?

Well, that depends: if the attacker has access to the hypervisor or processor management, then no.

Also you >> seem to << falsely equate back-dooring encryption with back-dooring a computer in your last paragraph. The weakened Intel random number generator did not allow access to a computer.

Backdooring encryption means making it relatively easy to decipher encrypted data, by either reducing the number of possible combinations needed to guess a cipher to a reasonable amount (by reasonable I mean gaining more from the data than you lose in the process of decrypting it), or outright having the key to the encryption. Backdooring a computer means gaining root access to the computer. Am I mistaken in my understanding of the terms? As you have aptly noticed, I'm not an IT specialist in any sense of the word (although I have decided to start studying Computer Science come this autumn), and I understand that the way I word things might be confusing for someone who knows the correct terminology.

If I remember correctly from an article about FreeBSD using its own RNG called Yarrow in conjunction with the Intel RNG, the FreeBSD team considered that the Intel RNG was adding 4 bits of entropy to the kernel entropy pool, which is extremely low (as I am typing this, my Linux kernel has 3850 bits in its entropy pool).

This is confusing: Are you asking me whether you can proactively configure your software to "cock-block" their attempt at using their hardware back-door?

I am not asking that. I am asking if there is a type of security measure which can be more easily compromised by using a hardware backdoor than a software one. Applied to the Intel example, the type of security that is being compromised is encryption, the hardware backdoor is the Intel hardware RNG, and the software alternative is adding a backdoor to a lot of systems, which is more likely to be discovered. If it's still not clear enough, I'll consider this my own fault for not knowing how to ask the right question, because you have shown yourself to be more than willing to have a dialogue with me, and I appreciate that.

In general I would consider hardware back-doors to be more difficult than software back-doors, because compromising hardware is inherently more complex to engineer and probably requires more cloak & dagger logistics, because you have to smuggle the back-door past designers & manufacturers.

However, hardware back-doors can still be the logical choice because they're more persistent than software, & fewer people are capable of finding them. I think that in a few generations, when we consider not being able to understand source code as being illiterate, hardware back-doors will become the easier choice.

I could imagine that with the advent of AIs that can audit source code, premeditated software back-doors will become extinct. Artificial intelligences can improve their own code, which will eventually lead them to override back-doors that their own code contained. I assume that we won't connect AIs that audit source code to the Internet.

Regarding entropy and random number generators, I think the only real source of randomness is quantum fluctuations. One can measure nuclear decay to "harness" that randomness. There is a service called HotBits that provides genuine random numbers by measuring nuclear decay.

I think it'd be possible to implement a tiny alpha-ray source (Americium-241 for example) with a simplified Geiger counter in a chip. But I guess no computer hardware manufacturer wants to risk a "Radioactive computer" headline. Never mind that a tiny alpha radiation source is probably so weak that it won't even penetrate a sheet of paper, much less the shell of a computer.

Some people suggested measuring surrounding radio waves & background radiation for random number generation, but who says an attacker isn't local and able to measure it too.

If I had anything ultra-critical that I wanted to encrypt, I probably would hook up a Geiger counter to the line-in of my sound card and use the Americium from an old smoke detector.
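The Geiger-counter-on-line-in idea above, carried through to usable key material, as an added example that is not from any post in this thread: it stands in for the detector with constructed, seeded pulse timings, extracts bits with the interval-comparison method HotBits documents, and conditions them with SHA-256 while crediting only half a bit of entropy per raw bit. The exponential timing model and the 0.5-bit credit are assumptions, not measurements.

```python
import hashlib
import random

# Constructed stand-in for a Geiger counter on a sound card's line-in:
# pulse inter-arrival times drawn from a seeded exponential model, since
# radioactive decay is a Poisson process.  Real use would time the pulses
# found in the audio stream instead of generating them here.
_SIM = random.Random(2024)
SIM_INTERVALS = [_SIM.expovariate(1.0 / 40.0) for _ in range(4000)]


def extract_bits(intervals):
    """HotBits-style extraction: compare two successive intervals, emit 1 if
    the first is longer and 0 if shorter, discard ties.  The comparison
    sense flips on every emitted bit, so a slow drift of the source
    (detector warm-up, source decaying) cannot bias the output."""
    out = []
    for t1, t2 in zip(intervals[0::2], intervals[1::2]):
        if t1 == t2:
            continue
        bit = 1 if t1 > t2 else 0
        if len(out) % 2 == 1:
            bit ^= 1
        out.append(bit)
    return out


def bias(bits):
    """Fraction of ones; a healthy source sits close to 0.5."""
    return sum(bits) / len(bits)


def condition(bits, credit=0.5):
    """Whiten raw bits through SHA-256, crediting only `credit` bits of
    entropy per raw bit (assumed; conservative for a physical source), so
    every 32-byte output block is fed at least 256 bits of estimated
    entropy.  Leftover bits short of a full block are dropped, never
    stretched into extra output."""
    need = int(256 / credit)
    out = b""
    for i in range(0, len(bits) - need + 1, need):
        chunk = bits[i:i + need]
        raw = int("".join(map(str, chunk)), 2).to_bytes((need + 7) // 8, "big")
        out += hashlib.sha256(raw).digest()
    return out


if __name__ == "__main__":
    raw = extract_bits(SIM_INTERVALS)
    print(len(raw), "raw bits, fraction of ones:", round(bias(raw), 3))
    print("conditioned key material:", len(condition(raw)), "bytes")
```

Note that the comparison step discards at least half of the pulses and the conditioning step halves the output again, which is why a weak source on a sound card is acceptable for an occasional key but not as a fast stream.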