Purism Now Offers Laptops with Intel's 'Management Engine' Disabled (puri.sm) 151
"San Francisco company Purism announced that they are now offering their Librem laptops with the Intel Management Engine disabled," writes Slashdot reader boudie2. Purism describes Management Engine as "a separate CPU that can run and control a computer even when powered off."
HardOCP reports that Management Engine "is widely despised by security professionals and privacy advocates because it relies on signed and secret Intel code, isn't easily alterable, isn't fully documented, and has been found to be vulnerable to exploitation... In short, it's a tiny potentially hackable computer in your computer that you cannot totally control, nor opt-out of, but it can totally control your system."
Purism writes: Disabling the Management Engine is no easy task, and it has taken security researchers years to find a way to properly and verifiably disable it. Purism, because it runs coreboot and maintains its own BIOS firmware update process, has been able to release and ship coreboot that disables the Management Engine from running, directly halting the ME CPU without the ability of recovery... "Disabling the Management Engine, long believed to be impossible, is now possible and available in all current Librem laptops. It is also available as a software update for previously shipped recent Librem laptops," says Todd Weaver, Founder & CEO of Purism.
Upgrades? (Score:5, Insightful)
Does this also mean they can "unlock" the soft-locked downgrades on the cheaper processor series to make them full strength?
So if the management engine isn't actually necessary what actually does it provide?
Is this new one open source? or have we met the new boss, same as the old boss?
What country is Purism based in or owned by?
Re:Upgrades? (Score:5, Insightful)
Oh, honey. It's a backdoor by the NSA. They can remotely access your computer, no matter what is installed on it, and even if it's turned off. No, I'm not kidding and it's not a conspiracy theory.
Re: (Score:2)
If you're not kidding, then it is a conspiracy theory.
Believing that it is true does not stop it from being a theory, or from involving a conspiracy. Actually, it would be required to have a conspiracy since it is actually sold as an enterprise security feature and companies are paying extra for the features it comes with.
Re: Upgrades? (Score:1)
But this is actually happening, and the NSA/CIA have done stuff like this before. Elliptic Curve anyone? This is worse.
There's no conspiracy or theory anymore because they just do it out in the open.
Re: (Score:2)
The ME is actually used for user functions as well. It manages the power states and allows proper remote managing for CPUs with that enabled, but it's still a black box that "for some reason" NSA have disabled on their computers.
It runs an entire OS with programs and stuff.
Re: (Score:2)
> The ME is actually used for user functions as well. It manages the power states and allows proper remote managing for CPUs with that enabled
How do you get a dog to take medicine? You put the pill in a doggy treat.
Re: (Score:2)
My experience with pills in doggy treats is that dogs are extremely good at eating very fast and leaving the pill sitting on the floor. It was amazing to see a dog that could eat a pile of chicken not much smaller than her head in 90 seconds being able to eat her way around any pill we mixed with food.
Re: (Score:1)
> It runs an entire OS with programs and stuff.
It runs Minix.
Yes, 2017 is the year of Minix on the Desktop.
Tanenbaum wins -- more PCs will be running Minix than Linux soon. He was right -- microkernels are the wave of the future.
Linus's last refuge will be Android.
Re: (Score:2)
Re: (Score:2, Insightful)
> So if the management engine isn't actually necessary what actually does it provide?
It provides an excellent opportunity for your government to get to know you better! Your wants, your needs . . . your seditious thoughts and deeds . . . whether you voted for President Zuckerberg or not . . .
> What country is Purism based in or owned by?
Does it even matter any more . . . ? The British share their "intelligence" with the Americans, who usually just buy it from some "leaky" old German SED folks who are still working on the taxpayers' dime to undermine the evil capitalist system. A better question would be to ask which companies own wh
Re: (Score:3, Informative)
Despite Intel's claims, ME is a backdoor.
If it wasn't a backdoor they would let you completely remove it.
It's a dumpster fire of privacy issues, security problems and blatant government snooping.
Re: (Score:2, Insightful)
No, it's in all Intel motherboards made in the last 7-10 years.
And the BIOS doesn't disable it. It just makes it unresponsive to YOU - all this has been documented.
Re: (Score:2)
> You will only find AMT in enterprise equipment, and even then, only if it was setup as enterprise.
This is disinformation.
Re: (Score:2)
You have NO fucking clue.
The ME/AMT bullshit is physically inside every single Intel x86 CPU from the last decade or more.
It's "disabled" on consumer SKUs via a firmware flag at best. That just means it doesn't present the user-facing features. It's still physically present. It's still electrically connected. It still has a full system inside the CPU to fuck you.
Obligatory:Intel CPU Backdoor Report (May 5 2017) (Score:5, Informative)
All Intel did was add another hidden switch only they know how to switch on, like a unique wifi signal or magic packet on the onboard NIC.
The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.
What we know about Intel CPU backdoors so far:
TL;DR version
Your Intel CPU and Chipset is running a backdoor as we speak.
The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.
30C3 Intel ME live hack:
@21m43s, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
[Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware [youtube.com]
[Quotes] Vortrag [events.ccc.de]:
"DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel."
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."
"We have recently improved DAGGER's capabilities to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."
"To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."
"We can permanently monitor the keyboard buffer on both operating system targets."
Backdoor removal:
The backdoor firmware can be removed by following this guide [github.io] using the me_cleaner [github.com] script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.
Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.
If you are skilled in these areas, download Intel ME firmwares from this collection [win-raid.com] and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).
Useful links:
The Intel ME subsystem can take over your machine, can't be audited [ycombinator.com]
REcon 2014 - Intel Management Engine Secrets [youtube.com]
Untrusting the CPU (33c3) [youtube.com]
Towards (reasonably) trustworthy x86 laptops [youtube.com]
30C3 To Protect And Infect - The militarization of the Internet [youtube.com]
30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software [youtube.com]
1. Introduction, what is Intel ME
Short version, from Intel staff:
Re: What Intel CPUs lack Intel ME secondary processor? [intel.com]
Amy_Intel Feb 8, 2016 9:27 AM
The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked with the engineering department and they confirmed it.
Long version:
Re:Upgrades? (Score:5, Informative)
On your first question, usually the cheaper processors these days are actually different layouts, a long, long time ago this wasn't the case but then it was a case of binning, you could potentially get lucky but it was usually a more expensive model that got rejected but still ran on slower speeds with large portions of cache and other features disabled (eg. due to low yields on the wafer). These days production has gotten smaller, better and cheaper so yields are rarely a problem and even if they were, they probably wouldn't produce useful products anymore.
The management engine provides exactly that, management. It's intended for servers and enterprise systems. It's a form of baked-in IPMI and these days runs a version of MINIX. It can connect either directly or over VPN to your corporate environment and then you can remotely manage the machine, it can do security posture assessments (because it's not controlled by the OS, it can peer into hypervisors or compromised hosts), it can even emulate a serial port so you can connect to your host if you're running Linux/Unix-type systems.
Nothing about this is open source besides it being based on MINIX, to actually use it you have to pay Intel for their closed source software to be able to access the devices.
Purism is a computer technology company based in South San Francisco, California and registered as a social purpose corporation in the state of Washington.
Re: (Score:1)
If we ignore the inept implementation for a minute, the optimistic promise of the management engine is to provide features for IT management of workstations and laptops. It brings the IPMI and remote KVM features of datacenter machines to the low-margin, high volume corporate desktop market and lets these features work wherever the machine will reside, rather than only in a controlled machine room.
Over its multiple iterations, it has gained more features to allow an IT worker to rescue and reconfigure a mac
Re: (Score:2)
Hey, that's some great customer feedback from someone who wants a robust and secure management engine on their machine. but -
> Even if you ignore the "it's an NSA backdoor" FUD, ...
I would like to ask you if this is FUD then why is it fucking impossible to buy a modern CPU **without** these back doors (oh, sorry, "management interfaces" if you insist), despite persistent calls for them and despite the intensity with which they are loathed?
Re: (Score:2)
Because that management firmware is involved in... managing the p
Re: (Score:2)
I have never in my life heard of any person or company utilizing the "features" of ME/AMT.
The only thing anyone uses is IPMI-type shit for servers (via BMC, iDRAC, iLO, or whatever else you want to call it).
Re: (Score:2, Informative)
A secure laptop should have verified boot because it addresses an attack model that has become more important after the Snowden revelations. We learned that:
- NSA wants to keep their best exploits secret. For example, it uses more valuable exploits on less technically sophisticated targets who are less likely to discover them.
- NSA goes to great lengths to achieve persistence, for example hard drive firmware attacks that expose the exploited code the first time a sector is read, at boot, b
Re: (Score:2)
> Does this also mean they can "unlock" the soft-locked downgrades on the cheaper processor series to make them full strength?
Long story short, no. The IME interacts with the machine's firmware and can be killed that way. The thermal and frequency limits are untouchable and look likely to remain that way.
> So if the management engine isn't actually necessary what actually does it provide?
Legacy device emulation, out of band management, health status and alerting. It offers a lot of functionality; the only problem is that the code is so privileged that the OS cannot even detect it.
> Is this new one open source? or have we met the new boss, same as the old boss?
They are simply disabling IME. There is no replacement; your machine doesn't need it to operate.
Re: (Score:2)
Does this prove my IQ > 80?
Re: (Score:2)
> I just modded it as 'overrated' for you. Does this prove my IQ > 80?
And then commented logged in...I'd say no, no it does not.
Re: (Score:1)
Um, AMD has similar features in theirs as well.
Re: (Score:1)
> AMD has similar features in theirs as well.
Do you have any evidence of this? I'd like to learn more about that.
A link or two would be nice.
Re:Fuck these Intel chips. Buy from AMD. (Score:5, Informative)
>>AMD has similar features in theirs as well.
>Do you have any evidence of this? I'd like to learn more about that
>A link or two would be nice.
Platform Security Processor (PSP); it is exactly the same as Intel's backdoor- hardware based, secret, non-controllable.
https://hothardware.com/news/a... [hothardware.com]
https://www.techpowerup.com/23... [techpowerup.com]
https://libreboot.org/amd-libr... [libreboot.org]
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Thank you.
Re: (Score:2)
A few from the front page of goog about the AMD Secure Processor. It does, apparently, run its own OS and have its own flash/memory.
https://hothardware.com/news/amd-confirms-it-will-not-be-opensourcing-epycs-platform-security-processor-code [hothardware.com]
https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.14-Crypto-AMD-SP [phoronix.com]
https://www.anandtech.com/show/11551/amds-future-in-servers-new-7000-series-cpus-launched-and-epyc-analysis/3 [anandtech.com]
Re: (Score:2)
If there's a PSP inside a PlayStation 4's AMD Jaguar CPU, then why can't it play PSP games?
For the Win! (Score:4, Informative)
Re: (Score:2)
Another option is to buy a Mac, since Apple’s products do not have the IME enabled.
... assuming you can live without ports, anyway.
Re: (Score:2)
Well, other than the fact that Apple also has proprietary security ICs on their boards!
Even a micro using Harvard architecture usually has some proprietary security features for disabling/reenabling chip programming. Who knows what it really does? There is no end to it, you'll never be able to buy integrated circuits that somebody already manufactured and know for sure what is inside them, what the Secret Code(TM) Really Does(R)
Re: (Score:2)
Hey! Less ports just means there's less vectors for something bad to get into your computer. Right? ^_^
Re: (Score:3)
I recently bought a T560 and it doesn't have the parts of the Intel ecosystem that were accused of being "spyware," which is not the IME itself but the AMT (Active ManagenT).
Just take a look at Intel's CPU lineup; only the more expensive chips have it. You can get the upgraded CPU in most Thinkpads, but take a careful look at the specs and prices; the CPU with the Intel Management Engine costs a lot more and is only very slightly faster; most of the increased price is for the IME! It makes sense to buy it i
Re: (Score:2)
Lenovo's C:\Windows\system32\autochk.exe is a Windows executable.
Reposted subject (Score:2)
This was already reported and posted to slashdot four days ago.
Re: (Score:2)
Firmware can't fix it. It's a hardware backdoor. You may be able to neuter some of Intel's firmware for ME, but you don't know how the hardware works so you can never truly verify that it's not still fucking you in the ass.
Mitigation (Score:2)
Re: (Score:3)
Re: (Score:2)
No, the AMT has full access to RAM, and only after it has been turned on in the BIOS and also provisioned, with the caveat that if you have Windoze installed with the Intel drivers then it can do the provisioning from the OS.
The IME is just the part that the AMT interfaces with when installed. It is like a BIOS for add-on ICs, and the AMT is the add-on IC that provides the enterprise remote management features. There are other add-ons for IME that might also have network interfaces, for example there is one
Excellent (Score:5, Insightful)
It is time to regard the ME (and the AMD equivalent) as what they are: Hardware back-doors. I would like to see more research into breaking into them, disabling them and eventually also reprogramming them. Until the CPU manufacturers hand out full documentation and a reliable way to disable, they must be regarded as malicious attackers in any scenario where security matters.
In the end, this is a good thing however. With a bit of luck, nobody will get away with hidden undocumented hardware in the not so distant future.
Re: (Score:1)
Funny thing is, they all started a campaign against Kaspersky when a worse backdoor already exists.
Re: (Score:2)
Indeed. I hope they survive. They have done some really impressive research and shared it.
Re: (Score:2)
A smoke bomb and flash powder explosion is useful. Because you are supposed to look somewhere else while the magic is being worked. Have you never been to Vegas?
We need software freedom. Always. (Score:5, Informative)
We already knew from their announcement that they were backdoors, and the Intel ME security problems confirmed this. In addition to documentation on how to use and disable the system, we also need software freedom—controlling our own computers requires the freedom to run, inspect, share, and modify the software, and exclusive control over any encryption keys used so we can decide who else gets to control the hardware with us. Until we have software freedom these devices are not good at all, they are a clear threat to our ability to exclusively control our own computers.
This is also why computers with other architectures are so interesting and important. As far as we know POWER [raptorcs.com], PPC [powerpc-notebook.org], and other architectures either don't have backdoors built into the hardware or the comparable hardware comes with user-revocable keys and respect for our software freedom. This is a good time to get away from Intel/AMD systems. They're not trustworthy.
Re: (Score:2)
I don't think it is any better on ARM, which is the main alternative. And doing a CPU in an FPGA costs just too much performance-wise. But we will see how things develop. I am not at all above limiting my PC to running games and doing all other stuff on a different machine. In fact, with Win10 being only avoidable for so long, I am in the process of moving all my browsing, email, etc. to a Linux system and that one could be moved to a different architecture pretty easily.
Re: (Score:2)
It would be much easier to hide such a thing in ARM, as ARM usually uses sub-cores for some I/O tasks already.
In the end, you have to trust the manufacturer on what they say anyways, unless you put a core you verified yourself on an FPGA.
Of course, there is a huge risk in hiding such a backdoor in hardware. If anybody manages to find a remote exploit and publishes the backdoor access info, this could kill a CPU manufacturer economically.
Re: (Score:2)
I had a look at POWER and it seems you basically have to spend 3k+ to get a system at the moment. Do you know a possibility to get CPU+Mainboard+Cooler for, say, 1k or so? Speed would be secondary.
Re: (Score:2)
I am aware of this. It is a good start. Now make it work with all ME implementations and the AMD equivalent.
And I really would like that kernel as sort-of BIOS replacement. In all my PCs the Linux kernel does a much better job of finding and initializing the hardware than the BIOS does...
Re: (Score:2)
Given that the intended function is remote management, calling it a "backdoor" is inherently dishonest. These are clearly side doors.
Re: (Score:2)
Don't forget the back-up generator...
Re: (Score:2)
Just because you’re paranoid, it doesn’t mean they aren’t out to get you.
Re: (Score:2)
If a firewall manufacturer didn't let you block arbitrary ports, would you be ok with it?
Re: (Score:1)
> If a firewall manufacturer didn't let you block arbitrary ports, would you be ok with it?
Depends on the manufacturer. There isn't a single computer user anywhere in the world that hasn't placed some kind of "trust" in others when it comes to operating their incredibly complex machines. In this I include the likes of RMS who I will tell you right now has put a lot of faith in the trust that others made software and hardware he uses that isn't nefarious.
The only thing that is variable is the amount of trust, and that is typically based on past performance and trust worthy actions. Hurrah Purism i
Re: (Score:2)
So why not provide a way to turn it off for those of us who don't want it?
Re: (Score:1)
[citation needed]
Re: (Score:2)
From modified USB, RJ45 socket, ethernet connectors to a radar device, backdoor software implants. A PCI bus device, SIM card. IRATE MONK for the firmware of hard drives. Backdoor software implants for motherboard BIOS and RAID controllers...
Does this imply another backdoor? (Score:2)
I wonder if this fix is now available because there is some other backdoor available to government agencies. Besides, how will a typical consumer know that this has actually been disabled?
There is no root source of trust, so security is impossible for anyone who is not themselves an expert.
Or sell laptops without them? (Score:2)
How long is it going to work? (Score:2)
I somehow expect that for some reasons, most likely copyright or some similar bullshit, Windows will curiously stop working soon if that spying engine is not running.
I Have a Question (Score:2)
Re: (Score:1)
It depends on if it is vPro enabled or not. If the CPU has the vPro labeling on the package then it has it. Why? Because SOME of those K series processors are actually down-binned Xeons and they pretty much all have it. Just have to examine the packaging before purchase or if buying online be willing to ask questions to the retailer.
Couldn't we just use AMD's CPUs? (Score:1)
I know it hasn't been an option recently, but the new AMD CPUs, including mobile, look pretty good. Wouldn't it be easier to just switch to them? Or do they have their own equivalent of IME?
Re: (Score:1)
They have their own version called PSP, that uses TrustBoot. Their hidden co-processor is an ARM CPU. I am not current on if it can be accessed outside of the LAN or not, but late winter of 2016 it couldn't be as far as regular "legit" use was concerned.
Even when powered off? (Score:2)
So the ME has a built-in battery? When I power off my PC, I really power it off. Yes, once the computer part is off I also switch off the power supply.
Re: (Score:1)
So you can only be owned while your computer is on, congratulations.
Not that it changes much -- while the computer is "off" (aka S5), the RAM isn't refreshed and the non-SB power rails are down, so pretty much all the ME can do at that point is pinging home, mining BTC or turning on the machine.
Re: (Score:2)
Sigh. (Score:2)
"Preorder from $1,199"
For a Core M, Intel HD Graphics, 8GB, 11.6" laptop.
That's some pricey freedom.
They don't even have a model with an Ethernet port (which makes me question what disabling the ME actually does anyway, because isn't the ME for things like OOB access?).
Sorry, but - as always - I have to live in the real world rather than some scene out of Hackers. And if I really valued my freedom and genuinely thought things like this were the threat, I wouldn't be using any of these machines, no matter t
Re:Sigh. (Score:4, Interesting)
> "Preorder from $1,199"
> For a Core M, Intel HD Graphics, 8GB, 11.6" laptop.
> That's some pricey freedom.
> They don't even have a model with an Ethernet port (which makes me question what disabling the ME actually does anyway, because isn't the ME for things like OOB access?).
> Sorry, but - as always - I have to live in the real world rather than some scene out of Hackers. And if I really valued my freedom and genuinely thought things like this were the threat, I wouldn't be using any of these machines, no matter the cost.
They don't include an ethernet port on the machines because there is no compatible hardware they can install on their devices which can be operated within Linux without requiring use of a firmware blob. As a Purism Librem 15v3 owner, I'm not quite as hardcore as Purism themselves are, so I am willing to use firmware blobs for specific devices. So instead of PureOS I run Arch. I have also replaced the 100% libre Atheros wifi hardware with an Intel module because the Atheros module had less than great performance (plus doesn't support 802.11ac). As for ethernet, I have a USB3/Ethernet dongle that I use for that purpose. Having said all that, I have used Purism's update to completely disable Intel ME on my laptop and everything is working without a hitch. I don't trust Intel ME. I'm willing to trust tiny firmware blobs for specific devices in specific cases. I'm not willing to trust an entirely separate and unauditable system that operates independently and secretly. No sir. IME is a cancer (and PSP by extension) on modern day computing.
To those that claim that you can disable and remove Intel ME on other laptops, so this really isn't a big deal or particularly notable. You are telling half truths. For older hardware that is certainly true. For Skylake level hardware there are no other devices that have had or currently can have the Intel ME removed/neutralized/disabled. me_cleaner doesn't support Skylake level systems yet. In fact the Purism update process makes use of a forked version of the me_cleaner which contains changes Purism has made to accommodate their Skylake hardware. They plan on switching back to me_cleaner once all of their patches are accepted in the upstream project.
But hey, don't take my word for it. Cruise the blogs and forums on Purism's website if you want to learn more. Don't take my word for it. Don't take anybody's word for it. Especially not Intel's, much less AMD's.
Re: (Score:2)
Ethernet adaptors are one of the most-highly-open-sourced categories of device in the world. Drivers for Linux - almost always entirely-source unless they are serious TCP offloading things aimed at HPC - exist for network cards before ANYTHING else.
Sure, maybe the onboard Ethernet is tied into the firmware, so put in a daughterboard and a cheap chip (there are literally Ethernet daughterboards available, retail, for less than $15 - let alone, in bulk, part of the design, modules etc.). A compatible Gigab
Re: (Score:2)
Ah, the Apple method:
"That device you paid a bundle for? Yeah, just buy a ton of extra cables, adaptors and dongles from other people and carry them wherever you go."
No thanks.
Who is their real customer? (Score:1)
Re: (Score:3)
There is also the group that doesn't want to be treated like criminals.
No need to be paranoid to watch over your privacy. Frankly, it is nothing short of amazing how much stuff already happens behind your back and is innocently sending data back home... any application that can send data, can set up a reverse tunnel to do whatever it likes.
Therefore I went back to the way internet was accessed before the turn of century: you access it by proxy (socks5 or otherwise), and if you do not know the proxy, then no
Intel created a backdoor in the ME .. (Score:1)
I suspect the 'flaw' was intentional as the NSA ordered Intel to implement a kill switch [theregister.co.uk] into the design and the 'flaw' allowed
Packet filtering? (Score:3)
Why not just filter all IME frames at the ethernet switch level?
Re: (Score:2)
I realize it is of limited use - but I'd love to know if IME packets can be easily identified.
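On the question in this sub-thread of whether ME/AMT traffic can be identified: the following is an added example, not part of the original thread. AMT's management services use IANA-registered ports (16992-16995, plus 623/664), so flow records exported from a switch or router can be checked for them; the capture has to be off-host, since the report quoted earlier in the thread notes that Wireshark on the machine itself did not see the ME's packets. The record format, addresses and management subnet below are constructed for illustration, and the check only recognises these standard ports, not traffic sent by other means.

```python
"""Flag flow records that touch the well-known Intel AMT service ports."""
import ipaddress
from collections import defaultdict
from typing import NamedTuple

# Ports on which AMT's out-of-band services listen.
AMT_PORTS = {
    16992: "amt-soap-http",
    16993: "amt-soap-https",
    16994: "amt-redir-tcp (SOL/IDE-R redirection)",
    16995: "amt-redir-tls (SOL/IDE-R redirection over TLS)",
    623: "oob-ws-http / asf-rmcp (also used by IPMI BMCs)",
    664: "oob-ws-https / asf-secure-rmcp",
}


class Flow(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


# Constructed sample records, not real captures.
SAMPLE_FLOWS = """\
# ts src sport dst dport proto
2017-10-21T09:00:01Z 10.0.9.5 51544 10.0.5.77 16992 tcp
2017-10-21T09:00:01Z 10.0.5.77 16992 10.0.9.5 51544 tcp
2017-10-21T09:03:12Z 192.0.2.44 40211 10.0.5.77 16994 tcp
2017-10-21T09:04:40Z 10.0.5.80 16993 198.51.100.7 443 tcp
2017-10-21T09:05:02Z 10.0.5.81 55001 198.51.100.7 443 tcp
2017-10-21T09:06:30Z 10.0.9.5 49822 10.0.5.90 623 udp
"""


def parse_flows(text):
    """Parse whitespace-separated flow records, skipping blanks and comments."""
    flows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        ts, src, sport, dst, dport, proto = fields
        ipaddress.ip_address(src)  # reject malformed addresses early
        ipaddress.ip_address(dst)
        flows.append(Flow(ts, src, int(sport), dst, int(dport), proto.lower()))
    return flows


def amt_endpoint(flow):
    """Return (listener_ip, port, peer_ip) if the flow touches an AMT port."""
    if flow.dport in AMT_PORTS:
        return flow.dst, flow.dport, flow.src
    # Reply direction. Requiring a non-well-known peer port avoids flagging a
    # client whose ephemeral source port merely collides with an AMT port
    # while it talks to, say, an HTTPS server on 443.
    if flow.sport in AMT_PORTS and flow.dport >= 1024:
        return flow.src, flow.sport, flow.dst
    return None


def find_amt_traffic(flows, mgmt_nets=("10.0.9.0/24",)):
    """Group AMT-port traffic by listening host.

    mgmt_nets is an assumed allow-list of subnets where management consoles
    live; peers outside it are reported as unexpected.
    """
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    report = defaultdict(
        lambda: {"ports": set(), "peers": set(), "unexpected_peers": set()}
    )
    for flow in flows:
        hit = amt_endpoint(flow)
        if hit is None:
            continue
        listener, port, peer = hit
        entry = report[listener]
        entry["ports"].add(port)
        entry["peers"].add(peer)
        if not any(ipaddress.ip_address(peer) in net for net in nets):
            entry["unexpected_peers"].add(peer)
    return dict(report)


if __name__ == "__main__":
    for host, info in sorted(find_amt_traffic(parse_flows(SAMPLE_FLOWS)).items()):
        names = ", ".join(f"{p} ({AMT_PORTS[p]})" for p in sorted(info["ports"]))
        print(f"{host}: {names}")
        for peer in sorted(info["unexpected_peers"]):
            print(f"  peer outside management subnet: {peer}")
```

The same port list can drive a drop rule on the switch or firewall in front of machines that are not supposed to be remotely managed.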
Jumper setting on Motherboard (Score:2)
My latest build was on an ASUS B250 MB, which contains a jumper setting to shut down ME. Note that the default setting is to allow ME. Always read your manual!
Now a good follow up question: Does the jumper setting really work or does it just make me believe I turned ME off?
Oh reeeeeeeeeeally... (Score:3)
"Purism Now Offers Laptops with Intel's 'Management Engine' Disabled"
Or is that just what they want you to believe, hmmm? (cue the paranoia music...)
Anyone here with experience of their OS? (Score:2)
Can anyone provide (or link to) comprehensive reviews/analysis of Purism's "PureOS" (as I understand it a debian variant)?
Just the hardware alone isn't enough, we need to look at the software/OS as well if we're gonna talk about something being "secure"