Dell Begins Offering Laptops With Intel's 'Management Engine' Disabled (liliputing.com) 140
An anonymous reader quotes Liliputing.com
Linux computer vendor System76 announced this week that it will roll out a firmware update to disable Intel Management Engine on laptops sold in the past few years. Purism will also disable Intel Management Engine on computers it sells moving forward. Those two computer companies are pretty small players in the multi-billion dollar PC industry. But it turns out one of the world's largest PC companies is also offering customers the option of buying a computer with Intel Management Engine disabled.
At least three Dell computers can be configured with an "Intel vPro -- ME Inoperable, Custom Order" option, although you'll have to pay a little extra for those configurations... While Intel doesn't officially provide an option to disable its Management Engine, independent security researchers have discovered methods for doing that and we're starting to see PC makers make use of those methods.
The option appears to be available on most of Dell's Latitude laptops (from the 12- to 15-inch screens), including the 7480, 5480, and 5580 and the Latitude 14 5000 Series (as well as several "Rugged" and "Rugged Extreme" models).
Dell is charging anywhere from $20.92 to $40 to disable Intel's Management Engine.
At least three Dell computers can be configured with an "Intel vPro -- ME Inoperable, Custom Order" option, although you'll have to pay a little extra for those configurations... While Intel doesn't officially provide an option to disable its Management Engine, independent security researchers have discovered methods for doing that and we're starting to see PC makers make use of those methods.
The option appears to be available on most of Dell's Latitude laptops (from the 12- to 15-inch screens), including the 7480, 5480, and 5580 and the Latitude 14 5000 Series (as well as several "Rugged" and "Rugged Extreme" models).
Dell is charging anywhere from $20.92 to $40 to disable Intel's Management Engine.
Thanks for the value Dell! (Score:1)
Make me pay extra to have something disabled which should never have existed in the first place. Just buy AMD and enjoy security through obscurity!
the problem with opt-out and herd immunity (Score:4, Insightful)
In general opt-out is problematic. Most people don't do it then the vendors say "see no one wants to opt-out", making it a self-fulfilling prophecy. Now imagine you charge them or limit their options to some expensive computer models if they want to opt-out. That's not going to work.
And the basic problem here is that it's not me that I'm worried about it's, collectively, everyone else. The same logic as getting a Flu shot. THe herd immunity protects you more than the flu shot you just got.
I want everyone else to have a secure computer. And not just so they aren't mailing me trojans in cat pictures or attacking me across the network, But also so they aren't attacking my bank or DDOS-ing netflix when I'm watching Game of thrones.
Re: (Score:2)
Luckily for you, Game of Thrones is not available on Netflix.
Re:Thanks for the value Dell! (Score:5, Insightful)
Re: (Score:1)
It likely didn't require any effort above what they already did to sell to US FedGov. Look up High Assurance Platform.
Re: (Score:1)
Except they don't have to, and didn't. It was previously reverse engineered by others [ptsecurity.com].
I'd bet $10.00 that this is an attempt by Dell to gouge certain types out of more money. Heck I wouldn't be surprised if they try to prevent the end user from doing it themselves in some way, just to help ensure a profit.
This is why you don't hand control of things t
Re: (Score:2)
Re: (Score:2, Informative)
It's not in the CPU - the IME is in the South Bridge. AMD has their own version. I wouldn't be surprised if ARM has theirs as well.
Re: (Score:1)
Only on older models. It's on the CPU die now.
AMD's equivalent is a standalone ARM Trustzone chip that probably isn't implemented in their Southbridge, either. I don't think.
Re: (Score:2)
Re: Thanks for the value Dell! (Score:1)
but their PSP can not connect to ethernet or Wi-Fi and doesn't provide built-in KVM like Intel AMT.
Re: (Score:2)
How do you know?
Re: (Score:2)
Re: (Score:3, Informative)
TrustZone is just a hardware-level (think at the data bus level) capability to allow software to be non-secure (eg, Normal World) or secure (eg, Secure World). This happens at the at the AXI interface level with a special bit called the 'NS bit'. Every single AXI transaction carries this bit. Now, on its own this is harmless as TrustZone requires another software-level portion of this called the TrustZone Secure Monitor (ARMv7 and prior) or ARM Trusted Firmware (ARMv8 and later).
ARM Trusted Firmware (ATF
Re: (Score:3)
PSP [amd.com] (now ASP, actually -- wasn't aware of the name change) makes use of TrustZone.
The Platform Security Processor (PSP) [libreboot.org] is built in on all Family 16h + systems (basically anything post-2013), and controls the main x86 core startup. PSP firmware is cryptographically signed with a strong key similar to the Intel ME. If the PSP firmware is not present, or if the AMD signing key is not present, the x86 cores will not be released from reset, rendering the system inoperable.
The PSP is an ARM core with TrustZone technology, built onto the main CPU die. As such, it has the ability to hide its own program code, scratch RAM, and any data it may have taken and stored from the lesser-privileged x86 system RAM (kernel encryption keys, login data, browsing history, keystrokes, who knows!). To make matters worse, the PSP theoretically has access to the entire system memory space (AMD either will not or cannot deny this, and it would seem to be required to allow the DRM “features” to work as intended), which means that it has at minimum MMIO-based access to the network controllers and any other PCI/PCIe peripherals installed on the system.
So, as I said, PSP (neigh ASP) is AMD's version of Intel's ME and is based on ARM TrustZone. It's literally an ARM core with TrustZone that manages the boot process and provides various out-of-band features separate from the x86 cores.
You are correct, though, that Tru
Re: (Score:2)
Re: (Score:3)
Worse (Score:3)
The situation is a bit worse with Qualcom chipsets.
The thing running with Intel ME on the motherboard's own embed computer, or with AMD PSP on the extra security core on the latest CPUs, is just basically a ROM.
You're free to hack it.
You might break your computer while doing it (e.g.: some require signed bit to get executed, most of these embed "ring -3" OSes have watchdogs that force the whole system to reboot or not even leave reset if they don't trigger, etc.)
But you can still break your computer if you
Re: (Score:3)
It is not the same thing with AMD and currently it is unbroken for AMD. Intel seems to really have screwed up the security of the ME, while AMD seem to have been a lot more conservative.
I fully agree that it is a problem there as well and that these things need to be auditable by anyone and reliably disabling must be possible.
Re: Thanks for the value Dell! (Score:2)
DIY (Score:3, Interesting)
So in theory, it doesn't matter if you order one of these 'Custom Order' editions? You'll be able to apply the exact same changes yourself?
Re:DIY (Score:4, Insightful)
I assume the system remains under warranty if Dell does it.
Re: (Score:2)
New slogan! (Score:5, Funny)
Intel Management Engine: the original Systemd. ;)
Re: (Score:2)
"Disabled", not disabled. (Score:5, Interesting)
Does anyone trust Intel or Dell (or AMD or anyone else) enough at this point to actually believe that the chip is disabled? Or that it won't just be magically re-enabled the first time you log in to the machine? How can anyone independently verify that the chip is actually disabled and stays that way?
We need to move back towards more open hardware and things like physical switches to turn devices on and off, DIP switches to configure hardware, and on-board fuses that can be permanently blown to disable things you don't want. Oh, and mainboards/CPUs/chipsets that don't have this deep-state backdoor bullshit built-in in the first place.
None of this shit should have EVER found its way into consumer-grade hardware. EVER. The out of band management hardware should only have been able to be ordered on enterprise grade servers. This is really the only valid use case for this kind of technology. I've worked in a number of large corporate environments, and never once has the ME/vPro shit even been used on desktop PCs. Build it in to the servers that need it, and if a company really NEEDS it for their desktop support method, then it should be a special order.
Until it's physically gone from the board, you can bet it's never going to be permanently disabled.
Re: (Score:3)
No, it won't be disabled. It'll just be hidden, as usual. It'll still be in the silicon and they'll still be able to reenable it at will.
I've also never seen it used. For servers, OEMs add in their own controller chip to implement IPMI and their custom shit, and that's all you need. Dell's DRAC/iDRAC, HP's iLO, etc. They don't live in the CPU have ring negative 9999 access, and you can turn them off!
Re: (Score:3)
I've also never seen it used.
Not for anything useful, however it is well known to cause horrible, unavoidable latency spikes in real time response, for example in financial transaction platforms.
Not in the CPU. (Score:2)
They don't live in the CPU have ring negative 9999 access, and you can turn them off!
AMD's PSP lives in the CPU.
Intel's ME is a ARC core on the motherboard's chipset.
As in : in theory, you could remove the RAM and the CPU out of their socket, and as long as there's a PSU connected to the motherboard, this shit still runs.
(In practice, the system running on it requires a bit of cooperation from the main CPU and expects a little bit of RAM handed to it. So without CPU and RAM in the socket, the OS will probably crash, but that's just an implementation details. The actual hardware is separate
Re:"Disabled", not disabled. (Score:5, Insightful)
On what basis do you claim this? Since Dell is not being specific about how they disable it there's very little reason to assume that it's a physical change. Since the Intel Management Engine can reasonable considered to be directly accessible to law enforcement, I don't see why most vendors will not leave it accessible to court ordered access. They consider it important to cooperate with national governments to retain export licenses and government contract work.
Re: (Score:3)
What we know so far:
- There is a disable bit, added at the request of the NSA, to support "High-Assurance Platform" mode. It's supposed to be reserved for government use, but is available on most (all?) consumer hardware too. There is no official mechanism to enable it, only a hack, so it's not clear if Dell is using it.
- Due to flaws in the way that the ME does integrity checks you can actually just erase most of the ME firmware, leaving only the early boot code necessary to bring the system up from cold.
Re: (Score:2)
Re: (Score:2)
NSA ANT catalog https://en.wikipedia.org/wiki/... [wikipedia.org]
Think the thinking around SWAP, DEITYBOUNCE, IRONCHEF, Straitbizarre, Unitedrake.
Re: (Score:2)
Re: (Score:2)
Fuck you, shill. Physically present is physically enabled.
Re: "Disabled", not disabled. (Score:1)
Sure, use a dip switch for everything. And then build an extra room in your house so you have space for your mainboard.
Re: (Score:2)
It's all microcontrollers these days, DIP switches mean nothing since you can't be sure the firmware code will honour the DIP switches configurations.
Re: "Disabled", not disabled. (Score:3)
Re: (Score:2)
DIP switches were fine for selecting adresses, IRQs and DMAs but what good could they do now apart from being on/off switches? As I said, everything is now integrated in microcontrollers these days. All you could hope to do is toggle power to complete microcontrollers but since they each do a lot of functions in a single chip, even that idea wouldn't work.
Re: "Disabled", not disabled. (Score:2)
Re: (Score:2)
It's all microcontrollers these days, DIP switches mean nothing since you can't be sure the firmware code will honour the DIP switches configurations.
It will honor it when it is a power switch.
Re:"Disabled", not disabled. (Score:5, Insightful)
The reason this shit is in consumer-grade hardware is because it's a "free feature". So, why not include it? It's the same reasoning as to why we can't buy a consumer TV without tons of "smart TV" features we don't want. After all, it's cheaper to offer only a single SKU.
Companies throw in these "extras", but apparently don't really consider the fact that sometimes, extra features can actually be "anti-features", in that they might have an actual penalty in terms of security or usability. It's why companies hoard their customers personal data, because its seen as nothing but beneficial, and not a potential privacy disaster for everyone else.
Only when companies that willfully put their customers security at risk are heavily penalized will they start treating security and privacy with the respect it deserves. Until then, it's going to be an uphill battle.
Re: (Score:2)
Companies throw in these "extras", knowing that consumers don't really consider the fact that sometimes, extra features can actually be "anti-features", in that they might have an actual penalty in terms of security or usability.
FTFY. These are features in the eyes of consumers. The overwhelming majority of people put more braincells to work deciding if they should grab a Mars bar or a Snickers while waiting in line at the checkout of a supermarket.
All the while the company can say: "Look this stuff you used to pay other vendors extra for you now get for free when you buy Intel!" People like free stuff regardless if the have any intention of using it or not.
Re: (Score:2)
Re: (Score:2, Informative)
Re: (Score:1)
Let's take a look at their C810 laptop product line. The cd-rom drive was on the same controller as the hard drive so when the CD started going bad the machine wouldn't boot.
The keyboard permanently imprinted itself on your laptop LCD when closed.
If you held it any way shape or form on the lid side there was a strong chance it would crack and/or crack the screen.
They also overheated like crazy. My company ordered 180 of these things and over 150 were lemons within the first year. Dell wouldn't stand behi
Re: (Score:2)
no way to know if its really disabled.
the companies have zero trust from us, for those that have been following along and are old enough to know better.
no way to know it won't just be opened up again in some other update, or even just via time or another trigger.
bottom line: the greed and lack of forthought that created ME can't be fixed. people will take a mile if you give them an inch, and that goes double (huh?) for those who have a taste for power.
the bad guys will always want to have ways to get into
*NEVER ONBOARD FUSES* (Score:2, Interesting)
That is what they already use with cellphones to disable your ability to run DRM'd videos and such on a rooted/jailbroken device.
What we need is jumpers that can electrically disable hardware. As it is right now, even jumpers on the motherboard are most likely soft switches. If you doubt me, go read the spec sheets for SPI flash. Hint: No SPI flash chip actually respects the write-disable pin in hardware. All of them require external software support in order to strap the SPI flash to read-only mode, and on
Re: (Score:2)
Exactly! Is there firmware update open source so users can verify it?
On top of that, just how valuable might the list of those who have paid to have it disabled be to government agencies? They could be making money from the buyer, the agency paying them for the new backdoor, and the agency paying for the list of those that paid to have the ME remove and thus have a higher probability of having something to hide. As a company, how could Dell pass this up!
Re: (Score:3)
From the start this was a problem (Score:5, Interesting)
Well, its a start, at least. With a little luck, maybe vendors will get the message that we don't want this black box privacy invading systems in our computers. I remember when Intel had us over to show off their latest and greatest and they were just gushing with pride over this system. I asked them then about the potential privacy and security problems and all they could answer with is don't worry, it will be the most secure system ever made. Like I haven't heard that a million times with the same result. After that, I was just treated like the party buzzkill.
Re: (Score:2)
After that, I was just treated like the party buzzkill.
That's what you get if you insist to be the security guy at the marketing meeting.
Re: (Score:2)
Well, my boss had a brain and wanted someone who knew what the hell they were actually talking about at the event. He turned white as a sheet when I translated it for him. We started buying AMD after that.
Recent AMDs (Score:2)
We started buying AMD after that.
Speaking of which, have you found a way to disable AMD PSP on their latest CPUs ?
Or do you just keep buying the pre-PSP ones ?
Re: (Score:2)
This is when Intel was just releasing their Intel ME system so, AMD didn't have an equivalent yet. Then, the race to the bottom began. If I was still in that position, I'd be having to make some hard choices right now. Mostly based off which system I could be most certain that these system on a chips were fully disabled. I wish we could physically pull them from the boards myself.
Embbed system (Score:2)
I remember some time back there was a NIC card which had some kind of cpu/ram/etc with it. I think it may have been able to offload torrents or something like that.
One such NIC was the Killer NIC [wikipedia.org] (no, not that [fiftythree.org] one).
Microsoft Research also developed an USB variation [archive.org] of this.
Do we need that kind of things these days and maybe some BSD based guardian to live there to report on any strange stuff being sent or received?
Basically you would have a computer spending full time making sure your computer is secure, or trying to.
That's exactly how Intel ME /AMT and how IPMI (the industry standard equivalent for servers) were sold back then. :
The only exception
- they were sold to management, not to you the end-user. So ITs could remotely manage your workstation or company servers remotely, even if they are powered down, while keeping you, the user entirely out of the loop.
- nobody though about software freedo
Disabling the Intel ME - direct story link (Score:5, Informative)
Rather than having to follow yet a Slashdot link to another Slashdot link, which then has a link to the actual story - here is a direct one:
Researchers find a way to disable Intel's Management Engine [bleepingcomputer.com].
Re: (Score:2)
If we discussed something on Slashdot before it is of great value to click through and read the comments rather than posting a direct link and have the same discussions over and over again.
Re: (Score:2)
Is unprovision the same as disabled? (Score:2)
I ran the INTEL-SA-00075 procedures to verify unprovisioning and that the LMS service was stopped. My question i
Re: (Score:3)
"<code>" tag abused, comment ignored.
Re: (Score:2)
Re: (Score:1)
For what it's worth, among the more alarming bugs found in ME is the ability to bypass password protection, so the strength of your password doesn't really matter.
does AMD have this sort of feature? (Score:2)
Re:does AMD have this sort of feature? (Score:4, Informative)
Yes, it's called a "Platform Security Processor".
1. https://libreboot.org/faq.html... [libreboot.org]
Re: (Score:1)
Note, however, that it's only on Ryzen (and on some of their more recent CPUs with integrated graphics). The FX-series of desktop processors don't have it. The second-hand market might serve you well at this point.
Thank you to the Linux laptop vendor (Score:5, Insightful)
Thank you to the Linux hardware vendor [system76.com] who took the leadership role in opting out of this Intel spyware madness. For any of you thinking about finally escaping the Windows chamber of horrors, this company deserves your business.
Re: Thank you to the Linux laptop vendor (Score:5, Informative)
You forgot about Purism. I believe they were the first ones to offer laptops with Intel ME disabled, back in October.
https://hardware.slashdot.org/story/17/10/29/0324201/purism-now-offers-laptops-with-intels-management-engine-disabled
Re: (Score:2)
Thanks for the catch.
Full Control (Score:1)
I'd have been fine if I had 100% control of this processor.
Nope, sneaky ass shit from all sides in how it works. Security through obscurity. Feature Bloat out the ass with no way to disable stuff you don't need.
Fuck. That.
I will only forgive them if they make new versions 100% open. Then we can install our own OSes as we see fit.
They could even make the first step by open sourcing it.
Will they? Fuck naw. It's Intel. They are the Sony of CPUs.
EZ way to cripple Intel AMT/ME (Score:1)
Stop it's ability to send info. outward via router port filtering ports 16992-16995 + 623-625 Intel AMT/ME uses in a modem/router external to OS/PC.
Intel ME/AMT operates from your motherboard but has NO CONTROL OF YOUR MODEM/ROUTER!
(This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)
Additionally, once you disable the AMT engine's software interface (ez via software articles note)? A malware to 'repatch' this
Other things of equivalent value (Score:2)
Dell is charging anywhere from $20.92 to $40 to disable Intel's Management Engine.
A fast ARM SoC would add $20-$40 to the BOM price of a product. The slightly improved graphics for laptops is around $40 (maybe closer to $45). There are probably lots of things of value that could have been added to the system instead of IME only to have each vendor go to the effort to disable it for customers that really don't want it.
I think it's a bit suspect that Intel went to the effort to create and hide ME, when it doesn't appear to offer value to the end user. I only have read lots of hand waiving
ME Cleaner on github (Score:4, Informative)
https://github.com/corna/me_cl... [github.com]
Charging who? (Score:1)
They are charging Intel or the customer? Yes, I already know the answer, but it is worth asking, isn't it?
I'm asking because I don't understand why we should pay to remove Spy(hard)ware.
What is it? (Score:2)
Re: (Score:3)
Lights-out management.
When these things are sitting in datacentres, corporate networks, or any of a thousand other legitimate places, they can be managed by a remote support person via the network even if they can't even boot (e.g. BIOS access, switching to PXE booting and re-imaging and then restoring to normal operation, debugging, etc.).
It's a legitimate feature, which is used by lots of places that want such a feature. However, what it's doing ENABLED BY DEFAULT is another question entirely, as it is l
"Less is more!" (Score:2)
... so obviously one has to pay more to get a laptop less the Intel Management Engine.
It makes total sense.
Retrofit for free? (Score:1)
Dell has a program that will (allegedly) disable it in computers that have already been sold. Free.
Why not buy a Dell and then disable it with the free program?
Because by then, the damage may already have been done, perhaps.
A possibly helpful link: https://downloadcenter.intel.c... [intel.com]
Re:For people with a life... (Score:5, Insightful)
Intel created it's own operating system on a chip that is almost completely outside of user control. It has full functionality to read and take control of any part of your PC, even when it is powered off. All the code is black boxed and unreadable to the user so there is no auditing it to see if it is secure. If a hacker or virus was able to re-write the OS on the chip (something that has confirmed to be possible), they would have complete control of your system with virtually no way to remove it. For people in the tinfoil hat club (a club I visit from time to time), this means that Intel, and anyone that they choose to grant access to, such as FBI, NSA, etc., can clandestinely monitor all activity that you do on your PC without any indication that they are doing so and no security software that you run, commercial or home-brew, will alert you to the monitoring.
Re: (Score:2)
Re: (Score:1)
What is the alleged upside to Intel ME?
The Department of Justice has not yet sued them out of existence.
Re:For people with a life... (Score:5, Insightful)
Well, that's fucking scary. What is the alleged upside to Intel ME? Asking for a friend...
Mass configuration, deployment, and recovery for a large fleet of desktop computers you are tasks with managing.
You enable ME to remotely control the hardware and provision its boot drive, and manage the initial setup of the OS down for untrained staff for repair purposes.
You can enable it by hitting Control-P at boot, turn ME on, setup an IP/vlan, and upload a public key into it to authenticate.
Alternately you can load some config files on a USB stick to do that, and hitting Control-P will see this and use those configs for you.
Alternately again, if you buy a hundred or more PCs a year, you can provide a special public key and ME-Manager IP address to your OEM, and they put it into a special provisioning mode with that info.
On first boot it will contact your provisioning server and accept configurations sighed with that special keypairs private key, and the provisioning server then uploads the real public key and other settings.
Once provisioned, you can instruct the system to mount an ISO image over the network to be in the optical drives place, and send power on/off events.
Generally you'll do this to load your initial OS base image and let it image the HD for your company.
Once that part completes, the base image OS does its own initial setup depending on OS (Active directory for windows; ldap with puppet for unix or RedHats launchpad as just two examples)
When a desktop has a boot drive failure, you can order a new HD and have it shipped to the branch office, and have nearly anyone swap the HD out.
In the mean time you've reset the system to be in provisioning mode, so you instruct your "remote hands" to change out the HD for the new one and hit the power button.
The system comes up and has the HD imaged again, either with a previous backup, or your base image, and go from there.
The concept is a great one.
However the GP is telling the truth when they say the ME code can't be audited.
That's a pretty big problem as you have to trust Intel that it does what they say it does.
Of course to even get to ME, you need either layer-3 network access or physical access.
If one has physical access they already "own" the system, and already falls under physical security instead.
It's the local LAN access that can be a problem.
The concern in the real world isn't so much about Intel or the government, as those bodies already don't have access into our firewalls nor do we provide them VPN access in. It's about other employees which need to be in the building to do their work and thus have access to the LAN.
GP also intentionally confused the separate issues with taking over the ME code.
Researchers have found code exploits and used those to perform the hijacking of the ME.
There is zero evidence Intel has any additional access than is claimed.
This is like saying a one-off typo in some code that results in a remote exploit in your webserver is the exact same thing as the makers of that webserver intentionally granting someone else access to your system. And that is rarely the case.
As the ME code isn't able to be audited the possibility is not zero percent.
But even if it could be shown Intels code has no backdoors and everything is written to work exactly like the ME documentation says it does, that only means Intel is trustworthy in their intentions. Bugs in code that result in an exploit are still very possible and still a real threat.
I just don't see the usefulness of saying "Looks like a bug in OpenSSH has an exploit, and Linus allowed it to be put on Linux, thusly I will never trust another thing Linus says or writes including any patches to fix the problem" purely due to not being smart enough to understand the math and code doing encryption.
Re: (Score:2)
Re:For people with a life... (Score:4, Interesting)
Most of that is simply false, and I have proven it myself with HP Compaq, EliteDesk, and EliteBook hardware.
You don't need access inside a network or on the physical machine, it has been proven to "call home" and receive orders much as botnets do, over unblocked HTTP requests.
Etherial shows nothing except ARP traffic while powered off, or powered on in any mode but provisioning mode.
In provisioning mode Etherial shows two TCP connections to my provisioning server, and neither are HTTP.
You can't stop it if it is plugged into a network
Until ME is enabled, it doesn't even perform ARP requests let alone is capable or tries to send packets anywhere.
and all of the benefits you listed already existed in other forms which didn't require a massive multi-million-dollar engineering effort to stick inside the chip undetected for years.
It was never hidden in the chip, you just didn't bother reading Intels documentation, which was publicly available on Intels website since before vPro and ME hit the market.
Yes management cards were available before, but they are equally closed source and not auditable, and cost extra per PC to deploy.
If it were legitimate it would have been public knowledge from the start,
Which is has been.
https://software.intel.com/en-us/articles/intel-active-management-technology-start-here-guide-intel-amt-9 [intel.com]
https://www.intel.com/content/www/us/en/software/setup-configuration-software.html [intel.com]
Documentation goes back to 2008 when vPro, the software containing ME, was released.
not a secret projects the alphabet agencies recruited hardware developers for, required top secret clearance to undertake within the Intel team working on it, etc.
Any evidence for that claim? Other than Intels own website and documentation that disproves it was "secret"?
The justifications for the existence of it are like the shills
Oh, damn, wish I saw that sooner before actually providing you with facts you don't care about.
Yes, I use technology, that makes me a shill by your definition.
Continue on with your fantasies, I'll stop ruining them.
Re: (Score:1)
Oh, damn, wish I saw that sooner before actually providing you with facts you don't care about. Yes, I use technology, that makes me a shill by your definition. Continue on with your fantasies, I'll stop ruining them.
Funny, I've spent the past decade in crypto work. Guess you're the expert on shady shit and why people do it though, being someone willing to put so much effort into Correcting The Record .
Re: (Score:2)
The funny thing here is that any credibility you had you just lost with a really lame attempt at appeal to authority while at the same time directly attacking the person you responded to rather than their content.
I sincerely hope you're better at "crypto work" than you are at discussing something.
Re: (Score:2)
Re: (Score:2)
There was no legitimate content to respond to
I thought you were an appeal to authority. I thought authorities could read.
hence why my opinion as a computer security expert is infinitely more valuable
But it turns out you're just a clown. But a good one. You made me laugh and I am generally considered not to have a sense of humour. I proclaim you the authority on being a clown!
Re: (Score:2)
Re: (Score:2)
https://software.intel.com/shibboleet/apply-holy-handgranade/calculate-airpeed-of-a-swallow/buzzword-buzzword.html [slashdot.org] is not exactly "public knowledge". But the first chapter of the Hitchhiker's Guide to the Galaxy is. It shows the exact same issue.
Off course, this is all fine and dandy for specially ordered corporate machines, but for consumer electronics it is plain scary. Whether someone has hidden a documenting pin in a haystack or not.
Re: (Score:1)
Mass configuration, deployment, and recovery for a large fleet of desktop computers you are tasks with managing.
You enable ME to remotely control the hardware and provision its boot drive, and manage the initial setup of the OS down for untrained staff for repair purposes.
You can enable it by hitting Control-P at boot, turn ME on, setup an IP/vlan, and upload a public key into it to authenticate.
Alternately you can load some config files on a USB stick to do that, and hitting Control-P will see this and use those configs for you.
You're confusing the ME hardware and operating system with AMT, one of the applications that runs on them.
https://en.wikipedia.org/wiki/Intel_Management_Engine [wikipedia.org]:
Re: (Score:1)
Of course to even get to ME, you need either layer-3 network access or physical access.
Maybe not. One problem is that ME runs a custom version of MINIX: sure enough, the thing has a full TCP/IP stack. Maybe it has even drivers for a bunch of very common PCI-E network/WiFi cards, or USB ones (would be easier too). Which means that you *could* have someone peeking in your PC even from the Internet... and even if you attached the LAN cable to a discrete card instead of the motherboard plug.
Not knowing is the real problem here...
Re: (Score:2)
> What is the alleged upside to Intel ME?
For a laptop or home PC, none.
for Corporate IT management. If you have a PC/Server lock-up (or have a user/virus disable remote management.) They do not have to locate the PC, to push updates and cold boot/restart...
Another example is a UPS shutdown without forcing a power cycle of the UPS (and thus all devices on the UPS) you can boot a single PC.
Re: (Score:2)
Well, that's fucking scary. What is the alleged upside to Intel ME? Asking for a friend...
There is none. It was created in a secret program within Intel, hidden for years, only the US and Israeli governments have access to it, and it consumes resources on the machine it operates on while spying and intercepting everything going through it to transmit off for analysis (when it doesn't do the analysis locally.)
After they were discovered they suggested it was a means to allow for remote management of machines by system admins, but no system admins actually have access to it anywhere to do more tha
Re: (Score:2)
That one engineer can work on a lot more computers.
No more union workers needed 24/7 at another site to help get computer systems working again.
Re: (Score:2)
It is a great tool in a corporate setup. It's worse than useless in a private one.
Re: For people with a life... (Score:3)
Re: (Score:3)
The core is MINIX but, what has been cracked of it shows that Intel has rolled their own version of it. It's hard to be sure what is stock and what is Intel's at this point. I'm sure with all the hype that someone will jack the code off the chip and find out one way or the other. Either that or the source code will find it's way to Wikileaks.
Re: (Score:2)
Now that the secret is out (it was security by obscurity), hackers, viruses and trojans will try to hack your intel CPU. Once it's hacked, the hack could be inside the CPU itself so reformatting your HDD or even install a different OS wouldn't matter.
Re: (Score:2, Insightful)
What is Intel Management Engine and why is it so bad that we want to disable it?
I get this feeling you don't belong on a site for nerds, not quite sure where it comes from...