
Dell Begins Offering Laptops With Intel's 'Management Engine' Disabled (liliputing.com) 140

An anonymous reader quotes Liliputing.com: Linux computer vendor System76 announced this week that it will roll out a firmware update to disable Intel Management Engine on laptops sold in the past few years. Purism will also disable Intel Management Engine on computers it sells moving forward. Those two computer companies are pretty small players in the multi-billion dollar PC industry. But it turns out one of the world's largest PC companies is also offering customers the option of buying a computer with Intel Management Engine disabled.

At least three Dell computers can be configured with an "Intel vPro -- ME Inoperable, Custom Order" option, although you'll have to pay a little extra for those configurations... While Intel doesn't officially provide an option to disable its Management Engine, independent security researchers have discovered methods for doing that and we're starting to see PC makers make use of those methods.

The option appears to be available on most of Dell's Latitude laptops (from the 12- to 15-inch screens), including the 7480, 5480, and 5580 and the Latitude 14 5000 Series (as well as several "Rugged" and "Rugged Extreme" models).

Dell is charging anywhere from $20.92 to $40 to disable Intel's Management Engine.

  • by Anonymous Coward

    Make me pay extra to have something disabled which should never have existed in the first place. Just buy AMD and enjoy security through obscurity!

    • by goombah99 ( 560566 ) on Sunday December 03, 2017 @05:44PM (#55669425)

      In general opt-out is problematic. Most people don't do it then the vendors say "see no one wants to opt-out", making it a self-fulfilling prophecy. Now imagine you charge them or limit their options to some expensive computer models if they want to opt-out. That's not going to work.

      And the basic problem here is that it's not me that I'm worried about, it's, collectively, everyone else. The same logic as getting a flu shot. The herd immunity protects you more than the flu shot you just got.

      I want everyone else to have a secure computer. And not just so they aren't mailing me trojans in cat pictures or attacking me across the network, but also so they aren't attacking my bank or DDoS-ing Netflix when I'm watching Game of Thrones.

    • by NicknameUnavailable ( 4134147 ) on Sunday December 03, 2017 @05:56PM (#55669495)
      It's not Dell's fault and it did genuinely take some effort on their part to figure out a way to do this without bricking machines in a fairly reliable manner. They also tend to have the best support in the industry, meaning if Intel figures out a way to reactivate it Dell will be on the hook for disabling it again, $20-$40 is nothing for that kind of long term support on a system they have no actual control over.
      • by Anonymous Coward

        It likely didn't require any effort above what they already did to sell to US FedGov. Look up High Assurance Platform.

      • by Anonymous Coward

        It's not Dell's fault and it did genuinely take some effort on their part to figure out a way to do this without bricking machines in a fairly reliable manner.

        Except they don't have to, and didn't. It was previously reverse engineered by others [ptsecurity.com].

        I'd bet $10.00 that this is an attempt by Dell to gouge certain types out of more money. Heck I wouldn't be surprised if they try to prevent the end user from doing it themselves in some way, just to help ensure a profit.

        This is why you don't hand control of things t

    • Please do some research on AMD, they have the same functionality on their boards.
  • DIY (Score:3, Interesting)

    by Anonymous Coward on Sunday December 03, 2017 @04:42PM (#55669187)

    So in theory, it doesn't matter if you order one of these 'Custom Order' editions? You'll be able to apply the exact same changes yourself?

    • Re:DIY (Score:4, Insightful)

      by kav2k ( 1545689 ) on Sunday December 03, 2017 @06:40PM (#55669611)

      I assume the system remains under warranty if Dell does it.

    • I don't know whether this is just value-based pricing for something with zero cost or if Dell is actually delivering something different here. The reason that the Intel ME can be so intrusive is that it has complete control over the network interfaces. It's possible that these systems have the built-in network interface disabled (not connected to anything) and separate wireless/ethernet systems. Or maybe not, but until we know, we can't really say if this is reasonable or not.
  • New slogan! (Score:5, Funny)

    by Gravis Zero ( 934156 ) on Sunday December 03, 2017 @04:44PM (#55669197)

    Intel Management Engine: the original Systemd. ;)

  • by Anonymous Coward on Sunday December 03, 2017 @04:47PM (#55669203)

    Does anyone trust Intel or Dell (or AMD or anyone else) enough at this point to actually believe that the chip is disabled? Or that it won't just be magically re-enabled the first time you log in to the machine? How can anyone independently verify that the chip is actually disabled and stays that way?

    We need to move back towards more open hardware and things like physical switches to turn devices on and off, DIP switches to configure hardware, and on-board fuses that can be permanently blown to disable things you don't want. Oh, and mainboards/CPUs/chipsets that don't have this deep-state backdoor bullshit built-in in the first place.

    None of this shit should have EVER found its way into consumer-grade hardware. EVER. The out of band management hardware should only have been able to be ordered on enterprise grade servers. This is really the only valid use case for this kind of technology. I've worked in a number of large corporate environments, and never once has the ME/vPro shit even been used on desktop PCs. Build it in to the servers that need it, and if a company really NEEDS it for their desktop support method, then it should be a special order.

    Until it's physically gone from the board, you can bet it's never going to be permanently disabled.

    • No, it won't be disabled. It'll just be hidden, as usual. It'll still be in the silicon and they'll still be able to reenable it at will.
      I've also never seen it used. For servers, OEMs add in their own controller chip to implement IPMI and their custom shit, and that's all you need. Dell's DRAC/iDRAC, HP's iLO, etc. They don't live in the CPU have ring negative 9999 access, and you can turn them off!

      • I've also never seen it used.

        Not for anything useful, however it is well known to cause horrible, unavoidable latency spikes in real time response, for example in financial transaction platforms.

      • They don't live in the CPU have ring negative 9999 access, and you can turn them off!

        AMD's PSP lives in the CPU.

        Intel's ME is an ARC core on the motherboard's chipset.
        As in: in theory, you could remove the RAM and the CPU out of their socket, and as long as there's a PSU connected to the motherboard, this shit still runs.
        (In practice, the system running on it requires a bit of cooperation from the main CPU and expects a little bit of RAM handed to it. So without CPU and RAM in the socket, the OS will probably crash, but that's just an implementation detail. The actual hardware is separate

    • by Anonymous Coward

      Sure, use a dip switch for everything. And then build an extra room in your house so you have space for your mainboard.

      • It's all microcontrollers these days, DIP switches mean nothing since you can't be sure the firmware code will honour the DIP switches configurations.

        • They are talking about actual hardware control via dip switch, not a switch that is used to set a soft bit.
          • DIP switches were fine for selecting addresses, IRQs and DMAs but what good could they do now apart from being on/off switches? As I said, everything is now integrated in microcontrollers these days. All you could hope to do is toggle power to complete microcontrollers but since they each do a lot of functions in a single chip, even that idea wouldn't work.

        • It's all microcontrollers these days, DIP switches mean nothing since you can't be sure the firmware code will honour the DIP switches configurations.

          It will honor it when it is a power switch.

    • by Dutch Gun ( 899105 ) on Sunday December 03, 2017 @05:32PM (#55669387)

      The reason this shit is in consumer-grade hardware is because it's a "free feature". So, why not include it? It's the same reasoning as to why we can't buy a consumer TV without tons of "smart TV" features we don't want. After all, it's cheaper to offer only a single SKU.

      Companies throw in these "extras", but apparently don't really consider the fact that sometimes, extra features can actually be "anti-features", in that they might have an actual penalty in terms of security or usability. It's why companies hoard their customers' personal data, because it's seen as nothing but beneficial, and not a potential privacy disaster for everyone else.

      Only when companies that willfully put their customers' security at risk are heavily penalized will they start treating security and privacy with the respect it deserves. Until then, it's going to be an uphill battle.

      • Companies throw in these "extras", knowing that consumers don't really consider the fact that sometimes, extra features can actually be "anti-features", in that they might have an actual penalty in terms of security or usability.

        FTFY. These are features in the eyes of consumers. The overwhelming majority of people put more braincells to work deciding if they should grab a Mars bar or a Snickers while waiting in line at the checkout of a supermarket.

        All the while the company can say: "Look this stuff you used to pay other vendors extra for you now get for free when you buy Intel!" People like free stuff regardless if they have any intention of using it or not.

      • In the rare cases where they are anti-features, they can charge extra to disable them!
    • Re: (Score:2, Informative)

      Intel and Dell aren't even remotely the same. Intel is a largely foreign-owned corporation which integrates sleazy components like the management engine under secret projects on behalf of alphabet agencies. Dell on the other hand has the best hardware support I've encountered in my decade and a half in IT while the fucking owner is extremely approachable. I sent him a message years back, had a genuine conversation, and he seemed legitimately like a cool person who was really passionate about his projects
      • by Anonymous Coward

        Let's take a look at their C810 laptop product line. The cd-rom drive was on the same controller as the hard drive so when the CD started going bad the machine wouldn't boot.

        The keyboard permanently imprinted itself on your laptop LCD when closed.

        If you held it any way shape or form on the lid side there was a strong chance it would crack and/or crack the screen.

        They also overheated like crazy. My company ordered 180 of these things and over 150 were lemons within the first year. Dell wouldn't stand behi

    • no way to know if it's really disabled.

      the companies have zero trust from us, for those that have been following along and are old enough to know better.

      no way to know it won't just be opened up again in some other update, or even just via time or another trigger.

      bottom line: the greed and lack of forethought that created ME can't be fixed. people will take a mile if you give them an inch, and that goes double (huh?) for those who have a taste for power.

      the bad guys will always want to have ways to get into

    • by Anonymous Coward

      That is what they already use with cellphones to disable your ability to run DRM'd videos and such on a rooted/jailbroken device.

      What we need is jumpers that can electrically disable hardware. As it is right now, even jumpers on the motherboard are most likely soft switches. If you doubt me, go read the spec sheets for SPI flash. Hint: No SPI flash chip actually respects the write-disable pin in hardware. All of them require external software support in order to strap the SPI flash to read-only mode, and on

    • Exactly! Is there firmware update open source so users can verify it?

      On top of that, just how valuable might the list of those who have paid to have it disabled be to government agencies? They could be making money from the buyer, the agency paying them for the new backdoor, and the agency paying for the list of those that paid to have the ME removed and thus have a higher probability of having something to hide. As a company, how could Dell pass this up!

    • by tlhIngan ( 30335 )

      Does anyone trust Intel or Dell (or AMD or anyone else) enough at this point to actually believe that the chip is disabled? Or that it won't just be magically re-enabled the first time you log in to the machine? How can anyone independently verify that the chip is actually disabled and stays that way?

      We need to move back towards more open hardware and things like physical switches to turn devices on and off, DIP switches to configure hardware, and on-board fuses that can be permanently blown to disable thin

  • by TheReaperD ( 937405 ) on Sunday December 03, 2017 @04:48PM (#55669205)

    Well, it's a start, at least. With a little luck, maybe vendors will get the message that we don't want these black box privacy-invading systems in our computers. I remember when Intel had us over to show off their latest and greatest and they were just gushing with pride over this system. I asked them then about the potential privacy and security problems and all they could answer with is don't worry, it will be the most secure system ever made. Like I haven't heard that a million times with the same result. After that, I was just treated like the party buzzkill.

    • After that, I was just treated like the party buzzkill.

      That's what you get if you insist on being the security guy at the marketing meeting.

      • Well, my boss had a brain and wanted someone who knew what the hell they were actually talking about at the event. He turned white as a sheet when I translated it for him. We started buying AMD after that.

        • We started buying AMD after that.

          Speaking of which, have you found a way to disable AMD PSP on their latest CPUs?
          Or do you just keep buying the pre-PSP ones?

          • This is when Intel was just releasing their Intel ME system so, AMD didn't have an equivalent yet. Then, the race to the bottom began. If I was still in that position, I'd be having to make some hard choices right now. Mostly based off which system I could be most certain that these system on a chips were fully disabled. I wish we could physically pull them from the boards myself.

  • by 93 Escort Wagon ( 326346 ) on Sunday December 03, 2017 @04:50PM (#55669221)

    Rather than having to follow yet a Slashdot link to another Slashdot link, which then has a link to the actual story - here is a direct one:

    Researchers find a way to disable Intel's Management Engine [bleepingcomputer.com].

    • If we discussed something on Slashdot before it is of great value to click through and read the comments rather than posting a direct link and have the same discussions over and over again.

  • I have noticed a number of Intel ME articles recently appearing on Slashdot. On the business laptops I maintain, firmware was available to resolve latest issues. After installing the latest ME firmware, I performed an unprovision through BIOS, then I went into the ME settings via Ctrl-P and added a password to the ME settings. All the ME settings for IP addresses, etc. are blank.

    I ran the INTEL-SA-00075 procedures to verify unprovisioning and that the LMS service was stopped. My question i
  • inquiring minds want to know
  • by Tough Love ( 215404 ) on Sunday December 03, 2017 @05:32PM (#55669385)

    Thank you to the Linux hardware vendor [system76.com] who took the leadership role in opting out of this Intel spyware madness. For any of you thinking about finally escaping the Windows chamber of horrors, this company deserves your business.

  • by Anonymous Coward

    I'd have been fine if I had 100% control of this processor.
    Nope, sneaky ass shit from all sides in how it works. Security through obscurity. Feature Bloat out the ass with no way to disable stuff you don't need.
    Fuck. That.

    I will only forgive them if they make new versions 100% open. Then we can install our own OSes as we see fit.
    They could even make the first step by open sourcing it.
    Will they? Fuck naw. It's Intel. They are the Sony of CPUs.

  • by Anonymous Coward

    Stop its ability to send info outward via router port filtering ports 16992-16995 + 623-625 Intel AMT/ME uses in a modem/router external to OS/PC.

    Intel ME/AMT operates from your motherboard but has NO CONTROL OF YOUR MODEM/ROUTER!

    (This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)

    Additionally, once you disable the AMT engine's software interface (ez via software articles note)? A malware to 'repatch' this
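The router-side filtering described in the comment above can be checked against firewall logs. The following is an added example, not part of the original comment: it scans constructed log lines for traffic on the ports the comment lists and reports flows that crossed the LAN edge without being dropped. The log format, the LAN prefix and every address are assumptions made for illustration.

```python
import ipaddress
import re

# Ports exactly as listed in the comment above (taken from the comment, not re-verified).
AMT_PORT_RANGES = [(16992, 16995), (623, 625)]

# Constructed sample firewall log (assumed format, documentation/private addresses):
# "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
SAMPLE_FLOWS = """\
2017-12-03T17:01:10Z tcp 192.168.1.20:51514 -> 203.0.113.7:443 ACCEPT
2017-12-03T17:01:12Z tcp 198.51.100.9:40022 -> 192.168.1.20:16992 DROP
2017-12-03T17:01:15Z tcp 198.51.100.9:40023 -> 192.168.1.20:16993 ACCEPT
2017-12-03T17:02:01Z udp 192.168.1.31:623 -> 203.0.113.50:623 ACCEPT
2017-12-03T17:02:30Z tcp 192.168.1.20:16994 -> 192.168.1.1:53122 ACCEPT
garbage line that should be skipped
2017-12-03T17:03:00Z tcp 192.168.1.40:50000 -> 203.0.113.7:6230 ACCEPT
"""

FLOW_RE = re.compile(r"^(\S+) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+) (ACCEPT|DROP)$")


def is_amt_port(port):
    return any(lo <= port <= hi for lo, hi in AMT_PORT_RANGES)


def direction(src, dst, lan):
    """Classify a flow relative to the LAN prefix."""
    inside = (src in lan, dst in lan)
    return {(True, True): "internal", (True, False): "outbound",
            (False, True): "inbound", (False, False): "transit"}[inside]


def find_amt_flows(log_text, lan_cidr="192.168.1.0/24"):
    """Return one finding per log line whose source or destination port is listed."""
    lan = ipaddress.ip_network(lan_cidr)
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        ts, proto, src, sport, dst, dport, action = m.groups()
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # malformed address
        # Destination port matches a request to the listener; source port matches its reply.
        port = next((p for p in (int(dport), int(sport)) if is_amt_port(p)), None)
        if port is None:
            continue
        findings.append({"line": lineno, "proto": proto, "port": port,
                         "direction": direction(src_ip, dst_ip, lan), "action": action})
    return findings


def allowed_across_perimeter(findings):
    """Flows the router should have dropped: listed port, crossing the LAN edge, accepted."""
    return [f for f in findings
            if f["action"] == "ACCEPT" and f["direction"] in ("inbound", "outbound")]


if __name__ == "__main__":
    for f in allowed_across_perimeter(find_amt_flows(SAMPLE_FLOWS)):
        print("filter gap:", f)
```

Internal flows on these ports are reported by `find_amt_flows` but excluded from `allowed_across_perimeter`, since a router filter only sees traffic that crosses the LAN edge.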

  • Dell is charging anywhere from $20.92 to $40 to disable Intel's Management Engine.

    A fast ARM SoC would add $20-$40 to the BOM price of a product. The slightly improved graphics for laptops is around $40 (maybe closer to $45). There are probably lots of things of value that could have been added to the system instead of IME only to have each vendor go to the effort to disable it for customers that really don't want it.

    I think it's a bit suspect that Intel went to the effort to create and hide ME, when it doesn't appear to offer value to the end user. I only have read lots of hand waving

  • They are charging Intel or the customer? Yes, I already know the answer, but it is worth asking, isn't it?
    I'm asking because I don't understand why we should pay to remove Spy(hard)ware.

  • What is the IME supposed to do? What is the supposed benefit for it being there?
    • by ledow ( 319597 )

      Lights-out management.

      When these things are sitting in datacentres, corporate networks, or any of a thousand other legitimate places, they can be managed by a remote support person via the network even if they can't even boot (e.g. BIOS access, switching to PXE booting and re-imaging and then restoring to normal operation, debugging, etc.).

      It's a legitimate feature, which is used by lots of places that want such a feature. However, what it's doing ENABLED BY DEFAULT is another question entirely, as it is l

  • ... so obviously one has to pay more to get a laptop less the Intel Management Engine.

    It makes total sense.

  • Dell has a program that will (allegedly) disable it in computers that have already been sold. Free.

    Why not buy a Dell and then disable it with the free program?

    Because by then, the damage may already have been done, perhaps.

    A possibly helpful link: https://downloadcenter.intel.c... [intel.com]
