Recent Intel Chipsets Have A Built-In Hidden Computer, Running Minix With A Networking Stack And A Web Server
from the what-could-possibly-go-wrong? dept
One way of looking at the history of computing is as the story of how the engineering focus rose gradually up the stack, from the creation of the first hardware, through operating systems, and then applications, and focusing now on platform-independent Net-based services. Underneath it all, there's still the processor, even if most people don't pay much attention to it these days. Unregarded it may be, but the world of the chip continues to move on. For example, for some years now, Intel has incorporated something called the Management Engine into its chipsets:
Built into many Intel Chipset–based platforms is a small, low-power computer subsystem called the Intel Management Engine (Intel ME). The Intel ME performs various tasks while the system is in sleep, during the boot process, and when your system is running. This subsystem must function correctly to get the most performance and capability from your PC.
That is, inside recent Intel-based systems, there is a separate computer within a computer -- one the end user never sees and has no control over. Although a feature for some time, it's been one of Intel's better-kept secrets, with details only emerging slowly. For example, a recent article on Network World pointed out that earlier this year, Dmitry Sklyarov (presumably, that Dmitry Sklyarov) worked out that Intel's ME is probably running a variant of the Minix operating system (yes, that Minix.) The Network World article notes that a Google project has found out more about the ME system:
According to Google, which is actively working to remove Intel's Management Engine (MINIX) from their internal servers (for obvious security reasons), the following features exist within Ring -3:
Full networking stack
File systems
Many drivers (including USB, networking, etc.)
A web serverThat’s right. A web server. Your CPU has a secret web server that you are not allowed to access, and, apparently, Intel does not want you to know about.
Why on this green Earth is there a web server in a hidden part of my CPU? WHY?
The "Ring-3" mentioned there refers to the level of privileges granted to the ME system. As a Google presentation about ME (pdf) explains, operating systems like GNU/Linux run on Intel chips at Ring 0 level; Ring-3 ("minus 3") trumps everything above -- include the operating system -- and has total control over the hardware. Throwing a Web server and a networking stack in there too seems like a really bad idea. Suppose there was some bug in the ME system that allowed an attacker to take control? Funny you should ask; here's what we learned earlier this year:
Intel says that three of its ME services -- Active Management Technology, Small Business Technology, and Intel Standard Manageability -- were all affected [by a critical bug]. These features are meant to let network administrators remotely manage a large number of devices, like servers and PCs. If attackers can access them improperly they potentially can manipulate the vulnerable computer as well as others on the network. And since the Management Engine is a standalone microprocessor, an attacker could exploit it without the operating system detecting anything.
As the Wired story points out, that critical bug went unnoticed for seven years. Because of the risks a non-controllable computer within a computer brings with it, Google is looking to remove ME from all its servers, and there's also an open source project doing something similar. But that's difficult: without ME, the modern systems based on Intel chipsets may not boot. The problems of ME have led the EFF to call on Intel to make a number of changes to the technology, including:
Provide a way for their customers to audit ME code for vulnerabilities. That is presently impossible because the code is kept secret.
Offer a supported way to disable the ME. If that's literally impossible, users should be able to flash an absolutely minimal, community-auditable ME firmware image.
Those don't seem unreasonable requests given how serious the flaws in the ME system have been, and probably will be again in the future. It also seems only fair that people should be able to control fully a computer that they own -- and that ought to include the Minix-based computer hidden within.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cpus, hidden computer, minix, privacy, security, web servers
Companies: intel
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
me = millenium_edition
Regards
Your CIA, FBI, Home Affairs and basically all government.
[ link to this | view in thread ]
What. The. Frak.
[ link to this | view in thread ]
Avoid Online Scams
For Brilliant Mind, a well design Course form Online Scam Killer for those entrepreneurs who want to learn about making money online. To Avoid Online Scams, learn some new and easy concept to earn money through internet.
website:-https://onlinescamkiller.com/avoiding-scams
Email id:- sirshendu@onlinescamkiller.com
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Avoid Online Scams
[ link to this | view in thread ]
On a side note: it seems more recent Intel ME's are a modified form of x86, however in the past there have been variants of ARC cores as well.
[ link to this | view in thread ]
AMD also uses such things to manage their stuff as far as I know but at the very least there isn't indications it has this level o bullshit (network that can't be managed by the front system, really?).
Wtf was Intel thinking?
[ link to this | view in thread ]
Re:
How much will the NSA give us.
[ link to this | view in thread ]
Re:
I hope that Intel has done us all a back handed favour in that the reaction to vulnerabilities in the ME will increase the desire to audit or be able to audit all levels of a system.
Will that actually happen? I don't know, but that's my hope
[ link to this | view in thread ]
Intel owns You
However, this is old-news that broke widely in Spring of 2016.
Several independent researchers have published software/scripts claiming to disable Intel ME, but non-experts run substantial risk of bricking their PC's'.
Only Intel can remedy this issue and it is largely unresponsive. There are indications that Intel can and will disable its ME for some "government" PC users.
Whom do you trust in life?
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Joanna Rutkowska was right.
[ link to this | view in thread ]
It's the compromise between expensive custom-made ASIC-style tech, and the flexibility of cheaper off-the-shelf components (with apparent backdoors like this).
I've got a few Z-80s lying around if they want something retro ;)
[ link to this | view in thread ]
Simple Fix?
If the ME has a network stack then it has to be set to DHCP. So an easy fix would be to find out it IP address or the port it uses if it is piggy-backing on the PC's IP and block it at your local firewall level.
Does AMD have something similar? This is seriously something that has me considering a switch. I will communicate with my dollars.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
Actually, here is a nice comic strip about that kind of door.
[ link to this | view in thread ]
Re:
Trade secrets are one thing. But we can't trust computer security to be secret anymore, not when it's this vitally important.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
They were thinking that they wanted to push features of high-end systems into their commodity systems. A "service processor" has been a standard feature on supercomputers and mainframes since at least 1960s. Over the years Intel has steadily incorporated high-end features like ECC, vector processing (MMX, SSE, etc), IOMMU, IO hot swapping, etc into their chips. This management engine can be a godsend for a corporate IT department managing thousands of systems, giving them fully centralized control over desktops and servers.
Where they screwed up was in trying to keep it locked down, proprietary and worst of all, mandatory. I'm sure they made that choice because they thought security through obscurity was both a good idea and sufficient. They wouldn't be the first to make that mistake and they won't be the last.
[ link to this | view in thread ]
Re:
The fix would rather be putting them back in.
[ link to this | view in thread ]
Just Curious
Or is the usage of these components so minimal that that it goes undetected?
I seem to remember an issue with the Intel ME system a few months back. The fix that came from Intel required a reboot in my Windows systems (Dual booting here) but never got mentioned in my Linux system. Hmm.....
[ link to this | view in thread ]
Get Over It, Time To Move On
The fact that your hardware is compromised from the factory and the compromise is baked right into the hardware is OLD NEWS. Years old.
Time to move on to something new.
With the large sizes of modern hard drives it is time to start building "management engines" directly into the drives. Each hard drive would have a secondary network connector (ethernet, wifi) in addition to the primary connection of the drive to the computer (scsi, sata, eide, etc). The drive would refuse to work without the network connector being operational at least occasionally.
This would enable the mother ship to analyze the contents of your drive. Because of: (in decreasing order of national importance)
[x] anti-Trump comments!
[x] Copyright Infringement
[x] videos of crimes committed by police
[x] Think of the Children!
[x] Blackmail material
[_] Justin Bieber music
[x] Crypto keys
[x] Terrorism
Furthermore, the mother ship would be able to communicate with the management engine inside of a hard drive in order to write to it which is useful for planting evidence.
The remote monitoring consoles for scanning and altering hard drives need an advanced UI that can be operated by one hand. This leaves the other hand free for . . . um . . . .
eating donuts. And other activities.
[ link to this | view in thread ]
Most people laughed at this saying it was bogus, now I am not so sure.
[ link to this | view in thread ]
Re:
Tough times for paranoiacs. Technology companies and their governments are putting up a seriously high bar to clear.
[ link to this | view in thread ]
Re: Simple Fix?
Also on servers or other machines with multiple network interfaces, the IME is always on the first port. So if you don't need both, plug into the second one and you are going to be protected.
The ME does a lot of stuff. Some of it we need so you can't just get rid of it entirely. It would be nice though if you could turn off the remote management features or shut it down after the machine has booted.
[ link to this | view in thread ]
Re:
http://www.amd.com/en-us/innovations/software-technologies/security
There are other added items in the Zen Core lineup too...
http://www.amd.com/en/technologies/zen-core
Every CPU that has a security feature baked in is just going to need something like this anyways. The problem is the idea of moving the security to the CPU, it should not be moved there. Security modules should be separate, but then again, how else can you take money from the NSA an build in a hackable management feature that lets them spy on all these machines?
The NSA has been creating a security Debt in computing for several years now and there is no telling how compromised systems have been made to help government interests.
[ link to this | view in thread ]
Re:
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
There *is* an "official" way to disable it
The linked blog post is from 2016. Since then, people have found a (semi-)official way to disable it. It's believed that the idea of the ME freaked out certain government agencies who weren't going to buy Intel CPUs if they couldn't disable it (all the more reason to let everyone disable it). It's obscure and undocumented: the HAP or AltMeDisable bit.
To say that the bug went unnoticed for seven years might be inaccurate. That the NSA noticed it could be the very reason they pushed Intel for those magic bits.
[ link to this | view in thread ]
Re:
Imagine, ME running ME... I don't want to live on this planet anymore.
[ link to this | view in thread ]
Re: There *is* an "official" way to disable it
[ link to this | view in thread ]
Re: Re:
AMD got the community excited some years ago (pre-Ryzen) because they promised to release enough information to allow a fully free BIOS. Wikipedia says it's "AGESA", released as source in 2011. Notably, this included the memory setup code, which for Intel is an unexplained binary blob. But AMD have refused to release the information for their latest CPUs. It's not just the algorithm; they don't even release register documentation that would allow people to implement their own algorithms.
That's far from obvious. Please explain.
CPUs have always had "security features", like protected mode, that weird i960 stuff, crypto instructions... none of that required firmware running above the OS. But the CPU itself was still secret, which is the real thing that needs to change to solve this problem. There are several promising projects including lowRISC (RISC-V) and J2 (SH-2).
[ link to this | view in thread ]
Re: Intel owns You
I guess that makes it ok?
"Whom do you trust in life?"
On the internet? ... no one
I wonder if/when this little piece of shit they have concocted will have wifi and how will they hide the antenna. Screen rooms are expensive.
[ link to this | view in thread ]
Re: me = millenium_edition
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Avoid Online Scams
But according to many of our esteemed "leaders" this is nothing to worry about and is probably fake news.
It is things like this that are putting the Onion out of business.
[ link to this | view in thread ]
Re: Just Curious
Yes, but by then the system could be compromised. It might only take one packet.
That's not how it works. It won't be sending network traffic, in most configurations, except in reply to network traffic sent to its address (it may have IP/MAC addresses different from the ones known for that interface). If nobody knows to send those manchurian packets to it—how can you if you don't know whether it's enabled or what its address is?—it will be undetectable.
[ link to this | view in thread ]
Re: Re: Just Curious
If so - then it is probably capable of sharing resources and therefore you would not be able to so easily stop its net traffic, deep packet inspection would but it is not easy for the general public to do.
[ link to this | view in thread ]
Re: Get Over It, Time To Move On
Why?
Such attitudes are unacceptable and are of little help to the unsuspecting and gullible public.
[ link to this | view in thread ]
It's worse than you say
https://twitter.com/h0t_max/status/928269320064450560
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Intel owns You
Yes and no. We've known about ME for some time now, but its codebase and the extent of its capabilities are new information that's just recently been released.
[ link to this | view in thread ]
Re:
I'm definitely keeping an eye on RISC V.
[ link to this | view in thread ]
Re: Get Over It, Time To Move On
We're closer than you may think... people have already ported Linux to run on the embedded CPU of a hard drive, and there are "external hard drives" that include a network interface for free (i.e., external drives don't cost appreciably more than internal).
Never store anything other than a minimal boot partition unencrypted. Crypto is so fast that there's no reason to. If you want convenience, use a plaintext key stored on a USB stick, plus a random recovery password written on paper; at least then you can still RMA the disk when it dies, without sending all your private data to the (USA-based) repair center. USB sticks are cheap enough to destroy with a hammer as necessary.
[ link to this | view in thread ]
Re: Re: There *is* an "official" way to disable it
They wouldn't have let us disable the ME with a single bit. They'd have required NSA-signed firmware, linked to a hardware serial number.
(There's precedent for including "extra" signing keys: Windows has long been known to include an "NSAKEY".)
[ link to this | view in thread ]
Re: Re: Re: Just Curious
Hypervisors are sometimes called "ring -1" indicating they run closer to hardware than ring 0 (the OS kernel). Then System Management Mode is ring -2, and as the article says, ME is ring -3. So basically, rings -2 and -3 are the hypervisors you never wanted.
"Deep packet inspection" cannot go deep enough to detect sufficiently advanced steganography—like modifying the timing (jitter) of the legitimate packets the OS was already sending.
[ link to this | view in thread ]
Re: Re: Get Over It, Time To Move On
This is an issue of major importance.
I'm also pointing out that they probably won't stop by just pre-compromising microprocessors. They will probably try to compromise other hardware as well. By "they" I mean whoever put Intel up to this nonsense.
As things stand at the moment, can you even trust your compiler tool chain when run on an Intel microprocessor? (See "Trusting Trust" article from ancient times.)
[ link to this | view in thread ]
Re: Re: Intel owns You
[ link to this | view in thread ]
Re: Re:
Intel would still make money with open-source chips. Nobody else has chip-manufacturing technology (lithography) as advanced as theirs. An open-source design is one thing, but you need to physically build it. (Competitors include AMD aka Globalfoundries, TSMC, Samsung.)
Unfortunately, it's been shown that the chip-builders can introduce flaws (with security impact) almost undetectable by the designers... at least until the next stage of this arms race.
[ link to this | view in thread ]
Re: Re: Intel owns You
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re:
But actually i wasn't thinking in terms of Minix being bad, it's just Intel's behavior. I've been a bit of an admirer of Minix for years, and play around with it occasionally. I think i still have 3.1.2 alpha on CDs somewhere, as those were convenient for storage when that was released.
Maybe Intel should cough up that USB support back upstream, if it is implemented in the OS code.
[ link to this | view in thread ]
Re: Re: Just Curious
Only if its ME lets it.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Get Over It, Time To Move On
[ link to this | view in thread ]
Re: Re:
That's where my question goes. Intel is no newbie, it should have seen how bad it would be if flaws were discovered.
[ link to this | view in thread ]
Re: Simple Fix?
What do you mean by "local firewall"? If it's the firewall on that PC, the ME bypasses that completely. If an external firewall, you're still vulnerable to worms within the LAN. Also note that it would see the traffic to all IP addresses, and we hope ignore traffic to other addresses; but they could've coded that wrong, maybe with weird fragmentation or something you'd crash the IP stack before it looked at the address.
Fill the built-in port with glue, attach a USB LAN adapter, and hope the ME doesn't support those.
[ link to this | view in thread ]
Re: Re:
Unless you're trying to be anonymous, in which case both are bad
[ link to this | view in thread ]
Re: Re: Re: Re: Just Curious
[ link to this | view in thread ]
Re: Re: Re:
I thought it would be super obvious. In order to interactively provide security to keep a CPU from executing malicious code something has to be able to intercept, analyze, and release it. This means that some form of a management engine will be necessary to operate outside the scope of a standard CPU's function.
Or in lay speak... a cpu needs to process instructions, malicious or not... it is more effective to add a management tool designed to handle it. Because a CPU guarding itself is a much less effective and easier to compromise guard.
[ link to this | view in thread ]
Re: Re:
CISC for cpu core and RISC for encryption, cpu, storage, and comms.
[ link to this | view in thread ]
Re: Re: Re: Just Curious
Wireshark only works because the hardware is designed to allow it to work.
If you want to be sure, you 'must' use an external an directly attached network device to snoop the traffic coming out of your NIC.
[ link to this | view in thread ]
Re: Re: Re: Re:
Computer security used to be rather straight forward and did not require management engines between the user and their hardware - acting like a nanny. However, recent events/products have made things a bit cloudy ... hahaha ... and nefarious money grubbers are eager to cash in. In addition, the IOT idiots allowing huge bots to run rough shod over the unsuspecting consumers is not helping.
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Access
Is it possible that the FBI exploited this old vulnerability (the 'backdoor') in accessing that 'child porn' ring with their "NIT"?
How about phones? Do these chips run in our cells?
I'm just trying to get a bead on this "old" news. Old? First time I'm hearing it.
[ link to this | view in thread ]
Re: It's worse than you say
Wow. Thanks for the link.
wow
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
"unless your definition of security differs from what the rest of us use."
Most security is theater, yes I have a different definition than most of you.
I hope you understand the insult I intended in that statement!
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re:
What exactly is incompetent and /or wrong, no need for a thesis - just put it in one sentence so we all can see just how super smart you are - is that too difficult for you?
So, you are telling me that it is ok for a cpu to have theater baked into it? I think it is you who is baked.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Just Curious
There are 5 prevalent types of hypervisors that generally exist and focus on specific things.
1st Style, and may not really be considered a hypervisor in the general sense as hardware is 100% emulation where lots of things are interpreted so that it can execute in a foreign environment... think came console emulators here this may also be very similar to 5th style virtualization as well.
2nd Style, Hosted Hypervisor where a full Operating System is running and usually on top of another already running OS not intended to run another OS. Vmware Player and Windows Server virtualization are these.
3rd Style, Native/Baremetal Hypervisor where the hardware itself is involved with the virtualization of things where any OS that is running is dedicated to the running of OS's. VMware ESX, Hyper-V are good examples of these.
4th Style, Hardware Virtulalization where hardware is virtualized inside of hardware.... think Software Designed Datacenter or SDNetworking, or Cisco UCS platform, HP Blades or any other High Density Computing platform.
5th Style, software virtualization where applications themselves are separated from the OS layer by abstraction... think App-V or the next generation Docker Containers. This is new and a growing sector.
"The Cloud" is usually composed mostly of the 3rd and 4th and 5th types to varying degrees depending on the provider.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re:
Eh, no. I am just saying most not all. The problem with TPM is its closed off nature, not its presence in the system. But that is just simply how proprietary works now isn't it?
"just put it in one sentence so we all can see just how super smart you are - is that too difficult for you?"
lol... I am not smart enough to put an entire "concept" into a single sentence that people could possibly understand. But "Security Theater" is the general term for this... basically building something that "looks" like it is secure while it actually is NOTHING of the sort in reality or practice. Like the TSA for example. It's a fucking joke, PURE theater from its inception and its practices and policies.
"So, you are telling me that it is ok for a cpu to have theater baked into it?"
How you came to that conclusion is beyond me.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re:
/facepalm!
[ link to this | view in thread ]
Re: me = millenium_edition
[ link to this | view in thread ]
Re: Re: Re: Get Over It, Time To Move On
If your disk has been compromised, you can still keep your key secret (AFAIK—I don't think HDDs are bus-mastering). If the CPU/ME is compromised, you're screwed, but it's not a reason to avoid disk encryption.
[ link to this | view in thread ]
Re: Access
Not these specific chips, no; Intel has never gotten a significant toehold in the mobile market. (I don't think IME is present in Atom chips, but I'm not 100% sure on that; at any rate, your phone probably doesn't have an Atom chip in it anyway.)
That said, your phone is probably just as vulnerable at the firmware level; maybe moreso.
[ link to this | view in thread ]
Remember their 'uncore'?
Consider a modern multi-core CPU is like a small minicomputer cluster of old. That is as close as I can surmise, without more details being available. I know it is used (supposedly limited to *cough*) to enterprise level support which is to enhance control by IT staff for updates, rollouts and gods knows what else.
However, please note that this is Intel supplied data and they have a bias for their viewpoint. To the extent of not wanting others to see much. Thus Google's push to get rid of it or at least mitigate its absolute control over the CPU.
Considering that Intel jumped whole hog into the DOS IN BIOS (UEFI) one suspects it incorporates features to support that bullshit boot system.
Of course, it is probably filled to overflowing with mission and feature creep just to make me feel good about HW bozos writing SW. Although they aren't even HW folk. They're chip designers. At Intel that gives them God Mode Always On status. Like in a video game.
[ link to this | view in thread ]
Re: Re: Access
[ link to this | view in thread ]
Re: Re: Re: Re:
That's one example of a security feature, not the only way to implement security. That idea seems inherently heuristic, dependent on knowing the specifics of what "normal" instructions look like for an OS. Normally CPUs use deterministic security, like page-table R/W/X bits, and AFAIK these features have been dependable. It's not the CPU's job to detect malice, it just needs to provide features OS kernels can use for security.
Has anyone ever broken out of ring 3 of the 80386 or its successors, by exploiting the CPU rather than the OS? I've seen no evidence CPU-internal security features are less reliable than external ones.
[ link to this | view in thread ]
So you don't have to worry about Sony or anyone else putting a rootkit on your system because Intel already included one right in the chipset?
I found a program that supposedly checks for the ME, but naturally it registers as a threat to my antivirus.
The instructions for disabling this, if it's in your system, are equally as vague.
Assuming that this is actually a genuine mistake rather than a malicious act on Intel's part, I have to wonder; Just how frigging stupid are the designers? Computers have been a consumer product for close to 40 years now and if there's one truth, it's that any flaw that can be exploited will, 100% without any shadow of a doubt, be exploited. Was this designed by the same idiot who thought it would be a good idea to make Outlook Express automatically execute email attachments? Or the moron who decided that automatically executing whatever code the system found on a USB device or optical disc was a smart thing to do?
Is it really plausible to believe that such supposedly smart people keep making such mind-numbingly stupid decisions?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
And it makes sense for huge installations run by outfits with huge budgets that can afford fancy firewalls with constant maintenance - but the general public finds its self at quite a disadvantage in that many do not know what a firewall is nor why they now are in need of one.
[ link to this | view in thread ]
Re: Re: me = millenium_edition
[ link to this | view in thread ]
Use or Not
When you have a user you cannot bump off of the system (like at a Hospital, in the ICU) how would you get in to update, make changes, or check problems reported? This service allows you to do all of the above. If you are in a hardened, firewalled computer network, there is usually not much to worry about with this setup. Even at home, the ability to wake up your computer, remotely while it is turned off, is a godsend to some who VPN in for whatever reason (work, information retrieval, etc.). So now if you leave your house with your system off, you have the chance to send a 'magic packet' to communicate with your device at the most basic level, issue a command 'turn on'.
For Network Admins, the ability to make changes behind the scenes is critical, if you are in New York, and have to change a system in Chicago (that is turned off) then you have the ability to make changes, without user intervention.
Plus no talk of the fact that Intel ships processors with this ability turned off, and you can make the change permanent. It is funny how this 'advanced' service can be misconstrued as a government backdoor, because incorrectly implemented, it essentially is. All this functionality is unavailable to a system that is disabled, believe me when I try to access a system that is off, and ME is off, No amount of 'magic' will tamper with that system.
The bios is a scary place for some, and mucking around in it is more of a concern, because you can essentially make a system or break it in there. Most users 'I' find, do not even know it exists or have been into it imho, except by accident. That is why it (ME) is off, at the start. No need to muck around,, find the right thing there (bios wise) and shut it down.
Paranoia abounds around any tech, heck there were more problems with XP (OS) than any ME implementation. Imagine at the end of life for XP getting a critical update for a flaw? Does that mean for the entire run of XP that flaw was there and being accessed by nefarious parties?
Intel ME allows you to make remote changes to your PC, or a corporate 'company' pc, which you have no control over anyways. Worry about if you must, but that will not make it go away 'magically' Ha could not resist.
You can install updates and troubleshoot a system without user intervention, or even the user knowing you are there. As above in a Hospital ICU this is important, but on your home system not so much. But if you set it up, read the 'manual', even at home it can be useful. The network admins toolkit has even more 'nefarious' tools than ME, and if used, still the user has no idea changes are being made while they are happily typing away, are you on a network? Behind a router, on the internet, firewalled? Why?
There are so many other easier ways to compromise a system than using 'intel's' ME, I would be much more afraid of them, oh yeah, that is why you do use a firewall, to harden, NAT, the perimeter of your home network. And even after finding that the WPS2 the defacto standard router security software has been hacked, all routers are now suspect.
So, pick your poison, Intel ME, Your own O.S. (what are patches for, sure enhancements, but closing doors too), Your personal router which you have hid behind forever, how long has the WPS hack been there without your knowledge, how many times was it used before it was eventually found, or noticed?
Hackers do not yell, look what I have found, they will have that door closed as soon as possible if they did. So it is good for them to keep their findings under wraps for as long as possible, and this includes all software (Office back orifice) for example. These are not security people these are the one's (hackers) who want what they can glean from you (bank info, credit cards, etc.). Right now at this time, what zero day flaw is being exploited on your own personal system - at home or at work??
[ link to this | view in thread ]
Re: Use or Not
Excellent...
Thank-you.
[ link to this | view in thread ]
Just in case,
[ link to this | view in thread ]
HIPAA Compliance?
Just asking.
[ link to this | view in thread ]
Re: Use or Not
[ link to this | view in thread ]
IT working in Health
I mean be real, is there IT at your hospital? I would hope so. These IT people do they need Intel's ME to view systems? No. When they are called to repair a database, fix encrypted email, or any other 'information' they will see in the daily performance of their duties, they certainly do not need Intel ME to view patient data. Fines are huge, jail time is looming.
After going through most of the links provided in this article, can you spot the one using and arduino hooked up to a bunch of wires that is going to re-firmware a system, hysterical. Or the google pdf that looks like a poor power point presentation? How about the pictures of the unit on a quilt, in a room that looks like it is a kids bedroom that has no parental direction (like clean it up dude).
If you go through this article with a critical eye, some of the amateurish evidence, the big words thrown in for some good measure, like explaining this to a user: We are so sorry but it seems osi layer 1 is responsible for your pc not connecting to or talking with the server. You sent packets out, but they are not being received by the remote system. We implemented the layer 1 fix and now you are back online.
Just enough jargon, eh? The true meaning of the above statement? User Calls> IT help me I cant reach the internet. IT shows up, looks it over for a minute and replaces the broken cable. OSI layer 1 is the physical layer of the network, Cables etc.
The first explanation makes the IT person feel superior of their knowledge regarding networked systems. But knowledge of one system in the business infrastructure does not make you a genius, no matter how many big words you know. Talk to me like a lawyer, I will be lost in a second.
The second explanation is geared to the user, it is what they want or need to know - without having to go online and look it up.
Wired is usually a good source of information and I have read it on occasion, but what they are saying, what you are worried about, and who can gain access to a system with Intel ME disabled?? I know horror story's that hold water, with respectable intel backing up the story, from respectable names in the industry.
PFSense, a respectable name in the routing/firewall industry is riding on top of FreeBSD, Warning, warning, cough, cough, ugh.
[ link to this | view in thread ]
Unconvincing or not
Maybe it is a wall to you, but it is the least jargonated wall of information I thought I would leave, To be helpful, not simplistic, or condescending to those who simply do not understand. I have no stake in Intel or AMD, since it is the Chipset, not the CPU. But that is just being nit picky, chipset or CPU, it's all the same YA ?
Wanna see your intel ME??? In windows 10, type a search for 'device manager', and open the local systems device manager, you will be awarded a screen with all kinds of installed devices on your system. Swell. Should work on 7 too. In Device manager, Expand system devices. Scroll down through until you reach the Intel devices. Look for Intel(R) Management Engine Interface. Yep there it is hidden for all to see. So nefarious and dripping with, well you know what eh? Oh I also have a High Precision Event Timer, do you? Oh well, not all systems are the same.
For something that is so well hidden, hard to find, or even disable on a system - well looks like you been had my friend (or not).
[ link to this | view in thread ]
Well
[ link to this | view in thread ]
Paranoia extreme edition
[ link to this | view in thread ]
Re: Use or Not
But turning it off there does not - at least not necessarily - disable all of the things that it does, or close the potential security holes that some of those things represent.
https://puri.sm/learn/avoiding-intel-amt/ and https://puri.sm/learn/intel-me/ - while from a group which is explicitly pro-software-freedom and anti-black-box, and as such may be open to accusations of bias - have a few things to say about the subject; the latter includes the claim that some ME features can only be "fused" on or off, and that once they're fused on (as many suppliers do before passing the unit on to the consumer, and as Intel may expect them to generally do), they physically can't be switched off.
Because Intel ships processors that way to its suppliers, not to the consumer (unless you're buying direct from Intel, maybe), and the supplier can and very well may turn this on in such a way that you can't turn it back off.
Just because another way is easier doesn't mean that this way isn't a genuine danger. Yes, it's best to take care of the bigger risks first - but that's not justification for ignoring the smaller ones.
[ link to this | view in thread ]
Re: Re: Re: me = millenium_edition
[ link to this | view in thread ]
Re: Paranoia extreme edition
I have read the articles proclaiming the death of hobbyist computer building and even claiming the personal computer market is going away. Who would spend $1K on a system that is designed to allow easy access whether you like it or not? Guarantied to be controlled by someone other than yourself, who would put sensitive information upon such a device?
They keep selling more and more shit that is eventually going to kill the internet by making it useless. Is this their goal or are they simply, out of ignorance, killing the goose that lays golden eggs?
[ link to this | view in thread ]
Re: Re: Use or Not
Manuals for it, and it's operation are online, and the software is geared towards a corporate IT, but if you have this engine in your system, you can download the software to utilize it. Until you 'play' with it yourself, all these posts are hilarious. Using wording like On the CPU, May pose a threat, possibly compromise a system. The Chipset, may pose a threat, and many consumer grade gaming boards do not have it, or would install it on a non corporate designed system. You have choices, I already shown you how to look for it, and if you find it woe is me, if you are the owner of a bank I would be worried, but joe blow?
I can give legit websites that will tell you which boards support it and which do not, it is a co-processor in the chipset, if you know co-processor means one set aside, like do you have a math co-processor or not?
But of course if you have your mind made up, love a good conspiricy, and believe the 'testor' did not set up the hole, then there is no changing of mind, but I am going to show these posts to my friends. As we laugh, we will be glad you are 'anonymous' if you gave your info, ridicule would abound, behind your back of course.
I joined this site thinking it was about tech, I am sorely disappointed. Believe what you wish, no matter how flimsy it is, or who it appears to be from. I am nobody. And I typically try to spread misinformation, instead of information. This process was not 'just discovered' I have been using AMT for years. If you 'just heard of it' then you speak volumes to your ignorance. 'Sorry' Could not resist. Let me know if you need links...
[ link to this | view in thread ]
Re: Use or Not
[ link to this | view in thread ]
Re: Re: Paranoia extreme edition
[ link to this | view in thread ]
Door In Open
[ link to this | view in thread ]
Parting Shot Boom
[ link to this | view in thread ]
Re: IT working in Health
Do you have a point you are trying make here? If so, would you make it VS some bullshit vague crap?
[ link to this | view in thread ]
Re: Parting Shot Boom
And Microsoft Linkedin poster ignores the ability of rubber hose key management beyond the Star Trek meme she posted.
[ link to this | view in thread ]
Re: Re: Re: Use or Not
Yes.
No, but one of my co-workers (the one whose judgment I trust the most, as it happens) has.
[ link to this | view in thread ]
Re: Re: Re:
I would worry about chinese figuring out how to take over intel cpu.
[ link to this | view in thread ]
[ link to this | view in thread ]
Someone appears to be monitoring browsing for certain references
https://www-ssl.intel.com/content/www/us/en/support/articles/000005974/software/chipset-soft ware.html?wapkw=management+engine
[ link to this | view in thread ]
Re: Re: Paranoia extreme edition
Sure, people throw away Pentium 3 computers all the time. Grab one from the curb. I've done that and ported Coreboot to whatever random motherboard it had, so I know there's no proprietary software/firmware on it. (Maybe grab more than one... I bricked one doing that.)
More practically, the Raspberry Pi 3 is widely available and has a quad-core CPU with no management engine. It's short on RAM but can run a full desktop system. (And has some proprietary firmware, but people have made some progress on a replacement.) ARM-based Chromebooks also have no ME and some can run Coreboot.
[ link to this | view in thread ]
Re: Re:
It's always funny to see one anonymous poster calling out another for being anonymous.
[ link to this | view in thread ]
Re: Use or Not
[ link to this | view in thread ]
Monitoring
[ link to this | view in thread ]
once again.
[ link to this | view in thread ]
Stall Man
[ link to this | view in thread ]
Open Source
[ link to this | view in thread ]
Re: HIPAA Compliance?
[ link to this | view in thread ]
Re: Re:
Yes, I know they're separate companies. I was just using MS as an example of how people in the computer industry keep adding ridiculously stupid "features" for the sake of convenience without stopping to consider how they might be abused. Then once these "features" are embedded in the hardware/software, people have a hell of a time trying to disable them to keep themselves safe.
I wish there was a patch to completely remove the whole auto-run system from Windows. I've disabled it for all devices in the registry, but there's nothing stopping some program from re-enabling it. In fact, a couple years ago, it did get re-enabled without my knowledge. I didn't realize it until I put a game CD in the drive and the launcher automatically popped up.
[ link to this | view in thread ]
Re: Unconvincing or not
Yup, I see it. Such a descriptive name too! How could anyone see "Management Engine" and not instantly realize that it's a mechanism for allowing others to remotely access their system? It's so obvious that even the most computer illiterate can't help realize what it is during their daily perusal of Device Manager.
And it's so easy to see exactly what it's doing too! I'll bet you just double-click on it and you'll be able to set all sorts of options, right?
[ link to this | view in thread ]
Turned off...
Then that same caveman realized 'fire' is gonna make him the most powerful freaking guy on Earth. And, he was for a time. Realized the profit of using a necessity to life as a commodity, Put 'em in his Kingdom, with a class all his own, ruling over the species, and here we are. Gettin all manipulated and shit...
As for the I(r) Management Engine in Device Manager, I went and found it and disabled it. I will watch, and run my different apps and see just what might turn it back on.
Thanks for the post.
[ link to this | view in thread ]
Re: Turned off...
I shut IME off (disabled), and logged into my money and a couple other sites. The login was prompted each time - each site - because they "noticed" a change in my logins...
Not one thing was changed. No passes, emails, or computers and browsers, but they noticed something different. Makes me want to know what.
I always have my UNCServer processes stopped - have to do it manually everyday, but it has never caused my logins any interuption.
Was this little IME bastard being used by my finacial institutions? 'cuz that's a little disturbing - finacial institutions using something for what, and to what end? Justified? I'd like anyone here to break some eggs and make comment to this possibility. Then again, I might be a conspiracy lover... nah. It's just messed up to think on.
[ link to this | view in thread ]
Re: Use or Not
If it's harmless, why does the author of Minix, Tanenbaum, call it Orwellian spyware? Is he technically incompetent to make those claims?
[ link to this | view in thread ]