Slashdot Mirror

← Back to Stories (view on slashdot.org)

Intel Shows RealVNC Embedded In the BIOS

Posted by timothy on from the no-not-that-other-idf dept.

LWATCDR writes "At Intel Developer Forum, Intel and RealVNC demoed RealVNC integrated at the BIOS level. Using VNC, one can now power down, power up, reboot, go into the BIOS, and even mount disk images on the network. All of this has been available for a while using IPMI but now it can be done using the open standard VNC. It is available now on Q57 and Q67 motherboards. One can just imagine how useful this could be in a data center, school, or any other system with a large number of computers. Let's hope AMD joins in."

109 of 154 comments (clear)

  1. And how bad it becomes when a vuln is found by djsmiley · · Score: 3, Insightful

    So..... we've had someone (I forget if it was AMD or Intel teaming up with trend micro to look for malware at the lowest possible hardware level) and then in teh same week an announcement about how you can have remote visuals for your WHOLE system from outside the O/S ?

    While its useful if your server decides to hang and you don't know why - but this exists in DRAC cards and other forms of remote management for systems which NEED it. I don't think i've ever had to access the bios of a consumer level device remotely before, or even thought i'd be a wildly good idea...

    So when a vuln is found, which it WILL be everyone has to update their bios now? I know of alot of people who are going to be very unhappy about that idea! - hey, at least they could do it remotely? (maybe!)

    --
    - http://www.milkme.co.uk
    1. Re:And how bad it becomes when a vuln is found by durrr · · Score: 2

      Would it be possible that a vulnerability allowed normal bios patching to be blocked too? Meaning that the hardware could be more or less irreversibly compromised... Sounds like a brilliant stroke of stupid.

    2. Re:And how bad it becomes when a vuln is found by jhigh · · Score: 4, Insightful

      I don't think i've ever had to access the bios of a consumer level device remotely before, or even thought i'd be a wildly good idea...

      You've obviously never worked in kiosks before - this would be endlessly useful for any company supporting a large number of kiosk computers. That being said, your point about possible vulnerabilities are well put. However, we can't let potential vulnerabilities get in the way of advancing technology. Just like I'm sure there will be some creative way for the bad guys to exploit this, I'm just as sure that there will be some equally creative way for the good guys to protect this.

      --
      Social Engineering Expert: Because there is no patch for stupidity.
    3. Re:And how bad it becomes when a vuln is found by halfEvilTech · · Score: 1

      Yes and it now gives those "security vendors" even more ammunition to sale snake oil products to protect your bios.

      I can see the sales line now...

      Buy the all new BIOS ULTRA DEFFENDER DELUXE 2XXX SUITE ENTERPRISE. Only $99.99 per server this week only. Don't let those pesky hackers take over your servers.

    4. Re:And how bad it becomes when a vuln is found by vlm · · Score: 1

      Would it be possible that a vulnerability allowed normal bios patching to be blocked too? Meaning that the hardware could be more or less irreversibly compromised... Sounds like a brilliant stroke of stupid.

      They make money off every bricked / overheated / burned out MB / CPU. Stupid for anyone to buy, brilliant for them to try and sell.

      Heck they could even write the windows worm themselves to cause maximum damage... set fan speed to lowest, set CPU voltage to maximum, set CPU speed to max, disable thermal throttling... insta-profit!!!!!

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    5. Re:And how bad it becomes when a vuln is found by The+Moof · · Score: 1

      Maybe I'm missing something about the kiosk industry (it's been a long time). Booting up can be done via wake-on-LAN, shutting down remotely is built in at the OS level. What BIOS functionality would you need to access that doesn't require you to already be physically in the box?

    6. Re:And how bad it becomes when a vuln is found by asdfghjklqwertyuiop · · Score: 1

      There have been remote console mechanisms for PCs for a very long time now. I don't know why everyone suddenly thinks this is something new and shocking.

    7. Re:And how bad it becomes when a vuln is found by cayenne8 · · Score: 1
      Yeah..but VNC is pretty insecure isn't it?

      I mean, we have it on many boxes, but you have to run a ssh tunnel to the box to run VNC through to keep things a bit more secure.

      I can't see them doing that in the BIOS...or can they?

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    8. Re:And how bad it becomes when a vuln is found by drinkypoo · · Score: 1

      Would it be possible that a vulnerability allowed normal bios patching to be blocked too?

      No.

      Meaning that the hardware could be more or less irreversibly compromised... Sounds like a brilliant stroke of stupid.

      Perhaps you should read up on IPMI (mentioned above) before you come to such conclusions. It's a whole separate computer inside your computer (generally just in servers) which can share your ethernet port and which can manage your system. Generally speaking they provide sensor access (handy on platforms which otherwise obscure it) as well as remote shutdown, startup, reflash, and usually BIOS config, albeit through their interface. There are generally working IPMI tools for Linux. I had an eServer 325 for a moment (not that exciting though and very loud) which had an IPMI module and it was dandy.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    9. Re:And how bad it becomes when a vuln is found by Anonymous Coward · · Score: 1

      Some of the DRAC cards used VNC as the display protocal; they had some propriatary stuff on top to do other things though. I could see this being useful for geeks; if I'm watching the baby play in the living room I can't easily be in the office getting my computer back up. I just hope they shipped disabled so that those who want it can enable it but if the user is unaware of the feature it can't be used to compromise it.

    10. Re:And how bad it becomes when a vuln is found by DJLuc1d · · Score: 1

      That takes the cake in paranoia... Like they couldn't do this already to maximize profits ?

    11. Re:And how bad it becomes when a vuln is found by ThatsNotPudding · · Score: 1

      I'm just as sure that there will be some equally creative way for the good guys to protect this.

      Exactly how can a vulnerability burned into silicon be 'protected'?

    12. Re:And how bad it becomes when a vuln is found by shawn(at)fsu · · Score: 1

      If you are so worried about security why are you accessing the internet at all? For that matter why do you even have a computer? Do you also not use a credit card or check card? It was pointed out quite eloquently above. "we can't let potential vulnerabilities get in the way of advancing technology."

      --
      500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
    13. Re:And how bad it becomes when a vuln is found by asdfghjklqwertyuiop · · Score: 1

      Probably no more secure than the existing PC remote console systems (i.e. not very good). I don't expect this to be any better than the existing stuff, just cheaper. Hopefully this thing by Intel will have it's own network port or at least the ability to be on it's own vlan like the existing ones so it can be segregated network-wise.

    14. Re:And how bad it becomes when a vuln is found by Joce640k · · Score: 2

      Look on the bright side: At least the Linux users won't be able to act all smug about how much more secure their machines are then Windows machines.

      --
      No sig today...
    15. Re:And how bad it becomes when a vuln is found by darksabre · · Score: 1

      How about the OS is hosed and you want to force a PXE boot in order to re-image the disk?

    16. Re:And how bad it becomes when a vuln is found by Bengie · · Score: 1

      Intel is saying you can now do remote boot options, prior to the OS starting up. Remote into the BIOS, then tell the machine to boot from the NIC instead of the HD, then run memtest or something.

    17. Re:And how bad it becomes when a vuln is found by Unequivocal · · Score: 1

      It's not burned into the silicon, it's loaded in the BIOS. Which implies it can be updated in the bios when vulns are found.

    18. Re:And how bad it becomes when a vuln is found by nine-times · · Score: 1

      I would assume that this is something that is available in the BIOS, but that you can turn it off. The default should probably be for it to be turned off.

    19. Re:And how bad it becomes when a vuln is found by Anonymous Coward · · Score: 1

      From TFA:

      Last year, RealVNC teamed up with Intel to incorporate a bona fide VNC server (using hardware encryption native to vPro chipsets)

      I don't know why I read the comments on this site anymore. Once upon a time it was 80% morons and maybe 10% of posters had read the article. If only I knew how much I'd wind up missing those days....

    20. Re:And how bad it becomes when a vuln is found by Truekaiser · · Score: 1

      call me paranoid, but the security risks of having this in general user hardware may be used as the stick to push a more general adoption of tpm hardware for general use as a carrot to fix the problems this creates.

      tpm hardware, when used in a server setting is useful, and it's the only place it's useful as a server needs to be reliable and the software needs to be trusted in the mission critical roles they are used for. tpm has no practical purpose on a normal level desktop other then consolizing the normal pc and locking it down to only run one os(windows) and only approved windows software(no foss ports or indie devs). this is because normal antivirus software in windows does a good enough job along with proper use practices or better quality code design as in other pc operating systems.

    21. Re:And how bad it becomes when a vuln is found by icebike · · Score: 1

      Linux users would know enough to never hook a cat5 cable to the on-board nic, at least not a cable exposed to the internet.
      They would simply install an add-in nic for the public side of the machine.

      --
      Sig Battery depleted. Reverting to safe mode.
    22. Re:And how bad it becomes when a vuln is found by icebike · · Score: 1

      Actually if you watch the video you will see some stuff that is better than the existing stuff.
      Such as mounting an ISO on the GUEST machine over the network to be used by the Host machine.
      Most of the current tools don't allow manipulating things in the bios without flaky and expensive additional hardware.
      (So flaky and so expensive that you almost never see this stuff deployed in real life).

      If Intel can manage the security properly this would be very valuable.

      As demonstrated in the video, there still seems to be a requirement for someone to read a number from the screen of the remote machine over the phone to the person doing the remote manipulation, however this might have been a choice they made for the demo so as not to reveal just how prone to hacking this might be.

      --
      Sig Battery depleted. Reverting to safe mode.
    23. Re:And how bad it becomes when a vuln is found by asdfghjklqwertyuiop · · Score: 1

      I meant better security-wise. Yeah, I agree, the existing remote console things are all kind of flakey.

    24. Re:And how bad it becomes when a vuln is found by sjames · · Score: 1

      IPMI has supported serial over LAN for ages, and server BIOS have supported redirect to serial for even longer.

      You just fire up the IPMI client, cycle power (telling it to boot into BIOS), then go to the serial over lan console.

      In an office environment, it would be quite useful on the desktop. Not just for support, but for daily operations like powering up just before work so people don't leave them on all night to save the morning annoyance. In the home, I can see it being quite useful to parents wanting to monitor the kid's computer (but look out, lest the kids turn the tables!).

      All of that said, adding VNC to IPMI's serial over LAN would be helpful when dealing with GUI addicted OSes from Redmond (I don't know if OSX can be installed over serial+lan or not).

      The better remote management arrangements DO allow a remote BIOS update, even if the BIOS was corrupted so that the main computer won't boot. The service processor has it's own ROM and can re-flash the BIOS over I2C/smbus.

      The downside on the desktop is that too many people won't bother setting a password.

    25. Re:And how bad it becomes when a vuln is found by icebike · · Score: 2

      You presume that is possible. And you presume the disableing is actually honored.
      I looked at the bios screens very carefully and saw no such option.

      --
      Sig Battery depleted. Reverting to safe mode.
    26. Re:And how bad it becomes when a vuln is found by LWATCDR · · Score: 2

      Thanks for pointing that out. Wow I never knew how many people just read the summary. When I wrote that summary I covered that this was already available. That the abilities are not that new but have been around for a while on system using IPMI, and what chip sets supported it. I left out that it was encrypted front to back because I actually thought that everyone and their dog would just assume that it was or read the article if they didn't bother to watch the video.
      You know I really made an effort to write a none inflammatory, informative, and factual summary. Oh well maybe next time.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    27. Re:And how bad it becomes when a vuln is found by Lennie · · Score: 1

      ll the article did say:

      "using hardware encryption native to vPro chipsets"

      So it could include SSH or HTTPS.

      --
      New things are always on the horizon
    28. Re:And how bad it becomes when a vuln is found by Jeremiah+Cornelius · · Score: 1

      Combine these two efforts with TXT and say to yourself: "This is not Palladium."

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    29. Re:And how bad it becomes when a vuln is found by Anonymous Coward · · Score: 1

      True, I did take that for granted without looking into it more.

      Whenever I think a designer "can't be that stupid", I tend to get proven wrong.

    30. Re:And how bad it becomes when a vuln is found by orange47 · · Score: 1

      don't worry, sooner or later someone will make Linux variant that runs in BIOS :)

    31. Re:And how bad it becomes when a vuln is found by orange47 · · Score: 1

      yeah, right. remember the autorun fiasco?
      the 'creative' solution from 'good guys' was to shut it off.. what a waste of time

    32. Re:And how bad it becomes when a vuln is found by sexconker · · Score: 1

      From TFA:

      Last year, RealVNC teamed up with Intel to incorporate a bona fide VNC server (using hardware encryption native to vPro chipsets)

      I don't know why I read the comments on this site anymore. Once upon a time it was 80% morons and maybe 10% of posters had read the article. If only I knew how much I'd wind up missing those days....

      And the encryption protects you against what, exactly?
      1: Snopping.
      2: MITM.

      If there's a vulnerability, you're still fucked.

    33. Re:And how bad it becomes when a vuln is found by sexconker · · Score: 1

      If you are so worried about security why are you accessing the internet at all? For that matter why do you even have a computer? Do you also not use a credit card or check card? It was pointed out quite eloquently above. "we can't let potential vulnerabilities get in the way of advancing technology."

      You are selling you crotchless pants, and telling people it'll take less time to take a piss.
      They say "Seems unnecessarily risky for very little benefit. I don't want to get raped.".
      You respond "If you're so worried about rape, why do you have genitals?".

      Absurd.

    34. Re:And how bad it becomes when a vuln is found by atisss · · Score: 1

      Introducing Norton BIOS security 2012

    35. Re:And how bad it becomes when a vuln is found by rsborg · · Score: 1

      That takes the cake in paranoia... Like they couldn't do this already to maximize profits ?

      Paranoia++ = "How do you know they aren't doing this already? What if Adobe's Flash division is secretly funded by Intel?";

      --
      Make sure everyone's vote counts: Verified Voting
    36. Re:And how bad it becomes when a vuln is found by That+Guy+From+Mrktng · · Score: 1

      Was the telescreen optional? right.

    37. Re:And how bad it becomes when a vuln is found by ckaminski · · Score: 1

      Daily operations - there's be an answer for that for DECADES (at least one) called Wake-On-LAN.

      Windows, the only OS in the world you can't network boot.

    38. Re:And how bad it becomes when a vuln is found by drinkypoo · · Score: 1

      time to take the system offline to reload the software ... in the bios.

      Uh, what year is it? No wonder you posted as AC. I can't remember the last time I got a machine I couldn't flash live.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    39. Re:And how bad it becomes when a vuln is found by sjames · · Score: 1

      WakeOnLAN is a bit hit and miss. It';s great when it works, but the feedback is really poor. You fire off the packet and can't know if you succeeded until a few minutes later when it boots (or doesn't). If you don't hear from it, you are none the wiser as to why. I have a desktop machine where WOL works about 40% of the time.

      I've seen machines where IPMI was iffy as well, but could tell instantly that it wasn't working.

    40. Re:And how bad it becomes when a vuln is found by GPLHost-Thomas · · Score: 1

      What are you complaining about? Obviously, there will be options in the BIOS to disable that new feature! In the mean while, it's great options for IT support.

    41. Re:And how bad it becomes when a vuln is found by GPLHost-Thomas · · Score: 1

      So, are you also assuming that you can't select which IP address the VNC server is binding on? Continue with this kind of revert-thinking assumptions, and you'll be mod-up "funny"! :)

    42. Re:And how bad it becomes when a vuln is found by icebike · · Score: 1

      Go watch the video.
      The guy shut down the entire tcp/op stack and was still talking to machine.

      You can't do that with a nic in a slot.

      The bios has direct control of that nic and can power it up even when the machine is shut down.

      --
      Sig Battery depleted. Reverting to safe mode.
    43. Re:And how bad it becomes when a vuln is found by GPLHost-Thomas · · Score: 1

      Right. I've been doing that for YEARS using IPMI (on Supermicro servers for example). And what does it proves?

  2. Yeah, just great... by Rosco+P.+Coltrane · · Score: 1

    Using VNC, one can now power down, power up, reboot, go into the BIOS, mount disk images on the network

    ... watch what your employees are doing,

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Yeah, just great... by felipekk · · Score: 2

      Employers were able to do that for a long time already...

    2. Re:Yeah, just great... by spire3661 · · Score: 1

      I always find it cute when I remote into a persons comp and they get all indignant like im invading their privacy.

      --
      Good-bye
  3. Finally! by jackb_guppy · · Score: 2

    I suggested this and other ways of using VNC embedded hardware like this years ago. It will be great to have keyboard, mouse, video - hope they also add virtual CD/DVD or USB to get the machine loaded remotely.

    It is shame that it maybe to late with VBLOCK and ESX system taking hold.

    1. Re:Finally! by organgtool · · Score: 1

      Agreed! I've been waiting decades for a technology that will open up my hardware configurations to anyone on the internet capable of hacking it. I hope it can flash the firmware too!

    2. Re:Finally! by asdfghjklqwertyuiop · · Score: 2

      Why have you been waiting so long? If you've wanted to set up your servers incompetently this way it's been possible for decades with DRAC or ILO or LOM or IPMI... or hardware serial consoles for longer than there's been an Internet.

    3. Re:Finally! by Phics · · Score: 1

      This has been around for a while. It's part of vPro, and it already has the ability to boot a machine with a disabled HDD using an ISO remotely. I'm kind of shocked because this isn't exactly news... I've been showing our clients how to use VNC Viewer Plus to remotely manage hardware for some time now.

      Like Intel's Centrino product, vPro is a suite of technologies designed to aid with management in environments where machines are deployed. The VNC component allows for out-of-band remote KVM - this means you can work on a system even if there is no OS, or if the OS isn't working correctly. vPro also provides hardware aid for full disk encryption, (more secure than software-only solutions), as well as asset tracking through software such as Computrace Lowjack, (includes other features like remotely bricking a system, etc.).

      vPro presently only works on i5/i7 systems with a vPro enabled chipset. It is one of those major features which Intel has been unable to market successfully, as proven by the general lack of knowledge here at Slashdot.

      --
      There are two types of people in the world; those who believe there are two types of people, and those who don't.
  4. Desktops finaly get IPMI like by silas_moeckel · · Score: 1

    Look like about what we have had for years on server gear. I do hope you can disable that 6 digit key bit (making it worthless for servers and off hours). Has this not been around since version 6 and they are on version 8 now?

    --
    No sir I dont like it.
  5. Re:Needs Security by hedwards · · Score: 1

    Indeed. The main alternative to this is TFTP and SSH, and that isn't secured either as you have to load and boot the image before SSH gets into the picture.. Which is understandable, but at this point in history, you really shouldn't be doing these things over a network without some security in place. Even a supposedly secured network can be infiltrated if it's valuable enough.

    And this is definitely not going to be worth using over the internet unless one has a means of ensuring a secured connection between the two points.

  6. Intel have been pushing this for years by jimicus · · Score: 1

    Or at least something very like it - vPro.

    While IPMI is well-established on the server, so far no form of BIOS-level remote control seems to be doing particularly well on the desktop. It's damn difficult to find definitive statements from any major OEM concerning which lines support it, there's a plethora of versions with varying levels of sophistication, some of which require proprietary software in order to use.

    That in itself isn't the end of the world, but even tracking down suitable proprietary software can be like pulling teeth!

    Myself, I think that the majority of companies being targeted with this are the huge organisations with offices and staff everywhere - but they tackled the problem 10 years or more ago, they've got a whole stack of solutions and processes already in place and so something which doesn't really bring anything particularly useful to the table isn't all that interesting.

    1. Re:Intel have been pushing this for years by Lennie · · Score: 1

      As I understand it, this is just VNC with small enhancements for ISO-boot and encryption, which makes it easier to deal with on many different platforms.

      --
      New things are always on the horizon
  7. Re:REALLY useful by Cylix · · Score: 3, Interesting

    More then likely this is integrated at the BMC (baseboard management controller). While the BMC may be integrated into the system and a few values override some of the DMI it is not technically the BIOS. I've run into several systems with dead BMCs and they will happily chug along and act mostly normal. (DMI values revert to the BIOS provided values)

    You can obtain the source to the FRU and play with your hearts content. Unfortunately, these are typically available on their high end S5000 and above series boards. SuperMicro makes some cheap boards with IPMI, but I don't know if it is a similar BMC setup. Now, the kicker is the BMC is just linux on a chip managed through IPMI. You can obtain and modify this to your hearts content. Though I don't know if they left out any bits and the system firmware is still a binary blob I believe.

    --
    "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
  8. SSH? by Kagetsuki · · Score: 2

    Why VNC? Why not SSH?

    By the way this was on SGI workstations and it was awesome. I still remember the first time I went into the SGI BIOS setup only to be greeted with a shell. That blew my mind.

    1. Re:SSH? by wagnerrp · · Score: 2

      Agreed. VNC just seems like a stupid choice for such a system. VNC, Citrix, Windows Terminal Services, Remote Desktop... all of these things only exist as a crutch to allow remote use of programs not designed for remote operation. If you are designing the application from scratch, why not design it for remote use in the first place? Use a terminal or curses application. Use an embedded web server and a javascript application. Do something that actually makes sense rather than render a 2D interface, and then compress it for display over VNC.

    2. Re:SSH? by silas_moeckel · · Score: 3, Insightful

      Because it's not adding a new interface it's connecting to the existing one. You want a tech to be able to correct say broken nic drivers. It's not meant for application sharing etc.

      --
      No sir I dont like it.
    3. Re:SSH? by jorgef · · Score: 1

      Intel only supports SSH Out of Band Management for entry-level server motherboards.

    4. Re:SSH? by ceoyoyo · · Score: 1

      Never used an Apple I or II? Not only a shell in ROM but Basic too.

    5. Re:SSH? by sgt+scrub · · Score: 1

      The Alpha workstations had a shell too.

      --
      Having to work for a living is the root of all evil.
    6. Re:SSH? by nine-times · · Score: 1

      Because what are you going to SSH into? The BIOS? Great, now you can change BIOS settings, and the whole system is completely useless once you boot your OS. Or are you going to SSH into your OS? Well first, that's no good for Windows, and second, we've already had remote logins on the OS level for a long time.

      Sorry, but the value in something like this is to be able to see what's being displayed on the screen, regardless of what kind of output it is, and then to be able to use input devices (keyboard and mouse) for a total remote-access and remote-admin solution. VNC accomplishes that. SSH does not.

    7. Re:SSH? by TheGratefulNet · · Score: 1

      if you've used vnc, you would not have to ask this.

      I've been a vnc user for over a decade, now. ALL my home systems are vnc based. the noisy-room servers all are up 7x24 and usually run freebsd or linux. the clients are noiseless (ideally) things that boot up and I run vncviewer as soon as I get a term window inside a graphic screen. the o/s is a life-support system for vnc. vnc IS the killer app.

      sadly, I find that vnc over win (7 or xp) is the best overall client. the video drivers are fast, usually stable and easier to deal with than linux. suspend and resume also works well on windows; often better than linux.

      so, unix for the backend; but win+vnc_client for the viewer side of things. love this combo. I can walk up to any station in the house and get the same 'persistent desktop'. usually my desktops stay up half a year or more (server reboot based). my web sessions are all unix based and served over vnc.

      I would not run video over vnc, but I never intend to do that anyway.

      ssh has its place; but ssh is a transport for things, its not an end-all application. vnc is still a transport, of sorts, but it transports my whole *desktop*. like 'screen' but for graphics.

      I'll buy some of those motherboards and replace my clients that boot from ssd. I'd LOVE to get rid of all of that and simply boot from bios into vnc-client. that would be GREAT if it really does work and lets me eliminate all my client os installs!

      count me in as one who would re-buy systems because of this.

      --

      --
      "It is now safe to switch off your computer."
    8. Re:SSH? by wagnerrp · · Score: 1

      But the fancy graphical interface IS a new one, and you only have access to the fancy new graphical BIOS configuration utility. If it were the age old BIOS configuration utility, you would have no problem pumping that over a telnet or SSH terminal. It's not like you have meaningful access to the OS installed on the system such that you could tinker with the system or replace drivers.

    9. Re:SSH? by omnichad · · Score: 1

      Unless it was implemented as a virtual serial port. You would at least be able to SSH into a terminal session on any OS that supports that sort of thing (i.e. not Windows). I was thinking the same, though.

    10. Re:SSH? by lukeskywalker9m · · Score: 1

      Because shell gurus like you will be extinct sooner :D.

    11. Re:SSH? by Kagetsuki · · Score: 1

      "Use an embedded web server and a javascript application." - actually that's genius. It's not like you would need to start from scratch either, you could use Router firmware like OpenWRT to do it. OpenWRT also has SSH and Telnet included, and you could add VNC support through packages.

    12. Re:SSH? by richlv · · Score: 1

      a glance at the article only seemed to touch on bios controlling, it didn't seem to imply full remote keyboard/video/mouse control. if so, ssh would be MUCH better.

      it only mentions "install an OS", which is very vague and doesn't imply the above.

      --
      Rich
    13. Re:SSH? by nine-times · · Score: 1

      Wait, so what are you confused about? VNC *is* full remote video and keyboard/mouse control. How else would you remotely install the OS unless the VNC session continued while the OS booted?

      SSH just isn't better for the intended use here. It's worse. If it were just for BIOS control it would work, but it could mean learning complex commands and settings for each individual manufacturer and model. For a BIOS with a limited configuration options, a menu system is going to be easier and more intuitive than a command line.

      But since the point is not just to allow remote configuration of the BIOS, but to allow total remote video/mouse/keyboard regardless of OS support, SSH is entirely inadequate.

    14. Re:SSH? by silas_moeckel · · Score: 1

      Yes you do that's the point. You can connect at any point and see whatever is on the primary screen, This could be the text bios, a full gui desktop or various installers. You can mount ISO's remotely all without help from the OS network stack. There is a serial connection as well that uses a bit funky protocol (it's all wrapped in udp packets and encrypted) but there are proxies to convert that to straight ssh/telnet. It's nearly what IPMI is for servers.

      --
      No sir I dont like it.
  9. Re:UltraVNC? by MobileTatsu-NJG · · Score: 1

    Wouldn't a BIOS screen be really low-rez anyway?

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  10. The BIOS needs to die by Anonymous Coward · · Score: 1

    Hey, that's great Intel. But, when can we get off the shelf motherboards with a EFI instead of a legacy BIOS? What's the hold up?

    1. Re:The BIOS needs to die by Lennie · · Score: 1

      EFI is just as big a mess as the legacy BIOS:

      http://lwn.net/Articles/451690/
      http://lwn.net/Articles/453003/

      And would you like Microsoft with their Windows 8 (App) Store and Intel to control your PC like it is an Apple iDevice ?:
      http://lwn.net/Articles/459569/

      --
      New things are always on the horizon
  11. Re:This isn't new... by wagnerrp · · Score: 1

    Except this is new, and retarded. A full IP-KVM solution makes sense. It allows you to actually connect to and use the PC remotely without any additional software needed. That is not what this is. This is taking the graphical UEFI configuration utility, rendering it, compressing it, and sending that over VNC. You can only access the configuration utility, and not the local terminal. Rather than use a sensible mechanism of remote configuration, like an SSH or web application, they chose VNC.

  12. Re:Needs Security by X0563511 · · Score: 1

    This is assuming you're stupid and use it over an untrusted network.

    BMCs and such generally talk over a protected VPN and are not general access. These are the same LANs that allow you to telnet to APC controllers and fiddle with power outlets.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  13. Let's hope AMD does what? by erroneus · · Score: 1

    Uhm... Patents? Software Patents? Who wants to bet there are dozens of patents on this technology already applied for by Intel? We already know VNC's patents, but not when you add "in the BIOS" to the end of it.

  14. Re:UltraVNC? by l_bratch · · Score: 2

    This probably just implements the standard RFB protocol, so any viewer (UltraVNC, RealVNC or whatever) can connect to it.

  15. Big boon to the Enterprise... by MrWin2kMan · · Score: 1

    This will be very useful in the Enterprise space, with no need to resort to HP iLO or Dell's DRAC, or IBM's management processor.

    --
    Nothing to see here but us trolls...move along...
  16. This scares the living Bejezus outta me by dayton967 · · Score: 1

    VNC is not the pinnacle of security to begin with, unless they changed it, the default password limitation in VNC use to be at least only 8 characters. And if they haven't it just gives a much easier method of compromising a system.

  17. lets hope this thing dies. by nimbius · · Score: 1

    RealVNC at the GPL level, which i suspect is what we're testing with, has no encryption. IPMI, which is billed as standard on most enterprise grade servers on the other hand, comes with the option of key based crypto.

    --
    Good people go to bed earlier.
    1. Re:lets hope this thing dies. by LWATCDR · · Score: 1

      No you are wrong.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  18. Nice! by sgt+scrub · · Score: 1

    Cool! I use VNC hooks for recording user sessions. Is it a full install? ie. key stroke and pointer location code too?

    --
    Having to work for a living is the root of all evil.
  19. Re:Needs Security by X0563511 · · Score: 1

    Only if you're stupid (again) and have Windows on said secure network. Here's a hint - you can only get to it through (non Windows!) trusted (read: secured and audited) machines, and only management devices reside upon it.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  20. OEM's wont like it... by Taelron · · Score: 1

    OEM's like Dell and HP have the DRAC's and ALOM "add-in" cards that they sell at various prices ranging from $99 upwards of $650. Yet Intel is talking about enabling features the OEM's are charging premiums for in the BIOS for free. This could have a backlash effect from the channel partners...

    1. Re:OEM's wont like it... by nine-times · · Score: 1

      Depending on the feature set, quality, and reliability, people may still want to buy the Lights-Out add-on cards. Either way, that's the way progress works sometimes. You're making money fixing problems, and then those problems go away. I don't think that Intel's, Dell's, or HP's business will be so hurt by this that it'll cause a huge hubbub.

    2. Re:OEM's wont like it... by Junta · · Score: 1

      I mentioned this elsewhere, but AMT (which this is a part of) is a non-starter in the 'server' Intel chipsets at all, and even if it were, the second they drop an emulex or broadcom to drive the networking, it would still become non-working.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    3. Re:OEM's wont like it... by cas2000 · · Score: 1

      yep, *LO cards have a lot more than just a BIOS implementation of VNC.

      To start with, they provide a hardware watchdog, power on/off/cycle options, and querying of sensors and settings via ipmi from the OS as well as just remote console access. They're also a dedicated computer that's available at all times, not just when the machine is running the BIOS, including when they main machine is powered off. i.e. they offer out-of-band access to controlling the server.

      You can completely manage a remote machine. And it's just as useful when the remote machine is in a server room down the hall or even a machine in the spare room at the back of the house (walking back and forth between your main system and the back room system gets old after the first 5 or 6 times) as it is for a remote server on the other side of the world.

      The one big annoyance with every single lights-out card i've ever used (DRAC, ILOM, ELOM, RiLO/iLO, and others) is that they *all* use their own crappy proprietary java applet for remote console access rather than VNC or RDP. And the trouble with java for client apps is that it's way too fragile and version dependent - some applets require java 1.5 and won't work with 1.6, and some are the opposite. Some only work with Sun (Oracle, now) Java, and some work on openjdk. If you need to run several different applets occasionally, you're screwed.

      VNC in the BIOS isn't as good as a real BMC card, but this is a great step in the right direction. IMO, IPMI belongs on consumer-grade equipment too, not just on server motherboards.

      And hopefully it will encourage the server-board manufacturers to dump their java craplets for de-facto standard protocols.

      The clueless paranoid whingers here who think this is a bad idea obviously have never had to manage more than one system at a time - and that one is probably at home in their parents' basement.

      ps: finally a topic where "Imagine a Beowulf Cluster of these" is an appropriate comment. VNC at the BIOS level would be incredibly useful for managing a cluster built with a rack or racks of cheap consumer motherboards. even if you dedicate the built-in NIC for this task, buying a second network switch and a cheap PCI or PCI-e card for each machine is a lot cheaper and a lot less hassle than buying a KVM, and ethernet patch cables are easier to manage than KVM cables.

  21. Default=disable by phorm · · Score: 1

    I'm hoping that by default it's disabled and requires enabling+password to work.

    However, isn't VNC an insecure protocol? Perhaps it had a default SSL layer or something like that (I suppose then it would need an ability to update the cert as well) then it would be a safer solution.

  22. Dammit Jim! by bigredradio · · Score: 1

    Finally a good post and I am all out of mod points!

    --
    Flexible bare-metal recovery for Linux/UNIX
  23. Re:DHCP? Huh? by nabsltd · · Score: 1

    Before I VNC in to power up the box, I need DHCP running so I have an IP address to connect to. No problemo, I'll just power up the box to get a DHCP address before I power up the box to power up the box. Its turtles all the way down.

    I suspect that like IPMI, if you enable this new system, then as long as the "big red switch" is on (i.e., the motherboard is getting the power it would need to respond to the momentary "power on" switch), then the network card will also be powered and able to send and receive.

    The real trick is the very first time power on...if this new feature is set to "on" by default, and the NIC is set to use DHCP, then you can just drop ship new systems to wherever they are needed and then start the remote configure. Of course, that would be a really bad default, as the security holes it opens are profound. Imagine a company that doesn't use this feature, but doesn't disable it correctly...any internal hacker could then "watch" the initial OS install, and possibly be given remote admin access, allowing them to trojan the machine.

  24. Re:DHCP? Huh? by smbarbour · · Score: 1

    Using VNC, one can now ... power up,

    Before I VNC in to power up the box, I need DHCP running so I have an IP address to connect to. No problemo, I'll just power up the box to get a DHCP address before I power up the box to power up the box. Its turtles all the way down.

    I'll take it you've never heard of Wake-on-LAN. Third-party services such as LogMeIn actually can turn on remote machines as long as there is another computer on the network with LogMeIn installed. That doesn't even require an IP address. It's a packet addressed to the MAC of the NIC (which is why the originating packet needs to be on the same network).

  25. this is new? by Maglos · · Score: 1

    I use this tech on a number of lenovo desktops. It works pretty good, though I have had some reliability issues. Isn't this standard with all vPro capable hardware. BTW this has some amazing potential when working with our India based IT support, especially for a small company.

    1. Re:this is new? by Lennie · · Score: 1

      As I understand it, this is VNC (with encryption) and vPro isn't.

      --
      New things are always on the horizon
  26. Not really.. by Junta · · Score: 1

    Currently, they have this tied to AMT. That only works with a pure Intel implementation (integrated Intel nic, chipset, etc). AFAIK, it's even *specefically* only the 'desktop' chipsets that bother putting in the bits. So your EP/EN/EX platforms are not invited to the party at all, even *if* your vendor didn't put Emulex or Broadcom down. They specifically segmented this off as 'desktop/laptop', and said 'IPMI' is the server equivalent (which covers most of the base capabilities, but omits KVM and has delegated that to proprietary extensions, as real men need nothing more than Serial (even windowws admins).

    --
    XML is like violence. If it doesn't solve the problem, use more.
  27. Very cool, but can be difficult to set up. by sshambar · · Score: 1

    I bought my latest server board from Intel specifically because it supports this, and it does work well -- full KVM over VNC, can boot from bios all the way to desktop regardless of the OS, it's basically exactly like sitting at the console, but you can be anywhere.

    However, I had a few issues with the design:

    1) Setting up encryption for VNC was a pain... I had to dig around on intel's site to find some corporate management software before I could install a x509 certificate and connect to the encrypted port using RealVNC

    2) RealVNC Viewer Plus ($$) is required if you want the ability to have full AMT (all the cool remote disk mounting, system power control etc). Some of this you can get via the web interface though (via a different port).

    Apart from the setup pains though, it's very cool tech. I was also able to perform a full GUI install of Fedora on my US server from my laptop in Norway, using an ISO file on the laptop for the install (yes, you read that correctly... you can mount a local disk file on the remote machine and the bios make's it appear as a local disk! But again, that required the AMT features, and RealVNC Plus :P).

    The system works by intercepting IP packets on the motherboard network interface (so you must connect via that port, not just any network port), and redirects connections to a selection of ports (all configurable) to support remote management via VNC, http/https, or a few other protocols. This means you can connect in and check out the desktop at full rez even when someone's using the machine, or even work on fixing issues even though a kernel oops. Basically, as long as the network to the port stays up, you have access to full console control.

  28. Re:First post by Jeremiah+Cornelius · · Score: 1

    Alright! I have my hard-to-detect avenue for exploit. What a great vector! Thanks, Intel!

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  29. and IPMI isn't open? by funkboy · · Score: 1

    "now it can be done using the open standard VNC"

    there are no less than four open-source IPMI projects

  30. Re:DHCP? Huh? by vlm · · Score: 1

    I'll take it you've never heard of Wake-on-LAN. Third-party services such as LogMeIn actually can turn on remote machines as long as there is another computer on the network with LogMeIn installed. That doesn't even require an IP address. It's a packet addressed to the MAC of the NIC (which is why the originating packet needs to be on the same network).

    Yeah but thats cheating. You need an extra box and a WOL compatible switch, right? If I'm allowed to cheat and have stuff other than the as advertised VNC, then I can just specify a robot arm poised to punch the power switch. Or default the bios to always power up on restoral of AC and hook up to innumerable remote rebooter products and home automation products.

    I have noticed over the years that the concept of a power switch has been removed. The only thing my cable settop box does when its "off" is output a black screen. The giant office printer at work merely shuts off the LCD backlight when its switched off. Its all about making the greenies think they're saving KWH while not actually doing anything.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  31. Re:First post by That+Guy+From+Mrktng · · Score: 1

    Yes, another reason to not use intel, I mean, in a perfect world it would be awesome since you don't have truckloads of haxorRs and government agencies on the line to poke at your stuff, a cute little world where military research facilities don't get breached. How do we know intel is going to lose this info, how do we know someone else puppet (aka government) developed this and is using intel as a proxy. VNC is open source, so wheres the source of this implementation? Why VNC and not RDP? I use VNC but I acknowledge that RDP is better.

    It may be useful on a data center anyway and I hope AMD keeps away from this unless for some reason, some government rules that this help to "think of the children while keeping the turririst away" and get shoved anyway.

    Time to hoard on pre-brigbrother hardware gear.

    In other news: Tin foil industry have seen a rise in trading in the late afternoon.

  32. Re:Orwell would be proud by atisss · · Score: 1

    If you can't trust manufacturer for not putting in such backdoor - how can you trust the setting that the same manufacturer put in?

  33. What I want in a BIOS by PenguinJeff · · Score: 1

    I want a bios that can only be upgraded in an upgrade mode. After the upgrade it defaults to a non upgrade mode; thus, the only way to upgrade the bios is to reboot and set the upgrade mode in the bios, then boot an os with an app to upgrade the bios. It would also be nice to warn and stop with a continue question while in the update mode. This should be much harder to compromise than current bioses that can be written from the OS. Its a dream and will probably never happen but wouldn't it be nice. I also look forward to having UEFI bioses (I know some have it but very few.) I realize for arrays of computers this would be cumbersome maybe have the options to turn this behavior on. I've worried about compromised bioses ever since you where allowed to update the bios from the os. VNC in the bios seems like a big security hole.

  34. Old news by Mock · · Score: 1

    It's called AMT, and I've been running one of these for over a year on my $120 vPro motherboard.
    As of AMT 6.0, you can control every aspect of the pc, including interacting with the bios screen, from remote.

    http://en.wikipedia.org/wiki/Intel_Active_Management_Technology

  35. Re:Orwell would be proud by Belial6 · · Score: 1

    If you can't trust the manufacturer to not put in such backdoors, how can you trust that they have not already put it in and just not given you an interface to it?

  36. Windows OS - Windows Driver by Dareth · · Score: 1

    VNC subsystem -> VNC Driver
    Multiple systems can share a physically functional NIC. A bad driver in the OS layer does not stop the NIC in a different environment from using it.

    --

    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
  37. Re:REALLY useful by Cylix · · Score: 1

    I also had a chance to watch the video.

    This is integrated into the vPro management utilities. vPro is a proprietary BMC featured in their laptops and desktops. I have only user end experience with this, but you really just want to think of it as a DRAC. The major difference here is that beyond being another management interface it is shared with the host nic.

    Same technology and the primary difference is the level of exposure*1. vPro already offers remote kvm with a proprietary interface. Introducing VNC simply gives a better alternative to the already available management utilities.

    It's an improvement, but not anything world shattering.

    *1 Do you need any more reasons to be on the internet unprotected?

    --
    "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
  38. poor solutions to an already solved problem by Gravis+Zero · · Score: 1

    we already have KVM over IP which are independent systems and it's important that they are independent! when you get hacked the hackers, they can flash the BIOS which would be an insanely bad if they did this to a system with KVM over IP on MB.

    why KVM over IP on MB is a gigantic security issue:

    * BIOS memories are large have entire programs (see remote access forever using "unflashable" BIOS)
    * BIOS KVM over IP cannot be on an internal network only
    ** you can hack a KVM over IP system on a shared connection
    ** a DDOS takes out your KVM over IP
    * MB makers less interested in security than KVM over IP hardware people
    * cant replace KVM over IP system if it's found to be insecure

    --
    Anons need not reply. Questions end with a question mark.
  39. Re:Why will we be unhappy? by thegarbz · · Score: 1

    So when a vuln is found, which it WILL be everyone has to update their bios now? I know of alot of people who are going to be very unhappy about that idea!

    Why? What's so spectacular about a BIOS update? The boot to DOS and load the new BIOS from floppy is a thing of the past. My girlfriend upgraded her BIOS the other day. Didn't even notice. Ok that's a lie, she did notice. A window came up giving her a list of 2 drivers and a new BIOS, she clicked ok. That was it. The update utility for her computer is memory resident, so in theory it could be done as silently as a windows update.

    The only critical part is still a potential for a bricked machine due to a dodgy update, but between the few seconds the update took making a power outage unlikely, and the way companies like Gigabyte have released motherboards with multiple BIOSes as backups just in case an update goes screwy, is that much of a concern?

  40. Re:DHCP? Huh? by smbarbour · · Score: 1

    Exactly. All that is required is that the packet reaches the intended destination. The easiest way to do that on a TCP/IP network is the magic packet sent to one of the broadcast addresses (either network specific i.e. 192.168.0.255 or the general purpose one: 255.255.255.255). Every switch knows how to handle network broadcasts (and every hub, though I haven't seen an actual network hub in ages since small switches are commodity hardware now, transmits every packet to every connected port).