Slashdot Mirror


FSF-Endorsed Libreboot X200 Laptop Comes With Intel's AMT Removed

gnujoshua (540710) writes "The Free Software Foundation has announced its endorsement of the Libreboot X200, a refurbished Lenovo ThinkPad X200 sold by Gluglug. The laptop ships with 100% free software and firmware, including the FSF's endorsed Trisquel GNU/Linux and Libreboot. One of the biggest challenges overcome in achieving FSF's Respects Your Freedom certification was the complete removal of Intel's ME and AMT firmware. The AMT is a controversial proprietary backdoor technology that allows remote access to a machine even when it is powered off. Quoting from the press release: "The ME and its extension, AMT, are serious security issues on modern Intel hardware and one of the main obstacles preventing most Intel based systems from being liberated by users. On most systems, it is extremely difficult to remove, and nearly impossible to replace. Libreboot X200 is the first system where it has actually been removed, permanently," said Gluglug Founder and CEO, Francis Rowe."


  1. even when it is powered off. by kairis · · Score: 1

    AMT has remote power up capability but if the system is off ... it is OFF (no idle or standby).

    1. Re:even when it is powered off. by Anonymous Coward · · Score: 2, Informative

      AMT has remote power up capability but if the system is off ... it is OFF (no idle or standby).

      Yes. "Almost all AMT features are available even if PC powered is off, the OS is crashed, the software agent is missing, or hardware (such as a hard drive or memory) has failed" declares Wikipedia. http://en.wikipedia.org/wiki/Intel_Active_Management_Technology

    2. Re:even when it is powered off. by fuzzyfuzzyfungus · · Score: 4, Informative

      That may differ between laptops and desktops, or between AMT versions. On the desktops I've seen the AMT stuff is active if the PC is plugged in, regardless of its power state. Some of the capabilities of the AMT system cannot be used if the host PC is off; but the system itself runs on a separate processor and only turns off if the PSU is unpowered. Laptops may need to be more conservative, for the sake of retaining battery life while inactive.

    3. Re:even when it is powered off. by Zitchas · · Score: 1

      I kind of suspect that is the point: Low level functionality that allows them to actually turn on the computer, not just wake it up from standby or hibernation. It also grants access for BIOS updating, erasing and reinstalling hard drives, and other access like that.

      I suspect that the only "Off" that would actually block its activity would be the more absolute "the power bar is turned off" type security. Which is probably a good idea anyway, these days.

      --
      Z
    4. Re:even when it is powered off. by Anonymous Coward · · Score: 1

      Not true. It can power on systems remotely.

      http://www.radmin.com/radmin/intel_amt_features.php ...really really scary.

    5. Re:even when it is powered off. by kav2k · · Score: 1

      Quoting the same article

      For wireless notebooks on battery power, OOB communication is available when the system is awake and connected to the corporate network, even if the OS is down.

      So no magical "I'll maintain that WiFi connection even when asleep"

    6. Re:even when it is powered off. by TechyImmigrant · · Score: 1

      Assuming you haven't disabled it in the bios.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    7. Re:even when it is powered off. by Darinbob · · Score: 1

      Presumably "off" does not mean "powered down with no obvious source of energy"? A laptop has a battery but a desktop does not.
      What if a laptop disables wifi (I always do this), will the bios power it up against my will?

    8. Re:even when it is powered off. by Darinbob · · Score: 1

      I have my desktop, monitor, speakers, etc, all plugged into a power control thingy, and I always turn that off. So the desktop can not power itself on without a finger pushing a button. Ya, I'm a bit paranoid, or maybe it's OCD, but I like to power things off for real rather than allow standby/vampire power which can amount to a lot of juice if you add up all the devices doing this.

    9. Re:even when it is powered off. by GrumpySteen · · Score: 1

      Not at all. It still makes a great paperweight and can be used to bludgeon enemies in a pinch.

    10. Re:even when it is powered off. by JohnFen · · Score: 1

      I work with AMT systems. AMT systems can be powered up from being completely off (not in standby, etc.). This is accomplished because AMT processors contain an entirely separate little computer that itself never turns off, even when the rest of the system (including the CPU) is.

    11. Re:even when it is powered off. by Shirley+Marquez · · Score: 1

      Old school systems that had a physical Big Red Switch (including the original IBM PC, XT, and AT) really were completely off when they were off. But pretty much every computer these days has a soft switch, and depends on some part of the circuitry getting a bit of power to monitor the switch so it can turn the rest of the system on.

    12. Re:even when it is powered off. by lsatenstein · · Score: 1

      That may differ between laptops and desktops, or between AMT versions. On the desktops I've seen the AMT stuff is active if the PC is plugged in, regardless of its power state. Some of the capabilities of the AMT system cannot be used if the host PC is off; but the system itself runs on a separate processor and only turns off if the PSU is unpowered. Laptops may need to be more conservative, for the sake of retaining battery life while inactive.

      On the desktop, when the system is powered off, it is not truly off. The powersupply is on, and other power, however minimal, is obtained from the router or the hub connection. The powersupply is often sustained to keep the RAM alive, and some reboot info.

      Want it off, disconnect it from the router. If it has wifi built-in (as some desktops do), use the powerswitch on the back of the computer to fully poweroff the system.

      --
      Leslie Satenstein Montreal Quebec Canada
    13. Re:even when it is powered off. by cthulhu11 · · Score: 1

      So it's a service processor, like we've been using for decades. Big whoop.

  2. The year of Linux? by roc97007 · · Score: 2

    Are privacy and security issues the leverage that finally puts Linux in people's hands in significant numbers?

    (Are there enough people who *care* about these issues?)

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re:The year of Linux? by TWX · · Score: 3, Insightful

      (Are there enough people who *care* about these issues?)

      Not for $700+ for an obsolete laptop, there aren't.

      I've seen some niche things, but DAMN, this takes the cake.

      We have an X301 at home. It was a great computer when we bought it new, but the battery life is terrible by modern standards, the Centrino processor is slow, and the screen is dim and low-res. The weight, presence of an optical drive (though just DVD) and keyboard are the plusses. We just bought a replacement for it; I may still upgrade the RAM to 8GB from the 2GB that it has now so that it's a nice around-the-house lappy, but it's never going to be the primary computer ever again.

      If they'd managed to do this treatment to a Thinkpad X1 Carbon or something else that's modern then I expect a lot more people would be interested, but something this old? For this kind of money?

      --
      Do not look into laser with remaining eye.
    2. Re:The year of Linux? by future+assassin · · Score: 3, Insightful

      Until they classify it as a tool for promoting terrorism.

      --
      by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    3. Re:The year of Linux? by roc97007 · · Score: 1

      Ouch. Good point.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    4. Re:The year of Linux? by CODiNE · · Score: 3, Insightful

      Let's not forget back in the day when Linux and the GPL was "communist".

      --
      Cwm, fjord-bank glyphs vext quiz
    5. Re:The year of Linux? by bill_mcgonigle · · Score: 1

      Not for $700+ for an obsolete laptop, there aren't.

      It would be a decent one for a CA, to keep in the safe.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    6. Re:The year of Linux? by Gr8Apes · · Score: 1

      Are privacy and security issues the leverage that finally puts Linux in people's hands in significant numbers?

      (Are there enough people who *care* about these issues?)

      Nah, BSD will be on the desktop before Linux makes it. Wait, it already has...

      --
      The cesspool just got a check and balance.
    7. Re:The year of Linux? by idontgno · · Score: 1

      It's a snowclone.

      "If you install linux, the X win!"

      "X" is the bogeyman of the day. Historical examples include Communists, kiddy porn users, Terrorists, Anarchists, Freemasons, Jacobites, and immigrants.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    8. Re:The year of Linux? by AmiMoJo · · Score: 1

      Actually it seems quite reasonable for the money, assuming that the battery is new (re refurbed quality replacement cells). It's no screamer but a Core 2 Duo is plenty for most desktop stuff. The 1280x800 resolution is fine for a 12" display on an ultra-portable. 8GB of RAM max, and with an SSD it should be pretty quick. Even the GPU isn't bad.

      Plus you get a nice Thinkpad keyboard, still pretty hard to beat, and Thinkpad build quality. If you want a secure laptop for business or general desktop stuff I'd say it is pretty good. Where else are you going to get something even half as trustworthy? In the EU all electrical items have a minimum 2 year warranty as well.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:The year of Linux? by caseih · · Score: 1

      I have an X200 and specwise it's hardly any different from the current X220. Same processor (i5), same speed, same memory options. I bought it only last year specifically because it had a real keyboard. So, no the X200 is still a great laptop. And $700 is a good price, about par with used X200s.

      When I got the X200, I wiped it and put Linux on it. Now months later, I was fiddling with the BIOS and discovered that the Lojack stuff is activated, and cannot be deactivated (fortunately it does nothing on Linux, so far as I've been able to read). In order to deactivate it I need to contact the company who makes the malware and provide them with proof of purchase, and they'll give me a code to deactivate it, provided of course it's not been reported stolen (always a risk when buying used laptops, even on reputable sites). The catch is that I have to be running Windows to deactivate it. Sigh. So my ears perked up when the article mentions they've replaced the firmware. Wonder if that can be done to existing laptops without too much trouble.

    10. Re:The year of Linux? by Anonymous Coward · · Score: 1

      Possibly unknown to many of you, but Gnu/Linux is used by the U.S. Department of Defense.

    11. Re:The year of Linux? by caseih · · Score: 1

      My bad. The X200 is a much older laptop. The X220 is what I have and it's practically identical to the X230, which is the latest shipping version that has the chicklet keyboard that I can't stand.

    12. Re:The year of Linux? by vandamme · · Score: 1

      Which America were you referring to? 1776?

    13. Re:The year of Linux? by MagicFab · · Score: 1

      I agree it's absurd to pay such a price for something Intel could be doing. Why is Intel's problematic setup the default in the first place?

      The higher-than-ebay cost for this machine basically covers maintaining a proper commercial operation for existing firmware/BIOS modification, distributing and selling the system, including:

      * Upgraded with an 802.11n wireless card (Atheros AR5B95, AR9285 chipset), ensuring full compatibility with free drivers in Trisquel GNU/Linux-libre.
      * The Gluglug ships to USA, Canada and European countries at no extra cost. Other countries may vary.
      * Each sale directly supports the Libreboot project, helping to fund further development of the software.

      If you want an X1 Carbon with such changes, have you written to ask Intel if/how they are working with the FSF? I sure hope the FSF has, but while we're waiting for Intel to do the right thing, I am happy to pay Gluglug to provide a faster way to get a system with better freedom.

      --
      Notepad specialist & FAT administrator, group training available
    14. Re:The year of Linux? by RockDoctor · · Score: 1

      Not for $700+ for an obsolete laptop, there aren't.

      I got one of their previous offerings - an X60 with 3GB ram and a 320GB hard drive which I promptly replaced with a TB one I already had - for IIRC £220, and after a bit over a year I've had to spend another £20 to put a bigger battery into it. I don't know what that translates into in dollars, whichever dollar you're using.

      Everything works properly, and without hassles.

      In contrast I spent half as much again on a brand new piece of shit at about the same time for the stepdaughter after she fried her laptop video with static. That had some piece of shit called Windows 8 on it which has been an endless source of problems.

      GlugLug seemed to struggle a bit with fulfilling orders after they last got a big write up in a UK-based Linux magazine. It took about 2 1/2 weeks from order to arrival.

      Bigger screen than the current machine ... hmmm, considering it.

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    15. Re:The year of Linux? by RockDoctor · · Score: 1

      Coming soon (in a future libreboot update):

      ProteanOS BusyBox/Linux-libre operating system pre-installed directly in the SPI flash chip, alongside Libreboot. This will mean that the user has a full operating system available at all times (as part of the boot firmware) as a boot menu option for recovery or any other purpose such as updating libreboot, even if the HDD or SSD is removed from the machine. Those who order today will receive this as a software update when available, with installation instructions.

      OK, I'll put that idea on hold for a bit then.

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  3. Since when is AMT controversial? by ArmoredDragon · · Score: 5, Interesting

    I've always found AMT useful. It's turned off by default, so I'm not sure how it's a security risk. What I like about it is the following:

    - Allows you to remotely manage client PCs in a work environment, up to and including re-formatting the HDD with a new OS, including being able to remotely mount a local ISO image to install the OS.
    - Works even when some of the most critical system components don't work, such as CPU, RAM, etc, as it's an independent subsystem. Even if you don't want the remote management features, this is a huge deal when you have a seemingly dead system and aren't sure exactly how to fix it. AMT helps you figure out the EXACT problem FAST, and you don't even have to have the computer in your hands to do so.
    - Integrates with LDAP (including Active Directory, Samba, etc)
    - Provides the ability to power on and remotely wipe the laptop if it was stolen and contains sensitive data.

    So what's so controversial about it?

    1. Re:Since when is AMT controversial? by Anonymous Coward · · Score: 1

      It's not possible to turn it off. Among other things it handles the "Protected Video Path" on Intel GPUs (aka it implements DRM).

    2. Re:Since when is AMT controversial? by tlhIngan · · Score: 1

      So what's so controversial about it?

      It's not controversial. it's just it's another computer in your computer that's running Non-Free Software(tm). So they get rid of it and thus they have a computer that is Completely Free Of Proprietary Software.

    3. Re:Since when is AMT controversial? by Anonymous Coward · · Score: 5, Insightful

      God fucking christ dammit.

      How can you trust any hardware unless you audit the design and the machinery used to implement that design on silicon?

      The fact is that you can't.

      There are almost certainly undocumented Intel instructions or I/O ports which will enable software to bypass OS level protections. I imagine they are used almost never, but when they're used, you can be damn sure it makes a huge difference to the party with the privilege to know them. What can we do about it? Sweet fuck all until we get over the idea of trusting big business/government contractor (but I repeat myself) and develop and implement hardware the way we develop software. Won't the start-up cost be prohibitive? Eventually no.

      In the meanwhile, un-Clippered encryption will be outlawed, and hardware licensed to require backdoors.

    4. Re:Since when is AMT controversial? by Rennt · · Score: 5, Insightful

      However you slice it, AMT is a backdoor. If you control the backdoor on your own equipment then you can do some cool tricks, but implementing a backdoor massively increases the attack surface of the system.

      The question is whether the cool tricks are worth the risk. For managed corporate drone PCs the answer is probably yes. For everyone else it is definitely no. For a personal laptop it's an emphatic FUCK NO.

      Badly written Hollywood movies used to give crackers stupid computer-superpowers. Now that AMT is here those kind of fantasies become reality.

    5. Re:Since when is AMT controversial? by Obfuscant · · Score: 1, Informative

      It's not controversial. it's just it's another computer in your computer that's running Non-Free Software(tm). So they get rid of it and thus they have a computer that is Completely Free Of Proprietary Software.

      And also Completely Free Of Full Remote Management capabilities.

      I have a bunch of servers that all have iDrac or other management connections, and it sure is a lot easier to talk to a malfunctioning system when there is a dedicated remote console server. I've had people go wild using memory resources on some compute servers to the point that memory management is killing parts of the operating system. Parts that are required to remotely log in. Dedicated remote management means I can get a console to at least identify the problem (scrolling "killed" reports, e.g.) and then reset the system, without having to go find the physical system I need to poke.

      I can't recall a single laptop I've had that has an active network connection when it is off, so how would someone use this AMT on a Lenovo laptop to turn one back on to do anything to it? If you don't want remote access to a laptop that's turned off, unplug the network cable. Set a password on the remote access. End of problem. I call FUD on this fear.

    6. Re:Since when is AMT controversial? by fuzzyfuzzyfungus · · Score: 2

      Any remote management tool would be a 'backdoor', except that it is put in place by the owner for their convenience and with their consent.

      AMT is a particularly powerful, and somewhat opaque, management tool. Anyone who suspects the possibility that (deliberately, or by mistake) those very, very, useful capabilities might be available to others under some circumstances would naturally be suspicious of it.

      And, for the FSF and those who share their concerns, the fact that it is a wholly proprietary (and tricky to remove or replace) blob embedded in the brainstem of their computer is not something that would make them happy.

    7. Re:Since when is AMT controversial? by halivar · · Score: 3, Funny

      Oh, I can see it now. Some Linux enthusiast (wait, no, a GNU/Linux enthusiast; run-of-the-mill Linux enthusiasts are too corrupted by pragmatism) poring over hundreds of giant sheets of chip diagrams, nodding sagely at incomprehensible engineering spaghetti he doesn't even understand. "Hmmm... yes... this all seems to be in order..."

    8. Re:Since when is AMT controversial? by Anonymous Coward · · Score: 1

      It'd be a security risk even if AMT were open source.

      It's an entire other operating system running on what is basically an entirely different computer that has complete control over your server. Do you bother updating it? You spend how many hours making sure your server software is up-to-date, and yet it's all for naught if a hacker breaks in through AMT.

      Same thing goes for IPMI. Heck, some vendors were shipping boxes with IPMI enabled, _and_ with SSH enabled to IPMI, _and_ with a default password.

      It's an insane state of affairs.

      Sure this stuff is convenient for a certain class of administrators. But it's most convenient for hackers.

      You don't need to be paranoid about hidden backdoors in AMT. It's inherently a backdoor, with or without nefarious activity by vendors or the government.

    9. Re:Since when is AMT controversial? by Obfuscant · · Score: 2

      So because you've never had a computer with AMT, AMT doesn't exist? That's some weird logic you have.

      Didn't say that. I said I can't recall ever seeing it. Sorry the difference escapes you.

      If your computer has WoL (most do) it has an "Active" network connection (as in a passive listening connection), even when you disable WoL, it's still listening, it just doesn't do anything.

      It's hard to listen on an interface that has been shut off. Or on one that has been unplugged, which if you recall was what I suggested to deal with an always-on laptop network connection. Seems like I admitted they existed, which contradicts the words you tried putting in my mouth earlier.

      I know what "wake on lan" is, and I also know that it is a BIOS setting to enable and disable it. Still, you can't "wake on lan" a system that isn't connected to a lan, now can you? That seems like a simpler solution if you are scared of the boogeyman turning your powered-down laptop back on. It's not like you have to crawl under the desk to get to the network connection when you unplug a laptop.

      But using the simple solution doesn't allow for an "oh noes, the gov'mint can turn my laptop back on and monitor me, must buy a special laptop to be safe!" FUD campaign.

    10. Re:Since when is AMT controversial? by unixisc · · Score: 1

      So is AMT hardcoded into the silicon - is it a part of the CPU, or is it something that's a part of the firmware in the flash, but in the boot section, thereby making it unremovable?

    11. Re:Since when is AMT controversial? by TechyImmigrant · · Score: 2

      It's off by default. What have you been smoking?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    12. Re:Since when is AMT controversial? by fuzzyfuzzyfungus · · Score: 4, Informative

      A mixture of both. The AMT system includes a dedicated ARC cpu, which runs its own OS and functions independently of the host to a large degree; but also can see into, and sometimes make use of, some of the hardware visible to the host system (details depend on version). For communication, for instance, the AMT system has access to the wired NIC below the OS's view (wireless NICs are more complex, I think AMT can do a direct connection to a trusted AP if configured to do so; but can't do VPN without piggybacking on the host OS), and it also has enough hooks into the various peripherals that it can do remote KVM in hardware, by emulating HID devices and snooping the framebuffer, mount an .iso as though it were a connected SATA device, and access some storage and memory locations that are also accessible to the host OS or programs, in order to gather data on system health, software versions, etc.

      I'm not exactly sure how the BIOS/UEFI flash and the flash that stores the AMT firmware are related to one another. On computers with AMT, a 'bios update' will often flash both; but I don't know if that's because they are just different areas of the same SPI flash chip, or whether it's just a convenience bundling of two nearly unrelated updaters.
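Several posts above argue over whether AMT sits "below the OS's view" of the wired NIC, whether it is really off by default, and whether an admin can even tell. As an added example (not from the thread or any poster), here is a Python inventory check a defender can run on machines they administer. It assumes a Linux sysfs layout, that the MEI/HECI controller shows up as an Intel PCI device with class code 0x0780, and that an enabled AMT web service identifies itself in the Server header on TCP 16992; the sysfs tree built by constructed_sysfs and the Server header strings in the test are constructed sample data.

```python
"""Defender-side check for Intel ME/AMT exposure (added example, not from the thread)."""
import http.client
import tempfile
from pathlib import Path

# TCP ports the Management Engine's own network stack serves when AMT is enabled.
AMT_PORTS = {16992: "http", 16993: "https", 16994: "redirection", 16995: "redirection-tls"}

INTEL_VENDOR_ID = 0x8086
# PCI base class 0x07 (communication controller), subclass 0x80 (other): how the
# MEI/HECI controller, the host's window onto the ME, appears in sysfs (assumption).
OTHER_COMM_CONTROLLER = 0x0780


def _read_hex(path):
    """Parse a sysfs attribute such as '0x8086\\n'; None if unreadable."""
    try:
        return int(Path(path).read_text().strip(), 16)
    except (OSError, ValueError):
        return None


def mei_pci_devices(sys_pci="/sys/bus/pci/devices"):
    """PCI addresses of Intel 'other communication controller' functions.

    Heuristic: matches the MEI/HECI controller on Intel platforms, but any
    other Intel device carrying the same class code would match as well.
    """
    root = Path(sys_pci)
    if not root.is_dir():
        return []
    matches = []
    for dev in sorted(root.iterdir()):
        vendor = _read_hex(dev / "vendor")
        pci_class = _read_hex(dev / "class")  # e.g. 0x078000: class, subclass, prog-if
        if vendor == INTEL_VENDOR_ID and pci_class is not None \
                and (pci_class >> 8) == OTHER_COMM_CONTROLLER:
            matches.append(dev.name)
    return matches


def mei_device_nodes(dev_dir="/dev"):
    """Character devices the Linux mei driver registers when the ME is present."""
    root = Path(dev_dir)
    return sorted(p.name for p in root.glob("mei*")) if root.is_dir() else []


def local_me_inventory(sys_pci="/sys/bus/pci/devices", dev_dir="/dev"):
    """Presence of the ME interface on this host (not whether AMT is provisioned)."""
    pci = mei_pci_devices(sys_pci)
    nodes = mei_device_nodes(dev_dir)
    return {"pci": pci, "dev_nodes": nodes, "me_present": bool(pci or nodes)}


def classify_amt_response(headers):
    """'amt' if the Server header names AMT's embedded web server, else 'not-amt'.

    `headers` maps header name -> value; the lookup is case-insensitive.
    """
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    return "amt" if "active management technology" in server.lower() else "not-amt"


def probe_amt(host, port=16992, timeout=3.0):
    """Ask an administered host's AMT http port to identify itself.

    Only the unauthenticated landing page is fetched; no credentials are sent.
    Returns 'amt', 'not-amt' or 'unreachable'.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return classify_amt_response(dict(resp.getheaders()))
    except (OSError, http.client.HTTPException):
        return "unreachable"
    finally:
        conn.close()


def constructed_sysfs(root=None):
    """Build a constructed sysfs-like tree so the PCI check can run offline.

    Three fake functions: the ME interface (Intel, class 0x0780), an Intel
    NIC (class 0x0200) and a non-Intel 'other communication' device.
    """
    base = Path(root or tempfile.mkdtemp()) / "pci"
    fake = {
        "0000:00:16.0": (0x8086, 0x078000),  # MEI/HECI controller (constructed)
        "0000:00:19.0": (0x8086, 0x020000),  # Ethernet controller (constructed)
        "0000:00:05.0": (0x1af4, 0x078000),  # non-Intel comm device (constructed)
    }
    for addr, (vendor, cls) in fake.items():
        d = base / addr
        d.mkdir(parents=True, exist_ok=True)
        (d / "vendor").write_text(f"0x{vendor:04x}\n")
        (d / "class").write_text(f"0x{cls:06x}\n")
    return str(base)


if __name__ == "__main__":
    import sys
    print("ME interface on this host:", local_me_inventory())
    for host in sys.argv[1:]:  # hosts you administer
        print(f"{host}:16992 -> {probe_amt(host)}")
```

A "me_present" result only says the coprocessor's host interface exists; AMT being provisioned is what the port check answers, and a machine whose firmware has had the ME removed, as the article describes, should report neither.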

    13. Re:Since when is AMT controversial? by K.+S.+Kyosuke · · Score: 1

      All the 'Libre' crowd rants about the source code of the software, but somehow gives a pass about the hardware not being open

      You must be living on a different planet.

      --
      Ezekiel 23:20
    14. Re:Since when is AMT controversial? by TheDarkMaster · · Score: 1

      The problem is that it is a too powerful tool that if used for evil can cause impressive havoc and no one would know until too late. And a too powerful tool where you are not sure if you have the control you should have. Useful, yes, but a too big security risk for my taste.

      --
      Religion: The greatest weapon of mass destruction of all time
    15. Re:Since when is AMT controversial? by hermitdev · · Score: 1

      Not to be pedantic or argumentative, but how are you sure your open hardware design isn't manipulated or back-door'd after you hand it over to a 3rd party for manufacturing? There is no single person in the world that can build a useful general purpose (in today's standards) computer from hardware to software, guaranteeing that no one else has had an opportunity along the way to manipulate it in some fashion. At some point, you have to start trusting people/organizations/companies. The fewer involved, the greater level of trust you can reasonably assume. We've already seen how the "many eyes" postulation may be flawed (see: openssl). I chalk that up more to human nature: everyone assumes everyone else is looking, so until you personally have a problem, you don't look, you just assume & trust. I know I do this; I only read others' code when I'm bored or have to. Once I'm sufficiently bored by reading others' code that I'm not paid to read, I get back to my regular job.

    16. Re:Since when is AMT controversial? by Miamicanes · · Score: 1

      As I understand it, at the bare-metal hardware level, AMT is basically a networked JTAG programmer grafted onto the ethernet controller that can do things like read & write values into RAM, stuff values into the CPU's registers, update the BIOS NVRAM, and override the normal boot process as long as you have physical ethernet access to the same network as the target computer & can present AMT with credentials it's satisfied with. It basically starts with the foundation provided by Wake-on-Lan & PXE, and adds the JTAG-like capabilities and security on top.

    17. Re:Since when is AMT controversial? by jhantin · · Score: 2

      Exactly. How is this materially different from an integrated remote-access card and baseboard management controller? I'm at a loss why Intel used an Argonaut core for it, though. I'd have expected a lightweight x86, or maybe an ARM. However, all that is beside the point.

      The main reason for all the hullabaloo is that the Intel firmware that normally runs on this coprocessor is delivered as a closed-source blob, which raises trust issues given how pervasive its access to the machine is. It's also had its share of bugs and exploits, some of which work even if AMT is turned off in the BIOS, since the coprocessor may still be doing mundane baseboard tasks like fan control.

      --
      ...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
    18. Re:Since when is AMT controversial? by unixisc · · Score: 1

      I agree w/ you, and the same argument goes for software. RMS and the FSF supporters tell us that we need the source code for the 4 GNU freedoms. Well, even hardware - particularly at chip level - has hardware description languages, or HDL code that defines it, both in a structural level and behavioral level. Yet, the same people argue that they are circuits, since they cannot be changed. Why not? Just get the HDL code, put it on an FPGA, and recode it whenever needed.

      For the record, I agree w/ the Open Source guys - focus on the advantages of FOSS code, and accommodate the business modifications needed to the licenses. That's the pragmatic approach, as opposed to the Copyleft cult of the FSF. And I have no problems w/ binary blobs, or closed drivers, or exceptions to the FOSS rule.

    19. Re:Since when is AMT controversial? by Darinbob · · Score: 2

      But the instructor at the certificate course assured me that it was safe!

    20. Re:Since when is AMT controversial? by Darinbob · · Score: 1

      So the whole point is to avoid walking to the client's desk? I remember when that used to be the majority of my social life...

    21. Re:Since when is AMT controversial? by Fjandr · · Score: 1

      Even then, you can't really be sure unless you inspected the silicon wafers yourself.

    22. Re:Since when is AMT controversial? by PopeRatzo · · Score: 3, Insightful

      At some point, you have to start trusting people/organizations/companies.

      What you're really saying is, "You don't have a choice, so just suck it up, princess. Privacy is so 20th century."

      No, you don't have to trust people/organizations/companies who have not earned your trust. You are the one paying. Use the power you have as a consumer. Weaponize your purchasing power.

      And always, always reserve the right to just say "Nope, I don't need it, I don't want it, and I'll find another way."

      --
      You are welcome on my lawn.
    23. Re:Since when is AMT controversial? by PopeRatzo · · Score: 2

      There are reasons beyond the "4 GNU freedoms" to oppose these devices being installed into all new computers.

      I'll bet you're not so sanguine about having a device installed in your car that allows for remote shutoff, location reporting and monitoring of your driving habits.

      Because the real question is not "what is so controversial?" but rather "how secure are these systems?" It's not about what a sysadmin can do with the power to remotely turn on your computer, but what some miscreant can do with that power when he inevitably gets his hands on it. And the computer in question is not the one on your desktop at work or your business laptop (that your company paid for anyway), but the one you have at home for your taxes/banking/personal communications.

      --
      You are welcome on my lawn.
    24. Re:Since when is AMT controversial? by tepples · · Score: 2

      So the whole point is to avoid walking to the client's desk?

      Perhaps the point is to avoid flying to the client's desk in another country.

    25. Re:Since when is AMT controversial? by Anonymous Coward · · Score: 1

      A locksmith can change a lock and then claim to give you all the keys to your lock. It's very possible that the locksmith has an ulterior motive, withhold a key to your lock and lie to you about it. You could now spend your life with this possibility in mind and do nothing about it, you can act to find evidence that this key exists, or you can choose to trust your locksmith that he isn't cheating you.

      Tell me, do you personally change your own locks and personally cut the corresponding keys or do you trust that your locksmith is not cheating you?

    26. Re:Since when is AMT controversial? by MikeBabcock · · Score: 1

      May I direct you to the other closed-source firmware story of the day about D-Link routers having remote DNS admin capabilities without a password? You can't trust remote admin features on hardware when you can't see, or have someone you trust see, the software it's running.

      --
      - Michael T. Babcock (Yes, I blog)
    27. Re:Since when is AMT controversial? by TechyImmigrant · · Score: 1

      Yes, please keep lecturing me about products I design. I'm sure I'll learn more by 'Googling around'.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    28. Re:Since when is AMT controversial? by Ungrounded+Lightning · · Score: 1

      All the 'Libre' crowd rants about the source code of the software, but somehow gives a pass about the hardware not being open ...

      You haven't been watching very closely.

      *I* have been ranting on slashdot about AMT for years. Look it up.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    29. Re:Since when is AMT controversial? by Anonymous Coward · · Score: 1

      So I gather this version of GNU/Linux doesn't support SSH etc.? Or are they performing the usual BS double standard of "it is only a remote backdoor if it isn't our endorsed tech"?

    30. Re:Since when is AMT controversial? by gnupun · · Score: 1

      wait, no, a GNU/Linux enthusiast; run-of-the-mill Linux enthusiasts are too corrupted by pragmatism) poring over hundreds of giant sheets of chip diagrams,

      They don't do that (poring) even for software that they can read and understand, hence all these critical bugs. Why should manufacturers spill their millions of dollars' worth of secrets to a bunch of freeloaders? Vendors are fully within their rights to keep their designs secret. If you don't trust their products, don't use them.

    31. Re:Since when is AMT controversial? by Troed · · Score: 1

      What's controversial?

      Heard of humanity's latest hero - Snowden?

      On my personal computer there's no IT department that needs any of the things you mentioned. Thus it should be configurable.

      It's not.

    32. Re:Since when is AMT controversial? by gl4ss · · Score: 1

      that's like saying that crotchless pants are great for easy access when traveling on the subway

      --
      world was created 5 seconds before this post as it is.
    33. Re:Since when is AMT controversial? by jabuzz · · Score: 1

      I don't trust the locksmith. So I actually fit the lock myself, and when it comes to getting keys cut the locksmith has no idea where the lock for the key I am getting cut is going to be located because I don't tell them or even give them my home address. In fact they don't even know my name because I paid in cash.

    34. Re:Since when is AMT controversial? by jones_supa · · Score: 1

      We wouldn't have the screaming-fast modern computers with zigabytes of jibberies and Gordon Freeman if it wasn't for copyrights and patents creating business interest to put astronomical amounts of money and engineering into specialized proprietary research.

    35. Re:Since when is AMT controversial? by WillRobinson · · Score: 1

      I absolutely agree with you. Looking back and remembering what we thought technology would turn into from the 80's, and looking at it in today's light, things have gone to hell in a handbasket compared to what we thought these technologies would become. Remembering back to some of the first hacks we read about, I never thought we would be spending so much energy on securing every point, as either someone was trying to abuse the system, or our own or other governments and entities were trying to monitor us or steal from us.

      I have unfortunately become my own father: "trust nothing you read, trust nothing you hear, and only trust half of what you actually see".

    36. Re:Since when is AMT controversial? by mrchaotica · · Score: 1

      Tell me, do you personally change your own locks and personally cut the corresponding keys

      I do. All it takes is a screwdriver, you know. Some of the newer locks (e.g. Kwikset SmartKey) are even designed to be easily re-keyed by the owner.

      --
      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    37. Re:Since when is AMT controversial? by TechyImmigrant · · Score: 1

      It's the difference between "turn it off" and "I don't want this to be on my computer in the future".

      It's a benefit to you if you want to prevent someone with physical access from being able to turn it on and then use it as a remote attack vector later.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    38. Re:Since when is AMT controversial? by RockDoctor · · Score: 1

      And also Completely Free Of Full Remote Management capabilities.

      I have a bunch of servers that all have iDrac or other management connections,

      I suspect that you're not the target audience for this system.

      I have an 18-wheeler truck for sale. Would that be good for your daily commute to the building with the underground car park?

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  4. Now that all the secure everything is gone... by Anonymous Coward · · Score: 4, Insightful

    Can we put it all back, under our control?

    I want a computer that secure-boots my signed bootloader, which boots my signed kernel, which executes my signed init and starts a signed console with a signed login and logs me into a signed bash.

    I want the promise fulfilled: that I know with cryptographic certainty that as long as my key is secure, "They" have not tampered with my persistent environment.

    A far cry from what it has become: the MAFIAA knowing with cryptographic certainty that I have not tampered with my environment.
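
What this post asks for is what owner-enrolled UEFI Secure Boot keys provide: your own certificate in db, under your own KEK and PK, so the firmware refuses any bootloader or kernel you did not sign. The step most people stumble on is packaging the certificate in the variable format. The following is an added example written for this page, not code from the post or from any firmware project: it builds and parses the EFI_SIGNATURE_LIST structure the UEFI specification defines for db/dbx (the same thing efitools' cert-to-efi-sig-list produces). The two signature-type GUIDs are the specification's constants; the owner GUID and the DER certificate bytes in the demo are constructed placeholders; signing the list with your PK into an authenticated .auth update and writing it with efi-updatevar are not reproduced here.

```python
"""Build and parse EFI_SIGNATURE_LIST blobs for owner-controlled Secure Boot.

Added example for this thread; not code from the post or from any firmware
project. The layout is the UEFI spec's EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA.
OWNER_GUID and the DER bytes in the tests are constructed filler.
"""
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed; choose your own

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian, GUID in EFI byte order).
ESL_HEADER = struct.Struct("<16sIII")


def build_esl(sig_type, entries, owner=OWNER_GUID):
    """One EFI_SIGNATURE_LIST holding `entries`; every entry in a list shares one size."""
    if not entries:
        raise ValueError("empty signature list")
    size = len(entries[0])
    if any(len(e) != size for e in entries):
        raise ValueError("entries in one list must have equal size")
    if sig_type == EFI_CERT_SHA256_GUID and size != 32:
        raise ValueError("SHA-256 entries must be 32 bytes")
    sig_size = 16 + size                      # EFI_SIGNATURE_DATA = owner GUID + data
    list_size = ESL_HEADER.size + len(entries) * sig_size
    out = ESL_HEADER.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for entry in entries:
        out += owner.bytes_le + entry
    return out


def cert_to_esl(der_cert, owner=OWNER_GUID):
    """Wrap one DER certificate (one certificate per X.509 list, as efitools does)."""
    return build_esl(EFI_CERT_X509_GUID, [der_cert], owner)


def hashes_to_esl(sha256_digests, owner=OWNER_GUID):
    """Wrap raw SHA-256 image hashes, for allow-listing unsigned images in db."""
    return build_esl(EFI_CERT_SHA256_GUID, list(sha256_digests), owner)


def parse_esl(blob):
    """Yield (sig_type, owner, data) across concatenated lists, which is how db is stored.
    Rejects truncated or inconsistent lists instead of reading past the buffer."""
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("truncated list header")
        sig_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("list size out of bounds")
        body = blob[off + ESL_HEADER.size + hdr_size: off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("body is not a whole number of signatures")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield (uuid.UUID(bytes_le=sig_type), uuid.UUID(bytes_le=entry[:16]), entry[16:])
        off += list_size


if __name__ == "__main__":
    import sys
    # usage: python esl.py my-db-cert.der > my-db.esl
    sys.stdout.buffer.write(cert_to_esl(open(sys.argv[1], "rb").read()))
```

One caveat that matters for this thread: Secure Boot only verifies what the firmware loads after it. It says nothing about the firmware itself or about the ME that runs beneath it, which is the layer the Libreboot X200 work is about.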

    1. Re:Now that all the secure everything is gone... by Anonymous Coward · · Score: 1

      "They" are the ones manufacturing the computers. Like the one you used to post that crap, for example.

      Secure Boot was only ever meant to do two things, neither of which involve security or booting:

      1) Make it more difficult for anything other than Windows to run without minor to major headaches on a PC.
      2) Give Microsoft a means of providing a license key per copy of Windows in an area that the end-user can't get at. It's an extension of the "no used games" idea they had for the XBONE that people freaked the fuck out over...oddly enough, though plenty of red flags were raised about TPM and Microsoft closing in their monopoly on the PC market, there wasn't much of a fuss made about Secure Boot until it was too late to do anything about it.

      Again, note that neither of those involves protecting your privacy. It doesn't involve booting -your- signed kernel, it involves booting whatever kernel Microsoft permitted to be signed. If it weren't for the inevitable backlash I'm certain that Microsoft would steam straight ahead and just outright refuse to sign any other kernel than their own. "Linux on the desktop" and others now owes its existence to Microsoft "allowing" Linux to run on said device. Own an Android tablet? No problem. They regularly rattle their sabres at Android device manufacturers with vague threats about patent violations and as a result, over a billion dollars in revenue per year comes from Android...which comes from Linux. Microsoft is indirectly claiming ownership of Linux through aggressive litigation, essentially forcing companies into paying for a product they should be getting for free. If that sounds familiar, it's because they tried to do it by proxy, funding SCO until they ran themselves into the ground. Now they don't need companies like SCO in their back pocket, the only thing secured by Secure Boot is Microsoft's monopoly over the PC market. Now they're waving a free Windows 10 upgrade in people's faces to try and tempt them into hopping back on the Microsoft upgrade train...you think that a Windows 10 computer will be under your control? Here's a hint as to what's coming down the pike; Bitlocker, the only available option for full disk encryption for Windows at this point, uploads the encryption keys to Microsoft's servers for "backup" purposes. Oh, I'm sure it's all benign, they wouldn't misuse something like that. I'm sure not once has Microsoft ever turned over a user's encryption keys as a result of some "national security letter" or a briefcase full of cash from one of the three-letter-agencies like the NSA.

      To answer your question? No, you can't put it back under your control. You had your chance to fight TPM and Secure Boot, the same way that you fought CISPA/SOPA from being passed...didn't work this time. Now Microsoft has control...and whoever has control of Microsoft, by extension, controls you.

      You will never know with "cryptographic certainty" that "they have not tampered with" your "persistent environment." Unless you inspect every line of code, study every IC down to the micron level, audit each and every piece of the system you're running, your "promise" will never be fulfilled. If you don't know how a given system will react under all circumstances, you have to assume that it's potentially insecure. Hell, take a brief look around the front page for the Intel AMT article. You really think that the same administration who pondered a "kill switch" for the entire internet would abandon that idea just because of bad publicity? The CIA torture report was bad publicity to say the very least...yet it was a news story for all of about a week. They have their kill switch, they have a reliable means of powering on and accessing low-level system functionality, remotely. In addition to that, they have going for them a mostly apathetic populace, who are more concerned with their Facebook posts than the fact those Facebook posts are being collected and analyzed by foreign and domestic intelligence agencies. All the US need do to cripple a developed nation would

    2. Re:Now that all the secure everything is gone... by yuhong · · Score: 1

      This is full of errors. For one thing, the way the Win8 license key is stored in the ROM has nothing to do with Secure Boot. I think it uses ACPI.

  5. Inquiring minds want to know by Qzukk · · Score: 3, Funny

    But does it run Windows?

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
    1. Re:Inquiring minds want to know by Anonymous Coward · · Score: 1

      So in other words I'm not free to choose which user-space operating system I want.

  6. AMD by Atmchicago · · Score: 3, Interesting

    Would it be easier to go with an AMD laptop? Do they have similar firmware concerns?

    --

    You can lead a horse to water, but you can't make it dissolve.

  7. Re:So... by TWX · · Score: 1

    ...if I absolutely HAD to have something FSF-compliant...

    Such requirements are only self-imposed requirements. Even defense contractors like Boeing use stock computers from large OEMs like Dell.

    I can't think of a single instance when something being FSF-compliant matters at all, except maybe if you want to work for Richard Stallman. If Wikipedia is to be believed then there are exactly twelve people in the world affected.

    --
    Do not look into laser with remaining eye.
  8. Re:A Perfect Metaphor For the FSF/GNU... by Anonymous Coward · · Score: 1

    Newer Intel things are much harder to free (for example, removing AMT from later Intel boards makes it reset every 30 minutes like clockwork.) At least people are trying to do something though. Instead of bashing on these efforts, why not focus on getting Intel and AMD to free those proprietary bits of software? Then it would not be necessary to waste months of effort on older hardware only to have someone bash on them that it's not good enough.

  9. Re: Hey Insane RMSDSer, yes YOU! by borknado · · Score: 1

    I agree, for me it stands for RMS Decidedly Successful. He's on the level of Alan Turing. Turing was driven to kill himself by people against whom he was back then. Same thing for some people now with RMS. His philosophy of freedom as in libre will be common sense in 100 years, and people like you will be looked back on in shame.

  10. Re:OLD Hardware by unixisc · · Score: 1

    Why not go w/ the Librem, discussed here a few days ago?

  11. Re:A Perfect Metaphor For the FSF/GNU... by unixisc · · Score: 1

    I fully endorse this! I visited a Linux conference in my city several months back, and all the booths had something interesting or the other. The only exception was the FSF: except for slogans like iBad and posters & stickers, they really had nothing worth showing. And how can they be, when they've completely discounted the importance of good products, and made liberated products the only criterion by which to endorse? Other companies make products around Linux or the BSDs, while all these guys do is take a fully functional Linux, cripple it some b'cos the software that makes it better ain't liberated, and then they expect people to pay equal or inflated prices for those.

    What are all the GNU programs I have on my computer? Most of them - GTK+ ones - now conquer my whole screen and are usually difficult to resize, except under GNOME. Functionality - less than other standard BSD or Linux programs. If GNU wants to be relevant, there is one way they could do it - have their cadres focus on writing great software, as opposed to being the Software industry's equivalent of the OCCUPY crowd.

  12. Re:Snore. by unixisc · · Score: 1

    Get the FSF/RMS to do some ass-smooching, and then you too will get your /. headline

  13. Re:Um, let me get this straight... by unixisc · · Score: 1

    I've wondered that as well. Why do these laptops need to be based on an x86? Use something like RMS' previous fav - a Loongson CPU, or an Allwinner - the same thing being used for some Android tablets. That way, one can get a fully documented thing. Of course, it would be illegal to sell that in the US due to laws violating IP, but since when has that stopped RMS, or the FSF, which is his sock puppet?

  14. Re:So... by TheDarkener · · Score: 1

    I can't think of a single instance when something being FSF-compliant matters at all

    Except for one's own peace of mind, of course. Which I guess doesn't matter.

    --
    It is pitch black. You are likely to be eaten by a grue.
  15. What about CPU microcode? by Balial · · Score: 2

    If you're going to drop the Intel ME, Intel could still put something together in the CPU microcode patches. Or, you know, just in the silicon itself.

    This product is a sham. "Only free software -- until it's not".

    1. Re:What about CPU microcode? by gnujoshua · · Score: 1

      Except that the Intel microcode on the CPU has been wiped; no Intel microcode patches or updates are applied to the CPU on the Libreboot X200. So "it is free software and it continues to be free software?"

    2. Re:What about CPU microcode? by yuhong · · Score: 1

      Microcode doesn't run when the computer is powered off and can't connect to a network directly.

    3. Re:What about CPU microcode? by The+Finn · · Score: 1

      CPU microcode still exists even if the blobs aren't included. You're just limited to the version that's included with the stepping of your CPU. I believe the management engine (ME) on the chipset is the same way. (On the server side, at least, the chipset won't allow the CPUs to boot without an ME blob.)

      Just because your software doesn't include any blobs doesn't mean that there aren't any blobs on the hardware.

      --
      NetBSD: the cathedral vs the bizarre.
  16. Re:So... by tshawkins · · Score: 1

    Interesting, the first time they did that, it would trigger a wave of replacement worldwide, so you get the situation where they won't because they don't want to burn that card.

    It's long past the point where the world needs a reliable supply of non-US-based technology components; I now consider almost everything originating from the US as being irrevocably compromised. And China is not much better.

    We have sold our souls to the devil for the nice tunes he plays, and now we have to pay.

  17. Re: Hey Insane RMSDSer, yes YOU! by borknado · · Score: 1

    Funny how when its RMS, it's "religion" and "god worship" but when it's Einstein or Newton it's just appreciating the immense contributions made by a gifted intelligent individual. I hear the same thing with anti-Obama nutbags, calling anyone who has admiration for him a stupid "worshiper" who "drank the Koolaid". Ah, the convenience of self-justifying logic. How nice that must be for you.

  18. Re:So... by AHuxley · · Score: 1

    Re: "It long past the point where the world needs a reliable supply of non-US based technology components, i now consider almost everything originating from the US as being irrevocably compromised"
    Yes, this is the first small positive step that keeps the networked computing side. The user gets new firmware, hardware and an OS that's more understood. The hardware also has some of the more remote-friendly aspects looked at.
    The next step for nations is a box with a chip and motherboard that is fully understood as designed. Beyond that is paper, a typewriter, one time pads and number stations.
    Projects like this will help a lot of people and nations :)

    --
    Domestic spying is now "Benign Information Gathering"
  19. Re:So... by AHuxley · · Score: 1

    Re: "But, honestly, that same amount of money will get you a MUCH better NEW laptop and there are ways to secure a system around AMT."
    The issue with the newer systems is the remote low-level access that's part of the "NEW laptop" or computer system.
    If a person is seen and tracked outside, away from their networked computer, that would give time to access that networked computer.
    Some of the needed tools are built into the hardware as sold and powered, waiting for the remote commands.
    After a system is altered, all the owner would see in their own logs is the soft sleep or shutdown and their own use.
    Projects like this remove some of that built-in, waiting, easy remote access as sold. A remote system that could have granted easy network access might now need physical access or other network access that might be a bit more difficult to hide.

    --
    Domestic spying is now "Benign Information Gathering"
  20. Re: Hey Insane RMSDSer, yes YOU! by borknado · · Score: 1

    lol, I had you pegged. Anyone who likes someone you don't like is a "religious zealot". Face it, you just resent RMS, and Obama, who are in your face about being good people and doing good things, and you can't do anything about it. You're the very picture of abject impotence..

  21. Re:So... by Chas · · Score: 1

    This is where the whole notion of risk management comes into play.

    Now, if you're a world famous nuclear scientist working on spurting-edge fusion power experiments, a stupid-rich CEO of an unpopular company or a politician with even more dirty laundry than your AVERAGE political hack, you're probably a FAR bigger target than "Joe Familyguy".

    I'm not saying "don't secure your shit."

    But at some point, the risk/return equation simply becomes unacceptable for most people.

    Technically, if you disassembled your machine, broke it down to component parts, sealed each part inside an air/water-tight safe (a different safe for every part), and buried each part in a location only known to you in a concrete and rebar cage, your shit would be REALLY fucking secure.

    But actually using the system (let alone accessing the data) becomes an unacceptable hassle.

    So, at some point, there's ALWAYS tradeoffs between security and usability. ALWAYS. Anyone telling you different is selling you a line of high-grade BULLSHIT.

    --
    Chas - The one, the only.
    THANK GOD!!!
  22. Re: Hey Insane RMSDSer, yes YOU! by borknado · · Score: 1

    Icaza is an interesting person. I loathed him during the Novell days. He was doing evil in my view. Now, at Xamarin, I think he is doing immense good. But, he is only doing that good because he was stopped from doing any more evil. Sometimes brilliant people need to be contained and redirected. Icaza is a prime example.

  23. Re:I am actually excited about Intel AMT by gnupun · · Score: 1

    If I understand it correctly, I would be able to power on, fix or reimage my home desktops/laptops while at work or away on a trip. Or fix my mom's crashed computer from halfway around the globe.

    And govt agencies and hackers would also be able to do this and we don't want that. As far as fixing your mom's computer, a simple video chat using some mobile phone can be used to fix the computer, without the invasive spyware.

  24. Intel Active Management Technology .. by lippydude · · Score: 1

    " Intel Active Management Technology: Known Vulnerabilities and Exploits"

    What is needed is another OOB security-sub-system to protect the Intel Active Management Technology from getting compromised :)

  25. What's so controversial about AMT? by lippydude · · Score: 1

    @ArmoredDragon: "I've always found AMT useful. It's turned off by default, so I'm not sure how it's a security risk."

    Either by accident or design, it allows for a backdoor into the system. I wouldn't be surprised if it didn't come with its own backdoor ref.
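
Whether AMT really is "turned off" on a particular machine is something you can check from the network rather than argue about: an unprovisioned ME exposes nothing, while a provisioned AMT listens on its own TCP ports regardless of what the host OS is doing. The following is an added example written for this page, not code from the post or from Intel: it probes a host for the AMT web service and, for offline use, includes a throwaway listener that plays the device. Assumptions not stated in the thread: AMT serves HTTP on 16992 (HTTPS on 16993) and identifies itself with a Server header beginning "Intel(R) Active Management Technology"; the other ports in the table are the redirection and RMCP services. The response banner below is constructed for the demo, not captured from real firmware.

```python
"""Probe hosts for an exposed Intel AMT web interface (added example).

Assumptions: provisioned AMT answers HTTP on TCP 16992 with a Server header
starting "Intel(R) Active Management Technology". AMT_BANNER and OTHER_BANNER
are constructed sample responses for the offline demo.
"""
import socket
import threading

AMT_PORTS = {
    16992: "HTTP web UI / WS-Management",
    16993: "HTTPS web UI / WS-Management",
    16994: "SOL / IDE-R redirection",
    16995: "SOL / IDE-R redirection over TLS",
    623: "RMCP (ASF)",
    664: "RMCP secure",
}
AMT_MARKER = "Intel(R) Active Management Technology"

# Constructed sample responses for the offline demo, not captured traffic.
AMT_BANNER = (b"HTTP/1.1 200 OK\r\n"
              b"Server: Intel(R) Active Management Technology 7.1.20\r\n"
              b"Content-Type: text/html\r\n\r\n<html>AMT</html>")
OTHER_BANNER = b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"


def probe_http(host, port, timeout=3.0):
    """Return the HTTP Server header ('' if absent), or None if nothing answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = b""
            while len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:                      # refused, filtered, timed out
        return None
    head = data.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"server:"):
            return line.split(b":", 1)[1].strip().decode("latin-1")
    return ""


def looks_like_amt(server_header):
    """True when the Server header identifies the AMT firmware web server."""
    return bool(server_header) and server_header.startswith(AMT_MARKER)


def scan_host(host, ports=(16992,), timeout=3.0):
    """Map port -> (server header, is_amt); closed or filtered ports give (None, False)."""
    result = {}
    for port in ports:
        header = probe_http(host, port, timeout)
        result[port] = (header, looks_like_amt(header))
    return result


def serve_banner(banner, hits=1):
    """Offline stand-in for a device: answer `hits` connections on 127.0.0.1 with `banner`.
    Returns the bound port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def run():
        for _ in range(hits):
            conn, _addr = srv.accept()
            with conn:
                conn.recv(1024)          # consume the request, then reply
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:                # no target: run against the fake device
        port = serve_banner(AMT_BANNER)
        print("127.0.0.1", scan_host("127.0.0.1", (port,)))
    else:
        for port, (header, is_amt) in scan_host(sys.argv[1]).items():
            print(sys.argv[1], port, "AMT" if is_amt else repr(header))
```

Two notes on reading the result. The MEI device that shows up in lspci on an Intel box is present whether or not AMT is provisioned, so its existence alone is not the finding; a service answering on 16992/16993 is. And a plain-HTTP probe against 16993 will come back empty because that port speaks TLS; wrap the socket with ssl if you want to confirm it the same way.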

  26. Re:OLD Hardware by j0se_p0inter0 · · Score: 1

    Different guy here: I would love to get one of those but they are significantly more expensive (granted the hardware does look very nice, it's probably worth it). I'm tempted to pick up a Libreboot X200 sometime soon, with 8GB RAM and an SSD it should be more than adequate for running a lightweight desktop and doing all the stuff I typically do. The keyboard looks very nice.

  27. Re: Hey Insane RMSDSer, yes YOU! by borknado · · Score: 1

    Your comment shows the basic confusion people like you suffer from, and RMS has a one-liner that encapsulates it perfectly: "The freedom to remove another person's freedom is not a freedom at all, it's tyranny." If your software project's "success" means the loss of freedom for a lot of people, then your project should fail. It's basic ethics and morals. Comcast would post amazing returns to its investors if everyone was forced to use them for broadband... why shouldn't we let them have a monopoly?

  28. Re: Hey Insane RMSDSer, yes YOU! by borknado · · Score: 1

    We probably are close in ideology. But consider this: if RMS was any less of a clever zealot, would the Novell project have failed like it should have? Would Microsoft be playing nice now? Would Linux exist as it does? Would people even have a free C compiler? Do you really want to roll those dice? With the Snowden revelations, and ever new threats to our freedom emerging every day as tech changes, don't we need some unyielding force for libre, so that the middle we end up in is somewhat tolerable, like it is now? I personally use all sorts of proprietary code, and I write proprietary code, but I am glad RMS is doing exactly what he is doing, so that overall I live in a (somewhat) free world of technology. Ugh, imagine if GNU/Linux didn't exist, and all we had were IIS servers! As for Microsoft, remember that the .NET project was originally just another one of their "Embrace/Extend/Extinguish" shticks. Now it can actually do some good because it will simply never be dominant.

  29. Re:I am actually excited about Intel AMT by iamacat · · Score: 1

    Have you ever actually tried to fix an unbootable computer over "simple video chat" with a non-technical person? Hehe.

    I would install a pre-shared key and not give it "govt agencies and hackers". If they have a secret backdoor into TLS or intel hardware, I am screwed anyway.

  30. Re:So... by RockDoctor · · Score: 1

    I make it a smidgen under $400, since I've got bigger hard drives already available. Assuming you're talking about US dollars.

    Say you wanted to spend $750 on a newer laptop, then needed to spend 10 hours researching it and working out how to disable all remote management things and remove proprietary blobs from the firmware. Oh, and add in a modern WIFI chip too. That would be implying that you value your time at ~$35/hour.

    If you value your time more highly than that ... well, it may become worthwhile to look at a solution like this.

    Will a modern (last couple of years) laptop really let you get your work done more rapidly?

    --
    Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  31. Re:So... by RockDoctor · · Score: 1

    Even defense contractors like Boeing use stock computers from large OEMs like Dell.

    I don't know about defence contractors, but I'll be in the offices of an oil major tomorrow lunch time because they wipe the hard drives of all their OEM laptops and re-image them with a heavily customised version of XP, Vista or Win7 with all sorts of weird different networky things. Pain in the arse, but that costs them money - I go into their office for a videoconference meeting (because their laptop won't work on anyone else's network), and they pay a day's day-rate.

    --
    Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"