Slashdot Mirror
Intel x86s Hide Another CPU That Can Take Over Your Machine -- You Can't Audit it (boingboing.net)
A report on BoingBoing, authored by Damien Zammit, claims that recent Intel x86 processors have a secret and power control mechanism implemented into them that runs on a separate chip that nobody is allowed to audit or examine. From the report: When these are eventually compromised, they'll expose all affected systems to nearly unkillable, undetectable rootkit attacks. Further explaining the matter, the author claims that a system with a mainboard and Intel x86 CPU comes with Intel Management Engine (ME), a subsystem composed of a special 32-bit ARC microprocessor that's physically located inside the chipset. It is an "extra general purpose computer." The problem resides in the way this "extra-computer" works. It runs completely out-of-band with the main x86 CPU "meaning that it can function totally independently even when your main CPU is in a low power state like S3 (suspend)." On some chipsets, the firmware running on the ME implements a system called Intel's Active Management Technology (AMT). This is entirely transparent to the operating system, which means that this extra computer can do its job regardless of which operating system is installed and running on the main CPU. From the report: The purpose of AMT is to provide a way to manage computers remotely (this is similar to an older system called "Intelligent Platform Management Interface" or IPMI, but more powerful). To achieve this task, the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system. Update: 06/15 18:54 GMT by M :A reader points out that this "extra computer" could be there to enable low-power functionalities such as quick boot and quality testing.
Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.
Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.
Breaking: A user with AMD-powered computer found happy. More at 11PM.
Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.
Everyone is used to getting their news from social media anyway, so why bother verifying the claims before posting it as news?
-- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
https://libreboot.org/faq/#int...
https://libreboot.org/faq/#amd
Both Intel and AMD had this for years - read above links ...
1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
From the article:
We have no physical separation between the components that we can trust and the untrusted ME components, so we can't even cut them off the mainboard anymore.
Why do you trust the main CPU, if you don't trust the ME chip?
I love AMT. AMT is definitely one feature of the Dell Optiplex small form-factor systems that I like to use for my headless home servers. Its like having a built-in Cyclades serial console server. For running headless systems its almost essential.
The only thing I don't like about it is that you need to have Windows installed to be able to update it as part of the updates released by Dell.
Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.
Uh, the claims are quite true. I've been using these features at work for about a decade to perform remote OS installs and HD re-imaging at remote locations, where the on-site staff only pop in a new blank HD.
All Core i7 CPUs have this in them standard, and many i5's too especially at the higher end.
[PDF] Datasheet on the MEBX management engine:
http://download.intel.com/supp...
[PDF] How to enable and use the AMT active management engine:
http://www.intel.com/content/d...
And here is the SCS software used on another computer to control an AMT enabled computer:
http://www.intel.com/content/w...
RealVNC works with an AMT enabled computer out of the box too and with all the normal features you would expect like remote keyboard/video/mouse control, redirected drives, etc. But isn't a free program.
Other VNC clients seem to be hit or miss but even when they work you only get remote KVM, you'd have to use the built-in AMT web server to configure drive redirection and issue power on/off/reboot commands.
There is a similarly limited VNC client included in the SCS software link above, and a second web browser window will let you do the rest, even if slightly clunky, but still for free.
Intel market cap: $150 Billion
AMD market cap: $3.54 Billion
That is a lot of kiddie gamers........
The plain truth is that Intel spends 4 times as much on R&D as AMD generates in revenue. AMD is a sad joke compared to Intel. They are not peers, hell they arent even really competitors. If they were sodas AMD would be RC Cola, to Intel's Coca-Cola, not Pepsi.
Good-bye
... and guess what, AMD CPUs have an extra ARM core in them, as well as multiple little cores of various architectures attached to the GPU. All running proprietary firmware.
Throwing random little CPUs at problems is nothing new. What makes you think the firmware in your PCIe WiFi card also can't access all main memory and be turned into a rootkit? What about the Embedded Controller on laptops, that runs even when it's off?
Yes, the state of firmware auditability of modern PCs is dismal. It's been like this for at least a decade. Yes, Intel does it one way, AMD does it another way, and just about every other peripheral on your board is also an attack surface. GPU? Dozens of little auxiliary cores (unrelated to the GPU unified shaders); Nvidia or AMD, doesn't matter. That USB 3.0 host controller? Probably runs firmware too. Ethernet? Yup, often has firmware these days. That LSI SAS controller? Full PowerPC core with enough oomph to run Linux itself. Your hard drive? 3 ARM cores, you can make them run Linux too. And all of those things can scribble all over your main memory unless you enable the IOMMU (except the HDD, that one can scribble all over your storage instead).
Sleep tight.
Umm no, they don't. Maybe back in 2000 to around 2008, after Intel went with that netburst shit, but not anymore. Every datacenter I've managed for the last 3 years has almost no AMD gear at all.
If the only goal was simply to provide low-power functionality, the coprocessor would be fully controlled by the operating system (ultimately, by the owner of the machine).
In fact, the main goal is to provide remote administration capabilities (what they call Intel Active Management Technology). In other words, the idea is to allow a remote administrator to take over the machine in a way that is independent of and invisible to the main operating system and processor. This serves a legitimate purpose in an "enterprise" environment (one person administers a large number of diverse machines) -- for example it allows taking back control of a cracked machine, or recovering critical data from memory after OS crashes. However, this feature is not useful for a privately administered single-user machine.
Finally, by definition a remote administration feature is a back door. This one is incredibly dangerous: a rootkit running on the coprocessor is entirely invisible to the operating system, has its own independent network access, and can monitor the disk, the memory and all other peripherals. In principle the remote management features must be activated via the System BIOS and you can set a password there, but really your only measure of safety against this back door is your trust that there are no bugs in Intel's code.
Why isn't Intel allowing you to replace the firmware? Because it's hard to ensure that the owner of the machine is the one initiating the firmware replacement. The real troubling point is that Intel isn't allowing you to disable this feature with a hardware switch. Hardware switches (jumpers on the motherboard) are a way of controlling the system available only to the physical owner of the machine. Having a hardware switch would satisfy both the enterprise and security-concious customers.
AMD is the one that came up with x86-64 which Intel subsequently copied. Has anyone ever used an Itanium?
I'm sure it can be used, just like the rest of the hardware "can be used."
But these things in one form or another have been around for over two decades and everyone who has ever set up real server hardware from scratch knows they're there and their existence has never been a secret. (The closed-source code they run, on the other hand...) It's not even "news" that chipset manufacturers have started to integrate these systems directly into CPUs.
The earliest one of these I remember was called iLOM on a Sun Systems but I'm sure they predate that. Just LOM and ILO are other names I've seen.
Once desktops started to need active runtime heat management, many of them got a "systems management" co-processor that helped with thermal/power control.
Personally I'd be just as worried about whatever firmware is running on the ethernet card these days... which is to say, not very, because there's not much to be done about it, unless you have the reason and time to invest in completely open hardware from top to bottom and the willingness to live within the limitations that might entail. So while I would normally suggest the mildly paranoid just not use the onboard ethernet ports, I can't say I really trust ethernet cards, either.
Also since there are so many gaping holes just staring me in the face in commercial OSes when it comes to (software) VPN and WPA drivers, I figure it'll be a long, long time before I can get around to finessing things down to the metal, if ever.
Someone had to do it.
AMD is a cheap knockoff whose entire design philosophy revolves around avoiding patent and copyright lawsuits from Intel. Its in house technology is extremely inferior. The only good thing they can possibly do for the market now is to completely open up all development resources.
And, let's bring back the alpha chip. It already is superior to Intel. Always has been.
And GODDAMMIT! Where's our 3D printers that can print homemade computers? We were supposed to have that shit 30 years ago.
Really...
Its not like they are the one that made the AMD_64 instruction set that was then in turn licensed to intel...
While its manufacturing technique is inferior that is because the brain-dead executives sold off their fab and they now have to contract with someone else to do it.
As for bringing back ALPHA it may have been superior then they stopped developing it in 2001. Intel/AMD have come a long way in 15 years.
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
This is such overblown pap - the only way to provision Intel AMT / vPro is to either have physical access to the keyboard during reboot, or to have a certificate signed by a trusted provider specifically for provisioning AMT / vPro if you would like to do it over the network. And no, you can't add in your own self-signed nonsense because the CAs that can do this are in the AMT firmware. If you don't get a cert from Verisign / Comodo / etc., the firmware tells you to stick it up your ass and refuses to provision.
Having done manual provisioning, scripted provisioning, and network provisioning in a technology trial for using vPro on a network with ~55,000 PCs spread across the continent, I can say that Intel thought about this "back door" and made it so that you have to go through some extraordinary work in order to use it. And, even then, unless you paid for full-blown vPro on each and every PC, you get access to basically what you could have done with Wake-on-LAN back in the day, with a few extras. With vPro you can do remote control and remote virtual disk mounts, but doing so causes big flashing red and yellow bars on the border of the screen letting a local user know someone's doing it.
Moreover, Intel has been actively marketing this functionality for over 5 years to big business as a way to cut software costs for costly (and shitty) remote control solutions that don't work when the OS is fucked. To think that this is some super secret clandestine operation is complete horseshit.
What an overblown piece of trash this 'article' is.
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
There is actually quite a lot of us because if you were to do a blind A/B test with an FX-8 versus an i5? You wouldn't be able to tell which is which....but your wallet would know the difference.
My FX-8320E when paired with an R9 280 and 16GB of RAM plays all my games with so much bling that I have gotten killed on several occasions because I was too busy gawking at the pretty to notice the enemy coming up behind me, runs very very cool (on air the highest I have ever hit is 122F with all 8 cores slammed doing A/V work) and the whole system, with an SSD and 3TB HDD? Less than $550 after MIR.
When you add to this the fact that AMD has been opening their docs, just as the FOSS community asked them to do, giving massive amounts of code to the community with Vulkan being just one of many, no DRM chips like TPM, oh and you can get their chips for often less than a third an equivalent Intel chip? Its really not a hard choice to make.
ACs don't waste your time replying, your posts are never seen by me.
Exactly so. For years I used to wonder which was more important: hardware or software. It was after the Alpha debacle that I came to understand that neither is very important compared to marketing.
I am sure that there are many other solipsists out there.
AMD64 was a set of completely obvious extensions to the Intel X86 model. Expand the existing 32 bit registers to 64 bit and add 64 bit versions of the existing 32 bit instructions as necessary. Nothing earth shaking or even novel.
Ideas are a dime a dozen. It's the actual implementation that makes a difference in the real world. If the idea were so obvious, you'd think that Intel would have been in a much better position to bet on the new idea, with all their resources.
It's interesting that after about 14 years of AMD64, we are still haunted by x86-32 in many places with closed binary-only software. For instance, Skype on Linux was only released as a 32-bit binary, so you had to maintain all these ugly compatibility libraries. I wonder how much of this is due to the AMD origins of the architecture, and the subsequent slowness of the Intel and Microsoft camp to adopt it.
Escher was the first MC and Giger invented the HR department.
Working at DEC in 1992-3, I never saw anything like that. The Alpha computers I used were exactly like their VAX predecessors except that they ran a whole lot faster. No unreliability, no overheating. Perhaps your experience was running Ultrix, which was always an unhappy compromise - like all proprietary version of Unix.
My assessment, as a 20-year DEC employee, was that Alpha was perhaps the greatest hardware achievement the company ever brought off.
I am sure that there are many other solipsists out there.