Is the 'Secret' Chip In Intel CPUs Really That Dangerous?

New submitter Miche67 writes: A recent Boing Boing blog post by Damien Zammit is stirring up fears, claiming Intel's x86 processors have a secret control mechanism that no one can audit or examine. And because of that, he says it could expose systems to undetectable rootkit attacks that cannot be killed.
Blogger Andy Patrizio, after talking with an Intel spokesperson, says the developer's argument has holes and he doesn't think Zammit will persuade Intel to replace the system with a free, open source option.

So, what we have is an open source crusader scaring the daylights out of people on a giant what-if scenario that even he admits couldn't happen in our lifetimes.

An Intel spokesperson told the publication: While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure. Intel has a defined set of policies and procedures, managed by a dedicated team, to actively monitor and respond to vulnerabilities identified in released products. In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise.

So .. Security by Obscurity.

How nice ... Is there any history about how that has worked before?

Re:So .. Security by Obscurity.

By its very nature, you never hear about the cases where "Security by Obscurity" actually works.

Re:So .. Security by Obscurity.

It is in the "hardware", hardcoded !!!
Once you know its "secret", Intel have to "recall" (as in Toyota) all hardware to replace a "defective" (not trusty anymore) item, not anyone, but the processor.
And some processor are expensive than the rest of the computer systems.
Do you believe it, maybe, that is why the processors are so expensive, to support few "accidental" exposures.

Re:So .. Security by Obscurity.

That is not in any way security by obscurity. Unsurprising that some idiot mods model you up.

Speaking of "model" idiots, feel free to define the word "obscure".

Here, let me do it for you, since you obviously don't fucking get it. They're NOT explaining exactly how the hell they control this, other than claiming there are "mechanisms in place" (which you don't know), to protect the "very secure" system (which you cannot audit), via polices and procedures (which you also don't know and cannot audit).

Doesn't get any more obscure than that. For all we know right now, the "mechanism" is a cleartext password of "12345" until proven otherwise, so knock it off with the bullshit semantics already.

Re:So .. Security by Obscurity.

Are you therefore conceding that this (i.e., the security of Intel's IMEI) cannot work? Because we have heard about it?

Re:So .. Security by Obscurity.

[msauve]

"Is there any history about how that has worked before?"

Sure, FBI sends "National Security Letter" to Intel, demanding they open the door without telling anyone. FBI then has unrestricted access to Intel systems, worldwide, but "no, you can't see the source code, it's secure, we promise."

Re:So .. Security by Obscurity.

Hey, Intel spokesshill says it's A-OK and everything is peachy keen. That's good enough for me! I mean, why would they lie?

The same goes for Windows 10. Microsoft says that it's TOTALLY NOT spyware and that having the computer control what I can and can't do is the best thing for me, so why should I doubt it? I just love it when my computer reboots while I'm busy working! It makes me feel like my computer is a living person and not just a machine for doing work on!

These companies CLEARLY have MY best interests at heart. I just love them so much! Thank you Intel and Microsoft!

Re:So .. Security by Obscurity.

[Pope+Raymond+Lama]

Very relevant video presented at last year's CCC

https://media.ccc.de/v/32c3-73...

The whole model (in)security is thoroughly explained - better than on yesterday' article,
and way, way better than on this so called "rebuttal".

Re:So .. Security by Obscurity.

[arglebargle_xiv]

There's actually a lot of precedent for this sort of thing in the way of ILOM/DRAC/IPMI and similar capabilities. In fact Intel's AMT isn't really news, it's been there for years. A general pattern in all of these systems is the use of crappy old ARM processors, incredibly ancient Linux kernels (2.6.x), unpatched old binaries from God knows where, and coding like it's 1997 (strcpy(), fixed-length buffers, etc). There's lots of material out there on this, e.g. Dan Farmer's take. Oh yeah, and you typically can't disable it, even when you think you've disabled it. My only surprise about all of this is that people are surprised by it.

Re:So .. Security by Obscurity.

[invictusvoyd]

While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure. Intel has a defined set of policies and procedures, managed by a dedicated team, to actively monitor and respond to vulnerabilities identified in released products. In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise.

That "spokesman" did learn this exact paragraph in his management college. Exact. He was told to remember it word by word.

Re: So .. Security by Obscurity.

[ememisya]

Oh but Intel programmers, much like casino software developers, never make mistakes.

Re:So .. Security by Obscurity.

Of course he won't convince Intel to replace it with a free and open source alternative. ... because it's not about your freedom or security.

Read Vernor Vinge's "Rainbow's End" (2006). It's a novel that predicts the introduction of a "Secure Hardware Environment".

SHE (Secure Hardware Environment) - Following the trends of many modern governments to control encryption and other advanced or threatening technologies, the ultimate dream of government is that all computing hardware must be regulated by the government. And this government regulation requires that the lowest level computing infrastructure gives back door access to the government to everything that takes place in computers.

It's a combination of tech companies rent-seeking (not wanting to 'sell' hardware, but license it to you), DRM demands from industry and spying demands from government.

The result is shit like this. This is the future you chose.

Re:So .. Security by Obscurity.

While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure. Intel has a defined set of policies and procedures, managed by a dedicated team, to actively monitor and respond to vulnerabilities identified in released products. In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise.

That "spokesman" did learn this exact paragraph in his management college. Exact. He was told to remember it word by word.

What that spokesman spoke was completely true. It might not fit your view of how things are, but it is how things are.

Re: So .. Security by Obscurity.

You sound like a typical freshman, but by the second year of business school you should be better able to identify the BS in this and similar official statements.

Re:So .. Security by Obscurity.

yea that was like a management combo breaker LOL

Re:So .. Security by Obscurity.

[lsatenstein]

How nice ... Is there any history about how that has worked before?

Microcode update for buggy instructions that are discovered after the chips were distributed. You must notice microcode updates are performed by that second chip.

Re:So .. Security by Obscurity.

[epine]

That "spokesman" did learn this exact paragraph in his management college. Exact. He was told to remember it word by word.

Why bother? You only need the last four words.

should the need arise

Hint, with all those resources and processes available, "need arising" is a major cost center.

Note that it's only the policies and procedures that are "managed by a dedicated team". Everyone else on call when the shit hits the fan—the one true sound of need "arising"—has a real job elsewhere within Intel.

Re:So .. Security by Obscurity.

[sjames]

The old IPMI type BMCs had a lot less control over the platform, They had a connection to a virtual serial port, the power and reset line, and an internal USB connection. Sometimes they could see the video frame buffer. They had their own network interface NOT bridged to the host interface.

If you don't want it, leave the management interface unconnected. If someone gains unauthorized access, they get a console, not a peek into main memory. Before that, the management card was an add-on that plugged into a special socket on the MB.

Re:So .. Security by Obscurity.

[arglebargle_xiv]

If you don't want it, leave the management interface unconnected.

For Ethernet-based ones, that often doesn't help. The LOM subsystem will detect the absence of a connection over the management LAN and switch over to using the data LAN via a portknocking interface or something similar. In other words it'll rootkit your network interface. So you actually have to set up a dummy LAN with enough infrastructure to tarpit the LOM stuff so it doesn't enable comms on the data LAN. And then hope that it remains fooled by your dummy management LAN.

Re:So .. Security by Obscurity.

[sjames]

Like I said, the older ones did **NOT** have a bridge to the main interface. No cable in the management port, no management connectivity.

For the first few years after the (pseudo) bridging was introduced, you really needed to use the management interface anyway as the bridging would cause the main interface to go dead occasionally and need a system reset to recover.

So is this a manufactured clickbait story?

[CajunArson]

So from what I can tell, this entire fiasco is basically some blogger who was clearly ignorant of how enterprise management features that have been present in hardware for *years* having an "OMG YOU TRANSMIT YOUR IP ADDRESS TO THE WORLD EVERY TIME YOU GO TO A WEBSITE!!" moment.

And it wasn't even that original since the same damn hissy fit gets thrown every year or so as memory serves, since this is by no means the first time I've heard the conspiracy theory.

So, either this guy is an idiot (not discounting that at all) or he managed to troll people into generating clicky clicky ad revenue by recycling conspiracy theories. Some of the people being trolled might be willing participants to boot.

Re:So is this a manufactured clickbait story?

[MightyMartian]

The biggest flaw I've heard in some early remote management systems was piss-poor security.

Re:So is this a manufactured clickbait story?

[toonces33]

That sounds about right. As best I can tell from the article they are essentially talking about the kind of stuff you can do from a DRAC/IPMI port. But there is no requirement that you plug in an Ethernet cable into the associated port if you don't want to.

Re:So is this a manufactured clickbait story?

[bersl2]

You're going to make a comparison to IPMI?

Start reading: http://fish2.com/ipmi/

Re:So is this a manufactured clickbait story?

[HiThere]

It appears that you are correct that this "isn't new", but it also appears that the only answer ever received is "trust us". And while this isn't proof that the conspiracy theories are right, it isn't exactly proof that the "conspiracy theories" are wrong.

Re:So is this a manufactured clickbait story?

[mrchaotica]

Not only "trust us," but also "oh, by the way, you have no choice because we've made implementing your own open-source firmware impossible".

Re:So is this a manufactured clickbait story?

[maas15]

So interestingly.... if you start adding the words, it's a Management Engine, made by intel... So it's an Intel Management Engine. So if you had a way of controlling it, that way of controlling it would be an interface...... making it an Intel Management Engine Interface, IPMI. LOL! It is an IPMI device.

Re:So is this a manufactured clickbait story?

[maas15]

Oh wait hm. I guess it doesn't turn into the correct acroynm. It's still just an IPMI device though, Intel is building it into the CPU now.

Re:So is this a manufactured clickbait story?

[Chalnoth]

Still seems to me that it could be a significant concern, if not an immediate concern.

I'd primarily be worried that if a serious vulnerability was discovered, that many systems could retain the vulnerability for many years due to the fact that motherboard BIOSes are frequently not updated for years at a time. Presumably the vulnerability could be mitigated at the OS level, but it still sounds like a potentially worrying source of attack, and I'd feel a lot better if it were made open-source.

Re:So is this a manufactured clickbait story?

No. The blogger was rehashing an old vulnerability in iAMT where DMA malware was loaded and executed on the ME. He then tries to run his own exploit, fails at it, and then claims that since the system is found to be secure and impenetrable it can't be trusted because... reasons.

And further, there is no evidence that this attack surface is as vulnerable as it was in the past. I/OMMU was partly developed as a countermeasure and newer generations of x86 have enhanced attestation, like the author mentions but doesn't trust. Also, i'm sure newer chipsets probably include traffic integrity monitors beyond i/ommu.

Re:So is this a manufactured clickbait story?

[vux984]

As best I can tell from the article they are essentially talking about the kind of stuff you can do from a DRAC/IPMI port.

And yes, don't you think a drac/ipmi functionality that had any exploitable security holes would represent a rather massive security issue?!

I know certainly do. And most PCs that aren't using these features should probably have it off by default, don't you think?

But there is no requirement that you plug in an Ethernet cable into the associated port if you don't want to.

Many boards with it only have ethernet port. Its not necessarily a physically separate port like the ones on my servers.

Re:So is this a manufactured clickbait story?

[cfalcon]

> I guess it doesn't turn into the correct acroynm

If you say "ip-me", then it is an acronym. If you say I-P-M-I then it is an initialism. Which is it?

Re:So is this a manufactured clickbait story?

[toonces33]

The ones that I have used all have a separate ethernet port for the management console. So by default it is off as you need to physically plug in an extra cable (and configure it in the BIOS) before any of this matters.

Show me a machine where you can't disable it in the BIOS, and where it shares the same ethernet port as the main machine, and then I will get a bit more excited.

Re:So is this a manufactured clickbait story?

[Jiro]

All machines since 2008-2009 are "you can't disable it in the BIOS".

Re:So is this a manufactured clickbait story?

[Austerity+Empowers]

So from what I can tell, this entire fiasco is basically some blogger who was clearly ignorant of how enterprise management features that have been present in hardware for *years*

It is true that this is not new. It's not clear to me how many people are aware of it however.

Intel ME has greater capabilities than I think it should have for its purpose. In fact, no one is sure of all its capabilities as it seems we'd discover a new and unexpected one every time we hit a bug (at the time, this was many times daily). It does, however, have a very valid and useful purpose that has a clear place in the world. To some degree we already trust Intel a lot, all of our processing and data goes through their chips. They could do very awful things if that was their intent. What concerns me about Intel ME is that it does not appear to be a closed system, it is somewhat promiscuous and seems like a potential entry point. Last I worked with it (admittedly a few generations ago), it got its code via BIOS boot-rom like everything else, this could easily be co-opted by our favorite far east manufacturers. So whatever Intel's intent, it's not clear that they are in a position to be sure of anything.

Re:So is this a manufactured clickbait story?

[Austerity+Empowers]

talking about the kind of stuff you can do from a DRAC/IPMI port.

As far as I know it was an attempt to remove the dedicated processor that powers DRAC/iLO and relocate it to the Intel Chipset. It is a win for Intel in that it helps Dell and HP relocate management features to Intel chipsets and vendor lock in (cockblocking AMD further), while also removing expensive custom ICs that themselves were often buggy and flakey.

It does have the ability to do some things that those solutions did not have the capability of doing at the time, some of those things are very good (much better power management), some very bad.

Re:So is this a manufactured clickbait story?

[cb88]

In any case... "disable it in the BIOS" is a software switch that just disables documented interfaces it is highly doubtfult that it would disable undocumented backdoors.

Re:So is this a manufactured clickbait story?

On many servers, if you don't have the dedicated IPMI ethernet port plugged into a network when the box is powered on, it will find an ethernet port that IS connected to a network. The port is shared (via MAC filtering, I assume) by both the BMC and the mainboard.

IPMI in the server world is both vital and scary.

Re:So is this a manufactured clickbait story?

[vux984]

and where it shares the same ethernet port as the main machine

Seriously? How about... practically all modern intel PCs. (very very few of which have a dedicated magement port)

"The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current (as of 2015) Intel chipsets."

https://en.wikipedia.org/wiki/...

So if you can find an modern Intel PC with a single ethernet port. It's got it.

where you can't disable it in the BIOS

Disabling AMT in bios, may not actually disable it, it may just disable exposing it as a device to the host operating system. There are *plenty* of posts from people who disabled AMT only to find it was still running, still picking up an address via DHCP, and still manageable via AMT management tools, even while the PC was "off".

In general there generally are ways to disable it; I can't find a cite for a system where it literally couldn't be turned off.

But.. even turning it off isn't reliable.

"A Ring -3 rootkit was demonstrated by Invisible Things Lab for the Q35 chipset. [...] The ME rootkit could be installed regardless of whether the AMT is present or enabled on the system, as the chipset always contains the ARC ME coprocessor. "

https://en.wikipedia.org/wiki/...

So even where AMT was disabled, the co-processor is still physically there and may be reachable/exploitable.

Oh, and i forgot to mention, it works with laptops on wifi too.

"Intel AMT supports wired and wireless networks. For wireless notebooks on battery power, OOB communication is available when the system is awake and connected to the corporate network, even if the OS is down."

I certainly don't think this article does any justice to the situation. But at the same time, the management engine stuff is a giant gaping security hole that does present serious and non-trivial to mitigate risks when exploits are found.

Re:So is this a manufactured clickbait story?

[hairyfeet]

I'm sorry but that article is at least partially FUD, and since part of it is FUD that makes the entire article suspect. it claims, and I quote "The Platform Security Processor (PSP) is built in on all Family 16h + systems (basically anything post-2013), and controls the main x86 core startup." "The PSP is an ARM core with TrustZone technology, built onto the main CPU die."...this is a lie.

The ONLY chips AMD manufactures that have the ARM Trustzone chip is the 4, count 'em, 4, chips built on the Jaguar architecture. If you go to AMD's own website and look up trustzone you'll find the page hasn't even been updated since 2013 and you cannot find a single bit of software in the wild even able to make use of the AMD Trustzone core, its essentially dead silicon. The reason why AMD bought and used trustzone for that particular chip and that chip only is it was a requirement by the console OEMs for the hardware DRM for the Xbone and PS4. The four chips AMD sells to the public with trustzone? Are the Jaguar chips that for one reason or another didn't pass muster for being used in the MCMs they manufacture for the consoles, therefor they sell them as cheap HTPC chips which for that limited role they work quite well.

So I'm sorry but if they can't even get that simple fact right, despite AMD having opened their docs a couple years ago and the die layouts for both the FM2+ and AM3+ chips being available for nearly 4 years? Then I'm afraid their data on Intel is equally suspect.

Re: So is this a manufactured clickbait story?

YRUDMPRK

Re: So is this a manufactured clickbait story?

The biggest flaw that still exists in modern management systems is piss poor security.

It never gets any better. Quickest, dirtiest hack that convinces some career manager that it works is what gets shipped.

Re:So is this a manufactured clickbait story?

[Burz]

If I choose the option in my BIOS to *erase* the ME firmware, does that make it any better?

Re:So is this a manufactured clickbait story?

[vux984]

If your BIOS has that option, I'd think so,

But the coprocessor is still physically there; and the prom space for firmware still writaeble, so the potential for a root-kit to infect the space still exists.

Although at least remote exploit is unlikely; we're now at least talking about a local root privileges exploit to get the new infected firmware loaded; same as any other rootkit... although given it infects the ME firmware, you'd have to re-flash to get rid of it; assuming you managed to detect it.

Re:So is this a manufactured clickbait story?

[Darinbob]

To me, the whole concept of enterprise management is broken. We managed to put a man on the moon without IT goons sniffing around to make sure you weren't using unapproved software. And operating system built into the chip so that you can access it even when it's turned off, just seems bizarre, and to add this to *every* computer is overkill. If there are a few key computers that you need to access even when they're turned off then add extra third party hardware to those computers rather than having it built into the CPU module (and if the computer is that important, just don't turn it off in the first place).

The whole think just seems like a giant grab of power control by the IT groups.

Re:So is this a manufactured clickbait story?

[Darinbob]

while also removing expensive custom ICs that themselves were often buggy and flakey.

And of course, Intel is never buggy and flaky.

Re:So is this a manufactured clickbait story?

It sounds like you're the idiot here CajunAss

Re:So is this a manufactured clickbait story?

[Ungrounded+Lightning]

If I choose the option in my BIOS to *erase* the ME firmware, does that make it any better?

I was under the impression (from some of the sketchy online stuff touting it a few years back) that "erasing" the ME stuff actually consisted of erasing the configuration and returning it to factory settings.

Presuming this is true: Since factory settings consist of it waiting for anybody claiming to be its owner, and having the necessary software tools, to configure it, "erasing" it takes it from only responding to the keys of whomever previously controlled it to responding to anyone at all.

Re:So is this a manufactured clickbait story?

No.

It wouldn't be a problem if I could disable it if desired, like back in the Core 2 days.

The fact that it can't be disabled and can't be blocked by a local firewall screams NSA, US Government, and Security Letter.

The world is waking up to this sort of thing and refusing to buy it (American products). It only hurts America.

It's getting to be like DNA. To be robust you need a mix of parts from many sources, not all from the same inbred (US) gene pool. Maybe even running in parallel and displaying results only if the results agree.

Re:So is this a manufactured clickbait story?

Depends on the implementation. If it sets a boolean flag checked by the remote management CPU when a connection attempt arrives, sure. If it causes the board to physically cut power to the coprocessor (possible for energy efficiency) then no, at least not with a separate backdoor to reenable power.

Re:So is this a manufactured clickbait story?

How about this and this then?

Re:So is this a manufactured clickbait story?

To be fair Intel's stuff has been less buggy and flaky than many other stuff in the IT world. Broadcom, realtek, jmicron, OCZ, etc. Better than average.

When a PC dies it's far less likely that the Intel CPU (or AMD CPU) has failed, but more likely to be other stuff - video card, power supply, HDD, motherboard, RAM, etc.

Re:So is this a manufactured clickbait story?

You forgot to mention the 3G connection that is used on laptops for anti-theft. That's right, anti-theft also runs on the Management Engine (ME) chip - same one that runs AMT.

Re:So is this a manufactured clickbait story?

But the cpu refuse to boot if there is no valid ME firmware (ie signed by intel). So I wonder why there is such a option in your bios.

Re:So is this a manufactured clickbait story?

[sjames]

It makes a great deal of sense in any case where an admin or troubleshooter works remote. Sometimes you need to power cycle and see the serial output (or even video on some management). I can re-install a system, across the country that way, which sure beats having to fly out there to do it.Sometimes a system is only occasionally needed, so it can be powered down most of the time.

It's not a power grab. There's nobody at the site who is qualified diagnose and fix the systems in question, so nobody to grab the power from.

$10 worth of built in hardware easily replaces $100 worth of external hardware that doesn't work as well.

The internal hardware has gotten so cheap that it would cost more to have a second model without it.

As for non-servers, it's a great way to automate boot-up of desktops in the morning just before the employees arrive, or to do backups.

Re:So is this a manufactured clickbait story?

Everything you wrote is incorrect.

• AMD Puts The Opteron A1100 ARM SoC Into Full Production
• Puma (microarchitecture)
• Steamroller (microarchitecture)
• Zen (microarchitecture) [yes, that ARM Cortex-A5 integrated processor is the TrustZone silicon]

This is not a comprehensive list. Where are you getting your information, friend? -PCP

Re:So is this a manufactured clickbait story?

[Burz]

Thinkpads do have this option. I am also using a feature called "anti evil maid" in Qubes OS, which uses the TPM to guard against firmware tampering (you see the test at boot time).

secure 'for now'

It is probably secure 'for now'.

What about in 10 years after the OEM has dropped all support for my computer? Is it still going to be updated and secure?

Re:secure 'for now'

[Anonymous+Brave+Guy]

Well, Intel's view seems to be:

While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure.

I don't know about you, but I'm totally convinced and no longer worried at all.

On a totally unrelated note, does sarcasm work on the Internet?

Re: secure 'for now'

[kenh]

You really plan on running your 10 year-old i5 desktop in 2025?

Re: secure 'for now'

[greenfruitsalad]

yes, absolutely.

Re: secure 'for now'

[Victor_0x53h]

Code always seems to live longer than you expect it to. Particularly for firmware Intel will likely continue using the existing codebase for 10 or more years even as they produce more modern hardware.

Re: secure 'for now'

[poptones]

No, a Beowulf cluster of them!

Re: secure 'for now'

An expensive 3d printer company sent us a PC upgrade for their hardware, probably top of the line 8-10 years ago which runs Windows XP. Hell, I'd bet 100 USD I can walk around the research park here and find a microcontroller debugger, still in use, running windows 2000 with very nearly its original hardware. The company I used to work for ships PC control hardware that is 3 years old now and will continue to do so for at least the next 7 years for procurement contract reasons. And that's not even touching 21 CFR certified systems where companies are loathe to alter and recertify them.

I absolutely expect people to be running 10 year old i5 hardware in 2025. Probably older.

Re: secure 'for now'

Fair enough. What about 5 years? I see post after post after post of people saying they are using *old* hardware.

What about ye ol Best Buy special which they are clearing out of stock?

This laptop is coming up on 5 years. It was EOL last year. Think I would get any support for it?

The only complaint I have about it is the video card.

My dad is using a computer from 2009. He is pretty happy with it.

Hardware has an interesting habit of hanging in there sometimes.

Re: secure 'for now'

[Darinbob]

Why not? Do you think it will self destruct before then?

Re: secure 'for now'

[inode_buddha]

The machine I am typing this on is a Gateway 2000 P4, bought new in 2000.... still does everything just fine. Running a fairly customized slackware (lotta compiling). Will be upgrading eventually because you almost need a dedicated co-processor for javascript nowdays. Otherwise its a still fine SOHO machine. Looking at dual socket 1366 boards (I miss my old SMP boxes)

Re: secure 'for now'

Yes. Actually, I'm typing this on a Core Duo. Not sure what your point is. Obsolescence and continuous hardware improvements are over.

And when...

...someone bypasses those mechanisms? If they can get into the IME, they can put their own code in there and put anything they like in it.

It has backdoor access. Authentication issue?

The chip has the "power" to do many things including take secret control of a system, transfer files, read RAM, anything. No debate on that.

The "debate" is whether security through Intel obscurity (un-auditable unless you work for them) can be trusted FROM NOW ON, without checkups.

If history is any measure...

Sit down civilian

You are protected because we say so. We will make sure you are safe from threats we deem to be dangerous. Also please sign this EULA that says we can share your information with third-parties. Also by accepting this EULA you understand that we will hand over and execute any valid request from a government official.

If it is, buy AMD

K.I.S.S.

Google is a CIA eavesdropping tracking corporation (See Eric Schmidt works at Pentagon) so use DuckDuckGo.

Bing is also a CIA eavesdropping tracking corporation (See Eric Schmidt works at Pentagon) so use DuckDuckGo.

Re:If it is, buy AMD

K.I.S.S.

Google is a CIA eavesdropping tracking corporation (See Eric Schmidt works at Pentagon) so use DuckDuckGo.

Bing is also a CIA eavesdropping tracking corporation (See Eric Schmidt works at Pentagon) so use DuckDuckGo.

http://www.thefullwiki.org/Motives_for_spying

Re:If it is, buy AMD

[Impy+the+Impiuos+Imp]

I'm sure the NSA has surrounded duckduckgo with network spy stuff and knows what goes in and out.

For that matter, duckduckgo's privacy wording doesn't exclude NSA letters.

Re:If it is, buy AMD

No, use StartPage.com and StartMail.com instead. These services are located in Europe and are not susceptible to the U.S. spy-courts, like DuckDuckGo is.

Re:If it is, buy AMD

Just make sure the AMD is from 2012 or earlier.

Re:If it is, buy AMD

I'm sure the NSA has surrounded duckduckgo with network spy stuff and knows what goes in and out.

For that matter, duckduckgo's privacy wording doesn't exclude NSA letters.

You don't get it. Not one person on Earth gives a shit if you type big huge dicks and how to suck them in a search engine.

duckduckgo doesn't have duckduckgo-analytics tracking you on the entirety of the Internet.

duckduckgo doesn't have dstatic or duck catpcha's you have to traverse either.

Google has google-analytics, gstatic, ytimg, and many more. Also facebook.net twitter.net etc.

NSA can read these letters.
http://www.youtube.com/watch?v=phW2cec__Ck

Yes, youtube also tracks you on sites that have nothing to do with Google and they are also Google.

Re:If it is, buy AMD

It doesn't matter if you are searching for hairy cocks in your mouth in a search engine, it matters when it's processed with algorithms and database'd with your Facebook data, financial data, address, SS#'s, medical data, emails, all that.

See this?
https://yro.slashdot.org/comments.pl?sid=9257279&cid=52343119

This reveals what i see as a problem

In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise.

This means that there are people, with the ability to access and modify this. to fix it, or....

Who drives the need?

In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise.

Umm, if Intel is the only holder of the keys to the kingdom, then they get to decide when the need arises. In fact, how much do you want to bet that if someone is nice enough to bring an issue to Intel's attention and Intel decides to take no action that there's a "by the way, if you so much as make a peep about this we'll bury you in an avalanche of DMCA litigation for the rest of your natural life"?

Forgive me if I'm skeptical about this. I think I'd rather have an agreement with Darth Vader. At least he doesn't pretend to be a nice guy.

Re:Who drives the need?

[__aaclcg7560]

I think I'd rather have an agreement with Darth Vader.

Are you sure about that?

https://www.youtube.com/watch?v=jsW9MlYu31g

Re:Who drives the need?

[Immerman]

>if Intel is the only holder of the keys to the kingdom ...mighty big "if" you've got there. Seems to me that it's quite likely that from the moment this functionality was introduced, various three-letter agencies (among others) started trying to get unrestricted access to it. Maybe it's technologically bulletproof, the first such device on the planet. But even if so, you have to ask just how dedicated Intel is to keeping their keys secure. Will they refuse any and all threatening letters from the government? Huge bribes? Mission Impossible style infiltration? Infiltrators planted in the employee pool? Blackmail of individuals with access? Kidnapping and ransom demands?

Given just how insanely powerful those "keys to the kingdom" would be, it seems rather likely that most or all of those tactics have been tried, among many others. And that attempts will continue until every powerful group who wants them has access.

Re:Who drives the need?

[Immerman]

I think that was the point. At least Vader doesn't pretend to be trustworthy in the first place.

Re:Who drives the need?

[Billly+Gates]

Well you could always renegotiate the deal?

Re:Who drives the need?

[evilviper]

how much do you want to bet that if someone is nice enough to bring an issue to Intel's attention and Intel decides to take no action that there's a "by the way, if you so much as make a peep about this we'll bury you in an avalanche of DMCA litigation for the rest of your natural life"?

Right, because there's no way to ANONYMOUSLY post vulnerability information on the internet... Every known bug out there was submitted with the person's legal name and current address.

At some point, reality enters the equation, and you just need to keep your extreme paranoia in-check. Does anybody here have ANY cases they can point to, where AMT was exploited? Wake me when 99% of computer exploits cease to be drive-by phishing, and Linux/FreeBSD/Firefox/etc. cease to have ANY bugs that can be exploited, requiring attackers to escalate to finding hardware bugs.

'secret' = Intel AMT

The 'secret' they are referring to has been known for years as Intel AMT (Active Management Technology), basically it's Intel's own implementation of HP's iLO or Dell's DRAC, you need specialized software to access it, it's password protected, the passwords are encrypted in 256-bit, and their are no known exploits for it.
If people are seriously calling a technology of a CPU that Intel sells as a feature then the person who 'discovered' this knows nothing about technology or Sysadmin practices
case in point: https://www.reddit.com/r/sysadmin/comments/4oiu04/intel_x86_cpus_come_with_a_secret_backdoor_that/

Re: 'secret' = Intel AMT

[Ilgaz]

A government or a huge corporation won't tell anyone if they have cracked this technology.

Re:'secret' = Intel AMT

you need specialized software to access it

And we all know that software can never ever be copied, cloned or reverse-engineered by third parties.

Re:'secret' = Intel AMT

Why can't you turn it off though? Why does the chip turn itself off after half an hour if the ME isn't there? Why does the code HAVE to be active, or the machine doesn't work?

Stop worrying

[JustAnotherOldGuy]

"While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure."

Well alrighty then, I feel so much better now. Because when a technology company says something is "very secure", you can take that to the bank!

Re:Stop worrying

[asackett]

Especially if you're an Eastern European cracker, huh?

Re:Stop worrying

[drinkypoo]

Well alrighty then, I feel so much better now. Because when a technology company says something is "very secure", you can take that to the bank!

What I want is to be secure from an Intel subjected to coercion by a corrupt government.

Re:Stop worrying

If you read the article by the blogger, you would know just how secure it is. He claimed you could inject a rootkit into the firmware, wrote his own firmware, realized he couldn't pass attestation (since firmware needs intel signatures), and then claimed that the attestation security actually made iME *less* secure.

FOSS security idiots are just as annoying as those in the security-through-obscurity camp.

Re:Stop worrying

[evilviper]

What I want is to be secure from an Intel subjected to coercion by a corrupt government.

Then don't give Intel, or the corrupt government in question, access into your LAN.

If the government has to gain physical access to tap into your local network so that they can possibly break into your computer via Intel AMT, well, that's just one small step from physically walking into the building and seizing your computer, anyhow, so why would they even bother with the AMT?

Re:Stop worrying

[drinkypoo]

Then don't give Intel, or the corrupt government in question, access into your LAN.

Malware happens. Malicious hardware can turn a harmless attack into an effective one.

Re:Stop worrying

No need to be derogatory!

Re:Stop worrying

[evilviper]

Malware happens. Malicious hardware can turn a harmless attack into an effective one.

Except AMT malware does NOT happen.

At some point, reality enters the equation, and you just need to keep your extreme paranoia in-check. Does anybody here have ANY cases they can point to, where AMT was exploited? Wake me when 99% of computer exploits cease to be drive-by phishing, and Linux/FreeBSD/Firefox/etc. cease to have ANY bugs that can be exploited, requiring attackers to escalate to finding hardware bugs.

Re:Stop worrying

Just ask Intel to attach a dollar amount to that "very secure". Do they even have the funds to pay millions in damages per found venerability per sold CPU?

Re:Stop worrying

Just ask Intel to attach a dollar amount to that "very secure". Do they even have the funds to pay millions in damages per found venerability per sold CPU?

What on Earth makes you think they don't?
The whole direction of Intel's post FDIV response has been to identify the costs of such failures and so fund the resources to prevent them.

Re:Stop worrying

[cfalcon]

You aren't quite getting it. He wants to run software he trusts and can audit. This used to be possible- you can still run the existing libreboot stuff on older chips. The new chips only run the Intel Mystery Engine code that can't be inspected and could do gods-know-what.

Re:Stop worrying

[cfalcon]

And one more thing- Intel could offer to sign their code for them, or offer a version that is minimal, inspectable, and signed. Or they could not have the chips power off after awhile if they can't see the code running. Intel could solve this for them a bunch of ways.

Re:Stop worrying

In fact, Intel Management Engine being exploited in datacenters is exactly how I first heard about AMT many many years ago.

Re:Stop worrying

[truedfx]

The post you responded to was about damages. If it turns out a vulnerability is found in Intel's CPUs, and you and I are using vulnerable CPUs, will Intel reimburse your and my cost (in part or in full) of patching, upgrading and/or replacing? The point of the post you responded to was if they're so confident the CPUs are "very secure", offering shouldn't do them any harm, and an unwillingness to attach a reasonable amount to that could be an indicator that the CPUs are not as secure as Intel say they are. (Note: I'm not sure yet whether I agree or disagree with that logic.)

Re:Stop worrying

[ebvwfbw]

Don't worry, nobody would guess the password is "Pa$$w0rd".

Odd..

[kenh]

This capability has existed in certain CPU/chipsets since the Intel Core processors were released yet to date no one has successfully 'hacked' into this well-advertised feature...

Did this boing-boing blogger check with anyone that, you know, is fairly current on the Intel platform before exposing this 'incredible' security issue?

Re:Odd..

[barc0001]

> yet to date no one has successfully 'hacked' into this well-advertised feature...

Not that we know of anyway. Generally the really bad guys don't publicize what they've found, they just use it. So who knows? For all we know there might be some cool new ransomware being developed right this instant that will deploy and activate in the next 3 months that locks up most of the Intel systems on the planet.

Re:Odd..

This capability has existed in certain CPU/chipsets since the Intel Core processors were released yet to date no one has successfully 'hacked' into this well-advertised feature...

And Intel can be ordered to do just about anything with it, including for specific targets you'll never ever hear about.

This subsystem has all the hallmarks of a totalitarian security nightmare. Sure, anyone can do pretty much everything anyway, but this is something we know about, which is generalized, and which could easily be stopped (only kept for pro boards, with an hardware jumper, and full firmware sources), if we were not living in an insane society.

Did this boing-boing blogger check with anyone that, you know, is fairly current on the Intel platform before exposing this 'incredible' security issue?

The problem with this subsystem had been well-known from the beginning. The blogger in question may have sensationalized it now, and the Slashdot 'editors' rode with it, but it does not in any way mean no one has been talking about very seriously for a long time.

Re:Odd..

That's the point though. You wouldn't know if someone did.

Re:Odd..

This capability has existed in certain CPU/chipsets since the Intel Core processors were released yet to date no one has successfully 'hacked' into this well-advertised feature...

Intel Active Management Technology - Known vulnerabilities and exploits. Care to revise your position, friend? -PCP

Re:Odd..

to date no one has successfully 'hacked' into this well-advertised feature...

How would you know?
You don't even have the tools capable of telling you if it was...

Re:Odd..

[KiloByte]

Intel has some pretty competent engineers, I do believe that this is secure, and near-impossible to be hacked by anyone who hasn't paid Intel, either in money or in contracts/connections/legislation, especially the last part. Thus, it is certain this whole feature was really lucrative for Intel.

And no, you don't go that far out of your way to make engineering decisions whose only reasonable explanation is to make a backdoor hidden to not actually use it.

Re:Odd..

[KiloByte]

Not in the next 3 months, this backdoor has been there for a decade. And even if you knew the specs of the ME, you need Intel's signing key to put your code there.

Yes

[Opportunist]

Anything I cannot audit, I have to trust. I have no reason to trust Intel. So yes, it is potentially dangerous because I can neither audit nor trust it.

Re: Yes

[kenh]

Then turn it off in the BIOS.

Seriously, this is not a 'secret' function built into the CPau, it is a feature implemented in chipset and controlled by a BIOS setting.

Re: Yes

[mrchaotica]

That's horribly naive. Even if the interface claims that it's "off," there is no proof and no reason whatsoever to trust it.

Trust comes from being able to read the source code (all of it), compile it yourself, and load it on the device. Nothing less.

Re: Yes

[greenfruitsalad]

once again, what guarantee do we have that port knocking won't activate the feature regardless of what's set in bios/uefi?

Re:Yes

You also cannot audit the processor design itself, the millions of proprietary logic gates you have no access to. This is also true on all commercial processors currently available. And if you use an open source processor, are you running it on an FPGA? Can you trust Xilinx and Altera? Are you compiling it with Cadence tools? What's to say you can trust those either?

The quest for trusted platforms is a deep and interesting field of research, because the results are interesting, and especially important when lives may be on the line. However, grousing about this one feature of certain processors misses a far deeper problem: if you want truly trustworthy platforms, you have to start from scratch.

Re: Yes

[Damarkus13]

Can you audit the rest of the CPU? You're already trusting Intel by using any of their chips.

Re:Yes

[NotInHere]

Yeah, the trusting trust problem extends to hardware. Modern computers are so small, you need a computer to build them. But in order to build that computer, you need yet another computer.

Re: Yes

[NotInHere]

That was true for ME versions up to 6.0, but for newer intel hardware, you can't boot a system without ME involvement anymore. Quoting https://libreboot.org/faq/#int... :

ME firmware versions 6.0 and later, which are found on all systems with an Intel Core i3/i5/i7 CPU and a PCH, include "ME Ingition" firmware that performs some hardware initialization and power management. If the ME's boot ROM does not find in the SPI flash memory an ME firmware manifest with a valid Intel signature, the whole PC will shut down after 30 minutes.

Re:Yes

Intel has pushed a lot of code to the linux kernel. The kernel is 17M lines long. Do you know which lines were written by Intel and what they do? If not, you must not trust your linux box that much.

Re: Yes

[Bing+Tsher+E]

What guarantee do you have that the firmware in your DVD rom drive or even the firmware in your hard drive hasn't been reflashed to inject something into the datastream? Thise are undocumented auxilluary processors, too.

Re:Yes

[Cley+Faye]

Hmm. How much of the actual hardware in a system *can* you audit then?
Off-the-shelves stuff is out of question: processors design at the hardware level is not something most of us can access, and I believe they also run some internal software over that, which is not accessible either. Same for the memory controller. *bridges are also out of the question. Mainline GPUs that can peek and poke through PCI, and most other extension cards almost always have some firmware parts that are closed sources.
Granted, there exist completely free and open sources alternatives to most of this stuff, but as seen by the recent compiler issue from microsoft, can you trust the people building the devices to make them up to spec? And them, do they use tools that are 100% certain to not change how things operates?
Sure, if all your hardware is open source and can be somehow 100% certified by yourself to follow the original design, and the OS you run on it is also 100% open source (this one is actually feasible obviously) and you built it yourself, using a compiler you 100% audited yourself, then you can trust everything.
But if not, there is no need to look for a hidden backdoor in the processor; it can as easily run a secret blob on the main CPU without telling the OS and still have access to all the hardware.

Re: Yes

[Opportunist]

So then I have to trust the BIOS to actually do what it claims to do. It shifts the trust issue, but doesn't solve it.

Re: Yes

That's horribly naive. Even if the interface claims that it's "off," there is no proof and no reason whatsoever to trust it.

Trust comes from being able to read the source code (all of it), compile it yourself, and load it on the device. Nothing less.

Where does it end? Reviewing every line of source code that runs both your hardware and software?

Re:Yes

[Opportunist]

What you can do here is audit at the interface. This can be quite taxing but it is at least possible. In the end, different hardware elements still have to communicate with each other and they have to rely on documented interface specs for this, and here is where you can insert the crowbar. Yes, that can entail creating your own hardware to take a "man in the middle" kind of approach when the communication is harder to decipher. Whether you really want to invest this much into your audit is up to you, but at least it's doable.

Not so much luck if you're dealing with structures that are integrated. Doing an audit for a mainboard and its substructures is already quite difficult and requires a good deal of equipment that most people might not want to spend the money for, but it's at least still doable. Auditing the insides of a modern CPU, though, is something that is outside of my reach at least.

Re: Yes

[Kjella]

That's horribly naive. Even if the interface claims that it's "off," there is no proof and no reason whatsoever to trust it. Trust comes from being able to read the source code (all of it), compile it yourself, and load it on the device. Nothing less.

Without the hardware schematics and someone who can verify them there's no way to know what the hardware really does no matter what software you load on it. For example say there's a secret 1kB buffer that'll store the last 32 AES256 or 64 AES128 keys you've used with AES-NI, totally invisible. If you place the right 256-bit magic value in registers R12-R15 and call RDRAND, instead of doing its usual thing then and only then will it dump the keys out to you as "random" bits XOR'd with a second secret value. You can verify the source all day, you can audit the system in production, you can search for the keys popping up in memory and you'll find nothing.

Re: Yes

Trust comes from being able to read the source code (all of it), compile it yourself, and load it on the device. Nothing less.

You know what? You're right!

Now if you'll excuse me, my weekend plans are to X-ray my laptop, disassemble my CPU, and read through the software for accessing the USB controller. I'm sure you understand.

Re: Yes

[danceswithtrees]

It's worse than that. Even having the complete source code offers incomplete protection unless you are sure of your entire build toolchain. See Ken Thompson's hack: http://c2.com/cgi/wiki?TheKenT...

If you extend this to hardware, that's a whole nother layer to the crazyness.

Re:Yes

[coldie]

Um... you understand that Intel CPUs themselves have updatable micro-code, right? And there are a host of other processors in you computer you have no access or ability to audit? (GPU, SATA disk, SATA controller,DVD drive, potentially USB controller, heck if you have a PS2 keyboard port, there's a small processor there...) The idea of "auditing" a modern system is impossible.

Re: Yes

SOMETIMES. Mostly not. That's an extensible framework the CPU has access to, not EVERYTHING.

Re: Yes

what if there's a compiler backdoor?

Re:Yes

[muridae]

Let's audit our system, then. First, we need to audit the CPU . . . oh, wait, do you have a tunneling electron microscope, cause I don't and we need to be sure that the actual die matches the supposed schematics. So we'll have to buy 10 CPUs from different locations, and analyse 9 of them to trust the 10th one. Yeah, the AMT is in there, but you have to get that first part of the audit done first.

Now, assuming you've gotten that far, and are willing to postpone auditing the AMT for now, it's time to audit the Z170, X99, or whatever chipset you are running. Should buy several motherboards with your desired chipset, just to be sure the motherboard companies are all using the same chips, and that they are all authentic Intel Z170, B170, X99, whatevers; you'll need the VHDL or schematics here, too.

Wow, we're finally out of the motherboard and CPU combination, that's probably taken a few years off our collective lives. Time to audit the USB chip, cause it does have interrupt access to the CPU and even with all the VHDL/Verilog/Schematics there could be one of those hidden register tricks like Kjella mentioned, so we'll need to make sure that it's behaving as it should and not feeding in bad bits. Then over to the HDs, because sprite_tm showed that you could bury some malware into the drive controller and the Equation Group software has been found in those. Wouldn't want one of those chips to go un-audited.

And we have even gotten to the sound chips, the graphics cards or, oh gods, the ethernet/wifi chips. Those bastard internet I/O chips, who knows what kinds of back doors are lodged in those. For all we know, there could be a port knock code in the Intel Gigabit Ethernet chips that causes it to log all HTTPS traffic and send it out over a side channel (do the ethernet chips still have SSL accelerators, or is that a thing of the past? It plays for hyperbole, but I'm not sure where in the hardware the HTTPS decoding gets done anymore).

Seriously, have you audited any of the parts of your computer? Have you read reports from anyone else who has done any auditing? Or is this just a plea for karma? Because you don't sound informative, you sound uninformed. Every chip in your system has to be trusted, and I doubt you have attempted to audit any of them or any of the software or firmware involved either. Even with the code in hand, the long process of determining "which compiler and flags were used to build the TrueCrypt software for windows" experiment a few years ago would show you how you could have all the parts available and still have a hard time proving that the device or software you have came through a trusted source (they did eventually find the flags that built TrueCrypt and the version of MSVC used, but it took a while). That assumes that, for software, the compiler you and your provider use is not backdoored itself. Thompson's "Reflections On Trusting Trust" shows that even if you have the compiler source code, and the code for the project you want to build, and the compiler bootstrap executable, you still can't be sure that it's all "audited safe and clear".

So, there you have it. Yes, you have to trust, because it is literally outside yours, or mine, or damn near anyones to audit every system configuration out there to ensure that everyone and every device is safe. You don't trust Intel, fine. You shouldn't trust AMD, either, for the same reason. And you probably shouldn't trust SlashdotMedia, so until you can audit all of the possible data that you might get sent from the web, you might just want to disconnect from the internet. You know, to be safe from that "potential danger".

Re: Yes

[cfalcon]

The thing is, yours and the other examples of subsystems are just that- subsystems. They don't represent the same potential for disaster that something inside every intel chip does. If your DVD has an exploit by accident or a backdoor on purpose, the odds are really good that mine doesn't, and vice versa.

Re:Yes

[rew]

You are entirely correct that "audit at the interface" is a good idea. The problem here is that the interface is hidden inside the CPU. And the "interface" is undisclosed. What if there is a broadcast packet that, when the PC is off, puts the ME into slave mode? Yea, come out of powerdown, do NOT enable video (keep the monitor blanked), send the harddisk contents to NSA...
You can "see it happening" at the network interface (third meaning of that word) when it happens, but there might be a cryptographically secure way of preventing you from finding/probing that packet. In this case I mean with cryptographically secure that it is unfeasible to find it by brute force. Not that you can't see it come by on the net if it happens while you're looking. For such a feature: "all ME's report NOW" you can't have individually encrypted codes. So it would work for every one, e.g. a statiic say 256bit random password would be an example.

Anyway, This ME is embedded deep enough that it is difficult to probe at the interfaces. (you can't cut the trace that connects it to the rest of the system so that you can be sure it is turned off), and it has enough access to be able to do serious harm....

For example: Say the NSA secretly downloads your whole harddisk. But... you say: it's encrypted, don't worry! The ME has enough access that, when under control of "bad guys", it can halt your CPU just as it has obtained the key to your harddrive. Next time you boot the PC a mysterious packet flies off to some remote IP address...

Re: Yes

In Intel systems, yes, it's on the motherboard, but the BIOS switch does not control it, it may "unprovision" it. In AMD systems, the functionality is inside the actual CPU.

Re: Yes

[KiloByte]

The ME has complete control of your network card, making delivering a secret payload both easier to do and harder to find than anything which uses the main CPU.

Re: Yes

[PPH]

you can't boot a system without ME involvement anymore.

the whole PC will shut down after 30 minutes.

Umm, it appears you can get up and running for 30 minutes. Which should be long enough for you to fetch the firmware Intel expects and install it. So this appears to be a big 'fuck you' to anyone who tries to bypass the ME functions in that firmware.

Security by obscurity works quite well.

Obscurity is a perfectly acceptable security tool. We use it all of the time, in fact.

Any password used to authenticate with an online service is an instance of security by obscurity.

Any private key used to encrypt data is an instance of security by obscurity.

The PIN used when paying with plastic payment cards is an instance of security by obscurity.

The swipe gesture used to unlock a smart phone is an instance of security by obscurity.

The physical key you use to lock and unlock your home's door, or your vehicle's door, or the chastity device your wife makes you wear is an instance of security by obscurity.

Like most security tools, it shouldn't be used by itself, of course. But it's an essential part of many routine security activities that we likely all partake in on a daily basis.

Re:Security by obscurity works quite well.

[Anonymous+Brave+Guy]

The term "security through obscurity" normally refers to the method being secret, not to secret information used to authenticate an actor within the system. More specifically, it normally refers to relying on the method being secret to make discovery of a vulnerability more difficult, rather than actually fixing the vulnerability. Clearly this is bad if an adversary becomes aware of that vulnerability anyway.

Re:Security by obscurity works quite well.

You logic. It makes sense and everything, but fails to address how it can induce disdain or rage.

captcha: backlash

Re:Security by obscurity works quite well.

[bws111]

No, the term security by obscurity means that the method MUST be a secret, because that secret is the only thing providing security. It is entirely possible, and quite normal, to have a security system which does not REQUIRE the method to remain secret, yet still not disclose what that method is. That is NOT security by obscurity, it is additional security by obscurity, and is in no way a bad thing.

Not disclosing the method sucks from an auditability standpoint, but in no way means that the actual security is provided by obscurity.

Re:Security by obscurity works quite well.

Your argument is a typical one that we see from people who, for whatever reason, have an irrational vendetta against the legitimate, useful and successful technique of security by obscurity.

You start playing games with definitions, trying to weasel your way into a situation where you don't have to admit that security through obscurity is a legitimate, useful and successful security technique.

Security by obscurity is, as the name implies, the use of obscurity as a tool to obtain security. It's as simple as that. Yes, that includes keeping methods secret, but it also includes the use of passwords, PINs, private keys, and other information that is withheld from adversaries.

But to give you credit, at least your argument isn't as asinine as those who say that it's wrong to use ssh passwords, yet they present private keys (which are nothing more than lengthy passwords!) as a better alternative.

Re:Security by obscurity works quite well.

No, the term security by obscurity means that the method MUST be a secret, because that secret is the only thing providing security.

I didn't think the definition was so restrictive. Either way, providing some security by obscurity to things you actually sell is probably going to continue to happen, almost by necessity. Having physical possession of something and plenty of time does open up a great many possibilities. That being said, you'd ideally like everything to remain unbreakable, even if all the engineering documents and notes are released. Such a release is bound to not help the devices security, though it may lead to the next device being more secure.

Personally I'm impressed with Apple's apparent security on their phones. Sure they have to nuke the key if the try count gets too high, but it seems to be working.

So in short, it is not in itself a bad thing to not release security relevant details if we are talking about one device in one point in time. Of course with software, releasing the details can lead to security problems being fixed in the next version of the software. Also, pure software does not have the same vulnerabilities that someone with physical possession of the hardware can attempt to attack.

Out of curiosity, would anyone want apple, google, and Intel to release all those details? If something was found it would be very bad, and it is not as if those three don't have the resources to outdo anything the average open source community could manage. Then again, if they were released we might trust their chips and such more, though whose to say, that the places that actually fab the chips aren't adding a little extra?

Re:Security by obscurity works quite well.

[Anonymous+Brave+Guy]

"Security through obscurity" is a term of art, a quick way of referring to a useful concept that anyone who works in the field understands. That meaning is surely also what the OP was referring in their post. Perhaps you weren't familiar with it, but every professional or academic working on IT security will be.

Security through obscurity is not a particularly successful technique and never has been, as you can tell from the vast number of published exploits against systems that were not actually secure based on vulnerabilities that were discovered despite their obscurity.

By the way, the point of private keys isn't (just) that they are longer than passwords, though that is a significant practical benefit. Authentication using public-private key pairs is also asymmetric: someone possessing the public key can verify that someone they are talking to, for example someone requesting SSH access to a server, is in possession of the corresponding private key without the private key ever being disclosed. This is qualitatively different to typical password-based authentication, where someone logging in to the server does actually send their full password to the server's SSH daemon (encrypted, obviously), even if further processing is then based on some derived hash value.

Re:Security by obscurity works quite well.

[Anonymous+Brave+Guy]

How is that fundamentally different to what I wrote before? I think we're making the same point, even if we used slightly different words to do it.

Re:Security by obscurity works quite well.

[PatientZero]

[I]t normally refers to relying on the method being secret to make discovery of a vulnerability more difficult.

No, the term security by obscurity means that the method MUST be a secret, because that secret is the only thing providing security.

I'd argue that you're actually agreeing here. MUST versus relying. It's the GOP's claim that the password, private key, PIN, gesture, one time pad, etc. determines the system's obscurity—not the method itself—that you're both disagreeing with, and rightfully so.

"Security through obscurity" has a very specific meaning that the GOP is trying to invalidate by claiming that every method that requires a secret is obscure. They are trying to equate a system that uses a 2048-bit public/private key pair with one that uses a single digit "password" because they both contain a secret, and are thus equal in strength. Utter nonsense.

Re:Security by obscurity works quite well.

[Trongy]

The term security by obscurity does not refer to any system that relies on secrecy - it refers to schemes that are flawed by being trivially easy to compromise once a secret is revealed.

Requiring a key to unlock a door is not security by obscurity, even though the pattern of the key is the secret.
Hiding the key under the doormat is security by obscurity.

Re:Security by obscurity works quite well.

[AK+Marc]

When the method is secret, one should assume security through obscurity until proven otherwise. You are assuming security until proven otherwise, which is the wrong assumption.

Re:Security by obscurity works quite well.

[AK+Marc]

Obscurity is a perfectly acceptable security tool.

No, it is not. Your key being blank #23 and key pattern 8442332 isn't "obscurity". But the spare key being kept under a rock by the back door is.

Re:Security by obscurity works quite well.

[Anonymous+Brave+Guy]

I agree with your examples, but I think your first sentence is inconsistent. If a system becomes trivially easy to compromise only once a secret is revealed then self-evidently that system does rely on secrecy for its security.

Re:Security by obscurity works quite well.

No, you still don't understand.

Let's say the key in both systems was compromised and you generated a new key. Which system is still secure?

If the key itself was the secret, then you are secure.
If the method itself is flawed, you are still insecure... I'll look under the doormat and immediately have the new key you generated.

Sure the key design itself is a secret, but it's the *main secret* with no shortcut to solving it. It takes many more tries to fabricate all possible keys where as it always takes exactly one try to look under the mat. That shortcut is why it's obscurity. Searching all possible keys means that brute force is the only way to find an answer and generally that means a system is secure as there are not shortcuts to the answer.

Hopefully you got it now.

Re:Security by obscurity works quite well.

Right. And if the rock isn't by the back door but is in another part of the city on a completely unrelated property and the key has no identifying marks.... in other words, really obscure.... then the security might be pretty damn good.

For low value targets it might be all that is needed. Like the janitor supply closet... you might get away with hiding the supply of toilet paper behind the cabinet in the janitor closet and never have anyone run off with a case.

For high value targets that might have motivated attackers, relying on really, really obscure probably is a really, really bad idea. But as one layer in an otherwise tough, multilayered security scheme?

Re:Security by obscurity works quite well.

[Anonymous+Brave+Guy]

Given that I've been working in this field on and off for multiple decades, I'm reasonably sure I understand one of the most basic principles, thanks. And yes, I would agree with your example there.

Since posting earlier, I'm wondering whether I just parsed Trongy's post differently to how it was meant. If the intended point was that there exist systems that rely on secrecy but are not examples of security through obscurity, I would have agreed with that, too.

Re:Security by obscurity works quite well.

[TechyImmigrant]

Security through obscurity is not a particularly successful technique and never has been, as you can tell from the vast number of published exploits against systems that were not actually secure based on vulnerabilities that were discovered despite their obscurity.

Security through obscurity is essential in a lot situations and is highly sucessful, particularly in the systems that don't end up in a paper at some CHES conference.

Undersirable as DRM might be, it by definition is security through obscurity because everything needed to break the DRM is in the hands of the owner of the device. If there's a key, it's in the box and you need to obscure it.

Side channel protections are often security through obscurity. Again everything is in the device and is observable. Methods of obscurity are the primary methods of side channel mitigations in hardware. It's not (necessarily) some weakly thought out practice. You can reason about the properties of your obfuscation in practical terms of things like the equipment needed, or amount of data needed for Bayesian statistics to have any power.

The chip in your credit card engages in obfuscation practices that are well developed but generally inadequate anyway because there's real money involved and governments and criminal enterprises are willing to invest in overcoming card security mechanisms.

Pointing to the systems that failed is confirmation bias. There are many obfuscation based security mechanisms, particularly in silicon, that have stood the test of time.

Re:Security by obscurity works quite well.

[TechyImmigrant]

Obscurity is a perfectly acceptable security tool.

No, it is not. Your key being blank #23 and key pattern 8442332 isn't "obscurity". But the spare key being kept under a rock by the back door is.

Yes it is. Pointing out a bad example doesn't mean there aren't good obfuscation techniques.

Re:Security by obscurity works quite well.

[AK+Marc]

No, there aren't. Steganography may be better. You won't know to look unless you know to look, but that's not going to keep it safe if anyone bothers to look. Same as a key under a rock.

Re:Security by obscurity works quite well.

[AK+Marc]

For high value targets that might have motivated attackers, relying on really, really obscure probably is a really, really bad idea. But as one layer in an otherwise tough, multilayered security scheme?

It's no better than going from DES to double DES. 56 key length equivalent to 57 key length equivalent. Is it better? Yes. But it's not even worth the trouble of implementing it. I know more than one person that keeps their keys in their car, and the car unlocked, because nobody would expect that.

Re: Security by obscurity works quite well.

"Security is pretty damn good"
Until someone sees you pick up the key and curiosly follows you.

Re:Security by obscurity works quite well.

The GOP? What do the Republicans have to do with this?

Re:Security by obscurity works quite well.

[Bengie]

If you have a system in which you cannot create a new key, then it doesn't matter if the method or the key get compromised, the end result is the same.

Re:Security by obscurity works quite well.

[TechyImmigrant]

A better analogy. A key under a 10 ton rock. You know the lifting capacity of a sucessful adversary. It's still obfuscation. But it has well defined properties.

Security of Things

Does obscurity also protects the hidden chip from Secret Warrants and similar things?

So let intel insure it

[joe_frisch]

If they are confident of their security, they ought to be able to get Lloyds to insure users against any break-ins or damages at the few X 100B$ level. Oh, maybe they can't convince Lloyds that it is *that* secure?

One thing that Snowdon taught us is that even the NSA cannot protect secrets. And yes, you can fault the entire program because of a single slip up.

Halt and catch fire?

Intel has a defined set of policies and procedures, managed by a dedicated team, to actively monitor and respond to vulnerabilities identified in released products. In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise.

Are they revealing they can turn their "secret chip" off remotely? Or perhaps even nuke the whole CPU?

If that would be the case, I guess some hardware hackers are going to have a field day.

Re:Halt and catch fire?

[TechyImmigrant]

Intel has a defined set of policies and procedures, managed by a dedicated team, to actively monitor and respond to vulnerabilities identified in released products. In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise.

Are they revealing they can turn their "secret chip" off remotely? Or perhaps even nuke the whole CPU?

If that would be the case, I guess some hardware hackers are going to have a field day.

Nope. If an Intel engineer rolls up to your house, breaks in and attaches a probe to your motherboard you should probably ask what the hell he or she is doing.

Re:Halt and catch fire?

[Ungrounded+Lightning]

Nope. If an Intel engineer rolls up to your house, breaks in and attaches a probe to your motherboard you should probably ask what the hell he or she is doing.

How about if they park down the block and turn on a WiFi Access Point?

How about if they just send you some packets over the internet?

How about if the machine, once connected to the net, "phones home", bypassing NAT and most firewalls?

These are all functions of Intel AMT that are ADVERTIZED AS FEATURES.

Re:Halt and catch fire?

[cfalcon]

> How about if the machine, once connected to the net, "phones home", bypassing NAT and most firewalls?

We'd see this. This is not a concern.

> How about if they just send you some packets over the internet?

A possible exploit or backdoor could be triggered this way. The workaround would be a really aggro firewall, but even then you'd have to be sure you were running it on something auditable if this was your concern.

Re:Halt and catch fire?

[Ungrounded+Lightning]

How about if the machine, once connected to the net, "phones home", bypassing NAT and most firewalls?

We'd see this. This is not a concern.

ORLY?

How would you see it? Are you logigng every outgoing packet and watching the logs for it? How would you know what to watch for? How would you differentiate it from any other encrypted connection (such as all that https: traffic your browser generates whenever you use it)?

We know the feature is there. They ADVERTISE and SELL tools to use it to their corporate customers.

Re:Halt and catch fire?

[cfalcon]

> ORLY?

YARLY

> Are you logigng every outgoing packet and watching the logs for it?

Not at the moment, but someone is. I've certainly spent some time watching all the goddamned traffic at times. Most importantly, many high value machines are behind aggressive firewalls that would default deny this, and log it. Someone would have seen it, and even if it was hidden well enough, it would assuredly be blocked from many critical machines, greatly reduces the risk of such a backdoor.

But seriously yes, someone would have seen it long before now.

>How would you differentiate it from any other encrypted connection

It would be the one going to a place that makes no fucking sense. Many machines are hooked to firewalls configured to only allow certain packets- if these guys randomly pooped out some exploit packet, it would have been noticed. In commercially sensitive environments and military environments, the logging can be utterly complete, with anomalies explained.

This really isn't a concern. You may not be looking, but you could. Someone is always looking though, packets can't be hidden. Blessedly.

> We know the feature is there. They ADVERTISE and SELL tools to use it to their corporate customers.

Right, but the advertised feature is not the concern. You can turn it off (fuck, it's usually off, you have to browse forums and shit to turn it on), and you can trivially block all the packets in question. The concern would be that, inside it is a backdoor or bug. That's a valid concern, but not the one about every computer periodically checking into a command and control sever. If you were looking to hide something, it would have some special packet that, if seen, triggers the backdoor.

Secure

If you can't audit the chose, it's not secure.

End of story.

Re: Secure

Code not chose

who has the RSA private key?

[lkcl]

there is some empirical evidence - nothing concrete that can be shared publicly - which tends to suggest that the RSA private key that Intel uses is already known and in use. if nothing else, you should not be reassured that there have been no "gagging orders" that come out of the U.S. Government on a regular basis, preventing and prohibiting companies from telling anyone that "yes we have had the NSA knocking on our door and yes we were forced to give them the RSA private key because otherwise they threatened that whoops, it would be really hard to get export licenses for our processors".

this kind of threat by security services is not outside the realm of possibility: it already happens, and i have met someone who was present at a meeting (with GCHQ) in which this type of threat to destabilise their business model was actually made.

there is a really simple solution, here: don't buy systems with intel processors. that assumes of course that people are making systems for sale that don't have intel processors... and that's exactly what i'm doing. i'm not one for complaining *without* actually doing something about it, so if you'd like to sign up for the crowdfunding campaign which will launch very shortly, you can do so here - http://crowdsupply.com/eoma68

Re:who has the RSA private key?

people are making systems for sale that don't have intel processors... and that's exactly what i'm doing. i'm not one for complaining *without* actually doing something about it

... Because you expect us to believe that Allwinner wouldn't obey the Chinese-government equivalent of a National Security Letter?

Re:who has the RSA private key?

>... Because you expect us to believe that Allwinner wouldn't obey the Chinese-government equivalent of a National Security Letter?

Maybe, but there *is* no AMT on it. You can't exploit what isn't there.

Re:who has the RSA private key?

[Keybounce]

there is a really simple solution, here: don't buy systems with intel processors.

The problem is, after reading about LibReboot, that AMD chips have essentially the identical issue.

Really curious: Apparently, modern intel chips cannot even work without loading microcode patches at startup; at least AMD chips aren't that buggy (they don't need microcode patches to run).

"scaring the daylights out of people..."

[turkeydance]

"on a giant what-if scenario that even he admits couldn't happen in our lifetimes." AGW.

don't be evil?

[Idisagree]

So basically they built in an backdoor into every modern intel CPU that is secured by technology they protect through obscurity.

What could possibly go wrong? /s

IME is defective by design

[WaffleMonster]

AMT allows anyone who can broadcast DHCP and legitimately purchase a certificate from a CA to own your system while if it isn't even turned on.

If there is a defect (as if the above isn't bad enough) they won't bother to fix their bugs once they have decided your hardware is no longer worth their time to support... same as IPMI vendors and all the rest.

Even when you turn off "AMT" in bios if you are lucky enough to even have that option which I do not... it is STILL there listening. The only way I've found to limit this unnecessary and unwanted system within a system madness is to disable the hardware virtualization feature which prevents sharing of hardware with IME and operating system.

Re:IME is defective by design

[freeze128]

Or you could just disable your PC's on-board ethernet port in the BIOS, and add a 3COM ethernet card and use that instead. Won't the IME be surprised when it cannot control another company's hardware!

Re:IME is defective by design

The second option sounds tempting, but if the chip has direct access to the host's memory, why wouldn't it be able to just use the addon network card? I like the idea that disabling VT-X somehow stops AMT from accessing the host's memory. Where could I read about it?

Ho-hum.

[dtmos]

If this latest revelation scares you, you'll go apoplectic to discover that this is SOP in IC design. Just about every IC more complicated than a 555 timer, from processors to Wi-Fi chips to you-name-it, has internal processors controlling substantially every part of their operation. It's a common technique to control every block one designs with an embedded core and a bit of code (in RAM, so that one could adjust the operation of the block after the design came back from fab by reloading RAM), making an easy-to-design programmable state machine. One ends up with a dozen or more cores in each chip design. Often there is one core programmed to run the top level of the design, controlling the warmup and warmdown procedures, reboot sequence, etc.

Move along, nothing to see here.

Re:Ho-hum.

While it's true that any device with DMA access can potentially send your data to the internet, the AMT is designed directly for this purpose, is built into the machine for no other reason, and cannot be disabled. At least, if I suspected my SSD's internal software for spying on me, I might be able to disconnect it from my machine and use another hard drive. Here, there's no such option because it's part of the motherboard chipset (Intel) or part of the CPU (AMD).

An Intel spokesperson told the publication

[twistedcubic]

While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure.

I almost fell out of my chair laughing when I saw this.

Re:An Intel spokesperson told the publication

[cjmnews]

I guess you read the book on it too? Platform Embedded Security Technology Revealed: Safeguarding the Future of Computing with Intel Embedded Security and Management Engine

Brief answer

[Improv]

No. Obviously not and the guy stirring up trouble is either underinformed or irresponsible.

Most of the hardware in your computer isn't something you get (or could get) a gate diagram from. You'd never know if something is in there that theoretically could be triggered to do something. That's the way hardware is. This guy is fussing over a publicly known feature that people are using in the enterprise to manage systems en masse. It doesn't open some magic wormhole to the control system - it requires a clear path of access and a setup and all that fun stuff. Meaning if you want to use IME, you need to set it up on all the systems for your network environment and debug it and build tooling around it. It's not fun to get that stuff right, and often not that easy.

It's not impossible that there's a backdoor in IME, but it's just as easy to imagine a backdoor anywhere else in your system. It's hard to imagine how one could ever be confident that that's not the case. So the focus and the anger is misaimed.

Re:Brief answer

[joe_frisch]

Most other hardware doesn't have the external and CPU interfaces. A disk driver probably cannot do anything very useful with the data it sees if you use disk encryption. It can't read the data and probably doesn't have external network access.

This management system by design has low level access to the CPU and external interfaces. It is potentially a much more capable hacking tool.

Its not easy to think of a reason that there is not a local hardware disable since the management capabilities are not needed by a substantial number of users.

If Intel knows how to access the chip, presumably they can be ordered to do so by the government, making this a universal back door.

Intel workaround divined (2 chickens and goat guts

[swschrad]

1) carefully break hermetic seal of chip case in 0.15 micron clean room.
2) locate IME section on silicon under 300x microscope per diagram {secret}
3) using polygraphene pen under robotic control, connect IME die {secret} to {secret}.
4) hermetically evacuate clean room to -300 torr
5) reseal hermit chip case using {secret}

6) PROFIT!!

stinks of a back door

You can use FUD et al to entice them, but why would they otherwise open source it? They are under absolutely no obligation to do so, as you are under no obligation to trust them. If you don't, use another product from another vendor.

That said, all FUD aside, it is really bad judgement on intel's side to have this enabled by default (with many vendors using Intel's defaults without consideration), and then push the "drivers" so aggressively to users who have no idea what this is and that motherboard driver software includes all this crap.

Re:stinks of a back door

This kind of technology would be somewhat okay in a workstation/server enterprise setting. Why the hell do we need it on consumer machines, except to spy on the general public? Anyone remember the serial number instruction CPUID fiasco, Intel's initial attempt to help track users?

Nothing to see here; move along.

[fahrbot-bot]

While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure. ,,, there are mechanisms in place to address vulnerabilities should the need arise.

Perhaps true, but this kind of talk makes my ass twitch.

" it is very secure" - see case closed!

[michaelcole]

An Intel spokesperson told the publication: "it is very secure"
Well then, case closed!
I guess we just need to *ask* these sites if they're secure, and we'll stop leaking everyone's password.

Always trying to lower the TC0??

[laurencetux]

take that to the bank you are hitting to get an "unlisted" account from??

historically speaking

everything related with secrecy in history of human civilization leaded to trouble. get a book hipster, your glasses are for reading, not to suck baby dicks.

Probably clickbait, real problem

I haven't followed the ruckus because it broke on one of those two-dot-oh web-o-rhea blogs I don't care to read, just like I don't care to read any "research" or other half-assed blogs from "computer security" companies. So it may well have clickbait-y hype qualities. However, that itself does not mean there is no problem. I would contend that there is a problem, it's been there for years, and it's getting worse.

That "enterprise management features" have for years done things this way (since ~2009 and ~2011 for intel and amd, respectively) does not mean that this is the right way to manage machines. We have had plenty of stories previously where people infected all sorts of things beyond the os, including bios, nic boot roms, you name it. Signing the boot ("secure boot") doesn't actually help either (but does conveniently take away control from the end-user). If you're sufficiently nefarious there will probably be some way to totally "pwn" any given machine. We have seen very shady things come by, including the still unresolved thing with the inaudible tone networking.

In particular to this here thing is that there's indeed a chip in the southbridge that runs a complete OS, and this does pretty much what a "lights-out-management" add-on card does. Those run their own embedded OS, hard to update, poorly audited, and "pwnable". Now the same thing sits in the south bridge. Can't turn it off, for if you try it'll shut down the entire system. So yes, this is problematic for a raft of reasons already.

On top of that, I've seen reports of the same system board from the same manufacturer, but manufactured in different countries (one engineering sample, the other production) look the same, show the same content of their firmware flash, but behave differently. Differences that went away with re-flashing. Meaning that some of these boards ran firmware that wasn't what you'd see if you'd look, IOW the actually active firmware actively hid that it was there, purporting to be a different firmware. This exposes the thing as a convenient back door for those in the know and with the means. Since this is the southbridge, that does mean that if you can get that LOM chip to do your bidding, you have complete control and access to the machine, bypassing the OS purportingly running the show on the "real" CPUs. And evidently you can, even if you're not the manufacturer.

So yes, despite the shouty hyping, this is an actual problem. You could make a good case it is actually worthy of the shouting and the hype, in fact.

It's been there for at least SIXTEEN YEARS, kids

The ME has been part of Intel chipsets for at least that long. If there was a problem, don't you think we'd've heard about it by now?

Extra general purpose computer running firmware ..

[khz6955]

'Intel Management Engine (ME) .. described as "an extra general purpose computer running a firmware blob .. a chip protected by RSA 2048 security on a chip'

Can I replace this firmware blob with one of my own?

Can I replace the RSA key with one of my own?

Can I audit this firmware blob to see what it does?

Can I disable this ME subsystem?

Who else can access this ME subsystem?

"there are mechanisms in place to address vulnerabilities should the need arise."

So basically Intel and any designated third party can access your computer regardless of in place security mechanisms.

now that the cat is out of the bag

[FudRucker]

i am sure every cracker/hacker in the world is looking for access to this hidden system within the system

Did anyone remember...

Clipper?

It doesn't matter.

In a month most of you will probably forget about this news.

so..

what are the odds that the Intel spokesperson is an impartial source?

Re:It has backdoor access. Authentication issue?

[PatientZero]

And when the FBI orders them to provide secret access to this chip running in all devices using it worldwide, they'll obviously break national security laws to inform the public, right? Oh, but of course, since it's the FBI, it'll still be secure from all (other) bad actors!

Service processor

[Todd+Knarr]

It's a service processor. No big deal in itself, we had them as far back as mainframes go. The VAX-11/780 I worked on/with in college in the early 80s had a small PDP-11 (an LSI-11/23) in the bottom as a service processor. I'd be more worried about a much more direct avenue of attack: microcode updates. Every Windows system and most Linux boxes include the packages to take the latest firmware updates from Intel and AMD and download them into the CPU during system boot. If Intel wants to put something malicious into the chip, all it has to do is issue a firmware update with it and it'll get near-100% coverage. If a bad guy has the keys to sign an IME binary, they also have the keys to sign a firmware update.

backdoor into every system?

If it's secure to intel or not; That suggests to me intel has a backdoor into every computer?

Yes.

This is pretty much what you can expect from now on, because that's what sells alas.

I'm glad there are other sites that do what Slashdot does better at this point, but it's sad to see it go. Hopefully they'll have the decency to just disappear like kuro5hin did a few weeks back rather than keep this farce up for a few more years of ad revenue.

Re: Yes.

Lol @ you thinking slashdot has good ad revenue.

Hint: geeks don't click ads, geeks use adblockers, if we do click on a link it's rare. Most are mis clicks.

They'll never guess the password

[Cajun+Hell]

But to get there, you have to break a chip protected by RSA 2048 security on a chip that can't be audited or examined. That's 2,048-bit security, which would require any attempt to break it to factorize semi-primes with approximately 617 decimal digits, which Zammit admits at this point is "pretty much impossible in one human lifetime for anyone with the biggest supercomputer."

Holy shit, this ("nobody will guess the password") is the excuse?! I especially loved the dumbed-down "that's 2,048-bit security." That has meme potential.

So, what we have is an open source crusader scaring the daylights out of people (just look at his headline) on a giant what-if scenario that even he admits couldn't happen in our lifetimes.

Yes, the scaremonger admits that he hasn't guessed the password. Therefore it's secure. Got it. (Wow!)

If there's something to debate here, I think it's fair to say that shockingly over-the-top morons like Andy Patrizio aren't going to be contributing to the discussion, on either side.

I'm not sure the Intel spokesman is helping to assuage fears either: "there are mechanisms in place to address vulnerabilities should the need arise." It sounds like he's saying there's already a backdoor that Intel can use to fight anyone else who breaks in.

With advocates like these, Intel doesn't need critics. At least the Intel spokesman one is murkier and more vague, not obviously stupid like the blogger's. I like to imagine him pausing and deepening his voice right before saying "..mechanisms in place.." and a slightly dark chuckle right before "should the need arise." Oh let's face it, I imagine the spokesman sounds like Emperor Palpatine so I never want to hear his(her?) real voice.

Re:They'll never guess the password

[arglebargle_xiv]

It's not just that, it makes the assumption that the only way in is by factoring the 2K RSA modulus. That's not how you get in, it's by exploiting a vuln in the 12-year-old copy of OpenSSL that it's using for the crypto, or using a TCP stack exploit that other vendors patched in 1997, or taking advantage of the fact that the incoming data is copied into a fixed-size buffer with strcpy(), or a million other code-like-its-1997 practices that are common in these management-engine devices. You don't even bother with the RSA signatures, in fact they're rather useful because they tell you which bit of the system not to bother attacking.

Re:They'll never guess the password

From what little I know, the AMT code is mostly written in Java, so you wouldn't expect such easy to make vulnerabilities as buffer overflows. They may actually be right that it is very secure. The problem is, who has access to your machine when you think it's off.

Its $CurrentYear

[PPH]

and you're still using Intel.

Re:Extra general purpose computer running firmware

> Who else can access this ME subsystem?

I'm pretty sure I can answer that one for you. The US Government. On demand (via National Security Letter, so no accountability of course). That's why IMHO the 'secret' chip in Intel CPUs really *is* that dangerous.

https://en.wikipedia.org/wiki/National_security_letter

"A national security letter (NSL) is an administrative subpoena issued by the United States federal government to gather information for national security purposes. NSLs do not require prior approval from a judge."

A better architecture...

[John+Allsup]

A better architecture would have the management engine off the main processor: leave the CPU for running user processes. Consider a small ARM processor running an RTOS, and if that did much of the work the kernel does. A modern PC is already like a mini heterogeneous supercomputer. Put the GUI on a core on the GPU card, so the CPU can send basic instructions and data (what they're moving towards anyway, but stick the windowing system the other end of the pcie bus, next to the GPU, possibly in the screen. Do likewise for io, network, and audio. Economies of scale is how the price is kept low. The trend has been to lump more and more work on faster and faster CPUs. Now that CPUs are no longer increasing in single core speed as they once did, performance gains will come from not using a 95W intel chip for what can be done just as well on a 1W ARM or MIPs chip. As for verifying security, use public key crypto, signiatures and hashing
to verify what us run (optionally), and separate OS install and normal runtime at a hardware level: have a small SSD for the core OS files (2GB would be plenty for a number of OSs side by side). In OS install mode, you can copy the files across, and do hardware diagnostics etc., but not run normal user software like Firefox. In normal run mode, the switch engages a hardware write blocker to the small OS SSD, and in signed mode the image needs to be signed by the hardware vendor somehow. Then malware cannot corrupt your OS as happens so often.

The only thing that is worse...

Is secret chip in Mr. Putin's head.

The real question that needs asking...

Is why all three major classes of CPUs have essentially the same 'Management Engine' design, and why all allow obscure said management engine's operations from the end user of the hardware.

ARM Trustzone(Arm core), Intel's ME(Arc core), and AMD's Trustzone core(Arm again)/System Management Unit (LM32):
Of these the latest versions of each support a permanent signing key, disallowing the end user from customizing, disabling, or auditing the software and operation of the most critical component of their online lives. And face it, unless you live out in the sticks in an off-grid community, your life *IS* plugged in. And now you're giving the keys to the kingdom to, if you're lucky, a bunch of slightly paranoid corporations who at least for now wouldn't abuse the privilege... And if you are unlucky, you are giving those keys not only to those corporations, but also to any social engineer, spy, law enforcement, or corporate espionage agent willing to invest the time, political leverage, or skill to retrieve the key. At which point all of that old hardware may be susceptable to a level of observation that would give even Xi Jinping and Kim Jong-un stiffies that even their no doubt plentiful hordes of mistresses couldn't bring down.

In other news: Kim Jong-un was killed by a female suicide bomber. google 'North Korea Leader' on google and it should be the first hit!

Don't forget....

A lot of the modern Intel processors were designed in Israel. If you aren't concerned with the FBI/NSA, what about Mossad? How about MI5/6/FBI/NSA via Intelligence sharing with Mossad?

Honestly the real question that should be asked nowadays is: With all of our devices backdoored to this extent, how come there are still terrorist attacks in first world countries other than because they are politically beneficial to societal, legal, and financial changes?

Re:Don't forget....

It's just like when the allied powers broke the German enigma encryption during WWII. If you all of a sudden act as if you know everything that is going on then you reveal to your enemies the what you did and they change tactics. You would essentially lose the power by using it too much.

Sounds like the Donald...

talking about his University.

If it walks like a duck and talks like a duck....

It's probably Donald Duck.

You are thinking 'SMI'

Which has been there since the 486(SL, or 386SL?). The Intel Management Engine, as mentioned has only been there since the Q35 chipset era, earlier equivalents were generally KNC/BMI/IPMI(Might be wrong about the first two acronyms, it's been years) interfaces and involved a secondary cpu board with a management processor on it which simply got a special header and possibly modified PCI slot to allow access to the CPU bus. Furthermore power management capabilities were only available with ATX power supplies (I have some proto-ATX systems that predated them, but had BMI interfaces on them.)

So . .

So it can be hacked.

Intel's 1 paragraph response

[Pope+Raymond+Lama]

Come on!! How can that even count as a "response"? The TFA just reiterate the original article, but punctuating it by the author's unexplainable hate for anything open,and at the very bottom, it quotes an "Intel Spokesman" in a few lines just saying "it is very secure".

All right! I feel safer already!

Re:It has backdoor access. Authentication issue?

> The chip has the "power" to do many things including take secret control of a system, transfer files, read RAM, anything.

Not with properly configured IOMMU tables it doesn't.

Re:So is this clickbait? - Yes.

Of course your PC is still on even when it's off. It's called 'standby' and is used for a number of things - like being able to start it up using a touch button rather than a big honkin' switch. Most power supplies have a switch on the back that actually shuts it all off - useful if you're going to be messing about inside though pulling the plug is better. Also, you can hook it up to a UPS if it's a desktop, and turning it off at the UPS turns it OFF much like that switch on the p/s. If the computer is sitting there in standby anyway, having the 'management engine' still running probably doesn't increase the power draw much. You can't spin up a disk drive on standby power, so unless it's actually turning the system on without your knowledge (isn't there a setting for that in the BIOS?) there's not much it can do while on standby.

What does it monitor when the computer's actually on? Talk to Intel. And as far as using the same network connection as the main system ... now many connections do you have? Most computers only HAVE one so any communication goes through that.

Clickbait.

Andy Patrizio

Andy Patrizio is a stupid idiot of a jounalist who knows nothing about computers and security.

They cut it off

[slashmydots]

"An Intel spokesperson told the publication: While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure. Intel has a defined set of policies and procedures, managed by a dedicated team, to actively monitor and respond to vulnerabilities identified in released products. In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise. But WE'RE using it as a back door. I mean come on."

Re:They cut it off

[flacco]

Oh, well, OK, if there are policies and procedures, and mechanisms, and stuff, I guess it's all cool.

The simple question is: if this is a "product" for enterprise "management", why isn't it possible to turn this godforsaken surveillance engine OFF at the hardware level?

the primary "if"

[flacco]

> namely, if it can be compromised by a rootkit

It fucking IS a rootkit.

Christ.

Re:So is this clickbait? - Yes.

[vux984]

The point isn't that its on when the system is off. The point is what it can do to the host system when its on. It can read RAM. It can communicate over the network. Its completely beyond the control or purview of the host operating system.

What does it monitor when the computer's actually on? Talk to Intel.

The point being that if it can be exploited, then its at the mercy of hackers. So you can run OpenBSD or whatever you like, and if the ME is exploitable someone can remotely connect to your system, keylog it, rootkit it, read out the contents of ram...

Its fundamentally incompatible with a secure system; to have a 'black box' OS that can do anything it wants and may have all kinds of weaknesses and exploits and then have that piggy-backing on the host systems network interface.

On servers, where its relegated to a dedicated wired port... and the people running them are running the management over separate secure networks... it makes sense.

But WTF is this doing on wifi on laptops?

couldn't happen in our lifetimes.

[bug1]

Thats your problem there, thinking your attacker will use methods you expect.

e.g What if Intel decide to be the attacker ?

Re:couldn't happen in our lifetimes.

[cfalcon]

I don't think you need to really even mention that as a possibility.

What if the RSA key is solved? It's not impossible, after all, and if the keys to so many kingdoms are there...
Ok, so lets assume that's effectively impossible. It is a really big key, after all.
What if the RSA private key is stolen? What if it is leaked? Now we are relying on Intel's internal security. I'm sure it is top notch, but we are talking about a really valuable number here. When a code update gets signed, there is the possibility of a technical attack on the signing machine, etc.
What if the RSA private key is compelled as a release? Perhaps some foreign government makes Intel a deal they can't refuse.

If you can't think of a case when ANY of these could happen, pretend that there is a war. Something that can damage civil infrastructure in this way could definitely help our enemies, be it backdoor or glitch or exploit or whatever.

Why so fragile?

Update mechanism

Sure Intel can upgrade their reference firmwares, but the sprawling mess of motherboard manufacturers are not really interested in updating firmwares. Maybe for the latest generation but certainly not for anything over four years old.
I even have a Lenovo desktop that has insecure (default password you can't disable, way to go Intel) AMT and the instructions from Lenovo just tell to muggle up the IP address so it couldn't be accessed.

Got any national security letters lately, Intel?

You're not allowed to tell us? I rest my case.


An Intel spokesperson told the publication: While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure. Intel has a defined set of policies and procedures, managed by a dedicated team, to actively monitor and respond to vulnerabilities identified in released products. In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise.

Do AMD CPUs have similar technology?

[syncm]

> If not, my next buy is AMD...

Re:Do AMD CPUs have similar technology?

[cfalcon]

AMD has the "Platform Security Processor" which is the equivalent of the management engine, with similar restrictions.

It's still a fair bet to go to AMD if you are seeking to reduce your attack profile: if it requires some amount of effort X to own Intel and some equivalent amount of effort Y, with Y~=X, then there are some subset of potential attackers that would be willing to pay X to attack the large fleet of Intels, but not Y for the smaller flet of AMDs.

Re:couldn't happen in our lifetimes (God's key)

[info6568]

I could call this the "God's key".

As we know nothing about how this work inside, there are two big possibilities: (1) There is only one key for every Intel chip or (2) Intel stores private keys for every chip they produce. And both are equally fragile.

In the first place, that key must be in the hands of somebody in some moment in the CPU life cycle, or the key must be stored someplace and somebody must has a key to access the key, or any other combination of facts involving a human. As the weakest link, that human is the one must be protected.

In the second place, if there is only one key to have access to the most of Intel based computers around, then it deserves to invest in a methodology to break "that" key. The payment always will be higher than the money used to break it.

Also, when we talk about hundreds of years to break a key, that is a commercial buzzword referring to a "maximum" in the statistical world. There is a chance that the key be found in just five minutes so, to declare the type of key is not a good idea because they already gave enough information for somebody to try to break it.

But there is a particularly troublesome word has been used here. It is the "VERY" in "very secure". For me, something is or not secure and when very is used, it means that they don't trust 100% on what they do. There is a manageable risk that they decide to put into their shoulders in the name of all their users without having any idea what their users would be controlling with their CPUs. And this is a "very" risky bid.

Re:So is this clickbait? - Yes.

Is this thing required to be operational for the rest of the motherboard to function? I mean, if I get careless with a wandering soldering iron and happen to melty-burny-ize the chip this thing is on, is the entire board bricked or is it business as usual from my end of things, less one AMT engine?

manishs reposting own story from two days ago

[obsess5]

Doesn't anyone read Slashdot? manishs, who made this post, posted the same story, with the same links, on June 15: Intel x86s Hide Another CPU That Can Take Over Your Machine -- You Can't Audit it.

And, the check is in the mail...

[martinfb]

And, the check is in the mail...

ORLY again. M.E. Phone Home and incoming calls.

[Ungrounded+Lightning]

How about if they just send you some packets over the internet?

A possible exploit or backdoor could be triggered this way. The workaround would be a really aggro firewall, but even then you'd have to be sure you were running it on something auditable if this was your concern.

Again, how would you know what to block?

Even if you knew what to block, how would your firewall ever see it? If you built it out of Intel chips, AMD's ME gets first look at them. It could recognize its own, see that they're for something behind it, and forward them itself, without the main CPU ever seeing them. Even if there are multiple cards involved the MEs get to talk to each other in private.

The same applies to outgoing packets from the advertised "M.E. Phone Home" feature on machines behind your firewall. A firewall's rules and logging don't mean squat when the firmware on the hardware under the firewall's processor intercept and forward the packets themselves and don't bother to mention it to their victim.

It might seem hard to do but it's actually pretty trivial. The M.E. already knows how to intercept packets for itself and establish a connection from an external controller. All it has to do in addition is provide that service on inward-facing interfaces as well, and proxy between them and similar connections on the outward-facing interfaces. Piece of cake.

Wrong tense

[KiloByte]

I'm afraid you used wrong tense.

Re:ORLY again. M.E. Phone Home and incoming calls.

[cfalcon]

> Again, how would you know what to block?

You're asking the wrong question. You block everything, default deny. The question is, how long will it take you to turn on just the things you need?

And of course, I'm not suggesting that you personally need to do this. But the fact is, there's plenty of machines that operate under this model, which definitely reduces the risk of this potential attack. It doesn't eliminate it, however.

> If you built it out of Intel chips

I do mention this. But firewalls are not always built out of Intel chips, and they are definitely not all built out of the ones with ME built in. Firewalls don't need to even be running x86 stuff normally either- there's a great deal of diversity in these solutions.

> A firewall's rules and logging don't mean squat when the firmware on the hardware under the firewall's processor intercept and forward the packets themselves and don't bother to mention it to their victim.

Again, if this was happening it would have been noticed. There's fully open hardware in the firewall arena. If a hardware firewall exists that secretly passes certain packets from WAN to LAN, that's a serious violation, and possibly even a criminal one. If you are saying that you can't trust the software firewall on your machine because the ME could issue packets raw on the LAN, yes, of course that is an issue. But a software firewall is never good enough alone, as Microsoft proved by shoving packets in and out that ignore admin configured networking.

Again, the ME is a risk- definitely- but there are possible mitigations for an ME bug (or backdoor) that you can take today, and they happen to be the same mitigations you are already doing for all the other potential risks.

wasted effort

[cwsumner]

If you don't know what is in any of the other chips, or even what is in the rest of that chip, then worrying about one extra block that you can't even prove is there, is wasted effort. 8-P

Guardian laptops

[ThatsNotPudding]

Remember when GCHQ demanded Guardian staffers destroy very specific locations on the laptop motherboards? Hmm.

Only as Dangerous as...

Your Bios/EFI...
Your video/graphics cards...
Raid adaptors...
Modems...
Hard drives...
optical disc drives...
thumb drives...
webcams...
your mouse...
your keyboard...
even your monitor thanks to today's 2 way communication standards ala HDMI.

Have you seen the source to ANY of these devices firmware?