Slashdot Mirror


Purism Now Offers Laptops with Intel's 'Management Engine' Disabled (puri.sm)

"San Francisco company Purism announced that they are now offering their Librem laptops with the Intel Management Engine disabled," writes Slashdot reader boudie2. Purism describes Management Engine as "a separate CPU that can run and control a computer even when powered off."

HardOCP reports that Management Engine "is widely despised by security professionals and privacy advocates because it relies on signed and secret Intel code, isn't easily alterable, isn't fully documented, and has been found to be vulnerable to exploitation... In short, it's a tiny potentially hackable computer in your computer that you cannot totally control, nor opt-out of, but it can totally control your system."

Purism writes: Disabling the Management Engine is no easy task, and it has taken security researchers years to find a way to properly and verifiably disable it. Purism, because it runs coreboot and maintains its own BIOS firmware update process, has been able to release and ship coreboot that disables the Management Engine from running, directly halting the ME CPU without the ability of recovery... "Disabling the Management Engine, long believed to be impossible, is now possible and available in all current Librem laptops. It is also available as a software update for previously shipped recent Librem laptops," says Todd Weaver, Founder & CEO of Purism.

151 comments

  1. Upgrades? by goombah99 · · Score: 4, Insightful

    Does this also mean they can "unlock" the soft-locked downgrades on the cheaper processor series to make them full strength?

    So if the management engine isn't actually necessary what actually does it provide?

    Is this new one open source? or have we met the new boss, same as the old boss?

    What country is Purism based in or owned by?

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Upgrades? by fph il quozientatore · · Score: 5, Insightful

      So if the management engine isn't actually necessary what actually does it provide?

      Oh, honey. It's a backdoor by the NSA. They can remotely access your computer, no matter what is installed on it, and even if it's turned off. No, I'm not kidding and it's not a conspiracy theory.

      --
      My first program:

      Hell Segmentation fault

    2. Re:Upgrades? by PolygamousRanchKid · · Score: 2, Insightful

      So if the management engine isn't actually necessary what actually does it provide?

      It provides an excellent opportunity for your government to get to know you better! Your wants, your needs . . . your seditious thoughts and deeds . . . whether you voted for President Zuckerberg or not . . .

      What country is Purism based in or owned by?

      Does it even matter any more . . . ? The British share their "intelligence" with the Americans, who usually just buy it from some "leaky" old German SED folks who are still working on the taxpayers' dime to undermine the evil capitalist system. A better question would be to ask which companies own which countries.

      The Clintons sell stuff to Russia; Trump "makes business deals" with Russia, but in Putinist Russia Parlance, it looks like "Russia dealed him!"

      Hey, the various leaders of the world are deeply divided on social and political issues, but they are united in one common goal . . . to keep an eye on, and control their populations.

      I'm American, grew up there, and lived there until I graduated from college, but have been living and working in Europe since then. (It wasn't really planned; it just kinda sorta happened). On one business trip to scenic Austin, Texas, I drove by a car dealership and something unsettled me, but I couldn't determine what it was . . .

      . . . until I realized that there were signs advertising "Pre-Owned Cars!" Um, wouldn't that be what we used to call, "Used Cars" . . . ? Isn't that what they really are . . . ? At any rate, why call this critter the "Intel Management Engine"? To be honest, Intel should call it, "The Intel Secret Backdoor To Your Computer, Allowing Access For Folks Who You Do Not Want!"

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    3. Re:Upgrades? by Anonymous Coward · · Score: 0

      What country is Purism based in or owned by?

      I can field the based in question. The first four words of the summary are "San Francisco company Purism [...]." It's a US-based company.

    4. Re:Upgrades? by Anonymous Coward · · Score: 3, Informative

      Despite Intel's claims, ME is a backdoor.

      If it wasn't a backdoor they would let you completely remove it.

      It's a dumpster fire of privacy issues, security problems and blatant government snooping.

    5. Re:Upgrades? by Anonymous Coward · · Score: 0

      You mean like Qualcomm or Apple? (cough Fox Con)

    6. Re:Upgrades? by Anonymous Coward · · Score: 0

      One poster here on /. even claimed that his laptops were bricked by malicious actors thru IME. Too bad, even M$ and intel can brick perfectly working machines just to get additional sales. Very frustrating for us laptop and PC owners.

      captcha: wrench (sorry but this tool won't solve the IME problem)

    7. Re:Upgrades? by guruevi · · Score: 5, Informative

      On your first question, usually the cheaper processors these days are actually different layouts, a long, long time ago this wasn't the case but then it was a case of binning, you could potentially get lucky but it was usually a more expensive model that got rejected but still ran on slower speeds with large portions of cache and other features disabled (eg. due to low yields on the wafer). These days production has gotten smaller, better and cheaper so yields are rarely a problem and even if they were, they probably wouldn't produce useful products anymore.

      The management engine provides exactly that, management. It's intended for servers and enterprise systems. It's a form of baked-in IPMI and these days runs a version of MINIX. It can connect either directly or over VPN to your corporate environment and then you can remotely manage the machine, it can do security posture assessments (because it's not controlled by the OS, it can peer into hypervisors or compromised hosts), it can even emulate a serial port so you can connect to your host if you're running Linux/Unix-type systems.

      Nothing about this is open source besides it being based on MINIX, to actually use it you have to pay Intel for their closed source software to be able to access the devices.

      Purism is a computer technology company based in South San Francisco, California and registered as a social purpose corporation in the state of Washington.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    8. Re:Upgrades? by Anonymous Coward · · Score: 1

      If we ignore the inept implementation for a minute, the optimistic promise of the management engine is to provide features for IT management of workstations and laptops. It brings the IPMI and remote KVM features of datacenter machines to the low-margin, high volume corporate desktop market and lets these features work wherever the machine will reside, rather than only in a controlled machine room.

      Over its multiple iterations, it has gained more features to allow an IT worker to rescue and reconfigure a machine without having to sit in front of it. This is a major "total cost of ownership" proposition for larger companies with multiple sites and many more users per IT staff member. At its very core, it allows IT to manage a machine that either has no OS or has a broken/compromised OS. It allows the IT worker to remotely "turn it off and on again". It allows the IT worker to access the BIOS settings and adjust boot settings. It allows the IT worker to virtually insert a bootable CD or USB thumb drive which is actually data streaming in from their management workstation. It allows the IT worker to see the booting OS and access its keyboard, mouse, and video display without the running OS having any say in the matter.

      These same capabilities it offers to the IT worker are feared by the cynical, even if they were bug-free. If you understand that the owner of a corporate desktop is the corporation, and not the end-user, then you understand how these features allow owners to control their machines. If you have some wacky revolutionist idea that the end-user owns the desktop that their company furnished, you might despise this capability of the IT group to reach in and override the user.

      I've purchased multiple iterations of cheap, corporate desktop motherboards with AMT on purpose. I use AMT to remotely manage the machines I own. I can manage my little server from a laptop elsewhere in the home. I can remotely manage my backup server 400 miles away in a friend's home, or a desktop and a media/PVR for my elderly parents. I've used versions from circa 2007 and from 2017. The basic remote power off/power on feature has always been useful. The 2007 machine provides remote serial console to let me see the BIOS POST sequence, and even the bootloader and Linux boot once I've configured them both to activate a serial console. The 2017 machine gives me a VNC-style KVM view of the BIOS, bootloader, and booted OS.

      I've only used open source tools to manage these machines and so have provisioned them in their weakest, password-based configuration. I cross my fingers that my small SOHO LAN routers and firewall are sufficiently isolating these mechanisms from the Internet. I use an SSH-based tunnel through the router to access the AMT features from off-site. There are fancier, PKI based provisioning methods offered to large customers, where you can even have the management engine preconfigured with your own trusted certs and the machine can perform automatic enrollment into a campus-wide management system as soon as it is unpacked and powered up. I've never seen an open source attempt to provide these same functions using actual AMT parts, but the same basic premise has always been popular in Linux cluster management suites: rack a new machine, plug it in, turn it on, and let it automatically get registered into the cluster, get its OS installed, and enter service as one of hundreds of compute nodes.

      The fact that that has been poorly implemented in the way only a hardware manufacturer could achieve is just frustrating. Even if you ignore the "it's an NSA backdoor" FUD, you have the general drawback of most software produced by hardware companies. It is written by someone who fails to really anticipate constant software updates, it is probably entangled in countless licensing agreements that prevent it from being open source, they try to treat the firmware image like it's another hardware unit to be stocked and sold, and it has that stupid miasma of secrecy which infects the culture of most

    9. Re:Upgrades? by Anonymous Coward · · Score: 0

      If you think turning off ME magically makes your computer secure, I've got news for you. If Intel is malicious enough to include such a little trojan as the ME... well I mean... they literally designed your closed source silicon CPU. Any number of "built in management engines" could be lurking inside.

    10. Re:Upgrades? by Anonymous Coward · · Score: 0

      Russian hackers crack this))) https://www.itweek.ru/security/article/detail.php?ID=197089

    11. Re:Upgrades? by Anonymous Coward · · Score: 2, Informative

      A secure laptop should have verified boot because it addresses an attack model that has become more important after the Snowden revelations. We learned that:

        - NSA wants to keep their best exploits secret. For example, it uses more valuable exploits on less technically sophisticated targets who are less likely to discover them.
        - NSA goes to great lengths to achieve persistence, for example hard drive firmware attacks that expose the exploited code the first time a sector is read, at boot, but the original code from then on, when the system is scanned for malware or checksum mismatches.
        - NSA has many BIOS- and firmware-level attacks because it wants persistence even if the OS is wiped and replaced.
        - It's unrealistic to expect we will ever patch all the bugs the NSA knows about.

      Verified boot is very powerful in this scenario because, even if you don't know about a bug, it can stop that bug from permitting secret persistence. It drives persistence techniques into the open. For example, to attack ChromeOS and survive a reboot, they may need to install a malware extension, which can be audited from cloud side thus making everyone a technically-sophisticated target.

      Intel breaks verified boot with their FSP blob. Verified boot starts with "read only" firmware which contains the verified boot key(*), checks the signature on the read-write firmware and jumps to it. But the processor must be fed the FSP blob before it runs the first instruction, so there's no way to check a signature on the FSP blob. A variety of CPU errata are fixable by updating the FSP blob, so it's prohibitively costly warranty exposure to leave the FSP blob un-updateable by linking it into the read-only firmware.

      This undermines the defense ecosystem / attack recovery benefits described above. To get them, all state on the machine needs to fall in one of three categories:

        1. not verified but impossible to change without physical access (ex. "remove the developer screw" on Chrome OS, or the trivial solution of replacing the entire CPU with a backdoored one)
        2. auto-updateable, but verified by boot signature chain
        3. wipeable user data

      The first verified-boot key in the chain is in bucket 1, and other keys are in bucket 2. But Intel FSP inserts step 0:

      0. CPU and RAM bring-up code: auto-updatable and not verified by boot signature chain.

      It undermines the entire purpose of verified boot.

      Disabling the ME is not very convincing unless there is some verified-boot way to make sure it stays disabled. The hypothetical persistent attack would simply un-disable the ME, so part of the problem is that it's there at all for an attack to turn it on: it's a perfect hardware rootkit that can surveil without detection. There is no verified-boot way to disable the ME because of the FSP, so this Purism promise is pretty close to snake oil. They have hand-wavily reduced the attack surface somewhat, so it's not worthless, but it's not enough to fundamentally unbreak Intel's platform security-wise.

      AMD has a similar blob called PSP. Many ARM chips also have this problem. FWIH Rockchip does not, so currently I would suggest a Rockchip Chromebook over Purism if security is the goal.

      (*) You may have heard verified boot uses TPM. This is to prevent rollback from a current patched version of the OS to an old exploitable version without wiping user data first. The TPM starts in "willing to roll back counter if asked" mode, but before the program running on the CPU exposes its full attack surface, it either wipes userdata or sets the TPM into "only willing to roll forward the counter" mode. The read-only firmware obviously cannot maintain state. The purpose of the TPM is to maintain state with rules, and in this case the "rule" is a fuse that's reset on each reboot.
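
A toy model of the boot chain described in the comment above, added here as an illustration (it is not code from the commenter, Purism, Intel or ChromeOS). It shows that a signed stage is caught when modified, that an unverified "step 0" blob can change without the chain noticing, and how the rollback counter's lock behaves. HMAC-SHA256 stands in for the asymmetric signature a real verified boot uses, and the names `Stage`, `RollbackCounter` and `boot` are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed demo key. Real verified boot keeps only a public key in read-only
# firmware; HMAC is a stand-in so this runs on the standard library alone.
ROOT_KEY = b"constructed-demo-root-key"


def sign(image: bytes, version: int, key: bytes = ROOT_KEY) -> bytes:
    """Bind the image to its version so an old signature cannot be relabelled."""
    return hmac.new(key, version.to_bytes(4, "big") + image, hashlib.sha256).digest()


@dataclass
class Stage:
    name: str
    image: bytes
    version: int = 0
    signature: Optional[bytes] = None  # None models "step 0": runs, never checked


class RollbackCounter:
    """TPM-style counter: may be rolled back until locked; lock clears on reboot."""

    def __init__(self, value: int = 0):
        self.value = value
        self.locked = False

    def reboot(self) -> None:
        self.locked = False

    def lock(self) -> None:
        self.locked = True

    def set(self, new_value: int) -> None:
        if self.locked and new_value < self.value:
            raise PermissionError("counter is roll-forward only until next reboot")
        self.value = new_value


def boot(stages, counter, wipe_userdata=False):
    """Plays the role of the read-only firmware. Returns (booted, log)."""
    counter.reboot()
    log, verified = [], []
    for st in stages:
        if st.signature is None:
            log.append(f"{st.name}: executed, not verified")
            continue
        if not hmac.compare_digest(st.signature, sign(st.image, st.version)):
            log.append(f"{st.name}: signature mismatch, halt")
            return False, log
        verified.append(st)
        log.append(f"{st.name}: verified v{st.version}")
    oldest = min((st.version for st in verified), default=counter.value)
    if oldest < counter.value:
        if not wipe_userdata:
            log.append("rollback refused: user data not wiped")
            return False, log
        log.append("user data wiped, counter rolled back")
    counter.set(oldest)
    counter.lock()  # from here on the running system cannot lower the counter
    return True, log


def chain(stage0=b"bring-up blob v1", rw=b"rw firmware", kernel=b"kernel", ver=2):
    """Constructed sample chain: one unverified blob, two signed stages."""
    return [
        Stage("stage0-blob", stage0),
        Stage("rw-firmware", rw, ver, sign(rw, ver)),
        Stage("kernel", kernel, ver, sign(kernel, ver)),
    ]


def demo():
    counter = RollbackCounter()
    clean_ok, clean_log = boot(chain(), counter)

    tampered = chain()
    tampered[1].image = b"rw firmware + implant"  # signature no longer matches
    rw_ok, _ = boot(tampered, counter)

    s0_ok, s0_log = boot(chain(stage0=b"bring-up blob + implant"), counter)

    try:  # counter is locked after a successful boot
        counter.set(1)
        locked_blocked = False
    except PermissionError:
        locked_blocked = True

    old_no_wipe, _ = boot(chain(ver=1), counter)
    old_wipe, _ = boot(chain(ver=1), counter, wipe_userdata=True)
    return {
        "clean": clean_ok,
        "tampered_rw": rw_ok,
        "tampered_stage0": s0_ok,
        "stage0_logs_identical": clean_log == s0_log,
        "locked_rollback_blocked": locked_blocked,
        "rollback_no_wipe": old_no_wipe,
        "rollback_with_wipe": old_wipe,
        "counter": counter.value,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The modified stage-0 blob produces the same log as the clean boot, which is the gap the comment attributes to an unverified, auto-updatable bring-up stage.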

    12. Re:Upgrades? by Anonymous Coward · · Score: 0

      ))

    13. Re: Upgrades? by Anonymous Coward · · Score: 0

      "Oh, honey. It's a backdoor BUY the NSA. "

      FTFY, because we know they are paying these companies for the privilege.

    14. Re:Upgrades? by Anonymous Coward · · Score: 0

      Don't bother with this purism bullshit, it's just another "Libre"-gone-mad project by nerds who think there's a market for 100% hackable tech.

      Sure the Management engine is a bit of a bummer, but it's not even turned on in 90% of the products that it's available in, because most of these are home users. Its primary use is Enterprise, and you have got to be rather foolish to actually turn it on unless you're managing more than a dozen computers centrally behind a firewall.

      If you note, AMT could only be exploited from the inside. Which meant that "the call is coming from inside the house" type of security problem, where you left the door unlocked anyway.

      People who have Intel processors typically never turn this stuff on in the first place if they're gamers. Anything that induces latency is bad. Most third party motherboards don't come with Intel network adapters (just about everything comes with cheapo Realtek chips) and those that do are gamer products.

      So this problem is overstated for the end user. The likeliness that you have everything turned on from the factory to exploit this is zero. Only enterprise leased hardware would have this stuff turned on from the OEM, and that's because the OEM used it to set up the Enterprise machines to begin with. I can't tell you how useful IPMI is when setting up computer servers, but AMT is not IPMI, and AMT is targeted at business assets.

    15. Re:Upgrades? by Anonymous Coward · · Score: 0

      That person needs to lay off smoking Pot.

      You can not brick something through AMT if it was never turned on in the first place. You will only find AMT in enterprise equipment, and even then, only if it was setup as enterprise.

      If you go buy an ASRock motherboard, the feature is there and turned off by default in the bios. You actually have to turn it on in the first place. You can not flip it on from within windows. Most Z-series chipsets used in desktops don't have it enabled because they don't have the entire vPro set.

    16. Re:Upgrades? by Anonymous Coward · · Score: 2, Insightful

      No, it's in all Intel motherboards made in the last 7-10 years.

      And the BIOS doesn't disable it. It just makes it unresponsive to YOU - all this has been documented.

    17. Re:Upgrades? by Anonymous Coward · · Score: 0

      How long before Intel fixes the bug that allows Purism to do this?

    18. Re:Upgrades? by Aighearach · · Score: 1

      If you're not kidding, then it is a conspiracy theory.

      Believing that it is true does not stop it from being a theory, or from involving a conspiracy. Actually, it would be required to have a conspiracy since it is actually sold as an enterprise security feature and companies are paying extra for the features it comes with.

    19. Re:Upgrades? by flacco · · Score: 1

      > You will only find AMT in enterprise equipment, and even then, only if it was setup as enterprise.

      This is disinformation.

      --
      pr0n - keeping monitor glass spotless since 1981.
    20. Re:Upgrades? by Anonymous Coward · · Score: 0

      >> So if the management engine isn't actually necessary what actually does it provide?

      > Oh, honey. It's a backdoor by the NSA. They can remotely access your computer, no matter what is installed on it, and even if it's turned off. No, I'm not kidding and it's not a conspiracy theory.

      THIS ^

      Thought the same. Far from me to rain on these guys' parade -- it may be the start of something beautiful, but the sad truth is that what can be disabled by software can also be re-enabled. I'd even say ditch Intel and go for AMD, but the latter probably were "enlisted" the same way.

      In my purchases I always make sure I don't get one of these CPUs, but sometimes an old computer is "inherited" and we can't really look a gift horse in the mouth...

    21. Re:Upgrades? by flacco · · Score: 1

      Hey, that's some great customer feedback from someone who wants a robust and secure management engine on their machine. but -

      > Even if you ignore the "it's an NSA backdoor" FUD, ...

      I would like to ask you if this is FUD then why is it fucking impossible to buy a modern CPU **without** these back doors (oh, sorry, "management interfaces" if you insist), despite persistent calls for them and despite the intensity with which they are loathed?

      --
      pr0n - keeping monitor glass spotless since 1981.
    22. Re: Upgrades? by Anonymous Coward · · Score: 0

      Paying billions to intel, google.

    23. Re:Upgrades? by Anonymous Coward · · Score: 0

      ORIGINALLY, it was a cheap way for motherboard manufacturers to save money. Instead of custom silicon that did 'x', 'y' or 'z', the idea was the main CPU could simply run custom code and emulate it.

      Think of the 'windows softmodem' days when the hardware didn't do much encode/decode and the host CPU did most of the heavy lifting.

    24. Re:Upgrades? by Anonymous Coward · · Score: 0

      If you're not kidding, then it is a conspiracy theory.

      Believing that it is true does not stop it from being a theory, or from involving a conspiracy. Actually, it would be required to have a conspiracy since it is actually sold as an enterprise security feature and companies are paying extra for the features it comes with.

      Believing that it's a "conspiracy theory" doesn't make it not true.

    25. Re: Upgrades? by Anonymous Coward · · Score: 0

      What country is Purism based in or owned by?

      Holy Fuck! This got modded up to +4 as I type? The first three words of the summary are "San Francisco company"

      Is there a rule now that no one with an IQ above 80 is allowed to mod now?

    26. Re: Upgrades? by Anonymous Coward · · Score: 1

      But this is actually happening, and the NSA/CIA have done stuff like this before. Elliptic Curve anyone? This is worse.
      There's no conspiracy or theory anymore because they just do it out in the open.

    27. Re: Upgrades? by slashrio · · Score: 1

      I just modded it as 'overrated' for you.
      Does this prove my IQ > 80?

      --
      "Trump!!", the new Godwin.
    28. Re: Upgrades? by ArhcAngel · · Score: 1

      I just modded it as 'overrated' for you. Does this prove my IQ > 80?

      And then commented logged in...I'd say no, no it does not.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    29. Re:Upgrades? by Z80a · · Score: 1

      The ME is actually used for user functions as well. It manages the power states and allows proper remote managing for CPUs with that enabled, but it's still a black box that "for some reason" NSA have disabled on their computers.
      It runs an entire OS with programs and stuff.

    30. Re:Upgrades? by Anonymous Coward · · Score: 0

      At the hardware level, I honestly think that it's because they replaced their old embedded controller with the management engine's processor and used it as part of their basic architecture. It can't really be removed unless they design different chip variants, which they would then have to validate all over again.

      At the software level, I'm sure they could design a much more limited firmware image that only does the basic embedded control functions needed for thermal management, voltage control, etc. I imagine they don't bother with this because they don't see it as a significant market segment, and the bean-counters see it as merely a pointless complication that would cost them money.

      I think it would be great if Google and other large providers changed their opinion on this, by expressing a desire to purchase large quantities of chips that could be configured without the closed-source software. If they've bothered to design that capability in, perhaps you or I could also buy one, just like I can buy a $100 motherboard with all the corporate desktop features that nobody on /. seems to see a use for.

    31. Re:Upgrades? by sexconker · · Score: 1

      You have NO fucking clue.

      The ME/AMT bullshit is physically inside every single Intel x86 CPU from the last decade or more.
      It's "disabled" on consumer SKUs via a firmware flag at best. That just means it doesn't present the user-facing features. It's still physically present. It's still electrically connected. It still has a full system inside the CPU to fuck you.

    32. Re:Upgrades? by sexconker · · Score: 1

      I have never in my life heard of any person or company utilizing the "features" of ME/AMT.
      The only thing anyone uses is IPMI-type shit for servers (via BMC, iDRAC, iLO, or whatever else you want to call it).

    33. Re: Upgrades? by Anonymous Coward · · Score: 0

      While I am sympathetic to Purism, I agree with this basic analysis. It is following the same problem that almost all FOSS projects face: building a product around what they think the market should be, rather than what it is. As a result, they end up creating products (like PureOS) that are grossly lacking functionality that people actually want and need. They seem to be pursuing the same route in Librem 5. They are not even allowing Signal or Telegram on Librem 5 by default!

      The history of FOSS development: everyone wants to be a chief, but few can build a successful tribe. So we end up with lots of little tribes and few successful ones.

      Here is another problem. With the Purism approach against any proprietary firmware, because they are trying to get FSF certification (who cares?), does that mean they will let critical components go unpatched because the patches contain some proprietary code?

      Look, I wish everything was FOSS. I always prefer FOSS when I can. But the FOSS movement has historically proven to be really, really bad at organizational management, and so it is typically unable to put together a strong, well-supported product built for longevity. The Linux Foundation, Canonical, and Red Hat are a few of the notable exceptions. Anyway, the idea that FOSS is always better is straight up wrong. Well-supported proprietary software (like OSX) is worlds apart better than a FOSS Linux distro that is a part-time hobby for a couple of guys in their garbage. Can proprietary code spy on you? Yeah, and you know what else can spy on you? Hackers exploiting your unpatched or poorly-supported open source software.

      My plea for Purism and every other FOSS project that wants to make a real difference: imitate Canonical and Red Hat. The proof is in the revenues. Making lots of money is the market telling you that your business model works, and if you want to take FOSS to tens of millions of new users, you need to run a successful business that gives the customer what THEY want.

    34. Re:Upgrades? by tlhIngan · · Score: 1

      Hey, that's some great customer feedback from someone who wants a robust and secure management engine on their machine. but -

      > Even if you ignore the "it's an NSA backdoor" FUD, ... I would like to ask you if this is FUD then why is it fucking impossible to buy a modern CPU **without** these back doors (oh, sorry, "management interfaces" if you insist), despite persistent calls for them and despite the intensity with which they are loathed?

      Because that management firmware is involved in... managing the processor.

      Think about all the features it does - at a basic level, you can power on and reset the machine. That means the firmware must be able to turn on and turn off the PC, as well as reset it. Plus sleep modes - entering sleep and exiting out of sleep (and the various conditions to wake it up - network, for example).

      Modern CPUs are complex beasts - even the little ARM SoC in your phone often has a management CPU on it handling power. It boots up when the chip powers up and manages the entire system power state. When you boot the main CPU cores (the one that runs your OS, like Android or Linux), the little management CPU (typically an ARM core, usually an ARM7, ARM9 or Cortex-M series - you want a CPU that sips power because it's running anytime there's power in the system) turns on the power rails while holding the main CPU cores in reset. It also often sets up the pre-boot environment - writing a simple start program to the CPU cores to run (usually load memory address X, if it's Y, then address Z has the boot code address, else wait and loop). Once the rails come up, it triggers the first CPU core to begin the boot.

      Likewise, the Intel ME firmware does the same - preparing the power supplies in order to boot the main CPU, handling sleep conditions (including setting boot code addresses on wakeup, etc).

      Disabling the firmware means you disable the chip's ability to boot itself - the ME processor is required in order to boot the processor, prepare it for sleep, wake it up, etc.

      The NSA may have disabled versions of it, but it's really using the firmware flag to disable it (which is how Purism "disables" it as well).

      Long gone are the days where you just applied power, a clock, and the CPU ran - modern CPUs are complex and with complex power needs (driven by their complex power schedules when coupled with frequency changing, turbo modes, etc).

      Hell, I remember when I used to do frequency and voltage scaling on old SoCs - there was a "leap of faith" moment where you issued the change instruction and hoped everything came out on the other side. But this case only required one main power rail (Core voltage) which you adjusted, waited for confirmation (raise voltage before ramping frequency up, lower voltage once frequency ramped down). When your CPU has multiple rails, hundreds of power pins, and 3-6 voltage regulators to control, the main system software is inadequate. You want a sub-processor that can halt the main CPU, tweak all the voltages and rails, then once stable, re-start the CPUs again, otherwise you're just risking a main system crash.

    35. Re:Upgrades? by EndlessNameless · · Score: 1

      Does this also mean they can "unlock" the soft-locked downgrades on the cheaper processor series to make them full strength?

      Long story short, no. The IME interacts with the machine's firmware and can be killed that way. The thermal and frequency limits are untouchable and look likely to remain that way.

      So if the management engine isn't actually necessary what actually does it provide?

      Legacy device emulation, out of band management, health status and alerting. It offers a lot of functionality; the only problem is that the code is so privileged that the OS cannot even detect it.

      Is this new one open source? or have we met the new boss, same as the old boss?

      They are simply disabling IME. There is no replacement; your machine doesn't need it to operate.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    36. Re:Upgrades? by Anonymous Coward · · Score: 0

      I bet your mommy thinks your naivete is cute.

    37. Re:Upgrades? by erapert · · Score: 1

      The ME is actually used for user functions as well. It manages the power states and allows proper remote managing for CPUs with that enabled

      How do you get a dog to take medicine? You put the pill in a doggy treat.

    38. Re: Upgrades? by Anonymous Coward · · Score: 0

      https://raptorcs.com/TALOSII/

    39. Re:Upgrades? by Anonymous Coward · · Score: 0

      >They can remotely access your computer, no matter what is installed on it, and even if it's turned off.

      That's why my PSU has a biometric reader.

    40. Re:Upgrades? by david_thornley · · Score: 1

      My experience with pills in doggy treats is that dogs are extremely good at eating very fast and leaving the pill sitting on the floor. It was amazing to see a dog that could eat a pile of chicken not much smaller than her head in 90 seconds being able to eat her way around any pill we mixed with food.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    41. Re:Upgrades? by Eunuchswear · · Score: 1

      It runs an entire OS with programs and stuff.

      It runs Minix.

      Yes, 2017 is the year of Minix on the Desktop.

      Tanenbaum wins -- more PCs will be running Minix than Linux soon. He was right -- microkernels are the wave of the future.

      Linus's last refuge will be Android.

      --
      Watch this Heartland Institute video
    42. Re:Upgrades? by zwarte+piet · · Score: 1

      Android is ditching the Linux kernel in the next version also.

  2. Fuck these Intel chips. Buy from AMD. by Anonymous Coward · · Score: 0

    Why buy a product and then do all this work to disable one of its 'evil' features? They aren't the only game in town.

  3. For the Win! by DaMattster · · Score: 3, Informative

    I am in need of a new laptop now that my poor Lenovo T420 has completely died. I think I will go and buy one of these. Intel's Management Engine is spyware and exploitware and the fact that you cannot disable it is really and truly evil. AMD is no better.

    1. Re:For the Win! by Anonymous Coward · · Score: 0

      You're worried about security and you own a Lenovo??!?!? Bwhahahahahahahaha, you're funny....

    2. Re:For the Win! by 93+Escort+Wagon · · Score: 1

      Another option is to buy a Mac, since Apple’s products do not have the IME enabled.

      ... assuming you can live without ports, anyway.

      --
      #DeleteChrome
    3. Re:For the Win! by Aighearach · · Score: 2

      I recently bought a T560 and it doesn't have the parts of the Intel ecosystem that were accused of being "spyware," which is not the IME itself but the AMT (Active ManagemenT).

      Just take a look at Intel's CPU lineup; only the more expensive chips have it. You can get the upgraded CPU in most Thinkpads, but take a careful look at the specs and prices; the CPU with the Intel Management Engine costs a lot more and is only very slightly faster; most of the increased price is for the IME! It makes sense to buy it if you're in a corporate environment that buys the management software from Intel, but for regular users just choose the regular CPU and be happy.

      The nonsense about being able to turn it on remotely requires it to actually have two parts installed, the IME and also the AMT module. The IME doesn't do anything without the AMT. People will present a bait-and-switch (and many of them are merely confused about the features, not even intentionally dishonest) where they talk about the IME being present in most Intel chipsets, but when they start talking about the dangers they're talking mostly about the AMT which is the part that can actually be used remotely and isn't even installed on most systems.

      Another part that people aren't understanding is that the AMT has to be turned on to be used. The remote stuff only works after it has been "activated" and also "provisioned." Provisioning is the step where it becomes able to listen to the network.

      The reality is that you can't trust any hardware. It all comes out of factories you aren't allowed to inspect, it all runs proprietary microcode underneath the "registers" and "CPU instructions" that are presented to the programmer in a way that mimics older chips where the programmer directly accessed real registers using actual CPU instructions. Now those instructions are just an API. You don't know how it really works; you don't have access and it isn't publicly documented. There is more source code at a lower level than ASM, and nobody has access. Even if you buy an open source CPU, it is manufactured in a facility controlled by others and is made up of proprietary logic gates and hidden microcode.

      If there was an alternative, the IME concerns would be more valid than they are. This is scary mostly to ignorant people who think they otherwise would know what the CPU is doing. If you understand the way this technology really works, then the dangers in IME are present in all integrated circuits, all the time! Possibly excepting "new old stock" of ancient microcontrollers.

    4. Re:For the Win! by Aighearach · · Score: 1

      Well, other than the fact that Apple also has proprietary security ICs on their boards!

      Even a micro using Harvard architecture usually has some proprietary security features for disabling/reenabling chip programming. Who knows what it really does? There is no end to it, you'll never be able to buy integrated circuits that somebody already manufactured and know for sure what is inside them, what the Secret Code(TM) Really Does(R)

    5. Re:For the Win! by Teun · · Score: 1

      Those that want security don't run Microsoft.
      Lenovo's C:\Windows\system32\autochk.exe is a Windows executable.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    6. Re:For the Win! by PhunkySchtuff · · Score: 1

      Hey! Less ports just means there's less vectors for something bad to get into your computer. Right? ^_^

    7. Re: For the Win! by Anonymous Coward · · Score: 0

      Check out System76. Great specs, strong builds, designed for Linux, and cheaper than Purism.

    8. Re:For the Win! by Anonymous Coward · · Score: 0

      Yes, but I hate the Apple Eco-System, and don't have an iPhone, so ....

      If Apple was just the slightest less 'walled garden', I'd be more inclined...
      * it would be hard for them to do that, and keep their market share I believe...

      FreeBSD is still going strong... that work on Laptops these days?

  4. Get non ime chips. by Anonymous Coward · · Score: 0

    This is silly. Just get non VPro chipsets and you won't have IME.

    1. Re: Get non ime chips. by Anonymous Coward · · Score: 0

      IME is present on all Intel chips, even the ones that are put on motherboards without vPro.

      The only two ways I have heard to disable it are the one discussed by Purism (never before available) and some hardware reprogramming stuff that only worked on certain mobos.

    2. Re: Get non ime chips. by Anonymous Coward · · Score: 0

      Using me_cleaner and taking credit for it was never before available because it is dishonest.

  5. Now leak it! by Anonymous Coward · · Score: 0

    It is now in Intel's interest to release or at least leak this fix, the repair is now in the wild from at least one vendor and the absolute best in security professionals can go back to using modern Intel hardware.
    But only if they do as the mythical invisible hand of the market demands and release the fix. Otherwise it again exposes how Intel abuses its monopolistic effects on the market keeping other players suppressed in the desktop/server CPU market.

  6. Re:Fuck these Intel chips. Buy from AMD. by Anonymous Coward · · Score: 1

    Um, AMD has similar features in theirs as well.

  7. Reposted subject by inicom · · Score: 1

    This was already reported and posted to slashdot four days ago.

    --
    -a.e.mossberg
    1. Re:Reposted subject by Anonymous Coward · · Score: 0

      This was already reported and posted to slashdot four days ago.

      Link? Searching for purism doesn't show a single story about laptops since 2015.

  8. Wasn't someone working on firmware mods? by Anonymous Coward · · Score: 0

    Wasn't someone working on a firmware scrubber that disabled all of this at the base level? There was a github link but I've lost it.

    1. Re:Wasn't someone working on firmware mods? by Anonymous Coward · · Score: 0
    2. Re:Wasn't someone working on firmware mods? by sexconker · · Score: 1

      Firmware can't fix it. It's a hardware backdoor. You may be able to neuter some of Intel's firmware for ME, but you don't know how the hardware works so you can never truly verify that it's not still fucking you in the ass.

  9. Mitigation by DaMattster · · Score: 1

    It seems to me that you could mitigate the exploit severity of the Intel Management Engine by simply using full disk encryption with the decryption key on a USB thumb drive. When you are not using your computer, shut it down and remove the USB thumb drive. Even if someone manages to remotely access your computer via the Management Engine, the most they might be able to do is wake it up. There will be no useful data that could be gleaned from it, and in some cases, the PC won't even boot. HAHA! NSA suckers.

    1. Re:Mitigation by fph+il+quozientatore · · Score: 2

      The ME has full access to RAM, at all time. What tells you they haven't saved your encryption key the last time you used it?

      --
      My first program:

      Hell Segmentation fault

    2. Re:Mitigation by Aighearach · · Score: 1

      No, the AMT has full access to RAM, and only after it has been turned on in the BIOS and also provisioned, with the caveat that if you have Windoze installed with the Intel drivers then it can do the provisioning from the OS.

      The IME is just the part that the AMT interfaces with when installed. It is like a BIOS for add-on ICs, and the AMT is the add-on IC that provides the enterprise remote management features. There are other add-ons for IME that might also have network interfaces, for example there is one that can be used to disable the machine in case of theft.

      What tells you that your RAM chip didn't itself save your encryption keys and send them somewhere? You can't know that! You can't really know much of anything about what is really happening inside a complex device like a computer that is actually running and doing stuff. Who knows what sort of VW-style hidden code is in there that makes the device look like it operates a certain way, when really it can operate in a variety of ways.

      If your activities require that level of trust, you can't write them down, or use electronics to work on them. Sorry. It is probably safest not to even think anything that requires that level of trust, because trust is an illusion. Find a methodology that relies less on trust, and activities involving technology might still be possible. ;)

  10. Excellent by gweihir · · Score: 5, Insightful

    It is time to regard the ME (and the AMD equivalent) as what they are: Hardware back-doors. I would like to see more research into breaking into them, disabling them and eventually also reprogramming them. Until the CPU manufacturers hand out full documentation and a reliable way to disable, they must be regarded as malicious attackers in any scenario where security matters.

    In the end, this is a good thing however. With a bit of luck, nobody will get away with hidden undocumented hardware in the not so distant future.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Excellent by Anonymous Coward · · Score: 1

      Funny is they all started a campaign against Kaspersky when a worse backdoor already exists.

    2. Re:Excellent by Anonymous Coward · · Score: 0

      As requested, here's some more research for you on disabling them and reprogramming. As well as de'blob'ing ME it points out the similarities to the E in UEFI and what we can do about it.

      https://schd.ws/hosted_files/o...

    3. Re:Excellent by Anonymous Coward · · Score: 0

      A convenient diversion to be sure.

    4. Re:Excellent by gweihir · · Score: 1

      Indeed. I hope they survive. They have done some really impressive research and shared it.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:Excellent by gweihir · · Score: 1

      I am aware of this. It is a good start. Now make it work with all ME implementations and the AMD equivalent.

      And I really would like that kernel as sort-of BIOS replacement. In all my PCs the Linux kernel does a much better job of finding and initializing the hardware than the BIOS does...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:Excellent by Opportunist · · Score: 1

      A smoke bomb and flash powder explosion is useful. Because you are supposed to look somewhere else while the magic is being worked. Have you never been to Vegas?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:Excellent by Anonymous Coward · · Score: 0

      I'd rather see research poured into exploiting the ME.

      Once you start ransomwaring from the ME, it's game over for all such backdoors. This would prove once-and-for-all that a "government key" is just a key under the mat for any schmoe to use against you.

    8. Re:Excellent by 93+Escort+Wagon · · Score: 1

      Just because you’re paranoid, it doesn’t mean they aren’t out to get you.

      --
      #DeleteChrome
    9. Re:Excellent by Anonymous Coward · · Score: 0

      There are great guys from Ukraine. Here is their site ssdevelopment.com.ua
      A lot of smart programs are written and services in their country are inexpensive. Now they have written a new management system for enterprises for their country, you can read cserp.com.ua

    10. Re:Excellent by Aighearach · · Score: 1

      Given that the intended function is remote management, calling it a "backdoor" is inherently dishonest. These are clearly side doors.

    11. Re:Excellent by Teun · · Score: 1

      Until then A Beowulf cluster of old Pentium 5's is the secure alternative.
      Don't forget the back-up generator...

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    12. Re:Excellent by nyet · · Score: 1

      So why not provide a way to turn it off for those of us who don't want it?

    13. Re:Excellent by nyet · · Score: 1

      If a firewall manufacturer didn't let you block arbitrary ports, would you be ok with it?

    14. Re:Excellent by Anonymous Coward · · Score: 0

      Tinfoil hats: An old term used about people who used to believe that the US government was spying on people. Some of them even believed in a fictional agency (often called "No Such Agency" or NSA).

      They were easily recognized at the time of the Snowden leaks because they shouted in unison: "Oh my god, it's much worse than I thought".

      Nowadays, the term is an easy way to recognize people who never heard of Edward Snowden.

    15. Re:Excellent by thegarbz · · Score: 0

      If a firewall manufacturer didn't let you block arbitrary ports, would you be ok with it?

      Depends on the manufacturer. There isn't a single computer user anywhere in the world that hasn't placed some kind of "trust" in others when it comes to operating their incredibly complex machines. In this I include the likes of RMS who I will tell you right now has put a lot of faith in the trust that others made software and hardware he uses that isn't nefarious.

      The only thing that is variable is the amount of trust, and that is typically based on past performance and trustworthy actions. Hurrah Purism increased their trustworthiness factor by using coreboot to disable something in the CPU which (personally) I didn't consider untrustworthy. But you know what, given my skill level at auditing them, I'm just going to have to take their word for it that they did what they did and haven't dropped another bomb in there somewhere.

      Just like how I take Mozilla's word that the browser I'm currently using matches the code they put on their site, and how much faith (not trust, but faith) I put into the general process that is Open Source's "many eyes" principle.

      To get back to your question:
      Yes I'm okay with it. I have no trust in my firewall. The black boxes that connect our networks together rank among the lowest of the equipment I trust. It's marginally above the Chinese IoT garbage. What I do trust is that port scanning from outside shows that ports appear to be blocked and that defence in depth means that if you have access to my network you have additional hurdles to get by.

      And speaking of hurdles, the amount needed to actually get in is one of the reasons I don't really give a shit if IME is actually a backdoor even if I didn't trust Intel in its designed purpose and even if I didn't in the past actually specifically part with extra money to buy server motherboards that actually include the features in question.

  11. Re:Fuck these Intel chips. Buy from AMD. by arcctgx · · Score: 0

    AMD has similar features in theirs as well.

    Do you have any evidence of this? I'd like to learn more about that.
    A link or two would be nice.

  12. We need software freedom. Always. by jbn-o · · Score: 5, Informative

    We already knew from their announcement that they were backdoors, and the Intel ME security problems confirmed this. In addition to documentation on how to use and disable the system, we also need software freedom—controlling our own computers requires the freedom to run, inspect, share, and modify the software, and exclusive control over any encryption keys used so we can decide who else gets to control the hardware with us. Until we have software freedom these devices are not good at all, they are a clear threat to our ability to exclusively control our own computers.

    This is also why computers with other architectures are so interesting and important. As far as we know POWER, PPC, and other architectures either don't have backdoors built into the hardware or the comparable hardware comes with user-revocable keys and respect for our software freedom. This is a good time to get away from Intel/AMD systems. They're not trustworthy.

    1. Re:We need software freedom. Always. by gweihir · · Score: 1

      I don't think it is any better on ARM, which is the main alternative. And doing a CPU in an FPGA costs just too much performance-wise. But we will see how things develop. I am not at all above limiting my PC to running games and doing all other stuff on a different machine. In fact, with Win10 being only avoidable for so long, I am in the process of moving all my browsing, email, etc. to a Linux system and that one could be moved to a different architecture pretty easily.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:We need software freedom. Always. by Anonymous Coward · · Score: 0

      You keep talking about these things that "we need."

      Our need for them bears no relevance on whether or not we will have them.

      Intel and AMD are a cartel. Cartels further their own needs, to the detriment of the needs of their customers, with a great deal of impunity. They have an amazing library of perfectly legal dirty tricks they can use to squash any company that would try to rise up as a competitor, and have a lobbying budget capable of building ski resorts in a desert.

      We have *no means* of stopping this.

      However, there are several first-class citizens who DO have a means of stopping this. The only issue is the degree to which they are harmed by it. If that degree is high enough, they will put a stop to it. If not, they, *and all the rest of us* will continue to put up with it.

      Them's the rules.

    3. Re:We need software freedom. Always. by Anonymous Coward · · Score: 0

      And using an FPGA is a laughable way to try to get away from proprietary black-box binary firmware blobs...

    4. Re:We need software freedom. Always. by Anonymous Coward · · Score: 0

      Since I live under a rock, what's wrong with ARM?

      I was about to use Beagleboards (think this is ARM Cortex) and Raspberry Pi (not ARM) for some general computing stuff after I got playing around with some robotics stuff. Bad idea to load and use Debian on these for general computing? Some black box in these too?

    5. Re:We need software freedom. Always. by gweihir · · Score: 1

      It would be much easier to hide such a thing in ARM, as ARM usually uses sub-cores for some I/O tasks already.
      In the end, you have to trust the manufacturer on what they say anyways, unless you put a core you verified yourself on an FPGA.

      Of course, there is a huge risk in hiding such a backdoor in hardware. If anybody manages to find a remote exploit and publishes the backdoor access info, this could kill a CPU manufacturer economically.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:We need software freedom. Always. by gweihir · · Score: 1

      I had a look at POWER and it seems you basically have to spend 3k+ to get a system at the moment. Do you know a possibility to get CPU+Mainboard+Cooler for, say, 1k or so? Speed would be secondary.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re: We need software freedom. Always. by Anonymous Coward · · Score: 0

      Anything with POWER9 will be at least $3k-ish. You could look for used POWER8 systems at auction if you are ok with something a generation behind.

  13. AMD and Intel CPUs have NSA backdoors by Anonymous Coward · · Score: 0

    Forget the semi-documented Intel hardware features. For some time now AMD and Intel CPUs have implemented simpler full blown computers within each CPU- computers with their own flash memory ROM that can be updated. There is a very low speed robust wireless protocol that can talk to these computers, even when the main CPU is on stand-by power, and the boxed computer apparently has no wireless capability.

    For low speed radio, tiny inbuilt aerials within the chip suffice. So the PC is accessible across a fairly sizeable air-gap, certainly from an agent outside the building where the PC is housed. And this backdoor computer within a CPU can, of course, be programmed to trojan the main computer to some degree when it is operating normally.

    You could 'Faraday' your PC and never connect to a network- but then it wouldn't be very useful. The sad truth is that as tech advanced, the spying and subverting of the NSA and GCHQ would become unstoppable.

    Of course, most people only care when NSA backdoors hit the wild and are used by 'criminals'. It would be a disaster if this happened with regard to the inbuilt NSA hardware in the CPU itself.

    These 'outer ring' computers Intel builds now the CPU transistor count is insane are really attempts at 'security' that fall flat on their face in no time- and then end up as vectors of attack. They aren't the NSA computer systems in the CPU. The problem Intel has is that it is crap at software, and security is a software issue. So when the latest 'genius' in Intel invents a 'better' way to secure the computer- it misunderstands how software hackers operate- so becomes another useless level of hardware slowing everything down and adding to user complexity.

    1. Re:AMD and Intel CPUs have NSA backdoors by nikhilhs · · Score: 1

      [citation needed]

    2. Re:AMD and Intel CPUs have NSA backdoors by AHuxley · · Score: 1

      NSA ANT catalog https://en.wikipedia.org/wiki/... has some of the ideas that get used at the end of 2013....
      From modified USB, RJ45 socket, ethernet connectors to a radar device, backdoor software implants. A PCI bus device, SIM card. IRATE MONK for the firmware of hard drives. Backdoor software implants for motherboard BIOS and RAID controllers...

      --
      Domestic spying is now "Benign Information Gathering"
  14. Does this imply another backdoor? by joe_frisch · · Score: 1

    I wonder if this fix is now available because there is some other backdoor available to government agencies. Besides, how will a typical consumer know that this has actually been disabled?

    There is no root source of trust, so security is impossible for anyone who is not themselves an expert.

  15. Re:Fuck these Intel chips. Buy from AMD. by markdavis · · Score: 4, Informative

    >>AMD has similar features in theirs as well.

    >Do you have any evidence of this? I'd like to learn more about that
    A link or two would be nice.

    Platform Security Processor (PSP); it is exactly the same as Intel's backdoor- hardware based, secret, non-controllable.

    https://hothardware.com/news/a...

    https://www.techpowerup.com/23...

    https://libreboot.org/amd-libr...

    https://en.wikipedia.org/wiki/...

  16. Or sell laptops without them? by TheOuterLinux · · Score: 1

    Why not just sell laptops without the chips in the first place? -- https://vid.me/theouterlinux --

    1. Re:Or sell laptops without them? by Anonymous Coward · · Score: 0

      Because the chips in question are the CPU. The current discussion is about Intel CPUs, but AMD CPUs have a similar backdoor, as does ARM.

      (Technically, it may be partly located in an external chip, but the CPU won't boot before that chip does the secret handshake).

  17. Re:Fuck these Intel chips. Buy from AMD. by Anonymous Coward · · Score: 0

    AMD TrustZone. They have secondary ARM processors onboard.

  18. Re:Fuck these Intel chips. Buy from AMD. by Anonymous Coward · · Score: 0

    Search "AMD psp" using your favourite web search engine.

  19. How long is it going to work? by Opportunist · · Score: 1

    I somehow expect that for some reasons, most likely copyright or some similar bullshit, Windows will curiously stop working soon if that spying engine is not running.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:How long is it going to work? by Anonymous Coward · · Score: 0

      Spot on. These machines with Intel CPUs but without IME can be detected and will be bricked by M$ Windows in just a single "Patch Tuesday".

    2. Re:How long is it going to work? by Anonymous Coward · · Score: 0

      Purism laptops don't come infected with Windows.

    3. Re: How long is it going to work? by Anonymous Coward · · Score: 0

      They seem to instead ship with an unlocked bootloader so that any program can flash any BIOS at any time.

  20. Re:Fuck these Intel chips. Buy from AMD. by arcctgx · · Score: 1

    Thank you.

  21. Obligatory:Intel CPU Backdoor Report (May 5 2017) by Anonymous Coward · · Score: 5, Informative

    All Intel did was add another hidden switch only they know how to switch on, like a unique wifi signal or magic packet on the onboard nic.

    The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

    What we know about Intel CPU backdoors so far:

    TL;DR version

    Your Intel CPU and Chipset is running a backdoor as we speak.

    The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

    30C3 Intel ME live hack:
    @21m43s, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
    [Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
    [Quotes] Talk:
    "DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel."

    "the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."

    "We have recently improved DAGGER's capabilities to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."

    "To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."

    "We can permanently monitor the keyboard buffer on both operating system targets."

    Backdoor removal:
    The backdoor firmware can be removed by following this guide [github.io] using the me_cleaner [github.com] script.
    Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

    Decoding Intel backdoors:
    The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

    If you are skilled in these areas, download Intel ME firmwares from this collection [win-raid.com] and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

    Useful links:
    The Intel ME subsystem can take over your machine, can't be audited
    REcon 2014 - Intel Management Engine Secrets
    Untrusting the CPU (33c3)
    Towards (reasonably) trustworthy x86 laptops
    30C3 To Protect And Infect - The militarization of the Internet
    30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software

    1. Introduction, what is Intel ME

    Short version, from Intel staff:

    Re: What Intel CPUs lack Intel ME secondary processor?
    Amy_Intel Feb 8, 2016 9:27 AM

    The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked with the engineering department and they confirmed it.

    Long version:

  22. Re:Fuck these Intel chips. Buy from AMD. by Anonymous Coward · · Score: 0

    https://hackaday.com/2016/11/28/neutralizing-intels-management-engine/

    According to that URL neutralizing IME is only for hardware hackers, and very risky.

  23. I Have a Question by mschwanke97402 · · Score: 1

    I looked this up a couple of weeks ago. The Intel "K" type enthusiast processors do not have the vPro / ME stuff. Am I wrong here?

    1. Re:I Have a Question by Anonymous Coward · · Score: 0

      It is there, just not enabled. I have a 4790K that I've removed the ME from.

    2. Re: I Have a Question by Anonymous Coward · · Score: 0

      I have an i5 7600K that I had to flash a modded BIOS to remove the ME stuff.

    3. Re:I Have a Question by thejynxed · · Score: 1

      It depends on if it is vPro enabled or not. If the CPU has the vPro labeling on the package then it has it. Why? Because SOME of those K series processors are actually down-binned Xeons and they pretty much all have it. Just have to examine the packaging before purchase or if buying online be willing to ask questions to the retailer.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  24. Couldn't we just use AMD's CPUs? by nikhilhs · · Score: 1

    I know it hasn't been an option recently, but the new AMD CPUs, including mobile, look pretty good. Wouldn't it be easier to just switch to them? Or do they have their own equivalent of IME?

    1. Re:Couldn't we just use AMD's CPUs? by Anonymous Coward · · Score: 0

      No, they have AMT and it has yet to be cracked or removed.

    2. Re:Couldn't we just use AMD's CPUs? by thejynxed · · Score: 1

      They have their own version called PSP, that uses TrustBoot. Their hidden co-processor is an ARM CPU. I am not current on if it can be accessed outside of the LAN or not, but late winter of 2016 it couldn't be as far as regular "legit" use was concerned.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  25. Even when powered off? by DontBeAMoran · · Score: 1

    Purism describes Management Engine as "a separate CPU that can run and control a computer even when powered off."

    So the ME has a built-in battery? When I power off my PC, I really power it off. Yes, once the computer part is off I also switch off the power supply.

    --
    #DeleteFacebook
    1. Re:Even when powered off? by fisted · · Score: 0

      So you can only be owned while your computer is on, congratulations.
      Not that it changes much -- while the computer is "off" (aka S5), the RAM isn't refreshed and the non-SB power rails are down, so pretty much all the ME can do at that point is pinging home, mining BTC or turning on the machine.

    2. Re:Even when powered off? by AHuxley · · Score: 1
      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:Even when powered off? by Anonymous Coward · · Score: 0

      Someone please update Wikipedia to explain (in a way that even AHusley will understand) that Wake on Lan won't work when the computer is literally switched off, and not just in some "soft off" state.

  26. Re:Obligatory:Intel CPU Backdoor Report (May 5 201 by Anonymous Coward · · Score: 0

    Some people may regard these posts as spam, crap-flooding, or shit-posting.

    I think they are an essential service.

    Thank you for fighting the good fight and spreading the information.

  27. Disturbing fact: Purism is a fraud by Anonymous Coward · · Score: 0

    Purism advertises this as if it somehow matters. If you actually ask Todd about it he'll say now it's 98% free when the reality is THEY STILL SHIP PROPRIETARY BS and any of it could still have a backdoor. The whole point of Purism was a 100% free system and they've repeatedly done things to contradict the claims. They claimed to be the first with a 100% free system when they didn't even have a partially free system and other companies like ThinkPenguin already had an equally acceptable solution and were working on an actual 100% free system.

    This guy is a leech that misrepresents what he is able to do and then claims credit for OTHER people's work. Purism isn't the only company that's going to be shipping with the Intel Management Firmware disabled and there has already been for a long time a number of companies shipping systems without proprietary BIOS firmware and the Intel Management Engine.

    Minifree for instance has been for years actually contributing something to moving the bar forward. Coreboot isn't 100% free. LibreBoot is. If you want a backdoor free system Purism can't deliver that. They can only deliver a system where the management engine firmware is disabled. Mini Free's libreboot'd systems aren't perfect, but they are a heck of a lot better than Purism.

    ThinkPenguin's been working on a solution to all of this for several years that has actually got working prototypes and is about to ship the first generation systems that are 100% free- both in that the sources are available and in that there is no backdoor or intel management engine firmware.

    EOMA68 is a standard upon which anybody can design and manufacture a 100% free device or system.

    Minifree actually put energy into freeing coreboot and bringing the world freer laptops. Purism has done NOTHING of value and taken credit for others' work. They have done little more than take advantage of the work others were doing.

  28. Sigh. by ledow · · Score: 1

    "Preorder from $1,199"

    For a Core M, Intel HD Graphics, 8GB, 11.6" laptop.

    That's some pricey freedom.

    They don't even have a model with an Ethernet port (which makes me question what disabling the ME actually does anyway, because isn't the ME for things like OOB access?).

    Sorry, but - as always - I have to live in the real world rather than some scene out of Hackers. And if I really valued my freedom and genuinely thought things like this were the threat, I wouldn't be using any of these machines, no matter the cost.

    1. Re:Sigh. by Anonymous Coward · · Score: 0

      If it's got USB3.0, then use adapter for GbE.

    2. Re:Sigh. by ledow · · Score: 1

      Ah, the Apple method:

      "That device you paid a bundle for? Yeah, just buy a ton of extra cables, adaptors and dongles from other people and carry them wherever you go."

      No thanks.

    3. Re:Sigh. by gamorck · · Score: 3, Interesting

      "Preorder from $1,199"

      For a Core M, Intel HD Graphics, 8GB, 11.6" laptop.

      That's some pricey freedom.

      They don't even have a model with an Ethernet port (which makes me question what disabling the ME actually does anyway, because isn't the ME for things like OOB access?).

      Sorry, but - as always - I have to live in the real world rather than some scene out of Hackers. And if I really valued my freedom and genuinely thought things like this were the threat, I wouldn't be using any of these machines, no matter the cost.

      They don't include an ethernet port on the machines because there is no compatible hardware they can install on their devices which can be operated within Linux without requiring use of a firmware blob. As a Purism Librem 15v3 owner, I'm not quite as hardcore as Purism themselves are, so I am willing to use firmware blobs for specific devices. So instead of PureOS I run Arch. I have also replaced the 100% libre Atheros wifi hardware with an Intel module because the Atheros module had less than great performance (plus doesn't support 802.11ac). As for ethernet, I have a USB3/Ethernet dongle that I use for that purpose. Having said all that, I have used Purism's update to completely disable Intel ME on my laptop and everything is working without a hitch. I don't trust Intel ME. I'm willing to trust tiny firmware blobs for specific devices in specific cases. I'm not willing to trust an entirely separate and unauditable system that operates independently and secretly. No sir. IME is a cancer (and PSP by extension) on modern day computing.

      To those that claim that you can disable and remove Intel ME on other laptops, so this really isn't a big deal or particularly notable: you are telling half truths. For older hardware that is certainly true. For Skylake level hardware there are no other devices that have had or currently can have the Intel ME removed/neutralized/disabled. me_cleaner doesn't support Skylake level systems yet. In fact the Purism update process makes use of a forked version of the me_cleaner which contains changes Purism has made to accommodate their Skylake hardware. They plan on switching back to me_cleaner once all of their patches are accepted in the upstream project.

      But hey, don't take my word for it. Cruise the blogs and forums on Purism's website if you want to learn more. Don't take my word for it. Don't take anybody's word for it. Especially not Intel's, much less AMD's.

      --
      I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
    4. Re:Sigh. by ledow · · Score: 1

      Ethernet adaptors are one of the most-highly-open-sourced categories of device in the world. Drivers for Linux - almost always entirely-source unless they are serious TCP offloading things aimed at HPC - exist for network cards before ANYTHING else.

      Sure, maybe the onboard Ethernet is tied into the firmware, so put in a daughterboard and a cheap chip (there are literally Ethernet daughterboards available, retail, for less than $15 - let alone, in bulk, part of the design, modules etc.). A compatible Gigabit Ethernet chip with interfaces (even if you tied it into the USB bus) is literally in the pence range.

      But if you're into making tradeoffs like "the board can't have Ethernet" but still bundling everything from USB to disabled-ME processors, Intel HD graphics, HDMI etc. and - most especially - Wifi, then really your compromises are in the wrong place.

      I don't buy that argument at all. And for the price, I'd expect a secure method of communication rather than Wifi, on a supposedly "secure" laptop.

  29. Re:Fuck these Intel chips. Buy from AMD. by tepples · · Score: 1

    If there's a PSP inside a PlayStation 4's AMD Jaguar CPU, then why can't it play PSP games?

  30. Libreboot by Anonymous Coward · · Score: 0

    This is nothing new. Libreboot has been able to disable Intel ME for years on a variety of laptops.

  31. Who is their real customer? by Jzanu · · Score: 0

    Paranoia doesn't provide a solid revenue stream, the real target users must have a reason for paying for obscure features with no performance impact. That leaves two groups: spies and criminals. Spies have better systems provided by their governments. That leaves one group: criminals. There is some chance enabling fraud etc. conducted with computers could be a reason to seek this new "feature" but there are easier ways to obscure financial transactions. That sets aside one type of criminal customer whose activities rely on computer multimedia capabilities - pedophiles, as in the ones abusing and exploiting kids. Don't buy from this company, don't enable criminals. If you claim paranoia as motivation you just need to grow up. There are more effective ways to get information, and most involve simply arresting and beating you until you confess.

    1. Re:Who is their real customer? by swilver · · Score: 2

      There is also the group that doesn't want to be treated like criminals.

      No need to be paranoid to watch over your privacy. Frankly, it is nothing short of amazing how much stuff already happens behind your back and is innocently sending data back home... any application that can send data, can set up a reverse tunnel to do whatever it likes.

      Therefore I went back to the way internet was accessed before the turn of century: you access it by proxy (socks5 or otherwise), and if you do not know the proxy, then no internet for you. The amount of stuff that gets blocked this way is amazing, and what's more amazing, there is no complaining... just sneakily use the internet, but if it is not there, let's not alert the user about it.

  32. Intel created a backdoor in the ME .. by najajomo · · Score: 1

    @Anonymous Cowards: "Intel created a backdoor in the ME web console by using strncmp() to compare password, anyone sending an empty string as password (length 0) can get into the system, with no access log on both Intel ME and the OS: The hijacking flaw that lurked in Intel chips is worse than anyone thought [arstechnica.com] The bug was in the code to compare the two passwords"

    I suspect the 'flaw' was intentional as the NSA ordered Intel to implement a kill switch into the design and the 'flaw' allowed the NSA access any IME enabled computer on the planet. The same mechanism that Purism is using to disable the IME.
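The comparison bug described in the quoted text, shown beside a hardened form. This is an added illustration, not Intel's code or code from the linked article; the function names and the `EXPECTED` value are hypothetical, and it assumes the comparison length is taken from the caller-supplied value.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the value the server expects (not a real credential). */
static const char EXPECTED[] = "0123456789abcdef0123456789abcdef";

/* Flawed: the number of bytes compared is the length of what the caller sent.
 * With a length of 0, strncmp() compares nothing and returns 0, i.e. "equal". */
int check_flawed(const char *expected, const char *supplied, size_t supplied_len)
{
    return strncmp(expected, supplied, supplied_len) == 0;
}

/* Hardened: lengths must agree before any byte is compared, an empty expected
 * value never matches, and every byte is visited so the run time does not
 * depend on where the first mismatch is. */
int check_hardened(const char *expected, size_t expected_len,
                   const char *supplied, size_t supplied_len)
{
    unsigned char diff = 0;
    size_t i;

    if (expected_len == 0 || supplied_len != expected_len)
        return 0;
    for (i = 0; i < expected_len; i++)
        diff |= (unsigned char)expected[i] ^ (unsigned char)supplied[i];
    return diff == 0;
}

int main(void)
{
    size_t n = strlen(EXPECTED);

    printf("flawed,   empty input: %d\n", check_flawed(EXPECTED, "", 0));
    printf("flawed,   1-byte prefix: %d\n", check_flawed(EXPECTED, "0", 1));
    printf("hardened, empty input: %d\n", check_hardened(EXPECTED, n, "", 0));
    printf("hardened, full match: %d\n", check_hardened(EXPECTED, n, EXPECTED, n));
    return 0;
}
```

The flawed form also accepts any correct prefix, not only the empty string, which is why the fix checks the length first rather than special-casing zero.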

  33. A sheep goes by Anonymous Coward · · Score: 0

    It is time to regard the ME (and the AMD equivalent) as what they are: Hardware back-doors.

    It's time to regard Slashdot posters for what they are: Tin-foil hat wearing nutjobs who think everything is a backdoor.

    A sheep goes? Go ahead, say it...

  34. Packet filtering? by nyet · · Score: 2

    Why not just filter all IME frames at the ethernet switch level?

    1. Re:Packet filtering? by Anonymous Coward · · Score: 0

      Do you never connect your computers to anybody else's network?

      And do you have some way of knowing that your network blocks every packet that might conceivably originate from, or be able to influence, the ME?

      (If you're on Slashdot I suppose it's possible. I can think of ways it might be done, like mandatory IPsec. But that's not how normal people, even normal geeks, operate their networks.)

    2. Re:Packet filtering? by nyet · · Score: 1

      I realize it is of limited use - but I'd love to know if IME packets can be easily identified.

  35. Re: Obligatory:Intel CPU Backdoor Report (May 5 20 by Anonymous Coward · · Score: 0

    Gives new meaning to the phrase (TM, I assume) "Intel Inside."

  36. It's not a San Francisco company by Anonymous Coward · · Score: 0

    Dumbass. It's registered outside San Francisco, so you are a fool.

  37. Jumper setting on Motherboard by eric31415927 · · Score: 1

    My latest build was on an ASUS B250 MB, which contains a jumper setting to shut down ME. Note that the default setting is to allow ME. Always read your manual!
    Now a good follow up question: Does the jumper setting really work or does it just make me believe I turned ME off?

    1. Re:Jumper setting on Motherboard by Anonymous Coward · · Score: 0

      I would guess it works. At the very least, it probably nerfs ME hard enough to be useless to its masters.

      Asus is a damned good electrical engineering company with global manufacturing and sales. You know as well as I do that the US is only a fraction of their customer base. Other countries' governments aren't going to buy their hardware if the US government retains backdoors, especially publicly exposed ones. And they're not going to build multiple different versions of something as low-volume as an enthusiast motherboard for US and non-US buyers. They might be bothered (but apparently not) to print a US-specific manual that doesn't tell you what those jumpers are for.

      So I'd guess those jumpers do their job just fine.

  38. Oh reeeeeeeeeeally... by JustAnotherOldGuy · · Score: 2

    "Purism Now Offers Laptops with Intel's 'Management Engine' Disabled"

    Or is that just what they want you to believe, hmmm? (cue the paranoia music...)

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Oh reeeeeeeeeeally... by Anonymous Coward · · Score: 0

      Disabled is like standby, it just needs the right signal and it boots back up to 100%.

  39. "Optimized for Threadripper". Fuck you Intel. by Anonymous Coward · · Score: 0

    Want to play? Then nobody buys your garbage. You can sink like the NFL. Then once consumers stop paying for your poison tech, everyone will see where you really get your crooked money from and who really owns your Board of Directors.

  40. Introducing: Paper! by Anonymous Coward · · Score: 0

    Introducing the newest completely secure innovation in FOSS:

    P.A.P.E.R

    Worried that everything, everywhere, at all times is a back door designed to attack you personally, but do not have thousands of dollars to spend on marketing fluff? Fear no more; you can now communicate securely using PAPER.

    PAPER is 100% free of all proprietary code, and 100% free of back doors. Err, except for carbon paper, which is kind of like a back door.

    PAPER is also interoperable. Anywhere you go in the world, PAPER just works, every time. Secure, reliable, convenient communication for 2017. Join the PAPER revolution.

    Pen not included.

  41. Anyone here with experience of their OS? by Build6 · · Score: 1

    Can anyone provide (or link to) comprehensive reviews/analysis of Purism's "PureOS" (as I understand it a debian variant)?

    Just the hardware alone isn't enough, we need to look at the software/OS as well if we're gonna talk about something being "secure"

    1. Re:Anyone here with experience of their OS? by Anonymous Coward · · Score: 0

      Can anyone provide (or link to) comprehensive reviews/analysis of Purism's "PureOS" (as I understand it a debian variant)?

      Just the hardware alone isn't enough, we need to look at the software/OS as well if we're gonna talk about something being "secure"

      No, nobody is going to indulge your pointless idiocy.

    2. Re: Anyone here with experience of their OS? by Anonymous Coward · · Score: 0

      There is no comprehensive review because hardly anybody uses PureOS, which is part of the problem. Distros with very small user pools cannot be considered sufficiently secure. A handful of people cannot effectively manage the security of an entire OS.

  42. For all others: Ez way to block Intel AMT/ME by Anonymous Coward · · Score: 0

    See subject: Stop its ability to send info. outward via router port filtering ala ports 16992-16995 that Intel AMT/ME uses so filter those ports in a modem/router external to OS/PC. Intel ME/AMT operates from your mobo but has NO CONTROL OF YOUR MODEM/ROUTER!

    (This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)

    Additionally, once you disable the AMT engine's software interface (ez via software these articles note)? A malware to 'repatch' this = impossible (bios updaters require it in usermode ware, e.g. ASUS).

    (I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))

    HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" as well (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/

    * GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones do not)!

    APK

    P.S.=> Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, from OUTSIDE of the INTEL chipset external to it via a router/firewall hardware... apk
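A log check for the port range named in the comment above, which also bears on the earlier "Packet filtering?" question of whether such traffic can be identified. This is an added example, not code from any poster or vendor; the `KEY=VALUE` log layout and the sample lines are constructed, and it matches on port numbers only, which is all the page gives.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AMT_PORT_FIRST 16992L   /* range quoted in the comment above */
#define AMT_PORT_LAST  16995L

/* Constructed sample lines (assumed KEY=VALUE layout, documentation addresses). */
static const char *const SAMPLE_LOG[] = {
    "IN=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=51544 DPT=443",
    "IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40022 DPT=16992",
    "IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=16993 DPT=40022",
    "IN=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=ICMP TYPE=8",
    "IN=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=50000 DPT=169920",
};

/* Value of a whole-token KEY=NNN field, or -1 if absent or not a valid port. */
static long field_port(const char *line, const char *key)
{
    size_t klen = strlen(key);
    const char *p = line;

    while ((p = strstr(p, key)) != NULL) {
        if ((p == line || p[-1] == ' ') && isdigit((unsigned char)p[klen])) {
            char *end;
            long v = strtol(p + klen, &end, 10);
            if ((*end == ' ' || *end == '\0') && v <= 65535)
                return v;
            return -1;   /* trailing junk or out of range: treat as malformed */
        }
        p += klen;
    }
    return -1;
}

/* 1 if the source or destination port of a logged packet is in the range. */
int line_hits_amt_port(const char *line)
{
    long spt = field_port(line, "SPT="), dpt = field_port(line, "DPT=");
    return (spt >= AMT_PORT_FIRST && spt <= AMT_PORT_LAST) ||
           (dpt >= AMT_PORT_FIRST && dpt <= AMT_PORT_LAST);
}

size_t count_amt_hits(const char *const *lines, size_t n)
{
    size_t i, hits = 0;
    for (i = 0; i < n; i++)
        hits += (size_t)line_hits_amt_port(lines[i]);
    return hits;
}

int main(void)
{
    size_t n = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];
    printf("%zu of %zu lines flagged\n", count_amt_hits(SAMPLE_LOG, n), n);
    return 0;
}
```

Both directions are checked because a reply from a listener on one of these ports carries it as the source port; lines without port fields or with an out-of-range value are skipped rather than flagged.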

  43. Intel ME works well with Windows 10 by Anonymous Coward · · Score: 0

    Windows 10 now has Intel ME plug-ins for ultimate data theft!

  44. Re:Fuck these Intel chips. Buy from AMD. by Anonymous Coward · · Score: 0

    It's actually ARM TrustZone which AMD utilizes.

    I looked at an earlier version of this in detail on an ARM SoC. It consisted of a monitor mode that allowed you to run your most trusted SW between transitions of secure to/from non-secure modes. What was considered secure and non-secure were up to you. There was also what amounted to an extra address bit that gated access to peripherals. For example, if in non-secure mode, you could prevent processor access to a specific UART.