MINIX: Intel's Hidden In-chip Operating System

Steven J. Vaughan-Nichols, writing for ZDNet: Matthew Garrett, the well-known Linux and security developer who works for Google, explained recently that, "Intel chipsets for some years have included a Management Engine [ME], a small microprocessor that runs independently of the main CPU and operating system. Various pieces of software run on the ME, ranging from code to handle media DRM to an implementation of a TPM. AMT [Active Management Technology] is another piece of software running on the ME." [...] At a presentation at Embedded Linux Conference Europe, Ronald Minnich, a Google software engineer reported that systems using Intel chips that have AMT, are running MINIX. So, what's it doing in Intel chips? A lot. These processors are running a closed-source variation of the open-source MINIX 3. We don't know exactly what version or how it's been modified since we don't have the source code. In addition, thanks to Minnich and his fellow researchers' work, MINIX is running on three separate x86 cores on modern chips. There, it's running: TCP/IP networking stacks (4 and 6), file systems, drivers (disk, net, USB, mouse), web servers. MINIX also has access to your passwords. It can also reimage your computer's firmware even if it's powered off. Let me repeat that. If your computer is "off" but still plugged in, MINIX can still potentially change your computer's fundamental settings. And, for even more fun, it "can implement self-modifying code that can persist across power cycles." So, if an exploit happens here, even if you unplug your server in one last desperate attempt to save it, the attack will still be there waiting for you when you plug it back in. How? MINIX can do all this because it runs at a fundamentally lower level. [...] According to Minnich, "there are big giant holes that people can drive exploits through." He continued, "Are you scared yet? If you're not scared yet, maybe I didn't explain it very well, because I sure am scared." Also read: Andrew S. Tanenbaum's (a professor of Computer Science at Vrije Universiteit) open letter to Intel.

Thanks Ronald

[macxcool]

Now I have to go change my pants

Three questions

1) Do AMD processors have similar vulnerabilities or is this an Intel issue only?

2) Why isn't Intel being held responsible to fix this, either by action of lawmakers or through lawsuits for providing a faulty product?

3) Shouldn't Intel either have to patch the vulnerabilities or issue a recall?

Re: Three questions

[shm]

Research AMD PSP.

Re: Three questions

[DontBeAMoran]

And after that, research Sony PSP.

Re: Three questions

After that, check out SPS Commerce.

Re: Three questions

Are you sure you meant 'Sony' PSP??

Re: Three questions

[DontBeAMoran]

yes

Re: Three questions

An honest 4th question - any clue if Qualcomm's ARM processors have such also ?

captcha: Windows on Snapdragon

Re:Three questions

1) Yes
2) Because shitty nerds decided it was an issue.
3) Intel doesn't need to recall anything. It is OFF by default.

I can't emphasize this enough, it's a non-story that affects absolutely nobody except for platforms used by enterprise (think business laptops for asset tracking)

The average person does not have the Management engine turned on, it's built into the PCH chipset, not the CPU. You can actually rip out the firmware for the IME from the BIOS if you're paranoid as hell.

From Wikipedia https://en.wikipedia.org/wiki/Intel_Active_Management_Technology :

"Although iAMT may be included for free in devices sold to the public and to small businesses, the full capabilities of iAMT, including encrypted remote access via a public key certificate and automatic remote device provisioning of unconfigured iAMT clients, are not accessible for free to the general public or to the direct owners of iAMT equipped devices. iAMT cannot be fully utilized to its maximum potential without purchasing additional software or management services from Intel or another 3rd party independent software vendor (ISV) or value added reseller (VAR)."

IPMI has been around for a longer time than this, and guess what, it's basically the same thing, and you haven't server managers screaming bloody murder over it, because it has to be turned on in the BIOS, and you have to have the operating system use the watchdog process to tell it that something's amiss.

Which is why nerds shitting their pants over this is rather amusing more than concerning. The difficulty in pulling off anything is exceptionally high, that the most likely targets are in fact enterprise systems, and the most likely people to exploit it are corporate spies, because if you can get "inside" the network physically, you can compromise anything connected by the network if the IME is enabled and poorly configured.

Re:Three questions

[rickb928]

What should Intel be fixing? MINIX is licensed under the Berkeley license, and apparently they are in compliance. If there is a known security vulnerability, it was not part of the reporting, so far. Perhaps we need to trust Intel that they have secured this adequately, and I know it is common practice to declare all security to be 'vulnerable', and that is assumed to be a best practice, but to enlarge that attitude and declare all such features as unacceptable due to undisclosed or, more correctly, unknown security breaches is naive.

Intel and others have delivered systems with these 'power off' or out of band management systems for decades. The risks are well understood by those who need to deal with them. Crying the sky is falling dilutes the real arguments, for instance the necessity of these features in consumer grade products, deployment via OS vendors such as Microsoft of widespread out of band management without explicit knowledge by consumers, and lack of useful management tools for SMB users who are not entirely aware of the risks.

Tanenbaum's root complaint seems to be he got little or no credit. Fair enough.

And if you don't understand how attractive an out of band management is, you don't need to. That doesn't make it less useful, just makes you unaware, and be glad you are. All that nasty stuff needed to make large organizations function is worthy of scrutiny, but best left to professionals, despite your closely held distrust of authority.

Re:Three questions

[Aighearach]

Not just processors; all integrated circuits are black boxes to you, black boxes to the engineers that design circuits with them.

The datasheet doesn't actually document the wiring, it documents the interface, and the hardware diagrams are equivalent circuits from the perspective of the published API. Sorry.

This is a feature, not a bug, so there will be no recall. Note that this only exists if you have the AMT installed; that's the fancy part you have to pay extra for! Companies that want and have a use for centralized remote management will generally see AMT running MINIX as a huge feature! That gives them increased confidence in the security.

What most people will get confused on and "remember" wrong next week is that this is not an issue with the IME that all the intel chips have, it is only talking about the AMT... that is sold for enterprise remote management. For example, I could have paid an extra $150 for an upgraded CPU on my Thinkpad that would include this. Of course, it would still be turned off unless I subscribed to an Intel corporate service!

Re: Three questions

Thanks for clarifying Mr. NSA!

Re:Three questions

What's to fix? That is there by design. Nothing to fix, it is working as planned. So you say you wanted a computer without a separate CPU that can be remotely controlled without your knowledge? Well, they didn't ask you did they. You will take the computer they made for you and you will like it.

Re:Three questions

[Major_Disorder]

Ask the question people really care about.
Can you play Quake on the Management Engine, and if so, at what frame rate.

Re:Three questions

[rahvin112]

3) Intel doesn't need to recall anything. It is OFF by default.

This is not true. It cannot be turned off. Access can be disabled, but the ME itself is powered if the computer is plugged in (the computer doesn't even need to be turned on).

What is off by default is the ability to access and use the ME without paying Intel. Just because you the owner can't access the ME doesn't mean it's turned off or not doing things in the background, in fact it's been shown to do quite a bit even when it's "off" in the bios. And whether access is actually cut is another open question as no one can actually verify that or that it doesn't have a bug or backdoor.

Re:Three questions

This is misinformation.

Your wikipedia quote does not say it is turned off on consumer devices. It says that you can't use it without paying money to Intel. It doesn't say nobody else can use it. In fact, this feature has to be turned on, and is, because the processor won't start without it.

Re:Three questions

Question 1: A or B? ("AMD too, or Intel only?")
Answer 1: "Yes"
Not that helpful.

Re:Three questions

[FatdogHaiku]

Agreed. It can supposedly be mostly turned off if you want to roll the dice on bricking your device.
More info here:http://www.zdnet.com/article/researchers-say-intels-management-engine-feature-can-be-switched-off/
And here:https://github.com/corna/me_cleaner

Re:Three questions

They do have a history of hiding things to their customers (the Intel compiler did cripple software when running AMD), and just because we don't know it doesn't mean bad people won't know (security by obscurity is flawed).
https://threatpost.com/intel-patches-nine-year-old-critical-cpu-vulnerability/125331/

Trust is so easy to loose and so hard to regain.

Re: Three questions

[rickb928]

Not much of an answer...

Re: Three questions

No, the real question is whether you can make a beowolf cluster out of them.

Re:Three questions

1. Wrong.
2. Wrong.
3. WRONG.

Re: Three questions

[Type44Q]

1) Yes.

2) Null question.

3) "Should" in one hand; shit in the other...

Re: Three questions

[Type44Q]

it's a non-story

Can anyone spot the shill?

Re:Three questions

You'd think Tannenbaum would be grateful that someone is actually using something he put decades into developing. This sort of embedded application is exactly what Minix 3 was created for. If he wants credit Tannenbaum can just put "Used in the Intel Management Engine" on the Minix website.

Re: Three questions

[reboot246]

I thought he was talking about Corel's Paint Shop Pro.

Re:Three questions

[arglebargle_xiv]

The other thing is, are we really 100% completely totally sure this is Minix? I mean... Minix? A (no offence to ast) toy operating system written as a teaching tool in the 1980s? That Minix? Of all the endless, full-featured, modern, well-supported embedded OSes in existence, why would Intel use Minix?

Re:Three questions

Off by default, but can be enabled remotely if there is power to the computer.

Re: Three questions

[rickb928]

RTFA. Then consider most 'embedded OSs' are security nightmares.

Re: Three questions

4. And how long until they become bit coin miners making other people money.

Re: Three questions

[arglebargle_xiv]

I did RTFA. It was someone quoting someone else citing someone else referencing someone else who made an unsupported assertion that it was Minix.

Re: Three questions

Youâ(TM)re making it sound like he developed Minix and no one used it when in reality he designed it just to teach students how an operating system works; yes MINIX 3 is amazing but even still he believes itâ(TM)s more a teaching tool and modernised as a way to teach how modern systems are coded...

Re:Three questions

[aglider]

3) Intel doesn't need to recall anything. It is OFF by default.

This means that you blindly trust their words.
I DON'T!

Re: Three questions

[guruevi]

Some of them do, eg Apple and Samsung chips have something similar on-die while a lot of other chipsets simply have it off-die.

ARM chips are designed based on the requirements of the manufacturer.

Re:Three questions

Of course, it would still be turned off unless I subscribed to an Intel corporate service!

Wrong! This tech does not get "turned off" without bricking your system. Just because it's not usable by you, doesn't mean it's turned off, or not in use.

Re:Three questions

[OneHundredAndTen]

Intel doesn't need to recall anything. It is OFF by default.

Says who? Intel? Is this something that can be independently verified for each device? Even if it can, how do we know that Intel cannot turn it on remotely whenever they want?

Re: Three questions

[interstellarsurfer]

1. Yes.
2. It's not a bug, it's a feature!
3. No, they will be held harmless. By American courts, at least.

P.S. - Thank you NSA, for making the world a more dangerous place.

Re:Three questions

But can it run Crysis?

No mention of AMD?

[Zobeid]

Do AMD processors have any counterpart of this nonsense?

Re: No mention of AMD?

[shm]

AMD PSP

Re:No mention of AMD?

[Curupira]

Yes, it does. It's called "AMD Secure Processor" nowadays, but it's better known as PSP (as in "Platform Security Processor", its original name).

Re: No mention of AMD?

[Opportunist]

Then the logical next question is "Why do they?"

Re:No mention of AMD?

Yes. It's called PSP -- Platform Security Processor.

Re:No mention of AMD?

rtfa

Re: No mention of AMD?

The Opterons 41XX, 42XX, 43XX; 61XX, 62XX, 63XX and the FX series do not have this garbage baked in. Stockpile boards and CPUs while you can.

Re: No mention of AMD?

[Barefoot+Monkey]

Yes, and they also built their chips into a Playstation

Re: No mention of AMD?

It's Playstations all the way down.

Re:No mention of AMD?

[evolutionary]

According to the article the newest AMD processors do have this nonsense.*sigh*

Re: No mention of AMD?

[ausekilis]

No "Yo Dawg?"

AC, I am disappoint.

Re: No mention of AMD?

[Bing+Tsher+E]

I will just hang on to the Pentium III machines I have in storage. If this problem continues to grow, it will make sense to 'segment' my computer technology. Keep the high-horsepower processers securely firewalled, and put older more secure hardware out 'on the perimeter' to do communications. We could 'sector' our hardware and build the 'clustered' kind of computing system that Andy Tanenbaum pioneered with Amoeba. What an irony, eh?

Re: No mention of AMD?

[AlejandroTejadaC]

They changed the name to AMD Secure Processor: http://www.amd.com/en-us/innov...

Re: No mention of AMD?

[CustomBuild]

You could invest in a single parentheses factory and make a killing!

Re: No mention of AMD?

[pots]

Competition? They had to keep up with their rival, I assume. Same reason Google and Samsung have dropped the headphone jacks from their phones.

Re: No mention of AMD?

[Opportunist]

Who in their right mind devalues their product just because the competitor was stupid enough to do it? That makes zero sense.

Re: No mention of AMD?

[TWX]

Uh, all of them?

Re: No mention of AMD?

Or just buy and use whatever you were going to anyway, and don't turn it on. Then you get a shitload more performance, less electricity meter spinning, and you don't look like a paranoid idiot.

Re:No mention of AMD?

[AmiMoJo]

In some way's AMD's system is worse. Less is known about it, and we don't have any ways to sabotage and disable it.

At least with Intel we know how to delete all non-essential parts of the firmware and then set the master disable flag that the NSA asked for.

Re: No mention of AMD?

"Asp"

At least naming it for a venomous snake is approrpriate.

Re: No mention of AMD?

That's what I do with my butt toys for sure.

Re: No mention of AMD?

[TeknoHog]

If this problem continues to grow, it will make sense to 'segment' my computer technology. Keep the high-horsepower processers securely firewalled, and put older more secure hardware out 'on the perimeter' to do communications.

Incidentally, I currently have my Intel machines behind firewalls that run older AMD CPUs, i.e. no AMD equivalents of the hidden processors there. So I should be safe, right?

Re:No mention of AMD?

[Aighearach]

AMD is definitely going to have to pay somebody hack them and tell the world they're also running *NIX on the security co-processor. BOFHs everywhere want to know!

Re: No mention of AMD?

Sure you do. You've got all the switches. For sure.

Go suck more Intel cock fanboy.

Re: No mention of AMD?

If your firewall blocks outgoing connections by default then there's no way for the IME to connect to the secret Intel/NSA base and you will be, should be, might be safe.

Re: No mention of AMD?

I think dropping the headphone jack is more a design feature and a push forward. The jack is a terrible feature for durability and creates an unstable point in the casing, the less number of large holes drilled into essentially the main foundation of the phone the less point of failure or fatigue the phone has..

Re: No mention of AMD?

I think dropping the headphone jack is more a design feature and a push forward.

I think dropping the headphone jack is a concession to the Chinese government, who want to control what their prople can and cannot hear.

Re: No mention of AMD?

[guruevi]

Read up on why itâ(TM)s there in the first place. It is well documented and was never âoehiddenâ.

We know what it does, what itâ(TM)s function is and how to enable it. Because the majority of people doesnâ(TM)t, does not mean it is evil.

Re: No mention of AMD?

[Opportunist]

No, that the majority of people don't know what its function is doesn't mean it's evil.

That someone can control my computer without my consent and I cannot turn this "feature" off, does.

Re: No mention of AMD?

[guruevi]

I don't think you understand, you cannot enable this feature without the owner's consent.

The manual clearly states, there is a key combination you have to enter to get it to enable it, then you can connect it to a service on your LAN where you can remotely image the machine, but not enough where you can interrupt a running OS. Specific drivers and services must be present and running in order to use the Intel AMT to manage the host OS.

There is always the case that you AREN'T the owner of the computer (eg. a corporate computer, a rental or you trust your vendor to not have enabled it). All it takes is a re-imaging of the computer.

So the prerequisites to having it "control your computer surreptitiously"
- Install an Intel software package on a host on the same subnet you're currently on
- Go into the BIOS/EFI and enable the feature
- Install software packages to allow you to remotely control the host OS.

Overblown -- oh and AMD isn't any better

[CajunArson]

This stuff is overblown since these management engines are only ever active in a limited set of corporate environments where out-of-band management is a huge plus that actually improves security by not requiring your IT drone to physically access every system even if it's turned off.

Oh, and don't think your magical AMD saviours are any better. There a TrustZone processor that you have zero control over embedded in their products that does the exact same bad stuff.

Re:Overblown -- oh and AMD isn't any better

I am not sure why you are modded -1. This is exactly why I am actively buying vPro-enabled computers at work despite all these "dooms-day" articles about backdoor access to your computer through the chipset. I do not have the time to run between different office locations to fix people's issues when I can easily deal with it remotely. The OOB is a plus over any other remote-help software that requires Windows to be running before I can connect to it.

However, I would prefer to visit the manufacturer's website to download and install the additional ME firmware in order to activate the feature, rather than having this pre-embedded on every chipset. Those that ended up in home products do not need this.

Re:Overblown -- oh and AMD isn't any better

[Dishevel]

these management engines are only ever active in a limited set of corporate environments where out-of-band management is a huge plus that actually improves security by not requiring your IT drone to physically access every system even if it's turned off.

I think you mean that they only have a use to the consumer in a limited set of corporate environments. IME is active on all their chips.

Re:Overblown -- oh and AMD isn't any better

The ME is actually active all the time. Basically the modern Intel architecture just doesn't live without ME managing things. It may not be network enabled or remote accessed depending on the configuration, but it's pretty much always there now, and always active.

Even the vendors don't really know what all it may be doing, just that they have to interact with it to provide certain features or interrogate it to explain why the system decided to go haywire.

Re:Overblown -- oh and AMD isn't any better

[myowntrueself]

I am not sure why you are modded -1. This is exactly why I am actively buying vPro-enabled computers at work despite all these "dooms-day" articles about backdoor access to your computer through the chipset. I do not have the time to run between different office locations to fix people's issues when I can easily deal with it remotely. The OOB is a plus over any other remote-help software that requires Windows to be running before I can connect to it.

However, I would prefer to visit the manufacturer's website to download and install the additional ME firmware in order to activate the feature, rather than having this pre-embedded on every chipset. Those that ended up in home products do not need this.

I worked on a project to evaluate vPro and ME for laptops to be used in a very geographically dispersed and isolated environment where they would have Internet access but getting tech support to them would be a nightmare. It was very hard to get these technologies configured properly and two otherwise identical laptops, same make and model and, apparently same EVERYTHING, would behave differently with vPro/ME. I found it quirky and unreliable, sadly. Its a great technology for that kind of environment.

Re:Overblown -- oh and AMD isn't any better

> these management engines are only ever active in a limited set of corporate environments

Fun fact: you have no idea.

Nobody does outside of Intel.

There's been efforts (some recently pretty successful) to disable the ME on certain machines, to some degree. It doesn't seem like something you can do with an off the shelf chip and motherboard. If it was only active in a limited set of corporate environments, it probably wouldn't have been so hard to tear out, right?

Re:Overblown -- oh and AMD isn't any better

[Uteck]

But they are active even if you are not using it. They sit listening on the first Ethernet port and will even grab a DHCP address. Given the access they have, and the inability to turn them off, if they can get exploited there is nothing you can do.

Moving your connection too another NIC can stop it from communicating, but it is still active and waiting.

Re:Overblown -- oh and AMD isn't any better

[Khyber]

"I do not have the time to run between different office locations to fix people's issues when I can easily deal with it remotely."

Until that ME processor itself dies. Then you're stuck fucking going there any goddamned ways to replace an entirely dead machine.

Lazy people should not be allowed hardware access.

Re:Overblown -- oh and AMD isn't any better

[Khyber]

Oh, and that machine SHOULD NOT BE DEAD but yet because the tiny ME is dead (despite every system from long ago running fine without one) you're hosed.

You must be new in IT to not see why these things are inherently stupid. Try again when you've got 25+ years of experience in it.

Re:Overblown -- oh and AMD isn't any better

[Khyber]

They were modded -1 because they're dead fucking wrong. The IME runs AT ALL TIMES IF PRESENT.

Re:Overblown -- oh and AMD isn't any better

[TheRaven64]

In a well-run IT department, replacing a dead machine is one of the simplest things to do and in comparison to staffing costs computers are almost free these days. Buy new machine, image it, drop it into the correct office, done. Replacing a machine even once a year is a lot cheaper than having a technician visit every desk once a month.

Re:Overblown -- oh and AMD isn't any better

And by the way, ME has been broken, full disclosure announced here:
https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668

Re:Overblown -- oh and AMD isn't any better

please prove: " these management engines are only ever active in a limited set of corporate environments"

How do i go about turning it off? how can i verify that it is off? just because they are only used in a limited set of corporate environments doesn't mean that the ME is not active.

i think it is understated, In this day and age any professional understands that security is strongest when in layers. The problem here is that while this is useful in a corporate environment like you say, It has little to no use in a personal home environment. There is also no way to disable it for certain, about the only way to convince me that this is a decent idea is to have a hardware switch on the motherboard that comes with the ME (and amd's equivalent) disabled from factory. Otherwise this is quite simply a back door into anyones personal system that undercuts many layers of security that people try to implement. Therefor it really isn't overblown at all, especially because there is no way to disable it and when combined with the push for corporations to be able to hack back it can be deduced that this could potentially end very badly for the average computer user. You can sit there and say it isnt a big deal today, but it could be once someone figures out how to get some weaponized code in there

Re:Overblown -- oh and AMD isn't any better

[PoopJuggler]

Except it's been hacked.
And it's active all the time.

Re:Overblown -- oh and AMD isn't any better

[MachineShedFred]

Case where security is better due to vPro: a company I used to work for was buying vPro-enabled desktops so that we could provision them and install them in the 2000+ locations they have across the US, so that when Windows shits the bed and needs to be reimaged, a support guy from the call center can take care of it remotely instead of calling out a 2-hour minimum service tech for $LOTS per hour to reimage it.

The math showed that in one year, the average amount of reimaging happening in locations that didn't have on-site IT would pay for the extra costs alone, and then the next 3 years of that hardware's lifetime were savings against the TCO. And that's just for service calls not made to reimage - it didn't even factor in how much faster someone can troubleshoot if they can remote control a machine sitting at a bluescreen, or failing to find the startup disk and needs the ACPI setting in the BIOS changed because the bit got flipped on a power failure / CMOS default restore, etc.

vPro is a huge support cost savings, allowing support staff to be able to do far more of their job far better, bitching about it being there is silly, especially since it is unprovisioned by default and will remain that way unless you go out of your way to enable it.

Re:Overblown -- oh and AMD isn't any better

[MachineShedFred]

That's probably the fault of the OEM - I worked with Lenovo on this, and if they didn't configure the internal hardware and firmware load exactly the way it should be, it would be missing features, etc. Off-the-shelf models rarely would have the full vPro feature set we were looking for, so we needed to do custom builds. Then it worked great.

Re:Overblown -- oh and AMD isn't any better

Let me get this straight - software issues that can be fixed remotely with proper remote management should not be allowed, and should require an on-site visit because you say so. And hardware failures that would require an on-site visit regardless of the presence of remote management features is your justification for this half-assed argument?

Don't ever manage any IT department that matters. You are demonstrably incapable.

Re:Overblown -- oh and AMD isn't any better

[BlueStrat]

You might want to check your facts here the networking capabilities you're referring to on Intel chipsets is only in the corporate configurations. The consumer based version of the ME does not have a networking stack so there is nothing to remotely control on these configurations.

You don't know that. Nobody but a limited subset within Intel knows if that's actually true or not.

It's a giant freaking security hole with largely unknown properties, therefor nearly impossible for end users to reliably mitigate. Nobody concerned at all with information security should ever run US-made CPUs or commercial operating systems (win/mac). US TLAs have poisoned the well with American hardware and commercial OSes.

Strat

Re:Overblown -- oh and AMD isn't any better

[rickb928]

"I do not have the time..."

"Lazy people"

The latter written by someone who apparently has not done real world dispersed support for a living. Windshield time is real in the known relativistic universe. Denying it only leaves you with uses unable to work, and bosses unable to retain your services.

Re:Overblown -- oh and AMD isn't any better

[rickb928]

Set the HAP bit to 1.

You're welcome.

Re:Overblown -- oh and AMD isn't any better

So the year of MINIX on the desktop has already happened? I need to pay more attention. : (

Re:Overblown -- oh and AMD isn't any better

[dissy]

Until that ME processor itself dies. Then you're stuck fucking going there any goddamned ways to replace an entirely dead machine.

Actually that doesn't need to be the case.
For a single location it probably should be the case, but for multiple sites spread over the country or more it really is the most efficient option.

Our OEM vendor enables ATM for us and uploads our public provision key into the ME.
They can then ship the desktop to any location we tell them to.

Once its on the LAN and turned on, the ME contacts our provisioning server and gets all the ATM settings, bios settings, and access public keys, and as they are signed by our private provision key it installs them.

At that point the provision server, having the only "live" copy of our access private key, can then issue commands.
Specifically it tells the new PC to mount our base image ISO under the optical drive, and then to "power on" the desktop.
The last step of the OS installation from that boot ISO (just before rebooting to the local HD that is) signals back to the provision server that it's done, which causes it to "unmount" the boot ISO.

The only prep work we do is feed the new asset numbers and MACs, provided from the order confirmation from the vendor, into the provision server.

Most vendors only pre-load provision keys once you get to be a certain size, which is annoying for small shops on one hand, but on the other it isn't some insanely large limit like Microsoft Volume licensing for example.

Prior to us hitting that magic "300 PCs ordered" threshold by our vendor, there was indeed an extra step and although it wasn't completely necessary we kept it internal to the IT staff. That step was to plug in a USB flash drive containing our public provision key and a little ME/ATM config before hitting the power button and control-e on boot to load it.

Also the ATM-SDK is a free download from Intel. You can automate the hell out of the thing if you really want to.

If you are small enough to be a single-site shop, it likely wouldn't be worth such a setup when it's just as easy to walk across the building, but for multiple-sites spanning different cities it can be quite efficient of a time saver.

Re:Overblown -- oh and AMD isn't any better

[thegarbz]

They were modded -1 because they're dead fucking wrong. The IME runs AT ALL TIMES IF PRESENT.

Nope, not all of it. Many parts of it have to be expressly enabled in the BIOS. Just like I have a Linux system with X installed, doesn't mean the X server is always running. IME does more than out of band management. The IME components that run all the time are mostly related to platform power management which have existed since before the Core days under different names. You disable out of band management features in the BIOS then you can poke and prod on your network card all you won't. It will be dead.

It's a completely overblown risk by people who don't understand that it was a common feature most security conscious enterprises used to pay a premium for.

Re:Overblown -- oh and AMD isn't any better

Trust us. We're not gathering metadata on every email sent over the internet - NSA

Trust us. We've developed technology that lets us to blood tests that defy the laws of physics - Theranos

Trust us. There are weapons of mass destruction in Iraq - Bush Administration

Trust us. You can disable the ME - Intel

Re:Overblown -- oh and AMD isn't any better

Wow, you are simply so so wrong.

Re:Overblown -- oh and AMD isn't any better

[daniel23]

And by the way, ME has been broken, full disclosure announced here:
https://www.blackhat.com/eu-17...

An exploit to access turned -off computers, presentation due in a month. Sweeeeet...

Re:Overblown -- oh and AMD isn't any better

[Khyber]

You are so wrong that people already hacked the IME and proved you wrong long ago.

https://www.wired.com/2017/05/...

The entire system has to run, every part is dependent upon the other in a chain of trust.

"Many parts of it have to be expressly enabled in the BIOS."

Actually, no, and the most recent news revealed was that there was an accessible NSA-specific command HARDCODED INTO THE IME.

But please, by all means keep covering up when almost all of us know better. That's the sure sign of a shill.

Re:Overblown -- oh and AMD isn't any better

[Khyber]

"Let me get this straight - software issues that can be fixed remotely with proper remote management should not be allowed"

If you need hardware to fix a *software* issue, you're a special kind of stupid and the company you chose for your code is also dumb as shit for not doing proper QA.

"Don't ever manage any IT department that matters. You are demonstrably incapable."

The NSA has their own special commands in the IME. You're a fucking idiot to think they're not crawling around inside your network without you knowing.

Don't ever try getting a job in security, you'd fail fucking miserably.

Re:Overblown -- oh and AMD isn't any better

[Khyber]

"The latter written by someone who apparently has not done real world dispersed support for a living."

Son, I manage the entire SoCal network for an Arizona-based mental health facility. Come back when you know how to do your job and have to comply with HIPAA laws at the same time.

Your lazy remote access shit doesn't fly in real world security situations, child.

Re:Overblown -- oh and AMD isn't any better

[myowntrueself]

That's probably the fault of the OEM - I worked with Lenovo on this, and if they didn't configure the internal hardware and firmware load exactly the way it should be, it would be missing features, etc. Off-the-shelf models rarely would have the full vPro feature set we were looking for, so we needed to do custom builds. Then it worked great.

Hah! Funny you should say that; this was with Lenovo kit.

Re:Overblown -- oh and AMD isn't any better

[thegarbz]

Please don't confuse your inability to comprehend english with some technical matters.

Or maybe you do comprehend english including the link you sent me, and just happened to be off your pills when you read them. Or are the government spy satellites not aligned correctly to keep you in check?

Re:Overblown -- oh and AMD isn't any better

[PhunkySchtuff]

But they are active even if you are not using it. They sit listening on the first Ethernet port and will even grab a DHCP address. Given the access they have, and the inability to turn them off, if they can get exploited there is nothing you can do.

Moving your connection too another NIC can stop it from communicating, but it is still active and waiting.

I don't know about this - I've got a PC with a 7-series (Kaby Lake) intel CPU. I'm using onboard Ethernet. I've checked my DHCP leases and there are no unknown devices requesting an IP on my network.

Re:Overblown -- oh and AMD isn't any better

The IME runs AT ALL TIMES IF PRESENT.

All thanks to the fault tolerance of the micro-kernel architecture of MINIX! ;)

the hacker OS!

[aod7br7932]

and we should worry about chinese and russian hackers...

Re:the hacker OS!

We could all get hit with this, either malware, huge computer outages, or anything in between, and the media could tell us, 'It was the Russians', or, 'It was the Chinese hackers!'

And most people would buy it.

MINIX gives Them control over a lot more than just our computers.

How is this news again?

[Gabest]

Before the cloud, people used to put their own servers in server rooms. That's the interface to manage your machine from outside.

Re:How is this news again?

[Opportunist]

The new part is that you make people pay you for putting the computers you manage into their server room, pay for the power to run them and put their software for you to manage on it.

It's kinda like being the admin for a server farm, only that you don't get paid, but in return, neither do you have to pay for anything, you're not responsible for anything you do to the computers and you can do with the software and data on them whatever you please.

Re:How is this news again?

[David_Hart]

Before the cloud, people used to put their own servers in server rooms. That's the interface to manage your machine from outside.

This doesn't prevent a system from coming into your environment already compromised. That, to me is the scary part. Your order could be intercepted and compromised or compromised at the vendor before shipment. And there is no way to scan the subsystem for threats.

Re:How is this news again?

The innovation is, you now get the ability to have an insider compromise your data built right into the system!

Re:How is this news again?

[arth1]

It's kinda like being the admin for a server farm, only that you don't get paid, but in return, neither do you have to pay for anything, you're not responsible for anything you do to the computers and you can do with the software and data on them whatever you please.

Oh, you still pay for it. The fees include both hardware, operating costs and administration (done by largely unqualified people, but still administration of sorts). It's just cheaper due to scale.
And you're still responsible - the contracts tend to have clauses that you must not interfere with the hosting or other services. So if you deliberately break the hardware through software (quite doable, alas), don't expect them to blindly replace broken gear forever.

Re:How is this news again?

It's just a standard fad for the new guard just now getting into the world of computers.

Quoting the publicly available documentation as news is just what they do.

I suppose it's because a headline of "children learn of stuff that's 20 years old" isn't quite as scary sounding.

They mentioned the ME runs a web server. Just wait for the updated article tomorrow when they learn the AMT runs a full VNC server, let's you redirect cd/dvd block level commands for remote boot, and the serial port interface to the BIOS over a tv terminal!

Re:How is this news again?

[hackwrench]

No, I thought he meant the manufacturer was the admin who didn't get payed, didn't have to pay anything and could do whatever they want.

Re:How is this news again?

[Opportunist]

You buy the hardware I make, I retain the ability to do whatever I please with it and you can't do jack shit about it.

This is basically what Intel is telling you. No, you needn't pay Intel to do it, but then again, neither can you keep them from doing whatever the fuck they want to your hardware, software and data.

Re:How is this news again?

[rogoshen1]

Intel and the TLA's saying it's benign, we should probably just trust them implicitly, it's fine.
Also unintended consequences never, ever happen

Re:How is this news again?

[Opportunist]

They also offer to pay for any and all damages should (ok, rather, "as soon as") someone finds a backdoor into it and abuses it for industrial espionage?

no need to shutdown the internet with kill switch

its built directly into your PC!

BSD uber alles!

BSD wins again, tough luck Linux using, GPL commie loooosers, the BSD license is once again behind the worlds #1 operating system. Boo yeah!

Re:BSD uber alles!

Yep, score one for corporate control.

Hear that, Tanenbaum? That's the sound of Intel screwing you with your own code.

Re:BSD uber alles!

[Seven+Spirals]

I guess Intel didn't want systemd, either. Damn, even the evil empires can't stomach that pile of garbage.

Lookup "Minux security flaws" in google

[iplayfast]

I did, and apparently Minux is safe! :)

Re:Lookup "Minux security flaws" in google

I did, and apparently Minux is safe! :)

That's because you should have looked up "Minix" in stead of "Minux".

2 and 3:

Because it is functioning as intended for its usage among authoritarian regimes (the US included thanks to Congress, the NSA, CIA, and domestic SigInt/PsyOps.)

The Clipper chip concept was never off the table its implementation just became less 'warrant and seize' and more 'illegal wiretap'.

The years of the Minux desktop

[sinij]

Apparently, we have been having years of Minux desktop all this time and never knew.

Re:The years of the Minux desktop

About a hundred years ago in high school,I soldered together my first home built computer. It ran MINIX. Good times.

Tanenbaum: a professor of Computer Science...?

[Barnoid]

Kids these days...

Andrew S. Tanenbaum is the original creator of MINIX, not just "a professor" at Vrije Universiteit.

Re:Tanenbaum: a professor of Computer Science...?

So it is all his fault

Re: Tanenbaum: a professor of Computer Science...?

Um... cannot tell if on crack or just trolling?

Re:Tanenbaum: a professor of Computer Science...?

[93+Escort+Wagon]

Somebody needs to learn a little tech history. The Linux (monolithic kernel) versus Minix (micro kernel) debate is well known.

Re:Tanenbaum: a professor of Computer Science...?

[nctritech]

https://en.wikipedia.org/wiki/Tanenbaum%E2%80%93Torvalds_debate

I'll just leave this here.

Re: Tanenbaum: a professor of Computer Science...?

Obvious troll is obvious.

However, wouldn't that be nice? It would make Minix a derivative work of Linux, and ergo covered by GPL. We could demand that Intel get into compliance.

Re:Tanenbaum: a professor of Computer Science...?

[OzPeter]

Somebody needs to learn a little tech history. The Linux (monolithic kernel) versus Minix (micro kernel) debate is well known.

Apparently you don't hear that whooshing sound over your head.

Re:Tanenbaum: a professor of Computer Science...?

And everyone thought monokernel had soundly defeated microkernel years ago, turns out microkernel is the winner.

Re:Tanenbaum: a professor of Computer Science...?

Linus told us all where his first kernel version came from. That's closer to the point than the kernel-style debate of the later years, and why the AC's troll is actually funny.

Re:Tanenbaum: a professor of Computer Science...?

But now Tanenbaum is just an old idiot that thinks it is AWESOME that Minix is used by Intel in there ME crap and look how AWESOME Minix is with its BSD license.

Re:Tanenbaum: a professor of Computer Science...?

Thanks, Captain Obvious.

Re:Tanenbaum: a professor of Computer Science...?

Uhh, Tanenbaum stole the Minix code for Linus Torvalds. If it weren't for Linus, there'd be no Minix.

Apparently this was OzPeter posting as AC.

Re:Tanenbaum: a professor of Computer Science...?

Really cool thing - Tanenbaum is also the person behind electoral-vote.com (the best US elections site around pre-Nate Silver era). Renaissance guy.

Re:Tanenbaum: a professor of Computer Science...?

He's also not a professor of Computer Science anymore, he retired last year.

Makes systemd look a bit unnecessary

So even if a bug in systemd prevents the "good" guys from subverting the OS, they can at least rely on the hardware.

That's okay

[DontBeAMoran]

We can always use a Raspberry Pi, right?

Re:That's okay

[jandrese]

With the big binary blob from Broadcom? Pis are not open hardware.

Re:That's okay

Arm core couldn't possibly be full of backdoors.

Isn't this like a BIOS?

[known_coward_69]

that's been around for decades? except they add more stuff to it and now it runs in a separate processor?

Re:Isn't this like a BIOS?

[DontBeAMoran]

That's like saying the computer in a Tesla Model S is like the engine in a Ford Model T.

Re:Isn't this like a BIOS?

[ilsaloving]

No it's not. It's literally like having a full second computer running in parallel to your main computer, except that it is always running as long as there is power to your machine, and you can't shut it off, and it can take over your main machine.

It's a great feature for corporate environments where the remote access helps IT do their job. For everyone else, it's a f__king stupid idea because the average person has no idea what it does or why it's there, or even that it IS there, which paints a great big target on them for any malicious actor to exploit.

Re:Isn't this like a BIOS?

[ledow]

Do you know of a BIOS that runs when the computer is off?

This is beyond "when I get the magic packet IRQ from the Ethernet controller I will wake up" into "there's a full, general purpose OS running on every processor, talking to the network, interpreting traffic, able to intercept every memory access, and which we have no way to probe, investigate, debug or understand and which may well be auto-updating from the Internet on a regular basis without our consent".

Question: How do you generate a secure private key on a computer with this in? Literally, you can't.

With BIOS, the scope was so limited that it couldn't be used for such things, and was just "the code that the computer started at" (literally, a soft-reboot is "jump to address 0, the first line of the BIOS).

This is a full set of processors listening to everything your other processes do all the time no matter what OS you run or security you apply. And nobody knew what it was doing. And the governments have been removing it from their purchases for years by making Intel make chips without it.

If THAT ONLY wasn't reason enough to worry about what it could be doing, you clearly haven't understood what it could be doing.

Literally, this is a full-above-root compromise of every machine on the planet under Intel's sole control. Everything from microphones to connected devices to nearby wireless etc. could be turned against the user.

Doing that with "just a BIOS" was much harder, much more obvious (i.e. you could generally disassemble the firmware and/or inspect it step-by-step as it was running) and much less damaging.

Intel has a full computer in every chip on almost every motherboard on the planet. And nobody knows or understands why (because computers work just fine without such a feature, always used to, and still do when you disable such things by forceful means), nobody was really told about it, and it's taken years to discover even what architecture/OS it's running on, let alone what it's doing.

One virus exploiting one flaw in this and anyone can gain control of the planet over the Internet with NO WAY to clean it off or even detect it.

Re:Isn't this like a BIOS?

[zeugma-amp]

This is a full set of processors listening to everything your other processes do all the time no matter what OS you run or security you apply. And nobody knew what it was doing. And the governments have been removing it from their purchases for years by making Intel make chips without it.

This. Right here. The fact that governments have demanded hardware without it is reason enough NOT to trust that it is 'safe'.

Re:Isn't this like a BIOS?

[dissy]

Do you know of a BIOS that runs when the computer is off?

Sure: All HP servers, all Dell servers, all IBM servers.

HP calls it "iLo" or "Integrated Lights-Out"
IBM calls it the "RSA" or "Remote Supervisor Adaptor"
Dell calls it the "iDRAC" or "Integrated Dell remote access"

The hardware has been pretty standard for some time now. Although HP used to require purchasing a software license key per-server to be allowed to use it.

Intel ME/ATM is the same thing but available in desktop grade computers, any core-i chip with vPro.

Re:Isn't this like a BIOS?

[thegarbz]

Do you know of a BIOS that runs when the computer is off?

Was this an attempt at a joke? The answer to this question is: All of them since the days of ATX and if you were a corporate customer it predates this too.

Re:Isn't this like a BIOS?

What you cited is NOT BIOS, or even like it. You are describing what are generically known as Board Management Controllers (BMC) which are embedded controller chips (pretty much EXACTLY like Intel ME/ATM) typically implementing some form of IPMI interface for the server to the outside, usually over Ethernet. These do not run BIOS code, nor are they typically dependent on the system BIOS for anything. They are only dependent on the machine being connected to power. Some use in-band Ethernet, some have dedicated ports, but they are all implemented on embedded processors running custom firmware out of dedicated flash storage. Nothing. Like. BIOS.

Re:Isn't this like a BIOS?

So let's regard all computers as fundamentally insecure devices, isolate them behind whatever network controllers are reasonably secure, and apply security policies to prevent the hardware from unexpectedly sending and receiving data.

It might be necessary to think about open source hardware and DIY fabrication... (At a minimum, to produce network controllers with verifiable functionality and design)

all i have to say is

[FudRucker]

if my computer starts acting odd like it is being remote controlled i will first wipe the drive and do a clean install with a newer cleaner more secure operating system, and if this bad behavior still persists i will take a fucking 8 pound sledge hammer to it and turn it in to a pile of junk in short time

Re:all i have to say is

The problem is you may never know if it's being remote controlled. And with this the OS you're running won't help you much.

Re:all i have to say is

[FudRucker]

there is nothing left to do but get the BIG hammer

Re:all i have to say is

You big man.

Re:all i have to say is

No no. The proper solution is to pull the drives and see if it still acts funny. If it still acts funny with no OS, then you've caught a Class I Vathek (Ghostbusters reference.)

Seriously though, you can unplug the ethernet cable and reflash the bios if you're paranoid that it might have caught something. I'm sure someone out there has written a tool to delete the IME firmware out of the firmware hub.

Re:all i have to say is

[ChunderDownunder]

Hackers detivoize the Minix install and every PC commences mining cryptocurrency on behalf of our 'enemy' and the 3 letter agencies are unable to crack their way in since a firmware update retivoizes the machine locking the backdoors.

Re:all i have to say is

[Pascoea]

Your hardware bill must be obscene. If I smashed the hell out of my PC every time it did something "weird" I'd be buying a new one every week. But hell, I guess it would be fun to go full-on Office Space on a computer every other week.

Re: How about a list..

It's not in the OS...

This is a little bit awesome, though.

[Seven+Spirals]

I've been a MINIX user for a long time. I was introduced to it in college in my operating systems course by the Tannenbaum book. This in-chip weirdness is, uhm, bizarre. However, MINIX is still interesting. It's one of the few microkernel based Unix variants and it's innards are particularly clean and easy to hack on due to it's heritage as a teaching OS. I don't know what the hell Intel was thinking, but don't blame MINIX. Go install it and use this as an excuse to get your own hands dirty. :-)

Re:This is a little bit awesome, though.

[bluefoxlucid]

I've been waiting for someone to port Linux interfaces for SystemD (previously udev, kevents, and HAL) to Minix for a while, which would make it capable of replacing the Linux kernel.

Beyond that, you'd need to port in the file system and hardware drivers. Since they're separate services, you can make GPL versions out-of-tree and just load them into Minix. In-tree versions of adapted netbsd, freebsd, or dragonflybsd drivers are allowable.

Re:This is a little bit awesome, though.

[Seven+Spirals]

I've been waiting for someone to port Linux interfaces for SystemD (previously udev, kevents, and HAL) to Minix for a while, which would make it capable of replacing the Linux kernel.

While I see what you are getting at and it's a laudable goal, I don't see anyone wanting to dig into systemd to do it. It's like dissecting a skunk. You might learn something, and even do something to help, but it won't be pleasant.

Re:This is a little bit awesome, though.

Lol made my day. Obligatory background info: http://without-systemd.org/wiki/index.php/Arguments_against_systemd

Re:This is a little bit awesome, though.

[bluefoxlucid]

SystemD uses well-understood Linux kernel facilities such as the facility that sends notifications to an application when new hardware is plugged in, rather than having stuff constantly poll the USB/PCI bus and then run mknod scripts in /dev.

You may as well say nobody probably wants to dig into glibc to figure out how loading ELF executables works.

Re:This is a little bit awesome, though.

[krisbrowne42]

Before Linux existed I was running Minix on an IBM XT... The code was so clean, I could pretty comfortably find how every single part of the system worked... The more recent Minix 3 is a bit more mature, but everywhere I've looked the OSS version is still more clean and understandable than any other usable OS.

Intel 945 derivs excluding the 946 or one variant.

Q35/45 both have it, although removable.

X55 should not have it, as well as the 5xx0 LGA1366 chipsets. Only the later SoC PCH (Q55 or something?) is supposed to have a management engine onboard. All actual board designs had a non-Intel IPMI or IPKVM implementation if included.

Meaning you can get a dual hex core processor motherboard with up to 192 megs of registered DDR3 @ 1333 on it. Plenty fast enough for the majority of today's processing needs.

However 3,4,5 generations all had limited/broken IOMMU implementations (specifically XAPIC2 support) and no 64 bit BAR support for Intel Xeon Phi, Tesla, or GCN Radeon GPUs, meaning large scale heterogenous GPGPU clusters aren't possible on 'safe' hardware. Not a huge deal since Maxwell V2 and Vega both have signed firmware and management engines of their own, meaning only some older GPUs might be trustworthy depending on their errata and if the bios are truly replacable (AMD had signed segments prior to the current firmwares, which only have a single configurable range usable for changing overclocking settings... supposedly.)

In order to regain freedom, what is really needed is a crowdfunding effort to get the Adapteva Epiphany V available on an expansion card with glue logic for display, memory controllers, vbios/firmware, and PCIe bus access. Following that a RISC-V and/or J4 (The Hitachi SH clones) taped for a common CPU socket with a documented royalty free motherboard chipset reference design capable of supporting both current and future cpu arches that are made electrically compatible.

These three projects, even if not at the same level of performance as ARM or x86 processors, would make a huge shift in the computer industry, potentially giving back both the end-user security, as well as the market diversity people were used to during the x86 heydays of the late 80s through the late 90s.

Intel Scam of the Century

[oldgraybeard]

joke

Customers buying Intel Products!! Only to have Intel consume 90% of the processing power "To Mine Bitcoin " for their own profit. ;) Woot ;)

Bill Gates was Right!! People only do need 640k and 4.77MHz ;) lol

/joke

So it's a backdoor///

[evolutionary]

Let's call this what it is: A variation of the "clipper chip" like the government tried to do years ago, except this is more powerful and way worse. It's a backdoor that can potentially operate at a level few not in certain government departments or Intel top level developers can access. Perhaps it's time to give Intel the cold shoulder. Need to confirm if AMD has this backdoor OS in it's processors or not. Wonder how China and Russia respond to this sort of thing? Will we ever see an end of this screwing the end user for corporate and/or government interests?

Re:So it's a backdoor///

[swillden]

Let's call this what it is: A variation of the "clipper chip" like the government tried to do years ago, except this is more powerful and way worse.

That's a mischaracterization so egregious it could be called a lie.

The ME (and AMD's analogous PSP) have nothing to do with government, and nothing to do with cryptography (though they make heavy use of it). Clipper was about enforcing a standardized encryption mechanism with a built-in backdoor specifically for law enforcement. Completely different thing.

ME and PSP are remote system management tools. Their purpose is to enable enterprises to remotely administer systems, including not only being able to remotely install a new operating system, but to strongly verify the installation from the running OS. The reason it's in all systems, not just systems targeted at enterprise use, is that it's more economical to have a single solution

That said... you are absolutely correct that these tools *could* be used by malicious parties, whether for corporate espionage, government intrusion or anything else, and they are incredibly powerful, and not understood nearly well enough outside of the teams at Intel and AMD who build them. I know some of the people at Intel who work on this stuff and I'm pretty confident that they're doing good work, and doing the right things... but the lack of transparency makes me really nervous.

Remote management tools make sense, but it should be possible for end users to disable them, or to take ownership of them and use them for their own ends. The details of exactly how they work, including their source code, should be published. Indeed, I think government should mandate the publication of low-level system management tools and firmware. We need a lot more academic research into the security and operation of these systems.

Re:So it's a backdoor///

[evolutionary]

You seem very confident (feels almost defensive), but ask yourself, why is it closed source yet using an open source core? Nothing to with government? How would you know that for sure without the source? It's been well documented that the government has approached virtually everyone, even Torvalds, asking for backdoors. Some said yes, some said now, some were likely given a deal they could not refuse. The first thing anyone tries to do in spying is to create doors people don't know about or rebranding it as something else. The admission of the purposes of the clipper chip was met with a lot of resistance. So the government agencies decided to keep other attempts a secret to reduce resistance. Rebranding is a classing way of hiding something in business. why not government. Unless you know what is in fact in the source it is impossible to say my hypothesis is "egregious" because only top people even know what it does. And why would you put something like "DRM" in something at that low and dangerous level. The DRM is as much as Intel will admit to. (and they may have their hands tied and gagged). Never confuse statements given to the public for media purposes as complete disclosure. If it's as innocent as you say, why hide it? We've had evidence leaked that proved government intentions to hook into all system domestic and foreign through hacks in software and hardware. And a backdoor of this nature is pretty consistent with what we've found from brave people who put their lives on the line to let the public know.

Re:So it's a backdoor///

Unless you believe in magic, all communication between this thing you are so scared of and the outside world occurs over the ethernet cable you plugged in. This traffic isn't invisible. You can freely monitor it to your hearts content. If you care about security as much as your panic implies then you should already be doing this. So what's the issue?

Re:So it's a backdoor///

Finally, an authoritative source...if there's anyone who'd know about (and work for) "malicious parties", it would be Google Asshole Shawn Willden...

Re:So it's a backdoor///

[epine]

The ME (and AMD's analogous PSP) have nothing to do with government, and nothing to do with cryptography (though they make heavy use of it). Clipper was about enforcing a standardized encryption mechanism with a built-in backdoor specifically for law enforcement. Completely different thing.

What makes you so sure this isn't a government-friendly end-run around the failure of the Clipper chip program?

All we're presently missing is a handful of Snowden codenames for the many ways this advantages the NSA in their fight against all the things they fight against (some portion of which involves suppressing evil doers of evil, other portions of which involve being evil doers of evil, probably in the service of maintaining a well-ordered society, by which I mean grease-stripping the social mobility rails occupied by the already established fat cats).

The intelligence community runs on capabilities. Intel's IME is a capability like no other I've seen before. It routes around the power switch. Hot damn.

Re:So it's a backdoor///

[swillden]

Did you read my post?

Re:So it's a backdoor///

[swillden]

I don't think you read the post you replied to.

Re: So it's a backdoor///

Brave reply namefag.

Re:So it's a backdoor///

I do not think mischaracterization means what you think it means. A backdoor is a back door regardless of what you may call it.

Re:So it's a backdoor///

Or they learned from that failure of the clipper chip and marketed better as an enterprise tool meant to increase productivity and capability.

Re:So it's a backdoor///

[evolutionary]

Yes in detail. You said you knew some of the people. We all probably know somebody somewhere in our in IT. I've been around enough to know that often IT professionals at all levels cannot tell everything about where they work. Usually because of standard NDAs (non-disclosure agreements) but there could be other reasons too. I know enough to not probe too deeply if information is not being relayed consistently, and if I knew more than I should because of a slip of the tongue, I certainly wouldn't post it here. :-) Also, "doing the right thing" can mean different things to different people and as the old saying goes "the path to hell is oft paved with good intentions". Or as Dr. Martin Luther King would say, (paraphrasing a little), "what is worse than the actions of the bad people are the inactions of the good". the folks at Intel may all be "good people" for all I know, and people sometimes work with government with the best of intentions. I can't say if there is intent or not, but I do know when something is hidden like that there is a reason. And if there was a deal that "couldn't be refused" there would also be a "if you tell we imprison you" clause (reports have indicated you can go to jail even for consulting a lawyer in these cases...which should be outright illegal and certainly unconstitutional where you cannot even consult what your rights are, Where the Canary Warrant idea got started). So many possibilities. Being a "good person" doesn't mean people don't necessarily do bad things with good intent. Without the source, we cannot know. What we do know is secrets are being kept, and given the way we know governments around the world work, odds are good they are partially involved. The UK is trying to pass laws formally REQUIRING companies to have built in back doors to their technology officially. Imagine what could be going on unofficially. Possibly with unwilling consent. In China and Russia those laws were being discussed and may have already been passed.

Re:So it's a backdoor///

[thegarbz]

but ask yourself, why is it closed source yet using an open source core?

That arguement isn't on shaky ground, only because it has sunk and drowned in quicksand. Like WTF? You may as well say "but yes the sky is blue so it proves that Trump was actually the second shooter behind the grassy knoll". The two have as much to do with the use of open source in closed source, and both have equally as much to do with the security of some code shipped by a private company.

And why would you put something like "DRM" in something at that low and dangerous level.

Because that's the only place it has a hope in hell of working? Or have you not paid attention to the many years of DRM developments, TPM, encryption at a hardware level etc.

Never confuse statements

Good advice.

We've had evidence leaked that proved government intentions to hook into all system domestic and foreign through hacks in software and hardware.

Clearly you're a government spy trying to run a false flag operation here. Nice try. We have evidence leaked that proved government intentions to hook into all system domestic and foreign.

Re:So it's a backdoor///

Well, as much as I hate to drive you even further into paranoia, you can't trust anything about the processors you get from a supplier without or without a system management engine. So unless you design your own processor from scratch, and have your own fab (because something can be inserted that you don't know about during manufacturing), you can't know that there isn't something in it that is doing something nefarious.

Re:So it's a backdoor///

[swillden]

It's not necessary to speak with someone in detail about a topic to know what matters. It's enough to know their work on similar projects and -- most importantly -- their values. If the design and implementation work is begin done by people who would quit on principle and blow the whistle if they thought anyone were doing anything funny, then you can be pretty sure that either nothing funny is going on, or else if it is, it's incredibly subtle.

But that wasn't actually the part I was asking if you read. I was asking if you read:

Remote management tools make sense, but it should be possible for end users to disable them, or to take ownership of them and use them for their own ends. The details of exactly how they work, including their source code, should be published. Indeed, I think government should mandate the publication of low-level system management tools and firmware. We need a lot more academic research into the security and operation of these systems.

Minix, that's terrible

[Chrisq]

Minix, that's terrible. What I want to know is why they aren't running HURD.

Re:Minix, that's terrible

HURD? Hah! Not enough control.

Re:Minix, that's terrible

[sl3xd]

Minix 3.x is ~4 kLOC
SeL4 is ~10 kLOC
Hurd weighs in at ~344 kLOC

I can see that mattering on a low-power embedded core.

Is this an opportunity?

Can somebody with a few billion dollars to spare make a clean, open, and competitive X86 clone? Advertise it as spy-free and sell it?

PROFIT !

Minix like

[oldgraybeard]

To lazy to track this down. but I recall something about this Linux thing from Linus Torvalds in the mid 90s ;) lol

That open letter...

[fph+il+quozientatore]

Wow - that open letter is horrible. It just continues the old UNIX wars: "look how cool I am, *my* OS is used everywhere --- thanks to the superior microkernel approach and license. Boo GPL". Not even a mention of the fact that it is used to spy on users...

Re:That open letter...

Should be "could be used."

There are plenty of legitimate uses for this technology in an enterprise, there are hooks inside of SCCM for example that allow an administrator to turn on and reimage a corporate machine, or run updates or other administrative tasks. It can also be used by helpdesk staff to troubleshoot issues before the OS is even booted, maybe help someone get their machine working again without a visit to the desk.

The main problem is it is generally somewhat enabled by default (on but inactive), and not well documented. Things like provisioning are confusing for most.

Re:That open letter...

[Desler]

Not even a mention of the fact that it is used to spy on users...

First prove your claim and maybe he would address it.

It gets creepier . . . .

From Intel Press:

Platform Embedded Security Technology Revealed: Safeguarding the Future of Technology with Intel Embedded Security and Management Engine

"First, the engine should be used as frequently as possible-not only when management service is requested on the system. After all, how often do system problems happen? They do not
happen every day.
                Second, a successful state-of-the-art technology should not benefit only the network administrators and the employees in enterprises. It should bring values to a larger population.
                There are clearly many more possibilities and opportunities to be explored on the security and management engine. In today's mobile age, the demand for secure mobile services that involve valuable assets is gaining significant momentum. As a result, the embedded engine is reborn with new security features that are serving all end users every day."

Who determines what those "values" are? No one that you elected.

Deja Vu

There, it's running: TCP/IP networking stacks (4 and 6), file systems, drivers (disk, net, USB, mouse), web servers. MINIX also has access to your passwords.

Sounds like systemd.

How far back does this run?

Which generation of Intel processor first implemented a functional version of this?

Re:How far back does this run?

[DontBeAMoran]

That's what I'd like to know too.

Re:How far back does this run?

This is a chipset feature, part of the firmware along with the BIOS. The original was on platforms including the Intel 82573E ethernet controller, then it was part of the Q963/Q965 chipsets. Think 2005-ish and later.

Re:How far back does this run?

Every "Core" series of CPU chipset.

My ASRock Haswell Motherboard with ME Version: 9.1.2.1010, is not affected by such vulnerability.
If you're concerned, download the Intel SA-00075 Detection tool.

It's important news, even if a little old

[evolutionary]

this was reported 4 years ago and I remember reading this article awhile back:

https://www.eteknix.com/expert...

Re:It's important news, even if a little old

[evolutionary]

And another article last year:

https://www.techrepublic.com/a...

Just like BMC/iLO/DRAC

Servers come with this feature too. IPMI is a flawed by design protocol that makes communication over a network standard. So easy to hack remotely as well as via firmware hijacks at the OS level.

The remote admin technology is just poorly designed all around.

Re:Just like BMC/iLO/DRAC

IPMI is more useful and more secure than those fucking IP-KVM's that don't get a single update and you can't log into them without installing old versions of Java and old web browsers that can run the Java plugin.

IPMI, when configured correctly, can be turned off in the BIOS, turned on in the BIOS and BMC mapped to it's own ethernet or to share an ethernet port. Then if you are really paranoise, you plug the BMC ethernet cables into it's own ethernet switch and never give it a real internet address, that way you can only remotely administrate a PC by IPMI by tunneling through one you've already configured. Problem solved.

You all gotta remember there is no perfect security, there is only "ineffective" security by leaving shit at defaults, and "security so complicated not even it's inventors know how it works" Security is always a compromise between usability and effectiveness. To take my example above, if any of those PC's connected to the IPMI subnet on their own switch is compromised by hackers, they could reasonably compromise the other machines if the BMC's don't have passwords. Regardless if they are running over SSH or open telnet.

Minix still around?

I thought Linux vanquished Minix back in the day.

Source: "Rebel Code: Linux and the Open Source Revolution" by Glyn Moody

Better proposal

The article proposes the Intel switch to Linux so they can open source this stuff.
That would eliminate the security thru obscurity story.

But it would be very disruptive.
A simpler plan would be to just publish the source for the already open source stuff they have.
The Minix license is compatible with publishing or not.

I seems likely (See Tanenbaum's letter) that Intel chose it because for the 'or not' part.

So, is there any kind of network firewall that one can put in front of these chips to help this situation?

Plot Twist

[etinin]

This is a huge plot twist in a longstanding argument (monolithic x micro kernel). It had been widely believed Minix was all but dead, but it looks like Minix won against Linux in a way, even if used for evil. Mr. Torvalds is probably not very happy that Intel didn't choose his kernel for their evil deeds.

Someone Knows How

[oldgraybeard]

To Access this, Just tell me ;) I will keep it to myself ;) Trust Me ;) Wink Wink

"running on three separate x86 cores on modern chips. There, it's running: TCP/IP networking stacks (4 and 6), file systems, drivers (disk, net, USB, mouse), web servers. MINIX also has access to your passwords."

Does the ME depend on BIOS updates?

I keep getting error messages in Windows 10 about the IME being unable to communicate with the "firmware" (aka BIOS). So, if the BIOS is not up to date (as per the manufacturer's lack of interest in these matters when the system is out of warranty) but the IME is, what kind of catastrophic outcome should I expect?

Re:Does the ME depend on BIOS updates?

[nutznboltz]

To understand the implications of an out-of-date ME search on CVE-2017-5689 and INTEL-SA-00075

They do.

Via the PSP which is a dedicated ARM Trustzone core, also with a full OS, and all the disadvantages of ARM TrustZone on your cell phone/SBC.

The irony of all this is the Raspberry Pis are now one of the 'most trustworthy' devices in the average techies toolkit, because they have the TrustZone support strapped disabled by the Pi board (or not included at all on the earlier Armv6 variants.) and as long as nothing roots/jailbreaks via the GPU driver (which has no MMU and full access to all memory in the BCM SoC) it is simpler and more easy to audit than any post LGA1366 Intel hardware.

Given all the failed 'open source' chip/motherboard/gpu/etc projects we have laying around, as well as obvious false flag projects like the Purism hardware, I have to wonder: How much of this is psyops or government pushes to ensure peopel stay on Wintel/Android/Apple in order to maximize the spying capabilities of government agencies?

Three separate cores?

[Doctor+Memory]

TFA claims the latest version runs on three separate x86 cores. Are these three in addition to the stated number of cores on the chip, or is it running on three cores that I paid for, and interfering with my use?

Re:Three separate cores?

They are in addition, part of the chipset and firmware on the motherboard.

Re:Three separate cores?

3 cores using the electricity that I pay for

but how to we validate alleged "transistors" ?

Bah.
You're not a true Jedi until you've built your CPU from transistors.

Take that Linus, you lose

MINIX officially beat Linux. Andy Tannenbaum was right all along.

MINIX has nothing to do with it

[Jack+Greenbaum]

"MINIX can still potentially change your computer's fundamental settings." Give me a break. MINIX provides nothing that enables this. It could have been WinCE or even raw ASM and had the same capability. Its all about the hardware! What a dumb statement.

Re:MINIX has nothing to do with it

I think you're missing the point, which is that an OS sitting that high up can "potentially change your computer's fundamental settings." This is regardless of whether it's MINIX, WinCE or whatever else you're listing.

Re:MINIX has nothing to do with it

[bill_mcgonigle]

Give me a break. MINIX provides nothing that enables this.

If the ME can image the drive remotely it can certainly change /etc/ssh/sshd_config and /root/.ssh/authorized_keys with a small driver (ext2, etc.). GRUB is way tinier and can handle basic ext2 stuff.

It doesn't matter if the ME is only listening to the LAN. Give a decent blackhat a week and you'll have a package that deploys to an ad network which exploits the browser, then exploits the router, then exploits the ME and opens a remote C&C channel on the next reboot. If you need it quick, poison pid 0 via memory injection and the admin will reboot the server quickly when it 'oddly misbehaves'.

"Cosmic rays" are so 2013...

Overblown -- and inspectable.

It's overblown by those who've never managed a large number of computers in their life. Some probably have never even used a KVM. People fear what they do not understand.

No, it has nothing to do with the "Clipper Chip"

[Jack+Greenbaum]

The clipper chip was a back-doored encryption device. It has nothing to do with the hardware level access that the ME has in an Intel based system.

calling B.S. on part of this

> It can also reimage your computer's firmware even if it's powered off. Let me repeat that. If your computer is "off" but still plugged in, MINIX can still potentially change your computer's fundamental settings.

Nope. The little watch battery that maintains the RTC is not powerful enough to do anything else. If the toggle switch on the back of my PSU is in the OFF position, that's it, game over.

Re: calling B.S. on part of this

All atx ps output low current 5v when plugged in, even when ""off"

Re: calling B.S. on part of this

[bestweasel]

IME can turn the machine on remotely only if there's power to the PSU.

Re: calling B.S. on part of this

Nope. If the PS has a physical toggle switch (required by safety regulation), it interrupts the main AC line. There can be no power to anything if that toggle switch is off.

MINIX, the father of Linux is the most popular OS

[SysEngineer]

If most MSWindows, Macs use Intel processors, then Minix is running on more computers than both making it the most popular OS. Then add in ARM android Linux, and other embedded computers, then this OS family is on 80%** of the computers in the world.
** AMD, old Macs and main frames are the only exceptions.

wow the FUD is strong in that one

[kamakazi]

We have a couple facts here, and a whole bunch of conclusions.
The facts are that there is a general purpose OS running a microkernel in a management layer on unspecified Intel CPUs. This general purpose OS provides at least network accessible management interfaces.
The conclusions are this general purpose OS is infinitely exploitable to steal all your top secret information and redirect all you web requests to the mind control platform of the month.
This Minnich character (I enjoyed that similarity, Minnich/Minix) then jumps to a call to neuter everything below the user installed OS including UEFI. He then juts off on a side tangent and says trust me (He is a Google engineer) to always install good safe firmware on your Chromebook. That was a nice subtle bit of astroturfing there. He also blames Minix for slow boot time on an Open Compute server, not sure where minix plays into that or what axe he is grinding.

Let's look at it a little more objectively. Why do these processor companies keep putting general purpose OSs at a level which was traditionally all hardware/firmware, and why do systems makers use an accesible programming layer to configure hardware like UEFI? Well, whe we were running 386s and 486s we really were running microprocessors. Hardware was relatively static, device support was locked at time of manufacture, processors did processing (with maybe a coprocessor for math) and accessory cards did a single function each. In that time frame supers, like the first Crays, couldn't even boot themselves. They used a completely separate computer to boot and for time scheduling and such. Now today, we have computers which are powerful on the level of the early supers. Our processing no longer all happens on the CPU, but also in the GPU(s) and other pieces in the system. We no longer have external memory and bus controllers, they are built into the processor or the mandatory northbridge, and are much more capable and adaptive. There are hosts of sensors built into modern processors. All of these pieces need to be managed. There is an absolute necessity for a relatively capable computer in there to manage all these pieces.
It used to be done with static logic arrays, controlled by registers, and we called it BIOS, and it had a little interface that could usurp the monitor output and keybpoard and chirp the speaker, later got so fancy it could hijack a mouse on some systems. It was very limited, in fact, on the earliest PCs it didn't have a UI at all, it had dip switches or jumpers on the system board.

Now with the advent of negotiated buses (even memory buses, back in the day I never would have conceived of a CPU being able to ask a memory module what capabilities it possessed and automatically configure timing parameters to best talk to it) the management processor has a lot to do. On high end machines they even do this negotiation on the fly with the advent of hot plug PCI buses and on the fly memory error compensation. By the nature of the beast this management engine has to be able to see all the data buses, otherwise every single connection interface would need an out of band management channel.

I suppose you could make this management engine like a FPGA, configure it once and burn your bridges, no further interraction possible, but then what happens when you need to add or change something?

Likewise it often doesn't need a network interface, but if it doesn't have one then we have to do wake on LAN with yet another baby management computer. How about physical intrusion detection? again, not often needed, but sometimes...

Basically what a general purpose OS in the management layer does is give nearly infinite flexibility. This technology is a big part of the reason so much of our stuff just works.

Now, I am not really a drink the cool-aid from the benevolent overlords kind of guy, I am not at all in favor of secret OSs underpinning our hardware without our knowledge, but let's not throw out the baby too. That capability is in most cases useful

Re:wow the FUD is strong in that one

And that's precisely the problem:

IT'S NOT SIMPLE, NEITHER CONTROLLABLE (for the owner of the device)

And that's because of design. It was designed to cater the enterprise market, but somewhere down the road, government agencies, and the media industry got involved and the resulting mess is what we got today. And that's another big problem these technologies bring to the table: Your computer is no longer "personal". At least while you're connected to the internet.

Of course, you can put a firewall or another machine with a arm or mips processor in between to stop the "bad" guys, but in the end, there's no easy solution to this, and probably will grow into worse problems... Just look to Windows 10 and the alleged "spy" at the OS level. And people just accepts that now.

Re:wow the FUD is strong in that one

Oh yeah, i forgot android and iphones calling home by default... yup... people accepted that first and foremost.

Re:wow the FUD is strong in that one

>> Now, I am not really a drink the cool-aid from the benevolent overlords kind of guy, [...]

Well, your user name is "kamakazi" [sic]... :-) /fleeing battleship

Re:wow the FUD is strong in that one

[kamakazi]

>> by Anonymous Coward on 19:13 7th November, 2017 (#55510563)

>>>> Now, I am not really a drink the cool-aid from the benevolent overlords kind of guy, [...]

>>Well, your user name is "kamakazi" [sic]... :-) /fleeing battleship

Umm, Is '[sic]' even a valid comment for a name? Unless, of course, you know how the name is actually spelled. Would you say "Kari" [sic] because somewhere else you had seen it written "Carrie"?

"Kamikaze" is an anglicization of a word that kinda sounded like that to some English guy who transliterated it incorrectly into English, the kamakazi user name is one that I chose many years ago (note the 5 digit UID) because I liked the way it looked when I wrote it, and it has a pleasing rhythm with 2 alliterative syllables. Since I don't speak Japanese I am quite sure I don't grasp the true denotative or connotative meaning of the word kamikaze. In fact, from a recent report that made a news site I frequent, even the Japanese are having a small cultural crisis over their historical view of the pilots who were called kamikaze.
Interestingly according to Wikipedia the word kamikaze is actually from the name given to a 13th century storm that took out an invding Mongol fleet, sounds kinda like what happened to the Spanish armada off the coast of Britain.

So what were you doing on a battleship anyway? :)

Re:wow the FUD is strong in that one

[OneHundredAndTen]

All that is very interesting. It also underlines a really nefarious aspect: that we cannot be sure that Intel will not be using that stuff to spy. We do not know if it is, but we sure know that they have built the capability to do so in their products. You may be OK with that; many of us are not.

Re:wow the FUD is strong in that one

>>Well, your user name is "kamakazi" [sic]... :-) /fleeing battleship

> Umm, Is '[sic]' even a valid comment for a name?

Yeah. [sic] just means "I didn't choose to spell it this way; the writer I'm quoting did"

Thank you.

Thank you for saying that it's off by default - everyone seems to just gloss over that one. More than that, there are only two ways to enable it:
  - using a keyboard shortcut during BIOS POST (physical access, the machine is already owned in any number of ways including just taking the drive out, why bother with AMT?)
or
  - enable it remotely through arbitrary privileged code execution on the machine (it's owned already) AND you have a certificate issued by a trusted CA specifically for AMT provisioning (costs money), and that certificate's domain matches the one being given out by DHCP at the time of provisioning (meaning the network is owned too). If you already own the machine to the point of executing whatever you like with admin-level permissions, and you own the network to the point of changing DHCP options, why bother with AMT?

For someone to get anywhere with AMT / vPro, they would already have exploited far easier routes to getting anything they could get through AMT / vPro. This is the reason we have seen exactly zero articles about people being exploited in the wild through AMT / vPro - anyone that knows what it actually is, and what it takes to run it, knows there are far easier ways in, and those easier ways are a predicate to using AMT to do whatever they could already do.

Re:Thank you.

how do you know, that intel/amd silicon has no extra "remote management" features then what is described in the worthless documentation? have you ever checked? is it even possible to actually check? ahaha.

Re:Thank you.

[EndlessNameless]

have you ever checked?

Personally, no.

is it even possible to actually check? ahaha.

Of course it is. You cannot remotely manage anything without network traffic. While AMT could hide this traffic from its host, it cannot hide the traffic from the network.

It's easy enough to monitor activity on an enterprise router, or to mirror a port so you can analyze its traffic later without affecting the traffic in any way whatsoever.

For a home user, you could route your traffic through a device running Snort or DD-WRT. I believe both support port mirroring. If not, it's pretty easy to find working enterprise equipment cheap on eBay. Even an entry-level Catalyst switch will support mirroring.

Re:Thank you.

Because nobody has ever used a scanning electron microscope to look at a chip's actual structure before. No wait, they do it to every iPhone on the day it launches.

Also, network monitoring. Turn it on in a lab, and watch / log what flows from it if you are that worried. Plus, why the fuck would Intel / AMD do that? News gets out that they pre-tapped every PC shipped in the last 5 years and they get straight-out banned from sale across the globe by governments that don't take kindly to that kind of thing, and sued into oblivion right here at home by everyone from the ACLU to the Libertarian Party.

For what? Some metadata to sell to Google? Please think about the risk versus reward you are talking about here - there's no upside to what you are talking about to Intel, so why the fuck do it?

Your paranoia is not serving you well.

Re:Thank you.

[Jiro]

While AMT could hide this traffic from its host, it cannot hide the traffic from the network.

That doesn't help. It would be easy for the manufacturer to program it so that it looks for a specific sequence of bytes over the network and transmits something when it receives that particular sequence of bytes.

Re: Thank you.

[guruevi]

Read up on the feature, thatâ(TM)s exactly how it works, the only thing is that you have to allow the traffic on your network to send it a sequence of bytes.

It has its own IP and MAC addressing, enabling the features is pretty obvious.

Re:Thank you.

[OneHundredAndTen]

Thank you for saying that it's off by default - everyone seems to just gloss over that one. More than that, there are only two ways to enable it: - using a keyboard shortcut during BIOS POST (physical access, the machine is already owned in any number of ways including just taking the drive out, why bother with AMT?) or - enable it remotely through arbitrary privileged code execution on the machine (it's owned already) AND you have a certificate issued by a trusted CA specifically for AMT provisioning (costs money), and that certificate's domain matches the one being given out by DHCP at the time of provisioning (meaning the network is owned too). If you already own the machine to the point of executing whatever you like with admin-level permissions, and you own the network to the point of changing DHCP options, why bother with AMT?

How the heck do you know all that? Because Intel has told you so? That surely makes one feel reassured all right.

Re:Thank you.

[Twanfox]

There was a brief stint in my company where we attempted to provision Intel vPro as a way to assist the Help Desk staff remotely support end user devices even through reboot cycles. We got through the whole process of configuration and provisioning. Required new objects in Active Directory, required us to abandon a disjointed DNS namespace, and provision certificates and then, at the end of the Proof of Concept, we got a site full of working remote management chipsets.

Then we asked the question: When we reimage the device, how do we re-provision the ME? It was determined that it wasn't possible to do it on-board even, that it had to be executed from the network/off board, which would require a sort of Rube Goldberg process to make happen in our imaging strategy.

The effort was abandoned after introducing far too much complexity in security to be feasible. It worked as advertised, but it was just too difficult to begin to work with. I can't imagine hacking it makes it any easier, given the restrictions configured in it.

Re: Thank you.

It has its own IP and MAC addressing, enabling the features is pretty obvious.

Do you have more details on this?

I have one particular PC wired to my router that always appears in the router's interface as being connected twice. Once with its legitimate, statically assigned IP and the MAC I can verify from Windows. The second connection is DHCP with the name "*" and a MAC address that begins with 48:00:33 (Technicolor, could be anything). This machine only has one NIC, no wireless card, and only one adapter/interface listed in ipconfig. Being unable to identify what the DHCP connection is or where that MAC is coming from, I've blocked that MAC from all network access in the router, but I've always been suspicious about what it is. The machine is running an Intel P6200.

Can this be controlled with a good firewall?

Just wondering.

Anyone analyzed the hosts contacted by the systems running ME? Would be interesting to know ;)

External firewall

I run a pfSense external firewall that should prevent any intrusions, that is if the ip addresses these embedded OSes use are known and flagged by Snort.

Run Minix on a VM on Minix then...

It's Minix all the way down!

It's very useful for those of us who turn it on

[raymorris]

It's extremely useful, to those of us who turn it on, because it replaces a $1,000 IP KVM. I don't care to drive an hour and half to the datacenter and an hour and a half back because somebody typoed a firewall or network setting. Much easier to just fix it remotely using IPMI or IME or whatever your vendor calls it this week.

If you don't need remote access to a crashed machine, don't turn it on.

Re:It's very useful for those of us who turn it on

[Opportunist]

If you don't need remote access to a crashed machine, don't turn it on.

If you know how to turn it off, please tell the world! Hell, I'd pay to know!

Generally no, arm chips on motherboards

[raymorris]

Generally no, arm chips don't have remote management built in. If you have an arm server, you'd do it the "old-fashioned" way, with the remote management processor being on the motherboard. The remote management processor on a mother board for older Intel or AMD CPUs may itself be an ARM cpu in many instances.

Re: Generally no, arm chips on motherboards

[Type44Q]

Someone's never heard of the baseband processor (no, it might not be on the same die but let's not be pedantic to the point but of stupidity).

Purism Librem Laptops Completely Disable Intel ME

This is one of the reasons why I was looking at Purism laptops. They've recently announced they have completely disabled the ME. My Librem 15v3 arrived yesterday and now I'm free...

Check it out...
Purism Librem Laptops Completely Disable Intel's ME

P.S. I am not an employee. Just happy to promote all the good things this company is doing.

Re: It's very useful for those of us who turn it o

Its EXTREMELY useful to The NSA too bud!

Finally!

[hoggoth]

2017 is the year of MINIX on the desktop! All of the desktops...

Stop Intel AMT/ME easily... apk

See subject: Stop it's ability to send info. outward via router port filtering ala ports 16992-16995 that Intel AMT/ME uses so filter those ports in a modem/router external to OS/PC. Intel ME/AMT operates from your mobo but has NO CONTROL OF YOUR MODEM/ROUTER!

(This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)

Additionally, once you disable the AMT engine's software interface (ez via software these articles note)? A malware to 'repatch' this = impossible (bios updaters require it in usermode ware, e.g. ASUS).

(I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))

HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" as well (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/

* GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones do not)!

APK

P.S.=> Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, from OUTSIDE of the INTEL chipset external to it via a router/firewall hardware... apk

NOT "turn it on"! Get access to it! It's always on

In fact, it can't be turned of at all.
That't the point.
When you "turn it on", all you are doing, is opening a channel to talk to it.

And stop shifting the discussion! It's not about usefulness! It's about untrustworthiness on a psychopathic serial murderer level!

Re:No mention of AMD? Yes, RTFA

[sqorbit]

"What's the solution? Well, it's not "Switch to AMD chips". Once, AMD chips didn't have this kind of mystery code hidden inside it, but even the latest Ryzen processors are not totally open." Directly from the article.

Re:Purism Librem Laptops Completely Disable Intel

How do you know the ME has been completely disabled? Is there some way for you to verify it conclusively?

how is this news

[spongman]

IPMI has been a thing since the late 90's and similar proprietary systems existed long before that. ok, so now it's on-chip, but that doesn't change the fact that you should know about what traffic is on your LAN.

Libreboot says this Intel stuff killed Libreboot

Well killed them on Intel according to their FAQ
https://libreboot.org/faq.html#intel

Someone doesn't know the difference between a boar

[raymorris]

Someone doesn't know the difference between a board and a chip. A Qualcomm cellular modem with it's baseband processor, such as the famous MDM9600, may be on the opposite end of the circuit board from the CPU. Did you not even read the SUBJECT LINE of my post before spouting off with your stupidity?

Most ARM processors are in fact NOT in smartphones, so there no baseband processor in the device at all. Your car has several ARM processors, your TV probably has one, etc. In total, 86 BILLION ARM processors have been sold.

You might also note the baseband processor is not a remote management interface. The baseband processor cannot access the storage of the device, for example. (Though in one instance the main CPU, which can access the storage, had a backdoor which accepted commands over the modem).

How to exploit the Intel Management Engine

[najajomo]

Due to a 'bug' in the code, you can access the AMT with a zero length password. The ME cannot be completely removed, but due to a request from the NSA, it can be disabled with a secret kill switch.

Re:How to exploit the Intel Management Engine

Check for BIOS updates that address this flaw. I installed one from DELL months ago but I did not understand the full implications of what was going on back then as I do now.

Some red flags

There are so many red flags which would make any Intel x86 CPU suspect that this IME/AMT is indeed a backdoor.

i. Difficult to disable and not even listed in BIOS of old systems build before 2011. (Don't believe the disinformation campaign of some posts here that it can easily be turned off in BIOS)

ii. Very sparse documentation from Intel about this unknown feature.

iii. CPU and whole machine shutsdown after 30 minutes of IME/AMT is tinkered (or disabled via hardware hacks).

iv. Included even in home use versions. Should've only been included in Enterprise where an IT admin requires it.

v. Designed to be very difficult to reverse engineer because it (IME firmware) uses different CPU.

Now if this IME/AMT is NOT a backdoor, there should be complete documentation for everybody, and it should be easy to disable or turn off if not easy to unsolder from the MoBo. But NO, all the above proof just confirms this is a backdoor. Note that this feature can be used as killswitch on your PC/laptops so Intel and M$ can sell you a new one. This is a sick greedy world we're in.

This is good, if resources on our planet is infinite. But sadly, the rare metals in CPU and other electronic parts are not infinite on the crusts of the earth.

Intel should be forced to pay compensation

Intel is running their software on your CPU, using electricity
which you pay for. If they do not compensate for that, they are essentially
stealing money from you, which is an offense for which they can be held liable in court.

I propose everbody with such a CPU starts sending Intel invoices.
If hey do not compensate, a class action law-suit should be started.

over 8,500 systems with the AMT interface exposed

For someone to get anywhere with AMT / vPro, they would already have exploited far easier routes to getting anything they could get through AMT / vPro. This is the reason we have seen exactly zero articles about people being exploited in the wild through AMT / vPro

NSA shill detected.

The hijacking flaw that lurked in Intel chips is worse than anyone thought

A query of the Shodan security search engine found over 8,500 systems with the AMT interface exposed to the Internet, with over 2,000 in the United States alone.

minixd

Systemd already takes advantage of this. Minixd offloads incremental backups to cia.gov to the minix chip which saves cycles on the main cpu. This feature also thankfully disables booting of inefficient non-intel setups.

Re:Purism Librem Laptops Completely Disable Intel

So you paid $1500 for a rebadged $400 ASUS laptop that doesn't even have an IME/vPro-enabled CPU to begin with?

I hope you feel smart.

Purism Laptops Completely Disables Intelâ(TM)

The Management Engine (ME), part of Intel AMT, is a separate CPU that can run and control a computer even when powered off. The ME has been the bane of the security market since 2008 on all Intel based CPUs, with publicly released exploits against it, is now disabled by default on all Purism Librem laptops.

Libreboot says this Intel stuff killed Libreboot

[nutznboltz]

Well killed them on Intel according to their FAQ
https://libreboot.org/faq.html...

Wrong

[Rujiel]

Anyone who bought a thinkpad laptop with an i5 or better has it on by default. You seriously think it's impossible for anyone other than a business to buy such a laptop?

Bingo

[Rujiel]

The shilling here is on overdrive. I first noticed it with Assange and Snowden threads, now it's all over the place.