System76 Will Disable Intel Management Engine On Its Linux Laptops (liliputing.com)
System76 is rolling out a firmware update for its recent laptops that will disable the Intel Management Engine altogether. The decision comes after a major security vulnerability was discovered that would allow an attacker with local access to execute arbitrary code. Liliputing reports: What's noteworthy in the System76 announcement is that the PC maker isn't just planning to disable Intel ME in computers that ship from now on. The company will send out an update that disables it on existing computers with 6th, 7th, or 8th-gen Intel Core processors. System76 also notes that Intel ME "provides no functionality for System76 laptop customers and is safe to disable." Right now the firmware update will only be available for computers running Ubuntu 16.04 or later or a related operating system with the System76 driver. But the company says it's working on developing a command line tool that should work on laptops running other GNU/Linux-based operating systems. System76 says it will also release an update for its desktop computers... but on those machines the update will patch the security vulnerability rather than disabling Intel ME altogether.
I'm glad that they are doing this, BUT, from what I know about the IME, it is extremely complicated and disabling it is not simple or straightforward -- otherwise someone would have done it a long time ago.
At this point all AMD has to do is willingly release the information to provably disable their own management engine equivalent and they can sweep the market.
Too late, AMD has PSP.
Avantgarde Hebrew science fiction
Typical slashdot user who is never satisfied by any progress toward something nice...
Second time I've seen this post, and I want to believe it's accurate and complete. Can any 3rd party verify this information in any way with a citation?
I have yet to hear of a single useful thing IME gets me, and lots of bad things it gets me. Current laptop runs an AMD chip, when it dies/becomes obsolete in 5 years or so I'll use it to determine which CPU my new system will have.
// hard drive is less than half full, even though I have a NAS I'm not good at updating
/// I remember the 3 year updates, with a graphics card every 18 months. Times have changed
/ Yeah, I said 5 years. This thing is 3-4 years old
Oh, admit it, you're thinking of drilling some holes in a few motherboards as a test, too.
Yea, the monitoring time is the real question I have here. Weeks... eh, slight confidence boost. Months... better. YEARS (multiple) and maybe we have reasonable confidence there isn't some timeout that waits before trying other outbound ports.
I can't speak for the AC, but I'd be down to experiment with a pile of motherboards and a power drill if someone else is buying.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Re monitoring
Are clandestine services' staging servers pushing very direct requests over 16992-16995 to an IP that gets detected from time to time?
Huge malware scans up and down ip ranges in a random attempt to find the hardware that responds as cover? Ty.
Domestic spying is now "Benign Information Gathering"
...IME was originally designed for servers only. Any OldFarts(TM) out there - remember crash carts? Yeah, the ability to remotely power-cycle servers was a really big deal when you're running hundreds/thousands of servers and VMs were just a pie in the sky. Also, basic front-end network management 101 handled security. There are still good reasons to allow IME in server deployments, but I see no good reason for including this in laptops. I suspect that this was brought into the Core line due to those people building servers needing remote management using i7, etc. chips, but that's just a guess.
Most server boards have IPMI with its own NIC; most boards have a setting for combined or own. If Intel wants to kill IPMI and go to IME they will need to have it so it can be put on its own NIC.
Your downmodded posts aren't hidden. They are correctly categorized as garbage. Some people will browse and see the 0 and -1 garbage, usually other mods or brave people with too much free time.
Reasons that APK deserves frequent downmoding:
1. lacks an account and always posts as AC
2. makes duplicate posts
3. admits to trying to avoid moderation
4. frequently posts off topic advertisements for his [free] products and services.
5. talks like a git. really his English phrasing is bizarre.
“Common sense is not so common.” — Voltaire
Yeah like how when Windows 10 introduced telemetry it became the Year of the Linux Desktop...that's right isn't it?
...I can't agree with the many reactionary Slashdot commenters...
...there should be a simple and transparent way to completely and verifiably disable it, ...
I think it’s a bit more than that. The feature may be useful, but the outrage is legitimate. Consumers, most of whom arguably have no need for such a feature, fortuitously found out about its existence and that it is enabled in their computers. They had not been told about it, so they had no way to even try to use it. Other people (government, corporate, hackers) knew about it, so the malicious among those were in a position to abuse it (by exploiting its features and its security flaws). No wonder consumers are up in arms over this. They are not over-reacting.
So, no, a way to disable it is not enough. This kind of feature requires full disclosure (before you buy), documentation (so that you can actually use the feature if you want) and, at least on systems sold to consumers who are unlikely to use it, it should be entirely disabled by default. Institutional customers who buy computers in quantity can (and indeed do) request the configuration that they want (including, for example, activation of Intel’s anti-theft protection).
if you can't control what's in it.
The GP was unkind to you. I don't think you deserve to be censored. You provide a very good service. Personally I enjoy a good APK post with a side of LSD. The resulting colours in the sentence structure are amazing.
I didn't know people like this existed. Until today. I feel like being extremely privileged.
It's APK, and I don't trust APK at all due to the spamming.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Isn't it mind-boggling that Minix is actually more used on laptops currently than Linux?
(The management engine runs custom version of Minix)
There are no atheists when recovering from tape backup.
See subject & https://it.slashdot.org/comments.pl?sid=11050927&cid=55109115/ & spam? See https://slashdot.org/comments.pl?sid=11424811&cid=55655675/ , https://slashdot.org/comments.pl?sid=11424811&cid=55655691/ & https://slashdot.org/comments.pl?sid=11424811&cid=55655719/ where our /. peers shut you down speaking FOR me against your bs outnumbering you by MANY orders of magnitude as they both LIKE & USE my work - not yours - you're not capable of being useful, troll.
* Period!
APK
P.S.=> Too bad you never come up with something that works like I do Z00L00K - you're not capable of THAT either but I am - you WISH you were me, lol... apk
lacks an account and always posts as AC
So fucking what? This site allows anonymous posting. That is not a reason to downmod anything. Anonymous comments already start at 0. Just because you think everything online has to be tied to an account doesn't make it so.
Technically what you found was a mirror.
System76 seems to be one of very, very few American manufacturers that can be trusted. But one issue still remains - have they received any NSA court orders, compelling them to subvert the systems they sell?
Stop its ability to send info outward via router port filtering of ports 16992-16995 + 623-625, which Intel AMT/ME uses, in a modem/router external to the OS/PC.
Intel ME/AMT operates from your motherboard but has NO CONTROL OF YOUR MODEM/ROUTER!
(This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)
Additionally, once you disable the AMT engine's software interface (ez via software articles note)? A malware to 'repatch' this = impossible (bios updaters require it in usermode ware, e.g. ASUS).
(I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))
HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" too (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/
* GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones don't)!
APK
P.S.=> Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, from OUTSIDE of the INTEL chipset external to it via a router/firewall hardware... apk
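As an added example (not part of APK's post, nor anything System76 or Intel ships), here is the detection side of the port-filtering advice: a small Python script that reads netfilter LOG-target lines from a router and flags every packet to or from the AMT/ME ports the post names (16992-16995 and 623-625), so you can see whether any machine on the LAN is actually talking on them before and after adding the filter. The log lines are constructed for the example, and the assumption that the LAN-side interface is called br0 is a parameter you would set to match your own router.

```python
import re

# Ports the post above says Intel AMT/ME uses: 16992-16995 (AMT web/redirection)
# and 623-625 (ASF/RMCP). Any packet to or from them on a home LAN deserves a look.
AMT_PORTS = frozenset(range(16992, 16996)) | frozenset(range(623, 626))

# netfilter's LOG target writes space-separated KEY=VALUE fields; we only need these.
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")

# Constructed sample of router log lines (RFC 5737 documentation addresses);
# the "FW:" prefix and interface names are assumptions, not a real capture.
SAMPLE_LOG = """\
Dec  1 10:00:01 gw kernel: [1001.0] FW: IN=br0 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=49152 DPT=16992 SYN
Dec  1 10:00:02 gw kernel: [1002.0] FW: IN=br0 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=49153 DPT=443 SYN
Dec  1 10:00:03 gw kernel: [1003.0] FW: IN=eth0 OUT=br0 SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=51000 DPT=16994 SYN
Dec  1 10:00:04 gw kernel: [1004.0] FW: IN=eth0 OUT=br0 SRC=198.51.100.7 DST=192.168.1.10 PROTO=UDP SPT=623 DPT=623
Dec  1 10:00:05 gw kernel: [1005.0] FW: IN=br0 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 PROTO=TCP SPT=49154 DPT=80 SYN
"""


def is_amt_port(port):
    """True when the TCP/UDP port is one the post lists as used by Intel AMT/ME."""
    return int(port) in AMT_PORTS


def parse_netfilter_line(line):
    """Return the interesting fields of one LOG-target line, or None if it has no SRC/DST."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    fields["SPT"] = int(fields.get("SPT") or 0)
    fields["DPT"] = int(fields.get("DPT") or 0)
    return fields


def find_amt_traffic(log_text, lan_if="br0"):
    """Scan LOG-target lines and return one record per packet touching an AMT port.

    lan_if is the router's LAN-side interface (assumed br0): a packet that
    entered on it is outbound from a LAN host, anything else is inbound.
    """
    hits = []
    for line in log_text.splitlines():
        f = parse_netfilter_line(line)
        if f is None:
            continue
        # Check the destination port first (someone reaching an AMT listener),
        # then the source port (an AMT listener answering).
        amt_port = next((p for p in (f["DPT"], f["SPT"]) if is_amt_port(p)), None)
        if amt_port is None:
            continue
        outbound = f.get("IN") == lan_if
        hits.append({
            "direction": "outbound" if outbound else "inbound",
            "lan_host": f["SRC"] if outbound else f["DST"],
            "peer": f["DST"] if outbound else f["SRC"],
            "proto": f.get("PROTO", "?"),
            "port": amt_port,
        })
    return hits


def hosts_by_port(hits):
    """Group the flagged AMT ports by LAN host: a quick 'which machine is talking' view."""
    summary = {}
    for h in hits:
        summary.setdefault(h["lan_host"], set()).add(h["port"])
    return summary


if __name__ == "__main__":
    found = find_amt_traffic(SAMPLE_LOG)
    for h in found:
        print(f"{h['direction']:8} {h['lan_host']} <-> {h['peer']} {h['proto']}/{h['port']}")
    print("per host:", hosts_by_port(found))
```

Run it against the sample and three of the five lines are flagged: one outbound attempt to 16992, one inbound probe to 16994, and one inbound RMCP packet on 623, all involving the same LAN host. Filtering at the router only sees traffic that crosses it, and the log prefix and bridge name differ per firmware, so point `lan_if` and the regex at your own router's format before trusting an empty result.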
Err no it's not.
I was quite surprised (and saddened) to discover that Win10 has been the most popular Windows OS in Western nations for several months now, including America and Europe, overtaking Win7 around the beginning of 2017.
And sadly, Win10 is now only 2% behind Win7 as being the most popular Windows OS in the World.
If people are sheep-enough to let Google use them with Android / Chrome, then it makes sense why Microsoft following their spying strategy will also succeed.
People simply don't know / don't care about their privacy.
Hate to defend an illegible spammer like APK, but he appears to be right in blocking certain ports used by Intel AMT.
Design a model of your laptop with the original IBM 7-row keyboard and trackpoint, and you've got a customer for life here!
A government is a body of people notably ungoverned - AC
So fucking what? This site allows anonymous posting. That is not a reason to downmod anything. Anonymous comments already start at 0. Just because you think everything online has to be tied to an account doesn't make it so.
Sure, it's fine to post as AC. It's an integral part of this site. But mods are going to down mod ACs if they post horseshit. And in APK's case, he's not really anonymous. He's signed everything and chooses not to post under an account in an attempt to manipulate the comment system. He's done this for years with limited success.
PS - I've not spent a single mod point on this thread (obviously I cannot). This account is old enough that if I had multiple accounts I would more likely have the mod points on this account than some newer account, so it cannot be a sockpuppet mod either.
PPS - I do use APK's host file on all my systems at home. His persistence and technical abilities work well for maintaining host files. But he's less effective at communicating with other human beings on this forum. Either by his own choice or by his own limitations.
It's OK. I knew he'd bring out personal attacks when I responded to him with my account. Usually people reply AC to him and he ignores them after a while. He'll be fuming for a day or two before he finds something new to do. I've dealt with him before, and I've dealt with others on /. that were worse with boundaries than APK, to the point of filing police reports. At least APK usually only tries to discredit or embarrass me.
Guess what else I found? You EVEN complimented me on hosts being effective for you in your post history stopping ads in videostreams (I could've told you that - I never see YouTube ads, or rarely until I block the server serving them up, easy to find) - but NOW you give ME SHIT?
You don't seem to understand that one thing has nothing to do with the other. I can appreciate your persistence and technical abilities, while finding your posts inscrutable and bizarre.
You seem upset, but I gave you a very fair enumeration of why people tend to down mod your posts. I'm not orchestrating some down mod conspiracy against you, but I did draw a reasonably accurate picture of how mods independently come to the same conclusion.
If you want to take my old resume and do something with it, I'll let you know that it is copyrighted material, and authorization to reproduce that material is not automatic and must be obtained. I've granted others the right to reproduce it, but I have not granted you those same rights. (Obviously.)
Intel CPUs still run a blob at initialization called the FSP. This is sometimes entangled with the ME, but is separate and is not getting disabled. The blob is usually writable for updates and must run before any user-supplied code, so it's an ideal spot to put persistent malware to evade verified boot anti-persistence schemes. The AMD equivalent is called the PSP.
Hate to tell you but so far as I know AMD has its own version of the Management Engine baked right into their silicon as well.
Having worked at Intel for a while testing graphics drivers, I know that the Management Engine is also leveraged to perform HDCP (High Definition Content Protection) as well as remote-management functions; any idea how disabling it at the firmware level will affect that? If HDCP is disabled as well then some AV content might not be playable on Intel platforms.
OrangeTide you called me names 1st offtopic:
You've called me names and bullied me for YEARS. Also read carefully, I did not call you a git.
5. talks like a git. really his English phrasing is bizarre.
No Intel AMT/ME on my ARM, so it's not really a problem that I've looked into. Given my networking background and multi-system household I probably would have attacked the problem using routing tables rather than hosts file, certainly disadvantages to routing tables but easily centralized and it's what I am familiar with.
Good on you for finding a solution that anyone can make use of and for sharing it. But that doesn't justify your abusive behaviour for the last several years.
I even show him complimenting my hosts technique & also where he TRIED 'weaselling out' of RTF issues I nailed him on.
Please paste the link where you nailed me on "RTF issues". We haven't seen any proof.
Doesn't add up considering YOU GOT DROPPED (or left) IN THAT SAME TIMEFRAME TOO LIAR / [slashdot.org] & "laid off" https://slashdot.org/comments.... [slashdot.org] YOU GOT DROPPED/FIRED https://slashdot.org/comments.... [slashdot.org] - IN THAT TIMEFRAME TOO - YOU are busted lying!
You screwed up with your assumptions. The post from 2016 refers to being laid off in 2001, after which I was out of work for about a year and doing random consultant gigs to pay the bills.
YOU GOT DROPPED/FIRED https://slashdot.org/comments.... [slashdot.org] - IN THAT TIMEFRAME TOO - YOU are busted lying!
My post in 2015 is about my quitting Amazon in 2009.
7 yrs. on SAME job eh? [...] Doesn't add up per https://slashdot.org/comments....
I've been at NVIDIA for 7 years. Started in 2010.
AFTER this from your post history (of bullshit) https://slashdot.org/comments.... [slashdot.org] & 15 yrs. on that job too?
Yes, I've been working in IT since 1996 and as an embedded SW engineer since 1999. That's over 15 years. I have worked a few places as full time, and a lot of places as contractor. The paperwork in California to work as a contractor for more than 2 years is complicated so I usually move on but sometimes I convert to full time. You could describe that as being a "jobhopper", although it has more to do with the legal requirements in my state than any lack of commitment on my part.
So no lies there. I've certainly made mistakes in my life and online. I'm certain I have embarrassing posts on slashdot, I vaguely recall writing several. But you've failed to turn up anything damning.
I think your lack of reading comprehension, inability to contextualize and wild assumptions have a lot to do with your emotional and mental state. Do you have difficulty empathizing with other people? Is it hard to read the motives of other people? Are you suspicious that people are plotting against you?
Well it's not true. I'm not plotting against you. I'm not your enemy. And I tried very hard to have a two way discourse in spite of threats, walls of texts, off topic rants and repetitive statements.
This has not been a two-way discussion; it's been you shouting at me the entire time. Thank you for your participation; in the future learn to let other people participate in the discussion as well.
When we migrated from macs to linux laptops one year ago, I first considered buying System76 machines. I quickly understood they'd never offer the non-US keyboard in use here (I went up to asking them if a separate procurement would be feasible... no)
Then I discovered, much closer to my home, the German guys from Tuxedo. Smaller company, not the same surface on internet. But brilliant products. And localized keyboards.
Well, when the Intel-mgt-bug was discussed (first on LWN, months and months ago) I contacted Tuxedo asking if they'd upgrade things. Basically, the thing was already disabled on the recent machines I just bought.
As some other said, Syst76 are VERY late at the party...
Herve S.
Well, actually, it's a rating, not moderation ... nothing gets censored but people are free to filter as they please, that's about it. I think this is still one of the best if not THE best forum/site on the whole wide wwwebs.
Free speech was meant to be free for all... how can anyone grow up in a nanny state?
This is not a fair statement to make. It is akin to the same mentality from people who say "why do I need IT? I can just go to a store and buy a laptop and self support." What goes into the Clevo shell is still done by System76, making sure they work with Linux, have a customer support framework around it, and so forth. Plus they are contributing upstream with fixes to GNOME, fixes to Ubuntu, and are part of the ecosystem. You might also consider that Purism doesn't make their own laptops either.