Slashdot Mirror
Dell Begins Offering Laptops With Intel's 'Management Engine' Disabled (liliputing.com)
An anonymous reader quotes Liliputing.com
Linux computer vendor System76 announced this week that it will roll out a firmware update to disable Intel Management Engine on laptops sold in the past few years. Purism will also disable Intel Management Engine on computers it sells moving forward. Those two computer companies are pretty small players in the multi-billion dollar PC industry. But it turns out one of the world's largest PC companies is also offering customers the option of buying a computer with Intel Management Engine disabled.
At least three Dell computers can be configured with an "Intel vPro -- ME Inoperable, Custom Order" option, although you'll have to pay a little extra for those configurations... While Intel doesn't officially provide an option to disable its Management Engine, independent security researchers have discovered methods for doing that and we're starting to see PC makers make use of those methods.
The option appears to be available on most of Dell's Latitude laptops (from the 12- to 15-inch screens), including the 7480, 5480, and 5580 and the Latitude 14 5000 Series (as well as several "Rugged" and "Rugged Extreme" models).
Dell is charging anywhere from $20.92 to $40 to disable Intel's Management Engine.
At least three Dell computers can be configured with an "Intel vPro -- ME Inoperable, Custom Order" option, although you'll have to pay a little extra for those configurations... While Intel doesn't officially provide an option to disable its Management Engine, independent security researchers have discovered methods for doing that and we're starting to see PC makers make use of those methods.
The option appears to be available on most of Dell's Latitude laptops (from the 12- to 15-inch screens), including the 7480, 5480, and 5580 and the Latitude 14 5000 Series (as well as several "Rugged" and "Rugged Extreme" models).
Dell is charging anywhere from $20.92 to $40 to disable Intel's Management Engine.
Make me pay extra to have something disabled which should never have existed in the first place. Just buy AMD and enjoy security through obscurity!
So in theory, it doesn't matter if you order one of these 'Custom Order' editions? You'll be able to apply the exact same changes yourself?
Intel Management Engine: the original Systemd. ;)
Anons need not reply. Questions end with a question mark.
Does anyone trust Intel or Dell (or AMD or anyone else) enough at this point to actually believe that the chip is disabled? Or that it won't just be magically re-enabled the first time you log in to the machine? How can anyone independently verify that the chip is actually disabled and stays that way?
We need to move back towards more open hardware and things like physical switches to turn devices on and off, DIP switches to configure hardware, and on-board fuses that can be permanently blown to disable things you don't want. Oh, and mainboards/CPUs/chipsets that don't have this deep-state backdoor bullshit built-in in the first place.
None of this shit should have EVER found its way into consumer-grade hardware. EVER. The out of band management hardware should only have been able to be ordered on enterprise grade servers. This is really the only valid use case for this kind of technology. I've worked in a number of large corporate environments, and never once has the ME/vPro shit even been used on desktop PCs. Build it in to the servers that need it, and if a company really NEEDS it for their desktop support method, then it should be a special order.
Until it's physically gone from the board, you can bet it's never going to be permanently disabled.
Well, its a start, at least. With a little luck, maybe vendors will get the message that we don't want this black box privacy invading systems in our computers. I remember when Intel had us over to show off their latest and greatest and they were just gushing with pride over this system. I asked them then about the potential privacy and security problems and all they could answer with is don't worry, it will be the most secure system ever made. Like I haven't heard that a million times with the same result. After that, I was just treated like the party buzzkill.
"Be particularly skeptical when presented with evidence confirming what you already believe." -
Rather than having to follow yet a Slashdot link to another Slashdot link, which then has a link to the actual story - here is a direct one:
Researchers find a way to disable Intel's Management Engine.
#DeleteChrome
I have noticed a number of Intel ME articles recently appearing on Slashdot. On the business laptops I maintain, firmware was available to resolve latest issues. After installing the latest ME firmware, I performed an unprovision through BIOS, then I went into the ME settings via Ctrl-P and added a password to the ME settings. All the ME settings for IP addresses, etc. are blank.
I ran the INTEL-SA-00075 procedures to verify unprovisioning and that the LMS service was stopped. My question is whether unprovisioning ME and using a strong password in ME and BIOS to prevent the provisioning results in the same end behavior as the "disable" that is being offered by System76 and Dell. What do you think Slashdot? Are any IT folks going through the configuration of Intel ME as I have done?
FYI, here is an example of the INTEL-SA-00075 risk assessment after the firmware upgrade and unprovision are verified:
Risk Assessment
Based on the analysis performed by this tool, this system's Firmware has been updated and system is in unprovisioned state. See Explanation for specifics.
Explanation:
The detected firmware on this system has the fix for INTEL-SA-00075. Ensure that the INTEL-SA-00075 tools were used to perform a full unprovisioning of the system prior to reprovisioning. This will remove any unauthorized configuration settings.
If Vulnerable, contact your OEM for support and remediation of this system.
For more information, refer to CVE-2017-5689 in the following link: CVE-2017-5689
or the Intel security advisory Intel-SA-00075 in the following link: INTEL-SA-00075
INTEL-SA-00075 Detection Tool
Application Version: 1.0.3.215
Scan date: 2017-11-29 16:06:18
Host Computer Information
Name: (snip)
Manufacturer: Hewlett-Packard
Model: HP EliteBook 8560w
Processor Name: Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz
Windows Version: Microsoft Windows 10 Pro
ME Information
Version: 7.1.91.3272
SKU: Intel(R) Full AMT Manageability
Provisioning Mode: Not Provisioned
Control Mode: None
Is CCM Disabled: False
Driver installation found: True
EHBC Enabled: False
LMS service state: Stopped
microLMS service state: NotPresent
Is SPS: False
What is Intel Management Engine and why is it so bad that we want to disable it?
inquiring minds want to know
Politics is Treachery, Religion is Brainwashing
Thank you to the Linux hardware vendor who took the leadership role in opting out of this Intel spyware madness. For any of you thinking about finally escaping the Windows chamber of horrors, this company deserves your business.
When all you have is a hammer, every problem starts to look like a thumb.
I'd have been fine if I had 100% control of this processor.
Nope, sneaky ass shit from all sides in how it works. Security through obscurity. Feature Bloat out the ass with no way to disable stuff you don't need.
Fuck. That.
I will only forgive them if they make new versions 100% open. Then we can install our own OSes as we see fit.
They could even make the first step by open sourcing it.
Will they? Fuck naw. It's Intel. They are the Sony of CPUs.
In general opt-out is problematic. Most people don't do it then the vendors say "see no one wants to opt-out", making it a self-fulfilling prophecy. Now imagine you charge them or limit their options to some expensive computer models if they want to opt-out. That's not going to work.
And the basic problem here is that it's not me that I'm worried about it's, collectively, everyone else. The same logic as getting a Flu shot. THe herd immunity protects you more than the flu shot you just got.
I want everyone else to have a secure computer. And not just so they aren't mailing me trojans in cat pictures or attacking me across the network, But also so they aren't attacking my bank or DDOS-ing netflix when I'm watching Game of thrones.
Some drink at the fountain of knowledge. Others just gargle.
Stop it's ability to send info. outward via router port filtering ports 16992-16995 + 623-625 Intel AMT/ME uses in a modem/router external to OS/PC.
Intel ME/AMT operates from your motherboard but has NO CONTROL OF YOUR MODEM/ROUTER!
(This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)
Additionally, once you disable the AMT engine's software interface (ez via software articles note)? A malware to 'repatch' this = impossible (bios updaters require it in usermode ware, e.g. ASUS).
(I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))
HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" too (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/
* GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones don't)!
APK
P.S.=> Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, from OUTSIDE of the INTEL chipset external to it via a router/firewall hardware... apk
That is what they already use with cellphones to disable your ability to run DRM'd videos and such on a rooted/jailbroken device.
What we need is jumpers that can electrically disable hardware. As it is right now, even jumpers on the motherboard are most likely soft switches. If you doubt me, go read the spec sheets for SPI flash. Hint: No SPI flash chip actually respects the write-disable pin in hardware. All of them require external software support in order to strap the SPI flash to read-only mode, and only AFTER the system powers on. Meaning that anyone who can power glitch your SPI flash can potentially rewrite while the system is operating, unless the north/southbridge has their own softstraps that disable it until reboot. (Hint: Intel does.) The real solution is a long and hard work at the software ecosystem we have allowed to build up, and crowdfunding hardware designs for common older fab technologies that we can get produced for cheap. Parallax the makers of the Propeller chip and the Stamp boards had a discussion on Hackaday a few months back on exactly this. Taping on 300NM cost ~250k for stencils, not including other manufacturing costs. A few million dollar kickstarter and the right hardware engineers and we could do that. Pentium 3 era process technology, but we have almost 20 years of design tech to improve what we manufacture on that same process. If that string of kickstarters is successful then more people would be willing to invest in a next generation design on a better process technology. Maybe 45-28nm with SOI or another improved technology. If this second campaign succeeds you will have dozens of competitive groups/companies willing to build open hardware designs on-contract for up front prices. Get a few of these going and we will have an ecosystem of standardized and open processors, bus interface chips, and other electronic components needed for building custom systems of whatever form factor, power envelope, and reliability rating you need.
But until somebody makes that leap with an actual desktop/modular notebook product, we're going to stay tied to proprietary technology that we can trust less with every passing day.
P.S. We really need an SPI chip that physically follows the write-lock strap pin.
Dell is charging anywhere from $20.92 to $40 to disable Intel's Management Engine.
A fast ARM SoC would add $20-$40 to the BOM price of a product. The slightly improved graphics for laptops is around $40 (maybe closer to $45). There are probably lots of things of value that could have been added to the system instead of IME only to have each vendor go to the effort to disable it for customers that really don't want it.
I think it's a bit suspect that Intel went to the effort to create and hide ME, when it doesn't appear to offer value to the end user. I only have read lots of hand waiving excuses about managing optimal performance or memory controller and related buses. That's somewhat plausible because I've seen 8051 and other microcontrollers used to initialize and manage PowerPC based systems some years ago. (Apple)
“Common sense is not so common.” — Voltaire
What they don't tell you, is when you pick this option, they leave the ME enabled, and also supply your details to the NSA as a 'suspicious person'. If you're paranoid enough to spend $30 'disabling' something that has you worried of being spied on, you -obviously- got something interesting going on with you... ;)
Backup your bs w/ proof OrangeTide https://it.slashdot.org/comments.pl?sid=11425437&cid=55663429/ provide proof of me picking on you 'for years' as you said in the post parent to mine in that link I just posted - you can't.
(If I had issues w/ you I'd have bookmarked it & I never have before YOU came in calling me a "git" (fool) starting hassles!)
* See you there (somehow I don't think I will & you will continue to embarass yourself as you did starting garbage with me - I am going to let YOU finish YOURSELF boy)
Additionally - CLASSIC & PRICELESS: I also CAUGHT YOU posting UNIDENTIFIABLE AC vs. using your registered 'lusername' yet you point to YOUR POST that was done under your REGISTERED 'lusrname' claiming it too (YOU = FLATOUT-BUSTED -> https://slashdot.org/comments.pl?sid=11432439&cid=55667787/ )
SEE YOU DOWNMOD HID THIS 6x TIMES I POSTED IT TOO https://slashdot.org/comments.pl?sid=11430293&cid=55668641/ & https://slashdot.org/comments.pl?sid=11433711&cid=55669021/ + https://slashdot.org/comments.pl?sid=11432725&cid=55669055/ https://slashdot.org/comments.pl?sid=11432725&cid=55669519/ https://slashdot.org/comments.pl?sid=11430293&cid=55669493/ https://slashdot.org/comments.pl?sid=11432483&cid=55666417/ - weak trying to hide it!
APK
P.S.=> This is the 18th time you've done a "Run, Forrest: RUN!!!" vs. it OrangeTide - why's that? I caught you lying?? Cat got your tongue??? Yes, obviously - pitiful... apk
https://github.com/corna/me_cl...
improve internet connectivity reliability to ensure updates and other communication are not blocked by outside measures.
(enable automatic fallback to tcp/ip ports 80 and 443)
I've previously worked on a Dell AIO (Optiplex 9010 I think). Imagine my surprise when I opened it's case to inspect the blown PSU to find a nice factory "ME Disabled" sticker on the main board shield. I believe it has been an option for corporate buyers on select models for some time. No telling exactly what "disabled" really meant though.
"CITATION PLEASE" (somehow I don't think you will produce backing evidence from a reputable source on portredirectors) & don't upgrade then!
* Pretty simple! IF that's the case in usermode, NO PROBLEM see next:
Removing ALL I said, ESPECIALLY THE SOFTWARE INTERFACE THAT MIGHT DO PORT REDIRECTORS via tools like the unistaller for it & DisableAMT.exe + the test in usermode via Intel-SA-00075-GUI.exe will TRIPLE CHECK that much!
APK
P.S.=> The rest is handled by the router & logs it has (+ you can monitor it YOURSELF - this was the HUGE WORRY EVERYONE HAD in the security community - A BLANK LOGON username/pwd etc. & THERE ARE GUIDES ON YOUTUBE that even show how it's done - BUT, those same 'guides' show you how to test it, yourself (same as 'security gurus' had to))... apk
They are charging Intel or the customer? Yes, I already know the answer, but it is worth asking, isn't it?
I'm asking because I don't understand why we should pay to remove Spy(hard)ware.
Totof
What is the IME supposed to do? What is the supposed benefit for it being there?
The situation is a bit worse with Qualcom chipsets.
The thing running with Intel ME on the motherboard's own embed computer, or with AMD PSP on the extra security core on the latest CPUs, is just basically a ROM.
You're free to hack it.
You might break your computer while doing it (e.g.: some require signed bit to get executed, most of these embed "ring -3" OSes have watchdogs that force the whole system to reboot or not even leave reset if they don't trigger, etc.)
But you can still break your computer if you want and maybe in the process produce a fully functioning computer with the "ring -3" OS either completely disabled or defanged and reduced to the most innocuous minimum (only the part triggering the watchdog, no networking at all).
With mobile chipsets (mostly Qualcom, but applies to others too) the thing that is in the northbridge of your SoC and that is in charge of handling the RAM, etc... is the baseband modem.
It's the piece of hardware that is also in charge of what goes out on the radio frequencies, and these frequencies happen to be heavily regulated (unlike the 2.4 Ghz used by everything else like Wifi, Bluetooth or your micro-oven).
If you don't hold a special license (like telcos and soc manufacturer do), you're not even legally allowed to modify this piece firmware.
That's the whole reason while, for their smartphone Librem 5, Purism is using some older FreeScale chipset, and keeping the baseband modem in a separate chips that doesn't have access to any critical component but only speaks over a standard protocol.
in short :
- researchers can freely try to find ways to completely remove or at least de-fang Intel ME and AMD PSP. And laptop manufacturer are free to then re-use this work to produce Intel-ME-less / AMD PSP-less laptops.
- researchers cannot legally modify the baseband firmware, and if a phone manufacturer were to try to use their work to produce phone using special "firmware with the backdoor removed" they'll be in for a hefty fine and their product banned. The only way would be for the people holding the license to the radio frequency (basically telcos, and chipset/SoC/PCB manufacturer) to accept their mods upstream and release an official firmware.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
They don't live in the CPU have ring negative 9999 access, and you can turn them off!
AMD's PSP lives in the CPU.
Intel's ME is a ARC core on the motherboard's chipset.
As in : in theory, you could remove the RAM and the CPU out of their socket, and as long as there's a PSU connected to the motherboard, this shit still runs.
(In practice, the system running on it requires a bit of cooperation from the main CPU and expects a little bit of RAM handed to it. So without CPU and RAM in the socket, the OS will probably crash, but that's just an implementation details. The actual hardware is separate and autonomous, and you could imagine a specially crafted version of Minix that handles all its nefarious purpose (e.g.: flash a trojan-infected UEFI on the motherboard on NSA's orders) from within the confine of its limited resources without ever needing any request be server by the main CPU).
(Libreboot has detailled explanation of all the small details if you want)=
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
We started buying AMD after that.
Speaking of which, have you found a way to disable AMD PSP on their latest CPUs ?
Or do you just keep buying the pre-PSP ones ?
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
I remember some time back there was a NIC card which had some kind of cpu/ram/etc with it. I think it may have been able to offload torrents or something like that.
One such NIC was the Killer NIC (no, not that one).
Microsoft Research also developed an USB variation of this.
Do we need that kind of things these days and maybe some BSD based guardian to live there to report on any strange stuff being sent or received?
Basically you would have a computer spending full time making sure your computer is secure, or trying to.
That's exactly how Intel ME /AMT and how IPMI (the industry standard equivalent for servers) were sold back then.
The only exception :
- they were sold to management, not to you the end-user. So ITs could remotely manage your workstation or company servers remotely, even if they are powered down, while keeping you, the user entirely out of the loop.
- nobody though about software freedoms (freedom to study/modify, etc.) thus you, the end user, end up now with a blob on which you have absolutely zero control, but which could be exploited to remotely hose your machine even if it's powered down.
(At least IPMI can be kept on an entirely separate network port, which will be kept on a separate private network and thus will never get into contact with the internet - thus limiting any potential remote exploit. IntelME is an entirely different can of worms.)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
... so obviously one has to pay more to get a laptop less the Intel Management Engine.
It makes total sense.
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
You bullshitting not I'm!
Any way to physically disable or destroy this component? Cut a trace, burn a capacitor, etc?
Because they promised that as a release day feature on their claimed 'privacy and liberty protecting laptop' for which they got a million plus dollar kikstarter and a premium 2000 dollar price tag for.
It took them *TWO* years after *RELEASE* to get Coreboot to replace AMIBios on it (because they didn't actually have staff for, and didn't hire anyone on contract to do this until at least a year later!) and they only ran me_cleaner after others had developed it, despite having claimed in their initial kickstarter to have ways of disabling Intel ME, even as people said that was a baldfaced lie.
The Purism crew is nothing but a bunch of snake oil salesmen, and the people financially supporting them are a bunch of whales easily separated from their money.
The closest we got to an actual 'libre' notebook was the ARM-based Novena, and I held the proprietary FPGA against them in that case, even though it didn't affect the main system itself at all. It was also 1/4 the price for the motherboard and only 1/2 the price fully loaded with far less proprietary hardware and no Management Engine type system enabled out of the box. Compared to the Purism laptop its only two downsides were the 4GB memory capacity (no cheap arms with PAE extensions/33+ bit memory controllers at the time,) and the weak but well supported Vivante GC graphics core. The purism used an Iris Pro, which was Intel Graphics, but with 128 megs of L4 video cache. Open source drivers, but Intel Inside (ugh!) The saddest part of that fiasco is they could have still purchased AMD hardware at that point that WAS openly documented and pre-PSP, but they didn't. The result being the clusterfuck of freedomlessness that we have today.
Only true for 6xxx 7xxx and 8xxx processors.
Only the last 3 generations of Intel processors run minix.
Everything older runs ThreadX with the modules removable via me_cleaner.
It almost certainly disables all network capabilities without a code exploit to upload new modules.
And in the minix case you can audit the code to verify that the 256k or so base image for the later minix based Intel ME/AMT implementations is probably the kernel and some basic bringup drivers, but probably not enough code to implement a usable runtime. Verification of the stock minix 3 x86 files should be able to tell you if eepro100+8139+8169+tigon3+others can fit into that 256k image and provide enough of a bootstrap environment to backdoor the system remotely, and under what circumstances. Given that the backdoored drivers would need to be able to operate alongside the OS drivers to stay hidden, it is unlikely offboard ethernet chipsets could be initialized for such a backdoor without evidence being visible in the user's operating system, certainly not with the stock minix3 drivers (I am less sure about the Intel drivers, since many models now support virtual cards for VTd usage, which could in fact allow that for all intel-based chipsets.)
Dell has a program that will (allegedly) disable it in computers that have already been sold. Free.
Why not buy a Dell and then disable it with the free program?
Because by then, the damage may already have been done, perhaps.
A possibly helpful link: https://downloadcenter.intel.c...
There's no time like the present. Well, the past used to be.