Dell Begins Offering Laptops With Intel's 'Management Engine' Disabled (liliputing.com)
An anonymous reader quotes Liliputing.com:
Linux computer vendor System76 announced this week that it will roll out a firmware update to disable Intel Management Engine on laptops sold in the past few years. Purism will also disable Intel Management Engine on computers it sells moving forward. Those two computer companies are pretty small players in the multi-billion dollar PC industry. But it turns out one of the world's largest PC companies is also offering customers the option of buying a computer with Intel Management Engine disabled.
At least three Dell computers can be configured with an "Intel vPro -- ME Inoperable, Custom Order" option, although you'll have to pay a little extra for those configurations... While Intel doesn't officially provide an option to disable its Management Engine, independent security researchers have discovered methods for doing that and we're starting to see PC makers make use of those methods.
The option appears to be available on most of Dell's Latitude laptops (from the 12- to 15-inch screens), including the 7480, 5480, and 5580 and the Latitude 14 5000 Series (as well as several "Rugged" and "Rugged Extreme" models).
Dell is charging anywhere from $20.92 to $40 to disable Intel's Management Engine.
So in theory, it doesn't matter if you order one of these 'Custom Order' editions? You'll be able to apply the exact same changes yourself?
Does anyone trust Intel or Dell (or AMD or anyone else) enough at this point to actually believe that the chip is disabled? Or that it won't just be magically re-enabled the first time you log in to the machine? How can anyone independently verify that the chip is actually disabled and stays that way?
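The question above asks how anyone could check that the ME is disabled and stays that way. One defender-side check, offered here as an added example and not as anything from the article or the commenters, is to read the ME's own Host Firmware Status register (HFS1) at every boot and keep a log, so a state that flips later stands out. It assumes the HFS1 bit layout as published in coreboot's intelmetool (working state in bits 3:0, manufacturing mode in bit 4, init-complete in bit 9, error code in bits 15:12, operation mode in bits 19:16) and the Linux MEI driver's `/sys/class/mei/mei0/fw_status` attribute, which prints one 32-bit hex word per line; the sample register values are constructed. The caveat is the commenter's own point: this status is reported by the ME firmware itself, so it can show a running or soft-disabled ME but cannot prove the ME is gone; reading the flash chip externally is the stronger check.

```python
"""Decode the Intel ME Host Firmware Status register (HFS1) and classify it.

Bit layout follows coreboot's intelmetool/me.h (assumption: the platform
under test uses the same HFS1 field positions).
"""
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Field value names as documented by intelmetool (assumption).
CWS_NAMES = {0: "Reset", 1: "Initializing", 2: "Recovery", 5: "Normal",
             6: "Disable Wait", 7: "Transition"}
OPMODE_NAMES = {0: "Normal", 2: "Debug", 3: "Soft Temporary Disable",
                4: "Security Override via Jumper",
                5: "Security Override via MEI Message"}


@dataclass(frozen=True)
class MeStatus:
    working_state: int
    manufacturing_mode: bool
    fw_init_complete: bool
    error_code: int
    operation_mode: int

    @property
    def working_state_name(self) -> str:
        return CWS_NAMES.get(self.working_state, f"Unknown ({self.working_state})")

    @property
    def operation_mode_name(self) -> str:
        return OPMODE_NAMES.get(self.operation_mode, f"Unknown ({self.operation_mode})")


def decode_hfs1(hfs1: int) -> MeStatus:
    """Split a 32-bit HFS1 word into its named fields."""
    return MeStatus(
        working_state=hfs1 & 0xF,
        manufacturing_mode=bool((hfs1 >> 4) & 1),
        fw_init_complete=bool((hfs1 >> 9) & 1),
        error_code=(hfs1 >> 12) & 0xF,
        operation_mode=(hfs1 >> 16) & 0xF,
    )


def parse_fw_status(text: str) -> List[int]:
    """Parse the sysfs fw_status text: one hex word per non-empty line, HFS1 first."""
    return [int(line.strip(), 16) for line in text.splitlines() if line.strip()]


def assess(status: MeStatus) -> str:
    """One-line verdict; anything other than the expected baseline is worth an alert."""
    if status.operation_mode in (4, 5):
        return "ALERT: security override mode active"
    if status.manufacturing_mode:
        return "ALERT: manufacturing mode still enabled"
    if status.operation_mode == 3:
        return "ME reports soft temporary disable"
    if status.working_state == 5 and status.fw_init_complete:
        return "ME running normally (not disabled)"
    return f"ME state {status.working_state_name}/{status.operation_mode_name}"


def read_live_status(path: str = "/sys/class/mei/mei0/fw_status") -> Optional[MeStatus]:
    """Read HFS1 from the MEI driver; None when no MEI device is exposed."""
    p = Path(path)
    if not p.exists():
        return None  # no MEI device or driver: nothing can be concluded from here
    return decode_hfs1(parse_fw_status(p.read_text())[0])


# Constructed sample values (not captured from real hardware): a normally
# running ME, and one reporting operation mode 3 (soft temporary disable).
SAMPLE_NORMAL = "94000245\n00000000\n"
SAMPLE_SOFT_DISABLED = "00030200\n00000000\n"

if __name__ == "__main__":
    for sample in (SAMPLE_NORMAL, SAMPLE_SOFT_DISABLED):
        print(assess(decode_hfs1(parse_fw_status(sample)[0])))
    live = read_live_status()
    print("live:", assess(live) if live else "no MEI device exposed")
```

Run it from a boot-time job and diff the verdict against the one recorded when the machine was delivered; a machine sold as "ME inoperable" that later reports "running normally" is exactly the re-enable the commenter worries about.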
We need to move back towards more open hardware and things like physical switches to turn devices on and off, DIP switches to configure hardware, and on-board fuses that can be permanently blown to disable things you don't want. Oh, and mainboards/CPUs/chipsets that don't have this deep-state backdoor bullshit built-in in the first place.
None of this shit should have EVER found its way into consumer-grade hardware. EVER. The out-of-band management hardware should only have been able to be ordered on enterprise-grade servers. This is really the only valid use case for this kind of technology. I've worked in a number of large corporate environments, and never once has the ME/vPro shit even been used on desktop PCs. Build it into the servers that need it, and if a company really NEEDS it for their desktop support method, then it should be a special order.
Until it's physically gone from the board, you can bet it's never going to be permanently disabled.
Well, it's a start, at least. With a little luck, maybe vendors will get the message that we don't want these black-box, privacy-invading systems in our computers. I remember when Intel had us over to show off their latest and greatest and they were just gushing with pride over this system. I asked them then about the potential privacy and security problems and all they could answer with was, "Don't worry, it will be the most secure system ever made." Like I haven't heard that a million times with the same result. After that, I was just treated like the party buzzkill.
"Be particularly skeptical when presented with evidence confirming what you already believe." -
Most of that is simply false, and I have proven it myself with HP Compaq, EliteDesk, and EliteBook hardware.
You don't need access inside a network or on the physical machine; it has been proven to "call home" and receive orders much as botnets do, over unblocked HTTP requests.
Ethereal shows nothing except ARP traffic while powered off, or powered on in any mode but provisioning mode.
In provisioning mode Ethereal shows two TCP connections to my provisioning server, and neither are HTTP.
You can't stop it if it is plugged into a network
Until ME is enabled, it doesn't even perform ARP requests, let alone is capable of or tries to send packets anywhere.
and all of the benefits you listed already existed in other forms which didn't require a massive multi-million-dollar engineering effort to stick inside the chip undetected for years.
It was never hidden in the chip, you just didn't bother reading Intel's documentation, which was publicly available on Intel's website since before vPro and ME hit the market.
Yes management cards were available before, but they are equally closed source and not auditable, and cost extra per PC to deploy.
If it were legitimate it would have been public knowledge from the start,
Which it has been.
https://software.intel.com/en-us/articles/intel-active-management-technology-start-here-guide-intel-amt-9
https://www.intel.com/content/www/us/en/software/setup-configuration-software.html
Documentation goes back to 2008 when vPro, the software containing ME, was released.
not a secret project the alphabet agencies recruited hardware developers for, required top secret clearance to undertake within the Intel team working on it, etc.
Any evidence for that claim? Other than Intel's own website and documentation that disproves it was "secret"?
The justifications for the existence of it are like the shills
Oh, damn, wish I saw that sooner before actually providing you with facts you don't care about.
Yes, I use technology, that makes me a shill by your definition.
Continue on with your fantasies, I'll stop ruining them.
That is what they already use with cellphones to disable your ability to run DRM'd videos and such on a rooted/jailbroken device.
What we need is jumpers that can electrically disable hardware. As it is right now, even jumpers on the motherboard are most likely soft switches. If you doubt me, go read the spec sheets for SPI flash. Hint: No SPI flash chip actually respects the write-disable pin in hardware. All of them require external software support in order to strap the SPI flash to read-only mode, and only AFTER the system powers on. Meaning that anyone who can power glitch your SPI flash can potentially rewrite it while the system is operating, unless the north/southbridge has its own softstraps that disable it until reboot. (Hint: Intel does.)

The real solution is long and hard work on the software ecosystem we have allowed to build up, and crowdfunding hardware designs for common older fab technologies that we can get produced for cheap. Parallax, the makers of the Propeller chip and the Stamp boards, had a discussion on Hackaday a few months back on exactly this. Taping out on 300nm costs ~250k for stencils, not including other manufacturing costs. A few-million-dollar Kickstarter and the right hardware engineers and we could do that. Pentium 3 era process technology, but we have almost 20 years of design tech to improve what we manufacture on that same process.

If that string of Kickstarters is successful then more people would be willing to invest in a next generation design on a better process technology. Maybe 45-28nm with SOI or another improved technology. If this second campaign succeeds you will have dozens of competitive groups/companies willing to build open hardware designs on-contract for up-front prices. Get a few of these going and we will have an ecosystem of standardized and open processors, bus interface chips, and other electronic components needed for building custom systems of whatever form factor, power envelope, and reliability rating you need.
But until somebody makes that leap with an actual desktop/modular notebook product, we're going to stay tied to proprietary technology that we can trust less with every passing day.
P.S. We really need an SPI chip that physically follows the write-lock strap pin.
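The post above argues that the SPI flash write-protect pin only counts once firmware has set the right status-register bits after power-on. The following decoder, an added example written for this thread and not code from the poster or from any flash vendor, makes that lock table explicit. It assumes the Winbond W25Q-series register layout (SR1: BP0..BP2 in bits 2-4, SRP0 in bit 7; SR2: SRP1 in bit 0) and that part's documented SRP1/SRP0/WP# table; the register values fed in are constructed. The defender's takeaway it encodes: with SRP0 and SRP1 both clear, WP# is ignored and any host software that can issue a write-status command can clear the block-protect bits; firmware must set SRP0 (with WP# tied low) or the power-supply lock-down early in boot, and chipset-level BIOS write protection is a separate layer on top.

```python
"""Classify a serial-flash write-protection setup from its status registers.

Layout and lock table follow the Winbond W25Q-series datasheets (assumption:
the part in question uses the same SR1/SR2 bit assignments).
  SR1: bit0 BUSY, bit1 WEL, bits2-4 BP0..BP2, bit5 TB, bit6 SEC, bit7 SRP0
  SR2: bit0 SRP1, bit1 QE, bit6 CMP
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlashProtection:
    block_protect_bits: int  # BP2:BP0 as a 3-bit value; 0 means nothing protected
    srp0: bool
    srp1: bool
    wp_pin_low: bool         # electrical level of WP#; low = asserted

    @property
    def lock_mode(self) -> str:
        """Status-register lock mode from the SRP1/SRP0/WP# table."""
        if not self.srp1 and not self.srp0:
            return "software protection"  # WP# pin is ignored entirely
        if not self.srp1 and self.srp0:
            return "hardware protected" if self.wp_pin_low else "hardware unprotected"
        if self.srp1 and not self.srp0:
            return "power supply lock-down"  # locked until next power cycle
        return "one time program"            # permanently locked

    @property
    def runtime_writable(self) -> bool:
        """Can a write-status command from the host change BP bits right now?"""
        return self.lock_mode in ("software protection", "hardware unprotected")


def decode(sr1: int, sr2: int, wp_pin_low: bool) -> FlashProtection:
    """Pull the protection-relevant bits out of SR1/SR2."""
    return FlashProtection(
        block_protect_bits=(sr1 >> 2) & 0x7,
        srp0=bool((sr1 >> 7) & 1),
        srp1=bool(sr2 & 1),
        wp_pin_low=wp_pin_low,
    )


def assess(sr1: int, sr2: int, wp_pin_low: bool) -> str:
    """One-line verdict on whether the protected region is actually locked."""
    p = decode(sr1, sr2, wp_pin_low)
    if p.block_protect_bits == 0:
        return "no region protected: BP bits clear"
    if p.runtime_writable:
        return f"BP set but {p.lock_mode}: host software can clear it"
    return f"BP set and {p.lock_mode}: locked"


# Constructed register values (not dumped from a real board).
CASES = [
    (0x1C, 0x00, True),   # BP=7, SRP0=0, SRP1=0: WP# asserted but ignored
    (0x9C, 0x00, True),   # BP=7, SRP0=1, WP# low: the only pin-enforced case
    (0x9C, 0x00, False),  # same bits, WP# high: writable again
    (0x1C, 0x01, True),   # SRP1=1, SRP0=0: locked until power cycle
    (0x9C, 0x01, False),  # SRP1=1, SRP0=1: permanent
    (0x00, 0x00, True),   # nothing protected at all
]

if __name__ == "__main__":
    for sr1, sr2, wp_low in CASES:
        print(f"SR1=0x{sr1:02X} SR2=0x{sr2:02X} WP#={'low' if wp_low else 'high'}: "
              f"{assess(sr1, sr2, wp_low)}")
```

Feed it the values read back from the chip (read-status commands 0x05 and 0x35 on the W25Q parts) after the firmware has finished booting; if the verdict is "software protection", the pin is decorative, which is the failure mode the post describes.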