
Dell Begins Offering Laptops With Intel's 'Management Engine' Disabled (liliputing.com)

An anonymous reader quotes Liliputing.com: Linux computer vendor System76 announced this week that it will roll out a firmware update to disable Intel Management Engine on laptops sold in the past few years. Purism will also disable Intel Management Engine on computers it sells moving forward. Those two computer companies are pretty small players in the multi-billion dollar PC industry. But it turns out one of the world's largest PC companies is also offering customers the option of buying a computer with Intel Management Engine disabled.

At least three Dell computers can be configured with an "Intel vPro -- ME Inoperable, Custom Order" option, although you'll have to pay a little extra for those configurations... While Intel doesn't officially provide an option to disable its Management Engine, independent security researchers have discovered methods for doing that and we're starting to see PC makers make use of those methods.

The option appears to be available on most of Dell's Latitude laptops (from the 12- to 15-inch screens), including the 7480, 5480, and 5580 and the Latitude 14 5000 Series (as well as several "Rugged" and "Rugged Extreme" models).

Dell is charging anywhere from $20.92 to $40 to disable Intel's Management Engine.

11 of 140 comments

  1. New slogan! by Gravis Zero · Score: 5, Funny

    Intel Management Engine: the original Systemd. ;)

    --
    Anons need not reply. Questions end with a question mark.
  2. "Disabled", not disabled. by Anonymous Coward · Score: 5, Interesting

    Does anyone trust Intel or Dell (or AMD or anyone else) enough at this point to actually believe that the chip is disabled? Or that it won't just be magically re-enabled the first time you log in to the machine? How can anyone independently verify that the chip is actually disabled and stays that way?

    We need to move back towards more open hardware and things like physical switches to turn devices on and off, DIP switches to configure hardware, and on-board fuses that can be permanently blown to disable things you don't want. Oh, and mainboards/CPUs/chipsets that don't have this deep-state backdoor bullshit built-in in the first place.

    None of this shit should have EVER found its way into consumer-grade hardware. EVER. The out-of-band management hardware should only have been able to be ordered on enterprise-grade servers. This is really the only valid use case for this kind of technology. I've worked in a number of large corporate environments, and never once has the ME/vPro shit even been used on desktop PCs. Build it in to the servers that need it, and if a company really NEEDS it for their desktop support method, then it should be a special order.

    Until it's physically gone from the board, you can bet it's never going to be permanently disabled.

    1. Re:"Disabled", not disabled. by Antique Geekmeister · Score: 4, Insightful

      On what basis do you claim this? Since Dell is not being specific about how they disable it, there's very little reason to assume that it's a physical change. Since the Intel Management Engine can reasonably be considered to be directly accessible to law enforcement, I don't see why most vendors will not leave it accessible to court-ordered access. They consider it important to cooperate with national governments to retain export licenses and government contract work.

    2. Re:"Disabled", not disabled. by Dutch Gun · Score: 4, Insightful

      The reason this shit is in consumer-grade hardware is because it's a "free feature". So, why not include it? It's the same reasoning as to why we can't buy a consumer TV without tons of "smart TV" features we don't want. After all, it's cheaper to offer only a single SKU.

      Companies throw in these "extras", but apparently don't really consider the fact that sometimes, extra features can actually be "anti-features", in that they might have an actual penalty in terms of security or usability. It's why companies hoard their customers' personal data, because it's seen as nothing but beneficial, and not a potential privacy disaster for everyone else.

      Only when companies that willfully put their customers' security at risk are heavily penalized will they start treating security and privacy with the respect it deserves. Until then, it's going to be an uphill battle.

      --
      Irony: Agile development has too much inertia to be abandoned now.
  3. From the start this was a problem by TheReaperD · Score: 4, Interesting

    Well, it's a start, at least. With a little luck, maybe vendors will get the message that we don't want these black-box, privacy-invading systems in our computers. I remember when Intel had us over to show off their latest and greatest and they were just gushing with pride over this system. I asked them then about the potential privacy and security problems and all they could answer with is "don't worry, it will be the most secure system ever made." Like I haven't heard that a million times with the same result. After that, I was just treated like the party buzzkill.

    --
    "Be particularly skeptical when presented with evidence confirming what you already believe." -
  4. Disabling the Intel ME - direct story link by 93 Escort Wagon · Score: 4, Informative

    Rather than having to follow yet another Slashdot link to another Slashdot link, which then has a link to the actual story - here is a direct one:

    Researchers find a way to disable Intel's Management Engine.

    --
    #DeleteChrome
  5. Re:For people with a life... by TheReaperD · Score: 5, Insightful

    Intel created its own operating system on a chip that is almost completely outside of user control. It has full functionality to read and take control of any part of your PC, even when it is powered off. All the code is black-boxed and unreadable to the user, so there is no auditing it to see if it is secure. If a hacker or virus was able to re-write the OS on the chip (something that has been confirmed to be possible), they would have complete control of your system with virtually no way to remove it. For people in the tinfoil hat club (a club I visit from time to time), this means that Intel, and anyone that they choose to grant access to, such as FBI, NSA, etc., can clandestinely monitor all activity that you do on your PC without any indication that they are doing so, and no security software that you run, commercial or home-brew, will alert you to the monitoring.

    --
    "Be particularly skeptical when presented with evidence confirming what you already believe." -
  6. Thank you to the Linux laptop vendor by Tough Love · Score: 4, Insightful

    Thank you to the Linux hardware vendor who took the leadership role in opting out of this Intel spyware madness. For any of you thinking about finally escaping the Windows chamber of horrors, this company deserves your business.

    --
    When all you have is a hammer, every problem starts to look like a thumb.
    1. Re: Thank you to the Linux laptop vendor by Anonymous Coward · Score: 5, Informative

      You forgot about Purism. I believe they were the first ones to offer laptops with Intel ME disabled, back in October.

      https://hardware.slashdot.org/story/17/10/29/0324201/purism-now-offers-laptops-with-intels-management-engine-disabled

  7. Re:Thanks for the value Dell! by NicknameUnavailable · Score: 5, Insightful

    It's not Dell's fault, and it did genuinely take some effort on their part to figure out a way to do this without bricking machines in a fairly reliable manner. They also tend to have the best support in the industry, meaning if Intel figures out a way to reactivate it, Dell will be on the hook for disabling it again; $20-$40 is nothing for that kind of long-term support on a system they have no actual control over.

  8. Re:For people with a life... by dissy · Score: 5, Insightful

    Well, that's fucking scary. What is the alleged upside to Intel ME? Asking for a friend...

    Mass configuration, deployment, and recovery for a large fleet of desktop computers you are tasked with managing.

    You enable ME to remotely control the hardware and provision its boot drive, and manage the initial setup of the OS down for untrained staff for repair purposes.

    You can enable it by hitting Control-P at boot, turn ME on, set up an IP/VLAN, and upload a public key into it to authenticate.
    Alternately you can load some config files on a USB stick to do that, and hitting Control-P will see this and use those configs for you.
    Alternately again, if you buy a hundred or more PCs a year, you can provide a special public key and ME-Manager IP address to your OEM, and they put it into a special provisioning mode with that info.
    On first boot it will contact your provisioning server and accept configurations signed with that special keypair's private key, and the provisioning server then uploads the real public key and other settings.

    Once provisioned, you can instruct the system to mount an ISO image over the network to be in the optical drives place, and send power on/off events.
    Generally you'll do this to load your initial OS base image and let it image the HD for your company.
    Once that part completes, the base image OS does its own initial setup depending on OS (Active Directory for Windows; LDAP with Puppet for Unix, or RedHat's launchpad, as just two examples).

    When a desktop has a boot drive failure, you can order a new HD and have it shipped to the branch office, and have nearly anyone swap the HD out.
    In the meantime you've reset the system to be in provisioning mode, so you instruct your "remote hands" to change out the HD for the new one and hit the power button.
    The system comes up and has the HD imaged again, either with a previous backup or your base image, and you go from there.

    The concept is a great one.

    However the GP is telling the truth when they say the ME code can't be audited.
    That's a pretty big problem as you have to trust Intel that it does what they say it does.

    Of course to even get to ME, you need either layer-3 network access or physical access.
    If one has physical access they already "own" the system, and it already falls under physical security instead.
    It's the local LAN access that can be a problem.

    The concern in the real world isn't so much about Intel or the government, as those bodies already don't have access into our firewalls nor do we provide them VPN access in. It's about other employees which need to be in the building to do their work and thus have access to the LAN.

    GP also intentionally confused the separate issues with taking over the ME code.
    Researchers have found code exploits and used those to perform the hijacking of the ME.
    There is zero evidence Intel has any additional access than is claimed.

    This is like saying a one-off typo in some code that results in a remote exploit in your webserver is the exact same thing as the makers of that webserver intentionally granting someone else access to your system. And that is rarely the case.

    As the ME code isn't able to be audited the possibility is not zero percent.
    But even if it could be shown Intel's code has no backdoors and everything is written to work exactly like the ME documentation says it does, that only means Intel is trustworthy in their intentions. Bugs in code that result in an exploit are still very possible and still a real threat.

    I just don't see the usefulness of saying "Looks like a bug in OpenSSH has an exploit, and Linus allowed it to be put on Linux, thusly I will never trust another thing Linus says or writes including any patches to fix the problem" purely due to not being smart enough to understand the math and code doing encryption.
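As an added example (not code from the original post, and not Intel's actual AMT provisioning protocol), here is a simplified Go model of the first-boot trust handoff dissy describes: the device boots trusting only the OEM-installed provisioning key, accepts one config signed by that key which delivers the operator's real public key, and from then on rejects anything not signed by the operator, including configs signed with the now-stale OEM key. The type names, the JSON layout, the manager hostname and the choice of ed25519 as the signature scheme are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Config is the constructed payload; NewPubKey appears only in the first-boot config.
type Config struct {
	ManagerAddr string `json:"manager_addr"`
	NewPubKey   []byte `json:"new_pubkey,omitempty"` // operator's real public key
}

// Device is a simplified model of the ME trust state the comment describes.
type Device struct {
	Trusted      ed25519.PublicKey // OEM provisioning key until provisioned
	Provisioning bool
}

// Sign returns the JSON payload and its ed25519 signature (OEM or operator side).
func Sign(priv ed25519.PrivateKey, c Config) (payload, sig []byte) {
	payload, _ = json.Marshal(c) // Config holds only encodable fields
	return payload, ed25519.Sign(priv, payload)
}

// Apply verifies against the currently trusted key before parsing, so a stale key cannot change settings.
func (d *Device) Apply(payload, sig []byte) error {
	if !ed25519.Verify(d.Trusted, payload, sig) {
		return fmt.Errorf("config rejected: not signed by the trusted key")
	}
	var c Config
	if err := json.Unmarshal(payload, &c); err != nil {
		return err
	}
	if d.Provisioning {
		if len(c.NewPubKey) != ed25519.PublicKeySize {
			return fmt.Errorf("provisioning config must deliver the operator key")
		}
		d.Trusted, d.Provisioning = c.NewPubKey, false // OEM key retired here
	}
	return nil
}

func main() {
	oemPub, oemPriv, _ := ed25519.GenerateKey(nil)
	opPub, _, _ := ed25519.GenerateKey(nil)
	d := &Device{Trusted: oemPub, Provisioning: true}
	fmt.Println(d.Apply(Sign(oemPriv, Config{"me-manager.example", opPub})))
}
```

The point a defender should take from the model is the last line of Apply: once the operator's key is installed, the OEM-held provisioning key must stop being accepted, otherwise everyone who ever held it keeps a way in.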