Recent Intel Chipsets Have A Built-In Hidden Computer, Running Minix With A Networking Stack And A Web Server

from the what-could-possibly-go-wrong? dept

One way of looking at the history of computing is as the story of how the engineering focus rose gradually up the stack, from the creation of the first hardware, through operating systems, and then applications, and focusing now on platform-independent Net-based services. Underneath it all, there’s still the processor, even if most people don’t pay much attention to it these days. Unregarded it may be, but the world of the chip continues to move on. For example, for some years now, Intel has incorporated something called the Management Engine into its chipsets:

Built into many Intel Chipset-based platforms is a small, low-power computer subsystem called the Intel Management Engine (Intel ME). The Intel ME performs various tasks while the system is in sleep, during the boot process, and when your system is running. This subsystem must function correctly to get the most performance and capability from your PC.

That is, inside recent Intel-based systems, there is a separate computer within a computer — one the end user never sees and has no control over. Although a feature for some time, it’s been one of Intel’s better-kept secrets, with details only emerging slowly. For example, a recent article on Network World pointed out that earlier this year, Dmitry Sklyarov (presumably, that Dmitry Sklyarov) worked out that Intel’s ME is probably running a variant of the Minix operating system (yes, that Minix.) The Network World article notes that a Google project has found out more about the ME system:

According to Google, which is actively working to remove Intel’s Management Engine (MINIX) from their internal servers (for obvious security reasons), the following features exist within Ring -3:

Full networking stack
File systems
Many drivers (including USB, networking, etc.)
A web server

That’s right. A web server. Your CPU has a secret web server that you are not allowed to access, and, apparently, Intel does not want you to know about.

Why on this green Earth is there a web server in a hidden part of my CPU? WHY?

The “Ring -3” mentioned there refers to the privilege level the ME system runs at. As a Google presentation about ME (pdf) explains, operating systems like GNU/Linux run on Intel chips at Ring 0; Ring -3 (“minus 3”) trumps everything above it — including the operating system — and has total control over the hardware. Throwing a Web server and a networking stack in there too seems like a really bad idea. Suppose there was some bug in the ME system that allowed an attacker to take control? Funny you should ask; here’s what we learned earlier this year:

Intel says that three of its ME services — Active Management Technology, Small Business Technology, and Intel Standard Manageability — were all affected [by a critical bug]. These features are meant to let network administrators remotely manage a large number of devices, like servers and PCs. If attackers can access them improperly they potentially can manipulate the vulnerable computer as well as others on the network. And since the Management Engine is a standalone microprocessor, an attacker could exploit it without the operating system detecting anything.

As the Wired story points out, that critical bug went unnoticed for seven years. Because of the risks a non-controllable computer within a computer brings with it, Google is looking to remove ME from all its servers, and there’s also an open source project doing something similar. But that’s difficult: without ME, the modern systems based on Intel chipsets may not boot. The problems of ME have led the EFF to call on Intel to make a number of changes to the technology, including:

Provide a way for their customers to audit ME code for vulnerabilities. That is presently impossible because the code is kept secret.

Offer a supported way to disable the ME. If that’s literally impossible, users should be able to flash an absolutely minimal, community-auditable ME firmware image.

Those don’t seem unreasonable requests given how serious the flaws in the ME system have been, and probably will be again in the future. It also seems only fair that people should be able to control fully a computer that they own — and that ought to include the Minix-based computer hidden within.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+



Comments on “Recent Intel Chipsets Have A Built-In Hidden Computer, Running Minix With A Networking Stack And A Web Server”

132 Comments
Royce says:

Re: Intel owns You

Since 2008, most Intel chipsets contain this “Management Engine”.

However, this is old-news that broke widely in Spring of 2016.

Several independent researchers have published software/scripts claiming to disable Intel ME, but non-experts run a substantial risk of bricking their PCs.

Only Intel can remedy this issue and it is largely unresponsive. There are indications that Intel can and will disable its ME for some “government” PC users.

Whom do you trust in life?

Anonymous Coward says:

Re: Re: Intel owns You

“However, this is old-news that broke widely in Spring of 2016.”

I guess that makes it ok?

“Whom do you trust in life?”

On the internet? … no one

I wonder if/when this little piece of shit they have concocted will have wifi and how will they hide the antenna. Screen rooms are expensive.

JoeCool (profile) says:

Re: Re: Re: Intel owns You

That would be too easy to handle – just put your PC in a Faraday cage just big enough for the PC. You need your sneaky backdoor to communicate through an interface the user can’t afford to block. That’s the ethernet right now, since that’s the primary way PCs connect to the internet. Making it use WIFI would be better for a laptop or tablet.

probably says:

me = millenium_edition

This is absolutely unacceptable for every reason under the sun entirely. This is absolute proof that everything you know and do is totally and irreparably backdoored already. I do mean totally and absolutely backdoored. You cannot keep them out, you cannot do anything to minimise this, you cannot stop this ever. You and your people are entirely backdoored. You do understand the implications of this, don’t you? ’Cause if you don’t, I hope you don’t do anything that makes them interested in you. ’Cause you ain’t got no hope after that.

Regards
Your CIA, FBI, Home Affairs and basically all government.

Anonymous Coward says:

Re: Re: me = millenium_edition

You will be replacing a Trump for a Clinton, then. AMD got its own backdoor. Work is underway to produce backdoor-free workstations in the EOMA68 and Talos projects. But the first uses a somewhat low-powered Allwinner A20 SoC, while the latter employs an IBM POWER9 CPU and costs a fortune ($5000, rounded up).

Kal Zekdor (profile) says:

What. The. Frak.

Subject line says it all. This is utterly ridiculous. I’ve heard about the management engine before, but I had no idea it had a networking stack, let alone a full-blown web server. I thought that it was doing the management, not that it provided access for external management. I guess I assumed that nobody was stupid enough to expose low-level hardware controllers like that to potentially hostile actors, at least not without requiring something like a maintenance jumper or DIP switch. I know, stupid of me to assume basic competence.

onlinescamkiller (profile) says:

Avoid Online Scams

For brilliant minds, a well-designed course from Online Scam Killer for those entrepreneurs who want to learn about making money online. To avoid online scams, learn some new and easy concepts to earn money through the internet.

website:-https://onlinescamkiller.com/avoiding-scams

Email id:- sirshendu@onlinescamkiller.com

Anonymous Coward says:

Re: Re: Avoid Online Scams

With control of the ME, these scammerz will be able to click buttons for you, fill in your credit card info, change the delivery address, and soon – even vote for you and fill in your IRS tax forms.

But according to many of our esteemed “leaders” this is nothing to worry about and is probably fake news.

It is things like this that are putting the Onion out of business.

Anonymous Coward says:

Re: Re:

Yes they do, it is supposed to be similar to the Trust Zone stuff.

http://www.amd.com/en-us/innovations/software-technologies/security

There are other added items in the Zen Core lineup too…
http://www.amd.com/en/technologies/zen-core

Every CPU that has a security feature baked in is just going to need something like this anyways. The problem is the idea of moving the security to the CPU; it should not be moved there. Security modules should be separate, but then again, how else can you take money from the NSA and build in a hackable management feature that lets them spy on all these machines?

The NSA has been creating a security debt in computing for several years now and there is no telling how compromised systems have been made to help government interests.

Anonymous Coward says:

Re: Re: Re:

AMD got the community excited some years ago (pre-Ryzen) because they promised to release enough information to allow a fully free BIOS. Wikipedia says it’s "AGESA", released as source in 2011. Notably, this included the memory setup code, which for Intel is an unexplained binary blob. But AMD have refused to release the information for their latest CPUs. It’s not just the algorithm; they don’t even release register documentation that would allow people to implement their own algorithms.

Every CPU that has a security feature baked in is just going to need something like this anyways.

That’s far from obvious. Please explain.

CPUs have always had "security features", like protected mode, that weird i960 stuff, crypto instructions… none of that required firmware running above the OS. But the CPU itself was still secret, which is the real thing that needs to change to solve this problem. There are several promising projects including lowRISC (RISC-V) and J2 (SH-2).

Anonymous Coward says:

Re: Re: Re: Re:

“That’s far from obvious. Please explain.”

I thought it would be super obvious. In order to interactively provide security to keep a CPU from executing malicious code something has to be able to intercept, analyze, and release it. This means that some form of a management engine will be necessary to operate outside the scope of a standard CPU’s function.

Or in lay speak… a cpu needs to process instructions, malicious or not… it is more effective to add a management tool designed to handle it. Because a CPU guarding itself is a much less effective and easier to compromise guard.

Anonymous Coward says:

Re: Re: Re:2 Re:

Baking security into a cpu is a bit silly and suggesting a management engine is necessary to make it work is even more ridiculous, unless your definition of security differs from what the rest of us use. Perhaps you refer to “security” as in protecting the corporate/political structure against unwanted political speech and/or dissemination of unwanted facts. In this case, I think you would be correct.

Computer security used to be rather straightforward and did not require management engines between the user and their hardware – acting like a nanny. However, recent events/products have made things a bit cloudy … hahaha … and nefarious money grubbers are eager to cash in. In addition, the IOT idiots allowing huge bots to run roughshod over the unsuspecting consumers is not helping.

Anonymous Coward says:

Re: Re: Re:3 Re:

I got nothing to say to your logically incompetent post. It is so full of wrong that it would take an entire post for each mistake to explain how and why you are wrong.

“unless your definition of security differs from what the rest of us use.”

Most security is theater, yes I have a different definition than most of you.

I hope you understand the insult I intended in that statement!

Anonymous Coward says:

Re: Re: Re:4 Re:

Yes, I’m sure that everyone but yourself is ignorant of the benefits provided by such ummm, what do you people like to call it nowadays … is it still called TPM?

What exactly is incompetent and /or wrong, no need for a thesis – just put it in one sentence so we all can see just how super smart you are – is that too difficult for you?

So, you are telling me that it is ok for a cpu to have theater baked into it? I think it is you who is baked.

Anonymous Coward says:

Re: Re: Re:5 Re:

“Yes, I’m sure that everyone but yourself is ignorant of the benefits provided by such ummm, what do you people like to call it now days … is it still called TPM?”

Eh, no. I am just saying most not all. The problem with TPM is its closed off nature, not its presence in the system. But that is just simply how proprietary works now isn’t it?

“just put it in one sentence so we all can see just how super smart you are – is that too difficult for you?”

lol… I am not smart enough to put an entire “concept” into a single sentence that people could possibly understand. But “Security Theater” is the general term for this… basically building something that “looks” like it is secure while it actually is NOTHING of the sort in reality or practice. Like the TSA for example. It’s a fucking joke, PURE theater from its inception and its practices and policies.

“So, you are telling me that it is ok for a cpu to have theater baked into it?”

How you came to that conclusion is beyond me.

Anonymous Coward says:

Re: Re: Re:2 Re:

In order to interactively provide security to keep a CPU from executing malicious code something has to be able to intercept, analyze, and release it.

That’s one example of a security feature, not the only way to implement security. That idea seems inherently heuristic, dependent on knowing the specifics of what "normal" instructions look like for an OS. Normally CPUs use deterministic security, like page-table R/W/X bits, and AFAIK these features have been dependable. It’s not the CPU’s job to detect malice, it just needs to provide features OS kernels can use for security.

Because a CPU guarding itself is a much less effective and easier to compromise guard.

Has anyone ever broken out of ring 3 of the 80386 or its successors, by exploiting the CPU rather than the OS? I’ve seen no evidence CPU-internal security features are less reliable than external ones.

Anonymous Coward says:

Unfortunately more recent AMD chipsets have a similar processor. I don’t believe anywhere near as much information is available, but it’s called the PSP (not to be confused with the other PSP), and last time I checked I believe it was a small ARM A8 core. I have not heard how much of a software stack it runs, but to me it’s just as disturbing.
On a side note: it seems more recent Intel ME’s are a modified form of x86, however in the past there have been variants of ARC cores as well.

Anonymous Coward says:

Re: Re:

In my humble opinion I believe this is why RISC-V (or a similar arch) should be the future of processors.
I hope that Intel has done us all a back handed favour in that the reaction to vulnerabilities in the ME will increase the desire to audit or be able to audit all levels of a system.
Will that actually happen? I don’t know, but that’s my hope

Anonymous Coward says:

Re: Re:

Open source chips is the “death of the industry” because then all the little optimizations (and non-optimizations) are free for any other hardware manufacturers to use.

Trade secrets are one thing. But we can’t trust computer security to be secret anymore, not when it’s this vitally important.

Anonymous Coward says:

Re: Re: Re:

Open source chips is the "death of the industry" because then all the little optimizations (and non-optimizations) are free for any other hardware manufacturers to use.

Intel would still make money with open-source chips. Nobody else has chip-manufacturing technology (lithography) as advanced as theirs. An open-source design is one thing, but you need to physically build it. (Competitors include AMD aka Globalfoundries, TSMC, Samsung.)

Unfortunately, it’s been shown that the chip-builders can introduce flaws (with security impact) almost undetectable by the designers… at least until the next stage of this arms race.

Anonymous Coward says:

Re: Re:

Wtf was Intel thinking?

They were thinking that they wanted to push features of high-end systems into their commodity systems. A "service processor" has been a standard feature on supercomputers and mainframes since at least the 1960s. Over the years Intel has steadily incorporated high-end features like ECC, vector processing (MMX, SSE, etc), IOMMU, IO hot swapping, etc into their chips. This management engine can be a godsend for a corporate IT department managing thousands of systems, giving them fully centralized control over desktops and servers.

Where they screwed up was in trying to keep it locked down, proprietary and worst of all, mandatory. I’m sure they made that choice because they thought security through obscurity was both a good idea and sufficient. They wouldn’t be the first to make that mistake and they won’t be the last.

Ninja (profile) says:

Re: Re: Re:

“Where they screwed up was in trying to keep it locked down, proprietary and worst of all, mandatory. I’m sure they made that choice because they thought security through obscurity was both a good idea and sufficient. They wouldn’t be the first to make that mistake and they won’t be the last.”

That’s where my question goes. Intel is no newbie, it should have seen how bad it would be if flaws were discovered.

Anonymous Coward says:

Re: Re: Re:

“They were thinking that they wanted to push features of high-end systems into their commodity systems.”

And it makes sense for huge installations run by outfits with huge budgets that can afford fancy firewalls with constant maintenance – but the general public finds itself at quite a disadvantage in that many do not know what a firewall is nor why they now are in need of one.

orbitalinsertion (profile) says:

Re: Re: Re:

LMAO. I only saw one ME system ever, and it didn’t last long in that setup. Now I am frightened.

But actually i wasn’t thinking in terms of Minix being bad, it’s just Intel’s behavior. I’ve been a bit of an admirer of Minix for years, and play around with it occasionally. I think i still have 3.1.2 alpha on CDs somewhere, as those were convenient for storage when that was released.

Maybe Intel should cough up that USB support back upstream, if it is implemented in the OS code.

Anonymous Coward says:

This may help the uptake of in-house designs using tech such as FPGA or GPU. It’s no magic bullet, but Google has the smarts to analyse how its algorithms are run and perhaps port some of that to non-CPU technology.

It’s the compromise between expensive custom-made ASIC-style tech, and the flexibility of cheaper off-the-shelf components (with apparent backdoors like this).

I’ve got a few Z-80s lying around if they want something retro 😉

Anonymous Coward says:

Simple Fix?

This is the first I have heard of this ME, so excuse my comment if this has been discussed before. I did super fast search but nothing apparent came up.

If the ME has a network stack then it has to be set to DHCP. So an easy fix would be to find out its IP address or the port it uses if it is piggy-backing on the PC’s IP and block it at your local firewall level.

Does AMD have something similar? This is seriously something that has me considering a switch. I will communicate with my dollars.

Anonymous Coward says:

Re: Simple Fix?

Yes – you can certainly firewall the port.

Also on servers or other machines with multiple network interfaces, the IME is always on the first port. So if you don’t need both, plug into the second one and you are going to be protected.

The ME does a lot of stuff. Some of it we need so you can’t just get rid of it entirely. It would be nice though if you could turn off the remote management features or shut it down after the machine has booted.

Anonymous Coward says:

Re: Simple Fix?

If the ME has a network stack then it has to be set to DHCP. So an easy fix would be to find out it IP address or the port it uses if it is piggy-backing on the PC’s IP and block it at your local firewall level.

What do you mean by "local firewall"? If it’s the firewall on that PC, the ME bypasses that completely. If an external firewall, you’re still vulnerable to worms within the LAN. Also note that it would see the traffic to all IP addresses, and we hope ignore traffic to other addresses; but they could’ve coded that wrong, maybe with weird fragmentation or something you’d crash the IP stack before it looked at the address.

Fill the built-in port with glue, attach a USB LAN adapter, and hope the ME doesn’t support those.
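The "firewall the port" suggestion above and the reply that a LAN-internal worm never crosses an external firewall can both be checked against traffic records. This is an added example, not code from the article or the commenters: it scans a constructed flow log for connections to the ports Intel AMT listens on (the port numbers are a known fact about AMT, not stated on the page) and reports which flows an edge firewall could block versus which stay inside the LAN; the 10.0.1.0/24 subnet and the log format are assumptions.

```python
"""Scan simple flow-log lines for traffic to Intel AMT management ports and
note whether an edge firewall would even see each flow.

Added example with constructed data; not the article's or commenters' code."""
import ipaddress

# Ports Intel AMT's management services listen on (IANA: amt-soap-http 16992,
# amt-soap-https 16993, asf-rmcp 623, asf-secure-rmcp 664; AMT KVM uses VNC 5900).
# Known fact about AMT, not taken from the page.
AMT_PORTS = {16992: "amt-soap-http", 16993: "amt-soap-https",
             623: "asf-rmcp", 664: "asf-secure-rmcp", 5900: "vnc/kvm"}

# Constructed sample flow log: "timestamp src dst dport proto bytes".
SAMPLE_FLOWS = """\
1510000001 10.0.1.23 10.0.1.40 16992 tcp 812
1510000002 10.0.1.23 93.184.216.34 443 tcp 5120
1510000003 203.0.113.9 10.0.1.40 16993 tcp 640
1510000004 10.0.1.50 10.0.1.40 5900 tcp 230
1510000005 10.0.1.23 10.0.1.40 22 tcp 4096
1510000006 203.0.113.9 10.0.1.40 623 udp 96
"""

LAN = ipaddress.ip_network("10.0.1.0/24")  # assumption: the local subnet


def parse_flow(line):
    """Split one constructed flow-log line into typed fields."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": int(ts), "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def find_amt_flows(text, lan=LAN):
    """Return flows aimed at AMT ports, tagged with whether they cross the LAN edge."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["dport"] not in AMT_PORTS:
            continue
        flow["service"] = AMT_PORTS[flow["dport"]]
        # An edge firewall only sees flows crossing the LAN boundary; a flow
        # between two LAN hosts (the "worm within the LAN" case) never reaches it,
        # and the host's own firewall is bypassed by the ME entirely.
        flow["crosses_edge"] = (flow["src"] in lan) != (flow["dst"] in lan)
        hits.append(flow)
    return hits


def summarize(hits):
    """Count flagged flows by where a block could actually be enforced."""
    return {"edge_blockable": sum(1 for h in hits if h["crosses_edge"]),
            "lan_internal": sum(1 for h in hits if not h["crosses_edge"])}


if __name__ == "__main__":
    found = find_amt_flows(SAMPLE_FLOWS)
    for h in found:
        where = "edge firewall" if h["crosses_edge"] else "LAN-internal only"
        print(f"{h['src']} -> {h['dst']}:{h['dport']} ({h['service']}) [{where}]")
    print(summarize(found))
```

On the constructed log, two of the four AMT-port flows come from outside and could be dropped at the edge; the other two are LAN-to-LAN and would need a switch ACL or a block on the management host itself.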

Anonymous Anonymous Coward (profile) says:

Just Curious

Wouldn’t something like Wireshark have detected any network traffic from the network stack/web server mentioned in the article? Wouldn’t some questions have come up about traffic coming from a computer with disabled NIC’s?

Or is the usage of these components so minimal that that it goes undetected?

I seem to remember an issue with the Intel ME system a few months back. The fix that came from Intel required a reboot in my Windows systems (Dual booting here) but never got mentioned in my Linux system. Hmm…..

Anonymous Coward says:

Re: Just Curious

Wouldn’t something like Wireshark have detected any network traffic from the network stack/web server mentioned in the article?

Yes, but by then the system could be compromised. It might only take one packet.

Wouldn’t some questions have come up about traffic coming from a computer with disabled NIC’s?

That’s not how it works. It won’t be sending network traffic, in most configurations, except in reply to network traffic sent to its address (it may have IP/MAC addresses different from the ones known for that interface). If nobody knows to send those Manchurian packets to it—how can you if you don’t know whether it’s enabled or what its address is?—it will be undetectable.

Anonymous Coward says:

Re: Re: Re: Just Curious

I thought the ME was a cheapo version of a hypervisor – idk.

Hypervisors are sometimes called "ring -1" indicating they run closer to hardware than ring 0 (the OS kernel). Then System Management Mode is ring -2, and as the article says, ME is ring -3. So basically, rings -2 and -3 are the hypervisors you never wanted.

If so – then it is probably capable of sharing resources and therefore you would not be able to so easily stop its net traffic, deep packet inspection would but it is not easy for the general public to do.

"Deep packet inspection" cannot go deep enough to detect sufficiently advanced steganography—like modifying the timing (jitter) of the legitimate packets the OS was already sending.

Anonymous Coward says:

Re: Re: Re:2 Just Curious

not all hypervisors are equal.

There are 5 prevalent types of hypervisors that generally exist and focus on specific things.

1st Style, and may not really be considered a hypervisor in the general sense, as hardware is 100% emulation where lots of things are interpreted so that it can execute in a foreign environment… think game console emulators here; this may also be very similar to 5th style virtualization as well.

2nd Style, Hosted Hypervisor where a full Operating System is running and usually on top of another already running OS not intended to run another OS. Vmware Player and Windows Server virtualization are these.

3rd Style, Native/Baremetal Hypervisor where the hardware itself is involved with the virtualization of things where any OS that is running is dedicated to the running of OS’s. VMware ESX, Hyper-V are good examples of these.

4th Style, Hardware Virtualization where hardware is virtualized inside of hardware…. think Software Defined Datacenter or SDNetworking, or Cisco UCS platform, HP Blades or any other High Density Computing platform.

5th Style, software virtualization where applications themselves are separated from the OS layer by abstraction… think App-V or the next generation Docker Containers. This is new and a growing sector.

“The Cloud” is usually composed mostly of the 3rd and 4th and 5th types to varying degrees depending on the provider.

DannyB (profile) says:

Get Over It, Time To Move On

The fact that your hardware is compromised from the factory and the compromise is baked right into the hardware is OLD NEWS. Years old.

Time to move on to something new.

With the large sizes of modern hard drives it is time to start building "management engines" directly into the drives. Each hard drive would have a secondary network connector (ethernet, wifi) in addition to the primary connection of the drive to the computer (scsi, sata, eide, etc). The drive would refuse to work without the network connector being operational at least occasionally.

This would enable the mother ship to analyze the contents of your drive. Because of: (in decreasing order of national importance)

[x] anti-Trump comments!

[x] Copyright Infringement

[x] videos of crimes committed by police

[x] Think of the Children!

[x] Blackmail material

[_] Justin Bieber music

[x] Crypto keys

[x] Terrorism

Furthermore, the mother ship would be able to communicate with the management engine inside of a hard drive in order to write to it which is useful for planting evidence.

The remote monitoring consoles for scanning and altering hard drives need an advanced UI that can be operated by one hand. This leaves the other hand free for . . . um . . . .

eating donuts. And other activities.

DannyB (profile) says:

Re: Re: Get Over It, Time To Move On

I’m being sarcastic, but maybe not obviously enough.

This is an issue of major importance.

I’m also pointing out that they probably won’t stop by just pre-compromising microprocessors. They will probably try to compromise other hardware as well. By “they” I mean whoever put Intel up to this nonsense.

As things stand at the moment, can you even trust your compiler tool chain when run on an Intel microprocessor? (See “Trusting Trust” article from ancient times.)

Anonymous Coward says:

Re: Get Over It, Time To Move On

With the large sizes of modern hard drives it is time to start building "management engines" directly into the drives.

We’re closer than you may think… people have already ported Linux to run on the embedded CPU of a hard drive, and there are "external hard drives" that include a network interface for free (i.e., external drives don’t cost appreciably more than internal).

This would enable the mother ship to analyze the contents of your drive.

Never store anything other than a minimal boot partition unencrypted. Crypto is so fast that there’s no reason to. If you want convenience, use a plaintext key stored on a USB stick, plus a random recovery password written on paper; at least then you can still RMA the disk when it dies, without sending all your private data to the (USA-based) repair center. USB sticks are cheap enough to destroy with a hammer as necessary.

Anonymous Coward says:

Re: Re: Re: Get Over It, Time To Move On

If your hardware or OS have been compromised, you cannot keep your key secret

If your disk has been compromised, you can still keep your key secret (AFAIK—I don’t think HDDs are bus-mastering). If the CPU/ME is compromised, you’re screwed, but it’s not a reason to avoid disk encryption.

Anonymous Coward says:

Re: Re: Re:

I recall a story in the past where an Embassy used several Etch-A-Sketch devices to thwart spy devices they knew were planted in the building. I did a quick google search that returned nothing close to what I was looking for – wth happened to google search, it used to be better than this.

Anonymous Coward says:

There *is* an "official" way to disable it

The linked blog post is from 2016. Since then, people have found a (semi-)official way to disable it. It’s believed that the idea of the ME freaked out certain government agencies who weren’t going to buy Intel CPUs if they couldn’t disable it (all the more reason to let everyone disable it). It’s obscure and undocumented: the HAP or AltMeDisable bit.

To say that the bug went unnoticed for seven years might be inaccurate. That the NSA noticed it could be the very reason they pushed Intel for those magic bits.

Anonymous Coward says:

Re: Re: There *is* an "official" way to disable it

The NSA noticed it? How do you know they didn’t encourage or order it?

They wouldn’t have let us disable the ME with a single bit. They’d have required NSA-signed firmware, linked to a hardware serial number.

(There’s precedent for including "extra" signing keys: Windows has long been known to include an "NSAKEY".)

Thad (user link) says:

Re: Access

How about phones? Do these chips run in our cells?

Not these specific chips, no; Intel has never gotten a significant toehold in the mobile market. (I don’t think IME is present in Atom chips, but I’m not 100% sure on that; at any rate, your phone probably doesn’t have an Atom chip in it anyway.)

That said, your phone is probably just as vulnerable at the firmware level; maybe moreso.

Thad (user link) says:

Re: Re: Access

(Disclosure: I worked for Intel as a temp for six weeks in 2015, at which point I was laid off. I enjoyed working there; I did not enjoy being laid off six weeks into what was supposed to be a five-month contract. I do not believe these facts color my opinion of Intel/IME, but it’s probably worth mentioning that connection just for the sake of transparency.)

David (profile) says:

Remember their 'uncore'?

This is that. There is a small (ARM?) unit that manages several items, including some power issues (IIRC). It also is used to verify that the cores are talking to each other (or it). Read their web page for more Intel provided data.

Consider a modern multi-core CPU is like a small minicomputer cluster of old. That is as close as I can surmise, without more details being available. I know it is used (supposedly limited to *cough*) to enterprise level support which is to enhance control by IT staff for updates, rollouts and gods knows what else.

However, please note that this is Intel supplied data and they have a bias for their viewpoint. To the extent of not wanting others to see much. Thus Google’s push to get rid of it or at least mitigate its absolute control over the CPU.

Considering that Intel jumped whole hog into the DOS IN BIOS (UEFI) one suspects it incorporates features to support that bullshit boot system.

Of course, it is probably filled to overflowing with mission and feature creep just to make me feel good about HW bozos writing SW. Although they aren’t even HW folk. They’re chip designers. At Intel that gives them God Mode Always On status. Like in a video game.

Rekrul says:

So you don’t have to worry about Sony or anyone else putting a rootkit on your system because Intel already included one right in the chipset?

I found a program that supposedly checks for the ME, but naturally it registers as a threat to my antivirus.

The instructions for disabling this, if it’s in your system, are equally as vague.

Assuming that this is actually a genuine mistake rather than a malicious act on Intel’s part, I have to wonder; Just how frigging stupid are the designers? Computers have been a consumer product for close to 40 years now and if there’s one truth, it’s that any flaw that can be exploited will, 100% without any shadow of a doubt, be exploited. Was this designed by the same idiot who thought it would be a good idea to make Outlook Express automatically execute email attachments? Or the moron who decided that automatically executing whatever code the system found on a USB device or optical disc was a smart thing to do?

Is it really plausible to believe that such supposedly smart people keep making such mind-numbingly stupid decisions?

Rekrul says:

Re: Re: Re:

You are mixing up Intel and Microsoft. Both are champions of the "a bad design just needs more resources to win the race" philosophy, but they are still different entities.

Yes, I know they’re separate companies. I was just using MS as an example of how people in the computer industry keep adding ridiculously stupid "features" for the sake of convenience without stopping to consider how they might be abused. Then once these "features" are embedded in the hardware/software, people have a hell of a time trying to disable them to keep themselves safe.

I wish there was a patch to completely remove the whole auto-run system from Windows. I’ve disabled it for all devices in the registry, but there’s nothing stopping some program from re-enabling it. In fact, a couple years ago, it did get re-enabled without my knowledge. I didn’t realize it until I put a game CD in the drive and the launcher automatically popped up.

CISP029 (profile) says:

Use or Not

Intel ME can be turned off in the BIOS (and is shipped to suppliers with it off) on most modern computers; it is mainly used in larger corporations that provide services to users during downtimes or low-usage times (like when the PC is asleep or off). Sure, it can be nefarious, but you would protect your systems just as you protect your network. It does require a password and setup if you do decide to use it. Vanilla out of the box, it is not too scary.

When you have a user you cannot bump off of the system (like at a hospital, in the ICU), how would you get in to update, make changes, or check problems reported? This service allows you to do all of the above. If you are in a hardened, firewalled computer network, there is usually not much to worry about with this setup. Even at home, the ability to wake up your computer remotely while it is turned off is a godsend to some who VPN in for whatever reason (work, information retrieval, etc.). So now if you leave your house with your system off, you have the chance to send a ‘magic packet’ to communicate with your device at the most basic level and issue a command: ‘turn on’.

For network admins, the ability to make changes behind the scenes is critical: if you are in New York and have to change a system in Chicago (that is turned off), then you have the ability to make changes without user intervention.

Plus no talk of the fact that Intel ships processors with this ability turned off, and you can make the change permanent. It is funny how this ‘advanced’ service can be misconstrued as a government backdoor, because incorrectly implemented, it essentially is. All this functionality is unavailable to a system that is disabled; believe me, when I try to access a system that is off and ME is off, no amount of ‘magic’ will tamper with that system.

The BIOS is a scary place for some, and mucking around in it is more of a concern, because you can essentially make a system or break it in there. Most users, ‘I’ find, do not even know it exists or have been into it, imho, except by accident. That is why it (ME) is off at the start. No need to muck around, find the right thing there (BIOS-wise) and shut it down.

Paranoia abounds around any tech; heck, there were more problems with XP (OS) than any ME implementation. Imagine, at the end of life for XP, getting a critical update for a flaw. Does that mean that for the entire run of XP that flaw was there and being accessed by nefarious parties?

Intel ME allows you to make remote changes to your PC, or a corporate ‘company’ PC, which you have no control over anyway. Worry about it if you must, but that will not make it go away ‘magically’. Ha, could not resist.

You can install updates and troubleshoot a system without user intervention, or even the user knowing you are there. As above, in a hospital ICU this is important, but on your home system not so much. But if you set it up, read the ‘manual’, even at home it can be useful. The network admin’s toolkit has even more ‘nefarious’ tools than ME, and if used, still the user has no idea changes are being made while they are happily typing away. Are you on a network? Behind a router, on the internet, firewalled? Why?

There are so many other easier ways to compromise a system than using ‘intel’s’ ME; I would be much more afraid of them. Oh yeah, that is why you do use a firewall: to harden, NAT, the perimeter of your home network. And even after finding that WPS2, the de facto standard router security software, has been hacked, all routers are now suspect.

So, pick your poison: Intel ME; your own O.S. (what are patches for? sure, enhancements, but closing doors too); your personal router which you have hid behind forever. How long has the WPS hack been there without your knowledge? How many times was it used before it was eventually found, or noticed?

Hackers do not yell ‘look what I have found’; they will have that door closed as soon as possible if they did. So it is good for them to keep their findings under wraps for as long as possible, and this includes all software (Office back orifice) for example. These are not security people; these are the ones (hackers) who want what they can glean from you (bank info, credit cards, etc.). Right now at this time, what zero-day flaw is being exploited on your own personal system – at home or at work??

The Wanderer (profile) says:

Re: Use or Not

Intel ME can be turned off in the Bios (and is shipped to suppliers with it off) on most modern computers,

But turning it off there does not – at least not necessarily – disable all of the things that it does, or close the potential security holes that some of those things represent.

https://puri.sm/learn/avoiding-intel-amt/ and https://puri.sm/learn/intel-me/ – while from a group which is explicitly pro-software-freedom and anti-black-box, and as such may be open to accusations of bias – have a few things to say about the subject; the latter includes the claim that some ME features can only be "fused" on or off, and that once they’re fused on (as many suppliers do before passing the unit on to the consumer, and as Intel may expect them to generally do), they physically can’t be switched off.

Plus no talk of the fact that Intel ships processors with this ability turned off, and you can make the change permanent.

Because Intel ships processors that way to its suppliers, not to the consumer (unless you’re buying direct from Intel, maybe), and the supplier can and very well may turn this on in such a way that you can’t turn it back off.

There are so many other easier ways to compromise a system than using ‘intel’s’ ME, I would be much more afraid of them,

Just because another way is easier doesn’t mean that this way isn’t a genuine danger. Yes, it’s best to take care of the bigger risks first – but that’s not justification for ignoring the smaller ones.

CISP029 (profile) says:

Re: Re: Use or Not

Then this post is wrong; it is not on the CPU, and you can buy a motherboard with ‘other than intel chipsets’. I don’t understand this paranoia, do you work in IT? Have you used it? The software for the AMT is available to everyone, download it and test it. Oh, that is right, to test it you have to turn it on, but before you do, use one of these documented compromises to break into it. After that doesn’t work, enable it and see what you can do.
Manuals for it and its operation are online, and the software is geared towards corporate IT, but if you have this engine in your system, you can download the software to utilize it. Until you ‘play’ with it yourself, all these posts are hilarious. Using wording like On the CPU, May pose a threat, possibly compromise a system. The Chipset, may pose a threat, and many consumer grade gaming boards do not have it, or would install it on a non corporate designed system. You have choices, I already showed you how to look for it, and if you find it, woe is me; if you are the owner of a bank I would be worried, but joe blow?

I can give legit websites that will tell you which boards support it and which do not. It is a co-processor in the chipset; if you know, co-processor means one set aside, like do you have a math co-processor or not?

But of course if you have your mind made up, love a good conspiracy, and believe the ‘tester’ did not set up the hole, then there is no changing of mind, but I am going to show these posts to my friends. As we laugh, we will be glad you are ‘anonymous’; if you gave your info, ridicule would abound, behind your back of course.

I joined this site thinking it was about tech, I am sorely disappointed. Believe what you wish, no matter how flimsy it is, or who it appears to be from. I am nobody. And I typically try to spread misinformation, instead of information. This process was not ‘just discovered’ I have been using AMT for years. If you ‘just heard of it’ then you speak volumes to your ignorance. ‘Sorry’ Could not resist. Let me know if you need links…

CISP029 (profile) says:

IT working in Health

IT workers who will most likely be implementing the ‘secure’ (as secure as you can possibly be with tech) Intel Active Management Tech in any healthcare setting will have signed and understood HIPAA rules. This includes signing confidentiality agreements with employers, hospitals, and any patient-pertinent information systems. Most of the signed agreements explain ‘in detail’ the fines and/or jail time associated with the breach of patient confidentiality.

I mean, be real: is there IT at your hospital? I would hope so. These IT people, do they need Intel’s ME to view systems? No. When they are called to repair a database, fix encrypted email, or any other ‘information’ they will see in the daily performance of their duties, they certainly do not need Intel ME to view patient data. Fines are huge, jail time is looming.

After going through most of the links provided in this article, can you spot the one using an Arduino hooked up to a bunch of wires that is going to re-firmware a system? Hysterical. Or the Google PDF that looks like a poor PowerPoint presentation? How about the pictures of the unit on a quilt, in a room that looks like it is a kid’s bedroom that has no parental direction (like clean it up, dude).

If you go through this article with a critical eye, some of the amateurish evidence, the big words thrown in for some good measure, like explaining this to a user: We are so sorry, but it seems OSI layer 1 is responsible for your PC not connecting to or talking with the server. You sent packets out, but they are not being received by the remote system. We implemented the layer 1 fix and now you are back online.

Just enough jargon, eh? The true meaning of the above statement? User calls: IT, help me, I can’t reach the internet. IT shows up, looks it over for a minute and replaces the broken cable. OSI layer 1 is the physical layer of the network: cables, etc.

The first explanation makes the IT person feel superior in their knowledge regarding networked systems. But knowledge of one system in the business infrastructure does not make you a genius, no matter how many big words you know. Talk to me like a lawyer, I will be lost in a second.

The second explanation is geared to the user, it is what they want or need to know – without having to go online and look it up.

Wired is usually a good source of information and I have read it on occasion, but what they are saying, what you are worried about, and who can gain access to a system with Intel ME disabled?? I know horror stories that hold water, with respectable intel backing up the story, from respectable names in the industry.

PFSense, a respectable name in the routing/firewall industry, is riding on top of FreeBSD. Warning, warning, cough, cough, ugh.

CISP029 (profile) says:

Unconvincing or not

My wall of text does not have pointers to information sources with words like “May” or “Possibly”, nor do I take a tech giant like Google and place a feeble PDF online that is, well, it is what it is. Or even the one story, if you do read it, has a retraction at the bottom over the misinformation that they tried to represent as fact.

Maybe it is a wall to you, but it is the least jargonated wall of information I thought I would leave, to be helpful, not simplistic or condescending to those who simply do not understand. I have no stake in Intel or AMD, since it is the chipset, not the CPU. But that is just being nitpicky; chipset or CPU, it’s all the same, YA?

Wanna see your Intel ME??? In Windows 10, type a search for ‘device manager’ and open the local system’s Device Manager; you will be awarded a screen with all kinds of installed devices on your system. Swell. Should work on 7 too. In Device Manager, expand System devices. Scroll down through until you reach the Intel devices. Look for Intel(R) Management Engine Interface. Yep, there it is, hidden for all to see. So nefarious and dripping with, well, you know what, eh? Oh, I also have a High Precision Event Timer, do you? Oh well, not all systems are the same.

For something that is so well hidden, hard to find, or even disable on a system – well, looks like you’ve been had, my friend (or not).

Rekrul says:

Re: Unconvincing or not

Wanna see your Intel ME??? In Windows 10, type a search for ‘device manager’ and open the local system’s Device Manager; you will be awarded a screen with all kinds of installed devices on your system. Swell. Should work on 7 too. In Device Manager, expand System devices. Scroll down through until you reach the Intel devices. Look for Intel(R) Management Engine Interface. Yep, there it is, hidden for all to see. So nefarious and dripping with, well, you know what, eh?

Yup, I see it. Such a descriptive name too! How could anyone see "Management Engine" and not instantly realize that it’s a mechanism for allowing others to remotely access their system? It’s so obvious that even the most computer illiterate can’t help realize what it is during their daily perusal of Device Manager.

And it’s so easy to see exactly what it’s doing too! I’ll bet you just double-click on it and you’ll be able to set all sorts of options, right?

CISP029 (profile) says:

Paranoia extreme edition

Remember, younger padawans, if the ME is in the chipset, it doesn’t matter what OS you place onto the machine; ME is still there, waiting for you, breathing, taking note of your secrets. Linux? Well, if it is installed onto a motherboard that supports ME, yes it is in Linux, so all the dual booting in the world won’t help. Mac would have to be one of the Intel systems that run Windows and Mac OS side by side. IBM AS/400 and Power7s, well, nuff said.

Anonymous Coward says:

Re: Paranoia extreme edition

Is it possible to acquire single core CPUs that do not have ME?

I have read the articles proclaiming the death of hobbyist computer building and even claiming the personal computer market is going away. Who would spend $1K on a system that is designed to allow easy access whether you like it or not? Guaranteed to be controlled by someone other than yourself, who would put sensitive information upon such a device?

They keep selling more and more shit that is eventually going to kill the internet by making it useless. Is this their goal or are they simply, out of ignorance, killing the goose that lays golden eggs?

Anonymous Coward says:

Re: Re: Paranoia extreme edition

Is it possible to acquire single core CPUs that do not have ME?

Sure, people throw away Pentium 3 computers all the time. Grab one from the curb. I’ve done that and ported Coreboot to whatever random motherboard it had, so I know there’s no proprietary software/firmware on it. (Maybe grab more than one… I bricked one doing that.)

More practically, the Raspberry Pi 3 is widely available and has a quad-core CPU with no management engine. It’s short on RAM but can run a full desktop system. (And has some proprietary firmware, but people have made some progress on a replacement.) ARM-based Chromebooks also have no ME and some can run Coreboot.

Anonymous Coward says:

Re: Parting Shot Boom

A whole lotta posturing before getting to the point that few piles of data can be defended. The better plan is to not collect the data or never allow the data pile to touch the Internet. That which does not exist can not be taken and that which is not able to be reached via a path can not be taken out via a non-existent path.

And the Microsoft LinkedIn poster ignores the ability of rubber hose key management beyond the Star Trek meme she posted.

Groaker (profile) says:

Someone appears to be monitoring browsing for certain references

After browsing this particular column and reader comments, the following page popped up on my browser while I was attending to something else. I had performed no action which should have actuated the page. I can only believe that an external source is monitoring my browsing for pages that contain references to a Management Engine. The URL of the site in question follows:

https://www-ssl.intel.com/content/www/us/en/support/articles/000005974/software/chipset-software.html?wapkw=management+engine

CISP029 (profile) says:

Monitoring

Yes, this is what I would expect to hear from a troll-laden set of comments, if I were so paranoid, that if I had any malware whatsoever, and were 100 percent sure that nothing (I mean nothing) was hijacking my browser (I dunno, BHO’s I guess??), and were a professor of Philosophy, Electrical Engineering (I.E.E.E), Programmer, and all around bad nerdy boy with too much time, or something else on his hands, would say. But LO, I am waiting for intel to knock at my door. I would work for them in a Heartbeat. As for open source projects to rid the world of nefarious computer backdoor products – more power to them, they are the hearlders of the future, spelt wron on puipose. Nhay Nyak Nyak, 1 stooge.

CISP029 (profile) says:

Open Source

Remember when open source is here to free you from being watched or soothes your paranoia, just when you feel it is ok to go back into the water, comes WIRESHARK. One of the best packet sniffers I have used, and it’s open source, and chock full of things to ‘watch’ what you do on your own workspace/Network. Remember no matter what it is, there are good uses, and bad use, dependent on the person(s) behind the wheel. Best of all, it’s free. Pick one, Free, Good, Fast, one but only one…

Monday (profile) says:

Turned off...

"{T}he first caveman who saw fire, burnt his thumb"

Then that same caveman realized ‘fire’ is gonna make him the most powerful freaking guy on Earth. And he was, for a time. Realized the profit of using a necessity to life as a commodity, put ’em in his kingdom, with a class all his own, ruling over the species, and here we are. Gettin’ all manipulated and shit…

As for the I(r) Management Engine in Device Manager, I went and found it and disabled it. I will watch, and run my different apps and see just what might turn it back on.

Thanks for the post.
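For anyone who wants the Device Manager check CISP029 describes in "Unconvincing or not" (locating Intel(R) Management Engine Interface), and the disable step Monday reports above, in a form that can be scripted and logged across a fleet, here is an added PowerShell example. It is not from the thread and not Intel's tooling. It relies on the built-in PnpDevice and NetTCPIP cmdlets (Windows 8 / PowerShell 4 and later); the Intel LMS service name is an assumption noted in the comments, and the probe address is a placeholder. One caveat the code makes explicit: the Device Manager node is only the host-side driver interface, so its status (or disabling it) tells you whether the operating system can talk to the ME, not whether the ME firmware itself is running or whether AMT is provisioned; for the latter you inventory the AMT ports from another host on the LAN.

```powershell
# Added example (not from the thread or from Intel): report the host-side state of
# the Intel Management Engine Interface (MEI) device, the Intel LMS service, and
# optionally probe a machine's AMT listeners from another host on the LAN.
# Requires Windows 8+ / PowerShell 4+ (built-in PnpDevice and NetTCPIP modules).

function Get-MeiDeviceState {
    # Match the Device Manager name quoted in the thread:
    # "Intel(R) Management Engine Interface" (sometimes suffixed with "#1").
    $devices = Get-PnpDevice -FriendlyName '*Management Engine Interface*' -ErrorAction SilentlyContinue

    if (-not $devices) {
        # No MEI node at all: either no ME driver is installed, or the board has no ME.
        return [pscustomobject]@{
            Found         = $false
            FriendlyName  = $null
            Status        = 'not present'
            Disabled      = $null
            DriverVersion = $null
        }
    }

    foreach ($dev in $devices) {
        # Win32_PnPEntity ConfigManagerErrorCode 22 is the documented
        # "This device is disabled." code, which Device Manager's "Disable device" sets.
        $disabled = ($dev.ConfigManagerErrorCode -eq 22)

        $driver = Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                    -KeyName 'DEVPKEY_Device_DriverVersion' -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Found         = $true
            FriendlyName  = $dev.FriendlyName
            Status        = $dev.Status          # 'OK' when enabled, 'Error' when disabled
            Disabled      = $disabled
            DriverVersion = $driver.Data
        }
    }
}

function Get-IntelLmsService {
    # Intel's Local Management Service is the host-side agent that AMT software uses
    # to talk to the ME. The service name 'LMS' is assumed here; if it differs on your
    # build, look it up with: Get-Service | Where-Object DisplayName -like '*Management and Security*'
    Get-Service -Name 'LMS' -ErrorAction SilentlyContinue |
        Select-Object Name, DisplayName, Status, StartType
}

function Test-AmtPorts {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int[]] $Ports = @(16992, 16993)   # Intel AMT HTTP / HTTPS listeners
    )
    # AMT's listeners are served by the ME firmware through the NIC, so run this from a
    # different host on the same LAN against the target's IP; a loopback probe on the
    # target itself never reaches the ME and proves nothing.
    foreach ($port in $Ports) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            ComputerName = $ComputerName
            Port         = $port
            Listening    = $r.TcpTestSucceeded
        }
    }
}

# Usage on the machine being checked:
Get-MeiDeviceState | Format-List
Get-IntelLmsService
# Usage from another machine on the LAN (192.0.2.10 is a placeholder address):
# Test-AmtPorts -ComputerName 192.0.2.10
```

`Get-MeiDeviceState` returning `Disabled = $true` after the Device Manager step is the expected result of what Monday did; it confirms the OS-side driver is off and nothing more. Whether the firmware's remote management is reachable is answered only by `Test-AmtPorts` run from a second host, which is the check worth scheduling when you inventory a network for provisioned AMT.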

Monday (profile) says:

Re: Turned off...

I shut IME off (disabled), and logged into my money and a couple other sites. The login was prompted each time – each site – because they "noticed" a change in my logins…

Not one thing was changed. No passes, emails, or computers and browsers, but they noticed something different. Makes me want to know what.

I always have my UNCServer processes stopped – have to do it manually every day, but it has never caused my logins any interruption.

Was this little IME bastard being used by my financial institutions? ‘cuz that’s a little disturbing – financial institutions using something for what, and to what end? Justified? I’d like anyone here to break some eggs and make comment to this possibility. Then again, I might be a conspiracy lover… nah. It’s just messed up to think on.
