Posted on 12/03/2017 7:56:42 AM PST by dayglored
In a slap to Intel, custom Linux computer seller System76 has said it will be disabling the Intel Management Engine in its laptops.
Last month, Chipzilla admitted the existence of firmware-level bugs in many of its processors that would allow hackers to spy on and meddle with computers.
One of the most important vulnerabilities is in the Management Engine, a black-box coprocessor with its own CPU and operating system that has complete control of the machine. It's meant to let network admins remotely log into servers and workstations to fix problems (such as a machine that won't boot).
The bugs, as security researchers discovered, allow rootkits and spyware to be installed on machines, which could then steal or tamper with information. So, perhaps unsurprisingly, several vendors including Lenovo have been quick to patch the bugs.
Denver, Colorado-based System76, meanwhile, has just banned the Management Engine outright.
In a blog post Thursday, the firm wrote: "System76 will automatically deliver updated firmware with a disabled ME on Intel 6th, 7th, and 8th Gen laptops. The ME provides no functionality for System76 laptop customers and is safe to disable."
It will apply to customers running Ubuntu 16.04 LTS, Ubuntu 17.04, Ubuntu 17.10, Pop!_OS 17.10, or an Ubuntu derivative with the System76 driver installed.
Desktops are not affected by the ban; they'll just receive ME patches "as they are available".
The firm said the rollout would happen over time and customers will be notified by email prior to delivery.
"Disabling the ME will reduce future vulnerabilities and using our new firmware delivery infrastructure means future updates can roll out extremely fast and with a higher percentage of adoption (over listing affected models with links to firmware that most people don't install)."
System76 did, however, note that Intel has the power to change device function and not allow manufacturers and consumers to disable ME, so this may not last forever.
Intel has not responded to a request for comment. ®
Hey ShadowAce, here’s one for the Linux folks.
This isn't a Windows issue, but I know a lot of you folks on the list also run Linux, or run your Windows as a VM within a Linux system, so this may be of interest there.
I don’t really see why Intel would want such a chip in home computers, where there is no network admin. Why don’t they make separate chips for home use?
There are those who believe the real purpose of the ME was remote administration from government agencies, not just local-network system admins. Its feature set includes all sorts of spy-enabling and remote-control capabilities.
One has to wonder why it was kept such a low-profile "feature" for so long?
Originally the management stuff was limited to the more expensive vPro and Xeon processors that targeted business environments (IIRC) to allow remote install of the OS and remote console and BIOS access, etc.
I’m surprised that Intel put it in processors for home and mobile use, due to the added cost for a feature they are unlikely to use or need. It’s a nontrivial addition - a separate CPU and a rather complex hidden second OS.
The ME is a complete computer CPU (processor), hidden inside the chip you think runs your computer. In fact the ME can run the computer even when it is "turned off" normally, as long as it's still plugged in or on battery power. It can communicate with the rest of the network (including the internet) without your knowledge or consent.
The following is taken from "Intel Management Engine" on Wikipedia:
The Management Engine is often confused with Intel AMT. AMT is based on the ME, but only available on processors with vPro. It enables owners remote administration of their computer, like turning it on or off and reinstalling the operating system. However, the ME itself is built into all Intel CPUs since 2008, not only those with AMT. While AMT can be unprovisioned by the owner, there is no official, documented way to disable the Management Engine (ME). Research by Youness Alaoui found that Intel delivers the processors to manufacturers with the Intel ME turned off and the ability to permanently set changes at a later date. Thus, the ME is always on unless it is not enabled at all by the OEM. Critics like the Electronic Frontier Foundation (EFF) and security expert Damien Zammit accuse the ME of being a backdoor and a privacy concern. As of 2017 Google was attempting to eliminate proprietary firmware from its servers and found that the ME was a hurdle to that. Zammit stresses that the ME has full access to memory (without the parent CPU having any knowledge); has full access to the TCP/IP stack and can send and receive network packets independent of the operating system, thus bypassing its firewall. Intel has responded by saying that "Intel does not put back doors in its products nor do our products give Intel control or access to computing systems without the explicit permission of the end user."
[[ I know a lot of you folks on the list also run Linux, or run your Windows as a VM]]
Nope! Dual boot :)
Thanks for the ping - Will read about this later - definitely ping us when Linux stuff arises too -
Thanks for Wikipedia ref on ME and AMT.
More from the article:
“As Intel has confirmed, the ME contains a switch to enable government authorities such as the NSA to make the ME go into High-Assurance Platform (HAP) mode after boot. This mode disables all of ME’s functions. It is authorized for use by government authorities only and is supposed to be available only in machines produced for them.”
Really? Why?
Ah, right! My brain is just waking up...
> Thanks for the ping - Will read about this later - definitely ping us when Linux stuff arises too -
Okay, will do!
> Really? Why?
Because goobermint agencies need REAL security so their activities are kept secret from anybody else. Don'tchaknow? "Government authorities" need to make sure the populace is unaware.
But you have no need to fear, Comrade Citizen. If you are doing nothing wrong, you are perfectly safe.
/tinfoilhat
Seriously, I imagine it's because high-security cleared machines aren't permitted to communicate over back channels.
According to an article in Hot Hardware, Aug 30, 2017:
A team of researchers from Positive Technologies have dug into the innards of Intel Management Engine (ME) 11 and have found a way to turn the feature off... So I guess that System76 is disabling the ME -after- it boots up the main CPU. Or something like that... One bit of warning is that you cannot completely turn this off. ME is part of the boot process and required for launching of the main processor.
Positive Technologies wrote, "The disappointing fact is that on modern computers, it is impossible to completely disable ME. This is primarily due to the fact that this technology is responsible for initialization, power management, and launch of the main processor. Another complication lies in the fact that some data is hard-coded inside the PCH chip functioning as the southbridge on modern motherboards."
Do the AMD cpus have the same “feature”?
Intel, The Bug Is With You
Ping.
According to Wikipedia:
Intel's main competitor AMD has incorporated the equivalent technology "Platform Security Processor" (PSP) in virtually all of its post-2013 CPUs. According to https://libreboot.org/faq.html#amd:
AMD Platform Security Processor (PSP): This is basically AMD's own version of the Intel Management Engine. It has all of the same basic security and freedom issues, although the implementation is wildly different.
Good idea, thanks. If I remember correctly, Intel-based Apple products don't activate the ME except to initialize the CPU.
But I'll leave it to Swordmaker to fill in the details.
It's been noted that the sticker that says "Intel Inside" is not a marketing slogan, but instead, a warning label.
My first guess is this is the backdoor the NSA and others use to sneak around.