Posted on 06/15/2016 7:43:51 PM PDT by Utilizer
The Intel Management Engine (ME) is a subsystem composed of a special 32-bit ARC microprocessor that's physically located inside the chipset. It is an extra general-purpose computer running a firmware blob that is sold as a management system for big enterprise deployments.
When you purchase your system with a mainboard and Intel x86 CPU, you are also buying this hardware add-on: an extra computer that controls the main CPU. This extra computer runs completely out of band from the main x86 CPU, meaning that it can function totally independently even when your main CPU is in a low-power state like S3 (suspend).
On some chipsets, the firmware running on the ME implements a system called Intel's Active Management Technology (AMT). This is entirely transparent to the operating system, which means that this extra computer can do its job regardless of which operating system is installed and running on the main CPU.
(Excerpt) Read more at en.zicos.com ...
If it had affected AMD, or Micron, or National Panasonic or Matsushita (but I repeat myself), Toshiba, Cypress Semiconductor, Intersil, Amidon, Xircom, Linear, Fairchild, Atmel, Thompson-Signetics, Harris, Pericom, Motorola, Texas Instruments, Celestica, Analog Devices, Uniden or Silicon Strategies...
I feel quite confident that there would have been at least a passing mention in the article referenced.
Apologies to all the companies I did not specifically name as I only did a swift listing of some of the ones I have enjoyed working with in the past.
Any noted (if necessary) Failure to Mention is entirely due to the faulty memory on this end, and not a reflection of your company’s helpfulness or general policies.
Cheers.
"Oh crap" is my middle name tonight -- I missed that it was your thread and so I apologize! If only there were a way to edit prior comments...
Indeed, this must have taken some detective work... KUDOS!!
I'm packin' it in for the night (almost 2AM) so I'll see ya on the rebound... Cheers!
Ah... “appreciated”, not “appreciate”, in that sentence...
Sorry. Typing and posting before proofreading again... :(
This is not the security problem you think it is.
It allows corporate network support to update software and monitor security leaks from inside corporate networks.
Intel, IBM, MS and probably Apple all use this feature to help manage internal networks.
It's called vPro.
The article is just scaremongering. Intel AMT has been in processors for a very long time and it is disabled by default.
Unless you have an enterprise PC with a BIOS that has it, go into your BIOS, specifically and deliberately turn it on (and it will ask you twice if you want to), and register it to a management server, you have nothing to worry about. Connections to AMT require encryption and that BOTH ends trust each other; if the AMT on your system isn’t registered, it trusts no one and nothing.
It’s intended for enterprise customers so that they can remotely manage their assets, not for home consumers.
Oh and if you really want to make sure it can’t be used against you, reset your CMOS.
At least that is what it is SUPPOSED to do.
Nutcase is correct. This is part of Intel’s vPro platform. They tried to sell my last company on it but HIPAA regulations got in the way. Seems they decided to just keep it in their architecture rather than redesign.
iLO and iDRAC are discrete subsystems with dedicated network and chipsets. You can leave the port on the chassis unplugged and it’s relatively harmless. It’s also configurable in the BIOS. vPro chipsets are built into the main die and can be called even if the BIOS has it turned off. That was the advantage with it when Intel first pimped it to businesses: users can’t turn it off and neither can the bad guys! Heh
But yes, you are correct that it’s relegated to the business platforms.
Exactly what it appears to be... NSA’s “back-door” since the hidden CPU acts as a TCP/IP server functioning even when the computer is in a sleep/power conservation mode. It’s encrypted, so somebody has the keys.
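Two claims in the comments above can be checked from a second machine: that a provisioned AMT answers on the network and demands mutual authentication before doing anything, and that it keeps listening while the host's OS is asleep. The script below is an added example, not code from this thread or from Intel. It probes AMT's plaintext web port (16992) and recognizes the reply by the Server header AMT returns; the port list is Intel's published set of AMT ports, the two sample replies are constructed here so the classification can be exercised offline, and the target address is a placeholder.

```python
"""Probe a host for an exposed Intel AMT web interface (added example, not from the thread)."""
import socket
from typing import Dict, Optional, Tuple

# Ports Intel AMT listens on once it is provisioned (from Intel's AMT documentation).
AMT_PORTS = {
    16992: "HTTP web UI / WS-Management",
    16993: "HTTPS web UI / WS-Management",
    16994: "SOL / IDE-R redirection",
    16995: "SOL / IDE-R redirection over TLS",
    623: "RMCP (ASF ping / discovery)",
    664: "RMCP secure",
}

# The AMT web server identifies itself in the HTTP Server header.
SERVER_MARKER = "Intel(R) Active Management Technology"


def parse_http_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP response into its status line and a lower-cased header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1", "replace").split("\r\n")
    status = lines[0] if lines else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_banner(raw: bytes) -> Dict[str, Optional[object]]:
    """Decide whether a reply came from AMT and which auth scheme it demands."""
    _, headers = parse_http_head(raw)
    server = headers.get("server", "")
    if SERVER_MARKER not in server:
        return {"amt": False, "version": None, "auth": None}
    # AMT appends its firmware version after the marker, e.g. "... Technology 9.0.1".
    version = server.split(SERVER_MARKER, 1)[1].strip() or None
    challenge = headers.get("www-authenticate", "")
    scheme = challenge.split(" ", 1)[0] if challenge else None
    return {"amt": True, "version": version, "auth": scheme}


def probe(host: str, port: int = 16992, timeout: float = 3.0) -> Optional[Dict[str, Optional[object]]]:
    """Send a minimal GET to host:port and classify the reply; None if nothing accepts the connection.

    Only the plaintext listener is handled here; 16993 would need an ssl-wrapped socket.
    """
    request = (
        f"GET /index.htm HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n"
    ).encode("ascii")
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while len(data) < 8192 and b"\r\n\r\n" not in data:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return classify_banner(data)


# Constructed sample replies for offline use: the shape of an AMT 401 challenge, and a non-AMT server.
SAMPLE_AMT_REPLY = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Intel(R) Active Management Technology 9.0.1\r\n"
    b'WWW-Authenticate: Digest realm="Digest:0123456789ABCDEF0123456789ABCDEF", '
    b'nonce="FEDCBA9876543210", qop="auth"\r\n'
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_OTHER_REPLY = b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(classify_banner(SAMPLE_AMT_REPLY))   # {'amt': True, 'version': '9.0.1', 'auth': 'Digest'}
    target = "192.0.2.10"  # placeholder address; replace with the host under test
    print(16992, AMT_PORTS[16992], probe(target))
```

Run it against a host from another machine, then suspend that host and run it again: if the AMT banner still comes back, the listener is the ME's, not the OS's. Per the comments above an unprovisioned AMT opens none of these ports, so a reply here means the machine is provisioned and reachable regardless of what the installed OS shows.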
My HP rep kept pushing the tech as well. We have to comply with HIPAA and PCI.
vPro may be designed for easy enterprise network management, but the possibility of abuse does exist.
Even though these chips may only be embedded on business network machines, it’s only a matter of time before personal computers are also compromised under the guise of “protecting your system from hackers and nasty viruses and identity theft”.
Sort of like the POTUS, SCOTUS, and Congress - works very well when honest men are in charge, but otherwise, not so much.
I don’t give the keys to my house or car to my boss, friends, neighbors, or strangers - just common sense.
Personal computers, laptops, and ‘smart’ cell phones hold the “keys” to one’s financial and ‘legal’ house (reputation and freedom).
Call me paranoid, but it’s a sign of the times.
We’re a PCI and SOX shop here, and we’ve had the Intel mgmt tools locked out on purpose. What our desktop team can’t do with SCCM, they can sneaker-net.
I too lean to the paranoid side but vPro is probably not something to worry too much about.
Most Intel processors do NOT have vPro even accessible.
Intel charges more for the feature so many vendors choose to save $$$ by not having it.
I worked for 25 years for Intel in microprocessor design.
Part of the feature is in the microprocessor, the other is in chipset.
Not using the correct chipset disables vPro completely.
Thanks for the info.
Small businesses and independent contractors have reason to be paranoid because of various laws like HIPAA, GLBA, FERPA, PCI, and SOX.
It only takes being subject to one of those laws to incur hefty fines and possible jail time for breaches of security.
Here are a couple of links about compliance that you might find interesting:
Regulatory Compliance
https://www.praetorian.com/regulatory-compliance
HIPAA, SOX & PCI: The Coming Compliance Crisis In IT Security
http://www.darkreading.com/compliance/hipaa-sox-and-pci-the-coming-compliance-crisis-in-it-security/d/d-id/1113516
Agreed.
All good things to monitor carefully.
The funny thing is the EU had much more stringent privacy laws and over the last year, they seem to be wanting to re-do them to an aggressive nanny state model.
I have one computer with vPro to understand its issues as it might make a nice tool to upgrade internal security info remotely.
I’m not going to implement it yet until I fully understand all the hooks.
Please take me off the PING list. Thanks.
> “I’m not going to implement it yet until I fully understand all the hooks.”
LOL - good idea. Good Luck.
If you discover anything useful, give me a shout (just curious).
Yeah, same we’re an SCCM shop.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.