posted by janrinok on Sunday January 04 2015, @06:26PM
from the you-might-have-paid,-but-it's-not-your-computer dept.

Over at Hacker News is a link to a discussion of how the Intel Management Engine (ME) prevents screenshots by bypassing the host CPU.

If you're on an Intel machine that you've purchased in the past 2-3 years, that computer almost certainly has an Intel Management Engine. You might not know what that is, and that's okay. You may also be unaware that the operating system on your computer could be leveraging features in the Intel Management Engine when consuming DRM Media.

This links to a blog posting on the Intel ME written in response to Rosyna Keller's Twitter posting about being unable to take screenshots from Netflix (the Rosyna of the article title).

The core of the technical detail is taken from Igor Skochinsky's presentation on the ME (PDF link). The article raises questions about the position of the ME in the system and the security implications of the ME subverting the host machine's hardware from outside the main processor:

Given that the ME sits in a position where it can configure the chipset and operate on the PCI bus, there are some serious security implications here I wish I could mitigate. Among them is the ability of the ME to run arbitrary code on the host CPU via option ROMs or presenting a disk-drive to boot from. Also among those abilities is the possibility to perform DMA to access host CPU memory. And another one is the ability to configure and use PCI devices present in the system (such as the ethernet card).
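The blog's list of ME capabilities above is about what the ME can do to the host; the first question a practitioner usually asks is whether the host can even see the ME. What follows is an added example, not code from the story, the linked blog post or Intel: a Python inventory check that recognises the ME's host interface (the MEI/HECI PCI function) in lspci -nn output and the corresponding mei/mei_me driver modules in lsmod output. The vendor, class and name heuristics and the sample command output are assumptions constructed for the example; run it with --live on a Linux machine to feed it the real tools.

```python
"""Host-side inventory check for the Intel ME's host interface (MEI/HECI).

Added example; not code from the story, the linked blog post or Intel.
Assumptions: the ME's host-facing PCI function is an Intel (vendor 8086)
device of class 0780 whose lspci name contains "MEI", "HECI" or
"Management Engine", and the Linux driver stack for it is the "mei" and
"mei_me" modules.  The sample lspci/lsmod output below is constructed so
the script runs offline; pass --live to use the real tools.
"""
import re
import subprocess
import sys
from typing import Dict, List

# Constructed sample of `lspci -nn` (one MEI function among ordinary devices).
SAMPLE_LSPCI = """\
00:00.0 Host bridge [0600]: Intel Corporation 4th Gen Core Processor DRAM Controller [8086:0c00] (rev 06)
00:14.0 USB controller [0c03]: Intel Corporation 8 Series/C220 Series Chipset Family USB xHCI [8086:8c31] (rev 05)
00:16.0 Communication controller [0780]: Intel Corporation 8 Series/C220 Series Chipset Family MEI Controller #1 [8086:8c3a] (rev 04)
00:19.0 Ethernet controller [0200]: Intel Corporation Ethernet Connection I217-LM [8086:153a] (rev 05)
"""

# Constructed sample of `lsmod`.
SAMPLE_LSMOD = """\
Module                  Size  Used by
mei_me                 36864  0
mei                   106496  1 mei_me
e1000e                245760  0
"""

# bdf  class-name [class-code]: description [vendor:device] (rev ..)
LSPCI_RE = re.compile(
    r"^(?P<bdf>\S+) (?P<cls>[^\[]+) \[(?P<clscode>[0-9a-f]{4})\]: "
    r"(?P<desc>.+?) \[(?P<vendor>[0-9a-f]{4}):(?P<device>[0-9a-f]{4})\]"
)
MEI_NAME_RE = re.compile(r"\b(MEI|HECI|Management Engine)\b")


def find_mei_devices(lspci_text: str) -> List[Dict[str, str]]:
    """Return the Intel PCI functions that look like the ME's host interface."""
    found = []
    for line in lspci_text.splitlines():
        m = LSPCI_RE.match(line)
        if not m or m.group("vendor") != "8086":
            continue
        # Class 0780 (other communication controller) or a tell-tale name.
        if m.group("clscode") == "0780" or MEI_NAME_RE.search(m.group("desc")):
            found.append({"bdf": m.group("bdf"), "device": m.group("device"),
                          "desc": m.group("desc")})
    return found


def find_mei_drivers(lsmod_text: str) -> List[str]:
    """Return loaded kernel modules from the mei driver stack (mei, mei_me, ...)."""
    names = []
    for line in lsmod_text.splitlines()[1:]:          # [0] is the header row
        parts = line.split()
        if parts and (parts[0] == "mei" or parts[0].startswith("mei_")):
            names.append(parts[0])
    return sorted(names)


def assess(lspci_text: str, lsmod_text: str) -> str:
    """Classify what the host OS can see.

    "visible":           the ME's host interface is enumerable.
    "hidden-or-absent":  no MEI function enumerated.  Caveat: firmware can hide
                         the HECI function while the ME keeps running in the
                         chipset, so this does NOT mean the ME is off.
    """
    return "visible" if find_mei_devices(lspci_text) else "hidden-or-absent"


def report(lspci_text: str, lsmod_text: str) -> str:
    """Human-readable summary of the two checks."""
    lines = [f"ME host interface: {assess(lspci_text, lsmod_text)}"]
    for dev in find_mei_devices(lspci_text):
        lines.append(f"  {dev['bdf']}  8086:{dev['device']}  {dev['desc']}")
    drivers = find_mei_drivers(lsmod_text)
    lines.append("mei driver modules loaded: " + (", ".join(drivers) if drivers else "none"))
    return "\n".join(lines)


def _run(argv: List[str]) -> str:
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    if "--live" in sys.argv:
        print(report(_run(["lspci", "-nn"]), _run(["lsmod"])))
    else:
        print(report(SAMPLE_LSPCI, SAMPLE_LSMOD))
```

Note the caveat built into assess(): hidden-or-absent only means the host OS cannot enumerate the HECI function. Firmware can hide that function, and unloading or blacklisting the driver on the host only blinds the OS; the ME itself keeps running in the chipset, which is exactly the point the comments below argue over.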

Related Stories

AMD Confirms its Platform Security Processor Code will Remain Closed-Source

Submitted via IRC for TheMightyBuzzard

Since the launch of AMD Ryzen, a small piece of hardware that handles basic memory initialization as well as many security functions has been the center of some controversy. Called the Platform Security Processor (the "PSP" for short) it is essentially an ARM core with complete access to the entire system. Its actions can be considered "above root" level and are for the most part invisible to the OS. It is similar in this regard to Intel's Management Engine, but is in some ways even more powerful.

Why is this a bad thing? Well, let's play a theoretical. What happens if a bug is discovered in the PSP, and malware takes control of it? How would you remove it? (Answer: you couldn't.) How would you know you needed to remove it? (Answer: unless it made itself obvious, you also wouldn't.) This scenario is obviously not a good one, and is a concern for many who asked AMD to open-source the PSP's code for general community auditing.

Bit late to the reporting but we haven't covered it yet, so here it is. And I was so looking forward to a new desktop too. Guess this one will have to stay alive until ARM becomes a viable replacement.

Source: https://www.techpowerup.com/235313/amd-confirms-its-platform-security-processor-code-will-remain-closed-source

Previous:
The Intel Management Engine, and How it Stops Screenshots
Intel x86 Considered Harmful
Of Intel's Hardware Rootkit
Intel Management Engine Partially Defeated
EFF: Intel's Management Engine is a Security Hazard
Malware uses Intel AMT feature to steal data, avoid firewalls



  • (Score: 2) by kaszz (4211) on Sunday January 04 2015, @06:42PM (#131630) Journal

    Have your own watchdog on the PCI-e bus?

    Whenever a bus access you disapprove of occurs, the card could assert the error flag or such..
    Added benefit is that you could use it to get screenshots by means as sinister as those Intel themselves use to defeat the user.

    • (Score: 0) by Anonymous Coward on Sunday January 04 2015, @06:46PM (#131633)

      PCI-e is a point-to-point interconnect. How exactly do you insert this in the path?

  • (Score: 1) by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Sunday January 04 2015, @07:05PM (#131641) Homepage Journal

    If not then my next CPU will be an AMD.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 0) by Anonymous Coward on Sunday January 04 2015, @09:29PM (#131673)

      AMD is doing the same thing, embedding an ARM core to provide the same functions.

    • (Score: 4, Informative) by tibman (134) Subscriber Badge on Monday January 05 2015, @02:34AM (#131730)

      AMD uses an open-standards equivalent to IME that is called DASH. Not many AMD motherboards have DASH at the moment. You can opt out of the feature like you would opt out of onboard video or onboard wireless.

      --
      SN won't survive on lurkers alone. Write comments.
    • (Score: 4, Informative) by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Monday January 05 2015, @04:51PM (#131890) Journal

      No they do not. As one poster mentioned there are a handful that utilize the FOSS DASH spec and there are a couple of APUs coming out for business that will have an ARM Cortex DRM they licensed from ARM a while back but those are 1.- Entirely optional, 2.- You have to go out of your way to buy chips and boards that support it, and 3.- This tech is not on, nor is it targeting, their mainstream offerings.

      As someone who has been building AMD exclusively for years I urge you to not believe the bullshit rigged benchmarks [youtube.com] but instead look at real world testing [youtube.com] which will show you a different picture. You can get the FX6300 for just $109 and if you keep an eye out I've been getting the FX8300 for around $120 and both of those chips are real monsters, they multitask like you would not believe. But anybody who's used AMD chips for a while can tell you this, hell my Phenom II X6 I have at home for gaming is nearly 6 years old yet blows through games like Shadows of Mordor and is a transcoding beast. Don't buy the "ZOMFG an AMD will blow through teh power!" bullshit either as a few tests with a Kill A Watt will show you it would take nearly 18 years just to break even [youtube.com] due to how much more you'd spend on an Intel of equal performance.

      Finally if you're the type that cares about FOSS support? AMD supports the Coreboot foundation, pays several developers who work on the FOSS drivers to help them reach parity quicker, and since buying ATI has been opening the specs as fast as their lawyers can sign off on the docs, with the only parts not being opened being the parts they do not own like Intel's HDCP. So if you want serious bang for the buck with FOSS friendly hardware that isn't loaded with DRM? Try AMD.

      Oh and anybody that wants a kick ass HTPC? Try pairing the new Socket AM1 duals and quads [newegg.com] with OpenELEC or Windows 8. It's the same core used on the new PS4 and XB-One and if you use OpenELEC you can build a nice media tank for less than $150 shipped, and that is for a quad! Oh and for those that hate Windows 8? Normally I agree 110% but the one place I've found Metro actually nice to use is as a 10 foot UI, those big tiles make it easy to use with a one handed remote. I've been using these chips for a while now and they're great, low power HTPCs, office boxes, hell I even slapped one in a large beige box full of drives for a client who is using it for a low power file and backup server. It works great and is low power enough it can just be shut in a closet and forgotten about, great little chips.

      --
      ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
  • (Score: 0) by Anonymous Coward on Sunday January 04 2015, @07:24PM (#131647)

    http://i.imgur.com/GxzeV.jpg [imgur.com]

    Pulled from the https://news.ycombinator.com/item?id=8833772 [ycombinator.com] forum.

    Really sums it all up.

  • (Score: 0) by Anonymous Coward on Sunday January 04 2015, @08:25PM (#131656)

    analog hole, bitches.

    • (Score: 2) by Bot (3902) on Sunday January 04 2015, @10:13PM (#131684) Journal

      That's why DRM needs to be integrated everywhere. This is the point of the whole exercise probably.
      The same system that produces propaganda masked as entertainment produces control masked as "rights management".

      --
      Account abandoned.
    • (Score: 0) by Anonymous Coward on Monday January 05 2015, @02:25AM (#131728)

      The government closed the analog hole for printing money. It's only a matter of time until the media companies start pushing for all cameras to include firmware that prevents a picture from being taken if it sees a specific watermark. It won't be an advertised feature.

    • (Score: 3, Interesting) by TheRaven (270) on Monday January 05 2015, @01:36PM (#131834) Journal

      The point of this is not DRM - it would be painfully slow for such tasks. It's being able to run trusted software on an untrusted OS. One user of it is an internet banking app, that allows you to enter your PIN in a way that is completely impossible for the OS (and therefore any malware running on the OS) to capture.
      --
      sudo mod me up
      • (Score: 3, Interesting) by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Monday January 05 2015, @05:17PM (#131897) Journal

        Considering there are already known exploits in the wild for this thing? That would probably be a very very BAD idea.

        --
        ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
  • (Score: 1) by anti-NAT (4232) on Sunday January 04 2015, @08:25PM (#131657)

    If you own or administer the machine, this is how I worked around this Linux kernel bug

    https://bugzilla.redhat.com/show_bug.cgi?id=917081 [redhat.com]

    I've switched it back on as I want the hardware watchdog functionality it provides.

    • (Score: 2) by arashi no garou (2796) on Sunday January 04 2015, @10:02PM (#131681)

      I've said in another article discussion that it can easily be turned off, but the tinfoil hat crowd here argues that it can't. I've disabled it myself on two different Intel Core systems under my watch. They can tell me all day long that I "didn't really" disable it, and all I can do is shake my head in bafflement. Morons will be morons.

      • (Score: 0) by Anonymous Coward on Sunday January 04 2015, @11:00PM (#131692)

        No it's a valid concern wondering if you can really disable it. As stated in the technical documents this CPU inside the main CPU is on a trust level above the main CPU, so turning it off in the BIOS might only just tell it 'okay let's not make ourselves visible to the CPU and the OS anymore yet still run'.
        What I find scary is that it is still ON even if the rest of the machine is off; to turn it off you have to completely remove power from the system for half a minute.

      • (Score: 3, Insightful) by Anonymous Coward on Monday January 05 2015, @01:31AM (#131721)

        In this case, those "morons" know more about it than you do. As noted, there are actually exploits [wikipedia.org] that work for it even when it is disabled in the BIOS.

        This is a separate processor that shares the bus with your Intel processor, and which you cannot directly control. Those work because there is actually no way to turn it off. It boots before your system comes up, and remains active even when your PC is in "sleep" mode. In addition, it has the ability to mediate your "normal" processor's view of its own memory, and it uses that capability to hide "protected" memory areas from your normal processor under certain situations. It is also capable of directly accessing your network card without your OS being aware of it - also even when your PC is supposedly in sleep mode. See Igor Skochinsky's presentation (PDF linked in the article) for more details.

        • (Score: 2) by arashi no garou (2796) on Monday January 05 2015, @02:16AM (#131727)

          I would say to that, "unplug power and Ethernet from your computer if you're that worried about it", but then I'd be slammed with theories about how it can pull trickle power from the aether and send out signals via the GSM modem that is somehow hidden on the die, antenna and all.

          A far simpler answer is "don't buy Intel", but there's probably also a tinfoil theory about AMD and ARM processors scanning our brain waves, trying to control our thoughts, just waiting to refute that option as well.

          • (Score: 2, Informative) by Anonymous Coward on Monday January 05 2015, @02:44AM (#131731)

            It can use wireless. There are 4 citations about it on Wikipedia: https://en.wikipedia.org/wiki/Intel_Active_Management_Technolog [wikipedia.org]

            It's a feature. The theory being you can remotely cut off or fix a compromised computer before the rootkit/virus loads. The undocumented feature being law enforcement or hackers could have the computer send/receive anything without detection from the host. Anytime for ethernet connections or only when on for wireless connections, both before the OS starts.

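Two comments above (the one describing the ME's direct access to the network card even while the host sleeps, and the one on AMT using wired or wireless links before the OS starts) point at the one check the host OS cannot perform on itself: whether the out-of-band management service is reachable from the network. What follows is an added example, not code from the story, the linked blog post or Intel: a Python probe, meant to be run from another machine on the LAN, that checks the AMT service ports and fingerprints the HTTP Server header. The port list, the banner text and the sample reply are assumptions constructed for the example; run it as python3 amt_probe.py <host> against a target, or with no argument for the offline demo.

```python
"""Network-side probe for an exposed Intel AMT management service.

Added example; not code from the story, the linked blog post or Intel.
Assumptions: AMT's web service listens on TCP 16992 (HTTP) and 16993
(HTTPS), the redirection service on 16994/16995, and the HTTP reply carries
a Server header naming "Intel(R) Active Management Technology" followed by
the firmware version.  Because that stack runs in the ME rather than the
host OS, the probe is meant to be run from ANOTHER host on the LAN.  The
sample reply below is constructed so the parsing can be exercised offline.
"""
import socket
import sys
from typing import Dict, Optional

AMT_PORTS = {
    16992: "AMT web/WS-Management (HTTP)",
    16993: "AMT web/WS-Management (HTTPS)",
    16994: "AMT redirection (SOL/IDE-R)",
    16995: "AMT redirection (TLS)",
}

# Constructed sample reply, in the shape an AMT web server uses for GET /.
SAMPLE_REPLY = (
    b"HTTP/1.1 303 See Other\r\n"
    b"Server: Intel(R) Active Management Technology 9.1.41\r\n"
    b"Location: /logon.htm\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def server_header(reply: bytes) -> Optional[str]:
    """Pull the Server header out of a raw HTTP response, or None."""
    head = reply.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:      # [0] is the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("ascii", "replace")
    return None


def amt_version(reply: bytes) -> Optional[str]:
    """Return the AMT firmware version if the reply is from AMT, else None."""
    server = server_header(reply)
    if server and "Active Management Technology" in server:
        return server.rsplit(" ", 1)[-1]
    return None


def fetch_headers(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Plain-HTTP GET / and return everything up to the end of the headers."""
    request = b"GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host.encode()
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf


def scan(host: str, timeout: float = 3.0) -> Dict[int, str]:
    """Check each AMT port; on 16992 also fingerprint the banner."""
    results = {}
    for port in AMT_PORTS:
        try:
            if port == 16992:
                version = amt_version(fetch_headers(host, port, timeout))
                results[port] = f"open, AMT {version}" if version else "open, not AMT"
            else:
                with socket.create_connection((host, port), timeout=timeout):
                    results[port] = "open"
        except OSError:                      # refused, unreachable or timed out
            results[port] = "closed/filtered"
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for port, state in scan(sys.argv[1]).items():
            print(f"{port:5d}  {AMT_PORTS[port]:32s} {state}")
    else:
        print("offline demo, constructed reply ->", amt_version(SAMPLE_REPLY))
```

A closed/filtered result from this probe is weak evidence only: AMT can be present but unprovisioned, the ME may have no link on the interface you are probing, and the probe says nothing about the ME's non-network capabilities. An open 16992 answering with the AMT banner, on the other hand, is a management interface reachable before and regardless of the OS, and an inventory should record it as such.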
          • (Score: 4, Informative) by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Monday January 05 2015, @03:52AM (#131746) Homepage

            Most ARM chips you'll encounter in consumer electronics will have TrustZone(tm) which does effectively the same thing. It can prevent access to areas of RAM, and even prevent writing to on-board peripherals. It may even lie to the CPU, letting it think that it's successfully doing a write, even when it's being blocked.
            --
            I know I'm God, because every time I pray to him, I find I'm talking to myself.
        • (Score: 2) by kaszz (4211) on Monday January 05 2015, @06:05AM (#131774) Journal

          Locate the part of the chip die responsible and fry it by physical means?

          • (Score: 1) by boltronics (580) on Tuesday January 06 2015, @02:00AM (#132064) Homepage

            That's one option. If you don't want the machine to ever boot again.

            --
            It's GNU/Linux dammit!
            • (Score: 2) by kaszz (4211) on Tuesday January 06 2015, @02:18AM (#132074) Journal

              The fine print is to find the exact right spot to burn with a laser etc..

              • (Score: 2, Insightful) by boltronics (580) on Tuesday January 06 2015, @02:39AM (#132079) Homepage

                My understanding is that it's a prerequisite for the machine to even boot. So if that chip doesn't initialize, the CPU won't do anything.

                The code is encrypted by RSA 2048 IIRC, which is why it's so difficult to reverse engineer. If you could just wipe it (presumably effectively the same as damaging the chip) and avoid the danger, I'm sure hackers would be doing that already.

                --
                It's GNU/Linux dammit!
                • (Score: 2) by kaszz (4211) on Tuesday January 06 2015, @02:50AM (#132083) Journal

                  Any idea how to screw this kind of chip?

                  • (Score: 1) by boltronics (580) on Tuesday January 06 2015, @03:01AM (#132088) Homepage

                    Without Intel's help, you'd have to crack the encryption and reverse-engineer how it works so the software can be replaced. I think I read somewhere that we have the ability to replace the code if we learn how to build a replacement.

                    --
                    It's GNU/Linux dammit!
                    • (Score: 2) by kaszz (4211) on Tuesday January 06 2015, @03:10AM (#132091) Journal

                      "if we learn how to build a replacement"

                      Why is that step required?

                      • (Score: 1) by boltronics (580) on Tuesday January 06 2015, @03:42AM (#132101) Homepage

                        Presumably we don't have specifications? Which is why we need either Intel's help or the ability to reverse-engineer the existing binary to figure it out.

                        Happy for someone working on this to correct me if I'm misunderstanding the situation.

                        --
                        It's GNU/Linux dammit!
      • (Score: 0) by Anonymous Coward on Monday January 05 2015, @05:12AM (#131767)

        Adding it is step one.

        Not letting you turn it off is step two.

        And we all know step 3.
        • (Score: 0) by Anonymous Coward on Monday January 05 2015, @08:52AM (#131800)

          No. Actually, we don't know step 3.

          But step 4 is Profit!

      • (Score: 1) by modest (3494) on Monday January 05 2015, @06:49PM (#131929)

        Those freedom-loving hackers with the libreboot [libreboot.org] project are working hard to fix things for anyone concerned.

    • (Score: 2) by Open4D (371) Subscriber Badge on Monday January 05 2015, @03:51PM (#131875) Journal

      Thanks, it's good to know it can be disabled.

      But it still seems like unacceptable behaviour has happened somewhere along the line. Is Intel in the wrong, for making an "out-of-band management" system that can also be used for DRM, and not properly informing consumers about the treacherous component they're being sold?

      If there was an end-user level explanation of all this, how to disable it, the side-effects of doing so, and a guarantee that disabling it would always be possible in the future without any loss of functionality (such as the ability to use Netflix at all), then I might be okay with it. But there doesn't seem to be any of that.

      And I have to add this to Secure Boot [soylentnews.org] as something that I might have to learn about properly in order to defend my rights. I've got better things to spend my time on - but not much choice, it seems.

  • (Score: 2) by francois.barbier (651) on Sunday January 04 2015, @08:49PM (#131662)

    Does it also deny screenshots with a compositing window manager [wikipedia.org]?

  • (Score: 3, Interesting) by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Sunday January 04 2015, @09:09PM (#131668) Homepage

    DRM = Direct Rendering Management - basically framebuffery stuff for modern graphics cards
    DRM = broken by design

    The two are completely unrelated concepts. In "drivers/gpu/drm/i915/intel_display.c", for example, the "drm" is the former, not the latter.
    --
    I know I'm God, because every time I pray to him, I find I'm talking to myself.
  • (Score: 2) by doublerot13 (4497) on Sunday January 04 2015, @09:16PM (#131672)

    Vote with your dollars! If you are shopping for a new CPU have a good look at Intel's very helpful ark site.

    http://ark.intel.com/ [intel.com]

    • (Score: 2) by tempest (3050) on Monday January 05 2015, @02:12PM (#131845)

      What does Intel call it on their site? None of their processors have this feature listed as far as I could see clicking on random CPU specs.

  • (Score: 0) by Anonymous Coward on Sunday January 04 2015, @11:26PM (#131699)

    No user asked Intel for this and no user ever would. Hollywood and their equally nefarious MPAA purchased legislation to enforce it. The best way to protest this type of nonsense is to exploit it. Develop an attack and publish it for all to see. Then let Intel explain why everyone's computer is fucked. Turn the tables.

  • (Score: 0) by Anonymous Coward on Monday January 05 2015, @02:32AM (#131729)

    This breaks fair use. It's not illegal to take screenshots or short clips of media.

    • (Score: 2) by kaszz (4211) on Monday January 05 2015, @06:08AM (#131776) Journal

      It doesn't matter for people that will do what they like regardless of the law. For them constitution is toilet paper and the rest is there to be tricked.

    • (Score: 1, Informative) by Anonymous Coward on Monday January 05 2015, @02:46PM (#131850)

      "Fair use" isn't a right, it's a legal defence.

  • (Score: 0) by Anonymous Coward on Monday January 05 2015, @06:42AM (#131779)

    Intel apparently uses an ARC processor for this, AMD uses ARM. Is this part of Cory Doctorow's The coming war on General Purpose Computing [boingboing.net]? Look through the Linux source tree for "trusted", you'll find lots of cryptic code, no comments anywhere. A Linux user should be able to control what code runs on the box they own. For MS users, too bad, yer SOL. This is why I'm upgrading, not replacing, my 4yo system.
  • (Score: 0) by Anonymous Coward on Monday January 05 2015, @09:29AM (#131802)

    Also can upload contents of your RAM and give remote access Vic, OS agnostic.
    Called vPro and VT

    • (Score: 1, Insightful) by Anonymous Coward on Monday January 05 2015, @09:36AM (#131804)

      Vnc.

      America is a feminist police state. This is used to find and destroy men who think wrongly.

  • (Score: 0) by Anonymous Coward on Monday January 05 2015, @02:25PM (#131846)

    the end game always ends up like this; there is no point in acting surprised about this. The 'democracy' system is approaching the 'bottom of the barrel' of its life cycle. It is just an unfortunate stroke of luck for you guys (and me) that we were born at this time, rather than a different point in the cycle.

    Plato observed these patterns over a thousand years ago [wikipedia.org].

    I'm curious to know about the possibility of manufacturing all the components of a 100% free general purpose computer using global startup campaigns and the pooling of funds from userland.

    Moving forward into the future, my advice to anybody with logical ability and desire for higher consciousness is to take a vigilante stance and devote a bigger chunk of your time in learning how to cause chaos, destroy, rearrange, modify, hack, crack, reverse engineer and p0wn computing and signals systems. The same advice applies to students of Electrical Engineering and Electronics.

    God cannot exist without knowledge of the Devil.

    • (Score: 2) by Open4D (371) Subscriber Badge on Monday January 05 2015, @04:22PM (#131886) Journal

      I'm curious to know about the possibility of manufacturing all the components of a 100% free general purpose computer using global startup campaigns and the pooling of funds from userland.

      Perhaps this is the kind of thing you're hoping for ... Librem Freedom-Oriented Notebook Near Halfway to Crowd Funding Goal [soylentnews.org]

      • (Score: 0) by Anonymous Coward on Monday January 05 2015, @04:59PM (#131893)

        That Librem notebook project looks like a half-decent poke in this direction given the/their limitations.

        What I would like to have is a Desktop PC (Tower Case, ATX Motherboard, Chipset, CPU, RAM, Video Card, Sound Card, Network Card, Drivers, etc) which I can build myself whose components are all 100% Free (as in GNU philosophy) and 100% user-controllable.......what is the chance of ever seeing this?

  • (Score: 1) by art guerrilla (3082) on Monday January 05 2015, @06:23PM (#131919)

    ...but the annoyance is real
    using Ctrl-C/Ctrl-V to cut/paste screen shots of 'stuff' has been a lifesaver MANY, MANY times in my work...

    not to mention, WHY do mappers NOT want you to use their maps any more ? ? ? (meaning: WHY do mappers want me to USE THEIR method of using maps instead of what works for me?) in my line of work, need little map snippets ALL THE TIME; i don't even care if it has their watermark, name emblazoned, whatever... i just want an IMMEDIATE method of cutting/pasting the map snippets i need, and Ctrl-C/Ctrl-V worked fine until they decided to get all snippy about it... i don't want to use your stupid site, your stupid tools, your stupid ads, etc, etc, etc; just let me cut/paste your stupid map WITH your stupid name on it, and i'll be happy...