Slash Boxes

SoylentNews is people

posted by martyb on Monday June 20 2016, @10:12AM   Printer-friendly
from the One-ring-to-bring-them-all-and-in-the-darkness-bind-them... dept.

From Damien Zammit, we have this fun little tidbit:

Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they'll expose all affected systems to nearly un-killable, undetectable rootkit attacks. I've made it my mission to open up this system and make free, open replacements, before it's too late.

The Intel Management Engine (ME) is a subsystem composed of a special 32-bit ARC microprocessor that's physically located inside the chipset. It is an extra general purpose computer running a firmware blob that is sold as a management system for big enterprise deployments.

When you purchase your system with a mainboard and Intel x86 CPU, you are also buying this hardware add-on: an extra computer that controls the main CPU. This extra computer runs completely out-of-band with the main x86 CPU meaning that it can function totally independently even when your main CPU is in a low power state like S3 (suspend).

On some chipsets, the firmware running on the ME implements a system called Intel's Active Management Technology (AMT). This is entirely transparent to the operating system, which means that this extra computer can do its job regardless of which operating system is installed and running on the main CPU.

The purpose of AMT is to provide a way to manage computers remotely (this is similar to an older system called "Intelligent Platform Management Interface" or IPMI, but more powerful). To achieve this task, the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system.

Yeah, and I'm sure they pinky-swear never to allow the NSA access to any computer via it. I'll be using AMD from now on, slower or not, thanks.

Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Monday June 20 2016, @10:48AM

    by Anonymous Coward on Monday June 20 2016, @10:48AM (#362815)

    I get why people are surprised by this, but I think these features are cool.

    Hell, every server I look after has the same features. I wouldn't buy servers without drac/ilo.

    All this news has made me want to look into this more. Maybe my work pc has this. If it does, it's not enabled. No mysterious ip addresses on the same vlan.

    And speaking of vlans, you can set amt to use vlan tagging for its traffic. If you wanted you could just set this to a random vlan and forget it.

    I'm probably going to turn this on if its there, and shove it on a vlan without public IPv6, and see what's possible.

  • (Score: 5, Insightful) by pTamok on Monday June 20 2016, @11:04AM

    by pTamok (3042) on Monday June 20 2016, @11:04AM (#362819)

    Remote management is great, useful, and cool. When YOU control it.

    If you can't load modified firmware onto the hardware (you are locked out), but somebody else can (anyone with the supplier's signing key, or any other signing key that may or may not be in the hardware), how much control do you actually have?

    • (Score: 0) by Anonymous Coward on Tuesday June 21 2016, @02:00AM

      by Anonymous Coward on Tuesday June 21 2016, @02:00AM (#363122)

      Who says the end user doesn't control it? You? Some dumb fuck who read shit and is now spreading FUD?

      Some douche read well known, public info on wikipedia, started posting about it to tech news web sites. And all of you idiots reacted and now claim the sky is falling.

      Just because it's there doesn't mean the government already controls your computer. Hell, if you have it, and you have not locked it down, then you actually deserve to have your machine compromised. Like all those fucking retards who turned IPMI on, left it exposed to the internet, with a default password.

      Honestly, this would be a problem if it was hidden, but the technical details are in plain view for anyone.

      And like I said above, you can probably configure AMT onto a separate VLAN, which doesn't go anywhere, and the problem would most likely be solved.

      • (Score: 0) by Anonymous Coward on Tuesday June 21 2016, @09:41AM

        by Anonymous Coward on Tuesday June 21 2016, @09:41AM (#363221)

        Now whose the dumb fuck spreading nonsense?

        Tell us how to turn it off then, this should be fun...

  • (Score: 5, Insightful) by DannyB on Monday June 20 2016, @01:48PM

    by DannyB (5839) Subscriber Badge on Monday June 20 2016, @01:48PM (#362876) Journal

    It's like the government mandating that security cameras be installed into every private home.

    But then some people come along and say it's not a big deal. In fact, it's very handy, because the government graciously allows the home owner to also make remote use of the cameras to look inside their own home.

    A large Starlink satellite constellation will be a smashing success!
    • (Score: 1, Insightful) by Anonymous Coward on Monday June 20 2016, @04:07PM

      by Anonymous Coward on Monday June 20 2016, @04:07PM (#362945)

      There are security cameras in every private home, and every private pocket. You paid for your phone yourself and the government didn't even have to mandate anything.

      • (Score: 3, Interesting) by DannyB on Monday June 20 2016, @04:26PM

        by DannyB (5839) Subscriber Badge on Monday June 20 2016, @04:26PM (#362954) Journal

        You're right. And something else about that occurred to me in the last few weeks.

        You once could remove the batteries from your phone. Not anymore.

        Gee, I wonder why?

        A large Starlink satellite constellation will be a smashing success!
        • (Score: 3, Interesting) by bob_super on Monday June 20 2016, @05:27PM

          by bob_super (1357) on Monday June 20 2016, @05:27PM (#362975)

          You're not paranoid enough: We're now allowed to use cell phones in airplanes... soon there won't be an "Airplane mode" way to allegedly disconnect from the world.
          And your phone "always listening" is touted as a feature (because a push-to-talk button was obviously too expensive).

          Sweet dreams, in your Faraday cage.

          • (Score: 0) by Anonymous Coward on Monday June 20 2016, @06:38PM

            by Anonymous Coward on Monday June 20 2016, @06:38PM (#362996)

            Note: airplane mode still allows one to make emergency calls, so it's not actually disabling the cell connection.

        • (Score: 2) by linuxrocks123 on Monday June 20 2016, @05:34PM

          by linuxrocks123 (2557) on Monday June 20 2016, @05:34PM (#362978) Journal

          You can't remove the batteries from some phones because a recent fad is phones being as thin as possible, and the standard battery-phone interface was making that more difficult.

          I can still remove the battery from my phone. I also have A PHYSICAL KEYBOARD! WHY WOULD ANYONE WANT A SUPER-POWERFUL COMMUNICATION-ORIENTED COMPUTER WITHOUT A DAMN KEYBOARD? I also have an SD card slot! YAY! My phone also has quadband GSM, and I think every UMTS/HSPA band there is, too, but I'm not sure. It's got a hell of a lot of them anyway.

          It has Android 2.3, which isn't ideal, but, well, at least it was rootable. The phone was manufactured 2012-2013 -- they just used a then-ancient Android build for some reason. It's not a popular phone so the only upgrade path was random uploads to XDA Developers, and I decided not to risk it. Everything I use works with Android 2.3, and some things -- Google Maps Navigation in particular -- actually work better with Android 2.3. Knock on wood things keep working.

          The biggest pain is no LTE, which is a bigger pain for me than most because they added LTE but not 3G where I live, so I'm stuck with EDGE. But I mostly need lots of data when traveling anyway, so not a big deal. EDGE works fine for navigation. Battery, well, it usually lasts the whole day but heavy use even for 30 minutes can change that. I haven't replaced the battery and have had it for 3 years now, so maybe I should do that soon.

          It's a Huawei U8730. It's also called the T-Mobile myTouch Q 2, note the 2, but there's another phone with almost exactly the same branded name, so, if you want it, look for Huawei U8730. I bought it for a little over $100 in 2013; it's $40 or less now on eBay. If mine breaks, I may very well get another one.