SoylentNews is people
SoylentNews
from the One-ring-to-bring-them-all-and-in-the-darkness-bind-them... dept.
From Damien Zammit, we have this fun little tidbit:
Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they'll expose all affected systems to nearly un-killable, undetectable rootkit attacks. I've made it my mission to open up this system and make free, open replacements, before it's too late.
The Intel Management Engine (ME) is a subsystem composed of a special 32-bit ARC microprocessor that's physically located inside the chipset. It is an extra general purpose computer running a firmware blob that is sold as a management system for big enterprise deployments.
When you purchase your system with a mainboard and Intel x86 CPU, you are also buying this hardware add-on: an extra computer that controls the main CPU. This extra computer runs completely out-of-band with the main x86 CPU meaning that it can function totally independently even when your main CPU is in a low power state like S3 (suspend).
On some chipsets, the firmware running on the ME implements a system called Intel's Active Management Technology (AMT). This is entirely transparent to the operating system, which means that this extra computer can do its job regardless of which operating system is installed and running on the main CPU.
The purpose of AMT is to provide a way to manage computers remotely (this is similar to an older system called "Intelligent Platform Management Interface" or IPMI, but more powerful). To achieve this task, the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system.
Yeah, and I'm sure they pinky-swear never to allow the NSA access to any computer via it. I'll be using AMD from now on, slower or not, thanks.
(Score: 1) by cpghost on Monday June 20 2016, @07:25PM
Very insightful comments here... one can see that you do have a sense of what security is all about.
Just to add one thing: suppose you have to deploy Intel-based hardware in a security-sensitive environment. It doesn't matter what kind of environment it is (governmental, R&D, healthcare, utilities, ...), all kinds of remote management to the hardware must be cut off. Currently, with wireless capabilities of the chips, you need to implement TEMPEST-level isolation just to be somewhat safe. Even if you put your sensitive hardware deep inside your premises, radio waves travel far, and can be inadvertently relayed by repeaters, so be careful.
The best way to prevent all those kinds of headaches is to really avoid cutting-edge x86 architecture altogether, and stick to either older x86 hardware, non-x86 hardware, or go with newer ARM cores that you have (had) audited yourself. And don't forget non-CPU hardware too that may have been especially TAO-ed for you by NSA & Co.
Cordula's Web. http://www.cordula.ws/
(Score: 0) by Anonymous Coward on Thursday June 23 2016, @08:34AM
Why does no one execute the people that put in these backdoors?
Do they not deserve to be killed?