Slash Boxes

SoylentNews is people

posted by janrinok on Wednesday December 06 2017, @06:49PM   Printer-friendly
from the what-people-want dept.

Submitted via IRC for TheMightyBuzzard

Linux computer vendor System76 announced this week that it will roll out a firmware update to disable Intel Management Engine on laptops sold in the past few years. Purism will also disable Intel Management Engine on computers it sells moving forward. Those two computer companies are pretty small players in the multi-billion dollar PC industry. …

... Intel's Management Engine is a hardware and software system designed to provide some remote management features. But it's come under criticism from privacy advocates, security researchers, and the free and open source software community.

That's because Intel Management Engine is basically a mystery. It's software that runs independently of a computer's operating system, which means that even if you wipe the OS, the Management Engine is still there. And there's no good way to know what it's doing.

The risks aren't just theoretical – Intel recently acknowledged a security vulnerability affecting nearly every PC that shipped with a 6th, 7th, or 8th-gen Intel Core processor. While the company is working with PC makers to roll out updates to patch that vulnerability, it wouldn't even exist if Intel hadn't bundled a feature many users don't need and won't use with its latest chips.

System76 are making a similar move:

System76 is one a handful of companies that sells computers that run Linux software out of the box. But like most PCs that have shipped with Intel’s Core processors in the past few years, System76 laptops include Intel’s Management Engine firmware. Intel recently confirmed a major security vulnerability affecting those chips and it’s working with …



Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by sjames on Thursday December 07 2017, @01:23AM (2 children)

    by sjames (2882) on Thursday December 07 2017, @01:23AM (#606519) Journal

    That is, as far as we know, needed to modify the firmware without having the signing key. If you have the signing key, you can just flash the BIOS to load the signed image on boot. Presumably, you can load the already signed official firmware with the known security flaws without having the signing key.

    For all we know, the signing key has already leaked. Considering how tight lipped Intel has been, I doubt they'd tell us about such a leak even if they knew.

    Meanwhile, didn't Intel claim the chipset couldn't boot with the ME disabled at one time?

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 2) by The Mighty Buzzard on Thursday December 07 2017, @01:59AM (1 child)

    They're not entirely disabling it or it wouldn't boot at all. They're likely combining both approaches used so far. Setting the CIA's "fuck you, Intel" bit and disabling or removing all the modules that would activate after the ones to allow the system to simply boot are run.

    "Buzzy, you're probably the dumbest person I've ever encountered. Well, there is aristarchus, so make it 2nd dumbest."
    • (Score: 2) by sjames on Thursday December 07 2017, @03:08AM

      by sjames (2882) on Thursday December 07 2017, @03:08AM (#606594) Journal

      That sounds like a somewhat fragile disabling. I wouldn't bet on it being that hard to turn back on.