Over at Hacker News there is a link to a discussion of how the Intel Management Engine (ME) prevents screenshots by bypassing the host CPU.
If you're on an Intel machine that you've purchased in the past 2-3 years, that computer almost certainly has an Intel Management Engine. You might not know what that is, and that's okay. You may also be unaware that the operating system on your computer could be leveraging features in the Intel Management Engine when consuming DRM Media.
This links to a blog posting on the Intel ME written in response to Rosyna Keller's Twitter posting about being unable to take screenshots from Netflix (the Rosyna of the article title).
The core of the technical detail is taken from Igor Skochinsky's presentation on the ME (PDF link). The article raises questions about the position of the ME in the system and the security implications of the ME subverting the host machine's hardware outside the main processor:
Given that the ME sits in a position where it can configure the chipset and operate on the PCI bus, there are some serious security implications here I wish I could mitigate. Among them is the ability of the ME to run arbitrary code on the host CPU via option ROMs or presenting a disk-drive to boot from. Also among those abilities is the possibility to perform DMA to access host CPU memory. And another one is the ability to configure and use PCI devices present in the system (such as the ethernet card).
(Score: 2) by kaszz on Sunday January 04 2015, @06:42PM
Have your own watchdog on the PCI-e bus?
Whenever a bus access you disapprove of occurs the card could assert the error flag or such..
An added benefit is that you could use it to get screenshots by means as sinister as those Intel themselves use to defeat the user.
(Score: 0) by Anonymous Coward on Sunday January 04 2015, @06:46PM
PCI-e is a point-to-point interconnect. How exactly do you insert this in the path?
(Score: 1) by MichaelDavidCrawford on Sunday January 04 2015, @07:05PM
If not, then my next CPU will be an AMD.
Yes I Have No Bananas. [gofundme.com]
(Score: 0) by Anonymous Coward on Sunday January 04 2015, @09:29PM
AMD is doing the same thing, embedding an ARM core to provide the same functions.
(Score: 4, Informative) by tibman on Monday January 05 2015, @02:34AM
AMD uses an open-standards equivalent to IME called DASH. Not many AMD motherboards have DASH at the moment. You can opt out of the feature like you would opt out of onboard video or onboard wireless.
SN won't survive on lurkers alone. Write comments.
(Score: 4, Informative) by Hairyfeet on Monday January 05 2015, @04:51PM
No they do not. As one poster mentioned there are a handful that utilize the FOSS DASH spec and there are a couple of APUs coming out for business that will have an ARM Cortex DRM they licensed from ARM a while back, but those are 1. entirely optional, 2. you have to go out of your way to buy chips and boards that support it, and 3. this tech is not on, nor is it targeting, their mainstream offerings.
As someone who has been building AMD exclusively for years I urge you to not believe the bullshit rigged benchmarks [youtube.com] but instead look at real world testing [youtube.com] which will show you a different picture. You can get the FX6300 for just $109 and if you keep an eye out I've been getting the FX8300 for around $120 and both of those chips are real monsters, they multitask like you would not believe. But anybody who's used AMD chips for a while can tell you this, hell my Phenom II X6 I have at home for gaming is nearly 6 years old yet blows through games like Shadows of Mordor and is a transcoding beast. Don't buy the "ZOMFG an AMD will blow through teh power!" bullshit either as a few tests with a Kill A Watt will show you it would take nearly 18 years just to break even [youtube.com] due to how much more you'd spend on an Intel of equal performance.
Finally if you're the type that cares about FOSS support? AMD supports the Coreboot foundation, pays several developers who work on the FOSS drivers to help them reach parity quicker, and since buying ATI has been opening the specs as fast as their lawyers can sign off on the docs, with the only parts not being opened the parts they do not own like Intel's HDCP. So if you want serious bang for the buck with FOSS friendly hardware that isn't loaded with DRM? Try AMD.
Oh and anybody that wants a kick ass HTPC? Try pairing the new Socket AM1 duals and quads [newegg.com] with OpenELEC or Windows 8. It's the same core used on the new PS4 and XB-One and if you use OpenELEC you can build a nice media tank for less than $150 shipped, and that is for a quad! Oh and for those that hate Windows 8? Normally I agree 110% but the one place I've found Metro actually nice to use is as a 10 foot UI, those big tiles make it easy to use with a one handed remote. I've been using these chips for a while now and they're great, low power HTPCs, office boxes, hell I even slapped one in a large beige box full of drives for a client who is using it for a low power file and backup server. It works great and is low power enough it can just be shut in a closet and forgotten about, great little chips.
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 0) by Anonymous Coward on Sunday January 04 2015, @07:24PM
http://i.imgur.com/GxzeV.jpg [imgur.com]
Pulled from the https://news.ycombinator.com/item?id=8833772 [ycombinator.com] forum.
Really sums it all up.
(Score: 2) by kaszz on Monday January 05 2015, @05:56AM
Short version Xkcd 448 - Copy it! [xkcd.com] ;-)
But I like the punish paying users [imgur.com] explanation. :D
Good links!
(Score: 3, Interesting) by WizardFusion on Monday January 05 2015, @11:00AM
"DRM manages access, in the same way a jail manages freedom"
(Score: 0) by Anonymous Coward on Sunday January 04 2015, @08:25PM
analog hole, bitches.
(Score: 2) by Bot on Sunday January 04 2015, @10:13PM
That's why DRM needs to be integrated everywhere. This is the point of the whole exercise probably.
The same system that produces propaganda masked as entertainment produces control masked as "rights management".
Account abandoned.
(Score: 0) by Anonymous Coward on Monday January 05 2015, @02:25AM
The government closed the analog hole for printing money. It's only a matter of time until the media companies start pushing for all cameras to include firmware that prevents a picture from being taken if it sees a specific watermark. It won't be an advertised feature.
(Score: 3, Interesting) by TheRaven on Monday January 05 2015, @01:36PM
sudo mod me up
(Score: 3, Interesting) by Hairyfeet on Monday January 05 2015, @05:17PM
Considering there are already known exploits in the wild for this thing? That would probably be a very very BAD idea.
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 1) by anti-NAT on Sunday January 04 2015, @08:25PM
If you own or administer the machine. This is how I worked around this Linux kernel bug
https://bugzilla.redhat.com/show_bug.cgi?id=917081 [redhat.com]
I've switched it back on as I want the hardware watchdog functionality it provides.
(Score: 2) by arashi no garou on Sunday January 04 2015, @10:02PM
I've said in another article discussion that it can easily be turned off, but the tinfoil hat crowd here argues that it can't. I've disabled it myself on two different Intel Core systems under my watch. They can tell me all day long that I "didn't really" disable it, and all I can do is shake my head in bafflement. Morons will be morons.
(Score: 0) by Anonymous Coward on Sunday January 04 2015, @11:00PM
No, it's a valid concern wondering if you can really disable it. As stated in the technical documents this CPU inside the main CPU is on a trust level above the main CPU, so turning it off in the BIOS might only just tell it 'okay, let's not make ourselves visible to the CPU and the OS anymore, yet still run'.
What I find scary is that it is still ON even if the rest of the machine is off; to turn it off you have to completely remove power from the system for half a minute.
(Score: 3, Insightful) by Anonymous Coward on Monday January 05 2015, @01:31AM
In this case, those "morons" know more about it than you do. As noted, there are actually exploits [wikipedia.org] that work for it even when it is disabled in the BIOS.
This is a separate processor that shares the bus with your Intel processor, and which you cannot directly control. Those work because there is actually no way to turn it off. It boots before your system comes up, and remains active even when your PC is in "sleep" mode. In addition, it has the ability to mediate your "normal" processor's view of its own memory, and it uses that capability to hide "protected" memory areas from your normal processor under certain situations. It is also capable of directly accessing your network card without your OS being aware of it - also even when your PC is supposedly in sleep mode. See Igor Skochinsky's presentation (PDF linked in the article) for more details.
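The capabilities the summary quotes and the comment above describes (a PCI-side DMA master, a host driver bound to it, activity independent of the OS) have a small set of host-side checks a defender can run; the script below is an added example, not code from the thread, the linked blog or Intel. The lspci/lsmod/dmesg sample lines are constructed, the device id in them is illustrative, and the kernel-log string it matches is assumed from the Linux intel-iommu driver's messages.

```python
"""Audit a Linux host's exposure to the Intel ME from the defender's side (added example).

Takes lspci -nn, lsmod and kernel-log text (live when the tools run, else the constructed
samples below) and reports the MEI/HECI PCI function the host uses to talk to the ME, the
mei driver modules bound to it, and whether VT-d (IOMMU/DMAR) is active, the one host-side
control that bounds the DMA access to host memory described above.
"""
import re
import subprocess
# Constructed sample output, not captured from a real machine; 8086 is Intel's PCI vendor id.
SAMPLE_LSPCI = """\
00:00.0 Host bridge [0600]: Intel Corporation Device [8086:0c00] (rev 06)
00:16.0 Communication controller [0780]: Intel Corporation 8 Series/C220 Series Chipset Family MEI Controller #1 [8086:8c3a] (rev 04)
"""
SAMPLE_LSMOD = """\
Module                  Size  Used by
mei_wdt                16384  0
mei_me                 40960  1
mei                   110592  3 mei_wdt,mei_me
e1000e                245760  0
"""
SAMPLE_DMESG = """\
[    0.234567] DMAR: Intel(R) Virtualization Technology for Directed I/O
"""
# lspci -nn names the ME's host interface "MEI" (older chipsets: "HECI").
MEI_RE = re.compile(r"^(\S+)\s.*\b(?:MEI|HECI)\b.*\[(8086:[0-9a-f]{4})\]", re.M)

def find_mei_devices(lspci_text):
    """(bus address, vendor:device) for every MEI/HECI PCI function in lspci -nn output."""
    return [(m.group(1), m.group(2)) for m in MEI_RE.finditer(lspci_text)]

def loaded_mei_modules(lsmod_text):
    """Loaded kernel modules of the mei family: mei, mei_me, and mei_wdt (the watchdog)."""
    return sorted(line.split()[0] for line in lsmod_text.splitlines()[1:]
                  if line.startswith("mei"))

def iommu_active(dmesg_text):
    """True once the kernel's intel-iommu driver has logged its VT-d success message (assumed string)."""
    return "Virtualization Technology for Directed I/O" in dmesg_text

def assess(lspci_text, lsmod_text, dmesg_text):
    """Combine the three views into findings a practitioner can act on."""
    devices, modules = find_mei_devices(lspci_text), loaded_mei_modules(lsmod_text)
    iommu = iommu_active(dmesg_text)
    # Without VT-d the host has no say in where a PCI-side DMA master may read or write.
    dma_risk = "n/a" if not devices else ("bounded by IOMMU" if iommu else "unbounded")
    return {"mei_devices": devices, "mei_modules": modules,
            "host_driver_bound": "mei_me" in modules, "iommu_active": iommu,
            "dma_risk": dma_risk}

def _capture(cmd, fallback):
    """Run a tool if present and permitted; otherwise fall back to the constructed sample."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return fallback

if __name__ == "__main__":
    report = assess(_capture(["lspci", "-nn"], SAMPLE_LSPCI), _capture(["lsmod"], SAMPLE_LSMOD),
                    _capture(["dmesg"], SAMPLE_DMESG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real host, reading dmesg may need root; when a tool is missing or denied the script falls back to the constructed sample, so check which inputs were live before acting on the report.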
(Score: 2) by arashi no garou on Monday January 05 2015, @02:16AM
I would say to that, "unplug power and Ethernet from your computer if you're that worried about it", but then I'd be slammed with theories about how it can pull trickle power from the aether and send out signals via the GSM modem that is somehow hidden on the die, antenna and all.
A far simpler answer is "don't buy Intel", but there's probably also a tinfoil theory about AMD and ARM processors scanning our brain waves, trying to control our thoughts, just waiting to refute that option as well.
(Score: 2, Informative) by Anonymous Coward on Monday January 05 2015, @02:44AM
It can use wireless. There are 4 citations about it on Wikipedia: https://en.wikipedia.org/wiki/Intel_Active_Management_Technolog [wikipedia.org]
It's a feature. The theory being you can remotely cut off or fix a compromised computer before the rootkit/virus loads. The undocumented feature being law enforcement or hackers could have the computer send/receive anything without detection from the host. Any time for Ethernet connections, or only when on for wireless connections, both before the OS starts.
(Score: 4, Informative) by FatPhil on Monday January 05 2015, @03:52AM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by kaszz on Monday January 05 2015, @06:05AM
Locate the part of the chip die responsible and fry it by physical means?
(Score: 1) by boltronics on Tuesday January 06 2015, @02:00AM
That's one option. If you don't want the machine to ever boot again.
It's GNU/Linux dammit!
(Score: 2) by kaszz on Tuesday January 06 2015, @02:18AM
The fine print is to find the exact right spot to burn with a laser etc.
(Score: 2, Insightful) by boltronics on Tuesday January 06 2015, @02:39AM
My understanding is that it's a prerequisite for the machine to even boot. So if that chip doesn't initialize, the CPU won't do anything.
The code is encrypted by RSA 2048 IIRC, which is why it's so difficult to reverse engineer. If you could just wipe it (presumably effectively the same as damaging the chip) and avoid the danger, I'm sure hackers would be doing that already.
It's GNU/Linux dammit!
(Score: 2) by kaszz on Tuesday January 06 2015, @02:50AM
Any idea how to screw this kind of chip?
(Score: 1) by boltronics on Tuesday January 06 2015, @03:01AM
Without Intel's help, you'd have to crack the encryption and reverse-engineer how it works so the software can be replaced. I think I read somewhere that we have the ability to replace the code if we learn how to build a replacement.
It's GNU/Linux dammit!
(Score: 2) by kaszz on Tuesday January 06 2015, @03:10AM
"if we learn how to build a replacement"
Why is that step required?
(Score: 1) by boltronics on Tuesday January 06 2015, @03:42AM
Presumably we don't have specifications? Which is why we need either Intel's help or the ability to reverse-engineer the existing binary to figure it out.
Happy for someone working on this to correct me if I'm misunderstanding the situation.
It's GNU/Linux dammit!
(Score: 0) by Anonymous Coward on Monday January 05 2015, @05:12AM
Not letting you turn it off is step two.
And we all know step 3.
(Score: 0) by Anonymous Coward on Monday January 05 2015, @08:52AM
No. Actually, we don't know step 3.
But step 4 is Profit!
(Score: 1) by modest on Monday January 05 2015, @06:49PM
Those freedom-loving hackers with the libreboot [libreboot.org] project are working hard to fix things for anyone concerned.
(Score: 2) by Open4D on Monday January 05 2015, @03:51PM
Thanks, it's good to know it can be disabled.
But it still seems like unacceptable behaviour has happened somewhere along the line. Is Intel in the wrong, for making an "out-of-band management" system that can also be used for DRM, and not properly informing consumers about the treacherous component they're being sold?
If there was an end-user level explanation of all this, how to disable it, the side-effects of doing so, and a guarantee that disabling it would always be possible in the future without any loss of functionality (such as the ability to use Netflix at all), then I might be okay with it. But there doesn't seem to be any of that.
And I have to add this to Secure Boot [soylentnews.org] as something that I might have to learn about properly in order to defend my rights. I've got better things to spend my time on - but not much choice, it seems.
(Score: 2) by francois.barbier on Sunday January 04 2015, @08:49PM
Does it also deny screenshots with a compositing window manager [wikipedia.org]?
(Score: 3, Interesting) by FatPhil on Sunday January 04 2015, @09:09PM
DRM = broken by design
The two are completely unrelated concepts. In "drivers/gpu/drm/i915/intel_display.c", for example, the "drm" is the former, not the latter.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by doublerot13 on Sunday January 04 2015, @09:16PM
Vote with your dollars! If you are shopping for a new CPU have a good look at Intel's very helpful ark site.
http://ark.intel.com/ [intel.com]
(Score: 2) by tempest on Monday January 05 2015, @02:12PM
What does Intel call it on their site? None of their processors have this feature listed as far as I could see clicking on random CPU specs.
(Score: 2) by doublerot13 on Monday January 05 2015, @06:08PM
vPro
(Score: 0) by Anonymous Coward on Sunday January 04 2015, @11:26PM
No user asked Intel for this and no user ever would. Hollywood and their equally nefarious MPAA purchased legislation to enforce it. The best way to protest this type of nonsense is to exploit it. Develop an attack and publish it for all to see. Then let Intel explain why everyone's computer is fucked. Turn the tables.
(Score: 1, Informative) by Anonymous Coward on Sunday January 04 2015, @11:34PM
Already done.
Seems Intel doesn't care.
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Known_vulnerabilities_and_exploits [wikipedia.org]
(Score: 2) by epitaxial on Monday January 05 2015, @12:48AM
I can imagine someone like the feds asking for this. No way to take screenshots on sensitive systems.
(Score: 0) by Anonymous Coward on Monday January 05 2015, @05:28AM
They'd just use a camera.
(Score: 0) by Anonymous Coward on Monday January 05 2015, @02:32AM
This breaks fair use. It's not illegal to take screenshots or short clips of media.
(Score: 2) by kaszz on Monday January 05 2015, @06:08AM
It doesn't matter for people that will do what they like regardless of the law. For them the constitution is toilet paper and the rest is there to be tricked.
(Score: 1, Informative) by Anonymous Coward on Monday January 05 2015, @02:46PM
"Fair use" isn't a right, it's a legal defence.
(Score: 0) by Anonymous Coward on Monday January 05 2015, @06:42AM
? Look through the Linux source tree for "trusted", you'll find lots of cryptic code, no comments anywhere. A Linux user should be able to control what code runs on the box they own. For MS users, too bad, yer SOL. This is why I'm upgrading, not replacing, my 4yo system.
(Score: 0) by Anonymous Coward on Monday January 05 2015, @09:29AM
Also can upload contents of your RAM and give remote access Vic, OS agnostic.
Called vPro and VT.
(Score: 1, Insightful) by Anonymous Coward on Monday January 05 2015, @09:36AM
VNC.
America is a feminist police state. This is used to find and destroy men who think wrongly.
(Score: 0) by Anonymous Coward on Monday January 05 2015, @02:25PM
The end game always ends up like this; there is no point in acting surprised about this. The 'democracy' system is approaching the 'bottom of the barrel' of its life cycle. It is just an unfortunate stroke of luck for you guys (and me) that we were born at this time, rather than a different point in the cycle.
Plato observed these patterns over a thousand years ago [wikipedia.org].
I'm curious to know about the possibility of manufacturing all the components of a 100% free general purpose computer using global startup campaigns and the pooling of funds from userland.
Moving forward into the future, my advice to anybody with logical ability and desire for higher consciousness is to take a vigilante stance and devote a bigger chunk of your time in learning how to cause chaos, destroy, rearrange, modify, hack, crack, reverse engineer and p0wn computing and signals systems. The same advice applies to students of Electrical Engineering and Electronics.
God cannot exist without knowledge of the Devil.
(Score: 2) by Open4D on Monday January 05 2015, @04:22PM
Perhaps this is the kind of thing you're hoping for ... Librem Freedom-Oriented Notebook Near Halfway to Crowd Funding Goal [soylentnews.org]
(Score: 0) by Anonymous Coward on Monday January 05 2015, @04:59PM
That Librem notebook project looks like a half-decent poke in this direction given the/their limitations.
What I would like to have is a Desktop PC (Tower Case, ATX Motherboard, Chipset, CPU, RAM, Video Card, Sound Card, Network Card, Drivers, etc) which I can build myself whose components are all 100% Free (as in GNU philosophy) and 100% user-controllable.......what is the chance of ever seeing this?
(Score: 1) by art guerrilla on Monday January 05 2015, @06:23PM
...but the annoyance is real
using Ctrl-C/Ctrl-V to cut/paste screen shots of 'stuff' has been a lifesaver MANY, MANY times in my work...
not to mention, WHY do mappers NOT want you to use their maps any more ? ? ? (meaning: WHY do mappers want me to USE THEIR method of using maps instead of what works for me?) in my line of work, need little map snippets ALL THE TIME; i don't even care if it has their watermark, name emblazoned, whatever... i just want an IMMEDIATE method of cutting/pasting the map snippets i need, and Ctrl-C/Ctrl-V worked fine until they decided to get all snippy about it... i don't want to use your stupid site, your stupid tools, your stupid ads, etc, etc, etc; just let me cut/paste your stupid map WITH your stupid name on it, and i'll be happy...