Exactly. Remember Intel ME is a great utility and has some awesome abilities. The issue that people have is not the fact there is a CPU running another CPU that looks after the main one. It's that it's closed source and has remote control capabilities that can not be controlled by the user.
If Intel would just allow an owner to build and flash their own Intel ME version using their own private/public keys then no one would have an issue with that. It's the fact it's a secret closed system that has full control to monitor everything you do, and can not be fully disabled.
> It's the fact it's a secret closed system that has full control to monitor everything you do, and can not be fully disabled.
To add to that, it also makes code audits impossible.
Intel, AMD, ARM, et al: There is zero, and I mean ZERO reason to hide management functionality from users in this day and age. It's 2018, security through obscurity has been proven wrong time and time again. It's foolish to think otherwise. Edit: grammar.
It's not a coding error. It's built to do exactly what it looks like it's supposed to do: diminish any ordinary person's claim of total control over the behavior of the system, such that, should the need arise, a trained hand can lift the proper latch and intervene, to gain the upper hand, ostensibly so "the good guys" win.
The good guys being those that ordered Intel into compliance with such requirements.
>The good guys being those that ordered Intel into compliance with such requirements.
There is vast case law surrounding our first amendment right to refuse this kind of coercion. No one can force you to present something as yours against your will (at least, if they want it to hold up in court).
What is more likely is that Intel won a great many more government contracts by doing this. They'd make tons of money doing it, so they did it. And if they didn't do it, their competitor would. That's how the system works in this country.
They also won government contracts by not doing it; the High Assurance Platform mode (‘setting the HAP bit’) was a feature implemented by Intel for the NSA, incidentally discovered by security researchers.
Dell sold laptops with this as an option until they were asked not to.
It would be pretty easy for a sizable country or even a wealthy US state to demand that these ‘secure’ co-processors can be disabled at the user’s discretion, via regulation.
From the NSA’s perspective, having the keys to the backdoor is an asset, but having a backdoor at all is a huge liability, now they’re not the only game in town. US businesses and citizens simply have more to lose.
Honestly, I think it’s laziness and inertia more than conspiracy.
> From the NSA’s perspective, having the keys to the backdoor is an asset, but having a backdoor at all is a huge liability, now they’re not the only game in town. US businesses and citizens simply have more to lose. Honestly, I think it’s laziness and inertia more than conspiracy.
You're assuming (fully) rational actors. It's fairly easy to have blindspots when they are (at least temporarily) useful.
nobody is seeing this for what this really is: Apple users compromised by internal agent.
Nation states already paid google employees to target gmail etc. now they targeted an apple employee to make this mistake which allows any targeted attack into those companies that gives mbp to developers very easy to carry out remotely, as this probably leave the remote capabilities put in place for the NSA wide open.
Is the Intel ME that great? I mean I never heard anyone say that they actually use it. The explanation of its capabilities make it seem like a great tool for fleet management, yet nobody seems to be using it.
With other alternatives available, combined with low usage, I’m not sure that neither Intels ME nor AMDs PSP needs to be embedded in every CPU.
I think the specific part you're referring to is Intel AMT (Active Management Technology) which allows the user to remote control into their computer. AMT is a module that runs within the Intel ME operating system.
Intel ME does a lot of things, like the below (we think, no one really knows for sure):
- Active Management Technology (AMT)
- Alert Standard Format (ASF)
- Intel Boot Guard (IBG)
- Secure Boot
- Integrated Clock Controller (ICC)
- Quiet System Technology (QST) / Advanced Fan Speed Control (AFSC)
- Protected Audio Video Path (used in PlayReady DRM)
- Intel Security Assist (ISA)
- Serial over LAN (SOL)
- Firmware-based Trusted Platform Module (TPM)
> If Intel would just allow an owner to build and flash their own Intel ME version using their own private/public keys then no one would have an issue with that.
Note that unless you manufacture the CPU yourself you still cannot be sure if there are no hidden backdoors. For example the ME could pretend it's really running your firmware but at the same time running some hidden code only delegating some operations to your code.
I understand and agree with you to a certain extent, but we're not just talking about a couple of assembly commands that could be misused. The Intel ME is a FULL Operating System running MINIX Linux (edit: MINIX is not Linux, as corrected by @dragonwriter). It has it's own network and apps, that run inside a running kernel, of which you have no access to.
Even if the intentions are 100% legit, this is an operating system that you can not update (as frequently as your main operating system), and has many attack vectors.
Yes, it could pretend to run your firmware, but secretly load it's own, but it's actually quite hard to hide a 5mb (2mb min) piece of firmware in the chip. Research microchip decapping. You can clearly see the different regions of the chip.
But yes, it could be possible to hide a few x64 instructions, or circuits that could be manipulated. But running a remote control environment that can share your screen without your knowledge can only really be done clearly by running a large separate application stack alongside your main chip. (For now, who knows where we'll be in 5 to 10 years).
Hi @turblety, finally I see someone concerned about MINIX and everything that Intel ME can do to invade us, I read most of your comments, and you are pretty aware of the matter, is there a pc/chipset different from Intel and AMD that is free of this backdored tools?? I read on 1 comment from you something about IBM's OpenPOWER? thanks
Wikipedia says that MINIX is POSIX-certified, so it's pretty close (Unix-like). It doesn't seem anyone has shelled out the money for SUS certification, so it can't officially use the UNIX trademark.
The TLDR is that once they started putting a CPU vendor-controlled management CPU on their chipsets, they realised they could use it to implement DRM that Hollywood had been asking them for. We know that AMD has a contractual obligation to DRM vendors not to open source their GPU firmware for this reason, and it's likely Intel and AMD have similar contractual obligations as regards their Intel ME/AMD PSP firmware, as these are also involved in DRM.
Do you have any source for a time this DRM worked? What I mean is that I have watched/downloaded/streamed a lot of pirated content from various sources, using Intel and AMD hardware. CPU's and GPUs. Not once have the drivers blocked the viewing of pirated content via some kind of built in DRM. So if there is DRM baked into the drivers/ME, then what's the point if it doesn't do anything?
DRM doesn't stop you from playing pirated content, the goal is to make the content only decryptable using approved hardware/software, to limit people's ability to copy and paste content Willy nilly and share with their friends in Napster fashion. The determined people still stealing content never will be stopped, but it's inconvenient enough that average people aren't going to duplicate DRM-laden stuff themselves.
Importantly, I think, when there's a higher barrier to content theft, the remaining sources of pirated content are fewer and easier to track.
> Importantly, I think, when there's a higher barrier to content theft, the remaining sources of pirated content are fewer and easier to track.
Except DRM on end-user devices is done with security by obscurity and it's never ever worked for media. And never will.
So there is so many sources of pirated content that attempts to track of stop them never succeeded. Fortunately NSA and other government spying organizations can still have their backdoor because "Hollywood needs DRM" bullshit.
If Intel would just allow an owner to build and flash their own Intel ME version using their own private/public keys then no one would have an issue with that. It's the fact it's a secret closed system that has full control to monitor everything you do, and can not be fully disabled.