this post was submitted on 13 Aug 2023
260 points (92.5% liked)

Technology

all 23 comments
[–] [email protected] 60 points 1 year ago (2 children)

The article really doesn't call out explicitly: The management engine never stops running, turning it off is nearly impossible, and if you do succeed the computer resets in 30 seconds. So this untrusted entity is constantly looking at everything happening, and the best we can do is load some dummy configuration so it doesn't do anything, or perhaps it doesn't do anything, because we don't know.

Having an architecture without the big brother chip sitting on the bus would be a huge huge bonus.

[–] [email protected] 13 points 1 year ago
[–] [email protected] 45 points 1 year ago (2 children)

Just a fancy ad for a brand, with words around it

[–] [email protected] 3 points 1 year ago

Basic Giga Devices?

[–] [email protected] 23 points 1 year ago (5 children)

Can someone explain what the Intel ME actually does / is? Thank you.

[–] [email protected] 33 points 1 year ago (1 children)

Intel Management Engine is a component that has access to your computer on a level that even you, the computer owner, don't have access to. It can be operated remotely, even when your computer is off.

And traditionally you can't even disable it (remember, you're not the trusted party in that mix).

https://en.wikipedia.org/wiki/Intel_Management_Engine

[–] [email protected] 22 points 1 year ago* (last edited 1 year ago) (1 children)

My understanding is that it's meant to be an enterprise tool for sysadmins of businesses and schools to allow for remote monitoring and troubleshooting, but because it's expensive to make two sets of devices, it's in everything.

Relevant bits from that wiki:

The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off.

.

Intel's main competitor AMD has incorporated the equivalent AMD Secure Technology (formerly called Platform Security Processor) in virtually all of its post-2013 CPUs.

.

Critics like the Electronic Frontier Foundation (EFF), Libreboot developers, and security expert Damien Zammit accused the ME of being a backdoor and a privacy concern. Zammit stresses that the ME has full access to memory (without the owner-controlled CPU cores having any knowledge), and has full access to the TCP/IP stack and can send and receive network packets independently of the operating system, thus bypassing its firewall.

.

In the context of criticism of the Intel ME and AMD Secure Technology it has been pointed out that the National Security Agency (NSA) budget request for 2013 contained a Sigint Enabling Project with the goal to "Insert vulnerabilities into commercial encryption systems, IT systems, …" and it has been conjectured that Intel ME and AMD Secure Technology might be part of that program.

[–] [email protected] 7 points 1 year ago (1 children)

So who is using it? Where are the tools which allow you to set up and manage the infrastructure? Why can't it be disabled, except by hacks and one undocumented feature requested by the NSA because they did not want it running? It is a backdoor; if it weren't, it would be disabled by default and you would have to pay a premium to have that feature enabled.

[–] [email protected] 2 points 1 year ago

Enterprise. Intel has a tool that lets you use it, but other management services like SCCM and LANDESK have methods to use AMT/vPro.

[–] [email protected] 25 points 1 year ago* (last edited 1 year ago) (1 children)

Intel ME is an embedded microcontroller in the Intel chipset (in the south-bridge chip) which, depending on the generation, has a multitude of different features such as Active Management Technology used by IT departments, clock controls, and a few more things.

Because it is closed source there are security concerns about possible vulnerabilities in it which could be exploited, as well as several conspiracy theories about it. Because of that, hobbyists as well as certain OEMs have found ways to disable it in an attempt to mitigate these issues.

For more detailed information on it I would highly recommend this video by CCC on the subject, it covers what IntelME does and how it was able to be disabled.

34C3 - Intel ME: Myths and reality (Youtube)

34C3 - Intel ME: Myths and reality (media.ccc.de)

[–] [email protected] 5 points 1 year ago (1 children)

AMT is a great way to get a passworded VNC session into the terminal.

[–] [email protected] 1 points 1 year ago (1 children)

Well, provided your OEM hasn't disabled it. On most of the computers I checked with intelmetool (the ones new enough to have Intel ME) I found that AMT shows up as disabled, except for a few.

[–] [email protected] 23 points 1 year ago (1 children)

As a tech enthusiast and IT support personnel, I can tell you this: no one knows, possibly not even Intel.

[–] [email protected] 5 points 1 year ago (1 children)

I asked our Intel guy about it once. After you've dealt with vendors and sales engineers for long enough, you start to learn to detect when they have no clue how one of their offerings work. I'm not sure that I've ever heard so many non-specific comments, meaningless buzzwords, and attempts to redirect the conversation.

I didn't get it even a little bit until I found an open source project based on Intel AMT, and that's apparently just a piece of ME.

[–] [email protected] 1 points 1 year ago

Sounds about right👍

[–] [email protected] 9 points 1 year ago

It’s used for out-of-band management. With the correct hardware items (NIC and GPU) it’s called vPro. With the proper certificate and supporting infrastructure it can auto-enroll into a management service such as SCCM. It allows companies to remotely view logs, BIOS settings and other items. With vPro it can include a complete remote KVM solution.

You can disable it from most UEFI settings interfaces without worry of causing other issues.

[–] [email protected] 5 points 1 year ago

It's a microcontroller that runs within Intel-based systems, allowing full control access at the processor level. It runs outside of your processor, any time the system is plugged in or is on battery. It doesn't require the main processor to be up for it to be accessible. More info on it on [Wikipedia](https://en.wikipedia.org/wiki/Intel_Management_Engine).

AMD's equivalent is called AMD Secure Technology.

[–] [email protected] 20 points 1 year ago (2 children)

Since that “article” wasn’t, a quick search turned up this Python script. I haven’t tried it yet, but it seems almost risk free… and if nothing else a decent way to test my motherboard's BIOS recovery routine.

[–] [email protected] 3 points 1 year ago

That just modifies an image; you still need to flash it, using something like UEFITool to do the rest, and a good guide to follow.
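For readers wondering what "modifies an image" means in practice: the soft-disable that tools of this kind (me_cleaner is the well-known one) perform is a single strap bit in the Intel Flash Descriptor at the start of a full SPI dump, not a change to the ME firmware itself. The following is an added example, not code from the thread or from any such project: it parses the descriptor, locates the PCH straps and the ME region, reports whether the disable strap is set, and sets it in a copy of the image. The offsets (FLMAP0/FLMAP1 at 0x14, HAP bit = PCHSTRP0 bit 16 for ME 11+, AltMeDisable = PCHSTRP10 bit 7 for ME 6 to 10) follow the publicly documented descriptor layout as used by me_cleaner; the ME generation is supplied by the caller, and the 1 MiB image is constructed inline rather than dumped from real hardware.

```python
"""Locate and set the ME soft-disable strap in an Intel SPI flash image.

Added illustration only. Offsets follow the Intel Flash Descriptor layout as
used by the public me_cleaner source; the sample image is synthetic.
"""
import struct

FD_SIG_OFFSET = 0x10
FD_SIGNATURE = b"\x5a\xa5\xf0\x0f"  # 0x0FF0A55A, little-endian

# generation -> (description, byte offset from the PCH strap base, bit number)
STRAPS = {
    "me11+": ("HAP bit in PCHSTRP0", 0x00, 16),
    "me6-10": ("AltMeDisable bit in PCHSTRP10", 0x28, 7),
}


def parse_descriptor(image: bytes) -> dict:
    """Return the strap base, region base and the ME region of a full dump."""
    if image[FD_SIG_OFFSET:FD_SIG_OFFSET + 4] != FD_SIGNATURE:
        raise ValueError("no Intel Flash Descriptor signature at offset 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", image, 0x14)
    frba = (flmap0 >> 12) & 0xFF0    # Flash Region Base Address (bits 23:16, x16)
    fpsba = (flmap1 >> 12) & 0xFF0   # Flash PCH Strap Base Address (bits 23:16, x16)
    flreg2 = struct.unpack_from("<I", image, frba + 8)[0]  # region 2 is the ME
    me_base = (flreg2 & 0x1FFF) << 12
    me_limit = (((flreg2 >> 16) & 0x1FFF) << 12) | 0xFFF
    return {
        "frba": frba,
        "fpsba": fpsba,
        "me_base": me_base,
        "me_limit": me_limit,
        "me_present": me_base <= me_limit,  # an unused region has base > limit
    }


def disable_strap_state(image: bytes, generation: str) -> tuple:
    """Return (strap description, True if the disable bit is already set)."""
    name, offset, bit = STRAPS[generation]
    fpsba = parse_descriptor(image)["fpsba"]
    strap = struct.unpack_from("<I", image, fpsba + offset)[0]
    return name, bool(strap & (1 << bit))


def set_disable_strap(image: bytes, generation: str) -> bytes:
    """Return a copy of the image with the disable strap set; nothing else changes."""
    name, offset, bit = STRAPS[generation]
    fpsba = parse_descriptor(image)["fpsba"]
    out = bytearray(image)
    strap = struct.unpack_from("<I", out, fpsba + offset)[0] | (1 << bit)
    struct.pack_into("<I", out, fpsba + offset, strap)
    return bytes(out)


def build_sample_image() -> bytes:
    """Constructed 1 MiB image with a minimal descriptor; NOT a real dump."""
    img = bytearray(b"\xff" * (1 << 20))
    img[FD_SIG_OFFSET:FD_SIG_OFFSET + 4] = FD_SIGNATURE
    frba, fpsba = 0x40, 0x100
    flmap0 = (frba >> 4) << 16    # FRBA lives in bits 23:16, in 16-byte units
    flmap1 = (fpsba >> 4) << 16   # FPSBA lives in bits 23:16, in 16-byte units
    struct.pack_into("<II", img, 0x14, flmap0, flmap1)
    # Region 2 (ME): base 0x3000, limit 0x7FFFF, both in 4 KiB units.
    flreg2 = (0x3000 >> 12) | ((0x7FFFF >> 12) << 16)
    struct.pack_into("<I", img, frba + 8, flreg2)
    # Both strap words start cleared, i.e. ME enabled.
    struct.pack_into("<I", img, fpsba + 0x00, 0)
    struct.pack_into("<I", img, fpsba + 0x28, 0)
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    info = parse_descriptor(sample)
    print("ME region: 0x%x-0x%x" % (info["me_base"], info["me_limit"]))
    print("before:", disable_strap_state(sample, "me11+"))
    print("after: ", disable_strap_state(set_disable_strap(sample, "me11+"), "me11+"))
```

Two caveats a practitioner should keep in mind. First, the result is still only a file: as the comment above says, it has to be written back with a flasher, and the descriptor region is normally write-protected from the host, so an external SPI programmer is usually required. Second, the strap only asks the ME to halt early; the ME region and its firmware are left intact by this code, so anything beyond that (removing partitions, checking that the ME actually reports the disabled state afterwards) is a separate step.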