back to article Wanna exorcise Intel's secretive hidden CPU from your hardware? Meet Purism's laptops

Purism – a San Francisco, California, social purpose company that flies the flags of privacy, security and software freedom – has begun offering its GNU/Linux-based laptops with Intel's Management Engine disabled. The Intel Management Engine is a hidden coprocessor at the heart of Chipzilla's vPro technology. Part of the …

Page:

  1. whitepines Bronze badge
    WTF?

    Disabled? Yeah, right...

    What everyone seems to be overlooking here is that "disabled" is not really "disabled". The ME is integral to the x86 boot process and always, always runs.

    What Purism is using here is the kill switch for the second level of ME services, akin to userspace on a normal Linux computer. The ME kernel still runs and is still required for bootup, even if it goes offline afterward. This means the machine is still just as vulnerable to preinstalled / evil maid type malware targeting the ME as it ever was.

    Purism really needs to be more clear on just what they are doing. They keep making grandiose claims that are not 100% true and compromising everyone's security as a result.

    1. Big John Silver badge

      Re: Disabled? Yeah, right...

      Do AMD chips have this 'feature?' (total noob here)

      1. whitepines Bronze badge

        Re: Disabled? Yeah, right...

        Yes, it's called the Platform Security Processor (PSP for short). Given AMD's track record of (not) keeping key material secret I'd expect it to be hacked at some point, and not in a good way....

        1. Michael Habel Silver badge

          Re: Disabled? Yeah, right...

          S0NY Called they want their PSP back!

    2. MacroRodent Silver badge

      Re: Disabled? Yeah, right...

      Purism seems to be doing here all they can do to disable the engine. If it gets killed very shortly after boot, it cannot get commands from evil masters. Any better ideas? Maybe using another CPU architecture would do it, but is making a high-end laptop around ARM (for example) feasible? In principle software compatibility should not be an issue (as long as you run Linux as the OS), but in practice x86 is still better supported for desktop applications, and it allows customers to boot Windows if they want.

      1. malle-herbert Silver badge
        Facepalm

        Re: and it allows customers to boot Windows if they want...

        Really ?

        First you try to make a laptop as secure as possible, only then to run the most insecure operating system known to man on it ?

        1. Anonymous Coward
          Anonymous Coward

          Re: and it allows customers to boot Windows if they want...

          "First you try to make a laptop as secure as possible, only then to run the most insecure operating system known to man on it ?"

          I didn't know intel laptops ran Android?

      2. DainB Bronze badge

        Re: Disabled? Yeah, right...

        Any better ideas?

        Yes. Firewall.

        1. Anonymous Coward
          Anonymous Coward

          Re: Disabled? Yeah, right...

          "Yes. Firewall."

          This stuff can access the network card directly. It doesn't care about local firewalls.

          And anyway if it uses says HTTPS how are you going to know which traffic to block?!

          1. DainB Bronze badge

            Re: Disabled? Yeah, right...

            "This stuff can access the network card directly. It doesn't care about local firewalls."

            Don't use local firewalls then.

            "And anyway if it uses says HTTPS how are you going to know which traffic to block?!"

            Err... It's quite unlikely it'll be trying access your internet banking or paypal account and it's really easy to check what goes where and when.

            If your computer that is not booted into any OS initiates some HTTPS traffic that's enough to kill it with fire. Unless I missed something there was not a single report about any system caught doing that.

            1. TheVogon Silver badge

              Re: Disabled? Yeah, right...

              "Don't use local firewalls then."

              So you propose configuring an external hardware firewall by destination IP and port for for every every PC you use in every location and say over wifi?! Good luck with that...

              "Err... It's quite unlikely it'll be trying access your internet banking or PayPal"

              On the contrary your Internet banking or PayPal would likely be of great interest to a hacker that has taken remote control of your PC.

              "and it's really easy to check what goes where and when."

              So you propose not only to hardware firewall every device everywhere, but also think you know exactly which of the millions of addresses on the Internet are "safe"?! And even if that were even possible then that won't help if they come via say TOR, a VPN, a proxy or another compromised device...

              1. DainB Bronze badge

                Re: Disabled? Yeah, right...

                "So you propose configuring an external hardware firewall by destination IP and port for for every every PC you use in every location and say over wifi?!"

                Oh, I'm so important that Intel wants to put rootkit on my laptop...

                Latte please, double shot, do you have free wifi here ?

                "So you propose not only to hardware firewall every device everywhere, "

                Yes, if you care about it you most certainly should.

                If you really do.

                Which is highly unlikely.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Disabled? Yeah, right...

                  "Oh, I'm so important that Intel wants to put rootkit on my laptop..."

                  The way in is already there. It's the relatively clueless about security like yourself that will be the ones most likely to get stung. You will think you are safe behind your firewall while hackers monitor everything you do until they can find an opportunity to fleese you.

                  1. DainB Bronze badge

                    Re: Disabled? Yeah, right...

                    "It's the relatively clueless about security like yourself that will be the ones most likely to get stung. "

                    Let me see..

                    Ad hominem attack - check. Posted as AC - check.

                    Reasons to argue with trolls - none detected.

                2. Anonymous Coward
                  Anonymous Coward

                  Re: Disabled? Yeah, right...

                  "Oh, I'm so important that Intel wants to put rootkit on my laptop..."

                  Too late: it is already there. They only need to activate it (and millions others if necessary), no manual steps needed.

            2. Irongut

              Re: Disabled? Yeah, right...

              So how does this external firewall know that the HTTPS traffic to/from PayPal or your bank is a virus in the IME and not you in your browser of choice? The source and destination IPs are the same and the encrypted traffic is unreadable.

              Or do you propose to temporarily disable the firewall every time you want to do banking? If so how do you protect yourself from IME nasties during that time?

              1. DainB Bronze badge

                Re: Disabled? Yeah, right...

                "So how does this external firewall know that the HTTPS traffic to/from PayPal or your bank is a virus in the IME and not you in your browser of choice? The source and destination IPs are the same and the encrypted traffic is unreadable."

                Quite frankly until someone proves that it is in fact possible to run malware on that level I would not give it a second thought. Burglars do not need use cat flap if front door is unlocked and wide open.

      3. Mpeler
        Paris Hilton

        Re: Disabled? Yeah, right...

        Glad to see that someone acted on [Erica] Portnoy's Complaint.....

        (they probably aroused Intel's Roth over that)

    3. TheVogon Silver badge

      Re: Disabled? Yeah, right...

      What I don't understand is why isn't there simply a Bios setting to disable it? Wouldn't that make sense? Then no need for special hardware for the US government, etc. etc.

      1. Anonymous Coward
        Anonymous Coward

        Re: Disabled? Yeah, right...

        There is on every thinkpad I've seen

        1. TheVogon Silver badge

          Re: Disabled? Yeah, right...

          "There is on every thinkpad I've seen"

          Great, so does that solve the problem? We just need that option on all BIOSs?

      2. bombastic bob Silver badge
        Unhappy

        Re: Disabled? Yeah, right...

        "What I don't understand is why isn't there simply a Bios setting to disable it? Wouldn't that make sense?"

        It makes _TOO_ _MUCH_ _SENSE_. That's why nobody's doing it, I guess...

  2. Anonymous Coward
    Anonymous Coward

    Hello: 'Trusted Computing' Model 2.0?

    ....."The design choice of putting a secretive, unmodifiable management chip in every computer was terrible, and leaving their customers exposed to these risks without an opt-out is an act of extreme irresponsibility," (EFF)...

    http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

    1. Anonymous Coward
      Anonymous Coward

      Re: Hello: 'Trusted Computing' Model 2.0?

      I think we are still at Model 1.0 will all the attendant problems of the Great Magic Box Idea.

      Once we get to the point where you are forced to watch Ads, read NYT headlines or listen to McCain extolling liberventionism while the webcam checks your attention level, THEN we will be at Model 2.0.

    2. Anonymous Coward
      Anonymous Coward

      Re: Hello: 'Trusted Computing' Model 2.0?

      FAQ summarizes it nicely:

      " 25. So a `Trusted Computer' is a computer that can break my security?

      That's a polite way of putting it. "

      TCPA and derivatives are _designed_ to break _your_ security, i.e. backdoor. They have no other functions and the Intel moron who dares to lie otherwise, is an a**hole.

      "12. But can't you just turn it off?

      Sure - unless your system administrator configures your machine in such a way that TC is mandatory, you can always turn it off. You can then run your PC as before, and use insecure applications. "

      Which might have been true in 2003. In NSA-era it isn't and now you can't.

  3. frank ly Silver badge

    "It's not a purposeful backdoor,"

    It's an accidental backdoor?

  4. A Non e-mouse Silver badge

    Pixies?

    If a machine can't boot its OS, you need something running under the operating system, at the chipset firmware level, to recover the box.

    Er, isn't this what PXE booting is for?

    1. John Doe 6

      Re: Pixies?

      Servers got management CPU' for decades, I've got an IBM from 1998 with a PowerPC chip as management processor.

      1. Anonymous Coward
        Anonymous Coward

        Re: Pixies?

        Different thing: That management is just for the server hardware and totally separate HW which has no idea what the main processor is doing.

        This "management" is sitting within main processor spying everything it does and acts as a middle man to _everything_ main processor is doing. Perfect backdoor you can't even disable.

        Renders any encryption you have totally worthless: NSA _must see_ everything you do and Intel is their hand sock in this case, lying whatever they can.

    2. Sampler

      Re: Pixies?

      I was thinking, fifteen years ago when I assisted the third line and infrastructure support guys, all the servers had iLO's in them, so, why would you need to build it into the chip for sysadmins when the chips go into a lot of other machines?

      Allow those that want to put iLO's into the devices, the rest of us that don't need one, can skip, makes the silicone cheaper, so more profit for intel, that point, right there, concerns me, why aren't Intel maximizing their bottom line?

      1. Anonymous Coward
        Anonymous Coward

        Re: Pixies?

        "makes the silicone cheaper"

        You made a boob with your spelling.

        s/silicone/silicon

        1. TheVogon Silver badge

          Re: Pixies?

          "You made a boob with your spelling"

          Android at least autocorrects silicon to silicone if you don't change it...

          1. HieronymusBloggs Silver badge

            Re: Pixies?

            "Android at least autocorrects silicon to silicone if you don't change it..."

            Good to know, but an odd choice considering silicon is much more common than silicone.

      2. TheVogon Silver badge

        Re: Pixies?

        "Allow those that want to put iLO's into the devices"

        ILO cards cost a few hundred quid and if optional take a slot / motherboard connector and presumably an additional network connection. Extra hardware built into a chip you already use costs a few cents...

      3. DainB Bronze badge

        Re: Pixies?

        Because iLOM has absolutely nothing to do with it, it's a separate CPU with it's own OS and totally different purpose.

    3. Anonymous Coward
      Anonymous Coward

      isn't this what PXE booting is for?

      Exactly.

      Not only that, looooong before there was PXE on x86, there were other technologies on other hardware that provided, as a standard documented part of the core CPU and boot ROM functionality, what PXE eventually got around to implementing as a "value add" feature.

      E.g. lots of DEC VAXes and pretty much every DEC/CPQ Alpha system had a documented network boot procedure, using either an IP network stack or (in the olden days) a DECnet stack. It needed no management co-processor or other untrustworthy stuff, just the standard processor and a standard boot ROM and standard documented network-bootable code and corresponding executables.

      The industry has moved on since then, hasn't it.

  5. mark l 2 Silver badge

    Looks like keeping hold of my 2007 Dell Latitude without these 'features' was a good idea. it is still going strong dual booting between Linux Mint and Window 7.

    1. bombastic bob Silver badge
      Black Helicopters

      "Looks like keeping hold of my 2007 Dell Latitude without these 'features' was a good idea"

      ack. Intel's "new, shiny" [particularly when running Win-10-nic] isn't worth the *RISKS*. I'll stick with proven, slightly older, very slightly slower tech that doesn't have a built-in back door.

  6. Milton Silver badge

    We need companies like Purism

    While I won't address all the tech details here, I will submit that the modern age absolutely needs organisations like Purism, as much as we need a free press, separation of powers in government, independent judiciary, free speech - the human right to dignity, privacy and the basic right *not* to treated like an exploitable commodity.

    Whether Purism specifically ticks all the boxes is less important than that we support the principles of security, freedom from snooping, government overreach and corporate spying.

    So I wish them well. "Apple, but ethical" - excellent. Next up, "Google but not evil" and maybe one day "Social media, by grown-ups".

    1. deive

      Re: We need companies like Purism

      Too right we do need more, but the only way that'll happen is if consumers actually buy...

      Also they said "there's no ethical computing device option" which may be true for the USA but the is Fairphone here in the EU. I would love to see those two collaborate on electronics that are totally ethical from mining and production through to software and data gathering

    2. Primus Secundus Tertius Silver badge

      Re: We need companies like Purism

      @Milton

      "Social media, by grown-ups"

      All computer freaks are nerds. Even me, a little bit.

    3. Anonymous Coward
      Anonymous Coward

      Re: We need companies like Purism

      "Google but not evil"

      Only when Satan has been cast from the fiery pit of hell can Google not be evil.

      1. Michael Habel Silver badge

        Re: We need companies like Purism

        ~Only when Satan has been cast from the fiery pit of hell can Google not be evil.~

        Really?! I would have thought he would have scored himself a nice Desk as the CEO of the slightly melting Chocolate Factory, had he been in need of some new employment.

      2. Captain DaFt

        Re: We need companies like Purism

        Only when Satan has been cast from the fiery pit of hell can Google not be evil.

        Don't bet on it.

        The Infernal Trinity of Google, Oracle, and Microsoft would see his deportment as a business opportunity immediately take over running Hell.

    4. Michael Habel Silver badge

      Re: We need companies like Purism

      I down voted you while your 'Heart' may well be with-in the PCZ (Political Correctness Zone), simply miming out the motions wont make anyone more secure in the end. In the end you only have but, Two options. Either do the job, you were tasked to do, Or find someone else who can. Making chimp like noises about having done much about nothing, and in the grand scheme of things serves no purpose other then to trick the schmo into buying whatever snake oil is on tap that day.

      While it may well be regarded as a better fix then not having done anything at all... it would have at least been more useful had this lot targeted Windows instead. Not that I have anything against Linux. But, like it or not, Windows is still the workplace king.

      1. Charles 9 Silver badge

        Re: We need companies like Purism

        "In the end you only have but, Two options. Either do the job, you were tasked to do, Or find someone else who can."

        There MUST be a third option because you may lack the skills to do it yourself and can't trust anyone else to do it.

        For example, how can one be sure the government can't subvert every phone using their airwaves if all radio chips must go through them first?

        1. Michael Habel Silver badge

          Re: We need companies like Purism

          ~For example, how can one be sure the government can't subvert every phone using their airwaves if all radio chips must go through them first?~

          Thus we have a reason why these Companies such as Purism exist for. It's up to you if you think that they are trusty enough, or not.

          A real Third Option is to NOT support Companies that pull this kind of crap. Which may on the face of it seem harder than it seems. But, I gather that this is only on the newer CPUs.

        2. Destroy All Monsters Silver badge

          Re: We need companies like Purism

          There MUST be a third option because you may lack the skills to do it yourself and can't trust anyone else to do it.

          That's the DayZ option: Innawoods with AKM and unconnected.

      2. AJ MacLeod

        Re: We need companies like Purism @Michael Habel

        If someone's concerned enough about security and privacy to disable the IME I don't think they're very likely to be interested in running Windows of any variety.

        1. TheVogon Silver badge

          Re: We need companies like Purism @Michael Habel

          " I don't think they're very likely to be interested in running Windows of any variety."

          It depends on the use. For desktops where you have user interaction Windows is most attacked. However if you look at say Internet facing servers, Windows server is several times less likely to be attacked than say Linux boxes if you look at for instance defacement stats versus share of boxes. That might well be partly because of what is commonly run on the Linux boxes rather than the OS itself but you could say the same about Windows on the desktop where attacks have commonly leavaged java, flash, acrobat, office, etc...

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019