Linked by Thom Holwerda on Tue 24th Oct 2017 19:00 UTC
Intel

Only a few weeks after the news that security researchers had managed to completely disable the Intel Management Engine, Purism has announced it's disabling the IME on all of its available Librem laptops.

Purism's Librem Laptops, running coreboot, are now available with the Intel Management Engine completely and verifiably disabled.

The Management Engine (ME), part of Intel AMT, is a separate CPU that can run and control a computer even when powered off. The ME has been the bane of the security market since 2008 on all Intel based CPUs, with publicly released exploits against it, and is now disabled by default on all Purism Librem laptops.

Disabling the Management Engine is no easy task, and it has taken security researchers years to find a way to properly and verifiably disable it. Purism, because it runs coreboot and maintains its own BIOS firmware update process, has been able to release and ship coreboot that disables the Management Engine from running, directly halting the ME CPU without any ability to recover.

Great move.

Awesome
by Poseidon on Tue 24th Oct 2017 20:12 UTC
Poseidon
Member since:
2009-10-31

Now this is something I can get behind. However, I bet Intel will start playing whack-a-mole and modifying it with each CPU release instead of offering an option to not have it altogether.

Reply Score: 7

RE: Awesome
by shotsman on Wed 25th Oct 2017 06:05 UTC in reply to "Awesome"
shotsman Member since:
2005-07-22

I agree. There may well be a few DMCA suits flying around as well.
"The Man" has gotta have his backdoors...

Reply Score: 1

RE: Awesome
by BlueofRainbow on Thu 26th Oct 2017 03:29 UTC in reply to "Awesome"
BlueofRainbow Member since:
2009-01-06

Yep - Intel is likely to counter-act every single move to disable IME.
Are AMD products free from such behind the scene interface?

Reply Score: 3

RE[2]: Awesome
by Andre on Thu 26th Oct 2017 19:05 UTC in reply to "RE: Awesome"
Andre Member since:
2005-07-06

According to the LibreBoot FAQ, AMD also has its own IME-like stuff called Platform Security Processor (PSP).

https://libreboot.org/faq.html#amd

Reply Score: 2

RE[3]: Awesome
by BlueofRainbow on Thu 26th Oct 2017 19:59 UTC in reply to "RE[2]: Awesome"
BlueofRainbow Member since:
2009-01-06

Thanks for pointing to the relevant information.

This is rather unfortunate that such features, intended for efficient remote management of systems within a business environment, have serious security flaws and cannot be disabled by an owner/end-user.

Reply Score: 2

Permanently disabled?
by ameasures on Tue 24th Oct 2017 20:20 UTC
ameasures
Member since:
2006-01-09

Disabled: yes. Verifiably disabled: yes.

Permanently disabled: perhaps, but would you bet money on it?

The IME technology has been in many/most new machines for nine years, so a high enough proportion are already exploitable...

The last private thing remaining is your vote; and when no one is looking strange things happen: like BREXIT and Trump.

Reply Score: 6

RE: Permanently disabled?
by Dr.Cyber on Tue 24th Oct 2017 22:29 UTC in reply to "Permanently disabled?"
Dr.Cyber Member since:
2017-06-17


The last private thing remaining is your vote; and when no one is looking strange things happen: like BREXIT and Trump.

Voting may be private but it is also completely useless so you are probably better off just keeping your vote in your head without ever casting it. It has the same effect but better privacy.

Reply Score: 0

RE[2]: Permanently disabled?
by leech on Wed 25th Oct 2017 06:20 UTC in reply to "RE: Permanently disabled?"
leech Member since:
2006-01-10

"
The last private thing remaining is your vote; and when no one is looking strange things happen: like BREXIT and Trump.

Voting may be private but it is also completely useless so you are probably better off just keeping your vote in your head without ever casting it. It has the same effect but better privacy.
"

That's why I'm a firm believer in anarchy. People always say "But if you don't vote you can't complain." Sure I can, if they EVER actually had someone I thought would do something worthwhile FOR ME, then certainly I'd get off my ass and vote. But they never do... so Anarchy in the USA!

Reply Score: 0

RE[3]: Permanently disabled?
by agentj on Wed 25th Oct 2017 09:00 UTC in reply to "RE[2]: Permanently disabled?"
agentj Member since:
2005-08-19

If you didn't vote you still can complain - if someone made some crap, it's on those who voted for him.

Reply Score: 1

RE[4]: Permanently disabled?
by Dr.Cyber on Wed 25th Oct 2017 11:24 UTC in reply to "RE[3]: Permanently disabled?"
Dr.Cyber Member since:
2017-06-17

Since I believe democracy is immoral saying I should not complain because I did not hypocritically vote would be nonsense indeed.

Group rape is democracy too. Just because one group is the largest does not mean it has the right to take the rights of all smaller groups.

On top of that many so called democracies are actually oligarchies with a nice puppet show where people just vote on the puppets. The puppet master stays the same no matter what the people vote.


Having an anarchy or small government would be better than what we have now but unfortunately anarchy and small governments are not sustainable due to human naivety which will be abused by other less naive humans.
America supposedly was free and had a small government in the past and look what happened to it now. It has become 1984 where the government sees and controls everything. And all that the people do is vote for candidates who support this Orwellian system like Trump or Hillary.

Reply Score: 0

RE[5]: Permanently disabled?
by The123king on Wed 25th Oct 2017 14:53 UTC in reply to "RE[4]: Permanently disabled?"
The123king Member since:
2009-05-28

"I think we should rape this person, all in agreement, say "Aye"!"

I somehow don't think that's how rape works...

Reply Score: 4

RE[6]: Permanently disabled?
by Dr.Cyber on Thu 26th Oct 2017 19:55 UTC in reply to "RE[5]: Permanently disabled?"
Dr.Cyber Member since:
2017-06-17

"I think we should rape this person, all in agreement, say "Aye"!"

I somehow don't think that's how rape works...

That was not what I meant. If the rapers join in of their own free will then that is their vote. And since the victim by definition does not want to get raped he will probably resist and that is his vote against the raping.

Reply Score: 0

RE[3]: Permanently disabled?
by zima on Thu 26th Oct 2017 15:56 UTC in reply to "RE[2]: Permanently disabled?"
zima Member since:
2005-07-06

if they EVER actually had someone I thought would do something worthwhile FOR ME

So you care only about election pork / have you no sense of community? And do you really think that government initiatives in, say, infrastructure or education bring no benefits to you? Maybe you're getting the gov you deserve...

Reply Score: 3

RE: Permanently disabled?
by Morgan on Tue 24th Oct 2017 23:08 UTC in reply to "Permanently disabled?"
Morgan Member since:
2005-06-29

I'm skeptical. They promised they already had disabled it (with Intel's blessing) before launch, they were called out on that lie, they revised it to "we're disabling it soon, we promise!", then nothing for nearly two years. Now, the laptops are all but obsolete, especially at the price they charge.

And as you said, is it really permanent? Is there any guarantee Intel won't be able to remotely patch it, perhaps via some as-yet-undocumented back door?

Too little, too late, and as far as I'm concerned they were liars from the beginning. Forget IME itself, I don't trust Purism.

Reply Score: 5

RE[2]: Permanently disabled?
by BlueofRainbow on Thu 26th Oct 2017 04:00 UTC in reply to "RE: Permanently disabled?"
BlueofRainbow Member since:
2009-01-06

Maybe they stretched their claims more than they should have. However, are there other notebooks currently on the market for which IME is crippled or disabled?

From the little I could find about IME within the Chromebook space, it seems that IME is active and that the systems could be hijacked via this feature. Hum - so much for security?

Reply Score: 3

RE[3]: Permanently disabled?
by Morgan on Fri 27th Oct 2017 18:31 UTC in reply to "RE[2]: Permanently disabled?"
Morgan Member since:
2005-06-29

Intel isn't the only CPU manufacturer (and I'm perturbed that I have to explain that on this site). That said, AMD supposedly has its own issues in this area.

There are also non-x86 laptops out there, with no backdoored management engines but with their own pros and cons.

You can get older Thinkpads with no IME at all, they are slow compared to the Purism machines but they are fully functional and come installed with a 100% Libre/Free version of Linux[1]. My wife's old laptop, which I currently use for testing Linux and BSD distros, is an AMD Turion II machine with no PSP (AMD equivalent of IME) baked in. It's no speed demon but it's fast enough for anything except AAA gaming, and it has an excellent keyboard.

Given that the Purism laptops are only IME-free nearly three years after their introduction and after a ton of misdirection, broken promises, and half-apologies, I'd say running on a slightly older but just as functional machine from a more trusted company is a no-brainer.

[1] https://minifree.org/product/libreboot-t400/

Reply Score: 3

RE: Permanently disabled?
by binary0x01 on Wed 25th Oct 2017 02:50 UTC in reply to "Permanently disabled?"
Comment by ilovebeer
by ilovebeer on Tue 24th Oct 2017 23:13 UTC
ilovebeer
Member since:
2011-08-08

Let's just cut to the chase... If you care about privacy and want to continue using your computer you should, when not in use, unplug it from all power sources, disassemble its components, and then hope for the best. To resume usage, perform those steps in reverse.

In all seriousness, there is no true privacy anymore. Everything is tracking, recording, spying on, "telemetry"ing, or analyzing you in some way - you know, ... for `your` benefit *wink wink*. And people are working on technology to read and eventually manipulate your own thoughts so even those won't be private in a while. That's simply the world we all live in now and there's no turning back sans an event that destroys all the technological knowledge we've accumulated.

Reply Score: 6

RE: Comment by ilovebeer
by Morgan on Tue 24th Oct 2017 23:26 UTC in reply to "Comment by ilovebeer"
Morgan Member since:
2005-06-29

And people are working on technology to read and eventually manipulate your own thoughts so even those won't be private in a while.


Manipulation has been going on for a long time now. Dark patterns are all over the Web and in our everyday lives. It's most prevalent in advertising (thank Cthulhu for uBlock), but it happens in other transactions as well.

Just today I was changing registrars on one of my sites, the authorization email from the old registrar said "if you wish to cancel, please click this link. If you wish to proceed with the transfer, you must wait the mandatory minimum 5 days per ICANN rules." First, ICANN doesn't require a minimum 5 days, it's a maximum 5 days if the parties involved don't cancel the transaction. If no one cancels in that 5 day period, the transaction proceeds.

Second, and this to me is even more egregious: You can click the "cancel" link and it actually takes you to a page that allows you to immediately approve the transfer. Nowhere in the body of the email did it even suggest you could immediately approve it, in fact it seemed as if they went out of their way to make the transfer process as miserable as possible. I can only surmise they do this to make people think twice about transferring away from their service to their competitors.

I called them out on it via email, and their response was "yes, we are aware the message is confusing, however we will not change it as it is per ICANN policy." Of course I called them out on that lie as well, and got no response.

Reply Score: 3

RE[2]: Comment by ilovebeer
by ilovebeer on Wed 25th Oct 2017 00:06 UTC in reply to "RE: Comment by ilovebeer"
ilovebeer Member since:
2011-08-08

You're right, but I was referring to direct control & manipulation of thoughts, actually hi-jacking the mind rather than trying to influence decision-making through suggestive advertising, confusion, misleading, etc. If `they` can perfect it, it's the perfect weapon or method of control over entire populations of people.

Reply Score: 3

RE[3]: Comment by ilovebeer
by leech on Wed 25th Oct 2017 06:24 UTC in reply to "RE[2]: Comment by ilovebeer"
leech Member since:
2006-01-10

You're right, but I was referring to direct control & manipulation of thoughts, actually hi-jacking the mind rather than trying to influence decision-making through suggestive advertising, confusion, misleading, etc. If `they` can perfect it, it's the perfect weapon or method of control over entire populations of people.


I can't help but refer to Futurama when Fry discovers that in the future, they simply beam advertisements into your dreams.

Reply Score: 1

RE[2]: Comment by ilovebeer
by zima on Thu 26th Oct 2017 15:59 UTC in reply to "RE: Comment by ilovebeer"
zima Member since:
2005-07-06

Dark patterns are all over the Web and in our everyday lives. It's most prevalent in advertising (thank Cthulhu for uBlock)

Though too bad people with adblockers typically end up blocking everything, not rewarding sites which respect you (with a moderate amount of ads), like OSNews ...where sometimes ads can be useful or "good", for example http://www.osnews.com/permalink?650097 or how I recently got an ad here for an industrial PLC based on Arduino and Raspberry Pi, or for a ~local IT conference that should interest my buddy...
(though I have no idea why I get ads for Mercedes-AMG GT, it's not like I'll ever be able to afford it ;) )

Reply Score: 3

RE[3]: Comment by ilovebeer
by Morgan on Fri 27th Oct 2017 18:34 UTC in reply to "RE[2]: Comment by ilovebeer"
Morgan Member since:
2005-06-29

That's what whitelists are for. :-)

Reply Score: 2

RE[4]: Comment by ilovebeer
by zima on Sun 29th Oct 2017 14:17 UTC in reply to "RE[3]: Comment by ilovebeer"
zima Member since:
2005-07-06

Aye, but I somehow doubt they're being used by any notable percentage of adblocker users - after all, "ads are evil" or smth... (but what can be evil about car manufacturer promoting cycling? ;) Or anything about... ARDUINO!!1 ;D )

Reply Score: 2

RE: Comment by ilovebeer
by zima on Thu 26th Oct 2017 16:01 UTC in reply to "Comment by ilovebeer"
zima Member since:
2005-07-06

Though "mind control" tech would be a boon for many mental disorders ...of course, after a while, we would possibly all be designated "sick" and requiring "treatment" ...and in a way we all are, we live now in vastly different conditions than what we evolved to, and the gap will only get bigger.
Hm, reminds me of an old game where ordinary citizens see reality as "just an ordinary ~XX century American town" in a really dystopian setting, possibly Syndicate Wars...

Reply Score: 3

Nice
by Denacaers on Wed 25th Oct 2017 10:46 UTC
Good
by segedunum on Wed 25th Oct 2017 14:52 UTC
segedunum
Member since:
2005-07-06

IME is an absolutely frightening Pandora's Box of security and other problems just waiting to happen.

Reply Score: 2

I say...
by drcoldfoot on Wed 25th Oct 2017 16:49 UTC
drcoldfoot
Member since:
2006-08-25

Thank You Lawd!!!

Reply Score: 0