Welcome to Mugwump's Fish World.
Intel CPU chip

Started by Mugwump, December 06, 2017, 05:35:42 AM


Mugwump

Steven J. Vaughan-Nichols, writing for ZDNet:

Matthew Garrett, the well-known Linux and security developer who works for Google, explained recently that, "Intel chipsets for some years have included a Management Engine [ME], a small microprocessor that runs independently of the main CPU and operating system. Various pieces of software run on the ME, ranging from code to handle media DRM to an implementation of a TPM. AMT [Active Management Technology] is another piece of software running on the ME." [...] At a presentation at Embedded Linux Conference Europe, Ronald Minnich, a Google software engineer, reported that systems using Intel chips that have AMT are running MINIX. So, what's it doing in Intel chips? A lot. These processors are running a closed-source variation of the open-source MINIX 3. We don't know exactly what version or how it's been modified since we don't have the source code. In addition, thanks to Minnich and his fellow researchers' work, MINIX is running on three separate x86 cores on modern chips. There, it's running: TCP/IP networking stacks (4 and 6), file systems, drivers (disk, net, USB, mouse), web servers. MINIX also has access to your passwords. It can also reimage your computer's firmware even if it's powered off. Let me repeat that. If your computer is "off" but still plugged in, MINIX can still potentially change your computer's fundamental settings. And, for even more fun, it "can implement self-modifying code that can persist across power cycles." So, if an exploit happens here, even if you unplug your server in one last desperate attempt to save it, the attack will still be there waiting for you when you plug it back in. How? MINIX can do all this because it runs at a fundamentally lower level. [...] According to Minnich, "there are big giant holes that people can drive exploits through." He continued, "Are you scared yet? If you're not scared yet, maybe I didn't explain it very well, because I sure am scared."

Jon

"Life should not be a journey to the grave with the intention of arriving safely in a pretty and well preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming 'Wow! What a Ride!'" ~ Hunter S. Thompson

BallAquatics

These chips have been around for quite some time now.

What can be done to improve this situation?
The best you can do with a machine that has AMT is to set the BIOS settings to "disable AMT." That's not certain to do the job, but you're more likely to be safe from it this way than if you set the BIOS to "enable AMT."

For remote access, a cooperating network interface is required: Intel ethernet adapters, Intel WiFi adapters, and certain 3G modems are supported. If you can, replace Intel-made network interfaces with ones made by a different manufacturer that do not support AMT.

When you buy new hardware, don't buy Intel hardware that has AMT. AMD chipsets do not contain anything like AMT. Note, however, that there are other comparable problems in hardware from both Intel and AMD.

For the long term, lobby Intel to release the AMT software stack as free software. Send them an email letting them know you object to AMT and will not purchase any hardware that has it.

AMT is a serious obstacle to running a fully free system on modern Intel hardware, and a threat to users' privacy and security.

Dennis
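One way to verify whether the BIOS "disable AMT" setting actually took effect, added here as an example (it is not from the post above or from any tool it mentions): it looks for the Management Engine's host interface in lspci output, then probes a machine's AMT ports from a second host on the network. The AMT port numbers are Intel's documented defaults; the lspci sample and the 192.0.2.10 target address are constructed placeholders.

```python
import re
import socket

# Documented Intel AMT defaults: 16992/16993 web interface (HTTP/HTTPS),
# 16994/16995 redirection (serial-over-LAN, IDE-R; plain and TLS).
AMT_PORTS = {16992: "web HTTP", 16993: "web HTTPS",
             16994: "redirection", 16995: "redirection TLS"}

# How the Management Engine's host interface appears in `lspci` output.
MEI_PATTERN = re.compile(r"\b(MEI|HECI|CSME)\b|Management Engine", re.IGNORECASE)

# Constructed sample of `lspci` output, modelled on a real Skylake-era board.
SAMPLE_LSPCI = """\
00:14.0 USB controller: Intel Corporation Sunrise Point-H USB 3.0 xHCI Controller (rev 31)
00:16.0 Communication controller: Intel Corporation Sunrise Point-H CSME HECI #1 (rev 31)
00:1f.6 Ethernet controller: Intel Corporation Ethernet Connection (2) I219-LM (rev 31)
"""

def find_mei_devices(lspci_output: str) -> list[str]:
    """Lines that are the ME host interface. This only proves the ME exists
    (true of nearly every Intel platform), not that AMT is on or provisioned."""
    return [l.strip() for l in lspci_output.splitlines() if MEI_PATTERN.search(l)]

def port_accepts(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if host:port accepts a TCP connection within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_amt(host: str, timeout: float = 1.0) -> dict[int, bool]:
    """Probe the AMT ports of `host` from a *second* machine: the ME answers
    on the NIC before the host OS sees the packets, so ss/netstat run on the
    target itself will never list them."""
    return {port: port_accepts(host, port, timeout) for port in AMT_PORTS}

def amt_reachable(probe: dict[int, bool]) -> bool:
    """Any open AMT port means the BIOS "disable AMT" setting did not take."""
    return any(probe.values())

if __name__ == "__main__":
    target = "192.0.2.10"  # placeholder; replace with the machine under test
    for line in find_mei_devices(SAMPLE_LSPCI):
        print("MEI present:", line)
    result = probe_amt(target)
    for port, is_open in result.items():
        print(f"{target}:{port} ({AMT_PORTS[port]}):", "OPEN" if is_open else "closed")
    print("AMT reachable" if amt_reachable(result) else "no AMT ports answered")
```

Run the probe against the Intel NIC's address from another machine; a closed result on all four ports after disabling AMT in the BIOS is the outcome you want.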


wsantia1

Quote from: BallAquatics on December 06, 2017, 09:54:55 AM

I agree 100%
Willie

Too Many Fish. Not Enough Tanks.

Mugwump

Dell has announced that their new rigs will be able to turn it off...
Jon