Mugwump's Fish World


Title: Intel CPU chip
Post by: Mugwump on December 06, 2017, 05:35:42 AM
Steven J. Vaughan-Nichols, writing for ZDNet:

Matthew Garrett, the well-known Linux and security developer who works for Google, explained recently that, "Intel chipsets for some years have included a Management Engine [ME], a small microprocessor that runs independently of the main CPU and operating system. Various pieces of software run on the ME, ranging from code to handle media DRM to an implementation of a TPM. AMT [Active Management Technology] is another piece of software running on the ME." [...] At a presentation at Embedded Linux Conference Europe, Ronald Minnich, a Google software engineer reported that systems using Intel chips that have AMT, are running MINIX. So, what's it doing in Intel chips? A lot. These processors are running a closed-source variation of the open-source MINIX 3. We don't know exactly what version or how it's been modified since we don't have the source code. In addition, thanks to Minnich and his fellow researchers' work, MINIX is running on three separate x86 cores on modern chips. There, it's running: TCP/IP networking stacks (4 and 6), file systems, drivers (disk, net, USB, mouse), web servers. MINIX also has access to your passwords. It can also reimage your computer's firmware even if it's powered off. Let me repeat that. If your computer is "off" but still plugged in, MINIX can still potentially change your computer's fundamental settings. And, for even more fun, it "can implement self-modifying code that can persist across power cycles." So, if an exploit happens here, even if you unplug your server in one last desperate attempt to save it, the attack will still be there waiting for you when you plug it back in. How? MINIX can do all this because it runs at a fundamentally lower level. [...] According to Minnich, "there are big giant holes that people can drive exploits through." He continued, "Are you scared yet? If you're not scared yet, maybe I didn't explain it very well, because I sure am scared."

Title: Re: Intel CPU chip
Post by: BallAquatics on December 06, 2017, 09:54:55 AM
These chips have been around for quite some time now.

What can be done to improve this situation?
The best you can do with a machine that has AMT is to set the BIOS settings to "disable AMT." That's not certain to do the job, but you're more likely to be safe from it this way than if you set the BIOS to "enable AMT."

For remote access, a cooperating network interface is required: Intel Ethernet adapters, Intel WiFi adapters, and certain 3G modems are supported. If you can, replace Intel-made network interfaces with ones made by a different manufacturer that do not support AMT.

When you buy new hardware, don't buy Intel hardware that has AMT. AMD chipsets do not contain anything like AMT. Note, however, that there are other comparable problems in hardware from both Intel and AMD.

For the long term, lobby Intel to release the AMT software stack as free software. Send them an email letting them know you object to AMT and will not purchase any hardware that has it.

AMT is a serious obstacle to running a fully free system on modern Intel hardware, and a threat to users' privacy and security.

Dennis
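A small inventory script for the two conditions Dennis describes above (an ME host interface visible to the OS, and an Intel network interface that AMT could use for remote access), added here as an example and not code from this thread or from Intel. It parses the output of `lspci -nn` and `lsmod`, which it assumes are in their standard Linux format; the sample lines below are constructed for the example. Absence of an ME interface or of the `mei` kernel modules does not show the ME is off, since, as the quoted article says, it runs independently of the main CPU and operating system; the script only tells you what the OS can see.

```python
import json
import re
import subprocess
from typing import Dict, List, Set

# Matches one line of `lspci -nn`, e.g.
#   00:16.0 Communication controller [0780]: Intel Corporation ... MEI Controller #1 [8086:a13a] (rev 31)
LSPCI_RE = re.compile(
    r"^(?P<slot>\S+)\s+(?P<class_name>.+?)\s+\[(?P<class_id>[0-9a-f]{4})\]:\s+"
    r"(?P<device_name>.+?)\s+\[(?P<vendor>[0-9a-f]{4}):(?P<device>[0-9a-f]{4})\]",
    re.IGNORECASE,
)

INTEL_VENDOR_ID = "8086"
# Substrings Intel uses in the PCI name of the ME host interface (MEI, formerly HECI).
ME_INTERFACE_MARKERS = ("MEI", "HECI", "Management Engine")
# PCI class ids: 0200 = Ethernet controller, 0280 = Network controller (Wi-Fi).
NETWORK_CLASS_IDS = {"0200", "0280"}
# Linux kernel modules that expose the ME interface to the OS.
ME_KERNEL_MODULES = {"mei", "mei_me", "mei_hdcp", "mei_wdt"}

# Constructed sample output (real line format, typical ids) for offline use.
SAMPLE_LSPCI = """\
00:00.0 Host bridge [0600]: Intel Corporation Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor Host Bridge/DRAM Registers [8086:191f] (rev 07)
00:16.0 Communication controller [0780]: Intel Corporation 100 Series/C230 Series Chipset Family MEI Controller #1 [8086:a13a] (rev 31)
00:1f.6 Ethernet controller [0200]: Intel Corporation Ethernet Connection (2) I219-LM [8086:15b7] (rev 31)
02:00.0 Network controller [0280]: Realtek Semiconductor Co., Ltd. RTL8821AE 802.11ac PCIe Wireless Network Adapter [10ec:8821]
"""
SAMPLE_LSMOD = """\
Module                  Size  Used by
mei_me                 45056  0
mei                   131072  1 mei_me
e1000e                299008  0
"""


def parse_lspci(text: str) -> List[Dict[str, str]]:
    """Return one dict per parsable `lspci -nn` line (slot, class, vendor, device...)."""
    devices = []
    for line in text.splitlines():
        m = LSPCI_RE.match(line.strip())
        if m:
            devices.append(m.groupdict())
    return devices


def loaded_modules(lsmod_text: str) -> Set[str]:
    """Return the module names from `lsmod` output (first column, header skipped)."""
    mods = set()
    for line in lsmod_text.splitlines()[1:]:
        parts = line.split()
        if parts:
            mods.add(parts[0])
    return mods


def assess(lspci_text: str, lsmod_text: str) -> Dict[str, object]:
    """Flag the ME host interface, Intel NICs, ME modules, and whether both preconditions for remote AMT hold."""
    devices = parse_lspci(lspci_text)
    me_ifaces = [
        d for d in devices
        if d["vendor"].lower() == INTEL_VENDOR_ID
        and any(mark.lower() in d["device_name"].lower() for mark in ME_INTERFACE_MARKERS)
    ]
    # Any Intel NIC is flagged; only some models cooperate with AMT, so check the model afterwards.
    intel_nics = [
        d for d in devices
        if d["vendor"].lower() == INTEL_VENDOR_ID and d["class_id"].lower() in NETWORK_CLASS_IDS
    ]
    me_mods = loaded_modules(lsmod_text) & ME_KERNEL_MODULES
    return {
        "me_interface_present": bool(me_ifaces),
        "me_interface_slots": [d["slot"] for d in me_ifaces],
        "intel_network_interfaces": [d["slot"] for d in intel_nics],
        "me_modules_loaded": sorted(me_mods),
        # Remote AMT needs the ME plus a cooperating Intel NIC; this is an indicator, not proof of provisioning.
        "remote_amt_path_possible": bool(me_ifaces) and bool(intel_nics),
    }


def assess_this_host() -> Dict[str, object]:
    """Run lspci/lsmod on the local Linux host and assess the real output."""
    lspci_out = subprocess.check_output(["lspci", "-nn"], text=True)
    lsmod_out = subprocess.check_output(["lsmod"], text=True)
    return assess(lspci_out, lsmod_out)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; use assess_this_host() on a real machine.
    print(json.dumps(assess(SAMPLE_LSPCI, SAMPLE_LSMOD), indent=2))
```

On the sample, the report flags the MEI controller at 00:16.0, the I219-LM at 00:1f.6 as an Intel NIC, the loaded mei/mei_me modules, and therefore a possible remote AMT path; the Realtek adapter is not counted. Run assess_this_host() across a fleet to find which machines still need the BIOS setting and NIC review Dennis recommends.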

Title: Re: Intel CPU chip
Post by: wsantia1 on December 06, 2017, 06:26:21 PM
Quote from: BallAquatics on December 06, 2017, 09:54:55 AM
These chips have been around for quite some time now.

What can be done to improve this situation?
The best you can do with a machine that has AMT is to set the BIOS settings to "disable AMT." That's not certain to do the job, but you're more likely to be safe from it this way than if you set the BIOS to "enable AMT."

For remote access, a cooperating network interface is required: Intel Ethernet adapters, Intel WiFi adapters, and certain 3G modems are supported. If you can, replace Intel-made network interfaces with ones made by a different manufacturer that do not support AMT.

When you buy new hardware, don't buy Intel hardware that has AMT. AMD chipsets do not contain anything like AMT. Note, however, that there are other comparable problems in hardware from both Intel and AMD.

For the long term, lobby Intel to release the AMT software stack as free software. Send them an email letting them know you object to AMT and will not purchase any hardware that has it.

AMT is a serious obstacle to running a fully free system on modern Intel hardware, and a threat to users' privacy and security.

Dennis

I agree 100%

Title: Re: Intel CPU chip
Post by: Mugwump on December 06, 2017, 06:41:50 PM
Dell has announced that their new rigs will be able to turn it off...