Intel declared war on general purpose computing and lost, so now all our computers are broken

Originally published at: http://boingboing.net/2017/05/09/management-engine.html

…

Turns out the main problem with both Orwell and Huxley is that they were insufficiently pessimistic and paranoid.

Intel’s Management Engine was originally intended (as the name kind of gives away) as an out of band management tool for IT administrators, much the same as HP’s iLO, or Dell’s DRAC are used for servers.
They basically enable someone who is responsible for many computers to work on them from their desk, rather than having to go round and plug a keyboard an monitor into each one. (This is important as almost all servers don’t have a monitor of keyboard anywhere near them).
For a sysadmin in charge of a whole office full of desktops, ME allows them to (eg) schedule all the machines in an office to reboot, and then boot a network image which does an offline virus scan of the harddrive. It can even reboot machines which have crashed, or hung, or that have dodgy memory.
Basically it’s a tool for situations where you need to administer a lot of computers at once.

Intel did not intend ME to “declare war on general purpose computing”. It has no use as a DRM system. The AMT module is only present on motherboards designed for the business market (the ‘Q’ series), not most people’s laptop.
(AMD supposedly support the similar DMTF DASH for out-of-band management, but I can’t find any actual systems that support it)

Where Intel went wrong was in not thoroughly auditing their code for flaws, and also in having the Management Engine turned on by default (they could/should have sold a special version of their chips/motherboards to businesses who wanted it turned on out-of-the-box).

But if it “works” in the business world, expect Intel to start moving it to personal systems and then start telling the media companies “Look, we’ve killed piracy for you!”

Yeah, good try there.

Yeah, I thought that’s what it was for. If anything, it’s an aid for general purpose computing.

I was wrong about it only being on business motherboards, it’s integrated into all the Intel chipsets now, mea culpa.

Looking at the possible capabilities, I’m not sure how you’d use it to stop piracy.
There is a possibility to snoop network traffic, if you’re using the built in LAN port*, and the AMT is connected to a management station (‘provisioned’).
It’s that last one that’s the sticking point. For someone to abuse your AMT, they have to be able to connect to it and ‘log in’, if you’ve not set up AMT, it’s not affected.
These recent flaws allow someone to authenticate to the AMT without knowing the password you have set, but you can still block communication with a firewall between your NIC and the internet (ie your home router).

So, if a media company could get on the same subnet as your machine, and were willing to hack into the AMT, then they could block certain kinds of network traffic, but I can’t see what else they could do.

/* It can use an Intel wireless card, but you’d have to specifically set up the AMT to do this

True, Intel sells it as a management tool for corporate users, as a way to manage large deployments of PCs centrally. But surely those users are interested in security as well. They want their IT guys to have access to the PCs they manage; the don’t want anyone else to have that access. Intel has a problem selling the tool if the tool is broken.

Yeah I really feel like Corey is going through contortions to turn this into a DRM story. First he labels it as a “war on general computing” but then goes on to describe the ME system as a general purpose computer (albeit one with control over the main system).

I’m all for keeping a wary eye on new technology and speculating how it could be used to control or monitor people but the real story here is how an amateurish programming mistake could result in catastrophe.

If you feel adventurous and you have a Raspberry Pi or some other ISP you actually can neutralize the ME by overwriting most of code the ME uses. Didn’t run into any issues with my T420 + GNU/Linux, Windows might be riskier.

A lot of what @phuzz said here.
As a server admin who was nearish only one of many data centers the remote connection is an IT management godsend. At least on the server end of things these require a dedicated network link and if you are doing it right on a different network segment than the server. It really nice when you get up at 1AM to find out via VPN rather than 30 minute drive that you can get to the console of the server remotely and see the POST info. (The not fun part is finding out the on call guy for the vendor is on the wrong side of the sound and the last ferry run was 2 hours ago)

From all that I know of it on the laptop/desktop side of things it does require a physical connection. How many of us bother with ethernet cables outside of work these days?
Is it war on general purpose computing? Oh hell no. However there is absolutely no reason for this to be on a consumer machine.

The latest gen (maybe two) can work over wireless I believe.

The demos at the trade shows are always fun to watch as the technician watches the “remote” machine blue screen and reboot. Then takes over the machine, reboots it and goes into the remote machines BIOS.

It’s all cool stuff, but finding the time to set up the infrastructure to use always bites me.

Well at home when I can just walk to the other room, it is a why bother kind of thing.
If I had 1,000+ desktops to manage across several locations, well duh, in a fucking heartbeat this would be set up.

I have lots of RPis, but I don’t have an Intel PC. Oh well.

Are you trying to speak truth to hyperbole?

More FUD spreading from Corey yet again. This thing isn’t enabled by default, so there’s no need to remove it, just don’t turn it on, and if it is on, just turn it off, no need to physically wipe the chip. This is a vital component for running a data centre, or administering any kind of network where you don’t have immediate physical access to the machines, which is why these chips were only used in server builds to begin with (they seem to be getting more common in consumer machines now as well, but there’s certainly use for them there too, there’s one machine I have at home I’d love to have it on, currently uses WOL, but would be nice to have more control for when I’m away from home and can’t get access).

The ‘blank password’ vulnerability they just discovered is pretty serious though, an incredibly sloppy bug, caused by a single line of code (they used the strncmp function when they should have used the strcmp function - see: https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/?comments=1&post=33283099). But even that vulnerability won’t affect you as long as you have a basic firewall installed, and for access to all but the most basic networks you need to be using a VPN, with the firewall blocking everything else.

I’m also bemused by Cory’s attempts to jam DRM into this story somehow.

Just build the plane out of whatever the black box is made of.

Whats really unfortunate is that many people will believe his article on the main site. Heaven only knows why but he gets taken seriously when he writes these articles.

We’re currently in a transition away from self contained computers in boxes on people’s desks, back towards a more complicated version of the old dumb-terminal model from 30-40 years ago. Cloud systems from Amazon, Microsoft and Google are becoming more like distributed operating systems at this point rather than isolated network services. This trend is only going to continue in the coming years. Of course while all this happens it’s important that we focus on transparency and security and privacy, and it’s probably a good thing that there are paranoid people like Cory around to poke at things, but it’s also important not to get too carried away and find conspiracies around every corner.

I think it might be that more folks are buying consumer level machines to do business work. (It’s sometimes a pretty hard sell when clients see a consumer-grade machine for half the price of a business model. Total cost of ownership should be drilled into everyone.) If you have a fleet of even a few hundred, you need to be able to remote boot, or just to turn on the computer to do updates, even if there are consumer models in the mix.

You’re just moving the goalposts. And an argument from ignorance is not much an argument at all.