Google Working To Remove MINIX-Based ME From Intel Platforms

An anonymous reader quotes a report from Tom's Hardware: Intel's Management Engine (ME) technology is built into almost all modern Intel CPUs. At the Embedded Linux Conference, a Google engineer named Ronald Minnich revealed that the ME is actually running its own entire MINIX OS and that Google is working on removing it. Due to MINIX's presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world. Intel's ME technology is a hardware-level system within Intel CPUs that consists of closed-source firmware running on a dedicated microprocessor. There isn't much public knowledge of the workings of the ME, especially in its current state. It's not even clear where the hardware is physically located anymore.

What's concerning Google is the complexity of the ME. Public interest in the subject piqued earlier this year when a vulnerability was discovered in Intel's Active Management Technology (AMT), but that's just a software that runs on ME--ME is actually an entire OS. Minnich's presentation touched on his team's discovery that the OS in question is a closed version of the open-source MINIX OS. The real focus, though, is what's in it and the consequences. According the Minnich, that list includes web server capabilities, a file system, drivers for disk and USB access, and, possibly, some hardware DRM-related capabilities. It's not known if all this code is explicitly included for current or future ME capabilities, or if it's because Intel simply saw more potential value in keeping rather than removing it.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Obvious question

[TeknoHog]

More generally, how can I install my own OS on this hardware I bought? It's not like we're talking about a game console or some other appliance you don't really own...

Re:Obvious question

[complete loony]

What about JTAG [twitter.com]?

Re: Obvious answer

[Anonymous Coward]

It's a UNIX system, I know this!

Re:Obvious question

[slickwillie]

I think a more obvious question is what are the odds that a guy named "Minnich" discovered "Minix" running on the CPUs?

Re:Obvious question

[mentil]

Minimal

Re:

[Anonymous Coward]

A coincidence, Minnich discovered this while at Munich.

Re:

[Anonymous Coward]

Only Intel's selected partners have the shell prompt. What would be better business plan than selling the processor to every PC and remote access to them.

Re: Obvious question

[NEWS CLUES]

Google has done a great job however Google also has done a good thing on pixel phones [reliancejio.me] and that is their camera clarity.

Re:

[nycsubway]

Also, what is Minnich's problem with MINIX?

Re:

[Anonymous Coward]

..no, actually, that's wrong. It's in the PCH. In fact there's more than one embedded processor in the PCH, they all do various things (like power management). The ME is just one of them.

Re:Obvious question

[GerryGilmore]

Thank you! TFS states that "Intel's Management Engine (ME) technology is built into almost all modern Intel CPUs" which is 100% pure, organic, dolphin-free BullShit!! The ME is NOT any part of the CPU itself, but built into the chipset surrounding the CPU. During my time there, it was limited to Xeon-level CPUs, but may be in later chipsets - I haven't kept up in a while, though I can still call out BS when I see it. C'mon /. - this is just sloppy!!

Re:

[networkBoy]

It is now in all chipsets and is the CSE/ME (converged security engine).

Pedantic

[Rujiel]

Regardless, intel processors, whether they're purchased individually or on a machine manufactured by the likes of dell, has Intel ME activated from the start. That's the point. Your nitpick is insignificant.

Interested move?

[alexhs]

Google Working To Remove MINIX-Based ME From Intel Platforms

... and replacing it with Android. "Just how much juicy monetizable user data could we get that way?"
(I believe I'm joking, but I'm not completely sure...)

No with chrome

[goombah99]

Seriously, and no joke, chromebooks disable the ME after boot.

Re:

[epine]

Seriously, and no joke, Chromebooks disable the ME after boot.

Do Chromebooks use the off switch, like most people do to turn their PC "off", or do Chromebooks actually unplug ME from the wall socket?

I have more confidence in the second method.

ME and chromebooks

[DrYak]

For chromebooks where google can't use their own openbios-based stack,
they use heavily modified firmware, where the ME part running on the micro-controller embed in the chipset is reduced to the base minimum necessary to get the chipset running.

Among other, all the juicy bits that are targeted by ME-exploits (half-broken webserver serving as the user-interface, capability to reflash the UEFI/BIOS while the main Intel CPU isn't even powered, VNC-like server with USB-over-network extensions, etc.) are all rem

Re:

[networkBoy]

there is a "minSKU" available that Google and Apple use that has ME alive long enough to bring up the system, do the secure boot stuff then dies.

Re:

[Anonymous Coward]

I doubt it...Ron has long been a linuxBIOS/coreboot guy and he has always been very clear that true open hardware means you can build your firmware from source.

I don't trust google at all any more but I'll gladly trust Ron to do it right....but maybe I trusted him a little more when he was a LANL or Sandia guy ;-) j/k Ron.

Re:

[eclectro]

This actually came to my mind. Imagine the power of this. There can only be one here. [youtube.com]

Most Widely Deployed OS?

[iCEBaLM]

Due to MINIX's presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world.

Hrmm, so some of these intel systems would have linux on it, and linux would be on some AMD x86 systems, and intel ME isn't on Qualcomm/ARM chips in mobiles that android (linux) runs on, or any of these IoT devices. I'm willing to wager there are more mobile phones in the world than intel ME enabled PCs at this point.

Re:Most Widely Deployed OS?

[G00F]

Hrmm, so some of these intel systems would have linux on it, and linux would be on some AMD x86 systems, and intel ME isn't on Qualcomm/ARM chips in mobiles that android (linux) runs on, or any of these IoT devices. I'm willing to wager there are more mobile phones in the world than intel ME enabled PCs at this point.

On top of that, I'm willingto be there are more linux VM's than intel ME enabled CPU's.

ARM has TrustZone...

[Anonymous Coward]

Which is enabled/disabled in the stage0 bootloader usually, with signing/hashing just like the Intel ME firmware.

The only difference is that the TrustZone stuff runs on ARM cores and may run either on the primary cores, or a dedicated coprocessor depending on the design chosen by the downstream chip designer.

Earlier versions of TrustZone as well as the ARM Java/JVM stuff (I forget what those extensions were called, but they were basically the predecessor to TrustZone) were completely proprietary, required e

Year of the MINIX on desktops

[DrYak]

intel ME isn't on Qualcomm/ARM chips in mobiles that android (linux) runs on, or any of these IoT devices. I'm willing to wager there are more mobile phones in the world than intel ME enabled PCs at this point.

The correct mention would be :
MINIX is the most widely deployed OS on desktops in the world.

But indeed, the desktop themselves are completely dwarfed by the embed world, were Linux seems to be the king.

and linux would be on some AMD x86 systems

BTW, IPMI [wikipedia.org] is the industry standard for "lights-out management" (and Intel ME/AMT is the Intel proprietary "lights-out management").

According to several presentation at conferences :
- lots of IPMI implementation run actually Linux on their embed micro-controller.
(Meaning that even in the server room/cluster/da

Re:

[jabuzz]

Except that the IPMI on a server usually is plugged into a dedicated ethernet port all of it's own. Well at least all of mine are.

Those ethernet ports are all highly segregated into a VLAN all of their own with very limited access to the outside world. They can hop to specific NTP servers and that's it. Everything else is contained within the VLAN itself.

So while I expect the lights out management to be buggy and badly maintained (I have to keep a raft of ancient web browsers available on console server to

Re:

[Big Hairy Ian]

Due to MINIX's presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world.

Finally I can declare this is the year of Linux on desktop :)

It's in the SouthBridge not CPU dammit

[Anonymous Coward]

Guys, can you at least get your facts straight before doing another FUD piece on the Intel ME?

1) The ME is not in the CPU, it's in the chipset, specificly it's loaded in the firmware of the firmware hub, and the "hidding processor" is in the chip we typically call the South Bridge.

2) It's OFF BY DEFAULT.

Go ahead and check it yourself:

INTEL-SA-00075 Detection and Mitigation Tool
https://downloadcenter.intel.com/download/26755

Re:It's in the SouthBridge not CPU dammit

[Z80a]

The remote management tools are off by default, but you still need the chip on to run the power management software on it, or the CPU turns off in 30 minutes.
And as it is a black box, it might be doing several other tasks while doing the power management.

Re:It's in the SouthBridge not CPU dammit

[Anonymous Coward]

2) It's OFF BY DEFAULT.

We don't believe Intel's claims. After the Edward Snowden revelations, after the way that an exploitable backdoor was hidden in the Dual_EC_DRBG standard [arstechnica.com], after news that Microsoft works to provide backdoors in its Windows operating system [archive.org], and after government officials have insisted that backdoors must be provided [theintercept.com], we just don't trust Intel. The ME has the potential to be the most perfect backdoor in almost every computer. And if the Intel ME is a backdoor, then most of our computers are vulnerable if anyone (anywhere in the world) learns how to exploit it.

Re:

[Anonymous Coward]

we just don't trust Intel.

Fair enough, but why would you trust Google?

Re:

[Anonymous Coward]

why would you trust Google?

I don't trust Google. But it certainly is interesting news that Google doesn't trust Intel, either.

Re:

[RockDoctor]

Just to square that circle, is there any reason at all for Intel to trust Google? Do they count the money, and remain prepared to spit?

Re:

[fisted]

Come to think about it, the one thing I'd want even less than an Intel-run ME is a Google-run ME...

Re:

[infolation]

The trustworthyness of Intel or Google is not important. The current Intel firmware code is complex, compiled blobs that are closed-source and unknown. The Google solution is much simpler, open-source GO that can be compiled on the fly. The creator of the replacement code can be untrustworthy, provided that code can be audited.

And... why are Intel unwilling to sell a CPU without the ME, when a client like Google - who build 1 million+ machines running their CPUs - don't want it?

Re:

[Waccoon]

I agree. Supposedly it's built into every Intel chipset, which means they spent money reserving the silicon and firmware real estate to have it there.

Its existence is default, even in low-end chipsets aimed at the consumer market, but 99.99% of the time it's disabled and simply a total waste of money and resources. Honest!

I don't buy it.

Re:

[Anonymous Coward]

2) If the ME isn't running or is running incorrectly, the platform will not power on. It may be completely unreachable from the network in some implementations, but it is the arbiter of whether the system will turn on or not. It's easier to describe it as 'disabled', but it certainly is running.

Re:

[Anonymous Coward]

It is not in the CPU, but that hardly makes a real difference. I'm not sure why people are getting all pedantic about whether it is in the CPU or in some part that is always paired with the CPU to run. The ME seems to be able to make out-of-band requests to the CPU to do potentially anything (including read memory locations). Sure it may not be able to be super high performance over DMI compared to being on CPU, but it's plenty good enough to be worried about it.

Re:

[eclectro]

Yea nope. Read the previous slashdot article on this. Minix is running even with your desktop pc powered down. Which makes this doubly pernicious for even those just casually concerned with security.

Re:

[Anonymous Coward]

Trust is so easy to loose and so hard to regain, they have some history of making shaddy things, remember their compilers tampering code to run bad on non-Intel processors? or that time when they shipped "Windows vista ready" GPUs that weren't (Microsoft had to lower their requirements)
https://www.theinquirer.net/inquirer/news/1558372/intel-caught-dodgy-gpu-drivers
Or all those laughs accounting had when the Pentium's FDIV bug appeared.
Well, sometimes they fix problems fast: https://www.pcworld.com/article/2

Re:

[ccr]

Actually some sources say that it has been in the "North Bridge", e.g. what has been known as "Platform Controller Hub" ( https://en.wikipedia.org/wiki/... [wikipedia.org] ) for some time. For example, see ME references in https://www.intel.com/content/... [intel.com]

However, it is stated in the above Wikipedia article: "Beginning with ultra-low-power Broadwells and continuing with mobile Skylake processors, Intel incorporated the clock, PCI controller, and southbridge IO controllers into the CPU package, eliminating the PCH for a sys

More instances of MINIX than Linux!

[Anonymous Coward]

Tanenbaum gets the last laugh over Torvalds.

Re:

[Bruce Perens]

Tanenbaum gets the last laugh over Torvalds.

Yes. We should put Andy in the hall of fame with the guy who invented stock derivatives. He wasn't responsible for the way others used it, either. :-)

Insert your story of unwitting engineers facilitating people who do really bad stuff here.

Its official

[viperidaenz]

It's the year of the Minix desktop!

Re: Not bad, so why not a RTlinux?

[Brockmire]

BB10, not BBOS.

Twisted facts...

[freeze128]

This doesn't line up with what I have heard over the past few months:

"Intel's Management Engine (ME) technology is built into almost all modern Intel CPUs."
and
"Intel's ME technology is a hardware-level system within Intel CPUs that consists of closed-source firmware running on a dedicated microprocessor."

How can the IME be INSIDE the CPU, when it's widely known that it monitors packets coming from your ethernet connection EVEN IF YOUR COMPUTER IS POWERED OFF? If it's powered off, there is no power going

Re:Twisted facts...

[G00F]

If ever notice that when thigns are powered off they are still using 1-10wats? Or that LED's are still lit or blinking?

This is the case with PC's, Microwaves, Dumb TV, VCR's, your name it.

PC's no longer have an on/off button. It's now a button that asks the CPU to shutdown. Power is not cut removed, and some parts stay powered on. Can't ask the CPU to power on, if there's no power for it to reconize the input.

Re:

[bananaquackmoo]

Use a power strip. Problem solved.

Talk to Purism?

[Checkered Daemon]

Google might want to talk to Purism, who claim to have completely disabled Intel's ME in their secure Linux based laptops.

Re:Talk to Purism?

[Keith_Beef]

From https://puri.sm/posts/deep-div... [puri.sm]

Starting today, our second generation of laptops (based on the 6th gen Intel Skylake platform) will now come with the Intel Management Engine neutralized and disabled by default. Users who already received their orders can also update their flash to disable the ME on their machines

First of all neutralized, then disabled. The next step is to completely remove it.

Re:

[rahvin112]

It's not disabled, it's "neutralized". In other words they believe they've cut it's access but they can't be certain. You can't disable it completely as severing it's connection to the main CPU kills the CPU.

Google is a major computer purchaser, rather than trying to disable the ME they should use their market power to force intel to sell CPU's without the ME. It should be trivial for Intel to spin up die without the ME integrated or fully disabled. Hell they should have the knowledge on how to disable the

slashdot

[Spaham]

You should peruse this great website which talked about this three days ago...
https://tech.slashdot.org/stor... [slashdot.org]

Cue the skeptics

[Anonymous Coward]

It seems like just a day ago, there was a Slashdot posting about this [slashdot.org], and several highy-rated comments amounting to "naw man, there's no way this could be a problem!" [slashdot.org]

So with all the verifiable, proven news of backdoors being built-in to software and hardware over the past decade, and all the news of vulnerabilities in software and hardware that compromise systems, people say "nah, not a problem, see, you can turn it off" about this "computer in my computer." Really? It's off?

I'm not seeing reports saying "The Intel ME is off by default in consumer devices, and this is verified by researchers." In fact, I'm seeing the opposite, which says that the Intel ME is always on. Do we have any proof that the "off switch" in BIOS actually makes this feature unexploitable? Because, really, that's what I want: I want this feature to be unexploitable, and the only way I can be sure of that is for it to be disabled, for real, because I don't need this feature.

So yeah, please forgive us all if we are just a BIT skeptical about Intel ME. Forgive us if we're skeptical of spokespersons at Intel saying "There's no problem with this feature."

Re:

[thegarbz]

ME is always on, but it has many functions that do not involve any kind of remote access. By contrast the remote functions are disabled.

Now really? Are they? Well until someone can prove to me that there's some way of getting a TCP packet to fly through the internet and into an ethernet port without a second IP address, without additional MAC address, and which doesn't appear to respond to any normally routable packet on any port, I really don't care how off or on it is.

As the old adage goes: If someone has

My thoughts

[DaMattster]

This may be worth 0.02 or less but I believe the vulnerabilities can be mitigated somewhat by using disk encryption. I store all of my data on virtual encrypted file system with a hardware decryption key. When I am done with the filesystem, I just unmount it and remove the USB thumb drive that acts as the decryption key. Yes, it's a pain in the ass and yes, it really only works on desktops. It is a little impractical to do this on a server. It would be good for Google to find a way to stop this Intel menace.

Re:My thoughts

[arth1]

This may be worth 0.02 or less but I believe the vulnerabilities can be mitigated somewhat by using disk encryption.

And what do you use to encrypt and decrypt that data, so it never passes through the CPU or south bridge?

Re:

[rahvin112]

The ME has DMA access to memory and disks and can open a network socket the main computer won't even be aware of. Any protection scheme on the computer can easily be subverted by the ME because it has ring 0 access to everything in the CPU such as, the kernel, the RAM, the disks and the network port. All communication to the CPU goes through the ME first. So when your computer decrypts that drive the ME can intercept and record the decryption key, it's also fully capable of decrypting the disk itself.

Now do

Re:

[DaMattster]

The ME has DMA access to memory and disks and can open a network socket the main computer won't even be aware of. Any protection scheme on the computer can easily be subverted by the ME because it has ring 0 access to everything in the CPU such as, the kernel, the RAM, the disks and the network port. All communication to the CPU goes through the ME first. So when your computer decrypts that drive the ME can intercept and record the decryption key, it's also fully capable of decrypting the disk itself.

Now do you realize why people are so scared of it?

I had no idea that the vulnerability ran that deep! This is bad

Old news

[complete loony]

Intel's ME being based on MINIX [ptsecurity.com] is quite old news. Or at least, based on the summary. Is there anything new in the talk that should have been in the summary / writeup?

Re:

[ChunderDownunder]

During the week, Tanenbaum was trying to troll Linus and RMS by suggesting there were more MINIX installs than Linux and that was because Linus had chosen the GPL.

Re:

[boudie2]

If Tannenbaum had licensed Minix as GPL instead of BSD, Intel couldn't have done this.

Minix most widely deployed, wait what?

[Tough Love]

Due to MINIX's presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world.

I seriously doubt this claim. Phones have outnumbered PCs for years, for one thing. And Linux is deployed maybe even in more TVs and routers than phones, and numerous other embedded systems, now increasingly including cars. Anybody with decent stats on this?

Re:

[sizzlinkitty]

From everything I've read, this started before the smart phone craze, some where around 2007-2008. With that being said, they had a very good head start which may still allow them to claim the biggest installation base. Also don't forget all those "cloud" servers...

Re:

[Tough Love]

From everything I've read, this started before the smart phone craze, some where around 2007-2008. With that being said, they had a very good head start which may still allow them to claim the biggest installation base.

Most of those PCs are in landfill today. I guess somebody just pulled the claim out of their ass.

Re:

[Zocalo]

While I think it's probably started to get pretty close, I suspect that *NIX (there is lots of BSD in the embedded space) hasn't quite knocked some of the more popular RTOSs - like QNX or VxWorks out of the park for embedded systems just yet either, and it gets even more messy if you take into account that many RTOSs are actually derived from *NIX OSs. There are an *awful* lot of home, office, and industrial appliances running something like QNX/VxWorks behind the scenes, and you typically have far more of

Re:

[Tough Love]

You are right that there are more RTOS computers out there than the sum of all general purpose computers, including personal, handset and data center. However, you are most probably not right that any one RTOS covers more devices than Linux does. Hell, I strongly suspect that my thermostat is running Linux, judging by the web connectivity options it has. And Wind River, one of the biggest vendors in the RTOS space, has been offering https://www.windriver.com/prod... [windriver.com]>its own flavor of Linux for years. Plu

Re: Minix most widely deployed, wait what?

[Brockmire]

Except it seems more like a hack, than proper design. We tried really hard with 2.4 and 2.6 kernels, and could not come near the vxworks performance for a wireless BS/CPE. The 2.4 worked better. The 2.6 was faster, but crashed a lot and didn't make it out of development. Mind you, I hated vxworks and Wind River, but they could charge like a mofo because they knew they had better OS.

Re:

[Tough Love]

What is "it", PREEMPT_RT or Xenomai? Not doubting your report, but 2.4 and 2.6 are both ancient.

Re:

[Tough Love]

We tried really hard with 2.4 and 2.6 kernels, and could not come near the vxworks performance for a wireless BS/CPE.

By the way, Linux seems to work out fine for these guys [saankhyalabs.com] and you already know the license cost.

Lots of Problems With That Statement

[Bruce Perens]

First, not all Intel systems that are capable of it actually have the management engine software. Second, the Intel PC motherboard probably does not hold the "largest number of systems" title, that might belong to Android phones. And anyway isn't the fact that MINIX with its BSD/MIT style licensing was used for the most user-hostile system in recent time an indictment of that license? You would not see GPL software used for this, for obvious reasons, and people who use GPL should be proud of that.

Re:

[Anonymous Coward]

The idea that a GPLed operating system wouldn't be used for this doesn't make sense. There is nothing preventing a company like Intel from using a minimal GPLed OS for this task. In fact, companies have used GPLed kernels, like Linux, in the past for locked down or embedded devices. Just look at the TiVo issue.

So not only can you use a GPLed kernel for this sort of thing, people have, GPL advocates have nothing to be proud of in this instance because there is nothing in the license which prevents a company

Re:

[Atmchicago]

If the OS were GPL'ed, then the source code would have to be made available upon request. Making the source code available would mitigate much of the concern that the OS is not trustworthy, as in principle third parties could look for flaws and undocumented features.

Re:Lots of Problems With That Statement

[Bruce Perens]

If the OS were GPL'ed, then the source code would have to be made available upon request. Making the source code available would mitigate much of the concern that the OS is not trustworthy, as in principle third parties could look for flaws and undocumented features.

Sure, the GPL would be better than what there is now. But I think even that would not be good enough. GPL source code would be the start of making a system that users could trust. Besides that, there would have to be an explicit way to turn it off that could be confirmed to work reliably, and I would prefer a way to permanently remove it from the system with confirmation that worked too.

There would be a lot of concern related to the overall security of that system (researchers tell us there are Minix bugs they will be reporting) and what that system is capable of doing for anyone but its owner.

I am not sure I would want anything other than a very minimal system written in some sort of functional language that could be proven correct (and we know how expensive that is to write).

Overall, I think I'd rather just have it out of my system.

Re:

[tender-matser]

The source code isn't worth much if you can't use it to rebuild and install the whole system.

For most android phones and wireless routers the "gpl source code" usually consist of some old / incomplete tarred archive of the linux source code which does NOT correspond to the kernel installed on the device; for many drivers, the source files are a mix of magic numbers and binary arrays; and no change logs or version history are ever provided.

The fact that they're able to pull this shit without anybody crying f

Re:

[Ed Tice]

Intel actually asked Tennenbaum to make Minix changes for them as part of the project. They very well may be running stock Minix.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Bert64]

The source of windows nt4 is available on the internet too, but the version available will be significantly different from the versions currently being sold.

Re:

[JThundley]

What Tivo did is find and exploit a bug in the GPL 2 which was fixed in the next version to prevent that exploit.

In the meantime, this stalls AMT/ME

[Anonymous Coward]

See subject: Stop it's ability to send info. outward via router port filtering ala ports 16992-16995 that Intel AMT/ME uses so filter those ports in a modem/router external to OS/PC. Intel ME/AMT operates from your mobo but has NO CONTROL OF YOUR MODEM/ROUTER!

(This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)

Additionally, once you disable the AMT engine's software interface (ez via software these articles note)? A malware to 'repatch' this = impossible (bios updaters require it in usermode ware, e.g. ASUS).

(I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))

HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" as well (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/ [slashdot.org]

* GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones do not)!

APK

P.S.=> Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, from OUTSIDE of the INTEL chipset external to it via a router/firewall hardware... apk

Re:

[Anonymous Coward]

Better check that that router doesn't have an Intel chipset while you're at it. Oh, and given that what was just disclosed is that there is a lot more stuff in the ME than AMT, even a web server with unknown triggers, I guess you better close the rest of those ports. Hmmmm. Whoops.

Re:

[Bert64]

As the ME is a black box, we still have no idea what ports it uses... We know for sure that it does use those ports listed, but can you prove it doesn't use any others?
Lack of evidence does not prove innocence.

Re:Bert64 - read what u said "we know/have no idea

[Bert64]

There's no contradiction, we know for sure it uses *some* ports but do not know what other ports it *might* use. Your notion of blocking the known ports is flawed as it may well communicate via other as yet unknown ports.

See subject: Point me to a valid reputable security community source that shows more ports being used than what I listed.

I don't need to prove that more ports are being used, you need to prove that other ports are *NOT* being used in order to validate your claim that filtering at the network layer is effective.

Monitoring in/out communique from router logs external to the PC would tell fact of what ports it used easily beyond Intel's docs.

Monitoring the network traffic only shows the communication that actually takes place, not the communication that *could* take place. We don't know if any circumstances exist in which it could attempt other forms of communication. Sure the network router could log this traffic were it to take place, but we cannot be sure of all the triggers which would make it do so. That also assumes that the device only has wired connectivity, which is connected directly to your networking equipment. If the device has any form of wireless connectivity it could attempt communication with anything that's within range.

Unless we are 100% sure of all the possible network communication the device could perform, and what could potentially trigger it, a blacklist approach at the network gateway can never be truly effective.

We don't know, and a lack of knowledge is dangerous.

Re:

[rahvin112]

Not only do we know what ports it could use, it could easily piggyback it's communications on a known port while it's being used. It's code may include anti-circumvention code that in the case it can't communicate with it's home base that it starts trying all available ports including port 80. It's ability to edit packets at transmission.

apk gets butthurt over tiniest things

[Brockmire]

See subject: you routinely fail to understand the point the other person makes, freaks out and attacks them with nonsensical bullshit. Brockmire P.S=> learn to fucking write a comprehensible post. Brockmire

UPDATE: Ports 623-625 also filter them

[Anonymous Coward]

UPDATE: Ports 623-625 also filter them - JUST picked that up today (new information apparently, maybe for versions past 5-11.6 Intel AMT/ME have).

APK

P.S.=> An unidentifiable ac (probably a troll harassing me as usual) noted it uses port 80 in his reply to my original post (maybe in the usermode software interface, that's easily removed, but I have not seen news of it being in the MINIX on motherboard chip portion)... apk

Re:

[Ed Tice]

This works fine if you have a desktop machine or server that never moves. It's a useless mitigation for laptop users who can't always use networks that they fully control

Re:

[Gavagai80]

Can't I just use a hosts file to fix the problem?

Intel ME

[wjcofkc]

Irony.

Google, our saviour

[wjcofkc]

Google is just as or more evil than... Wait. You know what? Fuck attempting to say something clever. I've always been on board with Open Source, yet I have always had my limits on the philosophy. It always seemed to me that the hard line Open Source philosophy wanted hold things back. I get it now. Not just because of this. Hold up and hold back. We are irresponsible with technology and ultimately we are holding back and damaging our species. If a hard line stance on Open Source means holding technology bac

Re:

[110010001000]

Well digital technology progress has stopped, so there is no holding anything back. The computer you use 10, 20, 50 years from now will be very similar to the one you are using right now. Because, physics.

Re: Google hold back? Backfired on them... apk

[Brockmire]

Your program is so fucking simple, if someone actually gave a fuck, they'd just write their own and make it look the same. But I imagine, they'd use one of the many other hosts file aggregator than your shit if they just want the functionality.

Re: I do what Dr. Mark Russinovich did... apk

[Brockmire]

Then you better google your program and check the top 10 hits. I know your shit was on a website without malware bytes in the server name just yesterday.

Intel should be forced to pay compensation

[Anonymous Coward]

Intel is running their software on your CPU, using electricity
which you pay for. If they do not compensate for that, they are essentially
stealing money from you, which is an offense for which they can be held liable in court.

I propose everbody with such a CPU starts sending Intel invoices.
If they do not compensate, a class action law-suit should be started.

EFF analysis

[Craggles]

https://www.eff.org/deeplinks/... [eff.org]

So how is google going to remove something from

[mark_reh]

hardware built into every PC? Are they going to somehow overwrite the Minix OS? Any side effects?

Re:

[m.alessandrini]

I'm wondering, where is this OS resident? As a software, I mean. I think it would not be practical to have it on an immutable ROM, maybe the chipset has a flash memory inside, and maybe they can find a way to access it?

Re:

[Zocalo]

Google apparently custom builds their core systems (or more likely gets a third party to build systems to their specs), including the use of their own motherboard designs. That affords them a lot more latitude to design the IME out of the system and implement alternatives that they control - using proprietary silicon if need be - than it would if they were buying pre-built systems off the shelf and trying to turn the IME off after the fact. I wouldn't count on any potential Google solution being a fix for

More questions

[Gonoff]

Are AMD CPUs clear of it?
Has someone got it onto RISC chips?
Has the NSA or other criminals got their hooks into it?
Can it be "zapped" with some xrays like cancer patients?

Re:

[TeknoHog]

Older AMD CPUs (read: Phenom 2 and earlier) do not have any kind of management processor. I don't know about the desktop versions of the earthmover cores (the FX-series), but a fair few of the mobile chips (the A-series) have it

The FX series don't have it, as they are family 15, and the PSP is only there starting from family 16: https://libreboot.org/faq.html... [libreboot.org] I think you can continue to buy FX CPUs for a while, as the (Ry)?Zen series is only now starting to make an impact in the marketplace.