On Mon, 25 Nov 2019 08:21:06 -0400 Freemor <[email protected]> wrote:

> The IME is a local concern and not a remote one. Someone would have
> to be on your local network segment to futz with the machine and that
> is only if you are using one of the "blessed" NICs (like the built-in
> Ethernet or wifi).

[...]

> And as I said above to use it as a backdoor someone has to directly
> access the machine or be on the same network segment (LAN) while you
> are using one of the blessed NICs
That depends on several things:

- AMT is typically found on computers for business but not on computers for consumers. The downside of laptops for consumers is that the display is often glossy, which is not fit for spending too many hours in front of it[1]. So many people doing work (including free software work) with computers end up with it.
- AMT enables remotely administering a computer with VNC and through the Internet[2].
- To work it needs an Internet connection on one of the compatible interfaces such as:
  - The built-in Intel Ethernet interface
  - The built-in Intel WiFi card
  - A compatible cellular network modem[2].

So it would be a good idea to check:

- if the computer is a laptop that has already been configured by a company's sysadmin. That may occur too if the laptop has been bought second hand.
- if the laptop has a SIM card and/or a cellular network modem.

> A lot has been made of the IME because of its ring -3 ness But any
> maliciousness is theoretical at best (bugginess has been proven. But
> no one has found code that would do things all on its own).

Besides the fact that it's designed to remove users' control over their computers, which is enough to be a very serious attack on users' freedom, I think we should rather shift the narrative on things like that: whether it does or does not have a backdoor is not very relevant. Instead, as part of the free software community, we should require from the manufacturers and/or software projects like Libreboot or Replicant that are dealing with things like that some serious proof or indication that it cannot attack users or does not have any backdoors:

- In the case of Libreboot computers with an Intel GM45 chipset, the Management Engine OS has been completely erased[3]. So while it's not perfect, as it has a ROM[3], you still have a way bigger assurance than if there was an OS running in it. In contrast, Intel cannot give us any proof that the Management Engine OS has no backdoor: we cannot review the source code and run the version we reviewed.
- All the smartphones and tablets currently supported by Replicant have either a modem that is isolated, or no modem. Again here it's not perfect as the bootloader is nonfree on all currently supported devices, but we get way better assurances, as for instance the microphone is controlled by free software, whereas in some older smartphones like the HTC Dream, the microphone was controlled by nonfree software.

References:
-----------
[1] https://en.wikipedia.org/wiki/Glossy_display#Adverse_health_effects
[2] https://www.intel.com/content/dam/doc/white-paper/digital-signage-vpro-amt-3g-paper.pdf
[3] The Management Engine OS is located on the same flash chip(s) that stores the BIOS/EFI/UEFI. That flash chip has several partitions, and the Management Engine OS is on one of its partitions. The Management Engine has a ROM which loads that OS from its flash partition. With Libreboot on computers with the GM45 chipset, the flash partition table is configured to tell the Management Engine that there is no OS to load, and that's sufficient to have a functional computer.

Denis.
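The check the message recommends (does this laptop carry the Management Engine / AMT surface, and is AMT reachable from the network?) as an added example for a Linux host. This is not code from the thread or from Libreboot, Replicant or Intel; the lspci sample below is constructed, the function names are my own, and the parts taken as fact are that the Linux mei driver exposes the ME firmware version as `/sys/class/mei/mei0/fw_ver` and that AMT's services listen on TCP 623, 664, 16992 and 16993, answered by the firmware rather than the OS.

```python
# Added example, not part of the thread: an inventory check for the Intel ME /
# AMT surface the message describes, from the point of view of someone auditing
# their own laptop. Sample lspci text below is constructed, not captured.
import re
import socket
from pathlib import Path
from typing import Dict, List, Optional, Sequence

# TCP ports on which Intel AMT's network services listen. They are answered by
# the firmware, not by the host OS, so `ss -lnt` on the machine itself will not
# show them; they are only visible from another host on the same segment.
AMT_PORTS = (623, 664, 16992, 16993)

# The ME talks to the host through the MEI/HECI PCI function. lspci names it
# "MEI Controller", "HECI" or "Management Engine Interface" depending on chipset.
MEI_PATTERN = re.compile(r"\bMEI\b|HECI|Management Engine", re.IGNORECASE)


def find_mei_devices(lspci_text: str) -> List[str]:
    """Return the lspci lines describing a MEI/HECI controller."""
    return [line.strip() for line in lspci_text.splitlines()
            if MEI_PATTERN.search(line)]


def mei_firmware_version(sysfs_root: str = "/sys/class/mei") -> Optional[str]:
    """Read the ME firmware version published by the Linux mei driver (fw_ver).

    None means no MEI device is registered: the hardware is absent, the
    mei_me driver is not loaded, or the ME has been disabled/neutered.
    """
    for dev in sorted(Path(sysfs_root).glob("mei*")):
        fw_ver = dev / "fw_ver"
        if fw_ver.is_file():
            return fw_ver.read_text().strip()
    return None


def probe_amt_ports(host: str, ports: Sequence[int] = AMT_PORTS,
                    timeout: float = 1.0) -> List[int]:
    """Run from a second machine on the LAN against your own laptop's address:
    list the AMT ports that accept a TCP connection. An empty list from the
    wired Intel NIC's address is what unprovisioned or disabled AMT looks like."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def local_report(lspci_text: str,
                 sysfs_root: str = "/sys/class/mei") -> Dict[str, object]:
    """Combine the on-host evidence into one verdict."""
    devices = find_mei_devices(lspci_text)
    fw_ver = mei_firmware_version(sysfs_root)
    return {
        "mei_devices": devices,
        "fw_ver": fw_ver,
        "me_present": bool(devices) or fw_ver is not None,
    }


# Constructed sample in lspci's output format (not captured from a real machine).
SAMPLE_LSPCI = """\
00:00.0 Host bridge: Intel Corporation 2nd Generation Core Processor Family DRAM Controller (rev 09)
00:16.0 Communication controller: Intel Corporation 6 Series/C200 Series Chipset Family MEI Controller #1 (rev 04)
00:19.0 Ethernet controller: Intel Corporation 82579LM Gigabit Network Connection (rev 04)
"""

if __name__ == "__main__":
    import subprocess
    try:
        lspci = subprocess.run(["lspci"], capture_output=True, text=True,
                               check=False).stdout
    except FileNotFoundError:
        lspci = SAMPLE_LSPCI  # pciutils missing: fall back to the constructed sample
    print(local_report(lspci or SAMPLE_LSPCI))
```

`me_present` being true only says the ME and its host interface exist; whether AMT is provisioned is what `probe_amt_ports` answers, and it has to be run from a second machine because the firmware intercepts those ports before the host OS ever sees them. A SIM slot or cellular modem, the other item on the message's checklist, is still a separate physical check.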
_______________________________________________
Dev mailing list
[email protected]
https://lists.parabola.nu/mailman/listinfo/dev
