Darren Reed wrote:
> David Chieu wrote:
>
>> Darren Reed wrote:
>> ...
>>
>>> And most importantly...
>>>
>>> How does someone disable the ME on the card when a
>>> security vulnerability in it is found?
>>>
>> Each Intel AMT device must be provisioned with at least one
>> username/password pair.
>
>
> Is there a default username/password pair that allows
> remote operations without these being set by the host?

Yes.

> Is the username/password stored on the NIC itself so
> that it will survive the NIC being moved from one system
> to another?

The password is stored in ME, not on NIC. Hardware-wise, ME is part of the PC motherboard (North Bridge) and our test machines have on-board Intel NIC which can't be removed.

> How does it defend against being brute forced?

I don't understand the question. Can you give an example of brute forced?

> ...
> (many more questions)
>
>> Additionally, AMT supports Kerberos v5 (RFC 1510).
>
>
> I'm starting to agree more with Scott, there's a lot more
> to this case than is normal for a fast track - it seems like
> the security questionnaire would be appropriate given
> there is a username/password pair in the mix here, along
> with Kerberos support.
>

Agreed.

>> Not running Solaris, you can turn off ME from most of PC BIOS that
>> we've seen. There are some PCs where ME is not allowed to be disabled
>> at all from the BIOS which could be a security hole once a
>> vulnerability is found. However, this is beyond the scope of this
>> project.
>
>
> Thus to turn the ME on/off, you need to reboot and press
> a magic key as the system comes up and go into a special
> AMT configure screen?

Correct. The systems that we've seen so far in the labs give you some of the following simple choices, e.g.

a) AMT 2.0 or AMT 3.0
b) ASF, AMT, or None
c) AMT only

ASF is Alert Standard Format - see http://www.dmtf.org/standards/asf

> There is no way to configure the ME from Solaris by making
> a call into the BIOS?
>

We've not yet explored the possibility to call into ME via BIOS from Solaris. Good question.

-- David Chieu

> Darren
