Intel vPro - What it can do, what it *can't* do, and what it means for your future hardware choices

Panic level 9000+ bad.

1 Like

"For IT departments, vPro is an efficient way to monitor, update, and troubleshoot multiple PCs without needing to physically deal with hardware. This has become ever-more important as we move into a mobile reality where “the office” doesn’t necessarily mean four walls and a desk."

The company does the remote re-programming, not a nation-state actor, or the CIA, NSA, GCHQ or Chinese/Russian equivalent. An angry girlfriend may be more dangerous.

I thought Intel vPro related to a company being able to forcibly install software on their own corporate computers. Like upgrades.

If I were corporate IT, I would want the capability to remotely disable, or find, a lost computer that belonged to my company.

Hard to guess if the encryption to do those things, for a group of ex-corporate hardware, might have been dumped onto the darknet for the entertainment of…

On the Lenovo X-230, if one has not run 1vyrain or done a hardware flash of coreboot or such, the laptop will not boot unless it has the original WiFi chip inside. Also a real IBM-certified battery, and I think the keyboard. Still, if one is going to progress into using Heads, with an external hardware flash, then there are reputed to be some complications from already having used 1vyrain. Oh, for those who have not read about it: 1vyrain is a software flash of firmware to disable some parts of a few computers to allow some new parts to be used, and some other neetzy keen things. Effectively, as the other poster mentions, changing the internal WiFi adapter prevents the remote re-programming of part of the Intel CPU chip by way of the Management Engine (ME).

I am pretty sure one can now purchase a WiFi adapter for the X-230 that works better than the original, with the replacement WiFi adapter having a FOSS driver (module, I think, is the correct term for Linux). It sees possible connections better and faster, and cannot be used by the software in the Intel ME, if that were still there.

I have not heard of any use of the Intel ME, in the wild, in actual use. Given the value of holding the potential of re-programming a computer, it would only be used by a nation-state actor, on the level of an act of war. Take down all the computers of another country. Not watch me. Use by a nation state is like using ICBMs. Use it, and another country uses it in reprisal. In my opinion, it is just dumb for Intel to keep adding it to current processors. But a lot of noise, when Intel ME is not likely to ever be used. Less likely to be used specifically against me. Qubes developers deal with more relevant security issues every day than the negative features of Intel ME.

Also guessing an adversary only gets to use it once, then the servers around the world will be modified to block it.

However, just the inconvenience of not being able to upgrade a WiFi chip is important.

And I still would want to get rid of security holes I know of.

Qubes is really like having several different computers on one laptop. In a similar vein, if I was using an at home connection: NitroWall NW678 | shop.nitrokey.com

Drool. Hardware firewall, good idea.

I would like an external USB hub to block or handle certain risk factors. But who you gonna trust to design and build it?

I have worked with dozens of IT teams, some in the Fortune 500, and I have never seen organic use of Intel ME. Someone told me they were browsing LinkedIn and came across a profile of some woman who worked at Intel. On her LinkedIn page she described in one of her roles that she would “formulate strategies” to “increase demand for Intel AMT”, or something like that. The takeaway this person told me they had was that her role was to astroturf demand (so, plausible deniability) for AMT.

Intel ME/AMT is a total scam. Most government and corporate workers (even the IT departments) in USA have no idea that Intel ME/AMT is even a thing.

edit: Intel is headquartered in State of California

1 Like

This means that for many years when these X230 were in production use by various government workers and businesses, their machines were vulnerable to anyone who was tipped off with advanced knowledge of Intel wifi and Intel ME.

Intel ME has access to PCI lanes and USB ports. A smart user could choose to use a WiFi chip other than an Intel WiFi chip, but Intel could work with OEMs to smuggle additional WiFi drivers into firmware updates for Intel ME to use these other WiFi chips.

Intel ME can also run when the system appears to be “off” if there is a power source. Intel WiFi chips seem to use “extra” teeth on the PCI connector. At the very least, Intel ME can potentially leverage non-Intel WiFi while a system is on.

There are some out there who are convinced that the only way to safely use an Intel machine is behind one or more less problematic systems.

This subject is well known, and there have been provisions for the security hazard created with Intel ME. Or just part of Intel ME.

Intel ME is needed as part of the boot-up of any computer with an Intel processor. What we are interested in is the part of Intel ME that has the code to surreptitiously, covertly re-program the Intel ME processor to do whatever the change is.

A great deal has been done to mitigate the problem part of Intel ME.

Is one example. If you want to say that you would prefer to use AMD processors because of this: AMD processors also have security issues, although I am not sure how much is known about those, or how to mitigate them.

When I changed my Lenovo X-230 to fix the Intel ME problem, I installed an internal ‘Atheros chip based’ wireless adapter, although I was apprehensive, as that Atheros wireless processor came on a slow boat from China. I would be pretty sure the firmware that Qubes used on that Atheros chip was FOSS, as the same Atheros chip is used by folks who know a great deal more than I do about reading through the code used in the chip, and about networking. That is because this is what Insurgo used on the Lenovo X-230 he sold for use with Qubes. If you read through the forums, you would notice Insurgo works on improving Heads and providing free advice for folks.

The reason the Qubes HCL tends to favor older computers is that a great deal is known about them, whereas the latest processor, with a bunch of newish other hardware, is unknown in what might be hidden in it. Perhaps it has security problems unknown to the manufacturer, as well.

Intel vPro is an alternate means to re-program my computer that might likely be beyond my control.

Perhaps the other posters were unaware that there was an age when nearly every update from M$ (shorthand for Microsoft) crashed the hardware and required part of the software to be rolled back to a previous version of Windows. So a lot of people turned off M$ updates. We also had malware which infected computers, then spewed more copies of itself onto the internet. The effect was that everything was slowed down. I can understand why a company that had a lot of computers, perhaps hundreds of laptops, wanted a way to force trusted updates onto the computers which they purchased.

From what I read, Intel vPro was a means to do that. Someone said of all the IT groups he knew of, none used Intel vPro. Well, after I fix the Intel ME in the next computer I purchase, I hope to find an absolute means to also fix Intel vPro. Then again, when the company bought a group of laptops, I would guess they were given an encryption key to forcibly do updates on the computers the company purchased for their employees to use. I need to read a good bit, and see if someone has a way to be sure I can turn Intel vPro off. That I can trust. Not so sure I trust a hack written by someone I do not know.

BTW, Intel provides a bit of a program to test and see if the obnoxious part of Intel ME is functional.

If all you do with a Lenovo X-230 is replace the WiFi adapter with, say, the Atheros one, you will find the computer will not boot.

This is a lot of talk of someone invoking the power of the Intel ME to alter a particular computer. Not likely. It is like using an atomic bomb to rid your cat of fleas.

I am perplexed that Intel still trusts the loyalty of its engineers to keep the secret, and keeps installing the irritating feature within Intel ME.

I will guess this silliness ends when an Intel engineer goes to work someday and says, "Hey boss, never gonna believe what happened. Someone offered me five hundred million dollars to tell him how we might be able to use Intel ME. Not that it would work from just any internet address, but what is done to test the functionality of the Intel ME feature that re-programs my computer."

Insofar as another processor, like RISC-V, coming along to prevent all the same: well, there are other ways to use a modification on the mobo to accomplish the same thing.

Again, this is why Qubes recommendations are usually for computers which are at least two years old. A lot has been discovered about them. Those newest computers which are Qubes trusted were specifically engineered to not have the Intel ME problem.

Notice the computers which were built by a (then Chinese-owned) Lenovo for the US Air Force, which had an extra chip added so that after the initial testing period, they could spew all kinds of data to China about the US Air Force. Although I cannot find a trusted version of the news story now. Which means, if you see something interesting regarding security, save the web page, not just the link. 'Cause now, without proof of the hacked US Air Force computers, I look a little paranoid.

If you know something provable, and can provide a link to a well-trusted security site, please tell me.

Hi @catacombs, I am curious how you came to this conclusion. The reasons I am aware of include upstream projects like Xen supporting new CPU as well as the general state of hardware support in the version of Fedora that is shipped in dom0.

Where did you get the notion that … “latest processor, with a bunch of newish other hardware, is unknown in what might be hidden in it. Perhaps it has security problems unknown to the manufacturer, as well” …is something that is considered by Qubes OS in terms of supporting hardware?

1 Like

Good catch. It is an opinion of what is likely in all the newish hardware sold by the latest, oh say, Dell with an Intel generation 13 processor. What do we know of the mobo that goes with it? While some can be known of the main processor… It is accurate to say, I do not know.

Perhaps you should close this thread, as it really seems to have nowhere to go. If the other posters want to speak on the subject, they can start a new thread.

Experiences certainly differ.
I don't know what “organic” use of ME might be, but I have seen extensive use of remote management and control tools that rely on AMT, even in the US.

It’s worth noting that there are open source tools like MeshCommander that allow you to work with ME/AMT and to see what can be done.

2 Likes
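Two posts above ask, in effect, how to tell whether a given machine actually exposes the Management Engine: catacombs mentions Intel's own test program, and the last reply points at MeshCommander for working with ME/AMT. The script below is an added example written for this thread, not code from any poster, from Intel, or from MeshCommander. It takes an inventory approach a defender can run on Linux hosts they administer: it parses `lspci -nn` output for the MEI/HECI PCI device, parses `lsmod` output for the `mei` / `mei_me` kernel modules that give the OS a channel to the ME, and classifies an HTTP response from the AMT web port (16992/16993) by its `Server` header. The `lspci`, `lsmod` and HTTP samples embedded in it are constructed for illustration, and the assumption that AMT's web interface identifies itself with a `Server: Intel(R) Active Management Technology …` header is mine.

```python
"""Inventory check: does this Linux host expose Intel ME / AMT?

Added example for the forum discussion above (not the thread's or any
vendor's code). Parses `lspci -nn` and `lsmod` output and, optionally,
an HTTP response captured from the AMT web port. All samples below are
constructed; the AMT Server-header string is an assumption.
"""
import re
import subprocess

# Constructed sample of `lspci -nn` output from an Ivy Bridge era laptop.
SAMPLE_LSPCI = """\
00:00.0 Host bridge [0600]: Intel Corporation 3rd Gen Core processor DRAM Controller [8086:0154] (rev 09)
00:16.0 Communication controller [0780]: Intel Corporation 7 Series/C216 Chipset Family MEI Controller #1 [8086:1e3a] (rev 04)
00:19.0 Ethernet controller [0200]: Intel Corporation 82579LM Gigabit Network Connection [8086:1502] (rev 04)
"""

# Constructed sample of `lsmod` output with the ME interface driver loaded.
SAMPLE_LSMOD = """\
Module                  Size  Used by
mei_me                 49152  0
mei                   131072  1 mei_me
e1000e                270336  0
"""

# Constructed sample of a response from TCP/16992 on a host with AMT enabled.
SAMPLE_AMT_RESPONSE = """\
HTTP/1.1 401 Unauthorized
Server: Intel(R) Active Management Technology 8.1.71
Content-Type: text/html
"""

# An MEI/HECI device shows up as a PCI "Communication controller" whose
# description names MEI, HECI or the Management Engine.
MEI_LINE = re.compile(
    r"^(?P<slot>[0-9a-f]{2,4}:[0-9a-f]{2}\.[0-7])\s+Communication controller\b[^:]*:\s*"
    r"(?P<desc>.*?(?:\bMEI\b|\bHECI\b|Management Engine).*)$",
    re.IGNORECASE | re.MULTILINE,
)


def find_mei_devices(lspci_text):
    """Return (slot, description) for every MEI/HECI controller in lspci output."""
    return [(m.group("slot"), m.group("desc").strip()) for m in MEI_LINE.finditer(lspci_text)]


def loaded_mei_modules(lsmod_text):
    """Return the names of loaded kernel modules that talk to the ME (mei, mei_*)."""
    names = []
    for line in lsmod_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if fields and (fields[0] == "mei" or fields[0].startswith("mei_")):
            names.append(fields[0])
    return names


def amt_banner(http_response):
    """Return the AMT Server header value if the response looks like AMT's web UI, else None."""
    for line in http_response.splitlines():
        if line.lower().startswith("server:"):
            value = line.split(":", 1)[1].strip()
            if "active management technology" in value.lower():
                return value
    return None


def assess(lspci_text, lsmod_text, http_response=None):
    """Combine the three checks into a single exposure level.

    Caveat for interpreting the result: unloading or blacklisting mei_me only
    removes the OS's window onto the ME; the ME itself keeps running. And a
    request to localhost:16992 from the host only reaches AMT if Intel's LMS
    daemon is proxying it, so the HTTP check is normally done from another
    machine on the same LAN against hosts you administer.
    """
    devices = find_mei_devices(lspci_text)
    modules = loaded_mei_modules(lsmod_text)
    banner = amt_banner(http_response) if http_response else None
    if banner:
        level = "amt-web-reachable"
    elif devices and modules:
        level = "mei-exposed-to-os"
    elif devices:
        level = "mei-present-driver-unloaded"
    else:
        level = "no-mei-visible"
    return {"devices": devices, "modules": modules, "amt_banner": banner, "level": level}


if __name__ == "__main__":
    # Live run on this host; falls back to the constructed samples if the tools are absent.
    try:
        lspci_out = subprocess.run(["lspci", "-nn"], capture_output=True, text=True, check=True).stdout
        lsmod_out = subprocess.run(["lsmod"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        lspci_out, lsmod_out = SAMPLE_LSPCI, SAMPLE_LSMOD
    print(assess(lspci_out, lsmod_out))
```

The three signals answer different questions: the PCI device says the silicon is there, the loaded module says the OS has a path to it, and the web banner says the network-facing part (AMT) is provisioned and listening. A machine can be at the first level and still have AMT fully disabled, which is the distinction the thread keeps circling.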