Only a few weeks after the news that security researchers had managed to completely disable the Intel Management Engine, Purism has announced it’s disabling the IME on all of its available Librem laptops.
Purism’s Librem Laptops, running coreboot, are now available with the Intel Management Engine completely and verifiably disabled.
The Management Engine (ME), part of Intel AMT, is a separate CPU that can run and control a computer even when powered off. The ME has been the bane of the security market since 2008 on all Intel based CPUs, with publicly released exploits against it, is now disabled by default on all Purism Librem laptops.
Disabling the Management Engine is no easy task, and it has taken security researchers years to find a way to properly and verifiably disable it. Purism, because it runs coreboot and maintains its own BIOS firmware update process has been able to release and ship coreboot that disables the Management Engine from running, directly halting the ME CPU without the ability of recovery.
Great move.
Now this is something I can get behind. However, I bet Intel will start playing whack-a-mole and modifying it with each CPU release instead of offering an option to not have it altogether.
I agree. There may well be a few DMCA suits flying around as well.
“The Man” has gotta have his backdoors…
Yep – Intel is likely to counter-act every single move to disable IME.
Are AMD products free from such behind the scene interface?
According to the LibreBoot FAQ, AMD also has its own IME-like stuff called Platform Security Processor (PSP).
https://libreboot.org/faq.html#amd
Thanks for pointing to the relevant information.
This is rather unfortunate that such features, intended for efficient remote management of systems within a business environment, have serious security flaws and cannot be disabled by an owner/end-user.
Disabled: yes. Verifiably disabled: yes.
Permanently disabled: perhaps, but would you bet money on it?
The IME technology has been in many/ most new machines for nine years so a high enough proportion are already exploitable…
The last private thing remaining is your vote; and when no one is looking strange things happen: like BREXIT and Trump.
Voting may be private but it is also completely useless so you are probably better off just keeping your vote in your head without ever casting it. It has the same effect but better privacy.
That’s why I’m a firm believer in anarchy. People always say “But if you don’t vote you can’t complain.” Sure I can, if they EVER actually had someone I thought would do something worthwhile FOR ME, then certainly I’d get off my ass and vote. But they never do… so Anarchy in the USA!
If you didn’t vote you still can complain – if someone made some crap, it’s one those who voted for him.
Since I believe democracy is immoral saying I should not complain because I did not hypocritically vote would be nonsense indeed.
Group rape is democracy too. Just because one group is the largest does not mean it has the right to take the rights of all smaller groups.
On top of that many so called democracies are actually oligarchies with a nice puppet show where people just vote on the puppets. The puppet master stays the same no matter what the people vote.
Having an anarchy or small government would be better than what we have now but unfortunately anarchy and small governments are not sustainable due to human naivety which will be abused by other less naive humans.
America supposedly was free and had a small government in the past and look what happened to it now. It has become 1984 where the government sees and controls everything. And all that the people do is vote for candidates who support this Orwellian system like Trump or Hillary.
“I think we should rapethis person, all in agreement, say “Aye”!”
I somehow don’t think that’s how rape works…
That was not what I meant. If the rapers join in out of their free will then that is their vote. And since the victim by definition does not want to get raped he will probably resist and that is his vote against the raping.
So you care only about election pork / have you no sense of community? And do you really think that government initiatives in, say, infrastructure or education bring no benefits to you? Maybe you’re getting the gov you deserve…
I’m skeptical. They promised they already had disabled it (with Intel’s blessing) before launch, they were called out on that lie, they revised it to “we’re disabling it soon, we promise!”, then nothing for nearly two years. Now, the laptops are all but obsolete, especially at the price they charge.
And as you said, is it really permanent? Is there any guarantee Intel won’t be able to remotely patch it, perhaps via some as-yet-undocumented back door?
Too little, too late, and as far as I’m concerned they were liars from the beginning. Forget IME itself, I don’t trust Purism.
Maybe they stretched their claims more then they should have. However, are there other notebooks currently on the market for which IME is crippled or disabled?
From the little I could find about IME within the Chromebook space, it seems that IME is active and that the systems could be hijacked via this feature. Hum – so much for security?
Intel isn’t the only CPU manufacturer (and I’m perturbed that I have to explain that on this site). That said, AMD supposedly has its own issues in this area.
There are also non-x86 laptops out there, with no backdoored management engines but with their own pros and cons.
You can get older Thinkpads with no IME at all, they are slow compared to the Purism machines but they are fully functional and come installed with a 100% Libre/Free version of Linux[1]. My wife’s old laptop, which I currently use for testing Linux and BSD distros, is an AMD Turion II machine with no PSP (AMD equivalent of IME) baked in. It’s no speed demon but it’s fast enough for anything except AAA gaming, and it has an excellent keyboard.
Given that the Purism laptops are only IME-free nearly three years after their introduction and after a ton of misdirection, broken promises, and half-apologies, I’d say running on a slightly older but just as functional machine from a more trusted company is a no-brainer.
[1] https://minifree.org/product/libreboot-t400/
I know, thank god Trump won man… we dodged a bullet with that Hillary thing, that’s going to jail soon btw, so there’s justice after all. On the tech side of things, yeah less non-user-controlled hardware is what we need.
Let’s just cut to the chase… If you care about privacy and want to continue using your computer you should, when not in use, unplug it from all power sources, disassemble its components, and then hope for the best. To resume usage, perform those steps in reverse.
In all seriousness, there is no true privacy anymore. Everything is tracking, recording, spying on, “telemetry”ing, or analyzing you in some way – you know, … for `your` benefit *wink wink*. And people are working on technology to read and eventually manipulate your own thoughts so even those won’t be private in a while. That’s simply the world we all live in now and there’s no turning back sans an event that destroys all the technological knowledge we’ve accumulated.
Manipulation has been going on for a long time now. Dark patterns are all over the Web and in our everyday lives. It’s most prevalent in advertising (thank Cthulhu for uBlock), but it happens in other transactions as well.
Just today I was changing registrars on one of my sites, the authorization email from the old registrar said “if you wish to cancel, please click this link. If you wish to proceed with the transfer, you must wait the mandatory minimum 5 days per ICANN rules.” First, ICANN doesn’t require a minimum 5 days, it’s a maximum 5 days if the parties involved don’t cancel the transaction. If no one cancels in that 5 day period, the transaction proceeds.
Second, and this to me is even more egregious: You can click the “cancel” link and it actually takes you to a page that allows you to immediately approve the transfer. Nowhere in the body of the email did it even suggest you could immediately approve it, in fact it seemed as if they went out of their way to make the transfer process as miserable as possible. I can only surmise they do this to make people think twice about transferring away from their service to their competitors.
I called them out on it via email, and their response was “yes, we are aware the message is confusing, however we will not change it as it is per ICANN policy.” Of course I called them out on that lie as well, and got no response.
You’re right, but I was referring to direct control & manipulation of thoughts, actually hi-jacking the mind rather than trying to influence decision-making through suggestive advertising, confusion, misleading, etc. If `they` can perfect it, it’s the perfect weapon or method of control over entire populations of people.
I can’t help but refer to Futurama when Fry discovers that in the future, they simply beam advertisements into your dreams.
Though too bad people with adblockers typically end up blocking everything, not rewarding sites which respect you (with moderate amount of ads), like OSNews …where sometimes ads can be useful or “good”, for example http://www.osnews.com/permalink?650097 or how I recently got an ad here for industrial PLC based on Arduino and Raspberry Pi, or for ~local IT conference that should interest my buddy…
(though I have no idea why I get ads for Mercedes-AMG GT, it’s not like I’ll ever be able to afford it
)
That’s what whitelists are for. 🙂
Aye, but I somehow doubt they’re being used by any notable percentage of adblocker users – after all, “ads are evil” or smth… (but what can be evil about car manufacturer promoting cycling?
Or anything about… ARDUINO!!1 ;D )
Though “mind control” tech would be a boon for many mental disorders …of course, after a while, we would possibly all be designated “sick” and requiring “treatment” …and in a way we all are, we live now in vastly different conditions than what we evolved to, and the gap will only get bigger.
Hm, reminds me of an old game where ordinary citizens see reality as “just an ordinary ~XX century American town” in a really dystopian setting, possibly Syndicate Wars…
You can get more effective writing papers are available at online https://www.clazwork.com/scholarship-canada-essay-writing-expert-wil…
IEM is an absolutely frightening Pandora’s Box of security and other problems just waiting to happen.
Thank You Lawd!!!