this post was submitted on 16 Sep 2024
58 points (96.8% liked)

Privacy

31951 readers
538 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

When it comes to Intel Management Engine, I actually think it's not a threat if you neutralize it. I mean to just set the HAP bit on it. Because if that isn't enough then that means all computers in the world which use Intel CPU can be accessed by NSA but if NSA had this much power then it seems obvious that they aren't using it and why wouldn't they use it?

There's a github project to neutralize/disbale Intel ME: https://github.com/corna/me_cleaner Disable is overwriting intel ME as much as possible with zeros, leaving only a little remaining to be able to boot the computer. The newer the intel chips are, the less likely it is to be able to disable it. But all chip sets can be neutralized which means to set the HAP bit which is an official feature. In theory we can't actually trust the HAP bit to really disable intel ME permanently. It's more like asking Intel to do what they have promised because it's proprietary. But I think it really does permanently disable it because otherwise NSA would be abusing this power.

That's why I think the newer laptop models are better because it's probably not necessary to disable, it's enough to just neutralize withthe HAP bit. And with a newer modern laptop they can have open source Embedded Controller firmware which is better than proprietary Embedded Controller firmware.

I'm interested to hear what you think as well.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 19 points 1 month ago (2 children)

IMHO Intel ME or the AMD equivalent are only relevant for state level targeted attacks. It wouldn't be wise for them to waste it on the small fries and risk having some snoopy I-have-nothing-better-to-do-with-my-life security researcher find some attack payloads.

Of course you are right to be worried and think about it. Right now the best you can do is coreboot, it allows you to disable it.

If you want to counter that risk the best is to get a computer like the nitropads (coreboot and only open source firmware, qubeos on top) https://www.nitrokey.com/news/2020/nitropad-secure-laptop-unique-tamper-detection or the ones of system76 After that, it's no use worrying too much. You could as well be hit be hit in a car crash, a seism or a tsunami could also hit you city. Don't think about it too much, just have a small plan so you are not too lost if the black swan comes for you.

[–] [email protected] 4 points 1 month ago* (last edited 1 month ago) (1 children)

Open source is not enough. It needs to be entirely free software. I recommend buying a Libreboot laptop from before 2009, they can fully disable/remove the IME and have a 100% free BIOS firmware (anything supported device with a Core Duo processor basically).

[–] [email protected] 4 points 1 month ago

Thanks! I dug in and just found out that you can buy libreboot computers with Intel ME disabled and support the libreboot project on https://minifree.org/

They actually have an interesting selection.