I have contacted Intel and asked about Intel ME.
I asked an Intel agent whether Intel ME can turn on PCs while users have turned off their PCs and send information or not. I have heard of that. Is that right?
The agent answered me that that's not correct; the Intel® ME is a component of the CPU but it's not capable of such a thing.
I was thinking Intel ME can do that, so I am confused.
How can I get evidence that Intel ME leaks information that is in my laptop (MacBook 4.1) or is controlling my laptop?
Given that it actually does. Thanks.
name at domain wrote:
> I asked an Intel agent whether Intel ME can turn on PCs while users have
> turned off their PCs and send information or not. I have heard of that. Is
> that right?
Yes, I believe that's correct.
> The agent answered me that that's not correct; the Intel® ME is a component
> of the CPU but it's not capable of such a thing.
Perhaps the agent isn't aware of what investigations into Intel ME can do.
Just because they work for Intel doesn't mean they know everything Intel's
systems are capable of doing. You might be better off looking for
information on your own.
https://www.howtogeek.com/334013/intel-management-engine-explained-the-tiny-computer-inside-your-cpu/
is a fairly plain-language description of what Intel ME and AMT are but the
article is mostly promotional, speculative, and somewhat
self-contradictory. This article happens to have a fairly good introduction
to what ME and AMT are.
From that article:
> As Intel puts it, the Management Engine is “a small, low-power computer
> subsystem”. It “performs various tasks while the system is in sleep,
> during the boot process, and when your system is running”.
>
> In other words, this is a parallel operating system running on an
> isolated chip, but with access to your PC’s hardware. It runs when your
> computer is asleep, while it’s booting up, and while your operating
> system is running. It has full access to your system hardware, including
> your system memory, the contents of your display, keyboard input, and
> even the network.
And the following starts off the description of Intel AMT:
> Aside from various low-level functions, the Intel Management Engine
> includes Intel Active Management Technology. AMT is a remote management
> solution for servers, desktops, laptops, and tablets with Intel
> processors. It’s intended for large organizations, not home users. It’s
> not enabled by default, so it isn’t really a “backdoor”, as some people
> have called it.
>
> AMT can be used to remotely power on, configure, control, or wipe
> computers with Intel processors. Unlike typical management solutions,
> this works even if the computer isn’t running an operating system. Intel
> AMT runs as part of the Intel Management Engine, so organizations can
> remotely manage systems without a working Windows operating system.
but don't be thrown by not calling this a backdoor.
Intel's ME hardware sits at a point ideal for spying, filtering what you
send and receive over the network, and anything you do with the computer
(as ME has bus access). Functionally, that's what one needs to do spying or
remote administration. We don't need to know if ME actually spies or not
because we couldn't change ME even if we were to learn it does spy. The
case is closed: ME, AMT, and AMD's TrustZone are proprietary and therefore
not trustworthy.
As I understand it ME sees all of the network packets after they leave the
OS and before they leave the computer. Therefore ME can drop or edit
packets in a way the OS can't overcome. ME is OS-independent, it runs
regardless of what OS or OSes you install on the rest of the system.
So long as the computer is a modern Intel computer, ME is there (even if it
is disabled as Purism claims to do with the computers that company sells).
Parts of the article are clear and correct:
> You can’t disable the Intel ME. Even if you disable Intel AMT features
> in your system’s BIOS, the Intel ME coprocessor and software is still
> active and running. At this point, it’s included on all systems with
> Intel CPUs and Intel provides no way to disable it.
The BIOS is likely proprietary so drawing conclusions about what actually
happens when you think you're disabling AMT is speculation.
Also, you can't change the software ME runs because Intel's software is
proprietary (user subjugating) and you don't get a copy of Intel's key to
let you sign your own code to run on the ME instead of running Intel's
proprietary code, nor do you get the chance to remove Intel's key and run
only your own signed code so that you can really control the ME computer.
It's clearly not as good as, say, modern POWER-based computers with free
software firmware and no added spying/sysadmin-convenience device. See the
Talos computers for this hardware or read the https://www.talospace.com/
blog about the Talos computers.
The section named "Why the Secrecy?" is pure speculation:
> Intel doesn’t want its competitors to know the exact workings of the
> Management Engine software.
We don't know what Intel does and doesn't want its competitors to know and
frankly that doesn't matter. What matters is that Intel is denying its
users (the owners of modern Intel-based computers) full control over their
computers. AMD does the same with its modern computers.
> This isn’t any sort of spying or monitoring software—unless an
> organization has enabled AMT and is using it to monitor their own PCs.
If we don't know what ME is capable of doing we can't draw conclusions
about what it does other than to say ME is untrustworthy and not under the
computer owner's exclusive control.
The article even contradicts itself in the next section:
> On November 20, 2017, Intel announced serious security holes in Intel ME
> that had been discovered by third-party security researchers. These
> include both flaws that would allow an attacker with local access to run
> code with full system access, and remote attacks that would allow
> attackers with remote access to run code with full system access. It’s
> unclear just how hard they would be to exploit.
If we don't know the scope of the exploits, we can't draw conclusions like
"[ME] isn’t really a “backdoor”, as some people have called it.".
Even the Intel "detection tool" to ostensibly "find out if your computer’s
Intel ME is vulnerable, or whether it’s been fixed" is proprietary. Using
one black box to diagnose another is compounding unwisdom.
Modern Intel and AMD computers just aren't fit for anyone seeking to
increase the amount of software freedom they have. Just because a
completely free system isn't available doesn't mean we need to lump
together all options available today and make no distinctions among them.
If your system doesn't have Boot Guard, just try to neutralize ME using "me_cleaner". You may need to use an external programmer, though.
For the dirty truth about ME, see https://www.fsf.org/blogs/sysadmin/the-management-engine-an-attack-on-computer-users-freedom
It's just the tip of an iceberg.
> I asked an Intel agent whether Intel ME can...
> The agent answered me that that's not correct
I asked Philip Morris whether the cigarettes I smoke with such passion cause cancer.
They answered: no way, only pleasure.
> I asked an Intel agent whether Intel ME can turn on PCs while users have turned off their PCs and send information or not. I have heard of that. Is that right?
"The Intel Management Engine always runs as long as the motherboard is receiving power. The IME even runs when the computer is turned off."
https://en.wikipedia.org/wiki/Intel_Management_Engine
> How can I get evidence that Intel ME leaks information that is in my laptop
Inspect the network packets using another computer.
Just to make sure though, do not those Intel MEs which were crazed send the (maybe) encrypted (possibly not understandable even for them) packets anymore?
Even if after it was crazed, does it keep replying to someone's call with not understandable words?
Or only accidentally, sometimes does it send the information? I mean, I am interested in how crazy they are.
It would be similar to their ...parents' (and its good friends') insanity.
Your English is difficult to understand.
If you sniff the traffic as I explained you will be able to see the IP address of the remote host (if there is communication). From that you will know who the remote IP address belongs to using https://ipinfo.io/x.x.x.x (replace x.x.x.x with the IP address).
If the packets are encrypted you won't be able to see their content as you don't have access to the encryption keys. But you will still be able to see if there is communication.
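
The capture-and-inspect approach described above, as an added Python example that is not part of the original post: it reads a capture taken on a second machine, lists the remote endpoints of frames sent from the laptop's MAC address, and flags the ports registered for Intel AMT. The MAC address, the IP addresses and the sample capture are constructed; it assumes a classic little-endian pcap with Ethernet framing, recorded at a point that sees the laptop's traffic (a mirror port or the gateway).

```python
import socket, struct
from collections import Counter

AMT_PORTS = {623, 664, 16992, 16993, 16994, 16995}  # Intel AMT / ASF-RMCP ports

def frames(pcap):
    """Yield Ethernet frames from a classic little-endian pcap byte string."""
    if struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("expected a classic little-endian pcap")
    off = 24                                    # skip the global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        yield pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen

def talkers(pcap, laptop_mac):
    """Count IPv4 TCP/UDP flows whose Ethernet source address is laptop_mac."""
    mac = bytes.fromhex(laptop_mac.replace(":", ""))
    flows = Counter()
    for f in frames(pcap):
        if len(f) < 34 or f[6:12] != mac or f[12:14] != b"\x08\x00":
            continue                            # not IPv4 from the laptop
        l4 = 14 + (f[14] & 0x0F) * 4            # offset of the TCP/UDP header
        if f[23] not in (6, 17) or len(f) < l4 + 4:
            continue
        sport, dport = struct.unpack_from("!HH", f, l4)
        flows[(socket.inet_ntoa(f[30:34]), sport, dport)] += 1
    return flows

def amt_flows(flows):  # flows using an AMT management port on either side
    return sorted(k for k in flows if {k[1], k[2]} & AMT_PORTS)

# Constructed sample capture (not real traffic); only the L4 ports are filled in.
def make_frame(src_mac, dst_ip, proto, sport, dport):
    eth = bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton(dst_ip))
    return eth + ip + struct.pack("!HHHH", sport, dport, 8, 0)

def make_pcap(frs):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frs)

LAPTOP = "02:00:00:00:00:01"                    # constructed MAC address
SAMPLE = make_pcap([
    make_frame(LAPTOP, "198.51.100.7", 6, 16992, 51000),            # reply from an AMT port
    make_frame(LAPTOP, "203.0.113.5", 17, 40000, 53),
    make_frame("02:00:00:00:00:02", "203.0.113.5", 17, 40001, 53),  # a different host
])
```

Run it against a capture recorded while the laptop is shut down but still powered: any frame from its MAC address at that point cannot have come from the operating system.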
I see. So it is that we can judge whether we could make them disabled or not. It seems I need Kali Linux, I don't know well, though. Thank you!
From the Wikipedia article:
"Strictly speaking, none of the known methods disables the ME completely, since it is required for booting the main CPU. All known methods merely make the ME go into abnormal states soon after boot, in which it seems not to have any working functionality. The ME is still physically connected to the current and its microprocessor is continuing to execute code."
https://www.youtube.com/watch?v=WJo8RsJeqxU
This is a short and informative video on the topic
Thank you. I'm not especially good at listening, but it seems there is a condensed clue.