Usually when I'm reminded about IME (and whatever the equivalent is in AMD chips), it's in the context of some strong claims about it being "game over" for security and privacy against mass surveillance, engineered / funded by nation-state intelligence agencies, and rendering all other technical efforts moot. They make it sound plausible, and I think "why isn't this talked about or investigated more?" The section of the Wikipedia page that discusses the "backdoor" claim is frustratingly thin. I just don't know what to make of it. Hyperbole about a crappy thing, like the bloatware pre-installed on most new laptops and phones by the vendor? An open secret, with discussion about it suppressed?
I think we frankly don't know how much of a problem it is, yet. Since there's no widely applicable remote exploit for it, as far as the mainstream is concerned, all we're left to do is speculate on the risk. If someone operates a server, it's best practice not to have any extra services running on top of what's needed to run the original service. This is because every extra open port, software or complexity increases the attack surface. Same with Intel ME, people don't understand why it needs to be there, if nobody seems to even use it.
Preinstalls are not hyperbole though; there was some nasty stuff over the years. Lenovo, for one, bundled Superfish, which man-in-the-middled all HTTPS browser communication[0]. Similar effort from Dell[1].
I think ME's situation is similar to Stallman's attitude toward proprietary software. Proprietary is not evil by itself, but it's very easy to corrupt it to be so, and then the end user is powerless. And because the end user can't decide when this change happens, they are powerless to begin with. Therefore the thing shouldn't exist in the first place.
Before Snowden, I think absence of evidence could often be construed as evidence of absence.
But I think that ship has well and truly sailed.
We now know that, behind closed doors in classified places, every bad thing we imagined might be happening, _was_ happening, and then some, beyond the scale of the wildest imaginations of the most paranoid activists. And then some, and then some.
The fact that we don't have proof of _this_ particular bad thing, which is entirely possible and downright trivial and could actually be the entire purpose for which the functionality was designed, should in no way suggest that the capability isn't being used.
Ten years ago, I could see that being a reasonable argument. Now it just rings as blindingly naive.
It doesn't necessarily need to be a backdoor. Look up Remote Attestation, which is getting easier every year. With that, you can run whatever software you want on your device - but other servers do not need to talk to your device if they detect that you are.
It's coming up in Android more with SafetyNet. If your device is rooted, you fail SafetyNet. If you fail SafetyNet, almost all banking app servers will refuse to talk to you, rendering their apps useless. SafetyNet could be spoofed historically, but SafetyNet is moving into hardware instead of software since ~2020, so the spoofing has gotten way, way harder and may cross into downright impossible.
It's also coming to Windows with the Windows 11 TPM 2.0 requirement. See the video game Valorant, for example. If you are on Windows 11, it will mandate that you have a TPM 2.0 enabled and Secure Boot enabled. It has exceptions for VMs and Windows 10 and earlier right now - but they can literally close that door, at any time, and immediately remotely lock all machines to that requirement. No amount of game patching will bypass it - the multiplayer servers won't talk to you unless your hardware cryptographically reports that you've passed Secure Boot checks.
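The server-side check described in the comment above, sketched as an added example (not part of the thread and not any vendor's actual protocol): the verifier issues a fresh nonce, the device returns a signed quote over its boot-measurement register, and the server refuses anything unsigned, replayed, or outside policy. Assumptions: an HMAC with a constructed key stands in for the TPM's asymmetric attestation signature, and the boot-chain strings, the `Verifier` class and all function names are hypothetical.

```python
import hashlib
import hmac
import os

# ASSUMPTION: a shared-secret HMAC stands in for the asymmetric signature a
# real TPM makes with a key that never leaves the chip (stdlib-only demo).
DEVICE_AK = b"constructed-demo-attestation-key"

# Constructed sample boot chains (not real measurements).
GOOD_CHAIN = [b"SecureBoot=on", b"vendor-signed bootloader", b"vendor-signed kernel"]
MODIFIED_CHAIN = [b"SecureBoot=off", b"user-built bootloader", b"user-built kernel"]


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = SHA-256(old || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measured_boot(components) -> bytes:
    """Fold every boot component into one register, starting from zeros."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def device_quote(pcr: bytes, nonce: bytes, key: bytes = DEVICE_AK) -> dict:
    """What the hardware returns: register value bound to the server's nonce."""
    sig = hmac.new(key, nonce + pcr, hashlib.sha256).digest()
    return {"pcr": pcr, "nonce": nonce, "sig": sig}


class Verifier:
    """Relying party: only talks to devices whose quote matches policy."""

    def __init__(self, expected_pcr: bytes, key: bytes = DEVICE_AK):
        self.expected_pcr = expected_pcr
        self.key = key
        self.outstanding = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, quote: dict) -> str:
        nonce = quote["nonce"]
        if nonce not in self.outstanding:
            return "reject: stale or unknown nonce"
        self.outstanding.discard(nonce)  # single use, so replays fail
        want = hmac.new(self.key, nonce + quote["pcr"], hashlib.sha256).digest()
        if not hmac.compare_digest(want, quote["sig"]):
            return "reject: bad signature"
        if not hmac.compare_digest(quote["pcr"], self.expected_pcr):
            return "reject: boot state not in policy"
        return "accept"


def demo() -> dict:
    good_pcr = measured_boot(GOOD_CHAIN)
    server = Verifier(expected_pcr=good_pcr)
    results = {}
    # 1. Unmodified device answers a fresh challenge.
    good_quote = device_quote(good_pcr, server.challenge())
    results["stock"] = server.verify(good_quote)
    # 2. The same quote presented again: the nonce was already consumed.
    results["replay"] = server.verify(good_quote)
    # 3. Modified boot chain, reported honestly by the hardware.
    modified = device_quote(measured_boot(MODIFIED_CHAIN), server.challenge())
    results["modified"] = server.verify(modified)
    # 4. Software claims the good value but cannot use the hardware key.
    forged = device_quote(good_pcr, server.challenge(), key=b"software-only-key")
    results["forged"] = server.verify(forged)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} {verdict}")
```
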
> It's also coming to Windows with the Windows 11 TPM 2.0 requirement.
My Lenovo L430 is apparently incapable of running Win11 for that reason. Win10 will soon be out of support, so I'm preparing to blow away my last-ever Windows system, and become all-Linux. I'm looking forward to it.
Isn't 'soon' 3 years from now? And it'll definitely impact PCs more than 7-10 years old at that point, but that's kind of a hard number to get worked up about. If it's that big a deal, when the deadline gets closer buy a new-to-you 7 year old machine for a couple hundred dollars.
You're right; I thought it was coming up in November. I wonder why I thought that? It might be a message that Microsoft presented to me after the forced update I received yesterday morning, while I was trying to use the damned machine.
> If you fail SafetyNet, almost all banking app servers will refuse to talk to you
This is probably unique to me but I see that as a bonus security feature. All I want to use the phone for is voice, text, mumble, irc and ssh/sftp, only things hosted by me. I'm still trying to find a non-Google ROM that is well supported for my model of Android. If I could get a vendor unlocked CAT I would turn the droid into a dedicated mp3 player.
Before looking at IME, let's review other topics. Printer machine identification codes were secretly inserted into printers some time between the 1980s and 2004. Our communications are being monitored in a host of ways. One last refuge was our CPU, but now that is under foreign control as well.
Then there's older US government operations like Minaret, Shamrock, Cointelpro etc. to surveil US domestic political activities, from black civil rights, to Vietnam doves, to a very extensive surveillance of feminist groups. Cointelpro also involved US intelligence disrupting political movements, writing poison pen letters (a database admin and 60s peacenik I knew had one sent to his boss, a lawsuit later revealed the FBI sent it).
Nowadays this is PRISM, Xkeyscore etc. interacting with the telco monopolies and FAANG, to spy on Angela Merkel's phone calls (along with BND turned by the CIA), disrupt Airbus contracts in favor of US aerospace etc.
> Hyperbole about a crappy thing, like the bloatware pre-installed on most new laptops and phones by the vendor? An open secret, with discussion about it suppressed?
Personally, I worry about things like IME based on an entirely hypothetical theory: I think many of the big tech companies are riddled with spies from a variety of nations.
My rationale for this is simply that if I was in charge of a spy agency's offensive cybersecurity group, my top priority would be placing agents in Microsoft, Apple, Google, Cloudflare, Juniper, Cisco and so on. They'd have orders to be careless in undetectably subtle ways - nobody's imprisoning a guy just because he added log4j to the codebase in 2010. To me this seems well within the capabilities of a spy agency with a multi-billion-dollar budget and tens of thousands of employees.
Even with code reviews, I doubt anyone could deliver a project like IME with no security bugs, if five of their peers were compromised by different nations' spy agencies.
If you think that's completely believable and what else would spy agencies be doing in the modern age, you'd be very suspicious of IME. But if you think that's an undisprovable conspiracy theory with no solid evidence whatsoever, you might think IME sounds just fine.
> my top priority would be placing agents in Microsoft, Apple, Google, Cloudflare, Juniper, Cisco
Interesting thought. Or more likely, I'd guess, spy agencies might recruit existing Big Tech company employees who have access to sensitive and desirable things. That's usually how it happens, reportedly, when American security clearance holders get caught doing bad things: they aren't deep cover agents who spent years working their way into position, they approached or got approached by foreign agents because of their position.
The existence of the High Assurance Platform (HAP) bit makes it pretty clear that
1) three-letter agencies don't trust the IME, and strongly implies that
2) they asked for it to be there in the first place.
Yeah, that's the kind of thing I've seen before, lots of circumstantial evidence that makes the claims sound plausible, but then the trail just seems to stop cold.
Absence of evidence isn't evidence of the absence thereof.
That it runs cold lodges it firmly in the "we are pointedly not going to talk about it" space, which for me is where the worry even starts. If my little gray hat wearing mind can come up with plausible ways to exploit something like that...
A) I am not that smart
And
B) Someone in a position to pull something like that off has probably already implemented it.
Only when your priors are that absence of evidence (in the sense of the trail going cold) is normal. Your parent comment's point is that this is a conspicuous absence of evidence.
This is offered very much in a “take it for what you will but for obvious reasons I am not going to give many more details” spirit. I worked for a major player in cybersecurity back when they were really trying to get everyone onboard with SGX. Our CISO was a technical guy, and worked closely with a peer who had a hybrid academic and professional background in cryptography. They both had strong credentials in mathematics and one was a practicing mathematician at one point.
After a thorough review, all of the stakeholders who reviewed it told the executive leadership not to touch it because their opinion was that it couldn’t offer anything meaningful beyond what we already had in place using the Windows API and its interface with the TPM, and they had concerns about what they felt were insufficiencies in the SGX design.
That experience was a bit more in-depth than I’ve detailed here, but the takeaway for me was that Blue was desperately trying to justify a technology that wasn’t what it was hyped up to be.
I’ve often thought IME is the same thing, “different day”.
> By this logic, should we not be outraged by 19th and 20th century genocide?
Well, no. I don't think you will actually find a real person living today that matches a real definition of "outrage" for genocides in the 19th and 20th centuries.
Discarding performative theatrics, you will find people who all agree it was bad... but they won't be literally outraged. The passing of time, and generations, has that effect.
Pretty sure Holocaust survivors and their immediate families, not to mention the scarcer immediate family members of Holocaust non-survivors, are still outraged about the Holocaust. I don't think that's performative theatrics.
Not the impression I've got. People come to terms with it - I'm not saying they would be wrong to still be outraged, but the human mind isn't built to keep that up for decades.
Intel vPro and similar systems centralize power over communication and record-keeping in a way that has historically been both necessary and sufficient to cause atrocities like the Holocaust, the Great Leap Forward, GULAG, and so on.
But, because of newly pervasive computer mediation of day-to-day interactions, these spyware systems potentially provide a degree of centralized social control that Stalin or Mao could never have dreamed of. Recent infringements on human rights in XUAR provide a preview of the resulting future. Essentialist explanations that attribute them to some unique depravity of the Chinese race are utterly implausible; they are due to the lack of effective checks and balances on state power.
Consequently we can expect the atrocities resulting from systems like vPro to be far worse than the Holocaust or any other historical events.
I cannot tell if you are arguing in good faith or if this is some very clever wit.
Comparing vPro to Stalin, Mao, the Holocaust and more is really not serving to forward your argument... particularly while you have an iPhone or Android device in your pocket, watch curated TV content on your Smart TV, and drive your modern car into the office where you use your Windows or OSX computer and ISP provided DNS.
This would definitely count in the "performative theatrics" category of any normal book. Why is this age so sensationalized? Words are becoming meaningless due to overuse, abuse and re-definition to fit convenient arguments...
>particularly while you have an iPhone or Android device in your pocket
- I don't.
>watch curated TV content on your Smart TV
- I watch media from physical discs on a TV with no network interface.
>and drive your modern car into the office
- I drive a car made before 2005.
>where you use your Windows or OSX computer
- None of my personal machines run any software developed by Microsoft or Apple.
>and ISP provided DNS.
- I do not.
Also, I have privacy expectations from my personal devices that I do not have of my workplace devices - privacy expectations that are threatened by ME/PSP.
You are either the Gray Man or you live in a cabin in the woods... or you're not quite as clever at disconnecting as you might think. If you use technology in 2022, it's reporting on you. It is that simple. And everyone, despite their best efforts, uses some technology.
These were contrived examples to highlight all the different mundane items in our daily lives that track and report on our behavior, habits, data, etc. Most of these we do not even consider as hostile devices or services... yet they are. In your example you buy DVDs... where did you get them? How did you pay for them? You were tracked and reported despite trying to be clever.
It is truly hard, next to impossible to operate in our society with total privacy, unfortunately.
This sidebar was brought on by someone bizarrely trying to connect IME first to the Holocaust, and then to Stalin and Mao, which I will never understand. IME isn't the only privacy hill to die on... and frankly, that hill already has too many bodies on it.
>If you use technology in 2022, it's reporting on you.
Categorically impossible statement to apply universally. I have several machines that do not have the physical hardware necessary for any kind of networking. I also have multiple machines that do not have ME fully functional. My most upstream local router, running open source firmware, has whitelist rules for outbound traffic and blocks by default. I also have detailed traffic analysis running 24/7 on my other routers, running different open source firmware. I regularly review for any traffic that I cannot definitively associate to my own activity, and I regularly mix and match the network route my devices take outbound to look for anomalies.
>In your example you buy DVDs... where did you get them? How did you pay for them?
As opposed to copying a friend's discs, or receiving them as gifts, both of which apply to a nonzero number of my movies and shows? What if I did buy them and paid in cash? Not cash received from an ATM or bank teller, of course, but cash received as payment from a customer at a farmer's market?
>IME isn't the only privacy hill to die on... and frankly, that hill already has too many bodies on it.
Privacy is somewhat like security in that you're never truly "done" implementing it. That's not an excuse not to strive for it. While it remains unproven that ME/PSP actually is a functional backdoor, there's no good reason to trust these subsystems. I have personally observed Ryzen-based systems attempting to send outbound traffic while the system was hibernating (before you ask, I will not reveal any metadata about this traffic publicly for obvious reasons.) I know I personally would gladly pay 3x MSRP for Ryzen chips without the PSP. I know many other people who would pay well above MSRP for modern Intel/AMD chips that do not have these subsystems. Market demand is there. The fact that neither major chip producer even offers the option to purchase chips without these subsystems should absolutely continue to arouse suspicion.
You are correct that there are many other issues like writing style analysis, timing analysis (including netflow metadata being sold by your ISP to Team Cymru), many entire threads could be filled with software privacy threats, etc, but again - that's not good justification to just throw your hands up and stop caring altogether. Privacy is an uphill battle in a losing war in today's world, but I for one will not stop fighting. I have a natural human right to privacy, not granted by any man, nor a million men calling themselves a government, and I will stop at nothing to exercise that right.
To your point, that insistence does push me closer and closer to the "cabin in the woods" lifestyle than a vast majority would be comfortable with.
I am not comparing vPro to Mao, and no reasonable person could construe my comment as comparing vPro to Mao.
I am comparing vPro (and similar hardware backdoors) to the totalitarian central government control established by the PRC in the early 01950s, in compliance with widely accepted Communist doctrine, which resulted in inevitable atrocities several years later — in this case, the Great Leap Forward, which was the worst famine in human history. Mao was far from unique among heads of totalitarian states in carrying out mass atrocities. Like hardware backdoors today, totalitarianism was new enough at the time that reasonable people could disagree about its likely effects, but in retrospect the causality is obvious.
I do not have an iPhone or Android device in my pocket (although I do carry one on special occasions), watch "curated" TV content on a "Smart TV", drive a modern car, or use [Microsoft] Windows or OSX. Furthermore, there is no basis for you to suspect that I do these things; you are attempting to drag HN down into the slime of Twitter-style "gotchas" instead of attempting to rise to the level of collaborative exploration of the truth.
Moreover, even if I did suffer these afflictions, it wouldn't make my argument invalid — even if it were not so wide of the mark, your inept attempt at a rebuttal is at best an argumentum ad hominem of the same sort as those who dismiss Noam Chomsky's criticism of US foreign policy on the basis that he pays US income tax.
I am disappointed in your total failure to engage in rational argument. You're arguing at the animal layer of vague emotional associations rather than reasoning about causes and effects. Please, try to do better.
(I do use ISP-provided DNS, which is a problem but not in the same category.)
Undoubtedly when Mao drove the Kuomintang out of the Mainland, there were people who "really fail[ed] to see how one could believe it rational" to fear that within a decade Mao would starve to death ten times as many innocent people as the Kuomintang had ever murdered, particularly since such a large democide had never happened before in history. Then, it happened.
I'm in no way conflating the impact of the two, I'm pointing out that the implication of the original comment "It's just too old for people to be outraged about still", is that people shouldn't be outraged at evil things solely because those evil things happened a long time ago.
The implication itself is ridiculous. Time does not make evil things less evil.
To suggest that I'm contrasting the impact of ME (not the same as vPro) with the holocaust is either blatantly missing the point or a deliberate, bad faith strawman.
The word "outrage" is problematic. It implies, by its very definition, that the mere mention of these things brings people into a fury of uncontrollable anger.
I would wager people are abusing the word and changing its meaning to sensationally signal displeasure or disappointment with historical events. Those are not the same.
Outrage has an emotional immediacy to it. It's really hard to be actually outraged by events that transpired 40 years ago, 100 years ago, centuries ago or more.
I assert there is no human alive today that is actually, really outraged by the Holocaust or any of the other atrocities mankind has perpetrated over its history. Who would they be outraged with? Hitler - who has been dead for 77 years?
It would be quite emotionally immature to be literally outraged with any of this in a modern context...
This is a fair criticism. That said, I have a hard time believing that anyone was literally brought into an uncontrollable rage over ME even when we first found out about it. Additionally, nobody in the comment section appears to be in such a state.
Accordingly, I assumed that the top level comment was using "outrage" defined closer to the most scathing comments posted, perhaps as "unwilling to forget about, or accept".
We have no duty or obligation to forget about or accept the risks of unauditable, embedded microprocessors with full, undetectable access to onboard GbE, memory, main CPU registers, PCI devices etc. This subsystem poses extreme risk to privacy. The fact that it is impossible to purchase new consumer-grade (not $1,000+ Power9) chips without this subsystem is consistent with what we would expect from an on-chip backdoor should one be proposed (or imposed) by US intelligence agencies, which have a lengthy history of rampant human rights abuses, a mission focused on violating privacy, a history of attempting to impose similar subsystems (Clipper chip, MS Palladium), and who have a clear economic incentive to develop access that doesn't require them to keep playing the continual cat-and-mouse game of software exploit development and management.
I'm extremely skeptical of the intentions of anyone telling me that I should not be angry about the fact that there is an unauditable subsystem that heuristically matches almost everything needed for the MVP of a hypothetical hardware backdoor, that I cannot freely decide not to have bundled with new hardware, solely for the reason "its existence has been known for close to a decade".
This top-level comment reeks of COINTELPRO-esque efforts to convince individuals to risk-accept a subsystem they have zero incentive to keep, but that intelligence agencies have massive incentive to retain, should it actually be a backdoor.
While it's a flawed philosophical/psychological model for reality, the seven stages of grief is quite applicable here. Why do people "get over" grief? Time...
Grief never actually goes away, but it lessens to the point where it no longer is emotionally painful to think about. Grief lessens after every thought has been thought, every word has been said, every emotion has been felt, over and over to the point where there's nothing left. Time heals all wounds, as it has been said.
The reason people are not feverishly debating IME anymore is time. All of the arguments have been made... over and over. At this point, people are tired of the same things being said ad nauseam.
This is the same reason we see systemd-related comments downvoted and flagged into oblivion. People are tired of it...
So, while most of us agree IME is probably not something the average home user wants or needs, and IME is probably something that should be resisted... people are just not going to get worked up about it at the mere mention of IME anymore. That time passed... and therefore the word "outrage" is wildly inappropriate when applied here.
> Your implicit claim to possess superior emotional maturity
I do possess superior emotional maturity over those who wield the Holocaust as a tool in arguments about computer processors for internet points... yes.
> Holocaust survivors who remain outraged
I think your interpretation of "outrage" needs updating.
Those two things have disproportionate direct impact and can’t really be compared on the same level. But apples for apples, school educates students about genocide and not about the privacy considerations of backdoor chips.
I'm in no way conflating the impact of the two, I'm pointing out that the implication of the original comment "It's just too old for people to be outraged about still", is that people shouldn't be outraged at evil things solely because those evil things happened a long time ago.
The implication itself is ridiculous. Time does not make evil things less evil.
To suggest that I'm contrasting the impact of ME (not the same as vPro) with the holocaust is either blatantly missing my point (that the implication of the original comment is obviously completely false) or a deliberate, bad faith strawman.
It's not talked about more because it's a crazy conspiracy theory that has no merit. After all these years of scrutiny the worst vulnerability required physical access and disassembly in order to perform a hardware attack.
The people who believe this conspiracy theory, like many others, peddle misinformation to prove their point. No matter how much you try and debunk it you can't change their mind.
Yeah, see that's the other side of the story that doesn't seem to be told much either, and I'm interested in that too. It does seem like some researcher or journalist should have blown the case open by now if this thing were systematically providing telemetry from everyone's "powered off" (but still plugged in) machines to an intelligence agency. Can you point to an article or paper that thoroughly debunks the claims as crazy conspiracy theories?
The claims shift around so that they're nondisprovable. Someone could say that ME is a backdoor that has never been activated and will be undetectable until some future day when it is activated.
It’s a backdoor for sure. I think the extensive online campaign which desperately tries to prove it's not, proves it is. Who can afford to police EVERY forum, social media platform, and web site only to call people mentally ill for suspecting it is? It’s a pattern which only fits certain players.
Nobody has any real material gain from tricking people into believing the earth is a sphere.
Conversely, if ME/PSP actually is a hardware backdoor:
1. The proprietor of the backdoor would've expended considerable resources designing, implementing, testing, and distributing it, and thus would have an economic incentive not to see it exposed and discarded so as not to incur development expenses on a successor.
2. The proprietor of the backdoor would have an operational incentive to not have collection disrupted by the backdoor being detected, exposed, and discarded.
Your comparison of what looks like a real conspiracy to a known character-assassination conspiracy (flat earth) is consistent with COINTELPRO techniques.
I'm not accusing you of being a bad-faith actor, but you're arguing against someone who is opposed to an alleged US intelligence agency backdoor, using rhetoric consistent with known techniques used by US intelligence agencies to disrupt conversations (and discredit participants) who are exposing US secrets.
> you're arguing against someone who is opposed to an alleged US intelligence agency backdoor, using rhetoric consistent with known techniques used by US intelligence agencies to disrupt conversations
Then they should use better arguments and not "everyone saying one thing somehow proves the opposite".
First they make you drink fluoridated dihydrogen monoxide, then when you get a job in enterprise IT, the extra ions in your teeth make you pay extra for vPro.