undefined | Better HN

0 pointsderefr9y ago0 comments

The thing that was listening is just AMT. The ME consists of a much wider suite of behaviors.

For example: there's an embedded-profile JVM for running Java Card smart-card software, allowing enterprises to deploy crypto auth firmware written for smart-cards directly to the device. This avoids the need to flash, deploy, and manage hardware smart cards, while also preventing the OS from being able to introspect said software's operation. (This particular feature almost sounds like a good thing, doesn't it? It's a programmable TPM!)

0 comments

2 comments · 2 top-level

lima9y ago

In fact, AMT isn't listening in the operating system either but directly on the ME.

What OP removed is probably some sort of OS-level agent that collects information about the system (installed software, patches, ...).

amluto9y ago

Hmm, a programmable TPM / secure element running as a program on an undocumented OS that also runs a web server and is probably not hardened (and might not even have privilege separation or even an MMU for all I know) but nonetheless has superpowers over the main CPU. I'll stick with a hardware TPM, thank you very much.

(Qualcomm's TrustZone kernel runs on a similarly limited but much better documented platform, does not run a web server, and has had a good share of vulnerabilities over the years. I see no reason to expect Intel's ME software stack to be any better.)

j / k navigate · click thread line to collapse