Also, this topic has been rehashed to death on HN already.
> probably
Therein lies the issue. The real objection with ME isn't that it's "proprietary" or "non-libre" or whatever other ideological objections; it's that it's an opaque embuggerance that makes any analysis or reasoning about the system's security/trustworthiness/reliability completely impossible and specious.
It's 10PM. Do you know if your ME has been provisioned by evil malware?
I don't care about whether its source code is public or not, I care about the fact that I have no verifiable and irreversible way to disable that little implant's function. It's not an innocent housekeeping microcontroller, it's one hell of a remote-access tool, plain and simple. That intelligence agencies have demanded that Intel provide a bit to neuter the ME after its bring-up is testament to that.
My personal computer isn't part of an enterprise/corporate network, and I don't want any RAT (nor an auxiliary CPU with network access that is waiting to be provisioned to act like a RAT) installed on it, the same way my house lock isn't keyed with a master key that the police hold.
Your ME can trivially pwn your OS and can therefore access the network. Moreover, I'd be shocked if the ME couldn't reflash your full firmware. How? By subverting early boot or by subverting SMM. This means that an ME code execution exploit can very likely become persistent. I bet it can also fairly bypass Boot Guard. Secure Boot doesn't help at all.
The upshot being that it's very likely that a malicious USB stick can persistently compromise any modern Intel box in a fairly generic way.
This is bad.
So on the one hand SecureBoot & ME are terrible, but on the other hand the pre-existing security regime was also terrible.
The ideal would of course be for Intel to be more open about the ME, but who knows if that will ever happen.
This is something that governments worldwide, large criminal organizations and others would be interested in.
I can't believe I'm even typing something like this! It reads like something from a bad dystopian film. To even have something like Intel ME considered would have been mind-blowing enough. To have implemented it... there are no words.
It is a bit unfortunate that all we can do is disable some modules or set the HAP bit without knowing exactly what has been neutralized, but it's certainly far better than the extremely limited control Intel provides the user over the ME.
It will be interesting to see if Intel tries to make this more difficult with future iterations (it will certainly be even more suspicious if they do).
It's no replacement for a system with a trustworthy firmware, but right now the available choices aren't good.
The real title of the blog post is "The Bad Thing"; I'm glad that's not the HN title, but our current one is unrepresentative of the content. Perhaps, "Intel ME: The Bad Thing".