
How to become the sole owner of your PC [pdf] - ashitlerferad
https://github.com/ptresearch/me-disablement/blob/master/How%20to%20become%20the%20sole%20owner%20of%20your%20PC.pdf
======
userbinator
30 years ago you could buy an IBM PC/AT and it would come with schematics,
detailed programming information, and the complete source code listing for the
BIOS[1]. There wasn't really anything "hidden", and you really felt like "the
sole owner of your PC". The PC became the dominant platform because of this.
Now, because of corporate interests[2][3], much of it is officially under a
thick layer of red-tape NDAs, and what little else interesting out there comes
mainly from leaks (be thankful for East-Asian companies' insecurity...), and
there are still plenty of things hidden away. On the other hand, all of
this stuff _is_ documented somewhere; whether that documentation will ever see
the light of day is the real question (for anyone reading this who does
possess such information: please do the right thing ;-) Especially when it's
far easier now than before to distribute lots of data, putting the complete ME
programming documentation and maybe even source code online as a download or
on a disc to be supplied is entirely feasible. But Intel decided against it,
leading me to think they really intended it to be a backdoor-ish sort of
thing, and that makes me really sad.

[1]
[https://archive.org/details/bitsavers_ibmpcat150ferenceMar84...](https://archive.org/details/bitsavers_ibmpcat150ferenceMar84_26847525)

[2]
[http://boingboing.net/2012/01/10/lockdown.html](http://boingboing.net/2012/01/10/lockdown.html)

[3]
[http://boingboing.net/2012/08/23/civilwar.html](http://boingboing.net/2012/08/23/civilwar.html)

~~~
13of40
> they really intended it to be a backdoor-ish sort of thing

Occam's razor says they really just sell a ton of CPUs to huge datacenters and
wanted to solve the problem of having to have some tech go out and physically
reset a machine when it misbehaves. If you've ever accidentally powered down a
machine that's sitting in some lights-out facility in Northern Alabraska, this
kind of technology is a godsend. Now I'm not saying I'd bet my hat that it's
100% secure, or that Intel couldn't be thumb-screwed by the feds to use it as
a backdoor in some scenario, but it wasn't built from the ground up to be one.

~~~
4ad
No, Occam's razor says that if all you want to do is LOM, you put an
embedded computer running Linux and ssh, connected only to power and to the
console, and nothing else, not a SPARC (?!?) core running proprietary code
that does _way, way_ more than just implement support for LOM, and which has
access to all memory and CPU state.

~~~
kryptiskt
It's not a SPARC, it's an ARC. It's a very different processor.

~~~
Zardoz84
Wasn't ARC a simplified SPARC for teaching CPU architecture? I had to build
it in VHDL in my first year.

~~~
4ad
Well I have no idea how ARC came into existence, but looking at the ISA, it
has nothing in common with SPARC (I write SPARC compilers for a living, so I
know the ISA pretty well).

~~~
mattbee
I don't know the full story, but it was a spin-off of the work that Argonaut did
for the SuperFX chip in Star Fox on the SNES ->
[https://en.wikipedia.org/wiki/ARC_%28processor%29](https://en.wikipedia.org/wiki/ARC_%28processor%29)

------
yoo1I
Relevant, related talk from 32C3 by Joanna Rutkowska

[https://media.ccc.de/v/32c3-7352-towards_reasonably_trustwor...](https://media.ccc.de/v/32c3-7352-towards_reasonably_trustworthy_x86_laptops#video&t=0)

------
keyle
I've never heard of this before. This feels like science-fiction. You'd think
this would have blown over the internet 50 times over? What can 'they' do with
this?

~~~
zanny
It is like cell phone radios with DMA access. Anything they want, in practice.
If you are buying any computer commercially it always has backdoored hardware
with a wholly proprietary coprocessor with networking and memory access.

~~~
unusximmortalis
Can you please share links of evidence of this? Thank you

~~~
GrumpyYoungMan
See
[http://www.osnews.com/story/27416/The_second_operating_syste...](http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone)

Every brand of smartphone has this secondary firmware, entirely separate from
the primary OS. Without it, you can't connect to the cellular network.

------
setra
Just more evidence that modern CPU designs need to die, and that a libre
alternative is required.

~~~
pjlegato
The problem to be solved here is not just software. How do you beat the
economies of scale that standard designs have achieved?

For most applications, the end user gets _vastly_ more computing power per
dollar spent when they buy an off the shelf design that's in large scale mass
production.

You could port BSD or Linux to your new architecture for a reasonable amount
of money (though that's already an uphill battle selling that to a consumer).
How are you going to even come close to the unit economies of scale that Intel
and other large established players enjoy?

~~~
gcb0
do you need 40ghz with 32 cores or 2 cores at 1.5ghz and the guarantee of full
control?

for personal computing, I'd take the latter

~~~
marssaxman
By far the latter. My computation needs have been satisfied for years now;
paternalistic, insecure platform lock-in crap irritates me far more than
access to cutting-edge technology would benefit me.

------
Samis2001
While I wait patiently for more open hardware designs to become more popular /
actually used (Be it SPARC, RISC-V or something else), I wonder what AMD's
equivalent functionality is like in comparison to this - I strongly doubt that
no equivalent exists for AMD CPUs.

~~~
spash
From [https://libreboot.org/faq/#amd](https://libreboot.org/faq/#amd)

# Why is the latest AMD hardware unsupported in libreboot?

It is extremely unlikely that any post-2013 AMD hardware will ever be
supported in libreboot, due to severe security and freedom issues; so severe,
that the libreboot project recommends avoiding all modern AMD hardware. If you
have an AMD based system affected by the problems described below, then you
should get rid of it as soon as possible. The main issues are as follows:

# AMD Platform Security Processor (PSP)

This is basically AMD's own version of the Intel Management Engine. It has all
of the same basic security and freedom issues, although the implementation is
wildly different.

~~~
userbinator
_The PSP is an ARM core with TrustZone technology, built onto the main CPU
die._

That sounds even worse than ME:

 _Intel Management Engine (ME) is a separate computing environment physically
located in the (G)MCH chip._

Theoretically, if a third-party can figure out how to make a compatible MCH
they can use Intel CPUs without ME, but that is impossible with AMD's design.

Then again, developing a compatible MCH would be nontrivial too --- the last
truly "open" x86 bus interface was probably Socket 370 (still in use by VIA
and others), and the later bus interfaces are such high speed that they
require some _very_ expensive signal analysers to even see the communications
properly.

------
kriro
There's always the non x86 path.

I have recently purchased a pi-top which is basically a 3d-printed laptop case
+ laptop battery + keyboard + display + raspberry pi 3. The keyboard could be
better and I'll swap out the pi for a beagle bone black (pi comes with a
binary blob) but it's a surprisingly useful package. I only bought it to
experiment a bit with ARM assembly on the go but it's actually powerful enough
for a lot of day to day stuff (mail, surfing, libre office, programming). Not
great but good enough.

Of course you have to be willing to trade speed and availability of some
programs for that control but in theory a beagle bone + input and output
devices is a nice little open machine for a lot of day to day stuff.

~~~
notalaser
ARM isn't a lot better. It helps that the (relatively simple) boards have the
schematics available, but most platforms require binary blobs and there are
few of them that don't have a bunch of useful information tucked away behind a
gazillion NDAs.

The various warts in the implementation (e.g. no BIOS, so there's quite some
effort going just into making something boot on a new ARM board) and the non-
standard, or just closed source-dependent, augmentations that are required in
order to make an ARM CPU do anything breathtaking (PowerVR and Mali, TI's
EVEs) also mean that, at least if you're using Linux, you're often living
outside the mainline kernel. I have very few kind words to say about some of
the code that I've seen in manufacturers' kernel trees, _especially_ on
let's-pump-two-more-cores-before-next-years-mobile-world-so-that-we-can-play-
a-demo-that-looks-exactly-like-last-year-except-salespeople-are-gasping-for-
some-reason, the ancient Indian name by which ARM is also known in some
places. I would rather not have useful/important data reside on devices which
run that stuff.

~~~
kriro
I have admittedly not investigated it very deeply but the Beagle Bone Black
seems good enough with compromises. AFAIK it will boot without a blob but
contains one for the GPU (PowerVR). The device will run non-OpenGL stuff fine
and I believe there is some progress on reverse engineering an open driver.
There's armv7 (am335x) from OpenBSD which is my base indicator that it's at
least somehow usable without any blobs.

I'll yield to more informed people but searching a reasonably useful and
completely open (I guess I can live without HDL for everything but it would be
nice) machine has been a quest I go on every now and then. ARM seems to be the
best (and most affordable) bet. I'll gladly take other suggestions as the
whole ARM licensing model doesn't really sit well with me.

~~~
notalaser
I go on that quest every once in a while, too, but without too much luck.

I haven't run OpenBSD on the BeagleBone Black, but I imagine it has no
graphical output of any kind. I see the X packages but the only on-board
devices that are listed as supported are:


    BeagleBone, BeagleBone Black
    Supported on-board devices:
      standard serial port (com)
      watchdog controller (omdog)
      ethernet controller (cpsw)
      GPIO controller (omgpio)


so it boots but it seems a little unlikely that you can do much post-1980s
work on it.

I run into various ARM platforms at $work. The platform, as a whole, is
_probably_ a step backwards from e.g. PowerPC; it's very relevant today
because its power consumption is very hard to beat, and between mobile phones,
tablets, IoT and in-car infotainment, this is an important topic. But unless
you _need_ something that's super low power, the only thing ARM CPUs have to
show for themselves is that they aren't x86. This is more than made up for by
the headaches involved in getting stuff that runs on a company's Cortex A7
to run on another company's Cortex A7.

This isn't to say that it's a _bad_ thing. Pre-64-bit ARMs were designed (with
the exception of some really old stuff in the 80s) as a platform for
appliances, not for computers. They're excellent for designing phones and
tablets and smart TVs and whatnot. It's trying to bolt a general-purpose
environment on top of them that gives people headaches.

~~~
rjsw
The display controller on ARM SoCs is typically separate from the Mali or
PowerVR GPU and is often documented. If there are multiple ARM cores on the
SoC then the display may still feel fast enough for basic stuff even though
the CPU is doing all the work. Another factor is that some modern GPUs are 3D
only, the graphics stack gets a lot more complicated if it has to translate 2D
requests from an application into OpenGL calls to the GPU.

NetBSD has a framebuffer driver for TI OMAP CPUs so it could be possible to
port it to OpenBSD.

~~~
notalaser
Ah -- yes, on many (most?) devices, you can get framebuffer output without the
GPU. I just don't know if OpenBSD has that.

------
Animats
Has anyone found a remote attack via the Management Engine yet? It's basically
a backdoor; there must be some way to make it do things.

~~~
spydum
perhaps everyone who finds something disappears? </sarcasm>

seriously, AMT is stuff of nightmares. runs even when machine is powered off.

~~~
nickpsecurity
AMT is the reason I mock anyone here that talks about concerns of backdoors in
Intel's RNG's being ridiculous. The whole CPU is backdoored with a backdoor
that can run when it's _off_. Including probably the RNG given debug wires are
probably connected to it. Let's not worry about one feature when we have a
subversion this big.

Biggest irony: they advertise it as a feature for IT management. ;)

~~~
Spooky23
My team spent a bunch of time looking at AMT as a management tool -- it adds
lots of complexity and accomplishes almost nothing that cannot be done more
easily in a half dozen other ways. The only functionality we saw any real use
for was an always-on VPN and remote wake-up where networks block WoL.

The other thing that's even stranger is Absolute Software, a little company
nobody has ever heard of who somehow got every OEM to bundle their code in
system BIOS for theft recovery since the 90s.

~~~
nickpsecurity
re Absolute

It seriously reads like a botnet description. I'd have believed them if they
said "From the innovators behind Storm comes new endpoint protection..."

[https://www.absolute.com/en/about/persistence](https://www.absolute.com/en/about/persistence)

~~~
Spooky23
It is pretty disturbing. We were lobbied pretty heavily to evaluate it and did
some field tests as a result.

You can do some wacky shit with it. There is one mode where you can configure
it to delete certain directories or files to screw around with a thief. That
can be tweaked to delete files that the system needs. Those modes are
persistent, and even after reformatting or replacing the boot media, the agent
will reinstall and retrieve its policy file.

If you use it with Intel AMT, it can also brick the device permanently.
([http://www.intel.com/content/dam/doc/product-brief/mobile-computing-protect-laptops-and-data-with-intel-anti-theft-technology-brief.pdf](http://www.intel.com/content/dam/doc/product-brief/mobile-computing-protect-laptops-and-data-with-intel-anti-theft-technology-brief.pdf))

Everyone who tested the product had two questions: "Who is buying this?" and
"How do I get this dormant code off my devices?"

Laptops aren't cheap, but they aren't expensive enough as an asset to care
that much about recovery. And there are arguably better ways to safeguard data
assets.

------
elijahparker
I'm looking forward to this being complete:
[https://www.olimex.com/Products/DIY%20Laptop/](https://www.olimex.com/Products/DIY%20Laptop/)

Any ideas what a Chinese ARM chip might have for backdoors?

~~~
snaky
Anything.

------
niels_olson
So ... is my macbook or Dell server pre-pwned by Intel and re-pwned by the
Chinese? What, exactly, am I supposed to be afraid of here?

~~~
tk32
Nothing, as long as you have nothing to hide. :-)

~~~
markokrajnc
So if you have business secrets, you will have worries... :-)

------
jaytaylor
Does anyone know of a tool or even sequence of actual commands to disable the
Intel ME AMT functionality?

Did I miss it in the slides?

I see explanations and low-level temporary/soft-disablement references, but
nothing immediately actionable.

~~~
riscy
There is no prescribed way to disable it, and it looks like the slides only
provide a glimpse of the workarounds/hacks needed to do so. I imagine there's
a lot we're missing from this presentation, though, because it looks like
there was a demo.

~~~
GranPC
The demo is also available in the repository.
[https://github.com/ptresearch/me-disablement/blob/master/Intel%20ME%20disabling%2C%20PHDays%20VI%20Demo.m4v](https://github.com/ptresearch/me-disablement/blob/master/Intel%20ME%20disabling%2C%20PHDays%20VI%20Demo.m4v)

------
casca
Direct link to the PDF: [https://raw.githubusercontent.com/ptresearch/me-disablement/e089b0e583070bc9a87b2d8e27ad7a9b0275f374/How%20to%20become%20the%20sole%20owner%20of%20your%20PC.pdf](https://raw.githubusercontent.com/ptresearch/me-disablement/e089b0e583070bc9a87b2d8e27ad7a9b0275f374/How%20to%20become%20the%20sole%20owner%20of%20your%20PC.pdf)

------
King-Aaron
So, forgive me for this probably being an oversimplification, but is this the
same sort of thing as the old Clipper Chips?

[https://en.wikipedia.org/wiki/Clipper_chip](https://en.wikipedia.org/wiki/Clipper_chip)

~~~
khedoros
As I understand it, the clipper chip was a combined encryption accelerator and
key escrow device, with the escrow basically working as a government backdoor.

The Intel Management Engine is another computer in your computer, running its
own OS, and able to see everything your computer is doing, and modify it,
including things like network transfers.

------
incompatible
How about firewalling whatever ports the Intel code may use? If it can't
communicate with the Internet, presumably it's not likely to do any harm.

~~~
yoo1I
That only works for very simple surveillance. It has _complete_ control over
your hardware, and it can encode information that it wants to get off of the
system in a variety of different ways.

If you want to firewall ports or IP addresses on the machine itself, obviously
that doesn't do anything, so what you'd need to do is do it on your router
(that you hope doesn't have a similar backdoor that cooperates with ME), first
you'd need to _know_ what to block, which is difficult enough, and then you'd
have to trust that that information doesn't change.

But even then all it takes is for AWS or CloudFlare or $Foo to collude with
Intel to get at your juicy data again, so you really would need to work on a
blocked-by-default basis, which is possible, but not really practical,
depending on what you're doing.

It really depends on what your threat model is. If you're a high value target
to someone with a lot of resources, you're essentially screwed.

It can broadcast information via your speakers, and maybe even your
microphone. It can encode data in the timing of your packets as they leave
your system. It can encode data in its power consumption, it can encode data
in what it sends to the screen, it can send data out via bluetooth or wifi.
There are probably more ways that I didn't think of off the top of my head.

We have Free Software all the way down to the firmware level. Not widely
available, but the potential is there. That is good.

But for computers that we can really trust, we need to go deeper.

 _looks up Czochralski process_
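
The comment above makes two separate points: that host-side filtering is useless against a coprocessor that sits below the OS, and that even at the router you first need to know what to block. For the stock AMT configuration the second part has a documented answer, so here is an added example (not from the thread, the slides or any vendor tool) that uses Intel's published AMT defaults: TCP 16992/16993 for the HTTP/HTTPS management interface, 16994/16995 for the redirection (SOL/IDE-R) service, and 623/664 for ASF/RMCP. It emits an nftables ruleset for a router's forward chain and checks a line of `nmap -oG` output for those ports. The scan line is constructed for the example. This is a baseline hygiene check against the advertised interface only; it does nothing about the covert channels the comment describes.

```shell
#!/bin/sh
# Added example, not code from the thread. Port numbers are Intel's documented
# AMT defaults; the sample nmap line below is constructed, not a real scan.
AMT_PORTS="623 664 16992 16993 16994 16995"

# Print an nftables ruleset that drops AMT traffic crossing a router.
# Apply on the router (not the host under suspicion) with:
#   amt_block_ruleset | nft -f -
amt_block_ruleset() {
    set_list=$(echo "$AMT_PORTS" | tr ' ' ',')
    cat <<EOF
table inet amt_block {
    chain forward {
        type filter hook forward priority 0; policy accept;
        tcp dport { $set_list } counter drop
        udp dport { 623,664 } counter drop
    }
}
EOF
}

# Given one host line of grepable nmap output (nmap -oG), print the AMT ports
# that show up as open, space separated, in ascending order.
amt_open_ports() {
    line=$1
    found=""
    for p in $AMT_PORTS; do
        case "$line" in
            *" $p/open/"*) found="$found $p" ;;
        esac
    done
    echo "${found# }"
}

# Constructed sample of what 'nmap -p 623,664,16992-16995 -oG -' prints for a
# host with AMT's web interface reachable (hypothetical address).
SAMPLE_SCAN='Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 16992/open/tcp//amt-soap-http///, 16993/open/tcp//amt-soap-https///'

if [ "${1:-}" = "demo" ]; then
    echo "open AMT ports in sample: $(amt_open_ports "$SAMPLE_SCAN")"
    amt_block_ruleset
fi
```

Run with `sh script.sh demo` to see the parsed sample and the generated ruleset. Scan the machine from a second box, never from itself: AMT answers on the NIC's own address regardless of what the host OS is doing, which is exactly why a host firewall never sees the traffic.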

~~~
kuschku
And it cooperates with Intel NICs - and when the ME is half-disabled, the NIC
starts showing erratic behaviour.

I’m back to using a realtek NIC from 2006 now.

------
mashlol
The PDF won't open for me on a Nexus 5, doesn't show thru githubs mobile site
either.

Edit: It worked when I requested the desktop version of github though.

~~~
yoo1I
_Sigh_... crashes on Chromium on Linux as well.

<tinfoil_hat>maybe ME is detecting it and wants to prevent us from knowing
about it?!?</tinfoil_hat>

~~~
redcap
Thrashes a bit in Chrome on Windows for me.

------
markel777
The best way to disable Intel ME is to reflash your system with ME FW in
Manufacture mode (if your system isn't already in that mode) and then use the
ME runtime disable command (can be sent by me-tools
[https://github.com/skochinsky/me-tools](https://github.com/skochinsky/me-tools)) at each boot
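
Before reflashing the ME region as the comment above suggests, a practitioner will want to see what the region actually contains. The following is an added example, not code from the thread, the PT Security slides, me-tools or me_cleaner. It reads two documented on-flash structures: the flash descriptor (signature 0x0FF0A55A at offset 0x10, FLMAP0 at 0x14 whose bits 16..23 give the region base address in 16-byte units, and 32-bit FLREG entries for the descriptor, BIOS and ME regions, each carrying base and limit in 4 KiB units) and the ME region's `$FPT` partition table (magic 0x10 bytes into the region, entry count at +0x14, 32-byte entries from +0x30 holding name, owner, offset relative to the region start, size, three token fields and flags). The 1 MiB image it parses is constructed inside the script; on a real machine you would feed it a dump taken with an external programmer, since the descriptor normally denies the host read access to the ME region.

```python
"""Inspect the Intel ME region of a SPI flash dump (added example)."""
import struct

FD_SIGNATURE = 0x0FF0A55A          # flash descriptor signature at offset 0x10
FPT_MAGIC = b"$FPT"                # ME partition table magic, region offset 0x10
FPT_ENTRIES_OFFSET = 0x30          # first 32-byte entry, relative to region start
FPT_ENTRY_SIZE = 0x20
REGION_NAMES = ("descriptor", "bios", "me")   # FLREG0, FLREG1, FLREG2


def flash_regions(image: bytes) -> dict:
    """Return {name: (start, end)} for the regions the descriptor defines."""
    (sig,) = struct.unpack_from("<I", image, 0x10)
    if sig != FD_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    (flmap0,) = struct.unpack_from("<I", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4          # region base address
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x1FFF) << 12
        limit = (((flreg >> 16) & 0x1FFF) << 12) | 0xFFF
        if base > limit:          # base 0x1FFF / limit 0 marks an unused region
            continue
        regions[name] = (base, limit)
    return regions


def me_partitions(image: bytes, me_start: int) -> list:
    """Parse the $FPT inside the ME region; one dict per partition."""
    fpt = me_start + 0x10
    if image[fpt:fpt + 4] != FPT_MAGIC:
        raise ValueError("no $FPT at ME region offset 0x10")
    (count,) = struct.unpack_from("<I", image, fpt + 4)
    parts = []
    for i in range(count):
        entry = me_start + FPT_ENTRIES_OFFSET + i * FPT_ENTRY_SIZE
        name = image[entry:entry + 4].rstrip(b"\x00").decode("ascii", "replace")
        # after name(4) and owner(4): offset, size, tokens_on_start,
        # max_tokens, scratch_sectors, flags
        offset, size, _, _, _, flags = struct.unpack_from("<6I", image, entry + 8)
        parts.append({"name": name, "offset": offset, "size": size,
                      "flags": flags, "abs_start": me_start + offset})
    return parts


def inspect_image(image: bytes) -> dict:
    """Regions plus ME partitions; the partition list is what a reflash touches."""
    regions = flash_regions(image)
    if "me" not in regions:
        return {"regions": regions, "partitions": []}
    me_start, _ = regions["me"]
    return {"regions": regions, "partitions": me_partitions(image, me_start)}


def build_sample_image() -> bytes:
    """Constructed 1 MiB image: descriptor at 0, ME at 0x1000, BIOS at 0x10000.
    Not a real dump; partition names/sizes are placeholders for the example."""
    img = bytearray(b"\xFF" * 0x100000)
    struct.pack_into("<I", img, 0x10, FD_SIGNATURE)
    frba = 0x40
    struct.pack_into("<I", img, 0x14, (frba >> 4) << 16)

    def flreg(start, end):            # encode base/limit in 4 KiB units
        return ((end >> 12) << 16) | (start >> 12)

    struct.pack_into("<3I", img, frba, flreg(0x0000, 0x0FFF),
                     flreg(0x10000, 0xFFFFF), flreg(0x1000, 0xFFFF))
    me = 0x1000
    struct.pack_into("<4sI", img, me + 0x10, FPT_MAGIC, 2)
    entries = [(b"FTPR", 0x400, 0x8000), (b"NFTP", 0x8400, 0x4000)]
    for i, (name, off, size) in enumerate(entries):
        struct.pack_into("<4s4s6I", img, me + FPT_ENTRIES_OFFSET + i * FPT_ENTRY_SIZE,
                         name, b"\xFF" * 4, off, size, 0, 0, 0, 0)
    return bytes(img)


if __name__ == "__main__":
    info = inspect_image(build_sample_image())
    for name, (start, end) in info["regions"].items():
        print(f"{name:10s} 0x{start:06x}-0x{end:06x}")
    for p in info["partitions"]:
        print(f"  {p['name']:4s} at 0x{p['abs_start']:06x} size 0x{p['size']:x}")
```

To use it on a real dump, replace `build_sample_image()` with `open(path, "rb").read()`. Checking the region bounds before writing is the part that matters: a reflash that lands outside the ME region, or a descriptor whose region entries no longer match what you flashed, leaves a machine that will not boot, which is exactly the failure the warranty joke further down the thread is about.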

------
dingle_thunk
Seems like if I really want to know what's going on at that level, I should
really use something more simple, like a raspberry pi...

~~~
technomancy
Why would you switch to a system that relies on NDA-protected chips when there
are free ones available like the BeagleBone?

~~~
dingle_thunk
Is a BeagleBone like a raspberry pi? :)

------
naveen99
It's only a matter of time. Once computer technology stabilizes, it will
become commodity, well documented etc. you can already make completely open
breadboards, that are more powerful than 50 year old computers. Might be
several decades though.

------
Qantourisc
Maybe we should all flash our Intel cpu, claim warranty, and keep the next
cpu. Initial support will have to RMA it under "The computer is broken it
shuts down after 40 secs!".

~~~
4ad
How would that solve anything? (Not that you could claim warranty anyway.)

------
gruez
Link to the talk?

~~~
TheWoodsy
[http://www.phdays.com/broadcast/](http://www.phdays.com/broadcast/) > Scroll
to bottom > Third last > How to Become the Sole Owner of Your PC

Talk is ~3.5 minutes, transcribed live to English. Sadly you're not missing much
by just looking at the PDF.

