
I find people freaking out about this extremely strange.

AMT is Intel's equivalent of IPMI. It is a non-standard implementation of it, and does not follow any of the relevant specifications. It does not integrate into most server management platforms.

AMT costs extra. Most mobos do not have it enabled as you have to pay Intel's tax on it, even if some of the hardware to enable it is in every northbridge.

A motherboard must implement it to be available. Most of the motherboards we own don't have it enabled. You cannot "break into it" if AMT isn't available on your motherboard to begin with.

Not all ME chips can run it due to Intel's requirements.

Now, is the ME chip a threat? Possibly, but not as much as your cell phone's baseband modem is. The baseband modem can talk to outside networks, ME can't unless it is paired with a NIC it can talk to (Intel does not require mobos that have this; and generally, motherboards meant for AMT ship Intel NICs, but not always).

Without AMT, the only thing the ME does is implement management functions that allow you to actually boot and use the machine.

In the article, it says "Personally, I would like if my ME only did the most basic task it was designed for, set up the bus clocks, and then shut off," except it is kept running so you can properly sleep and wake up your machine, and also be able to change CPU frequencies at run time (i.e., idle the CPU), and also provide access to the sensors on the motherboard.

In addition, the ME handles Intel Smart Connect, which is also not available on all boards (Apple uses this to implement Power Nap). It also requires licensing, the same way AMT does, and many mobo manufs simply don't want to license it.

ME does not connect to the network if it doesn't have a payload that is able to do so (AMT, Smart Connect).

The reason people don't understand what ME is for is because all of the basic tasks the ME does used to be done by lots of custom hardware, much of it not provided by Intel and different on every board, and somewhat a bit of a driver nightmare.

I don't like standing up for Intel, but anti-ME articles that continually bring up AMT as if all computers have it are FUD. Very few computers have AMT, very few computers implement this OOB access, very few computers can implement AMT even if Intel let you purchase licensing for it after purchasing the hardware.

I'm not saying that ME is not a security hazard (it can be in some cases), but it isn't some ultra awesome NSA backdoor bullshit. Your phone, however, does have the NSA backdoor.




Expressing a concern and "freaking out" are wholly different beasts. Most people are doing the former, but you're painting everyone with the latter brush. That's both rhetorically dishonest, and just plain uncool.


>Now, is the ME chip a threat? Possibly, but not as much as your cell phone's baseband modem is. The baseband modem can talk to outside networks, ME can't unless it is paired with a NIC it can talk to (Intel does not require mobos that have this; and generally, motherboards meant for AMT ship Intel NICs, but not always).

The last ~dozen regular (gigabyte/asus/asrock/...) desktop PC motherboards I've seen have all used Intel NICs for ethernet.


Intel NICs are considered a premium feature on desktop boards, it is not a common sight.


It's a lot more common than it was 2-3 years ago. ASRock, ASUS, and Gigabyte are using Intel NICs even on some boards with the low-end B150 chipset, and it's extremely common on Z170 motherboards. I can't be bothered to check the rest of the manufacturers, but it's clear that Intel NICs are popular.



IPMI should always be used on a dedicated port, and on an isolated network with strict access control.

Disclaimer: I run a dedicated server host.


An isolated network isn't enough, IPMI controllers often listen on all NICs.


Not exactly, ME even without AMT is scary[1].

[1] https://libreboot.org/faq/#intelme


Yes, early versions of the ME had issues.

However, that website is a known source of FUD. Shame, since I used to like the FSF before it just started attacking everyone that didn't comply with their requests.



