
> they knowingly sold their systems

Everyone who sells systems knowingly sells exploitable ones, unless the sellers are naive. Every system you and I deliver to our customers/users is exploitable.

And knowing that, I'd never be naive enough to embed it in every CPU I made since 2009. Not to mention allowing AMT to be exploited even when it's disabled, and not sharing the source code so it could be properly audited. Every decision Intel made points to either them thinking this system was bulletproof (at least at the upper decision-making levels) or them being so incompetent they shouldn't be trusted with anyone's security.

Corporate IT seems to disagree. Certainly they are sophisticated enough to know the risks, and they enable and use AMT widely.

Personally, I hesitate more than most because of the technical reasons you cite, but even turning on a computer is a risk. Probably this isn't the greatest risk to a business' IT.

As somebody who consults with Corporate IT, more often than not I run into the mindset "well, if every other company is taking on the same risk then it's a wash". Aka disabling SELinux is what everybody does, we aren't taking on any more risk than anybody else (and it'll make us more competitive because we can iterate faster), so why not? Very few companies think of security as a feature, because so few consumers think of security as a feature.

I agree completely; many, many companies are totally fine with accepting that risk due to the trade-off for ease of manageability. But I'm really not, in no small part because the overhead of managing a few computers is totally different from that of a large corporation with thousands of machines. I just wish my vote counted with Intel (or AMD for that matter), and I could completely disable ME, because I'd rather have the more difficult management of machines than the much larger attack surface.

Of course it all seems to lead back to monopolies/duopolies being bad for the average consumer. Who knew?

I agree on all points; well-made. Thanks.

> I just wish ... I could completely disable ME

You might find this useful:


I stumbled upon puri.sm in an old reddit thread talking about this, I'm very intrigued by the systems they make. Also it seems disabling ME might be possible, though risky: https://hardenedlinux.github.io/firmware/2016/11/17/neutrali...

This is exactly right. Almost every company sees security simply as a cost.

This strikes me as an odd argument. Corporate America is notorious for not taking security seriously until it is too late. If you care at all about security you shouldn't take advice from what corporate IT is doing.
