This is something that governments worldwide, large criminal organizations and others would be interested in.
I can't believe I'm even typing something like this! It reads like something from a bad dystopian film. To even have something like Intel ME considered would have been mind-blowing enough. To have implemented it... there are no words.
The real title of the blog post is "The Bad Thing"; I'm glad that's not the HN title, but our current one is unrepresentative of the content. Perhaps, "Intel ME: The Bad Thing".
It is a bit unfortunate that all we can do is disable some modules or set the HAP bit without knowing exactly what has been neutralized, but it's certainly far better than the extremely limited control Intel provides the user over the ME.
It will be interesting to see if Intel tries to make this more difficult with future iterations (it will certainly be even more suspicious if they do).
It's no replacement for a system with a trustworthy firmware, but right now the available choices aren't good.
Also, this topic has been rehashed to death on HN already.
Therein lies the issue. The real objection with ME isn't that it's "proprietary" or "non-libre" or whatever other ideological objections, it's that it's an opaque embuggerance that makes any analysis or reasoning about the system's security/trustworthiness/reliability completely impossible and specious.
It's 10PM. Do you know if your ME has been provisioned by evil malware?
I don't care about whether its source code is public or not, I care about the fact that I have no verifiable and irreversible way to disable that little implant's function. It's not an innocent housekeeping microcontroller, it's one hell of a remote-access-tool, plain and simple. That intelligence agencies have demanded that Intel provide a bit to neuter the ME after its bringup is testament to that.
My personal computer isn't part of an enterprise/corporate network, and I don't want any RAT (nor an auxiliary CPU with network access that is waiting to be provisioned to act like a RAT) installed on it, the same way my house-lock isn't keyed with a master key that the police holds.
Your ME can trivially pwn your OS and can therefore access the network. Moreover, I'd be shocked if the ME couldn't reflash your full firmware. How? By subverting early boot or by subverting SMM. This means that an ME code execution exploit can very likely become persistent. I bet it can also fairly bypass Boot Guard. Secure Boot doesn't help at all.
The upshot being that it's very likely that a malicious USB stick can persistently compromise any modern Intel box in a fairly generic way.
This is bad.
So on the one hand SecureBoot & ME are terrible, but on the other hand the pre-existing security regime was also terrible.
The ideal would of course be for Intel to be more open about the ME, but who knows if that will ever happen.
rbe (Huffman , 0x007cc0 - 0x00a380): NOT removed, essential
kernel (Huffman , 0x00a380 - 0x019f40): NOT removed, essential
syslib (Huffman , 0x019f40 - 0x02cf40): NOT removed, essential
bup (Huffman , 0x02cf40 - 0x055d40): NOT removed, essential
pm (Huffman , 0x055d40 - 0x059740): removed
vfs (Huffman , 0x059740 - 0x066880): removed
evtdisp (Huffman , 0x066880 - 0x069300): removed
loadmgr (Huffman , 0x069300 - 0x06dec0): removed
busdrv (Huffman , 0x06dec0 - 0x071700): removed
gpio (Huffman , 0x071700 - 0x0738c0): removed
prtc (Huffman , 0x0738c0 - 0x074c00): removed
policy (Huffman , 0x074c00 - 0x07fa40): removed
crypto (Huffman , 0x07fa40 - 0x09a680): removed
heci (LZMA/uncomp., 0x09a680 - 0x09e580): removed
storage (Huffman , 0x09e580 - 0x0a4b00): removed
pmdrv (Huffman , 0x0a4b00 - 0x0a6700): removed
maestro (Huffman , 0x0a6700 - 0x0ab600): removed
fpf (Huffman , 0x0ab600 - 0x0add40): removed
hci (LZMA/uncomp., 0x0add40 - 0x0ae600): removed
fwupdate (LZMA/uncomp., 0x0ae600 - 0x0b3140): removed
ptt (LZMA/uncomp., 0x0b3140 - 0x0c82c0): removed
touch_fw (LZMA/uncomp., 0x0c82c0 - 0x133000): removed
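To turn a report like the one above into something auditable (how many bytes of ME code survive, and whether the listed ranges account for the region without holes), here is an added parser for that output format. It is example code written for this thread, not part of me_cleaner; the sample report is constructed from the first lines of the listing above.

```python
import re

# Constructed sample in the report format quoted above (a contiguous prefix of
# the listing); offsets are the ones shown in the comment, not measured here.
SAMPLE_REPORT = """\
rbe (Huffman , 0x007cc0 - 0x00a380): NOT removed, essential
kernel (Huffman , 0x00a380 - 0x019f40): NOT removed, essential
syslib (Huffman , 0x019f40 - 0x02cf40): NOT removed, essential
bup (Huffman , 0x02cf40 - 0x055d40): NOT removed, essential
pm (Huffman , 0x055d40 - 0x059740): removed
vfs (Huffman , 0x059740 - 0x066880): removed
evtdisp (Huffman , 0x066880 - 0x069300): removed
"""

# One module line: name, compression, [start - end) range, and removal status.
LINE_RE = re.compile(
    r"^(?P<name>\S+) \((?P<comp>[^,]+?)\s*, "
    r"0x(?P<start>[0-9a-fA-F]+) - 0x(?P<end>[0-9a-fA-F]+)\): "
    r"(?P<status>NOT removed|removed)"
)

def parse_report(text):
    """Return one dict per module line; lines that are not module lines are ignored."""
    modules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        if end <= start:
            raise ValueError(f"bad range for module {m['name']}")
        modules.append({"name": m["name"], "compression": m["comp"].strip(),
                        "start": start, "end": end,
                        "removed": m["status"] == "removed"})
    return modules

def summarize(modules):
    """Bytes kept vs removed, plus any holes between consecutive module ranges."""
    ordered = sorted(modules, key=lambda m: m["start"])
    gaps = [(a["name"], b["name"]) for a, b in zip(ordered, ordered[1:])
            if a["end"] != b["start"]]
    return {
        "kept": [m["name"] for m in ordered if not m["removed"]],
        "removed": [m["name"] for m in ordered if m["removed"]],
        "kept_bytes": sum(m["end"] - m["start"] for m in ordered if not m["removed"]),
        "removed_bytes": sum(m["end"] - m["start"] for m in ordered if m["removed"]),
        "gaps": gaps,
    }
```

Feed it the full report text from a me_cleaner run (`summarize(parse_report(open("report.txt").read()))`) to get the retained byte count and a list of any unexplained holes between modules.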
The book is three years old, so maybe that's changed. Or maybe the functions you describe are part of AMT. I'd be interested in knowing more.
> system defense (packet filter)
At least that doesn't sound like it needs to transmit.
What anti-theft service does ME provide?
"Some of the other modules include ... a system for location tracking and remote wiping of laptops for anti-theft purposes."  (link to Igor Skochinsky slides).
As far as I know, AMT is on almost every ME implementation, but I'd love to learn more about it. When is it included? What is that based on?
Here's what I know:
1. Every system with the VPro branding includes AMT with remote access (I'm 90% sure of that). Considering the audience here at HN, most of their computers probably are VPro models.
2. Non-VPro models also include AMT, and possibly some have remote access. I recently was working with a non-VPro system that certainly had AMT, but had the Small Business Technology implementation, which purposefully omits remote access.
There's also Standard Manageability, which "appears only on Intel Desktop Boards that support Intel AMT but that do not have a vPro-compatible processor installed"; AFAICT it's an implementation of AMT, and I think it includes remote access. (There are not enough days in the week to sort out Intel's product line, and that was one thing I didn't need to know.)