
> What if your computer is still accessible for Intel ME surveillance because the VPN server is also Intel ME and they would negotiate somehow to keep having your Intel ME instance an ability to phone home?

This would require the hardware backdoor to be aware of and integrate with the specific VPN that you used, which could be a version of the code published after the hardware shipped.

> Is it possible to have a VPN provider which guarantees not having any Intel machines on the network?

Irrelevant unless the code on your side could hook the VPN, though of course you could.

The better attack would be to have the compromised firmware send its packets using the addresses and ports of some existing connection regardless of its contents, and then have a compromised ISP read them. But even that could be detected by logging the packets at the clean firewall. If it records any that aren't a part of the VPN connection then you've got yourself a rat and a scandal.
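The firewall-side check described in the comment above, as an added example that is not part of the original comment. It assumes the VPN client on the host logs a SHA-256 digest of every ciphertext datagram it sends and that the clean firewall logs full outbound packets; the `Pkt` record, the function names and all sample values are constructed for illustration.

```python
import hashlib
from collections import Counter
from typing import NamedTuple


class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes


def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


def audit(firewall_pkts, vpn_flow, host_sent_digests):
    """Split outbound firewall records into (off_flow, unaccounted)."""
    # Multiset, so a packet the client really sent twice is matched twice.
    remaining = Counter(host_sent_digests)
    off_flow, unaccounted = [], []
    for p in firewall_pkts:
        if tuple(p[:5]) != vpn_flow:
            # Not on the VPN 5-tuple at all: should never leave the host.
            off_flow.append(p)
            continue
        d = digest(p.payload)
        if remaining[d] > 0:
            remaining[d] -= 1
        else:
            # Reuses the VPN's addresses and ports, but the client never sent it.
            unaccounted.append(p)
    return off_flow, unaccounted


# Constructed sample data (documentation address ranges, made-up payloads).
VPN_FLOW = ("10.0.0.5", 51820, "203.0.113.10", 51820, "udp")
HOST_SENT = [digest(b"vpn-ciphertext-1"), digest(b"vpn-ciphertext-2")]
FIREWALL_LOG = [
    Pkt(*VPN_FLOW, b"vpn-ciphertext-1"),
    Pkt(*VPN_FLOW, b"not-from-vpn-client"),
    Pkt(*VPN_FLOW, b"vpn-ciphertext-2"),
    Pkt("10.0.0.5", 40000, "198.51.100.7", 443, "tcp", b"hello"),
]

if __name__ == "__main__":
    off, extra = audit(FIREWALL_LOG, VPN_FLOW, HOST_SENT)
    print("outside VPN flow:", off)
    print("on VPN flow but never sent by client:", extra)
```

The second list is the case the comment is concerned with: traffic that hides inside the existing connection's addresses and ports still shows up as a packet the VPN client has no record of sending.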


