by xgen 3332 days ago
AMD have something similar to this, and there was some mention of this in an AMA on reddit here:

https://www.reddit.com/r/Amd/comments/5x4hxu/we_are_amd_crea...

What are the reasons for having this, I mean good business reasons? I get that designing CPUs is expensive and they reuse as much as they can, and that businesses would want the benefits of remote management. However, when weighed up against the damage to trust in a company, is it worth it enough that they do not offer a line of chips that do not have this pseudo back door present?

2 comments

Most Intel PCs do not have AMT firmware and thus aren't affected by any AMT firmware vulnerabilities.
Is the Management Engine not on all modern Intel chips, but comes disabled, requiring it to be set up in the BIOS?
The ME is on all chips but the ME doesn't provide remote management. You're confusing two different things.
> What are the reasons for having this, I mean good business reasons?

So, I'll avoid writing anything about NSA collusion or related speculation and talk specifically about what you've asked -- business reasons. The main reason is that customers are already purchasing technology like this through third-party expansion cards, and this kind of technology makes those (expensive) adapters less necessary for those customers if it's built into the CPU. At a past company I worked at, every HP ProLiant server we purchased was purchased with a PCI Express adapter that was a full computer on a card. It came with a special cable that passed the 15-pin VGA output through the card and allowed complete control of the server (and we purchased the "Lights Out" edition, which included battery power so that the server could be powered on remotely).

It allows one to do things you can't do through software remote management, like install the operating system, modify the BIOS settings, and see POST messages at boot. It sounds like AMT offers a lot of this functionality without the need for that (I think $700) board, which would be appealing to a lot of enterprises, almost all of whom consider folks screaming about possible vulnerabilities in AMT as tin-foil-hat-wearing security geeks, or have otherwise convinced themselves that "it'll never happen to me (or Intel, etc.)". I, personally, tried in vain to point out the security threats that these third-party boards posed to the organization, being that the software could not be audited, was often used for years past the support date of the hardware (where security patching via firmware updates was no longer provided) and allowed complete and total access to the system in ways that even the worst OS vulnerability wouldn't (that was the point, after all), but was basically told that the benefits outweighed the risks[0].

The argument for using a management board, however, was a little easier to make than the argument for using AMT. Our security standards required that any device with a management interface be segregated to a high-security management network that, while not air-gapped, was protected via additional VPN and two-factor authentication and no access to the internet from within. It's unhelpful if the laptop of the administrator with the appropriate token is infected with something, but at least this allowed for one extra set of firewalls between those interfaces and the internet. Now...whether or not these boards were actually on said management network is anyone's guess and in the case of AMT-style software, there'd be no way to do something similar. These PCI-e boards were complete computers with their own isolated[0] network adapters.

[0] I'm not positive about this one and in all likelihood a sufficiently bad vulnerability might make that separation irrelevant, but AFAIK, the network adapters on these boards were not accessible to the OS and were used by the management interface, only. If that wasn't the case, that would have made a great argument for their elimination since the management network would then be accessible via corporate (which is what the server was plugged into) without the VPN connection.
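The worry in the footnote above (a management NIC that turns out to be reachable from the corporate network, with no VPN in between) is something you can check rather than guess at. The script below is an added example, not code from the thread or from any vendor: it takes a scan run from a corporate-network vantage point, reformatted into one "host port/proto state" line per port, and flags (1) out-of-band management ports answering on addresses outside the management network, and (2) any address inside the management network answering at all, which means the management network is routable from corporate. The port list, the sample addresses and the scan lines are constructed assumptions for illustration.

```python
"""Flag out-of-band management interfaces reachable from the corporate network.

Added example (not from the original thread). Input is a constructed scan
result in 'host port/proto state' form, as you would get by reformatting a
port scan launched from the corporate LAN. Two kinds of finding are reported:

  1. a management port open on an address that is NOT in the management
     network (the management NIC is plugged into corporate), and
  2. an address inside the management network that answers at all (the
     management network is reachable from corporate without the VPN).
"""
import ipaddress
from dataclasses import dataclass

# Ports commonly used by out-of-band management. 16992-16995 are Intel AMT's
# HTTP/HTTPS and redirection listeners; 623 is RMCP (IPMI, and AMT's ASF
# port); 664 is ASF secure. Treat this table as an assumption to adjust for
# your own adapters (iLO, iDRAC, ...).
MGMT_PORTS = {
    623: "RMCP/IPMI",
    664: "ASF secure",
    16992: "Intel AMT HTTP",
    16993: "Intel AMT HTTPS",
    16994: "Intel AMT redirection",
    16995: "Intel AMT redirection (TLS)",
}

# Constructed sample scan, taken from the corporate LAN 10.10.0.0/16.
SAMPLE_SCAN = """\
# host port/proto state
10.10.5.21 443/tcp open
10.10.5.21 16992/tcp open
10.10.5.21 16993/tcp filtered
10.10.5.40 22/tcp open
10.10.5.40 16992/tcp closed
10.200.1.7 623/udp open
"""

# Assumed management network: nothing here should answer from corporate.
MGMT_NETS = ["10.200.0.0/16"]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    reason: str


def parse_scan(text):
    """Parse 'host port/proto state' lines into {host: {(port, proto): state}}."""
    scan = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, portproto, state = line.split()
        port, proto = portproto.split("/")
        scan.setdefault(host, {})[(int(port), proto)] = state
    return scan


def find_exposed(scan, mgmt_nets):
    """Return findings for a scan performed from the corporate network."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    for host, ports in scan.items():
        addr = ipaddress.ip_address(host)
        in_mgmt = any(addr in n for n in nets)
        open_ports = sorted(p for (p, _proto), state in ports.items()
                            if state == "open")
        if in_mgmt:
            # Any answer from a management-network address is a segregation
            # failure, whatever the port.
            for p in open_ports:
                findings.append(Finding(
                    host, p, "management network reachable from corporate vantage"))
            continue
        # Outside the management network, only management ports matter:
        # an AMT/IPMI listener here means the OOB interface sits on corporate.
        for p in open_ports:
            if p in MGMT_PORTS:
                findings.append(Finding(
                    host, p, f"{MGMT_PORTS[p]} answering on a non-management address"))
    return findings


if __name__ == "__main__":
    for f in find_exposed(parse_scan(SAMPLE_SCAN), MGMT_NETS):
        print(f"{f.host}:{f.port}  {f.reason}")
```

On the sample input this reports 10.10.5.21:16992 (an AMT HTTP listener on a corporate address) and 10.200.1.7:623 (a management-network host that should not have answered from corporate at all); the filtered and closed ports are ignored because only an answering listener proves reachability.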