by mmastrac 3329 days ago
Respectfully, why would they? The goal here is to find exploits in ME and use them to make Intel chips more end-user friendly.

When we were rooting Android devices we sat on a lot of exploits that we believed we could use to give end-users freedom. There were a handful that were bad enough to warrant disclosure [1], but we still offered them as ways for users to control their own devices with a few layers of obfuscation on top.

[1] http://www.unrevoked.com/rootwiki/doku.php/public/unrevoked1...


Publishing a blog post isn't exactly sitting on a vuln. I would understand if they kept it to themselves and I would understand if they reported to Intel, but this?
I'm not entirely sure the same "responsible disclosure" arguments for software apply to hardware.

With software, a patch release is a common enough thing that it's a solid argument that letting companies like Microsoft or Apple or Google or others who've demonstrated they'll actually fix security bugs (so, maybe not Oracle, for example), or any of the hundreds or thousands of widely-used OSS projects - I'm _much_ less convinced that any company like Intel will ever manage to get even a single digit percentage of their users to reflash CPU firmware - if that's even possible - and I've never heard of a hardware company freely replacing all users' CPUs where remote exploits are known.

Where the option of "give them 90 days to get a patch out - possibly give them an extension if they ask and explain why, but otherwise sit on the bug with the vendor until it's fixed or being actively exploited in the wild" à la Google Zero & Tavis seems to work reasonably well enough of the time for software bugs - it seems to me unlikely to be as beneficial for hardware bugs which are much much harder to get fixes to end users - and early disclosure giving the opportunity to mitigate with firewalls or unplugging the device seems more likely to be the better choice.

Isn't the whole purpose of this IME to facilitate remote updates and management of systems? As for patching hardware, Intel does have the ability to apply microcode patches. At the least they are able to disable features that are buggy.
Sure - it's _possible_ to patch the microcode - but can your dentist's receptionist do it? Or your mom? Unless there's a tool that automatically applies security microcode updates as easily and as widely as automatic Windows updates - it's really only of use to enterprise/corporate networks... I've never bumped into a small or medium-sized business that runs remote management for all the machines on their office networks...
I know the Linux kernel on my Ubuntu system applies microcode patches early on bootup. I also know that Microsoft has microcode patches as updates. For example https://support.microsoft.com/en-us/help/3064209/june-2015-i...
Windows update does distribute microcode updates. For example, https://support.microsoft.com/en-us/help/3064209/june-2015-i...
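The two comments above mention that Linux loads microcode early in boot and that Windows Update ships microcode packages. What neither says is how an administrator confirms the load actually took effect on every core. The following POSIX shell snippet is an added example, not code from the thread or from any commenter: it parses `/proc/cpuinfo`-style text (a constructed sample is embedded so it runs offline), reports the microcode revision per logical CPU, and fails if the revisions disagree or fall below a threshold. The threshold value `0xb4` and the CPU model string are placeholders; the real minimum comes from the vendor's release notes for your CPU.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the microcode revision
# reported by the kernel is consistent across CPUs and at least a given
# minimum. Input is text in the format of /proc/cpuinfo, read from stdin.

# Constructed sample in /proc/cpuinfo format (assumption: only the
# "processor" and "microcode" fields matter; real files carry many more).
SAMPLE_CPUINFO='processor	: 0
vendor_id	: GenuineIntel
model name	: Example CPU (constructed)
microcode	: 0xb4

processor	: 1
vendor_id	: GenuineIntel
model name	: Example CPU (constructed)
microcode	: 0xb4
'

# Constructed failure case: one core still runs an older revision, which is
# what a partially applied early-boot load or a hotplugged CPU can look like.
SAMPLE_MISMATCH='processor	: 0
microcode	: 0xb4

processor	: 1
microcode	: 0xb0
'

# microcode_revisions: print "<cpu> <revision>" for each processor on stdin.
microcode_revisions() {
    awk -F': *' '
        $1 ~ /^processor/ { cpu = $2 }
        $1 ~ /^microcode/  { print cpu, $2 }
    '
}

# distinct_revisions: number of different revisions present on stdin.
distinct_revisions() {
    microcode_revisions | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

# check_microcode MIN_REV: exit 0 only if every CPU reports the same revision
# and that revision is numerically >= MIN_REV (hex literals accepted).
check_microcode() {
    min_rev="$1"
    input=$(cat)
    n=$(printf '%s\n' "$input" | distinct_revisions)
    [ "$n" -eq 1 ] || return 1
    rev=$(printf '%s\n' "$input" | microcode_revisions | head -n1 | awk '{ print $2 }')
    [ $((rev)) -ge $((min_rev)) ]
}

# Stand-alone demonstration against the constructed samples.
if printf '%s\n' "$SAMPLE_CPUINFO" | check_microcode 0xb4; then
    echo "sample 1: microcode consistent and current"
else
    echo "sample 1: microcode missing, mismatched, or too old"
fi
if printf '%s\n' "$SAMPLE_MISMATCH" | check_microcode 0xb4; then
    echo "sample 2: microcode consistent and current"
else
    echo "sample 2: microcode missing, mismatched, or too old"
fi
```

On a live Linux host the same functions run as `check_microcode 0xNN < /proc/cpuinfo`; the kernel log also records whether the early load happened (the `microcode:` lines in `dmesg`), which is worth cross-checking because `/proc/cpuinfo` only shows the revision currently active, not how it got there. The mismatch check matters because a revision that differs between cores means some cores are still exposed to whatever the update fixed.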
> When we were rooting Android devices we sat on a lot of exploits that we believed we could use to give end-users freedom.

I often wonder whether one should really help people who decide to buy locked-down Android devices.

I would gladly buy an open source (including firmware) phone instead. Any you'd like to recommend?
First: mmastrac was explicitly talking about rooting Android devices via an exploit. Since as far as I know there are Android devices available that can be rooted on your own, buying one where an exploit is necessary is a conscious decision by people who don't care about such rooting. So your argument is off my point.

This said: To my knowledge for some mobile phones using a TI Calypso chip, one can flash a free firmware (OsmocomBB):

> https://osmocom.org/projects/baseband/wiki/Phones