[oroup]

Give me a break. The same three letter agency that convinced Intel to do this will convince Apple to do the same. I'm guessing you're basing your faith in Apple based on their refusal to cooperate in the San Bernadino case[1] and the so-called "cop button" in iOS 11[2]. (And some generic "we value privacy" rhetoric that I won't bother linking.)

That stuff is great but doesn't mean much. Just because they're blocking border agents from trivially imaging phones at the border doesn't mean that they won't cooperate at a higher level with some undocumented baseband features.

Just as Defense in Depth is a concept in security, we've already seen a corollary "Offense in Depth" from the intelligence community. Is the best attack in the random number generator[3] or undocumented silicon[4] or intercepting your boxes on the way to your data center[5] or tapping your fiber[6] or stealing your certs[7] or paying your employees to go rogue[8]? Why choose when you can just do them all.

Apple hardware is vertically integrated and utterly undocumented. The AMT chip has been present on motherboards since 2006[9]. The Snowden Introspection Engine found that the Wifi Chipset remains powered up even when Wifi is turned off.[10] I find it hard to believe that the same government who went to all these lengths to compromise our infrastructure would really let Apple get away with refusing. How did that turn out for Joseph Nacchio?[11]

[1] https://www.washingtonpost.com/world/national-security/us-wa...

[2] https://www.cultofmac.com/498052/ios-11-lets-quickly-disable...

[3] https://en.wikipedia.org/wiki/Random_number_generator_attack...

[4] https://en.wikipedia.org/wiki/Hardware_backdoor#Examples

[5] https://www.extremetech.com/computing/173721-the-nsa-regular...

[6] https://arstechnica.com/tech-policy/2013/10/new-docs-show-ns...

[7] https://nakedsecurity.sophos.com/2013/12/09/serious-security...

[8] http://www.ocweekly.com/news/fbi-used-best-buys-geek-squad-t...

[9] https://libreboot.org/faq.html#intel

[10] https://www.documentcloud.org/documents/2996800-AgainstTheLa...

[11] https://en.wikipedia.org/wiki/Joseph_Nacchio

[KGIII]

You're asserting that a 'three letter agency' convinced Intel to do this, and asserting it as factual. I'm not convinced that it is, and think market focus is more probable than nefarious agencies. Though, to be sure, those types of agencies would probably be willing to take advantage of this.

No, it seems more probable that they did this because their largest customers want centralized management at a low level. They want to be able to track and control assets, and to prevent asset loss. They, being the largest customers, control the features that Intel offers. It then makes no sense, financially, to make two versions of the CPU.

Unfortunately, the market for people who care is vanishingly small. Most people don't much care about privacy or security, other than to pay it lip service - if even that much. Prevalent is the idea that they've nothing to hide and, thus, nothing to fear.

So, without evidence that this was inspired by a three letter agency, I'm going to assume it is a financial decision. That seems much more reasonable and probable.

Do you have any evidence to prove three letter agency coercion? I'd expect it to be quite the news event, if you did.

[amigoingtodie]

If what you say is true, why has vPro not seen wider adoption?

It has been around long enough.

Anybody work for an MSP or enterprise that actually uses this in the field?

[KGIII]

I can't say, really. My contention was largely around the idea that it was asserted as fact that it was at the behest of a three letter agency and the remainder of the comment presented based on that. It has not been established that it was at the behest of a three letter agency and presenting arguments based on that is like building a house on the sand.

It hasn't anything to do with quality specifics, nor of alternatives. Without factual evidence to support the three letter agency theory, the rest of the argument is invalid.

Don't get me wrong, I think it's a horrible idea. I've just seen no reasons to assert that it was done because of a three letter agency being the directors. As near as I can tell, and I've followed this fairly closely, no such evidence exists. At best, it's speculation. At worst, it's conspiracy theory. Either way, presenting it as fact and then basing an argument on that is illogical.

We can do better than that. There are lots of valid complaints that don't need speculation, disinformation, or hyperbole. IME is a horrible idea, at least it is so long as you can't disable it as the end user. This very thread is a fine example of one of the reasons that it is horrible. It's a security nightmare and should be user controlled.

No three letter agency needed to point this out. Wild, unsubstantiated, accusations may make people take the complaints less seriously. That seems less than helpful.

[gras]

Do you then have substantive evidence that market forces/centralized management caused this?

[EasyAI]

Occam’s razor. I’m a very conspiratorial person and I’ve seen nothing to suggest any nefarious activity or collusion so I’m not getting carried away on this.

https://securingtomorrow.mcafee.com/executive-perspectives/a...

This is a statement by the Intel CTO from 2016 on the ME discussions, and briefly reassured us that Intel is conscious of the security of the ME, and that they have teams dedicated to it and can push firmware updates out to cover vulnerabilities.

https://www.intel.com/content/www/us/en/architecture-and-tec...

Intel made an official announcement in May that they have discovered an escalation of privilege vulnerability and are addressing it accordingly as you would expect. It also notes that consumer hardware and firmware is not affected by the vulnerability, demonstrating that Intel actually does release two different chips, and prioritizes privacy and security more over features on the consumer models.

https://newsroom.intel.com/news/important-security-informati...

Intel releases a software tool for checking if your system is one of the vulnerable units or not, they have a fix already for the firmware and confirm it is not due to physical design flaws, and are working with manufacturers to push the updates ASAP.

Overall, I don’t feel like Intel is at all intentionally sabatoging it’s customers, and genuinely considers the ME a valued feature by consumers, even though it bothers me that one is included on every product, they do differ and consumer models have fewer privileges than business models, which seems to be more of a firmware design than a hardware design, so I tend to believe that they simply don’t design extra chips without the ME and instead lock it down more on a software level. Vulnerabilities also appear to be firmware based, and the extremely vague announcement by black hat doesn’t suggest otherwise either. Intel very obviously takes the security of their devices very seriously and makes themselves available to users who need help identifying whether or not they’re vulnerable and what to do about it.

[int_19h]

In post-Snowden era, I'm not sure that Occam's razor applies that way anymore.

[MaxfordAndSons]

If the FBI couldn't compel Apple to make a slightly modified version of iOS, the NSA certainly couldn't compel Intel to design and implement the ME.

Nor could they likely pay them enough to make it worth the trouble if there wasn't a market for the ME - Intel is $170 billion company, with a $12 billion R&D budget last year alone [0].

[0]https://www.electronicsweekly.com/blogs/mannerisms/markets/i...

[EasyAI]

THANK YOU. Intel is not Facebook or Google or Microsoft. They do not run software botnets, search engines, or social networks. They do not have political directives or dreams of changing the world. People with those objectives infiltrate other industries where they can actually influence something.

[KGIII]

No, but I do not present it as fact nor as being the only possible solution. I think it more likely, as I said. In fact, I was clear about saying it was only my opinion that it was more likely.

That's pretty different than asserting it was done at the behest of a three letter agency and then basing a whole argument on that. Extraordinary claims require extaordinary evidence.

[madez]

> It then makes no sense, financially, to make two versions of the CPU.

You are wrong. They offer countless different versions of CPU's, famously denying "enterprise" features like ECC to private customers. One can only wonder why they are so generous and give everybody "enterprise" manageability for free.

[Idontknowmyuser]

Recent intel Cpus are designed in a country with a rich history of using and spreading exploits. I think it's a coincidence.

[breatheoften]

Your arguments make sense that the attack capacity continues to advance on many fronts (of course, the easy exploits like social engineering still remain the most common exploits by far — in raw numbers and probably in terms of impact as well). I would argue though that the existence of advanced attack capability doesn’t mean that the securable surface area of computing functionality can’t also grow over time.

I can probably agree that none of apple’s actions have significantly affected the percentage of computing functionality used in society that is comprisable at low cost — however I do think that Apple can choose to act to (1) increase the average cost to compromise (2) expand the (incredibly small) set of functionality which is not trivial to compromse.

I don’t think that any truly expert 3-letter agencies can reasonably oppose those goals in a way that completely prevents them from advancing. I think it would be self-defeating for the NSA to implement something like a “security blocking sophon”[1] that permanently cripples the capacity of technology to become more trustworthy given how dependent are the societies in which these entities operate on trustworthiness being possible in some contexts ...

[1] (sophons are a concept from this novel — which I won’t spoil, great series!) https://en.m.wikipedia.org/wiki/The_Three-Body_Problem

[jtmb]

Thank you for providing sources with your statements.

I agree with your premise but still want to recognize you backing it up with data.