by teddyh 2135 days ago
That’s a useless definition of “removed”; using that definition, ME can never be “removed” at all! But that’s not what we’re talking about here. A more useful definition would be to use “removed” as in “not a security problem anymore”.

> using that definition, ME can never be “removed” at all!

This is my point. It can't be removed. It will always remain a security problem.

that's like saying having a flimsy house door lock lying in your kitchen drawer is a security problem.

you have hardware on the cpu no longer accessible by software. you have a mellanox network card the me can't talk to. it's there, in the kitchen drawer. it's no longer in the door - so not a security problem.

the 'issue' requires physical access to the machine, and for you to be logged in with an admin account. if someone is physically sitting next to your server and logged in as root, you have no security anymore. they don't need to break into anything, they can just run what they want already.

someone is in your car with keys in the ignition. you're saying they can steal your car by hacking the entertainment system because it's insecure.

No, this is more akin to having a flimsy plywood door with a plastic lock right next to your real one but acting like you've solved the issue by taping a "please don't use" sign over it.

Intel ME is still there. It is still potentially remotely configurable and remotely updateable. That those features are not advertised is irrelevant, they can be assumed to be there or easily added.

'It is still potentially remotely configurable and remotely updateable.'

and there's the issue. it is literally not remotely anything, since in the stated configuration it is not possible to get to it unless you are physically sitting at your computer and logged in. you are making stuff up and saying the thing you made up is dangerous.

Sure, but not using an Intel NIC is supposed to make it already not remotely accessible, without all this work.

If ME is still involved in the system, it can still act as an undetectable permanent implant/rootkit, you just need to burn one 0day to reach it by breaking into the x86 part first.

That definition doesn't change much, because the part that can't be removed can and will leave your system vulnerable to exploits like this one: https://www.intel.com/content/www/us/en/security-center/advi...