[Cryptography] Intel Management Engine pwnd

grarpamp grarpamp at gmail.com
Wed Nov 29 02:56:55 EST 2017


On Tue, Nov 28, 2017 at 11:17 PM, Jerry Leichter <leichter at lrw.com> wrote:
> You could block this entire mechanism by using an external Ethernet interface and not connecting the built-in one to anything

No. Not if your "external" NIC contains one of the Intel controllers with
support. These days most of Intel's have it. PCI is PCI, slotted or soldered.
Caveat blobs and secret sharing, one might presume, perhaps slightly less
foolishly, that other brands of controllers don't participate in AMT/ME.

> connecting it to a separate management network fully isolated from the Internet and carefully controlled.

Cisco, Juniper, Huawei, Chelsio, etc... all closed source TOP SECRET blobs too.
When even your eyeglasses are secrets, you have no idea what truly
is or is not passing right in front of them.

> But not many will choose to do that because of the additional cost and likely performance implications.

First you have to get them woked to the predicament they've
buried themselves in. Then deal with how to dig out of it and
where to go once freed from the mire.
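A check a practitioner might run against the point above (that a slotted Intel NIC is just as much an AMT/ME participant as the soldered one, because both are plain PCI devices). This is an added example, not code from the original post: it parses `lspci -nn` output and flags every Intel-vendor (8086) Ethernet controller regardless of bus position, plus the Intel "Communication controller" through which the ME is exposed to the host. The sample lines and the four-digit device IDs in them are constructed placeholders, not real part numbers; the vendor ID 8086 and the PCI class codes 0200 (Ethernet) and 0780 (communication controller) are real.

```python
import re

# Constructed sample of `lspci -nn` output. Bus 00 devices are on-board;
# bus 03/04 devices are add-in cards. Device IDs are placeholders.
SAMPLE_LSPCI = """\
00:00.0 Host bridge [0600]: Intel Corporation Device [8086:0a00] (rev 09)
00:16.0 Communication controller [0780]: Intel Corporation Device [8086:0b00] (rev 04)
00:19.0 Ethernet controller [0200]: Intel Corporation Device [8086:0c00] (rev 04)
03:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. Device [10ec:0d00] (rev 06)
04:00.0 Ethernet controller [0200]: Intel Corporation Device [8086:0e00] (rev 01)
"""

INTEL_VENDOR = "8086"
CLASS_ETHERNET = "0200"
CLASS_COMM = "0780"   # Intel's ME host interface (MEI/HECI) enumerates in this class

# addr, class name, class code, description, vendor id, device id
_LINE = re.compile(
    r"^(\S+) (.+?) \[([0-9a-f]{4})\]: (.+?) \[([0-9a-f]{4}):([0-9a-f]{4})\]"
)


def parse_lspci(text):
    """Turn `lspci -nn` lines into dicts; unparseable lines are skipped."""
    devices = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        addr, cls_name, cls_code, desc, vendor, device = m.groups()
        devices.append({
            "addr": addr,
            "class_name": cls_name,
            "class_code": cls_code,
            "desc": desc,
            "vendor": vendor,
            "device": device,
            # bus 00 is the root bus: typically soldered-on parts
            "onboard": addr.startswith("00:"),
        })
    return devices


def amt_candidates(devices):
    """Flag Intel NICs (on-board or slotted) and whether an ME interface exists.

    Vendor/class is the criterion, not the slot: an add-in Intel card
    is flagged exactly like the soldered one. Presence on this list means
    'Intel silicon that may carry AMT support', not confirmed AMT.
    """
    intel_nics = [
        d["addr"] for d in devices
        if d["vendor"] == INTEL_VENDOR and d["class_code"] == CLASS_ETHERNET
    ]
    mei_present = any(
        d["vendor"] == INTEL_VENDOR and d["class_code"] == CLASS_COMM
        for d in devices
    )
    return {"intel_nics": intel_nics, "mei_present": mei_present}


if __name__ == "__main__":
    result = amt_candidates(parse_lspci(SAMPLE_LSPCI))
    for addr in result["intel_nics"]:
        print(f"Intel NIC at {addr}: candidate for AMT/ME participation")
    if result["mei_present"]:
        print("Intel ME host interface present")
```

Run it against real output with `lspci -nn | python3 -c 'import sys; ...'` or by replacing `SAMPLE_LSPCI` with `subprocess.check_output(["lspci", "-nn"], text=True)`. The output only narrows the search: which Intel NIC parts actually carry AMT support has to be confirmed from the part's own documentation, and whether the ME firmware is active is a separate question (coreboot's `intelmetool` is one tool that queries it).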
