[tor-talk] Intel ME / AMT + NSL vs Tor Nodes

[podmo]

On 12/18/2016 10:22 AM, Milton Scritsmier wrote:

> Not all Intel chipsets support AMT (check Intel's website for which ones
> do, but most consumer PC/laptop chipsets don't), and for every version
> of ME firmware there are two releases, one for chipsets with AMT support
> and one for chipsets without. Chipsets which support AMT can have the ME
> firmware updated remotely if it's signed properly and the AMT password
> is entered or bypassed somehow. Chipsets without AMT support cannot be
> updated remotely AFAIK.
>
> If somebody got their hands on the Intel ME toolset and private signing
> keys they could create a custom version of ME firmware that could do
> just about anything, including accessing almost all the PC's RAM at any
> time. But getting it on the machine is the trick. Without AMT support it
> would require physical access to the machine, but then you can do just
> about anything anyway with physical access.
>
Thank you, Roman and Joe for your well-written, rational and FUD free
emails to the list on this topic. ;)
I played around with AMT on a system I have access to. Per the
manufacturer's documentation it ships out of the box in factory mode which
disables all remote access features. After changing the ME password from
the default I could configure AMT and turn AMT off entirely. Like Roman
mentioned, no need for BMC so I think the Reddit poster's information was
out of date but his point about securing the OS is still a good one.