Torne Kat

TLDR: Privacy rambling. Cover your ass.

Privacy is a human right and the cornerstone of all freedoms. The right to think for yourself and at your own pace is fundamental to the ability to think critically and form educated opinions on the world around you. Without privacy freedom of thought is impossible. In the modern age computers serve as an extension of the mind. The internet has often been called the “information superhighway” and the “great idea exchange”. Most people use computers in one of two ways: to gather data and information (whether consciously or not depends on the individual) on the world around them, or to express themselves in one or more of the various media available online. For better or for worse this has become the norm for most people. For this process to be fully effective (so that truth may be found by all who seek) all must be allowed to contribute and to access the data online. Limits on this data whether by law or institutional policy become limits on the freedom of the minds of the people.

It is therefore why we must seek to secure absolute digital privacy. It is the key to freedom for ourselves and the future that we may be allowed to access all ideas and assess them purely on their merit. To this end paranoia is a must. Computers, while the greatest innovation of the modern age, serve as a series of black boxes. Abstracted functions stacked atop each other make for excellent security through obscurity to only those who do not look behind the curtain. In the case of government backed hacker groups or other institutions or organizations it is a trivial matter to abuse systems that rely purely on security through obscurity. Most people don’t even realize the width of the attack vectors on them. Laws against digital espionage only apply to those in your country not authorized by your government after all.

The Intel Management Engine (as well as AMD’s Platform Security Processor) is in essence a second computer built atop the cpu die itself. A small low power computer with complete access to ram contents (don’t forget that even on systems with full disk encryption the ram is unencrypted during runtime and holds your keys) and the network stack (wifi ssid and password?). It runs when your computer is off (but still plugged in from the 5v standby rail) and can at any time phone home. As well it obscures its own network traffic from analysis by other machines that also house this chip. I have been told that Intel and AMD are such large companies and that they surely would not allow for there to be any vulnerabilities in such a deeply connected system component (which acts as a closed system with no end user controls), yet we have these excellent headings over on Wikipedia. IME Vulnerabilities and AMD PSP Vulnerabilites. Any vulnerability in these systems is completely unacceptable, especially when you consider their dubious justifications for existing in the first place.

What can be done?.

There are ways one can mitigate IME. One such solution which is becoming less reasonable as time goes on is to just use a system that doesn’t have IME. Any computer made before 2008 would be safe but finding a computer from this time period that can still handle (the admittedly bloated) software people require today is just about impossible. Even with a minimalist Linux system the best computers from this time are starting to struggle with basic web browsing (to be fair emulation/gaming, coding, music production/ playback, and even illustrating with free programs like Krita or gimp run great still) Since the internet is the main resource people use computers for today this makes using an older computer less and less of an option for the average person.

The next best option is to take early IME systems and to prune their firmware with open source alternatives from projects like coreboot or one of its distributions. On many of the earliest systems that had IME it was not fully integrated into the boot process and so it could be fully disabled safely. On newer systems this is not the case since it is integrated in the post process. On such systems IME can still be neutered but not fully removed. Therefore I believe the best compromise is to use a system from the early days of IME. This brings me to the core2 series of cpus by Intel. In particular I like the core2 quads. The qx9300, q9100, and q9000 still provide acceptable performance for modern tasks as far as I can tell. The main problem with these cpus is the lack of support in commonly available systems and poor availability of systems which do support them. As mobile cpus only a few models of “desktop replacement” and “performance” laptops supported them. However they still used the same physical socket as the rest of the core2 duo cpus at the time. Famously the Thinkpad t400 and w500 only needed a few small modifications (six pinout alterations) to be able to run a core2 quad since the socket pinouts were almost identical. Theoretically this should be possible on any system with the same chipset and socket as the Thinkpads in question.