
Convince me I'm being too paranoid about IME and UEFI

LloydLynx

So UEFI gets rid of the memory restrictions of the old 16-bit BIOS, gives the OS more control, and needs a large EFI partition to boot from instead of a tiny boot sector. That makes it way easier to write motherboard embedded malware. And the massively larger boot partition makes an Evil Maid attack way easier on a full disk encrypted OS.

 

This, combined with the Intel Management Engine having full network access and full access to the entire computer's functions at all times, can be exploited by motherboard malware. Whether the computer is infected by a 3rd party, or backdoored by the OEM.

 

My current laptop has a traditional BIOS and no IME. I've been thinking about maybe a Latitude E6440 as my next laptop, but it does have the IME and UEFI.

 

I use an entirely FOSS userspace, and a nearly FOSS Linux kernel. That just leaves the various proprietary firmwares throughout my computer. I feel like I can trust my current BIOS since it's tiny and separated from the outside world, without an IME. Same for most of the other firmwares, that I know of at least. 

 

Now, I'm not from a country like China or NK that would punish me and my family for wrong think. But I am in the USA which has been known to secretly spy on citizens and plant backdoors in electronics. So it spooks me out using a computer made by a company in the USA or a similarly spooky country with an IME and UEFI, the newer the worse. I like knowing that everything I do offline will never ever leave my computer unless I will it. And I can't stand my computer acting against me like that. 

lumpy chunks

 

Expand to help Bunny reach world domination

(\__/)
(='.'=) This is Bunny. Copy Bunny into your signature to
(")_(") help him on his way to world domination.

 -Rakshit Jain


I've never used UEFI BIOS, I do have a few computers that support it but I see no reason to use it versus traditional BIOS. Intel ME can be disabled by manufacturer if they want, my Latitude XT2 has it turned off (and a big sticker reading "ME Disabled").

I don't see them as huge security risks - of course everything has some security risk associated with it, I just see them as unnecessary. Computers work just fine without either so what is even the point. 


Whole back door argument can go so much further than what you are thinking here. Older implementation of Intel ME is troublesome when it comes to security BUT that would hardly matter when the entire internet traffic is saved/processed by government agencies. Only way to be truly secure computer wise is to not use any smart device. 

 

Paranoia is not healthy. If you don’t have any reason to be targeted by 3 letter agencies or targeted by zero day attacks, then you shouldn’t worry.

mY sYsTeM iS Not pErfoRmInG aS gOOd As I sAW oN yOuTuBe. WhA t IS a GoOd FaN CuRVe??!!? wHat aRe tEh GoOd OvERclok SeTTinGS FoR My CaRd??  HoW CaN I foRcE my GpU to uSe 1o0%? BuT WiLL i HaVE Bo0tllEnEcKs? RyZEN dOeS NoT peRfORm BetTer wItH HiGhER sPEED RaM!!dId i WiN teH SiLiCON LotTerrYyOu ShoUlD dEsHrOuD uR GPUmy SYstEm iS UNDerPerforMiNg iN WarzONEcan mY Pc Run WiNdOwS 11 ?woUld BaKInG MY GRaPHics card fIX it? MultimETeR TeSTiNG!! aMd'S GpU DrIvErS aRe as goOD aS NviDia's YOU SHoUlD oVERCloCk yOUR ramS To 5000C18

 


45 minutes ago, Levent said:

or targeted by zero day attacks

Everyone is a target for 0 day attacks my botnet owning friend.

When I was doing government work back in the day the IME code was on a daughter board with the onboard NIC chips, we used to bin it and install a "safe" NIC. I used to cut the release tab off of blank crimped RJ45 plugs and stick them into the redundant ports to avoid mistakes.


1 hour ago, Levent said:

Paranoia is not healthy. If you don’t have any reason to be targeted by 3 letter agencies or targeted by zero day attacks, then you shouldn’t worry.

I honestly have never understood that kind of paranoia. If you're not doing anything wrong, what do you have to hide?

 

If someone wants to know what you're doing bad enough, they'll find a way whether it's through your computer, stalking you, or just talking to people you associate with. Who cares.

 

If CSIS, the CIA or whoever really wants to know about me, I'm sure they've already got my info. I'm not up to anything, I lead a boring life in all respects, if some government agent wants to come over and build a PC with me in my basement and ask me what I'm up to, they're welcome to it.

The New Machine: Intel 11700K / Strix Z590-A WIFI II / Patriot Viper Steel 4400MHz 2x8GB / Gigabyte RTX 3080 Gaming OC w/ Bykski WB / x4 1TB SSDs (x2 M.2, x2 2.5) / Corsair 5000D Airflow White / EVGA G6 1000W / Custom Loop CPU & GPU

 

The Rainbow X58: i7 975 Extreme Edition @4.2GHz, Asus Sabertooth X58, 6x2GB Mushkin Redline DDR3-1600 @2000MHz, SP 256GB Gen3 M.2 w/ Sabrent M.2 to PCI-E, Inno3D GTX 580 x2 SLI w/ Heatkiller waterblocks, Custom loop in NZXT Phantom White, Corsair XR7 360 rad hanging off the rear end, 360 slim rad up top. RGB everywhere.


1 minute ago, ApolloX75 said:

If you're not doing anything wrong, what do you have to hide?

What kind of authority boot licking nonsense is this?


2 hours ago, LloydLynx said:

I've been thinking about maybe a Latitude E6440 as my next laptop, but it does have the IME and UEFI.

Maybe take a look at System76 laptops instead:
https://support.system76.com/articles/intel-me/

https://support.system76.com/articles/transition-firmware/

VGhlIHF1aWV0ZXIgeW91IGJlY29tZSwgdGhlIG1vcmUgeW91IGFyZSBhYmxlIHRvIGhlYXIu

^ not a crypto wallet


2 hours ago, Biohazard777 said:

That would be ideal, if they had a mouse stick and were 1/4 the price. 


7 minutes ago, LloydLynx said:

That would be ideal, if they had a mouse stick and were 1/4 the price. 

Desolder your chipset. No more ME!

 

Seriously though, shop around for a Latitude E6440 with disabled management engine. They started doing it back in the Core 2 era, late 2009 really. You'll find a sticker under the battery that looks like

[image]

The big 3 always means the management engine has been disabled (with no way to re-enable it). (1 stands for AMT/vPro, don't know what 2 is.)

On my Precision M6700 (With ME) there is a BIOS option where the Management Engine can be, well, managed. It cannot be turned off to the extent that Dell does it in-house without a modified bios, though.

[image]


1 hour ago, LloydLynx said:

That would be ideal, if they had a mouse stick and were 1/4 the price. 

Their pricing is IMO fine, usually 1-2k USD for current gen hardware.

You will mostly find e-waste new laptops for 1/4 of the price.

 

If you are comparing them to the price of Latitude E6440 then you should also pick an older System76 laptop, like:
[image]

not sure if this particular model has the option to disable Intel ME (you'd have to check for yourself),
just saying there are older gen pre-owned System76 laptops in the 200-300$ range.

Also System76 isn't the only one that offers laptops with Intel ME disabled.

 

As for the trackpoint, that is a small usability trade-off... If Intel ME is a serious concern for you.


3 hours ago, Erioch said:

What kind of authority boot licking nonsense is this?

Pretty normal for most people to have that opinion. Doesn’t mean it’s more valid than your own, but it doesn’t necessitate that level of response in any case.


5 hours ago, ApolloX75 said:

I honestly have never understood that kind of paranoia. If you're not doing anything wrong, what do you have to hide?

 

If someone wants to know what you're doing bad enough, they'll find a way whether it's through your computer, stalking you, or just talking to people you associate with. Who cares.

 

If CSIS, the CIA or whoever really wants to know about me, I'm sure they've already got my info. I'm not up to anything, I lead a boring life in all respects, if some government agent wants to come over and build a PC with me in my basement and ask me what I'm up to, they're welcome to it.

If you have nothing to hide, please provide all your account data inc user names, password and so on for all of us to evaluate. Also provide your tax returns, financial data, loan documents etc. I suppose you could upload all relevant documents here. Also post ALL your financial transactions inc. what each one was for. Make sure to let your spouse, parents, friends, children, neighbors and work colleagues be part of this big showing.

 

You said you have nothing to hide. So, let's see...

 

 

AMD 9 7900 + Thermalright Peerless Assassin SE

Gigabyte B650m DS3H

2x16GB GSkill 60000 CL30

Samsung 980 Pro 2TB

Fractal Torrent Compact

Seasonic Focus Plus 550W Platinum

W11 Pro


5 hours ago, ApolloX75 said:

If you're not doing anything wrong, what do you have to hide?

 

I'm not doing anything wrong when I use the restroom.  Nor do I have anything to hide.  I still like my privacy so therefore I still close the bathroom door.

 

I lock my house when I leave as well.  Even if I knew someone was only going to go through my things and rummage through my files and whatnot and not actually STEAL anything. I would still lock my door.  Why? Because again, I like my privacy.  Liking my privacy does not equate to me "doing anything wrong".

 

 

CPU: AMD Ryzen 7 7800x3d  Motherboard:  Gigabyte B650 AORUS Elite  RAM:  Vengeance 2 x 16GB DDR5 6000   GPU:  Zotac RTX 4090

Storage:  M.2 Samsung Evo 860 TB / Samsung Evo 840 500GB   Case:  be quiet Dark Base 900   PSU: Corsair SHIFT RM1000x  Display:  ASUS AW3423DW QD-OLED 34" 3440x1440 Ultrawide w/ GSYNC


56 minutes ago, Lurking said:

If you have nothing to hide, please provide all your account data inc user names, password and so on for all of us to evaluate. Also provide your tax returns, financial data, loan documents etc. I suppose you could upload all relevant documents here. Also post ALL your financial transactions inc. what each one was for. Make sure to let your spouse, parents, friends, children, neighbors and work colleagues be part of this big showing.

 

You said you have nothing to hide. So, let's see...

 

 

Having nothing to hide from the government doesn't mean I will freely want to give my passwords to every random person on the internet.


23 minutes ago, mmaatt747 said:

I'm not doing anything wrong when I use the restroom.  Nor do I have anything to hide.  I still like my privacy so therefore I still close the bathroom door.

 

I lock my house when I leave as well.  Even if I knew someone was only going to go through my things and rummage through my files and whatnot and not actually STEAL anything. I would still lock my door.  Why? Because again, I like my privacy.  Liking my privacy does not equate to me "doing anything wrong".

 

 

Are you using Windows to type this, are you using Mac? Are you not using at least Linux, better still a Whonix VM in KVM, better yet QUBES?
 

 

Every application can run in a separate VM with full (but not easy) cut copy paste between everything. All USB can be handled by a VM (better have a PS/2 mouse and keyboard though). This gives the ultimate security. Having used it myself it is a bit of a curiosity and an experiment but not an OS that one can use regularly. Using Whonix in KVM for anything that really is sensitive while using base Linux is good enough for any normal person.


3 hours ago, da na said:

Desolder your chipset. No more ME!

 

Seriously though, shop around for a Latitude E6440 with disabled management engine. They started doing it back in the Core 2 era, late 2009 really. You'll find a sticker under the battery that looks like

[image]

The big 3 always means the management engine has been disabled (with no way to re-enable it). (1 stands for AMT/vPro, don't know what 2 is.)

On my Precision M6700 (With ME) there is a BIOS option where the Management Engine can be, well, managed. It cannot be turned off to the extent that Dell does it in-house without a modified bios, though.

[image]

Good to know some come with ME disabled. Do you know if the Radeon version is like that too?


These discussions always morph into silliness. Unless you are totally 'off the grid', which is pretty difficult to accomplish, the US has access to a bunch of stuff on you. If you work you need an SSN and you need to pay taxes, also likely a bank account. If you drive you need a license. You probably need a credit/debit card as well (try to pay for anything in Bitcoin and you will quickly find out that doesn't work). Software and hardware protections against malware and 'snooping' are no substitute for being a smart user.

Workstation PC Specs: CPU - i7 8700K; MoBo - ASUS TUF Z390; RAM - 32GB Crucial; GPU - Gigabyte RTX 1660 Super; PSU - SeaSonic Focus GX 650; Storage - 500GB Samsung EVO, 3x2TB WD HDD;  Case - Fractal Designs R6; OS - Win10


11 minutes ago, Alan G said:

These discussions always morph into silliness.  Unless you are totally 'off the grid' which is pretty difficult to accomplish, the US has access to a bunch of stuff on you.  If you work you need an SSN and you need to pay taxes also likely a bank account.  If you drive you need a license.  You probably need a credit/debit card as well

And the government sells all of that information to anyone who wants it:

 

https://www.newsweek.com/dmv-drivers-license-data-database-integrity-department-motor-vehicles-1458141

 

Case in point I recently registered a new LLC business with a completely made up name. No one but me and the state knows about it for now. But literally within 2 days I started to receive junk mail for it. Some of it very scammy.


2 minutes ago, dilpickle said:

And the government sells all of that information to anyone who wants it:

 

https://www.newsweek.com/dmv-drivers-license-data-database-integrity-department-motor-vehicles-1458141

 

Case in point I recently registered a new LLC business with a completely made up name. No one but me and the state knows about it for now. But literally within 2 days I started to receive junk mail for it. Some of it very scammy.

That stuff is all done at the State and not the Federal level.  I had an LLC consulting firm after retirement and got lots of junk mail as well.  I complained to the State licensing  board but it didn't do much good.  Your driver's license is also linked to your insurance company so that premiums can be adjusted if you get a ticket or are in an accident where a claim is filed.  There are countless other examples as well.

 

For those who have not read Pynchon's 'Gravity's Rainbow,' it is worth highlighting his 'Proverbs for Paranoids' (#5 has always been my fave):

 

1. You may never get to touch the Master, but you can tickle his creatures.

2. The innocence of the creature is in inverse proportion to the immorality of the Master.

3. If they can get you asking the wrong questions, they don't have to worry about answers.

4. You hide, They seek.

5. Paranoids are not paranoids because they're paranoid, but because they keep putting themselves, fucking idiots, deliberately into paranoid situations.


if you're this paranoid get coreboot / libreboot. there's only a small selection of computers that you can easily install it on tho. tbh tho u don't need to worry about the cia or terrorists or something idk backdooring into ur laptop with using the ime unless you're an activist, a journalist, a whistleblower or are otherwise a target of these kinds of attacks. normal people only need to worry about the security of their os and to not run FREE_ROBUX_HACK_WORKING_2015.exe on their pc.
