The Bad Thing




What is "the bad thing"?

Let's say somebody told you that inside your laptop (and everybody else's laptop, plus lots of servers) there is a secret second computer which runs a secret body of code which can secretly examine and change any part of the system, and secretly send and receive data over Wi-Fi and wired Ethernet networks.

Probably you would answer "Yeah, right, and please take off your tin-foil hat". But what if you are wrong?

What if there really is a secret second computer hidden inside your computer? Even worse, what if the secret program running inside the secret second computer has security vulnerabilities so that attackers can run secret code on the secret computer inside your computer? What could be worse than that??? Ok, what if you can't turn it off?

Well, it's true. If you have a laptop newer than roughly 2010, whether the processor is Intel or AMD, it probably includes a thing that Intel calls the "Management Engine". The quick version of the story is:

Document Dump

Here is some publicly available information about ME.

About This Document

For a while I sporadically sent mail to people I know (largely technologists) about this--first, when I found out about it, so people could think about the likely future implications, then later, as the obvious implications became real, about the things that had been realized. The purpose of this page is to make some history available in a single place, so I can send people a URL instead of mail.

The moral of the story is, I think, that if you ask "What could possibly go wrong?" and a bunch of answers suggest themselves, it is probably a good idea to think carefully about what will happen when those things go wrong, because probably they will. (If you don't ask "What could possibly go wrong?" when deploying a secret computer running a mandatory secret body of code including a web server, well, maybe you should.)

The other moral of the story, I think, is that people might want to insist on computers that run code all of which can be inspected (see, e.g., Libreboot).



davide+receptionist@cs.cmu.edu