"Intel Inside" wasn't about the company, it was about the intelligence agencies.

I solve the security problem by storing critical sensitive information in my brain, then forgetting it.

To keep your CPUs from spying on you, you just run them over

"Bioluminescent" - Terry A Davis would be proud

Pretty sure TempleOS automatically patches this with divine microcoding.

Intel's security model is actually much more advanced than Security by Obscurity. Their actual security model is called "Trust Me, Bro" and it works like this: User: Intel, how can I know your system is secure? Intel: Trust me, bro! User: Can I see the source, so I can check for myself or let someone I trust check for me? Intel: Nah, bro, just trust us!

When you said “alphabet” I thought you meant Google not CIA, FBI, NSA... then I realized that was a distinction without a difference.

rest in peace, terry. our greatest programmer.

We're living in a 60s sci-fi writer's worst nightmare.

Poor MINIX, I worry it'll go down in history as "that spy OS used by Intel" despite it's long and proud career as an educational OS.

Intel Management Engine and AMD Platform Security runs at Ring -3, the most privileged ring in existence, and they are spywares indeed.

"Bioluminescent" 10/10

Builds a truly "libre" computer; installs Windows 10.

My grandpa worked for some part of his life in an encryption center for my country. He talked to me about stuff like this, I only vaguely remember it. I wish I was paying more attention back then.

I do believe one noted difference between Intel's ME and AMD's PSP, is that many of Intel's vulnerabilities were remotely exploitable where as AMD's required physical access. That is not an insignificant difference.

According to libreboot, anything from AMD's 15h architecture (Bulldozer) down should be fine, as they released the source code for them. Also, I got an ad for a schizophrenia medication at the end of this video. Fancy that.

USA : accusing tiktok for collecting users data Also USA : **looks away**

I remember reading somewhere, that some guy managed to get an Intel processor to run with a modified BIOS that lacks the Management Engine microcode needed for it to run; the CPU was working flawlessly, except for ANY kind of IP functions not working in any OS. I think this alone tells everything you need to know about this thing.

Protection Ring: 3: User Mode 2: Drivers 1: Drivers 0: Kernel -1: Hypervisor (virtual machine) -2: System Management Mode (operating system in the CPU) -3: Intel Management Engine (remote administration in intel cpu's)

The most secured computer is a pocket calculator

"There isn't much you can do about it" Reminds me if that line where a recalcitrant computer is threatened with a fire axe "I'll give you a reprogramming you won't forget". Almost anyone can disable IME. The clever thing is to disable it without disabling the rest of the CPU

Intel ME (Mossad Entrance)

This takes the word "intel" to a whole new level.

Aw man, time to build a room sized transistor computer out of soldered logic gates to run linux and avoid getting spied. Jokes aside, great video

The solution is clearly to design my own motherboard, so I can be sure there aren't more hidden mics than usual

There are already some senators who like to use something like this to get access to every piece of encrypted data on a consumer device if necessary... So they want to force all vendors to build something like this kind of spyware into all devices. This means that buying any device in the US will be equal to buying a full access backdoor to your own data.

about the last phrase of the video: unfortunately the computer started being developed in a elite group in universities and in the military, only later it became widespread in 1st world countries specially, so: this kinds of backdoor is really worrysome (is that the right word?) but for me it isn't that surprising, i didn't knew it was intel ME a spyware all along but the concept of a intentional backdoor in all consumer hardware wasn't a new thing to me

nope kernel runs on ring 0 on the main processor, rings 0 to 3 are actually implemented on the main processor (the one not of the Intel ME ) as a protection mechanism. So if the IME has some power over the main processor and not viceversa it would be fair to call the "ring on which it runs" ring -1.

So this was a 10 minute commercial for System 76

That's it, I'm dusting off my commodore 64.

It has been running the whole time on my computer and I didn't even know. Terrifying!

Minix is free and open source thoe, the book for Minix form Prof. Tanenbaum has all the source code at the end of the book. The Intel ME runs a propietary fork of Minix I wouldn’t call it pure Minix.

Me: "I should upgrade my old Q6600 file server, it still works but starting to show it's age." This video: "It's fine."

A bit beside the point, but I feel like you kind of missed the mark on the example about security by obscurity. Windows does not have more viruses created for it than Linux because it's closed source. It has more viruses created for it because it has a sigificantly larger userbase than Linux, and that userbase is also generally less tech savvy. The same goes for OSX, but not quite on the same scale

I recently bought a Dell precision 7540 and Intel ME disabled from the factory was the default option. I was pleasantly surprised to see that but this is Enterprise Dell so it makes sense. Also, because it's Enterprise Dell you don't get shafted. 4 SODIMM slots and 4 m.2 slots are in there. No funny business of "you opened it to add more ram so your warranty is void" or "you didn't order a second harddrive so we didn't soldier the other m.2 connector to the board" or anything like that. Built in gigabit Ethernet as well. It makes me sad though because laptops like this probably won't be around for much longer.

Wowie, thanks! Before, I wasn't really concerned because I thought "Sure, take my data, you won't be able to do shit with it anyway", but now the thought that someone at AMD could simply brick my PC remotely suddenly won't leave my head.

let's bring that templeOS back bois

"There isn't much you can do about it": A. I've thought of a cryptographic method that you could use to insulate your system's storage and memory from the ME. It's kinda complicated, and I dunno if any x86 os even supports it. However it is possible. B. Use ARM. ARM mfgs get to see the HDL. So, if ARM was hiding anything mfgs would know and word would get out. ARM's business model is inherently safer than Intel's & AMD's. C. If your protecting a nuclear ICBM silo in your backyard, you could use a high performance FPGA. An FPGA is like a programmable microchip. With an FPGA, you can design a CPU exactly how you like it. You don't actually need to design it yourself though. Just use an open source RISC-V core like the "Rocket Chip" or something. I think it's important to note that the ME can't just record all of your data. If the FBI (or CIA if you're a foreigner), or someone who reverse engineered the ME were after you, they could leverage the engine to to collect data from you. It's not as if this is happening to people and nobody knows about it though. The data would need to be exfiltrated somehow, and somebody would notice that.

Unlike intel ME, though, most AMD systems allow you to disable AMD's PSP. But then you don't have the on-board TPM to do secure boot with, which may or may not matter to you.

I worked IT in my college and I remember my boss making us go to every single computer in our inventory and install that Intel firmware patch. I didn't realize how truly bad it was.

Intel inside means a whole other thing now

IME doesn't just have ring 0 privileges, it actually runs in ring -2

thankfully there are some groups that are working on open source CPU designs. once they become ussble we can move our sensitive info there !

I found it heartwarming to know that Intel is so passionate about end-user experience. Silently. Watching. Always. 👁️👄👁️

If anyone out there is paranoid now, then buy a USB/PCIE network adapter, and abstain from using the integrated ethernet adapter on your motherboard (same goes for onboard wifi, if your motherboard supports it.) Why? Because Intel ME doesn't know how to use anything except for the integrated adapter(s), and therefore it will be unable to communicate with the outside world. That obviously doesn't fully disable ME, but it essentially neuters it.

Some time ago (months) I watched a video about China making a CPU. I remember commenting that I didn't trust them to *not* install a hardware backdoor... Guess I shoulda been looking closer to home. So has Intel and AMD said anything about _why_ these systems are installed?

Coreboot still can't remove the entire management engine. Also, ARM probably already has a similar management engine, at least on the Raspberry Pi, the GPU has VideoCore IV which can control the CPU.

Well, at least AMD says PSP can be disabled. Not that anybody trusts vendors in such things, but it can still be true (in theory).

*puts blanket over priceless jewel* "Now they'll never know where to look!"

Fun fact: If you somehow remove the Intel Management Engine, and the cpu doesn't see an Intel ME, the CPU will force the pc to shut itself off in exactly 30 minutes, regardless of what you're doing. One of my laptops has a corrupted ME configuration so it is very hard to work on Edit: found out from the guy that replied to me that modern intel cpus require me so yeah have fun removing it on the 12900k

7:43 "AMD has the same thing build into the motherboards" Shows an image with the PSP clearly on the SoC. Also, you can disable the PSP in the bios on AMD laptops (at least on my Lenovo Ideapad 5 15"). If they're doing something truly nefarious obviously that disable toggle won't actually do anything though.

Idk. about that whole disabling ME thing. I have have a friend who worked for Google and he said thay've meddled with it and even they are having a hard time disabling ME for good. They got it disabled only temporarily. Also he told me that ME being truly disabled in those laptops sold by companies like system76 is bullshit. But he says a lot of things so I wouldn't take his word as a granted truth.

Ever heard of the talpiot program, or unit 8200? The rabbit hole you just opened goes a lot deeper than you may be willing to go...

Watched this a while ago, but I just realized you called MINIX closed source. MINIX is an open source microkernel licensed under the BSD license. However, Intel made a derivative that is fully proprietary.

The real question is what is the total available byte length for preloaded code in ME. Since memory inside the processing chip has a premium, I believe it would be relatively small. That could give us more realistic bounds of what it can do with all the data it can "see" passing through it..

Still waiting for affordable OpenPower PCs

*To be clear,* System76 have *not* _successfully disabled the Intel Management Engine_ (9:42), only certain resources: _Disabling all functionality of the Intel ME is not possible. Methods for disabling runtime components vary between versions. System76 Open Firmware disables runtime components of the Intel ME using the most capable method possible._

You should've given us a reference as to what hardware is free from the x86 backdoor. For those interested, you can still get relatively recent AMD CPUs that don't ship with PSP; the first instance of a PSP ARM core implementation is with the late 16h family Puma micro-architecture (2014), so anything from Jaguar (2013) and beyond should be safe.

I've been sceptical about this subject. If there is a spyware, well, it has to transmit some sort of data to the desired control center. Me and a few of my colleagues, monitored network and systems with both Linux and Windows OS to make sure there is something going on.. But as much as I loved to prove this theory, we couldn't find any results ..

Anyone worried about Intel ME block you can block port range 16992:16995 on your router. Because ME network traffic runs on TCP/IP you can still block it. You just can't block it with the device that has ME.

I hope RISC-V will solve the Intel/AMD problem.

FYI, Minix isn’t a BSD, it’s its own OS written by a famous computer scientist (in CS circles) Andrew Tannenbaum. Lots good debates between him and Linus Torvalds back in the late 90s/early 2000s on OS architecture (especially monolithic kernel vs microkernel).

Gives a whole new depth to the logo "Intel inside".

Those Pre-2008 CPUs are looking better and better. Might have to pull out some old lemons, delid, over-clock the olden goldies.

"Bioluminescent government agents" Instasubbed.

Doesn't provide Purism a similar service to this with their laptops and NUCs besides System 76? It would also be interesting what exists on ARM chips similar to this. Because I would not assume that ARM chips are safe either considering the amount of chips inside of phones which couldn't be potentially be spied on if they were.

CPU that has spyware and it's in everyday. This is your daily dose of Recommendation

I found out about all this when it was first implement on our work tablets back in 2012. Wanna know how I worked out the capabilities of IME? I searched the Patent applications registry and found the applications by Intel. All capabilities were listed

This rabbit hole goes deeper than I ever thought.

Embedded microcontrollers should provide a secure hardware level of security when used with open source Linux, but at a reduced level of computing speed. Raspberry Pi, Nvidia Jetson NANO and other similar embedded systems (SoC) with GPU built in on the ARM Coretex system architecture don't have the management engine hardware built into them. This would be a good alternative for secure computing. Would the use of a Linux virtual machine running on Intel or AMD also provide a good level of security? Great video and information!

This is why my next build will use a SiFive RISC CPU and I'll just have to wait for gaming on RISC to catch up before I can stay up to date on games

iirc wiki says its ring -3 cba checkin

One can only wonder what the recent Chinese x86 CPUs do in the context of Intel ME and AMD PSP. It’s probably worse in a domestic Chinese context but makes you wonder a few things.

MINIX3 is not closed source - and as MEI has no storage on its own and doesn't sign the IFD (up to Skylake), you actually can control what segments you want to load. The structure is directly visible.

Really like your style of narration. This little background noice makes it even better, I'm kinda sinking into your space

All modern intel CPUs released before 10th gen and after 2008 now have CSME vulnerability that allows remote code execution. CVE-2019-0090, enjoy

Don't forget you can use hardware firewalls to at least control where your data goes. I've been wanting to get one to block Microsoft's forced updates as well

I decided a different route than buying S76, which was simply unplugging the machine. It’s brought a lot of piece of mind, reduction in carbon footprint & more free time (aided by unemployment).

The nice thing about the newer management engines is that you can actually control them yourself if you've got a newer vPro Intel CPU since it has a more advanced glowCPU (aka management engine) that can be used to perform actions on your PC remotely without having to be a federal agent to do so. You could actually install a completely different OS on your computer remotely on the new ones.

Hopefully in the future we’ll have more choice in the cpu market beyond intel and amd. Taking a look at the success of Apple’s M1 chips (not saying they lack spyware, I don’t know) I’d say there’s a reasonable chance we may see more companies enter the processor market. Perhaps a few that are privacy focused too.

You had *ONE* job! Just make freakin' processors!!!

5:14 Many companies do not afford their engineers the kind of time needed to chase down and fix vulnerabilities. Management is always focused on the new features, that's where the pressure gets applied.

There's also purism. They sell notebooks with disabled Intel ME (and other nice features).

Some motherboards allow it be disabled in the BIOS, other wise don't install the drivers and/or disable the device in device manager, for Intel, masquerades as "Simple Communications Controller". In the BIOS often described as a " Virtual Machine", ie a back door.

Well you can still theoretically block it at the network level, no? Assuming you can isolate what the connection is, can it be blocked at the router, if not an OS' firewall?

"it can bypass firewall configurations due to its dedicated network configuration" - this blips my "BS" radar. It can talk out the network port without the OS on that machine being able to use its own firewall to intercept it, sure. But the next firewall (perimeter equipment) WILL see that traffic, implied in your statement is that it can tunnel out through anything.

I'm old enough to remember when this was called a conspiracy theory.

I hear that AMD's PSP is not as bad as Intel's ME in that it can usually be disabled in the BIOS. They are also supposedly more friendly towards projects like Coreboot and Libreboot which would allow you to disable it.

Very nice to watch a KZbin video that doesn't sound like the creator has overdosed on caffeine, mainly due to too many edits.

Security by obscurity works but only when the device or software itself is obscure. For example, a completely custom, home-made OS will be inherently secure via obscurity simply because the only person with access to that OS is the person who made it. Trying to maintain obscurity for software or hardware that's readily distributed doesn't work because people still know it exists.

4:14 Viruses are designed to target the most systems possible, Linux, in respects to the normal end user, has a very small market share. There are so many viruses for Windows because it is so common so you can hit an exponential larger amount of people than a virus targeting Linux machines.

0:10 How about putting a firewall on your router and observing the traffic.

Can you do a dive into BIOS malware in general? Back when I was being actively targeted it happened on multiple machines of mine that BIOS would become compromised to bypass driver loading to prevent booting from external devices like CD/DVD or USB which would usually be needed to load isolated repair or rescue software.

This just gives a whole new meaning to they are always watching you.

Finally a reason to make me feel good to still b stuck with a old P45 chipset as main pc xD

so would it be possible to get one of these "non-IME" government CPUs from surplus auctions and shit? cuz i would definitely spend my time going through government auctions finding each and every i7 5xxx and higher chip i could and resell/hoard them if thats the case. wonder if intel just did a better job at masking it on them

It was always suspect when virtually all computers worldwide can only have an AMD or Intel CPU at the same time computers gained importance to everyday life at home or work. #phucked

Aren't IBM OpenPOWER CPUs another option that would at least give better performance than using an ancient Intel or AMD CPU? Or is there some issue with those that I'm not aware of? (I mean, apart for the eye-watering pricetag, and the reduced software support for anything that isn't x86_64 or ARM.)

exactly. at this point we got to make our own chips from scratch.

Don't store anything cool on something connected to the internet