Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Intel Privacy Security

Is the 'Secret' Chip In Intel CPUs Really That Dangerous? (networkworld.com) 245

New submitter Miche67 writes: A recent Boing Boing blog post by Damien Zammit is stirring up fears, claiming Intel's x86 processors have a secret control mechanism that no one can audit or examine. And because of that, he says it could expose systems to undetectable rootkit attacks that cannot be killed.
Blogger Andy Patrizio, after talking with an Intel spokesperson, says the developer's argument has holes and he doesn't think Zammit will persuade Intel to replace the system with a free, open source option.

So, what we have is an open source crusader scaring the daylights out of people on a giant what-if scenario that even he admits couldn't happen in our lifetimes.

An Intel spokesperson told the publication: While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure. Intel has a defined set of policies and procedures, managed by a dedicated team, to actively monitor and respond to vulnerabilities identified in released products. In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise.


This discussion has been archived. No new comments can be posted.

Is the 'Secret' Chip In Intel CPUs Really That Dangerous?

Comments Filter:
  • by Anonymous Coward on Friday June 17, 2016 @03:41PM (#52339273)

    How nice ... Is there any history about how that has worked before?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      By its very nature, you never hear about the cases where "Security by Obscurity" actually works.

    • 1) carefully break hermetic seal of chip case in 0.15 micron clean room.
      2) locate IME section on silicon under 300x microscope per diagram {secret}
      3) using polygraphene pen under robotic control, connect IME die {secret} to {secret}.
      4) hermetically evacuate clean room to -300 torr
      5) reseal hermit chip case using {secret}

      6) PROFIT!!

    • by msauve ( 701917 ) on Friday June 17, 2016 @05:01PM (#52340001)
      "Is there any history about how that has worked before?"

      Sure, FBI sends "National Security Letter" to Intel, demanding they open the door without telling anyone. FBI then has unrestricted access to Intel systems, worldwide, but "no, you can't see the source code, it's secure, we promise."
    • by arglebargle_xiv ( 2212710 ) on Friday June 17, 2016 @09:41PM (#52341319)
      There's actually a lot of precedent for this sort of thing in the way of ILOM/DRAC/IPMI and similar capabilities. In fact Intel's AMT isn't really news, it's been there for years. A general pattern in all of these systems is the use of crappy old ARM processors, incredibly ancient Linux kernels (2.6.x), unpatched old binaries from God knows where, and coding like it's 1997 (strcpy(), fixed-length buffers, etc). There's lots of material out there on this, e.g. Dan Farmer's take [fish2.com]. Oh yeah, and you typically can't disable it, even when you think you've disabled it. My only surprise about all of this is that people are surprised by it.
  • by CajunArson ( 465943 ) on Friday June 17, 2016 @03:44PM (#52339303) Journal

    So from what I can tell, this entire fiasco is basically some blogger who was clearly ignorant of how enterprise management features that have been present in hardware for *years* having an "OMG YOU TRANSMIT YOUR IP ADDRESS TO THE WORLD EVERY TIME YOU GO TO A WEBSITE!!" moment.

    And it wasn't even that original since the same damn hissy fit gets thrown every year or so as memory serves, since this is by no means the first time I've heard the conspiracy theory.

    So, either this guy is an idiot (not discounting that at all) or he managed to troll people into generating clicky clicky ad revenue by recycling conspiracy theories. Some of the people being trolled might be willing participants to boot.

    • The biggest flaw I've heard in some early remote management systems was piss-poor security.

    • That sounds about right. As best I can tell from the article they are essentially talking about the kind of stuff you can do from a DRAC/IPMI port. But there is no requirement that you plug in an Ethernet cable into the associated port if you don't want to.

      • by bersl2 ( 689221 )

        You're going to make a comparison to IPMI?

        Start reading: http://fish2.com/ipmi/ [fish2.com]

      • by vux984 ( 928602 )

        As best I can tell from the article they are essentially talking about the kind of stuff you can do from a DRAC/IPMI port.

        And yes, don't you think a drac/ipmi functionality that had any exploitable security holes would represent a rather massive security issue?!

        I know certainly do. And most PCs that aren't using these features should probably have it off by default, don't you think?

        But there is no requirement that you plug in an Ethernet cable into the associated port if you don't want to.

        Many boards with it only have ethernet port. Its not necessarily a physically separate port like the ones on my servers.

        • The ones that I have used all have a separate ethernet port for the management console. So by default it is off as you need to physically plug in an extra cable (and configure it in the BIOS) before any of this matters.

          Show me a machine where you can't disable it in the BIOS, and where it shares the same ethernet port as the main machine, and then I will get a bit more excited.

          • by Jiro ( 131519 )

            All machines since 2008-2009 are "you can't disable it in the BIOS".

          • by cb88 ( 1410145 )
            In any case... "disable it in the BIOS" is a software switch that just disables documented interfaces it is highly doubtfult that it would disable undocumented backdoors.
          • by vux984 ( 928602 ) on Friday June 17, 2016 @06:04PM (#52340337)

            and where it shares the same ethernet port as the main machine

            Seriously? How about... practically all modern intel PCs. (very very few of which have a dedicated magement port)

            "The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current (as of 2015) Intel chipsets."

            https://en.wikipedia.org/wiki/... [wikipedia.org]

            So if you can find an modern Intel PC with a single ethernet port. It's got it.

            where you can't disable it in the BIOS

            Disabling AMT in bios, may not actually disable it, it may just disable exposing it as a device to the host operating system. There are *plenty* of posts from people who disabled AMT only to find it was still running, still picking up an address via DHCP, and still manageable via AMT management tools, even while the PC was "off".

            In general there generally are ways to disable it; I can't find a cite for a system where it literally couldn't be turned off.

            But.. even turning it off isn't reliable.

            "A Ring -3 rootkit was demonstrated by Invisible Things Lab for the Q35 chipset. [...] The ME rootkit could be installed regardless of whether the AMT is present or enabled on the system, as the chipset always contains the ARC ME coprocessor. "

            https://en.wikipedia.org/wiki/... [wikipedia.org]

            So even where AMT was disabled, the co-processor is still physically there and may be reachable/exploitable.

            Oh, and i forgot to mention, it works with laptops on wifi too.

            "Intel AMT supports wired and wireless networks. For wireless notebooks on battery power, OOB communication is available when the system is awake and connected to the corporate network, even if the OS is down."

            I certainly don't think this article does any justice to the situation. But at the same time, the management engine stuff is a giant gaping security hole that does present serious and non-trivial to mitigate risks when exploits are found.

            • by Burz ( 138833 )

              If I choose the option in my BIOS to *erase* the ME firmware, does that make it any better?

              • by vux984 ( 928602 )

                If your BIOS has that option, I'd think so,

                But the coprocessor is still physically there; and the prom space for firmware still writaeble, so the potential for a root-kit to infect the space still exists.

                Although at least remote exploit is unlikely; we're now at least talking about a local root privileges exploit to get the new infected firmware loaded; same as any other rootkit... although given it infects the ME firmware, you'd have to re-flash to get rid of it; assuming you managed to detect it.

              • If I choose the option in my BIOS to *erase* the ME firmware, does that make it any better?

                I was under the impression (from some of the sketchy online stuff touting it a few years back) that "erasing" the ME stuff actually consisted of erasing the configuration and returning it to factory settings.

                Presuming this is true: Since factory settings consist of it waiting for anybody claiming to be its owner, and having the necessary software tools, to configure it, "erasing" it takes it from only responding to t

        • To me, the whole concept of enterprise management is broken. We managed to put a man on the moon without IT goons sniffing around to make sure you weren't using unapproved software. And operating system built into the chip so that you can access it even when it's turned off, just seems bizarre, and to add this to *every* computer is overkill. If there are a few key computers that you need to access even when they're turned off then add extra third party hardware to those computers rather than having it bu

      • talking about the kind of stuff you can do from a DRAC/IPMI port.

        As far as I know it was an attempt to remove the dedicated processor that powers DRAC/iLO and relocate it to the Intel Chipset. It is a win for Intel in that it helps Dell and HP relocate management features to Intel chipsets and vendor lock in (cockblocking AMD further), while also removing expensive custom ICs that themselves were often buggy and flakey.

        It does have the ability to do some things that those solutions did not have the capab

        • while also removing expensive custom ICs that themselves were often buggy and flakey.

          And of course, Intel is never buggy and flaky.

    • It appears that you are correct that this "isn't new", but it also appears that the only answer ever received is "trust us". And while this isn't proof that the conspiracy theories are right, it isn't exactly proof that the "conspiracy theories" are wrong.

    • Still seems to me that it could be a significant concern, if not an immediate concern.

      I'd primarily be worried that if a serious vulnerability was discovered, that many systems could retain the vulnerability for many years due to the fact that motherboard BIOSes are frequently not updated for years at a time. Presumably the vulnerability could be mitigated at the OS level, but it still sounds like a potentially worrying source of attack, and I'd feel a lot better if it were made open-source.

    • So from what I can tell, this entire fiasco is basically some blogger who was clearly ignorant of how enterprise management features that have been present in hardware for *years*

      It is true that this is not new. It's not clear to me how many people are aware of it however.

      Intel ME has greater capabilities than I think it should have for its purpose. In fact, no one is sure of all its capabilities as it seems we'd discover a new and unexpected one every time we hit a bug (at the time, this was many times d

  • by Anonymous Coward

    The chip has the "power" to do many things including take secret control of a system, transfer files, read RAM, anything. No debate on that.

    The "debate" is whether security through Intel obscurity (un-auditable unless you work for them) can be trusted FROM NOW ON, without checkups.

    If history is any measure...

  • by Anonymous Coward on Friday June 17, 2016 @03:50PM (#52339361)

    In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise.

    Umm, if Intel is the only holder of the keys to the kingdom, then they get to decide when the need arises. In fact, how much do you want to bet that if someone is nice enough to bring an issue to Intel's attention and Intel decides to take no action that there's a "by the way, if you so much as make a peep about this we'll bury you in an avalanche of DMCA litigation for the rest of your natural life"?

    Forgive me if I'm skeptical about this. I think I'd rather have an agreement with Darth Vader. At least he doesn't pretend to be a nice guy.

    • I think I'd rather have an agreement with Darth Vader.

      Are you sure about that?

      https://www.youtube.com/watch?v=jsW9MlYu31g [youtube.com]

    • >if Intel is the only holder of the keys to the kingdom ...mighty big "if" you've got there. Seems to me that it's quite likely that from the moment this functionality was introduced, various three-letter agencies (among others) started trying to get unrestricted access to it. Maybe it's technologically bulletproof, the first such device on the planet. But even if so, you have to ask just how dedicated Intel is to keeping their keys secure. Will they refuse any and all threatening letters from the go

    • how much do you want to bet that if someone is nice enough to bring an issue to Intel's attention and Intel decides to take no action that there's a "by the way, if you so much as make a peep about this we'll bury you in an avalanche of DMCA litigation for the rest of your natural life"?

      Right, because there's no way to ANONYMOUSLY post vulnerability information on the internet... Every known bug out there was submitted with the person's legal name and current address.

      At some point, reality enters the equati

  • Stop worrying (Score:5, Insightful)

    by JustAnotherOldGuy ( 4145623 ) on Friday June 17, 2016 @03:53PM (#52339407) Journal

    "While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure."

    Well alrighty then, I feel so much better now. Because when a technology company says something is "very secure", you can take that to the bank!

    • Especially if you're an Eastern European cracker, huh?

    • Well alrighty then, I feel so much better now. Because when a technology company says something is "very secure", you can take that to the bank!

      What I want is to be secure from an Intel subjected to coercion by a corrupt government.

      • What I want is to be secure from an Intel subjected to coercion by a corrupt government.

        Then don't give Intel, or the corrupt government in question, access into your LAN.

        If the government has to gain physical access to tap into your local network so that they can possibly break into your computer via Intel AMT, well, that's just one small step from physically walking into the building and seizing your computer, anyhow, so why would they even bother with the AMT?

        • Then don't give Intel, or the corrupt government in question, access into your LAN.

          Malware happens. Malicious hardware can turn a harmless attack into an effective one.

          • Malware happens. Malicious hardware can turn a harmless attack into an effective one.

            Except AMT malware does NOT happen.

            At some point, reality enters the equation, and you just need to keep your extreme paranoia in-check. Does anybody here have ANY cases they can point to, where AMT was exploited? Wake me when 99% of computer exploits cease to be drive-by phishing, and Linux/FreeBSD/Firefox/etc. cease to have ANY bugs that can be exploited, requiring attackers to escalate to finding hardware bugs.

    • take that to the bank you are hitting to get an "unlisted" account from??

  • Odd.. (Score:3, Insightful)

    by kenh ( 9056 ) on Friday June 17, 2016 @03:53PM (#52339411) Homepage Journal

    This capability has existed in certain CPU/chipsets since the Intel Core processors were released yet to date no one has successfully 'hacked' into this well-advertised feature...

    Did this boing-boing blogger check with anyone that, you know, is fairly current on the Intel platform before exposing this 'incredible' security issue?

    • Re:Odd.. (Score:4, Insightful)

      by barc0001 ( 173002 ) on Friday June 17, 2016 @04:01PM (#52339475)

      > yet to date no one has successfully 'hacked' into this well-advertised feature...

      Not that we know of anyway. Generally the really bad guys don't publicize what they've found, they just use it. So who knows? For all we know there might be some cool new ransomware being developed right this instant that will deploy and activate in the next 3 months that locks up most of the Intel systems on the planet.

  • Yes (Score:5, Informative)

    by Opportunist ( 166417 ) on Friday June 17, 2016 @03:54PM (#52339423)

    Anything I cannot audit, I have to trust. I have no reason to trust Intel. So yes, it is potentially dangerous because I can neither audit nor trust it.

    • Re: Yes (Score:4, Informative)

      by kenh ( 9056 ) on Friday June 17, 2016 @03:58PM (#52339457) Homepage Journal

      Then turn it off in the BIOS.

      Seriously, this is not a 'secret' function built into the CPau, it is a feature implemented in chipset and controlled by a BIOS setting.

      • Re: Yes (Score:5, Insightful)

        by mrchaotica ( 681592 ) * on Friday June 17, 2016 @04:09PM (#52339545)

        That's horribly naive. Even if the interface claims that it's "off," there is no proof and no reason whatsoever to trust it.

        Trust comes from being able to read the source code (all of it), compile it yourself, and load it on the device. Nothing less.

        • by Kjella ( 173770 )

          That's horribly naive. Even if the interface claims that it's "off," there is no proof and no reason whatsoever to trust it. Trust comes from being able to read the source code (all of it), compile it yourself, and load it on the device. Nothing less.

          Without the hardware schematics and someone who can verify them there's no way to know what the hardware really does no matter what software you load on it. For example say there's a secret 1kB buffer that'll store the last 32 AES256 or 64 AES128 keys you've used with AES-NI, totally invisible. If you place the right 256-bit magic value in registers R12-R15 and call RDRAND, instead of doing its usual thing then and only then will it dump the keys out to you as "random" bits XOR'd with a second secret value.

      • once again, what guarantee do we have that port knocking won't activate the feature regardless of what's set in bios/uefi?

      • That was true for ME versions up to 6.0, but for newer intel hardware, you can't boot a system without ME involvement anymore. Quoting https://libreboot.org/faq/#int... [libreboot.org] :

        ME firmware versions 6.0 and later, which are found on all systems with an Intel Core i3/i5/i7 CPU and a PCH, include "ME Ingition" firmware that performs some hardware initialization and power management. If the ME's boot ROM does not find in the SPI flash memory an ME firmware manifest with a valid Intel signature, the whole PC will shut down after 30 minutes.

      • So then I have to trust the BIOS to actually do what it claims to do. It shifts the trust issue, but doesn't solve it.

    • Can you audit the rest of the CPU? You're already trusting Intel by using any of their chips.
    • Hmm. How much of the actual hardware in a system *can* you audit then?
      Off-the-shelves stuff is out of question: processors design at the hardware level is not something most of us can access, and I believe they also run some internal software over that, which is not accessible either. Same for the memory controller. *bridges are also out of the question. Mainline GPUs that can peek and poke through PCI, and most other extension cards almost always have some firmware parts that are closed sources.
      Granted,
      • What you can do here is audit at the interface. This can be quite taxing but it is at least possible. In the end, different hardware elements still have to communicate with each other and they have to rely on documented interface specs for this, and here is where you can insert the crowbar. Yes, that can entail creating your own hardware to take a "man in the middle" kind of approach when the communication is harder to decipher. Whether you really want to invest this much into your audit is up to you, but a

    • by muridae ( 966931 )

      Let's audit our system, then. First, we need to audit the CPU . . . oh, wait, do you have a tunneling electron microscope, cause I don't and we need to be sure that the actual die matches the supposed schematics. So we'll have to buy 10 CPUs from different locations, and analyse 9 of them to trust the 10th one. Yeah, the AMT is in there, but you have to get that first part of the audit done first.

      Now, assuming you've gotten that far, and are willing to postpone auditing the AMT for now, it's time to audit t

  • If they are confident of their security, they ought to be able to get Lloyds to insure users against any break-ins or damages at the few X 100B$ level. Oh, maybe they can't convince Lloyds that it is *that* secure?

    One thing that Snowdon taught us is that even the NSA cannot protect secrets. And yes, you can fault the entire program because of a single slip up.

  • by lkcl ( 517947 ) <lkcl@lkcl.net> on Friday June 17, 2016 @04:10PM (#52339563) Homepage

    there is some empirical evidence - nothing concrete that can be shared publicly - which tends to suggest that the RSA private key that Intel uses is already known and in use. if nothing else, you should not be reassured that there have been no "gagging orders" that come out of the U.S. Government on a regular basis, preventing and prohibiting companies from telling anyone that "yes we have had the NSA knocking on our door and yes we were forced to give them the RSA private key because otherwise they threatened that whoops, it would be really hard to get export licenses for our processors".

    this kind of threat by security services is not outside the realm of possibility: it already happens, and i have met someone who was present at a meeting (with GCHQ) in which this type of threat to destabilise their business model was actually made.

    there is a really simple solution, here: don't buy systems with intel processors. that assumes of course that people are making systems for sale that don't have intel processors... and that's exactly what i'm doing. i'm not one for complaining *without* actually doing something about it, so if you'd like to sign up for the crowdfunding campaign which will launch very shortly, you can do so here - http://crowdsupply.com/eoma68 [crowdsupply.com]

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      people are making systems for sale that don't have intel processors... and that's exactly what i'm doing. i'm not one for complaining *without* actually doing something about it

      ... Because you expect us to believe that Allwinner wouldn't obey the Chinese-government equivalent of a National Security Letter?

  • "on a giant what-if scenario that even he admits couldn't happen in our lifetimes." AGW.
  • by WaffleMonster ( 969671 ) on Friday June 17, 2016 @04:13PM (#52339591)

    AMT allows anyone who can broadcast DHCP and legitimately purchase a certificate from a CA to own your system while if it isn't even turned on.

    If there is a defect (as if the above isn't bad enough) they won't bother to fix their bugs once they have decided your hardware is no longer worth their time to support... same as IPMI vendors and all the rest.

    Even when you turn off "AMT" in bios if you are lucky enough to even have that option which I do not... it is STILL there listening. The only way I've found to limit this unnecessary and unwanted system within a system madness is to disable the hardware virtualization feature which prevents sharing of hardware with IME and operating system.

    • Or you could just disable your PC's on-board ethernet port in the BIOS, and add a 3COM ethernet card and use that instead. Won't the IME be surprised when it cannot control another company's hardware!
  • If this latest revelation scares you, you'll go apoplectic to discover that this is SOP in IC design. Just about every IC more complicated than a 555 timer, from processors to Wi-Fi chips to you-name-it, has internal processors controlling substantially every part of their operation. It's a common technique to control every block one designs with an embedded core and a bit of code (in RAM, so that one could adjust the operation of the block after the design came back from fab by reloading RAM), making an

  • by twistedcubic ( 577194 ) on Friday June 17, 2016 @04:18PM (#52339643)

    While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure.

    I almost fell out of my chair laughing when I saw this.
  • Brief answer (Score:5, Interesting)

    by Improv ( 2467 ) <pgunn01@gmail.com> on Friday June 17, 2016 @04:18PM (#52339645) Homepage Journal

    No. Obviously not and the guy stirring up trouble is either underinformed or irresponsible.

    Most of the hardware in your computer isn't something you get (or could get) a gate diagram from. You'd never know if something is in there that theoretically could be triggered to do something. That's the way hardware is. This guy is fussing over a publicly known feature that people are using in the enterprise to manage systems en masse. It doesn't open some magic wormhole to the control system - it requires a clear path of access and a setup and all that fun stuff. Meaning if you want to use IME, you need to set it up on all the systems for your network environment and debug it and build tooling around it. It's not fun to get that stuff right, and often not that easy.

    It's not impossible that there's a backdoor in IME, but it's just as easy to imagine a backdoor anywhere else in your system. It's hard to imagine how one could ever be confident that that's not the case. So the focus and the anger is misaimed.

    • Most other hardware doesn't have the external and CPU interfaces. A disk driver probably cannot do anything very useful with the data it sees if you use disk encryption. It can't read the data and probably doesn't have external network access.

      This management system by design has low level access to the CPU and external interfaces. It is potentially a much more capable hacking tool.

      Its not easy to think of a reason that there is not a local hardware disable since the management capabilities are not needed b

  • While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure. ,,, there are mechanisms in place to address vulnerabilities should the need arise.

    Perhaps true, but this kind of talk makes my ass twitch.

  • by khz6955 ( 4502517 ) on Friday June 17, 2016 @04:50PM (#52339917)
    'Intel Management Engine (ME) .. described as "an extra general purpose computer running a firmware blob .. a chip protected by RSA 2048 security on a chip'

    Can I replace this firmware blob with one of my own?

    Can I replace the RSA key with one of my own?

    Can I audit this firmware blob to see what it does?

    Can I disable this ME subsystem?

    Who else can access this ME subsystem?

    "there are mechanisms in place to address vulnerabilities should the need arise."

    So basically Intel and any designated third party can access your computer regardless of in place security mechanisms.
  • i am sure every cracker/hacker in the world is looking for access to this hidden system within the system
  • It's a service processor. No big deal in itself, we had them as far back as mainframes go. The VAX-11/780 I worked on/with in college in the early 80s had a small PDP-11 (an LSI-11/23) in the bottom as a service processor. I'd be more worried about a much more direct avenue of attack: microcode updates. Every Windows system and most Linux boxes include the packages to take the latest firmware updates from Intel and AMD and download them into the CPU during system boot. If Intel wants to put something malici

  • But to get there, you have to break a chip protected by RSA 2048 security on a chip that can't be audited or examined. That's 2,048-bit security, which would require any attempt to break it to factorize semi-primes with approximately 617 decimal digits, which Zammit admits at this point is "pretty much impossible in one human lifetime for anyone with the biggest supercomputer."

    Holy shit, this ("nobody will guess the password") is the excuse?! I especially loved the dumbed-down "that's 2,048-bit security."

    • It's not just that, it makes the assumption that the only way in is by factoring the 2K RSA modulus. That's not how you get in, it's by exploiting a vuln in the 12-year-old copy of OpenSSL that it's using for the crypto, or using a TCP stack exploit that other vendors patched in 1997, or taking advantage of the fact that the incoming data is copied into a fixed-size buffer with strcpy(), or a million other code-like-its-1997 practices that are common in these management-engine devices. You don't even both
  • and you're still using Intel.

  • Come on!! How can that even count as a "response"? The TFA just reiterate the original article, but punctuating it by the author's unexplainable hate for anything open,and at the very bottom, it quotes an "Intel Spokesman" in a few lines just saying "it is very secure".

    All right! I feel safer already!

  • "An Intel spokesperson told the publication: While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure. Intel has a defined set of policies and procedures, managed by a dedicated team, to actively monitor and respond to vulnerabilities identified in released products. In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise. But WE'RE using it as a back door. I mean come on."
    • by flacco ( 324089 )

      Oh, well, OK, if there are policies and procedures, and mechanisms, and stuff, I guess it's all cool.

      The simple question is: if this is a "product" for enterprise "management", why isn't it possible to turn this godforsaken surveillance engine OFF at the hardware level?

  • by flacco ( 324089 ) on Friday June 17, 2016 @11:24PM (#52341663)

    > namely, if it can be compromised by a rootkit

    It fucking IS a rootkit.

    Christ.

No spitting on the Bus! Thank you, The Mgt.

Working...