TL;DR: Intel put a special High Assurance Platform (HAP) mode in ME for the US government. If toggled on, it disables all non-critical ME functionality. Questioned, Intel responded:
> In response to requests from customers with specialized requirements we sometimes explore the modification or disabling of certain features. In this case, the modifications were made at the request of equipment manufacturers in support of their customer’s evaluation of the US government’s “High Assurance Platform” program. These modifications underwent a limited validation cycle and are not an officially supported configuration.
Historically, high-assurance security used a mix of commodity and custom hardware. SCOMP had IO/MMU plus type enforcement at memory & storage level. Congress mandated use of commercial off-the-shelf which forced ports to insecure architectures. Aesec's GEMSOS, one of first security kernels, did some kind of custom firmware when ported to x86. Paul Karger, one of INFOSEC's founders, decided on VMM's for easier security & legacy compatibility with modifications to PALcode. Many products, like INTEGRITY-178B, targeted PowerPC to get better hardware with cross-selling to aerospace. General Dynamics with NSA modified Intel stuff with misnamed HAP (Linux + VMware aint high assurance). Others are doing custom CPU's and firmware designed for security whereas Joshua Edmison made attachment that reuses high-performing CPU's.
So, there's a long history in high-assurance security of securing each layer. Mainstream security ignored it as usual until recently focusing on that stuff. Many smart folks among them are trying to secure software on backdoored CPU's while others (eg Raptor POWER, Cambridge CHERI) are trying to give us non-backdoored systems. At one point, I knew most of the latter since so few are working on that angle. Rarely fix root cause over tactical mitigations.
basically govt finally learned about ME (like VNC built into CPU) and said "what?! are you kidding!?" and on second breath - "keep it on for everybody else though!"
>AMT is part of the Intel Management Engine, which is built into PCs with Intel vPro technology.
>Currently, AMT is available in desktops, servers, ultrabooks, tablets, and laptops with Intel Core vPro processor family, including Intel Core i3, i5, i7, and Intel Xeon processor E3-1200 product family.
AMT is a piece of software that runs on the Management Engine. vPro-enabled platforms are the ones aimed at business laptops and workstations, not consumer stuff. It's important to make the distinction because people can check, find that their machine doesn't have the VNC functionality and then assume that they don't have anything to worry about as far as the ME goes, which is a false sense of security.
i don't think you described the behavior of typical HN reader :) Anyway, vPro with VNC seems to be present on all consumer (ie. with IGP) CPUs, so there is nothing to worry about in the sense that one anyway can't do anything about it, and thus the worrying is futile.
No, it's not. AMT is only shipped on Core-series CPUs when they're accompanied with the business chipset rather than the consumer chipset. It's not an integral part of the ME, it's software that the OEM has to license and ship in their firmware.
> In response to requests from customers with specialized requirements we sometimes explore the modification or disabling of certain features. In this case, the modifications were made at the request of equipment manufacturers in support of their customer’s evaluation of the US government’s “High Assurance Platform” program. These modifications underwent a limited validation cycle and are not an officially supported configuration.