Why aren't companies pressuring Intel to remove or disable the ME? It seems like a huge security risk for entire organizations. It's especially difficult to fix when running Linux, and many organizations/servers use Linux.
I ask myself that question every time I read something about ME.
Possible answers, in ascending order of paranoia, are:
* A lot of people just don't care. "It's not gonna happen to me"
* Some customers like the remote management capabilities without having to spend money on licenses for vendor-specific remote management systems such as HP iLO. If you have to manage hundreds or thousands of machines, it can make your life a lot easier.
* The NSA tells Intel (and AMD) to put it in there or else.
I assume some customers talk to Intel about this. I vaguely recall reading that the NSA gets servers with ME disabled. So "They" are most certainly aware of the risks.
FWIW, a while ago someone posted a video of a talk on HN given by a Google employee who talked about replacing stuff like UEFI firmware in their servers with their own code. If that person keeps going down that road, it's just a matter of time before he runs into the Management Engine.
I really hope that this issue generates enough pressure on Intel/AMD to provide a way to disable or replace their proprietary ultra-privileged code. But it is not easy to explain this to people without sounding like a paranoiac.
>The NSA tells Intel (and AMD) to put it in there or else.
Exactly. And this is where mass surveillance comes into play: having dirt on anyone and being able to use it as leverage.
I.e., Intel is forced to put it in there or the NSA will 'leak' how they <insert illegal business practice Intel engaged in that will put them out of business if published.>
They were investigating flashing the ME for their compute cloud processors [0] to avoid the possibility of an ME vulnerability being exploited, which would greatly harm their reputation.