That only works for very simple surveillance. It has complete control over your hardware, and it can encode information that it wants to get off of the system in a variety of different ways.
If you want to firewall ports or IP addresses on the machine itself, that obviously doesn't do anything, so what you'd need to do is do it on your router (which you hope doesn't have a similar backdoor that cooperates with the ME). First you'd need to know what to block, which is difficult enough, and then you'd have to trust that that information doesn't change.
But even then all it takes is for AWS or CloudFlare or $Foo to collude with Intel to get at your juicy data again, so you really would need to work on a blocked-by-default basis, which is possible, but not really practical, depending on what you're doing.
It really depends on what your threat model is. If you're a high-value target to someone with a lot of resources, you're essentially screwed.
It can broadcast information via your speakers, and maybe even your microphone. It can encode data in the timing of your packets as they leave your system. It can encode data in its power consumption, it can encode data in what it sends to the screen, it can send data out via Bluetooth or Wi-Fi. There are probably more ways that I didn't think of off the top of my head.
We have Free Software all the way down to the firmware level. Not widely available, but the potential is there. That is good.
But for computers that we can really trust, we need to go deeper.
Just be mindful of the fact that you've only increased the difficulty of an attack; the vulnerability still exists. I've got a Lenovo that regularly sends out dhcp broadcasts, despite no dhcp code being on disk. It could just as easily call home with dns (sending recursive requests to the same ip as the last successful user-initiated query). The only way to fix a ring -N rootkit is to remove ring -N.
> sends out dhcp broadcasts, despite no dhcp code being on disk
Whoa, that's not just sitting there but actually actively doing stuff while bypassing your kernel. This sounds a lot scarier. Even though I know nothing about this Lenovo dhcp thing, observing it just makes it a lot more real to me.
No need, everything is compiled from source, no dhcp to be found, and the kernel's network stack shows no traffic, but the switch does. It is no secret that Intel ME does whatever it wants with the ethernet port.
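The observation in the two comments above (the kernel's network stack shows nothing, the switch sees DHCP broadcasts and could just as well see DNS queries) is a detection method in itself: capture on the host and on a switch mirror port at the same time and diff the two views. The script below is an added example, not code from anyone in this thread. It assumes a simplified one-frame-per-line text capture format (timestamp, source MAC, destination MAC, protocol, free-text summary) that you would produce from your own tooling, and all MACs, addresses and frames in it are constructed sample data. Two caveats are built in: the two capture points have different clocks, so frames are matched on content rather than on time, and a mirror port also sees other hosts' traffic, so only frames sourced from the laptop's own NIC MAC (which a management engine shares with the host) are reported.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    proto: str
    summary: str


def parse_capture(text: str) -> list[Frame]:
    """Parse the simplified capture format '<ts> <src_mac> <dst_mac> <proto> <summary...>'.

    The timestamp is deliberately dropped: host and switch clocks differ, so
    frames are compared on content only. Lines starting with '#' are comments.
    """
    frames = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, src, dst, proto, summary = line.split(None, 4)
        frames.append(Frame(src.lower(), dst.lower(), proto, summary))
    return frames


def out_of_band_frames(host_capture: str, switch_capture: str, nic_mac: str) -> list[Frame]:
    """Frames from nic_mac that the switch saw but the host's kernel never did.

    Counter subtraction is a multiset difference, so a frame the kernel sent
    once but the wire carried twice is still flagged once.
    """
    host = Counter(parse_capture(host_capture))
    switch = Counter(parse_capture(switch_capture))
    unseen = switch - host
    return [f for f in unseen.elements() if f.src_mac == nic_mac.lower()]


def classify(frame: Frame) -> str:
    """Short label explaining why an unseen frame matters."""
    if frame.proto == "DHCP":
        return "DHCP traffic with no DHCP client on disk"
    if frame.proto == "DNS":
        return "DNS query the kernel never issued (possible call-home channel)"
    return "unexplained out-of-band frame"


def report(host_capture: str, switch_capture: str, nic_mac: str) -> list[str]:
    """One human-readable line per frame emitted below the OS."""
    return [
        f"{f.proto} {f.src_mac} -> {f.dst_mac}: {f.summary} [{classify(f)}]"
        for f in out_of_band_frames(host_capture, switch_capture, nic_mac)
    ]


# Constructed sample data. aa:bb:cc:dd:ee:01 is the laptop's NIC, 00:11:22:33:44:55
# the gateway/resolver, aa:bb:cc:dd:ee:02 some other host on the same switch.
NIC_MAC = "aa:bb:cc:dd:ee:01"

HOST_CAPTURE = """
# constructed: capture taken on the laptop's own interface
1000.001 aa:bb:cc:dd:ee:01 00:11:22:33:44:55 DNS query A example.org
1000.050 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 DNS response A example.org 192.0.2.10
1000.100 aa:bb:cc:dd:ee:01 00:11:22:33:44:55 TCP SYN 192.0.2.10:443
"""

SWITCH_CAPTURE = """
# constructed: capture from the switch port mirroring the laptop's port
2000.001 aa:bb:cc:dd:ee:01 00:11:22:33:44:55 DNS query A example.org
2000.050 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 DNS response A example.org 192.0.2.10
2000.100 aa:bb:cc:dd:ee:01 00:11:22:33:44:55 TCP SYN 192.0.2.10:443
2003.000 aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff DHCP DISCOVER xid=0x1a2b3c4d
2004.200 aa:bb:cc:dd:ee:01 00:11:22:33:44:55 DNS query A updates.example.invalid
2004.500 aa:bb:cc:dd:ee:02 ff:ff:ff:ff:ff:ff ARP who-has 192.168.1.1
"""

if __name__ == "__main__":
    for line in report(HOST_CAPTURE, SWITCH_CAPTURE, NIC_MAC):
        print(line)
```

Run against the sample data it flags exactly the DHCP Discover and the second DNS query, which the kernel never sent; the other host's ARP is ignored because its source MAC is not the laptop's. The same comparison works with real captures if you convert them to the line format above; the important operational point is that the host-side capture must come from the kernel's view of the interface, since a capture taken on the switch or an inline tap will of course include the firmware's frames too.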