On Fri, Mar 6, 2020 at 12:03 PM Iznogoud <iznogoud at nobelware.com> wrote:
>
> >
> > While reading a little about the "Intel Management Engine" this post
> > came to mind. One issue of interest might be how the Intel ME (and other
> > brand) silent systems can send network traffic "out of band," even while
> > the main system is turned off but sideband power still on.
> >
>
> Well, let us know if you find out. I wanted to jail a system and see if it
> actually tries to "phone home". Alternatively, it may be listening for specific
> packets to arrive. I had a brief discussion with somebody (local to Mpls)
> who is part of the Libre BIOS movement about this. I hypothesized that the
> ICMP protocol (used for ping) is used to activate the IME of a given machine.
> Hard to actually detect this happening unless one is listening to open IP
> traffic ("man in the middle" style) and collecting ICMP packets for analysis.
> I do not have the time to work on implementing this now, but it can be done.
>
> > Apparently, nobody, even Google, knows how to turn this off.
> >
>
> This person, who reads this list, can direct you to flashing Libre BIOS to
> your system. We do not know for sure, but you are getting a BIOS other than
> what the system came with. I am uncertain of the details and how effective
> this is.
>
> (Will monitor this thread.)
>
Greetings

I may not be the individual whose response is being looked for but as the OP
I can outline what I have found and how I was able to stop said unwanted
communications originating from my system(s).

There were two specific items that I saw on my router usage graphs that
I was able to eliminate.

1. (Maybe the easiest) At some time in the night (variously at different times
between 01.00 and 02.30) the wireless devices (only 2, both Android operating
system) would burst communication somewhere. Said burst was over
200 kBit/sec and didn't last long but was present every night. Said devices are
now placed in 'airplane' mode at lights out by the primary user. No longer a
spike in wireless services outgoing in the night.

2. The second was actually a smaller spike that was happening 2x per hour
showing just about 85 seconds past the hour and the half hour. This spike,
outgoing information from wired devices, was tamed by removing the tab that
was the access to my gmail accounts. Second culprit removed!

I found the second culprit by using whois in a terminal and entering the
15 or so addresses that were in the log times as connected. About 80%
of the addresses (there were only 2 that each had 1 repetition so about
10 different addresses in about 4 discrete url ranges) were to ms 6oo6le
(hopefully decipherable!). I thought I'd try just removing the tab where
access to my email accounts was listed. Interesting that there is only
fairly closely matching spikes for usage unless I am downloading system
updates or other large files - - - then predominantly only incoming data.

There may be other ways of taming the 40k hp vacuum data slurp but
the foregoing is how I've been able to tame, at least somewhat, the monster
at this location.

HTH