A Friendly Reminder to Buy Secondhand

[Deleted User]

Just got a heavily used Dell Optiplex 790 for parts from my university for scrap value. Threw in a hard drive and some RAM, and it ended up working very well. It came with an i5 2400, which is pretty slow by today's standards, but for a basic computer it's not bad at all, especially with Linux. After opening up the side once more to upgrade to a better CPU from the 2nd gen era, I found out this could be the most secure computer I've ever owned.

For those of you unaware, every Intel computer made after 2008 basically has a backdoor in it called the Intel Management Engine. This is meant to give enterprise administrators low level root access to computers remotely, but in recent years more and more vulnerabilities are being discovered that could mean attackers are able to break into Intel ME enabled computers and wreak havok. Because Intel ME works on such a low level with the BIOS, its privilege level is dangerously high. Intel ME exploits can affect any computer, with any OS.

Dell does deals with certain enterprises and government agencies to disable these management engines from the factory, and ONLY enterprises and governments get access to this option according to my research. End users that get Dell products either have to go through very risky BIOS modifications to disable it, or they have to shut up and deal with it. Because this computer was initially bought from Dell by my university, they got access to this feature upon purchase and chose to take advantage of it. Because I now bought it off of my university as surplus, that security feature was unintentionally passed onto me, part of the "unwashed masses" not worthy of such a feature. No risky BIOS mods for me, I get all the security I need right out of the box. Not to mention, a pretty decent computer despite its age.

Granted, I'll still have to deal with Meltdown and Spectre, but as far as I'm aware supposedly the Ubuntu kernel itself takes care of 90% of those vulnerabilites so I'll be okay.

Image attached of the factory tag so you know I'm not lying

 

[MoodyBlues]

Very interesting post, and it looks like you've gotten yourself a nice computer there. And, of course, the crowning touch: using Linux on it.

Personally, I don't buy secondhand...anything, but I admire your grabbing this and turning it into something with many useful years ahead of it. Good job!

 

[Deleted User]

Very interesting post, and it looks like you've gotten yourself a nice computer there. And, of course, the crowning touch: using Linux on it.

Personally, I don't buy secondhand...anything, but I admire your grabbing this and turning it into something with many useful years ahead of it. Good job!

I normally don't either, I just found one cheap and figured it would be good to screw around with at least, or to have a dedicated build server for the next time I want to make a ROM or something. Usually secondhand computers from businesses or colleges are junk, but every now and then you find a diamond in the rough, like I did with its Intel ME being disabled. Through this happy accident, I found out that ME being disabled is a common theme with old computers in this college, so mine specifically isn't unique

I wouldn't recommend something like a 2nd gen i5 as a daily driver for anyone unless you're on a tight budget, but for someone that's looking for a secondary computer for other purposes, and may specifically need one JUST for security, take a look at your local university. Many of them have government sponsored research labs. If the college uses Dell desktops/laptops, Dell gives businesses (especially the ones with government ties) the option to disable ME. If you get the option to buy surplus from a research lab specifically, the chances are high that it will have ME disabled from the factory as well.

Oh, also, don't delid 2nd gen CPUs. They don't have paste under the IHS, they're soldered on. I learned this the hard way

Still though, it may not be fast, but my old piece of junk from 2011 is more secure than 99% of computers out there

 

[Milo Willamson]

I normally don't either, I just found one cheap and figured it would be good to screw around with at least, or to have a dedicated build server for the next time I want to make a ROM or something. Usually secondhand computers from businesses or colleges are junk, but every now and then you find a diamond in the rough, like I did with its Intel ME being disabled. Through this happy accident, I found out that ME being disabled is a common theme with old computers in this college, so mine specifically isn't unique

I wouldn't recommend something like a 2nd gen i5 as a daily driver for anyone unless you're on a tight budget, but for someone that's looking for a secondary computer for other purposes, and may specifically need one JUST for security, take a look at your local university. Many of them have government sponsored research labs. If the college uses Dell desktops/laptops, Dell gives businesses (especially the ones with government ties) the option to disable ME. If you get the option to buy surplus from a research lab specifically, the chances are high that it will have ME disabled from the factory as well.

Oh, also, don't delid 2nd gen CPUs. They don't have paste under the IHS, they're soldered on. I learned this the hard way

Still though, it may not be fast, but my old piece of junk from 2011 is more secure than 99% of computers out there

I wonder how much more secure? I have mine from 2oo7ish.

 

[dontpanicbobby]

Being from Boston I assume you are talking about MIT's scrap sale? We're parochial like that.

I only use PCs at work. I switched to handhelds last decade or so. Anywho... Don't be surprised if I stop by this thread for further instructions.

 

[Deleted User]

I wonder how much more secure? I have mine from 2oo7ish.

Yours is secure. Intel ME didn't show up till 2008. If yours actually is from 2007, that's the last year before they started doing this crap, so hold onto that thing as long as you can.

It may not have been Intel's intentions, but ME is basically a GAPING backdoor on a BIOS level that allowed for full system access if exploited properly (on any OS). Having ME vs. not having ME or having a disabled ME is a theoretically huge difference.

Being from Boston I assume you are talking about MIT's scrap sale? We're parochial like that.

I only use PCs at work. I switched to handhelds last decade or so. Anywho... Don't be surprised if I stop by this thread for further instructions.

For me it's a college in PA. Feel free to check on any MIT PC junk sales though, some of those might be ME disabled.

In other news, my buddy just did a BIOS mod to clean Intel ME off of an old Lenovo Y40 I had. It worked. Turns out me_cleaner isn't as hard as I thought it would be, but doing the me_cleaner mod actually has some downsides. me_cleaner will break some thermal functions in certain OSes. Windows should be fine, but apparently in Linux you need to start the OS from the bootloader with a relaxed memory parameter otherwise it'll risk overloading the hardware. It also might cause some BIOSes to take longer to boot, because the BIOS is basically wasting time trying to figure out why Intel ME gets disabled midway through and eventually gives up.

If you or anyone else has any further questions don't hesitate to hit me up here

 

[Bearsyzf]

We used to have a program at work when they upgraded we would be able to purchase the old computers.

 

[Milo Willamson]

Yours is secure. Intel ME didn't show up till 2008. If yours actually is from 2007, that's the last year before they started doing this crap, so hold onto that thing as long as you can.

It may not have been Intel's intentions, but ME is basically a GAPING backdoor on a BIOS level that allowed for full system access if exploited properly (on any OS). Having ME vs. not having ME or having a disabled ME is a theoretically huge difference.


For me it's a college in PA. Feel free to check on any MIT PC junk sales though, some of those might be ME disabled.

In other news, my buddy just did a BIOS mod to clean Intel ME off of an old Lenovo Y40 I had. It worked. Turns out me_cleaner isn't as hard as I thought it would be, but doing the me_cleaner mod actually has some downsides. me_cleaner will break some thermal functions in certain OSes. Windows should be fine, but apparently in Linux you need to start the OS from the bootloader with a relaxed memory parameter otherwise it'll risk overloading the hardware. It also might cause some BIOSes to take longer to boot, because the BIOS is basically wasting time trying to figure out why Intel ME gets disabled midway through and eventually gives up.

If you or anyone else has any further questions don't hesitate to hit me up here

Thanks What is ME?

 

[Deleted User]

Thanks What is ME?

Intel Management Engine. BIOS level "administration" tool for Intel computers

 

[Milo Willamson]

Intel Management Engine. BIOS level "administration" tool for Intel computers

Ah thanks jasonmerc I never really got into the BIOS level of comptures, or tried anything to build my own p.c.