me_cleaner VS hardened_malloc

Some times Intel version of Lenovo have a problem with Intel ME , check this out. LINK

Yes; there are several ways, depending heavily on the version, and ranging from most trustworthy to least trustworthy:

* By patching the ME firmware itself - see the me_cleaner project, and methods documented here: https://puri.sm/posts/deep-dive-into-intel-me-disablement/ . This is Pretty Reliable; the runtime code has been deleted from flash.

* By setting a bit in the flash configuration, assumed to be added for the US High Assurance program: https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bi... , https://www.ptsecurity.com/ww-en/analytics/disabling-intel-m... . This is Mostly Reliable; the mechanism has been fairly aggressively reverse engineered and was added for a program with strict requirements.

* By sending an HECI command that says "hey ME, turn off your runtime" https://review.coreboot.org/c/coreboot/+/52800 . This is Somewhat Reliable; the method is well understood and seems to work but I'm not sure someone has done a deep dive audit into whether it could be re-enabled somehow.

"...this is interesting is because POWER9 is basically the first time the public got a real view of how sophisticated the backstage cast actually is of a modern server CPU."

Not quite correct; the OpenSPARC T1 and T2 were publicly released and available by 2008.

https://www.oracle.com/servers/technologies/opensparc.html

"Large parts of this process are handled by vendor-supplied mystery firmware blobs, which may as well be boxes with “???” written in them.

The maintainers of the me_cleaner script likely have the clearest view of what is known.

https://github.com/corna/me_cleaner

Your dedicated laptop with disabled Intel ME running OpenBSD might be the gold standard choice for your hardware wallet. Main discussion here.

I consider a dedicated laptop with deactivated Intel ME running OpenBSD (maybe from USB flash) can be a much secure alternative to a proprietary hardware wallet connected to your casual multi-purpose laptop.

On a side note, if Intel has made it this hard to disable Intel ME, is the US government happy with this change? It was them who got the HAP bit part working, and I do not see any news suggesting they have another trick to disable Intel ME. Should I just assume that this still works? Has anybody here tried? And does me_cleaner still work (last updated in 2018: https://github.com/corna/me_cleaner)?

This is incorrect. Intel ME has an internal disablement mechanism: https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit this is the mechanism that it used by S76 and Purism.

If you are sensitive about the Intel Management Engine, the original Core 2 Duo/Quad systems are the last where it could be fully disabled.

Anything later will forcibly shut down after 30 minutes if (at least a fragment of) Intel's closed & bug-ridden monitoring code is not present.

I ran me_cleaner on a few of these systems, and I do all my finances with them running OpenBSD (usually on q9550s).

Yes, this effort to run old hardware is worth it for me. Below are the bios images that I was able to produce:

https://github.com/corna/me_cleaner/issues/233

Relevant copypasta:

Fellow humans, there are alternatives to Google and Apple! Your neck need not be under anyone's boot! You don't even need to give up any functionality:

Data service:

The simplest thing is to buy a prepaid SIM and top it off with cash. The lovely people over at /r/nocontract maintain a big spreadsheet so you can filter by various properties of the available contracts.

Another way to go is to pay for a postpaid plan with a virtual credit card (VCC) like at privacy.com. It won't be linked to your name at the telco, but of course privacy.com knows who you are. There is also Abine Blur, and some others.

Yet a third way to go, which is nascent, is buy an eSIM with crypto. You can also buy prepaid VCCs with crypto.

An interesting new choice is PGPP https://invisv.com/pgpp/ who rotate your IMSI and do some other cool stuff. It works by e-sims.

All these methods make you /pseudo/nymous, but obviously you're still identifiable by subscriber number and possibly IMEI, to put aside correlational things like your traffic profile. You can help this problem by routing everything through a VPN. Then you're pseudonymous but the cell carrier knows nothing about you other than that you use a VPN. Pay for the VPN with crypto. Of course now the VPN provider knows your traffic, but you're much more anonymous to them than you are to a telco. You make your choices. Defense in depth. Etc.

OS:

GrapheneOS: https://grapheneos.org/ Very much like Calyx, but extra-hardened and with no MicroG. No involvement with Google at all by default. You can make a secondary profile in which you install Google Play Services to set up an environment where you can run unprivileged Play services + whatever crapware you need that requires them. Unprivileged here means it's like any other app: if you don't give it access to your location, it won't know where you are. If you end the profile session when you leave, Play Services stops running and stops talking to Google.

CalyxOS: https://calyxos.org/ Privacy-respecting Android distribution that replaces Google spyware with MicroG, so you can have your cake and eat it too. Most everything will work as you're used to, but it does still talk to Google to make that happen.

LineageOS: https://lineageos.org/ The successor to CyanogenMod, will work with many different phones. More privacy and control than stock Android.

There are also many others: Sailfish, Replicant, e

Hardware:

CalyxOS and GrapheneOS run best on Pixels. The path of least resistance is to get one of these phones and run GrapheneOS with Google Services installed in one profile or other.

You could also buy a Librem 5 https://puri.sm/products/librem-5/ If privacy and security and hacking are really important to you.

Or a pinephone: https://www.pine64.org/pinephone/

Neither work very well by regular standards, but they're cool :-)

It might be worth to switch to GrapheneOS if you have Pixel phones: https://grapheneos.org/

It is a more serious project than LineageOS in the sense that they take security very seriously and they take their development more professionally too. There are no disadvantages to using GrapheneOS compared to LineageOS.

You can see a comparison here: https://eylenburg.github.io/android_comparison.htm

If it still powers up but just won't boot you could try installing https://grapheneos.org/.

On 4thgen Pixels and up you can install GrapheneOS which is a security and privacy focused Android build. It does not come with any Google services pre-installed but you can put them on. https://grapheneos.org/

yes... will also de-google it cuz we can install GrapheneOS and also close the bootloader