
Intel Shows RealVNC Embedded In the BIOS

timothy posted about 2 years ago | from the no-not-that-other-idf dept.

Intel 154

LWATCDR writes "At Intel Developer Forum, Intel and RealVNC demoed RealVNC integrated at the BIOS level. Using VNC, one can now power down, power up, reboot, go into the BIOS, and even mount disk images on the network. All of this has been available for a while using IPMI but now it can be done using the open standard VNC. It is available now on Q57 and Q67 motherboards. One can just imagine how useful this could be in a data center, school, or any other system with a large number of computers. Let's hope AMD joins in."


154 comments

And how bad it becomes when a vuln is found (3, Insightful)

djsmiley (752149) | about 2 years ago | (#37456918)

So..... we've had someone (I forget if it was AMD or Intel teaming up with Trend Micro to look for malware at the lowest possible hardware level) and then in the same week an announcement about how you can have remote visuals for your WHOLE system from outside the O/S?

While it's useful if your server decides to hang and you don't know why - but this exists in DRAC cards and other forms of remote management for systems which NEED it. I don't think I've ever had to access the BIOS of a consumer level device remotely before, or even thought I'd be a wildly good idea...

So when a vuln is found, which it WILL be, everyone has to update their BIOS now? I know of a lot of people who are going to be very unhappy about that idea! - hey, at least they could do it remotely? (maybe!)

Re:And how bad it becomes when a vuln is found (0)

Anonymous Coward | about 2 years ago | (#37456956)

That's why I stopped shopping for Intel products. Not ever. Forever.

Re:And how bad it becomes when a vuln is found (2)

durrr (1316311) | about 2 years ago | (#37456972)

Would it be possible that a vulnerability allowed normal bios patching to be blocked too? Meaning that the hardware could be more or less irreversibly compromised... Sounds like a brilliant stroke of stupid.

Re:And how bad it becomes when a vuln is found (1)

vlm (69642) | about 2 years ago | (#37457382)

Would it be possible that a vulnerability allowed normal bios patching to be blocked too? Meaning that the hardware could be more or less irreversibly compromised... Sounds like a brilliant stroke of stupid.

They make money off every bricked / overheated / burned out MB / CPU. Stupid for anyone to buy, brilliant for them to try and sell.

Heck they could even write the windows worm themselves to cause maximum damage... set fan speed to lowest, set CPU voltage to maximum, set CPU speed to max, disable thermal throttling... insta-profit!!!!!

Re:And how bad it becomes when a vuln is found (1)

DJLuc1d (1010987) | about 2 years ago | (#37457688)

That takes the cake in paranoia... Like they couldn't do this already to maximize profits ?

Re:And how bad it becomes when a vuln is found (2)

Joce640k (829181) | about 2 years ago | (#37457796)

Look on the bright side: At least the Linux users won't be able to act all smug about how much more secure their machines are then Windows machines.

Re:And how bad it becomes when a vuln is found (0)

Anonymous Coward | about 2 years ago | (#37458258)

And then Windows machines what?

Re:And how bad it becomes when a vuln is found (1)

icebike (68054) | about 2 years ago | (#37458380)

Linux users would know enough to never hook a cat5 cable to the on-board nic, at least not a cable exposed to the internet.
They would simply install an add-in nic for the public side of the machine.

Re:And how bad it becomes when a vuln is found (0)

Anonymous Coward | about 2 years ago | (#37458726)

Wouldn't a Linux user be smart enough to disable it in the BIOS and save some cash on a redundant NIC?

Re:And how bad it becomes when a vuln is found (2)

icebike (68054) | about 2 years ago | (#37458806)

You presume that is possible. And you presume the disabling is actually honored.
I looked at the BIOS screens very carefully and saw no such option.

Re:And how bad it becomes when a vuln is found (1)

asdfghjklqwertyuiop (649296) | about 2 years ago | (#37457584)

There have been remote console mechanisms for PCs for a very long time now. I don't know why everyone suddenly thinks this is something new and shocking.

Re:And how bad it becomes when a vuln is found (1)

cayenne8 (626475) | about 2 years ago | (#37457622)

Yeah..but VNC is pretty insecure isn't it?

I mean, we have it on many boxes, but you have to run an SSH tunnel to the box to run VNC through to keep things a bit more secure.

I can't see them doing that in the BIOS...or can they?

Re:And how bad it becomes when a vuln is found (1)

asdfghjklqwertyuiop (649296) | about 2 years ago | (#37457724)

Probably no more secure than the existing PC remote console systems (i.e. not very good). I don't expect this to be any better than the existing stuff, just cheaper. Hopefully this thing by Intel will have its own network port or at least the ability to be on its own VLAN like the existing ones so it can be segregated network-wise.

Re:And how bad it becomes when a vuln is found (1)

icebike (68054) | about 2 years ago | (#37458456)

Actually if you watch the video you will see some stuff that is better than the existing stuff.
Such as mounting an ISO on the GUEST machine over the network to be used by the Host machine.
Most of the current tools don't allow manipulating things in the bios without flaky and expensive additional hardware.
(So flaky and so expensive that you almost never see this stuff deployed in real life).

If Intel can manage the security properly this would be very valuable.

As demonstrated in the video, there still seems to be a requirement for someone to read a number from the screen of the remote machine over the phone to the person doing the remote manipulation, however this might have been a choice they made for the demo so as not to reveal just how prone to hacking this might be.

Re:And how bad it becomes when a vuln is found (1)

Anonymous Coward | about 2 years ago | (#37458248)

From TFA:

Last year, RealVNC teamed up with Intel to incorporate a bona fide VNC server (using hardware encryption native to vPro chipsets)

I don't know why I read the comments on this site anymore. Once upon a time it was 80% morons and maybe 10% of posters had read the article. If only I knew how much I'd wind up missing those days....

Re:And how bad it becomes when a vuln is found (2)

LWATCDR (28044) | about 2 years ago | (#37458944)

Thanks for pointing that out. Wow I never knew how many people just read the summary. When I wrote that summary I covered that this was already available. That the abilities are not that new but have been around for a while on systems using IPMI, and what chipsets supported it. I left out that it was encrypted front to back because I actually thought that everyone and their dog would just assume that it was or read the article if they didn't bother to watch the video.
You know I really made an effort to write a non-inflammatory, informative, and factual summary. Oh well maybe next time.

Re:And how bad it becomes when a vuln is found (1)

drinkypoo (153816) | about 2 years ago | (#37457628)

Would it be possible that a vulnerability allowed normal bios patching to be blocked too?

No.

Meaning that the hardware could be more or less irreversibly compromised... Sounds like a brilliant stroke of stupid.

Perhaps you should read up on IPMI (mentioned above) before you come to such conclusions. It's a whole separate computer inside your computer (generally just in servers) which can share your ethernet port and which can manage your system. Generally speaking they provide sensor access (handy on platforms which otherwise obscure it) as well as remote shutdown, startup, reflash, and usually BIOS config, albeit through their interface. There are generally working IPMI tools for Linux. I had an eServer 325 for a moment (not that exciting though and very loud) which had an IPMI module and it was dandy.

Re:And how bad it becomes when a vuln is found (0)

Anonymous Coward | about 2 years ago | (#37458024)

stupid....this will be a gift for anyone smart enough to reverse engineer realvnc.........aaaahhh...the whole world. Great for sniffing traffic. yes, the convenience to vnc into the bios is great....until vnc needs to be updated because of a known security vulnerability. time to take the system offline to reload the software ... in the bios.

Re:And how bad it becomes when a vuln is found (4, Insightful)

jhigh (657789) | about 2 years ago | (#37456978)

I don't think I've ever had to access the BIOS of a consumer level device remotely before, or even thought I'd be a wildly good idea...

You've obviously never worked in kiosks before - this would be endlessly useful for any company supporting a large number of kiosk computers. That being said, your point about possible vulnerabilities is well put. However, we can't let potential vulnerabilities get in the way of advancing technology. Just like I'm sure there will be some creative way for the bad guys to exploit this, I'm just as sure that there will be some equally creative way for the good guys to protect this.

Re:And how bad it becomes when a vuln is found (1)

halfEvilTech (1171369) | about 2 years ago | (#37457066)

Yes and it now gives those "security vendors" even more ammunition to sell snake oil products to protect your BIOS.

I can see the sales line now...

Buy the all new BIOS ULTRA DEFFENDER DELUXE 2XXX SUITE ENTERPRISE. Only $99.99 per server this week only. Don't let those pesky hackers take over your servers.

Re:And how bad it becomes when a vuln is found (0)

Anonymous Coward | about 2 years ago | (#37457190)

I ticked "Foe" for that shitty joke.

Re:And how bad it becomes when a vuln is found (0)

Anonymous Coward | about 2 years ago | (#37457310)

I ticked "Foe" for that shitty attitude.

Re:And how bad it becomes when a vuln is found (0)

Anonymous Coward | about 2 years ago | (#37457086)

Agreed, down with the mentality of avoiding progression because someone could do something bad if the stars and moon align. I also see many ways this could be useful, and it's also much cheaper than alternatives.

Re:And how bad it becomes when a vuln is found (0)

Anonymous Coward | about 2 years ago | (#37457198)

That's PHB thinking.

Is the system compromise likely to occur soon, or unlikely? I don't trust the sensibility of the designers and programmers as far as security goes, so I think that the security breaches will happen quite soon after release.

Re:And how bad it becomes when a vuln is found (1)

shawn(at)fsu (447153) | about 2 years ago | (#37457720)

If you are so worried about security why are you accessing the internet at all? For that matter why do you even have a computer? Do you also not use a credit card or check card? It was pointed out quite eloquently above. "we can't let potential vulnerabilities get in the way of advancing technology."

Re:And how bad it becomes when a vuln is found (1)

The Moof (859402) | about 2 years ago | (#37457486)

Maybe I'm missing something about the kiosk industry (it's been a long time). Booting up can be done via wake-on-LAN [wikipedia.org], shutting down remotely is built in at the OS level. What BIOS functionality would you need to access that doesn't require you to already be physically in the box?

Re:And how bad it becomes when a vuln is found (1)

darksabre (250838) | about 2 years ago | (#37457940)

How about the OS is hosed and you want to force a PXE boot in order to re-image the disk?

Re:And how bad it becomes when a vuln is found (1)

Bengie (1121981) | about 2 years ago | (#37457956)

Intel is saying you can now do remote boot options, prior to the OS starting up. Remote into the BIOS, then tell the machine to boot from the NIC instead of the HD, then run memtest or something.

Re:And how bad it becomes when a vuln is found (1)

ThatsNotPudding (1045640) | about 2 years ago | (#37457700)

I'm just as sure that there will be some equally creative way for the good guys to protect this.

Exactly how can a vulnerability burned into silicon be 'protected'?

Re:And how bad it becomes when a vuln is found (1)

Unequivocal (155957) | about 2 years ago | (#37458106)

It's not burned into the silicon, it's loaded in the BIOS. Which implies it can be updated in the bios when vulns are found.

Re:And how bad it becomes when a vuln is found (1)

Anonymous Coward | about 2 years ago | (#37457644)

Some of the DRAC cards used VNC as the display protocol; they had some proprietary stuff on top to do other things though. I could see this being useful for geeks; if I'm watching the baby play in the living room I can't easily be in the office getting my computer back up. I just hope they shipped disabled so that those who want it can enable it but if the user is unaware of the feature it can't be used to compromise it.

Re:And how bad it becomes when a vuln is found (1)

nine-times (778537) | about 2 years ago | (#37458130)

I would assume that this is something that is available in the BIOS, but that you can turn it off. The default should probably be for it to be turned off.

Re:And how bad it becomes when a vuln is found (1)

Truekaiser (724672) | about 2 years ago | (#37458302)

call me paranoid, but the security risks of having this in general user hardware may be used as the stick to push a more general adoption of tpm hardware for general use as a carrot to fix the problems this creates.

tpm hardware, when used in a server setting is useful, and it's the only place it's useful as a server needs to be reliable and the software needs to be trusted in the mission critical roles they are used for. tpm has no practical purpose on a normal level desktop other than consolizing the normal pc and locking it down to only run one os(windows) and only approved windows software(no foss ports or indie devs). this is because normal antivirus software in windows does a good enough job along with proper use practices or better quality code design as in other pc operating systems.

Re:And how bad it becomes when a vuln is found (1)

sjames (1099) | about 2 years ago | (#37458724)

IPMI has supported serial over LAN for ages, and server BIOS have supported redirect to serial for even longer.

You just fire up the IPMI client, cycle power (telling it to boot into BIOS), then go to the serial over lan console.

In an office environment, it would be quite useful on the desktop. Not just for support, but for daily operations like powering up just before work so people don't leave them on all night to save the morning annoyance. In the home, I can see it being quite useful to parents wanting to monitor the kid's computer (but look out, lest the kids turn the tables!).

All of that said, adding VNC to IPMI's serial over LAN would be helpful when dealing with GUI addicted OSes from Redmond (I don't know if OSX can be installed over serial+lan or not).

The better remote management arrangements DO allow a remote BIOS update, even if the BIOS was corrupted so that the main computer won't boot. The service processor has its own ROM and can re-flash the BIOS over I2C/smbus.

The downside on the desktop is that too many people won't bother setting a password.

REALLY useful (0)

Anonymous Coward | about 2 years ago | (#37456926)

So, let's see... Intel is trying to extend their binary-only ugly turd of a software blob called BIOS to include applications. Yeah, that's REALLY useful. Give me the source of the BIOS and a license so I can build and distribute it with alternative stuff and maybe I'll call it useful. Otherwise it's evil and useless. I don't want it at all and I hope it doesn't catch on.

Re:REALLY useful (3, Interesting)

Cylix (55374) | about 2 years ago | (#37457112)

More than likely this is integrated at the BMC (baseboard management controller). While the BMC may be integrated into the system and a few values override some of the DMI it is not technically the BIOS. I've run into several systems with dead BMCs and they will happily chug along and act mostly normal. (DMI values revert to the BIOS provided values)

You can obtain the source to the FRU and play to your heart's content. Unfortunately, these are typically available on their high end S5000 and above series boards. SuperMicro makes some cheap boards with IPMI, but I don't know if it is a similar BMC setup. Now, the kicker is the BMC is just Linux on a chip managed through IPMI. You can obtain and modify this to your heart's content. Though I don't know if they left out any bits and the system firmware is still a binary blob I believe.

Needs Security (0)

Anonymous Coward | about 2 years ago | (#37456928)

Kinda useless without security layer like SSL.

Re:Needs Security (1)

hedwards (940851) | about 2 years ago | (#37457050)

Indeed. The main alternative to this is TFTP and SSH, and that isn't secured either as you have to load and boot the image before SSH gets into the picture. Which is understandable, but at this point in history, you really shouldn't be doing these things over a network without some security in place. Even a supposedly secured network can be infiltrated if it's valuable enough.

And this is definitely not going to be worth using over the internet unless one has a means of ensuring a secured connection between the two points.

Re:Needs Security (1)

X0563511 (793323) | about 2 years ago | (#37457372)

This is assuming you're stupid and use it over an untrusted network.

BMCs and such generally talk over a protected VPN and are not general access. These are the same LANs that allow you to telnet to APC controllers and fiddle with power outlets.

Re:Needs Security (0)

Anonymous Coward | about 2 years ago | (#37457540)

There is no secure network. None of those devices should accept unsigned input from remote sources. Telnet to control power outlets? WTF? Will people never learn? Are Windows worms on the control network of a nuclear facility not enough to wake you up?

Re:Needs Security (1)

X0563511 (793323) | about 2 years ago | (#37458036)

Only if you're stupid (again) and have Windows on said secure network. Here's a hint - you can only get to it through (non Windows!) trusted (read: secured and audited) machines, and only management devices reside upon it.

UltraVNC? (0)

Anonymous Coward | about 2 years ago | (#37456944)

Can we get this using UltraVNC and not RealVNC? The half screen size feature is nice and RealVNC does not support this.

Re:UltraVNC? (2)

l_bratch (865693) | about 2 years ago | (#37457418)

This probably just implements the standard RFB protocol, so any viewer (UltraVNC, RealVNC or whatever) can connect to it.
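
Added example (not part of the thread, and not Intel's or RealVNC's code): the RFB protocol named in the comment above opens with a version line and a list of security types, and a server that offers type 1 ("None") accepts connections with no password at all. This sketch parses the server-to-client bytes of that opening exchange as laid out in RFC 6143; the three byte strings are constructed samples, not captures from any real device.

```python
import struct

# Security-type numbers as listed in RFC 6143 and its registry.
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 18: "TLS", 19: "VeNCrypt"}


def _read_reason(buf: bytes) -> str:
    """Read the U32-length-prefixed reason string a server sends when it refuses."""
    if len(buf) < 4:
        raise ValueError("truncated reason length")
    (length,) = struct.unpack(">I", buf[:4])
    if len(buf) < 4 + length:
        raise ValueError("truncated reason string")
    return buf[4:4 + length].decode("latin-1")


def parse_server_handshake(stream: bytes) -> dict:
    """Parse the bytes a server sends at the start of an RFB session.

    `stream` is the server-to-client data only: the 12-byte ProtocolVersion
    message ("RFB xxx.yyy\\n") followed by the security handshake.
    """
    if (len(stream) < 12 or stream[:4] != b"RFB " or stream[7:8] != b"."
            or stream[11:12] != b"\n"):
        raise ValueError("not an RFB ProtocolVersion message")
    if not (stream[4:7].isdigit() and stream[8:11].isdigit()):
        raise ValueError("non-numeric RFB version")
    major, minor = int(stream[4:7]), int(stream[8:11])

    body = stream[12:]
    offered, reason = [], None
    if (major, minor) >= (3, 7):
        # 3.7 and later: U8 count, then that many U8 security types.
        if not body:
            raise ValueError("missing security-type count")
        count = body[0]
        if count == 0:
            reason = _read_reason(body[1:])  # server refused the connection
        else:
            if len(body) < 1 + count:
                raise ValueError("truncated security-type list")
            offered = list(body[1:1 + count])
    else:
        # 3.3: the server dictates a single type as a U32.
        if len(body) < 4:
            raise ValueError("truncated security type")
        (chosen,) = struct.unpack(">I", body[:4])
        if chosen == 0:
            reason = _read_reason(body[4:])
        else:
            offered = [chosen]

    return {
        "version": f"{major}.{minor}",
        "offered": offered,
        "names": [SECURITY_TYPES.get(t, f"unknown({t})") for t in offered],
        "unauthenticated": 1 in offered,  # type 1 means no password is asked for
        "refused": reason,
    }


# Constructed sample streams (not captured from any real server).
OPEN_38 = b"RFB 003.008\n" + bytes([2, 1, 2])          # offers None and VNC auth
AUTH_33 = b"RFB 003.003\n" + struct.pack(">I", 2)      # dictates VNC auth
_REASON = b"Too many attempts"
REFUSED_38 = b"RFB 003.008\n\x00" + struct.pack(">I", len(_REASON)) + _REASON

if __name__ == "__main__":
    for label, sample in (("open", OPEN_38), ("auth", AUTH_33), ("refused", REFUSED_38)):
        print(label, parse_server_handshake(sample))
```
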

Yeah, just great... (1)

Rosco P. Coltrane (209368) | about 2 years ago | (#37456964)

Using VNC, one can now power down, power up, reboot, go into the BIOS, mount disk images on the network

... watch what your employees are doing,

Re:Yeah, just great... (0)

Anonymous Coward | about 2 years ago | (#37457124)

Well if it's like the vPro KVM that's already in many Intel chipsets, it'll put a warning color band around the display when someone is viewing it remotely.

Re:Yeah, just great... (1)

spire3661 (1038968) | about 2 years ago | (#37457532)

I always find it cute when I remote into a person's comp and they get all indignant like I'm invading their privacy.

Wrong priorities (0)

Anonymous Coward | about 2 years ago | (#37456992)

Most BIOS interfaces are still actual text interfaces or simply text interfaces converted to pseudo-windows graphics. Anything a BIOS does can easily be controlled with a keyboard and a text screen. How about implementing an SSH server instead of the unencrypted VNC protocol? Enter the admins' public keys, then protect key storage and BIOS flashability with a DIP switch or a jumper. While you're at it, extend PXE so that it can verify cryptographic signatures against public keys in flash memory.

Finally! (2)

jackb_guppy (204733) | about 2 years ago | (#37457000)

I suggested this and other ways of using VNC embedded hardware like this years ago. It will be great to have keyboard, mouse, video - hope they also add virtual CD/DVD or USB to get the machine loaded remotely.

It is a shame that it may be too late with VBLOCK and ESX system taking hold.

Re:Finally! (1)

organgtool (966989) | about 2 years ago | (#37457346)

Agreed! I've been waiting decades for a technology that will open up my hardware configurations to anyone on the internet capable of hacking it. I hope it can flash the firmware too!

Re:Finally! (2)

asdfghjklqwertyuiop (649296) | about 2 years ago | (#37457528)

Why have you been waiting so long? If you've wanted to set up your servers incompetently this way it's been possible for decades with DRAC or ILO or LOM or IPMI... or hardware serial consoles for longer than there's been an Internet.

Re:Finally! (0)

Anonymous Coward | about 2 years ago | (#37457570)

the security is great and it's not like you can connect to an arbitrary sniffed tcp port from the internet. Read into IPMI and AMT basics.

Re:Finally! (0)

Anonymous Coward | about 2 years ago | (#37457998)

the security is great and it's not like you can connect to an arbitrary sniffed tcp port from the internet.

Actually... yes you can! You should probably read up on IPMI exploits. Intel's AMT has vectors for doing some particularly interesting things with the system's UUID. You can however turn off AMT, as I am sure you will be able to do with VNC.

Re:Finally! (0)

Anonymous Coward | about 2 years ago | (#37457530)

"It will be great to have keyboard, mouse, video - hope they also add virtual CD/DVD or USB to get the machine loaded"
Virtual CD was added recently.

Orwell would be proud (0)

Anonymous Coward | about 2 years ago | (#37457008)

I just about guarantee there will be backdoors built in so that the "Nanny State" can view any screen at any time. Combine this with IPv6 giving each device an Internet accessible IP address. How sad.

Re:Orwell would be proud (0)

RightSaidFred99 (874576) | about 2 years ago | (#37458358)

God, stick a fucking sock in it. Here's a clue: Turn it off if the same ideas that make you wear an aluminum foil hat make you paranoid that the Man is watching your every move.

Desktops finally get IPMI like (1)

silas_moeckel (234313) | about 2 years ago | (#37457048)

Looks like about what we have had for years on server gear. I do hope you can disable that 6 digit key bit (making it worthless for servers and off hours). Has this not been around since version 6 and they are on version 8 now?

Intel have been pushing this for years (1)

jimicus (737525) | about 2 years ago | (#37457072)

Or at least something very like it - vPro [wikipedia.org].

While IPMI is well-established on the server, so far no form of BIOS-level remote control seems to be doing particularly well on the desktop. It's damn difficult to find definitive statements from any major OEM concerning which lines support it, there's a plethora of versions with varying levels of sophistication, some of which require proprietary software in order to use.

That in itself isn't the end of the world, but even tracking down suitable proprietary software can be like pulling teeth!

Myself, I think that the majority of companies being targeted with this are the huge organisations with offices and staff everywhere - but they tackled the problem 10 years or more ago, they've got a whole stack of solutions and processes already in place and so something which doesn't really bring anything particularly useful to the table isn't all that interesting.

This isn't new... (0)

Anonymous Coward | about 2 years ago | (#37457104)

Dell, HP, IBM & others have similar remote KVM solutions for their servers.

Not sure about all of them, but in Dell's case they wrap the whole VNC connection in SSL first.

Re:This isn't new... (1)

wagnerrp (1305589) | about 2 years ago | (#37457328)

Except this is new, and retarded. A full IP-KVM solution makes sense. It allows you to actually connect to and use the PC remotely without any additional software needed. That is not what this is. This is taking the graphical UEFI configuration utility, rendering it, compressing it, and sending that over VNC. You can only access the configuration utility, and not the local terminal. Rather than use a sensible mechanism of remote configuration, like an SSH or web application, they chose VNC.

SSH? (2)

Kagetsuki (1620613) | about 2 years ago | (#37457114)

Why VNC? Why not SSH?

By the way this was on SGI workstations and it was awesome. I still remember the first time I went into the SGI BIOS setup only to be greeted with a shell. That blew my mind.

Re:SSH? (2)

wagnerrp (1305589) | about 2 years ago | (#37457292)

Agreed. VNC just seems like a stupid choice for such a system. VNC, Citrix, Windows Terminal Services, Remote Desktop... all of these things only exist as a crutch to allow remote use of programs not designed for remote operation. If you are designing the application from scratch, why not design it for remote use in the first place? Use a terminal or curses application. Use an embedded web server and a javascript application. Do something that actually makes sense rather than render a 2D interface, and then compress it for display over VNC.

Re:SSH? (3, Insightful)

silas_moeckel (234313) | about 2 years ago | (#37457412)

Because it's not adding a new interface it's connecting to the existing one. You want a tech to be able to correct say broken nic drivers. It's not meant for application sharing etc.

Re:SSH? (0)

Anonymous Coward | about 2 years ago | (#37458556)

Yes, I'm being a pain in the ass with this. I think NIC drivers are a great example of something that might need correcting...but how would you connect to the machine if its NIC driver is fubar?

Requisite car analogy: if your car won't start, you can't exactly drive it to the parts store to buy a new starter.

Re:SSH? (1)

wagnerrp (1305589) | about 2 years ago | (#37458874)

But the fancy graphical interface IS a new one, and you only have access to the fancy new graphical BIOS configuration utility. If it were the age old BIOS configuration utility, you would have no problem pumping that over a telnet or SSH terminal. It's not like you have meaningful access to the OS installed on the system such that you could tinker with the system or replace drivers.

Re:SSH? (0)

IGnatius T Foobar (4328) | about 2 years ago | (#37457538)

You're correct about that, but the reason it's still done is because of this annoying little program called "Microsoft Windows" which a lot of people refuse to stop using even though it's been proven to be a horrendously bad design.

Re:SSH? (0)

Anonymous Coward | about 2 years ago | (#37457816)

Why VNC? Why not SSH?

For Windows "servers".

Re:SSH? (1)

nine-times (778537) | about 2 years ago | (#37458202)

Because what are you going to SSH into? The BIOS? Great, now you can change BIOS settings, and the whole system is completely useless once you boot your OS. Or are you going to SSH into your OS? Well first, that's no good for Windows, and second, we've already had remote logins on the OS level for a long time.

Sorry, but the value in something like this is to be able to see what's being displayed on the screen, regardless of what kind of output it is, and then to be able to use input devices (keyboard and mouse) for a total remote-access and remote-admin solution. VNC accomplishes that. SSH does not.

Re:SSH? (1)

TheGratefulNet (143330) | about 2 years ago | (#37458214)

if you've used vnc, you would not have to ask this.

I've been a vnc user for over a decade, now. ALL my home systems are vnc based. the noisy-room servers all are up 7x24 and usually run freebsd or linux. the clients are noiseless (ideally) things that boot up and I run vncviewer as soon as I get a term window inside a graphic screen. the o/s is a life-support system for vnc. vnc IS the killer app.

sadly, I find that vnc over win (7 or xp) is the best overall client. the video drivers are fast, usually stable and easier to deal with than linux. suspend and resume also works well on windows; often better than linux.

so, unix for the backend; but win+vnc_client for the viewer side of things. love this combo. I can walk up to any station in the house and get the same 'persistent desktop'. usually my desktops stay up half a year or more (server reboot based). my web sessions are all unix based and served over vnc.

I would not run video over vnc, but I never intend to do that anyway.

ssh has its place; but ssh is a transport for things, it's not an end-all application. vnc is still a transport, of sorts, but it transports my whole *desktop*. like 'screen' but for graphics.

I'll buy some of those motherboards and replace my clients that boot from ssd. I'd LOVE to get rid of all of that and simply boot from bios into vnc-client. that would be GREAT if it really does work and lets me eliminate all my client os installs!

count me in as one who would re-buy systems because of this.

Re:SSH? (0)

Anonymous Coward | about 2 years ago | (#37458440)

With the exception that you prefer running the VNC client under Windows, I'd recommend PXE booting the clients. Using PXE, you'd require absolutely no storage devices on the client end. In fact, you could even have a web browser via PXE. http://www.thinstation.org/

Lions, Tigers, and Securom. (0)

Anonymous Coward | about 2 years ago | (#37457250)

Entertainment companies will make the first best use of it. Browser, Flash, and now BIOS cookies. Tada!

The BIOS needs to die (1)

Anonymous Coward | about 2 years ago | (#37457284)

Hey, that's great Intel. But, when can we get off the shelf motherboards with an EFI [wikipedia.org] instead of a legacy BIOS? What's the hold up?

Re:The BIOS needs to die (0)

Anonymous Coward | about 2 years ago | (#37458390)

I built a Sandy Bridge PC this spring that had an EFI motherboard. My understanding without doing any research (valuable, huh?) is that most new motherboards for Intel are this way.

DHCP? Huh? (0)

vlm (69642) | about 2 years ago | (#37457322)

Using VNC, one can now ... power up,

Before I VNC in to power up the box, I need DHCP running so I have an IP address to connect to. No problemo, I'll just power up the box to get a DHCP address before I power up the box to power up the box. It's turtles all the way down.

What I'm worried about is:

1) It's not going to be "open standard VNC" but some weird kluge that operates strictly on layer 2 and requires "special" probably Windows-only software, that at least doesn't require IP to work.

2) Or, to have the VNC interface not interfere with the "real" LAN card, it'll have two interfaces, either via VLAN which will invariably be messed up, or two phy interfaces, which will invariably be swapped and double my buildout costs. Or the extreme hackery of the lan port means it'll be one version of windows only hardware, never to be used on a different version of windows or linux or anything else; a "win-lancard".

3) To protect me from the latest windows worm that locks people out of their bios using this tech, my ISP will "save me" by blocking all standard port VNC traffic and any traffic analysis VNC traffic on alternate ports. Thanks guys, for removing VNC from the list of usable software. I feel so much better now.

4) Many non-technical users are going to get scammed by brightly flashing internet ads advertising security and safety at a cost for this. Right next to the equally snake oil "your computer is broadcasting your ip address" ads.

Re:DHCP? Huh? (0)

Anonymous Coward | about 2 years ago | (#37458226)

Using VNC, one can now ... power up,

Before I VNC in to power up the box, I need DHCP running so I have an IP address to connect to. No problemo, I'll just power up the box to get a DHCP address before I power up the box to power up the box.

DRAC and BMC cards have been able to do this for years - you can very easily set IP information for the controller, DHCP, static, or otherwise. This wouldn't work terribly differently than DRAC/BMC/ILO cards work right now, as they work completely independently of the rest of the system and guest OS.

Re:DHCP? Huh? (1)

nabsltd (1313397) | about 2 years ago | (#37458352)

Before I VNC in to power up the box, I need DHCP running so I have an IP address to connect to. No problemo, I'll just power up the box to get a DHCP address before I power up the box to power up the box. It's turtles all the way down.

I suspect that like IPMI, if you enable this new system, then as long as the "big red switch" is on (i.e., the motherboard is getting the power it would need to respond to the momentary "power on" switch), then the network card will also be powered and able to send and receive.

The real trick is the very first time power on...if this new feature is set to "on" by default, and the NIC is set to use DHCP, then you can just drop ship new systems to wherever they are needed and then start the remote configure. Of course, that would be a really bad default, as the security holes it opens are profound. Imagine a company that doesn't use this feature, but doesn't disable it correctly...any internal hacker could then "watch" the initial OS install, and possibly be given remote admin access, allowing them to trojan the machine.

Re:DHCP? Huh? (1)

smbarbour (893880) | about 2 years ago | (#37458492)

Using VNC, one can now ... power up,

Before I VNC in to power up the box, I need DHCP running so I have an IP address to connect to. No problemo, I'll just power up the box to get a DHCP address before I power up the box to power up the box. It's turtles all the way down.

I'll take it you've never heard of Wake-on-LAN. Third-party services such as LogMeIn actually can turn on remote machines as long as there is another computer on the network with LogMeIn installed. That doesn't even require an IP address. It's a packet addressed to the MAC of the NIC (which is why the originating packet needs to be on the same network).

So... (0)

Anonymous Coward | about 2 years ago | (#37457360)

It's doing exactly what an IBM BladeCentre MM has been doing for over a decade?

Exciting... Hopefully they won't limit you to Java VNC like IBM.

Let's hope AMD does what? (1)

erroneus (253617) | about 2 years ago | (#37457374)

Uhm... Patents? Software Patents? Who wants to bet there are dozens of patents on this technology already applied for by Intel? We already know VNC's patents, but not when you add "in the BIOS" to the end of it.

Big boon to the Enterprise... (1)

MrWin2kMan (918702) | about 2 years ago | (#37457536)

This will be very useful in the Enterprise space, with no need to resort to HP iLO or Dell's DRAC, or IBM's management processor.

Not really.. (1)

Junta (36770) | about 2 years ago | (#37458778)

Currently, they have this tied to AMT. That only works with a pure Intel implementation (integrated Intel NIC, chipset, etc). AFAIK, it's even *specifically* only the 'desktop' chipsets that bother putting in the bits. So your EP/EN/EX platforms are not invited to the party at all, even *if* your vendor didn't put Emulex or Broadcom down. They specifically segmented this off as 'desktop/laptop', and said 'IPMI' is the server equivalent (which covers most of the base capabilities, but omits KVM and has delegated that to proprietary extensions, as real men need nothing more than Serial (even Windows admins)).

This scares the living Bejezus outta me (1)

dayton967 (647640) | about 2 years ago | (#37457708)

VNC is not the pinnacle of security to begin with; unless they changed it, the default password limitation in VNC used to be at least only 8 characters. And if they haven't, it just gives a much easier method of compromising a system.
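The 8-character limit raised in the comment above, as an added example that is not part of the thread or any vendor's code: it models classic VNC Authentication (RFB security type 2, RFC 6143), where the password is cut or padded to an 8-byte DES key, and groups passwords that the scheme cannot tell apart. The Latin-1 encoding and the sample passwords are assumptions; the page does not say which scheme the BIOS-level implementation uses.

```python
import math

def vnc_des_key(password: str) -> bytes:
    """8-byte DES key that classic VNC auth derives from a password."""
    # Assumption: password bytes are Latin-1; real clients differ on encoding.
    raw = password.encode("latin-1")[:8].ljust(8, b"\x00")  # truncate, NUL-pad
    # Common implementations reverse the bit order of each byte before DES.
    return bytes(int(f"{b:08b}"[::-1], 2) for b in raw)

def effective_key(key: bytes) -> bytes:
    """DES ignores the low (parity) bit of every key byte, so mask it off."""
    return bytes(b & 0xFE for b in key)

def equivalent_groups(passwords):
    """Return groups of passwords that authenticate identically."""
    groups = {}
    for pw in passwords:
        groups.setdefault(effective_key(vnc_des_key(pw)), []).append(pw)
    return [sorted(g) for g in groups.values() if len(g) > 1]

def keyspace_bits(alphabet_size: int) -> float:
    """Upper bound on key strength: 8 characters, never above DES's 56 bits."""
    return min(56.0, 8 * math.log2(alphabet_size))

# Constructed sample passwords, for illustration only.
SAMPLE = ["Winter2011", "Winter2012", "hunter2", "caf\u00e9", "cafi"]

if __name__ == "__main__":
    for group in equivalent_groups(SAMPLE):
        print("indistinguishable:", group)
    print(f"printable ASCII keyspace: {keyspace_bits(95):.1f} bits")
```

The second group appears because the bit reversal moves each character's top bit into the DES parity position, so characters that differ only in that bit produce the same key.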

Let's hope this thing dies. (1)

nimbius (983462) | about 2 years ago | (#37457732)

RealVNC at the GPL level, which I suspect is what we're testing with, has no encryption. IPMI, which is billed as standard on most enterprise-grade servers on the other hand, comes with the option of key-based crypto.

Nice! (1)

sgt scrub (869860) | about 2 years ago | (#37457944)

Cool! I use VNC hooks for recording user sessions. Is it a full install? i.e., keystroke and pointer location code too?

OEMs won't like it... (1)

Taelron (1046946) | about 2 years ago | (#37458040)

OEMs like Dell and HP have the DRACs and ALOM "add-in" cards that they sell at various prices ranging from $99 upwards of $650. Yet Intel is talking about enabling features the OEMs are charging premiums for in the BIOS for free. This could have a backlash effect from the channel partners...

Re:OEMs won't like it... (1)

nine-times (778537) | about 2 years ago | (#37458266)

Depending on the feature set, quality, and reliability, people may still want to buy the Lights-Out add-on cards. Either way, that's the way progress works sometimes. You're making money fixing problems, and then those problems go away. I don't think that Intel's, Dell's, or HP's business will be so hurt by this that it'll cause a huge hubbub.

Re:OEMs won't like it... (1)

Junta (36770) | about 2 years ago | (#37458796)

I mentioned this elsewhere, but AMT (which this is a part of) is a non-starter in the 'server' Intel chipsets at all, and even if it were, the second they drop an Emulex or Broadcom to drive the networking, it would still become non-working.

Default=disable (1)

phorm (591458) | about 2 years ago | (#37458084)

I'm hoping that by default it's disabled and requires enabling+password to work.

However, isn't VNC an insecure protocol? Perhaps if it had a default SSL layer or something like that (I suppose then it would need an ability to update the cert as well) then it would be a safer solution.

this is new? (1)

Maglos (667167) | about 2 years ago | (#37458562)

I use this tech on a number of Lenovo desktops. It works pretty good, though I have had some reliability issues. Isn't this standard with all vPro-capable hardware? BTW this has some amazing potential when working with our India-based IT support, especially for a small company.

Very cool, but can be difficult to set up. (1)

sshambar (542567) | about 2 years ago | (#37459162)

I bought my latest server board from Intel specifically because it supports this, and it does work well -- full KVM over VNC, can boot from bios all the way to desktop regardless of the OS, it's basically exactly like sitting at the console, but you can be anywhere.

However, I had a few issues with the design:

1) Setting up encryption for VNC was a pain... I had to dig around on Intel's site to find some corporate management software before I could install an x509 certificate and connect to the encrypted port using RealVNC.

2) RealVNC Viewer Plus ($$) is required if you want the ability to have full AMT (all the cool remote disk mounting, system power control etc). Some of this you can get via the web interface though (via a different port).

Apart from the setup pains though, it's very cool tech. I was also able to perform a full GUI install of Fedora on my US server from my laptop in Norway, using an ISO file on the laptop for the install (yes, you read that correctly... you can mount a local disk file on the remote machine and the BIOS makes it appear as a local disk! But again, that required the AMT features, and RealVNC Plus :P).

The system works by intercepting IP packets on the motherboard network interface (so you must connect via that port, not just any network port), and redirects connections to a selection of ports (all configurable) to support remote management via VNC, http/https, or a few other protocols. This means you can connect in and check out the desktop at full rez even when someone's using the machine, or even work on fixing issues even through a kernel oops. Basically, as long as the network to the port stays up, you have access to full console control.
