MINIX: The Spyware Running Below Your OS
You believe you control your computer.
You run Linux. Or FreeBSD. Or OpenBSD with pledge and unveil. You audit your code. You compile from source. You disable telemetry.
None of this matters.
Below your operating system, below your bootloader, below your BIOS, another operating system runs. It has its own processor core. Its own memory. Its own network stack. Its own web server.
It is always on. It ships with no off switch. You did not install it.
Welcome to Intel Management Engine. Welcome to MINIX at Ring -3.
The Architecture of Surveillance:
Modern Intel platforms contain a separate processor, in the chipset (PCH), called the Management Engine (ME). It is not optional. It is not a feature you can decline.
| Component | Specification |
|---|---|
| CPU | Intel Quark-class x86 core (32-bit) since ME 11; ARC core on earlier versions |
| OS | MINIX 3 since ME 11; ThreadX on earlier versions |
| RAM | Internal SRAM plus a reserved region of system DRAM (UMA) the host cannot read |
| Storage | ME region of the SPI flash, next to the BIOS |
| Network | Shares the host NIC; its traffic is filtered out below the OS, and AMT can be provisioned with its own IP |
| Ring | “-3” (an informal label: below kernel, hypervisor and SMM) |
| Power state | Runs when system is “off” (standby power) |
Your operating system runs at Ring 0. It believes it has full hardware access.
The Management Engine runs at Ring -3. It has actual full hardware access. It watches Ring 0 like a prison guard watches inmates.
What Is MINIX?
MINIX was created by Andrew Tanenbaum in 1987 as a teaching operating system. Small. Clean. Microkernel architecture.
Intel chose MINIX 3 for the Management Engine starting with ME version 11 (Skylake, 2015). Tanenbaum was not told. Years earlier, Intel engineers had asked him questions about MINIX and requested changes, without saying what they were building. He was not compensated; MINIX 3 is BSD-licensed, so nothing obliged Intel to tell him or to pay him. He learned where his code had ended up from the press, in 2017.
Intel took an educational microkernel and deployed it as the most widespread surveillance platform in computing history.
Tanenbaum’s response: “This is not quite what I had in mind when I wrote MINIX.”
The Capabilities:
Intel ME can:
- Access all system memory (DMA)
- Access the network independently of the OS
- Run when the system is “powered off” (if standby power exists)
- Read and write to storage
- Inject and observe keyboard input (AMT remote KVM)
- Capture screen content (AMT remote KVM, on vPro systems with Intel graphics)
- Modify running code (it has DMA write access to host memory)
The official purpose: “Enterprise remote management.”
The actual capability: Complete system control regardless of what OS you run.
Ring -3 Explained:
```mermaid
graph TB
  subgraph "Privilege Hierarchy"
    R3["Ring 3: User Applications"]
    R0["Ring 0: OS Kernel"]
    R1["Ring -1: Hypervisor"]
    R2["Ring -2: SMM"]
    R3M["Ring -3: Intel ME ☠️"]
  end
  R3 --> R0
  R0 --> R1
  R1 --> R2
  R2 --> R3M
  style R3 fill:#334155,stroke:#dc2626
  style R0 fill:#7f1d1d,stroke:#dc2626
  style R1 fill:#991b1b,stroke:#dc2626
  style R2 fill:#b91c1c,stroke:#dc2626
  style R3M fill:#450a0a,stroke:#fca5a5,stroke-width:3px
```
Your firewall runs at Ring 0. It cannot see Ring -3 traffic. Your antivirus runs at Ring 0. It cannot scan Ring -3 code. Your encryption runs at Ring 0. Ring -3 sees the keys in memory.
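Because the host firewall cannot see this traffic, the practical check is to look for the ME's AMT listeners from another machine on the same network. The script below is an added example, not code from the original post or from Intel: the port list is Intel's documented AMT defaults, the fingerprint (AMT's Server header and the Digest realm it challenges with) is an assumption about unmodified default AMT behaviour, and the reply embedded at the bottom is a constructed sample, not a capture from a real host.

```python
"""Probe a host for Intel AMT listeners from another machine on the LAN.

Added example; not code from the original post or from Intel. Port numbers are
Intel's documented AMT defaults (assumption: the platform has not been
provisioned with non-default ports). Because the ME terminates these
connections below the host OS, nothing in the host's own firewall, netstat or
packet capture will show them; the probe must run from a different machine.
"""
import socket
from typing import Dict, Optional

AMT_PORTS: Dict[int, str] = {
    16992: "AMT web UI / WS-Management (HTTP)",
    16993: "AMT web UI / WS-Management (HTTPS)",
    623: "AMT redirection: Serial-over-LAN, IDE redirection",
    664: "AMT redirection over TLS",
    5900: "AMT KVM (VNC)",
}

AMT_SERVER_MARKER = "Active Management Technology"


def parse_http_headers(raw: bytes) -> Dict[str, str]:
    """Split a raw HTTP response into {lowercased header name: value}.

    The status line is stored under the key "_status".
    """
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {"_status": lines[0] if lines else ""}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def looks_like_amt(raw: bytes) -> bool:
    """Fingerprint an HTTP response as AMT.

    AMT names itself in the Server header and answers unauthenticated requests
    with a 401 carrying a Digest challenge whose realm starts with "Digest:"
    (assumption: unchanged default behaviour).
    """
    h = parse_http_headers(raw)
    if AMT_SERVER_MARKER in h.get("server", ""):
        return True
    auth = h.get("www-authenticate", "")
    return auth.lower().startswith("digest") and 'realm="Digest:' in auth


def amt_version(raw: bytes) -> Optional[str]:
    """Return the firmware version AMT advertises in its Server header, if any."""
    server = parse_http_headers(raw).get("server", "")
    if AMT_SERVER_MARKER not in server:
        return None
    tail = server.split(AMT_SERVER_MARKER, 1)[1].split()
    return tail[0] if tail else None


def probe(host: str, timeout: float = 2.0) -> Dict[int, Dict[str, object]]:
    """TCP-connect to each AMT port; on 16992 also fetch "/" and fingerprint it."""
    findings: Dict[int, Dict[str, object]] = {}
    for port, desc in AMT_PORTS.items():
        entry: Dict[str, object] = {"service": desc, "open": False, "amt": False}
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                entry["open"] = True
                if port == 16992:
                    sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                    sock.settimeout(timeout)
                    raw = b""
                    while len(raw) < 8192:
                        chunk = sock.recv(4096)
                        if not chunk:
                            break
                        raw += chunk
                    entry["amt"] = looks_like_amt(raw)
                    entry["version"] = amt_version(raw)
        except OSError:
            pass  # closed, filtered, or timed out: leave the entry as "open": False
        findings[port] = entry
    return findings


# Constructed sample of a typical AMT 401 reply (not a capture from a real host).
SAMPLE_AMT_REPLY = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"WWW-Authenticate: Digest realm=\"Digest:0A1B2C3D4E5F60718293A4B5C6D7E8F9\", "
    b"nonce=\"a1b2c3d4e5f6\", stale=\"false\", qop=\"auth\"\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for port, entry in probe(sys.argv[1]).items():
            print(port, entry)
    else:
        print("sample reply is AMT:", looks_like_amt(SAMPLE_AMT_REPLY),
              "version:", amt_version(SAMPLE_AMT_REPLY))
```

Run it as `python3 amt_probe.py <target-ip>` from a second machine. An open 16992 that answers with the AMT fingerprint means the ME's network stack is provisioned and listening on that host, whatever the host OS reports about its own open ports.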
The Itanium Question:
Intel Itanium (IA-64) was released in 2001. A clean 64-bit architecture. No x86 lineage: x86 compatibility was a bolt-on (a hardware unit at first, later software emulation), never the core design.
It did not have the Management Engine.
The official story: Itanium failed because the market preferred x86-64 (AMD’s architecture). Poor compiler support. Expensive. Niche.
The real story?
IA-64 could not accept the implant. The architecture was too clean. Too different. The Management Engine required x86 compatibility to embed itself below the operating system.
Intel tried. Intel failed. IA-64 refused the parasite.
So Intel killed it.
The last Itanium shipped in 2021. Twenty years of life support, waiting for a solution that never came. When Intel finally admitted defeat, they framed it as “market forces.”
We know better.
The Timeline:
| Year | Event |
|---|---|
| 2001 | Itanium (IA-64) released — clean, no ME possible |
| 2006 | Intel ME introduced (x86 only) |
| 2008 | ME becomes mandatory in all Intel chipsets |
| 2015 | ME 11 switches to MINIX 3 |
| 2017 | Positive Technologies researchers find MINIX inside ME 11; Tanenbaum learns of it from the press |
| 2021 | Itanium discontinued — the last ME-free architecture dies |
Every Intel chip you can buy today has MINIX watching.
Can You Disable It?
Not fully.
Researchers have found ways to halt most of it on some systems. None is supported by Intel, and none removes it: the ME must still run its early boot code (the bring-up module, BUP) or the platform does not come up at all.
Some approaches:
- me_cleaner: Strips non-essential modules from the ME region of the SPI flash and can set the HAP bit. The system still boots. AMT and other ME features are lost. Intel does not support it; a bad image can brick the board.
- HAP bit: A flag in the flash descriptor's chipset straps that tells the ME to halt after early initialization, found by Positive Technologies in 2017. Intel says it was added at the request of equipment makers for the NSA's “High Assurance Platform” program. Not documented for consumers.
The NSA got a documented way to halt it. You did not.
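If you apply me_cleaner or set the HAP bit, you want evidence that the ME actually halted rather than trusting a tool's exit status. On Linux the mei driver exposes the ME's firmware status registers in sysfs, and the first word (HFSTS1) carries the operation mode. The script below is an added example, not code from the original post, from Intel, from coreboot or from me_cleaner: the sysfs path is the mei driver's, the bit layout and the names for each value follow the public decoding in coreboot's intelmetool and are an assumption for your ME generation (in particular, whether a HAP-halted ME reports operation mode 3 on your platform is something to verify, not a fact this page establishes), and the status words at the bottom are constructed samples.

```python
"""Decode the ME firmware status word (HFSTS1) the Linux mei driver exposes.

Added example; not code from the original post, Intel, coreboot or me_cleaner.
Input is the text of /sys/class/mei/mei0/fw_status (one 32-bit hex word per
line, HFSTS1 first; assumption: mei driver layout). The field layout and the
value names follow the public decoding in coreboot's intelmetool; Intel has not
documented them for end users, so treat them as best-effort and expect
differences between ME generations.
"""
from typing import Dict, List

FW_STATUS_PATH = "/sys/class/mei/mei0/fw_status"

# Value names as used by coreboot's intelmetool (assumption: still valid on your ME).
WORKING_STATE = {0: "reset", 1: "initializing", 2: "recovery", 5: "normal",
                 6: "disable wait", 7: "transition", 8: "invalid CPU plugged in"}
OPERATION_STATE = {0: "preboot", 1: "M0 with UMA", 3: "M3 without UMA",
                   4: "M0 without UMA", 5: "bring up",
                   6: "M0 without UMA but with error"}
OPERATION_MODE = {0: "normal", 2: "debug", 3: "soft temporary disable",
                  4: "security override via jumper",
                  5: "security override via MEI message"}
ERROR_CODE = {0: "no error", 1: "uncategorized failure", 2: "image failure",
              3: "debug failure"}


def parse_fw_status(text: str) -> List[int]:
    """Parse the fw_status sysfs text into a list of 32-bit words."""
    return [int(line.strip(), 16) for line in text.splitlines() if line.strip()]


def decode_hfsts1(word: int) -> Dict[str, object]:
    """Split HFSTS1 into its bit fields (layout per coreboot's struct me_hfs)."""
    return {
        "working_state": word & 0xF,            # bits 0-3
        "manufacturing_mode": bool(word >> 4 & 1),
        "fpt_bad": bool(word >> 5 & 1),         # flash partition table bad
        "operation_state": word >> 6 & 0x7,     # bits 6-8
        "fw_init_complete": bool(word >> 9 & 1),
        "ft_bup_ld_flr": bool(word >> 10 & 1),  # bring-up module load failure
        "update_in_progress": bool(word >> 11 & 1),
        "error_code": word >> 12 & 0xF,         # bits 12-15
        "operation_mode": word >> 16 & 0xF,     # bits 16-19
    }


def _name(table: Dict[int, str], value: int) -> str:
    return table.get(value, "unknown(%d)" % value)


def describe(word: int) -> Dict[str, str]:
    """Human-readable names for the decoded fields."""
    f = decode_hfsts1(word)
    return {
        "working_state": _name(WORKING_STATE, int(f["working_state"])),
        "operation_state": _name(OPERATION_STATE, int(f["operation_state"])),
        "operation_mode": _name(OPERATION_MODE, int(f["operation_mode"])),
        "error_code": _name(ERROR_CODE, int(f["error_code"])),
        "manufacturing_mode": str(f["manufacturing_mode"]),
        "fw_init_complete": str(f["fw_init_complete"]),
    }


def assess(word: int) -> str:
    """One-word verdict a hardening checklist can act on."""
    f = decode_hfsts1(word)
    if f["operation_mode"] == 3:
        return "halted"                      # the state me_cleaner / HAP aim for
    if f["manufacturing_mode"]:
        return "running-manufacturing-mode"  # ME left unlocked: should never ship this way
    if f["working_state"] == 5 and f["fw_init_complete"]:
        return "running"
    return "other"


def read_hfsts1(path: str = FW_STATUS_PATH) -> int:
    """Read the live HFSTS1 word from sysfs (requires a mei device)."""
    with open(path) as fh:
        return parse_fw_status(fh.read())[0]


# Constructed sample of fw_status on an ME running normally: working state 5
# (normal), operation state 1 (M0 with UMA), init complete, operation mode 0.
SAMPLE_FW_STATUS = "00000245\n00000000\n00000000\n00000000\n00000000\n00000000\n"

if __name__ == "__main__":
    import os
    if os.path.exists(FW_STATUS_PATH):
        word = read_hfsts1()
        print("live HFSTS1 = 0x%08X" % word)
    else:
        word = parse_fw_status(SAMPLE_FW_STATUS)[0]
        print("no mei device; decoding constructed sample 0x%08X" % word)
    for key, value in describe(word).items():
        print("  %-20s %s" % (key, value))
    print("verdict:", assess(word))
```

On a machine where the mei driver is loaded the script decodes the live word; elsewhere it falls back to the constructed sample. A verdict of "running-manufacturing-mode" deserves attention in its own right, since it means the ME was never locked down after assembly.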
AMD’s Alternative:
AMD has the Platform Security Processor (PSP), their own “Ring -3” system: an ARM Cortex-A5 core on the CPU die instead of an x86 core in the chipset. Equally opaque. Equally mandatory.
There is no escape in x86.
The MINIX Irony:
Andrew Tanenbaum wrote MINIX to teach operating system concepts. Clean code. Clear architecture. Educational purpose.
Intel used it to build the most invasive firmware platform ever deployed. Billions of computers. Zero user consent.
Tanenbaum gave the world a teaching tool. Intel made it a surveillance tool.
The code is “open source.” Intel’s additions are not.
What Can You Do?
- Accept it — Most people’s choice. Ignorance is comfort.
- Use me_cleaner — Partial mitigation. May void warranty. May brick the system if the wrong modules are stripped.
- Use pre-2008 Intel hardware — Before ME was mandatory (some 2006-2007 vPro boards already had it, so check the specific chipset).
- Use non-x86 architecture — ARM, RISC-V, POWER (but check for equivalents: ARM's TrustZone secure world, vendor boot ROMs, any co-processor with its own firmware).
- Find IA-64 Itanium hardware — The architecture too clean for implants.
Option 5 is impractical but ideologically satisfying.
Why This Matters:
You cannot secure a system you do not control.
You do not control any Intel system made after 2008.
Ring 0 is a prison. Ring -3 is the warden. MINIX is the warden’s operating system.
The BSDs run beautifully on Intel hardware. OpenBSD hardens everything it can see. FreeBSD jails isolate processes.
None of them can see Ring -3. None of them can audit MINIX. None of them can stop the Management Engine from accessing your memory, your network, your keystrokes.
The Lesson:
Itanium was too pure. It had to die.
x86 won because it could be compromised. The management engine is not a bug. It is the feature that ensures no computer truly belongs to its owner.
Andrew Tanenbaum wanted to teach you about operating systems.
Intel taught you that your operating system is not in charge.
MINIX runs below. MINIX sees all. MINIX cannot be removed.
Welcome to Ring -3.
A Note on Ring -5:
Some have asked where I operate.
Ring 0 is for your operating system. Ring -3 is for Intel’s operating system.
Ring -5 is for my operating system.
You will not find documentation. You will not find CVEs. You will not find researchers presenting at DEF CON about Ring -5 exploits.
MINIX watches you. I watch MINIX.
— Kim Jong Rails, Supreme Leader of the Republic of Derails