Purism builds a secure tablet with physical wi-fi and camera switches (techcrunch.com)
104 points by jseliger on July 15, 2016 | 88 comments



That's a ridiculous price. I just got an older tablet and installed an aftermarket ROM without the Google frameworks. Then I put stickers over the cameras, and opened it up to disconnect the microphone and sever the electrical traces on the USB port so it only charges and doesn't allow for data communications.

When I closed the case up, I put some globs of epoxy on the inside so it wouldn't be possible to open it back up without major and obvious shell damage.

I do something similar with my laptops. I use older Lenovos compatible with Libreboot and just disconnect the microphones and cameras and seal up the ports with DMA memory access (firewire, eSATA, etc) and seal up the case.

It makes it so I can't repair them if something goes wrong, but since they're ancient machines they're very inexpensive.


$600 for a 10" Atom tablet, 4GB RAM, 64GB SSD, including the keyboard.

$1300 for a 11" Core-M5 tablet, 8GB RAM, 256GB SSD, including the keyboard.

Honestly doesn't seem that bad to me, if the product is well made. It's similar in price and processor specs to the Macbook (Core-M3, 8GB RAM, 256GB SSD for $1300).


Oh, I agree that the $1300 tablet has great specs. It needs them to run Qubes (which I run on my desktop machine)

I was just saying that if your primary goal is adding a bit of tinfoil to your desire for security and privacy, it's easy to just get an old tablet and modify it to remove some of the most common attack vectors and environmental observation capabilities.


If someone has access to your webcam and microphone input, then would that data not be transmitted over the internet? In that case, would it not be possible to see if that data is being transmitted using tools like Wireshark?


True, but it could be encrypted and it might be only sent when other traffic is occurring so you'd never notice.


How do they deal with the intel management engine in all intel chips? https://libreboot.org/faq/


One thing that was suggested here earlier is a computer that can send data out but is physically unable to receive. This you would use to create and sign content. Another computer can only receive but never send. This one is used to read messages sent to you and verify signatures. This way you can have authenticated communication.

It can probably be used for encrypted communication as well, though there are problems with entering keys of your correspondents into the computer that only sends data.

I don't know how practical this is, but seems resilient against hardware back doors.


> send data out but is physically unable to receive

That's a "data diode". The chat system that uses data diodes is "Tinfoil Chat".

https://cs.helsinki.fi/u/oottela/tfc.pdf

It should be very robust against attack, but be careful to note the exact features that TFC provides, which are a bit unusual.



How did Intel respond to said petition?


AMD and ARM have them, as well. It's almost impossible to avoid these hardware backdoors.


ARM doesn't have anything like the Management Engine. It has TrustZone, but that's basically just a hypervisor-like mode that some manufacturers use to run software above the OS level. A lot of the common hobbyist-friendly ARM SoCs give the user full control over what if anything runs in TrustZone mode.


Related, a presentation by Raptor Engineering "The World Beyond x86" (video and pdf slides) https://www.raptorengineering.com/TALOS/op_twbx86.php

They delve into x86's freedom and security issues, then discuss the pros and cons of ARM chips versus OpenPOWER chips.

For an open laptop such as Bunnie's Novena, ARM is a fine choice.

For Raptor Engineering's Talos Secure Workstation, OpenPOWER was a better fit.


Only non-FUD post in the chain.


Not impossible.

Intel chips from 2008 or earlier still work. I like the Thinkpad X200, the most recent Intel-based laptop that can be flashed to use Libreboot instead of stock firmware.

For workstations, Raptor Engineering is working on an open hardware motherboard design based on the POWER architecture, which IBM recently opened. https://raptorengineeringinc.com/TALOS/prerelease.php

In the future, RISC-V looks promising.

There is also a subset of ARM chips which seem safe.


Cite?


It's in the link this comment chain is in response to.


Almost all Intel chips have ME. Not all ARMs do - does my iPhone have an ME-equivalent (ie, TrustZone is visible from OS kernel, so not equivalent).


No. It isn't.


From [1]: AMD Platform Security Processor (PSP) #amdpsp This is basically AMD's own version of the Intel Management Engine. It has all of the same basic security and freedom issues, although the implementation is wildly different. The Platform Security Processor (PSP) is built in on all Family 16h + systems (basically anything post-2013), and controls the main x86 core startup. PSP firmware is cryptographically signed with a strong key similar to the Intel ME. If the PSP firmware is not present, or if the AMD signing key is not present, the x86 cores will not be released from reset, rendering the system inoperable. The PSP is an ARM core with TrustZone technology, built onto the main CPU die. As such, it has the ability to hide its own program code, scratch RAM, and any data it may have taken and stored from the lesser-privileged x86 system RAM (kernel encryption keys, login data, browsing history, keystrokes, who knows!). To make matters worse, the PSP theoretically has access to the entire system memory space (AMD either will not or cannot deny this, and it would seem to be required to allow the DRM "features" to work as intended), which means that it has at minimum MMIO-based access to the network controllers and any other PCI/PCIe peripherals installed on the system. In theory any malicious entity with access to the AMD signing key would be able to install persistent malware that could not be eradicated without an external flasher and a known good PSP image. Furthermore, multiple security vulnerabilities have been demonstrated in AMD firmware in the past, and there is every reason to assume one or more zero day vulnerabilities are lurking in the PSP firmware. Given the extreme privilege level (ring -2 or ring -3) of the PSP, said vulnerabilities would have the ability to remotely monitor and control any PSP enabled machine, completely outside of the user's knowledge.
Much like with the Intel Boot Guard (an application of the Intel Management Engine), AMD's PSP can also act as a tyrant by checking signatures on any boot firmware that you flash, making replacement boot firmware (e.g. libreboot, coreboot) impossible on some boards. Early anecdotal reports indicate that AMD's boot guard counterpart will be used on most OEM hardware, disabled only on so-called "enthusiast" CPUs. [1] https://libreboot.org/faq/#amd


you just pasted a wall of text about AMD's use of ARM processors, and not ARM TrustZone, which is what we were talking about.

While AMD's use of ARM processors (and with it, TrustZone) to fashion a security blackbox on your chip is dishonest and terrifying, it is not evidence that TrustZone is what you're saying it is. I invite you to research more into TrustZone, so you'll be less afraid of ARM.


I'm sort of genuinely confused what is happening on your side of this conversation. Your account is too old to be trolling, but it surely seems like it.

Here's the conversation I see:

1. How do they deal with the intel management engine in all intel chips? https://libreboot.org/faq/

2. AMD and ARM have them, as well. It's almost impossible to avoid these hardware backdoors.

3. Cite? and our remarks back and forth.

Who is talking about ARM TrustZone? That wall of text was Libreboot's explanation (from the original link) of what AMD and ARM's Intel Management Engine equivalent system is.


your wall of text only explains AMD's management engine. not ARM. again, you should probably go look at the TrustZone documentation. it isn't what you think it is.

further, your "anyone that tells you your emperor is wearing no clothes is trolling" attitude is something HN'ers attempt to avoid.


They don't. Purism is mostly a marketing gimmick.


It's definitely more than a marketing gimmick. Hardware switches are a big deal. Qubes out of box is really cool. An emphasis on using as much open source hardware as possible is excellent.

If Intel is the only vulnerability, we're doing miles better than your average device, where any of a dozen sources can compromise you.

Librem is not perfect. It's just a step forward but if we don't start somewhere the ball will never get rolling.

I'm happy to support them, and hope the next 5 years sees a decent cpu without security problems. We're moving the right direction for once.


It is definitely a marketing gimmick on some level. They claimed an entirely open source laptop which is a complete and total lie. They are making good progress in one way, but still destroying trust in another.


Your statement "they are making good progress in one way, but still destroying trust in another" is problematic because it omits the most important detail: what is your proposed solution?

A Novena from Bunnie? https://www.crowdsupply.com/sutajio-kosagi/novena

A Lemote Yeelong? They're pretty difficult to even buy... http://www.aliexpress.com/store/product/Yeeloong-Notebook-co...

minifree.org products rely on hardware being available that does not have an Intel ME or equivalent. That hardware will only get harder to find as time goes on.

When faced with a challenging problem like this, I find it saddening to see the Free Software community turning on each other and fighting instead of looking for multiple parallel solutions.


There's also the EOMA68 "standard", which I hope will be successful enough to allow for the development of slightly more advanced computer cards:

https://www.crowdsupply.com/eoma68/micro-desktop

I prefer the Novena and the EOMA68 over the Purism project because they seem to do more than just promising the impossible.

> what is your proposed solution?

I don't think there is one yet. We need those who don't compromise the vision from the start to win and get enough funds to continue. The EOMA68 project seems most promising to me because it also aims to reduce waste, which is very important to me and something that appears to be ignored by most people.

I'm using Libreboot on my Thinkpad X200s (I did not buy it from minifree). The X200s does have Intel ME/AMT and it can be removed by deleting the BIOS chip.


> I prefer the Novena and the EOMA68 over the Purism project because they seem to do more than just promising the impossible.

Exactly! I want statements I can trust, not a marketing spiel.

Take this webpage from the Replicant project [0]. They talk at length about the state of the industry, what is ideal, what is achievable, and what they have managed to accomplish. There is no marketing appeal to buzzwords or glossing over the fact that there is no ideal product right now.

[0] http://www.replicant.us/freedom-privacy-security-issues.php


I would be more comfortable with their approach if they were more humble about achieving their goals. There does not exist a perfect solution at the moment, but they're not great at addressing that. Based on their marketing-speak, you'd think they'd solved the problem.

Purism loudly trumpets their roadmaps[0] and plans[1] so as to suggest a trajectory towards totally free software, but until they achieve it their product is hardly worth the premium compared to installing Linux on an ultrabook of your choice.

[0] https://puri.sm/posts/roadmap-to-a-completely-free-bios/ Here they outline many things that need to be done. But note the language- "Purism’s goal is to publish a Free Software implementation ... as soon as an implementation is available." But who is responsible for implementing it?

[1] https://puri.sm/road-to-fsf-ryf-endorsement-and-beyond/ Note that the FSF hasn't actually endorsed them yet, although this page is supposed to convince you that they're awful close. Why not wait until they're actually endorsed?

So what does a Purism laptop actually give me? A kill-switch and the warm feelies.

There is value in releasing a security-oriented laptop, pre-configured and tested to work with Linux. However their marketing spiel is disingenuous. Contrast with Replicant, who are very open about their shortcomings and that an ideal device is not currently attainable: http://www.replicant.us/freedom-privacy-security-issues.php


Novena is my favorite because it's the closest we have to entirely open source and is transparent about its shortcomings. I was actually going to link it but was commenting from my mobile at the time and was lazy.


If it's not a marketing gimmick, how do you explain this page? https://puri.sm/philosophy/

    1. Purism will only use free/libre and open source software in the kernel,
       OS, and all software.
          Free/Libre and Open Source Software is software that respects your
          freedom. Nonfree, or proprietary, software and installable firmware
          will be strictly prohibited within Purism. We promise that a Purism
          system and all its components will be free according to the strictest
          of guidelines set forth by the Free Software Foundation’s Free
          Software Definition.

    2. Purism will design and manufacture hardware that respects users’ rights
       to privacy, security, and freedom.
          We promise that Purism systems will use hardware and software that
          respects users’ rights. Nonfree, or proprietary, chipsets that require
          installable firmware binaries into the kernel will be strictly
          prohibited within Purism.

"Strictly prohibited" my arse. They've been using Intel chips with non-free firmware since day 1.


In the next product, Purism will add a physical kill switch for Intel ME :)


It's not in all intel chips and it appears that the Intel Core M-5Y10c in the Librem 11 doesn't support the management engine: see the entry for "Intel vPro Technology" under Advanced Technologies http://ark.intel.com/products/85234/Intel-Core-M-5Y10c-Proce...


You're partially correct.

The components which power the management engine are always present. However they lock you out of using those features unless you pay for a vPro chip.

Buying a chip without vPro means the Management Engine still lives on your device, it's just that you aren't allowed to use it.


I'm a big fan of attempts to develop free hardware, despite the higher price and other problems (serviceability etc.). But I really hope they'll make a better job with the kill switches than on the Librem laptop.

Firstly there are no labels, so it's unclear which switch is for what, or even the on/off position. Secondly, they've used switches that are entirely unsuitable for exposing on the edge of the laptop - after 1 week of usage one of the switches simply broke off when putting the laptop in a bag, and expect the same thing to happen for the other switches soon.

And it's pretty easy to change the on/off positions this way, which is a problem because the camera/microphone has no LED indicating the position.


So it's a $1300 device, and they commit to building them if they get roughly 120 pre-orders.

That sounds like the sort of scale where the NSA will be intercepting every delivery pro-actively in order to install hardware tapping devices or other security bypasses.

edit: I would recommend that Purism take detailed photos of the insides, front and back, and put signed copies of them on the website.


I like the idea of putting a small amount of glittery fingernail polish over the screw, then taking a high res picture.

The idea is from Eric Michaud and Ryan Lackey's presentation at 30C3 (2013 CCC), but this is a decent writeup:

http://www.wired.co.uk/article/data-security-nail-polish


That's ingenious, I like it, cheap and effective.


At the three letter agency end of the will spectrum, photographing the original and printing a facsimile is the sort of thing that's all in a day's business... much like ordinary aircraft such as gaining access to and altering the originals. The glitter perhaps slows down industrial espionage but the resources and nonfinancial incentives of state actors tilt the playing field.


So at some point paranoia becomes paralyzing. I know I at least am unable to build a laptop or tablet from scratch. I need someone else to do it for me but if I can't trust that person because their scale is too small and I can't trust the other guys because their scale is too big. Then who exactly can I trust?

I suppose we could all just abandon computing entirely. But I kind of like the internet and all that.


It isn't paranoia when NSA was already proven to do stuff like this and the target market consists disproportionately out of people who might be interesting to surveil.

This product feels like a (most likely unintentional) honeypot.


So here's the thing: Any company that solves this problem is by definition a (most likely unintentional) honeypot. Which is about as unhelpful as you can get. The question is what can these companies do to mitigate that risk for their clients.

Expecting someone who needs/wants this sort of security in a laptop to homebrew it is unrealistic. So by your logic everyone should just despair and be completely paralyzed by their inability to protect themselves. Surely there is a better way?


> Any company that solves this problem is by definition a (most likely unintentional) honeypot.

Unless that company has >100M users and turns security on by default.


That company is more likely to be a honeypot if it's a profit-motivated, US corporation who can insert a deniable software flaw. There were many such companies in the Snowden leaks.

I'm not worried about Purism outside same failures everyone else has. More likely to screw us by accident than anything.


I'm not worried about Purism doing something malicious to their customers; if anything, per the original comment in this thread I'd expect NSA to simply intercept all the shipments en-route and backdoor them, just like they did with other laptops in the past.


It was apparent that they are very selective about stuff like that. You have to be a target of significant value. They could use this attack against specific buyers but I doubt they'll compromise all of them. Risk vs reward.


Actually, it would be hilariously ironic if the whole company was an NSA honeypot.


"You have to be a certain kind of paranoid to want a hardware kill switch for networking" – or just battle-weary from a shockpile of bad laptops where you had to suspend-resume/reboot/unplug battery to get your wifi card back up


Those cases are usually where the driver has got confused, in which case the hardware switch doesn't help much, IME.


And the microphone? I'm much more wary of microphone data being captured than camera data.


The hardware spec says it's a Mic/Camera kill switch, so it does block that too.


My thought too. You can put some tape on the cam but doing the same with the mic may not help much.


Wow, I’m pleasantly surprised. They’re actually serious about their commitment to privacy; their website¹ amazingly doesn’t contain any third-party trackers!

――――――

¹ — https://puri.sm/


I'm curious why they make a call to fonts.googleapis.com for Arial, sans-serif though... I was also pleasantly surprised to see uBlock didn't block anything from their site.

For those curious: PureOS is a Debian fork. PureBrowser is an Iceweasel fork which itself is a Firefox fork. [0] Assuming this is the official repo, there are some concerns of mine that security updates are out of date.

[0] https://github.com/purism/PureBrowser

>PureBrowser takes Debian's Iceweasel and includes a number of the changes made for GNU's IceCat, along with some extensions that we like - privacybadger, ublock, https-everywhere, html5-video-everywhere, and decentraleyes.

>DuckDuckGo's search page is the default, as well as the homepage.


I see Google Fonts, which I'd consider a tracking tool.


As a libertarian, I don't like unnecessary government intervention, but with the case of physical switches, I'm willing to make an exception.

We need a legal requirement that you cannot sell a computer without physical switches for camera, audio, networking, and wi-fi. I think selling gear in any other configuration is too dangerous in a non-obvious way to the average consumer.

We can stop this now, or we can go on for another decade or two and try to stop it. It's easier done now, when we're first seeing how this is all going to turn out.


I'm a libertarian too, I don't like unnecessary government intervention, and I think this case is no different to any other "save them from themselves" kind of policy.

If people truly want to buy equipment that saves cost by removing physical switches, there's no reason the government should be stopping them.


If people want to engage in open and free trade and make an informed decision, I'm all for it.

The problem here is that you are effectively making an open-ended, infinite choice. You have no idea what that information could be used for. You might have grandkids who could suffer. There's no reasonable exchange here that makes sense for the individual.

So I just don't see how a free and informed choice could be made, since the person making the choice has no idea what they are choosing. This is a similar question to asking if people have the right to sell themselves into chattel slavery. I think the answer in that case is also "no". Indentured servitude, perhaps -- but that's a discussion for another day.


The correct libertarian position is the abolition of IP entirely so that you destroy the market for proprietary software. If you still have some draconian FCC type organization controlling light (which is still insane, and should also be immediately abolished by any libertarian administration) you could at least mandate that the radios be open source at all levels to enable citizens to verify conformance.

You could probably do an easier job forcing open source just by requiring all government contract hardware / software to provide you with all design schematics and sources that you then immediately publish for consumers to utilize. Without IP bullshit, once someone is publishing it, you can trust it if you personally verify it securely.


To be picky, there exists no market inherently for proprietary software, only a market for software in which the only way to keep the price above zero is to use artificial scarcity via "IP", DRM, and secret source, etc.

So anyway, the correct software freedom position (what Purism is at least claiming to support) is bigger and independent from libertarianism, so if we were to have the optimal legal framework, it needs 3 things: abolish patents and copyright (not trademark though), mandate source release for published works, prohibit DRM.


Wait, you want the government to require companies to sell hardware that will let people protect themselves from... the government. I don't see this happening.


I'm confused as to which OS this is running.



GNU/Linux distribution with wayland and gnome running on top AFAIK.


They should offer a pick-up option to prevent any tampering in transit to make it seem more worthwhile.

I mean if someone is required to be that concerned about security I'm certain they will justify the costs to go pick-up a device versus risking having it compromised.


Why not just make a case that does this? It could have doors that slide out to block/unblock the camera and microphone. And make it a faraday cage to block wifi and gps until you open the case.


The only way to be secure is to not be online. If the NSA is targeting you, you've already lost.


Am I silly for preferring the herd security provided by using vanilla iOS?


What security do you think you get from being in the herd?


- No signalling effect

- Quick and reliable disclosure of and turn around on vulnerabilities


> "No signalling effect"

Can you explain this point please. I've not heard it used in this context before.

> "Quick and reliable disclosure of and turn around on vulnerabilities"

Sadly there's only a very loose correlation between the popularity of a product and the corporation's ability or willingness to disclose vulnerabilities or release patches in good time, nor even patch them at all (in the worst cases).

An apt example of this is how poor many OEMs are at pushing Android updates to popular tablets and smartphones. However I do appreciate you specified iOS and Apple are generally better at supporting older devices than many Android OEMs. But I'm replying to the "herd" point more generally.


> Can you explain this point please. I've not heard it used in this context before.

What I was poorly trying to explain was my feeling that there's sufficiently little data flowing through Tor, and probably sufficiently interesting data in there, that my guess is it's seen a lot of scrutiny for all sorts of attacks, and there's a real possibility nodes are storing traffic for future decryption when vulnerabilities are shown. I try and lock almost all of my data down to HTTPS over a VPN (F-Secure's Freedome), which my gut feeling is is probably a lot less exciting.

In the same vein, a device that's meant purely for TOPSECKRITDATA?! and has a small install base feels like a much bigger target as I'm signalling I have something I am explicitly trying to hide.

>> "Quick and reliable disclosure of and turn around on vulnerabilities"

> I do appreciate you specified iOS

Yeah, I probably didn't express this very well. But I do trust Apple to take it seriously, and I don't think I could take seriously the idea of running an Android device these days from a security and privacy perspective, which is sad.


Thank you for the explanation. Your signaling argument sounds an awful lot like security through obscurity[1], which I do read a lot and sympathise with to an extent, but unfortunately it can also be easily debunked.

Pragmatically, security needs to match the circumstances in order to get a fair balance between usability and security. For most people, hiding inside the noise is "good enough". However the issue arises if any one person gets the limelight thrust upon them for whatever reason. And we've seen examples of this with the phone hacking scandals in the UK and how some journalists also search social media accounts of previously unknown individuals who might hit the headlines. In situations like this, you can no longer hide your signal amongst the noise of the internet as you're not being specifically targeted.

So I guess the point I'm trying to make is the signaling argument only works because the odds are in your favour. But like with any game of chance, there's always the slim chance that you might be unlucky.

At least with stronger levels of security, your comms might be more visible in some circumstances, but at least very little can be ascertained from those comms. Generally speaking of course. However going back to your VPN vs Tor argument specifically, I do agree with you that the security benefits of Tor are largely overstated, so it's not something I use personally myself either.

[1] https://en.wikipedia.org/wiki/Security_through_obscurity


> Pragmatically, security needs to match the circumstances in order to get a fair balance between usability and security. For most people, hiding inside the noise is "good enough".

I'd say it is different. This "herd security" business only matters if your adversary is the NSA. In which case you will need a complex security strategy that goes way beyond just picking OS.

If on the other hand you just want devices that behave reasonably, then you should select your devices based on their behaviour.


If your only worry is malware, vanilla iOS is probably OK. But malware is not the only problem they're trying to solve.


What are the other problems this will solve that vanilla iOS doesn't?


They are trying to achieve complete control over the code it runs. Which is in some ways the opposite of Apple's approach to security.


Depends what your threat model is, and what you're trying to do. I mean if you're an ordinary person with no particular enemies and no huge dark secrets then most of the time you don't need any security, honestly.


At least one of my huge dark secrets is my credit card details. I don't think the idea that most people don't need any security has any depth.


Credit card details are passed over the unsecured phone network as a matter of course.


An individual set of card details are worth too little to a fraudster to be worth taking the risk of tampering with phone lines or breaking into an exchange followed by ages of monitoring (tapping the wrong line? mine hasn't been used for phone conversations for weeks - before that it was broken for weeks before I noticed) - it's not cost effective, and so not much physical security is needed for an individual line, nor that much for an exchange.

If it can be obtained through automated exploits, the cost-benefit ratio changes drastically.


In Poland, I've heard national ID numbers, names and addresses being transmitted over radio analog and unencrypted, on frequencies well within the receiving range of an amateur handheld. I've also heard that taxi drivers often transmit CC details over the radio (again, analog and unencrypted). Keep in mind that listening in to taxi and public service bands is one of the favourite pastimes of HAMs.


thatz a much better way of hitting the home run on

If you have nothing to lose you have nothing to hide

If you have nothing to hide you have nothing to fear.

my motto from the pre snowden/opm hack days.

quite nice that it doesn't get me downvotes anymore.


Granted USA is not a true Democracy but doesn't that defeat the purpose of a Democracy?

Of course I know that you can't have freedom and security these days but should we just start re-labeling the states as a different type of government?

I'm by no means an expert however if we are to have freedom to keep our secrets why is it shameful to do so - even if it is "something to hide" is fearful to divulge we should still have that right to make the choice.

Correct me if I'm wrong, please, because I'm still very young with politics and as such am still learning a lot about it.


Could you clarify, did you understand the error of your statements once the Snowden leaks happened, or are you saying you still agree with this oft refuted (il)logic?


His logic makes perfect sense to me, because almost everyone has something to lose, which means almost everyone has something to hide.


I just misunderstood then, thanks for the clarification.



