I think that the best privacy-respecting laptop around would be a Libreboot computer that has the camera, microphone, and hard drive physically removed and runs Tails on a DVD so that neither the operating system nor the BIOS can be altered without physical access to the computer. The version of Libreboot on the laptop must be write protected, which would mean that updates would need to be externally flashed to the BIOS chip, but this prevents any attempted BIOS alteration from happening via software. Tamper-proof stickers or glitter nail polish could be applied to detect whether the device has been opened while out of your possession. There's no way to flash the BIOS chip without opening the device. Preferences and files that the user wants to keep across amnesiac sessions would be saved on a LUKS-encrypted USB thumb drive. Libreboot will soon have reproducible builds, which would allow users to compare the Libreboot ROM on their device against the reproducible build of the ROM. I would suggest that all Libreboot-supported motherboards should be x-rayed and the x-rays should be published online under Creative Commons licenses so that users could have their own motherboards x-rayed to provide some sort of hardware verifiability, which is currently very much lacking.

Here's more info about Libreboot, which is a Coreboot fork that takes out all of Coreboot's proprietary blobs: http://libreboot.org/faq/

Here's the Free Software Foundation's announcement that the Libreboot X200 earned their Respects Your Freedom certification: https://www.fsf.org/news/libreboot-x200-laptop-now-fsf-certified-to-respect-...

Laptops that run Libreboot with operating systems that don't comply with the GNU Free System Distribution Guidelines (GNU FSDG) https://www.gnu.org/distros/free-system-distribution-guidelines.html don't have FSF's RYF certification. https://www.fsf.org/resources/hw/endorsement/respects-your-freedom

So until Tails creates a version that complies with the GNU FSDG, or until someone creates an operating system forked off a Free Distro https://www.gnu.org/distros/free-distros.html that has all of Tails' security features included, we are all stuck with having to choose between security and freedom in our operating systems. We can code our way out of this false dichotomy though, if we want it.
https://labs.riseup.net/code/issues/5393
https://mailman.boum.org/pipermail/tails-dev/2015-June/009023.html
https://mailman.boum.org/pipermail/tails-dev/2015-June/009024.html

If you believe that the security features in Tails aren't worth the trade-off of having fully free software, or if you believe that Tails running as a DVD instead of a USB stick isn't necessary, it is important to also note that Libreboot's GRUB payload allows you to boot fully encrypted hard drives and USB live systems by decrypting them within the GRUB instance on your BIOS chip and then booting the decrypted OS. This means that the boot sector on the operating system or USB live system can now also be fully encrypted when not in use.

Does anyone on this list think that Librem+PureOS is more free & secure than Libreboot+Tails as I described it here?

Peace & Blessings,
Jah Love

On Mon, 14 Sep 2015 18:29:07 +0100 oshwm <oshwm@openmailbox.org> wrote:
Maybe manufacturers aren't sure what they should be building in order to genuinely and honestly be able to market as 'Respects Your Privacy'. It sounds simple but when you look at the ultimate level of privacy protection then you are talking about open source hardware, software and manufacturing processes and proper auditing of all of these. For a company to manufacture and market a device under these conditions is likely to be hideously expensive and have a very small customer base who are willing to pay such a large price in cash terms. What might be a good idea is for a community such as this one to create some sort of scale which describes the methods, materials and processes to achieve some sort of scoring which would range from 'NSA Spying Device' (0 out of 10) to 'Complete Privacy Protection' (10 out of 10). This would then allow manufacturers to work to a specific score and advertise as such.
cheers, oshwm.
On 14/09/15 17:09, Blibbet wrote:
Librem isn't perfect, and its BIOS isn't fully free. But it's freer than almost any other laptop being sold that's worth owning, and it even comes with a hardware switch for some key sensors. If a product markets itself as 'privacy respecting' (is the Librem *actually* marketed this way?) then it had better back up its claims. Regardless of the way the marketing team is spinning things, they supposedly have 3 firmware developers trying to make a difference. Outside Bunnie Studios, I don't know of another OEM that is trying to help with this niche market with new hardware (not including refurbished Thinkpads). So I respect that effort. Not sure they'll fully succeed in this model, but perhaps a few models later they will have some decent boxes.
It sounds like they have a source license to Intel's Firmware Support Package (FSP), and are modifying it to disable some silicon/firmware features. The results will still be closed-source.
Today, nearly all Intel systems are 100% closed-source firmware, via IBVs (Phoenix, AMI, Insyde, and OEMs). Some AMD and ARM systems could provide blob-free firmware. If used in conjunction with fully open source OS/app stack, then you might be able to trust it.
Today, I don't see how you can trust any keys/certs in any of the Trusted/Verified/Measured/etc. boots; most of the solutions don't seem to have any way for the owner/user to verify, e.g., no CRL/OCSP keys. My reading of NIST SP 800-147 seems to imply that sysadmins need to be able to verify things, but that doesn't seem viable today.
While Purism's marketing may be a bit overboard, I'm hopeful that they're trying. Maybe their next model will use the new RISC-V Raven3 chip, with U-Boot Verified Boot, and ship with full source to CPU/firmware/enclosure, firmware, OS, and apps. To get to that point, we'll probably need to help them fund this current Intel model, to keep Purism alive....
I am not sure why they need to create yet another privacy-centric OS, PureOS, and focus on improving and using Qubes/Tails/Trisquel/Mempo/etc.
They're apparently working on a Free Software fork of FSP. I wish this was a shared effort with many more free software developers, perhaps managed by FSF or Linux Foundation, not just a single OEM. More than one Linux OEM could benefit from such an effort, most of them still use COTS 100% closed-source IBVs.
Can the current Intel-based solution get certified by the FSF RespectYourFreedom program? I'm not sure.
Whatever happens with what they do to the FSP and Intel silicon, if the result is less secure to attackers, that'll be an issue. Many who care about personal freedom and detest blobs seem to ignore security. But Purism cares about privacy and security, so they have to try and deal with both issues. Disabling BootGuard in updated FSP may make it more configurable, but less secure, it seems. Their web site has fancy graphics and tables. I hope they create a list of FSP modifications so we can see what security holes the system may have.
I like the kill switch. I'd go further: since many firmware attacks come through suspend/resume, I'd rather just disable that at the HW/FW/OS levels. I'd like to have a fully lockable enclosure in a laptop, which can cover exposed ports, with a good quality lock, in a metal enclosure. Of course, it wouldn't be able to make it through TSA customs, so probably not commercially viable. :-(
If I worked there, I'd tone down the marketing a bit (they have blobs in their firmware, and they're based on an Intel system, they'll never satisfy some of their potential market), perhaps focus on hardware that can be built with blob-free firmware for their next model. And I'd hire LegbaCore to evaluate the hardware before they ship it, for security issues. :-)
Looking forward to their next model!
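The encrypted boot path Jah Love's message describes (the GRUB payload in the flash chip unlocking a LUKS volume before any bootloader or kernel is read from disk) looks like the grub.cfg fragment below. This is an added example, not Libreboot's shipped configuration or anyone's posted code; the LUKS UUID, device names (usb0,gpt1) and the LVM volume group/logical volume names are placeholders to be replaced with the real layout.

```grub
# Added example grub.cfg fragment for a coreboot/Libreboot GRUB payload.
# Everything here runs from the flash chip, so the on-disk boot sector and
# /boot can live inside the LUKS container and stay encrypted at rest.

insmod part_gpt
insmod cryptodisk
insmod luks
insmod lvm
insmod ext2

menuentry 'Boot fully encrypted internal disk' {
    # Prompts for the passphrase; UUID is written without dashes.
    # 0123...cdef is a placeholder for the real LUKS header UUID.
    cryptomount -u 0123456789abcdef0123456789abcdef
    # Placeholder LVM names: volume group "vg0", logical volume "root".
    # After cryptomount, GRUB can read the filesystem inside the container.
    set root='lvm/vg0-root'
    linux /boot/vmlinuz root=/dev/mapper/vg0-root
    initrd /boot/initrd.img
}

menuentry 'Boot encrypted USB live system' {
    # Placeholder device: first partition of the first USB disk.
    cryptomount (usb0,gpt1)
    # The decrypted device is exposed as crypto0; hand over to the live
    # system's own grub.cfg, which now only exists inside the container.
    set root='crypto0'
    configfile /boot/grub/grub.cfg
}

menuentry 'Unlock every LUKS volume GRUB can see' {
    # -a tries all attached disks; useful when the disk order varies.
    cryptomount -a
    search --no-floppy --file /boot/grub/grub.cfg --set=root
    configfile /boot/grub/grub.cfg
}
```

Because this configuration is part of the write-protected flash image, the menu itself cannot be modified from the running OS; it changes only when the chip is externally reflashed, which is the property the message relies on.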