On Monday, November 14, 2016 at 11:55:09 PM UTC, [email protected] wrote:
> On 11/14/2016 04:50 PM, entr0py wrote:
> 
> > [email protected]:
> >> On 11/14/2016 03:12 PM, Eric wrote:
> >>> On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote:
> >>>> Eric:
> >>>>> On Sunday, November 13, 2016 at 10:44:33 PM UTC-8,
> >>>>> [email protected] wrote:
> >>>>>> Forgot to say: Purism is just an overpriced quanta/oem
> >>>>>> whitebox laptop, it takes 5mil+ of startup funds to do a
> >>>>>> small run of *just a motherboard* let alone an entire laptop
> >>>>>> computer including the fab for a fancy aluminum case - it is
> >>>>>> quite obvious that their components are not "hand selected"
> >>>>>> and that they just called up some Chinese OEM and asked them
> >>>>>> what they had kicking around.
> >>>>>>
> >>>>>> I can't understand if they are scammers or just really
> >>>>>> naive. Instead of making an OpenPower or ARM laptop and
> >>>>>> having it be 100% libre from the start they instead do the
> >>>>>> dishonest "you'll go to disneyworld one day poor johnny" - If
> >>>>>> Google can't convince Intel to open up FSP/ME then nobody can
> >>>>>> - coreboot with FSP is just shimboot (black box FSP - 95% of
> >>>>>> the BIOS work)
> >>>>>>
> >>>>>> It bothers me quite a lot that they are on the list of
> >>>>>> approved vendors when they are a dishonest company.
> >>>>> Whoa. Ok, hold on a sec. I did not buy a Purism computer,
> >>>>> though not for those reasons - putting a 28W TDP proc in a
> >>>>> 15-inch "workstation" is absurd to me, as is their lack of a
> >>>>> screen configuration. I hear your anger at the gap between what
> >>>>> they promise and what they deliver; I'm more displeased on the
> >>>>> hardware side of things (though I do like HW kill switches).
> >>>>> I've looked into what they promise and understand very well
> >>>>> that they don't actually have a very free computer at all,
> >>>>> especially on the BIOS/firmware side.
> >>>>>
> >>>>> What I actually ordered (and have now cancelled), was a Dell
> >>>>> XPS 15". There is no vPro option in the configure menu, though
> >>>>> it does support VT-d and SLAT. I've read all of Joanna's
> >>>>> papers, and understand the concerns about Intel ME very well.
> >>>>> However, on the Dell order, it claimed "ME Disabled." Perhaps
> >>>>> they simply meant that vPro/AMT/TXT was disabled, and that was
> >>>>> mine and Dell's fault for wishful thinking and false naming,
> >>>>> respectively. Please see linked photo: https://d.pr/Q0YZ
> >>>>>
> >>>> Moral considerations aside, why not buy that Dell and pair it
> >>>> with a portable router/firewall like this
> >>>> (https://www.compulab.co.il/utilite-computer/web/products)?
> >>>> Shouldn't that effectively block out any ME-related mischief or
> >>>> do I have a fundamental misunderstanding? It doesn't seem
> >>>> possible otherwise to get the type of processing power you're
> >>>> looking for in a laptop form-factor.
> >>> Also, the concern for me is not ME shenanigans. I'm more concerned
> >>> about having TXT for AEM and measured boot, and the consumer Dell
> >>> model does not have that (the processor and chipset don't support
> >>> it). The other option aside from the Precision 5510, would be a
> >>> ThinkPad T460 or T460p, but the downside there is performance (only
> >>> SATA-3 SSD), and also the screen quality is terrible.
> >>>
> >>> Much as I dislike proprietary anything, I might take a second look
> >>> at the new MacBook Pros, and run things that need higher security
> >>> in a VM or in Whonix.
> >> Why would you buy a MacBook? You realize those have regular Intel
> >> processors and ME too right?
> >>
> >> Lenovo is owned by the Chinese, and Dell business laptop (their consumer
> >> line is garbage) is a way better choice than either.
> >>
> >> It seems you do have (as you said) a fundamental misunderstanding of how 
> >> security actually works, and how a router/firewall operates. - thus I 
> >> don't think that anyone would be targeting you specifically with a ME 
> >> exploit.
> > (top-posting fixed)
> >
> > Despite my "fundamental misunderstanding of how security actually works", I 
> > am able to read a thread and keep track of who said what - a skill you 
> > seemed to have misplaced in all your wizardry. Also, on your crusade to 
> > dismantle Intel and Google, it might behoove you to take a slightly less 
> > aggressive tack with people who generally share your beliefs cause it seems 
> > you're significantly outnumbered as it is.
> >
> > Now if you'd like to respond without the obligatory disdain and actually 
> > explain something, my question was: "Is Intel ME/AMT able to bypass 
> > firewalls that haven't been specifically configured to support those 
> > services?" This entry: 
> > https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Communication
> >  leads me to think that ME TCP/IP traffic isn't automatically 
> > passed-through, but like *I* said, I may have a fundamental 
> > misunderstanding of that.
> It is the same as any other device connected to your network, if it has 
> a world routable IP, you port forward, your router gets hacked, your 
> computer gets exploited or *it initiates communication on its own* then 
> yes it can communicate with the outside world.
> For all we know it is simply waiting for an "activation" code sent via 
> MITM that it will detect.

Thank you for the explanation. Even Trump can act presidential. :)  So it turns 
out my reasoning had a rather obvious flaw. I kept stubbornly assuming that my 
ME device would be on the LISTENING end when it could just as easily be set to 
call out periodically and render my genius plan moot. I guess now I'm back in 
the depressing boat with everyone else.


> I do not want to "dismantle" Intel/Google, I simply want them to be more 
> friendly to the customer and for Intel to end their war on free software 
> and general purpose computing - they used to be great companies but now 
> they aren't because of nepotism and outsourcing.
> 
> Features like boot guard could have been implemented fully open source 
> and transparent, with a jumper to disable or place the computer in 
> signing mode so that you can sign/write your own firmware.
> In 10-20 years you won't even be able to run unapproved binaries or view 
> unapproved files on an average computer, similarly as to how secure boot 
> v2 standards don't require the option to disable it (and thus you must 
> ask Microsoft for permission to run Linux on your own computer) it is a 
> slippery slope and if you give them an inch they take a mile.
> 
> It is the hollowing of the market, the removal of the middle class of 
> computing.
> You can buy a low performance ARM (or the like) device with free 
> firmware or you can splash out 4-8K for a super high performance OPOWER8 
> device from IBM/Tyan - it is a myth that free firmware is only available 
> on old/slow devices. My next laptop will be a desktop board in a custom 
> made mobile 1U chassis.

I spent some time reading up on Power (including this optimistic Anandtech 
review: 
http://www.anandtech.com/show/9567/the-power-8-review-challenging-the-intel-xeon-/2).
 The chips are seemingly priced competitively enough (though my office would 
turn into a sauna). I was intimidated by the prospect of having to port x86 
packages to Power arch but looking through Debian repos, it appears that nearly 
all of the packages I use have already been ported to ppc64el. Then I noticed 
the one exception, the dealbreaker, is that Xen doesn't support Power. So it 
comes down to Qubes + Intel ME versus KVM + Power8 + clueless user. So yeah... 
guess my Intel boycott lasted all of one day. :/


> "top posting" is my natural way of reading things, with my eyes at the 
> center-top of the screen it feels more natural. I am the Trump of the IT 
> world - a steamroller in every way "my way or the highway" - but I enjoy 
> and am happy to help people with highly technical questions that no one 
> else is able to answer as long as they do their own research as well.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9fc50aeb-d800-4993-9c66-ff2a16329b1f%40googlegroups.com.