Thanks for putting all this information in one place. I was earlier looking to buy Insurgio Privacy Beast, but it was not clear whether it could be shipped to India. I then ordered Librem 13.
Is there any comparison available between these two, based on privacy and security considerations? Regards, Anil Kumar Singh > On 01-Jan-2020, at 2:15 AM, Thierry Laurion <thierry.laur...@gmail.com> wrote: > > > >> On Wed, Dec 25, 2019 at 6:03 PM <brendan.h...@gmail.com> wrote: >> Insurgo is providing a service. >> >> If one can do the steps themselves, that’s fine. >> >> If I were advising a somewhat less technical journalist or a potentially >> targeted human-rights worker or politically targeted activist who just >> wanted to get stuff done and had the resources, I’d point them to Insurgo. >> >> Brendan >> >> -- >> You received this message because you are subscribed to the Google Groups >> "qubes-users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to qubes-users+unsubscr...@googlegroups.com. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/qubes-users/7a7741f2-6b80-40be-a5a0-0f56b658f9fc%40googlegroups.com. > > > Hello there, Thierry Laurion from Insurgo Open Technologies. > > Thanks Brendan. > > I feel the need to clarify things a bit once in a while. This reply is one of > those. This QubesOS community is large, and even if replies were done on > Reddit and other posts here in the past, the same questions arises with the > same scattered answers. Here is a combination of those answers. > Insurgo made grant applications so that actual best trustworthy unmaintained > hardware becomes mainstreamed under coreboot, and added under Heads (extend > Heads measured boot support of latest coreboot VBOOT+measured boot on > Sandy/Ivy bridge xx30 and xx20 platforms: t530, t430, x220. Thanks to > obtained NlNet grant for Accessible Security project). > Insurgo is attempting to gather developers, device manufacturers > (RaptorEngineering) and funders around Power9-Power10 hardware based X86 > alternative platform (PPC64le QubesOS platform support which has a bounty > offer already but needs commited developers). Let's remember that their > Blackbird/Talos II platforms recently got RYF certification. > The last x86 platform having met RYF criteria is the X200, thanks to the > Libreboot project, which removed Intel ME. > Since then, the x86 platforms have blobs we have to accept/deal with to make > it trustworthier: > Sandy Bridge/Ivy bridge : EC firmware, Intel ME BUP ROMP modules. Coreboot > doesnt rely on FSP blobs for initialization. ME is actually neutered (no > kernel nor syslibs as opposed to newer platforms, just BUP and ROMP) and > deactivated (AltMeDisable bit, not HAP bit). > More recent hardware requires ME with its kernel and syslibs binary blobs > present, while ME is asked to be deactivated through HAP bit, requires Intel > FSP and other binary blobs for hardware initialization. > Insurgo works to bridge the gap to broader QubesOS accessibility, so that > users in need of remote support can have secured remote administration from > trusted third parties (new revenue? AccessNow? Other third parties?) over > hidden tor onion service from additional GUI (NlNet grant for Accessible > Security project). > Insurgo tries its best to support Heads community through GitHub opened > issues while promoting collaboration. > Insurgo tries its best to mainstream CI build systems to produce reproducible > builds artifacts (this is broken for months and is still not resolved). > Insurgo tries to raise awareness of researchers and developers on the current > state of "Open Source Firmware" (currently requiring FSP, ME or > equivalent,not having completely neutered Intel ME while claiming it is > deactivated, while system libraries and kernel is still there but latent...) > This implies going to conferences, doing talks, confronting the status quo, > researching, developing so we have alternatives in the future....while also > doing the required clerical work. > Insurgo made QubesOS preinstallable for the first time on the PrivacyBeast > X230, thanks to its reownership wizard which takes care of GPG key > generation, internal ROM reflashing, TPM ownership and sealing of > measurements, signing boot configuration, while enforcing diceware > passphrases in the provisioning phase. The goal is to generalize it to other > platforms. Ideally through collaboration... > Insurgo made the PrivacyBeast X230 certified by QubesOS, with a lot of work > done on Heads that is unfortunately not upstreamed yet. Will go back at this, > while branch is available through Gitlab and GitHub. > Insurgo collaborates with other parties to make needed work to have fwupd > (firmware upgrades), available inside of QubesOS, including Heads firmware, > thanks to NlNet Privacy and Trust grant, once again. > Insurgo tries to push verified boot to measure also the LVM containers inside > of deployed QubesOS reencrypted disk installation, through Heads, so that > third party OEMs could also deploy reproducible ROMs that are measureable, > verify their reproducibility, have verified boot and known good QubesOS > installation with safer defaults to deploy to users by themselves (LUKS > discards, MAC randomization, sdcard attached to sys-usb and others). The user > would not have to trust those third parties on the RoT. > Add internationalization into Heads, so that UK keyboards and other keymaps > can be selected at first boot and saved into the ROM at ownership. > .... Other work required by both QubesOS, Heads and their subprojects for > more accessible security and usability. > There is something really interesting in the open source world. > > Bigger corporation will pay for the development work they require to fit > their needs and upstream changes. This makes software and accomplished work > feel like free as in free beer. > > Meanwhile, when a small player tries to make important changes for everyone > in related projects, with really limited resources, people apply the same > free as in free beer logic since they can buy second hand hardware online at > lower price and do the reprogramming themselves, not understanding even the > differences on the model they are buying and the changes in costs associated > with the model they buy, nor the privilege they have to be able to do > required technical work themselves nor the knowledge privilege they have of > knowing that such hardware and free software exist with which their hardware > can be freed with. > > Of course, you can and are encouraged to backup your SPI flash chips, unlock > the rom, apply me_cleaner, flash ME and Heads back into SPI flash chips, > replace the wifi card, factory reset your USB security dongle, seal secrets > for remote attestation and sign boot components, if you are tech savvy enough > to do it right, yourself. > > Meanwhile, Insurgo's goal is to facilitate that DIY, while still making money > enough to pay itself and others to do the technical required work... so that > you can do it yourself if you'd like, while organizations needing this kind > of privacy/confidentiality/security for their users can also do the work for > their users, without knowing all the technical details. On the X230 now, and > other platforms in the near future. > > Meanwhile, the x230 i7 2.9ghz, with its IPS screen and replaced wifi card, > maximized 16GB ram and 256GB SSD drive, which makes the PrivacyBeast X230 > hardware, is the one of the last platform on which open source firmware can > fully thrive, meeting QubesOS requirements, pushing things the farthest > possible by truely neutering ME (releasing 5Mb of additional ROM space to do > more stuff from the boot environment), using its TPM to do the measured boot > functions, sealing secrets into a QR code that enforces remote attestation > through TOTP (smartphone based manual validation) or HOTP USB security > dongles (Librem Key/Nitrokey Pro and Nitrokey Storage which visually attests > of firmware integrity with a green or red LED), while using OpenGPG functions > of the smartcard to enforce verified boot on QubesOS core system components > (/boot), making those root of trust required components tamper evident. > > Thanks for you time. Equip yourself accordingly. :) > > Thierry Laurion > Insurgo, Open Technologies > -- > You received this message because you are subscribed to the Google Groups > "qubes-users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to qubes-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/qubes-users/CAAzJznx%2BSgVSWOMvaohPf-im082uXqSqsu%3DLLL7P4N8rhXRKKA%40mail.gmail.com. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/90B618F0-32CE-473F-8595-55C8E5198DB5%40gmail.com.
