Re: [DNG] Talos, Intel, libre purism, ...

2017-09-07 Thread Rick Moen
Quoting zap (calmst...@posteo.de):

> The Sad thing is, I sometimes if it is nonsensical, or stupid, I find it
> highly amusing. 

Isn't it just?  One of the mutt MUA's (many) unsung advantages is you
can often tell, merely by glancing at the threading pattern, that a
thread has gone totally off the rails and is now best deleted unread.

And yes, IMVAO, it's damned amusing, too.

> In this case though, it was getting old though. ;/

Quite.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


Re: [DNG] Talos, Intel, libre purism, ...

2017-09-07 Thread Rick Moen
Quoting eric (eri...@cox.net):

> That may remove some of the (off-topic?) traffic on this list even
> though I do not know what is off-topic anymore.

One rule of thumb I try to follow, to reduce noise, is state a specific
point of contention twice at most, then exit, even if an Inevitable One
insists on rearguing said topic and misrepresenting what you said
(a common ploy to troll another party into continuing) -- evading the
notorious 'dogfight' antipattern that otherwise ensues:

 61 r + 170830 George Tirebiter  (636) ,->
 62   F 170830 To George Tirebit ( 12)   ,->
 63 r + 170830 George Tirebiter  (520) ,->
 64   F 170830 To George Tirebit ( 16)   ,->
 65 r + 170830 George Tirebiter  (230) ,->
 66   F 170830 To George Tirebit ( 10)   ,->
 67 r + 170830 George Tirebiter  (121) ,->


ObWarGames: 'The only winning move is not to play.'  IMVAO.  ;->
(http://linuxmafia.com/~rick/lexicon.html#imvao)


Re: [DNG] ascii-security Was:Re: Security updates in Devuan

2017-09-07 Thread John Franklin

> On Sep 7, 2017, at 1:54 PM, KatolaZ  wrote:
> 
> These things will clear out when amprolla3 comes up. We are almost
> there.  The current amprolla is not merging some suites on ascii,
> including ascii-updates and ascii-proposed-updates.

I’m looking forward to a big update when it finally does.  I hope amprolla3 is 
getting the priority attention it deserves.

jf
-- 
John Franklin
frank...@tux.org





Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Rick Moen
Quoting taii...@gmx.com (taii...@gmx.com):

> >I also find a bit questionable your going around attempting to tarnish
> >the reputation of someone with a real name, while concealing your own.
> Criticism isn't allowed?

This is of course nothing like what I said.

> I dislike when people deal with speculation instead of proven facts
> when judging technical merits.

Then, _address what you perceive as speculation_.  Instead attempting
cheap character assassination, from behind cover of anonymity, suggests
you have no real argument.

> I don't use my "real" name on the internet for the same reason I
> don't want a computer with ME/PSP.

Once again, you are deflecting and changing the subject.  I said nothing
against being anonymous.  I merely said that slagging reputations of 
real named people with unsupported derogatory allegations, especially
when you refuse to name yourself, is disreputable and bogus.

Of course, you don't actually need to worry about 'taii...@gmx.com'
developing a bad reputation:  At some point, you can just walk away from
that 'nym and be someone else, which is the whole point, isn't it?  It
makes the character assassination ploy a bit transparent.



Re: [DNG] ascii-security Was:Re: Security updates in Devuan

2017-09-07 Thread KatolaZ
On Thu, Sep 07, 2017 at 10:22:57AM -0400, fsmithred wrote:

[cut]

> 
> I think there's nothing in ascii-security and ascii-updates. The Packages
> files for both are empty. (I only checked amd64.)
> 
> In contrast to that jessie-security, jessie-updates and
> jessie-proposed-updates all have packages.
> 
> Can someone explain the difference between -security, -updates and
> -proposed-updates? What goes where, and why is ascii different from
> jessie? Thanks. Questions about security updates come up regularly on d1g.
> 

These things will clear out when amprolla3 comes up. We are almost
there.  The current amprolla is not merging some suites on ascii,
including ascii-updates and ascii-proposed-updates.

My2Cents

KatolaZ

-- 
[ ~.,_  Enzo Nicosia aka KatolaZ - GLUGCT -- Freaknet Medialab  ]  
[ "+.  katolaz [at] freaknet.org --- katolaz [at] yahoo.it  ]
[   @)   http://kalos.mine.nu ---  Devuan GNU + Linux User  ]
[ @@)  http://maths.qmul.ac.uk/~vnicosia --  GPG: 0B5F062F  ] 
[ (@@@)  Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ  ]




Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Adam Borowski
On Thu, Sep 07, 2017 at 05:25:47PM +0200, Enrico Weigelt, metux IT consult wrote:
> IMHO, even this discussion isn't strictly related to devuan

That's why we're talking on dng not on devuan-dev.

The latter is for development of Devuan specifically.
The former came with the slogan "campfire for systemd refugees".

> it's still related to the bigger picture, why FOSS exists at all.

Why would anyone bother to use free software if you have no free hardware to
run it on?  Hardware with merely closed internal workings but well-defined
programmer-facing specs has been so far considered acceptable, but nowadays
we're faced with hardware that actively works against you!  Security is
simply not possible on such gear.

> Actually, I'm very happy w/ the things posted here (*incl* the OTs).

I'd consider a discussion of bind vs nsd, or user questions somewhat OT
(even if usually helpful).  I don't see how talk about direct threats
towards openness of development would be against the spirit of such list --
be that replacing half of the system with an opaque unmodular blob with bugs
unfixable[1] for an outsider, so are backdoors or DRM in the hardware.

> Maybe we could split the list into multiple ones, for several topic
> types. (eg. strictly technical ones, like packages/patches, general
> discussions, etc)

There's probably not enough traffic for separating user-facing stuff yet;
strictly packaging stuff already has a list of its own.

Also, note my sig: it has the swirl rather than the chevron in it.  All of
Devuan development I do migrates through Debian first.  Yet I don't have a
feeling of being unwelcome here.

And, I guess it's up to Jaromil and co to declare what's acceptable here:
they're the owners of this list after all.

I do understand your anger about a spat between someone calling another
poster a Purism shill while the other person derided Talos in turn.  That
was ugly.  But, if you exclude this shout-fest, the rest of the thread was
worth the electrons it came on.


Meow!

[1]. Taking too much effort, for someone with decent general programming
skills but unfamiliar with the system in question, makes such a system
too closed to be allowed to live.  I'm not a kernel dev yet I can fix easy
kernel problems -- no such thing with systemd.
-- 
⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢰⠒⠀⣿⡁ Vat kind uf sufficiently advanced technology iz dis!?
⢿⡄⠘⠷⠚⠋⠀ -- Genghis Ht'rok'din
⠈⠳⣄ 


Re: [DNG] Off-topic postings Was: Re: Talos, Intel, libre purism, ...

2017-09-07 Thread golinux

On 2017-09-07 10:31, Svante Signell wrote:
> On Thu, 2017-09-07 at 08:47 -0500, goli...@dyne.org wrote:
> > On 2017-09-07 08:01, Svante Signell wrote:
> > >
> > > Yes, please! Even if some messages are interesting, a majority of them
> > > are off-topic for Devuan. This list should concern user feedback, etc. For
> > > pure development there is already list for that: devuan-dev.
> >
> > LOL!  We had a devuan-discuss list and almost nobody used it so it was
> > removed.  Unlikely we'll go there again.  Search the archives for the
> > discussion about that event.
>
> What to do then? Maybe create a devuan-user list and forward people contributing
> off-topic postings on that list to this [DNG] list. This is similar to telling
> people writing off-topic stuff on #devuan to move to #debianfork!



This is not a lack-of-a-list problem.  It is a human behavior problem 
that is not easily managed.  Either participants will get a clue or not 
. . .


golinux


Re: [DNG] Talos, Intel, libre purism, ...

2017-09-07 Thread golinux

On 2017-09-07 10:40, zap wrote:
> On 09/07/2017 08:11 AM, Antony Stone wrote:
> > On Thursday 07 September 2017 at 13:59:01, Narcis Garcia wrote:
> >
> > > This thread has now 86 posts, and I still don't see a solid contribution
> > > to Devuan project.
> > > This makes very heavy to be subscribed in a mailing list for people like
> > > me, that are looking a good alternative to Debian/Systemd, not only in
> > > software but also in community.
> >
> > I'm strongly inclined to agree.
> >
> > Perhaps we could have something like a "devuan-discuss" list for the
> > philosophy and the disagreements, leaving this list for discussions actually
> > directly related to developing or using Devuan?
>
> Yes! PLEASE! let's do that. :)


Do you not READ this list?  Been there. Done that.  It failed miserably.

Date: 2016-11-06 07:59 -600
To: dng
Subject: [DNG] devuan-discuss is not useful, quite the opposite

Why don't you start a blog or something to host mind-numbing debates 
like this.


golinux


Re: [DNG] OT: (almost), but tangentially on-topic Re: Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Antony Stone
On Thursday 07 September 2017 at 17:34:48, Rowland Penny wrote:

> On Fri, 8 Sep 2017 01:23:29 +1000 Erik Christiansen wrote:
> > 
> > Losing your temper in an infantile manner is not. And it won't.
> 
> No I didn't lose my temper, I just shouted because you lot must be deaf.

Just because someone doesn't do what you say does not mean they did not hear 
you.  Shouting is (in my opinion) ill-mannered and unlikely to achieve your 
objectives with the people you feel need shouting at.

> > > I don't care about your drivel, it has nothing directly to do with
> > > Devuan
> > 
> > Then don't read this thread. By all means divert it to your spam
> > folder, if you have the competence.
> 
> I do have the competence, but why should I have to, why should I not
> complain after 80 posts of drivel ?

It's your choice to be on this list, and it's your choice whether to continue 
reading a thread you clearly think is irrelevant to you.

I also think this thread should move elsewhere, but having expressed my 
opinion, if the thread continues, my next choice would simply be to ignore it.

> No sorry, but at 61 years of age, I feel that I am as mature as I am
> likely to get.

Oh, well in that case maybe you just need to get a bigger delete key.


Regards,


Antony.

-- 
Users don't know what they want until they see what they get.

   Please reply to the list;
 please *don't* CC me.


Re: [DNG] ascii-security Was:Re: Security updates in Devuan

2017-09-07 Thread Svante Signell
On Thu, 2017-09-07 at 10:22 -0400, fsmithred wrote:
> On 09/07/2017 08:55 AM, Svante Signell wrote:
> > 
> 
> I think there's nothing in ascii-security and ascii-updates. The Packages
> files for both are empty. (I only checked amd64.)
> 
> In contrast to that jessie-security, jessie-updates and
> jessie-proposed-updates all have packages.
> 
> Can someone explain the difference between -security, -updates and
> -proposed-updates? What goes where, and why is ascii different from
> jessie? Thanks. Questions about security updates come up regularly on d1g.

In my opinion they should be as follows:
ascii-security: Debian stretch security updates, filtered so that if there is an
older Devuan package it cannot be installed.

ascii-updates: Remove, it serves no real purpose, or?

ascii-proposed-updates: Devuan packages, not yet migrated into ascii.
(similar to Debian packages in sid/unstable not yet merged into testing/buster.
They do migrate to testing after normally 5-10 days if no RC bugs, etc blocks
them)


Re: [DNG] Talos, Intel, libre purism, ...

2017-09-07 Thread zap


On 09/07/2017 08:11 AM, Antony Stone wrote:
> On Thursday 07 September 2017 at 13:59:01, Narcis Garcia wrote:
>
>> This thread has now 86 posts, and I still don't see a solid contribution
>> to Devuan project.
>> This makes very heavy to be subscribed in a mailing list for people like
>> me, that are looking a good alternative to Debian/Systemd, not only in
>> software but also in community.
> I'm strongly inclined to agree.
>
> Perhaps we could have something like a "devuan-discuss" list for the 
> philosophy and the disagreements, leaving this list for discussions actually 
> directly related to developing or using Devuan?
>
Yes! PLEASE! let's do that. :)

> Antony.
>



Re: [DNG] OT: (almost), but tangentially on-topic Re: Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Rowland Penny
On Fri, 8 Sep 2017 01:23:29 +1000
Erik Christiansen  wrote:

> On 07.09.17 15:42, Rowland Penny wrote:
> > On Thu, 7 Sep 2017 16:32:42 +0200
> > Adam Borowski  wrote:
> > 
> > > On Thu, Sep 07, 2017 at 11:51:46PM +1000, Erik Christiansen wrote:
> > 
> > I have tried asking nicely
> 
> That was wise. It might have worked.

It didn't

> 
> > WILL YOU SHUTUP!!!
> 
> Losing your temper in an infantile manner is not. And it won't.

No I didn't lose my temper, I just shouted because you lot must be deaf.

> 
> > I don't care about your drivel, it has nothing directly to do with
> > Devuan
> 
> Then don't read this thread. By all means divert it to your spam
> folder, if you have the competence.

I do have the competence, but why should I have to, why should I not
complain after 80 posts of drivel ?
 
> 
> All lists tolerate a modicum of OT traffic - especially when it is
> tangentially on-topic, as is discussion of security risks when running
> linux. It is an act of consideration to flag such posts with "OT:",
> and that allows one procmail or MUA rule to screen all such traffic.

A modicum, you call over 80 posts a modicum ? Am I supposed to wait
until it gets to rival Tolstoy's War and Peace before complaining ?

> 
> But your whining, and the traffic which it might take to help you
> achieve a little more maturity is OT. So it might be useful for you to
> desist.

No sorry, but at 61 years of age, I feel that I am as mature as I am
likely to get.

Rowland



Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Enrico Weigelt, metux IT consult

On 07.09.2017 16:12, Erik Christiansen wrote:

> If the firewall is on a FPGA, then we know what every gate is doing, as
> we have the VHDL source for it.

A purely FPGA-based firewall (w/o a cpu in it), specifically
synthesized for a given ruleset, seems a very interesting approach.

Anyone here w/ some practical vhdl experience ?


--mtx


[DNG] Off-topic postings Was: Re: Talos, Intel, libre purism, ...

2017-09-07 Thread Svante Signell
On Thu, 2017-09-07 at 08:47 -0500, goli...@dyne.org wrote:
> On 2017-09-07 08:01, Svante Signell wrote:
> > 
> > Yes, please! Even if some messages are interesting, a majority of them 
> > are off-topic for Devuan. This list should concern user feedback, etc. For
> > pure development there is already list for that: devuan-dev.

> LOL!  We had a devuan-discuss list and almost nobody used it so it was 
> removed.  Unlikely we'll go there again.  Search the archives for the 
> discussion about that event.

What to do then? Maybe create a devuan-user list and forward people contributing
off-topic postings on that list to this [DNG] list. This is similar to telling
people writing off-topic stuff on #devuan to move to #debianfork!


Re: [DNG] Purism Librem and disabling Intel ME

2017-09-07 Thread Rowland Penny
On Thu, 7 Sep 2017 17:12:25 +0200
Edward Bartolo  wrote:

> Quote: "Please take this discussion somewhere else, it has NOTHING to
> do with Devuan"
> 
> This discussion has taught me that Intel CPUs from 2008 onwards also
> come with GRATIS but QUESTIONABLE functionalities, that many including
> myself, frown upon.
> 
> If there are non-risky hacks that readers can use to 'harden' their
> computer against this unwelcome feature, please go ahead and provide
> it, even here. This has to do with Devuan as it has to do with
> security.

Sorry Edward, but this doesn't really have anything to do with Devuan
OS directly and if it was just a mention of a 'feature', I could live
with it. This topic, like several others lately, just goes on and
on and on. It is just clogging my email with something I'm not that
interested in (well not to the extent it has been discussed here).

If you are going to mention something not directly to do with Devuan,
then do just that, mention it and move on, don't chew it over and over.
If you feel you should have a major discourse about it, then do it off
list!

Rowland




Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Enrico Weigelt, metux IT consult

On 07.09.2017 16:42, Rowland Penny wrote:
> On Thu, 7 Sep 2017 16:32:42 +0200
> Adam Borowski  wrote:
>
> > On Thu, Sep 07, 2017 at 11:51:46PM +1000, Erik Christiansen wrote:
>
> I have tried asking nicely
>
> WILL YOU SHUTUP!!!


hey, please calm down.

IMHO, even this discussion isn't strictly related to devuan, it's still
related to the bigger picture, why FOSS exists at all.

Actually, I'm very happy w/ the things posted here (*incl* the OTs).

Maybe we could split the list into multiple ones, for several topic
types. (eg. strictly technical ones, like packages/patches, general
discussions, etc)

--mtx


[DNG] OT: (almost), but tangentially on-topic Re: Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Erik Christiansen
On 07.09.17 15:42, Rowland Penny wrote:
> On Thu, 7 Sep 2017 16:32:42 +0200
> Adam Borowski  wrote:
> 
> > On Thu, Sep 07, 2017 at 11:51:46PM +1000, Erik Christiansen wrote:
> 
> I have tried asking nicely

That was wise. It might have worked.

> WILL YOU SHUTUP!!!

Losing your temper in an infantile manner is not. And it won't.

> I don't care about your drivel, it has nothing directly to do with
> Devuan

Then don't read this thread. By all means divert it to your spam folder,
if you have the competence.

All lists tolerate a modicum of OT traffic - especially when it is
tangentially on-topic, as is discussion of security risks when running
linux. It is an act of consideration to flag such posts with "OT:", and
that allows one procmail or MUA rule to screen all such traffic.

But your whining, and the traffic which it might take to help you
achieve a little more maturity is OT. So it might be useful for you to
desist.

HAND.

Erik


[DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Edward Bartolo
Quote: "Please take this discussion somewhere else, it has NOTHING to do with
Devuan"

This discussion has taught me that Intel CPUs from 2008 onwards also
come with GRATIS but QUESTIONABLE functionalities, that many including
myself, frown upon.

If there are non-risky hacks that readers can use to 'harden' their
computer against this unwelcome feature, please go ahead and provide
it, even here. This has to do with Devuan as it has to do with
security.


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Rowland Penny
On Thu, 7 Sep 2017 16:32:42 +0200
Adam Borowski  wrote:

> On Thu, Sep 07, 2017 at 11:51:46PM +1000, Erik Christiansen wrote:

I have tried asking nicely

WILL YOU SHUTUP!!!

I don't care about your drivel, it has nothing directly to do with
Devuan

Rowland



Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Adam Borowski
On Thu, Sep 07, 2017 at 11:51:46PM +1000, Erik Christiansen wrote:
> On 07.09.17 13:32, Adam Borowski wrote:
> > On Thu, Sep 07, 2017 at 09:17:20PM +1000, Erik Christiansen wrote:
> > > If our hosts cannot be trusted not to phone home to folk wearing dark
> > > glasses, then would it not suffice to employ a simple embedded host with
> > > a small die, such as an ARM, e.g. Beaglebone Black, as a firewall?
> > 
> > It's not hard to trigger a backdoor using a higher level protocol, from
> > Javascript, etc.
> 
> But no-one who is awake would enable java or any of that stuff on a firewall.
> Back doors on the LAN can't phone home through a minimal-silicon RISC
> embedded firewall which is just too small to contain any secondary CPU.
> It just needs to run a minimal kernel with packet routing capability.
> Everything else is a door into vacuum.

You don't make a separate TCP connection, you put it into a stream the user
already has.  And no firewall can distinguish a https connection from
another, other than the destination (the black glasses guys won't use a
.nsa.gov server) or perhaps some flow patterns if you tunnel certain
long-lived protocols inside the https connection -- which isn't possible
if they use anything that resembles a typical browsing session.


Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢰⠒⠀⣿⡁ Vat kind uf sufficiently advanced technology iz dis!?
⢿⡄⠘⠷⠚⠋⠀ -- Genghis Ht'rok'din
⠈⠳⣄ 


Re: [DNG] ascii-security Was:Re: Security updates in Devuan

2017-09-07 Thread fsmithred
On 09/07/2017 08:55 AM, Svante Signell wrote:
> On Thu, 2017-09-07 at 21:07 +0900, Olaf Meeuwissen wrote:
>> Hi John,
>>
>> John Franklin writes:
>>
>>> I’ve seen several security alerts from Debian, but no matching
>>> updates in Devuan.  For example, the “file" package has
>>> CVE-2017-1000249, released yesterday.
>>>
>>>> For the stable distribution (stretch), this problem has been fixed in
>>>> version 1:5.30-1+deb9u1.
> 
>> Uhm, Devuan ascii is testing.  I'd think that doesn't get any security
>> upgrades, just like Debian's testing (buster) doesn't get any.
> 
> No, Devuan ascii is stretch, i.e. Debian stable.
> 
> This upgrade should be available, but isn't:
> Adding to /etc/apt/sources.list,
> deb http://auto.mirror.devuan.org/merged ascii-security  main
> does not make it available:
> apt-cache policy file
> file:
>   Installed: 1:5.30-1
>   Candidate: 1:5.30-1
>   Version table:
>  *** 1:5.30-1 991
>         991 http://auto.mirror.devuan.org/merged ascii/main i386 Packages
>         100 /var/lib/dpkg/status
> ___


My sources.list is bigger than yours, and I see the same thing for file,
but I know of two other cases in which the patched version found in
stretch security is in ascii-proposed-updates -

apache2:
  2.4.25-3+deb9u2 0
         10 http://security.debian.org/ stretch/updates/main amd64 Packages
        100 http://auto.mirror.devuan.org/merged/ ascii-proposed-updates/main amd64 Packages

chromium:
  60.0.3112.78-1~deb9u1 0
         10 http://security.debian.org/ stretch/updates/main amd64 Packages
        100 http://auto.mirror.devuan.org/merged/ ascii-proposed-updates/main amd64 Packages

I think there's nothing in ascii-security and ascii-updates. The Packages
files for both are empty. (I only checked amd64.)

In contrast to that jessie-security, jessie-updates and
jessie-proposed-updates all have packages.

Can someone explain the difference between -security, -updates and
-proposed-updates? What goes where, and why is ascii different from
jessie? Thanks. Questions about security updates come up regularly on d1g.


fsmithred
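
Added example (not from any post in this thread, and not Devuan's or apt's own code): the by-eye comparison of `apt-cache policy` output against an advisory's fixed version, automated. It reimplements Debian version ordering and separates "no configured suite offers the fix" from "a suite offers it but pinning keeps it from becoming the candidate". The first sample is the output quoted above with standard indentation restored; the second sample and all function names are constructed for illustration.

```python
import re

def _order(c):
    """Weight of one character inside a non-digit run (dpkg ordering)."""
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    return 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare two upstream-version or revision strings: <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run, character by character; end of string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run, compared as integers (an empty run counts as 0).
        da, db = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        i, j = i + len(da), j + len(db)
    return 0

def _split(version):
    """Split [epoch:]upstream[-revision]; a missing epoch is 0."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(v1, v2):
    """Debian ordering: negative if v1 < v2, 0 if equal, positive if v1 > v2."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

VERSION_LINE = re.compile(r"^ (?:\*\*\*|   ) (\S+) (-?\d+)$")   # " *** 1:5.30-1 991"
SOURCE_LINE = re.compile(r"^ {6,}(-?\d+) (\S.*)$")              # "        991 http://..."

def parse_policy(text):
    """Parse `apt-cache policy <pkg>` output (standard indentation assumed)."""
    pol = {"package": None, "installed": None, "candidate": None, "table": {}}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        ver, src = VERSION_LINE.match(line), SOURCE_LINE.match(line)
        if pol["package"] is None and re.match(r"^\S+:$", line):
            pol["package"] = line[:-1]
        elif line.strip().startswith(("Installed:", "Candidate:")):
            key, value = line.strip().split(": ", 1)
            pol[key.lower()] = None if value == "(none)" else value
        elif ver:
            current = ver.group(1)
            pol["table"][current] = []
        elif src and current:
            pol["table"][current].append((int(src.group(1)), src.group(2)))
    return pol

def audit(policy_text, fixed_version):
    """Classify one package against the version an advisory names as fixed."""
    pol = parse_policy(policy_text)
    def fixes(v):
        return v is not None and compare_versions(v, fixed_version) >= 0
    offered = {v: s for v, s in pol["table"].items() if fixes(v)}
    if fixes(pol["installed"]):
        status = "patched"
    elif fixes(pol["candidate"]):
        status = "upgrade-pending"
    elif offered:
        status = "fix-offered-but-not-candidate"
    else:
        status = "fix-not-offered"
    return {"package": pol["package"], "status": status, "offered": offered}

FIXED = "1:5.30-1+deb9u1"   # fixed version quoted in the thread for stretch
# Output quoted in the thread, with apt's usual indentation restored.
PAGE_POLICY = """\
file:
  Installed: 1:5.30-1
  Candidate: 1:5.30-1
  Version table:
 *** 1:5.30-1 991
        991 http://auto.mirror.devuan.org/merged ascii/main i386 Packages
        100 /var/lib/dpkg/status
"""
# Constructed sample: the fix is visible only in a suite pinned at priority 100.
CONSTRUCTED_PINNED = PAGE_POLICY.replace(
    " *** ",
    "     1:5.30-1+deb9u1 100\n"
    "        100 http://auto.mirror.devuan.org/merged ascii-proposed-updates/main i386 Packages\n"
    " *** ")

if __name__ == "__main__":
    for sample in (PAGE_POLICY, CONSTRUCTED_PINNED):
        print(audit(sample, FIXED))
```
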




Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Rowland Penny
On Fri, 8 Sep 2017 00:12:02 +1000
Erik Christiansen  wrote:

> On 07.09.17 14:05, Alessandro Selli wrote:
> >   ROMB is the ROM Bypass and that too is builtin the PCH chip:
> 
> Erik

Excuse me, but can you lot not take a hint ???

Please take this discussion somewhere else, it has NOTHING to do with
Devuan

Rowland



Re: [DNG] Docker on Devuan?

2017-09-07 Thread golinux

On 2017-09-07 07:22, Olaf Meeuwissen wrote:
> Hi Ozi,
>
> Ozi Traveller writes:
>
> > Just wondering whether anyone has managed to get docker installed on Devuan?
> >
> > If so, how? And are you getting docker updates as well?
>
> Have a look at my blog post[1] on this topic ;-)
>
>  [1]: https://paddy-hack.gitlab.io/posts/sandwiching-docker-with-devuan/
>
> I basically just use the vendor provided package for Debian.  Works fine
> so far.
>
> I've also put together a Devuan base image and have a few issues[2] that
> I plan to work on in the not too distant future.
>
>  [2]: https://gitlab.com/paddy-hack/devuan/issues
>
> Hope this helps,



Would you consider moving that to git.devuan.org?  Would make it easier 
for devuan users to find.


golinux


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Erik Christiansen
On 07.09.17 14:05, Alessandro Selli wrote:
>   ROMB is the ROM Bypass and that too is builtin the PCH chip:
> 
>   Loading starts with the ROM program, which is contained in the
>   built-in PCH read-only memory. Unfortunately, no way to read or
>   rewrite this memory is known to the general public. However, one can
>   find pre-release versions of ME firmware on the Internet containing
>   the ROMB (ROM BYPASS) section which, as we can assume, duplicates the
>   functionality of ROM.

Many thanks Alessandro for elucidating that. I'm experiencing some
culture shock on reading it.

I have not made a survey of the open source CPU cores implemented on
FPGAs, but a quick "fpga linux board" google shows multiple candidates.
Running a minimal kernel with little more than packet routing filtering
and a local management interface - console only if we're paranoid, means
we _are_ in full control of all network traffic in and out of our LAN.
(I do not plan to use wlan.)

Presumably all externally initiated connections are already blocked.
Then if we only allow outgoing connections to whitelisted IPs, we're
beginning to make things more difficult for snoops. Vulnerabilities on
our hardware-compromised hosts are less exploitable if they can't be
reached, I figure.

If the firewall is on a FPGA, then we know what every gate is doing, as
we have the VHDL source for it.

Erik


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Erik Christiansen
On 07.09.17 13:32, Adam Borowski wrote:
> On Thu, Sep 07, 2017 at 09:17:20PM +1000, Erik Christiansen wrote:
> > If our hosts cannot be trusted not to phone home to folk wearing dark
> > glasses, then would it not suffice to employ a simple embedded host with
> > a small die, such as an ARM, e.g. Beaglebone Black, as a firewall?
> 
> It's not hard to trigger a backdoor using a higher level protocol, from
> Javascript, etc.

But no-one who is awake would enable java or any of that stuff on a firewall.
Back doors on the LAN can't phone home through a minimal-silicon RISC
embedded firewall which is just too small to contain any secondary CPU.
It just needs to run a minimal kernel with packet routing capability.
Everything else is a door into vacuum.

Erik


Re: [DNG] Talos, Intel, libre purism, ...

2017-09-07 Thread golinux

On 2017-09-07 08:01, Svante Signell wrote:
> On Thu, 2017-09-07 at 14:11 +0200, Antony Stone wrote:
> > On Thursday 07 September 2017 at 13:59:01, Narcis Garcia wrote:
> >
> > > This thread has now 86 posts, and I still don't see a solid contribution
> > > to Devuan project.
> > > This makes very heavy to be subscribed in a mailing list for people like
> > > me, that are looking a good alternative to Debian/Systemd, not only in
> > > software but also in community.
> >
> > I'm strongly inclined to agree.
> >
> > Perhaps we could have something like a "devuan-discuss" list for the
> > philosophy and the disagreements, leaving this list for discussions actually
> > directly related to developing or using Devuan?
>
> Yes, please! Even if some messages are interesting, a majority of them are
> off-topic for Devuan. This list should concern user feedback, etc. For pure
> development there is already list for that: devuan-dev.


LOL!  We had a devuan-discuss list and almost nobody used it so it was 
removed.  Unlikely we'll go there again.  Search the archives for the 
discussion about that event.  It started here:

Date: 2016-11-06 07:59 -600
To: dng
Subject: [DNG] devuan-discuss is not useful, quite the opposite

More lists is not a solution for poor judgment on the part of list 
participants who always try to have the last word in some ridiculous 
hair-splitting debate that is often off-topic.


golinux


Re: [DNG] Talos, Intel, libre purism, ...

2017-09-07 Thread Svante Signell
On Thu, 2017-09-07 at 14:11 +0200, Antony Stone wrote:
> On Thursday 07 September 2017 at 13:59:01, Narcis Garcia wrote:
> 
> > This thread has now 86 posts, and I still don't see a solid contribution
> > to Devuan project.
> > This makes very heavy to be subscribed in a mailing list for people like
> > me, that are looking a good alternative to Debian/Systemd, not only in
> > software but also in community.
> 
> I'm strongly inclined to agree.
> 
> Perhaps we could have something like a "devuan-discuss" list for the 
> philosophy and the disagreements, leaving this list for discussions actually 
> directly related to developing or using Devuan?

Yes, please! Even if some messages are interesting, a majority of them are off-
topic for Devuan. This list should concern user feedback, etc. For pure
development there is already list for that: devuan-dev. 


[DNG] ascii-security Was:Re: Security updates in Devuan

2017-09-07 Thread Svante Signell
On Thu, 2017-09-07 at 21:07 +0900, Olaf Meeuwissen wrote:
> Hi John,
> 
> John Franklin writes:
> 
> > I’ve seen several security alerts from Debian, but no matching
> > updates in Devuan.  For example, the “file" package has
> > CVE-2017-1000249, released yesterday.
> > 
> > > For the stable distribution (stretch), this problem has been fixed in
> > > version 1:5.30-1+deb9u1.

> Uhm, Devuan ascii is testing.  I'd think that doesn't get any security
> upgrades, just like Debian's testing (buster) doesn't get any.

No, Devuan ascii is stretch, i.e. Debian stable.

This upgrade should be available, but isn't:
Adding to /etc/apt/sources.list,
deb http://auto.mirror.devuan.org/merged ascii-security  main
does not make it available:
apt-cache policy file
file:
  Installed: 1:5.30-1
  Candidate: 1:5.30-1
  Version table:
 *** 1:5.30-1 991
        991 http://auto.mirror.devuan.org/merged ascii/main i386 Packages
        100 /var/lib/dpkg/status


Re: [DNG] Docker on Devuan?

2017-09-07 Thread Olaf Meeuwissen
Hi Ozi,

Ozi Traveller writes:

> Just wondering whether anyone has managed to get docker installed on Devuan?
>
> If so, how? And are you getting docker updates as well?

Have a look at my blog post[1] on this topic ;-)

 [1]: https://paddy-hack.gitlab.io/posts/sandwiching-docker-with-devuan/

I basically just use the vendor provided package for Debian.  Works fine
so far.

I've also put together a Devuan base image and have a few issues[2] that
I plan to work on in the not too distant future.

 [2]: https://gitlab.com/paddy-hack/devuan/issues

Hope this helps,
--
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation  https://my.fsf.org/join


Re: [DNG] Security updates in Devuan

2017-09-07 Thread Olaf Meeuwissen
Hi John,

John Franklin writes:

> I’ve seen several security alerts from Debian, but no matching
> updates in Devuan.  For example, the “file" package has
> CVE-2017-1000249, released yesterday.
>
>> For the stable distribution (stretch), this problem has been fixed in
>> version 1:5.30-1+deb9u1.
>>
>> For the unstable distribution (sid), this problem has been fixed in
>> version 1:5.32-1.
>
> But, on a Devuan Ascii VM:

Uhm, Devuan ascii is testing.  I'd think that doesn't get any security
upgrades, just like Debian's testing (buster) doesn't get any.

In addition, this particular DSA doesn't mention fixes for oldstable so
I would not expect Devuan's jessie to get any security upgrade either.

Looks like you'll have to wait until whatever hit unstable trickles down
to testing.

> [...]
>
> Maybe this one is too new, but the “apache2" package has
> CVE-2017-9788 released July 18th, 2017.
>
>> For the oldstable distribution (jessie), this problem has been fixed
>> in version 2.4.10-10+deb8u10.
>>
>> For the stable distribution (stretch), this problem has been fixed in
>> version 2.4.25-3+deb9u2.
>>
>> For the unstable distribution (sid), this problem has been fixed in
>> version 2.4.27-1.
>
> The latest apache2 in Ascii is 2.4.25-3+deb9u1.

On my Devuan jessie I get this

$ apt-cache policy apache2
apache2:
  Installed: (none)
  Candidate: 2.4.10-10+deb8u10
  Version table:
     2.4.10-10+deb8u10 0
        500 http://auto.mirror.devuan.org/merged/ jessie-security/main amd64 Packages
     2.4.10-10+deb8u9 0
        500 http://auto.mirror.devuan.org/merged/ jessie/main amd64 Packages

This matches what is available for Debian's jessie (oldstable).

Hope this helps,
--
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation  https://my.fsf.org/join


Re: [DNG] Talos, Intel, libre purism, ...

2017-09-07 Thread Rowland Penny
On Thu, 7 Sep 2017 13:59:01 +0200
Narcis Garcia  wrote:

> This thread has now 86 posts, and I still don't see a solid
> contribution to Devuan project.
> This makes very heavy to be subscribed in a mailing list for people
> like me, that are looking a good alternative to Debian/Systemd, not
> only in software but also in community.
> 
> 

Totally agree with the sentiments of the above post.
Can we please keep to posts that are relevant to Devuan.

If you want to have philosophical discussions about Open source, can
you please do it somewhere else.

Rowland Penny
  


Re: [DNG] Talos, Intel, libre purism, ...

2017-09-07 Thread Antony Stone
On Thursday 07 September 2017 at 13:59:01, Narcis Garcia wrote:

> This thread has now 86 posts, and I still don't see a solid contribution
> to Devuan project.
> This makes very heavy to be subscribed in a mailing list for people like
> me, that are looking a good alternative to Debian/Systemd, not only in
> software but also in community.

I'm strongly inclined to agree.

Perhaps we could have something like a "devuan-discuss" list for the 
philosophy and the disagreements, leaving this list for discussions actually 
directly related to developing or using Devuan?


Antony.

-- 
Wanted: telepath.   You know where to apply.

   Please reply to the list;
 please *don't* CC me.


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Alessandro Selli
On Thu, 7 Sep 2017 at 13:41:25 +0200
Alessandro Selli  wrote:

> On Thu, 7 Sep 2017 at 21:17:20 +1000
> Erik Christiansen  wrote:
> 
> > The notion of an extra embedded CPU or two on big Intel chips is not
> > difficult to credit, but where is the postulated entire minix OS loaded
> > from?
> 
>   It's in the report by the Positive Technologies team:
> http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
> 
>   We see increasing interest in Intel ME internals from researchers
>   all over the world. One of the reasons is the transition of this
>   subsystem to new hardware (x86) and software (modified MINIX as an
>   operating system). The x86 platform allows researchers to make use
>   of the full power of binary code analysis tools. Previously, firmware
>   analysis was difficult because earlier versions of ME were based on
>   an ARCompact microcontroller with an unfamiliar set of instructions.

  Sorry, I think I misinterpreted your question.  Did you ask where in the
Intel hardware is the Minix OS loaded from?  In the above report I read that:

    Similarly, we are sure that the ROM integrated into the PCH is
    practically the same as ROMB, which also does not contain any code
    allowing an exit from HAP mode.

  PCH is the Platform Controller Hub:

    Intel Management Engine is a proprietary technology that consists of
    a microcontroller integrated into the Platform Controller Hub (PCH)
    chip and a set of built-in peripherals. The PCH carries almost all
    communication between the processor and external devices; therefore
    Intel ME has access to almost all data on the computer.

  The "set of built-in peripherals" most notably includes the ethernet and the
WiFi controllers, depending on the specific chips involved.
  ROMB is the ROM Bypass and that too is built into the PCH chip:

    Loading starts with the ROM program, which is contained in the
    built-in PCH read-only memory. Unfortunately, no way to read or
    rewrite this memory is known to the general public. However, one can
    find pre-release versions of ME firmware on the Internet containing
    the ROMB (ROM BYPASS) section which, as we can assume, duplicates the
    functionality of ROM.


  Bye,


-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9


[DNG] Talos, Intel, libre purism, ...

2017-09-07 Thread Narcis Garcia
This thread now has 86 posts, and I still don't see a solid contribution
to the Devuan project.
This makes it very heavy to be subscribed to a mailing list for people like
me, who are looking for a good alternative to Debian/Systemd, not only in
software but also in community.


On 07/09/17 at 13:43, Didier Kryn wrote:
> On 07/09/2017 at 10:48, taii...@gmx.com wrote:
>> On 09/07/2017 04:30 AM, Alessandro Selli wrote:
>>
>>> On Wed, 6 Sep 2017 at 17:12:27 -0400
>>> zap  wrote:
>>>
>>>> Agreed! Talos is at least *LIBRE!*
>>>    No, it ain't:
>>> https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/
>>>
>>> "BMCs and the IPMI Protocol
>>>
>>> Baseboard Management Controllers (BMCs) are a type of embedded
>>> computer used to provide out-of-band monitoring for desktops and
>>> servers. These products are sold under many brand names, including HP
>>> iLO, Dell DRAC, Sun ILOM, Fujitsu iRMC, *IBM IMM*, and Supermicro
>>> IPMI."
>>>
>>>    IBM stuff is plagued by embedded controlware, too.
>
>
> Alessandro, I've read that thread with great interest and I think
> you forgot a "detail": BMC software is open on IBM Power, meaning you
> can replace it by your own, or patch the existing if you prefer.
>
> Whether there is yet another backdoor is only a supposition and it
> applies to everything you can buy, not specifically IBM. At least, if
> there is one, it is known only to the manufacturer and the 3-letter
> agencies, not to the general hacker. And I'm optimistic because of the
> following law: the time of life of a secret decreases when the number of
> persons who share it increases, and in this case there must be a number
> of engineers.
> 
> Didier
> 
> 


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Didier Kryn

On 07/09/2017 at 10:48, taii...@gmx.com wrote:
> On 09/07/2017 04:30 AM, Alessandro Selli wrote:
>
>> On Wed, 6 Sep 2017 at 17:12:27 -0400
>> zap  wrote:
>>
>>> Agreed! Talos is at least *LIBRE!*
>>
>>    No, it ain't:
>> https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/
>>
>> "BMCs and the IPMI Protocol
>>
>> Baseboard Management Controllers (BMCs) are a type of embedded
>> computer used to provide out-of-band monitoring for desktops and
>> servers. These products are sold under many brand names, including HP
>> iLO, Dell DRAC, Sun ILOM, Fujitsu iRMC, *IBM IMM*, and Supermicro
>> IPMI."
>>
>>    IBM stuff is plagued by embedded controlware, too.

Alessandro, I've read that thread with great interest and I think
you forgot a "detail": BMC software is open on IBM Power, meaning you
can replace it by your own, or patch the existing if you prefer.

Whether there is yet another backdoor is only a supposition and it
applies to everything you can buy, not specifically IBM. At least, if
there is one, it is known only to the manufacturer and the 3-letter
agencies, not to the general hacker. And I'm optimistic because of the
following law: the time of life of a secret decreases when the number of
persons who share it increases, and in this case there must be a number
of engineers.


Didier




Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Alessandro Selli
On Thu, 7 Sep 2017 at 21:17:20 +1000
Erik Christiansen  wrote:

> The notion of an extra embedded CPU or two on big Intel chips is not
> difficult to credit, but where is the postulated entire minix OS loaded
> from?

  It's in the report by the Positive Technologies team:
http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

We see increasing interest in Intel ME internals from researchers all
over the world. One of the reasons is the transition of this
subsystem to new hardware (x86) and software (modified MINIX as an
operating system). The x86 platform allows researchers to make use of
the full power of binary code analysis tools. Previously, firmware
analysis was difficult because earlier versions of ME were based on
an ARCompact microcontroller with an unfamiliar set of instructions.


> If our hosts cannot be trusted not to phone home to folk wearing dark
> glasses,

  It is not just that they phone home, the worst part is that they pick up
the phone, your phone!

> then would it not suffice to employ a simple embedded host with
> a small die, such as an ARM, e.g. Beaglebone Black, as a firewall?

  Maybe, but it's difficult to know exactly what triggers the numerous ME
modules and functions of a running system - it's best disabling everything
at boot time. You are supposed to filter both incoming and outgoing traffic,
which is not very easy when you do not know what you need to block. Plus, I
do not remember where I read it, but there are functions in WiFi AP/DSL
modems that were found to have backdoors that are triggered by a precise
sequence of IP packets the unit receives where both headers and payload
matter, which makes for a complicated deep packet inspection firewall that
you need to set up.

  What we actually need is Openhardware products ready to supplant current
off-the-shelf proprietary chips and controllers.


-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Adam Borowski
On Thu, Sep 07, 2017 at 09:17:20PM +1000, Erik Christiansen wrote:
> If our hosts cannot be trusted not to phone home to folk wearing dark
> glasses, then would it not suffice to employ a simple embedded host with
> a small die, such as an ARM, e.g. Beaglebone Black, as a firewall?

It's not hard to trigger a backdoor using a higher level protocol, from
Javascript, etc.

-- 
⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢰⠒⠀⣿⡁ Vat kind uf sufficiently advanced technology iz dis!?
⢿⡄⠘⠷⠚⠋⠀ -- Genghis Ht'rok'din
⠈⠳⣄ 


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Erik Christiansen
The notion of an extra embedded CPU or two on big Intel chips is not
difficult to credit, but where is the postulated entire minix OS loaded
from?

If our hosts cannot be trusted not to phone home to folk wearing dark
glasses, then would it not suffice to employ a simple embedded host with
a small die, such as an ARM, e.g. Beaglebone Black, as a firewall?
Buy two, take the lid off the chip on one, to confirm that there's only
enough silicon complexity to provide one RISC CPU, and paranoia might be
able to be reined in. With a microscope, purely optical or USB, it is
not that hard to identify recognisable structures such as ALU,
registers, ROM, etc. Any second CPU capable of running a TCP stack would
show up.

If that's not enough, then an ethernet sniffer running on unsubvertible
low level 16 bit embedded hardware, running a low level RTOS, could
monitor traffic to the firewall, logging all destination IPs, protocol,
etc., revealing unwarranted traffic.

Conspiracy theories are lotsa fun, but if there's a problem with
substance, then restoring user control needn't be that hard, I figure.

Erik
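
The logging step of the sniffer proposed in this message (destination IP, protocol and port of everything a host sends), as an added example that is not part of the post: it parses raw Ethernet II frames and counts the flows that are not on an expected list. The frames are constructed here with documentation-range addresses, and the function names, the monitored host and the expected set are assumptions of this example.

```python
import socket
import struct
from collections import Counter

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_frame(frame):
    """Return (src, dst, proto, dport) for an IPv4 Ethernet II frame, else None."""
    offset = 14
    if len(frame) < offset:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x8100 and len(frame) >= 18:      # skip one 802.1Q VLAN tag
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != 0x0800 or len(frame) < offset + 20:
        return None                                    # not IPv4, or truncated
    ihl = (frame[offset] & 0x0F) * 4
    if frame[offset] >> 4 != 4 or ihl < 20 or len(frame) < offset + ihl:
        return None
    frag = struct.unpack("!H", frame[offset + 6:offset + 8])[0] & 0x1FFF
    proto = frame[offset + 9]
    src = socket.inet_ntoa(frame[offset + 12:offset + 16])
    dst = socket.inet_ntoa(frame[offset + 16:offset + 20])
    dport = None
    l4 = offset + ihl
    # Ports exist only in the first fragment of a TCP or UDP datagram.
    if proto in (6, 17) and frag == 0 and len(frame) >= l4 + 4:
        dport = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
    return src, dst, PROTO_NAMES.get(proto, str(proto)), dport

def unexpected_flows(frames, monitored_host, expected):
    """Count (dst, proto, dport) flows sent by monitored_host that are not expected."""
    seen = Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if src == monitored_host and (dst, proto, dport) not in expected:
            seen[(dst, proto, dport)] += 1
    return seen

def build_frame(src, dst, proto, dport=0, sport=40000):
    """Build a minimal constructed frame: Ethernet II + IPv4 + 4 bytes of L4."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    eth += struct.pack("!H", 0x0800)
    l4 = struct.pack("!HH", sport, dport) if proto in (6, 17) else b"\x08\x00\x00\x00"
    # Header checksum is left at 0; the parser does not validate it.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4

MONITORED = "192.0.2.10"                               # constructed host address
EXPECTED = {("192.0.2.53", "udp", 53),                 # its resolver
            ("198.51.100.20", "tcp", 80)}              # its package mirror
SAMPLE_FRAMES = [                                      # constructed capture
    build_frame(MONITORED, "192.0.2.53", 17, 53),
    build_frame(MONITORED, "198.51.100.20", 6, 80),
    build_frame(MONITORED, "203.0.113.77", 6, 443),
    build_frame(MONITORED, "203.0.113.77", 6, 443),
    build_frame(MONITORED, "203.0.113.77", 1),
    build_frame("198.51.100.20", MONITORED, 6, 40000), # inbound reply, not counted
    b"\xff" * 12 + b"\x08\x06" + b"\x00" * 28,         # ARP, skipped
    b"\x00" * 10,                                      # truncated, skipped
]

if __name__ == "__main__":
    for flow, count in unexpected_flows(SAMPLE_FRAMES, MONITORED, EXPECTED).items():
        print(count, flow)
```

A flow that matches the expected set is not examined further, which is the limit Adam Borowski's reply in this thread points at.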


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Alessandro Selli
On Thu, 7 Sep 2017 at 06:29:59 -0400
"taii...@gmx.com"  wrote:

> On 09/07/2017 05:01 AM, Rick Moen wrote:
>
>> Quoting taii...@gmx.com (taii...@gmx.com):
>>
>> [speaking to Alessandro Selli]
>>
>>> You are constantly defending them and snubbing your nose at superior
>>> products so it is obvious you work for purism.
>> Can I ask for a bit more civility, please?  Mr. Selli is a fairly
>> passionate free software person, more than adequately accounting for his
>> views, which I respect even though we have sometimes disagreed rather
>> strongly.  There is zero justification for attributing ulterior motives
>> to him.
>>
>> I also find a bit questionable your going around attempting to tarnish
>> the reputation of someone with a real name, while concealing your own.
> Criticism isn't allowed? I dislike when people deal with speculation 
> instead of proven facts when judging technical merits.

  I provided links and quotes to back what I wrote.  Of course I could
still be wrong, but your criticism was not based on anything factual - at
least you did not provide facts to back your claims.

> Could POWER have an undocumented backdoor? Of course - anything is 
> possible when it comes to something that complex.
> Do modern x86 processors have one that is impossible to remove? That is 
> a proven fact.

  * Does POWER have an undocumented backdoor? Of course, that is a proven
    fact.
  * Could they be disabled or at least partially removed?  No one knows.
  * Do modern x86 processors have an undocumented backdoor? Of course, that
    is a proven fact.
  * Could they be disabled or at least partially removed?  Yes, as Rick Moen
    reported on Thu, 31 Aug 2017 21:46:39 -0700 documenting his claims and
    quoting the works of the Positive Technologies team.

> I don't use my "real" name on the internet for the same reason I don't 
> want a computer with ME/PSP.

  No one can hack your brain remotely because they know your real name.
Concealing it just makes whatever you claim dubious and unverifiable without
third-party documentation - that you *always* fail producing.


  Greetings,


-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread taii...@gmx.com

On 09/07/2017 05:01 AM, Rick Moen wrote:

> Quoting taii...@gmx.com (taii...@gmx.com):
>
> [speaking to Alessandro Selli]
>
>> You are constantly defending them and snubbing your nose at superior
>> products so it is obvious you work for purism.
>
> Can I ask for a bit more civility, please?  Mr. Selli is a fairly
> passionate free software person, more than adequately accounting for his
> views, which I respect even though we have sometimes disagreed rather
> strongly.  There is zero justification for attributing ulterior motives
> to him.
>
> I also find a bit questionable your going around attempting to tarnish
> the reputation of someone with a real name, while concealing your own.

Criticism isn't allowed? I dislike when people deal with speculation
instead of proven facts when judging technical merits.

Could POWER have an undocumented backdoor? Of course - anything is
possible when it comes to something that complex.
Do modern x86 processors have one that is impossible to remove? That is
a proven fact.

I don't use my "real" name on the internet for the same reason I don't
want a computer with ME/PSP.



Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Alessandro Selli
On Thu, 7 Sep 2017 at 04:48:43 -0400
"taii...@gmx.com"  wrote:

> On 09/07/2017 04:30 AM, Alessandro Selli wrote:
>
>> On Wed, 6 Sep 2017 at 17:12:27 -0400
>> zap  wrote:
>>
>>> Agreed! Talos is at least *LIBRE!*
>>No, it ain't:
>> https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/
>>
>>  "BMCs and the IPMI Protocol
>>
>>  Baseboard Management Controllers (BMCs) are a type of embedded
>>  computer used to provide out-of-band monitoring for desktops and
>>  servers. These products are sold under many brand names,
>> including HP iLO, Dell DRAC, Sun ILOM, Fujitsu iRMC, *IBM IMM*, and
>> Supermicro IPMI."
>>
>>IBM stuff is plagued by embedded controlware, too.
>
> Uhh no it is

  Yes it is.

> There is a major difference between ME/PSP and IBM's POWER-BMC - One is 
> open source and owner controlled the other two aren't.

  Anything from IBM and Power-related is proprietary.  Again, could you show
us blueprints of the CPU and the Remote Supervisor Adapter present in IBM's
chipsets?

> On 09/06/2017 07:18 PM, Alessandro Selli wrote:
>
>> On 06/09/2017 at 19:15, taii...@gmx.com wrote:
>>> On 09/06/2017 06:36 AM, Alessandro Selli wrote:
>>>
>>>> The steep price.

>>> Uhh the laptops you guys are selling now cost just as much as TALOS...
>>"you" whom?  I am not a seller.
> You are constantly defending

  No, I reported of what they are doing, providing quotations.

> them and snubbing your nose at superior 
> products

  No, I am only pointing out anything you wrote about the supposed
superiority of TALOS is faith-based.

> so it is obvious you work for purism.

  You are constantly defending TALOS and their products based on proprietary,
closed-source hardware from a single producer that has decades-long strong
relationships with the US military and is known to put remote-control
hardware and software in their products that cannot be disabled AFAIK.  So,
it is obvious you work for TALOS.

>>> only they aren't owner controlled.
>>That you know of.  I remember IBM has always been one of the top USA
>> military's purveyors:
>>
>> http://newspaperarchives.vassar.edu/cgi-bin/vassar?a=d=miscellany19700206-01.2.13
>>
>> "In fiscal 1909, IBM contracted for $257,000,000.00 worth of its
>> products with the United States Department of Defense. 4 The importance
>> of IBM's military role has grown with the computerization of the
>> American war effort in Vietnam." (1909 is probably an OCR error, there
>> are many in the piece; it could be 1969).
>>
>>I very doubt material from IBM can be thought of being
>> freedom-and-liberty loving and exempt from any governmental-friendly
>> "features".  They just don't put it in their public spec sheets like
>> Intel does.
> Ahh oh well shucks looks like I had better buy a purism right? at least 
> then I know for a fact that there is a hardware level backdoor and can 
> act accordingly!

  You could buy a costlier product from TALOS and get yourself a system with
hardware backdoors that, differently from Intel's, cannot be disabled (at
least no one knows how to do it).

  Enjoy your golden privacy- and freedom-denying cage by Big Blue.


-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Rick Moen
Quoting taii...@gmx.com (taii...@gmx.com):

[speaking to Alessandro Selli]

> You are constantly defending them and snubbing your nose at superior
> products so it is obvious you work for purism.

Can I ask for a bit more civility, please?  Mr. Selli is a fairly
passionate free software person, more than adequately accounting for his
views, which I respect even though we have sometimes disagreed rather
strongly.  There is zero justification for attributing ulterior motives
to him.

I also find a bit questionable your going around attempting to tarnish
the reputation of someone with a real name, while concealing your own.




Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread taii...@gmx.com

On 09/07/2017 04:30 AM, Alessandro Selli wrote:

> On Wed, 6 Sep 2017 at 17:12:27 -0400
> zap  wrote:
>
>> Agreed! Talos is at least *LIBRE!*
>
>    No, it ain't:
> https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/
>
> "BMCs and the IPMI Protocol
>
> Baseboard Management Controllers (BMCs) are a type of embedded
> computer used to provide out-of-band monitoring for desktops and
> servers. These products are sold under many brand names, including HP
> iLO, Dell DRAC, Sun ILOM, Fujitsu iRMC, *IBM IMM*, and Supermicro
> IPMI."
>
>    IBM stuff is plagued by embedded controlware, too.

Uhh no it is
There is a major difference between ME/PSP and IBM's POWER-BMC - One is
open source and owner controlled the other two aren't.

On 09/06/2017 07:18 PM, Alessandro Selli wrote:

> On 06/09/2017 at 19:15, taii...@gmx.com wrote:
>
>> On 09/06/2017 06:36 AM, Alessandro Selli wrote:
>>
>>> The steep price.
>>
>> Uhh the laptops you guys are selling now cost just as much as TALOS...
>
>    "you" whom?  I am not a seller.

You are constantly defending them and snubbing your nose at superior
products so it is obvious you work for purism.

>> only they aren't owner controlled.
>
>    That you know of.  I remember IBM has always been one of the top USA
> military's purveyors:
>
> http://newspaperarchives.vassar.edu/cgi-bin/vassar?a=d=miscellany19700206-01.2.13
>
> "In fiscal 1909, IBM contracted for $257,000,000.00 worth of its
> products with the United States Department of Defense. 4 The importance
> of IBM's military role has grown with the computerization of the
> American war effort in Vietnam." (1909 is probably an OCR error, there
> are many in the piece; it could be 1969).
>
>    I very doubt material from IBM can be thought of being
> freedom-and-liberty loving and exempt from any governmental-friendly
> "features".  They just don't put it in their public spec sheets like
> Intel does.

Ahh oh well shucks looks like I had better buy a purism right? at least
then I know for a fact that there is a hardware level backdoor and can
act accordingly!



Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Alessandro Selli
On Thu, 7 Sep 2017 at 10:30:39 +0200
Alessandro Selli  wrote:

> On Wed, 6 Sep 2017 at 17:12:27 -0400
> zap  wrote:
> 
> > Agreed! Talos is at least *LIBRE!*
> 
>   No, it ain't:
> https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/
> 
>   "BMCs and the IPMI Protocol
> 
>   Baseboard Management Controllers (BMCs) are a type of embedded
>   computer used to provide out-of-band monitoring for desktops and
>   servers. These products are sold under many brand names, including
> HP iLO, Dell DRAC, Sun ILOM, Fujitsu iRMC, *IBM IMM*, and Supermicro
>   IPMI."
> 
>   IBM stuff is plagued by embedded controlware, too.

  More info:

https://www.ibm.com/support/knowledgecenter/STAV45/com.ibm.sonas.doc/imm_users_guide_60y1465.pdf


IMM features
 The IMM provides the following functions:
 ° Around-the-clock remote access and management of your server
 ° Remote management independent of the status of the managed server
 ° Remote control of hardware and operating systems
 ° Web-based management with standard Web browsers


  So much for the idea such a thing as a freedom-loving and people's rights
and privacy respectful technocorporation could exist.


  Greetings,


-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Alessandro Selli
On Wed, 6 Sep 2017 at 17:12:27 -0400
zap  wrote:

> Agreed! Talos is at least *LIBRE!*

  No, it ain't:
https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/

"BMCs and the IPMI Protocol

Baseboard Management Controllers (BMCs) are a type of embedded
computer used to provide out-of-band monitoring for desktops and
servers. These products are sold under many brand names, including HP
iLO, Dell DRAC, Sun ILOM, Fujitsu iRMC, *IBM IMM*, and Supermicro
IPMI."

  IBM stuff is plagued by embedded controlware, too.


-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9