Re: [qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?

2017-10-10 Thread Sean Hunter
On Sat, Oct 07, 2017 at 05:01:37PM -0400, taii...@gmx.com wrote:
> https://www.reddit.com/r/linux/comments/3anjgm/on_the_librem_laptop_purism_doesnt_believe_in/
> Purism is a scam, don't buy from them - their laptops are as owner
> controlled and freedom respecting as a dell - their version of coreboot is a
> wrapper layer with all the hardware init done by a black box binary blob so
> it is worthless.

I see that reddit post from 2 years ago referred to a lot, and I know this is 
(for some reason) a very emotional topic.  However it doesn't seem to 
correspond to what I see when I dig under the surface, which is the purism guys 
merging changes into coreboot (eg 
https://review.coreboot.org/#/q/status:mergbranch:master 
topic:purism/librem13ed+project:coreboot+purism) and what I see on my own 
laptop, which is that it is SeaBIOS + coreboot.  I doubt it is perfect, but it 
is way better than a Dell.

If I look at https://puri.sm/faq/do-librem-devices-support-coreboot/ it says 
that 13v2 and 15v3 (what I have) come with coreboot pre-installed and for 
earlier versions they have instructions to update to coreboot.

Sean

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20171008092438.GA1688%40uncarved.com.
For more options, visit https://groups.google.com/d/optout.




Re: AW: Re: [qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?

2017-10-08 Thread taii...@gmx.com

On 10/08/2017 06:44 AM, One7two99 wrote:

> Hello Taiidan,
>
>> There isn't any reason to buy purism's faux
>> libre laptops instead of say
>> a Lenovo G505S ...
>
> I don't understand why this topic is often discussed so emotionally.
> As far as I know the G505s is a big laptop (15inch?) which seems also located at the
> entry class (compared to the "Thinkpad class").

The performance is about the same as an ivy bridge class laptop (X230), 
the downsides being the build quality is not as good and there is no 
dock or second battery option.

> Don't get me wrong I think most "older" are perfectly fine, that's why I am
> suggesting looking at a x230 or similar.
> A good thing with Purism Laptop line is, that it shows that there is a market for laptops
> that seem to look like they are more "free" than others - if the company fools
> people here, you are right this is bad - but this is also a chance for others to make it
> better.
> More competition is always good :-)

If it was a bigger market I would agree with you, however in such a 
small market they simply suck resources from better projects.

> And maybe some users just want to buy a new "shiny" machine and not a 4y old
> laptop.

Then they should buy a dell

> Maybe even for the "strange" reason that it just looks more sexy or that they
> need certain interfaces, a specific display resolution ... Whatever.
> Looking at my company it would not be possible to buy a used machine without
> hardware replacement as all laptops are covered with on-site service.
> That's why I'm using the X230 as BYOD device.
>
>> which is actually owner controlled (open
>> source hw init coreboot), supports qubes
>> 4.0 and doesn't have a black box supervisor
>> processor (ME/PSP)
>
> If I understand you correctly you're saying that the blob which contains Intel
> AMT/ME is not modified in Purism's laptop line?

It is modified by me_cleaner but as I said before one can do this on 
pretty much any laptop without boot guard (or cross vendor cpu swap to 
disable BG) and save the additional thousand dollars you would have 
spent on a purism laptop over a dell (I like dell because of the 
"ProSupport" US tech support option on their business lines) - 
additionally if Intel had a backdoor in ME they would include it in FSP 
as well making purism's "coreboot" quite pointless

me cleaner only would affect generic ME exploits not the hypothetical 
intel backdoor which could easily be included in the initial modules, 
hardware mask ROM or hidden EEPROM.

> As far as I know it is possible (at least for the laptop I am using and also
> others) to use ME_cleaner which will cripple the AMT Blob so that the risk that
> anything bad is running there is reduced.

Yeah I did it on my X230 and it works great, but me is simply nerfed not 
disabled - a laptop without it is much better.

> Take a look at this post:
> https://puri.sm/posts/neutralizing-intel-management-engine-on-librem-laptops/
>
> "(...) Of those 23 modules, 21 modules are completely removed from the ME partition,
> and we leave only 2 modules: ROMP and BUP. The ROMP module is a “ROM bypass” module which
> is used to bypass the ROM initialization code and it’s less than 1KB of code, used to
> load the BUP module and execute it. The BUP module is a 116KB module which is used to
> initialize the ME hardware. (...)"
>
> So this would still be a (bit more) reasonable secure laptop.

Of course, but at that point you might as well just skip the middleman 
and go buy a laptop from a chinese whitebox seller like they did - then 
run ME cleaner yourself (and donate the money you saved to the people 
who made me_cleaner)




AW: Re: [qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?

2017-10-08 Thread 'One7two99' via qubes-users
Hello Taiidan,

>> There isn't any reason to buy purism's faux
>> libre laptops instead of say
>> a Lenovo G505S ...

I don't understand why this topic is often discussed so emotionally.
As far as I know the G505s is a big laptop (15inch?) which seems also located 
at the entry class (compared to the "Thinkpad class").
Don't get me wrong I think most "older" are perfectly fine, that's why I am 
suggesting looking at a x230 or similar.
A good thing with Purism Laptop line is, that it shows that there is a market 
for laptops that seem to look like they are more "free" than others - if the 
company fools people here, you are right this is bad - but this is also a 
chance for others to make it better.
More competition is always good :-)

And maybe some users just want to buy a new "shiny" machine and not a 4y old 
laptop.
Maybe even for the "strange" reason that it just looks more sexy or that they 
need certain interfaces, a specific display resolution ... Whatever.
Looking at my company it would not be possible to buy a used machine without 
hardware replacement as all laptops are covered with on-site service.
That's why I'm using the X230 as BYOD device.

>> which is actually owner controlled (open
>> source hw init coreboot), supports qubes
>> 4.0 and doesn't have a black box supervisor
>> processor (ME/PSP)

If I understand you correctly you're saying that the blob which contains Intel 
AMT/ME is not modified in Purism's laptop line?
As far as I know it is possible (at least for the laptop I am using and also 
others) to use ME_cleaner which will cripple the AMT Blob so that the risk that 
anything bad is running there is reduced.

Take a look at this post:
https://puri.sm/posts/neutralizing-intel-management-engine-on-librem-laptops/

"(...) Of those 23 modules, 21 modules are completely removed from the ME 
partition, and we leave only 2 modules: ROMP and BUP. The ROMP module is a “ROM 
bypass” module which is used to bypass the ROM initialization code and it’s 
less than 1KB of code, used to load the BUP module and execute it. The BUP 
module is a 116KB module which is used to initialize the ME hardware. (...)"

So this would still be a (bit more) reasonable secure laptop.



Re: [qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?

2017-10-08 Thread taii...@gmx.com

On 10/08/2017 05:24 AM, Sean Hunter wrote:

> On Sat, Oct 07, 2017 at 05:01:37PM -0400, taii...@gmx.com wrote:
>> https://www.reddit.com/r/linux/comments/3anjgm/on_the_librem_laptop_purism_doesnt_believe_in/
>> Purism is a scam, don't buy from them - their laptops are as owner
>> controlled and freedom respecting as a dell - their version of coreboot is a
>> wrapper layer with all the hardware init done by a black box binary blob so
>> it is worthless.
>
> I see that reddit post from 2 years ago referred to a lot, and I know this is
> (for some reason) a very emotional topic.  However it doesn't seem to
> correspond to what I see when I dig under the surface, which is the purism guys
> merging changes into coreboot (eg
> https://review.coreboot.org/#/q/status:mergbranch:master
> topic:purism/librem13ed+project:coreboot+purism) and what I see on my own
> laptop, which is that it is SeaBIOS + coreboot.  I doubt it is perfect, but it
> is way better than a Dell.
>
> If I look at https://puri.sm/faq/do-librem-devices-support-coreboot/ it says
> that 13v2 and 15v3 (what I have) come with coreboot pre-installed and for
> earlier versions they have instructions to update to coreboot.
>
> Sean

You seem to not have noticed the second half of my email, or read the 
entirety of that thread's topic post.

Their "coreboot" is simply a wrapper layer that performs no hardware 
init - everything is done by Intel's FSP binary blob making it pointless 
to have as all you do is move trust from vendor (quanta) to OEM (intel) 
- the whole point of coreboot is to avoid an OEM backdoor which this 
doesn't do so you are paying twice as much as dell for no real reason 
and supporting a company that has dishonest advertising.

It is as you say "an emotional topic" because not only do they steal 
money and fame from vendors that sell real libre hardware but they also 
have shills everywhere to put down their technically superior 
competitors and put pressure on the FSF to loosen the RYF standards.

There isn't any reason to buy purism's faux libre laptops instead of say 
a Lenovo G505S, which is actually owner controlled (open source hw init 
coreboot), supports qubes 4.0 and doesn't have a black box supervisor 
processor (ME/PSP)

If google can't convince intel to open source ME and FSP then no one can.



Re: [qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?

2017-10-07 Thread Ron Hunter-Duvar

On 10/07/2017 01:10 PM, frassefredk...@gmail.com wrote:

> Thank you for your response and for sharing your thoughts and experience from
> using Lenovo Thinkpads! I looked at the Hardware Compatibility List and looked
> at Thinkpads, most of the models did not seem to be for sale anymore.
>
>> Honestly I haven't seen any user using touchscreen with Qubes.
>> Just out of interest what is the use case for touch?
>> Regarding recommendation:
>> You haven't said which display size you need.
>
> The use case of touch is mainly for ergonomical reasons. I read and write a lot
> and it is better for my arms to scroll down the documents and highlight things
> using the touch instead of the keyboard and mouse. This is so important for me
> that I would pay more for a touchscreen even. But if I would be able to take
> notes on a Yoga from a conference, using the touch screen, then that would not
> be a bad thing either, but I don't expect that to work well with Qubes.
>
> Desired size of the screen is 14-16 inches.
>
> I should have been more clear about my question regarding the security of the
> Lenovo and if they can be trusted. I have read articles accusing Lenovo of
> planting backdoors in its hardware. My technical skills are currently on a
> hobbyists level so I'm not always sure what to trust and not, wanted some input
> from others regarding this. But then I have also read this article (cited
> below)  that sort of says that the likelihood of there being a backdoor planted
> by Lenovo is low. I just don't know what to believe in. Do you have any comments
> to this? :)
>
> "Lenovo hardware is reportedly banned from the US CIA, as well as the UK's MI5
> and MI6, as well as the Australian Security Intelligence Organization (ASIO) and
> Secret Intelligence Service (ASIS). As of the time of writing, no evidence of any
> wrongdoing on the part of Lenovo has been presented by any of governments who have
> banned their hardware from use in intelligence services.
>
> On devices as open as computers, and especially with Lenovo's ThinkPad product line,
> which has been long venerated for being foremost among laptops designed with
> modularity in mind—featuring detailed disassembly manuals and readily available
> replacement parts—it is difficult to imagine that many opportunities exist to hide a
> hardware backdoor in a relatively open product. Combined with the fact that the
> vital components (processor, RAM, etc.) aren't made by Lenovo, there are few
> opportunities for Lenovo to introduce a hardware-level backdoor in a way that
> wouldn't be glaringly obvious to any engineer armed with a screwdriver."
> Source:
> http://www.techrepublic.com/blog/it-security/corporate-espionage-or-fearmongering-the-facts-about-hardware-level-backdoors/

"...glaringly obvious to any engineer armed with a screwdriver." That's 
the most unbelievably naive view of security I can remember reading. I 
bet the author's password is "pa33w0rd", and it's secure because no one 
would guess some letters were switched with numbers.

https://thehackernews.com/2015/09/lenovo-laptop-virus.html

Note: (1) confirmed, (2) 3 times, (3) one of them was BIOS-embedded.

https://thehackernews.com/2015/08/lenovo-rootkit-malware.html

Ron



Re: [qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?

2017-10-07 Thread Ron Hunter-Duvar

On 10/07/2017 09:42 AM, Frasse F wrote:

> I would like some purchasing advice: I'm looking for a laptop that is
> reasonably secure and also has a built in touch screen. I would prefer if it
> had 16 GB of ram as I want to run Qubes OS and I want to sometimes be able to
> run a Windows App-VM for dictation and speech recognition which is processed
> locally (I do a lot of writing and I also care about security/privacy).
>
> ...
> My second alternative is to buy a non purism laptop which has both a
> touchscreen, enough RAM and is fairly secure. So my second alternative that I'm
> considering would be the Lenovo 520 Yoga.
> https://www.dustin.se/product/5011033265/yoga-520-touch . The model is running
> the Intel® Core™ i5-7200U Processor. According to the specification page on
> Intel's website, this processor does not have the vPro technology.
> https://ark.intel.com/products/95443/Intel-Core-i5-7200U-Processor-3M-Cache-up-to-3_10-GHz
>
> These are my questions
>
> 1) Is there anything except for the AMT/vPro aspect of the hardware security
> that I might have overlooked that is critical when evaluating the Lenovo Yoga's
> safety?
>
> 2) Should one in general be sceptical towards Lenovo even when they are using
> hardware from other manufacturers?

Personally, I avoid Lenovo like the plague since they became 
Chinese-owned. Yes, I know pretty much all the hardware is manufactured 
in China now anyway, but having the senior company management controlled 
by the Chinese government adds a whole 'nother layer of vulnerabilities.

My suspicions were confirmed when they were caught pre-installing 
spyware on them. Of course, that was only Windows, and they were forced 
to remove it, and claimed it was only intended for Chinese customers. 
But to me it shows their intent, and there are many other ways they can 
embed spyware (BIOS/UEFI, other firmware) that would affect Linux too, 
and wouldn't be so easily removed.

Call me paranoid (because I am), but that's my opinion.

I typically go with Dell, although their quality has gone down in recent 
years, and I can't comment on Qubes-specific issues, or your particular 
requirements.

> 3) Are there Qubes users out there who are already using a laptop with touch
> screen and enough ram, running Qubes? What laptop model are you using and would
> you recommend it?

Ron



Re: [qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?

2017-10-07 Thread frassefredkrok
Thank you for your response and for sharing your thoughts and experience from 
using Lenovo Thinkpads! I looked at the Hardware Compatibility List and looked 
at Thinkpads, most of the models did not seem to be for sale anymore. 

> Honestly I haven't seen any user using touchscreen with Qubes.
> Just out of interest what is the use case for touch?
> Regarding recommendation:
> You haven't said which display size you need.

The use case of touch is mainly for ergonomical reasons. I read and write a lot 
and it is better for my arms to scroll down the documents and highlight things 
using the touch instead of the keyboard and mouse. This is so important for me 
that I would pay more for a touchscreen even. But if I would be able to take 
notes on a Yoga from a conference, using the touch screen, then that would not 
be a bad thing either, but I don't expect that to work well with Qubes. 

Desired size of the screen is 14-16 inches. 


I should have been more clear about my question regarding the security of the 
Lenovo and if they can be trusted. I have read articles accusing Lenovo of 
planting backdoors in its hardware. My technical skills are currently on a 
hobbyists level so I'm not always sure what to trust and not, wanted some input 
from others regarding this. But then I have also read this article (cited 
below)  that sort of says that the likelihood of there being a backdoor planted 
by Lenovo is low. I just don't know what to believe in. Do you have any comments 
to this? :) 

"Lenovo hardware is reportedly banned from the US CIA, as well as the UK's MI5 
and MI6, as well as the Australian Security Intelligence Organization (ASIO) 
and Secret Intelligence Service (ASIS). As of the time of writing, no evidence 
of any wrongdoing on the part of Lenovo has been presented by any of 
governments who have banned their hardware from use in intelligence services.

On devices as open as computers, and especially with Lenovo's ThinkPad product 
line, which has been long venerated for being foremost among laptops designed 
with modularity in mind—featuring detailed disassembly manuals and readily 
available replacement parts—it is difficult to imagine that many opportunities 
exist to hide a hardware backdoor in a relatively open product. Combined with 
the fact that the vital components (processor, RAM, etc.) aren't made by 
Lenovo, there are few opportunities for Lenovo to introduce a hardware-level 
backdoor in a way that wouldn't be glaringly obvious to any engineer armed with 
a screwdriver."  
Source: 
http://www.techrepublic.com/blog/it-security/corporate-espionage-or-fearmongering-the-facts-about-hardware-level-backdoors/
