Does your computer respect your rights? Part 1/2
A story about nostalgia, freedom and laptops
This is part 1 of a 2-story blog, in part 2 we go even further into data and hardware isolation.
My dear laptop… choices, choices…
In 2018, I needed to replace my laptop. It was a MacBook Air, 2012 model (6,5 years of productive life), and though it probably was the best laptop I ever had, it began showing signs of age. The battery needed replacement, the disk was low on space, the RAM was limited, and it began spinning its fans after about a minute or two of working on it. So, I started looking for a replacement. Throughout my entire working life, I have only used Windows for two years — and my preference had always been Linux. The powerful tools, the freedom and the ability to get almost anything done was always very appealing. The only challenges at that time were that certain less technical and more “business-oriented” things were a bit tricky. Like getting external displays to work. Or connecting to certain networks. Or certain hardware. Not much of a challenge at home, where you could choose your own infrastructure, but more so in a business setting. So, when MacOS X appeared, which combined the power of a Unix kernel, nice hardware from Apple and the usability one expects from them, I switched to a Mac. Specifically, the PowerBook 17", and I’ve been a Mac user ever since. The natural choice for me would then be one of the new MacBook Pros — very sleek, nice hardware etc. But something did not feel right about it.
Origins…
When I started working in 1998, I implemented Netscape products for clients — the server infrastructure and client software.
For those who did not experience those times, imagine a setting where you had to pay for an internet browser (there was really only one that actually worked), and where corporate internet sites (for those that had one) were nothing more than a glorified yellow pages entry with blue links. We were selling and implementing servers for email and newsgroups, calendars and address books, proxying (internet connectivity was very expensive), search and crawling, certificates (PKI, LDAP) etc. This stuff was all being deployed on a flavor of Unix servers and the occasional Windows NT (often running on RISC architecture). So, from the very beginning I had to work with the underlying infrastructure of what is today our modern internet — DNS, yellow pages, networking, routing, firewalls, services and ports, shells and scripting, processes, users and much more. And we delivered solutions to our clients that enabled them to go to a completely new desktop machine, fire up a browser, connect to a central server, and presto — their email, address book, calendar, network configuration, etc. was ready to use. Not bad for a business 20 years ago.
And it was all under the control of the client — using certificates for signing and encrypting mail, using LDAP as an address book, both internally and externally, setting network configuration, controlling proxies, etc. The only limitation was that there were (as today) certain export limitations on cryptography, which meant that only US clients would get the browsers, email clients and certificate tools that had strong encryption — everyone else (excluding no-export countries) would get weaker cryptography. 20 years ago, this bothered me — the only reason for limiting this was to be able to eavesdrop, but it is equally weak for everyone — malicious or benign. Well, if you aren’t doing anything illegal, you shouldn’t have to worry about this, right? To me, that is completely backwards.
Interlude — am I doing the right thing?
I recently had a client meeting together with a senior member from a big research firm, and we met again at the airport, somehow, we got to talking about Marc Andreesen of Mozilla fame, and more and more things started to come together. The feeling I had about a new laptop was not so much about hardware or usability anymore. It was about getting back to my roots. I had dedicated many later years to focus on open-source software, identity and access management, but what I did and what I helped clients achieve only went so far — it didn’t target the foundation of it all. I just don’t want anyone to have access to my information unless I explicitly allow it, whether it pertains to business situations or personal ones. There are many good reasons for this, and I will focus on one of them — the most important one for me. Intent. No matter why someone has access to your information, it is simply not possible to limit what that information can be used for — the intent. You can limit access to the information, but once the information is out there, it can be used for anything. To me, that is the main problem. Some people tend to think that as long as someone has a good intent, then it is okay to give them your information (same as the “if you aren’t doing anything illegal” argument mentioned above). I agree theoretically, but in reality, you simply cannot limit the use of that information for other purposes. So, I want something that allows me to be very critical regarding who I am sharing data with. Not just clicking “I agree” on a social media site (which is consenting), but having some way to control that what I actually share is what I agreed to, and no more.
Research, research…
I found a very interesting company called Purism (http://www.puri.sm), which produces laptops. They were originally based on a crowdfunding initiative in 2015 to create a rights-respecting laptop. They raised more than 1 million USD and have since launched several updates to their product line, including a USB security key and a future, rights-respecting phone. The interesting part of their products is that they focus on respecting the individual’s rights from both a software and a hardware perspective. They work with hardware that is documented, sourced in a good way and can be powered by open-source firmware. This way, end-users can have full control over what the computer is doing and can actually inspect every single line of code used from the hardware level and up. Even the Intel Management Engine has been disabled, so this is about as close as we can get to respecting individual rights today.
The laptop itself is a nice, black aluminium machine with features such as a TPM, physical (actually kills power) kill-switches for radio (wireless/Bluetooth) and webcam/microphone. This means that when the switch is off, it is actually not physically possible for software to snoop on you. The production quality of the laptop is great — not like anything I’d expect from a crowdfunded initiative. It does come at a cost, but then again — what is your information worth?
I opted for a Librem 13 v3 and a pre-installed PureOS operating system, which is based on Debian upstream but without non-free software. Out of the box it guided me through the initial install and configuration, encrypted the hard drive using LUKS, and got me going in a matter of minutes. It boots using coreboot, which is a great initiative to rid the machine of the Intel ME and any low-level stuff which isn’t good for you. But to be in more control I followed the documented procedures of rebuilding coreboot, making sure (because I can) that I am booting what I think I am booting. I now have a key generated that only I know, and that can verify the boot process.
I also purchased the Librem Key, which is a USB security card produced in a partnership between Purism and Nitrokey — basically it is the same physical key as the Nitrokey Pro 2, relabeled as a Librem Key. This key works like a YubiKey or other similar keys, except both the hardware and the software is open. Again — you can flash the firmware on the key with open-source software to make sure the key is doing what it should be, and not more. It can hold certificates, a number of credential sets (for websites tec) and supports OpenPGP. I set up the key with my certificate etc., and configured PAM on Linux (using poldi) to integrate the laptop security with the key. If I want to escalate privileges, like “sudo”, I am prompted to insert the key.
Now we are talking.
The key allows you to place your secrets on the key itself, and remove all keys from the local system, so that there is no way to get access without having the key (and knowing how to unlock it). This should not be done by the faint of heart, since you stand a very good chance of locking yourself out of your system permanently if you lose your key or forget how to unlock it.
Also, the LUKS disk encryption (I have two encrypted drives in the Librem 13) can also work with the key to decrypt when the key is present/unlocked, and encrypt when the key is removed/locked. I have this set up and working, but I will get some backup keys before I default to this behaviour.
Hold your horses!
But, hang on a minute, isn’t all this stuff also available if you buy a YubiKey, run secureboot, use the new T2 chip on Apple machines etc? Well, most of it, yes. But then you would be trusting Intel, Apple, Microsoft and others — they might be increasingly focusing on security, but definitely not freedom. If that is okay with you, fine. Just beware; you might not be able to fix or upgrade your machine by yourself, or source the parts you would like. You might not be allowed to run the software or operating system you want on that particular hardware. You could be locked out of your own system just by doing things you want with it. And you are susceptible to a whole bunch of security issues that you can do absolutely nothing about. This definitely is not for me.
These are not trivial vulnerabilities. And they are introduced by something I (the end user) am not really interested in.
Deeper down the rabbit hole…
The next thing I am working on, is getting Heads (http://osresearch.net/Installing-Heads) to work with the key. Heads is a solution for having a tamper-free BIOS boot process, where it uses the TPM on the laptop and prompts for a one-time code. This one-time code can be generated by Google Authenticator or similar, or it can use the Librem Key.
Currently this is an approach that can be used only for specific hardware, and in many cases, you need to access and tamper with the physical hardware to get access.
However, for the Librem laptops, this is not necessary, as the hardware and firmware are all open. Yeah!
Heads can be set to stop the boot process if you don’t have the right code, or just to warn you when someone has tampered with the laptop. I am setting the laptop up so that the green LED on the key lights up when the code matches, and the red LED lights up when it doesn’t. Very cool stuff.
So now I have a laptop which can follow a strict security policy: boot security, encrypted disks, multi-factor authentication where I want it, and the ability to completely remove security credentials from the computer, only storing these on the security key.
Finally, I have found something that makes me feel good about my choice! So, the next time you are considering buying a new laptop or phone, do consider putting pressure on vendors in the area of rights. Is the laptop truly yours? Can you do what you want with it? Can you restrict access to your information and verify that what is shared is _only_ what you agreed to?
In any case, please do consider that your hardware (and software) is eavesdropping on you, sharing information with parties you do not know about, and restricting how you can use your own (!) machine. And those same mechanisms have vulnerabilities that are exploited by agents with all kinds of agendas. The Librem is not a computer for everyone, but I hope this post makes everyone understand that it is important that hardware and software respects our right as consumers, and that tradeoffs that are made actually do just what they said they would, and no more.
After all, it isn’t paranoia if you are actually being followed, right?
Onwards!
Please note: the author and his employer has no affiliation with Purism Inc.
