Ok, maybe I've been doing too much hardware development and more tinkering than the average guy, but this part here, to me, sounds way overblown:
> As you can see, it is not a trivial matter to
> manufacture these HKSes. A lot of research and
> hard work went into the effort.
I mean, compared to all the other things one has to get right to design a laptop computer, switching these few signals is indeed very, very trivial.
And while the webcam/microphone switches will prevent the particular devices from working, I'm not so sure about the WiFi card and Bluetooth. The microphone surely is dead by cutting the single signal line and the webcam by cutting its power.
But there's no guarantee that the W_DISABLE# pins are honored with every firmware of every possible wifi module that could be inserted into that slot. What if W_DISABLE#, on the card, is only a gpio that is checked by the WiFi chip's firmware? It would have been safer to also cut the power there, too. Or at least to verify that W_DISABLE# cuts off power to the RF PAs (transmitter power amplifier) of WiFi and Bluetooth in a way that can't be circumvented.
This article does leave me slightly confused. Both these additions seem to be completely done after the fact. Why would you solder wires to 1 side of the pads for the pulldown resistors (suggesting that when the motherboard was designed it was intended to always have enabled WiFi) rather than designing a proper switch (not very many components!) into the board to start with? It all sort of suggests that they didn't actually design their motherboard at all, or that these switches were an afterthought. Neither of those is particularly good given their claims.
It probably costs a lot more than $250,000 to develop a laptop from scratch, so I wouldn't blame them for taking a higher level systems approach and buying in a pre-existing motherboard design. However, doing that inevitably gives up control of the design (which puts into doubt their claims of being completely open). If that's the approach they've taken, they're not particularly open about it.
> It probably costs a lot more than $250,000 to develop a laptop from scratch (...)
Novena[1] had a total budget of ~750k$. It was done from scratch, with some nonstandard (and somewhat expensive) components (e.g. an fpga; it had a software defined radio included too, though it was a mostly-off-the-shelf-one).
Novena's a pretty amazing project, but it's not nearly as polished as this purism laptop appears to be. It's (intentionally) a hacker friendly box with lots of space and less integration than a normal laptop. It even uses a RC hobbyist style battery. Novena is a labour of love driven by a particularly skilled person.
To design and mass produce a laptop as slim and well integrated as the Purism laptop is significantly more work. To do so having never produced a laptop before would cost even more so. $250,000 really is a small amount of money when you're trying to mass produce cutting edge consumer electronics.
Of course they may (almost certainly do) have other sources of investment.
Agreed, they're way overstating the difficulty here. I think they just wanted to advertise that they do this, which is fair, and it's a feature I wish more laptops had.
The transparency is good for a feature that affects security, enabling early discussions like this one, rather than waiting for post-shipment teardowns and reverse engineering. Like the Lenovo Retro surveys, this form of content marketing has the potential to improve product engineering/design.
Much has been written about the fact that Apple controls both hardware and software design. What kind of integrations become possible by combining open-design hardware with OSS software like Linux and Qubes?
It's even a bit worse when looking at it from a fail-safe point of view. To turn the bluetooth and wifi off, 3.3 Volt has to be put on the pins. Giving no power on the pins turns both devices on.
No, that's probably just by convention. If it's strictly an input then both directions are just the same in terms of safety. It's just sometimes more convenient to only pull things down or up and have a resistor provide the opposite pullup/pulldown current.
Maybe it was chosen because the "high" voltage isn't specified and the standard might say: "Pull down to GND to activate, leave open to keep card off." Then you don't have to think about the internal logic voltage of the circuit, you might fry the card if you pull up to 3v3 if the logic input is only 1.8V tolerant.
This would work better if the switch worked as you described - close a circuit to GND to turn the card on, leave the circuit open to turn the card off.
If the wires to the switch fail then the card fails on.
Not necessarily. An open wire doesn't mean 0 volts -- it is whatever the input of the gate floats to. There is no standard -- it depends if the manufacturer put a weak pull-up or pull-down into the chip, or if they have an active termination that will pull to either end. Or if the gate isn't designed any particular way, it could be subject to how well doped the transistors of that particular chip turned out. Being open also means it is subject to noise from adjacent signals, so it could be random that way, too.
These are signal pins, not power pins. The device is still receiving power when the switch is "off", all the switch does is provide a signal to the pins that tell it to disable itself.
To me it sounds like a practical decision. Go buy a USB wifi adaptor and plug and unplug it 100 times. Then tell me if the adaptor works correctly after that; the kernel driver is probably in some undefined state now.
The reality is that the chip/firmware/driver combination is tested by turning the power on once and then making it pass a few benchmarks that reviewers like. Doing something new and exciting may or may not work.
Certainly, some drivers are way better than others (ath9k is pretty good), but I imagine they tested the power up/power down method, noted that the kernel panics 1 time in 10, and decided nobody would buy their product if they implemented it that way.
With Bluetooth, it's precisely what all notebooks I can remember do. With WiFi, especially connected via PCIe, I wouldn't rule out problems. But please keep in mind that at least in the early days WiFi cards most often came as PCMCIA/PCcard/CardBus, so I'd guess the infrastructure started out PnP compatible from the start...
Especially since all of these peripherals are COMPLETELY modular for desktop form factors, since you could theoretically buy motherboards without these optional hardware features, and purchase them as completely separate devices, implying that they are assuredly unpluggable, and therefore, without question "switch-off-able" in very real terms.
So, yeah, why all the solder and "chip" modifications?
There are some reasons why you might not want to do that, or why that might be inconvenient. You could end up with weird voltages floating around and interfering with other parts of the circuit, or you could end up with an unexpected ground connection going through a chip somewhere. Basically, circuits (and ICs) are often designed with the assumption that ground is always ground. Sometimes you can power a chip just by supplying a voltage to the signal pins. This usually ends badly.
Grounds are often redundant and built into the chassis (of both the component and the laptop), routing back to the power supply. This is to create a sort of "faraday cage" that protects it against harmful electromagnetic interference and discharge (e.g. static electricity). It would be almost impossible to separate it from ground completely.
Great! Small point though, i would be in favour of a separate Bluetooth and Wifi kill switch.
EDIT: They use i5 and i7 processors, which IIRC use black-box Intel microcode... Also, i wonder if they support Libreboot? My apologies if it turns out i cannot read. Otherwise they look quite nice. I'm excited to see more "alternatives" in the "free as in liberty" laptop space.
> i would be in favour of a separate Bluetooth and Wifi kill switch.
that's what I thought as well.
About the microcode, this won't be fixed. But see the weekly updates on their blog[1] that states progress they make with the coreboot developers. Hopefully they can free the number one problem with intel chips[2] which is the Management Engine firmware.
In reply to sibling poster about dip switches, it looks like there are little wires running inside the case from the four separate connections to the two DPDT switches, i.e., if you want to find a DIP switch and mount it to your laptop, the 4 wires are easily hackable.
I think he means two switches, one for camera and microphone and one for blutooth and wifi; not a separate wifi switch and a bluetooth switch. Of course, a little DIP panel with a toggle for each device would be nice, too!
> EDIT: They use i5 and i7 processors, which IIRC use black-box Intel microcode... Also, i wonder if they support Libreboot? My apologies if it turns out i cannot read. Otherwise they look quite nice. I'm excited to see more "alternatives" in the "free as in liberty" laptop space.
They are going to use coreboot, which is free but includes some binary blobs from Intel. I don't think you can boot any modern x86 without a binary blob from the CPU manufacturer, unfortunately.
I also don't think it's possible to get any modern machine up without some device firmware blobs. The best-case is that all the blobs are provided onboard so the OS doesn't need to provide them, but they're still there and we have to trust them.
Purism seems to me an incremental improvement and I might buy one, but I really hope for a truly free machine someday.
You get an open ISA w/ Open Firmware w/ open HW implementation under GPL that you can fab wherever, including MPW runs that cut costs. Or you can just buy the one's he sells which go up to 4 cores now. Developers porting browsers, flash, servers, whatever can use regular development boards to get most of it done. Gaisler and SPARC have been best option to jump-start open HW/SW movement for a long time. Just not utilized.
A Transmeta approach could be used with underlying RISC core for x86 emulation. Wouldn't be core i7 speed or anything but it could be acceptable. China's MIPS-based Loongson does this.
> AFAIK the microcode updates aren't mandatory, you can use your computer without them and use the stock microcode (though that's also proprietary).
Microcode is only one part of it. I was thinking of the ME firmware, and to a lesser extent the FSP. It's not possible to boot a modern Intel processor without ME. The ME has direct DMA access to all peripherals and can use the network interfaces directly, behind the operating systems back.
I believe AMD has similar things. They are all signed by the manufacturer and the hardware will refuse to load a replacement even if it existed.
Puri.sm has been saying for weeks they are going to have a big announcement about the ME "next week". I do wish their process was a bit more open, but I'm hoping they've actually found a way to make the machine boot without an ME. That in and of itself would be a huge step forward for libreboot/coreboot.
I don't really feel like the librem laptops offer much value when built using a processor with IME. It's offering a mostly open source laptop, but still has a massive gaping backdoor for someone to log your every keystroke and get every bit of your data - even if the laptop is off or your harddrive is encrypted (source: http://libreboot.org/faq/#intel)
Yeah, the discussions get funnier when you see people speculating about Intel backdoors and ask yourself "Did everyone forget about Intel AMT?" Whether it's on or not, the functionality is probably in every chip in the family and maybe others to cut NRE costs.
Most open, security-focused laptop with the most closed, backdoored processor. It's funny shit.
I especially like to see this laptop because it's the first that I know of that can effectively turn off the microphone (for the webcam we already have stickers so this is less of an advantage, of course still laudable).
Though I think these hardware kill switches should not be optional. A product that praises itself for privacy and security should have this as a base feature instead of asking $89,- separately for it.
This is how it should be done. I really hope manufacturers will start going back to physical hardware switches. I hate long-pressing buttons to switch things on or off, not knowing whether devices are really on or off, or being unable to tell the state of a switch/device just by touching it (without looking).
The physical dual-position sliding switch has a lot of advantages, and yet it has almost completely disappeared from the electronics/computing world. I'd like to see it back.
I used to have a laptop that when you pressed the function button to enable/disable the webcam would actually install/uninstall the webcam drivers. I found it more hilarious than anything.
This is the first I've heard of Puri.sm. It seems like a very ambitious company. I'm not sure features like this are important enough to me to persuade my buying decision. However I love the idea of having another choice besides apple when it comes to hardware. I've just been really unhappy with everything else. I'm excited for another choice when looking for a high-end laptop!
I, too, welcome the existence of a company trying to compete based on preserving privacy and users' freedoms rather than invading it and spying on everything.
Personally, I would consider having hardware switches to disable external sensors and wireless communications channels in a laptop to be a significant factor in a purchasing decision. Other things being equal, I would opt for such features, and I would be willing to pay a bit extra to have them.
Unfortunately, it appears that other things are not equal. Unless I'm missing something, these systems seem to be relatively expensive for the rest of their spec.
More significantly, there is only so much you can do with hardware alone. For now, we also have the usual problem with installing an entirely free/open source software base, which is that much of the software that is useful for getting real work done is not from the FOSS world and the closest FOSS equivalents are not competitive if they exist at all. Being on-line is essential for a lot of activities, but as soon as you're on-line there is still a problem if you don't trust at least the OS and networking software as well as the hardware, and in a Windows 10 world that surely won't be true for many who would be interested in this kind of hardware in the first place.
Still, this seems like a step in a healthy direction, and for that alone I wish them success.
Testing it in the marketplace and tying the financial incentives to good ethics are both good decisions. They're really putting their work and money where their mouth is. I challenge others to do the same in terms of hardware purchases.
My favorite part is that they're going to support Qubes OS [1].
That's why I'm hoping their next Skylake generation will come with an option for a 6820HQ or 6920HQ CPU [2] (4 cores/8 threads/8MB L3 cache), as well as options for 16 and 32GB of DDR4 RAM (but I assume they'll have that covered) and at least a relatively fast NVMe 256GB SSD drive just so I can run Qubes at maximum performance. Fingerprint authentication (along with software support for two-factor auth at login) would be nice as well.
I do think they need to drive their prices down in the future, though ($2,000 for a "private laptop"). Privacy and security shouldn't be just for the rich. Their laptops feel like they are at least 50% more expensive than what they should be. I imagine this will get better with scale. Their laptops also don't have to be "Macbook Pro quality". I think some compromises there in thinness and build quality can be reasonable, if it means dropping the price by $300 or so.
Thanks for sharing, exactly what I am looking for as I am looking for a new laptop. Some quotes from the test of the Librem-13 that seemed important to me:
[..]The Librem 13 has a 13.3" 1920x1080 Matte IPS screen that I thought looked great. It is nice and bright and to my eyes looks better than the 1920x1080 IPS screen on my X240. [..]
[..] I'm used to the relatively weak speakers that tend to come with Thinkpads so I was pleasantly surprised at the volume from the Librem 13 speakers. Speaking of sound, I've gotten some questions about how quiet the laptop is. The laptop does have a fan and features vent holes along the bottom. It's kicked on while I've typed with it on my lap and while you can hear it a bit in a quiet room, to my ears it's pretty quiet. Let's put it this way, you can't hear it over my typing and certainly not if you were using the speakers at all. [..]
[..] It's a bit tricky to compare keyboards between the X200 and the two island keyboards but I definitely preferred the Librem 13 to the X240. When it came to the X200 and the Librem 13 I think it's more of a tie. I like the extra key travel of the X200 but the Librem 13 keyboard actually felt a bit crisper, especially when typing heavily with more force. [..]
[..] Honestly the biggest issue for me personally is the touchpad mouse. I'm just a trackpoint person, I can't help it. That said, at my day job I have a buckling spring keyboard with a trackpoint in the middle of it, but since my home setup uses a classic Model M I've sort of been trained to not reach for it and reach for the physical mouse instead (and for the most part I just stick to the keyboard and keyboard bindings anyway). If Purism can fix the issue with palm presses generating mouse events while typing (which the multi-touch driver is supposed to solve), I think the mouse will be fine. [..]
[..] The final hardware feature I want to cover is the hardware kill switches. This was a much-requested feature by the backers of the original Librem 15 and the Librem 13 has them as well. Unlike software-based kill switches or keyboard combos, these switches literally cut the power to the wireless and bluetooth in one case, and the webcam and microphone in the other. I honestly don't know of anyone else who offers a webcam/microphone kill switch like this. I tested the webcam kill switch myself and not only did the video output from Cheese go black, dmesg reported that the USB device was completely gone:
[ 626.880277] usb 2-5: USB disconnect, device number 3
and when I flipped the switch back on, the device reappeared: [..]
I would immediately order a Librem-15 if it had (as an option) a keyboard with a trackpoint with physical buttons and without the separate number block on the right, i.e. a centred keyboard.
The problem of malware being remotely added to devices like routers and hard drive firmware can be stopped utterly by having a hard switch (or jumper) that disables the "write to flash" signal.
And the ME (Management Engine [1]) rears its ugly head. Even Google Chromebooks with a "write protect screw" do not actually wire the write protect screw to the hardware "disable writes" signal on the flash.
And it's because the ME is continuously writing stuff to its region of the flash and the ME cannot be disabled. Such a security fail!
Assuming these guys succeed the ME ceases to become a problem and the SPI chip can finally be write protected.
There are rumors of "back doors" that would let an attacker bypass the "disable writes" signal, but that can be countered by using a large number of manufacturers when sourcing your flash chips. Hint: SPI flash chips can be had from many places.
While it is still possible that some of the chips will have a back door, either the back door will be too hard to create a viable attack for, or users can verify the contents of their flash. (SPI flash chips are too simple to run their own cloaking algorithm.)
Users can take defensive measures if a widespread attack is detected. Defensive measures might include finding out which manufacturer produces vulnerable chips. By avoiding a flash chip "monoculture" it would apply the collective power of the internet to preventing a flash back door, thus making the write protect line an effective security measure.
As long as you mean "write protect" in quotes, because the write protection is handled by circuitry outside the flash chip itself which then means that to be sure your flash is _actually_ protected you have to verify that additional stuff.
Yes, I miss jumpers and write-protect. Used to use them everywhere. Seems like nobody does these days and I bet most advertising it are software implementations.
The frustrating thing about the situation with the NSA and other state actors is that any security product actually seems like it makes one more of a target.
The laptop that security conscious people buy is a more logical target than the laptop the random consumer buys.
Buying a better rated consumer laptop for cash in person, loading your favorite secure OS and locking it down as well as possible seems like a better path than buying anything label "secure" with your credit card attached to your identifying information.
I really like this design decision to put in hardware switches. Not only are there security risks: SW switches are less reliable. How many times has something played really loud and the volume buttons lagged for rest of you? Or you have to screw with power button to shut a certain laptop down?
I want hard buttons for power, audio, radio, and keys I type with. Not "smart" hard buttons either: simple, stupid, old approach to buttons or switches that just worked.
I'm unsure on how that would perform practically with audible soundwaves or if any other research has been done in that area. It would however be hard to mitigate, if possible at all.
Modern laptops (and sometimes even HDDs) have accelerometers used to detect freefall and park HDD's heads before impact. Maybe those could be abused to function as a makeshift mic?
It would be cool if there was a fail safe switch that nuked the hard drive with microwaves or something crazy like that when it was pressed. That would be one laptop I'd buy.
If you're going to go that route, you want an encrypted hard drive whose keys can be destroyed at a moment's notice. I believe that's off-the-shelf tech now, but I'm not sure where to point you at it.
Many security conscious companies routinely collect cellphones and other devices during meetings etc. NSA aside things get compromised by regular malware all the time.
I've had a small thought in the past to setup a 'luxury' service to retrofit something similar on smartphones. You would still be screwed during an actual call, since the mic would have to be on.. but a kill switch would still provide a fair amount of damage control in the event of a compromise.
If you go the extra mile and implement a 'read-only' connection to software you could remove most of the hassle for users.
Imagine moving the switch to the on position also answering an incoming call if the phone is ringing. Then when you hang up the software can send a signal to move the physical switch to the off position (but make it physically impossible to move it to the on-position from software).
Complete with a tiny LED to alert the user the switch is on.
This company states that privacy is very important to them. It's also to me.
But now I'm wondering, what's the purpose of the killswitch besides having no wifi-connection for a certain period of time?
I mean, when you switch back to enable wifi again, everything you did on your computer during 'airgap-time' is still there, waiting to be compromised by corps/govs? Isn't it?
Please correct me if I'm wrong. I'm really curious to this concept.
* Heightened risk of compromise in particular physical locations?
* Use in conjunction with something like TAILS so it's harder for someone who breaks into your computer to achieve persistence?
* Decreased risk of compromises that involve multiple machines attacking each other?
* Attackers may be wary of storing huge amounts of data persistently because the associated changes in storage media could be detected by forensic spot-checks?
(The third one probably requires that the forensic examination can get access to everywhere that the data could be stashed ... like nonvolatile memory inside onboard devices, not just the hard drive and main RAM contents.)
Wi-Fi can, and will, send data behind your back even if you're not connected to any network. Some of it is a part of normal protocol operation (and can be used to track you). Malware on your system could initiate connection without you knowing. And then a malicious actor targeting you personally may spoof a network you often connect to (e.g. local coffee shop) and exploit the default autoconnect to known networks behaviour. Hardware switches protect you from all the above.
You could be booting off a USB running something like Privatix during the time you have wifi killed - so that system would be air gapped whenever it is running. But if you trust Privatix you don't really need a HW switch.
That's great! I would definitely buy a Purism laptop - however I need additionally a trackpoint a great keyboard and an excellent matte screen.
The trackpoint should be with three physical buttons and would be great if it comes without a trackpad - but at least an option to disable the trackpad should be there.
The keyboard should NOT have any separate number block like most of 15" laptops have today.
Would be great if there would be as well an option to order the keyboard without any labels on the keys.
The trackpoint and keyboard requirements could be options upon purchase. I understand that I am part of a minority. The thing is, I feel helpless without a trackpoint. Mouse and trackpads are no options. And Lenovo makes me desperate.
Just to add (instead of editing above): I think a lot of IBM employees would as well buy Purism laptops if they had a trackpoints. There are thousands of people that are used to ThinkPads and now IBM announced to purchase from Apple [1].
IBM offer ThinkPads or Macbooks, so people who still want the trackpoint get it. I barely ever see anyone using it though. So long as you don't get a W540 the touchpad is much easier to use (I have a W540 and its touchpad is so bad it makes me want to cry).
And while the webcam/microphone switches will prevent the particular devices from working, I'm not so sure about the WiFi card and Bluetooth. The microphone surely is dead by cutting the single signal line and the webcam by cutting its power.
But there's no guarantee that the W_DISABLE# pins are honored with every firmware of every possible wifi module that could be inserted into that slot. What if W_DISABLE#, on the card, is only a gpio that is checked by the WiFi chip's firmware? It would have been safer to also cut the power there, too. Or at least to verify that W_DISABLE# cuts off power to the RF PAs (transmitter power amplifier) of WiFi and Bluetooth in a way that can't be circumvented.