
Hard, Not Soft, Kill Switches - slasaus
https://puri.sm/posts/hard-not-soft-kill-switches/
======
cnvogel
Ok, maybe I've been doing too much hardware development and more tinkering
than the average guy, but this part here, to me, sounds way overblown:

    
    
> As you can see, it is not a trivial matter to
> manufacture these HKSes. A lot of research and
> hard work went into the effort.
    

I mean, compared to all the other things one has to get right to design a
laptop computer, switching these few signals is indeed very, very trivial.

And while the webcam/microphone switches will prevent the particular devices
from working, I'm not so sure about the WiFi card and Bluetooth. The
microphone surely is dead by cutting the single signal line and the webcam by
cutting its power.

But there's no guarantee that the W_DISABLE# pins are honored with every
firmware of every possible wifi module that could be inserted into that slot.
What if W_DISABLE#, on the card, is only a gpio that is checked by the WiFi
chip's firmware? It would have been safer to also cut the power there, too. Or
at least to verify that W_DISABLE# cuts off power to the RF PAs (transmitter
power amplifier) of WiFi and Bluetooth in a way that can't be circumvented.

~~~
leoedin
This article does leave me slightly confused. Both these additions seem to be
completely done after the fact. Why would you solder wires to 1 side of the
pads for the pulldown resistors (suggesting that when the motherboard was
designed it was intended to always have enabled WiFi) rather than designing a
proper switch (not very many components!) into the board to start with? It all
sort of suggests that they didn't actually design their motherboard at all, or
that these switches were an afterthought. Neither of those is particularly
good given their claims.

It probably costs a lot more than $250,000 to develop a laptop from scratch,
so I wouldn't blame them for taking a higher level systems approach and buying
in a pre-existing motherboard design. However, doing that inevitably gives up
control of the design (which puts into doubt their claims of being completely
open). If that's the approach they've taken, they're not particularly open
about it.

~~~
robryk
> It probably costs a lot more than $250,000 to develop a laptop from scratch
> (...)

Novena[1] had a total budget of ~750k$. It was done from scratch, with some
nonstandard (and somewhat expensive) components (e.g. an fpga; it had a
software defined radio included too, though it was a mostly-off-the-shelf-
one).

[1] [https://www.crowdsupply.com/sutajio-kosagi/novena](https://www.crowdsupply.com/sutajio-kosagi/novena)

~~~
leoedin
Novena's a pretty amazing project, but it's not nearly as polished as this
purism laptop appears to be. It's (intentionally) a hacker friendly box with
lots of space and less integration than a normal laptop. It even uses a RC
hobbyist style battery. Novena is a labour of love driven by a particularly
skilled person.

To design and mass produce a laptop as slim and well integrated as the Purism
laptop is significantly more work. To do so having never produced a laptop
before would cost even more so. $250,000 really is a small amount of money
when you're trying to mass produce cutting edge consumer electronics.

Of course they may (almost certainly do) have other sources of investment.

------
toothbrush
Great! Small point though, I would be in favour of a separate Bluetooth and
Wifi kill switch.

EDIT: They use i5 and i7 processors, which IIRC use black-box Intel
microcode... Also, I wonder if they support Libreboot? My apologies if it
turns out I cannot read. Otherwise they look quite nice. I'm excited to see
more "alternatives" in the "free as in liberty" laptop space.

EDIT 2: Some more information here:
[https://www.crowdsupply.com/purism/librem-13](https://www.crowdsupply.com/purism/librem-13)

EDIT 3: At least they're up-front about what's Free and what's not:
[https://puri.sm/posts/purism-software-freedom-deconstructed/](https://puri.sm/posts/purism-software-freedom-deconstructed/)

~~~
throwaway7767
> EDIT: They use i5 and i7 processors, which IIRC use black-box Intel
> microcode... Also, I wonder if they support Libreboot? My apologies if it
> turns out I cannot read. Otherwise they look quite nice. I'm excited to see
> more "alternatives" in the "free as in liberty" laptop space.

They are going to use coreboot, which is free but includes some binary blobs
from Intel. I don't think you can boot any modern x86 without a binary blob
from the CPU manufacturer, unfortunately.

I also don't think it's possible to get any modern machine up without some
device firmware blobs. The best-case is that all the blobs are provided
onboard so the OS doesn't need to provide them, but they're still there and we
have to trust them.

Purism seems to me an incremental improvement and I might buy one, but I
really hope for a truly free machine someday.

~~~
witty_username
AFAIK the microcode updates aren't mandatory, you can use your computer
without them and use the stock microcode (though that's also proprietary).

~~~
throwaway7767
> AFAIK the microcode updates aren't mandatory, you can use your computer
> without them and use the stock microcode (though that's also proprietary).

Microcode is only one part of it. I was thinking of the ME firmware, and to a
lesser extent the FSP. It's not possible to boot a modern Intel processor
without ME. The ME has direct DMA access to all peripherals and can use the
network interfaces directly, behind the operating system's back.

I believe AMD has similar things. They are all signed by the manufacturer and
the hardware will refuse to load a replacement even if it existed.

~~~
artlogic
Puri.sm has been saying for weeks they are going to have a big announcement
about the ME "next week". I do wish their process was a bit more open, but I'm
hoping they've actually found a way to make the machine boot without an ME.
That in and of itself would be a huge step forward for libreboot/coreboot.

------
slasaus
I especially like to see this laptop because it's the first that I know of
that can effectively turn off the microphone (for the webcam we already have
stickers so this is less of an advantage, of course still laudable).

Though I think these hardware kill switches should not be optional. A product
that praises itself for privacy and security should have this as a base
feature instead of asking $89,- separately for it.

~~~
Karunamon
Doubly so considering the base model starts at $1,650 for specs that are
hardly top of the line.

I really wonder who the target market for this is.

~~~
pnathan
People who care about their security?

Lawyers, activists, crooks are 3 easy examples.

~~~
jgrowl
You seem to have repeated the same example twice.

------
jwr
This is how it should be done. I really hope manufacturers will start going
back to physical hardware switches. I hate long-pressing buttons to switch
things on or off, not knowing whether devices are really on or off, or being
unable to tell the state of a switch/device just by touching it (without
looking).

The physical dual-position sliding switch has a lot of advantages, and yet it
has almost completely disappeared from the electronics/computing world. I'd
like to see it back.

------
WormyMcSquirmy
I used to have a laptop that when you pressed the function button to
enable/disable the webcam would actually install/uninstall the webcam drivers.
I found it more hilarious than anything.

~~~
artmageddon
That's like trying to demolish a building by simply removing any roads that
lead to it.

------
swalsh
This is the first I've heard of Puri.sm. It seems like a very ambitious
company. I'm not sure features like this are important enough to me to
persuade my buying decision. However I love the idea of having another choice
besides Apple when it comes to hardware. I've just been really unhappy with
everything else. I'm excited for another choice when looking for a high-end
laptop!

~~~
Silhouette
I, too, welcome the existence of a company trying to compete based on
preserving privacy and users' freedoms rather than invading it and spying on
everything.

Personally, I _would_ consider having hardware switches to disable external
sensors and wireless communications channels in a laptop to be a significant
factor in a purchasing decision. Other things being equal, I would opt for
such features, and I would be willing to pay a bit extra to have them.

Unfortunately, it appears that other things are not equal. Unless I'm missing
something, these systems seem to be relatively expensive for the rest of their
spec.

More significantly, there is only so much you can do with hardware alone. For
now, we also have the usual problem with installing an entirely free/open
source software base, which is that much of the software that is useful for
getting real work done is not from the FOSS world and the closest FOSS
equivalents are not competitive if they exist at all. Being on-line is
essential for a lot of activities, but as soon as you're on-line there is
still a problem if you don't trust at least the OS and networking software as
well as the hardware, and in a Windows 10 world that surely won't be true for
many who would be interested in this kind of hardware in the first place.

Still, this seems like a step in a healthy direction, and for that alone I
wish them success.

~~~
nickpsecurity
Testing it in the marketplace and tying the financial incentives to good
ethics are both good decisions. They're really putting their work and money
where their mouth is. I challenge others to do the same in terms of hardware
purchases.

------
pbhjpbhj
Kill switch to me implies an emergency power-off, like the "emergency" button
on an escalator.

To me these are better called "hard power switches".

------
AdmiralAsshat
IIRC I think one of the LinuxJournal guys reviewed a pre-production version of
the Librem 13" and 15" models:

[http://www.linuxjournal.com/content/purism-librem-13-review](http://www.linuxjournal.com/content/purism-librem-13-review)

[http://www.linuxjournal.com/content/purism-librem-15-review](http://www.linuxjournal.com/content/purism-librem-15-review)

~~~
reirob
Thanks for sharing, exactly what I am looking for as I am looking for a new
laptop. Some quotes from the test of the Librem-13 that seemed important to
me:

[..]The Librem 13 has a 13.3" 1920x1080 Matte IPS screen that I thought looked
great. It is nice and bright and to my eyes looks better than the 1920x1080
IPS screen on my X240. [..]

[..] I'm used to the relatively weak speakers that tend to come with Thinkpads
so I was pleasantly surprised at the volume from the Librem 13 speakers.
Speaking of sound, I've gotten some questions about how quiet the laptop is.
The laptop does have a fan and features vent holes along the bottom. It's
kicked on while I've typed with it on my lap and while you can hear it a bit
in a quiet room, to my ears it's pretty quiet. Let's put it this way, you
can't hear it over my typing and certainly not if you were using the speakers
at all. [..]

[..] It's a bit tricky to compare keyboards between the X200 and the two
island keyboards but I definitely preferred the Librem 13 to the X240. When it
came to the X200 and the Librem 13 I think it's more of a tie. I like the
extra key travel of the X200 but the Librem 13 keyboard actually felt a bit
crisper, especially when typing heavily with more force. [..]

[..] Honestly the biggest issue for me personally is the touchpad mouse. I'm
just a trackpoint person, I can't help it. That said, at my day job I have a
buckling spring keyboard with a trackpoint in the middle of it, but since my
home setup uses a classic Model M I've sort of been trained to not reach for
it and reach for the physical mouse instead (and for the most part I just
stick to the keyboard and keyboard bindings anyway). If Purism can fix the
issue with palm presses generating mouse events while typing (which the multi-
touch driver is supposed to solve), I think the mouse will be fine. [..]

[..] The final hardware feature I want to cover is the hardware kill switches.
This was a much-requested feature by the backers of the original Librem 15 and
the Librem 13 has them as well. Unlike software-based kill switches or
keyboard combos, these switches literally cut the power to the wireless and
bluetooth in one case, and the webcam and microphone in the other. I honestly
don't know of anyone else who offers a webcam/microphone kill switch like
this. I tested the webcam kill switch myself and not only did the video output
from Cheese go black, dmesg reported that the USB device was completely gone:

[ 626.880277] usb 2-5: USB disconnect, device number 3

and when I flipped the switch back on, the device reappeared: [..]

I would immediately order a Librem-15 if it had (as an option) a keyboard with
a trackpoint with physical buttons and without the separate number block on
the right, i.e. a centred keyboard.
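
An added example, not part of the thread or of the quoted review: one way to tell from kernel log lines whether a camera was removed from the USB bus, as the review's dmesg line shows, or is still attached with only its driver unloaded. Apart from the review's disconnect line, the sample log is constructed, and the port `2-5` and the `uvcvideo` driver name are assumptions.

```python
import re

# Sample kernel log. Only the "USB disconnect" line is quoted from the review;
# every other line is constructed in the usual kernel message format.
SAMPLE_LOG = """\
[  410.000001] usbcore: registered new interface driver uvcvideo
[  412.104511] usb 2-5: new high-speed USB device number 3 using xhci_hcd
[ 626.880277] usb 2-5: USB disconnect, device number 3
[  702.551902] usb 2-5: new high-speed USB device number 4 using xhci_hcd
[  815.020418] usbcore: deregistering interface driver uvcvideo
"""

LINE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$")
EVENT_PATTERNS = [
    ("attach", re.compile(r"usb (?P<port>[\d.-]+): new .+? USB device number \d+")),
    ("detach", re.compile(r"usb (?P<port>[\d.-]+): USB disconnect, device number \d+")),
    ("driver_on", re.compile(r"usbcore: registered new interface driver (?P<drv>\S+)")),
    ("driver_off", re.compile(r"usbcore: deregistering interface driver (?P<drv>\S+)")),
]


def parse_events(log):
    """Return (timestamp, kind, fields) for each bus or driver event in the log."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        for kind, pattern in EVENT_PATTERNS:
            hit = pattern.search(m["msg"])
            if hit:
                events.append((float(m["ts"]), kind, hit.groupdict()))
                break
    return events


def device_state(log, port, driver, until=None):
    """Replay events up to `until` seconds and report the device's state.

    "off-bus" means the hardware disappeared from the USB bus, which is what a
    power-cutting switch produces. "on-bus, driver unloaded" means the device is
    still electrically present and only software stopped talking to it.
    """
    on_bus = False
    driver_loaded = False
    for ts, kind, fields in parse_events(log):
        if until is not None and ts > until:
            break
        if kind == "attach" and fields["port"] == port:
            on_bus = True
        elif kind == "detach" and fields["port"] == port:
            on_bus = False
        elif kind == "driver_on" and fields["drv"] == driver:
            driver_loaded = True
        elif kind == "driver_off" and fields["drv"] == driver:
            driver_loaded = False
    if not on_bus:
        return "off-bus"
    return "on-bus, driver loaded" if driver_loaded else "on-bus, driver unloaded"


if __name__ == "__main__":
    for cutoff in (500.0, 650.0, 750.0, None):
        print(cutoff, device_state(SAMPLE_LOG, "2-5", "uvcvideo", until=cutoff))
```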

------
eloy
> There is other NO laptop on the market today that has a physical means to
> turn off a machine’s built in Webcam and Microphone.

That was shocking to read, actually. I assumed that Purism wasn't the only
company doing this.

~~~
CuttlefishXXX
> a physical means to turn off a machine’s built in Webcam

I actually had one on my last laptop, namely a piece of black insulation tape
which I had placed over the lens.

------
WalterBright
The problem of malware being remotely added to devices like routers and hard
drive firmware can be stopped utterly by having a hard switch (or jumper) that
disables the "write to flash" signal.

~~~
sounds
This is a great point!

And the ME (Management Engine [1]) rears its ugly head. Even Google
Chromebooks with a "write protect screw" do not actually wire the write
protect screw to the hardware "disable writes" signal on the flash.

And it's because the ME is continuously writing stuff to its region of the
flash and the ME cannot be disabled. Such a security fail!

Assuming these guys succeed the ME ceases to become a problem and the SPI chip
can finally be write protected.

There are rumors of "back doors" that would let an attacker bypass the
"disable writes" signal, but that can be countered by using a large number of
manufacturers when sourcing your flash chips. Hint: SPI flash chips can be had
from many places.

While it is still possible that some of the chips will have a back door,
either the back door will be too hard to create a viable attack for, or users
can verify the contents of their flash. (SPI flash chips are too simple to run
their own cloaking algorithm.)

Users can take defensive measures if a widespread attack is detected.
Defensive measures might include finding out which manufacturer produces
vulnerable chips. By avoiding a flash chip "monoculture" it would apply the
collective power of the internet to preventing a flash back door, thus making
the write protect line an effective security measure.

[1] [http://libreboot.org/faq/#intelme](http://libreboot.org/faq/#intelme)

~~~
pgeorgi
Chromebooks only write protect half of the flash, the ME partition is in the
other half.

~~~
sounds
As long as you mean "write protect" in quotes, because the write protection is
handled by circuitry outside the flash chip itself which then means that to be
sure your flash is _actually_ protected you have to verify that additional
stuff.

------
joe_the_user
The frustrating thing about the situation with the NSA and other state actors
is that any security product actually seems like it makes one more of a
target.

The laptop that security conscious people buy is a more logical target than
the laptop the random consumer buys.

Buying a better rated consumer laptop for cash in person, loading your
favorite secure OS and locking it down as well as possible seems like a better
path than buying anything labeled "secure" with your credit card attached to
your identifying information.

------
nickpsecurity
I really like this design decision to put in hardware switches. Not only are
there security risks: SW switches are less reliable. How many times has
something played really loud and the volume buttons lagged for rest of you? Or
you have to screw with power button to shut a certain laptop down?

I want hard buttons for power, audio, radio, and keys I type with. Not "smart"
hard buttons either: simple, stupid, old approach to buttons or switches that
just worked.

------
happywolf
Kill-switch to me sounds like something pressed in emergency. Use cases cited
here should be called 'hardware switches'

------
mvdwoord
I wonder if there would be any way to use some other component in a laptop as
a microphone. Similar to the Funtenna stuff demoed by Ang Cui in several of
his talks. [https://www.blackhat.com/us-15/briefings.html#emanate-like-a...](https://www.blackhat.com/us-15/briefings.html#emanate-like-a-boss-generalized-covert-data-exfiltration-with-funtenna)

I'm unsure on how that would perform practically with audible soundwaves or if
any other research has been done in that area. It would however be hard to
mitigate, if possible at all.

~~~
TeMPOraL
Modern laptops (and sometimes even HDDs) have accelerometers used to detect
freefall and park HDD's heads before impact. Maybe those could be abused to
function as a makeshift mic?

------
Uptrenda
It would be cool if there was a fail safe switch that nuked the hard drive
with microwaves or something crazy like that when it was pressed. That would
be one laptop I'd buy.

~~~
jerf
If you're going to go that route, you want an encrypted hard drive whose keys
can be destroyed at a moment's notice. I believe that's off-the-shelf tech
now, but I'm not sure where to point you at it.

~~~
csours
It would also have to have no recovery mechanism, otherwise that could be
(ab)used to recover data after nuke.

------
m4yhem
These switches are a great idea..

Many security conscious companies routinely collect cellphones and other
devices during meetings etc. NSA aside things get compromised by regular
malware all the time.

I've had a small thought in the past to set up a 'luxury' service to retrofit
something similar on smartphones. You would still be screwed during an actual
call, since the mic would have to be on.. but a kill switch would still
provide a fair amount of damage control in the event of a compromise.

If you go the extra mile and implement a 'read-only' connection to software
you could remove most of the hassle for users.

Imagine moving the switch to the on position also answering an incoming call
if the phone is ringing. Then when you hang up the software can send a signal
to move the physical switch to the off position (but make it physically
impossible to move it to the on-position from software).

Complete with a tiny LED to alert the user the switch is on.

------
rambambam
This company states that privacy is very important to them. It's also to me.

But now I'm wondering, what's the purpose of the killswitch besides having no
wifi-connection for a certain period of time?

I mean, when you switch back to enable wifi again, everything you did on your
computer during 'airgap-time' is still there, waiting to be compromised by
corps/govs? Isn't it?

Please correct me if I'm wrong. I'm really curious to this concept.

P.S. I really dig the design of their laptops.

 _edit:_ Changed markup and added P.S.

~~~
jeremyjh
You could be booting off a USB running something like Privatix during the time
you have wifi killed - so that system would be air gapped whenever it is
running. But if you trust Privatix you don't really need a HW switch.

~~~
venomsnake
Do you trust the wifi firmware though?

------
reirob
That's great! I would definitely buy a Purism laptop - however I need
additionally a trackpoint, a great keyboard and an excellent matte screen.

The trackpoint should be with three physical buttons and would be great if it
comes without a trackpad - but at least an option to disable the trackpad
should be there.

The keyboard should NOT have any separate number block like most of 15"
laptops have today. Would be great if there would be as well an option to
order the keyboard without any labels on the keys.

The trackpoint and keyboard requirements could be options upon purchase. I
understand that I am part of a minority. The thing is, I feel helpless without
a trackpoint. Mouse and trackpads are no options. And Lenovo makes me
desperate.

~~~
reirob
Just to add (instead of editing above): I think a lot of IBM employees would
as well buy Purism laptops if they had trackpoints. There are thousands of
people that are used to ThinkPads and now IBM announced to purchase from Apple
[1].

[1]: [http://9to5mac.com/2015/05/28/apple-ibm-macs-pc/](http://9to5mac.com/2015/05/28/apple-ibm-macs-pc/)

~~~
Milner08
IBM offer ThinkPads or Macbooks, so people who still want the trackpoint get
it. I barely ever see anyone using it though. So long as you don't get a W540
the touchpad is much easier to use (I have a W540 and its touchpad is so bad
it makes me want to cry).

------
tlarkworthy
post it note on the camera

------
tlarkworthy
post-it note on the camera.

