I'm personally re-thinking my approach to security and anonymity
online, esp. in light of recent news re: Facebook (Cambridge
Analytica, account breach), Google (Chrome 69, increased spying), etc.
I've bought a new laptop, and for the first time in 12 years it's not
a Mac - it's a Thinkpad X1 Carbon 6 (similar/better specs vs Macbook Pro
at half the price) with OpenBSD, which takes 10 min to install, works
flawlessly with Thinkpad's hardware (minus bluetooth and finger
scanner) and has a security model I can trust.
I hear people say that and I always get excited. Then I just went to Lenovo’s site and I configured one and for a small margin of error they are the same. Why do people say this when it doesn’t seem true? Is there a “50% Off all Thinkpads” website I don’t know about?
I configured a machine with i7-8550U cpu (8th gen, 1.80Ghz, 8MB cache, up to 4Ghz Turbo boost), 14" WQHD (2560x1440) IPS anti-glare panel @ 300 nits, 16gb LPDDR3 2133mhz, 720p HD camera, integrated UHD graphics 620, and 256 GB PCIe-nvme hard drive for $1,396.47 before tax. I'm comparing it to a 15" macbook pro at $2,400 before tax (and it has DDR4 - so hungrier - memory).
Also for some reason people who say this never mention that they're happy with a 1080p screen.
I'm happy with a 1080p screen.
I don't need a trackpad that's half the size of the laptop. I don't need keys that only mostly work. I don't need a strip of whizbang capable of playing Doom.
I need function keys, that work, and give me tactile feedback.
People like different things.
Let's look at my work laptop from the year before last. It's a macbook pro with a retina screen from 2013. The CPU is a 2.4GHz dual-core i5 processor. (I'm specifically looking at the ME864LL/A).
Currently they're selling for 500£, second hand.
A quick look on thinkwiki.org shows the equivalent is an X201 or X230.
A quick gander on Ebay shows an X230 with better specs: This one has an i7 with a 3.6GHz processor, an SSD already fitted, and 8GB of ram (2x more than the macbook in question). It comes in pristine condition with the charger and dock included.
It costs $310.00, plus $20 shipping (There are others in good nick with roughly equivalent specs (~2.9Ghz) for $40 cheaper)
The default screen is kind of crap, but for an extra $80 - $130 and a spare hour you can upgrade it. This specific redditor bought a 2k screen (2560x1440 IPS) mod kit from China and it worked
So that makes it, what, $400?
It's $100 cheaper, for a better laptop with an equal or better screen.
: https://forum.51nb.com/forum.php?mod=viewthread&tid=1831613&... (you might need google translate)
Besides, that only works if you, as a mac owner, treat your machine well. From looking at second-hand macbooks, it's very difficult to find one where the screen isn't bent, or badly damaged, or where the battery (which is not easily user-serviceable) actually holds a charge.
Personally I'm not even sure how you accidentally bend a laptop screen in the first place. All the thinkpads I've bought have been not only in fantastic condition, but almost every problem that presents itself (If any does, of course) is fixable for less than the price of a new machine.
I also believe I forgot to mention, that the older thinkpads have not only screen upgrades, but people in China producing motherboard upgrades? I could upgrade my $60 X200 to a recent-generation i7, with USB3 / USBC ports, fast graphics, etc. for even less than I could have bought that other Thinkpad with the same specifications, for.
Oh, and for the final dose of laptop superiority: Almost all thinkpads since before the X200 have keyboard drains. If I spill my drink on my laptop, my laptop still works.
I haven't kept track of Thinkpads (had a brief foray into Surface Pro land, then went back to an iPad + Mac for Apple's better stylus when they finally supported one), but I've been told the drains aren't a standard thing anymore? Some models have it, but Thinkpad doesn't list them in the specs so it's hard to even tell which.
For instance, the T480 does, but I think the T480s (slim) does not. And the T480's webpage doesn't mention it: https://www.lenovo.com/us/en/laptops/thinkpad/thinkpad-t-ser...
Yeah, that's the reason. <eye roll>
Take a look at the MacRumors buyers guide release date graph for the pro-line https://buyersguide.macrumors.com/#Mac
It's not as severe as it used to be now that returns are diminishing on new generations of components, but even three/four years ago, it could be startling.
I got a monster of a machine 2 years ago for < $1100, by buying during a 35% off sale and getting the SSD aftermarket.
At the end of the day, I still trust Apple the most, since they have a huge reputation they need to maintain, although I recognize it's not an optimal solution, as they might very well have weaknesses in their supply chain, or become dishonest at the request of some higher authority.
On a related note, it appears we don't live in the era of personal computers anymore, but rather personal interfaces. Most people are comfortable getting a mobile interface they control, while the computation and storage of their data is performed by somebody else.
Are you referring to ? Since I will be installing OpenBSD on this machine, I won't be affected by it. I do have to trust their BIOS, though, and unfortunately there is no easy way around it on modern hardware, unless you want to limit yourself to something supported by e.g. coreboot.
> manufactured by a dishonest company, in an authoritarian country
Macbooks are manufactured in the same country, but yes, I do understand your sentiment re: "dishonest" company - very few Chinese manufacturers can be fully trusted, as e.g. Chinese government has a lot of coercion power.
So, maybe you're fine for now (I envy you slightly for enjoying such a well designed piece of non-Apple hardware) but will you trust the X7, X8, etc? Especially with the escalating US-China trade war.
those were IdeaPads not ThinkPads.
> I couldn't get myself to trust a computer manufactured by a dishonest company, in an authoritarian country.
... you'd be naked and bereft a lot of other comforts if you were to get rid of everything made in China.
The hardware is shit. I've had to send it to service 3 times in the nearly 3 years I've been working with it. I just put in a new up arrow key last week because the last one broke. In its current state only one USB port is functional.
Granted I'm a consultant and do heavy traveling but it has never happened to any of my colleagues' Macs. Once it was in service for a week because the wifi card was disconnected. Don't even get me started about running linux on it, not a nice experience.
Getting home and using my mac is such an upgrade, OS and hardware wise. Only thing I really miss is the red track button in the middle of the keyboard, that is a phenomenal feature!
I use two circa 2007 30" Cinema Displays, so from the laptop it goes Thunderbolt 3 > Thunderbolt 3 Hub > Thunderbolt 3 to dual DisplayPort > 2x DisplayPort to Mini DisplayPort > 2x Mini DisplayPort to Dual-Link DVI > Displays.
The upside is that my MacBook is connected to all that with a single cable that includes power. For peripherals I use bluetooth. When I travel I just carry that Apple HDMI/USB/power breakout dongle and it covers every situation I've found myself in so far.
What's interesting about OpenBSD/Thinkpad combo is that hardware support is miles better vs. Linux on the same hardware (WiFi, snooze, etc.), from what I can tell, as many of the OpenBSD developers use them as personal machines.
Oh, are you referring to the TrackPoint™-style pointer?
My T430s has been great. It sees a lot of use too.
I know it's just factory-installed bloatware at this point, but I'm concerned that before long Amazon's going to be paying off OEMs for physically integrated spy hardware, and while I love my ThinkPad systems, Lenovo's willingness to include Alexa makes me nervous.
On the other hand, Lenovo seems to use hardware components with good support by open-source drivers. Hopefully one day they (or someone else) will support something like coreboot, which will create a more open system (minus microcode in the CPU).
I installed Ubuntu on a Lenovo and the trackpad felt horrible in comparison, even after tinkering endlessly with the settings.
I always overshoot what I'm trying to click on a tiny bit. With a macbook touchpad, that just doesn't happen at all.
Also, it feels like the force and dexterity to use a trackpoint puts a bit too much pressure on my finger.
I've tried using a trackpoint for a while. I desperately regret switching my corp laptop from a macbook to thinkpad several months ago. Linux is nice, but now I have to deal with this really shitty trackpad for over another year until my refresh.
Do you switch fingers to give yourself a break?
What I would REALLY like though is a quality Linux operating system for the phone like Ubuntu Touch. I just don't feel comfortable on Android.
I should have added “desktop” there as well, otherwise I would say iOS is the most secure consumer operating system these days.
Emphasis added, because of course you don't need to, and most people don't. Apple themselves have been working at it and Mojave contains a bunch of new restrictions and brings more visibility to what software wants what. It's much more feasible now for users to simply prevent most (or all) standard software from accessing the camera or mic entirely. Someone could be very cautious about what they install and stick to more heavily controlled and sandboxed major name stuff from the MAS (even though I personally think the MAS is a huge disappointment and waste of potential still). Running software in a VM is another option for power users. And for that matter if you don't actually use the camera much/ever (likely true for many on HN) you could simply physically block it with an opaque black sticker, or even drill it out and stick some black epoxy in there or similar.
Ultimately this is just another possible layer and UX. If anything it is probably of most value to power users who want to run software from anywhere and in turn would like to have additional tools to handle some of the vetting and watching that Apple might do for general users with light needs. That's like Little Snitch too, I find it absolutely invaluable, but I also have the basic systems and networking knowledge for it to mean something to me. For end users I help it's of no direct use because it all might as well be in another language, they don't have the knowledge or metaknowledge, it's only any good in terms of providing an administrator willing to take an active hand in things occasionally another way to help lock systems down.
I do hope for Apple to continue their trend of privacy focus, for example they could make camera access more nuanced (like only if it has user focus). But I have more faith in their ability to make that functional for general end user contexts than in many server secure focused OS. To your point:
>(works flawlessly with Thinkpad's hardware (minus bluetooth and -finger scanner-) and...
But biometrics are incredibly valuable for general mobile usage security. Shoulder surfing these days should probably be considered the rule not the exception given the growing ubiquity of networked cameras everywhere and the data storage capacity and ML to handle their data. It's much easier to passively mass vacuum PINs or passwords than good biometrics right now where you can't ensure any physical security. OpenBSD does support HSMs which would help, though it's another thing to keep on hand as well. And of course there is the time factor of a good password vs biometric entry which discourages many people from using good passwords.
That's a good point. It is interesting, still, that someone took time to build an app like that - maybe it's perception vs. reality, but I have seen a lot of coverage on how various spyware can use your cam without you knowing. Good that Apple is improving the security of the default system.
> And for that matter if you don't actually use the camera much/ever (likely true for many on HN) you could simply physically block it with an opaque black sticker, or even drill it out and stick some black epoxy in there or similar.
For what it's worth, Thinkpad's new laptops (and the one I bought) have a built-in webcam cover, called ThinkShutter.
> But biometrics are incredibly valuable for general mobile usage security.
Agree - and I'm researching use of YubiKey (or something similar with proven security model) as a 2nd factor w/ OpenBSD, as I think it has a better security model vs. closed-source fingerprint scanner.
Countless people still insist that Facebook is literally recording their conversations. I'm not sure it's possible to overestimate people's paranoia, or how stupid it makes them act.
Of course, if a program has access to it (including Apple's own permission-exempt software) an unauthorized app may be able to use the authorized one as a route around the sandbox:
But Mojave also added an "APP_1 wants to control APP_2" permission prompt, so I don't think that workaround is typically possible. When the malware tries to use Quicktime to run a video/audio capture, the AppleScript should trigger a "Badware.app wants to control Quicktime" permission prompt.
Browser-level requests for camera/mic permission are obviously nice, and it's even better to see OSX offer the request to catch more cases and prevent workarounds. Requests for control transfers are also an obvious improvement; at a certain point the easiest way to curtail sandbox escapes without restricting normal functionality is to just talk to the user.
Honestly, a same-circuit "camera on" light is my preferred solution to this whole question, and I'd be happy to see the mic get a separate light or be tied into the camera circuit.
The problem is that this doesn't help if you have a desktop machine, but you are not literally sitting behind it to notice the light. Software could still eavesdrop on conversations during that time.
The nice thing about Micro Snitch is that it also keeps a log.
Ideally, we would of course have all these levels of protection: a light, a physical switch to disconnect the camera and mic, sandboxing with camera/mic permissions, and logs like those provided by Micro Snitch.
It's baked into the kernel, if that's what you're asking.
Similarly, X11 applications can snoop on keystrokes, mouse events, and other applications, etc.
Luckily, there has been a strong push to change things. E.g. Pipewire is going to provide access control for sound devices and cameras, Wayland provides more GUI isolation between applications, and Flatpak/Bubblewrap are introducing application sandboxing at a larger scale.
Not just "X11 applications" but any process that can open your X unix domain socket (usually at somewhere like /tmp/.X11-unix/X0) or, god help you, connect to tcp://localhost:$((6000 + $DISPLAY_NUMBER)).
Who knows how many cameras and audio input devices exist for generic PCs. Probably most of them use standard APIs you could interrogate, but I bet not all of them.
People would install it on purpose just to get their damn pulseaudio config sorted out.
Source code isn't really necessary. Nor sufficient for that matter even if it was there, you'd need verifiable builds and an assurance of no self updating capability too, basically for certain minimal products you need some level of trust. As far as extra verifying though you'd probably start the same way you would minimally blackbox anything: stick it on a virgin test box and monitor all I/O in a controlled setting (VM could work too, though if you're super paranoid you might take into account that can be detected and runtime behavior modified). I guess you could start disassembling it and poking around its memory and such too if you wanted.
But seriously, it's a Mac product, so source access everywhere should kind of obviously be off your list already. How do you know when Apple spies on you? You won't find the source code. And the answer is you blackbox it and mostly you trust that it'd get noticed at some point and Apple would get the crap sued out of them and be investigated by governments worldwide etc etc. Objective Development is a very long standing dev and has put out a far more critical long standing security product that has been used by a lot of sec people for a very long time. Sure they could be compromised in the same way any dev could, but on the lowest critical factor level they're unlikely to be the biggest risk in most users' threat model.
I don't mean to detract from the "trusting trust" question, there are lots of issues which really are best handled by just pushing the problem outside the average user's threat model. Even source-code verification isn't actually terribly robust on the user level: are you sure you got a clean install? Are you sure nothing has modified it? And so at a certain point "just trust Apple" is entirely reasonable.
But I do think we sometimes rely on webs of trust, elaborate app signing schemes, and other software or legal solutions when we could be getting by with a simple hardware answer. (And the entire IoT domain looks a lot like undoing solved hardware problems...)
Do check out David Wheeler’s 2009 thesis on Double Diverse Compiling for instance: https://dwheeler.com/trusting-trust/
Actually it is sufficient. On macOS one can install homebrew and add the build from source option. Most Linux distributions provide similar facilities.
Of course one can go Hardcore and use Gentoo, but yeah, in that case verified builds + OSS are the more efficient option unless one has access to a cluster.
Most just unpack the stage3, follow the handbook, and be on their merry way. Hell, I'm super paranoid and I haven't bootstrapped on every install.
It's definitely not something I'd ever trust completely, not only could it be spying on you, but I also don't really trust my hardware. However, I must say, it's still very nice to have. It at least narrows the possible spying vectors, and it's nice to know immediately what apps are listening; the best example being Android Studio emulator: always listening.
So you have to implicitly trust the ObDev guys, and you have to implicitly trust the hardware, but beyond those two assumptions they function great for any other threat models.
Would still be nice if they were both open source but hey: I use the open source vscode and it phones home uncontrollably all the time, so source code only benefits us so much.
>Would still be nice if they were both open source but hey: I use the open source vscode and it phones home uncontrollably all the time, so source code only benefits us so much
Yup; definitely true.
At some level in the chain you put your trust in an authority.
Ideally the kind of authority who has more to lose than to gain from spying on their users.
Then all the spy software has to do is receive a signal to begin recording, save to a buffer, and wait for you to check twitter before uploading.
I know you can do it with Windows. On iOS, you can only block cellular network access with the exception of third party keyboards where by default network access is blocked. I wish I could block apps from having any network access. Can you block network access on a per-process basis with Linux or the Mac?
Actually Mojave introduced some significant new per-application protections and permission requirements for privacy related equipment, including camera and microphone, so I'm not sure it's as relevant now as it was at launch. I suppose that even if you grant something permission it could still be useful to have more active monitoring of usage as well, it might get compromised or look legit but then do things you don't expect.
2: This can actually "break" old software in some cases, because it'll try to access something and fail but the OS permission dialog will be hidden by some other window or not show up properly. Sometimes you can work around this manually in the Privacy pane of the Security & Privacy preference panel, where it'll list software that recently tried to access a resource but couldn't and you can check it off to allow it in the future.
IIRC all the good webcam implants ignore softlights -- presumably they'd slip by whatever code is monitoring the camera here
Happy to give any HN users a 6 month trial if they ask. My email is in my profile.
Good that Android catches this now though.
I wouldn't grant it either way though.