FSF-Endorsed Libreboot X200 Laptop Comes With Intel's AMT Removed

gnujoshua (540710) writes "The Free Software Foundation has announced its endorsement of the Libreboot X200, a refurbished Lenovo ThinkPad X200 sold by Gluglug. The laptop ships with 100% free software and firmware, including the FSF's endorsed Trisquel GNU/Linux and Libreboot. One of the biggest challenges overcome in achieving FSF's Respects Your Freedom certification was the complete removal of Intel's ME and AMT firmware. The AMT is a controversial proprietary backdoor technology that allows remote access to a machine even when it is powered off. Quoting from the press release: "The ME and its extension, AMT, are serious security issues on modern Intel hardware and one of the main obstacles preventing most Intel based systems from being liberated by users. On most systems, it is extremely difficult to remove, and nearly impossible to replace. Libreboot X200 is the first system where it has actually been removed, permanently," said Gluglug Founder and CEO, Francis Rowe."

even when it is powered off.

[kairis]

AMT has remote power up capability but if the system is off ... it is OFF (no idle or standby).

Re:

[Anonymous Coward]

AMT has remote power up capability but if the system is off ... it is OFF (no idle or standby).

Yes. "Almost all AMT features are available even if PC powered is off, the OS is crashed, the software agent is missing, or hardware (such as a hard drive or memory) has failed" declares Wikipedia. http://en.wikipedia.org/wiki/Intel_Active_Management_Technology

Re:

[kav2k]

Quoting the same article

For wireless notebooks on battery power, OOB communication is available when the system is awake and connected to the corporate network, even if the OS is down.

So no magical "I'll maintain that WiFi connection even when asleep"

Re:

[Darinbob]

Presumably "off" does not mean "powered down with no obvious source of energy"? A laptop has a battery but a desktop does not.
What if a laptop disables wifi (I always do this), will the bios power it up against my will?

Re:even when it is powered off.

[fuzzyfuzzyfungus]

That may differ between laptops and desktops, or between AMT versions. On the desktops I've seen the AMT stuff is active if the PC is plugged in, regardless of its power state. Some of the capabilities of the AMT system cannot be used if the host PC is off; but the system itself runs on a separate processor and only turns off if the PSU is unpowered. Laptops may need to be more conservative, for the sake of retaining battery life while inactive.

Re:

[lsatenstein]

That may differ between laptops and desktops, or between AMT versions. On the desktops I've seen the AMT stuff is active if the PC is plugged in, regardless of its power state. Some of the capabilities of the AMT system cannot be used if the host PC is off; but the system itself runs on a separate processor and only turns off if the PSU is unpowered. Laptops may need to be more conservative, for the sake of retaining battery life while inactive.

On the desktop, when the system is powered off, it is not truly off. The powersupply is on, and other power, however minimal, is obtained from the router or the hub connection. The powersupply is often sustained to keep the RAM alive, and some reboot info.

Want it off, disconnect it from the router. If it has wifi built-in (as some desktops do), use the powerswitch on the back of the computer to fully poweroff the system.

Re:

[Zitchas]

I kind of suspect that is the point: Low level functionality that allows them to actually turn on the computer, not just wake it up from standby or hibernation. It also grants access for BIOS updating, erasing and reinstalling hard drives, and other access like that.

I suspect that the only "Off" that would actually block its activity would be the more absolute "the power bar is turned off" type security. Which is probably a good idea anyway, these days.

Re:

[Anonymous Coward]

Not true. It can power on systems remotely.

http://www.radmin.com/radmin/intel_amt_features.php [radmin.com] ...really really scary.

Re:

[TechyImmigrant]

Assuming you haven't disabled it in the bios.

Re:

[Darinbob]

I have my desktop, monitor, speakers, etc, all plugged into a power control thingy, and I always turn that off. So the desktop can not power itself on without a finger pushing a button. Ya, I'm a bit paranoid, or maybe it's OCD, but I like to power things off for real rather than allow standby/vampire power which can amount to a lot of juice if you add up all the devices doing this.

Re:

[GrumpySteen]

Not at all. It still makes a great paperweight and can be used to bludgeon enemies in a pinch.

Re:

[JohnFen]

I work with AMT systems. AMT systems can be powered up from being completely off (not in standby, etc.). This is accomplished because AMT processors contain an entirely separate little computer that itself never turns off, even when the rest of the system (including the CPU) is.

Re:

[Shirley Marquez]

Old school systems that had a physical Big Red Switch (including the original IBM PC, XT, and AT) really were completely off when they were off. But pretty much every computer these days has a soft switch, and depends on some part of the circuitry getting a bit of power to monitor the switch so it can turn the rest of the system on.

The year of Linux?

[roc97007]

Are privacy and security issues the leverage that finally puts Linux in people's hands in significant numbers?"

(Are there enough people who *care* about these issues?)

Re:The year of Linux?

[TWX]

(Are there enough people who *care* about these issues?)

Not for $700+ for an obsolete laptop, there aren't.

I've seen some niche things, but DAMN, this is takes the cake.

We have an X301 at home. It was a great computer when we bought it new, but the battery life is terrible by modern standards, the Centrino processor is slow, and the screen is dim and low-res. The weight, presence of an optical drive (though just DVD) and keyboard are the plusses. We just bought a replacement for it; I may still upgrade the RAM to 8GB from the 2GB that it has now so that it's a nice around-the-house lappy, but it's never going to be the primary computer ever again.

If they'd managed to do this treatment to a Thinkpad X1 Carbon or something else that's modern then I expect a lot more people would be interested, but somethis this old? For this kind of money?

Re:

[bill_mcgonigle]

Not for $700+ for an obsolete laptop, there aren't.

It would be a decent one for a CA, to keep in the safe.

Re:

[AmiMoJo]

Actually it seems quite reasonable for the money, assuming that the battery is new (re refurbed quality replacement cells). It's no screamer but a Core 2 Duo is plenty for most desktop stuff. The 1280x800 resolution is fine for a 12" display on an ultra-portable. 8GB of RAM max, and with an SSD it should be pretty quick. Even the GPU isn't bad.

Plus you get a nice Thinkpad keyboard, still pretty hard to beat, and Thinkpad build quality. If you want a secure laptop for business or general desktop stuff I'd sa

Re:

[caseih]

I have an X200 and specwise it's hardly any different from the current X220. Same processor (i5), same speed, same memory options. I bought it only last year specifically because it had a real keyboard. So, no the X200 is still a great laptop. And $700 is a good price, about par with used X200s.

When I got the X200, I wiped it and put Linux on it. Now months later, I was fiddling with the BIOS and discovered that the Lojack stuff is activated, and cannot be deactivated (fortunately it does nothing on L

Re:

[caseih]

My bad. The X200 is a much older laptop. The X220 is what I have and it's practically identical to the X230, which is the latest shipping version that has the chicklet keyboard that I can't stand.

Re:

[MagicFab]

I agree it's absurd to pay such a price for something Intel could be doing. Why is Intel's problematic setup the default in the first place?

The higher-than-ebay cost for this machine basically covers maintaining a proper commercial operation for existing formware/BIOS modification, distributing and seliing the system, including:

* Upgraded with an 802.11n wireless card (Atheros AR5B95, AR9285 chipset), ensuring full compatibility with free drivers in Trisquel GNU/Linux-libre.
* The Gluglug ships to USA, Canad

Re:

[RockDoctor]

Not for $700+ for an obsolete laptop, there aren't.

I got one of their previous offerings - an X60 with 3GB ram and a 320GB hard drive which I promptly replaced with a TB one I already had - for IIRC £220, and after a bit over a year I've had to spend another £20 to put a bigger battery into it. I dont' know what that translates into in dollars, whichever dollar you're using.

Everything works properly, and without hassles.

In contrast I spent half as much again on a brand new piece o

Re:

[RockDoctor]

Coming soon (in a future libreboot update):

ProteanOS BusyBox/Linux-libre operating system pre-installed directly in the SPI flash chip, alongside Libreboot. This will mean that the user has a full operating system available at all times (as part of the boot firmware) as a boot menu option for recovery or any other purpose such as updating libreboot, even if the HDD or SSD is removed from the machine. Those who order today will receive this as a software update when available, with installation instructions

Re:The year of Linux?

[future assassin]

Untill they classify it as a tool for promoting terrorism.

Re:

[roc97007]

Ouch. Good point.

Re:The year of Linux?

[CODiNE]

Let's not forget back in the day when Linux and the GPL was "communist".

Re:

[idontgno]

It's a snowclone.

"If you install linux, the X win!"

"X" is the bogeyman of the day. Historical examples include Communists, kiddy porn users, Terrorists, Anarchists, Freemasons, Jacobites, and immigrants.

Re:

[Gr8Apes]

Are privacy and security issues the leverage that finally puts Linux in people's hands in significant numbers?"

(Are there enough people who *care* about these issues?)

Nah, BSD will be on the desktop before Linux makes it. Wait, it already has...

Since when is AMT controversial?

[ArmoredDragon]

I've always found AMT useful. It's turned off by default, so I'm not sure how it's a security risk. What I like about it is the following:

- Allows you to remotely manage client PCs in a work environment, up to and including re-formatting the HDD with a new OS, including being able to remotely mount a local ISO image to install the OS.
- Works even when some of the most critical system components don't work, such as CPU, RAM, etc, as it's an independent subsystem. Even if you don't want the remote management features, this is a huge deal when you have a seemingly dead system and aren't sure exactly how to fix it. AMT helps you figure out the EXACT problem FAST, and you don't even have to have the computer in your hands to do so.
- Integrates with LDAP (including Active Directory, Samba, etc)
- Provides the ability to power on and remotely wipe the laptop if it was stolen and contains sensitive data.

So what's so controversial about it?

Re:

[Anonymous Coward]

It's not possible to turn it off. Among other things it handles the "Protected Video Path" on Intel GPUs (aka it implements DRM).

Re:

[TechyImmigrant]

It's off by default. What have you been smoking?

Re:

[Darinbob]

But the instructor at the certificate course assured me that it was safe!

Re:

[Anonymous Coward]

A locksmith can change a lock and then claim to give you all the keys to your lock. It's very possible that the locksmith has an ulterior motive, withhold a key to your lock and lie to you about it. You could now spend your life with this possibility in mind and do nothing about it, you can act to find evidence that this key exists, or you can choose to trust your locksmith that he isn't cheating you.

Tell me, do you personally change your own locks and personally cut the corresponding keys or do you trust t

Re:

[jabuzz]

I don't trust the locksmith. So I actually fit the lock myself, and when it comes to getting keys cut the locksmith has no idea where the lock for the key I am getting cut is going to be located because I don't tell them or even give them my home address. In fact they don't even know my name because I paid in cash.

Re:

[mrchaotica]

Tell me, do you personally change your own locks and personally cut the corresponding keys

I do. All it takes is a screwdriver, you know. Some of the newer locks (e.g. Kwikset SmartKey) are even designed to be easily re-keyed by the owner.

Re:

[TechyImmigrant]

Yes, please keep lecturing me about products I design. I'm sure I'll learn more by 'Googling around'.

Re:

[TechyImmigrant]

Its the difference between "turn it off" and "I don't want this to be on my computer in the future".

It's a benefit to you if you want to prevent someone with physical access to be able to turn it on then use it as a remote attack vector later.

Re:

[tlhIngan]

So what's so controversial about it?

It's not controversial. it's just it's another computer in your computer that's running Non-Free Software(tm). So they get rid of it and thus they have a computer that is Completely Free Of Proprietary Software.

Re:

[Obfuscant]

It's not controversial. it's just it's another computer in your computer that's running Non-Free Software(tm). So they get rid of it and thus they have a computer that is Completely Free Of Proprietary Software.

And also Completely Free Of Full Remote Management capabilities.

I have a bunch of servers that all have iDrac or other management connections, and it sure is a lot easier to talk to a malfunctioning system when there is a dedicated remote console server. I've had people go wild using memory resources on some compute servers to the point that memory management is killing parts of the operating system. Parts that are required to remotely log in. Dedicated remote management means I can get a console to at le

Re:

[AK Marc]

I can't recall a single laptop I've had that has an active network connection when it is off,

So because you've never had a computer with AMT, AMT doesn't exist? That's some weird logic you have. If your computer has WoL (most do) it has an "Active" network connection (as in a passive listening connection), even when you disable WoL, it's still listening, it just doesn't do anything. You don't have to electrically light your "transmit" wires to hear what's on the receive wires.

so how would someone use this AMT on a Lenovo laptop to turn one back on to do anything to it?

http://lmgtfy.com/?q=wake+on+l... [lmgtfy.com]

Re:

[Obfuscant]

So because you've never had a computer with AMT, AMT doesn't exist? That's some weird logic you have.

Didn't say that. I said I can't recall ever seeing it. Sorry the difference escapes you.

If your computer has WoL (most do) it has an "Active" network connection (as in a passive listening connection), even when you disable WoL, it's still listening, it just doesn't do anything.

It's hard to listen on an interface that has been shut off. Or on one that has been unplugged, which if you recall was what I suggested to deal with an always-on laptop network connection. Seems like I admitted they existed, which contradicts the words you tried putting in my mouth earlier.

I know what "wake on lan" is, and I also know that it is a BIOS setting to enable and disable it. Still, you can't "wake on lan"

Re:

[Darinbob]

So the whole point is to avoid walking to the client's desk? I remember when that used to be the majority of my social life...

Re:

[tepples]

So the whole point is to avoid walking to the client's desk?

Perhaps the point is to avoid flying to the client's desk in another country.

Re:

[RockDoctor]

And also Completely Free Of Full Remote Management capabilities.

I have a bunch of servers that all have iDrac or other management connections,

I suspect that you're not the target audience for this system.

I have an 18-wheler truck for sale. Would that be good for your daily commute to the building with the underground par park?

Re:Since when is AMT controversial?

[Rennt]

However you slice it, AMT is a backdoor. If you control the backdoor on your own equipment then you can do some cool tricks, but implementing a backdoor massively increases the attack surface of the system.

The question is whether the cool tricks are worth the risk. For managed corporate drone PCs the answer is probably yes. For everyone else it is definitely no. For a personal laptop it's an emphatic FUCK NO.

Badly written Hollywood movies used to give crackers stupid computer-superpowers. Now that AMT is here those kind of fantasies become reality.

Re:

[fuzzyfuzzyfungus]

Any remote management tool would be a 'backdoor', except that it is put in place by the owner for their convenience and with their consent.

AMT is a particularly powerful, and somewhat opaque, management tool. Anyone who suspects the possibility that(deliberately, or by mistake) those very, very, useful capabilities might be available to others under some circumstances would naturally be suspicious of it.

And, for the FSF and those who share their concerns, the fact that it is a wholly proprietary(and t

Re:

[unixisc]

So is AMT hardcoded into the silicon - is it a part of the CPU, or is it something that's a part of the firmware in the flash, but in the boot section, thereby making it unremovable?

Re:Since when is AMT controversial?

[fuzzyfuzzyfungus]

A mixture of both. The AMT system includes a dedicated ARC cpu [wikipedia.org], which runs its own OS and functions independently of the host to a large degree; but also can see into, and sometimes make use of, some of the hardware visible to the host system(details depend on version). For communication, for instance, the AMT system has access to the wired NIC below the OS's view(wireless NICs are more complex, I think AMT can do a direct connection to a trusted AP if configured to do so; but can't do VPN without piggybacking on the host OS), and it also has enough hooks into the various peripherals that it can do remote KVM in hardware, by emulating HID devices and snooping the framebuffer, mount an .iso as though it were a connected SATA device, and access some storage and memory locations that are also accessible to the host OS or programs, in order to gather data on system health, software versions, etc.

I'm not exactly sure how the BIOS/UEFI flash and the flash that stores the AMT firmware are related to one another. On computers with AMT, a 'bios update' will often flash both; but I don't know if that's because they are just different areas of the same SPI flash chip, or whether it's just a convenience bundling of two nearly unrelated updaters.

Re:

[Miamicanes]

As I understand it, at the bare-metal hardware level, AMT is basically a networked JTAG programmer grafted onto the ethernet controller that can do things like read & write values into RAM, stuff values into the CPU's registers, update the BIOS NVRAM, and override the normal boot process as long as you have physical ethernet access to the same network as the target computer & can present AMT with credentials it's satisfied with. It basically starts with the foundation provided by Wake-on-Lan & P

Re:

[TheDarkMaster]

The problem is that it is a too powerful tool that if used for evil can cause impressive havoc and no one would know until too late. And a too powerful tool where you are not sure if you have the control you should have. Usefull, yes, but a too big security risk for my taste.

Re:

[jhantin]

Exactly. How is this materially different from an integrated remote-access card and baseboard management controller? I'm at a loss why Intel used an Argonaut core for it, though. I'd have expected a lightweight x86, or maybe an ARM. However, all that is beside the point.

The main reason for all the hullabaloo is that the Intel firmware that normally runs on this coprocessor is delivered as a closed-source blob, which raises trust issues given how pervasive its access to the machine is. It's also had its

Re:

[MikeBabcock]

May I direct you to the other closed-source firmware story of the day about DLink routers having remote DNS admin capabilities without password? You can't trust remote admin features on hardware when you can't see or have someone you trust see the software its running.

Re:

[Troed]

What's controversial?

Heard of humanity's latest hero - Snowden?

On my personal computer there's no IT department that needs any of the things you mentioned. Thus it should be configurable.

It's not.

What's so controversial about AMT?

[lippydude]

@ArmoredDragon: "I've always found AMT useful. It's turned off by default, so I'm not sure how it's a security risk."

Either by accident or design, it allows for a backdoor into the system. I wouldn't be suprised it it didn't come with its own backdoor ref [gov1.info].

Re:

[gl4ss]

that's like saying that crotchless pants are great for easy access when traveling on the subway

Re:Since when is AMT controversial?

[Anonymous Coward]

God fucking christ dammit.

How can you trust any hardware unless you audit the design and the machinery used to implement that design on silicon?

The fact is that you can't.

There are almost certainly undocumented Intel instructions or I/O ports which will enable software to bypass OS level protections. I imagine they are used almost never, but when they're used, you can be damn sure it makes a huge difference to the party with the privilege to know them. What can we do about it? Sweet fuck all until we get over the idea of trusting big business/government contractor (but I repeat myself) and develop and implement hardware the way we develop software. Won't the start-up cost be prohibitive? Eventually no.

In the meanwhile, un-Clippered encryption will be outlawed, and hardware licensed to require backdoors.

Re:Since when is AMT controversial?

[halivar]

Oh, I can see it now. Some Linux enthusiast (wait, no, a GNU/Linux enthusiast; run-of-the-mill Linux enthusiasts are too corrupted by pragmatism) poring over hundreds of giant sheets of chip diagrams, nodding sagely at incomprehensible engineering spaghetti he doesn't even understand. "Hmmm... yes... this all seems to be in order..."

Re:

[gnupun]

wait, no, a GNU/Linux enthusiast; run-of-the-mill Linux enthusiasts are too corrupted by pragmatism) poring over hundreds of giant sheets of chip diagrams,

They don't do that (poring) even for software, that they can read and understand, hence all these critical bugs. Why should manufacturers spill their millions of dollars worth secrets to a bunch of freeloaders? Vendors are fully within their rights to keep their designs secret -- If you don't trust their products, don't use it.

Re:

[jones_supa]

We wouldn't have the screaming-fast modern computers with zigabytes of jibberies and Gordon Freeman if it wasn't for copyrights and patents creating business interest to put astronomical amounts of money and engineering into specialized proprietary research.

Re:

[unixisc]

THIS!!!! All the 'Libre' crowd rants about the source code of the software, but somehow gives a pass about the hardware not being open (here, RMS prefers the term 'open' to 'free', even while he rants at the term 'open source' for software).

And this laptop - a lenovo - how is it preferable to the Librem laptop discussed here a few days ago, which was built from the ground up to be made w/ only publicly documented parts?

Re:

[K. S. Kyosuke]

All the 'Libre' crowd rants about the source code of the software, but somehow gives a pass about the hardware not being open

You must be living on a different planet.

Re:

[hermitdev]

Not to be pedantic or argumentative, but how are you sure your open hardware design isn't manipulated or back-door'd after you hand it over to a 3rd party for manufacturing? There is no single person in the world that build a useful general purpose (in today's standards) computer from hardware to software, guaranteeing that no one else has had an opportunity along the way to manipulate it in some fashion. At some point, you have to start trusting people/organizations/companies. The fewer involved, the grea

Re:

[unixisc]

I agree w/ you, and the same argument goes for software. RMS and the FSF supporters tell us that we need the source code for the 4 GNU freedoms. Well, even hardware - particularly at chip level - has hardware description languages, or HDL code that defines it, both in a structural level and behavioral level. Yet, the same people argue that they are circuits, since they cannot be changed. Why not? Just get the HDL code, put it on an FPGA, and recode it whenever needed.

For the record, I agree w/ the O

Re:

[PopeRatzo]

There are reasons beyond the "4 GNU freedoms" to oppose these devices being installed into all new computers.

I'll bet your not so sanguine about having a device installed in your car that allows for remote shutoff, location reporting and monitoring of your driving habits.

Because the real question is not "what is so controversial?" but rather "how secure are these systems?" It's not about what a sysadmin can do with the power to remotely turn on your computer, but what some miscreant can do with that power

Re:Since when is AMT controversial?

[PopeRatzo]

At some point, you have to start trusting people/organizations/companies.

What you're really saying is, "You don't have a choice, so just suck it up, princess. Privacy is so 20th century."

No, you don't have to trust people/organizations/companies who have not earned your trust. You are the one paying. Use the power you have as a consumer. Weaponize your purchasing power.

And always, always reserve the right to just say "Nope, I don't need it, I don't want it, and I'll find another way."

Re:

[Ungrounded Lightning]

All the 'Libre' crowd rants about the source code of the software, but somehow gives a pass about the hardware not being open ...

You haven't been watching very closely.

*I* have been ranting on slashdot about AMT for years. Look it up.

Re:

[WillRobinson]

I absolutely agree with you. Looking back and remembering what we thought technology would turn into from the 80's and looking at it today's light, things have gone to hell in a hand basket compared to what we thought these technology's would become. Remembering back to some of the first hacks we read about, I never thought we would be spending so much energy on securing every point, as either someone was trying to abuse the system or our own or other governments and entity's trying to monitor us or steal f

Re:

[Fjandr]

Even then, you can't really be sure unless you inspected the silicon wafers yourself.

Re:

[Anonymous Coward]

It'd be a security risk even if AMT were open source.

It's an entire other operating system running on what is basically an entirely different computer that has complete control over your server. Do you bother updating it? You spend how many hours making sure your server software is up-to-date, and yet it's all for naught if a hacker breaks in through AMT.

Same thing goes for IPMI. Heck, some vendors were shipping boxes with IPMI enabled, _and_ with SSH enabled to IPMI, _and_ with a default password.

It's an i

Now that all the secure everything is gone...

[Anonymous Coward]

Can we put it all back, under our control?

I want a computer that secureboot's my signed bootloader that boots my signed kernel that executes my signed init and starts a signed console with a signed login and logs me into a signed bash.

I want the promise fulfilled: that I know with cryptographic certainty that as long as my key is secure, "They" have not tampered with my persistent environment.

A far cry from what it has become: the MAFIAA knowing with cryptographic certainty that I have not tampered with my environment.

Re:

[Anonymous Coward]

"They" are the ones manufacturing the computers. Like the one you used to post that crap, for example.

Secure Boot was only ever meant to do two things, neither of which involve security or booting:

1) Make it more difficult for anything other than Windows to run without minor to major headaches on a PC.
2) Give Microsoft a means of providing a license key per copy of Windows in an area that the end-user can't get at. It's an extension of the "no used games" idea they had for the XBONE that people freaked the

Re:

[yuhong]

This is full of errors. For one thing, the way the Win8 license key is stored in the ROM has nothing to do with Secure Boot. I think it uses ACPI.

Inquiring minds want to know

[Qzukk]

But does it run Windows?

Re:

[Anonymous Coward]

So in other words I'm not free to choose which user-space operating system I want.

AMD

[Atmchicago]

Would it be easier to go with an AMD laptop? Do they have similar firmwmare concerns?

So...

[Chas]

$550-750 for a 6 year old, low-resolution, low memory laptop?

I mean, if I absolutely HAD to have something FSF-compliant without the possible security risk of AMT...

But, honestly, that same amount of money will get you a MUCH better NEW laptop and there are ways to secure a system around AMT.

Re:

[TWX]

...if I absolutely HAD to have something FSF-compliant...

Such requirements are only self-imposed requirements. Even defense contractors like Boeing use stock computers from large OEMs like Dell.

I can't think of a single instance when something being FSF-compliant matters at all, except maybe if you want to work for Richard Stallman. If Wikipedia is to be believed then there are exactly twelve people in the world affected.

Re:

[TheDarkener]

I can't think of a single instance when something being FSF-compliant matters at all

Except for ones own piece of mind, of course. Which I guess doesn't matter.

Re:

[Chas]

This is where the whole notion of risk management comes into play.

Now, if you're a world famous nuclear scientist working on spurting-edge fusion power experiments, a stupid-rich CEO of an unpopular company or a politician with even more dirty laundry than your AVERAGE political hack, you're probably a FAR bigger target than "Joe Familyguy".

I'm not saying "don't secure your shit.

But at some point, the risk/return equation simply becomes unacceptable for most people.

Technically, if you disassembled your mach

Re:

[RockDoctor]

Even defense contractors like Boeing use stock computers from large OEMs like Dell.

I don't know about defence contractors, but I'll be in the offices of an oil major tomorrow lunch time because they wipe the hard drives of all their OEM laptops and re-image them with a heavily customised version of XP, Vista or Win7 with all sorts of weird different networky things. Pain in the arse, but that costs them money - I go into their office for a videoconference meeting (because their laptop won't work on anyone

Re:

[tshawkins]

Interesting, the first time they did that, it would trigger a wave of replacement world wide, so you get the situation where they wont because they dont want to burn that card.

It long past the point where the world needs a reliable supply of non-US based technology components, i now consider almost everything originating from the US as being irrevocably compromised. And china is not much better.

We have sold our souls to the devil for the nice tunes he plays, and now we have to pay.

Re:

[AHuxley]

Re: "It long past the point where the world needs a reliable supply of non-US based technology components, i now consider almost everything originating from the US as being irrevocably compromised"
Yes this is the first small positive steps that keep the networked computing side. The user gets new firmware, hardware and an OS thats more understood. The hardware also has some of the more remote friendly aspects looked at.
The next step for nations is a box with a chip and motherboard that is fully underst

Re:

[AHuxley]

Re: "But, honestly, that same amount of money will get you a MUCH better NEW laptop and there are ways to secure a system around AMT."
The issues with the newer systems is the remote low level access thats part of the "NEW laptop" or computer system.
If a person is seen and tracked outside away from their networked computer that would give time to access that networked computer.
Some of the needed tools are are built into the hardware as sold and powered waiting for the remote commands.
After a system is a

Re:

[RockDoctor]

I make it a smidgin under $400, since I've got bigger hard drives already available. Assuming you're talking about US dollars.

Say you wanted to spend $750 on a newer laptop, then needed to spend 10 hours researching it and working out how to disable all remote management things and remove proprietary blobs from the firmware. Oh, and add in a modern WIFI chip too. That would be implying that you value your time at ~$35/hour.

If you value your time more highly than that ... well, it may become worthwhile to

What about CPU microcode?

[Balial]

If you're going to drop the Intel ME, Intel could still put something together in the CPU microcode patches. Or, you know, just in the silicon itself.

This product is a sham. "Only free software -- until it's not".

Re:

[gnujoshua]

Except that the Intel Microcode on the CPU has been wiped no Intel Microcode patches or updates are applied to the CPU on the Libreboot X200. So "it is free software and it continues to be free software?"

Re:

[The Finn]

CPU microcode still exists even if the blobs aren't included. You're just limited to the version that's included with the stepping of your CPU. I believe the management engine (ME) on the chipset is the same way. (On the server side, at least, the chipset won't allow the CPUs to boot without an ME blob.)

Just because your software doesn't include any blobs doesn't mean that there aren't any blobs on the hardware.

Re:

[yuhong]

Microcode don't run when the computer is powered off and can't connect to a network directly.

I am actually excited about Intel AMT

[iamacat]

If I understand it correctly, I would be able to power on, fix or reimage my home desktops/laptops while at work or away on a trip. Or fix my moms crashed computer from half way around the globe. And, since all communication is authenticated with a TLS certificate, there is little danger of other taking over my hardware.

I understand people's right to be paranoid or want 100% open systems, and hope that appropriate choices remain available. But even for most Linux kernel developers a failsafe way to repair a

Re:

[gnupun]

If I understand it correctly, I would be able to power on, fix or reimage my home desktops/laptops while at work or away on a trip. Or fix my moms crashed computer from half way around the globe.

And govt agencies and hackers would also be able to do this and we don't want that. As far as fixing your mom's computer, a simple video chat using some mobile phone can be used to fix the computer, without the invasive spyware.

Re:

[iamacat]

Have you ever actually tried to fix an unbootable computer over "simple video chat" with a non-technical person? Hehe.

I would install a pre-shared key and not give it "govt agencies and hackers". If they have a secret backdoor into TLS or intel hardware, I am screwed anyway.

Intel Active Management Technology ..

[lippydude]

" Intel Active Management Technology [wikipedia.org]: Known Vulnerabilities and Exploits"

What is needed is another OOB security-sub-system to protect the Intel Active Management Technology from getting compromised :)

Re:

[Anonymous Coward]

Newer Intel things are much harder to free (for example, removing AMT from later Intel boards makes it reset every 30 minutes like clockwork.) At least people are trying to do something though. Instead of bashing on these efforts, why not focus on getting Intel and AMD to free those proprietary bits of software? Then it would not be necessary to waste months of effort on older hardware only to have someone bash on them that it's not good enough.

Re:

[unixisc]

I fully endorse this! I visited a Linux conference in my city several months back, and all the booths had something interesting or the other. Only exception was the FSF - except for slogans like iBad and posters & stickers, they really had nothing worth showing. And how can they be, when they've completely discounted the importance of good products, and made liberated products the only criteria by which to endorse? Other companies make products around Linux or the BSDs, while all these guys do is ta

Re:

[borknado]

I agree, for me it stands for RMS Decidedly Successful. He's on the level of Alan Turing. Turing was driven to kill himself by people against who he was back then. Same thing for some people now with RMS. His philosophy of freedom as in libre will be common sense in 100 years, and people like you will be looked back on in shame.

Re:

[borknado]

Funny how when its RMS, it's "religion" and "god worship" but when it's Einstein or Newton it's just appreciating the immense contributions made by a gifted intelligent individual. I hear the same thing with anti-Obama nutbags, calling anyone who has admiration for him a stupid "worshiper" who "drank the Koolaid". Ah, the convenience of self-justifying logic. How nice that must be for you.

Re:

[borknado]

lol, I had you pegged. Anyone who likes someone you don't like is a "religious zealot". Face it, you just resent RMS, and Obama, who are in your face about being good people and doing good things, and you can't do anything about it. You're the very picture of abject impotence..

Re:

[borknado]

Icaza is an interesting person. I loathed him during the Novell days. He was doing evil in my view. Now, at Xamarin, I think he is doing immense good. But, he is only doing that good because he was stopped from doing any more evil. Sometimes brilliant people need to be contained and redirected. Icaza is a prime example.

Re:

[unixisc]

Why not go w/ the Librem [crowdsupply.com], discussed here a few days ago?

Re:

[unixisc]

Get the FSF/RMS to do some ass-smooching, and then you too will get your /. headline

Re:

[unixisc]

I've wondered that as well. Why do these laptops need to be based on an x86? Use something like RMS' previous fav - a Loongson CPU, or an Allwinner - the same thing being used for some Android tablets. That way, one can get a fully documented thing. Of course, it would be illegal to sell that in the US due to laws violating IP, but since when has that stopped RMS, or the FSF, which is his sock puppet?