We can get around Intel ME?
I could be wrong, but if I remember correctly, the Thinkpad x61 was the last version to ship without Intel ME, and I assumed the meme was a nod to that.
Don’t buy an Intel CPU :)
AMD has PSP, same bullshit. I’m not ARM ready either.
Pretty sure there’s a script somewhere that neuters it a bit.
Some computers do not require having the ME firmware installed. Usually, these are computers supported by a 100% free BIOS replacement such as GNU Boot (see the compatible models on the website). Libreboot was fully free in the past but it’s not true anymore since it does now support computers needing the ME working (at least for computer initialization) but neutered so that most of it can’t operate. However, you can’t be sure whether a neutered ME is harmful or not since we don’t know what it can really do as the initialization source code is not known.
They missed out the firmware in the WiFi adapter
Openwrt.
That’s not firmware in wifi adapter.
Unless you’re me who uses an OpenWRT router connected to wifi, plugged into my laptop via Ethernet
That is still not running in the wifi chip itself.
fool of you for thinking timmy would have wifi in his thinkpad T430
wifi? Nope. snip, snip
I don’t know, but I’m down with the clown… oh sorry, I thought you asked what was a Juggalo
Ah yes, a Linux teenagers power fantasy. Hardened Gentoo and Selinux beats deblobbing btw, noob.
Selinux
Hey, let’s not get crazy. I still want to use it for practical things, too. /s
You can’t impress me with a bog standard Gentoo. If you want to show power, build a fortress. At least put some tripwire you mostly trip yourself on (program that keeps an encrypted hash database of your system files to find intrusion changes, needs an update with every update of course or it alerts only your negligence).
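As an added example (not code from this thread, and not the Tripwire project's own code), the following Python sketch shows what that comment describes: a baseline of file hashes over a directory tree, a check that reports modified, added and removed files, and, instead of "encrypting" the database, a keyed HMAC over it so that a baseline rewritten by someone without the key is itself reported as tampering. The directory contents, file names and `DEMO_KEY` are constructed for the demo; in practice the key and the baseline live off the monitored host, and the baseline has to be rebuilt after every legitimate update or the checker only reports your own negligence.

```python
import hashlib
import hmac
import json
import pathlib
import tempfile

# Key that authenticates the baseline database. Constructed for this example;
# a real deployment keeps it off the monitored host (read-only or offline media).
DEMO_KEY = b"example-key-do-not-use-in-production"


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root):
    """Relative path -> {sha256, size, mode} for every regular file under root."""
    root = pathlib.Path(root)
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            entries[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return entries


def build_baseline(root, key):
    """Serialise the scan canonically and authenticate it with HMAC-SHA256."""
    payload = json.dumps(scan(root), sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "mac": tag}


def verify(root, baseline, key):
    """Compare the live tree with the baseline; flag a forged database first."""
    payload = baseline["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["mac"]):
        # A database rewritten without the key (attacker re-baselining their
        # changes, or plain corruption) is a finding, not something to trust.
        return {"database_tampered": True, "modified": [], "added": [], "removed": []}
    old = json.loads(payload)
    new = scan(root)
    return {
        "database_tampered": False,
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def demo():
    """Constructed scenario: baseline, tamper, re-check; returns three reports."""
    with tempfile.TemporaryDirectory() as d:
        root = pathlib.Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("welcome\n")

        baseline = build_baseline(root, DEMO_KEY)
        clean = verify(root, baseline, DEMO_KEY)

        # Simulated intrusion: replaced binary, new unexpected file, deleted file.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls --color \"$@\"\n")
        (root / "bin" / "extra").write_bytes(b"\x7fELF")
        (root / "etc" / "motd").unlink()
        dirty = verify(root, baseline, DEMO_KEY)

        # Attacker re-baselines to hide the changes, but lacks the real key.
        forged = build_baseline(root, b"wrong-key")
        forged_report = verify(root, forged, DEMO_KEY)
    return clean, dirty, forged_report


if __name__ == "__main__":
    for name, report in zip(("clean", "dirty", "forged"), demo()):
        print(name, json.dumps(report))
```

The HMAC gives integrity of the database, which is the property the "encrypted hash database" is really after: encryption alone would not stop an attacker who can write the file from replacing it with one they generated themselves.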
Tripwire should encrypt everything and store the key in RAM. Shutdown after 30s if the emergency overwrite string is not entered, stored encoded on real-life paper in a vault with a 9-digit alphanumeric lock. 😏
Fuck yeah, that’ll show them!
Rkhunter?
I always wondered, did anyone ever find something with it? Wouldn’t a rootkit that is known enough to be in the detection file be outdated? But yes, you read the docs, points to you!
Yeah rkhunter looks for all the common kits BUT ALSO checks for suspicious changes if enabled as a service.
You’ve made me miss grsec and rbac again 🥲
Good old days :') I only noticed yesterday the grsec patches are no longer available, such a shame.
The maintainer had an epic meltdown over hardware vendors using the code and both breaking the license agreement and implementing it wrong so it didn’t work right.
I love this idea when in reality they probably have some Israeli 3rd party that they use that can just pop any system in under an hour regardless of any protection you think you have.
Can’t have ring -3 vulnerabilities if your CPU doesn’t have a ring -3
I got into gentoo because it made patching the kernel to hold luks keys in debug registers instead of RAM easier than Arch 😅
Wait, what? That’s so cool! Care to share somewhere I can start looking into this?
Thank you very much!
Hero.
Lmao
“Hang on, you mean to tell me this fucker barely uses the internet or TV at all anymore and instead just reads books and watches old films on disc? Like real books, not ghost-written memoirs of our favorite elites?”
“His fucking kernel is deblobbed too?”
As a noob, I genuinely can’t tell if this is real jargon or not
Lol tell me your computer is blobbed without telling me your computer is blobbed!
I would love to be fully open source but what metal to use…?
Tower’s explanation of blobs is kind of strange and not really correct. In a general sense a binary blob is just a situation where you have open-source software that is combined with proprietary components.
Most relevant example to the meme is that the Linux kernel is open-source, but can sometimes contain drivers that are proprietary and don’t have source code available. Those proprietary drivers would be the blobs.
As a counter-example, the linux-libre kernel that devfuuu linked to, is a version of the Linux kernel that has had all the blobs removed.
Oh that makes so much more sense <3
It’s referring to binary blobs. A windows exe might be a binary blob.
These are distributed compiled. Even if the project is open source, the binary blob might have been generated by a compromised compiler. This is one of the reasons the XZ Utils compromise went unnoticed for so long. One of the compressed files used for testing contained malicious code that would be included in the build artefacts (i.e., the final compiled binary) under very narrow and specific circumstances.
So “deblobbed” means absolutely everything in the OS was built & compiled on their computer from original source code
Thanks! I wonder if I will ever reach that level of privacy paranoia. At the rate that I’m going, maybe 5 years.
Thanks. But I don’t understand why any of that ensures that the compiler isn’t compromised? Do you mean they have presumably vetted the compiler themselves first? This is something that would be incredibly time consuming to do, assuming we are talking about gcc or something equivalent, which, I mean if you’re compiling an OS…
That’s true.
But the idea is that there are no precompiled binaries that are implicitly trusted.
So you CAN vet all of the code and artefacts, and if something doesn’t seem right you can trace it back to the code and understand exactly why, instead of seeing a black-box binary and coming to the conclusion “it’s doing something it shouldn’t, but I don’t know what or why”.
The idea is that you are in control of the entire build process. But yes, it would be extremely time consuming to vet GCC, build it from source and (I guess) compare checksums/hashes against published binaries. Then vet all of the source code of everything you need to compile for Gentoo, then compile that and compare checksums/hashes etc.
Which is why it’s in a 4chan meme. But I imagine government agencies will have some deblobbed Linux installs with the technical capacity to vet all the code and artefacts.
Ah yes… Government… Yeah, they seem extremely… very competent… For sure, for sure. But yeah, thanks, see ya.
The concepts they’re referring to have more to do with Ken Thompson’s Trusting Trust essay. Laurie Wired recently came out with an episode about it. It’s a rather intractable problem in computing, and unfortunately, even with the best practices to overcome it, you can never be 100% sure that your system is completely free of compromise.
Funny, I just watched it :D great recommendation
A government hackerman would be the same guy. Except working for the government.
Time for the $5 wrench…
Or just beat the shit out of them and get the info you need (or more likely want).
Relevant xkcd: https://www.explainxkcd.com/wiki/index.php/File:security.png
that did actually happen to a guy, over the password to his bitcoin account
https://abcnews.go.com/US/nyc-crypto-kidnapping-torture-case/story?id=122280419
Holy shit!
Wow, forgot about this one.
Yes, that is what the wrench is for…
Yes, that is how you’d use a wrench in that context
Not a hackerman, but I really don’t think that 12yo CPU is much more secure than a modern one.
Probably a reference to coreboot systems and maybe RISC stuff like open SPARC.
Let them try to hack my C64 ✊🏻🤘🏻
It will prevent you from doing a lot of the things that will get the NSA interested in you?
Imagine trying to brute force a password on a Dell.
A correct assumption
Older ThinkPads had socketed CPUs, allowing you to upgrade to pre-IME Intel chips.
If we’re talking about security, the newer CPUs have better microcode. Those older CPUs are vulnerable to attacks such as Spectre. Older boards supported by Libreboot, such as the Haswell boards (e.g., the Dell 9020 OptiPlex), support 100% free BIOS firmware, which is meant to be used in conjunction with 100% free software. If you do so, you will have more security, freedom, and privacy than on any other modern consumer-grade computer.
Then again, these boards are old, so, given the microcode is old, if you’re running a virtual machine with a bunch of malicious software, an attacker can potentially exploit your host’s CPU and break out of that VM. Of course, determine your threat model. Are you running no JavaScript ever and only using libre software?
A deblobbed kernel isn’t great either in some cases, you may need some patches. For example, someone was able to exploit Intel’s iGPU on these older boards and gain complete access to your machine. The only way to fix this is by using a blob. Though, if you strictly only use libre software, this wouldn’t be a concern as much so you wouldn’t need this blob.
If you stick strictly to 100% free software, older hardware and a deblobbed kernel might be appropriate. But if you need to run blobs along with other proprietary software like JavaScript, the security provided by something like the Intel iGPU blob patch could be beneficial.
Literally just spends all day commenting hacker news posts