Hi guys! I have had my Librem 14 for one week now, and I have been using it and enjoying it. The weird right-hand shift key throws me off, but other than that it’s been fun. I’ve been trying to only install software through the native package manager in general, and I also compiled and ran an open source LibGDX game that I have been working on as a hobby for a few years and this 3D RTS project ran beautifully with 60 FPS here on the Librem 14. Although my code is kind of an emulator for an old 2000s game and uses some nonfree 3D artwork for the characters, the code is mine and fun to use.
So I’ve been enjoying this device but I found myself on the holidays talking to folks about computer security and I’m suddenly reminded how I feel like any attempt to even understand what I should be aiming for with computers these days is derailed by differences in common foundational understandings.
When I use Wireshark on Windows, I can see that Windows calls home all the time. If I run my favorite 2000s game program that I thought was an offline game, every 3rd time or so it shoots encrypted traffic off to some Azure Edge “app click tracker” for Microsoft that I assume is a bean counter on EXE clicks and maybe some other things. When I open my Librem 14 and use Wireshark, it’s pretty quiet. There was some TCP connection when it was first starting up to some IP that was already DNS resolved by the time I opened Wireshark, and for which a whois told me it was Fastly in California (not sure what that is), but in general it’s much quieter than Windows. Like my Librem 5, I just feel good using this thing.
But is that only because I’m telling myself to feel good about it? I found myself having a conversation with folks who see “going it alone” with computer security and not sending everything we do back to major corporations as being probably a bad idea. We talk about the SolarWinds/SolarFlare hack and how most major agencies in the United States including the Department of Energy (nuclear weapons) were compromised, and how Microsoft was compromised, and this was all known to have happened. And so we talk about how maybe Microsoft being compromised means that all these people whose machines report their clicks to Microsoft might be likewise compromised.
But, on the flip-side, there is this idea that the Microsoft backdoor into everything means Microsoft can fix it. Is the future a world where “being compromised” is what happens to anyone who tries to “go it alone” and use open source software, because one mis-click installation of something bad run at the superuser level might install some vile garbage from a foreign nation state that spies on us forever, and that is effectively invisible? Whereas on devices running Windows or Android or Mac that the user practically doesn’t own, the constant surveillance means that the major corporations can always be aware of threats and always take action. And here on my Librem 14 where I want to feel safe, for example if someone finds a zero-day in whatever browser I choose, they might get into my system and never get out because I don’t have a big-budget security team watching over me.
And yet, in other circles and with other people, we have talked ourselves in circles with our dislike for these corporations and their invasions of privacy and their efforts to control our lives. And now, talking to people who happily give up their data, there is actually an understanding of what the free software is trying to do and the desire for control, and they see that as a form of toxic self-harm focused on the wrong threat actors. It’s suggested to me that the threat isn’t Google or Apple or Microsoft or their friends, but rather targeted spear phishing that only Google or Apple or Microsoft can save you from that would otherwise compromise your tech when you need it most, such as for those really personal things like shopping or mobile banking where you enter private personal details that need to be handled with care.
So, I guess it puts me in that weird situation of wondering, how can we know what to trust? If I decide to trust my Librem 14 more than my Windows, is that just an emotional choice based on whatever I decided to put in my head, and have I simply been “pwned” by Purism, or a foreign nation-state actor working through them to convince people like me to use devices where the device owner is the superuser, so that those foreign nation-states can hack in and become the true superuser in my place?
I find it very hard to prove a negative: how can I prove my Librem 14 is not infected with invisible malware? How can I prove my Windows device is not infected with invisible malware? If it were infected by a known threat then we could isolate and determine that, and prove it was present. But how can I ever prove it is not present?
And if there is no way to prove a negative, then is the only safety something that comes from proving a positive by the active work undertaken by wealthy major corporations on behalf of their users (or useds)?
If you were presented with a physical computer and invited to use it for some time, how would you convince yourself to trust it?