Interesting podcast discussing security in relation to Monero CCS Wallet Hack, mentioning Purism, free software, Intel ME

I thought this podcast episode from two weeks ago was really interesting, in particular the first 45 minutes where they talk about how a particular hack may have happened, the importance of free software, why any proprietary software on your device (including any DRM) should be seen as a vulnerability, how and why Intel ME is dangerous, and so on.

They mention the efforts by Purism and System76 to disable Intel ME and why that is important, also the Librem 5 kill switches are briefly menitoned, as well as GrapheneOS and the security issues with mobile phones compared to laptops.

The background is a recent incident where some kind of fund the Monero project keeps has been hacked, but you don’t need to know any details about that to listen to this, the discussion is mostly about how to be secure in general. In particular Francisco “ArticMine” Cabañas talks a lot about why you should use free software, I found that interesting and my impression is that he knows what he is talking about.

What do you think?

Edit: here are times of some of the most relevant parts if you want to jump directly to those:
00:10:20 to 00:18:00 : Dangers of DRM, Intel ME and so on
00:26:50 to 00:35:00 : “The mainstream is insecure”, free software, Purism&System76 disabling Intel ME
00:39:30 to 43:00:00 : need to go to other countries where it is legal to do research on Intel ME
00:44:00 to 00:46:00 : mobile devices, GrapheneOS, and “Purism phone” kill switches mentioned

6 Likes

Two hours is too long to listen to. Any chance you could list important timestamps relevant to Purism? Here is what the podcast lists:

  • (00:00:00) Intro
  • (00:06:00) CCS Hack Incident
  • (00:19:40) Security advice and Multi-sig
  • (00:36:55) Proprietary tech and solutions
  • (00:45:00) Moonstone Research Postmortem Analysis of the Hack
  • (01:26:00) Fluffypony Proposal to disband Core
  • (01:36:00) Funding & Governance going forward
  • (01:56:00) Closing remarks and Outro

I would say about fifteen minutes is a reasonable length of time I can afford to give this podcast.

1 Like

Okay, here are the best parts:

00:10:20 to 00:18:00 : Dangers of DRM, Intel ME and so on
00:26:50 to 00:35:00 : “The mainstream is insecure”, free software, Purism&System76 disabling Intel ME
00:39:30 to 43:00:00 : need to go to other countries where it is legal to do research on Intel ME
00:44:00 to 00:46:00 : mobile devices, GrapheneOS, and “Purism phone” kill switches mentioned

If you are strict about your 15 minutes limit then pick the first two parts.

3 Likes

Too bad you deleted your post; I literally read it from top to bottom.

Not strict: this is still approximate and variable depending on my schedule and interest. I will see if I can dedicate time to the podcast later today.

1 Like

Not much to say about their conversation, but will give a few comments about my perspective of the topics themselves.

I do not interact with anything related to DRM; I see both the thought process and actual practice ineffective.

The main reason why I support Purism is because of their efforts to reverse engineer the Intel ME. Given enough time and resources, that would liberate, in theory, half of x86-64.

The rest seems to be rambling.

More relevant to me, but nothing I can personally benefit from; my security practices are already super strict as is.

I do not necessarily follow the “mainstream is insecure” paradigm, but it just so happens to be where I ended up. I still critically examine what tools the mainstream has in order to compare and contrast between their position and mine.

Well there are many approaches to dealing with doing research on Intel ME; I suppose moving countries is one available method.

They neglected to mention unlocking the bootloader on Android devices. Also, they are not very familiar with the Librem 5.

They really should get a better microphone.


I already have prior interest in secure finance from a “cypherpunk” perspective, so Monero has been one asset I have been thinking about using myself. My current thinking, subject to change, is centralizing my trust on the Trezor Model T. I have yet to follow up on more research regarding this, but I will inevitably do so given enough time.

1 Like

Thanks for reading through it! I realized too late that there is too much fear and paranoia floating around, and would rather abstain from contributing to it. I will share some of what I wrote in a reply to another thread with a more informative tone :slight_smile: ill come back here to discuss some of these subjects when time allows

3 Likes