Preventing shipment interception, providing hardware integrity verification

Firstly, let me be clear: I highly respect and appreciate everything the Purism Team have done to date, want to support you and have an L13 and L15 on order, however am now feeling like I may need to cancel my orders.

THE PROBLEM
The real issue here for me, and surely must be for everyone else too (?) is what’s the point of stripping all the spyware / hack vulnerability out of these laptops to then allow it to be reinserted again during transit to the end user? Seriously, doesn’t this make the whole Purism project a fail, until we resolve this?

In the post “Preventing Shipment Interception”, solutions were proposed (holographic seal tapes, glitter nail polish over screws, etc) then quickly defeated with confirmed existing government practices (syringe to inject acetone under seal surface etc). To me, these solutions only help us confirm we have received a hijacked device which is then of no use to us. The real objective / solution surely is to deliver the Librem to the end user in a “guaranteed secure state”.

THE SOLUTION
Are there solutions that can be developed / offered (even at additional cost?) to receive in a “guaranteed secure state”? such as:

SOLUTION - Technical
Is it technically possible to deliver solutions like suggested by @pixel such as laptop signing key, fingerprints, etc, which would cryptographically sign the motherboard to prevent change, or similar ideas?

SOLUTION - Physical
Just sharing thoughts, but I may be interested in an “option” to choose some additional physical security. If we made it “too difficult” for them to quickly interfere with the laptop while in transit(?)
For example:
I) to choose one-way security screws, in conjunction with having you “super-glue” or “Loctite” the screws in the back cover. Also use super-glue to glue the back cover on even under the screws so they can not access inside. I accept that would mean I have to purchase a new replacement cover along with a replacement battery 2 years down the track, but thats a cost I would accept.

II) use stainless steel screws as they are a lot more difficult to micro-drill into the head and use an “easyout” (screw extractor) to remove the screw.

III) if points above were implemented and did actually stop a hardware / chip hack, but laptop was shipped in a bootable state, then we are still susceptible to boot / software install which still means delivered device may not be secure.

IV) deliver each Librem in multiple shipments for end user assembly(?) to avoid “boot-n-tamper” in transit(?) but then is susceptible to chip replacement hack as case is not super-glued together.

V) Other feasible solutions(?)

FINAL COMMENT
If you think this post is an over-reaction, consider this: Purism is manufacturing laptops DELIBERATELY designed to circumvent government malware / hacking / hardware monitoring, so if YOU were in charge of such monitoring, would you not specifically target ALL products dispatched by such a niche manufacture? I think this “delivered in a guaranteed secure state” is as important as all the other aspects you have so brilliantly addressed to date.

@mladen @jeff @pixel @jvader @todd-weaver and others, I would seriously appreciate your response to my thoughts above AND/OR other solutions as I am genuinely seeking a solution for us all, and so I do NOT have to cancel my orders.

Thx
bit

As evidenced by that threads discussion, we’re all in agreement on this. This industry has a history of things that look like over reactions until you see them in effect.

Now that we’ve given our feedback on that thread, Im waiting to see what they come up with.

Making it physically tamper proof would be awsome even post sale.

thats one reason i choose a retina macbook a few years ago, which has its ram soldered onto the motherboard. passwd the firmware, and no cold boot attacks, no decrypted drive (since the key is in the ram) etc. apple also doesnt allow for firmware password resets, making that harder too.

a randomly generated boot password could also be available to the user on the web site, or sent along with the pics etc in the email with the pics. part of the buying process would have to be uploading a pgp key.

these days, its no big deal for the paranoid to get ram maxed out. if they soldered it on, they could run memtest for a couple days before adding it to their inventory, or in purisms case, the eternal backlog.

Nothing is completely secure. This is pretty understood in the physical space. That’s why home security companies like tyco or or adt don’t sell things by saying - “buy our product and it is impossible for a criminal to break into your house!” That kind of security doesn’t exist in the physical world and it doesn’t exist in cyber space either. Anyone promising 100% impenetrable solution is selling snake oil.

@thomas.chiantia

“Anyone promising 100% impenetrable solution is selling snake oil.”

But security is a game of risk vs. reward…The goal is to make things incrementally more difficult to attack to dissuade attackers, not provide ‘perfect’ protection. Doing nothing is worse than having even rudimentary protections. To extend your analogy and flip it: homes with security system signs and yet lacking any real system, still get burgled less often.

My problem with Purism machines in their current state is that they are not much more secure than any other commercial laptop running Linux. They are finally starting to run Coreboot, but even that still retains a great deal of problematic binary blobbed code. The jump to Libreboot or a blob free Coreboot is NOT a small leap either. The ME has not been fully neutralized and could easily be ‘fixed’ by Intel to render the ME cleaner process useless. CPU bugs that demand microcode updates could be used by Intel to leverage ME updates as well, meaning previously ‘freed’ machines would be back under Intel’s lock and key unless you dare running with broken microcode.

You could buy a Raspberry Pi 3 for $35 and get virtually same end-result regarding libre vs closed firmware. Add the ability to acquire Pi’s virtually anonymously and you’ve tipped the scales.

Intel is simply a bad platform to start from if you want end-user control, privacy, and anonymity.

Thanks for your reply @M12321, appreciate your insight. My coding skills may embarrass me in public, but I appreciate security is a game, encompassing risk Vs reward, which I most certainly comprehend and practice, hence my “Final Comment” at the end of my post. I feel the Purism Librem the team have created so far is a good start if they can be delivered in a “guaranteed secure state”.

This topic was raised 18 months back and I would still appreciate a response from @todd-weaver or one of the Purism team members, so we know the official perspective on this and any possible action plans and timing.

Sincerely
bit

I think the glitter solution was not countered and is a pretty good first-approximation to tamper-evidence. Also taking a photo of internals that the end-user can compare.

This would have to be optional; I imagine most buyers do not have a PGP key (and telling them to generate one is sketchy because they may be buying a new laptop to replace a failing or untrusted one; you would not want the private key falling into the wrong hands or being lost to the buyer forever on a broken harddrive…maybe a throwaway just for the purchase, hut then web of trust is impossible).

@ArloJamesBarnes @pixel Appreciate and agree with your comments re the glitter polish could help solve the internal attack, so lets for a minute say that has addressed the physical internal attack.

What can we do about the software attack… ? If we (in addition to above) shipped the laptops WITHOUT the SSD, would that 100% prevent them injecting malware into a chip, or even just powering up (without the SSD) can they still install malware onto the hardware some how? OR, as suggest by others, (leaving the SSD installed) and set a bootup password, would that prevent injection of malware into a chip… ?

Thx
bit

@bit

You probably aren’t going to like my answers.

Getting physical access to a machine during shipping means (in order from easiest to pull off, to hardest, depending on your adversary’s resources) -

1. Any OS on any type of storage (HDD, SSD, etc.) is easily compromised. Any type of malware/rootkit/modified kernel etc. can be placed on the system. This can be negated by wiping the entire storage device and installing from scratch only if none of the below methods were also used. The methods below could be leveraged to restore any compromised OS component even after a wipe.

2. Even without an OS or any storage device at all, Coreboot/SeaBIOS are easily compromised in the firmware leading to an undetectable persistently compromised system. Even booting the system from USB and re-flashing would not help if the modified payload takes steps to preserve itself. This can only be negated by re-flashing the BIOS WITHOUT BOOTING the affected device (because you can’t trust anything it does after boot). This means having to use an external programming device. Needless to say, most users will never be comfortable with this and it still doesn’t guarantee a clean system if hardware modification has happened (listed below).

3. Hardware modifications. This would include modified chips, modified storage firmware, etc. This is even worse than above and is pretty much game over for you unless you have access to resources well beyond the average user.

In short, physical protection during shipment is the only realistic way to prevent compromise, assuming the system wasn’t compromised at the factory or even during chip/board fabrication.

(Of course all of this assumes no back doors are already present in the existing official binary blobs - Intel FSP, Intel ME, etc. which would mean the system is irrevocably compromised anyway.)

You’ve created a new topic but it really ends up being the same discussion as the previous one (as evidenced by the replies you’ve got here so far), so I’ll be merging it back into the original topic.

“Delivering in a guaranteed secure state” instead of simply having a tamper-evident or generally verifiable device (already part of the long-term roadmap), as others pointed out, has never been done. No company can claim with a straight face to deliver a “guaranteed secure” device so far. Unless you’re having Todd personally hand-deliver it to your door and prove his identity with a DNA test or something, and he assembled it himself down to the last resistor.

Purism tries to push for general security, privacy and software freedom for the greater public, and I don’t think it’s reasonable to expect a guaranteed protection against a government, especially at this early stage. Personally speaking, I think that if a government is out to get you, they will get you: even if your hardware and encryption was flawless, they could just lock you up and torture you with a $5 crowbar until you give up.

That doesn’t invalidate Purism’s mission, nor does it make it a less compelling solution against criminals (unless the criminals you want to defend against have government-like resources + expertise + dedication to track you… in which case, say hi to the Don for me).

@jeff

“Delivering in a guaranteed secure state” instead of simply having a tamper-evident or generally verifiable device (already part of the long-term roadmap), as others pointed out, has never been done. No company can claim with a straight face to deliver a “guaranteed secure” device so far.

They haven’t delivered yet, but it looks imminent:

They certainly appear to be doing due diligence with regard to secure design and implementation. Their secure microcontroller and keyfob solution to prevent tampering during shipment is impressive.

I thought ORWL’s keyfob approach was interesting. Joanna doesn’t trust it either, though. Once you start going down the absolute security path, you pretty much never come back out of the rabbit hole…

@jeff

From what I can see, almost all of Joanna’s criticisms are either inaccurate or, at least, outdated. It would seem the concerns over the datasheets for the secure micro-controller are unfounded. They are accessible under the manufacturer’s NDA if you REALLY want them and they are being subjected to third party security verification. Not ideal, but not horrible. It seems they plan on releasing a dev kit for the purpose of building the MCU firmware chain as well as pursuing a manufacturer firmware-free version of the MCU which would require new open firmware to be created. Some of this would definitely fall into the wait-and-see category, but it’s impressive effort nonetheless. Joanna mentions relay attacks not being addressed, however I quickly found mention of time-of-flight mitigations for this on the site.

@jeff Yes I was aware I was starting a new / similar topic (sorry) but I was trying to help encourage focus on the issue, thanks.

Also Jeff, I have meant NO disrespect to you or ANY of the Pursim team, as started in my first post I think you have done a brilliant job to date, I just felt there is one missing piece at the end of it, which is how do we deliver the device WITHOUT hardware or software tempering in transit, which seems to me, it would negate the great work you have done.

I am sure we all agree there is no “100% secure” option, please forgive my poor word selection. I like your NEW heading!!! What I am trying to see if we can achieve is a device that normal people with a high desire for a secure device, can have a Librem delivered WITHOUT tempering in transit.

ORWL is a security focused headless desktop PC (for those who dont know). I found this last night too and got rather interested. I wondered what you thought as it appears they have a range of solutions that perhaps Purism could benefit from to resolve the tempering in transit… ???

Respectfully & Sincerely
bit

@M12321 Thanks for your post… I have been reading on this topic for a few years and understand what you wrote and full agree that’s how it is, sadly. I am just a guy who has a very strong belief in privacy and sovereignty… my personal life is MINE. Well it doesn’t seem so these days but that’s my view and why I simply want a laptop that “they” dont get to view. I believe in privacy and sovereignty and am willing to put money on the table to buy the right device.

Jeeze, what a mess huh…

Before I even open my dumb mouth, understand I’m not as versed in all this.

As opposed to what, AMD? That’s literally the only other game in town so I assume so. Don’t they have their own versions of the same problems though? If not then I don’t know why Purism is going with Intel over AMD then, but my understanding is both Intel and AMD are “compromised”. In that case all Purism can do is choose one, probably the one that makes better processors functionally, and undo the “bad stuff”.

If all you need is a Raspberry Pi then go for it, though. They’re probably secure as can be because they’re too simple for anything to be hidden in them. Plus their portability and everything makes them easy to hide, destroy, etc at any moment and no cost to you.

What Purism is to me is a company making a machine that’s reasonably powerful and modern but also secure. Before Purism you could’ve always just gotten something like the Pi, or you could buy old hardware and install free/open software on it. But now that’s becoming laughable as “old hardware” is becoming truly “ancient hardware”.

It’s like the discussion about smartphones and security. There’s always going to be someone that argues you could just get a Nokia 3310 or something - and ultimately if you can deal with it, it’s honestly the best option. Cheap and you can’t be spyed on if the phone lacks the capabilities to begin with.

If ancient hardware or something like a Raspberry Pi is all you need, then good for you really. But it’s 2017, and for me a computer that can’t keep up with the times isn’t a computer I want. I do a lot more at my machine than just read e-mails. I want to be secure, but I’m not going to live in the 90’s and early 2000’s for it. Plus you never know - even buying old hardware, who’s to say that they didn’t sneak some chip in there or whatever?

That being said, I’ve basically concluded that for that reason I’d need to get a Purism laptop for “communications and browsing”, while still having a desktop powerhouse running Windows for everything else - I’ll root out as much of the bad in Windows as I can like I always do, but I still need the Windows machine for all the editing software and games I use. That being said, those are things I don’t really care if the NSA sees or whatever anyway - my communications and browsing history specifically is what I don’t want them eavesdropping on. So I guess there’s no need for my Purism device to really be powerful since I’m offloading all the CPU-intensive stuff to my gaming rig… but still, I don’t want it to be slow as molasses either.

I have now cancelled my two laptops… L13 + L15 Thanks for the prompt refund.

I LOVE what Purism has done on the Free Code side of things, but living overseas, was NOT happy with the fact it could be seriously compromised in transit. I have now done over 20+ hrs of reading and research on the ORWL (headless PC, not a laptop) and ordered one with Qubes OS I feel its the best compromise for me.

Wish Purism and you guys all the best with it…

Regards
bit

I think we are being a bit pedantic about this topic. One thing is as certain as death and taxes is that post 9/11 the intel agencies with the help of Snowden et al are going to get at your information if they want to. Period. They will break the law, ignore the law or whatever they need to do to achieve the results they desire. My goal is to fly under the radar as much as I possibly can in light of the fact that working in cyber for the government they are well aware of my existence and all of my personal information so I will never be “anonymous” or “private” again.

In 2012 I investigated a breach of a small government agency and no one I work with had ever seen malware like this. It turns out that once a box is infected, the payload (prior to when they rootkit the box) lives on any device with any amount of memory… keyboard, mouse, NIC’s (this is especially bad), graphics card and so on so the hash always comes out right. Then they rootkit and it’s over. They had control of an EPO server in this case (BAD) and it had been on that network in some variant since 2007.

Really… ? I get what you are saying but dont think we have to GIVE UP quite so easily. I know it will never be 100% private / secure but I dont plan on using Windows to make it easy for them.

That tells me it’s best to not hook up any outside hardware to the Purism laptop after I get one - especially if it’s ever touched any other computer. Also, only use it on secure networks that use open source firmware (DD-WRT, Tomato, OpenWRT, pfSense, etc) with a VPN to an external country (preferably Iceland, Switzerland, or Norway) enabled.

If this is really true then I hope maybe Purism will consider starting to offer mice and keyboards that are pre-checked by Purism pros, or even manufactured by Purism. Keyboards may be unnecessary but at the very least mice. I personally hate trackpads, after all.

I’ve been considering ditching my current mouse for a while. I mean, it’s a good mouse, but it seems Razer actually puts software (synapse) in the damn mouse that uploads to any computer you plug it into, which is just freaking ridiculous to me.

I’ve already decided that if I get a Purism laptop, nothing foreign is going to be allowed to touch it. My Windows computers will continue to be my playground, but my Linux laptop is going to be strictly for browsing and communication only, connected via ethernet to my network because I don’t want it to so much as share the same airwaves as other machines. Those killswitches are all staying off.

I asked about interdiction services (as recommended somewhere on the purism site), and the email I got back said that tamper-evident tape would be used to ship the laptop to me.

However, when it arrived, it seemed to have normal packing tape.