Supply chain security

Purism, a US based Linux laptop and smartphone manufacturer takes various measures for tamper resistance packaging and securing supply chain. Techniques such as tamper-evident seals, holograms, and blister packs are used by Purism to secure packages and provide visual evidence of any tampering. Purism’s manufacturing partners are located in the United States. By keeping the production within the country, they have better control over the supply chain as well. IIRC, Framework laptops are manufactured in Taiwan. Purism documents their manufacturing and assembly processes in their GitHub repo. This helps in verifying the entire supply chain. I’m also not aware of any tamper resistant techniques used by Framework team other than secure boot but it’s useless when laptop is already tampered before first use.

Don’t take it wrong, but I don’t trust the USA one bit in regards to respect privacy, so it does not really matter.

What we can do is verify that the hardware, when we put all extensions in (Memory, disks etc.) has not been tampered with. But that is as much as we can do from that side.
Purism is also using a different BIOS preventing the Intel ME Engine to be activated.
One of the reasons I decided to go AMD. I don’t know if AMD has something similar inside their CPU’s, but I bet we’ll see if that happens in the future.

And, in the end, supply chain security? How do you want to make sure the chip designs that are used have not been manipulated before manufacturing? We can go very far like that.


They do, it’s called the PSP.


As noted how far do you want to consider security. I don’t trust anyone, but the USA seem far more reasonable than Russia, China, India etc.

So I make the best of what I have and have little to need securing, and from whom??

I would be more concerned about social media info etc. than hardware.


The first two of these are easily bypassed, especially for a state actor. See for an example. Ultimately, this just creates a false sense of security.

The latter creates non-recyclable plastic waste, which would be antithetical to Framework’s mission of sustainability.

Framework is a repairability and sustainability brand, not an open-source or privacy brand. While they do have features that are attractive to users who care about those things, it’s really not their primary focus.


Nice ad for Purism… not sure what it’s doing on a Framework Community forum…


All these countries have different systems and are dangerous, yes. However, the most dangerous in my eyes is the USA: remember how most intellectually impaired and uncontrollable president in the history of the planet had the finger on the trigger of the biggest nuclear weapons arsenal. That is really frightening.
And the data the Secret services are collecting on everyone may not be a danger now, but can become the reason you will be incarcerated/eliminated in the future.

The biggest issue is the freedom to knowledge and the lack of common sense.
As you say - social media influence the masses. Not because they are there, but because:

  1. The social media do not provide solely facts, but opinions
  2. The people are intellectually not prepared to analyze social media and be able to extract the facts and form their own opinion.

Back to the topic - if you look at the mentioned security issues - most require the attacker to be in your system already. So - it is nice to be able to actually secure your system, but make sure you keep it updated at all times. And be sure you know your system (which is practically impossible on non Opensource systems).
Having worked at a security company in the past, most of these things are used to influence people into thinking they are vulnerable to make more business. Sometimes, the security issues are valid and need to be handled immediately. However it takes some knowledge and experience to identify the ones you really need to take action.

Really? You think Putin is somehow not impaired, nor Modi nor Erdogan, or NutonYahoo

And let’s be clear, if you are talking about Trump he made money, so not so daft and secondly he didn’t have his finger on the button, he could only activate it with agreement from others.

The freedom of knowledge is an internal issue, if you know yourself there is nothing else worth knowing.

As for being in my system: Well it’s not really mine, it just the gathering of a weak and greedy animal. It’s there to loose and not someone else’s to protect, unless of course they have designs to use it.

So yes to the topic.

There is no way I would trust any supply chain, but would tolerate loosing out to a ‘democracy’ like the USA than just about ant other authority.

So please don’t wrap my vulnerables in plastic padding and promises to keep me safe.

Take care all you that worry, you are not alone in worrying. You are in a huge disaffected social group.

OH! and Russia has more :scream:

Folks, let’s move away from the geopolitical discussion, please.


So it’s either the physical security, where cardboard seems ‘better’ to me. I’m sure a paper mache’ container can be formed around it and imprinted with a secure motif.

So is this really a worry, that someone may get to the laptop and install malicious software/ Sure there’s always a possibility

" manufacturing partners are located in the United States. By keeping the production within the country, they have better control over the supply chain as well. IIRC, Framework laptops are manufactured in Taiwan."

I like the idea of made in the USA, though given the aid to Taiwan, why not use them to make things - they get paid.

So apart from the geo-politics, and the environmental cost, which seem geo-unpolitical. I happy.

Have to find something more entertaining to do that worry about who is the bad boy politically, though that was a push from the OP. So goodnight before I get branded as ‘a bad boy’ for talking about politices. Just so easy to engage with such. :rofl:

1 Like

@amoun I am actually afraid of the stupidity of a certain politician. The other mentioned are smart, mean ok, but smart.

So - back to the topic.
Actually, whatever plan, country or whatever. As long as the entire production chain is not transparent, there can´t be real security/supply chain security.
As long as someone can tamper with the equipment or software you put on it, while hiding the change makes every security worthless. They will sell it to you: It is safe because we tell you so. But that is exactly the same with biometrics. Remember, for unlocking your device configured to use biometrics, they only need the specific part of your body to unlock it.
If you use a code, they will have to literally beat it out of you to access the system if decently secured (full disk encryption etc.).

And remember: it is not a matter of trust into the country or political system.
The issue is the data they already have on you. Maybe the current System won’t use that data against you. But what about the next, or the one after it? All the data is already there!

The entire problem is human. And as long as there are humans in power, they will tend to use every bit of leverage and advantage they can get. And that includes tampering with hardware, software etc.

So - as I try to think how things work since I am very young, I host everything myself @ home. I have my own DNS server, using split-DNS and DNSSEC and all possible security. Web-Server (completely self developed with builtin dynamic blacklisting with very sensitive triggers), Internal Cloud, Mail-system, self-build firewall and using a VLAN for the media-devices. Even my phone uses Lineage OS for reasons.
Imagine that every site/server/service I use, I assign an Alias. This makes it very easy to see who got hacked or sold/lost your E-Mail. All I have to do is disable that alias or change the password.
In house I use the RPZ (Start — RPZ block list documentation - actually using that for 20 years now) system to block all advertising data collection system. It can also be called SOA hijacking - means, if a DNS request comes in asking for google for example, my DNS server returns or not reachable depending on the device. This removes the possibility from most sites to collect data out of my LAN. Guess why google is pushing DOH (DNS over HTTPS). They sell it as security, but in the end, it is just to control your DNS source to bypass that type of protection. But boy do I reduce the amount of advertising getting through just with that.

So - when something new comes out (technology, software etc.) like when the cloud came out, I try to understand what it is, understand how it works, so I know what I’m talking about - and know how I can control it and adapt it to my acceptable level of non-intrusion into my life.

Remember - the big guys (Corporations, States - make no difference) out there are the bad ones. They want to control you and “sell” it as: For your own good/security. And this is total bullocks!

1 Like

I do that just by adding entries to my hosts file - and not just for google, but all advertising that gets on my wick. It does vastly reduce the amount of flashing images on screen as well.

Yes. The so called humans, that show absolutely little no humanity are a growing and dominate race, nothing can be done about that but to work on my own and leave others to theirs.

How you can adapt is best done by not using social media or money. Each of us is slave to to many ‘human’ made designs and dependent upon non-human ‘designs’ such as warmth, air and water, but we fight over land and such resources.

I don’t see how data security is such a big deal unless you want to use a lot of it.

So I’m not putting politics aside, but openess seems the way to go, so USA 1 other democracies OK aforementioned Zero trust.

I don’t have to put sensitive info on my computer, it a choice and I’m careful.

I have absolutely no worries about being hacked, the concern is a personal issue and I’m with Framework and Taiwan or the US or the EU. That’s about it.

Better stop this geo-political text, so will mute this post so I am no longer tempted to warm the waters

You can grab my version (I use that one for remote systems and my Android via AdAway app you can get through f-droid).
Check for yourself:

root@phobos-app-55b77758c7-tznnp:/app/site# ls -lh adblocklist.rpz 
-rw-r--r-- 1 root root 34M Feb 19 02:05 adblocklist.rpz
root@phobos-app-55b77758c7-tznnp:/app/site# wc -l adblocklist.rpz 
1103814 adblocklist.rpz

This is just and IP V4 ist, I disable IPv6 on my devices (still - will probably go over one day).
I use various sources to compile my version of it (scripted). But I also add some of mine :wink:
Sadly, more and more site require these data-leech sites to be accessible to work … But it’s ok for me to not reach/go on these sites.

@amoun If you want to discuss these geopolitical things, you can contact my on the Matrix network. Send me a pm for my details.

As this thread has moved way off the original topic and into areas that are best avoided on this forum, I’ll be closing it momentarily.

1 Like