Supply chain security

Purism, a US-based Linux laptop and smartphone manufacturer, takes various measures for tamper-resistant packaging and for securing its supply chain. Techniques such as tamper-evident seals, holograms, and blister packs are used by Purism to secure packages and provide visual evidence of any tampering. Purism’s manufacturing partners are located in the United States. By keeping production within the country, they have better control over the supply chain as well. IIRC, Framework laptops are manufactured in Taiwan. Purism documents their manufacturing and assembly processes in their GitHub repo. This helps in verifying the entire supply chain. I’m also not aware of any tamper-resistance techniques used by the Framework team other than secure boot, but that is useless when the laptop has already been tampered with before first use.

Don’t take it wrong, but I don’t trust the USA one bit in regards to respect privacy, so it does not really matter.

What we can do is verify that the hardware, when we put all extensions in (Memory, disks etc.) has not been tampered with. But that is as much as we can do from that side.
Purism is also using a different BIOS preventing the Intel ME Engine to be activated.
One of the reasons I decided to go AMD. I don’t know if AMD has something similar inside their CPUs, but I bet we’ll see if that happens in the future.

And, in the end, supply chain security? How do you want to make sure the chip designs that are used have not been manipulated before manufacturing? We can go very far like that.

5 Likes

They do, it’s called the PSP.

2 Likes

The first two of these are easily bypassed, especially for a state actor. See https://youtu.be/SRj74D3zozI?si=sDz4FiryJyYZVUs7 for an example. Ultimately, this just creates a false sense of security.

The latter creates non-recyclable plastic waste, which would be antithetical to Framework’s mission of sustainability.

Framework is a repairability and sustainability brand, not an open-source or privacy brand. While they do have features that are attractive to users who care about those things, it’s really not their primary focus.

5 Likes

Nice ad for Purism… not sure what it’s doing on a Framework Community forum…

4 Likes

All these countries have different systems and are dangerous, yes. However, the most dangerous in my eyes is the USA: remember how the most intellectually impaired and uncontrollable president in the history of the planet had the finger on the trigger of the biggest nuclear weapons arsenal. That is really frightening.
And the data the Secret services are collecting on everyone may not be a danger now, but can become the reason you will be incarcerated/eliminated in the future.

The biggest issue is the freedom to knowledge and the lack of common sense.
As you say - social media influence the masses. Not because they are there, but because:

  1. The social media do not provide solely facts, but opinions
  2. The people are intellectually not prepared to analyze social media and be able to extract the facts and form their own opinion.

Back to the topic - if you look at the mentioned security issues - most require the attacker to be in your system already. So - it is nice to be able to actually secure your system, but make sure you keep it updated at all times. And be sure you know your system (which is practically impossible on non Opensource systems).
Having worked at a security company in the past, most of these things are used to influence people into thinking they are vulnerable to make more business. Sometimes, the security issues are valid and need to be handled immediately. However, it takes some knowledge and experience to identify the ones you really need to take action on.

Folks, let’s move away from the geopolitical discussion, please.

5 Likes

@anon81945988 I am actually afraid of the stupidity of a certain politician. The others mentioned are smart, mean ok, but smart.

So - back to the topic.
Actually, whatever plan, country or whatever. As long as the entire production chain is not transparent, there can’t be real security/supply chain security.
As long as someone can tamper with the equipment or software you put on it while hiding the change, every security measure is worthless. They will sell it to you: It is safe because we tell you so. But that is exactly the same with biometrics. Remember, for unlocking your device configured to use biometrics, they only need the specific part of your body to unlock it.
If you use a code, they will have to literally beat it out of you to access the system if it is decently secured (full disk encryption etc.).

And remember: it is not a matter of trust into the country or political system.
The issue is the data they already have on you. Maybe the current system won’t use that data against you. But what about the next, or the one after it? All the data is already there!

The entire problem is human. And as long as there are humans in power, they will tend to use every bit of leverage and advantage they can get. And that includes tampering with hardware, software etc.

So - as I have tried to think about how things work since I was very young, I host everything myself @ home. I have my own DNS server, using split-DNS and DNSSEC and all possible security. Web server (completely self-developed with built-in dynamic blacklisting with very sensitive triggers), internal cloud, mail system, self-built firewall, and using a VLAN for the media devices. Even my phone uses LineageOS for reasons.
Imagine that for every site/server/service I use, I assign an alias. This makes it very easy to see who got hacked or sold/lost your e-mail. All I have to do is disable that alias or change the password.
In house I use the RPZ (Start — RPZ block list documentation - actually using that for 20 years now) system to block all advertising data collection systems. It can also be called SOA hijacking - meaning, if a DNS request comes in asking for google adservice.google.com for example, my DNS server returns 127.0.0.1 or not reachable depending on the device. This removes the possibility for most sites to collect data out of my LAN. Guess why google is pushing DoH (DNS over HTTPS). They sell it as security, but in the end, it is just to control your DNS source to bypass that type of protection. But boy do I reduce the amount of advertising getting through just with that.

So - when something new comes out (technology, software etc.) like when the cloud came out, I try to understand what it is, understand how it works, so I know what I’m talking about - and know how I can control it and adapt it to my acceptable level of non-intrusion into my life.

Remember - the big guys (corporations, states - makes no difference) out there are the bad ones. They want to control you and “sell” it as: For your own good/security. And this is total bollocks!

1 Like
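The RPZ mechanism described in the post above, as an added example that is not the poster's code: a small interpreter for the two policy record shapes mentioned (hand back 127.0.0.1, or answer "not reachable", i.e. NXDOMAIN), plus the NODATA form, run over a constructed zone fragment. Real resolvers such as BIND and Unbound implement RPZ natively; this only models how a query name is matched against triggers, including the `*.` wildcard entries that make a whole subtree blockable. The zone content, the upstream address and the query names are all constructed for the example.

```python
"""Minimal RPZ (Response Policy Zone) matcher for the QNAME trigger type.

Added example, not the poster's code.  It reads the record shapes an RPZ
block list uses and answers: what would the local resolver return for a
given name?  The zone fragment below is constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed sample zone.  Every RPZ zone starts with SOA/NS housekeeping
# records; the policy lives in the A/CNAME records that follow.
SAMPLE_RPZ = """\
$TTL 300
@ IN SOA localhost. root.localhost. 1 3600 900 604800 300
@ IN NS localhost.
; "not reachable": CNAME . tells the resolver to answer NXDOMAIN
adservice.google.com CNAME .
*.adservice.google.com CNAME .
; "local answer": hand back loopback so the request dies on the device
tracker.example A 127.0.0.1
*.tracker.example A 127.0.0.1
; NODATA: the name exists but carries no records of the requested type
beacon.example CNAME *.
"""


@dataclass(frozen=True)
class Policy:
    action: str                   # "NXDOMAIN", "NODATA" or "LOCAL"
    answer: Optional[str] = None  # IP address for LOCAL, otherwise None


def parse_rpz(text: str) -> dict[str, Policy]:
    """Return {trigger_name: Policy} for the policy records in an RPZ zone."""
    rules: dict[str, Policy] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip zone-file comments
        if not line or line.startswith("$") or line.startswith("@"):
            continue                          # directives, SOA and NS lines
        fields = line.split()
        if "IN" in fields:
            fields.remove("IN")               # class is optional in RPZ zones
        if len(fields) < 3:
            continue
        name = fields[0].lower().rstrip(".")
        rtype, rdata = fields[1].upper(), fields[2]
        if rtype == "CNAME" and rdata == ".":
            rules[name] = Policy("NXDOMAIN")
        elif rtype == "CNAME" and rdata == "*.":
            rules[name] = Policy("NODATA")
        elif rtype == "A":
            rules[name] = Policy("LOCAL", rdata)
    return rules


def lookup(rules: dict[str, Policy], qname: str) -> Optional[Policy]:
    """Exact trigger first, then the most specific matching *.wildcard."""
    name = qname.lower().rstrip(".")
    if name in rules:
        return rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in rules:
            return rules[candidate]
    return None


def resolve(rules: dict[str, Policy], qname: str,
            upstream: str = "203.0.113.10") -> tuple[str, Optional[str]]:
    """Simulate the resolver's decision for one query.

    `upstream` stands in for whatever the real (unfiltered) answer would be;
    203.0.113.10 is a documentation address used here as a placeholder.
    """
    policy = lookup(rules, qname)
    if policy is None:
        return ("PASS", upstream)
    if policy.action == "LOCAL":
        return ("LOCAL", policy.answer)
    return (policy.action, None)


if __name__ == "__main__":
    rules = parse_rpz(SAMPLE_RPZ)
    for q in ("adservice.google.com", "pagead.adservice.google.com.",
              "cdn.tracker.example", "beacon.example", "community.example"):
        print(f"{q:32} -> {resolve(rules, q)}")
```

The ordering in `lookup` is what matters in practice: an explicit entry for a name wins over a wildcard covering its parent, so an allow-listed host can be carved out of a blocked subtree by giving it its own record.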

I do that just by adding entries to my hosts file - and not just for google, but all advertising that gets on my wick. It does vastly reduce the amount of flashing images on screen as well.

You can grab my version (I use that one for remote systems and my Android via the AdAway app, which you can get through F-Droid). https://www.solsys.org/adblocklist.rpz
Check for yourself:

root@phobos-app-55b77758c7-tznnp:/app/site# ls -lh adblocklist.rpz 
-rw-r--r-- 1 root root 34M Feb 19 02:05 adblocklist.rpz
root@phobos-app-55b77758c7-tznnp:/app/site# wc -l adblocklist.rpz 
1103814 adblocklist.rpz

This is just an IPv4 list; I disable IPv6 on my devices (still - will probably go over one day).
I use various sources to compile my version of it (scripted). But I also add some of mine :wink:
Sadly, more and more sites require these data-leech sites to be accessible to work … But it’s ok for me to not reach/go on these sites.

@amoun If you want to discuss these geopolitical things, you can contact me on the Matrix network. Send me a PM for my details.

As this thread has moved way off the original topic and into areas that are best avoided on this forum, I’ll be closing it momentarily.

1 Like