Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Hardware Section #1899

Closed
maltfield opened this issue Nov 29, 2022 · 34 comments · Fixed by #2268
Closed

Add Hardware Section #1899

maltfield opened this issue Nov 29, 2022 · 34 comments · Fixed by #2268
Labels
c:guides full-length guides and content c:hardware relating to hardware recommendations

Comments

@maltfield
Copy link

maltfield commented Nov 29, 2022

Request: Add "Hardware" Section

Can you please add a "Hardware" section to the Privacy Guides website?

Why?

Good operational security also includes careful selection of hardware, especially for hardware that's used to generate/store private keys.

Not all of this hardware is created equal. Some is more open. Some is more trustworthy. And some vendors, well, we have historic reasons to distrust them.

Examples

Some examples of privacy/security-related hardware:

  1. Laptop vendors like Purism or Qubes-certified laptops like the PrivacyBeast and NitroPad
  2. U2F/WebAuthn hardware tokens
  3. NitroKey or LibremKey or similar devices to verify boot authenticity (protection from Evil Maid attacks)
  4. BusKill laptop kill cords or other hardware Dead Man Switches
  5. Cryptocurrency hardware wallets
  6. USB Condoms
  7. True random number generators
  8. TPMs
  9. Biometric input devices
  10. Webcam covers
  11. Microphone blockers
  12. Privacy screens
  13. etc

Meta

(meta: when creating an issue on GitHub, the Suggest a New Provider or Software option links to a page that says the page doesn't exist https://discuss.privacyguides.net/c/suggestions)

@ghost
Copy link

ghost commented Jan 9, 2023

I like the idea, a few notes:
Laptop vendors: I don't think it makes sense to recommend specific machines, it matters more what's running on them and that the hardware is still receiving firmware updates from the OEM more than anything I think
True random number generators: This one doesn't seem necessary as it's the job of the TPM, Secure Enclave on apple devices, etc to handle all encryption. They include a true random number generator
Webcam covers: This is one that maybe we shouldn't recommend, it can cause damage to a laptop when you close it
Microphone blockers: Not sure how a microphone blocker would work, do you have any examples?

On top of your suggestions I think we'd want to include something on home networking equipment as well.

@maltfield
Copy link
Author

maltfield commented Jan 9, 2023

Laptop vendors: I don't think it makes sense to recommend specific machines, it matters more what's running on them and that the hardware is still receiving firmware updates from the OEM more than anything I think

I agree that specific models is a slippery slope, but would you agree that it makes sense to recommend specific vendors?

For example, to guide folks away from vendors that have been caught selling hardware that contains malware out-of-the-box and guide folks to vendors that have demonstrated a focus on privacy, trust, and--yes--commitment to LTS (eg via open firmware)?

Microphone blockers: Not sure how a microphone blocker would work, do you have any examples?

These are basically just 3.5mm TRRS jacks with nothing connected to them. If you just take a pair of (preferably old & broken) pair of headphones w/ a microphone and cut off the jack, you have a microphone blocker. But they also sell them on privacy stores. Your laptop detects that a microphone is plugged-in, and it switches input from the built-in microphone to the plugged-in microphone, which doesn't exist. Simple.

They also sell USB ones. Same thing: it identifies itself to the computer as a microphone, but there actually isn't one.

Example:

On top of your suggestions I think we'd want to include something on home networking equipment as well.

Nice addition :)

@ghost
Copy link

ghost commented Jan 10, 2023

Interesting, thanks for the explanation on mic blockers, that seems like a good thing to make people aware of. The hardware vendor thing is concerning, maybe we'll recommend that people nuke the preinstalled OS and install a fresh version of windows/linux, since I think maintaining a comprehensive list of all the vendors caught doing that would give people a false sense of security if their computer is from a vendor that hasn't done that before.

@ghost ghost added c:hardware relating to hardware recommendations c:guides full-length guides and content labels Jan 10, 2023
@ghost ghost self-assigned this Jan 10, 2023
@ghost ghost mentioned this issue Jan 10, 2023
14 tasks
@ghost
Copy link

ghost commented Jan 10, 2023

Should probably combine #1864 with this.

@maltfield
Copy link
Author

maltfield commented Jan 10, 2023

maybe we'll recommend that people nuke the preinstalled OS and install a fresh version of windows/linux,

Definitely

The hardware vendor thing is concerning...I think maintaining a comprehensive list of all the vendors caught doing that would...

Well, the list of vendors doing bad things is exceedingly long. I don't think it's necessary to maintain that list, but I do think it's necessary to have a notebox that explains this risk and maybe a few citations for examples.

On the other hand, the list of vendors who are privacy-focused and trustworthy is very small. That is a list that I think should be explicitly enumerated on privacyguides.org

@ph00lt0
Copy link
Member

ph00lt0 commented Jan 10, 2023

i doubt microphone blockers have any effect? software can just pick any mic?
Better to use external mic and remove internal one, if this is part of your threat model.

@ph00lt0
Copy link
Member

ph00lt0 commented Jan 10, 2023

i think encrypted drives are a good addition here.
perhaps bugdetectors, hotel alarms for a travel section.

@maltfield
Copy link
Author

doubt microphone blockers have any effect?

If your OS is not compromised, it does have an effect. I am not an Android developer, but I don't think apps can choose which microphone to listen-to.

Better to use external mic and remove internal one, if this is part of your threat model.

Definitely that's better. But I do think the mic blockers are a valid solution for many people who just want to stop non-malicious alexa, cortana, ok google, or whatever apps that are always listening from being able to hear for a bit

@maltfield
Copy link
Author

maltfield commented Jan 10, 2023

i think encrypted drives are a good addition here.

personally, I think history shows that FDE belongs in software, not hardware. But I do think that HSMs (eg NitroKey) should be listed as privacyguides-recommended hardware for holding the keys for an encrypted disk, for example.

bugdetectors, hotel alarms for a travel section.

I'm skeptical of the efficacy of such tools. Regarding travel, I do think Haven deserves a mention, but probably not in the hardware section.

On that (travel) note, I'm not sure if it's hardware, but I would consider glitter nail polish to be a reasonable addition to this list

@ghost
Copy link

ghost commented Jan 10, 2023

I definitely don't want to recommend anything unless it's absolutely proven effective, and I'm not sure that bug detectors fit that description. It seems like an effective bug sweep isn't feasible for the average person who isn't willing to drop thousands of dollars on equipment and training. Don't want to give people a false sense of security. Hotels usually have locks that only lock from the inside as well as the regular lock, so I'm not sure how necessary hotel alarms are.

Haven looks interesting, although surveillance apps might be out-of-scope for PG.

I like the nail polish idea. The anti-interdiction is nice, I think google has a similar thing? I can't remember.

Edit: it's called insider attack resistance

@ph00lt0
Copy link
Member

ph00lt0 commented Jan 10, 2023

I have often been in hotels that do not have this door lock, it has proven to be effective in a personal case for me.

@ph00lt0
Copy link
Member

ph00lt0 commented Jan 10, 2023

As for hardware usb drives I tooted today: https://mastodon.social/@ph00lt0/109664857214746240
These are really good tools that software cannot compete with as this won't work f.x. with a mobile phone, but also generally these hard drives are more secure.

@ghost
Copy link

ghost commented Jan 10, 2023

I have often been in hotels that do not have this door lock, it has proven to be effective in a personal case for me.

Might be good to mention it then, do you have any particular products in mind or are they all mostly the same?

As for hardware usb drives I tooted today: https://mastodon.social/@ph00lt0/109664857214746240
These are really good tools that software cannot compete with as this won't work f.x. with a mobile phone, but also generally these hard drives are more secure.

Might have you write that part as I'm not familiar.

@ph00lt0
Copy link
Member

ph00lt0 commented Jan 10, 2023

I have a doorstop with alarm as not all handles have the same size. That works really well, not any particular brand just something cheap with a motion sensor.

@ph00lt0
Copy link
Member

ph00lt0 commented Jan 10, 2023

Might have you write that part as I'm not familiar.

sure thing, just ping me when this issue is a bit further. I don't mind to help out.

@matchboxbananasynergy
Copy link
Contributor

matchboxbananasynergy commented Jan 11, 2023

Haven looks interesting, although surveillance apps might be out-of-scope for PG.

@mfwmyfacewhen It is unmaintained and most of its functionality no longer works

guardianproject/haven#460
guardianproject/haven#454

@ghost
Copy link

ghost commented Jan 11, 2023

Haven looks interesting, although surveillance apps might be out-of-scope for PG.

@mfwmyfacewhen It is unmaintained and most of its functionality no longer works

Ah then I definitely won't mention it, thanks for the heads up.

@ghost
Copy link

ghost commented Jan 17, 2023

@maltfield I was looking on the GitHub for Buskill and I noticed the app seems to still be in beta, do you think it's fairly stable and usable? Generally we don't like to recommend beta software.

@maltfield
Copy link
Author

maltfield commented Jan 17, 2023

Buskill...seems to still be in beta

@mfwmyfacewhen BusKill is in beta like Gmail was in beta (for 5 years, very stable, but with better features being added). It being "beta" is probably not what you think..

BusKill is fully functional on all three target platforms. Currently it's very simple, but it does what it says it does: it locks your screen when a (BusKill) USB device is removed and it's armed.

do you think it's fairly stable and usable?

Absolutely yes. It's been stable at least since v0.4.0 was released on Oct 16, 2020. Here's a video demo showing v0.4.0 being used on all 3x platforms:

The video is a year old. The hardware has changed a bit, and there's been a couple newer versions of the software. But it's all stable.

Disclaimer: I'm the founder of the BusKill project.

@ghost
Copy link

ghost commented Jan 17, 2023

Thanks! Just wanted to make sure.

@ghost
Copy link

ghost commented Jan 20, 2023

@ph00lt0 Ready for you to write about encrypted drives if you have the time

@maltfield
Copy link
Author

maltfield commented Jan 25, 2023

Re: https://discuss.privacyguides.net/t/please-add-hardware-recomendation-section-all-categories/11616

I’d like to have a hardware section so that i can aim to buy that hardware as much as possible
right now, hardware on the site is limited to pixel phones and security keys but i’d like a few more:
...
wireless headphones

I've always wondered if there was actually a wireless microphone and/or wireless speaker on the market that was designed from the ground-up with security in mind

@maltfield
Copy link
Author

maltfield commented Jan 25, 2023

In the link above, the user also mentioned Purism.

laptos (right now , the best i could fiind is the librem 14 laptop with the boot usb)

Today I discovered a list of "competitors" to purism, which they openly linked-to from their blog because they considered them "friends & allys" over competition.

Purism has a few indirect “competitors” in the GNU/Linux community, but we actually consider them as allies working toward the same goal, with a different approach. If you feel like Purism’s offering does not suit you, please consider these companies that also put an emphasis on Free Software:

If you are interested in solid, well-made older laptops (from before Intel introduced the Management Engine in all of its chips in 2008) that currently have a 100% free BIOS and already have the FSF’s RYF certification, you should consider the various laptops from Vikings, Libiquity or Technoethical.

If you’re looking for workstations or servers with a freed BIOS, consider Vikings’ D16 workstation or D16 rackmount server.

If you are interested in an amazing open-hardware DIY computing platform, you should support Novena.

source: https://puri.sm/about/competitors/

Again, the list of privacy-friendly laptop manufacturers is so small, I think it's worthwhile that we actually enumerate them in this guide.

@dngray
Copy link
Member

dngray commented Jan 25, 2023

Laptop vendors like Purism or Qubes-certified laptops like the PrivacyBeast and NitroPad

Keep in mind we won't be recommending any "libre" laptops aka ancient Intel platforms (3rd gen) in the name of privacy. We do not want to give off the signal that you need these laptops for any kind of privacy, because that simply isn't true for most threat models. Further I think some of these schemes may very well be buying refurbished stock and selling them at a very high price to grift users.

There may be more room for vendors like Purism (which is at least 10th gen), System76, Starlabs, the latter two supporting latest CPUs and Coreboot as well. It looks as if Framework may support coreboot in the future.

@maltfield
Copy link
Author

maltfield commented Jan 25, 2023

There may be more room for vendors like Purism (which is at least 10th gen), System76, Starlabs

I would be very happy if we could just link to Purism, System76, and Starlabs.

Most people literally don't know there are options besides the major players like HP, Dell, Lenovo, Asus, Acer, Apple, etc. I do hope we can link to at least a few of those privacy-focused alternative vendors so that users are aware that better alternatives are out there..

@maltfield
Copy link
Author

maltfield commented Jan 27, 2023

@mfwmyfacewhen I have some very strong differences of opinion of sbeve's comments on the forums, so please take anything they say with a grain of salt. They're giving very bad advice that's not appropriate for high-risk users (journalists, whistleblowers, activists, human rights defenders, crypto traders, etc)

When I give OpSec trainings to these high-risk folks, I link them to privacyguides.org because the privacy guides, historically, has been good for both the general population and high-risk groups.

@matchboxbananasynergy
Copy link
Contributor

There may be more room for vendors like Purism (which is at least 10th gen), System76, Starlabs

I would be very happy if we could just link to Purism, System76, and Starlabs.

Most people literally don't know there are options besides the major players like HP, Dell, Lenovo, Asus, Acer, Apple, etc. I do hope we can link to at least a few of those privacy-focused alternative vendors so that users are aware that better alternatives are out there..

How are those vendors better? They mostly overcharge for little benefit imo. I wouldn't include them, personally.

@maltfield
Copy link
Author

maltfield commented Jan 27, 2023

How are those vendors better?

Transparency, libre software/hardware, security features, and privacy. Purism, afaik, is the most secure vendor out there. I don't know of any other vendor that's FSF certified and integrates Heads into their boot setup to cryptographically verify the authenticity and integrity of the firmware using keys that you control. They also have gone through great lengths to neutralize and disable the IME.

Also, again, most all of the mainstream vendors have been caught injecting malware into their machines. It's important to purchase from a vendor that values your privacy over their profits.

@matchboxbananasynergy
Copy link
Contributor

FSF certification isn't a positive, really. In fact, for me it's usually a red flag. FSF values free software, not security. The two could coexist in theory, but almost never do in practice. Also, "dsabling" the IME does more harm than good.

I am diametrically opposed to recommending marketing fluff and urging people to buy overpriced, insecure devices just because people have been duped into thinking they're somehow special.

@efb4f5ff-1298-471a-8973-3d47447115dc
Copy link
Contributor

Just wanted to chime in and ask if the tools listed here are considered.

privacytools/privacytools.io#904 (comment)

@tlaurion
Copy link

tlaurion commented Apr 25, 2023

Hey all.
Jumped here from haven call for leadership ticket that was referred from there.

Heads maintainer here.

I would love to pinpoint everyone to this issue which explains differences of architectures and platforms supported by Heads project:

linuxboot/heads#692

The point here, with Purism/Insurgo/Nitrokey and other makers jumping into coreboot now, is that coreboot alone is not a guarantee of privacy.

Intel ME neutering is a thing, deactivating is another. And depending of ME features provided, it may or not break features to remove or deactivate it, depending of how it is done as well.

RYF certification from FSF won't happen in newer hardware for reasons I covered under Qubes forum numerous times. Unfortunately with current state of things, I would agree that RYF certification is not a guarantee for privacy, since privacy is bound to security until a certain point, where all laptops/servers outside of kgpe-d16 and Talos II are not providing microcode update because of FSF policies, and that is currently endangering privacy to some extent.

I would love to invite discussions into where those hardware recommendations/endorsement should happen, and that is upstream in projects that are integrating coreboot for security/privacy reasons.

Its hard to recommend a platform versus another in current days. Newer platforms require non neuterable ME on Intel and FSF blobs inside of coreboot which is not initializing the hardware itself anymore. AMD is rarer outside of Chromebooks which come with a different way of computing, considering everything is cloud based and not offering sufficient storage nor ram to be useful outside of promoted usecase.

Its complicated but if the goal is to have a discussion on those topics, I would have a lot to say.

Threat modeling. Threat modeling. Threat modeling.

Insurgo here, feel free to contact me from details on my webpage.

Putting linuxboot/heads#692 in clearer terms is a goal. And complex. I would love to make a workgroup on that, with the privacy conscious guild.

@maltfield
Copy link
Author

maltfield commented Apr 25, 2023

Also, I'll add that since our discussion above, I did get a chance to play with Heads (via PureBoot) myself. I found the PureBoot docs to do a lot of handwaving, so I published the following guide that outlines Coreboot, Heads, and the tech that went into it (eg TPMs and "boot measurements"), which I think will be beneficial for anyone who needs a quick background of this tech

@tlaurion
Copy link

tlaurion commented Apr 25, 2023

@maltfield I reiterate that this write up is a must read.

Yet again I have mixed feelings when I read it myself for the 5th time.

Heads is the master project. Others are forks integrating different tweaks for the users they serve.
Pureboot/vaultboot/nitrokey are all forks of Heads, which goal is to provide ways to remote attest state of firmware prior of typing a passphrase to decrypt content. That's it.

After that, the platforms, or mainboards implementing it will differ in terms of TCB. And that is where things get more complicated.

@ghost
Copy link

ghost commented Apr 26, 2023

Just wanted to chime in and ask if the tools listed here are considered.

privacytools/privacytools.io#904 (comment)

Thanks for the suggestions! After looking over the list:

Lindy USB port locker: As a lock picking lawyer subscriber, the claim that this will somehow protect your USB ports from a government agency seems dubious. I don't want to recommend something that will give people a false sense of security.

Mic blocker: as covered earlier in this thread, the currently selected audio device isn't really a security feature and might get bypassed. The proper solution is sandboxing with a microphone permission enforced by the OS, or if you're really concerned, then you should be using a device that doesn't have a built-in microphone.

Anti-spy RF scanner: Discussed something like this in the issue. Being able to reliably detect devices based on RF signals takes proper training and experience. I don't want to give the impression that you can just buy one of these off the shelf and find any malicious devices near you.

USB data blocker: I'd rather just tell people to plug their phone into the wall using a wall adapter or a battery pack rather than recommend these products which or may not properly protect the device. Modern phones also require you to explicitly grant permission before allowing data access.

Tableau forensic bridge kit: This just seems like a forensics tool, not sure what the privacy benefit of it would be.

StarTech 1:5 USB flash drive duplicator and eraser: This is just a USB duplicator. Again not sure the privacy benefits here. Any computer can erase a flash drive as well, it's not necessary to buy a dedicated device to do that.

StarTech 4-bay drive eraser: Same thing but for hard drives. I don't think there's any privacy benefit here.

Lowell Destruct hard drive eraser: If you want to erase a hard drive, then you can just do that in your OS, don't need a dedicated device. Seems like it's just some janky software set to autorun when you insert it? Not really something I want to recommend to people.

Apricorn Aegis Padlock Fortress FIPS USB 3.0 hard drive: Looks fine, I did write a bit on FIPS drives. I don't really want to recommend a specific one since it's a standard.

Brick House Security stuff: Looks like they sell GPS trackers and hidden cameras and whatnot? This is antithetical to privacy and won't be recommended.

BusKill: Already recommended, although I need to expand on it a bit.

White Noise Audio Jammer AJ-34: Not sure how effective this one is in practice. I imagine if it's loud enough to stop microphones from being able to hear you, then it would stop the person you're talking to from being able to hear you as well. Also it's just a speaker that makes noise. That could be achieved with any speaker that you already have laying around.

Faraday bags: These are fine but they require good construction and there can't be any gap bigger than the wavelength of the signal from your phone or it's useless. Between relying on the construction of the bag and user error potential, I don't think these are reliable solutions. Really, if you don't trust your device to not send signals when you want it to, then you probably should be using a different device.

Camera blockers: Already mentioned.

Let me know what yall think.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c:guides full-length guides and content c:hardware relating to hardware recommendations
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants