certified laptop delivery to Russia

[Oleg Artemiev]

Hello.

Has anyone sent the Qubes certified laptop to Russia?

Are there any delivery or customs issues that Russian citizen should
be aware of?

How do I check that US vendor hasn't passed implant into device?

My old laptop has gone. My current temporary laptop is not compatible
w/ Qubes (AMD CPU).

--
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C 9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

[Alex]

On 06/13/2017 10:00 PM, Oleg Artemiev wrote:
> Hello.
>
> Has anyone sent the Qubes certified laptop to Russia?
>
> Are there any delivery or customs issues that Russian citizen should
> be aware of?
>
> How do I check that US vendor hasn't passed implant into device?

It's long been a bad idea in general buying computers that are meant to
have any appreciable level of security and have them shipped by mail
delivery...

And you are planning to buy something from the United States of America
(known for the very problem you are asking about), have it delivered to
the Russian Federation (not a very believable defender of citizen
privacy), and believe it will arrive safe and secure? Mmmm... I would
not try that :/

And I'm sorry, but apart from suspicion I can't really give you any
actual advice :( best of luck for your next laptop

--
Alex

[Oleg Artemiev]

On Wed, Jun 14, 2017 at 9:34 AM, Alex <alex...@gmx.com> wrote:
> On 06/13/2017 10:00 PM, Oleg Artemiev wrote:
>> Has anyone sent the Qubes certified laptop to Russia?
>> Are there any delivery or customs issues that Russian citizen should
>> be aware of?
>>
>> How do I check that US vendor hasn't passed implant into device?
> It's long been a bad idea in general buying computers that are meant to
> have any appreciable level of security and have them shipped by mail
> delivery...

I've spent some time to defend idea that I'll get qubes certified
laptop paid by my organisation.
Are there any ideas for anonymouse delivery? I am okay to pay for that.

> And you are planning to buy something from the United States of America
> (known for the very problem you are asking about),

No idea how to get that laptop in any other relatively secure way.
It is shipped worldwide but

> have it delivered to
> the Russian Federation (not a very believable defender of citizen
> privacy),

Yep. This is my second motherland since USSR has been killed by gorby & company.

> and believe it will arrive safe and secure?

The vendor should provide some security check algorithm I guess..
I beleave in Qubes. I beleave Qubes team.
Could anyone from Qubes team buy such a certified laptop for me and
make delilvery using my money?
The company I currently work with is okay with any delivery method I choose.

The url with paper for qubes certified laptop delivery:
https://arstechnica.com/gadgets/2015/12/qubes-os-will-ship-pre-installed-on-purisms-security-focused-librem-13-laptop/
How can I check for "hardware implant free" state of delivered laptop?
I'd reinstall Qubes so software implants are out of this discussion.

> Mmmm... I would not try that :/

Does anyone know any tor covered anonymous delivery service?
The question with tor initiated anonymous delivery is reputation.
Laptop costs about 2k$.

> And I'm sorry, but apart from suspicion I can't really give you any
> actual advice :( best of luck for your next laptop

I know that there's no laptop store that sells that laptops in Russia.
I also know that Qubes QA team should not be bothered by bugreports
from non-certified hardware .

So better I should buy a laptop from compatible but not certified list?

It looks like buying Qubes certified laptop via any well known to me
american citizen could be better idea.

But laptop would be delivered cross-customs anyway..

Is there a US law restriction for delivery of librem13 or librem 15 to
Russia ? I guess not or not yet. At least their buying form has
Russian Federation in destination country list )

https://www.crowdsupply.com/purism/librem-15
https://www.crowdsupply.com/purism/librem-13

As I guess librem-15 is the same, but not yet certified? The Qubes
ceritified list has only librem-13 .
Also "Aside from compatibility, we do not believe that it should be
considered any safer than other laptops." is inside the notice on
qubes web https://www.qubes-os.org/doc/hardware/#qubes-certified-laptops
.

I'm okay to order delivery of parts and pay someone to build librem-15
from delivered parts or just do that myself.

Anyway where should I reed vendor instruction on "how to check the
delivered laptop for hardware implants"?

BTW: I love their claims: https://www.crowdsupply.com/about#user-rights

I don't think that my person is that important to merit goverment
backdoor from US or Russian Federation.
Though since that is just possible I should have exact rules how to
check hardware after delivery.

[Oleg Artemiev]

I'm sorry for Russian - no unofficial russian speakers mailing list
yet (except telegram group),
but that is really funny, please google translate this or just ignore:

[ cut from our company #security chat ]
Олег Артемьев
https://groups.google.com/forum/#!topic/qubes-users/k_WPyUAkW_U
обсуждение параноиков стоит ли покупать в магазине ноутбук с security фичами.
А вдруг там предусмотрено энэсэй в комплекте с ноутом.
А вдруг по дороге деливери сервис с карманами полными имплантов ) (edited)

В студию приглашаются призраки Сноудена и Ассанжа )

[19:07]
ладно.. как самый неуловимый и нафик не нужный Джо я переживу h/w
госзакладку - лишь бы [our company name] приобрела ноут с qubes
compatible характеристиками по vt-d и vt-x . ; )
[ end of our company #security chat]

[cooloutac]

I don't believe anythign is fully certified.

[Tai...@gmx.com]

I don't care how much cash they give to the devs purism is a scam plain
and simple, don't buy from them.
https://www.reddit.com/r/linux/comments/3anjgm/on_the_librem_laptop_purism_doesnt_believe_in/

[Reg Tiangha]

Your news is old. The latest hardware revisions of the 13 and 15 inch
models will ship with coreboot:

https://phoronix.com/scan.php?page=news_item&px=Librem-13-v2-More-Coreboot

Although to be fair, I'm not sure what'll happen with the older models
and if it's easy to flash it yourself.

They'll still rely on the Intel ME (like all modern Intel laptops) but
it looks like ME Cleaner works on these models too. For now, that's the
best that anyone can hope for.

https://puri.sm/coreboot/

That said, I still think they're overpriced for what you get. I'm on the
fence on whether or not it's worth the premium to have something with
coreboot and a neutered ME pre-installed so I don't have to disassemble
the thing myself in order to flash the chips. Certainly not with the
exchange rates the way they are right now.

[car...@gmail.com]

Why do you guys endorse this laptop if you know you can't guarentee the integrity of it?

Couldn't he just buy a laptop and put qubes on it? It should be reasonable secure at that point.

[car...@gmail.com]

EDIT -----

Sorry I shouldn't have assumed you're one of the Qube os developers but my point still stands. Is there a way to gaurentee the integrity of 'purism librem' laptop? Or is it a marketing ploy?

Don't mean to come off as brash and self-centered. It's just frustrating that the laptop is selling for premium when it does not provide what it's advertising.

[Tai...@gmx.com]

On 06/19/2017 03:32 AM, Reg Tiangha wrote:

> On 2017-06-19 12:56 AM, Tai...@gmx.com wrote:
>> I don't care how much cash they give to the devs purism is a scam plain
>> and simple, don't buy from them.
>> https://www.reddit.com/r/linux/comments/3anjgm/on_the_librem_laptop_purism_doesnt_believe_in/
>>
> Your news is old. The latest hardware revisions of the 13 and 15 inch
> models will ship with coreboot:

Wrong, their "coreboot" is simply a shim loader layer and their laptops
are simple quanta rebrands - that post goes over this.

What they have isn't "open source firmware" as all the hardware init is
done by Intel FSP binary blob, you might as well just buy a dell as
you'd be getting a system just as free.


I can't understand as to why so many have bought in to the claims by
purism of "that is the best we can do" as that simply isn't true - it is
entirely possible to have a 100% libre laptop with the amount of money
that they raised but then they wouldn't be making so much profit as
they'd actually have to pay hardware devs rather than simply rebranding
OEM laptops.

[cooloutac]

I agree they are super overpriced But i'm not sure we can have 100% libre hardware, at least not for desktops. I heard the guy Chris from thinkpenguin talk about on a radio show once, how there is really only a couple manufactures that dominate the world. You would have to make every single part from scratch.

I don't know anything about coreboot or libreboot. Though I know I'd actually would like to have secure boot, but I guess I'm crazy.

[Tai...@gmx.com]

On 06/21/2017 10:57 PM, cooloutac wrote:

>
> I agree they are super overpriced But i'm not sure we can have 100% libre hardware, at least not for desktops. I heard the guy Chris from thinkpenguin talk about on a radio show once, how there is really only a couple manufactures that dominate the world. You would have to make every single part from scratch.
>
> I don't know anything about coreboot or libreboot. Though I know I'd actually would like to have secure boot, but I guess I'm crazy.
>

Of course you can, see the TALOS project for libre hardware/firmware
concepts and the KGPE-D16/KCMA-D8 for actual production libre firmware,
there are some POWER computers as well.

If someone tells you otherwise they don't know what they are talking
about, there is nothing stopping a company from making a libre computer
even a small company as long as they have the cash, purism could have
they just didn't want to.

Secure Boot is a marketing term for kernel code signing enforcement and
grub already does this, MS "secure" (from you) boot is a way for them to
eventually stop people from running linux.

[cooloutac]

I searched talos project and see stuff about body armor?

The guy from think penguin who sells libre laptops doesn't know what he is talking about? I agree he is a little extreme and paranoid, but The radio show was focused on wireless devices at the time and the dangers of the fcc ruling to lock them, and why purism, nor anybody, truly has a 100% libre machine. There is many firmwares integrated and attached to a mobo, but you are acting as if there is only one.

I don't know what you mean secure boot is a way to stop linux. It is supported by all major linux distributions. Even after that myth is proven wrong you still perpetuate it? Even after Richard Stallman himself says its ok to use secure boot?

I don't believe grub2 can take the place of secure boot. WOuld it have stopped hacking teams insyde bios exploit? More to it then just the kernel. I believe you would sign the grub but then grub would also be protected. I mean what does grub have to do with the bios?

If you want a conspiracy theory here is one. The reason the pyramid is on a dollar is because its human nature for there to be one entity controlling everythign else. If you want a 100% libre computer,you will have to manufacture every single chip on the mobo yourself. Not just the ones with firmwares, Because there is literally only maybe 2 or 3 companies who manufacture certain parts for a mobo in all of the world.

Do you know how much time and money, legal and political obstacles that would have? It would take more then the resources of a small indie company.

[Tai...@gmx.com]

Ah the smell of disinformation.

On 06/23/2017 10:28 AM, cooloutac wrote:

> On Thursday, June 22, 2017 at 6:51:27 PM UTC-4, Tai...@gmx.com wrote:
>> On 06/21/2017 10:57 PM, cooloutac wrote:
>>
>>> I agree they are super overpriced But i'm not sure we can have 100% libre hardware, at least not for desktops. I heard the guy Chris from thinkpenguin talk about on a radio show once, how there is really only a couple manufactures that dominate the world. You would have to make every single part from scratch.
>>>
>>> I don't know anything about coreboot or libreboot. Though I know I'd actually would like to have secure boot, but I guess I'm crazy.
>>>
>> Of course you can, see the TALOS project for libre hardware/firmware
>> concepts and the KGPE-D16/KCMA-D8 for actual production libre firmware,
>> there are some POWER computers as well.
>>
>> If someone tells you otherwise they don't know what they are talking
>> about, there is nothing stopping a company from making a libre computer
>> even a small company as long as they have the cash, purism could have
>> they just didn't want to.
>>
>> Secure Boot is a marketing term for kernel code signing enforcement and
>> grub already does this, MS "secure" (from you) boot is a way for them to
>> eventually stop people from running linux.
> I searched talos project and see stuff about body armor?

The TALOS project from raptor engineering was a 100% libre firmware and
hardware PC project that did not meet crowdfunding goals.

>
> The guy from think penguin who sells libre laptops doesn't know what he is talking about? I agree he is a little extreme and paranoid, but The radio show was focused on wireless devices at the time and the dangers of the fcc ruling to lock them, and why purism, nor anybody, truly has a 100% libre machine. There is many firmwares integrated and attached to a mobo, but you are acting as if there is only one.

Thinkpenguin and system76 are good honest companies FYI, I would suggest
supporting them if you are interested in a new intel machine for linux.
He is not extreme nor paranoid, the fcc thing could mean the end of open
source linux drivers and firmware for wifi chips.

There is not "many firmwares attached to a mobo" there really is only
one most of the time, I know what I am talking about as I am involved in
the coreboot project and I own several libre firmware machines.
The KGPE-D16 and KCMA-D8 have full functionality with libre firmware and
zero blobs, I even play the latest games on mine so that excuse from
purism that "oh no one has this" doesn't fly moreso because they haven't
even "struck a compromise for the latest hardware" or what not as again
their "coreboot" has entirely blobbed hw init making it pointless.

The exception to this rule would be a device with for example an
integrated storage device, FullMAC (not the SoftMAC AGN atheros types)
wireless chip, or a laptop/mobile board with an EC.

>
> I don't know what you mean secure boot is a way to stop linux. It is supported by all major linux distributions. Even after that myth is proven wrong you still perpetuate it? Even after Richard Stallman himself says its ok to use secure boot?

"supported by all major linux distros"
Only by using a red hat supplied signed binary pre-compiled sketchy
version of grub.
I don't think I should need to ask red hat for permission to run linux
do you?
A machine that lacks the ability to use even your own bootloader is not
really your machine you are simply licensing the use of it.

SB 1.0 specs require owner control and method to shut it off and enroll
own keys, SB 2.0 doesn't have this requirement so OEM's will eventually
not implement it similarly to MS's ARM computers that only allow you to
install windows - thus stopping people from using linux so no it isn't a
myth.

> I don't believe grub2 can take the place of secure boot. WOuld it have stopped hacking teams insyde bios exploit? More to it then just the kernel. I believe you would sign the grub but then grub would also be protected. I mean what does grub have to do with the bios?

Again secure boot is simply kernel signing nothing special.
Grub2 on a coreboot device can perform the same function only it is
always owned controlled, most coreboot users use grub to load kernels
instead of loading a kernel directly from CBFS.

HT's exploit of crappy proprietary BIOS's would work on a "secure" boot
or otherwise machine.

> If you want a 100% libre computer,you will have to manufacture every single chip on the mobo yourself.

[citation needed]
Again that is purism propaganda that simply isn't true - again see
raptor engineerings TALOS project as a proof of concept, it was already
ready to go they just had to fab the boards.

> Because there is literally only maybe 2 or 3 companies who manufacture certain parts for a mobo in all of the world.

[citation needed]
If you were a hardware engineer you would know that isn't true, why do
you insist on saying "facts" about things you know nothing about

> Do you know how much time and money, legal and political obstacles that would have? It would take more then the resources of a small indie company.

Yet again see TALOS - the only reason it didn't work is because they
tried to get the crowdfunding money from a notoriously cheap community
instead of the business world.

I have several libre firmware servers under my desk right now, and I
contributed to the crowdfunding campaign for a libre BMC from raptor
which will be ready in a few months.

Off the shelf from a vendor? IBM will be happy to sell you a very high
performance computer with libre firmware for 10K, and you can get the
hardware specs if you become an OpenPOWER member.

There is no law that stops people from doing it and you don't have to
ask the government for permission - I grow increasingly tired of people
like you who spout facts as if they are experts in the field.

[Tai...@gmx.com]

For reference here is a link to an "off the shelf" system that has
vendor supplied init code and hardware specs

https://en.wikipedia.org/wiki/Novena_(computing_platform)

"Free" high performance systems are not as easily found but here is one

http://www.tyan.com/EN/solution/openpower-GN70BP010/index.htm

AFAIK what stops more performance (ie: power not arm) vendors from doing
this more often is that it costs money without providing a substantial
reward so systems like these are generally only made for other vendors
instead of end users.

[cooloutac]

only one firmware rom attached to a mobo? What about the cpu, what about other integrated chips on the mobo besides the bios rom? asking redhat for permission to use secure boot? wtf? I know You're being faceitious but it sounds even more ridiculous when they contribute most to the linux kernel and you are using Qubes which has dom0 based on fedora.

Who are you jealous of more, Redhat or Windows?

Why do I say only a couple companies control/manufacture everything? Cause thats what Chris from thinkpeguin said, the guy you said knows what hes talking about. The same goes for most industries. Also its just human nature, something engineers and developers have a hard time understanding.

So with Talos you then, according to you, have an example of how hard is to fund such a project. Although I don't think you really understand by how much. It would not be that easy to get funding from corporations because special interests are also invovled, and its going to take a shit load of money man. Chris will tell you its impossible right now. So we can be upset at purism for exaggerating/lying and being a marketing scheme, but we can't blame them for not having a 100% libre machine because its not practical for anybody right now. What would you rather they did use some arm architecture with a shitty processor noone would buy? Joanna points out most arm processors are not even open sourced let alone libre.

People also said secure boot would be the death of linux, so sorry if I don't understand your sb 2.0 comment and take it with a grain of salt... Its not gonna make me run for my guns like "people like you"...

[Tai...@gmx.com]

CPU's don't have firmware or mask ROM.
To use MS's "secure" boot you have to use a red hat signed version of grub you can't use your own.
Red Hat is a crappy company that foists systemd and other unwanted software on the rest of the linux community.

Who are you jealous of more, Redhat or Windows?

Huh?

Why do I say only a couple companies control/manufacture everything?

Cause thats what Chris from thinkpeguin said,  the guy you said knows what hes talking about.  The same goes for most industries.  Also its just human nature,  something engineers and developers have a hard time understanding. 

So with Talos you then, according to you,  have an example of how hard is to fund such a project.

I am saying that it is entirely possible to make an open source computer if you have a few mil in funding.

  Although I don't think you really understand by how much.  It would not be that easy to get funding from corporations because special interests are also invovled, and its going to take a shit load of money man.

Only a few million, which isn't really that much - purism raised 750K for reference.

   Chris will tell you its impossible right now. 

No it isn't.
TYAN Palmetto is an open source performance computer (both hardware and firmware) it just isn't advertised as such. IBM's Firestone is almost open source and it has twice the performance.
POWER CPU's are open source, hence OpenPOWER.

So we can be upset at purism for exaggerating/lying and being a marketing scheme,  but we can't blame them for not having a 100% libre machine because its not practical for anybody right now.   What would you rather they did use some arm architecture with a shitty processor noone would buy?  Joanna points out most arm processors are not even open sourced let alone libre.

When they released the first one they could have used an AMD FT3 CPU which actually had better peformance than the low power intel model so that excuse doesn't fly.
Their marketing is very dishonest, I respect thinpenguin and system76 as they aren't claiming to be more than they are.
Purism said "we have to compromise" but there is no compromise, it is 100% non-free just the same as a dell so I fail to see as to why they should exist.

Plenty of people buy ARM computers such as the novena (met 200% its crowdfunding goal when it was sold for 1K each), and appliedmicro sells ARM CPU's that have performance equivalent to an intel sandy bridge desktop cpu but with much lower power consumption.

People also said secure boot would be the death of linux,  so sorry if I don't understand your sb 2.0 comment and take it with a grain of salt...  Its not gonna make me run for my guns like "people like you"...l

They won't do it right away, simply a gradual introduction with more and more machines that are locked down. Why do you think SB 2.0 doesn't include the owner control mandate like SB 1.0? Just cause?

The idea isn't to stop experts it is to stop the average joe from installing linux on his Windows XP machine and using it for another 10 years, I did that for my mother and she likes not having to spend more money.he

[cooloutac]

I like how on the novena site they say "This is not a machine for the faint of heart. It’s an open source project, which means part of the joy – and frustration – of the device is that it is continuously improving. " improving....lol To me thats common sense though so kudos to them for being honest. But its most likely headache city and I bet the processor runs linux like crap. Using a machine like this probably defeats the purpose of security.

Privacy and security aren't the same thing, and open source doesn't automatically mean more secure.

again it needs to be practical to sell. something for cool tech experiments but not for serious business won't sell as well. assuming anything truly is 100% open source. And you do know 100% open source is totally different thing then 100% libre right?

What is SB 2.0 and SB 1.0? And I don't know what you mean by the idea isn't to stop the experts? So experts won't be affected only noobs? And who is trying to stop them, Microsoft or Redhat? You seem to not like either. Right now you should be thanking both of them for making computing exponentially more secure. haha I for one would love to see a 100% libre machine but prefer practicality, stability, and security rather then open source hardware for the sake of having it in spite of everything else.

[Oleg Artemiev]

On Sun, Jul 9, 2017 at 6:13 AM, cooloutac <raah...@gmail.com> wrote:
> On Saturday, July 8, 2017 at 12:40:31 PM UTC-4, Tai...@gmx.com wrote:
>> On 06/26/2017 10:41 AM, cooloutac wrote:
>>
>>
>>
>> On Saturday, June 24, 2017 at 12:30:48 AM UTC-4, Tai...@gmx.com wrote:
>>
>>
>> Ah the smell of disinformation.

I'm sorry. But Qubes is reasonably _SECURE_ for me. I just want all my
QA related stuff be tested and reported on fully compatible certified
hardware. This means no ARM and no AMD. Only Intel. Just because AMD
ignores Qubes OS. Certified laptop is preferable. I've no choice
really. Sorry. I'm glad there's critics around purism. My level of
understanding chip tech is not that deep. :( Finally I'll receive
laptop and ask nearest hardware tech person to review it for covert
things.. Then I'll just install Qubes myself.

> --
> You received this message because you are subscribed to the Google Groups "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.
> To post to this group, send email to qubes...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/75576096-3c91-4a96-9590-9dab0ccef9b4%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.