Because I do not want to give every process on my laptop access to the Internet, I block all Internet connectivity with a firewall on my laptop, and I block all Internet access for that laptop on my router as well.
Now, to get access to the Internet, I allow only access to port 22 (SSH) on my router IP; then I run this command if I want to connect to the Internet:
ssh root@192.168.1.1 -D 9000
This sets up a SOCKS5 proxy that allows you to use the router's Internet connection; processes can be configured to use that SOCKS5 proxy (TCP only) if you want them to connect to the Internet.
For the router I'm using a commercial router with OpenWrt, though I would rather have a bit more trustworthy hardware and software ...
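A concrete form of the laptop-side policy described above, as an added example that is not from the thread: an nftables ruleset that permits only a new TCP/22 connection to the router, with the ssh -D tunnel as the sole path out. The router address and SOCKS port are taken from the post; the use of nftables and the table/chain names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Generates an nftables ruleset
# implementing the poster's laptop policy: the only new outbound connection
# allowed is TCP/22 to the router; everything else is dropped. Processes that
# need the Internet go through the SOCKS5 listener that `ssh -D` opens locally.
# Defaults are the values from the post (assumed): 192.168.1.1 and port 9000.

ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
SOCKS_PORT="${SOCKS_PORT:-9000}"

# Print the ruleset to stdout; apply it with:  gen_ruleset | sudo nft -f -
gen_ruleset() {
    cat <<EOF
flush ruleset
table inet laptop_egress {
    chain output {
        type filter hook output priority 0; policy drop;
        # loopback must stay open: the SOCKS listener lives on 127.0.0.1:${SOCKS_PORT}
        oif "lo" accept
        # packets belonging to the already-established SSH tunnel
        ct state established,related accept
        # the single permitted new connection: SSH to the router
        ip daddr ${ROUTER_IP} tcp dport 22 ct state new accept
        # everything else (including plain UDP DNS) is logged and dropped
        log prefix "laptop-egress-drop: " drop
    }
}
EOF
}

# Open the tunnel: -D binds a local SOCKS5 listener, -N runs no remote command.
open_tunnel() {
    ssh -N -D "127.0.0.1:${SOCKS_PORT}" "root@${ROUTER_IP}"
}

# Sanity checks on the generated policy (no root needed): the chain must be
# default-deny, and there must be exactly three accept rules.
policy_is_default_deny() {
    gen_ruleset | grep -q 'policy drop;'
}

accept_rule_count() {
    gen_ruleset | grep -c ' accept$'
}
```

Because the policy drops UDP, clients must resolve names through the tunnel as well (for example `curl --socks5-hostname 127.0.0.1:9000 ...`), otherwise DNS lookups fail before the SOCKS connection is even attempted.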
>>1659 Just FYI, I'm attempting to block Internet access for processes (backdoors) in the firmware, BIOS, or CPU as well here. Also, SSH isn't really necessary here, but I haven't put effort into looking for an alternative.
All Kiketel CPUs after the 286 have (((System Management Mode))), which is referred to as ring -2 and allows any random (((firmware))) to have full access to the computer and all data. Even with your setup, some (((people))) could inject special packets with sentinel values as a response to any request you make, which could do anything on your computer.
Newer kiketel CPUs also have (((Intel Management Engine))) in ring -3, which is like an even worse version of SMM.
I would personally recommend running Minix 1.x on a 286 machine. I have a non-botnet Toshiba T3100e to use for this purpose, however I need to write a bunch of drivers for serial and dial-up modems. I hope that one day I will be able to shitpost on nanochan from one of the few truly non-botnet systems in existence.
>>1662 >special packets with sentinel values as a response to any request you make
So outsiders can still upload data (for software updates) to my computer and make it compatible with my method of connecting to the Internet ... that's indeed a problem. Besides, I still have to trust the software that I give access to the Internet, which I don't, at all.
Wondering how you guys handle things in terms of hardware/software security and privacy. I know my method is pretty hacky and barely works so any feedback is wanted.
>System Management Mode and Intel Management Engine
Intel is being incredibly shady with their features which almost no one asked for or uses. Besides the CPU the x86 platform is fucked as well, if you have a single hardware component with malware on its firmware you're fucked.
Speaking of thinkpads, which should people be looking to get? I've been wanting something I can easily libreboot which is also really light, but finding the x60 with a core 2 duo isn't all that easy. Plus I kind of want the tablet version as well. I've seen people saying that you can just go with any AMD thinkpad made before 2012, but all of them have the god awful keyboards.
>>1673 As I said, any CPU after the 286 is pozzed. The 286 is the last non-botnet x86 CPU.
Avoid DMA crap at all costs. Use PIO wherever possible. Although slow, it's secure. To do that you will have to make a few modifications to your OS, which should be Minix since it's the only unix-like OS which runs on the 286.
If you go for coreboot + me_cleaner you can find many more options. I understand that you are after ease of installation, but maybe you can find someone to help you with installation.
If you can pay for a new setup, get a purism librem.
>>1662 >All Kiketel CPUs after the 286 have (((System Management Mode)))
How about AMD and VIA processors? When did they get SMM? Why limit ourselves to fucking Intel? Everything from Intel should be avoided.
AMD added (((PSP))), which is equivalent to (((Intel Management Engine))), many years after Intel. So maybe they also added SMM later than Intel? We need to check that.
Also, we need to investigate what the risks of SMM are compared to the risks of Intel ME and AMD PSP. If SMM was such a great backdoor, why would they need to add ME and PSP?
>>1673 >Speaking of thinkpads, which should people be looking to get?
Why limit yourself only to ThinkPads?
>I've been wanting something I can easily libreboot
To remove Intel ME, or to have an open-source BIOS? You can just buy a laptop without ME and PSP.
>I've seen people saying that you can just go with any AMD thinkpad made before 2012, but all of them have the god awful keyboards.
So you want to trade freedom for a better keyboard?
>>6793 Seconding this.
And I'll posit a hypothetical setup I find ideal. Assuming you set up a proper wall between you and the router to filter out that which is threatening or weakening, then you'll be better off with something subtle. So, to be subtle, blend in.
>Chromebook(non-systemd linux installed or OpenBSD) ~ OpenBSD RPI Firewall ~ router ~ internet
The Chromebook comes with Coreboot, and you can reflash it to get more security. The Chromebook is also commonplace enough that people won't be alerted that you're different, because it's common enough that no one would think about it. And also, they're cheap and easy to get a hold of. The Raspberry Pi can be justified as a tinker toy, and since OpenBSD would be running from an SD card, you can dispose of the SD card relatively quickly and show the federales something faggy like Raspbian on another one.
To address some concerns you'll have, I recommend wiping ChromeOS on the eMMC and replacing it with Ubuntu, and booting your actual OS off the SD or USB port.
Store your data on an encrypted external hard drive or home NAS. Download some Pi manipulation tools into Ubuntu to make it look like you play with the Pi as a soywarrior would, and I think you're solid at this point. The configurations on your boot SD (bsd) and firewall SD (fsd) can be automated and encrypted further for your own benefit, or you can toss this setup with one of the many encryption schemes of the Raspberry Pi. The only slightly abnormal thing is the encrypted hard drives/NAS, but those are locked down and probably for home use only. Unless you're a hardcore programmer, your chinkpad/Latitude is going to get attention, so hide it by using something normalniggers use and blend in.
>>6792 I checked, and it turns out that the 386DX and 386SX do not have System Management Mode. The 386SL (laptop version) had System Management Mode.
So we can now move to the 386. This is a big achievement, as the 386 is 32-bit (the 286 was 16-bit only), it has more instructions, and it is 3.4 times faster (33 MHz 386 vs 12 MHz 286).