[talk] puri.sm laptops - Too good to be true?

Isaac (.ike) Levy ike at blackskyresearch.net
Fri Oct 20 12:41:56 EDT 2017


Wordup Spork!

For you, someone I've respected for years, a considered yet terse
response follows.
(warning: verbosity breeds verbosity :)

This is a *BSD list, so it's kind of boring to discuss other Operating
Systems- yet, this post is certainly contextually relevant to the
*BSDs.

Charles, in general- I think it's great if you like your Mac.  Yet, I am
trying below to genuinely answer your questions about why *I* have
abandoned Apple and have nothing but disdain for their platform, so,
you'll have to put up with a grumpy ike if you read on below; you've
scratched a number of things in computing I truly loathe these days.

On 10/19/2017 19:20, Charles Sprickman wrote:
>>> Hey, have you considered a MBP? :)
>>
>> I'll assume you are kidding :P
>> http://www.nycbug.org/index.cgi?action=view&id=10356
>> Since that talk, I've happily switched from OpenBSD to FreeBSD for my
>> primary personal rig- and *love it*.
>>
>> Why I don't want a MBP (was given a shiny new one at work):
> 
> This will be long because I normally don’t run into people that talk
> about the merits of different operating systems.  If it’s too sprawling
> for talk@, let me know!  My bad analogy hot take on this is>
> Windows = DNC (dominates, take what you’re given)

Not sure where you hang out day to day, but I'm pretty sure Windows no
longer dominates- Apple is the new Microsoft (in numbers, here).
I'll leave the political parties out of it and just address the
statements.

> OS-X = DSA (they’re trying, really they are and the old dude from VT is
> cool and likes guns)

/me winces,
The actual socio-political issues at Apple corp are way more fascinating
to me than this comparison, for example,
https://www.wired.com/story/apple-campus/

> Desktop *nix = Pure Marxism (exists in theory)

<insert sad trombone here>

Why?  I'm typing this right now on a *real* (not theory) FreeBSD
desktop- which I love using, also was loving OpenBSD as desktop for a
year, (after 30+ years of Apple).

I started with the lightweight XFCE, which I still like best, but have
been using big fat KDE for a while now- due to the subtle (and mac-like)
window movements and interactions.  So far, KDE has become easier on my
old eyes, (and it's still way lighter weight than the OSX finder,
particularly if you don't turn on the fancy 3d-enhanced stuff).

> 
> Or for the other side of the political spectrum:
> 
> Windows = RNC (capitalism is awesome, but we suck at making it work for
> middle class)

I think that's Apple now, the Apple Stores aren't exactly there for the
common man.

> OS-X = Rand Paul Libertarianism (you can’t have weed, but you can have
> tax cuts because “takers”)

Will move on, too much to unpack there.

> Desktop *nix = (smash the state, invisible hand is the only option,
> social darwinism, mostly theory)
> 

This one I find odd; why do you see a *nix desktop as "smash the
state"?  I'm curious.

That's certainly not why I want a *BSD laptop.  I simply want a computer
that does precisely what I want it to do.  I want to hack on the source.  I
want to know and use my hardware however I choose to use it.  I want to
understand and audit various aspects which relate to my security needs
and wants.

>> - I no longer want anything to do with Mac OS.
> 
> What’s your biggest complaint there?  

I responded with a short list before- but the gist:
- I want a machine that I can do what I wish with it
- that I can secure as I see fit
- that is my personal computer- (not a rented/metered device tuned for a
broad user base)

An Apple rig these days does not do much of what I want it to do, and does
a lot of things I do *not* want it to.

I'm a UNIX hacker, and a specific and "advanced" user.  Perhaps now more
than ever, I'm not part of the broad audience.

> I’m not onboard the whole
> “ios-ification” thing, I keep waiting for it to come and it hasn’t.  

Sure it has, IMHO.
Software updates from the App Store, (and requisite Apple account).
ADC login required to get the clang/llvm compiler.  (OK, so there's a
*sort of* cute-hacky workaround nowadays, but regardless).
And the most ios-ification thing I can think of: the manner in which
signed apps are rolled out.  By default, Apple takes responsibility for
a *huge* amount of what can happen on your machine- with ambiguous terms
for how they handle this profound liability.

I'm not saying they are evil, I'm just saying that their handling of the
signing of programs which run (or do not run) on my computer is subject
to forces *way* outside of my control, and are totally opaque to me.

> And
> there’s such an ecosystem of terrific software out there that just
> doesn’t exist in FOSS versions (Pixelmator, Photoshop, other
> graphics/video/audio stuff that I need often enough to miss). 

I'm not sticking to an OS platform for any single software.

I do miss Photoshop and Illustrator, but not much.
The product hasn't changed since I first picked up PaintWorks Plus when
I was 8 years old, (except it's all cloud annoy).

Yet, I find Gimp usable- after all these years it's stable and fantastic
for my needs.  Inkscape I may never quite get used to, but will see. 
I'd never recommend or force Gimp on anyone, but I personally like it
quite a lot for my casual needs.

3D tools, well... for a project, I recently became proficient in
SketchUp on a Mac, and it's done nothing but open up a world of *way
better* open source apps (that I have yet to master enough to be
proficient with).  So I don't miss the Mac there either.

OmniGraffle, in my NYC*BUG talk- I sang sad songs about how I miss it.
But hey- there's other ways to make structured graphs and draw- from
LibreOffice, to Graphviz, to Inkscape plus plenty of other tools I
haven't even tried yet.

> And iTerm2
> + tmux integration. Certainly there are going to be security issues, 

Yes there certainly are security issues there.
No comment on iTerm2, I typically use whatever terminal is available- (I
believe they all do UTF-8 and proper terminal emulation these days- all
else is uninteresting candy to me).

I'm not a tmux(1) user, but it certainly does not require a mac :)

> but
> in my various dayjobs I’ve yet to encounter a malware-infested Mac.  

I have.

From my view, Mac is the new Windows, circa 1997...  Right as bad things
were proliferating, (internet), truly bad times were just around the
corner...

> And
> a unified interface, I have a hard time leaving that.  I’ve poked at a
> few current unix desktops in vmware (another options not available on
> desktop unix) and found them to be the UI equivalent of a vomited-up
> pizza. :)

I find that a bit harsh, (I'm using KDE right now <groans>, and it suits
my needs- and with some work, I got most of the things I cared about in
the OSX Finder- plus some new X11 things I'd always wanted,
(particularly on the scriptability front).

I do however miss the *very nice* column view in Finder, the
https://en.wikipedia.org/wiki/Miller_columns

In my old NYC*BUG presentation, the X11 desktop was an unfamiliar UI to
me- however, it was the biggest point I had to grow through when leaving the Mac
(for OpenBSD/XFCE then).  But, a few weeks of using it, and boom- I was
as fast and comfortable as before- and the desktop felt natural.

Programs I don't like?  I delete them :)  (Or rather, uninstall them
from ports etc...).  My machine.

> 
> I also dearly love Little Snitch, never seen anything like that on
> desktop *nix.  

Sure, as a GUI tool it stands out.  But for years I've used:

- PF/IPFW outbound rules (been doing that for years myself, even just
logs are rad, no?)
- Capsicum (FreeBSD), pledge(2) (OpenBSD)
- Super easy and mind-blowing dtrace one-liners (FreeBSD)

Applications are themselves incorporating great (and transparent)
sandboxing, particularly browsers- good work in Firefox/Chrome on this
right now.
And there's plenty of system level sandboxing, from chroot(8) to jail(8)
etc...

(And don't raise the idea "dtrace is there on a modern mac".
Implementation and Apple maintenance so half-assed that they obviously
stopped caring some time ago, and it still just sits there, like many of
their man pages for missing utils- because nobody at Apple has taken
time to untangle how they jammed it in in the first place...)

> Not only does it act as a nice outbound firewall to show
> what’s trying to phone home, but it also works with the os-x
> code-signing stuff to block unsigned apps from network communications.

Right.  Yet, the signing/blocking/etc decisions are being made at a
massive company with constantly shifting goals- angry birds sort of
goals- and a short attention span that can only be profitable in silicon
valley.
Does nothing but make me annoyed using *my* machine.

While I respect Apple's engineering here immensely, and respect their
intent, I'd think the NYC DMV would do a better job of managing signed
software and whether or not it runs on my computer.  (The NYC DMV
actually is a pretty effective org these days, why not! ;)

>  It’s pretty slick.  I’m also a fan of the whole code-signing model as
> well, but I’m happy to hear how that’s a flawed security measure.

Big sigh.

1) Crypto implemented in Hardware.  Good for 2nd factor type measures.
Bad for places where you need good trust.

2) The code-signing model is a blackbox.  Companies like Google and
Bloomberg have been *on their knees* to get to just *use it* for their
internal auth needs- but after ? years, Apple continues not to GAF.

Just this week: The WEP2-pocalypse!  (Did we not learn from WPA?
Everyone who trusts their wireless network and is compromised this week
because they ran naked mission-critical SQL or somesuch nonsense over
their wireless- well, IMHO, they deserve it.)

Even the Yubikeys this week, RSA implementation flawed because of a
vendor chip mistake.  (I use the heck out of Yubikeys for 2fa, but
surely not for RSA signing/private keygen- for my applied needs it makes
no sense at all.)

Blackbox models are just bad security, regardless of Apple's (or anyone's)
intent.  Continuing this discussion makes me cranky, so if you want to go
further please just go re-read some Schneier.

> 
>> - USBc, *nothing but USBc*.  That blows for so many reasons.
> 
> I only recently discovered that, my prior/dying MBP had the magsafe
> connector, which is one of the best inventions ever compared to the
> idiocy of a barrel-plug that will both yank your laptop off the counter
> and more than likely do damage to the mainboard. 

MagSafe: Best invention ever.  I wonder if it's really patented,
particularly now they killed the product? :)

> My new MBP is USB-c and
> it’s love/hate.  On the upside I can charge it in the car with no fancy
> add-ons.

Do you USB-c your laptop right into *your car*?

I cannot comprehend.  Honestly.  Not sure I want to know more.

> On the downside, I have to carry a dongle for normal USB.  But
> my use case is that I’m either on the couch with it or at a coffee shop,
> neither of which involve wires or dongles (and if I forego Chrome for
> Safari, 8 hours of working on a charge is a real thing).

Firefox user here.  I find Chromium great on FreeBSD for YouTube etc...

Safari: well, I guess I have that on this KDE machine, (Konqueror fork).
Sort of kidding, sort of not.

> 
> There is a headphone/mic jack too. :)

Macbooks appear to still have those.

The iPhone mess they've made has really ruined *my* experience with my
music- major love lost for their "Bravery".

> 
> And of course, in a few years, windows laptops will also only have
> USB-c.  It’s inevitable.  Long term you will learn to love your
> single-standard jack.

Why will I learn to love this single-standard jack?  And why do people
keep putting it that way?

I've been through *many* cable/port standards over the years, Spork you
have too.  They come and go.  None are guaranteed to last.

It's great if *you* like it.  I do not, for specific usability,
security, and complexity issues.  I prefer to use separate products for
floor wax and dessert topping.

> 
> And none of this: http://www.smbc-comics.com/comics/20111004.gif
> 
> I am of course going to have to buy one of these sorts of things:
> 
> https://www.amazon.com/Magnetic-Adapter-Stouchi-Connection-Charging/dp/B075XM3SHX/
> <https://www.amazon.com/Magnetic-Adapter-Stouchi-Connection-Charging/dp/B075XM3SHX/ref=sr_1_13?ie=UTF8&qid=1508452495&sr=8-13&keywords=magsafe+to+usb-c>

It's neat to see a 3rd party mag-safe thingie.  It doesn't get me
excited about buying an Apple laptop.

This "but I need a 3rd party dongle to do a thing I want" business is
why I've hated most non-apple laptops over the years.

> 
>> - USBc - requires data exchange just to *charge the rig*
> 
> I still say this is the eventual standard, but there are options for this:

That you think it will be the eventual standard does not address my
concern that the technology is unacceptably insecure to me.
It's like saying to me `Yeah, I know it's harmful but we'll all be doing
it anyhow eventually here.`  "Eventual standard" is a bold claim to
start with, and disregards my legitimate beef with USBc.


As I stated before, I'm *not* happy to require data exchange in order to
initiate the simple act of charging (male to male cables).

You seem to be just fine with that.  Perhaps when you get owned one day
by plugging into power when your laptop was dying, you'll change your
mind.  First time that happened to me was Defcon 10, a hacked-up
firewire drive- made me learn to be wary of DMA ports.  Since then,
anyone who's not dug into the related exploits/meat of the Snowden docs,
well, I don't think they have anything relevant to say on security
today.  From the tools to their documented, widespread, dragnet applied
use.

> 
> https://www.amazon.com/PortaPow-Specialised-Block-Charge-USB-C/dp/B01AY9TDYK/
> 
>> - Bag full of adapters and peripherals.
> 
> Depends on your use case - I’m on wifi about 99.9% of the time. I have
> an ethernet dongle, but that’s it.  Oh, and an old Keyspan USB to serial
> - these are all dwarfed by other things I need to carry if I do go in to
> “work” (misc. serial console cables and such are way more bulky).

Great for you.

> 
> And less stuff to carry overall - single charger for phone, tablet,
> laptop means less power cubes.

One standard to rule them all.
I have yet to see that work.
Even the new iPhone is still not USBc.

> 
> But I do like this dude:
> 
> https://www.youtube.com/watch?v=-XSC_UG5_kU (DONGLES!)
> 
>>  - Apple USBc mixed up with thunderbolt, and bang DMA!!!  What could go
>>  wrong!
> 
> See cable above. 

Are you trolling me Spork?

Nothing from that (very very funny and sad) video makes me excited about
carrying more dongles.

> And in my use case I totally don’t find myself plugging
> into random shit. And as I discovered with my 2011 MBP, you can boot
> linux and fiddle with stuff in the EFI filesystem or use the “nvram”
> utility in single user w/SIP disabled to turn off various things (in my
> case, disabling the fried NVidia GPU).  

> When you’re talking about
> shadowy figures sneaking up to you in public and plugging stuff into
> your laptop to own you, you’re already a target and I don’t know if a
> *BSD/Linux laptop will save you.

That's not the common case, and disregards the actual security problem
I'm presenting.
The common case is infected/flawed devices/dongles.  We've seen this for
years in non-DMA stuff, from even USB sticks- to other
peripherals/dongles.  We've even seen the mass application by "shadowy
figures" through the programs instituted by the NSA- and in that case
I'm less worried about the NSA, and more worried about people taking
advantage of their backdoors.

When you paint the picture as something so wild and sinister, you work
against simple hardware security here.
Yet perhaps I missed your point?

> 
>> - Simply not interested in running anything but OSX on this hardware.
> 
> Except in a VM.
> 
> And speaking of VMs, OS-X now has a built-in VM system just waiting for
> a GUI: https://veertu.com/veertu-desktop/

For development, I use many forms of VM all day long.

I have no interest in running *the computer I want to run*, inside a
*computer I do not like or trust*.

Unless I missed your point, moving on:

> 
>>
>> Other Lenovo/Dell-XPS models I've been angling for:
>> - USBc charging
>> - Lots more proprietary hardware
>> - More dependence on bluetooth and gimmicky crapola
>> - Most of them: HDD/RAM soldered down, Particularly the HDD, that bugs
>> me!
> 
> The soldered in SSD sucks.  Laptops are becoming big phones and that
> trend is not reversing.  The RAM bothers me less because RAM generally
> doesn’t fail.  SSDs wear out.

Finally we agree.

> 
>> So, with that tip-of-the-iceberg ranting done, this Purism rig seems
>> almost too good to be true- *for me* :)
> 
> I suspect that in 5 years or so the laptop market is going to be even
> more phone-like and disposable, not just on the Apple side.

Cool.  And there will be no more servers because the cloud will take
care of that too.
(Now I'm grumpy and will probably ignore this thread for the weekend to
regain my sanity.)

Spork: we are due for a beer at a NYC*BUG meeting, no?  Next round on me
:)

Rocket-
.ike
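The PF outbound rules ike contrasts with Little Snitch above, written out as an added example that is not part of the original post or the thread: a default-deny outbound pf.conf that logs every connection attempt, so the pflog is the "what's trying to phone home" view. The interface name `em0` and the port lists are assumptions; adjust them for the machine.

```pf
# Added example (not from the thread): default-deny outbound ruleset.
# Assumed NIC name; on a laptop this is more likely iwn0/wlan0.
ext_if = "em0"

# Services this box is explicitly allowed to reach.
tcp_out = "{ 22, 80, 443, 993 }"
udp_out = "{ 53, 123 }"

set skip on lo0

# Drop and log everything that is not matched by a later pass rule.
# "return" sends RST/unreachable so a blocked program fails fast
# instead of hanging, which makes the block visible to the user.
block return log on $ext_if all

# Stateful pass rules also carry "log": pf logs only the packet that
# creates the state, so pflog0 shows one line per new outbound
# connection, allowed or denied ("even just logs are rad").
pass out log on $ext_if proto tcp to any port $tcp_out keep state
pass out log on $ext_if proto udp to any port $udp_out keep state
pass out log on $ext_if inet proto icmp icmp-type echoreq keep state

# Load with:   pfctl -f /etc/pf.conf
# Watch with:  tcpdump -n -e -ttt -i pflog0
# (FreeBSD needs pf_enable="YES" and pflog_enable="YES" in rc.conf.)
```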
