If I want a secure computer, should I go with an older one with no Intel ME or a newer one with Secure Boot and a TPM?


Game master arino

kiwifarms.net
Joined
Jul 4, 2021
Some people say Intel ME is government spyware. But others say the features on newer computers like Secure Boot make things 10 times better. Currently my computer is running winglows 10, so I was thinking about getting a more secure system. What should I get?
 

Rusty Crab

cowboy hats are crab hats
kiwifarms.net
Joined
Jun 20, 2020
If you're going for privacy, forget it, you can't get that on Windows. The government will see literally everything you do no matter what your hardware is.
If you want security from theft, simply using BitLocker with a password will be sufficient.
Secure Boot (I think?) tries to prevent rootkits and malicious bootloaders. If you're not doing risky behavior, you're unlikely to be affected by either of those.
I don't think Secure Boot works with Linux, so it becomes irrelevant.

All this said, since privacy is not an option under Windows, you may as well just get a newer system.
If you are running Linux, old ThinkPads are likely your best bet.

The debate around ME is massive and autistic and way too much to get into. What I can say is that it's been around for a long time and nobody seems to have caught it doing anything over WAN (which is the big concern). Surely somebody would have noticed by now.
 

Game master arino

kiwifarms.net
Joined
Jul 4, 2021
Rusty Crab said:
If you're going for privacy, forget it, you can't get that on Windows. The government will see literally everything you do no matter what your hardware is.
If you want security from theft, simply using BitLocker with a password will be sufficient.
Secure Boot (I think?) tries to prevent rootkits and malicious bootloaders. If you're not doing risky behavior, you're unlikely to be affected by either of those.
I don't think Secure Boot works with Linux, so it becomes irrelevant.

All this said, since privacy is not an option under Windows, you may as well just get a newer system.
If you are running Linux, old ThinkPads are likely your best bet.

The debate around ME is massive and autistic and way too much to get into. What I can say is that it's been around for a long time and nobody seems to have caught it doing anything over WAN (which is the big concern). Surely somebody would have noticed by now.

Oh, on my new system I won't use Windows, I'll probably use Linux configured to run through Tor. I just need to decide if I want to go with Intel ME or not.
 

Rusty Crab

cowboy hats are crab hats
kiwifarms.net
Joined
Jun 20, 2020
Game Master arino said:
Oh, on my new system I won't use Windows, I'll probably use Linux configured to run through Tor. I just need to decide if I want to go with Intel ME or not.

Depends on how much performance you need.
If you need absolute privacy, you will need to find something without ME, but those are all very old.
Anything past 2008ish will have ME, but, like I said, nobody seems to have caught it red-handed yet, so the odds of you getting compromised by it seem slim.

If you're interested, Purism makes new laptops with ME disabled, though they are expensive and I can't personally vouch for them as a company. I can give my opinions on the similar company Pine64, however: stay the fuck away.
 

Likely

kiwifarms.net
Joined
Dec 29, 2013
Damn, what are you doing, trying to make threats against Kim Jong Un? The CIA doesn't care about your ass.

Rusty Crab said:
The government will see literally everything you do no matter what your hardware is.

Absolutely not true. The US is not gonna pop some spicy zero-day on your ass because you post on Kiwi Farms and torrent dickgirl porn. Unless you're selling kilos of drugs a day, forming a terrorist cell, etc., they're just gonna go "oh no, we don't know what's going on".

Rusty Crab said:
If you want security from theft, simply using BitLocker with a password will be sufficient.

Properly configured BitLocker (PIN + TPM) is fine unless you're an actual terrorist; the feds don't want to reveal they have that capability just to bust you over your weird illegal porn. If you escrow your key like Home edition makes you, of course they'll fuck you instantly. And, if it's worth it to them to read your keys off the TPM with their weird future technology, they'll also likely just straight up kill you one way or another.

Rusty Crab said:
I don't think Secure Boot works with Linux, so it becomes irrelevant.

You can get a bootloader signed with Microsoft's key from Canonical/Red Hat, or you can create your own PK and trust store and sign the bootloader/kernel/image yourself.

If you really, really care, if you're Terry Davis and Richard Stallman at the same time, your best bet is to find one of the completely open RISC-V/POWER boards like Talos, do your own bootloader/kernel/image signing, run a minimalist, hardened image, use a separate computer for running a web browser, and literally never ever let the computer out of your sight. Like, sleep with it under your pillow. Don't store anything but what's required on it, and make sure anything you do is within the statute of limitations by the time quantum computers get strong enough.

Frankly, running Linux and self-hosting "cloud services" are massive first steps that you should work towards if you're really concerned about privacy. Using a reputable VPN that doesn't log is another good step, although that's dubious and tricky to find.
 

PetrifiedTom

Po_0petrator
kiwifarms.net
Joined
Mar 13, 2019
If you want to browse the web but don't want it to point to your PC, you can always use Windows, buy a NAS, and redirect outgoing/incoming Internet access by manually setting the gateway to your NAS server. Some NAS servers (even cheap ones) support OpenVPN, so you not only connect to the internet through a second device but also proxy your connection through a country outside the 8 Eyes.

Game Master arino said:
Some people say intel ME is government spyware. But others say the features on newer computers like secure boot make things 10 times better. Currently my computer is running winglows 10 so I was thinking about getting a more secure system. What should I get?

It's not spyware but a system that runs alongside your OS. It might be used as a backdoor, but if you encrypt your disk drive it will be futile.

The only spyware there is is Windows itself, with the NSA key that allows decrypting anything on your computer.
https://en.wikipedia.org/wiki/NSAKEY

You are looking in the wrong direction.
 

Daniel

kiwifarms.net
Joined
Oct 27, 2021
Either use Linux or some obscure OS that's privacy focused or just avoid using the internet at all if you really care about government spyware.

Dead dogs don't bite, that's what I say.
 

Kosher Dill

Potato Chips
True & Honest Fan
kiwifarms.net
Joined
Feb 3, 2013
One other thing worth mentioning is that it's possible to mostly disable the ME using me_cleaner if you're so inclined. That's a reasonable compromise for most people who aren't dissidents or Stallmanites.
I think this is built into various coreboot images. On some systems like Ivy Bridge it's even possible to do without a hardware flasher.
 

Scumhook

kiwifarms.net
Joined
Aug 13, 2015
Sometimes, the old, original things are still the best.

Search your heart and visualise this pic I took of me and your dad about 9 months before you were born

 

polyester

kiwifarms.net
Joined
Jan 26, 2020
Likely said:
If it's worth it to them to read your keys off the TPM with their weird future technology, they'll also likely just straight up kill you one way or another.

The government doesn't even need spooky quantum computer technology to crack your encryption, they can just imprison you (among other methods of coercion) until you tell them the password.
 

byuu

Non-binary they/them
kiwifarms.net
Joined
Aug 17, 2018
What does Secure Boot even protect against?
If your system is so compromised that you can fuck with the bootloader, you're already screwed.
 

Bat Dad

Do not cross the Bat Daaad!
True & Honest Fan
kiwifarms.net
Joined
Aug 9, 2019
polyester said:
The government doesn't even need spooky quantum computer technology to crack your encryption, they can just imprison you (among other methods of coercion) until you tell them the password.

A good step for that, if you are selling dope or something, is to encrypt with a hardware token and destroy it before you get caught (if you have the chance). They tend to surveil and attempt to catch you while sitting on a library's wifi with your device already unlocked. There are some ways to attempt to mitigate that as well (geofence-activated locking, etc.).

byuu said:
What does Secure Boot even protect against?
If your system is so compromised that you can fuck with the bootloader, you're already screwed.

Early boot chain attacks. Of course, TPM is sometimes compromised, but I don't think it possible without physical access to the device. I think (?) the OG Nintendo Switch hack is against the TPM module on that device.

Edit:
Wikipedia said:
Trusted Platform Module (TPM) was conceived by a computer industry consortium called Trusted Computing Group (TCG), and was standardized by International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) in 2009 as ISO/IEC 11889.[1]

When a new revision is released it is broken down into 3 parts by the Trusted Computing Group. Each part consists of a PDF that makes up the whole of the new TPM specification.

  • Part 1 – Design Principles
  • Part 2 – Structures of the TPM
  • Part 3 – Commands
TCG continues to revise the TPM specifications keeping it up with current needs. TPM Main Specification Version 1.2 was finalized on March 3, 2011, completing its revision.[2] TCG then released TPM Library Specification 2.0, with its most recent edition published in 2019.[3]

Trusted Platform Module provides

  • A hardware random number generator[4][5]
  • Facilities for the secure generation of cryptographic keys for limited uses.
  • Remote attestation: Creates a nearly unforgeable hash key summary of the hardware and software configuration. The software in charge of hashing the configuration data determines the extent of the summary. This allows a third party to verify that the software has not been changed.
  • Binding: Encrypts data using the TPM bind key, a unique RSA key descended from a storage key[clarification needed].[6]
  • Sealing: Similar to binding, but in addition, specifies the TPM state[7] for the data to be decrypted (unsealed).[8]
  • Other Trusted Computing functions for the data to be decrypted (unsealed).[9]
Computer programs can use a TPM to authenticate hardware devices, since each TPM chip has a unique and secret Endorsement Key (EK) burned in as it is produced. Security embedded in hardware provides more protection than a software-only solution.[10]
The earlier the attack, the more likely it is to fully compromise the system. TPM tries to mitigate that by using a hardware key vault to protect the encryption keys, and secure boot disallows booting from unsigned sources.
 
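The "sealing" bullet in the quoted Wikipedia text and the "early boot chain" point above are easier to see with numbers. The following is an added worked example, not code from the thread and not a real TPM interface: it reproduces the arithmetic a TPM 2.0 uses for a SHA-256 PCR (PCR_new = H(PCR_old || H(data))) and the idea behind sealing to a PCR policy, using only hashlib. The boot components, the PCR layout and the "chip seed" are constructed placeholders; a real TPM keeps the secret and the seed inside the chip and never hands out the key material this way.

```python
"""Measured boot + sealing, simulated with hashlib only.

Constructed example: NOT a TPM driver, and not code from the thread. It models
TPM2_PCR_Extend and the PCR-policy check behind sealing/unsealing so the effect
of a modified bootloader on a sealed disk key can be observed offline.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

PCR_INIT = b"\x00" * 32  # a SHA-256 PCR bank starts all-zero at reset

# Stand-in for the chip-unique seed a real TPM burns in at manufacture.
# Fixed here (assumption) so the example is deterministic.
CHIP_SEED = b"constructed-example-seed-not-a-real-tpm"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM2_PCR_Extend for one SHA-256 PCR: fold the digest of data into it."""
    return sha256(pcr + sha256(data))


def measure_boot(chain: List[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Each stage measures the next component into a PCR before running it.

    chain is an ordered list of (pcr_index, component_bytes). Extend is a hash
    chain, so the order of measurements into the same PCR matters.
    """
    pcrs = {i: PCR_INIT for i in range(24)}
    for idx, component in chain:
        pcrs[idx] = pcr_extend(pcrs[idx], component)
    return pcrs


def policy_digest(pcrs: Dict[int, bytes], selection: Tuple[int, ...]) -> bytes:
    """Like TPM2_PolicyPCR: one digest over the selected PCR values, in order."""
    return sha256(b"".join(pcrs[i] for i in selection))


def seal(secret: bytes, pcrs: Dict[int, bytes], selection: Tuple[int, ...]) -> dict:
    """Bind a 32-byte secret (think: volume master key) to the current PCR state."""
    assert len(secret) == 32, "this toy seals exactly one 32-byte key"
    k = hmac.new(CHIP_SEED, policy_digest(pcrs, selection), hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, k))  # 32-byte key XOR 32-byte pad
    tag = hmac.new(k, ct, hashlib.sha256).digest()
    return {"selection": selection, "ct": ct, "tag": tag}


def unseal(blob: dict, pcrs: Dict[int, bytes]) -> Optional[bytes]:
    """Release the secret only if the selected PCRs match the seal-time state."""
    k = hmac.new(CHIP_SEED, policy_digest(pcrs, blob["selection"]), hashlib.sha256).digest()
    expected = hmac.new(k, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # policy check failed: a measured component changed
    return bytes(a ^ b for a, b in zip(blob["ct"], k))


# Constructed boot components. PCR numbers loosely follow the PC Client
# convention (0 = firmware code, 4 = boot loader, 8 = what the loader measured,
# e.g. kernel and initrd); the bytes themselves are placeholders.
FIRMWARE = b"UEFI firmware image v1"
BOOTLOADER = b"shim+grub signed"
KERNEL = b"vmlinuz-6.1 root=/dev/mapper/root"
INITRD = b"initrd.img-6.1"
VMK = sha256(b"constructed volume master key")  # 32 bytes

GOOD_CHAIN = [(0, FIRMWARE), (4, BOOTLOADER), (8, KERNEL), (8, INITRD)]
SELECTION = (0, 4, 8)


def run_demo() -> Dict[str, bool]:
    good = measure_boot(GOOD_CHAIN)
    blob = seal(VMK, good, SELECTION)

    # 1. Same chain on the next boot: the key is released.
    same_chain_unseals = unseal(blob, measure_boot(GOOD_CHAIN)) == VMK

    # 2. A bootkit patches the loader: PCR4 differs, unseal refuses.
    bootkit = [(0, FIRMWARE), (4, BOOTLOADER + b" patched"), (8, KERNEL), (8, INITRD)]
    bootkit_blocked = unseal(blob, measure_boot(bootkit)) is None

    # 3. Same components measured into PCR8 in the other order: different PCR8.
    reordered = [(0, FIRMWARE), (4, BOOTLOADER), (8, INITRD), (8, KERNEL)]
    order_matters = measure_boot(reordered)[8] != good[8]

    # 4. Caveat: sealing only to PCRs 0 and 4 leaves a kernel swap unnoticed.
    weak_blob = seal(VMK, good, (0, 4))
    evil_kernel = [(0, FIRMWARE), (4, BOOTLOADER), (8, b"evil kernel"), (8, INITRD)]
    unselected_pcr_ignored = unseal(weak_blob, measure_boot(evil_kernel)) == VMK

    return {
        "same_chain_unseals": same_chain_unseals,
        "bootkit_blocked": bootkit_blocked,
        "order_matters": order_matters,
        "unselected_pcr_ignored": unselected_pcr_ignored,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Case 4 is the practical caveat: a sealed key is only as good as the PCR selection it is bound to, which is why real BitLocker and systemd-cryptenroll setups choose their PCR set deliberately.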

byuu

Non-binary they/them
kiwifarms.net
Joined
Aug 17, 2018
Bat Dad said:
Early boot chain attacks.

But where is the attack supposed to come from? If we're talking about a private PC at home, then it comes from the network of a fully booted system, which you'd have to gain full privileges on first to get access to the bootloader.
 

Bat Dad

Do not cross the Bat Daaad!
True & Honest Fan
kiwifarms.net
Joined
Aug 9, 2019
byuu said:
But where is the attack supposed to come from? If we're talking about a private PC at home, then it comes from the network of a fully booted system, which you'd have to gain full privileges on first to get access to the bootloader.

I believe there have been rootkits that reside in the bootloader, acquired from network sources, in the past. At the very least, that is theoretically possible. The hardware module attempts to mitigate both network and physical attacks.

Nothing is secure against a motivated actor. The best you can do is hold off the theoretical windows of attack. Nothing is completely secure, but attacks are limited by the state of the art. For instance, if you have an encryption algorithm that would take 100 years to crack with the best of current tech, you're secure today. But if some innovation happens tomorrow that brings that time down to 5 years or something, then you may want to reconsider your investment in that hardware.
 

byuu

Non-binary they/them
kiwifarms.net
Joined
Aug 17, 2018
Bat Dad said:
I believe there have been rootkits that reside in the bootloader, acquired from network sources, in the past. At the very least, that is theoretically possible.

How is that supposed to be possible unless you have PXE enabled?
Which a home user has no need for.