Random Things – Part 2: “bunnie” Huang, Mullvad's laptops, & System76 firmware
So I finally watched “Open Source is Insufficient to Solve Trust Problems in Hardware” by bunnie for 36C3 in 2019, which is on YouTube and the C3 website.
So, this is one of the rare times I had to use VLC to watch a video with a detached subtitle captioning file.
(I'm not sure how to make this work with mpv, which I like better because mpv doesn't have any desktop icon glitch, which makes it look like it's still running in the background, even if I don't have VLC open. I think this is actually happening, but I certainly didn't mean to after closing VLC. VLC is confused for some reason as a GUI program, which requires me to run `$ pkill -9 vlc` to fix this issue. Meanwhile, mpv doesn't have this issue because it's a CLI/keyboard oriented application, but does work with the mouse when needed — much like AwesomeWM. I'm sure there's a way in mpv, but I haven't sat down to figure this out. I only prefer to use VLC when watching my torrented locally downloaded TV shows from Netflix or other streaming services and there are too many subtitles to manage. Generally, VLC is better for more advanced subtitle option management that isn't quite already working 100% out of the box as-is and would make mpv more cumbersome.)
(I've realized all of this will probably reveal the more significant parts of my internet activity, but I'm still going to do it, because otherwise blogging will die off in the age of central adtech social media platforms.)
@flawedworld from GitHub in the real world?
@flawedworld currently develops GrapheneOS and Hexavalent Browser.
I heard @flawedworld's voice from a podcast episode shared on Twitter.
I didn't like the 2 hosts (or 3?). One of them is Mishaal Rahman. All of the hosts were rather capitalistic — i.e., they kind of simped for trusting the patriarchal Google to keep the world safe like virgin comsoomer millennials, instead of independent rational stoic chads. I don't know, that was my impression of these podcast hosts.
Anyways (I'm always getting off-topic), this podcast host can't even tweet about his latest podcast episode properly. Rahman posted some direct link to an embedded player from Captivate, instead of the proper URL. (Or is URI correct? I think the former is correct in this case.)
The link in the tweet contained a `?source=twitter/` URL tracker on it, so that basically makes me want to condemn these techbros to Hell for eternal damnation just for this privacy transgression. This link absolutely sucks because it doesn't show any show notes or transcription. Lastly, the voice transcription is absolutely crap. It's one thing for the transcription to be slightly disappointing due to insufficient line breaks making Darknet Diaries transcriptions difficult for me, but it's another when the auto voice transcription has absolutely abysmal accuracy rates, thus indicating these hosts don't care enough to read over the transcription — if it's even available in their “”“workflow”“”.
Anyways, I heard a man at the end of Bunnie's video. This voice sounded very similar to @flawedworld's voice. This could just be a coincidence (and the Android Bytes podcast audio quality could also just be absolute garbage, even by my non-audiophile standards).
I feel like an NSA lurker creep for writing this, but I also couldn't ignore this thought in my head.
I'm sure the NSA's internal R&D cross-references its voice recognition with manual human trial and error to have a standard measure/metric ensuring its voice recognition is actually performing better than an actual person...
Mullvad's also in the glitter game, Purism
Another point I'll make to dunk on Purism, since its AweSIM program is absolute overpriced Kaczynskian socialized leftist trash — any prepaid SIM card bought with cash sufficiently far away from your home will be much cheaper (at least 4-5 times cheaper) per month than Purism's AweSIM. (Just make sure the physical SIM card is activated in time before its expiration date.)
Actually, I just found the page: \$100/month with a \$15 sign-up fee! That's atrocious! Hypothetically (I haven't worked all of this proposed plan out yet), I can get a 1 year Mint Mobile SIM card with a prepaid credit card, entirely bought with cash (and false PII) for \$45 for 3 months or \$180 for a period of 12 months to get a rate of \$15/month. On paper, you don't even effectively pay Mint Mobile for the SIM card itself — the company itself knows that SIM cards themselves are dirt cheap. The ISP's PII for cell phone tracking is what will be the true data gold/oil mine for intelligence agencies, but that's a separate matter...
Even “too easy” Henry knows AweSIM is a rip off.
As I said before, Purism is “Apple, but open source/reasonably repairable”. Not bad things, but you're curtailing all potential to be even greater by keeping the “Apple” part of its economic differentiation branding identity.
There's finally a compilation post of Purism documentation, and one points to the anti-interdiction page. However, most will want to see the original anti-interdiction page.
As I discovered from watching bunnie's video, I realized that the glitter protection is rather limited. In fact, an old location of the glitter seal guide from Mullvad was mentioned.
Actually, there are all these guides from Mullvad... and it's not because there are corresponding articles in Swedish. They're all short and to the point. (Also, scary flashbacks to Tyrell Wellick from Mr. Robot.)
Discovering the server list for Mullvad and IVPN
I also discovered that Mullvad and IVPN have server lists, mostly to display where their servers are located and their online/offline status.
Yay, I guess.
Heads (for coreboot and whatever)...
I discovered the GitHub page for Heads. Libreboot/coreboot is what made me aware of SPI clips for firmware flashing.
@flawedworld submitted a few GH issues during late 2018 and early 2019 adjacent to Intel ME/Heads projects. So, this is a circumstantial clue that @flawedworld did attend 36C3 in 2019 and asked a question about exploring the idea of smithing a nanometer-scale component silicon processor chip that could be inspected with a microscope.
Anyways, I'm not sure if this really matters, but Heads hasn't had a release since April 2017. I can't tell if this is a good thing or a bad thing. However, Heads really only works on older ThinkPads that are eligible for the firmware downgrade so that Intel ME can be disabled (which isn't as good as removing Intel ME — but removing Intel ME is only possible on very old hardware that the more well-known Libreboot hardware works on, such as the 32-bit ThinkPad X200, so that's better than not being able to do anything about Intel ME on all newly produced modern laptops post 2012-2013).
So, qualitatively Heads is rather tied down to very specific hardware, i.e. older ThinkPads that aren't too old to objectively be completely obsolete in 2022.
Heads is the payload for coreboot, which is important to keep in mind for the Insurgo PrivacyBeast X230.
Based on the initial post for Heads from key figure Trammell Hudson in 2017, I'm as convinced that this is sustainable as the Novena laptop from “bunnie” Huang and Sean “xobs” Cross, which sort of stopped in 2017... for some nebulous reason I can't remember. It's probably why Huang started the Betrusted/Precursor projects in the first place.
Breaking out the SPI clip for any future System76 laptop
I know flashing your own firmware that you built from source won't protect you against spy implants, but then again I'm pretty convinced that it would be rather expensive for the NSA or any similar adversary to perform a nearly invisible spy implant that can only be revealed with destructive inspection methods — that is, if the schematics of your laptop even exist in the open wild.
This seems like an atrocious waste of (potentially taxpayer federal and) contractor dollars against someone like me who can't even figure out how — why the frick did the FBI put me on its blacklist for darknet marketplace customers when I can't even figure out how to use Bitcoin???
That being said, apparently customers can submit their model and serial number via e-mail to get schematics — even if no one else is allowed to receive these schematics without System76's permission. I'll have to consider a clear opsec plan for this, but at least this pro-Louis Rossmann avenue for getting closer to the “schematics or die” sentiment exists.
Still better than anything from HP or Dell — even Lenovo.
There is a page about flashing System76 firmware manually. Apparently from the page's top warning, I would definitely be a very abnormal user/customer compared to what it is used to dealing with.
So, apparently there's a specification for an Ubuntu LTS install on the Raspberry Pi (for the more difficult yet faster SPI clip method) — but at this point, since `flashrom` is universally the same across Debian Stable, Testing, and Unstable according to the corresponding Debian Tracker page, I could do this by flashing Debian Stable or Unstable on my Raspberry Pi and call it a day — assuming nothing wrong happens.
There's also some info that isn't required for the instructions regarding UEFI and Intel ME being disabled but not removed (else in layman's terms, which are probably incorrect, you'll brick the motherboard... that sounds permanent — at least you'll have a good reason to burn it in a correctly devised thermite fire pit recipe to destroy all evidence of non-compliance in our increasingly Minority Report world).
According to the News sidebar on the right hand side of the project's homepage, the latest version (1.2) of `flashrom` came out in February 2020, so I guess that's how slow Debian Stable (via Backports?) is. Just don't use Old Stable — that version of `flashrom` is stuck on `0.9.9+r1954-1`. What is up with Debian appending these weird hash suffixes at the end of version numbers?
Anyways, I hope I don't brick my System76 laptop when I finally do get one.