Lenovo: Companies working in China may have to install local backdoors
Does Lenovo put backdoors in if the Chinese government asks? "If they want backdoors globally? We don't provide them. If they want a backdoor in China, let's just say that every multinational in China does the same thing."
"We comply with local laws. If the local laws say we don't put in backdoors, we don't put in backdoors. And we don't just comply with the laws, we follow the ethics and the spirit of the laws."
And then, with a final flourish, the answer. "Likewise, if there are countries that want to have access, and there are more countries than just China, you provide what they're asking."
See also: Lenovo CEO: 'We're not a Chinese company, we're a global company'
(Score: 2) by DannyB on Thursday September 20 2018, @02:03PM (3 children)
Develop a mentality that computers are a temporary thing. Nothing permanent. Every instance disposable.
Keep permanent files in some sort of append-only storage servers. Maybe running ZFS with a file server protocol that versions everything and is append-only. No actual deletion takes place. Only in the current version of the filesystem does the file appear to be deleted or overwritten. Then such a server must be regularly backed up to portable offline storage -- ideally read only once written. (Not necessarily present day technology. This is speculative about how to practice paranoid computing.)
Cheap disposable laptops. (eg chromebooks?) The web browser is your only tool. All apps in "the cloud" even if your own private cloud. Again, that server accesses files on some type of versioned append-only file server.
All these servers, eg cloud servers, web server, database server, etc could be containers. (eg docker or similar) Disposable. No persistent state within the container. Persistent state is only on that append-only file server -- which itself is a containerized process running against a filesystem, like maybe ZFS.
Now at some level you have to trust the OS and hardware. As for the hardware, maybe you don't trust it for certain parts of the system. Eg, your disposable cheap laptops. After all, nothing is ever permanently stored on that device. Making it disposable.
Maybe you don't trust the hardware running your append-only file server. But that box would not be internet connected. So how would a remote spy command the management engine to start spying? The boxes that are internet connected, and maybe remotely exploitable can only append information to the file sever.
Other thoughts?
I suppose start looking harder at using non-Intel processors. ARM. New open source chips.
In the long term, imagine a scenario like this. Suppose the processor were an FPGA. You "flashed" it with a processor design, and then loaded software compiled for that processor. Open source groups could develop new instruction sets and matching compilers. As long as these came out at some reasonable rate it would be more difficult to maintain binary exploits against a single architecture. Even if new processor instruction sets (and their compiler back ends) were changed not primarily to improve performance, but to deliberately be binary incompatible with all existing compiled binaries.
Now I suppose the source code and/or the compilers become the target of exploitation.
It's always something.
The lower I set my standards the more accomplishments I have.
(Score: 2) by takyon on Thursday September 20 2018, @02:42PM (1 child)
Google Fuchsia may have more paranoid privacy features [soylentnews.org] than ChromeOS, although it is still Google so you get things like this:
Maybe it can be easily modified to regain such anti-tracking features. In the meantime, everything on Fuchsia will be sandboxed cloud stuff.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by DannyB on Thursday September 20 2018, @05:11PM
Chromebooks are only one possible element of what I was describing.
But if you can put your own stuff into the cloud (Linode, Digital Ocean, etc) for a few bucks a month, then you could use just a browser. With VNC via the web browser. Log in to the chromebook as guest. At this point what does Google know about you?
* that someone initialized a chromebook
* someone used it as guest
* someone went to a certain domain name and IP address using SSL
Now I suppose the browser could then spy via screen shots, key logging, etc. But at this point we're talking a whole different level of spying than tracking you to put better ads in front of your eyeballs.
If you're worried about TLAs and APTs then you are wanting something very different. Unusual hardware. Probably no Intel / AMD management engines. Something like Qubes, etc.
The lower I set my standards the more accomplishments I have.
(Score: 0) by Anonymous Coward on Friday September 21 2018, @08:07AM
Everything we do is on a VM in a protected environment. The local machine doesn't even have email. No net access. Can't save files. Can only open a VM.
Good luck.