[Freedombox-discuss] Hardware Platforms; more problems...

Thu May 12 08:53:29 UTC 2011

Hello.  Lots of cool hardware news that folks are bringing to the list,
but I'm afraid I have a few bits of hardware paranoia to bring to the
party.  It's this gift I have.

First, since there have been cases of hardware shipping with "phone
home" and physical tracking programs hidden in the BIOS or otherwise
concealed, shouldn't we be concerned about being able to audit the
entire system, starting with hardware?  It probably wouldn't be too
early to start up a list of "trusted vendors", if such an audit could be
accomplished.  I mean, most of the computer hardware that I'm aware of
is made in China these days, and they might not be so friendly towards
the FrBx project.  Certain companies also might have an interest in
tracking capabilities.

How many of us really, truly KNOW what is in the hardware?  If we don't,
it should be on our list of things to learn, or at least to learn to
test for.

It also occurs to me that a very small tracking chip (RFID) might be
added at any point between manufacture and delivery, and some of those
are very tiny, nearly invisible.  The problem is that ten seconds in the
microwave probably wouldn't do the Freedom Box a world of good, either.
 Again, is there any Q&D way to test for RFIDs?  -And how do you remove
them intact so you can feed them to various rodents?  -"The dissidents
are hiding in the sewers!!!"

Of course, this also leads to the question of what might be in firmware,
or software.  I read somebody's opinion here that Open BSD might be a
better OS choice, as it was audited.  I don't know what that might mean
in relation to an OS, but if it means to check that it is the OS and
nothing else but, then that would be a plus.

Also, it seems that we should definitely narrow the FrBx hardware down
to one, or very few, platform(s).  This would make the software easier
to maintain, and thus to keep rock-solid stability.  More importantly,
it would make the hardware audits that I'm talking about MUCH easier.

IMO, if a company fails us on the "don't be evil" front, they should be
off the "trusted provider" list for permanent.  But then I'm a bit of a
hard-ass when it comes to trusting giant multinationals.

I know there's a roadmap for the software.  Maybe we need a check-list
for the hardware, as well.

I promise I'll try to post something more upbeat and happy about
hardware and UX, soon.  Just not tonight.