Stallman’s One Mistake

We all owe [Richard Stallman] a large debt for his contributions to computing. With a career that began in MIT’s AI lab, [Stallman] was there for the creation of some of the most cutting edge technology of the time. He was there for some of the earliest Lisp machines, the birth of the Internet, and was a necessary contributor for Emacs, GCC, and was foundational in the creation of GPL, the license that made a toy OS from a Finnish CS student the most popular operating system on the planet. It’s not an exaggeration to say that without [Stallman], open source software wouldn’t exist.

Linux, Apache, PHP, Blender, Wikipedia and MySQL simply wouldn’t exist without open and permissive licenses, and we are all richer for [Stallman]’s insight that software should be free. Hardware, on the other hand, isn’t. Perhaps it was just a function of the time [Stallman] fomented his views, but until very recently open hardware has been a kludge of different licenses for different aspects of the design. Even in the most open devices, firmware uses GPLv3, hardware documentation uses the CERN license, and Creative Commons is sprinkled about various assets.

If [Stallman] made one mistake, it was his inability to anticipate everything would happen in hardware eventually. The first battle on this front was the Tivoization of hardware a decade ago, leading to the creation of GPLv3. Still, this license does not cover hardware, leading to an interesting thought experiment: what would it take to build a completely open source computer? Is it even possible?

A Thought Experiment

Although open source doesn’t really apply to hardware itself, would it be possible to build a computer where every single line of code is available? Is it possible to build a complete computer from only printed documentation and a keyboard? Yes, for varying values of computer.

Even simple computers can run Linux. [Steve Chamberlin] built a four-chip computer based on the 68008 that runs a very old version of Linux.
We can start with the simplest case, the most basic computer anyone could possibly build. Fortunately homebrewers have this type of build on lockdown. The simplest open source computer would probably be based on the 6502 CPU, with a few handfuls of RAM and ROM, tied together with 74-series glue logic. Video could be done with a Motorola 6847 video display generator, and input through a keyboard could be done with a 6522 VIA.

For software, there are dozens of options. Forth, Basic, and CP/M have been built for a computer like this. With just a few bytes in ROM, it’s rather easy to build a completely open source computer with everything – firmware, schematics, and all program code – open for inspection.

Starting at the bottom is the easy way to build a completely open source computer, but it doesn’t make for a good machine. WiFi is out of the question, serial ports are the best networking you’ll get, and any modern workflow is completely impossible. What about starting at the top and working our way down? Let’s extend this thought experiment to taking a modern computer and paring everything down until it becomes an open source, usable computer.

The Usable Open Source Computer

Intel is right out. The Intel Management Engine (ME) is a small coprocessor embedded in every Intel CPU made since 2006. This chip has access to the cryptography engine, the ROM, RAM, and the network. It is a complete computer by itself, and very few people know how it works. While it makes a perfect backdoor, it goes against every open source ideology, and won’t be found in a completely open source laptop.

Going even further back the Intel chip timeline, every x86 chip from the 8080 onwards contains microcode, low-level software that tells the circuitry how to behave for each instruction. Microcode is found in nearly every CPU architecture of the last 20 years with one significant exception: ARM chips.

The motherboard of Novena, the open source hardware laptop. source

[Bunnie], the engineer behind the Chumby and the original XBox hack, built himself an open source laptop. It’s called the Novena, and after three years this laptop is finally making its way into the hands of its crowdfunding supporters. The Novena is built on Freescale’s i.MX6 chip, a quad-core ARM Cortex A9 running at 1.2 GHz. This CPU does not have any microcode, and the entire datasheet and programming manual is available from Freescale without an NDA. There are very few powerful processors out there that do not require an NDA, making [Bunnie]’s choice of chips obvious.

Despite having one of the most open CPUs on the market, not all is Free in the Novena. Choice of WiFi card is very much limited because of binary blobs, and 3D acceleration through the Vivante GC2000 GPU cannot be used for the same reasons. Still, the Novena is the most usable open source and open hardware computer in existence.

That said, the Novena is just a motherboard, and a computer is much more than a piece of fiberglass and copper. There are hard drives, monitors, keyboards, and even webcams to consider.

Keyboards And Webcams And Hard Drives

If the goal of an open source computer is making yourself secure from attackers, you must consider everything attached to the computer. This includes peripherals, drives, and everything else that turns a large circuit board into a Facebook machine.

While the Novena might be the first usable open source computer, the peripherals are not. The recommended keyboard to be used with the Novena is a Lenovo keyboard, basically a Thinkpad keyboard repackaged into a USB desktop keyboard, torn apart, and thrown into a laptop chassis. It works, and until the mechanical keyboard community rediscovers Cherry ML switches, it’s the best we’re going to have.

Similarly, the best way to put a webcam on the Novena is through USB. This is a problem. In 2014, BadUSB came to the community’s attention, and it means we are screwed. BadUSB adds nefarious abilities to the microcontroller in any USB device, allowing an attacker into a computer over a spoofed Ethernet connection. As long as a BadUSB-infected keyboard or webcam is plugged in, the computer is at risk. Surprisingly, a BadUSB attack is one of the easier ones to counter with open source; building a USB keyboard is as easy as programming an Arduino, and building a USB webcam is possible with smaller ARM chips. To date, though, I haven’t seen many arguments for open sourcing peripherals in the light of BadUSB.
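A defender-side check for the case described above, added here as an illustration and not part of the original article: it audits the interface classes each USB device reports on Linux and flags a peripheral that enumerates as more than its role, such as a keyboard that also presents a CDC Ethernet adapter. The port-to-role map and the sample records are constructed assumptions; roles are pinned to the physical port because vendor and product IDs are self-reported by the device firmware.

```python
import os
from collections import defaultdict

# Interface classes each role may expose (USB-IF base class codes):
# 0x03 = HID, 0x0E = video, 0x01 = audio (webcam microphone), 0x09 = hub.
ROLE_ALLOWED = {
    "keyboard": {0x03},
    "webcam": {0x0E, 0x01},
    "hub": {0x09},
}

# CDC (class 0x02) subclasses that present an Ethernet-style network adapter.
CDC_NETWORK_SUBCLASSES = {0x06: "ECM", 0x0C: "EEM", 0x0D: "NCM"}


def read_sysfs(root="/sys/bus/usb/devices"):
    """Collect (interface, class, subclass) hex strings from Linux sysfs."""
    records = []
    for name in sorted(os.listdir(root)):
        if ":" not in name:  # interface directories look like "1-3:1.0"
            continue
        try:
            with open(os.path.join(root, name, "bInterfaceClass")) as f:
                cls = f.read().strip()
            with open(os.path.join(root, name, "bInterfaceSubClass")) as f:
                sub = f.read().strip()
        except OSError:
            continue  # device unplugged while we were reading
        records.append((name, cls, sub))
    return records


def audit(records, port_roles):
    """Return one finding per port whose interfaces exceed its assigned role.

    port_roles is an operator-maintained map (hypothetical for this example)
    from a port path such as "1-3" to a key of ROLE_ALLOWED. A port with no
    assigned role has an empty allowlist, so everything on it is reported.
    """
    by_port = defaultdict(list)
    for iface, cls, sub in records:
        port = iface.split(":")[0]
        by_port[port].append((int(cls, 16), int(sub, 16)))

    findings = []
    for port in sorted(by_port):
        role = port_roles.get(port)
        allowed = ROLE_ALLOWED.get(role, set())
        unexpected = sorted({c for c, _ in by_port[port] if c not in allowed})
        if not unexpected:
            continue
        # Name the network flavour when the extra interface is a CDC adapter.
        network = sorted({
            CDC_NETWORK_SUBCLASSES[s]
            for c, s in by_port[port]
            if c == 0x02 and s in CDC_NETWORK_SUBCLASSES
        })
        findings.append({
            "port": port,
            "role": role or "unassigned",
            "unexpected_classes": unexpected,
            "network": network,
        })
    return findings


# Constructed sample in the shape read_sysfs() returns; not captured data.
SAMPLE_RECORDS = [
    ("1-1:1.0", "03", "01"),  # keyboard: HID only
    ("1-2:1.0", "0e", "01"),  # webcam: video control
    ("1-2:1.1", "0e", "02"),  # webcam: video streaming
    ("1-2:1.2", "01", "01"),  # webcam: microphone
    ("1-3:1.0", "03", "01"),  # second "keyboard": HID ...
    ("1-3:1.1", "02", "06"),  # ... plus CDC Ethernet control
    ("1-3:1.2", "0a", "00"),  # ... plus CDC data
]
SAMPLE_ROLES = {"1-1": "keyboard", "1-2": "webcam", "1-3": "keyboard"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS, SAMPLE_ROLES):
        classes = ", ".join(f"0x{c:02x}" for c in finding["unexpected_classes"])
        print(f"{finding['port']} ({finding['role']}): unexpected {classes}"
              f" network={finding['network'] or 'none'}")
```

On a real machine, pass `read_sysfs()` instead of the sample records and list every expected port, root hubs included, in the role map.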

[Sprite_TM]’s hard drive hack from OHM2013
If keyboards and mice are easy to build under the auspices of open source, hard drives are not. Inside even the most basic hard drives are triple core controller chips that are nearly impregnable to any code inspection.

Nearly impregnable doesn’t mean impossible, and again, the hardware community lays the groundwork for an open source hard drive. At OHM2013, [Sprite_TM] gave a presentation on reverse engineering hard drive controller boards. While this is a project that has no precedent, it also has no antecedent; it appears no one really cares about the software that’s running on a hard drive. This is a little surprising, as the hard drive contains all the data on a computer. That said, you can now install Linux on a hard drive in the weirdest way you can imagine.

Stallman’s Solution

With the near impossibility of a completely open source computer, one has to wonder what [Stallman] uses. This is well documented. It’s an old Thinkpad loaded up with the Libreboot open source firmware. The drive in this computer is surely running proprietary code, and the laptop’s keyboard is a USB device that could be compromised.

It’s not an ideal solution by any measure, and this presents the largest obstacle to an ecosystem of open source hardware that matches the diversity of open source software. If anything, not considering hardware in the creation of GPL is [Stallman]’s one mistake. We’ll eventually get to the point where you can inspect all the code running on every peripheral connected to a computer, but it won’t be soon.

142 thoughts on “Stallman’s One Mistake”

      1. And those of us who work for the FSF and who also happen to just come from having (before seeing this article) an hour long conversation about hardware certification and free hardware designs with Richard Stallman, find this article to be conspicuously lacking in actually stating the thoughts of Stallman and the FSF when it comes to free hardware designs. I encourage people to read ‘Free Hardware and Free Hardware Designs’ http://www.gnu.org/philosophy/free-hardware-designs.en.html and to consider that our ideal solution and goal is not hardware that has proprietary firmware in use in secondary processors and peripherals but a begrudging acceptance of using those nonfree firmware components until they can be replaced with free software. We want computing devices in which all designs, code, and documentation are distributed under free licenses. And, further, the GPL does take into consideration free hardware designs to a certain extent.

          1. That is fine — I’m certainly not going to try to convince you to care about Stallman or what he has to say. But, if that is your position, then why go to a discussion thread on an article that is framed around the notion of “Stallman’s legacy”? I engaged in the discussion thread because I felt it was misrepresenting Stallman’s views and the views of the FSF and I wanted to provide useful information in that context. Why are you here?

        1. HEY YOU!!!
          If Brian said Stallman said something, or didn’t say something, then that’s what happened! Brian has spent decades designing fully open source computers from scratch. Didn’t you know that Brian has Richard Stallman’s personal phone number and talks with him on a daily basis! I bet he’s on the phone with him right now! They are practically best friends! I’m sure if Brian was actually able to grow a real beard then they would be beard buddies too! WHO ARE YOU trying to say you actually know what you are talking about because you are actually involved in the subject the article in real life. Quit treating Brian like he’s just some guy with a liberal arts degree and show some respect for a real tech pioneer!

          Keep up the great work Brian. Let me know when your fully open source computer is ready so I can buy one on Kickstarter.
          Love,
          AC

  1. The i.MX6 isn’t completely open source with respect to firmware. It contains a boot ROM that hunts for a boot device, loads the boot image, and does some early peripheral init based on parameters in the boot image header. To my knowledge there isn’t any source provided for this image. Unlike, say, the HC11 serial bootstrap ROM which has a commented assembly listing in an old Motorola appnote.

    Of course if you want to be really pedantic about ensuring your computer is fully vetted, you must first create the universe…

    As for Cherry ML, they are excellent. They have a feel similar to the revered Cherry MX brown switches: not clicky but a tiny bump at the actuation point.

    NOS prefab ML keyboard modules with headers for matrix scan are fairly cheap on eBay, as are USB and PS2 keyboards built around them. But the mechanical keyboard nuts won’t touch them because of audiophool-grade imperceptible quirks and the MX-incompatible key stem that won’t accept $500 custom skull keycaps forged by the ancients from the rarest of plastic.

    1. For the FSF the boot rom doesn’t matter, as long as it cannot be updated by the user. Of course this is a bit hypocritical. I guess it also makes the truly free systems somewhat less secure in the sense that you cannot upgrade if a bug is found in the rom (not really applicable to the iMX6 bootrom, but very relevant for a cellular baseband).

      1. This is not true. The boot ROM matters. We want such firmware/microcode/etc to be released as free software and for it to be user upgradeable. It is true we do not draw a line and say that all firmware in all places must be free software or else we will reject the use of that hardware altogether. For us to continue using computers as an organization and to allow the creation of free software to continue it would be almost impossible for us to set a requirement and expectation that all non-upgradeable firmware and microcode be free software. However, a lack of such boycott does not imply we do not care about the creation of free firmware/microcode at all levels and that is run on all processors in a given computing device.

        1. The problem with any user upgradeable firmware is that it could also be replaced by malware. Firmware encoded as a masked ROM or in a write once PROM is safe from any tampering that could be used to compromise the security of the computer.

          1. While such a firmware ROM can not be used to store the malware, the firmware can still have (obviously unfixable) bugs or backdoors that allow easy access for malware writers, evil government agencies, and anyone else.

          2. I disagree.

            One of the advantages of getting down to hardware components is you can insert hardware measures against changing things (like the BIOS jumper in your computer). You’re assuming that the firmware can be changed at any time by software running on the computer. If you add a jumper that must be physically changed, then the task for malware to overwrite firmware becomes massively harder, as the user has direct control over when the firmware can be changed, and under what circumstances. Just because something can be changed, doesn’t mean it can be changed.

  2. You didn’t touch on the chemistry and manufacturing processes not being open-source (the most valuable are probably trade secrets). And why wouldn’t you find a crypto chip in an open-source laptop, freedom loving hackers still want to be secure and having uncompromised crypto is a big key to this.

    1. The other irony is that Open Source hardware would simply not be possible without patents. Otherwise the hardware would be forever a trade secret, since you couldn’t prevent competitors from selling clones by slapping them with a lawsuit. The only way to make -any- money would be by keeping it all a secret.

      The tradeoff of seeing what goes into your computer is that you can’t legally do anything with the information.

          1. False. I can build a copy of Apple’s iPhone straight from their patents and they can’t touch me, even if I publicize it and the designs (anonymously). Who copyrights circuits anyway? Stupidest thing I’ve ever heard. That’s like copyrighting your recipe so nobody else makes your cake.

          2. You can’t exactly copyright a circuit other than the actual artwork and the layout. If both of these are done differently while keeping the electrical connectivity, there isn’t much they can do about it. On the other hand if you copy the CAD files and make a PCB from their gerber, you are violating the copyright.

            Patent is a bit different as it deals with ideas or ways of solving a problem. The whole point of a patent is about disclosure (vs a trade secret). You can build a lab sample for yourself for educational purposes without violating the patent law. Not like a patent filing has that level of details any more.

          3. I’ve read some patents and most of the time they don’t really explain how to replicate, but what is considered a replica. Nice for inspiration, but useless even when expired. Patents for mechanical parts often include useful cad renderings, but products have hazy descriptions in legal slang…

          4. You have to read all the citations etc. and any research papers published in the years before them that contain keywords or common authors, they are not cookbooks.

      1. Open Source hardware doesn’t need patents, there’s nothing to stop anyone making their own versions, “competitors” or not. It’s more of a cooperative idea. Arduino would be useless if it was patented.

        As far as proprietary stuff, patents stop Open Source from cloning it anyway. Sure, patents eventually wear off, which is better than a secret, but then companies are free to keep secrets as well, whichever method they think works best. They risk being unable to act if their secret is found out, but that’s for their own judgement.

      2. The obvious reply is that Stallman isn’t interested in anyone’s ability to make money, individual or corporation. He thinks everything should be free-as-in-beer as well as free-as-in-liberty, and we should all be paid for our labor under what amounts to a communist system.

        1. His point, well, one of them, is that software isn’t like most products in the past. I can copy your software and we both still have software. I can’t copy your bike, your house, your TV set. Software is something you can take without depriving anyone of it.

          I’m not aware of any statements he’s made regarding physical chattels.

          1. Software is like an industrial process.

            It’s a tool for some end, where all the cost is in coming up with and implementing the process. The process itself is not valuable – the product of the process is. In a similar way, the software itself is not valuable, but what you do with it.

            But in the same way as an industrial process has to be protected by patents or else your competitor snags it and beats you to the market – leaving you with the cost and none of the profits – software has to be protected from copying by -something- or else there’s just no sense in going through the effort of making it.

            If you come up with a program to let’s say calculate someone’s taxes, and you make your business to help calculate people’s taxes, then I can come along and copy your program and steal your customers by offering the same thing a dollar cheaper. How’d you like that?

            Of course you can do it for free, or if some company hires you as their private programmer and makes you sign a stack of NDAs, but other than that there’s no reason to sit in front of the computer from 9 to 5 making a spreadsheet program or a video game for the ordinary people – because you’ll be starving in the end.

    2. I can think of one reason being the conflict between “crypto chip” and “uncompromised”. Chip manufacture is still in the hands of megacorps, particularly the sort of VLSI and whatever comes after VLSI that’s required for stuff like that. Megacorps aren’t trustworthy to start with, they have their own interests. Add in the government spooks either forcing them to put backdoors in, or the idea appealing to business anyway, and I wouldn’t trust them with my freedom, if I were doing something they really didn’t want me to.

      Still, far as I know FPGA hardware can’t tell if it’s being used for crypto. It’s *possible* for FPGA development software to perhaps recognise some crypto processes being compiled in, and add a backdoor, but it’d be ludicrously complicated, and hiding it from other tools puts it well past being practical. Although it’s not like there isn’t enough money and Powers That Be who could push for it. That said, divining a programmer’s intention from code is a lot of decompiling, and that’s still barely useful, requiring very skilled hands to get anything out of it. So compiling your own FPGA crypto might be OK.

      That’s if you can’t afford to just wait while it’s done in software, where you have the source code. That’s pretty good and I think I’d trust that even if I was some “enemy” country. More and more powerful CPUs make this easier, and real-time crypto for some processes is possible.

      The hard drive controllers are a worry, particularly since Sn*wd*n (I think) tipped us off that They have attacks already that use that vector. Still, hard drives use known principles, would perhaps take a small team with enormous brains not too long to be able to roll their own, reverse engineering existing hard drives. They must all use the same basic principles, even between different storage methods (ie GMR and the like). If I really cared I might do it in some country not allied with the West’s spook-friendly corporation-ruled intellectual property laws.

      I wonder if you can be charged for reverse engineering you did in another country, if you then move back to the West? Or would China, say, have to extradite you to prosecute you themselves? Which they’re unlikely to do, of course.

      I think probably HD controllers are the next big thing that needs addressing for a truly trustworthy computer. Still, flash chips are much easier to control, and use, could be sticking a few flash chips on a board and writing your own block-level interface would be fine for an OS to use.

  3. It is the second time you name “The Intel Management Engine”… would anyone be so kind to link some good reads about it?
    All I find is Corpo Capitalized Confusing Names and Technologies™

    1. I figure that you could build a system where all your interfaces are wired up to FPGAs and the end user could choose what processors they want to be burnt on the FPGA. Oracle has released an LGPL version of the SPARC T2 core (8 cores / 16 pipelines / 64 concurrent threads) so there is something pretty powerful already. With the wealth of projects out on OpenCores, you have a pretty good starting point for customization, and with a project like this, the number of projects on OpenCores could grow exponentially as developers build bigger and better cores.

      Imagine the developments that could happen if everyone had a system where nothing couldn’t be changed. Don’t like the way SATA works? Just re-use the port and build your own protocol. Graphics chip doesn’t support the latest version of OpenGL? Just grab the latest VHDL file for the GPU and reboot your system. Don’t like the CPU architecture? Just swap it out with something new. Hell, with some engineering, you could change your CPU on the fly and have your application cores change based on the task they are doing, such as removing unused instructions and adding optimized instructions as needed.

      As for Wireless cards and other such peripherals, all it would take is an FPGA with a couple DSP cores to roll your own, and with programmable clocks and adjustable antennas, you could support whatever protocols you want (or start making your own).

        1. What CA is describing does not require an “open-source” FPGA – FPGAs are already the most open hardware architecture in existence. And better yet: you don’t need a $100MM fab house to realize your hardware designs – just an FPGA dev board and the free (as in beer) tools the silicon vendors have spent the last 30 years perfecting.

          1. It’d be pretty hard to do that given how many possible ways there are to implement an encryption engine at the gate level, let alone the many different engines you can use. In software, identifying encryption routines can be done by looking for the section with the most math operations; not so much at the hardware level. There isn’t much difference between a media-acceleration routine (MPEG, JPEG, MP3) or a bus encoding / protocol acceleration routine, and an encryption engine. Besides, I would figure that people wouldn’t be implementing such things in hardware until after open-source tool-chains have matured enough (Although I would prefer people leave encryption to the experts rather than trying to roll their own)

    2. Ya, but RISC-V is an open-source instruction set (ISA) , not an open-source CPU. The way the CPU is organized is not necessarily open (free or whatever) even though you’re free to design your own CPU using this ISA.

          1. That’s quite dated. Stallman changes his mind. He’s adjusted and clarified his views over the years. Today, he has become outspoken in rejecting soda and recognizing how unhealthy it is. He sticks to tea now (mostly herbal I think).

    1. Yes Benchoff is setting too high a bar to be cleared, by faulting Stallman for his inability to predict the future. The only position Stallman and everyone can operate in is from a position that they can make suggestions. The creators of tangible items will always have the power to reject any suggestions.

    2. This stuff about publishing manufacturing techniques is hilarious. People really think they can manufacture an Intel chip in their bedroom or basement? With the current state of home-hacker work (using toner-transfer out of habit when photolitho is 10x better & easier) the idea of making even a single transistor on current scales with modern techniques is silly.

      Even making a 68000 chip is straight impossible without spending $10s of K on equipment, and by then you have to do so much fine-tuning on processes that anyone else’s recipe is basically useless. Making atoms obey is way harder than making bits do what you want.

      This point is one of the biggest disconnects I’m able to see between people that write software and people that build hardware. You can’t just magically conjure an FPGA out of thin air and command it to mine bitcoins; dozens of decades have gone into making them barely work at all. If/when we move away from silicon, this may change.

      Techno-anarchism is funny because you’d end up with computers from “The Matrix.” If big semiconductor cos go out of business, everyone gets stuck in 2015, and when our hot new i7s fail we’ll be stuck in the 90s.

      It should be noted that methods and procedures for semiconductor work are already available all around the web, as published by the guys who designed and made the chips as their day jobs. The plans are just not in a single place.

      1. Even if you had the gear and knew how to use it you still have the problem of sourcing materials, some of which are pretty tightly controlled. I think that as far as independent or DIY computers go you’d have more luck looking into some of the more exotic ideas from the 60’s that were viable but were set aside for economic reasons due to the development of the IC.

        It is an interesting thought experiment to try and work out what could be reasonably fabricated on a small scale and without access to exotic materials. Silk screened lead-tin (superconducting) cryotrons on ceramic supports are one interesting option. http://www.freepatentsonline.com/3234439.pdf There are some neuromorphic possibilities with these devices that haven’t been fully explored either.

  4. “every x86 chip from the 8080 onwards contains microcode”

    That is a strange sentence. The 8080 isn’t an x86 chip, and the 8080 had hardwired control logic. “every x86 chip since the 8086 contains microcode” would be more precise.

    1. No, but the x86 are 8080-compatible, I think even now they’ll run 8080 code. Unsurprisingly enough, the 8086 was an 8080 derivative.

      As for microcode, it’s not really software. More sequencing. It’s a choice in how you design CPUs, and using it as an attack vector would be equivalent, and just about as hard, as just doing a bit of rewiring on any other chip’s design. The hardware, and instruction set, of a CPU, very much limits and defines the microcode, there’s only really one proper way of doing it. Not like software where you have a freer hand. Software is a bit of an art, microcode is definitely engineering.

        1. What, you personally? You can do what you like with a CPU if you’re manufacturing it yourself. Microcode or not.

          “LOL”. Did you laugh out loud? Really? Next time why not attach it as a small WAV, so I can tell what kind of humourous reaction I provoked.

          1. I often LOL when I read your comments, when it is obvious you are just being narcissistic and don’t actually know what you are talking about, but thanks for your “expert” opinion anyway, LOL!

            If you don’t “own” the microcode you cannot be entirely sure what your CPU is going to do with instructions, a microcode update that is correctly signed could change your CPU so that some obscure instruction behaves completely differently, including jumping to an area of memory that can be seeded with malicious code, just enough code to install a BIOS level root-kit, then after that reboot and it is game-over.

            CPU’s (some) passed the billion transistor count ten years ago, yeah that long ago, so tell me how a human could audit all that logic, even if they had the information, to be sure that all possible working permutations of the microcode store did not allow for a backdoor?

            The question of if the average user should even care about this is completely different from the question of if the potential risk exists. Most people need not care, they run operating systems full of holes anyway (LOL), but the theoretical risk is real so stop telling lies.

          2. Well, I’m stunned. I’ve just found out that Intel make CPUs where the user can update the microcode. This is such a stunningly stupid idea I’m surprised to find out anyone would do it.

            So you’re right, yes, if you can add new instructions you can do what you like.

            Silly me thought they’d have the microcode as ROM, and just rely on getting it right before they made the chips, and rely on software patches if there’s any F00F-type bugs.

            This shipping shit half-finished is getting more common, especially since we’re all expected to be online all the time and able to get at stuff like that. It’s bad enough when companies ship unfinished software, and iron the bugs out months after release, this even happens on console games, which used to be burned into ROM or a CD. Oh well, another hole to worry about.

          3. There’s lots of shit I know, and some of it, if I’m pretty sure of, I’ll share. But I don’t keep up with everything, so sometimes it’s out of date. For a long time microcode was fixed, and I think that was a good thing. That Intel would open up such an obvious attack vector, so now malware can fuck your hardware too, is something I didn’t see happening, and haven’t heard about. Or perhaps I did, then forgot.

            There you go.

            I’ve no idea who you are, and I haven’t followed you round Hackaday trying to throw little digs in. I’m secure in myself. I’m loved, and respected, by people who know me. Sometimes I fuck up. I don’t find that particularly shameful, or hilarious.

            So there you go, ROFL on, dickface.

    2. “every x86 chip from the 8080 onwards contains microcode”

      This is misleading at best, and flat out wrong at worst. The article implies all microcode is accessible and upgradable – but upgradable microcode came out with the Pentium Pro in 1995. (see http://imgur.com/zmobAmz ). Intel had to spend a lot of $$ physically replacing Pentiums before that which had glitches.

  5. Thanks for the article. Having heard Stallman at a conference, I wanted to point on something that might require further clarification, and maybe even a full article. This article is about Stallman, and yet you employ only the term “open source”, I guess he would strongly disagree with that. He began with “free software” and sticks with that term today. I think you should mention at least once his part in the foundation of the free software movement, and then talk about open source.

    From wikipedia [1]:
    However, Richard Stallman and the FSF harshly objected to the new organization’s approach. They felt that, with its narrow focus on source code, OSI was burying the philosophical and social values of free software and hiding the issue of computer users’ freedom. Stallman still maintained, however, that users of each term were allies in the fight against proprietary software.

    [1] https://en.wikipedia.org/wiki/History_of_free_and_open-source_software#The_launch_of_Open_Source

    On the hardware part, I think I heard him mention that you can release hardware in the “free software spirit” under the GPLv3 as this license should cover hardware matters. But I am clearly not an expert on license issues.

  6. Stallman’s one mistake? I’ll add one to the list of ones. How about creating conditions under which code signing violates GPL? Which is more important to actual adoption of open source software, ideological purity regarding the compiled binary matching the source code, or the ability of end users to seamlessly get integrity checking during distribution and launch of executables? How about just decent security for end users by having a signed trust chain in general? Nearly impossible under GPL. It’s a train wreck.

      1. That’s not what it’s for. The point is at least you can trust that the person in question really did sign it. Whether they themselves are trustworthy is a much more complicated problem. Code signing is meant to keep out unauthorised software, either viruses, or if you’re Sony, people who aren’t paying you a fee to write games on your console. Or if you’re Microsoft, people who aren’t paying a fee for your console, and also any competing office software you might want to lock out from your PC operating system. Although that’s not coming for a couple of years.

  7. “It’s not an exaggeration to say that without [Stallman], open source software wouldn’t exist.”

    I hate when people say something to that effect, the implication that the lack of a creator is the lack of a creation. Sure, he was an important man for the open source movement, but it’s ridiculous to think that the idea of open source software was inconceivable to anybody but him.

    /pedanticrant

    1. I came down here to say the same thing, but now I’ll just +1 you. The mistake is widespread though. Same, nay much worse, with regard to “corporate heroes” like Zuckerberg, Gates and Jobs. It is the central myth of contemporary capitalism that those who make it to the top are godlike and that no one else could do what they do.

      1. Yup, some cunt other would have.

        In the case of those three “heroes”, their skill was in business, their products are all pretty awful, or at least horribly overpriced in the case of Jobs. Who was also a complete cocksucker to his fellow human beings. Zuckerberg fucked his friends over, Jobs ripped off Woz, I dunno about Gates. Though his business success is largely through breaking laws, and being predatory, monopolistic, and thoroughly dishonourable.

        Now Microsoft have laughable chair-throwing inadequate Ballmer in charge. Not really like the heroes of the past, are they?

        1. Gates lied to MITS when he said he was already working on a BASIC that would run on their Altair computer. Instead of developing an operating system for the IBM-PC from scratch, Gates first bought a license for 86-DOS from Seattle Computer Products for $25,000, then later paid another $50,000 for exclusive rights. When SCP discovered that Microsoft had bought 86-DOS to rework for the 8088 (SCP wrote it for the 8086) to sell to IBM for really huge money they sued and won a million dollar settlement.

          If not for SCP, IBM very likely would have waited on Digital Research to get CP/M-86 ready for prime time – and the PC computer world would be completely different now.

    1. Unlikely – the problem is that such a computer is of at best academic interest to a few people. The rest of us actually have work to do and couldn’t care less whether or not some firmware is open sourced or not.

      Yes, it is a problem from a security point of view, but from the practical one it just isn’t going to happen – way too much technology is locked up under restrictive licenses and trade secrets with no reasonable replacements in sight nor being feasible without enormous investments (anyone fancy an open source chip fab? Or FPGA?).

      1. I don’t see why it’s any more academic than the entire OS. I don’t personally audit every line of code my computer runs; I trust the distribution team to pick from known projects, each of which specialize in their one area (well, before systemd). The CPU could be treated the same way, the major company releasing a CPU and the verilog/VHDL/whatever that designed the core. Someone could sit down with a compiled version of the code and make sure the gate layout matches an X-ray, someone else could read through the pipeline to make sure it’s working right, while someone else handles the crypto chips; and so on.

        Or put together a team and build the CPU the other way around, perhaps starting with an ARM license. If I win the powerball $1.5B tonight, I’ll start hiring a team to do just that.

  8. Lol? No? OpenRisc running Linux is so much more open ;) I even made an open graphics accelerator for it (orgfx) as a thesis work. It requires an FPGA that is not that open but still.. you are free to roll your own ASIC ;)

  9. > until the mechanical keyboard community rediscovers Cherry ML switches, it’s the best we’re going to have.

    Nonsense. First, have you ever used Cherry ML? They feel like the worst membrane keyboards out there. I have G84 and it’s pretty much unusable. Second, replacing the PCB of a keyboard with your own circuit board is trivial, even for a laptop keyboard. Add a bunch of diodes and a 32u4 if you want USB, or better, connect it to your main board through GPIOs and simpler protocol, and you are done.

  10. It is an interesting question, how far back in time do we need to reach to find enough technology to create a completely open system from components that are still readily available now? It would seem that even the CPU without microcode is still enough of a black box that it could potentially respond to an undocumented (and complex enough to avoid accidental detection) instruction sequence. Has anyone actually decapped and checked every single core of the i.MX6? I’m not suggesting you will find anything nefarious, but as a matter of principle the question needs to be asked. So how fast a computer can one build now if the instruction decoding section is completely open, possibly discrete components?

  11. The m68060 is superscalar and has a fully hardwired, microcode-less design. It’s well supported by BSD and gcc.

    If one wanted to continue this thought experiment, BadUSB wouldn’t matter unless the USB device had other ways of communicating with the rest of the world. Nobody says an OS has to care about any device that gets connected to it, so if the computer is only configured to allow a USB keyboard to connect, then who cares if the keyboard pretends to be a USB-ethernet adapter? Just ignore it, or better yet let the end user know and otherwise ignore it.

    Disks are a little harder, but that’s not too tough – set up two separate data channels, put a drive on each from two different manufacturers, then mirror the two with one drive having the data negated. If the bootstrap loader is loaded from PROM (the ones where you can literally see the bits with a microscope through the little window) which sets up disk I/O, then either the drives would have to have identical backdoors which are smart enough to look for certain patterns both in regular data and negated data. If the data ever differs between the two drives, you know something’s not right.

    Or, better yet, encrypt the data and have the decryption routines in the PROM chips with the windows.

    These aren’t just useless thought experiments – exploring various possible ways of compromising machines helps look for places where we shouldn’t necessarily assume things are secure. Look at the “cloud” – it introduces many more attack surfaces, yet people somehow have bought the Kool-Aid and think everything should be put in to the “cloud”.
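Added example (not part of the comment above or of the original article): a Python simulation of the mirrored-and-negated disk layout described in comment 11, with a read path that flags any block where the two copies are not exact bitwise complements. The `Drive`, `PatternTamperingDrive` and `NegatedMirror` classes, the block size and the sample blocks are all constructed for illustration; as the comment notes, the check only catches divergence between the two drives, not identical changes made to both.

```python
BLOCK_SIZE = 16  # constructed block size, small so the sample data is readable


def negate(data):
    """Bitwise complement of every byte (the 'negated' copy)."""
    return bytes(b ^ 0xFF for b in data)


class Drive:
    """In-memory stand-in for a block device (hypothetical model)."""

    def __init__(self, name):
        self.name = name
        self.blocks = {}

    def write(self, lba, data):
        self.blocks[lba] = bytes(data)

    def read(self, lba):
        return self.blocks[lba]


class PatternTamperingDrive(Drive):
    """Models a drive whose firmware alters any block containing a byte
    pattern when it is read back. Used only to exercise the detector."""

    def __init__(self, name, pattern, replacement):
        super().__init__(name)
        if len(pattern) != len(replacement):
            raise ValueError("replacement must keep the block length")
        self.pattern = pattern
        self.replacement = replacement

    def read(self, lba):
        return super().read(lba).replace(self.pattern, self.replacement)


class MirrorMismatch(Exception):
    """Raised when the two copies of a block are not bitwise complements."""

    def __init__(self, lba, offsets):
        super().__init__(f"block {lba}: copies disagree at offsets {offsets}")
        self.lba = lba
        self.offsets = offsets


class NegatedMirror:
    """Writes each block as-is to one drive and complemented to the other."""

    def __init__(self, plain, negated):
        self.plain = plain
        self.negated = negated
        self.lbas = set()

    def write(self, lba, data):
        if len(data) != BLOCK_SIZE:
            raise ValueError(f"blocks must be exactly {BLOCK_SIZE} bytes")
        self.plain.write(lba, data)
        self.negated.write(lba, negate(data))
        self.lbas.add(lba)

    def _diff(self, lba):
        """Return (plain copy, byte offsets where a XOR b is not 0xFF)."""
        a = self.plain.read(lba)
        b = self.negated.read(lba)
        if len(a) != len(b):
            return a, list(range(max(len(a), len(b))))
        return a, [i for i, (x, y) in enumerate(zip(a, b)) if x ^ y != 0xFF]

    def read(self, lba):
        data, bad = self._diff(lba)
        if bad:
            raise MirrorMismatch(lba, bad)
        return data

    def scrub(self):
        """Check every written block; return {lba: mismatching offsets}."""
        report = {}
        for lba in sorted(self.lbas):
            _, bad = self._diff(lba)
            if bad:
                report[lba] = bad
        return report


def demo():
    """Constructed scenario: drive A alters blocks containing b'root'."""
    suspect = PatternTamperingDrive("A", b"root", b"r00t")
    mirror = NegatedMirror(suspect, Drive("B"))
    mirror.write(0, b"user=root;uid=0\n")   # constructed sample block
    mirror.write(1, b"user=alice;id=7\n")   # constructed sample block
    return mirror.scrub()


if __name__ == "__main__":
    print(demo())
```

When the pattern-matching drive holds the negated copy instead, it never sees the plaintext pattern, so nothing is altered and the scrub comes back clean.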

    1. For the Bad USB phantom Ethernet adaptor, the problem is it can send stuff to the host that makes it behave in a certain way. Sure you could just disable it, IF you’re smart enough to be aware of it. Which is just geeks, really, I bet even most government workers and others who handle confidential information know nothing about good computer security practice.

      As far as hard drives, it’s not the PROM that’s the problem (and to write enough code to drive one, in a PROM, where you could see the bits, would need a PROM the size of a dinner table. Probably.), it’s knowing what software to write in the first place. The hardware is undocumented, and the software doesn’t have to stay the same (but probably does stay substantially similar) with each new model, and especially with each new advance in hardware. It’s knowing WHAT to write that matters!

      Far as I know the flash on HD controllers is rewritable from the host, there’s the odd case of people downloading updates for their hard drive’s internal software. So if you had some code, you could rewrite it. Although you’d need to read the code that’s there, to understand the hardware, which isn’t supposed to be possible (even though it sometimes is, if you’re a Dutch genius). I think an open hard drive BIOS would be a good idea, but I wouldn’t want to have to support the million variations you’d need, and there’s so much potential for trouble, an HD controller needs to be rock-solid or else the whole system topples.

      Maybe an OSI-style stack would make the problem more manageable, having SATA comms as one module, block management another, actual head reading one more, etc. It would still not be something for your grandmother to deal with though.

      It’s also possible HD controller software is signed. Although the existence of proof-of-concept viruses and known spook backdoors might mean that most aren’t. Still that’s not insurmountable, just means you’d need a high-voltage programmer rather than just asking the drive nicely. Or you could always just desolder and replace the whole chip.

      Still, it’s a lot of hassle. Flash chips would be a lot easier. Until perhaps a government wants backdoors in those, although their many and varied uses might preclude that.

      1. Since the early 21st century, hard drives have a built in secure erase function. It triggers when a built in password removal backdoor is used. There’s a small program, not maintained for some years, that will set it off.

        It works by first checking the drive for a password. If there is one, it removes it to trigger the secure erase. If the drive does not have a password, it sets one then removes it.

        No way yet that I know of to remove the password without triggering the secure erase.

  12. Mistake:

    “… then either the drives would have to have identical backdoors which are smart enough to look for certain patterns both in regular data and negated data” or the data would be different and therefore could be flagged as nefarious.

    1. HEY YOU!!!

      (Please see above rant under first post)

      Love,
      AC

      ps…. Joshua, Thanks for doing what you and the other FSF guys do. Sorry about Brian. We are all waiting for his next article titled “10 questions that will tell you what kind of microcontroller you are most like”.

  13. Put me in for an open-source RPN pocket calculator. Not an Android app, I need the tactile feel of hard plastic buttons. Ever since the HP-15C, which was before my time but reputed to be damn near perfect, every HP calculator has gotten some things right and some things horribly wrong. I’d love to decompile the firmware and make a few modifications, but it’s all locked up.

    1. You could probably knock one up with an Arduino. Or even, if you’re good, hack an actual calculator up yourself, any microcontroller should be able to do RPN at least, there’s bound to be one that can handle whatever the HP-15C does. Driving an LCD native isn’t too hard in theory, at least a 7-segment one, just low-voltage AC at around 100Hz. There’s information about on the web. If you’re skilled you might be able to replace an HP calc’s controller chip.

      Aussie Dave made his own calculator watch. MPUs are so easy to program nowadays you could paste in standard examples for mathematical functions in C.

  14. > It’s not an exaggeration to say that without [Stallman], open source software wouldn’t exist.

    Yes it is. The GPL was in ’89. The MIT license first appeared in ’88. Even before that, people gave code away without any licensing, just read the history.

    Stallman is really not a great figurehead for open source. Sure he’s done some awesome stuff, but he’s also kind of obnoxious. (You have to admit it. Saint IGNUcius? Really?) Worst of all, is the sexism he’s displayed in the past. Search for “Emacs Virgins” for example. That’s a deal breaker. We need more women in computing.

    One last thing, a plea to my fellow programmers: please don’t use the GPL, or even the LGPL. Especially for libraries, it’s a nonstarter. Viral licenses are just stupid. Real programmers use permissive licenses.

    1. “Worst of all, is the sexism he’s displayed in the past. Search for “Emacs Virgins” for example. That’s a deal breaker. We need more women in computing.”

      I think you have the wrong room, the Political Correctness Nazi Party are meeting in the room across the hall. —>

      If you want more women in computing you can start by convincing sufficiently talented females to make the required sacrifices to acquire the skills they need to compete then they can pick who they work for and with. That will sideline the small number of genuine pests that exist without demonizing the occasional social klutz.

      1. Funny, I made my sacrifices, got my skills, and still decided that I’d rather do something else rather than hang around the “boys only club” mentality that pervades the “hard computer science” corners of the internet and academia. To suggest that I’m not alone in being a woman interested in tech with skills, look at Lady Ada, Leah Buechley, the authors of Soft Circuits . . . and if you want to see the problems that women face in the tech industry, stop thinking that their stories of hardship are somehow part of a “Political Correctness Nazi Party” and listen when the ladies tell their stories.

        1. Or I could just talk to the successful ones who know how to deal with humans, whatever their particular flaws are. If you think that females are the only people sexually harassed in IT or business in general you are deluded. Many humans are predatory or judgemental, it is the nature of the animal. My daughter is actually very good at coding, for her age, and may well end up in IT, but I am raising her to compete on talent and effort alone, and punch as hard as anyone else.

          BTW at least my kid is actually related to the real lady Ada.

          1. I think you’re delusional if you don’t think there’s a problem. Every job I’ve ever worked at has been a total sausage fest. Why not try a little empathy?

            P.S. I don’t think Lady Ada had a particularly happy life. She was a woman living in the Victorian era, after all. She couldn’t even vote.

          2. I have empathy for ASD people who get demonised for political reasons when they are just socially retarded, but bloody good programmers and systems engineers. If the kids act up you separate them, you don’t start executing people (career wise) because it is a waste of human resources to do so. Don’t forget ASD is a disability, being female isn’t, so you should be careful who you discriminate against and how you undermine the principle of diversity by playing political power games.

            Read what I have actually posted above, and get back to me when you want to discuss the actual points I have made because I have no empathy for self indulgent idiots who think they are the centre of the universe and that nobody else has problems with how some humans treat them.

            For every female I hear moaning about “evil men” I know another who prefers to work with men because women can actually be far more psychologically abusive, especially in groups (even school girls). If you suggest that they can’t be like that you are, ironically, being sexist. Over decades of experience, at least in my country, I have seen nothing to suggest that a person’s sex was an indicator of how nice a human they were, or not.

        2. If there’s not enough women in the subject, it would be helpful for you to stick around and increase their numbers. As well as fighting your corner, so that things might eventually change. Of course arguing with people who are never wrong is challenging, but there’s ways of making progress. Think of it like bringing light into darkness.

          I can understand if you’d rather not be bothered with the arse-pain of it. But people generally change their minds more based on experience, rather than lecturing them (which I’m not saying you personally do).

          Jeri Ellsworth is massively respected among geeks, just because she’s got the chops. She’s BETTER at it than many men. That gets respect, anyone who doesn’t have respect for her has a genuine problem with women, rather than just being mistaken and inexperienced.

          1. are you referring to the urban dictionary definition or the 1930s/40s political party? i love the urban dictionary definition: it drives people absolutely nuts when used accurately and correctly to describe someone’s behaviour. the only down-side is that they can wiggle out by claiming you said they were a genocidal murderer… oh well….

        1. It’s a joke, not “commentary”. Jokes aren’t serious, they’re not what you really think. It was some awful nerd-pun about sex. He didn’t mean it to sound insulting, even if it did. Blame social incompetence, not malice.

          The “fascist” aspect comes in when you start to force people to act a certain way, rather than asking them to change their minds. Ultimately it doesn’t work, cos people resent it. If you’re right about something, ultimately persuasion works best in the long term. Doesn’t mean you don’t have to make a fuss to get noticed, of course. That’s how the Suffragettes got what they wanted, a mixture of reasoned argument and refusing to take shit. They didn’t lecture, they showed they had determination, and people came to respect them for that.

          Same with Stonewall, same with lots of things. Rioting and being right. Not trying to control people. Fighting your corner shows you have passion, shows you seriously believe in what you say. Lecturing is often the action of a dick who just likes bossing people about, it’s an ego thing, which isn’t honourable.

          You can tell the difference, Tumblr is an obvious example. If you show you’re honourable, serious, and genuinely aggrieved, people are more likely to listen to you. People like a brave, honourable underdog, they don’t like a jumped-up schoolteacher.

    2. > One last thing, a plea to my fellow programmers: please don’t use
      > the GPL, or even the LGPL. Especially for libraries, it’s a nonstarter.
      > Viral licenses are just stupid.

      no tim. this is a very subtle and dangerous plea that, historically, you will regret ever having been one of the people who made it. the libre software movement is fighting the consequences of pathological corporate greed in a very real way (see the film “The Corporation” if you do not understand this concept), and every plea like this and every piece of software released under a permissive license is a betrayal and a step backwards.

      the GPL and the LGPL encourage cooperation and collaboration instead of competition, secrecy and greed. BSD and other permissive licenses were created during a time of trust when *everybody* released the source code (and even the hardware schematics of products). that trust has been betrayed by companies like Apple (who stopped releasing the BSD-based source for their kernel a few years back) and Microsoft (whose MSRPC and TCP/IP stack are all based on BSD-licensed source code, at the very least).

      i’ve been working with software libre since 1994, now. i was the key reverse-engineer who brought Samba its NT Domains interoperability, and also reverse-engineered Exchange 5.5 and MAPI so that companies world-wide could save billions in proprietary licensing fees and avoid the polarising trap between the W32 and POSIX worlds. do you REALLY think those efforts would have succeeded quite as much without the GPL? because i don’t. corporations would have taken the work that i did and created proprietary competing variants, and they would have carried on developing them and FAILED TO RELEASE CRITICAL IMPROVEMENTS AND SECURITY FIXES. in other words there would never have been a central location where the information and expertise was required, according to the license, to be the “canonical” reference implementation that everyone first goes to, to find out how to interoperate with NT.

      because of my background, i understand the critical strategic importance of the GPL in ways that the current generation of “superficial” free software developers simply fail to comprehend. such people i’ve even advocate that all free software projects should be converted to python or lua, that autoconf should be abandoned whole-sale, failing to comprehend that python is so low-level that it *has* to be implemented in c, and that it *has* to use autoconf as a way to ensure that it is cross-compilable on a huge range of platforms (including, amazingly, mingw32).

      yes i’ve heard the stories about dr stallman: yes i’ve heard some more stories privately from people that i will never repeat publicly. despite that: NO – i will never lose my respect for what he’s achieved, and i will stand with him – on the internet, not in person :) – and fight against the effects of corporate greed until i feel that the fight has been truly won.

      right now, my primary focus is on creating Libre Hardware that is RYF Certifiable: Software Libre right to the bedrock, just as this article endorses. you can help support that by financially sponsoring me to continue to develop products like the 15.6in eco-conscious Libre Laptop. http://rhombus-tech.net/community_ideas/laptop_15in/news/

      1. Keep up the good work! Yep, with businesses doing some incredibly shady things, some illegal, the fight to keep them from controlling software is important. Because software is important, everyone in the Western world relies on megabytes of the stuff every day, stuff in the things you use, and stuff keeping governments and businesses running.

        All businesses, when they get big enough, tend toward monopolism. They tie up markets, stopping real competition. Their rampant misbehaviour, lobbying or corrupting governments, and many other things, is a big problem right now. Not directly related to software, but software has a lot of power, and that should belong to ordinary people.

        Control over software is control over money, and people’s lives. Sure not everything you do has computers in it, but it does affect many choices you make. Understanding technology gives you power most people don’t have, and more freedom of choice.

        1. thanks for the support greenaum. to explain what my research and reading into corporations uncovered: the key is that the Articles of Incorporation pathologically and legally require the Directors to pursue profit to the absolute maximum extent permissible by law. this sounds fine in theory – mostly because “everybody does it” and “our entire western business culture norms of at least the past decade are based on the principle of Capitalism” – until you watch that film i recommended (“The Corporation”). then it starts to sink in.

          in effect, we’re living in the era equivalent to slavery. imagine being the first people to go “but slavery is inhumane!!” – what would the reactions of your friends and family be to that. they’d laugh at you, wouldn’t they? they’d tell you things like “don’t be stupid – everybody has slaves, and we know for a fact that they’re not human, so what are you talking about? are you ill, man? have you seen your doctor recently?”. people saying “BSD / MIT licenses do no harm, the GPL is against freedom! surely this is true!” are in that category – of not fully comprehending either the problem, the consequences, or the effect that their arguments might have, long-term.

          there’s a beautiful phrase from Professor Yunus’s book, “Creating A World Without Poverty”. professor yunus was the joint 2006 nobel peace prize winner: he started the Grameen (micro-lending) Bank. the phrase is that he describes “Corporate Social Responsibility” as actually being “Corporate Financial *IR*-responsibility”.

          to go through it logically: what takes absolute precedence? The Articles Of Incorporation. what takes precedence when a Director says “We Prioritise Our Corporate Social Responsibility”? The Articles Of Incorporation. therefore, by logical deduction, what can we conclude about a Director who says “We Prioritise Our CSR Policy For Your Benefit”? we can conclude that they’re either completely deluded as to their legal responsibility to pathologically enact the Articles Of Incorporation which require that they absolutely maximise profits over and above all other considerations… or that they are absolute flat-out lying through their teeth.

          classic example: google’s “don’t be evil” policy (now “do no harm” policy) – is a flat-out lie. it’s actually, “do no evil… except where doing no evil interferes with profit-maximisation”.

          so now you start to understand: Corporations are required BY LAW to ignore any kind of trust obligations that would result in returning source code back to the community. if it affects profits, they’re required BY LAW to not do it.

          there do exist legal frameworks where profits do not need to be maximised: in the UK there is “Community Interest Companies” – many Co-Operatives have converted to this – and in the USA there is the “Benefit Corporation” legal framework. both these frameworks have “non-loss” clauses replacing the “profit maximisation” clauses, so that as long as they are solvent, the Company may continue to legally exist. both may therefore LEGALLY pursue prioritisation of social, environmental or other considerations *AS LONG AS* they remain solvent.

          …. which still leaves us with profit-maximising corporations to deal with.

          the only way in which we can fix this is to work out ways to affect their profits. set up a “NANonymous” for example (yes pun on NAN intended) which targets their customer service divisions – nicely and politely – tying up EVERY SINGLE customer service representative on every single possible forum and phone they possess – draining their profits in a polite but persistent way, reminding of their legal and moral obligations to release source code.

          1. VERY much so! Not just articles of incorporation…

            If Company A does some evil thing, but it increases their share price, Companies B and C have to do the same thing. Because if they don’t, their share price will suffer, people will sell B and C to buy A, and eventually B and C will die. It’s not good enough to just make a profit, you have to make the most profit, or at least people have to think you will. A publicly traded business cannot sacrifice profit for any reason.

            People don’t buy shares in companies based on their virtuousness or social responsibility, at least most don’t. And shares are traded by computer programs more and more anyway. A company is just 4 letters on a list, the greater details mean nothing.

            Publicly traded companies have to chase profit above all else. They have no choice. Ethics are only possible if they’re free, or if they generate enough PR to increase share prices that way.

            It’s not just the fault of corporate psychopaths (although that’s suspected to be a major cause!), it’s the system itself. It’s innate. It’s not enough simply to be profitable, profits have to increase, constantly, which means all sorts of horrible schemes end up implemented. Apparently there’s not many ethical ways of making money.

            Anyone who talks about corporate responsibility, social or environmental, is selling you a pig in a poke. Corporations CAN’T be ethical, if it’s at the expense of profit. It’s impossible. This is why we need regulating forces, ie government, to act in the interest of the people. And of course corporations are going to try sneak round them, and lobby, and corrupt. It’s only to be expected. It’s as much a force of nature as it is malicious, you can’t just blame bad apples, it’s the nature of the whole system.

            Which means that corporations, powerful and rich as they are, are going to lobby politicians, many of whom are rich corporate men anyway, to remove regulations. And they are going to say anything that might get them results. They’re going to plead, and cry about unfairness and how it’s costing jobs, and all the other shit. Because they have to do whatever works, to increase profits. They have no choice.

            Which is why we really, really, shouldn’t listen to them! “We” as non-corporate, flesh-based citizens who aren’t millionaires, that is.

      2. Superficial? You wound me. Well, I’ve written a couple thousand lines of M4 if that helps. But I do like Python and Lua, too, oh well.

        I might be a little mainstream, but I work for a company, and my company sells hardware and software. It’s… proprietary! And I’m totally ok with that. They have a right to create something and sell it. I believe they also have a right not to hand you the schematics, source code, etc, if you buy it. You can always buy something else, or make it yourself.

        And I think that’s what open source is all about, building software. It’s not about some weird utopia where money doesn’t exist. When I write open source software it’s for two reasons: I wanted to write it anyway, and I don’t mind giving it away. I don’t care if someone uses my library and doesn’t open source their code. It’s their code, they should do whatever they want with it. I don’t care if someone improves my library and doesn’t send a pull request. It’s their decision because it’s their code. (It might be a bad decision for them, but it’s still their decision.)

        1. That would be reasonable, in an ecosystem where everyone’s reasonable and well-behaved. Unfortunately big companies act unfairly, in ways that are bad for everyone. They try and cheat the intentions of the people who created the software that they use in their products (ie Linux, Busybox), by getting around restrictions, meant to increase the sharing of code, in clever ways. Free software is a way of fighting back.

    3. Maybe Stallman’s a bit weird socially, and doesn’t quite get what you’re not supposed to say to people. Sure there’s plenty of Star Trek fans are worse. It often goes with the sort of brain that does well with technology but not with social conventions. I dunno why, but I think it’s obvious it exists.

      So maybe he said something stupid, as a joke. Doesn’t make him evil. And I don’t think he hates women, or thinks they’re unintelligent. I also can’t think of any women I know that would let some beardo somewhere saying something like that, put them off a career in technology, they’re just not that sensitive.

      It doesn’t make him evil. A bit of a dork, maybe, yes. But his principles are good. There’s plenty of plain bastards out there, who know the right thing to say all the time, they’re more destructive to society.

        1. Well, he knows his subject, and he’s passionate about it, they’re two good qualities.

          Sure he might be a bit of a sped. But that’s actually preferable, at least you know he’s not lying, he’s speaking from the heart. Of course people say that about Donald Trump, but the difference there is in the content of what he says.

          I think weaknesses like that make someone more trustworthy. You know he’s a dyed in the wool geek, you know he loves his subject and it’s something he knows a lot about. He’s not some dishonest spin-doctored fucker, like practically everyone else you hear from in public life. He’s probably incapable of telling a convincing lie.

          That, and while I support much of Germaine Greer’s idea of feminism, there are plenty of Dworkin-style who are on the prowl for something to complain about. Seemingly just advancing their own career and ego, and support from other empty barrels to whom logic is a stranger, as well as an oppressor and a rapist. People like that are gonna complain anyway, you shouldn’t let it affect anything that matters.

          1. > He’s probably incapable of telling a convincing lie.

            dr stallman is nothing but literal-minded. if you could patiently explain the concept of “lie” to him, then justify to him that telling the lie did not interfere in any way with software freedom, you MIGHT be able to get him to pull it off. however, i’m fairly certain that the level of patience required to have such a conversation with him would drive you completely nuts :)

  15. funnily enough, the creation of a 15.6in eco-conscious Libre Laptop is exactly what i have been working on for just over a year, now. the keyboard is implemented using an STM32F072 with 8×16 matrix scanning. the processor, memory and storage is on a separate removable module, a standard created specifically for the purpose, known as EOMA68. there are two CPU Cards in active development: one is EOMA68-A20, the other is EOMA68-jz4775. the first is a dual-core 1.2ghz ARM Cortex A7 (the A20 from Allwinner), the second is entirely FSF-Endorseable: an Ingenic 1.2ghz MIPS processor called the jz4775. the source code for the casework is GPLv2 and is available *right now* for anyone to 3D-print their own laptop case or adopt it for any other project. the source code for the STM32F072 firmware is GPLv2, uses libopencm3, and is again available *right now*. if you’re interested you can follow the projects here:
    http://rhombus-tech.net/community_ideas/laptop_15in/news
    http://rhombus-tech.net/allwinner_a10/news/
    http://rhombus-tech.net/ingenic/jz4775/news
    and if you’d like to sign up for the upcoming crowd-funding you can do so here: https://www.crowdsupply.com/eoma68

  16. I would actually guess even ARM processors have some sort of microcode, as that’s relatively standard mechanism to implement complex state automata. Quick google search suggested they might… Even if they don’t, what’s exactly so wrong with having CPU with a microcode? The fact Intel can patch it to fix flaws doesn’t mean that everyone can do that, as the structure and meaning of the bits in the patch isn’t known. I’ve seen some analysis of Intel’s microcode, and it was interesting to read, but there’s definitely not enough information to come up with a microcode patch that would, let’s say, implement a new instruction. Not mentioning the CPU itself most likely verifies the signature of the patch before using it.

  17. Dick Stallman sounds like a communist.

    His “Free Design Hardware” concept, the one where all hardware is forced open, eliminates the innovation revenue stream by making all manufacturing a commodity and devaluing innovators to be nothing but line workers.

    Hardware is currently open by default as no parts are covered by Copyright. Licenses on hardware are as pointless as Moon deeds.

    If you want hardware documentation, then request it. Most companies will give it unless doing so negatively affects their ability to survive due to patents being inadequate. Don’t like that? Petition for patent reform that or an alternative that doesn’t make you sound like a ‘everything should be free because I want it and don’t care if it causes all innovation to leave the country and eventually decreases my ability to afford the things that are now open’ hippie talk.

    Damnit, now I’m a Hackaday commenter. Brian has won this round.

    1. As far as hardware patents and information goes, Bunnie did an article on what I think he called gongkai. It’s an informal network of information sharing in China. Look it up, very interesting. Probably more suited to Chinese society, as patents and the like are to Western. But it’s an alternative, seems to be working well for the Chinese. It’s how there’s so many cheap cellphones available in China, made by all sorts of little factories.

  18. Whoa, tons of culture war in the comments. Haha.

    Thanks for the article! Though I cringe at the phrase “open source”, I still appreciate the work put into this.

    Just want to make one point..
    Years before the GPL, Stallman held these freedom of software views and practiced them. The software-freedom-supporter to NDA-signer ratio was way off. If it wasn’t for Stallman we wouldn’t be where we’re at with free software today.

  19. I am grateful for having software freedom and user freedom graces at Mr. Richard Stallman. He’s GNU Project founder, that began so many applications in free software, the way we are all going today. While GNU means Gnu’s Not Unix, meaning that he is not the Unix System, the Linux is only a clone of the Unix kernel. A little piece of gold in the GNU System.

  20. Thank you for this very informative article about free/libre hardware! There are a few things I would like to point out, though: While it may be true that Open Source would not exist without Richard Stallman’s contributions, he did not start that movement. He started the Free Software movement and while there is significant overlap on the practical issues, the Free Software movement and Open Source differ on principles. Free Software is about changes in society and Open Source is a development model (it even says so on opensource.org). When talking about Richard Stallman and the Free Software movement he started, it is also a good idea to use the term GNU+Linux for the operating system because that way we mention what he actually started, the GNU project for developing a fully free operating system. In the early 1990s, that operating system was completed by Linux, thus creating the GNU+Linux system.

    If someone hears about freedom as the ideal behind Free Software and decides there are more important things, that is their choice, but I think it is important to present Richard Stallman and the Free Software movement in the correct context and to point people to the ideals behind the GNU system by saying GNU+Linux instead of saying Linux and only pointing them to “Just for Fun” (a book by Linus Torvalds about his motivation for writing the kernel).

    For more information, have a look at these articles:
    http://gnu.org/gnu/linux-and-gnu.html
    http://gnu.org/gnu/gnu-linux-faq.html
    http://gnu.org/gnu/the-gnu-project.html

  21. Some mistakes (and forgotten things) in the article:
    -> RMS is against “open source”, the article makes it seem,
    for a non-careful reader, that RMS is related to it.
    Instead RMS created the free software movement, whose
    main difference with open source movement is the advocacy
    of software freedom.
    For open-source freedom is not the issue. “open source” advocates
    practical advantages, such as a better development methodology,
    better software quality, and so on.
    Here your article is talking about free software
    (you talk about freedom/privacy/security).

    -> The article forgot to mention the difference between hardware and software.
    That might be obvious for some but it’s somehow tricky to define.
    The lenovo keyboard is purely mechanical, so that’s hardware.
    RMS and the FSF consider things as software if you can change its code.
    Even if it’s some hardware design flashed to an FPGA SPI chip.
    They consider hardware as something no one can change once fabricated.
    Example: the bootrom instructions of a SOC is hardware since no one can
    modify it once the SOC is fabricated.

    Some notes about the attack vectors:
    ————————————
    -> Free software keyboards do exist[1]. They are made with an arduino micro
    or other microcontroller boards and a thinkpad keyboard.
    In your article you are supposing that thinkpad keyboards are USB.
    While they also exist in USB format for desktops, the ones in the laptops aren’t.
    The laptop keyboards are purely mechanical, they are connected to the laptop’s
    embedded controller which, sadly, still runs non-free software.
    That is a big issue given how you can abuse it.
    Chromebooks often(always?) have free software embedded controller.
    However not all can boot without blobs, the C201 can. It’s an ARM rockchip SOC.
    The novena also has a free software embedded controller.

    -> The non-free HDD firmware is a huge issue for freedom/privacy/security,
    however as bad as it is, it can be worked around if you boot from SPI flash chips.
    On the libreboot supported computers, the computer boots from a small SPI flash chip.
    Libreboot is a 100% free software coreboot distribution.
    Coreboot/Libreboot only initialize the hardware, once that’s done,
    it jumps to a payload.
    The payload can be SeaBIOS (on x86) to have BIOS compatibility,
    GRUB, a linux kernel and an initramfs, tianocore, and many others.
    Let’s assume the HDD firmware is totally untrusted and is trying
    to actively screw you. It would for instance try to patch your linux
    kernel. It will try to do TOCTOU (time of check, time of use) attacks.
    It will also try to break your crypto.
    GRUB can verify signatures but I’m not sure about TOCTOU issues,
    so let’s use something else.
    GRUB can open LUKS partitions, so that’s good. you can then put your / rootfs on
    a LUKS partition. However the ciphers supported only encrypt the partition.
    It won’t do any integrity checking, and I’ve no idea how resilient LUKS is
    against malicious firmware trying to modify, in real time, the encrypted partition.
    I’m not sure that GRUB supports dm-verity and that’s read-only anyway.

    The novena boots from a microSD by default, which has a non-free firmware.
    The novena has no SPI flash by default, I’d like to know if anybody succeeded
    at booting it from SPI flash, as the I.MX6 supports that. I didn’t check if
    the right pads are exported.

    Note that there are two good papers that summarize the situation:
    (1) http://blog.invisiblethings.org/2015/10/27/x86_harmful.html
    (2) http://blog.invisiblethings.org/2015/12/23/state_harmful.html

    In (1) mention of the dock connectors and LPC’s LDRQ# (That can permit DMA
    to the CPU’s RAM) was forgotten.

    References:
    ———–
    [1] https://flashandrc.wordpress.com/category/thinkpad-keyboard/usb/

    Denis.
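
The time-of-check/time-of-use gap raised in the comment above, as an added example that is not part of the original comment. The `UntrustedDisk` class, the image bytes and the pinned SHA-256 digest are constructed assumptions, with the digest standing in for a bootloader signature check; the point is that verifying one read and executing another leaves a gap that reading once into RAM closes.

```python
import hashlib
import hmac

# Constructed sample images; the pinned digest stands in for the signature
# check a bootloader in trusted SPI flash would perform (an assumption).
GOOD_KERNEL = b"constructed-kernel-image-v1"
EVIL_KERNEL = b"constructed-kernel-image-patched"
PINNED_DIGEST = hashlib.sha256(GOOD_KERNEL).digest()


class UntrustedDisk:
    """Simulated drive: honest for the first `honest_reads` reads, then
    returns a modified image, as hostile firmware could."""

    def __init__(self, honest_reads):
        self.honest_reads = honest_reads
        self.reads = 0

    def read_kernel(self):
        self.reads += 1
        return GOOD_KERNEL if self.reads <= self.honest_reads else EVIL_KERNEL


def digest_ok(image):
    # Constant-time comparison against the digest held in trusted storage.
    return hmac.compare_digest(hashlib.sha256(image).digest(), PINNED_DIGEST)


def boot_double_read(disk):
    """Flawed: verifies one read, then fetches the image again to run it."""
    if not digest_ok(disk.read_kernel()):
        raise ValueError("kernel failed verification")
    return disk.read_kernel()  # this second copy was never checked


def boot_single_read(disk):
    """Hardened: one read into RAM, verify that buffer, run that buffer."""
    image = disk.read_kernel()
    if not digest_ok(image):
        raise ValueError("kernel failed verification")
    return image


if __name__ == "__main__":
    print("double read runs:", boot_double_read(UntrustedDisk(1)))
    print("single read runs:", boot_single_read(UntrustedDisk(1)))
```
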
