With an estimated installed base of more than 400 million Windows laptops and desktops that have not been upgraded in more than six years, a lot of people are running computers that no longer receive security fixes and are exposed to well-known, actively exploited vulnerabilities. Hundreds of millions of people are therefore faced with the decision of what to use for their next computer, and millions of high school and college students need a computer every year to complete their assignments. Previously, we explained why Linux computers are the fastest, safest and most dependable computers available. The main reason they are not more popular is that, with Microsoft and Apple dominating the retail computer market, it is difficult even to purchase a computer with Linux preinstalled. In this article, we will explain why you can and should build your own Linux computer.
A Brief History of Computers
To better understand why nearly all of our current computers are so hard to trust, we will take a brief tour down memory lane. As we explained in Section 1.4, the software that runs a computer consists of three layers: a startup program (the firmware), an operating system, and a series of application programs.
The startup program initializes the hardware when the computer is first powered on, checks basic settings and then hands control to the operating system. For roughly thirty years nearly all PCs used a simple startup program called BIOS, which stood for Basic Input Output System. Its replacement, UEFI (Unified Extensible Firmware Interface), grew out of Intel's EFI work in the late 1990s; Apple shipped EFI on its Intel Macs from 2006, and in 2012 Microsoft's Windows 8 logo requirements obliged PC manufacturers to ship UEFI with Secure Boot enabled by default. Secure Boot means the firmware will only start a boot loader signed by a key it trusts, and on virtually every PC the pre-enrolled key is Microsoft's. That is the kernel of truth behind what critics call the Microsoft Kill Switch: the lists of trusted and revoked signatures are updated through operating system updates, and a revocation pushed that way can leave a previously working boot loader refusing to load. What the kill-switch story leaves out is that the same Windows 8 requirements obliged manufacturers to let the owner of an x86 PC turn Secure Boot off or enroll their own keys. The more important drawback of UEFI for a user is that it is a large, complex, proprietary program that runs with full control of the hardware before the operating system does; a bug or implant at that level is invisible to the operating system and to every security tool running on it, and UEFI firmware has been the target of real attacks. The open source alternative is Coreboot, which began in 1999 as LinuxBIOS at Los Alamos National Laboratory, years before UEFI became mandatory, and does as little as possible in firmware before handing off to a payload. At the time of writing, the only current computers shipping with Coreboot are Google Chromebooks and the Purism Librem laptops.
The second software component, the operating system, can also be a security risk. In the 1990s, programs were created for computers to exchange information over the Internet; we call such programs web browsers. Because a browser processes whatever content a remote site sends it, it has been the primary way that computers are infected with malware ever since. It was recognized early on that browsers were a risk to the operating system. Before 1997, the makers of all operating systems, including Microsoft, Apple and the Linux distributions, kept the browser an ordinary application, separated from the operating system by the normal walls between user programs and the system: separate processes, ordinary user privileges and no ability to modify the system itself. Those walls are what keep a program you loaded while on the Internet from altering or harming the operating system.
This changed in 1997 when Bill Gates decided to build the Internet Explorer web browser into the Windows 98 operating system, making its HTML rendering engine part of the Windows shell and impossible to remove. Microsoft's stated reason was integration; the effect for security was that a bug in the browser became a bug in the operating system, reachable from any web page. Every Windows version since 1998 has carried Internet Explorer's engine as a system component. To their credit, both Apple and the Linux distributions continued to ship their browsers as ordinary applications, which is one reason Linux and Apple computers were harder to attack than computers running Windows.
In 2012, with Windows 8, Microsoft made the situation worse by adding a second user interface and application platform, commonly called Metro or Modern, on top of the existing desktop. This was done to make Windows look and work more like its mobile phones. Whatever the reason, it was, and still is, a mess: Windows 8 and Windows 10 carry two separate control panels and, in Windows 8, two separate versions of Internet Explorer (Windows 10 added Edge alongside Internet Explorer), all of them part of the operating system. Every duplicated component is more code to patch and more surface for an attacker to reach, on top of the firmware layer discussed above. This is why security experts treat Windows 8 and Windows 10 as very large targets to defend, and it is one reason the great majority of web servers (the computers that run the Internet) use Linux.
For many years, people who cared about security and privacy simply bought a Windows computer and replaced Windows with Linux, a process that involved changing a couple of settings in the BIOS startup program and took only a few minutes.
Sadly, as we noted above, since 2012 manufacturers have shipped UEFI with Secure Boot in place of the simple BIOS. Replacing the operating system still takes a few minutes, but it no longer gets you out from under the vendor's firmware. Two common beliefs about that firmware need correcting. First, UEFI is not secret or encrypted code: the UEFI specification is public, the reference implementation (TianoCore EDK II) is open source, and a vendor's firmware image can be read out of the flash chip and taken apart with freely available tools. Second, the Secure Boot signature check can be turned off on any x86 PC, and the owner can replace Microsoft's key with their own. What remains true is the part that matters: the firmware itself is a proprietary build from the board vendor, often megabytes of code you cannot audit, patch or rebuild, that runs before and underneath whatever operating system you install, and whose trust lists are maintained by Microsoft. Putting Linux on a Windows 8 or Windows 10 computer, or on any Windows or Apple computer made since 2012, gives you a secure operating system on top of a startup program you have to take on faith. If we want to avoid that, we need a computer that ships with Coreboot.
As we noted above, this means you should either convert an Acer C910 Chromebook to a Linux Mint computer, an option that costs $300 to $600, or buy a Librem 15 laptop with Linux already installed, an option that costs about $1600.
What about Libreboot laptops and the NSA High Assurance Platform?
Richard Stallman recommends getting a Libreboot laptop. Libreboot is a distribution of Coreboot with every proprietary blob removed. The drawback is that the laptops it fully supports are essentially 10 year old reconditioned Lenovo ThinkPads such as the T500, which sell for about $400. The reason for such old hardware is that nearly every Intel chipset made since about 2008 contains the Intel Management Engine, or ME for short: a separate processor inside the chipset running its own firmware. The ME starts before the main processor and the startup program, has its own access to memory and, on vPro business machines with Active Management Technology (AMT) provisioned, to the network, and it keeps running as long as the board has standby power, even when the computer is switched off but still plugged in. The 2008-era ThinkPads are the last Intel platforms from which Libreboot can remove the ME firmware entirely. Richard called the ME yet another NSA backdoor into your computer, in addition to the Windows backdoor and the UEFI kill switch.
Richard was right that the ME is dangerous, though not because anyone has shown it to be a deliberate backdoor: in 2017 Intel itself published advisories for remotely exploitable flaws in AMT and in the ME firmware, so any machine with the ME enabled carries a second computer with its own bugs underneath the operating system. This does not mean that the only option is to use 10 year old processors. Google's Chromebooks replace the vendor UEFI with Coreboot and do not enable the ME's remote management features, although the ME firmware itself is still present and still runs. Google has sold more than 30 million Chromebooks with modern Intel processors and Coreboot, and no public compromise of them has been attributed to the ME. So while the ME is a major problem for Windows and Apple computers running vendor UEFI, it is a much smaller one for Chromebooks.
In August 2017, researchers at Positive Technologies (PT), Mark Ermolov and Maxim Goryachy, were trying to figure out how to disable the Intel Management Engine. Intel had compressed the ME firmware with Huffman tables that were never published, which had blocked researchers for years, but the PT researchers managed to unpack the ME 11 firmware modules. What they found was remarkable: a complete operating system, based on MINIX, made up of dozens of modules and running on its own processor inside the chipset. More importantly, they found that a way to switch most of it off was already built in. In the configuration data for the chipset's soft straps they found a bit named reserve_hap with a comment next to it stating it was the 'High Assurance Platform (HAP) enable'. A search for High Assurance Platform showed that (drum roll please) HAP is an NSA program. This sure makes Richard Stallman look like a genius. https://blog.ptsecurity.com/2017/08/disabling-intel-me.html
There is more to this story. Intel confirmed that the HAP mode was added at the request of equipment manufacturers supporting a US government program. What HAP does, if enabled, is stop the ME shortly after the hardware has been brought up, rather than leaving it running for the life of the session. To make a long story short, the rest of us were left with the ME running, while the government customers who asked for HAP got computers with it switched off.
The PT researchers published their results and, thanks indirectly to the NSA, anyone can now set the HAP bit and get most of the way to what the NSA asked for. One caveat: HAP does not remove the ME. Its firmware is still in the flash chip and still runs during early boot; the bit only tells it to halt after bring-up, which is why the PT researchers described it as reducing the attack surface rather than eliminating it. Still, the fact that we can now halt the ME makes the argument for 10 year old modified Lenovo computers much less persuasive. One of the first companies to halt the ME this way was Purism, on its Librem laptops. Another was one of the biggest distributors of computers preloaded with Linux, a company called System76.
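To make the HAP mechanism concrete, here is an added example (not code from the article, from Positive Technologies or from Intel) that parses an Intel flash descriptor and sets the HAP soft-strap bit on an in-memory copy of a flash image. The descriptor offsets and the bit position (PCHSTRP0, bit 16, on ME 11 and later platforms) are taken from the open source me_cleaner tool, which is the usual way this is done in practice; the 4 KiB sample image is constructed for the example and is not a dump from real hardware. It also reports where the ME firmware region sits in the image, which is what a full ME removal would have to strip.

```python
"""Added example (not from the article or from Positive Technologies): parse an
Intel flash descriptor and set the ME 11 "HAP" soft-strap bit in memory.

Assumptions:
  * descriptor layout and the HAP bit position (PCHSTRP0 bit 16, ME 11 /
    Skylake and later) follow the open-source me_cleaner project;
  * the sample image below is constructed for this example, not dumped
    from real hardware.
"""
import struct

DESC_SIGNATURE = 0x0FF0A55A   # descriptor "flash valid" signature at +0x10
HAP_BIT = 1 << 16             # PCHSTRP0 bit 16: High Assurance Platform enable


def parse_descriptor(image: bytes) -> dict:
    """Locate the region table, PCH straps and ME region inside a flash image."""
    if struct.unpack_from("<I", image, 0x10)[0] != DESC_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", image, 0x14)
    frba = (flmap0 >> 12) & 0xFF0      # flash region base address (FLMAP0 bits 23:16, x16)
    fmba = (flmap1 & 0xFF) << 4        # flash master base address (FLMAP1 bits 7:0, x16)
    fpsba = (flmap1 >> 12) & 0xFF0     # PCH soft-strap base address (FLMAP1 bits 23:16, x16)
    # Region 2 of the region table is the ME firmware; base/limit are in 4 KiB units.
    flreg2 = struct.unpack_from("<I", image, frba + 8)[0]
    me_start = (flreg2 & 0x1FFF) << 12
    me_end = ((flreg2 >> 4) & 0x1FFF000) | 0xFFF
    return {"frba": frba, "fmba": fmba, "fpsba": fpsba,
            "me_start": me_start, "me_end": me_end}


def hap_enabled(image: bytes) -> bool:
    """True if the HAP bit is already set in PCHSTRP0 (the first soft strap)."""
    fpsba = parse_descriptor(image)["fpsba"]
    pchstrp0 = struct.unpack_from("<I", image, fpsba)[0]
    return bool(pchstrp0 & HAP_BIT)


def set_hap_bit(image: bytearray) -> bool:
    """Set the HAP bit in place. Returns False if it was already set."""
    if hap_enabled(image):
        return False
    fpsba = parse_descriptor(image)["fpsba"]
    pchstrp0 = struct.unpack_from("<I", image, fpsba)[0]
    struct.pack_into("<I", image, fpsba, pchstrp0 | HAP_BIT)
    return True


def build_sample_image() -> bytearray:
    """Constructed 4 KiB descriptor: FRBA=0x40, FMBA=0x60, FPSBA=0x100 and an
    ME region at 0x3000..0x1FFFFF. Not a real dump."""
    img = bytearray(0x1000)
    struct.pack_into("<I", img, 0x10, DESC_SIGNATURE)
    struct.pack_into("<I", img, 0x14, 0x04 << 16)             # FLMAP0: FRBA = 0x04 * 16
    struct.pack_into("<I", img, 0x18, (0x10 << 16) | 0x06)    # FLMAP1: FPSBA = 0x10 * 16, FMBA = 0x06 * 16
    struct.pack_into("<I", img, 0x40 + 8, (0x1FF << 16) | 3)  # FLREG2: ME region 0x3000..0x1FFFFF
    return img


if __name__ == "__main__":
    img = build_sample_image()
    d = parse_descriptor(img)
    print(f"ME region 0x{d['me_start']:x}-0x{d['me_end']:x}, soft straps at 0x{d['fpsba']:x}")
    print("HAP before:", hap_enabled(img))
    set_hap_bit(img)
    print("HAP after: ", hap_enabled(img))
```

On real hardware you would read the flash with flashrom, run this over the dump, confirm the result still parses, and keep the untouched dump so you can recover, because writing a bad descriptor can brick the board. Older ME versions use a different bit (AltMeDisable in PCHSTRP10), which me_cleaner handles and this example deliberately does not.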
What about System 76 laptops?
The problem with System76 (and about a dozen other distributors of computers preloaded with Linux) is that, at the time of writing, they all sell computers with the board vendor's UEFI firmware. They are essentially rebranded Windows laptops with Linux installed. As we noted earlier, you can turn off the Secure Boot signature check, and you can run the firmware in its legacy (CSM) mode, but neither replaces the firmware: the same proprietary UEFI code still initializes the hardware, still owns the update mechanism and still runs underneath your operating system, even after the Intel Management Engine has been halted. The question to ask of any such machine is not whether Secure Boot is on or off but whose keys it trusts and whose code runs before Linux does. It is not enough to install a secure operating system. To have real security, you also need a trustworthy startup program.
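The practical check that follows from this is to look at what your own firmware trusts. The following is an added example, not code from the article or from any vendor, that reads the UEFI SecureBoot and SetupMode variables and walks the db signature database in the EFI_SIGNATURE_LIST format, reporting how many X.509 signing certificates each owner has enrolled. The efivarfs path, the variable GUIDs, EFI_CERT_X509_GUID and Microsoft's signature owner GUID are the published values; the sample db blob is constructed for the example, with a placeholder where a real DER certificate would be, so the parser can be exercised on a machine without UEFI.

```python
"""Added example (not from the article): inspect what a UEFI machine's Secure
Boot configuration actually trusts. Parses the EFI_SIGNATURE_LIST format used
by the db/dbx variables and the Linux efivarfs file layout (a 4-byte attribute
word followed by the variable data). The sample blob below is constructed for
this example: the certificate bytes are a placeholder, not a real certificate.
"""
import os
import struct
import uuid

EFIVARS = "/sys/firmware/efi/efivars"
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"      # SecureBoot, SetupMode, PK, KEK
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")


def strip_efivarfs_header(raw: bytes) -> bytes:
    """efivarfs prepends a 32-bit attributes word to every variable."""
    return raw[4:]


def secure_boot_state(secureboot: bytes, setupmode: bytes) -> str:
    """Interpret the SecureBoot and SetupMode variables (one byte each)."""
    if not secureboot and not setupmode:
        return "unknown (UEFI variables not available)"
    if setupmode and setupmode[0]:
        return "setup mode (no PK enrolled, signatures not enforced)"
    return "enforcing" if secureboot and secureboot[0] else "disabled"


def parse_signature_lists(data: bytes) -> list:
    """Walk a concatenation of EFI_SIGNATURE_LIST structures.

    Each list: SignatureType GUID(16) | ListSize u32 | HeaderSize u32 |
    SignatureSize u32 | header | entries, each entry = Owner GUID(16) + data.
    Returns one dict per entry; raises ValueError on a malformed list.
    """
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size < 16:
            raise ValueError(f"malformed signature list at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append({"type": sig_type, "owner": owner,
                            "data": data[pos + 16:pos + sig_size]})
            pos += sig_size
        off = end
    return entries


def summarize(entries: list) -> dict:
    """Count trusted X.509 entries per owner GUID: who may sign boot loaders."""
    counts = {}
    for e in entries:
        if e["type"] == EFI_CERT_X509_GUID:
            key = str(e["owner"])
            counts[key] = counts.get(key, 0) + 1
    return counts


def build_sample_db() -> bytes:
    """Constructed db variable as efivarfs would present it: attribute word,
    then one X.509 entry owned by Microsoft's GUID with a 32-byte placeholder
    instead of a real DER certificate."""
    cert = b"\x30\x82" + b"\x00" * 30               # placeholder, not a certificate
    sig_size = 16 + len(cert)
    body = MICROSOFT_OWNER_GUID.bytes_le + cert
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return b"\x27\x00\x00\x00" + header + body   # NV|BS|RT|TIME_BASED_AUTH attributes


def read_var(name: str, guid: str) -> bytes:
    """Read a live variable from efivarfs, or b"" when not on a UEFI Linux box."""
    try:
        with open(os.path.join(EFIVARS, f"{name}-{guid}"), "rb") as fh:
            return strip_efivarfs_header(fh.read())
    except OSError:
        return b""


if __name__ == "__main__":
    sb = read_var("SecureBoot", EFI_GLOBAL_VARIABLE)
    setup = read_var("SetupMode", EFI_GLOBAL_VARIABLE)
    print("Secure Boot:", secure_boot_state(sb, setup))
    db = read_var("db", EFI_IMAGE_SECURITY_DATABASE) or strip_efivarfs_header(build_sample_db())
    for owner, n in summarize(parse_signature_lists(db)).items():
        tag = " (Microsoft)" if owner == str(MICROSOFT_OWNER_GUID) else ""
        print(f"{n} X.509 signer(s) owned by {owner}{tag}")
```

Run it as root on a UEFI Linux system to see the live values; a typical vendor machine reports Microsoft's owner GUID on every db entry. The same parser works on dbx, the revocation list that operating system updates extend, which is the real mechanism behind the kill-switch story in this article, and on KEK and PK if you want to see who is allowed to change those lists.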
If you have any doubts about the drawbacks of UEFI and the benefits of Coreboot, watch the 30 minute talk "Replace Your Exploit-Ridden Firmware with a Linux Kernel", posted on YouTube by the Linux Foundation in October 2017 and given by Ron Minnich, who started Coreboot (as LinuxBIOS) and leads the Coreboot team at Google.
In the next section, we will look at the Coreboot laptop options with high resolution 15 inch screens. As we have already noted, there are only about four of them.