3.1 Problems with Current Computer Options

There are more than 300 million Windows 7 computers that haven't been upgraded in more than 8 years. Millions of people are now using Windows computers that are very old, very insecure and can be hacked at a moment's notice. These people can not update their computers to Windows 10 because their old computers do not have enough RAM. What will they use for their next computer? There are also millions of high school and college students who need a computer to help them complete their assignments.


Previously, we explained why Linux computers are the fastest, safest, most dependable and secure computers in the world. The only reason they are not more popular is that, due to Microsoft and Apple monopolizing the computer market, it is very difficult to even purchase a Linux computer. In this article, we will explain why you can and should seek out a real Linux computer.


A Brief History of Computers

To better understand why nearly all of our current computers are so unreliable, we will take a brief tour down memory lane. As we explained in Section 1.4, the software that runs all computers consists of basically three parts – a startup program, an operating system program and a series of application programs.


The startup program sets the power levels of all the hardware in a computer when it first starts. It checks basic settings and then passes control of the computer over to the operating system. Historically, up until about 2012, all computers used a simple startup program called BIOS – which stood for Basic Input Output System. In 2012, with the introduction of Windows 8, Microsoft forced computer manufacturers to switch to a much more complex and much less secure startup program called UEFI. Apple now also uses the UEFI startup program. The benefit with UEFI if you are Microsoft is that is gives Microsoft the ability to remotely turn off any computer they think is running software they do not like by turning off the startup program – preventing the computer from even starting. This is commonly called a Kill Switch. The drawback of UEFI, if you are a computer user, is that your computer is open to remote attack – not only by Microsoft or Apple – but by any computer hacker who wants to turn off your computer. Partly in response to this security risk, the Linux community created a free open source startup program called Core Boot. The Purism Librem uses Coreboot with a payload called SeaBIOS. The Pinebook Pro uses U-Boot which is the same open source payload for Coreboot used by Chromebooks.


The second software component, the operating system, can also present a security risk. In the 1990s, programs were created for computers to exchange information over the Internet. We call such programs Web Browsers. Unfortunately, these interactive web browsing programs are the primary way that computers are attacked with weapons we call computer viruses. It was recognized early on that web browsers were a security risk to the operating system. Before 1997, the makers of all operating systems including Microsoft, Apple and Linux kept their web browsers separate from their operating system. They even put up a series of walls between the operating system and the web browsers (and all other applications) to protect the operating system from being altered by or harmed by programs that we loaded while on the Internet.

This all changed in 1997 when Bill Gates made the shockingly bad decision to incorporate the Internet Explorer Web Browser inside of the Windows 98 operating system. The benefit of doing this in the eyes of Microsoft was the ability to remotely turn off the Windows operating system on any computer running programs it did not like. Every Windows operating system since 1998 has had this “feature.”

To their credit, both Apple and Linux continued to keep their operating systems separate from their web browsers – which is why Linux and Apple computers were more secure and much harder to attack than computers using the Windows operating system.

In 2012, with the introduction of Windows 8, Microsoft made the security program much worse by adding a second operating system, commonly called the Metro or Mobile operating system to their former operating system. This was supposedly done in order to make their computers more compatible with their mobile phones. But whatever the reason, it was, and still is, a disaster as it requires two separate control panels and two separate web browsers – both of which are inside of their Windows operating system.

This means that Windows 8 and Windows 10 both have two back doors – in addition to the UEFI kill switch. This gives hackers several ways to enter the Windows 8 and 10 operating system. This is why security experts warn that Windows 8 and Windows 10 computers are not secure. This is also why the vast majority of web servers (the computers that run the Internet) use Linux.


For many years, folks who cared about security and/or privacy typically had to buy a Windows computer and replace the Windows operating system with the Linux operating system – a process that involved changing a couple of settings in the BIOS startup program and only took a few minutes.

Sadly, as we noted above, in 2012, Microsoft forced all computer manufacturers to replace the simple BIOS startup program with the UEFI startup program. While BIOS did not have a kill switch, UEFI does. Contrary to claims made by Microsoft, this kill switch cannot be turned off. In fact, the code for UEFI is copyrighted and encrypted. Anyone who claims that they know what is in UEFI is mis-informed. Like most dangerous products, the ugly truth of UEFI is deliberately kept hidden from the public. While you can still put Linux on any Windows or Apple computer made since 2012 – Microsoft (and hackers) control the keys to UEFI and can remotely turn off or alter your computer without notice. If we want to avoid UEFI, then we need to get a computer that already has Coreboot installed on it.

One of the biggest challenges in obtaining a secure functional Linux computer is that all Windows and Apple computers made since 2012 use an insecure startup program called UEFI that suffers from hidden back doors and a remotely controlled Kill Switch. There is not much point of replacing Windows with Linux if one still is stuck with a UEFI computer that has a remote controlled kill switch. In the past, one could buy a Windows computer and switch from UEFI to legacy BIOS mode. But support for legacy BIOS was eliminated in January 2020.

Rapid Storage Technology is a Rapid Way to Brick your Computer
The difficulty of replacing Windows with Linux has been made even worse with newer Windows 10 computers purchased since 2017. Due to the ever-increasing size of the Windows operating system, which causes Windows to take a very long time to start and to update, Intel was forced to modify their Rapid Storage Technology (RST) to essentially keep Windows running even if you turn off the power. While this makes it quicker to restart Windows (which never really turned off), it also makes it more difficult to replace Windows with a Linux operating system. Often Linux computer on a stick USB drives will not even appear as one of the boot options. There is a work around for this problem, but it is a pretty risky process. https://askubuntu.com/questions/1237557/ubuntu-installation-problem-with-intel-rapid-storage-technology

To make matters even worse, some newer Windows laptops come with Finger Print Readers which replace the traditional, reliable password log in process. This creates problems for Linux as root passwords are an important part of Linux security. Thus, finger print readers are a bad idea because they reduce security.

Why You Now Need to Look for and Avoid Soldered EMMC Hard Drives
Prior to 2015, most laptops came with replaceable spinning or solid state hard drives. This made it easy to replace a corrupted drive just by pulling out the bad drive and putting in the new drive. However, in order to increase profits (and because most computer buyers do not even know what a hard drive is), computer manufacturers started using soldered EMMC “flash storage” drives on cheaper models. This despicable decision is the equivalent of selling cars where the tires are soldered to the rims and can not be replaced! Today, as many as half of all laptops come with soldered EMMC drives which are not durable or reliable and will soon wind up in some landfill.

Why We No Longer Recommend Google Chromebooks
In past years, we recommended getting a Google Chromebook, which is based on a stripped down older version of Linux, and reflashing it with a complete and newer version of Linux. However, two problems make this option no longer a wise choice. The first is that most Chromebook now come with Emmc soldered in hard drives. This makes it impossible to replace the hard drive. An equally bad problem is that Google has not kept current with the Linux kernel. This means that even if you get a Chromebook with a removable drive, you still have a laptop that crashes frequently.

Many Bad Options – Very Few Good Options
Buying a new secure laptop that comes with Linux or can be easily converted to Linux is becoming much more difficult. While Microsoft switched from using Windows to using Linux on their server farm in Quincy Washington more than 4 years ago, they apparently want to stop you from also switching from Windows to Linux. More roadblocks are being added all the time to keep the Windows monopoly going. This is why we recommend buying a computer that comes with the Coreboot BIOS Startup program.

Currently, there are only two brands of computers that we can recommend. These are the Pinebook Pro, which is an amazing 14 inch laptop that costs only $200 (but it takes months to get one) – or the Purism Librem 15 laptop which costs $1200. Neither of these options come with Linux Mint preinstalled.

What about Libre Boot laptops and the NSA High Assurance Platform?
Richard Stallman recommends getting a Libre Boot laptop. While these laptops technically use a modified version of the Coreboot startup program, the problem is that they are essentially 10 year old reconditioned Lenovo ThinkPad T500s that sell for about $400. The reason Richard recommends these very old laptops is that all Intel processors made since 2008 use a very terrible program called Intel Management Engine or ME for short. This program runs before the UEFI startup program and can remotely reprogram your computer even if you have turned off your computer. All that is needed is that the computer be plugged into an electric outlet and have WIFI access. Richard claimed that this was yet another NSA backdoor into your computer – in addition to the Windows Backdoor and the UEFI Kill Switch.

It has since been proven that Richard was right about the dangers of the Intel Management Engine. However, this does not mean that the only option is to use 10 year old processors. Purism has found a way to disable the Intel Management Engine and replace ME and UEFI with the Coreboot startup program. So while this is certainly a major security problem for Windows and Apple computers running UEFI, it is not a major problem for Purism or Pinebook laptops.

In addition, in August 2017, computer researchers at Positive Technologies (PT) were trying to figure out how to disable the Intel Management Engine. Intel had encrypted the code which had blocked researchers for years. But PT researchers were able to unscramble portions of the code for UEFI and for ME. What they found was amazing. They found that UEFI has more than one million lines of code and more than 1,500 modules or blocks of code. With ME, they found that there was already a way to turn it off built inside of ME. The PT researchers found code buried in ME called 'reserve_hap' with a comment next to it stating it was to enable something called the 'High Assurance Platform'. The PT researchers then did a Google Search for High Assurance Platform and found that (drum roll please), HAP was an NSA program! This sure makes Richard Stallman look like a genius. http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

But there is more to this story. Intel admitted that they made the HAP platform at the request of “a US government agency.” What HAP does, if enabled, is to turn off ME. To make a long story short, the NSA wants all the rest of us to have insecure computers by leaving ME on with our computers– but the NSA wants the NSA to have secure computers by turning ME off on their computers.

The PT researchers published their results and suddenly, thanks to the NSA, all of us can now turn off ME and have secure computers just like the NSA. The fact that we can now turn off ME makes the argument for using 10 year old modified Lenovo computers much less persuasive. One of the first companies to turn off ME using this method was Purism.

What about System 76 Coreboot laptops?
To make matters even more confusing, another Linux computer maker, called System 76 claims to make laptops that use Coreboot. But the problem with their Coreboot laptops is that they use a Coreboot Payload called TianoCore. TianoCore in turn loads UEFI into Coreboot. It is not enough to install a secure operating system. To have real security, you also need to have a secure Startup program. If you have any doubts at all about the drawbacks of UEFI and the benefits of Coreboot, please watch this 30 minute Youtube video posted by the Linux Foundation in October 2017 and featuring Ron Minnich, the founder of Coreboot and the leader of the Google Coreboot team. https://www.youtube.com/watch?v=iffTJ1vPCSo


What’s Next?
In the next section, we will look at various Coreboot laptop options. As we have already noted, there are currently only two good options.