[anonym29]

>I think their processors are not including management engine, so you are safe to buy one.

There are no new AMD or Intel processors that come without ST (formerly PSP) or CSME (formerly ME).

>The management engine that included in chipsets can be switched off permanently.

This is factually incorrect. me_cleaner cannot neutralize or disable modern CSME, there is no way to verify the HAP bit does anything at all, nor that the included TCP/IP stack on the Minix OS cannot accept remote commands to disable the HAP bit, if set. To our current knowledge, only the onboard GbE controller is accessible to CSME's TCP/IP stack, but we're working with extremely limited information. These are closed-source, hardened opaque-boxes that are deliberately designed to be inauditable and tamper-proof. Adding firmware support for other ethernet controllers or wireless cards would conceivably be trivial.

>In general usage, it does not matter while you use third party controlled CAs, distro repositories and automatic updates,

I compile from source. OS, drivers, browser - all of it. I don't care if you think this is "unrealistic for the average user", my objective is not to have the security model that the average user has.

>not speaking about microsoft, google, nvidia, valve, mozilla spyware that can do anything with your data anytime they (or US/EU government agencies) want.

I do not run Windows, I do not use chromium (or firefox) based browsers, I do not use a discrete GPU, I don't have anything remotely gaming related (like steam) installed.

What I do have is a constitutional right to privacy that does not end where my CPU begins, and an unshakeable resolve wherein I refuse to voluntarily cede that right to privacy just because so many others do.

[CamperBob2]

What I do have is a constitutional right to privacy that does not end where my CPU begins, and an unshakeable resolve wherein I refuse to voluntarily cede that right to privacy just because so many others do.

Anger might help, if channeled properly into lobbying your representatives in Congress. Making up imaginary constitutional rights to a DRM-free PC won't help at all, though. Intel and AMD have the right to shove their spyware into their silicon, just as Microsoft has the right to shove theirs into their OS. You have the right to decline to buy it. Your rights end there, given that nothing they are doing is actually illegal.

That last part could change, which is why I recommend lobbying. It should be completely illegal to use a Wintel PC for a vast number of things that people are currently using them for, from healthcare to government services to military applications. If we can convince Congress of the threat, they can pass legislation that will wreck the business model of anyone who doesn't give the user -- or at least the admin -- control over what information the PC sends out and what it can receive. They will change their tune in a hurry when that happens.

[landemva]

> If we can convince Congress

That sounds good yet in practice even medical hippa privacy is bunk. Last week I went to a big hospital for a walk-in xray. They refused to take the pictures until I consented to their standard forms which provide for my results to be given to unnamed research groups. The check-in person acted like I was the first person ever to try to strike out that part of the form/contract. They literally refused treatment and the 'patient advocate' played her role of being pleasant and clueless.

I complained to hospital licensing at State which was rejected because it was not an unsafe care issue.

[anonym29]

Not completely related to privacy, but I do know of one state-level initiative to enshrine into law a requirement that the state largely end the requirement of proprietary software usage to interact with the state's various digital interfaces - "prohibiting, with limited exceptions, state agencies from requiring use of proprietary software in interactions with the public" - HB 617-FN in New Hampshire.

It's not a one-and-done solution but it's a big step in the right direction for government, especially for digital privacy.

More info: https://libreboot.org/news/usa-libre-part2.html

[CamperBob2]

How come you didn't want your results shared with research groups? It's not as if they're tagged with your name and SSN, are they?

[anonym29]

>Intel and AMD have the right to shove their spyware into their silicon

Correct.

>just as Microsoft has the right to shove theirs into their OS

Correct.

>You have the right to decline to buy it.

Ding ding ding!

>Your rights end there, given that nothing they are doing is actually illegal.

Correct. I am making a market demand with my money, not a legal order for these companies to stop producing untrustworthy hardware and snoopy software.

[sweetjuly]

What hardware setup do you use that you feel secure on? In my own searching I haven't found any off the shelf SoCs that have meaningfully more secure architectures. You either have IME or a garbage ARM based SoC that doesn't have an SMMU and forces you to fully trust your wifi card not to scribble over kernel memory. Most vendors really just don't care about system security. Maybe you should look into running your computer off an Ultrascale FPGA :)

[anonym29]

Currently, my main workstation uses a Power 9 processor made by IBM, which is definitely much more expensive and much slower than modern Intel & AMD processors, but comes with the privilege of having a completely open ISA, open hardware schematics, and 100% open source firmware & microcode for the CPU itself.

I am not a big fan of ARM as many ARM chips have a TrustZone core, which is in the same camp as (CS)ME and AMD ST (PSP).

Fun fact: AMD ST (PSP) is actually implemented using an ARM TrustZone core.

[landemva]

Are you internet disconnected or how do you manage CAs?

[anonym29]

I have airgapped boxes, but in general, I don't mind connecting to sites that aren't inherently trustworthy as I do not have javascript enabled by default, I enable it on a script-by-script basis. Is it possible someone has an n-day in the HTML rendering engine of my browser? Sure, which is why all of my activity is compartmentalized and isolated by way of virtualization. I'd love to run Qubes on my Power 9 workstation but Xen and Power 9 don't play nicely at the moment :(