Is Trisquel a safe choice for more recent hardware?
Hello!
I am currently using Debian on my laptop, and looking into switching to Trisquel. I have used it before, and enjoy the guarantee of a 100% free system. I notice that Trisquel does not include any microcode packages. While that is necessary for freedom, I do wonder if it could possibly hurt the security of my system. My laptop is fairly recent, a Dell Latitude 5320 from 2021, so there is no free BIOS available for it. I try to run only free software when possible, though I've had to make an exception for JavaScript on websites. Would Trisquel be a safe choice for me? How risky is the lack of microcode updates in practice? I previously had an account under the name "circuit", which I've since lost the details to, and I believe I asked a similar question then.
Try it live: https://trisquel.info/en/wiki/starting-installable-live-system
You may even opt for the latest alpha for better hardware support out of the box: https://cdbuilds.trisquel.org/ecne/
Nevertheless, even if you download the latest release, Trisquel 11, I believe only the Wi-Fi will not work. Besides using Ethernet, the freedom-respecting solution is to acquire a dongle with an AR9271 chipset. You can go for https://ryf.fsf.org/categories/wireless-adapters or search "AR9271" on a site such as ebay (that would be cheaper, but you would not support vendors dedicated to respecting your freedom): https://www.ebay.com/sch/i.html?_nkw=AR9271&_sop=15
> How risky is the lack of microcode updates in practice?
I don't know. What I know is that Trisquel has mitigations for Spectre and Meltdown, as mentioned at https://trisquel.info/fr/forum/meltdown-and-spectre-attack#comment-172451, so there should be no issue with those. From that discussion, I understand that Trisquel considers having such mitigations desirable, but I don't know whether there are mitigations for all issues discovered later.
I am currently using Trisquel on two rather recent laptops (a Lenovo T14s and a NovaCustom, I forgot the exact reference). Perhaps because I am used to Trisquel I don't feel too concerned with that question, but I agree that it is a real question.
In practice?
That may be hard to answer, since I am quite certain that no one here has ever had their machine exploited due to a lack of cpu microcode updates. In fact, there has never been even one single instance of a successful spectre/meltdown/etc exploit in the wild reported anywhere in the world. All the security reports on spectre/meltdown/etc are from security research labs, with all reports of security failures having occurred under controlled laboratory conditions.
In fact, the only people with the money and the expertise to exploit your machine via spectre/meltdown/etc would probably be nation-state spy agencies. And they are unlikely to go to the expense or the trouble to run a complicated exploit when they could simply bonk you on the head with a $5 wrench until you give up your password, a la this xkcd comic strip: https://xkcd.com/538/
> they are unlikely to go to the expense or the trouble to run a complicated exploit when they could simply bonk you on the head with a $5 wrench until you give up your password, a la this xkcd comic strip: https://xkcd.com/538/
I am not sure it is that complicated actually. Developing the initial demo may be some work, but if someone makes a tool to exploit it, it may be usable by a far greater number of people. We have mitigations that prevent Spectre and Meltdown anyway, so they can't use them. Are there things we know of for which no mitigation exists? That is a good question.
Besides, I have always found this xkcd comic somehow inaccurate: the main cost is to pay the person using physical violence, not the cost of any tool. Also, this is far less discreet.
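The question above, which issues the running kernel actually reports as mitigated, can be answered from the kernel's own status files rather than guessed. The following script is an added example, not something posted in this thread: it reads the per-issue files under /sys/devices/system/cpu/vulnerabilities/ (a standard Linux sysfs location; the VULN_DIR override and the function names are this example's own) and classifies each line as mitigated, not affected, or still vulnerable. A "Vulnerable" entry whose text mentions microcode is exactly the case a Trisquel user without microcode packages would want to see listed.

```sh
#!/bin/sh
# Summarise the kernel's view of CPU speculative-execution issues.
# Linux exposes one file per issue under the directory below; each holds a
# status line such as "Not affected", "Mitigation: PTI" or
# "Vulnerable: No microcode". The override is for testing on constructed data.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS -> prints one of: ok, vulnerable, unaffected, unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo unaffected ;;
        "Mitigation:"*)  echo ok ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_dir DIR -> one "name<TAB>class<TAB>status" line per issue file;
# exit status 1 if at least one issue is reported as vulnerable, else 0.
report_dir() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%s\t%s\t%s\n' "$name" "$class" "$status"
        [ "$class" = vulnerable ] && rc=1
    done
    return $rc
}

# count_class DIR CLASS -> how many issues in DIR fall into CLASS
count_class() {
    report_dir "$1" | awk -F '\t' -v c="$2" '$2 == c { n++ } END { print n + 0 }'
}

# Live run when the sysfs directory exists on this machine; output goes to
# stdout, and the "vulnerable" rows are the ones worth reading closely.
[ -d "$VULN_DIR" ] && report_dir "$VULN_DIR"
```

On a machine where a mitigation depends on microcode the kernel lacks, the status line says so in plain text, so the "vulnerable" rows show directly which issues remain open without any microcode package installed.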
I'm not going to debate with you whether or not a comic strip should be taken as literal instructions on spycraft, or the financial and intellectual costs of creating a spectre/meltdown/etc exploit. If you prefer to feel overly paranoid then you should - Edward Snowden showed us over ten years ago that various spy agencies are actively exploiting us all day and night, and have backdoors into most of our online services. I doubt that the situation has improved in favor of better privacy and security since then. But then again, those proprietary cpu microcode updates aren't going to protect you, and likely make it even easier for the spy agencies to snoop on you.
> those proprietary cpu microcode updates aren't going to protect you, and likely make it even easier for the spy agencies to snoop on you.
I entirely agree. I just want to say that we should take all existing free software mitigations for known issues, and I understand that this is Trisquel's policy, which is good.
> If you prefer to feel overly paranoid then you should
Should what? I like the post that says that, when it comes to privacy, one is most often one's own worst enemy, due to careless or ignorant behaviour. Avoiding using a computer when not necessary looks like a good idea.
>"Should what?"
My poor attempts at English grammar might be different from French:
>If you prefer to [feel overly paranoid] then you should [feel overly paranoid] - [because] Edward Snowden showed us over ten years ago that various spy agencies are actively exploiting us all day and night, and [those spy agencies] have backdoors into most of our online services.
The way people should think about it is this: We are being actively exploited
It's not a matter of whether or not we have the most up-to-date packages in any case, it's a matter of how people in the world actually use technology at all.
A better question would be, is my usage of my technology protecting my own hardware?