We Need A Better PC

My challenge: I'm trying to get a computer that doesn't suck

Like lots of people I spend about half of my waking life on my laptop, so this really matters.

However, I don't want a Mac.

Apple has great design, but they sell things that are locked down, both physically and in software. You're not supposed to open them, you're not supposed to replace parts, and if they break you're supposed to take them to your nearest "Genius Bar". Not my style. Also, Apple makes beautiful hardware, but their software is getting worse.

Whatever your opinion about Apple, we can agree that there should be at least one good alternative.


No problem, I thought, I'll get a PC

So a year ago I bought a System76 Galago UltraPro, because it's fast and sleek and it comes with Ubuntu. It's also modular and hackable, easy to take apart and put back together.

Unfortunately, it turns out System76 doesn't actually make their own stuff. The Galago is just a rebranded Taiwanese Clevo W740SU. Here's my Clevo compared to one of iFixit's MacBooks:

Like most computers that don't have a glowing white apple on the back, the Galago has questionable build quality. It's made of plastic, the screen flexes a lot, and the battery lasts three hours on a good day.


No problem, I thought, I'll get a Thinkpad

Lenovo is pretty much the only PC manufacturer that has a reputation for good industrial design and quality hardware. So I went to their website to see what I could buy.

Wow, that is some bad web design. Tons of fonts and colors. Tons of tiny text. Popups. And that's just one of their many series. They display low ratings for their own products on their own website. What.

Among all of this information overload, simple information is missing.

For example: I did my own research. For what I need, their best computer by far is the 2016 X1 Carbon, which Lenovo introduced at CES recently. It is thin and beautiful, it's solidly built, it has ten hours of battery life and a screen sharp enough that Apple would call it a Retina display. When is it coming out?

Apparently it's already available--sweet!

Except that page is deceptive, because that's actually the old X1 Carbon, with a low res screen and without the new Skylake processor. The new X1 Carbon will ship later this month according to third party news sites, so buying the old one today would be a bad deal. Intentionally or not, Lenovo's own product page tries to trick you into doing just that.

Then there's the part where Lenovo, like most PC manufacturers, bundles crapware with every computer they sell. A few months ago, in a perfect storm of malice and incompetence working together in a big corporate environment, they went one step further and decided to factory-install straight up malware. They completely broke HTTPS and left their customers insecure--all to further "monetize" you by injecting extra ads into websites you visit.

The 2016 X1 Carbon still looks really good, but after all that I would rather not give Lenovo my business.


It's downhill from there.

Lenovo comes closest to Apple in building quality hardware. Other PC manufacturers, like Acer and HTC and HP, have the same problems Lenovo has, but with worse build quality and an unfortunate penchant for injection-molded plastic. Their designs look cheap. The Microsoft Surface is well built, but that's a tablet, not a laptop. The Chromebook Pixel is good, but that's not a full PC, it's a limited system designed to run Chrome and Chrome Apps.


Conclusion: everything sucks... so far

What I want is a computer with:

  • Decent build quality
  • Decent performance and battery life
  • A decent website. It doesn't have to be an icon of web design, like apple.com. It can be simple and utilitarian, like an Amazon page. It just has to be honest and up to date. It should contain pictures, text, and a Buy button.
  • A clean OS without crapware or malware factory installed

Is that too much to ask? Make one and you can have my money!


Panopticon

There's a dark and scary trend in technology. A true panopticon, where bureaucrats can plot the movements of every citizen on a map minute by minute, read every message, know at all times who's talking to whom, is technically possible today to the extent that it's not already here.

That kind of power imbalance between people and their government is a threat to freedom everywhere, both in places that have democracy and in places that don't have it yet. More powerful tools for an authoritarian state to suppress a group who desire rights or freedom or a more participatory government have never existed.

Fixing this, not just through policy but through technology, is critically important.

Panopticon refers to a 19th-century prison design. The wardens can always see you, but you can't see them. Surveillance is about control, especially when it affects a whole population simultaneously and continuously.

Here's what I think needs to happen.

  • E2E must be the norm for all personal communications. Signal and WhatsApp have delivered huge progress toward that for calls and texts. I’m working on end-to-end encrypted email.

  • Software distribution must use deterministic builds and multisigs. Gitian and bitcoind are great examples. The current norm, where every device you own can be auto-updated to run anything by a bunch of different organizations at any time, is not OK.

  • Software must be open and auditable. Closed source is acceptable on the server, but everything I run on my device should be either open source, sandboxed, or both.

  • Hardware must be open and auditable. I should be able to check that my phone is not hardware backdoored. Anything that is not open--such as the baseband processor--should be untrusted at the hardware level.


Where do we start?

Easy Email Encryption

First, the good news. There's been a lot of progress toward letting people talk to each other securely. Signal is amazing, and it showed the world that strong cryptography can be clean and easy to use even for our smart but nontechnical friends. It proved that end-to-end encryption is not just for nerds who use PGP and Linux and go to "keysigning parties".

WhatsApp is rolling out end-to-end encryption to 800 million people, most of whom have never heard the word "cryptography" and have no idea what a "key" is. It's incomplete and imperfect, but still a huge step forward.


Unfortunately, while there's been lots of progress for messaging apps, email is still insecure. This sucks because email is the system of record. Messaging apps come and go. The messages themselves are often ephemeral as well. If you lose your phone, all your SMS and all your Signal messages are gone. Messengers deal in plain text... sometimes you can add pictures or emoji.


Email is more real. It's an open standard. It lasts forever. It's global. It supports rich text and attachments and everything. It's the modern replacement for mail, for quills and parchment and envelopes. Here in America, the Fourth Amendment guarantees people

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures

That there could be a big building where bureaucrats rip open every letter, read it, reseal it, and send it on to its destination, like in East Germany, sounds ridiculous. We're a free country, that's not how we roll. And yet that extra letter, the e in email, the implementation detail where mail is sent digitally rather than on literal paper, seems to void those protections. In countries like China and Kazakhstan, people are even more vulnerable. It's a chilling thought: a democracy movement, like the one that liberated Chile 25 years ago, might be impossible today because we've accidentally made it easy for states to read all mail.


To fix this, end-to-end encryption must be the default--not just for WhatsApp, but for email. We also need metadata security. To protect freedom of association, an observer shouldn't be able to tell who's talking to whom.


An idea...

1. You install a new mail app on your laptop. It's open source and well vetted.

2. You log into Gmail, your university mail, all the accounts you have. The app syncs your mail. You have a modern mail client with a nice UI and fast search, even when you don't have internet.

3. Bob installs the app as well. The next time you send him an email, it's automatically encrypted, signed, decrypted, & verified.

I want to do for email what Signal did for texts: I want to make end-to-end encryption easy.


Under the hood

Key exchange is automatic and centralized, like Signal. Encryption using Axolotl provides forward secrecy.

Finally, we want metadata security. We don't want to leak who's talking to whom, so we'll send all encrypted mail with a hardcoded From and Subject.

Of course, Bob's app will show him the real, decrypted From and Subject.

The last piece of the puzzle: we can’t just connect to our outgoing mail server directly. That would let it see your IP address and your recipient’s email address, again revealing both sides of the conversation.

Instead, we'll send all outgoing encrypted mail thru Tor.

Easy to use encrypted email, with modern crypto, providing both content and metadata security.
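As an added illustration (not the author's code), here is the envelope this design implies, in Go: the real From and Subject travel inside AES-GCM ciphertext, the outer message carries fixed constants, and only To stays in the clear because the relay needs it for delivery. Axolotl key agreement and the Tor hop are out of scope, so a random key stands in for the session key, and OuterFrom/OuterSubject are made-up values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Fixed outer headers: on the wire every message from this client looks the
// same except To, which the relay needs for delivery (assumed values).
const OuterFrom, OuterSubject = "noreply@example.invalid", "Encrypted message"

// Seal hides the real From/Subject inside the ciphertext. aead stands in for
// the ratchet-derived message key; To is bound as associated data.
func Seal(aead cipher.AEAD, to, realFrom, realSubject, body string) string {
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand; a fresh nonce per message
	inner := "From: " + realFrom + "\nSubject: " + realSubject + "\n\n" + body
	ct := aead.Seal(nonce, nonce, []byte(inner), []byte(to)) // nonce || ciphertext
	return fmt.Sprintf("From: %s\nTo: %s\nSubject: %s\n\n%s",
		OuterFrom, to, OuterSubject, base64.StdEncoding.EncodeToString(ct))
}

// Open is Bob's side: strip the outer headers, decrypt, and hand the client
// the inner message whose real From and Subject it displays.
func Open(aead cipher.AEAD, outer string) (string, error) {
	hdrs, b64, _ := strings.Cut(outer, "\n\n")
	_, rest, _ := strings.Cut(hdrs, "To: ") // recipient as the relay saw it
	to, _, _ := strings.Cut(rest, "\n")
	ct, err := base64.StdEncoding.DecodeString(b64)
	n := aead.NonceSize()
	if err != nil || len(ct) < n {
		return "", fmt.Errorf("malformed outer body")
	}
	pt, err := aead.Open(nil, ct[:n], ct[n:], []byte(to)) // fails if body or To was altered
	return string(pt), err
}

func main() { // constructed demo: a random key stands in for the ratchet session
	key := make([]byte, 32)
	rand.Read(key)
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	outer := Seal(aead, "bob@example.invalid", "alice@example.invalid", "Dinner?", "8pm at the usual place")
	fmt.Println(outer) // the relay sees only this: fixed From/Subject plus To
	fmt.Println(Open(aead, outer))
}
```

To remains visible to every server that handles the message, since it is needed for delivery; binding it as associated data only ensures Bob's client notices if it was rewritten in transit.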


Could this work? Would you use it?

Let me know your thoughts!

Playing to Lose

Ever since the Citizens United Supreme Court decision in 2010, you can give as much money as you want to political candidates. $1000, $1m, $100m, any amount at all, through the pretty thin legal fig leaf of a Super PAC.

So people worry about corruption: about donors buying elections. Lots of people have already written about that. Glenn Greenwald wrote about it especially eloquently. I've got nothing to add there.

However, I noticed a second, more subtle bit of fuckery: donors not buying elections.

Check out this sweet graphic of all the big 2016 donors. The usual suspects, like Jeb Bush, have lots of them: Ray and Nancy Hunt gave him $2m, Trever Rees-Jones of "CHIEF OIL GAS LLC" gave him another $2m, and so on for another 45 big donors. Presumably they're hoping that he'll become president and then remember them as his supporters. In short, they're trying to buy an election.

(Not that it worked, in this case. Bush is at 3% in the latest polls, in sixth place, right behind Rand Paul. LOL!)

Bobby Jindal, by contrast, has just one single big donor: a guy named Gary Choest, who gave him a nice round one million dollars. But unlike Jeb, Bobby Jindal was never expected to win. He was never in any danger of becoming the Republican nominee, let alone president --- so why would someone discard $1m like that on an extreme long shot?

Gary Choest's company gives a clue: EDISON CHOEST OFFSHORE. Offshore means offshore drilling, and a lot of that happens in the Gulf of Mexico. Sure enough, they're based in Louisiana, where Bobby Jindal is governor.

Bobby Jindal is a serious politician with real local clout. Jindal has already ended his presidential run and is back to governing. He has veto power over new Louisiana laws. He decides where bridges are built (hint: to the offshore oil hub of Port Fourchon, using some of the BP oil spill settlement money).

My guess is that Mr. Choest knew that Mr. Jindal wasn't going to be President, and gave him $1m anyway! Because running for President is fun. It flatters the ego. And it's cheap! A mere $1m wouldn't get you into Jeb Bush's top 10 donors, but with Jindal it makes you his one big supporter, the one who made the whole adventure possible. 

And for the CEO of a big offshore oil services company in Louisiana, that's got to be worth something.

Auto Pwn

Once upon a time, a software upgrade was a physical box with a CD. It looked like this:



Then the internet happened, and companies started using “update managers”.



Things got spammy. Every time you’d turn on a computer, it would ask you if you want to update Java and please upgrade to the latest Adobe Acrobat Reader.

A lot of people just ignored the upgrades, leading to version skew. (That's where people are using many different versions of the same software.)



So if you made a web app as recently as 2011, you had to make sure it works in Internet Explorers 9, 8, 7, and best of all 6. Fun!

But in 2008, Google shipped Chrome with a new invention to fix this problem.

As Chrome developer Ben Goodger explains,

Autoupdate is one of Chrome's killer features. [...] Long before we launched publicly in 2008, the autoupdate project was one of the very first we started working on. The idea was to give people a blank window with an autoupdater. If they installed that, over time the blank window would grow into a browser.

How cool is that! 

No more version skew. No popups. Every time you run Chrome you get the latest greatest version. 

There was just one problem.

It worked so well that auto update became ubiquitous. Today, the thermostat where I live auto updates itself, over WiFi. Things that used to be simple are now complex and flaky. For example, my phone will occasionally just grow a new bug one morning and, say, the camera stops working. Not all teams are nearly as reliable and careful and awesome as the Chrome guys.

Not all teams are as trustworthy as the Chrome guys, either, which means there's a much bigger problem:


Through ubiquitous auto updaters, we’ve totally pwned ourselves.

There are now probably 10+ separate organizations that can run arbitrary code on my laptop whenever they want. Same for my phone. Fundamentally, that’s how most auto update mechanisms work.

Most updaters connect to a central server, and if there’s a new version available, they automatically download it and run it.

That’s convenient, but now you're at the mercy of whoever controls that server and has that signing key (assuming they even sign updates, which not all of them do). Just last week, Kazakhstan announced they’re going to MITM all HTTPS traffic in their country. Other governments with similar impulses but a bit more subtlety can leave HTTPS alone but compel their companies to issue an autoupdate. If they want to be sneaky, they can serve a clean version to most users and a compromised version only to specific people, filtered by IP. Compelling Google to do that for you is probably hard, but what about some dude who wrote a Notepad++ plugin?

A popular program with an autoupdater is a lot like a botnet. The owners can push some code. Within a few days and without any more human intervention, millions of computers are running it. The difference is users install them by choice!


How can we fix this?

Autoupdaters aren't going anywhere. They're too useful. So the question is not "how do we get rid of autoupdaters", it's "how can we make a secure autoupdater".


If we must have autoupdaters, I’d like mine to use multisigs and deterministic builds.

It works like this: multiple people have to sign each update, say four out of a list of six trusted keys. Those are held by six different trustworthy people and organizations, the same ones who are doing the code reviews and audits. When a new version is ready, each of those six checks out the code and builds it themselves. Because it’s a deterministic build, if they’re all using the same commit hash, they’ll all get the same binary, byte for byte. Finally, they sign with their key.

This makes pwning people thru the auto updater a lot harder. There’s no single private key that one person can lose, giving an attacker that power. Getting four out of the six signers to sign an update with, say, a backdoor, is a lot harder than one.

Finally, it would add some accountability. Companies, auditors, and open source developers would be signing their name to each release. I’d like to know which people have the power to run code on my machine. Today, there are a lot of people who have that power, and I have no idea who they are.
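The 4-of-6 check described above, as an added example in Go using the standard library's Ed25519 (this is not Gitian's or bitcoind's code). Each signer hashes the binary they built themselves; because the build is deterministic, honest signers agree on the hash. The client accepts only if enough distinct keys from its hardcoded trusted list signed that exact hash. The release bytes and the six keys are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ReleaseHash: each signer builds the tagged commit themselves and hashes the
// result; a deterministic build gives all honest signers the same hash.
func ReleaseHash(binary []byte) []byte {
	h := sha256.Sum256(binary)
	return h[:]
}

// SignRelease runs on one signer's own machine with their own private key.
func SignRelease(priv ed25519.PrivateKey, binary []byte) []byte {
	return ed25519.Sign(priv, ReleaseHash(binary))
}

// VerifyUpdate is the client-side gate. sigs maps an index into the client's
// hardcoded trusted-key list to that signer's signature, so each key can count
// at most once; install only if >= threshold distinct keys signed this hash.
func VerifyUpdate(trusted []ed25519.PublicKey, threshold int, binary []byte, sigs map[int][]byte) bool {
	hash, valid := ReleaseHash(binary), 0
	for signer, sig := range sigs {
		if signer >= 0 && signer < len(trusted) && ed25519.Verify(trusted[signer], hash, sig) {
			valid++
		}
	}
	return valid >= threshold
}

func main() { // constructed demo: six signers, a 4-of-6 policy, a stand-in binary
	pubs, privs := make([]ed25519.PublicKey, 6), make([]ed25519.PrivateKey, 6)
	for i := range pubs {
		pubs[i], privs[i], _ = ed25519.GenerateKey(rand.Reader)
	}
	binary := []byte("release 1.2.3 deterministic build output (constructed)")
	sigs := map[int][]byte{}
	for i := 0; i < 4; i++ { // only four of the six signers approve this release
		sigs[i] = SignRelease(privs[i], binary)
	}
	fmt.Println("4 of 6 signed:", VerifyUpdate(pubs, 4, binary, sigs))       // true
	fmt.Println("tampered:", VerifyUpdate(pubs, 4, append(binary, 0), sigs)) // false
	delete(sigs, 3)
	fmt.Println("only 3 of 6:", VerifyUpdate(pubs, 4, binary, sigs))         // false
}
```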