A Vendor Of Security Oriented Linux Laptop

https://www.linux.com/learn/intro-to-linux/2018/3/purism-librem-13-security-focused-powerhouse-linux-laptop

Has physical switches to turn off wifi, bluetooth, camera, and microphone. Uses FOSS boot code. And more… Even shuts off the Intel Management Engine. It’s pricey though.

Jack Wallen
March 23, 2018
Purism Librem 13: A Security-Focused Powerhouse of a Linux Laptop

Purism is now shipping a line of laptops: the Librem 11, 13, and 15. The hardware can be configured all the way up to an i7 CPU, 16GB of RAM, and 2TB SSD internal storage. So Purism isn’t skimping on power.

There’s more. The Librem 13 and 15 laptops now ship with the addition of the Trusted Platform Module (TPM). This module is a specialized computer chip dedicated to enabling hardware-based security. With this addition, users can secure the operating system and boot process at the hardware level. And that, my friends, is the driving force behind the Librem laptops … security. In fact, you’ll find features in the Librem line that you won’t with many other laptops. But, are those features enough to make what many might consider a steep price point worth it (Librem 11 starts at $1,199, the Librem 13 at $1,399, and the Librem 15 starts at $1,599)?

Let’s take a look and see.

NOTE: The laptop shipped to me for review (Librem 13 with 16GB RAM and 250GB SSD) retails for $1,707.00.

Not a price I’m likely to pay, but for folks with a fatter wallet wanting a quick answer, this looks decent.

The switch on the left is a killswitch for wireless and Bluetooth. The killswitch on the right is for the camera and microphone. A killswitch for wireless is actually fairly common on laptops. Traditionally, it was thought these switches made it easier for laptops to conserve battery. If your battery was dangerously low, you could switch off the wireless to make those last dregs of power last. On the Purism Librem laptops, these switches are all about privacy. If you’re working remotely, and you suspect the slightest bit of impropriety, quickly move both switches to the off position and your wireless, Bluetooth, camera, and mic will no longer function. But, unlike some other laptops you’ve installed Linux on, when you move those switches back to the on position, the hardware actually functions as expected.

That’s yet another bonus of the Librem laptops—the hardware works out of the box. You close the lid, and Linux suspends. The backlit keyboard works perfectly. Shut off wireless and (when you turn it back on), the laptop doesn’t require a reboot to get wireless working. Although that should be a given, with many laptops, it’s not the case.

There was only a small complaint about the trackpad being less than perfect. I’d expect that to improve over time. Trackpads are becoming much more common these days.

During the installation, you will be prompted to configure a password for disk encryption. You are not offered the option for disk encryption … you have no choice. This means, every time the laptop boots, you will be required to type your encryption password; otherwise, the boot process will not continue.

Purism has also done some work on the kernel level. They’ve done the following:

Included a patch for Meltdown and Spectre

Neutralized Intel’s Management Engine

AppArmor activated by default

Even before the kernel boots, Purism has opted to use Coreboot, for a fast and secure booting process.

Out of the box, the Librem laptop makes use of Purism repositories. Although I don’t mind this one bit, I have found that updating and upgrading software is significantly slower than it is on other machines on the same network. Also note: those out of the box repositories don’t include the likes of Firefox. Why is that significant?

Pure Browser

The only other (obvious) user-facing change to be found is within the web browser space. The Librem ships with a fork of the Firefox browser (developed by the Trisquel development team), called Pure Browser. This take on Firefox does the following:

Blocks third party trackers and advertisers by default.

Uses HTTPS wherever possible by default.

Is Free/Libre Open Software (F/LOSS).

Never “phones home” any personally identifying information surreptitiously.

Sounds to me like they’ve done their homework…

The conclusion

I have to say, I came out of my Librem 13 experience really impressed. Not only is the laptop top notch, the PureOS distribution does an outstanding job of adding to the security features baked into the hardware. If you’re seriously concerned with mobile security, the Purism Librem 13 or 15 would serve you well.

Their web site: https://puri.sm/

They also make a security oriented phone:
https://puri.sm/shop/librem-5/

Librem 5 – A Security and Privacy Focused Phone

Funding Goal: $1,500,000

Funds Raised: $2,738,235.10

Raised Percent: 182.55%

Short Story

Librem 5, the phone that focuses on security by design and privacy protection by default. Running Free/Libre and Open Source software and a GNU+Linux Operating System designed to create an open development utopia, rather than the walled gardens from all other phone providers.

A fully standards-based freedom-oriented system, based on Debian and many other upstream projects, has never been done before–we will be the first to seriously attempt this.

The Librem 5 phone will be the world’s first ever IP-native mobile handset, using end-to-end encrypted decentralized communication over the Internet.

Note: This was an “all-or-nothing” campaign, but we crossed well over the $1.5m goal, and will be delivering on the Librem 5 phone. If you would like a Librem 5 you can simply pre-order one of the appropriate rewards now, and we will add you to the shipping queue!

Golly!! If I’d known you could get a couple of $Million for a devo effort, I’d have started one! No idea what the price might be or when it is expected to become available. Looks like basically just a Linux with an IP Phone app on it. One presumes it has some kind of Telco based “hot spot” for the wireless connectivity built in.

I actually made a “proof of concept” kluge like that in concept about 3 years back. That Walmart $10 IP phone gizmo, a $10 regular phone handset plugged into it, and a hotspot. Instant luggable IP phone ;-) Even if a very dumb one…

I still have the parts. In theory I could do it again. But making a secure smarter and smaller phone would be better.


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons" are the mythology of Climate Change and ancient metrology; but things change...

10 Responses to A Vendor Of Security Oriented Linux Laptop

  1. Eric Fithian says:

    Just looked at pureos.net
    Seems their Debian comes infested with “systemd” ….
    Gotta be some mosquitos in Paradise, eh?

    Thanks.

    I’ll stick with eLive, which strained and finally has Version 3.0 out — and no “systemd” . . . !

  2. seabrznsun says:

    Thanks for information. I think this is something that I would be interested in getting. I like the kill switches. There is nothing worse or more intrusive than thinking your device is off and finding ads within sites you visit or emails that got past the intended screening mechanism which appear next time you’re online that’s related to something you were discussing near your turned off device.
    I already have my camera lens covered; but I haven’t been able to muffle the mic to prevent my device from “listening”. It’s very disconcerting. I also think the F/LOSS is a real bonus! The price seems well worth the price as far as I can tell. What’s not to like?
    Well, Eric seemed concerned with systemd. I had to look around to see if I could find out what systemd was and what the issues might have been. There were six of one and half a dozen of another complaints and rebuffs. I couldn’t figure it out in detail but found two good articles that helped me see systemd likely wasn’t an issue for me and my needs.

    https://www.pcworld.com/article/2841873/meet-systemd-the-controversial-project-taking-over-a-linux-distro-near-you.html

    https://wiki.debian.org/Debate/initsystem/systemd

    Thanks again Chief for all your work. I’m beginning to learn a tad. I’ve got miles and miles to go; but I have my walking shoes on.

  3. E.M.Smith says:

    @Eric:

    As there is a path to upgrade a Debian to Devuan, and be rid of SystemD, I’d just sort of assumed that was what I’d do if I had one of these…

    Not looked at eLive (so many Distros, so little time ;-) so what makes it special?

    @seabrznsun:

    THE major issue with SystemD is just that there is no need for it to be taking over so many critical functions and putting them into one gigantic ball of inscrutable code only understood by a couple of people on the planet. It violates the “if it ain’t broke don’t fix it” and the “Keep It Simple Stupid” or K.I.S.S. principles.

    The consequences of this are a half dozen new and bizarre system failure modes that have shown up (some unrecoverable without a crash / restart – shades of Microsoft…) and the problem that it is now impossible to really KNOW there isn’t some hidden security issue lurking in that mess. This is my main reason for wanting it gone.

    Then the “comfort issue” is that it capriciously changes how most of the most important systems administration tasks are done. System V init methods have been around since about 1982 or some such (prior to that was the rc.d type that is still in BSD and Slackware). I still use the same commands and options I learned then. So now someone wants to say “Everything you know is wrong. Start over.” Nope, not seeing the gain in that.

    Then the sidebar issue is that these changes FORCE application writers to comply with their new “bright idea”. Now the applications guys have to choose to maintain parallel incompatible versions or remove my “init freedom” by only coding for one init system. A choice of two evils (and one that need not have been forced on them had systemD been even 1/2 smart.)

    So the good:

    SystemD does work. It is a little faster at boot time (that matters to places like Amazon and Microsoft running millions of Virtual Machine instances that they want to boot in seconds, but is irrelevant to me at home or work in small to medium sized shops.). In theory it could give more fluid control of the system status (IF you can ever figure it out and IF it worked as advertised and IF it didn’t step on its own toes so much).

    The Bad:

    It’s a PITA to use, especially to folks who have any notion of how a *Nix ought to work, at the administrator level. (This also means looking up a how to page – of which there are millions and millions, will now often give incompatible advice to the novice). It is a giant cluster F* of code that WILL have significant unknown failure modes and security risks. It is NOT needed at all. It has persistent “mission creep” and is slowly becoming a de facto OS that *nix services make requests of, perniciously creeping into applications too. The folks pushing it know this and love expanding it even more.

    Personal Issue:

    IMHO, it is a product of TPTB trying desperately to get entry points into the Linux world where they can insert the same kind of PRISM crap that Microsoft and Intel embraced and Apple has slowly been beaten into accepting. Were I going to bypass Linux security, I would first make UEFI, then shove SystemD into the OS, and then bugger the chips (“management engine”). We’ve seen all three and NOT because me, the consumer, asked for them… so who did?

    Sidebar On Use:

    I’ve got a couple of SystemD infested systems I use. Not my main ones. Not anything with major security needed. Why? 1) To learn it. (The argument that Old Systems Admins are against it just because they are too lazy to learn is bogus.) 2) To evaluate if the suspicions are valid. 3) It DOES work, so for some low use low risk system, why fight with converting it? So some “boot to browse then reset” chip is fine that way. Any crap that crawls in gets a reset anyway. 4) Some experiences can only be had on systems that have “gone that way”. Want that platform, you deal with it.

    So, for example, I’ve got Armbian running on an Orange Pi. That’s the OS that works best on it (as of my evaluation a year-ish ago). I did show I can do a Devuan “uplift” on it, but the optimizations of the Armbian folks get a bit buggered. As it sits behind 2 firewalls and does a job that has zero internet connectivity, and gets my attention for about 10 minutes a /year… why spend the time fighting to make Armbian SystemD Free? So that minor use dirt cheap board is left with SystemD on it. I treat it as a closed appliance anyway.

    For my main desktop “boxes”, I used a SystemD free OS. Devuan on the R. Pi systems. An uplifted Armbian on the Odroid (as the Devuan Odroid release has not loved me on the XU4. It’s an XU3 port and the claim is they are binary compatible, but something isn’t quite right. Maybe next release ;-) I’m waiting for a good Devuan on the XU4.

    I’m way “back level” on the Android Tablet, so it doesn’t have SystemD. Eventually it might (I don’t know what the Android folks’ plans are) but by that time it will be unable to be upgraded anyway and I’ll put a *Nix on it. (Which one TBD at that time as things will have changed). It’s about 5? Maybe 6 years old now and many Apps report they will not run on it now. So limited lifetime ahead of it. Will there even be a non-SystemD *Nix for it when the time comes? As I use it for “disposable things” (like web browsing in coffee shops) I really don’t care what it runs.

    The old MacBook I use is also significantly back level and can not be upgraded. It will eventually die “as is” (the keyboard is already worn through to white plastic on about 1/4 of the keys and the SSD died – which is why I got it – so it boots from an SD card image. It’s down to CPU, memory, and display already…) or I’ll finally succeed at putting a *Nix on it. (So far all my attempts have hung on the fact it doesn’t have wired network, so you must get WiFi working step one, which needs things from the network… oh Doh!… or you could put them in via USB – which is booted from USB / SD adapter and has target SD in the only OTHER USB port… so I would need to disassemble something else to put a USB hub on it and it’s just not important enough to bother.) IF I ever get a *Nix to run, it will be whatever it is. I’m more likely to do a DIY laptop as this thing slowly collapses. I use it as it was “free to me” and it’s an OK *Nix on Chromebook analog. (What I was going to do before this came my way).

    Into that mess goes “Moving To Florida” – so a lot of this old “Reuse the junk” kit is likely to hit the bin on the way to the moving truck… Why take 6 old White Box PCs with early AMD Pentium class chips and 64 MB of memory that run a kernel that might have a security exposure all the way to Florida? Nostalgia? Not booted them up in the last 3 years… and that was just to assure I’d sucked all the data off them. (OTOH, they are clean hardware without buggerage or buggered bios… or SystemD… or…) My R. Pi stack has much more performance and power and runs Devuan native… in a space the size of a 6 inch Subway sandwich… So “when the time comes”, I’m likely going to one newer laptop, and a Pi Stack, and call it done.

    In Conclusion:

    Like all things Computer or Security, it’s a compromise of goals. Yes, I hate SystemD as a brain fart of a system design that’s a massive risk. It is betting that the writer of it is nearly perfect, and just looking at the design of it screams Brain Fart; so that’s not likely. At the same time, it mostly works and everything has some kind of security exposure, while replacing it is still a bit of a PITA; so you choose the lesser PITA. Tolerate it some places of low exposure (to attack or to me ;-) and put in the effort to avoid it on major platforms you use a lot and for exposed to the internet uses. IF a real security AwShit shows up, the folks making this kind of security laptop would rip it out in a heartbeat… and I’d expect to use that hardware for a decade, so plenty of time for a Devuan port to show up on it ;-)

  4. Eric Fithian says:

    I *very much like* (by the way) that Purism neutralized Intel’s Management Engine; it seemed, when I first read of that Ghost in the Machine, that there had to be some way, in Linux, to choke off that nefarious scheme…!

    Why eLive?
    Call it Inertia: I wound up there, as I like the Enlightenment window manager, and I had to Go Somewhere after Novell swallowed SuSE…

    I have my audio editors (Windows environment, on WINE) running on eLive 2.0 on my 11-year-old laptop, though the Online Experience through that OS is getting slowly discombobulated by the online transition to HTTPS-everything.
    Outdated SSL certs, and I had failed to find what to Update.

    I am still hoping to make a transition to a newer version, and keep the audio-editing workable, as that keeps my music collecting reasonably current…
    …and the Old-Time Radio shows I overhaul, before listening to them….

    I do most of my online reading with Links2, with Mozilla’s Iceweasel 31.3.0 for the “SSL error” pages.
    Qwant put a blurb up a week or so ago: they are the default search engine on the new Brave browser; it will be Interesting to try that out, on eLive 3.0.
    I seriously doubt I can install Brave on this older Beta (2.5.8) of eLive, as the libraries are aging….

    All that said, it is still Wonderful to hit http://www.thelivecdlist.com (updated 2017??), and take one’s pick of OSes for a Test Drive…!

  5. seabrznsun says:

    Thanks Chief. I’ll just stay where I am until something better comes along. Dang I sure hate the mic though. I can’t tell you how many times I’ve been talking about something only to see pop up ads offering remedies as they scroll top or bottom of web sites. It’s just spooky to know my iPad listens to my conversations.

  6. H.R. says:

    Start talking about jihad, seabrznsun. See what ads pop up.

    Maybe, “Goats For Sale?”

  7. Larry Ledwick says:

    On digital security related issues:

    https://www.theregister.co.uk/2018/10/01/nz_border_customs/

    Just an idle ponder here, design a smart phone which has two passwords for access, one password opens up the real stuff you do, and the other password like a valet key for your car, opens up a restricted plain jane phone, and lets them poke around the phone but only see a sterile default system.

    Technically I see no reason someone who wanted to block such invasive practices could not develop such a configuration.

  8. E.M.Smith says:

    @Larry:

    The direction I’m going is a removable mini-SD card that’s encrypted. One pwd for the phone, a different one to mount the SD card (where you put anything you want to keep private – I do this already minus the encryption on the tablet. I’d encrypt it but their encryption is horrid.)

    The alternative is a steganographic file system. One file system with 2 or more decryption passwords. Nobody but you knows how many levels are real. It was already written some time ago and I’ve saved copies of the source code. It looks like it has now moved to Source Forge if the name has stayed the same (and originally out of Italy like this one… so I think it’s the same)

    TCFS Transparent Cryptographic File System

    https://sourceforge.net/projects/tcfs4/
    http://www.tcfs.it/

    So yeah, pretty easy to do it given the code base already exists…

  9. ossqss says:

    Just curious EM, what are you protecting that is that important? Sandboxing, white listing, CSP and other stuff is out there. Most sites or apps I use, I can limit or authorize access to with standard OS stuff to a great degree. All my banking is done via secured connections etc.. I use Touchdown for my email that segregates business email from the rest of my mobile devices to eliminate the need to encrypt the whole thing. Changing phones with full encryption in place was a major PITA. Just sayin, I don’t think I have much anyone wants outside of business. Just my toss out for feedback.

  10. E.M.Smith says:

    @Ossqss:

    Well, not nearly as much as I needed to protect in the past. But old habits die hard.

    So start with remembering my professional roles. Systems Admin. Private Consultant. Security Guy. Management. Then ask what happens if the data those roles use “leaks”.

    Yes, for most folks the thing they need to protect most is their “porn” stash. Personal reputational damage (or in some locations IF they decide it LOOKS LIKE an underage person even if a cartoon you go to prison and get permanent tracking). But a similar reputational damage problem exists for the “security guy”. How many contracts do you think you will get if “Site Hacked After FOO Consulting Lost Data” is what attaches to your name? Eh? A “lack of money prison” for life…

    So first off it was (and might be again if I pick up new gigs) things like:
    Network Diagrams and Architecture.
    Router Configurations.
    Passwords.
    Site Photos, maps, floor maps of server locations, physical deficiencies.
    Server Lists (and security configurations)
    Results of Tiger Team attacks and port sweeps. (i.e. “Attack here, it’s open” lists…)
    Make and Model of security features (like IDS / IPS systems and their configs).
    etc. etc.

    Then there’s organization stuff:
    Contact lists. Phone numbers. Notes about personnel.
    Organization Charts (official or my hand made for me bits)
    Personnel Reviews. Reprimands. Bonus amounts.
    Saved email bits.
    Contracts, proposed, accepted, signed, rejected, bids outstanding
    Finances / Budgets.
    Meeting notes.
    etc.etc.

    In short, anything and everything to do with the Client and my work for them, along with My Company docs and work product. (And any Vendor information – bids, RFP results, etc. IF you ever burn a vendor with a competitive leak, it will not go well with them in the future.)

    PII Stuff:
    In most cases Personal Identifying Information is a crime if you let it out, but certainly reputation destroying. So Names, Addresses, Phone, Credit Card# of any of MY clients or of THEIR clients and customers. (Yes, I’ve had this in my possession as part of a contract before. You look to see where FOO data goes and “there it is” and you need to show the client “this was where it ought not be”…)

    Essentially anything to do with work in any way ought to be held confidential.

    Personal Stuff:

    Nobody in any border station needs to read my email to the spouse saying I don’t like her brother, or the letter from my daughter with “Dad Issues”, or my Son getting all soft over his kid. Just not their business. They don’t need to know I have a weakness for {whatever} to be used against me or for bribes (though really good Scotch is a start ;-)

    Notes To Self are TO SELF. Nobody else.

    Personal draft legal documents – like wills, contracts, homes you want to buy / sell. All private.

    Stock Portfolio ideas and changes.

    Anything personally financial, really.

    Even my spreadsheet of cars and what tires they take. (Paranoid? Maybe… but it is not some snoop’s business how many cars, of what kind, and what tires they use.)

    Home network layout, passwords, hardware, etc. etc. as above for client sites.

    Saved archive of pictures, videos, texts, PDFs etc.etc. As copyright laws change from nation to nation and some folks can be ‘vigorous’, better to have it pulled and locked up prior to departure.

    My photographs. Nobody needs to know where I was when taking pictures of what. Yes, it is mostly boring stuff like a series of clouds as you cross the country or some odd BBQ place & signs in the back country where the food was good. BUT, they don’t need the metadata about when and they don’t need to know I like pulled pork. Besides, it is easier to just lock down all of it and not worry if there’s one picture of a secret CoLo location or map to it in the mix.

    There’s more but I think you get the idea.

    My basic rule is that if it didn’t ship with the vendor or is not just incidentally in transit as a new document being worked on now; it ought to be on removable media and left at home on a flight to anywhere (any time you go through “inspections” really).

    But what else would you expect from a “Security Guy”? 8-)

    FWIW, once, while bored at a client site (I’d gotten all my work done and needed to stay sitting there on an “availability charge”) and being the kind of person who doesn’t do “nothing” well: I figured out how to put all the Microsoft Outlook (LookOut!) files on a removable thumb drive. So ALL my email and saved email and stuff landed there instead of on the hard disk. Useful for a few reasons. First off, you don’t need to scrub the disk to make the bits go away (deleting is NOT enough) and second you need not leave bits on a “shared workstation” with the contractor du jour being assigned to it. Then for the next dozen months worked exactly that way (more to see if issues developed than for any actual need). So in that case the “dongle” was all the email to / from me for that particular site / contract and it was easy to secure it at the end of the business day. Unplug and into the locked briefcase. Nothing can leak. Nothing can be hacked.

    Now that’s not my usual “need”; but it does indicate a mindset and approach. Sure corporate Outlook is reasonably secure… BUT, I know how to boot a Knoppix in this station and get into the bits saved by any other user in the Contractor Pool. “Is there a way to stop that?”… leads to a solution… Most “Security Guys” work like that. Playing the ‘reflective game’ of how do I defeat myself… FWIW, that same site had hardware locked down and logins and such locked, so in fact a Knoppix was hard to boot. HOWEVER, I was able to run a VM application from a USB stick and in that virtual machine launch Solaris (yes, Solaris on a PC in a VM … slow but it goes) and then using that, see the disks…

    And yes, I’m sure glad I’m not up against me ;-)
