Open Source

For most Linux desktop users who want a ready-to-run Linux laptop, I recommend the latest high-end Dell XPS 13. I can also suggest System76 or ZaReason PCs or laptops for those who want top-of-the-line Linux hardware. But if privacy, security, and free software are at the top of your “Want” list, then you should check out Purism, maker of free software and Linux-powered laptops, and its next-generation Librem 14 laptop.
This newest model, which is scheduled to ship in early Q4 2020, comes with the following hardware:
Screen: 14-inch matte 1920×1080
CPU: Intel Core i7 10710U, 6 cores and 12 threads
RAM: up to 64GB
GPU: Intel UHD Graphics
Network: Wi-Fi and Gigabit ethernet card with built-in RJ45 connector 
Storage: 2 x NVMe-capable M.2 slots
External Monitor Support for two displays via HDMI and USB-C
Power:  USB-C power delivery besides a standard barrel connector
It’s default low-end configuration with 8GB of RAM and a 250GB drive is available for pre-order now with an “early bird” base price of $1199. Later, the same model will, it appears, sell for $1,499.
But you’re not buying a Purism laptop for its price or hardware specs as you might any other computer. You’re buying it because it puts security and free software first. It starts with PureBoot.
This disables part of the Intel Management Engine, so only the essential code for your PC to boot is left. For the BIOS firmware, it uses Coreboot, a free software BIOS replacement. 

The laptop, and other Purism hardware, also comes with a Trusted Platform Module (TPM) chip. This is used by Heads, Purism’s tamper-evident boot software that loads from within Coreboot and uses the TPM and the user’s own GPG keys to detect tampering within the BIOS, kernel, and GRUB config. You can use this with the company’s two-factor authentication Librem Key, a USB security token. This works with Heads to alert the user to tampering with an easy “green light good, red light bad” alert.
Heads is an open-source computer firmware and configuration tool that aims to provide better physical security and data protection. It’s built on Trammel Hudson’s Heads security firmware. This firmware combines physical hardening of hardware platforms and flash security features with custom Coreboot firmware and a Linux boot loader in ROM.
While still not a complete replacement for proprietary AMD or Intel firmware blobs, Heads — by controlling a system from the first instruction the CPU executes to full boot up — enables you to track steps of the boot firmware and configuration.
Once the system is in a known good state, the TPM acts as a hardware key to decrypt your LUKS encrypted drive. Additionally, the Xen hypervisor, Linux kernel, and initial ramdisk (initrd) images are signed by user-controlled keys. 
Purism’s Debian Linux-based PureOS uses a signed, immutable root filesystem. With this, software exploits that attempt to gain persistence should be detected. While these improvements can’t secure your laptop against every possible attack vector, they harden it against several known classes of boot process attacks.
PureOS is one of the few GNU/Linux distributions to be endorsed by the Free Software Foundation (FSF). PureOS earned this, according to Donald Robertson, FSF Licensing and Compliance Manager. “An operating system like PureOS is a giant collection of software, much of which in the course of use encourages installation of even more software like plugins and extensions. Issues are inevitable, but the team behind PureOS worked incredibly hard to fix everything we identified.”
This Linux distro uses the GNOME desktop. Currently, PureOS uses the Firefox Extended Support Release (ESR) as its default web browser on PureOS 9 Amber. But the company is moving to the GNOME Epiphany web browser in its next release, PureOS 10 Byzantium. With both, Purism edits the programs to make them more free-software friendly and more secure. 
To help lock down its applications, PureOS comes with some programs secured with AppArmor. This, like SELinux, is a Linux security system. It binds access to programs rather than to users via Linux kernel loaded profiles. Purism also uses the Flatpak packing system for extra security. Flatpak installed programs, like Snap, run in containers, so they can’t interfere with each other. 
Last, but not least, Purism comes with hardware kill switches to physically disconnect the camera and mic and/or Wi-Fi and Bluetooth to keep snoopers away.
For those who are truly paranoid, you can use Purism’s anti-interdiction services for added security in transit to verify your new laptop has not been tampered with during shipment.
Todd Weaver, Purism’s CEO and founder, said: “I am beyond excited to see the Librem laptop journey arrive at the build quality and specifications in the Librem 14. This fifth version of our line is the culmination of our dream device rolled into a powerful professional laptop. We have invested heavily so every customer will be proud to carry our laptops, and the Librem 14 will be the best one yet.”  
I’ve been using Purism’s Librem 15 myself over the last few months. This system, which comes with a 3.50GHz Core i7 Kaby Lake Processor, 8GB of RAM, and a 256GB SSD, has worked well for me. I’m sure that, for any user whose top requirements are security and free software, the new Librem 14 will make you happy, too.
Related Stories: More

Outsourcing key banking data and services to a small number of cloud service providers means that those providers have the power to dictate their own terms.  
Getty Images/iStockphoto
Banks’ growing reliance on cloud computing could pose a risk to financial stability and will require stricter oversight, according to top executives from the UK’s central bank. In a report focusing on financial stability in the UK over the past few months, the Bank of England drew attention to the increasing adoption of public cloud services, and voiced concerns about those services being provided by only a handful of huge companies that dominate the market. Outsourcing key banking data and services to a small number of cloud service providers (CSPs), said the Bank of England, means that those providers have the power to dictate their own terms, potentially to the expense of the stability of the financial system. 

For example, cloud providers might fail to open up the inner workings of their systems to third-party scrutiny, meaning that it is impossible for customers to know if they are ensuring the level of resilience that is necessary to carry out banking operations. “As regulators and people concerned with financial stability, as (CSPs) become more integral to the system, we have to get more assurance that they are meeting the level of resilience that we need,” Andrew Bailey, the Bank of England governor, told reporters in a press conference.  In the past years, financial institutions have accelerated their plans to scale up their reliance on CSPs. From file sharing and collaboration to fraud detection, through business management and communications: banks have used cloud outsourcing both to run software and access additional processing capacity, and to support IT infrastructure. Until recently, cloud services were used mostly to run applications at the periphery of banking operations, such as HR systems with no direct impact on financial services. According to the Bank of England, however, this is now changing, with CSPs being called in to process operations that are more integral to the core running of banks.  

“We’ve crossed a further threshold in terms of what sort of systems and what volumes of systems and data are being outsourced to the cloud,” said Sam Woods, the chief executive officer of the Prudential Regulation Authority (PRA). “As you’d expect, we track that quite closely.” Last year, the Bank of England opened bidding for a cloud build partner, with the goal of creating a fit-for-purpose cloud environment that could better support operations in a digital-first environment. At the time, the institution said that it had already been in talks with Microsoft’s Azure, Google Cloud and Amazon’s AWS, and that it would likely be targeting Azure in a first instance. The possibility of adopting a multi-cloud strategy was also raised. There are many benefits to moving financial services to the public cloud. For example, while using old-fashioned, on-premises data centers incurs extra expenses, a recent analysis by the Bank of England estimated that adopting the ready-made services offered by hyperscalers could reduce technology infrastructure costs by up to 50%. Another advantage of public cloud services is that they are more resilient. The sheer scale of CSPs enables them to implement infrastructure that integrates multiple levels of redundancy, and as such, is less vulnerable to failures.  Moving to the cloud, therefore, is not intrinsically detrimental to banking services – quite the contrary. But the main sticking point, according to the regulators, lies in the concentration of major players that dominate the cloud market. According to tech analysis firm Gartner’s latest numbers, the top five cloud providers currently account for 80% of the market, with Amazon holding a 41% share and Azure representing nearly 20% of the market. “As of course a market becomes more concentrated around one supplier or a small number of suppliers, those suppliers can exercise market power around of course the cost but also the terms,” said Bailey.  “That is where we do have a concern and do have to look carefully because that concentrated power on terms can manifest itself in the form of secrecy, opacity, not providing customers with the information they need in order to be able to monitor the risk in the service. And we have seen some of that going on.” As Bailey stressed, part of the reason for CSPs to remain secretive comes down to better protecting customers, by not opening up key information to potential hackers. But the regulator said that a careful balance has to be maintained on transparency, to enable an appropriate understanding of the risks and resilience of the system without compromising cybersecurity. Leighton James, the CTO of UKCloud, which provides multi-cloud solutions to public sector organizations across the country, explains that these issues are not unprecedented, and it is unsurprising to see them trickle down to the financial services. “We’re anxious about cloud providers becoming so big that the terms and conditions are pretty much ‘take it or leave it’. We’re definitely seen that happening already in the public sector, and we can definitely see it happening in the financial services sector if we are not careful,” James tells ZDNet. According to James, part of the risk stems from traditional banks attempting to compete against new disruptive players in the sector. Financial institutions are now rushing to overhaul their legacy infrastructure and catch up with the digital-native customer experiences that were born in the cloud and are now widely available thanks to fintech companies.  “It’s clearly imperative for the financial sector to modernize and adopt digital technologies,” says James. “The question becomes how best they can do that by balancing the risk of digital transformation.” And in this scenario, the risks of placing all of banks’ eggs in a handful of CSP’s baskets is too high, argues James.  The Bank of England has similarly urged financial institutions to exert caution when developing their digital transformation strategies, and is currently in talks with various regulators to discuss how to best tackle those risks. With cloud concerns widely shared by other nations, especially in the EU, those discussions are likely to become international, and the UK’s central bank predicts that global standards will be created to develop a consistent approach to the issue.  More

Credit: ReFirm Labs
Microsoft has acquired ReFirm Labs, the developer of the open-source Binwalk firmware security-analysis product, for an undisclosed amount. Microsoft officials announced the deal on June 2, saying that the acquisition of ReFirm will “enhance chip-to-cloud protection” capabilities that Microsoft offers on the IoT front. Fulton, Md.-based ReFirm Labs says that its Binwalk open-source technology has been used by more than 50,000 organizations worldwide. (The ReFirm team introduced Binwalk Open Source in 2010 and founded Refirm Labs in 2017.) Its tagline for Binwalk Enterprise is “Find the holes in your device security before attackers do.” Microsoft is touting ReFirm as enabling it to better provide firmware analysis and security on intelligent edge devices, ranging from servers to IoT. “The addition of ReFirm Labs to Microsoft will bring both world-class expertise in firmware security and the Centrifuge firmware platform to enhance our ability to analyze and help protect firmware backed by the power and speed of our cloud,” according to Microsoft’s blog post. Microsoft already offers Azure Defender for IoT and recently acquired CyberX to help bolster IoT security. Microsoft officials said last June that CyberX’s technology would provide a complement to other Microsoft Azure IoT services, as well as products like Azure Sentinel in a way that will help identify threats that may span converged IT and operational technology (OT) networks. More

Missouri governor Mike Parson is facing criticism from technologists and journalists after he issued a scathing, technologically inaccurate statement threatening to arrest a reporter for discovering that the social security numbers of school teachers, administrators and counselors across Missouri were vulnerable to public exposure due to flaws on a website maintained by the state’s Department of Elementary and Secondary Education.St. Louis Post-Dispatch reporter Josh Renaud wrote a story on Thursday indicating that the newspaper discovered issues with a web application that allowed anyone to search through a database of certifications and credentials belonging to more than 100,000 of the state’s teachers. Payment data and social security numbers were also vulnerable due to the issue. The newspaper contacted the department and the pages were removed. All of this was done before the story was published to give the state time to rectify the vulnerability. The newspaper also held off on publishing the story to allow other state agencies to fix similar vulnerabilities in other web applications. State officials said they were investigating how long the data was exposed. But later in the day, Parson held a press conference where he bashed Renaud and the newspaper, threatening legal action for their decision to notify the state about the issue. He then doubled down on the threats in a Twitter thread that drew widespread ridicule and outrage from technology experts who questioned whether the governor and his team truly understood what they were discussing.Parson claimed that “an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.” He said his office notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit and ordered them to investigate what happened. 

“Upon receiving this notice, DESE immediately contacted the Missouri Office of Administration ITSD, who programs and maintains the web application, to remove public access to the portal and update the code. This matter is serious,” Parson wrote. “The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so — in accordance with what Missouri law allows AND requires. A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code.” Parson went on to say that Renaud committed an offense because it is a crime to “access, take and examine personal information without permission.””This data was not freely available and had to be converted and decoded. The state does not take this matter lightly and we are working to strengthen our security to prevent this incident from happening again,” Parson said. “The state is owning its part, and we are addressing areas in which we need to do better than we have done before. We will not rest until we clearly understand the intentions of this individual and why they were targeting Missouri teachers.”Other local news outlets noted that Parson has long expressed a deep hatred for the state’s major news outlets over their coverage of his handling of the COVID-19 crisis and his penchant for doling out no-bid contracts. Even members of Parson’s own party criticized him for his statements, with Republican Rep. Tony Lovasco writing on Twitter that it was “clear the Governor’s office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities. “Journalists responsibly sounding an alarm on data privacy is not criminal hacking,” Lovasco said. The St. Louis Post-Dispatch defended Renaud in a statement and said he did the right thing by reporting his findings to DESE before it could be exploited.”For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded,” said the newspaper’s lawyer,  Joseph Martineau, in a statement provided for Renaud’s story. 
Governor Parson
The governor’s statements were thoroughly bashed by experts who noted that what Renaud did was as simple as pressing the F12 key on certain devices. BreachQuest CTO Jake Williams told ZDNet that organizations should be careful not to shoot the messenger when security vulnerabilities are disclosed. “This is certainly not hacking in any sense of the word. It appears that the reporter used a publicly available web application intended to facilitate searching for teacher certifications. When the results were displayed, the reporter simply viewed the source code of the web page and found the social security numbers,” Williams said.”While Governor Parson said the reporter ‘decoded the HTML source code’ in reality they simply used the feature built into every web browser since the dawn of the Internet. Because HTTP is stateless, many web applications store their status in hidden form fields so they can be passed from the browser back to the server with every request. It seems likely that these hidden form fields included the social security number of the teacher. The question of whether this was a crime might be more black and white if the reporter had enumerated all records before reporting the issue.” Williams noted that even Parson’s mention of only three records taken seems to contradict any malicious intent. He added that instead of focusing on this so-called hacking, Parson should be concerned about the security of the state’s applications, particularly those that are available for public use. Renaud’s story noted that the state has previously faced criticism for its data collection practices. “Finding a flaw like this in 2021 should frankly be embarrassing for the state. It wouldn’t be the first time that a politician has fired on all cylinders claiming that accessing publicly available information was hacking,” Williams said. “Threatening a reporter with legal action is almost always a bad idea and usually creates an unintended Streisand Effect.”Vectra technical director Tim Wade said the situation underscored the need to protect security researchers operating in the public good and the backlash they typically face for discovering vulnerabilities. The outrage directed toward those who discover data loss and vulnerabilities needs to be redirected to the root causes of why these security failures continue to occur to the detriment of individual safety, Wade added.  He noted that most courts recognize limits to protections from unlawful search when activities occur clearly in a public context and explained that it’s hard to imagine that the low-technical sophistication of the behaviors described, with a tool as common as a web browser, constitutes anything but the digital equivalent of observations made in a public context.John Bambenek, principal threat hunter at Netenrich, said government leaders should be thanking people who notify their government of problems, not threatening them.”Throughout human history, emperors have responded to those telling them they were wearing no clothes by lashing out in anger at the audacity of those who’d dare say such a thing,” Bambenek said. “Life would be better if they, you know, just put on pants. I’m sure every actual criminal hacker on the planet noticed this tirade and you can bet their adjusting their targeting accordingly.” More

Why we like it: While most payment gateways started online, Square began at the counter with a pocket-sized card reader. Over time, it’s grown into a platform that now spans software, banking, and hardware for small businesses.Every so often, I see entrepreneurs who stick with Square for more than one reason. Yes, mostly it’s their payment gateway, but many pair it with Square’s point-of-sale system, which tracks inventory, books appointments, and even rolls out loyalty programs without extra software. Also, with Square, the money you make doesn’t just stop at the checkout. Sales can drop straight into a Square Checking account, savings goals run automatically, and loans show up within minutes when cash flow runs thin. Customers get flexible options like Afterpay through which they can split purchases, while merchants see the money up-front.Also: How Square can create a best-in-class customer experienceIf you’re looking to keep your customers coming back, you can start text-message marketing for just $10 per month to send promos and updates, or launch gift cards where digital ones won’t cost you a thing, and physical packs start at 50 cents each, with starter sets getting delivered in a day.That said, Square only supports eight currencies tied to countries like the US, UK, Canada, Ireland, Australia, Japan, Spain and France. This makes Square limited for brands looking to scale their businesses. Likewise, rolling reserves can frustrate sellers who need fast access to funds.Who it’s for: -Cafes, restaurants, and retail stores that benefit from Square’s POS hardware and management tools.-Freelancers and service providers who need to send invoices or accept remote payments easily.-Local merchants who want built-in marketing, loyalty programs, and fast deposits into checking accounts.Who should look elsewhere:-Global businesses that need multi-currency support and international reach.-Enterprises with a high volume of transactions that are looking for the lowest possible processing fees.-Hybrid businesses that cross categories (like a cafe that also sells retail), since Square’s plans can be restrictive.Square features: Hardware choices like handheld readers | Remote payments | Team tools like payroll | Developer APIs | Encryption and fraud prevention More