On 04/12/2021 15:56, Spiros Bousbouras wrote:
> On Mon, 29 Nov 2021 14:34:56 -0500

Sprios, where are you located country wise?

On 12/4/2021 11:00 AM, Spiros Bousbouras wrote:
> On Sat, 4 Dec 2021 15:56:11 -0000 (UTC)
> Spiros Bousbouras <spibou@gmail.com> wrote:
>> On Mon, 29 Nov 2021 14:34:56 -0500
>> Paul <nospam@needed.invalid> wrote:
>>> Is there a specific objective this computer has to meet ?
>>> Is it running the heating system, recording security video,
>>> stuck in the loft ?
>>
>> General desktop usage : writing text , computer programming (nothing too
>> long) , watching videos and DVDs , listening to audio CDs , internet browsing
>> (mainly with a text browser.I'm not worried about slowness with a graphical
>> browser so lets not get stuck on that) , running chess engines (I don't need
>> maximum performance). See also <A+E9DrGA11MTXVeuJ@bongo-ra.co> in this
>> thread.
>
> I describe my current usage also in <kAJYUx0G5jRDy4UK5@bongo-ra.co> .
>
>> I also have an external hard disk which I connect through a USB port. The disk
>> mostly has videos in 360p or 720p resolution and I want the transfer rate to
>> be good enough that I can watch them at normal playback speed (using mplayer) .
>>
>> I also want to be able to connect a DVD reader/writer ; no need for blu-ray.

The playback of videos seems the most demanding thing.

The reason I advocate for hardware acceleration, is there
is a lot of variation in the software code written for
the decoding of video. There can be a 10:1 difference between
the best and worst codes, for a particular video format.

This might be similar to Skybucks system. The caps failed on his
two boards, so that's a negative.

https://pcper.com/wp-content/uploads/2005/11/2ce0-blockdiagram.jpg

But chipsets like that at least have PCI Express slots. You can
fit a more modern video card to get the benefit of hardware
video decoding. But even the used prices of video cards like
these, can be too high.

https://developer.nvidia.com/video-encode-and-decode-gpu-support-matrix-new

To do better on an Intel, you'd want a processor with QuickSync,
which is the Intel built-in decoder.

And AMD systems more modern than the S939 in the above block diagram
(where the RAM is connected directly to the S939 processor),
some of those have built-in graphics. Those have variously
been called "APUs", because they are both CPU+GPU. If a built-in
graphics is provided, then it can mean not having to shop for
a separate video card to reap the benefit of hardware video
decode.

Paul

On Mon, 29 Nov 2021 20:05:24 +0000
Richard Kettlewell <invalid@invalid.invalid> wrote:
> Spiros Bousbouras <spibou@gmail.com> writes:
> > Richard Kettlewell <invalid@invalid.invalid> wrote:
> >> Spiros Bousbouras <spibou@gmail.com> writes:
>
> >>> The Intel management engine and the analogous from AMD creep me out
> >>> so I want to put a computer together using old processors from
> >>> before these facilities came into the picture.
> >>
> >> Is there a reason why you don’t want to buy a current platform and
> >> disable the feature in the firmware? You might need to do a bit of
> >> research to ensure you get something where disabling it is possible
> >> but it seems a lot easier than building a computer from old parts.
> >
> > Is it possible to disable them ?
> > https://en.wikipedia.org/wiki/AMD_Secure_Technology does not say
> > anything.
>
> https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fdisablingintelamt.htm

This page is about disabling AMT :
https://en.wikipedia.org/wiki/Intel_Management_Engine :
The Management Engine is often confused with Intel AMT (Intel Active
Management Technology). AMT runs on the ME, but is only available on
processors with vPro. AMT gives device owners remote administration of
their computer,^[6] such as powering it on or off, and reinstalling the
operating system.

However, the ME itself is built into all Intel chipsets since 2008, not
only those with AMT. While AMT can be unprovisioned by the owner, there
is no official, documented way to disable the ME.^[citation needed]

Although it says "citation needed" , I find it unlikely that , if there was a
way to disable the ME , someone would not have added it to the article by now. In
any case see also

https://www.techrepublic.com/article/is-the-intel-management-engine-a-backdoor/ :
Various sources report that Intel's latest x86 chips contain a secret
backdoor. SoftPedia cites security expert Damien Zammit as revealing that
these Intel chips come with an embedded subsystem called the Management
Engine (ME) that functions as a separate CPU and cannot be disabled, and
the code is proprietary.
[...]

However, the ME contains the AMT instructions, which can function
similarly to wake-on-LAN. That means if the right person used the ME to
gain access to a machine, they could then take advantage of AMT and boot
the machine. Viola! Your PC is now readily available for someone with the
requisite skills to pick and choose what they want--this could include
company data.
[...]

The good news is that you can disable the AMT feature. Here's how.

* In the PC BIOS, go to Advance Chipset Feature | Intel AMT
(Enabled,Disabled)
* During boot, CTRL+P to go to AMT Menu | Intel ME Control State
(Enabled,Disabled)

There is no way to know if the ME has the ability to re-enable AMT on its
own. Why? Because no one except Intel knows what exactly it contains. So,
you could disable ATM on the machine and not know if the ME can
circumvent that BIOS setting.

--
There's a definition of horror: the genre where all the decisions are
wrong ones.
James Nicoll
https://groups.google.com/group/rec.arts.sf.written/msg/292fed66d24dc0cf?dmode=source
<7u7q7k$mmm$1@watserv3.uwaterloo.ca>

On 12/5/2021 10:39 AM, Spiros Bousbouras wrote:
> On Mon, 29 Nov 2021 20:05:24 +0000
> Richard Kettlewell <invalid@invalid.invalid> wrote:
>> Spiros Bousbouras <spibou@gmail.com> writes:
>>> Richard Kettlewell <invalid@invalid.invalid> wrote:
>>>> Spiros Bousbouras <spibou@gmail.com> writes:
>>
>>>>> The Intel management engine and the analogous from AMD creep me out
>>>>> so I want to put a computer together using old processors from
>>>>> before these facilities came into the picture.
>>>>
>>>> Is there a reason why you don’t want to buy a current platform and
>>>> disable the feature in the firmware? You might need to do a bit of
>>>> research to ensure you get something where disabling it is possible
>>>> but it seems a lot easier than building a computer from old parts.
>>>
>>> Is it possible to disable them ?
>>> https://en.wikipedia.org/wiki/AMD_Secure_Technology does not say
>>> anything.
>>
>> https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fdisablingintelamt.htm
>
> This page is about disabling AMT :
> https://en.wikipedia.org/wiki/Intel_Management_Engine :
> The Management Engine is often confused with Intel AMT (Intel Active
> Management Technology). AMT runs on the ME, but is only available on
> processors with vPro. AMT gives device owners remote administration of
> their computer,^[6] such as powering it on or off, and reinstalling the
> operating system.
>
> However, the ME itself is built into all Intel chipsets since 2008, not
> only those with AMT. While AMT can be unprovisioned by the owner, there
> is no official, documented way to disable the ME.^[citation needed]
>
> Although it says "citation needed" , I find it unlikely that , if there was a
> way to disable the ME , someone would not have added it to the article by now. In
> any case see also
>
> https://www.techrepublic.com/article/is-the-intel-management-engine-a-backdoor/ :
> Various sources report that Intel's latest x86 chips contain a secret
> backdoor. SoftPedia cites security expert Damien Zammit as revealing that
> these Intel chips come with an embedded subsystem called the Management
> Engine (ME) that functions as a separate CPU and cannot be disabled, and
> the code is proprietary.
> [...]
>
> However, the ME contains the AMT instructions, which can function
> similarly to wake-on-LAN. That means if the right person used the ME to
> gain access to a machine, they could then take advantage of AMT and boot
> the machine. Viola! Your PC is now readily available for someone with the
> requisite skills to pick and choose what they want--this could include
> company data.
> [...]
>
> The good news is that you can disable the AMT feature. Here's how.
>
> * In the PC BIOS, go to Advance Chipset Feature | Intel AMT
> (Enabled,Disabled)
> * During boot, CTRL+P to go to AMT Menu | Intel ME Control State
> (Enabled,Disabled)
>
> There is no way to know if the ME has the ability to re-enable AMT on its
> own. Why? Because no one except Intel knows what exactly it contains. So,
> you could disable ATM on the machine and not know if the ME can
> circumvent that BIOS setting.

It's not a "secret" enclave, as there was at least one slide
deck about the feature set.

I've not seen a slide deck since the Wifi was added to
the more modern setups. The Intel NIC is dual-headed
(so certain NICs are needed to make it work). And it is
possible the Intel Wifi modules have dual head as well.

http://pds4.egloos.com/pds/200706/04/57/ps_adts003.pdf

Since it potentially can be used for anti-theft purposes,
that's why there can't be a hardware jumper plug to
guarantee it is off. A thief would just use that.

Paul

On Mon, 6 Dec 2021 03:10:00 -0500
Paul <nospam@needed.invalid> wrote:
> On 12/5/2021 10:39 AM, Spiros Bousbouras wrote:
> > On Mon, 29 Nov 2021 20:05:24 +0000
> > Richard Kettlewell <invalid@invalid.invalid> wrote:
> >> Spiros Bousbouras <spibou@gmail.com> writes:
> >> https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fdisablingintelamt.htm
> >
> > This page is about disabling AMT :
> > https://en.wikipedia.org/wiki/Intel_Management_Engine :
> > The Management Engine is often confused with Intel AMT (Intel Active
> > Management Technology). AMT runs on the ME, but is only available on
> > processors with vPro. AMT gives device owners remote administration of
> > their computer,^[6] such as powering it on or off, and reinstalling the
> > operating system.
> >
> > However, the ME itself is built into all Intel chipsets since 2008, not
> > only those with AMT. While AMT can be unprovisioned by the owner, there
> > is no official, documented way to disable the ME.^[citation needed]
> >
> > Although it says "citation needed" , I find it unlikely that , if there was a
> > way to disable the ME , someone would not have added it to the article by now. In
> > any case see also
> >
> > https://www.techrepublic.com/article/is-the-intel-management-engine-a-backdoor/ :
> > Various sources report that Intel's latest x86 chips contain a secret
> > backdoor. SoftPedia cites security expert Damien Zammit as revealing that
> > these Intel chips come with an embedded subsystem called the Management
> > Engine (ME) that functions as a separate CPU and cannot be disabled, and
> > the code is proprietary.
> > [...]
> >
> > However, the ME contains the AMT instructions, which can function
> > similarly to wake-on-LAN. That means if the right person used the ME to
> > gain access to a machine, they could then take advantage of AMT and boot
> > the machine. Viola! Your PC is now readily available for someone with the
> > requisite skills to pick and choose what they want--this could include
> > company data.
> > [...]
> >
> > The good news is that you can disable the AMT feature. Here's how.
> >
> > * In the PC BIOS, go to Advance Chipset Feature | Intel AMT
> > (Enabled,Disabled)
> > * During boot, CTRL+P to go to AMT Menu | Intel ME Control State
> > (Enabled,Disabled)
> >
> > There is no way to know if the ME has the ability to re-enable AMT on its
> > own. Why? Because no one except Intel knows what exactly it contains. So,
> > you could disable ATM on the machine and not know if the ME can
> > circumvent that BIOS setting.
>
> It's not a "secret" enclave, as there was at least one slide
> deck about the feature set.
>
> I've not seen a slide deck since the Wifi was added to
> the more modern setups. The Intel NIC is dual-headed
> (so certain NICs are needed to make it work). And it is
> possible the Intel Wifi modules have dual head as well.
>
> http://pds4.egloos.com/pds/200706/04/57/ps_adts003.pdf

If you mean the slides on the link , it's not clear to me which particular
slide you have in mind. In any case , there is no precise definition of what
counts as secret. One might say that , since we know that the management
engine exists , it's not secret.

> Since it potentially can be used for anti-theft purposes,
> that's why there can't be a hardware jumper plug to
> guarantee it is off. A thief would just use that.

Are you saying that the management engine serves anti-theft purposes ? How ?

On Sun, 5 Dec 2021 15:39:49 -0000 (UTC)
Spiros Bousbouras <spibou@gmail.com> wrote:
> On Mon, 29 Nov 2021 20:05:24 +0000
> Richard Kettlewell <invalid@invalid.invalid> wrote:
> > Spiros Bousbouras <spibou@gmail.com> writes:

[...]

> > > Is it possible to disable them ?
> > > https://en.wikipedia.org/wiki/AMD_Secure_Technology does not say
> > > anything.
> >
> > https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fdisablingintelamt.htm
>
> This page is about disabling AMT :
> https://en.wikipedia.org/wiki/Intel_Management_Engine :
> The Management Engine is often confused with Intel AMT (Intel Active
> Management Technology). AMT runs on the ME, but is only available on
> processors with vPro. AMT gives device owners remote administration of
> their computer,^[6] such as powering it on or off, and reinstalling the
> operating system.
>
> However, the ME itself is built into all Intel chipsets since 2008, not
> only those with AMT. While AMT can be unprovisioned by the owner, there
> is no official, documented way to disable the ME.^[citation needed]
>
> Although it says "citation needed" , I find it unlikely that , if there was a
> way to disable the ME , someone would not have added it to the article by now. In
> any case see also
>
> https://www.techrepublic.com/article/is-the-intel-management-engine-a-backdoor/ :
[...]

There is also
www.howtogeek.com/334013/intel-management-engine-explained-the-tiny-computer-inside-your-cpu :

You can't disable the Intel ME. Even if you disable Intel AMT features in
your system's BIOS, the Intel ME coprocessor and software is still active
and running. At this point, it's included on all systems with Intel CPUs
and Intel provides no way to disable it.

--
And in the movie's center, circling warily, are Reynolds and Deneuve,
both so worn, so worldly, so cynical, they don't even realize what
total romantics they are.
www.rogerebert.com/reviews/hustle-1976

On Mon, 29 Nov 2021 20:23:46 +0000
Richard Kettlewell <invalid@invalid.invalid> wrote:
> Spiros Bousbouras <spibou@gmail.com> writes:
> > SH <i.love.spam@spam.com> wrote:
> >> what is it about the intel management engine that creeps you out?
> >
> > That there is a part of the processor running secret code which has
> > access to everything on the computer (memory , storage media ,
> > internet communications) and nothing in the software that you choose
> > to run on your computer can affect this.
>
> You could say much the same about the CPU microcode or the platform
> firmware (e.g. UEFI, or BIOS if you can find something old enough).
>
> > Note also that these management engines are an additional large and
> > complicated attack surface which doesn't buy *me* anything. I'm not
> > even sure why they're there , I mean what is the official
> > justification ?
>
> Platform-level remote management.

This applies to Intel Active Management Technology , not the management
engine.

> > I'd rather avoid Intel since their processors have had too many
> > vulnerabilities over the years even unrelated to the management
> > engine.
>
> How many is too many? AMD and ARM CPUs have had vulnerabilities too, and
> almost certainly will have more in the future.

I don't have a precise criterion. I don't keep precise statistics either but
I see in the news announcements about vulnerabilities on Intel processors a
lot more often that I do for AMD (not just related to the management engines).
Also , en.wikipedia.org/wiki/Intel_Management_Engine mentions many more
vulnerabilities than en.wikipedia.org/wiki/AMD_Secure_Technology .

> In all cases I suspect
> you’re more at risk from vulnerabilities in the software you run on
> them.

Possibly. But I don't run software I don't need and I try to use the simplest
software which achieves what I need although there are other criteria than
simplicity. The problem with the management engines is that they offer a large
attack surface and they don't offer any functionality of use to me , at least
to the extent that we know what functionality they offer.

> Disabling this stuff may reduce your total risk, but not necessarily by
> as much as you hope.

--
vlaho.ninja/prog

On Mon, 29 Nov 2021 20:23:46 +0000
Richard Kettlewell <invalid@invalid.invalid> wrote:
> Spiros Bousbouras <spibou@gmail.com> writes:
> > SH <i.love.spam@spam.com> wrote:
> >> what is it about the intel management engine that creeps you out?
> >
> > That there is a part of the processor running secret code which has
> > access to everything on the computer (memory , storage media ,
> > internet communications) and nothing in the software that you choose
> > to run on your computer can affect this.
>
> You could say much the same about the CPU microcode or the platform
> firmware (e.g. UEFI, or BIOS if you can find something old enough).

Sorry , I forgot to reply to that part.

If you mean that CPU microcode potentially has access to the same things then
yes. But if you mean that it actually does then there's no reason to think
so. If for example I learned that , microcode of some CPU , which microcode
ostensibly exists to compute the sine fucntion , tries for access to the
network , I would be worried.

Regarding firmware , similar considerations apply but I only have a vague
idea what firmware duties are. But one central criterion is the same : do the
accesses follow from the nature of its functions or are they arbitrary ? If
it's the latter , I'd rather avoid the extra risk.

Spiros Bousbouras <spibou@gmail.com> writes:
> Richard Kettlewell <invalid@invalid.invalid> wrote:
>> Spiros Bousbouras <spibou@gmail.com> writes:
>>> SH <i.love.spam@spam.com> wrote:
>>>> what is it about the intel management engine that creeps you out?
>>>
>>> That there is a part of the processor running secret code which has
>>> access to everything on the computer (memory , storage media ,
>>> internet communications) and nothing in the software that you choose
>>> to run on your computer can affect this.
>>
>> You could say much the same about the CPU microcode or the platform
>> firmware (e.g. UEFI, or BIOS if you can find something old enough).
>
> Sorry , I forgot to reply to that part.
>
> If you mean that CPU microcode potentially has access to the same
> things then yes. But if you mean that it actually does then there's no
> reason to think so. If for example I learned that , microcode of some
> CPU , which microcode ostensibly exists to compute the sine fucntion ,
> tries for access to the network , I would be worried.

It’s not close to things like network interfaces, and it’s not very
large, and it’s not well documented outside CPU vendors, but it does
control the semantics of many machine instructions, so in practice it’s
pretty powerful.

> Regarding firmware , similar considerations apply but I only have a
> vague idea what firmware duties are. But one central criterion is the
> same : do the accesses follow from the nature of its functions or are
> they arbitrary ? If it's the latter , I'd rather avoid the extra risk.

It can interrupt the OS at any time (into SMM) and do anything it
likes. Powerful and, I suspect, a lot more flexible than microcode

--
https://www.greenend.org.uk/rjk/

On 12/6/2021 5:57 AM, Spiros Bousbouras wrote:

>
> Are you saying that the management engine serves anti-theft purposes ? How ?

https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it

"But troublingly, AMT is only one of many services/modules that come
preinstalled on Management Engines. The best recommendation we can make for addressing
this vulnerability today is to disable that specific AMT module, because Intel doesn’t
provide any way to generally limit the power of the ME.

But vulnerabilities in any of the other modules could be as bad, if not worse, for
security. Some of the other modules include hardware-based authentication code and

a system for location tracking and remote wiping of laptops for anti-theft purposes.

While these may be useful to some people, it should be up to hardware owners to decide
if this code will be installed in their computers or not. Perhaps most alarmingly,
there is also reportedly a DRM module that is actively working against the user’s
interests, and should never be installed in an ME by default.
"

The description here doesn't even mention location tracking.
Instead, AMT locks up the laptop, preventing things like boot
from happening.

https://support.hp.com/ca-en/document/c02558764

The feature set then, is a function of what module happens
to be loaded in ME MINIX.

Paul

On 29 Nov 2021 22:35:14 GMT
Jaimie Vandenbergh <jaimie@usually.sessile.org> wrote:
> On 29 Nov 2021 at 18:46:48 GMT, "Spiros Bousbouras" <spibou@gmail.com>
> wrote:
>
> > On 29 Nov 2021 15:16:44 GMT
> > Jaimie Vandenbergh <jaimie@usually.sessile.org> wrote:
> >> Definitely put as much RAM in the machine as it can take, in order to
> >> keep it even vaguely viable. Use SSDs as well - give the old thing every
> >> possible advantage.
> >
> > As I say in <A+E9DrGA11MTXVeuJ@bongo-ra.co> , 2 gigabytes RAM work fine at
> > present and I don't expect that my computing needs will go up.
>
> You don't use the modern web much, I take it - that forces higher specs
> on you otherwise, or your view of the Internet will slowly constrict.

I do but mostly from a text browser and it's lightning fast !

> > But if it's
> > easy to add more , I will add more. I also don't see why SSD vs hard disk
> > would matter to me because my current hard disk doesn't get much work.
>
> Swap.

Do you mean swap memory ? My understanding is that if your applications require
so much memory that they need to use swap memory then it's going to make the
computer very slow whether you use a SSD or hard disk.

> >> What I'd actually suggest is a Pi4 or CM4/8gig though.

[Information about the Raspberry Pi snipped.]

Thanks for all that. If I have any further questions , I will post them on
comp.sys.raspberry-pi .

On 03 Dec 2021 13:56:52 +0000 (GMT)
Theo <theom+news@chiark.greenend.org.uk> wrote:
> Jaimie Vandenbergh <jaimie@usually.sessile.org> wrote:
> > On 29 Nov 2021 at 18:46:48 GMT, "Spiros Bousbouras" <spibou@gmail.com>
> > wrote:
> > > - Do ARM processors have anything analogous to the Intel management engine ?
> > > If not then yes , that's a plus in my book. Plus I want to learn some ARM
> > > assembly so having an ARM processor would be a bonus.
> >
> > I am fairly sure (but not 100%) that they do not. Raspberry have solid
> > documentation, and I've not found an extra controller inside but also
> > they don't make a statement that there isn't (I mean why would they
> > think to?)
> > https://www.raspberrypi.com/documentation/computers/processors.html#bcm2835
>
> Arm designs processors, it doesn't design chips. It's up to the chip designer
> to decide what else to put in there. For example you can get the same Arm
> core with an Arm, Qualcomm or Broadcom GPU.
>
> It is quite common for systems on chip to have additional microcontroller
> cores for managing things, for example booting, clocks, power and DDR
> timing. Some of those may be exposed (as a 'system control unit'), but
> others aren't. For example the battery will have a microcontroller in it to
> keep an eye on the charging/discharging profile, the touchpad will have a
> microcontroller for speaking USB, etc etc. Many of those microcontrollers
> don't have access to system memory (especially not the ones off-chip), but
> some do. They don't often appear on the datasheet as a 'processor' but
> simply as a functional block for doing those things (eg a battery monitoring
> unit). Almost none of the firmware that runs on all of these pieces is open
> source.
>
> In the Raspberry Pi case there's a GPU that runs closed-source firmware, so
> it's not unusual in that respect. Whether it's analogous to the Intel ME
> depends on what you're concerned about: the GPU doesn't have a network
> socket on it, but then it can reach the ethernet controller (maybe another
> CPU!) over the memory interconnect. (Arm offers a System MMU to provide
> some degree of protection here, but the RPi doesn't use one).
>
> So if you were worried about a supply chain attack providing you malicious
> GPU firmware then it's not going to help. If you're worried about malicious
> network traffic attacking the GPU, that won't get to the GPU in normal
> operation.
>
> I'm not familiar with the internals of the 15-20 year old AMD systems you're
> talking about, but I would be unsurprised if there were similar control
> processors in there for doing similar kinds of tasks - just more basic ones.
> And of course those systems haven't had a BIOS update in 15 years so any
> vulnerability lurking in there is not going to be patched. When you start
> building a system with a GPU, network card, storage controller, etc, that's
> all firmware that hasn't seen updates in a decade or more.
>
> TL;DR: you need to boil down to exactly what is objectionable in the Intel
> ME before asking whether the same threat exists on other platforms. 'Other
> things running software you can't see / isn't open source' is a given, on
> anything more complex than a Sinclair Spectrum.

What is objectionable is the increase in the attack surface created by the
management engines (both Intel and AMD) without sufficient explanations on
what functionality they offer (useful to the user or in general). There is
also the fact that many respectable sources express similar concerns. The
question "Do ARM processors have anything analogous to the Intel management
engine ?" indirectly also asks whether similar concerns have been expressed
about ARM processors ; and it's not just a matter of existence but also of
degree. By degree I mean the degree of at least the following 2 parameters :

- Complexity of the functionality ; larger complexity means greater opportunity
for security flaws.

- Justification of the functionality from the point of view of the end user
(me !).

There is of course also the binary parameter of whether it's secret or not.
The more things are secret , the worse. I probably can't avoid all secret
firmware (as you point out) but I will try to avoid what I can. I note also
that there is a political component which seems to parallel the time when
Stallman started his GNU efforts towards open source software , at least
according to how he tells the story. According to Stallman , most software
used to be free , not necessarily in the modern legal sense as embodied by
the GPL and other licenses but in a practical sense in that you could inspect
the software and modify it. Then the trend started to move towards close
source and Stallman tried to oppose this with some success. In an analogous
fashion , in hardware the trend seems to be towards more secrecy and more
taking control away from the end user and owner of the hardware for unknown
ends. I'm trying to resist this. I don't expect I will be anywhere near as
successful as Stallman was with software but I (will) do what I can.

Anyway , thanks for all the technical information. Even if I don't manage to
mitigate my risks with my proposed measures (you seem to think that I may
even be increasing my risks) , I'm learning useful relevant information.

--
vlaho.ninja/prog