1. 3

    This looks interesting. Of course it’s a shame it’s based on Intel, but:

    • PCI-e
    • SATA
    • 2 x gigabit ethernet
    • x86
    • VT-x + VT-d
    • 32 GB ram
    • 4 okay-ish cores

    At first glance this looks like the first SBC that actually will be usable for stuff like routers, virtualization host/hypervisor (in a cluster for example) or a simple linux desktop stuck to the back of a monitor. Price will be important though, since you also need to get memory while a lot of other SBCs have memory on the PCB.

    1. 8

      The fact that it’s based on Intel is, imho, a good thing .. I’ve got a drawer full of SBCs that started out with lots of promise - ultimate power, great battery life, etc - but are sitting there unused because the vendors failed to keep the kernel promises.

      That’ll be less likely to happen with an Intel-based SBC, imho.

      1. 4

        Most ARM SoCs are decently supported by mainline operating systems. Which boards do you have and what would you like to use them for?

        1. 2

          Which ARM SoCs do you have that are supported on mainline? I’ve had nothing but all kinds of issues with ARM. I tried using an overpriced SolidRun as a router and ran into nothing but issues and terrible support.

          I wrote another post on seeing these issues in Android devices. ARM is not a platform. It’s just random shit soldered to random pins. At least Microsoft phones had ARM + UEFI. I mean we have device trees, but they’re usually broken to hell too and most phone vendors don’t use them.

          Is the particular device in this post a 3rd party x86 clone? Is it free of Management Engine or other 3rd party controllers? I realize all x86 stuff has non-free binary blobs everywhere, whereas you can get a lot of totally free ARM chips/boards, but long term support is often an issue. With x86+UEFI or even classic BIOS, you can run mainline Linux on them for years to come. There are even forks of Linux for older unsupported 386 chips if you really want to buy a ton of old 386 stock and use them in embedded applications. ARM is a clusterfuck by comparison.

          1. 3

            Rockchip RK3399/RK3328, Allwinner H3/H5/A64, Nvidia Tegra X1, the Broadcom junk that’s in the RPi…

            I run FreeBSD (actually I worked on RK3399 support), so there’s no non-mainline :) but for Linux, Rockchip is actually mainlining their official drivers, and for Allwinner it’s the community.

            Of course the cheap embedded boards aren’t as good as the high end server stuff (ThunderX/2/Centriq/eMAG/…), but there is a lot of support.

            1. 2

              OLIMEX has some interesting hardware and according to SUNXI Buying guide “Currently, Olimex is the only company creating Allwinner based OSHW, and Olimex actively contributes to the sunxi project.”.

              For some cheaper but less open options (I use an orange pi zero as a home media server/nas/cups/whatever) armbian provides quite decent support.

            2. 2

              I bought the original PINE64 and found that the support is pretty terrible, even today it feels like it’s all been hacked together by guests in China rather than the manufacturer doing much about it.

              1. 1

                It’s very well supported in FreeBSD.

                For Linux, just don’t go to the vendor, ever. Check Arch Linux ARM and Armbian. (Apparently Ethernet support was merged into mainline as late as 4.15, but it’s there now)

            3. 4

              I think the parent was implying AMD would have fewer microcode updates and more trustworthiness due to better QA than Intel. Likely inspired by Meltdown/Spectre vulnerabilities. Also, AMD has been in the low-power, SoC game for some time. I don’t know if you’ll get lots of problems out of them that you wouldn’t out of Intel. It would surprise me a bit. I remember Soekris was using AMD Geodes.

              Oh shit:

              “Due to declining sales, limited resources available to design new products, and increased competition from Asia, Soekris Engineering, Inc. has suspended operations in the USA as of today.”

              Glanced at their page to see product updates. Got sadder news than I was looking for.

              1. 5

                I don’t know much about the Soekris boards, but pcengines.ch sells surprisingly affordable AMD Jaguar-based boards for embedded and network applications. I’m using one for my OPNSense firewall and have been perfectly happy with it.

                1. 1

                  Thanks for the tip!

                  1. 3

                    From corebooting my ALIX2C3 I recall the geode microcode has another issue in that it’s reliant on legacy tooling to build so you are encouraged to just use the blob (tooling is either DOS based or related to visual studio, can’t recall).

              2. 2

                If I remember properly HardKernel had everything for their C2 platform mainlined so you could use modern kernels without having to use a vendor specific one.

              3. 2

                it’s a shame it’s based on Intel […] Price will be important though

                I too immediately thought “why not Ryzen?” but, price is actually the reason they went with Intel, according to the blog post that’s linked here. Excerpt:

                2017 December, We considered AMD Ryzen 5 2500U 3.5Ghz mobile processor. The performance was very impressive, but the price of the CPU was also very impressive. Fortunately, Intel also announced the Gemini Lake processors. It was slower than Ryzen but much faster than Intel Apollo Lake, and the price was reasonable.

                Looks like the board will be considerably cheaper due to the Intel chip.

              1. 12

                Lenovo X260 with Linux (mostly Fedora or Debian) and OpenBSD. It’s a 13-14 inch model, so it doesn’t meet your requirements on screen size, but maybe there are 15 inch equivalents available. My laptop runs Linux perfectly and I couldn’t be happier with it.

                Some things I like:

                • Keyboard quality and feel
                • Keyboard backlight
                • Double batteries for easy swaps
                • Modifiable and expandable to your taste
                • Rather good Linux/BSD support
                • Not so many gimmicks or dumb features I don’t use
                • Matte screen (oh how I hate glossy panels)
                • Quite sturdy enclosure
                • Price! I bought it nearly new from someone for about 400 euros. Even now (some years later) they are very cheap second hand, and if you look at the right place they will be practically new.

                What I dislike about it is that malicious companies like Intel have their spyware and backdoors in it. But going for Purism or alternatives is simply too expensive for me, so it isn’t an option for me.

                I hope you find this info useful!

                1. 2

                  I hope you find this info useful!

                  I did, thank you.

                  1. 2

                    I have a friend at my local hackerspace who does a lot of stuff to cripple/disable the Intel stuff. I helped him flash some BIOS chips of ThinkPads. It’s kinda easy once you get the hang of it, we did two together and I think he did like 10-20 in total now. Also super interesting to learn a bit about how stuff works.

                    1. 2

                      I had my work get me one of these, but I forgot to specify not to get the low-res version, because it never crossed my mind that in this day and age it would still be possible to buy a 1366x768 display, but unfortunately it still is. I’d imagine it’s a decent machine if you don’t get stuck with the lousy-display variant tho.

                      My personal machine is an X301 which is a lot nicer since it’s from the 16:10 days, plus it has a carbon-fiber/magnesium palm rest instead of plastic like the newer models. The performance isn’t nearly as good, but it’s serviceable once you put ublock origin on it.

                    1. 5

                      GnuCash will probably be your best bet. It takes a while for most people I know to get the hang of it, since it is quite bad in that area. But it can do pretty much everything you can wish for in a budgeting app (or accounting program for not too large businesses for that matter).

                      1. 3

                        I use Keepass for both work (very sensitive for others) and private (very sensitive for me), where the kdbx file is stored in a Cryptomator vault that gets synced through a private NextCloud instance that is only exposed over my own p2p vpn. All of these components are open source (which is a requirement for me), cross-platform (linux, bsd, windows) and are quite consistent (which I find important). Of course, Keepass is a bit more work to set up and less fancy GUI wise than say LastPass, but it suits me fine. It has autofill anyway, so I rarely have to copy paste the passwords myself.

                        The only thing I find a bit annoying is decrypting the vault every day, but I don’t feel syncing kdbx files over the internet is secure enough. How do others here feel about this? I always believe in layers of security (encrypted database + encrypted vault + tls + vpn + strong certificates and passphrases, everything under my own control) but there are also people that use Keepass only with Dropbox and only rely on the strength of the kdbx file itself. Any thoughts? :)

                        1. 8

                          Is that blog satire? The author links in his second paragraph to articles he wrote praising DRM and dismissing all criticism[1], to articles claiming that repairability or the ability to replace firmware is unnecessary, as you can always throw a device away and buy a new one[2], and he’s arguing that modifying the way a website is displayed in your own browser – e.g. by restricting the JS, or modifying it – violates the site owners’ rights, and is wrong[3].

                          I absolutely can’t tell.

                          [1] http://www.technologicallyadvancedhuman.uk/why_eme_is_great.html

                          If someone wants to sell a movie but they don’t want it pirated or modified without their permission, that’s fair enough. It’s their content and it took them a lot of effort to make it. I don’t see why you would think you have the right to take someone else’s work and do what you want with it without permission.

                          [2] http://www.technologicallyadvancedhuman.uk/the_freedom_to_destroy.html

                          The type of freedom we need over these practically immutable hardware components is what I call “The Freedom to Destroy”. This means that we can throw it away and replace it with something else if we need to. So if it malfunctions, whether due to a bad microcode or a dead transistor, we can simply destroy it.

                          [3] http://www.naughtycomputer.uk/a_response_to_the_javascript_trap.html

                          Also consider if it’s polite to run your modified JavaScript on someone else’s website. Imagine if you maintain and distribute a modified JavaScript to use with e.g. eBay. And imagine it malfunctions causing a DDOS on eBay or people to have their financial details stolen. Who’s fault is it?

                          1. 4

                            I read the DRM and firmware blogs, and was like “he can’t be serious”. I just closed the tab and went to check here if people understood the blogs haha. I guess not looking at your reply.

                            In addition, it’s also written in a rather simplistic/shallow way. The thought of satire didn’t cross my mind, but you might be right! Also because of the banner.

                            1. 3

                              The weird part is, the author’s posts have been previously tagged as satire on lobste.rs, or marked as April Fools joke, and he’s protested that they’re not. All of his websites have similar content as well.

                              I’m super confused.

                            2. 2

                              So I think these positions are a bit different from what you summarised of those blog posts (and I agree w/ the finer points)

                              • “EME is great” post:

                                • The writer doesn’t like piracy
                                • => DRM helps prevent that
                                • existing DRM schemes, however, are messy and rely on stuff like Flash
                                • EME allows for a “minimal” amount of obfuscation in order to prevent piracy. A solution that is cleaner than others, while preventing piracy
                                • basically, if DRM is non-negotiable, EME is a good implementation of such
                              • “Freedom to destroy” post:

                                • IME led to comments about “CPU as a service”
                                • but even non-IME CPUs are basically a service (magic circuits, impossible to grasp)
                                • Linux is built out of a lot of small software, where each component can be easily replaced (you can rewrite cd and put in your own version)
                                • “Freedom to destroy” = “Freedom to remove a part and put in a new part”. Basically you can replace things with “nicer” things that meet your objectives
                                • CPUs aren’t really this yet (gotta replace whole motherboards) but… maybe one day
                              • “Javascript Trap” post:

                                • Javascript is running on your computer, but not easy to modify
                                • Javascript’s “user” is the server runner, as they can modify it easily
                                • (aside: running modified JS on someone else’s site could cause problems. For example a site extension could add way too many API calls bringing the site down. It’s not super nice to the site runner)
                                • Free software helps to fight stuff like Google Maps, where we don’t have a real copy of the software (because JS isn’t usable in a real sense as a piece of free software)

                              If this is satire, they unintentionally fell into real points. Don’t agree with everything, but this stuff has some basis in reality.

                              1. 1

                                The problem is that half of their points are completely irrational.

                                For example, his EME post’s arguments rely on “I don’t see why you would think you have the right to take someone else’s work and do what you want with it without permission.”, which assumes that the fair use doctrine isn’t a thing. If you assume the fair use doctrine exists, then EME removes a right that you otherwise would’ve had.

                                The freedom to destroy post also applies to other hardware, not just CPUs, and assumes that users manually repairing devices isn’t a thing. I’ve just replaced some parts of one of my monitors, and had to modify the firmware afterwards. The freedom to destroy post assumes no user is ever going to modify or repair such devices. The same issue applies to flashing the firmware of routers. Even the EU considered the right of people to flash the firmware of devices they buy as so essential that they required that no router manufacturer may prevent users from flashing custom firmware.

                                Regarding the Javascript Trap, his argument would declare Ad Blockers as problematic – every browser extension you use to modify a site, be it Reddit Enhancement Suite or uBlock Origin, modifies the JS of the original page, or runs its own. This even came to court in Germany, where the courts ruled that it’s an essential right of a user to run ad blockers and that whoever runs the browser is the user and can modify the document requested in whatever way they wish to display it.

                                In general, each of the posts has some points – but only under assumptions that require removing many legal rights that users have.

                                1. 2

                                  Poe’s law applies here at some level.

                                  1. 2

                                    Or the turing test. If it’s indistinguishable from satire/trolling…

                              1. 2

                                We use OpenStack for all our internal virtual machines (which are quite a lot). I think it’s quite (too?) complex to set up, but the ease of use after the initial setup is really good. There are a lot of OpenStack-compatible images available and it also isn’t difficult to make them yourself for some BSDs or lesser-used Linux distros. I really like the automatic SSH-key deployment, IP address configuration (we use public IPv4 and IPv6) and ACL/firewall in the gui. I know some more organizations that use OpenStack, but most (like us) aren’t very public about it. We actually added more/new nodes to it recently :). Hope this helps!

                                1. 12

                                  No VPN provider is going to go to jail over the illicit use of its services by its users. It’s quite possible that prior to the FBI knocking on their door, they didn’t keep logs. I’d imagine the following scenario:

                                  1. FBI investigates, sees the suspicious traffic coming from PureVPN
                                  2. FBI gets a warrant/subpoena for PureVPN
                                  3. FBI knocks on PureVPN’s door with a warrant/subpoena
                                  4. PureVPN says “can’t fulfill that right now. We don’t keep logs.”
                                  5. FBI responds “You’ll keep logs starting today.”
                                  6. PureVPN complies, eventually providing the logs FBI needs of future accesses of the suspect

                                  This is exactly why people should use Tor before connecting to a VPN and not the other way around. Tor hides you before you connect to an entity that can be coerced to hand over identifying information to law enforcement. But, hey, I could be completely wrong.

                                  1. 3

                                    This is a little tangential but I have to ask…

                                    What do you gain by going home → Tor → VPN → internet instead of going home → Tor → internet? In the latter you have one place (home) which all your connections pass through where a wiretapper could correlate them and glean information about what you are doing from the timing information about how many packets you send when. In the former, you have two (home, VPN). This seems like a net-loss of privacy?

                                    1. 3

                                      There are only two reasons I’d use a VPN while behind Tor: to gain UDP support, which Tor lacks; or to ensure that my traffic appears to originate from a certain geographic area.

                                      1. 1

                                        The VPN (before Tor) can hide Tor traffic.

                                        If I remember correctly, in one case of a false bomb threat a suspect was pinned because they were the only one on the whole school using Tor. That is, the metadata of using Tor can turn you into a suspect, as it’s not a popular service and Tor usage is scarce.

                                        I’m curious about the other way around. How can you connect to a VPN after connecting to Tor? Routing all your traffic through Tor using a SOCKS proxy?

                                        So if I’m not mistaken, a full setup (with drawbacks of course) could be:

                                        home -> vpn (hides tor usage) -> tor -> vpn (allows UDP and hides exit node IP)
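For the "tor -> vpn" hop asked about above, here is an added example (not from any commenter in this thread) of how the last leg is usually wired up with OpenVPN: the client is told to open its TCP connection to the VPN server via Tor's local SOCKS listener rather than dialing out directly. It assumes Tor is running on the same machine with its SOCKS port on 127.0.0.1:9050, that the VPN provider accepts TCP connections, and that 203.0.113.10:443, 198.51.100.7, ca.crt and the credential file are placeholders.

```conf
# Added example, not from the thread: OpenVPN client profile for
# home -> Tor -> VPN. Assumptions: local Tor SOCKS listener on
# 127.0.0.1:9050; VPN provider accepts TCP; all addresses and file
# names below are placeholders (documentation IP ranges).
client
dev tun
nobind
persist-key
persist-tun

# Tor only carries TCP streams, so the tunnel transport must be TCP.
# UDP still works *inside* the tunnel, which is the point of VPN-after-Tor.
proto tcp-client

# Use an IP literal, not a hostname: OpenVPN resolves "remote" itself,
# and that DNS lookup would leave the host outside Tor.
remote 203.0.113.10 443

# Hand the TCP connection to Tor's SOCKS listener instead of dialing directly.
socks-proxy 127.0.0.1 9050

# Do not accept a pushed default route blindly: it would also swallow Tor's
# own connection to its guard relay and loop the chain back on itself.
pull-filter ignore "redirect-gateway"

# Pin the guard relay to the physical gateway, then take the default route
# through the tunnel. Placeholder guard address; guards change, so in
# practice this is done with firewall rules or by running Tor on a separate
# gateway host rather than a hard-coded route.
route 198.51.100.7 255.255.255.255 net_gateway
redirect-gateway def1

# Provider material (placeholders).
ca ca.crt
auth-user-pass credentials.txt
remote-cert-tls server
verb 3
```

The two things that bite people with this layout are the ones the comments commissioned: the tunnel must be TCP because Tor cannot relay UDP, and the VPN's default route must not capture Tor's own guard connection. Verifying it is straightforward: after `openvpn --config` comes up, the VPN provider should see a Tor exit address as your source, and `ss -tnp` on the host should show Tor's guard connection still leaving via the physical interface, not the tun device.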

                                      2. 2

                                        Some sites don’t allow traffic from Tor exit nodes - routing through the VPN works around that. It also avoids the constant Cloudflare CAPTCHAs. And as @lattera said, UDP support. Some Freenet users use an anonymous VPN, via tor, to hide their IP and Freenet is UDP only.

                                      3. 2

                                        A VPN with more foresight could instead use a warrant canary to let its users know whether the FBI may be keeping logs.

                                        1. 6

                                          We looked into this for our privacy focused VPN service for the higher education and research sector in the Netherlands. Unfortunately, the legal status of warrant canaries is unclear at best. When an intelligence agency (most have quite far-reaching powers) with jurisdiction and a legal ground compels you to cooperate, not updating the canary probably is a violation of the subpoena and/or gag order because there is no real legal difference between saying “We got a gag order!” and not saying something because you had a gag order.

                                          Of course you can calculate the risk and potential consequences when deciding whether a warrant canary would be a good idea or not. Maybe the use of a warrant canary is worth much more to you/your organization than the potential risks of not complying with gag orders.