Insurgo Privacy Beast X230 - Still Available?

Insurgo Privacy Beast x230 still available?

Link returns 404

@Insurgo may be able to advise here , however the entire site seems offline currently and 404’s for me.

Is a good vendor so asking why.

It’s no longer available for a while now, unless he has changed his mind recently. He decided to put all his Heads efforts elsewhere as the PrivacyBeast wasn’t giving him the results he was hoping for (in terms of advancing the Heads project).

I’m not attempting to speak for him, these are all things he’s said elsewhere. This is just a short answer to suffice until he sees this topic and answers it himself.

Advancing the Heads project in what way? Heads is the re-ownership wizard UI and TPM, Librem Key initialization tool. Coreboot is boot firmware.

The Librem key stores the public/private key pair, and the TPM stores the measured boot hashes.

There are other vendors, but they are not using Heads as a re-ownership

wizard for owning the firmware using a GPG key and email?

I’m afraid he’ll have to answer that. I don’t want to say much more because I don’t want to misrepresent him. I just wanted to confirm he did stop selling the X230. IIRC, he went over why in a conference or such like, but I don’t remember which one nor the finer details.

At a cyber security conference?

Why isn’t Heads popular, because it is more technically challenging maybe,

learning curve can be steep, maybe having more user friendly. It’s a technically

able crowd, sure but even then it’s

a process to learn it.

Heads needs maybe more better documentation or easier to use UI.

Flashkeeper, a write-protect switch in collaboration with @Dodoid to prevent the boot block from being remotely tampered with.

So what kind of chip is that? Fuses?

There are various configurations based on your use case(s), and the project itself is not fully mature just yet, so I recommend taking a look at the documentation.

It always seems like they just move on to the next feature, instead of addressing existing bugs. The nature of technology I suppose.

Heads needs an update, that’s why there’s very little adoption, I hope he gets that.

I hope they continue Heads development for measured boot and for firmware

re-ownership using TPM and Librem Key.

Librem Key could be improved also to match product like Yubikey, which is

more user friendly.

Imagine having Yubikey for measured boot and firmware integrity, would be good also, not just user credentials.

Why did no one mention —

Nitrokey has services for $$ which might help you with any troubles with Heads.

Notice the T-480 for sale as well.

As someone pointed out to me about Yubikey, it does not have a flashing LED that says, translated means, “passed.” Some things are all right.

Because it is off-topic against the main question.

Question still unanswered. Where did Insurgo go? It is 404.

I think, user-friendliness-wise, the best things for Heads to do would be:

• To migrate all TUI to GUI. I don’t see why anyone needs to see any text in a successful boot, except a password prompt if the key is stored in TPM and the PGP fingerprint/info. I would say the TOTP would be good, but that’s already only visible on new versions if automatic boot is interrupted. But it could be shown at the same time as the password prompt (along with PGP info) to save boot time. The HOTP LED is the visual root of trust for verification anyways, so cut out the middlemen.

• To speed up the HOTP check (the main time component in booting, enable Heads basic mode to see what I mean). If the boot process didn’t wait for this before verifying signature, that would probably help a bit as well. An error is an error, no need to wait for each step to complete. Also, no automatic boot delay. If a user needs to get to the menu, hold a button on poweron or allow an appropriate button to be pressed at any time instead of essentially asking the user every time. An error already boots the user into the menu.

• To support other hardware tokens (if a reasonable option)

• To move the HOTP counter to the TPM or CMOS (or somewhere similar) so that the BIOS is self-contained and a disk can be easily swapped while retaining the tamper-resistance qualities. There isn’t a reason I know of why I can’t Heads-seal two separate disks and swap them painlessly. The HOTP measures BIOS integrity not disk integrity, so why link it to the disk at all? I can’t see a reason it can’t permanently live on the TPM and have all the generation happen there. Although, the Heads folks are very intelligent, so I’m sure there’s a good reason, I just can’t think of one. I’d like to see it solved.

• Sigh Windows support. Pretty sure this is technologically impossible with Windows’ Secure Boot and UEFI requirements (officially, at least) and impossible unofficially with the design limits of Heads. I’m not really rooting for this as a feature, though, just admitting that Windows users could benefit from Heads in theory, and that it would also be nice to be able to boot windows once in a blue moon if necessary. In practice, EDK2 exists for precisely this purpose.

But then again, ‘users’ as I understand it aren’t configuring, building, flashing, etc.; they’re just using. Clear documentation for customization I’d say is the biggest thing for those configuring and building, and pictures for each board the best thing for flashers. At the end of the day, though, everything is in service of the user and therefore the most fruitful work, in terms of increasing Heads usage, would be to make it more user-friendly.

TOTP/HOTP check is conducted by Heads, is the slowest process?

TUI converted into GUI would be helpful.

More clear, easier to read.

This is comlicated part, generating GPG keys and writing them to the Librem

Key

Also signing the firmware in the TPM using the key.

Should be GUI process explaining to user in simple terms.

usually the TOTP requires QR code reading and generates code.

This requires a cell phone, tablet with app.

Cell could easily be compromised, this is a weak point in the Heads boot

step. Cell camera driver snaps photo of QR code and generates TOTP/HTOP.

[Librem Key modification] [HOTP CODE BUTTON]

→ Modify the Librem key to include a button that generates an HOTP code

using a Heads API call (Heads has a HOTP app built in).

→ This would be more like the Yubikey where you press a button

and an API call populates browser with user/password.

→ This Librem key generates the HOTP by pressing a button installed

into the USB.

→ Heads contains the HOTP code generation API.

→ GPG key is stored in the USB.

To summarize:

HOTP code generator coded into Heads (HOTP Generator API)

Librem Key Modification to have button push generate code using this Heads

update (API call to HOTP code generator).

If entropy is required, just use mouse to generate it.

Conversion of TUI into GUI wizard.

This is more how Librem Key works.

Librem Key could work for boot firmware integrity verification, including CPU

microcode.

https://insurgo.ca Website is back on but nothing to sell there. Heads is alive and maintained, but under funded for now. I sold the PrivacyBeast with quebeos preinstalled on older reasonably secure hardware to fund R&D. Doing so prevented me to do R&D by lack of time since doing supply chain, import export, refurbishing, reprogramming of hardware, packaging shipping returns and user support. I think I did an amazing job doing so, but at the cost of not having time to do research and development. I went NLnet funding and got some in the past (3 times now: Accessible Security, Authenticated Heads and Flashkeeper) but this alone doesn’t bring back contribution and steady funding toward Heads nor Linuxboot. Heads is a Linux payload of coreboot, and depends on kexec and whole ecosystem to move forward. This is a lot to do without more collaboration. I decided to focus on Heads while looking for more steady sponsoring, consultancy which outcome would be back into the project, or direct employment from an employer that believes into linuxboot/heads goals while being willing to pay with real money to make things progress while having economical stability to continue to do research and development.

All recommendations here are interesting points of improvement. But research and development takes time and should be paid (in form of employment, consultation or funding, while funding pays AFTER the work is done, which requires other source of funding while the work is done, so funding would be more interesting if reimbursing employer; not a stable source of income).

Heads is alive, don’t get me wrong.

Docs are at: https://osresearch.net
Rendered from source: GitHub - linuxboot/heads-wiki: Documentation for the Heads firmware project
Heads source : at GitHub - linuxboot/heads: A minimal Linux that runs as a coreboot or LinuxBoot ROM payload to provide a secure, flexible boot environment for laptops, workstations and servers.

Please collaborate under github.com. I love reading discussions here, but information all over the place proved not serving Heads in the past, so I hold into answering all questions everywhere now.

You can’t get NL grant from EU, or Canada?

I did get funding from NLnet from Canada (thanks to their trust in me).

Issues related to outcome of past finished funded projects

• Nlnet past funded work placeholder for Accessible Security project (2019) · Issue #1729 · linuxboot/heads · GitHub
• Nlnet past funded work placeholder for Authenticated Heads project (2022-2024) · Issue #1741 · linuxboot/heads · GitHub

Again, most of repeatedly answered questions are over github for a reason. That’s where collaboration happens. That’s where you all should as well collaborate if goal is to make things go forward.