Looking to replace my (damaged) work laptop. What I want:
- good specs (recent fast processor, great screen max 14", average graphics card)
- excellent build quality (no flimsy keyboards or cheap plastics)
- portable (thin, great battery life)
- privacy features
My choices so far:
System76 Lemur Pro: great specs and comes with Coreboot and disabled Intel ME BUT the build quality doesn't appear to be great
Apple M2: great specs and build quality BUT it can't really run Linux – except for Asahi Linux which is a work-in-progress (no sound, no brightness controls, etc). Maybe I could run MacOS until Asahi gets good enough?
Thinkpad X1 carbon (latest): great specs and build quality and probably my favorite BUT it has Intel vPro / ME enabled and I can't figure out if it's possible to disable (Most of what I found dates from 2017-18 and I would have to dive into the bootloader rabbit hole to really understand if it's even possible – anyone know?)
I read mixed reviews about Purism, not convinced at all about the build quality. Starbook from Starlabs looks nice but they are UK based and would take 5-6 weeks to ship. Frame.work laptop looks interesting but it's out of stock and the new one pre-order only.
Any other suggestions?
Use the ThinkPad or System76, if you won't use anything else and just Linux then go for that. They stock quite well unlike some of the others. I have never been able to get a Librem, judging by people's complaints I probably wouldn't. If the System76 uses Coreboot then it is a plus, you get open-source BIOS firmware.
Do not worry about the Intel ME / bootloader stuff. An open-source BIOS fixes the issue enough, which System76 does have. Most of what is written about it is horseshit made to advertise, you can find mainstream providers like Dell sell laptops without it:
https://www.dell.com/en-us/shop/dell-laptops/latitude-5430-laptop/spd/latitude-5430-laptop/s149l5430usvp
Only Intel vPro (a variant with features for enterprise) processors do anything substantial based on Intel Active Management Technology (AMT) - which did have known vulnerabilities. All known exploits for AMT are only functional with access to the PC of the target and/or require credentials. Non-vPro processors don't have this.
Intel vPro processors also aren't widespread and you can find variants of laptops without it. You have to explicitly use Intel Wi-Fi hardware and contact Intel to get special management software that allows remote access of the PC. When they say ME can be exploited remotely, the CVE descriptions always mention you need the valid administrator credentials provided aka. non-existent for someone who isn't using AMT in an enterprise.
Example: https://www.intel.com/content/www/us/en/support/articles/000025619/software.html
Avoid a vPro and Intel networking card combined and the minimal risk is averted, this is Librem's exact approach - their old No ME marketing was just horseshit made to sell to those people:
https://web.archive.org/web/20170607022409/https://puri.sm/learn/avoiding-intel-amt/
Note that they stopped advertising or mentioning Intel ME anywhere now:
https://puri.sm/products/librem-14/
Need to manually find this page hidden in the cracks, which has the same talking points I've said: https://puri.sm/learn/intel-me/
The ME Cleaner is basically a hack job of replacing that section of firmware with 0xff. But if you don't trust Intel ME, why trust every other piece of proprietary firmware in your processor or any other PC component? Threat actors can put malicious firmware in motherboards, and even your hard drive: https://www.f-secure.com/weblog/archives/00002791.html
Local device management is also common on every major processor i.e. AMD PSP and even a phone forensics tool uses a Qualcomm processor feature for forensic analysis.
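An added check script, not code from anyone in this thread: it looks for the combination the post above says to avoid, the Intel ME host interface (HECI/MEI) together with an Intel network controller, by parsing `lspci -nn` output. Function names are invented for this example and the sample lspci excerpts are constructed; it only reports what the host can see, the AMT provisioning state itself has to be read over MEI.

```shell
#!/bin/sh
# Added example, not code from the thread. Read-only audit of whether a Linux
# laptop exposes the Intel ME host interface (HECI/MEI) and also carries an
# Intel network controller, which is what AMT/vPro needs for any network path.
# Function names are invented for this example.

# has_mei "<lspci -nn output>": exit 0 if an Intel ME interface device is listed.
has_mei() {
    printf '%s\n' "$1" | grep -qE 'Intel Corporation .*(HECI|Management Engine|MEI)'
}

# has_intel_nic "<lspci -nn output>": exit 0 if a Network or Ethernet controller
# from Intel (PCI vendor id 8086) is listed. Intel "-LM" Ethernet parts are the
# vPro-capable ones; "-V" parts are the consumer variants.
has_intel_nic() {
    printf '%s\n' "$1" | grep -qE '(Network|Ethernet) controller \[[0-9a-f]{4}\]: Intel Corporation .*\[8086:'
}

# amt_exposure "<lspci -nn output>": prints one of
#   no-mei        - no ME interface exposed to the host at all
#   mei-only      - ME present but no Intel NIC, so AMT has no network path
#   mei+intel-nic - AMT-capable combination; check whether AMT is provisioned
amt_exposure() {
    if ! has_mei "$1"; then
        echo no-mei
    elif has_intel_nic "$1"; then
        echo mei+intel-nic
    else
        echo mei-only
    fi
}

# Constructed lspci -nn excerpts (not captured from a real machine).
SAMPLE_VPRO='00:16.0 Communication controller [0780]: Intel Corporation Comet Lake Management Engine Interface [8086:02e0]
00:1f.6 Ethernet controller [0200]: Intel Corporation Ethernet Connection (10) I219-LM [8086:0d4c]'
SAMPLE_CONSUMER='00:16.0 Communication controller [0780]: Intel Corporation Comet Lake Management Engine Interface [8086:02e0]
02:00.0 Network controller [0280]: Realtek Semiconductor Co., Ltd. RTL8822CE [10ec:c822]'
SAMPLE_AMD='00:00.0 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Renoir Root Complex [1022:1630]'

# live_report: classify this machine and show the other host-side signs of an
# active ME: the /dev/mei* node, the mei_me driver, and the firmware version
# string the driver exports via sysfs.
live_report() {
    pci="$(lspci -nn 2>/dev/null)"
    echo "exposure: $(amt_exposure "$pci")"
    ls /dev/mei* 2>/dev/null && echo "mei device node present"
    grep -q '^mei_me' /proc/modules 2>/dev/null && echo "mei_me driver loaded"
    [ -r /sys/class/mei/mei0/fw_ver ] && echo "ME firmware: $(head -n1 /sys/class/mei/mei0/fw_ver)"
    echo "AMT provisioning state must be read over MEI (e.g. with mei-amt-check)"
}

# Run the live audit only when asked; the samples above exercise the logic offline.
case "${1:-}" in
    --live) live_report ;;
esac
```

Run it with `--live` on the delivered machine to confirm what was actually shipped, which is the check the later "no out of band" Dell story in this thread calls for.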
Appreciate your insight very much. I know little about security and I have a hard time telling if the Intel ME scare is horseshit or not.
Agree that any non-open firmware has to be trusted. What I really don't get is why they insist on pushing that "remote management" technology to ALL their chips when it would only make sense in a few enterprise settings.
Ok no vPro so this rules out the X1.
What are your thoughts on Apple M series SoC from a security standpoint? I really like their hardware but I'm fed up of their software.
Apple devices are extremely secure with well designed hardware and have a lockdown mode which was made to combat sophisticated threats after the whole Pegasus situation with iPhones. Big issue is that you have to basically use their services and there's no avoiding it.
Interesting. Intel with me_cleaner vs Apple silicon: Which is less likely to have backdoors?
https://reddit.com/r/privacy/comments/wdb0je/intel_with_me_cleaner_vs_apple_silicon_which_is/iiprkgu/?context=3
It's really up to who you trust more for your Linux usage
I use Intel but if you trust Apple then go Apple all the way because I don't doubt they are built extremely well. I prefer trusting less on online services though.
For the sake of reference I am very Windows-focused so I use this: https://uk.dynabook.com/laptops/portege/portege-x30l/
This is mainly due to me being able to configure Windows myself and being able to see what it can't do. I only rely on Microsoft for security updates and Office. They are Secured-Core PCs, so they are Microsoft validated to run all security features including an exclusive System Management Mode Protection which is meant to counteract threats from the processor's management mode i.e. Intel ME. Secured-Core PCs often don't include OEM-specific bloat either.
Never used Linux on these so I cannot validate how good of an experience it is, nor how to get one, but they have fingerprint unlock, smart card and pretty good I/O. Good battery life and build quality too.
Do you mean because of OIK? But if it's regarding MacOS I have some plans to harden it and mitigate all those online services, while I wait for Asahi to mature
By the way found this: https://github.com/ubuntuAsahi/ubuntu-asahi/ . Very cool, running Ubuntu on Apple bare metal.
Not at all, I just am not a fan of how integrated Apple services are to the entire OS. I prefer them to be a bit more distant like with Windows 11 when configured properly to do so. I imagine MacOS is perfectly fine for people if they trust Apple enough.
Do you really need a modern spec? I ask because I found recently you can build a half decent machine for ~500USD using a used T440p Thinkpad. You can upgrade to the following specs:
Pros:
Cons:
You can get the parts easily on eBay, AliExpress, Amazon. You will need a programmer to flash the BIOS chip to install Coreboot. Recommend upgrading the touchpad to a Synaptics T450 touchpad.
Here are some good online resources:
Unofficial guide to install Coreboot: https://blog.0xcb.dev/lenovo-t440p-coreboot/
Ultimate buyer's guide for T440p: https://octoperf.com/blog/2018/11/07/thinkpad-t440p-buyers-guide/
Another upgrade guide: https://seiba.gitlab.io/thinkpad-t440p-upgrade-guide/
Buy ready built machines from the UK: https://minifree.org/product/libreboot-t440p/
Thank you for the detailed answer! For the kind of work I do (and my lifestyle) portability and battery life, on top of decent processing power, are a must.
I think some other people would definitely benefit from these slightly older setups.
That said it would be great to find a longer-term solution for these "remote management" "features" or we're going to stay stuck in the past with processing power.
I saw those "Qubes certified" on Insurgo I believe (out of stock)
I can tell you, System76 has fantastic build quality. Personally, I think this would be your best choice. I just bought my first System76 laptop, Onyx Pro, a few months ago and I’ll never get another laptop from anyone else. This includes laptops for my family, not just me.
Thanks. Do you recall which payment methods they support? I can't find it anywhere
I just used my credit card. I think they will take debit as well.
Yep saw that. Had to sign up to see which payment methods they accept (only cards). So basically there's no way around it - you need to give them your personal information if you want to buy from them. Apple at least lets you purchase with cash or gift cards.
Use https://paywithmoon.com/
Yes and there's Bitcoin Co as well. For some reason I assumed these had a lower limit not enough to buy a computer, but I'll check.
I didn't realize you could use Bitcoin to pay, but it's good to know. I also have the original launch keyboard from them, and am looking to get a launch heavy in the next few months. Everything System76 makes seems to be amazing build quality. I have no complaints except maybe I wish the speaker was front facing. I think they're going to start releasing laptops that they build the body for in house in the next year or so, and this may be "fixed" at that time. Don't get me wrong though, the speakers are great, you just have to be right in front of the laptop to hear it. This is no different from any other laptop I've had in the past.
Good to hear again about the build quality. They do not accept Bitcoin or cash, only cards.
I've talked to two people using a System76 running POP! OS and both act like they've found the fountain of youth or something. So I downloaded POP! and I have to admit, it's smooth as buttah & probably my new favorite distro of all times.
Can't speak to the hardware but if you're up for a new distro make sure to try POP! OS.
Awesome. Will definitely try it out
The ThinkPad X1 Carbon is good. I would take it with Linux installed. You can switch the distro later and you do not pay for useless Windows spyware.
Linux runs on all ThinkPads. Check out other ThinkPads too. The X1 Carbon is much more expensive, but the other ones like the T-series and the P-series are only a little bit heavier (not much) but more powerful and real workhorses.
Dell XPS 13 is excellent too and you can also order it with Linux.
Lenovo has great service. My SSD crashed in another country. They replaced it and even sent me a third one to my address in the first country.
Nice, I'll have a look at the xps and maybe other Thinkpads. I just don't want the ones with that vPro rubbish
I have a System76 Lemur, it's been my main laptop for the last 3 years or so. I also have no complaints on build quality, and will be replacing it with another System76 when the time comes.
We use Lenovo ThinkPads at work for Linux. Usually Ubuntu Linux. Works great.
Thanks. My only doubt is the unnecessary "remote management" tools from Intel
I got a Purism. Pre-sales support was excellent, but as soon as the product delivered, they won't respond to anything.
The keyboard on the machine is terrible, from the stupid right shift key to the lack of stiffness of the keyboard, to the shape of the keys, to the fact that I don't think it detects key presses all the time.
Sometimes the power cord sparks when plugging it in.
Sometimes it won't charge when plugging it in. Great way to start the day finding out your battery is dead.
Battery drain in suspend mode is about 25%/day (I've read that System76 has the same problem). So, if you plug in and it doesn't charge as stated above, you can come back to find you've lost your state after a few days.
Battery that was in the machine that I received was 52.8Wh but their website advertises 66.8Wh.
Camera/mic kill switch is super hard to toggle.
Ethernet port is super hard to use.
Placement of the USB-C port with charging/video is in a dumb spot.
Speakers are really bad.
Doesn't resume from sleep when opening the lid, you always have to press the on button.
All of this was a real disappointment considering I really liked the mission of their company.
Thank you! This totally matches what I've been reading about Purism. As you say, too bad because it's a company with a worthwhile mission.
https://starlabs.systems/
Thanks. They take too long to ship
Thinkpad x200 or x200. Yeah it's old tech but with coreboot it loads faster than a top-line gaming computer. No need for graphics cards if you're not gaming. I sold my Asus vivobook (with excellent dedicated graphics etc) and made the switch to a corebooted x230. Everything on it - every driver and every firmware is FULLY open source. No blobs, no unknowns and no mystery code running on it.
You may also want to research the intel management engine back door all modern CPUs have. Though system76 says they disable it, you're still relying on non-open source drivers for your graphics, Bluetooth, WiFi etc.
I took the plunge and am 100% satisfied. Bye bye Windows, hello full control and as a plus, the x230 is MUCH faster and snappier than my old gaming laptop.
Only downside: it's a battery hog, I can last 4-5 hours on battery. I do have my laptop plugged in most of the time. I am okay losing some convenience for full control and peace of mind.
Fantastic, thanks! I assume you meant x200 or x230. Due to my particular lifestyle battery life is very important but otherwise I really like the idea of running a fully open source machine.
I am currently looking to buy a new laptop as well, currently my plan is to look at refurbished business ThinkPads. My brother says the T4xx series are good. And he owns both a ThinkPad and a MacBook, said I will have less problems with the ThinkPad. Besides, they are also cheaper than a MacBook.
I like the Dell XPS series, they are a beautiful and sleek beast and run Linux without any issues
They look very good. However, I'm still unsure about Intel ME with newer Intel processors. It seems like you have to live with a backdoor if you want to connect the computer to the Internet
I'm not saying the backdoor is being used, or by who it's being used - at all. But it exists, it's opaque and it's undeniable.
I have a System 76 Darter Pro and while I like it, the build quality leaves something to be desired. The speakers are probably the worst speakers I've ever had on any computer ever. Would I buy it again? Maybe. I've only had one problem (blown speaker) and System76 sent a replacement without hassle which I was able to replace myself. Apart from that everything has worked great but as stated earlier, I wish the feel of the laptop hardware was nicer.
You could consider Dell XPS 13 - slim, portable, you can get it with Ubuntu from Dell (or just flash whatever). The 12th gen one has a better keyboard - I don't like the touch keyboard on the 13th gen.
Yep I saw the one with the touchbar... why make the same mistake as Apple?
I'll have a look! Not sure if Intel ME can be easily disabled on those
Ordering from Dell it's possible to opt out from vPro (in theory).
This customer, however, ordered "no out of band" and still got it. Not sure if Dell can be trusted
https://www.dell.com/community/Precision-Mobile-Workstations/Dell-Precision-7540-no-out-of-band-systems-management/td-p/7390851
What about a Tuxedo Laptop? https://www.tuxedocomputers.com/
Very cool
Thanks. I'm not in Europe and I can't easily get an idea of how long it would take to ship. Found their website a bit confusing.
Tuxedo Computers in the EU provide Linux laptops with Intel ME disabled. I have one, it's ok.
Not as fast as the M2, but with this and Graphene I am free of the Apple ecosystem. Planning to try out Asahi once it gets a bit more mature.
Has anyone feedback from using a Framework laptop? https://frame.work/
I use it for almost a year now as my main development machine. Currently on Fedora, but planning to move to Debian. I don't have much to say because it just works, also I am using external display, keyboard and mouse, so I don't really touch the laptop much TBH. I love Framework and I hope this is the last laptop I ever buy. Went through 10 years of Apple hell and no thanks, never again. Got rid of my iPhone as well. Life has never been better than since I moved off Apple. Linux is solid and everything works as expected, and Framework is a beautiful laptop.
I don't doubt Linux works great. What was so horrible about Apple?
I think their hardware is excellent and that is why I'm definitely considering Apple hardware + Linux (even though we're still not there). It's basically the same principle as Graphene software on Google hardware.
The Framework Laptop looks amazing plus they accept bitcoin. Only issue is I need to replace this very soon and the only option they have is in pre-order :/
I didn't have much luck with Apple hardware. Every MBP I had mysteriously broke in some way or another.
The thing is, I just never cared, for about 10 years when I was an Apple user, because I would always ask my employer to buy new ones (for some strange reason MBP was a staple in most companies I worked in), so I never had an issue with spending a few k every couple of years to get a new MBP, because it was never my money.
When my last MBP (not even 2 years old) broke beyond repair (one morning it simply refused to come back from sleep) I decided to put an end to the abusive relationship and that's how I got to Framework.
I can't say that Framework components are better than the ones used by Apple, but when the laptop is designed in such a way that when something breaks it is impossible to fix (for example due to components being soldered to the motherboard) - then I call that bad design to the point that the quality of the components themselves is not relevant anymore.
What good is a machine that you can't (easily) replace the SSD or the RAM, and you have to buy a new one if something breaks? To me this is the pinnacle of terrible design.
Of course these terrible design anti-patterns reflect in the OS as well, and to the whole ecosystem, to the point that after many years of Apple use you become a brain-dead zombie. Things as simple as "plug a cable into your phone, open a file manager on your laptop, and copy your pictures or text files over" are simply impossible and you have to come up with clever ways of using iPhoto to copy over your pictures without duplicating them in some way that is hard to understand for mere mortals. How do people even manage to get anything done is beyond my understanding...
So given all these, I also feel like I have a moral duty to not buy anything from a company that makes such hard to use products.
You definitely have a point.
Too bad I need a laptop asap and several of the recommendations here I liked the most (specifically Framework, Tuxedo, Starbook) would take at least 6 weeks to get
A 2nd hand Thinkpad is also great choice, which you can then keep as a backup. ;)
System76 pissed me off.
Not a single FAQ or anything related to payment methods. I had to add to cart, sign up, provide a telephone number, valid address, etc... just to know which payment methods they accept.
Which is only stupid fiat cards. They only sell online so there's not even the option to pay with cash.
And then the icing on the cake: https://safereddit.com/r/System76/comments/13ksaww/does_system76_accept_bitcoin_yet/ , their Reddit page full of retard comments.
I'm not rich but I've been living on a bitcoin standard with no fiat income since 2013. Want to know how?
Credit cards (yes, stupid fiat ones) have been my layer two this whole time. I buy anything and everything I need, pay the rent, hospital bills, taxes, you name it, and even get rewards points for all those purchases. Then when it's time to pay the credit card bill I use cashapp to trade my coin for enough fiat to pay that and then pay it with the bank routing info, instantly, all inside cashapp. Never actually touch fiat, just one coin sale per month.
Stop the credit card hate, it's a very useful tool until lightning is accepted everywhere.
Nice! I like cash app too. Not completely related, but I’ve started messing with Strike because I wanted to shift my DCA buy from daily to every minute.
Appreciate your point of view. What if I didn't have access to cards?
This "reward points" thing sounds very American. I am not American. I don't have access to services like Fold or Cash App.
Maybe, just maybe, it's the banks and some regulated institutions that started hating me first.
In addition - I don't need my name scattered around associated with all kinds of purchases. In exchange for what, a few "points"?
I don't blame you for doing that but you need to recognize that some of us care about privacy, and might not be in the exact same regulatory condition as you.
Touché. I'll give you a hall pass to hate all the credit card companies you want.
They're only useful for those of us lucky enough to be offered them, of course. Still, I can't wait to cut mine up after lightning spreads to all the service providers I use.
Strike just rolled out in a bunch of new countries, are you able to get one of those cards yet?
I think there is Strike in my country but not sure about the card
I'm looking for a similar laptop for similar reasons..
Currently I like Acer with AMD Ryzen 7 7840U, but I'll wait some reviews https://news.acer.com/acer-announces-new-swift-edge-16-with-amd-ryzen-7040-series-processors-and-wi-fi-7
I have purchased multiple refurbished business-class Dell laptops over the past half decade. These laptops always come with Windows pre-installed which I immediately overwrite. I like these laptops because they are easily/cheaply repaired. You can get 16 GB RAM and a 1 TB SSD for pretty cheap.
Do you remove Intel ME? That's my main concern. Happy to pay more for a computer without it. Installing Linux is the first thing I'd do, too
I have not removed ME. I haven't tried to but am now curious.
My first choice would be the Slimbook series, anybody with any experience with it?
https://Frame.work is another option
Thanks