"Security and data integrity" focused build

[carrierPigeon]

I am looking into building a desktop computer. I think that to start, it makes sense to narrow down the motherboard options.
Here are the focuses of my build: security, data integrity, open source (to reduce abuse to the user), affordable.

I will run Debian based linux, Ubuntu or Linux Mint. I am not really ready to delve into less newby friendly distros. Although I suppose that during the ownership of this computer I could get into that, depending on how difficult that is. I will also run some virtual machines. Probably the most "taxing" workload level that I would have is 2 browsers, 5 browser windows, a couple of LibreOffice spreadsheets, and Windows 10 with a program or two running in it.

So far, I have looked into open source motherboard firmware. My understanding is that the hardware for this is limited-- have to go old hardware (5+ years), Chromebook (too weak for my tastes), or high end (perhaps computer hardware retailers, System 76 or Purism, have something). So, I have somewhat thrown out the idea of open source motherboard firmware. I am open to the old machines if it is high on the security "scale." Maybe the open source motherboard firmware is more privacy focused vs security focused.

Next, I focused on ECC ram (data integrity). Probably a little pricy but not off the table.

Right now I am mostly focused on AMD vs Intel, and which motherboard manufacturer is good about providing security updates to their firmware.

 

[cdabc123]

Honestly I would take a look at some IBM power 9 gear. The tallos workstation comes to mind and may be the closest you will get to open sourse.

It hits all your check boxes except perhaps affordability. You have a budget?

 

[carrierPigeon]

Honestly I would take a look at some IBM power 9 gear. The tallos workstation comes to mind and may be the closest you will get to open sourse.

It hits all your check boxes except perhaps affordability. You have a budget?

I don't really have a budget per se. I wouldn't be thrilled about going over $500 but I might be able to use some parts that I already have (psu, Blu Ray drive, SSDs) and buy some parts with store loyalty points (probably will be limited on what I can buy with those, not much motherboard selection, for example).
Edit: I am ok with used parts.

 

[cdabc123]

I don't really have a budget per se. I wouldn't be thrilled about going over $500 but I might be able to use some parts that I already have (psu, Blu Ray drive, SSDs) and buy some parts with store loyalty points (probably will be limited on what I can buy with those, not much motherboard selection, for example).
Edit: I am ok with used parts.

I want to recommend a older dual xeon rig as you could easily do lots of ecc ram and it should play well with some of the other enterprise hardware I would recommend for a drive setup. However I dont believe that is going to be any more "secure" then any modern hardware. Maybe amds new cpus would be a decent direction to look but you still wont be talking about anything open source. You could hit a pretty low budget with the right dual xeon setup and be able to run a few browsers and vms with no issue.

What ssd(s) do you have? when you talk about data integrity I think of more then a single consumer level ssd (in addition to proper backups)

 

[carrierPigeon]

I want to recommend a older dual xeon rig as you could easily do lots of ecc ram and it should play well with some of the other enterprise hardware I would recommend for a drive setup. However I dont believe that is going to be any more "secure" then any modern hardware. Maybe amds new cpus would be a decent direction to look but you still wont be talking about anything open source. You could hit a pretty low budget with the right dual xeon setup and be able to run a few browsers and vms with no issue.

What ssd(s) do you have? when you talk about data integrity I think of more then a single consumer level ssd (in addition to proper backups)

What you are saying sounds good.
In terms of security, I should probably invest time in improving software/ user practices. To invest in security focused hardware might involve a substantially increased budget.

What the first poster recommended sounded interesting but might touch more into the $2k price range. I am guessing that it uses a fair bit of power, judging from the hype on the IBM website.

I just have consumer level SSDs. Probably more on the junky side, based on the prices I paid. I am not sure that I could devote all 3 of these to the computer but maybe.
Western Digital 250 GB WDS250G1B0A
Kingston 240 GB SA400S37240G
Sandisk 480GB SDSSDA-480G-G25

Like you touch on, I think it would be very interesting to compare some older hardware to newer hardware and understand the pros and cons. There is a pretty good chance that I wont be buying for a while (like 6 mo or more) but it would be good to have things on my radar.

Maybe I can add in the consideration "stability" instead of security.

Another thing that I just thought of is hosting video data from some security cameras. I have yet to buy the security cameras. But, maybe I should just do that from a different machine. Off site probably has a lot of advantages anyway.

 

[cdabc123]

What you are saying sounds good.
In terms of security, I should probably invest time in improving software/ user practices. To invest in security focused hardware might involve a substantially increased budget.

What the first poster recommended sounded interesting but might touch more into the $2k price range. I am guessing that it uses a fair bit of power, judging from the hype on the IBM website.

I just have consumer level SSDs. Probably more on the junky side, based on the prices I paid. I am not sure that I could devote all 3 of these to the computer but maybe.
Western Digital 250 GB WDS250G1B0A
Kingston 240 GB SA400S37240G
Sandisk 480GB SDSSDA-480G-G25

Like you touch on, I think it would be very interesting to compare some older hardware to newer hardware and understand the pros and cons. There is a pretty good chance that I wont be buying for a while (like 6 mo or more) but it would be good to have things on my radar.

Maybe I can add in the consideration "stability" instead of security.

Another thing that I just thought of is hosting video data from some security cameras. I have yet to buy the security cameras. But, maybe I should just do that from a different machine. Off site probably has a lot of advantages anyway.

It may be worthwhile to go with a dual Xeon rig then. Lga 2011 or 2011v3 depending on your budget. You can easily get 48gb of ddr3 ecc ram for cheap.

I like supermicro motherboards for any type of virtualization.

As far as stability goes. I would grab a new good quality psu. If your really trying to stretch a budget used enterprise supermicro psus are great (I used to use them heavily for mining)

Grab a cheap raid controller and throw some identical ssds in a raid config (also backup your data) if you need capacity sas hdds are dirt cheap ($10 a TB or so)

I would agree invest time in the software and practice of security as your only going to get so far with hardware until you are talking about somthing outside the scope of what amd or Intel offers.

 

[carrierPigeon]

It may be worthwhile to go with a dual Xeon rig then. Lga 2011 or 2011v3 depending on your budget. You can easily get 48gb of ddr3 ecc ram for cheap.

Dual Xeon looks interesting. Seems like the advantages are (1) good "bang for the buck" on the processor performance; (2) might help with access to inexpensive ECC ram; (3) good for programs that can use a lot of threads. Drawbacks: (1) more power consumption; (2) could be some downside with running old motherboard firmware; (3) poorer single-thread performance.
Seems like there is not much on the market with ECC ram. Modern AMD consumer (household) processors can support it?

I like supermicro motherboards for any type of virtualization.

Thanks. One thing that I did read is, "Chinese manufacturer added a very suspicious chip to a small number of Supermicro boards. That's obviously very bad news." Could be untrue or not applicable.

As far as stability goes. I would grab a new good quality psu. If your really trying to stretch a budget used enterprise supermicro psus are great (I used to use them heavily for mining)

I have a bronze Corsair power supply. I forget the wattage but probably a little weak for dual Xeon. Also, it sounds like dual Xeon does not use the processor as the GPU. So I guess that adds more to the power need.

Grab a cheap raid controller and throw some identical ssds in a raid config (also backup your data) if you need capacity sas hdds are dirt cheap ($10 a TB or so)

I like the idea of being able to swap drives out.
The logic is malware protection. For example, with 2 external drives, connecting only 1 at a time, you have more of a chance that some data lives through the storm.
But, raid seems good. Maybe it's good primarily against bitrot.

I would agree invest time in the software and practice of security as your only going to get so far with hardware until you are talking about somthing outside the scope of what amd or Intel offers.

Yes, maybe hardware for security is high hanging fruit. Then again, maybe there is something available. For example, to stay on top of motherboard firmware, maybe you could 1) use a Chromebook for the more seedy internet browsing; or 2) upgrade motherboard frequently/ go with supplier that is reliable and doesn't "end of life" the motherboard too quickly. The other thing that I wonder about is whether the open source motherboard firmware is privacy focused or security focused (which one is it focused on, or how each is weighted).

 

[carrierPigeon]

I wonder how Oracle VM VirtualBox & Windows 10 home will do with dual Xeon.
Seems like Windows 10 home supports only 1 physical processor.
Maybe you can assign Windows 10 1 physical processor and the other processor can be for the host operating system.

 

[cdabc123]

Dual Xeon looks interesting. Seems like the advantages are (1) good "bang for the buck" on the processor performance; (2) might help with access to inexpensive ECC ram; (3) good for programs that can use a lot of threads. Drawbacks: (1) more power consumption; (2) could be some downside with running old motherboard firmware; (3) poorer single-thread performance.
Seems like there is not much on the market with ECC ram. Modern AMD consumer (household) processors can support it?


Thanks. One thing that I did read is, "Chinese manufacturer added a very suspicious chip to a small number of Supermicro boards. That's obviously very bad news." Could be untrue or not applicable.


I have a bronze Corsair power supply. I forget the wattage but probably a little weak for dual Xeon. Also, it sounds like dual Xeon does not use the processor as the GPU. So I guess that adds more to the power need.


I like the idea of being able to swap drives out.
The logic is malware protection. For example, with 2 external drives, connecting only 1 at a time, you have more of a chance that some data lives through the storm.
But, raid seems good. Maybe it's good primarily against bitrot.


Yes, maybe hardware for security is high hanging fruit. Then again, maybe there is something available. For example, to stay on top of motherboard firmware, maybe you could 1) use a Chromebook for the more seedy internet browsing; or 2) upgrade motherboard frequently/ go with supplier that is reliable and doesn't "end of life" the motherboard too quickly. The other thing that I wonder about is whether the open source motherboard firmware is privacy focused or security focused (which one is it focused on, or how each is weighted).

I am on mobile so I cannot easily format my response to have it directly address the points. Let me know if anything is unclear.

Your advantages and disadvantages look mostly correct. I would like to note that although it will be more power consumption we are still talking less then 300w full load. You will also have to look at mitigation strategies for spectre/meltdown. On a decent dual Xeon rig it may be worthwhile to consider disabling hyperthreading instead of taking the prefermance hit of the patch. I have a lga 2011v3 es xeon that faired pretty well through this as it was a 10core 10thread chip so wasnt impacted by the vulnerability. Ddr3 ecc is extremly easy to find. Its about $0.50 a GB.

The only other thing I would consider worthwhile to look at is modern consumer ryzen chips. However they are currently kinda difficault to find for a good price and you would most likely have to give up ecc ram (they do support ddr4 unbuffered ecc but that would be more expensive)

I read that story on the supermicro motherboard chips as well. If I remember it right it shouldnt impact any of the boards you are looking at. I also wouldn't think less of supermicro as a result as they do provide quality boards and support them well.

Who are you trying to have privacy from? If you are seriously trying to have privacy from foreign and domestic governments I dont believe you can do that with any Intel or amd combination (or cromebook). It *might* be possible with a IBM power setup as they do allow for a serious degree of controll over almost all aspects of the system.

The only other soulution would be design a fpga or asic for a specific workload or possibly draft a arm based system from carefully soursed components. I dont belive either of these solutions are practical so just be aware of the degree of privacy you can practically obtain.

Raid is a decent idea if you want to get by with cheaper hard drives and less downtime however proper backups are essential.

Dont use windows 10 for any security, privacy, or performance based workload. Dont use win 10 home. (Win 10 home will only work with 1 CPU unless your running it in esxi)

Use linux where you can and if your virtulizing stuff esxi is a decent option.

2019 server is a much better experience then windows 10 in almost every way

 

[robijito123]

I would suggest looking at exploits available for the gen of processors you are looking at, and seeing if Supermicro has actually put in hardware or firmware fixes for the major exploit vectors that are in the wild, like spectra meltdown and the numerous varians. Since you are saying your workload is very light I would suggest getting on silicon that has as much patched out as possible, maybe even moving to a 11th gen intel i3 or what ever quad they come out with for sub $100. Also I would be very weary of long term support say past 2 years where you actually are getting manufacture patching unless you stick with something in AMD relalm (note am4 maybe has a refresh left in it), or a major mfg like dell.