Birch Shipping Email Received

Help us Obbie, Juan, and Kenobi…
You’re our only hope :slight_smile:

In my mind, there is a major difference between when someone tracks you because you choose to transmit a signal and they triangulated your position while you transmitted, and the case where someone uses your own hardware against your will, to track you. For all practical purposes, maybe the tracking result is the same. But then again, maybe not. But the morals of these two different cases say everything about the difference between having a free country and living under an oppressive regime.

It’s all about who owns the phone and about consent. But when you show up in a public place, yeah, people are going to see you there. That doesn’t mean they have the right to search you simply because you showed up.

4 Likes

I think you’re missing the point that to receive a call the provider has to know where you are to send you the call. If you don’t want to receive calls and don’t want to be tracked, turn the hardware kill switch off.

I’m not saying I don’t want the baseband fully freed, I do, just that the particular concern you’re presenting is already addressed as best as is feasible and even with everything fully freed the kill switch is the most user-friendly solution that I’ve heard presented.

4 Likes

Exactly. The issue with the untrustable baseband is it is a ‘beachhead’ from which further attacks against the phone can be launched. We’re seeing lots of side-channel timing attacks against multithreaded CPUs. We now are putting untrustworthy devices on a USB bus. Sure, that keeps it from having DMA to the system memory, but it can still potentially exploit security problems with the kernel USB driver or similar. I’d far rather have an attacker have to get past a firewall on the modem first.

1 Like

Yup, I do agree that a baseband on USB is just a modem. Yes, the modem could be compromised, and there are some attack vectors via USB (e.g. to emulate an input device and attempt to control by sending keystrokes), but that’s a bit different security plane.

3 Likes

@kieran, you could have found for yourself information from the manufacturer that the scheduled date of introduction to production of Revision 4 was by PCN on CW10/2019. I have no further or current comment and don’t know if this helps at all, but it might help if nothing changed in scheduled production, even though I don’t think that such information would be available to the end user. There is nothing that I can guess about the linked info, other than that I might have some fear, as for every product there exists something that is called EOL. Furthermore, I believe that Purism searches continuously for the best solution or already has adequate modules (PLS8-E and PLS8-US) that they are able to control (USB serial drivers, firmware, etc.) on Linux OS. But if another adequate module manufacturer comes from China and has a “better” product like, just speculating, N75-X (FCC ID PJ7-N75-NA) from Shenzhen Neoway Technology Co., Ltd, why should I care where it is manufactured? Purism knows much better than I what they do and I trust them (like yourself). I think that my bottom line is like this: who makes final decisions for Gemalto nowadays is not my concern, but, IMO, it is not making life easier (or cheaper) for Purism either if Thales Group invests rather somewhere else / produces something else. And, if small companies are indeed making their decisions based on papers like the one I linked here, it is just coincidence because I’m just a customer (not a subject matter expert).

While I almost completely agree with what you are saying, this part

is flawed and led to the situation we have today with big techs who knew better what the average user needs. So we do need as peer-reviewers so watchdogs who can flag issues before it’s too late (even in form of Jay). I trust Purism way more than others but in general I can say - I don’t trust Purism (as myself). Which is why I want to understand the rationale behind choosing this or that component, because obviously all of the hw/sw choices will be highly criticized the more success this phone will be spinning. And I want to know (not believe) that those are still right. I can make my own opinion in the sw world but in hw I never went further than cortex m4 isa/architecture (if going from discrete logic via mcu/fpga to cpu).

2 Likes

You make a good point about how trust should work, I like it. IMO this type of technical decision making stuff is where transparency matters. As opposed to the internal details of schedule slippage or unexpected issues, where I wonder if transparency hurts more than it helps, but is still expected by backers.

the way this usually works is neither belief is completely devoid of knowledge nor knowledge is completely devoid of belief … you have to FIRST believe you will find something somewhere based on certain past experiences of you or somebody else or something/someone drawing you there BEFORE you will KNOW what exactly it is or IF it is (at all - like REAL - based on how our current reality works)

naturally this example is completely VOID for closed hardware/software because there is no way to establish a public precedence with current state-of-the-art hardware/software unless it’s reverse-engineered instantly as it is released to the market (and even then it might already be too late for that) > results in no conscious trust or trust that is not trust because it isn’t firmly anchored in anything TRUST-ABLE … :sweat:

2 Likes

I don’t want to go to the depths of absolute knowledge and 42 but I want to know reasoning.

2 Likes

@ruff, your point has a clear message and I agree with it and with what @muon and @reC added to it. Big tech treats me sort of like I am already settled down in an old people’s home, so there is everything I need, daily/nightly program, same bothering, but proofed music/approach and game.
Partly, I was referring to linked Product/Process Change Notification where it says: “Resulting in findings with some of our products that were damaged on their way to the customer. Hence Gemalto reduces the number of modules per reel from 500pcs. to 400pcs. Given this change the minimum order quantity of said products changes from 1.000 pcs. to 800 pcs. Customers are kindly asked to adjust order volumes to this granularity.” So “what they do” means deciding how many they are going to order, how many of those will be “alive”, just 95% or even less. In general there are many more things to be coordinated with BOM supply, production, etc. chain. As said, not familiar with every step, but aware it is very complex task and project that I believe in and wish (by eventually buying another phone from Purism) to succeed, with taking needed time.
In my age, it doesn’t matter any more to complete marathon run under five hours but (just) to see finish line and run through it somehow, but with joy. And, as said here many times before, besides healthy environment and many more hours of regular training with some errors/bad days, a lot of patience … to finally get to there (finishing line) without any self-injuries and by respecting all of the rules that apply (marathon registration fee inclusive) … is needed. Let us help Purism stay focused on to succeed on very first half marathon race, at the first place (without saying I’m actually helping much, just trying to). Ah, to myself, now is time for silence (even though there is new day just coming).

3 Likes

Apple would argue that it had reasonable quality control in China and perhaps that is because of their ongoing inspections or the pressure of their larger investments there. In any case, quality control can vary more or less wherever something is manufactured and inhumane conditions in some manufacturing have been found in the US as well as in China. So long as profit is more important than anything else, quality suffers. Slave labor may well be less prevalent in the US where at least other than prison labor, there is no state sanctioning of slave labor (or at least the trivial salaries given inmates in the US for their work while incarcerated).
Assumptions about quality are best left to specific enterprises discussed as versus on the supposed superiority of one nation’s overall performance versus another’s.

3 Likes

How does anyone outside of Apple know that? All I could find searching for “apple china quality control” were negative stories: iPads arriving bent from the factory, early hardware failures, and overheating issues in MacBook Pros, among other defects (Tom’s Guide); 5 million phones having to be returned to Foxconn in 2013 (China Business), (another article on this in English); and the “you’re holding it wrong” antenna issues with the iPhone 4 (Gizmodo). And on the note of inhumane working conditions, I’m not aware of any company in Germany or the US that has had to put up suicide nets.

Also, I don’t know why you’re going off about the US when the discussion is between modems “made in Germany” vs. China. That’s completely off topic.

My take is

  • if you speak out publicly about China or its activities, or
  • if you were born in China or have close relatives who were born in China, or
  • if you are in possession of commercial Intellectual Property or government secrets that would be of interest to the Chinese government

then you should definitely be worried about “Made in China”. Otherwise you should be at least as worried about your own government or a number of other governments.

My ultimate goal is 100% security. That isn’t achievable today. It may never be achievable.

I’m satisfied that Purism is doing as much as it realistically can for v1.

That assumes that the chip actually is ‘Made in Germany’. No one has confirmed that. (It doesn’t matter for my own Librem 5 because the bands supported by the Gemalto modems are no good for me.)

Trust isn’t the ultimate goal. Someone once said “trust but verify” :slight_smile: but really “verify is a substitute for trust”.

I need to echo that comment too. I understand that there are wider considerations but I am commenting only on the security aspects.

3 Likes

Try yelling “I support Hong Kong and I don’t care who knows!” in a house with Google Home. Then check to see if Nest locks the doors, the Huawei phone dials 911 and your Facebook and Twitter posts are demonetized or blocked.

3 Likes

I stated Apple would argue, not that it would prove anything. Quality control is never likely to be perfect, but considering the number of units and the attempts to deliver something new and unique early on and perhaps better performance more recently, the record is good, if not perfect by any means.
The working conditions are abysmal and we can see if the Texas facility for Apple just toured by Trump is any better.
As to the competitors in China and abroad, I have limited ideas as to how well facilities operate in other countries attempting to compete with China. As I compose this, I am at the keyboard of a Tuxedo Computer (Infinity Laptop) running Linux, assembled in Germany (Augsberg?) and built on a Chinese Clevo Chassis with a combination of a German main board and a variety of peripherals. I have no idea as to the conditions at most any of the facilities employed, though I hope that EU regulations can suggest some better conditions employed in the management of the workers there.

Perhaps you should try with ‘Alexa is much better than Google Assistant.’ :yum:
Kidding aside, visas to Harvard stipends have been denied because of what friends have written on social media. Granted, that is not incarceration or worse. But it is not like what happens in your home in front of Alexa will never end up in the hands of the FBI if a crime is suspected.

2 Likes

yes just like in the Minority Report film they would be there BEFORE you actually said anything … or was that only in case of murder ? :dizzy_face:

1 Like

Above statement led me to: FCC Supplier’s Declaration of Conformity (SDoC) - § 2.906 - ET Docket 15-170 - FCC 17-93,

Above led me to: EU Supplier’s Declaration of Conformity (SDoC) - ISO/IEC 17050-1:2004. Link to Nager IT PC Maus Konformitätserklärung by “encouraging humane working conditions in the factories of the electronic industries”.
Maybe someone experienced within field of SDoC creates separate topic, when suitable, on U.S. Conformity Assessment System (or broader) / Authorization of Radiofrequency Equipment because “SDoC may be an appropriate conformity assessment approach”. How is this related to CE marking, Japanese Giteki mark, etc. would be as well interesting to find out / get answer if applicable to Librem 5 (through SDoC approach, as “the market demands or allows it”).

Since I might not be the only one affected by this, I will answer my own question.

The shipping address that you see under My Account is not updated by your “Pre shipping alert” e-mail to ops. In fact, it still says Awaiting Shipment after receiving a tracking number. The e-mail with the tracking number contains the updated address.