An email yesterday says that they are considering a process where the mobile can be reset/wiped with a PIN number. The aim is that if you are compelled to open your phone, this allows you to wipe it.
I love this idea and wonder if such a development is possible on something like the L5.
The idea, as such, is not new, but kudos to them for implementing it. It’s far from the only security feature (or way to implement it) that login could and should have… (In one related discussion, it was said that in Linux we could do it ourselves, but as I see it, it would need someone familiar with the login system very well to make it secure and auditable. I was thinking of setting a code bounty on it, if Purism doesn’t update their poor PIN login - which has been hinted, if memory serves.)
I don’t view such a feature as strictly necessary, if you have full device encryption, which the librem 5 is supposed to have eventually. Since any person that could compel you to unlock your phone would likely have the authority to punish you for destroying the data (or replacing it with randomly generated but plausible data).
Also, you’d have to remember the wipeout PIN, which is difficult since you’d probably rarely ever use it.
I mean, maybe it could serve well if whatever you’re protecting is worth what they’d do to you if you deleted the data.
You are thinking only in terms of one particular type of entity compelling. This entity may not have legal authority, nor governmental, and the data destruction penalty may be less than the damage done to the lives of third parties - you may not be thinking of yourself. Think global. And remembering how to do that is easier for those that have such threat profiles, and not something you have to use. Also, this, I think, is in general only one potential thing such features could be used for: there are several additional and alternative things a device could be made to do in varying scenarios, given the possibility to have login options - many of them quite positive.
I did think of one really unpleasant scenario that I don’t and probably shouldn’t think about every day, but I edited it out of my post because I was concerned about some of the words I’d have to use to describe it.
So, I should instead say that the feature is nice to have, but I would imagine you’re probably not in a good place if you can even expect to need something like that, not necessarily through any fault of your own.
For example, you might be selling the phone or handing it down and just want a simple way of not giving away any data along with the phone.
No matter the reason, you do want to ensure that wiping the phone does not occur accidentally!!
If you are concerned about a duress scenario then it’s not as if you will want the phone to prompt for confirmation: Do you really want to wipe all data on the phone?
Also, for instance one way would be to have PIN/PW plus one additional number, 0-9. Each number could be assigned an additional function. One could login with SW locks on all sensors on, another could send location to mum (provided HW lock is not on), third could open system without decrypting certain folders or drives, fourth could start voice recording and fifth could start video streaming or take a pic to your photographic random Twitter-feed. And so on.
Do you have a reason for wanting to do that surreptitiously? Otherwise all of that could be achieved by having 10 buttons on your main screen (the screen that is displayed after you unlock).
Where does surreptitiousness sit on the scale between negative and positive?
That was only one example of the implementation possibilities. With some of those actions it may be a benefit, with some it doesn’t matter that much. In some cases I’d imagine different user situations might alter that equation. Some actions may need to be executed before GUI and system initializes, so that actions could not be prevented from happening (say, delete and overwrite x100 drive decryption keys). I don’t think we should set the limits how a user wants to set that up - just make it possible to use more alternatives (such as some that I previously described with “Malform”).
I’m not personally a fan of duress codes that wipe data as a security measure for that threat. In some jurisdictions that would be considered evidence tampering and may cause you more grief. In the “rubber hose” threat model it would just cause you a different type of grief.
So I personally won’t be pushing for that kind of spycraft for the L5, but of course you are free to develop it yourself if you want it. Instead, I favor what I’ve described as “user personas” in this article as well as in a few places here in the forum whenever travel spycraft on the Librem 5 comes up.
To summarize, I think the safest approach is one that allows you to fully comply with customs/border agents or other officials, and not one that requires you to lie (you are not as good a liar as they are lie detectors), conceal, or smuggle something. So with user personas, before you travel you back up your home persona and replace it with your “travel persona” or “border persona” that only has the data, accounts, and information you need while traveling. Then if someone compels you to turn over your phone, you can comply without putting anything at risk. Then when you get home (or get through a border checkpoint, or whatever the situation is) you can potentially (depending on your threat) restore a different persona from local or remote storage.
Just to add to this, we don’t have an automated way to swap user personas today, but due to the simplicity of Linux users and the fact that sensitive data and settings tend to live under your home directory, it would be easy to do this manually:
- Use the GUI Backup app to backup your home directory somewhere (microSD card, network storage, etc)
- Erase the contents of /home/purism completely and reboot.
- Start with no personal settings and set up your new travel persona with saved accounts/passwords/files/app settings you need.
- Back that up as your travel persona, erase /home/purism again, and restore your original /home/purism persona.
- To swap between personas, just erase/restore /home/purism.
If no one beats me to it, this seems like a relatively simple GUI project to script up with yad using deja dup behind the scenes, if I find some time.
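The save / erase / restore steps above, scripted as an added example (this is not Purism’s code and not the yad/deja-dup GUI mentioned in the post). The PERSONA_HOME and PERSONA_STORE variables are hypothetical settings I introduced; they default to /home/purism and a placeholder microSD path. The erase step deletes hidden dotfiles as well as visible files but leaves the home directory itself in place, and it refuses to run against an empty, missing, or top-level path so the wipe cannot happen by accident.

```shell
#!/bin/sh
# Added example, not Purism's code: manual "persona" swap for a Librem 5 home
# directory, following the save / erase / restore steps from the post above.
# PERSONA_HOME and PERSONA_STORE are assumed (hypothetical) settings; the
# /media/microsd path is a placeholder for wherever your card is mounted.
set -eu

PERSONA_HOME="${PERSONA_HOME:-/home/purism}"
PERSONA_STORE="${PERSONA_STORE:-/media/microsd/personas}"

# Archive everything under $PERSONA_HOME (dotfiles included, because tar is
# given "." rather than a shell glob) as $PERSONA_STORE/<name>.tar.gz.
persona_save() {
    mkdir -p "$PERSONA_STORE"
    tar -C "$PERSONA_HOME" -czf "$PERSONA_STORE/$1.tar.gz" .
}

# Remove every entry directly under $PERSONA_HOME, hidden ones too, but keep
# the directory itself so the next login starts from first-boot defaults.
persona_erase() {
    case "$PERSONA_HOME" in
        ""|/|/home) echo "refusing to erase '$PERSONA_HOME'" >&2; return 1 ;;
    esac
    [ -d "$PERSONA_HOME" ] || { echo "not a directory: $PERSONA_HOME" >&2; return 1; }
    find "$PERSONA_HOME" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} +
}

# Erase the current contents, then unpack a previously saved persona.
persona_restore() {
    archive="$PERSONA_STORE/$1.tar.gz"
    [ -f "$archive" ] || { echo "no such persona: $1" >&2; return 1; }
    persona_erase
    tar -C "$PERSONA_HOME" -xzf "$archive"
}

# Names of the personas currently in the store, one per line.
persona_list() {
    [ -d "$PERSONA_STORE" ] || return 0
    for f in "$PERSONA_STORE"/*.tar.gz; do
        [ -f "$f" ] || continue
        basename "$f" .tar.gz
    done
}

# Command-line use:  persona.sh save home | erase | restore travel | list
case "${1:-}" in
    save)    persona_save "${2:?persona name required}" ;;
    erase)   persona_erase ;;
    restore) persona_restore "${2:?persona name required}" ;;
    list)    persona_list ;;
    "")      ;;   # no subcommand: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 {save|restore} <name> | erase | list" >&2; exit 2 ;;
esac
```

Run it as the phone user after logging out of every app, e.g. `persona.sh save home` before travel, `persona.sh erase`, set up the trimmed persona, `persona.sh save travel`, and `persona.sh restore home` afterwards. Because the archive holds tokens and saved passwords, keep the card itself encrypted or off the device while crossing the border; and, as a later reply in this thread notes, deleted files on flash storage are not reliably unrecoverable, so the swap reduces what is visible on the live system rather than guaranteeing erasure.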
Does this mean … leave the /home/purism directory itself present but remove all the files from that directory?
I don’t think I’ll be rushing to test this procedure.
Fortunately crossing borders is not something that people can really do at the moment anyway.
Yes. You’d erase all the files (including hidden files that start with ‘.’) underneath /home/purism but leave /home/purism intact. I double-checked with others on the team and because all of the settings you set at first boot ultimately get stored there, it should just reset you back to your first boot state (at least in terms of user settings, any system-level apps or packages you installed previously would still be there).
[Edited to add] I should note that this is essentially what I’ve documented in my backup and restore article and perform each time I’ve migrated my settings and files from one Librem 5 phone to another. The main difference is I back up and restore a few additional things, like my openvpn configs from /etc and my user crontab, as well as restore any uninstalled apps (as I assume I’m starting from a blank, new image).
It looks as if shred is installed by default on the Librem 5. Tick. However, there isn’t really any foolproof way of erasing content on a solid state device.
With switchable personae, what do you do about, for instance, email/call/chat connectivity and history, and contacts, which are things that would be of definite interest if your phone is being targeted at international borders? (And things you wouldn’t want to be without while traveling.)
All of that would be erased if you switched to a different persona. So you would set up the travel persona only with the contacts you need while traveling (perhaps hotels/restaurants/etc and people you are traveling with, credit card contact numbers and perhaps an emergency contact if you need it).
For example, see here for call history: Sound on Librem5
On the other hand, you can’t erase the copy that the government is storing.
And I guess you would have to use only web-based email (inconvenient), delete any chats, and not store any passwords on the device.
It is assumed that all of that is buried somewhere in ~purism, but you ought to audit that if you are seriously concerned.