Is Librem 5 a "Cloud Phone"?

boom !
@derptacious if it weren’t for those crazy Stallman types we would have been living in a VERY different world and perhaps NONE of the steps already taken on the path to liberate our digital lives would have been possible.

if it’s a personal freedom you are afraid of losing then nothing stops you from using a Samsung and a Librem 5 each with its own philosophy intact.
you keep the Samsung in your left hand and the Librem 5 in your right hand and don’t mix them together … and when you are ready you can do what you please.

it’s more like a fetish nowadays to mix things up so in the end we don’t even know what is what … i’m just glad that with Purism we still get that “pure” spirit

3 Likes

hmm … i think you have a very narrow view of what Snowden has unraveled.

from the above

In summer 2018, Abdulaziz’s cellphone was infected with a surveillance tool. This was first revealed on 1 October 2018 in a detailed forensic report by Citizen Lab,[44] a University of Toronto project that investigates digital espionage against civil society. Citizen Lab concluded with a “high degree of confidence” that his cellphone was successfully targeted with NSO Group’s Pegasus spyware and attributed this infection to an operator linked to “Saudi Arabia’s government and security services”.[44] NSO’s Pegasus, of which KSA has emerged as one of its biggest operators, is one of the most advanced spyware tools available. It is designed to infect cell phones without being detected. Among other known cases, KSA is believed to have used NSO software to target London-based Saudi dissident Yahya Assiri, a former Royal Saudi Air Force officer and founder of the human rights organisation ALQST and an Amnesty International researcher.[45][46]

1 Like

@reC are you suggesting that the Librem phone cannot be hacked by determined government agencies
with budgets higher than what we will make in our lifetime? That would be a naive assumption.

first of all it’s not really about budgets.

the non-free infrastructure itself is designed to facilitate intrusion and cover-up. sure it would be possible to hack/spy even if it were 100% freed but that would be significantly harder to do. most of the time the weakest link is the victim himself. that and the fact that each user in his circle who probably used the same compromised infrastructure added to the information collection rate and success of the overall picture by the intelligence services.

the idea is to not rely on technology if you don’t know how it works. basically the victim above was slain by his own TRUST of the hardware/software he was using. could “they” have got to him in a different way ? sure - but the idea is to make it very hard in the first place … sad thing is this happened after Snowden warned us of the high-level tech employed by government nowadays.

2 Likes

Free/Open Source does not always equal more secure. See Android vs iOS, and the poor state of security
in the former, without using projects like CopperheadOS (or what is now GrapheneOS) your devices will stay
vulnerable unless the vendor decides to update them.

In the vulnerability acquisition world, it’s all about budgets. If Librem 5 will be popular enough, it will be
added to the list here: https://zerodium.com/program.html and to similar companies “bounty” list, researchers
will find a way to exploit it and sell it to those companies, which they will later sell to governments.
Open Source is good for transparency, but did not prove itself at least in the mobile security area.

Those hardware kill-switches will certainly help though :slight_smile: If you don’t want people to know where you are, flip the baseband switch. For good measure, flip the bluetooth/wifi switch too.

You definitely hit upon a weakness in the Android environment, that very few people run on the latest version of Android, so the phones are not updated with the latest security patches. Though if you buy an (expensive) Pixel, that will help, since what software is available for that is in Google’s control, not Samsung/etc.

Also, the firmware code on the mobile phones is proprietary. So that can be hacked too, and no one can inspect it. (Another advantage of Purism).

1 Like

true. but we as individuals do not live directly inside that world but we can be influenced by it or influence it based on our willingness/knowledge.

how ? at first each of us must be made aware that personal liberties and choices ALWAYS affect other people’s personal liberties and choices even though it might seem far fetched at first.

a simple and direct explanation to this is the example set by the movie “Snowden” from 2016 by Oliver Stone - in the scene when the operator digs inside the social-media/chat circles and by the 4th degree circle it is revealed that a couple million people might be indirectly involved at any given point in time for “honey” gathering by intelligence agencies or other similarly equipped/willed third party companies/individuals. and that was an example used on someone who was considered “clean” by modern standards.

1 Like

just make sure and properly understand what is free from a hardware/firmware standpoint inside the librem 5 13/15 and what is not. it is not 100% free yet but the INTENTION is to use the incoming cash to direct it to further improve that goal.

I doubt that Purism got the source code for the Gemalto PLS8 baseband they are using.
So this part is not as different as with Pixels.

Nice read:

It’s very different. you can turn it off, even remove it completely. When it’s on, it is a slave with no access to other components, especially memory. It only knows what you let it know, which is preferably encrypted data you send and receive. No modern phone gives you that.

Nobody in their sane mind would use Android as an example of free software.

1 Like

Sorry my friend, I’m not sure you understand how basebands work. Encrypted data between the baseband and userspace? How exactly, even if they had the Gemalto source code, it would still require tremendous coding on top of it. The baseband receives raw radio packets and parses them. Perhaps you should read the paper I attached above for this purpose.

To turn it off? Yes you can with any other phone, it’s called Airplane mode. But can it really be a solution? Definitely not, since if you have a malicious flash SMS in the queue, anytime you bring it back on you are going to be exploited:

Or again, just read the research I attached, and there are many like them over the past years.
Here is one from a previous year, from other researchers:
https://www.usenix.org/conference/woot12/workshop-program/presentation/weinmann

The baseband sees all your carrier data in clear, including calls, SMS, IMSI, location (based on LAC/Cell ID your phone is currently connected to) and basically everything.
Once you exploit it - there is no difference in what kind of free open source apps you run on
your phone, those are a different attack surface mainly for advertising companies but not a
sophisticated adversary.
Any company that will claim to have an unhackable phone will be pwned and laughed about in the community,
probably on the next infosec conference, and even Purism themselves don’t claim it is the case.

https://replicant.us

They do it, but practically it means nothing security wise, except outdated free firmware.

I respect what Purism does, but you sound like a fanboy.

Oh, and you trust that?
I thought you were the one who is suspicious.
You certainly know that your baseband is never truly (reliably) off, unless you remove the battery.

Sure. Um… and why would that be a problem? So the baseband knows everything my carrier knows. And then? It sends this “secret knowledge” to the carrier, where the NSA collects it and… wait… why don’t they just keep tapping the ISP, like they always did?
As a bonus, from the ISP they (usually) also get my Name, address, etc. pp.

All the important data MUST already be encrypted when it passes the baseband. Why would you even think trusting (plain) SMS is a sane thing to do?
(Of course, applications exist that encrypt a SMS message before sending, but the meta data (timestamp, sender, receiver) is of course always there.)

The problem with other basebands (which are usually integrated with the CPU/SOC), is that you cannot reliably turn them off and can therefore always be tracked. Also, they usually have full access to the system (e.g. shared memory). Thus, if compromised, it can do basically everything with your phone.
I mean, isn’t that just the perfect crime: The payload resides only in memory and is installed every time you go online (but not if you’re a known security researcher).

Think of the baseband in the Librem 5 like a VirtualMachine vs. a device driver. You control the former, the latter can do as it pleases. Do we know about exploits to escape the sandbox? Sure. Yet, nobody would say sandboxing is just marketing.

I would be surprised if Purism would claim such a stupid thing.

Can’t argue with that :sunglasses:

2 Likes

The calls, SMS, Cell ID location, IMSI - are known to the carrier anyway. We will have the option to not use SMS and voice calls at all, even further reducing what the carrier knows. The basically everything bit is behind USB interface in Librem 5, so inaccessible to the baseband. In the most paranoid mode (but still online), the carrier will know what VPN service you use, and that you use it at max capacity 24/7.

4 Likes

once EVERYBODY starts doing that it won’t be a factor anymore except the fact that in general just using a librem 5 makes you stand out period. buying a librem 5 marks you as #hacktivist ?

Well, either you flood vpn with constant stream of data, or you give away information of when and for how long you used internet, what were the response times of services you accessed, and amount of data transferred. That might be a lot.

I still think I’m not paranoid enough :slight_smile:

3 Likes

I think the only thing worse than ordering a Librem 5 (and now mentioning NSA for the 8th time) I ever did, was to read some LinuxJournal article. Think twice before clicking. #StaySafeOnline
NSA: Linux Journal is an “extremist forum” and its readers get flagged for extra surveillance

3 Likes

just had a brief Shawshank Redemption moment

Late to the party I know, however, instead of the cloud why not just back it up at home. Think old-school iPhones. A script to auto backup every time you are on a preselected WiFi network (make it user selectable, nightly at 1AM, etc) shouldn’t be that hard to write.

1 Like

https://www.ezeelinux.com/bash-scripts/ - look at BU

this is an example about how even a bash script (no UI) can be good enough - but it’s probably not quite what you are looking for

That is reasonable, but it should become an official Librem software or something… Can have a community bash script that we change some variables in and knows the locations of most things one would need backed up.

1 Like
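A sketch of the home-backup script proposed in the last few posts, added here as an example and not taken from any poster or from Purism. It assumes NetworkManager's `nmcli` and `rsync` over SSH are available; the SSID names, host name and paths are hypothetical placeholders. Because an SSID is only a broadcast name, the script treats it as a trigger and relies on a pinned SSH host key to decide whether the server is really the home machine.

```shell
#!/bin/sh
# Added example: back up to a home server only when on a trusted Wi-Fi network.
# All values below are hypothetical placeholders; adjust before use.
TRUSTED_SSIDS="HomeNet
HomeNet-5G"                                   # one allowed SSID per line
BACKUP_HOST="backup@nas.home.example"         # home server reached over SSH
BACKUP_SRC="$HOME/"
BACKUP_DEST="librem5/"
KNOWN_HOSTS="$HOME/.ssh/backup_known_hosts"   # contains only the pinned host key

# Read `nmcli -t -f ACTIVE,SSID dev wifi` output ("yes:HomeNet") on stdin and
# print the SSID of the active connection. Returns 1 if none is active.
# Note: nmcli escapes a colon inside an SSID as "\:" in terse mode.
active_ssid() {
    while IFS= read -r line; do
        case "$line" in
            yes:*) printf '%s\n' "${line#yes:}"; return 0 ;;
        esac
    done
    return 1
}

# Exact whole-line match against the allow-list: no regex, no substrings,
# so "HomeNet-Guest" or "Home" never pass for "HomeNet".
is_trusted_ssid() {
    [ -n "$1" ] && printf '%s\n' "$TRUSTED_SSIDS" | grep -Fxq -- "$1"
}

run_backup() {
    ssid=$(LC_ALL=C nmcli -t -f ACTIVE,SSID dev wifi | active_ssid) || return 1
    is_trusted_ssid "$ssid" || return 1
    # The SSID can be imitated by any access point, so the host key is the
    # real gate: ssh refuses to connect unless the key matches KNOWN_HOSTS,
    # and BatchMode prevents any interactive prompt from an unattended run.
    rsync -a --partial \
        -e "ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$KNOWN_HOSTS" \
        "$BACKUP_SRC" "$BACKUP_HOST:$BACKUP_DEST"
}

# Run only when asked, e.g. from a nightly cron entry: backup.sh --run
if [ "${1:-}" = "--run" ]; then
    run_backup
fi
```

The pinned key file can be created once, while on the home network, with `ssh-keyscan` and then checked by hand against the server's own fingerprint.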