Is Librem 5 a "Cloud Phone"?


#21

Librem One has taken me by surprise and my initial reaction was to feel uneasy. I don’t think they’ve communicated about it very well.

Nowhere in the initial announcement did they mention it will be available on Android and iOS, or that it will use interoperable standards. Given the name, I assumed it was specifically for people with Librem hardware, and not using existing protocols and networks. That seemed out of character for Purism, and quite offputting.

I feel more comfortable knowing they’re not reinventing the wheel and that this won’t be forced on anyone. I suppose I was expecting them to offer something a bit like it eventually, but the branding caught me off guard and made me think it was something it wasn’t.

Nevertheless, I don’t trust Purism enough for me to use Librem One.

[Edit: sorry, I didn’t mean to reply to @derptacious with this, just to the thread.]


#22

All good - your input is appreciated; and I agree.

Part of being free is to be spied on if one wants. I just think it would be a shame to truncate the potential customers by millions due to making it hard for them to do some of the basics. Of course something like WhatsApp doesn’t need to be default, but it should be as easy as possible. With that many more customers, you can put that much more effort into privacy, security, and the whole project…


#23

To add to that … carefully explained, so that the user is giving informed consent.


#24

I would be curious what Edward Snowden would say to hear these words. I bet he would say it’s irresponsible and highly irrational, both for you and everyone else, to think and act like that. No offense to you or to anyone else, but we really haven’t done anything worth a damn on these forums if you can afford to casually say things like that in public. Then again, maybe it’s an honest mistake and maybe you didn’t read my post above (and everywhere else).


#25

If you count using WhatsApp as being spied on, then yes I think it was a reasonable thing for me to say. This is not to be conflated with what Snowden is talking about: mass NSA data mining, etc…

The feeling so far here is that after buying a Puri.sm phone, I will just use it as a hobbyist phone and thus gain no benefit because I’ll never be able to use it as my primary - or at least most people won’t. Personally, I’ll probably be able to rig some programs to work that Puri.sm wants to keep out - but 99% of people won’t know how to do that… So if I buy them a Puri.sm phone, then they will end up going back to their old big brother tracker phone just to be able to message someone on WhatsApp (I keep using this example because I think it is a good one).


#26

Shouldn’t the objective be to get away from the services/apps/platforms that spy on you not just the devices? Sure you have the freedom to choose to be spied on, but if that’s your choice there are easier ways to be spied on.

I think your larger point is you would prefer a more gradual transition instead of a rip off the band aid approach. Neither the faster nor slower approach is objectively better than the other, they each have their own pros and cons. I think purism’s objective is to make the rip and replace approach as viable as possible by providing alternatives for people to move to and providing those alternative apps on non-free devices so that the slow transition is not to have the apps that spy on you on a phone that doesn’t but rather to use apps that don’t spy on you until you can transition to a device that doesn’t.

At least for the average non-technical person. The more technical will put those apps that spy on you on the phone that doesn’t because they can and that is ok, but that is not something I think is wise for purism’s to actively develop because then they are essentially endorsing the spying which goes against their objectives. It also takes resources away from making progress on the parts that aren’t freed yet.

Just a thought.


#27

“Shouldn’t the objective be to get away from the services/apps/platforms that spy on you not just the devices?”

– Exactly what I’m saying. I’m saying this objective is much more easily met by first making it easier for more people to switch. The cause of the lack of choice is the other platforms being locked down. There is no evidence that being open to some “surveillance software” at first to allow people to switch (and then cracking down on it later when some critical mass has been reached) is a bad idea so far, I think. In fact, I think my experience working for software and hardware startups that were successful & have failed (no, I’m not gonna dox myself here) has shown me that some critical mass is imperative for a hardware/software company to succeed in the long run. I don’t want another n900, as I’ve said: I had 4 of those, and its lineage’s failure was so preventable. And I guess the reason I’m spending so much time in this forum is to sway opinion. However, I realize there are probably more effective ways for me to influence the decision making at Puri.sm. Maybe I just believe in grass roots wisdom in OSS… However… Haha… Maybe the quality of public discourse has gone down so much that it is impossible to transmit nuanced ideas any longer online.

I view the “closed first” OSS smartphone strategy to be subversive since I predict they will prevent long (or even medium) term success.

“Neither the faster nor slower approach is objectively better than the other, they each have their own pros and cons.”

– I don’t agree. If one method totally prevents a hardware platform from reaching critical mass, then absolutely!

Maybe this is really hard to see… Maybe I should just be writing letters to Puri.sm or pay an SF friend to go to events with them to influence them… But that seems exhausting. But it is frustrating being so close, yet so far from a platform that you can continue to use. Non-stop transition between modern, unstable technologies.

“but that is not something I think is wise for purism’s to actively develop”

– I’m not saying they need to… I haven’t even suggested it. Certainly they shouldn’t interfere every time something in this line is brought up on their forums… This is the place that like minded people are going to meet and actually work on things and plan their relationship with this technology. If people search for info about the phone they might buy to de-Google their lives, read this main forum, and reach the sentiment that so many things they’ll need to do day-to-day on their phone is not going to be possible (or even prevented) - then they certainly won’t even bother spending on it. At least sell a vision for being able to use it as their main phone in the future, but many people like myself will see through the idea that you’re going to force all of your friends to switch to special apps to talk to special-you… This is a delusion of the Richard Stallman-types.


#28

Rejoice, for Purism has listened to you and invented Librem One, a way for ordinary people to start enjoying some privacy in their current ecosystem, and when they are “ready”, they can do the switch very easily!

I know, you’ll not accept it. But that is because you think it is a reasonable position to say “I want to de-Google my life, but I’ll keep the good Facebook stuff!” You can safely assume you’ll waste your energy trying to swing anybody on this. And now I’m going to mathematically prove to you how unreasonable your approach is in comparison.

There are already millions of people using Matrix, building up a critical mass. Everybody using Librem One on their existing phones adds to that. By the year 2025, Purism will NOT have sold millions of Librem 5’s. And I very much would like to be wrong here. I hope you don’t want us to believe that a “slow transition” should take anything longer than 5 years. However,
by the end of the year, there will be ~10,000 Librem 5 users, and
by the end of next week, there will be ~10,000 Librem One users.
By the end of the year, Librem One might well have 6-digit figures.

Buying a pure, privacy minded phone for $600 and planning to install surveillance capitalism apps on it is like… buying a pure, white wedding dress to ride a motor cycle on a dirt track - just without the comical aspect of the latter.

Isn’t it just adorable how you don’t see the irony in trying to do exactly the same thing, convincing us that your way is the better one? (just not based on an ethical belief system)

More than 95% of the people in my surroundings were willing to install Threema, despite its entry barrier of paying a few bucks. Only two are stubborn enough to say “Wanna talk to me? Use WhatsApp”. So, they are not very different from your delusional Stallman types, just that they don’t have reasons.
“Everybody uses this” is not a reason. It’s a statement of submission.


#29

Boom!
@derptacious if it weren’t for those crazy Stallman types we would have been living in a VERY different world and perhaps NONE of the steps already taken on the path to liberate our digital lives would have been possible.

If it’s a personal freedom you are afraid of losing, then nothing stops you from using a Samsung and a Librem 5, each with its own philosophy intact.
You keep the Samsung in your left hand and the Librem 5 in your right hand and don’t mix them together … and when you are ready you can do what you please.

It’s more like a fetish nowadays to mix things up so in the end we don’t even know what is what … I’m just glad that with Purism we still get that “pure” spirit.


#30

Hmm … I think you have a very narrow view of what Snowden has unraveled.

from the above

In summer 2018, Abdulaziz’s cellphone was infected with a surveillance tool. This was first revealed on 1 October 2018 in a detailed forensic report by Citizen Lab,[44] a University of Toronto project that investigates digital espionage against civil society. Citizen Lab concluded with a “high degree of confidence” that his cellphone was successfully targeted with NSO Group’s Pegasus spyware and attributed this infection to an operator linked to “Saudi Arabia’s government and security services”.[44] NSO’s Pegasus, of which KSA has emerged as one of its biggest operators, is one of the most advanced spyware tools available. It is designed to infect cell phones without being detected. Among other known cases, KSA is believed to have used NSO software to target London-based Saudi dissident Yahya Assiri, a former Royal Saudi Air Force officer and founder of the human rights organisation ALQST, and an Amnesty International researcher.[45][46]


#31

@reC are you suggesting that the Librem phone cannot be hacked by determined government agencies with budgets higher than what we will make in our lifetime? That would be a naive assumption.


#32

First of all, it’s not really about budgets.

The non-free infrastructure itself is designed to facilitate intrusion and cover-up. Sure, it would be possible to hack/spy even if it were 100% freed, but that would be significantly harder to do. Most of the time the weakest link is the victim himself. That, and the fact that each user in his circle who probably used the same compromised infrastructure added to the information collection rate and success of the overall picture by the intelligence services.

The idea is to not rely on technology if you don’t know how it works. Basically the victim above was slain by his own TRUST of the hardware/software he was using. Could “they” have got to him in a different way? Sure, but the idea is to make it very hard in the first place … The sad thing is this happened after Snowden warned us of the high-level tech employed by governments nowadays.


#33

Free/Open Source does not always equal more secure. See Android vs iOS, and the poor state of security in the former: without using projects like CopperheadOS (or what is now GrapheneOS) your devices will stay vulnerable unless the vendor decides to update them.

In the vulnerability acquisition world, it’s all about budgets. If Librem 5 becomes popular enough, it will be added to the list here: https://zerodium.com/program.html and to similar companies’ “bounty” lists; researchers will find a way to exploit it and sell it to those companies, which will later sell it to governments.
Open Source is good for transparency, but has not proven itself, at least in the mobile security area.


#34

Those hardware kill-switches will certainly help though :slight_smile: If you don’t want people to know where you are, flip the baseband switch. For good measure, flip the bluetooth/wifi switch too.

You definitely hit upon a weakness in the Android environment, that very few people run on the latest version of Android, so the phones are not updated with the latest security patches. Though if you buy a (expensive) Pixel, that will help, since what software is available for that is in Google’s control, not Samsung/etc.

Also, the firmware code on mobile phones is proprietary. So that can be hacked too, and no one can inspect it. (Another advantage of Purism.)


#35

True. But we as individuals do not live directly inside that world, yet we can be influenced by it or influence it based on our willingness/knowledge.

How? At first each of us must be made aware that personal liberties and choices ALWAYS affect other people’s personal liberties and choices, even though it might seem far fetched at first.

A simple and direct explanation of this is the example set by the movie “Snowden” from 2016 by Oliver Stone, in the scene when the operator digs inside the social-media/chat circles and by the 4th degree circle it is revealed that a couple million people might be indirectly involved at any given point in time for “honey” gathering by intelligence agencies or other similarly equipped/willed third party companies/individuals. And that was an example used on someone who was considered “clean” by modern standards.


#36

Just make sure you properly understand what is free from a hardware/firmware standpoint inside the Librem 5/13/15 and what is not. It is not 100% free yet, but the INTENTION is to use the incoming cash to direct it to further improve that goal.


#37

I doubt that Purism got the source code for the Gemalto PLS8 baseband they are using.
So this part is not as different as with Pixels.

Nice read:


#38

It’s very different. You can turn it off, even remove it completely. When it’s on, it is a slave with no access to other components, especially memory. It only knows what you let it know, which is preferably encrypted data you send and receive. No modern phone gives you that.

Nobody in their sane mind would use Android as an example of free software.


#39

Sorry my friend, I’m not sure you understand how basebands work. Encrypted data between the baseband and userspace? How exactly? Even if they had the Gemalto source code, it would still require tremendous coding on top of it. The baseband receives raw radio packets and parses them. Perhaps you should read the paper I attached above for this purpose.

To turn it off? Yes you can with any other phone, it’s called Airplane mode. But can it really be a solution? Definitely not, since if you have a malicious flash SMS in the queue, anytime you bring it back on you are going to be exploited:

Or again, just read the research I attached, and there are many like them over the past years.
Here is one from a previous year, from other researchers:
https://www.usenix.org/conference/woot12/workshop-program/presentation/weinmann

The baseband sees all your carrier data in the clear, including calls, SMS, IMSI, location (based on the LAC/Cell ID your phone is currently connected to) and basically everything.
Once you exploit it, there is no difference in what kind of free open source apps you run on your phone; those are a different attack surface, mainly for advertising companies but not a sophisticated adversary.
Any company that claims to have an unhackable phone will be pwned and laughed about in the community, probably at the next infosec conference, and even Purism themselves don’t claim that is the case.

https://replicant.us

They do it, but practically it means nothing security wise, except outdated free firmware.

I respect what Purism does, but you sound like a fanboy.


#40

Oh, and you trust that?
I thought you were the one who is suspicious.
You certainly know that your baseband is never truly (reliably) off, unless you remove the battery.

Sure. Um… and why would that be a problem? So the baseband knows everything my carrier knows. And then? It sends this “secret knowledge” to the carrier, where the NSA collects it and… wait… why don’t they just keep tapping the ISP, like they always did?
As a bonus, from the ISP they (usually) also get my name, address, etc.

All the important data MUST already be encrypted when it passes the baseband. Why would you even think trusting (plain) SMS is a sane thing to do?
(Of course, applications exist that encrypt a SMS message before sending, but the meta data (timestamp, sender, receiver) is of course always there.)

The problem with other basebands (which are usually integrated with the CPU/SoC) is that you cannot reliably turn them off and can therefore always be tracked. Also, they usually have full access to the system (e.g. shared memory). Thus, if compromised, it can do basically everything with your phone.
I mean, isn’t that just the perfect crime: The payload resides only in memory and is installed every time you go online (but not if you’re a known security researcher).

Think of the baseband in the Librem 5 like a virtual machine vs. a device driver. You control the former; the latter can do as it pleases. Do we know about exploits to escape the sandbox? Sure. Yet nobody would say sandboxing is just marketing.

I would be surprised if Purism would claim such a stupid thing.

Can’t argue with that :sunglasses:
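The two posts above argue about what a compromised baseband can and cannot do when the application layer encrypts before handing data down. The model below is an added example, not code from Purism or from anyone in this thread: a message is sealed by the application, then passed to a "baseband" that sees only the over-the-air record. The cipher is an Encrypt-then-MAC construction built from HMAC-SHA256 (HMAC in counter mode as the keystream, a second HMAC as the tag) so that the block runs on a bare Python install; it is a teaching stand-in, not a vetted AEAD, and the names `OverTheAir`, `baseband_view` and the sample key and message are constructed for this example. It shows the point both sides agree on: the baseband still learns sender, receiver, timestamp and size, and it can still drop or delay the message, but it cannot read or silently alter the contents.

```python
"""Model of application-layer encryption sitting above an untrusted baseband.

Constructed example for this thread. The cipher is Encrypt-then-MAC from
HMAC-SHA256 so it runs on stdlib only; use a real AEAD in production.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN = 16


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one shared key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC in counter mode: concatenate PRF(nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> tuple[bytes, bytes, bytes]:
    """Return (nonce, ciphertext, tag); tag covers nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: message altered in transit")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


@dataclass(frozen=True)
class OverTheAir:
    """The record the application hands to the baseband for transmission."""
    sender: str
    receiver: str
    timestamp: int
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def app_send(key: bytes, sender: str, receiver: str, text: str, ts: int) -> OverTheAir:
    """Application layer: seal the text before it reaches the baseband."""
    nonce, ct, tag = encrypt(key, text.encode())
    return OverTheAir(sender, receiver, ts, nonce, ct, tag)


def baseband_view(msg: OverTheAir) -> dict:
    """Everything a compromised baseband (or the carrier) gets to read."""
    return {
        "sender": msg.sender,
        "receiver": msg.receiver,
        "timestamp": msg.timestamp,
        "payload_len": len(msg.ciphertext),
        "payload_hex": msg.ciphertext.hex(),
    }


def app_receive(key: bytes, msg: OverTheAir) -> str:
    """Receiving application: authenticate, then decrypt."""
    return decrypt(key, msg.nonce, msg.ciphertext, msg.tag).decode()


def tampered(msg: OverTheAir) -> OverTheAir:
    """A malicious baseband flipping one payload bit on the way through."""
    ct = bytearray(msg.ciphertext)
    ct[0] ^= 0x01
    return OverTheAir(msg.sender, msg.receiver, msg.timestamp,
                      msg.nonce, bytes(ct), msg.tag)


if __name__ == "__main__":
    key = bytes(range(32))  # constructed shared key for the demo
    m = app_send(key, "+15550001", "+15550002", "meet at 9", 1556668800)
    print("baseband sees:", baseband_view(m))
    print("receiver reads:", app_receive(key, m))
    try:
        app_receive(key, tampered(m))
    except ValueError as e:
        print("tampering detected:", e)
```

The metadata the baseband retains here (who, to whom, when, how much) is the same metadata #40 concedes is always visible; a real baseband additionally sees IMSI and cell identity, which this model does not represent. Nonces come from `secrets`, so a fresh keystream is used per message; reusing a nonce under this construction would leak the XOR of two plaintexts, exactly as with any stream cipher.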

