Librem 5 concern


#142

Thanks I was legit searching and trying to figure that out. I appreciate the insight.


#143

I would like to thank everyone who has contributed here. The discussions nudged me closer to the edge and so I jumped and ordered a Librem5. I bought the Librem13 after years of running linux on inferior hardware and now cannot imagine running anything else. Why should I discount my experience with the laptop (which has been fantastic)? So when it comes to the phone, I hope it will be the same. It will take some change after 11 years of iOS but I went from 18 years of MacOS to linux and would not go back.
Now time has already slowed in anticipation… Psyched.


#144

I work within the industry. Been in the game for 15+ years. Specifically pen-testing and security. Plus I’ve worked previously in project management and budgeting. So I have a basis to sift through the nonsense on this forum and give facts.

Anyone who has called the OP a troll should be ashamed of themselves. Unfortunately, this community is no different than any other forum such as security software forums, investing forums, cryptocurrency forums, or what have you. Anyone that comes along who posts something contrary to the hive mentality is branded a troll, a basher, a hater.

That is just pathetic. It’s also offensive in that it is just plain online forum bigotry. It’s the behavior of people who are emotionally involved, overly sensitive, and intolerant to anyone that does not praise whatever with all “rainbows and unicorns.” Fanbois are classically the ones that get defensive and immediately lash out against posts that they do not like.

Meanwhile, people here routinely bash the choices of others who instead choose Android or iPhone. But that hypocrisy is OK because it is part of the hive agenda. It’s OK to be an online bigot when people come along that don’t agree with every last bit of your “social movement” device and the general attitude here.

Removing apps from a mobile device improves privacy. It also increases security insofar as it reduces the attack surface of the removed app. However, it is false to claim that increased privacy increases security. No it does not.

I find it curious that people are obsessive-compulsive about their devices, yet their data is already out there. Anyone who has a bank account, a credit card, was a student, has a student loan, has gotten medical or dental care, shops online, and so on, has shared their personal data with 2nd, 3rd, 4th parties. And that data resides within many databases on servers that are very often insecure.

Moreover anyone’s data can be compromised when they use their device to communicate (interface and exchange data) with another device via that device being hacked and pwned. So the data you send to another system can be stolen without involving your device in the first place.

Furthermore, the OP and others have stated some very valid points. Usability and convenience are the primary market demand. And those demands are what drive the market.

Libre products appeal to a microcosm of all users. What I’ve observed within the industry across years is that niche, boutique products that appeal only to geeks, techies, and security enthusiasts rarely become widely adopted. The economic model and reality is that such products will always be only marginally successful, if at all, over the long term.


#145

Just FYI, your message landed in a moderation queue. I would have asked you to tone down some of the language - “hive agenda” and “online bigot”, for instance - but I don’t think the admin interface gives me the option to ask you to edit your message. It gave me the option to edit it, but I don’t want to get into that.

Lots of people have made valid points in this discussion, and also thrown around quite a few invalid points, too. However, when the OP complained about things that go against the goals of the project, then I think it’s understandable that others feel that they’re being trolled. Especially since this isn’t the only thread that covers what people feel are shortcomings in the Librem 5 as they perceive it at the moment.

Anyway, I think this discussion seems to have run its course, so perhaps we can avoid fanning the flames and going over everything once more. I’m sure someone will start another topic along similar lines, so we should all save our strength for that. :smile:


#146

One of the forum’s golden rules is to treat others with respect. However, a bunch of people violated that rule here. Now I am calling out what happened in this thread for what it is - which was a forum mob attacking others that they didn’t like. You’re telling me to tone down my language. The language I am using is not offensive. The language I’ve used very accurately describes what happened in this thread.

The OP has that right to ask. It was he who started the thread. People here didn’t like what he posted, so they immediately ganged up and attacked him for no justifiable reason.

And anyone has the right to disagree or make comments that are contrary to the goals of the project without being attacked and called a troll and other derogatory remarks.

The shortcomings of the Librem5 are not just perception - they are a reality. Anyone who points out the issues and wants to discuss them should be able to do so freely and openly without retaliation from other forum members. I have observed time and again here where discussing the plain, obvious facts results in people being labeled trolls or otherwise mistreated.

The OP might have been uninformed, but he wasn’t trolling. The hive mentality is that if someone comes along and posts something that the hive doesn’t like, then call the poster a troll and attack them. That’s exactly what was allowed to happen here.

You should promote people respectfully disagreeing instead of justifying their intolerance and online bigotry - because that is exactly what it is.

What I see in this thread is that some people immediately became defensive and lashed out against both @pureman48 and @cybercrypt13. It’s inappropriate, childish behavior and most definitely should not be tolerated nor condoned by the forum moderators.

However, like I said… it’s OK for the hive to attack the OP and others here, but it isn’t OK when those that are offended by the insults push back. It’s utter hypocrisy.

Unfortunately, I see this kind of behavior in forums across the web. It’s regrettable that over-sensitivity and intolerance prevail.


#147

In post #10, about 14 people (mostly frequent posters here and waiting for the phone) signified that they don’t think @pureman48 is a troll. If you see the need to create an account just to show your support, this would have been a good place.
The overreaction, IMO, was triggered by some real trolling experienced shortly before. In general, most people here prefer a civil discussion and I hope we as a community can get even better at that.


#148

This is true, every app has increased security vulnerability and removing apps removes potential security holes. However, you’ve missed a large potential security hole. If the OS itself is designed to track you, you cannot remove that threat. Please see:
Google tracks everything.


#149

Sure. This is correct. However, an OS that tracks you is not a security threat. It is an invasion of privacy. People should stop stating that data collection is a security hole.

Even the most privacy-focused OS is still full of vulnerabilities that could result in a system pwn and data theft. This is true of any Purism product.

Google might be the most aggressive data harvester, however Chrome OS is one of the most secure operating systems out there as long as you do not use Android Apps on it.

I work as a professional pen-tester. The claims of vastly increased security on Linux and Purism devices just ain’t true for the reasons I posted previously.

What Linux and Purism devices give you are security by obscurity. That means that they are running OSes and applications that are targeted by a tiny number of malcoders. Malware and attacks are for financial gain. And that means you have to target the most widely distributed and popular software and OSes. This is Windows, Microsoft Office, Adobe products, Oracle products, etc. This methodology provides the attacker with the greatest probabilities of success.

What is much more likely to happen than a security breach with your personal Linux device is that some 2nd, 3rd, 4th, 5th,… party systems will be hacked and your personal data will be stolen from there.

Despite the noble claims and goals of the project, the rest of the infrastructure that everyone uses daily has to operate at the same level of security for all of it to provide a significant increase in overall security. That just isn’t true of networking and the vast majority of devices and software that Purism devices will interface with. Networking and devices/applications were never designed nor implemented with security as a primary consideration. So even with a Purism device you are participating digitally within a flawed, insecure larger system. That is the greater security “hole” that no device can overcome as it is beyond the control of the device.


#150

People feed true trolls by reacting in the first place.

There is no justification for lashing out. Ever. Most importantly when the person is a true troll. Because all that troll really wants is to see others upset and displaying their anger and hurt feelings in public. Once anyone responds to a troll, that troll has won. The person responding to the troll just beat themselves.

People need to control their emotions and learn to ignore things that they do not like.

People who cannot control themselves are just as much of a problem, if not more so, than the troll itself.


#151

In the pen-testing sense (security issues per lines of code) I guess I agree with you, and I always felt the privacy aspect to be stronger than the security aspect. However, I think you can look at security from other perspectives, too: One is, not being able to update after a CVE because the vendor doesn’t bother (and of course, no source code), another that it’s harder (not impossible) to hide backdoors in free software. Also, a modem that does not have full access to memory should be much harder to remote-exploit. But ultimately, many privacy issues can become (personal) security issues, depending in which part of the world you live.


#152

If a person is targeted, and the attacker has the will, the skill, and the patience… then it is just a matter of time before the attacker breaches the target system(s) and gets what they want.

Like I said previously, being obsessive-compulsive about privacy on one’s personal devices is more about “feeling” safe than actually being more secure given the fact that virtually everyone’s most valuable, personal data is already out there in the hackable ether void. A person has virtually no control over their data on systems which they do not own. Without that control one cannot secure the data. Furthermore, you cannot trust others to protect your data. That is a time-proven fact.


#153

Can’t speak for everybody, but I think most people are aware that free software and as-free-as-possible hardware are not a silver bullet.
Just like using passwords with more than 8 characters is not a silver bullet.

The aspects and motivations to be excited about the phone vary.
Increased privacy is part of it, but the joy of having a real Linux system without corporate-imposed restrictions would probably already win most of us over.
Contributing to free software and open hardware by buying a phone is also a win.
You don’t need to agree. That’s a philosophical thing. Nobody brainwashed us to want this thing. We were waiting for this.


#154

From what I see here, there are enough misunderstandings about “security” that people are over-estimating the security benefits. Sure, Linux is more secure via its obscurity factor.

I am not so enamored with open source as I know from experience that it really doesn’t offer that much in the way of increased physical device security over other platforms. As far as security is concerned, open source is not the answer to security to the same extent that anti-malware products are not the answer.

I don’t disagree with the philosophy. In fact, I find the economic and ownership parts of that philosophy appealing. Android’s 2 to 3 year lifespan is nothing but a scam while Apple’s offerings are over-priced to the extent that even at their maximum possible lifespan they’re a scam too.

My concerns are the use of obsolete hardware, carrier limitations, and lack of apps. If I’m going to sink $650 into a phone, it better have a hardware lifespan beyond 5 years. And I better damn well be able to use it everywhere I use any other mobile device - including domestic and international roaming, and I better be able to get apps that provide functionality that I rely upon at a level of reliability and usability that I get from Android or iOS.


#155

People who have such concerns are just not the target group. Seriously.
If you say ‘obsolete’ because a rather new chip is not on par with current flagships, okay. You do you :slight_smile:
I’m currently on a Galaxy S3, which is 7 year old technology. I’m content.
The Librem 5 has sufficient apps for me. I’m content.
The modem can be changed / upgraded, no need to throw it away if some bands are missing. And I don’t care the slightest about 5G. I’m content.
And if the performance is good enough for me now, why would it not be good enough in 5 years?

Maybe it will, maybe it won’t. This is v1. Whoever invests in it is certainly aware that v2 will be better, but won’t come along without v1. It is totally fine if it is not good enough for you.
Come back in a few years and see if we helped create something that you might enjoy :slight_smile:


#156

I stick to my original point. I think it would be better for Purism to just say they are working on a new Linux phone and quit acting like they are taking care of society. I honestly don’t trust people when they start acting like what they are doing is for the good of humanity. 99% of those claims over the years prove to be a scam anyway. Let’s just focus on getting a linux phone (which would be freaking cool) and stop trying to act like we need Purism to take care of the world from all the evil corporations. It is way overblown and unnecessary.

Here is another bit of food for thought. I would bet my bottom dollar that the majority of the people on this forum are using a google Android phone. Even despite the fact that Apple is 100 times better at protecting your data and has never been shown to use your data for anything at all. So you’re all sitting around saying you need Purism when you can stop 99% of your problems right now by switching to Apple. Oh, and then removing ALL of your apps (still confused why you don’t all just use a flip phone).

But it is cooler to sit around and say you need open this and open that because it is safer. And if there is a bug you can fix it. When in reality 99.9% of you would have no hope of fixing and even less of even finding any bug that might exist in the Purism devices. And they’ve already said they aren’t releasing the hardware designs any time soon to protect their investment. (Sounds like typical corporations to me)

Lastly, please stop with the “Don’t use offensive words” bull crap because you offend me every time you say stupid crap like that. Why is it more important I don’t offend you than you offending me?

G


#157
  1. It’s not Linux. No advantage over Android for me
  2. Doesn’t have a SD card slot
  3. Even more expensive than Android or Purism
  4. Kicked out apps (for invalid reasons) that I would want, no alternate app stores
  5. Prevents installation of alternative OS
  6. I don’t buy overpriced goods. Except when the money is used for something I care about.

#158

Of course, the Librem 5 will have a limited market appeal when it is first released, because there are limited apps and you have to grow the mobile Linux ecosystem. The battery life probably won’t be very good on such an energy-inefficient SoC, the camera will probably be subpar, the cellular modem doesn’t support enough LTE bands, and it will only have 1 SIM slot, the four Cortex-A53 CPUs at 28nm are outdated, etc. These issues have been discussed ad nauseam in other threads on this forum. If you check my posts, you will see that I have pointed out many of these same issues, but we also know that the Librem 5 will improve over time. Version 2 will probably use a much better i.MX 8M mini processor, and the software will get much better over time. The first iPhone in 2007 and the first Android phone, the HTC Dream in 2008, weren’t that great either. However, we can see the thousands of Linux desktop applications that can be adapted to use libhandy and we can see the enthusiasm of developers in the community for this project, so the prospects of creating a decent app repository look very good.

As Todd Weaver explains in his interviews, the goal of the Librem 5 is to offer privacy, security and convenience, while guaranteeing user digital rights. There is a huge unmet demand in the market for a phone that can provide these things. There are millions of people who want encrypted communication and want web services that don’t share their personal data with Google, Facebook, etc, and Purism is trying to provide that for ordinary people. The potential market for the Librem 5 is very large, but nobody thinks that it will happen with version 1 of the phone. Everyone understands that we are playing the long game here and working toward a better future over time.

The Linux kernel is used in about 4 billion devices, compared to 1.5 billion running Windows and 1.4 billion running iOS or Mac OS X. Linux servers run the majority of the world’s critical infrastructure (web servers, email servers, DNS servers, file servers, supercomputers, etc.), and it is attacked daily. I have run web servers since 2006 and I work at a company that creates an open source web-based business application, so I have some idea about the ways that web servers are attacked. UNIX is an inherently more secure architecture, which benefits Linux, iOS, MacOS and BSD, since they are all based on the UNIX model.

I write code for a living and I know the kind of sloppiness that happens when coders don’t think that anyone will ever see their code, which happens in a lot of proprietary code. Being open source isn’t a silver bullet, since there is a lot of code sitting in the repositories that was written by one person as a hobby and it has never been reviewed by anyone. However, most of the open source code which is mission critical and is widely used has been looked at by a lot of eyeballs. 4,300 developers from over 500 companies contributed to Linux 4.8 - 4.13 (which is roughly 1 year of development). There are 900 developers who contribute to GTK+ and GNOME, and 3000 who contribute to Debian (which is the parent distro of PureOS). Maybe some of the code currently being written by Purism (phosh, libhandy, Chatty, squeekboard, etc.) hasn’t been looked at by many people, but that will change once the Librem 5 gets released and more people get interested in the project and want to start writing mobile Linux apps.

Most proprietary code gets reviewed by two people before it is committed and then it gets a pass by a profiler and security scanner, and then it never gets looked at again, until someone is hunting for a bug, which is why open source code is generally better because it gets more scrutiny. The code security scanner Coverity found that proprietary code in 2013 contained 0.72 defects per 1000 lines of code compared to 0.59 defects per 1000 lines in open source code. The results of the Coverity tests match my own experience. I’ve worked on both proprietary and open source projects, and the open source code was looked at by more people and better tested for bugs.

AV-Test reports the following breakdown of the malware that it found in the first half of 2016:
Windows: 67.21%
Script: 19.10%
Android: 7.48%
MacOS: 0.07%
Mobile: 0.01%
DOS: 0.01%
Linux: 0.02%
Other: 6.10%
(Note: this was the last time that AV-Test bothered reporting Linux malware, since it is so insignificant.)

Clearly, Windows is an inherently insecure system, considering that Android has twice as many users as Windows but Windows has 9 times as much malware as Android. According to StatCounter, 0.8% of all users are using desktop Linux, but 0.02% of the malware is for Linux. Once we consider the fact that 4 billion devices are running the Linux kernel and most of the servers and IoT devices are running Linux, then Linux should be a huge target, but we see that very little malware is created for it, because Linux is very hard to attack, just like MacOS is hard to attack.

What the evidence shows is that the Linux kernel is very secure. I see no evidence that the Linux user space is not equally secure. It is based on mostly the same security model as the kernel. I have been using Linux since 1999 and I have never once encountered any malware in my systems (aside from malicious JavaScript inside the web browser that is operating system agnostic).

More malware has been written for MacOS than Linux, and maybe that is simply because there are 6 times more desktop users of MacOS than Linux, but given the huge number of machines running the Linux kernel and amount of valuable data stored on Linux servers, you would expect far more malware for Linux.

Every security expert will tell you that open source systems that have been widely studied for exploits are much safer than proprietary code which tries to hide exploits through obscure binaries. Given that Purism is creating very little of the code that provides security to the system and what it is using is standard code which has been widely vetted, I see no reason to believe that it is insecure. Chatty will use end-to-end encryption, but those encryption algorithms weren’t designed by Purism.


#159

Frankly, it is very premature to argue whether an Apple device is more or less secure than the Librem 5. We will only discover in time. However, every good system needs scrutiny to verify its security, and Purism’s model of making everything transparent makes it easier to verify its security claims, whereas it is much harder to do with Apple.

There are a couple areas, however, where we know that Purism is better than Apple in terms of protecting the security and privacy of its users. Apple is collecting data from its users to train its AI, whereas Purism has nothing like Siri so it doesn’t need to collect user data. According to the documents leaked by Edward Snowden, Apple was allowing the NSA to access its servers to obtain information about its users. In contrast, Purism has a warranty canary to inform its users if it is served with a secret government subpoena to give up information about its users. One study found that an idling iPhone running Safari sends 0.76 MB / day to Google servers and 0.63 MB / day to Apple servers. In contrast, the Librem 5 will be configured out of the box to not send any data to Google, Apple or Purism, and the Pure Browser will be configured by default to not let the user be tracked.


#160

“Apple’s privacy issues are by no means unique among smartphone companies. Rather, Apple’s claims about its robust protection of privacy are what set it apart from its competitors, and journalists should continue to point out the gaps between the company’s claims and reality. But as findings from the 2019 Ranking Digital Rights Corporate Accountability Index show, while Apple ranks relatively well on transparency about policies and practices affecting user privacy, it has persistently fared even worse with respect to another fundamental human right: freedom of expression.” The Ranking Digital Rights link from May 31, 2019 is here, and I don’t know why I should join such a party.
Maybe Apple is trying to reach me as a friend, but because of my stupidity they aren’t impressing me much, not anymore. It was maybe just coincidence that years ago I bought an HP Dreamcolor monitor even though there was nothing to complain about or say against the Apple monitor with a true 10-bit display, so what Apple has collected on me is equal to zero and therefore I don’t care much, but the same report continues: “This begs the question: how meaningful are policies governing third-party developers if Apple doesn’t enforce them? If Apple is to live up to its promise that “What happens on your iPhone, stays on your iPhone,” it must substantively evaluate the content of apps’ privacy policies and verify that each app adheres to its own policies, notably regarding collection of user data (see P3).”


#161

This part you may not have much influence over, but it also varies depending on where you live. That kind of data sharing is very much illegal in some countries, and those laws have some pretty large teeth (GDPR is a very good example). Some of that data might well not even be collected in the first place (medical/dental records, for instance).

But for each case, I do what I can to minimise the data which is collected about me. There’s no one single silver bullet, just a thousand cuts which I can try to inflict. Swapping to a phone which is designed from the ground up to give me more control (eg. killswitches, hardware support is part of the mainline Linux kernel and therefore guaranteed core updates for decades, modem isolation designed in) is one of those.

Yes, this is true. It’s the reason why I have steadfastly refused to give out contact details to anyone who runs Facebook software on their device. Again, defence in depth.

You fix what you personally can, try to influence those around you to stop giving themselves away to Facebook and other suchlike, and hope that the laws will change to fix what you can’t (again: GDPR).

While the phone I use did originally come with Android (Samsung S5), the very first thing I did when getting it was to completely wipe it and stick LineageOS on in its place. Only software from F-Droid (https://f-droid.org/) is permitted on there. There is absolutely no Google taint. Despite that, I still ordered a Librem 5 and I still plan to make that my primary device.

As for why not a flip phone (technically, it would be my old trusty Nokia E55), the sole reason I even got a smartphone is SnoopSnitch (https://opensource.srlabs.de/projects/snoopsnitch). I’ve also made use of OsmAnd to turn my phone into a pocket map (running in offline mode, of course - there’s no reason to download maps on the fly when you can pre-load several countries beforehand and save on data bills).