Consider malware that transmits your audio/video to some interested party. Just because your OS is OSS, that does not mean there can never be malicious software on your phone. And that is not to speak about the trust in the hardware components that live a life of their own in your device. Yes modem, I am looking at you!
Many devices that I have worked with in the past have had the ability to draw running current from a driven port pin that is set as an input and is pulled externally to a logical high state which can also (unintended) source current into the device. I have seen this happen several times on different devices. There have been times when running an IC where I scratched my head and asked myself “how can this device possibly run with VDD disconnected?”. I have never followed up to test in those instances, whether grounding VDD stops the device or not. But when I find the correct port pin and disconnect the logical high to it, the device will abruptly stop.
Some devices can even draw running current from a driven oscillator pin alone. This isn’t a rule, but more of a semi-common anomaly in some IC chip devices. Hopefully the hardware kill switches in the Librem 5 were actually tested under several different operating conditions. This may seem to be unnecessary to some people. Applying stimulus to IC pins without having a specified VDD applied first is usually a bad idea. Some PCB-level hardware application designers count on the device not working without an applied VDD.
Most devices don’t sustain damage if you apply stimulus to other pins while the device is powered-down. You can always lower the number of hardware components or lines of required code in your application in most cases by ignoring the universal rule that says to never apply stimulus to a device pin without applying VDD to the device first. But most often, the device with a detached VDD will at least run impaired to some degree if it does run.
Nonetheless, I have witnessed accurate code execution and ADC conversions and the corresponding delivery of accurate 12-bit ADC data to port pins from an MCU with no VDD applied on a few occasions. The first time I saw it happen, it kind of freaked me out a bit. You stand back and say to yourself, “what I am seeing is impossible”. Then you troubleshoot, just to figure out how this impossible thing can be happening. In silicon, not all current paths in a circuit are always simulated in the design phase. Especially the undesired modes are not tested. After all, no one is going to complain to the semiconductor manufacturer about the device operation in any condition wherein a VDD is not applied.
Typically in most applications, you would always leave VDD applied when the application is running and then use the “Enable” or “not-Enable” pin to turn the device on or off as the application runs. The only guaranteed way to prevent a device from operating is to disconnect not only VDD, but to also remove all stimulus including any driven oscillators. However, application testing could validate whether or not any stimulus to the device causes the device to work without a VDD input.
Even a car with an empty gas tank will run for as long as you continue to spray ether into the carburetor. The engine requires fuel and doesn’t care where the fuel comes from.
Back in the 80’s I remember a 1200 bps modem model that would run off the power of the land line’s dial tone. The phone company didn’t like that. Future models had a power supply. (It was blue.)
Then there is the classic issue of powering down a disc abruptly (especially a spinner). You didn’t want your application writing at that moment. With today’s SSD speed and protections for sudden power loss there is enough latency to finish the write in most cases.
Too bad most cars are fuel injected and carburetors have become rare. I have to junk an old car that has a cracked fuel injector. Costs me more to fix it than it is worth. It still drives but one smells the fumes at a stop sign. I determined to take it to the place where it gets weighed and you get money for the metal when it gets low on gas. (It had a full tank when the mechanic diagnosed it.)
Has Google found the Librem5 flaw yet?
Wednesday March 8 around 3:00 pm I say, “I need to buy some mustard.”
Wednesday March 8 around 4:00 pm I am forced to use Youtube because I can’t find an essential video on Peertube.
I open Youtube: the first video that appears is a mustard commercial. I freak out. The microphone of my Librem5 was closed (kill switches), I checked. The mic on my Librem 14 was also closed I’m sure. I thought it was just the NSA that could get through that protection… I’m pissed! Is there any other explanation? Could I have been triangulated by the Android cell phone of the person who was with me and the laptop of my co-worker in the next office?
It’s either a coincidence or the ability to predict what you’re going to buy based upon the data they already have on you is more accurate than you think.
Sometimes a cigar is just a cigar.
If I understand correctly, you also use a GAFAM and you never found that they could have heard you despite your closed kill switches? I’d feel better if it didn’t happen to anyone else. It would show me that it was really a coincidence.
How do you figure they can listen through a microphone that doesn’t have any power connected to it?
Someone said that:
"But for me that is not enough. What about the other sensors in the phone? What stops someone using the speakers as a microphone, or stealing information from the accelerometers? For that matter, couldn’t the accelerometers potentially be used as a microphone? Is there an ambient light sensor, or a proximity sensor? And if so, will the power to them get cut too??" Kill switches, but what about the other sensors?
Yes that was brought up, and after some discussion, dismissed because it would be too much work for the listener to implement, even if the listener could get good results.
But my main point is you no longer have any reason to be upset about the HKSs.
Thank you for cheering me up! I hate Big Data!
And were there any other sensors in the room when you declared intent for the mustard?
Do you have a TV in your house? If so, follow: https://www.komando.com/kims-column/your-tv-is-spying-on-you-but-you-can-stop-it/873894/
The problem is that I was not at my house. I was at work and the TV is in the name of the company and I never use it (I couldn’t put any data about myself on this device) and my colleague has an Android cell phone. But how could the mustard ad have appeared on the Youtube page that I was looking for on MY Librem14?
Google analytics on the websites that you visit with your Librem 14 give Google your IP address, which is shared with Android users on the same network. Those Android devices report locations down to the meter. The TV shares the same public IP address. WiFi scanning can identify devices nearby, including your laptop’s WiFi MAC address. Bluetooth scanning might also be used between Android devices, not your Librem 14. If you want to avoid this, then you need to block Google analytics or use a VPN and randomize the WiFi card’s MAC address before turning on WiFi. There are downsides to this: Blocking trackers can cause websites to think that you are a “robot” and may prompt you to solve a puzzle and using a VPN ties your traffic to your credit card (as opposed to mixing your traffic with others).
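One way to apply and verify the MAC randomization suggested in the post above on a NetworkManager system, as an added example that is not part of the original thread. The drop-in file name and the function names `is_randomized_mac` and `check_iface` are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes NetworkManager manages WiFi.
# Hypothetical drop-in: /etc/NetworkManager/conf.d/30-mac-randomization.conf
#   [device]
#   wifi.scan-rand-mac-address=yes      # random MAC while scanning
#   [connection]
#   wifi.cloned-mac-address=random      # new MAC on every connection
#   # "permanent" here would expose the burned-in hardware address
# Restart NetworkManager after adding the file for it to take effect.

# is_randomized_mac MAC
# Returns 0 if MAC is a locally administered unicast address (the form
# randomization produces), 1 if it looks vendor-assigned, 2 if malformed.
# Note: a manually set address can also carry the local bit.
is_randomized_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 2
    first_octet=$((0x${1%%:*}))
    # bit 0 = multicast, bit 1 = locally administered; we want binary 10
    [ $((first_octet & 3)) -eq 2 ]
}

# check_iface IFACE
# Reads the address the interface is currently presenting and classifies it.
check_iface() {
    addr_file="/sys/class/net/$1/address"
    [ -r "$addr_file" ] || { echo "$1: no such interface" >&2; return 2; }
    mac=$(cat "$addr_file")
    if is_randomized_mac "$mac"; then
        echo "$1: $mac is locally administered (randomization active)"
    else
        echo "$1: $mac looks like the hardware address" >&2
        return 1
    fi
}

# Optional command-line use: pass the interface name as the first argument.
if [ $# -gt 0 ]; then check_iface "$1"; fi
```

Randomizing the MAC only addresses identification by nearby WiFi scanning; the shared public IP address the post describes is unaffected, and networks that filter by MAC or use captive portals may need a per-connection `stable` setting instead.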
In short, unless you’re a real connoisseur and totally on guard, they follow us with all the Big Tech devices that surround us… even if you’re personally equipped with devices manufactured by Purism. Everyone would have to decide to switch only to ethical technologies to totally block Big Data? I console myself by saying that I do my part and that when I’m at home, I’m more protected since I’m careful about what I buy and there are no televisions or other connected toys in my house.
Yes. Also, I have noticed that a lot of companies are asking for mobile phone numbers for the purpose of sending security codes. Because of SIM cloning and other hacks that involve tricking the mobile phone provider, I consider this to be a bad security practice, but I suspect that the other reason is that it forces people to provide a useful unique identifier that can track people across all sorts of services.
I would say that creating privacy in your own home is a great start. Purism is more focused on the phone right now. Randomizing the MAC addresses is something that I would like to see some day. You could use one web browser for home and anything that requires signing into an account, and use a separate browser out in public and either use different accounts or stay signed out on that one. Using privacy mode in public works too, assuming that you do not have any non-private tabs open (to avoid those web pages that know your home IP address from tracking you in public). Just remember to shut the home browser down before joining a non-home WiFi.
This may not be perfect, but I am not sure if everyone needs to be. It certainly reduces the amount of data that they collect, and that may be enough. I remember one tip that said that if you cleared your cookies once a week, it would make things more difficult for Google. I am not sure if that was true, or is still true, but I could see how that might help. Clearing your cookies after leaving one network and before joining another network may be enough. It may be fine to stay signed into some non-Google accounts. Google analytics might not be tracking things at an account level. In other words, it may be fine to use a non Google account across multiple networks provided that you clear your cookies between network changes.
I am not an expert. I won’t be able to keep up with everything all the time. Really… I’m thinking that the surefire way to be tracked as little as possible is to have as few devices as possible.
On your Librem 5 and with opensource browsers, there are no agreements nor terms of service that give Google a license to spy on anyone. I am looking forward to the day when Librem 5 users and Pine Phone users start class action lawsuits against Google for violating our privacy and stealing our data without any permission. Google thinks they own the internet and everything on it. It might be next to impossible for Google to turn off all of their spying machines when they suddenly realize they’re committing crimes against thousands of people who did not opt-in on their free opensource devices. In the meantime, after I get my Librem 5, I don’t plan to flirt with them nor be tempted to use their technology. I’ll have an Android phone at home for banking. My Librem 5 will not have Waydroid nor any other Spyware compatibility layer nor unreasonable terms of service. Everything I use will have to live in native Linux software. We can all create a new community and eco-system there.
It made me think of one of the “Alien” movie franchises but with a mutated phone on a gurney saying “Kill me… Kill me …”