Off-topic from shipping

Before there was a L5 USA, there was a L5, which was supposed to be a phone designed for privacy. I submit that implied in that is that the phone does not contain Chinese parts - certainly not critical parts. We believe that Pegasus used exploits in the baseband modem to spy on people. I was very surprised and disappointed (even shocked) when I was first told that the L5 used Chinese modems. I find the concept that we were all buying “privacy” L5 phones for $700 and then suddenly those phones are made from Chinese parts - but you can suddenly buy a “really” private L5 USA phone for more than $2000, and you’re now promised the phone sooner - more than a bit contrived.

It reads more like “Purism has run out of money, let’s see who we can shake down for more money on the basis of a promise they’ll get their phone sooner (which promise we know we won’t deliver on either)” than “L5 USA is an improved product”. L5 USA doesn’t sound a lot different from what L5 was described to be when that was the only product that existed.

How do you build a spying-free phone delivering reasonable privacy using Chinese-made critical components?

May I humbly suggest starting your own new thread, e.g. “Is the Librem 5 USA a Scam?” or something like that?

These multi-comment digressions are interfering with @spaetz’s ability to update the timeline of L5 deliveries, the important information that everybody is anticipating.

I agree. I kept the post hidden. Feel free to repost as an associated thread - but not in this thread.

I note that Purism (dcz) consistently censors comments pointing out uncomfortable truths. They have censored my comment and StevenR’s but not those comments which are pleasing to the censors. It’s far from the first time either. Says it all really. You could just deliver the phones, or give refunds, if you don’t like people like us around pointing out uncomfortable facts.

3 Likes

dcz is now also censoring my posts pointing out her censorship. OK I wasn’t going to write to the Attorney General to complain, but now I will.

2 Likes

I moved the off-topic here, as I should have originally done. Sorry for hiding your posts, moving posts is a tool I forgot I had.

2 Likes

Maybe the title should be changed to something more representative…?

I’m going to change it if you or dr_t propose something better.

1 Like

In response to the first post in this (now moved) thread:

When the Librem 5 USA was first announced, many here professed to trust US products LESS than Chinese ones. So from the standpoint of many people (certainly not me) a Chinese modem was preferred to a US one.

Based on that many will be unsympathetic to your claim that the Librem 5 USA is what the Librem 5 should have been in the first place.

(Case in point, guru’s reply directly below this one.)

At least there is now an element of choice. A customer can decide which country’s parts he trusts more and buy a phone with those parts in it.

That is, of course, assuming Purism ever actually delivers the product.

1 Like

First of all, you can use the HKS to shut down the modem completely. Second, why should I trust a modem made in the USA or Israel (from where Pegasus is coming) more than one made in the PR of China?

dcz, you probably should have put the split a little higher than you did, to capture/move StevenR’s posts.

You’re probably right, but I don’t want to risk making a complete mess now. I’ll be on the lookout for future misplaced posts.

I’m not saying I trust a USA-built component absolutely, but (a) the hardware has to be built somewhere, (b) in the USA or Israel, you have the freedom to build your components more or less however you like, including you can have open-source hardware etc. And there are some constitutional guarantees and the rule of law, even if those are increasingly violated and ignored by the government and 3-letter agencies. But at least there is some oversight, an ability to challenge matters in court, FOIA, etc. and the government is not supposed to do certain things. In China, there is no rule of law (as in: zero), the government is unlimited, the government can and does do whatever it wants to, the national security law requires all nationals to work for the secret services if they are ordered to, the government is involved in anything it wants to and in everything. There is no high-tech equipment made in China which the Chinese government does not meddle in. In other words, you cannot trust anything made in China, but there are other places in the world where things may be built in a way which is not designed for some government to spy on you. What’s the best such place? Certainly not China. Is the USA one of the better places? Maybe. Where is better?

2 Likes

There are a whole bunch of separate concerns in this text.

 1. Everybody always knew that the modem would be a blackbox and hence unverified and indeed unverifiable. This is why the modem is in various ways separated from the main system in the Librem 5. This is why the modem can be killed.

This has nothing to do with whether the modem is manufactured in China, the US, the EU or anywhere else. Modem manufacturers generally choose to keep their source to themselves. That is unfortunate and true.

The assumption in the Librem 5 is that the modem is untrustworthy and hence why in theory you can use the modem purely for internet access and place your calls securely over the internet. That means that the modem has no visibility of whether you are calling, whom you are calling, how you are calling.

How much of the above you embrace depends on your threat model.

 2. There is always a concern that an individual company may be compromised by a government.

Some people assume that a company is more likely to be compromised by the government of the country where the company is domiciled. While there is some merit in that assumption, it is only an assumption and it is false that a company will never be compromised by a foreign government.

On this basis though some people would not trust a Chinese modem while they would trust an EU modem.

There are limitations to how logical that is but it’s a choice (when it actually does become a choice!) and you can go whichever way suits you.

 3. Pegasus is a whole different ballgame.

Whether it is accurate that Pegasus exploits the modem I don’t know. I suspect this is not accurate (having read some fairly detailed discussion linked from this forum q.v.).

In mainstream phones the distinction is mostly irrelevant anyway because the modem is wholly integrated within the overall phone. Exploit the modem part of it or exploit the kernel, it doesn’t really matter. You are toast either way.

What we do know is that Pegasus exploits security vulnerabilities. No one on any phone wants security vulnerabilities but the exploited vulnerabilities are presumably unintentional and that is quite different from intentional vulnerabilities inserted by the company voluntarily for their own purposes or inserted by or on behalf of a government.

You can bet that Linux-based phones will from time to time have their own unintentional security vulnerabilities. If Linux-based phones get enough profile and usage, you can bet that those vulnerabilities will show up in the Pegasus toolbox. (It doesn’t matter that Linux vulnerabilities are generally fixed in a timely fashion because there are enough slackers who don’t keep their phones up to date. It is still worthwhile to probe for vulnerabilities for which a fix has already been released.)

1 Like

All kinds of things can be compromised by all kinds of actors, but all equipment capable of being used for spying made in China will be compromised by the CCP and only some equipment made outside will be.

Furthermore, if any equipment made outside China is compromised by the CCP and that is discovered, this will generally be a scandal and it will generally be corrected, whereas everyone knows that anything made in China is compromised, but no one can even talk about it unless they want to disappear and have their organs harvested.

We are largely in agreement and largely saying the same thing, but

I think it is more accurate to say that everyone knows that anything made in China is subservient to the CCP and hence potentially compromised by the CCP and hence actually compromised by the CCP if the CCP so desires.

It is sadly true that if the CCP so desires and the Chinese company says “no” then disappearance is a very real possibility, even likelihood.

However if you looked outside of China you might be discomforted by similar legal regimes for compromise in operation in other countries.

1 Like

I think given how total the surveillance and control is in China (and totalitarian regimes generally, but particularly China), it’s safe to assume that anything manufactured in China contains government spyware and backdoors routinely. You can’t even illegally cross a road in China without cameras detecting that and automatically recognizing your face and debiting your social score account, or post a social media post without government surveillance bots monitoring it immediately and deleting it, also immediately, if it is not of the approved variety. It is an entirely and totally controlled society, it’s not like in the U.S. where security services reserve the right to do this and that and supposedly do it whenever there is a good reason but more or less often abuse those powers … over there, it’s just total control, everywhere and all the time.

2 Likes

You are completely wrong there. Due to the thorough scrutiny of all exported components from China (and China is aware of that fact) no backdoor is put in those devices. Even the car electronics is free of any backdoor, none found so far. This in contrast to USA communication equipment where backdoors are often found (e.g. CISCO routers).

I therefore propose to a privacy-conscious company such as Purism to exclusively use Chinese components.

Or, you know, give customers the choice and customers can decide which of these narratives to run with.

The reality of manufacturing today is that neither edition of the Librem 5 is exclusively components from one country.

Just as the post to which you were replying is a bit extreme in its claims, so is yours.

You can’t possibly know this. No one can. China exports a zillion components per second.

For components with embedded firmware or software, it would be very difficult to verify whether there is or is not any kind of backdoor or other malicious functionality intentionally put there. It may not even be possible to access the firmware or software.

1 Like

You sound like a naive Westerner who has grown up in a normal country and has never known anything else. I don’t blame you, this relaxed attitude is fairly universal in the West. The evil that communism is is impossible to comprehend unless you have actually lived it. I spent several decades of my life behind the Iron Curtain and I have experienced directly how it works. Unfortunately, this attitude is also the reason why China is taking over the world unimpeded and will do so completely once they take over Taiwan. I won’t bother responding to Jan2 because he’s either a troll or a Chinese shill.

Every Chinese component has a back door which the CCP can exploit. China has 1.5 billion people and their average IQ is 105. The USA has 300 million people with an average IQ of 98. Assuming both have a standard deviation of 15, that means that at IQ of 170, there are 40 Chinese for every American, more as you go higher. All the smartest people in China have the choice of either working for the government if so ordered, which they are, or having their organs harvested and being put 6ft under. All the smartest people in America become entrepreneurs and make billions. The government only employs morons. Western intelligence agencies are full of woke soft lefties who either got in on a racial or a gay or a trans quota and are incompetent or they are just plain Chinese agents. Fact. Western intelligence agencies are completely infiltrated by communist spies, and have been for decades. First mainly KGB, now mainly CCP. They may employ some smart people but they can’t get anything done because their woke dumb commie-sympathizing bosses outnumber, outrank and overrule them. It may even be true that no backdoors have been found in Chinese hardware (I somehow doubt it) but that doesn’t say a lot. Even so, the said Western intelligence agencies have banned Huawei equipment from mobile networks. Do you think they’d do that if it were true that “Due to the thorough scrutiny of all exported components from China (and China is aware of that fact) no backdoor is put in those devices.” and they were confident of this fact?

1 Like