How many Librem users on this forum have taken advantage of the anti-interdiction service with an order before?
- Yes, added anti-interdiction service before
- No, never added it to an order before
Feel free to say why or why not.
How many Librem users on this forum have taken advantage of the anti-interdiction service with an order before?
Feel free to say why or why not.
Originally twice: one each for my Librem 14 and Librem 5 USA order. Then another one time thereafter for the Librem 14: an installation of a second M.2 bracket and a 3-cell battery.
As far as I knew, no government/state actor entity is after me nor really cares about me. So, I assumed that this service is most important for folks who are likely active targets and know they are active targets.
But when we think about the Ed Snowden revelations and this idea that – at least in my country – all citizens are being stalked in case they might in the future become a criminal (or be otherwise useful for data harvesting)… I would respect someone who told me they felt it was naivete for me not to buy the anti-interdiction services.
But I was also coming from an already digitally compromised existence, filled with a lot of proprietary software in my personal life.
I did not apply it to my order. My main concern with computing devices is always the trustworthiness of the manufacturing chain, not the shipping chain from the “store” to my home. (If I could think of any reason that my own country’s intelligence or law enforcement agencies would target me personally, then I would change my mind, I guess.)
I may as well tell my story then all those years ago, since everyone else is sharing their reasoning.
Originally, I ordered anti-interdiction services to confirm whether or not I did have active attackers. This information was deemed vital at the time as it was a dependency for further mission-critical operations. However, out of precaution, I still carefully mitigated my trust in its authenticity as I deemed all of its security measures highly experimental.
As I became more familiar with using anti-interdiction over the years, I also learned a lot about physical security due to my threat model, and discovered circumvention methods to defeat the security seals, “proprietary” nail polish patterns, and PureBoot Bundle (Plus). Due to this, I started to disassemble the products and manually audit each component; I reflashed each device’s operating system and firmware(s) using a “known good state” PureOS live image on a USB drive. The Librem Key, however, remains at firmware version 0.10, as Purism has not provided a newer firmware version (0.15) or hardware reflashing documentation.
Since then, I no longer use PGP, nor trust Purism for anything relating to anonymity/privacy/security, except their hardware kill switches, although that seems to be being removed from their products as of recently.
I’ll mention that while I didn’t order it because I don’t think I personally need it, I think it’s a very cool and unique service that Purism offers.
I figured that it would not be so popular because then other vendors would offer a similar service. I requested it before because I figured the more freedom you have, the more responsibility you have over security. I wouldn’t consider myself a target either but then again it’s not much of a choice to be had when the marketing creates a target for the user. I do believe the service can make a difference even if it adds merely an additional minute, for example, to the process of interdiction. It is a unique service, and I did not expect that the email exchange from that service would inform me about gpg for e2ee.
Do you have any links to further reading on this perspective?
For my security practices and values, you can simply ask me in the dedicated thread or via PM.
For multiple reasons, I also use SMS and email, but they require bootstrapping via PM to reduce solicitations. If you want to meet me in person, I would be happy to explain and demonstrate all of the above. Additionally, I can teach you how to defeat each anti-interdiction security measure, although if you have not ordered it yourself, you are going to have to trust my attack to simultaneously bypass PGP-encrypted email and PureBoot Bundle (Plus).