It is not easy to compromise such a system designed for high security but it might be worth it because of the high value targets. I don’t think that it’s happening now in case of Purism. So this stays theoretical here.
On the other side we have incidents like operation Rubikon which tells us how impudent state actors are and how far they might go.
Also I always thought that the Snowden revelations were not only an event causing several messengers to be born which calling themselves secure. It also would have been a good point in time for intelligence services to create an own pseudo secure messenger as honeypot. Just a thought. I have no solid indicators in that direction. So this is speculation.
In other words, it depends on whether it is targeted and what the motivation is.
Criminals won’t target Purism products because the payoff is many orders of magnitude poorer than targeting Microsoft / Apple / Google products.
Corporate and government criminals might target Purism products but more likely if the specific person of interest is known to be using Purism products.
Trying to backdoor the supply chain would lead to a lot of noise, a lot of false positives, a much higher risk of detection before mission completion.
Canaries are in place to detect government-mandated secret backdoors, albeit that there is always a window of opportunity of up to 3 months. (Does this mean that if you are a high risk individual, you should purchase the device and then not use it, not even power it on, until the next quarter commences?)
Trying to backdoor through interdiction is more focused. Purism’s anti-interdiction service in no way stops targeted interdiction. It intends to detect interdiction. If you are a high risk individual, use the anti-interdiction service.
If you are at high risk of targeted interdiction, I don’t see how you are better off using products from companies that haven’t even thought about these problems. ???
If that is the concern then you are a potential customer for the Librem 5 USA Edition.
One more comment: Be an early adopter. Governments are usually reactive, and slow to cotton on to things. Get your device before governments wake up. Get your Purism order in now.
So is Zyxel (software not hardware), so is Juniper at the NSA’s behest and Huawei thinks (FT.com paywall) the USA ditched them because there are no US-backdoors in Huawei products.
Not that I condone anyone’s backdoors, but I don’t think it is as easy as China bad, USA good (or Europe for that matter, see e.g. British GCHQ hacks into Belgacom (German))
Just out of curiousity, is Purism on their own servers? Self hosting? That seems to be the easiest way to take down their site and ability to sell, as well as credit cards, paypal, etc blocking them, as they did with Gab, who then had to build their own infrastructure, even their own email. I just don’t underestimate big tech’s reach, and what they are willing to do, and their apparent ability to get away with it. Then maybe big tech strong arming manufacturers, suppliers, etc.
Maybe there’s a bigger picture and multiple ways to hinder their production and sales?
And while they may not present a big threat now, maybe prudent to begin preparing now, as I am certain Purism is.
on their Librem one page they say they use PureOS to HOST their services but they don’t say what cloud-provider they are using and certainly nothing about the underlying infrastructure ( no virtual-machine/container, bare-metal information, etc.)
PureOS is all well and good … what about the rest ?
Further discussion on the Qubes forum led to the famous (to Purism community) Interview With Zlatan Todoric and Jay Little posts, which were discussed here many times. I am sure I’ve seen most of the claims debunked, but I have a hard time finding that. Perhaps @amosbatto could help?
If this was triple letter agency backed and they wanted to get the things into the hands of dissenters they would have ensured the thing was available in mass numbers and wouldn’t have customers lined up now reading about how the guy who ordered two years ago just got notification his will be shipping soon. I think the theory can be debunked on that alone. Looking forward to getting mine.
If I continue the line of conspiracy here, then this topic was created with a sole purpose to whitewash the company from the agency, as now one would argue - agency would not allow a topic questioning the authenticity of the cover story on this forum.
Which means you’re an employee of the agency ordered to reinforce the cover and disprove any suspicions/doubts.
And since I’ve started ridiculing this question and the author of the question - that means I’m an employee of the meant organisation, which means whatever I’m saying is part of the whitewashing strategy.
the LEFT and the RIGHT are there to make one forget about the MIDDLE … if you’re focusing your attention on the arms you will have a harder time figuring out what the rest is doing …
i.e. Get the device before the twenty-seven-B-stroke-six forms are filled out and your device will be bureaucracy-free.
Also and related -
The more work “they” have to do to compromise a supply chain or the harder an interdiction is - the less likely “they” are going to blow their cover for little ole me.
My point is - check your own threat and risk profile.
Also generate a whole bunch of canary tokens to trip the bastids up. Including fake crypto wallets - or ones with just some dust.
here is a good start:
[This was supposed to be posted over here but an accidental tab scroll ended it up here instead, and the spam detector won’t allow me to move it to another thread. Just as well. Perhaps this is actually a more appropriate thread.]
Thanks for the meaty thread. I think we need to consider that:
Conspiracy happens, especially in places like China where the state exerts maximum control. It’s very easy to silence people who have no human rights to begin with in order to get them to work in a coordinated manner to interfere in a manufacturing process. (You think I’m kidding? They’re starting to use brainwave monitoring on the manufacturing floor in some facilities in order to “assist” troubled workers. Google it.)
Malware injection in software, firmware, or hardware is the holy grail but generally superfluous. All we need is a floor board ready to buckle as soon as someone puts enough weight on it. That much has been engineered by accident as Rowhammer and all its various manifestations have proven. Imagine if a well-funded group actually tried.
There seems to be this assumption that either (1) Purism is too small to care about or (2) Purism’s customers are implicitly high-value and so therefore nation state actors really care. We should be honest with ourselves and admit that we just don’t know.
This problem should be attacked, at first and perhaps exclusively, through packet sniffing. We could all actually participate if Purism offered a router with builtin sniffing functions. That’s not strictly necessary, as this sort of testing could be done at Purism to some degree, but it would explode the number of eyeballs analyzing outgoing traffic, and total outbound bandwidth. It would also avoid the problem of malware or flaws only being injected late into the production run, after initial samples have passed authentication. Purism Internet Telescope, anyone?
eyeball, meet spoon ! but seriously, do NOT snoople it … maybe use another search engine through TOR if you don’t want to be instantly FLoCed …
edited : i must apologize ! contrary to what the people bellow have said in regards to the verb and noun, it appears i initially wrote ‘google’ as a verb but then i thought that writing it like this is gonna’ make less sense for ‘noobs’ so i decided to correct to ‘snoople’ …
@irvinewade@reC Sorry for my casual use of terminology. Yes, I meant “google”, not “Google”. Nobody should be Googling (capital “G”) anything these days unless they’re attempting to contrive their social footprints or sitting behind some hefty anonymization software (in which case it might not even work). +1 for Tor and more anonymous search engines. [I know this is off-topic, but I felt compelled to clarify because I really don’t want to be leading the noobs off a security cliff with ambiguous language.]
