Purism products feel like an obvious vector for targeting

The way I see it is simple
First -

i.e. Get the device before the twenty-seven-B-stroke-six forms are filled out and your device will be bureaucracy-free.

Also and related -
The more work “they” have to do to compromise a supply chain or the harder an interdiction is - the less likely “they” are going to blow their cover for little ole me.

My point is - check your own threat and risk profile.
Also generate a whole bunch of canary tokens to trip the bastids up. Including fake crypto wallets - or ones with just some dust.
Here is a good start:

https://www.stationx.net/canary

@fsflover

[This was supposed to be posted over here but an accidental tab scroll ended it up here instead, and the spam detector won’t allow me to move it to another thread. Just as well. Perhaps this is actually a more appropriate thread.]

Thanks for the meaty thread. I think we need to consider that:

  • Conspiracy happens, especially in places like China where the state exerts maximum control. It’s very easy to silence people who have no human rights to begin with in order to get them to work in a coordinated manner to interfere in a manufacturing process. (You think I’m kidding? They’re starting to use brainwave monitoring on the manufacturing floor in some facilities in order to “assist” troubled workers. Google it.)

  • Malware injection in software, firmware, or hardware is the holy grail but generally superfluous. All we need is a floor board ready to buckle as soon as someone puts enough weight on it. That much has been engineered by accident as Rowhammer and all its various manifestations have proven. Imagine if a well-funded group actually tried.

  • There seems to be this assumption that either (1) Purism is too small to care about or (2) Purism’s customers are implicitly high-value and so therefore nation state actors really care. We should be honest with ourselves and admit that we just don’t know.

  • This problem should be attacked, at first and perhaps exclusively, through packet sniffing. We could all actually participate if Purism offered a router with built-in sniffing functions. That’s not strictly necessary, as this sort of testing could be done at Purism to some degree, but it would explode the number of eyeballs analyzing outgoing traffic, and total outbound bandwidth. It would also avoid the problem of malware or flaws only being injected late into the production run, after initial samples have passed authentication. Purism Internet Telescope, anyone?

1 Like

eyeball, meet spoon! but seriously, do NOT snoople it … maybe use another search engine through Tor if you don’t want to be instantly FLoCed …

edited: i must apologize! contrary to what the people below have said in regards to the verb and noun, it appears i initially wrote ‘google’ as a verb but then i thought that writing it like this is gonna make less sense for ‘noobs’ so i decided to correct to ‘snoople’ …

3 Likes

I would like to think that “google” was being used as a generic verb. Perhaps that battle is lost - a triumph of marketing for Google.

1 Like

@irvinewade @reC Sorry for my casual use of terminology. Yes, I meant “google”, not “Google”. Nobody should be Googling (capital “G”) anything these days unless they’re attempting to contrive their social footprints or sitting behind some hefty anonymization software (in which case it might not even work). +1 for Tor and more anonymous search engines. [I know this is off-topic, but I felt compelled to clarify because I really don’t want to be leading the noobs off a security cliff with ambiguous language.]

2 Likes