Where was Purism moving?


#4

Same here, shipped after 3 weeks.
Probably they are busy with all those Librem one / Librem 5 quirks instead of focusing on hardware.
That’s unfortunate, this is exactly what happened to Mozilla when they started to add stuff instead of
focusing on making Firefox a good browser :slight_smile:


#5

A normal day at the office :roll_eyes:

ring, ring
“yeah?”

“Hey, John, can you come over with your car to the assembly facility and help me move stuff to our new location?”

“Wait, what? I’m a hardware engineer!”

“Haha! Yeah, that’s what they told you in the job interview, right? Listen, move your buttocks here. I need you to engineer those 900 laptops from here over to the new location until the end of the week, got it?”

“New location?”

“Yeah, sales are growing and we also need to prepare for shipping the phones soon”

“Oh. I thought, this ‘new location’ thing is just what we tell the customers when they complain about delays, so we don’t have to admit that each laptop is first ‘inspected’ by the NS…”

“SHUT THE F*** UP! I HAVE NO CLUE WHAT YOU’RE … err… sorry. never mind. Okay, can you help?”

“Well, actually… I wanted to upstream that coreboot fix and then help out with some PureOS bugs, but then Jane asked me to fix several weird hiccups in the campaign order processing, which kept me busy most of this week so far, and…”

“Wait. Aren’t you supposed to finish the PCB schematics for the phone? Isn’t there a deadline next week?”

“Haha, yeah, I call it the walking dead line… got it?”

“Huh?”

“Never mind. Anyway, you know I never really get to that part, because I’m also the guy who patiently and politely answers all those … well-meaning questions and concerned inquiries in the forums and unsocial media”

“Like what?”

“Like, we certainly had bad intentions when we disabled the trackers inherited from Riot, but then a static code analyzer still found traces of them. Try explaining that to the mob. Why would I think the linker would still put them in the…”

“You’re way over my head, bro…”

“…”

“More accessible examples?”

“Apparently we’re supposed to write blog posts when we move to bigger rooms or if somebody leaves the company, detailing the implications and reasons leading to these changes.”

“Plausible. That all?”

“Well, people want the phone to be 10mm slim, but with two weeks of battery. The screen should be less than 5 inch, but also at least 6 inch, borderless, but with rounded, ruggedized bezels, 4k glossy matte, readable in direct sunlight, but dim with blueshift at night, with an input delay below 50ms, 16 separate kill switches (easily accessible, but aesthetically pleasing), a high-end stereo camera on the front, at least triple camera on the back, but for half the price we ask, with a RISC-V CPU, but at least as fast as the current flagship, zero proprietary blobs, with all parts produced and assembled in a country where no secret services exist, at least two USB-ports with full thunderbolt, DP and HDMI support, dual SIM, TTS, AI enhanced secure speech-control and image enhancing. And blockchain. Also, …”

“Bro… I think I can handle the move. Still 15 hours until midnight, right? And in case I get the remaining 392 custom-configured laptops shipped before the sun rises, I’ll stop by at the office and lend you a hand. You need all the moral support I can muster.”

“Thanks man.” tearing up

“Man, was good talking to you. But this better stays between us. I think the general public would be unable to understand which parts are factual, fictional, ironic, and which are outright sarcastic.”

“Totally!” acts like he got the sarcasm

“Hang in there, man!”

click


#6

So https://openstreetmap.org/node/4741830471 is the “old” location?


#7

Duuuuude! That was masterful. RESPECT.


#8

What … Riot has trackers embedded?


Trackers in Riot
#9

Yes, Riot has some trackers like Firebase (analytics software). You can get a lot of information from Firebase.


#10

I ordered my Librem about 3 months ago, similar story: estimate of shipping within a week, it took closer to a month in reality. Inquiring resulted in the same bit – “we are moving to a new location” … cool.

But if you’re moving to a new location and you know it will cause delays (ongoing for months now, based on your story), update your shipping estimates.

All of that aside, now that I have it, I love my Librem. This is just one of the many rough edges that this otherwise wonderful company has.


#11

I’m just afraid someone got to our devices after (or worse, before) they were shipped.
Our devices, my laptop and your librem phone, may well be rigged.

I don’t mean to be rude or to spread FUD. This is not my intention at all. But the lack of seriousness, the cavalier attitude in this thread really troubles me, I’m sorry to say.


#12

I acknowledge that it was somewhat undeserved to you and there were multiple other factors that influenced my response. Sorry bout that. :slightly_smiling_face:

A delay before shipment should not inspire suspicion of tampering IMO. If a secret service does this, it will try before stuff reaches Purism or after it leaves. Assuming of course Purism itself is not an NSA honeypot.
In general, Purism says, in their own best interest they try to take care, but ultimately you can never know. Which is not a problem unique to Purism.

Related:


#13

No, this is just bad customer relations and inventory management on their side, simple.
When it’s rigged, you will get it actually ahead of schedule because it’s not something that
takes long if you are an interesting target.

Do you really think the 3 letter agencies want to backdoor a person who is not even patient enough
to wait a few more days for just a laptop? No offense, but it doesn’t look like a high value target :slight_smile:


#14

This is a valid concern, one I have, too. I could deal with the delay, it was but a minor annoyance.

My concern came from four places:

  • Firstly, my shipment stalled out mid-transit with a day-long delay with no explanation from the carrier. No foul weather, no broken truck, etc. I called, they said they could not say why, it was just delayed.
  • Secondly, the outer box had been cut open and resealed with another piece of tape, with someone taking care to align the pieces damn near perfectly. I had to look very close to realize it.
  • Thirdly, the round sticker seal on the white inner box had been removed and reapplied, or replaced. Again, almost perfect, however there was adhesive residue that picked up forensic dust, showing there was another seal there at one point.
  • Lastly, the round seal that kept the innermost bag was not actually stuck down at all.

In the end, it was all I could do to inspect the machine for obvious anomalies, re-flash the bios, and do a clean install of the OS. I am not technical enough to analyze the machine any more thoroughly than I did, so I am still not certain it is clean, but what can I really do beyond keeping data worth protecting in offline storage?


I agree with this 100%; I trust that Purism does their best and understand that there is really no way to know. Purism could do more in terms of anti-interdiction, though. They began advertising it in September, and it is still not available today. There are talks on these very forums from Purism staff discussing possible anti-interdiction methods going back even further, and still nothing is available. The simplest means would be to allow in-person pickup, but they do not allow for even that.


#15

How far did you take it :slight_smile:
This is just a regular mid-range laptop, nothing special except a clean ME from factory and an option to run
Coreboot. Many Lenovos and some Chromebooks can offer the same setup with a little manual tweaking.
Nothing exceptional that would be worth extremes such as traveling to their headquarters to pick it up, unless you live
in the same city or have a trusted person around that area.
If you believe you are a high value target, one that might get some “special treatment” in transit, order the laptop under a different name and pay with crypto. If you don’t know how to pay with crypto, re-consider the previous sentence, you are probably not.
You just have to make sure the address is “routable” and you can social engineer convince the post office to hand over the laptop to you under the pseudonym you used during shipping.


#16

@dc3p, man that sounds really freaky. Was that all within US borders?
I mean at customs it’s something different. But I don’t know whether they take so much care there.


#17

Yeah, all within the US.


This is assuming how much a direct handoff from a trusted source is to a person. I could get a flight to CA fairly inexpensively, and would gladly have made the trip if it was an option. While I might be in the minority, there are almost certainly others that would appreciate such a pickup option.

True, however I believe in the values of FOS and want to contribute to Purism’s success in any way I can. Plus, those other options introduce other possible vulnerabilities.

We have no way of knowing what criteria might make one “high value”. To keep it simple, there is a chance I could be of interest for one reason or another, just as you or anyone else here might be. Remember those 3-letter budgets are big, their roots are deep, and their guiding light is largely unknown.

As for implementing my own means of anti-interdiction, as you suggested, I am aware of those kinds of methods, however I do not have the resources to realistically complete a transaction in such a way. While I say I may be interesting enough to have my machine interdicted, I am largely your average family man that is very concerned with preserving life and liberty for all, and not some sophisticated activist, etc.

A thought on the method you described, paying with crypto, ordering with a pseudonym, shipping to an address not associated with me… for all we know, such a shipment might in itself be flagged as of interest and be interdicted for that reason alone. With AI crunching data in real time, we really cannot know what gets flagged and how quickly.


#18

It’s pretty simple. To stay safe, don’t click this link :wink:
NSA: Linux Journal is an “extremist forum” and its readers get flagged for extra surveillance

and… maybe don’t order laptops from the company that employs the author of said article. :sunglasses:


#19

If something as simple as reading LJ can get you flagged, imagine what sorts of other seemingly benign things could do the same.


#20

This is highly scary!
Has anyone else heard of such in-transit tampering?

re-flash the bios

How do we re-flash the bios? What other steps should we take after receiving the laptop?


#21

IF you’d actually need THAT you’d need to have physical access to a compatible hardware-flasher and know how to use it (or just rely on someone else to do it for you - Purism or someone you TRUST)


#23

@pureismfan If you can, email them and export their response here.
Doesn’t look like any Purism employee has responded to this, yet.


#24

You will find: