Will the Librem 5 be a white elephant or the first in a wave?

I agree that they won’t team up with Purism. They will simply use its code. The great thing about free software is that it brings in companies, who may not have an ethical commitment, but for practical reasons they end up contributing, because the license forces them. It’s cheaper to use Chatty and Calls with a GPL3+ license than develop their own apps.

Companies care about security and privacy when they see a market for it. Apple decided that it could market the iPhone based on security and privacy, and Google is now trying to convince everyone that it cares about those issues too. The problem is that Apple and Google can only offer ersatz versions of the security and privacy that Purism can offer.

Most phone makers don’t like being under Google’s thumb, and Linux offers them a way to escape, but they will have to see people buying the Librem 5 and PinePhone, and thousands of apps being added, before they risk their business on mobile Linux.

It won’t happen overnight, but there are solid reasons for optimism, when we consider all the benefits to the phone makers:

  1. No licensing fees for Google Web Services.
  2. No requirement to install Google’s spyware on their phones.
  3. No onerous certification process by the Open Handset Alliance.
  4. Much lower costs to perform upgrades, since they don’t have to pass any compatibility tests. It cost Fairphone €500,000 just to upgrade to Android 7 because of Google’s onerous certification requirements.
  5. No more restrictions that prevent them from customizing their software so they can distinguish themselves from their competitors and avoid the commodity trap.
  6. The goal of Google is to keep driving down the prices of smartphones at the low end of the market, so that more and more people can afford them and Google can collect data on the other half of the planet that doesn’t currently own a smartphone.

The inability to customize causes the commodification of Android phones and Google’s efforts to keep inviting in more and more competitors in order to drive down prices have driven profits out of the industry. Linux solves many problems for the phone companies. It just has to get good enough that the phone companies are willing to start offering a few Linux models as an experiment. Even if Linux just gets 5% of market share, it will scare the dickens out of Google, and Google will be forced to respond with better policies toward the privacy of its users. The regulators will look at mobile Linux and start asking why Google can’t provide better user rights to privacy.

Maybe I’m a dreamer, but I see a path for Purism to reform the tech industry, which is one of the goals of the company. What I know for sure is that we are guaranteed to end up in a very bad place as a society if nobody tries to stop what is happening right now with surveillance Capitalism. Lots of people are disturbed by it, but they don’t have a convenient way to avoid it, so they simply accept it. If people have a viable alternative, we might be surprised how many people will choose the alternative.

9 Likes

I nominate this sentence for Understatement of the Year 2019. :slight_smile:

6 Likes

The truth is that Apple and Google both have top-notch security teams, so I would really refrain from claims about security. Note that the latest issue in Apple devices was using a WebKit exploit (https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html), which is used by … the Librem browser.

Security is very hard, and once you’re an interesting target, people with lots of creativity, knowledge and money will come at you.

4 Likes

I don’t doubt that both Apple and Google have top-notch security teams which are much better than what Purism can provide, but it isn’t security which is verifiable or controllable by the user, which is why I call it “ersatz.”

However, the only data which I can find shows that Linux is roughly as secure as MacOS and much more secure than Android, so Purism is starting with a good base to create a secure platform.

5 Likes

About the future of Linux on phones, I didn’t think Samsung would be providing a Linux environment for Galaxy devices, but they are doing it, so it is a matter of time, and the smartphone market will have another OS than Android or iOS.

2 Likes

I believe that has been true for Sony throughout their history. Beta, digital micro audio cassette, …
They never get a break to go their way (apart from being a gigantic corporation with worldwide reach).

1 Like

#Word. (he said in the vernacular)

On top of that top notch security is the government-mandated compromise of security in both platforms.

Security counts for very little if you intentionally backdoor your platform.

3 Likes

Do you mean OnePlus and OnePlus One?

1 Like

I’m just talking from memory here, but no. It’s great to be proactive but like the USA’s method of airport security (aka: window-dressing), we only stop attacks other people already found and announced to the public.

The class is called different names at various universities, but mine was Intro to the Theory of Computation, and part of that class is finding out that security is too hard of a problem to work on with certainty. If somebody presents a claim of a security problem, it’s very easy to test it, but finding a generic problem is hard. The proof has to do with the set of real numbers being way bigger than the natural numbers; a coded program can be represented by a natural number by translating the binary string into a single number; a sequence of inputs to a program is represented by the set of real numbers because infinite input is possible on a program.

It’s provable that we cannot algorithmically tell if a program is stuck in a loop or if it will run forever never concluding the desired outcome. An ordinary computer virus is merely a sequence of inputs on a program that causes an undesirable but repeatable outcome. We cannot test all the possible inputs because the real numbers are an infinite set. These ramifications apply to hardware too.

A hardware designer can build into the solid-state logic a pathway for a specific sequence of inputs that will produce an outcome beneficial to the maker but not to the people who are buying that hardware. It’s like a clandestine virus was preprogrammed into the DNA of the hardware. Because of the same reason we can’t try all inputs to a program, we also can’t try all the inputs to a piece of hardware.

There are organizations that try to keep the hardware chain clean and verifiable, but due to the way things go from paper logic to engineered chips, to the fabricator of the chips, anybody along the way can alter the design to make a backdoor.

Security is much the work of Sisyphus.

3 Likes

While your post is interesting and correct, there are two things that “verifiable” could mean. A computer theoretic meaning is not what @amosbatto had in mind I would guess. The more practical meaning is what most of us are after.

  1. The Closed scenario (Apple / Google)

You, the user, can’t even start to verify that the platform is secure.

  2. The Open scenario (including the Librem 5)

You can at least try to verify that the platform is secure. You may fail for any number of reasons but you can at least start and you can at least make some progress.

4 Likes

Oh, sorry. OpenPlus should be OnePlus. I changed it in the original post.

2 Likes

Sony is definitely the biggest loser among…

I believe that has been true for Sony throughout their history. Beta, digital micro audio cassette, …
They never get a break to go their way (apart from being a gigantic corporation with worldwide reach).

Sony deserves to be a big loser. Crappy user interface design, consistently.

I still remember the Sony portable CD player that would reset the volume to full blast whenever it powered up. Very painful with headphones!! And their DVD player that would go directly to “standby” on powerup (is it not reasonable to suppose that if someone powers the unit up, they intend to use it at that time?).

1 Like

What I mean by verifiable security is that you can compile the code yourself and verify that it is the same code installed on your device. You can check the code to see whether there are backdoors. You can use the Librem Key to verify that the device is in the same state and hasn’t been modified. You can use an OpenPGP card for an unalterable ID, so you know that it hasn’t been changed with software. You know that components (Wi-Fi, Bluetooth, cellular baseband, GNSS, sensors) haven’t been turned on when you intend them to be off. You can verify that none of the components with proprietary binaries have access to the RAM or Cache in the CPU.

None of these things can be verified with an iOS or Android device. The best that you can do today is install AOSP (or derivatives like LineageOS) with proprietary firmware and drivers, which lets you verify most of the software.

4 Likes

respectfully there is no TRY. if i know i’m not up to the task or if i’m time impaired or i suffer some other handicap i will HIRE a firm to do it for me. if i’m poor and can’t afford it i will associate with a “few” people and we will be able to afford it (if it’s necessary to audit)

Or, if for whatever reason I do not reach a point of being satisfied that some software component of the system is secure, with open source I may be able to uninstall it or otherwise disable it. This may specifically be the case if I don’t need that functionality.

That may be somewhere between infeasible and impossible with iOS or Android i.e. unless it happens to be covered by a setting on the device.

2 Likes

or i’ll take advantage of the fact that i have ordered a few L5s and use one of them as an interesting LFS project (see how many years that takes me :smiley: ) and see how bare-bones i can get it without losing strictly necessary functionality and how efficient i can custom-build mine and compare to the other “factory-just-works” and i’ll smile at iThings and DroidThings around. the possibilities are there. the question is what each of us makes of theirs.

3 Likes

Wow, LFS on a phone… It would be incredible. But I guess only for the brave

[quote=“amosbatto, post:21, topic:6883, full:true”]Even if Linux just gets 5% of market share, it will scare the dickens out of Google, and Google will be forced to respond with better policies toward the privacy of its users. The regulators will look at mobile Linux and start asking why Google can’t provide better user rights to privacy.
[/quote]

Google executives are sociopaths, they cannot be scared nor be respectful. We need a regulator overhaul, perhaps even to purge the current regulators, since they might be pocketing Google’s bribes or be overruled by certain politicians. Regulations are meant to protect all parties, including consumers, without bias.

Google’s behavior reminds me of a story from hundreds of years ago, before toilets were installed in homes and hooked up to sewers. People were dumping buckets of their waste out of windows down to the street in large cities. There was an obsessive stalker standing across the street watching a woman behind her bedroom windows. After that woman flushed her bucket out of the window, this stalker walked up to her feces on the street and bent his back to gain a closer look, not minding being noticed by this woman and other people on the street. Indeed, this stalker is as icky as Google’s behavior. I’m afraid I don’t have an idea of how this stalker reacted when the toilets arrived; perhaps he found access to a sewer.

Thus, I doubt Google would start nixing their icky business behaviors even if pro-privacy mobile phones ever do beat them in marketing. Pro-privacy phone companies like Purism may need to reach as many people as possible, perhaps open at least a store in every large city to get noticed. But it might bring more trouble, like when Microsoft became so popular, there were decades of virus, worm, and malware outbreaks. Apple and Google are beginning to face similar problems. Most people aren’t educated enough on today’s mobile phones; they just go get what’s supposed to be the most popular, then they become easy targets for attacks or spying. Staying off the radar might be better for us. If only pro-privacy Linux phones had started 10-20 years ago.

1 Like

Thank you for your submission. Google is clearly profit-driven and morally as corrupt as the next mega-media computer associated groups (Facebook, Amazon Web, Microshit and others). Whether they are even scared of Washington D C or of the EU I cannot tell. 5 or even 10 % of the market is not likely to even stir them all that much, though 20-25 % might provoke some quiver.
Google changing their business behaviors will happen when they become much less profitable or if governments can force them to be somewhat more contrite and cooperative.