Mobile phones

I will prove you wrong right now:

  • You can literally just stick a Yubikey into a Google Pixel and there is your PGP smartcard. Easy. There is nothing special about it. No NFC needed either - just stick them straight into the USB port.
  • I will contend that the whole smartcard business is rather theatre. When you sign and encrypt stuff, all you are seeing is a prompt - you have no idea what is signing or encrypting. I am not sure how you are even supposed to log into a mail server with a PGP smartcard, but at the end of the day, the OS has access to both your email and the password to the key anyways, so you have gained exactly 0 security.
  • Even if we were to completely ignore the second point I made - with a Yubikey you can enforce touch confirmation (by setting UIF = permanent). If you put the PGP smartcard inside the phone like you do with the Librem 5 - how are you touching it for confirmation? So even for the purpose of hope and prayers that you can limit a bit of damage because the attacker can’t just go sign and decrypt stuff at max speed, the Yubikey is a far, far more appropriate option.
1 Like

This is snake oil they are selling.

  • Prevents data contamination between applications/services located in containers

Android sandboxing already provides this.

Uses classified data and services from several separate organizations as each container

Different Android user profiles?

  • Isolates also personal applications, data and network traffic from work data

Android work profile, android user profiles.

  • Services in containers can connect to isolated back-ends via container-specific VPN tunnels

Same as above.

  • Services within the containers are protected and managed with Bittium Secure Suite

:rofl: What is this even supposed to do?

This is not to mention that they are basing their stuff on an ancient Android version (Android 11 :clown_face:) and are missing out on new security/privacy improvements on newer versions. Stuff like a global mic/camera toggle, separation between coarse location/exact location permissions, and so on.

And I have to stress that these are standard Android features, it’s not the fancy stuff that GrapheneOS adds.

There is a bunch of stuff they tout on their website that is just pure nonsense. “Non rootable firmware” → There is no such thing as rooting the firmware. And all they have done is probably removing the OEM unlocking toggle lol.

1 Like

There was another possibility.

Edward Snowden once made a video where he took an iPhone apart. He removed the camera and clipped the wires to the microphone/speaker, saying if you needed this, you could use headphones. Then there is the matter of not using some apps at all. That was when Apple Corporate was much better thought of as being concerned with privacy.

Purism, in their stuff, offers a thing they call “AweSIM”, a good idea, but I do not know if the implementation matches the article.

No one has mentioned the former version of Blackberry, or Nokia, those versions, supposedly more secure. In those days. Maybe not now.

I am also thinking that real security depends on both phones being secure and the people using the phones being aware of best practices and committed to keeping the communication secure.

Anyone want to build a new BlackBerry network? It is what BlackBerry used to promise to do.

2 Likes

In addition, the Bittium Tough Mobile 2C is only available for the government and authority sector to purchase.

Gotta scam all that sweet sweet money out of clueless bureaucrats :rofl:

But yeah it’s just straight up snake oil lol

1 Like

Edward Snowden once made a video where he took an iPhone apart. He removed the camera and clipped the wires to the microphone/speaker, saying if you needed this, you could use headphones. Then there is the matter of not using some apps at all. That was when Apple Corporate was much better thought of as being concerned with privacy.

There is a difference between doing this on an Android/iOS device and what the Librem 5 provides.

Android/iOS already provide per app toggle (and Android 12 or 13 - don’t remember which - also provides a full OS toggle). Removing the mic and camera makes sense if you are worried about exploits against these OSes which will bypass the sandboxing system.

Meanwhile, on a Librem 5, you have an OS incapable of keeping the mic protected. So the only time you are private is when you turn off the mic. When you actually need to talk - well, everything under the sun with access to the PulseAudio socket will be able to record you. This doesn’t need an exploit, it’s just how it works because the sandboxing mechanisms are so bad.

Purism, in their stuff, offers a thing they call “AweSIM”, a good idea, but I do not know if the implementation matches the article.

It’s hilarious. All they are doing is just acting as an MVNO. The only thing they can do is not providing your payment information to the underlying carrier. Any MVNO who pinky promises to do the same will be about as private as AweSIM - which is not very private at all. Cell towers can still track you as usual, and everything you say and send over the telco network can still be recorded. Hell, even Google Fi protected me by not giving my payment information to T-Mobile so when T-Mobile got hacked my payment info wasn’t leaked. It’s amazing! Such privacy.

No one has mentioned the former version of Blackberry, or Nokia, those versions, supposedly more secure. In those days. Maybe not now.

Unless they can provide actual technical information on how they are secure (they aren’t), then it’s just marketing.

Anyone want to build a new BlackBerry network? It is what BlackBerry used to promise to do.

That’s what An0m did and the criminals are stupid enough to fall for it :rofl:

1 Like

Next on Efani’s 2024 list is the Murena 2:

It has two hardware kill switches and uses /e/OS, which do fit my use case, although it is not as fine-grained as either the Librem 5 or the PinePhone. However, at least the hardware kill switches are on the side of the phone instead of behind the back case.

The rest of Murena’s smartphones except the Murena One are white-label products:

I am sure you understand computers and software and hardware much more than I do.

As someone with limited understanding, if I had a Pixel phone, I wouldn’t know what is going on with the chipsets and hardware. Anything could be showing on my screen, and I have to have trust that the open source code isn’t somehow changed by the chipsets and hardware and showing something on my screen that’s different. I have to trust that there isn’t some 0day that made it so things I have disabled with software are really disabled.

With a kill switch, I know it’s disabled based on schematics and even if I am concerned I have a tampered or faulty device, I can just open the device and look with some phones. I can’t look inside a Pixel without breaking it.

If my threat model is I’m an ordinary user and I don’t want malware breaking my software sandbox, then it may be better to use something like Graphene with very good software.

However, if my biggest concern is a loss of control of my own hardware settings due to sophisticated adversaries, possibly advanced and knowledgeable adversaries trying to target me specifically, then kill switches are much more useful to me. In a linux phone, I can use rkhunter to check the integrity of the files. I may not store my most important things in such a phone knowing it could be hacked when I use it. Yes, a phone like that would be easily hacked by a sophisticated adversary, but with a phone with kill switches, there is at least the ability to absolutely control access to when it’s connected to the Internet and hackable. I could connect it only when I need to make calls and be sure it’s not connected. I can feel more at ease knowing my hardware is doing what I want and not trusting the screen.

You’re saying the best option is to rely on a phone that uses some of the most advanced chips in the world, no one who is a normal person knows what they do, and trust the software protects from what we don’t know. I have seen your posts before and I know how smart you are and you know way more than I do.

But what about people who don’t always trust Google and those that have access to advanced knowledge about google hardware?

If you are someone who sees Google as benevolent and a vector that will never hurt you or create an exploit (possibly after a demand) that could hurt you, then you’re right. With extreme respect for your abilities, I still have a reaction that whenever someone suggests trusting Google is clearly the best option, I get nervous.

2 Likes

These are also terrible and I’d avoid them lol.

Let’s start with the hardware - the SoC is some 2018 Mediatek SoC. You’ll be lucky if the SoC has not gone EOL yet, let alone supporting stuff like memory tagging or having a Secure Element lol.

Next, to the OS - /e/ OS in general is just god awful. They have a history of shipping months old versions of Chromium, bundling years old Orbot in the OS and calling it “Advanced Privacy”. The whole maintained list of how outdated and terrible the OS is used to be available at https://divestos.org/misc/e.txt, but it seems like it no longer exists. /e/ OS didn’t support verified boot (standard Android feature) even on the hardware that supports custom key enrollment. Not sure if they have fixed any of that now but I wouldn’t gamble 500 euros on the Murena 2 with their OS.

Now, to their cloud services. They had an incident where their cloud service mishandled session keys and gave users access to each other’s files, then proceeded to mislead the users that the server cannot see their files despite there being no end-to-end encryption. This is so bad, you can use Google’s cloud services with no E2EE and still have better privacy. At least, they don’t mislead you. Or, you can use iCloud with Advanced Data Protection which provides E2EE for everything except mail, CardDAV, and CalDAV. The iCloud stuff is like heaven compared to Murena cloud.

1 Like

Thank you for the citation, but I only trust myself with managing my own data. Regardless of e Foundation’s transparency handling the issue, everyone still loses.

But I only trust myself with my own data.

Good. Then that’s better.

All I am saying is that the Murena phone is just worse than a standard Google Pixel with stock OS or an iPhone, and people shouldn’t waste their money on it. Obviously, I’d still recommend a Pixel + GrapheneOS before the other stuff, I am just showing how bad Murena actually is.

1 Like

What about the Google Pixels with CalyxOS instead?

Significantly less bad than the /e/ stuff, but GrapheneOS + the latest Pixels (with the Tensor G3 - so not counting the Pixel Fold right now) are still better: you have much longer support from Google and the SoC supports new fancy stuff like memory tagging.

GrapheneOS also has more fancy features like contact scoping + storage scoping, Sandboxed Play Services, and other stuff.

1 Like

As someone with limited understanding, if I had a Pixel phone, I wouldn’t know what is going on with the chipsets and hardware.

There are many people who do research into this, though that stuff is way above my pay grade. Ask yourself this:

  • Would you really understand it anyways if it was anyone else’s SoC, even if their stuff is somehow open? You wouldn’t (you said you have limited understanding). Yeah, open hardware would be nice if it is actually secure and easy to study, but who’s providing that right now?
  • Are the chips on the Librem really open? No, they are proprietary. Do you know what’s going on? No, you don’t.

With a kill switch, I know it’s disabled based on schematics and even if I am concerned I have a tampered or faulty device, I can just open the device and look with some phones. I can’t look inside a Pixel without breaking it.

If you are worried about an attacker sophisticated enough to open up the phone and tamper with your system, wouldn’t you want verified boot?

However, if my biggest concern is a loss of control of my own hardware settings due to sophisticated adversaries, possibly advanced and knowledgeable adversaries trying to target me specifically, then kill switches are much more useful to me.

It is easier to attack your normal Linux install than an Android install, FYI. You need strong sandboxing and multiple layers of protections to stop this sort of threat.

In a linux phone, I can use rkhunter to check the integrity of the files.

If you think the OS is compromised, why do you think the malware won’t just subvert rkhunter? It’s like trusting an antivirus to tell you the computer doesn’t have any virus left after it has been compromised. It doesn’t make much sense.

You’re saying the best option is to rely on a phone that uses some of the most advanced chips in the world, no one who is a normal person knows what they do, and trust the software protects from what we don’t know.

Does a ‘normal person’ know anything about any chip? I am only saying use stuff like the latest Pixels because of the features they actually provide, like verified boot support for third party OSes, memory tagging, monthly firmware updates for years, with fixes for stuff on their security bulletin.

But what about people who don’t always trust Google and those that have access to advanced knowledge about google hardware?

Why would you be so afraid of Google hardware but then go trust some random piece of hardware? Is there any technical basis to this?

I still have a reaction that whenever someone suggests trusting Google is clearly the best option, I get nervous.

I am not telling you to blindly trust Google or that they can do no wrong. I wouldn’t recommend stuff like Chromebooks because of how they handle encryption there for example. But in the case of Android vs a phone running traditional Linux, you can see that Android is much better with system hardening, verified boot, and app sandboxing.

1 Like

I suppose another argument to support Linux phones is to further their development and maturity. I appreciate more choices than Android or iOS, but such options are not readily offered locally, especially fitting my use case.

“Supporting it” is 1 thing, pretending that Android and iOS are so evil then selling them a much worse product while claiming it’s more secure or private like Purism does is unethical.

1 Like

There are linux phones with switches made in China. Those may have backdoors too. I don’t know. But I know with switches, if I turn off the WiFi, Bluetooth, and Modem, then I am not being hacked or tracked while just using the device and having that sent to somewhere else (unless it’s through some technology not in the device).

I don’t need verified boot if I can verify the hash of an open source distro. I’m more concerned about a hardware level backdoor compromising the OS at all times, and I just have no idea, than someone tampering with the OS.

Most of the data on any mobile device that someone like me (who believes many things are easily hacked) would use is not going to be that sensitive because either it’s a normal closed-source phone (and then there are built backdoors in the software probably) or it’s an open-source Graphene phone (with Pixel chips that do things I don’t understand or trust) or it’s a phone that could get compromised in the software more easily because it’s experimental or new.

I am less concerned with a hack on the phone getting a bit of data than I am with my phone secretly tracking me at all times and I just don’t know.

If the government told google “You must put in a new chip backdoor, and if you tell anyone you get arrested” then google would do that. We don’t know if something like that is in these chips, we can’t know how such things, if they are there, may or may not interact with Graphene. The only thing we know with Graphene is that it’s built for 1 type of phone and that phone has no way to physically turn off the part of the phone that connects to the Internet.

With a phone that has linux and is in development, yes, there could be a hack more easily, such as some XY package hack that gets in, or if I decided to be really risky and used snap to download any sort of software unleashing who knows what. But, I can still turn off the Internet, I can turn off being tracked.

Google is controlled by the US government ultimately. The USA stands for a lot of great things, including free speech, free religion, the ability to work hard and become something. The USA, in my opinion, also stands up to some really bad organizations and people that want to hurt minorities and that’s a good thing. The USA also engages in behavior that some in the international community thinks violates human rights. Whether you think waterboarding people and executing people with developmental disabilities is philosophically justified, and whether that means you can or can’t trust Google, and whether some exploits may benefit society overall, is a complex discussion.

For some people, even if they have a low threat model, they may just not want to be tracked. I know with hardware switches a phone can’t be tracked and as society moves toward the expectation that everyone use either iPhones or Androids, this silent rule, I just think it’s a mistake to presume that all the great open source features of something like Graphene mean everyone, with every threat model, should gravitate toward one of the two standard phone types.

Yes, Graphene is probably very good at protecting people from those who don’t have access to any Google backdoor that could be in a chipset, and if there’s no backdoor in the chipset, then it’s completely great and everyone should use it. But like I said, I’m not that good with these things, I can’t look at open source software and trust that it protects me from chip-level attacks, I don’t understand chips or software well, and so I am just left wondering, trusting, hoping.

With switches, I don’t have to trust anyone. We live in a society in which the government is allowed by law to lie to people in certain circumstances and can also force people to not divulge their deceptions. Whether that’s a good thing or a bad thing is a debate, but it certainly means you can’t just trust what a company or government says is always truthful. None of these things should be controversial.

2 Likes