(05-06-2022, 07:18 AM)danimations Wrote: (05-06-2022, 06:54 AM)tckosvic Wrote: And how would the 3 letter agencies or Google or Apple sabotage the PPP development process? Would they tamper with things at the factory, like tampering with parts, assembly, or software? I would assume there is some form of post-assembly QA and QC at PinePhone that would detect some discrepancies.
or
Would they tinker with all of the OS/desktop software packages on the software acquisition sites? Have any developers seen their posted code changed?
Posting and running with unsupported conspiratorial claims is running rampant in our country now.
tom kosvic
Since the Pinephone user pool is so small at present, said agencies or other entities could target individual users' devices once they are online, rather than repositories or development branches that could be easily reviewed. Anything that is posted by physical mail is subject to transit through customs and can be intercepted there, if there is a desire to physically tamper with a phone. One unboxing video on YouTube comes to mind, where a Pinephone recipient tries to start up his Pinephone and the OS is broken/corrupted. This user's intention to make a video review would have been known to agencies watching this space, and this result could have been choreographed.
If the users have been studied by agencies or other malicious hackers, their tolerance/intolerance for particular faults could be exploited. By that I mean, hacks could be tailored to deter individual users. Extra effort I suspect would be invested in deterring potential "influencers" with higher visibility on social media channels.
How many active Pinephone users are there? A few thousand globally?
And how many of those would be considered "influencers"? Less than a hundred, at a guess?
If people think that agencies and competitors are likely to wait until something gains traction before attacking it, I'm afraid that position is rather naive and divorced from reality. PPP doesn't start and run right out of the box until you put a system on it through a user-supplied SD card. That's the PinePhone's legacy, not likely the NSA's.
If we look at where big tech companies make money, like Amazon, Google, Meta and Apple: Google and Meta sell ads. Apple sells overhyped products. Amazon tries to monopolize markets and products. All of them have an interest in getting power to make more money, and the way to get power is locking users into their systems or monopolizing services and products. If we follow the money trails we start to see the bigger picture.
Certain companies definitely have an interest in killing competition. But I don't think big tech is after the PinePhone or its software. It is too small at the moment. Some methods would even be illegal. The reality is that the PinePhone community is rather small and relies on donations.
How these surveillance agencies fit into this formula is weird. I just point out that the world has surveillance agencies outside of the Anglo world as well, and in many cases they could be worse ones. Surveillance agencies usually are not motivated by money; they may not like unhackable devices, though.
Some things worth mentioning here. Apple created the so-called M1 chip; I think the real reason is software control. Apple can control everything in Macs and iDevices. Google has the Fuchsia project, which is closed enough for locking users into something.
Generally speaking, I think it is the small Pine community with donations that is why the PinePhone is still more or less a beta-product mess.
I imagine, more so, certain mainstream, high-volume-selling, well-known phones *required for <insert that most commonly recommended privacy phone OS here> would be a much more likely target at the supply chain level (I'm sure you can guess which one).
Numerous more sales increase the likelihood of getting 'interesting' users / high-value targets.
As is, GNU/Linux on a phone used as openly as one would installing apps to Android (installing various random convenient apps) is open to all kinds of targeting.
I ask myself: is PP, a relatively lower volume selling phone, more prototype realm than mainstream, carrying a community of developers exploring hardware at deeper levels than many flagship communities, to increase support, really more likely a target?
On average, GNU Linux is not something that comes relatively secured (Ubuntu Touch offers a better start).
If you, yourself are the one interesting enough, someone will reach out, with a valuable link, something you might like, or from someone you know.
I'd say the chances are greater, if you were compromised, that you downloaded or ran something harmful. That's usually the case.
- RTP
"In the beginner's mind there are many possibilities, in the expert's mind there are few." -Shunryu Suzuki
[ Pinephone Original | Pinetab v1 / v2 Enjoyer ]
Linux Device Privacy / Security Playlist
I think the common goal of both commercial competitors and state-based agencies would be to keep Pinephone and other Linux phones out of mainstream circulation. This could be best achieved surreptitiously by attacking individuals who might accelerate the uptake/mainstreaming of the device. Obviously highly technical users would, by their level of expertise, make much harder targets for saboteurs. The less technically-inclined user, however, is vulnerable. And that provides the opportunity to slow the uptake of these devices. The core tech users will continue to find genuine bugs and gradually correct them as we would all expect for a prototype device, while less technical users may experience attacks that manifest in ways that the developers never see.
As a past and ongoing target of sabotage (vehicles, other equipment and phones/computers) I'd like to share some observations based on my own direct experience. The preferred approach of the saboteur when attacking offline devices seems to be: to enter your home or workplace surreptitiously in your absence and swap over your device with one of theirs. The replacement device they leave in place of yours has one or more prepared physical faults. This preparation approach allows the saboteur to test the fault and prove that it has the desired effect before deploying it. The saboteur also seems to value precision and economy, so tends to make the smallest gesture possible, intended to cause maximum harm. A simple example is a light panel of mine where I found one wire had been cut. I had the same thing happen with a portable vintage organ (musical instrument). One wire cut. In the most obvious and absolute example of substitution I've experienced, the brand logo on a pair of my headphones changed colour from silver to green!
I suspect, but cannot prove, that these same principles would apply to sabotage of online device(s)... that the hacker would replace or modify a single package/file on a Pinephone to cause maximum damage to a user's experience while remaining as difficult to detect as possible. If there is risk of detection, provided the saboteur can re-enter the device, they can restore the original package/file and exit covering their tracks. Else the hack is "papered over" when the OS or program in question is next upgraded.
If anyone's able or interested to troubleshoot for me next time this happens on my phone, could someone suggest the best way to take a rapid disk image of my phone's eMMC contents for diagnosis? I guess the easier alternative is to stick with running the OS from a microSD.
Given that desktop linux hasn't got past ~1% usage despite being a genuine daily driver for years, and Pine64 is a _long_ way behind that both on software and on phone hardware design, I don't think any major companies are likely to think we're worth even bothering with. That assumes no inexplicable/illogical behaviour like the eBay exec harassing minor bloggers...
On the government level, if that's the sort of thing you have to worry about then the PinePhone is probably the wrong device as apart from any other potential issues we have no way to secure or verify the boot process, apart from perhaps by keeping a separate uSD card to check that the bootloader and unencrypted parts haven't been altered. I'm taking it as read that you're using one of the full disk encryption options to cover the rest of the content. I'll repeat the Citizen Lab suggestion as they have a track record of expertise in this area, unlike random people on a forum.
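A defender-side way to act on the two practical points raised above (taking a quick raw image of the eMMC for later diagnosis, and using a separately booted microSD to check that the bootloader and the unencrypted boot partition have not been altered), written as an added example for this thread; it is not code from any poster here or from Pine64. It assumes the phone has been booted from the microSD so the eMMC is idle, that the eMMC appears as /dev/mmcblk2 with its unencrypted boot partition at /dev/mmcblk2p1, and that the raw bootloader starts 8 KiB into the device and fits in 4 MiB. All four values are placeholders exposed as environment variables; the bootloader offset in particular differs between the A64 PinePhone and the RK3399 PinePhone Pro, so set them for your board before trusting the result.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster or from Pine64.
# Run from a system booted off a microSD so the eMMC is idle. It images the eMMC
# for diagnosis and records/re-checks SHA-256 hashes of the unencrypted early-boot
# regions. Device names and offsets below are assumptions (placeholders); set them
# for your board, e.g.  EMMC_DEV=/dev/mmcblk2 BOOT_OFFSET_KIB=32 sh emmc_check.sh check baseline.txt

EMMC_DEV="${EMMC_DEV:-/dev/mmcblk2}"        # raw eMMC block device (assumed)
BOOT_PART="${BOOT_PART:-/dev/mmcblk2p1}"    # unencrypted /boot partition (assumed)
BOOT_OFFSET_KIB="${BOOT_OFFSET_KIB:-8}"     # where the raw bootloader starts (assumed)
BOOT_LEN_KIB="${BOOT_LEN_KIB:-4096}"        # how much of it to hash (assumed)

# SHA-256 of stdin as a bare hex string; falls back to shasum where sha256sum is absent
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# hash_region DEV OFFSET_KIB LEN_KIB: hash one raw byte range of a device or image file
hash_region() {
    dd if="$1" bs=1024 skip="$2" count="$3" 2>/dev/null | sha256_stdin
}

# hash_whole PATH: hash an entire partition or file
hash_whole() {
    sha256_stdin < "$1"
}

# dump_emmc DEV OUTFILE: full raw image for offline diagnosis (large; needs free space)
dump_emmc() {
    dd if="$1" of="$2" bs=1048576 2>/dev/null
}

# write_baseline DEV BOOT_PART OUTFILE: record hashes of the unencrypted regions.
# Keep OUTFILE off the phone; a baseline stored on the eMMC could be edited too.
write_baseline() {
    {
        printf 'bootloader %s\n' "$(hash_region "$1" "$BOOT_OFFSET_KIB" "$BOOT_LEN_KIB")"
        printf 'bootpart %s\n'   "$(hash_whole "$2")"
    } > "$3"
}

# check_baseline DEV BOOT_PART BASELINE: print OK/CHANGED per region;
# returns 0 when everything matches, 1 when any region differs from the baseline
check_baseline() {
    rc=0
    while read -r name expected; do
        case "$name" in
            bootloader) actual=$(hash_region "$1" "$BOOT_OFFSET_KIB" "$BOOT_LEN_KIB") ;;
            bootpart)   actual=$(hash_whole "$2") ;;
            *)          continue ;;
        esac
        if [ "$actual" = "$expected" ]; then
            echo "OK      $name"
        else
            echo "CHANGED $name"
            rc=1
        fi
    done < "$3"
    return "$rc"
}

# Command-line entry point:
#   sh emmc_check.sh record baseline.txt   (first, from a known-good microSD boot)
#   sh emmc_check.sh check  baseline.txt   (each later time the phone misbehaves)
#   sh emmc_check.sh dump   emmc.img       (raw image to keep for diagnosis)
case "${1:-}" in
    record) write_baseline "$EMMC_DEV" "$BOOT_PART" "$2" ;;
    check)  check_baseline "$EMMC_DEV" "$BOOT_PART" "$2" ;;
    dump)   dump_emmc "$EMMC_DEV" "$2" ;;
esac
```

The baseline belongs on the microSD or another machine, never on the eMMC it describes, since whoever could alter the boot regions could alter a baseline kept beside them. A matching hash only says the unencrypted regions are what they were on the day the baseline was recorded; the encrypted remainder is covered by full disk encryption, as the post above assumes, and a changed hash after a legitimate OS upgrade simply means the baseline must be re-recorded.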
(05-07-2022, 04:53 AM)wibble Wrote: Given that desktop linux hasn't got past ~1% usage despite being a genuine daily driver for years, and Pine64 is a _long_ way behind that both on software and on phone hardware design, I don't think any major companies are likely to think we're worth even bothering with. That assumes no inexplicable/illogical behaviour like the eBay exec harassing minor bloggers...
On the government level, if that's the sort of thing you have to worry about then the PinePhone is probably the wrong device as apart from any other potential issues we have no way to secure or verify the boot process, apart from perhaps by keeping a separate uSD card to check that the bootloader and unencrypted parts haven't been altered. I'm taking it as read that you're using one of the full disk encryption options to cover the rest of the content. I'll repeat the Citizen Lab suggestion as they have a track record of expertise in this area, unlike random people on a forum.
Actually, my policy is simpler than that: don't keep or hold anything sensitive on my phone. The attacks seem to be intended to inconvenience and/or isolate me temporarily by breaking up my communications. What I need personally is reliable, old-school telephony, without the cloying data-grabby features of corporate devices and operating systems. I also like having a GPS option, as my work requires travel and that was a major drawcard of upgrading to the PPP. So far, the Pinephone and Pinephone Pro have appeared to offer the best match for my needs... but the hacks are tedious and ongoing. Switching back to a dumbphone is another option, but that seems too extreme for my situation.
Citizen Lab sounds like a very good lead for extra ideas. Thanks for endorsing it.