05-04-2022, 06:11 AM
I have experienced extraordinary and inexplicable behaviors with my Pinephone (Community Edition) since using it as a daily driver from late 2020.
I've asked myself why what I believe to be temporary hacks may be undertaken and have formed a few hypotheses that I'd like to share with fellow users.
Firstly, many people here should be savvy enough to realise that the Pinephone represents a threat to the otherwise egregious access into users' lives that Android and Apple devices provide. As such, there is a case for three and four letter agencies in various countries to conspire to degrade the user experience of Pinephone users in a targeted way. Why do this? To deter their use as daily drivers, quell early adopters' enthusiasm and generally slow the device's spread into the wider community. That I believe is the potential government motive for such nefarious activity.
The other parties interested in achieving similar goals are Pinephone's commercial competitors, of which there are many. The likes of Google, Apple, Samsung, Sony, LG, Nokia etc. would all consider Pinephone a small but real threat to their business interests. Would tech corporations commission hackers to target early adopters to damage the reputation of Pinephone and slow its uptake? I can only speculate... but I can see a clear motive for them to do so.
So where does this leave us, as determined enthusiasts that want to see Pinephone and other Linux phones thrive in the wild?
I think it would be helpful for people here to compare notes on how to best secure our devices against cyberattacks/hacking, and combine resources in investigating cases where it occurs or is likely to have occurred.
My own circumstances have an extra layer of confounding context, due to my ongoing, personal soft advocacy for the release of Julian Assange, founder and publisher of Wikileaks, who faces extradition to the USA after years of torture in the UK. Last year, it became a matter of public record that the CIA had cast a dragnet to intrude into and interfere with the lives of his remaining supporter base, after years of malicious attempts to erode it and smear Julian's character. That agency's interest in my life has made itself known in Australia, so if you think "this couldn't happen to me" it may pay to reflect on the far-reaching nature of the surveillance state today, our political context and what Pinephone represents. Pinephone is a smartphone for the people, by the people... and one that allows those of us who seek to, to draw the blinds on the covert use of our devices for commercial or political purposes.
I look forward to other users' thoughts on this subject.
05-04-2022, 09:52 AM
(This post was last modified: 05-04-2022, 09:52 AM by tophneal.)
As per the Pine64 forum rules:
Quote: No politics, religion or other sensitive topics is permissible on any of our platforms. Simply put, there are better places to discuss such topics. This rule also applies to #OffTopic chat and Community and Events subforum. Posts referring to such subject matter will be removed and may result in a warning, and even a temporary ban if the activity does not cease.
I ask anyone participating in this thread to be cautious and avoid any politically-charged conversation. Any such violation will result in either/and a warning for each offender, removal of the offending post(s), or locking of the thread.
You should probably be talking to people like Citizen Lab since they have a history of exposing use of such tools against individual journalists and small advocacy groups as well as larger organisations.
Other options would be working towards some verifiable boot process broadly equivalent to HEADS on a PC, and a distro like TAILS or Qubes. Assuming it's a viable option with the current hardware...
For most of us, simply following best practice for securing Linux is a more viable tradeoff between security and convenience, and already more inconvenient than the mass market would be willing to put up with.
05-04-2022, 11:45 AM
(This post was last modified: 05-04-2022, 11:54 AM by tckosvic.)
You made a big leap in your 3rd para hinting that Android and Apple interests might be subverting Pinephone, ergo, three letter government agencies are also involved in your plot scenario. How did you bridge that gap?
Personally, I believe that Pinephone is fully capable of creating this mess on their own without help.
tom kosvic
I agree with tckosvic. Hanlon's Razor applies here. Shortcomings in Pinephone software functionality don't need to be blamed on malicious sabotage by outsiders. I'd never say the software developers are "incompetent" but it's a lot of work with limited resources, it's no wonder progress has been a bit slow.
That said the mere fact that mainline Linux smartphones are regarded as protecting privacy will I think make them a target of three letter agencies. To be honest if a nation state is targeting you specifically and really wants in, they are getting in whatever device you use. But we can defend ourselves against undirected attacks such as "dragnet" surveillance and most ransomware gangs.
The hardware "kill switches" do provide some protection if you meet their use case. Besides that, follow general good security practices. Install a minimum of apps to limit your exposure; this is, I feel, particularly critical for mainline Linux because most apps that run have access to everything your user account does.
Getting into more hypothetical ideas. There are SD card lockers that can render a microSD card read-only. Perhaps that could be used with an overlaying file system to provide an anti-tampering measure. The uSD becomes unwritable by the phone itself until it's unlocked by a separate hardware device. The idea is that an attacker who manages to exploit a code execution vulnerability is unable to change the installed software, impairing their ability to persist the attack.
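The read-only-card-plus-overlay idea in the post above can be checked from the running system. The following is an added example, not part of the original post: it audits `/proc/mounts`-style text to confirm that the root overlay's lower layer is mounted read-only and its upper layer lives on tmpfs, so nothing written at runtime survives a reboot. The device names, mount points and sample text are constructed assumptions, and it assumes the layer paths stay visible in the mount table.

```python
# Added example: audit /proc/mounts-style text for the read-only-lower overlay layout.
# SAMPLE_MOUNTS is constructed; device names and paths are assumptions.
# Note: a software "ro" flag can be remounted by root; the hardware lock enforces it.
SAMPLE_MOUNTS = """\
/dev/mmcblk0p2 /media/ro ext4 ro,relatime 0 0
tmpfs /media/rw tmpfs rw,nosuid,nodev,relatime 0 0
overlay / overlay rw,relatime,lowerdir=/media/ro,upperdir=/media/rw/upper,workdir=/media/rw/work 0 0
"""

def parse_mounts(text):
    """Return (device, mountpoint, fstype, [options]) tuples."""
    rows = (line.split() for line in text.splitlines())
    return [(f[0], f[1], f[2], f[3].split(",")) for f in rows if len(f) >= 4]

def covering_mount(path, mounts):
    """Mount whose mountpoint is the longest prefix of path (later entries win ties)."""
    best = None
    for m in mounts:
        prefix = m[1] if m[1].endswith("/") else m[1] + "/"
        if (path + "/").startswith(prefix) and (best is None or len(m[1]) >= len(best[1])):
            best = m
    return best

def audit_root(text):
    """Return a list of findings; an empty list means the layout matches."""
    mounts = parse_mounts(text)
    root = covering_mount("/", mounts)
    if root is None or root[2] != "overlay":
        return ["root filesystem is not an overlay"]
    opts = dict(o.split("=", 1) for o in root[3] if "=" in o)
    findings = []
    for lower in filter(None, opts.get("lowerdir", "").split(":")):
        m = covering_mount(lower, mounts)
        if m is root or "ro" not in m[3]:
            findings.append(f"lower layer {lower} is writable ({m[0]})")
    upper = opts.get("upperdir")
    if upper:
        m = covering_mount(upper, mounts)
        if m is root or m[2] != "tmpfs":
            findings.append(f"upper layer {upper} persists across reboots ({m[2]})")
    return findings

if __name__ == "__main__":
    for finding in audit_root(SAMPLE_MOUNTS) or ["layout OK"]:
        print(finding)
```

On a device, pass the contents of `/proc/mounts` to `audit_root` instead of the sample text.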
05-05-2022, 07:28 AM
(This post was last modified: 05-05-2022, 07:31 AM by danimations. Edit Reason: Clarifications)
I have friends who work in the security industry who assure me that corporate espionage and sabotage are commonplace. It strikes me that since the cellphone industry is so large and lucrative, it could be safely assumed that corporations would use covert methods to undermine or attack their competitors. It is entirely plausible that commercially-motivated hacking could target the limited pool of Pinephone users for the reason I gave above... to slow the uptake of Pinephone to advantage those presently dominating the mobile phone industry.
Commercial and state-based interference with internet connected devices occurs, and to be clear, I'm not conflating the two or suggesting that they conspire together. Both occur for different reasons. I also accept that Pinephone is essentially still a prototype and things can and do break sometimes, or not work as the user might expect... but that may not account for all problems experienced by all Pinephone users all the time. Pinephone's development status also provides the perfect cover for clandestine attacks, as non-technical users, or those who haven't given much thought to the subject of external interference, would assume, quite reasonably, that it is all just beta bugginess.
Thanks to the folks above who shared advice and ideas for taking extra steps to secure the Pinephone. I have experienced many years of targeted political interference, which was a major driver for me switching to Pinephone in 2020. I have no regrets, but I have had some extraordinary things happen during my Pinephone years... for example, SMS being "held up" for as long as 24 hours, but only between certain contacts... my wife and I, or other specifically time-critical messages pertaining to my professional life.
I note the flagging of group rules and hope this thread remains open so that it can continue to stimulate more rational discussion and idea sharing.
Perhaps the 3 letter agency folks could give out the solutions they have found for all the operational problems on PPP.
tom kosvic
I don't think this idea is entirely implausible, but I doubt that there's much effort being put into such sabotage yet. When the phones are more usable, I would fully expect all sorts of attacks from many directions. Microsoft certainly used to express outright hostility to Linux, so it wouldn't surprise me if more than a few companies had eyes looking in this direction. But as of now, it's such a tiny target that it would make more sense to prioritize other mainstream alternatives like LineageOS, BraxPhones, or something.
05-06-2022, 06:54 AM
(This post was last modified: 05-06-2022, 07:00 AM by tckosvic.)
And how would the 3 letter agencies or Google or Apple sabotage the PPP development process? Would they tamper with things at the factory; like tampering in parts, assembly, or software? I would assume there is some form of post assembly QA and QC at Pinephone that would detect some discrepancies.
or
Would they tinker with all of the OS/desktop software packages on the software acquisition sites? Have any developers seen their posted code to be changed?
Posting and running with unsupported conspiratorial claims is running rampant in our country now.
tom kosvic
05-06-2022, 07:18 AM
(This post was last modified: 05-06-2022, 07:20 AM by danimations. Edit Reason: Expanded)
(05-06-2022, 06:54 AM)tckosvic Wrote: And how would the 3 letter agencies or Google or Apple sabotage the PPP development process? Would they tamper with things at the factory; like tampering in parts, assembly, or software? I would assume there is some form of post assembly QA and QC at Pinephone that would detect some discrepancies.
or
Would they tinker with all of the OS/desktop software packages on the software acquisition sites? Have any developers seen their posted code to be changed?
Posting and running with unsupported conspiratorial claims is running rampant in our country now.
tom kosvic
Since the Pinephone user pool is so small at present, said agencies or other entities could target individual users' devices once they are online, rather than repositories or development branches that could be easily reviewed. Anything that is posted by physical mail is subject to transit through customs and can be intercepted there, if there is a desire to physically tamper with a phone. One unboxing video on Youtube comes to mind, where a Pinephone recipient tries to start up his Pinephone and the OS is broken/corrupted. This user's intention to make a video review would have been known to agencies watching this space, and this result could have been choreographed.
If the users have been studied by agencies or other malicious hackers, their tolerance/intolerance for particular faults could be exploited. By that I mean, hacks could be tailored to deter individual users. Extra effort I suspect would be invested in deterring potential "influencers" with higher visibility on social media channels.
How many active Pinephone users are there? A few thousand globally?
And how many of those would be considered "influencers"? Less than a hundred, at a guess?
If people think that agencies and competitors are likely to wait until something gains traction before attacking it, I'm afraid that position is rather naive and divorced from reality.