Pinephone user experience - Possibly compromised by commercial & state-based hackers?
#11
(05-06-2022, 07:18 AM)danimations Wrote:
(05-06-2022, 06:54 AM)tckosvic Wrote: And how would the 3 letter agencies or google or apple sabotage the PPP development process?  Would they tamper with things at the factory; like tampering in parts, assembly, or software?  I would assume there is some form of post assembly QA and QC at pinephone that would detect some discrepancies.

or

Would they tinker with all of the OS/desktop software packages on the software acquisition sites?  Have any developers seen their posted code to be changed?

Posting and running with unsupported conspiratorial claims is running rampant in our country now.

tom kosvic

Since the Pinephone user pool is so small at present, said agencies or other entities could target individual users' devices once they are online, rather than repositories or development branches that could be easily reviewed. Anything that is posted by physical mail is subject to transit through customs and can be intercepted there, if there is a desire to physically tamper with a phone. One unboxing video on Youtube comes to mind, where a Pinephone recipient tries to start up his Pinephone and the OS is broken/corrupted. This user's intention to make a video review would have been known to agencies watching this space, and this result could have been choreographed.

If the users have been studied by agencies or other malicious hackers, their tolerance/intolerance for particular faults could be exploited. By that I mean, hacks could be tailored to deter individual users. Extra effort I suspect would be invested in deterring potential "influencers" with higher visibility on social media channels.

How many active Pinephone users are there? A few thousand globally?

And how many of those would be considered "influencers"? Less than a hundred, at a guess?

If people think that agencies and competitors are likely to wait until something gains traction before attacking it, I'm afraid that position is rather naive and divorced from reality.
PPP doesn't start and run right out-of-the-box until you put a system on it through a user supplied sd card.  That's pinephone's legacy not likely the NSA's.
#12
If we look at where big tech companies make money, like Amazon, Google, Meta and Apple: Google and Meta sell ads. Apple sells overhyped products. Amazon tries to monopolize markets and products. All of them have an interest in getting power to make more money; the way to get power is locking users into their systems or monopolizing services and products. If we follow the money trails we start to see the bigger picture.

Certain companies definitely have an interest in killing competition. But I don't think big tech is after the PinePhone or its software. It is too small at the moment. Some methods would even be illegal. The reality is that the PinePhone community is rather small and relies on donations.

How these surveillance agencies fit into this formula is weird. I just point out that the world has surveillance agencies outside of the Anglo world as well; in many cases they could be worse ones. Surveillance agencies usually are not motivated by money; they may not like unhackable devices though.

Some things worth mentioning here. Apple created the so-called M1 chip; I think the real reason is software control. Apple can control everything in Macs and iDevices. Google has the Fuchsia project, which is closed enough for locking users into something.

Generally speaking, I think the small Pine community relying on donations is why the PinePhone is still more or less a beta product mess.
#13
I imagine more so, certain mainstream, high volume selling, well known phones *required for <insert that most commonly recommended privacy phone OS here> would be a much more likely target at supply chain level (I'm sure you can guess which one).

Numerous more sales, increases likelihood of getting 'interesting' user/ high value targets.

As is, GNU/Linux on a phone used as openly as one would installing apps to Android (installing various random convenient apps) is open to all kinds of targeting.

I ask myself: is PP, a relatively lower volume selling phone, more prototype realm than mainstream, carrying a community of developers exploring hardware at deeper levels than many flagship communities, to increase support, really more likely a target?

On average, GNU Linux is not something that comes relatively secured (Ubuntu Touch offers a better start).

If you, yourself are the one interesting enough, someone will reach out, with a valuable link, something you might like, or from someone you know.

I'd say the chances are greater, if you were compromised, that you downloaded or ran something harmful. That's usually the case.
- RTP
#14
I think the common goal of both commercial competitors and state-based agencies would be to keep Pinephone and other Linux phones out of mainstream circulation. This could be best achieved surreptitiously by attacking individuals who might accelerate the uptake/mainstreaming of the device. Obviously highly technical users would, by their level of expertise, make much harder targets for saboteurs. The less technically-inclined user, however, is vulnerable. And that provides the opportunity to slow the uptake of these devices. The core tech users will continue to find genuine bugs and gradually correct them as we would all expect for a prototype device, while less technical users may experience attacks that manifest in ways that the developers never see.

As a past and ongoing target of sabotage (vehicles, other equipment and phones/computers) I'd like to share some observations based on my own direct experience. The preferred approach of the saboteur when attacking offline devices seems to be: to enter your home or workplace surreptitiously in your absence and swap over your device with one of theirs. The replacement device they leave in place of yours has one or more prepared physical faults. This preparation approach allows the saboteur to test the fault and prove that it has the desired effect before deploying it. The saboteur also seems to value precision and economy, so tends to make the smallest gesture possible, intended to cause maximum harm. A simple example is a light panel of mine where I found one wire had been cut. I had the same thing happen with a portable vintage organ (musical instrument). One wire cut. In the most obvious and absolute example of substitution I've experienced, the brand logo on a pair of my headphones changed colour from silver to green!

I suspect, but cannot prove, that these same principles would apply to sabotage of online device(s)... that the hacker would replace or modify a single package/file on a Pinephone to cause maximum damage to a user's experience while remaining as difficult to detect as possible. If there is risk of detection, provided the saboteur can re-enter the device, they can restore the original package/file and exit covering their tracks. Else the hack is "papered over" when the OS or program in question is next upgraded.

If anyone's able or interested to troubleshoot for me next time this happens on my phone, could someone suggest the best way to take a rapid disk image of my phone's eMMC contents for diagnosis? I guess the easier alternative is to stick with running the OS from a microSD.
For byte-sized tech and software tips check out my Danimations Digital Media tips channel on Youtube
#15
Given that desktop linux hasn't got past ~1% usage despite being a genuine daily driver for years, and Pine64 is a _long_ way behind that both on software and on phone hardware design, I don't think any major companies are likely to think we're worth even bothering with. That assumes no inexplicable/illogical behaviour like the eBay exec harassing minor bloggers...

On the government level, if that's the sort of thing you have to worry about then the PinePhone is probably the wrong device as apart from any other potential issues we have no way to secure or verify the boot process, apart from perhaps by keeping a separate uSD card to check that the bootloader and unencrypted parts haven't been altered. I'm taking it as read that you're using one of the full disk encryption options to cover the rest of the content. I'll repeat the Citizen Lab suggestion as they have a track record of expertise in this area, unlike random people on a forum.
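An added example, not part of any post in this thread and not Pine64 code: one way to carry out the check suggested above, run from a system booted off the separate uSD card, comparing the bootloader and unencrypted regions of the eMMC against a baseline recorded earlier. The region names and offsets in `REGIONS` are hypothetical placeholders; take the real ones from your own partition table.

```python
import hashlib
import json
import sys

# Hypothetical layout (name -> (byte offset, length)); read the real offsets
# from your own partition table, e.g. with `fdisk -l` on the eMMC device.
REGIONS = {"pre_partition_area": (0, 4 << 20), "boot_partition": (4 << 20, 128 << 20)}


def hash_region(path, offset, length, chunk=1 << 20):
    """SHA-256 over `length` bytes at `offset` of a block device or image file."""
    digest = hashlib.sha256()
    with open(path, "rb") as dev:
        dev.seek(offset)
        remaining = length
        while remaining:
            data = dev.read(min(chunk, remaining))
            if not data:  # region runs past the end: wrong layout or truncated image
                raise ValueError(f"{path}: short read in region at offset {offset}")
            digest.update(data)
            remaining -= len(data)
    return digest.hexdigest()


def make_baseline(path, regions):
    """Record offset, length and hash per region; store the result off the phone."""
    return {name: {"offset": off, "length": size, "sha256": hash_region(path, off, size)}
            for name, (off, size) in regions.items()}


def verify(path, baseline):
    """Return the sorted names of regions whose contents no longer match."""
    return sorted(name for name, rec in baseline.items()
                  if hash_region(path, rec["offset"], rec["length"]) != rec["sha256"])


if __name__ == "__main__":
    # usage: bootcheck.py baseline|verify <device-or-image> <manifest.json>
    mode, target, manifest = sys.argv[1:4]
    if mode == "baseline":
        with open(manifest, "w") as out:
            json.dump(make_baseline(target, REGIONS), out, indent=2)
    else:
        with open(manifest) as saved:
            changed = verify(target, json.load(saved))
        print("changed regions:", ", ".join(changed) or "none")
        sys.exit(1 if changed else 0)
```

A bootloader or kernel update you installed yourself also changes these hashes, so record a fresh baseline after each such update.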
#16
(05-07-2022, 04:53 AM)wibble Wrote: Given that desktop linux hasn't got past ~1% usage despite being a genuine daily driver for years, and Pine64 is a _long_ way behind that both on software and on phone hardware design, I don't think any major companies are likely to think we're worth even bothering with. That assumes no inexplicable/illogical behaviour like the eBay exec harassing minor bloggers...

On the government level, if that's the sort of thing you have to worry about then the PinePhone is probably the wrong device as apart from any other potential issues we have no way to secure or verify the boot process, apart from perhaps by keeping a separate uSD card to check that the bootloader and unencrypted parts haven't been altered. I'm taking it as read that you're using one of the full disk encryption options to cover the rest of the content. I'll repeat the Citizen Lab suggestion as they have a track record of expertise in this area, unlike random people on a forum.

Actually, my policy is simpler than that: don't keep or hold anything sensitive on my phone. The attacks seem to be intended to inconvenience and/or isolate me temporarily by breaking up my communications. What I need personally is reliable, old-school telephony, without the cloying data-grabby features of corporate devices and operating systems. I also like having a GPS option, as my work requires travel and that was a major drawcard of upgrading to the PPP. So far, Pinephone and Pinephone Pro have appeared to offer the best match for my needs.... but the hacks are tedious and ongoing. Switching back to a dumbphone is another option, but that seems too extreme for my situation.

Citizen Lab sounds like a very good lead for extra ideas. Thanks for endorsing it.