[liberationtech] Fwd: Firefox OS with built in support for OpenPGP encryption

Bernard Tyers - ei8fdb ei8fdb at ei8fdb.org
Fri Sep 13 02:33:21 PDT 2013 

On 13 Sep 2013, at 09:39, Erik de Castro Lopo <mle+libs at mega-nerd.com> wrote:

> Bernard Tyers wrote:
> 
>> Firstly: I agree with you in principle but these tools need to be
>> available to all. 
>> 
>> Technology is not used in a sterile, hygienic environment, it is used on
>> the streets, by people who can't write, who use it for their purposes,
>> not necessarily the purpose it was invented for.
> 
> I do agree, but its important to note that smartphones offer a
> significantly higher risk than say laptops.

By design though. Is there any reason why (leaving aside business reasons for the moment) why smartphones can't be lower risk?

Is there any technical reason why open source (read verifiable, publically auditable) baseband software can't be created for mobile devices? I don't expect it to be easy. 

>>> Smartphones are horrendously complex, rely heavily on untrusted
>>> binary blobs, have mutiple CPUs some without direct owner/user
>>> control (eg the CPU doing the baseband processing) [1]. 
>> 
>> I agree with your points about running untrusted binaries and lack of
>> user control. 
>> 
>> Firefox OS (OS level at least) is open source, right?
>> 
>> Cyanogenmod is open source, right?
> 
> Yes, but Firefox OS and Cryanogenmod only control the user facing part
> of the smartphone.

Agreed.

> Loading eg Cryanogenmod onto a android phone leaves
> the software running the radio part of the phone untouched (otherwise
> the phone would never have passed the regulator auhorities). The second
> link I posted reported a vulnerability in that software.

Yep, I'm aware of those baseband attacks. To carry them out you need access to a Node-B (telecoms equipment mobile phones connect to), real or simulated, and advertise to the device to attach to it.

Granted, not impossible, beyond the realms of an average radio-network engineer in a government run telco. Possibly Finfisher have a point-and-click tool for it.

However, that threat (ie threat of firmware compromises) can be applied to carrier grade IP switch, router firmware also. Making all IP based traffic vulnerable. 

But again, in my opinion it's down to the "what is the level of your threat".

> Secondly these phones connect to the cell phone network and you and I have no
> tools to examine what happens on that network.

Heh, I used to, but not any more.

> Compare this with a laptop. If you buy a new laptop and are sufficiently
> paranoid you can use widely available software tools to monitor all
> network connections from that laptop to the wider internet.

Agreed, but shouldn't those tools be available for mobile devices too? The trend in technology use is moving (it's already there) towards mobile devices. These tools should be available for mobile devices, as this is where people are. Otherwise, they will continue to use cleartext SMS, or worse whatspp, viber, gmail, and unencrypted phone calls. 

People need these tools to be available. They need to understand how they fit into the kinds of threats *they face*, and where they should not be used.

>> My threat is from the local governmental goons and their smarter
>> colleagues in the government controlled telco, who will surveil my
>> calls, SMS, and e-mail.
>> 
>> If I can use any tool to protect myself from them, isn't it worth seeing
>> that tool exist?
> 
> As long as you are aware of the limitations.

I absolutely agree with you on this. This is one area that I see as being an issue at the moment. Most users don't know what they (limitations) are. They are users of the tools, not experts. "I use Firefox and HTTPS everywhere, so I'm secure, right…?"

Developers of these tools need to communicate, in an understandable way, to potential users where the limitations are.

Developing a tool and releasing it is wonderful, but you need to communicate where it works and doesn't work.

<rant>
I would argue the HRD and NGO people on this list understand threats and threat-modelling better than the technology people, certainly in the offline world. The tech people understand threat-modelling in terms of where and how to use technology.

Both groups clearly are in need of each other. The issue is they're talking on different planes.
</rant>

thanks,
Bernard

--------------------------------------
Bernard / bluboxthief / ei8fdb

IO91XM / www.ei8fdb.org

More information about the liberationtech mailing list