[liberationtech] Fwd: Firefox OS with built in support for OpenPGP encryption
Bernard Tyers - ei8fdb
ei8fdb at ei8fdb.org
Fri Sep 13 02:55:17 PDT 2013
On 13 Sep 2013, at 10:04, Eugen Leitl <eugen at leitl.org> wrote:
> On Fri, Sep 13, 2013 at 06:39:35PM +1000, Erik de Castro Lopo wrote:
>
>> Yes, but Firefox OS and CyanogenMod only control the user-facing part
>> of the smartphone. Loading e.g. CyanogenMod onto an Android phone leaves
>> the software running the radio part of the phone untouched (otherwise
>> the phone would never have passed the regulatory authorities). The second
>> link I posted reported a vulnerability in that software. Secondly
>> these phones connect to the cell phone network and you and I have no
>> tools to examine what happens on that network.
>
> Baseband processors leave the system wide open to all kinds of attacks.
> A countermeasure would be running the 2G/3G/4G stack in an open
> source SDR radio, or using an open source VoIP device that connects
> by WLAN to a MiFi, which is considered part of the untrusted
> Internet.
>
> The open source WLAN VoIP handset is more difficult than it appears.
> In practice you'll have to use e.g. Jitsi with a USB headset on a
> portable computer. Not exactly painless, and it opens you up to
> system compromises.
>
> If anyone is aware of suitable dedicated hardware, I'd be thankful
> for pointers.
You've reminded me of an episode of the RiskyBusiness podcast with the grugq that I was listening to a few weeks ago. He was talking about the small USB-powered device, the "TPLINK MR11U" or "TPLINK 3040". [1, 2, 3]
He does talk about exactly the same issues - separating your devices (in his case a laptop) from the GSM network using a portal device. His use, however, is a laptop, not a mobile device. But what he talks about is figuring out what you need to defend yourself against.
I was listening to this thinking, if it's so easy (The Grugq is using it! It must be secure!) then why isn't everyone using one? I have one on order from a trustworthy Chinese trader on eBay. ;)
What I also thought was interesting was that his *recommended* approach was buying a pay-as-you-go phone, presumably closed platform, with closed firmware.
Secondly his choice of mobile device was *an iPad*!
Seriously though, his advice was interesting. Has anyone else heard it? I'd like to hear opsec peoples' opinions.
Hope that helps.
Bernard
[1] http://risky.biz/RB285 or http://media.risky.biz/RB285.mp3 (it starts at ~ 28:00 mins).
[2] http://www.amazon.co.uk/TP-LINK-TL-MR11U-Portable-150Mbps-Wireless/dp/B0098AU7HY
[3] http://www.amazon.co.uk/TP-Link-TL-MR3040-Portable-Battery-Wireless/dp/B00842KJOS
--------------------------------------
Bernard / bluboxthief / ei8fdb
IO91XM / www.ei8fdb.org