[liberationtech] Fwd: Firefox OS with built in support for OpenPGP encryption

Rich Kulawiec rsk at gsp.org
Fri Sep 13 09:41:30 PDT 2013


On Fri, Sep 13, 2013 at 09:14:27AM +1000, Erik de Castro Lopo wrote:
> No such agency and the like are almost certainly able (with the
> help of carriers and manufacturers) to backdoor and exploit all
> the major smartphone brands and models [0].
> 
> Smartphones are horrendously complex, rely heavily on untrusted
> binary blobs, have multiple CPUs some without direct owner/user
> control (eg the CPU doing the baseband processing) [1]. 
> Currently these devices are impossibly difficult to secure.

I strongly concur: this echoes something I've said before, here and
elsewhere.  We've already seen code of dubious provenance and
nebulous justification (CarrierIQ); I would be very surprised
indeed if that was the only such piece of software in the field.
And of course smartphone-based malware is epidemic: the app
stores are full of it.  (Given recent events, I think it's reasonable
to wonder how much of that has been authored by miscreants and
how much by various governments.)  Whatever the origin, it won't be long
until that malware is accessible (for a price) to any government on this
planet that wants it.

Perhaps this has already happened.

Add to that the unquenchable thirst of (telcos, governments, marketers)
for as much data as they can get any time they can get it, and "carrying
a smartphone" can reasonably be viewed as functionally equivalent
to "wiretapping yourself".  (And let's not think for a moment that
even allegedly-benign data collection will remain so: it's all within
the reach of any sufficiently-powerful/wealthy/stealthy government
that wants it.)

And if you (generic "you", the reader) think this is unduly pessimistic,
I invite you to consider the plethora of security problems already
publicly known, and to further consider that attacks always get better:
they never get worse.

---rsk


