
      Thousands of phones and routers swept into proxy service, unbeknownst to users

      news.movim.eu / ArsTechnica · Tuesday, 26 March - 19:56 · 1 minute


    Crooks are working overtime to anonymize their illicit online activities using thousands of devices of unsuspecting users, as evidenced by two unrelated reports published Tuesday.

    The first, from security firm Lumen Labs, reports that roughly 40,000 home and office routers have been drafted into a criminal enterprise that anonymizes illicit Internet activities, with another 1,000 new devices being added each day. The malware responsible is a variant of TheMoon, a malicious code family dating back to at least 2014. In its earliest days, TheMoon almost exclusively infected Linksys E1000 series routers. Over the years it branched out to targeting the Asus WRTs, Vivotek Network Cameras, and multiple D-Link models.

    In the years following its debut, TheMoon’s self-propagating behavior and growing ability to compromise a broad base of architectures enabled a growth curve that captured attention in security circles. More recently, the visibility of the Internet of Things botnet trailed off, leading many to assume it was inert. To the surprise of researchers in Lumen’s Black Lotus Lab, during a single 72-hour stretch earlier this month, TheMoon added 6,000 ASUS routers to its ranks, an indication that the botnet is as strong as it’s ever been.


      Ambient light sensors can reveal your device activity. How big a threat is it?

      news.movim.eu / ArsTechnica · Tuesday, 23 January - 16:20 · 1 minute


    An overwhelming majority of handheld devices these days have ambient light sensors built into them. A large percentage of TVs and monitors do, too, and that proportion is growing. The sensors allow devices to automatically adjust the screen brightness based on how light or dark the surroundings are. That, in turn, reduces eye strain and improves power consumption.

    New research reveals that embedded ambient light sensors can, under certain conditions, allow website operators, app makers, and others to pry into user actions that until now have been presumed to be private. A proof-of-concept attack coming out of the research, for instance, is able to determine what touch gestures a user is performing on the screen. Gestures including one-finger slides, two-finger scrolls, three-finger pinches, four-finger swipes, and five-finger rotates can all be determined. As screen resolutions and sensors improve, the attack is likely to get better.

    Always-on sensors, no permissions required

    There are plenty of limitations that prevent the attack as it exists now from being practical or posing an immediate threat. The biggest restrictions: it works only on devices with a large screen, in environments without bright ambient light, and when the screen is displaying certain types of content that are known to the attacker. The technique also can’t reveal the identity of people in front of the screen. The researchers, from Massachusetts Institute of Technology, readily acknowledge these constraints but say it’s important for device makers and end users to be aware of the potential threat going forward.


      Find My AirTag

      pubsub.slavino.sk / hackerfactor · Tuesday, 30 May, 2023 - 19:45 · 14 minutes

    I'm doing more traveling these days and I've finally decided that I need something to track my luggage and laptop bag. There are a couple of different options (Tile, Samsung Smart Tag, Apple AirTag, etc.). I went with the AirTag because it has the widest support. (Anyone with an Apple iPhone will help you track the AirTag, and Apple devices comprise about 52% of the US market.)

    Making a Case

    Physically, Apple's AirTag is a coin-shaped disc that is little larger than a bottle cap. However, it doesn't have any holes for mounting it to a keychain, laptop, or anything else. Since I'm certain that I would lose it, I used my laser cutter to make a little case for it. This took me a few days to design, test on cardboard, and eventually make on leather. I used red leather dye so that it would be easy to see. (I used waxed cord for binding it together and attached a snap to the strap.)


    Eventually I will need to remove the AirTag from the pouch in order to change the battery. For that, I just need to remove the strap and slip the AirTag out the top. (I could have bought a cheap AirTag case on Amazon, but I think mine is better made.)

    Tracking with an AirTag

    The AirTag itself is mostly battery (a CR2032 coin battery) and it is supposed to last about a year. The device does not contain GPS or other sensors. It only contains two things: a near-field communication (NFC) chip and a Bluetooth Low Energy (BLE) radio.

    NFC devices are usually found in smart cards and they normally have a range of a few inches. If your employer requires you to touch your badge to a door sensor in order to gain entry, that's NFC. If your credit card has a "tap to pay" option, that's supplied by an NFC chip in the credit card.

    If you turn on your iPhone and touch it to the AirTag, the phone will detect the NFC device and prompt you to open a link in your browser. The link will show you the AirTag's serial number and the last four digits of the owner's phone number. You can also use the 'Shortcuts' application to automate a task. For example, I've configured a custom task that will start a 3-minute timer when I touch my AirTag to my phone. (If I can't get out of an in-person interaction, then I can subtly touch the AirTag to my phone and then get an alert a few minutes later that I can use as an excuse to leave.)

    The BLE is the more exciting part. It sends out a small beacon every two seconds. The beacon has a range of about 30 feet (9 meters). Any iPhone that hears the beacon will report it to Apple. This is how it does tracking:
    1. The iPhone knows its own location. This can be via GPS, WiFi access point location, cellsite location, or IP address geolocation. These options are determined by the iPhone's "location services" setting.
    2. If the iPhone is moving, then it can determine the AirTag's direction and distance to within a few inches. This means the iPhone knows the exact location of the AirTag relative to the iPhone's position. And since it knows the iPhone's position, it knows the AirTag's position.
    3. The iPhone will report the AirTag identifier and location to Apple. It reports roughly every 10 minutes, but the reporting rate seems to dynamically change.

      I haven't worked out the exact cause for the variable update rates, but sleeping, sleeping while charging, and actively in-use all have different reporting rates. The iPhone also seems to change the reporting rate based on the time of day. From 9-10pm last night, it reported the AirTag 5 times, but from 9am-10am, it reported the same AirTag 110 times. (The 110 sightings exclude updates where the last-seen time and lat/lon remained the same, even if the accuracy field differed.) Even though the reporting frequency changed, I had not touched either device.
    4. The owner of the AirTag (me) can use the "Find My" app to view the current location of my registered Apple devices. For me, this includes my Mac, iPhone, and AirTag. Each record contains the last time and location where the device was heard.
    Now we can get to the caveats:
    • If no iPhone hears the AirTag, then it won't be reported. This means that either there were no nearby iPhones or the phone had bluetooth turned off.
    • If the iPhone doesn't know its location, then it won't be reported. This can happen if GPS and location services are disabled.
    • If the iPhone isn't online (no WiFi and no data plan, or in airplane mode), then it cannot connect to Apple and it won't report the sighting. Sightings are not queued up for later delivery. (It's now or never.)
    As far as I can tell, there is no way for an iPhone to opt-out of reporting AirTag sightings to Apple's "Find My" service. If it hears an AirTag, knows the location, and has network connectivity, then the AirTag's information will be reported by the iPhone to Apple.

    Find My

    The "Find My" app is pretty primitive. It lists your devices (and friends) on a map for real-time tracking. I know people who use it to track their children. I've used it to find my misplaced iPhone. And there are plenty of people who have used it to track lost luggage.

    Personally, I'm not very pleased with Apple's "Find My" app. While it shows the devices (Mac, iPhone, AirTag, friends, etc.) and their current locations, it doesn't retain any kind of history. I want a history of where my AirTag (and iPhone) has been because I may not be watching the application at the moment a thief takes off with my device.

    What I really want is to harvest the "Find My" data for my devices and store it in a database. If you look online, there are some people who had reverse-engineered the web interface. However, all of those scripts seem to have stopped working a few years ago, when Apple rolled out some updates. (The updates broke third-party connections to the Find My interface.) Today, Apple effectively requires you to use their "Find My" application to access the Find My service. (Fortunately, I have a Mac in my office. I originally got it for testing browser compatibility for my online web services. However, it's also good for this little project.)

    All of the current Find My data is stored in a couple of files in the $HOME/Library/Caches/com.apple.findmy.fmipcore/ directory. The "Devices.data" file is a JSON that stores the location of your computers and phones, while the "Items.data" file uses the same JSON format and records the location of your AirTag(s). As long as the Find My app is running, these files are updated as often as every few seconds, but it can be less frequent if the screen saver turns on.

    I wrote a little script that watches for any changes to these files and uploads them to a server-side script:
    #!/bin/bash
    # Change these to match your system
    URL="https://hackerfactor.local/findmy.php"
    MYDIR="$HOME/Library/Caches/com.apple.findmy.fmipcore"

    # fswatch -o prints one line per batch of changes; -l 5 sets a 5-second latency
    fswatch -o -l 5 "$MYDIR/" | while read -r _ ; do
      date +'%Y-%m-%d %H:%M:%S' # show the current time

      # Copy data files to the server
      curl -f -s \
        -F "json1=<$MYDIR/Items.data" \
        -F "json2=<$MYDIR/Devices.data" \
        "$URL"

      if [ "$?" != "0" ] ; then
        # An error can happen if Apple changes a data file during the upload attempt.
        echo "Error: Retry"
        sleep 1
        curl -f -s \
          -F "json1=<$MYDIR/Items.data" \
          -F "json2=<$MYDIR/Devices.data" \
          "$URL"
      fi
      echo "" # blank line for readability
    done
    This client-side script watches for any changes to these data files and uploads the new files to my local (internal) web server. On the server side, it receives the JSON data, extracts the device name, location (latitude, longitude, altitude, and accuracy), and last-heard time. This data is stuffed into a simple sqlite3 database. (It also has special rules in case the data didn't change since it was last reported.) I also wrote a server-side script that extracts the locations from the database and graphs them using Google Maps.
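
The server-side step described above, as an added example in Python (not the author's server-side script, which the page does not show): it parses an uploaded Items.data body, ignores a file caught mid-write, and drops repeats where the last-seen time and lat/lon are unchanged even if the accuracy differs. The JSON field names, the table layout and the sample records are assumptions.

```python
import json
import sqlite3

# Constructed sample in the ASSUMED Items.data shape (not real data).
SAMPLE_ITEMS = json.dumps([
    {"name": "Luggage", "location": {
        "latitude": 10.0, "longitude": 20.0, "altitude": 5.0,
        "horizontalAccuracy": 12.0, "timeStamp": 1685471100000}},
    {"name": "Laptop bag", "location": {
        "latitude": 10.0005, "longitude": 20.0005, "altitude": 5.0,
        "horizontalAccuracy": 35.0, "timeStamp": 1685471160000}},
    {"name": "Spare tag", "location": None},  # never heard: no location yet
])

SCHEMA = """
CREATE TABLE IF NOT EXISTS sightings (
    name     TEXT    NOT NULL,
    seen_ms  INTEGER NOT NULL,   -- last-heard time, milliseconds since epoch
    lat      REAL    NOT NULL,
    lon      REAL    NOT NULL,
    alt      REAL,
    accuracy REAL,
    UNIQUE (name, seen_ms, lat, lon)  -- accuracy is deliberately not in the key
)"""


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db


def _num(value):
    """Return value as float, or None when it is missing or not numeric."""
    return float(value) if isinstance(value, (int, float)) else None


def parse_records(raw):
    """Return (name, seen_ms, lat, lon, alt, accuracy) rows from an upload."""
    try:
        entries = json.loads(raw)
    except (TypeError, ValueError):
        return []  # truncated or invalid JSON, e.g. file changed during upload
    if not isinstance(entries, list):
        return []
    rows = []
    for entry in entries:
        loc = entry.get("location") if isinstance(entry, dict) else None
        if not isinstance(loc, dict):
            continue  # item without a reported location
        try:
            rows.append((str(entry["name"]), int(loc["timeStamp"]),
                         float(loc["latitude"]), float(loc["longitude"]),
                         _num(loc.get("altitude")),
                         _num(loc.get("horizontalAccuracy"))))
        except (KeyError, TypeError, ValueError):
            continue  # skip a malformed entry, keep the rest
    return rows


def ingest(db, raw):
    """Store new sightings; return how many rows were actually inserted."""
    before = db.total_changes
    with db:  # one transaction per upload
        db.executemany(
            "INSERT OR IGNORE INTO sightings VALUES (?, ?, ?, ?, ?, ?)",
            parse_records(raw))
    return db.total_changes - before


if __name__ == "__main__":
    db = open_db()
    print("new sightings:", ingest(db, SAMPLE_ITEMS))
    print("repeat upload:", ingest(db, SAMPLE_ITEMS))
```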

    For testing, I have been taking the AirTag with me as I go on errands and walks around town. The next time I go on a trip, I should have a great map of every place the AirTag was seen. (Remember: this isn't every place the AirTag went. It is only the places where there was an iPhone that reported hearing the AirTag's beacon.)

    The downside is that I'm now seeing how (in)accurate Apple really is for tracking.
    • If the iPhone uses GPS, then the location information is very accurate. (As long as you are outdoors and not surrounded by skyscrapers.)
    • Without GPS, it will fall back to location services based on WiFi, cell site, and IP address. These are seriously lacking. For example, my Mac Mini has a wired network address and no GPS. Every few minutes the detected coordinates (latitude, longitude, and accuracy) change. At any given moment, the stationary computer's location may be anywhere within a three-house radius. (Apple's data makes it move around a lot!) If I average all of the locations, then my Mac is clearly located in the furthest part of my backyard. Even taking the "accuracy" into account, it's often still wrong by over 100 feet (30 meters).
    • The inaccuracy also applies to my iPhone. After walking around the block without GPS enabled, it had me located all over the place. Inside houses, in the nearby river, and as much as a half-street away from my actual location. The "accuracy" is supposed to be +/- meters, but it's more inaccurate than the location detection.
    Knowing this inaccuracy, the location services should get you close enough to a lost AirTag so that you can use the Find My app's "Find" function. This is the feature that permits accurately locating an AirTag if it's within 30 feet of you. The geolocation coordinates get you to the general area and the "Find" function helps you narrow down the precise location.

    Stalkers

    The intended use for the AirTag is to allow the owner (me) to track the device. I can put it in my suitcase and see where the suitcase goes. The most vocal fear online is someone slipping an AirTag into an unsuspecting victim's pocket, purse, or car and then following that person. This fear is definitely reasonable, given the number of complaints where stalkers used AirTags to track victims.

    Apple has made some changes to the AirTag. For example, if your iPhone notices that an unknown AirTag is following you, then you can see an alert and maybe hear it beep. However, you might be carrying a stalker's AirTag for 8 to 24 hours before getting the notification.

    There are downsides for sending an alert or making a sound:
    • Let's assume your luggage was stolen. A thief will quickly learn that there is an AirTag nearby, and they may be able to disable it before being caught. (You can deter stalkers or deter thieves, but you can't stop both.)
    • The AirTag is designed to beep if it has been separated from its owner. The beeping is random and happens 8 to 24 hours after the separation. If I'm out of the hotel for more than 8 hours, I don't want my AirTag to start beeping just because I'm not there! The same concern applies if I go out for the day but leave the AirTag at home, or if you're on a long flight and separated from your bag. Any luggage with an AirTag will likely start beeping. (What a great way to freak out the flight attendants!)
    With Android devices, there are a couple of different apps that can detect AirTags. However, you must run them manually. (I'm not listing any of those apps here because I can't authenticate the quality or whether there is malware.) Unfortunately, I haven't found any apps for manually detecting nearby AirTags on the iPhone. (There are a few apps that claim to do it, but they are so heavily burdened with ads and clickbait that I couldn't tell if any of them actually worked.) At best, you can use one of the BLE scanner applications, but those don't explicitly identify AirTags or other tracking devices.

    Alternate Uses

    With AirTags, the intended use is to track your own property. The illegal use is to stalk people. But I was wondering: How else can it be used? I've found a few other possibilities:
    • Count the number of nearby iPhones. The "last heard" time in the Find My app is checked every few seconds (app refresh) but the time for any particular device should update every minute (iPhone beacon reporting). If you see a timestamp in the Items.data file updating more often, then it means that multiple iPhones received the beacon and reported it. I recently went to the local deli. There was a long line of people waiting to place orders. Based on how often the Items.data file was updating, there had to have been at least 5 other iPhones within 30 feet of me. On another excursion, I went to the post office. The building was mostly empty. My database recorded one sighting and it happened when I walked past the only other person in that part of the building. That person had to have had an iPhone. (I don't think it was an employee behind a nearby wall since it was only reported once and I walked the same path twice -- to and from the mailbox drop-off.)

      Keep in mind: I can't identify any information about the nearby iPhones other than "they existed". I don't know their model, serial number, phone number, or anything else. But if you're the only person near my AirTag and "someone" reported hearing it, then that someone is you.
    • Alert me when someone comes near my stuff. If my AirTag is in my suitcase, my suitcase is in my hotel room, and the "do not disturb" notice is on the door, then nobody else should get within detection range of my AirTag. If any devices report hearing my AirTag, then there's someone near or inside my hotel room. And if my AirTag starts moving, then there's a theft in progress. Given the number of iPhones in a given hotel, it should be really hard for a thief to get my stuff out of the building without being detected. (Unless they find the AirTag and remove the battery first.)

      The only times I've ever had some unknown visitor enter my hotel room and rifle through my suitcase has been in Las Vegas. (It's happened three times.) Previously, I would report that someone entered my room without permission and went through my luggage, but the "when" spanned a multiple-hour window. (Each time, hotel security wrote down brief notes but seemed to not show any interest since stuff inside my zipped suitcase was moved but nothing was stolen. Never leave valuables in your hotel room.) With the AirTag, I may be able to determine the exact time someone entered the room. (If this happens, I wonder if a warrant to Apple could produce the identity of the iPhone that spotted my AirTag?)
    • Carry the AirTag with you (without an iPhone) and walk through a parking lot. If any device reports hearing the AirTag, then there must be a nearby iPhone. You can probably determine when someone left their iPhone in their car. (Potential for theft! Don't leave your iPhone in your car!)
    • Confuse the AirTag owner by recording the AirTag beacon and replaying it at random locations. As far as I can tell, the AirTag beacon doesn't change contents. (In the comments, Knox noted that the MAC addresses automatically change often, so any attack that relies on replaying the beacon has a limited viable duration. Thanks Knox!)
    • Record the AirTag beacon and wait until you see it again. You can identify who has a specific AirTag and you know that they own an iPhone and/or Mac. (An AirTag really can't be used without an iPhone or Mac, so if you see an AirTag, then you know what the owner must also own.) Then again, this works with all BLE devices and is not limited to the AirTag.
    • Stalk people from a distance. BLE receivers are supposed to have a limited range. However, I've seen custom directional antennas that can boost the reception to much more than 30 feet. If you own an AirTag, then you are definitely stalkable from a distance.
    • Force someone to recharge their iPhone. If you can put a bunch of AirTags (or fake beacons that sound like AirTags) near an iPhone, I wonder if you can drain the battery and suck up their bandwidth as it continually reports each new AirTag? (BLE is low energy, but WiFi and cellular connectivity suck battery.) This could force the user to stop what they are doing and recharge the phone. In my experience, people are usually near their recharging phones, so you could force someone to remain in a location for a while.
    I'm sure there are other things that can be done with an AirTag. Now I've got something else to look forward to during my next trip.
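
One way to implement the "alert me when someone comes near my stuff" idea for your own parked AirTag, as an added example that is not the author's code: every new sighting means some iPhone was in range, and movement is only declared after consecutive fixes land outside the error radius, because the post shows that single fixes can be off by over 30 meters. The function names, thresholds and sample coordinates are constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6371000.0
# Assumption taken from the post: a fix can be wrong by over 100 feet (30 m),
# so nothing closer than this to the parked position counts as movement.
JITTER_FLOOR_M = 30.0

# Constructed data: where the tag was left (lat, lon, accuracy in meters) ...
PARKED = (10.0, 20.0, 10.0)
# ... and later sightings as (seen_ms, lat, lon, accuracy in meters).
SIGHTINGS = [
    (1685471100000, 10.0001, 20.0001, 15.0),  # jitter around the room
    (1685471400000, 10.0010, 20.0000, 10.0),  # single outlier, about 111 m
    (1685471700000, 10.0001, 20.0000, 10.0),  # back near the parked spot
    (1685472000000, 10.0020, 20.0000, 10.0),  # first fix away, about 222 m
    (1685472300000, 10.0030, 20.0000, 10.0),  # second fix away, about 334 m
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in meters."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def classify(parked, sightings, floor_m=JITTER_FLOOR_M, confirm=2):
    """Label each sighting of a tag that is supposed to stay put.

    "heard": a phone reported the tag, so someone was within beacon range.
    "moved": `confirm` consecutive fixes fell outside the error radius.
    Returns a list of (seen_ms, label, distance_m) in time order.
    """
    plat, plon, pacc = parked
    events, streak = [], 0
    for seen_ms, lat, lon, acc in sorted(sightings):
        dist = haversine_m(plat, plon, lat, lon)
        # Error radius: both reported accuracies, but never below the floor.
        limit = max(floor_m, pacc + acc)
        streak = streak + 1 if dist > limit else 0
        label = "moved" if streak >= confirm else "heard"
        events.append((seen_ms, label, round(dist, 1)))
    return events


if __name__ == "__main__":
    for seen_ms, label, dist in classify(PARKED, SIGHTINGS):
        print(seen_ms, label, f"{dist} m from parked position")
```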

    Tags: #Network, #Phones, #Programming, #Privacy


      Librem 5 and Librem 5 USA: What are the Differences?

      pubsub.do.nohost.me / Purism · Friday, 26 March, 2021 - 16:37 · 2 minutes

    We sometimes get questions from customers who are trying to decide between the Librem 5 and Librem 5 USA, such as whether someone living in the USA must buy a Librem 5 USA (Answer: both Librem 5 and Librem 5 USA work in the US) or whether the Librem 5 is $1999 (Answer: the Librem 5 is $799, the Librem 5 USA is $1999). If you are trying to decide between the two phones and want to understand what makes the Librem 5 USA a premium product, in this post we’ll highlight the differences between the two.

    What’s the Same

    Librem 5 and Librem 5 USA have the same Purism-authored schematics, Industrial Design (ID), and Mechanical Design (MD). They both run the same firmware, kernel (Linux), operating system (PureOS), and applications from the PureOS Store. Both products are from Purism, a US-based Social Purpose Company. Both phones work in all the regions of the world by using a removable region-specific modem module included and installed in the phone.

    Trust & Verify

    Both the Librem 5 and Librem 5 USA have public schematics (they’re the same schematics, since they’re our schematics) for public verification. They both have X-rays released after manufacturing of the PCBAs to verify hardware chips and placement. Both phones are fully Purism designs top-to-bottom. Both phones have all source code released for reproducible verification of no tampering and public verification.

    What’s Different

    The core differences between the products are based on the Librem 5 being contract manufactured in China while the Librem 5 USA is manufactured at our facility in Carlsbad, California.

    Librem 5

    The Librem 5 PCBAs (the two boards inside the chassis) are manufactured in China. The PCBAs are then assembled into the Librem 5 Chassis, and imported to our facility in the USA for final assembly, flashing, testing, and fulfillment.

    Librem 5 USA

    The Librem 5 USA PCBAs are manufactured in our facility in Carlsbad, California—therefore are Made in the USA Electronics—for a secure hardware supply chain in the USA. The PCBAs are then assembled into the Librem 5 Chassis (engraved with ‘USA’ on its side), and have final assembly, flashing, testing, and fulfillment all done at our Purism facility.

    The immediate benefits of the Librem 5 USA are to support US labor laws, Made in USA Electronics, secure hardware supply chain, and US manufacturing.

    Price

    The Librem 5 is $799 while the Librem 5 USA is $1999.

    Both are Great

    Regardless of which product you choose, you will end up with a phone that’s on your side, designed from the bottom up to respect your freedom and protect your privacy and security.


      My First Week of Librem 5 Convergence

      pubsub.do.nohost.me / Purism · Tuesday, 2 March, 2021 - 15:08 · 11 minutes

    I talked at length in my article Investing in Real Convergence about my decades-long wish to have a single computer I could carry with me that had all of my files, ran all of my favorite programs, and that I could use as a mobile computer, laptop, or desktop. This past week I have finally realized that dream.

    I put away my personal Librem 13v1 and tested out whether I could replace it with a Librem 5, USB-C hub, and Nexdock 2 laptop dock. I also spent a couple hours most work days trying it out for work as well (including writing this article from the Librem 5). In this article I will talk about my setup, experiences and impressions from the past week.

    The Setup

    First let’s talk about the hardware involved.

    Librem 5 docked to a Nexdock 2 using a Baseus USB-C hub, running Tootle, Lollypop, and Firefox

    The first thing that is necessary for this setup besides the Librem 5 itself is a laptop dock. From the outside, a laptop dock looks just like a regular laptop, but it is really only a shell with a display, keyboard, mouse, internal battery, and a few ports on the side. A laptop dock has no CPU, RAM, storage or networking of its own and instead is designed to act like an all-in-one monitor, keyboard and mouse that you can connect to a phone. The phone then extends onto the display and you can run your phone’s applications on the larger screen and take advantage of the physical keyboard and mouse while the dock charges your phone.

    Because the Librem 5 is designed to have Real Convergence, it runs the same PureOS applications as Librem laptops. All of its applications were simply adapted to work well on the smaller display. This means when you connect the Librem 5 to a laptop dock or monitor, you don’t just get phone apps blown up two times their size, you get the same desktop PureOS applications as on Librem laptops.

    On laptop docks like the recent Nexdock Touch, you can connect the Librem 5 directly to the dock with a USB-C cable. In the case of the older Nexdock 2, the support isn’t completed yet so I used the foolproof method they provide for other computers like Raspberry Pis–a HDMI port and USB-C port–only in my case I connected them to a Baseus-branded USB-C hub that is well-supported by the Librem 5.

    This hub provided the extra benefit that it kept the Librem 5 upright, which was particularly important to me since I actually use my laptop on my lap. To make this work with the dock I simply attached the underside of the hub to the underside of the laptop dock with a small metal bar and some removable 3M tape like you’d use to mount pictures to a wall.

    Using Convergence Mode

    To use the Librem 5 like a laptop, I just dock it into the USB hub and press the power button on the laptop dock. The Librem 5 detects the keyboard, mouse and display and automatically enters “convergence mode” which extends the desktop to the new display and changes the windows so that they have close buttons on them and aren’t automatically maximized, so they can be more easily moved between desktops.

    Once in convergence mode you can drag applications over to the larger screen with a mouse, however there are also already a number of useful key bindings using the “Super” key (the key between the left Fn and Alt keys) that make convergence mode very keyboard friendly:

    • Super + (Left|Right): Tile the focused window to the left or right side of the active screen
    • Super + Shift + (Left|Right): Move the focused window to the left or right display
    • Super + (Up|Down): Maximize or unmaximize the focused window
    • Super + a: Open the App Launcher, where you can type in the name of the application to launch, or select it with arrow keys
    • Super + s: Open the App Switcher (similar to hitting the bottom section of the touchscreen on the phone). This allows you to switch between running applications using the arrow keys

    While in convergence mode, the dock is keeping the phone charged. I found the Nexdock 2 could run for about two to three hours of steady use unplugged while powering its own display, the hub, and charging the Librem 5. It lasted longer if I closed the display when I wasn’t using it. Since the laptop dock is powered via its own USB-C port you could extend this time with a large battery bank if you didn’t have access to an outlet. Since I normally use my laptop from the same place every day, I tend to leave it plugged in anyway.

    When I’m done using the Librem 5 like a laptop, I just remove it from the hub and it automatically leaves convergence mode. All of the running applications move back to the phone screen and resize and maximize to fit. The laptop dock automatically powers itself down.

    My Experience

    I don’t do video editing or other heavy tasks on my laptop and for the most part my needs are pretty simple: web browsing, chatting, email, writing, listening to audio and watching video. In many ways even before this experiment my Librem 5 had already replaced my personal laptop. It had already become the primary computer I used for podcasts and videos (using gPodder and VLC), as well as for social media and light web browsing. That said, I still found myself opening my laptop in the past whenever I needed to type more than a few sentences in chat, an email, or a document. I also found it a bit more convenient to do heavier web browsing (like when researching something across multiple tabs) on a larger display.

    Given my relatively simple use case for my personal laptop, I had high hopes that the Librem 5 could replace it and the Librem 5 didn’t disappoint. In fact, what I found was that the addition of a laptop dock made the functions I had already moved over to the Librem 5 even more useful. With a large screen, I could more easily multitask, such as chat in one window while a video was playing in VLC tiled to the side of the large screen. The addition of a physical keyboard also made chat, email, and overall writing much more convenient.

    I found that I preferred the multi-monitor setup that convergence mode defaults to and use both screens at the same time. I leave certain applications like my social media applications or gPodder on the phone screen. Then terminals, email, web browsers, chat applications, and video playback would be on the laptop screen with windows tiled either to the left or right-hand side.

    Since the phone is close to my left hand, I found I use the phone touch screen to interact with applications there instead of the mouse. It’s convenient to reach over and scroll through new social media posts on the phone screen instead of moving the mouse over. The fact that the Nexdock touchpad defaults to multi-finger scroll that moves in the opposite direction of the Librem 13 touchpad took a lot of getting used to.

    I tend to be keyboard-centric on my regular laptop and this is no different on this setup. I made heavy use of the existing keybindings along with alt-tab to switch between and manage windows. After a short amount of time I got used to hitting Super-a, typing the name of an application, and hitting Enter, then hitting Super-Shift-Right or Left depending on which screen I wanted it on. I find the keyboard to have good tactile feedback and while it’s no Model M keyboard (but sigh, what is?) it’s pleasant to type on and better than some island keyboards I’ve tried.

    My Impressions

    The Librem 5 can definitely replace my personal laptop and I’ve already transferred any remaining files from my laptop over to it, powered down my laptop, and put it away. My laptop has a faster CPU and more RAM, so I expected when I used the Librem 5 like a laptop I might more readily see any performance differences it might have compared to using it like a phone.

    I have to say, though, that this Librem 5 surprised me in how well it performs, in particular how well it works when multi-tasking between applications. Web browsing works surprisingly well, and although I do typically keep Firefox in “mobile mode” so I get lighter weight websites designed for a mobile browser, I actually prefer that mode on the larger screen as it often results in cleaner, simpler web pages.

    While it’s still early days for phosh acting as a full desktop shell, it already works quite well in that mode. While it’s not as full featured as the default GNOME shell on the desktop, many of the basic important features are already there (since they are already there when in phone mode) and work as you might expect on the larger screen. As more of us use the Librem 5 in convergence mode now, we are seeing rapid advances for the desktop use case.

    My hacky USB hub mount works surprisingly well and is strong enough to hold up the weight of the phone while the laptop dock is on my lap, but I also make a point not to put too much extra pressure on it, just in case. While I’ve seen other mounting options that attach a phone to the screen, I find I like having the phone’s touchscreen within a closer reach.

    One area that’s a bit less convenient is the extra step of having to dock the Librem 5, open the laptop dock lid, and power it on to switch to “laptop mode” compared to just opening the lid of a suspended laptop. It’s a minor inconvenience though, since I just use the Librem 5 in “phone mode” for quick tasks anyway–if I’m breaking out the laptop it’s for a longer session. For people who would use the phone in “desktop mode” connected to a monitor and keyboard/mouse, it wouldn’t be any less convenient than docking their laptop into a docking station.

    Using the Librem 5 for Work

    Something that surprised me even more was how well the Librem 5 performed to replace my work laptop. My work use case is a bit more complicated than my personal one, mostly due to the security requirements. Otherwise for the most part my primary work tasks involve email, chat, and web-based tools, along with some writing and light development work from time to time.

    I should note that my work laptop is a Librem 13v4 with twice the RAM of my personal laptop because I make heavy use of Qubes and its compartmentation features on my work laptop to provide me extra security. I separate chat, web browsing, email, and other functions into separate VMs that can’t directly talk to each other. I also make heavy use of disposable VMs whenever I have to open a potentially risky document or website. Because of those extra compartmentation features Qubes provides, I don’t know that the Librem 5 could replace my work laptop, yet, but wow is it close.

    Now that the OpenPGP smart card reader is supported, I copied my Purism GPG subkeys over to a new smart card and migrated my email settings over to the Librem 5 along with my password manager database for work. I also set up a new compartmentalized web browser with its own profile and settings that I used only for work.

    Email works just like it did on my work laptop. Web browsing and web tools also work reasonably well. Chat is probably the main area that, today at least, still needs a bit of work to replace my work laptop, due to the fact that Matrix with e2ee support is still under heavy development. I’m actually trying out an experimental branch of Chatty that contains support for encrypted Matrix chat, but it’s not quite ready to replace a traditional client.

    My conclusion for work is that the Librem 5 as it is today would at least be able to replace the need to take my work laptop with me when traveling. Fully replacing my work laptop would probably need to wait until we make further advancements in flatpak sandboxing using bubblewrap, so I have some of the protections I’ve gotten used to in Qubes that give me extra peace of mind.

    Welcome to the Future

    Using a phone that has real convergence like the Librem 5 is a complete game changer. It feels like I’m getting a sneak preview into the future of personal computing. In many ways it’s hard to explain what it’s like, you kind of have to see it yourself to understand why this is so groundbreaking. Having all of the same desktop applications and all of my files with me in my pocket, and having those same running applications morph to a larger screen automatically, changes how you think about phones and their potential.

    Calling the Librem 5 a phone doesn’t do it service. It’s really a mobile computer, a desktop in your pocket. Using it like a laptop or desktop computer really opens your eyes to all of the possibilities, and underscores to me all of the things I’ve been missing with other phones.

    Discover the Librem 5

    Purism believes building the Librem 5 is just one step on the road to launching a digital rights movement, where we-the-people stand up for our digital rights, where we place the control of your data and your family’s data back where it belongs: in your own hands.


    The post My First Week of Librem 5 Convergence appeared first on Purism.


      Parler Tricks: Making Software Disappear

      pubsub.do.nohost.me / Purism · Monday, 18 January, 2021 - 16:47 · 5 minutes

    Much has been written and broadcast about the recent actions from Google and Apple to remove the Parler app from their app stores. Apps get removed from these app stores all the time, but more than almost any past move by these companies, this one has brought the power Big Tech companies wield over everyone’s lives to the minds of everyday people. Journalists have done a good job overall in presenting the challenges and concerns with this move, as well as addressing the censorship and anti-trust issues at play. If you want a good summary of the issues, I found Cory Doctorow’s post on the subject a great primer.

    Sawing the Market in Half

    Instead of rehashing any of those arguments, I wanted to highlight one area that wasn’t covered quite so much. Regardless of how you feel about Parler, an important thing to note is that this is far from the first time, nor will it be the last time, that Google and Apple remove controversial software from their stores. Because of their duopoly over the phone market, when they want to, Google and Apple can simply make software disappear.

    What should concern you is that if the industry continues on the path they have started with phones, this same control will be coming soon to a laptop near you. The end result will be that whether or not you are allowed to install and run software on a computer you own would no longer be up to you. It would be dictated not by laws or governments, but by a small group of Big Tech companies. This will all be in the name of security, but is all about control.

    Sleight of ARM

    It’s well-established that iPhones are locked down with an App Store that tightly restricts what software can be installed and run. I’ve written much in the past about how they exert that control and more recently about how that control is already extending from their phones into their laptops. These changes are happening gradually with tweaks in each OS update and added security features in each new piece of hardware. In particular, in light of the new ARM-based Macbooks the trend is clear: a future where Apple laptops behave like iPhones and Apple can remotely control what software you are allowed to install and run on their devices, in the name of security, but really so that they can control competitors.

    Tricks Up Android’s Sleeve

    This is part of the article where Android users feel smug. After all, while much more of their data gets captured and sold than on iOS, in exchange they still (sometimes) have the option of rooting their phones and (sometimes) “sideloading” applications (installing applications outside of Google’s App Store). If Google bans an app, all a user has to do is follow a list of complicated (and often sketchy) procedures, sometimes involving disabling protections or installing sketchy software on another computer, and they can wrench back a bit of control over their phones. Of course in doing so they are disabling security features that are the foundation for the rest of Android security, at which point many Android security experts will throw up their hands and say “you’re on your own.”

    Also, while Android allows the same kind of restrictive features as iOS (and is working toward the same advances in secure enclave enforcement of them), they are often a generation or two behind. Due to Android fragmentation, the level of control the vendor enforces on a particular phone is left up to that vendor. This allows the vendor to make extra money pre-loading third-party software on your phone you can’t remove. That means whether you can sidestep Google App Store bans largely depends on which phone you have and which vendor sold it. But if you look at the app restrictions already on ChromeOS, and understand that the ultimate goal for Google and Apple is to merge their phone and desktop OSes into one convergent OS (like we’ve already done), you can see that what happens on the phone will ultimately happen on the desktop.

    Straightjacket Escape

    If the industry continues down this path with this same duopoly, the future promises more restrictions on users as their computers get more locks they can’t escape. Software developers for these platforms will face the constant risk that their apps might get banned and disappear from computers whether because of legitimate policy concerns or just because Big Tech decided to make a competing app. Customers will live under the uncertainty that their favorite apps might disappear just because the company that made them got into a fight with the App Store owner.

    Fortunately there is an alternative. The solution is to choose hardware and software from companies that value your freedom. One reason that Purism believes so strongly in Free Software (and why PureOS is 100% Free Software) is because of the freedom it gives users to escape any locks a vendor may try to impose. If you don’t like what an app does, you can change it. With Free Software, if an app store were to remove software, or even if a developer were to abandon a project entirely, the source still exists so others can package and maintain it independently.

    The Librem 5 phone runs the same PureOS operating system as Librem laptops, and it features the PureOS Store which provides a curated list of applications known to work well on the phone’s screen. Even so, you can use the search function to find the full list of all available software in PureOS. After all, you might want that software to be available when you dock your Librem 5 to a larger screen.

    We aim to provide software in the PureOS store that respects people’s freedom, security, and privacy and will audit software that’s included in the store with that in mind. That way people have a convenient way to discover software that not only works well on the phone but also respects them. Yet you are still free to install any third-party software outside of the PureOS Store that works on the phone, even if it’s proprietary software we don’t approve of.

    You don’t need our permission to use your computer how you want with the software you want.


    The post Parler Tricks: Making Software Disappear appeared first on Purism.


      Librem 5 Update: Shipping Estimates and CPU Supply Chain

      pubsub.do.nohost.me / Purism · Tuesday, 12 January, 2021 - 22:29 · 6 minutes

    It’s been a busy holiday and New Year’s season at Purism as we continue to ship out Librem 5s to backers each week. We know for those who haven’t received their Librem 5 yet, what they most want to know is when their Librem 5 will arrive. In summary, we will be providing shipping estimates within the next week to the backers within the original crowdfunding campaign (orders through October 2017), but not all backers yet, based on our confidence in the estimates. The rest of this post will explain what is going into our shipping estimates, and why we can’t yet provide shipping estimates to every backer.

    When we published the shipping FAQ we explained some of the factors in the shipping calculation:

    That calculation depends not only on their place in line, but also on our knowing our average and maximum weekly phone throughput in advance, which we don’t expect to know until we are at least a few weeks into the process. We expect to have a good idea on these projections by the end of the year, however.

    Now we are happy to say that we not only have a good idea on our shipping throughput, we actually exceeded our expectations for how many we could ship! So hopefully by the end of this week, or possibly the beginning of next week, we will be contacting a large group of backers who we feel we can provide a reliable shipping estimate. Note that this will be a separate email from the emails we already send out each week to confirm shipping information to the next group of backers who are ready to receive their Librem 5.

    The Road to Shipping Parity

    Back when we published the shipping FAQ, we expected that by this point we would be able to provide every backer with an accurate shipping estimate and be able to predict when we would hit shipping parity–the moment when all of the backlog has cleared and a new order would be fulfilled in our standard 10-business-day window. Once you know how many Librem 5s you can ship in a week, it seems like it would be a relatively straightforward calculation to apply that to a person’s place in line and estimate a shipping date.

    Making Librem 5 Just In Time

    In our case the calculation is a little more complicated due to the fact that we employ a “Just In Time” manufacturing process for the Librem 5s, which is pretty common in the industry. We estimate our shipping throughput and make slightly more Librem 5s than we think we can ship in a period of time. The next manufacturing run of Librem 5s then arrives around the time we complete shipping out the previous run. This has a few benefits, but the main benefit is if we were to identify a hardware problem in the existing Librem 5 manufacturing process (whether a systemic flaw, or a flaw in a particular manufacturing run) it impacts a smaller number of Librem 5s and can be fixed for future batches.

    So when making these shipping estimates, we not only factor in our shipping throughput, but also the size of future manufacturing runs, which we now are increasing based on the fact we’ve exceeded our initial estimates. We can then calculate which run a particular order would be in, when we will make that next set of Librem 5s, and be able to estimate when a particular Librem 5 will ship. We also factor in and plan for events like Chinese New Year, which cause essentially everything in China to shut down for a few weeks.

    CPU Supply Chain

    One downside to using Just In Time manufacturing is that you must factor in all of the different lead times for all the different individual components that go into the Librem 5. While some components have relatively short lead times, others sometimes have lead times extending out multiple months. You have to factor all of this in to ensure that everything is ordered in advance so that it arrives just when you need it.

    If you talk to anyone in manufacturing they will tell you that this has been a particularly challenging year for the supply chain. Whether you are talking about toilet paper, N95 masks, rubber gloves, or semiconductors, the global pandemic has made supply chains less reliable, and lead times and shipping times incredibly unpredictable. It’s left everyone in the industry scrambling from source A to B to C down to Z sometimes to find inventory. It even added a delay a few months back to our Librem 14 timeline due to Intel having trouble fulfilling all of their CPU orders.

    Our customers have told us they want ever more information on what happens behind the scenes of making a phone like the Librem 5, so in the interest of transparency we are sharing what we’ve been hearing from our own suppliers. The iMX-8 processor we use in our Librem 5 is also popular in the automotive industry, and currently NXP has been hit with a global semiconductor shortage due to a dramatic increase in demand from auto makers.

    This shortage has increased the lead times for CPU orders, which is of course a critical component in the Librem 5. As we started getting word about this shortage we were proactive in sourcing and purchasing all the CPUs we can, and continue to do so, while also factoring these increased lead times into future orders.

    What Does This Mean For Me?

    What does this mean for you? Based on our efforts thus far there’s a good chance it will not affect your shipping time as we continue to track down new CPU supplies and plan for future manufacturing runs. So far it hasn’t caused a delay.

    However we wanted to let everyone know about this potential issue far in advance, because it will impact how many people get shipping estimates. We only want to send shipping estimates when we know for sure we have the CPUs to fulfill them, so this week instead of sending estimates to everyone like we had planned, we are only sending estimates out up to the point we have CPUs that will arrive just in time. This happens to coincide with all the orders placed through October 2017–the end of our original crowdfunding campaign.

    As we secure more CPU supply, and feel confident about the supply chain for future manufacturing runs we will send out additional shipping estimates. Hopefully soon we will be able to account for the whole backlog and can calculate when we hit shipping parity.

    Certification Update

    We’ve also gotten some questions about the various hardware certifications for the Librem 5 including Respect Your Freedom (RYF), FCC and CE. While we designed the Librem 5 to qualify for each of these certifications, we had to wait to start the certification processes until we had the final mass-produced “Evergreen” Librem 5 since changes in the hardware would require re-certification.

    Each of these certification processes is under way. While the transmitters in the Librem 5 (the removable cellular modem and WiFi card) already have FCC and CE certification, we are seeking certification for the device as a whole. We are still in the middle of these time-consuming certification processes and will post an update to our site when there is any news on any of these fronts.

    Thank You

    We want you to have your Librem 5 as soon as possible and appreciate everyone’s patience as we continue to process orders and get through our backlog. It’s everyone’s support through this monumental process that has made the Librem 5 a reality.

    The post Librem 5 Update: Shipping Estimates and CPU Supply Chain appeared first on Purism.