Bunnie's Precursor Crowdfunding Begins (crowdsupply.com)
114 points by nanomonkey on Nov 1, 2020 | hide | past | favorite | 30 comments



Let's see now. A device that has no onboard microphone, no camera, and an architecture that makes it as sure as it's possible to be that nothing unknown is between your keyboard, screen or headset, and the (inspectable) encryption algorithm. No binary blobs, not even uninspectable CPU microcode. Given the political situation in certain places in Asia, a device that either communicates securely or doesn't communicate at all, with no grey area in between, is more than a geeky obsession. It's a tool. Compare to all those fancy "hardened" Android phones where it turns out afterwards that the authorities had them tapped all along...


> Given the political situation in certain places in Asia, a device that either communicates securely or doesn't communicate at all, with no grey area inbetween, is more than a geeky obsession. It's a tool.

If one is worried about nation state actors, the ownership of a device that's secure and uncommon enough is likely to attract additional scrutiny or just be seized, legally or not.

It's a pretty cool device, mind you. The fact that they're going out of their way to make sure the device is fully inspectable and trustable is pretty impressive, as you point out. It's just not very usable as a privacy tool in a hostile environment due to it being rather conspicuous.


> If one is worried about nation state actors, the ownership of a device that's secure and uncommon enough is likely to attract additional scrutiny or just be seized, legally or not.

The distinction between "tamper evidence" and "tamper resistance" seems to provide a good analogy here. Without secure devices, a state can spy on you in a clandestine way. With secure devices, a state can spy on you in a more overt way. You might still care about making the tampering evident!

("can" here probably means "can somewhat easily")


That's true, but the more overt way would be seizure of the equipment, imprisonment, or worse. It's not unlike the XKCD about encryption vs a $5 wrench [0].

That being said, I'd love to have a reasonably modern device that's auditable and has enough functionality (email, calendar, web browser, GPS, VPN, phone, SMS) to be both useful and respectful of the user (e.g. dark patterns to send location data to Google). I love the form factor of the Precursor and the fact that it has a keyboard on it.

If it allowed me to ditch the Android phone with a less distracting alternative, that would be amazing. It's definitely not there yet, since I don't think they have started doing that much work on the software side of things, but definitely something to keep an eye on.

[0] https://xkcd.com/538/


> That's true, but the more overt way would be seizure of the equipment, imprisonment, or worse.

And for some people for some causes those risks, including "worse", might be worth it.

Besides, if you're the sort of person who might be the target of "worse" you're probably going to have a hard time regardless of if the oppressive power gets into your device. ... but maybe the security protects some of your friends from befalling the same fate.

As far as seizure goes-- it has an accelerometer in it: "Zeroize on throw" is probably implementable. Alternatively, time-lock where if the device is moved from its hiding spot at the wrong time of day or without the right gestures it gets wiped.
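The "zeroize on throw" idea from the comment above, as an added example that is not Precursor's code: it treats a sustained near-zero accelerometer magnitude (the device in free fall) as the trigger and overwrites key material before impact. The sample rate, threshold and minimum duration are assumed values, and the sample streams are constructed, not captures from the device.

```python
"""Free-fall ("zeroize on throw") trigger over accelerometer samples.

Added example, not Precursor's own code. Sample rate, threshold and
duration are assumed values, not the device's.
"""
import math

SAMPLE_RATE_HZ = 100        # assumed accelerometer output data rate
FREEFALL_THRESHOLD_G = 0.3  # |a| below this counts as free fall
MIN_FREEFALL_MS = 120       # must persist this long (roughly 7 cm of fall)


def magnitude_g(sample):
    """Vector magnitude of an (x, y, z) sample in units of g."""
    x, y, z = sample
    return math.sqrt(x * x + y * y + z * z)


def detect_free_fall(samples, rate_hz=SAMPLE_RATE_HZ,
                     threshold_g=FREEFALL_THRESHOLD_G, min_ms=MIN_FREEFALL_MS):
    """Batch form: return the index at which free fall was confirmed, or None."""
    need = max(1, math.ceil(min_ms * rate_hz / 1000))
    run = 0
    for i, s in enumerate(samples):
        run = run + 1 if magnitude_g(s) < threshold_g else 0
        if run >= need:
            return i
    return None


def zeroize(buf: bytearray) -> None:
    """Overwrite a key buffer in place.

    Caveat: a bytearray can be wiped, but any bytes() copies made earlier
    stay in interpreter memory. On a real device this step would clear the
    key registers and their backing storage directly.
    """
    for i in range(len(buf)):
        buf[i] = 0


class ThrowZeroizer:
    """Streaming form: feed one sample at a time, wipe on a confirmed fall."""

    def __init__(self, key: bytes, rate_hz=SAMPLE_RATE_HZ,
                 threshold_g=FREEFALL_THRESHOLD_G, min_ms=MIN_FREEFALL_MS):
        self._key = bytearray(key)
        self._threshold = threshold_g
        self._need = max(1, math.ceil(min_ms * rate_hz / 1000))
        self._run = 0
        self.zeroized = False

    def feed(self, sample) -> bool:
        """Process one accelerometer sample; returns True once the key is gone."""
        if self.zeroized:
            return True
        self._run = self._run + 1 if magnitude_g(sample) < self._threshold else 0
        if self._run >= self._need:
            zeroize(self._key)
            self.zeroized = True
        return self.zeroized

    def key(self):
        return None if self.zeroized else bytes(self._key)


# Constructed sample streams at 100 Hz (not real captures).
REST = [(0.0, 0.0, 1.0)] * 50                                            # flat on a table: 1 g on z
THROW_SAMPLES = REST + [(0.02, -0.01, 0.05)] * 15 + [(1.5, 2.0, 3.0)]    # 150 ms of fall, then impact
JOLT_SAMPLES = REST + [(0.05, 0.0, 0.1)] * 5 + REST                      # 50 ms dip from a knock

if __name__ == "__main__":
    z = ThrowZeroizer(b"\x11" * 32)
    for s in THROW_SAMPLES:
        z.feed(s)
    print("key survives throw:", z.key() is not None)
    j = ThrowZeroizer(b"\x11" * 32)
    for s in JOLT_SAMPLES:
        j.feed(s)
    print("key survives jolt:", j.key() is not None)
```

The minimum-duration filter is what separates a throw or drop from a knock against the table; the trade-off is that a genuine short drop onto a desk also wipes the key, which is the intended failure mode for this threat model.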


> If it allowed me to ditch the Android phone with a less distracting alternative ...

The PinePhone seems to be coming along decently these days. Maybe that's a workable alternative?


I like his analogy about jailbreaking:

The most important difference between a jail and a home is who controls the lock on the door. Most smartphone companies want you to believe that the gilded jail they’ve designed for you is the safest place to spend your time. Precursor takes a different approach. By giving you the keys to the lock, it gives you a home.


It is a false dichotomy though. I agree that smartphones are not a home. However jail is not the only alternative to home. Smartphones are a lot more like hotels.


But at a hotel you at least get one of the keys to the room (not just a padded little section of it) and they don't expect you to buy the building before you check in.


You get keys to a room on a smartphone, but just like a hotel, there are a lot of rooms that are locked to you, and you can’t replace the furniture, remodel etc.

We are both arguing that you don’t really own a smartphone, so you aren’t buying the building.


I don't quite get why they say that it's trustworthy because it uses a soft-CPU running on an FPGA. Doesn't that just shift the potential attack from one vendor to another? e.g. instead of trusting a CPU from Mediatek, now you have to trust an FPGA fabric from Xilinx


This is true, but making a general purpose FPGA fabric manipulate generic bitstream descriptions in an undetectable way is much harder than putting hidden backdoors in well defined ISAs. What amount of hardware validation is reasonable?

It depends on what you'd like to accomplish, but given that powerful FPGAs are now more affordable and plenty of great FPGA friendly libraries are emerging which work with open source tools, the barrier for Soft-CPU implementations has lowered significantly. This sort of project looks great for cases where trusting blackbox chips was questionable.


> This is true, but making a general purpose FPGA fabric manipulate generic bitstream descriptions in an undetectable way is much harder than putting hidden backdoors in well defined ISAs.

Could you (or anyone else) elaborate on this? If possible, ELI5 please because I know very little about hardware. :)


I think a somewhat useful analogy would be the difference in difficulty of making a backdoored compiler versus a backdoored binary. The former has to deal with a lot more things than the latter if you'd like to effectively subvert it.


Here's an excellent talk that addresses your question: Open Source is Insufficient to Solve Trust Problems in Hardware [1].

[1] https://www.youtube.com/watch?v=Hzb37RyagCQ


You're correct, but from my understanding shifting the trust to the FPGA is a productive move as a potential attack is much more difficult to execute. Bunnie explains on his blog [1] better than I can:

> The CPU is, of course, the most problematic piece. I’ve put some thought into methods for the non-destructive inspection of chips. While it may be possible, I estimate it would cost tens of millions of dollars and a couple years to execute a proof of concept system. Unfortunately, funding such an effort would entail chasing venture capital, which would probably lead to a solution that’s closed-source. While this may be an opportunity to get rich selling services and licensing patented technology to governments and corporations, I am concerned that it may not effectively empower everyday people.

> The TL;DR is that the near-term compromise solution is to use an FPGA. We rely on logic placement randomization to mitigate the threat of fixed silicon backdoors, and we rely on bitstream introspection to facilitate trust transfer from designers to user. If you don’t care about the technical details, skip to the next section.

[1] https://www.bunniestudios.com/blog/?p=5706


An attacker would go after the weakest link. Does this device provide any way of verifying that a bitstream loaded onto the device during development is the same one being run when it's actually in use in the field? That would be the simplest way to compromise it. It would be detectable of course but anyone going to these lengths can compromise the unprotected device programmer hardware or workstation that reads the bitstream back out too.
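The check the comment above asks about, as an added example that is not Precursor's own tooling: compare one or more field readbacks of the boot flash against a digest recorded at build time, and compare the readbacks against each other, since a single readback through a compromised programmer or workstation proves little. The "bitstream" here is a constructed byte string, not a real FPGA image, and the readback paths are assumed.

```python
"""Compare field readbacks of an FPGA bitstream against a known-good digest.

Added example, not Precursor's own tooling. Assumptions: a golden SHA-256
digest recorded when the bitstream was built; raw readbacks of the boot
flash obtained in the field, ideally through independent programmer
hardware; a constructed 4 KiB byte string standing in for a bitstream.
"""
import hashlib
import hmac
import random


def build_sample_image(size=4096, seed=7) -> bytes:
    """Constructed stand-in for a bitstream image (not a real FPGA image)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


GOLDEN_IMAGE = build_sample_image()
GOLDEN_DIGEST = hashlib.sha256(GOLDEN_IMAGE).hexdigest()   # recorded on the build machine


def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def matches_golden(readback: bytes, golden_hex: str = GOLDEN_DIGEST) -> bool:
    """Constant-time comparison; the readback is untrusted input."""
    return hmac.compare_digest(digest(readback), golden_hex)


def first_difference(a: bytes, b: bytes):
    """Byte offset where two images first differ, or None if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def flip_bit(image: bytes, bit_index: int) -> bytes:
    """Model a single-bit modification to the stored bitstream."""
    buf = bytearray(image)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def cross_check(readbacks, golden_hex=GOLDEN_DIGEST):
    """Verify several readbacks against the golden digest and each other.

    Returns (ok, bad_indices). Readbacks that disagree with one another
    point at a tampered readback path, not only at tampered flash.
    """
    bad = [i for i, rb in enumerate(readbacks) if not matches_golden(rb, golden_hex)]
    distinct = {digest(rb) for rb in readbacks}
    ok = not bad and len(distinct) == 1
    return ok, bad


if __name__ == "__main__":
    tampered = flip_bit(GOLDEN_IMAGE, 12345)
    print("clean readback matches:", matches_golden(GOLDEN_IMAGE))
    print("tampered readback matches:", matches_golden(tampered))
    print("first differing byte:", first_difference(GOLDEN_IMAGE, tampered))
    print("two clean paths:", cross_check([GOLDEN_IMAGE, GOLDEN_IMAGE]))
    print("one clean, one tampered:", cross_check([GOLDEN_IMAGE, tampered]))
```

The digest comparison only moves the trust boundary to whatever produced the golden digest and whatever performed the readback; the cross-check across independent readback paths is what makes an attacker compromise more than one piece of equipment to stay hidden.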


It does, but as far as I've understood, FPGAs are much simpler and more regular so hiding backdoors in those would be harder than hiding one in a hardware CPU.


Is the hardware synthesizer / bitstream generator open source?


The Xilinx chip is mostly(fully?) supported by project X-Ray + Yosys.


Ultimately, we have to build our own chips. In the coming decade, getting a custom chip built will be on the same level as getting a PCB done 20 years ago. That brings many other concerns, such as slipping some snooping logic onto a corner of a chip, which is activated only when some 2048-bit string is sent to wake it up. Therefore, even when we have a Chip House build our chip, we're still going to have to knock the tops off and do something similar to what Ken Shirriff does https://www.righto.com/ to make sure there are no 'extra' circuits. Trust is Hard. https://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html


This would be a whole lot more appealing if there were a cellular modem included, similarly isolated as the wifi chip is.


Hopefully if/when they make the next generation with the custom silicon instead of being all FPGA based they'll have enough space and power budget for some internal modules.

I think it would be pretty interesting to have a Lora radio for participating in networks like meshtastic (https://www.meshtastic.org/).

I get why many people would find cellular interesting, but since it's not possible to use cellular without device level location tracking by the cell network... I think it is less useful.

In either case bridges from other networks (such as LTE cellular) to wifi exist and are readily available, including tiny battery powered ones... So the lack of external cellular shouldn't prevent you from using precursor with cellular.


> In either case bridges from other networks (such as LTE cellular) to wifi exist and are readily available, including tiny battery powered ones... So the lack of external cellular shouldn't prevent you from using precursor with cellular.

This does not provide access to native cellular functionality like voice calls or sms/mms messaging. Obviously cellular connected wifi hotspots are an option for data service, I'm not clear why you're presenting that as if it's equivalent.


Oh. The omission was my mistake... one I made because I was assuming that offering voice calls isn't particularly credible with the isolation technique used in the device.

For SMS/MMS do none of the wifi hotspots offer a similar interface to serial cellular modems?


> Oh. The omission was my mistake... one I made because I was assuming that offering voice calls isn't particularly credible with the isolation technique used in the device.

The isolation technique AIUI is not really any different from what purism does with the librem; hang it off the USB bus, expose power control to the user.

But that still provides convenient first-class software integration as a cellular modem when that's functionality the user wishes to access.

A wifi hotspot your device uses over wifi which just happens to be reaching the internet via a cellular network has absolutely no software-level integration as a cellular modem providing voice/SMS/MMS services.

> For SMS/MMS do none of the wifi hotspots offer a similar interface to serial cellular modems?

Not AFAIK, my experience is limited to a ZTE mobile hotspot on at&t prepay, but it's a bog standard wifi hotspot. Sure I can do the sms-over-email dance through the data link, but I could also use voip or skype or whatever over data, that's beside the point. To be useful as a hardened even basic feature phone substitute, it needs to be able to make/receive calls and sms/mms, at most requiring the flick of a switch toggling the cellular modem.


Interesting device. How is the novena community doing these days?


Still lots of happy users, but no new ones are available anymore:

https://www.crowdsupply.com/sutajio-kosagi/novena/updates/no...


I've been waiting for crowdfunding of the Precursor to start, but I'll have to think more about whether I can cost-justify $512, if I don't know when I'll have time to hack the software I want for it.


What does the out-of-the-box code do and how approachable is it to tailor?



