Hey #InfoSec, I am starting to look for a new phone and am considering #Copperhead:
Any thoughts? Is it worth its salt?
@mkern and what, pray tell, is Librem 5? What OS is it using?
@rysiek Librem 5 is a phone by Purism, which aims to be as secure as possible with no nonfree microcode on the CPU, a separated baseband/CPU, and hardware kill switches. It runs PureOS, which is a Linux distribution recently approved by the FSF. They're still developing it, so the first batch of prototyping boards will be shipped in June 2018, and the first batch of complete phones will be shipped in January 2019. You can learn more on their website: https://puri.sm/shop/librem-5/
@rysiek Yes, I know the people making it. It's really good. Life is different without Google hand-holding you but the devices are solid security/privacy. My next phone will be one.
@PeteHerzog yeah, I am a Jolla user, never owned an Android nor iOS device. Google hand-holding is precisely the reason I stay away from Android ;)
@PeteHerzog can't see any info on their site about a) price; b) when the Pixel 2 is going to be available. Am I missing something?
@rysiek You probably need to contact them. Not sure if Pixel 2 is even ready yet.
Strongly recommended. I've been using it on my Nexus 6P for quite a long time. (Beware of the life spans.) These guys are not too friendly ;), but extreme hardcore professionals.
@mastor sounds good!
Roughly quoting Joanna Rutkowska: I would have ordered your phone if there would have been a way to pull out the microphone.
Corr.: to pull out ALL the microphoneS. ;)
(2/2) »Copperhead is also the only Android ROM that supports verified boot, which prevents exploits from modifying the boot, system, recovery, and vendor device partitions. Copperhead has also extended this protection by preventing system applications from being overridden by Google Play Store apps, or from writing bytecode to writable partitions (where it could be modified and infected).«
@mastor thanks, this sounds great.
You're very welcome. I'm not a fan boy, by the way. It was a long and hard decision after testing various »libre« systems.
I don't know anything about actual prices, sorry. I bought a 6P back then and installed Copperhead. The 6P's dead this autumn, I think.
@mastor what does it mean that the 6P is dead this autumn if you're not using the official Android release anyway? Won't Copperhead still support it?
They stop supporting it as soon as Google stops (security) updates. So they depend on Android development, AFAIK.
@mastor I see
@mastor ah. A bit expensive, but sounds like it's worth it.
Absolutely (not cheap). But if I have the money at the end of this year, I'll definitely go for it again.
The update system is excellent. I started with Mike Kelly's torified version, but unfortunately that wasn't realistic as a daily phone.
Okay, and yet another ;) : »Unlike stock Android, CopperheadOS treats sensor access as a user-facing permission with a toggle. For compatibility, it’s enabled by default for apps targeting the modern Android platform unlike other runtime permissions. Stock Android only treats heartbeat sensor access as dangerous.«
And here's where/how I discovered Copperhead (in 2015): https://airvpn.org/topic/15527-how-to-improve-cell-mobile-phone-security/
@mastor perry? Or are there more?
@ln4711 Perry, of course. Sorry.
I'm really in here in about an hour.
@mastor I still do not see any info on the price though...
@rysiek Been running COS as my daily driver on a Nexus 5X for a few months now - it's really nice if you can live without Google crap. Fast, secure, everything you need with nothing you don't.
@rysiek if you're looking to get something new, though - Librem 5 all the way. My COS phone is a temporary stopgap until it drops.
@enron I will wait for Librem to drop and then see where it goes. Don't want to be the tester. ;)
Why is COS just a stopgap? Why is Librem 5 better?
@rysiek Librem 5 promises to be a full Linux system, so it will inherit the ability to control what's going on in the system to a greater degree than with any Android. Even AOSP systems have security issues. There's also the promise of separating the baseband from the CPU, which keeps any binary blobs from being able to do as much damage. The hardware switches for camera and mic are huge, too. And Purism is wildly committed to privacy and ownership of hardware.
@enron this sounds nice. I'll wait for the first batch to go out. In the meantime I will probably need to buy the COS.
@rysiek oh, and there are hardware kill switches for baseband and WiFi/BT. It's essentially a little Linux tablet that's capable of joining the cellular network - exactly what a smartphone should be.
@rysiek Using it on a Nexus 5X and am more relaxed and happy about carrying a phone around than ever, so yes, that's good stuff. Now, for Pixels you'd have to build it yourself or pay for a binary. The situation for European handsets is still unclear to me, but I don't have to sort that out until Nexus EOL in November, so I'm pushing that ahead.
@ln4711 ah this is useful. I'd love to get a Nexus and just install it myself, but EOL is EOL.
@rysiek I’m probably the odd one out here but your best bet at a secure phone these days is to get a recent iOS device.
@jeff depends on your threat model™.
For most people I work with that's what we're doing. For myself, Apple's stranglehold on their devices is unacceptable. Things like these are absolutely revolting:
Plus, Apple's security track record during the last few months is... less than perfect:
I get it. My response would be that as far as I know there was no user data leaked when the iPhone crashed, and that while it's a scrappy thing for anyone moving in China, the VPN apps being removed doesn't affect me for the most part.
My threat model is not the same as someone living in China. This is not to belittle the plight of those living in China, just to point out that in the US the most secure off-the-shelf phone is the iPhone.
@rysiek From what I have read they seem pretty well respected. There are a few YT videos with their CEO discussing their plans.