[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Phones for Tor

grarpamp wrote:
This phone appears to be Windows-based.

We have some trust in the MS stack concerning
ability to execute code and move packets properly.
Sniffing and sending the cleartext... that's an uknown
but is reasonably verifiable by watching the network.
You trust M$/Windows if you want to, but I'd steer clear of them whenever I can.

I see that they are banging on about their FOSS on
every web page on their site

They give away the source. There's some blurbs about verifying
their published binary hash with what you compile.
Yeah, but it is still a Windows source (besides, there is no mention whether they distribute the whole source of their product, including the Windows components/API, or just their source code alone) and I certainly don't have the resources/manpower to audit that stuff, which is why I prefer Linux-based systems - it has always been open source, it has been around for more than 15 years and it has a large number of community members who have contributed to it and made it for what it is today.

that the whole software is based on the Windows-platform.

I don't like cryptophone due to the cost and non-community
model. But they do offer an Android unit now.
Care to point me out to a link? There isn't anything on their web site that I could see, offering Android-based unit.

Interesting feature is the Baseband firewall

I saw that but didn't get what it is. Please tell...
The term "firewall" is a bit misleading, since this feature is supposed to prevent over-the-air attacks by your network operator/malware "specialists" (see http://www.theregister.co.uk/2013/03/07/baseband_processor_mobile_hack_threat?page=2 for a brief introduction to this). More advanced versions could also filter the modem commands sent by the network operator/others. The sad thing is that I have not seen full FOSS implementation of this yet.

Don't even know if anyone has truly audited android.

Unless it involves money or rep, auditing is largely a myth.
Indeed. To me, Android is the lesser of the two evils - ideally, I would have liked to have "standard" Linux on my phone (as far as I know, Ubuntu are the only ones which could offer this, discarding Jolla for the time being as they have not made anything official yet), but this is a pipe dream, so Android is the next "acceptable" option - at least for now.

The other two options, as far as I can see, are either having Windows or closed-source/propriety system, both of which are a no-no for me.

There are some crypto programs you can install but it requires
the other party to have the program as well.

This is not a problem in this community.
And a proper app would recognize your incoming number
and use that app when you call people who aren't techs
(friend/family) but told to install it under threat of no calls.

I'd have better luck buying burn phones for people than
getting them to install software and use it properly..

For them, yes. For you, no, your graph will instantly point
to you. With that, encrypted content is your last bastion.
Apart from the "locked-in" system (which, again, appears to be Windows-based) and the baseband firewall, I don't see anything they could offer, which isn't already present.

Secure communications could be accomplished with existing tools/protocols (zrtp/ssl for media, tls for signalling) and there is a plethora of Android-based apps already offering that - OSTel/CSipSimple to mention just two such apps, so I don't really see any benefit of Cryptophone at all.

fancy menus which don't tell me much

As in my former note, all we really want is opensource voice/SMS
encryption over the cell network, preferably without a data plan
(but not required).
Because cell's coverage area is better than wifi (which we can
already use for crypted wifi to wifi with any old app of the day,
(provided access to the mic and speaker) but not to interoperate
with cell, see the former data plan for that).
Everything after that is likely to be much easier... full disk encryption
of data, call lists, texts, mails, metadata, etc.
Can't you accomplish this with existing "standard" Linux tools? I could think of a number of packages in Linux, which deal with disk encryption and are quite good for example.

tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsusbscribe or change other settings go to