> Why not go a bit further - the most secure device is the one you can't use to do anything at all.
That's not far off a reasonable criticism of Purism's security model, that a device so wholly compromised it requires one to activate all physical kill switches to disable the hardware in order to so much as safely enter one's device PIN (per Purism's own site content), that it's no longer useful.
Everyone has to make their own trade-offs, but for me that's a model so questionable that its utility value rapidly approaches zero.
I have absolutely no idea what you're talking about. You're either misunderstanding something or something really needs to be changed in the docs.
Citing an article [0], a post[1] on the site states, "Security researchers over the years have discovered ways to detect what you are typing on the screen simply by looking at variations in the accelerometer." (Infomercial-esque strikethrough not retained here.)
Purism's solution, apparently, is hardware switches. As I understand it, the accelerometer isn't disabled via hardware switches unless all hardware switches are disabled, as there is no discrete accelerometer switch: "To trigger Lockdown Mode, just switch all three kill switches off. When in Lockdown Mode, in addition to powering off the cameras, microphone, WiFi, Bluetooth and cellular baseband we also cut power to GNSS, IMU, and ambient light and proximity sensors."[1]
[0] https://phys.org/news/2013-10-accelerometer-tracking-potenti...
[1] https://puri.sm/posts/lockdown-mode-on-the-librem-5-beyond-h...
I'll try my best to take this seriously.
I don't care much about hardware kill switches myself - but many people clearly do. I've seen it when I was involved in the Neo900 project, I've seen it in discussions about the Librem 5 and PinePhone, I've seen it in reactions when Purism has released a tablet that lacked them. I guess it's because, unlike software, they're easy to understand and easy to trust. Most people don't understand or particularly trust software, for various reasons. Even with Android's security model, I don't think a regular user trusts that Google Play Services that run on their phone always do what they told them to, so they often long for something tangible that would give them a peace of mind. Hardware switches do that.
There's a matter of the modem being a whole separate device that's not really under the user control too. The only way to be sure that it's actually off is to not give it access to power. You can trust your OS, but the modem could still do its own thing regardless of what you asked it to, so I can get that too.
> The Purism model increasingly looks fatally flawed for anyone who doesn't have a very particular and narrowly defined threat model: one who trusts all software they run from the kernel to their applications completely, trusts their hardware completely, yet for [reasons] somehow fully mistrusts the sum total of the device at very specific, limited, and irregular intervals.
The Librem 5 is a general purpose computer that you can run whatever you want to on. I have no reason to distrust the GNU/Linux distribution that runs on it, but I could very well run Android, perhaps even with Play Services, on it if I had to for some reason, just like I used to boot into Windows on my PC many years ago. If I wanted to make sure that it won't access the radios or sensors while I do so, the switches would indeed not just be helpful, but effectively effortless.
The "lockdown mode" in particular is an answer to a UX issue. People want to have switches for various things, but if you just gave them all they ask for you'd end up with nothing but tons of switches around the screen. I believe the main motivation for the lockdown mode was squeezing the control over GNSS in when it was decided to use at most three switches, and the sensors then followed as adding them there could be done almost for free. You could do the thing PinePhone did, with plenty of tiny inaccessible switches behind its back cover; Purism opted for a limited amount of easily accessible switches, and I'm actually glad they did (it happened long before I got involved), because...
> Per Purism, it's perfectly usable in the same way any Linux slab with no radios or sensors of any kind is perfectly usable, yes, but that's stretching things in practical terms for a phone, and it's all very divorced from the reality of what most people expect from their phones.
I said that I personally don't care about the switches, but I also have to say that I surprised myself and ended up using them quite a lot. Not the mic/cam one, this one stays basically unused, but I'm using the cellular and Wi-Fi ones regularly - they're just super convenient. Whenever I want to save power or not be bothered by anything, I toggle the switches. If I had to unlock the phone and swipe through some menus, I probably wouldn't bother most of the time, but I don't have to, so I do. I used to be completely indifferent to these switches, but they ended up being really nice to have when I actually started using the phone. Let's not pretend that having an airplane mode option on a phone makes it a "slab with no radios", there are contexts where you do want to disable some things and continue to use the others.
> Still, it's entertaining. The marketing, the switches, the sweeping technical proclamations and bold self-assessments of high corporate ethics.
I don't see anything wrong in Purism providing what people have often requested. This is not exactly a kind of device that will just market itself, the more niches it can serve and differentiators it can tuck in without diminishing other aspects of the device the easier it will be to sell. I don't think the Librem 5 project would be economically viable if it only ever targeted people interested in Linux. Kill switches, modularity, smart card reader, replaceable battery, separate GNSS module, audio jack etc. are all attempts to extend its appeal and serve a yet another niche, as a device like this would never be able to compete on thinness or specs with what's offered mainstream. It makes perfect sense to me. Some of these things I enjoy, some I don't care about, but none bothers me.
> Beyond all that, installing packages from Debian stable on a mobile phone is a very enjoyable thing. I'm a former N900 and PinePhone user who's not opposed to making reasonable compromises for significant upsides, and would love a truly viable and fully open Linux phone that can run a variety of distros, but I remain unconvinced that the Librem 5 is that device.
I'm a former Neo Freerunner and N900 user, and a current Librem 5 user (with a PinePhone around too, but I already had a Librem 5 when I got it so I barely ever used it). Installing Debian packages is the only way I know how to use a smartphone. Well, okay, I used opkg in the past too :) I got involved in the project because it was clear to me that this was the device worthy of being the successor of my N900 and I'm happy with it and proud of what we, both Purism and the wider community, managed to achieve with it. In fact, I'm starting to get worried about it aging with no viable successor in sight. It's still fine today, but the arrow of time only points one way.