Email addresses have been hidden.

-------------------------------------------------------------------------------
From: [QUESTIONER]
Subject: Librem5 questions
Date: Fri, February 15, 2019 4:07 am
To: i**o@puri.sm

Hi,

I am very interested in the Librem5 phone and I have some questions:

1. What measures have you taken against IMSI catchers and similar?
Reference info:

- CryptoPhone
- Please also check the links *inside* the article by EFF:

https://www.eff.org/deeplinks/2019/01/5g-protocol-may-still-be-vulnerable-imsi-catchers

2. Is the phone safe from Spectre/Meltdown (and the like) side channel
vulnerabilities

3. Do you guarantee there is absolutely no single piece of proprietary
code (including proprietary CPU microcode)?

4. Is the Matrix encryption you write about only useful over
WiFi/Ethernet or also through the mobile network (e.g. for "normal" calls)

5. Some laptops have a battery life saving function: it charges the
battery only half way which makes its life longer (compared to 100%
charging). Have you considered such feature for the Librem5 (and/or your
laptops)?

6. When do you expect to have the Librem5 ready for purchase?

-------------------------------------------------------------------------------
From: Mladen Pejaković
Subject: Re: Librem5 questions
Date: Fri, February 15, 2019 4:24 am
To: [QUESTIONER],i**o@puri.sm

Hello,

On February 15, 2019 12:07:43 PM UTC, [QUESTIONER] wrote:
>Hi,
>
>I am very interested in the Librem5 phone and I have some questions:
>
>1. What measures have you taken against IMSI catchers and similar?
>Reference info:
>
>- CryptoPhone
>- Please also check the links *inside* the article by EFF:
>
>https://www.eff.org/deeplinks/2019/01/5g-protocol-may-still-be-vulnerable-imsi-catchers

Active measures: none planned so far. But it may be possible to add
something like IMSI Catcher app for Android later.

>2. Is the phone safe from Spectre/Meltdown (and the like) side channel
>vulnerabilities

https://puri.sm/faq/is-librem-5-vulnerable-to-meltdown-or-spectre/

>3. Do you guarantee there is absolutely no single piece of proprietary
>code (including proprietary CPU microcode)?

For OS: yes. For hardware: no, baseband modem will have the firmware
inbuilt. But this is considered as "part of hardware" according to FSF.
Modem will be isolated and connected to the rest of the phone via USB
interface, so there is no direct access to CPU, RAM, mic or other parts of
the phone. This may also be the case for wifi/bluetooth card.

>4. Is the Matrix encryption you write about only useful over
>WiFi/Ethernet

Yes.

>or also through the mobile network (e.g. for "normal" calls)

No, normal calls will be the same as with other phones.

>5. Some laptops have a battery life saving function: it charges the
>battery only half way which makes its life longer (compared to 100%
>charging). Have you considered such feature for the Librem5 (and/or
>your
>laptops)?

Not yet.

>6. When do you expect to have the Librem5 ready for purchase?

You can pre-order it now.

Kind regards,
--
Mladen Pejaković
Purism support

-------------------------------------------------------------------------------
From: [QUESTIONER]
Subject: Re: Librem5 questions
Date: Fri, February 15, 2019 11:05 pm
To: Mladen Pejaković

Hi,

Thanks for the info.

> Active measures: none planned so far. [...]
> For OS: yes. For hardware: no, baseband modem will have the firmware
> inbuilt. But this is considered as "part of hardware" according to FSF.
> [...]
> This may also be the case for wifi/bluetooth card.
> [...]

The concern is not about merely conforming to FSF definitions but about
real security and openness. Why not use Risc-V like HiFive?

> No, normal calls will be the same as with other phones.

Good clarification. All the articles you write (especially those about
Todd Weaver's daughters etc) leave the impression that you are working on
security and privacy focused phone. Now it turns out that (unlike the
CryptoPhone) it gives privacy only when not used as a phone but as a
pocket PC + it is not 100% free down to the silicon.

It would be good to clarify all those openly in an article. Otherwise
sooner or later someone else will write about it.

>>6. When do you expect to have the Librem5 ready for purchase?
>
> You can pre-order it now.

The question is not when I can pay but when I can receive it :)

-------------------------------------------------------------------------------
From: Mladen Pejaković
Subject: Re: Librem5 questions
Date: Sat, February 16, 2019 4:54 am
To: [QUESTIONER]

On Saturday, 16 February 2019 at 08:05, [QUESTIONER] wrote:
> Hi,
>
> Thanks for the info.
>
> > Active measures: none planned so far. [...]
> > For OS: yes. For hardware: no, baseband modem will have the firmware
> > inbuilt. But this is considered as "part of hardware" according to FSF.
> > [...]
> > This may also be the case for wifi/bluetooth card.
> > [...]
>
> The concern is not about merely conforming to FSF definitions but about
> real security and openness. Why not use Risc-V like HiFive?

RISC-V is not ready yet, plus, we want to compete with high-performance
devices like the ones that major laptop manufacturers are offering.

> > No, normal calls will be the same as with other phones.
>
> Good clarification. All the articles you write (especially those about
> Todd Weaver's daughters etc) leave the impression that you are working on
> security and privacy focused phone. Now it turns out that (unlike the
> CryptoPhone) it gives privacy only when not used as a phone but as a
> pocket PC + it is not 100% free down to the silicon.

We want to release a phone available to everyone. If I am not mistaken,
the Cryptophone is using a special chip to encrypt the voice signal and
send it via standard GSM signal. You cannot make encrypted phone call to
"normal" phones. So there will always be "some catch". Our "catch" is that
you will have to be connected to internet, which, today, is true for many
people. But the difference is that our phone will have baseband modem
isolated, communicating only via USB interface to the rest of the hardware
and controlled by the free and libre operating system. This is NOT true
for almost every smartphone today (I am not sure about the cryptophones
though).

> It would be good to clarify all those openly in an article. Otherwise
> sooner or later someone else will write about it (like the critics in the
> Trisquel forum etc).
>
> >>6. When do you expect to have the Librem5 ready for purchase?
> >
> > You can pre-order it now.
>
> The question is not when I can pay but when I can receive it :)

The planned release date is April 2019, for any delays we might experience
we will make announcements on our news blog: https://puri.sm/news

Kind regards,
--
Mladen Pejaković
Purism support

-------------------------------------------------------------------------------
From: [QUESTIONER]
Subject: Re: Librem5 questions
Date: Sun, February 17, 2019 12:21 am
To: Mladen Pejaković

Thanks for the answers.

> RISC-V is not ready yet,

I read companies already use it:

https://en.wikipedia.org/wiki/RISC-V#Commercial

> plus, we want to compete with high-performance
> devices like the ones that major laptop manufacturers are offering.

It is quite weird to read that the non-mentioning of non-free components
and the non-usage of a truly open hardware is justified by FSF's
definitions and commercial interest. Quite different from the message your
articles send - about some digital utopia of privacy absolutism etc. I
hope you understand.

> We want to release a phone available to everyone.

I understand but what you are really planning is a pocket PC which gives
no better privacy or security when used *as a phone* (the name of the
product you sell). Considering you don't even take any measures to prevent
known mobile network attacks and vulnerabilities (which you confirmed in
the first reply) - how is that better *as a phone*?

> If I am not mistaken,
> the Cryptophone is using a special chip to encrypt the voice signal and
> send it via standard GSM signal. You cannot make encrypted phone call to
> "normal" phones.

Similarly: Your phone (used as a phone) can still be made to have
encryption capability in case the other party uses a Librem5 too.

> Our "catch" is that
> you will have to be connected to internet, which, today, is true for many
> people.

The actual "catch" (or rather a concern) here seems to be:

- This is a pocket PC with regular phone with no special protection
(phone-wise). In fact the modem has non-free components (as per your first
reply)

- E2E encryption is available only via Internet connection (3/4G or WiFi)
but:

-- The modem contains non-free components
-- The WiFi also uses non-free components

The only "escape" from that is to use the wired Ethernet port (killing the
wifi and modem) which makes it a non-mobile device any more.

So the "catch" is that you call that "free and libre" "phone".

I still think that:

>> It would be good to clarify all those openly in an article. Otherwise
>> sooner or later someone else will write about it (like the critics in
>> the
>> Trisquel forum etc).

Will you do that?

-------------------------------------------------------------------------------
From: Mladen Pejaković
Subject: Re: Librem5 questions
Date: Sun, February 17, 2019 1:54 am
To: [QUESTIONER]

On Sunday, 17 February 2019 at 09:21, [QUESTIONER] wrote:
> Thanks for the answers.
>
> > RISC-V is not ready yet,
>
> I read companies already use it:
>
> https://en.wikipedia.org/wiki/RISC-V#Commercial

I read "announced", "embedded", "development", we need something that is
working good already with current modern free software and has
high-performance. We are closely monitoring progress of RISC-V though.

> > plus, we want to compete with high-performance
> > devices like the ones that major laptop manufacturers are offering.
>
> It is quite weird to read that the non-mentioning of non-free components
> and the non-usage of a truly open hardware is justified by FSF's
> definitions and commercial interest. Quite different from the message your
> articles send - about some digital utopia of privacy absolutism etc. I
> hope you understand.

I am not sure where's the confusion here. There is NO baseband modem
currently that works without proprietary firmware. Firmware embedded in
modem is considered as a part of hardware, much the same as the firmware
inside/microcode embedded/burned into modern chips today. By your logic,
there is not a single piece of "open-hardware" today. I have already
explained: the modem we will use will NOT have direct access to other
parts of the phone and will be controlled by software. Much like the
external wifi USB adapter. Plus, you will be able to turn it off when you
want, using hardware kill-switches. That's advancement compared to phones
available today (including cryptophones).

> > We want to release a phone available to everyone.
>
> I understand but what you are really planning is a pocket PC which gives
> no better privacy or security when used *as a phone* (the name of the
> product you sell). Considering you don't even take any measures to prevent
> known mobile network attacks and vulnerabilities (which you confirmed in
> the first reply) - how is that better *as a phone*?

Simply because it does not spy/track its users, and provides means of
encrypted communication online, by default. In the future we might
consider adding features like IMSI catcher detection capabilities (this is
actually a software thing so it's doable with current hardware, IIUC) or
perhaps even cryptophone-like features (that's something still left to
discuss).

> > If I am not mistaken,
> > the Cryptophone is using a special chip to encrypt the voice signal and
> > send it via standard GSM signal. You cannot make encrypted phone call to
> > "normal" phones.
>
> Similarly: Your phone (used as a phone) can still be made to have
> encryption capability in case the other party uses a Librem5 too.

We will use Matrix protocol, clients available on many platforms. So
technically, you will be able to establish private calls from a desktop
computer to Librem phone.

> > Our "catch" is that
> > you will have to be connected to internet, which, today, is true for many
> > people.
>
> The actual "catch" (or rather a concern) here seems to be:
>
> - This is a pocket PC with regular phone with no special protection
> (phone-wise). In fact the modem has non-free components (as per your first
> reply)
>
> - E2E encryption is available only via Internet connection (3/4G or WiFi)
> but:
>
> -- The modem contains non-free components
> -- The WiFi also uses non-free components

Wifi/bluetooth chip is still being evaluated, it will perhaps not use any
firmware at all.

> The only "escape" from that is to use the wired Ethernet port (killing the
> wifi and modem) which makes it a non-mobile device any more.
>
> So the "catch" is that you call that "free and libre" "phone".

What would you consider free and libre phone, then? Also, please read once
again our phone page here: https://puri.sm/products/librem-5/.

> I still think that:
>
> >> It would be good to clarify all those openly in an article. Otherwise
> >> sooner or later someone else will write about it (like the critics in
> >> the
> >> Trisquel forum etc).
>
> Will you do that?

We published numerous articles about upcoming phone, some of them
explained this (https://puri.sm/news). Also, have a look at our FAQ
(https://puri.sm/faq) please (phone section).

Kind regards,
--
Mladen Pejaković
Purism support

-------------------------------------------------------------------------------
From: [QUESTIONER]
Subject: Re: Librem5 questions
Date: Mon, February 18, 2019 12:25 am
To: Mladen Pejaković

Hi and thanks for the info.

> I read "announced", "embedded", "development", we need something that is
> working good already with current modern free software and has
> high-performance. We are closely monitoring progress of RISC-V though.

Why are you not part of that development considering it is the only open
hardware architecture as of today?

> I am not sure where's the confusion here.

The confusion comes from the fact that the way all your articles are
written suggests that what you sell (a pocket PC with not all components
100% free) matches what you aim for (100% freedom in a phone as in the
digital utopia). Add to that the other facts: justifying that with
definitions by FSF and prioritizing commercial interest.

> There is NO baseband modem
> currently that works without proprietary firmware. Firmware embedded in
> modem is considered as a part of hardware, much the same as the firmware
> inside/microcode embedded/burned into modern chips today.

That is a fact and you should write that in the articles instead of
talking about non-facts (digital utopias etc).

> By your logic,
> there is not a single piece of "open-hardware" today.

That is not "my logic" but an actuality. However RISC-V aims to change
that. It is good that you are keeping an eye on it but a little strange
that you don't work in that direction.

> I have already
> explained: the modem we will use will NOT have direct access to other
> parts of the phone and will be controlled by software. Much like the
> external wifi USB adapter. Plus, you will be able to turn it off when you
> want, using hardware kill-switches. That's advancement compared to phones
> available today (including cryptophones).

I appreciate the clarification and agree that is a step. My point is that
the overall impression your articles create is about full freedom. Hence
all these emails.

>> I understand but what you are really planning is a pocket PC which gives
>> no better privacy or security when used *as a phone* (the name of the
>> product you sell). Considering you don't even take any measures to
>> prevent
>> known mobile network attacks and vulnerabilities (which you confirmed in
>> the first reply) - how is that better *as a phone*?
>
> Simply because it does not spy/track its users, and provides means of
> encrypted communication online, by default.

But your answer is still in the field of a pocket PC wired to an Ethernet
cable. That is not a phone.

> In the future we might
> consider adding features like IMSI catcher detection capabilities (this is
> actually a software thing so it's doable with current hardware, IIUC) or
> perhaps even cryptophone-like features (that's something still left to
> discuss).

Good. But IMSI catcher detection (the software part) is not the end of the
story. That can simply be mitigated by a function like "use only 3G/4G and
don't fall back to 2G" - which current Android phones have. But there is
more to all that tapping business and it is worth looking into.

Imagine: one goes for a walk in nature without being tracked but still
wants to be reachable by phone (in case a family member has an emergency
and needs to contact him). No WiFi. What do you suggest? Killing the modem
with a switch? You see: this is not a phone.

So from all your replies so far I still don't understand how the *phone*
part is better. You just keep explaining how good it is when *not* used as
a phone (to which I agree).

> We will use Matrix protocol, clients available on many platforms.

You keep answering within the field of a pocket PC.

> So
> technically, you will be able to establish private calls from a desktop
> computer to Librem phone.

Also technically, current desktop PCs are not open hardware with 100% free
software (+ CPU vulnerabilities). Why would anyone want to communicate
"securely" with a device which has built in back-doors?

> What would you consider free and libre phone, then?

Open and verifiable down to the silicon with no proprietary components.

> Also, please read once
> again our phone page here: https://puri.sm/products/librem-5/.

That is an article tailored to make the reader believe that you sell
something more than you actually sell. "Not convinced yet? Read more
below." Cheap marketing language, forgive me. The article accents on the
freedom of the software, not digging deep into the actual issues as we do
in these emails. Similarly you can write an article claiming that you
install free software on any machine which has freedom issues on firmware
level and claim that the software doesn't track you, implying that the
whole machine is with excellent security and privacy. It is weird that I
have to clarify all that considering that Todd Weaver's own words are that
"security is about depth".

So this is very misleading:

"Parents will love the Librem 5 because it will allow them to communicate
with their child, while having peace of mind that they are not being
compromised or tracked without their permission."

But the moment you use the device as a phone - you can be tracked.

"Developers will love the Librem 5 because it will allow them to control
their software and the freedom to really own the hardware they rightfully
purchased."

However you confirmed several times that the customer does not own the
modem (and maybe the WiFi).

I really don't know what you are trying to say by forwarding me to that
marketing article. I do agree that it is a much better device compared to
what is currently on the market. But I maintain that the articles are not
100% honest and the information which you reveal there is not explained
there. That is much like creating a false sense of full security.

>> >> It would be good to clarify all those openly in an article.
>>
>> Will you do that?
>
> We published numerous articles about upcoming phone, some of them
> explained this (https://puri.sm/news). Also, have a look at our FAQ
> (https://puri.sm/faq) please (phone section).

This doesn't answer the question.

-------------------------------------------------------------------------------
From: [QUESTIONER]
Subject: Re: Librem5 questions
Date: Wed, February 20, 2019 11:09 pm
To: Mladen Pejaković

Waiting for your reply please.

-------------------------------------------------------------------------------
From: Mladen Pejaković
Subject: Re: Librem5 questions
Date: Thu, February 21, 2019 2:29 pm
To: [QUESTIONER]

On Thursday, 21 February 2019 at 08:09, [QUESTIONER] wrote:
> Waiting for your reply please.

I have forwarded your email to our marketing team, someone will take over.

Kind regards,
--
Mladen Pejaković
Purism support

-------------------------------------------------------------------------------
From: [QUESTIONER]
Subject: Re: Librem5 questions
Date: Tue, February 26, 2019 12:02 am
To: Mladen Pejaković

> On Thursday, 21 February 2019 at 08:09, [QUESTIONER] wrote:
>> Waiting for your reply please.
>
> I have forwarded your email to our marketing team, someone will take over.

I haven't received any answer from anyone. I also don't quite see what
these technical questions have to do with marketing.

-------------------------------------------------------------------------------
From: [QUESTIONER]
Subject: Re: Librem5 questions
Date: Wed, February 27, 2019 2:31 pm
To: Mladen Pejaković
Cc: t**@puri.sm

Mladen,

I have sent to you:

On Thursday, 21 February 2019 at 08:09, [QUESTIONER] wrote:
> I haven't received any answer from anyone. I also don't quite see what
> these technical questions have to do with marketing.

No reply whatsoever.

CC to Todd Weaver too.

-------------------------------------------------------------------------------