[Community] Next generation OpenPhoenux devices

Sven openmoko at maricon.de
Sat Apr 20 22:30:25 CEST 2013


 >> If I don't have control of the binaries running on my phone's modem,
 >> through access to the source code, then
 >> the modem is wide open for abuse.
 >
 > But only if it implements over-the-air updates or someone makes you
 > click on an installer from unknown sources...

No! I still need to state that I already had to make the experience that 
modems can include serious malware already from original production!

I can confirm that the modem that GD built into the GTA04A4 up to now 
didn't show any malfunctions, at least none that I could notice. But I'm 
cocksure that this is only because the modem that GD uses obviously 
never had been designed to be used within private phones. It seems to be 
a modem dedicated to be used within wind power plants and such things. 
Only for this reason no efforts had been made to implement malware into 
it already by the manufacturer.

 > But my opinion is that it is not necessary as long as there are two
 > separate processors using some well
 > known - and open - interface. This allows to inspect for suspicious
 > code and protect all the data on the
 > application processor against remote access. It is even possible to
 > disable the interface driver in your
 > kernel or make it do additional safety checks. So the firmware in the
 > modem isn't more harmful than
 > things going on in the network.

Yes, indeed that helps in most cases affecting malware software. But up 
to now we haven't discussed any possibilities of malware hardware!

Without any further explanations I want to say: I'm absolutely not sure 
if the upcoming Ubuntu phone will behave as secure as the GTA04A4 up to 
now does. And in case the Ubuntu phone will contain malware hardware, I 
don't think that it will be Canonical's guilt. But I think they will use
a modem that from scratch has been designed to be within private
phones. And that's the problem!

 > The final question about this article is if *we* (community/society)
 > should really help suspects like those
 > mentioned in the article to protect themselves against prosecution
 > better than before. I think it is also
 > in *our* interest that police can catch people doing e.g. tax fraud
 > (and other bad crime). Otherwise we
 > all have to pay *their* taxes...

Openmoko already answered this question: Yes, we should!

And Germany's highest court also already answered this question:
It decided within a spectacular decision that *all* already collected
data had to be deleted *at*once* and *no* further data may be
collected without the explicit decision of a court! And therefore no
malware-affected phone is necessary!

The remaining questions are pure politics and there're at least two 
political parties in Germany that discuss questions like these at great 
length. This list most probably is the wrong place for such discussions. 
Perhaps you should do the same as I did: Become a member of one of them...

    Sven




