[Replicant] Assembly at 36C3 - Illustrate freedom, privacy and security issues

Fil Lupin fillupin at protonmail.com
Thu Nov 21 18:38:59 UTC 2019


Here is a first shot at captions:

A title with "privacy issues" and three imaginary phones:
- the good enough/good utopia (but utopia can also define an infernal system like 1984 or Brazil where everything is strictly ruled so I prefer good enough ;))
- the bad hack
- the ugly subjugation

Each of those cases is illustrated by hierarchical risks in the order app > system/drivers > firmware

The captions could be:

- good enough:

  * app (arrow from the caption to the screen): "letting user free to install app means user should be cautious about authorizations an app is asking for (a notice read too fast). For example, flashlight (https://www.wired.com/2014/10/iphone-apps/) or Angry Birds (from https://www.postandcourier.com/business/which-apps-are-invading-your-privacy/article_e7513b6c-23ea-5031-897e-177b5e8f0b86.html) give unnecessary rights to the app"
  * system/driver (arrow to ??): no issue so no caption
  * firmware (arrow to the bottom of the imaginary phone) : no issue so no caption

- bad hack:
  * app (arrow from the caption to the screen): "letting user free to install app means user should be cautious about authorizations an app is asking for (a notice read too fast). For example, flashlight (https://www.wired.com/2014/10/iphone-apps/) or Angry Birds (from https://www.postandcourier.com/business/which-apps-are-invading-your-privacy/article_e7513b6c-23ea-5031-897e-177b5e8f0b86.html) give unnecessary rights to the app"
  * system/driver (arrow to ??): OS and drivers can include bugs and/or backdoors, intentional or unintentional. For example, Samsung sold phones and tabs with a backdoor (https://redmine.replicant.us/projects/replicant/wiki/SamsungGalaxyBackdoor)
  * firmware (arrow to the bottom of the imaginary phone): no issue so no caption

- the ugly subjugation
  * app (arrow from the caption to the screen): flashlight (https://www.wired.com/2014/10/iphone-apps/), Angry Birds (from https://www.postandcourier.com/business/which-apps-are-invading-your-privacy/article_e7513b6c-23ea-5031-897e-177b5e8f0b86.html)
  * system/driver (arrow to ??): OS and drivers can include bugs and/or backdoors, intentional or unintentional. For example, Samsung sold phones and tabs with a backdoor (https://redmine.replicant.us/projects/replicant/wiki/SamsungGalaxyBackdoor)
  * firmware (arrow to the bottom of the imaginary phone): the firmware is designed with flaws allowing the hardware to give access to private data. For example, Galaxy S5 Neo, Geeksphone One and Geeksphone Zero, LG Nexus 4 have bad modem isolation allowing the modem to access data it should not (https://redmine.replicant.us/projects/replicant/wiki/TargetsEvaluation), Motorola Defy checks the kernel signature, which forbids replacing it with a free/libre OS

A final caption downside would include the title and the link : Freedom and privacy/security issues about phones (https://replicant.us/freedom-privacy-security-issues.php)

I just gave a few examples to illustrate (hope it is legal since it is like teaching material) and give some (ideally secondary) sources since it is important to make people free to understand the issues.

Please feel free to enhance and fix this.

Also, I did not understand if we have a shape of an imaginary phone. Could someone let me know? If not, we could find a Creative Commons picture (ideally in SVG).

- Fil Lupin.


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, November 6, 2019 8:40 AM, Fil Lupin <fillupin at protonmail.com> wrote:

> Hi,
> I completely agree with this conclusion: this was what I wanted to talk about when I wrote "shape". It allows us to talk about pure ideas (good and bad ;)) without any issue to fear from brands.
>
> I will try to give a first shot about captions.
> For the short paper, I am not sure we can produce this before 36C3 but well, we can try.
>
> - Fil Lupin.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Wednesday, November 6, 2019 12:37 AM, dllud dllud at riseup.net wrote:
>
> > I had a fruitful discussion with Denis about the ideas for the flyer.
> > This email summarizes our conclusions.
> > To get everybody on the same page: Fil and I were exploring the idea of
> > creating a double-sided flyer/handout that would have the mockup of the
> > front and back sides of a phone on either side of the flyer. There would
> > be arrows pointing to the internal components or to the icons of some
> > apps shown on the screen. These arrows would be captioned with a short
> > text explaining a freedom/privacy/security issue present on most
> > commercially available phones (check the attached sketches).
> > Denis pointed out that creating the captions would be virtually
> > impossible without picking a specific phone model. The
> > freedom/privacy/security issues vary too wildly between phone models.
> > Take for instance the satellite navigation system (satnav). On some
> > phones the OS has to ship a non-free firmware and use a non-free driver,
> > for others there are free drivers and no need to ship firmware, others
> > have non-free firmware and free drivers, others have proprietary apps on
> > top that track users and relay their whereabouts.
> > A generic caption would become a mess.
> > On the other hand, we do not wish to pick one single specific phone
> > model. That would make the info much less relevant and would age
> > quickly. Denis thought about going for the extremes: What about
> > portraying the worst possible phone? Or the best possible phone?
> > I very much agree that this is the right direction. All captions become
> > much simpler. Creating multiple flyers, where only the text captions
> > change, is easy enough for us, as the base illustration would stay the same.
> > Denis came up with the following reinterpretation of the "The Good, the
> > Bad and the Ugly":
> > "The Good enough, the Bad hack, the Ugly subjugation"
> >
> > -   "The Good enough" would be a hypothetical RYF[1] compliant phone,
> >     which is the "minimum required". Personally I would also like something
> >     such as "The Good utopia", that portrays a phone that goes beyond the
> >     RYF minimum and has free hardware and free firmwares every.
> >
> > -   "The Bad hack" would be Replicant at its current state (perhaps on a
> >     i9300).
> >
> > -   "The Ugly subjugation" would be the worst phone we can think about
> >     (freedom/privacy/security wise).
> >
> > What do you think about this direction? Fil?
> > If it seems good, any help creating the captions would be highly
> > appreciated.
> > Also, help creating a shorter and less technical version of the article would
> > be welcomed too.
> > As previously decided, all flyers will prominently point (link and QR
> > Code) to the main article where it is all explained in detail. But as
> > Denis pointed out, we should probably have a shorter version of that
> > article. As is, it is too extensive and only understandable by people
> > with a tech background.
> > Regards,
> > David
> >
> > References:
> >
> > [1] https://www.fsf.org/resources/hw/endorsement/respects-your-freedom



