People often ask me for security advice, but before I can offer any recommendations usually I need to ask people specific questions about themselves to understand the threats they face. That’s because the security measures you take depend on your threats, and because everyone faces different threats, there are few one-size-fits all recommendations. When I wrote Linux Hardening in Hostile Networks, I intentionally split each chapter into three sections with each section recommending more extreme (and sometimes more complicated) hardening measures than the last. The reader was instructed to read up to their level of comfort and threat, and then revisit the more advanced sections later.
Each person not only faces different threats, the threats they face can change. Security needs to be flexible, and should be capable of offering strong protection by default, and extra protection during a crisis. Doors typically have a regular lock and a deadbolt, and many people only lock both at night or when they are leaving the house. We also expect to be able to lock our doors ourselves, with keys under our own control. Likewise our security measures should not only offer a strong defense, they should do it while maximizing our freedom and our control.
We are very thoughtful about the security measures we build into our products at Purism. We design measures so that they can provide a baseline of strong but convenient security for our customers, while also providing options for extra protection for customers facing more extreme threats. It might be tempting to build security measures as though everyone is an international spy, and you will find plenty of people in information security who can’t think outside of that box. Unfortunately that threat model is not only unrealistic for the average person, it also leads to impractical security advice that often does more harm than good. Balance and flexibility is important and in this post I will provide a few examples of how one can use our security measures to adapt to changing threats.
One of the more common threats people might face is a creepy stalker. The stalker takes the form of a random stranger that tries to compromise the victim via phishing campaigns or malicious applications and once they have remote control of a computer, use that access to install a RAT (Remote Access Trojan) to spy on, abuse, and extort the victim. There are even online communities where these RATers share tips and tools along with pictures and videos of their victims. This kind of attack has become mainstream enough that there is even a motion picture thriller based on it.
We address the threat of stalkers in a few ways. First, we use the same privacy-respecting, free software PureOS on our Librem 14 laptop and Librem 5 phone. Some operating systems are built to enable the vendor to track what you do, and enable app developers to do the same, so stalking becomes just another privacy-defeating app in the list. Because PureOS was built for privacy and control, not data collection, none of its applications track you, and because it is 100% free software, all the software can be audited to prove it. PureOS is also easy to re-install and we provide installation media so our customers can easily re-install the OS from scratch if they are ever concerned about a compromise.
Second, our laptop and phone ship with hardware kill switches that give you full control over the webcam and microphone, and WiFi card. RAT software has been known to disable the red LED in some webcams so they can spy on their victims without their knowledge. With hardware kill switches, you can ensure that your webcam and microphone are actually powered off at all times, and only enable them when you actually need them. The average person may not use the hardware kill switches normally, but it’s nice to know they are there if you need them. It’s one of the best examples of a security measure that is simple, convenient, and that puts you in control.
One of the most challenging threats to address is an angry ex-lover who becomes a stalker. They take all of the worst parts of the stalker threat, and add intimate access to the victim’s computer, phone, and sometimes online accounts as well. The angry ex takes their stalking and harassment to a different level, because they don’t just want compromising pictures, or some money. They want control over the victim and to track their every move. There are unfortunately many different tracking apps available for smartphones that are explicitly designed so someone can spy on their partner. Because of the level of access the angry ex often has to a partner’s technology during the relationship, and how hard it can be to inspect proprietary software, it can be incredibly challenging to purge all traces of their access on most computers.
While our products are designed with privacy in mind and PureOS Store doesn’t offer tracking applications, for the sake of this example let’s assume the angry ex was able to implant tracking software on a Librem 14 anyway. Our first line of defense is similar as with regular stalkers so victims can easily reinstall their OS to purge anything malicious, as well as use hardware kill switches in the mean time to ensure they aren’t being watched. This is also an area where a WiFi kill switch can come in handy. Remote control depends on the angry ex having access to the computer over the network, and with our WiFi kill switch you can control when the computer is on the network even if the angry ex has full remote control of the OS.
A particularly motivated ex might go to extra lengths to ensure they have persistent access to the victim’s computer, even if they remove the malicious app. To do this they might exploit the OS with a root kit that grants them hidden control over the OS, even if the victim finds and deletes the malicious software. This is where our PureBoot boot firmware comes in. With PureBoot, you will get an alert if your kernel or even boot firmware has been tampered with. Just boot with the Librem Key inserted and look for a flashing green LED to tell you the firmware is safe, then look for any alerts on the screen about changes in your boot software.
Travel is a great example of why security must be flexible. People often add additional security measures when traveling that they don’t do normally, such as wearing a money belt. If you work at home on computers that rarely leave your property, your security measures might be more relaxed. Yet when you travel, the risk of theft, data compromise, and tampering is greater, especially depending on where you go. While I still advocate for setting aside special equipment just for traveling, not everyone can afford to do that so it’s important their day-to-day tech can adapt to changing threats.
We offer a number of flexible options to detect tampering while traveling including adding glitter nail polish to screws to detect physical tampering, and PureBoot for digital tampering. This post provides a video to guide you through implementing the same physical and digital tamper detection steps we use for our anti-interdiction services. PureBoot is ideal for detecting digital tampering while traveling, but even if you don’t normally use PureBoot on a daily basis, we make it easy to replace our standard coreboot firmware with PureBoot using our standard firmware update utility. Then when you return home you can re-install our regular coreboot firmware.
Security measures should be flexible and adaptable, and PureBoot is no different. If you need extra security, you can extend PureBoot by enabling our recent root tamper detection feature. This allows PureBoot to detect tampering not just in the kernel, but also tampering with core applications on the system.
While using these tamper detecting features on a day-to-day basis may be overkill for some people, it may not be while traveling. Most of what makes tamper detection less convenient is dealing with false positives each time you intentionally change your computer. Yet there is little reason to perform software updates or other major changes while traveling. This means you can set up all of these additional security measures ahead of time in a safe environment, knowing that once you travel, you won’t perform software updates or any other changes until you return home. That way you can trust that any changes that PureBoot picks up are legitimate tampering.
One of the best examples of the extremes between security measures one might take on a daily basis versus a special occasion is protesting. The threats a protestor faces at a protest from a privacy and security perspective are entirely different from what they may face on a daily basis and demand different defenses. It’s well known that law enforcement often uses IMSI trackers (also known as Stingrays) and other technology to not only track who was at a protest, but sometimes even intercept network traffic to track communications as protestors organize their movements.
Preparing for the threats faced in a protest can be difficult, and may even call for special equipment in some cases. Yet even here we can find examples of how flexible security measures can help. I’ve written before about how the hardware kill switches in the Librem 5, including lockdown mode, can help take the sting out of Stingrays. Unlike airplane mode on other phones that disable the modem using software, the hardware kill switches on the Librem 5 actually cut power to the modem, disabling it entirely. Instead of fumbling with a touchscreen, having switches on the side gives you quick and easy access over the modem and the rest of the hardware on the device that could be used to track you. Lockdown mode (switching all of the kill switches) takes it a step further and disables all sensors including GPS, compass, accelerometer and others so the phone turns into an offline tablet computer.
A journalist can face extreme threats that end up being a combination of all of the threats I’ve already mentioned above and then some. They may have people take extreme measures to stalk them, may face strong tampering threats while traveling on assignment, and also might find themselves covering protests or other events where the government might deploy technology like IMSI catchers. Journalists may even face the risk of having their computers interdicted when they are being shipped.
Preparing for such extreme and wide-ranging threats requires even more flexibility to add stronger security measures than an average person may require. I often get asked what my strongest security recommendations would be for someone ordering a Librem 14, and recently I wrote an article that outlines my recommendations for the most secure Librem 14 configuration. These recommendations include selecting our anti-interdiction services so you get a fully-configured PureBoot plus additional tamper-detection measures, pre-installing the high security QubesOS, which runs very well on the Librem 14, and adding root tamper detection to PureBoot, along with other options.
Someone facing these kinds of threats may also want to consider our Librem 5 USA which features a more secure hardware supply chain, and add our privacy-protecting AweSIM cellular service so they can protect their privacy from the major cellular carriers. Because our modems are removable, they may also want to order spare cellular modems so they have one with the best support for North America, EU and Asia-Pacific bands when they travel. Or they may just want extra cellular modems for their own region that they can swap as they compartmentalize their communication.
Regardless of the threats you face, it’s important that your technology adapt to your changing security needs. It’s also important that you be in control of the security measures you rely on. We understand that everyone faces different threats, and those threats can change. We have built a wide range of flexible security measures that when combined can provide you with very strong security while leaving you in control. Even if you don’t use these security measures every day, you can have peace of mind knowing they are ready for you when you face your own “Shields Up” moment.
Model | Status | Lead Time | ||
---|---|---|---|---|
Librem Key (Made in USA) | In Stock ($59+) | 10 business days | ||
Librem 5 | In Stock ($699+) 3GB/32GB | 10 business days | ||
Librem 5 COMSEC Bundle | In Stock ($1299+) Qty 2; 3GB/32GB | 10 business days | ||
Liberty Phone (Made in USA Electronics) | Backorder ($1,999+) 4GB/128GB | Estimated fulfillment February | ||
Librem 5 + SIMple (3 GB Data) | In Stock ($99/mo) | 10 business days | ||
Librem 5 + SIMple Plus (5 GB Data) | In Stock ($129/mo) | 10 business days | ||
Librem 5 + AweSIM (Unlimited Data) | In Stock ($169/mo) | 10 business days | ||
Librem 11 | In Stock ($999+) 8GB/1TB | 10 business days | ||
Librem 14 | Backorder ($1,370+) | Estimated fulfillment December | ||
Librem Mini | Backorder ($799+) | 10 business days | ||
Librem Server | In Stock ($2,999+) | 45 business days |