Slashdot Mirror

While it's great that you pointed out the problem, I wish that you would also mention the projects that are working on solutions, such as Replicant and Libreboot. The world needs more people working on stuff like that, and you could lend those sorts of projects some of your fame and credibility.

Replicant

Android. Fork of Cyannogen Mod that is fully Open source. Even the drivers and firmware. Latest phone supported is the international version of the Galaxy S III (I9300) (2G and 3G but no 4G LTE). (Note: The U.S. version of Galaxy S III is a different motherboard and chip - the same model number on a different device.)

Stable release is a couple years old (4.2) due to thinning of the development crew. But the project got new blood (post-Snowden) and a 6.0 port (for the 19300 so far) is in alpha.

Some devices (WiFI, Bluetooth, user-facing camera) require closed firmware, which you can load separately. (It's supported but not distributed with the base distribution.

Some (3-D graphics acceleration, GPS) are just not supported. (Use 2-D graphics and, if you really want your phone to know where you are, a plugin GPS device based on a different chip.) GPS is not supported because the phone's GPS chip also requires a proprietary CPU-land driver, which is an open-source no-no.

your best bets are Replicant

Given that their list of supported devices are all no less than five years old and even then with missing support for any feature other than making calls, Replicant is currently a joke.

If you run Windows Phone or Windows 10 you should say goodbye to any sort of privacy.
https://www.gnu.org/proprietar...

As of now there are no commercially available smart phones that respect your freedom entirely. Depending on where you draw the line,
your best bets are Replicant or at the very least CyanogenMod without any Google Apps.

F-Droid is a package manager for Android that only contains software that respects your freedom.

OMG! I might get...oh, it's too much! I might actually get...ads that for things I might actually be interested in! Oh the horror!!

I guess I should just buy an iPhone. Oh wait, they hoover up your info too. MS? Yeah right.

There's always replicant for the truly paranoid.

The poster isn't exactly *wrong*.

He just have poorly understood and reinterpreted in own words, an actual problem that does exists for real:
Some qualcom chipset have the modem inside the main SoC and that modem works as a "sort of northbridge" for the SoC.
The modem is in charge of handling RAM, audio hardware, GPS, etc.
That modem, for legal reason - runs a 3rd party firmware that is provided by the phone service provider.
Android runs on a CPU core that is client to this modem to access the phone resources.

See my other answer in this thread.
And see the Replicant wiki.

It's not the CPU core and memory that is inside the physical SIM.
As I have explained in my other answer in this thread, it's the modem part.
The modem - which for legal reasons runs a 3rd party closed source firmware provided by your service provider - of several Qualcomm chipset works as "sort of northbridge" to the chipset.
The modem (and its 3rd party firmware) is in charge of several critical parts of the phone, which may include RAM, audio hardware, GPS, etc.
Android runs on a CPU core that function as a client to this modem an accesses everything thourgh it.

Replicant have complained about this in the past and documented in their wiki.

It's not the physical SIM-card itself.

See my other answer in this thread.
And see the Replicant wiki.

On some chipsets by Qualcomm (which are extremely popular) the *modem part* serves as a northbridge to the chipset.
It handles some critical component like RAM, sound hardware, and OS is running on a CPU core that is a client to that.

And for legal reason, the entity responsible for the code running both on the physical SIM card it self and running in the modem firmware is the service provider.

Regard TFA, that means that even if Google decide to say "Screw you!" to NY and CA legislation, the phone service provider is just one governemnt letter/order away from getting all your data.
(because, remember: all your data is on a flash medium that is directly plugged into the modem running the service provider's firmware. Your Android is running on a CPU core that is a client to this modem).

I think, the poster might be referring to some recent Qualcom chipset, where the modem is part of the northbridge.
Thus some core critical part of the chipset run a firmware that is *NOT in anyway modifiable or accessible by the end-user* (for legal reason).
Instead that part of the firmware is controlled by the service provider who pushes automatic update over the air (to both the SIM card it self and to the modem).

Due to its critical position in the chipset, that firmware can also have access to some critical parts like video buffer, RAM, GPS, etc.
That's often the case with Qualcomm chipsets.
Replicant has a wiki explaining the difference between good and bad platforms.
My personal experience: my WebOS powered HP Pre3. Runs on such a Qualcomm chipset. OTA update to the modem firmware will cause THE WHOLE PHONE TO HANG AND CRASH.

As mentioned by the wiki, there are also phone that use a Qualcomm chipset without a modem (for tablet) and then eventually (for phone) plug an *external modem* into it as it should.
My personal experience:
- my Sailfish powered Jolla Phone. According to specs, it runs on a Qualcomm chipset that doesn't have a built-in modem. When my ISP sends an update, the *separate modem* part reboots gracefully, the rest of the phone barely notice it (i just get a pop-up asking me to re-enter my PIN).
- similar behaviour used to be with my older webOS Palm Pr : used an OMAP chipset (those don't have any modem inside) and a separate modem chip. Phone didn't crash on modem-firmware problem (but, back then, OS wasn't that good at rebooting the modem. Some time turning 3G on/off could do the trick, sometimes I would need to ask the whole phone to reboot. SIM card can be changed live, but won't necessarily work without a reboot).

To make a metaphor:

Classic style smartphone chipset :
(like the Ti OMAPs, the Qualcomm without modems, etc. : modem is a separate chip.)
It's like your laptop. You have a laptop, you're in charge of your laptop, you connect whatever you want on it. You can install the OS you want on it.
Like on your laptop, if you want to have connection, you plug a separate thing into it like a USB 3G/4G modem.
This modem only takes care of the connection.
If anything goes wrong you can simply unplug and replug the USB modem.
(Well as the modem in a smartphone isn't a physically separate circuitry, but only a separate chip, you don't actually take it out physically. It requires a bit additionnal circuitry. But the basic image stands: the modem doesn't and can't affect the rest of the system).

Qualcomm style smartphone chipset :
(i.e.: with the modem built right into the northbridge of the smartphone chipset):
It's like your fiber/DSL/cable modem. It has USB ports where you can plug additionnal storage. It has analog ports where you can plug phone handsets.
BUT it's a device that is basically lent to you by the ISP. The ISP is in charge of remotely upgrading the firmware that runs it.
The equivalent of "getting Linux to run on it", is plugin an USB keyboard and USB screen on it, and trying to do something with it (or using a raspbery Pi, while using the modem as a NAS to access everything that stays plugged into its USB ports).
You have access to an interface with you keyboard and screen, the it's still the modem which is in charge of everything, not only the connection, but also all the storage you pluged into the USB port.
If the ISP wanted (or received a government letter ordering them to), they could access your storage and siphon your data: because it's plugged into the modem's USB port and they are the one in charge of the system running here.
That the case with some recent Qualcomm-based smartphone, where the modem is in charge of controlling the RAM, the mass-storage, the GPS, etc.

Modem isolation is the point; if modems aren't isolated they can read/write to the main processor's memory. Having it implemented as a device that can't DMA is a vast improvement from a privacy/security standpoint, and few devices do so.

http://www.replicant.us/freedom-privacy-security-issues.php

Ahahahahahaaaa...

"Secure tablet"

Oh wow that was funny.

If you want secure, then maybe Replicant will prove slightly less p0wnable, not sure.

Don't trust Samsung or BlackBerry though.

What market gap does it fill?

As I see it, Android's big problem is privacy, we're just waiting for the time when politicians and journos realize that every App on their Android phone is tracking them, their kids, their families, and their personal and private lives.

When that happens, the public will get a rude wake up call, and so a fork of Android will likely be the next Android. A fork that is privacy focused.

Tizen at the moment can run Android apps, but then why wouldn't you simply fork Android and ditch the Google/Facebook/Skype/Samsung etc. spyware?

There is already a fork Android project out there w/ the goals you mentioned: it's called Replicant Not sure what state that project is in.

Depending on how you feel about drivers that load firmware.
This is very open source:
http://www.replicant.us/

You can also just not install many of the firmwares if you don't want the feature.

replicant?

For several of android tablets there are some working linux distributions (that may or not have working all hardware), even without counting ubuntu touch. But the point on that tablet was that it had open hardware too, ubuntu touch solves the drivers problem taking directly the manufacturer's android drivers, so closed hardware also leads to closed source running there too, with potential backdoors (like the ones found in samsung devices) builtin.

That's why you don't trust Apple or Samsung's proprietary blobs. With Android, you can install Replicant http://www.replicant.us/ for a complete open source system which you can audit and verify (or re-code) yourself. Russia has the tech chops to do this.

As long as the domain ends in .US instead of .SU, the Russians are not going to buy into this NSA operation.

CM is full of binary blobs which are as closed and proprietary as they can get. If you want Android without the nasty bits you'd better look at Replicant - that is if it works on your device, of course...

Stick with Replicant http://www.replicant.us/ or Cyanogenmod and you don't get that bloated proprietary crapware.

That's why you don't trust Apple or Samsung's proprietary blobs.
With Android, you can install Replicant http://www.replicant.us/ for a complete open source system which you can audit and verify (or re-code) yourself.
Russia has the tech chops to do this.

The obvious question that everyone will be asking is "why should I install this rather than cyanogenmod, firefox OS or replicant if I really mistrust big business?

Doesn't matter if it's proprietary software or just adware you want to cut back on (or possibly even eliminate almost entirely if using Replicant), F-droid has you covered. It's not that hard to give Google Apps the flick with all the alternative free software out there, if one can be motivated to do so.

Im also lookign to replace my N900 (which i like), previously had an OpenMoko Neo (which was a great talking piece, bad phone).

Im currently keeping an eye on the fairphone, they are just finishing there first batch of 25,000 phones and looking at a new order soon. Second release is usually a good one to get in one as they have had a chance to find and fix hardware bugs.

The replicant project has done a review of the fairphone, there biggest criticim of it is that it doest have good hardware isolation to prevent NSA type spying. It isnt supported by replicant yet, but say it should be possible.
http://www.replicant.us/2013/1...

It looks like the project is more driven ideology rather than profit, but that ideology is very much focused on the phone. I hope they do well.

http://www.fairphone.com/

because it uses 1) non-free libraries 2) proprietary drivers and 3) firmware blobs. http://replicant.us/about/ is an attempt to free android.

I've seen this before, but I've never actually looked at any phones' schematic to prove it's true.

Take a look at Replicant, a fork of Cyanogenmod for people who are religious about software freedom. Replicant aims to have absolutely no proprietary software, but so far, none of their supported phones achieve that. They all have a statement along the lines "Modem firmware is non-free and there is no free alternative" and another saying "The modem controls CPU memory (read/write)".

The closest thing to a free phone is one of the OpenMoko phones. They still use a proprietary modem, but it communicates over SPI, and the main CPU is the master.

Just a reminder that Replicant is a thing that exists. It doesn't work 100% for everything (I hear camera support especially is bad), but to be fair, it is still pretty early in its life. If you are opposed to using locked down, restricted software, then using fully free software like Replicant is one way to break free from that.

Ok.
http://www.cyanogenmod.org/
http://replicant.us/

Is harder to hide a backdoor when the code of the OS is open source and the apps are in html5.

This helps a bit, but not as much as you would think. When they say "unlocked" what they mean is that this phone comes unlocked for use on multiple operators but probably (unless this changes close to market time) not not unlocked for using your own OS. That makes the whole phone OS close to a binary blob that you can't replace and which they will be able to change without you having true control. If you use cyanogenmod you might argue that the reduced number of binary blobs would allow some kind of auditing. However without true openness like replicant it's almost impossible to be sure.

Maybe worth calling up our ZTE friends and persuading them to provide an easy way to unlock the bootloader on the EBay phones.

Just a reminder that the Replicant project is trying to make a completely free and open source version of the Android software stack, including the parts that interface with the hardware.

Here's another http://replicant.us/

It seems as though they are trying to prevent fork's even at the the sdk level.

Sparking a fork at the SDK level.

Ah, bitter-sweet irony!

What does it bring new to developers that isn't there in Android?

Real openness?

The AOSP is perfectly open, you're more than welcome to grab the source and do with it as you please, like Amazon did. The license doesn't require you to publish the full source code but it doesn't prevent you from doing so either.

This allows Android distributions like Replicant to exist. Currently 4 OSs dominate the smartphone market, Android, Blackberry OS, iOS and Windows Phone. You'd think people would show a little apreciation for the fact that the dominant OS is the only Open OS out of the bunch.

Instead they come here and spew bile.

Even RMS admits that (final paragraph) the Android project is a huge step in the right direction. However, the binary blobs are still a big problem. You have no control over what's going on there, cannot use the device to its full potential without them, and have no guarantee that the code is not used against you (if you are of the paranoid kind; which many of us on Slashdot are, after all.. ;-)

In the same paragraph, he recommends the Android derivative Replicant, which just last week announced a new version matching Android 4.0. Depending on your use-case and point of view, you might or might not miss the Google specific applications, which are not under any free or open source license. That includes the GMail reader, the native Google Maps app, the Youtube app, and a few others.

What is your view on the Replicant Project? Is it on the right track or something you could imagine yourself using? or are there important parts of the puzzle still missing? or another similar project you have more faith in (e.g firefox os)?

Give it to one of the Open Source mobile distribution developers! For example: Replicant, SHR, Debian:

http://replicant.us/
http://shr-project.org/
https://wiki.debian.org/Mobile

Android: You have open access to the actual source code all the way to the metal and no restrictions writing any manner of apps.

I say this as an Android developer, and an Android developer who has _never_ writen an app that even uses the NDK, let alone is concerned with bare metal... but I'm sure that "all the way to the metal" is a bit misleading as the drivers (esp graphics, network) use binary blobs. This is a problem for the Replicant ppls who are trying to build the "to the metal" openness you mention.

I see your point. It's a terrible starting point and the trust of the company is broken anyway so why give them the business.

However, that viewpoint is directly against Replicant just a little too quickly:
http://replicant.us/faq/
You're also going against the companies out there advising and customising phones including Android for corporations.

I was thinking of going back to Symbian. I had a E55 and E71 before this Galaxy and prefered the battery and maps coverage but is that any better? What phone do you use?

Other best plan I have is carrying 2 phones; an old phone for phone operations and then something bigger but somehow definitely offline somehow, that can be made online quickly if I need it (quicker than a battery pull). I think breaking the usefulness into separate devices is another strategy. How's about putting the darn things in a metal box?
Another strategy I can think of is to act like a businessman with corporate secrets to protect and go with whatever they use. Can you comment on Blackberry?

I don't know why I take such an interest in privacy, it's thankfully feels like an intellectual exercise. But by doing it we learn things that are useful in less paranoid situations. For example, saving battery when there's no source of power for days... or when innocent but on the run.

Hackers wanted: Replicant

I would also suggest using webDAV at home or setup remotely, and configure your calendar, contacts, bookmarks and other file-syncing that way (of course encrypting everything before it hits the wire).

Additionally, in September RMS wrote a great piece on Android that might be of interest to you. Also, this little nugget from Firefox developers doing a pseudo-Q/A on Reddit (i know, i'm sorry) regarding your privacy in the browser might also be of concern to you.

You might like to try putting Replicant on it.

And where's the Free Android distribution? With an own market with only Open Source apps? No, there's MeeGo instead... yet.

There is a fully free Android distribution called Replicant: http://replicant.us/

Then there is a free software repository for Android at http://f-droid.org/