I was interviewed about supply chain security (around the 15 min mark) in a longer CNBC feature about manufacturing phones in the USA. In short, it's less about trust concerns with any particular country/govt., and more about reducing the links in the supply chain to reduce the opportunities to tamper with hardware.

Our Made-in-USA-electronics Librem 5 USA phone also got a number of shout-outs. Pretty neat!


I'm not that enthusiastic about Google, Apple and Microsoft doing away with as an factor, because it's one of the few areas left on these platforms where people have some control over their own . puri.sm/posts/microsoft-ruined

I realized I hardly ever add topical hashtags to posts which probably makes it tougher for folks around the fediverse to see things I write that they might be interested in. I'll try to do better with future posts about , , and and topics.

I wrote about our unique set of high security features for the Librem 14 such as anti-interdiction, Qubes, hardware kill switches, and PureBoot. What other security features would you like to see us add to this in the future? puri.sm/posts/my-recommendatio

One of the most damaging philosophies copied from IT is a belief in user inferiority. Too many security decisions are rooted in a patronizing notion that users are children and that trust and agency must be taken from them and given to infosec staff/vendors.

I recently sat down with Brent Gervais for his Brunch with Brent show. We covered topics ranging from my history with @linuxjournal and @purism, safety razors, how ideals shape how I approach , and the current culture clash in the Linux community.


Surveillance vendor NSO Group pitched hacking tools to US police forces that would "turn your target's smartphone into an intelligence gold mine" vice.com/en_us/article/8899nz/

Many of the arguments in the encryption backdoor debate (life-or-death, manpower vs automation, tech ineffectiveness, + freedom vs benefit, govt. + big tech power) apply to -19 app tracking debate, but with many ppl changing sides.

Attacks like this are likely not limited to Zoom (it just has attention now). If your computer has a hardware kill switch (HKS), disable camera+mic except during video conferences. If you don't have a HKS, cover the camera in between uses: 9to5mac.com/2020/04/01/new-zoo

If you are going to this weekend check out my talk on Saturday at 15:00 titled "Heads: Tamper-evident Firmware with User-controlled Keys" socallinuxexpo.org/scale/18x/p

I've really enjoyed processing our new-and-improved anti-interdiction orders. So far I have to say out of all the glitter nail polish, orange is my favorite (looks so cool against the black case) followed by rainbow.


A reminder that biometric auth security is not based on secrecy ( aren't secret), but on the difficulty of making a copy that can trick a sensor. Now there's an app for that.


I've said it before and I'll say it again: the most persistent, resourceful and difficult adversaries to secure against are kids behind parental/school controls and employees behind corporate firewalls: washingtonpost.com/technology/

"The researchers have named their attack NetCAT, short for Network Cache ATtack"

Seriously, netcat? I guess what they say about the two hardest problems in computer science is true... arstechnica.com/information-te

After decades of suffering through ipchains/iptables syntax, and seeing how easy fw and ufw made common firewall workflows, it's disappointing that the best Debian's iptables replacement can do is:

nft add rule inet filter input tcp dport 22 accept

When syntax for common workflows is complicated, you increase the chance the admin will make a mistake that exposes them to attackers. See S3 bucket permissions for more examples of this.
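One caveat behind the one-liner in the post above: `nft add rule inet filter input tcp dport 22 accept` only works once a `table inet filter` and an `input` chain with a hook already exist, and it says nothing about the default policy, which is exactly the kind of thing an admin can get wrong. As an added example (not from the post or from Purism), here is a complete nftables ruleset file that does what `ufw default deny incoming; ufw allow 22/tcp` does, plus a root-free sanity check that the input chain really defaults to drop and SSH is explicitly allowed. The function names are mine.

```shell
#!/bin/sh
# Added example: complete nftables ruleset equivalent to
#   ufw default deny incoming && ufw allow 22/tcp && ufw enable
# The `nft add rule inet filter input ...` one-liner assumes the table and
# chain below already exist; loading this file with `nft -f` creates them.

ssh_only_ruleset() {
    cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        # Default-drop is the setting that matters most and is easy to forget.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Static sanity check that needs neither root nor nft: the input chain must
# default to drop and SSH must be explicitly accepted. Prints "ok" on success,
# otherwise prints the problem and returns 1.
check_ruleset() {
    rules=$(ssh_only_ruleset)
    printf '%s\n' "$rules" | grep -q 'hook input priority 0; policy drop;' \
        || { echo "input chain does not default to drop"; return 1; }
    printf '%s\n' "$rules" | grep -q 'tcp dport 22 accept' \
        || { echo "ssh is not explicitly allowed"; return 1; }
    echo ok
}

# Syntax-check the ruleset with nft itself when it is installed (-c parses
# and evaluates without applying anything to the kernel).
validate_with_nft() {
    if command -v nft >/dev/null 2>&1; then
        ssh_only_ruleset | nft -c -f -
    else
        echo "nft not installed; skipping syntax check"
    fi
}

# Usage: write the ruleset out, check it, then (as root) `nft -f /etc/nftables.conf`.
ssh_only_ruleset > ./nftables.conf.example
check_ruleset
validate_with_nft
```

The ufw equivalent is three commands; the nftables version is about twenty lines, and the `policy drop` on the input chain is the line whose absence leaves the host wide open while every other rule still looks correct.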

It's not too late for bug bounty companies to source practical grasshopper-plague-related swag. Swatters, bug spray, mesh netting: nytimes.com/2019/07/27/us/gras

I ran into a new security measure the other day: my bank has added complexity requirements to *usernames* now, presumably to make them harder to guess and brute force attacks more difficult.

Whoever named this needs a lesson in modern malware branding. "eCh0raix" really? NASty NAP is the obvious choice: zdnet.com/article/this-new-ran

I imagine many in will conclude the ends justify the means, and I imagine most Apple users won't care, but I still think silently pushing non-interactive 3rd-party app updates to consumer devices is creepy: techcrunch.com/2019/07/10/appl

Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.