MarkusWandel · 5 years ago
Let's see now. A device that has no onboard microphone, no camera, and an architecture that makes the surest it's possible to be that nothing unknown is between your keyboard, screen or headset, and the (inspectable) encryption algorithm. No binary blobs, not even uninspectable CPU microcode. Given the political situation in certain places in Asia, a device that either communicates securely or doesn't communicate at all, with no grey area in between, is more than a geeky obsession. It's a tool. Compare to all those fancy "hardened" Android phones where it turns out afterwards that the authorities had them tapped all along...
jfim · 5 years ago
> Given the political situation in certain places in Asia, a device that either communicates securely or doesn't communicate at all, with no grey area in between, is more than a geeky obsession. It's a tool.

If one is worried about nation state actors, the ownership of a device that's secure and uncommon enough is likely to attract additional scrutiny or just be seized, legally or not.

It's a pretty cool device, mind you. The fact that they're going out of their way to make sure the device is fully inspectable and trustable is pretty impressive, as you point out. It's just not very usable as a privacy tool in a hostile environment due to it being rather conspicuous.

schoen · 5 years ago
> If one is worried about nation state actors, the ownership of a device that's secure and uncommon enough is likely to attract additional scrutiny or just be seized, legally or not.

The distinction between "tamper evidence" and "tamper resistance" seems to provide a good analogy here. Without secure devices, a state can spy on you in a clandestine way. With secure devices, a state can spy on you in a more overt way. You might still care about making the tampering evident!

("can" here probably means "can somewhat easily")

rkagerer · 5 years ago
I like his analogy about jailbreaking:

> The most important difference between a jail and a home is who controls the lock on the door. Most smartphone companies want you to believe that the gilded jail they’ve designed for you is the safest place to spend your time. Precursor takes a different approach. By giving you the keys to the lock, it gives you a home.

zepto · 5 years ago
It is a false dichotomy though. I agree that smartphones are not a home. However jail is not the only alternative to home. Smartphones are a lot more like hotels.
rkagerer · 5 years ago
But at a hotel you at least get one of the keys to the room (not just a padded little section of it) and they don't expect you to buy the building before you check in.
Rebelgecko · 5 years ago
I don't quite get why they say that it's trustworthy because it uses a soft-CPU running on an FPGA. Doesn't that just shift the potential attack from one vendor to another? e.g. instead of trusting a CPU from Mediatek, now you have to trust an FPGA fabric from Xilinx
strmpnk · 5 years ago
This is true, but the difficulty of making a general purpose FPGA fabric manipulate generic bitstream descriptions in an undetectable way is much harder than putting hidden backdoors in well defined ISAs. What amount of hardware validation is reasonable?

It depends on what you'd like to accomplish, but given that powerful FPGAs are now more affordable and plenty of great FPGA friendly libraries are emerging which work with open source tools, the barrier for Soft-CPU implementations has lowered significantly. This sort of project looks great for cases where trusting blackbox chips was questionable.

codethief · 5 years ago
> This is true, but the difficulty of making a general purpose FPGA fabric manipulate generic bitstream descriptions in an undetectable way is much harder than putting hidden backdoors in well defined ISAs.

Could you (or anyone else) elaborate on this? If possible, ELI5 please because I know very little about hardware. :)

Confiks · 5 years ago
Here's an excellent talk that addresses your question: Open Source is Insufficient to Solve Trust Problems in Hardware [1].

[1] https://www.youtube.com/watch?v=Hzb37RyagCQ

bibabaloo · 5 years ago
You're correct, but from my understanding shifting the trust to the FPGA is a productive move as a potential attack is much more difficult to execute. Bunnie explains on his blog [1] better than I can:

> The CPU is, of course, the most problematic piece. I’ve put some thought into methods for the non-destructive inspection of chips. While it may be possible, I estimate it would cost tens of millions of dollars and a couple years to execute a proof of concept system. Unfortunately, funding such an effort would entail chasing venture capital, which would probably lead to a solution that’s closed-source. While this may be an opportunity to get rich selling services and licensing patented technology to governments and corporations, I am concerned that it may not effectively empower everyday people.

> The TL;DR is that the near-term compromise solution is to use an FPGA. We rely on logic placement randomization to mitigate the threat of fixed silicon backdoors, and we rely on bitstream introspection to facilitate trust transfer from designers to user. If you don’t care about the technical details, skip to the next section.

[1] https://www.bunniestudios.com/blog/?p=5706

ThrowawayR2 · 5 years ago
An attacker would go after the weakest link. Does this device provide any way of verifying that a bitstream loaded onto the device during development is the same one being run when it's actually in use in the field? That would be the simplest way to compromise it. It would be detectable of course but anyone going to these lengths can compromise the unprotected device programmer hardware or workstation that reads the bitstream back out too.
ent · 5 years ago
It does, but as far as I've understood, FPGAs are much simpler and more regular so hiding backdoors into those would be harder than hiding one into a hardware CPU.
CyberRabbi · 5 years ago
Is the hardware synthesizer / bitstream generator open source?
pengaru · 5 years ago
This would be a whole lot more appealing if there were a cellular modem included, similarly isolated as the wifi chip is.
nullc · 5 years ago
Hopefully if/when they make the next generation with the custom silicon instead of being all FPGA based they'll have enough space and power budget for some internal modules.

I think it would be pretty interesting to have a LoRa radio for participating in networks like meshtastic (https://www.meshtastic.org/).

I get why many people would find cellular interesting, but since it's not possible to use cellular without device level location tracking by the cell network... I think it is less useful.

In either case bridges from other networks (such as LTE cellular) to wifi exist and are readily available, including tiny battery powered ones... So the lack of external cellular shouldn't prevent you from using Precursor with cellular.

pengaru · 5 years ago
> In either case bridges from other networks (such as LTE cellular) to wifi exist and are readily available, including tiny battery powered ones... So the lack of external cellular shouldn't prevent you from using Precursor with cellular.

This does not provide access to native cellular functionality like voice calls or SMS/MMS messaging. Obviously cellular connected wifi hotspots are an option for data service, I'm not clear why you're presenting that as if it's equivalent.

CyberRabbi · 5 years ago
Interesting device. How is the Novena community doing these days?
LeifCarrotson · 5 years ago
Still lots of happy users, but no new ones are available anymore:

https://www.crowdsupply.com/sutajio-kosagi/novena/updates/no...

neilv · 5 years ago
I've been waiting for crowdfunding of the Precursor to start, but I'll have to think more about whether I can cost-justify $512, if I don't know when I'll have time to hack the software I want for it.
rkagerer · 5 years ago
What does the out-of-the-box code do and how approachable is it to tailor?
