In this case, I definitely interpreted it as "baked into PinePhone" like the commenter.
Admittedly the same headline that says "iPhone Malware Surprises Users" would probably read the other way. It depends a bit on the subject. If it said "Lenovo Malware Surprises Users" I'd expect it baked in too rather than just malware that just affects Lenovos.
> In this case, I definitely interpreted it as "baked into PinePhone" like the commenter.
PinePhone doesn’t make software, it just makes hardware. Its philosophy is they make hardware that’s easy to hack. All the software is community maintained and not official.
I also read it as "baked into PinePhone".
As to why, well the headline didn't include the fact that the PinePhone ships with no software. So that's not information I had at the time.
What does it ship with? I don’t think mine did, and Pine64’s philosophy was we make the hardware, you make the software, aside from PineBook’s KDE edition off the top of my head.
Thanks! I don’t remember mine having it, but it had been a while. The unlocked bootloader is a security threat that Xiaomi had where malware was flashed, so it’s probably a good idea they don’t ship with software for security reasons; it’s such an easy target.
I hate having to install VM-specific guest utils all the time when I just want to paste some text into the VM. Here's a script that emulates keyboard input and just works. ASCII-only, sadly.
Also, in VirtualBox, when you turn host-guest clipboard sync on in the VM settings (or set it to "Bidirectional"), it automatically syncs host clipboard contents to the VM clipboard, even if you never actually paste the clipboard contents into that VM. If you're running untrusted software in a VM and have guest utils installed, this might be a data leak vector you're not even aware of. So, install this script and only use guest-host clipboard sync if you really need it.
Oh, I do agree. The problem is - who's going to write it? I'm a one-man army so far, this is going to change once people get their hardware from the first batch I'm finishing now, but for now the project still needs contributors.
The baseband OS is separate from the Linux running on the Raspberry Pi, the modem can be put in hardware RESET state - so, there's unlikely to be a way to execute malicious code on the Linux side by using a modem exploit, if that's what you're interested in =) And yes, the OS has access to GPIOs that control the GSM modem, so that's entirely possible.
Well, I was thinking more that I would want to set up the phone so that the baseband OS is only operational at the time I decide I want to make a phone call. Would something like that be possible and practical?
There's a GSM hardware switch - https://hackaday.io/project/19035/log/60071 - so this is the way to go then, simple as that =) So far, the software is going to assume that the modem is on at all times - however, I'll solve that in the next PCB revision.
You're mostly right on your assessment - I don't intend it to be a good burner phone. There's the possibility to swap in GSM modems (thus changing IMEI) - except that the "manufacturer" part in IMEI is going to stay the same, or very similar, so it'd be like that story about a guy who sent in a bomb threat on his college campus through Tor, and it turned out he was the only one using Tor on the campus. IMO characteristics for a good burner phone are just like you're describing, and best practice is to throw those out or destroy them, after all.
And keep in mind that there's also the fact that you have to buy the phones somewhere - that can be tracked, whether it's a package from eBay with 10 similar phones or just a guy buying the cheapest prepaid phones in a supermarket.
My estimates show about 5 hours for the assembly time, so unless you get paid $1000/hour, this is not going to cost that much =) As for the time invested in software and hardware development - yep, it takes time, like any project is going to.
Answering your "GSM not open" comment - yes, the GSM baseband itself is not open-source, and I won't be able to change that alone - I have neither skills nor time. My plan is to make all the other parts of the phone open-source, so that when an open-source baseband appears, there's a platform to attach it to.
It's a mighty goal and you're probably a more than capable developer, but even bigger organizations have failed to produce working phone sw stacks while leveraging open source components.
Therefore while it's a great tinkering project I'm really sceptical about the actual value this could have for "end users" unless the value is the tinkering itself ;-)
+1 for this. A GSM/3G/LTE stack isn't something you can write in an afternoon. I've been on such a project for my company for several months now and I'm probably still a year away from just being able to push a single IP packet through it.
That's why I won't be doing it myself - I'm just going to provide the platform, there are already people working on an open-source baseband, and they're much smarter than me =)
You can use a spare Bluetooth keyboard (or even a USB one), and I hope to produce a QWERTY keyboard attachment for ZeroPhone this year. In general, this is going to be one of the most important addons I'll be working on this year - both in hardware and in software.
I don't think that any commercially available GSM modems actually have open-source GSM implementations - SIM5320 isn't an exception, sadly =( So, compared to AOSP, the main difference is that this project is open hardware (excluding the Pi Zero, mainly).
Yep, that's one of the side effects - you can plug some 2.4G transceivers (like NRF24L01, using an adapter) in the expansion port to talk to 2.4GHz stuff, or use some TI sub-GHz chips for 433/900/868. Also, I'm wondering about POCSAG (the networking standard that pagers use) - somebody on Hackaday suggested it to me, and soon, when I have some free time, I'll get some POCSAG receivers and will make a test environment (as in, imitate a POCSAG basestation for testing).
Awesome! I'm really curious to hear how that goes. Is it best to follow https://crimier.wordpress.com/ for such things and/or do you tend to post about your projects elsewhere?
I generally post all things ZeroPhone on Hackaday.io - https://hackaday.io/project/19035 - the blog is just for short random notes that might be useful to someone.