Like with our Librem laptops, our Librem 5 smartphone will also feature kill switches; but unlike the laptops it will have three kill switches, not just two:
cameras and microphone
WiFi and Bluetooth
cellular baseband
Later in this post I’m going to describe an exciting new feature for our Librem 5 phone we are calling “Lockdown Mode” that extends our normal kill switches to provide even more security and privacy.
[...] One big challenge when protecting your privacy on a phone is that, unlike an average laptop, a phone is full of more sensors and other hardware that could be used for tracking and spying. A lot of security research over the past decade has demonstrated just how much information can be derived by seemingly harmless sensors that are included on a phone.
[...] While we could add kill switches for every individual piece of hardware, having three kill switches already pushes the limits with respect to space on the phone, the complexity of the hardware and the overall user experience. So if you set the upper limit on kill switches to three, there are a number of different ways you can address the problem with these extra sensors including:
Only disable those sensors with software
Group sensors with one or more existing kill switches
Lockdown Mode
We have thought through all of these different options, among others, and we decided that it was better to offer the option for extra security to those who really need it. We have selected a solution we are calling Lockdown Mode, that gives people who need this extra level of protection the option to turn all sensors off easily, without imposing extra complexity on an average user.
[...] To trigger Lockdown Mode, just switch all three kill switches off. When in Lockdown Mode, in addition to powering off the cameras, microphone, WiFi, Bluetooth and cellular baseband we also cut power to GNSS, IMU, and ambient light and proximity sensors. Lockdown Mode leaves you with a perfectly usable portable computer, just with all tracking sensors and other hardware disabled.
https://puri.sm/posts/lockdown-mode-on-the-librem-5-beyond-hardware-kill-switches/
(Score: 3, Interesting) by pTamok on Tuesday March 26 2019, @01:49PM
I agree.
If it is simple enough to be demonstrably bug-free, then it is not complex enough to be useful. (cf Gödel's incompleteness theorems)
Note that even in formally-proven code, there is a meta-problem of assuring that the code actually implements the intentions of the designer. As the intentions can be open-ended, there is no process for demonstrating that the code meets all possible intentions of the designer. It is an 'unknown unknowns' problem, or as Iain M. Banks might have put it, the problem of how to deal with unknown, and unknowable Outside Context Problems [wikipedia.org].
If you operate code in a virtual sandbox that is isolated from the real universe, then you can demonstrate that it operates as designed/intended within the constraints of the unreal/logical world you are analysing. Unfortunately, code has to operate in the real world, on imperfect hardware, subject to challenges not envisaged by the designers. As a result, anyone giving you a '100% security guarantee' is lying - either to themselves, because they do not understand the scope of the problem and think that they do, or to you, because they are knowingly selling you snake-oil.
Being able to physically turn off the power acts as a pretty good backstop.