[HN Gopher] NitroPhone 2/Pro with 4.5 years of software updates
___________________________________________________________________
NitroPhone 2/Pro with 4.5 years of software updates
Author : heavyhephaistos
Score : 76 points
Date : 2022-01-04 12:41 UTC (10 hours ago)
(HTM) web link (www.nitrokey.com)
(TXT) w3m dump (www.nitrokey.com)
| badrabbit wrote:
| EUR250 to solder off components seems steep. It takes me less
| than 30min, I can imagine it takes a lot less to
| disassemble+desolder+reassemble if you do it all day. Can't see
| this taking up more than 1 man-hour. If they added a switch
| instead of desoldering the price would have been more reasonable
| (but still steep, it can buy a usable phone on its own)
| nbernard wrote:
| They are from Germany, part of the cost may come from them
| needing to fulfill the legal 2 year warranty, once the
| components are desoldered.
| i_like_waiting wrote:
| I wouldn't see it that much about how long it takes once you
| know how to do that. It's the time it takes to learn how to do it.
| E.g. I bought a cheap phone and I wanted to debloat it/ install
| LineageOS. After a week or something, 2-3 soft bricks, and
| constant issues I have semi-debloated original OS phone, with a
| bit more control but far from what I wanted.
|
| To get somebody the same as I have now? 2 hours max. Would I
| overpay somebody else to give me the same thing, if I knew how
| long it takes to do from scratch? Definitely
| kadoban wrote:
| It takes some skill, entails some risk (can fuck it up or the
| customer could be a tool), takes some time. Between skilled
| labor and risk, sounds about fair to me.
| 999900000999 wrote:
| What a scam.
|
| Something like Pine phone which allows you to customize the OS to
| your liking seems much more reasonable.
|
| I also would prefer a hard switch for things like cams and mics,
| removing them seems lazy.
| imagineerschool wrote:
| As the proud owner of a Pinephone, it's not ready to be a daily
| driver.
|
| I wish it were, but it ain't there yet. They have my money and
| my support and my spiritual energy, but I need a dependable
| phone today too.
| kaba0 wrote:
| Physical kill switches are completely useless though. They
| provide no added benefit, if you can't trust the OS you already
| lost. It is even possible to reconstruct speech from gyroscope
| data.
| estaseuropano wrote:
| Fairphone guarantees five years of updates and you can change
| parts yourself. Can't beat that deal.
|
| (Not affiliated, just a happy user)
| imagineerschool wrote:
| I'm excited to see this, but I have the same questions as other
| comments:
|
| Is there anything extra here that I couldn't do myself?
|
| (I'm still likely a customer since getting it done for me is a
| valuable service)
| c7DJTLrn wrote:
| The 4.5y of updates comes as part of Android AOSP. GrapheneOS
| supports handsets for as long as AOSP does.
|
| I hope this company is contributing to the project or donating a
| slice of the profit to Daniel Micay otherwise that's an asshole
| move.
| pSYoniK wrote:
| I honestly hope they fund the Graphene OS project if they do this
| or if nothing else, make it clear that you could also do this
| yourself. /e OS tells you that you can install it if you have
| compatible hardware or buy it from them, same for Calyx OS.
|
| For those wondering why you'd want this - I use Graphene OS on an
| old Pixel 3 and battery lasts 2-3 days easily. I don't have to
| constantly fight all anti-patterns in modern day Android, but I
| can still chat, email, text, browse and watch videos...
| joemazerino wrote:
| "Comparison With e.g. LineageOS, CalyxOS, /e/
|
| LineageOS, CalyxOS, /e/ and other Android distributions
| essentially rely on the standard Android which only comes with
| its own selection of apps. GrapheneOS, on the other hand, is an
| elaborately hardened Android and should therefore be seen as its
| own operating system. In addition, security updates are often
| provided late by the distributions mentioned at the beginning."
|
| Pretty low to call out other Android projects in a marketing
| release but falls directly in line with how the GrapheneOS
| project treats the community. Won't be buying this or
| recommending it.
| kaba0 wrote:
| First of all, I am fairly sure GrapheneOS is in no way
| affiliated to NitroPhone which just packages their work and
| sells it with no work done by themselves.
|
| Second of all, the only accusation I see is on your part.
| strcat wrote:
| We don't have any issue with Nitrokey selling phones with
| GrapheneOS. They're one of several vendors providing users
| with a way to buy a phone shipping with GrapheneOS. Our web
| installer is very easy to use and even very non-technical
| users are able to use it with the help of our community.
| There are always many people in our Matrix room willing to
| provide lots of help to new users around the clock. Some
| people are still going to want to purchase a phone with it
| instead of needing to install it, and Nitrokey is a
| trustworthy vendor providing it. Our recommendation to most
| people is using the web installer and asking for help if they
| experience any issues. It's very easy to do from another
| Android phone, ChromeOS or macOS. It's a little bit more
| involved on Windows due to needing to install a special
| driver. The web installer works well for people with barely
| any technical knowledge. The main roadblock people experience
| is trying to use a non-spec-compliant USB-A to USB-C cable
| which is resolved by them getting a proper one or using the
| official USB-C to USB-C cable from another device like
| another Android phone.
|
| joemazerino has been spreading misinformation about
| GrapheneOS including personal attacks and libel targeting our
| developers for years. You can see a bunch of it in their
| comment history among other gems like
| https://news.ycombinator.com/item?id=26974901. They've been
| regularly promoting a proprietary fork of GrapheneOS which
| falsely pretends to be the original project. It's barely
| maintained with the last release in September and almost zero
| development since they forked our project in 2018. That
| product is pure grift and very openly scamming people. It's
| unfortunate that a product depending on our work has invested
| substantial effort into harming us but that's the reality for
| us. A small number of people got duped by that and it
| snowballed into further attacks on the project which are
| worse than ever thanks to the help of a certain faux
| 'privacy activist' charlatan on YouTube. joemazerino made
| sure to spread a 1 hour hit piece with a whole bunch of
| fabrications about myself and the GrapheneOS project from
| that person. We're used to this and it comes with the
| territory in an industry with more scammers than people doing
| useful work.
| CountDrewku wrote:
| How is this any better than just buying a brand name android
| phone and putting calyxOS or some custom ROM like lineage on it?
| heavyhephaistos wrote:
| They do the work for you. You could just buy a Pixel 6 and
| throw GrapheneOS on it, but this is not financially viable if
| you count the hours needed, especially if you want to recommend
| a secure phone to non technical friends and not configure it
| for them.
| CountDrewku wrote:
| For 899 Euro? Unless you have money to blow that's
| financially stupid. Buy a pixel and pay someone with tech
| experience to configure it for you.
|
| I can't imagine anyone without tech skills wanting a phone
| like this anyway.
| strcat wrote:
| https://grapheneos.org/install/web is easy to use and
| GrapheneOS has broad app compatibility these days via
| sandboxed Play services
| (https://grapheneos.org/usage#sandboxed-play-services). We're
| working on making the out-of-the-box experience nicer via a
| first party app repository and client which can be used to
| bootstrap installing other app stores too. There are over
| 6400 users in the GrapheneOS Matrix room with many
| experienced people always around at any time of day that are
| willing to spend lots of time helping new users.
| jnsie wrote:
| If you're in the market for such a phone may I ask, without
| judgement, why? I'm very interested in whether this is aimed
| particularly at certain professions, if more and more people fear
| violation of personal privacy, etc. Again, no judgement or
| preconception - I'm asking in good faith.
| acd wrote:
| People say they have nothing to hide. Yet would you hand your
| unlocked cell phone over to a stranger? People give away all
| kind of personal data for free to adtech.
|
| If you have serious privacy concerns phones like this make
| sense.
| jabej wrote:
| A total stranger? Sure, why not. That's why I don't care
| about big tech having my info.
|
| Friends or relatives? No way.
| mobiletoss1337 wrote:
| What if those strangers were going to attack your friends,
| neighbors, or elderly parents with every scam and shady
| advertising/phishing scheme that they could invent?
| webmobdev wrote:
| Two major reasons:
|
| 1. _I don't want my data used against me politically_ - there
| are legitimate reasons to shield your personal data to protect
| yourself from political persecution from ordinary people to the
| government. E.g. A gay man may fear his homophobic colleagues
| will bully him, a migrant may fear that his right-wing boss may
| fire him if he knows his origins, a Muslim may prefer to not
| grow a beard or a Sikh not wear turban to hide his identity to
| safeguard himself from unwanted hostile attention from
| strangers etc. etc. E.g. 2 - The United States government now
| demands that you tell them about all your email and social
| media accounts when you apply for a US visa.
|
| 2. _I don't want my data used against me commercially_ -
| BigTech want more and more data about us to determine how to
| influence our behaviour. Preventing them access to my personal
| data protects and allows me to make rational purchase
| decisions, rather than those based on impulses influenced by
| BigTech overt or covert advertising.
|
| Denying corporates access to our personal data does both,
| because BigTech now also sell our data to government agencies.
| Since the government is one of their target customer base with
| a big purse, BigTech have now also started using our personal
| data to try and influence us politically.
| kadoban wrote:
| I'm probably vaguely close to the market for this. My reasons
| would be privacy and security concerns. Phones are creepy, they
| have access to _everything_, are carried everywhere, and we
| have little knowledge or control of what they're doing.
| encryptluks2 wrote:
| Maybe they grow/sell marijuana or shrooms and want to learn
| about things like that without worrying about being put on some
| list, or just have concerns about censorship or being flagged
| based on their political beliefs.
| bunkydoo wrote:
| bunkydoo wrote:
| Closi wrote:
| birdman3131 wrote:
| The Vatican.
| nisegami wrote:
| If you don't bother to click, the linked phones are the Google
| Pixel 6/Pro with Graphene OS and some (optional?) hardware
| modifications.
|
| I know it's probably not in their best interest, but I really
| wish they specified the source of their features individually
| (whether something comes from the Pixel 6 Titan chip, Graphene or
| their own custom hardware or software). It makes it difficult to
| evaluate their value-add over buying a Pixel 6 and throwing
| Graphene on it.
| dblbaguette wrote:
| rhamzeh wrote:
| All the description seems to be just generic Pixel 6 (Pro) +
| GrapheneOS. The one addition I found was that they would remove
| the hardware if you ask them to:
|
| "Optional: For very high security requirements, both
| microphones and acceleration and rotation sensors can be
| removed. Indeed, acceleration and rotation sensors can be
| misused as microphones. This physically prevents conversations
| in the environment from being recorded. Phone calls can still
| be made with an external headset."
| legrande wrote:
| > "NitroPhone is a much better product than we did with
| Blackphone." Phil Zimmermann, inventor of PGP
|
| Hard to believe this is some sort of Anom[0] type scenario when
| it's endorsed by Phil Zimmermann.
|
| The only potential issue would be if the device entered a
| clandestine facility to be backdoored as it gets delivered to a
| customer. Supply chain attacks are real and plausible.
|
| [0] https://www.vice.com/en/article/n7b4gg/anom-phone-arcaneos-f...
| kornhole wrote:
| Of course most of us will flash our own, but I applaud Nitrokey
| for filling this niche for those who need a marketed ready to use
| phone.
| mt_ wrote:
| Why do you need to insert a man in the middle vector? I mean
| GrapheneOS even provides its users a web based installer. I
| really hate these marketing schemes based on privacy buzzwords.
| jazzyjackson wrote:
| Right? How do I know this isn't a CIA front shipping bugged
| phones to the users with something to hide? [0] NitroPhone's
| target demographic is very paranoid^B^B^B security conscious
| types, they should at least have a FAQ convincing me they're
| not the feds :)
|
| [0]
| https://www.washingtonpost.com/graphics/2020/world/national-...
| francis-io wrote:
| You can be security conscious but not have the technical
| skills to flash an OS on to a phone.
| encryptluks2 wrote:
| I can be conscious of my health, but unless I make healthy
| choices it doesn't help much. Same with security. If you
| can't be bothered changing your bad habits, you may be
| security conscious but it isn't going to help much.
| dimitrios1 wrote:
| > NitroPhone's target demographic is very paranoid^B^B^B
| security conscious types
|
| Let's not add any more stigmatization in an area where it
| would serve us all to be a little more paranoid about the
| amount of spying and corporate+government intrusion that is
| now the norm in our lives. So many things I would have
| thought were conspiracy theories a mere 10 years ago are now
| true. The slippery slope is not a fallacy anymore.
| jazzyjackson wrote:
| Apologies for making my sarcasm too subtle, as evidenced by
| my wa-po link, I'm well aware that intelligence agencies
| really do set up fronts to sell bugged goods to a person of
| interest. Hell, if nothing else works they'll even arrange
| a vaccination drive for all the kids in your village to try
| and suss you out.
| heavyhephaistos wrote:
| Just found their "About the company" page:
| https://www.nitrokey.com/about They say that they are totally
| self-financed and produce their Nitrokeys only in Germany to
| prevent supply chain attacks.
| jazzyjackson wrote:
| I wondered if Crypto AG (the swiss company selling
| backdoor'd hardware) would have said the same thing and
| looked up their old about page. [0] In light of the CIA's
| involvement I find it exceedingly cheeky:
|
| > We are present around the globe in all cultural
| environments. The threats, challenges, and fears you are
| likely to encounter are known to us; they are the source of
| our innovative thrust. Thanks to our world-wide network and
| regional offices, our presence and services know no borders
| or limits.
|
| [0] https://web.archive.org/web/20110516233908/http://www.crypto...
| deltaonefour wrote:
| Serious question; not trying to be snarky. Other than just
| personal privacy preferences what are some practical
| reasons for why someone would use this phone?
| tristor wrote:
| Serious Answer:
|
| 1. I think that I have a right to participate in the digital
| commons without selling my soul to my choice of two possible
| corporate masters (Apple or Google).
|
| 1A. Corollary, the digital commons necessarily includes the
| ability to interact with the Internet in a mobile way.
|
| 2. There are mobile applications that have such a marked and
| clear positive impact on my life that doing without them is not
| merely an issue of convenience, but an issue of capability.
|
| 2A. These applications, through market forces, are only
| available on mobile devices running common mobile OSes.
|
| 3. My means of income requires me to fit as much as possible a
| societal mold that includes availability during reasonable
| hours via a mobile device.
|
| 3A. My employer is not one of the corporate masters, and they
| have no right to interject themselves in my relationship with
| my employer that I entered into voluntarily.
|
| When put together, these leave you only one viable option which
| is running secured hardware with a de-Googled version of
| Android. I don't see why /this/ device is any better than a
| Pixel + GrapheneOS done yourself, but the above explains why
| someone would want a Pixel + GrapheneOS.
|
| You are welcome to disagree with my reasoning, but it is sound.
| [deleted]
| deltaonefour wrote:
| I agree with this answer, but I'm not sure how to express the
| question. I mean something different when I say "practical."
|
| It's like a person who buys a gun because he wants to
| exercise his second amendment rights versus a hunter who buys
| a gun to hunt or a cop who buys a gun for law enforcement.
|
| I'm looking for more examples of the latter type.
| tristor wrote:
| I think I understand your point, but I'm not sure how
| anyone could formulate an answer to satisfy it. The split
| is fundamentally philosophical, because there's no new
| capability gained by regaining your privacy vs simply
| accepting the status quo of letting Google interject itself
| into every aspect of your life. The absence of something
| cannot add any new capabilities.
|
| On the flip side, I think the mere existence of people who
| are successfully living a 'normal' life in the current era
| while regaining some reasonable measure of privacy is
| enough evidence to support the use case, beyond merely
| theoretical philosophical ideals.
| deltaonefour wrote:
| I was thinking there could be use cases like plausible
| deniability when doing illegal stuff or maybe these
| phones are useful for the same reason in espionage? Maybe
| these phones are required in the defense industry for
| secret or top secret clearance? Stuff like that was what
| I was guessing maybe these phones are useful for.
| tristor wrote:
| I'm sure those use cases do exist. I know that there are
| already special secured handsets made by defense
| contractors like that for use by top officials, generally
| in partnership with other companies. I believe
| Halliburton supplied specially modified Blackberries for
| years to the White House and Department of State, and the
| last I heard was that a different org was modifying
| Samsung handsets for similar purposes. Given that shift
| to Android, it would not surprise me if there was a
| market here for government officials working on
| confidential work to need secured handsets running
| Android where their government could lock the device to
| only a whitelisted set of apps. The US government for
| instance already has published STIGs for Android
| handsets.
|
| The reality is that for me, at least, government use
| cases don't interest me for a number of reasons, and I
| don't necessarily think they align with your
| clarification to the questions either. I think drawing
| the parallel to firearms is fuzzy, but if we go with
| that, there are obvious use cases a government has for
| firearms that don't support an argument in favor of
| civilian ownership, but there /are/ arguments that
| support civilian ownership. Perhaps nothing else makes me
| more anxious than that thought of a world where privacy
| and crypto are considered to be something only allowed
| for elites and government officials, where all of us
| normies have to be surveilled 24/7. This is already a
| reality in some parts of the world and fast becoming a
| reality in the West. Hence, I am not really concerned
| with how useful this may be to government, I am /only/
| concerned with how useful this is to normal every-day
| people who just don't want to be spied on. Most of the
| modern surveillance isn't even done for a reason, it's
| just dragnet surveillance on everyone "because they can",
| which is the worst type.
| mobiletoss1337 wrote:
| In terms of user experience, it's pretty obvious that
| GrapheneOS suffers by comparison. For example, the camera app
| isn't as amazing as it is on Pixel with full Google Android,
| and _it probably never will be_. You can install apps from the
| Google pay store with Aurora -- even things like Google maps
| and Gboard for swipe typing, but you will probably prefer them
| to be more secure and so you'll lock them down as much as
| possible, lessening their utility.
|
| So, in "practical", non-privacy/non-security terms, it's crazy
| to want something like this instead of the "real" Pixel 6 Pro
| experience (or Samsung S21 Ultra, or iPhone 13 Pro Max, etc),
| or perhaps until you read e.g. the shockingly bad Samsung
| privacy policy.
|
| However, there are some other benefits derived from the privacy
| aspects that aren't strictly privacy benefits themselves:
|
| * Hobby enjoyment
|
| * Trusting (to a degree) your device
|
| But, for me, I love my GrapheneOS phone and it's all of the
| above. I can live with the limitations, for the most part, and
| I've also purchased a wonderful Fujifilm camera when I really
| want to take amazing photos, which of course blows away any
| phone camera system anyway. The Pixel itself is still a really
| great smart phone experience, and way beyond my Pine phone
| (current generation) in terms of both security and usability,
| even without the few things that are taken out when you switch
| from Google to open source Android.
| strcat wrote:
| > In terms of user experience, it's pretty obvious that
| GrapheneOS suffers by comparison. For example, the camera app
| isn't as amazing as it is on Pixel with full Google Android,
| and it probably never will be. You can install apps from the
| Google pay store with Aurora -- even things like Google maps
| and Gboard for swipe typing, but you will probably prefer
| them to be more secure and so you'll lock them down as much
| as possible, lessening their utility.
|
| GrapheneOS recently added our own modern Camera app replacing
| the legacy AOSP Camera. You can also use the Google Camera
| app included in the stock OS on GrapheneOS if you want more
| features. It only depends on GSF which can be installed
| alongside it as another fully sandboxed app. They work the
| same way as any other apps. There's a guide on the camera at
| https://grapheneos.org/usage#camera. GrapheneOS has the same
| camera quality and features as the stock OS. It's the apps
| which are different, and you can use the stock OS camera app.
|
| It's also possible to use Play services (GMS) and the Play
| Store as fully sandboxed apps due to the sandboxed Play
| services compatibility layer on GrapheneOS. You might be
| choosing to use it without that but it does have broad app
| compatibility for users who want it. You don't have to give
| up much to use GrapheneOS anymore. Not every Play services
| feature is available but the functionality that's available
| is steadily expanding as we make extensions to the
| compatibility layer.
|
| https://grapheneos.org/usage#sandboxed-play-services
|
| The compatibility layer enables using GSF, GMS and the Play
| Store as fully sandboxed apps with exactly the same
| restrictions and permission model as any other user installed
| app. That includes the improvements offered by GrapheneOS
| such as the Sensors toggle, Network toggle, stronger sandbox
| and other privacy/security improvements protecting the OS
| from apps.
| xanaxagoras wrote:
| > For example, the camera app isn't as amazing as it is on
| Pixel with full Google Android, and it probably never will
| be.
|
| I haven't used Graphene but I assume most users do what most
| Calyx users do, which is extract the gcam apk before
| flashing, install it, and completely block its internet
| access with the firewall. We can and do use the stock camera,
| and it's great.
| samwhiteUK wrote:
| Does anyone actually buy these things?
| Belphemur wrote:
| Does anybody know this company or use any of its products?
|
| Because this looks like a scam or another company providing
| security service for criminals (or will be mostly used by them).
| staunch wrote:
| I've bought a number of their Nitrokey HSM 2's and been very
| happy with them. But that is pretty much the extent of my
| knowledge of them.
| nbernard wrote:
| I'm not using any of their products, but I believe they are known
| for providing an alternative to yubikeys.
|
| EDIT: actually, it seems that Purism's Librem key is (was?)
| based on the Nitrokey.
| heavyhephaistos wrote:
| I am using their FIDO 2 USB-Keys for 2FA. First I was sceptical
| too, but they are on the market for quite a while and I like
| their fully FOSS approach which Yubikey does not provide. Some
| of their products seem a bit overpriced, because you can do
| everything by yourself, but if I count all the hours and days
| spent with unlocking Bootloaders, searching ROMs and debugging
| them, this offer seems worth the price.
| alkonaut wrote:
| Why are they advertising 4.5 years of software updates? Is it
| because Android phones usually have an even shorter compat period
| than 4.5 years? How many years should I expect if I got the same
| model otherwise (Pixel?)?
| kaba0 wrote:
| > Is it because Android phones usually have an even shorter
| compat period than 4.5 years?
|
| Yes, most of them. But the Pixel is an exception with 4 years
| of software and 5 years of security updates promised directly
| by Google.
| pyther24 wrote:
| Easy to offer 4.5 years of software updates, but will the company
| be around in 4.5 years?
| djrogers wrote:
| Well, realistically they're not the ones providing the updates.
| Graphene is providing them.
| mrweasel wrote:
| 4.5 years also isn't that much. I just replaced my 5 years old
| phone, but only because it's not actually my own, but paid for
| by work. Had it been my own, I'd get the battery replaced and
| the charging port cleaned instead. The battery replacement
| isn't even that expensive.
|
| Using a five year old phone isn't an issue anymore, they are
| fast enough that it doesn't matter.
___________________________________________________________________
(page generated 2022-01-04 23:02 UTC)