Are you seeing the problem with targeted downvotes towards my comments? I got precisely 5-6 downvotes suddenly in the past hour (for every single post and comment I have made for the past week or so) suddenly for a reason - vote manipulation via sockpuppets - this is the kind of crap they precisely do. What does a leftist do? Stop supporting and using that product, and switch to something that works just as fine. Continuing using something made by such horrible entities while saying otherwise is a kind of faux virtue signalling US govt does via news media.
Calyx if you want one of these pre-configured custom ROMs for Pixels only, and Lineage or /e/ if you want more device support.
If you think the part about locked bootloaders is so important, just know that they lie to the extent of going around in tech YouTuber comment sections and claim they have $1M Cellebrite Israeli toolkits to verify grapheneOS is safe against bootloader attacks like Evil Maid. https://i.imgur.com/woNxPhx.jpg
Okay, first of all: Chill, and let me lay out an observation here.
You are very passionate about that topic, maybe a little too much. The way you talk about it is too heated, and gives people the idea that a civil discussion might not be possible.
The fact that you immediately start conspiring about where your downvotes come from doesn’t make it any better.
Now, the issues you describe are very much real, and a problem. There are merits and downfalls in each project, each one handles these differently, and it is for us to decide how to react to that.
So, you’re saying that as a reaction, I should neither use Graphene nor DivestOS, am I understanding this correctly?
What then? Compromise my privacy by using less optimal systems? Why would I do that?
Doing things out of principle vs doing them out of practical use is something this community is quite aware of, isn’t it. Sometimes the decision isn’t easy, sometimes it is.
This is not about “passion”. I have been monitoring and documenting the “security zealots” in FOSS community for the past 5 years. If you think that’s nuts, I recommend you take out an hour or two and go through this stuff. It will be worth it.
There is no conspiracy btw, regarding voting manipulation and sockpuppet trolling (they admittedly do it). GrapheneOS is by far the most vicious entity in FOSS/privacy community for a while now, to the point Techlore community openly calls them “rabid dogs”. Lemmy is just seeing this stuff afresh, what has been going on Reddit for over 3 years. They would have imported that culture onto Lemmy long ago, if I was not here for the past 3 years, and not a moderator acting as a defense line.
There are only 3 things they ever did on their own as extras, and even they have basically no value in the grand scheme of things, them being offering:
instead of 16 character, 64 character password limit on lockscreen
PIN scrambling
Morula method of exec spawning instead of Zygote method used in most AOSP projects
Now, I will elaborate on these 3.
Elaborating on first one, it is kind of useless as you can see for obvious reasons.
For second one, you already understand why fingerprint avoids the issue of someone peeping at your PIN/password entered across your shoulder. Fingerprint is infinitely superior. Even more so with Android and iOS both offering biometric Lockdown features.
This one is somewhat half credible, but the goal is to destroy the memory blocks used by an app after it is exited, so that memory blocks do not retain essential text strings of data to exploit. For this, you can just go to Developer Options and enable “Don’t keep activities” and it will achieve the same effect as Morula method of exec spawning implemented by GrapheneOS.
So out of the 20-30 features GrapheneOS claims they developed, everything is either a modification of app permissions or firewalling or AOSP feature rebranding.
Also, as you may have famously heard about “Sandboxed Play Services”, it is not developed by GrapheneOS, but a project called ProtonAOSP, whose developer is kdrag0n. GrapheneOS copied that off and rebranded it as their own developed thing.
As you can see, GrapheneOS is basically a lot of marketing and in reality, there is negligible or nothing beyond the surface. This is called snake oil, or selling bridges/dreams.
A civil discussion is not possible with people that always lie about things for years (https://old.reddit.com/user/lo________________ol/comments/1314x2x/why_did_i_do_this/), then manufacture lies about how they were swatted to manufacture drama and gain fame, never to give evidence, label everyone neonazi or complicit in this hoax murder attempt, censor any attempts of being questioned and go underground, and use “autism” label to dodge accountability, and to be a witch hunting liar and an asshole to everyone.
Whichever system you can navigate through easily and freely, none of which is a smartphone. Smartphones are only temporary vessels on-the-go for calling, texting and photos/videos. Keep your computing as much as possible to a real, dedicated computer or laptop. Any mainstream Android phone in the past 3-4 years, if you do not root or unlock it, has been “secure” at this point, as long as you are not installing calculator apps that need your credit card info and camera access, and as far as your adversary is not the TSA airport agent with Israeli Cellebrite kit or you are not a state actor target for malware like Pegasus.
Funnily enough, Pixels have been horrifically insecure for a while now, besides their garbage QC issues. Google took months to fix these security issues for 6A, 7 series that were more easy to exploit than the security issues any other Android maker has had for the past few years.
Any decent Android phone post Android 9 version, provided you:
do not root or unlock it
you debloat it thoroughly
install apps carefully
put a firewall with nice DNS provider
restrict app permissions as much as possible
keep OTA security patches updated
is a secure phone to use. There is full disk encryption for years now, and iPhones are cheaper and easier to exploit than Androids since 5-6 years.
I have had a non-root smartphone guide for years now (https://lemmy.ml/post/128667), letting anyone have a private and secure Android device without any Safetynet tampering or bootloader unlocking complexity, which also allows to use Android Auto, bank apps and any of those Safetynet apps comfortably. This, to the best of my knowledge, is the Pareto frontier of usability, privacy and security on smartphones, provided you have an actual computer as well.
Someone made an Android app that allowed me to solve the issue of physical phone theft as well, effectively disallowing anyone (unless million dollar Cellebrite-like kits can exploit the stolen locked phone) to extract data out of your phone, in case someone took your phone on the street and ran away. This requires locked bootloader, which is the default state of any Android phone you purchase commercially, unless later unlocked or rooted.
Are you seeing the problem with targeted downvotes towards my comments? I got precisely 5-6 downvotes suddenly in the past hour (for every single post and comment I have made for the past week or so) suddenly for a reason - vote manipulation via sockpuppets - this is the kind of crap they precisely do. What does a leftist do? Stop supporting and using that product, and switch to something that works just as fine. Continuing using something made by such horrible entities while saying otherwise is a kind of faux virtue signalling US govt does via news media.
Calyx if you want one of these pre-configured custom ROMs for Pixels only, and Lineage or /e/ if you want more device support.
If you think the part about locked bootloaders is so important, just know that they lie to the extent of going around in tech YouTuber comment sections and claim they have $1M Cellebrite Israeli toolkits to verify grapheneOS is safe against bootloader attacks like Evil Maid. https://i.imgur.com/woNxPhx.jpg
Please read the paper by Ken Thompson, co-creator of Unix and C, on why we should be able to trust the developer and NOT the code. https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
Okay, first of all: Chill, and let me lay out an observation here.
You are very passionate about that topic, maybe a little too much. The way you talk about it is too heated, and gives people the idea that a civil discussion might not be possible.
The fact that you immediately start conspiring about where your downvotes come from doesn’t make it any better.
Now, the issues you describe are very much real, and a problem. There are merits and downfalls in each project, each one handles these differently, and it is for us to decide how to react to that.
So, you’re saying that as a reaction, I should neither use Graphene nor DivestOS, am I understanding this correctly?
What then? Compromise my privacy by using less optimal systems? Why would I do that?
Doing things out of principle vs doing them out of practical use is something this community is quite aware of, isn’t it. Sometimes the decision isn’t easy, sometimes it is.
This is not about “passion”. I have been monitoring and documenting the “security zealots” in FOSS community for the past 5 years. If you think that’s nuts, I recommend you take out an hour or two and go through this stuff. It will be worth it.
https://old.reddit.com/r/privatelife/comments/ug9qnc/writeup_criticism_of_rprivacyguides_grapheneos/
https://old.reddit.com/r/privatelife/comments/13teoo9/grapheneos_corporate_foss_loving_witch_hunting/
There is no conspiracy btw, regarding voting manipulation and sockpuppet trolling (they admittedly do it). GrapheneOS is by far the most vicious entity in FOSS/privacy community for a while now, to the point Techlore community openly calls them “rabid dogs”. Lemmy is just seeing this stuff afresh, what has been going on Reddit for over 3 years. They would have imported that culture onto Lemmy long ago, if I was not here for the past 3 years, and not a moderator acting as a defense line.
As for “security” and features of this AOSP fork, look no further. https://i.imgur.com/pQHoq84.jpg
There are only 3 things they ever did on their own as extras, and even they have basically no value in the grand scheme of things, them being offering:
Now, I will elaborate on these 3.
So out of the 20-30 features GrapheneOS claims they developed, everything is either a modification of app permissions or firewalling or AOSP feature rebranding.
Also, as you may have famously heard about “Sandboxed Play Services”, it is not developed by GrapheneOS, but a project called ProtonAOSP, whose developer is kdrag0n. GrapheneOS copied that off and rebranded it as their own developed thing.
As you can see, GrapheneOS is basically a lot of marketing and in reality, there is negligible or nothing beyond the surface. This is called snake oil, or selling bridges/dreams.
A civil discussion is not possible with people that always lie about things for years (https://old.reddit.com/user/lo________________ol/comments/1314x2x/why_did_i_do_this/), then manufacture lies about how they were swatted to manufacture drama and gain fame, never to give evidence, label everyone neonazi or complicit in this hoax murder attempt, censor any attempts of being questioned and go underground, and use “autism” label to dodge accountability, and to be a witch hunting liar and an asshole to everyone.
Marketing, lies and deception aside, what is the most secure and private Android system?
Whichever system you can navigate through easily and freely, none of which is a smartphone. Smartphones are only temporary vessels on-the-go for calling, texting and photos/videos. Keep your computing as much as possible to a real, dedicated computer or laptop. Any mainstream Android phone in the past 3-4 years, if you do not root or unlock it, has been “secure” at this point, as long as you are not installing calculator apps that need your credit card info and camera access, and as far as your adversary is not the TSA airport agent with Israeli Cellebrite kit or you are not a state actor target for malware like Pegasus.
Funnily enough, Pixels have been horrifically insecure for a while now, besides their garbage QC issues. Google took months to fix these security issues for 6A, 7 series that were more easy to exploit than the security issues any other Android maker has had for the past few years.
https://bugs.xdavidhu.me/google/2022/11/10/accidental-70k-google-pixel-lock-screen-bypass/
https://twitter.com/ItsSimonTime/status/1636857478263750656
https://www.notebookcheck.net/Google-Pixel-6a-reviewers-claim-to-encounter-a-potentially-serious-device-security-issue.637266.0.html
Any decent Android phone post Android 9 version, provided you:
is a secure phone to use. There is full disk encryption for years now, and iPhones are cheaper and easier to exploit than Androids since 5-6 years.
I have had a non-root smartphone guide for years now (https://lemmy.ml/post/128667), letting anyone have a private and secure Android device without any Safetynet tampering or bootloader unlocking complexity, which also allows to use Android Auto, bank apps and any of those Safetynet apps comfortably. This, to the best of my knowledge, is the Pareto frontier of usability, privacy and security on smartphones, provided you have an actual computer as well.
Someone made an Android app that allowed me to solve the issue of physical phone theft as well, effectively disallowing anyone (unless million dollar Cellebrite-like kits can exploit the stolen locked phone) to extract data out of your phone, in case someone took your phone on the street and ran away. This requires locked bootloader, which is the default state of any Android phone you purchase commercially, unless later unlocked or rooted.
That is the most elaborate way of dancing around a simple answer I have ever seen, I am impressed.