hypothetically how well would it work to move the verification and decryption to a flash drive that is either remove after boot or non writeable by physical switch? Say if a device didn't support Secure Boot?

That is an option

That's what Hackintosh does to enforce verified boot

BTW there can be a chkboot for that

The system does reverse verification on the kernel that booted it

If it's not matching it stops booting

that could be comprised by smart mlaware though no?

Yes

The best bet is

Fully encrypted boot

<anupritaisno1[m] "Idk how you can get dm-verity wi"> It's in mainline sar

spaceinfinite: Kinda makes sense

<madaidan[m] "It's in mainline sar"> The tools are not

That's the problem

You guys this CloudReady stuff is interesting

But how is it privacy wise

Also why tf didn't this take off like linux distros

Like it's open source wtf

@bulletproofman:matrix.org I mean it's not bad, but it does need a Google account. You can opt out of all the concerning stuff though

cn3m: Do you HAVE to use a google account? Why not make a version without Google accout

I don't trust Google to honor settings. They were caught many times.

since I'm too lazy

jk I am busy helping GrapheneOS on Reddit

cn3m: Go on do your job boi

<bulletproofman[m "I don't trust Google to honor se"> Google has not exactly lied these things were documented. The definitions are under debate

cn3m: Location data collection is the biggest proof

Google documents things very well

Even if you don't have location on

<bulletproofman[m "cn3m: Location data collection i"> that was a surprise to no one

very well documented

They STILL collect location data

Is it safe to run MicroG on a second user profile on GrapheneOS to be able to run my bank app? Is there any alternative better than MicroG?

<adamso[m] "Is it safe to run MicroG on a se"> microG needs signature spoofing to work

<bulletproofman[m "They STILL collect location data"> they document all these features very well

What's the other alternative to MicroG!

people don't research this stuff well

I knew every Google "scandal" before it happened

I probably know some that are yet to happen

<adamso[m] "What's the other alternative to "> Web Apps

cn3m: thank you.

Google implementations are all open source on ChromiumOS @bulletproofman:matrix.org

cn3m: It's honestly hard for me to.trust google. I'm not just interested in Security. But Privacy as well.

Do I need to setup a new user profile to use Web Apps securely?

cn3m: Do you know about this xda-developers.com/fydeos-chrome-os-brings-android-apps-pc

@adamso:matrix.org no just use the browser

<bulletproofman[m "cn3m: Do you know about this htt"> that doesn't have any local accounts it is temporal

use CloudReady

cn3m: the point is the Android app summort

Support

CloudReady doesn't have that though''

it's an insecure implementation

CloudReady isn't going to do a shitty job

they rather not do soemthing than do it blatantly wrong

Hey, guys

Wickr started not working on my grapheme on pixel3. About a month ago. It's the only app that doesn't work

cn3m: But but it's closed source.

Some mates have the same problem. The app just turns off as soon as I open it

@korma:matrix.org hey sorry I took so long to get to your post. Had a modmail issue

@bulletproofman:matrix.org CloudReady?

cn3m: Yes

what's closed source on CloudReady?

@analogpathy:synapse.travnewmatic.com isn't it open source?

Cn3m : no worries, which post are you talking about, on grapheneOS subreddit?

<cn3m[m] "@analogpathy:synapse.travnewmati"> Yes it is.

was that you who posted? @korma:matrix.org

on the sub

about Wickr

@analogpathy:synapse.travnewmatic.com thank you sir!

cn3m: alright sorry.

cn3m: usually alternativeto.net is accurate.

Cn3n : yes!

welcome to matrix

I've contacted wickr support to, Friday, no reply yet

I don't use Wickr sadly

cn3m: Have you tried it? I don't see any of my machines being certified.. also why are the machines certified for a limited time?

it runs on everything

Hey korma[m], I wonder if they ended up doing something like hard-coding it with a dependency on Google Software Frameworks without a fallback, or if there's a bug in the client software that causes it to access memory out of bounds.

might be worth trying to on Stock with Google disabled

if it works fine it might be a security issue

Interesting. So basically when I re-install the apo with aurora store, it works fine for a few mins/hour and then keep crashing again

Stock is the rep for app without signing in to google right?

does anyone have that link to the 174 malicious programs that went through the open source supply chains?

that was a good study

Hey cn3m[m], I don't offhand, I will keep an eye out for it!

thanks @freenode_TheJollyRoger:matrix.org

exactly what I mean

TheJollyRoger: cn3m I will test root certs in another profile with my extra tablet. Does anyone which app?

I am trying Packet Capture right now

Is there any recommended way to charge your phone? I mean some say its better if it never reaches 0% and doesn't get charged to 100% and that you keep it in between like 10 and 90 ,but is there any science to it, tried searching and every website is just a copy of a copy

The certs appear to install on Android 7.1.2. They however don't appear to seem to actually work and it doesn't carry over to the owner profile. This could be different in newer versions

* TheJollyRoger: cn3m I will test root certs in another profile with my extra tablet. Does anyone know which app?

mxnorvak: my understanding is that all modern phones take care of this on there own. 0% doesn't actually equal 0% battery power

j3ghprjfo: i agree

Has anyone here used Habitica? It says it's open source but i'm not sure if it's good for privacy

<radixed9[m] "The certs appear to install on A"> thanks man

bulletproofman: Daniel talks a lot on this channel

<j3ghprjfo[m] "mxnorvak: my understanding is th"> So it's safe for the batteries health to reach that low?

overheadscallop: Yes, i got it :) ty

<mxnorvak[m] "So it's safe for the batteries h"> No

The best way is to keep your phone plugged in all the time

You'll never have any degradation at all

<anupritaisno1[m] "You'll never have any degradatio"> Hah take that dad. He keeps telling me to unplug the phone it will explode if u leave it charging too much lol

<bulletproofman[m "Hah take that dad. He keeps tell"> Okay that's not very realistic as nobody can keep the phone plugged in for years

Well I never take my phone outside my home so I can

But even then no Bluetooth headphones so I need to disconnect for music

anupritaisno1: headphone jack ftw

Otherwise I remember my old oneplus 2 on the charger for periods longer than a week

Ok i lied i like bt

But i like a backup hole

That sounds wrong

Very wrong

Oh

Oh i mean jack

Lmaooi

😂😂😂

I know

<anupritaisno1[m] "The best way is to keep your pho"> I can't tell if you're being sarcastic or not

<mxnorvak[m] "I can't tell if you're being sar"> I do it all the time

My battery life depends on usage though

Who do u guys think of LBRY as a platform?

Idk why team viewer sucks battery that way

BTW anyone know the rattlesnake dev?

He's here but need to message him for something

<anupritaisno1[m] "I do it all the time"> So a noob question

When it reaches 100

Guys

Are you still alive

Am i lagging

What do you guys think of Lbry as a platform

<bulletproofman[m "Are you still alive"> No

madaidan.: *resurects u*

Only a CFI binary in Linux can resurrect Madaidan

overheadscallop: is that pic from BnS ?

overheadscallop: how do i dm

No, it should be over top of the Direct Messages.

Yipes that's one heck of a netsplit.

radixed9[m]: oh, no, I wasn't testing with an app, I was just seeing if they would install for other users. Unfortunately, it looks like the "non-owner" profiles hide this function.

<analog[m] "Only a CFI binary in Linux can r"> That's why we use Chromium

@madaidan.:matrix.org windows master race though

hack my Edge Chromium WDAG

<mxnorvak[m] "Does it still use the battery or"> It still uses battery

Oh man that'd be funny.

The charger provides intermittent current

You can't really run your phone off it without a battery

Explosion will not occur unless you use a bad charger

No one can exploit my system

<cn3m[m] "No one can exploit my system "> Never have that attitude.

Always tag your sarcasm :P.

Says the guy with the magisk profile pic

cn3m: Why did u pick edge chromium?

TheJollyRoger: hey hey cap

anupritaisno1: 😂😂😂😂

Hi!

What can I do for ya?

<TheJollyRoger "What can I do for ya?"> Nutt

But to a pic of the NSA

I'm eating nuts as we speak. Quite delightful.

analog: omg i love nuts

Dammit analog[m] now you have me in the mood to go and buy those chocolate covered nuts again at BulkBarn.

Wait

Warning: may contain nuts

No

That sounded weifd

I like

Nuts in chocolate

Dark chocolate is great

Ya know what i'll judt stfu

But chocolate is a fruit

So you like nuts with fruit

anupritaisno1: wtf no

Chocolate is chocolate

It's made

Speaking of chocolate

You guys windows got a package manzger

A package manager?

TheJollyRoger: Yes !

Yes

Winget

Wow.

Chocolatey

<bulletproofman[m "Chocolate is chocolate"> By definition a fruit is anything with an edible part and seeds

This is why people think tomato and cucumber are vegetables but they're fruits

Same applies to chocolate

anupritaisno1: No. It can't be. Tomato and cucumber are fruits??!!!! Wth wth that-s weirdds!!

Yeah. Same with walnuts, technically.

Well

Unless you use fake chocolate

Eggplants are also a fruit

This is..

Fruity

This is blasphemy

You can't say that

That's like saying linux is the most secure os ever

<bulletproofman[m "That's like saying linux is the "> Yes

Just remove the init code

It will become secure

Wait until you hear peapods are fruits too

anupritaisno1[m]: hehehehe, sounds like the time I found I could disable the Intel Management Engine on my old PC by shorting the power supply!

It stank really bad, but now that computer is IME free :D

<anupritaisno1[m] "Just remove the init code"> But that's the one that starts all the processes

Wait

Oh i get it

I'm slow sorry

Hehe no worries XP.

😑

We need a wooshproofman here

analog: u___u

(No kidding though, I fried the thing really good. Smoke was pouring out of the case.)

TheJollyRoger: ur insane cap

Hee hee... I think that computer's time had come :P.

If i'm being real. I hate IME

Arm doesn't have these problems right?

Well, here's my take on it:

Management interfaces are actually a part of modern, performant CPUs these days, there's no two ways about this.

If you want the CPU to start, that is.

There's actually *nothing* wrong with using a smaller, less powerful, and *MUCH MUCH MUCH less complex* discrete computer system to start a larger, more complex and much more powerful system.

Even my Talos II has a management interface, it's called the OpenBMC.

*It's called the BMC, which runs OpenBMC.

TheJollyRoger: Buuut it'S OPEN

Yes, which brings us to part two: I think the big problem that rubs a lot of security researchers the wrong way is that Intel is fascinatingly tight-lipped about theirs, despite its highly privileged position.

TheJollyRoger: Yeah i mean shit that's a lil.... weird

And.... suspicious

Hmmmmmm

To Intel's credit, one of the reasons they can't, is because they've signed deals with content publishers and vendors for protected playback and content protection.

Since unfortunately, hollywood loves its DRM.

Sadly enough as well, the IME's role in maintaining platform security is also unknown.

Which I think is really depressing.

TheJollyRoger: :S

It makes me maad

Yes. In the 1990's, System Management Mode was originally designed as a way to allow for power state to be managed by the host, without having to trust the host with that kind of responsibility.

But since then, System Management Mode ended up being ended up used for a lot of other things and becoming more and more bloated with functionality of "Hey we don't want the host OS to futz with this? Just throw it into System Management Mode."

Without having to trust the host is the key right

Yeah. Then it became apparent that SMM wasn't enough, and they needed something that could reign in SMM...

And the bloat is what introduced attavk surfzce?

Not quite. SMM presents some attack surface on its own, but it's distinct (and separate from) the Intel Management Engine.

TheJollyRoger: Oh roger that

The Intel Management Engine's role in /keeping SMM in check/ is something I really don't know and for that matter, I don't know if anyone else does.

So what about

Amd

What's their deal?

So this is why running me_cleaner could actually be doing you a disservice.

AMD has their own which is analogous. Around ~2012 the Platform Security Processor (AMD Secure Technology) became non-optional.

AMD is in a similar position to Intel. If they want to be able to give their customers things like the ability to play DRM-protected or copy protected content, they need to make that same deal with the devil that Intel did.

I'm glad talos exists

Similarly though, I don't believe these "PSP Kill Switches" or "Disable Bits" are worth much more than virtue signalling and marketing gimmicks to people who don't know any better, since if you were to disable the PSP, what unparks your cores and initializes your DRAM timing prior to host initialization?

Me too :D

Even tho it's expensive as shit

Heh, yeah... but everything's relative. At my old company, we used to lease our workstations.

One thung i fail to understznd

We would fork over $7000 over a period of /three years/ for those crappy workstations, and at the end of those three years, you had to give the station back to Dell.

How will apple keep software working

If they switch to Arm

I'm not sure.

Wouldn't that change things a lot or am i understanding things weird

It would.

They'd have to release both arm and x86 versions of their software. But I don't think switching architectures has actually stopped them before, since they've done it in the past.

Back in 2005 I think they made the jump from PowerPC (back then, this was 32 bit big-endian PowerPC, which is not the same as POWER9) to i386.

Wasnt that like a Loong time ago

Yeah. Fifteen years!

Boooooi what are they doing

I don't know. But I think if anyone could do it, it's probably Apple, since they do all their software development in parallel with their hardware development.

So they have much more awareness of what their buyers are doing and buying and what platforms are out there.

I guess

Partially open sourcr

Arm

Isn't arm partially open source

Given that these days when you buy software only dinosaurs and gaming consoles actually get a physical copy on physical media (and sometimes, not even then), they're actually in an even better position to do this /now/ than they were fifteen years ago.

Fckin hell my sausage fingers

It's up to the vendor.

TheJollyRoger: There was this processor

A while back

Called Risc v

ARM Holdings actually makes its money licensing the IP to other vendors, so no, it's not open.

Yep, what about it?

TheJollyRoger: Is it good securiry wise?

Well, RISC-V is not a processor, but rather, RISC-V is a sheet of paper. It's an ISA that's BSD-Licensed. So this means that RISC-V chips are only as open as their vendors will /make them./

It's a sheet of paper.

It's an ISA.

The Linux and FOSS community seems to forget this and the hype around it has translated into confusion that because the ISA will be open, the chip will be open.

This isn't the case: the largest deployment of RISC-V processors is, in a hilarious irony, in Nvidia GPUs.

Because it allows NVIDIA to not need to pay big fat profits licensing its falcon processor.

TheJollyRoger: :(

:"(

And NVIDIA has the dubious honour of being the only company that Linus Torvalds has called "the worst company ever to work with" and cussed them out on-camera with his middle finger.

TheJollyRoger: lol i remzmber that

Hehehe yeah :D

What do you think about buying old thinkpads

You see from what i gathered from the infobu guys give

So... all in all, that's the thing about hype. While it's really nice to think about, sometimes people (especially in echo chambers like Reddit) get carried away with unrealistic hopes and then end up confusing their unrealistic hopes with "what will be."

It's technically a bad idea right? You know the IME fre thinkpads

Well...

It's the microcode isn't it

Damn, makes me feel nostalgic, I remember when those were a dime a dozen and then December 2017 hit and the prices got jacked way up!

Some Question if you have Bluetooth enabled won't it brodcasts its ID and somebody could find out this way where you were by your ID? (by ID I mean the BSSID that can't be changed and it seems like Bluetooth has that aswell?) (I understand the BSSID part about WI-FI but still not about Bluetooth(if it exists)) (sorry if I'm wrong about that)

Yes. Many of those old CPUs, like old Core2Duos and Dual Cores are no longer recieving microcode updates for chip level vulnerabilities.

twitx: innit how contact tracing works

TheJollyRoger: Oh i feel like i'm starting to understand and reason better and i just joined this sub yesterday

For real thank you guys i feel like i'm learning, albeit slowly

Hi twitx[m], I haven't dug into or looked much into Bluetooth at this moment, maybe somenoe else will be able to chime in. GrapheneOS doesn't include play services for Google's COVID tracking though.

bulletproofman[m: hey man no worries we all start somewhere! :)

So without those microcode updates that provide the mitigations, it's kinda like... what would be the best way to describe it...

TheJollyRoger: I have an image in my mind. A ship with holes

it'd be kinda like removing the screws from your front door, tearing your front door off its hinges, then nailing it over your rear bay window and saying "There we go, nobody's going to break in now!"

Yes, ahahahaha, or that :D

TheJollyRoger: lmao yeah mine was simple i guess

fishingtackle[m]: oh hey you got one of those soft fabric cases? Nice!

<fishingtackle[m] "c7f581ab-b03b-4200-8719-2d21dbb1"> Don't ever buy this cover for a Pixel 3aXL... I dropped the phone twice and both times the screen shattered.

<TheJollyRoger "Hi twitx, I haven't dug into or "> I'm just talking about normal Bluetooth since I've used Wigle which also scans for Bluetooth and shows an BSSID which I'm not sure if its like on WI-FI where its permanent (and what I've said could be completly false)

Oh. WOW fishingtackle[m] yipes, not nice then! Jeez.

Good to know O_O.

<TheJollyRoger "Oh. WOW fishingtackle yipes, not"> Third time lucky...$3 rubber case.

twitx[m]: ah, okay. I don't know anything about Bluetooth, someone else will have to answer for me, sorry.

fishingtackle[m]: jeez >_<.

<fishingtackle[m] "Don't ever buy this cover for a "> Happend to me aswell that's why I would recommend buying a screen protector aswell

<twitx[m] "Happend to me aswell that's why "> I had that too.

<TheJollyRoger "twitx: ah, okay. I don't know an"> Okay

Did it still not help fishingtackle ?

<twitx[m] "Happend to me aswell that's why "> I almost shed man tears the second time.

I like privacy screens. Makes peaking a lil harder

<twitx[m] "Did it still not help fishingtac"> I am opting for the non glass screen protector and the $3 rubber case this time.

I've got two cases (one I accidentally ordered by mistake when I forgot to click "remove from cart") one is a UAG case which has high rubber curbs around the sides, the other is a slimmer Spigen case.

Yeah, and glass screen protectors work wonders!

TheJollyRoger: I saw those UAG cases. They are so sexy.

Saved my phone once when it slipped out of my pocket and smashed screen-side down onto my front steps.

Yeah! They look great :D

The screen protector shattered into pieces but luckily the phone beneath it was saved, so I peeled it off, wiped it off and stuck another one on in its place.

Why me?

fishingtackle[m]: Jeez :( That's really bad luck :(

It isn't fair...

Yeah :(

I have the Google Pixel case currently it once fell on well rocks but I can still use my Phone I just can't use the Notification Bar and sometimes the Keyboard just randomly types but expect that it still works

If you guys really need the protection I really recommend those Spigen hard glass screen protectors, they're great and I think they come in 3-packs. If you have some sealast packing tape you can even save them if you put them on wrong, as well.

twitx: My phone screen is cravked the HOUSe. And the return button doesn't always work. Did I mention that the friggin phone is old

Does anyone one know what I did to make this wire stick out?

Did I break my speaker?

The speaker is at the bottom

Oh. Uh... shoot. I don't know.

I haven't tried taking my cellphone apart.

<twitx[m] "The speaker is at the bottom"> support.google.com/pixelphone/answer/7157629?hl=en

<TheJollyRoger "I haven't tried taking my cellph"> Add it to my bucket list once i get an iphone

Oh boy, ahahaha. Luck!

Is it supposed to be attached to that blob?

Why do I do this to myself?

fishingtackle: count 1,2,3 then make a wish, and blow on it

I'll go back the way it was

I do this everytime i break anything

Works well

Do I really have to have Google Camera on a sparate profile to improve privacy/security? I don't see how can it be bad if I disable the network permission to it...

Remember when I said I despise surveillance and don't want to live in US? I might have changed my mind now due to a new law to be passed there. (This gives the more necessity to seek for a secure phone this time around.)

furofuro_01: I wanna move to the EU so bad

I'm in africa

<bulletproofman[m "furofuro_01: I wanna move to the"> Same

There goes my threat modeal being deeper.

* There goes my threat model being deeper.

Guess who's decided to move to GrapheneOS soon.

furofuro_01[m]: what law?

Basically, the military can surveil messages and calls from telco

<JTL "furofuro_01: what law?"> Dont want to disclose due to this being logged and public

* Basically, the military can surveil messages and calls from telco for like 2 months. Definitely keeping my silence, for the best privacy is when you dont say it. However, I might keep myself here (matrix) due to E2E encryption on private messages, or use Signal with random numbers.

Just check r/privacytoolsio

furofuro_01: ur in china right ?

Nope. Definitely not in China

I would not like to live there at all

* Basically, the military can surveil messages and calls from telco for like 2 months.

More reason to use VPN

fun fact

I just wrote a big guide

on all the ways to get your real ip with an app on iOS or Android

cn3m: drop it

In short, I should not use VPN on 2 profiles?

No wonder I had the same bug (even on LineageOS I cant just reformat rn due to circumstances)

it's the same across all Androids would be a safe assumption

Kinda a bummer I cant compartmentalize personal with main profile where both have VPN

Unless I have a router with VPN

Why not just get a vpn router

Problem solved

I dont have one right now

I cant flash any other VPN-supporting firmwares in Tenda F3

send help

well you can use multiple vpns and it works for browsers and webapps it'll just screw up your apps

if you only run trusted apps and keep all untrusted code in the browser it's probably fine

Does "Frost" count as webapp?

As far as I know, it is a webapp wrapper for facebook...

<cn3m[m] "well you can use multiple vpns a"> And yes, I mostly use webapps and browser for browsing... (Guess thats why my download speed on newpipe is way too fast I guess?)

<furofuro_01[m] "Does "Frost" count as webapp?"> yes it's using the Vanadium hardened Trichrome WebView on GrapheneOS. It's a trade off security wise with Bromite so YMMV

I get the most questions about VPN and Firewall bypasses. People forget just how powerful apps are ha

Nice.

So, if I get it right... I am getting way faster download speed on Newpipe because it sees my real IP?

<furofuro_01[m] "So, if I get it right... I am ge"> it's not impossible

it would take a bit of testing to certify that as related

cn3m: is the number of threads related

To speed

@bulletproofman:matrix.org in?

When it comes to downloading

It's a question

in what context?

cn3m: Downloading videos from newpipe

Technically

it depends tho

usually not slower... usually

it should be faster

here's an interesting comment I wrote if anyone wants to see more Android and iOS flaws

It does feel faster

it depends, you can look up multithreaded downloads

it's not a priority for me to explain a non privacy or security related technical topic

Alright, imma just say i saw that link

I friggin love your explanations, which is why

I need to understand how tf

Does this whole PRISM thing work

I see conflicting info everywhere

And it's VERY confusing.

I'd say probably not, but maybe

keep in mind all these programs worked since no one uses HTTPS and crazy legal gymnastics

both of those things are dead (at least right now)

there could be more creative ways of course

PLEASE

Elaborate

I genuinely trust what you say bro

Cause i know u know wtf u talk about

so Section 215 is deaf

dead*

for now at least which is the whole FISA court and that bullshit

the beating heart of the NSA program

Coronavirus delayed the renewal and Trump says Biden is spying on him with the NSA so it's just dead at this point

now everything is encrypted too

in transit so no more easy spying on the Google Yahoo link

and a zillion other spy methods

security has also come a very long way making exploits harder, domain verification is obviously a thing now

People can't even phathom how much better privacy and security tech is now

Congress also passed that transparency law so now we can see the number of national security requests and even get some copies of NSLs

NSA Mass Spying is probably dead. There's some limited targeting left related to actual crimes. I highly doubt any of us are effected

<cn3m[m] "for now at least which is the wh"> Shit ur right i just checked that

Hold on what about things like XKeyScore

And and tempora and all those scary program

No way those aren't being used in one way or another

It's too powerful to now be abused

Even illegally

XKeyScore is a search engine

tempora is fucked up by HTTPS

everything is illegal now or broken or well recorded at this point

Xkeyscore and optic nerve are what scare me most

California and the EU are also making this stuff even harder. Apple using their encryption on almost all sensitive services and focusing on offline processing means there's almost no data to collect. Google even has the option for full e2ee Chrome Sync(which is partially anyway) and e2ee Android backup. Google is slowly following Apples lead moving the live captions to local processing.

<bulletproofman[m "Xkeyscore and optic nerve are wh"> XKeyScore is just a search engine no?

It searches PRIVATe things too

Optic Nerve was an HTTP dealio iirc

Like ur fb messages emaild comments etc.

<cn3m[m] "Optic Nerve was an HTTP dealio i"> Wait what i don't get it

that's what I'm saying that information is much harder to get if not impossible

XKeyScore is probably no more than an archive at this point

@bulletproofman:matrix.org back in 2012 you could go to a coffee shop and capture everything anyone did

there was no real usage of HTTPS. Sometimes passwords, but then they cookie would be insecure

the web was fucked

this is why so much of the spying worked

people forget how bad it was

Optic nerve works even with ur gafgets turned off

> 00:28 <cn3m[m]> @bulletproofman:matrix.org back in 2012 you could go to a coffee shop and capture everything anyone did

that was a Yahoo app hack

Firesheep existed back in 2010

@bulletproofman:matrix.org he said she forgot to close it. that's a drama anyway

That whole clip and everything in it scared me tbh

Facebook isn't encrypted

or wasn't

What about all that contact info and and the friggin camera and mic can be turned on with a laptop that is turned off

worth keeping in mind that the internet is fundamentally a different internet than when Snowden was sharing info

Optic Nerve takes advantage of a Yahoo program bro

Facebook isn't encrypted

wasn't*

they could gobble up this data like anyone else could if they had that much access to the net

<cn3m[m] "Optic Nerve takes advantage of a"> Which one was it

NSA spying is incredibly crude in design it's not impressive

Yahoo! Messenger

it was unencrypted

Apple for instance forced all apps to be encrypted 4 years ago

everything

the web is completely different

it sounded like Voodoo, but it wasn't

It's all like voodoo to me i'm just

It's like a christian got proved that god doesn't exist

This is how i feel

I'm so overwhelmed. I'm sorry

NSA is more of a devil than a God

You probably won't understand how much pressure all this stuff was to me

It was negatively affecting my mental health cause i felt watched alAys

Always.. and now it's like.. was i over catastrophizing things?

the problem is people who know their shit like Daniel and others are too busy to really spread their message. I'm getting rusty when I would be researching

since I'm helping people

cn3m: I'm really grateful to you man. Istg. I'm crying like a lil bitch rn.

Fuuuck i'm such a wimp 😢😢

So yeah NSA Mass Spying is almost certainly dead for the moment. It's not impossible and it's probably going to take another form in the future, but rest easy

the thing is I can't sell you anything if I don't say the world is fucking ending

I also can't do my serious research

neither of those problems matter to security and privacy charlatans

I disagree!

There are people who want truth

I want truth

I don't have any reason to explain this shit to people beside helping the project. It's a waste of my time and skill beside helping this project

I don't care about tribalism

Fuck that fuck that FUD bs

@bulletproofman:matrix.org great, but I don't get anything out of it

I want

TRUTH. This should be spread.

It does help

I think it genuinely changes minds

People who care about logiv sill listen

Will listen*

I agree, but I spend 3-6 hours a day explaining this to people and it doesn't really pay off for most knowledge people

cn3m: have you considered writing an article or a mini book of sorts?

To explain all of this fiasco with facts anf sources?

fuck no

I can't commit that much time to something people won't read

Maybe we should just nuke r/privacy

people need it in bite sized pieces and I need to argue with them and explain how they think about everything wrong

That shit is a pit of cancer

it's gotta be one on one

I barely care

I only really care about helping GrapheneOS and a little PTIO

I believe in those projects

I can help in this way

Alright. But i want to thank you for this. It's an eye opener. You may not.understand the depth of how much this conversation affected me. But it really did. Positively. Thank you.

I'm so glad man we've all been there

the problem is the frightened hoards are very hard to deal with

smart people like this community and serious researchers no better than to waste their time

the ROI for me is shit

I'm not that knowledgeable either. Compare me to Daniel and I'm toast. Madaidan knows more than me too

countless other guys

the people who really know stuff don't have much time beside research and development

which is how they stay informed

I had to do a bunch of research and correct a mistake I made today

You keep doing what you do. I think your skills are needed in such things more.

Yeah that's the thing I'm in a weird limbo mode

I don't know enough to really be useful doing a lot of work and research

I could help GrapheneOS with some development, but I need people to take over what I'm doing

We all start somewhere

:)

10 people working hard to fight misinformation would be great. If they each did 30 minutes a day

I'd go to working on GrapheneOS or a personal project even research

I'd love to do that but i have to learn more first. Learn the facts.

yeah you'll get there if you try

I just remembered something important. My country is preparing to get 5G soon. What are your thoughts on it everyone?

Another Graphene phone is born..

I'm actually asking about privacy and security effects of 5G

Cause some people say it's fine, some people say it's bad. I looked up information on it

But i get conflicting info and most of the results are talking about health stuff

Annd the fact that some people think it causes corona which is..... interesting // eyeroll

it's no different than the jump with 4g

nothing too special

might make e2ee make more sense

right now FaceTime is hot garbage due to end to end encryption not allowing you to rencode

@bulletproofman:matrix.org that's my main hope. That there will be more support for internet intensive solutions that benefit privacy and security

welcome

<addikted2graphene[m] "RiotIM from FDroid also not comp"> what?

RiotIM from FDroid also not compatible?

RiotX is working but I also had this issue with Orbot.

Me?

addikted2graphene: i'm using RiotX

what issue?

cn3m: thanks!

I was using RiotIM and the last update says that RuotIM not compatible.

RiotIM

weird

Orbot is the same atm.

But it makes me glad I have my graphene

I love GrapheneOS

It rox

I just can't wait for issues #156 and #213 to be fixed

Sorry I am not technical.. What is this issue?

just common just like apps getting ip and firewall bypasses

Damn.

GrapheneOS is still ahead on both, but could use a little love on those issues

I can give you a more technical explanation of you'd like

if*

Sure if I am not wasting your time.

<addikted2graphen "Sure if I am not wasting your ti"> Firewall the system has a ton of leak points so GrapheneOS fixes this by using a slightly modified network permission toggle. Apps still freely talk together

K

that means your untrusted app you run without network permission can talk to another app that can explicitly or accidently share that data

this can be solved by a toggle to disable all ipc per app

this would also give security benefits as well

Firefox had a hijack vulnerability that used ipc to effectively get around the sandbox due to a Firefox flaw

this would be a great feature

the other one is that VPNs are really leaky, but that's an upstream issue. The current advice is use a VPN in only one profile that blocks connections beside the VPN

Is that toggle automatically blocked in Grapheme?

<addikted2graphen "Is that toggle automatically blo"> which toggle?

I mean, toggled to block the leak.

that toggle doesn't exist yet

Oh, OK, sorry. Sounds awesome.

iOS effectively is the only OS with it, but it's on by default

So is it OK to use a VPN like Wireguard?

<addikted2graphen "So is it OK to use a VPN like Wi"> how many profiles do you have with VPNs?

shelter counts too

I don't know what a profile is...

<addikted2graphen "So is it OK to use a VPN like Wi"> worst case it's just going to leak your ip which was going to happen with it off

<addikted2graphen "I don't know what a profile is.."> a user on the phone or a shelter work profile

Oh, I only have one phone profile.

Should I have more?

and you're blocking connections without the VPN?

Yeah, block all

<addikted2graphen "Should I have more?"> depends on your needa

it obviously can cause VPN issues right now (all of Android), but the isolation is incredible

So like have the same chat app in each profile?

Like one profile for work, one for everyday?

well that too but

it protects your app list, contacts, storage, calendar, and other stuff

Oh, cool.

it even "partially" isolates powerful user allowed malware like accessibility settings

Awesome. I might have to mess around with profiles. Thanks.

yeah basically it allows you to mix the freedom of Android with the privacy and security of iOS

Sounds amazing.

on iOS every app is in what would best be described as a hybrid profile

there's nothing quite like it on Android

Profiles are a more bruteforce method to the problem that offers you more freedom, but at a large usability cost

Thanks, I am going to see what I can do with profile settings. I have a social problem which is that a number of friends can only use WhatsApp. I use a shitty old phone for that app but it will soon die. If I have an additional GrapheneOS phone would it reduce the risks of malware from WhatsApp?

Like if it was a dedicated Whatsapp phone.

<addikted2graphen "Thanks, I am going to see what I"> WhatsApp won't hack you

They cannot use Signal where they live.

cn3m: The fact that it's FB irks me. I hate FB and anything under it.

i have noticed that apps in work profile can still see the connections made by apps of the main profile, i thought the network was isolated as well because you can use separate vpn and vpn in main profile don't affect the work profile

<yolotrolo[m] "i have noticed that apps in work"> you're going to need to explain that a little more

<addikted2graphen "Like if it was a dedicated Whats"> WhatsApp isn't a threat to your phone really

it doesn't query packages afaik

your VPN setup shouldn't leak

<cn3m[m] "you're going to need to explain "> well it's simple, apps in work profile can see the connections of the main profile, at least on aosp android10

the issue with WhatsApp would be more if you had gapps

install net monitor from fdroid on your work profile and check it

the names of apps are not shown but you can still see to which server they connect to

<cn3m[m] "WhatsApp isn't a threat to your "> I thought it was easier for people to send malware through it. If I made a phone setup for this purpose would that app be best installed in a separate profile?

that's using a VPN right? @yolotrolo:matrix.org

no without vpn

well i'm using netguard

on both profiles

privacy breaching malware is a little bit of a concern

<cn3m[m] "> <@addikted2graphene:matrix.org"> That is what I was hoping.

<cn3m[m] "privacy breaching malware is a l"> Yeah, I hate using it but no way to get around it on their end.

WhatsApp is pretty safe on GrapheneOS

cn3m: How does FB make money of Whatsapp?

<bulletproofman[m "cn3m: How does FB make money of "> gonna be ads soon I think

cn3m: But what about now?

WhatsApp used to be partly paid

that's how they made money iirc

Facebook bought it to maintain market dominance and to support their long term goal of a cross messenger network using Signal

Facebook wants to have all the world using a massive 2 billion person network based on the most secure communications protocol available

people would not have any reason to leave since they would have the reach and security to dominate the market

But.. when the ads join in the chat

That'll change

Isn't it?

not necessarily

Metadata alone is gonna be helpful

ads don't have to read your messages in that app to be effective if they get data from how you use other platforms (mainly Instagram) they are gold

Instagram has the key advantage of being the only Facebook product you can't opt out of targeted ads

How is that an advantage i-

so if WhatsApp security and privacy draw people in and can talk to everyone people won't want to leave the Facebook ecosystem which means Instagram becomes more appealing

which means they can data harvest Instagram to feed your private and secure WhatsApp with relevant ads

that's their view any way

Ohhhh

Now ur making sense

So it's by proxy

the other thing is

if you can message WhatsApp people on Instagram and vice versa

more people will use Instagram as it will also be Signal powered

Instagram can be good on messaging and creepy on everything else

Facebook has the best secure messaging on any mass scale ever seen

BUT

Whatsapp backups are unencrypted

I trust Apple orders of magnitude more and Google a little more, but they just don't have as good as a technical setup

On drive

<bulletproofman[m "Whatsapp backups are unencrypted"> very true

See this is where the big issue is

iirc Facebook can't see it though

The backups donlt even take space from ur drive

That's weiird

Google can.

only Google can which I trust a lot more especially the cloud

And mine it.

They scan evrrything on ur drive.

for child abuse

Meh I don't want any of them near my data.

Google doesn't even read your email for ads anymore

cn3m: How come?

they switched to G-Suite privacy policy for Gmail in 2017

they cut off their email ad targeting in 2017

cn3m: Maybe they're secretly doing it.

Google is big on transparency

They lied before, will you trust them? (facebook, Apple, Google...), not me. But who knows

and security

they aren't going to lie about that

their privacy policy for G-Suite is pretty clear

Security sure. But transparency... questionable.

@freenode_jalb:matrix.org when did Google lie?

Many times these past years

Even when you disabled the localiation it continued working

etc

everything is very well documented and as an app developer I knew every scandal way before it happened

@freenode_jalb:matrix.org clearly documented and a different system

Google advertising id is a sham, but they don't hide that in docs

In the app permissions for Gallery, what is the background data toggle for?

disable localization and check the connections of the gps, it connects to Google

you can't opt out really

In a normal android phone

cn3m: Isnlt the locztion tracking code in Google play service?

Sorry, I can't trust what they say, and Snowden talked about them

<bulletproofman[m "cn3m: Isnlt the locztion trackin"> yeah

it's all documented though

yea i think he mean the location service not the gps

But you're free to believe them, of course

Maybe you're right

I am not saying to trust them. though they follow their privacy policy and documentation

they don't technically lie

ok

Technically.

I worked a lot with Apple and Google. I feel like Apple is vastly more trustworthy. However, Google is more transparent

They are being sneaky about it

Now all iPhones have a 0-day

It's like "hey it's in the docs. We didnlt lie" sure. But u were being sneaky.

As a developer, I take Apple at their word. They have made mistakes, but they fix it quickly. Google I have to vet everything they say against themselves.

<jalb "Now all iPhones have a 0-day"> yeah that's interesting, thankfully they have a good store model for this. GrapheneOS needs a store with out the Janus attack badly

When your business is to track people to gain money, who knows what could happen...

haha yeah I'm glad I'm away from that

cn3m: When you delete your Google account. Does Google reallly delete it from their servers and backup?

cn3m[m], lol :)

bulletproofman[m, I don t think so, Amazon saves them too

<bulletproofman[m "cn3m: When you delete your Googl"> if they don't I'm suing them even if I go bankrupt when they get hacked

Facebook, etc

they won't risk not deleting data they are legally required too and that they outlined their deletion plan

I know Yahoo does. FB certainly keeps what they have on you.

I wouldn't be surprised if some day you discover all your information and voices in Google/Amazon/Facebook servers

Google takes 90 days I think to actually scrub everything which is longer than full deletion takes

cn3m: I hope so.

there are technical grounds to support not deleting immediately

<bulletproofman[m "I know Yahoo does. FB certainly "> Facebook's policy is too specifically scrub the backup servers after a while

they would get their asses sued to a hack

<renlord "there are technical grounds to s"> yeah of course I'm just being technical

cn3m[m], yes, that's what they say, but their history is not very good about it

i can't even access to my old account they ask my to verify using my ID or something like that

And also the USA government to discover some information in there

They track users who do NOT have fb. Therefore NOT agreed to the TOS.

Via shadow profiles.

And trackers in almost very website

We all saw the congress stuff.

*every

They would get sued to hell if they don't delete the data in takeout. Shadow profiles they'll keep I'm sure

the data you explicitly give them is toast

cn3m[m], they gain more money that paying that penalty

The like button is basically an embedded full fb site. It's alwzy there in the background. Watching..

Who knows...

<jalb "cn3m, they gain more money that "> Facebook is facing up to a $600 billion fine from Australia. Who knows fines are climbing

But i never agreed for a profile of me to get harvested even a shadow one.

especially when they still have shadow profiles why not delete the real ones?

A trillion dollar fine would do

But you know what else would be best?

cn3m[m], how many times EU has sued them?

<bulletproofman[m "A trillion dollar fine would do"> that's more than they are worth...

Not respecting users

If facebook breaks up

Fb a company

They gain money with all that stuff

<jalb "cn3m, how many times EU has sued"> never that much and it gets higher every time

Whatsapp a company

And instagram a company.

cn3m[m], yes

That's how it was

cn3m[m], I really miss the old internet when it began

I knowwww it's frustrating

Fck i wish i was born in myspace days

anti trust laws should slash companies up a little Alphabet being Google, Android, Chrome, and Maps as separate companies could be interesting

FAANG is the new standard oil

<bulletproofman[m "Fck i wish i was born in myspace"> *music plays in the background*

More than 50 years old here...

cn3m: AND YOUTUBE

yes YouTube should be it's own company

Many people are moving to libr or a name like that now...

From youtube

lbry

cn3m: It's my main concern actually. They have monopoly for everythingg.

Lbry

I'm interested in it.

cn3m[m], yes!, what do you think of it?

Very slow in my laptop

@bulletproofman:matrix.org at least it's an open source based monopoly

<jalb "cn3m, yes!, what do you think of"> I have no idea

I haven't researched it at all

ok, it seems to use p2p but very slow with only 2 GB RAM here

It's decentralized

Pays with crypto

U earn crypto watchinng videos

I hope it's not mining crypto...

yeah it sounds sketchy I'm gonna nope out

U can pay ffav creators with crypto too

I rather just use YouTube without an account

their code is fine

cn3mLbry is open source

I'll pass thanks

anti-trust does not apply since google does not necessarily sideline other video services

if you search there are still vimeo videos and what not

I thought they had something about that

anti-trust applied when they preferenced google shopping hits before other providers IIRC

in anycase, apple should be slapped with anti-trust

with their wall-garden

especially that NFC lockdown

they also had the advertising exclusivity clause iirc

your consumer rights to purchased hardware is infringed.

search too

Thiss

i have a much more negative outlook on apple than Google

I love Google tries to tell me Chrome is more secure than Edge no way in hell..

Edge (IE) -- maybe

Edge (Chromium) -- maybe not

Smartscreen is much better and WDAG is so cool

the edge branding is so weird

alternative to is really nice i wish it was more used

Edge Chromium

@freenode_renlord:matrix.org I rather have Apple screw my right to repair and such than Google screw my data

both options are bad I know

cn3m[m]: not just right to repair

and such that's what I mean related stuff

its a lot more than just that

you're limited how you use it

yolotrolo: often visit it

which is fine. I can't find an iPad alternative. I'll pay for that

if that's how they need to make money I'm cool with it

:(

<bulletproofman[m "yolotrolo: often visit it"> yea i do it as well

I'm cool with

Gettingn some sleep

It's late boys

Goood night

😉

night mate

Also thanks cn3m ur awesomeee

the problem with Apple is there's no alternative that balances safety with usability. I have to recommend them to all my friends and family. Everything is just too creepy or broken for the average person

Safty? What are you protecting if your data is alresdy in their hands? I mean if we are still talking about the average joe

I tell them to turn off the big 4 iOS settings

How do you remove the warning message at boot?

orge_td[m]: not possible

OK this is kind of built in reminder but yes it's what i was after anyway

What is the top ten apps i should install?

<orge_td[m] "What is the top ten apps i shoul"> Depends on your needs to be honest, but if you need free VPN, ProtonVPN works enough.

Thanks

Do I really have to have Google Camera on a sparate profile to improve privacy/security as commented here before? What privacy implications could it have by having it on my main profile? I don't see how can it be bad if I disable the network permission to it...

<orge_td[m] "What is the top ten apps i shoul"> Also look at NewPipe (youtube app), Should I Answer (call blocking app), Slide (reddit app), simple gallery pro (free on fdroid), vlc (video player), tor browser, binary eye (barcode scanner)

> <@orge_td:matrix.org> What is the top ten apps i should install?

* Also look at NewPipe (youtube app), Should I Answer (call blocking app), Slide (reddit app), simple gallery pro (free on fdroid), vlc (video player), tor browser, binary eye (barcode scanner), classyshark3xodus (tracker scanning)

Just a hypothetical question, which device is worth more buying for, Pixel for GrapheneOS or Thinkpad for QubesOS?

In terms of security, privacy, convenience and compatibility in daily life, given ISP and huge company as threat model.

Is there any security or privacy issues I should look for?

More on QubesOS though

* More on QubesOS issues I mean, compared to GrapheneOS (although they are quite a different model, the former focus on compartmentalization)

Has anyone run into packages failing to install?

I'm trying to install wireguard from fdroid but keeping getting a failed to install warning

I kinda wonder why do people like Thinkpads so much?

In the past it was because of build quality and ease of repair

Particularly when IBM owned the brand

Afaik, they have a good keyboard

They have also been possibly the only laptop with manuals online for how to take them apart and replace parts.

Also were built reasonably well, although build/design quality has been falling

Possible to pick up old ones fairly cheap, where corporates or governments have replaced them & often can fit a load of RAM and get something reasonable.

<EssentialChaos[m " Afaik, they have a good keyboar"> Some have horrible keyboards / touchpads.

On thinkpad p52 here is all good workstation

I like it's rétro look

<twitx[m] "I kinda wonder why do people lik"> Good build quality, good linux support, easy to repair, dirt cheap when bought second hand

You can get qubes running with a thinkpad x230

Plop in an extra 8 gb of memory for 16gb in total and plug in an ssd and you have quite a capable qubes machine for about 300 bucks

Myself i waiting for the new thinkpads with ryzen 4800u's

8 cores 16 threads which only use 15watt , together with a terabyte nvme ssd and 32 gb off ddr4 ram, awwwwwwwwh yeah baby

<blacklight447[m] "You can get qubes running with a"> Interesting but I currently rather use a PC instead of a Laptop (yes I know you can make it similar to a PC experince but yeah) (hmm I'll might buy a Laptop in some years)

I currently still have a Laptop but its kinda broken and repairing it wouldn't make sense

Can anyone comment on whether Aegis Authenticator app is safe to use?

<blacklight447[m] "Myself i waiting for the new thi"> Verify it doesn't look suspicious (no network permission would be a good sign). This one only needs Camera and fingerprint for me. I got from F-Droid and am careful with updates (Janus vulnerability)

it also doesn't have any broadcast receivers too assess

That's the kind of things anyone can do with an app like Stanley

I use aegis from f droid store

Noticed this issue and questioned using andOTP

This blog post made me think the aegis devs are somewhat competent

yeah apparently my crypto guy who found the NextCloud bug said Aegis is best

I'm going with that now

I don't know jack about crypto that's just one area I trust companies that have good track records in other areas

<cn3m[m] "yeah apparently my crypto guy wh"> Sweet thanks. What is in it for them to develop and maintain a free app like that?

One thing I will say about andotp is that the developer acknowledges the problems with it

In the post you linked they already state they are rewriting the app

I love how people complain about GrapheneOS short device support. You totally miss the goal for the project.

@brenneke:matrix.org it has encrypted backup

probably for a resume

It's always for a resume or a personal project to fill a need

<cn3m[m] "yeah apparently my crypto guy wh"> github.com/lynn-stephenson/analysis…r/Aegis%20Authenticator%20v1.1.4.md

That's the guy who got paid $150 for a bug bounty for NextCloud.

sometimes the only product you are is a user that inflates the value of the project to a potential hirer

keepass support otp code generating too, so i keep passwords and otp in the same place, at least if a hacker somehow manage to get my database he don't have to go through the pain of getting into another app for the codes

* keepass apps support otp code generating too, so i keep passwords and otp in the same place, at least if a hacker somehow manage to get my database he don't have to go through the pain of getting into another app for the codes

<yolotrolo[m] "keepass support otp code generat"> your phone is dramatically harder to hack than your PC

it's safer to keep a separate app on your phone only

I keep an encrypted backup of my otp on my desktop with a password I never use on my PC. it's the lock password of my OTP

Especially using GrapheneOS + Vanadium

* keepass apps support otp code generation too, so i keep passwords and otp in the same place, at least if a hacker somehow manage to get my database he don't have to go through the pain of getting into another app for the codes

if all memory exploits were impossible on Graphene/Vanadium(they aren't, but let's say they were) there would be a 3% chance that any given exploit chain for a Pixel running Stock Android with Chrome would run on the GrapheneOS and Vanadium

do you know that xkcd 😂

* do you know this xkcd 😂

it won't load

hmm

didn't u had a problem previously already with images

fix your damn browser, i bet u use chrome

chromium*

I use fluffy chat

chromium is the best

hey that's Whonix

strcat

Can you tell me a good value for ssp-buffer-size?

obsolete option

just use -fstack-protector-strong

SSP is not a particularly useful security feature anyway in reality

Does it not work anymore?

it doesn't do anything with -fstack-protector-strong

read definition of strong

Also I was looking through vanadium

No shadow call stack yet?

it is a no-op with strong

anupritaisno1: not yet

anupritaisno1: chromium is more focused on x86

Is there any inline assembly?

shadow call stack is arm only

For scs

I mean

chromium can't easily use it because it needs libc support

and it can't assume it's on android 10

Does chrome have asm code?

yes

why

<strcat[m] "why"> Might need to fixup anything that uses x18

I want to try enabling it

Anyway strcat

If the phone is on Q

It definitely works?

android uses ShadowCallStack for the kernel (on Pixels) and some of userspace itself

cn3m you shared a video on Reddit to a redhat talk about an issue in android where APIs could be abused and send data

doesn't mean it will work via NDK

you will have to figure that out

I can't help

<strcat[m] "doesn't mean it will work via ND"> Does

I have compiled a binary with it

The cve-2019-2219 and I think it has just been patched in the June 2020 patches

There's an issue where a wallpaper can crash the phone

crash system ui

Well

Boots to rescue party for me

BTW strcat is there documentation on attestation server?

anupritaisno1: the same as Auditor

plus the README there

don't know what extra documentation you'd expect

same thing as Auditor in server form

No running the server

README

plus same things that apply to Auditor

if you make your own build you need to update the key fingerprints in sources

and it won't be interoperable with the official builds

for obvious reasons

Yeah looking to run my own

Unless you can accept a couple samples on the official one

Well 2 to be exact

cdesai: let me know when you start on the June update

running into some issues

an apk seems missing

strcat: Hello daniel, can i ask for how lonh.have you been developing ? You strike me as a young person if you don't mind

for taimen, walleye, crosshatch, blueline

<strcat[m] "for taimen, walleye, crosshatch,"> Also what happened to the pull request?

Any edits needed?

what pull request?

The pdf.js one

anupritaisno1: don't know, don't have time to deal with it atm

busy working on the June release

The one on pdfviewer

there are issues to resolve

help wanted

<bulletproofman[m "strcat: Hello daniel, can i ask "> the project started in 2014

<cn3m[m] "the project started in 2014"> He did stuff before the project too

<strcat[m] "anupritaisno1: don't know, don't"> Well a new pdf.js is out

anupritaisno1: update it to that if you can

cn3m: Not the projet, i'm curious about how long he has been developing

Should I close that pr and open a new one?

anupritaisno1: if it's a stable release

we don't use the dev releases

anupritaisno1: yeah just close it

and make sure to use the latest stable release

Okay will do

He seems pretty young, i'm curious

gotcha

strcat[m]: trying now

Oh okay

That's a prerelease

So I'll not touch that pr

anupritaisno1: did you just use the upstream code btw

no changes?

and did you use their build or your own

cdesai: just need to figure out if it's actually removed or just moved

and if it is removed we can probably drop it for all devices?

embms.apk

strcat[m]: it might be gone, there's a vendor/etc/permissions/embms.xml in may which isn't found anymore either

and so system/framework/embmslibrary.jar is gone too

.git is 23G

<anupritaisno "BTW how huge is chromium these d"> my chromium/src is 40G

Yeah resolving deltas be like

strcat: btw I tried to fix 83 build without enable_reporting, but it's a rabbit hole :(

cdesai: it's not used anyway

it just disables unused code

anupritaisno1: where did you get the pdf.js you used exactly

github.com/mozilla/pdf.js/releases/…oad/v2.4.456/pdfjs-2.4.456-dist.zip ?

I'm probably going to do our own build but need to know where you got this

I don't see minified builds in their dist zip

Is there anyway to remove the google bootanimation?

Apparently no

xabi: use a device from a different vendor with a different bootloader splash

I dont think that grapheneos would work o a device without that silly logo xD

but there's no other supported device from vendors besides google?

another alternative to start your own multi-billion dollar prefab and flash your own bootloader splash

do you need financing?

lol renlord

xabi: it can work fine on other devices

can already be built for them without much work

you're free to do that

<renlord "do you need financing?"> I could launch a kickstarter

i like it.

<strcat[m] "can already be built for them wi"> I don't have the skills, I built a kernel for htc magic and custom cyanogenmod ROM, i havent done anything since that day :( it was fun but there are more skilled people that know how to do things properly

@freenode_renlord:matrix.org laughs in HiKey

/s

Do you casually carry a ups with that hikey to use as a mobile device?

@renlord:matrix.org my commitment is immeasurable

what are all your thoughts on Gboard with the toggle? I use it, but I know it's technically flawed until #156(I think it's that one)

List of used packages get phoned home?

wait nope it's #213 crap

the ipc it could leak data I highly doubt it is

nope not that one either

ipc leak data? @_@

oh wait yeah it's #156

@freenode_renlord:matrix.org I mean you can have any two apps talk together

Gboard could talk to any app with mutual consent and send your data to the homeserver it's extremely unlikely to be in the wild, but the firewall is far from perfect

now bypassing NetGuard and AFWall+ is very real world even by accident

apps communicate with each other using intents

i dont think they can bypass each other unless explicit user permission has been granted

i dont use netguard/afwall+ its likely that these apps dont even work properly in android since they dont control access/policy in the networking stack directly

(shrugs)

<renlord "i dont think they can bypass eac"> it's not all user approved there's data exfil that can be done between apps without user consent. A good example being Gboard controls your clipboard entirely

you can do storage of course (which Gboard doesn't need to have)

you can do storage of course (which Gboard doesn't need to have)

if you're not comfortable with gboard being your IME, you can always just use the stock keyboard

that's very true, I am a bit rusty on the technicals of leaking beside AFWall+ and NetGuard which I bypassed both on accident

i have a suspicion that they just dont work on android

and they provide a false sense of security.

Doesn’t it seem just a bit suspicious that gboard doesn’t request any permissions at all? Doesn’t request network permissions, but is opt-out of analytics, usage statistics, etc...

cx2[m]: please.

<cx2[m] "Doesn’t it seem just a bit suspi"> it has network permissions

cx2[m]: open up app info and you can see that it has 6 permissions toggles.

it has almost 15 permissions

dont know, didnt check manifest. But in App Info, it is 6 permissions that are user-toggable.

*user-toggleable

this disproportionate amount of scrutiny and suspicion towards google applications is just weird

it probably makes more sense if people apply this level of precaution towards FDroid applications instead.

I”m only seeing 4... I installed it while trying to pay attention to what you guys are saying.... out of the box it at least doesn’t request permissions at all.... “No Permissions Allowed”

That’s on CalyxOS though...would it even install on Graphene?

21 total permissions and 7 broadcast receivers

@cx2:matrix.org CalyxOS is missing two permissions

they dont implement sensors/network permissions

@freenode_renlord:matrix.org I trust Google, but someone was pushing me for a black and white answer on a filtered post if Gboard could spy on you

*user-toggleable

I don't think they would go that far to get data

the best answer is probably along the lines of "dont install apps that you dont trust"

Ok.... threw it one of the Graphene handsets, I see the 6 permissions there

I m quite happy that stock aosp keyboard works well enough for me

<renlord "the best answer is probably alon"> that's what I ended up with. It's too hard to give it a black and white asnwer

<cx2[m] "Ok.... threw it one of the Graph"> I've got pixel envy

I only have one

cn3m[m]: do you use your hikey as a server?

I'm sticking with Gboard

no I have an old laptop with Arch and some hardening

I think what people want to know, and don’t know how to find out on their own is wether or not Google is siphoning off their personally identifiable information. Really that’s what it comes down to.

AOSP is fine.... OpenBoard is decent.... AnySoftKeyboard feels a little bloated.... But Gboard is just really good

What s so great about gboard?

<xabi[m] "What s so great about gboard?"> better tracing

if i had to speculate, probably not anymore, they care more about personas as oppose to personally identifiable identities

Predictive texting, swipe or just more accurate key presses?

personas are what they sell for revenue-generating ads

collecting personally identifiable data is a really big liability these days

all it takes is for a relatively disgrunted software engineer to whistleblow and they are fucked.

Gboard is good imo privacy wise I opted out of everything and blocked network they would really have to be sketchy

I also only run it though a VPN

yeah Google is pretty reasonably transparent

so on the balance of probabilities i dont think they do malicious things to collect personally identifiable data

but obviously they do collect data to categorise/build personas

personally I trust it

if people don't there's a technical way it could leak

but they don't have my IP, they have almost no network paths, and they have no ad id, and I've opted out of everything

<renlord "if i had to speculate, probably "> Good point.... personas. For me personally, it’s “are you taking every keystroke and thus have a carbon copy of every text input...”

@cx2:matrix.org you'd have to MITM the whole system and long term I think if they were really doing that

MITM works mostly to catch strange behavior

like if a chip was trying to bypass system networking

<renlord "but obviously they do collect da"> That’s the creepy part. I don’t have a “threat model” per se, I’m not a person at risk, etc. Other than the microsofts and googles, and amazons of the world constantly trying to sneak in.

@cx2:matrix.org yeah just use Gboard

people who have genuine threat models probably should engage in tradecraft

to blend into ordinary personas

I trust Gboard just can't say that with an absolute guarantee

I think “threat model” is thrown around WAY too much IMHO.... i mean. You have a threat model of X and you’re openly posting to unencrypted matrix channels? Come on freetard

the scientific community has a very specific usecase for threat models

that's the funny part the people who really know stuff aren't on /r/privacy

it lets them justify why something is a problem and how it is solved by the proposed solution

<cn3m[m] " @cx2:matrix.org yeah just use G"> I plan on it. I mean, threw calyx on one of the handsets for a reason... don’t tell

I'm only there for purely selfish reasons to fight misinformation for GrapheneOS

that benefits me the more accurate the image GrapheneOS has

the real experts at hiding aren't in the open

threat modeling is a little bit of a buzzword

most people only are active in the privacy community if they are trying to sell something or have a superiority complex

<cn3m[m] "threat modeling is a little bit "> A little bit?? I’d say a MASSIVE bit.

Or they are talking about their actual research

that's rare though with the backlash no wonder Daniel keeps stuff in the community

<cn3m[m] "most people only are active in t"> Right, a superiority complex derived from self “taught” notions.... which is the most irritating part

I really don't care what people use. I personally want to see GrapheneOS succeed and misinformation gets in the way of that

I want to see all good projects succeed

even iOS deserves a lot of credit in my book

Not a super huge fan of iPhone... but that’s purely from a usabilty standpoint. iPad on the other hand? Put it this way... I just got the new “magic keyboard” what an awesome combo.....

People are talking shit about it already... of course, but the thing is pretty great if you ask me.

Tor Project generally

I haven't seen anything sketchy on the MITM for my iPad

That seems to be the general consensus. Do you have an iPad Pro? If so, would HIGHLY recommend the new keyboard. Literally came in today.

I don't have that one yet

thanks

“Compelled access....” gotta love lockdown mode.

Then again, you’d be hard pressed to find me in a scenario where I would need it, I still like the idea of it.

I don't use fingerprint

I only check my phone for here/Reddit, Twitter, and email

Good move.... I need to get on that band wagon....to help I have just recently discovered all of the things I can do with the Feeder app... like piping in twitter feeds..... invidious, blogs, etc.

Thought he camera with Visual Core is prettty bonkers if you’re into photography

Though*

Twitter is on fire with politics lately

I stay away from that shit

good to see people standing up for what they believe in

No disagreement there.... but new / social media have been nothing but in your face politics. Round the clock.

News*

for me attacks on mail in voting was my line for I no longer want to avoid this stuff

I was were you were totally

Attacks on mail-in voting?

you haven't been following the news? the president is suggesting states that voted on this should be punished

officially bully pulpit to steal an election

OHHH..... you mean not allowing it.

I think there’s an argument to be had there for sure.... But the opposite side is blatantly obvious. folks have the ability to counterfeit currency.... currency that has some pretty advanced anti-counterfeit features..... Mailing in votes seems like ridiculously easy target

the fascist line has been crossed in America that's the final straw for me

I have had mail in voting rejected so I question that

my signature wasn't quite right so I had to redo it

I’d have a really hard time then... my signature changes ALL the time. I have trash handwriting...they would reject every vote hahaha

haha yeah I've actually had to revote twice I almost always vote by mail

No doubt there are some cases where it should be allowed. Folks that are traveling abroad, business abroad, those that are handicapped and have difficulty leaving the house etc. But mail in voting as a rule seems pretty sketch

Who knows. It’s all sketch to me.

gets more people to vote

it shouldn't be forced, but if a state votes to allow it for public health they shouldn't have their money taken away

True.

on the grounds it will cause mass fraud which is purely FUD. No one is going to jail to vote twice. A vote isn't worth that much

Eh, dead people have been voting for years, and people do shit everyday that they COULD go to jail for, they just aren’t caught

@cx2:matrix.org proof beyond 0.005%

I'm genuinely curious

I've never seen a case of a vote audit going that high

But it’s not the people voting twice that I think would be the problem. The potential is there for bad actors to take advantage for sure.

this is trending towards ##politics

true

As far as proof beyond whatever percent... I don’t have it because I really don’t care if I’m being honest. I know that I have been fortunate, so I am doing what I can help help those that aren’t in the same position. That is not to say that I am totally selfless, don’t get me wrong. But as far as politics goes, that’s why I originally said I stay out of it.

oof I just saw a whopper from Reddit

Android and iOS have trackers, but Linux phones don't

that's just wow...

<cn3m[m] "Android and iOS have trackers, b"> Duh. This is common knowledge. Ubuntu are all they use in high security super max ultra secret places.

is that sarcasm? I can't tell sorry

My keyboard is wet from how much those words were dripping with sarcasm.

okay good just making sure haha

Speaking of trackers.... as far as classy shark is concerned, I have successfully eliminated them from the Graphen handsets (except the one I just put GBoard on)...

...but too scared to even attempt ClassyShark on the Calyx handsets 😬

How many pixels do you have?

5... I only use one as my actual phone haha.... I’m not a weirdo

here's what I posted "Exodus Privacy shows none of my apps have trackers. I can also run Linux apps with Termux and my OS has zero telemetry and strong sandboxing even if I did have trackers. My Linux laptop has Fedora telemetry code and Firefox telemetry code on it and no effective sandboxing (only Flatpak)."

honestly GrapheneOS is highly underrated for privacy

the security sure people agree there

<cn3m[m] "honestly GrapheneOS is highly un"> I think this is more because folks as TheJollyRoger would put it, “want more toggles and such to ‘futz’ around with.”

LineageOS doesn't practically impact the privacy model of the OS

as an ad tech developer you give me phones to track the iPhone and GrapheneOS phone scare me more than the Lineage ones with Magisk and Xposed

<cn3m[m] "as an ad tech developer you give"> What do you mean? I think I’m misreading

I worked in adtech and I would find it much easier to futz with the stupid stuff on Lineage

Ok got it... That’s what I thought.

Dang, it’s great to have someone like you around the project then!

honestly I thought I knew a lot about breaking stuff

but Daniel boggles me how much he knows

he knows more than me on this stuff

Pretty sure he's been working on this stuff for over 5 years at this point

6 years on this project

right

on top of all that AL contribution, GRSec, LKML and friends lulz

he has a security mindset

and Rust contributions also

he's a security master

probably dreams code at night hehe

I can't code that well for a developer who actually had a job doing it

I need to learn that stuff well

THATS where i remember seeing that name... cn3m that Nitter link you posted earlier....

:)

RAGE for me.... but still

I love Pixels so much

Same.....clearly

software matters so much