extract the platform tools again and leave everything in the `platform-tools` folder, then run `$env:Path = "$pwd\platform-tools;$env:Path"` in powershell to add that folder to your path, then run `fastboot --version` to check again

please don't edit the install script, it was specifically coded to prevent messing up the install and bricking the phone

C:\GrapheneOS

wherever your powershell prompt is open

I'm assuming C:\GrapheneOS

ok when you do fasboot --version what's the version and where does it say it's installed?

Is it fastboot.exe in Windows?

I don't use Windows

ok very good

you made sure the usb cable is connected to a port in the back of the pc?

not a front usb port?

ok

it should be fine now to run the script if the phone is in bootloader mode

and unlocked

You're welcome

Bridge test.

Huh wow. I don't see foos from the other side.

I noticed that too

Might have to wait until tomorrow. :(

Glad to see you guys got it working!!

foos: oh no it's not your problem, sometimes what happens is that matrix seems to forget someone in a room is in the irc channel.

Usually this problem sorts itself out eventually and it goes away on its own.

I like to joke that between being bridged by IRC and Matrix I get about maybe 60% of the messages sent to me :)

I'm uninstalling the riotx app, it use too much battery, 22% of my phone battery over the last 2 days while I barely use it, there should be a feature to poll the server only when you open the app instead of constanly!

Maybe the other riot app have this feature, not sure

I'm going to try minivector instead

Yea the other client have multiples features related to that, perfect

JollyRoger: I'm back

Done with work

Though I think I'm beyond 48 hours of no sleep

Probably another 4-8 hours before the caffeine reduces to 6.25% (using standard elimination half life)

lol

JTL: yep

BTW anyone uses syncthing on grapheneos?

I'm getting this weird crash

Syncthing yes, problems no.

I used syncthing on graphene before and didn't have problems either

anupritaisno1[m]: aaargh! Go and rest up!

And drink some water X(...

Sadly the coffee still there

Will see if I can fix that build error

Ack! Okay :(

Please rest as soon as you get the chance.

I'm good

So, I'm not a dev, but Im curious as to what the best programming language to get into is as a beginner, but also that will help the Foss community on projects such as this one.

qyo3462572445: any language that gets you interested in development is the best way; there is no one path

qyo3462572445: it depends on what layer you want to work on

<qyo3462572445[m] "So, I'm not a dev, but Im curiou"> probably python, go, knowledge of C

<qyo3462572445[m] "So, I'm not a dev, but Im curiou"> actually nevermind, definitely C# and SQL ;)

SQL isn't even a programming language

Structured query language even the name says it

Unless you're PL/pgSQL?

But then you'd better look at ada

Thank you for the answers. Appreciate it.

<anupritaisno1[m] "SQL isn't even a programming lan"> trolling 😇

I'm hoping to do Python and Java!

I've heard python is a good language and can be pretty useful too. Seems like that's a good stepping stone

c is a good starting language

other languages do too much for a beginner to learn the ropes

I'm imagining the first programs I write in C...

...and now I'm imagining typing "run" and then watching liquid memory starting to drip out of the computer :P.

"Why is the memory leaking?" "Peter, because you didn't release the memory at the loop." "No I mean WHY IS MY COMPUTER MELTING AND NOW DRIBBLING OUT THE CASE AND PUDDLING ON THE FLOOR!"

<TheJollyRoger ""Why is the memory leaking?" "Pe"> int a[10];

TheJollyRoger: BTW try building now

main things requiring help atm: Pixel 4 and 4 XL support for Auditor, Pixel 4 and 4 XL support for the OS, handling Auditor samples to expand device support

also every 6 weeks porting Vanadium to new major release of Chromium

strcat: i can help or take-over porting Vanadium ✋

hello

could i ask you to help with the steps to rebase properly strcat in PM

yes

just checkout new tag

cherry-pick commits one by one

checkout the latest stable branch and cherry-pick which commits?

all the patches

* [correction] checkout the latest stable chromium branch from <chromiumdash.appspot.com/releases?platform=Android> and cherry-pick which commits?

the grapheneos patches?

<aeonsolution[m] "could i ask you to help with the"> Honestly if you must ask that you should read up more on it

Anyway what you want is definitely a 3-way merge

git am -3 ../patches/*

Are there already people actively working on Pixel 4 and 4 XL support for the OS?

Git will stop at conflicts

Arhu: I am

paintedman is working towards it

Painted man is

really need the kernel commits submitted

you is paintedman?

proper 1:1 port

o_O

hasn't been submitted yet

renlord: no

going to run out of time to add Pixel 4 support

i need more handles

Will do once I get the patches cleared up for pixel 4

anupritaisno1[m]: how do you do it without a pixl4?

WiFi needs a couple patches more and we can't exactly release with a major feature broken

With testers

And reading logs and dmesg

like getting antoher person to test your patches?

Yep

that latency must be huge

strcat[m]: out of time because you want to focus on Android 11?

yes

among other things

no progress that I see being made on Pixel 4 support

and lack of landing the kernel support means people can't build and help debug atm

I could spend 30 minutes porting the kernel stuff and testing it

the whole point is trying to find maintainers

if we can't find others to do that it won't work out

also not ready to wipe stock OS off the devices until Auditor support for stock is done

Arhu: main issue on pixel 4 is that when QCACLD=y due to config_modules=n there is no WiFi because the driver needs more patches to work in built

On stock QCACLD=m

anupritaisno1: getting everything landed for kernel would still be helpful

fixing that later

4a is also coming out soon

<strcat[m] "anupritaisno1: getting everythin"> I think painted man already has those

Only thing we need to change is that he split the configs for pixel 4 and xl but there are no device specific drivers that need the split

strcat (@strcat:matrix.org): Is there anything I can do for the P4 without access to a device? If so I'd be willing yo take a crack at it when I get home tomorrow.

not really other than a 1:1 port of the kernel commits

anupritaisno1: there are also some extra commits in crosshatch now

the ASLR and FORTIFY_SOURCE stuff is added back

I see. Sorry to bother you

I already have a merge of that on 4.14

anupritaisno1: I can undo the split of configs

anupritaisno1: i do appreciate the feedback but some of your comments aren't really helpful and even condensing; the whole reason anyone asks questions new or experienced is to make sure we dont duplicate work and mistakes

anupritaisno1: undid the split of configs in device repo

aeonsolution: apologies

anupritaisno1: thank you for understanding

anupritaisno1: can you rebae out the split then

* anupritaisno1: can you rebase out the split then

I removed that commit for device repo

the way it was done there was off anyway

aeonsolution[m]: you need to rebase and then reapply all the patches, during the re-application process, there will be conflicts you need to resolve, resolve them and make new patches.

<skwisgaar[m] "cn3m I decided to try 1password,"> Bitwarden security design flaws are my only concern

s/make new/update the existing/g

There's one change I still want to ask paintedman about

wa

lovely bot

Also strcat I'm not sure why this is needed but without it this is a compilation error paintedman/kernel_google_coral a4a553c

anupritaisno1: if drivers are the same it shouldn't be split

anupritaisno1: are you using the right version of clang

it has to match the one in the config they provide

The right version?

it isn't necessarily same as other kernels

yes the right version of clang

for the build script

it has to match their config

I'll check that against my build

look at the build.common config stuff

build.sh is supposed to take the version from there

anupritaisno1: I removed the device/google/coral commit splitting them

anupritaisno1: so build is probably broken now

need to fix that

I'll do that in a bit

First will pull request the aslr changes

renlord: thank you!

the kernel commits need to be submitted soon properly

anupritaisno1: I think you need to do it in your repo and submit it

if this isn't done by around the 20th I'm probably calling it

because this is step 1

getting the kernel commits ported is just a 30 min time block

also if the slab canary feature doesn't break on the new kernel it shouldn't be reverted

anupritaisno1: essentially nothing has happened for 2 weeks

that's how I see it

I don't see hope for getting it added atm unless other people step up to help

you're not going to be able to do it without a device

I shouldn't have to do it all myself

it's not sustainable

I'm deliberately not doing everything

I could spend a day on it and get it all working but the whole point is that takes my time away from the rest

and it's not sustainable, there is too much stuff my time needs to be split between

if there aren't device maintainers we can't support any devices

I can't add Pixel 4 support if it takes so long to address issues

because that means I will be the one always dealing with it

so ~20th is deadline for having everything landed to build it, and then everything else by the 30th (wifi working, Auditor support added)

anupritaisno1[m]: you don't have a Pixel 4 (XL), or you don't have both the Pixel 4 and the XL?

realistically it's 2 days of work

atm no one seems to be actively working on it that has a device

so it's not going to get added

Man I wish I had more skills and time

so Pixel 4a support won't be added either and it will be really problematic having no available devices supported

I see this as the final chance for people to start doing their part

it's not optional

if people are mistakenly thinking that

the project continuing requires turning things around

it's not a good situation right now and putting 100% of the burden on me doesn't work

I have less time/energy to dedicate to it than ever

if I stop working on it how is it going to continue?

it won't

I've been working for almost 1.5 weeks trying to fix the problem with wifi in qcacld

and yesterday I, apparently, found code in qcacld which we need to make it works

the changes need to be merged 1st

so people can build it and work on stuff

but there is still another problem with android-prepare-vendor

ok, we have 1:1 commits in my github

step 1 is getting kernel changes merged today

paintedman: no it's missing the ASLR and FORTIFY_SOURCE stuff

and need to make sure it's using the right version of clang and need to undo the device split if they don't need diff modules

haven't seen that yes

*yet

Shoot.

if the modules are 100% the same for both rebase out the split

<strcat[m] "step 1 is getting kernel changes"> I'll add this commits today

and fix build script

and make sure clang version matches the config

and get ASLR / FORTIFY_SOURCE added

it matches

can refer to linux-hardened for versions of those commits that apply cleanly if needed

paintedman: I mean matching the common config not necessarily other kernels

haven't looked at it

I've tried original google's build script and it fails on tsens too

I don't mean their build script

I mean the version of clang has to match

alright it matches

but just for future reference

github.com/paintedman/kernel_google_coral/blob/10/build.sh#L23 ?

also need to squash the SCHED_BATCH commit into build script one but I can do that

btw, do we have to split coral and flame configs?

paintedman: if the modules are the same it shouldn't be split

I undid the split in device repo for now

got it, so I'll add your new commits and undo split

Oh god

There are so many changes to defconfig

I'm still trying to rebase each commit it is taking a while

<paintedman[m] "btw, do we have to split coral a"> Already discussed in PM

Besides the configs for flame and coral are 100% the same

paintedman: also squash the SCHED_BATCH commit into the build script commit

or I can do that

I did it for the others

just hadn't cleaned it up yet

ok, I'll do

once kernel stuff is done / merged

paintedman:

just need wifi issues resolved (kernel and userspace) and Auditor support added

You haven't sent your WiFi patch yet

easiest to add stock OS Auditor support 1st

I can start on it

Send it in pm

Sorry.

Anybody having issues with the clock app? The alarm doesn't seem to work. Any suggestions?

eligiblecoffee: have you tried resetting the app or looking at the github issues to see if others are experiencing this error?

aeonsolution: yes, I did clear the cache and the data. Still it doesn't work

eligiblecoffee[m, it doesn't work if you use the battery saver

jalb66: battery saver is disabled.

eligiblecoffee[m, ok, then IDN, mine works

jalb66: okay.

did you close the app or tried resetting the phone?

I haven't tried resetting the phone.

give that a try, if that doesn't work check out github.com/GrapheneOS/os_issue_tracker/issues

aeonsolution: okay. Thanks

np

eligiblecoffee: it should work at least if you clear the clock app data

maybe try rebooting and setting the alarm again

is it normal that enabling WIFI only when I'm in another user or profile and then disabling it before changing to the main profile I see that I received messages in the main profile and so it was connected too?

jalb66: yes

strcat[m], thanks!

jalb66: disabling network access for a profile is something we could support

jalb66: certain things are already done upstream like disabling audio recording when a profile isn't active

so if a profile is running an app that has been granted mic permission in the foreground

it can't record if the profile isn't active

but that's not done for networking by default

and networking not per profile

like if you enable a VPN, the Updater app and other system stuff goes through it too

and they use the same network connections

strcat[m], I thought in that VPN problem I read people commenting here and in the issue tracker, maybe it has something to do with this?

That would be great 🙂

Yes, that's what I mean with VPN

Thanks

I always thought if Vanadium webview needs Network access or not, it works well without it

But IDN if it can't be bad

So, I allow this permission

Which pixel 3a model should I get G020F, G020G or G020H?

G020E is out of question due to Verizon's crap.

Whoops. Maybe I shouldnt have disturbed you yet...

<jalb66 "I always thought if Vanadium web"> If the extra permissions being off on certain built in system apps would be meaningfully more secure I'm free it would be off by default

cn3m[m]: yes, but I don't know if that permission is really necessary for some reason or not, do you allow it?

strcat : I have just bought a Pixel 4 XL. Let me know what I can do to help you or paintedman

> Which pixel 3a model should I get G020F, G020G or G020H?

> G020E is out of question due to Verizon's crap.

I don't see those numbers in my Pixel 3a

> I don't see those numbers in my Pixel 3a

Its on the box

furofuro_01: it seems that any of those should be fine

> Its on the box

Oh ok

dallemon: strcat, paintedman, and anupritaisno1 are working on the migration; just try to be on standby when they need testers

Oh damn the latest news is that the pixel 4a is pushed back to October

At this point I should just get a pixel4

<greenmoon[m] "Oh damn the latest news is that "> The Pixel 5 is going to end up launching with the 4a ha

strcat: github.com/paintedman/kernel_google_coral/commits/10

cn3m[m]: how weird

prefab must be closed long time due to covid

does slab_canaries still not work on the pixel4?

:(

<renlord "does slab_canaries still not wor"> how to test this?

paintedman[m]: remove the reverted commit, compile and then see if it boots

on the pixel3, if you removed the revert commit, it will fail to boot

Should we consider GOS as Android or not?

jalb66: we pass CTS so yes we are android-compatible.

and therefore can run android applications

I mean if GOS is something different than android now, or a hardened fork of the Android Open Source Project

it is a standalone mobile operating systems project

I think Daniel posted something about it, IDN where, if it was in reddit or what

renlord: thanks

we implement features on top of stock aosp and also harden standard aosp stuff

Yes

they are written up in grapheneos.org

hey who has the pixel 4 in the chat that is willing to help with testing? i can help you setup your device to prime it for when testing pixel 4 is ready

you'll have to setup your computer to install the development branch too

People turned paranoids on matrix servers 😂

?

irc ftw

Maybe that

<cn3m[m] "The Pixel 5 is going to end up l"> Really ?

aeonsolution: I do.

dallemon: try setting this up grapheneos.org/build#development-branch

send a message if you have any questions on the setup

if the devs manage to get an initial pixel 4 setup for development testing, you'll be able to complete the build

do backups survive factory reset?

dallemon: these are the dependencies you need grapheneos.org/build#build-dependencies

I'll see if I can get it running on my new laptop using WSL. Otherwise I do have sightly older laptop running Manjaro

if there are others with pixel 4, please hit me up; its crunch time so ill help you get setup so you can help out the devs that may not have the device

i dont know if you can build it on WSL

i can help if its manjaro

Got it running on Manjaro previously, like, a year ago.

dallemon: get these dependencies for manjaro

sad no archlinux on WSL

<renlord "sad no archlinux on WSL"> Well, no official.

Lineage has patches for building in wsl, and some should be in aosp master too

<renlord "on the pixel3, if you removed th"> on pixel 4 xl it doesn't work too

renlord: so I'll leave "slub: add multi-purpose random canaries" reverted

$30k initial + sales % + bonuses offered to negotiate development and support, leading to the release of an alternative, yet specific hardware platform to a Pixel phone. Graphene OS long term support and updates are required. Hardware configuration negotiable. Graphene OS ethos is appreciated. No hostility. No stealing of code. No hard feelings. Just hardened software & harware. - Contact: TranquilKaos⊙Ti

* $30k initial + sales % + bonuses offered to negotiate development and support, leading to the release of an alternative, yet specific hardware platform to a Pixel phone. Graphene OS long term support and updates are required. Hardware configuration negotiable. Graphene OS ethos is appreciated. No hostility. No stealing of code. No hard feelings. Just hardened software & hardware. - Contact:

TranquilKaos⊙Ti

* $30k US (cash, bitcoin or whatever you prefer) is on the table + sales % + bonuses offered for the successful negotiation of OS development and support, leading to the release of an alternative, yet specific hardware platform to a Pixel phone. Graphene OS long term support and updates are required. Hardware configuration negotiable. Graphene OS ethos is appreciated. No hostility. No stealing of code. No hard

feelings. Just hardened software & hardware. - Contact: TranquilKaos⊙Ti

What is your intended purpose with your message MacGyver ?

To get Graphene OS ported and supported on retail hardware that is not produced by GOOGLE

* To get Graphene OS ported and supported on specific retail hardware that is not produced by GOOGLE

> To get Graphene OS ported and supported on retail hardware that is not produced by GOOGLE

Is this Real ?

<MacGyver[m] "To get Graphene OS ported and su"> What specific retail hardware? Is it commercially available?

What is this "specific retail hardware"?

Hardware configuration negotiable.

> <@11wtf11:matrix.org> To get Graphene OS ported and supported on specific retail hardware that is not produced by GOOGLE

* What specific retail hardware? Is it commercially available? Is there at least a prototype? What specs? That is some questions I have immediately in mind

My company and I wish to develop a phone, that is not marred by Linux issues, does not require a geek to operate it - is not produced by the very company one seeks to avoid in the software realm.

It's hard to trust unknown sources tho

* My company and I wish to develop a phone, that is not marred by Linux issues, does not require a geek to operate it - and is not produced by the very company one seeks to avoid dealing with in the software realm.

<MacGyver[m] "My company and I wish to develop"> Does your company have a name?

Indeed it does.

Though as we are in the tentative process of negotiation with other companies, this is probably not the best time to be openly stating the company name

Of course - Graphene OS came highly recomended.

So it's secret company which work in the shadows ?

Not particularly secret. And once we have chosen our final OS partnership - we will most certainly NOT be in the shadows.

alpine

I wish you success , since you're working hard and beginning from the zero . But take into minds big success doesn't come over night it needs time

I thank you sir. Indeed - we appreciate the pitfalls, and the requirements to become a success. Certainly why it is indeed critical to make sure the hardware & OS we will be using must be of high standards.

* I thank you sir. Indeed - we appreciate the pitfalls, and the requirements to become a success. Certainly why it is indeed critical to make sure the hardware & OS we will be using must be of high standards. But our focus is not on profit. It is on the average customer, and what we consider to be 'affordable' for most anyone.

MacGyver: awesome idea! All the best with it! Did you speak to strcat yet about grapheme hardware requirements?

Is there any way to stop a user? GrapheneOS nicely bumped the maximum supported users from 4 to 16, but to save RAM and battery, or just not wanting the background services from users to be active all the time, it is often desirable to explicitly stop users, like what "adb shell am stop-user [user id]" does, but from the phone itself

I have attempted to make contact with Mr Micay, but so far to no avail. Other than that - I have no idea whom I should be addressing. Hence my reason for posting here.

<fll[m] "MacGyver: awesome idea! All the "> I have attempted to make contact with Mr Micay, but so far to no avail. Other than that - I have no idea whom I should be addressing. Hence my reason for posting here.

> <@fll:matrix.org> MacGyver: awesome idea! All the best with it! Did you speak to strcat yet about grapheme hardware requirements?

* I have attempted to make contact with Mr Micay via email, but so far to no avail. Other than that - I have no idea whom I should be addressing. Hence my reason for posting here.

Arhu: it's not exposed in the standard UI

> * I thank you sir. Indeed - we appreciate the pitfalls, and the requirements to become a success. Certainly why it is indeed critical to make sure the hardware & OS we will be using must be of high standards. But our focus is not on profit. It is on the average customer, and what we consider to be 'affordable' for most anyone.

Avereage customers considered a majority that would be more profitable too:) . And they need to be set free from Google's controlling policies

> -they need to be set free from Google's controlling policies - **that is the goal. Not the money. The money is a by-product.

**

MacGyver[m], the question is if something will change or not?, I mean if Daniel will be free to work without problems and owning his work apart from the company with total freedom and only working with Google Pixels for example. I don't think Daniel will accept a company but maybe I'm wrong

MacGyver[m]: have you read why Daniel only supports the pixel?

lol

You still need the money and you have to sacrifice time effort and resources

> MacGyver, the question is if something will change or not?, I mean if Daniel will be free to work without problems and owning his work apart from the company with total freedom and only working with Google Pixels for example. I don't think Daniel will accept a company but maybe I'm wrong

I am familiar with the issues as far as 'Copperhead' goes - so I can appreciate any hesitance he may have in dealing with any outside entities.

> MacGyver: have you read why Daniel only supports the pixel?

Because he does not make his own phone I guess?

MacGyver[m], maybe you can help with your money hiring developers to add more work done in GrapheneOS

> MacGyver, maybe you can help with your money hiring developers to add more work done in GrapheneOS

Exactly devs need to get paid

<jalb66 "MacGyver, maybe you can help wit"> I and my company would be very happy to support this community

And he act if it's not all about the money

3 years of support for firmware, blobs and aosp, that s what pixels have. Titan hardware is also pixel only atm

MacGyver[m], GrapheneOS needs some hardware and security requirements to work in some smartphones, that's why he works now in Pixels, IDN about other models

xabi[m]: is onpoint here.

The code is opensource and you could help with developers and testers and then maybe use the code to your company

Apart from Daniel

<jalb66 "MacGyver, GrapheneOS needs some "> Certainly why we are prepaired to make the hardware fit better - if the software can also give a little towards the average consumer.

> > <@freenode_jalb66:matrix.org> MacGyver, maybe you can help with your money hiring developers to add more work done in GrapheneOS

> I and my company would be very happy to support this community

Such great people are always hated by the major players

MacGyver[m], do you mean to create a new smartphone from zero?

<MacGyver[m] "> <@magntcf:matrix.org> > > <@fr"> Ethical people like you who had a conscious and principles are very rare these days in a world full of greednes

<jalb66 "MacGyver, do you mean to create "> Something along those lines, though of course - there are many existing peices of hardware that exist already to be implemented into a new development.

conscience*

Well MacGyver[m] good luck 🙂

strcat[m]: I was afraid of that. I suppose a regular app can never have the privileges to do this.

"Android 9.0 added a log-out button to the lock screen so that a person using the device can end their session."

I think this only applies to fully managed devices. Maybe it would be possible to enable that button at build time?

> > <@freenode_jalb66:matrix.org> MacGyver, do you mean to create a new smartphone from zero?

> Something along those lines, though of course - there are many existing peices of hardware that exist already to be implemented into a new development.

Man you saying too much info which may put you in trouble

magntcf: I do appreciate your concern. But I have a lot more than that to say, that I certainly would not be posting here 😉

* > MacGyver: have you read why Daniel only supports the pixel?

Because he does not make his own phone I guess? Seriously though - Hardware Security is the impression I get.

> 3 years of support for firmware, blobs and aosp, that s what pixels have. Titan hardware is also pixel only atm

What xabi said here is the important and hard part. Especially hard to realize affordable

What exactly is a titan M

strcat can you explain

anupritaisno1: blog.google/products/pixel/titan-m-…s-pixel-3-our-most-secure-phone-yet

anupritaisno1: the implementation of the security chip for Pixel 3 and later providing the citadel APIs

anupritaisno1: provides the implementation of the StrongBox keymaster (HSM-based keystore) which is a more secure replacement for the traditional TEE-based keystore (TrustZone)

anupritaisno1: and also Weaver, which is one of the key hardware-based encryption features

Weaver has a slot for each profile

mapping auth token -> randomly generated token used as part of key derivation

the security chip only provides the token for key derivation to the OS after it has provided the correct auth token for the profile

this allows the security chip to implement exponentially increasing throttling (quickly throttles up to 1 day of delay) for decryption attempts

it's hardware enforcement for the previously UI-based exponentially increasing delay

Pixel 2 has Weaver too, via an NXP secure element (doesn't have the other APIs)

anupritaisno1: also provides secure storage / enforcement for the bootloader lock state and verified boot key

anupritaisno1: and it has the concept of 'insider attack protection' which requires that the owner account authenticates before it will accept a firmware upgrade, so malicious firmware can't be created to bypass Weaver

anupritaisno1: it's also where the factory reset protection data is stored for Pixels, as opposed to a dedicated partition on the regular flash, but we don't use that feature - the rest is all relevant

anupritaisno1: you can look at citadel in AOSP to see the software / drivers for it

Looking to install a Matrix client on Graphene. Is the standard Riot app recommended, or RiotX?

anupritaisno1: it might be called citadel in the kernel too, I forget, I think it has a lower level name there too

strcat: cool also does it do wrappedkey?

Since pixel 4 uses the CAF kernel the kernel sure does support ICE+wrappedkey

This is not the standardized R stuff. CAF had wrappedkey for a while now

Yekip, riotx is alpha and riot app is beta. I recommend riot app still

whats CAF?

Or minivector from Fdroid, its a fork of riot android with less permissions, tracking (also doesnt do calls)

Code Aurora Forum

Honest question, how do we know the Titan M doesn't have anything malicious going on?

lol

jiibus[m]: have you checked out their website?

anupritaisno1: doesn't seem relevant due to weaver

anupritaisno1: read qualcomm.com/media/documents/files/file-based-encryption.pdf

renlord (@freenode_renlord:matrix.org): whose?

strcat: so there's coldboot security?

jiibus[m]: open titan project

<hitchhooker[m] "Yekip, riotx is alpha and riot a"> Thanks. I thought alpha was better than beta. hahahaha. I will keep quiet now and install Riot app. :D

Is Titan M related to opentitan?

renlord: grapheneos shipping self built titan firmware when?

anupritaisno1[m]: you own a fab?

anupritaisno1: firmware is signed

i was hoping you can print some

<renlord "whats CAF?"> Qualcomm's hacks for snapdragon devices

<strcat[m] "anupritaisno1: firmware is signe"> So you mean it can't be replaced?

anupritaisno1: in general, firmware is signed

renlord I didn't know about it, I take it that's what graphene uses?

Hmmm

jiibus[m]: the pixel phone

anupritaisno1: whether or not firmware is open source, you can't replace it, unless it's an insecure implementation which would be very problematic

So it is a look but don't touch?

anupritaisno1: the Titan M would not be useful if it didn't have firmware signing

and you could not have verified boot if the firmware on the device wasn't signed/verified

part of verified boot is that all firmware is signed/verified

So why can't we pin own keys?

you can't have verified boot for the OS without verified boot for the SoC firmware, etc.

For the titan m

renlord: ah, gotcha. Good to know

anupritaisno1: I don't know how you expect that to be done when it is what implements setting a custom key for the OS

👍

anupritaisno1: have another security chip that secures the Titan M?

where does the key go

the AVB key is flashed to the Titan M

what if fab leaked keys?

that's how the Pixel implements verified boot for a custom OS

<strcat[m] "anupritaisno1: have another secu"> That'd probably drive the production costs up a lot

root of trust so hard to solve

anupritaisno1: it also demonstrates why it just doesn't make much sense

anupritaisno1: I don't know how other devices implement verified boot or if any even have a real implementation

the Pixel 2 used Qualcomm SoC features to implement it

earlier devices didn't have the same kind of verified boot (AVB) and instead relied on displaying the key id + the TEE enforcement (which still exists)

anupritaisno1: like a Pixel 1 or a Nexus 5X

they have verified boot

isnt TEE already broken

lets say an attacker exploits the device and gains root/kernel access

renlord: TEE is a generic term

renlord: don't know what you mean by broken

it doesn't have unpatched public vulnerabilities

anupritaisno1: lets say an attacker compromises the OS, gains root/kernel access

anupritaisno1: and replaces the OS partitions with their own, using their own key, and they have valid signatures / dm-verity trees

anupritaisno1: on a Pixel 2 or 3, it sees the key doesn't match, fails verification

red boot state

anupritaisno1: on the Pixel 3, the bootloader retrieves the key from the Titan M (in addition to whatever SoC enforcement there is)

anupritaisno1: when you do 'fastboot flash avb_custom_key avb_pkmd.bin' like our factory images do

that stores the key on the Titan M

the Titan M tracks bootloader lock state and is the main thing responsible for verified boot state storage for the OS

i.e. storing the AVB custom key (which can only be flashed when unlock), storing the OS rollback index, storing the bootloader lock state, storing the OEM unlocking state

How do I make f-droid work properly on GOS? I'm aware of the issue when downloading an older version of the app, but I don't think my problem is about that. I just installed f-droid for the first time, and it works for a while but then stops. Now I can't list apps, can't search apps or anything.

anupritaisno1: this is extra enforcement on top of the usual enforcement (like on a Pixel 2)

randomuser: nothing needs to be done that's special for GrapheneOS

randomuser: F-Droid is buggy, that's a problem everywhere, try clearing the app data/cache

Buggy indeed. Clearing the app storage worked though. Thanks!

randomuser: try aurora droid, I find it a better client, you can install it in f-droid.

thanks, I'll try aurora droid.

randomuser: this may be useful hub.libranet.de/wiki/graphene-os/wi…ki/Apps#Alternative_F_Droid_clients

I think my user account is at a different homeserver, rather than the Matrix one. Is it possible to move it, or do you have to sign up for a new account at the desired homeserver?

there's much better channels to get that knowledge like #matrix:matrix.org but its account per server just like you cant log in to gmail with outlook email

Anyone using keepass? Looking for suggestions on what port to use on grapheneos.

Dx

I will have to give Aurora Droid a try.

<BalooRJ "I will have to give Aurora Droid"> What's the difference with Aurora Store?

It's for F-droid, not Aurora Store

I just tried aurora droid. It doesn't seem to be able to download/install anything, even though I've given it the permissions...

there's also g-droid I think

a fork of fdroid with a nicer interface

and ratings

If I have two users on the phone, and one of them has wireguard installed (but not the other), set to "always-on vpn" and "block connections without vpn". Will the other user automatically use the vpn connection, or does it just use the internet without it?

<jalb66 "It's for F-droid, not Aurora Sto"> But it's made by the same developer

There is one called Aurora Store and other called Aurora Droid and it's the same developer

Ok, its an alternative to F-Droid

meltedcheddar[m], of course, but I was answering about what you posted before. This app is for F-droid

Aurora Store is for Google Store

Thanks!

Np

hi all, is there any news on definitive EoL date for the Pixel 2?

<AppAraat[m] "hi all, is there any news on def"> Most likely October 2020

Pixel 1 was guaranteed till October 2019 and got a December update (but interestingly not a November update)

Think there was a Pixel tablet that got 6 months longer than guaranteed

Dont think Google ever announced any of that.

<dazinism "Pixel 1 was guaranteed till Octo"> Same thing with the Nexus 6P iirc

Just have to wait and see....

dallemon: yeah, right, something like that

hmm, that should be just in time since I'll probably be able to get a Pixel 3(a?) in Sept.

Its a bit weird that they dont announce what they are upto.

<dazinism "Pixel 1 was guaranteed till Octo"> Pixel 1 was dropped in October here. The November update was not very important for Pixels specifically. December heavily effected Pixels

But I guess its similar with like iPhones

And I think maybe OnePlus, somewhat strangely recently released an update for a phone that was ~ 4 years old?

<dazinism "And I think maybe OnePlus, somew"> Samsung and it was a lot longer back than that due to their own specific issue. Though do keep in mind Samsung only has monthly patches on flagships only and it's only for 3 years. Galaxy S is the ONLY line that matches Pixel on updates. And that hasn't historically fared well.

Samsung A and M line start at quarterlies such is not acceptable

Samsung has Enterprise Edition lineup of phones that has better support than consumer devices

For the Enterprise Edition devices they also announce end of sales and end of support dates

Theres also android rugged devices, from various manufacturers that get 5 years...

They are more like warehouse / stock taking devices

Think it was the OnePlus 5 I was thinking of, which recently got an update

Update to android 10

Its 3 years since launch

unfortunately all those fancy enterprise devices are useless for the GrapheneOS project

including the samsung ones

but I really like the way manufacturers announce planned end-of-life dates for such devices

<dazinism "Theres also android rugged devic"> They don't get the latest Android version though

Will GrapheneOS be able to run apps that relay on Gapps in the future? I mean, is there any roadmap for a workaround?

> Will GrapheneOS be able to run apps that relay on Gapps in the future? I mean, is there any roadmap for a workaround?

There are plenty of apps that say they rely on Google, that still function fine on GrapheneOS.

That said, GMS will likely never be in the future for GrapehenOS.

Thanks God 🙂

I have an app called Vinyl on Graphene. Its a music player. I created a playlist but can't see it in Android File Transfer window. Does anyone know where playlists would get stored so I can drop tracks in it please?

Maybe seems a silly question but... I have a lot of music on my device, but I also listen to a lot of audiobooks. Always was a pain on iphone in that it would 'forget' which chapter of a book i was listening to, randomly, and obviously when I accidentally played a music file. Being a noooob to android completely, i just had an idea. Could I install two different audio player apps, and 'point' one to music folder and the

other to audiobooks folder, so the two players are separate with one doing music and one doing audiobooks?

<yekip[m] "Maybe seems a silly question but"> Usually yes, but it is of course app dependent

hi, I have a question. Suppose I want to use both mobile data and wifi, but... I didn't have Internet on my wifi. Since the reason I'm connected to wifi with my phone is to connect to a host that is only available via the wifi network. Would it be possible to have Internet via mobile data while still having access to that host via wifi?

Brave is currently 26 days behind Chromx on patches..

ForeverNoob: are you by any chance using your phone as a remote control of something?

yes, I want to connect to a server running on a raspberry pi (which is used as a wifi AP) running a service (mpd)

haha I did a very similar thing, I'm basically using my Pi Zero W as a jukebox connected to a nice DAC :p

It's sad when Firefox is a more secure alternative.. Brave needs to get on top of this

portable too, connected to 20MAh battery and everything. Could last for 12+ hours.

AppAraat: same here but I don't have it that portable, just as a media server for my living room

<cn3m[m] "Brave is currently 26 days behin"> No, it's not. It's at the latest version: github.com/brave/brave-browser/blob/master/package.json#L32

<cn3m[m] "It's sad when Firefox is a more "> Firefox isn't more secure. I've already told you this.

ForeverNoob: having said that, I remember trying and failing. IIRC you can't do the whole "host with no Internet" on a rootless phone.

(but if anyone here would suggest otherwise, I'm all ears (pardon the pun :)))

aww that sucks ☹︎

thanks dallemon

my potential "fix" for this is to get a cheap phone and basically use that as remote control, although I haven't tested it.

wtf, get another phone? :S

you can get pretty cheap Android phones these days AFAIK

<hapssmak[m] "Will GrapheneOS be able to run a"> Hey Gapps, the short answer is no because the goal of the project is not to add Google Play services to GrapheneOS. grapheneos.org/#grapheneos

> <@hapssmak:matrix.org> Will GrapheneOS be able to run apps that relay on Gapps in the future? I mean, is there any roadmap for a workaround?

* [Correction] Hey hapssmak, the short answer is no because the goal of the project is not to add Google Play services to GrapheneOS. grapheneos.org/#grapheneos

GrapheneOS is an open source privacy and security focused mobile OS with Android app compatibility. It's focused on the research and development of privacy and security technology including substantial improvements to sandboxing, exploit mitigations and the permission model. GrapheneOS also develops various apps and services with a focus on privacy and security.

from the website

<aeonsolution[m] "Hey Gapps, the short answer is n"> GrapheneOS/os_issue_tracker #204

madaidan.: that's a way better response; thanks for jumping in

<madaidan[m] "No, it's not. It's at the latest"> That's for release 1.12.23. The most recent is V1.9.80

They are over 3 weeks out of date. I can't see how the security architecture lead will help there

hey everyone, here an open call to those that have pixel 4 phones that want to help with the migration but dont have development experience

<cn3m[m] "That's for release 1.12.23. The "> The most recent stable release is github.com/brave/brave-browser/releases/tag/v1.10.90 in which the Chromium version is github.com/brave/brave-browser/blob/v1.10.90/package.json#L32

i will help you setup your device and your computer-if you have the system requirements-to prepare for the changes the developers are trying to test and push

please send me a message if you want more details

there are very few developers working on the changes

I just checked Android, Windows, and Linux and today I have 1.9.80(81) on all 3

so asking them to help you do that setup is not a great use of their time, given that we have a deadline for the 20th of this month

madaidan.: They might get in a few days, but that's creeping up on a month. I clean installed it just now

My Ungoogled Chromium took 3 days to switch to 83

without support for the Pixel 4, no other models will be supported

for that line

Ultimately Brave and Firefox both suck for security so it is moot

<cn3m[m] "Ultimately Brave and Firefox bot"> How can you put Firefox and brave in the same box?

Not saying brave is great, but that seems kinda silly

skwisgaar: I think he is making a reference to how they are marketed not necessarily that they are the same

as very secure browsers

aeonsolution I can agree with that, except for brave actually delivering on some of what they promise

And he specifically said for security

<skwisgaar[m] "Not saying brave is great, but t"> Brave is 26 days out of date and that's been a theme with them. I kept thinking it would get better after they stopped using electron (which was so stupid). Both are tremendously flawed browsers

<cn3m[m] "Brave is 26 days out of date and"> I agree with that, but being one month behind on chromium is still way better Firefox

Firefox has a terrible sandbox and lacks basic hardening. It patches on time. Brave has an excellent sandbox and basic hardening features. It doesn't patch on time. Both are terribly bad

I get what you're saying, also I can't validate most of this stuff myself. I'm just surprised to hear an equivalence like that, it seems to gloss over a lot of details.

cn3m: what do you recommend for browsing then? I am currently using chromium but would like to switch to ungoogled. Only thing holding me back is the lack of proper installation (only over aur not with pacman)

<stuux[m] "cn3m: what do you recommend for "> Chromium, Ungoogled Chromium, Whonix, Edge Chromium, Chrome. Any of those are going to be up to date

Edge Chromium with WDAG is great if security is the top concern. Ungoogled Chromium if privacy is

* Chromium, Ungoogled Chromium, Safari, Whonix, Edge Chromium, Chrome. Any of those are going to be up to date

ungoogled chromium shows up as unique on amiunique

Pale Moon has a good dev team

any privacy concerns with chromium?

even with ubo and https installed

Avoid Firefox, Brave, Iridium, Waterfox, and especially Pale Moon

no cookies enabled as well

<stuux[m] "any privacy concerns with chromi"> No just turn off a few less than ideal settings and you are good to go

great, thanks

any extensions recommendations?

currently using ublock and umatrix

<generateduser392 "ungoogled chromium shows up as u"> Fingerprinting can be far more advanced than that sites shows. However, fingerprinting is slow and not widespread(3.5% of sites use Fingerprinting and it's mostly canvas). Don't worry about this

<BalooRJ "Pale Moon has a good dev team"> Thanks for the laugh

Pale moon removed the little security Firefox had

They removed the sandboxing, Rust, etc.

Oh dear

Along with using an ancient version of Firefox

<madaidan[m] "They removed the sandboxing, Rus"> I wonder why

> Safe: forked from mature Mozilla code and regularly updated with the latest security patches

> Secure: Additional security features and security-aware development

Press (X) to doubt

<EssentialChaos[m "I wonder why"> They like old Firefox

<stuux[m] "any extensions recommendations? "> Less is more

<cn3m[m] "They like old Firefox"> But why disable security features?

<EssentialChaos[m "But why disable security feature"> RAM is a major one. Compatibility with old "insecure" extensions is another. Pale Moon is a great browser, but they security is abhorrent

* RAM is a major one. Compatibility with old "insecure" extensions is another. Pale Moon is a cool browser it does a lot of stuff I miss, but they security is abhorrent

cn3m: ubo and noscript together considered overkill?

<generateduser392 "cn3m: ubo and noscript together "> Just use uMatrix

Or a clean browser with network level blocking is what I do

No need to trust extensions

cn3m: setting up umatrix, best settings?

do I need https everywhere since umatrix already has force https in settings?

What are the best extensions for Firefox?

@altoslos:tchncs.de: umatrix

seems to combine multiple extensions into 1

> We recommend against trying to achieve browser privacy and security through piling on browser extensions and modifications. Most privacy features for browsers are privacy theater without a clear threat model and these features often reduce privacy by aiding fingerprinting and adding more state shared between sites. Every change you make results in you standing out from the crowd and generally provides more ways to

track you. Enumerating badness via content filtering is not a viable approach to achieving decent privacy, just as AntiVirus isn't a viable way to achieving decent security. These are losing battles, and are at best a stopgap reducing exposure while waiting for real privacy and security features.

<altoslos[m] "What are the best extensions for"> Open with Chromium

generateduser710: do I need that with ublock origin

<generateduser392 "cn3m: setting up umatrix, best s"> It's kinda pointless everything is all hosted by AWS and friends

<cn3m[m] "Open with Chromium"> Huh

@altoslos:tchncs.de I think it was a subtle reference that you should be using Chromium instead of FF

cn3m is expert

* @altoslos:tchncs.de: cn3m is expert

I don't like chrome on desktop

Does he have a github

<altoslos[m] "I don't like chrome on desktop"> Safari on a Mac then?

Or anything to prove that

<altoslos[m] "I don't like chrome on desktop"> ungoogled chromium

Firefox looks better on my windows

I would not sacrifice security for aesthetics

What virus cna I get on Firefox that I can't with chrome

beer virus (can't say that word without getting censored)

* beer virus (can't say that word without getting censored) /s

* beer/crown virus (can't say that word without getting censored) /s

Firefox has many CVEs used in the wild

Its security model is abysmal

<generateduser392 "cn3m is expert"> My expertise really is only for app design and privacy for mobile OSes. I've never worked in anything else directly

we're talking about mobile or desktop?

best browser for both still unG chromium?

<altoslos[m] "What virus cna I get on Firefox "> Firefox's sandboxing and exploit mitigations are terrible

@altoslos:tchncs.de mentioned desktop.

<generateduser392 "best browser for both still unG "> Nah, for mobile Vanadium is the best

using that

There's too many variables to determine the best browser for desktop, so it's inconclusive and is mostly usecase-oriented

<cn3m[m] "My expertise really is only for "> better than someone without any expertise in said field

Meh

I don't really care to switch

I consider Ungoogled Chromium the best for my usecase but others are different

does it support multiple profiles?

What is ur GitHub

<altoslos[m] "I don't really care to switch"> That's your decision, which is fine. I just wouldn't have have that mentality myself against security

IDK of ur just saying you're an expert,cuz I met a lot of people on here that just say that with no job in security

When did I claim to be an expert?

Not u

C3m

<altoslos[m] "IDK of ur just saying you're an "> Nobody said they were an expert

<generateduser392 "cn3m is expert"> madaidan.

I meant that c3nm has experience in this particular area

So what's the GitHub

<concat[m] "madaidan."> cn3m didn't say that

<madaidan[m] "cn3m didn't say that"> He didn't, but you said *nobody* did.

Unless generateduser710 is a nobody

I'm not tryin to start a fight here

that's fine, I'm anonymous

could be a bot

or not

I was just wondering

<concat[m] "He didn't, but you said *nobody*"> I meant that nobody claimed themselves to be an expert

What a coincidence I am also a bot

madaidan. Could've phrased better then.

madaidan. "they" could be interpreted as "cn3m" in that particular context

english not everyone's first language

concat: does ung chromium offer same amount of "hardening" firefox allows in about:config?

generateduser710 Elaborate on hardening, as most Firefox "hardening" is just theater

You still stand out with certain configs

that

most can be done by changing settings

I use that qbestie a lot

W e bsite

hence the " " marks

good start to learning about this stuff

Chrome has settings too but IDK if it is as customxieable as firefox

<concat[m] "generateduser710 Elaborate on ha"> damn boyo roast the fox some more

Changing a few settings will not substantially improve security

Most of those aren't sufficent for privacy or security in general.

At most you can reduce attack surface by disabling a bunch of things but I doubt anyone does that enough for it to matter

<madaidan[m] "At _most_ you can reduce attack "> Tor Browser obv does but it has its issues

Didn't u guys say you were not experts,so how do u know

<altoslos[m] "Didn't u guys say you were not e"> You don't have to be an expert to have a particular level of understanding. And madaidan is an expert

I'm not a browser expert but I am a Junior cybersecurity analyst associate in training

U do need to be an expert to understand hardening otherwise u don't know what ur talking about

just compare chromium.org/Home/chromium-security with the browser you want to use, and then make statements about how "x" browser is better

there's no need to fight over which browser is better based on personal feelings

nor is it productive to call out people for not being experts

<altoslos[m] "U do need to be an expert to und"> Nonsense. You can still have knowledge on hardening without officially being an "expert".

Show me ur guys GitHub contributions to security and I'll believe u

everyone has something to contribute

<altoslos[m] "Show me ur guys GitHub contribut"> github.com/madaidan

@altoslos:tchncs.de: you should read madaidans-insecurities.github.io/firefox-chromium.html

U are not madaidan

Let me see urs

<altoslos[m] "U are not madaidan"> No shit.

according to their ["brag sheet"](chromium.org/Home/chromium-security/brag-sheet) - "We dedicate thousands of CPU cores to fuzz projects such as WebKit, Adobe Flash or Chrome's PDF viewer." - holy crap.

<altoslos[m] "U do need to be an expert to und"> It's really not that complicated to look at the code and determine privilege in a sandbox, if they try to mitigation certain attacks at all (such as code reuse attacks). Firefox is so far behind a casual observer of the code would pick up on that

<AppAraat[m] "according to their ["brag sheet""> Google's fuzzing is amazing

They fuzz tons of open source projects

Pls link ur GitHub

@altoslos:tchncs.de: As an unbiased third party madaidan is the only one here who has been claimed to be an expert. The others are referencing information others much more knowledgeable have shared on twitter. Much of what they're saying is consensus among the security community. Check some of the people Daniel follows on Twitter, for example. They will agree with concat

Madidian has a good github

madaidan.: I wonder whether fuzzing would still be effective against Rust codebases.

<altoslos[m] "Pls link ur GitHub"> if u dont use gitlab, u're a scrub kidd0

Thankfully I do use GitLab

Who is making the recommendations for you to tweak a bunch of about:config tweaks to harden firefox? And why? A consensus of people in PTIO's issue tracker? I can believe that. But I don't believe for a second if you're saying people with more experience than any of us scrubs are suggesting it makes a significant difference

IDK I think it's weird ur avoiding a basic question and it's kinda reg flaggish

But it's only web development

Red

<AppAraat[m] "madaidan.: I wonder whether fuzz"> It would be. Just found github.com/rust-fuzz

<altoslos[m] "IDK I think it's weird ur avoidi"> *u're

I see a lot of people use firefox

<altoslos[m] "IDK I think it's weird ur avoidi"> Nobody here said, "I'm an expert" so I don't see why you're ranting about this

What are those people's credentials, since that seems to be your goto arguement?

<altoslos[m] "I see a lot of people use firefo"> I see a lot of people use shoes that don't fit them properly which hurts their health

It doesn't matter that you want about:config to make firefox's security comparable to chromium's

The fact of the matter is it's not

<altoslos[m] "I see a lot of people use firefo"> that is not a good metric for browser security though...

It's weaker in both semantics and implementation, to varying degrees on all platforms

<altoslos[m] "I see a lot of people use firefo"> Firefox has a very petty market share, and is only popular amongst the false permeating echo chambers that don't understand basic security models.

IDK why u guys are so defensive lol

<altoslos[m] "I see a lot of people use firefo"> I see a lot of people that don't drive well. They would do much better to use turn signals

concat: where can I find link to download ung chrome?

not able to find it on their site

generateduser710 ungoogled-software.github.io/ungoogled-chromium-binaries

I have already left too many rooms for randoms giving me uneducated opinions,I don't wanna leave this one too, I wanna know who is trying to give me opinions

And what experience they actually hace

I don't think that's crazy

<concat[m] "generateduser710 ungoogl"> Don't use that random builds from random people that are mostly out of date. Build it yourself

If I said I know a lot about medical stuff would u let me do brain surgery on u

<altoslos[m] "And what experience they actuall"> most people, especially in security, prefer not to explain their actual titles and positions

@altoslos:tchncs.de: The way I've seen this conversation unfold, The conversation in general heated up when people's credentials were all called into question. If you want recommendations my advice (as I mentioned above) is to follow Daniel and the people he follows on Twitter

They do this for a living and know more than us

<fluoridatedsheep "most people, especially in secur"> at least in the classified realm

Is a good guide aimed at people in the real world, with easy to follow suggestions

<cn3m[m] "Don't use that random builds fro"> He was asking for a place to download them, not build from source. Also the Debian maintainer is not from a random and is usually updated oftenly.

Introduced to me by Daniel himself on the sub some time ago

<cn3m[m] "Don't use that random builds fro"> can I send you a direct message for more info?

Building from source is more preferable if you have free time on your hands (which I do often)

<concat[m] "Building from source is more pre"> noob at this, don't know how to build

It takes me 30 minutes to compile UC

<altoslos[m] "IDK why u guys are so defensive "> Idk why you're so offensive

<generateduser392 "noob at this, don't know how to "> I assumed as such.

precompiled next best thing

<jcpicard32[m] "techsolidarity.org/resou"> That's a very good underrated guide

If I was hiring someone and asked for their resume, and they got angry at me and handed someone else's resume, would u trust they are capable

<generateduser392 "can I send you a direct message "> It's got a guide on the GitHub

<altoslos[m] "If I was hiring someone and aske"> people are asking you for credentials too though

cn3m: Thanks. At one point on the sub Daniel brought it up in conversation. Since I definitely trust his advice I saved the link and bring it up when discussing as I'm not knowledgeable enough to make better recommendations yet.

generateduser710: just use Chrome or Microsoft Edge. You can opt out of data collection and they are very safe and good

madaidan.: Reading your github.. I knew about somehow inversing speakers to act as a microphone.. but I never knew gyroscope could be used effectively as a mic

@altoslos:tchncs.de Firstly, nobody was angry. And that's a false equivalence as stating your own rule of thumb is not the same as applying for a job. And you're building this illusion that people were pretending to be experts when they're not.

<cn3m[m] "That's a very good underrated gu"> 6. "Don't use an Android phone, use an iPhone instead."

<fluoridatedsheep "madaidan.: Reading your github.."> Lots of sensors can. Accelerometers, compasses, etc.

Now I know why techlore said this room is bad

<altoslos[m] "Now I know why techlore said thi"> techlores security channel is mediocre at best tbh

<altoslos[m] "Now I know why techlore said thi"> lmao

<altoslos[m] "Now I know why techlore said thi"> ¿

<madaidan[m] "Lots of sensors can. Acceleromet"> so you're saying i stabbed my microphone with a screwdriver for no reason?

<AppAraat[m] "6. "Don't use an Android phone, "> That's always good advice. Android shouldn't be used unless you are very knowledgeable. The stores and permissions are too bad. If you really know what you are doing use GrapheneOS

madaidan.: read your github on linux, which os do you suggest?

cn3m: but GrapheneOS is based on Android and only supports Android phones, no?

AppAraat I think you're taking what he said out of proportion.

AppAraat GrapheneOS accounts as an Android phone but he was specifically referring to stock

<fluoridatedsheep "so you're saying i stabbed my mi"> Probably

<madaidan[m] "Probably "> :'(

I think they were comparing stock android to ios

<generateduser392 "madaidan.: read your github on l"> Mobile devices have a great security model.

concat: in that case the guide should say so as well. Even when tech-oriented people read it, they'll think that about Android phones in general.

<madaidan[m] "Mobile devices have a great secu"> for desktop

<concat[m] "AppAraat GrapheneOS accounts as "> I was referring to Android in all it's forms. There are issues with all them. GrapheneOS with a knowledge user is the only one I consider superior to iOS, but it's close

<generateduser392 "for desktop"> QubesOS (as long as you use a secure guest), Windows 10 S, ChromeOS and macOS are the only good options really.

AppAraat: This guide was written with most stock builds in general. If an average user wants the most private and secure phone available today, they should get a current generation iPhone. GrapheneOS seeks to do substantially better than that. In its current state it is largely comparable. However it's an a very early state of development and requires the user making compromises, as apps they are used to may not

work or have reduced functionality. It's also much less accessible as the user has to flash it themselves

iPhones are what the average person and all their family should use

AppAraat I don't think it should, it's targeted at novices and GrapheneOS is certainly not for a complete novice. The article is meant to be short and simple without any nuances.

The desktop in general is pretty insecure though.

Keep in mind who the guide was targeted for. All of the recommendations made in it were designed for an average user to follow easily

qubes is so cumbersome as to be not usable for most people

Qubes is jsut a one-trick pony.

* Qubes is just a one-trick pony.

plus relying on tor for everything

iOS and iPhones are 5 years ahead of Android in general for privacy and security. GrapheneOS is around the same lead

<madaidan[m] "The desktop in general is pretty"> Part of the reason why I think phones with a mimicked computer set-up could be the future

* iOS and iPhones are 5 years ahead of Android in general for privacy and security. GrapheneOS is around the same lead. The Android ecosystem holds GrapheneOS back even though it's largely better

> QubesOS (as long as you use a secure guest), Windows 10 S, ChromeOS and macOS are the only good options really.

I should show this to someone, who's using Linux-libre :P

i always assumed an airgapped PC with an easily pullable external battery, no mic or webcam with kicksecure would be the best bet over a device that is constantly pinging towers and receiving inbound connections

Windows S on a Secured Core PC is probably the way to go right now

<cn3m[m] "Windows S on a Secured Core PC i"> i want that cloudready without a goog account

ARM MacBooks are appealing too

<cn3m[m] "Windows S on a Secured Core PC i"> More of a ChromiumOS guy personally but W10 does try when it comes to security

Wait, I have a question: if you use Windows 10 S, is the Sandbox also S or can it install win32 apps?

<fluoridatedsheep "i always assumed an airgapped PC"> Use airplane mode. It works on Pixels and iPhones

<EssentialChaos[m "Wait, I have a question: if you "> You are looking for Windows 10 X, but that's not out yet

<cn3m[m] "Use airplane mode. It works on P"> Ah, it's usually on if im in my apartment

<cn3m[m] "You are looking for Windows 10 X"> I mean Windows Sandbox™

Windows 10X is Windows 10S with a Win32 sandboxed domain

<cn3m[m] "Windows 10X is Windows 10S with "> No, it's different in more ways

It breaks anti cheat, but that's pretty much it

jcpicard32: concat : If the guide is for novice users, then I think some thing should be clarified. Like the word passphrase. People know what a password is, but wouldn't know what a passphrase is.

It has atomic updates and a design closer to a microkernel

* jcpicard32: concat : If the guide is for novice users, then I think some things should be clarified. Like the word passphrase. People know what a password is, but wouldn't know what a passphrase is.

That's fair. I didn't write the guide, so I can't immediately change it of course. I suppose I could contact the author with that suggestion.

<EssentialChaos[m "It has atomic updates and a desi"> That's true it's pretty awesome

Maciej Cegłowski runs the site

<cn3m[m] "That's true it's pretty awesome"> I hope it'll still have WSL

<EssentialChaos[m "I mean Windows Sandbox™"> I'm not sure, I'd love that

cn3m btw, have you used OneGet?

<cn3m[m] "iOS and iPhones are 5 years ahea"> There are trade offs, android is generally cheaper, offers a broader variety of devices and can run apps that iOS would dream off.

My dream right now is to have several laptops with different OSs to test which setup suits me best

<concat[m] "cn3m btw, have you used OneGet?"> What's that?

Uhh some Windows package manager thing I've mostly just heard about it

Interesting. How does it compare to Chocolatey. That's the only other like it I've heard of

* Interesting. How does it compare to Chocolatey? That's the only other like it I've heard of

Oh just looked it up and looks like they're the same?

<AppAraat[m] "jcpicard32: concat : If the guid"> It's meant for everyone. It's very reasonable for 99%+ of the population

Apparently it can use Chocolatey's repos

Never mind they're not but looks like there's a plugin that lets it get chocolatey stuff

cn3m: I think you are severely overestimating the knowledge and skills of the vast majority of the people that use a computer.

<xabi[m] "There are trade offs, android is"> Privacy and security is what's being considered

I guess it's a similar case with Android and iOS where there's too many variables to truly conclude which is better than the other. Like, iOS is usually better as an out of the box sort of thing but GrapheneOS could be better for some people. In terms of stock I think iOS is a clear-cut winner though.

<AppAraat[m] "cn3m: I think you are severely o"> He isn't, most of the advice requires the most basic comprehension skills. I think it's you that's lowballing them.

<AppAraat[m] "cn3m: I think you are severely o"> I disagree. Most people don't see the problem with SMS or email. There's a reason they're still standard in the US and other places despite objectively superior replacements being available. For as much good information as there is there's a lot of bad information on the internet, particularly regarding privacy and security. For example, guides recommending users

secure themselves using desktop linux, firefox and lineage OS

Substance largely doesn't matter to people, who are often unwilling to examine the veracity of their sources past what Google tells them

What's obvious to us may seem pointless but keep in mind this room is a self-selecting group to begin with

It's best practice to assume people know nothing, especially when they can secure themselves quite well without having to learn to code or install obscure software

But I mean like... most people don't even know what a web browser is. Like the really really basic stuff. If this is written for those kind of people then I have my doubts about its efficacy.

But I do only now see the first thing that's pointed out: "Basic security precautions for non-profits and journalists in the United States, early 2019." - So I guess that narrows it down a bit.

<AppAraat[m] "But I mean like... most people d"> Who is "most people"? In general? No freaking way. Elderly people and infants? Ok, maybe.

I have to go eat dinner. Nice talking with you all!

jcpicard32 Bon appetite.

I know it sounds silly and unbelievable, but it's common to think this way. It's normal behavior to surround ourselves with people that are more like us, and thus know more about technology, but the vast majority of people are just really in the dark when it comes to technology.

I believe reading a few years ago that 80%+ smartphone users in the US don't install any additional apps on their smartphone.

(let me try and find the source)

It is just silly considering how standardized technology such as phones and computers are for our millennials. To say that most people don't know what a browser is without any sort of source makes it hard to believe. Not to be fallacious and say you're wrong because it sounds absurd, but without any evidence and seemingly appeal to common sense I quite frankly stand by my perspective that most people do know what a

web browser is if we're speaking in general. Especially if they're looking for security/privacy guides.

* It is just silly considering how standardized technology such as phones and computers are for our millennials. To say that most people don't know what a browser is without any sort of source makes it hard to believe. Not to be fallacious and say you're wrong because it sounds absurd, but without any evidence and seemingly appeal to assumption I quite frankly stand by my perspective that most people probably do know

what a web browser is if we're speaking in general. Especially if they're looking for security/privacy guides.

<AppAraat[m] "I believe reading a few years ag"> That doesn't necessarily indicate they don't know what a browser is. They could just like their default browser.

That wouldn't be a valid statistic to base your claim.

<concat[m] "I guess it's a similar case with"> iOS largely dominates for all but the 1% of technical users which really should only use Graphene and maybe CalyxOS

If there were a study on how many people actually understand very standard terminologies and it supports your narrative then I'd concede.

I can't find that article, but I bet if you ask most of those people whether they know what a web browser is, they wouldn't know.

<cn3m[m] "iOS largely dominates for all bu"> Yeah but that doesn't really matter. That wasn't about the article but a statement regarding which can be concluded overall better objectively. I think for a more in-depth guide I would mention GrapheneOS but seeing the demographic the guide previously linked was attempting to target it makes sense to just advice the general best option for everyone rather than additional

suggestions for technical users.

Also, I base my claims based on stuff I read (wish I'd bookmark more) and also working in tech support :p

<AppAraat[m] "Also, I base my claims based on "> Anecdote isn't really a viable source to base claims.

I know, I was only half-kidding.

I'll try to find better sources once I have more sleep in my system.

Do you have any specific sleep schedule?

On weekdays I usually go to sleep at 21:30 - 5:30

I have a very specific sleep schedule, it's called "Try falling asleep anywhere except sitting in the bathroom"

* I have a very specific sleep schedule, it's called "Try falling asleep anywhere except in the bathroom"

it's hard, but I try my best

especially in the bathroom*

I mean falling asleep isn't the hard part, it's usually the waking up that takes getting used to