<TheJollyRoger "anne232: github.com/Pete"> That's a link I hadn't seen, I saw the other one and had read it several times. Brilliant write up, thanks for putting your time into producing that JR.

My messages on GrapheneOS aren't populating normally. My phone will send and receive messages fine but the message, when sent, will be found at the very top of the conversation. I've reset the phone, force stopped the messages app and have deleted conversations. Any ideas for fixing this issue?

Hey yekip[m] glad you could make use of it!

Hi lucky[m]2, can you check your clock for me...?

Its local time

Okay, huh, odd.

It was set to be about 5 hours behind today though. I manually fixed it

Since I noticed semewhat similar problems when my phone's clock was set to the wrong day, it would cause messages to arrive "yesterday" even seconds after they came in.

Hmm. Maybe that's not it then. I'll keep an eye out.

Just curious...what do people use as their default SMS app for GrapheneOS?

I've been using it for over a year now, been rolling with Silence but curious if there's anything better out there. Signal gave me serious problems of lots of unreceived text messages so I won't be using them for SMS ever again.

I usually use Signal as the default SMS app, but I don't usually get many SMS messages these days.

Aah. I need my phone to not have messaging problems. I'm trying to have a conversation with my realtor

Ah yikes.

Well - hopefully it works

Fingers crossed!

Thanks man TheJollyRoger :)

<BalooRJ "Just curious...what do people us"> I just use the default one inside Graphene. I keep gettin tempted to use Signal but being a forgetful sod I worry that I will get some overlap and forget. The SMS app feels dirty to me as it's only for SMS which reminds me to minimise my use of that technology as much as poss! SMS app seems to work nicely though

I have just installed Riot on Graphene, never used it on any device but desktop before. I haven't even signed into my account yet, and when i booted the phone up I saw a background process running for Riot app. Is it possible/advisable to disable that for battery?

JR - deciding between which apps to run in second user account, versus inside Shelter work profile. If we say second user option is 10/10 for security/privacy (even if it isn't!), what would you rate Shelter option at, out of 10?

i just made a folder for apps i didn't want./need to look at often/at all. Calendar for example. Not sure if that's what you mean by hide

homescreen, or in my case, the second one after swiping right, extra layer of "hidden" :D

i have a few handy but rarely needed apps like scrambled exif and others. i stick those inside a folder of home screen icons and drag that off my main homescreen. hidden enough for me, but the feds will find it ;)

in About Phone under "Phone Number" mine says "Unknown". Is that normal? (I have a sim in)

<BalooRJ "Just curious...what do people us"> Personally I'm a fan of QKSMS - looks great and works great from my experience, highly recommend.

> <@freenode_BalooRJ:matrix.org> Just curious...what do people use as their default SMS app for GrapheneOS?

* Personally I'm a fan of QKSMS - looks great, is available on F-Droid, and works great from my experience, highly recommend.

Welcome

<yekip[m] "I have just installed Riot on Gr"> On riotX you can't disable that and it use a lot of battery for me, on the old app you can dusavke background sync

I

thanks I'll have to give OKSMS another try

* On riotX you can't disable that and it use a lot of battery for me, on the old app you can disable background sync

QKSMS

* On riotX you can't disable that and it use a lot of battery for me 20% in 2 days, on the old app you can disable background sync

* On riotX you can't disable that and it use a lot of battery for me, 20% in 2 days, on the old app you can disable background sync

* On riotX you can't disable that and it use a lot of battery for me, 20% in 2 days, on the old app you can disable background sync but can't edit messages and there is some others missing features

<greenmoon[m] "On riotX you can't disable that "> thanks. i dont have RiotX so hopefully my battery will survive

So you can adjust sync settings on the Riot app

The default setting is to optimize the battery and sync every 60secs, not sure his much battery it use compared to riotx which sync constantly, it probably use less battery

* The default setting is to optimize the battery and sync every 60secs, not sure how much battery it use compared to riotx which sync constantly, it probably use less battery

* I think that the default setting is to optimize the battery and sync every 60secs, not sure how much battery it use compared to riotx which sync constantly, it probably use less battery

* I think that the default setting is to optimize the battery and sync every 60secs, not sure how much battery it use compared to riotx which sync every fez seconds, it probably use less battery

* I think that the default setting is to optimize the battery and sync every 60secs, not sure how much battery it use compared to riotx which sync every few seconds, it probably use less battery

Hmm, looks like only the default messages app is compatible with KDE Connect

anyone know if there is a way to restore the plain text export of text messages from silence into the default messages app?

I was wondering why I couldn't get that working earlier...I wonder why that is in KDE Connect

Wow I just checked my messages sent and in the old riot app it don't show edited messages and it's like I was spamming lol

so i have a somewhat ignorant question here so.

Does graphene OS do anything w/ regards to IMEMI IDs, hardware ids whatever

Does it do anything to prevent, change or spoof the IMEMI? bc i know imemi is a unique identifier that is sent to the carrier when you connect to a network

No it don't do anything

So, in other words, the unique IMEMI that every phone has, will always be the same no matter what you do?

You mean IMEI probably

IMEI* i meant

yes

LOL

sorry im a little drunk

IMEI or MEID depending on your carrier

or if you're lucky your phone has both and you can switch between the two

anne232_: From grapheneos.org/faq#cellular-tracking

"GrapheneOS always considers the network to be hostile and does not implement weak or useless mitigations. Therefore, it does not have the assorted gimmicks seen elsewhere providing privacy/security theatre to make users feel better about these issues. One of the core tenets of GrapheneOS is being honest with users and avoiding scams/frills based around marketing rather than real world privacy/security threat

models."

Emei is not depending of your carrier, it's tied to the phone

eh, that is a little vague but i get you

so let me just ask straight up, is there anything to do about imei and similar unique device identifiers?

Because I don't like the idea of buying a device online, having those unique identifiers tied to that device forever

therefore being tied to my name or purchase method, etc

Buy it from a physical shop then

Buy it from a physical shop with cash if you're concerned

hmm. you think it may be hard to find the device i want exactly? and it having an unlocked bootloader and such?

According to the FAQ only privileged apps included in the base system can access hardware identifiers such as the IMEI.

that wouldnt really protect me from the carrier tho would it?

I feel as if the main barrier to privacy w/ regards to IMEI is probably your carrier?

If I were you, I would have the potential seller ensure that they "enable OEM unlocking" is not greyed out in the developer options

And don't buy the phone if they aren't willing to refund/replace if it doesn't work for you

i mean i'd like to prevent spending an extra 300$ if i can help it

As was alluded to in the excerpt above, Graphene considers the network to be hostile. If the cellular network tracking is a concern, the official advice is to put the device in airplane mode, disabling the cellular radio capabilities

If you're walking into a physical store, rather than buying second hand, the device will most likely be new

yeah, i get that, its just not exactly always practical.

Don't put a SIM and use only WiFi then

I just wish there was as way to spoof your IMEI or something.

anne232_: JSYK apps can't see your IMEI

as i mentioned a minute ago, thats not really my concern.

Use VoIP?

I think it's illegal in most countries to change imei

LOL like i'd care about that.

Its legal in the usa

well i dont have to worry anyways in that case

ID bet it legal in Canada as well

even if it is illegal ppl should do it anyways lmao

but seriously, is there any easy way to change it?

i guess im probably asking this in the wrong place but idk who else i'd ask

in some phones the IMEI is just in the nvram and you can change it, in older phones

this probably wouldnt apply to any of hte pixel phones?

in more modern phones it can only be set once at the factory, and then some one-time fuse burns and you can't change it any more

I don't think you can in newer phones with snapdragon SoC

if someone wants to figure out how to do it on pixels the calyx institute will pay a bounty

and then we will release the code for free

for the purpose of privacy

It hasn't been figured out yet afaid

not fraud

* It hasn't been figured out yet afaik

See reddit.com/r/GrapheneOS/comments/fb05oo/imei_and_esim_and_imei

I'm sure there are lots of things you can do with qualcomm SoC's that are not documented

strcat: the build finished successfully, but getting an error when trying to use avbtool

Invalid syntax when trying to extract_public_key

Could this be python2/3 related?

dallemon: run it with python2

python path/to/avbtool

Will do. Just finishing breakfast. :)

hm. i made the the avb.pem without a passphrase and avbtool is constantly prompting for a passphrase

so i just put something in and it proceeded a little bit, now errors with "unable to load public key"

nickcalyx: I do not think it's legal to make / sell hardware where changing the IMEI is possible

nickcalyx: devices often have bugs that make it possible

but I don't think anything short of exploiting the baseband (which has sandboxed components within it) would accomplish anything

it's legal as long as you don't do it for the purpose of fraud. I had lawyers from harvard research it for me

regenerating keys with a password

nickcalyx: it's legal if you build the radio yourself

nickcalyx: I'm talking about selling commercial products

like, it's not illegal to figure out how to exploit the modem and make it do this

what's illegal is a company like huawei, qualcomm, intel, etc. making it possible to configure

because part of them selling the radios is having them certified and part of that is not supporting this

nickcalyx: it is possible on some flip phones, etc. because of vulnerabilities - not because it was intended to be that wayt

* nickcalyx: it is possible on some flip phones, etc. because of vulnerabilities - not because it was intended to be that way

for example broken / incomplete verified boot or storage access controls

where people are able to load custom firmware or overwrite provisioned IMEI

a security update would fix that correct?

it's not intended - at least they would need to claim it wasn't intended

strcat: setting a password for keys fixed it.

I've always heard stories of shady phone repair kiosk type people having some type of diagnostic / maintenance software that lets you change those settings

dallemon: maybe you only set a pass on some keys not all

dallemon: not using a pass works but it has to be consistent - all no password, or all with password

nickcalyx: flip phones often did this insecurely and it was possible to overwrite the data where they stored IMEI

or overwrite their firmware

because they had insecure / incomplete verified boot, etc.

You can edit the imei

there are still phones and products like that

yeah, I think it was in nvram

But not on grapheneos

And probably not on the pixel stock ROM either

anupritaisno1: editing the actual IMEI used by the radio? on which device

Google would patch it and then it would be useless in my limited understanding

If you have a Qualcomm device that isn't from google you can probably enable a hidden engineering mode strcat

From where you can enable Qualcomm diag

anupritaisno1: I don't think it's possible on modern Qualcomm devices

anupritaisno1: not on production ones

You can write the imei yourself and even do band unlocking

Well oneplus allows it

I think a couple of xiaomis do too

anupritaisno1: do you have any references on that

yeah probably as part of their other security flaws - it is not supposed to be certified if they allow it though

The imei is written in reverse and padded with 0s to a modemst{1...9} partition

so the problem is you'll only ever find devices with other issues

I think it might be possible on pixel

there's a common feature phone where you can edit it because they have broken verified boot

Nothing stops you from dumping modemst partitions, hex editing them and flashing them back to the phone

and there's a huawei family of cellular dongles

where you can edit it because they screwed up the security

Those partitions aren't verified btw

There is no verification for the imei partitions

anupritaisno1: afaik it's not supposed to be possible to change on production devices

Well it is

As long as carriers make carrier locked phones

Such obscure interfaces are going to exist

They want to set bands, change IMSI on their will and a lot of other stuff and lock users into their ecosystem

I was saying earlier that if someone wants to help me figure out how to change the IMEI on the pixels then calyx would pay a bounty. And then I will release the software as open source

The stock Qualcomm backdoor used to flash the operating system on the first time cannot write imei so this interface is used to write imei

You just have to set USB mode to diag

nickcalyx: no

Just because you can do it doesn't mean you should

This feature exists so that a service center for instance can rewrite your imei

Or a carrier could band unlock your phone

I am interested in finding ways to prevent easy geolocation spying

that's my angle

Not because you want to change the imei

That's illegal

no it's not illegal, not in my country anyway

As for google

Only the angler edl tool was leaked

it's totally legal as long as your purpose is legitimate and not fraud

And we don't have a way to use edl on angler

Nah not gonna try this in India

Anyway the answer is Qualcomm diag

oh you're in india, yes I actually also got a legal opinion from lawyers there. it's not legal there.

well if you have any pointers to more reading, or if you know someone that knows about this stuff but isnt in india...

Would this be immune to a vendor patch? That is the part I am lost on

XDA is your friend

^ heh

Also the drivers you'll need are on windows update

For Linux use bkerler's diag tools

radixed9: yes

good tips thanks

If you visit 4pda

You'll also see some tips on how to use the unbrick tools to recreate your own bootloader

Now whether your own boots or not depends on your OEM

do you guys always have the latest Android version as a rule?

@nickcalyx:matrix.org what is your Android version policy like?

cn3m: well you could easily build pixels

But other devices not so

right someone asked me privacy wise what the difference CalyxOS is from Stock with gapps disabled

not sure exactly what you're gaining privacy wise as a rule across all devices

cn3m: tell him about the whorls of a flower and what calyx means /s

will do salutes

strcat: so, final step of release.sh failed when calling signify_prehash.sh due to ubuntu using signify-openbsd and not just calling it signify

Is anyone here involved in the CoraLibre project? Might be interesting for you as well: github.com/theScrabi/CoraLibre-android-sdk

<cn3m[m] " @nickcalyx:matrix.org what is y"> come ask in #calyxos .. don't want to hijack this channel

dallemon: just disable that step

dallemon: well you have everything anyway

it's the final step

@nickcalyx:matrix.org will do is that irc only?

dallemon: I could hack around that, it's annoying

i just made a symlink for signify > signify-openbsd

running release.sh again

no it's matrix-irc bridged

dallemon: you should probably remove out/release-BUILD_NUMBER before running it again

dallemon: you didn't really need to run it again but need to now

cest la vie :)

#freenode_#calyxos:matrix.org right?

cn3m: invited you

Thank you

dallemon: archlinux it is

paintedman you free today?

anupritaisno1: I'll be free in 5-6 hours

anupritaisno1[m]: iirc modemst1 and friends don't exist on Pixels

anupritaisno1: you want me to check something?

strcat (@strcat:matrix.org): it boots fine and can lock bootloader. As expected WiFi is broken. Cellular data works. Face unlock works.

dallemon:

WiFi fix coming today

 

I will try other stuff a bit later, need to leave for work now.

I found a rather weird stuff today. I saw a G020G pixel 3a which is supposed to be unlocked, yet it is found in verizon imei database..?

That seems to be confusing. Isn't it supposed to be just fine and OEM-unlockable?

That... wasn't supposed to happen right?

so far most stuff seems to work :)

graphene coming to pixel 4?

I think there is exprimental support in the developement branch

furofuro_01: it's the device model that matters

you can use a non-Verizon model Pixel with Verizon - no problem with that

the package says if it's a verizon pixel or not (device model)

ok, i have tested the following: face unlock, camera, usb dac (audio), flashlight, camera, gcam (with minimal provider), alarm, cellular data, location, calls, sms, bluetooth transfer. and it all works

auto rotate as well

dallemon: but does WiFi work?

Anyway don't test it like that

There's a CTS Verifier app

Use that

Test whatever you can reasonably test

anupritaisno1: no, because the source is from yesterday :)

where would i find this cts verifier app? :)

this?

dallemon: you probably want the normal CTS

if you want to test it like that

CTS == the normal test suite (uses apps and adb to do extensive automated tests)

CTS Verifier == tests that cannot be automated, mostly extra camera stuff on top of the main automated camera tests

<strcat[m] "the package says if it's a veriz"> Impossible sadly because it's secondhand

Not sure what are the chances that regulatory model is tampered or something

strcat: currently i have just been using the phone with some of the usual things i will use, not noticed any issues yet, apart from wifi not working :) want to do a bit more thorough testing if ican though

<strcat[m] "CTS == the normal test suite (us"> CTS at the moment is useless

We need to have all hardware features 100% except some like active edge working for CTS

CTS verifier failures can be noted though

I installed K9 Mail. Its doing background refreshes. I would like to limit syncing to when I open the app and drag down to refresh. Is that possible? I went through all K9 settings and nothing relates to this

also found a strange oddity in call settings. I opened up call forwarding options and it offered to forward all calls to some cell number i have never heard of. wondering if that's the old owner of this phone i bought second hand. Need to be careful with that if so!

Its the voicemail probably

<yekip[m] "also found a strange oddity in c"> Call settings are usually pulled from your provider

If you removed the number you have disable your voicemail

Disabled

haha. thanks, I have just turned my voicemail back on!

<notmyname723[m] "turn on limit background data us"> thanks. so is that two separate things 'background data usage' and ' battery in background'?

thx

sorry but can't find anythijg in settings for background data usage. searched and wentt through all results.

ha, can't find background battery usage either. i found battery optimizer, and K9 Mail is set to optimized so I guess thats the only option and its already sey

<notmyname723[m] "go to k9 mail app in settings"> i dont see K9 Mail app in settings. do you mean go to K9 app's settings?

i found background sync in K9's own settings page. that's set to off. weird, because it pinged for a new email when the app wasn't in focus. maybe i actualy have to quit the app altogether to stop it syncing. i can live with tyhat if so

Update folks: i was in contact with tutanota

Apparently, they don't have any partnership with copperhead at all

They just asked for their permission to post their image on the copperhead website as they come with tutanota pre installed

wow, good to hear!

They do NOT endorse it

I have it confirmed

hopefully after hearing a few grumbles they will never endorse it

Im trying to get them to retract the permission

This truly is one of the pros of being behind the wheel of a significant privacy organization, services take you seriously

<blacklight447[m] "This truly is one of the pros of"> just don't get drunk behind the wheel ;)

<notmyname723[m] "or touch n hold the app on homes"> did that. there are some settings but i have already seen them. so there is network settings and its either allow network access, or not. nothing about background syncing. still hunting around thanks

ah. GOT IT! thank you!

tucked away in there was anotgher network option for background data. weird it didnt come up on search, but then it isn't in main settings app so that makese sense. sorted. much appreciated

does anyone know if it makes a significant difference on battery life to have two user accounts running permanently?

<blacklight447[m] "This truly is one of the pros of"> What about theymir partnership with that random af linux phone

?

renlord I need help with an selinux denial

avc: denied { execute_no_trans } for comm=4173796E635461736B202331 path="/data/app/com.nutomic.syncthingandroid-CrK2Oi_6UwwLkTcdpnHw8w==/lib/arm64/libsyncthing.so" dev="sda13" ino=2573634 scontext=u:r:untrusted_app_27:s0:c104,c257,c512,c768

tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0 app=com.nutomic.syncthingandroid

Should I allow it?

It causes an app crash

I'm asking because it is an _app domain and editing stuff is risky in those

Is it the same to stop an app in GOS than stopping the app in Android 10?. When it's stopped, will it be like disabled?

<jalb66 "Is it the same to stop an app in"> Yes.

cx2[m], thanks, and the second question?

I see it remains stopped

Right, it will be disabled.

THanks, sometimes you can't disabled an app and the only option is to stop it

THanks, sometimes you can't disable an app and the only option is to stop it

Keep in mind that theirs a small battery tax for continuously enabling and disabling apps.

cx2[m], in this case it was to change the SMS stock app to QKsms

<jalb66 "THanks, sometimes you can't disa"> Likely system apps

Message app can't be disabled

So I stopped it

That should work....besides if you set qkms to your default sms, that should work anyway.

<blacklight447[m] "?"> I can't remember the name of it, but there was a Linux-based OS phone specifically marketed at privacy folks that Tutanota had a partnership with

Yes, I did

And it works very well, at least it has Dark mode 🙂

And I removed the permissions to the Messages app

And gave it to QKSMS

I hope it's safe to use this app

hypokeimenon[m], maybe Pine64?

No, it was smaller

I'll never remember the name, ugh.

I think it had an O in it.

Probably crowdfunded.

UnaPhone Zenith

UnaPhone.. was what I was trying to remember. tutanota.com/blog/posts/una-phone-zenith-crowdfunding

Yeah, thanks.

hypokeimenon[m], I'd like to know what are they using... We developed UnaOS, an Android based OS, with security and privacy in mind

Or if they are some scammers

It seemed pretty scammy from the outset, to be honest. I'm surprised Tutanota associated themselves with it.

Ok, thanks

is there any way to turn off this silly "say why you called" prompt after making phone calls?

* is there any way to turn off this "say why you called" prompt after making phone calls?

UnaOS seems to just market themselves

Not even FAQs, Github or similar for the codes, nor as clear installation insturction or proofs (that are rigorous) as GrapheneOS

-sighs-

Also, using Android 6.0.

lol

Yeah haha

I rather have a minimalist design but informative website like GrapheneOS

Ha ha

The future is here they say 😀

Android 6... it's like a meme

<jalb66 "Android 6... it's like a meme"> It's a post from 2016

Lol, they didnt even release a new phone

Not even a single word from privacy community about it

EssentialChaos[m, ah ok

<EssentialChaos[m "It's a post from 2016"> Oh. Still though, what happened to them

It kinda just died flat

GrapheneOS is an open source project rather than a product so it doesn't make sense for the website to be some flashy product site

when it's at the point where we're partnered with a company and selling a phone with it

there can be a site for that product

🙂

No it's not that though. I prefer it that way.

Yeah

I actually appreciate it, that there are developers who had made an actually secure and private OS for android users.

<strcat[m] "GrapheneOS is an open source pro"> To be honest, yeah. Wasn't being that rational earlier.

right now we are focused on keeping the project going and we can figure out how to actually achieve the goal of making custom hardware that's truly privacy/security focused

at the very least it needs to match Pixel security which is HARD

Do you remember what was the bad thing about xmpp?, in fact I love it and I use it but... I know it's not very secure

cannot just partner with some manufacturer and produce some reference device with minor changes

because it'll be substantially worse (missing security chip and so on) and they'll probably lack the same effort put into securing it - so very easy to miss stuff and have a totally fucked up device with a lot of security holes just like companies like OnePlus

it's not easy just to match the status quo

<strcat[m] "cannot just partner with some ma"> I agree with that, especially with previous expetiences.

Treble makes it a lot easier than before to support a device that fits the usual norms but doesn't mean much

it's the security of the device itself that really matters

the hardware, firmware and device support code

* I agree with that, especially with previous experiences.

so for example if it uses a past generation SoC we'll be providing something worse, or we use some SoC with less security focus or w/e

and we'll be missing all the work put into security above the SoC layer

since each OEM has to do that

most don't

it's hard enough to just make something close to a reference device and ship it in a properly secure / production state without any mistakes or missing anything

let alone actually adding what's missing to match Pixel security

Are there any manufacturers that would even care to meet that sort of standard other than Qualcomm themselves or Google?

if it was an explicit goal of making the device, probably yes for the company making the phone

it just never is

at most security is a marketing frill not something they truly care about

even companies like blackphone didn't succeed in making something on par

it's difficult and a small company will take a lot longer to get it to market so it starts off as a past gen device

esp. if not starting with the bleeding edge stuff from the start

In short, it is either not feasble for small companies to match the security standards required or large companies care more about money than security more often than not

* In short, it is either not feasble for small companies to match the security standards required or large companies care more about money than security more often than not.

Edit: Unless I got that wrong.

I guess mediocre security just doesn't hurt the bottom line enough

furofuro_01: there's little reason for them to invest in security if they don't actually care about it

because it's not taken into account by anyone

and marketing / branding is all that seems to count

people consider something private/secure if it's successfully branded as such - has little to do with privacy and security it offers

<strcat[m] "furofuro_01: there's little reas"> I would agree with that. Honestly, somehow I had a feeling that it is a possibility that they exactly planned for this, to create a low-effort phone for easy profit.

people can already just buy an iphone

<strcat[m] "people consider something privat"> That's on the outlets and mediums that facilitate the marketing though, the average person cannot verify if security features have been properly advanced or implemented

hypokeimenon: neither can journalists they aren't security experts

they know no more than the average person reading it

<strcat[m] "people can already just buy an i"> True.

they just pretend to and repeat press releases, etc.

All casted aside for convenience.

<strcat[m] "hypokeimenon: neither can journa"> yeah but if you're a journalist worth your salt you can point to the industry experts research and analyses and highlight recent audits and breakdown the whitepapers into good summaries with a contextual industry-wide comparison

but there are only a handful of those

and people can't tell the difference

where is there news coverage on privacy/security like that

true enough

even lwn.net is bad at covering it and doesn't do that at all

hypokeimenon: most are not really journalists though. Just enthusiasts trying to make a living of their interests

somewhere in the deep net lol

the way actual journalism works as in doing more than pushing press releases, etc.

tends to be that the journalist comes up with their story / angle

then builds the case for it

what experts say only matters to them when it fits the narrative they want

Ultimately we have to demand this of outlets like 'androidauthority' and such ourselves

they'll just ignore / cherry-pick as needed

it's not like the nytimes or w/e has good coverage of stuff like this they just bullshit like almost every other journalist

that's their profession

<strcat[m] "what experts say only matters to"> Sadly that's the case for most of them.

professional bullshitting

when you actually know about the subjects you can see how inaccurate news coverage of all kinds is

<fll[m] "hypokeimenon: most are not reall"> Yeah but how can you call yourself an enthusiast if you don't know shit, that's just dishonest and falling prey to the system

<strcat[m] "professional bullshitting"> You worded that nicely and rightfully

also one time publishing of stuff without review / editing and going through iterations of it

That's just what the internet brought us: everyone can be a "journalist"

is not a recipe for accurate coverage

fll: yeah and people just cherry pick the information they want to be true to fit their biases

live in the bubble they choose

everyone just chooses their own reality now

there isn't a shared reality anymore

strcat: i will look at setting up CTS on a linux laptop tonight. is there anything else you want me to test specifically?

dallemon: not really specifically also a lot of stuff won't work due to wifi not working

dallemon: I'm curious how well the camera works for one thing tho

dallemon: camera, bluetooth

hypokeimenon: yes but sadly I interpret tech enthusiast as very interested consumer now

a bit of stutter/slowness using built in camera app

dallemon: CTS media tests are a good set to run

using gcam and gcam provider works quite well

haven't tried opencamera yet

Wi-Fi known to be broken

<strcat[m] "dallemon: not really specificall"> That was an interesting series of thoughts and information there. Many thanks for that informative chat.

<fll[m] "hypokeimenon: yes but sadly I in"> The problem isn't that everyone can be a journalist. That's a wonderful thing imo. The problem is that we lowered the bar for journalism

They can't though

They could always claim to be one but people don't scrutinise

And experts are too busy lol

Sadly.

hypokeimenon: true, that's a different angle on it: we all are too trusting now. And those who can't handle all the source checking anymore believe the earth is flat now :P

Sounds like a failure of the education system and culture

<fll[m] "hypokeimenon: true, that's a dif"> Haha

strcat: i will flash your build momentarily

strcat: are the equivalent of beta channel?

dallemon: well it's not really released so it's just stable/beta/testing together

cause something has to initially be in each channel

otherwise the Updater app would fail at checking for updates when set to stable

also possible I may rotate the keys before actual release

if I decide to change something about that

ok :)

> Sounds like a failure of the education system and culture

Sure, to a degree. But I don't think we can expect average users to check all details in infosec and still they might want secure and private services and devices. It's just difficult right now.

verified boot is SHA256_RSA4096 now - was wary of using a different algorithm than they did officially in case it ended up having bugs

although was probably safe to use it before

fll: well applies to anything not just privacy and securitty

* fll: well applies to anything not just privacy and security

people are not actually in a position to evaluate all these things about products

what's the equivalent to Consumer Reports for privacy and security

and that is still a pretty shallow evaluation itself

even for way simpler things

like a washing machine or whatever

it's not like they actually look at how it's made or do particularly rigorous testing

<strcat[m] "what's the equivalent to Consume"> We need actual experts to pass some law for privacy and security protection, or at least to inform them.

Also we can expect people to do that when they are less concerned about bells and whistles and the first question you ask a friend who buys a new piece of tech is, oh what company is it from, what are they known for, what's their rep, what research have they published etc.

Unfortunately, this hits counter to other companies' goals, which may cause defamation and other underhanded ways to sabotage the truth.

<hypokeimenon[m] "> <@fll:matrix.org> > Sounds lik"> Yeah.

expecting people to use critical thinking is going way too far

not gonna happen

<strcat[m] "expecting people to use critical"> Not when they are taught it from birth in school though

What's critical thinking? /s

> what's the equivalent to Consumer Reports for privacy and security

The closest thing we have are Foss advocating orgs and those are far from technically capable to evaluate security apart from maybe applying Mozilla's crypto recommendations

Also the marketing industry needs to be torn down and replaced with research/journalism

> > <@strcat:matrix.org> expecting people to use critical thinking is going way too far

> Not when they are taught it from birth in school though

Even then you can not expect them to see through fe. Purism's librem5 marketing

there's no perfect solution

but I think we can be more reasonable

idk feels better to me than giving up anyway

The needed background knowledge, while maybe basic to us, is too much and would require days of research

it's not basic lol, speak for yourself

Most don't know the difference between OS and firmware

basically I meant consumer reports, for example as an organisation, should be devoted to breaking down those privacy/security details for people with non specialised interest

I bet the implications of not being able to update firmware are basic to you too ;)

> basically I meant consumer reports, for example as an organisation, should be devoted to breaking down those privacy/security details for people with non specialised interest

And the only ones I remotely see doing things like that (EFF fe.) often overlook security in favour of foss evangelism

I have an iphone, used it for years, kept it for all the spam callers, dont want to cut them off just yet as i like having fun with them when they call :P - I am horrified to see it just forced an update to iOS 13.4.1. I have NEVER had a forced update before, I never allow them (except for Graphene of course!). WTF

ipsw?

iphone software

Nice.

matrix is so dumb

just goes and kicks 84 people

<strcat[m] "matrix is so dumb"> Just the irc appservice being dumb

it could at least just not put them in the irc channel

I don't get why it kicks people

I know y'all don't like telegram but I swear it is ages ahead Matrix for the purpose of community open group chats

<strcat[m] "just goes and kicks 84 people"> Technically 85 btw.

<joshman[m] "I know y'all don't like telegram"> Imo, Telegram is the best, apart from the lack of encryption by default

ah yeah

the wording

What about xmpp?, security problems or something?, it works fast

the way telegram saves your contacts, i would stay fucking far away from that app

Telegram uses the most non-standard shit for encryption so I'm not sure I'd rely on it for secure messaging

But for communities it seems to have a bigger and more organized platform

OMEMO and OTR are pretty good encryption wise but using XMPP for communities doesn't sound like a good idea

<concat[m] "Telegram uses the most non-stand"> "But the performance!1!!!1"

What old ass toaster do you need to be using for IGE to actually make a performance difference

overall the amount of data telegram saves as plaintext on their servers is terrifying

<hitchhooker[m] "overall the amount of data teleg"> Uh, can you elaborate? I only know technical details about their protocol and supposedly releasing source code late. You're being pretty vague.

mobile.twitter.com/tqbf/status/678065993587945472 i dont think anything has changed from 2015. its amazing when code is open source and lead dev still has balls to deny what the code does

also your whole contact list persist on their servers

actually every single contact list you have hive access to

<hitchhooker[m] "the way telegram saves your cont"> You can just stay away from saving contacts instead..

concat[m], why not xmpp?

Your basis basically consists of some random Twitter user making a critical claim against Telegram with little to nothing to support his assertion.

It's fast

<concat[m] "Telegram uses the most non-stand"> What standard of encryption are you using in this Channel?

In channels is not encrypted, but...

joshman[m], I think it's not

<jalb66 "concat, why not xmpp?"> jalb66 XML development kinda stinks, not feature-rich, lacks stable userbase.

<joshman[m] "What standard of encryption are "> There's no encryption in this room.

<strcat[m] "matrix is so dumb"> Thats not matrix though, thats the matrix bridgr

Why would a public room be encrypted?

concat[m], I use xmpp a lot and it works very well in PC,s or Android with Conversations

concat[m], I use xmpp a lot and it works very well in PC,s on Android with Conversations

concat[m], I use xmpp a lot and it works very well in PC,s or Android with Conversations

jalb66 Sure, that's anecdote. But objectively speaking XMPP would not be a good place to host a community.

concat why would you brag about TG shit encryption at all?

jalb66 Stability of a client doesn't determine the quality of rooms.

concat[m], there are many servers out there, I don't understand why not

<joshman[m] "concat why would you brag about "> Where is the brag? I'm pointing out Telegram uses very non-standard shit for their encryption so they wouldn't be reliable for secure messaging. Never did I say it was bad for communities.

Read my initial text My point was TG would be ages ahead Matrix for this group full stop

What does having many servers to make an account with have to do with basing a community within XMPP?

<joshman[m] "Read my initial text My point w"> I was responding to EssentialChaos that said Telegram was the best apart from the lack of encryption by default.

> > <@hitchhooker:matrix.org> the way telegram saves your contacts, i would stay fucking far away from that app

> You can just stay away from saving contacts instead..

im fine staying away from app thats lead developer is liar and shares misinformation about the software

Nobody was even talking to you.

I was the who proposed telegram and I'm very sorry y'all FUDed it

* I was the 1 who proposed telegram and I'm very sorry y'all FUDed it

<joshman[m] "I was the who proposed telegram "> Stating Telegram is good for communities rather than secure messaging is not FUD.

At least Matrix lead dev is not a liar. Let's let him kick 85 people just so

<joshman[m] "At least Matrix lead dev is not "> That's not Matrix's fault though, it's the creator of the IRC Appservice.

What does having many servers to make an account with have to do with basing a community within XMPP?: I thought that you were talking about this kind of problem, IDN

why do you use matrix if you have so much issue with it?

Or irc

why wont you just bridge telegram with matterbridge to irc channel?

I use Riotx. And I hate it

the amount of tears you have cried about subject in this channel, with same effort you would have implemented own bridge by now.

Bridging lags. Lacks functions

jalb66 Maybe you misunderstood then. My point was that XMPP doesn't sound like a good place to host a room/build a community off. XMPP for secure messaging is secure, but in terms of making rooms for it I'd be wary due to JSON being better for development, the lack of features, poor UI on desktop and unsustainable userbase.

No problem with xmpp and channels here. I am here even using xmpp

concat[m], ok, I get it

Bridging is not for average Joe who needs support installing Graphene OS

<joshman[m] "Bridging lags. Lacks functions"> Bridging lagging doesn't really have to do with your UI

> <@josh.man:matrix.org> Bridging lags. Lacks functions

* Bridging lagging doesn't really have to do with your Matrix client

concat[m], I can tell you that Conversations app is great, even calls and videoconference now, in PCs Gajim works great and many others with many features. But maybe it's not what you're looking for.

It's a problem with the homeserver hosting the bridging

well ideally somebody would selfhost matrix server for community so there would not be lag.

Y'all not offering a single fully working option. If someone needs help to install Graphene he needs it fast and reliable

> Bridging lags. Lacks functions

so you use alpha phase matrix client and whine about lacking functionality

jalb66 Eh, Gajim sucked in my experience. But Conversations was fine on mobile.

concat[m], I use Dino in GNU/Linux and also Profanity in terminal

well by far best option would be hosting community matrix homeserver with bridges

Now using Dino and bridging to irc here

jalb66 Dino has almost no features at all lol

concat[m], you're right, if I need more features then I use Gajim or PSi+

But only to talk it's great and modern looking

jalb66 Never used Profanity though, admittetly. But I've heard about it.

concat[m], it's great

Matrix lags, riot lacks functionality, bridging is not a one click option. Not all Graphene OS current and future users are tech savvy

concat[m], it's like the old BitchX for irc lol

But in xmpp

jalb66 Yeah if your usecase is just PMs then you'll probably be fine.

Then try Psi+

> Y'all not offering a single fully working option. If someone needs help to install Graphene he needs it fast and reliable

If someone needs help installing graphene despite the instructions on the homepage, I'd argue that grapheme is not for them right now

<joshman[m] "Matrix lags, riot lacks function"> > Matrix lags

Gajim works very well for me, IDN why it sucked in your experience 🙂

The best feature is that xmpp is fast, even now bridging here

<jalb66 "Gajim works very well for me, ID"> Would randomly crash on me, felt slow in my experience. Maybe I'll give it a try on a different machine and see how it goes.

🙂

If I wanted to start contributing to the grapheneOs project should I learn java?

igioo[m] yes.

The AttestationServer and Auditor are written in Java. A lot of the android ecosystem is written in Java.

Okay I'll get started with that then thank you.

Good luck man. I've been wanting to learn Java but it's been slower going. However I do have something for you that's helped me along...

Stanford Engineering Everywhere posts the entirety of the course including videos and transcriptions of their lectures, coursework, and assignments!

You can get it here:

see.stanford.edu/Course/CS106A . The lectures are both transcribed, and recorded.

You can simply download them!

Oh that should be really helpful! Much appreciated.

igioo Java is a very good language, you'll adapt to it in no time.

Idk, fully oop language is not my thing

I hear that a lot.

I am not against OOP in general

Like how Python does it

Python doesn't really prepare you for other languages as well as Java does, and there's a lot more shooting yourself in the foot with that language

Also, someone who's used with dynamically typed languages would be easier to transition to statically typed than vice versa in my opinion

I mean, I started learning programming with C++ :)

My first language was C++

Java for me. I did do a bit of C++ in high school but can't say I'm in a big favor for it.

Honestly Haskell taught me the most about programming than any other language

I want to learn more of Rust, but since I don't get it in unversity, idk what to do with it right now

I don't have a lot of positive things to say about Rust other than memory safety and speed

Rust has amazing documentation

cn3m I'd disagree. Their documentation isn't "amazing".

I mean it's fine but it's not any better than other langs.

I love the book and the compiler is very detailed. The documentation is reliable

You don't have any SICP versions for Rust.

Compared to other languages I've learned through documentation they're not anything special

Hi everyone, forgive me if this a bit of a noobish question, but please bare with me, I'd be really grateful if someone could could help me out. Basically I really want to get myself a pixel with graphene os. However, I realized google only promises support and updates to these devices for two years??Does that mean after buying this device, it won't be long before the firmware updates and such go out of date? Again I'm

sorry if this is a noob thing to ask

zozu Yeah, Google generally supports their devices for 3 years if I recall correctly.

zozu You still have a decent amount of time to use Graphene but it won't be anytime soon you'll be getting a replacement.

I code Java, Kotlin, and Swift and I still prefer Rusr

cn3m Do you have any repos of the projects you code in those languages?

cn3m I'd like to read the Java ones especially, I like reading Java Syntax

<concat[m] "zozu You still have a decent amo"> Okay I see, thank you!

Hi zozu[m], yes. Google negotiates with Qualcomm and gets their agreement that Qualcomm will supply firmware updates for the System-on-Chip in your phone for three years.

<concat[m] "cn3m Do you have any repos of th"> Nope, all for work. I'm tempted to write a firewall bypass though

Proprietary code sucks

Qualcomm then supplies the firmware (which is signed and validated) to Google and partners, so we can update the firmware provided that Qualcomm continues to provide it.

<TheJollyRoger "Hi zozu, yes. Google negotiates "> And then it's over right? Or is that just the warranted time?

Yes, once Qualcomm says "Your support's ending" then the device is what I call a "Pop Tart."

The device will still function, but there won't be any more updates to the firmware to continue preventing or mitigating exploits or closing vulnerabilities.

Okay okay, very helpful thank you. Do you think it's worth buying a pixel now? Or should I wait for a Linux phone?

zozu[m]: I definitely think it's worth buying a Pixel 3a.

Linux phones are insecure, don't buy them at all if you care even the slightest about security.

concat[m]: heh, took the words right out of my mouth.

<concat[m] "Linux phones are insecure, don't"> I mean the librem 5 in like a year?

The thing with "Linux Phones" as they're billed... let me try and break it down a bit,

Okok

Thank you

<zozu[m] "I mean the librem 5 in like a ye"> Librem Phones are a scam, they overcharge you for theater and poor security model.

grab a pixel, never a wrong time while graphene is around :)

Actually, one of my good friends has an article regarding them.

ebay used factory unlocked pixel 3a off a reputable seller would be my vote

zozu TheJollyRoger madaidans-insecurities.github.io/linux-phones.html

<concat[m] "Actually, one of my good friends"> Oh can you share that?

I just did so.

Android goes through great lengths in its design to establish a security model where the apps aren't fully trusted and the separate components of the operating system are built to be mutually distrusting.

Okok, thank you! Sorry, it was sent at the same time

Pixel 3a > iPhone > everything else

As a result, on Android, there are only a tiny, tiny number of processes that have root-equivalent access, and everything is designed to be trusted with /only what it needs to do, in order to do its job/.

The applications themselves each run as what would be considered a separate userspace, so each of them are confined to /their own process space./

<cn3m[m] "Pixel 3a > iPhone > everything e"> Got it! Thank you people!

This means that no two apps can intrude on each other's memory without breaking the kernel of the operating system.

With iPhone you'll get at least 5 years of support. I don't care as I don't use phones more than a year anyways

"Linux phones" on the other hand? Well, enjoy throwing all your eggs into the same basket, and not only that, but if you're concerned over firmware updates? The Librem 5 is essentially going to be vulnerable at the time of its release and won't be updateable.

TheJollyRoger I think the link I supplied is good enough, but I appreciate the extra pedanticism.

Because to gain the FSF's rubber stamp of approval, they've used what's called a secondary processor exemption, and essentially placed persistent firmware in EEPROM where it's loaded by a secondary processor prior to host initialization.

This gives the /illusion/ that your phone isn't loading firmware to the host.

But really, all it is just means as soon as an exploit is discovered, that phone is now permanently vulnerable, or updating the firmware (which is still signed and validated by the vendor) is going to involve a screwdriver, a soldering iron, and an SPI flash programmer.

And this doesn't solve the problem that it's still signed, validated, and verified and still ultimately dependent on vendor support... it's essentially burying one's head in the sand.

concat[m]: ah, heh, got it. Sorry, I get carried away a bit.

Oh another thing, the firmware updates to the pixel 3a are not open source right? Any possibility Qualcomm/google could sneak in something evil?

zozu[m]: The firmware is not open source but it is available to partners on request. One of the reasons GrapheneOS chose Google and Qualcomm is also because of this exact threat vector:

Google devices are the only ones with Insider Access Prevention which is designed to mitigate that precise one.

TLDR: to discourage legal or extralegal insider access attacks, the Titan M hardware security module installed in your phone will not allow the phone's firmware to be updated until you authenticate to it using the user's passcode.

Also: as far as I know there is no open hardware so that you even could built a remotely up to date phone with it

specifically the Titan M firmware

other firmware can be updated

yeah one day maybe there will be an open hardware RISC-V phone but there's just as much trust

placed in manufacturer etc

Yeah.

and atm there isn't

Ohh okay! Thank you!!

zozu[m]: if you'd like to remove the firmware's root of trust from your vendor, I suggest you save up $7k and buy a Talos II Secure Workstation from RaptorCS.

nothing even close to an open hardware phone atm

the closest thing would be an open hardware RISC-V SoC / dev board (note RISC-V doesn't imply open source at all)

But that's unfortunately not going to fit into your pockets unless you're Andrei The Giant.

(it just can be unlike ARM)

(The Morgan's Revenge probably weighs more than 40 pounds fully loaded)

<TheJollyRoger "But that's unfortunately not goi"> Hahaha, I think I'll go for the 3a instead

Ehehe :)

Also, can we expect to see graphene anytime this year on the pixel 4?

That said... by "Fully Loaded" I mean having ~12 hard drives in the same chassis.

Ooooff

Haha

I think so. Right now, I think it will compile and can be installed for the P4, but it's not "production quality" yet.

Huh, is it worth waiting a few months and get a pixel 4 instead?

I'm not sure just yet. If you're short on time and money, a 3a will offer you a substantially lower price and it has some features that are curiously absent on the 4.

I see, it's more for durability with updates and all

(The 3a has the fingerprint reader on the back, and a 1/8" Sound Jack. If I recall right the 4a omits both of those and eschews the fingerprint scanner in favour of infrared-scanning facial recognition)

Yeah.

...I won't be using any facial rec hahaha

In that case then, the 3a was released about a year and a month ago, and the 4, a little over half a year ago. Depending on how much you can find the device for this could boil the difference in device support down to only six months.

Which should factor into your cost calculation of "how long will I use my phone for?"

<TheJollyRoger "Which should factor into your co"> Yes!

An additional half a year is still pretty respectable for someone who wants longevity

What he said. You'll have to make the call, depending on how much you see on that sticker at the store.

Okay thank you! I'll have a think about it

Yep!

Correction - I just realized I accidentally typed "4a"

The 4a isn't out yet, I meant to say "4." My bad.

>_<.

<TheJollyRoger "(The 3a has the fingerprint read"> Oh NOOOOO! That's me on the 3 as long as humanly possible then. Damn I hate 'progress' sometimes.

Yeah, I really liked the fingerprint reader.

<TheJollyRoger "The 4a isn't out yet, I meant to"> I got that!

just fwiw - I have tested both 3a and 3 (from usability standpoint, NOT technically!) and I do like the slightly thinner profile and smaller overall size of the 3, as i was coming from an iphone 5 and hate large phones. But I haev to say, I am still holding onto the mint 3a i got off ebay, can't bring myself to sell as I think i will still head back to it for that 1/8" jack. I also found two quite noticeable adbvantages

of the 3a - better sound (subjective perhaps) and much more reliable camera. less crashes than the 3. as i said...... fwiw :)

Hey that's also something to think on too, haha

<TheJollyRoger "Yeah, I really liked the fingerp"> its my favourite feature, its just so damn tactile there. coming from iphone which didn't have a working fingerprint reader for like 3 years !! i love the 3/3a. I dread the day I have to let my phone scan me

maybe worth mentioning the 3 has wireless charging, if that's a thing for you.

i still love my old high def wired headphones and its pissing me off watching them gather dust and hae to use bluetooth stuff like some gym freak :D

<yekip[m] "maybe worth mentioning the 3 has"> Ahh, 3a it is hahaha

It is. It's kind of going to sound a little frivlous, but every night not having to plug my phone in saves a lot of wear and tear on the USB slot. This saved my bacon once after I broke the USB and had to get my phone fixed.

plus price is significantly less (where i am anyway) of the 3a, so there is much to love about it. mostly the extended time it should be supported

anyway. ramble over, thanks for the great info above JR, always a pleasure (and a bit of pain if honest :p)

X) Always fun.

<TheJollyRoger "It is. It's kind of going to sou"> yes that's very true. i like placing the 3 on gthe googvle wireless stand/charger i got with it in a wicked ebay bargain!

cheers all. safe seas skip

<TheJollyRoger "It is. It's kind of going to sou"> Would these magnetic cables that support fast charging be good in this case if the concern is wear and tear on the USB slot?

Huh, I didn't know they even had those!

Yeah lemme find the link

Volta Charging Cables – VOLTA Charger

I guess there are many more brands ,I've just heard more about these

but does it support high speed charging?

Oh I see, you have a stub that fits into the slot and remains there all the time... makes sense.

<TheJollyRoger "Oh I see, you have a stub that f"> like those old macbook chargers

<notmyname723[m] "but does it support high speed c"> Apparently it does

Yeah!

so uh

Huh. That would be damn cool.

does anyone else have fingerprint sensor issues on pixel 2 xl

it was saying hardware unavailable at first then the option to set fingerprint disappeared altogether

Ah, shoot, I don't have a 2.

weird issue

maybe the sensor just died? idk

I'm not sure. Someone here is bound to have one though...

<TheJollyRoger "Huh. That would be damn cool."> Yup :)

One of these would be boss!

Thanks :D

<TheJollyRoger "Thanks :D"> Haha you're welcome, I really like to get one and see if it is the solution to all of my cable failures

Volta - What a fantastic idea!

does it support data transfer?

does anyone in here use Amplifi network gear? if so, anyone know of their ethics on privacy? Not expecting much considering they pushed so much social stuff but I am sure people have said good things about them here some time. I could do with installing the Amplifi WiFi management app but not sure if they are to be trusted

would be good idea to pick one up for charging at airport/public places

* would be good idea to pick one up for usb charging at airport/public places

<Biv[m] "maybe the sensor just died? idk"> You could've accidentally disabled it, is my guess.

<notmyname723[m] "does it support data transfer?"> No idea

@yekip:privacytools.io: idk I installed then and never really liked them

seemed like a dumbed down AP

anyone using firefox here

<Biv[m] "seemed like a dumbed down AP"> ha, I had exactly same feeling too. I have had a fair bit to do with the company and my feeling is they have some very good marketing peiople. They basically took the "Apple" approach, i.e. make something a bit better than the competition, then sell it as if it is 10 times better, spdnd a fortune on pretty packaging and let that work its magic on the psyche of customers :D.

Overpriced stuff which my TP Link gear has beaten hands down in every test! but..... I have it now (yep, I fell for it!) so I am sticking with it. You can't manage wifi through browser via LAN IP like other routers, so the app is a requirement which annoys me a bit. but I just read their FAQs and I sent a request for a confirmation of exactly what the app does. Will see what they say. Last time I spoke to support it felt

like they thought I had cheek asking a question after spending $350 on wifi gear I could have got for $100, instead of 'asking the community'. haha. I don't do the "ask our other customers" crap.

Biv Did you check if your fingerprinting sensors are enabled?

<williamstopus[m] "anyone using firefox here"> yes

<williamstopus[m] "anyone using firefox here"> Not for anything secure

Biv: using a 2 XL for little over a year. No issues with fingerprint reader

TheJollyRoger: got a few Volta XL cables. Work pretty well for charging

<williamstopus[m] "anyone using firefox here"> Everyone makes mistakes so yeah probably

seems like only yesterday i was learning how to make FF private with extensions and such like. I just about got the hang of it, and shit moves on leaving me behind again. :p - need to find time to switch, but not too concerned for now as its only on desktop. I use vanadium on phone, or occasionally DDG browser (i just like the burn feature!)

concat: Uh wut. how do you disable your sensor

<dallemon[m] "TheJollyRoger: got a few Volta X"> Can it transfer data?

<Biv[m] "concat: Uh wut. how do you disab"> Playing around somewhere in ``/system/`` iirc

its grapheneos so that's not really an option for me

<mxnorvak[m] "Can it transfer data?"> Don't think so.

<cn3m[m] "Everyone makes mistakes so yeah "> is there anything you guys would suggest for people who cant build ungoogled chromium (which I recognize as one of the better options) themselves instead of firefox? pushing building their own software on people who just want reasonable privacy and security in their browsers is not really an option.

Biv Invs

mxnorvak: the Volta 2.0 cables support data transfer though

It looks like Volta has a new USB-C cable in the pipeline though

rosarium: I'd recommend Edge

<rosarium[m] "is there anything you guys would"> Someone suggested Chromium to me as a better option than FF. but I had no idea I had to get my overalls on and start "building" anything!

yekip: you usually don't have too

<dallemon[m] "mxnorvak: the Volta 2.0 cables s"> That's awesome, i gotta get one!

if nothing else, can keep crap out of that sensitive port!

i have no clue how they get data to transfer, i sit in awe as usual

Hot damn yes X(. I sometimes put a piece of tape over the USB slot to keep the dirt out, this would be great.

yeah. i did hot melt glkue once. don't ask. i never said i was smart (though it did work :D )

yekip radixed9 thanks for suggestions

Hey there guys, another thought just came up. Correct me if I'm wrong but, graphene is developed by one person right? Do you think it could happen that this person goes tired and drops the project as a whole anytime soon?

Or is this just extremely unlikely?

It is not developed by one person.

How private is the stock GrapheneOS keyboard?

Lots of people don't realize that android is developed by just one person at google, chained up in a basement electrical closet

<yekip[m] "i have no clue how they get data"> Same xD

Would I be better off using AnySoftBoard or OpenBoard, or is the official GrapheneOS one just as private and secure?

Renlord is very active as wellzozu:

faxing: the Official GrapheneOS keyboard is ideal for privacy and security

So its even better than anysoft or open board?

yes

trust is the point

Oh wow-- that's not what I was expecting, thanks!

You trust GrapheneOS and the keyboard falls under that. OpenBoard and AnySoftKeyboard are both from different sources which increases the trusted parties which is not ideal

<nickcalyx[m] "Lots of people don't realize tha"> Can you explain a bit more?

It goes for all preinstalled apps especially Vanadium faxing:

Oh, should I be daily-ing Vanadium? When I installed Graphene yesterday I instantly installed Tor, Fennec, and Bromite for compartmentalization -- is that not what I should be doing?

<faxing[m] "Oh, should I be daily-ing Vanadi"> Yes Vanadium has stronger hardening and minimizes needed trust

You trust GrapheneOS as it is your OS and you rely on it to use your phone. Vanadium is based on that same trust. Every browser you add that's more trusted parties.

<zozu[m] "Hey there guys, another thought "> let's stay with the glass half full :D

faxing[m]: use the defaults.

If you use Vanadium and GrapheneOS you only trust one offline signer. Only one person complies the code everyone contributes for that setup(beside the Qualcomm code). You don't want to add weak links into a chain

faxing[m]: also use Vanadium. It's the best browser for GrapheneOS and takes advantage of the security improvements in GrapheneOS. The golden rule of actual, meaningful opsec applies: the less custom tuning you do, the better.

Okay, thank you all so much for the detail I had no idea

*yekip just saw duckduckgo fall off his device

Btw, won't using vanadium with for change my fingerprint?

I was under the impression that I should just kind of build from the ground up with privacy respecting services and just have graphene as the OS, never trusting one party with more than they need to know

<zozu[m] "Btw, won't using vanadium with f"> It is designed to mirror a Pixel running Chrome

But I see that my interpretation was wrong, thanks all!

<radixed9[m] "It is designed to mirror a Pixel"> I mean as opposed to using the tbb alternative on fdroid

<faxing[m] "I was under the impression that "> Yes, that's a good approach. But think about it, if you trust one party fully (and I do, re Graphene), then why 'go looking' for someone else to trust with your browsing?

if Graphene ran a messenger like Signal, I would use it. but they don't, so I use Signal.

more trusted parties means more chance of being wrong to trust one of them. and as someone said, if you're thinking that placing more trust in Graphene is like putting all eggs in one basket, then you shouldn't be using the OS. And you definitely should :D

faxing[m]: It's interesting how the philosophy has changed: these days, we're starting to try to move away from "leave it to the users to find what they want" and real, meaningful security is being seen as being something we need to /build into things from day one/ rather than burden the users with that kind of responsibility.

<faxing[m] "I was under the impression that "> Anything GrapheneOS offers you should consider first. You have to trust them unless you build the system yourself from source and audit the changes they made to upstream. The steps GrapheneOS takes to minimize risk are generally the best reasonably possible. Trust unfortunatley is not something you can ever fully avoid, but cosolidating trust is the best option. I use

Edge on Windows for example. Safari on Apple devices. I use the built in email client or my providers webmail. If you trust someone with your OS(which is essentially your whole device) you should trust everything they make first if you have to pick.

Because there's been a lot of that mentality of "more user control = better" in open source circles, the open source community which is now deeply intertwined with the privacy/opsec community hasn't quite gotten onboard with this yet, but hopefully this should start to change.

amen to that

no, i mean THANK YOU for that! I couldn't find all the things I get in Graphene, even if I do know where to look, how to verify code....

someone who can trust nobody, should not have a phone of any kind. but if you have space/ability to trust anyone, you can trust in Graphene and everything built into it. Just look at the attestation.app - superb shit

atta boy. now can I get first dibs on all his browsing data please? bwaaa haaa. silly me, time for sleep. tadaaa

<yekip[m] "someone who can trust nobody, sh"> It's pretth much compromise, rather than trust at this point though.

Not compromised, but as in compromise similar to trust, but to a lower degree.

well not really, you need to compromise, so you need to trust. the compromise is what forces you to find someone trustworthy enough for you.

<yekip[m] "Yes, that's a good approach. But"> Yeah, I suppose that is just more of the approach for other things with privacy -- I do trust Graphene though so I'll stick with it.

<TheJollyRoger "faxing: It's interesting how the"> I had never really thought about it but you're totally right, I guess as the precautions change so does the advice and products focused to it

* It's pretty much compromise, rather than trust at this point though.

Like, I rather use X than Y, because Y does this better than X.

I have a very small trust budget. I trust Microsoft Software, Dell, GrapheneOS, and Google Pixel. I try to avoid or isolate any software not from Microsoft, Google, or GrapheneOS from my system. I will not spend that trust budget on something I can't trust. It is not since

Mostly on privacy-security though.

for me, genuinely, having a smart phone at all is a compromise. some people i know dont, and I often envy them. But needs must, therein lies my compromise. Finding graphene made that SO much easier and more comfortable. without it, i would honestly probably dump the phone, smart ones anyway, and do all chat and stuff on laptop only.

Using Linux I trust anyone with a signing key for my repos(which can be a large network of unpaid people)

<radixed9[m] "I have a very small trust budget"> google pixel is hardware. and as JR can explain in wondeful detail, you can trust their hardware with their software removed, and only then in my view! But did you just say you trust Microsoft software? have you read Win 10 privacy terms? how they even call it that i dont know. haha.

good luck anyway. graphene rocks

I have read Microsoft's privacy policy. I have an Enterprise install and I manage the settings and group policy myself

I dont know about software from Google (unless open-source, as long as I can read the codes for myself). They made a pretty good hardware to be fair though, guess that one is trustworthy.

Windows 10 is the only option that meets my personal requirements for security and privacy

Fair enough.

The security measures GrapheneOS takes to protect the keys and get quick updates are likely higher than you could do yourself. It is good to be able to build it yourself and it does help you learn how to contribute barrikade:

</joke>

<JTL "mods are asleep, post cats /s"> concats or strcats?

nice

<concat[m] "concats or strcats?"> I figured out your name finally

concat[m]: Part of the joke :P

Concatenate sure, but it is very much like strcat

🐱

<cn3m[m] "Concatenate sure, but it is very"> actually concat was already an old alias of mine