<faxing[m] "What do you all think about the "> Thought we should be getting away from SMS in the name if privacy...how about running Signal as default SMS app?

Is signal still asking for pin code every fez days? It was a pain when I tried it

Few*

Only if you setup so?

I had set up pin as 2fa factor for registering with phone number, but it was asking me for the pin every few days

<radixed9[m] "faxing: the Official GrapheneOS "> Are you referring to AOSP keyboard?

Plus MMS were not working in signal, I had to install

Uninstall*

<greenmoon[m] "Is signal still asking for pin c"> Holy fuck, PIN whiners here too? Your phone asks for a PIN every time you start it.

I just uninstalled signal, no more pin asking

If you say so

<greenmoon[m] "Plus MMS were not working in sig"> Get them to send pic or whatever by Signal instead of MMS.

Yea but 99.9% of people don't want to

Pretty sure you can change PIN settings in the settings area of Signal.

<greenmoon[m] "Yea but 99.9% of people don't wa"> Doubt it, that is your fictitious number.

They added that feature recently so, I will retry later

<greenmoon[m] "I just uninstalled signal, no mo"> Sweet, nice secure and private GrapheneOS setup for sending SMS and MMS.

For receiving

I don't want to cut relationship with people because of 'security'

Some people don't even have smartphone

<greenmoon[m] "Some people don't even have smar"> They wold be the 0.1% left over from your 99.9%.

i'll call myself strstr one day

concat[m]: ^

do we have a strlen?

renlord Why not rencat?

strstr sounds dope

go for it

I'll be strcpy

Since I'm copying you

there's still strcmp and strtok for the taking

i can only remember the ones i use

lol

lol strfry

this is a good one

quite literally stir frying characters lol

<renlord "lol strfry"> Why are you forgetting *str*ing

<renlord "lol strfry"> Daniel should've chosen that one

btw I made this nickname because people always used to message me asking for help based on my github username

so I needed a name that didn't match for IRC

before this project

strfry would have been ideal

strcat[m]: heh fair enough

I like both nicks myself

<jknsec[m] "What triggered it was some fucki"> Link

Ah wait

r/privatelife?

Of course it was...

jknsec: that guy is off his rocker

dunno why he's even pissed at me

he is mad we don't support a huawei device basically

we have a moderator called trai_deep?

That dude is a nutcase.

not my fault we haven't found a good one to support and no one volunteered as a device maintainer

renlord: he's talking about /r/privacy

<renlord "we have a moderator called trai"> r/privacy does and he hates that guy

Love how he's played the victim card after his attacks are responded to with reason on like every other sub

so he started his own

trai had enough of his bullshit and banned him so now he's going on a tantrum

trai is way too lenient with modding imo so to get banned by him

you really have to fuck up

gives people 100 chances

unbans them gives them another shot

He's literally pming random people posting on the sub now slandering people

Since he's banned

He also claims anyone contradicting his beliefs is just an alt joint and ironically makes his own sock puppet armies

He thinks madaidan and cn3m are the same person

lol

It's pretty hilarious tbh

Also a little sad

idk why you guys are giving him the time of day

I'm like 65% sure he's just a troll

He does too much for attention

He's already been talked a bunch

<jcpicard32[m] "He thinks madaidan and cn3m are "> We don't even write similarly

<concat[m] "I'm like 65% sure he's just a tr"> Idk if he is

It's like someone gave the average r/privacy user meth

Reddit is one of the worst

<madaidan[m] "It's like someone gave the avera"> It's more accurate to describe it as Shipp and Terry Davis performing a fusion dance

<concat[m] "It's more accurate to describe i"> Lol

I mean reddit in general is a shitshow when it comes to privacy info. I just try to hop in and correct the blatantly wrong stuff sometimes.

If I get even one person to a good resource it's worth it to me

the type of people attracted to /r/privacy arent really reasonable people

<jknsec[m] "bUt WhAt AbOuT mUh FiReFoX"> Sir I can harden through about:config

Disable WebGL and all of Firefox's security issues are gone

LOL

Lol

it’s funny until you realize there are actually people like this :/

Fun Trivia: Study showed Google Chrome is less privacy invasive out of the box than Firefox

<travankor_ "it’s funny until you realize the"> The guy we were talking about seriously thinks this

I brought up the X11 hole in Firefox's sandbox and he just went "bUt I dIsAbEl WeBgL!1!!!"

<concat[m] "Fun Trivia: Study showed Google "> scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf

Firefox actually has some hella invasive telemetry

I read through it once a couple months ago.

It was pretty interesting from what I remember

<concat[m] "Firefox actually has some hella "> Firefox just loves to push privacy/security theater

<concat[m] "scss.tcd.ie/Doug.Lei"> That's not too far-fetched acrually.

<cn3m[m] "> <@madaidan.:matrix.org> > <@jc"> That's a bit much

<jknsec[m] "Been pretty happy with Ungoogled"> that's what we're here for

<concat[m] "Firefox actually has some hella "> True

<jknsec[m] "Been pretty happy with Ungoogled"> I'm hot for Ungoogled Chromium man

<cn3m[m] "that's what we're here for "> Yes, scaring people

Ungoogled Chromium is bae. Sorry not sorry girlfriend

I write quantity over quality since the sheer amount of misinformation

Glad I learned from you guys. I'd still be on add-on "hardened" firefox for everything

I can't even proofread anything I write

Since then I've actually started reading about security for myself from the sources that people recommended to me and I've learned so much

<jknsec[m] "Used to be a Firefox guy, hence "> I still like and use firefox despite it's horrendous security

Well I mainly use the Tor Browser

<jcpicard32[m] "Since then I've actually started"> you should read Gibson /s

<madaidan[m] "I still like and use firefox des"> Tor Browser is the only Firefox I like/use personally

I use Tor Browser in Windows Sandbox and a seperate profile on Graphene

cn3m: I've learned to avoid the Windows 10 telemetry by running a special patchset on Windows 95. It gives me the latest updates without the telemetry and I can game thanks to the Dx12 backports /s

@madaidan.:matrix.org do you actually use vanilla Firefox or no?

<cn3m[m] " @madaidan.:matrix.org do you ac"> Tor Browser but it's still essentially firefox

Web tracking makes me uneasy

Firefox Nightly with Fission WebRender and CFG ftw

* Firefox Nightly with Fission WebRender and CFG ftw /s

<radixed9[m] "Firefox Nightly with Fission Web"> Nightly has CFG?

<madaidan[m] "Nightly has CFG?"> no Windows can force it

it runs well

cyredanthem found that too

Firefox works with a ton of hardening settings from Windows. Almost all work. I had to dial it back for the Tor launcher though

<jknsec[m] "Windows 10 LTSC Enterprise is th"> Just use Windows 10 2004 Education

I believe so. Education build works well too

You don't need to activate Education

Cortana is dead

<radixed9[m] "no Windows can force it"> Ah

You need an M$ account now

14/22 system overrides work on Firefox iirc

ACG crashes which is sad

Obvious, but sad

<radixed9[m] "ACG crashes which is sad "> code integrity guard make firefox slower

so i turned it off

it's off by default anyays

StackPivot, CFG(Strict), CallerCheck, SimExec, Bottom-up ASLR, IAF, Mandatory ASLR, EAF, Disable extension points, DEP, Block Untrusted Fonts, and some random image stuff is what I have on for Firefox. I am sure a lot of that is redundant

* StackPivot, CFG(Strict), CallerCheck, SimExec, Bottom-up ASLR, IAF, Mandatory ASLR, EAF, Disable extension points, DEP, Block Untrusted Fonts, and some random image stuff is what I have on for Firefox. I am sure a lot of that is redundant

That is the Tor settings. I could tighten it up a bit more for Firefox

<yolotrolo[m] "code integrity guard make firefo"> CIG should crash it completely no? It is not written by Microsoft

botom up alsr is on by defalt for all programs if you check in the system settings

This is an LTSC box here

1809 is what that list is for

<radixed9[m] "CIG should crash it completely n"> maybe i'm confusing with one other setting, i had to turn one of the non default setting which made firefox slower

Still using Firefox with all your patches is very insecure

¯\_(ツ)_/¯

I do not use Firefox it was a test

😁damn

windows 10 is hardly spying on you

everything important is on setup

<jknsec[m] "Aren't you supposed to leave TB "> run it in Windows Sandbox and call it a day

the sad thing about sandbox is that the group policies of the host do not applie to it

so you have all the ms features on

<yolotrolo[m] "the sad thing about sandbox is t"> good thing sometimes

what data do it collect exactly, because i'm really into watching all those things and i don't see much

about everything can be adjusted using group policies

what is suspicious?

microsoft even provides detailed guides such as the security baseline or privacy guides or guide to manage connection endpoints

this one is pretty complete

<jknsec[m] "Could be very possible that I fu"> pro has fake group policy settings

nothing too crazy though

you can't disable telemetry in pro the group policye settings do not apply to it, it's for EDU and enterprise

* you can't disable telemetry in pro the group policy setting do not apply to it, it's for EDU and enterprise

it's written

in the =description

also there is more things than the telemetry settings, if you want to prevent datas from leaving your computer

* also there is more settings than the telemetry settings, if you want to prevent datas from leaving your computer

check the first and third links that i have send for more infos

but don't disable the License Manager otherwise store apps will refuse to launch, remember that =)

basic telemetry isn't bad at all

also there is some good settings to pick from the security baseline files, just extract the baseline zip and look into the GP report folder where all the settings used for it are listed microsoft.com/en-us/download/details.aspx?id=55319

i dont know, i just use the enterprise which i reactivate every 180days.. that's 2 commands to type in terminal

i don't know but ltsc is lagging behind in features so i don't like it

anyways disabling telemetry should not be recommended it prevent microsoft from finding and fixing bugs

i don't know about ltsc, but for example i thing it don't have windows sandbox feature, not sure

* i don't know about ltsc, but for example i think it don't have windows sandbox feature, not sure

hm yea 😁

People desire for better security but do not reduce their attack surface or vulnerable points -sighs-

you mean we should use some other os? 😁

i'm waiting for the day that i will be possible and usable to plug a graphene os phone into my screen and use it as as pc with a keyboard and mouse but the actually it's not that great, i don't even know if the android desktop mode can be used on grapheneos

* i'm waiting for the day that i will be possible and usable to plug a graphene os phone into my screen and use it as as pc with a keyboard and mouse but at the moment it's not that great, i don't even know if the android desktop mode can be used on grapheneos

I find using the emulator target with keyboard+mouse a bit clunky

But maybe a proper desktop mode would be better

there's a hardening guide put out by the ASC

*ACSC

looks sane

oh look -- canada has one too cyber.gc.ca/sites/default/files/publications/itsp.70.012-eng.pdf

looks harder to read compared to the australian one though

i see many things are a part of the microsoft security baseline but there is some other things, will look into it :D😁

i can probably cherry pick some useful things

Fuck yea. The privacy.com app works without GSF. It's the little things.

do it work with a vpn? it's for US customers only if i remember

I mean I have a VPN on my firewall and have no issues

do it need to be used with a US card?

probably

You need to link your account with a Bank account or debit card

oh ok

I assume they'd be able to tell if one of those isn't US

<yolotro[m] "i'm waiting for the day that i w"> No video signal output through Pixel's usb-c

oh ok, that's a bug?

anyways desktop mode isn't ready

maybe in android 13 or 14..

they didn't even improved it in android 11

maybe they are just going to kill it

<joshman[m] "No video signal output through P"> Aww, kinda planned to use it as PC (welp, guess a close one is scrcpy (although that's just screen) (yes, it exists, it's a software), but sadly it needs adb))

Probably not secure enough

did u saw that flow desktop app?

seems to be an improvement over the built in thing

but it seems kinda buggy

Pixel 3 and 4 don't have HDMI over USBC. Only data and charging. Samsung and Huawei have had this for years though

wow

yea many phone had it, incredible that the pixels don't support it

josh.man: what about audio?

if i remember there is no audio as well, you need to use usbc headphones with builtic dac

builtin*

so you can't use an usb to jack adapter

or you need one with a built in DAC

yolotro: it used to be supported on Nexus devices, it went away from lack of usage probably

yolotro: there is digital USB-C audio - adapters work fine as long as they have a DAC like the one that comes with the device

yea i know but some devices can work with an adapter without dac

sure, modern headphones using USB-C digital audio

instead of having a low quality DAC in a phone send a poorly converted signal through a long poorly shielded cable

and there isn't the issue of not having enough power to drive fancy headphones

no, i mean on some android you can use a usbC to jack adapter that don't have a builtin dac

if they still use analog audio why did they remove the analog jack>

that's all, i'm using usbC headset

* if they still use analog audio why did they remove the analog jack?

i don't know

analog USB-C audio is weird and really shouldn't be a thing

causes a lot of confusion for users

and they waste money on products that won't work

maybe that's the point

i see that the DAC is a part of the SoC so they don't have to add a DAC

I've had similar thoughts too and wouldn't be surprised

:/

yolotro: it's an anti-feature confusing to end users giving them lower quality audio - that's why it's not supported

USB-C audio should be digital only

but they came up with a hack to still support analog audio by sending it over the data pins

I was going to ask how USB-C analog audio works

and you'll get lower quality than an actual analog audio cable/jack

I've always thought that was rather janky

because it's not meant for that and not shielded for that

JTL: it's just an awful hack to support switching to a mode where it sends analog audio signal via data pins

right...

should not exist

really confusing for users that there is a lower tier class of USB-C audio hardware using analog audio instead of digital audi

* really confusing for users that there is a lower tier class of USB-C audio hardware using analog audio instead of digital audio

there is even usbC headsets that use analog lmao?

i guess so

yolotro: yes and they are terrible

it's an even worse way of doing it than the legacy analog jack + cables

i would probably not notice lol i'm one of those guys that can't differentiate "good" sound vs "bad" sound anyways

since the cable isn't properly shielded for that - the lines it uses aren't really shielded from the others

and headphone companies can use power from the phone since it's USB

so it fucks up the signal even more

they are shielded a bit but not to protect an analog signal

yolotro: well it's easy to notice the static, etc. with analog audio

yolotro: ideally gets converted to analog right next to the speakers in a properly shielded place

a cable basically acts as a big antenna

and now you have

analog headphones drawing power from the phone (which they couldn't do before) via the same cable they use to send this janky signal

for noise cancelling, amplifying the sound (since the phone doesn't dedicate much power to producing a strong signal), and whatever gimmicks they do

like making fake surround sound with some high latency stupid garbage in the headphones

yolotro: it's just dumb that analog USB-C audio exists

yolotro: users shouldn't have to worry about analog vs. digital and compatibility

yolotro: and shouldn't have to deal with quality of cables, etc.

i get it

<yolotro[m] "i get it "> lmao that's actually kind of a funny response, dude rambles too much

lol

at least i have learned some things

now i wonder if my noise canceling usbc headset is analog or no

but i don't mind much the sound is great

and the noise canceling is working well

i will try it on a pixel when i will get one so i will know

analogs are a good blast to the past

analog computing is interesting historically

If your headset has the placebo effect or actually work it doesn't matter as long as you don't notice

at least I've always thought that way

i'm no sure if i should get a pixel 4 with a big top bezel and a power hungry SoC or wait for the borderless pixel 4a with a less power hungry SoC

i have been waiting forever already

i may just buy some used pixel3

you can get them pretty cheap. saw decent unlocked refurbs at wallymart for 174$

yea i'm going to do that i guess, i feel like its a downgrade from my almost 2017 bordeless mix2 with a larger battery but i can't handle the terrible security part anymore

thats fair.. my biggest problem is that I have my google voice as my main... and gapps not be an option :/

i"m already google free so that's ok for me

lucky you

id like to be sim card free

Or at least a Sim provider that doesn't ask for large quantities of info...

i mean they still have your daily routines

even if you do a prepay like mintsim, privacy is there.. but its still routing through the same shit thats collected by ICs

come inEU, they don't sell those datas

even if they dont sell, guarantee they collect and analyze

oh i don't mind about that if they dont sell it

thats the main thing i do mind

😀

why do u mind?

because i don't believe they have the right to know whether i have something to hide

turn in airplane mode if you want to do some secret thing :D

hah, that supposedly sends a response back to the towers. Straight to faraday boyo

argh

<fluoridatedsheep "hah, that supposedly sends a res"> How do I determine if an online merchant sells legitimate faraday bag?

Before buying it, that is.

i guess by buying from the legit sites and not ebay or amazon

but the price isn't the same

i have no clue of the cheap ones are working well, there is probably some reviews on internet

fair enough, was talking about the specs of faraday itself, or a well-known faraday bag seller

I kinda doubt it if it comes from China though

No offense though, CCP is an adversary against privacy, and companies built there must be regulated by them.

At least, most of them...

isn't the same in the US?

they have to comply as well if i remember

lavamail had to close for exemple otherwise they had to comply

CCP is slightly tighter than US, given their government

US is the slightly better option here.

<yolotro[m] "lavamail had to close for exempl"> Talking about products, but yeah.

are they spying on the whole world like americans do?

On faraday bags, maybe it isnt too bad wheerever the origin is, just use precaution.

i guess they would like to

* On faraday bags, maybe it isnt too bad wherever the origin is, just use precaution.

<yolotro[m] "are they spying on the whole wor"> On Chinese phones, yes.

Xiaomi, Huawei are some of those products.

Not meant for discussion though... Just telling that US is not the only adversary, China too.

They have the vulnerabilities of Android and Linux 1 month ahead, according to an ad-tech

didn't it have been debunked? trump itself said that it's was ok to authorize huawei again if the US can make a market deal with china, so if they are spying why authorize them?

* didn't it have been debunked? trump itself said that it's was ok to authorize huawei again if the US can make a market deal with china, so if they are spying why allow them ?

Authorization != no spying

You're expecting China to tell the truth, just like any other government?

Just look at covid 19 cases.

oh yea you see governments as hostiles, i get it

ok i go take a shower now, see u later =)

and i don't think there was ever any proof about that huwei spying, if i remember it was a part of the trade war

<yolotro[m] "and i don't think there was ever"> There may be not, because China is good at hiding things, but remember the same government who lied about covid-19 has also control on Huawei company.

I rest my case.

if i remember they fired the local government of that region when they found out that they were trying to hide it

It is a possible PR move.

WHO, who is in coordination in China, once said covid-19 isnt communicable disease.

little was know about it in the beginning

anyways yea they spy, for example one of their army plane is the exact copy of an american plane lol

Then why did they hoard PPE in December?

i don't remember the name

everyone is spying

<yolotro[m] "everyone is spying "> If so little was known on that disease, there shouldnt even be a shortage in PPEs.

I doubt that.

But that's enough, I'm going off-topic.

praise china

can't wait for the social score 😁

i think grapheneOS have them ahead as well

there was a post from daniel about that

this time it's not too much off topic

Do you have that link?

it's for enterprises that a part of the some android alliance

i don't have a link at the moment but i'm sure about that

someone with knowledge will come here later for sure

🙂

<yolotro[m] "i think grapheneOS have them ahe"> GrapheneOS is an Android security partner

how about others popular phone makers, i remember reading something about it as well

What do you think...? thehackernews.com/2020/06/mobile-internet-hacking.html

yea otherwise samsung and others would not be able to ship updates that fast

<jalb66 "Do you have that link?"> i finally found the link about the partner thing reddit.com/r/Android/comments/ckdyp…ust_got_the_august_security/evmpmw0

yolotro[m], thanks!

not sure how many are partners, if it's only the most popular brands or no

<yolotro[m] "not sure how many are partners, "> I think everyone that ships with Google play

<defconanon12[m] "Hey there. Graphene community. I"> dontasktoask.com

Yeah you're man

GrapheneOS is of course on there without Google Play, but that's a good indictor

* Yeah you're good man

About Google Play... xda-developers.com/google-play-billing-v3-app-bundle-requirement-2021

Google will require Android App Bundles for new apps in Play, thereby forcing developers to give Google their app's private signing key.

<jalb66 "Google will require Android App "> That's only for apps over 50mb no?

cn3m[m], IDN, I read this news just now

According to guardian project:

Google will require Android App Bundles for new apps in Play, thereby forcing developers to give Google their app's private signing key. This further centralizes the ecosystem and strengthens their monopoly by making it harder to publish outside of Play

Thats pretty nasty

wire.com/en/blog/new-partnership-to…bring-secure-android-communications Wire deleted the blog post!

Nice

Thanks to everyone who helped and wrote

Great

wow

i would be mad and search for revenge if i was him

<jalb66 "Google will require Android App "> It's not really hard..

cn3m[m], I suppose so

They can make it another way

Google Play used to be so amazing

But maybe it will be more work for many devs

I'm a bit out of the loop, what was up with that blog post?

<DarkUranium "I'm a bit out of the loop, what "> Wire partnered with Copperhead

People wrote letters to them about it

And Wire has taken down the post

Ah, I see.

Ideally if people could ask them to take their tweet down that would be great. At least it's a dead link, but still

<jalb66 "Google will require Android App "> Bad news

I have set up a second user account. I can't see any apps installed on main profile, as expected, but I thought I would be able to find them somehow without downlading apk's again, am I wrong there?

Could someone please explain what kind of attacks that the auditor app informs you about?

Like, is it a malicious OTA or?

yekip[m]: you'll probably have to install them again on the second account, although that shouldn't take up more space since the app files are shared, only the user data is not

with adb you could install for other users without redownloading, but unless you have really shitty internet, that is more effort than it's worth

<Arhu "yekip: you'll probably have to i"> thanks Arhu. related question - android nooooob question - if I delete an APK from downloads folder, that won't uninstall an app will it?

it won't

<Arhu "with adb you could install for o"> if that means CLI then yep it's more effort than it's worth for me anyway! thanks

<Arhu "it won't"> it wont uninstall an app to delete apk?

The APK file in your Downloads is an installation file, like Install.exe for a Windows app. After you've installed the app, it's not necessary anymore and deleting it won't delete the app

dallemon, anupritaisno1: I just received a Pixel 4 XL, can I help with testing?

thank you

Hi. I'm trying to install graphene on a new Pixel 3a and I'm stuck at flash-all.sh. It looks like it hangs at flasing the bootloader. I don't have any output on the shell and the device only shows the bootloader. Any idea what i'm doing wrong?

i have no clue but no one is replying, so are you use the correct fastboot version?

bauruine: does your PC show the phone when you enter 'fastboot devices'?

RTFM. Had to "Reboot to bootloader" on the device.

sorry for bothering you :-(

ya RTFM! :D

yolotro: are you considering a non-XL Pixel 4?

I did my research and opted for the XL because of the battery

<bauruine "Hi. I'm trying to install graphe"> I had the same problem, I don't know how I solved it. But it's easy. Now I have it installed.

Maybe something about location?

For the non-XL, battery life shouldn't be that much worse than the 3 if you turn off all the battery consuming features like 90Hz display, always listening Google assistant, and Soli gestures

I recommend you read carefully the isntall instructions and keep trying

If you don't want the XL, I'd wait for the 4a

Latest rumors are that it might still be months before you can actually buy it

<Arhu "I did my research and opted for "> not anymore, no fingerprint reader is totaly dealbreaker for me i think i'm goint to wait even more, for the 4a or i may get a 3 if i can find a good deal used

<Arhu "yolotro: are you considering a n"> not anymore the missing fingerprint reader is deal breaker, i may wait even more for the 4a or get a used 3 if i can find a good deal

yea, i waited years already i can wait some months more

Are you in the US?

no in EU and there is no good deal for a used 3

i checked ebay US and the 3 price is much lower

<Arhu "Latest rumors are that it might "> also some months more for a grapheneOS port, if it ever come

Question, im testing something on a minimal ubuntu build

When i type: adb start-server, it will do run for two whole minuted, and then finally claim the daemon is not running and starts it

So it seems like the command is waiting for something before it decides to launch the daemon, does anyone have an idea what it might be, or how i could discover it?

fastboot --version

<defconanon12[m] "I am having a fastboot firmware "> If your fastboot version is out of the date the script will tell you.

> <@defconanon12:matrix.org> I am having a fastboot firmware problem. It is up to date. Can two fastboots cancel each other out? I still have minimal adb fastboot that is outdated. Could this be my problem if it won't use the flash-all file cause of fastboot not being up to date?

* If your fastboot version is out of date the script will tell you.

and yes an outdated version can cause issues

oh yea they added a check in the script, it will tell you

yekip: the Auditor app uses hardware-based attestation, it doesn't rely on software checks to verify the OS but rather verified boot, attestation and hardware-backed keys in the HSM (Titan M on a Pixel 3)

yekip: the hardware provides extremely strong verification of device identity (the fingerprint of the key that was generated for the pairing), the OS verified boot key, verified boot state, patch level, etc.

and the way it works chains trust to the app within the OS

the OS tells the hardware the app id and signing key fingerprint

and the hardware includes that in the signed attestation

and it's done in a way that the OS chains trust to the app

so you can't just install an Auditor app signed with a different key and pass verification, doesn't work

which means Auditor can do meaningful checks in software too

which is why is gathers information on other ways an attacker could have persisted access after a compromise

like an accessibility service, device manager, etc.

the purpose of Auditor is to verity identity of the device (the cryptographic pairing) and through that (pinned public keys) strong verification of the attestation information

since it has pinned the keys used to sign the attestation by the hardware

so it's strong verification of OS integrity + authenticity, identity of the device (and when I say that I mean via the cryptographic pairing - if you clear it a redo the pairing that's a totally fresh identity)

and with trust chained to the app, the app can do all kinds of checks and gather interesting information in a reliable way

even if an attacker exploits the OS in the current boot to gain root access successfully, they CANNOT fake the core device information provided by Auditor (identity, OS, verified boot hash / state, OS patch level)

and if they do not CURRENTLY have root access, they can't fake the 2nd section in the output of software-based checks

they would have had to successfully exploit the OS in the CURRENT boot to fake the 2nd section

so, important to note that the patch level is provided via hardware in the first section (which is the hardware-based attestation info) which provides more assurance for the 2nd section of info from the app which has had trust chained to it through the OS

A popular tipster suggests that Google Pixel 4a could launch in July but release in October.Another leaker reports that the phone could have a different name.A third tipster believes that the Pixel 4a is launching “very soon.” androidauthority.com/google-pixel-4a-release-date-delay-1128965

can't they just shut up?

there were also rumors that the Pixel 5 would not have a top tier CPU

maybe Google is like "fuck it, the Pixel 4a is the Pixel 5 now"

strcat[m]: how is Sony with security? They are relatively nice with releasing AOSP kernels, builds, and binaries. Even very old devices get Android 10 AOSP. No custom verified boot I think. Any idea what kind of HSM their recent phones have and if it's implemented in a sensible way?

Arhu: most phones don't have an HSM

they only have the TEE

Qualcomm introduced their SPU which is an HSM provided as part of the SoC

but I don't know how broadly used that is on current generation flagship devices where it's available

and I somewhat doubt it supports Insider Attack Protection

I see the the attestation app website only lists the Samsung Galaxy Note 10(+) as having an HSM with StrongBox support used by Auditor

They probably use ARM TrustZone

<defconanon12[m] "I am running the lastest version"> If you're on windows:

the install guide only recommends powershell

About what the news I posted here some hours ago, F-droid says: Also of note, if you are a play store user but still get some apps from F-Droid, Play Store billing will stop working for apps in F-Droid. xda-developers.com/f-droid-android-apps-google-play-purchases

About the news I posted here some hours ago, F-droid says: Also of note, if you are a play store user but still get some apps from F-Droid, Play Store billing will stop working for apps in F-Droid. xda-developers.com/f-droid-android-apps-google-play-purchases

"This would mean developers have to upload their signing keys to google play even though there's no technical benefit in doing that. You can achieve the same efficient download sizes by using bundletool locally and uploading all generated apks. But it seems google will stop allowing that and just wants your signing keys."

Wanted to hear some thoughts here. At a practical level, how bad can it be, –from a scale of not ideal, to horrific just don't let it happen ever– to keep a phone for one year after it is no longer getting firmware updates and so on?

for example recently there was an exploit on many samsung phones that allowed anyone to hack you and steal all your data and files by just sending an MMS to your phone, if you didn't update you would stay vulnerable

But was that a firmware based attack?

Or is that wrong?

oh i thought you mean the whole thing, sometimes firmware refer to the whole rom sometimes to only a part of it

it was a bug in the rom

I mean theoretically you'll still get support from graphene a little after you lose firmware support no?

i don't think graphene is going to support phones that do not longer receive firmware updates

This is probably something of a novice question, but I'm wondering if the Pixelbook would be a potential target for GrapheneOS. I know Daniel has said in the past that laptops are not worthy targets, but the PB has Google's Titan M implementation and verified boot. Presumably the Pixelbook Go, as well. Would this qualify the device for further research?

it doesn't have a Titan M, it's a different thing

and a different kind of verified boot

<yolotro[m] "i don't think graphene is going "> Isn't it supporting the already legacy pixel 2?

yea but the pixel still receive firmware updates

zozu: the Pixel 2 is not EOL

we consider it legacy because it doesn't meet our current standards

Ohhh, okay sorry my bad.

* yea but the pixel 2 still receive firmware updates

So in getting a pixel 3a, by may 2022, even if I really like the phone, it's urgent to get a new device?

> it doesn't have a Titan M, it's a different thing

> and a different kind of verified boot

I see. Are these implementations beneath the standards of the project?

it is not really the same thing - it's not meant for AOSP

Has anyone worked on developing a de-Googled version of Chromium OS with verified boot?

alzxjm: The Pixel Slate and Pixelbook Go (but not the Pixelbook) have a Titan C. Also Intel vs Snapdragon CPU so the verified boot works completely different. There is a good chance the Pixelbooks don't even support verified boot with custom keys, in which case that security is only for ChromeOS, and not ChromiumOS and derivatives. There aren't even properly deGoogled ChromiumOS builds, let alone attempts at verified boot. ChromiumOS can't really be

compared to AOSP, it relies on the Google Cloud.

<alzxjm[m] "Has anyone worked on developing "> ask concat he know well about that, cloudready fork support some features of verifiedboot

If you harden your Firefox with no script, ublock origin, https everywhere, umatrix, decentrilayers, self distruct cookies and so on, and tweak with the settings, is it still that bad for security?

Or am I still better of with ungoogled chromium?

zozu: yes

Yes to which?

both

Please enlighten me!

it's bad for security and you're better off with ungoogled chromium

is there some specific extension or something why you want Firefox?

<yolotro[m] "ask concat he know well about th"> I've seen an attempt before but it's not very well maintained, and CloudReady does support rootfs and bootloader verification (w/ secure boot) but it's missing the other verified boot ChromeOS (on Chromebooks) have.

<Arhu "is there some specific extension"> But doesn't google have influence even over ungoogled chromium?

That's my main thing

what do you mean with influence?

it's based on Google code

in that way, Google has influence over GrapheneOS too

Just that the code it's based on comes from Google doesn't make it bad

it makes it better than being based on code than comes from Mozilla :)

(Perhaps this be complete crap what I'm saying) but say google decides to push some kind new protocol

<concat[m] "I've seen an attempt before but "> Thanks for that response.

What about tor browser vs ungoogled chromium linked to tor?

zozu: Mozilla is just as privacy hostile as Google, maybe even more

How so?

<zozu[m] "What about tor browser vs ungoog"> You don't have homogeneity.

at least Google is more competent when it comes to security

Enlighten my innocence

<zozu[m] "How so?"> Firefox ranked worse than Google Chrome for phoning home out of the box by a study.

Is that it? Any more complaints?

<Arhu "at least Google is more competen"> Okay but with using ungoogled chromium over tor browser, won't that spoil your fingerprint?

Tor is something different

Let's focus on that now

Chromium is better than Firefox

Got it

But with tor?

Which would you use?

And why?

I would bet that if they would rewrite the Tor browser now, they'd start out with Chromium instead of Firefox

It doesn't help the question. For the closest to anonymous experience, what would you use today?

With what we have

Arhu: nice you got a 4xl and ready to help - paintedman is also working on pixel 4

Regular webbrowsing -> Chromium, Tor -> Tor browser (which is FF based)

So tor browser is your final vote here?

zozu: best to use tor browser over tor

For best security and privacy?

To lower the chance of compromise set safety slider to safest (then no JavaScript can run)

Of course

Okay cool

What about on android?

I'm talking android

Ohhh cool cool

Same logic applies for pc then?

Right!

*?

<Arhu "Regular webbrowsing -> Chromium,"> There's a Chromium-based Tor? What?

No, but you can link them

dazinism: I'm afraid I can only be of limited help because I have almost zero Android development experience (although I am a programmer), but installing and testing builds is no problem

<zozu[m] "For best security and privacy?"> Tor Browser for everyday browsing, Vanadium if Tor breaks the site (or Bromite if you're not on Graphene OS)

If you want to be extra safe and are worried that tor browser may have been compromised can clear the app data.

Ohh, right! That's good to know

Use it better in a different user/profile

After each data clear, you have to reset safety slider (if you want it higher)

This also breaks the default way tor works

IIRC by default you use the same entry node for some time, as this is statistically safer than using a different one.

Clearing app data means you use a new entry node next connection

Have to weigh up that against possibility that browser has been exploited, and they have gained persistence within the app sandbox

particularly since the browser it's based on has no inner sandbox

and trusts persistent state completely

dazinism: where did you get the idea of being persistent in the app sandbox?

no output as in an error message?

Not sure if this is relevant to this room, but has anyone tried CalyxOS? It seems quite similar in scope to Graphene.

CalyxOS is great but it's not really similar to GrapheneOS. It doesn't work on hardening the OS.

So it's considered trustworthy? I have a Pixel 4 XL and I'd like to flash GrapheneOS when it is available, but CalyxOS might be a good middleground for now. Side-question: what sort of hardware do I need to build and test GrapheneOS for the Pixel 4 XL? I'm happy to try and test it out.

I'd consider it trustworthy. Build requirements are grapheneos.org/build#build-dependencies

<defconanon12[m] "What do I have to do in powershe"> In powershell:

you're welcome

Scallops with dollops of flavour on top...

That was for overheadscallop - no The Herd fans here I guess...: (

googleprojectzero.blogspot.com/2020…-sandbox-escape-cve-2020-12388.html

hehe

never "heard" of them before skratchnsniff

Hehe

Well, there is a song about your handle.

"Scallops"

renlord: yikes

Manouchehri: just thought that escaping the app sandbox was an extra, I think potentially more difficult layer. While tor browser vulns can possibly be gathered more easily

dazinism: trying to read the backlog, but I'm not sure how Firefox is relevant. Do people actually use it on Android?

Manouchehri: yes, in some circles its very popular. The fact its had support for add-ons / extensions, while nothing else has many find attractive

on Android!?

Yeah

<defconanon12[m] "Another question is this the bes"> GitHub issues

<alzxjm[m] "So it's considered trustworthy? "> I consider it trustworthy too. You can see the long term commitment and their funding. The Calyx Institute has been around for a while. It's definitely got some security and privacy drawbacks. However I've used it before

<defconanon12[m] "I am trying to use the Auditor a"> Try restarting the process?

You could try that

defconanon12: also maybe try holding the camera a bit closer? If I'm not getting confused with something somewhere else, that can sometimes help?

(Closer so the runs outside the target box on the screen)

*the code runs

A little late....do you have two phones with auditor?

You have to actually tap the QR code after the first scan.

The whole process takes mere seconds.

I just did it a handful of times back and forth on a few handsets, cannot reproduce the problem.

And both was with Graphene to Graphene....Graphene to Calyx.....calyx to calyx.

<defconanon12[m] "Wait does the other phone need t"> If it's a supported device

defconanon12: try it with the QR code bigger than the target box

Out of curiosity, do Coral and Flame share the exact same kernel? It looks like no arguments are used for building the kernel for those two.

<alzxjm[m] "So it's considered trustworthy? "> one nice thing about CalyxOS and Graphene both supporting Seedvault backup is that it could make it easier to try one and switch to the other

TheJollyRoger: yes same kernel

strcat[m]: oh wow, that's good to know.

Does Chromium on desktop use `-ftrivial-auto-var-init=zero` by default? It looks like it from the makefile but I'm not sure.

madaidan.: no I added that

<strcat[m] "madaidan.: no I added that"> I mean on desktop

I know you added it to Vanadium for Android

it doesn't use =zero

Do you mean it uses it but with another value than zero?

they use an unsafe pattern

yes

thanks to upstream trying to discourage using zero since they don't like that it isn't disruptive

I mean LLVM

<strcat[m] "they use an unsafe pattern"> Is that still better than not using it at all?

<dazinism "defconanon12: try it with the QR"> So I did try it and still nothing. I am going to reboot both phones and see if that fixes my issue. Will update. I am still stuck on the secondary QR code.

Everyone that supports GrapheneOS should donate to support the development : github.com/sponsors/thestinger ... github will match your contribution

anyone else Signal take forever to send text?

Though it's also true that Daniel needs devs and device maintainers more than anything

proof_jr Not really, no. I occasionally have issues but it's usually the receiver having issues.

> Though it's also true that Daniel needs devs and device maintainers more than anything

True but possibly some may want to support but are not developers

Agree. Simply casually mentioning it. I am in no position to do development work and will probably donate because of that.

Auditor finally worked. Thanks everyone who was trying to help.

<notmyname723[m] "anyone else Signal take forever "> Rarely, sometimes I have issues sending to people with Google Play Services when I don't have Google Play Services but even that is rare