-
strcat[m]
no
-
strcat[m]
Android and ChromiumOS both run on x86
-
strcat[m]
verified boot on x86 is problematic on most hardware though, doesn't really work well
-
strcat[m]
Chromebooks are designed for it
-
strcat[m]
Windows only has good verified boot if you count the xbox as Windows
-
strcat[m]
it's a work in progress for laptops
-
strcat[m]
but it's making progress
-
strcat[m]
needs to be one of their 'secured core' laptops to have any hope
-
strcat[m]
otherwise it's a hardware issue
-
concat[m]
Forgot to state specifically for desktop equating Android out. I didn't really know ChromiumOS verified boot on x86 to be honest.
-
concat[m]
<strcat[m] "needs to be one of their 'secure"> Yeah I've heard some hype about the secured core laptops
-
strcat[m]
ChromiumOS is just what they build ChromeOS from with their added stuff
-
alzxjm[m]1
So does CloudReady get the blessing from the Graphene community?
-
strcat[m]
just like AOSP vs stock OS but much less different
-
strcat[m]
alzxjm: no
-
concat[m]
what's wrong with CloudReady
-
strcat[m]
the same reason putting current AOSP on a Nexus 5 doesn't make it secure
-
strcat[m]
all of this is off-topic and getting boring anyway
-
concat[m]
<strcat[m] "the same reason putting current "> Sure, but I'm not sure that is exactly an accurate equivalence. You still have the ChromiumOS security model and (some) verified boot. For desktop it's a severe upgrade from Linux.
-
concat[m]
You still have the virtualized Crostini environment
-
strcat[m]
you don't get verified boot without proper hardware support
-
strcat[m]
which most machines don't really have
-
strcat[m]
and as I said
-
strcat[m]
it's like putting current AOSP on a Nexus 5 in most cases
-
strcat[m]
the purpose of it is flawed
-
strcat[m]
hardware without firmware updates, etc. isn't fixed by putting another OS on it
-
concat[m]
<strcat[m] "hardware without firmware update"> That's not why people use CloudReady
-
concat[m]
<strcat[m] "you don't get verified boot with"> CloudReady does support some of the security features that comprise Verified Boot
-
strcat[m]
concat: also seems verified boot is totally broken for them
-
strcat[m]
concat: they allow disabling it - so how the hell is it supposed to work when it can be disabled from persistent state?
-
strcat[m]
they allow disabling it from the OS
-
strcat[m]
and they have transitions to root within the OS
-
strcat[m]
why would an attacker care about verified boot if there's a switch in persistent state to turn it off
-
concat[m]
<strcat[m] "they allow disabling it *from th"> You mean disabling rootfs with crosh?
-
strcat[m]
disabling it at all via persistent state
-
strcat[m]
means it was never doing anything in the first place
-
concat[m]
Ok, can you show me that?
-
strcat[m]
show you what
-
strcat[m]
they document that it can be disabled within the OS persistently
-
strcat[m]
and it's apparent that the OS exposes persistent root access too
-
strcat[m]
so there's no meaningful verified boot
-
concat[m]
I haven't seen that in their documentation.
-
strcat[m]
and if that's the approach - i.e. security theater and pretending to have features while having a totally useless implementation with a switch for the attacker to turn it off when they have the control that the feature is supposed to contain
-
concat[m]
If that's true, then that does suck. But would that negate all of the other system hardening?
-
strcat[m]
when they completely ruin stuff like this in such an obvious way
-
strcat[m]
doesn't bode well for the rest of it
-
strcat[m]
makes it apparent they don't care / don't know what they're doing
-
concat[m]
<strcat[m] "they document that it can be dis"> Do you have a link to the documentation you're referring to? I tried doing some searching, didn't find it there.
-
strcat[m]
-
concat[m]
<strcat[m] "makes it apparent they don't car"> If that's true, regardless I'm unclear how this ultimately rejects the virtualized Crostini environment and ChromiumOS own security model which for the most part to my knowledge hasn't been tampered with. I'm taking what you're saying with consideration as well.
-
strcat[m]
-
strcat[m]
what I'm saying is when they so obviously break the entire purpose of a core security feature
-
concat[m]
strcat Yeah, so that's with crosh that I asked you earlier.
-
strcat[m]
that doesn't bode well for the rest of it
-
radixed9[m]
This is the impression I got of CloudReady too. They are not entirely sure what they are doing. They are based on a solid base. I am concerned they will mess up their Android support
-
strcat[m]
concat: having a way to disable it within the OS means it has a branch on persistent state to decide if it should use it
-
strcat[m]
therefore the feature doesn't work
-
concat[m]
<radixed9[m] "This is the impression I got of "> They're just porting ARC++ for Android support, I thought.
-
strcat[m]
there's a reason you can't unlock the bootloader inside AOSP, and there's a reason why unlocking wipes data
-
concat[m]
<strcat[m] "concat: having a way to disable "> You need developer mode to do this
-
concat[m]
Without developer mode you can't disable the verity
-
strcat[m]
chromebooks have special hardware support to deal with that stuff
-
TheJollyRoger
hmm. Wonder if there's something special or special arguments that need to be passed to ./build.sh for coral? I'm getting this: jollyrogers.ca/public/coral-build.txt
-
concat[m]
So if an attacker can get developer mode on CloudReady then it's game over already, not just verified boot. Developer mode in general adds so much attack surface
-
strcat[m]
concat: they have developer mode by default
-
strcat[m]
also an attacker doesn't need to 'get it'
-
strcat[m]
you seem to be missing the whole point of verified boot
-
concat[m]
strcat No they don't.
-
strcat[m]
Chromebooks have special hardware support to implement developer mode
-
concat[m]
strcat My developer mode has always been disabled, and I tried disabling verity just now.
-
concat[m]
strcat I launched crosh and I am running as a yellow uesr
-
concat[m]
* strcat I launched crosh and I am running as a yellow user (developer mode is green)
-
overheadscallop[
TheJollyRoger: I don't know about the error but aren't the coral and flame kernels already prebuilt
-
TheJollyRoger
Oh.
-
TheJollyRoger
Oops.
-
strcat[m]
concat: did you type `shell`?
-
concat[m]
strcat Yes.
-
concat[m]
It could be that I did extra setting changing
-
concat[m]
I can try on my other laptop that I haven't configged
-
strcat[m]
doesn't match what their documentation says
-
strcat[m]
and again
-
strcat[m]
since this stuff is controlled by persistent state the OS can write
-
strcat[m]
verified boot model doesn't work
-
strcat[m]
if you don't get that you don't get verified boot
-
concat[m]
<strcat[m] "doesn't match what their documen"> I'll try on my other machine and see if I get thrown the same error.
-
concat[m]
<strcat[m] "since this stuff is controlled b"> Fair enough, assuming you don't do the same configuration as me then that's not good. But I still don't see how that negates the rest of what it has to offer (especially Crostini, most system hardening don't seem tampered with).
-
strcat[m]
you can't do configuration to change this
-
strcat[m]
that's the whole point
-
strcat[m]
that misses the point of verified boot
-
concat[m]
Must've done something to get the ``shell`` to malfunction
-
concat[m]
If the documentation contradicts that
-
strcat[m]
you're assuming that other hardening is still in place as it would be
-
strcat[m]
and that they use comparable kernels, etc.
-
strcat[m]
I'm not going to make that assumption
-
strcat[m]
especially when I can see verified boot is not intact
-
radixed9[m]
That's why I don't recommend ChromiumOS
-
concat[m]
strcat Me and my friend have grep'd a good amount of their work.
-
strcat[m]
anyway it's not a discussion I want to have - it's off-topic
-
defconanon12[m]
So I have a question is it true that Tor Project and Graphene are working close together or is that just a rumor?
-
concat[m]
Not to be anecdotal but for the most part almost everything seems identical
-
strcat[m]
defconanon12: it is not true
-
defconanon12[m]
strcat: Thanks for the clarification.
-
strcat[m]
on Chromebook there is hardware support for the hardware-based security features
-
strcat[m]
hardware support for developer mode without having insecure persistent state to toggle it
-
strcat[m]
hardware support for verifying the firmware and OS properly
-
strcat[m]
so the OS can chain from that and do real verified boot
-
concat[m]
<strcat[m] "on Chromebook there is hardware "> CR doesn't have the hardware-based security features
-
strcat[m]
hardware support for attestation, etc.
-
concat[m]
That's one of the problems I acknowledge with it
-
strcat[m]
hardware support for encryption
-
defconanon12[m]
It didn't sound legit. Just misinformed sprouting it around.
-
strcat[m]
the ChromeOS hardware support isn't as nice as the hardware security features on Pixels but it's still important
-
fluoridatedsheep
<furofuro_01[m] "How do I determine if an online "> I know a guy who could get you a decent one for a phone for $35, works like a charm for me. otherwise silent pocket is a good option
-
defconanon12[m]
* It didn't sound legit. Just misinformed people sprouting it around.
-
strcat[m]
will be back later, going for now
-
jknsec[m]
Are Faraday bags even effective or just theater?
-
defconanon12[m]
jknsec: What is a faraday bag?
-
TheJollyRoger
jknsec[m]: theatrics.
-
fluoridatedsheep
<jknsec[m] "Are Faraday bags even effective "> certainly not theater. try pinging those bitches. real faraday bags that is
-
fluoridatedsheep
there are plenty of shitty ones, no doubt
-
defconanon12[m]
Nothing is out of box secure.
-
jknsec[m]
True. I just meant most of which are sold. Silent pocket is reliable?
-
defconanon12[m]
Don't trust preconfigures.
-
overheadscallop[
-
fluoridatedsheep
<jknsec[m] "True. I just meant most of which"> I have no beef with silent pocket, but ive only used their wallet for rfid blocking
-
TheJollyRoger
If the device is compromised to the point you need to physically keep it isolated physically, you might as well use thermate, because then it could simply store what it wants to exfiltrate, wait until it gets reception again, and then dial out.
-
fluoridatedsheep
<TheJollyRoger "If the device is compromised to "> do you trust graphene enough not to get popped?
-
defconanon12[m]
overheadscallop: Thanks.
-
TheJollyRoger
fluoridatedsheep: yes.
-
jknsec[m]
I just keep my phone in airplane mode and activate when needed because I trust the security of the device and the main issue is cellular radio.
-
fluoridatedsheep
im currently using shelter to isolate things like spotify and groupme on my graphene phone.. i just want the apps completely offline when not in use. I know shelter gets some flack, but im not looking for full sandbox, just app downtime
-
jknsec[m]
Even though, you know, Wi-Fi
-
fluoridatedsheep
<TheJollyRoger "fluoridated sheeple: yes."> what about by nation-states?
-
defconanon12[m]
This honestly sounds like privacy theater. I need to see it in action.
-
TheJollyRoger
fluoridatedsheep: An adversary with unlimited resources is outside of my threat model, considering my roommates have shown me that thirty-five bucks and a bit of DIY can go a long way to a full compromise.
-
TheJollyRoger
And a trip to home hardware.
-
defconanon12[m]
Kinda reminds me of poorly designed router boxes. Though don't if even those actually work?
-
fluoridatedsheep
<TheJollyRoger "fluoridated sheeple: An adversar"> therein lies the problem for me
-
jknsec[m]
If you want to protect against nation states you pretty much need speciality hardware created by opposing nation states.
-
jknsec[m]
And software ofc
-
TheJollyRoger
A truly determined adversary won't bother spending $300,000 from an exploit broker to purchase an Android Zero day, no, they'll spend about $35 on plaster of paris, paint, a drywall knife, and then another $300 on a small camera they'll install into the lighting fixture of your room.
-
defconanon12[m]
* Kinda reminds me of poorly designed router boxes. Though don't know if even those actually work?
-
fluoridatedsheep
is graphene's airplane mode actually effective?
-
TheJollyRoger
fluoridatedsheep: yes.
-
cn3m[m]
<fluoridatedsheep "is graphene's airplane mode actu"> Yes
-
fluoridatedsheep
ill be switching over from linux shortly.. just a lot of apps that i could use :/ id like to run with no sim but that proves difficult in some situations
-
fluoridatedsheep
* ill be switching over from lineage** shortly.. just a lot of apps that i could use :/ id like to run with no sim but that proves difficult in some situations
-
jknsec[m]
-
defconanon12[m]
Huh you learn something new everyday.
-
madaidan[m]
strcat: are you sure ChromiumOS uses Clang CFI? I've checked their kernel and couldn't find anything.
-
TheJollyRoger
defconanon12[m]: with respect to those "router enclosures" are you talking about those plastic ones you simply fit over your home router and fasten with a padlock?
-
TheJollyRoger
Like the one in the talk "AirBnBeware?"
-
TheJollyRoger
The threat model of those is "dissuade the casually curious/opportunistic but otherwise honest" types.
-
cn3m[m]
concat: CloudReady really doesn't seem to understand their shortcomings which definitely makes it questionable
-
concat[m]
cn3m How do you know that it wasn't an intentional design choice?
-
concat[m]
* cn3m How do you know they aren't aware?
-
alzxjm[m]1
So ChromeOS is like, not an entirely unreasonable choice for security? It seems most of the pernicious privacy invasions can be opted out of.
-
concat[m]
I could make a strong argument for you that's not a hasty generalization; either they don't know or they intentionally did so. Both are bad.
-
concat[m]
I wouldn't slander them that way but still point out the error more efficiently.
-
concat[m]
cn3m Has Hackintosh acknowledged their OpenCore verified boot was improper?
-
concat[m]
I could slander Hackintosh the same way.
-
concat[m]
> It's not unreasonable at all. So far we can tell they've ruined major parts of the security model. It's naive to think they haven't done more, especially when they've shown a clear lack of knowledge on these features.
-
concat[m]
It's not unreasonable to assume the plausibility, but overall concluding is just induction.
-
concat[m]
-
interceptingfist
dazinism:trying to use shelter.. Isnt clone to work profile supposed to put the app into it? Mine does nothing
-
fluoridatedsheep
<interceptingfist "dazinism:trying to use shelter.."> its a bit buggy on graphene, but i got it to work
-
fluoridatedsheep
just restart a few times lol
-
jiibus[m]
<fluoridatedsheep "ill be switching over from linux"> What apps are you worried about not having access to?
-
fluoridatedsheep
<jiibus[m] "What apps are you worried about "> well i dont use my real number anywhere.. i have a google voice. fortunately calling/text forwarding should work
-
interceptingfist
fluoridated sheeple: it only lets me clone the apps graphene came with
-
jiibus[m]
Ah! I was in a similar pickle too. I resolved it by going with [jmp.chat](jmp.chat). Android has a built in SIP client and I've been using them for a bit. Works like a charm. I use Conversations for texting.
-
fluoridatedsheep
<interceptingfist "fluoridated sheeple: it only let"> You restart? make sure to check permissions, turn off shelter as well
-
interceptingfist
Is that normal
-
fluoridatedsheep
shelter struggles on graphene lol
-
fluoridatedsheep
not like shelter is anything crazy for security, i just want to keep a few apps offline
-
interceptingfist
Doesn't let you install apks to yours
-
interceptingfist
Does it*
-
jcpicard32[m]
It did for me, but I had to try a few times
-
jcpicard32[m]
As others have mentioned shelter on Graphene is pretty buggy
-
interceptingfist
I'm just asking cause I don't want to spend a lot of time messing with it
-
fluoridatedsheep
<jcpicard32[m] "As others have mentioned shelter"> took me a few minutes, only have it for a few bad apps like waze
-
jcpicard32[m]
Yeah fortunately I didn't have to do too much. Pretty much have it for Facebook/Whatsapp/Spotify so I didn't have to futz with it too much
-
interceptingfist
fluoridated sheeple: jcpicard32 do you all use multiple user accounts?
-
jcpicard32[m]
I just use the work profile right now, but I've used multiple accounts in the past
-
jcpicard32[m]
It's more secure to use separate accounts at the cost of convenience
-
interceptingfist
What makes it more secure though
-
fluoridatedsheep
<interceptingfist "What makes it more secure though"> just keeps the bad apps offline, i wouldnt argue for its sandboxing, it even says it shouldnt be relied on
-
jcpicard32[m]
I'm not sure of the exact explanations, but Daniel has said it here in the past. At the very least the reliance on external code increases attack surface, but I'm sure there's more to it than that.
-
qyo3462572445[m]
Shelter works great for me. I never had an issue with it on my 3a.
-
defconanon12[m]
TheJollyRoger: Correct.
-
cn3m[m]
Shelter adds a ton of attack surface and clipboard leaking opportunities
-
defconanon12[m]
cn3m: I sent you a DM by the way.
-
interceptingfist
qyo3462572445: I'm on 3a
-
faxing[m]
Yeah isn't shelter privacy from invasive apps at the cost of security?
-
cn3m[m]
<defconanon12[m] "cn3m: I sent you a DM by the way"> I'll check it later
-
defconanon12[m]
Will do.
-
interceptingfist
jcpicard32: fluoridated sheeple I got it to install apks, thanks for the help
-
plsbrespectfulgu
<faxing[m] "Yeah isn't shelter privacy from "> i wouldnt say at the cost of security, it keeps those bad apps frozen. give and a take
-
plsbrespectfulgu
<interceptingfist "jcpicard32: fluoridated sheeple "> np
-
jcpicard32[m]
Glad you got it. Happy to help
-
defconanon12[m]
I know this is going to sound silly but Discord anyone? Not asking for usernames no. Just stating on Graphene OS I am having a problem with notifications. As to be expected though. I got it from the Aurora store. Would this be different if I would get it from APKmirror?
-
plsbrespectfulgu
<defconanon12[m] "I know this is going to sound si"> doubtful, im certain discord uses google firebase or whatever else for notifications
-
defconanon12[m]
I believe it. Discord isn't exactly so secure as people may think. plsbrespectfulguys
-
plsbrespectfulgu
<defconanon12[m] "I believe it. Discord isn't exac"> nobody really parades it as secure tho
-
faxing[m]
I mean security of the system, not security of individual applications.
-
plsbrespectfulgu
<faxing[m] "I mean security of the system, n"> ah, i mean adding anything to a system adds a certain level of risk. for my use case, i prefer it
-
defconanon12[m]
plsbrespectfulguys: You would be surprised. It doesn't remove all EXIF data by default for an example.
-
plsbrespectfulgu
<defconanon12[m] "plsbrespectfulguys: You would be"> what do you mean? i didnt think shelter removed any exif.
-
faxing[m]
Oh yeah, for certain use cases it can certainly be advantageous.
-
defconanon12[m]
plsbrespectfulguys: Talking about Discord am I screwing up a convo?
-
plsbrespectfulgu
while security is essential, i certainly want my privacy. My employer would love to tap my shit
-
plsbrespectfulgu
<defconanon12[m] "plsbrespectfulguys: Talking abou"> you're good, discord doesnt remove any exif
-
plsbrespectfulgu
and unfortunately comsec is hard when you dont want to be a total hermit, and you end up with shitty apps like groupme and discord lol
-
defconanon12[m]
plsbrespectfulguys: Yes, yet I met Discord artist that think they do. Misinformation on the Discord forums.
-
defconanon12[m]
* plsbrespectfulguys: Yes, yet I met Discord artists that think they do. Misinformation on the Discord forums.
-
defconanon12[m]
Photographers also. More vulnerable.
-
plsbrespectfulgu
<defconanon12[m] "plsbrespectfulguys: Yes, yet I m"> ah, just refrain from saying anything sensitive and remove the exif with another app like mat2
-
defconanon12[m]
plsbrespectfulguys: So true but the average user knows nothing of that.
-
plsbrespectfulgu
<defconanon12[m] "plsbrespectfulguys: So true but "> yeah, but thats people. most things they believe in are a feeble countenance at best, a pipe dream without action
-
defconanon12[m]
I personally never heard of mat2 myself.
-
plsbrespectfulgu
<defconanon12[m] "I personally never heard of mat2"> its built into tails and parrot. not a mobile app. use eggspliff from fdroid if you want an app on mobile
-
defconanon12[m]
Oh I got what you mean. Talking about if I was running a desktop environment.
-
defconanon12[m]
I am probably just going to stick with the desktop Discord it is more user friendly and can work on it better.
-
defconanon12[m]
I used Tails. Just never had a reason to use Mat2.
-
jiibus[m]
[Mat2](0xacab.org/jvoisin/mat2) is interesting. Good to learn about, thanks!
-
plsbrespectfulgu
<cn3m[m] "The freezing is a client side ch"> ah
-
greenmoon[m]
I'm just using that open source app Simple Camera there is an option to take pictures without saving Exif data, but not sure if the photo quality is the best
-
greenmoon[m]
-
renlord
^ link does not work
-
cn3m[m]
Camera fingerprinting is much easier than that
-
furofuro_01[m]
"We kill people using metadata."
-
dazinism
interceptingfist: had a look at the multiple users toggle. It apparently doesnt shut down active user profiles, just hides the icon to select them.
-
dazinism
Think the safe/easy way to shut down user profiles is to restart the phone.
-
dazinism
Flicking the toggle at the bottom of the work profile app draw does kill everything running in the work profile
-
dazinism
> The freezing is a client side check don't expect much
-
dazinism
cn3m: thing I found interesting is how much shelter frozen apps disappear from the OS.
-
dazinism
Dont show up in the app draw, or in settings>apps
-
dazinism
But yes, the big issue with work profile / shelter is that shelter app has device admin permission for the work profile. Has more power there than the user.
-
dazinism
Shelter being compromised would be very bad for anything running there.
-
dazinism
<dazinism "cn3m: thing I found interesting "> Also worth considering other apps in the work profile can't see them when they are frozen.
-
dazinism
Interesting that Fairphone is about to roll out an OS update, 5 years from launch of the Fairphone 2
-
dazinism
-
dazinism
As we've seen there security can be a bit patchy
-
dazinism
Wonder if they are including firmware updates from Qualcomm
-
dazinism
*their security
-
jknsec[m]
Whoops Australia is being hacked
-
jknsec[m]
Fun
-
athyla
hey guys! a quick question. I have a Pixel 3 running GrapheneOS. When the phone starts up there is a warning saying that a custom OS is about to start on the phone. Is this normal or have I done something wrong when setting up GrapheneOS?
-
anupritaisno1[m]
-
athyla
great, thanks
-
meltedcheddar[m]
<athyla "hey guys! a quick question. I ha"> Normal, everybody with GrapheneOS has it.
-
furofuro_01[m]
<dazinism "Interesting that Fairphone is ab"> Now only if Google does the same...
-
furofuro_01[m]
pixel and grapheneos would be more worth it
-
dominusart[m]
Wouldn't be surprised if EU did something about it in near future.
-
dazinism
Guess theres also hardware issues though. Lots have changed in those 5 years
-
hitchhooker[m]
Updates are conducted without trust between the device and the server.
-
hitchhooker[m]
Since trust is not needed between the device and the server, updates work well over VPNs and Tor.
-
hitchhooker[m]
What is this supposed to mean?
-
dazinism
hitchhooker: updates are verified by the device and a compromised update server or MITM can't serve a malicious update.
-
dazinism
> internal US politics right now that threatens @OpenTechFund, who funded #LetsEncrypt, #CertBot, @TorProject, #NoScript, TLS ESNI/ECH, @DNSPrivacyProj, #ReproducibleBuilds, #Wireguard, @DeltaChat, @OpenKeychain, #pypi, @GuardianProject, @SignalApp, and more. Looks like a couple proprietary software companies are trying to take over this #FreeSoftware money. Please sign on to the campaign to try to stop it:
-
dazinism
-
anupritaisno1[m]
"TheJollyRoger" (matrix.to/#/@freenode_TheJollyRoger:matrix.org) "JollyRoger" (matrix.to/#/@JollyRoger:matrix.org) I talked with the app dev guy he says he'll take a look
-
anupritaisno1[m]
I just linked him to the issue trackers for the app projects, he'll see what he can do and pull request if he has a solution
-
jfbourdeau
K9 notification problem : I am having a hard time to have k9 mail send me notification on new eMail when phone is Locked / not used. Battery saving is off, k9 is setup to Fetch email every minute but still, When the screen is turned off/phone locked, my new GrapheneOS Pixel 3a install is perfect except for not getting my new eMail notification. And k9 sometime show Syncing disabled.... Anyone has gone through this and have some steps I could check ?
-
jfbourdeau
it's something basic but crucial to me.
-
jfbourdeau
Noobie question I know...
-
jalb66
jfbourdeau, yes, wait
-
jalb66
In the general configuration (I don't know how it is in English language), go to Network and choose Always. Done.
-
jalb66
Synchronize in second hand or something like that
-
jfbourdeau
jalb66, in k9 (accounts setting or k9 general setting) ? or Setting of Graphene ? I am presently looking for it
-
jalb66
K-9
-
jalb66
General setting
-
jfbourdeau
ok found it
-
jfbourdeau
I will see how it goes with this setting Tk you so much jalb66 for taking the time to reply to that simple question...
-
jalb66
I think it was that problem, I can't remember very well now, try it
-
jfbourdeau
will do tks have a nice day !
-
jalb66
In the new version I can't see the Accounts setting
-
jalb66
No problem
-
jfbourdeau
jalb66, it's working perfectly well ! tks I don't have to fetch folder every 1 minute as I tried... Only doing what you said fixed my problem ! I work from home and now if I go in car or working outside, I won't miss important work emails because of your help !
-
jalb66
jfbourdeau, glad it worked 🙂
-
jalb66
I discoverd it some time ago, I was like you before
-
jalb66
I discovered it some time ago, I was like you before
-
jfbourdeau
now I am testing your setting with Battery saver on... But I think it's not working, so I will turn off Battery saver
-
jalb66
jfbourdeau, it works
-
jalb66
Ah ok, sorry
-
jalb66
I thought you meant about optimizing apps
-
jfbourdeau
you mean if battery saver is ON, it should still work ?
-
jalb66
NO, sorry, IDN
-
jalb66
I mean that I'm optimizing K-9 and it work
-
jalb66
I mean that I'm optimizing K-9 and it works
-
jalb66
I don't need to make an exception in it
-
jfbourdeau
no it doesn't... At least according to my tests. Tks ! I am still happy... About App optimizing, I need to read / play with that ( come from the IOS world... A lot to learn in Android and Graphene)
-
jfbourdeau
jalb66, about " I mean that I'm optimizing K-9 and it work " What do you mean it work ?
-
jfbourdeau
in settings Battery or somewhere else that Battery Optimizing thing ?
-
jfbourdeau
jalb66, where do you that " I mean that I'm optimizing K-9 and it work " ? And what work ?
-
jfbourdeau
not sure to get it...
-
jalb66
If you go to Advanced permissions
-
jalb66
The first option
-
jalb66
Settings - Apps - Advanced - Special access for apps or something like that (IDN in English)
-
jalb66
Battery optimization?... I use Spanish language, sorry
-
jfbourdeau
I see it
-
jalb66
Normally if you don't want problems you add your app there
-
jfbourdeau
so you mean to put my k9 or whatever app I want to run, to "NOT OPTIMISED" ?
-
jalb66
But with K9 is not necessary, it works without it
-
jalb66
I think it's not optimised, check it
-
jfbourdeau
by default it's " OPTIMISE" I will set it to not optimise tks !
-
jalb66
Sorry, wait
-
jalb66
No, it's the opposite
-
nikoleos[m]
Hi, is it possible to change the OS accent color in Graphene OS other than green teal one ?
-
jalb66
When you want an app (like your messenger app, etc) to be very active you choose Not optimised
-
jalb66
In this case, even being K9 optimised, it works well
-
jalb66
And it's the default option, you don't need to "Not optimise" this app
-
jfbourdeau
in battery, Battery saver on your phone, Battery saver is on or off ?
-
jfbourdeau
If Battery Saver is on, then I don't get the notification when phone locked, I " think ", will try again...
-
jfbourdeau
now the battery shows in RED at the top right of the screen when battery saver is " ON"
-
jalb66
Battery saver?: always off
-
jalb66
With battery save on all many background apps won't work correctly, maybe your alarm won't sound, etc
-
jfbourdeau
Yes because if On, then when phone locked, k9 do not fetch (get email and do not notify me)
-
jfbourdeau
that is what I noticed
-
jalb66
With "battery save on" many background apps won't work correctly, maybe your alarm won't sound, etc
-
jfbourdeau
Do you use Whatsapp, Telegram or signal ?
-
jalb66
It's something normal
-
jalb66
No, Conversations (xmpp)
-
jalb66
Using it right now to write here with a bridge from xmpp to irc
-
jfbourdeau
xmpp, will google it :-)
-
jalb66
-
jalb66
-
jalb66
Conversations is the best in my opinion
-
jalb66
But I use an account from another server (it costs money if you want an account from Conversations server)
-
jalb66
F-droid to download the app
-
jalb66
-
jfbourdeau
ok taking note tks !!
-
jalb66
But Signal is probably the best. The problem is I don t want to give my phone
-
jfbourdeau
" The problem is I don t want to give my phone " I understand... I found something recently cool that do not require our phone one sec...
-
jalb66
Yes, there are many apps like that, I tested a lot
-
jalb66
But in what I need I only use Conversations: some channels, few friends and my wife
-
jfbourdeau
-
jalb66
Ah Briar, yes!, very good and decentralized
-
jalb66
I tested it
-
jfbourdeau
retroshare.cc ( for Computer Win or Linux)
-
jalb66
And loved it
-
jalb66
Tested too, and also qTox in Linux
-
jalb66
xmpp is not so safe but in individual messages Omemo as encryption is very good
-
jalb66
channels are not encrypted
-
jalb66
But you can create a small group (not channel) encrypted
-
jalb66
And it's very fast
-
jalb66
This app isn't optimised
-
jalb66
An exception
-
jfbourdeau
jalb66, when we change an App from Optimized to " not optimized" can we do that with any Apps from what you know ? Or they need to have been coded for it, meaning, "yes we can do it in the interface" but may be not all App can be set to " optimized" ?
-
jfbourdeau
Whatsapp ( in Shelter / work profile mode / isolated) stop updating itself, unless I clicked it.... trying to understand why... May be it simply absolutely need microG to run well in the background ( or when phone locked)
-
jalb66
IDN but normally the developer includes a warning to choose the option in the Settings to be Not optimise
-
jfbourdeau
ok
-
jalb66
Whatsapp needs Google services I think
-
jalb66
I don't use Shelter, IDN
-
jfbourdeau
I just tried setting Whatsapp to " not optimized " to see if it now work better when phone locked
-
jfbourdeau
I am new to android, but the concept behind Shelter made sense to me ( not access my contacts, media, etc) so we can isolate a Dangerous App in a more CLOSED environment
-
jalb66
Maybe it's something only Google services can do, if the app includes that code, I don't use it, sorry
-
jfbourdeau
but all Apps in the shelter WORK profile /Mode can all access each other infos if they try ( are malicious)
-
jalb66
Maybe another member could help you with that
-
jfbourdeau
ok tks
-
jalb66
I use a different user
-
jalb66
Only for Tor browser
-
jfbourdeau
yes someone told me " Profile", was may be safer than SHELTER... I didn't try it yet. not even sure how to anyway LOL (Google)
-
jfbourdeau
WHATSAPP QUESTION FOR YOU GUYS : Do some of you use Whatsapp ? I use WhatsApp within Shelter Work profile, and when phone is locked, whatsapp stop updating... I then need to unlock phone, lick whatsapp, and then it update itself... Anyone was able to find a fix, workaround for that ? I would love to not use it, but TONS of people around me use it for work...
-
jalb66
Shelter could be dangerous if you give admin permission
-
jfbourdeau
I was guessing that having 2 profiles was complicated, as on a PC: log in to the other profile to use this or that app, etc... But I should try... Do we do that in Settings, Accounts? Where? It's even more secure than Shelter, I think... Could install all my dangerous apps there instead of using Shelter
-
anupritaisno1[m]
> WHATSAPP QUESTION FOR YOU GUYS: Do some of you use Whatsapp? I use WhatsApp within the Shelter work profile, and when the phone is locked, whatsapp stops updating... I then need to unlock the phone, lick whatsapp, and then it updates itself... Was anyone able to find a fix or workaround for that? I would love to not use it, but TONS of people around me use it for work...
-
anupritaisno1[m]
"lick whatsapp"
-
jalb66
anupritaisno1[m], does Shelter have device admin permission for the work profile?
-
anupritaisno1[m]
Epic
-
hitchhooker[m]
using whatsapp in separate profile right now to not be able contacts and files, but it's kinda painful for ux
-
anupritaisno1[m]
Yes
-
jfbourdeau
tks anupritaisno1[m] and hitchhooker[m]
-
jalb66
anupritaisno1[m], and isn't it dangerous if the app is compromised?
-
jfbourdeau
Whatsapp with Shelter (isolated) is simple and cool... But it stops updating if not active
-
jfbourdeau
jalb66, "does shelter has device admin permission for the work profile": I will look, not sure where to look though LOL
-
jfbourdeau
So what they call work profile (it's all the apps that are dangerous, you put them there)... And those in the personal profile have more access (contacts, media, etc.), simple to use... Secure? I hope
-
jfbourdeau
ANDROID noobie question, PROFILE: jalb66, where do we create a 2nd profile? I can google it too, but as you're already talking about this... I would try to put Whatsapp there to see if it's convenient / easy to use... And easy to move from one profile to the other, and if we get notifications from apps in the other profile (surely not...)
-
jalb66
System- Advanced- Users
-
jfbourdeau
ok LOL Shame on me.... tks
-
jfbourdeau
jalb66, and the fastest / easiest way to move from one user to the other is?
-
jfbourdeau
ok I found it
-
jfbourdeau
forget it :-)
-
jfbourdeau
jalb66, most of the time, when do you use your 2nd user? When using dangerous apps or doing "special" stuff? So this profile does not access any of your personal info?
-
jalb66
Yes, in the place where notifications are 🙂
-
jfbourdeau
and last question (I can move from one user to the other easily now): how do we LOG OUT that user so it doesn't consume CPU, memory, etc., if we're not going to use it for a while?
-
fordude[m]
New grapheneos user here (last night) on Pixel 3 XL
-
jfbourdeau
fordude[m]: me too, Pixel 3a. I am a long-time iOS user and tried /e/ for 1 month on an old Moto E phone I bought, and now just bought a used Pixel 3a and installed GrapheneOS and love it
-
jfbourdeau
1-day-old GrapheneOS user and 1-month-old Android user LOL
-
fordude[m]
Any suggestions to get notifications in Slack? I have to unfortunately for work purposes.
-
fordude[m]
Nice jfbourdeau !
-
fordude[m]
So far liking GrapheneOS! Been android user for a long time
-
jfbourdeau
SHELTER or 2 profiles (question for experienced Graphene/Android users): I am new to Android and Graphene but an experienced IT consultant (not at the app level). Am I wasting my time using Shelter to put apps like Facebook, Whatsapp, Telegram and others in it? Or yes, it's worth using Shelter (better than nothing) so dangerous apps do not access all our personal info (contacts, phone logs, media, etc.)? I am sensitive to security but still need a "
-
jfbourdeau
functional phone LOL"... I am forced, for work, to use Whatsapp, Facebook, Messenger, Telegram, etc. So Shelter = "GOOD" or "BAD"?
-
jalb66
jfbourdeau, it consumes ram, the user is active, not possible to logout
-
dallemon[m]
<fordude[m] "Any suggestions to get notificat"> No, it only supports GCM/FCM for notifications
-
jfbourdeau
ok jalb66, I will continue with Shelter, unless someone tells me it's stupid / an illusion of security / isolation of malicious apps... Shelter is more convenient
-
jfbourdeau
dallemon[m], I am sensitive to / interested in the "notification topics". So the right working is: if an app uses GCM / FCM or microG (can we say that LOL?) then notifications won't work well?
-
jfbourdeau
I meant right "wording", dallemon[m]
-
jfbourdeau
I am a noobie, but experienced in IT, trying to learn fast and not bother all of you with noobie questions LOL
-
fordude[m]
Thanks dallemon! I may have to investigate some middleware for notifications.
-
dallemon[m]
Yes. Many applications have alternative implementations that work fine. But if they only have GCM/FCM then you won't get notifications. Some apps even refuse to work.
-
fordude[m]
So far slack works normal. Just no notifications.
-
jalb66
jfbourdeau, it doesn't consume much, it's ok to use another user
-
jfbourdeau
ok
-
jfbourdeau
dallemon[m], does GCM/FCM = microG? Or not: an app could run well without microG, and GCM/FCM does not need microG? (trying to learn)
-
jfbourdeau
I am asking that because it will influence which applications I install, so they work well and notifications work well
-
jalb66
Maybe you need another system: calyxos, and GrapheneOS is not what you were looking for
-
jfbourdeau
if my question is not clear: is GCM/FCM a "microG thing"?
-
jalb66
microg is like emulation of it
-
jalb66
Something to make those apps work, but if you use GrapheneOS maybe you shouldn't use apps with Google services
-
jfbourdeau
jalb66, I don't know if you were talking to me, but I do like Graphene... I tried /e/ e.foundation, which is cool, but I wanted to go further / more secure... Even if some apps would cause problems for me
-
jalb66
I mean that Grapheneos doesn't include Google services and you use apps with Google services
-
jalb66
So many of them will not work or they won't receive notifications
-
jalb66
GOS is secure but also avoids Google services
-
dallemon[m]
jfbourdeau: MicroG pretends to be Google Play Services, so that most apps that require GSF work without problems. MicroG is incompatible with GrapheneOS.
-
dallemon[m]
Many apps that use GSF work fine on GrapheneOS, just without notifications
-
jfbourdeau
ok I get it jalb66, but still, I will continue with Graphene for now... But so many choices... what are the pros and cons of calyxos.org? There are several choices (Graphene, LineageOS, /e/) LOL. I heard a lot of good about Graphene, one of the most secure, etc... So I went with Graphene
-
jfbourdeau
ok tks dallemon[m] (notifications)
-
jfbourdeau
sorry for my typos !! ( I'm french and typing too fast)
-
dallemon[m]
<jfbourdeau "sorry for my typos !! ( I'm fren"> Used to it here, many people do it on purpose to try and reduce tracking.
-
jalb66
GOS is more secure, Calyxos has verified boot and other features they share in common but it also uses microg, F-droid, etc: calyxos.org
-
jalb66
LineageOS and /e/ are not secure
-
jfbourdeau
jalb66, this is what I thought I learned / understood... Tks for confirming... So my choice is good: GOS (tks for the acronym!!)
-
jalb66
jfbourdeau, Gos is the best now 😉
-
jalb66
But maybe you must change your apps or IDN, sometimes I know it's difficult if you want more privacy but your friends don't care about it
-
jfbourdeau
the installation steps were even good for a noobie like me (unlock my bootloader, install, lock the bootloader back, etc.). If an iOS guy was able to do it, then GOS is not only for "nerds or programmers / coders"
-
jalb66
Yes, I'm no expert but I installed it without problems
-
jfbourdeau
yea... Some apps I am forced to keep but try to minimize the risks ( Shelter)....
-
jalb66
I was using a Nokia 7.1 disabling Google apps and only apps without Google before 🙂 And I was looking for a more secure OS, so I found GOS
-
jalb66
Nokia 7.1: android one
-
jfbourdeau
my first Android / /e/ experience was with /e/ on a Moto E 2nd generation XT1527, so slow LOL LOL, but I wanted to see if I liked Android... After 1 month, I was going crazy and bought a Pixel 3a. OMG it runs smoothly. I have some apps that lost some features with GOS but it's tolerable (example: my Tesla app) LOL
-
jalb66
Bought a Pixel 3a and installed it
-
jalb66
Going root and without verified boot is dangerous
-
jalb66
If you value security
-
jalb66
And more problems like updates, firmware updates, etc
-
jfbourdeau
oops, not sure I get it jalb66. I bought a used Pixel 3a, as it was listed as compatible and recommended by the GOS site, I followed the instructions and installed GOS... I am not secure??
-
jalb66
I'm more than happy with GOS 🙂
-
jalb66
Yes, of course you are, like me, I did the same
-
jalb66
I mean about LineageOS and /e/
-
jfbourdeau
ha ok... ok I agree and now understand.
-
jfbourdeau
ok tks all, will talk to you another day... need to work outside, now that my notifications work LOL. I learned a lot with you today and took some notes
-
jalb66
See you
-
nikoleos[m]
> my first Android / /e/ experience was with /e/ on a Moto E 2nd generation XT1527, so slow LOL LOL, but I wanted to see if I liked Android... After 1 month, I was going crazy and bought a Pixel 3a. OMG it runs smoothly. I have some apps that lost some features with GOS but it's tolerable (example: my Tesla app) LOL
-
nikoleos[m]
Very similar to , I started my degoogling with /e/ on a Redmi Note 5 Pro and a week ago bought a Pixel 3a for GrapheneOS
-
jfbourdeau
cool nikoleos[m] similar story ;-) (I'm from Canada)
-
jfbourdeau
jalb66, k9 notification / syncing stopped working LOL :-( If I find out why I will let you know. If I open it, it shows syncing disabled, for I don't know what reason
-
jfbourdeau
for now I am trying with Optimise OFF but it doesn't seem to be the problem
-
jalb66
jfbourdeau, you must check the options. Go to the options in your account and check if you have Notify synchronization enabled
-
jalb66
Inside the Notifications options
-
jalb66
But IDN all your other options in K9
-
jalb66
Sorry
-
jalb66
And also change the time you'll receive them
-
jalb66
I hope you have battery saver off
-
jalb66
And frequency of verification, mine is at 15 min
-
jalb66
Sorry, I must leave now, I'm working
-
packetup[m]
<dannyknoll "EteSync, Davx^5, DecSync"> I highly recommend EteSync
-
packetup[m]
You can self host if you wish.
-
TheJollyRoger-M
anupritaisno1: woah fingers crossed!! Thank you!
-
nikoleos[m]
Is it possible to enable VoLTE in GOS, and how? Because I can't find the proper setting
-
anupritaisno1[m]
"nikoleos" (matrix.to/#/@nikoleos:matrix.org): the setting probably isn't there
-
anupritaisno1[m]
Set to 4g only and make a call
-
anupritaisno1[m]
If the call goes through
-
anupritaisno1[m]
It works
-
DannyWorkOrderPr
hapssmak: If simulating the GServices is a hard requirement for you, probably want to check out CalyxOS
-
anupritaisno1[m]
"hapssmak" (matrix.to/#/@hapssmak:matrix.org): better as in? It already passes CTS so
-
anupritaisno1[m]
As for donations
-
anupritaisno1[m]
Donations are just being spent on the legal battle with James Donaldson
-
DannyWorkOrderPr
hapssmak: I'd also recommend making moves to get off of apps that don't run without Google Play Services, can't be great for your privacy.
-
hapssmak[m]
<DannyWorkOrderPr "hapssmak: If simulating the GSer"> Already looked a bit into it. Sadly it isn't as focused on security. Is it trustworthy?
-
anupritaisno1[m]
"Danny@WorkOrderPro" (matrix.to/#/@dannyknoll:matrix.org): but this is a security focus ROM?
-
hapssmak[m]
<anupritaisno1[m] "Donations are just being spent o"> That doesn't mean people should stop though. That would for sure kill the project, if he should pay everything himself
-
DannyWorkOrderPr
<anupritaisno1[m] ""Danny@WorkOrderPro" (ma"> It's both, if you choose your apps correctly.
-
anupritaisno1[m]
<hapssmak[m] "That doesn't mean people should "> That's definitely very true
-
hapssmak[m]
<DannyWorkOrderPr "hapssmak: I'd also recommend mak"> Sadly not a choice for everyone.
-
anupritaisno1[m]
I personally don't support microg
-
anupritaisno1[m]
But you do you bruh
-
hapssmak[m]
<anupritaisno1[m] "I personally don't support micro"> Why not?
-
anupritaisno1[m]
Nobody updates it anymore
-
anupritaisno1[m]
It's like it just works
-
anupritaisno1[m]
Building it is also getting increasingly difficult
-
cdesai
isn't that the best kind of software? ;)
-
DannyWorkOrderPr
<hapssmak[m] "Sadly not a choice for everyone."> Mind me asking your usecase? I like to keep a personal list of what apps are holding people hostage to the Goog.
-
anupritaisno1[m]
Not to add there are several breakages that unofficial forks by organizations like nogoolag are trying to fix
-
anupritaisno1[m]
But if upstream doesn't accept them
-
anupritaisno1[m]
It's all a fragmented mess if you ask me
-
anupritaisno1[m]
"hapssmak" (matrix.to/#/@hapssmak:matrix.org): well there's a way to get microgay and have comparable security to grapheneos
-
alzxjm[m]1
> Mind me asking your usecase? I like to keep a personal list of what apps are holding people hostage to the Goog.
-
alzxjm[m]1
I have a lot of bill credits on Google Fi, and I have a Pixel 4 XL so I'm kinda stuck on non-Graphene OS's for a bit.
-
alzxjm[m]1
Danny@WorkOrderPro: Pretty much just that. Android Auto is nice, too but not a deal-breaker.
-
aragorndr[m]
<DannyWorkOrderPr "Mind me asking your usecase? I l"> While I use GOS, I really miss my bank app. It was compatible with the major banks from my country. I could send people money through the phone number. I had discounts or free drinks if I paid with it
-
DannyWorkOrderPr
Not a perfect solution, but for these uses, I carry another device, and turn on/hotspot to it as needed.
-
defconanon12[m]
Is there any other ways someone could break out of guest mode other than restarting the phone?
-
nikoleos[m]
> If the call goes through
-
nikoleos[m]
sounds logical , i will try , thanks
-
cn3m[m]
<defconanon12[m] "Is there any other ways someone "> Could you explain what you mean?
-
defconanon12[m]
* cn3m: Multiple user feature. If I was say for an example didn't want my friend to see what I am doing on my phone and I wanted to show them Graphene OS. Is there a way they could break out of guest mode? The user guest.
-
radixed9[m]
no
-
radixed9[m]
You can even use screen pinning
-
defconanon12[m]
Well I have that enabled if they turn off my phone. If they were a more technically inclined user they could break the pin. I need to safeguard it more.
-
cn3m[m]
The Titan M will rate limit attempts
-
cn3m[m]
It would be much easier for your friends to hack you than that tbh
-
cn3m[m]
Hidden camera
-
defconanon12[m]
What is the limit? All I am seeing is 30 seconds time frame based on the screwed up attempts. Is there a certain point where it wipes the data from the phone?
-
TheJollyRoger
defconanon12[m]: I have something for you.
-
defconanon12[m]
TheJollyRoger: So do I actually.
-
TheJollyRoger
github.com/Peter-Easton/GrapheneOS-…en-incorrect-guesses-at-the-pincode This is what it will do. TLDR - even a 4-digit pincode on a Pixel 3 would take ~650 years to brute force.
-
TheJollyRoger
Assuming it's not something like your birthday, your high school graduation year, etc.
-
TheJollyRoger
And has been chosen with perfect randomness.
-
defconanon12[m]
Heh not a novice but I will read up on that.
-
dominusart[m]
Which is never the case
-
defconanon12[m]
Thanks.
-
TheJollyRoger
You could use some D&D dice to generate the password.
-
TheJollyRoger
*the pin code.
-
TheJollyRoger
or an EFF Diceware sheet.
-
TheJollyRoger
and some game dice.
-
dominusart[m]
That is an idea, but 4 digit pincodes are meh.
-
TheJollyRoger
GrapheneOS supports passwords of up to 64 characters in length.
-
TheJollyRoger
Which is great for me because I find it easier to memorize four words, rather than four nonsensical numbers.
-
dominusart[m]
Yeah, if you have the option to use a normal password, why would you use a pin?
-
defconanon12[m]
TheJollyRoger: You were talking about light bulbs and I think we should know about this if you haven't already.
-
TheJollyRoger
Simply put, Google took a very pragmatic attitude with this and realized that for many users, that's what they /expect/.
-
cn3m[m]
Pin is fast
-
TheJollyRoger
defconanon12[m]: yep!
-
TheJollyRoger
dominusart[m]: TLDR, Google realized that most users not only expect, but take for granted bombproof security out of a four digit pin code. The lengthening timer and the hardware bound key derivation function is their way of doing their best to protect users who expect that a short pincode will be enough.
-
TheJollyRoger
And bolstering the cryptographic strength of that four digit pincode.
-
TheJollyRoger
Because let's be honest, a majority of users aren't going to create EFF diceware passphrases for their phones, and it's entirely unrealistic to expect them to.
-
alzxjm[m]1
Related question: if you don't expect to be coerced by law enforcement, why is it generally recommended to avoid biometric authentication on Pixel phones?
-
TheJollyRoger
alzxjm[m]1: It's not. In fact, I suggest using the fingerprint reader because of the increasing prevalence of insecure "home surveillance" or "home security" cameras.
-
TheJollyRoger
Or people looking over your shoulder on the subway.
-
qyo3462572445[m]
Plus its easy to quickly enter "lockdown" mode to require passcode if needed.
-
DannyWorkOrderPr
<alzxjm[m]1 "Related question: if you don't e"> In certain jurisdictions, L.E. are legally allowed to use your biometrics to open your device for collection of evidence.
-
TheJollyRoger
Which I think is a FAR more realistic threat than someone using microfine fingerprint dust and a cyanoacrylate mister to lift your fingerprints off the glass you touched at last night's party.
-
DannyWorkOrderPr
But I like TheJollyRoger's train of thought
-
radixed9[m]
I use a PIN and have no shame in that
-
DannyWorkOrderPr
I've gotten into the habit of covering with one hand while entering my pattern
-
DannyWorkOrderPr
For shoulder-surfers and cameras of all kinds, sky, pole, and building-based
-
DannyWorkOrderPr
Paranoid? Sure. Effortless? Also sure.
-
TheJollyRoger
Let me put it this way: when you threat model, stop thinking about "the sexy" attacks involving superpowered ninjas from the Nebulous Secret Government Bio Tech Laboratory and start thinking about what's an attack that could be relevant right now, because it's those that'll be tried first.
-
TheJollyRoger
And it's those where people mess up.
-
dominusart[m]
There is no shame in that, it's just not the best option. Also the Google PIN thing someone mentioned above applies only to Google; my banking app has PIN as the only option and they sure as hell don't have the Google approach to it.
-
defconanon12[m]
Biometric can be great but don't rely on it. Just like with anything.
-
DannyWorkOrderPr
dominusart: Wait - your bank has PIN only, no password?
-
dominusart[m]
<DannyWorkOrderPr "dominusart: Wait - your bank has"> Mobile app, yes :)
-
defconanon12[m]
If you go the fingerprint route use a less common finger.
-
TheJollyRoger
This unfortunately's going to be the problem with your bank :(
-
dominusart[m]
Which is retarded if you ask me
-
DannyWorkOrderPr
<dominusart[m] "Mobile app, yes :)"> Ah, okay, so not the account itself, just opening the pre-auth'd app. Makes sense. There are still some non-western banks that use a 6 digit PIN as their entire password...
-
DannyWorkOrderPr
Was hoping someone here was not using one of those, lol
-
TheJollyRoger
The banks here where I am are pretty lackadaisical towards security.
-
defconanon12[m]
Don't use the mobile app unless the website is the same? dominusart
-
DannyWorkOrderPr
<dominusart[m] "Mobile app, yes :)"> Good news is, you still have to get into your device to get to that app, so
-
TheJollyRoger
For years, Royal Bank of Canada had its landing page in plaintext, without SSL.
-
dominusart[m]
Yeah, but it's still kind of meh.
-
TheJollyRoger
Then you'd have to click "Log in" to go to the login page, and the URL was so hugely long it was effectively un-memorizable.
-
defconanon12[m]
Banking mobile apps usually do.
-
dominusart[m]
<defconanon12[m] "Don't use the mobile app unless "> Website is actually pretty good, you have to authorise a device to even login to the web panel
-
TheJollyRoger
So it would've taken one BGP hijack to simply get everyone from the landing page to a phishing site.
-
TheJollyRoger
And they also didn't even have STARTTLS when they e-mailed you your banking receipt, so the last couple digits of your credit card and your entire account balances were essentially public on the Internet.
-
TheJollyRoger
Along with your real name.
-
TheJollyRoger
I'd like to give whoever thought that was good enough a stern lecture.
-
dominusart[m]
I don't think anyone thought it was a good idea, they just didn't give a shit.
-
DannyWorkOrderPr
<dominusart[m] "I don't think anyone thought it "> Their board probably did
-
DannyWorkOrderPr
Because their checks kept clearing
-
DannyWorkOrderPr
Which ties into the "Upton Sinclair" not giving a shit idea you mentioned lol
-
alzxjm[m]1
> I don't think anyone thought it was a good idea, they just didn't give a shit.
-
alzxjm[m]1
I think this statement explains most problems in the world.
-
defconanon12[m]
* That wouldn't be my preference. Banking on the go. It is convenient but that usually comes with more security threats. You don't want to leave yourself more vulnerable when you are out in the wild than you already are.
-
hapssmak[m]
<defconanon12[m] "That wouldn't be my prefer. Bank"> What do you mean by being vulnerable when out in the wild?
-
defconanon12[m]
hapssmak: Talking about when you are out and about in public. You are more at security risk.
-
hapssmak[m]
<defconanon12[m] "hapssmak: Talking about when you"> How so? Not sure which country you're from, but doesn't it suck to live in a world where you're paranoid of everyone always?
-
hapssmak[m]
You will never be happy that way.
-
hapssmak[m]
Not like there is any real increased risk in checking your bank on the go.
-
defconanon12[m]
My emotions are of no concern to you. Think of it like this. If you don't know how to protect yourself when hooking up to a public WiFi hotspot, simply don't do it. If you don't trust strangers around you, don't enter your password if one decides to glance over. This also depends on how well your area is monitored.
-
hapssmak[m]
You do you.
-
defconanon12[m]
Same to you. ^^
-
jfbourdeau
New user questions (APPS): What "photo / camera" software are most of you installing in GOS (Graphene), as the one provided misses some features compared to the default one provided in Android? I have a Pixel 3a. And what calendar app (agenda) are most of you adding to GOS, as the one provided does not allow scheduling appointments? tks!
-
jfbourdeau
sorry for TYPOS !!!
-
Kurai
jfbourdeau opencamera is a decent choice, the ui is not best unfortunately. not sure about the calendar, check etar or simple calendar
-
yofa6767
Tks Kurai. ( jfbourdeau on phone now )
-
Cyrinux[m]
"anupritaisno1" (matrix.to/#/@anupritaisno1:m.apex.to): what do you think about 'private lock'?
-
Cyrinux[m]
<plsbrespectfulgu "its built into tails and parrot."> You talk about scrambled exif android app?
-
nickcalyx[m]
I like the name eggspliff ! Could be an awesome name for a band.
-
TheJollyRoger
nickcalyx[m]: I hope if we have a band here in this channel we could start it simple with singing sea shanties.
-
TheJollyRoger
:p.
-
nickcalyx[m]
Arrrrgh what do you do with a drunken sailor, early in the morning
-
TheJollyRoger
~~Ban his account on the production server, ban his account on the production server, ban his account on the production server, early in the morning!~~
-
JTL
I remember this :D
-
TheJollyRoger
\o/