TheJollyRoger: it returns zeroed data to avoid breaking stuff

<strcat[m] "madaidan.: because apps (built i"> Sure but it doesn't seem like it'd be much effort to add it.

the effort is dealing with the fallout of stuff not working anymore

and there are a ton of things that need to be done

<TheJollyRoger "madaidan.: it's enabled because "> That's not what I'm talking about. I mean the apps preinstalled in GrapheneOS that are written with it in mind.

including upstream bugs causing pretty bad usability issues we need to resolve

and other kinds of problems

<strcat[m] "the effort is dealing with the f"> So allow it for the apps that need it. I doubt there are many.

madaidan.: someone has to go implement that

same with other features / improvements

Alright I don't know if this is a bug on Graphene's part or the app I am using. I have a password manager KeepassDX. My passwords aren't clearing automatically. Does the clipboard in Graphene OS have timeouts or is this just the app I am using?

Also, to clarify when the database is locked.

* Alright, I don't know if this is a bug on Graphene's part or the app I am using. I have a password manager KeepassDX. My passwords aren't clearing automatically. Does the clipboard in Graphene OS have timeouts or is this just the app I am using?

To fix this I have to manually go into the keyboard and clear all data.

apps can't access the clipboard when they aren't in the foreground

password managers are NOT supposed to use the clipboard

that is an incorrect, legacy implementation

password managers are supposed to use the API created for apps like password managers (autofill API)

* apps can't access the clipboard unless they are the currently focused app

this is not tied to GrapheneOS

this is tied to modern Android

GrapheneOS used to make changes to this but they became unnecessary

Oh that is what I meant thanks for clarifying.

you should use a password manager that can be set up as an autofill service

don't copy passwords to the clipboard as the way of doing passwords

it's a bad approach

I will look thanks for the advice. ^^ I always wondered about autofill. Huh.

<defconanon12[m] "Alright I don't know if this is "> You should be using the autofill feature, or the built in KeePassDX keyboard.

strcat[m] - Any recommendations for this? I use KeePassXC on Linux but don't know if KeePassDX for Android has a similiar feature

For OTP tokens it's fine to use the clipboard. But only for OTP tokens. Not passwords.

LynnStephenson[4 just saw your comment. So the KeePassDX keyboard has an autofill feature?

If you're using KeePass, or KeePassXC on desktop, make sure to use the auto-type feature. It'll help mitigate key loggers.

Can't believe I didn't know this...

I use KeePassXC Ctrl+Shift+V function

didn't know KeePassDX had its own keyboard that used similar

KeepassDX does have an autofill feature. BalooRJ

* If you're using KeePass, or KeePassXC on desktop, make sure to use the auto-type feature. It'll help mitigate key loggers and clipboard watchers.

Lynn Stephenson: doesn't really do anything since they'll just grab all the stuff from it since there's no application security model

on desktops

<BalooRJ "didn't know KeePassDX had its ow"> It has both a built-in keyboard that must be enabled, and an autofill feature.

defconanon12[m] Thanks, this is great to know. Here I was opening the app and copying every single time

Same here the more you know!

Are there any camera scanner app recommendations?

<thelearner[m] "Are there any camera scanner app"> Binary Eye.

Whats a camera scanner app

For qr codes?

Not for qr codes sorry, but rather PDFs, photos etc.

nickcalyx I'd assume so, plus Binary Eye supports more than QR Codes.

You'd probably want a printer, then.

I know of no such tool.

Lynn Stephenson (@lynn:spitetech.com): thanks for the suggestion. Use to use Camscanner app. Might just find something like that and just use in a different profile.

If anyone else might know, please let me know.

strcat: Is there anyway I can help contribute to the project as a non dev at the moment? I am already a beta tester. I heard about a campaign to fight misinformation provided by the adversary Copperhead.

talk to cn3m

Yep already did still waiting on a response in DMs.

strcat: Do you distribute builds the Auditor app outside of GrapheneOS only on the Google Play store? Not APKs or an F-Droid compatible repo?

thelearner: I've been using SimpleSanner from Aurora and it works just fine for what I need. It has an ad but adguard DNS has blocked it since I first set that up.

Arhu: they are part of the github releases

Indeed there's an APK there. Sorry for bothering you

<jcpicard32[m] "thelearner: I've been using Simp"> ClearScanner seems good.

jcpicard32: thanks. Will give it a try.

brenneke: thanks will try that also.

<strcat[m] "madaidan.: someone has to go imp"> I might work on it.

Anyone know of a good Thunderbird alternative for GrapheneOS or Android?

Does K9 Mail work for GMail accounts?

<BalooRJ "Does K9 Mail work for GMail acco"> Yes (last I tested), you have to disable third-party apps security thing in Google Account settings.

I see, that's what I'm doing wrong. Thank you!

strcat: The Auditor app correctly verifies Pixel 3 GrapheneOS and Pixel 4 XL Stock (Japanese versions) against each other. I've read somewhere the app development needs sample data. Is there anything useful I can send in?

<defconanon12[m] "Yep already did still waiting on"> Hey I have a huge backlog of work. I haven't forgotten you

cn3m: All good. Do what you gotta do first my guy.

Is anyone here good with minicom? I'm having a tad bit of trouble, I need to figure out testing of the newer debugging harnesses and I'm just wondering if I just managed to wire the entire batch incorrectly.

Or if Minicom is crapping out.

Oh no wonder. It keeps saying it's offline.

Alright, I need help, if anyone knows anything about minicom.

TheJollyRoger: make sure to unlock bootloader and use the command to enable it

JollyRoger: twitter.com/bcrypt/status/1275159687776702464

Okay! Currently "fastboot oem uart" reports "(bootloader) enabled OKAY [ 0.013s] Finished. Total Time..."... I'm wondering what I did wrong with minicom...

nickcalyx[m] checking now...

nickcalyx[m]: AHAHAHAHAHAHAHA

:D

Ooooooh baby XD. Apple courting a breakup with Intel, ohhhh boy :D

<TheJollyRoger "nickcalyx: AHAHAHAHAHAHAHA"> Okay

I'd find it even funnier if Apple ever decides to go back to PowerPC >:D.

Wait another 15 years :D

Ahahahaha maybe X3.

cn3m: Thanks buddy. It is all good. Not impatient just noticed.

TheJollyRoger: it's more than courting - they announced concrete plans to transition their entire line away from Intel within two years

Good. Intel can't die fast enough

Outside of the Apple ecosystem, ARM laptops are a viable alternative too already

The Snapdragon 8cx is competitive with Intel CPU's, although not the top of the line ones yet

It's too bad Google Pixelbooks still use Intel

Snapdragon based laptops are rare and Windows-only

Almost all ARM based Chrome(ium)OS devices are MediaTek

That will soon change I imagine

<defconanon12[m] "cn3m: Thanks buddy. It is all go"> I have to test hardened malloc with anu, I have to take care of a day's worth of moderation, and rewrite my guide I forgot to save when my phone died. Probably a day off

Has anybody tried flashing Graphene on Fedora 32/31?

And had no issues afterwards?

MediaTek security is terrible. Remember the root exploit they didn't patch and Google had to mitigate it? Arhu I hope everyone switches to Qualcomm

Hi furofuro_01[m], it should work just fine, provided you use the official Fastboot from Google and install your proper udev rules.

I've done it on 31.

<TheJollyRoger "Hi furofuro_01, it should work j"> Wdym udev rules? Can I read it on installation documentation?

The udev rules aren't included on the official documentation, but I can walk you through it, it's only four or so commands.

Fedora, like many other distros, uses udev for device management. I am not quite sure I understand udev, but udev more or less has a series of permissions that basically say "deny access unless this is whitelisted."

So you'll have to download the correct udev rules and add them to /etc/udev/rules.d/

The easiest way to do it is by running this command:

assuming you have `wget` and `sudo`:

wget raw.githubusercontent.com/M0Rf30/an…-udev-rules/master/51-android.rules && mv 51-android.rules /etc/udev/rules.d/51-android.rules && sudo udevadm control --reload-rules

sudo I definutely have one

wget not so sure

Whoops,

cn3m: Well I will be here when you are ready. ^^ Take your time.

wget raw.githubusercontent.com/M0Rf30/an…-udev-rules/master/51-android.rules && sudo mv 51-android.rules /etc/udev/rules.d/51-android.rules && sudo udevadm control --reload-rules

There you go, I was missing one sudo.

furofuro_01[m]: then `dnf install wget` should get you what you need. Fedora should come with it.

This is so you don't have to take the sledgehammer approach of simply running it all as root.

Thanks, will try a little later

Afterwards, I should more or less follow the documentation

If it doesn't work, I'll try on windows

* Thanks, will try a little later

Afterwards, I should more or less follow the documentation, right?

Yep. Follow the official documentation. That's a step that's specific to distros that use udev for device control and don't have the correct udev rules preinstalled.

Ok, thanks. Any battery prerequisite before flashing?

Will <30% do?

Well, your phone should be plugged in before you even think about it... but make sure it's not critical.

Ok, guess 24% should work. I want to try this on fedora first, since I'm already uses to it

Draining the battery completely can cause lithium batteries permanent damage, I heard, so I try to keep them near their comfort zone.

* Ok, guess 24% should work. I want to try this on fedora first, since I'm already used to it

Alright. What is the comfort zone though?

I think most lithium batteries tend to enjoy being at 60-70% full as much as possible, but I think nowadays it's generally better to let the device manage the battery life.

Just never let the batteries completely die. That I've been told repeatedly will dramatically shorten their effective working lifespan, it kills them.

<TheJollyRoger "Just never let the batteries com"> Alright ^^ thanks

For some reason, it doesnt update even though the patch is at Jan 1 2020

The batteries in most devices are designed to reserve a little charge past where they shut off to prevent overdischarge. Overcharge or discharge will greatly reduce capacity. Modern firmware manages this so the average person doesn't screw things up and carry a bomb around all day.

Also keep it cool. That's a big thing too.

batteryuniversity.com/learn/article…_to_prolong_lithium_based_batteries is a pretty good resource that's pretty easy to understand

I work with Li-ion cells for my Master's so this is something I actually know a thing or two about

My portable WiMax/LTE router has this option to charge it only to 70%, not matter how long you leave it plugged in, and the Playstation Vita has an option not to charge from USB, meaning you can connect it to your computer for data transfer without it starting a charge cycle. Sadly very few hardware makers implement these kind of features.

jcpicard32[m]: oh hey cool that's good to know!

cn3m: I believe MediaTek tried to get vendors to roll out mitigation patches, but most vendors didn't want to do it because they mostly use MediaTek for budget devices they don't care about supporting. Then MediaTek tried to get things fixed through Google

TheJollyRoger: It's been fun so far. I've done a lot of reading and design so I can hopefully test some stuff out when campus opens back up

There isn't an Android phone maker besides Google that does have good security

<Arhu "cn3m: I believe MediaTek tried t"> They patched it partially and late the patch failed

Samsung is probably the only one besides Google that has real Strongbox HSMs, but their phones come loaded with spyware

Doubt they implement it properly anyway

The real low bar is getting patches out

Samsung is real nasty, if you unlock your bootloader, they cripple your phone forever, even if you put back the official stock ROM

And unlocking your bootloader in the first place is only possible for certain regions

There's no good options for GrapheneOS support right now beside Pixels

Yeah, and that's a same because Pixels are crippled by design (low storage and no SD card because they want you to store your stuff on the Google cloud, no Displayport Alt mode)

And they're not available in many countries

I wonder if it would be possible to make a Pixel clone if Google finally open sources the Titan M - you could have a device with different screen size and battery, SD card support, but the same wifi chipset etc so that AOSP will run on it with minimal modification

Motorola is the most promising, but people would need to buy, test, and develop for devices. Even then might not meet all the requirements

In a word no

Moto could be solid. I've had a lot of issues with them in the past but it seems like I've just been unlucky. Still lacking the hardware features in any case. The updates were good though.

The latest devices Motorola lets you unlock the bootloader on are from February 2019

Typical behaviour of a Chinese owned company

Sony is way better with allowing that on more recent devices, and supporting AOSP for a long long time

No custom verified boot unfortunately

Damn

<Arhu "No custom verified boot unfortun"> Moto X4 would like to argue that point

I was talking about Sony

Whoops

Also they took a very unfortunate design direction imho with those ridiculously long and narrow phones

I think price wise pixels A are the best

The Moto X4 is from 2017

What company makes the pixel 3a? Anyone know... I know one of their flagships was HTC

Google owns HTC now no?

I believe they do

Still from all the manufacturers I have the highest hopes for Sony - maybe maybe if Google open sources the Titan M they'll implement it and release a goog candidate phone for GrapheneOS

Sony doesn't do enough for updates

cn3m: you mean not fast enough? They are providing Android 10 AOSP builds for phones from 2016

Just flashed GrapheneOS on windows ^^ thanks for the advise.

If you take forever to get the security patches it doesn't matter

cn3m: my phone lagged and wouldn't let me post earlier for some reason

cn3m: I was wanting to ask you why you have such faith in iOS/apple

Since I have both iOS and graphene I want to understand the pros and cons of each

Apple takes iOS security very seriously. Them wanting to keep total control over their platform and preventing jailbreaks gives them a very strong incentive to be on top of security. You could argue that their high level security is a side effect of them making sure they're the only ones that can sell apps for iOS

Does apple mine data or is it actually privacy focused

If I use VPN turn GPS and cloud off and what other permissions it asks, they respect that?

Apple mines less data than Google, although if you believe that they do what they are saying, Google's data mining can largely be turned off

And important consideration here is 3rd party apps

iOS is much better locked down than Android for 3rd party apps

Kinda off topic, but I've MITMd Apple software they do the best they can

Mitmd?

cn3m: how recently have you looked at macOS? Catalina sends a hash of everything you execute to Apple. Even bash or python script. There is no option to turn this off

interceptingfist: man in the middle

Arhu: that's a reasonable approach. Your OS knows what programs you have anyway when you check for updates. GrapheneOS with its own store would. That's the long term goal

It's not an issue

It is reasonable if you can opt out of it

Like Google Safe Browsing - it's a security feature that comes at the expense of privacy

You should not be forced into it

It's a false sense of privacy in the case of malware checking

It makes sense to not let root(or the human) to change this. Especially in a verified boot situation

It just makes no sense to fixate on this

What do you mean a false sense? If macOS doesn't send a hash of everything I execute to Apple, that does give me more privacy than Apple knowing that

Long term your OS will update all programs. That puts them in a position to see all your programs should they choose too. Should they have an opt out maybe?

It's a very minor privacy or security discussion that's very unclear if it's positive or negative

There are much more relevant topics

cn3m: thanks for your info

<Arhu "iOS is much better locked down t"> I agree

cn3m: if you trust first parties like Apple, Google, and Microsoft with your privacy and you think their telemetry is fine, why do you care about GrapheneOS?

I mainly disliked the price ios buts getting way more affordable now and I do feel like out of the box they are pretty private

interceptingfist: the new iPhone SE is a very budget friendly choice right now if you go by the amount of years you can likely use it while it's fully supported

<Arhu "cn3m: if you trust first parties"> GrapheneOS comes up clean on an MITM and it has very strong privacy. It also is built by one person/org.

I never said their telemetry is fine either

Apple can track with wifi scanning though

Graphene can't BC no google

Isnt that the main difference

Apple sending hashes of everything you execute is purely telemetry/data gathering. It just sends it to Apple, and if that fails, or it's a hash of known malware, it still executes

<interceptingfist "Graphene can't BC no google"> That's false. GrapheneOS could if they wanted

Being able to do something /= to doing it

<cn3m[m] "That's false. GrapheneOS could i"> So they disabled it by choice

Big difference is that you can verify the code by yourself that it doesn't ever do that

It really just sucks that these big companies just spy on us and make money

I'm grateful for graphene

There's 50 million lines of code in Android. Open source is not a panacea

MITMing might show you that it probably doesn't do anything bad at the moment you're looking at it

Neither is MITM by the way

<Arhu "MITMing might show you that it p"> You get a feel for the traffic and you'll see if anything stands out with regular monitoring

I think not letting 3rd party spps see hardware or communicate with other apps is most important

Other options where to install apps safely with fdroid repo?

Is github releases better?

cn3m: unless you're using a jailbroken device with custom root certificates, you don't know what's hiding in those encrypted packets

You can load a custom root cert

Without jailbreak

It's critical for enterprise

also there might be a very nasty backdoors / spying that are off by default but get triggered in certain conditions

<Arhu "also there might be a very nasty"> That applies to anything

At least they aren't like Purism shipping known backdoored devices

did you know that Apple support can at any time remotely login to your iPhone as long as it's connected to iCloud?

yeah, Purism is snake oil

<Arhu "did you know that Apple support "> You get a prompt

It seems you need to do some more research. I would recommend reading what Daniel has written about these companies on Reddit

<cn3m[m] "It seems you need to do some mor"> Ill try to find some, I'm quite curious

I did. And what you written. I don't share your confidence about these companies, or that nothing showing up by MITMing is reason to assume they are behaving

<cn3m[m] "At least they aren't like Purism"> Can you provide a link to read more about Purism backdoors? I didn’t know about this.

Jeff: Intel CPU's are riddled with bugs that need to be patched by microcode updates

by disabling the ME you disable that update mechanism

<Arhu "by disabling the ME you disable "> That's very important

Thanks, Arhu

Apple is a pretty good example to learn from security and privacy wise. They make smart choices. They genuinely put their users first when designing security and privacy even to the point they lose employees and users. They are sure not perfect, but they know more than most other big companies and open source communities.

At the end of the day GrapheneOS and Signal the only projects I fully support

<Arhu "by disabling the ME you disable "> That's a PureOS issue. That's what the issue is

Nothing is perfect in life

I share the concern that the Intel ME contains NSA exploits, but if disabling that means leaving a whole bunch of other holes open that are available to the NSA *and* thousands or random hackers, it is stupid to do so

*sigh*

Intel ME is not an ideal target for backdoors. It's also somewhat useful

You have to trust the hardware fully or not at all

You're trusting hardware and software vendors

cn3m: I'm always puzzled by this trust in Signal. At best they are the least of evils currently available. They have made so many privacy hostile choices. The latest is forcing storage of your contact list on their servers, and encouraging you to do that with a 4 digit code.

Always try to minimize the numbers of trusted parties

Arhu: Signal strikes a balance between usability and being competitive for the less technical and leading on technical security and privacy

It's important that these tools are accessible

Look at why Signal didn't choose to use F-Droid. They are methodical in their choices

System76 disabled it on their laptops

I agree, but an ability to opt out of remote contact storage would not make it any less usable for normies

<Arhu "cn3m: I'm always puzzled by this"> Forcing contact lists on their servers?

They have the new PIN system you can use. They are focusing on encrypted transfers like the iOS update

LynnStephenson: yes, recently Signal uploads your contacts to their servers. Encrypted, but there is no way to opt out of it

<cn3m[m] "Always try to minimize the numbe"> Android's diverse ecosystem has protected large portions of users by having different flavors and custom Android systems.

cn3m: "can" -> "have to"

<Arhu "LynnStephenson: yes, recently Si"> Wow. With a 4-digit PIN?

<LynnStephenson[4 "Android's diverse ecosystem has "> I'm saying on your device trust as few parties as you personally can

They default to a 4 digit PIN, but you can choose a proper long password

Lynn Stephenson: signal.org/blog/signal-pins

Check it out

it will ask you to input it from time to time to force you to remember it

<Arhu "it will ask you to input it from"> That's been around forever with the registration lock

Arhu: Lynn Stephenson here's a better write-up signal.org/blog/secure-value-recovery

Joshua wrote it

Was already there.

Seems OK, but honestly everyday It feels as if Signal is becoming more and more centralized.

Signal has almost always been centralized

Signal is very helpful to get younger people on and stay with it

They had a brief experiment with a federated network, but decided on full centralization 'because of the user experience'

That there is no option to use an anonymus random ID instead of a phone number is also a red flag

In many countries, you cannot get a phone number anonymously

That's being designed. It even works with the TextNow number

The goal is to make Signal accessible to people

I think they're finally rolling out a new identifier scheme at some point

That's good

About time

TextSecure in ye olde days

Yup :)

Well, I would have to review the design further, but it looks pretty good.

So it kind of makes sense they'd rely on the schemes when transitioning from TextSecure->Signal. Those days are long gone though, and this is long overdue imo

same schemes*

Signal is the only thing I can get people on

Tbh, Signal is amazing. Buttttt it can't suit everyone's needs, and that's kind of an issue ...

Specifically the crypto part.

What about the crypto?

It would help getting people on if it doesn't require a phone number anymore, not just for people like me that don't want to register with a phone number, but for people that want to communicate with people without exposing your phone number to them

If people learned how federated services worked, it would be a lot easier to make federated services.

<JTL "What about the crypto?"> The amazing part.

I just started using graphene a Werk ago and I miss the feature of disabling trackers in apps.. Do you guys know a better way besides maybe DNS?

Arhu: Assuming this rumoured new identification scheme works out I think that's another issue solved

We'll wait and see

<Alsatai[m] "I just started using graphene a "> It's impossible to fully disable them(I used to write them for work).

<LynnStephenson[4 "If people learned how federated "> And to increase adoption.

JTL: what kind of time frame are we talking about here for the rollout? Months?

I don't know

The contacts sync is a prereq

And Moxie and co are rather infamous for "Half-Life 3" types of schedules for new features

I'm sure they have their reasons

They are working on it actively

I'm aware

They are infamous for not wanting to listen to their users :)

<cn3m[m] "It's impossible to fully disable"> Take a look at com.merxury.blocker

<JTL "And Moxie and co are rather infa"> These cryptography features are no joke. They aren't going to risk their user base's security by shipping out beta, untested crap.

Of course not

<Arhu "They are infamous for not wantin"> It's more complicated than that and you know that

<cn3m[m] "It's impossible to fully disable"> With blocker I could decide which trackers and parts of the app to disable

<cn3m[m] "It's more complicated than that "> Well ... there has been a couple/few cases, that were definitely not well dealt with on their end.

But it's not as bad as people make it out to be, either.

Everything that some minor issues

LynnStephenson[4: I won't deny they had some "growing pains" (as I'd call them, in the past)

Signal and GrapheneOS are the ones have the least

Well, I understand their publicly stated motivations for not listening to their users, but I just don't agree with the sentiment behind it - for example refusing to release and APK for a long time and forcing people to use the Google Play Store

Anyway, better than Telegram "let's store chats on our servers in plain text by default, you can trust us"

It it weird how popular Telegram is with people that say they care about privacy and security, but are obviously not very knowledgeable about it

<Arhu "Well, I understand their publicl"> That's a very good call. F-Droid is a security nightmare

For a developer

<Arhu "Anyway, better than Telegram "le"> I'm pretty sure they are not stored in plain text 🤔

Alsatai: Normal Telegram chats are not E2EE

wait...

They are stored unencrypted or encrypted with a key that is not just only on your device

Did somebody say Signal has issues on GOS?

<furofuro_01[m] "Did somebody say Signal has issu"> No it doesn't

One update had a notification issue a few weeks ago that was fixed quickly

<Arhu "Alsatai: Normal Telegram chats a"> No, but that still doesn't mean they store the messages unencrypted

<cn3m[m] "That's a very good call. F-Droid"> How is F-Droid a security nightmare?

cn3m: Not saying they should have put in on F-Droid. They could have put in on their own server just like now. Earlier, and not begrudgingly because people were not taking their intentions seriously anymore

<Alsatai[m] "No, but that still doesn't mean "> Telegram's encryption is a meme.

<LynnStephenson[4 "How is F-Droid a security nightm"> It users v1 signing which doesn't verify everything leaving the possibility of another Janus and it centralizes signing

<cn3m[m] "It users v1 signing which doesn'"> Current stable release?

I'll look into it.

Oh thankfully

Alsatai: encrypted with keys that are on their servers too is as good as unencrypted

<Arhu "cn3m: Not saying they should hav"> They did it since people were sharing questionable builds

<LynnStephenson[4 "Current stable release?"> Yes it does it's on the server. It would use v2 signing

How insecure it is to use public phone number on signal

<furofuro_01[m] "How insecure it is to use public"> It's fine I do it

I want people to find me bc

That's the point

Alright thanks

furofuro_01: it's not in any way insecure, it's just not private

anyone you chat with will see that number

It's private ish

Welp, yeah...

So theoretically, anybody else cna use it if you dont refresh the pin weekly?

Signal has good anti metadata

no, they would have to have access to that number

<Arhu "anyone you chat with will see th"> Sure I don't care about that

> <@furofuro_01:matrix.org> Welp, yeah...

> So theoretically, anybody else cna use it if you dont refresh the pin weekly?

Oh you mean an actual public number

Yeah

Just use TextNow

Searching it en

if you register Signal with a prepaid SIM and that number gets recycled, the new owner of that number can register the number to his account, but will never be able to see your messages

* Searching it rn

At last, an alternative to Twilio?

The registration lock is only 7 days

How does a number gets recycled though?

I mean, if I refresh the lock weekly?

furofuro_01: depends on the provider

If you lose control of your phone number

and renounce ownership of it

most pre-paid SIM numbers get recycled after you don't top up for x months

true

does whatsapp block textnow?

Oh. I see...

Should I isolate textnow in another profile though?

Oh wait... It's open source nvm

No TextNow is not

they publish some libraries on gibhub but not their app

Oh

Welp. Another app to trust, I guess. Better than having a number recycled

of course, otherwise anyone could compile it without ads

^^ =.=

Ads... Adguard should block it right?

Or should I use nextDNS for it?

It recycles numbers if you don't text someone every month

Network blocking is not a robust privacy solution

It's privacy theater

Well...

I had to make so many compromises sadly

I kinda dont want my phone number to be linked if possible

Then run TextNow in your main profile so you can use your VPN

Alright. VPN only on main profile, right?

To minimize leaks?

Ideally

Or at least quite paranoid mode, dont use wifi, use ethernet, disconnect when changing profiles?

If one wants to use VPN on all profiles

Just use block connections without the VPN on in only one profile

Alright then. I'll try, though I want to use two accounts with VPN on Signal, or is it not necessary?

I meant, two Signal accounts. Is there any risk of having your ISP see the Signal traffic?

Assume ISP is adversary here

They can see you use Signal

That's it

At worst, they only see metadata about using it, right?

Yes

Thanks. Guess not much to worry provided nothing abnormal activity is being done.

I think you can have an always on VPN you just can't force the block setting

I just kinda don't trust corporates who provide internet here. They openly express their data collection and interest on big data.

You could have always on VPN without the blocking our

Iirc*

Ok. Will try that as well

Do try it though I never tested it

Loving this project tbh

Ethernet and phone-to-phone data transfer works well

Never had such usability that remained quite functional in another OS without Google.

furofuro_01 is the phone to phone data transfer as simple as plugging them together?

Yeah

Works on me using a charger of microUSB, then adaptor of USB 2.0 (big) female to USB C male

It's not a wire though, it's kinda like a flash drive with a female and male plug

Works out of the box

<furofuro_01[m] "Works on me using a charger of m"> I mean the connector (wire)

I plan on starting from scratch with another 3a with GOS and if I can transfer files between current and new that would be great

<cn3m[m] "The registration lock is only 7 "> What is 7 days lock? Explain

Signal

If I get a recycled number I still have to enter registration passcode

"Microsoft uses a whitelist policy. This means that initially, everything starts off on a blacklist, and a specific procedure is required to validate your email server."

wtf, so hostile

fkin microsoft email centralization enabler

and the recommended pathway to whitelisting is to pay returnpath.com a hefty sum

for their certification

wtf

so bullshit

Hopefully Apple cuts the price on ARM Macs and Microsoft dies

strcat[m]: you should check maybe auditor users on outlook dont get your emails

Half kidding

cn3m[m]: weren't you shilling for microsoft here earlier lol

email really sucks in terms of protocols and standards to follow

email would be 1000x times better without gmail or outlook dictating what's spam

and what's not

what outlook is doing is not standard

its blackmail

s/blackmail/extortion/

collusion with returnpath.com

anti-trust behaviour

right, email is bad enough with just the _open_ standards

now, outlook wants to eee email since they have a certian % marketshare

<travankor "cn3m: weren't you shilling for m"> Hrmm

he was just saying Windows actually has effective sandboxing and mitigation measures, as opposed to Linux

Linux desktops make for horribly insecure web browsers, especially because most distros come with Firefox as default

i should have added the /s

but fsck microsoft as a business

Nvm haha, public number with signal is a bad idea... Just tested it again

If the lock doesnt refresh weekly, basically you'll lose it within a week welp...

Registering through textnow isn't particularly pleasant

tried making an apple id and the email doesnt get sent at all

So is nobody here blocking any trackers in apps? I really miss this feature as I need to use some apps with inbuilt trackers

<Arhu "Linux desktops make for horribly"> Isn't Firefox with custom user.js way securer than using a browser with google code?

<Alsatai[m] "Isn't Firefox with custom user.j"> You talk about privacy or security?

> If the lock doesnt refresh weekly, basically you'll lose it within a week welp...

How to refresh it? It just asks for reg pin sometimes

dont think fs-check can fix microsoft as a business... travankor

<thelearner[m] "If anyone else might know, pleas"> adobe scan

<meltedcheddar[m] "You talk about privacy or securi"> I meant privacy.. Plus ublock etc

Wish I knew it myself tbh

<Alsatai[m] "Isn't Firefox with custom user.j"> No

One sad thing on GOS keyboard is no Japanese keyboard

<furofuro_01[m] "One sad thing on GOS keyboard is"> Complain to Google

Not sure if there's a way to contribute that code. Since GOS has network toggle anyways, guess I can use any 3rd party one with network block.

That's AOSP keyboard

<cn3m[m] "Complain to Google"> Yeah lel

<cn3m[m] "No"> How come?

Install Gboard. You'll get the best keyboard experience

Not too good privacy wise, but cant phone home if no internet though I guess?

Shall I grab last Gen Mac or shall I use Linux till Arm is out?

<Alsatai[m] "How come?"> Firefox is extremely bad

<furofuro_01[m] "Not too good privacy wise, but c"> You have to sacrifice something. You can disable all accesses though

MacOS will use ARM and run iOS apps. It's a privacy and security dream come true wait for that

<furofuro_01[m] "Not too good privacy wise, but c"> It can phone home through download manager

<cn3m[m] "MacOS will use ARM and run iOS a"> Whoa

cn3m[m]: not really sure if its a dream come true

<Alsatai[m] "It can phone home through downlo"> An internetless profile would do the purpose I guess

it just means more wall garden for macos

I can upgrade Mac to Arm when it's out though. Tired of Linux

Total wall garden

* An internetless profile would do the purpose I guess. As in never connect it to internet.

not sure also if they can pull off ARM for the pro series

<Arhu "Apple mines less data than Googl"> Apple's products have a high epsilon value "Based on those observations, Korolova says, the research team determined that MacOS's implementation of differential privacy uses an epsilon of 6, while iOS 10 has an epsilon of 14."

developers would be so unhappy if they need to cross-build using ARm

<cn3m[m] "Firefox is extremely bad "> Even with custom user.js? A lot of people in the nogoolag group in telegram swear on it and don't trust chrome based browsers

telegram users are a bit stupid already

not sure why anybody would use telegram

<furofuro_01[m] "An internetless profile would do"> This is not proven

<renlord "not sure also if they can pull o"> They predicted 2 years transition period

<joshman[m] "This is not proven"> Wdym?

<renlord "not sure why anybody would use t"> I use it because of the different groups.. Aurora store, development for phones etc

<renlord "not sure why anybody would use t"> Nothing is better for open group chats. Unfortunately

Anysoftkeyboard then?

joshman[m]: two years transition period before ARM becomes mainstream?

the next x86?

<furofuro_01[m] "Wdym?"> Can you show me logs Gboard ringin home through DL manager?

<joshman[m] "Can you show me logs Gboard ring"> I didn't say it though. I just quoted what they said.

<furofuro_01[m] "Anysoftkeyboard then?"> Sucks big-time. I use 4 languages simultaneously. Nothing is better than Gboard. Said to admit

finally, apple has full control over OS and SoC

it is a FU to hackintosh users

lol

<renlord "josh.man: two years transition p"> Correct

If you revoke the internet permission the download manager won't connect

<Arhu "Well, I understand their publicl"> just build your own

joshman[m]: irc is quite good for open group chats

and matrix

telegram is cancer

<renlord "finally, apple has full control "> So,

alright, thanks

So anyway my Main question somehow went under.. Is there any way to block trackers in apps that you guys use?

Irc is only good for people over 50. Gen pop won't use that UI from 1980s

irc is a protocol, you can wrap around it with very fancy UI

No one does though.

<renlord "not sure why anybody would use t"> In some authoritarian countries is used by political activists

"it is a FU to hackintosh users" hahahaha

<Alsatai[m] "So anyway my Main question someh"> No that's enumerating badness and a block bypass is easy

TG is invasive but fluid. Just like Google and Apple are

privacy_based_li: source?

<cn3m[m] "No that's enumerating badness an"> Even with apps like blocker? I used it disable parts of the app and it seemed to work

<joshman[m] "TG is invasive but fluid. Just l"> And you can use e2ee if you want.. Not in groups though

<travankor "privacy_based_lifeform: source?"> for?

the apple stuff? here wired.com/story/apple-differential-privacy-shortcomings

<Alsatai[m] "Even with apps like blocker? I u"> It's privacy theater

TG is being blocked in many oppressive regiment countries. Signal is free to use everywhere. That means something

privacy_based_li: thanks

<privacy_based_li "the apple stuff? here ww"> Don't use telemetry. Google does a good job with it though

cn3m: its not just telemetry

<travankor "privacy_based_lifeform: thanks"> 👍

ARM is damn fast. Apple did great job with that. Security side of things is unknown though

<cn3m[m] "It's privacy theater"> So you mean it doesn't really do anything?

<Alsatai[m] "So you mean it doesn't really do"> It's not enough to ensure privacy and gives you a false sense of privacy

joshman: Signal is blocked too in some places

China for sure

it's more than blocked

it's dangerous to have it on your phone, for example when crossing their borders

<cn3m[m] "It's not enough to ensure privac"> But isn't it better than not blocking it at all?

<Alsatai[m] "But isn't it better than not blo"> No it makes you comfortable so you overshare

It's psychology no one is immune

You need real privacy measures

cdesai: what makes you say that? China is not in the habit of checking phones and laptops when crossing the border, unlike the US

I suppose all bets are off if you're a Hong Kong activist

<cn3m[m] "No it makes you comfortable so y"> So whats the best to do when having to use apps with trackers? Just using them anyway?

<Alsatai[m] "So whats the best to do when hav"> Not using them in a way that you feel you need privacy

Arhu: something I've heard, don't want to say more.

<cn3m[m] "Don't use telemetry. Google does"> oh well, google's epsilon is 2

cdesai: how do they determine what apps you have?

even if you are not parnoid, i think you should use a burner phone for travelling to these suspicious countries

@cdesai: not denying that they they sometimes do it, but people are always bashing China while giving the Western countries a free pass. In this case, demanding access to phone or laptop at the border of people that are not charged with breaking the law, is something the US does way more than China.

Arhu: yeah agreed, I'm not saying they're the only ones doing it at all

travankor: they can ask you to just unlock so burner makes sense

Phone, laptop too

<cn3m[m] "Firefox is extremely bad "> privacytools.io/browsers they also say to use Firefox and adjust settings

Quantitative differences are important too. China restricts freedom of speech way more that most Western countries, but strictly speaking most Western countries don't have freedom of speech either. The chances of getting prosecuted for it are just way less, but not zero. In the case of inspecting laptops and phones at the border, the US is way worse than China

<Alsatai[m] "privacytools.io/brow"> So?

imho unGoogled-Chromium is the best choice for a secure and private desktop browser

*of the normal browsers, not considering tor

Tor is a joke security wise. Privacy that's a different story

<cn3m[m] "So? "> How come they would recommend an extremely bad browser

Or would you say privacy is okay but it's not secure?

It's bad at both

I'd highly recommend you read all of madaidans-insecurities.github.io

By default, Firefox sends your every move to Mozilla, but with a custom user.js, it's reasonably good privacy wise - that however does not mean security wise - and in the end, if something is insecure, it's also not private for bad actors

chrome's security is better compared to firefox

however privacy ...

that's why I'm saying Ungoogled-Chromium

<privacy_based_li "however privacy ..."> There's no however

yeah

Iridium and Brave are too far behind on mainline Chrome

why dosent tor use chrome?

Chromium wasn't around when they started

well they can make a switch now?

They don't have unlimited manpower

yeah, well, always the case

<cn3m[m] "I'd highly recommend you read al"> interesting

why does he use telegram tho

Testing testing 123

I gave up ;n trying to get my mail server to work with Microsoft stuff. They blacklisted Amazon EC2 IPs and now I can't mail to outlook.com or hotmail.com. they toldvme they wouldn't whitelist me at all, so now I can't send mail to them. DGAF anymore.

Telegram isn't good as a private messenger, but it has its uses for insecure / group chat

IRC is far from secure too, but here we are

yeah but he was recommending users to switch to signal, should have put his signal contact to encourage them

also about

> This is all it takes to get your sudo password:

in his madaidans-insecurities.github.io/linux.html

what about shadow passwords?

it is phishing, that example gets the password from user input

oh okay, sorry i just read the code😅

i was just skimming through and i thought it was trying to fetch it from the storage

There's so many ways to get the root password on Linux

yeah

i have basically no social life so i have no sensitive things to store😂

<Arhu "it is phishing, that example get"> It's not the same as it's undetectable and it's not the only method. You're ignoring the many other keylogging examples listed there.

just use a pc to transfer some photos to the hard disk, that also is rare

other than that just programming and playing around with system

i break my system way too often

oh BTW, i finished updating my new pc's bios ad cloning windows to ext hdd

i wanna ask you guys what's your build setup

You're asking what kind of desktop setups we use?

i meant os

i was planning to go with arch

I've seen people here mention they use Windows 10, Qubes with Whonix guest, macOS

i dont want resource heavy systems

If you just want to use a plain Linux that's up to date, Arch seems a reasonable choice

Whonix Kicksecure if you want a more privacy focussed distro

Or Artix if you want something like Arch without systemd

TempleOS

as light as possible so it can commit most resources to the build

i bought it strictly for development

TempleOS has a good track record - no remote holes *ever*, take that OpenBSD

it wont be connected to internet often, only for git sync and some trusted online forms for help

<Arhu "TempleOS has a good track record"> hows the performance

That was a joke, TempleOS isn't useable

i tried fedora workstation caz i read somewhere linus uses it, so i thought lets give it a shot

but it was noticeably slower

<Arhu "That was a joke, TempleOS isn't "> oh ohkay

what does Daniel use?

Plan9

seems nice, I'll dual boot it and arch

but seriously? it seems old

privacy_based_lifeform: it's a meme. Use Windows 10

🤦‍♂️

i dont really use gui, and windows cli is not nice

linux might not be as secure but its really powerful compared to windows

correct me if im wrong

<privacy_based_li "i dont really use gui, and windo"> Windows has WSL 2 now

> uses virtualization technology and a Linux kernel to enable its new features.

so why not just use linux directly, more efficient

windows really gets on the nerves often

privacy_based_li, Arhu I saw you were having a discussion about secure messaging; I liked DeltaCHat ( Messaging App look but using PGP email under the hood), retroshare.cc (based on TOR... Chat, forum, email, peer to peer/ onion network), briarproject.org are all cool.

Anyone checked out getsession.org ?

Retroshare is terrible btw

I used Retroshare once and it was okay but it turned for the worst.

the0: So Session is a fork of Signal? Is it still a battery hog like Signal is or did the devs of Session eliminate that?

Session wrote an article that made my eyes bleed

I'm from adtech I known permissions when I see them

Session wrote the most bullshit article on permissions to make it look good

I lost a lot of respect for them

So it is all privacy and security theater from there is what you are saying cn3m?

* So it is all privacy and security theater from there is what you are saying cn3m? cn3m

* So it is all privacy and security theater from there is what you are saying cn3m ?

<defconanon12[m] "So it is all privacy and securit"> They have dishonest adverting and they have a white paper that makes it sound like they do things they don't

Does anyone know what to do after building the default build target with `m`? Is there a flash script or am I supposed to copy the `out/target/flame` and run the flash commands line by line for each `.img` file? I've successfully built the development branch for Pixel 4 but I can't generate a regular release since my build server ran out of space.

Email / PGP are a terrible foundation to build an messaging app on

Briar and Tox depend on the clients always being connected, otherwise they can't exchange messages

cn3m: You know what is funny they don't want you to verify it is truly secure on the user end and network end. They only want an independent 3rd party to do that.

<Arhu "Email / PGP are a terrible found"> Session isn't using either

That makes them unsuitable for iOS and probably are battery drains on Android

Both Briar and Tox are really nice from what I heard. In the past I used to use Keybase and those are better. I read through Keybase and personally I don't trust it myself.

Signal is still the best

Signal is the best just a battery hog. It is good to get into a habit of having it shut down when you are connected to WiFi with Airplane Mode on.

I used Signal in the past and I still love what the devs do.

Is Signal more of a battery hog than Briar and Tox? You would expect it to be better on the battery because it is centralized

From what I have seen it has drained my battery when I had it running in the background. By quite a good margin too.

Signal is my #1 go to app. No battery drain noticed. Ever

Not sure why it is draining mine down.

Sessions and Jami are heavy because of the decentralized structure

Riotx is just about 3x more battery drain than Signal

Imho the ideal messaging app would connect to a server of a federated network

Kind of like XMPP but without the suck

I need to test Riotx cause I really have not seen a battery problem. josh.man

* I need to test RiotX cause I really have not seen a battery problem. josh.man

Hi , is volte activate in grapheneOS with LTE (recommend) or LTE only ? voLTE is not working for me maybe it is provider related because in *#*#4636#*#* on the dialer it says that IMS is not registred , but they tell to activate voLTE in setting but i can't find it in grapheneOS settings. Thanks alreay

<joshman[m] "Riotx is just about 3x more batt"> Did you check if the battery optimization is turned on?

cn3m: What's that article of Session that made your eyes bleed?

<Arhu "cn3m: What's that article of Ses"> The comparison

nikoleos: From my experience VoLTE works only when the setting is LTE (Recommended). When it was on LTE only I couldn't text or call. Nothing was going through or coming back to me.

<defconanon12[m] "nikoleos: From my experience VoL"> Same

I believe voltle isnt supported yet

LTE only mode needs some more dev work cause it can't function without the bloatware carrier apps.

the0[m], why you are saying " Retroshare is terrible btw " ? I use it a lot without any problems.

jfbourdeau: Am I wrong that it went downhill?

blacklight447: It goes in and out from what I have seen. LTE needs to have fallbacks to function properly on Graphene OS. If it has no fallbacks it doesn't work at all. One of the fallbacks being 4G then sometimes going lower depending on where you are at.

defconanon12[m], For me it's still running well. Very cool tool.

Alright I might have misjudged. I have to look into it again. I always see Retroahare floating around. Thanks for letting me know. jfbourdeau

* Alright I might have misjudged. I have to look into it again. I always see Retroshare floating around. Thanks for letting me know. jfbourdeau

defconanon12[m], download the AppImage if you're Linux, else the Windows version. once you'll linked to a lot of people/node, you'll access a lot of content / cool. I used the " hiddend withTOR " mode. (2nd one)

take care

Nice to know! One more thing I dealt with a media playback issue. I can't recreate it so it must be rare. I don't know if this is on Graphene's part or hardware with my headphones. So I connected my Bluetooth headphones and I could hear the right side more than I could hear the left. When I repaired everything worked fine. Minor issue.

anupritaisno1

defconanon12: interesting

anupritaisno1: Now I will say that you aren't taking advantage of the hardware when you have the Disable Bluetooth AD2P hardware offload toggled on. Cause it is essentially not using the main CPU.

Therefore, you have a lot more audio restriction. You can hear it more if you have headphones wired or wireless.

This video is relatively new as in the year but this is where I learned Bluetooth AD2P hardware offload toggled on.

If you want to go to directly to where he talks about it 5:25.

you shouldn't need to set that opetion any more. I think it was fixed

overheadscallop: I had it set at first but disabled it thankfully.

Honestly, it reminded me of my days having a cheap China phone that didn't care about the audio output quality. When I did have it enabled.

* Honestly, it reminded me of my days having a cheap Chinese phone that didn't care about the audio output quality. When I did have it enabled.

Techlore is a great advocate of Graphene OS though and his channel is great. Has a good message too. Has a small user base but he gets the word out no matter what.

jfbourdeau: You should fuzz it

it's not secure software

tks the0[m] I appreciate. Sometime we don't like some software (I just told my sister in law to not use MIcrosoft Edge) but it's more an opinion than a FACT. How do you know it's not a secure software, if the code is open source, thousands of people have been using it for years etc etc ? Are your a programmer / coder ? Your opinion is much appreciated... Just trying to know if it's a FACT or " opinion / Guess" LOL tks for your time

I'm a researcher, I make more money the less secure your phones are

Microsoft Edge is definitely the best browser for Windows

the0[m], my logic is : 1) if something is opensource 2) been there for several years 3) used but thousands and more or people there are good chances that it's way safer than non open source product

I can't say too much without giving away bugs, but, retroshare falls over if you write a fuzzer for the protocol

So that's sort of true, but take VMware vs Virtualbox

Virtualbox is a train wreck, VMware is quite well written

it's not about the length of time or even community, it's about the code quality

You are too kind to VirtualBox

It's truly awful

the0[m], my english is not perfect, what does this mean " retroshare falls over if you write a fuzzer for the protocol " ?

From code to management

He's saying a fuzzer would find security bugs

So typically speaking when you're auditing a software for vulns, you can read the code and find bugs, or you can write a fuzzer, which throws 'intelligent' random data at it and sees how it falls over

I can pop anyone on Retroshare right now, including latest win10 w/ ASLR defeat

so the0[m] you seem to know things I don't know about retroshare. So if I only use it to access some files, movies, over TOR, are your saying I put my station at risk ? I use the AppImage on my linux station (Debian)

Yes

AppImage will be 'sandboxed' quote un quote

Debian ew

tks cn3m[m]

Looks like fantastic code

Crashing due to image parsing

tks

Hello Good Folks. New here. Has anyone successfully and happily flashed GrapheneOS on a Google Pixel 2XL?

Yes pretty easy

defconanon12 i think my carrier rely on OS settings and not an app

blacklight447: if what you say is right then it's a little bit sad

cn3m: Hi there. Have you installed GrapheneOS on your mobile?

Yes I'm using it right now

Oh nice.

How do you like it?

What do you like / dislike most?

How long have you been using GrapheneOS?

It's really out of the way

It's not really anything you notice

I hope you don't mind me asking all these questions.

<BeingFrey[m] "What do you like / dislike most?"> There's really only two downsides, and I don't consider them downsides: lack of "virtue signaling" privacy-theater options/themeing shit, and no Play Store

I just found calyxos but somehow there isn't much on it online.. Do you guys know it?

cn3m: You aren't able to use the AuroraStore?

Or F-Droid?

@JollyRoger:matrix.org: riotx bugged out on me and I can't reply to your encrypted chat any more

Please start a new encrypted chat with me for future messages

<BeingFrey[m] "cn3m: You aren't able to use the"> Yes you aee

* Yes you are

How long have you been using it for?

..GrapheneOS that is.

BTW who had that volte issue?

I think we're just missing a couple symlinks in a few places

cn3m: And you say converting is easy?

Or maybe just missing a few package declarations

BeingFrey: you can use both

And yes

BeingFrey: never is

Installing grapheneos is a commitment in itself in the first place

anupritaisno1: Never is what?

You are installing something you haven't used before

How do you mean a commitment?

There will be things that need getting used to BeingFrey

anupritaisno1: Of course, I'd expect that. What might some of those things be?

For instance most of your apps that rely on gms won't work at all

anupritaisno1: I've successfully escaped Windows OS with Linux and now working to escape Google too.

BeingFrey: depends on your use case

anupritaisno1: Not a mobile gamer. I'd say mostly notes, Audible, banking, Riot.IM, Signal, Bitwarden.

BeingFrey: then you shouldn't have much of an issue

anupritaisno1: Nice. And you use GrapheneOS?

Not yet

But definitely will soon

anupritaisno1: Did you see my response to the pm yesterday?

BeingFrey: instead of thinking so much

anupritaisno1: Understood. Just searching for the best flash OS experience for my Pixel 2XL.

Just install it

overheadscallop: there should be a build available

BeingFrey: just use one of the supported operating systems to install from and be sure to use the official fastboot from Google. Other "minimal" or third party fastboot versions are likely to leave you with a device that will give you the "No OS found" error.

BeingFrey: Just install it. Follow the guide at grapheneos.org/install

anupritaisno1: I checked the channel backlog and there's no new release zip?

If you run into trouble we can help walk you through it

overheadscallop: okay I'll do a build the moment my friend decides to leave the build server alone

Sweet! 😃

Thank you so much!

BeingFrey: because the phone verifies the signatures on the device itself and there are multiple levels of signature verification and attestation once the bootloader is locked, the installing computer does not need to be more trustworthy than your phone.

JollyRoger: it does

anupritaisno1: I already built it, but don't have space to generate a normal release zip. Do I just flash the images in the `out/target/flame/` folder?

I'm new to this and just want to get it right.

anupritaisno1: sure a malicious computer could sign a counterfeit install but the auditor will catch it.

I appreciate your guidance.

How can I use Chromium with data sync? I don't want to use a Google account with it

just note that the initial attestation is not nearly as strong as paired attestations

JollyRoger: no need to rely on the auditor

The bootloader will read the custom key while booting

Just match that key

anupritaisno1: it doesn't output a long enough ID

And you're good

for that to be a security feature

except on certain devices where I reported it and got them to change it

like the original Pixels IIRC

Any good how-to videos, demonstrating and explaining?

strcat (@strcat:matrix.org): but doesn't the avalanche effect apply?

Changing 1 bit is enough to change the entire fingerprint

anupritaisno1: the issue is the fingerprint output is too small

that's it

a 32-bit fingerprint doesn't offer any security

that's not a security feature - it's not meant to be one atm

<anupritaisno1[m] "BTW who had that volte issue?"> What was the issue? I've had that turned off for a while, I know it's safe from basically everything besides DOS attacks, just...gives me a weird vibe.

there is no value in checking it

Will need to see this firsthand to understand what you mean

anupritaisno1: it is a 32-bit truncation of the hash

it has no security value

it is not a security feature and is not usable for security

it wasn't intended to be a security feature as currently designed

making a collision with a 32-bit truncation of sha256 is not hard

Okay

attestation uses the full fingerprint

Thanks folks! 😄

BeingFrey: I strongly recommend following grapheneos.org/install and ignoring any videos

BeingFrey: someone making a video is probably not an expert, it was not reviewed or signed off on by the project and it will be out-of-date

strcat: Understood. Will review this information today. Thank you! =)

a video can't just be trivially edited each time there are updates to the process / improvements

and mistakes can't be easily correctly

without redoing it

and people don't do that

strcat: Do you use GrapheneOS?

so there are no official install videos and probably won't ever be any unless they are carefully made according to our instructions

BeingFrey: He's the developer

which would include splitting up the video into 12 different segments and REDOING them every time anything is change

* which would include splitting up the video into 12 different segments and REDOING them every time anything is changed

BeingFrey: he does

jcpicard32: Oh, no kidding?! 😁

Even better!

LOL

strcat: not to mention a video can't even be a definitive guide

Who knows what kind of errors users will hit

Just read through the guide at least once (ideally twice) in its entirety before you start. It's not too bad but there are a couple little things that people miss sometimes

the only way to use video would be making a video for each section in the install guide

and any time the install guide is changed the video would be removed until it is remade

JollyRoger has walked many people through since I joined. I can also probably help if you have issues

I have a hard time seeing how it could actually help much though

also would need one for each supported OS?

Understood. I'm using Ubuntu 16.04 currently and noticed it mentioned using the most recent OS version, such as Ubuntu 20.04. Will this be an issue?

too much

BeingFrey: might be an issue

we only officially support the most recent release

Good to know. I was thinking of upgrading anyway.

😋

strcat: these are just annoying demands by users really

I bet if we post grapheneos on XDA people will ask for screenshots

How's that?

Like what the hell? It looks like android

LOLOL

Hilarious!

Isn't it normal to have screenshots

People want to see what they get, it's only natural

<anupritaisno1[m] "Like what the hell? It looks lik"> Yes but some people assume it might look different

@Icy-Sprite ;^): I mean if you shot your phone after installing grapheneos we'd like to hear why

ahahaha

(Sarcasm)

BeingFrey: that's really disservice to the user

What is?

You can slap on a wallpaper, install some random icon packs and launchers

There you've created an experience no user will really ever experience

<anupritaisno1[m] "@Icy-Sprite ;^): I mean if you s"> lmao

Does it matter which mobile provider I'm with?

BeingFrey: screenshots

Same goes for updates

Understood

Even if we are doing automated updates

We need to make sure users do take some initiative in applying those themselves

I purchased my Pixel 2XL from Verizon.

The same also goes for videos

Does that matter?

About installation

You can't run GraphneOS

Yes

Me?

Yes

Verizon phones are locked down

The fact that there's a fastboot image for the Verizon tells me the bootloader is unlockable

Awwww damn.

Unless I'm wrong

Well damn...

So no real alternative options in this case huh?

I may have that elsewhere.. just wasn't sure. That's why I asked.

@Jollyroger

Please start a new chat

Riotx bugged out

I can't reply to that one

So I need to buy an unlocked phone then to install GrapheneOS and that would still work with Verizon?

Or even read what you're sending

BeingFrey: yes, don't buy a Verizon phone

Okay, understood. VERY good to know.

Any recommend places to purchase an unlocked phone?

*recommended

How often do you recommend rebooting a phone running grapheneOS?

strcat: oneplus got this thing where you could pay off your device and get an unlock token from Verizon

anupritaisno1: roger. One moment...

Nothing like that for pixel?

j3ghprjfo: never? Unless the updater asks for an update

there are generally 2 updates a month and ofc you should reboot ASAP after getting the update

Eventually, once I successfully convert, I'd like to convert mobiles and flip for a profit.

Set people free!

if you're really paranoid you could reboot before doing something sensitive to take advantage of verified boot making it hard for an attacker to persist after a compromise with privileges

use the auditor app

too

Ok I was just going to ask about being compromised and whether or not a reboot would help

set up remote verification with attestation.app and you can also check it manually (ideally both before and after a reboot if you want to be super paranoid)

* set up remote verification with attestation.app and you can also check it using local verification (ideally both before and after a reboot if you want to be super paranoid)

Perfect thanks. I'll set that up

Many thanks everyone! I appreciate your guidance and insight 😁

How can I sync Chromium data without Google account ,

anupritaisno1: Amazon is one of the places. You have to make sure you are buying directly from Amazon though and no third party company using the platform. For unlocked phones.

There is a few different places but it all depends on your location. Unlocked phones are preferred. You can always buy it directly from the company. If you choose to go that route.

I can tell you I got one secondhand unlocked it through said carrier put my own carrier on there flashed Graphene OS. Haven't had an issue. That is my personal user experience.

strcat I have a device that is not listed on the supported devices for the attestation app. How can I help to get it on there?

submit a sample and then start contributing to Auditor development

atm there isn't a developer working on Auditor regularly so there is no one to go through the submitted samples and add support for each device

there won't be any progress on that until there's a developer actively working on it

Is Graphene being developed only by Daniel Micay?

no

I used to think that after copperhead went down Graphene became a thing

but was solo

strcat: What if I have a device that didn't work properly with the Auditor app and it is in the supported list? Like it didn't work as a good Auditor?

don't know what you mean

the supported list is for Auditees

any device can be used as an Auditor

some have screwed up camera implementations and the code doesn't currently use a modern library for working around those

there are not any requirements aside from the OS version and having a working camera implementation for the Auditor side

strcat: That is what I mean screwed up camera implementations.

use a device without a screwed up camera implementation

What would you advise?

nearly any android device?

I don't understand where this question is coming from

@Icy-Sprite ;^): GrapheneOS is the continuation of the open source project, look at the repos

@Icy-Sprite ;^): github.com/GrapheneOS/platform_manifest/network/members

@Icy-Sprite ;^): github.com/CopperheadOS-Tab-S as an example of a fork of GrapheneOS in 2016

and if you look in the forked repositories you can see that the project it was forked from has all the commits made by me and attributed to me (author / owner of the code) using my personal email address

can look through the other forks too

github.com/spacekitteh/platform_manifest here's a fork from 2017

strcat

oops forget about this message

<BeingFrey[m] "Eventually, once I successfully "> Make sure you know enough to keep your entire toolchain as secure as possible. It's defeating the purpose if you're just one place to be compromised to compromise hundreds of others.

<BeingFrey[m] "Any recommend places to purchase"> I've been recommending Swappa.com

Danny@WorkOrderPro: Hi there.. Sorry, I had stepped away from my machine.

Sweet.. I'll check it out. Thanks for sharing! 😄

You're referring to software security, correct?

No doubt. Spread The Good News™︎, project always looking for more devs, public praise, and donations.

Nice. I sure know how to spread good news and sing praises from rooftops alright!

<BeingFrey[m] "You're referring to software sec"> Hardware security, software security, the whole stack

Hmm.. I definitely need to do my homework, but am eager to move this project forward.

Danny@WorkOrderPro: Thanks for the Swappa.com suggestion. Are you using GrapheneOS?

How to I know if my GOS installation updates itself properly ( I come from IOS and as for Android, am use to obvious Android Store notification). SO with Graphene, 1) it will update itself ? 2) I don't have to install the latest version over the one I have ?

as for the apps, I know f-froid and aurrora will offer me Apps updates

Excellent question.

<BeingFrey[m] "Danny@WorkOrderPro: Thanks for t"> With multiple devices

How long have you been using it?

Can't recommend it enough. If you're looking for social proof, you came to the right place, lol, lots of users here.

jfbourdeau: See grapheneos.org/usage#updates

NICE!

When you have an installation it will use delta updates to download only what is necessary in the background

jfbourdeau: BeingFrey OTA updates not unlike most other OSes

I'm very excited.

And then tell you when it's done so you can reboot

OTA?

Over the air

<BeingFrey[m] "How long have you been using it?"> Since the beginning of the year. I was a user of the project back when it was tied up with a company before this, and then became a pure FOSS project again after some controversies of the political and security flavor.

You don't have to plug into a computer to update

Nice.

See GrapheneOS.org pages for more history on this.

tls to all !

Interesting..

Any recommended quality unlocked mobile phone that will be best with GOS?

BeingFrey: The most popular recommendation is the Pixel 3a because it's affordable, runs well and has just under two years of guaranteed updates left

But any of the devices at grapheneos.org/faq#supported-devices work well

Just note that the 2 series support will likely end this fall

Wonderful. I'll start searching for an unlocked Pixel 3a immediately.

Perfect!

Pixel 4 is also being worked on, but may not be ready for someitme

I'm bookmarking ALL of these site recommendations! THANKS A MILLION!

No problem. The whole project has very good documentation on the site. I'd highly recommend reading through the whole thing when you have the time

<BeingFrey[m] "I'm bookmarking ALL of these sit"> Just go to top level GrapheneOS.org and read until your eyes bleed.

Then probably read it again.

LOLOL

This is good stuff folks! Wish I discovered this sooner.

strcat: thanks btw!

I appreciate all the info!

Actively deGoogling my life now.

One more thing. When you get your pixel, if you're getting one second hand, make sure you get one that's BOOTLOADER unlocked as opposed to CARRIER unlocked. There is a difference and you'll need the former

jcpicard32: Understood. Will definitely do that. Thanks =)

I am really happy after one month in the Android world, with IOS since it exist, to have ended up with GOS :-) Up to now th experience is very cool. Some apps do not work or have some features not working, but nothing major

jcpicard32[m], BeingFrey[m] I am new to Android, and was able to unlock the bootloader myself, but, it was a bit challending LOL ( Pixel 3a) if it's already unlock, it's sure it will save you time ans stress.

As people pointed out earlier, the Verizon versions come with a bootloader that can't be unlocked, even if someone pays to unlock it to all carriers

Hence the distinction I madde

@Icy-Sprite ;^): Surprising, isn't it, all that can be collected. Especially when signing into Google (Facebook) services.

jcpicard32: Ohhhh, very good to know!

jcpicard32: I hear ya. No more locked mobiles for me!

question about OTA update BETA. If I enable Beta : 1) Can I go back if it's unstable or crash ? Or I am stuck with the last Beta I installed and need to continue updating to fix my problems. 2) is there a list somewhere of what the current beta version offers ? Wondering if I will " tick the box " LOL

jfbourdeau: if you find the beta too unstable, you can select "Stable" and it will update to stable on the next release, which is usually released on the first or second week of the following month.

I run the beta and have had no problems with it - I prefer to run the CTS though.

(Compatibility testing suite)

This is so I can hook the phone up to a testing rig and have it run standardized tests and type up a report.

jfbourdeau: you can't revert back

Flashing stable will be detected as a downgrade

You can however upgrade to a newer stable release from a beta

tks TheJollyRoger !!! Will try. Is there a list somewhere of what the beta add, fixes etc ? anyway ticking the box right now as I can " downgrade"

oops

Most of the time there are no difference between the two AFAIK

Yeah. If you want to go back, you either have to wait until it's upgraded to a later revision (about one month) -- OR -- you can back up your phone, unlock bootloader (which nukes the phone's data), and then reinstall and restore.

ok I get it... I can go back to stable in a sense, but the next " stable" month after,,,, I get it....

I remember GOS asking about a backup when I first started up (I am a new user for 3 weeks)... With what tool DO I need to backup ? and as I can't put a SDCard in my pixel 3a, how would GOS at startup, when asking for a backup to restore, how would GOS (where) access that backup ? (noobie question)

Yeah. If the bootloader is locked, you can *upgrade* but you cannot *downgrade*. This is not a bug, but it's an important defense-in-depth feature to prevent a downgrade attack where someone confiscates your phone, and either finds an exploit to take control of the update client or cuts the SSD out and flashes a validly signed but older and vulnerable version of the operating system onto it.

jfbourdeau: your best tool to back up to seedvault is actually a USB-A-to-C converter, and a simple USB drive, which doesn't have to be a big one.

TheJollyRoger: honestly both are equally unlikely

*where someone either finds an exploit to take control of the update client or confiscates your phone and cuts the SSD out

anupritaisno1[m]: yeah?

ok I will google seedvault and I get it, my simple 1 TB external drive would do the job (I know too big)... WOUld a USB stick (with proper cabling) also be ok ? now going to read about seedvault as I don't use CLOUD ANYMORE', I need to manage / take care of my Backup strategy (for my contacts, picts, etc etc )

Nothing is really going to target the update client

Oh I see.

A kernel exploit for instance is much more a concern

jfbourdeau: an ordinary USB drive will do the trick nicely. The apps don't take up much space at all.

Oh that makes sense, given the large attack surface of the Linux kernel.

There could be kernel exploits that allow you to write anywhere to storage

The update client is a difficult target actually

It verifies what you're flashing

Then also checks AVB signatures

Not very easy to attack it

The kernel? A lot easier

TheJollyRoger, " seedvaul " is an app name lol ??? if yes, when GOS ask for a backup to restore, it understand that backup file format ?

jfbourdeau: SeedVault is not accessible through the home screen. You will need to go to Settings -> System -> Backup to find it. It replaces the cloud backup.

it will understand the file format. The backups are stored encrypted and are authenticated.

However it MUST BE restored by the launcher.

So if you skip that step you will not be allowed to go back and restore later.

Be advised: SeedVault will back up the apps that /allow it to/ (some app developers set a "Please do not back me up!" flag for their apps, which Seedvault will respect), but will **NOT, REPEAT, NOT** back up your shared storage. That, you should back up to the computer by plugging it into the computer and browsing your files via Media Transfer Protocol.

Hummm clear but now I have a question.... I use Shelter and now have a Personal and work profile. Will I be able to restore both ?

I haven't messed around with that yet.

anupritaisno1[m]: huh, makes sense about the kernel versus the update client. The kernel's pretty overcomplicated, that's for sure >_<.

" , but will **NOT, REPEAT, NOT** back up your shared storage. " what is shared Storage ? long story short, I should backup on my PC which Folder to play it safe ?

Danny@WorkOrderPro: Help me understand why I should also use Swappa in the feature?

now trying to backup on USB tks !!!

Shared Storage on Android is your common files, usually where your pictures are stored, where all apps can access and browse.

(All apps you've given permission to, that is)

jfbourdeau: shelter apps might not be backed up

jfbourdeau: when you run SeedVault, you will very often get a "Backup was incomplete" indicator. This is because again, some apps opt out of backing up. SeedVault will respect those apps' request to not be backed up.

The shared storage is just your internal storage

* Danny@WorkOrderPro: Help me understand why I should also use Swappa in the future?

tks anupritaisno1[m] so the FOR DUMMIES ANSWER to what do I backup manually, above what SeedVault will backup is " everything just in case" ?

jfbourdeau: back up your internal storage on the phone. Seedvault does not back that up.

Which hardware is most secure to run qubesos ????????????????

icy-sprite[m]: Asus KGPE D16 running Coreboot.

<TheJollyRoger "@Icy-Sprite ;^): Asus KGPE D16 r"> That was quick, but why?

@Icy-Sprite ;^): not the channel for this

PM me.

ok I get it LOL i just plugued it, and now see that INTERN Shared Storage is the name of the " folder" that shows when we plugg it LOL As I mentionned, I'm an IOS guy ;-)

anupritaisno1: Okay, i'll post it on PT

<defconanon12[m] "Danny@WorkOrderPro: Help me unde"> I've had better experiences with its community > eBay when buying used hardware, and the prices can be pretty reasonable, too.

Danny@WorkOrderPro: I heard of Swappa just never looked into it.

It's like eBay for people who know what a computer is and want "gently used hardware".

Don't tell your mama about it, and it'll stay halfway good, haha

Danny@WorkOrderPro: Well the key or idea like with anything is tell what is a scam and what isn't.

Even of the platform itself is legit it is also about the userbase.

* Even of the platform itself is legit it is also depends on the userbase.

* Even of the platform itself is legit it also depends on the userbase.

* Even if the platform itself is legit it also depends on the userbase.

PayPal makes it so buyers always have the upper hand.

The only benefit of their platform, and why they have retained user trust, even though sellers almost universally wish they were dead.

<defconanon12[m] "Danny@WorkOrderPro: Well the key"> Swappa also has human moderators that confirm each listing is up to their standards, not just algos/random audits after reports on a user.

Even if that just enforces good screenshots on listings, that's a leg up from some of the shady angle-shots you get on other platforms

Are the Whitechapel rumours from a couple of months back about Google designing and looking to move to their own ARM SoCs legit?

Danny@WorkOrderPro: credit cards are similar

seller charged 3-4% fee

buyer gets 1-2% cash back

buyer can do chargebacks and end up in a dispute massively biased against seller

Danny@WorkOrderPro: Paypal is great in that regard. Swappa is very interesting. I have to look at it myself. Thanks for the info.

Paypal is also great if you have been scammed. You don't even need to talk to the scammer. Not too great for transfers back to a bank though.