The former sounds right

<plain_dust[m] "Hello everyone, am a little curi"> so there are a few technical reasons this is almost impossible

1. Insider attack resistance they can't update firmware without you PIN this means even Google couldn't try to unlock your phone

2. Rollback protection means the firmware will only run a newer version

3. Titan M doesn't have networking and has to pass CTS(open source) as matching the encryption output

Those 3 reasons is why it is essentially impossible for the Titan M to be backdoored. Otherwise it would be noticed in testing. Google won't take a risk. They will pay a million per exploit against it and fix it

I wouldn't say "impossible" moreso "much more tricky"

But otherwise I agree with that

yeah, if Google was forced to make a backdoor it would only work on currently unlocked phones and Google would kill that backdoored version with the next update

Google would have to be completely taken over and then it would more than likely be caught

The other factor is Qualcomm and Google allow to lock GrapheneOS with your own keys which protects your system even more. That is Canadian

<plain_dust[m] "gov tell tech companies "build x"> you know that Section 215 and the FISA court stuff expired a few months ago right>

Google is now even sharing some NSLs on their transparency site due to improved privacy laws

plain_dust: storage.googleapis.com/transparency…/NSL-18-447570-request-redacted.pdf here is one NSL for example

<plain_dust[m] "why isn't the titan chip open so"> I don't know it is something they are planning and they are building an open hardware option too

Google has traditionally been quite good on open source for example the coreboot usage on Chromebooks

plain_dust: you have to trust the hardware of any system

though we have never seen a real case of a backdoor

Google is very focused on the Enterprise and Education which they have to be privacy sensitive for

they also need good security

most of the Google issues are in consumer software

hardware wise Pixels and iPhones are the only devices confirmed to have WiFi privacy

they are the only devices with insider attack resistance to keep away government pressure

really nothing comes close

you need to trust everyone en.wikipedia.org/wiki/Underhanded_C_Contest

it is very easy to hide a backdoor in extremely well audited FOSS code

its kind of hard to have honest conversations about security when most avid users are looking for silver bullets

that is a good point whatever you choose there are always limits. Mainly you and root certs

there isn't any, you can try your best to educate yourself and look at the compromises and why they are made

cn3m: i really appreciate how you you out of your way to help people with their questions

its beyond thoughtful

<aeonsolution[m] "cn3m: i really appreciate how yo"> thank you, I appreciate how open you are to help people build GrapheneOS. We make a good team

* cn3m: i really appreciate how you go out of your way to help people with their questions

any time 😇

<aeonsolution[m] "its kind of hard to have honest "> like killer nano bots

<cn3m[m] "Google is now even sharing some "> hey I know how those laws got improved :D

<nickcalyx[m] "hey I know how those laws got im"> could you improve the laws to make killer nanobots legal too?

someone would have to sic nanobots on me first, for me to be able to establish legal standing

plain_dust: doesn't seem like the end of the world to me

I feel that Open source software is inherently less secure than proprietary because if anyone can view the source code its much easier to look for vulnerabilities

But FOSS software is typically more privacy-respecting

<bonerdose[m] "I feel that Open source software"> depends if you have a good internal auditing team closed source is probably better. If the maker doesn't self audit they will probably be better off as open source to lower the barrier to entry

I'd argue that to audit software well, you should understand reverse engineering anyway

Doesn't reverse engineering proprietary software take a very long time to complete

It can

it depends yeah

But I'm saying irrespective of the software being open or closed source that RE skills are good to have for an audit

cn3m, Regarding the previous conversation about firewalls, do you think that apps like google camera will leverage the vulnerabilities of the GrapheneOS firewall to access the internet?

renlord, madaidan.: are there any resources you can share about kernel security development? i would like to help out in that but don't have any idea where to start

aeonsolution: gist.github.com/madaidan/2031b844d760683af19e85bda184b623

oh heck yeah, this is good

aeonsolution: you know how to find the legacy features right?

i do not but you got my attention

aeonsolution: so there are a lot of features that haven't been brought back(they probably won't be a priority until the Android 11 switch)

I can help point you in the right direction though one sec

yeah that would be great

after watching this <reddit.com/r/GrapheneOS/comments/bj…nd_the_tale_of_thousand_kernel_bugs>

and reflecting on the patching migration

a lot of things clicked and now im super curious

aeonsolution: here is another interesting writeup a little closer to home

ha

thats me!

this works on regular and linux-hardened, but it doesn't work on grsecurity if you want a more real world impact

textmate: welcome

thanks

aeonsolution: my view on the weakest parts of GrapheneOS right now is definitely the kernel. I think the remote attestation isn't pushed hard enough to make sure a root exploit can't install accessibility services without the user being notified. Accessibility services should have to be approved every boot. Also dynamic native code execution should bring back the toggle and scoped apps would be great. Strengthening those

systems would go a long way

✏️ 🗒️

And a warning for when you are about to install an app with v1 signing. That could be very helpful

<bonerdose[m] "Doesn't reverse engineering prop"> not if they don't obfuscate their code

<cn3m[m] "this works on regular and linux-"> oh wow, yeah that is relevant

hey, is there a legacy features list?

I am working on that right now. I have to check all the issues and the archive

i really dont mind forking the 11 branch i have and dabbling with that, it would be fun to try getting some of that back

<aeonsolution[m] "oh wow, yeah that is relevant"> only thing I have found that really put the kernel through testing. Though some other bugs have been neutralized

<aeonsolution[m] "i really dont mind forking the 1"> of course there are a lot of old features so I will send those your way sorry I didn't remember where they were as much as I thought I did

i do remember strcat talking about that

but its hard for him to do it all

if people saw that video, they would realize how much work that is

the most important feature to me imo is the accessibility approval at boot. Around half the people here do not use remote attestation is the impression I get which means one kernel level exploit and now someone has spyware persistence

my mind was blown

since that is one of the most important parts of GrapheneOS the verified boot

if there is a number of people that aren't using remote attestation that could be a bad thing

how to fix that issue is debatable for sure

<aeonsolution[m] "if people saw that video, they w"> yeah I think there are still over 800 unpatched bugs

there are some serious exploit candidates in there I am sure

<cn3m[m] "the most important feature to me"> is that a legacy feature, if it is i'd be happy to work on that

here is the list of past features

I couldn't find a better list

but if there is any specific code or details you need me to find let me know

I am here to save devs time so whatever you need ^

^^

for the level im at, just getting old features restored would be a great start

and if it is something of interest for you all and strcat, then thats all the motivation i need

developing new features is beyond my skillset at the moment

yeah focus on bring back the old stuff there has been some great old stuff :)

Im sorry for probably being the 100th person to ask about this, but do you guys think its a chance that someone will maintain support for Pixel 4a if it comes out tomorrow?

<textmate[m] "Im sorry for probably being the "> pretty solid the 4 laid the groundwork for it and they will more than likely use the same kernel

<textmate[m] "Im sorry for probably being the "> getting more people to donate to the project <grapheneos.org/donate> and finding people willing to help the devs test out the changes will increase those chances

<cn3m[m] "pretty solid the 4 laid the grou"> alright epic

<aeonsolution[m] "getting more people to donate to"> Understandably

So I'm looking for secure alternatives to desktop OS. Would Chromium OS be a good choice? Does Chromium OS (as opposed to Chrome OS which only exists for Chromebooks) have support for Android apps? Also, are there any ways one could make Chromium OS privacy friendly too, since I think it still requires you to login to Google?

murderous_rabbit: try the offtopic

murderous_rabbi4: iirc Chromebooks don't support custom verified boot and attempting to graft these features onto standard x86 systems is asking for a pail of fail...

OT, but join the Qubes OS channel.

<cn3m[m] "murderous_rabbit: try the offtop"> I'm really not able to open this link from my phone for some odd reason. It says "Not implemented in RiotX: Open not joined room"

That Pixel 4a leak looks quite nice. 6gb RAM, 128gb storage, Snapdragon 730G, 5.81 inch hole punch, FHD+ HDR, 3140mAh battery, 12.2MP rear, 8MP front, headphone jack (apparently), Titan M Chip... For $349.

Does anyone know why on AMOLED screens there's a ghost effect when going from dark blue/grey to black?

I think that's a inherent thing with AMOLED tech

<SchismXL[m] "That Pixel 4a leak looks quite n"> Nice! I hope this gets supported in Graphene soon.

<bonerdose[m] "Does anyone know why on AMOLED s"> low brightness issue

Pixels have bad brightness usually

so it seems really bad on Pixels

Samsungs and iPhones never had an issue

Every Pixel I have used is pretty bad on it

beside a friend's Pixel 2

I don't get ghosting, but I get a green hue at the lowest brightness.

Oh, so no way to fix it?

<bonerdose[m] "Oh, so no way to fix it?"> Maybe using a custom kernel, but I wouldn't recommend.

Nah I don't want to flash any compromised software

I guess I'll deal with it, its not bad with the default max brightness

What device you got?

3a xl

Just setting up my pixel 3a xl. incoming emailsettings in K9 works , but the outgoing doesn't. My setup or some security thingy?

hello fellow graphene os usersmay i ask if there is another channel for random topici'm in the market for a new laptop and not sure is switching to linux will help with privacy and security and if so sould i go system 67 or purism both are expensive does it worth it

massivly_d: matrix.to/#/!NKqyWWNTlbuXwOPMCt:mat…g&via=privacytools.io&via=tchncs.de yes go to the offtopic chat

thank you

effectively speaking purism is a scam and should be avoided for anyone checking here

noted will not consider there laptop

why? only heard good things about purism?

<cn3m[m] "effectively speaking purism is a"> How?

PureOS doesn't ship microcode leaving devices on it insecure to known attacks

they also oversell their closed hardware and firmware systems as something they are not

you get an expensive POC

but this is better fit to the offtopic channel

they really fucked up the phone security wise though

Do they know this in their own OS? If so, they might be scammers. They will go bankrupt.

<MRK[m] "Do they know this in their own O"> they consider shipping known vulnerabilities a feature

apparently updates from Intel are scarier than known flaws

still running insecure code

How about Pine64, are they good?

any known issues for K9 / IMAP?

<lovesausage[m] "any known issues for K9 / IMAP?"> No. I use Davx5 and it works fine.

<MRK[m] "How about Pine64, are they good?"> offtopic, but they aren't nearly as bad. Just zero security model

I hope Apple would do the same thing PinePhone does? killswitch

* I hope Apple would do the same thing PinePhone does. killswitch

<MRK[m] "I hope Apple would do the same t"> really should use offtopic guys. Though Apple does make good use of hardware for privacy like the detaching microphone when an iPad or Macbook closes. The MacBook LED is connected to the camera, if the LED starts failing the camera is bricked

#freenode_#grapheneos-offtopic:matrix.org

hardware switches aren't that helpful anyway

you record data and upload it when connection is restored

on Android and iOS sensors are restricted but on Linux systems you can even track movement when the killswitches are off and even record 10% of audio

It prevents someone from spying on you resistant. That is why phone killswitch is important.

if you have a sensor switch that helps, but at some point hardware switches have limited usefulness considering they assume a fully compromised device and you have to trust the setup of them that they actually work

<MRK[m] "It prevents someone from spying "> it is not a priority imo

MTE on the other hand

SchismXL ty

here is an example of Purism manipulation of data

Google Chromebooks for example use Coreboot, they have an open source kernel, they have a mostly open OS(the debate is on where ChromeOS is bundling closed Applications or if it is a closed OS), they have a freed bootloader, software applications are almost entirely free, repository is debatable, recommending free software again debatable

but Chromebooks are very strong against this chart(if these metrics are all you care about which you shouldn't)

Daniel has gone as far to say Librem is less open than Chromebooks freenode.logbot.info/grapheneos/20200520#c3925070

that is referring to hardware not the out of the box experience of course

Chromebook C201 for example walks all over the Librem if you load Libreboot

I dunno. I actually give them more credit than most. I think they have a different definition of "freedom" and they're actually trying in good faith to make products that reflect that kind of freedom.

They think the user should be able to "control" their firmware, even if it means a kind of hobbled, insecure implementation.

(we can take this to offtopic, if you want)

Google is more secure and more open on their hardware(and cheaper). Pine64 is more open, more secure(barely), and cheaper(vastly)

yes please

Any idea why I can't join the off topic room?

It says no known servers

Could someone please send me an invite to off topic?

<trismous[m] "Could someone please send me an "> #freenode_#grapheneos-offtopic:matrix.org

Or matrix.to/#/!NKqyWWNTlbuXwOPMCt:matrix.org

Hi all. Dropping in here because the Pixel 4a announcement is imminent, and I'm considering buying one. Given that Graphene already supports the 4, is it likely that an image will be available for the 4a in the near future? If not, what's required to compile it? I'm not a developer but am comfortable in a linux CLI and building things from source, so if it's likely just a question of compiling with a few flags and the

right kernel I'm happy to give it a go.

<SchismXL[m] "#freenode_#grapheneos-offtopic:m"> Thank you 🙂

Thoughts? Should I enable these flags

Reduce default 'referer' header granularity.

If a page hasn't set an explicit referrer policy, setting this flag will reduce the amount of information in the 'referer' header for cross-origin requests. – Mac, Windows, Linux, Chrome OS, Android

Prefetch request properties are updated to be privacy-preserving

Prefetch requests will not follow redirects, not send a Referer header, not send credentials for cross-origin requests, and do not pass through service workers. – Mac, Windows, Linux, Chrome OS, Android

#prefetch-privacy-changes

* Reduce default 'referer' header granularity.

If a page hasn't set an explicit referrer policy, setting this flag will reduce the amount of information in the 'referer' header for cross-origin requests. – Mac, Windows, Linux, Chrome OS, Android

#reduced-referrer-granularity

<murderous_rabbi4 "So I'm looking for secure altern"> nah just Qubes is good

Are there anyway to use fingerprint for stuff except unlock?

Yes

You can go around town pretending you're scanning people's prints

<lovesausage[m] "Are there anyway to use fingerpr"> You meant something like that double tap fingerprint gesture?

I mean using the fingerprint for unlocking my keepass and other apps, but not using it for the unlock feature?

Nope. They use keystore afaik. So you need to set fingerprint unlock.

Hi, I need some advice. I want to use the google camera app. I got it working by installing microg but other apps crash now.I tried using cgit.typeblog.net/Shelter/about to isolate microg and the camera app but that did not work. The Install APK into Shelter" feature of shelter seems to be broken on Graphene.

Has Google released Pixel 4a yet?

Too bad, feels like a bad choice for unlocking , I'm quite sure i had it set up that way on my last rooted phone. Cant remember how :)

Hi, I need some advice. I want to use the Google Camera app but have some issues. It works when Install microg GmsCore but other apps crash on startup if i have that installed.

I tried using cgit.typeblog.net/Shelter/about to isolate microg and Google Camera. But that app seems to be broken on Graphene.

Any thoughts?

<textmate[m] "> <@johannesneyer:matrix.org> Hi"> what? nope

Ok, just assumed from your name

<textmate[m] "Ok, just assumed from your name"> it's german :)

yeah

<lovesausage[m] "Screenshot_20200802-160037.png"> Don't do it

Not recommended to use device admin app

<za_warudo-vilfp8 "Not recommended to use device ad"> Can the device admin app do more than listed above?

Yes

Afaik, let me grab my sources for a while

Oh geez too late

You shouldn't have installed it

But it's your usercase

freenode.logbot.info/?q=device+admin&ch=grapheneos

Is Network a permission in GrapheneOS?

That bad?

<za_warudo-vilfp8 "Afaik, let me grab my sources fo"> web.njit.edu/~ineamtiu/pubs/mobicom19shan.pdf

<lovesausage[m] "That bad?"> Especially if closed source

essentially giving that app control on your device

<textmate[m] "> <@johannesneyer:matrix.org> Hi"> Can help

<theultron[m] "web.njit.edu/~ineamtiu/p"> Thanks

Replied to wrong person lol

Moreover, Google have deprecated this "USES_POLICY_DISABLE_KEYGUARD_FEATURES" device admin policy. So such apps will be thrown out of the store soon.

can confirm it works fine

<lovesausage[m] "Screenshot_20200802-160037.png"> You could have done that with the "Lockdown" feature within the OS itsrlf

But alas

tested everything

* You could have done that with the "Lockdown" feature within the OS itself

* You could have done that with enabling "Lockdown" feature within the OS itself

Welp

Time to start over then..

<SchismXL[m] "> <@johannesneyer:matrix.org> Hi"> You are amazing! Thanks, it works fine. Do you know why other apps crash with gms core is installed? And where do you download the Google Camera apk? I don't really trust these apk mirror sites and I could not figure out how to check the signate of the apk.

johannes: I'll give you a repo for it, invite me privately in a convo, I cant with elementx

<lovesausage[m] "Time to start over then.."> Yeah, sadly. Enable lockdown mode on settings, (then by holding off button then press lockdown button, you'll disable biometrics).

* Yeah, sadly. Enable lockdown mode on settings, (then by holding off button then press lockdown button, you'll disable biometrics every time you lock).

<johannes[m]2 "You are amazing! Thanks, it work"> Directly from the play store or on the XDA forums. Dunno about gms core thing, but think you'd have to have all of microG installed for it to work? Either way, that's out of the scope for GrapheneOS

<SchismXL[m] "Directly from the play store or "> how do I get it from the play store, it does not work with aurora

But I welcome you to join the off topic chat at #freenode_#grapheneos-offtopic:matrix.org where someone may be able to answer the question

<johannes[m]2 "how do I get it from the play st"> play.google.com/store/apps/details?…oogle.android.GoogleCamera&hl=en_IN and in the browser, open the link using Aurora and install it that way.

<SchismXL[m] "play.google.com/store/ap"> ah nice, that actually worked :)

It installs an older version however. But it does not matter because I can update it with the apk i got from an apk mirror site which means the signatues match.

Thabk you "SchismXL" (matrix.to/#/@schismxl:matrix.org) you were really helpfull 😀

No worries :)

I feel like foxy droid is a better fdroid, if it does update automatically index file

annoying it doesn't work with original client …

so I went back and reflashed , locked the bootloader, turned of oem unlocking, but it still gives me the warning in the start that its loading a different system. do I need to reflash stock first also??

<lovesausage[m] "so I went back and reflashed , l"> Back and reflashed what? Stock or GrapheneOS?

its normal

warning is expected

graphene OS, hmm must have missed the warning before then i guess

<lovesausage[m] "graphene OS, hmm must have misse"> On stock, it shouldn't say that. On GrapheneOS, it is normal.

<g65434-2[m] "I feel like foxy droid is a bett"> I just tried this and I really like it

might try it then if it handles update correctly

how clear large amount user data in fdroid app?

have option keep cache app for 1 hour

Imagine installing graphene just to not look the bootloader and root it

<bonerdose[m] "Imagine installing graphene just"> I don't need stuff root offers, and I have a locked bootloader. If I ever need to give an Android app a permission like WRITE_SECURE_SETTINGS, I just use ADB. Also, I used the guide provided by The Hated One (invidious.snopyta.org/watch?v=xIXAzA555xk) to flash GrapheneOS

I'd understand if there wasn't an official guide, but it does exists

<g65434-2[m] "I'd understand if there wasn't a"> That guide is actually based on the official guide found on grapheneos.org, it's just made into a video. I don't really like reading stuff (kind of)

Is anyone aware if Mint Mobile VoWiFi and VoLTE works on GrapheneOS?

As far as I know only a MVNO of Verizon has issues

r357 T-Mobile prepaid vowifi/LTE works perfectly. Mint uses their network so it should.

* As far as I know only a MVNO of Verizon has issues

And sprint. Screw sprint.

larncat bonerdose Thank you! Currently on postpaid VZW and would like to make the jump to Mint.

r357 same situation with Vz here :(

<r357[m] "Is anyone aware if Mint Mobile V"> Has worked flawlessly for me

What are the downsides of choosing a cheaper MVNO over a major carrier?

bonerdose: guess its an extra party that gets access to your calls, SMS & your cell based network activity

Also think MVNO sims get second class priority compared to sims of the cell network provider

All that isnt based upon any actual research

Metro is at least owned by T mobile so at least in that case its not really 3rd party

lovesausage: I strongly recommend against using device admin apps

But that game I got from Aptoide said it need device admin perms to work properly

<LinusSexTips[m] "But that game I got from Aptoide"> oh yes, I petition for a preinstall of Aptoide /s

vyce: welcome

<cn3m[m] "oh yes, I petition for a preinst"> I thought aptoid was generally pretty dangerous?

Its where I get my clash of clans infinite gem hacks

oh was this a joke? woosh?

yea, woosh. ok

Yea lol

The /s he put at the end means its sarcastic

^

<Knull[m] "I thought aptoid was generally p"> Petition to make proprietary software illegal

Black Winner Yoshi: we would all be using Linus' MIPS laptop

<cn3m[m] "Black Winner Yoshi: we would all"> PineLaptop exists

it is not fully open afaik

<cn3m[m] "it is not fully open afaik"> Not much of a problem to deproprietize it, I think

* Not much of a problem to deproprietize it, I think

Kind of like how Linux-libre can be otherwise called unproprietized-linux

Isn't aptoide open source?

Any updates yet on the Google Pixel 4a?

Noticed to my suprise that banking app relying on google , that was tricky to get working on MicroG before, worked perfectly on graphene. Have they changed things in their app or do graphene handle request on google somehow? Or is just the pixel thar does the magic?

<bonerdose[m] "Isn't aptoide open source?"> Maybe, but the app store itself has illegal stuff. Better install F-Droid instead.

<textmate[m] "Any updates yet on the Google Pi"> Not since the leak this morning.

I must be one of the lucky ones for my bank app to not rely on Google Play Services at all

<BlackWinnerYoshi "Maybe, but the app store itself "> I have f droid I just use aptoide for apps that cost money with no way to purchase unless you have a google account.

<BalooRJ "I must be one of the lucky ones "> Mine will run without G play services but it crashes when trying to do certain things. Installing microG services core from f-droid and revoking the network permission fixed the issues, though.

I should say according to Aurora my bank's app is not even built with GPS

google play services

Nice

<BalooRJ "I must be one of the lucky ones "> My bank app is apparently GSF-dependent (source: Aurora Store), but I haven't tested it

I just check my balance via SMS, probably a terrible idea

When apps don't rely on G play services how do they give you notifications?

<internetshogun[m "I just check my balance via SMS,"> You should do it via Signal, probably

I do, doesn't really matter since the message being sent is through regular SMS, no?

<bonerdose[m] "When apps don't rely on G play s"> Signal just asks you to disable battery optimizations to send notifications that way

<internetshogun[m "I do, doesn't really matter sinc"> Yeah, it doesn't matter. SMS is SMS, regardless of if it is in Signal or not.

<internetshogun[m "I do, doesn't really matter sinc"> Well, the only thing that happens is that the SMS is stored locally and encrypted, I think

b-but my bank offers the service, so it must be secure!

<SchismXL[m] "Yeah, it doesn't matter. SMS is "> I think everyone should just stop using SMS and use Signal instead. Maybe someone should create an app called "Force Signal" that blocks SMS and calls, and then sends an SMS saying that one does not use SMS and calls, and instead Signal, and then asks to switch to Signal and also to install "Force Signal"

I've never even thought about checking my bank account info with SMS

anyone else us privacy.com

<BlackWinnerYoshi "I think everyone should just sto"> Agreed, however the real world does get in the way sometimes unfortunately

I like that they're really the only service allowing for single use debit cards so you don't have to go and stick your card numbers in any old website to buy something anymore and fear a hack will leak them

<internetshogun[m "Agreed, however the real world d"> The "real world" is my "friends", in this case. Imagine having hundrends of friends and then it turns out most of them are fake

I think the problem can be friends who aren't security conscious and having to install another messenger app of which some people already have a few.

SMS, Facebook Messenger, GroupMe, Twitter, Instagram, etc. So many ways of communicating.

I've tried getting my friends to switch to signal

They actually did for a bit but they didn't like having to use a different messaging app just for me

And since I'm obviously not gonna just not stay in contact with 99% of my friends I just use SMS and accept that its part of the deal

I just use iMessage on my iPad with email

SMS sucks less that way and everyone goes for it

It would be nice to have a I message android app.

Isn't imessage e2ee

I've gotten quite a few friends and family to switch to Signal. Hopefully they don't sell out like Telegram did, and the pin controversy is bad enough

<bonerdose[m] "It would be nice to have a I mes"> I'm pretty sure Google is working on that.

I thought Google was pushing for RCS

which is still not cross-platform encrypted like iMessage

<bonerdose[m] "Isn't imessage e2ee"> yeah, disable sms fallback though

also, did anyone else notice that AOSP now has built in video calling?

RCS is not e2ee sadly the backed odwn

I was able receive a video call from someone on a Samsung phone on my GrapheneOS phone

which very much surprised me as I thought Google didn't bother to develop that to force everyone onto Duo or whatever stupid messaging app they have out there right now

<BalooRJ "I was able receive a video call "> Natively, huh?

<BalooRJ "I've gotten quite a few friends "> how has telegram sold out?

<BalooRJ "I was able receive a video call "> sure it wasn't through signal?

Is there any technical limitation for apple to release an imessage app for android?

internetshogun: Yep, natively through the calling app

<bonerdose[m] "Is there any technical limitatio"> I don't think so, it just goes against their business model

<bonerdose[m] "It would be nice to have a I mes"> and have the metadata in Google's hands?

I'm more comfortable with google having metadata than my carrier having everything through sms

Apple supports devices too long to improve iMessage yet. The only reason it is good is since it is apple and everyone uses it

<bonerdose[m] "I'm more comfortable with google"> RCS has no encyrption

<cn3m[m] "Apple supports devices too long "> but it fails at proving its end to end encryption

you can't verify the keys

it's worse than whatsapp's implementation

Joeri: Telegram's ban in Russia has now been lifted

WhatsApp is Signal so yea

for what it's worth, I'm not an anonymity over all type, I just want data retention

the less cloud the better, encryption for security. I think a lot of the movement focuses too much on anons and therefore criminal behavior. Just my 2c

<cn3m[m] "WhatsApp is Signal so yea"> do keep in mind: they say they use the signal protocol, ultimately there's no real way to verify as it's a proprietary app

Wickr gang rise up

(Yes I know its proprietary)

Although isn't their encryption method open source?

<Joeri[m] "do keep in mind: they say they u"> Moxie says it is not backdoored and he built it and I(mostly) trust him

Signal built WhatsApp encryption and say it is trustworthy and not backdoored

yeah, I meant more from a theoretical perspective, ultimately there's no way to verify whether any of moxie's code is in the actual whatsapp version shipped. takes off tinfoil hat

I know WhatsApp is huge overseas but I don't know anyone who uses it in the US

<Joeri[m] "yeah, I meant more from a theore"> Generally, if its not a Chinese based app, owned by google or microsoft, and it claims to be E2EE I trust it.

RE it?

any code is open source if you try hard enough

Google uses Signal too

(((Reverse engineers GTA V)))

<BalooRJ "I know WhatsApp is huge overseas"> it has a lot to do with free sms not being free in most of the rest of the world

<bonerdose[m] "I'm more comfortable with google"> Are you in offtopic?

Yeah, I've read that elsewhere as well. Apparently SMS is like 10 cents a message in lots of other places and no one uses it, so they've all been pushed to WhatsApp

Google is far more trustworthy than Facebook. Differential privacy and e2ee is more widespread

<BalooRJ "Yeah, I've read that elsewhere a"> absolutely, I don't think there's necessarily all that much wrong with WhatsApp's encryption, it has more to do with the cloud backup 'solution'. It gives a false sense of security. I'd rather have someone be slightly surprised by an SMS message than give them a false sense of security when I message over WhatsApp

Thats why I'm surprised Signal moved to cloud storage as well

Also WhatsApp logs everything you do, metadata is everything

Do you guys trust Mega for cloud storage?

I'd rather just do local backup.

bonerdose: Why not just buy a Raspberry Pi device set it up for Nextcloud

Mega honestly is just another piracy outlet...considering the owner was criminally charged. But this is probably better for offtopic.

<bonerdose[m] "Do you guys trust Mega for cloud"> just encrypt it beforehand lmao

<Joeri[m] "Also WhatsApp logs everything yo"> moxie even made a subtle jab at whatsapp in the blog post about there being no back door:

<BalooRJ "bonerdose: Why not just buy a Ra"> Because I don't want local cloud storage

<Joeri[m] "absolutely, I don't think there'"> at least they backup to Google not Facebook

<cn3m[m] "at least they backup to Google n"> In a relative sense, Google is at least more private and secure than Facebook

true

Google is much more at both

Google and Facebook collect MASSIVE amounts of data esp. If you use stockOS

Google uses good tech for differential privacy and a reasonable amount of e2ee

"users concerned with the privacy of their message content" I interpreted that as: "we know the metadata isn't protected and are hinting at it here"

Also I guess Trump straight up didn't ban TikTok

Will never touch WhatsApp. I rather use Telegram

Literal spyware

<za_warudo-vilfp8 "Will never touch WhatsApp. I rat"> Iff Signal isn't an option

<Joeri[m] ""users concerned with the privac"> well,it is what it is, what's said is the only thing that's private

I remember reading a reddit post (take with a grain of salt) that some dude RE'd the TikTok app and found insane amounts of telemetry/phoning home in china

<bonerdose[m] "I remember reading a reddit post"> emphasis on the grain of salt

he says he REd a ton of programs himself

that is an insane amount of work

<cn3m[m] "emphasis on the grain of salt"> Yeah that's what I figured

Theoretically, would it be possible for one dude to reverse engineer something as large as GTA V in a month

<bonerdose[m] "Theoretically, would it be possi"> depends on what you mean

<cn3m[m] "depends on what you mean"> Exposing the entire source code

gotta say I'm pretty surprised by OpenCamera's iq on the 3a

speaking of video games

will be interesting to see what happens with this gargantuan nintendo leak and all the source code in it

that was illegally obtained

Since i have to use stuff i really dont like , such as whatsapp and other for work. I was hoping for something like lineage privacy spoofing. Say i have to allow position for a bank app. In lineage that wasnt a problem since all info could be faked. Is there something like that for graphene?

<lovesausage[m] "Since i have to use stuff i real"> you mean like XPrivacyLua?

XPrivacyLua runs client side checks to fake location

can be bypassed

<bonerdose[m] "Do you guys trust Mega for cloud"> If you encrypt your files, it doesn't matter. I'd choose nextcloud with ops one or wölkli as providers

Cloud service provider comparisons are offtopic here.

<thejoker11[m] "If you encrypt your files, it do"> Isn't mega e2ee and open source tho?

can you really trust them tho? even if the code is open source that doesn't mean the server is running it

imo just assume everything is bad and encrypt them yourself

* imo just assume everything is bad then encrypt them yourself

<bonerdose[m] "Isn't mega e2ee and open source "> It's shady and there are rumors, but I can't say something for sure, especially it's in New Zealand. But if you encrypt your stuff, the provider doesn't matter so much.

Hey guys. I'd really like to cut down on the amount of privacy veganism here, it's offtopic for this channel.

This channel's for discussing GrapheneOS development, but what happens between you and your service provider's really outside of our control, and I don't want to see this channel devolve into a game of "more distrusting than thou." That direction breeds toxicity.

Okay

Thanks.

As a side to that, I don't know how long the channel description can be, but if we could put the off topic room link there, it might help, too

<TheJollyRoger "Hey guys. I'd really like to cut"> Sorry

SchismXL[m], I've actually begun to wonder about that, to be honest. The thing is, it's kinda more work and mental bandwidth for the team to be herding cats in two channels.

When we could be spending more time on productive tasks. I know that a certain amount of off-topic ness is meant to build cameraderie and community, but I don't want to see us go the same way as a lot of privacy communities which end up conducting themselves in a nearly cult-like fashion.

thejoker11[m]: all is well! :)

Ideally, I'd really like for the community to have the responsibility to moderate itself and not spend its time bikeshedding, especially where speculation is involved, since those topics always go downhill fast.

Well, if you need help, hit me up. More than happy to herd and/or lighten the load.

Well, not desperate yet P.-). Let's keep it that way!

Is that.. Yes, it is an eyepatch smiley face. Brilliant lol

Yarr!

Hypothetically, if the NSA is determined to obtain data on my phone, how will GrapheneOS stand up to them if they were to acquire it

bonerdose[m], hypothetically, they could simply use rubber-hose cryptanalysis to obtain the password from you directly.

(ie: tie someone to a chair and hit them with a rubber hose until they give away the password)

Total cost: very little.

I think fantasizing about worst-case scenarios like "State sponsored adversaries" isn't a great way to spend your time when that's the elephant in the room.

Yeah that's why I said hypothetically, assuming they comply with laws and the constitution

From a technical standpoint, would grapheneOS be better than iOS if they obtained my phone

I really can't answer that about "if they comply with the laws" for you. GrapheneOS will try to protect you against memory corruption/memory handling vulnerabilities and mitigate exploits, and the hardware backed keystore will protect you against password guessing/brute force attacks, but I don't want to speculate on the capabilities of a hypothetical attacker with an unlimited budget.

there isn't a one size fits all answer sadly, the project is open source and is trying to make strides to improve security on mobile

Because in the end, your imagination and hypothesis won't really be establishing a meaningful limit.

Hey aeonsolution[m], good to see you.

likewise friend!!!!

bonerdose[m]: what aeonsolution[m] said. This topic is really nuanced and really complex. In a large number of ways the devices are very close.

<aeonsolution[m] "old.reddit.com/r/Graphen"> So basically apple is the way to go in terms of security, at least that's what I've gotten from it

Daniel seems to know a metric f-ton about mobile security

W A L L O F T E X T

that's one interpretation, yes

it comes down to what you want to make compromises on

noone can tell you, this is the defacto way to go because there isn't one

<aeonsolution[m] "it comes down to what you want t"> Personally, what do you feel more secure with?

im a stranger on the internet

That doesn't mean your opinion is meaningless

oh not at all but im biased because i avoid Apple products

and not because of security lol

I will politely recluse myself from topics on whether I would go with an Apple product or GrapheneOS because I have a conflict of interest ;).

yeah same

it doesn't mean i don't think they are good security wise, Daniel breaks that down better than anyone else

even Apple

but if we were to be strictly talking about the Android ecosystem

then yes hands down more secure

<bonerdose[m] "Daniel seems to know a metric f-"> It's part of the job description

If anyone wants to buy a great condition pixel 3a with graphene offer $10 less and I'll accept

If you want to be 100% anonymous I can accept payment in crypto

I want to avoid fingerpointing here, and just say that for many of these items, it's been a long time coming and I finally decided to just put it all together. Nobody's being singled out on this.

Although I've sorta tried to take pride in an honour system, I really think some basic guidelines need to be established to facilitate that.

good ruleset

Thank'ee.

Hi everyone is there anyone in the chat that has a Pixel 3 family (blueline,crosshatch, bonito, or sargo) device that would like to help test the Android 11 kernel+GOS patches on GrapheneOS? This isn't endorsed by the project but it would to help get the migration to Android 11 going.

I can be up for it shortly.

The only requirements are being able to build the development branch <grapheneos.org/build#building>

Oh heck yeah jolly!

The computer's in use right now but I can start syncing sources ASAP and getting it underway. Well er... as best I can.

it would be great to get more people, the more the merrier

Yarr. Anyone else?

that would be great

heres project you need to clone and branch you need to checkout

Oh boy. Git, git, git, the program that makes me throw a fit, ahaha.

lolol

no sweat, ill put the commands

`git clone github.com/theaeonsolution/kernel_google_crosshatch.git`

`git checkout 11`

then rename the folder from kernel_google_crosshatch to crosshatch

Once I build the kernel, I need to copy it back into my GrapheneOS source tree, overwrite the kernel there, and then build the GrapheneOS development branch?

I'm backing up my phone now.

when you get to this step, swap out kernel/google/crosshatch with the cloned crosshatch

and then follow the steps

so i had good 0 issues with the phone i used (pixel 3a) but i dont know if thats the case with the other phones

Okay! Might take me a bit to get everything prepared and move everything off my phone again.

Cripes. I should have bought a second blueline. >_<.

no rush

anything at this point is good, besides hopefully more people will be willing to chip in if they see there

is no pressure

Thanks. I'm trying to prepare what I can now, have to get everything off this phone >_<.

lol i just saw we had the same idea in mind about the kernel section

eyyy

I want to use GrapheneOS but the pixel phones are so damn expensive

either the pixel3a is in bad quality or just over the top expensive

anyone got a lead on cheapos?

the pixel 3a is good and pretty affordable considering the market, when was the last time you checking pricing?

You ain't gonna find cheaper than Motorola devices before you head into Chinese knockoff territory

Here's the way I see it: I won't buy any of those other android handsets because they're too expensive. Not expensive to acquire, the issue is the cost of replacing them every year when the vendor abandons them because they didn't negotiate with Qualcomm for more than a year or so.

"Dust to dust" it just doesn't make sense for me to spend $300 on a phone that's going to be a pop tart in a year.

Yeah. My Pixel 1 is still working and received updates until last year. Lasted 3 years. That's about $300 a year for a decently secure phone.

(XL / 128 G, the most expensive you could buy)

And now that we have the Pixel a phones, it's an even better deal.

Yeah!

I have an OG Pixel that by the time GOS and the exploit to unlock the bootloader rolled around was too far into the cycle, bought the 3a and its been great. Plan on using this phone for a long, long time

at least the next two years, have already had it for two. At $400 MSRP that's basically $40 a year

and I still have my OG Pixel though I took GrapheneOS off of it after initially flashing it with it due to the fact that support was discontinued though it got quite a few updates

How is it $40 a year if you keep it for four years at an msrp of $400?

Am I missing something?

Sorry, $80

O alright

All good just wanted to make sure I wasn't missing something lol

Yeah my math was not good there haha

I meant to say that basically I think the phone can last quite a few years, 4-5 years with Google's update timeline

and so in the long run like TheJollyRoger was saying the phone won't be expensive

I bought my original Pixel in 2017 and it got security updates until last Fall

sorry no, 2016 or early 2017

basically you can get 4 years out of the Pixel line

I picked up a Pixel 3a that looks brand new for $200 pretty recently. If you aren't looking to spend the $350 for a 4a, just find a used 3a

Two hundred dollars for a 3a in "like new" condition, that's a good deal, alright!

Nice rules, i can't access the links with Riot android app tho, gotta copy and paste the whole topic section

Hopefully in the future they'll allow hotlinking in topics.