-
bypassbob[m]
Imagine you could set the biometric so it only recognised a page of a book; that would be more secure
-
cn3m[m]
people would catch on quick
-
analtenderloin[m
Anyone know if there's a way to disable system webview webrtc so no IP leak?
-
faxing[m]
Are there any plans to implement a system where you'd need to use a password and a fingerprint?
-
bypassbob[m]
Is there not 2FA password and biometric already?
-
faxing[m]
I couldn't find anything on my 3a XL for needing both a fingerprint and a password to login
-
faxing[m]
I could just be missing something, though
-
cn3m[m]
<analtenderloin[m "Anyone know if there's a way to "> there should be no issue in general
-
lev[m]
<aeonsolution[m] "As a fall back, there is nothing"> I've always taken that to mean, "degoogle my life," as in remove the influence/filtration imposed Google from the way you ingest data and experience the world
-
lev[m]
though I do also appreciate the desire for technical specificity
-
lev[m]
* I've always taken that to mean, "degoogle my life," as in remove the influence/filtration imposed by Google from the way you ingest data and experience the world
-
aeonsolution[m]
i understand the sentiment but it doesn't apply to AOSP, i hate the semantics of it but its an important distinction we have to make because of how the phrase is being used to describe GrapheneOS
-
aeonsolution[m]
and then users and the community only use that as a reference point to all features and apps
-
lev[m]
yeah that's totally reasonable, language is important
-
aeonsolution[m]
is this or that degoogled, etc without understanding what that means
-
aeonsolution[m]
at least with regards to GrapheneOS
-
Iusearchbtw[m]
This conversation is just cringe
-
lev[m]
my elevator pitch for this project is usually just, "Android derivative focused on hardening/security/privacy"
-
lev[m]
hey you take that back... my own mother is 48% cringe, so you're insulting my people
-
Iusearchbtw[m]
We don't ship google apps because they literally won't run
-
Iusearchbtw[m]
You wanna go ahead? Try it. See what happens when everything comes crashing
-
Iusearchbtw[m]
We also do remove a fair amount of apps that rely on gms
-
cn3m[m]
what requires GMS in AOSP?
-
Iusearchbtw[m]
Also we don't want to ship gms for security reasons
-
lev[m]
tbf gboard, gcam, gmaps (I think), gphotos all work fine
-
Iusearchbtw[m]
They are apps that we technically can't sign ourselves
-
lev[m]
though authentication into a Google account fails, I would presume
-
faxing[m]
I just added a fingerprint and still kept my passcode but I can get in to my phone by just using one
-
Iusearchbtw[m]
faxing: yes
-
snowkeld[m]
<faxing[m] "Is it better to use the default "> Signal is for signal messages. Using it for regular sms has no benefit over stock app besides having everything in one place. Signal<>signal communication is much better than sms.
-
faxing[m]
<Iusearchbtw[m] "faxing: yes "> That's what I was asking someone earlier and it sounded like you could have it force both to get it, you can't?
-
Iusearchbtw[m]
No
-
faxing[m]
Oh yikes
-
faxing[m]
Are there any plans to implement something like that
-
faxing[m]
* Are there any plans to implement something like that?
-
Iusearchbtw[m]
Firstly faxing let's say your face hardware breaks
-
lev[m]
using biometric auth requires a pin I think, but you only use one
-
Iusearchbtw[m]
How do you unlock now?
-
faxing[m]
I don't keep much on my phone so I'd just reset it if my fingerprint scanner broke
-
Iusearchbtw[m]
But that's not realistic for almost everyone else here
-
faxing[m]
I was just asking for the increased security
-
faxing[m]
Thanks for the answer
-
Iusearchbtw[m]
There is none
-
Iusearchbtw[m]
For one you cannot access face data until you decrypt the phone
-
faxing[m]
<snowkeld[m] "Signal is for signal messages. U"> Thanks! I know Signal encrypted messages are better, but sometimes I still need to use SMS, so I was just wondering if one was better than the other to use.
-
ninjahmeh
hey folks
-
bypassbob[m]
<Iusearchbtw[m] "For one you cannot access face d"> This maybe a really stupid question but how does the facial recognition even benefit security if the scanner can’t read the encrypted data
-
ninjahmeh
what distros are folks using for graphene building? i just finally got a fairly stable install of mint running on my macbook but figured i would ask here if anyone had any suggestions on any that might be better suited, been a little while since i had a linux box and years back when i worked with zombi guys we mostly ran backbox
-
cn3m[m]
the website covers that
-
cn3m[m]
"Arch Linux, Debian buster and Ubuntu 20.04 LTS are the officially supported operating systems for building GrapheneOS."
-
ninjahmeh
ah fair enough, hmm not a fan of ubuntu really so may look into the other 2 before i go down into preparing my boxes environment
-
ninjahmeh
i guess arch may be a learning curve thats worth the time if im going to get back into learning my arse from my elbow again
-
snowkeld[m]
I've been on Debian for over 10 years.
-
snowkeld[m]
Highly recommend
-
cn3m[m]
not for security, but that is a topic for the other channel
-
lev[m]
have people had issues building on mint? I would be kind of surprised if the instructions for ubuntu were unworkable on mint
-
lev[m]
don't they share a very similar package base?
-
snowkeld[m]
Mint is Ubuntu or Debian depending on version, though it is highly customized by mint devs. You would likely be fine with anything meant for the corresponding Ubuntu release, if using the Debian version of mint you might have a few more hiccups because it's rolling with Debian testing, or it was last time I looked
-
aeonsolution[m]
if you dont want to have a bad time just use the officially supported operating systems, its not a good use of your time to figure out why your distro doesn't have the packages you need to be productive
-
user937
i was looking to get a pixel phone with grapheneos to replace my samsung galaxy, but seeing all the problems people report in here, i'm not so sure anymore :(
-
cn3m[m]
If you can handle a system with no gapps(disable it on your Samsung to test) go for it
-
user937
the only i'd want is Google Maps
-
cn3m[m]
I guess you could get an iPhone if that doesn't cut it if you want a serious GrapheneOS competitor
-
user937
i'm not a fan of the iphone's UI
-
cn3m[m]
<user937 "the only i'd want is Google Maps"> it works iirc
-
user937
but i need a google account to use it right?
-
Vappy[m]
<cn3m[m] "it works iirc"> Doesnt work on a fully degoogled phone, checked plexus
-
Vappy[m]
It does work fine with microG
-
cn3m[m]
<user937 "but i need a google account to u"> no
-
cn3m[m]
It has worked with fully degoogled phones recently iirc
-
cn3m[m]
it doesn't need an account
-
user937
oh nice
-
cn3m[m]
or you can use Maps Go
-
cn3m[m]
which is Google
-
cn3m[m]
no issue
-
user937
perfect
-
user937
is there a way to install grapheneos in a virtual environment to test it out?
-
Iusearchbtw[m]
user937: no
-
user937
ok thanks
-
faxing[m]
And he's gone lol
-
Iusearchbtw[m]
faxing: indeed
-
Iusearchbtw[m]
Sometimes it is better to begone
-
Iusearchbtw[m]
(This is sarcasm, for all the snowflakes)
-
renlord[m]
i have a systemd-nspawn container if anyone wants
-
renlord[m]
* i have a systemd-nspawn container image if anyone wants
-
renlord[m]
i gave up on docker
-
renlord[m]
it is always broken with ipv6
-
aeonsolution[m]
<renlord[m] "i have a systemd-nspawn containe"> im interested ✋
-
renlord[m]
gotta tidy up a bit before i share
-
louipc
what does fully degoogled mean?
-
louipc
i referred to plexus too, but i guess its wrong
-
louipc
Vappy[m]:
-
aosidaisudh2039u
hi which build do i pick for building kernel for 3a ? , blueline ? crosshatch?
-
cn3m[m]
aosidaisudh2039u: crosshatch is Pixel 3, blueline is Pixel 3 XL
-
Vappy[m]
<louipc "what does fully degoogled mean?"> Uh, degoogled and fully degoogled are technically the same thing, but I was referring to the fact that degoogling your device means you would need to rid yourself of Google services framework and Google play services, which some apps depend on to make their apps usable. If you remove GSF and GPServices from your device, some apps lose some functionality while other apps refuse to start.
-
louipc
aosidaisudh2039u: sargo i think
-
aosidaisudh2039u
it says invalid codename when i do ./build.sh
-
aosidaisudh2039u
with sargo
-
louipc
aosp_sargo?
-
louipc
oh i see
-
louipc
it crosshatch
-
louipc
lol.. maybe bonito im confused
-
aosidaisudh2039u
lol
-
aosidaisudh2039u
what's right?
-
aosidaisudh2039u
"Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL: crosshatch - separate crosshatch, blueline and bonito builds due to hardening"
-
aosidaisudh2039u
i don't get this
-
louipc
i would bet on bonito
-
aosidaisudh2039u
because 3 is blueline, and 3a is bonito
-
aosidaisudh2039u
2 and 2
-
cn3m[m]
aosidaisudh2039u: they use different kernels between device familys for hardening
-
louipc
yea
-
aosidaisudh2039u
cool
-
cn3m[m]
families*
-
cn3m[m]
so crosshatch is for 3, 3 XL, 3a, 3a XL
-
aosidaisudh2039u
thx guys
-
louipc
i do recall strcat saying long ago that the new phones between normal and XL variant use the same build
-
louipc
if im not mistaken
-
strcat[m]
the crosshatch kernel sources cover 3, 3 XL, 3a, 3a XL
-
cn3m[m]
<louipc "i do recall strcat saying long a"> they are separate builds and even testing
-
cn3m[m]
the kernel is shared
-
strcat[m]
the stock OS uses the same kernel for 3 + 3 XL
-
strcat[m]
and then another for 3a + 3a XL
-
louipc
ah
-
strcat[m]
we also use same for 3a + 3a XL
-
strcat[m]
but we have a different kernel for 3 and 3 XL because we disable dynamic kernel modules and build in those modules instead
-
strcat[m]
and the touchscreen driver is different for 3 and 3 XL
-
strcat[m]
that's why we have blueline, crosshatch and bonito as the parameters to the script
-
strcat[m]
docs try to explain this
-
strcat[m]
if we did what the stock OS does, it'd just have crosshatch and bonito parameters
-
strcat[m]
but we split blueline/crosshatch due to different touchscreen driver, which we built in
-
Iusearchbtw[m]
louipc: 4 and 4xl use the same kernel btw
-
Iusearchbtw[m]
There was no difference in drivers
-
louipc
cool
-
Ultron[m]
<louipc "google maps wont work"> It works but without the sign in functionality.
-
aosidaisudh2039u
so far it has been
```
./scripts/link-vmlinux.sh: line 93: 69661 Killed ${LD} ${LDFLAGS} -r -o ${1} $(modversions) ${objects}
make[1]: *** [/home/shifted/Desktop/grapheneos-QQ3A.200805.001.2020.09.11.14/kernel/google/crosshatch/Makefile:1106: vmlinux] Error 137
make[1]: Leaving directory '/home/shifted/Desktop/grapheneos-QQ3A.200805.001.2020.09.11.14/kernel/google/crosshatch/out'
make: *** [Makefile:152: sub-make] Error 2
```
-
aosidaisudh2039u
i've been unable to build the kernel for 3a
-
aosidaisudh2039u
it always stops at vmlinux
-
aosidaisudh2039u
LTO vmlinux.o
-
aosidaisudh2039u
my laptop has 6gb ram, maybe not enough?
-
inthewaves[m]
aosidaisudh2039u:
grapheneos.org/build#build-dependencies says you need > 16G ram
-
aosidaisudh2039u
is this absolutely impossible to build on 6gb ?
-
JTL
aosidaisudh2039u: Some aggressive use of swap might be a workaround, but LTO seems to be quite memory intensive
-
Ultron[m]
Can any body give me how much time it takes to build GOS on a decent 4c/4t cpu, 16 gb ram and ssd?
-
JTL
I don't have any recent benchmarks handy
-
JTL
but I remember with a skylake era xeon and 4 (around) 5400 rpm drives in RAID10 it took about ~3 hours I think?
-
JTL
haven't done that in awhile
-
inthewaves[m]
* aosidaisudh2039u:
grapheneos.org/build#build-dependencies says you need >= 16G ram
-
Ultron[m]
<JTL "but I remember with a skylake era"> Nice. I have a skylake cpu as well but consumer. i7 6700K.
-
JTL
it was roughly the same performance as the 6700k
-
JTL
except as a xeon
-
JTL
that good enough for you to start with? :P
-
Ultron[m]
Haha yes.
-
Lia[m]
```
PS I:\vanadiumtest> adb install TrichromeChrome.apk
Performing Streamed Install
adb: failed to install TrichromeChrome.apk: Failure [INSTALL_FAILED_MISSING_SHARED_LIBRARY: Reconciliation failed...: Reconcile failed: Package org.grapheneos.vanadium requires differently signed static shared library; failing!]
```
-
Lia[m]
```
PS I:\vanadiumtest> adb install -r TrichromeChrome.apk
Performing Streamed Install
adb: failed to install TrichromeChrome.apk: Failure [INSTALL_FAILED_MISSING_SHARED_LIBRARY: Reconciliation failed...: Reconcile failed: Package org.chromium.chrome requires differently signed static shared library; failing!]
```
-
Lia[m]
Problems I encountered as I followed the building instructions in Vanadium and installing it on other stock Android OS phones
-
mekanation[m]
Hello, I am trying to figure out which build to run for the pixel 3a, sargo is what is listed for the AOSP, but my options on the kernel are blueline, crosshatch or bonito. None of which are sargo. I've pored over the github and the readmes inside the kernel directory as well as looked at the bash script, but nothing is jumping out at me as "use this one!"
-
Lia[m]
bonito?
-
louipc
bonito
-
Lia[m]
<Lia[m] "Problems I encountered as I foll"> Need help here, I can't test patches without it being able to be installed as user app
-
louipc
mekanation[m]: yea i guess the build instructions could be worded better
-
mekanation[m]
Awesome thanks! I was really trying to not ask a stupid question but its a bit of a big build to get wrong
-
Lia[m]
I used the default args.gn, changed it, generated my certdigest
-
Lia[m]
But nothing works
-
strcat[m]
Lia: you're not using the correct cert digest
-
strcat[m]
or you're not signing it
-
mekanation[m]
Id love to help out grapheneOS more, but I dont have a ton of experience with android development, just core java and some C. Are there any devs willing to mentor? or maybe some beginner friendly bug fixes?
-
cn3m[m]
mekanation: I can recommend some starter issues that you would have no problem with basic knowledge thanks for the interest
-
cn3m[m]
do you have the build setup?
-
mekanation[m]
Most of the way done. How reliable is a emulator build over a for device build?
-
mekanation[m]
* Most of the way done. How reliable is an emulator build over a for device build?
-
strcat[m]
the emulator is reliable, you're just limited in what you can work on since it doesn't have the full functionality of a real device and doesn't have features like verified boot from a root of trust
-
strcat[m]
and GPU performance isn't good
-
strcat[m]
especially on some poor quality drivers
-
louipc
mekanation[m]: you could make cool non-google apps too :D
-
mekanation[m]
Is the correct order of operations write some code then build, or build so you have a base, write some code then build only diffs?
-
mekanation[m]
I'm game for anything louipc
-
louipc
i think that depends on the changes youre doing
-
louipc
refactoring gonna need fresh builds usually
-
strcat[m]
very few changes require fresh builds
-
strcat[m]
mekanation: get working builds without any changes first
-
strcat[m]
make changes, do an incremental build, test it
-
strcat[m]
you do not need to do a fresh build except in rare cases or before you're going to send in changes in a PR to make sure it works properly
-
louipc
yea good idea
-
Lia[m]
<strcat[m] "Lia: you're not using the correc"> Made and signed one before, probably because I initially cancelled the ninja with wrong certdigest
-
Lia[m]
Not sure if I should delete the files in vanadium/src/out/ and start over
-
strcat[m]
Lia: did you run gn args again with the new certdigest?
-
strcat[m]
if you change args.gn you need to run gn args again
-
Lia[m]
<strcat[m] "Lia: did you run gn args again w"> Yeah
-
strcat[m]
I would recommend double checking it's the right certdigest and doing a clean build with it
-
Lia[m]
Cancelled and changed it
-
strcat[m]
make sure you matched the case it uses
-
strcat[m]
needs to be same format
-
Lia[m]
Retrying before rebuilding cleanly as it takes a long time
-
Lia[m]
Should the build not be interrupted? Leaving my device the whole day is not an option for now
-
strcat[m]
interrupting it is usually fine but may sometimes cause an issue
-
strcat[m]
I don't think that's the issue
-
strcat[m]
the issue may be that you cannot change that part of the build configuration without a clean build
-
Lia[m]
Just to be clear, it's not only the src/out I should delete?
-
Lia[m]
Tested one last time and it failed
-
Lia[m]
* Just to be clear, it's not only the src/out I should delete for a clean build? Like from the start
-
anonymous821[m]
Also, my alarm sometimes does not work.
-
anonymous821[m]
I was told it might be due to battery life, however last time it did not work, the power was on 39%.
-
anonymous821[m]
Are there other settings I need to play around with?
-
mekanation[m]
Are you using default sms?
-
anonymous821[m]
yes
-
mekanation[m]
is DND on or off if you swipe down from the tray?
-
anonymous821[m]
dnd turned off
-
strcat[m]
Lia: out is the only relevant directory to remove
-
strcat[m]
if you did a clean build with what you think is the correct certdigest and you think you signed it, the problem is you didn't actually do one of those things
-
strcat[m]
you made a mistake somewhere
-
mekanation[m]
Put your build number and model in here for someone more experienced to respond. anonymous821
-
mekanation[m]
I dont know any more than what I told you.
-
strcat[m]
Lia: maybe the certdigest is incorrect
-
strcat[m]
Lia: sha256 in lowercase iirc
-
Lia[m]
<strcat[m] "Lia: maybe the certdigest is inc"> Will redo the certdigest. I just copy-pasted it which is odd
-
strcat[m]
Lia: make sure it has no :
-
strcat[m]
you could also try getting it from keytool itself
-
strcat[m]
instead of piping to sha256sum
-
strcat[m]
just to double check that's working right
-
anonymous821[m]
<mekanation[m] "Put your build number and model "> pixel 3a QQ3A.200805.001.2020.09.11.14
-
strcat[m]
keytool has a way to list keys and you can pass -v and maybe -sha256 to get it to show that
-
strcat[m]
forget the exact keytool commands
-
Lia[m]
I redo the command
-
Lia[m]
But now I have no build.ninja
-
Lia[m]
`ninja: error: loading 'build.ninja': No such file or directorh
-
Lia[m]
* `ninja: error: loading 'build.ninja': No such file or directory'
-
Lia[m]
* `ninja: error: loading 'build.ninja': No such file or directory`
-
Lia[m]
Is it fine to do gn gen out/Default?
-
Lia[m]
* Is it fine to do `gn gen out/Default?`
-
Lia[m]
* Is it fine to do `gn gen out/Default`?
-
lickidyspl1t[m]
If I were to donate $500 AUD to the project could you guys implement an imei changer of sorts 😱
-
strcat[m]
no, $500 doesn't cover developing custom hardware with that kind of feature
-
Seplx[m]
<lickidyspl1t[m] "If I were to donate $500 AUD to "> Changing imei is illegal
-
louipc
what if theres no imei to start with
-
cn3m[m]
louipc: yeah I use VoIP for everything
-
louipc
good idea
-
Ultron[m]
<cn3m[m] "louipc: yeah I use VoIP for ever"> But your device can be still traced via the IMEI, right?
-
bypassbob[m]
<louipc "what if theres no imei to start "> What about the imsi?
-
strcat[m]
Wi-Fi doesn't have an IMEI
-
strcat[m]
prefer Wi-Fi
-
Lia[m]
What do they mean when your location can be traced by wifi?
-
Lia[m]
By the way, rebuilding is in progress (will take days probably)
-
bypassbob[m]
WiFi triangulation is built into iPhones and android
-
bypassbob[m]
Them google street view vans scanned WiFi data also
-
louipc
bypassbob[m]: same
-
Lia[m]
Any case where wifi > ethernet?
-
strcat[m]
bypassbob: not sure what the relevance is
-
Lia[m]
In GrapheneOS
-
Ultron[m]
<Lia[m] "Any case where wifi > ethernet?"> None. Ethernet wins in every scenario except mobility.
-
strcat[m]
bypassbob: Wi-Fi supports anonymity, suggest reading the usage guide
-
Lia[m]
Since there is full randomization on MAC on GOS.
-
louipc
no wires to trip over with wifi
-
bypassbob[m]
strcat: you said prefer WiFi. It’s relevant to you.
-
strcat[m]
it's not relevant
-
strcat[m]
read the usage guide
-
bypassbob[m]
WiFi triangulation isn’t relevant to WiFi?
-
strcat[m]
don't post misleading / false information here
-
bypassbob[m]
How’s it false
-
strcat[m]
explained above
-
strcat[m]
Wi-Fi supports anonymity, which is the default
-
strcat[m]
it doesn't use unique / persistent identifiers
-
strcat[m]
bypassbob: not relevant
-
strcat[m]
we're talking about phone privacy
-
strcat[m]
not a STATIONARY Wi-Fi AP
-
strcat[m]
using nearby Wi-Fi networks as a way to detect location has no relevance to the topic
-
lickidyspl1t[m]
Wi-Fi and Bluetooth scanning for improving location detection are disabled by default, unlike the stock OS. These can be toggled in Settings ➔ Location ➔ Wi-Fi and Bluetooth scanning. These features enable scanning even when Wi-Fi or Bluetooth is disabled, so these need to be kept disabled to fully disable the radios when Wi-Fi and Bluetooth are disabled. GrapheneOS doesn't yet have an implementation of a coarse location service to supplement GPS location, so enabling these options doesn't actually do anything at the moment. Implementing a supplementary location service is planned but we need a robust, secure and private implementation via a local database. The initial focus will likely be a cell phone tower database, so these features still wouldn't be relevant.
-
lickidyspl1t[m]
> of a coarse location service to supplement GPS location, so enabling these options doesn't actually do anything at the moment.
-
lickidyspl1t[m]
🤔 confusing lol. So they're useless features at the moment ?
-
strcat[m]
what are you asking specifically?
-
strcat[m]
I don't see anything confusing
-
strcat[m]
it says there that we do not provide an implementation of those features, and regardless, that has no relevance to the topic
-
bypassbob[m]
Do you think 2FA will be implemented in Graphene soon?
-
strcat[m]
as explained there, Wi-Fi scanning is anonymous on these devices (without GrapheneOS too)
-
strcat[m]
bypassbob: 2FA works fine on GrapheneOS, what exactly do you mean?
-
strcat[m]
you mean 2FA to unlock?
-
bypassbob[m]
Yes and power on
-
bypassbob[m]
I haven’t got GrapheneOS yet just going off what I’ve read
-
strcat[m]
bypassbob: there is only an unlock method (which decrypts), not a boot password, not how it works
-
cn3m[m]
<bypassbob[m] "Yes and power on "> that won't happen
-
strcat[m]
there is per-profile encryption
-
bypassbob[m]
Here to learn more and ask questions
-
strcat[m]
bypassbob: we aren't going to be implementing a 2nd factor for the main passphrase, it would result in people losing their data and a strong encryption is already more than enough
-
strcat[m]
the plan is to extend how secondary unlock works
-
strcat[m]
recommend reading the planned feature on the tracker about having fingerprint + PIN 2 factor unlock
-
strcat[m]
* recommend reading the planned feature on the tracker about having fingerprint + PIN 2 factor secondary unlock
-
strcat[m]
does not impact primary unlock which should be a strong passphrase
-
bypassbob[m]
How does it work on boot? I’ve had some expensive encrypted phones. That you have to press a certain button combination to boot the device if you don’t it boots a dummy os. After booting it requires password
-
cn3m[m]
it takes 650 years to break a Titan M with a 4 digit random PIN
-
strcat[m]
bypassbob: as I said, there are per-profile encryption keys based on the unlock method
-
strcat[m]
it isn't tied to booting, it's per-profile
-
strcat[m]
so your question isn't applicable to GrapheneOS
-
strcat[m]
there is no boot passphrase, and there won't be one, each profile has a separate encryption key derived from the profile's primary unlock method (as with AOSP)
-
bypassbob[m]
So it’s like turning on windows then logging into a user?
-
strcat[m]
just go by what I said
-
strcat[m]
> there is no boot passphrase, and there won't be one, each profile has a separate encryption key derived from the profile's primary unlock method (as with AOSP)
-
cn3m[m]
and of course that primary unlock method is super strong since the Titan M
-
strcat[m]
it's super strong if you use a strong passphrase regardless since it uses scrypt combined with hardware-accelerated, hardware-bound encryption with the Titan M protection added on top of that
-
strcat[m]
the Titan M protection added on top is what makes it so that even a 6 digit PIN will take a ridiculous amount of time to brute force unless they can exploit the tiny attack surface of the Titan M
-
strcat[m]
so even a profile protected by a weak unlock method has that
-
strcat[m]
if it's a strong passphrase then it doesn't really matter, but of course it benefits that too
-
strcat[m]
the strong key derivation + hardware accelerated portion of it helps make passphrases inherently stronger
-
strcat[m]
it does scrypt in software and then the hardware portion of key derivation is delegated to the TEE implementation so that's device specific
-
strcat[m]
TEE ideally uses something like HKDF via a hardware accelerated implementation (Qualcomm SoC has hardware-accelerated HMAC for that with a hardware-bound key as an option)
-
strcat[m]
anyway encryption is per-profile, and could be made more granular than that
-
bypassbob[m]
So a very long passphrase would take a lot longer than 650 years
-
strcat[m]
it's not just 1 encryption key for everything with a passphrase entered on boot
-
strcat[m]
bypassbob: far longer than that
-
strcat[m]
and if the Titan M is not exploited successfully, then even a crappy PIN unlock lasts that long
-
strcat[m]
and Titan M firmware cannot be updated until authentication of the owner account is done successfully so you'd actually need to exploit it, can't do something like bribing insiders millions to steal the keys to sign firmware
-
strcat[m]
it's a nice approach
-
strcat[m]
would like to see other companies deploy OpenTitan chips with a comparable implementation of the APIs supported by AOSP in their devices
-
strcat[m]
this is just 1 of several features it offers (this is called Weaver)
-
strcat[m]
basically Weaver is a table of slots, 1 for each profile
-
cn3m[m]
Yeah Google and GrapheneOS could both work together and still couldn't break open your locked phone with malicious firmware it is super cool
-
strcat[m]
when you set the unlock method for a profile, it derives an auth token which is passed to Weaver
-
strcat[m]
Weaver generates a random token, passes that back to the OS
-
bypassbob[m]
That’s usually the method to breaking security as well blackmail or bribing workers
-
strcat[m]
and the OS uses that as one of the inputs to derive the encryption key (along with the other inputs like a token derived from the auth method, etc.)
-
strcat[m]
and Weaver enforces a rate limit that's exponentially increasing quickly going up to 1 day per attempt
-
bypassbob[m]
What type of encryption is used?
-
strcat[m]
so - if you use a strong passphrase this is a nice extra layer, but you don't really depend on it
-
strcat[m]
bypassbob: depends on device
-
bypassbob[m]
4 XL
-
strcat[m]
4 XL is AES-256-XTS for data blocks, AES-256-CTS for file names
-
strcat[m]
with file names rounded to 32 byte lengths on GrapheneOS
-
strcat[m]
it depends on the device though
-
bypassbob[m]
In your opinion is the 4 the most secure to date?
-
aln124[m]
I have a question regarding trojans on graphene os. How safe can someone be?
-
strcat[m]
devices without hardware accelerated AES will use
en.wikipedia.org/wiki/Adiantum_(cipher)
-
bypassbob[m]
* In your opinion is the 4 the most secure device to date?
-
aln124[m]
For example, swedish government has now a new law that gives the police right to secretly monitor your phone/pc etc if they "suspect" you of some sort of crime that can give 2 years of prison time...
-
bypassbob[m]
<aln124[m] "For example, swedish government "> A lot of countries are doing this.
-
strcat[m]
Adiantum is probably a lot nicer than using AES-256-XTS really
-
strcat[m]
but when you have hardware accelerated AES it's hard to justify using a software implementation
-
strcat[m]
it exists for devices without hardware accelerated AES
-
strcat[m]
aln124: don't install malware and grant it a bunch of permissions particularly quite powerful ones - about all that can be said
-
Ultron[m]
<aln124[m] "For example, swedish government "> Key Disclosure Law is there in many countries. None of the protection will work out there as you will need to reveal the key.
-
Ultron[m]
to the government of course.
-
strcat[m]
aln124: I don't think malware that you installed yourself and granted permissions is really an interesting topic beyond mentioning that Auditor is a great way to detect that there's an accessibility service, etc. (not really the core purpose of it, but it's a nice way to do that)
-
strcat[m]
Ultron: this is why using profiles is important
-
cn3m[m]
if you are worried about malware use another profile to install sketchy stuff you are going to grant permissions to
-
strcat[m]
how can you decrypt a profile on your device made for your friend in another country? you don't have the passphrase
-
strcat[m]
there are per-profile encryption keys
-
strcat[m]
the owner account can't decrypt secondary profiles
-
Lia[m]
I'm excited for the VPN profiles fix in Android 11
-
cn3m[m]
Yeah, I name my profiles after people
-
strcat[m]
Lia: inthewaves implemented it, our next release will be Android 11 though so that's why we have it there
-
strcat[m]
Android 10 GrapheneOS branch is EOL now
-
Ultron[m]
<strcat[m] "how can you decrypt a profile on"> Hehe. Seems like a decent excuse to go with.
-
strcat[m]
GrapheneOS development team is working on porting everything over, I'm mostly reviewing / correcting their work
-
Lia[m]
<strcat[m] "Lia: inthewaves implemented it, "> Skipping the current release and waiting for Android 11 due to beta reasoms
-
Lia[m]
> <@strcat:matrix.org> Lia: inthewaves implemented it, our next release will be Android 11 though so that's why we have it there
-
Lia[m]
* Skipping the current release and waiting for Android 11 due to beta reasons
-
strcat[m]
Ultron: you can legitimately have a friend in another country who you made that profile for
-
strcat[m]
Lia: yeah there won't be another Android 10 based release afaict (can't see a reason to) so might as well wait to handle that
-
strcat[m]
we just still had to do that release for everyone not beta testing
-
strcat[m]
and ofc it had to be beta tested itself
-
strcat[m]
and we couldn't release the problematic one we had to cancel
-
strcat[m]
not ideal for beta testers on 3a / 3a XL but yeah
-
Lia[m]
Is it possible to sideload the OTA skipping a release? asking for a beta tester friend
-
Hugh[m]
Is anyone able to actually get nextcloud to install during a seedvault restore?
-
cdesai
That is not supported at the moment
-
cdesai
Next cloud backups didn't work so well, but a lot of improvements have been made in that area
-
Hugh[m]
Fair enough
-
Hugh[m]
Also is there a way to trigger a restore at a point after initial setup
-
strcat[m]
not via the supported UI
-
strcat[m]
technically you can via adb shell to run the activity but that's not really supported
-
Hugh[m]
What would be the adb command or can you point me in the direction of the instructions?
-
Iusearchbtw[m]
Hugh: adb restore
-
Hugh[m]
This will trigger seedvault?
-
Iusearchbtw[m]
Remember that adb backup/restore is deprecated
-
Iusearchbtw[m]
No
-
Hugh[m]
Ah I meant the seedvault adb activity strcat mentioned
-
strcat[m]
I meant that it is technically possible to launch the same restore activity as SetupWizard but this is unsupported by Seedvault
-
Hugh[m]
ok, no worries. Thanks anyway
-
OdwoRyn
I am thinking of getting an unlocked Pixel 3XL to install Graphene. I saw a used unlocked phone that seems reasonable but it has android 11 already installed on it. Would that be a problem? Thanks!
-
xnaas
iirc it’s not too difficult to downgrade?
-
xnaas
(If you have to)
-
strcat[m]
OdwoRyn: that's not a problem
-
strcat[m]
the install guide suggests updating the stock OS before flashing anyway
-
vpsvrm[m]
Hi, when do you expect first beta release for 4a?
-
strcat[m]
no one is working on that
-
strcat[m]
devices require a device maintenance team to step up and work on them, and commit to long-term support
-
strcat[m]
so far no one has done that
-
strcat[m]
if that's the case in 6 months, it will be no closer to having support for it then either
-
strcat[m]
if no one steps up to do that we won't support it
-
strcat[m]
same goes for the Pixel 5
-
strcat[m]
if there aren't device maintainers for future Pixels, we won'
-
strcat[m]
* if there aren't device maintainers for future Pixels, we won't support them
-
neopetsarecool[m
<vpsvrm[m] "Hi, when do you expect first bet"> Calyxos for pixel4a is coming out soon in the meantime if you wanna check that out
-
vpsvrm[m]
<strcat[m] "if there aren't device maintaine"> Thx for info
-
vpsvrm[m]
Is it a good option to get a 3a? I'm thinking about long-time support.
-
jpds
vpsvrm[m]: If you can find one, Google stopped production - I believe
-
strcat[m]
the newest supported device is a Pixel 4
-
strcat[m]
and the 4 / 4 XL are the only devices with a dedicated maintainer right now which is required for all future devices too
-
strcat[m]
we support 8 devices, 6/8 lack maintainers
-
vpsvrm[m]
<strcat[m] "we support 8 devices, 6/8 lack m"> ok 4 is probably the best for GrapheneOS for me right now
-
vpsvrm[m]
Which Messaging Apps are running on GrapheneOS? Signal, Telegram, WhatsApp, Viber ... ?
-
dorrimi23[m]
<vpsvrm[m] "Which Messaging Apps are running"> Whatsapp works with no issues
-
palette1[m]
Whatsapp works great.
-
dorrimi23[m]
Dont know the others, check the log
-
Lia[m]
<vpsvrm[m] "Which Messaging Apps are running"> Signal, Telegram, Whatsapp work
-
vpsvrm[m]
<Lia[m] "Signal, Telegram, Whatsapp work"> Great - Any experience with Viber?
-
Lia[m]
No
-
M8383n550n[m]
<aeonsolution[m] "Your monetary donations support "> I am new in the GOS channel and willing to jump from LineageOS to GOS for privacy & security matters. I will donate to this project for sure. I want to know which phone I should buy first, the 3a or the 4a (with some small patience), from my preference list. I need a phone with an audio jack. If the development guys have the Pixel 4a as a target, I'd prefer to wait for it and buy it.
-
mekanation[m]
anonymous821: Hey didnt see anyone get to your question. I would try using signal as your default messaging system and see if that works. If it doesnt, consider a reflash of an older build that worked.
-
Autopsy[m]
> <@8383n550n:matrix.org> I am new in the GOS channel and willing to jump from LineageOS to GOS for privacy & security matters. I will donate to this project for sure. I want to know which phone I should buy first, the 3a or the 4a (with some small patience), from my preference list. I need a phone with an audio jack. If the development guys have the Pixel 4a as a target, I'd prefer to wait for it and buy it.
-
Autopsy[m]
> Thank you for reply.
-
Autopsy[m]
The 4a will be supported for longer, once it has a build.
-
Autopsy[m]
CalyxOS almost has a build ready for the 4a, so you could give that a go?
-
Autopsy[m]
I say supported for longer because it is newer. Google could pull the plug any time for any device, though. Just remember that!
-
arouzing[m]
So i have a pixel 3 and i was wondering who else here has it. how much screen time battery life do you normally get on it. Because it seems to me like it's burning through battery.
-
Autopsy[m]
The question is, what apps do you have installed, what are you using the phone for etc? Haven't seen many reports of draining battery life.
-
M8383n550n[m]
<Autopsy[m] "I say supported for longer becau"> Thank you very much, clear. I will consider your advice. Hope it will be supported for a long time.
-
Lia[m]
No guarantees, but you'd have CalyxOS while you wait
-
mastercakex[m]
<vpsvrm[m] "Great - Any experience with Vibe"> Works even better than Signal and WhatsApp
-
arouzing[m]
<Autopsy[m] "The question is, what apps do yo"> Nothing out of the ordinary. I'm just wondering if someone can give me their average battery life under heavy video consumption for example.
-
mastercakex[m]
I don't use WhatsApp but I tried it for a few days. Notifications don't arrive until I open the app
-
arept
hey there
-
arept
thinking about buying a pixel 3a tomorrow, is it worth it? How long will the support last?
-
Lia[m]
1 year and 6-7 months
-
Lia[m]
* 1 year and 8 months at least
-
arept
k thx thats long enough for me
-
Lia[m]
(The guaranteed by Google updates)
-
arept
google updates?
-
Lia[m]
Reword: The guaranteed OS/security updates by Google
-
Lia[m]
Pixel 4a is cheaper probably and has 34-35 months support left
-
arept
is graphene supported on 4a yet
-
Lia[m]
Not yet
-
Lia[m]
Waiting for a maintainer for it
-
arept
also what do you mean with google updates. Does graphene always support the same time span as google?
-
Lia[m]
Yeah
-
Lia[m]
I advise reading the FAQ
-
Lia[m]
-
arept
ok ill look into it, last question: i heard you cant unlock the bootloader on verizon models. Verizon models = pixel with verizon contract, right?
-
Lia[m]
Yeah, the one you buy from them, carrier variants
-
Lia[m]
Their models are a search away
-
arept
ok thanks for your help, I think I'll buy a 4a and use android 11 until graphene is supported
-
vvodenus[m]
auditor attestations failing for everyone on android 11 or just me? (pixel 3 xl / stock android)
-
Lia[m]
Is it the latest version?
-
vvodenus[m]
auditor version 18. think it is the latest from play store
-
Lia[m]
Use 19
-
Lia[m]
-
Lia[m]
Not yet in play store I guess
-
vvodenus[m]
Got it. will install
-
dazinism
arouzing: I've found Signal can drain a lot of battery sometimes. I think possibly when network connection isnt great
-
arouzing[m]
ahh
-
arouzing[m]
i mean this was before install
-
arouzing[m]
* i mean this was before install of that
-
arouzing[m]
* i mean this was before the install of that
-
dazinism
arouzing: search in settings for 'battery usage'
-
dazinism
Can see which apps are using power
-
dazinism
PIA VPN may use a lot. Think VPNs that use wireguard give best battery performance
-
mekanation[m]
do yall need any help writing more hand holdy guides?
-
Autopsy[m]
<mekanation[m] "do yall need any help writing mo"> What for, hombre?
-
Autopsy[m]
<dazinism "PIA VPN may use a lot. Think VPN"> Mullvad barely sips battery
-
dazinism
Think I'd use the Wireguard app with a VPN that supports that rather than the VPN services own app
-
mekanation[m]
Theres some cleanup in some sections that can be done if people dont know how to google. But i dont know if you really want users that dont know how to google cuz then theyd ask how do I install my google play apps which is bleh
-
Autopsy[m]
Fair enough, dazinism. Mullvad app is alright, though. After 8 hours and 44 minutes (since last charge) it has used 1% battery.
-
Autopsy[m]
<mekanation[m] "Theres some cleanup in some sect"> All well and good, but some people need to fail and learn from their mistakes before they come running for help.
-
dazinism
mekanation: I dont think documentation changes would get much attention right now, because Daniel likes to oversee/give the final edit/rewrite, and all his attention is on porting to android 11
-
mekanation[m]
makes sense.
-
Autopsy[m]
I wanted to make a "GrapheneOS for Dummies" installation guide, but I haven't had time yet. The documentation is fine as it is, but some people get stuck on certain parts or just like pictures to follow
-
mekanation[m]
Yea thats what I was thinking. Like if you do platform tools via linux you have to add your user to the right group to run fastboot commands, but you also have to log out and back in for the changes to take effect. Easy to google and fix, but if something like that was just as a warning in the guide it might make the install process easier for people.
-
mekanation[m]
But at the same time what is the mission of GrapheneOS? Power users who wont be annoying about things, or get everyone on it for more privacy focus everywhere
-
mekanation[m]
* But at the same time what is the mission of GrapheneOS? Power users who wont be annoying about things, or get everyone on it for more privacy focus everywhere?
-
Autopsy[m]
<mekanation[m] "Yea thats what I was thinking. L"> I take the lazy (unrecommended) way of using root or admin most of the time. Having to explain what to do to not use root or admin would take longer than just downloading the files and getting them to run the script
-
Autopsy[m]
<mekanation[m] "But at the same time what is the"> The latter, imho.
-
Autopsy[m]
Can't talk for the project, but the latter for me.
-
dazinism
Could write something in the community wiki
-
dazinism
Dan could use it if he likes the look of it
-
dazinism
Anyone could add/edit/improve
-
dazinism
-
Autopsy[m]
Linky plsnxoxo
-
Autopsy[m]
Oh, you did!
-
mekanation[m]
Sounds good, do we have a bug/features/sprint/whatever people call it these days board?
-
dazinism
I set that up, had a couple of folks other than me do some stuff there
-
dazinism
No, but could just start a list in a wiki page
-
mekanation[m]
I'm just looking to help however I can, but I havent found a good work on this spot.
-
dazinism
mekanation: if you think the documentation is missing anything and want to write stuff. Probably not terrible idea to write in the wiki. Others can edit/improve and it can be submitted, or picked from for the main site if appropriate
-
sad_plan[m]
strcat how come there's so few maintainers? I would've thought there was more interest in keeping this great project running 🙃 in any case, what *requirements* would one need to be a device maintainer? Know C languages?
-
Iusearchbtw[m]
sad_plan: tbh way more than just knowing how to code
-
Iusearchbtw[m]
Like you should somewhat have a picture of what you have to do and how you're going to do it before you can write the code for it
-
Iusearchbtw[m]
Past experience may make things easier but won't guarantee a result
-
adeus[m]
Can anyone point me to where I can find more information on how GrapheneOS handles backups?
-
adeus[m]
What is included in backups, limitations, etc.
-
renlord[m]
-
renlord[m]
this is the backup provider used in Graphene OS.
-
renlord[m]
all applications that implement the backup API can be back-up
-
renlord[m]
* all applications that implement the backup API can be backup-ed
-
renlord[m]
-
anonymous821[m]
mekanation: i might repost at a different time. I avoid Signal as it requires a phone no. Doesn't it also have access to contacts too?
-
adeus[m]
<anonymous821[m] "mekanation: i might repost at a "> Just use a virtual number and set a strong 2FA. It does not require access to contacts.
-
adeus[m]
Anyone that has used the backup and restore process in GrapheneOS, can you tell me when you restore does Signal require re-registration? Or is the app restored exactly how it was at snapshot?
-
anonymous821[m]
adeus: how do I setup a virtual number? is it free?
-
adeus[m]
anonymous821: just get a virtual number from any of the million services you can buy them for as cheap as 99c
-
anonymous821[m]
adeus: ok. I can potentially be doxxed via the payment though.
-
anonymous821[m]
Also, will I still be needing the virtual number for future verification purposes on Signal?
-
adeus[m]
> <@anonymous821:matrix.org> adeus: ok. I can potentially be doxxed via the payment though.
-
adeus[m]
> Also, will I still be needing the virtual number for future verification purposes on Signal?
-
adeus[m]
Use bitcoin
-
adeus[m]
No, it won’t ask you to verify the number again.
-
anonymous821[m]
lol, pseudonymous