Secure Smartphone Graphene OS on Google Pixel 4A

94 Antworten [Letzter Beitrag]
SwissScientist
Offline
Beigetreten: 10/29/2020

Hi, I'm using a Google Pixel 4A cellphone, running 'Graphene OS'.

Graphene OS is open source, and 'hardened' to be more secure agianst hacks.

I highly suggest anybody with the budget to afford the Google Pixel 4A to buy it, and flash Graphene OS on it.

PublicLewdness
Offline
Beigetreten: 03/15/2020

It's always nice to see more mobile OS alternatives. Is Graphene OS a degoogled version of Android similar to Linege or /e/ or is it more similar to Ubuntu Touch; Mobian; Manjaro Arm in that it is closer to a desktop Linux OS ?

I took a look at the specs of the Pixel 4A and doubt it is for me. If a phone won't give me a removable bettery then I want at least 4000 mah and the 4A is 3140. I am more interested in the Volla phone if I will overlook a non removable battery.

Jorah Dawson
Offline
Beigetreten: 12/13/2020

I think Daniel Micay is doing a great job with GrapheneOS. However, What about non-free Google firmwares on those devices?
Everybody knows big G is a untrustworthy company.
Besides, giving them money? No way.

What is more, think of Titan M chip that runs sensitive information and has closed source firmware.
On the other hand, there is a free implementation (Opentitan) However, nowadays is not running on such phones.

Am I the only one that see a similarity between it and Intel ME?
Security versus privacy. I prefer privacy. That's my point of view. So I use Replicant.

traxter
Offline
Beigetreten: 03/23/2018

> What about non-free Google firmwares on those devices?

Isn't the baseband on a Samsung Galaxy S2 or S3 always running non-free firmware, even when Replicant is installed?

> Security versus privacy. I prefer privacy

But there can be cases in which weak security compromises privacy.

Replicant is based on Android 6 and has not received any updates in years. This is not something that should be taken lightly.

It's a dilemma :-(

Magic Banana

I am a member!

I am a translator!

Offline
Beigetreten: 07/24/2010

As far as I understand, yes, all baseband chips on all cell phones run proprietary software.

Jorah Dawson
Offline
Beigetreten: 12/13/2020

>Isn't the baseband on a Samsung Galaxy S2 or S3 always running non-free firmware, even when Replicant is installed?

Non-free baseband processor OS is inherent to almost every mobile device. Anyway, there is one exception, OsmocomBB.
What I mean is those firmwares (camera, wifi...) provided by the devil Google.

>But there can be cases in which weak security compromises privacy.

Undoubtedly.
However, nowadays this is a common excuse for losing more and more privacy.
For instance, Intel says IME is a security feature or think of Google safebrowsing.

Nevertheless, Replicant insecurities are almost always related to local storage.

Magic Banana

I am a member!

I am a translator!

Offline
Beigetreten: 07/24/2010

The comparison with the Intel Management Engine looks appropriate: it is a whole proprietary operating system with total access and total control over the rest of the hardware... and almost certainly a backdoor.

On the contrary, the comparison with Safe Browsing makes little sense. https://trisquel.info/forum/abrowser-what-dangers-removing-all-https-web-addresses-aboutconfig#comment-156568 sums up what Safe Browsing does and https://trisquel.info/forum/abrowser-what-dangers-removing-all-https-web-addresses-aboutconfig#comment-156585 the results of a technical investigation on Safe Browsing by academics. They conclude: "Use of the Safe Browsing API therefore appears to raise few privacy concerns".

lutes
Offline
Beigetreten: 09/04/2020

So in fact, Safe Browsing has nothing to do with Google?

EDIT: sorry, I had forgotten about this, from the first post your reference:

"So, through Safe Browsing, Google only knows:

  1. every 30 minutes, that an IP address has a Web browser opened;
  2. that the user may (or not: because Firefox adds noise) have visited a URL whose hash was sent: it may be one of the unsafe pages having this hash or a safe page with the same hash."

So it appears that Safe Browsing is in fact totally dependent on Google, as things stand.

Magic Banana

I am a member!

I am a translator!

Offline
Beigetreten: 07/24/2010

It does depend on Google. That does not automatically mean it raises privacy concerns.

For many users, being warned that a page is phishing (maybe imitating the page of your bank) is worth having Google know every 30 minutes that they have a Web browser opened and having it possibly guess (but never be sure) that they visited such unsafe pages.

I very much doubt Google exploits such weak information to profile users. It has many more reliable ways to to do so: the advertisement it displays on most of the Web, the Google fonts most of the Web pages download from Google, Google Analytics, which dominates the market, etc.

lutes
Offline
Beigetreten: 09/04/2020

> I very much doubt Google exploits such weak information to profile users. It has many more reliable ways to to do so: the advertisement it displays on most of the Web, the Google fonts most of the Web pages download from Google, Google Analytics, which dominates the market, etc.

Totally agreed.

As I said on that other thread, my concern is less about the privacy risks arising from that particular leak than about one more dependency to the same sworn enemy of privacy. It simply does not make sense not to take into account the larger picture. Is there really no other place where these data could be sent, with the same results in terms of browsing safety?

> For many users, being warned that a page is phishing (maybe imitating the page of your bank) is worth having Google know [...]

I will not pretend to be shocked that Abrowser is allowing this by default, but I fully understand that the same users worrying about phishing might find it unsettling never to be asked - and, by the same occasion, informed - about who they are willing to depend on for safe browsing services.

Magic Banana

I am a member!

I am a translator!

Offline
Beigetreten: 07/24/2010

I believe Safe Browsing is disabled by default on Abrowser.

And yes, it would be preferable to have an organization such as the W3C administrate Safe Browsing.

lutes
Offline
Beigetreten: 09/04/2020

> Safe Browsing is disabled by default on Abrowser.

Indeed, as I just corrected in the other thread, but you replied here before I had time to replace "Abrowser" by "Mozilla Firefox", in effect kicking me out of my own edit.

So yes, there is still hope with Abrowser. The Firefox people, on the other hand, seem to find it perfectly OK to rely on Google by default.

Avron

I am a translator!

Offline
Beigetreten: 08/18/2020

Perhaps GrapheneOS does a good job to protect against malware in apps but it probably can't do anything against malware in the modem and wifi firmware, which most likely have some direct access to the main memory.

For me, finding a Pixel phone is not easy, so I just got some easier to find phone that has LineageOS support, I don't put any personal data on it and I avoid using it by not putting anything convenient on it.

gaseousness
Offline
Beigetreten: 08/25/2020

https://teddit.net/r/GrapheneOS/comments/bddq5u/os_security_ios_vs_grapheneos_vs_stock_android/ekze9n6/

^ Wow, doing commercials for spyware microsoft and apple it appears with a quick skimming. I saw Edward Snowdon do commercials for non-free signal on his twitter in the past, so I can't take that character serious.

Avron

I am a translator!

Offline
Beigetreten: 08/18/2020

For my curiousity: what apps are you using on your phone?

I am using phone calls, SMS, Conversations, Tusky, OSM and Organic Maps (I keep location services permanently off).

If I had a Pixel phone already I would give GrapheneOS a try. I would try to check the long list of security features listed on the website and see what I need to configure to get the expected benefits. Due to the non-free software that remains on the phone, I would still try using it as little as possible.

gaseousness
Offline
Beigetreten: 08/25/2020

Don't really use apps on the dumb-phone. I installed an android-x86 on a desktop computer I wasn't using much, may not be that ideal for freedumb and security, and a bit tricky to get most applications to work, and in general, but get access to a some sort of tty, and I can boot up gnu+linux live cd and backup the partition and restore from that backup.

"firejail security

Can’t rely too much on Daniel Micay as security export because he’s (often justified…) critical on “everything”… Could as well as give up and go home following that sentiment. Reference: https://forums.whonix.org/t/daniel-micay-quotes/8509 "
https://www.whonix.org/wiki/Dev/Firejail

^ Was an interesting debate, but firejail works with and without user namespaces, and suid are more necessary evil in general? Maybe it's not that bloated for all it does, is gpl, community seems good, and firejail's devs seem like they enjoy fixing bugs.

gaseousness
Offline
Beigetreten: 08/25/2020

"Houdini is an ARM translation layer for android developed by Intel and Google to run ARM apps on x86 architecture. The project is closed source and nowadays android x86 doesn't have it pre-installed in the system."
https://github.com/SGNight/Arm-NativeBridge

^ If I recall correctly? Not sure if it'd be that problematic for f-droid programs. Unfortunately, android-x86 only has only a regular android and lineage version.

Perhaps the "experts" would find it difficult explaining how a non-free android virus would contaminate a finalized gnu/linux cd, and also could avoid some potential planned obsolesce, audio surveillance while we wait for the pinephone to become more user friendly? Easier to deal with a regular desktop than trying to disassemble some of the dumb-phones? Screenshot is of https://f-droid.org/en/packages/com.drodin.tuxrider/ with a 4:3 aspect ratio monitor that seems to be working well, and I prefer mouse and keyboard over touchscreens.

bbb3384e051bfa1245da247183acbf3e.jpg
gaseousness
Offline
Beigetreten: 08/25/2020

I only use one account, and no sockpuppets. I only brought up firejail because the names Danial Micay and Madaidan were mentioned, and because I was looking into firejail, I happened to run in to some major red flags with those characters. And these forums are for trisquel, mainly and other free software perhaps, so please excuse that some people may not know about some new "open source" android. I've seen the absurd privacy policy lineage has, and other contenders that have promoted garbage like non-free signal so forgive my skepticism. Buying a pixel to get away from Google, makes sense?

Checking out the reputation of the devs is bad for security? Doubtful, perhaps less chances of being phished, if super paranoid? I posted a link of the grapheneOS dev apparently doing ridiculous commercials for non-free malware. It appears legit, Madaidan linked to it, in his spams, so it's not likely Danial was impersonated on the social control media. Questioning that is definitely not throwing mud, because it is his public "opinion?" on security, and not like some unrelated political view he has. In my honest opinion, I'd never use grapheneOS, probably, because Danial looks compromised or sold out due to the wild commercials on his reddit. Maybe this grapheneOS is slightly better for you than the typical garbage android experience, and good to hear if so, but others could have various degrees of paranoia, and perhaps could deal with less usability? The amount of people I know of who have had bad times with non-free "security" compared to freedumb... well that'd be just hearsay, but way worse for non-free.

https://www.hyperbola.info/packages/?sort=&q=firejail
If firejail is too bloated, then why hasn't hyperbola removed it? They seem to be more on the side of extreme minimalism.

https://github.com/netblue30/firejail/issues/3046
^ In my opinion, the firejail devs were cool, they explained things, look open to suggestions about general design, and have over a thousand programs specifically sandboxed. Madaidan, on the other hand, in my honest opinion, basically just spammed, by continually repeating his "concerns" of firejail having a "large attack surface". 9 times if i counted right. And now, two years later, I'm not aware of Madaidan's superior sandboxing program.

On that reddit link, weird place to look for support, they could consider better places, such as firejail's website, or their distribution's forums, irc, or even read the manual instead? Trisquel should be getting firejail "LTS" version to my knowledge, and the firejail devs have claimed like 40 percent reduction in its size or something like that. I'm not a fan of the amount of CVE's argument, but appears there's only been three Debian Security Advisorys for it https://security-tracker.debian.org/tracker/source-package/firejail. Looks like quite the reduction with their "LTS" approach, percentage wise? Any program could have bugs, not yet discovered, hopefully over time more and more will be fixed? You're example of some race condition that was fixed just makes firejail look more good to me, because fixing bugs is good. I don't have that much knowledge on "modded Android(s)?", and I've never used grapheneos, but have seen not appealing results with sysctl using stuff like termux, on multiple devices in the past.

"The Pixel 4 and Pixel 4 XL have comparable security but won't be supported as long"
https://grapheneos.org/faq#supported-devices
^ Counting the decades with gnu+linux, still getting support on a quite old computer.

I highly doubt that one person could do all the work of trying to sandbox all your apps, one by one, and fix the mess of android. I've seen older topics in the forum of good experiences with firejail, just search https://trisquel.info/en/search/node/firejail
If it doesn't sound good to you or you don't like it that's fine, we all can have our own preferences? Is there a way to boot gnu/linux live cd with a dumbphone? Said I didn't know if desktop was ideal, maybe better for some things, but not for fitting in the pocket.

https://raw.githubusercontent.com/Whonix/sandbox-app-launcher/master/COPYING
The licensing seems weird for Madaidan's program? Is it even free software, seems like quite the difference with "proprietary" wording?

And the github link you mentioned, bubblewrap would be setuid for me, as well, since I don't use chromium, or user namespaces, and I'm looking to use something, and as he said "bubblewrap isn't really designed to be a user-facing tool". firejail devs seem more than reasonable, and the best option that I know of right now, and works well with apparmor, for me.

--nosound makes applications I don't want to play sounds silent. Way better than disable sound service on slowdows, and didn't see an option for sound permission for android's "sandbox", if I remember right. Good to see free software getting better and better.

gaseousness
Offline
Beigetreten: 08/25/2020

https://trisquel.info/en/forum/dpkg-errors-installing-firejail
^ This looks likes a case of one who maybe was installing random debs, or mixing other incompatible distros in sources.list, my guess https://packages.ubuntu.com/bionic/amd64/emacs25-lucid-dbg/download. Not fun stuff can happen from doing this.

https://github.com/netblue30/firejail
"Summary: A vulnerability resulting in root privilege escalation was discovered in
Firejail's OverlayFS code,

Versions affected: Firejail software versions starting with 0.9.30.
Long Term Support (LTS) Firejail branch is not affected by this bug."
^Looks like this bug may have not been for us.

https://wiki.archlinux.org/title/Security#Sandboxing_applications
^ firejail is their first suggestion, perhaps that reddit page was some unoffical "social" "media"?

gaseousness
Offline
Beigetreten: 08/25/2020

"Even in the desktop version, Firefox's sandbox is still substantially weaker (especially on Linux, where it can hardly be considered a sandbox at all) and lacks support for isolating sites from each other rather than only containing content as a whole."
https://grapheneos.org/usage#default-connections

I didn't find the apps he suggested on f-droid, so looks suspect, but anyways Chromium needs username spaces, or basically it'd be all weird, and like javascript websites don't work well at all. Proof proceeds

"I am not sure if it's that big of a deal but you should know Debian is the only major distro that has user namespaces disabled. All the other distros and the official linux kernel don't disable user namespaces by default and actually can't disable user namespaces. Even Ubuntu which is based on Debian has it enabled.

There have been some vulnerabilities with enabling that feature (all the known ones are fixed now) but I don't think it should be that concerning for the majority of users. For the most part it's safe"
https://github.com/flathub/org.chromium.Chromium/issues/31#issuecomment-739184005

"Unprivileged users should not have access to netfilter administration code. It exposes far too much attack surface and is one of the reasons unprivileged user namespaces are such a security risk."
https://github.com/netblue30/firejail/issues/3046#issuecomment-555591615

Looks like a different view?

"His views are far more worthy than any of ours. Take your pointless insults elsewhere."
https://forums.whonix.org/t/tor-browser-hardening-hardened-malloc-firejail-apparmor-vs-web-fingerprint/7851/54

I guess this would make his view, unworthy? "Experts"

gaseousness
Offline
Beigetreten: 08/25/2020

I didn't really do that, and that wasn't my intention, and if you read my responses you could see why I did, and it did bring out reasons why one would be weary of GrapheneOs's probable fake security and freedom issues. At least I have some possible examples, that could be true, of why I'd avoid a dumbphone, maybe things have changed since my memories of previous experiences? If you have reasons or experiences to explain I'd prefer to hear those. Of course, perhaps, I could cut to the chase or be more clear about what I mean, but no one is perfect? I didn't even know pinephone had hardware switches, until someone told me in these forums. Also, you sent several links about firejail yourself, and I responded to them. I'm not going to buy a new google phone just to see how wrong or right I am about it. Also, both trash Android and gnu/linux use the linux kernel and many or not all of the sandboxing options utilize the linux kernel to my knowledge, so could be very relevant. "Security" might be a bit subjective and complicated, but " It's just the fallacy that open source is more secure and privacy respecting." https://teddit.net/r/GrapheneOS/comments/bddq5u/os_security_ios_vs_grapheneos_vs_stock_android/ekzo6c0/#c is a flat out deception or lie. Theoretically, one could make some nasty pure non-free super spyware and slap on a free software license on it, but in reality slowdows, IOS, and Android are so much worse, and that's much easier to prove to yourself without a doubt. Apple's (iThings) a bit harder, I suppose, but theirs a "recent" scandal how apple is snooping on users files in your mainstream propaganda news. Also, heard that it's always been in their privacy policy that they are snooping, so if you want to weigh that against their publicity stunts? There's also a "you"tube video entitled "GrapheneOS: The Most TOXIC Privacy Community (Attacks on CalyxOS, Seth Simmons, Techlore, & More)" and I don't know if it's true, but if it is I woudln't consider it a check-mark in the pro column, because community support, and allies are probably a good thing. Towards the end was claimed he was starting drama with pureos and pinephone. Last I knew, google ruined how you can set a processes niceness in gnu/linux with android with their linux kernel with micromanagement on that, has any of the others resolved that annoyance? Time and time again "media" has been reporting ransomware printnightmare or whatever, slowdows, must be way to much of a bloated mess, or their backdoors were a bit too sloppy, if they can't seem to fix their problem fast?

As far as I can tell firejail has nothing to do with GrapheneOS other than to confirm just how good GrapheneOS is.

Firejail, I don't think can be used on android, probably due to it's lack of options, at least we ain't stuck with one option in gnu/linux, but Danial Micay's "opinions" can be taken into consideration, and the fundamental technology of firejail = the linux kernel. So yes and no, I believe. and LOL, can you convince me how good GrapheneOS is, I mean might be hypocritical that you can, apparently, bring up firejail as your "argument", but I cannot?

gaseousness
Offline
Beigetreten: 08/25/2020

https://omertadigital.com/

^ This link says Edward Snowden promotes it, so it is a major red flag to me, he promoted non-free signal in the past, which killed off libresignal in the past, and there's better choices. Edward Snowden, is suspicious, and why would the mainstream "media" always talk about him so much if he's leaked stuff the corporations don't want us to hear?

"By setting user to nobody or somebody similarly unprivileged, the hostile party would be limited in what damage they could cause." https://manpages.debian.org/testing/openvpn/openvpn.8.en.html

^ Of course, this didn't work last I knew with android's buggy vpn api, perhaps android is just too much a lost cause?

gaseousness
Offline
Beigetreten: 08/25/2020

I've never used some less non-free android, yet, low interest level and so... disclaimer?

gaseousness
Offline
Beigetreten: 08/25/2020

https://tube.cadence.moe/watch?v=odNNmL42WMQ

^ fun stuff that happened a bit back before the more publicized heartbleed, from upstream openssl being a bit too toxic, and appears their code was such a mess even they didn't understand it, and one wrong line deleted, and could have been a game over? Appears gnutls or gnupgp would have been the safer choice for cryptographic key generation?

gaseousness
Offline
Beigetreten: 08/25/2020

I haven't tried myself, but appears one who prefers to keep user namespaces disabled with linux the kernel, may have some luck with chromium trying something like

ungoogled-chromium --no-sandbox

"chromium has hundreds of undocumented command-line flags that are added and removed at the whim of the developers. Here, we document relatively stable flags. "
https://manpages.debian.org/unstable/chromium/chromium.1.en.html
Welcome to the modern web?

"The reason that Google and other companies want to have these kernels live longer is due to the crazy (some will say broken) development model of almost all SoC chips these days. Those devices start their development lifecycle a few years before the chip is released, however that code is never merged upstream, resulting in a brand new chip being released based on a 2 year old kernel. These SoC trees usually have over 2 million lines added to them, making them something that I have started calling “Linux-like” kernels.

If the LTS releases stop happening after 2 years, then support from the community instantly stops, and no one ends up doing bugfixes for them. This results in millions of very insecure devices floating around in the world, not something that is good for any ecosystem."
http://kroah.com/log/blog/2018/08/24/what-stable-kernel-should-i-use/
Opinion of one of the linux kernel devs.but from 2018, so maybe it's become better or worse, but doesn't surprise me, planned obsolesce probably a goal on the hardware side so why would they really care?

Screenshot is of no luck with trying openvpn with some additional paranoia.

2bff85447d457fec209eb9b984a41e85.jpg
lanun
Offline
Beigetreten: 04/01/2021

Snowden famously said the safest place for your mobile phone is the fridge.

He was wrong. The safest place for a mobile phone is the electronic waste recycling center.

gaseousness
Offline
Beigetreten: 08/25/2020

"Off the bat, let me explain that I expect a tool which claims to be secure to actually be secure. I don’t view “but that makes it harder for the average person” as an acceptable excuse. If Edward Snowden and Bruce Schneier are going to spout the virtues of the app, I expect it to actually be secure when it matters - when vulnerable people using it to encrypt sensitive communications are targeted by smart and powerful adversaries.

Making promises about security without explaining the tradeoffs you made in order to appeal to the average user is unethical."
https://drewdevault.com/2018/08/08/Signal.html

The clown, Bruce Schneier, perhaps wasn't so bad in the past, but sold out later on, I speculate or guess. All of my comments have been censored that I made on his site, and they weren't that bad. He was promoting non-free like signal, and what's funny about these "experts" is that from most cases if you check out their contact pages, you won't see signal, so why not practice what you preach? https://www.schneier.com/blog/about/contact/

Interesting site from an "expert" that was mentioned proceeds.

https://madaidans-insecurities.github.io/index.html

LOL, what a funny site advertising unverifiable non-free "security" from corporate monopolistic malware makers. More hypocrisy, than just sandbox methodology. At the main page it says

"My name is "madaidan". I'm a security researcher who works on various open source projects, mainly Whonix. My website provides information on security and privacy-related topics — it aims to highlight security issues within popular technology, debunk misinformation and provide free security guidance for everyone. This website was created by me, with help from concat and a few other friends.

You can contact me on various platforms, including Reddit, Matrix and Telegram. I operate a bridged Matrix room and Telegram group that I'm often active in. "

So why is madaidan involved with forking a gnu/linux distro or using a telegram group chat, if he's got deceptive articles about both of them being like so insecure. As usual, this "expert" is promoting signal, but wasn't using it himself or herself? Also using proprietary garbage like snap from ubuntu, or flathub for free software example being soooo insecure is very deceptive. Perhaps the underlying technology of flathub could be used in a better way with free software, but package managers we have like apt pacman, etc., really make it nice and free of malware mostly, easy updates, just be careful. Mostly lies and some truth in such a biased way that's clearly just a spin is a deception in my opinion. Like, the "expert" makes it out that the slowdows 10, spyware "telemetry" evasion is an easy tasks, but I got bored before and played around with it, and Microsoft made it much more of a pain, than earlier less bloated versions of slowdows. Microsoft will install updates to change what you tried, and even use svchost.exe for their spyware. Microsoft, to my knowledge, isn't even hiding it that well yet, and one can just type netstat in a slowdows command prompt to see many unexplained connections. https://www.bleepingcomputer.com/news/microsoft/windows-10-hosts-file-blocking-telemetry-is-now-flagged-as-a-risk/ Recent non-free malware is really bad, from my personal experiences, just mostly bloatware with even more additional bloated anti "virus", spyware prisons, bugfests. Majorly cutting down on non-free is way better than having to reinstall slowdows, update and reboot, get mockery error codes, do factory resets, installing itunes to try to get an Ithing to boot, because all it does it show it's silly logo at boot. When my last laptop broke with gnu+linux, I just dd'd the partition over to another and besides having to get the network interface names to match up again, it just worked. Perhaps non-free used to be much better, quality wise, in the earlier days of gnu\linux? Gnome 2 was way better in my opinion, but good thing it was free software and so I can use it with mate, if I prefer that to gnome-flashback, but what if I liked the gui in slowdows xp? LOL, what confusion!?

gaseousness
Offline
Beigetreten: 08/25/2020

"desperate bombing"

... The majority of my points, you haven't convinced me otherwise on, I didn't see clown Snowden say this is my signal hit me up, in his advertisements of the trash application. Hollywood made a movie of him portraying him in a good light, sorry but not gonna be a false idol for me?

In the past I tried rooting usb, unlocked bootloader, but just got slowdows garbage, like spyware addons in mozilla, usb is just so annoying. Mozilla's walled garden of many digitally signed non-free add-ons approach, didn't work, and oh well, didn't care too much not much a loss to delete windows again. I'm not looking to purchase a new stalin's dream anytime soon. Starting with non-free android route might be a lost cause, who knows, even pinephone route might be a as well, the minichips are some nasty proprietary black boxes and I don't want to get my hopes up, but no one can predict the future? Android-x86, that I tried was based off of a recent google android, and was severely out of date linux kernel wise. And the site you sent "You will require a PC/Laptop and a USB cable." and that's quite a shame the same problem hasn't been fixed. I'd want the option to use root, or change the operating system easily, if I want to.

"It is not on my phone’s GrapheneOS"

Any proof though, of it running with lowest possible privileges, ideally paired with some link from some other website?

Maybe I'll check out that "you"tube video sometime later on one of these days.

Magic Banana

I am a member!

I am a translator!

Offline
Beigetreten: 07/24/2010

The majority of my points, you haven't convinced me otherwise on

Your points are bullshit. You obviously know nothing about security or free software (claiming programs are proprietary when they are not). You are even apparently proud to *not* be an expert. Yet you feel legitimate to bitch about those who actually do a lot for our freedoms.

The best is to ignore you. There is no point in "convincing you". I have tried. It is a pure waste of time. You just ignore the response and come up with more bullshit that has nothing to do with what you previously claimed. Typical of conspiracy theorists.

gaseousness
Offline
Beigetreten: 08/25/2020

I'm not into CONspiracy, and have told you this before. You can skip more towards the end of this "you"tube video https://yewtu.be/watch?v=EXi1emH7xsY and hear Richard Stallman himself talk about signal, he's also mentioned it in a video with Bryan Lunduke. Seek to about 58:20

"#This project was abandoned because Moxie Marlinspike said he was not OK with LibreSignal using the Open Whisper Systems servers and the name "Signal"."
https://github.com/LibreSignal/LibreSignal

If you look online you can find evidence of signal bodyguarding even whatsapp and skype.

Even, Jamie Zawinski has referred to signal as pretend open source, in a blog.

"The best is to ignore you. There is no point in "convincing you". I have tried."

Not that true, chaosmonk let me know that pureos phone wasn't the only cellphone with physical kill switches, and pinephone had them as well, looks like he was telling the truth, worst case, learn something new, and I don't care if I'm wrong. Opinions can't really be wrong or right in some cases? Someone who has a degree in computer science, admitted to me that programs he's written in rust without "unsafe" could still have memory unsafety, or whatever, just that it's a lot less of development time than C.

"Yet you feel legitimate to b**** about those who actually do a lot for our freedoms."

Not really? please remind me of who I have and how?

http://www.gnu.org/proprietary/malware-google.html

Google ain't deeply involved with monopolistic malware? It's weird how they donate to reproducible builds project, the "media" claim they use something called glinux so maybe that's why?

" You obviously know nothing about security or free software (claiming programs are proprietary when they are not). You are even apparently proud to *not* be an expert. "

LOLOL! wow, if I am so stupid, being a meany you think will learn me something?

Ubuntu snaps autoupdate, there's a ton of non-free ones. just like flathub (not auto-update but seen stuff like spotify if I recall correctly), you visit their website, and it's not like f-droid or other similar free software ways where you can download the apk or download the source code. Flathub didn't even work without javascript, non-free?

gaseousness
Offline
Beigetreten: 08/25/2020

CONspiracy is such a far stretch, not like I have some website trying to sell things, and spreading half truth mixed with lies just trying to confuse, as a not officially admitted to, probably mainstream media in disguise, they can controllably debunk, who knows for sure? Some motives (officially), if I remember right, was money and popularity seeking, and clearly not the case with me?

Edits*
bruce s's about page on his blog (full of too much non-free promotions when I used to try to follow it) has him as a member of multiple groups that signed the anti rms defamation letter. Let's pretend something like freenode hijacking\betrayal has never happened and I'm just the dumbest of the dumb?

I guess this could make my tale of slowdows viruses more believable, which I got trying to root android unlock bootloader? Can't remember the exact specifics, default search was changed. Was a bit ago.
https://www.zdnet.com/article/mozilla-has-banned-nearly-200-malicious-firefox-add-ons-over-the-last-two-weeks/

Magic Banana

I am a member!

I am a translator!

Offline
Beigetreten: 07/24/2010

Not that true

I will try one more time.

hear Richard Stallman himself talk about signal

He says that a confrontation, which got resolved, between the developers of Signal and somebody who released a modified version of the client leaved him (RMS) with a "bad feeling about the developers of Signal".

That is very different from claiming that Signal is non-free, what you did at least three times in this thread alone.

"#This project was abandoned because Moxie Marlinspike said he was not OK with LibreSignal using the Open Whisper Systems servers and the name "Signal"."

This has nothing to do with Signal being free or non-free either.

There are actually good points to make to defend that Signal raises freedom issues, although Signal's code is free: "all official APKs include multiple closed source Google dependencies including Firebase Cloud Messaging (for notifications), Maps, and Authentication", as written on https://www.twinhelix.com/apps/signal-foss/ which is a modified client solving those problems and using Signal's servers.

The developer of Signal-FOSS, tw-hx proposes his code for the main Signal client and Signal's developers actually correct the freedom issues: https://github.com/signalapp/Signal-Android/pulls?q=author%3Atw-hx+

Compare tw-hx's behavior to yours.

Someone who has a degree in computer science, admitted to me that programs he's written in rust without "unsafe" could still have memory unsafety, or whatever, just that it's a lot less of development time than C.

Show us the code that does not use the "unsafe" keyword but segfaults. Until then, your claims are worthless.

Not really? please remind me of who I have and how?

You called Edward Snowden a clown. To raise public awareness about NSA's disrespect of our privacy, the guy has knowingly abandoned any hope to go back to his country, his family, his friends, etc. What have you done?

LOLOL! wow, if I am so stupid, being a meany you think will learn me something?

I have never said you are stupid. I said you are ignorant about the topics you comment with much animosity. You actually acknowledge it: "I'm basically like a complete novice when it comes to dumbphones and tablets", you have just written.

In fact you are apparently proud of not being an expert, a word you only use ironically. You should definitely try to learn something about the technical/legal topic you comment before expressing any strong opinion on it. You are currently toxic to the free software community.

gaseousness
Offline
Beigetreten: 08/25/2020

Killing off forks, not being on f-droid, requiring javascript to download an apk from their website, only on snap? That's free? Google play, not in the repos, not gonna trust them via their apt repo, or snap :)
https://directory.fsf.org/wiki/Signal
https://search.f-droid.org/?q=signal&lang=en
Some random website, I don't trust, f-droid, I find to be the most trustworthy for apks, why should someone else be able to let you download it, but not f-droid?

"A program is free software if it gives users adequately all of these freedoms. Otherwise, it is nonfree. While we can distinguish various nonfree distribution schemes in terms of how far they fall short of being free, we consider them all equally unethical." http://www.gnu.org/philosophy/free-sw.html
Am I misunderstanding something, adequately, or "to a satisfactory or acceptable extent", so I thought it was more than just the license, or some technicality, well that's how it seems to come across?

"That is very different from claiming that Signal is non-free"
And that's very different, from him saying "Signal is free software".

"This has nothing to do with Signal being free or non-free either."
Well idk... f-droid has a promotes non-free network services antifeature, kinda a grey area, like the ways to view youtube without non-free javascript, these days? Still relying on them at the end of the day? The way which it was done was no good, imho.

"You called Edward Snowden a clown. To raise public awareness about NSA's disrespect of our privacy, the guy has knowingly abandoned any hope to go back to his country, his family, his friends, etc. What have you done?"
I don't believe in the snowden story, you can if you want to, and we can get along with different opinions on certain things? Is this your cherry pick, or do you think I was right about the others? Edit* https://www.imdb.com/title/tt4044364/?ref_=tt_sims_tt_i_1 Oscar award from hollywood, and not the only movie. Someone so qualified with low taste in software?

"Show us the code that does not use the "unsafe" keyword but segfaults. Until, then, your claims are worthless."
It's just hearsay, maybe I was just lied to, or maybe not, and maybe will do, and I didn't make any claims, just was questioning rust, in general, because there's more than enough conflicting information about it online. And, I'm not going to go out of my way for you, when you won't go out of your way for me, and gotta dish out disrespect with "worthless" :) But perhaps if a dependency was one of the ways if I recall right?

"In fact you are apparently proud of not being an expert, a word you only use ironically. You should definitely try to learn something about the technical/legal topic you comment before expressing any strong opinion on it."
Yes, because I have little experience with those, and I didn't mean for things to become hostile in any way or that much off topic as they did. Also, one just needs some uncommon sense to see that there's quite the hypocrisy going on.

"I have never said you are stupid."
LOL, you've mentioned that I was CONspiracy theorists, or like one, or whatever, and that's clearly to make me look stupid. Imply is a better term for you?

"You are currently toxic to the free software community."
But I haven't been that much down-voted yet (that much so at least), or asked to leave by someone in a leadership position, so maybe I'm not toxic, and you don't have the authority to say things like this?

Magic Banana

I am a member!

I am a translator!

Offline
Beigetreten: 07/24/2010

I am back to ignoring you Mr. I-don't-believe-in-the-snowden-story.

gaseousness
Offline
Beigetreten: 08/25/2020

Okay, if that's what you'd like to do, magic banana. I tried sticking a stalin's dream in a fridge before, and it didn't block getting a call. Maybe a louder more older one from an a less classy hotel, would prevent some audio snooping via the speakerphone, but could be water damage risk?

*Changed the wording from clown to is suspicious, in what I could hit edit on, maybe a better way to say it?

Magic Banana

I am a member!

I am a translator!

Offline
Beigetreten: 07/24/2010

https://en.wikipedia.org/wiki/Burden_of_proof_(philosophy)

lanun
Offline
Beigetreten: 04/01/2021

> "Your points are bullshit. You obviously know nothing about security or free software (claiming programs are proprietary when they are not). You are even apparently proud to *not* be an expert. Yet you feel legitimate to bitch about those who actually do a lot for our freedoms.

The best is to ignore you. There is no point in "convincing you". I have tried. It is a pure waste of time. You just ignore the response and come up with more bullshit that has nothing to do with what you previously claimed. Typical of conspiracy theorists."

Community Guidelines:

Respect among community members

Discrimination -- Do not discriminate against people based on [...] religion, ideology, ideas [...] intelligence, or any analogous grounds.
Profanity -- Do not curse or use hard language here. Social norms differ from place to place; hard language can deter people from our community.
Incivility -- Do not insult others here. Disagree and challenge ideas instead.

Magic Banana

I am a member!

I am a translator!

Offline
Beigetreten: 07/24/2010

I should not have used such a hard language.

As for challenging ideas, I maintain it is a waste of time in this case. gaseousness makes strong claims. Here, that Signal is non-free, that a Rust program that does not use the "unsafe" keyword can be memory-unsafe, that Snowden's story is untrue, etc. Yet gaseousness only provides bad evidences. That Stallman, asked about the problems with Signal, neither says that it is free or nonfree, that "someone" had written an undisclosed Rust program without "unsafe" but with memory unsafety, that believing that Snowden did what essentially everybody acknowledges he did is a mere matter of "opinion", etc. When challenged (to point out the non-free code in Signal, what I actually did for him, to show the incriminating Rust code, etc.), gaseousness shifts the burden of the proof ("I'm not going to go out of my way for you, when you won't go out of your way for me") and provides additional bad evidences.

gaseousness
Offline
Beigetreten: 08/25/2020

Some stuff about Snowden, could have gotten quite off topic, and perhaps to divisive, like questioning the official story from our beloved and always truthful corporate media outlets? I didn't mean any offense with "opinion", I'm not the best with cutting to the chase, if you have a better suggestion on how to word it, I'd be glad to take it under consideration. However, his promotion of proprietary signal was extremely questionable to me, so I'd take any advice or promotion from Snowden with a grain of salt.

https://signal.org/android/apk/
^ Doesn't work without javascript, google play "safest" promotion.

https://signal.org/assets/vendor/jquery-3.5.1.min-a6ed45d15e46615f8c15931ca254e398a912e770b10122a4435529a1a523180d.js
obfuscation, a good way to explain it?

I haven't seen undeniable evidence of signal being free software yet, and if I did, and I'd stop calling it non-free, if that's erroneous, but appears due to mainly legal intimidation, all four freedoms aren't granted to the users of signal.

It'd be quite strange to contact someone out of the blue to discuss it, or something like that, and even if I did might not be believable enough or good enough? I sent a link in the discussion we were having in the other topic forum, from perhaps not much of a vendor rigged study? Let's discuss rust here? https://trisquel.info/en/forum/there-way-rank-programming-languages-terms-how-security-oriented-they-are

gaseousness
Offline
Beigetreten: 08/25/2020

Should be obvious that what someone has told me, isn't like the best evidence, what if they lied to me, doesn't mean I'm a liar, not deliberately, who can't be mistaken or misunderstand something on occasion?

Legimet
Offline
Beigetreten: 12/10/2013

By your standard, Trisquel is also nonfree because the website includes minified Javascript: https://trisquel.info/files/advagg_js/js_9b8b6262d4890d5dd4e7dd1924e502b0_2.js

gaseousness
Offline
Beigetreten: 08/25/2020

It doesn't suggest that I install it via the microsoft store, for the "safest" way, and haven't needed to enable javascript, works nicely with various browsers. If recollection serves me correct, librejs didn't recognize it for signal.

view-source:https://trisquel.info/files/advagg_js/js_9b8b6262d4890d5dd4e7dd1924e502b0_2.js shows the source code apparently with firefox based.

Legimet
Offline
Beigetreten: 12/10/2013

There's nothing wrong with minified Javascript such as JQuery, as long as the source code is available under a free license.

Also, Signal making their software available on nonfree operating system app stores doesn't make it nonfree. As an example, Libreoffice and Krita are also available on the Microsoft store.

gaseousness
Offline
Beigetreten: 08/25/2020

Both of those I believe you can download nicely from their website, torrent for libreoffice, and it's in default repos? So Definitely is strange to require javascript? But is it free?

Legimet
Offline
Beigetreten: 12/10/2013

Actually I don't even see a link to the Windows store on the Signal website, so idk what you're talking about.

I'm not sure if there's any nonfree javascript on the Signal website, but the file that you linked to is just JQuery which is free. You can find the source code on Github (although knowing you, I think you'll probably say that JQuery is nonfree because it's hosted on Github)

gaseousness
Offline
Beigetreten: 08/25/2020

I meant it as an analogy like trisquel doesn't try to encourage you to install trisquel from the microsoft store like

"The safest and easiest way to install Signal for Android is through the Google Play Store."
https://signal.org/android/apk/

I prefer apt source :)

Legimet
Offline
Beigetreten: 12/10/2013

You can't use apt to install Android apps...

gaseousness
Offline
Beigetreten: 08/25/2020

Just because a program is on github, doesn't make the program non-free. Microsoft owned github, I guess there is a scandal with something called copilot.

gaseousness
Offline
Beigetreten: 08/25/2020

apt source can be used to download the source code of a program, and meant it like might be a option to choose over github in some cases, and was trying to make a joke about github, or whatever.

30fb737ab6dfdf454596f9e240561fb4.jpg
Legimet
Offline
Beigetreten: 12/10/2013

What's your point? How does this make Signal nonfree?

gaseousness
Offline
Beigetreten: 08/25/2020

Just wild, heard such good things about this new so "private" "open source" signal, visit their website but javascript just to download an apk, and trying to trick one into using google play, good thing I had librejs and avoiding running some potential non-free javascript, and instead learned about how they killed off a fork https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165

Instant messaging is interesting when one company owns the whole "protocol?" basically, but can go out of business or betray later on? Some grey areas with techinicalities with regards to freedom? https://f-droid.org/docs/Anti-Features/#NonFreeNet Some number of years ago was possible to use facebook chat with pidgin, even with private chat. Somewhat recent more publicized scandals that I recall with signal include adding some cryptocurrency to their application, and issues with how they dealt with the domain fronting was cut off by amazon and google?

https://github.com/signalapp/Signal-Android/issues/7130

https://www.techtimes.com/articles/256798/20210207/signal-app-tls-proxy-vulnerability-gets-exposed-researchers-bans-instead.htm