Secure Smartphone Graphene OS on Google Pixel 4A

94 Antworten [Letzter Beitrag]
Legimet
Offline
Beigetreten: 12/10/2013

> javascript just to download an apk, and trying to trick one into using google play

The nonfree javascript is problematic, but that doesn't make Signal nonfree. Google Play is the standard way to install apps on Android (which usually includes a lot of nonfree Google stuff) so I think it's reasonable to put an app on Google Play. That is how the average nontechnical Android user installs apps. I wish they would put it up on F-Droid, but they don't want to.

> instead learned about how they killed off a fork

They are hostile toward forks, unfortunately. However, despite moxie's angry comments on Github, it's perfectly legal to fork it as long as you don't use the Signal name, because the code is released under the AGPL.

> Instant messaging is interesting when one company owns the whole "protocol?" basically, but can go out of business or betray later on? Some grey areas with techinicalities with regards to freedom?

Yes, the centralized nature of Signal is a downside. But the client and server code that implement the protocol are available under a free license, so you can modify it as much as you want. If they go out of business, someone could take over.

The cryptocurrency thing seems kind of shady, but again, that doesn't make Signal nonfree.

gaseousness
Offline
Beigetreten: 08/25/2020

"reasonable to put an app on Google Play"

It's mostly on google play, sketchy javascript, Too similar to non-free modded applications, updates via google play = can change the permissions on you, and had like a slowdows antivirus with it. GNU Gimp is in the repos, flatpak, source code on their website, slowdows downloads available.

"fork it as long as you don't use the Signal name, because the code is released under the AGPL."

Libresignal wasn't the same name, and they seemed down to negotiate. Can't compete with their servers, or connect with, so basically useless? irc, xmpp, maybe a more suckless xmpp? Can have your own server and email people that are on gmail or microsoft's, but not the case of non-free signal?

"free license, so you can modify it as much as you want. "

Just like a black-market non-free android application, a few people will "mod" it and some will get legal threats?

"The cryptocurrency thing seems kind of shady, but again, that doesn't make Signal nonfree."

if it was free a community could fork it and have a better version, lol weak pin, phone number hooked to it, think their snoopy proprietary backdoors in the hardware can read the disk?

gaseousness
Offline
Beigetreten: 08/25/2020

Weird how the lawyers selectively go after people, but not after others?

gaseousness
Offline
Beigetreten: 08/25/2020

https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217218091

^ Looking more than reasonable? The other looking like quite the baloney, telegram which is similar in some ways, some random billionaire just wants to make a chatting app, but it's popular and on f-droid and not problematic as well?

gaseousness
Offline
Beigetreten: 08/25/2020

https://www.gnu.org/licenses/gpl-violation.html

"Once you have collected the details, you should send a precise report to the copyright holders of the packages that are being wrongly distributed."

Strange pick of the gpl, and agpl, if they don't want others to fork it. Good license, but not so good copyright holders = could be something like quite a loophole? Sounds like you can only get watered down partial versions perhaps of just freedom 0 and 1 with signal, and you need all of 4 at the very minimum basically?

gaseousness
Offline
Beigetreten: 08/25/2020

Was thinking that perhaps if upload speed was really really bad that it could prevent a lot of potential spywares, from going out, but oops, not so lucky, apparently.

gaseousness
Offline
Beigetreten: 08/25/2020

Some progress, appears casual web browsing, watching vidoes, appear to work well enough, but maybe it'd be more likely that some sloppy bloatware with many trackers would not?

Legimet
Offline
Beigetreten: 12/10/2013

That's not true. Since they chose the GPL (or AGPL) they can't prevent forks no matter how much they want. Once they've released something under the GPL, they have granted those four freedoms and they can't revoke them. Here's an example of a fork of Signal: https://git.silence.dev/Silence/Silence-Android. They didn't use the name Signal, so there is nothing the Signal team can do about it.

gaseousness
Offline
Beigetreten: 08/25/2020

"they can't prevent forks no matter how much they want."
They prevented libresignal.

"They didn't use the name Signal, so there is nothing the Signal team can do about it."
Libresignal was more willing to change the name from the looks of things, but this wasn't enough for some reason.

Well patents are said to be a threat, in general not aware of that being involved with signal? Maybe it's just useless without their servers mixed with network effect, or legal intimidation?

https://f-droid.org/wiki/page/org.libresignal
https://github.com/LibreSignal/LibreSignal/issues

Silence ins't like a fork of signal, maybe silence was similar to signal in the past, or silence was only via text messaging portion of signal in the past. Maybe signal wasn't that bad years ago, or was planning to trick a lot of people to install google play?

"SMS and MMS are a security disaster"
https://signal.org/blog/goodbye-encrypted-sms/
Signal requires a phone number though?

gaseousness
Offline
Beigetreten: 08/25/2020

https://www.gnu.org/prep/standards/standards.html

"Whether to support Mingw64, and Windows in general, in your package is your choice. The GNU Project doesn’t say you have any responsibility to do so. Our goal is to replace proprietary systems, including Windows, not to enhance them. If people pressure you to make your program run on Windows, and you are not interested, you can respond with, “Switch to GNU/Linux — your freedom depends on it.”

gaseousness
Offline
Beigetreten: 08/25/2020

Was just seeing if there was a good way, or perhaps the least worse way of cross platform messaging, in the past. Didn't encounter any rationale reasoning from signal deciding to kill of libresignal. Doesn't make too much sense, I think it'd would have been quite obvious that libresignal was different from the vanilla version of signal, not like someone on some odd rampage spreading a virus version called signal pro? Signal claims to be reproducible, so it's very odd that they wouldn't want to be on f-droid, since if I am not mistaken, reproducibility is a requirement for f-droid, and the more people who can reproduce it is the main point of reproducibility, because more targets?

gaseousness
Offline
Beigetreten: 08/25/2020

"As of our latest Android release, Signal builds are reproducible. Reproducible builds help to verify that the source code in our GitHub repository is the exact source code used to build the compiled Signal APK being distributed through Google Play."

"Getting the Gradle NDK support set up and making its output reproducible will likely be more difficult."

https://signal.org/blog/reproducible-android/

gaseousness
Offline
Beigetreten: 08/25/2020

Connection test site said network communications error or something like that for upload speed. Another asked if should proceeds with errors, so appears possible that some common spyware could be too thirsty and bloated?

Legimet
Offline
Beigetreten: 12/10/2013

They never changed the name though. If they had done so, there would not have been a problem. There are no patents involved here.

Actually, Silence is a fork of Signal, back when it was known as Textsecure. It's the same codebase. Take a look at the Readme.

gaseousness
Offline
Beigetreten: 08/25/2020

Some possible timeline
https://en.wikipedia.org/wiki/TextSecure#Open_Whisper_Systems_(2013–2015)

"It's the same codebase"

There may have been some more non-free with "redphone" in the vanilla older signal pre-betrayal?

"They never changed the name though. If they had done so, there would not have been a problem. "

Looks like the libresignal people offered to do so, but it was not enough. "It is unlikely that we will ever federate with any servers outside of our control again, it makes changes really difficult." Appears multiple forks may have been killed off.

"mimi89999 commented May 5, 2016

@moxie0

I'm not OK with LibreSignal using the name "Signal."

LibreSignal is using the name "LibreSignal". The name "LibreSignal" contains "Signal". If you prefer, I can rename "LibreSignal", so that it doesn't contain "Signal" in the name... I can also change the icon if you want.

If you think running servers is difficult and expensive (you're right), ask yourself why you feel entitled for us to run them for your product.

You are receiving donations for developing Signal-Android and running the servers. I am not.

If I finance running a TextSecure server for LibreSignal, will you federate with us?
Also, I won't be able to run a RedPhone server because it is not open source.

What about other Signal forks like Signal Plus (https://play.google.com/store/apps/details?id=org.privatechats.securesms) (https://github.com/WizDom13/SignalPlus-Android) Their app name also contains "Signal" and they are also using OWS servers.

"
https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217218091

"If you prefer, I can rename "LibreSignal", so that it doesn't contain "Signal" in the name... I can also change the icon if you want.

Thanks, that would be great!

You are receiving donations for developing Signal-Android and running the servers. I am not.

You're capable of doing that as well, though. We're barely able to support our own apps, and having to support products outside of our control would make our lives even more difficult. If you think that collecting donations to run and maintain servers for your own project is difficult, why would you expect us to do it for you?

If I finance running a TextSecure server for LibreSignal, will you federate with us?

It is unlikely that we will ever federate with any servers outside of our control again, it makes changes really difficult.

What about other Signal forks like Signal Plus (https://play.google.com/store/apps/details?id=org.privatechats.securesms) (https://github.com/WizDom13/SignalPlus-Android) Their app name also contains "Signal" and they are also using OWS servers.

Yep, we're working on it.

"
https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217231557

"Law is difficult, I don't know what trade/wordmarks OWS holds and what it can enforce with it. My common sense tells me that's a joke to have any such thing for a general word like "signal" in any way, but law is not common sense.

As for F-Droid: As I said, I wont be the in merging it into mainline. And even if there is a vote, I will not be in favor of it anymore. It's clear that OWS will (or might) take actions, thus leaving users out in the rain... (giving OWS yet another reason to say "see, that's why we dont support fdroid").

Let's just use XMPP/Conversations and be done..."
https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217290117

Legimet
Offline
Beigetreten: 12/10/2013

> view-source:https://trisquel.info/files/advagg_js/js_9b8b6262d4890d5dd4e7dd1924e502b0_2.js shows the source code apparently with firefox based.

Take a look at the very long line at the beginning. It's not source code.

gaseousness
Offline
Beigetreten: 08/25/2020

True, most* commented though so could find it? Is on signal's free confirmed?

Legimet
Offline
Beigetreten: 12/10/2013

Sorry, but I don't understand what you're trying to say.

Legimet
Offline
Beigetreten: 12/10/2013

I consider Signal problematic for various reasons (hostility to forks, lack of transparency, centralization), but it's not nonfree. I use it myself, because at this time there doesn't seem to be any better, end-to-end encrypted alternative that I can use to communicate with the average person.

gaseousness
Offline
Beigetreten: 08/25/2020

Are those all newer devices, planned obsolesce style? And you basically instantly replied to the rant I made on madaidan's, did you even read it, confirm it, consider it?

gaseousness
Offline
Beigetreten: 08/25/2020

https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165

^ More information about signal killing off libresignal.

https://f-droid.org/en/docs/Anti-Features/#NonFreeNet

^ What f-droid folks refer to it as, yes technically the client software could be free, but one centralized entity can impact your freedom, idk more confusing to think about? Like imagine if there could only be one freenode, and no escape to another or hosting your own? Maybe the more free looking fork of signal could be killed off later on by signal, if its not bad, but legal threats in the past, then no choice but to use the main one that added useless cryptocurrency that most seemed to not want in it because it is non-free?

gaseousness
Offline
Beigetreten: 08/25/2020

https://teddit.net/r/GrapheneOS/comments/du23la/rooted_or_root/f7169bi#c

No root option in grapheneos apparently?

"the insecurity of traditional Linux distributions without an application security model or a way to approach privacy and security in a systemic way."

Some spyware branch of twitter appears to have no problems with the non-traditional ways based off their "privacy" policy? https://www.mopub.com/en/legal/privacy

Really think that google or apple's "security teams" are gonna come to your rescue with some popular non-free application having issues? "Secure?" boot bugs can be a brick? If an app was disk usage hogging, appears it'd be most practical to just delete the files with root as opposed to clear app data, or apktool, usb?

Legimet
Offline
Beigetreten: 12/10/2013

As I understand it, GrapheneOS doesn't come with the nonfree Google apps/services.

gaseousness
Offline
Beigetreten: 08/25/2020

Can't all that preinstalled bloatware be disabled? DM seems to mention some questionable programs, don't know the specifics? What's an sm app?

"Turning the entire application / user interface layer and beyond into root attack surface obviously massively reduces security. It destroys the security model and a huge amount of the effort that has gone into systemically improving OS security over the years."

xorg isolation appears to have been available since at least 2007 https://en.wikipedia.org/wiki/Xephyr ? And it's not like some crap store of mostly malware designed to last only a few years with some sort of all in one "sandbox"? Shouldn't be careless with su, sudo, doas? Android-x86 let's you use root without the regular UI, and even if it was less safe on android I'd prefer it because would make things more amusing and a lot less annoying for me?

Qubes is using xen, a vm that we can install on gnu/linux?

Legimet
Offline
Beigetreten: 12/10/2013

Xen doesn't run on GNU/Linux, it's a hypervisor that boots directly from the bootloader (e.g. GRUB), and then loads virtualized operating systems (such as GNU/Linux).

lanun
Offline
Beigetreten: 04/01/2021

"Most installations run with Linux as the main control stack (aka "domain 0")."

https://wiki.debian.org/Xen#Domain_0_.28host.29_installation

Legimet
Offline
Beigetreten: 12/10/2013

Yes. Linux runs on Xen, not the other way around. Xen runs on bare metal and is started by the bootloader, that's why Xen has it's own GRUB entry. It's different from QEMU/KVM where the virtual machine runs on an underlying operating system.

gaseousness
Offline
Beigetreten: 08/25/2020
Legimet
Offline
Beigetreten: 12/10/2013

It's not lightweight, because it runs multiple virtual machines in parallel. If you run each application in a separate VM you will need a lot of system resources.

gaseousness
Offline
Beigetreten: 08/25/2020

"It's not lightweight, because it runs multiple virtual machines in parallel. If you run each application in a separate VM you will need a lot of system resources."

Bet slowdows and big sur "sur for surveillance?" are planning to continue to add more and more bloat with future "upgrades" as well? Maybe in some cases like a cross
platform developer with a fast computer xen could be quite useful, though? https://www.linux.com/news/why-use-xen/

root is not for us, the dumb users is the new "security" ideology? It's reserved only for google or DM, even if they are so much smarter, does that guarantee that they have our best interests in mind, and more docile users could be easier to torment later on?

There's ways to use root more safely in gnu/linux, like runuser?

Interesting android-x86 "terminal" prompt proceeds?

x86:/ # whoami
root
x86:/ # pm uninstall com.android.chrome
Failure [DELETE_FAILED_INTERNAL_ERROR]

whoami? "root"

gaseousness
Offline
Beigetreten: 08/25/2020

"Do not use Linux (QubesOS is not a Linux distribution). "
https://madaidans-insecurities.github.io/security-privacy-advice.html

"Qubes OS is a security-oriented, Fedora-based desktop Linux distribution whose main concept is "security by isolation" by using domains implemented as lightweight Xen virtual machines."
https://distrowatch.com/table.php?distribution=qubes

"OS family Linux (Unix-like)"
"Opening an application for the first time in that session for a particular security domain will take around 30s (depending on hardware)"
https://en.wikipedia.org/wiki/Qubes_OS

"Operating System Freedom

Can't decide which Linux distribution you prefer? Still need that one Windows program for work? With Qubes, you're not limited to just one OS. Learn more"
"With Whonix integrated into Qubes, using the Internet anonymously over the Tor network is safe and easy."
https://www.qubes-os.org/

Slowdows and freedom? Whonix is a fork of debian gnu/linux?

Legimet
Offline
Beigetreten: 12/10/2013

They're not talking about freedom in the sense of free/libre software, which should be clear from the context. Anyway, I'm not sure what your point is.

gaseousness
Offline
Beigetreten: 08/25/2020

Just was odd?

gaseousness
Offline
Beigetreten: 08/25/2020

Seeing slowdows, freedom, secure used together is strange?

Legimet
Offline
Beigetreten: 12/10/2013

I mean, the goal of Qubes isn't software freedom (in the FSF sense), it's security. When they mention freedom it's actually about being able to run different OS's (kind of like how some people who dislike systemd talk about "init freedom" which has nothing to do with software freedom).

Being able to run Windows in a virtual machine to run a Windows application that you need, actually fits with the goals of the Qubes project. If you have to use a Windows application, installing Windows in a virtual machine (perhaps without network access) to use just that one application will give you pretty good security. But it doesn't give you software freedom in the FSF sense.

gaseousness
Offline
Beigetreten: 08/25/2020

True

gaseousness
Offline
Beigetreten: 08/25/2020

"We need the best of both worlds - isolation, yet full control."
"A desktop Linux distro that theoretically gets close to what's needed is Qubes OS."
"In practice though, there are severe security risks even with Qubes OS. The in-VM systems need to be updated, and each update is a risk of bringing in malicious code. When most VMs are based off the same Fedora template, updating that means trusting all installed packages' Fedora maintainers."
"Then there's the issue of attack surface and of few layers of security. Linux kernel is quite poor in this respect when it comes to attacks by a locally running program. Even Android doesn't change that."
https://www.openwall.com/lists/oss-security/2020/10/05/5

Looks a bit more of on the unbiased, and not just paid a few bucks by Microsoft, side of paranoia opinion? Interesting how qubes os got called a "linux" distro. I'm not trusting IBM with a bloated security "theatre?", they killed off centos, anti-rms defamtion letter? apparmor and firejail might be more difficult, but can get security updates and is free software as much as possible?

gaseousness
Offline
Beigetreten: 08/25/2020

https://tails.boum.org/doc/first_steps/welcome_screen/administration_password/

Tails has like an optional root, maybe something like that might make more sense on a mobile device, no need to do administrative configuration all the time?

"Other Security Researcher Views on Linux

Many security experts also share these views about Linux. "
https://madaidans-insecurities.github.io/linux.html#security-researcher-views

He posts several links to Brad Spengler or grsecurity which runs a business of linux kernel hardening. Some general historic background info. https://wiki.debian.org/grsecurity

https://perens.com/2017/06/28/warning-grsecurity-potential-contributory-infringement-risk-for-customers/
https://grsecurity.net/setting_the_record_straight_on_oss_v_perens_part2
Looks like Bruce Perens, one of the early on Debian people, got sued by grsecurity, for claiming gpl violations, or whatever.

"A rant will be the least of your worries if this
continues, and as creator of the KSPP and effective figurehead/spokesperson
you'd be wise to start taking it seriously."
"You appear to be justifying plagiarism and copyright/trademark infringements
in the name of making Linux "more" secure. Please stop."
https://www.openwall.com/lists/kernel-hardening/2017/06/03/20
https://www.openwall.com/lists/kernel-hardening/2017/06/04/19
Appears Brad Spengler was making some pretty serious accusations about Danial Micay and others in Linux's kspp, like of plagiarism, making legal threats, etc.

"Linus Torvalds slams 'pure garbage' from 'clowns' at Grsecurity
'I stopped trying to be polite about their BS', says Torvalds who plans Linux 4.12 next week"
https://www.theregister.com/2017/06/26/linus_torvalds_slams_pure_garbage_from_clowns_at_grsecurity/

Anyways, after all of this, astonishingly , we can find a video of Brad Spengler or grsecurity on the linux foundation's own "you"tube channel? If you seek to 19:45 says some very juicy stuff potentially about google's kernels and some big tech censorship?
https://tube.cadence.moe/watch?v=CT4G-Rn-sHc

Looking like a bit too much drama, and potential selling out with some people involved with all of this, and maybe it will be too hard to know the full true story or a more probable version that makes some sense?

gaseousness
Offline
Beigetreten: 08/25/2020

"Let us time how long it takes the spammers to add "off topic" cr4p to smother just how good GrapheneOS is!"

Android is somewhat an "off topic" topic by itself, so perhaps more off topic comments are just inevitable or more likely?

"So – Another plus besides security"

Some of this "security" depends on non-free though, and some other possible security that's not, I suppose that I don't follow, and questioning it to gain a better understanding is spam?

Glad to hear that you are having ease of use, but wasn't the usb features already in regular android for a while now?

https://developer.android.com/studio/images/run/dev-options-select-usb-config_2x.png

"USB tethering is available since Android 2.2 "Froyo". "
https://wiki.archlinux.org/title/Android_tethering

PS side note: firejail has several x11 isolation options.

"X11 [archive] does not have GUI isolation [4] so it is trivial to escape sandboxes with it. There is no protection against this vector at present, but the plan is to either switch to Wayland [5] or use a nested X11 server like Xpra. "
https://www.whonix.org/wiki/Sandbox-app-launcher

PublicLewdness
Offline
Beigetreten: 03/15/2020

For those who are interested in GrapheneOS but not sure if you are able to install it yourself, you should check out the Nitro Phone which is basically a Pixel 4a with Graphene OS preinstalled.

https://shop.nitrokey.com/shop/product/npo1-nitrophone-1-199

gaseousness
Offline
Beigetreten: 08/25/2020

... I'm not spamming, keep accusing me as much as you want, what's the point? As for rude, please tell me how I was impolite?

gaseousness
Offline
Beigetreten: 08/25/2020

"Not sure about rude you refer to but it is rude"

"So yes guys; it is that good that spammers get so worked up into a petulant frenzy." Message 125

"having to wade through a full page worth of irrelevant cr4p about Signal"

In message 17, you brought up Edward Snowden, who also did a commerical for non-free signal.

gaseousness
Offline
Beigetreten: 08/25/2020

Note, same "you"tuber techlore appears to have made the video I mentioned earlier "GrapheneOS: The Most TOXIC Privacy Community (Attacks on CalyxOS, Seth Simmons, Techlore, & More)
Uploaded by Techlore"
https://tube.cadence.moe/watch?v=Dx7CZ-2Bajg

He promotes crapple's safari in this "you"tube video https://tube.cadence.moe/watch?v=a1i-3xwcSGA

I still have to check out the video link that you posted, Andy.

gaseousness
Offline
Beigetreten: 08/25/2020

I get what you mean, and yeah wasn't the most interesting video that I've ever seen.