pull down to refresh
@final
stacking since: #193385
223 sats \ 0 replies \ @final 19 Nov \ parent \ on: France Attack On Graphene OS tech
No idea why these articles always try and reference a criminal case to attempt to make us look bad and responsible, when the example is always someone caught red handed, arrested and being charged. We also can't know who any users are because it's an open source project anyone can change the code and run their own version of... Shocking! Doesn't sound like we are enabling any crime to me if theyre being caught. Maybe they should ask the same questions to the teams of Android, LLVM or Linux who make most of the code.
There is no feature that just 'mysteriously' resets itself. The only feature is the duress password, which is an overt and well documented feature. This is not characteristic of GrapheneOS. If there is an app doing this, ANY Android device can do it.
Or that they are a important or at-risk individual with additional security needs other commercial off the shelf device and operating system setups aren't providing? Why do they make malicious assumptions?
Is enabling Lockdown Mode on your iPhone also an intent to conceal?
Anyone getting GrapheneOS from "unlisted YouTube channels" and the "darknet" lacks reading comprehension. Whatever these are, they aren't by us and would be an infringement on our trademarks. We have a public chat bridged to many mainstream platforms and a surface web site... Not to mention we ban anybody suspected of being involved in anything universally considered criminal activity.
Note they kept talking about us like we are a business selling a product. We aren't a business and aren't selling anything.
Not even a GrapheneOS feature. Completely made up attribution. If there's an app doing this, then again, any Android device applies.
You can see from our releases page that releases with the patches have their own separate channel. Versions ending in 01, 03, 05 [..] are security preview variants. Their changelogs are separate by listing the CVEs patched in that version.
I'm pretty sure this means Graphene security patches become not-open-source until about 3-4 months after they actually release them (correct me if I'm misunderstanding this).
These are strictly Android's upstream patches, not our patches or any code that we create. We only have access to these through a new OEM partnership. They're simply an opt-in for people who want to benefit getting all of these patches the moment they are made, rather than waiting for a quarterly release like every other Android OEM / distribution will do. If you don't want to run embargoed code, then you'll just wait like everyone else / how we used to wait for patches before this month.
Standard GrapheneOS is completely open source and reproducible. This is simply a separate addition to a standard GrapheneOS install and that's why the first boot will give you the choice to do so. We recommend security patches for obvious reasons.
We openly call out people to try and download our update packages to reverse engineer them and review any changes. People can make their own code which standard GrapheneOS and other Android distributions can get earlier. We have source code access but we cannot disclose it ourselves.
What we do and any additions we make are totally open source and will remain that way.
I am for having that stricter search from the past. Makes searching a post about a certain thing on a common word harder for me. Also made me take extra steps when I need to do help/support replies about GrapheneOS as I didn't always see who was discussing at first.
GrapheneOS is focused on privacy, the security benefit isn't mutually exclusive. There's a lot of privacy features for per-app privacy like Storage and Contact scopes, sensors and network permission toggle for apps and other features like per-connection WiFi MAC randomization for the OS. Unlike CalyxOS we also are not connecting to Google services by default, which they do for their connectivity check, DNS check, network time, hardware and DRM attestation services. Their MicroG service also runs with privileged access and isn't sandboxed.
Posted a link to a comparison table at: #1065801 that explains things, but there's a lot more to it.
OP should be aware CalyxOS development is officially halted and they no longer officially provide any instructions for new installs.
If they want a comparison, they can check out:
People employed at these organisations have been going to news organisations claiming that when they see a Pixel phone, they think it's a drug dealer (insane and ludicrous hyperbole) and that it is apparently our fault.
Since then, numerous news sites in different languages have been posting that, mainly repurposing the same talking points. It's just a news campaign trying to claim we are enablers of illicit activities.
In a swing of irony, here's an article from Citizen Lab on how the same Spanish government used exploits against political opponents in Catalonia:
Bear in mind that even police using these will almost entirely be using them against people not convicted of a crime based on suspicion. GrapheneOS would have been more likely to protect them.
I work for GrapheneOS but I'm not a developer, it would conflict with other stuff and I don't do any Kotlin app development. That may change soon. As it stands GrapheneOS has 10 developers, at least 7 of them work as full time developers who the Foundation pays. There's also GrapheneOS Foundation staff, OS support, and some volunteer community mods.
Usually I help the team with matters to do with support, or any discussion about forensic kits like Cellebrite. I also help proof the more technical posts like #774701 #670170 and #455267.
I may be partially to blame with their interest in posting on Nostr... but it needs to be done right.
I didn't get a notification to reply to this - I didn't mean to ignore this! I just saw when trying to search recent Cellebrite news on here.
As far as I know, most cellebrite devices work by plugging in the device. If you enable lockdown mode and your phone is locked even after AFU, iOS will refuse any data connections over USB
They can bypass this restriction. Cellebrite do not mention Lockdown Mode in the Premium documentation as it doesn't change anything for them. Users from a law-enforcement forensics chat room we previously monitored also still tell that this is the case (they claim to have special cables that have a payload to bypass that) and that it isn't exclusive to Cellebrite. Potentially Apple could make a fix for this, as they did make an automatic reboot feature recently that pissed the forensic companies off.
People are still leaking chats there saying this is the case like in here: (source)
For bespoke cases, the client would pay Cellebrite to have their expert teams find a way in themselves (called Advanced Services).
They’d have to either exploit something from inside the phone or do a memory extraction which isn’t exactly easy.
It's absolutely possible they could do that but they'd hate to do the former. They're both exploits that would meet the objective but it's apples and oranges.
They like their exploits to have as minimal data footprint as possible because if their extraction methods are modifying the owner's data then it can be used as a defence in court that the evidence is tampered which risks making it inadmissible. For example, Cellebrite have an APK downgrade feature for downgrading apps or OS components to outdated, vulnerable versions on Android to aid extractions. They say it is an absolute last resort when every other method has been exhausted, including attempting physical attacks. They could do it, but remote access a la NSO Group is for a different type of customer than what Cellebrite sells to.
I don’t think graphene can protect from a memory extraction? I haven’t looked at the latter in much detail
Hardened memory allocator in GrapheneOS zeroes memory when it is freed. It protected against a forensic company that exploited the Stock OS by RAM dumping from a bootloader exploit to get a derived hash they could brute force the OS PIN/password with. GrapheneOS recieved bounties and ASBs for reporting it and building a fix for that (post here) but the stock OS still falls behind what GrapheneOS does.
Nope, some shitty EncroChat-style service by some Dutch(?) criminal gangs. They'd sell phones with their own messaging service at an unreasonable price markup. The Matrix they're talking about has their website seized it looks like.