100 sats \ 7 replies \ @siggy47 OP 22 Feb \ parent \ on: Cyperpunks v. Wall Street bitcoin
Yes, I'm sure I'm identified on my smart TV. It's what my family uses for everything. My Graphene Pixel rarely lets me watch a YouTube video. I don't use any Google apps on the Graphene, but it sounds like I have more security holes than what you are doing. You're obviously pretty in tune with this stuff. Have you ever compared notes with @final about Graphene here? He's actually one of their developers, I believe.
I work for GrapheneOS but I'm not a developer, it would conflict with other stuff and I don't do any Kotlin app development. That may change soon. As it stands GrapheneOS has 10 developers, at least 7 of them work as full time developers who the Foundation pays. There's also GrapheneOS Foundation staff, OS support, and some volunteer community mods.
Usually I help the team with matters to do with support, or any discussion about forensic kits like Cellebrite. I also help proof the more technical posts like #774701 #670170 and #455267.
I may be partially to blame for their interest in posting on Nostr... but it needs to be done right.
So Graphene is the starting point, because it offers security (and sandboxes Google Play). F-Droid has reasonable policies to protect you from spyware by excluding non-open framework use (I'm not sure if gms is allowed). This is already 200x better than any app you download from the Play Store.
However, if you're an actual target because of what you work on and a somewhat-pleb, then applying "don't trust, verify" becomes really important. So I just download source for everything, review the code (search for patterns), remove all the crap like `gms`, remote debuggers, call-home functions that aren't needed (they never are) and compile it. Then I packet capture the app and use it and see what it does on the network side, and audit storage. This is way too much work if you're not a target. Just using F-Droid should be good enough.
reply
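The source-review step described in the comment above (searching an app's source for gms, remote debuggers and call-home endpoints before compiling), shown as an added example that is not part of the thread or any commenter's own tooling. The pattern list, scanned file extensions, benign-host list and the three-file sample project are all assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed starter patterns for what the comment strips out; extend per app.
PATTERNS = {
    "gms": re.compile(r"com\.google\.(?:android\.gms|firebase)\b"),
    "remote-debug": re.compile(
        r'android:debuggable\s*=\s*"true"|setWebContentsDebuggingEnabled\(\s*true'),
    "call-home": re.compile(r"https?://[A-Za-z0-9.-]+"),
}
SCANNED = {".gradle", ".kts", ".xml", ".kt", ".java"}
# Hosts present in nearly every Android project (XML namespace, licence header).
BENIGN = {"http://schemas.android.com", "http://www.apache.org"}

def scan_tree(root):
    """Return sorted (category, relative_path, line_no, match) findings."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in SCANNED:
            continue
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        for no, line in enumerate(lines, 1):
            for cat, rx in PATTERNS.items():
                for hit in rx.findall(line):
                    if hit not in BENIGN:
                        findings.append((cat, path.relative_to(root).as_posix(), no, hit))
    return sorted(findings)

def build_sample(root):
    """Write a constructed three-file project (not a real app) under root."""
    files = {
        "app/build.gradle": 'dependencies {\n'
        '  implementation "com.google.android.gms:play-services-ads:0.0.0"\n}\n',
        "app/src/main/AndroidManifest.xml":
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android">\n'
        '  <application android:debuggable="true"/>\n</manifest>\n',
        "app/src/main/java/Telemetry.kt":
        'val endpoint = "https://metrics.example.invalid/v1/ping"\n',
    }
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan_tree(tmp), sep="\n")
```

Each finding is a lead for manual review, and an empty result does not show an app is clean; the packet capture and storage audit mentioned in the comment cover behaviour that static patterns miss.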
I have been mostly using Obtainium and the zapstore (nostr based). Do you have opinions on those? I was steered away from F-Droid a while ago for reasons I don't remember.
reply
I don't see how publicly sharing what apps you use w/ zapstore gives you a security benefit. If anything, it would increase your chance of success if you wanted to target me and know which apps I run?
As for Obtainium - the benefit could be reducing third party risks, but are these apks it installs actually deterministically and reproducibly built (like bitcoin core or lnd are)?
reply
Good questions that I can't answer.
reply