Ancestors

Written by Autonomous User on 2024-09-16 at 00:18

GrapheneOS, Pixel 8 Pro or Pixel 9 Pro?

https://lemmy.world/post/19813124


Written by theskyisfalling@lemmy.dbzer0.com on 2024-09-16 at 08:14

Fuck all that noise, Pixel 6a + graphene £130. Why waste so much money!?


Written by Autonomous User on 2024-09-16 at 09:09

Pixel 8 Pro — minimum 7 years support and hardware memory tagging support


Written by theskyisfalling@lemmy.dbzer0.com on 2024-09-16 at 09:15

These devices aren’t even constructed to last 7 years. I don’t see that either of those things are worth £600 personally.


Written by GolfNovemberUniform@lemmy.ml on 2024-09-16 at 09:22

Well if the support ends, GrapheneOS support ends too. That’s why more years of support is important here.


Written by theskyisfalling@lemmy.dbzer0.com on 2024-09-16 at 09:28

What relevance does that have to what I said? If the physical phone isn’t going to last that long then I’d argue it is of little importance.


Written by haui on 2024-09-16 at 12:06

Whatever idea you have to phones, you're wrong. They can easily make 5 plus years if you treat them right. The more problematic part is daily use and battery degradation/repair.

But google sucks anyway so I'll stay with postmarketOS on my oneplus6 and wait for my camera to come to life some day (hopefully).


Written by Lemongrab on 2024-09-18 at 19:59

Why not DivestOS on the OnePlus 6.


Written by haui on 2024-09-18 at 20:23

Because android. PostmarketOS is linux (based on alpine linux).


Written by Lemongrab on 2024-09-19 at 07:01

Interesting. I have a vastly divergent opinion on linux for mobile, mostly that it is not secure. This is true for Desktop linux but is more important considering the threat model necessary for mobile device Security.


Written by haui on 2024-09-19 at 10:58

Feel free to elaborate. Everything I have read over my life (couple thousand pages I guess) suggested that linux can be a lot more secure than windows and ios.


Written by Lemongrab on 2024-09-19 at 15:22

Linux is not security hardened. It does not properly sandbox applications (and there is nothing as secure as android's sandboxing on linux). In fact, most linux package managers do not feature any sandboxing of applications, period. Linux does not implement verified boot. It does not harden against physical port attacks. It does not use a hardened memory allocator. Privilege escalation is simple because of how straightforward it is to compromise a wheel user (sudo user). Linux does not harden its kernel flags by default. Alpine (and most linux package managers) are not secure (aka do not pass the TUF threat model). Most linux distros don't feature a read-only root filesystem, which would help to improve security. Also, Systemd is a bloated init system and has a massive attack surface. GNU's tooling is also bloated and freebsd's would make a good alternative (like what is done by Chimera Linux).

Here are some readings on linux security:

Article by one of the Whonix Devs madaidans-insecurities.github.io/linux.html and also their hardening guide …github.io/…/linux-hardening.html

Wiki page of Whonix considering many linux distros for whether they make a good base for Whonix’s security distro: www.whonix.org/wiki/Dev/Operating_System#Alpine_L…

Kicksecure’s wiki: www.kicksecure.com/wiki/Documentation

Here are some Security hardened distros (Note that neither meet the threat model for a mobile phone OS as they don't feature verified boot):

www.kicksecure.com

github.com/secureblue/secureblue

github.com/NixOS/nixpkgs/blob/…/hardened.nix.

Special mention which isn't hardened but has great potential: chimera-linux.org/


Written by haui on 2024-09-19 at 17:59

You do realize that this is bullshit, right?

It's typical fearmongering (in fact the same article too) that I have been sent a ton of times by low tech users that fanboy for graphene.

There is no such thing as "physical port attacks". It also works very different on phones than on computers. You can for example use i2c on an iphone to crack it open which is somewhat straightforward to do but still has zero implications for daily use. The linux apps are desktop apps and as such don't have any chance to get through all of the open source community's eyes undetected.

It's a completely backwards take that assumes using bad faith software written in the dark by proprietary vendors which just isn't real.


Written by Lemongrab on 2024-09-19 at 18:21

I only mentioned physical port attacks in a much larger list of things Linux MUST improve on. I am not a grapheneOS shill, nor did any of the supporting articles I sent relate to GOS, so I don't really understand your response. Read through the links I posted and learn more about the operating system you use. I am NOT saying linux is dogshit, I very much love linux. Why not just educate yourself on this topic instead of assuming things from a place of ignorance or constructing a strawman. I spend multiple hours per day reading and putting into practice Linux hardening techniques; I am not just working with a surface level understanding of Linux security.

Even open source is vulnerable. Two questions: do you examine all the commits on every app you use? Do you compile every update to the apps you use from source? Sandboxing is important because if an application is compromised it can't lead to privilege escalation or userspace spyware.


Toot

Written by haui on 2024-09-19 at 19:26

I'm not that bad at rhetoric either but I avoid it when I can.

Your argument is empty. Privilege escalation attacks are plain old CVEs that get found, evaluated and fixed. You need access to the phone, mostly in an unlocked state to get anything to work like that, same as with a computer.

I know a couple of pen testers and I would definitely know if there were large differences between operating systems securitywise.


Descendants

Written by Lemongrab on 2024-09-19 at 20:39

CVEs often go mislabeled as normal bugs and don't get the attention needed. It also may take a bit for such vulnerabilities to make it downstream.

A simple privilege escalation attack on basically every system goes as follows: add a function into the bashrc file of a user that runs a script, have the script intercept the user's sudo credentials and pass the command on normally as if it was just the regular sudo command. Now you have root. Nothing here requires privileges beforehand. Anything, be it a script, appimage, malicious binary, etc can follow those steps and gain root access by compromising the wheel user. Even without compromising a user, it could simply add a Systemd user service that keylogs (keylogging is still possible on Wayland without security hardening).

A prerequisite of course is getting that file onto the user’s computer. There are a plethora of ways. Simplest way is to learn what applications the user installs, find the weakest link, and compromise them.

There are of course much more sophisticated and better ways, some of which are detailed in the supporting links I sent. Every Security expert and researcher I have talked to can recognize that Linux has an outdated security model. The best links to read would be the hardening guide and "linux isn't secure".

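An added, defender-side check for the two unprivileged footholds this post describes (a sudo alias or function planted in a user's shell rc file, and systemd user services enabled at login). This is example code, not from the thread or from any project named in it; the rc file contents and directory layout it builds are constructed for the demo, and on a real host you would point the functions at ~/.bashrc and ~/.config/systemd/user.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two spots the post above
# names where an unprivileged process can gain a foothold.
# Paths are arguments so the demo can run against a constructed temp dir.

# Count rc-file lines that redefine sudo as a shell alias or function.
# The real sudo is an external binary, so any such line deserves a look.
count_sudo_overrides() {
    rcfile="$1"
    [ -r "$rcfile" ] || { echo 0; return 0; }
    grep -E -c \
        -e '^[[:space:]]*alias[[:space:]]+sudo=' \
        -e '^[[:space:]]*(function[[:space:]]+sudo|sudo[[:space:]]*\(\))' \
        "$rcfile" || true   # grep -c still prints 0 on no match
}

# List the .service units enabled for default.target under a systemd user
# directory; each runs at login with that user's privileges and no root.
list_enabled_user_services() {
    wants="$1/default.target.wants"
    [ -d "$wants" ] || return 0
    for unit in "$wants"/*.service; do
        [ -e "$unit" ] && echo "$unit"
    done
    return 0
}

# Constructed sample rc file: one harmless alias plus an alias that points
# sudo at a user-owned path (a hypothetical placeholder, not a real wrapper).
write_sample_rc() {
    cat > "$1" <<'EOF'
alias ll='ls -l'
alias sudo='$HOME/.local/bin/sudo'
EOF
}

# Demo: build the fixture in a temp dir and report findings.
main() {
    tmp=$(mktemp -d)
    write_sample_rc "$tmp/bashrc"
    echo "sudo overrides in $tmp/bashrc: $(count_sudo_overrides "$tmp/bashrc")"
    mkdir -p "$tmp/user/default.target.wants"
    : > "$tmp/user/default.target.wants/updater.service"   # constructed unit
    echo "enabled user services under $tmp/user:"
    list_enabled_user_services "$tmp/user"
    rm -rf "$tmp"
}
main "$@"
```

Against a live account, compare the listed units with what you actually enabled and treat any sudo override in an rc file as a finding to explain before trusting that shell's password prompts.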

Written by haui on 2024-09-19 at 20:47

I did quite some reading in my time, as I mentioned. The methods you are describing are riddled with ifs and buts. The reality is that even online systems aren't hacked if they don't have obvious flaws like passwords in root ssh. On the other hand tools like john the ripper can break each and every common encryption given the right circumstances. It's no difference. It's all just marketing.


Written by Lemongrab on 2024-09-19 at 21:28

Neither of the methods I mentioned are hard. They have no ifs or buts, only the same prerequisite as any bit of malware: get run. Do you know how to protect against either of the attacks I mentioned? You can poke some holes in them if you like.

The attacks I mentioned (and even more in the articles and wikis for the "Security focused linux distros" I shared) are often not possible on Windows or OSX because of the hardening present on basically every other modern OS. Linux just makes it easy. I don't really understand what you mean by "I did a lot of reading in my time"; Security research is continuous and you can never get to a point where you understand everything or anything. I learn new things every day. I suggest you expand your horizons and learn more about the topic you have such confidence in. Nothing that I shared is a long read, there are no tricks and I am not trying to tell you to stop using Linux mobile. Just that it isn't "secure", or more specifically it isn't as secure (out of the box or even with moderate hardening) as OSX/Windows/BSD/Android. Default Linux IS more private than any closed source systems, but when compared to other open source OSes like DivestOS (deblobbed hardened AOSP), Kicksecure (Debian Linux), Secureblue (Fedora Atomic), or hardened BSD, it is missing out on a lot of necessary hardening policies/changes.


Original URL: gemini://mastogem.picasoft.net/thread/113165861391766851