@getimiskon TBH I'd rather use Google Chrome than moz://a firefox.
@itzzenxx both suck, but there aren't many alternatives, especially on BSD
@getimiskon fair, only those two really exist. Chromium sucks less for me, faster and much more stable.
@itzzenxx @getimiskon Both Firefox and Chromium have terrible UIs, but at least Chromium has a sane back-end and security. Firefox sandbox took way too long to roll out (latest ESR 91 doesn't even have it fully enabled!) and it's still broken, allowing cross-site leaks. Imagine being vulnerable to Spectre in 2022...
@getimiskon @inference I disabled JIT on my pixel 4a, my iPhone 12 pro, and my thinkpad.

removes so much attack surface from doing this lmao
@itzzenxx @getimiskon JS is bad, JIT is worse.

Yes, it can get worse. Why fuck yourself with JS when you can fuck yourself with natively compiled JS bypassing memory protections?
@inference @getimiskon happy that apple finally enabled the option to disable JIT on iOS, really makes me feel more comfortable using iOS whenever my android phone destroys itself (becoming more and more common thanks to the shit release of android 12)

I want a new phone but I cannot afford to pre order a 6a right now
@itzzenxx @getimiskon If I used an iPhone, I'd use Lockdown Mode just for disabled JIT. I already do on GrapheneOS and Chromium.

@itzzenxx @getimiskon @inference A sophisticated cyberattack would involve much more. Let me just hit a switch and I'm definitely not going to be bothered by my other devices or the IoT at home. I wonder if they are still giving the information to the government. If one hits that button, I'm fairly certain the government will know if they are watching.

Gotta love apple for making it easier to stalk people and spy. They don't have a great track record for human rights.

@AmpBenzScientist @getimiskon @inference the people hitting that button are probably aware / don't own IoT devices. And this was released in the dev beta tree not even a week ago. I'm hopeful more features will be added.

Also assuming that they have bounties open encouraging people to try to break this I think they really are going in on this.

Or, you can try GrapheneOS
@itzzenxx @AmpBenzScientist @getimiskon Apple have $2,000,000 bounties on exploiting Lockdown Mode, and have doubled the payout for exploits while Lockdown Mode is enabled.

@inference @getimiskon @itzzenxx That's pocket change when compared to developers have. Remember that wifi exploit that required being reflashed to make wifi work again? That wasn't the real bug that was turned down as part of their alleged bug hunt. They are trash like many other bug hunting programs.

@itzzenxx @getimiskon @inference They've been known to screw over talented bug hunters. They will just release to 0day solutions again. Even if they didn't have a poor history with bug hunters, they don't pay anywhere near a fair price.

I have a Pinephone. I am responsible for how secure my system is. I don't daily drive it anymore because I have beta hardware which was later considered Alpha hardware. It only has thermal problems, poor battery life because the screen adjusts from off to painful to look at in full sun light. It runs full GNU/Linux.

It was development hardware and yes I helped.

I can flip physical kill switches. That's what real control looks like.

@AmpBenzScientist @itzzenxx @getimiskon Until you realise your attacker can just wait for a connection, unless you want your phone to be a permanent networkless brick:
https://madaidans-insecurities.github.io/linux-phones.html
@AmpBenzScientist @getimiskon @itzzenxx I wouldn't touch a "Linux" phone with a large barge pole when it comes to security.
@inference @AmpBenzScientist @getimiskon @itzzenxx I want a linux phone badly, but I wouldn't use it as a daily driver because of security. I'm still really interested in the project.
@srestegosaurio @AmpBenzScientist @getimiskon @itzzenxx Well, yes, there are more things to life than only security. Linux phones and rooted Android phones are great for development, hacking, and tinkering, but not as a daily driver which you have to defend as blue team.
@dushman @itzzenxx @srestegosaurio @AmpBenzScientist @getimiskon If the device tree is available for your device, so you can drop the sources into the source tree, you can build a less secure GOS or DOS and flash it.

If your phone supports locking the bootloader with a custom AVB key, you can also sign your custom OS to enable verified boot.
@inference @itzzenxx @srestegosaurio @AmpBenzScientist @getimiskon
>If your phone supports locking the bootloader with a custom AVB key

Not as far as I know. Plus I wouldn't want to risk permabricking my phone, I spent 400$ on this.
@dushman @itzzenxx @srestegosaurio @AmpBenzScientist @getimiskon Yes, some phones such as Xiaomi actually sign the firmware so locking the bootloader with a non-stock AVB key bricks the device. Just when you thought not being able to relock the bootloader was bad enough...
@itzzenxx @inference @srestegosaurio @AmpBenzScientist @getimiskon
I don't really feel like using the stock ROM. I doubt it has better security anyway (besides VB) and I'm not particularly concerned about someone getting physical access to my phone.
@itzzenxx @inference @srestegosaurio @AmpBenzScientist @getimiskon
Ik. I'm not *that* scared of it though. I tend to use common sense and not run random executables.
@itzzenxx @inference @srestegosaurio @AmpBenzScientist @getimiskon
And I use a hosts blocklist for ad and malware domains so that helps. I highly doubt anyone will target me personally.

@inference @itzzenxx @srestegosaurio @getimiskon You know that your work on Gentoo could be applied to the Pinephone. It's not as vulnerable as it sounds. This was a phone that came without an operating system and has firmware that was reverse engineered by the community. There's a good chance that a device chosen at random is going to be a nightmare to get into. It might be a nightmare after the ingress. It's an interesting community.

@AmpBenzScientist @inference @srestegosaurio @getimiskon the software isn't everything, it's also the hardware that adds to that hardening.

it's why GrapheneOS is only available for Google Pixel phones, and it's also why I abandoned my Thinkpad T420 over a month ago. You need something like Titan M, PSP, etc, technologies like those are needed to make the computer more secure.

@itzzenxx @srestegosaurio @getimiskon @inference Do you know what a Pinephone is? You sound like you don't know what it is. You want to integrate a Yubikey or something similar too? It's trivial to add these.

@itzzenxx @srestegosaurio @getimiskon @inference I've seen enterprise security modules get bypassed and do nothing but make my job longer. Those modules are still relatively new. It's laughable how it's considered security and not just DRM protection. I can assure you that typing in the Manufacturer of that old Laptop will form many pages in CVEs. I still have some source that exploits a few.

That manufacturer needs Coreboot as they can't make anything correctly. They won't implement Coreboot because it would stop forced obsolescence.

@AmpBenzScientist @itzzenxx @srestegosaurio @getimiskon

> I've seen enterprise security modules get bypassed

I've worked in security for a long time. I've seen *everything* get bypassed, including the lock on your front door. Does it mean it's pointless? Stop being a FOSS cultist and use logic.


> It's laughable how it's considered security and not just DRM protection

*My* keys, generated on *my* PC, are not DRM, they *are* security. The definition of security is having unique keys no one else has. As for PSP, encrypting RAM so programs can't access it is "DRM"? Come back with a better joke.


> That manufacturer needs Coreboot as they can't make anything correctly

Coreboot? You mean one of those FOSS cultist UEFIs/BIOSes which break RoT and disable 90% of the security which would keep people out of my shit? Dream on.


> They won't implement Coreboot because it would stop forced obsolescence

If obsolescence is security being broken over time because of advancement, such as SHA-1 TPM 1.2s being broken and requiring a SHA-256 TPM 2.0, or how about processors which were found to be vulnerable to Spectre and Meltdown while manufacturers tried their best to fix them? The only thing FOSS projects in their current state are giving you is an easy backdoor and a loss of privacy directly resulting from the lack of security they provide.


You seem like one of the typical Church of Stallmantology cultists who obey Stalin-man like one of his sheep. Come back when you use practicality and not cult teachings.
@inference @itzzenxx @srestegosaurio @AmpBenzScientist @getimiskon

>Coreboot? You mean one of those FOSS cultist UEFIs/BIOSes which break RoT and disable 90% of the security which would keep people out of my shit? Dream on.

coreboot is based
@inference @itzzenxx @srestegosaurio @AmpBenzScientist @getimiskon no it's far superior to other BIOS/UEFIs

stop advocating for consumerism. "BUY PRODUCT! BUY NEW PRODUCT! THROW AWAY OLD PRODUCT!"

it's not that big of a deal
@straw @itzzenxx @srestegosaurio @AmpBenzScientist @getimiskon Stop advocating to be backdoored and ruin your privacy because of lack of security with these BS FOSS projects which don't think of anything other than the license attached to it.

If it's well designed, sure, open source can be great, but using it in a broken and insecure state is certainly not better than just using the stock firmware. Same goes for Firefox and its poorly implemented and still leaky sandbox vs the proprietary browsers. People complain about Chromium taking over the web, but they don't work on improving the alternatives, they just complain. Firefox and other browsers caused their own demise.
@inference @itzzenxx @srestegosaurio @AmpBenzScientist @getimiskon not about the license, I'd use coreboot if it was MIT. I don't care about that, I just want auditable code that can run on old hardware.
@straw @itzzenxx @srestegosaurio @AmpBenzScientist @getimiskon False. Complete fallacy.

Not once did I state that. License is irrelevant to the security of a project.
@inference @itzzenxx @srestegosaurio @AmpBenzScientist @getimiskon and yet you aren't campaigning against people using proprietary software, you are only targeting those using what you describe as "FOSS cult".

I have not once seen you say that Microsoft is bad, you constantly talk about how Microsoft is good, Google is good, all these proprietary companies are good. but when someone mentions FOSS you're like "this is terrible! cultism!".

@straw @itzzenxx @srestegosaurio @getimiskon @inference While being on Mastodon too. This is how one loses credibility.
Talking down to others and only using insults with very little substance to counter. Showing ignorance about the areas claimed to be an expert in. Insulting people based on what they believe in.
They sound like someone who works in security. Mocking the decisions of others with far more credibility and making it abundantly clear that the only reason they don't like the FSF or people who even partially believe in it is because they respect the ability to choose.
The harder they come, the harder they fall.

@straw @itzzenxx @srestegosaurio @AmpBenzScientist @getimiskon Then, you clearly aren't focused on security. Also, for the uncountable-ith time, open source does not mean practically auditable; not if it has 10 million LoC and you don't want to pass trust to anyone else to help (trust is what you're supposed to be getting away from).
@inference @itzzenxx @srestegosaurio @AmpBenzScientist @getimiskon Coreboot doesn't have 10 million SLoC, and I avoid large projects for that precise reason.
@inference @srestegosaurio @AmpBenzScientist @getimiskon >forced obsolescence
My thinkpad t420 runs Gentoo and I installed coreboot

Still slow asf and insecure as shit lmao

@inference @itzzenxx @srestegosaurio @getimiskon Arguments are supported by facts, not insults. Have fun with your security and check your hubris at the door. There's going to be a day when your best efforts are going to be defeated and you will be humiliated with it. Those who aren't humble will find themselves humbled.

It ultimately does not matter how talented that one is or how much they know, hubris will be their downfall. Perhaps I know it all too well.

@AmpBenzScientist @itzzenxx @srestegosaurio @getimiskon Ah, yes, the typical FOSS cultist, ignoring facts I literally just stated and can be verified with something called a search.

Make sure you don't miss today's church meeting with Lord Stallman.
@AmpBenzScientist @getimiskon @inference >"apple bad"
>uses a pinephone thinking it's even remotely secure
classic
@itzzenxx @AmpBenzScientist @getimiskon TFW Apple is *provably* more secure than Pinephone, or, even worse, Librem.

bUt MuH sOuRcE cOdE!
@inference @AmpBenzScientist @getimiskon iOS is far more secure than a linux phone. Apple gives more of a shit about security than fossbros. Just how it is

@itzzenxx @getimiskon @inference I wonder what dead activists and humanitarians would say about that.

@inference @itzzenxx @getimiskon It's more about muh Freedomz. You know what is worse than a GNU/Linux distro that the end user hasn't set up properly or hardened? I can only think of IoT devices. It has its problems but it has what no other phone has, potential.

I've seen security researchers' claims and it is hilarious they believe their own work. For an open phone that allowed them the ability to approach nearly any vector they wanted, they act like it was an accomplishment.

Think about how much it can be hardened before hardware additions. There's really no way to say it's vulnerable without admitting they used a device focused on developers and full access. It's not a legitimate finding but more of an advertisement of a researcher being biased. In such works, one has to cite sources or it's plagiarism. It's hilarious what people will believe.

@itzzenxx @inference @AmpBenzScientist @getimiskon
Applel soft is still locked down crap that is borderline unusable for my usecase. I'm on LOS currently.
@dushman @inference @AmpBenzScientist @getimiskon Yeah iOS is still locked down, but for your average Joe this is not a problem for them. If you want more freedom while maintaining security use GrapheneOS.

LineageOS is an insecure mess, I highly recommend against it.
@itzzenxx @AmpBenzScientist @getimiskon @inference
LOS is the best thing I can get on this basically. The stock ROM was a bloated mess.
@dushman @itzzenxx @AmpBenzScientist @getimiskon It's technically possible to build GOS for any phone with an unlocked bootloader and device tree sources, but you'd lose a lot of the security.

DivestOS is as close to GOS as you can get for these types of phones, and does what LineageOS was too incompetent to do, such as making release builds instead of debug builds.
@AmpBenzScientist @itzzenxx @getimiskon I disagree with your post. Apple has always been against the Pegasus-style malware and this is a great first step. It actually puts it in line with GrapheneOS and reduces most attack vectors to effectively zero.

@inference @itzzenxx @getimiskon It's not going to be enough of a first step. I won't talk about it but our governments have a massive lead on them and if our governments have tools, it's probable that APTs have some level of capability to do the same.

Apple is only selling a brand. If the wrong people are coming, it doesn't really matter and that extends to criminal organizations too. It should be replaced with a screen that reads, "You have fucked up." That's not going to sell phones.

@AmpBenzScientist @inference @getimiskon Apple is a company, of course they need to sell and make money. But that doesn't void them from doing good.

This same logic can be applied to Google, but look at what they are doing with their Titan M in Google Pixels: https://www.youtube.com/watch?v=yTeAFoQnQPo