How good is it for the environment / e-waste? If you buy a used phone every year from someone buying a new phone every year, it means that you both use one phone every two years, right? It's a lot worse than buying a new phone and keeping it for 8 years.
If I said "I buy new phones regularly, but I sell them in second hand, for the environment". Would you consider I actually make an effort for the environment?
> If you buy a used phone every year from someone buying a new phone every year, it means that you both use one phone every two years, right? It's a lot worse than buying a new phone and keeping it for 8 years.
Because when someone says "buy used" they're obviously telling you to buy the antiques your grandma used to love back in the day on an annual basis. Anything newer than that especially from the last year or two would be new and insane to consider, especially if you keep it more than a year. You really owned me with the flawless argument there.
How many is many? Fairly sure hardware development is very hard and expensive. Are we talking about 1 million people worldwide (peanuts, will probably not recover the investment) or 50 million worldwide (might be worth it)?
I think you're an order of magnitude out. Motorola shipped 36.6 million handsets total across 2024. They seem to have had 33 handset models available in that period, and they were in profit, so the break-even point is presumably somewhere below 1.1M handsets.
If I'm off for the second group I'm probably also off for the first one. I'd be surprised if a purely privacy focused phone sells more than 200k units per year.
It's hard to find them now with all the AI slop being propped up but the best search terms may be "Iranian tunnel bunkers full of missiles". It is mostly YT channels run out of India. The oldest video I have seen was from CNN ten years ago. Iran will occasionally let journalists see their latest tunnel.
This is a short one showing the 2nd to last generation of tunnels. [1] The latest tunnels are painted white including some that are under water. The older tunnels are not painted and one can see what appears to be reinforced concrete. When completed every tunnel is lined on both sides with missiles. This one [2] shows a couple generations of the tunnels. Found the old CNN video. [3]
Even with Google's changes, F-Droid will continue to work with Android phones that do not use Google GMS.
If you care about your actually owning your device, install something else than stock OS. I would recommend GrapheneOS, since the security of some/most other alternatives is pretty bad.
Indeed. Sadly the reality is that most other Android devices are simply not secure enough. Many Android phones do not have a separate secure enclave (outside Pixel and IISC Samsung flagship and A5x range), so they are vulnerable to breaking PIN-based unlocking, side channel attacks, etc. Besides that they often only provide old vendor kernel trees, old firmware blobs, etc.
So, you have to wonder whether you want such a phone anyway if you care about security and privacy. If you don't care about security anyway, you could as well run /e/OS, etc.
Above-mentioned Samsung phones could perhaps make the cut, but don't support unlocking anymore (and when they still did, would blow a Knox eFuse).
Reduced security has always annoyed me a bit as an argument. Sort of in the same way as signal deprecating SMS because it's insecure.
I get all or nothing when your threat model is state actors. However, for most people, the benefit is just freedom from corporate agendas.
Not everyone needs kernel hardening, or always E2EE (as with signal). Personally I just like the features it provides (e.g. scoped storage, disabling any app including Google play services, profiles etc etc
Its also an easier sell to people who are apathetic to security when the product is just better and more secure, the same way apple does (for whatever their reasons may be).
All that said, I get they're limited in funds and manpower, plus the things mentioned at the end there, so I can only be so peeved they chose a target and stuck with it. They typically cite security as the reason, not those other ones, however.
Oh man, I am still annoyed about Signal removing SMS support. Had to add another app to my phone and I can now no longer accidentally discover that someone I'm texting has Signal, which happened more than once to me!
I only just installed Signal in some abandoned corner of one of my devices to be able to communicate with my 'highschool' classmates (in reality a Dutch Gymnasium so a totally different school system and age group but you get the idea) and had to get the blasted thing working without Google services on a device which for some specific purposes sometimes enables these but mostly has them disabled. As soon as Signal gets a whiff of even a stub of Google services is refuses to work without a fully fledged Google services implementation. To fix this I had to add 'disable Signal' to my 'enable rudimentary Google services' script and to do that I had to find the package name:
org.thoughtcrime.securesms
So yes, they're still called 'secure SMS' even though that is no longer part of the deal.
I'll only use it for the specified purpose since I far prefer my own XMPP server with OMEMO encryption - which is based on the same 'double ratchet' keying as Signal uses.
Reduced security has always annoyed me a bit as an argument.
Security is one of one of the main selling points of GrapheneOS, I can fully understand that they don't want to weaken that by supporting fundamentally insecure devices.
I think a nice side-effect is that they only focus on a small number of devices (Pixels) and support those really well. I have followed the /e/OS forums for a while and many devices have constant regressions because it is hard to validate each release on tens of devices.
I get all or nothing when your threat model is state actors.
People do have different thread models, though I think up-to-date software should be the baseline for everyone and where pretty much every phone outside iPhone, Google Pixel, and a subset of Samsung phones fail. Also, I think having a secure enclave should be the baseline, since phones do get stolen.
Its also an easier sell to people who are apathetic to security when the product is just better and more secure, the same way apple does
That's really a weird example though for supporting the argument that GrapheneOS should support more devices. Isn't Pixel + GrapheneOS then pretty much iPhone + iOS? Privacy-respecting, secure, not pushing AI subscriptions all the time (though iOS is getting worse in that respect), offering useful functionality?
At any rate, I understand if you have another phone, you wouldn't buy a Pixel for GrapheneOS, but it does make sense to buy your next phone for running GrapheneOS. Pixel covers a pretty wide price range to, e.g. the Pixel 9a was 349 Euro here recently, all the way up to the Pixel fold.
> I can fully understand that they don't want to weaken that by supporting fundamentally insecure devices.
Except that there is nothing fundamentally insecure about them, they just don't support a specific convenience feature. You can straightforwardly support PIN-based unlocking by encrypting the PIN in ordinary persistent storage using a longer passphrase that only has to be entered during boot.
This is arguably even more secure because it allows the PIN to be dumped from active memory and require the longer passphrase again after a timeout, a limited number of bad attempts or in response to a panic button on the lock screen. Then the device doesn't contain the long passphrase whatsoever, instead of having it permanently stored inside of an opaque enclave that itself could (and often does!) have its own vulnerabilities.
> I get all or nothing when your threat model is state actors.
The problem for those of us in the USA, that labels anyone who disagrees with the current administration and ICE as a domestic terrorist, means that now everyone's threat model is a state actor.
The threat model of every citizen that dares to exercise their first amendment rights now escalated beyond corporate agendas to "How do I make sure Israeli & Palantir spyware doesn't end up on my phone? How do I make sure if my phone does get confiscated, Cellebrite can't image it or access the data?"
Even if that weren't the case, I see no valid reason to be lax with security in 2026. There's no excuse anymore, I mean we still have OEMs selling phones that they do not issue security updates for after purchase. That's just gross negligence.
How do I make sure if my phone does get confiscated, Cellebrite can't image it or access the data?"
In this context one super-nice feature of GrapheneOS (do check the legal ramifications though, IANAL) is that it supports a duress PIN. It's an alternative PIN that immediately erases your phone (probably throws away your FDE keys?) and clears your eSIM.
Besides that, it also supports configurable time to reboot after no unlocks. This is relevant because it is typically much harder to exfiltrate data BFU (before first unlock) than after. iPhone also supports this, but only does it after I think 3 or 4 days. On GrapheneOS, this can be set as short as 10 minutes when there is a risk of your phone getting confiscated. Of course, you can also manually reboot, but that's not possible in every situation.
Graphene is OSS, so if you want to create a fork that supports other phones, you are free to do so. The maintainers have limited amount of resources, why wouldn't they focus those resources on the most secure hardware if that is what aligns with their goals? If you have different goals, create or fund a fork to support more hardware.
>Not everyone needs kernel hardening, or always E2EE (as with signal).
If application processors and hardware crypto accelerators are good enough to make this invisible to the end user, then why not? Why not have everyone be on hardened kernels by default and let them opt-in to insecure ones instead of the other way around?
It really isn't; the project acknowledges numerous existing compromises. Take a look at their roadmap or any number of threads if you think they only ever implement perfect features.
That's also an unfair take when one considers how many improvements they've upstreamed to AOSP and how many quality of life features they've implemented.
> Sadly the reality is that most other Android devices are simply not secure enough.
This seems like a bad reason for not supporting a device. If the device doesn't have a hardware feature then the OS it came with can't be doing it either, and then all you're doing is leaving the user with all of the other security problems in the OEM OS that otherwise could have been improved by replacing it.
The point of GrapheneOS isn't improving a generic device's security, it's about setting an example for a highly private and secure OS. It's a FOSS project, so nothing stops a committed individual or community from using other device targets, but the main project chooses specifically to use their smaller resources to pursue excellence rather than mediocrity.
I've had people tell me that nobody should use anything but GrapheneOS and stop supporting alternatives to throw all support into that because the others are "less secure", and now that GrapheneOS isn't for everyone and anyone -- the majority of people -- without a specific narrow selection of hardware should get lost.
We need the people who buy $100 phones to have the ability to put a better OS on them than the burning mudslide that comes with them, is all I'm saying.
>I've had people tell me that nobody should use anything but GrapheneOS and stop supporting alternatives to throw all support into that because the others are "less secure"
Without having an kind of authoritative knowledge or experience on the topic, those people are wrong and please ignore them. The argument has generally been that if you are specifically after privacy and security in your personal device then GrapheneOS or post-MIE iOS will be your most sensible choices. You CAN choose devices for other reasons, as has always been your prerogative.
The question of whether to support 'alternatives' is fraught. It used to be that there were two other OS projects that happened to be collaborating and adopting features from GrapheneOS and that would have been reasonable. The main argument (from GrapheneOS) in that case has been for people to please invest in alternatives with approaches to privacy and security that stand up to threat-model driven design and real world attacker/defender experience.
GrapheneOS was never meant to be alone in pushing for things like hardened secure element-based protection of secrets and side-channel resistant rate-limiting of unlock attempts, memory tagging/hardened memory allocators/secure application spawning/dynamic code loading control, anti-persistence hardening, prompt security patching, network/sensor permissions, contact/storage scopes, PIN scrambling, auto reboot etc. Unfortunately very few other projects that I am aware of are looking into doing things like this to give the device owner control and mastery over their data.
>and now that GrapheneOS isn't for everyone and anyone -- the majority of people -- without a specific narrow selection of hardware should get lost.
GrapheneOS tries to make most of their hardening transparent and non-intrusive by default. They also spend a lot of time and resources working on usability (sandboxed-Google-play and the web installer) and now accessibility (upcoming text-to-speech implementation?). The idea is that if you have a Pixel and choose to use GrapheneOS then it should be as easy to use as they can manage without compromising their efforts improving privacy/security. In that sense, GrapheneOS is for anyone and not just security nerds or tinfoil hats.
The exclusivity to Pixels is an unfortunate consequence of being the only platform equipped to provide what they need to achieve their goals. If multiple devices supported what they needed from the beginning, they would have probably supported three or four models from different brands as targets (for example you could imagine a couple Pixel lines + one Samsung line (Europe/North America/Oceania), one Xiaomi line (East Asia/South East Asia/South Asia/South America), one Tecno line (Africa). This is speculation on my part, but the main point is that the Android OEMs have been seriously slacking on basic privacy/security leading to this kind of situation.
>We need the people who buy $100 phones to have the ability to put a better OS on them than the burning mudslide that comes with them, is all I'm saying.
No disagreement here. This relies on AOSP adopting improvements and also on Google tightening their certification (for Play Store) requirements to include stronger privacy and security guarantees.
Every GrapheneOS proponent I've seen has claimed that other devices are inferior to Pixel security wise, and that's why they're not supported. That always sounded a bit odd to me and certainly seems to have a bit more nuance based on your comment. Thank you for adding some clarity here.
Graphene doesn't really try to stop you. They just don't spend their own efforts on making it possible. It is OSS so, your free to spend your efforts where you want to.
It would require a significant commitment of limited resources to broadly support insecure devices with very little upside, and to do so would constitute gross mismanagement of the project.
Meanwhile, others are completely free to fork numerous GrapheneOS improvements or benefit from their upstream improvements (as some have, including Google).
I never mentioned any commitment except accepting pull requests, did I? Qubes can do that and doesn't require a fork. Are you saying they have much more resources?
Every accepted PR for supporting insecure phones eventually becomes a maintenance burden, and potentially a security vulnerability. If they don't want to spend time on it, it's okay to decline such PRs.
You're being disingenuous here. What is the value of accepting pull requests with no intent to approve? The rhetoric you're using here is on a I'm-just-asking-questions level.
You're not being consistent in what you're advocating. You mentioned accepting pull requests in the context of wanting to see broader device support. You want broader device support. I do too, which is the value of the Motorola announcement. Your suggestion isn't the way to achieve that. It just isn't viable for reasons you should reasonably already understand. But since you don't...
It shows yet again you just don't understand the project, how it's structured, and what its goals are. I'd say you should try running it, but you're still murky on the actual nature of the OS you use daily, so there would be no point in my suggesting that.
Assuming all you want is broader device support while magically not increasing the GrapheneOS team's overhead, but for reasons you haven't stated won't accept forking it, you're out of luck, which is right where you should be.
Still, why? If you want hardware which lacks security features to run an OS, the primary value of which is its close integration with said hardware security features, what is it you really want, then? A degoogled Android OS? That already exists. Are GrapheneOS's "software" security enhancements (as if we can say "software" in the context of security in total isolation) their quality-of-life improvements to the OS that you're after? Many of those would greatly degrade in value if you couldn't trust the hardware it's running on. You'd get storage scopes, but you'd get it without a file system you could trust. You'd get network permissions but you'd get it without baseband isolation you could trust. You'd get x, y and z, without memory tagging.
If that's what you want, you can get that elsewhere, and should.
But by the conditions you set up, you're also effectively asking for code contributions by outsiders, when the project very deliberately and by all indications very tightly manages who can contribute code, and for good reason. The history of open source is the history of malicious code injection and social engineering attacks. If you want the device to be secure you have to address security from all angles.
Unless you're really, genuinely, nonsensically proposing the project commit resources to allowing people to suggest code changes they have no intention of ever implementing. Though I suspect at that point you'd argue in favor of some code base changes, while not having addressed the fundamental implications of doing so.
You're doing a great job of arguing against yourself, here, and have highlighted a fundamental challenge with Qubes OS. As an active user on the forum I'm sure you've seen the reasoned discussions weighing the pros and cons of accepting code contributions. If your response to that is, again, 'there hasn't been a relevant Xen bug in two decades and my data has been safe this whole time,' that's a dead-end for understanding anything.
Your rhetoric in all this is very similar to the kind of thing one easily finds on normie websites about commonly divisive issues. At some point I just can't keep insisting you're either informed or sincere about all this, HN guidelines notwithstanding.
The problem with laptops is that UEFI is a shadow operating system that keeps running after boot, with a bunch of security vulnerabilities. Furthermore all Intel / AMD chips have a microprocessor state called SMF which if you trigger it basically gives you carte blanche to do whatever you want.
"Trusted Boot" is a meme on x86. If you really want something like that you need to do what Oxide Computer is doing and rip out UEFI for good and implement your own secure boot chain.
Qubes is great but at the end of the day cannot protect against evil maid attacks to the level that pixel or apple phones can. Its great at making sure a browser exploit cannot steal your banking credentials you have open in a different virtual machine but cannot overcome the limitations of the platforms it builds off of.
So I understand why the GrapheneOS folks do what they do.
See also: "X86 considered harmful" by the founder of Qubes OS (posted in 2015!)
You still need to address this part: "Qubes is great but at the end of the day cannot protect against evil maid attacks to the level that pixel or apple phones can. Its great at making sure a browser exploit cannot steal your banking credentials you have open in a different virtual machine but cannot overcome the limitations of the platforms it builds off of."
That's the crux of it you blow past every single time it comes up, and then disparage others as having not stuck around long enough to educate you (as if that's their responsibility).
> "Qubes is great but at the end of the day cannot protect against evil maid attacks to the level that pixel or apple phones can"
Yes, it can. Heads, TPM with a hardware key do exactly that, don't they? I'm not sure what you mean by "level". You would need to use a nail polish, too, to be sure your laptop wasn't tampered with.
> but cannot overcome the limitations of the platforms it builds off of
Yes, it can, if you use it correctly. Tell me your threat model, and I will explain how Qubes can protect you.
Perhaps you are right, and the hardware attestation is more reliable on a Pixel. However, doesn't it rely on proprietary hardware, unlike Heads? coreboot with Heads is not the same as Qubes AEM. Heads is updated regularly: https://github.com/linuxboot/heads/
Heads + TPM is solid but I suspect it is not at the level of Google/Apple secure enclave. And a strong secure enclave provides benefits outside of first boot to secure certain processor state and continuosly ensure integrity.
I think at cold boot as long as one doesn't store the encryption key in the TPM (external hardware key?) then one should be secure. I am not so sure about post boot however, once the system is already running.
This actually prompted me to research a bit on the scale of the security impact of SMM
It seems that coreboot is aware and supposedly for some computers can be implemented to catch calls to SMM (ideally this would prevent the attacker from triggering SMM - if they do it's game over).
I do suspect though that if the system bus is not protected from malicious calls then someone can trigger SMM and have carte blanche to one's computer.
I don't know what processes Apple / Android use but I suspect ARM chips don't have SMM and that they tie certain functions to their secure enclave. In X86 its backwards, with SMM having control over the TPM (at least in some implementations).
Though some SMM vulnerabilities are patched by now given its history I take X86 security with a grain of salt. I think the potential for a secure platform is there, but I suspect one would want to make their own boards engineered with security in mind to be certain (I hope this happens in the future - it seems to be happening in the server space already).
Versus storing the encryption key on a device requiring USB with its many vulnerabilities (even on Qubes OS), storing the key in a dedicated eSE is beneficial.
Beyond that, there have been known vulnerabilities of NitroKey's Librem Key, to say nothing of the Nitro Key App.
Nothing's perfect but I would vastly prefer something like the Titan M2's implementation over a USB key with all of the complexity and attack surface that introduces.
Adding: Qubes is really no better, and maybe worse in some ways, than having a discrete banking VM in your bare metal Xen hypervisor. Sure, there are some improvements such as handing input devices over to an appVM, those sorts of things one could do in Xen manually, but broadly speaking the value Qubes bring is it does an amazing job of making living out of a Type-1 hypervisor barely doable for some small subset of people. And the "barely" and "small" is increasingly shrinking with each major release.
The magic of Qubes isn't its isolation, it doesn't even provide its own isolation. Qubes is an integration layer added on top of an isolation foundation. So you have a clipboard, file transfers, window dressing, easy configuration of device pass-through rules, all that. It's great.
It's phenomenal at that. But you have to understand what it is. You have to layer on a whole bunch of additional cruft to the Type-1 hypervisor, potentially all of which introduces potential vulnerabilities to dom0 and/or relevant appVMs. (Fortunately the project moves very slowly even for its size, which gives me some reasonable degree of confidence in its third-party code contributions, if less than I have in GrapheneOS's team's contributions.)
GrapheneOS solves a lot of these practical issues in very real and excellent ways, and it does it in large part via its tight integration with the excellent hardware it runs on, "Google" notwithstanding. (Now, "Motorola." "Lenovo." "China." A poor architecture even when made in America is not a practical improvement.)
Qubes-by-way-of-Xen does it despite running on pretty horrendous architecture. Even with your labor-intensive and super geeky improvements you've made to your setup, an evil maid attack, a theft, coercion, legal and political forces, all of these factors hit a harder target in GrapheneOS than they do in any QubesOS configuration currently achievable. But, as stated, trying to contain the most dangerous software most people ever run, a web browser, from leaking into your password manager? It's great. If that's your primary threat model, it's difficult to beat. Profiles on GrapheneOS are also excellent for that, if less well-integrated and therefore usable as Qubes.
Qubes still wins in terms of virtualization, of course, and you're comparing the benefits of virtualization to all of the many other benefits GrapheneOS brings (and in many instances iOS too), but you're not comparing them meaningfully.
Type-1 style virtualization is on the GrapheneOS roadmap, and once they achieve that it will be vastly more secure than QubesOS running on any x86 concoction you can devise. Give me a ThinkPad that meets GrapheneOS's hardware requirements running a virtualization-based GrapheneOS implementation and I would have little reason to ever run Qubes OS again. That would be some kind of peak practical end-user security solution, and I'd imagine enterprise and state customers would flock to that, if the broader enterprise requirements of it all were met, too.
As one who has lived out of both operating systems for years, I struggle with the way you invariably make value judgments about GrapheneOS every time it comes up in a thread, based on your (justifiable) appreciation for Qubes OS. The same thing happens in reverse on the GrapheneOS forums, by the way.
Both lines of thinking are faulty, and attempting to directly extrapolate from one project to the other (in either direction) mostly only conveys a lack of understanding of both projects, even (especially?) one's favored project.
Joanna Rutkowska herself admitted that the difficult nature of trying to contain the PC hardware stack made it ultimately feel like she lost the war. Qubes OS is inherently vastly more vulnerable than GrapheneOS, in large part precisely because of their different approaches to hardware. Some of this has been mitigated by developments made since she stepped back from the project, but some of it will always remain. How to deal with this inherent conflict is not a simple matter and the two projects have taken two distinctly different approaches.
In the cases of both projects, I think they made justifiable decisions in their approaches. I use and contribute to both projects.
If you've been using Qubes OS long enough, you'll remember a time when trying to run it on anything that wasn't essentially identical to the ThinkPads used by Qubes OS devs often presented a major challenge.
GrapheneOS is a fundamentally different project in scope, and each project has a subset of users which seem unable to do anything but evaluate the other project based on the criteria set by the one they like.
"The goal of the project is not to slightly improve some aspects of insecure devices and supporting a broad set of devices would be directly counter to the values of the project. A lot of the low-level work also ends up being fairly tied to the hardware."
GrapheneOS achieves significantly more security on the hardware level than Qubes OS, in very large part specifically due to the nature of the project. It's also an infinitely simpler OS to get up and running with, on both current-gen flagship hardware and current-gen value-prop hardware available in just about any store which sells cell phones.
In addition to all that, by the nature of the respective code bases it presents a significantly smaller attack surface than a computer running Qubes OS.
Securing a single device type with excellent hardware security is simply much more viable a project than securing a broad range of devices with hardware security that is, at best, pretty terrible.
Repeatedly criticizing one project without significant familiarity with both is not just pointless, it's counterproductive to aims of FOSS privacy and security.
> In addition to all that, by the nature of the respective code bases it presents a significantly smaller attack surface than a computer running Qubes OS.
I critisize precisely because I don't understand what you're talking about.
The last relevant VM escape was in 2006, discovered by Rutkowska herself. Since then, nothing could access my secrets in an offline vault VM. I would appreciate a clarification, how GrapheneOS can be more secure without reliable virtualization.
AFAIK Xen security relies on 100k LoC. And this is in addition to the virtualization. How many LoC does GrapheneOS require to provide its security? How can it have less attack surface than Xen? Developers replying to me here never provided an understandable reasoning, only keep repeating that it's "very, very secure", without even mentioning any threat model.
Doesn't GrapheneOS rely on closed Google's hardware to provide its security? I would never trust Google with that. How can I not critisize such approach?
Attempting to compare line counts of 'security-related code' in isolation, if such a thing can even be framed that way, as if that's a useful metric indicates a fundamental misunderstanding of the issue. Making very selective hardware comparisons while attempting to compare the relative strengths of the operating systems running on said hardware also indicates the same.
Framing closed blobs as fatal flaws while advocating for other situations also containing different closed blobs is disingenuous.
Saying no hardware designed by Google could be trustworthy while advocating for x86 architecture and hand-waving IME (or PSP to whatever degree) as being "disabled," when no such thing is fully possible, is lazy. You don't get to care about this stuff selectively. IME when disabled to our fullest ability can still receive and apply microcode updates without the user's knowledge, making access to full unrestricted PCI lanes, DMA and USB possible. Wi-Fi certainly, at least in some specific scenarios. I'm not as concerned by IME/PSP as some, though I am much more concerned by it than some others, but the consistent selectiveness of your approach to attempting to understand that (and I'm taking it in good faith that you are) is precisely the kind of thing that makes people give up on attempting to give you additional information by which to reconsider your opinion.
Citing Joanna's research without any relevant context when you find it convenient yet ignoring it when it doesn't isn't helpful, either. You raise issues, people provide relevant research, and you ignore it while accusing broad swaths of people of doing the same. At some point it feels like projection.
I don't like even the appearance of unfairly criticizing the Qubes team publicly, because it's an important yet still-fledgling-in-resources project and they're doing amazing work nonetheless, but "the last relevant VM escape" overly relies on "relevant," and you overstate Xen's security because you're looking at it in isolation as if you can compare the relative security of operating systems while selectively comparing their hardware. The Qubes OS team has allowed significant Xen vulnerabilities to remain unpatched for weeks to months, sometimes not even capturing them in their XSA tracker. The GrapheneOS team seems fairly exemplary in pushing out important patches. I say this not to knock the Qubes OS team which does great work with very limited resources, but there are real, practical, significant differences in the two approaches and so long as you're comparing specific points in isolation of their broader context you're going to miss significant fundamentals.
Qubes OS's encryption situation out of the box is lacking in numerous ways which some Qubes OS users attempt to manually address. Consider the rigor it would take one to replicate your config vs. the rigor it would take to buy a Pixel and install Graphene OS. A journalist or dissident who is massively concerned with being in possession of data, the discovery of which could see them jailed or killed, is significantly better off storing that on a device running Graphene OS. That's not a hand-wavy thing, when you consider the full stack the advantages are numerous and concrete. There are many other practical differences between the two security models, when compared holistically. File system security of GrapheneOS is miles ahead of where Qubes OS is, and it's partly due to the OS, partly due to the differences in hardware. Brute force resistance is leagues better on GrapheneOS in part because the hardware facilitates it, and the OS does a best-of-class job at taking full advantage of that hardware.
At what point will you stop repeating your line of, "I keep asking for examples but they never answer"?
I really appreciate your detailed, good-faith responses.
> Attempting to compare line counts of 'security-related code' in isolation, if such a thing can even be framed that way, as if that's a useful metric indicates a fundamental misunderstanding of the issue.
> Framing closed blobs as fatal flaws while advocating for other situations also containing different closed blobs is disingenuous
Isn't this an important milestone, when the OS has no proprietary bits at all? This not the end, but something worth celebrating, I guess. Apart from that, doesn't Librem 5 has a lower number of blobs in general? I might be wrong of course.
> hand-waving IME (or PSP to whatever degree) as being "disabled,"
It seems you misunderstand me or didn't really read my previous posts carefully. I never considered "disabled" ME sufficiently secure. I strongly prefer "disabled and neutralized" instead, which I btw have on my laptop. It doesn't completely kill it, but it certainly makes it quite unlikely to make any harm.
> yet ignoring it when it doesn't isn't
I guess if I ignored something, I did not notice that it was relevant. Therefore I have no idea what you are talking about, i.e., which exact posts of mine you mean. If you actually want to be helpful, this is not how it's done.
> but "the last relevant VM escape" overly relies on "relevant,"
I admit that, and I specifically mentioned my threat model with passwords in relation to this. You didn't show how my threat model was wrong or not secured against.
Your other points are well articulated, although the corresponding threat model you mentioned is definitely not for everyone. Thanks again.
Noting that they have deliberately added as little code as possible to dom0 to minimize the risk of introducing bugs or attack surface and quantifying it in service of their point is a sensible way of effectively conveying how they're approaching the problem. You attempted to use the same thing as a tool by which to make comparative value judgement, like seeing someone using a hammer to drive a nail and then attempting to use a hammer to drive a screw.
You also continue to shift the goalposts on things which I trust is not from malice but a hazy grasp of some basic fundamental concepts. You've already had it explained to you by people much more qualified than I how the Librem 5 has some entirely closed-source components running woefully outdated firmware, but now it's about celebrating something else entirely.
"Disabled and neutralized" IME is still IME that's highly privileged hardware running a closed-source operating system outside of your ability to monitor it. By the standards of evaluation you set in other comments baselessly criticizing Pixel hardware, you should object all the more to the x86 architecture, even with your ultimately insufficient attempts to reduce harm. The hand-wringing over the possibility that Google has embedded a still-undiscovered way to exfiltrate data from their phones even when running GrapheneOS, is misguided and unfair at best, and if nothing else you should be consistent in your application of these principles.
I trust I shouldn't need to cite every point you repetitiously make in order for you to stop complaining that I'm not limiting the scope of my reply perfectly to one particular comment of yours, as if this is some kind of contest of form.
If you kept current or really spent any time at all researching XSAs you'd know that its shared memory architecture alone has resulted in numerous XSAs, some of which could very much apply to your threat model. Hardware MTE would go a long way to mitigating that, which Pixels have. In the hypothetical scenario of Qubes OS running on more secure hardware than even your home brew situation, that would be a significant improvement over the status quo which you say you can't even imagine. You're defining your threat model overly narrowly by excluding all kinds of relevant factors and then declaring it wholly met. That's not how this stuff works.
If, after all this, you still can't imagine how Qubes could be improved upon for your particular threat model (having passwords in a vault appVM exfiltrated) after hearing just a couple hypothetical benefits of running it on more secure hardware, it's unsurprising you can't recognize the comparative advantages of GrapheneOS and instead want to rely on things like counting lines of security code because you once saw someone else do it in a different context.
My goal here is not to change your mind, that part is up to you and you've already had one of the finest minds in the field address your issues point by point elsewhere (that was a fun surprise to see). My goal is to reduce the ease with which you can continue to filibuster people into moving on with their lives so you can then continue making the same unjustifiable claim that nobody ever offers a meaningful explanation to you when you merely ask simple questions about the benefits of the project. Unstoppable Force Meets Argumentum ad nauseam.
> Noting that they have deliberately added as little code as possible to dom0 to minimize the risk of introducing bugs or attack surface and quantifying it in service of their point is a sensible way of effectively conveying how they're approaching the problem. You attempted to use the same thing as a tool by which to make comparative value judgement
I guess you only opened my first link but not the second. Here is a quote from the second link for you:
> The size of the current TCB is on the order of hundreds of thousands of lines of C code, which is several orders of magnitude less than other OSes. (In Windows, Linux, and Mac OSes, the amount of trusted code is typically on the order of tens of millions of lines of C code.)
Which leads to things like laptop sleep working inconsistently. Instead of having a good reputation, Linux's reputation gets hurt by all the random devices it allegedly supports.
But at least your laptop can run Linux. You get to decide as the user whether the problems that come with it are worth it.
And while some machines have problems like that, there are plenty of manufacturers who will sell you Linux devices with better support.
Also I don't think Linux's reputation is as problamatic as you make it seem. It is astoundingly popular and continues to grow - owing in no small part to its accessibility.
Imagine if Apple had this same mentality, they would never be where they are.
(/s in case it is needed.)
As a smaller project, choosing a small set of hardware and supporting it really well (aside from security reasons) seems like a much better strategy than supporting tens of devices badly (go to e.g. the /e/OS forums to see what regressions people are dealing with after monthly updates).
Indeed. Apple is financially successful, but they're ultimately a minority player in pretty much every market they engage with - including desktop/laptop computers and even mobile devices globally. And for me they are just as inaccessible as GraphineOS.
But for Apple that is not necessarily a bad thing. They're a company. Their goal is to make money and they are highly successful at it. GraphineOS is not a company. They don't make money. Which begs the question of what is GraphineOS's real goal and is it valuable? Creating a maximally secure mobile OS seems valuable on its face, but that value is undercut by its inaccessibility.
You are saying this like GrapheneOS only runs on some unobtanium hardware. I can literally hop on my bike and pick up a phone that runs GrapheneOS in 5 minutes, every day of the week. Also, it's available in pretty much all price classes except maybe a 100-200 Euro phone that runs on a Unisoc CPU. Pixel 9a regularly goes for 350 Euro here and you can go all the way up to an expensive flagship with a Pixel Fold (or anything in between). Even in the 100-200 bracket you can probably pick up a refurbished 8a that should still be supported until 2031.
I know that they are not sold in every country, but worst case it should be possible to get your hands on one second hand or refurbished.
GrapheneOS is working with a manufacturer to change this:[0]
> We're working with a major OEM and the devices will be the future versions of existing models they have now. The devices will be priced similarly to Pixels. The initial devices will have a flagship Snapdragon SoC for the best security and support time. Snapdragon flagships have significantly better CPU and GPU performance than Pixels. Snapdragon provides high quality Wi-Fi, Bluetooth, GNSS and cellular support as part of the SoC. eSIM and other functionality is also provided by the SoC. Snapdragon has decent image processing functionality included too, and good neural network acceleration.
The more, the better. If Google really decides to follow the fruit factory in closing down Android I hope that AOSP-derived distributions fork Android to create a large enough base to make it a worthwhile target for application development. Not matter what happens I'll hop off the Android train since I won't use a device with a Google account - never done so and never will. Nae lairds, nae kings, we are free men!
And I don't really think that people mean using google hardware but rather being mined by google software.
May I ask, if you (a) just want to be technically correct, (b) don't see the difference or (c) are trying to make a point I don't understand and if so would be willing to explain?
Pixel 9 Pro handsets are going for around $500 on the secondary markets like ebay. That's a only a single generation off from their current Pixel 10 models and you still get OS and security updates until 2031.
Not a bad deal and pretty crazy how fast smartphones depreciate now.
The outlook webapp is quite decent. I've never used their native app, but I've manahed to get by fine with their webapp, even though notifications don't work (I just check it regularily). IIRC K9/Thunderbird also has support for exchange now.
Correct. I am using my Dutch bank and credit card apps without any issues. Someone linked the curated GrapheneOS banking list already. If your bank does not support it, you could either contact them. If they require remote attestation, this can be implemented for GrapheneOS as well:
If the bank is very hard-nosed about it, you could consider keeping an old iPhone or Pixel (because long security updates) for banking if it is practical to do for you. 95% without big tech is also a big win. Of course, if you need to have it with you at all times, that might not be a worthwhile option.
can confirm. And there are even some pages that list banking and other apps working on GrapheneOS. It's actually very few that don't work with sandboxed Google Play API.
Can you not setup your work email through a regular email client? I thought the days of being locked into Outlook specifically went away with Exchange. Everywhere I've worked since has been able to.
Also, what kind of banking are people doing that requires an app? I genuinely don't know what it could be.
> Also, what kind of banking are people doing that requires an app? I genuinely don't know what it could be.
Close to every bank in the EU requires their user to have an app, for MFA (both for logging in and for validating transactions - transfers, payments). They use the smartphone's TPM. I have yet to see one that allows you to use your own MFA app.
The few I've seen that don't require it will validate the same through text messages (not everyone has a smartphone); though if you associate their app even once, you're screwed - the app it is from now on.
Here in The Netherlands banks used to offer authenticator devices, which they are phasing out (you can still use them, but they wont replace them once they run out of battery). Pretty much all banks switched to app-only.
No SMS at all (which is not surprising, because SMS is not secure).
Also, IMO fingerprint/face-based authentication is much nicer/quicker, especially for online payment flows like iDEAL (Dutch predecessor to Wero). And banks here work on GrapheneOS, so not much is lost.
> Anecdotally, of my two EU (massive legacy French) banks, neither requires a mobile app. SMS all the way.
My wording was bad, sorry; but try to install their app just once. After that, I'd bet you won't ever be able to go back to SMS validation (which is what I was talking about at the end of my comment).
If not, I'd be curious to know the banks you're talking about (to consider switching to them, for one thing). What I said above is true of Caisse d'Epargne, HSBC, CCF, among others.
>I'd be curious to know the banks you're talking about
Fortuneo (internet-only subsidiary of Crédit Mutuel) and LCL. I have had both their apps installed at points in the past. In both cases they defaulted back to SMS 2FA upon uninstalling, though I remember worrying I would have the problem you describe.
Ultimately I can't see how a bank could get away with forcing (rather than just pushing) existing customers to install an app. This would surely be a breach of contract.
> Why do people need banking on their phones though? Banks have websites too.
2FA. I was a smartphone hold-out for longer than anyone I know, but banks mandating 2FA with no options for doing it in a standards-compliant way or any way that doesn't involve the app stores was what finally broke my resistance.
This is asked again and again. Apparently you guys in the USA or in other parts of the world are still lucky, but in Europe banks must be compliant with regulation that more or less force them to do 2FA through their app with the biometric authentication of either an Android or an iOS phone. There are other ways (eg giving a hardware OTP generator to customers,) but apps are the cheapest solution.
I'm just wondering since I'm currently using 3 different European banks without any biometric authentication to unlock my phone, password manager or provide a 2FA.
I'm asking so that I can adjust in time to any new regulations I'm not aware of.
Credit cards, which are US companies, use 3D secure. It's a 6 digits PIN plus a code sent to me by SMS. Amazon stores the card data and very seldom asks me for those PINs.
One bank gave me a hardware OTP generator. I type in the code, plus the bank PIN, plus a random number they show on screen.
Other banks send a push notification to their app on my authorized device (only one of my devices can be authorized at a given time). I must confirm the operation with my fingerprint or with the bank PIN. The fingerprint is easier, no password manager to open.
The result is that I can do online banking anywhere around the world but I can't use credit cards online unless I am in my home country, because for some reasons SMSes don't reach me abroad. There might be something wrong in my contract but I've not been able to sort it out.
The last time I've been in Australia I put a local SIM in slot 2 of my phone and used it for local communications and data. I could receive calls on my home SIM but no SMS. I even contacted the customer service of a credit card to attempt to make SMSes reach me on the Australian number. Fat chance.
AFAIK every popular Android phone uses a qualcomm modem chip with a separate OS that has complete access to ram. NSA most certainly has a backdoor there and such complete access to any Android phone. This was common knowledge after the Snowden stuff. I don't think this has changed at all since. Only few niche phones (pinephone) separate these systems or have a hardware switch to disable the cellular system.
There is common knowledge to suggest that it is not the case (or maybe is no longer the case):
>Mainstream smartphones do not provide DMA access from the baseband to the application processor's memory... Yes, getting baseband access then lets you monitor regular voice and SMS comms. But no, it does not instantly compromise the AP so using the Signal app would still be secure.https://news.ycombinator.com/item?id=10906488
>This is false FUD that keeps being repeated. It's not true. No iPhone ever has had a baseband with DMA access to my knowledge, and modern Qualcomm devices have advanced IOMMU systems to firewall away the baseband from the rest of system memory. I'm sure some phones somewhere existed where the baseband was privileged, but it's not the norm.https://news.ycombinator.com/item?id=30393283
>Connecting a cellular radio via USB provides far less isolation than the approach of a tiny kernel driver connected to an IOMMU isolated cellular radio on mainstream devices. USB has immense complexity and attack surface, especially with a standard Linux kernel configuration. Forensic data extraction companies mostly haven't bothered using attack vectors other than USB due to it being such a weak point. Many of the things people claim about cellular radios in mainstream smartphones are largely not true and they're missing that other radios are implemented in a very comparable way.https://news.ycombinator.com/item?id=46841004
> NSA most certainly has a backdoor there and such complete access to any Android phone.
Citation needed?
> This was common knowledge after the Snowden stuff.
Not to me, it isn't? As far as I'm aware, most of the Snowden stuff were centered around PRISM, which allowed widescale wiretapping of internet backbone, as well as agreements with big cloud providers to allow tapping into their data.
I haven't seen anything indicating that there was widespread compromise of personal computing devices at such a deep level of the root of trust. I haven't seen any indication that the NSA has a backdoor in the earlyboot CPU of any device, whether that is the Qualcomm boot processor, the Intel Management Engine or the AMD Platform Security Processor (which all have similar capabilities and hidden firmware).
If I missed anything/have links to research into these backdoors, I'd like to see them!
I agree, but the probability that this is going to happen anytime soon is near-0. The current US administration is not going to rein in the tech broligarchy and if they did, it would be done out of spite and the pieces wold sold to administration-aligned oligarchs (e.g. Ellison), which might end up being worse.
The EU is not going to force this, because it has enough fights to pick with the US, and this is not the hill that they are willing to die on. It would be far more likely for them to financially support an AOSP-based OS.
The EU simply is not (and should not) be able to split up google who operate international. But they can regulate the EU market and declare that a monopolist cannot operate there as a monopolist and introduce any arbitary rule achieving it.
Not sure if you know this, but both Biden and Trump (in his previous admin) had their DOJ file lawsuits against Google. "United States v. Google LLC," which was filed in 2020 and focused on Google's dominance in search and advertising markets. A separate case was filed in 2023 targeted Google's monopolization of digital advertising technologies. The State of Texas also sued them in 2020.
Google lost all three cases. The DOJ in all three recommended the company be broken up, but the judges disagreed. If you want to blame someone, then blame the judges, not the current admin or Bidens DOJ - both of whom said Google should be broken up.
As of now, Google isn't destroying non-Google android installs, so F-droid will still work there (correct me if wrong). So until Google takes android fully closed or succeeds in getting popular/necessary apps to blacklist non-Google-verified devices, F-droid still has a role
I hope so. The changes can mean two things: people can only use it easily in custom roms (I guess there is an overlap there) or they actually would play with Google: i guess technically they could as well register and sign the stuff with a Google key as the software is all FOSS and would allow defining another responsible developer (otherwise Google would have to through out all FOSS without CLA from their playstore). I guess quitting would be an option, but IMHO the outrage outside the bubble would probably be hardly noticable, so what would be the point?
Claude may seem incongruous compared to the others, however it's the only human sounding name, compared to the robotic "chatgpt" or others that sound generic or bland company names (Gemini, perplexity).
They intentionally chose a more bland sounding name, as, I assume, they wanted to emphasise the "safe" nature compared to their competitors.
As more information comes out about openai, people may choose to move to for other reasons, such as
- Openai adding ads
- Openai's president donating millions to a MAGA PAC
- Openai getting closer to the US military whilst anthropic standing their ground and rejecting them.
- Openai's recent products not being at the top of the benchmarks
> They intentionally chose a more bland sounding name, as, I assume, they wanted to emphasise the "safe" nature compared to their competitors.
A lack of creativity seems more likely to me. It’s a GPT in a chat window.
> Openai getting closer to the US military whilst anthropic standing their ground and rejecting them.
Except they didn’t. They folded faster than a house of cards during an earthquake. It boggles the mind anyone thought they wouldn’t. Ultimately they only care about money and winning.
OpenAI has demonstrated a severe lack of ethics, you're right, it's just hard to know how educated the average consumer is about that. The anthropic-military thing is a big deal but I suspect few outside of the tech world really understand the implications of what's going on.
Anectode: My aunt was talking about how she had a conversation with ChatGPT about how bad OpenAI was and the AI said "we need regulations", and that seemed to satisfy her somehow.
Oh funny, I forgot about that. But at the time it didn't seem unreasonable to withhold a model that could so easily write fake news articles. I'm not so sure it wasn't..
Either 3 or 3.5 also had "it tricked our researchers and tried to to escape so we had to dumb it down before release" marketing. What actually happened was someone asked it something like "how would you escape detection" it replied telling the person that, basically just regurgitating a regular sci-fi plot.
reply