this post was submitted on 10 Jul 2024
Cybersecurity

Background & Licensing

How come GrapheneOS people often find themselves in situations like these?

Their software is all permissively licensed, allowing vendors to make it proprietary. Mainly, though, it allows them to restrict user freedoms by not allowing any OS other than GrapheneOS to be installed (which is the most secure OS anyway).

Cryptographic verification of the OS can be done with the Auditor app; you don't need to reinstall to verify it is not malware.

Still, they contact stores that sell end-of-life or insecure phones, asking them to stop doing this under their name.

PrivatePhoneShop sold devices as old as the Pixel 4a with GrapheneOS.

Is an EOL phone not secure?

I have a Pixel 4a and GrapheneOS is awesome; I still get security updates at least as frequently as is normal on LineageOS. But it is end of life, meaning Google and the hardware suppliers don't support it anymore. This means:

  • firmware issues of any kind will not be fixed (the vendor needs to sign the firmware; this is not possible for anyone else)
  • the kernel, specifically patched for this device, will not be upgraded to the next LTS kernel, thus losing support in a while. This would be possible, but is an immense effort without Google doing it upstream in AOSP.

"privatephoneshop"

Following the Mastodon post, you can see "privatephoneshop"'s selection. They sell devices that are not cheap, but pretty cheap.

Ease of Installation by yourself

You can buy a used Pixel 7 for that price and flash GrapheneOS easily, using the web installer, even from another Android phone, with zero terminal knowledge needed.

CalyxOS and LineageOS

PrivatePhoneShop sells devices with CalyxOS, which is a lot less secure in its architecture, and delivers slower security updates. It is less secure because their WebView is not as hardened, they don't use hardened_malloc, they preinstall random third-party apps, etc.

LineageOS is not privacy hardened at all. It may now be degoogled, after GrapheneOS's efforts to replace every connection to Google, even for Widevine DRM or A-GPS (SUPL), with at least their self-hosted proxy servers, stripping sensitive data.

Only DivestOS can be assumed to be reasonably secure, implementing sandboxed microG and other important architectural security measures. GrapheneOS recommends DivestOS if your device is EOL or not supported.

So the store is selling phones with insecure software that are also past or near the end of upstream support.

Background on Android updates

There is no phone company that supplies security updates as fast and complete as Google's. Google publishes recommended AOSP security patches, and a complete set. Pixel phones get all of them, while most other cheaply made devices struggle to even get the recommended ones.

GrapheneOS has updates about once a week, which is insanely good.

Btw, Fairphone plays in the same bad league as the cheap manufacturers, getting only the minimal amount of updates.

Hardware

Google Pixel phones are not just a choice because GrapheneOS devs love Google. They are the only phones that meet their security requirements.

Since they expanded their security fixes, like implementing a way to disable the USB port (which involved a ton of low-level work and is more secure than what Android ever shipped), this list is a bit long.

But even the minimum requirements are not fulfilled. Samsung is close, but security features like verified and measured boot are arbitrarily blocked for external operating systems.

Debates & Harassment

I only focus on this case now. GrapheneOS transparently asked them to stop selling EOL devices under their name.

Maybe they also asked to stop selling CalyxOS and LineageOS devices along with them, but "privatephoneshop" didn't give any evidence for that.

As a response, "privatephoneshop" posted this joke explanation:

While GrapheneOS remains a top choice for security and privacy, we feel the toxic nature of its founder (and specifically his attacks on our business) no longer make GrapheneOS a viable choice.

For YOU, because you scam people. LOL

Early in November, GrapheneOS sent us a message on X (fka Twitter) stating they did not approve of our selling older phones such as the Pixel 4a with GrapheneOS, nor did they approve of our offering CalyxOS as a choice. Having previously seen how a typical conversation with GrapheneOS goes (more on that below), we blocked them.

Wow. Does this need any explanations?

But it gets better:

Why we sell older phones like the Pixel 4a

  • Not everyone can afford a newer phone.

You sell outdated devices for up to $650. People can buy used Pixel 7 phones on eBay for like $200. You can do that too. Sell refurbished ones, better than insecure ones. Repairing Pixels is easy (in contrast to repairing OnePlus phones, wtf OnePlus).

  • Not everyone wants a phone made by google.

LOL. I think I explained why this is not some fanboy choice.

  • Not everyone wants a 5G phone.

What? You can just disable 5G in the settings to my knowledge. Also, Wi-Fi is always using something similar to 5G.

These are fake arguments, hiding behind esoteric misinformed people.

  • Not everyone wants a large phone.

Very understandable, I miss my (honestly underpowered) Pixel 4a, also for the headphone jack. But this is a trade-off if you sell "privacy phones".

There is no privacy if you can get hacked.

  • Everyone has a right to the level of privacy and security that they desire.

So, sell refurbished phones or upload instructions yourself on how to do it yourself.

Thoughts

I honestly think GrapheneOS should switch to a license that actually gives them some teeth. Bitching around back and forth on "social media" sounds like a pretty annoying thing to do apart from delivering the most secure OS on the phone market.

I am also very unhappy about Louis Rossmann and Techlore for spreading bad opinions on them.

Yes, the devs can be harsh, yes they are sometimes a bit annoying. But look at their GitHub issues: 500 open, over 2.5k closed!

They do free software that helps anyone to be as private and secure as possible. They are a blessing for our world. Please donate to them, as they are doing an incredible job.

Btw, they are also against Nazis.

top 7 comments
[–] eatham@aussie.zone 3 points 1 month ago (1 children)

When did Louis Rossmann complain about them?

[–] boredsquirrel@slrpnk.net 3 points 1 month ago (1 children)

He made a YouTube video, which also appears very high in search results for "GrapheneOS".

[–] sugar_in_your_tea@sh.itjust.works 4 points 1 month ago (1 children)

And he has a lot of valid points. That said, I use GrapheneOS despite not being a fan of how the main dev communicates because it's a solid project.

[–] boredsquirrel@slrpnk.net 0 points 1 month ago (1 children)

Yes there is a pattern in how these security people communicate. Pretty harsh, often in extremes. Closing issues as off-topic, unwanted, external etc.

But that is often needed to have a good OS.

I also don't get any info from Mozilla, for example, on how Firefox is secure, while the security people regularly say that Firefox is very insecure.

https://connect.mozilla.org/t5/ideas/security-document-in-detail-how-ff-android-and-desktop-compare/idi-p/61913#M35831

[–] sugar_in_your_tea@sh.itjust.works 3 points 1 month ago (1 children)

I'm not talking about technical discussion at all. Watch the Louis Rossman video you mentioned, in it he praises the OS and the development efforts behind it, while expressing concern for how the lead there handled non-technical issues. Here's my summary (haven't watched the video for a while, so details may be off):

  1. Rossmann leaves a comment on a video critical of something about the main dev, the comment read "that is informative and unfortunate"
  2. Main dev demands that Rossmann remove the comment because the dev has a personal beef with the video author
  3. Behavior continues on different forums, like their chat system and the dev gets increasingly aggressive

I have defended the main dev on multiple occasions on technical issues, such as Firefox for Android being less secure (mostly missing process isolation) or that Google Play has security advantages over microG. Likewise for other points (Google is really good at security). But in the same posts, I'll attack the main dev over how they communicate, it's unprofessional and discouraging. Or in Louis Rossmann's words, "informative and unfortunate." However, I still use the OS.

[–] boredsquirrel@slrpnk.net 0 points 1 month ago* (last edited 1 month ago) (1 children)

Same for me here.

The person behind the GrapheneOS account on the forum and Mastodon writes in a very specific manner.

Always in extremes, always saying people harassed them or "a developer of the project".

I have had contact with people communicating that way and it is pretty incredible. I was blocked on Secureblue and the GrapheneOS forum, even though the latter was only temporary (to scare me or something?).

Yeah, I try to avoid naming him by name so people don't go on a crusade or something against him. I think he acts unprofessionally, but that doesn't mean I want anyone to go and target him.

I appreciate the work he does, I just don't appreciate his online presence.