According privacy...
26

Which option can be the best to browse in Android (between these options)

  • Bromite ; Firefox
  • Stix
  • Iceraven
  • Icecast
@je_vv
9
2M

How about mull (on github) instead? I understand it’s based on arkenfox, and it’s like librewolf on android…

Adda
5
2M

I second this. From all of these, I would use Mull. If that is not an option, probably Bromite then, even though I actually really dislike Bromite workflow from the little time I have played with it (and therefore all the Chromium based browsers on Android, I guess – I have not used any in a long time on Android). It just somehow does not suit me. But its privacy features should be great.

GPL will protect us
42M

+1 for Mull. I use Bromite as a secondary browser.

@dragonhunter056
22M

This is my first time hearing of Mull, thanks!

@Lunacy
8
2M

Bromite is more privacy friendly. It doesn’t have any telemetry or trackers, and is shipped with real mitigations against fingerprinting, an adblocker, and other features, including:

  • remove click-tracking and AMP from search results

  • always-incognito mode

  • make all favicon requests on-demand (supercookie mitigation)

  • reduced referer granularity

  • enable all network isolation features

You can see the full list of features here

These features are enabled by default, so you’re going to blend in with the crowd of other Bromite users, which is really good because it’ll be way harder to uniquely identify a single user.

Security wise, Bromite is better. Chromium-based browsers come with useful security features, like site isolation, CFI and JIT hardening. Instead, Firefox lacks several security mitigations, especially on Android. You can see more here. Moreover, Bromite uses security enhancement patches from the GrapheneOS project.

Keep in mind that security is also as important as privacy. Actually, security is the first line of defense to protect your privacy.

  • Firefox

Firefox comes with telemetry and trackers enabled by default. You can disable the telemetry; however, in the stable version of Firefox for Android the about:config page is blocked, so you can’t disable all the telemetry. About the trackers I’m not really sure; I think that you can’t disable them using the browser’s settings. Firefox is shipped with enhanced privacy protection, a tool which protects users against cross-site tracking, social media tracking, cryptominers, fingerprinting and more. Ideally, you’d use the standard protection, because it is the one enabled by default and thus used by the majority of users. In Firefox you can use add-ons, but keep in mind that every add-on installed makes you more fingerprintable. I linked some articles regarding these problems here.

  • Iceraven

Iceraven is a fork of Firefox with some modifications and not up to date, which is really bad; every piece of software should always be up to date, it’s the most important form of protection you have. You can see the full list of features here.

Forks of Firefox are almost always not up to date, and they don’t add useful privacy and security enhancements. Instead, they just remove telemetry and other closed source components like Pocket. On Firefox, besides the stable version on Android, you can disable Pocket, telemetry, Google Safe Browsing and basically everything.

I didn’t find information about stix and icecast.

Adda
5
2M

Great explanation. Thank you. Btw., you forgot to link the Iceraven feature list. It would be great if you could update it. I have looked around and actually could not find any reasonable full feature list so far.

@Lunacy
62M

Thank you. I modified the reply, now you should see the link.

Adda
22M

Ah, you meant the GH repo, right. I was curious what you would link as a feature list. I will have to dig a bit to get to know Iceraven better then. Might be interesting to know about this browser, at least a few things, I suppose. Thanks anyway.

@Lunacy
62M

I understand your pain haha. Lack of documentation drives me crazy. I personally think that the only features are the ones on the GitHub page. I hope I’m wrong.

Adda
12M

Exactly, I was hoping for something, but surprisingly (or maybe actually not surprisingly at all), I have found nothing except those initial paragraphs in the GH repo README.md. I would really appreciate it if there was more information somewhere, but it is at least something.

@TheAnonymouseJoker
42M

If I were you, I would not be citing madaidan as a good source of information. He has always engaged in spreading FUD and promotes Windows over Linux, as example. And his Chrome shilling is highly related to his hatred for Firefox’s anti racism political stance, and how deep rooted he is into the toxic filthy GrapheneOS community. Have had a lot of one to one experience with him, his sockpuppets and his friends.

@Lunacy
2
2M

in spreading FUD and promotes Windows over Linux.

Madaidan doesn’t spread any FUD and doesn’t promote windows over linux. He wrote a purely objective technical analysis about Linux security; many security experts share this view, such as:

He also wrote:

Note that these analyses are purely objective and do not account for threat models or other user-dependent factors.

Users should choose software according to their own use case and threat model. I personally use Fedora 34 with KDE Plasma as desktop environment; I prefer Linux over Windows because of the FOSS ideology. However, the problems pointed out by madaidan and other security researchers still remain. You said that madaidan spreads FUD, but you didn’t show any evidence. Madaidan himself uses Linux (I think Qubes OS + Whonix because he uses Tor for everything).

And his Chrome shilling is highly related to his hatred for Firefox’s anti racism political stance

First of all, madaidan uses Firefox; he said that many times on Spite. Second of all, this is a very serious accusation, you should show proof.

Have had a lot of one to one experience with him, his sockpuppets and his friends.

That doesn’t mean they spread FUD about software. Drama is really a waste of time.

Edit: typo and things that are not relevant to the discussion.

@TheAnonymouseJoker
22M

I strongly disagree. Madaidan regularly engages in spreading FUD, most popularly by conflating security with privacy and vice-versa, and I have been a participant in their NoGoolag and SpiteChat groups, both of which he banned me from because he, anuprita (clannad) and a bunch of other fellows are FUD spreaders, opportunists and vile racists.

Let me share with you one of the instances, among hundreds of others where he insults me, and would go on to ban people if they reply (of course which I never did, I always stayed humble).

picture, August 8, 2020

By your logic, if I share same views as Snowden, does that make me a Snowden rivaling security and OPSEC expert? Because you did the same with lumping Daniel Micay, various grsecurity entities and madaidan together, making it seem like some kind of little coalition or a conflation of expertise levels.

Madaidan was shat on very hard over his Linux hardening guide, because he shows zero consideration of threat modelling, or has knowledge on the same when addressing other users or arguments on various communication platforms on most topics in the privacy and security domains.

It is common knowledge that key GrapheneOS community users engage in using sockpuppets via their strength of virtual compartmentalisation (Qubes, VMs, Tor and so on).

I do not think you have engaged with him or his friends for more than a year, like I have. You can look around the history of his engagement on reddit, unless he sanitised his comments prior to 3-4 months old. There is u/rediii123, u/cn3m and u/Additional-Ad-6738 as well.

A load of more FUD disguised as “criticism”, they directed at me when I released my smartphone 3.0 guide on r/degoogle:

picture 1

picture 2 replies

@Lunacy
1
1M

Hi.

Again, you didn’t show any proof whatsoever about the “FUD” spreading by madaidan and others.

Madaidan creates a clear distinction between privacy and security; it is written on the homepage of his site. However, security is the first line of defense if you want to achieve privacy.

Picture picture, August 8, 2020

I’m sorry for that, really.

Madaidan was shat on very hard over his Linux hardening guide, because he shows zero consideration of threat modelling,

He made a clear statement about it:

DISCLAIMER: Do not attempt to apply anything in this article if you do not know exactly what you are doing. This guide is focused purely on security and privacy, not performance, usability, or anything else.

By your logic, if I share same views as Snowden, does that make a rivaling security and OPSEC expert? Because you did the same with lumping Daniel Micay, various grsecurity entities and madaidan together, making it seem like some kind of little coalition or a conflation of expertise levels.

You said that madaidan is spreading FUD, regarding Linux in this specific case. I linked you different sources who share the same opinion so you can see that madaidan doesn’t spread FUD. You didn’t counter the source with actual information.

Picture 1) cn3m(?) makes a valid point.

Picture 2) You didn’t counter his statements; instead, you are accusing him of being a troll and a shill.

You said that Pixel phones cannot be trusted but you didn’t show any proof whatsoever. Closed source software and hardware can be verified; it’s called reverse engineering. Google offers an extremely high reward (up to 1,000,000 dollars) for anyone who can catch exploits in the Titan M and Pixel phones. It’s obvious that it can be verified. It makes no sense to put some backdoor in the hardware; Google already collects every piece of data collectable from users. You’re putting your ideology ahead of verified documentation and facts.

@TheAnonymouseJoker
22M

Security and privacy are not mutually the same thing, and privacy is not necessarily a derivative of security. This is proven by the security of Windows and iOS, which is obscure, and they are antithetical to privacy.

I teach privacy and security definitions to people in this way.

Privacy means that your content has controlled access (to you, your recipient or a small group). Security means the storage of the content is protected from automated or manual intruder/stealer attacks.

So, both are different properties and one is not a pure, or even partial derivative of the other function.

Again, you didn’t show any proof whatsoever about the “FUD” spreading by madaidan and others.

If you have knowledge in the OPSEC and privacy domains, and use some critical thinking, it is too easy to figure out. I can share one instance, since he banned me off his Telegram groups and Matrix rooms, what strcat and his shills are most famous for.

I can share a few instances with you, as I never bothered keeping a year long list of his FUD spreading incidents. I fetched these randomly from my 2 year spanning old Firefox profile.

NOTE: USE REMOVEDDIT/REVEDDIT FOR ALL THESE THREADS.

Probably it should be enough to make you reconsider them as the arbiter of truths in the community.

madaidan doesn’t spread FUD. You didn’t counter the source with actual information.

Picture 1) cn3m(?) makes a valid point.

Picture 2) You didn’t counter his statements; instead, you are accusing him of being a troll and a shill.

You sound very biased towards supporting them currently. cn3m and all these people are fine examples of edgy teenagers who gathered their information via making some up, learning some on shitty 4chan threads and a likely result of having nothing better to do in life than engaging in creating their niche in privacy community and trying to milk that for self pleasure on the internet. Delusional personality type of syndrome, perhaps.

Actually, you are too inexperienced and have not had enough confrontation with them, so you should probably not defend random anons on internet without knowing their history well. A lot of people sadly fall for it these days.

I even remember Daniel Micay once trying to victimise himself by framing me as messiah of privacy community and the arbiter of truths. Maybe it was in this thread. https://removeddit.com/r/privacytoolsIO/comments/gs4uv7/i_dont_fully_trust_grapheneos/fs82fdv/

You said that Pixel phones cannot be trusted but you didn’t show any proof whatsoever. Closed source software and hardware can be verified; it’s called reverse engineering. Google offers an extremely high reward (up to 1,000,000 dollars) for anyone who can catch exploits in the Titan M and Pixel phones. It’s obvious that it can be verified. It makes no sense to put some backdoor in the hardware; Google already collects every piece of data collectable from users. You’re putting your ideology ahead of verified documentation and facts.

WHAT. A. LOAD. OF. BULLSHIT.

All of commercially commonly available USA hardware has some kind of security chip in them, that has been hacked and/or found to have networking, telemetry and backdoor capabilities. Be it the Intel ME or AMD PSP backdoors with SIGINT funding evidence, be it the Snapdragon’s Hexagon DSP hack or the hacking of Apple’s T2 chip.

Having faith in Google’s promise of their proprietary closed source chip being clean is like having faith in cyanide not killing a person. Moreover, they are known as:

  • NSA partner and collecting data and spy on users in googolplex capacity

  • AI used by US military for drone bombing in foreign countries based on metadata Google collects on smartphones

  • use dark patterns in their software to make users accept their TOS to spy

  • repeated lies about how their data collection works claiming anonymity

  • forcing users to use their Play Services which is spyware and scareware

  • monopolising the web and internet via AMP

  • use of non standard web browser libraries and known attempts to cripple lone standing ethical competitors like Firefox and Gecko web engine (now with Microsoft making their default Edge Chromium-based too)

Google’s track record of being trusted seems not too impressive, so risking it combined with the flaws and intentional backdoors on USA hardware security chips seems like a very bad move. It seems to be well grounded speculation, considering I have cited examples of Google’s neighbourhood companies, Apple, Qualcomm, Intel and AMD, and their own as well.

I never thought I would have to revisit debunking madaidan, cn3m, Micay and their whole cult ever in my life, yet here I am. Sigh.

@Lunacy
0
1M

First of all, I think I should clarify this. I personally don’t care about drama; in my opinion it’s a waste of time. I personally support GrapheneOS simply because of their long approach regarding the project. Right now, at least on Android, you can’t find a better alternative. For me, the fact that you can install the OS using only a browser (even using a Pixel instead of a PC) instead of installing third-party software is terrific, especially for users who are not experts. You’ll think that I’m a paid shill(?) of GrapheneOS; I’m really not, if you don’t believe me.

If you have knowledge in the OPSEC and privacy domains, and use some critical thinking, it is too easy to figure out. I can share one instance, since he banned me off his Telegram groups and Matrix rooms, what strcat and his shills are most famous for.

I know a little about OPSEC. However, that’s not what security researchers do. They actually do technical analysis to find vulnerabilities in software (example). Madaidan is a security researcher; he wrote technical analyses about software like Firefox or Linux.

Thank you for the links, but I actually really hoped for something more useful than deleted reddit comments, like some articles or some research which can counter the ones I just linked to you. However, I read some of it, specifically

This, where madaidan counters /u/deleted with actual information and links.

This (https://old.reddit.com/r/privacy/comments/j89kpo/im_micah_lee_director_of_infosec_for_the/g8d2hz2/?context=10000), where madaidan said, among other things:

I’m not denying that fascism is an issue. Of course it’s a serious threat. I just disagree with immediately jumping to the conclusion that an open source project is run by fascists only because of a single, barely used social media account.

Which seems reasonable. Is this why you’re accusing him of being a white supremacist? (Serious question)

And this (https://old.reddit.com/r/netsec/comments/i80uki/theymozilla_killed_entire_threat_management_team/g162g4r/?context=3), which is actually pretty neat. /u/paroxon makes useful criticisms, madaidan replies and eventually he also modified some of the problems in the Firefox article.

Again, it’s really important to understand that my point is not defending any of the people you mentioned; I asked you for sources because I really want to learn more.

WHAT. A. LOAD. OF. BULLSHIT.

My bad here, forgot the link

Now, of course it is not a load of bullshit. Closed source can be verified, audited and exploited. That’s what security researchers and bad actors do. In fact, Windows, for example, has viruses also because people can find exploits in the source code.

You say that Google Pixels cannot be trusted, but you didn’t show any documentation about it. You say that it cannot be verified, but you didn’t show any documentation about it. You just assume that because “of course, It’s Google, you can have faith in google, it has an abysmal past regarding privacy”. It’s not actual proof. Now, let’s say that Google Pixels 100% have a backdoor in their phones. How about the other vendors? Have you verified the phones? Can you say that Huawei, for example, is a safe phone to use, that has no backdoors? That is not affiliated with the NSA or other companies? Or do you just assume it? The answer is simple, you just assume it.

Now, why do I recommend Pixels for people who want or need to use Google services, or to install a custom OS and get rid of Google services?

Because Pixels, unlike 99% of Android phones, support custom signing keys, so you’re free to install any other OS without destroying the Android security model, thus preserving your privacy. Having a phone without verified boot enabled is a security and privacy disaster, because if you get tampered with, you wouldn’t know and malware would become persistent.

Pixels, unlike 99% of Android phones, support 3 years of guaranteed updates, so you get security updates every month and also updates for closed source components like the firmware and the bootloader.

Pixels, unlike 99% of Android phones, also provide the best hardware, like Titan M, which has many security advantages, including:

• Storing and enforcing the locks and rollback counters used by Android Verified Boot with support of custom signing keys

• Physical isolation of the chip in order to mitigate against entire classes of hardware-level exploits.

• Isolation of the processor, caches, memory, and persistent storage from the rest of the phone’s system in order to mitigate side channel attacks.

• Ensuring that a malicious actor can’t unlock a phone or install firmware updates until the valid lockscreen passcode is entered thanks to Insider Attack Resistance

• Securely store cryptographic material using the StrongBox keystore and protection against bruteforcing attacks.

You can see many more detail here and here.

Along with Titan M, pixels provide many improvements, including full mac randomization, exploit mitigations and a strict IOMMU to isolate physical components and Control Flow Integrity

Finally, Pixels are the only phones supported by CalyxOS and GrapheneOS, because they are the only phones which maintain the android security model.

@TheAnonymouseJoker
0
2M

GrapheneOS is not all that, and I simply do not trust Pixels. What you are telling me is to trust Google hardware here. If this were a Xiaomi phone with, let us say, HanfuOS, open source and security focused, would you use that? If no, why are you using Google Pixel with closed source hardware and its maker that has deep ties with US intelligence and military?

I never accused you of being a paid shill, so try not to do that with me.

GrapheneOS may itself be a good ROM, but the exclusivity of it being used with Google Pixels is extremely suspicious to me. And I have well grounded conjecture to present for it, not just with Google’s history, but with all of other major USA companies that use such security chips and all of them either are backdoored or got hacked.

Madaidan is a security researcher; he wrote technical analyses about software like Firefox or Linux.

He is about as much of a security researcher as I am, and that is not much really. I never call myself an expert or anything, but he does in third person more often than not.

actually really hoped for something more useful than deleted reddit comments, like some articles or some research which can counter the ones I just linked to you

I doubt you will ever find extensive research papers and journal books and Buzzfeed articles on anonymous personalities involved in the privacy community.

Is this why you’re accusing him of being a white supremacist? (Serious question)

No. You have to figure this out via talking to him and his groups. A lot easier way would be to find the CCP Pooh bear credit score, tr*nny demon hacker and such disgusting stickers in their Telegram groups. There is a lot to it, and none of it is drama.

of course it is not a load of bullshit. Closed source can be verified, audited and exploited. That’s what security researchers and bad actors do. In fact, Windows, for example, has viruses also because people can find exploits in the source code.

I will cite the famous Underhanded C Contest here: https://en.wikipedia.org/wiki/Underhanded_C_Contest . This proves it false that closed source code can be audited properly.

You say that Google Pixels cannot be trusted, but you didn’t show any documentation about it. You say that it cannot be verified, but you didn’t show any documentation about it. You just assume that because “of course, It’s Google, you can have faith in google, it has an abysmal past regarding privacy”. It’s not actual proof. Now, let’s say that Google Pixels 100% have a backdoor in their phones. How about the other vendors? Have you verified the phones?

I showed you Google’s track record entirely ridden with malicious intent, questionable past, NSA and DARPA involvement. You want to trust Google hardware after their AI was utilised to bomb Yemeni kids via US drones? Good luck, whatever your threat model is, relying on closed source Google security.

Can you say that Huawei, for example, is a safe phone to use, that has no backdoors? That is not affiliated with the NSA or other companies? Or do you just assume it? The answer is simple, you just assume it.

Huawei is a Chinese company owned by its employees, and has no links to NSA or 14 Eyes countries due to stark political and ideological differences. I will use a historical reference as example. You are trying to tell me that 8 Nation Alliance collaborated with Qing Dynasty to sell the Chinese citizens opium to grow British trade?

why do I recommend Pixels for people who want or need to use Google services, or to install a custom OS and get rid of Google services? Because Pixels, unlike 99% of Android phones, support custom signing keys, so you’re free to install any other OS without destroying the Android security model, thus preserving your privacy. Having a phone without verified boot enabled is a security and privacy disaster, because if you get tampered with, you wouldn’t know and malware would become persistent.

Verified secure boot is such a meme. You think Evil maid attacks need an unlocked bootloader? One needs to be able to use privileged escalation, which is easier to achieve via social engineering instead. Many methods of attacking users exist. Just go and check how Cellebrite and all these kits work in real world.

One can also setup LockUp app on F-Droid to protect oneself against such tampering, which erases phone upon detection of usage of such kits.

Although, I already suggest users to not root phone, which is the simplest way of making users do nothing and increase their security on a general level. And that is how my smartphone guide works.

Along with Titan M, pixels provide many improvements,

CLOSED SOURCE SECURITY BY OBSCURITY IS NOT REAL SECURITY. IT IS AN ILLUSION. IT IS AN ILLUSION. ILLUSION!!!

Pixels have also become the most vulnerable and worst phones to buy now (always were, now botnet loaded), considering Anøm phones are going onto markets as second hand.

And whichever GrapheneOS fanboy is silently downvoting me, try and debate with me, you worthless despicable rat.

@Lunacy
1
1M

GrapheneOS is not all that

GrapheneOS is all of that. You won’t admit it because you have personal antipathy towards the lead developer. This is unacceptable because you run a community, and you deliberately choose to spread misinformation about a project instead of actually helping people if they need or want to change OS. You should give them all the possibilities available, not the ones you like.

GrapheneOS makes substantial security and privacy improvements, such as

  • Hardened malloc
  • hardened kernel
  • enhanced verified boot
  • hardened app runtime
  • strong app sandbox
  • hardware based attestation
  • jitless Vanadium (off by default) etc.
  • sensor permission toggle
  • network permission toggle
  • full mac randomization per-network
  • mitigations against browser fingerprinting
  • reboot the phone after N hours if its locked (off by default)
  • secure application spawning system

Etc.

you can see the full list here

No other Android OS makes so many improvements.

They are going to add an implementation to run Google Play Services (aka. Google Mobile Services / “GMS”) and related apps (Google Services Framework, Google Play Store) as regular, unprivileged user apps. This approach is way better than microG, because it doesn’t break the security model of Android.

What you are telling me is to trust Google hardware here.

Not at all, I linked useful sources to explain why Pixels are the recommended devices. Instead, you didn’t counter the source. The trust is implicit, you have to trust every software and hardware that you use.

GrapheneOS may itself be a good ROM, but the exclusivity of it being used with Google Pixels is extremely suspicious to me.

CalyxOS also uses only pixels, and you suggest it. Instead, you should suggest both CalyxOS and GrapheneOS.

Pixels permit maintaining the Android security model; it doesn’t matter if it is suspicious to you. They use those phones for valid reasons.

He is about as much of a security researcher as I am, and that is not much really. I never call myself an expert or anything, but he does in third person more often than not.

Again, I’m not interested in madaidan; I linked his article because he made an objective analysis about Firefox. I asked you many times to give me useful sources to counter his article. Instead, you gave me deleted reddit comments about people who you defined as sockpuppets. I don’t care to read a thread between you and Micay. My point is not to defend those people. I asked for a valid source like the one I linked to you about the Linux kernel by OpenSSF. You clearly failed to provide this.

I doubt you will ever find extensive research papers and journal books and Buzzfeed articles on anonymous personalities involved in the privacy community.

I’m simply looking for actual researchers like this one (not really related to this discussion, just an example).

I will cite the famous Underhanded C Contest here: https://en.wikipedia.org/wiki/Underhanded_C_Contest . This proves it false that closed source code can be audited properly.

This doesn’t counter my point at all. The Underhanded C Contest can also be applied to open source software.

The Underhanded C Contest is a programming contest to turn out code that is malicious, but passes a rigorous inspection, and looks like an honest mistake even if discovered. The contest rules define a task, and a malicious component. Entries must perform the task in a malicious manner as defined by the contest, and hide the malice. Contestants are allowed to use C-like compiled languages to make their programs.

Closed source and open source can both be verified. It depends on whether there are competent people to audit the software.

Open source is not equal to automatic security and privacy. Both open source and closed source software can be audited and you can find malicious code in both. This contest doesn’t mean that you can’t properly audit closed source code.

Huawei is a Chinese company owned by its employees, and has no links to NSA or 14 Eyes countries due to stark political and ideological differences. I will use a historical reference as example. You are trying to tell me that 8 Nation Alliance collaborated with Qing Dynasty to sell the Chinese citizens opium to grow British trade?

Not true at all. Source: the National Bureau of Asian Research.

Huawei claims it is an “independent, privately-held company…owned by [its] employees through an Employee Stock Ownership Program,” which allows it to pursue long-term growth without shareholder pressure and to act independently of CCP direction. However, significant evidence exists directly tying both Huawei and founder Ren Zhengfei to the CCP and People’s Liberation Army (PLA). This has raised concerns that the CCP could access Huawei clients’ data or compel it to support the party’s espionage work.

Ren, who retains veto power over strategic decisions and strong operational control, served in the PLA prior to founding Huawei. U.S. officials claim that this included a stint with a military intelligence unit. Ren is a CCP member, attended the 12th National Congress, and was honored in 2018 as a leading private entrepreneur who safeguarded CCP leadership.

The links, however, run far deeper than Ren’s personal ties. A 2005 report described a “digital triangle” linking nominally private Chinese tech companies, including Huawei, to state-backed research institutions and the PLA. In 2013, former head of the CIA and National Security Agency (NSA) Michael Hayden stated that there is tangible classified evidence that Huawei has engaged in CCP-directed espionage activities.

In June 2019, a report found that Huawei employees, operating in their personal capacities, collaborated with the PLA on surveillance-related military research that is apparently not connected to Huawei’s legitimate operations. Additionally, earlier in 2019, a Huawei employee in Poland was arrested on suspicion of working as a Chinese intelligence agent. While the charges appear unrelated to the employee’s work, numerous Huawei employees believe that Chinese intelligence agencies regularly embed agents in their offices and monitor their conversations. In July 2019, Czech Huawei employees reportedly passed information on clients directly to the Chinese embassy.

Verified secure boot is such a meme. You think Evil maid attacks need an unlocked bootloader? One needs to be able to use privileged escalation, which is easier to achieve via social engineering instead. Many methods of attacking users exist. Just go and check how Cellebrite and all these kits work in real world.

Verified boot is not a meme at all.

Verified Boot strives to ensure all executed code comes from a trusted source (usually device OEMs), rather than from an attacker or corruption. It establishes a full chain of trust, starting from a hardware-protected root of trust to the bootloader, to the boot partition and other verified partitions including system, vendor, and optionally oem partitions. During device boot up, each stage verifies the integrity and authenticity of the next stage before handing over execution.

You think Evil maid attacks need an unlocked bootloader?

That’s security through obscurity. Verified boot is not a panacea against all kinds of possible attacks, but it’s still a very useful security and privacy feature. It prevents malware from becoming persistent. Users shouldn’t disable it for any reason.

Pixels have also become the most vulnerable and worst phones to buy now (always were, now botnet loaded), considering Anøm phones are going onto markets as second hand.

Two different problems. Pixels didn’t become the most vulnerable because of the anom phones.
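The chain of trust quoted in the comment above, as an added example that is not part of the thread: a simplified Python model in which each stage pins the SHA-256 digest of the next one, and a single root digest stands in for the hardware-protected root of trust. Real verified boot uses signatures rather than pinned digests; the stage contents and the `build_chain`, `boot` and `tamper` helpers are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Stage:
    name: str
    code: bytes
    next_digest: Optional[str] = None  # what this stage expects the next one to hash to

    def image(self) -> bytes:
        # The pinned digest is part of the measured image, so it cannot be
        # swapped without changing this stage's own digest.
        return self.code + b"|next=" + (self.next_digest or "").encode()

def build_chain(parts: List[Tuple[str, bytes]]) -> Tuple[str, List[Stage]]:
    """Pin digests from the last stage back to the first; return (root digest, stages)."""
    stages: List[Stage] = []
    pinned: Optional[str] = None
    for name, code in reversed(parts):
        stage = Stage(name, code, pinned)
        pinned = digest(stage.image())
        stages.insert(0, stage)
    return pinned, stages

def boot(root_digest: str, stages: List[Stage]) -> Tuple[List[str], Optional[str]]:
    """Return (stages executed, name of the stage that failed verification or None)."""
    expected, executed = root_digest, []
    for stage in stages:
        if not hmac.compare_digest(digest(stage.image()), expected or ""):
            return executed, stage.name  # refuse to hand over execution
        executed.append(stage.name)
        expected = stage.next_digest
    return executed, None

def tamper(stages, name, new_code, repin=False):
    """Copy the chain with one stage modified; optionally re-pin every earlier stage."""
    out = [replace(s) for s in stages]
    idx = next(i for i, s in enumerate(out) if s.name == name)
    out[idx].code = new_code
    if repin:
        for i in range(idx - 1, -1, -1):
            out[i].next_digest = digest(out[i + 1].image())
    return out

# Constructed stage contents, in the order the quote lists them.
PARTS = [("bootloader", b"bl-v1"), ("boot", b"kernel-v1"),
         ("system", b"system-v1"), ("vendor", b"vendor-v1")]
ROOT, CHAIN = build_chain(PARTS)  # ROOT stands for the hardware-protected value

if __name__ == "__main__":
    print(boot(ROOT, CHAIN))
    print(boot(ROOT, tamper(CHAIN, "system", b"system-v1+implant")))
    print(boot(ROOT, tamper(CHAIN, "system", b"system-v1+implant", repin=True)))
```

A modified system image stops the boot at `system`; rewriting the pinned digests to hide it only moves the failure up to `bootloader`, because the root value cannot be rewritten.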

@TheAnonymouseJoker
link
12M

GrapheneOS is all of that. You won’t admit it because you have a personal antipathy towards the lead developer. This is unacceptable because you run a community, and you deliberately choose to spread misinformation.

Sounds like you are a fan of GrapheneOS and Micay. I acknowledge it is a good security ROM, yet ignored and cherry picked my statements.

GrapheneOS may itself be a good ROM, but the exclusivity of it being used with Google Pixels is extremely suspicious to me.

See? Second paragraph in previous comment.

I do not talk with some emotions in my mind. What do you even know, Copperhead CEO messaged me to engage in joining hands and attacking Micay, and I stalled and ghosted him. This is exactly why I despise GrapheneOS community.

Not at all, I linked a useful source to explain why Pixels are the recommended devices. Instead, you didn’t counter the source. The trust is implicit, you have to trust every piece of software and hardware that you use.

I countered the source exactly the way Google tells us to trust their blackbox hardware without explanations on if their hardware is open source or can be verified via whitebox testing methods. It cannot. And I cited examples of every other USA major tech company’s security chip failing, so Google’s is only a matter of time, not if. Obscure security has failed repeatedly, and it always will.

CalyxOS also uses only pixels, and you suggest it. Instead, you should suggest both CalyxOS and GrapheneOS.

I refuse to recommend GrapheneOS, and instead recommend CalyxOS, because:

  • I do not recommend Google Pixels due to extra proprietary hardware layer, that does not exist on other phones and is an unverifiable blackbox
  • I do not recommend GrapheneOS because strcat simply bans anyone whoever asks even slightly complex, or a bunch of questions in his Matrix room. It is well documented in Techlore’s video. A custom ROM that claims security, and does not solve queries of its users, is a ROM with garbage after-installation support. This would be worse than recommending a phone with garbage post sales support, as the user of a security ROM likely has harsher threat model.
  • CalyxOS gives post installation support and advice, and has a community not filled with vile racists or unhelpful people, and does not give shitty answers to queries of GSF dependent apps not running properly, as GrapheneOS devs do.

Again, I’m not interested in madaidan, I linked his article because he made an objective analysis about Firefox. I asked you many times to give me a useful source to counter his article. Instead, you gave me deleted Reddit comments about people who you defined as sockpuppets. I don’t care to read a thread between you and Micay. My point is not to defend those people.

Are you purposely changing goalposts? I answered your question to my claim of if madaidan spreads FUD, and he does a lot. Now you do not care about madaidan at all, who is the admin of NoGoolag and SpiteChat Telegram groups, and is a side aide of Micay?

https://arxiv.org/abs/1403.3235

Random anons on internet are not specimens worth being studied by people with academic rigour.

Underhanded_C_Contest. This proves it false that closed source code can be audited properly. This doesn’t counter my point at all. The Underhanded C Contest can also be applied to open source software.

This is false because you can read open source code, line by line. Open source code is transparent and closed source code is opaque. Are you an anti FOSS shill, by any chance? I find a lot of these quirky people often. Or maybe you have the same problem that folks like Micay have, hurting other open source projects to boost their own and milk it for their popularity gains in community?

Open source is not equal to automatic security and privacy. Both open source and closed source software can be audited and you can find malicious code in both. This contest doesn’t mean that you can’t properly audit closed source code.

You seem to be making exactly same mistakes as cn3m, for some reason. Why is that the case? I think I caught you red handed, or you likely consulted their community to reply to me.

Open source ensures transparency, therefore it will always be superior to closed source. Why are you trying to shill closed source ideology in a privacy community?

Not true at all. Source: the National Bureau of Asian Research.

Oh my, citing an outlet funded by these entities that want a desperate war with China? Cute. https://www.nbr.org/about/our-funding/

  • French Ministry of Defense
  • Boeing Inc.
  • U.S. Army War College

From https://www.ned.org/events/report-launch-a-full-spectrum-response-to-sharp-power-the-vulnerabilities-and-strengths-of-open-societies/ :

Report Launch | A Full-Spectrum Response to Sharp Power: The Vulnerabilities and Strengths of Open Societies June 18, 2021 11:00 am - 12:30 pm

featuring Nadège Rolland, Senior Fellow, National Bureau of Asian Research

Prior to joining NBR, Rolland was an analyst and senior adviser on Asian and Chinese strategic issues to the French Ministry of Defense.

So you just cited this outlet that has clear links to France military, where France is a country that wants war with and is anti China? I swear you people are so funny to play around with.

That’s security through obscurity. Verified boot is not a panacea against all kinds of possible attacks, but it’s still a very useful security and privacy feature. It prevents malware from becoming persistent. Users shouldn’t disable it for any reason.

Yes and you promoted security through obscurity above via claiming open source code does not mean nothing in the case of Titan M blackbox chip. Decide to stand for something for once. Open source, or closed source?

Pixels have also become the most vulnerable and worst phones to buy now (always were, now botnet loaded), considering Anøm phones are going onto markets as second hand.

Two different problems. Pixels didn’t become the most vulnerable because of the anom phones.

Yes, two different problems, but I am telling how problematic Pixels are to buy. One security vendor messaged me some time ago to use my platform for their promotion of GrapheneOS loaded Pixels, and this is why I never responded to them. Also, second handed Pixels are all vulnerable devices now, because that is how an XDA member got hold of this ArcaneOS loaded Pixel.

@Lunacy
link
1
edit-2
1M

You don’t recommend Google Pixels and yet you recommend CalyxOS, which uses only Pixels. It would be more honest if you refused to suggest both OSes because they both use Pixels. You refuse to admit that Titan M is not a black box even if I prove to you that Google will reward anyone who can find an exploit; of course that means that it is not a black box. You didn’t show any documentation whatsoever. Every phone comes with closed source components that you have to deal with. You suggest Huawei over Pixels for no reason, despite knowing that installing a custom OS on Huawei completely destroys the security model of Android. Moreover, Huawei delays security updates and lacks long-term support. You said that verified boot is a meme, which it actually is not, of course without showing any proof.

You can read closed source line by line, it’s called reverse engineering. Open source is an ideology, it’s about freedom, which is good, but it’s not equal to security and privacy, that’s just a misconception. Of course a FOSS project can be secure and private, but it’s not automatic.

Your source doesn’t counter what I linked about Huawei. The National Bureau of Asian Research has some kind of interest against China and so they are spreading misinformation about Huawei, right? But did you actually link some article that counters the NBAR research? No, you just assumed that they are bad because “of course, it’s plausible”.

You falsely accuse me of being something that I’m not because you can’t counter the source I linked.

@TheAnonymouseJoker
link
12M

You don’t recommend Google pixels and yet you recommend CalyxOS which uses only pixels.

There exist people who have purchased a Google Pixel already, and may ask me for help with achieving better privacy. I am not going to tell these people to sell off their Pixel, unless 5 Eyes is a threat adversary for them.

It would be more honest if you refused to suggest both OSes because they both use Pixels

Your version of honesty is not realistic, and does not help people in reality.

You refuse to admit that Titan M is not a black box even if I prove to you that Google will reward anyone who can find an exploit; of course that means that it is not a black box.

Sorry but that is not what being closed source hardware means. Learn about software and hardware testing in an academic manner, as I did during my degree. And this argument “just hack it 1337 haxorman else shut up” is reductio ad absurdum, it is a dumb argument.

Every phone comes with closed source components that you have to deal with.

“Every phone comes with closed source hardware so one more closed source hardware layer does not matter.” “They are taking our camera permission, let us give them microphone permission too, why does it matter?”

Your logic is utterly flawed. Please learn about how to reduce attack surface. Titan M is not some kind of open TPM chip that you can customise or disable.

You suggest Huawei over Pixels for no reason, despite knowing that installing a custom OS on Huawei completely destroys the security model of Android. Moreover, Huawei delays security updates and lacks long-term support.

Huawei’s security, according to BlackHat hackers, is same as that of Pixels. https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/raw/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices.pdf

verified boot

Verified boot working as intended assumes hardware comes from a non compromised source. This seems unlikely to be confirmed, especially with American companies that at this point have baked in backdoors left and right, otherwise they have hacked security enclave chips. You can trust USA as much as you want, but I will be your enemy if you try to shill that to others blindly.

You can read closed source line by line, it’s called reverse engineering. Open source is an ideology, it’s about freedom, which is good, but it’s not equal to security and privacy, that’s just a misconception.

Yup, you are an anti FOSS shill most likely. Closed source analysis can only be done via blackbox testing, and closed source is not transparent.

If open source is not equal to privacy or security, then by that logic closed source everything sure as hell is pure malware.

Your source doesn’t counter what I linked about Huawei. The National Bureau of Asian Research has some kind of interest against China and so they are spreading misinformation about Huawei, right? But did you actually link some article that counters the NBAR research? No

Are you recommending people to rely on 5 Eyes/Anglosphere think tank funded research as your counter points against Chinese companies? I proved how the leading people of NBR are directly linked to French military. This is purely a dishonest maligning attempt with no academic rigour.

You falsely accuse me of being something that I’m not because you can’t counter the source I linked.

I prove each and every point I made, and countered your arguments. You cannot get away with staying in denial mode, when everything is clear as day. You are the one shilling closed source over open source ideology. You are the one who cites madaidan’s FUD as authentic information, and then ignore counter proofs. You are the one spreading misinformation about open source workings. You are the one using think tank articles to prove your points. Your comments partially look like advertisements for GrapheneOS at this point. I am not doing any of this.

xenith
link
02M

I use GrapheneOS as my daily driver and love it. I’ve also been active in the GrapheneOS Matrix community and have never seen anything that I would consider questionable. I’ve never received money, but I guess my payment for this comment is a FOSS, deGoogled, hardened OS.

@Lunacy
link
22M

GrapheneOS is fine. The community is also fine. Please don’t believe strangers’ words, don’t believe my word either, do your own research. You too are in the GrapheneOS community and you can see it’s not toxic at all.

@TheAnonymouseJoker
link
12M

https://tube.privacytools.io/videos/watch/2a693c25-1b44-42a5-a268-3349b278ef04

Maybe you never saw anything questionable, but that is only an anecdote, or you have loyalty towards that community.

xenith
link
12M

That’s weird - it showed that I commented the same thing twice, so I deleted the one you didn’t reply to, and now it shows just the one and it’s deleted.

xenith
link
1
edit-2
2M

deleted by creator

@TheAnonymouseJoker
link
12M

Google Pixel is not the best device, even if GrapheneOS may be a good security ROM.

And for all I care, Techlore presented facts which I can verify from my personal experience. I have a lot more evidence in this thread below, a lot different than what Techlore showed. So yeah.

As for community, all communities are usually tightknit to an extent, even if they are not literal IRL families. Micay straight up bans people that question too much. It is known.

xenith
link
12M

I assume that’s you in the pics below - do you use an iPhone?

@TheAnonymouseJoker
link
12M

No, a Huawei Android, with the hardening using my non-root smartphone guide: https://lemmy.ml/post/54596 and my threat model (https://lemmy.ml/post/34223) between levels 5 and 6.

@je_vv
link
52M

cool that mull is found now on official f-droid repos, I had it installed from the divestos f-droid custom repo:

https://divestos.org/fdroid/official

Perhaps it’s better to use the official f-droid one. I hope the official f-droid one doesn’t get updates too delayed compared to the divestos ones, :)

@TheImpressiveX
link
72M

Personally I use Iceraven.

@OstoNang@sopuli.xyz
link
32M

I personally use Mull and Tor browser in the guardian project repo.

@TheAnonymouseJoker
link
32M

Kiwi Browser is also great, if you want a Chrome based option. Allows desktop extensions.

Fennec/Mull/Firefox modified are most excellent for primary usage, though.

@dragonhunter056
link
22M

Kiwi is super outdated isn’t it? I think I remember hearing somewhere that it doesn’t get updated often/at all nowadays.

@TheAnonymouseJoker
link
12M

https://github.com/kiwibrowser/src.next/releases

The dev backports security patching of Chromium releases to Kiwi. This is a disinformation usually spread by Bromite/GrapheneOS community, who want to iron grip the security community in nefarious ways. People fall for it because there is less awareness on these problems.

@ThreeHopsAhead
link
12M

How is this connected to Bromite or GrapheneOS? Do you have anything to back up those claims?

@TheAnonymouseJoker
link
1
edit-2
2M

A couple days of researching on r/kiwibrowser threads, and mini wars on browser threads on r/privacytoolsio should get you in the loop on arguments used against Kiwi and/or for Bromite.

Not everyone criticising Kiwi is one of the people from the group I mentioned, but a significant portion exists, and they are indeed a significant portion of what makes up arguments overall against Kiwi, even though security patch backporting happens with Kiwi.

There is a bit more to it, in that Kiwi Browser earlier was not open source, and some of the garbage arguments against it carry over from that time, and even conflated at times. It also does not help that these people take advantage of less thorough discussion and solid threads around Kiwi Browser, as not too many people use it yet. Less usage is most likely because of inertia of Chrome/Brave/Samsung Internet mobile users, and Kiwi only offers desktop extension support feature over other Blink mobile browsers.

I was never a Kiwi user until it became open source, and I only use it as secondary browser because I oppose Chromium/Blink monopoly via using Firefox, and also prefer uBlock Origin in all its glory without Manifest V3 crippling.

@yxzi
link
32M

you specifically asked to choose between the given options, but I’ll throw in Fennec into the mix, since it’s based on Firefox.

  • pro: proprietary bits and telemetry have been removed
  • con: still connects to various Mozilla and Google services that can track users

Tucumano 88
creator
link
22M

Opened a Pandora’s box

xenith
link
12M

I use Vanadium on GrapheneOS and have no complaints.

Helix
link
-42M

Your title is shit and you didn’t give any criteria on which to compare the browsers, you didn’t even specify why you limited the options to the five browsers mentioned. Please fix.
