Hacker News new | ask | show | jobs
by securitypunk 1783 days ago
Anyone who has managed a product security program will tell you that's it's impossible for small groups to keep up with the complexity and attack surface of products like android.

From a consumer perspective, going with A and trusting the company is by far the safest option.
4 comments
trulyme 1783 days ago
Meh. Given the option of a secure but adversarial OS and less secure but open one, I will always pick the latter. Then at least there is a fighting chance my data stays mine.
link
lobocinza 1782 days ago
You're missing the other 'halves' of the problem. Insecurity is a business and it's not profitable for companies like NSO to make their "solutions" compatible with non-mainstream devices.
link
scns 1782 days ago
Sorry to be a pedantic but: Two People created CopperheadOS, one of them now works on GrapheneOS. The security mitigations developed for those were incorporated upstream into Android, decreasing the attack surface.
link
strcat 1782 days ago
> Two People created CopperheadOS, one of them now works on GrapheneOS.

No, that's not true. GrapheneOS is the continuation of the project by the original development team. There aren't any developers who stuck with Copperhead. The project was created 1 year before Copperhead existed as a company.

https://grapheneos.org/history

> The security mitigations developed for those were incorporated upstream into Android, decreasing the attack surface.

https://grapheneos.org/features is a list of the current features differentiating it from AOSP. It doesn't list the many things we've gotten into upstream projects, since they aren't differences anymore.

link
scns 1782 days ago
I'm sorry, if i misrepresented the great stuff you did and still do. English is the first foreign language i learned.

"Two People created CopperheadOS, they had a disagreement. One of them continues to work on it under the name GrapheneOS."

Would this describe it better?

link
FieryBinary 1782 days ago
See grapheneos.org/history/copperheados and verify it for yourself using Github graphs and other resources.

A better description would be "One person handled development of the project and other person CEO'd the sponsor company. The CEO attempted to hijack the project and the developer eventually resumed the project under the name GrapheneOS."

A little longer, but more accurate :)

link
hfkfktnekfm 1782 days ago
If I find an exploit in Chrome and I send a patch to Google, it doesn't imply that single handed I can manage the security of a Chrome fork.
link
runawaybottle 1783 days ago
I can appreciate that but option A actors are now in full dictator mode with respect to how they are willing to breach privacy and monetize their users.

How did Linux keep up with security updates?

link
vngzs 1782 days ago
You have an army of volunteers backporting patches, in the case of Debian. It's been done, but it takes a certain amount of support.
link