[gjsman-1000]

… as long as you trust the developers, and their ability to secure themselves, of course.

I mean, if I was a three letter agency, sneaking into some GrapheneOS developer’s basement to add a camera to record his keystrokes would be the easiest trade ever for all the paranoid people using it. It’d be way easier than sneaking into Apple or Google. Might even be worth violating internal law to do it; because getting caught is extremely unlikely, and forgiveness is easy.

Edit: Also, don’t forget that, if you should get arrested, “he used GrapheneOS” is 100% going to be used against you in court. You might use technical arguments or principled reasoning, but that doesn’t resonate with juries. Unfortunately, using extra-strong privacy tools is perfect for framing you as a criminal.

[tomrod]

You make a convincing argument. I'm switching to GrapheneOS for my next phone upgrade. Here is the source code: https://grapheneos.org/source

> “he used GrapheneOS” is 100% going to be used against you in court.

I look forward to using this as a litmus test for legal representation.

[gjsman-1000]

Are you personally capable of ensuring:

A. The builds match the code?

B. The NSA hasn’t stolen the signing key and isn’t feeding you customized images?

True, you can’t verify that with iOS or Android either. I am saying though that trusting my security because it’s safer… by being in some guy’s garage feels like an odd trade. One that shouldn’t be casually ignored, at least.

[neilv]

If your threat model for your phone includes the NSA as an adversary, maybe you shouldn't be using a phone at all.

For the rest of us, who just want to be violated less, we have to choose our poison. The corporate options are shameless violators, and the alternatives are gambles.

[gunapologist99]

Even if this was true, it seems harder to compromise a single paranoid coder working out of his garage than any one of 1,000 corporate developers, their workstations, or associated networking, or servers in any (even high-security) company.

Weakest link in the chain and all that. There are just a lot fewer links in the chain. More likely that a vuln is introduced as part of Android and makes its way into GrapheneOS than directly into a tiny project.

[stavros]

No I'm not. Does that mean I might as well cc the NSA to all my emails?

Your comment is basically "is it perfect? No? Then it's not better".

[gjsman-1000]

I’m saying that, if people who use it aren’t careful, they could end up like the university kid.

There was a university that received a bomb threat over Tor. They found one student who used Tor on the network at around the right time, and because he was the only Tor user, he’s in jail for a very, very long time. That kid was at Harvard, his persuer the FBI.

If you are going to use GrapheneOS, don’t be naive and think it will make you agency-proof. If anything it probably flags you to their attention.

[tomrod]

Why are you under the impression that since I want to use a more secure OS than Android or the equivocating Apple that I must be wanting to bomb a university?

Please.

[gjsman-1000]

Absolutely not. But if anything bad happens, or you are attending a protest and suddenly getting investigated for rioting, you might have second thoughts.

I do not condone or endorse illegal activity. That does not mean your use of GrapheneOS might not be used against you if you use it at an inopportune time. There is currently almost no discussion online about this, so it’s worth a mention.

Edit: I forgot to mention some obvious context in my head. Think journalist, in Russia, using GrapheneOS for “safety.” In such a situation, probably a terrible idea.

[2Gkashmiri]

I remember seeing that news on arstechnica or some tech publication I was following at the time.

It actually put a little fear in me because I look around and not a lot of internet users in my small hell hole of an open prison I call home and i was like "dude. You're like a alert beacon screaming here is a tor user, check him out".

I was using tor at the time and that is the last day I used it because this use case fit me somewhat. Not for sending bomb threats but because the nature of surveillance, I am a target of the government so any outlier gets flagged pretty hard.

[wkat4242]

I always connect to tor over VPN first for this reason. But I guess it makes me even more suspicious lol

[stavros]

Ah, yes, you're right. It's good to use, but it's not perfect.

[tomrod]

> by being in some guy’s garage feels like an odd trade. One that shouldn’t be casually ignored, at least.

Let's give some credit to Daniel Micay and assume he isn't coding this by himself, especially after the CopperheadOS debacle.[0]

[0] https://grapheneos.org/history/

[gjsman-1000]

It doesn’t matter who is coding it, it matters who owns the signing key that will make your phone recognize the authenticity of the software. And, of course, if anyone else has it.

Also Daniel Micay no longer works on the project.

[sigmar]

>Also Daniel Micay no longer works on the project.

This isn't true. He stepped down as lead dev. Still one of the main contributors

[wkat4242]

The sad thing is that this is exactly what might happen in the EU since spyware will soon be mandatory.

[neilv]

> “he used GrapheneOS” is 100% going to be used against you in court.

Has that ever happened?

I hadn't heard of that, and people have been running GrapheneOS (and Copperhead before it) for many years.

The first person I knew using it was a lawyer at Harvard Law School.