Hacker News new | ask | show | jobs
by gjsman-1000 975 days ago
Are you personally capable of ensuring:

A. The builds match the code?

B. The NSA hasn’t stolen the signing key and isn’t feeding you customized images?

True, you can’t verify that with iOS or Android either. I am saying though that trusting my security because it’s safer… by being in some guy’s garage feels like an odd trade. One that shouldn’t be casually ignored, at least.
4 comments
neilv 975 days ago
If your threat model for your phone includes the NSA as an adversary, maybe you shouldn't be using a phone at all.

For the rest of us, who just want to be violated less, we have to choose our poison. The corporate options are shameless violators, and the alternatives are gambles.

link
gunapologist99 975 days ago
Even if this was true, it seems harder to compromise a single paranoid coder working out of his garage than any one of 1,000 corporate developers, their workstations, or associated networking, or servers in any (even high-security) company.

Weakest link in the chain and all that. There are just a lot fewer links in the chain. More likely that a vuln is introduced as part of Android and makes its way into GrapheneOS than directly into a tiny project.

link
stavros 975 days ago
No I'm not. Does that mean I might as well cc the NSA to all my emails?

Your comment is basically "is it perfect? No? Then it's not better".

link
gjsman-1000 975 days ago
I’m saying that, if people who use it aren’t careful, they could end up like the university kid.

There was a university that received a bomb threat over Tor. They found one student who used Tor on the network at around the right time, and because he was the only Tor user, he’s in jail for a very, very long time. That kid was at Harvard, his persuer the FBI.

If you are going to use GrapheneOS, don’t be naive and think it will make you agency-proof. If anything it probably flags you to their attention.

link
tomrod 975 days ago
Why are you under the impression that since I want to use a more secure OS than Android or the equivocating Apple that I must be wanting to bomb a university?

Please.

link
gjsman-1000 975 days ago
Absolutely not. But if anything bad happens, or you are attending a protest and suddenly getting investigated for rioting, you might have second thoughts.

I do not condone or endorse illegal activity. That does not mean your use of GrapheneOS might not be used against you if you use it at an inopportune time. There is currently almost no discussion online about this, so it’s worth a mention.

Edit: I forgot to mention some obvious context in my head. Think journalist, in Russia, using GrapheneOS for “safety.” In such a situation, probably a terrible idea.

link
SenAnder 975 days ago
The kind of over-cautious cowardice you are displaying is what drives societies to become conformity-enforcing police states.

"You're painting your fence beige instead of white? Are you sure that's a good idea? What if there's a crime committed in the neighborhood - beige-fenced deviants are the first that the police will look at!"

link
smoldesu 975 days ago
People have been trying to stick Linux and the AOSP for the same reasons, but it's quite obviously never worked. Linux and Android are not popular because they are superior security tools, they are popular because they are free and accessible. Governments play poker, they don't want you to know what their hands look like. Condemning any particular software is the equivalent of folding their hand; it's an admittance of defeat. It won't happen unless they face a hopelessly equipped adversary, like Huawei.

GrapheneOS is likely not a secure system, but neither is any smartphone OS. I'll compliment anyone taking steps towards transparency that makes governments and global-scale corporations tremble at the knees.

link
tomrod 975 days ago
> There is currently almost no discussion online about this, so it’s worth a mention.

A mention, not a core argument against use.

In my reading, your core point is an old argument: https://en.wikipedia.org/wiki/Nothing_to_hide_argument

link
2Gkashmiri 975 days ago
I remember seeing that news on arstechnica or some tech publication I was following at the time.

It actually put a little fear in me because I look around and not a lot of internet users in my small hell hole of an open prison I call home and i was like "dude. You're like a alert beacon screaming here is a tor user, check him out".

I was using tor at the time and that is the last day I used it because this use case fit me somewhat. Not for sending bomb threats but because the nature of surveillance, I am a target of the government so any outlier gets flagged pretty hard.

link
wkat4242 975 days ago
I always connect to tor over VPN first for this reason. But I guess it makes me even more suspicious lol
link
stavros 975 days ago
Ah, yes, you're right. It's good to use, but it's not perfect.
link
tomrod 975 days ago
> by being in some guy’s garage feels like an odd trade. One that shouldn’t be casually ignored, at least.

Let's give some credit to Daniel Micay and assume he isn't coding this by himself, especially after the CopperheadOS debacle.[0]

[0] https://grapheneos.org/history/

link
gjsman-1000 975 days ago
It doesn’t matter who is coding it, it matters who owns the signing key that will make your phone recognize the authenticity of the software. And, of course, if anyone else has it.

Also Daniel Micay no longer works on the project.

link
sigmar 975 days ago
>Also Daniel Micay no longer works on the project.

This isn't true. He stepped down as lead dev. Still one of the main contributors

link