by neilv 64 days ago
My gut feel is that Micay is genuine, and obviously also very defensive.

At least some of the defensiveness is warranted. Maybe most of it. Regardless, it comes across in most GrapheneOS communications, and it's sometimes counterproductive.

A related issue, which I'm sure Micay can appreciate, is that users of GrapheneOS tend to be cautious, and increasingly will want to know why the project should be trusted, now that it is popular and on a lot of radars of adversaries.

(For example, hypothetical scenario that's plausible, given the incentives: State actor (e.g., RU, US, CN) or organized crime group long-con starts with a public harassment campaign of Micay. Followed by sleeper volunteers taking more control of the project, initially under the pretext of helping insulate Micay from harassment, and taking some of the load off. Later maybe even impersonating Micay. Now the threat actor has backdoors to a large number of especially privacy/security-conscious parties, including communications, 2FA, location, cryptocurrency wallets, internal networks where those people work, etc.)

I think it probably hasn't been compromised like that, but it's an obvious real possibility, and IMHO, until GrapheneOS is more transparent, some natural users of GrapheneOS are going to consider iPhone relatively "the devil you know".

Again, I think Micay is genuine, and I'm a fan of the project and appreciate it. And I hope the project understands that's compatible with critical thinking about infosec, and doesn't take personal offense at that.

(Source: Am long-time GrapheneOS user, and have donated.)


I agree that this is an issue, but it is impossible to prove a negative. The same could be said for Apple's or other manufacturers' signing keys. Who guarantees that the US government hasn't required access to the iOS signing keys? Or China in exchange for access to the Chinese market? They probably wouldn't even want to reveal that the signing keys were leaked if they were allowed to, since it would undermine their security story.

With a non-profit project of highly principled security experts, there is at least a high probability that they'd rather blow up the project than compromise. People elsewhere in the thread criticize Micay because he deleted the CopperheadOS keys, but to me it increases trust in the GrapheneOS project, since he clearly puts the security of his users over money, fear, and whatnot.

In the end trust arises from running a project or company long-term without evidence that you somehow compromised security.

I wonder in general how this situation could be improved. Second or third independent reproducible build + confirmation signing?

All of the defensiveness is warranted. They speak neutrally and objectively.

The project is not going to relinquish control to any 3rd party. Not even the Motorola partnership is given control over the GOS project. The hypothetical you describe is not possible by design.

The GOS project takes no issue with critical thinking, and encourages it. But that is often used as an excuse to handwave attacks. There is a very big difference between criticism/critical thinking and attacking them.

Note that there are more individuals in the project than Micay. Multiple people handle multiple responsibilities; it's not one person.

> The GOS project takes no issue with critical thinking, and encourages it. But that is often used as an excuse to handwave attacks. There is a very big difference between criticism/critical thinking and attacking them.

Responding to attacks so defensively is almost always a bad look for organizations. They could really use a PR person with a more measured voice that corrects facts and projects confidence, and does not convey victimhood, insecurity or defensiveness. Take a look at the tone of press releases issued by companies when some tech press bozo writes a hit piece on them, for good examples of dealing with people attacking you.

I would not use those words to describe the approach they take. They make the effort to speak neutrally and objectively, but the issues they are making light of are often exactly as extreme and common as they describe. Many people have voiced appreciation that they decide against a "corporate-speak" approach. The GrapheneOS accounts are meant to be accounts that let project members speak to users, rather than take on a corporate appearance.

I'm sure you realize that confident assurances of a random new pseudonymous account on a Web site aren't sufficient for anything of importance.

Is there an authoritative source of information about how a takeover like that isn't possible by design, which people can verify, analyze, hold parties accountable for the pieces that require it, etc.?

I am a GrapheneOS user and community member, and I am active in the chat rooms. I made this account to assist with misinformation.

As for how such a thing would not be possible:

- GrapheneOS updates do not trust the network, so any compromise of update servers for OS and app updates would not be able to push malicious updates. Only those who hold the signing keys are capable of pushing updates that will be accepted.

- Multiple people review the code that gets included in the OS. There is not one point of failure when it comes to social engineering.

- GOS supports reproducible builds, so the code that is published can be verified to be the code that is built for the official builds.

So in other words, you would need to convince multiple people who are consciously protecting against this, and who have a proven track record of burning the keys if the privacy and security of their users are in jeopardy. On top of that, you need to conceal this from every developer, moderator, and community member who would raise the alarm at the slightest indication of compromise.
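The two mechanical checks described in the comment above, signature verification under a pinned key (so a compromised update server cannot push anything the client accepts) and a reproducible-build digest comparison, as an added Go example that is not part of this thread and is not GrapheneOS's own code. The key pairs, the artifact bytes and the UpdatePackage layout are constructed for illustration and do not reflect the project's actual update format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed model of what a client downloads: the
// artifact, a signature over the artifact's SHA-256 digest, and whatever
// public key the server claims signed it. The claimed key is never used for
// verification; a compromised mirror controls it, so only the key pinned in
// the client counts.
type UpdatePackage struct {
	Artifact   []byte
	Signature  []byte
	ClaimedKey ed25519.PublicKey
}

func digest(b []byte) []byte {
	sum := sha256.Sum256(b)
	return sum[:]
}

// VerifyUpdate is the "do not trust the network" check: the update is accepted
// only if its signature verifies under the pinned key, regardless of where the
// bytes came from or which key the server claims.
func VerifyUpdate(pinned ed25519.PublicKey, pkg UpdatePackage) error {
	if !ed25519.Verify(pinned, digest(pkg.Artifact), pkg.Signature) {
		return errors.New("update rejected: signature does not verify under pinned key")
	}
	return nil
}

// ReproducibleMatch is the reproducible-build check: a locally built artifact
// must hash to exactly the same digest as the published one.
func ReproducibleMatch(published, localBuild []byte) bool {
	return bytes.Equal(digest(published), digest(localBuild))
}

// SignUpdate is the publisher side (constructed): only a holder of the private
// key can produce a package that VerifyUpdate accepts.
func SignUpdate(priv ed25519.PrivateKey, artifact []byte) UpdatePackage {
	return UpdatePackage{
		Artifact:   artifact,
		Signature:  ed25519.Sign(priv, digest(artifact)),
		ClaimedKey: priv.Public().(ed25519.PublicKey),
	}
}

func mustKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Results records the outcome of each scenario so they can be checked
// programmatically rather than only printed.
type Results struct {
	GenuineAccepted        bool
	TamperedRejected       bool
	ForeignKeyRejected     bool
	ReproducibleMatches    bool
	DivergentBuildDetected bool
}

// Scenarios exercises the checks against a genuine update, an update modified
// in transit, an update signed by an attacker's key that a compromised server
// presents as the project's, and a reproducible-build comparison.
func Scenarios() Results {
	pinnedPub, projectPriv := mustKeyPair() // the project's signing key (constructed)
	_, attackerPriv := mustKeyPair()        // key held by whoever controls the mirror (constructed)

	artifact := []byte("constructed-update-image-v1")
	genuine := SignUpdate(projectPriv, artifact)

	// Same signature, one byte of the artifact flipped in transit.
	tampered := genuine
	tampered.Artifact = append([]byte{}, artifact...)
	tampered.Artifact[0] ^= 0xff

	// Correctly signed, but by the wrong key: the server's ClaimedKey matches
	// its own signature, yet the client's pinned key does not.
	foreign := SignUpdate(attackerPriv, []byte("constructed-malicious-image"))

	return Results{
		GenuineAccepted:        VerifyUpdate(pinnedPub, genuine) == nil,
		TamperedRejected:       VerifyUpdate(pinnedPub, tampered) != nil,
		ForeignKeyRejected:     VerifyUpdate(pinnedPub, foreign) != nil,
		ReproducibleMatches:    ReproducibleMatch(artifact, []byte("constructed-update-image-v1")),
		DivergentBuildDetected: !ReproducibleMatch(artifact, []byte("constructed-update-image-v1-extra")),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenarios())
}
```

The point of the design is in what VerifyUpdate ignores: the artifact, the signature and the claimed key all arrive over the network and are all replaceable by whoever controls the server, so none of them is consulted for trust. Only the key compiled into the client decides, which is why the ForeignKey scenario fails even though its signature is internally consistent. The reproducible-build comparison is the complementary check from the other direction: it lets someone who builds from the published source confirm that the bytes the project signed are the bytes that source produces.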