GrapheneOS decided to leave France because they would have to implement a backdoor for French authorities.
What about backdoors in #IodeOS as Iodé is a French company?
https://goingdark.social/@watchfulcitizen/115605398411708768
@[email protected] is being threatened by French authorities for refusing to add backdoors and they're dealing with coordinated attacks in French media right now. They're pulling out of France entirely, moving all their servers, and fighting off a wave of bullshit one-sided reporting that makes them look like they're helping criminals. They need us to fight back. Support them however you can, whether that's a dollar, sharing their story, pushing back on the garbage news coverage when you see it, or just telling someone you know about what's happening. All of it matters because they're drowning in attacks from governments and media and bad actors who want them gone. This is the only Android OS that actually makes me feel like privacy isn't just marketing. They fight for us now they need us to fight for them. The EU is pushing Chat Control and creating an environment where governments feel empowered to threaten developers into compliance, and if we stay quiet we're letting it happen. Show up for them in whatever way you're able to. #grapheneos #Privacy #NoBackdoors #encryption #security #chatControl
I am interested in that issue too.
I'm planing to get an IodeOS phone and i highly oppose the idea of "scan-on-device" / cliwnt scanning backdoors in Software.
Not only having a single App with such a backdoor in, but the base OS having one, is even worse...i didn't know this was law in france already.
Even if i am not in danger to be targeted in an legal investigation, does such a backdoor not pose a great risk to be hacked by criminals via that way too?
@GrapheneOS @Uddelhexe @plumeros
Got it...
Looks like there are some nuances as well
https://us.norton.com/blog/mobile/android-vs-ios-which-is-more-secure
@GrapheneOS @globcoco @Uddelhexe
iOS is closed source, so nobody will ever find any backdoors in the software, even if the hardware offers to implement a high level of security. Do I miss anything?
@plumeros @GrapheneOS @Uddelhexe
Nope.
Now, closed source is also problematic as well if decisions were made at the top...
@globcoco @plumeros @Uddelhexe No, it's very inaccurate and is a common misconception among people who aren't developers or security researchers about open source. It does not provide anything close to what you believe it does. You still highly trust the developers of software released as open source and even rare cases of extensive external review do not find all or most vulnerabilities in practice. Finding subtly hidden vulnerabilities would be even more difficult.
@[email protected] @[email protected] @[email protected] No, that's not how closed source and open source work at all. Closed source software is not a black box. Open source absolutely doesn't mean that all or most vulnerabilities get discovered. Linux kernel has many severe vulnerabilities being found on a regular basis which have existed for years and even decades. Most projects are not getting anything close to that much review. It certainly doesn't mean that an intentionally hidden subtle vulnerability will be found.
@GrapheneOS @plumeros @Uddelhexe
True. I don't have the experience and knowledge.
Thank you for sharing what you know.
Much appreciated.
Which devices do you own? (Iphones, ipad, mac...?)
@globcoco @GrapheneOS @Uddelhexe
It's correct that open source doesn't guarantee that all vulnerabilities are found.
But OSS can be reviewed by anybody at anytime, the developers cannot control by whom.
Closed source is sometimes also reviewed. But who prevents closed source developers of removing backdoor code just before a review and add it immediately afterwards again? Who selects the reviewers? It's all in the hands of the closed source manufacturer.
So how can anyone trust closed source?
@plumeros @globcoco @Uddelhexe
> But OSS can be reviewed by anybody at anytime, the developers cannot control by whom.
Your belief that closed source software is a black box which cannot be externally reviewed is incorrect.
> But who prevents closed source developers of removing backdoor code just before a review and add it immediately afterwards again?
Closed vs. open source doesn't work the way you believe it does. Closed source software means not having sources, not lacking the code.
@GrapheneOS @globcoco @Uddelhexe
> Your belief that closed source software is a black box which cannot be externally reviewed is incorrect.
If the manufacturer allows it, it can be reviewed. If not, no way to review the source code. In this case only reverse engineering may help.
> Closed vs. open source doesn't work the way you believe it does. Closed source software means not having sources, not lacking the code.
I think that's no answer to the question.
@plumeros @globcoco @Uddelhexe
> If the manufacturer allows it, it can be reviewed. If not, no way to review the source code. In this case only reverse engineering may help.
No, you have common misconceptions about open source held by people who aren't developers or security researchers. Closed source does not mean the code isn't available for anyone to review. It's not a black box and the code can still be reviewed.
> I think that's no answer to the question.
It's what the issue is here.
@plumeros @globcoco @Uddelhexe
> Who selects the reviewers? It's all in the hands of the closed source manufacturer.
No, that's not how it works. Closed source software still has the compiled code available for review, which is often the best format for finding a subtle backdoor which can be inserted as part of the toolchain or through very subtle approaches. Source code is usually the best form of the code to look for accidental vulnerabilities but a backdoor is a much different thing.
@GrapheneOS @globcoco @Uddelhexe
> You're talking about backdoors where it's deliberately done and hidden.
I meansoftware quality in general and backdoors in particular.
> Closed source software still has the compiled code available for review, ...
Following this logic OSS wouldn't make any sense then, as users have always the binary code for execution and for review.
@plumeros @globcoco @Uddelhexe
> Following this logic OSS wouldn't make any sense then, as users have always the binary code for execution and for review.
It doesn't make it not make sense. Source code is the preferred and easiest format for modifying the code and open source provides permission to do it. That doesn't change that what you're saying about closed source software is inaccurate. Finding backdoors is also far different than looking for accidental vulnerabilities.
@GrapheneOS @globcoco @Uddelhexe
> Even with reproducible builds + open source, the source code can be written in a way which deliberately masks a vulnerability in subtle ways.
This is what happened Easter 2024 with zx library in ssh.
@econads @plumeros @globcoco @Uddelhexe
> and without the sources to compile yourself, how can you be sure they match?
If you're reviewing the compiled code, you don't need to verify anything matches. That's only relevant to reviewing source code and needing to verify the compiled code matches via reproducible builds which are often not supported.
@GrapheneOS @pinpin @globcoco @Uddelhexe
> Pixel with GrapheneOS
I like the intention of GrapheneOS to make a secure and privacy friendly OS.
But how much sense does it make to buy google HW for a de-googled OS?
@pinpin @globcoco @Uddelhexe @plumeros GrapheneOS is a production quality OS. GrapheneOS does not have issues with stability and does not require more maintenance. It doesn't sound like you've used it.
GrapheneOS is not a "custom ROM" and that isn't accurate terminology. It's not terminology we've ever used and we correct it when people incorrectly refer to it that way.
There are official parts and repair kits available for the devices we support for quite a long time.
@econads @globcoco @plumeros @Uddelhexe
> it's the absolute basic of security, not a guarantee. It's the auditability. If something is closed source you can't check whatever claims it wants to make.
Having access to the source code does not provide the ability to avoid trusting the developers in practice. If it did, widely used projects like the Linux kernel would not have a massive stream of severe vulnerabilities being found which have been present for years and even decades in plain sight.
@econads @globcoco @plumeros @Uddelhexe The vast majority of open source projects get little to no external review. Nearly none receive in-depth privacy or security review. In general, people trust open source projects because source code is available and someone could audit the sources rather than because anyone is doing it.
The claim that only sources can be reviewed is incorrect and resembles dubious claims that open source is less secure due to attackers being able to find bugs more easily.
@GrapheneOS @globcoco @plumeros @Uddelhexe wow 4 replies to replay what you already said. And I already said that open source doesn't guarantee security, it actually has to be audited and the rest yes. I can tell you from 18 years in the industry that companies are not completely trustworthy either (audience gasp), and most closed source software doesn't have internal audits either.
But why is closed source not a black box?
@hyc @plumeros @globcoco @Uddelhexe You can read what we said as closed source software not inherently being a black box and reviewing what it does not being an insurmountable task orders of magnitudes harder than reviewing an open source project with the same level of depth. Source code can have very subtle intentional security holes and can take advantage of the medium to hide those. The topic was claims about backdoors in iOS vs. a similar scale open source OS.
Time for purses with Faraday Inlays, i guess.
@v_d_richards @iode I've actually been thinking about something like this, for all sorts of reasons.
They exist; I'm not sure how effective they are.
@kzeta @v_d_richards @iode You'd be cheaper off just getting a sheetmetal box the size of your phone of using fine metal mesh or tinfoil around it.
And this is actually the least of it.
Joshua Graves
iodé 🇬🇧
Plumeros ☮️
Uddelhexe
GrapheneOS
Coralie Renée
Howard Chu @ Symas
econads
Pinpin
Viktoria D. Richards/Uddelhexe
Kate Zimmerman
Kevin Karhan 
DJ Enno
Zot Nobot
My camera shoots fascists
Andrew
Mark Crocker
@stevewfolds
Koantig