
There is so much misinformation about GrapheneOS. Other hardware is not supported for very good reasons. Mainly because the most basic security features are simply not available on other hardware. Google goes out of their way to support other operating systems with proper verified boot using custom signing keys. Also Pixels have a proper dedicated security module, Titan M, which I believe is missing from most, if not all, other options. Also MTE support. Hardware security is important and none of the current options match Pixels.


You are implying Meta and others were able to just siphon data from any website via WebRTC using their native apps, but this was not the case. They were only able to track which websites you visited if that website already embedded the company tracking. Many websites do, but not all.


How can you compare iOS or Android security with desktop Linux security?

Have you checked what it takes to achieve those 0-click root exploits on iOS or Android compared to a desktop Linux distro?

Not even in the same league.


Have you checked the time it takes Apple or any Android vendor to fix anything vs the time it takes a Linux distribution?

Months vs hours.


Sounds like a vendor issue also present on desktop. Just get a Pixel and enjoy first-class update support with GrapheneOS.


Sandboxing should be built in and by default, not DIY and glued on, like with AppArmor and Firejail.

"Your car does not come with a seatbelt? Seatbelt parts are easy to order online and assembled on any car, it's your fault for not using one."

> Also the very same npm backdoors have already hit android apps. What can sandboxing do if you backdoor a dependency of your banking app?

The whole point of sandboxing is that one compromised app can not compromise the whole system and other apps. Compromised dependency on my banking app on Android or iOS only compromises that banking app and nothing else.


It’s always felt strange that Linux desktops try to make sandboxing and permissions the responsibility of packaging standards. That strikes me as much more of a system level thing like audio or display output.


Fedora Silverblue is this


How so? I'm writing this from a Fedora Sericea, which is Silverblue but with Sway instead of GNOME. Atomic Fedoras solve only package hysteresis (your package manager being unable to reproduce the intended system state because of unaccounted-for changes) by generating the root file system with OSTree. It has nothing to do with sandboxing the applications themselves.


It does in the sense that all the applications you install will be via flatpak, so they get sandboxed that way. Of course it depends on how locked down the sandbox is configured for each of those applications.


The S in Flatpak stands for Security.

Flatpak is primarily a convenience mechanism for app makers. Any security boundary you may find in it is optional, all defaults are always toward not breaking apps. Apps pretty much uniformly either silently get read access to all your files, and even when that is not true they often get permanent read-write access to any file you open in them.

Go look at the permissions for GNOME Papers. Try to argue that it's "sandboxed".


>Apps pretty much uniformly either silently get read access to all your files

This is outdated information. The situation has improved since the publishing of flatkill with flathub loudly warning about permissions and less apps having full R/W access.

Android apps can be configured insecurely too, although less severely; still, it's the user's responsibility to check and modify permissions.

In either case it's a substantial improvement from no isolation at all, with much easier handling than other sandbox tools or MACs.


> less apps having full R/W access.

Not good enough when apps can still silently have full access to home and /media without the user even realizing.
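To make the "is it actually sandboxed?" question from the two comments above checkable, here is an added example (not Flatpak's or Flathub's own tooling) that parses the permission lists in Flatpak's INI-style metadata/override format and flags grants that amount to full access to home, /media or the host; the app id and metadata text are constructed.

```python
# Added example (not Flatpak's own tooling): audit the static sandbox grants
# in Flatpak's INI-style metadata/override format ([Context] lists such as
# filesystems=, devices=, sockets=, shared=, and a [Session Bus Policy]
# section) and flag grants that amount to unrestricted access to user data.
import configparser
from collections import namedtuple

Finding = namedtuple("Finding", "severity key entry reason")

# filesystems= tokens that expose the whole host or the whole home directory.
BROAD_FS = {"host", "host-os", "host-etc", "home", "~"}
# Path prefixes that usually hold removable media or other users' data.
BROAD_PATH_PREFIXES = ("/media", "/run/media", "/mnt", "/home")

def split_list(value):
    """Flatpak list values are ';'-separated, usually with a trailing ';'."""
    return [v.strip() for v in value.split(";") if v.strip()]

def parse_fs_entry(token):
    """Return (negated, path, mode) for one filesystems= token."""
    # Flatpak grants read-write unless ':ro' is given (':create' is rw plus
    # mkdir); a leading '!' in an override removes a grant instead of adding one.
    negated = token.startswith("!")
    path = token[1:] if negated else token
    mode = "rw"
    for suffix in (":ro", ":rw", ":create"):
        if path.endswith(suffix):
            path, mode = path[: -len(suffix)], suffix[1:]
            break
    return negated, path, mode

def audit(metadata_text):
    """Return the list of Findings for one app's metadata/override text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep D-Bus names case-sensitive
    cp.read_string(metadata_text)
    ctx = cp["Context"] if cp.has_section("Context") else {}
    findings = []
    for token in split_list(ctx.get("filesystems", "")):
        negated, path, mode = parse_fs_entry(token)
        if negated:
            continue
        if path in BROAD_FS or path.startswith(BROAD_PATH_PREFIXES):
            sev = "medium" if mode == "ro" else "high"
            findings.append(Finding(sev, "filesystems", token, f"broad filesystem grant ({mode})"))
    if "all" in split_list(ctx.get("devices", "")):
        findings.append(Finding("high", "devices", "all", "access to every device node"))
    for sock in split_list(ctx.get("sockets", "")):
        if sock in ("session-bus", "system-bus"):
            findings.append(Finding("high", "sockets", sock, "unfiltered D-Bus access"))
        elif sock == "x11":
            findings.append(Finding("medium", "sockets", sock, "X11 isolates nothing between clients"))
    if "network" in split_list(ctx.get("shared", "")):
        findings.append(Finding("info", "shared", "network", "network access, an exfiltration path"))
    if cp.has_section("Session Bus Policy"):
        policy = cp["Session Bus Policy"].get("org.freedesktop.Flatpak", "none")
        if policy in ("talk", "own"):
            findings.append(Finding("high", "Session Bus Policy", "org.freedesktop.Flatpak",
                                    "talk access to the Flatpak service lets the app run commands on the host"))
    return findings

# Constructed metadata for a document viewer that is granted the whole home
# directory, read-only /media, X11 and host command execution.
LOOSE_VIEWER = """\
[Application]
name=org.example.LooseViewer
runtime=org.freedesktop.Platform/x86_64/23.08

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=home;xdg-run/gvfs;/media:ro;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
"""
```

Run `audit()` over the contents of `~/.local/share/flatpak/app/<id>/current/active/metadata` or an `overrides/<id>` file to see what an installed app is statically granted; portal-based access (file chooser, documents portal) does not appear here because it is granted per file at runtime.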


It may be in the future, but for now it is no different from Fedora Workstation in terms of security. Please correct me if I am wrong. AFAIK Silverblue has no additional sandboxing or any other improvements to security.


Pretty sure Fedora, being based on Red Hat, has the strongest SELinux policy in place by default, and SELinux is pretty much the best sandboxing option available other than actual virtualization.


Yes, but this was about Silverblue and how it implements some additional sandboxing, which it doesn't. SELinux is great, but maintaining it and creating configs is a huge amount of work, and where on AOSP every process is strictly confined with SELinux, on Fedora, not so much. Not to mention the additional software the user installs. Not at all comparable to real Android or iOS sandboxing.


It's generally only initial work to make the policies to maintain a program; maintaining doesn't even really exist unless the program radically changes in some way.

Fedora is notable because any software installed via repositories has a policy written for it, so it is already far more in effect than you might realize.

It's entirely comparable to Android sandboxing because it's part of the foundation of Android sandboxing.


Secureblue has entered the chat.


> What concerns me more is that Apple is the only company audibly making a stand.

But still Apple operates in China and Google does not. This is weird to me. Google left China when the government wanted all keys to the citizens' data. Apple is making a stand when it's visible and does not threaten their business too much.

Apple is not really in the business of protecting your data, they are just good at marketing and keeping their image.


> Google left China when the government wanted all keys to the citizens' data.

Google left China after China started hacking into Google's servers.

> In January, Google said it would no longer cooperate with government censors after hackers based in China stole some of the company’s source code and even broke into the Gmail accounts of Chinese human rights advocates.

https://www.nytimes.com/2010/03/23/technology/23google.html

They were working to reenter the China market on China's terms many years later, when Google employees leaked the effort to the press. Google eventually backed down.


I'd imagine there were multiple factors that went into that business decision. Even if this was portrayed as the final straw.


China feels like an important difference here though. Google leaving China doesn't protect Chinese citizens' data any more than Apple turning off ADP in the UK does. As far as I know, Apple isn't pretending that the data of Chinese users is encrypted from their government, and the way they're complying with the Chinese laws shouldn't impact the security of users outside of China.

Apple pulling ADP from UK users is similar - the UK has passed an ill-considered law that Apple doesn't think it can win a court case over, so they're complying in a way that minimally affects the security of people outside the UK. If, as someone outside the UK, I travel to the UK with ADP turned on, my understanding is it won't disable itself.

Would you have been more satisfied if Apple just pulled out of the UK entirely? Bricked every iPhone ever purchased there? Google doesn't seem to have made any stand for security ever - them pulling out of China feels more to do with it meaning they wouldn't have had access to Chinese users' data, which is what they really want.


> Would you have been more satisfied if Apple just pulled out of the UK entirely? Bricked every iPhone ever purchased there?

The request/law would be rolled back in minutes in that case. They wouldn't dare though. (wouldn't even have to be bricking - just disable services like iCloud)


Apple has 40 retail stores in the UK with thousands of employees. They have a big new HQ in London where they have engineering, etc.

I cannot see Apple completely shutting down in the UK, firing thousands of staff, selling off any property, and cancelling leases, just for a week long bargaining chip.


iCloud in China is operated by a local subsidiary. There is a dedicated screen explaining this when you set up an iCloud account in this region.

They adapt to the local rules of each region, much like they’re doing here in the UK.


>iCloud in China is operated by a local subsidiary

It's not operated by an Apple subsidiary. It's operated by a government owned company. I'm not aware of any local laws that require this particular arrangement.


It’s different. Apple follows Chinese law to operate their services in China, just like Microsoft.

With Google, their services are way broader. Operating a hunk of their search business with a third party Chinese firm just isn’t viable for their services, which are way more complex.


I want to buy my phone from a phone manufacturer.

I want to backup my data with a managed service.

I do NOT want these to be the same company.

The government, with antitrust laws, could easily force this issue. On the other hand, they really love how few places they have to go with FISA warrants to just take anyone's data. This is the long tail of the American security state. So it's really ironic that China takes most of the blame.


Perhaps Apple has a greater leverage in China due to its outsized manufacturing presence. And it's likely they already don't offer ADP to Chinese citizens.


> Perhaps Apple has a greater leverage in China due to its outsized manufacturing presence.

Perhaps China has greater leverage over Apple in this case...

China had been an important area of growth for many companies during the 2010s. Apple bent over backwards to cater to that market. It was discussed in every financial release, and they obviously made tons of concessions for iCloud.

The UK just comparatively isn't that much revenue, and not worth the fallout.


> China had been an important area of growth for many companies during the 2010s. Apple bent over backwards to cater to that market

and it is the same with European car companies (like Volkswagen). Look at where they are now.

I don't believe for a second that China will not oust Apple the moment there's a good reason to.


> Look at where they are now.

Apple's revenue from China has been super dependent on new iPhones looking different, and has been steadily declining or flat for years, except for a few quarters when Huawei was sanctioned.

Chinese money was absolutely the forbidden temptress that continues to screw businesses. Luxury goods, cars, electronics, etc were all banking on China’s economic rise to grow their revenue, and post-covid recovery saw all that money stay domestic.

China won’t oust Apple because twisting Tim Cook’s arm is way more useful. Same with Tesla and any other company that makes a big bet there. But they absolutely won’t be giving American companies an equal chance at success.


> And it's likely they already don't offer ADP to Chinese citizens.

AFAIK, before the UK, the only region with ADP was China.


lol you think Apple has more leverage than China? What world are you living in?


A world where HN commentators can read English.


Eh Google had pretty good reasons to not operate in China (not seeing them in this thread, don't recall the details precisely enough to relate here)

Apple is deeply embedded in China (manufacturing) and benefits from a decent (but shrinking) userbase in the country. China isn't asking for the keys to all iPhone user data, just data stored in China.


No need to turn JS off. Turn on Lockdown mode, which disables the JavaScript JIT and WASM, which might be enough.


It’s not.


If security is not that important, Firefox or Safari. If you care about security, Chromium.


Any widespread recent security issues that were only affecting Safari and Firefox? That sounds like scaremongering to me.


Yes, there was a big one for FF in Oct https://nvd.nist.gov/vuln/detail/CVE-2024-9680


And Chrome had one with severity "High" just three days ago, browsers will always have security issues that seem to be patched reasonably fast in the big three. Might as well pick one that's not part of the monoculture by a big advertising company, depending on your threat model of course.

https://chromereleases.googleblog.com/2025/01/stable-channel...


Yes, all software will have security issues, but Chromium is a much harder target to exploit than Firefox.


Using Firefox on Qubes OS. Show me any good attack vector affecting me.


QubesOS is great if you need to do work and personal stuff on the same computer. I do most of my stuff in the browser and have a separate computer for work. I am mostly interested in making initial access as expensive and difficult as possible.

You are still just as vulnerable or more vulnerable to malware stealing browser sessions, passwords, and everything you have on the AppVM the browser is running on than you are on a regular Fedora Workstation. Unless you only use disposable VMs, which you probably don't. If QubesOS had hardened templates, I would use it. When I used it, SELinux was not enforced, and I believe it still has passwordless sudo. Not sure what other mitigations are disabled in the default templates compared to regular, non-QubesOS Fedora Workstation.


> QubesOS is great if you need to do work and personal stuff on the same computer

This is significantly underestimating the benefits of Qubes. Are you using your online banking in the same browser that you use for random web surfing? I do it in separate VMs with hardware isolation. Same compartmentalization with all other things.

> You are still just as vulnerable or more vulnerable to malware stealing browser sessions, passwords, and everything you have on the AppVM the browser is running on than you are on a regular Fedora Workstation

This is not true. I'm not using the same VM for everything but dedicated VMs for bank, email, HN, instant messaging and so on. A malware on a random website would only get the access to an empty VM, nothing more. Passwords can be securely saved in the related single-purpose browsers and in a plain text file (in an offline VM).

> If QubesOS had hardened templates, I would use it.

You misinterpret the Qubes' approach to security. If your VM is compromised, no hardening will save your data (https://xkcd.com/1200/). On Qubes, you should compartmentalize your digital life into security domains, such that you never run anything untrusted in trusted ones and never have anything valuable in untrusted ones. With such an approach, hardening is irrelevant. More examples: https://www.qubes-os.org/news/2022/10/28/how-to-organize-you...

> Unless you only use disposable VMs, which you probably don't.

I don't understand why one wouldn't use them for everything not requiring saving the data. Of course I do use them and wrote this comment from one.

More benefits: https://forum.qubes-os.org/t/how-to-pitch-qubes-os/4499/15


> This is significantly underestimating the benefits of Qubes. Are you using your online banking in the same browser that you use for random web surfing? I do it in separate VMs with hardware isolation. Same compartmentalization with all other things.

What about NetVM? All AppVMs use that, so what if that gets compromised? Since the templates are not hardened at all, could the attacker jump from NetVM to AppVM?

> I'm not using the same VM for everything but dedicated VMs for bank, email, HN, instant messaging and so on. A malware on a random website would only get the access to an empty VM, nothing more.

So how many Templates and AppVMs do you have? Each of those dedicated VMs would need their own AppVMs at least. You have Domain: Bank, Domain: Email (do all email accounts get their own domain?), Domain: HN, Domain: Github, Domain: Stackoverflow, Domain: Signal and so on.

> If your VM is compromised, no hardening will save your data

So that means layered security is totally meaningless and instead of keeping it default, let's remove mitigations?

> you never run anything untrusted in trusted ones and never have anything valuable in untrusted ones.

In practice, this is close to impossible.

> I don't understand why one wouldn't use them for everything not requiring saving the data

Disposable VMs were the best part of QubesOS, but unfortunately, it is pretty common that you need to log in to something or save something, which means you can't use DisposableVMs for everything.


>> If your VM is compromised, no hardening will save your data

> So that means layered security is totally meaningless and instead of keeping it default, let's remove mitigations?

Security in depth is definitely important, but it would provide a smaller improvement compared with the virtualization. Don't throw the baby out with the bathwater by refusing to use Qubes without hardening. Also, Qubes developers do have plans to implement more hardening: https://github.com/QubesOS/qubes-issues/issues/5294, https://github.com/QubesOS/qubes-issues/issues/5461, https://github.com/QubesOS/qubes-issues/issues/8823 etc.

> Each of those dedicated VMs would need their own AppVMs at least.

This would provide more security in depth but if you never run installed software in your AppVMs, it would still be reasonably secure.


I want to use Tldraw as a simpler alternative to Figma. I want to drag and drop Web Components (or React components) into the canvas to play around with different UI ideas. Maybe a built in library of Shadcn components I could mock up an UI with.


> Thing is that Android is probably no more secure than a standard desktop experience specifically due to the very uncontained Play Store, the prevalence of sideloading apps and rooting doesn't really help at all.

This is completely untrue. There is a lot more to OS security than where software can be downloaded from. The point about root and sideloading is completely missing the point, as those are even worse on desktop operating systems. On desktops you can basically run whatever from wherever and there is usually no sandboxing at all. On Android, there is a strict sandbox and you can't run whatever you want. Android is not rooted by default.

Every app is strictly sandboxed on Android; point me to a desktop OS that has anything close to that. Every process is confined using SELinux policies on Android; which desktop OS has as strict a MAC setup? Android has a proper, working verified boot; which desktop OS has something similar? Not to mention all the other hardening and exploit mitigations that are usually completely missing from standard desktop operating systems.


Probably over 90% of what I use my personal laptop for is browsing the web, watching videos, listening to music, and writing notes. In a general purpose OS, I value security above all else. Privacy is a close second, and of course stability, ease of use, resource lightness, and application support are also important factors.

I haven't found a desktop operating system that ticks most of the boxes, especially security and privacy. The only OS that ticks all the boxes is GrapheneOS, but it's not really a desktop OS. That's why I'm so excited about these updates, and why I wish there was either a good keyboard/trackpad case for the Google Pixel Tablet running GrapheneOS, or someone would make a laptop that had the necessary requirements to support GrapheneOS.

I code on my work laptop, and if I really wanted to, I could probably SSH or VNC into a Linux box to code on GrapheneOS. There is also pKVM, which will probably make it easy to run Linux VMs on GrapheneOS at some point in the future.


> I haven't found a desktop operating system that ticks most of the boxes, especially security and privacy...That's why I'm so excited about these updates

Android and privacy are not two things that go together.


I am not talking about Google's Android. I am talking about GrapheneOS and in Google's blog post they mention that this is coming to AOSP.


Go on! Substantiate that. From a platform level. Please, I'm very curious.


If I had my way every person that downvotes this kind of comment without replying would just be banned.

There are no replies because it's utter cargoculted ignorant bullshit.


The vast majority of Android devices run Google Services. The End.


The vast majority of Linux desktops run ChromeOS. So you think Linux and privacy don't go together?


> Linux desktops run ChromeOS.

Linux is a kernel. ChromeOS is a dumbed-down OS. Calling it a desktop is like calling MS Windows secure.


Change my view: open source operating systems are bad in practice since good actors rarely audit them but bad actors not only have the usual exploits but also have the keys to the castle.

Edit: guess we’re not having a fruitful discussion about this then. Shame.


This is the classic "security through obscurity" argument. Yes it makes it harder to find vulns and develop exploits when the source isn't available, but once there are enough users to make it worth it, people are gonna fuzz the shit out of it regardless whether it's open or not.

At least with open source, you have white hats (and gray hats to some extent) using the available source to get hints. These end up getting reported a lot more than for closed OSes. There may seem like more CVEs for Linux than Macos for example, but that isn't proportional to the number of vulns, researchers, or exploits out there.

That said though, even if open were less secure (which I don't think it is), it is still a better and more ethical model for software and would be worth the security risk. Luckily for the world, open is more secure (or at least equally secure).


> Edit: guess we’re not having a fruitful discussion about this then. Shame.

When you started with the low-grade trope "Change my view" you already indicated you weren't interested in a discussion, just arguing for the sake of arguing on the internet.


I actually wasn’t, I was looking for other opinions. I think my view holds merit, but clearly smarter people than me think differently and I wanted to hear their angle.

Thanks for explaining though, I was genuinely confused at the downvotes. Maybe that meme doesn’t mean what I thought it did.


> Maybe that meme doesn’t mean what I thought it did.

It doesn't. The general implication of that meme is not that someone actually wants to seriously consider alternative views; the implication is "I want to assert my position, which I think is unassailable, using the veneer of an argument".


I think you've been gotten by the Reddit-ification of everything. Essentially, many people assume sinister motives on everyone else's part. If you're saying/asking something like you did, it must be because you have an agenda.

Fortunately with a bit of time it will even out and probably go positive. It's the early voters on comments that are the most negative and quick to judgment.


Why do you think bad actors "audit" open source more than good actors?

Isn't it more the case that all actors audit all software? Open source just has potentially more "auditors" than closed source?

(I don't understand what you mean by "usual exploits" and "keys to the castle")


> Isn't it more the case that all actors audit all software? Open source just has potentially more "auditors" than closed source?

Perhaps bad actors don’t audit more than good actors, but this doesn’t address whether there are more good or bad actors doing the auditing. I think this is a more valuable comparison if we’re talking about risk mitigation and the safety of open-source software. Do you know that there are more good-faith auditors than bad?

Very much related — we should probably acknowledge the disparity between the two groups in terms of motivation, sustainability of said motivation, financial resources, and time.

The idea of burnout among open-source maintainers is long-known and endlessly discussed. They often/mostly volunteer their time — to some thanks, but also to a deluge of “doesn’t work” tickets with no repro, as someone pointed out on this recent post:

https://news.ycombinator.com/item?id=41579591

Bad-faith actors tend to be highly motivated, with ideological or financial goals. They have more and perhaps better resources, more so if state-funded, and more time to commit.

This doesn’t mean there’s a constant and unmanageable risk to open-source software, and I certainly don’t agree that open-source OSes are a bad idea. But it’s not as simple as having actors auditing on each side or the difference in numbers between closed and open-source.


Usual exploits = using the normal tools to look for buffer overflows and such by attacking the running system and compiled binaries.

Keys to the castle = the ability to also look in the source code for vulnerabilities, run static analysis, fuzzing but also architectural flaws. Basically use extra methods that you can’t do on the running system or binaries. You would expect some tools to be run already by the authors but some tools will find things that others don’t.

Bad actors have an incentive to audit the code (find vulnerabilities) since they were in the process of attacking the system anyway, so why not look at the source? You also have state level attackers who are getting paid to find these sort of things, and others looking to sell 0-days.

Who are good actors? Who is willing to spend their time finding and fixing bugs? There are definitely people doing it out of the kindness of their heart, and others might be researchers and so on, maybe some companies that use the software - but you are relying on these outnumbering the bad actors.

I think there will always be bad actors, and assuming that there is an army of good actors watching your back might not always be correct. But happy to hear other angles, which is why I opened (and accidentally closed) the conversation.


Good actors do it mostly for money and fame, bad actors do it mostly for money. Both actors do it for open source and closed source software.

Isn't it a good thing that anyone can effectively use tools to check for potential vulnerabilities?

This is just speculation, but I think open source projects may mature faster in terms of security because the low-hanging fruit is maybe found faster than in closed source projects?

Another interesting case I think about a lot is the classic AOSP vs. iOS. Apple tried to sue Corellium for making it easier to research iOS. Then Apple started the Apple Security Research Device program to make it easier for researchers to do iOS research. These two things seem to me to be a kind of involuntary open-sourcing of iOS. Why did Apple see Corellium as a threat and why did they provide researchers with these special devices?


Why don't you think they get audited by "good" actors?

