Lemongrab Lemongrab @lemmy.one
Posts 19
Comments 526
De-googling and privacy on Sony xperia
  • Yeah, any security focused android ROM won't include root because it breaks the android security model. Breaks the ability to have secureboot and system safety checks by apps.

  • De-googling and privacy on Sony xperia
  • DivestOS is the most degoogled (removes the most proprietary blobs) android ROM. See if your device is on this list: https://divestos.org/pages/devices

  • Why do so many people still hate GrapheneOS?
    1. My point was that standard linux should have those things too if it wants to be considered "secure". Default Linux isn't secure out of the box without a lot of work. It is more private than proprietary OSes but not more secure, therefore compromising your ability to safeguard privacy as a result. Linux is also a great target for threat actors because the majority of servers run Linux, meaning security researchers and cyber criminals alike are looking for weaknesses. I'd recommend looking into Android's Security model because it is interesting and gives insight on designing a secure mobile device. Stock Android suffers from OEMs not providing consistent long-term updates for devices, which 3rd party security hardened ROMs like DivestOS and GrapheneOS help to address.

    Extra reading: see Whonix comparison table to see what they look for when choosing a base OS that can be later hardened for security. Note that some things in the table are not security specific but important for anonymity (which Whonix modifies to Kicksecure to better protect). Whonix is a security focused operating. Here is a comparison of different memory allocators showing their features for preventing different types of exploitation. Memory based attacks consistently are reported to be one of the most common types of attacks.

    2. Here is a link to the Wikipedia page on Linux-libre Kernel. I'm not suggesting this should be the default, was just making a point that binary blobs may be needed in a kernel for compatibility or security (eg updating firmware that is vulnerable when that happens).
  • Why do so many people still hate GrapheneOS?
  • Point still stands. postmarketOS isn't hardened. Default desktop linux isn't hardened. Malware could easily infect your device and exfiltrate data, escalate privileges, modify the kernel, etc. Each of the things I have mentioned (hardened_malloc, immutable OS, hardened kernel, hardened firewall, removal of identifiers, full disk encryption, locking of root login [not the same as invoking root], MAC hardening through SELinux or/and AppArmor, service minimization for reduced attack surface, package manager hardening, secure boot, sandboxing of applications, etc) should be implemented for both Desktop or Mobile Linux to have "good" security. Security is preventative. All of these things come together to create a system better equipped to protect against known and unknown threats, which is especially true for mobile devices which are near-constantly in unknown environments. A vulnerable device is a weak link in the chain of your security, which can be used to compromise your privacy. You may never be attacked or have your device exploited, but that doesn't make it secure as a result.

    I would love to see an actually secure mobile device that is rid of Google's stench. Problem is postmarketOS isn't secure, it's just default linux on a phone. If it saw large-scale adoption (which we all would like a good alternative to do) it would be easily exploited.

    It says postmarketOS is based on alpine Linux, which according to Whonix doesn't meet their threat model and it's odd to claim "Alpine Linux was designed with security in mind" when Alpine's package doesn't pass The Update Framework model. A vulnerable package manager can be used to compromise a system, read more about package management on TUF's website.

  • Why do so many people still hate GrapheneOS?
  • Did you go to any of my links about Linux hardening? Do you implement any hardening yourself? Do you harden kernel flags or replace malloc with hardened_malloc?

    If PostmarketOS is just ARM linux with minimal changes then it isn't secure enough for a mobile device. All apps should be sandboxed regardless of whether you can trust the code or developer. Each app expands the attack surface of your device.

    Linux kernel also has proprietary blobs for firmware and device support. That is the difference between Linux normal or libre kernels.

  • Why do so many people still hate GrapheneOS?
  • Nah I don't think that at all. But DivestOS and GrapheneOS are the most security hardened. DivestOS takes extra steps to further deblob Android of proprietary bits to further reduce attack surface. See my other reply for my detailed (barely scratching the surface) insight into why Linux isn't a good mobile OS, but more so how Linux isn't security hardened well at all by default.

  • Why do so many people still hate GrapheneOS?
  • Security through obscurity is not security. There are special considerations that have to be taken on a mobile device. Mobile OSes, while unhardened normally, are still designed to protect against attack vectors that aren't considered by normal linux. Linux can be hardened, but is very open by default. It also offers no default sandboxing of apps from each other. It isn't immutable, unless postmarketOS is, which is a large security threat when considering device integrity. Full disk encryption isn't enabled by default (unless changed in postmarketOS). Root login is enabled by default (a huge attack vector). Linux isn't secure by default, but more private than any proprietary OS like Windows, iOS/MacOS, ChromeOS, and Android. But Linux because of its open default makes it vulnerable to spying by 3rd party apps installed by the user. It is also vulnerable to attacks from a network.

    I recommend a deblobbed Android ROM like DivestOS (my personal fav and more deblobbed of proprietary blobs than any other ROM) or GrapheneOS. See a good comparison between ROMs here: https://eylenburg.github.io/android_comparison.htm

    For linux hardening, check out Kicksecure for Debian distromorphing, Secureblue for Fedora Atomic (immutable) rebasing, and Brace by DivestOS's developer for general security hardening of Fedora/RHEL, Debian/Ubuntu, Arch Linux, and OpenSUSE Tumbleweed.

  • Why do so many people still hate GrapheneOS?
  • Linux mobile is not threat modeled for a mobile device. It is quite risky. Mobile devices must consider more known and unknown attack vectors than a device (like a Desktop) that stays in a consistent trusted environment (like home or a personal office in some cases).

  • X Rule
  • No, we need the protocol to always display those annoying popup adware porn ads in the corner with tiny "x" buttons that exponentially increase the number of porn ads on click.

  • Android List Apps for a de-googled phone
  • With mull an tubular I being see ads on my phone anyway.

    So you are or aren't seeing ads? I don't with both.

  • Android List Apps for a de-googled phone
  • I'd always shop used for that through a reputable resale store with quality assurance.

  • Probably a stupid question, but what can I do to 'degoogle' a Google Pixel 8?
  • The assumption I was under for the parent comment's scenario was that the device would remain with its default ROM, in which case Google services are installed as a system app and disabling/uninstalling through ADB would do little to change things (cus of the proprietary kernel and all). Moving to alternative FOSS clients helps a new user get used to alternatives and learn better compromises they can use in the future on a degoogled ROM with services they may be forced to use.

  • Probably a stupid question, but what can I do to 'degoogle' a Google Pixel 8?
  • Ditching your gmail account is the hardest step of degoogling and really isn't one step. Ditching Gmail the app is good because it is one less permissive google app you have installed.

    Tubular is just newpipe with sponsorblock and return YouTube dislike, which have their own Privacy Policies to worry about but are great features to have. Either way, you should be using a VPN because otherwise it isn't much different than the scenario you mentioned with a FOSS client for a proprietary google service.

  • Truth rule
  • Never. I go straight under my powerful ceiling fan and dry off.

  • Probably a stupid question, but what can I do to 'degoogle' a Google Pixel 8?
  • I think Rethink DNS would be better in this case because you can block internet to system apps, apply DNS blocklists, and set up a Wireguard VPN with a config file.

  • Probably a stupid question, but what can I do to 'degoogle' a Google Pixel 8?
  • Newpipe isn't an alternative to Gmail, I'm assuming that was just awkward wording. A good alternative to the Gmail app is FairEmail or K-9 Mail. Newpipe (or better yet Tubular) is a good alternative to YouTube (without google signin and local only storage of subscriptions, history, and playlists)

  • Are there mobile apps for RedLib?
  • And install it as a PWA (it might just be a shortcut idk) on Android

  • Ruillotine
  • You lift up the neck restraints, then stick in the king's neck

  • Ruling like an ancient Chinese emperor

    Image alt text: Picture of a tea box with the text "Gunpowder Tea" in large letters and underneath in smaller letters "China Green Tea".

    2

    Class traitor rule

    Alt text:

    Description: 3 panel comic of someone interacting with a cop during traffic stop

    Conversation: Cop says "Do you know why I stopped you?" Driver responds "Because you're a class traitor?" Cop is too stunned to speak.

    32

    Kendama-core rule

    Alt text: Child playing with a kendama-like toy with the catching mechanism and ball being each half of the demon core experiment.

    6

    I want to bring some attention to Slidge XMPP Bridges

    It seems like an awesome project that fulfills a lot of the requirements for bridging many popular messaging platforms (like FB messenger, WhatsApp, discord, signal, and more). I wanted to share because I know a lot of us have friends and family who still use antiquated/proprietary communication platforms. Fair warning, I have not tried self hosting it myself yet since my server is kind of a mess right now. Lmk what y'all think.

    21

    Thoughts/Experience with OpenSUSE Micro-OS?

    As the title says, I wanted to hear what other (more experienced) self hosters think of Micro-OS.

    3

    concussy rule

    Image transcription...

    Instead of X say Y

    I have a concussion = I'm in my bonked-up state.

    I'm concussed = I'm all bonked up.

    My brain is bruised = I've got a BrainBonk TM.

    I'm in my concussion era = It's serving gonked gourd.

    My concussion may affect the quality of my work = Getting my concussy slonked silly style.

    0

    blood-transfusion rule

    Image transcription: 'Today, I operated on a little girl. She needed O- blood. We didn't have any, but her twin brother has O- blood. I explained to him that it was a matter of life and death. He sat quietly for a moment, and then said goodbye to his parents. I didn't think anything of it until after we took his blood and he asked, "So when will I die?" He thought he was giving his life for hers. Thankfully, they both died'

    0

    sharing mononeon cus

    would like to share. He has great patchwork and crocheted clothes, and better mastery over the bass. Sharing this in particular cus he got a good color scheme going with his clothes.

    1

    Serving rule

    Alt text: "I just realised the lid on medicine bottles is a serving size." Don't do that obviously, unless your goal is to meet the hatman in the ER.

    11

    Hiya, where do yall get memes.

    Hi, as the title says I am looking for meme communities that share memes. My problem with lemmy (or reddit's) main meme communities is that the memes are boring normal shit instead of gay boring normal shit. Mostly kidding but main meme subs are just bland and or basic observations about the world.

    24

    testing

    aHR0cHM6Ly93d3cuYmFzZTY0ZW5jb2RlLm9yZy8=

    1