Thread 105953711

The new GrapheneOS TRVTHNVKE just dropped.

>>105953711 (OP)
I'm not buying a Google phone (which probably allows Google to spy on you through hardware) just to use their "secure" OS

What's a secure element?

>>105954047
titan chip. goyphene devs believe you need a proprietary big corpo intel ME on your phone or it's insecure

>>105954047
a chip holding encryption keys. those keys themselves are stored encrypted with the PIN or passphrase of the user. bruteforcing a 4-8 digit PIN would normally be trivial. but the secure element prevents it by throttling attempts. if you failed a few attempts, it will not allow further ones for a while. the cooldown phase continually increases. so suddenly trying 1000 combinatiins can take years instead of fractions of a second.
also the data can't be physically extracted.

so with a secure element, your data can be protected with a convenient 6 digit PIN. Without a secure element you need a 6+ words passphrase to ensure it can't be easily decrypted.

>>105953711 (OP)
I was thinking it's just another drama post, but he's absolutely right. /e/ and Fairphone btfo

I’m not touching anything that has had contact with Google in any way or form

>>105954047
its like when you enter your PIN wrong a few times at the ATM, you won't get your card back. prevents police from cracking your phone

>>105954424
then your only real choice is an iPhone

>>105954377
>there's absolutely no backdoor trust me
why do people take anything securitytards say for granted? If it's not open source/architecture, you can't be sure about the claims. Whether the Titan chip or the bootloader locked down with proprietary keys and the technology. Yeah, the fucking core root of trust on GrapheneOS doesn't exists becasue you DONT HAVE THE KEY. This is no different than shilling proprietary software on /g/.
>le evil maid
do it the ways heads did it
>there's no alternative
yeah, the point is that you can't get FOSS and security at the same time on phones as is. You need to look for other approaches

>>105954448
>people take anything securitytards say for granted
GOOGLE WOULD NEVER LIE YOU STUPID NAZI CHUD I WILL MAKE A POST ABOUT YOU ON MASTODON

>>105954377
This post with anger the anti-Graphene schizo greatly.

>>105954448
strawman.
of course you cannot fully rely on the secure element. it doesn't even have to have an intentional backdoor. there could simply be a flaw/exploit that beats the throttling so suddenly bruteforce becomes viable again.
if you have a high threat model you should absolutely use a strong passphrase instead of a short PIN and relying on the secure element.
but for a regular user whose biggest threat is the phone being stolen or taken by police for a minor offense and private data being extracted, the secure element will protect your data. it is a great security and privacy improvement over it simply not existing.

why are there so many people going after micay?

>>105954555
Monero and Mullvad are involved???

>>105954555
there are a lot of griftes in th privacy/security community. selling gullible people solutions which at best do nothing and at worst highly compromise your privacy/security.
naturally, they don't like being called out with facts and losing users/revenue. so they engage in personal attacks with unfound claims.

>>105953711 (OP)
This guy is the most glowing glowfag i ever saw, literally advocating for locked bootloaders, because then only glowies have the neccessary keys to spy on you.

Someone who recognizes the NSA as an adversary, will consider any lock, that has the key with google, as completely useless.

And i see this more and more.
"Security researchers" who are actually only bothered about the date of the sheeple possibly going to people who aren't glowies, rather than protecting it as an absolute.

>>105954524
>strawman
I'm just calling the obvious, the majority of any community on anywhere is drooling retards going after someone they think knows better than them.
>if you have a high threat model you should absolutely use a strong passphrase instead of a short PIN and relying on the secure element.
If you have a high threat model you should simply stay away from blackbox security like this. It's intentionally lying to say "GrapheneOS is heavily focused on protecting users against attackers exploiting unknown (0 day) vulnerabilities." (from their website) when you depend on proprietary blackbox components. It's really funny when they straight out tell bullshit like this and get angered over when people do the same.

>>105954555
He's a paranoid schizophrenic, so in his head 'doesn't agree with me 100%' is equivalent to 'harassing and gang stalking me'.

>>105954377
Except if you are a glowfag of course, then you have the google keys necessary to just update the firmware of the chip and remove any throttling that might be in place.

Imagine thinking that simple throttling is somehow unbeatable, just because it moved from the OS into the (changeable) firmware of a chip.

>>105954610
a poster asked what a secure element is. I explained it. your post didn't add anything to that.
in the end you can never 100 % trust modern hardware unless you directly control each and every component of designing and manufacturing it. at every step a backdoor could have been added. just think about the exploding pagers. but at this level you have to think about which government or whoever your opponent is might have access to what methods. because they are not given out light-heartedly. on the contrary, they are well-protected so no adversary can easily get their hands on them.

none of this is relevant for the majority of users though. they benefit massively from a secure element. which the fairphone is lacking.

>>105954610
>It's intentionally lying to say "GrapheneOS is heavily focused on protecting users against attackers exploiting unknown (0 day) vulnerabilities." (from their website) when you depend on proprietary blackbox components
I wouldn't just call it lying, i would call it deception.
Obviously the trusted(TM) firmware on that chip, that you can't look into, is far more likely to have unknown (0 day) vulnerabilities.
Especially when we consider that discovered glowfag backdoors are always put into the "0 day exploit" category.

>>105954746
>none of this is relevant for the majority of users though
I would say, it is the most relevant for the majority of users, because the users started to care about privacy with Snowden.
They don't want to be spied on by the government.
To be protected against Jamal stealing your phone, a simple pin will do.

So what is the usecase? To protect you against glowfags from other countries?
Guess what: The ordinary user is more affected by glowfags of his own country than by glowfags from a country from the other side of the world.
If the NSA can decrypt all my stuff, this is a larger threat to the ordinary person in America or Europe than if Iran can do it.
What is Iran going to do to me? They can't touch me. But my own glowfags? They are proven to be hostile to their own people.

why does it have the name of a 4chan board?

>>105954746
funnily, your argument of:
>there is no need to worry about backdoors, because you can't do anything against them anyway
is promoting Chinese phones.

If i have a backdoor in my device anyway. I will choose the backdoor of the foreign government, far away, that isn't going to harm me.

>>105954575
Micay is actually right most of the time. He discredit himself by fixating on trivial stuff and never letting go, mixing criticism with harassment, invalidating his arguments in the process.
His autism is both his biggest strength and his biggest weakness.

>>105954634
Google cannot access the Titan M chip's data. When designing the chip, they considered their own employees to be an attack vector.
It is considered a secure element for a reason, no one can access it's content, not even myself as a owner of a Pixel running GrapheneOS.

>>105954801
>/g/ doesn't have its own android distro
/e/ chads eating good.

>>105953711 (OP)
the more I read their posts, the more I'm convinced they're backed by US agencies. Similar like how Signal kept attacking Telegram. They don't want you to use non-US products.

>>105954819
>Google cannot access the Titan M chip's data. When designing the chip, they considered their own employees to be an attack vector.
>It is considered a secure element for a reason
soooo, you are saying that the CVE in pic related is unfixable, becasue even google itself can't update the firmware within the chip?

>>105954746
>a poster asked what a secure element is. I explained it. your post didn't add anything to that.
because I wasn't meaning to reply to you
>in the end you can never 100 % trust modern hardware
doesn't mean GrapheneOS project can lie to people and get butthurt when the same is done against them. Also this is not necessarily true. A heads+qubes setup is always better for actual fucking high threat models because it makes the job of any glowie less trivial by not depending on proprietary hardware and software for its security.
>none of this is relevant for the majority of users though
until some day it suddenly is and there's nothing you can do about it because the proprietary hardware and software are become standards
>>105954819
>Google cannot access the Titan M chip's data.
the key for encrypting first stage bootloader is not choosen by you. The core root of trust on any phone protected by lockdown bootloaders are handled by corpos

These are all very good arguments for not using https because you have to trust a corpo

>>105954842
>this chip protects you from 0-day vulnerabilities!
>chip itself has a 0-day vulnerability
This is why you don't trust glowfags with your security.
Their incompetency is unmatched.
Even if you fully trust the NSA and Google and consider it no issue to give them backdoors to your devices, you have to admit that those glowfags are so goddamn dumb and stupid, that they WILL fuck up and their backdoors will become public and used by everyone, even Ranjeet.

>>105954857
That is correct.
If you access a website over cloudflare, you might as well not use https at all.
Trusting googles security chip is like trusting cloudflare.

>>105954860
Yep which is why you should only use hardware and software that doesn't even need a backdoor

>>105954865
yet i don't see you banking over http
How strange

>>105954866
That is correct.
If you do not have that chip, you have an os that you yourself can modify and patch and you can fix vulnerabilities.
If you have that chip, you now have an (apparently unfixable) 0-day vulnerability on your device.

The chip makes you LESS secure.

>>105954860
>>chip itself has a 0-day vulnerability
Which vuln?

>>105954857
guess why end-to-end encryption matters

>>105954874
I would never use a bank that uses fucking cloudflare.

You are doing a false equivalent here. Just because googles encryption chip is a scam with vulnerabilities, doesn't mean that is top encrypting everything.
It just means that your encryption is completely worthless if you have that chip.

The equivalent is cloudflare.

>>105954882
CVE-2022-20233

>>105954886
btw not a crypto nerd but I have heard so many people complaining about certificate authorities and several accidents have happened because of it

>>105954860
>glowfags are so goddamn dumb and stupid, that they WILL fuck up and their backdoors will become public and used by everyone
correct

no matter what you use, jews have backdoors for it and they can access it

To sum this up:
>if you are an ordinary citizen, you don't want the glowfag chip that grapheneOS shills, because the NSA isn't your friend
>if you are a zogbot who loves the NSA, you don't want the glowfag chip that grapheneOS shills, because the glowfags fucked up and China inevitably gets free access to their backdoor

>>105954921
just buy a chinese phone

>>105954819
>Google cannot access the Titan M chip's data
What a fucking lie.
They can modify the firmware of the chip on will. The firmware blob just has to be signed with their glowfag keys.

>>105953711 (OP)
Maybe you kidnap and molest children for a living, and need an untraceable phone.
Me, all I want is watching whole marketing departments develop untreatable cancer and slowly die in front of their families (also terminally ill), and to see the end of data harvesting through nuclear annihilation, so all I need from a phone is the ability to disrupt and prevent data harvesting and intrusive advertising.
CIA niggers can rummage through my files all they want, as long as the jew keeps its nose out of it for commercial purposes.
I don't give a fuck about this retarded technical shit. I just want the advertising jew to die throwing up blood in front of its little demon spawn.

>>105954842
The firmware can be updated after a successful unlock

>>105954896
>0d
>CVE-2022
>Patched in the same year
>No poc of any exploit mentioned anywhere
Is this the power of paid shills?

why does this board have so many dunning kruger midwits lmao

What this dude said about openbsd before shitting his diaper and wiping the thread make me permanently ignore him.
Didn't read.

>>105954970
or you force the phone into a reboot and make the bootloader load the update
>b-but your bootloader is locked down
by keys, and who has those keys?

>>105954842
Titan chip firmware isn't stored there you're retarded and don't know how anything works

>>105954828
the different crowds are intermixed in so many things. they both shit on PGP by lying that not having PFS is supposedly a weakness of cryptographic strength. Apperantly, being able to export your own private keys for backup is also a vulnerability. what a fucking clowns

>>105954979
>i-i-it got fixed FOUR YEARS after its release
yeah, and if you wouldn't have had that chip, you wouldn't need that update and you wouldn't need to worry about any other 0-day vulnerabilities that show up

>>105954979
If it would be OpenSource, it would have been found after a month.
But since its your lockdown glowfag black box, it took four years.

>>105955002
The titan chip has its own storage and only accepts updates to that storage when unlocked, the bootloader has no control over it

>>105954970
getting into fastboot doesn't need an unlock

>>105955010
>>i-i-it got fixed FOUR YEARS after its release
No, the "0d" got fixed ten days before it was publicly known. You can't expect a dev to fix a vuln that isn't even known yet.

>>105955015
>If it would be OpenSource, it would have been found after a month.
Maybe, or it could've never been found. Being open source makes finding bugs and vulns easier but not guaranteed.

>>105955003
>b-but you are retarded
nigger, the ones pushing obvious lies and constantly moving the goalposts are:
>105954819
>Google cannot access the Titan M chip's data
factually a lie
>105954970
>The firmware can be updated after a successful unlock
factually a lie
>105954882
>t-there is no 0-day vulnerability
>105954979
>ok, there are some, but they got fixed within a year
>i will not mention that it was there and available for everyone to use for four years
>105955003
>Titan chip firmware isn't stored there
where? the firmware blob is inside android updates

>>105955038
Why can't the bot not properly quote anymore. Who do I need to contact to report this bug and have it fixed in four years?

>>105955033
the points is there are found vulnerabilities for such a hardware that's supposed to do simple security things without exposing additional attack surface. If the chip itself is so complex that it can't even protect itself you don't call it a 'security chip'.

>>105955033
>ten days before it was publicly known
That is called a disclosure period, if you think that nobody used that vulnerability, your security-consciousness is pathetic and you might as well just buy a chromebook.

We went from:
>GrapheneOS is heavily focused on protecting users against attackers exploiting unknown (0 day) vulnerabilities
to:
>well, our 0-day vulnerabilities - that others aren't affected by - got fixed within four years

>>105955053
>the points is there are found vulnerabilities for such a hardware that's supposed to do simple security things without exposing additional attack surface. If the chip itself is so complex that it can't even protect itself you don't call it a 'security chip'.
So far one vuln was posted and it was fixed 10 days before the publication of the vuln. Do you expect the devs to design the perfect product?

>>105955049
Because 4chan has a filter on how many posts you can (You) in one reply.
You lie so much, that a list of your lies hits it.

>>105955063
>Do you expect the devs to design the perfect product?
If you don't have the glowfag blackbox with backdoors, you do not have the risk of being affected by their backdoor being discovered.

>>105955025
That's not the titan m2

>>105955061
>That is called a disclosure period,
Yes, in the time of the disclosure period the vulnerability was fixed so that if you updated your device in the meantime you already had a vulnerability fixed you didn't even know about.
>if you think that nobody used that vulnerability, your security-consciousness is pathetic and you might as well just buy a chromebook.
So where's the poc? Where are the reported cases? Do you even know who found vuln? Prove to me that it wasn't google's red team.
>We went from:
I just chimed in to ask you for a single 0d. You provided 0 since it was fixed before the vuln was even published.
>>well, our 0-day vulnerabilities - that others aren't affected by - got fixed within four years
Oh so only google suffers from vulnerabilities? It's still not a 0d btw.

>>105955067
>Because 4chan has a filter on how many posts you can (You) in one reply.
I'm aware, it's a joke that you're a bot that doesn't even know basic definitions. Don't worry, I bet you'll get a humor module in the next gen.

>>105955073
>If you don't have the glowfag blackbox with backdoors, you do not have the risk of being affected by their backdoor being discovered.
Oh it was a backdoor now? They fixed it out of the blue despite no one talking about it before? How about you offer me sensible alternatives in usable android devices that you can prove have no backdoors? I expect your security report on all android devices on my desk by monday.

>>105955063
>Do you expect the devs to design the perfect product?
Having less binary blobs is higher security.
If you care about security, your #1 concern would be those idiotic firmware blobs.
Some you can't avoid, but this stupid chip? You can avoid that.

GrapheneOS is inherently insecure by not only assuming that binary blob black boxes are safe, but actually promoting them.

Again:
Your grapheneOS is less secure than a random Huawei you import from China.

>>105955078
>but i swear the Titan M2 can't be updated
And i think it can. And if i post proof that it can, will you then reply:
>oh well, but its the Titan M2 revision 2024-12-20, not revision 2025-01-12

>>105955063
I don't even looked into that vuln nor care. the fact is that there exists a fully funcitonal proprietary chip complex enough to have potential bugs and backdoors

>>105954842
>>105954850
Firmware is not stored on the secure element storage. It can be updated. The physical layer of the chip design however cannot be changed, data stored on the secure element cannot be read even if you use a malicious firmware.
Updating the chip's firmware requires the phone to be unlocked anyway, so the glowies and corpos cannot get into your device.

>>105954961
Firmware can be updated but data cannot exit the chip. See above.

>that pic
The Titan M chip is not a bootloader. It's an entire separate computer with it's own memory, CPU and storage. It's sole function is to store cryptographic keys, verify them upon request by the main CPU, and rate limit failed attempts.

just get a fairphone its barely more expemdive than a pixel

>>105955063
>Do you expect the devs to design the perfect product?
Those binary blobs are very very tiny.
I indeed expect the devs to not fuck this up.
Just how i expect the firmware of the ECU in my car to not have random bugs exploding my engine.

Fucking up such little binary blobs requires such a huge amount of incompetence, that i assume malice. That CVE was a found backdoor, not a vulnerability.

>>105955088
>Having less binary blobs is higher security.
Correct.
>If you care about security, your #1 concern would be those idiotic firmware blobs.
Incorrect. It would be using the only OS israeli spyware can't hack into without having to use a barely functional linux distro for phones.
>Some you can't avoid, but this stupid chip? You can avoid that.
Ok, what phone and OS combination do you recommend then?
>GrapheneOS is inherently insecure by not only assuming that binary blob black boxes are safe, but actually promoting them.
Except that it has a proven track record.
>Your grapheneOS is less secure than a random Huawei you import from China.
Ah yes, the false dichotomy of US's soft power vs China's peaceful 'Stop asking why the CEO hasn't been seen publicly for 3 months' approach.

>>105955096
>I don't even looked into that vuln nor care.
Ok, so do you have an actual 0d?
>the fact is that there exists a fully funcitonal proprietary chip complex enough to have potential bugs and backdoors
Yes? We've been having these issues the 80s I'd say?

Why are the privacy-conscious people using GrapheneOS itt defending a binary blob chip that has 0-day vulnerabilities?

>>105955100
>Firmware can be updated but data cannot exit the chip. See above.
Again a lie.
Why wouldn't you be able to just flash a firmware that sends any data you want over it's SPI bus?
Factually data does exit the chip.
Communication is the exchange of information and information is data.

>>105955115
stop noticing

>>105955100
>Firmware is not stored on the secure element storage. It can be updated. The physical layer of the chip design however cannot be changed
I don't know why you tell this to me
>data stored on the secure element cannot be read even if you use a malicious firmware
I never brought up physical data extraction. though you don't know if this is true. there are no open sources of chips design, it's proprpietary.
>Updating the chip's firmware requires the phone to be unlocked anyway, so the glowies and corpos cannot get into your device.
I don't know what kind of retarded claim this is. you say it can be updated and then later say no. The fact is nearly everything on your phone is updateable by using one or more keys that are generated by the manufactoring corpo
>>105955105
>Ok, so do you have an actual 0d?
why do you ask me this after I say the publicly known vulns mean shit?
>Yes? We've been having these issues the 80s I'd say?
we have developed several proper methods for security like memory segmentation that's too simple to be backdoored yet so fundamental. Stuffing a fully functional blackbox chip into a phone with its own proprietary firmware that can be overwritten by software is not good

why are we using a chip to store secrets
whats wrong with doing it the luks way

>>105953711 (OP)
The new grapheneos SHITTHRΣΔ just dropped.

>>105955169
stop asking questions, goy

>>105955115
Those privacy-conscious people also tell you that you should accept additional and known backdoors in your device, because you will have some backdoors already anyway.

>>105955169
Because LUKS is OpenSource, so it is harder to add backdoors to it, and if you add backdoors, they will be easier found.
If you move secrets into a chip, that is running a proprietary binary blob, that you can even update and change whenever you want to, it is all a little easier.

In fact, you probably don't even need to add a backdoor, because you could have a second firmware with a backdoor that you individually flash on targeted phones.
And changing that firmware won't affect the main OS whatsoever, so it is well hidden.
Basically, the user has now no chance to defend against your attack.

>>105954819
>not even myself as a owner of a Pixel
>even
lol we the users are considered the cattle in this system, of course we don't have access to anything

>>105955169
you need a seperate component, a-like air gapping but automatic. it's ok when that component is open and fully defined so you can prove its capabilities and weaknesses

>>105953841
fpbp

>>105954435
>using a smartphone in the first place
ngmi

>>105955100
>The Titan M chip is not a bootloader. It's an entire separate computer with it's own memory, CPU and storage.
hardware-level mossad spyware, got it.

>>105955309
google said it's safe.

>>105955345
I don't believe a word jewgle or any other corpo in the FAGMAN mafia has to say.

>>105955345
>jews said its safe

test

>>105955103
there's also this https://wiki.lineageos.org/devices/axolotl/
should be right to repair friendly but I didn't own it, maybe somebody wants to take a risk and post reviews on this board

I think most confusion about Graphene stems from the fact, that people are confusing security with privacy. Let's assume Graphene is secure. But most people (including me) care about PRIVACY. This means, minimizing your digital footprint. And for this use case, a device like the Graphene phone isn't and can't be the solution, because the data grabbing is happening somewhere else. I don't care, if you can crack my phone with cellebrite. I just don't want to give the corpos my behaviour data. And this can't fix any custom rom.

>>105955131
Flashing a new firmware is impossible without the phone being unlocked.
Did you even read my full post? The "see above" is there for a reason.

>>105955154
>I don't know why you tell this to me
Only "Updating the chip's firmware requires the phone to be unlocked anyway" was meant as a reply to you.

>I don't know what kind of retarded claim this is. you say it can be updated and then later say no.
I never said that it cannot be updated. It was implied by >>105954842 which is not one of my posts and is completely false.
The Titan M chip's firmware can be updated but only if the phone is unlocked which only the owner of the phone can do.

>>105955251
There is nothing on that chip other than the cryptographic keys. Would you store your money in a drawer or on a super secure vault that only you have access to?

>>105955309
It has no internet access, it can only verify and store cryptographic keys. It's completely different from the Intel ME, AMD PSP or ARM TrustZone as those are embedded into the main CPU. Titan M chips sits outside of the main CPU.

>>105953711 (OP)
Post source you nig

>>105955408
>It has no internet access, it can only verify and store cryptographic keys.
and I'm just supposed to take your word for it because it's not open source
I'll just stick to using dumb phones until they become illegal and I just won't have a phone afterwards.

>>105954886
will be illegal in europe

Psyop to make you use a google phone

>>105955408
Guess who can "unlock" your bootloader?
Which is the thing that counts and what you hopefully mean with "phone being unlocked".
The bootloader is just jet another binary blob that can be changed to your liking if you can sign it, which your adversary can.

All the grapheneOS """security""" is based on black boxes locked down and signed by glowfags.
It's all about voluntarily putting yourself into a glowfag controlled jail.
And it's not even a secure jail, because glowfags regularly fuck shit up in their incompetency.

>>105953841
fpwp

>>105955440
Well yeah, not having a smartphone is more secure than having a smartphone.
If you want to go down the rabbit hole even more you should not use even a dumb phone.
The way mobile phones were designed from the very beginning, IMEI and IMSI, cell tower logs, triangulation still applies to dumb phones.
The only solution to this would be no cellphones.

>>105955459
You can't outlaw math.

>>105955440
do you also not use computers because you cannot verify the hardware? how are you posting on 4chan?

>>105955509
unlocking the bootloader erases all data on the phone. but "phone being unlocked" means the normal screen lock in this case. which you need to do before you can unlock the bootloader.

>>105955408
>There is nothing on that chip other than the cryptographic keys.

>With the Pixel 3, Google decoupled the TEE from the chipset and used a separate security module instead. The Titan M, which has now been replaced by the Titan M2, can almost be considered a standalone processor by itself. The chip has its own flash memory for storing sensitive data and runs its own minimal operating system (sometimes called a microkernel).
Maybe it's secure but I don't like it. I didn't yet get control of TEE (in terms of voting with my wallet) and it's already running from me to a separate module. If there's an OS, I want to be root there.

>The Titan M2 also supports Android StrongBox, which is a safe storage space for cryptographic keys used by third-party apps. A payment app, for example, could request the chip to generate and store a private key for your saved cards. And with Android’s Protected Confirmation, the chip also supports the universal FIDO authentication standard.
Didn't understand this part. So when I want to pay, the app (on regular CPU, not TEE, in user space, non root user) makes a request which is confirmed by titan m? And if my phone was hacked and hacker got root access he also can achieve that confirmation with making the same request? If yes then what was the point of moving it to separate module?

>>105955408
>The Titan M chip's firmware can be updated but only if the phone is unlocked which only the owner of the phone can do.
I don't know where did you read this. everything there is is locked with corpo generated keys so it's already unlocked to them in the first place.
>or on a super secure vault that only you have access to?
the whole conversation itt was about that this is not true
> It's completely different from the Intel ME, AMD PSP or ARM TrustZone as those are embedded into the main CPU. Titan M chips sits outside of the main CPU.
I'm not happy that people only talks about titan chip when it's just one part of the whole thing

>>105955561
>If yes then what was the point of moving it to separate module?
Because
>if my phone was hacked and hacker got root access
is a very big "if".

>>105955551
>unlocking the bootloader erases all data on the phone
Why would it do that if you are the one who signed it? You would just put another binary blob inside that doesn't do that. Similar to how you can change the firmware of your titan m chip, if you are the one who can sign it.
>>105955551
>but "phone being unlocked" means the normal screen lock
You can reboot your phone without screen unlocking. That is a very crucial functionality because you somehow have to recover if it freezes.
https://www.youtube.com/watch?v=S8U3JV2uATM
And if you can reboot, you can get into fastboot.

And when you are in fastboot, there is no need for an bootloader unlock either. See:
>This is where the UART console exposed by the chip becomes extremely handy. There are two ways of accessing it, and both of them present different challenges. The first way relies on a special debugging cable called SuzyQable. This is officially mentioned as the cable to debug Chrome OS microcontrollers, and since Titan M is based on the same operating system, it actually turns out to also work with it. To activate it, we only need to boot the Pixel smartphone in fastboot mode, and use the command fastboot oem citadel suzyq on

>>105955615
So for a quick rundown, in order for glowfags to flash any random shit onto your pixel, they would:
>reboot into fastboot (two button presses)
>connect debug cable
>use fastboot oem citadel to flash something on your NSA approved Titan M(TM) security chip
it's literally that easy

>>105955634
>reboot into fastboot (two button presses)
How?

>>105955634
I don't know what shit you two (or more) even talking about. Has any one of you ever had a Xiaomi phone? They unlock your bootloader remotely when you request them to

>>105955539
>If you want to go down the rabbit hole even more you should not use even a dumb phone.
I fucking wish, but I don't yet have the luxury of becoming a hermit with no family and no banking.

>>105955509
If it's so compromised why can't glowies get into GrapheneOS then?

>>105955561
>If there's an OS, I want to be root there.
I agree but only for personal stuff. If I can be root on everything so can bad actors like glowies and hackers. This little compromise is for the entire device's security.

>the app makes a request which is confirmed by titan m?
Yes.

>if my phone was hacked and hacker got root access
You are talking about a different kind of problem. Titan M is a solution mainly for physical access to a device, like the evil maid attack. RCE is a different topic.
If (big if) the hacker would gain access to your device, he would still need presence and interaction of the owner via code unlock, fingerprint unlock or face unlock to get confirmation by the Titan M chip. Access to the device alone is not enough for confirmation in payment apps.

>>105955671
>How?
Do this
https://www.youtube.com/watch?v=S8U3JV2uATM
And when it restarts do this
https://www.youtube.com/watch?v=-Jk2XTXDdKg

>>105955758
>if it's so compromised, why don't glowies tell us that it is compromised?
a true mystery

Probably out of the same reason why nobody told you that CVE-2022-20233 exists.

>>105955758
Don't worry, there is no mass-surveillance and there are no backdoors, Snowden lied and your black box chips with binary blobs are totally safe.

You just kinda get randomly caught by a McDonalds worker or you find yourself owning a laptop full with child porn, that you had no idea about.

>>105955615
and now find a similar exploit for a pixel that's actually still supported and using the titan m2 security chip.

>>105955539
>You can't outlaw math
you can't outlaw Pixels and still CP is illegal
you can't outlaw words and still putting them in a certain order means prison

>>105955769
Who are you quoting?

>nobody told you that CVE-2022-20233 exists.
Which has been solved with a firmware update.

>>105955797
What's your point?

>>105955834
you mean like those: >>105955759

>>105955854
>>105955834
>it was just ridiculously insecure and full of 0-day-exploits that any random pajeet could abuse for years in the past
>and a random chink phone was evidentially more secure than a Pixel with GrapheneOS
>but it is totally fine now
>despite them still having black boxes with proprietary blobs that google and glowfags can change on will, made by the very same people who produced the prior vulnerabilities
>also the guy making GrapheneOS never acknowledged all those security risks and flaws, while shilling for NSA bullshit and bad practices
Truly the most trustworthy people.
Also all those lies that GrapheneOS shills post in this thread, make me trust it even more.

a shitskin on youtube said that feds are angry that they can't hack grapheneOS, so it must be good

>>105955893
that's restarting the phone and entering fastboot mode. that doesn't help you with anything, because CVE-2022-20233 never even worked on it.

>>105955927
if it's so insecure, where are all those vulnerabilities? surely one would have been made public by now?

>>105955927
>>it was just ridiculously insecure and full of 0-day-exploits that any random pajeet could abuse for years in the past
Where's the poc?

>>105956004
>Where's the poc?
here
https://blog.quarkslab.com/attacking-titan-m-with-only-one-byte.html

>>105956024
>Almost half a year after it was patched
Anon, do you know what a 0d is?

>>105956000
>that's restarting the phone and entering fastboot mode
Which is enough to start a UART console with the Titan M chip, that lets you change whatever you want, if you are a glowfag who can sign it.

This is the magic of black boxes.
Nobody ever has to get into your Android system, if you have a separate OS running on a detached chip.
And GrapheneOS tells you that this is amazing and good.

>>105956050
it's not enough on the Titan M2 chip.

>>105956050
>with the Titan M chip
sorry, with the Titan M2 chip, just in case someone comes along with the
>b-but they fixed it after four years
Being able to change your Titan chip, without having to bother with your OS is INTENTIONAL, it is WORKING AS INTENDED

>>105956043
nta but you know every vuln was once a 0day right?

>>105956061
Absolutely it is.

On the M1, every random person can do it.
On the M2, google and glowfags can do it.
And presumably China and Russia and Iran and everybody else who puts a bit of effort into looking at your binary blob to find the backdoor.

Remember:
The NSA has a long history of getting their backdoors discovered by others who then use it.

>>105956043
It means 0 days you idiot so when was it released? 0 days ago

>>105956024
>Thanks to the leak functionality that we built with this exploit, we can now read arbitrary memory on the chip. This means we can now have access to any readable address. As a consequence, we can dump the secrets stored in the chip

>>105956050
on another not, if glowies have physical access to your phone and you are still using it, you are fucked either way. they could just add additional hardware that spies on you.
but if they take your locked, or even worse (or better for you) shut-down phone, they will have a hard time extracting data.

>>105956066
Every vulnerability was once unknown to the vendor or maintainer. If they are fixed before they are even publicly known, they are not 0ds anymore. Google fixed this vuln 10 days before it was publicized. The article that fren posted was multiple months after it was already patched, that is by definition not a 0d.

Yes, a random chink phone was more secure than GrapheneOS on the approved device with the epic security chip.
Yes, the chip that GrapheneOS advertised as secure necessity, turned out the be a massive vulnerability that can be abused by any random person to hijack your phone.

But this totally isn't the case anymore!
Trust us goy!

>>105956092
>unknown to the vendor or maintainer
Why in the world you you assume that this massive ridiculous vulnerability in the Titan chip was unknown?
This is a backdoor.
This is intentional.
>If they are fixed before they are even publicly known
What makes you think that nobody knew it during all those years?

If you would discover such a massive vulnerability, would you report it?
I wouldn't, i would sell it to China, because i know that only glowfags use GoypheneOS and i want to see you dead.

>>105956105
>there was once one vulnerability found
>that means it is"ridiculously insecure and full of 0-day-exploits that any random pajeet could abuse for years in the past"
>best not use it at all and instead rely on a phone and OS that don't even have the most basic protections

>>105956114
The vulnerability also only affected phones with Titan M chip.
Everybody else was fine. So it isn't a public concern, since only baboons and glowfags use those.

Even more reason to sell it to China.

If you unironically have glowies in your threat model why the FUCK do you still have a phone

>>105956114
>Why in the world you you assume that this massive ridiculous vulnerability in the Titan chip was unknown?
Because we have no reason to assume that it was known.
>This is a backdoor.
Ah yes, the classical "Oh no you found our backdoor. We'll patch it up immediately and now we don't have any other way to perform our illegal operations :(" move. Do it all the time.
>What makes you think that nobody knew it during all those years?
See my first point.
>If you would discover such a massive vulnerability, would you report it?
Yes because I don't have physical access to that many pixel phones.
>I wouldn't, i would sell it to China, because i know that only glowfags use GoypheneOS and i want to see you dead.
So they break into everyone's house and get physical access of their phones? Not a smart move, chang.

It is interesting how this thread started with:
>TItan M is amazing and secure and not even Google can change it! You need it if you want a phone that respects your privacy!
to
>Yes, Titan M has vulnerabilities and is increasing your attack surface with no benefits, but it's no biggie and its in the past

>>105956158
>Because we have no reason to assume that it was known.
That is a very concerning mindset, anon.
That is not how any person who cares about security or privacy operates.
>I have the pin to my phone written on a sticker on its backside.You can't prove that anyone ever used that, so it's fine

>>105956164
M2 has never had any vulnerabilities
M1 was always off the shelf dogshit

>>105956173
>That is a very concerning mindset, anon.
No, it's a mindset that keeps you sane. Otherwise you need to rip open all of your walls to check if someone lives in there.
>That is not how any person who cares about security or privacy operates.
Yes they do. Otherwise they will go insane
>>I have the pin to my phone written on a sticker on its backside.You can't prove that anyone ever used that, so it's fine
Try reducing your strawmen, maybe then someone would respect you the tiniest bit.

>>105956164
rule of thumb: don't expect anything substantial or informative about faggots reskinning android OS and larping as security experts

>>105956176
> approved by US government and made by google
> totally safe, guys! no vulnerabilities at all
https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?validation=35561
ah yes. american security. top notch. like using a flyscreen door as a hatch on a submarine.

>>105956158
>Oh no you found our backdoor. We'll patch it up immediately
yeah, because being able to patch it on will, totally doesn't make it possible to deploy a different backdoor.

Since we know in fact, with evidence, that Titan M was a HUGE liability and security concern of such massive proportions, that any system with that chip has to be considered compromised.... what makes you think that the patch, done by the same people, is now perfect?

It doesn't matter if they were the largest idiots known to mankind who fucked up (your opinion), or if it was intentional (everyone elses opinion)... in both cases we have to assume that they produced more such exploits.

Again:
You do not have this concern with any phone that doesn't have Titan M.
It is a liability.
You are LESS secure with a Pixel, compared to any other phone.

>>105956205
Link a vuln instead of schizobabbling

>>105956176
What was GrapheneOS opinion on the M1?
Can you post it?
Did he tell you to avoid and to never buy a Pixel, because of the insecure dogshit chip?

>>105956213
>yeah, because being able to patch it on will, totally doesn't make it possible to deploy a different backdoor.
So where is it then? The last 'backdoor' was found in less than 5 months according to the quarkslab link.
>>105956213
>Since we know in fact, with evidence, that Titan M was a HUGE liability and security concern of such massive proportions,
Already patched out.
>that any system with that chip has to be considered compromised....
Unless it got updated in the last 3 years
>what makes you think that the patch, done by the same people, is now perfect?
I never said anything about perfect. I'm asking you to show me the new backdoor.
>>105956213
>It doesn't matter if they were the largest idiots known to mankind who fucked up (your opinion)
Not my opinion
>or if it was intentional (everyone elses opinion)...
Not really
>in both cases we have to assume that they produced more such exploits.
Show me which ones. Or show me your security chip you produced.
>You do not have this concern with any phone that doesn't have Titan M.
Incorrect. Cellebrite is unconcerned if you use any other phone.
>It is a liability.
It was for -10 days.
>You are LESS secure with a Pixel, compared to any other phone.
Hack me then.

>>105956213
it's kinda wild what apple did. just patch around the problem, instead of doing the right thing and recalling the flawed M-series powered devices. only time will tell if someone finds yet another exploit and then more updates to cover up that hole. all these shitty mobile devices by google, apple etc. do not have security at mind. it's like a selling feature more than what reality is.

>>105956158
>So they break into everyone's house and get physical access of their phones? Not a smart move, chang.
we need more glowfag blood

everyone itt is a glownigger
be careful anons

>>105956220
> list a vuln
don't need to. chip made by americans? using american sponsored crypto algorithms? approved by NIST? yeah lmao. you must be fucking stupid to think there isn't any backdoor or compromised algos. and made by google. what a trustworthy combination of failures.
> trusting american security
my sides. get a load of this glownigger fucking idiot.

>>105956253
You can write textwalls for hours, and it still won't change the fact that the Titan chips are a security concern.
No person who cares about privacy or security would ever buy a phone with such a chip.

And if someone shills such a phone, he is either an idiot or malicious.

That is a fact. No matter how much you cry about "but but they fixed the known vulnerability".

>>105956295
>You can write textwalls for hours, and it still won't change the fact that the Titan chips are a security concern.
How about you read the source you used then?
>No person who cares about privacy or security would ever buy a phone with such a chip.
That is objectively a lie.
>And if someone shills such a phone, he is either an idiot or malicious.
Where's your alternative then
>That is a fact. No matter how much you cry about "but but they fixed the known vulnerability".
They fixed it before it was known

>>105956308
If a phone doesn't have a Titan chip, it doesn't have to worry about any vulnerability in those chips.

Be it a known vulnerability, a backdoor, or an unknown vulnerability.
>Where's your alternative then
The alternative is: Just don't have it!
Just have an ordinary encryption.

>>105956295
same shit with retard itoddlers and ARM m-series cpus. massive vulnerabilities. instead doing a recall of flawed hardware, they just release software patches, hope for the best that nobody finds another way to exploit the flaw, and sneak in new fixed chips into production. these trash corporations have no regard or idea about security. it's used as a marketing buzzword.

>>105956308
> the mental breakdown is real
if you're developing an operating system, and you're relying on US government sponsored chips to keep you secure then you are dumbest and most retarded ape species i have ever seen.

>>105956326
>If a phone doesn't have a Titan chip, it doesn't have to worry about any vulnerability in those chips.
But about vulns in its own chips
>Just have an ordinary encryption.
Oh you mean exactly what all israeli spyware exploits?

>>105956335
>if you're developing an operating system,
No, I'd rather be a disgusting coomer than developing anything for the retard
>and you're relying on US government sponsored chips to keep you secure then you are dumbest and most retarded ape species i have ever seen.
And still it works better than anything ching chong could provide so far :)

>>105956326
>The alternative is: Just don't have it!
>Just have an ordinary encryption.
The security chip is ordinary encryption. It just allows you to use a weak PIN and still be relatively secure. But it's always been said that the secure element might get broken in the future and if you need to be real secure, you should use a strong passphrase. The security chip doesn't weaken your security. At worst it does nothing, and at best it strongly increases it.

>>105956344
>But about vulns in its own chips
Just because there could be vulnerabilities in A, doesn't mean that i have to add B which introduces even more.
Also A never had such massive backdoors like B.
>Oh you mean exactly what all israeli spyware exploits?
idk what the point of this comment is, because israel will be very deep inside your Titan binary blob.
If Israel is your concern, then you are doing something wrong by shilling GoypheneOS on the Google device. Reminder that it was Kaspersky Lab (Russian) that first discovered israeli spyware on Android.

>>105953841
>probably
>sources say
>my ass is heavy
Embarrassing.

>>105953841
google does not make the hardware.
they aren't the one making the secure enclave to store signatures and secret to reconstructs encryption keys, the G chips are just rebranded samsung chips, do you trust samsung less than chinkshit that are required by laws to introduce backdoors?
google can't legally change this and does not own the fabs to make these things anyways.
they're litearlly hopeless even if they wanted to introduce a backdoor in the hardware...
you're also telling me that you'd rather trust chink oem with a proven track record of puting actual backdoors in hardware and you'd rather use an insecure os based on aosp with security features turned off?
this is absolute braindead take, pixel 9 and above are hardware-wise the most secure computer on the planet right now and i'm not even exagerating.
grapheneos is also the most secure non-embedded OS on the planet right now.
no chinkshit oem is more secure than pixel, that's a fact, no matter what hardware fairphone use it will always be less secure than pixel
eos is also notoriously sketchy with shady early-on investors and retarded leadership.
I would never trust these dropout projects over grapheneos which is used by feds and terrorists alike because pixel + grapheneos is the only safe combination outsise phones like the Thales Teorem or something.

>>105956344
> can't address anything
> just has a mental breakdown
really is that easy to expose this board's collective of life's abysmal failures that completely forgot about nsa's programs involving encryption. i guess this basic knowledge is lost when your mental illness is so severe that you think you're a genius because you took someone elses operating system and put your name on it.

>>105956367
Relatively secure against what?
What actual attack are you thinking about?
What is Titan defending against?

Lets first define this, and then we can talk about whether adding this ridiculously huge vulnerability and glowfag backdoor to your system is justifiable by it.

>>105956308
>They fixed it before it was known
Not falling for it glowie. Everyone knows you sit on vulnerabilities without disclosing them for years.
>>B-but!
yeah I'm stutter-posting. get fucked I'm not letting you eternalblue me.

>>105956367
>The security chip doesn't weaken your security
It does.
Because when it is a vulnerability, it is a massive one, since that chip is accessible without ever having to even boot Android.
It doubles your attack surface at the very minimum.

A phone with a Titan chip is less secure than a phone without. That is a simple fact nobody can deny.

>>105956384
>Just because there could be vulnerabilities in A, doesn't mean that i have to add B which introduces even more.
But other phones have vulns too. By your logic we have to assume they are all completely compromised
>Also A never had such massive backdoors like B.
Proof?
>idk what the point of this comment is, because israel will be very deep inside your Titan binary blob.
So why are up-to-date GOS phones the only ones they can't get into?
>Reminder that it was Kaspersky Lab (Russian) that first discovered israeli spyware on Android.
Ok, so where's your battle proven russian phone?

>>105956400
>Not falling for it glowie. Everyone knows you sit on vulnerabilities without disclosing them for years.
Really? How come that the write up above said the vuln was only present for a few months?
>yeah I'm stutter-posting. get fucked I'm not letting you eternalblue me.
Oh no, I'm losing the memetic battle because I can read his sources. AHHHHH!

>>105956395
Against someone (e.g. law enforcement) taking your phone and extracting data. Bruteforcing your screen lock or the decryption keys.

>>105956395
>What is Titan defending against?
Titan is defending against:
>someone takes your phone
>rips it apart
>gets the flash chip out
>mirrors all the data from the chip
>then runs a brute forcing script to crack your weak password
Vulnerabilities that Titan produced:
>someone takes your phone
>plugs in a cable
>reboots it
>runs a script
>he now hacked your phone into a state where you could wipe your OS and it would still be compromised

>>105956442
>Bruteforcing your screen lock or the decryption keys
Doesn't work because the OS already throttles those and locks it down.
You would have to rip it apart and rip the memory out and read that one to run a bruteforce script on it.

Meanwhile Titan allows someone (e.g. law enforcement) to compromise your phone with a few minutes by plugging in a cable.

>>105956474
>Doesn't work because the OS already throttles those and locks it down.
You can't tell me you think people use the OS to decrypt the storage...

>>105956494
read the sentence after the one you quoted

>>105956474

misinformation
/ˌmJsJnfəˈmeJʃn/
noun
noun: misinformation

> false or inaccurate information, especially that which is deliberately intended to deceive.

Fuck you goddamn glowie, here's the documentation proofing you wrong: https://discuss.grapheneos.org/d/14344-cellebrite-premium-july-2024-documentation

>>105956432
>So why are up-to-date GOS phones the only ones they can't get into?
Says who? Israel? LMAO

>>105956532
>Says who? Israel? LMAO
The companies that can be held legally accountable if they advertise themselves with capabilities they do not possess.

>>105956474
>Doesn't work because the OS already throttles those and locks it down.
Without a secure element, it's all stored on vulnerable memory. Memory you can extract and then bruteforce the keys unthrottled.
>You would have to rip it apart and rip the memory out and read that one to run a bruteforce script on it.
... indeed, I should have read further. Yes, that's exactly the issue. You can't do the same with a secure chip.

>Meanwhile Titan allows someone (e.g. law enforcement) to compromise your phone with a few minutes by plugging in a cable.
And why woud the backdoor be in the secure element and not any of the other custom, proprietary chips and hardware? Why would the secure element be able to compromise the OS when it's sole function is exchanging cryptographic keys?

>>105956432
>why are up-to-date GOS phones the only ones they can't get into?
"hello, goyim, here is the list of phones we can't get into. do NOT buy them under any circumstances!!!"

>>105956507
Oh you mean the sentence that ignores that other phones can easily be decrypted while they're turned off? Very interesting one indeed.

>>105956539
Always remember the averager Ni/g/ger thinks that Google Hardware == Insecure and stops thinking after that. They don't understand the TitanM and the issues with chinkphones because they don't want to.

>>105956548
>Yes of course everything else is more secure
>Proof? No I don't have any

>>105956534
what companies?

>>105956562
In the business we call them 'state-level data recovery services'

>>105956551
>that other phones can easily be decrypted while they're turned off
oh, can they?
How would i do that?
Via a backdoor in googles fastboot?

>>105956555
The Titan M is evidentially insecure with practical examples and doubles your attack surface.
>b-but you only say that because it is Google
no, if you would shill for Intel ME, i would also tell you that you are an idiot

>>105956539
>Memory you can extract and then bruteforce the keys unthrottled
Thanks to Titan M, you don't have to extract the memory (how would you do that without taking the phone apart, is for the reader to discover), and can directly hook into a seperate OS that is independent of Android.
It makes an attack much easier and faster.

>>105956569
Do you really think they need to worry about being held legally accountable?

>>105956581
We are at Titan M2 now. Please show proof of any explot on the Titan Chip that allows for extraction of encryption keys on GrapheneOS. If it's so evedentially insecure i'm sure someone can show me where I can download the exploit to run against my devices. I got a Pixel 3a, 4a, 6a, 8a and 9a here for testing. Though I don't think the 3a uses the titan chips.

>>105956598
No dude the glowies have it bro
*hits bong*
The glowies have all the hax that will unlock your device and certainly any organisation with that level of power over you won't just do something else to get your passphrase

>>105956539
>And why woud the backdoor be in the secure element and not any of the other custom
because:
>its a binary blob where it is harder to discover
>it is a chip that survives a total wipe of the phone memory and os
>you can update its firmware on will
>it is accessible without having to interact with the os
>as it got posted before: we already discovered vulnerabilities of it

>>105956598
Please post source code proving the absence of any backdoors/vulnerabilities

>>105954448
> why do people take anything securitytards say for granted?
Because they glow
now be sure to use those nsa approved elliptic curves when rolling your own encryption, they made sure it’s safe ;)

>>105956598
see >>105955759

Or are you now arguing that
>yes, glowfags who can sign firmware updates can do whatever they want
>but jamal can't
If this is the case, then you should say that. Say that you do not consider fed surveillance an issue, and it would all be much more honest.

But guess what:
Jamal can't "extract the memory" to bruteforce either. So if your only security concern is Jamal, you still don't need a Titan.

>>105956617
So much this. Glowies buying those tools form cellekike can't even brute force up to date pixel 3as with graphene os.

But i'm sure the security experts on /g/ with their 10 years of NEET Experience will tell me otherwise.

>>105956638
>can't even brute force up to date pixel 3as with graphene os
https://blog.quarkslab.com/attacking-titan-m-with-only-one-byte.html

>>105956629
that's why you should create RSA PGP keys and not even 25519

>>105956635
So, i got my device into fastboot mode, now what? I can't get any data, if i try to do any meaningful change on the partition the secure element wipes the key. I have my pixel 3a in fastboot right next to me, what do you want me to do?

>>105956647
>https://blog.quarkslab.com/attacking-titan-m-with-only-one-byte.html

from that link

> 2022-06-05: Google published the June 2022 Pixel update with fixes for CVE-2022-20233 (Severity: Critical) and 4 other vulnerabilities (3 ranked High severity, 1 Moderate) in the Titan M component.

So your argument is a security flaw that was fixed 3 years ago?

>>105956653
Now you take a debug cable for ChromeOS microcontrollers and enter the console of Titan M2 and do whatever the fuck you want to do.
Sign a compromised firmware and flash it over it, if you feel like it.

>>105956629
Ironically enough, during the development and release of DES, the NSA released and recommended a specific 'S-box' for the algorithm and everyone thought it was a backdoor. Turns out it was actually because the NSA knew of a cryptographic attack that hadn't been publicly discovered yet and it was resistant to that.

>>105956638
prove they cant, why wouldnt they just say they cant as a way to convince people of interest to trust it more? also now they would only need to focus on developing exploits for one platform

>>105956664

Any documentation on that? Because the moment I flash a new firmware the keys on the m2 get deleted.

>>105956660
That is right, goy, the ability to flash whatever you want onto a chip that is independent of the OS and get all cryptographic keys out of it is just a "security flaw".

Being able to decrypt your whole storage without having to brute force it?
Only a tiny issue, nothing to worry about.

>>105956677
>unless Google publishes a documentation on its UART console of the Titan M2, i assume that nobody is able to flash this, even thought that i know it can be flashed!

>>105956674
> Prove a negative
KYS retard

> The best evidence we have is the tools the kikes sell to the police. They can't crack it and Cops in other countries are going apeshit over that fact

https://www.androidauthority.com/why-i-use-grapheneos-on-pixel-3575477/

Unless anyone can show something better is on the market that you can buy, this is all glowie fud and they are raging because their kike frens can't crack even a pixel 3a

>>105956551
>other phones can easily be decrypted while they're turned off
I did not know that.
Can you show us how that works?

>>105956681
You don't know what rollback protection is do you?

>>105956699
This.
Anyone who talks badly about Google is an obvious glowy.

>>105956710
>Anyone who talks badly about Google is an obvious glowy.
Retarded answer because
>>105956638
shows that they can crack the google version, it's the graphene devices that they can't.

>>105956699
>Unless anyone can show something better is on the market
just go to aliexpress and enter "phone" in the search box and every single result will be more secure than a Pixel

>>105956723
my chink phone isn't on their table in the first place

>>105956560
>israel said it's true so unless you refute that, i win

>>105953711 (OP)
>each pixel phone more niggerlicous than the last
>android now closed source
>open source android is autistic bickering
>chinkphones mostly blacklisted on my mutt carrier
yeah i think im going to take the itoddler pill.

>>105956730
Chink Phones with broken Verified Boot Keys that will never see an Android Update in their lifetime are secure because they aren't made by Goooooooggle, don't you know cleetus.

>>105956699
>>Prove a negative
again nta but you're a drooling retard if you think property of being secure needs to be disproven. everything is taken as insecure until it's proven otherwise. There's no prove that blackbox proprietary google platform can be secure because well, it's closed.
It just seems to me that this thread is intentionally being devolved into needless discussions to hide actual criticisms like this >>105954610

>>105956741
you lost when you started posting jaks actually

>>105956590
> how would you do that without taking the phone apart
Why would that be an issue. Law enforcement or whoever is after your data doesn't care about your phone being intact. They care about the data that's potentially on it.

>Thanks to Titan M, you don't have to extract the memory
You're acting like a backdoor or an exploit is readily available for everyone. It's not. And if glowies have one, they won't distribute it to random law-enforcement officers (cellebrite certainly doesn't have it). They risk it being discovered and patched.
If you are a real high-level target, you're supposed to not rely on the secure-element-throttling anyway and additionally use a strong passphrase.

So in conclusion: at worst it does nothing and at best it severly increases your security. There is no point in not having it.

>>105956768
this. so much this. only nazi fascist chuds post them.

>>105956776
no it just means you have no argument

>>105956765
This answers that better than I could
>>105956773

If you don't want to use the scary m2 chip, don't? But then you need to enter a long ass password everytime you want to unlock your phone after it booted and you rely on software to do bruteforce protection once you've done that.

>>105956618
>And why woud the backdoor be in the secure element and not any of the other custom
>because:
>its a binary blob where it is harder to discover
>it is a chip that survives a total wipe of the phone memory and os
unlike cellular radio which literally every phone has? even dumbphones. or the camera.
>you can update its firmware on will
>it is accessible without having to interact with the os
not without an exploit. and that isn't isolated to the secure element either.

>as it got posted before: we already discovered vulnerabilities of it
one single vulnerability

also
>we discovered
ok, glowie

I bet this whole thread is 30+ yo IT techs who understand the technology arguing with 15 yo olds who don't

>>105956833
I have yet to see one gos shill that knows how it all works so the usual conversation usually goes along like this
> ___ is super secure!
> well it might not be so
> yes it can be invulnerable but glowies won't target you so who cares
every single time.

>>105956833
That's the whole board dude

>>105956856
Well we've had some in depth discussions about the secure element in this thread, about exploits in it, where the encryption keys for your device are, what hardware bruteforce throttling is, we've made same progress.

Don't use technology for things you don't want people to know. Technology is not your friend, it is a tool for you and those that work against you.

Not sure why people continue to have arguments about device security when we know every device and network on the planet is monitored by default now.

>>105956930
> Not sure why people continue to have arguments about device security when we know every device and network on the planet is monitored by default now.

because some people actually read a few of the snowden leaks and realized that the glowies aren't omnipotent ubermenschen that can crack everything everywhere all at once.

if this chip is only for storing cryptographic keys and throttling requests a bit, why does it need to have its own serial console available via fastboot?

The existence of this already makes it a larger problem than whatever it pretends to fix.

>>105956946
yeah, so they intentionally pull people in platforms like these so they can use ready-made methods to access your device rather than trying to find actual exploits. do you notice there are absolutely no mention of things like heads or qubes (very rarely) and tinfoil-chat (I have only seen in archives) on this board?

>>105956946
No duuude
*hits bong*
the leaks were limited hangouts they just tell you what you want to hear dude
*hits crack pipe*
the glowies are in my walls dude they're cracking AES and listening to me shit myself

>>105956972
this is going to be completely ignored
(((people))) are somehow okay with fully functional chips and SoCs being used as (((security))) components on their already complex devices with no thought on the attack surface.

>>105956972
>>105956992

((they)) don't want you to understand this post
>>105956773
Please keep buying chinkphones, they don't have a security chip, therefore they are secure. kek

>>105956266
I don't know why they even try. the most elite and capable cia spy would be the biggest bumbling chump in one of their court intrigues

>>105957008
>understand this post
did you not understand this part was for you
>>105956856
>> yes it can be invulnerable but glowies won't target you so who cares

>NOOOOO this chip actually has vulnerabilities that we - I mean, the CIA glowfags can totally have full control over! Never mind that anyone with a Pixel is put on a watchlist in some countries! You should just use a chinkshit phone with no encryption, that is advertised to have backdoors, and just trust me bro, there was one exploit that was found once! That means we have full control over your phone using our magic powers!
The absolute state of glowies

>>105953711 (OP)
I would use GrapeheneOS if they also did a fairphone version since they are only available on pixels that are hard to repair and not modular.

>>105957213
i run graphene because i wanted a smaller phone
i have the pixel 7a, 6,1 inches (i would have preferred it be even smaller)

fairphone is to big and expensive
modularity is kind of a meme anyway for devices that are so small, like phones

i will give fairphone credit for the SD port + the removable battery and i'm not sure, but i think their bootloaders might be as easier to unlock like the pixel ones

>>105956992
I never saw even a single person defend IntelME.
Yet here we have something much worse, and (((people))) shill it as if their life depends on it.

Some random idiot on twitter LARPs as security conscious person and shills his Android ROM and they fall for it.

>>105956773
>Law enforcement or whoever is after your data doesn't care about your phone being intact
>You're acting like a backdoor or an exploit is readily available for everyone
Don't you see a contradiction here?
What is your threat vector here?
Are you defending against Jamal or against glowfags? Because you switch between those two constantly.
Somehow Titan bullshit is ok because "it isn't available for everyone", but a different issue, that requires to desolder a memory chip and is still only theoretical, is a super serious thing?

>>105956539
>Memory you can extract and then bruteforce the keys unthrottled
The brother of my gf offed himself by jumping off a building and if it is so easy to decrypt his stock android samsung, please show me how to do that.
I would have infinite time for this and am ready to spend money on it.

How do i do this?

>>105957353
All those concerns, yet no one has posted any alternative that is even on par with grapheneos+pixel combo. Even iToddlers get pwned by Cellekike.

>>105957373
>no one has posted any alternative that is even on par
that is true, a random cheap chink shit phone isn't on par, it is superior

And the people who argue against this, have to lie and lie and lie.
>>105957144
>with no encryption

>>105957333
If you ever looked in to their community and spent some time, you could see people defending Intel ME because it's part of the security model that Intel built into their cpu like firmware encryption and verification with Bootguard. they are wolfs in sheep's clothing, they come with FOSS label but immediately ditch it for some slightly better closed source alternative. and even hate FOSS and FOSS community openly.

>>105957384
Yes, please buy chinkphones like this:
https://securityaffairs.com/176600/malware/chinese-android-phones-shipped-with-malware-laced-whatsapp-telegram-apps.html

And trust your life on their security. The world will be a better place once you get removed from it.

>>105953711 (OP)
If Secure Element is what makes or break what they consider secure, then only Pixel and Samsung phones are secure, in android land.

>>105954243
>big corpo chip
No, OpenTitan would also count, and that's a fully open risc-v implemention. It's just nobody else seem to be this autistic about security.

>>105957496
That is exactly their argument.

>>105956367
>The security chip doesn't weaken your security
I remember there was a funny vulnerability with Intel ME or AMT (or maybe something else) when they checked password with
for(into i = 0; i < passwordLength; i++) {
if (password[i] != correctPassword[i])
return false;
}
return true;
and it allowed login for empty password attempt

>>105957404
Their whole sense of security is based on cargo culting for glowfags and their DARPA companies.
>>105955758
>I agree but only for personal stuff. If I can be root on everything so can bad actors like glowies and hackers. This little compromise is for the entire device's security.
Daddy government, put me into a pod, lock me in and throw away the keys, only then, i am secure!

>>105956596
>Government asks for capabilities
>Government makes contract because of that
>Company lied
>Suddenly israel loses its biggest ally

>>105956660
>So your argument is a security flaw that was fixed 3 years ago?
No, this argument is that some vuln was fixed 10 days before it was even publicly known AND it's 3 years old. He then will tell you it could be 'Years old' even though his own source says it was less than half a year old at the time of discovery.

>>105956004
There isn't one, he's either a fed glowboy or he's a buttmad fanboi of an inferior project.

>>105957653
https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability

>>105958443
>he's a buttmad fanboi of an inferior project.
That's probably it. Glowies normally are better at posting few messages and derailing a conversation completely.

>>105956295
What agency you work for, glowboy? You home-grown burger, or bong from across the pond? Maybe escargo is your cuisine and you answer to Macron. Where are you from? Your argumentation style is atrocious!

>>105956390
He is a paid glowboy. He is here because GrapheneOS is making big memetic splashes lately and gaining in mindshare. They are trying to FUD and poison the project before it gets too big. DEATH TO BIG BROTHER!

>>105958443
but the poc got linked in the reply to that post that you ignored?

>>105958614
No, there's no poc for a 0d. There was a vuln that was patched 10 days before the publication of the vuln and the poc was published almost half a year after that.

>>105958631
What makes you think that nobody knew about that vulnerability for the four years it was deployed?
What makes you think that there is no other vulnerability in this whole separate OS that you put all your trust into?
It's not like its OpenSource. It is a proprietary binary blob made by idiots. And you can communicate with it via fastboot, for some reason that nobody can name.

>>105958650
>What makes you think that nobody knew about that vulnerability for the four years it was deployed?
Can you show me where it says it was developed for four years?
>>105958650
>What makes you think that there is no other vulnerability in this whole separate OS that you put all your trust into?
We were constantly discussion a hardware-based backdoor introduced by Google. Graphene itself is FOSS.
>It's not like its OpenSource.
Aaaaand you're back to talking about the Google firmware.
>It is a proprietary binary blob made by idiots.
Yes, Chang, Google sucks sooooo much
>And you can communicate with it via fastboot, for some reason that nobody can name.
And that lead to one known vuln that was fixed days before the public knew about it and was only present for a few months.
Here I ask again: Can you show me your security chip? Please show me the products you have designed that keep israeli spyware out.

>>105958694
Why is it possible to communicate via fastboot with this separate OS?

>>105958706
So Google can patch it later if the koreans fucked up.

>>105958717
why would someone else be able to fuck this secure chip up?

>>105958706
>Why is it possible to communicate via fastboot with this separate OS?
Firmware is a separate OS?
Can you please show me your security chip? Can you show me your israeli spyware forced to kneel before fortitude of this combination of hardware and OS?

>>105958729
Because the chip is insecure and provides no tangible benefits, but doubles your attack surface (you now have two operating systems that can fail).

>>105958731
>Firmware is a separate OS?
Yes, the Titan M and M2 can be considered a separate operating systems that can be communicated with and flashed, even when the memory is wiped and no main os exists.
>Can you please show me your security chip?
Choose a secure password.
That is literally it. That is the one thing Titan wants to protect you for. You have this horrid vulnerability infested chip inside your phone because you are scared that you yourself could choose a 4 digit pin and want something in between to prevent that.

>>105958773
>Yes, the Titan M and M2 can be considered a separate operating systems that can be communicated with and flashed, even when the memory is wiped and no main os exists.
The Titan M and M2 are physical hardware. Their firmware is not an OS.
>Choose a secure password.
Ah and how do you protect against bruteforcing?
>That is the one thing Titan wants to protect you for.
Not really, you still need to unlock it. It protects against bruteforcing attempts. That means at worst the Titan chips could make it as insecure as any other phone.
>You have this horrid vulnerability
Had* It was fixed before you even knew about Graphene
>infested chip inside your phone because you are scared that you yourself could choose a 4 digit pin and want something in between to prevent that.
You still need a PIN. The chips just guarantee it can't be bruteforced.

>>105958806
>Ah and how do you protect against bruteforcing?
Ddmn, my LUKS encryption on this laptop and my PC must be completely worthless because someone could bruteforce it!
Stop the presses!
Every single encryption on this world worthless, unless you have a hardware chip with sloppy firmware made by Google storing your key!

>>105958853
>Ddmn, my LUKS encryption on this laptop and my PC must be completely worthless because someone could bruteforce it!
Ok, so where's your LUKS encrypted phone with no known security flaws?

>>105958889
btw. just because you seem to not understand how full disk encryption tackles this:
https://linux-blog.anracom.com/2018/11/30/full-encryption-with-luks-sha512-aes-xts-plain64-grub2-really-slow/
Look at the section about determining the time for opening.

You don't need your insecure google chip. Your google chip is obsolete and increases your attack surface.
It ONLY tries to protect you from your own stupidity of using a pin as encryption password.
But why would you need that? If you are such a retarded brainlet, as you yourself say you are, no amount of glowfag chips can safe you, you will fall for some jeet scam by yourself.

>>105958929
>You don't need your insecure google chip. Your google chip is obsolete and increases your attack surface.
Wrong. It works on top of this.
>It ONLY tries to protect you from your own stupidity of using a pin as encryption password.
Oh, I guess *All* smartphone devs are just dumb. How about you release your own secure smartphone then?
>But why would you need that? If you are such a retarded brainlet, as you yourself say you are, no amount of glowfag chips can safe you, you will fall for some jeet scam by yourself.
It saves me from israeli spyware. Btw are you still running sudo despite its multitude of yearly CVEs?

>>105958962
>I guess *All* smartphone devs are just dumb
My smartphone told me to not use a pin as encryption password, it specifically forbid that.
And its just some random stock Samsung.

btw. Google is indeed stupid when its about encryption, they changed their Android encryption from a custom full disk encryption to a file based encryption and their implementation is vastly inferior to LUKS.
If Google would be good with security, we also wouldn't have seen that massive vulnerability in Titan M.

If you argue that Google is dumb... yes, they indeed are.
The Nr.1 rule when you are dealing with encryption is to not reinvent the wheel, if a solution already exists, look at it, improve on it, don't start from scratch. And Google broke this. And then they try to fix the flaw, that LUKS doesn't have, by doing a binary blob chip, and then they have vulnerabilities in their chip and then....
It's all just so stupid.
Basically:
A phone will never be as secure as some ordinary encrypted tinker laptop because GOOGLE IS DUMB.

>>105959005
>And its just some random stock Samsung.
And here's the lie.
Who cares about the rest, has been refuted daily since this anti Graphene shilling started

>>105959028
what are you on about, schizo?

That's it, they are finished.
-sent from my fairphone 4 running /e/OS

>>105959057
Are you using the stock launcher?

>>105958889
>where's your LUKS encrypted phone
But goy! If we use LUKS, we can't sell our Titan(R) M2(TM) backdo... ahm... security solution!
We need to sell a custom encryption, that has flaws, and then sell the solution to those flaws in the form of a proprietary chip that we can change whenever we feel like!

Le Google chip protected PIN seems a bit like a meme but on the other hand if you're at the point you're doubting the hardware what the fuck can you even trust anymore? Libreboot-flashed old thinkpad? How do you know there's not another unknown silicon backdoor keylogging everything?

>>105959089
No, I'm using tinybit launcher. The stock one is too iPhone-looking for my liking.

>>105959091
>But goy! If we use LUKS, we can't sell our Titan(R) M2(TM) backdo... ahm... security solution!
So you got no solution? Got it

>>105959126
Understandable. I hate their stock launcher but I use it anyways.

What happened? Does langley have an outage? Did Iran strike tel aviv? Where are the glowfrens who strawmanned just a few minutes after you btfo'd them?

kek all these replies are invalidated by just using a long password, the secret stored in the chip is partially derived from the password

>>105959273
Us Graphene Chads have better things to do than be engaged by an 8200 agent, or some stinky transsexual otherkin who recently lost his DEI job.

I would never buy a PC without IntelME.
IntelME ensures that i am safe. Thank you, Intel.

>>105959450
Fren, I'm on the graphene side. But check it, the anti-gos shills haven't been active for over 30 minutes

>>105959091
PBKDF cannot rescue digit PINs without making the check time on the order of minutes. 6 digits gets pwned in less than a week (on average) with 1 second per attempt. PINs are just all around bad.

>>105959476
I don't know who's who anymore, apparently.

>>105959497
It's alright, I was vague. I'm the fag who complained that you use Cwtch and then conceded that your reasoning was sound.

>>105959479
Security and Privacy isn't about stopping the user from consciously making mistakes.
That whole mindset, of thinking that you have to protect some retard from choosing a four digit pin, is ridiculous.
You can tell the user: "oh boy, what you are attempting to do seems a bit stupid, you still want to do that?", but that's about it.

Guys, why did the anti-Graphene shill only reply to >>105959479? Something very weird is going on here frens...

>>105959468
This

>>105956390
Man, graphene is a very suspicious project... If it really is was so secure, google would just merge it back to aosp, maybe with exceptions for their own spying apps. It still has a hardware black box (just as other phones but maybe more advanced), it's running in parallell with android and nobody knows what it does except key management.

>>105957371
not saying it's easy. police will have special labs with tools and specially trained personnel for this. I'm sure if you look into hardware modding you will find resources how to extract flash memory from a chip. however the samsung device could be using a secure chip, too. then you're out of luck.

there also might be simple software exploits, however. this is from last year, but cellebrite claims to be able to bruteforce and extract samsung phone.

>>105960140
Google has included and fixed a lot of the security improvements and possible vulnerabilities reported by the GrapheneOS team.

However, GrapheneOS stopped reporting stuff when the Google marketing division had GrapheneOS' vendor-level access revoked. Which gave them early access to new security releases or something like that. Google engineers were happy to work together with them, but their marketing team didn't like that.

>>105960265
>Google has included and fixed a lot of the security improvements and possible vulnerabilities reported by the GrapheneOS team.
so now aosp is just as secure?
>GrapheneOS stopped reporting stuff
google can still take it

It's hard to explain, it was revealed to me in a dream that something is not OK with this project, but seems like nobody has time to find out what exactly or doesn't want to buy pixel only for that purpose. I recommend you to not do anything private there just in case...

>>105960172
>police will have special labs with tools and specially trained personnel for this
The average cops aren't going to decrypt anything.
They get your fingerprint for the biometric unlock, that everybody enables for some reason. Or they do your swipe unlock or whatever you do by looking at trails on the screen.
Or they pressure you into doing it for them.
In the UK, the MI5 declares you as possible terrorist, then your right to remain silent is revoked and you either unlock it for them or they throw a terrorism charge at you.

All those stories about feds decrypting phones leave out some crucial details. And if you believe those stories: "haha, the feds were so angry at not being able to decrypt [os i shill]", just buy an ordinary iPhone.
From my experience with the average cops, i can tell you with confidence that they can't decrypt anything. Even the Israeli spyware is focused on running on your phone during ordinary operation, not on cracking a full disk encryption.
Reading out flash memory and brute forcing it is stupidly high effort, and then it fails when the user did something better than a 4 digit pin.

>>105960365
AOSP didn't implement sandboxed Google Play. Or per-app network or sensor permissons. Or contact and storage scopes. Or auto-reboot. They simply don't want to implement all of the privacy and security improvements.

>>105960397
Not the average cop, no. They will send the phone to a bigger, specialized division.
In the UK you are required by law to unlock and decrypt any device anyway. There is no right to remain silent or not incriminate yourself protecting you against that. There is no need to label you as terrorist.
If you're really cheeky you give them/enter the duress code which wipes your device. I have no clue how bad that work out for you, though.

>>105960397
>>105960458 cont.
Nobody bothers with reading out flash memory because any device where that's possible is also insecure enough that it's not needed. Of course a software solution that exploits the OS is faster and easier.
Yet some anon was claiming not having a secure element would be better because it's additional attack surface. And taking out flash memory instead would be too hard. Except that in order to exploit the secure element over UART you need to disassemble the phone anyway.

Why would a criminal keep anything incriminating on their phone? The easiest opsec seems to be to use the phone only as a mobile hotspot and use secure messaging software through laptop. Keep any sensitive data on a USB, encrypted as a headerless stream of bytes written straight to block device with no filesystem so it's indistinguishable from random. This whole le secure phone thing seems like larping.

>>105953711 (OP)
security updates for android are retarded because you aren't running random apps as much like on windows and there abilitys that apps have are MUCH more limited than on windows.

I run android 11 and I do not fucking care about security patches.

>>105960534
I mainly drive LineageOS on my Samsung Galaxy s6 which has a BETTER display than MODERN HIGH END apple ipads which don't even use fucking oled geg(The s6 does use OLED). and can take photos in 4k. the ONLY thing I hate about the s6 is the lack of a sd card slot.


Samsungs Firmware also has been COMFIRMED via the lapsus leaks which I have on my hard drives to NOT have any backdoors

>>105960529
>This whole le secure phone thing seems like larping.
Because it is. The two largest providers of le secure anonymous phones have turned out to be infiltrated by the FBI and founded by the FBI respectively. Even after just a passing look at that entire industry you'll realize it's all just retards scamming even bigger retards or government run honeypots.

>>105960534
if you unlocked your bootloader and flashed a custom rom just to get google off your ass you'll probably be using apks a lot more unless you're smart enough to use just fdroid and a frontend for google play and those kinds of apks have a much higher chance of containing malware than software on computers

>>105960662
and you think the latest security patch is going to prevent that? Hell no. by the time you install that malware your already fucked.

>phone
>secure
lol, lmao
if career criminals all agree on telling even harmless drug consoomers not to use smartphones for this shit you know mobile phones are not secure by default
I trust more the kind of people who need to avoid legal consequences and surveillance over tinkertroons with dunning kruger or glowies trying to sell you compromised devices
I'm retarded
But not that retarded

>>105954448
Even though you can get foss privacy


the samsung leak from lapsus reveals in their full soruce code which I examined that there are no backdoors in samsungs phones firmware wise.

>>105961372
sure thing, samshill. let's just ignore >>105960172

>>105957496
This and samsung phones won't let you relock the bootloader after flashing a custom rom.
Pixel phones are the only ones that let you do both which is why grapheneOS only exists for pixel phones. They used to support some samsung phone that had a bootloader lock workaround but that was a long time ago.

>>105953711 (OP)
Micay is so truthnuked and truthpilled. And so fucking retarded, too... I'm 90% sure that if it wasn't for him, we'd be in a Graphenian Agartha already...

>>105953711 (OP)
I was actually kinda sad that such a good idea (non-google android phone) was effectively being spearheaded by a genuine schizo like the GrapheneOS guy until I looked at his actual project and what it really is.
>google phone ONLY OS that only works on hardware that contains blackboxed google components you can't use
>you literally lose functionality on the phone while also not having the privacy you would install this schizo shit for in the first place

Laughable and embarassing, the /e/OS guys seem like they have a much better project in principle and I hope they get more publicity since they actually have something that can be installed on a lot of different phones which is the whole fucking point.

>>105963017
Bought fairphone with eos just for this reason. If graphene guys released a version for this phone - I would try it. But until it's Pixel exclusive - au revoir

>>105954819
>Micay is actually right most of the time.
l o l
l m a o
only if you consider google to be the good guys

>>105954555
GrapheneOS is schizoware.

>buy the google phone goy
no thanks, i'm sticking with xiaomi

>>105961739
You aren't allowed to relock the bootloader because someone could have flashed a rom with malware, then lock it, then sell it on ebay.

Thinking about that, shouldn't grapheneos dude be outraged about how insecure Pixel phones are, for allowinf that?

>>105960509
Your "secure element" IS an attack surface, making it possible to do shit per software even when the phone is off.
While extracting flash memory takes effort, talking to you "secure element" doesn't.

>>105964413
Xiaomi is Chinese. At least buy something from Europe, Taiwan, south Korea or Japan.

>>105964480
>buy something we can track you with goy
no thanks, i'm sticking to chinese hardware

>>105960509
>Except that in order to exploit the secure element over UART you need to disassemble the phone anyway
no, it is available via fastboot.
You don't have to take it apart to access its pins, you only need a debugging cable.

Which is the one question grapheneOS shill still fails to answer:
Why is this possible?

In reality, a possibly glowfag operation could look like this:
>they yoink your phone (be it on an airport check or wherever)
>plug in a cable for 20 seconds, your "secure element" now got flashed
>give the phone back (maybe you dont notice that it was ever gone, because its so fast)
>after you unlocked it once, yoink it again
>they now have full access and can do whatever they want with it
Then consider that taking the phone isn't neccessary in the first place if you can push OTA updates. Which they can, even on goypheneOS. And its not OpenSource, so the discovery of an exploit takes four years or more.

Or it might never happen in the first place, because google tried to screw over the last company that discovered such an exploit, tried to deny them rewards and eventually only gave them ten grand for all this reverse engineering work, that was definitelly more expensive than that.
Some random chink will pay you ten times more.

>>105953711 (OP)
tl;dr
That guy is a psychotic schizo and a glowie, fuck him

>>105964508
then China will track you, it's worse

>>105964806
How is this worse?

>>105964525
>plug in a cable for 20 seconds, your "secure element" now got flashed
It could be worse. I heard that (not 100% sure it's true) to manufacture motherboard for Intel or and you have sign a contract that forces you to provide intel ME / amd PSP access to ram, hard drive, wifi and ethernet adapters. In theory they can just ssh into your backdoor and do literally everything in your pc and your kernel will not notice this traffic.

>>105964837
They have actual totalitarian regime, much worse than western one. I understand why you don't want america to spy on you if you are from Europe or mentioned countries, but China is not the solution.

>>105964867
>They have actual totalitarian regime
And how does this bother me? I am not in China.
What are they going to do to me?
>much worse than western one
I think the CPC serves the Chinese people. I do not think my government serves my people.

>>105964881
>how does this bother me
They will expand it to west and you vill live in it.
>CPC serves the Chinese people
All totalitarian communist regimes say it and spread such opinion in west but it's probably (I never lived in China) not true. When faggots like Bernie sanders visited ussr, they were convoyed by KGB during every step and literally everything they saw was lies. They wanted these faggot's to then go home and tell everyone that USSR is a paradise. Remember the case from Yuri bezmenov interview when some western journalists were shown a shelter for homeless children which actually was for children of dissidents that were killed/imprisoned for not liking USSR?

>>105964867
>I understand why you don't want america to spy on you if you are from...
America.
The ones threatened the most by the American government are Americans. Because the three letter agencies have free reign in America, they don't have it in China.

They are the ones who get MKUltrad, randomly shot, arrested by the IRS or ICE on bogus charges, gets a little drug package discovered in his car on a coincidental traffic stop, without knowing that you have one, gets a laptop with child porn discovered, that you again didn't know that you have, arrested for boycotting israel...

>>105964921
>muh totalitarian communists!
i wonder where all the trotsky commies hang out now

>>105964921
>They will expand it to west and you vill live in it.
That would be amazing.
I support this.
One-party states are the peak political systems, because it isn't totalitarian (like you claim it is, i think you don't know what words mean), an ordinary pleb can still rise, if he is interested, while and uninterested pleb keeps his voting power to subjects that affect him personally (like local mayor elections).

Basically, it's an hierarchic democracy.

>>105964413
Why would anyone buy a phone from a company like xiaomi, they're a joke. They even got banned from pwn2own (an annual computer hacking contest) because of their shitty behavior. TLDR: They entered the event, but on the day of the competition they remotely patched the bug so that the researchers couldn't demo the exploit "wow xiaomi phones are so secure during pwn2own!". After the contest ended, they removed the patch and the exploit could work again.

https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Ken%20Gannon%20Ilyes%20Beghdadi%20-%20Xiaomi%20The%20Money%20Our%20Toronto%20Pwn2Own%20Exploit%20and%20Behind%20The%20Scenes%20Story.pdf

>>105964525
>you only need a debugging cable
and where do you connect that in your scenario, genius? USB is disabled when the phone is locked (unless you disabled that). And even if they have time to reboot your phone into fastboot mode, you will notice that they did.

And if glowies have physical access to your phone for longer without you noticing you are fucked either way. they could simply add more independent hardware, tracking and recording whatever you do.

>>105964926
You think it doesn't happen in China? Allowing them to spy on you may seem better now, but you give them your money and blackmail material, you increase the chances that america will be rulled by China. If it happens it will be much worse. Not saying that NSA is good, but if you have no choice but allow some glowies to spy on you, I would recommend you to choose countries with less inhuman regimes.

>>105964931
>where all the trotsky commies hang out now
On the trees, hanged by their comrades

>>105965119
>You think it doesn't happen in China?
But i am not in China?
Even if they are "just as bad", how does that bother me?
Being spied on by the Chinese is infinitely more secure than being spied on by my own glowfags.
How is this so hard to understand?

>>105965119
>I would recommend you to choose countries with less inhuman regimes
That would be China.
China doesn't go to war all over the world to spread their inhuman sadistic ideology.

>>105965077
see >>105955759

>>105965314
you either didn't read or understand my post. congrats!

>>105965339
No, anon, you just have to think about how that would actually manifest.

So when you look at your phone the next time, you get the password entry that you get anyway after not touching it for a while, even when you notice that this got caused by a reboot, what are the chances that you immediately throw away the phone and never touch it again?
I think that isn't very high.
Since it could have just crashed or done some update, whatever.
Reminder that you could wipe the whole OS and the malware would still be there.

Also ponder about the question that got asked so many times:
Why does it have that ability in the first place?
Why can fastboot run a console on the "secure element"?
Is there any logical explanation why it exists?

>>105965339
If only GraphenOS wouldn't be known for rebooting randomly for no reason...
https://discuss.grapheneos.org/d/1905-best-way-to-debug-random-reboots
And i don't see a single person in the GrapheneOS community telling them to immediately throw away the phone after an unexplained reboot.

>>105965366
You failed to account for one thing: I'll suddenly be asked for the PIN of my sim card. That only happens after reboot. I'll know my phone rebooted. And it never does so without reason. It won't be "whatever".

And now YOU should ponder why the exploit would be in the secure element. All it does is exchange cryptographic keys. It cannot run malware on the phone. It cannot communicate with anything else. It stores the keys encrypted and needs your unlock PIN/passphrase to derive them. So after rebooting your phone into fastboot mode the keys can't be simply retrieved.

Also refer to >>105956773 and >>105956811
If a backdoor was added to the secure element, why could it not have been added anywhere else? Why would the phone be more secure without the secure element?
Why would a well-guarded, hidden backdoor be used on you (which only a select few people or organizations have access to), but reading out flash memory (which potentially anyone could do) would be too much of a hindrance?

There is no reason for a modern, secure phone to not have a secure element. On the contrary, not having it while promoting your phone as secure and private is not just negligent, but downright malicious.

>>105965437
>known for
>2022
I've been using mine for more than a year. It has never randomly rebooted. And the one time it did so unexpectedly I was vary of it, before figuring out the reason (it auto-rebooted because I didn't unlock it for 12 hours, which is what I set the auto-reboot timer to). If I had state-level secrets on the phone and figured someone else might have had access, I'd have been even more careful.

>>105953711 (OP)
Ok so the criticisms boil down to:
>/e/ doesn't throttle pin attempts
This is an actual issue but not that big. It can be circumvented by choosing a longer PIN.

An attacker that really wants your pin will hold your family at gunpoint and/or threaten to break your knees for the PIN anyway. Even the police can threaten to send you to jail for not cooperating.
>no secure element
Same as the previous post.
>/e/ is behind on OS and browser patches
This is an issue but again, not that big.
>MicroG has root permissions unlike our implementation of sandboxed Google Services
Why is MicroG with root an issue? MicroG is extrmely small, it's modular and it allows users to control which apps have access to it. Unless he talks about possible MicroG exploits which, fair enough, but still.

These all are hypothetical issues, not really big ones.

>>105965563
>This is an actual issue but not that big. It can be circumvented by choosing a longer PIN.
Not just a longer PIN, you need a 6+ word passphrase for a modicum of safety against bruteforce attacks. Which most people won't use. Which leaves their data wide-open should someone take their phone.

>An attacker that really wants your pin will hold your family at gunpoint and/or threaten to break your knees for the PIN anyway. Even the police can threaten to send you to jail for not cooperating.
"Why do anything at all if it can't help you in all thinkable scenarios 100 % of the time." This is a moot point. What's next? You don't need encryption if you have nothing to hide?

>>no secure element
>Same as the previous post.
Yes, that's literally the culmination of the above. A secure element stops an attacker from simply bruteforcing a weak PIN by encrypting the data with a strong key. Which it will only give out if you provide the correct PIN. It throttles the PIN attempts however, so suddenly a convenient but weak PIN is viable.

>>/e/ is behind on OS and browser patches
>This is an issue but again, not that big.
No, security patches not being applied timely is not a big deal for a supposedly private phone. Absolutely not.

>>MicroG has root permissions unlike our implementation of sandboxed Google Services
>Why is MicroG with root an issue? MicroG is extrmely small, it's modular and it allows users to control which apps have access to it. Unless he talks about possible MicroG exploits which, fair enough, but still.
Because the proprietary apps using google play services (which then use microG instead) will then also have high-level OS access which normal apps can't get.

>These all are hypothetical issues, not really big ones.
It's all hypothetical until they suddenly become real.