/g/ - Technology






File: os ranking.png (153 KB, 1603x972)
>>
>>107492870
ok
now what
>>
Who cares?
Why do you keep making these threads?
I'm tired of you mentally ill waste of space ritual posting useless shit
>>
>>107492870
>chatgpt web app bg color

explain in detail why should I give a FUCK that doesn't make you sound like a HOMO (pro tip: you cannot)
>>
File: os ranking 2.png (99 KB, 1836x489)
Not just one user, it seems to be a common view among GrapheneOS community that desktop OSes are generally insecure slop compared to mobile OSes, and Linux is at the bottom of the pile.
>>
>>107492870
That is correct and pretty much agreed on by everyone who is into security. Linux is just completely insecure by default unless you're specifically on SecureBlue or running Qubes.
>>
>>107492910
the biggest criminal you know is running pixel os sending photos of his child girlfriend to his other child girlfriend but mfs selling xanax in some unnamed oblast need a secure mobile
>>
File: 1755083032111.jpg (462 KB, 1873x908)
Those of you running old coreboot compatible thinkpads are running a very insecure system, according to whoever was posting behind this GrapheneOS account.
>>
File: 1755082106662.jpg (768 KB, 2880x1238)
>the desktop Linux software stack compares very poorly on privacy/security to iOS or AOSP
>>
Yeah, duh. Linux doesn't even support secure boot or passkeys.
>>
i mean yeah, most Linux distros don't even have full disk encryption by default (you need to know that you want it) and do you really trust the KDE or Gnome lockscreen to not have some bug known to glowies that allows them to skip the password?
>>
>>107493005
You don't want to rely on the lock screen at all for security. If you're leaving the computer unattended it's better to turn it off.
>>
>>107493005
You're talking to a mental patient, he's trying to conflate the mobile versions. He seems to shit his pants whenever they announce a new update or progress in the project.
He also doesn't understand anything and will post even unproven rumors.
Like I keep telling him if he hates this project so much he should just make a similar rom with the same timely update and security schedule and just remove the features he deems schizo but he won't.
I think he's angry and can't afford a pixel so he takes it out on us
>>
GrapheneOS official page recommends against using Firefox and strongly recommends using Chromium browsers.

>Avoid Gecko-based browsers like Firefox as they're currently much more vulnerable to exploitation and inherently add a huge amount of attack surface.
>Chromium-based browsers like Vanadium provide the strongest sandbox implementation, leagues ahead of the alternatives.
>Chromium has decent exploit mitigations, unlike the available alternatives.

https://grapheneos.org/usage#web-browsing
>>
>>107493005
Don't use any lockscreen, log in on a TTY and run a command to display the desktop environment.
>>
>>107493063
Mobile firefox is shit tier
Are you off your meds or are you praying some equally retarded sperg will believe you?
>>
>>107493073
>Even in the desktop version, Firefox's sandbox is still substantially weaker (especially on Linux) and lacks full support for isolating sites from each other rather than only containing content as a whole. The sandbox has been gradually improving on the desktop but it isn't happening for their Android browser yet.

Also I think this applies for the desktop version also?
>Gecko doesn't have a WebView implementation (GeckoView is not a WebView implementation), so it has to be used alongside the Chromium-based WebView rather than instead of Chromium, which means having the remote attack surface of two separate browser engines instead of only one.
>>
File: IMG_7696.jpg (90 KB, 598x910)
>>107492870
>grapheneOS
that vulnerable-ass shit got my nigga up on Murder 1
>>
>>107493090
Is he wrong?
You seem to be putting a lot of stock into spamming this shit and you keep getting laughed out the thread
Again make a non schizo rom that supports more devices, until then you're punching air.
>>
>>107493129
I'm not the anti Graphene poster. I just find this all interesting because it's opposite to what a lot of /g/ recommends.
>>
>>107492870
This is true. Only mobile OSes were designed from the ground up for app sandboxing and full separation of userspace and kernel. Only Qubes has found a way to do that on desktops.

Macos/windows/Linux all fail at that.
Linux secure boot doesn't work right. You can replace the init system binary the kernel loads with a poisoned one that can do evil things. The kernel features to prevent that are too hard to manage for a distro maintainer
>>
>>107492870
we all know that micay is a big tech shill who wants to rob us of personal computers
>>
>>107493147
Nobody is against degoogled chrome and there have been constant complaints regarding Mozilla shitting the bed and failing to do basic shit while pursuing worthless shit ad nauseam.
People are excited about Ladybird for a reason and the next browser that can dethrone Mozilla will be EoL for it. We just understand that having no competition is bad for this space and most people don't need chrome or aren't going to risky sites on desktop. Nobody is arguing in favor of firefox on mobile at all.
>>
>>107492870
they're right, grapheneos on arm9 cpu is basically the most secure computer on the planet right now that is connected to the network, there is just no competition.
>hurr google hardware
and yet glowies seethe because they can't unlock them, curious
>>
>>107493165
Exactly, if desktop linux is so bad, why doesn't he put effort into making it great
>>
>>107493172
My takeaway from reading GrapheneOS forums is that you have to choose between privacy and security.

Linux and Firefox are more private but less secure. Chromium and Windows/macOS/Android/iOS are less private but more secure.

Except on devices that are compatible with GrapheneOS, since GrapheneOS is supposed to be (I think) both private and secure.
>>
>>107493090
>>107493063
IronFox applies stronger sandboxing to mobile. A viable setup is ironfox with webview disabled and vanadium as webview. Only use webview when you need to present a browser with more stringent privacy and security (firefox as webview increases attack surface and decreases privacy). Often it's acceptable to trade decreased privacy when you are already identified for logged in services.
In practice vanadium is for WiFi portals and anon social media and VPN use. Another browser for identified use. Keep your fingerprints separate
>>
>>107492870
Failure to rank OpenBSD, yikes
Micay is afraid De Raadt will rip him a new asshole
>>
>>107493237
why do you think they only care about pixel?
google is the ONLY manufacturer that regularly updates firmware and drivers, that's it, not a single manufacturer is as serious and open as google right now, this is a fact
>>
>>107493237
There needs to be a desktop Linux that is on par with GrapheneOS. Not QubesOS; you can't perform most basic tasks on it, and it's a memory hog.
>>
>>107493325
How about this: have an OS that can run on older hardware with the strictest rules, like how Linux-libre uses all open-source firmware. Well, I know open source doesn't necessarily mean security, but it can be improved upon.
>>
>>107493480
>have an OS that can run on older hardware with the strictest rules
pozzed hardware, as simple as.
>all open-source firmware.
does not exist, at all.
there is NOT A SINGLE piece of fully open source hardware on the market right now.
>Well, I know open source doesn't necessarily mean security, but it can be improved upon.
only if it exists in real-life.
>inb4 muh fsf recommends this thinkpad
because it's the closest you can go but fully open does not exist, reminder that a cpu has multiple operating systems running on it at all times, we talk about minix but they also have proprietary OSes running on other parts of the chip.
>>
>>107492870
>GrapheneOS user
literally who
>>
>>107493002
it does, unfortunately
>>
>>107493325
>why do you think they only care about pixel?
because it's mossad approved hardware, that's why.
>>
>>107492914
>>107492914
Qubes isn't technically Linux, so it shouldn't count in that category. But that said, more operating systems need to work like Qubes. It can be said that iOS is generally more secure than most other operating systems because you literally can only install trusted, pre-approved software on it, so as long as Apple isn't compromised, the chance of getting owned by malware on iOS is very small.
But what Qubes gets right is it gives you the ability to safely run software without needing to trust it. You just split up different programs into different security domains. While on other operating systems you basically need to trust every program/app not to be malware, on Qubes you just have to trust the hypervisor to enforce separation between different security domains.

It's also just theoretically a more sound idea, from a security standpoint, to put a hypervisor - which is less than 100k lines of code - at the foundation of your operating system, rather than a kernel (consisting of tens of millions of lines of code) which has a much larger attack surface. And for that reason alone it's more secure than stock Android and probably iOS
>>
>>107492870
Are you that worried about your mom finding your lolis?
>>
>>107492970
>WiFi, Bluetooth
Usecases for these?
>>
>>107492870
Yeah that seems about right. I have no doubts that someone who knows their shit could get into my laptop with self signed secure boot + TPM (with passw backup) + bios passw. It all just stands so that no regular joe gets to snoop around my disk with a live install disk.
On an unrelated note, it appears that in mine, TPM detects charger disconnecting as a HW config change and prompts for password, plugging it back "fixes" it. Just thought it was interesting
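Worked example for the two posts above on the initramfs being swappable under Linux secure boot and on a TPM-sealed setup prompting for a password after a hardware config change. This is an added example, not code from the thread, from GrapheneOS or from any distro. It replays a TPM 2.0 PCR from an ordered list of measured blobs (the real extend rule is PCR := SHA-256(PCR || digest)), then seals a toy secret to a PCR selection and shows which boots can unseal it. The blobs, the PCR indices (1 for platform config, 9 for kernel, initrd and cmdline) and the policy digest are constructed stand-ins: distros measure into different PCRs depending on firmware and boot stub, and a real TPM2_PolicyPCR digest also folds in the command code and selection structure.

```python
import hashlib

PCR_BYTES = 32  # one SHA-256 PCR bank


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend on a SHA-256 bank: PCR := H(PCR || digest).
    The old value is folded in, so order and content of every event matter."""
    if len(pcr) != PCR_BYTES or len(digest) != PCR_BYTES:
        raise ValueError("PCR and digest must be 32 bytes")
    return sha256(pcr + digest)


def replay_pcr(events) -> bytes:
    """Recompute a PCR from the ordered blobs measured into it, starting at the
    all-zero reset value a TPM has at power-on (what tpm2_eventlog does against
    a real event log)."""
    pcr = bytes(PCR_BYTES)
    for blob in events:
        pcr = extend(pcr, sha256(blob))
    return pcr


def policy_digest(pcrs: dict, selection) -> bytes:
    """Stand-in for a TPM2_PolicyPCR digest over the selected PCRs (constructed;
    the real one also hashes the command code and selection structure)."""
    material = b"".join(bytes([idx]) + pcrs[idx] for idx in sorted(selection))
    return sha256(material)


def seal(secret: bytes, pcrs: dict, selection) -> dict:
    """Bind `secret` to the current values of the selected PCRs."""
    return {"policy": policy_digest(pcrs, selection),
            "selection": tuple(sorted(selection)), "blob": secret}


def unseal(sealed: dict, pcrs: dict):
    """Return the secret only if the current PCRs satisfy the policy, else None.
    This is the gate a TPM-sealed LUKS key goes through at every boot."""
    if policy_digest(pcrs, sealed["selection"]) == sealed["policy"]:
        return sealed["blob"]
    return None


# Constructed boot measurements (NOT real event-log contents).
KERNEL = b"vmlinuz (constructed)"
INITRD = b"initramfs.img (constructed)"
CMDLINE = b"cmdline: root=/dev/mapper/root (constructed)"
FW_AC = b"platform config: AC power (constructed)"
FW_BATTERY = b"platform config: battery (constructed)"


def boot(initrd: bytes = INITRD, fw_config: bytes = FW_AC) -> dict:
    """Simulate one boot: PCR 1 gets platform/firmware config, PCR 9 gets the
    kernel, initrd and cmdline in that order. Indices are illustrative."""
    return {1: replay_pcr([fw_config]), 9: replay_pcr([KERNEL, initrd, CMDLINE])}


def demo() -> dict:
    luks_key = b"constructed luks key, not a real one"
    good = boot()
    strict = seal(luks_key, good, [1, 9])   # also bound to platform config
    relaxed = seal(luks_key, good, [9])     # bound to kernel+initrd+cmdline only
    return {
        "good_strict": unseal(strict, boot()) is not None,
        # an unsigned initramfs swapped on the ESP changes PCR 9 -> refused
        "tampered_initrd": unseal(relaxed, boot(initrd=b"backdoored initrd")) is not None,
        # a PCR 1 change (e.g. firmware seeing a different power config) -> refused
        "charger_strict": unseal(strict, boot(fw_config=FW_BATTERY)) is not None,
        # same change with a policy that deliberately excludes PCR 1 -> still unseals
        "charger_relaxed": unseal(relaxed, boot(fw_config=FW_BATTERY)) is not None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'unsealed' if ok else 'refused'}")
```

The point it makes: a signed kernel that loads an unmeasured or unsigned initramfs is exactly the gap the post describes, and sealing the disk key to the PCR that covers the initramfs closes it, at the price that anything else in the selected PCRs (including firmware config events you did not anticipate) also locks you out until you re-seal.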
>>
>>107493532
I have seen that RISC-V is fully open source, but the legitimacy of the manufacturers producing it is uncertain.
>>
>>107492870
Is that a list of most vulnerabilities in OSes?
>>
>>107492870
Pretty much everything in this thread can be responded to with "depends on your threat model".
>>
>>107493837
lol no it can't
>>
>>107492970
Did he not consider the possibility that the Wi-Fi and Bluetooth can be physically removed?
I mean, I get using Wi-Fi, but who is going to use Bluetooth?
>>
>>107492870
Sure, because many exploits rely on tricking the user into trusting malicious software, and mobile OSes are hardened against both the desires of their user and the software he installs.
>>
>>107492970
>>107492970
>muh unpatched vulnerabilities for WiFi and bluetooth
Another area where Qubes wins because the Xen hypervisor simply passes your USB stack into its own untrusted guest qube by default. Same with wi-fi and bluetooth hardware, so plugging a compromised USB stick into your PC doesn't matter, it bypasses dom0 and goes straight to a quarantine zone where you can choose what you want to do with it. Wi-fi and bluetooth hardware are handled in a similar way so even if those physical devices get compromised they still can't easily infect your host or exfiltrate your personal data. Qubes should be at the top of the list because honestly nothing else really comes close to providing security and control in the granular way that it does.
>>
My idea of the most secure system functions similarly to Gentoo: you can only compile from source, but you'll have a local AI that checks for any malicious code and deletes it. For any task related to connecting to the Internet, a temporary VM will be created.
>>
>>107493973
Basically a hybrid of Gentoo and Qubes with AI involved.
>>
>>107492870
Securityglazing needs to stop. Software has never been safer in human history than it is today, that's just a fact.
>>
>>107492870
This is the classic "privacy != security != freedom". GrapheneOS goes hard on the security aspect, not trusting any single app to do anything, even if it's proprietary basedkaf. This focus greatly restricts the usability and composability of the system, every app is its own island and you need to constantly manually give it access to the things it needs, which you then have to assume is going to misuse, because nobody can vet the code.
Linux on the other hand is freedom first. It assumes that you know what you install, and place full trust in it. This allows things to interact and work together, without needing bypasses, and makes it really easy to modify individual programs/libraries that affect everything else running on the system. Apps can sandbox parts of themselves, if they need greater security, and a user can install sandboxed apps they don't trust.
Both provide varying degrees of privacy, but I believe privacy can ultimately be greater when you can inspect and trust the programs running on your system.
You can't go too extreme in either direction without significantly sacrificing on the other.
>>
>>107494048
>Securityglazing needs to stop.
Why? So you can target people more easily?
>Software has never been safer in human history than it is today
That doesn't inspire confidence because software in general has never been very safe at all.
>>
>>107494117
I find this post could be a solution to both privacy and security >>107493973
>>
>>107494147
Going to take time for that, but to be honest what even is the usecase to go that hard?
The real threat level to the average person will always be corpo and we have solutions to cripple corpo overreach and abuse.
>>
>>107494173
It's not meant for the average person, it's made for the ultra-paranoid.

An average person will use anything available and convenient for them.
>>
>>107494217
No I think the average person should not want to be harvested after the sale. We need to realize that companies are making you pay them to make even more money off of you. Data should be harder to get by default it's fucking insane that they often do this under our nose and expose us to bullshit like scammers.
>>
>>107494147
Qubes has all these features built in by default and it's much more secure than running VMs on top of a Gentoo host because on Gentoo the kernel is always god and anything running as root can just bypass your sandboxing protections. It's better to put the hypervisor first and use that to enforce the sandboxing
>>
>>107493973
I can see AI agents becoming a trend in OS development. In fact, most OSs are already implementing AI agents running in the background.
>>
>>107494122
>That doesn't inspire confidence because software in general has never been very safe at all.
Yes but today the expectation seems to be that if you install buggy and malicious software, the OS will sandbox it and protect you. Before, the expectation was if you install a virus you get what you deserve.
>>
>phones
>have mandated backdoors built into the modems
>operating systems are also set up to send your data to google/apple by default
>computers
>some theoretical exploit to see some metadata if you have a particularly chinky wireless driver but it still requires physical access
>"DURR COMPUTERS ARE ALL HACKED, PHONES ARE HACKPROOF!!!!"
>>
>>107494274
Yes, use QubesOS as the base, but the dom0 will use Gentoo instead of Fedora, with only Gentoo templates for the VMs. Also, a local AI will check the source code before compiling it.
>>
Memes aside, why is there a huge need for security on a phone? You afraid someone will see which instagram thots you've been watching? Guess what, instagram already knows and they sell that info to anyone who wants it.
>>
>>107493731
>Qubes isn't technically Linux
It is, just Fedora with Xen hypervisor.
>>
File: jolly.jpg (2 KB, 160x160)
>>107494459
tech illiterate retards are a liability anywhere they go, so phones must be secured, both from malicious actors and their users.
Imagine what would happen if an upper management boomer lost his phone and some rando just had fun with it.
>>
>>107494479
Qubes is Xen. dom0 is technically just another VM on Qubes, but with some special privileges. Xen is the real god.
>>
>>107492870
Then why doesn't GrapheneOS get rid of Linux?
>>
>>107494459
In a more general sense security is pointless because even if you lock all your shit down you're still going to be subject to the security of whatever services you're forced to use, still have zero days in everything you use, still being tracked by Flock everywhere you go
>>
>>107494459
Banking apps. And if phones are more secure than desktops might as well do banking on your phone.
>>
Link the post?
>>
>>107494567
https://discuss.grapheneos.org/d/12746-ranking-os-security

don't have sources for these >>107492987 though
>>
>>107494459
Google and iOS are invasive and have had multiple leaks or loss of that data. The biggest victims of these data leaks and poor handling are our elderly. They are also willing to eat federal fines via overreach and keep getting caught doing it. You do not buy a 1k device just to teach others how to market and manipulate you after. You also don't spend 1k on a device to give said company profit in perpetuity.
>>
>>107494537
My bank's app sucks and doesn't even have some of the most useful features I get on the website version. The app is also closed source and in my threat model that means it's insecure by default.
>>
>>107494243
>No I think the average person should not want to be harvested after the sale
normies don't give a fuck, I talked to a few and they consciously do it. someone told me he actually wants his data used, because he enjoys the targeted ads. I shit you not. he said the ads are good for him as it shows him what he wants to buy, and buys it.
stop caring about normies, stop trying to save them, they do not want to be saved, they know what they are doing, they're complacent, they don't care. corporations know this, based on the harvested data. it's a match made in heaven. few understand this around here
>>
>>107494609
>data leaks
How does a hardened phone OS prevent that? Everything you do online is tracked, sent to a data center, and sold. People will think they're secure for installing graphene os then be surprised when pornhub leaks their viewing history and the same password they use for their bank.
>>
>>107494492
>repost to spread 1kb of christmas joy
>2KB
>>
>>107494631
Where did I say I care about normies?
I'm saying why one would want to not give them access to one's data.
>>107494637
Prevents them from getting the data in the first place, google and apple force you to agree to their data harvesting terms and you even get punished for opting out. For example if you opt out of allowing google to use AI on your gmail account you lose access to features that were available to Gmail before the ai push and new terms.
Custom android roms are the only thing that allows you to do that sadly. While apple is less aggressive, apple is constantly fucking you up the ass one way or another especially with device ruining updates because they are too cowardly to reduce the years of support they offer.
>>
>>107494582
Who tf is ivsott
Why are you dumbfucks so gullible in believing anything you read
Pol really ended this once great site
People actually were able to parse bullshit at one point, before some retard says this place was always shit
>>
>>107494610
>closed source
It's your bank. What are they gonna do, hack you and steal your... bank info? Is the threat model your bank stealing your own bank info?

And personally I'd rather have my banking on a separate more secure platform where I do much less web browsing (biggest vector for viruses by far).
>>
>>107494680
They can gather data from other apps and use that data for marketing and more profit.
Do you even understand how data is used?
Why are you a product when you're a customer?
Do you know who caused our last financial collapse?
>>
File: file.png (4 KB, 457x39)
>>107494671
4chud inflates it
https://files.catbox.moe/a4lo4l.jpg
>>
File: woj.jpg (23 KB, 474x517)
I just use GrapheneOS on my phone and GNU/Linux on my PC. I realize that feds can access my phone modem (proprietary malware blobs) and my processor's ring -3, but this is the best I can do right now. I don't care, still better than using apple, microsoft or stock android malware. The endless doomposting must stop.
>>
>>107494785
They get fucked up the ass by corpos and seethe when you're unmolested with a tight asshole
>>
I would like to use Android as a VM in Linux, but both Waydroid and Android-x86 suck. There are issues with vertical display, and most apps only work in vertical orientation. Additionally, it uses x86 architecture, which means many apps are not available.

What I need is an Android VM that displays vertically despite the desktop being horizontal and virtualizes ARM64 instead of x86.
>>
>>107494836
If this can be achieved, then I no longer need to install any apps on my phone. I have always felt compromised installing apps on my phone because I don't have the option to do it on desktop.
>>
>>107494836
Just use flatpak
>>
>>107494884
This is not the case, I use some services that are only available as an android or iphone app.
I would like to contain them in a VM instead of installing on my phone.
>>
>>107492870
GrapheneOS + other AOSP forks and most GNU distributions use Linux as their kernel. AOSP (and especially GrapheneOS) indeed is much more secure than any GNU/Linux distro. Secureblue tries to make the best of it but still doesn't have the sandboxing or hardware security features that GrapheneOS takes advantage of, which makes it much less secure.
>>
>>107494916
I recommend everyone to do the same, don't install too many apps on the phone. No matter how much GrapheneOS claims for its security, it can't get around that it will always be broadcasting your location and IMEI to cell towers, even without a SIM.
>>
>>107495010
Airplane mode completely disables the modem. Which is recommended if you want to use your phone privately. It still is almost as secure because of how it separates the modem from the rest of the system with iommu. But using a separate device for cellular connection (if you need it) would be even better. If you really are paranoid and afraid of 0days you should also avoid Bluetooth and WiFi and just use a USBC dongle with Ethernet to connect to any network.
>>
>>107495077
A phone has all those built in to the chip. I don't trust a phone no matter its features because I want those components to be physically detached.
>>
>GrapheneOS user considers
Stopped reading right there. I guess they seethed about it on xitter?
>>
File: 1764753496614497.jpg (196 KB, 735x730)
>>107492870
as long as you are not in control of the hardware software can fundamentally not be secure no matter what
the concept of secure software will always be an absolute meme
>>
>>107493093
>gets charged with premeditated murder
>immediately shares it on Elone Muschetti's website
Uhm, gebaseerd?
>>
>>107493093
Every OS on a phone is a meme. A phone simply cannot be trusted.
>>
>>107495077
Airplane mode only disables user access to the hardware, it is still on and tracking you.
>>
>>107495077
>turn on airplane mode
>phone still somehow knows my location and allows me to navigate in map apps
I guess GPS is some sort of passive receive only signal but if my phone can receive random waves then the feds can still send it a signal to turn off airplane mode.
>>
>/g/ still not realizing GrapheneOS is the biggest fed OP since Operation Trojan Shield
>>
>>107495125
I can't speak for proprietary operating systems, but a device with GrapheneOS will completely disable the cellular modem when airplane mode is enabled. If you have any proof it doesn't please provide it.
>>107495504
In some devices with some operating systems it indeed does that. A pixel with GrapheneOS doesn't. But if you have any other experience and/or proof of it doing anything else it says, please provide it.
>>107495531
Depending on the software you use, a lot of data is collected and used to determine your location, including WiFi access points and their physical location. GPS alone normally shouldn't be able to determine your location externally, but if combined with any spying apps and an internet connection it certainly can and does. So don't expect to use something like google maps privately. Using GrapheneOS with something like comaps or organic maps will certainly be private and nobody will be able to determine your location unless you share it in any other way.
>>
>>107492870
>no reasoning behind it
Why even read a fucking tier list? Are you goddamn stupid, son? You better sort yourself out.
>>
>>107495540
You're upset your phone can't escape google
>>
>>107492870
That's true.
Single library or executable on your system compromised -> all your data as a user can now be extracted, deleted, altered, encrypted, whatever else the attacker wants.
By design. Hardly anything is run as different users, with SELinux/Apparmor or in a namespace.
What kind of "security" does the average Loonix system even have. It's basically just "let's hope the package repos are safe and that the software is bug free".
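Added example for the post above, not code from the thread or from any project: it makes the "single compromised library or executable gets all your data" point concrete by listing which well-known credential and session-token locations under a home directory are readable by the calling process. Without a sandbox that is the full set any program, plugin or library you run as yourself can read and exfiltrate. The path list is the usual defaults and is an assumption to extend; the directory the demo runs against is a constructed throwaway, not a real home.

```python
import os
import stat
import tempfile

# Well-known credential and session-token locations, relative to $HOME.
# Browser profile dirs hold cookies and saved logins; the rest are
# long-lived credentials. Extend to taste.
SECRET_PATHS = [
    ".ssh/id_rsa", ".ssh/id_ed25519", ".ssh/config",
    ".gnupg/private-keys-v1.d",
    ".aws/credentials", ".kube/config", ".config/gh/hosts.yml",
    ".netrc", ".git-credentials",
    ".mozilla/firefox", ".config/chromium", ".config/google-chrome",
    ".bash_history", ".zsh_history",
]


def readable_secrets(home: str) -> list:
    """Paths under `home` that exist and that the calling process can read.
    os.access() answers for the real uid/gid, i.e. for every unsandboxed
    program, library and plugin you run as yourself."""
    found = []
    for rel in SECRET_PATHS:
        path = os.path.join(home, rel)
        if os.path.exists(path) and os.access(path, os.R_OK):
            found.append(rel)
    return found


def loose_permissions(home: str) -> list:
    """Subset of SECRET_PATHS that are group- or world-readable. These are
    reachable even from another local user or a service account, not just
    from code running under your own uid."""
    loose = []
    for rel in SECRET_PATHS:
        path = os.path.join(home, rel)
        try:
            mode = os.stat(path).st_mode
        except FileNotFoundError:
            continue
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            loose.append(rel)
    return loose


def make_demo_home() -> str:
    """Constructed throwaway home directory so the audit runs without
    touching a real one: an ssh key with sane 0600 perms and a
    .git-credentials file left at 0644."""
    home = tempfile.mkdtemp(prefix="demo-home-")
    os.makedirs(os.path.join(home, ".ssh"), mode=0o700)
    key = os.path.join(home, ".ssh", "id_ed25519")
    with open(key, "w") as f:
        f.write("-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder)\n")
    os.chmod(key, 0o600)
    creds = os.path.join(home, ".git-credentials")
    with open(creds, "w") as f:
        f.write("https://user:token@example.invalid (constructed placeholder)\n")
    os.chmod(creds, 0o644)
    return home


if __name__ == "__main__":
    home = os.path.expanduser("~")
    print("readable by any process running as you:", readable_secrets(home))
    print("also readable by other local users:", loose_permissions(home))
```

Run it as yourself and then from inside a flatpak or bwrap sandbox with only the needed paths bound in; the difference between the two lists is the access a sandbox actually removes, and the `loose_permissions` list is what a separate-uid design (the Android model the thread is comparing against) would still need fixed.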
>>
>>107496322
erm something something non executable memory space

its pathetic
>>
>>107493002
It supports both, its just a pain to set up because Secure Boot was a Microsoft “innovation” that requires you enroll your own keys or use signed kernel versions from some third-party vendor
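Added example for the "enroll your own keys" part of the post above, not code from the thread or from any tool: it builds and parses the EFI_SIGNATURE_LIST blob that the PK, KEK, db and dbx variables hold and that your own certificate has to be wrapped in before enrollment (the same layout cert-to-efi-sig-list, sbctl and sbkeysync produce). The type GUIDs are the UEFI spec values; the owner GUID, the "DER certificate" bytes and the hash entries are constructed placeholders, since the format wraps the DER without parsing it.

```python
import struct
import uuid

# Signature list entry types from the UEFI spec.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian, GUIDs in
# mixed-endian "bytes_le" layout).
ESL_HDR = struct.Struct("<16sIII")
OWNER_GUID_LEN = 16


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, entries) -> bytes:
    """Wrap `entries` (DER certs for X509 lists, 32-byte hashes for SHA256
    lists) into one EFI_SIGNATURE_LIST. Every entry in a list must have the
    same size, which is why X509 lists normally carry one cert each."""
    if not entries:
        raise ValueError("empty signature list")
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("entries in one list must be the same size")
    sig_size = OWNER_GUID_LEN + sizes.pop()
    list_size = ESL_HDR.size + len(entries) * sig_size
    out = bytearray(ESL_HDR.pack(sig_type.bytes_le, list_size, 0, sig_size))
    for entry in entries:
        out += owner.bytes_le + entry          # one EFI_SIGNATURE_DATA
    return bytes(out)


def parse_esl(blob: bytes):
    """Parse a concatenation of EFI_SIGNATURE_LISTs (the contents of a
    PK/KEK/db/dbx variable or a .esl file) into
    [(type_guid, [(owner_guid, data), ...]), ...], validating every length
    field so a truncated or oversized list cannot run past the buffer."""
    lists, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HDR.size:
            raise ValueError("truncated list header")
        stype, lsize, hsize, ssize = ESL_HDR.unpack_from(blob, off)
        if lsize < ESL_HDR.size + hsize or off + lsize > len(blob):
            raise ValueError("bad SignatureListSize")
        body = blob[off + ESL_HDR.size + hsize: off + lsize]
        if ssize <= OWNER_GUID_LEN or len(body) % ssize:
            raise ValueError("bad SignatureSize")
        entries = [(uuid.UUID(bytes_le=body[i:i + OWNER_GUID_LEN]),
                    body[i + OWNER_GUID_LEN:i + ssize])
                   for i in range(0, len(body), ssize)]
        lists.append((uuid.UUID(bytes_le=stype), entries))
        off += lsize
    return lists


# Constructed inputs: a deterministic placeholder owner GUID, a stand-in for
# a DER-encoded certificate, and two stand-in SHA-256 hashes (dbx style).
OWNER = uuid.uuid5(uuid.NAMESPACE_DNS, "example.invalid")
FAKE_DER = b"\x30\x82\x01\x00" + b"constructed DER placeholder " * 4
HASHES = [bytes([0xAA]) * 32, bytes([0xBB]) * 32]


def demo():
    """A db-style variable value: one X509 list followed by one hash list."""
    db = (build_esl(EFI_CERT_X509_GUID, OWNER, [FAKE_DER])
          + build_esl(EFI_CERT_SHA256_GUID, OWNER, HASHES))
    return parse_esl(db)


if __name__ == "__main__":
    for guid, entries in demo():
        kind = "X509" if guid == EFI_CERT_X509_GUID else "SHA256"
        print(kind, [(str(owner), len(data)) for owner, data in entries])
```

A bare signature list is only half of enrollment: to write it into PK, KEK or db outside setup mode it must be wrapped in an EFI_VARIABLE_AUTHENTICATION_2 descriptor and signed by the key one level up (PK signs KEK updates, KEK signs db updates), which is what sign-efi-sig-list or sbctl do, and the kernel or unified kernel image then has to be signed with the db key (sbsign) or firmware will refuse it.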
>>
>>107492870
OpenBSD doko?
>>
Yet all the servers run on linux while grapheneOS is used for nothing serious.
>>
>>107492914
Secureblue and qubes both compromise on performance, so what's the point? Linux still makes the correct choice.
>>
>>107496444
Isn't that mostly containerized
>>
>>107492870
Counterpoint, GrapheneOS runs on the Linux kernel. There is a significant difference between Debian and Android, and it's in the software deployed on them, not the kernel (although kernel config will vary, it's still the same code). I'd disagree that stock Android is harder to get an exploit chain on than iOS as well, they tend to play catch-up to whatever Apple is doing, but they admittedly don't have to deal with the issues that Apple's Smalltalk-inspired message passing can cause.

Furthermore, the average person does not need to worry about complex exploit chains being used to get their shit, they need to worry about installing dumb shit, clicking on dodgy links, and giving their sign-in info to randoms. High-level exploits are reserved for corporate and political targets, not Joe Bloggs. And Linux in that regard typically plays no part in the exploit, it’s normally an exploit in server software.

Regardless, Linux lets you hang yourself, and assumes you know what you’re doing. You can harden the shit out of it if you have the hardware and time to configure it properly.
>>
>>107493093
Without knowing anything I'm just going to guess he posted a selfie from the crime scene with the victims body in the background to his full name facebook account?
>>
>>107494459
Bank apps, photos, emails, all your credentials. The integrated nature of this on phones, and their ubiquity, means having one is a very robust view into someone’s life and a treasure-trove of information that can be used for blackmail, identity theft, targeting further victims and so on. Someone’s gaming PC they use once a week is comparatively worthless.
>>
>>107495531
Typical conspiracy retard. Wifi is used for location as well.
>>
>>107492970
I mean, he's not wrong. Phones are considerably more locked down and thus harder to take advantage of (at the cost of usability). Linux out of the box is also less secure than Windows or Mac (maybe Fedora isn't because of SELinux).
>>
File: insecure.png (98 KB, 817x561)
oh
>>
>>107494836
Waydroid can do ARM to x86-64 at a pretty decent speed in my experience, using libhoudini or libndk. There’s a script that largely automates it here: https://github.com/casualsnek/waydroid_script

Graphics can be a bit spotty depending on GPU vendor. Some stuff like Banking or streaming apps won’t work either without dodgy fragile hacks to spoof Google SafetyNet, which is the actual blocker to a more open and accessible android ecosystem. Only devices blessed by Google will pass those checks in full
>>
>>107496444
Yet all linux servers run in virtualized environments hosted on Windows.
>>
>>107496891
What are you talking about? Docker?
>>
>>107492937
its like fashion, the very top and bottom don't care or don't need security and the middle classes worry about being policed by institutions and peers
>>
>>107496937
No, the underlying environment is Windows. Every major company on earth does this. You will NEVER find a RHEL server running on bare metal at the CIA for example because Red Hat won't guarantee a support contract due to the nature of the OS. It's always virtualized.
>>
>>107496968
The CIA isn't a company and I don't buy that cloud providers like AWS and Google Cloud are virtualizing everything on top of Windows as that would be a huge unnecessary waste of resources and would come with performance penalties for them. OVH for instance uses OpenStack. OpenStack is used by lots of companies around the world for their cloud computing infrastructure and it doesn't use Windows.
>>
These are the same tards that think measured boot is worse than verified boot btw.
>>
File: linux security.png (290 KB, 1864x1248)
>>107492870
Linuxsisters it just keeps getting worse. GrapheneOS has exposed desktop Linux as an insecure joke.
>>
>>107498263
actual trvke, the user identity should be inputted prior to the boot sequence with a hardware signature and every application runs under that users context
>>
>>107498263
Though he also says Windows isn't great either. It seems macOS is doing the best in the desktop space.
>>
>>107493063
He's not wrong, but imagine browsing the internet with no adblock
>>
>>107492870
>Trust me bro
Tell me about the CopperheadOS. The one that the creator of GrapheneOS was involved in.
>>
>>107493731
qubes is really hard to reliably set up. i've had multiple instances of leaky dns in appvms connected to a sys-vpn netvm. if i can't trust that, how can i trust the rest of the system, which mind you, has outdated templates everywhere.

nftables was a mistake and has singlehandedly stopped me from continuing to use qubes
>>
File: debian.png (1002 KB, 1821x3547)
Another blow to desktop Linux, and especially Debian
>They typically go years without shipping important patches unless a CVE is assigned, which it often isn't. If a CVE is assigned, it might be shipped quickly but often isn't. They're also notorious for introducing downstream security vulnerabilities, far beyond the most well known examples like the Debian weak key issue.

Even Fedora's famed SELinux, considered the peak of desktop Linux security, gets trashed by Graphene.
>There's very little use of sandboxing and SELinux MAC policies are very basic and barely used to do anything, especially for a desktop. Debian is much worse but privacy and security are very stagnant for that ecosystem as a whole.
>>
File: distros.png (688 KB, 1850x2620)
Graphene says Debian is TRASH. Fedora and Arch are better.
>>
Too lazy to keep screenshotting these so I'm just going to drop some quotes. You can go to Graphene forums open his account and scroll yourself to confirm

>No, Debian has a massive amount of people who are trusted with nearly zero vetting or oversight. Many have demonstrated they're highly untrustworthy. Many have actively abused their positions. Debian trusts not only the upstream developers but also this large group of additional people, who are much less trustworthy overall than the upstream open source developers based on their actions and statements. Flatpak does not provide a proper app sandbox or permission model but it's at least substantial progress towards it.

>Firejail also has a history of extraordinarily poor security and does not do what it's supposed to do.

> Debian adds an extremely large number of people, many of whom have demonstrated themselves to be highly unethical and untrustworthy. They're not just writing source code since what they write is trusted to obtain and build the packages. Not doing the builds themselves doesn't mean they can't include and ship binaries themselves. Many Debian packagers participating in things like stalking and harassment heavily draws into question trusting the software. It is a much different situation than most community or corporate projects. It's a huge number of people who are trusted and there's nearly nothing done to make sure that group of people is trustworthy or to address people demonstrating they're untrustworthy.

>Debian has a much worse track record when it comes to updates and introducing downstream vulnerabilities than most other mainstream Linux distributions.
>>
>>107492870
i can't believe a frog thread died for this.
>>
>>107498619
You do know the history of Debian right?
Fedora will by nature be more cutting edge on security, how is this even a hot take?
>>
>>107492870
>Pajeet telecum worker can sim swap and rape your ass anytime he wants
>Secure
Phone fags are delusional
>>
>>107498733
>social engineering is a system security flaw
erm
>>
>>107498733
>getting tricked by a jeet
Really nigga?
>>
>>107492870
the linux ecosystem has good privacy at the expense of security. the kernel project is just total amateur hour in general, where dozens of corpo giants rape what few overworked slaves are maintaining the project under pimp linus' rule
>>107492987
the reason everyone in the tech world considers this specimen peak cancer is because of the way he maliciously conflates security with privacy like that.
>>
>>107493093
and like the openbsd fags they'll all deny and deflect. what's the point of a security os that mommies and lectures you harder than apple but not having plug and play security? lemme answer that, it's because security isn't opsec. security isn't privacy. and while privacy is not anonymity, security is most definitely not anonymity.
anonymity is needed for whistleblowers to not be found out and targeted. privacy is needed for glowniggers to not obtain incriminating evidence on you. security is needed so corporations don't get their systems blown wide open for leaks or other forms of PR disasters, or discord kids getting ratted for being retarded (which is bad for corpo PR too). two of them have no use for corpos and one of them has negligible utility for any normal person.
>>
>>107494147
how do you verify that the AI is actually on (you)r side and not (((pozzed)))? running it locally isn't enough, and even it being FOSS might not be enough
>>
>>107494274
qubes uses (((fedora)))?
dropped.
>>
>>107494347
this is precisely why I call micay a glownigger without hesitation
>>
>>107494537
your desktop PC won't be stolen right out of your hands when you're doing banking, but a phone will.
>>
>>107496544
>it requires gayland
dropped
>>
All of the complaints about Linux security they made were before SecureBlue and similar projects came out. Have they explained why Secureblue is shit yet?
>>
>>107496463
>Linux still makes the correct choice.
Yes, Secureblue does. Other distros, no.
>>
>>107501102
>>107501428
I really dislike the many spins of the same OS they produce. Why can't the developers simply create a script that applies to your current OS?
I'm not a fan of Fedora, but I'd like to apply the same hardening on other distro.
>>
>>107501562
>Why can't the developers simply create a script that applies to your current OS?
>I'd like to apply the same hardening on other distro.
artificial barrier of entry that costs money, whether it's your time switching distros or giving it to red hat to do it for you
>>
>>107492870
damn winnie! look at the size of that honeypot!
>>
>>107501562
>Why can't the developers simply create a script that applies to your current OS?
Multiple reasons. This doesn't just simply change settings and configs. Some hardening is done at a compile level, so you have to swap out your binaries. Also, some of the changes are removing parts of Fedora, like fuse2, which would break some people's software since it's a requirement for Appimage. Imagine running a security script which breaks all your apps. This is ultimately much easier for both users and devs.
It's the same reason why GrapheneOS isn't an Android app. That would be some delusional fantasy of a person who has no idea how software and software distribution works.

>I'd like to apply the same hardening on other distro.
You'll have to do it yourself then. Maintaining a script for all the possible distros is moronic and unmaintainable. You'd have to cover every single edge case of every single upstream and DE combination.

They're already pushing fixes to upstream when the upstream wants to accept them. The rest is something regular distros don't want, mainly out of fear of breaking software for existing users.

https://secureblue.dev/features
>>
>>107501770

Kicksecure hardening script covered half of these features. I even tried that on a non-Debian system, although I had to tweak some things to work. But I can say the hardening works universally across distros.

Most of these features are just simply install the right packages and set up the right configurations.

About swapping binaries, yeah that requires some testing, but other than that a hardening script can be done easily.
>>
>>107501770
>It's the same reason why GrapheneOS isn't an Android app. That would be some delusional fantasy of a person who has no idea how software and software distribution works.
This is an unfair comparison, Android by default doesn't allow root access, preventing any configuration from being made.
As for desktop linux, you can recompile binaries as you wish, having the ability to turn it to completely different system as you desire. Everything is doable. Delusional your ass.
>>
>>107492870
>GRAPHENE

lmao there was a post a few days ago about how police broke into graphene no problem, it was some murderer
>>
>>107501957
If this doesn't prove how useless GrapheneOS is, I don't know what will.
>>
>>107493093
>>107501957
HoneypotOS confirmed.
>>
>>107492870
>stock android
>more secure than iOS
lmao
>>
>>107501947
>android by default doesn't allow for root access preventing from any configuration to be made.
Even if it did, maintaining GrapheneOS and flashing it would still be a more guaranteed way to ensure your system is secure compared to running "graphene-my-android.sh" on any Android ROM. Having a provably secure base OS is far more valuable than a security script that applies onto an existing system.

>you can recompile binaries as you wish
And risk breaking userspace, especially if you've already previously modified your OS by running root-level package managers (something existing Linux users do often) and adding 3rd party repos or AUR packages. A script cannot account for all that. Nor can it account for an already exploited system.
It would only make sense running it after a clean install. And you'd still always have to hope that the upstream doesn't push some incompatible update which either breaks your system or overrides the security patches.

>Delusional your ass.
It is, because it's simply unmaintainable and inefficient. Especially on desktop Linux which is far more fragmented than Android. If Fedora was the only distro to exist and only KDE or GNOME existed then it would be doable, but still less convenient and it would still not fix the issues mentioned above.

>Everything is doable.
Useless statement. Anything is doable given infinite time, resources and money. So yes, you'd have to be delusional to think anyone has this.
>>
>>107502293
As I mentioned, a script can handle the installation of packages (on default repo) and configurations. I didn't mention it needs to do compilation as well.
>>
>>107492870
So they consider Linux less secure than.....Linux.
>>
>>107493731
Windows 10/11 has hypervisor protection (HVCI)
>>
>>107501102
GrapheneOS says SecureBlue is a good project and is making progress toward making security on Linux better.
>>
>>107492870
This retard equates closed down OSes as secure. What a charlatan.
>>
I think I heard one computer security expert (Mikko Hyppönen, guy from F-Secure) say something similar in an interview, that phone OSes are much more secure than desktop OSes.
>>
>>107493842
depends on your threat model
>>
>>107492870
If your definition of secure is
>i want to run untrusted, potentially malicious code and be reasonably sure that it won't be able to compromise my whole system
then this list is just obviously correct. A limited, locked down, walled garden system is naturally going to withstand that better than a fully open and flexible one.
>>
>>107502800
>SecureBlue is a good project
Actually I inferred this part but he did say SecureBlue is making progress. Even SecureBlue themselves say desktop Linux is not secure right on their home page
>secureblue is for those whose first priority is using Linux, and second priority is security. secureblue does not claim to be the most secure option available on the desktop. We are limited in that regard by the current state of desktop Linux standardization, tooling, and upstream security development. What we aim for instead is to be the most secure option for those who already intend to use Linux. As such, if security is your first priority, secureblue may not be the best option for you.
>>
>>107492870
ITT: Faggots who willingly abandon their liberties for a faux sense of security
99% of modern tech security is basic common sense, if you don't have that then you shouldn't be using any electronics
>>
Have an old Pixel 5a that I've been wanting to resurrect. I had Calyx on it and left it alone. Then come back to find that project is dead or at least severely cropped. Okay, I'll try Graphene. "This device is no longer supported since September 2024".
So now it's just sitting with Lineage 23.0 on it. Still have no use for it, but I just wanted to share that their opinion is moot in my circumstance. Yes the phone is almost 6 years old, but that doesn't mean much anymore when companies now promise 7 years of updates.
>>
File: 1759312430169171.gif (526 KB, 2560x1600)
526 KB
526 KB GIF
>>107492910
Fifth grader explanation:

If your /usr/bin/firefox gets pwned, what keeps your $HOME from getting uploaded to a zombie host? Typically nothing, maybe some sort of container or sandbox built in by the distro. How about your linux steam games? How secure are they?

There is no mandatory access control limiting your browser or other application from taking anything in $HOME or anywhere readable. Android uses SELinux to enforce security boundaries between apps and app storage. A pwned Firefox on Android is just going to live in Firefox's box and only see what Firefox can see on the device.

Of course, I am sure they give honorable exception to the chaddiest linux on the net... Qubes OS!
>>
>>107503595
Pixel 5a was the last Qualcomm based phone and thus only had three years of support. Pixel 6 and 7 have five years of support and Pixel 8 and later have 7 years. It's still possible Pixel 6 will be supported longer since they use their own SoCs.

Pixel 6 was released a few months after the 5a and is still supported.
>>
>>107503595
>companies now promise 7 years of updates
Sure, but this wasn't the case 7 years ago. Firmware updates are handled by whoever is making the phone's SoC. That's why Fairphone 5 opted into using a Qualcomm chip made for IoT devices rather than phones, since at the time no other (affordable) chip promised more than 2 years of updates. And that's also why Apple, Google and Samsung are making their own SoCs.
>>
Wow I'm impressed /g/, a GrapheneOS thread that hasn't devolved into pure shitflinging yet.

>>107493837
This, and
>>107499546
>the reason everyone in the tech world considers this specimen peak cancer is because of the way he maliciously conflates security with privacy like that.
This.

Privacymaxxing necessarily means sacrificing some security, but if you make yourself uninteresting through proper opsec it doesn't even matter
>>
>>107492870
>user
users are irrelevant. the thing inside a thing is controlled by the outside thing. there is no security
>>
>>107492987
Graphene devs eternally seething over e/os will never get old
>>
File: 1746389777062047.png (385 KB, 1151x687)
385 KB
385 KB PNG
>>107498406
>Tell me about the CopperheadOS. The one that the creator of GrapheneOS was involved in.
Not a lot of loyalty for a hired developer!
>>
Yeah GrapheneOS is so secure..
... Until you do something the owner doesn't like and he fucks with your shit, like what happened with Louis Rossmann.
>>
>>107492870
>>107492910
Is Linux seriously worse than Windows? Or is this a shovel salesman proclaiming that pickaxes suck?
>>
>>107506164
I can't tell what they think exactly about Windows vs. Linux, but it seems Graphene really insists anything Debian related is terrible.
>>
>>107504829
>Privacymaxxing necessarily means sacrificing some security
In what way? You can privacymaxx AND securitymaxx with tools like Qubes/Whonix. Compartmentalization and identity separation are key components for preserving privacy because it limits the ability of services you're interacting with to cross-correlate your data and build a more complete profile of you.
>>
>>107506314
Graphene says Whonix/Kicksecure is untrustworthy and doesn't provide any hardening anyway.
>Kicksecure has very poor security and is not a hardened OS at all. It inherits the poor security of Debian and has almost no actual hardening included. They used to have more hardening than they do now but dropped nearly all of it. The person who was working on most of it stopped contributing and what's left is a project claiming to be hardened while being significantly worse than many mainstream Linux distributions like Fedora. Kicksecure is even trying to interfere with actual hardening efforts and spreading misinformation about projects like hardened_malloc to discourage people from using them. Kicksecure doesn't do useful work and is harming people. Neither Kicksecure or Whonix is trustworthy and the fact that Whonix gets so frequently naively promoted is problematic. Whonix should be completely replaced by a serious project with developers who understand and care about security.

>The secureblue project is doing actual hardening work while Kicksecure largely does the complete opposite.
>>
>>107506345
Well I mentioned Qubes-Whonix which is slightly different. Enforce sandboxing through Xen and it doesn't really matter if Kicksecure is secure or not. Under that model, the only code you have to trust is the Xen code, which is a lightweight code base less than 0.1% of the size of any Linux kernel, therefore it is easier to audit for security holes. These projects trying to do OS-level sandboxing while still making the kernel the most privileged component of the OS are all doing it wrong IMO.
>>
>>107492870
Dumbass nigga is dickriding iOS, macOS and Windows, meanwhile they are all proprietary and have a government backdoor.
>>
>>107492870
I love storage scopes and the fine grain permissions on GoS. Linux has a smelly program called AppArmor that's a huge pita to use and operate, and even after configuring it, the confidence I have with it actually, for example, disabling microphone access for vscode, is wayy wayy WAY behind the confidence and peace of mind I have with GoS
>>
>>107508549
Even assuming this is true they are still more secure than Linux. A backdoor only the government can exploit is less of a risk than an insecure system anyone can exploit.
>>
>>107492870
desktop operating systems (linux and windows in particular) don't have proper sandboxing.
>>
>>107498327
>what is adguard dns
>>
>>107510846
If it was true that anyone can exploit Linux then it wouldn't be used for so many public facing services. The fact is that unintended exploits have been found for every operating system - including macOS and most certainly including Windows. If you use your common sense then you are unlikely to get owned on any operating system. But the way that Windows normies use Windows kind of opens them up to getting exploited. Almost every Windows normie runs sketchy .exes from time to time. Windows might warn them "this might be malware" but everyone just ignores that for the most part. Running .exes without checking signatures is normalized on Windows. On Linux you're supposed to install software through package managers which only contain vetted, signed software from known sources.
>>
>>107506164
most linux distros are less secure out of the box, especially in the DE department, because they lack isolation. and wayland is still very far behind macOS and windows in the isolation department
selinux/apparmor are ways to counter this, but even if they're installed (debian/rhel based OSs come with one or the other preinstalled) there aren't many software profiles set up. rhel stuff does come with working selinux profiles, which imo makes red hat OSs a step above every other linux distro out of the box. you can create apparmor profiles yourself, if you want, and then your i.e. debian distro can be pretty locked down, but it doesn't come like that out of the box like windows does

arch is a big outlier with this. i bet most archbabbies don't even know what selinux or apparmor are, or what secure boot is. all of these are a huge pain in the ass to set up under arch
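The "fifth grader explanation" post above (a pwned Firefox reads all of $HOME unless a MAC policy confines it) and the reply just above (SELinux/AppArmor only help where profiles actually exist) both come down to one question a user can answer on their own box: which of my running programs is actually confined? Below is an added Python check, not from the thread and not from GrapheneOS or secureblue. It reads /proc/<pid>/attr/current, the file through which both AppArmor ("firefox (enforce)", "unconfined") and SELinux ("system_u:system_r:httpd_t:s0") report a process's label, and lists the programs with no confinement. The sample labels are constructed for illustration; which programs are confined on any given distro is something to verify, not something the script assumes.

```python
"""List running programs that are not confined by AppArmor or SELinux.

Added example (not from the thread). Both LSMs expose a process's label in
/proc/<pid>/attr/current:
  AppArmor: "unconfined", "firefox (enforce)", "/usr/bin/evince (complain)"
  SELinux:  "user:role:type[:range]", e.g. "system_u:system_r:httpd_t:s0"
On SELinux the unconfined_t domain is what a process gets when no dedicated
policy applies, so a label in that domain means "no effective confinement".
"""
import os
import re

# SELinux context: user:role:type, optionally followed by an MLS/MCS range.
_SELINUX = re.compile(r"^([^:\s]+):([^:\s]+):([^:\s]+)(?::|$)")
# AppArmor confined process: "<profile name> (enforce|complain|kill)".
_APPARMOR = re.compile(r"^(\S.*?) \((enforce|complain|kill)\)$")


def classify_label(label: str) -> tuple[str, str]:
    """Return (lsm, verdict) for one attr/current value.

    verdict is 'confined', 'complain' (profile loaded but only logging),
    'unconfined' or 'unknown'.
    """
    label = label.rstrip("\x00").strip()
    if not label:
        return ("none", "unknown")
    m = _SELINUX.match(label)
    if m:
        domain = m.group(3)
        return ("selinux", "unconfined" if domain.startswith("unconfined") else "confined")
    if label == "unconfined":
        return ("apparmor", "unconfined")
    m = _APPARMOR.match(label)
    if m:
        return ("apparmor", "complain" if m.group(2) == "complain" else "confined")
    return ("none", "unknown")


def audit(entries):
    """Map each program name to its verdict; if a name occurs more than once, keep the weakest."""
    rank = {"unconfined": 0, "unknown": 1, "complain": 2, "confined": 3}
    result = {}
    for comm, label in entries:
        _, verdict = classify_label(label)
        if comm not in result or rank[verdict] < rank[result[comm]]:
            result[comm] = verdict
    return result


def unconfined_names(entries):
    """Sorted names of programs running with no MAC confinement at all."""
    return sorted(c for c, v in audit(entries).items() if v == "unconfined")


def live_entries():
    """Yield (comm, label) for every process this user may read. Assumes Linux /proc."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/attr/current") as f:
                label = f.read()
        except OSError:
            continue  # process exited, or the kernel exposes no label
        yield (comm, label)


# Constructed sample: what a mixed AppArmor/SELinux survey might look like.
# Which programs are really confined on a given distro must be checked, not assumed.
SAMPLE = [
    ("firefox", "unconfined"),                      # no AppArmor profile loaded for it
    ("firefox-esr", "firefox-esr (enforce)"),       # profile loaded and enforcing
    ("cupsd", "/usr/sbin/cupsd (enforce)"),
    ("evince", "/usr/bin/evince (complain)"),       # profile only logs violations
    ("steam", "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"),  # SELinux default domain
    ("httpd", "system_u:system_r:httpd_t:s0"),      # dedicated SELinux domain
]

if __name__ == "__main__":
    import sys
    entries = list(live_entries()) if "--live" in sys.argv else SAMPLE
    for comm, verdict in sorted(audit(entries).items()):
        print(f"{comm:20} {verdict}")
    print("unconfined:", ", ".join(unconfined_names(entries)) or "(none)")
```

Run it with `--live` on a real machine to survey your own processes; `complain` mode profiles count as loaded but not enforcing, which is why they get their own verdict rather than passing as confined.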
>>
>>107498263
>>107498263
>>107498519
>>107498575
Based
>>
>>107511903
GrapheneOS account says Arch is better than any Debian distro, I think even in the absence of AppArmor. He doesn't seem to put much stock in either AppArmor or SELinux.
>>
>>107493005
Logind protects you there even if the lockscreen fails, and the real "password bypass" issue is never in the lockscreen, it's in the PAM modules. The pluggable architecture of PAM is a security nightmare. It does lead to some very cool things, like you can extend the authentication to support 2FA or fingerprints or anything you want, but that comes at a cost.
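The PAM point above (authentication is decided by the module stack in /etc/pam.d, so control flags and ordering matter) as an added Python script, not from the thread: a small parser for pam.d syntax plus an audit of the auth group that flags a `sufficient` pam_permit.so (success before any credential is checked), a `sufficient` module placed before a second factor (the later module never runs once the first succeeds), and pam_unix.so with `nullok` (empty passwords accepted). The sample stacks are constructed; pam_google_authenticator.so appears only as an example of a second-factor module.

```python
"""Audit a PAM 'auth' stack for entries that can end authentication early.

Added example (not from the thread). Input is /etc/pam.d syntax:
    type  control  module  [args]
where control is a keyword (required, requisite, sufficient, optional) or a
bracketed field such as "[success=1 default=ignore]", which may contain spaces.
Findings are (line number, code, detail) tuples; codes:
  permit-bypass  'sufficient' pam_permit.so: stack succeeds with no check at all
  skips          'sufficient' module succeeds before later auth modules run
  nullok         pam_unix.so accepts accounts whose password is empty
"""
import re
from dataclasses import dataclass, field


@dataclass
class PamEntry:
    lineno: int
    type: str
    control: str
    module: str
    args: list = field(default_factory=list)


# type, then a bracketed control field or a single word, then module, then args
_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text: str) -> list:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue  # comments, blanks and includes are not audited here
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        typ, control, module, rest = m.groups()
        # a leading '-' only silences the log when the module is missing
        entries.append(PamEntry(lineno, typ.lstrip("-"), control, module, rest.split()))
    return entries


def ends_stack_on_success(control: str) -> bool:
    """True for controls that return success to the caller immediately."""
    return control == "sufficient" or "success=done" in control


def audit_auth(entries) -> list:
    findings = []
    auth = [e for e in entries if e.type == "auth"]
    for i, e in enumerate(auth):
        if e.module == "pam_unix.so" and "nullok" in e.args:
            findings.append((e.lineno, "nullok", e.module))
        if not ends_stack_on_success(e.control):
            continue
        if e.module == "pam_permit.so":
            findings.append((e.lineno, "permit-bypass", e.module))
            continue
        # Heuristic: later non-optional modules are skipped on success; a trailing
        # pam_deny.so is a fallback that is meant to be skipped, so it is ignored.
        skipped = [
            later.module for later in auth[i + 1:]
            if later.control != "optional" and later.module != "pam_deny.so"
        ]
        if skipped:
            findings.append((e.lineno, "skips", skipped))
    return findings


# Constructed sample stacks (not copied from any real system).
DEBIAN_STYLE = """\
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
"""
PERMIT_BYPASS = """\
auth    sufficient  pam_permit.so
auth    required    pam_unix.so
"""
SECOND_FACTOR_SKIPPED = """\
auth    sufficient  pam_unix.so
auth    required    pam_google_authenticator.so
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python pam_audit.py /etc/pam.d/common-auth
        samples = {sys.argv[1]: open(sys.argv[1]).read()}
    else:
        samples = {"debian-style": DEBIAN_STYLE, "permit-bypass": PERMIT_BYPASS,
                   "second-factor-skipped": SECOND_FACTOR_SKIPPED}
    for name, text in samples.items():
        print(name)
        for lineno, code, detail in audit_auth(parse_pam(text)) or [(0, "ok", "")]:
            print(f"  line {lineno}: {code} {detail}")
```

Note that `required pam_permit.so` at the end of the Debian-style stack is not flagged: it sits after a `requisite pam_deny.so`, so it only ever runs when the jump in the first line skipped the deny, which is the intended flow. The audit is about entries that can decide the outcome on their own.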
>>
>>107514507
Android's entire security model is built around SELinux so he's a complete retard if he thinks there's something wrong with it.

More likely, I suspect his issue with it is that distros don't really add proper policies for it. SELinux is only effective when it has policies enforcing security. It's just sitting there doing nothing and occasionally barking at you otherwise.
>>
>>107514617
Yeah I don't want to represent him, reposting what he said from here >>107498519
>There's very little use of sandboxing and SELinux MAC policies are very basic and barely used to do anything, especially for a desktop.
>>
>>107492870
linux is used in over 9000 different scenarios.
grapheneos is a mostly irrelevant phone OS android derivative. btw, i've never used it.
>>
>>107514649
And that's referring to Fedora specifically. So it's as you said it's about Fedora's SELinux configuration specifically and not SELinux as a whole, and Fedora probably has SELinux configured the most out of any mainstream distro.
>>
>>107514718
I think the problem is the guy builds a toy phone OS whereas Fedora is used all over the place like >>107514669 said.

You can install the SELinux development policy tools and harden it yourself but I think people would start leaving Fedora in droves if they locked it down as much as Android and iOS are. To a certain extent people have become used to having freedom and liberties when using their desktop operating systems.

Mobile operating systems like Graphene either prevent that entirely or give you death by popup permission window. The Linux desktop is going in this direction a bit with things like Flatpaks, and it's easy to see why some people don't like that, for example "Why can't QBittorrent see my external hard drive? What do you mean I have to expressly grant access to that!? Linux sucks. Grr"

Expectations are a bit different on the desktop for better or worse.
>>
File: 1241017716436.jpg (20 KB, 400x259)
20 KB
20 KB JPG
>>107510846
>A backdoor only the government can exploit

eheheheh
"there's this secret passage here but only the gov can use it mmkay?"
>>
>>107514817
>give you death by popup permission window
Some people consider this a good thing and a major advantage that mobile OSes have over desktop.
>>
>>107494117
/thread
great post
>>
>>107514883
I know, especially the security schizo crowd (like the kind that would run Graphene).
It's not exactly a black and white issue though.
>>
File: G7vH8EeXIAAuu2O (1).jpg (87 KB, 968x677)
87 KB
87 KB JPG
>>107514836
>https://www.intel.com/content/www/us/en/support/articles/000008927/software/chipset-software.html
yes there is, it's called Intel ME and they even brag about it retarded fucking jewish cattle KILL YOURSELF GLOWINIGGER
>>
>>107515039

I know what that is
it's just a matter of time before people design how to breach it, it's not impossible, so fun times ahead
anyway, it's in hardware, and we're discussing OS security here, faggot
>>
>>107492870
The problem is not the software, it's the hardware. If all chips are compromised it doesn't matter what OS you are using.
>>
that the security system of unix and linux is flawed for a user is well known, the main point of it is protecting the system, not the user data, which misses the point in any desktop application
i really hate the guys who go "if you config this that way, doing the groups etc., a malware can only access the userspace, your system is protected..." and i am like yeah, my family photos are the unimportant part but my linux install, oh no, how it will be deleted...