We strongly oppose the Unified Attestation initiative and call for app developers supporting privacy, security and freedom on mobile to avoid it.

  • pixelsfanryo@mastodon.social

    @GrapheneOS So if I'm understanding this correctly, what GOS wants is for apps to use an API that will interface with a hardware chip like the titan m2 and will report that the bootloader is locked etc and also report the signing key to apps? Then it would be up to the app to trust that key (which necessitates an allowlist of sorts maintained by apps individually). Is my understanding correct?

    grapheneos@grapheneos.social wrote (#66):

    @pixelsfanryo No, your understanding is not correct. We want apps to start implementing proper server side security protections instead of using obfuscation and weak anti-tampering systems such as this to try to stop people looking at their code and experimenting with their services to find vulnerabilities. Apps shouldn't be enforcing using only specific operating systems. They're welcome to warn people about having an insecure OS but shouldn't be banning users from using what they want to use.

    • grapheneos@grapheneos.social

      Murena and iodé are extremely hostile towards GrapheneOS. They've spent years misleading people about it with inaccurate claims to promote their insecure products. We'll never work with them. Volla, Murena and iodé should have no say in which OS people can use on their devices.

      pingitux@social.tchncs.de wrote (#67):

      @GrapheneOS Well, I don't know what's going on in your heads, but whether people want to use Murena, Volla and co. or GrapheneOS is something the users should decide for themselves... That you can't stand each other, okay, so be it, but delivering a statement like that is below the belt... As a GrapheneOS user, one really has to feel embarrassed on your behalf for that statement... Just because you have now teamed up with Motorola doesn't mean you have to badmouth others so arrogantly... My opinion

      • pixelsfanryo@mastodon.social

        @GrapheneOS If that is the case, then IMO uattest is actually better. A CA like uattest, as bad as it sounds, will probably be more amenable to allowing reasonably secure alternative OS like LineageOS. You only need to persuade one entity. While if each app gets to decide then you have to convince each dev, bank, gov to allow your OS. That doesn't sound very practical. And the uattest proposal can be implemented right now on most devices while most devices don't have a security chip at the moment.

        grapheneos@grapheneos.social wrote (#68):

        @pixelsfanryo No, your understanding is not correct. We want apps to start implementing proper server side security protections instead of using obfuscation and weak anti-tampering systems such as this to try to stop people looking at their code and experimenting with their services to find vulnerabilities. Apps shouldn't be enforcing using only specific operating systems. They're welcome to warn people about having an insecure OS but shouldn't be banning users from using what they want to use.

        • pingitux@social.tchncs.de

          @GrapheneOS Well, I don't know what's going on in your heads, but whether people want to use Murena, Volla, etc., or GrapheneOS, that's up to the users themselves to decide... It's okay if you don't like each other, but making a statement like that is below the belt... As a GrapheneOS user, I feel embarrassed on your behalf... Just because you've teamed up with Motorola doesn't mean you have to be so arrogant... My two cents.

          grapheneos@grapheneos.social wrote (#69):

          @Pingitux Their products aren't at all what they claim but rather have poor privacy and atrocious security. They feel very threatened by GrapheneOS. Murena and iodé have engaged in many years of attacks on GrapheneOS including personal attacks on our team. They've engaged in absolutely vile fabrications and bullying aimed at directing harassment towards our team. Their communities have relentlessly targeted our team with harassment. You're pushing a false narrative about what's happening.

          • pingitux@social.tchncs.de

            @GrapheneOS Well, I don't know what's going on in your heads, but whether people want to use Murena, Volla and co. or GrapheneOS is something the users should decide for themselves... That you can't stand each other, okay, so be it, but delivering a statement like that is below the belt... As a GrapheneOS user, one really has to feel embarrassed on your behalf for that statement... Just because you have now teamed up with Motorola doesn't mean you have to badmouth others so arrogantly... My opinion

            grapheneos@grapheneos.social wrote (#70):

            @Pingitux Their products aren't at all what they claim but rather have poor privacy and atrocious security. They feel very threatened by GrapheneOS. Murena and iodé have engaged in many years of attacks on GrapheneOS including personal attacks on our team. They've engaged in absolutely vile fabrications and bullying aimed at directing harassment towards our team. Their communities have relentlessly targeted our team with harassment. You're pushing a false narrative about what's happening.

            • plym@vmst.io

              @Paul_stilgar
              They have very good reasoning: https://grapheneos.org/faq#future-devices

              And they will be expanding now with their Motorola partnership. GrapheneOS isn't like Lineage, it can't be put on any phone.

              paul_stilgar@mastodon.social wrote (#71):

              @plym

              Sadly Motorola is a US company.

              Now a no go for me.

              • grapheneos@grapheneos.social

                @Pingitux Their products aren't at all what they claim but rather have poor privacy and atrocious security. They feel very threatened by GrapheneOS. Murena and iodé have engaged in many years of attacks on GrapheneOS including personal attacks on our team. They've engaged in absolutely vile fabrications and bullying aimed at directing harassment towards our team. Their communities have relentlessly targeted our team with harassment. You're pushing a false narrative about what's happening.

                grapheneos@grapheneos.social wrote (#72):

                @Pingitux Here's the founder and CEO of /e/ and Murena linking to harassment content from a neo-nazi conspiracy site targeting our founder with fabrications:

                https://archive.is/SWXPJ
                https://archive.is/n4yTO

                Their founder and CEO has regularly engaged in vile personal attacks on our including spreading harassment content directly from Kiwi Farms.

                Debunking lies about GrapheneOS and our team along with providing accurate information countering their false marketing isn't what you claim it is.

                • grapheneos@grapheneos.social

                  @Pingitux Their products aren't at all what they claim but rather have poor privacy and atrocious security. They feel very threatened by GrapheneOS. Murena and iodé have engaged in many years of attacks on GrapheneOS including personal attacks on our team. They've engaged in absolutely vile fabrications and bullying aimed at directing harassment towards our team. Their communities have relentlessly targeted our team with harassment. You're pushing a false narrative about what's happening.

                  grapheneos@grapheneos.social wrote (#73):

                  @Pingitux Here's the founder and CEO of /e/ and Murena linking to harassment content from a neo-nazi conspiracy site targeting our founder with fabrications:

                  https://archive.is/SWXPJ
                  https://archive.is/n4yTO

                  Their founder and CEO has regularly engaged in vile personal attacks on our including spreading harassment content directly from Kiwi Farms.

                  Debunking lies about GrapheneOS and our team along with providing accurate information countering their false marketing isn't what you claim it is.

                  • bebef@mastodon.social

                    @GrapheneOS The same stuff that you need attestation in a phone for usually can be done using just a computer with a web browser. No attestation needed.

                    The only thing that I can think of that requires this attention and integrity stuff is anything shady that you want nobody to look at. 🤔

                    And device ecosystem extortion, of course.

                    grapheneos@grapheneos.social wrote (#74):

                    @Bebef You can do those things on a phone using a web browser too. On the other hand, a lot of functionality is exclusive to mobile apps from banks and governments which are increasingly locking out users from using anything but operating systems approved based on the business models of companies involved in mobile phones. Whether someone can use a device to run a banking app shouldn't be determined based on a decision from either Google or Volla/Murena/iodé. These companies have no place in it.

                    • grapheneos@grapheneos.social

                      @Pingitux Their products aren't at all what they claim but rather have poor privacy and atrocious security. They feel very threatened by GrapheneOS. Murena and iodé have engaged in many years of attacks on GrapheneOS including personal attacks on our team. They've engaged in absolutely vile fabrications and bullying aimed at directing harassment towards our team. Their communities have relentlessly targeted our team with harassment. You're pushing a false narrative about what's happening.

                      pingitux@social.tchncs.de wrote (#75):

                      @GrapheneOS Yes, it may be that their products lag behind in terms of security, data protection, and patch levels.... A few independent bloggers/journalists should critically test their software and deliver an honest article.... Okay, and because they are personally attacking the founder of GrapheneOS, we have to stoop to their level, right?

                      • grapheneos@grapheneos.social

                        We strongly oppose the Unified Attestation initiative and call for app developers supporting privacy, security and freedom on mobile to avoid it. Companies selling phones should not be deciding which operating systems people are allowed to use for apps.

                        https://uattest.net/

                        isf@muenchen.social wrote (#76):

                        @GrapheneOS @adfichter
                        I know what you think of Murena and /e/OS. I know that you prefer hardware attestation for good reasons and reject Google's policy regarding the Play Integrity API. And I know that most banking apps work on GrapheneOS - I myself have been using GrapheneOS with a banking app for many years. But I wonder what to do if more and more app manufacturers get serious and make their apps installable exclusively via Play Integrity API. 1/3

                        • isf@muenchen.social

                          @GrapheneOS @adfichter
                          I know what you think of Murena and /e/OS. I know that you prefer hardware attestation for good reasons and reject Google's policy regarding the Play Integrity API. And I know that most banking apps work on GrapheneOS - I myself have been using GrapheneOS with a banking app for many years. But I wonder what to do if more and more app manufacturers get serious and make their apps installable exclusively via Play Integrity API. 1/3

                          isf@muenchen.social wrote (#77):

                          @GrapheneOS @adfichter
                          Wouldn't it then make sense or be helpful to have something like Unified Attestation as an alternative, even if there are many things to criticize about it? If the only option for me at some point were to have to use stock Android, then I (and many others too) would have a real problem. And it could be that Unified Attestation is then the only usable alternative, even if it's not perfect. 2/3

                          • isf@muenchen.social

                            @GrapheneOS @adfichter
                            Wouldn't it then make sense or be helpful to have something like Unified Attestation as an alternative, even if there are many things to criticize about it? If the only option for me at some point were to have to use stock Android, then I (and many others too) would have a real problem. And it could be that Unified Attestation is then the only usable alternative, even if it's not perfect. 2/3

                            isf@muenchen.social wrote (#78):

                            @GrapheneOS @adfichter
                            That's why I was asking and I'm specifically interested in what, from your point of view, speaks against the Unified Attestation approach from a technical (not political) perspective. And whether Unified Attestation could also be used with GrapheneOS.
                            I also think it would be desirable for the EU to intervene with regulations. But it won't do that; the EU won't do anything against Google's will, and it won't mess with the MAGA regime. We shouldn't wait for that to happen. 3

                            • grapheneos@grapheneos.social

                              @Pingitux Here's the founder and CEO of /e/ and Murena linking to harassment content from a neo-nazi conspiracy site targeting our founder with fabrications:

                              https://archive.is/SWXPJ
                              https://archive.is/n4yTO

                              Their founder and CEO has regularly engaged in vile personal attacks on our including spreading harassment content directly from Kiwi Farms.

                              Debunking lies about GrapheneOS and our team along with providing accurate information countering their false marketing isn't what you claim it is.

                              pingitux@social.tchncs.de wrote (#79):

                              @GrapheneOS Okay, they attacked you, told lies, whatever... Honestly, show some class and don't give a damn about their opinion. After all, you have a community behind you that stands by you... You know, let me put it this way: I tell the world that if it annoys me, I don't give a fuck.. You should try that too when someone gets on your nerves. It works wonders 😉

                              • pingitux@social.tchncs.de

                                @GrapheneOS Okay, they attacked you, told lies, whatever... Honestly, show some class and don't give a damn about their opinion. After all, you have a community behind you that stands by you... You know, let me put it this way: I tell the world that if it annoys me, I don't give a fuck.. You should try that too when someone gets on your nerves. It works wonders 😉

                                grapheneos@grapheneos.social wrote (#80):

                                @Pingitux Our community should help us much more than they do with the attacks being perpetrated against GrapheneOS and our team. If that was happening then it wouldn't be causing nearly as much harm and we wouldn't talk about it as much as we wouldn't feel nearly as much pressing need to provide an alternative to their inaccurate and misleading claims.

                                • grapheneos@grapheneos.social

                                  @Pingitux Our community should help us much more than they do with the attacks being perpetrated against GrapheneOS and our team. If that was happening then it wouldn't be causing nearly as much harm and we wouldn't talk about it as much as we wouldn't feel nearly as much pressing need to provide an alternative to their inaccurate and misleading claims.

                                  pingitux@social.tchncs.de wrote (#81):

                                  @GrapheneOS Have you brought it up in the community? That it's getting on your nerves and that you would like more support from the users?

                                  • zaire@fedi.absturztau.be

                                    @eskuero @GrapheneOS

                                    torment nexus

                                    european torment nexus

                                    Guest wrote (#82):

                                    @zaire@fedi.absturztau.be @eskuero@mstdn.io
                                    @GrapheneOS@grapheneos.social it's literally that "OpenTorment" meme

                                    • lumi@snug.moe

                                      @GrapheneOS what the fuck. that is absolutely horrifying

                                      remote attestation is a technology that has no good uses. it's just drm

                                      everyone should have the freedom to run whatever they want on their own devices. this freedom should never be taken away and it should be enshrined in law that it can never be taken away

                                      someone else should not be able to decide whether my device is "secure" enough for their purposes. this is reverse security. the os needs to boot securely and the attestation chain should go upwards, with each stage verifying the ones on top of it. not this opposite world bullshit

                                      lunareclipse@snug.moe wrote (#83):

                                      @lumi @GrapheneOS IMO remote attestation really only has a place in organizations that provide managed devices to members, for verifying the integrity of the device as whatever threat model the organization has requires.

                                      For personal devices it enables a lot of anti consumer uses.

                                      • lunareclipse@snug.moe

                                        @lumi @GrapheneOS IMO remote attestation really only has a place in organizations that provide managed devices to members, for verifying the integrity of the device as whatever threat model the organization has requires.

                                        For personal devices it enables a lot of anti consumer uses.

                                        lumi@snug.moe wrote (#84):

                                        @lunareclipse @GrapheneOS in my views it's a pandora's box that should never be opened, the gigantic downsides outweigh the marginal upsides by quite a lot

                                        • ftm@todon.eu

                                          @GrapheneOS and what exactly is your conflict with volla. I get the iodé and Murena part, but what's wrong with Volla?

                                          rikshaw@mastodon.social wrote (#85):

                                          Sorry a bit unrelated, @ftm but I *don't* get the iodé part?

                                          Locked bootloaders, v7.3 just released is A16 QPR2. Yes it is LineageOS based, but with tracking etc. blocked. Personally I would rather run open-source microG than *full fat proprietary Google Play Services* even if they are unprivileged or sandboxed, etc.

                                          iodé and /e/ are both LineageOS based and use microG but otherwise aren't related. Too bad they always get lumped together.
