Andromxda 🇺🇦🇵🇸🇹🇼

Mastodon: @Andromxda@infosec.exchange

wiki-user: Andromxda

  • 1 Post
  • 188 Comments
Joined 1Y ago
Cake day: Mar 22, 2024



Wikipedia has way more donors, since it’s basically the only one of its kind. There is no Big Tech alternative to Wikipedia, so everyone just uses it by default. There are lots of other messengers though, so Signal isn’t the default choice.


Finally a good approach to raising money (other than donations)


Btw if you’re still looking for an IRC client, check out Goguma. It’s a better, more modern looking alternative to Revolution.


I’m glad you like it. Consider making a post about your experience so far having switched from iOS to GrapheneOS. The community likes these kinds of posts. Don’t hesitate to use screenshots, etc.


I know about the security issues in desktop Linux, but I still think secureblue fits that level of the iceberg pretty well. I would put Qubes there as well.


You could add secureblue. I would put it in the same category as GrapheneOS and Vanadium.


Chromium-based browsers have arguably better security than Firefox. https://madaidans-insecurities.github.io/firefox-chromium.html

Vanadium further improves Chromium’s security by disabling the JS JIT compiler, using a hardened memory allocator (GrapheneOS hardened_malloc), enabling ARMv8.5 MTE, and applying other hardening patches (https://github.com/GrapheneOS/Vanadium/tree/main/patches).

The secureblue project maintains a hardened Chromium build for Linux called Trivalent, which uses most of the patches from Vanadium, among others. You can get it from their repo: https://repo.secureblue.dev/secureblue.repo


Tech bros are only interested in getting the results from open source

That’s why we need the GNU AGPLv3


Interesting 🤔
I regularly use both apps and never experienced these issues. You can create an issue on GitHub to report this.

Mullvad: https://github.com/mullvad/mullvadvpn-app/issues/

Proton: https://github.com/ProtonVPN/android-app/issues/


That sounds like a terrible VPN client implementation. Which client do you use?


In my experience, and from what I have heard, it’s quite the opposite.


If you had actually read the post, you would have known that it does work, but there are some privacy concerns with it:

“However, in 2024, the situation changed: balenaEtcher started sharing the file name of the image and the model of the USB stick with the Balena company and possibly with third parties.”



Just use dd. It’s not that hard. You pass it 2 arguments: if= the file you want to flash, and of= the destination. If you’re feeling fancy, pass in some status=progress. And don’t forget to prepend it with sudo. That’s it.


Not sure why we need an abstracted layer for F-Droid.

Because the default F-Droid repository has some security issues: https://privsec.dev/posts/android/f-droid-security-issues/

IzzyOnDroid avoids this by using prebuilt binaries that are properly signed by the actual developers, instead of building and signing apps themselves like F-Droid does.

It also doesn’t have as strict inclusion criteria as the default F-Droid repo, so it is able to offer more apps.


If you need a traditional, unencrypted DNS service, check out Quad9 and AdGuard’s Public DNS. If you can use DoT or DoH, use LibreDNS or Mullvad DNS. If you want more customization, check out NextDNS.



No, it’s not a special “FOSS” version, it’s just the official binary distributed through the Guardian Project repo (as I have proven: https://lemmy.dbzer0.com/comment/16230276). If you want a FOSS variant, check out Signal-FOSS or Molly, they also offer a FOSS variant. You can either download it from their custom F-Droid repo, pull the APK from GitHub using Obtainium or get it from Accrescent.



I know, it even says so in the post:

I just noticed today that Signal (not talking Molly) is now available on F-Droid via the “Guardian” repository.


I think they ship prebuilt binaries, i.e. the exact same ones you find on the Signal website.

AFAIK this also applies to Tor Browser, Orbot and other third-party apps distributed by Guardian.


Edit: I downloaded the files and manually verified the signatures. They are indeed the exact same files.

Because I didn’t really know how to grab an APK from the Guardian F-Droid repo, I used their S3 bucket and downloaded the Signal APK. It’s named Signal-Android-website-prod-universal-release-7.30.2.apk, which is the exact same file name as the one of the APK you can get from the Signal website.

I then used keytool to print the signature certificate fingerprint (I renamed the files to make it less confusing):

keytool -printcert -jarfile signal-website.apk
Signer #1:

Certificate #1:
Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
Certificate fingerprints:
	 SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
	 SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 1024-bit RSA key (weak)
Version: 3

keytool -printcert -jarfile signal-guardian.apk
Signer #1:

Certificate #1:
Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
Certificate fingerprints:
	 SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
	 SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 1024-bit RSA key (weak)
Version: 3

The fingerprints are identical.


Another edit: I just noticed that Signal even has official instructions for checking the signature on their APK download page. They use apksigner instead of keytool, but it’s basically the same process.
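As an added example that is not part of the comment above: the check it describes (two downloads carry the same signing certificate, and that certificate matches a fingerprint you pinned beforehand) can be scripted over the text that `keytool -printcert -jarfile` prints. The inputs below are constructed from the keytool output quoted above, abbreviated to the fields the parser needs; the pinned value is the SHA256 fingerprint shown in that output.

```python
import re

# Constructed sample: abbreviated `keytool -printcert -jarfile` output,
# copied from the two runs quoted in the comment above.
WEBSITE_OUT = """Signer #1:
Certificate #1:
Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Certificate fingerprints:
     SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
     SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 1024-bit RSA key (weak)
"""
# The Guardian download produced byte-identical keytool output.
GUARDIAN_OUT = WEBSITE_OUT
# Constructed third dump with a different SHA256 fingerprint, to show a mismatch.
TAMPERED_OUT = WEBSITE_OUT.replace("29:F3:4E:5F", "00:00:00:00")

# Fingerprint pinned out-of-band (here taken from the comment's own output).
PINNED_SHA256 = "29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26"

_FP = re.compile(r"^\s*(SHA1|SHA256):\s*([0-9A-Fa-f:]+)\s*$", re.MULTILINE)
_WEAK = re.compile(r"^(.*)\(weak\)\s*$", re.MULTILINE)

def parse_fingerprints(output: str) -> dict:
    """Return {'SHA1': hex, 'SHA256': hex} with colons stripped and lowercased."""
    return {alg: val.replace(":", "").lower() for alg, val in _FP.findall(output)}

def weak_markers(output: str) -> list:
    """Fields keytool itself flagged as '(weak)', reported for the reader's information."""
    return [line.strip() for line in _WEAK.findall(output)]

def verify(output: str, pinned_sha256: str) -> dict:
    """Compare the SHA256 certificate fingerprint in a keytool dump with a pinned value."""
    sha256 = parse_fingerprints(output).get("SHA256")
    return {
        "sha256": sha256,
        "matches_pin": sha256 == pinned_sha256.replace(":", "").lower(),
        "weak": weak_markers(output),
    }

def same_signer(out_a: str, out_b: str) -> bool:
    """True when both dumps carry the same SHA256 certificate fingerprint."""
    a, b = parse_fingerprints(out_a), parse_fingerprints(out_b)
    return "SHA256" in a and a["SHA256"] == b.get("SHA256")

if __name__ == "__main__":
    print("website == guardian:", same_signer(WEBSITE_OUT, GUARDIAN_OUT))
    print("website == tampered:", same_signer(WEBSITE_OUT, TAMPERED_OUT))
    print(verify(WEBSITE_OUT, PINNED_SHA256))
```

Feed it real output by piping `keytool -printcert -jarfile some.apk` into a file and reading that instead of the constructed strings; the pinned fingerprint should come from the developer's published value, not from the APK being checked.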


It’s probably not an official thing. F-Droid can’t distribute apps in the official repo via their own policy if the developer doesn’t agree. Third-party repos like Guardian can.





Sorry, forgot to include a blockquote. I was talking about microG. Ntfy is a regular user-installable app; you just need to grant it permission to run in the background, i.e. disable battery optimization.



your only other choice is microg

Doesn’t work on GrapheneOS, since it requires root access for signature spoofing. And it’s not any better than sandboxed Play Services.


This “app tracking protection” is just a DNS filter. You can achieve the same by setting a filtered DNS resolver like base.dns.mullvad.net in the Private DNS options.

Auditor just verifies that your installation of GrapheneOS is real and unmodified, meaning it hasn’t been tampered with by an attacker or corrupted in any other way.

I would recommend using a VPN. That’s also why I prefer the DNS filter over something like app tracking protection, since it doesn’t occupy your VPN slot. GrapheneOS only improves the actual Wi-Fi connection privacy (by randomizing your Wi-Fi MAC address), but it has nothing to do with the data transmission over the Wi-Fi network. That’s what you need a VPN for. You can check out this comment about the pros and cons of VPNs, as well as the criteria for picking a good and trustworthy VPN provider: https://lemmy.dbzer0.com/comment/15631872. Here’s some more advice about VPNs: https://www.privacyguides.org/en/vpn/


AirVPN has port forwarding if you need that. You can also do it with Proton, but last time I used it, it was quite janky.


WireGuard is now even part of the Linux kernel. The protocol and the reference implementation are fully open source; you can just download a WG profile from your provider and you won’t even have to use their application.

On the pros, some offer DNS blocking

You can also set that up without a VPN, or independently of your VPN. The standard WireGuard client doesn’t interfere with your DNS setup.


Yeah. Proton, Mullvad and IVPN are the three best providers out there. That’s also why they’re recommended by privacy/security enthusiasts: https://www.privacyguides.org/en/vpn/?h=vpn#recommended-providers


It matches all the criteria I outlined. IVPN too btw: https://www.ivpn.net/

They’re also on Mastodon, which is also a plus in my opinion (not really significant though): @ivpn@mastodon.social


Pros:

  • Websites can’t see your real IP and thus can’t figure out your real location that easily
    • You might also be able to blend in with other users who use the same VPN server
  • Your ISP can’t see what websites you’re connecting to
  • Your network operator (e.g. a coffee shop offering public Wi-Fi) and your ISP can’t see your unencrypted connections (e.g. HTTP, Telnet)
  • You can bypass regional censorship or other forms of content unavailability

Cons:

  • Your VPN provider can see everything you’re connecting to (but not the content if you use HTTPS, which thankfully has become very common), so you need to be able to trust them
  • A good and trustworthy VPN usually costs money
  • Slightly slower connection and higher latency

Things to look out for when choosing a VPN provider:

  • No-log policy
  • Regular security audits
  • Open source client applications
  • Private/anonymous payment options (cryptocurrency)
    • Monero is the best option if you want to stay fully anonymous
  • Minimal information required for signing up, ideally none (some providers don’t even require an email address, they just give you a randomly generated account ID)

So, Android 9 / 10?

In that case, no. I assumed we were talking about up-to-date devices.


We don’t know everything it can do

Neither do we know this about any other CPU on the market. All chipsets on the market are proprietary. All of them. And no, despite many people (who don’t know anything about what they are talking about) claiming this, RISC-V won’t actually solve any of these issues. Sure, the ISA is open source, but the ISA would be the worst place for malicious actors to introduce a backdoor. I can guarantee you that despite using the RISC-V ISA, the chips themselves will still be fully proprietary and the IP will be highly protected as trade secrets. You can build a fully RISC-V conformant chip with a backdoor, there’s absolutely nothing in place that could stop this, and it surely won’t change for the foreseeable future.




LineageOS itself drastically weakens security even compared to stock AOSP, for example by exposing root access or deploying insecure SELinux policies.