-
- The world has become a dangerous, privacy invading, human rights stripping,
- totalitarian place; in order to combat this, people are joining a growing, and
- dangerous, trend, which I will refer to in this post as the "Free and Open
- Source (FOSS) movement". With that stated, I will now debunk the misinformation
- being spread inside of this extremely flawed movement.
- The
- FOSS
- movement is an attempt to regain
- privacy
- and
- control
- over our devices and data, but the entire concept of FOSS-only, at the current
- time, is severely, and dangerously, flawed. What the FOSS community does not
- seem to understand is the fact that most FOSS software cares not about
- security.
- "Security"; keep that word in mind as you progress through this article. What is
- security? Security is being safe and secure from adversaries and unwanted
- consequences; security protects our rights and allows us to protect ourselves.
- Without security, we have no protection, and without protection, we have a lack
- of certainty of everything else, including privacy and control, which is what
- the FOSS movement is seeking.
- FOSS projects rarely take security into account; they simply look at the
- surface level, rather than the actual
- root cause
- of the issues they are attempting to fight against. In this case, the focus is
- on privacy and control. Without security mechanisms to protect the privacy
- features and the ability to control your devices and data, it can be stripped
- away as if it never existed in the first place, which, inevitably, leads us back
- to the beginning, and the cycle repeats. With this
- ideology,
- privacy and control will never be achieved. There is no foundation to
- build privacy or control upon. It is impossible to build a solid, freedom
- respecting platform on this model.
+
+
+ The world has become a dangerous, privacy invading, human rights stripping, totalitarian
+ place; in order to combat this, people are joining a growing, and dangerous, trend, which I will
+ refer to in this post as the "Free and Open Source (FOSS) movement". With that stated, I will
+ now debunk the misinformation being spread inside of this extremely flawed movement.
+ The
+ FOSS
+ movement is an attempt to regain
+ privacy
+ and
+ control
+ over our devices and data, but the entire concept of FOSS-only, at the current time, is
+ severely, and dangerously, flawed. What the FOSS community does not seem to understand is the
+ fact that most FOSS software cares not about
+ security.
+ "Security"; keep that word in mind as you progress through this article. What is security?
+ Security is being safe and secure from adversaries and unwanted consequences; security protects
+ our rights and allows us to protect ourselves. Without security, we have no protection, and
+ without protection, we have a lack of certainty of everything else, including privacy and
+ control, which is what the FOSS movement is seeking.
+ FOSS projects rarely take security into account; they simply look at the surface level,
+ rather than the actual
+ root cause
+ of the issues they are attempting to fight against. In this case, the focus is on privacy and
+ control. Without security mechanisms to protect the privacy features and the ability to control
+ your devices and data, it can be stripped away as if it never existed in the first place, which,
+ inevitably, leads us back to the beginning, and the cycle repeats. With this
+ ideology,
+ privacy and control will never be achieved. There is no foundation to build privacy or
+ control upon. It is impossible to build a solid, freedom respecting platform on this model.
+
+
+
+
+
+ A FOSS phone, especially so-called
+ "Linux phones"
+ are completely detrimental to privacy and control, because they do not have the security
+ necessary to enforce that privacy.
+ Unlocked bootloaders
+ prevent the device from
+ verifying the integrity of the boot chain,
+ including the OS, meaning any adversary, whether a stranger who happens to pick up the
+ device, or a big tech or government entity, can simply inject malicious code into your
+ software and you wouldn't have any idea it was there. If that's not enough of a backdoor
+ for you to reconsider your position, how about the trivial
+ evil maid
+ and data extraction attacks which could be executed on your device, without coercion?
+ With Android phones, this is bad enough to completely break the privacy and control the
+ FOSS movement seeks, but "Linux phones" take it a step further by implementing barely
+ any security, if any at all.
+ Privilege escalation
+ is trivial to achieve on any Linux system, which is the reason Linux
+ hardening
+ strategies often include restricting access to the root account; if you
+ root your Android phone,
+ or use a "Linux phone", you've already destroyed the security model, and thus privacy
+ and control model you were attempting to achieve. Not only are these side effects of
+ FOSS, so is the absolutely illogical restriction of not being able to, or making it
+ unnecessarily difficult to, install and update critical components of the system, such
+ as proprietary
+ firmware,
+ which just so happens to be almost all of them. "Linux phones" are not as free as they
+ proclaim to be.
+ You may ask "What's so bad about using
+ LineageOS?",
+ to which I answer with "What's not bad about it?".
+
+ - LineageOS uses
+ debug builds,
+ not safe and secure release builds.
+ - LineageOS requires an unlocked bootloader. Even when installed on devices
+ which support custom Android Verified Boot (AVB) keys, the bootloader cannot be
+ locked due to lack of the OS being signed.
+ - LineageOS does not install critically important firmware without manual
+ flashing, requiring users to perform a second update to install this firmware;
+ this likely causes users to ignore the notification or miss firmware
+ updates.
+ - LineageOS does not implement
+ rollback protection,
+ meaning any adversary, from a stranger who physically picks up the device, to a
+ goverment entity remotely, can simply downgrade the OS to a previous version in
+ order to exploit known
+ security vulnerabilities.
+
+ LineageOS is not the only Android OS (commonly, and incorrectly, referred to as a
+ "ROM") with such issues, but it is one of the worst. The only things such insecure OSes
+ can provide you are customisation abilities, and a backdoor to your data. They are best
+ suited as a development OS, not a production OS.
-
-
-
-
- A FOSS phone, especially so-called
- "Linux phones"
- are completely detrimental to privacy and control, because they
- do not have the security necessary to enforce that privacy.
- Unlocked bootloaders
- prevent the device from
- verifying the integrity of the boot chain,
- including the OS, meaning any adversary, whether a stranger who
- happens to pick up the device, or a big tech or government
- entity, can simply inject malicious code into your software and
- you wouldn't have any idea it was there. If that's not enough of
- a backdoor for you to reconsider your position, how about the
- trivial
- evil maid
- and data extraction attacks which could be executed on your
- device, without coercion? With Android phones, this is bad
- enough to completely break the privacy and control the FOSS
- movement seeks, but "Linux phones" take it a step further by
- implementing barely any security, if any at all.
- Privilege escalation
- is trivial to achieve on any Linux system, which is the reason
- Linux
- hardening
- strategies often include restricting access to the root account;
- if you
- root your Android phone,
- or use a "Linux phone", you've already destroyed the security
- model, and thus privacy and control model you were attempting to
- achieve. Not only are these side effects of FOSS, so is the
- absolutely illogical restriction of not being able to, or making
- it unnecessarily difficult to, install and update critical
- components of the system, such as proprietary
- firmware,
- which just so happens to be almost all of them. "Linux phones"
- are not as free as they proclaim to be.
- You may ask "What's so bad about using
- LineageOS?",
- to which I answer with "What's not bad about it?".
-
- - LineageOS uses
- debug builds,
- not safe and secure release builds.
- - LineageOS requires an unlocked bootloader.
- Even when installed on devices which support
- custom Android Verified Boot (AVB) keys, the
- bootloader cannot be locked due to lack of the
- OS being signed.
- - LineageOS does not install critically
- important firmware without manual flashing,
- requiring users to perform a second update to
- install this firmware; this likely causes users
- to ignore the notification or miss firmware
- updates.
- - LineageOS does not implement
- rollback protection,
- meaning any adversary, from a stranger who
- physically picks up the device, to a goverment
- entity remotely, can simply downgrade the OS to
- a previous version in order to exploit known
- security vulnerabilities.
-
-
- LineageOS is not the only Android OS (commonly, and
- incorrectly, referred to as a "ROM") with such issues, but it is
- one of the worst. The only things such insecure OSes can provide
- you are customisation abilities, and a backdoor to your data.
- They are best suited as a development OS, not a production
- OS.
-
-
-
-
- What can you do about this? The answer is simple; however, it does require
- you to use logic, fact, and evidence, not emotion, which is a difficult pill for
- most people to swallow. Use your adversaries' weapons against them. The only way
- to effectively combat the privacy invasion and lack of control of our devices
- and data is to become a
- renegade
- and not take sides. Yes, that means not taking sides with the closed-source,
- proprietary, big tech and government entities, but it also means not taking
- sides with any FOSS entities. The only way to win this war is to take
- whatever hardware and software you can, and use it tactically.
- The best solution for device security, privacy, and control, is to use a
- Google Pixel (currently, Pixel 5a or newer) running
- GrapheneOS.
- Google Pixel devices allow you complete bootloader freedom, including the
- ability to lock the bootloader after flashing a custom OS
- (GrapheneOS includes a custom OS signing key to allow locking the bootloader and
- enabling verified boot to prevent
- malware
- persistence, evil maid attacks, and boot chain
- corruption),
- long device support lifecycles
- (minimum 3 years for Pixel 5a, minimum 5 years for Pixel 6-series and 7-series,
- and minimum 7 years for Pixel 8-series and newer), and
- guaranteed monthly security updates
- for the entire support timeframe of the devices.
-
-
-
- Use what you can, and do what you can. By neglecting security, you are, even
- if unintentionally, neglecting exactly what you are trying to gain; privacy and
- control.
-
-
-
+
+
+
+ What can you do about this? The answer is simple; however, it does require you to use logic,
+ fact, and evidence, not emotion, which is a difficult pill for most people to swallow. Use your
+ adversaries' weapons against them. The only way to effectively combat the privacy invasion and
+ lack of control of our devices and data is to become a
+ renegade
+ and not take sides. Yes, that means not taking sides with the closed-source, proprietary, big
+ tech and government entities, but it also means not taking sides with any FOSS entities. The
+ only way to win this war is to take whatever hardware and software you can, and use it
+ tactically.
+ The best solution for device security, privacy, and control, is to use a Google Pixel
+ (currently, Pixel 5a or newer) running
+ GrapheneOS.
+ Google Pixel devices allow you complete bootloader freedom, including the
+ ability to lock the bootloader after flashing a custom OS
+ (GrapheneOS includes a custom OS signing key to allow locking the bootloader and enabling
+ verified boot to prevent
+ malware
+ persistence, evil maid attacks, and boot chain
+ corruption),
+ long device support lifecycles
+ (minimum 3 years for Pixel 5a, minimum 5 years for Pixel 6-series and 7-series, and minimum 7
+ years for Pixel 8-series and newer), and
+ guaranteed monthly security updates
+ for the entire support timeframe of the devices.
+
+
+
+ Use what you can, and do what you can. By neglecting security, you are, even if
+ unintentionally, neglecting exactly what you are trying to gain; privacy and control.
+
+
+