| |
| ▲ | YoumuChan 3 days ago | parent | next [-] | | I hate to say this but I don't foresee Graphene being "mainstream". Most users will stick to the stock ROM. The most "mainstream" custom ROM Lineage is only installed on 0.04% of Android devices as of 2023 [1]. Even if Graphene appears in some mainstream news, I highly doubt any ordinary person can recognize it when they see one. If the threat model is hiding from random people, I think a hidden profile works very well. Now let's talk about motivated adversary as you put it. Hidden profile and wiping are not either-or, they can coexist. If one is really targeted by a motivated adversary, it should be apparent in most cases, and the targeted person can choose to enter the wiping PIN instead of the secondary profile PIN. Now if one is targeted by a really motivated and threatening adversary, I don't think wiping PIN is any better than secondary profile PIN. The moment one chooses to wipe the phone, the adversary could be triggered by the action and harm the victim anyway. [1] https://9to5google.com/2023/11/20/lineageos-number-of-device... | | |
| ▲ | mbananasynergy 3 days ago | parent | next [-] | | GrapheneOS isn't a project that plans to be an aftermarket OS forever. In fact, we're currently working with an OEM to have their devices have official GrapheneOS support. This can mean devices being sold with GrapheneOS without someone even having to install it. We're of the opinion that there's a growing portion of the population that is becoming more security and privacy conscious, and that's reflected in our userbase, which has been growing consistently over the last few years. We're not saying we're going to have iPhone's marketshare, but we're constantly growing.
> Now if one is targeted by a really motivated and threatening adversary, I don't think wiping PIN is any better than secondary profile PIN. The moment one chooses to wipe the phone, the adversary could be triggered by the action and harm the victim anyway.
Yes, but at that point, the data is irreversibly rendered inaccessible. There are situations where the data itself is the most important factor, and where the owner of the device being hurt doesn't benefit the adversary now that the data is gone. Of course, as with everything, it depends on one's situation, but the duress PIN feature doesn't involve trickery. It's a way to reliably and quickly do a very specific thing. | | |
| ▲ | crossroadsguy 3 days ago | parent | next [-] | | > In fact, we're currently working with an OEM to have their devices have official GrapheneOS support
Oh god, yes. Please! I can't wait to leave the walled fruit garden, but can't tolerate Google sniffing everything I do or do not do on my phone either. PS. I just hope it's an OEM that sells devices to a lot of countries including developing ones and not something like Fairphone. | | |
| ▲ | ThePowerOfFuet 3 days ago | parent [-] | | Google has no access to anything you do on a Pixel with GrapheneOS installed just because it's their hardware. | | |
| |
| ▲ | dotancohen 3 days ago | parent | prev | next [-] | | > we're currently working with an OEM to have their devices have official GrapheneOS support.
It's a long shot, but please see if you can get this vendor to include an EMS stylus like the Samsung Note devices and S Ultra devices. That is what is keeping me on Samsung, and I will be one of their first customers if they have an integrated EMS pen. | |
| ▲ | YoumuChan 3 days ago | parent | prev [-] | | I think it is all about audience. There is no one-size-fits-all. Different audiences have different threat models and different requirements. For a corporate using an OS in work phones, the threat model is state/corp-sponsored actors. Trade secret leak is unacceptable. When in doubt, data should be wiped. Now wiping PIN makes total sense and is the only sensible option. An ordinary person, on the other hand, often deals with non tech-savvy ordinary people. The threat model is different. Most likely plausible deniability is enough. The threat level is low. Those users may accept to trade some data security for a more friendly feature. The ultimate question is whether Graphene envisions itself an opinionated OS that always follows the "best practice" or a generic OS that allows users to define their own threat models. |
| |
| ▲ | bogwog 2 days ago | parent | prev [-] | | These are ridiculous scenarios to try and optimize for. A smartphone feature isn't going to save someone from an abusive spouse or a serial killer, and if it does, it'll be an exceptional situation. There was a youtuber who got kidnapped in Haiti a while back, and his kidnappers demanded to search the photo gallery on his phone for something. So what he did was delete the pictures, but not empty the trash, hoping they wouldn't know about that feature. They didn't, and he got away with it. Did Apple envision a kidnapping scenario when they were designing that feature? Probably not. Is there a design lesson that can be taken from that situation? Also probably not, because it just as easily could have gone the other way. |
| |
| ▲ | throwaway-0001 3 days ago | parent | prev | next [-] | | Tbh I’d say 99% of the criminals won’t know about this. Let’s say someone has you at gunpoint, you can just give your main profile pass. If they don’t even know there is a secret profile you’re good to go. You’re right, they might assume you’re hiding, but I’d say 99% won’t know what’s even graphene and from those who know I’d say they might force you and you can have 3 sets of bank accounts:
Main profile: 100
Secondary: 1000
Tertiary: $$$
Also if you hide all traces of grapheneos it would be safer too. Nobody even knows it is graphene, so they can’t even check what features you have. Again we are talking about 99% of the criminals, not the tech savvy 1%. I’d prefer plausible deniability like VeraCrypt than what we have now. | | |
| ▲ | mbananasynergy 3 days ago | parent | next [-] | | You can argue most bad people won't know about it - but I would say we can't really know. I think the main problem is that people can be affected that aren't even using it, which is why it is such a big problem. You can't really hide it's GrapheneOS either, even just by virtue of the features available on the device, you'll be able to deduce what it is. I understand the idea behind it but it simply isn't realistic to provide and can put people in danger - the very thing it's meant to prevent. | | |
| ▲ | throwaway-0001 3 days ago | parent [-] | | But also in your case criminals can threaten you to give access to bank accounts you don’t have. When I say hide, again for 99% of the people. Splash screen, setting spoofing. Sometimes good enough is better than perfect. And even if the attacker can see the other profile you can just say it was your friend’s profile and it’s lost. Or better, not sure if possible: export the profile in a file like VeraCrypt. Then when you need the profile import from this file and would restore the secret profile. |
| |
| ▲ | AndyMcConachie 3 days ago | parent | prev [-] | | > Tbh I’d say 99% of the criminals won’t know about this.
It's not about criminals. It's about the police, government spy agencies, and other knowledgeable threat actors. |
| |
| ▲ | jrexilius 3 days ago | parent | prev | next [-] | | There are certain threat/risk models where having multiple profiles might be helpful (non-forensic examination by an official at a security screening kinda scenario). But you're right, it's nuanced, requires know-how by the user, and possibly a foot-gun for some caught unawares. NOT an easy problem to solve. Personally, as a user, I'd like the ability to be able to choose that option in the instances where I needed it, but it's likely a TON of work for a very small actual user community who needs it. | |
| ▲ | cromka 3 days ago | parent | prev | next [-] | | I think this feature nowadays would be mostly for the border control checks, especially in the US. Basically to avoid being sent back over a JD Vance meme found at a glance, as opposed to actually being held hostage. | |
| ▲ | rendx 2 days ago | parent | prev | next [-] | | I remember a conversation with a political activist refugee. They were in a group of people who got checked at the border, and were asked to unlock their laptops. The border security personnel then proceeded to do a short inspection of the visible systems. They all used Veracrypt's Hidden Operating System functionality, and while it would be trivially detectable, the border security did not, so they got through without problems. If they had refused to "unlock", or used a duress passphrase that wiped the system without presenting a dummy version, they would have been held, possibly for a very long time, and definitely not allowed to exit. Moral of the story: Different contexts allow for different solutions. It is a sign of false privilege to make assumptions, and not let the user decide. An argument can be made in terms of priority of implementation, but not in terms of "pointlessness". The often used argument of "false security" can be addressed by warnings; yes, some people may not understand the implications, but you do not need to make their own (bad/good) choices for them; that's paternalism, not care. In the real world, where thanks to my political work I am in contact with many people who had to endure real-world security checks, police raids, investigations, and so on, in all the cases no proper (imaginary) forensic analysis was performed. People make mistakes and remain uneducated -- on both sides. The "But NSA!" argument brought forward typically by white techbros kills a lot of useful technology before it even exists, which is unfortunate for those that would actually benefit from it, and when asked would tell you so. It's also not either/or in reality: In many situations, it will buy you time (while e.g. your lawyer may try to get you and your devices out of the situation), and even if they find out you were trying to fool them, they may give you another chance, and then you can still opt for the wipe code. It makes a huge psychological difference to have multiple options and feel in control. | | |
| ▲ | lollobomb 2 days ago | parent [-] | | Yes, 100% this. Plausible deniability for everyone does not hurt everyone, it rather protects everyone, even if you don't use it. |
| |
|