So rossmann literally feared of a patch that was like this getting into graphene

if (user is rossmann) {

  // do bad things

}

makes me think who is paranoid here.

▲ fph 2 days ago | parent | next [-]

Note that this patch would have to be sent out to all users though, since I don't think there is an authentication mechanism that lets them send out different upgrades to different users.

And if your whole business is a secure OS, it's a very risky proposition: you get caught doing this once, and your reputation is gone forever.

▲ bernoufakis 2 days ago | parent | prev [-]

Your example is a strawman, as a determined enough actor, especially a security expert(s) like GOS developers could pull it off and get such patch / exploit. The probability is not zero. It will probably not be obvious to spot, would be spread over multiple files of code that don't necessarily relate to each other at first glance, as many documented CVE illustrated (one that comes to mind given HN context is the XZ utils backdoor from last year for e.g.)

Rossmann himself has no confidence to audit the code, so why take the risk ? Good enough reason to be "paranoid", or at least feel uneasy about it if you ask me.

▲

gtsop 2 days ago | parent [-]

Is it really a strawman? At some point, the code would need to identify rossmann. Please elaborate on the techniques required to do it and how it could be obfuscated.

GOS doesn't use an account, so the code would have to perform very targeted heuristics in order to verify this is Luis' phone. It would have to compare his sim number against a known one, or dig into application data to find his logins and compare them against known emails. So the only way to not write `if (user is rossmann)` would be to send various diagnostics over the wire, to a service that contains these identifiers and perform the comparison onlinr, meaning he would introduce an imense security whole into everyone's phone, and everyone would see there is a home calling.

So it's either a patch of if user == rossmann, or a home calling patch.

▲

bernoufakis a day ago | parent [-]

> Is it really a strawman? At some point, the code would need to identify rossmann. Please elaborate on the techniques required to do it and how it could be obfuscated.

I don't have to elaborate techniques. If a determined (and potentially mentally unstable) developer decides to leverage their full control over the OS to make it happen can. I don't have to elaborate on the techniques which might or might not exist yet. Stuxnet only targeted specific Iranian systems, a needle in a hay stack, was spread did not harm random devices across the globe, and stayed mostly undetected. And this was done without "developer access" to the software itself. Is it hard ? Yes. Is it likely (especially given the knowledge of how GOS works) ? Perhaps not. Is it impossible ? Definitely not.

When the lead dev of the OS you use daily threatens to "publicly expose you" as a user, I won't blame said user to stop using the software. And even less, to provide such data point regarding the behavior of that developer.

	▲	other8026 13 hours ago \| parent [-]
		> mentally unstable It's not appropriate for you to be saying these things. > Stuxnet only targeted specific Iranian systems, a needle in a hay stack, was spread did not harm random devices across the globe, and stayed mostly undetected. And this was done without "developer access" to the software itself. Is it hard ? Yes. Is it likely (especially given the knowledge of how GOS works) ? Perhaps not. Is it impossible ? Definitely not. This makes no sense. GrapheneOS is an open source project and anyone can look at the changes made by the project. Even the OS is reproducible and people do check that, apparently, so GrapheneOS would be caught if they were making changes. Like I even found this repository just now after a quick search https://github.com/lucasbeiler/reproducible-builds-grapheneo... GrapheneOS isn't just some random OS that nobody has heard of. There are lots of eyes on it, so sneaking some backdoor into the OS would be very difficult and extremely stupid. One misstep and the project would be gone. Do you really think Rossmann is worth that? I don't. > When the lead dev of the OS you use daily threatens to "publicly expose you" as a user, I won't blame said user to stop using the software. And even less, to provide such data point regarding the behavior of that developer. I've already pointed out in other comments that he had no good reason to fear a targeted update. It's just not possible. He should know that by now, but as far as I know he has never retracted that part of his video.