| > Donaldson, now 42, is a self-taught hacker who never finished school, was briefly unhoused, and spent most of his twenties in a “positive hardcore punk band.” “It’s cool being smart,” he told me. “But if you can’t pay your bills, you’re a dumbass.” > The domain “Copperhead.co” was registered by Donaldson in 2014 and incorporated in 2015 under both Donaldson’s and Micay’s names. The idea was that shares would be split equally, with Donaldson as CEO and Micay as de facto chief technology officer. Their flagship product It sounds to me like some "business" characters I know well. They "handle the business" while someone else does 99% of the actual work, then ask to split 50/50. This didn't work out for Donaldson, and now he spends his time harassing Micay? Is that the gist or am I misreading? |
| |
| ▲ | HybridStatAnim8 an hour ago | parent | next [-] | | That is a perfectly level-headed response. Signing keys must be protected. In the event of a hostile takeover, where a malicious party seeks to compromise the privacy and security of your userbase, destroying the keys is a sensible decision. Failure to do so, and successful compromise of the keys, will let the malicious party push whatever update they want, and it will be accepted due to being signed correctly. It was not a disagreement about shares, it was a hostile takeover. Someone who never owned the project sought to steal it. | |
| ▲ | freehorse 3 hours ago | parent | prev | next [-] | | > Hardly a level-headed response, even if you disagree about the financial share of something According to the linked responses, the keys were not deleted because of disagreement over financial share, but over how the keys were to be used (in particular, in potentially dangerous security-wise ways), for which he did not want personal responsibility over (the keys belonged and used by him even before that project) | | |
| ▲ | Avamander 3 hours ago | parent [-] | | [flagged] | | |
| ▲ | ysnp 2 hours ago | parent | next [-] | | Phantom Secure is directly named as one of the parties Donaldson was dealing with, with others being suspected: >Donaldson tried to make a deal with Phantom Secure, which ultimately didnt work out. Micay suspected other counterparties were linked to organized crime, but we cannot confirm those identities or ties on short notice. Donaldson began pursuing such deals before Micay left and continued afterward. https://discuss.grapheneos.org/d/34369-original-grapheneos-r... | |
| ▲ | HybridStatAnim8 an hour ago | parent | prev [-] | | The claims arent vague, they are quite specific in what happened. This wasnt spiteful and this wasnt disgruntled. It was the logical choice given the circumstances. | | |
|
| |
| ▲ | ForHackernews 4 hours ago | parent | prev | next [-] | | Sometimes deleting it all is the only principled action https://www.theguardian.com/technology/2013/aug/08/lavabit-e... | | |
| ▲ | torvoborvo 3 hours ago | parent [-] | | IMO its a lovely paradox that no one can argue against such a deletion. Either the party choosing deletion is reasonable so there are grounds for deletion or unreasonable and they are the grounds for deletion. |
| |
| ▲ | DANmode 4 hours ago | parent | prev | next [-] | | The keys got wiped for way spookier reasons than Micay wanting money. Intelligence wanted in, and Donaldson seemingly would have been happy to oblige. | | |
| ▲ | Avamander 3 hours ago | parent | next [-] | | [flagged] | | |
| ▲ | DANmode 3 hours ago | parent [-] | | From the story you’re commenting on: > From Wired: > We understand that Daniel's recollection was not that James wanted to know more information about how the signing keys were stored, but that he wanted direct access to them. > Did you suspect his request was tied to a deal he was brokering with a large defense contractor? Did you believe this would put the entirety of CopperheadOS’ user base at risk? > Yes and yes. | | |
| ▲ | Avamander 3 hours ago | parent [-] | | [flagged] | | |
| ▲ | HybridStatAnim8 an hour ago | parent | next [-] | | They were compromised. Greed overtook the principles on which the project was founded and put the project at risk. They agreed from the start that Micay would own the project and hold the keys. They explicitly accepted those terms. Despite this, they tried a hostile takeover anyway. Forking and building a separate build isnt dual signing, its just forking. You can do that right now with GrapheneOS and its build guide if you want. Im not sure what you mean by the last part, GrapheneOS has been quite upfront with all of this from the start. | | | |
| ▲ | lostmsu 3 hours ago | parent | prev [-] | | From a security-minded user perspective it makes sense to destroy keys when instead of a single entity I receive updates from I get another entity that is not equivalent, and half of my previous entity thinks that the other half is sus. | | |
| ▲ | Avamander 3 hours ago | parent [-] | | [flagged] | | |
| ▲ | HybridStatAnim8 an hour ago | parent [-] | | It wasnt intelligence agency compromise, it was a business partner compromise, who intended to violate the privacy and security of their users. Nothing about this is done out of spite. Im not sure where youre getting that from. You just seem to be attacking peoples character for making the right choice given the circumstances. | | |
|
|
|
|
| |
| ▲ | next_xibalba 3 hours ago | parent | prev [-] | | What is your source for this? | | |
| ▲ | DANmode 3 hours ago | parent [-] | | TFA. Reddit and IRC/etc logs from the period are illuminating, too. |
|
| |
| ▲ | margalabargala 4 hours ago | parent | prev [-] | | "Financial damages". So what? Causing someone financial damages isn't illegal. Your boss causes you financial damages when they fire you. Your competitor causes you financial damages when they offer a discount. If Micay was a 50% owner, sounds like he didn't do anything illegal. Immature maybe, which simply puts him at parity with the other party involved. | | |
| ▲ | kennywinker 4 hours ago | parent | next [-] | | > Immature maybe Yeah, that’s the issue. I don’t want people who behave immaturely, impulsively, or vindictively, having a key role in something as important as my phone os. I want stability, maturity, and thoughtfulness. | | |
| ▲ | HybridStatAnim8 an hour ago | parent | next [-] | | That is what CopperheadOS, and now GrapheneOS, provides. Its a level of "battle tested" that most OS and app devs never have the opportunity to have. Deleting the signing keys during a hostile takeover attempt rather than submitting to pressure or greed is an amazing quality that is rare to find. Nobody behaved or is behaving immaturely, impulsively, or vindictively. | |
| ▲ | exceptione 4 hours ago | parent | prev | next [-] | | Understandable wishes, but you might have to put something from yourself into it if this is a pressing concern. Or you will be left to your own corporate devices. | | |
| ▲ | kennywinker 3 hours ago | parent [-] | | What exactly are you suggesting? If i go help out at the graphene os project, that won’t change their leadership. Should I make my own fork? | | |
| ▲ | exceptione 3 hours ago | parent [-] | | The GOS (GrapheneOS) lead had responded to criticisms like yours that he gladly retreats inside his tech role if others would take it upon them to refute the claims from rivals. So if you are that balanced, normal person, you could take that work out of his hands. Or help fund a full time PR person. «In 2018, matters between Micay and Donaldson came to a head over Donaldson’s desire to pursue business deals with criminal organizations, and his attempts to compromise the security of CopperheadOS, including by proposing license enforcement and remote updating systems that would allow third-parties to have access to users’ phones. As part of this process, Donaldson began to demand that Micay provide Donaldson with the “signing keys” - i.e. the credentials required to verify the authenticity of releases of CopperheadOS. Donaldson advised that, in order to secure certain new business, potential customers required access to the Keys.» Micay is rightfully paranoia, just having a GOS phone makes some government agencies quite mad. There are many ways a project like GOS could die, disinformation could certainly kill it. Other projects don't help the case if they throw mud at it. Rather, they should focus on their real technical shortcomings, but such articles aren't written somehow. https://eylenburg.github.io/android_comparison.htm EDIT > Should I make my own fork?
You could contact him to offer your help where he falls short. | | |
| ▲ | HybridStatAnim8 an hour ago | parent [-] | | Micay is not paranoid. Paranoia implies unsubstantiated fear. But they acted responsibly under pressure and the project is upfront with what happened to the public and to journalists alike. |
|
|
| |
| ▲ | goodpoint an hour ago | parent | prev | next [-] | | Then avoid GrapheneOS | |
| ▲ | cf100clunk 4 hours ago | parent | prev | next [-] | | Mental health and wellness issues in high tech research and development are everywhere. I would suggest that you focus on the product and what it can/cannot do for you. | | |
| ▲ | kennywinker 4 hours ago | parent | next [-] | | Suggest away. It’s still a factor in my decision making, because if I can’t trust the developers to behave well, i can’t trust the product to continue to do what it says it can do for me. | | |
| ▲ | HybridStatAnim8 an hour ago | parent [-] | | They have proven to "behave well" for years. Destroying the signing keys in the midst of a hostile takeover is the responsible thing to do. Its for the safety of their users. Thats a commendable trait to have. |
| |
| ▲ | HybridStatAnim8 an hour ago | parent | prev | next [-] | | None of the GrapheneOS development team is mentally ill or unwell. | |
| ▲ | goodpoint 2 hours ago | parent | prev | next [-] | | When you have to trust the OS images generated by the authors it becomes a massive issue. | | |
| ▲ | HybridStatAnim8 an hour ago | parent [-] | | You always trust the developers of software. The only way to stop that is to not use the software. |
| |
| ▲ | joyous_limes 2 hours ago | parent | prev [-] | | [dead] |
| |
| ▲ | rigonkulous 3 hours ago | parent | prev [-] | | The path to maturity requires immaturity. |
| |
| ▲ | HybridStatAnim8 an hour ago | parent | prev | next [-] | | Deleting the signing keys for the sake of protecting ones users is the mature and responsible thing to do. | |
| ▲ | ryanmcbride 4 hours ago | parent | prev | next [-] | | Things aren't only bad if they're illegal. There's plenty of bad things one can do that are perfectly legal, and plenty of good things one can do that are totally illegal. | | |
| ▲ | abnercoimbre 3 hours ago | parent [-] | | And there are legal remedies to create deterrents without a court. Boycotts, journalism or new competition. |
| |
| ▲ | 4 hours ago | parent | prev | next [-] | | [deleted] | |
| ▲ | Avamander 4 hours ago | parent | prev [-] | | [flagged] | | |
| ▲ | HybridStatAnim8 an hour ago | parent | next [-] | | More like the coordinates of a home were burned to protect its occupants. It was a practical choice, not an ideological one. | |
| ▲ | dmbche 4 hours ago | parent | prev [-] | | If you own something you can do what you want with it including rendering it useless | | |
| ▲ | amalcon 3 hours ago | parent | next [-] | | If you own all of it, yes. If you only own most of it, the minority owners do have some rights -- just fewer than you do. | | |
| ▲ | HybridStatAnim8 an hour ago | parent | next [-] | | Micay owns the whole project. Ownership of the project was not exchanged or divided, part of the explicit terms of the agreement were that Micay would hold the keys and ownership of the project just as they always have. | |
| ▲ | dmbche 2 hours ago | parent | prev [-] | | Sure! |
| |
| ▲ | Avamander 4 hours ago | parent | prev [-] | | [flagged] | | |
| ▲ | HybridStatAnim8 an hour ago | parent | next [-] | | Thats a characteristic all modern OSs and modern apps have. You need to trust the key holders, always. Some people make their own builds for this reason. Depends on tge threat model. | | | |
| ▲ | 2 hours ago | parent | prev [-] | | [deleted] |
|
|
|
|
|
