unethical_ban 7 hours ago

I know there are bad business reasons, but how can someone classify a VPN leak as "not a security issue" and keep their pride?

jeroenhd an hour ago | parent | next [-]

Depends on how you see the role of a VPN.

VPNs, at least originally, were designed to provide access to private/business networks across another network. Office to office, home to office, that sort of thing. VPNs were only later turned into some kind of (supposed) security tool.

If your take on VPN code is "as long as your phone can reach the office printer over 5G" then this is a tiny bug. QUIC connections aren't being shut down properly, like they weren't before the introduction of the feature.

If your take on VPN code is "this WireGuard tunnel must keep my identity safe no matter what" or "my security relies on this WireGuard tunnel being an exact copy of all traffic exchanged over the internet" then this is a massive problem.

I don't think Android VPNs, or any VPN to be honest, were ever designed as a privacy or security measure. Especially not against apps with code execution on the device. The device itself will do all kinds of network interactions, some happening from within the modem chip itself.

Closing the bug was a mistake on Google's part, but I can see why they don't consider this a security bug in their bug bounty programme.

boje 7 hours ago | parent | prev | next [-]

That assumes there is pride they have to bother to keep.

k4rli 7 hours ago | parent | next [-]

Interestingly GrapheneOS being so good brings more money to Google as only Pixel phones are supported.

snapplebobapple 7 hours ago | parent | next [-]

First Motorola GrapheneOS phone I am buying to get fully off the Google pain train. GrapheneOS tides me over until a real Linux smart phone shows up or I die of old age. Now if Home Assistant could get Thread network joining working without an Android phone with a Google account I could be fully rid of those eh holes.

iamtedd 6 hours ago | parent | next [-]

> Now if Home Assistant could get Thread network joining working without an Android phone with a Google account

There is already a way to do this. It's fiddly, but not by much. Once set up it's a much better experience, though.

https://www.matteralpha.com/how-to/how-to-use-home-assistant...

DANmode 5 hours ago | parent | prev | next [-]

> real linux smart phone shows up

What’s most glaringly missing, for you specifically, from the plethora of options available?

It seems like plenty of options are getting 7/10 things right.

surgical_fire 6 hours ago | parent | prev [-]

I am patiently waiting for that one. I have been willing to move to GrapheneOS for a while, but I don't feel like buying Google hardware.

mcraiha 7 hours ago | parent | prev | next [-]

There should be at least one Motorola phone before end of the year that has GrapheneOS support.

winter_blue 6 hours ago | parent | prev | next [-]

Sadly, Verizon Pixel phones, even after carrier unlocking, seem to be forever blocked from using GrapheneOS.

neilv 6 hours ago | parent | next [-]

Carrier-sold Pixels generally don't have "OEM-unlockable" bootloaders.

Your best bet for now is to buy a new Pixel direct from Google, or a used one from eBay that the seller advertises as already having GrapheneOS on it (or otherwise guarantees that the bootloader is unlockable). These ones are worth a lot more than the ones that can only run Google/carrier Android.

https://grapheneos.org/install/web#prerequisites

I own two GrapheneOS Pixel 7 units, which should get any Google blob security updates (which GrapheneOS incorporates) through October 2027, and GrapheneOS may still support it with source updates after that. So in a year or so, I might get the GrapheneOS Motorola if it's available, or a later Pixel. (I never buy these new, since I don't want to carry a several hundred dollar phone when a 2 gen old one is still great, thanks to GrapheneOS.)

https://support.google.com/pixelphone/answer/4457705

y-c-o-m-b 6 hours ago | parent | prev [-]

I finally left Verizon after nearly 20 years. I had it with their enshittification, couldn't stand it anymore. I switched to US Mobile and am on the Darkstar (AT&T) network. I have no regrets. I caught it on a Black Friday deal, so I'm paying basically $20/mo for top tier service. You wouldn't have caught me dead with an AT&T service or MVNO years ago because I'd seen so many bad experiences second-hand, but these days it's been a breeze (knock on wood).

I also did the math and determined buying a new unlocked phone outright on this plan was far cheaper than paying Verizon monthly for one.

buu700 5 hours ago | parent | next [-]

+1 for US Mobile. Verizon was also good, but a few months ago my cofounder and I discovered we were absurdly overpaying for our decade-old small business plan and found that US Mobile offered a better end product for a fraction of the price.

Currently running my Pixel on Warp (Verizon) with zero practical difference, and starting Monday I'll also have a backup iPhone with a small $8/mo Darkstar line. The money I've saved since switching more or less paid for the iPhone, and I'll be getting 2x reliability for way less ongoing cost. The better app/website/support and extra features are just a bonus.

DANmode 5 hours ago | parent | prev [-]

> I also did the math and determined buying a new unlocked phone outright on this plan was far cheaper than paying Verizon monthly for one.

On any plan.

There’s a reason that as soon as you walk into a cell store they immediately try to schmooze you into signing contracts and leasing phones.

It’s the way they make the most margin!

oceansky 7 hours ago | parent | prev | next [-]

So far. Other companies surely will make their devices compatible if the market share increases for it.

DANmode 6 hours ago | parent | prev | next [-]

I’ve seen this repeated here, but:

Google's Pixel hardware division likely operates at a loss - or breaks even.

and even if every active HN user bought $100-$400 used Pixels from Swappa, meaningless money to them.

zb3 6 hours ago | parent | prev [-]

I don't see a problem with supporting their legitimate hardware or cloud business models. But of course I see a problem supporting their illegitimate adware and spyware business models.

Cider9986 6 hours ago | parent [-]

I agree, especially when you are buying for the used market.

SV_BubbleTime 5 hours ago | parent | prev [-]

We need to bring back shame.

Step one… completely reform MBA programs.

2ndorderthought 4 hours ago | parent | prev | next [-]

It's a feature for them, not a bug. Google is an ad company and an offense contractor; they want VPN users leaking packets for both reasons.

helterskelter 6 hours ago | parent | prev | next [-]

They're paid not to.

like_any_other 6 hours ago | parent | prev | next [-]

How can someone consider unwanted disclosure of personal information a security issue, and work at Google?

bflesch 6 hours ago | parent | prev | next [-]

At some point digital security turns into physical security, and there are national security interests that have fine-tuned their detection logic on these kinds of "buggy" behavior.

If you patch it, you'd need to find another way to de-anonymize those users.

hedora 6 hours ago | parent [-]

So, somewhere, some government or organization might want to blow the user into kibble, and that's an important use case?

I feel like this should be toward the top of the terms of service for the phone, even above the mandatory arbitration clause.

rexpop 6 hours ago | parent | prev [-]

Corporations have no pride. They are soulless, psychopathic accountability sinks.

What planet are you from?