mlfh

From the grapheneos faq section on device support, which details the kinds of hardware and firmware security features required and present on pixels (but may be missing on other devices):

Hardware, firmware and software specific to devices like drivers play a huge role in the overall security of a device. The goal of the project is not to slightly improve some aspects of insecure devices and supporting a broad set of devices would be directly counter to the values of the project. A lot of the low-level work also ends up being fairly tied to the hardware.
Non-exhaustive list of requirements for future devices, which are standards met or exceeded by current Pixel devices:

• Support for using alternate operating systems including full hardware security functionality
• Complete monthly Android Security Bulletin patches without any regular delays longer than a week for device support code (firmware, drivers and HALs)
• At least 5 years of updates from launch for device support code with phones (Pixels now have 7) and 7 years with tablets
• Device support code updated to new monthly, quarterly and yearly releases of AOSP within several months to provide new security improvements (Pixels receive these in the month they’re released)
• Linux 6.1, 6.6 or 6.12 Generic Kernel Image (GKI) support
• Hardware accelerated virtualization usable by GrapheneOS (ideally pKVM to match Pixels but another usable implementation may be acceptable)
• Hardware memory tagging (ARM MTE or equivalent)
• Hardware-based coarse grained Control Flow Integrity (CFI) for baseline coverage where type-based CFI isn’t used or can’t be deployed (BTI/PAC, CET IBT or equivalent)
• PXN, SMEP or equivalent
• PAN, SMAP or equivalent
• Isolated radios (cellular, Wi-Fi, Bluetooth, NFC, etc.), GPU, SSD, media encode and decode, image processor and other components
• Support for A/B updates of both the firmware and OS images with automatic rollback if the initial boot fails one or more times
• Verified boot with rollback protection for firmware
• Verified boot with rollback protection for the OS (Android Verified Boot)
• Verified boot key fingerprint for yellow boot state displayed with a secure hash (non-truncated SHA-256 or better)
• StrongBox keystore provided by secure element
• Hardware key attestation support for the StrongBox keystore
• Attest key support for hardware key attestation to provide pinning support
• Weaver disk encryption key derivation throttling provided by secure element
• Insider attack resistance for updates to the secure element (Owner user authentication required before updates are accepted)
• Inline disk encryption acceleration with wrapped key support
• 64-bit-only device support code
• Wi-Fi anonymity support including MAC address randomization, probe sequence number randomization and no other leaked identifiers
• Support for disabling USB data and also USB as a whole at a hardware level in the USB controller
• Reset attack mitigation for firmware-based boot modes such as fastboot mode zeroing memory left over from the OS and delaying opening up attack surface such as USB functionality until that’s completed
• Debugging features such as JTAG or serial debugging must be inaccessible while the device is locked

A fun offshoot down this rabbit hole: https://en.wikipedia.org/wiki/Embarrassingly_parallel

Hahaha no I’m just an idiot and accidentally swapped the url and text, thanks for catching that - fixed now

modprobed-db can create a profile of the kernel modules that get loaded by your system over time. You can feed that directly into make localmodconfig to build a kernel that only includes those modules, or use the data to build a modprobe whitelist.

Sabrina Carpenter 💅

It might yet come back, the page has a banner saying they ran out of storage and the community has donated a bit to add more.

I spun up my own server in the meantime though, and even if sdf does come back, I’ll probably stick to using this one as my primary.

I love lemmy.sdf.org the best - it’s a unixy ragtag underdog cyberpunk kind of place running on a pubnix cluster, whose frequent downtime only adds to its charm. Three-character dot-org domain name (aura). Broad spectrum of users, unified by finding something like a pubnix cluster cool.

Usually the downtime lasts a day or two at most, the plucky pubnix admins get it back online and we celebrate. But it’s been down for over a month now :(

This comment sent me down a fun rabbit hole learning about ARPS and packet radio, and I’m finally gonna get my license now. Thanks!

You have enough failures on each disk to make me suspect an issue with the usb-connected drive bay. I ran into similar issues with a cheap pci-e sata adapter, where little hiccups and latency in the communication layer would cause zfs to take disks offline randomly. Read, write, and checksum errors would slowly accumulate across all of the disks. Switched that machine to a proper enterprise hba, the issues vanished, and the disks are all healthy 3-4 years later.

That’s the problem, unfortunately - being comparably secure to Debian isn’t very secure at all. The state of linux desktop security is very much a nightmare (madaidan’s insecurities is a good primer everyone points to, though you should take it with a grain of salt and it’s a few years old), and without security you’re an exploit away from having no privacy either.

So we’re left with few options, none of them ideal, while the world becomes increasingly more difficult to be participate in without making android or ios a part of your life:

1. Use a stock android phone, which is just straight up and unabashedly a spying device meant to milk you for value like a dairy cow. Sacrifice privacy for convenience.
2. Use an iphone, which is the same thing shrouded in a layer of niceness. Sacrifice privacy for convenience and a bit more security.
3. Use an android variant that focuses on freedom, like lineageos. Sacrifice a bit of convenience for some freedom and some privacy.
4. Use grapheneos. Sacrifice a bit of convenience for security, some freedom, and some privacy.
5. Use a linux phone, running something like postmarketos. Sacrifice security for freedom and privacy.

Read up on the options, understand the realities, and choose the tradeoff that best fits your preferences and lifestyle.

I think that’s the point, unfortunately - create a legal burden that is technically impossible to comply with, targeting speech that the state has deemed immoral.

Islamic cyber resistance to what, snaps?

That’s a really really good story idea, and I love the thought and sentiment behind it - even with my own way of looking at machines, I’d never thought of things that way. You should write it!

I (mostly jokingly, but also a little bit really and sentimentally) believe that physical baremetal computers/servers have souls, and must therefore have hostnames that are names, because names are powerful and soulful and you should have respect for things that have souls. Which is why I kind of hate the “cattle, not pets” model in my own practice.

Stick identifying categorizing prefixes on it, of course, and you can group clusters under the same name with a numeric suffix, but it’s gotta have a real name in there somewhere.

deleted by creator

More laws written by people who have zero fucking idea what they’re writing laws about.

I made it sound a bit like that haha, but no, just the very big loud music

A friend of mine was once the organist at a cathedral with a grand pipe organ. He invited me to see it one day and hear him play, and for the finale he had me climb up into the forest of towering pedal pipes, crouching between the rows, dwarfed by their looming height, while he played Bach’s Toccata and Fugue in D Minor.

The sound hit me like a wave, so vast and tremendous and perfect. I felt utterly annihilated - tiny and shaken apart into nothing, a speck swept away in a cascading ocean of music, like the whole world was exploding in cataclysm and fractal rebirth all around me. Dazzling and enormous.

And when the fugue peaked, I think that’s the closest to nirvana I’ve ever been. Just blown clean off the face of the earth.

Because that cuts into their profits, and they won’t do that until forced to by law. Tale as old as time.

One fun thing I use it for is semi-automated photo/video backups to my storage servers: a grapheneos storage scope makes the media directory available to termux, and then I have a termux shortcut to run a shell script with a bunch of rsync jobs. Works far more reliably than the godawful nextcloud app, and it’s far more fun to watch.