The AnarSec project has written a configuration guide for users who face a well-resourced adversary:
https://www.anarsec.guide/posts/grapheneos
Critical feedback is encouraged! Whether here or by email
anarsec
To add on to the part about jmp.chat. Initially BTC can be used as a crypto payment. Once you have an account they have a monero option. Note that when you send monero to the address it gets converted to BCH and the fees are taken from what you sent. So keep in mind that what gets put into your account will be a little less than what you originally sent.
If you want to take it a step further you could go over the privacy and security settings that can be changed or even recommended.
Personally I wouldn't recommend RiseUp VPN since I read some anecdotal information that they have given up information to authorities. So take that with a grain of salt. Mullvad or IVPN would be what I am between, though I have chosen Mullvad.
I have a few suggestions:
I'd likely use https://eylenburg.github.io/android_comparison.htm instead of the privacyguides article when saying "There are other alternative Android operating systems, but they don't have comparable security." as while the link above is a table which can't convey a ton of information in detail, it is much more up to date and covers more stuff and more OSes.
Starting with the Pixel 6, Pixel devices will receive at least 5 years of security updates from the date of release.
Should mention that starting with 8th generation devices, they have 7 years of support from launch instead of 5.
Never set up fingerprint authentication. Set a strong password.
This should be revisited once https://github.com/GrapheneOS/os-issue-tracker/issues/28 is implemented (it's being worked on as we speak).
Navigate to Advanced settings in the RiseupVPN menu, click Always-on VPN and follow the instructions.
It's important to note that "Always-on VPN" and "Block connections without VPN" are enabled by default on GrapheneOS.
Software That Isn't On the Play Store
On this section where you mention Obtainium, it might also make sense to bring up AppVerifier, which can be obtained via GitHub Releases (and therefore Obtainium itself), or via Accrescent.
Obtainium has introduced explicit support for AppVerifier so that when you download an app through Obtainium, it brings up the share sheet so that you can share the downloaded app with AppVerifier. This shows you the fingerprint of the signing key for that app, which you can independently confirm in a place that the developer publishes it, or, if it is in AppVerifier's internal key database, it will give you a success message automatically. When you're done verifying, you just go back, and Obtainium then asks you to install the app.
Settings → Security → Auto reboot: 18 hours or less
Given that the article concerns people with a reasonably high threat model, I think that an explicit recommendation to lower the 18 hour default (which we lowered to that from the previous 72 hour default) to something less is advisable. Unless someone needs to be able to receive Signal messages etc. during the night, it might make sense to go lower than 8 hours. When out and about, it might even make sense to set it to 10 minutes, which is the lowest you can choose.
When an app asks for storage permissions, select Storage Scopes. This will make the app think that it has all the storage permissions it is requesting, when in fact it has none.
Recommend linking to the usage section for Storage Scopes here, and Contact Scopes should be mentioned too. Exposing your contacts to apps might be a horrible idea depending on who your contact list contains.
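The signing-key fingerprint check described above, as an added stand-alone example (not code from AppVerifier, Obtainium or the AnarSec guide): it pulls the signer certificate out of an APK's v1 (JAR) signature block in META-INF, computes the SHA-256 certificate digest that tools like apksigner print, and compares it to a value the developer published. The in-memory APK and its dummy certificate are constructed inside the block; the v2/v3 APK signing block is not parsed.

```python
import hashlib, hmac, io, zipfile

def der_tlv(tag, content):
    # Short-form DER encoder (lengths < 128), enough for the constructed sample.
    return bytes([tag, len(content)]) + content

def der_children(body):
    # Yield (tag, content, raw_tlv) for each element of a constructed DER body (long-form lengths handled).
    i = 0
    while i < len(body):
        tag, first = body[i], body[i + 1]
        k = first & 0x7F if first >= 0x80 else 0
        n = int.from_bytes(body[i + 2:i + 2 + k], "big") if k else first
        yield tag, body[i + 2 + k:i + 2 + k + n], body[i:i + 2 + k + n]
        i += 2 + k + n

def pkcs7_certificates(blob):
    # ContentInfo SEQ { OID, [0] { SignedData SEQ { version, digestAlgs, [content], [0] certs, ... } } }
    content_info = next(der_children(blob))[1]
    signed_data = next(der_children(list(der_children(content_info))[1][1]))[1]
    for tag, content, _ in der_children(signed_data):
        if tag == 0xA0:  # certificates [0] IMPLICIT SET OF Certificate
            return [raw for _, _, raw in der_children(content)]
    return []

def apk_v1_signing_certs(apk):
    # Signer certificates from META-INF/*.RSA|DSA|EC (v1/JAR signature; v2/v3 blocks not parsed).
    with zipfile.ZipFile(apk) as z:
        return [c for name in z.namelist()
                if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC"))
                for c in pkcs7_certificates(z.read(name))]

def sha256_fingerprint(cert_der):
    # SHA-256 over the certificate DER, colon-separated as apksigner --print-certs shows it.
    h = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, 64, 2))

def fingerprint_matches(shown, published):
    # Constant-time compare that ignores colons, spaces and letter case (copy/paste friendly).
    norm = lambda s: "".join(c for c in s if c.isalnum()).lower()
    return hmac.compare_digest(norm(shown), norm(published))

def build_sample_apk():
    # Constructed in-memory APK whose CERT.RSA wraps a dummy SEQUENCE standing in for an X.509 cert.
    cert = der_tlv(0x30, der_tlv(0x02, b"\x01"))
    signed = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x31, b"") + der_tlv(0xA0, cert) + der_tlv(0x31, b""))
    blob = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + der_tlv(0xA0, signed))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z: z.writestr("META-INF/CERT.RSA", blob)
    return io.BytesIO(buf.getvalue()), cert
```

Run it against a real APK with `apk_v1_signing_certs("app.apk")` and compare each `sha256_fingerprint(cert)` to the fingerprint the developer publishes; a mismatch means the package was not signed by the expected key.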
[deleted] Personally I wouldn't recommend RiseUp VPN since I read some anecdotal information that they have given up information to authorities. So take that with a grain of salt.
I don't use RiseUp, but folks here might be interested in their statements about this FBI Story in an interview in 2020 (scroll down to that section)
https://pramen.io/en/2020/06/interview-with-riseup-tech-collective/
My understanding is that they were ultimatum'd by LE:
That whole canary thing was traumatic for us. We were facing indefinite jail time and fines up to $10k USD per day. It was also a holiday so all of our lawyer connections were not available. So it was very difficult to make a clear statement, that would not jeopardize us.
LE wanted email data from only 2 scammer accounts:
There were two accounts they wanted information on. The first one was just a mailbox that was full of spam and viruses that had accumulated in their account, they didn’t have anything other than that… so nothing at all interesting or useful for them. The other was the ransomware one, and its email was full of people begging the ransomware person to decrypt their personal data, or swearing at them for screwing them. We had no personally identifiable information, we had no logs, or IP addresses. We did have that mail, in cleartext, but it wasn’t anything that we should burn the whole thing down over. It’s really too bad that people thought we should have burned it all down for that.
They chose to live and give up the scammers, rather than die as an org.
Since then, they've implemented encryption which denies themselves access to email content and insulates themselves from these kinds of LE actions in the future:
We have been using full disk encryption for over a decade now. This means that you cannot just come and take our servers and access the data. Only riseup has access to decrypt these disks.
When the FBI demand happened, we were in the final stages of testing our encrypted mail system. This is another layer on top of our disk encryption. We had been working on this for years, and we were less than a month away from turning it on. Since then we’ve enabled that for all new users, and old users can turn it on as well. The emails can only be unlocked and read using your password. This means that Riseup does not have access to the plain-text versions of your email. We cannot read them, nor can we decrypt them in order to provide them to anyone who might wish to force us to. With this system, we’ve raised the legal bar, because the emails that we have stored are all encrypted, so we cannot provide them in response to a search warrant.
More details in the link.
A black spot on their record for sure, but I appreciate that they're willing to own up to it, fix their mistakes, and continue offering privacy-oriented services to those in need.
Also as far as I am aware, they are the only privacy oriented mailing list service out there, which is important for some organizing activities.
https://discuss.grapheneos.org/d/10634-privacy-respecting-group-mailing-list-service
matchboxbananasynergy On this section where you mention Obtainium, it might also make sense to bring up AppVerifier, which can be obtained via GitHub Releases (and therefore Obtainium itself), or via Accrescent.
They do. It's the "verify them yourself" link, just before the Obtainium paragraph.
Dumdum Ah, you're right. It still makes sense to mention it in the context of Obtainium, though. Obtainium doesn't do any verification on its own as far as I'm aware; it has explicit support for AppVerifier so that you can verify an APK before ever installing it. That interaction should be mentioned, I think.
anarsec this is a very good guide. Additional nitpick to what's being said already:
Continuation of my post above:
Overall your article is great already and I learned a thing or two from reading it. Thanks for putting in the time!
Thanks for the feedback. You can find a diff showing the edits here.
We recommend using the phone as an "encrypted landline". If you boot the phone when you wake up, 18hrs is a good amount of time for the auto-reboot if you won't be interacting with it except to receive a call, which is why we kept the recommendation "18hrs or less", so that the "landline" doesn't shut down on you half-way through the day.
Molly FOSS is used as an example because it's not available on the Google Play Store.
Unfortunately, apps obtained through Obtainium require manual updates — it will notify you when one is needed.
I missed this. This isn't true anymore. It can do unattended updates. It's not perfect since it's written in Flutter by someone who's not an Android developer and the libraries are a bit wonky, but it does work.
matchboxbananasynergy Hello, I use the link between Obtainium and AppVerifier. The problem with AppVerifier is that its database is quite limited, probably to the most popular apps. Is there any way the crowd can be leveraged to increase its coverage?
In other words, user profiles are isolated from each other — if one is compromised, the others aren't necessarily.
I'm not sure I understand this sentence completely. It's mentioned in the same context as Qubes. If I understand Android user profiles correctly, they don't provide additional protection against malware breaking out of the app sandbox (beyond the protections that the system already provides). But maybe I'm wrong?
zzz
Take a look at both these scenarios and tell me which you think is best for what the article describes its user as "anarchist."
https://riseup.net/en/about-us/press/canary-statement
https://www.reddit.com/r/mullvadvpn/comments/12swybw/mullvad_vpn_was_subject_to_a_search_warrant/
Would you prefer to recommend a logging policy or a no logging policy? I may have made an assumption on the threat level that this was working off of.
zzz Also as far as I am aware, they are the only privacy oriented mailing list service out there, which is important for some organizing activities.
They are connected to many friendly organizations that offer the same thing.
Do you have thoughts on best practice for verifying AppVerifier, in a way that is accessible to non-CLI users? Bit of a "chicken or egg" problem.
For instance, if the user obtains the AppVerifier apk from GitHub Releases, installs it, and retroactively uses AppVerifier to display the fingerprint of the apk they just installed, they can't really trust that it's showing them the true fingerprint. If AppVerifier was available on Google Play that could be the root of trust, but it's not. It's available on Accrescent, but this just moves the same problem to another apk because you need a (non-CLI) way to verify the authenticity of the Accrescent apk...
anarsec AppVerifier is also published on Accrescent.
Accrescent will soon be mirrored on the Apps app where people will be able to download it.
That means there will be a chain of trust from the OS to Accrescent, and therefore AppVerifier.
matchboxbananasynergy That is excellent news! Accrescent becomes a store officially proposed by GrapheneOS!