PIN Ordeal

Thank you for your response, GrapheneOS.

I must admit that given that my 2 other forum discussions have just been locked, perhaps what I've typed has offended one or more GrapheneOS folks. What can I type and/or do to try to repair the relationship? The "obvious" answer is "use the latest GrapheneOS," it seems, but that has challenges, which I'll explain later on.

In one of the now-locked topics, I was simply asking a question, then shared a self-answer, which someone else in the community liked, then a response from today seems to be that if I don't use the latest GrapheneOS version, I should not participate in the forum.

In another of the now-locked topics, I explained that I had indeed updated my GrapheneOS version to the latest one available for my device, which then involved obtaining the Google features via that latest GrapheneOS' Google-fetching features, but that Google Maps' Timeline feature still didn't work. Perhaps that was somehow unclear from my message.

Later in that same topic, I'm accused of going on an ignorant rant and attacking GrapheneOS and software developers without understanding how it works. Perhaps that response might be viewed in a different light, given the clarification of my previous paragraph, just above. I don't think that's a fair characterization.

I haven't intended to "attack" anyone. I'm unsure if some of the imagined possibilities I shared in the top message from today might have been offensive, but they weren't meant to be. I'm sure that many GrapheneOS users are distrustful of other parties: that's probably why they appreciate the efforts, time, and money spent by GrapheneOS folks towards extra privacy and security. The imaginary scenarios were intended to be aligned with other scenarios that I've read in other discussions. They weren't accusations, which is why I used the word "imagined." I appreciate your kind response ("no such thing") to one of them, which provides clarity for the community and for the curious.

I am a software developer, since roughly 1991. I am also a person who has major struggles with UI changes. I'm sure that there are many reasons for why much software these days mashes UI changes with security changes, but that causes me no end of grief. Please forgive me for occasionally voicing this concern to other software developers, at relevant times. Some day, maybe they'll be received well. I'd be delighted to enjoy the latest fruits of GrapheneOS, relative to security. Unfortunately, these do not appear to come separately from UI changes. (As an example, the unlock-code entry-dots are circles on my old GrapheneOS, but changed to pointy shapes in the latest Pixel 6a GrapheneOS in October.)

In response to "third party sourced Google Play apps": I've tried to clarify the situation, above: I did try the latest GrapheneOS and thus the latest Google Play software, in October. It didn't help Maps, so I reverted GrapheneOS.

I shared the timeline in today's first message. I disabled all Google items in either November or December. I do not perceive a relationship between that activity and my sudden grief 2 days ago, unless there was a ticking time-bomb or an exploit caused by those disabled apps.

I thought someone in the community here might respond with something like, "Ah yes, the old PIN screen with the weird count-down numbers. This is a known malware by celebrated hacker-group X and you've surely fallen victim to it, doubtless due to your old GrapheneOS version," or with something like, "Ah yes, looking carefully, I see that this fluctuating count-down timer is still the case, today. Neat! What a minor UI quirk, though." I'm sorry if this was perceived as a gripe about GrapheneOS: it wasn't.

In response to "Highly unlikely", as you doubtless known image-processing vulnerabilities come along, from time to time, and not even all that long ago. CVE-2023-41064 is a recent example for a different platform:

• https://nvd.nist.gov/vuln/detail/cve-2023-41064

So that imagined scenario was just a whimsical example. These imagined scenarios were just that: imagined and not projected as reality, nor accusatory of GrapheneOS incompetence.

In response to "used to having an insecure OS," what I'm used to is laptop and desktop and data-centre computers: having trust-keys on a chip, adjusted through a password-protected interface, where those keys are used to verify boot pay-loads, which then boot an OS which requests another password for LUKS-protected data. This is a clean separation between the data and the machine and so yes, the data can be placed into any other machine and accessed, if the data-password is known. If the "standard security model" (in the context of GrapheneOS and/or Android) is that the device should be a single point of failure for the accessibility of the data, then yes, I guess I'm not used to that.

Given some of the responses, it seems that I jumped into GrapheneOS too early: that is, I got used to the UI before backup/restore features were ironed out and now that they have been, I can't access those features without also confronting all the UI changes that will have come along for the ride.

Why are Androids and cellular telephones appearing to depart further and further from the laptop and desktop computer ecosystem, despite these former devices also being computers? I want my data to be conveniently accessible in a non-Android Linux. SeedVault only appears to have unofficial relatives for plain Linux. Why doesn't it produce a .tar.gz.gpg file, or some other format that standard Linux tools can manipulate with ease? Why does it require an already distrustful user to download unofficial software, in order to get at their precious data? Please note that I'm not actually asking this paragraph's questions with the hope of a response to them: they probably belong in a different topic after I am positioned to satisfy the "I'm using the latest GrapheneOS" condition. What I'm trying to do is to share context about the harsh score that I gave to SeedVault. I'm sure that SeedVault developers worked and continue to work very hard, and that their efforts are enjoyed by many or even most users. That's admirable. I wish it had worked well for my goals in its 2022 iteration.

About the secure element's retry-timer, after waiting more than 24 hours since my last attempt and trying again, the count of failed attempts has changed from 192 to 162 and the count-down message indicated that I ought to try again in "653 seconds." I took a picture. After waiting for that count-down to complete and after trying again, the message again noted "162 times" and to try again after 9XX seconds, but I didn't catch it with a picture. If it's true that the UI is reporting what the secure element reports, then perhaps this discrepancy can be explained by malware or perhaps it can be explained as unworthy of any attention because it's from a 2022 GrapheneOS version. I was expecting to be hindered by 1 attempt per day. Surely all of the newer GrapheneOS users having more than 140 attempts will be hindered at such a rate with clarity about that rate.

In an effort to foster a shared understanding of the recent responses to my attempts for discussion, would this be a fair notice for someone considering using GrapheneOS?:

Please note that it should be clear that GrapheneOS project participants (such as developers) have a focus on security and privacy, above all else; we're quite good at it and we certainly strive for it. Without infinite resources available to the project, the fact of the matter is that some considerations rank less than others, in priority. It's also unlikely that everyone can be satisfied by any project, so we make decisions about trade-offs and attention using our best judgment, which should go without saying.

For example, it's convenient for us to make releases in which security enhancements, privacy enhancements, feature enhancements, and user interface changes are all bundled together. The alternative strategy to release these subjects separately would be extremely cumbersome and complicated; you wouldn't enjoy it and we wouldn't enjoy it. We're always hoping to work for your best interests.

With this strategy, we expect, for example, that a tiny majority of GrapheneOS users might object to a seemingly trivial UI change, but still benefit from the overwhelming majority of the rest of the release. Some of our decisions are informed by considering the majority of users, as opposed to a tiny minority. Some UI changes are inherited by other parts of the Android ecosystem; outside of GrapheneOS efforts. If you are a person who suffers greatly from UI changes, GrapheneOS might not be the best choice for you. We know that some elderly folks and some folks having disabilities and even some other folks might be in such a situation. (You are unlikely to find a better alternative, though, elsewhere!)

Also, please keep in mind that sometimes updates don't always work as planned. Sometimes a bug might strike in even the largest crowd of software users. This possibility for GrapheneOS updates is no different than for any other software updates, although we don't find it likely.

If you do not keep up to date with GrapheneOS, not only do you expose yourself to historical risks that we address in our updates, but we're not interested in diverting resources to attend to the fall-out from your out-dated position. GrapheneOS participants want to maximize value.

NOTE: The above is not a quotation from any GrapheneOS project participant. It is imagined by me as the type of notice that might be fair to share with people who are interested in GrapheneOS.

Please try to read what I type with openness to charitable interpretations. I might not be an expert at writing frankly and leading to positive interpretations, such as light-hearted responses. I always hope for those, however. I apologize if what I typed included not-well-received criticism.

Cam: Where is my request for support, please?

yore: Thank you for your kind response.

In October, I took a SeedVault backup of my 2022-09 GrapheneOS, then updated GrapheneOS to the latest version, then attempted to restore that SeedVault backup. I've shared my disappointment about the results. My conclusion from this is that I started using GrapheneOS before its SeedVault backup was mature. ("Too early.") I also conclude from this that a "path" which might have "worked" would have been to have been updating, all along. If that path would have worked, I would conclude that GrapheneOS developers (along with many others) assume that this is the only legitimate path for everyone, but I'm personally aware of counter-examples and challenges to "always keeping all software up to date," including professionally. If only I had a nickel for every "2 steps forward, 1 step backward" update I've encountered, I'd be delighted.

I've seen the trend of "backwards compatibility is not important or too difficult; just keep updating" increase over the years. From my perspective, that attitude is conducive to planned obsolescence. I do not appreciate planned obsolescence. I recognize that there are economic incentives for planned obsolescence. I'm often challenged by those incentives.

My expectation for a well-designed OS is that with the exception of vulnerabilities (which are not relevant for a device which is not communicating with the rest of the world), once the OS and non-Internet-dependent apps are installed, what works at that point will work forever. (Until the hardware degrades or the electricity system changes.) Concern about incompatibility is not relevant for someone who does not update anything and who does not depend upon an external party, such as a party on the Internet. I'm not claiming to be in this position, but this is my expectation for good design.

[...] as they use their device OS as intended. [...]

It seems so automatic an assumption that "as intended" includes "keeping up to date." This wasn't always true.

I do not recall asking any developer to cater to my choices, in this topic. I tried to share a useful story involving GrapheneOS from my "user" perspective. I'm hopeful for compassion from developers with respect to some of the challenges. We often incorporate ramps for people who use wheelchairs, these days; seems like societal progress. Not all challenges are quite as obvious.

[...] you just never knew or cared about it. [...]

n3t_admin: Please refrain from making claims about someone else's inner state because you do not have access to it. I'm not aware of us being engaged in a formal debate, but avoiding discussing the innards of other people as a habit seems conducive to avoiding falling into:

• https://yourlogicalfallacyis.com/ad-hominem

[...] Getting free software updates with security fixes and feature improvements is [not planned obsolescence]. [...]

Please follow the plot. I didn't claim any relationship between GrapheneOS and planned obsolescence. If you perceived such a claim and that is why you consider me to have "twisted views," then I'll suggest that you might be engaging with a:

• https://yourlogicalfallacyis.com/strawman

Having typed that, please consider these 2 scenarios:

I plugged in a light-bulb, I turned on the light-switch, the light-bulb lit up.
[...50 years later...]
I plugged in the same light-bulb, I turned on the light-switch, the light-bulb lit up.

versus:

I plugged in a light-bulb, I turned on the light-switch, the light-bulb lit up.
[...50 years later...]
I plugged in the same light-bulb, I turned on the light-switch, the light-bulb did not light up.

Now please consider this real scenario:

October, 2022: I installed GrapheneOS, I used the Google-fetching feature to fetch Google features.
October, 2024: I installed the same GrapheneOS, I tried to use the same Google-fetching feature to fetch Google features, but I was unable to fetch those Google features.

Now please consider these possible, imaginary, mutually exclusive explanations:

The GrapheneOS service that responded to 2022 requests was found to have bugs, or to have security problems, or was found to be too expensive to maintain, or the original developers were no longer available, or it was found to have other shortcomings, so an alternative service was set up. The new service requires a newer GrapheneOS, which everyone should be using because it is granted that 2 years is "ancient history" in the fast-moving, fluid world of cellular telephones.

versus:

The GrapheneOS service that responded to 2022 requests could have been maintained. A better GrapheneOS service was developed and it could have continued to support the older GrapheneOS requests. Supporting older requests is conducive to people not updating, which is deemed to be against their own interests, so support for those old requests was intentionally removed in order to incentivize updating. It is granted that 2 years is "ancient history" in the fast-moving, fluid world of cellular telephones.

I'm not claiming that these 2 explanations exhaust the space of possible explanations. I'm not claiming that one of these must reflect reality.

Please consider this alternative, imaginary scenario:

October, 2022: I installed GrapheneOS, I used the Google-fetching feature to fetch Google features.
October, 2024: I installed the same GrapheneOS, I used the same Google-fetching feature to fetch Google features.

This is superficially similar to the 50-year light-bulb. The explanations above anticipate an argument about differences and are intended to demonstrate agreement that "there are differences from a light-bulb." I also know that a GrapheneOS release is not expected to include Google features.

Here are some more examples:

2003: I install an OS from a CD, I install some word processing software from a CD, I can make documents.
2025: I have a virtual machine. Inside, I install the same OS from its CD, I install the same word processing software from its CD, I can make documents. Because processors (etc.) are faster than in 2003, my experience of making documents is blazingly fast.

versus:

202X: I buy a computer that has an OS. I buy a license for word processing software. I can make documents. I always keep everything up to date, as far as patches go.
2025: I can mysteriously no longer make documents. I could, yesterday. My word processing software indicates that a newer version of the word processing software is recommended. It will require purchasing a newer license. I examine the system requirements for that newer word processor version. It indicates that I will need to purchase a newer OS. I examine the system requirements for that newer OS. It indicates that I will need to purchase a newer computer. I call a trusted party who explains to me that it's possible to use alternatives which avoid "the sales funnel" and "the subscription model of consumption."

(I'm not personally the victim of that most recent example.)

I've already shared about the old cellular telephone and the DD strategy and how great it is.

de0u: It's not clear to me why the "Secure Boot" example you've shared is any less applicable for mobile devices. If the Google Pixel 6a secure element's firmware's key is published online, then someone skilled in the art can sign a malicious variant of the firmware and it can eventually reach the secure element. Have I misunderstood some fundamental difference? "But a user has to approve the firmware upgrade!" Yes, and "a user" had to expose one of those "Secure Boot" computers to the root-kit, unless it arrived by wind-current. Is this an argument for "security through obscurity?" Something like, "most people use such-and-such OS, so most hackers target that OS, so most hacks are found for that OS, so that OS is less secure than another OS."

How about this?: You adjust your equipment to trust your own keys and you avoid "supply-chain" failures, such as that "Secure Boot" example.

For example, a firmware developer publishes their source-code. You scrutinize it. You trust it. You adjust it to trust payloads signed by your own key. You compile it. You use the existing firmware to authorize the installation of your firmware. A boot payload developer publishes their source-code. You scrutinize it. You trust it. You compile it. You sign it with your own key. One day, an exploit is found. You're paying attention to exploits, so you become aware of it. You decide this exploit is worthy of attention. You apply a patch.

[...] expecting them to lower their security to match desktops [...]

You might be arguing against one of these:

• https://yourlogicalfallacyis.com/strawman

I might not have been clear, earlier. My hope is to avoid a single point of failure, in data-accessibility scenarios. One way to achieve this is to have multiple copies of the data. I'm not currently aware of any cellular telephone software (other than DD, in yesteryears) which can take all data and securely synchronize it to another location, such that it can be accessed without the original and restored to a counterpart of the original. This has been possible with laptop and desktop and data-centre computers for a very long time, and it was possible with older cellular telephones.

Perhaps our disagreement is fundamentally about what "good security" means: if "good security" includes "I'd rather lose all my data during an incident than ever regain access to it," then that's not matched with my cellular telephone needs, in which "good security" includes that "I have different security-levels for different data. For some of those levels, it doesn't matter where my data is physically located, as long as I can access it, and nobody can access it without knowing what's in my mind." These are still both compatible with other security-concerns, such as "I don't want anyone to suspect that I have private data" and "I don't want to give any clues about my data's content" and "I want to blend in with everyone else" and even "I want a particular single point of failure for particular data, such that during an incident, I can forfeit that data, forever." I have lost family pictures during this ordeal; not state secrets. It's my fault for not backing up more frequently.

Maybe a "Venn Diagram" (in text form 😅) would help: if "Owner" profile has family pictures, if "SuperSecret" profile has state secrets, then when "Owner" profile access is lost, both family pictures and state secrets are lost. If only "SuperSecret" profile access is lost, then family pictures are preserved and state secrets are lost.

de0u: Please imagine this scenario:

Monday: You are driving an automobile. When you signal to make a turn, the signal flashes at an interval of twice per second.
The automobile manufacturer had a focus-group study. In that focus-group study, psychological studies showed that participants were happier about a once-per-second signal-flashing rate.
An automobile association report also showed that higher-frequency signal-flashing rates were involved in more automobile collisions than lower-frequency signal-flashing rates.
Given the results of both the study and the report, the automobile manufacturer decided that it's in the best interests of society and for that automobile manufacturer's consumers to reduce the frequency of the signal-flashing rate. The manufacturer sent out the adjustment in a software update.
Tuesday: You are driving the same automobile. It has received a software update. When you signal to make a turn, the signal flashes at a rate of once per second. Concerned, you take time off work and visit a mechanic. The mechanic charges you $50 for a diagnosis. Mystified, the mechanic then searches the Internet for the symptom, just as you could have done. The mechanic's explanation is that the automobile most likely received a software update.
You have gained: a day of worry and a lesson learned. You have lost: time from work and $50. The automobile no longer behaves the same way as the day you test-drove it, prior to its purchase. The automobile has become "fluid" and appears to require that you adapt to changes from its manufacturer, after its purchase. If you do not enjoy those changes, you can purchase another automobile and no automobile manufacturer will complain about that activity. In fact, since all automobile manufacturers issue software updates, you will most likely need to adapt to any automobile manufacturer's lively changes. If you opt to purchase an ancient automobile that has no software updates, a day eventually arrives that mechanics indicate that they haven't learned how to diagnose old automobiles like that and they have come to rely upon software for diagnosis; that you should buy a new automobile; that doing so is also safer and better for everyone.
Wednesday: You complain about the state of automobiles and software updates.
Friday: You are driving an automobile. The automobile receives a software update. The automobile is involved in an accident. You are unable to express further complaints about the state of automobiles and software updates.

Hooray for imagination.

Lucario1829: Thank you for your sympathy. I hope the 2 recommendations are useful to readers:

1. Write down your PIN, in order to bisect between a "you problem" and an "it problem."
2. Back up your data frequently.

yore: How did you know my computer's OS?! 🔮🤯 (Just kidding.)

I respect your conversation-related decision. Good fortune to you!

n3t_admin:

wall of text that tells nothing.

What a nasty, dismissive thing to type to another human being.

You expected a device that relies SOLELY on software (not like your light bulb example) to function without updates.

Wrong. If you cannot refrain from making claims about another person's inner state, then I do not anticipate much fruit from our discussion. I do appreciate that you have spent some effort because it leaves open the possibility that you have tried to contribute value, but I'm concerned. Why not attempt to "steel-man" my position, in order to ensure that you understand it, instead of arguing against a "straw-man?"

You didn't update because you cared more about UI/UX than stability and security.

"Care" is not the word I would choose to use. I wouldn't tell a person in a wheel-chair that they cared more about remaining in their wheel-chair than taking the steps to get into the rampless library. This is one of my complaints: I continue to perceive few indicators that modern software developers will strive for high UI consistency and instead I perceive many indicators that modern software developers seem to think that UI changes are rather trivial: a matter of the user caring about them or not. These days, it's pretty much guaranteed that a person who has severe struggles with UI changes will be screwed over by updates.

I enjoy the terminology described here:

• https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/standard-terminology-software-updates

Somehow, that company has had enough resources to be able to keep new features and UI changes available separately from bug-fixes and security-fixes, for years. Yes, they also offer "bundling" them together, but they do offer them separately:

• https://www.catalog.update.microsoft.com/Search.aspx?q=security

One possible argument for bundling UI changes and security- and privacy-related changes together is, "We don't have the resources to keep them separate." (Including resources to scrutinize and/or reëngineer an "upstream" source.) Another argument is, "We don't have that discipline." I suspect that there are other arguments, too. As I typed in my third paragraph at the top of this discussion:

(A case of "beggars trying to be choosers," one could argue.)

(If only that was understood by readers as trying to temper complaint with appreciation.)

I've mentioned how GrapheneOS in October of 2022 had circles for the unlock character-entry and that GrapheneOS in September of 2024 (I've erroneously typed "October" of 2024, in at least one earlier message; even less than 2 years!) had pointy shapes. I wasn't the only person who noticed it:

• https://www.reddit.com/r/GooglePixel/comments/17yufkn/any_way_to_disable_pinentry_shapes/

That person expressed the opinion:

[...] but it's just weird.
[...]

Maybe for that person, it's just a matter of caring about it or not.

I wonder if there was some e-mail thread involving peer-review, somewhere near here:

• https://android.googlesource.com/platform/frameworks/base.git/+/beeabf4b129056da25c25d3b82ff79bc6883c123

If so, I wonder if in that peer-review, someone suggested that the UI difference should be explicitly opted into by users, instead of becoming the default. I wonder if the default in upstream Android is the same as the default in GrapheneOS, or if one or more GrapheneOS folks perceived this to be better for privacy, so it should be the new default for new GrapheneOS.

Which also coincides with my statement that you "didn't care about updates". At least not enough to understand their value?

What an uncharitable expression of an estimation of the intelligence of a participant in a discussion-forum for an operating system having an appeal to users who are interested in security. Thank you for using a question-mark, there.

You also pretty much literally said that developers pushing updates (for VERY good reason!) are, more or less, promoting planned obsolescence by doing so.

No, I did no such thing. Literacy is important. I had typed:

I've seen the trend of "backwards compatibility is not important or too difficult; just keep updating" increase over the years. From my perspective, that attitude is conducive to planned obsolescence.

I believe that there is a difference between promotion and compatibility. For example, given this premise:

There are no laws regulating the production of smog.

We can have a neutral result for smog:

Nobody produces smog because nobody likes smog.

Or we can have a promoted result for smog:

"What we all need is more smog! Let's get to it!"

The lack of law doesn't promote smog, but is conducive for the promoter. Consider this alternative:

There is a law which penalizes the production of smog.

This law is neither conducive to smog nor does it promote smog. Perhaps the distinction in my mind is akin to:

• https://en.wikipedia.org/wiki/Necessity_and_sufficiency

It might very well be the case that many software developers are engaged with planned obsolescence. It might very well be the case that few software developers are engaged with planned obsolescence. The reason I'm not making a claim is because I haven't met all software developers and because even if I had, I do not know what's inside the minds of all software developers. I refrain from making a claim about their inner state.

A side-note regarding literacy and making claims about others' minds: in another discussion, I've typed:

[...] software developers seem mostly ignorant of how UI changes are not universally desirable.

The word "seem" is important, there. It means I could be wrong about that ignorance, but have little indication to the contrary, so far. The word "mostly" is important, there. I am personally aware of software developers who care about a consistent user interface and I suspect there are more than I'm personally aware of. Most of my observations are inconsistent with "consistent UI" and those observations appear to be ramping up, over the years.

Your "expectation" of a well designed OS also doesn't make any sense. Sooner or later the bundled certificates will expire and you will have similar problems if you don't update the OS.

Did you read this part?:

non-Internet-dependent apps are installed, [...] Concern about incompatibility is not relevant for someone who does not update anything and who does not depend upon an external party, such as a party on the Internet.

Which certificates are you imagining being used by a static set of apps and without a relationship to the Internet? Are the apps themselves signed with expiring certificates and cannot be launched after a certain date without adjusting one's clock? If apps are signed with expiring certificates, is that conducive to planned obsolescence or an impediment to planned obsolescence? 🤔