Toiletterider Yet you dont believe FRA (partner to NSA, similar expertise) doesn't have a working exploit for GrapheneOS? :) seems contradictory!
Nothing is contradictory. I am convinced there are very serious and exploitable vulnerabilities in the Linux kernel, including in radio drivers and external device drivers. This fact is widely recognized by everyone in the security and privacy community. The Linux kernel.. is not very secure.
I also do know there are commercial and state actors who do find these vulnerabilities and are able to build complete exploit chains. Cellebrite is a famous example on these forums that are talked about a lot, but they are far from alone.
I don't find it unlikely that FRA or NSA has such exploits. They are certainly competent enough and interested enough in having that. Also, I don't find it unlikely that police agencies might have access to similar exploits too, to reference what we have actually been discussing. There have been no mentions of FRA or NSA before in any discussion both of us have been in. Also, neither would share their exploits with the police for obvious reasons, the police would burn them on in-their-eyes low profile cases.
But- that it is possible or even somewhat likely that they have such exploits does not mean or imply that they actually do have such exploits. That is a pretty far step and pretty much stronger statement. And that they do have such an exploit does not mean or imply that they are actually using it in practice.
It is these two last statements I disagree with, that the Swedish police would actually have access to such exploits and would actually use them. Since nothing mentioned anywhere indicates there is any truth to this. But if they do, we want to know about it, so we can patch the exploits. GrapheneOS have been successful at stopping Cellebrite's exploits, despite not knowing details beyond that they verifiably have them and how they are used.
I think it is much more productive a worry about security vulnerabilities and exploits we do know exists, than those that hypothetically might exist, but for which there is a total absence of indications or even less proofs that they exist.
Toiletterider People really believe GrapheneOS running on a american Google Pixel with mandated gag orders to provide backdoors for the american IC - is safe from exploits....?
It doesn't make much sense to implement backdoors on hardware level. I never heard of anyone being mandated to doing that either. Firmware on the other hand, but GrapheneOS developers claim the firmware on Google Pixel is under much scrutiny by security researchers capable of auditing it, so if there was a backdoor there, chances are it would have been found by now.
All by law or gag order mandated backdoors I have heard about has been at app level. And always in closed source apps.
Toiletterider Same goes for PCs and Laptops. Even QubesOS is no problem for them.
Oh, I actually do believe QubesOS would be quite a bit harder for them to hack remotely or through malicious external devices. QubesOS has some very well designed protections exactly against these kinds of exploit vectors, and is well liked by activists just because of that.
Toiletterider Only way to prevent it is to use completely airgapped devices.
No, airgapped devices are not immune to getting hacked. Unless you never transfer data between that device and others in any way at all, but such a device wouldn't be very usable.