T

tV0gr

I only have a very limited experience with intune (it wasn't great), and there might be one or two thing that you might find desirable, but I don't think it would be a fundamental improvement.

1. A third party authenticator app (e.g. Aegis, Yubikey, or even Google authenticator). The option to enroll an authenticator other than microsoft in your microsoft account is in small text but it is there. There are plenty of tutorial.
2. You could use a different mail client. There are a few email client that support Oath2 for example, assuming it is allowed by policy. This could be time consuming and offers limited rewards. You might have instructions provided by NHS if you are lucky.

I wouldn't expect any of this to limit the type and quantity of data collected, but this might give you the option to better separate your work from your personal profile. I personally wouldn't trust Microsoft to make the distinction between my work and personal account, your opinion may be different. Storing some credentials on a Yubikey might make extracting them more difficult for an attacker. Not many malware survive a reboot and GOS support auto-reboot (Settings>Security and Privacy>Exploit protections). NFC only have a range of a few centimetres and you can put a pin on the Yubikey itself, so that any potential attacker bumping into your pocket will be greeted with a password prompt. There are alternatives to a Yubikey, Nitrokey is one of them.

Again I am no security expert. It's best that you do your own research.

0xsigsev I'd like more people to stop worrying and just use the software as it was intended to be used. No matter if it's android, iOS Linux or even windows. You will be fine as long as you will exercise caution and common sense.

As much as I agree with the part above I have to disagree with this one. 2024 was bad for cyber security for myself and looking at the news, for a lot of people. 2025 might be even worse. Last year I had to replace both my computer and router, and I experienced firmware issue on both of them. I never had that problem before. And somehow isolating my LAN from my ISP is now a lot harder than it used to be. I certainly have my own ignorance to blame but it is still more difficult than it used to be.

I know it's not what you meant but I have a problem on where "how intended to be" technology is heading. I don't need or want my smart TV to find new ways to link to my computer, or my OS to decide for me that I want to put everything on the cloud. Or my router to find new ways to interconnect my IoT devices to my ISP. Might as well be cancer.

I am just a N00b and I am no security expert. I am not saying that flatpak is inherently bad, but my understanding is that it could be used in more insidious way to run code or access resources that otherwise wouldn't be allowed.

As much as I use VM, hypervisor can also increase the overall complexity of the system. I would personally not assume that the hypervisor is hardened by default. I personally would not enable features like shared memory or shared clipboard if there is a need for more security; these are likely not the most important but they might be overlooked. Some hypervisor likely do better than others in term of hardening but I would suggest to read the manpages. Some hypervisor may also come with unnecessary packages, or lack features as provided by the package manager. It's on my to-do list so I can't speak too much for it. There are likely 50 other areas to harden first or I might have underestimated its importance.

raccoondad I meant to reinstall GOS using the command line as a way to regain confidence in his Pixel. I am under the impression that it is not the case right now.

I doubt it would affect GOS as well, but a cloud connected app might be at risk. I am doing my best to not make any assumption on where and how the phone is used, or what the other devices are. edit: I think the other "symptoms" should be necessarily discarded, whatever those symptoms are. I don't have the skills to analyse that.

I have never used this feature but to me this sound like a SIM PIN.

I am not an expert but if you feel comfortable doing this I would suggest that you remove the SIM card and re-install GrapheneOS using the command line. The installations instructions are quite good and needs to be followed to a T. It also works using a USB with a live linux image on it. That's probably not for everyone but once you have done it and needs to repeat the installation in the future it will be quite easy.

Again I am not an expert and I am not up-to-date with threats in real time nor do I pretend to know them all. While what you described might be caused by a SIM PIN, it doesn't necessarily rule out the other things you have observed. Do a quick research about Salt Typhoon and Volt Typhoon for example. They have been known to attack home and SMB routers, and there is a list out there of routers provided by ISP that are known targets and AFAIK those are not being patched. And although it was reportedly targeting high value target, the wiretapping infrastructure in the USA was targeted/compromised to some unknown extent, for months or possibly longer.

What Molasses said.

If AES throughput is an important factor then look at the specifications and choose your cpu carefully. If you are lucky a benchmark already exist. If you have a specific question about a specific motherboard then I would suggest to contact the motherboard vendor.

To me it look like your mind is already made up, short of this or that ryzen 9, and this ASUS TUF Gaming X670E-PLUS Or ASRock X670E Taichi Carrara.

Could be that your usb cable is broken and the phone is flat dead. Or you got heavy dust or debris in your phone usb port. If it's flat dead and nothing happen with a cable you know works, you might want to try to plug and unplug a few times within a few minutes and then let it charge. But that would be quite abnormal. Another possibility is that the charger or outlet or usb port you use is broken.

You might want to try the private DNS feature and compare. For example Cloudflare, Google or Quad9, to name a few.

I did not have the same symptoms but it seems to have removed a lot of "inconsistencies". I am not an expert but one thing to know with dns over TLS is that it's obvious that it's being used, and is reportedly easier to block than dns over https (AFAIK), which might be an issue in certain part of the world. I personally don't mind it to much and kinda like to have that notification that my connection to the DNS server is not working, which sometimes happens every now and then on some wifi but is quite rare.

I forgot. Don't take encrypted memory support for granted. The processor might but some BIOS might not. And you might want to double check that the feature(s) you plan to use out of encrypted RAM is supported by the distro and hypervisors and so on.

1. If you think that Gigabytes has built-in backdoor then I would suggest to stay away from the gaming line of Asus. Its gaming features seems to have a UEFI component (or I had a rootkit) and for the product I had from them I can tell you that some bios settings that should be present in the BIOS were only available with that armoury crate .. in Windows. And bare minimum firmware support. If you can find the words "linux support" in their other lines of products you just made a rare find!
2. I could be wrong as encrypted memory support is poorly advertised but I am pretty sure that only their ryzen PRO support encrypted memory. I don't even know if they are available for retail sale. I have only seem them in a few product from Hp and Lenovo. At least some of their laptops, if that suit your threat model.
3. One company that comes to mind is System76. But just like any other suggestion you would have to do your own homework.
4. If you plan on using virtual functions make sure that what you buy support them. The chip might support it but the BIOS might not. Or vice-versa. If that somethings that matter to you you might need a FirePRO.
5. AMD also has EPYC 4004 series processor, and you might be able to get a motherboard that doesn't have integrated audio. ASROCK, Supermicro and few others make motherboard for them.
6. Why not a mac?

I consider myself a beginner and IMO the biggest obstacle to make your own build that you might face is the ram and disk requirement. Otherwise for the default build its learning curve is mostly time consuming and I am not aware of a make menuconfig or similar that would let you conveniently choose your font. To give you an idea, the folder for grapheneOS alone is 216G after the build process is completed. Expect another learning curve just to build the emulator, which I think you should. Testing and compiling all of this in VM(s) can simplify the troubleshooting process by quite a lot.

There might just be a config setting to modify by hand and then compile everything .. or it might have cascading effect that may or may not be resolve after a few cycle of corrections. I don't think it should but it doesn't mean it won't .. I am a beginner with no experience customizing GrapheneOS.

For the signing infrastructure, the make_key is a standalone file that can be copied and you can generate the keys in a separate machine if you wish; there isn't much to it. I am pretty sure that the public and private key get copied over in quite a few places after its build is completed, including at least one zip file (using the m command provided in the build instruction for a pixel 7). I have not checked whether the encrypt key script handles all of this .. it likely does except for the generated zip files. Right now I am using the KISS principle and I am creating new keys every single times with OTA disabled. Until I am confident enough.

Before you go through all of this, if you choose to accept it .. you might want to double check that the font you are looking for is not in the pre-built font familly. On my device I see Default, Sans-serif, Sans-serif condensed Sans-serif monospace Serif, Serif monospace, Casual, Cursive, Small capitals.

Just did my first build and it worked fairly well (development branches). Hopefully the detail below help more than being annoying. It went surprisingly smooth, unlike compiling OpenWRT, except for one thing. I was a bit confused about signing and generating the certificates (I tried to explore the options); I will recompile after repo diff/ syncing and removing all the changes that I may or may not have done while trying to understand what I was doing. I was able to flash my phone with no issue. And I did made sure that the automated update were disabled as per the warning in the instruction.

My setup is a debian 12 vm using virsh with no graphics installed. What I did was (after following the instructions specific for Debian 12 and yarnpkg) to download repo from Google (manual method) and the required packages listed in "Install required software". Then for adevtool I followed the instruction from (what I hope is the) official github page. Since it mentioned minimum I installed node.js 22 using npm.

The repo tool and the .jar file from adevtool were all installed in the bin directory that I created in the home directory (~/bin). I then exported the path and added it to .bashrc . That's it. That and I found that I needed to restart from the beginning with lunch command if I were to exit the current session.

https://source.android.com/docs/setup/start/requirements
https://github.com/kdrag0n/adevtool/tree/main

And with this setup (no windows involved) I also saw the HOST_CROSS_OS=windows .