Now running…

  • GrapheneOS on the Google Pixel 6a mobile phone
  • DivestOS Mobile on the Google Pixel 3a mobile phone
  • Debian on my self-built desktop computer (for “work”)
  • Arch Linux on my self-built desktop computer (for “fun”, or to see the newest stuff)

Looks like this:

[Screenshots: GrapheneOS, DivestOS Mobile, Debian, Arch Linux]

Oh, and of course I’m also running the latest jams on the Wikiloops radio. You can participate in these if you like, why not give it a try?

Like always, thanks for viewing, reading, listening, and all that 🙂 Happy holidays 🙂

Update, from Wed Dec 20th, 2023:

According to the German security expert Mike Kuketz, GrapheneOS is the gold standard of all Android operating systems. His article is in German; only the parts where he cites Daniel Micay, founder and lead developer of GrapheneOS, are in English.

Privacy Guides has the same opinion and recommendation. See also Eylenburg’s comparison. And at AndroidAuthority. And maybe the best one at PrivSec.

Be aware tho that in case you reject all Google services and apps, you’ll also lose some of their “AI” and capabilities. Your choice. In that case, user profiles might help – one owner profile without, and a user profile with Google services (still sandboxed in GrapheneOS). And thanks again for reading.

One of the few reasons to start Windows…

… are updates when I read about them in online media. And today I’ve got their 23H2 version of Windows 11 (because I selected to not download and install as soon as possible):

As you can see, I’m using a local account, and that’s also the reason that their news isn’t personalised (and even if it were, it’s not that interesting anyway):

In fact, I mostly start Windows for these updates, and from time to time because I want to convert a raw photo from my camera with the OM System Workspace – and I probably should try that under Wine on Linux again. But OTOH, I also added another local account on my machine for our daughter, so she could try Genshin Impact on it. And although we only have the integrated graphics from our AMD Ryzen 7 5700G processors, seeing that on my Eizo Monitor with its 1920×1200 resolution is beautiful, and a much more immersive experience than having it on a phone, according to Zuleikha. So for the moment, Windows stays on my SSD, together with Debian (my main OS) and Arch Linux (for experiments).

Like always, thanks for reading.

P.S.: why don’t I download and install software as soon as it’s available? Because I like software when it’s ready, like the Debian Release team says: quando paratus est. For a rolling release and the latest and greatest, I have Arch, which I like a lot more than Fedora. (This article was written on it.)

So many updates…

During the last month or so, quite a number of bugs have been found, some of them prominent, and some severe ones which are actively exploited already, meaning that more or less everyone is affected, no matter what operating system(s) they use. That’s why more or less every operating system and program vendor is offering updates at the moment, and you should install all of them.

For instance: the webp image and vp8 video formats from Google, they are used in every major browser and even in programs you wouldn’t think of, like the Signal desktop and mobile clients which are basically Chrome browsers as well (just with another look). Or in-OS updates like libvpx on Linux and the equivalent ones on Windows, Macs, and so on – even “stable” operating systems like Debian 12 “Bookworm” are offering updates on almost a daily basis at the moment, and you should really care.

On Android phones, look for updates as well – the original Google Pixel devices which are still supported just got Android 14 (which has bug fixes), but ones on A13 or older should still get updates as well – and don’t forget to check the Google Play Store or its alternatives like F-Droid & Co. Play services as well in case you’re on standard Android. And for iPhones and the Apple iOS/MacOS world the same applies.

So do yourselves and us all a favour, and update your engines, ladies & gents. Thanks.

P.S.: older devices are potentially greater risks than newer ones, which is why Apple or Google and also 3rd party vendors like GrapheneOS only support their devices for a certain amount of time. Luckily, for the new Google Pixel 8 phones that supported time frame was now extended to 7 years, for these and older ones see here.

Older ones could still run at home with some risks accepted, and with OSs like DivestOS, like for instance our 11 year old Nexus 10 tablet or the Pixel 3a phone. That Pixel 3a for instance has Android 13 (which Google never gave it), and while the Nexus 10 tablet is still on Android 7 (which Google also never gave it), it still can have the latest security patches at least for the software side (but not for Qualcomm, ARM, or any other 3rd party hardware vendors of course, blame it upon them):

At least a bit more peace of mind, and even if that’s not a 100% solution, it’s still better than nothing, so we have to thank people like Tad (DivestOS) or Daniel (GrapheneOS) for all of their work. Please support them if you can. And see a comparison table of Android ROMs at eylenburg. Thanks.

Sigh…

Just saw the first little parts of what will become Gnome 45 trickling in, like in:

:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Packages (2) gnome-disk-utility-45.0-1  openpmix-4.2.6-1

Total Download Size:   1.87 MiB
Total Installed Size:  9.83 MiB
Net Upgrade Size:      0.03 MiB

And why does that make me sigh, you might ask? Well, because the guys at Gnome think they know better again, and will again break existing and working desktops for you, me, or everyone (worst will be for “the big guys” who make desktops like Unity based upon Gnome). See this article in The Register:

GNOME 45 formalizes extensions module system

I’m using four Gnome extensions which I’d really like to keep, which are OpenWeather, Freon, the built-in Workspace Indicator, and GSConnect, so I looked up https://extensions.gnome.org/ to search for version numbers, and as expected, none of them has a 45 version yet. And while it’s all documented by the Gnome developers, I’d like to wait until all these – for me – important things have updates before I’ll get a desktop which again throws out the baby with the bath water, many thanks.

Looking for / thinking about alternatives? Nah, not really. I never really loved KDE, and XFCE isn’t an option for me either, nor are others which mostly mimic Windows (like Cinnamon & Co.), or Enlightenment. So let’s see how this turns out.

But there is worse news, especially for those of us who are using Android phones, namely Google’s planned “Privacy Sandbox”. See this article:

Google Chrome Privacy Sandbox open to all: Now websites can tap into your habits directly for ads

Time to look out for another browser, see also in https://www.androidauthority.com/chrome-ad-topics-rollout-3362364/ – and it’s getting worse, since this will probably end up in AOSP. Chatted a bit about that with Tad who is the lead developer of DivestOS, and he assured me that neither DivestOS nor GrapheneOS would include these bits. But Google with its former infamous “Don’t be evil” mantra seems to turn to Orwell’s Newspeak lately, which is really bad. There’s nothing “private” about their sandbox anymore, so dump these Chrome browsers, and get Mulch or Vanadium (or better, Firefox) instead. Best solution for Android phone users: install GrapheneOS in case you have a current Pixel phone, or DivestOS for those whose devices would also be covered by LineageOS, or whose devices are too old for GrapheneOS.

And no, Apple is not an alternative. Security based upon obscurity never worked, I’m only dealing with Open Source here, no time for walled garden crap.

Like always, thanks for reading.

Update, from September 12th, 2023:

Here are some more links, some new some old, but take your pick or read them all if you care for real privacy:

https://www.theregister.com/2023/09/07/google_privacy_sandbox/

https://lifehacker.com/how-to-disable-google-chromes-new-privacy-sandbox-track-1847276073

https://www.forbes.com/sites/kateoflahertyuk/2023/09/07/new-google-chrome-targeted-ad-tracking-heres-how-to-stop-it/

https://theconversation.com/google-chrome-just-rolled-out-a-new-way-to-track-you-and-serve-ads-heres-what-you-need-to-know-213150

https://techcrunch.com/2023/09/08/google-flips-the-switch-on-interest-based-ads-with-privacy-sandbox-rollout/

https://www.theverge.com/2021/3/30/22358287/privacy-ads-google-chrome-floc-cookies-cookiepocalypse-finger-printing

https://www.zdnet.com/article/heres-how-to-opt-out-of-google-chromes-privacy-sandbox-floc-trials/

https://techcrunch.com/2023/01/17/privacy-sandbox-topics-api-criticism/

https://arstechnica.com/gadgets/2023/09/googles-widely-opposed-ad-platform-the-privacy-sandbox-launches-in-chrome/

https://en.wikipedia.org/wiki/Privacy_Sandbox

https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea

https://www.howtogeek.com/724783/how-to-opt-out-of-google-floc-in-chrome/

By far not the only sites and articles I’ve found, but enough to give you an idea why this is bad. And as I wrote above, it could be even worse on Android phones, where Google almost always has the ‘WebView’ authority, which means that any link you’ll click will be opened in WebView (aka Chrome), no matter if you have Firefox or other browsers set as your default. Only way to mitigate that is to use more private operating systems on your phones, like GrapheneOS (which uses their hardened Vanadium WebView), or DivestOS (which uses their hardened Mulch WebView, partly based upon GrapheneOS’s Vanadium (plus a few other goodies like an ad-fighting hosts file)).

Like always, thanks for reading, and for considering helping to make the web a safer place to be.

Update, from September 30th, 2023:

Here’s another one. Do yourselves and us all a favour, and don’t use that browser.

Nothing to Hide

If you’re reading this blog regularly, you might have asked yourselves why all the thoughts about security, privacy, freedom, and so on lately? And you might be one of those who say “I have nothing to hide”. Well…

This one is a must see. It helps if you understand English, French, and German at least a bit, but even if you don’t, watch it to the end:

This comes from the PeerTube, and it promotes those free and decentralised services, and for good reason as you will hear. So please do yourself and us all a favour and stop using Facebook, Whatsapp, and all of that – and replace it with something like Signal or even better, XMPP. We will all profit from it.

Oh, and in case you have an old Android phone which isn’t supported with regular updates anymore, try DivestOS. And if you have a new one from Google, try GrapheneOS (or else, DivestOS again). Sure you can’t live without that intrusive Play Store? Have a look at F-Droid instead. Or are you using Apple instead? Maybe think again… and please start encrypting. You can at least do that even if you stay with a standard Google or Samsung or Apple device.

As always, thanks for reading, and for viewing.

Curious. And interesting results… (with update)

Over in the discussion forum of GrapheneOS, there was an interesting topic, or so I thought, titled: “Brave vs Vanadium”. In it, someone asked about how the Brave browser did seemingly offer better protection against tracking and fingerprinting vs. the hardened Vanadium browser of GrapheneOS, tho this one might be more secure. Some others mentioned tests I hadn’t seen before, so my interest was piqued, I got curious myself, and wanted to see results. So here we go.

First, the Brave browser on my Arch Linux, with a test from fingerprint.com:

Aha. As expected, I saw my IP (that comes from the router, not my machine), the slightly false geolocation (our IPs always resolve way too far East for some reason), and a unique visitor ID. So there’s no “hiding”, trackers and advertisers always know exactly where you are as long as you don’t use VPNs or the onion routing network.

Second test, same browser, with EFF:

And yes, this is where Brave shines in my opinion. Randomized fingerprint plus ads and trackers blocked, that’s what I expected to see.

Third test, also found recently, the real blocking of ads:

Ouch. 72% or 108 of 150 tests blocked, here I expected something better…

Ok, someone in that discussion thread mentioned Edge, so same tests with that one:

Ouch again, this one’s definitely out. A unique fingerprint and no ad and tracker blocking whatsoever, this is one of the worst I’ve seen.

Onto my main operating system and browser of choice, Firefox (with uBlock Origin) on Debian:

Wow, far better than I had expected! A unique fingerprint according to EFF, okay, but that’s probably due to some extensions like WindowSizer and so on… but that it was 10% better than Brave in the real world ad & tracker tests, I must say that I’m impressed!

Ok, now it gets interesting – we’re on a phone operating system’s discussion forum, so let’s take phones into the equation, shan’t we? I have a Google Pixel 6a with stock Android from Google on which I normally use Firefox (also with uBlock Origin), so let’s see:

Cool… we’re down to “nearly unique”, and to 87% blocking of real ads & trackers… the best so far, isn’t it?

Wait, what about Vanadium? That I have on a Pixel 3a with GrapheneOS, so let’s see:

Also strong protection with a nearly unique fingerprint, but these 90% blockings of ads and trackers, that’s what I wanted to see, wow…

Subjectively, I see less ads in other browsers, so I guess I still have to continue reading and understanding it all – but kudos to the team over at GrapheneOS, you did a marvelous job!

As always, thanks for reading.

Update, from August 3rd, in the evening back at home:

Some people in the mentioned discussion forum over at GrapheneOS asked if I had an ad-blocking DNS provider configured in the Vanadium browser on that Pixel 3a phone, and another one asked to please also repeat a test using the Brave browser on a phone instead of a Linux machine.

Point 1: doh… (me silly, mea culpa, and so on) – of course I had set up a more or less secure environment with Graphene on that older Pixel phone, and that included setting up a secure DNS which also uses ad-blocking. So I had to repeat that test, could do it only today as I haven’t been home for a few days. So here you go, with:

Vanadium on GrapheneOS on a Pixel 3a, *without* an ad-blocking DNS configured:

Ouch! 4% block rate only, that wasn’t good… interestingly, with the same secure DNS configured again, at the first try it was raised to about 29 or 30% only, but that could have been session-related I guess; a later test with the browser newly opened went back to the 90% which I had before.

Point 2: the test with Brave on a phone. Did that while I was away, so here you go:

The fingerprint test, as you can see that was from a different location and IP address…

EFF’s Coveryourtracks test again, as good as before, and

The real world blocking test, exactly the same as on the desktop with Arch.

Now the *real* question was/is still unanswered, namely how both would compare under the same conditions, and from mobile phones. So to be fair to the Brave browser, I set up the same ad-blocking secure DNS provider in its settings, et voilà:

95%, and only 7 of the 150 tested “attacks” left unblocked, that’s the top position of my tests so far.

So how to answer that initial question about which one to choose? Hard to say, maybe I will install and leave both on that Pixel 3a with GrapheneOS, for me Vanadium will most likely always stay the default browser on Graphene (and its web view part anyway), but I will further test Brave when in doubt, or when I see something unusual and/or new.

I’m sorry that my first test attempt was a bit misleading, and I hope this additional one could clear up things a bit? In any case, and as usual, thanks very much for reading.