Sigh…

Just saw the first little parts of what will become Gnome 45 trickling in, like in:

:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Packages (2) gnome-disk-utility-45.0-1  openpmix-4.2.6-1

Total Download Size:   1.87 MiB
Total Installed Size:  9.83 MiB
Net Upgrade Size:      0.03 MiB

And why does that make me sigh, you might ask? Well, because the guys at Gnome think they know better again, and will again break existing and working desktops for you, me, or everyone (worst will be for “the big guys” who make desktops like Unity based upon Gnome). See this article in The Register:

GNOME 45 formalizes extensions module system

I’m using four Gnome extensions which I’d really like to keep, which are OpenWeather, Freon, the built-in Workspace Indicator, and GSConnect, so I looked up https://extensions.gnome.org/ to search for version numbers, and as expected, none of them has a 45 version yet. And while it’s all documented from the Gnome developers, I’d like to wait until all these – for me – important things have updates before I’ll get a desktop which again throws out the baby with the bath water, many thanks.

Looking for / thinking about alternatives? Nah, not really. I never really loved KDE, and XFCE isn’t an option for me either, nor are others which mostly mimic Windows (like Cinnamon & Co.), or Enlightenment. So let’s see how this turns out.

But there are worse news, especially for those of us who are using Android phones, namely Google’s planned “Privacy Sandbox”. See this article:

Google Chrome Privacy Sandbox open to all: Now websites can tap into your habits directly for ads

Time to look out for another browser, see also in https://www.androidauthority.com/chrome-ad-topics-rollout-3362364/ – and it’s getting worse, since this will probably end up in AOSP. Chatted a bit about that with Tad who is the lead developer of DivestOS, and he assured me that neither DivestOS nor GrapheneOS would include these bits. But Google with its former infamous “Don’t be evil” mantra seems to turn to Orwell’s Newspeak lately, which is really bad. There’s nothing “private” about their sandbox anymore, so dump these Chrome browsers, and get Mulch or Vanadium (or better, Firefox) instead. Best solution for Android phone users: install GrapheneOS in case you have a current Pixel phone, or DivestOS for those whose devices would also be covered by LineageOS, or whose devices are too old for GrapheneOS.

And no, Apple is not an alternative. Security based upon obscurity never worked, I’m only dealing with Open Source here, no time for walled garden crap.

Like always, thanks for reading.

Update, from September 12th, 2023:

Here are some more links, some new some old, but take your pick or read them all if you care for real privacy:

https://www.theregister.com/2023/09/07/google_privacy_sandbox/

https://lifehacker.com/how-to-disable-google-chromes-new-privacy-sandbox-track-1847276073

https://www.forbes.com/sites/kateoflahertyuk/2023/09/07/new-google-chrome-targeted-ad-tracking-heres-how-to-stop-it/

https://theconversation.com/google-chrome-just-rolled-out-a-new-way-to-track-you-and-serve-ads-heres-what-you-need-to-know-213150

https://techcrunch.com/2023/09/08/google-flips-the-switch-on-interest-based-ads-with-privacy-sandbox-rollout/

https://www.theverge.com/2021/3/30/22358287/privacy-ads-google-chrome-floc-cookies-cookiepocalypse-finger-printing

https://www.zdnet.com/article/heres-how-to-opt-out-of-google-chromes-privacy-sandbox-floc-trials/

https://techcrunch.com/2023/01/17/privacy-sandbox-topics-api-criticism/

https://arstechnica.com/gadgets/2023/09/googles-widely-opposed-ad-platform-the-privacy-sandbox-launches-in-chrome/

https://en.wikipedia.org/wiki/Privacy_Sandbox

https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea

https://www.howtogeek.com/724783/how-to-opt-out-of-google-floc-in-chrome/

By far not the only sites and articles I’ve found, but enough to give you an idea why this is bad. And as I wrote above, it could be even worse on Android phones, where Google almost always has the ‘WebView’ authority, which means that any link you’ll click will be opened in WebView (aka Chrome), no matter if you have Firefox or other browsers set as your default. Only way to mitigate that is to use more private operating systems on your phones, like GrapheneOS (which uses their hardened Vanadium WebView), or DivestOS (which uses their hardened Mulch WebView, partly based upon GrapheneOS’s Vanadium (plus a few other goodies like an ad-fighting hosts file)).

Like always, thanks for reading, and for considering in helping to make the web a safer place to be.

Nothing to Hide

If you’re reading this blog regularly, you might have asked yourselves why all the thoughts about security, privacy, freedom, and so on lately? And you might be one of those who say “I have nothing to hide”. Well…

This one is a must see. It helps if you understand English, French, and German at least a bit, but even if you don’t, watch it to the end:

This comes from the PeerTube, and it promotes those free and decentralised services, and for good reason as you will hear. So please do yourself and us all a favour and stop using Facebook, Whatsapp, and all of that – and replace it with something like Signal or even better, XMPP. We will all profit from it.

Oh, and in case you have an old Android phone which isn’t supported with regular updates anymore, try DivestOS. And if you have a new one from Google, try GrapheneOS (or else, DivestOS again). Sure you can’t live without that intrusive Play Store? Have a look at F-Droid instead. Or are you using Apple instead? Maybe think again… and please start encrypting. You can at least do that even if you stay with a standard Google or Samsung or Apple device.

As always, thanks for reading, and for viewing.

The reasonable OS choice for older mobile devices

In my recent discussion in one of the GrapheneOS forum threads I was reminded not to encourage people to use that system on devices which aren’t supported anymore, like for instance our Pixel 3a. My follow-up question on how to best preserve such older but perfectly working hardware from becoming landfills, one of the suggestions were that if your tasks don’t really need the highest security, one should probably have a look at DivestOS instead.

And yes, I have read good things about it already, both in the German-speaking blog of Mike Kuketz, and also on the blog of a photographer friend from Florida, US of A. Mike pointed to the About page which states:

DivestOS is a full-time passion project (not a company) maintained solely by Tad (SkewedZeppelin) since 2014. It has many goals, but primarily: prolonging the life-span of discontinued devices, enhancing user privacy, and providing a modest increase of security where/when possible. The devices DivestOS supports are not fully free (as-in-freedom) and there are many security issues we cannot solve such as insecure proprietary blobs, insecure firmware, insecure bootloaders, and insecure ancient kernels. We are also fully aware of our “off-the-rails” approach, however mostly attribute it to the sheer effectiveness provided by “80%” solutions instead of mulling around and not doing anything. We genuinely believe that what DivestOS offers is something unlike any other project, especially with regards to the project scope and our persistence. We hope you find some benefit in our fruits, and remind you to have fun!

And just like the guys from GrapheneOS recommended DivestOS, Tad also writes in the Patch Levely page:

If you want a reasonably secure and well-maintained device, please acquire a newer Pixel (6/6a/7) that is fully supported by GrapheneOS and use it instead.

And that is true. GrapheneOS is probably the most secure system I’ve seen so far, and DivestOS does all they can to provide system updates for devices which aren’t even supported by the hardware vendors (and therefore, also by GrapheneOS) anymore. They even have monthly updates for our 11 year old Google Nexus 10 (Codename “manta”) tablet and its Android version 7 “Nougat”, can you believe that? So it’s this 80% effort Tad writes about which goes a long way, and which helps us all a lot – thanks man!

I’ve made three screenshots of the Pixel 3a running it, still unaltered by me (that came later). Looks like this out of the proverbial box:

DivestOS20 (Android 13) on a Google Pixel 3a, home, apps, and system info screens

So that seems to be the system for older devices. For newer ones, it depends on you or me: stock Android with all its AI goodies like Live Translate from the Google Assistant, or a much more spartan but really more secure GrapheneOS? Only you can decide. At least the Graphene web installer makes it easy in case you want to have a look…

So it’s a big “Thank You!” to people like Daniel and Tad. And like always, thanks to you for reading.

Update, from Sun 20 Aug: here’s an updated version of my home screen on the Google Pixel 3a with DivestOS as the operating system, Lawnchair as an alternative system launcher, itself being updated by Obtainium and directly through GitHub. So it now looks like this:

Themed icons and all, very cool. Almost like a stock Android, but better.

Like always, thanks for viewing, and for reading.

Curious. And interesting results… (with update)

Over in the discussion forum of GrapheneOS, there was an interesting topic, or so I thought, titled: “Brave vs Vanadium“. In it, someone asked about how the Brave browser did seemingly offer better protection against tracking and fingerprinting vs. the hardened Vanadium browser of GrapheneOS, tho this one might be more secure. Some others mentioned tests I hadn’t seen before, so my interest was piqued, I got curious myself, and wanted to see results. So here we go.

First, the Brave browser on my Arch Linux, with a test from fingerprint.com:

Aha. As expected, I saw my IP (that comes from the router, not my machine), the slightly false geolocation (our IPs always resolve way too far East for some reason), and a unique visitor ID. So there’s no “hiding”, trackers and advertisers always know exactly where you are as long as you don’t use VPNs or the onion routing network.

Second test, same browser, with EFF:

And yes, this is where Brave shines in my opinion. Randomized fingerprint plus ads and trackers blocked, that’s what I expected to see.

Third test, also found recently, the real blocking of ads:

Ouch. 72% or 108 of 150 tests blocked, here I expected something better…

Ok, someone in that discussion thread mentioned Edge, so same tests with that one:

Ouch again, this one’s definitely out. A unique fingerprint and no ad and tracker blocking whatsoever, this is one of the worst I’ve seen.

Onto my main operating system and browser of choice, Firefox (with uBlock Origin) on Debian:

Wow, far better than I had expected! A unique fingerprint according to EFF, okay, but that’s probably due to some extensions like WindowSizer and so on… but that it was 10% better than Brave in the real world ad & tracker tests, I must say that I’m impressed!

Ok, now it gets interesting – we’re on a phone operating system’s discussion forum, so let’s take phones into the equation, shan’t we? I have a Google Pixel 6a with stock Android from Google on which I normally use Firefox (also with uBlock Origin), so let’s see:

Cool… we’re down to “nearly unique”, and to 87% blocking of real ads & trackers… the best so far, isn’t it?

Wait, what about Vanadium? That I have on a Pixel 3a with GrapheneOS, so let’s see:

Also strong protection with a nearly unique fingerprint, but these 90% blockings of ads and trackers, that’s what I wanted to see, wow…

Subjectively, I see less ads in other browsers, so I guess I still have to continue reading and understanding it all – but kudos to the team over at GrapheneOS, you did a marvelous job!

As always, thanks for reading.

Update, from August 3rd, in the evening back at home:

Some people in the mentioned discussion forum over at GrapheneOS asked if I had an ad-blocking DNS provider configured in the Vanadium browser on that Pixel 3a phone, and another one asked to please also repeat a test using the Brave browser on a phone instead of a Linux machine.

Point 1: doh… (me silly, mea culpa, and so on) – of course I had set up a more or less secure environment with Graphene on that older Pixel phone, and that included setting up a secure DNS which also uses ad-blocking. So I had to repeat that test, could do it only today as I haven’t been home for a few days. So here you go, with:

Vanadium on GrapheneOS on a Pixel 3a, *without* an ad-blocking DNS configured:

Ouch! 4% block rate only, that wasn’t good… interestingly, with the same secure DNS configured again, at the first try it was raised to about 29 or 30% only, but that could have been session-related I guess; a later test with the browser newly opened went back to the 90% which I had before.

Point 2: the test with Brave on a phone. Did that while I was away, so here you go:

The fingerprint test, as you can see that was from a different location and IP address…

EFF’s Coveryourtracks test again, as good as before, and

The real world blocking test, exactly the same as on the desktop with Arch.

Now the *real* question was/is still unanswered, namely how both would compare under the same conditions, and from mobile phones. So to be fair to the Brave browser, I set up the same ad-blocking secure DNS provider in its settings, et voilĂ :

95%, and only 7 of the 150 tested “attacks” left unblocked, that’s the top position of my tests so far.

So how to answer that initial question about which one to choose? Hard to say, maybe I will install and leave both on that Pixel 3a with GrapheneOS, for me Vanadium will most likely always stay the default browser on Graphene (and its web view part anyway), but I will further test Brave when in doubt, or when I see something unusual and/or new.

I’m sorry that my first test attempt was a bit misleading, and I hope this additional one could clear up things a bit? In any case, and as usual, thanks very much for reading.

Still experimenting with GrapheneOS

Still trying to figure out GrapheneOS on my late brother Willi’s old Pixel 3a phone. Turns out that with the sandboxed Google services activated, you can have the best of both worlds – one profile with free and open source apps, one with all the usual Google Android Apps in case you want these. With the same background picture of our late cat Tuna from 2020, that looks like this:

GrapheneOS with different profiles, open source and Google Apps

As you can see, you can even have the famous Google camera. What I have not found yet is the original Pixel launcher, guess you’d have to use a lookalike like Lawnchair2 or so to get the same look and functionality like on a Pixel with only the Google Android on it.

But this here is way more secure, as all of these apps are sandboxed and don’t have system-wide privileges, unlike with Google’s version of Android. I’m tempted to use it on my main cellphone as well…

Oh, and although installing GrapheneOS is easy especially with the web based installer, there are still some nice video howtos from people like Side Of Burritos, Cozy Living Machine, or Naomi Brockwell. Just in case you want more than just *my* opinions…

As always, thanks for reading.

Using KDE Connect / GSConnect for battery life

I’ve had problems with swollen batteries on both the old Google Nexus 5 and also the Pixel 4a devices. Nice as they were, this was probably my own fault: like the company’s laptop/notebook, I had them “plugged in” (into their power adapter) pretty much all of the time, and I’ve only recently learnt and read that doing so is putting lots of stress on those rechargeable batteries.

So with the remaining devices (one Pixel 3a which I re-inherited from my late brother, after originally having bought it for Mitchie who gave it to Zuleikha who gave it to Willi – and my Pixel 6a which was a gift from my family and the first ever new phone I’ve got), I’m a bit more careful. What I’ve read is that you shouldn’t let the batteries run out completely and you also shouldn’t always charge them until they’re really full – an 80/20 rule would be much better for longevity. So I’ve decided to use that 80/20 rule whenever possible – meaning charge them when the batteries reach 20% (turning on their battery saver at that percentage as well, in case I don’t see it), and charge them up to 80% mostly, and only to the max if I know I’ll be out of the house for a while and want them to last as long as possible.

They last long anyway, at least with my way of using them. Here’s a screenshot from the 3a where you can see the reloading to about 80% spike after a few days:

That one lasts long because first, I don’t use it that much (it doesn’t even have a SIM card, so I use it via WLAN only), and second I had its original Google Android operating system replaced with GrapheneOS which doesn’t “call home” as much as the original did. In fact, no Google services on this one at all…

… but also the Pixel 6a is pretty good once I turned off everything I don’t really need, like location history or Google’s “Fit” and other stuff. This one *does* have a SIM card, but I also don’t use it really often, so here’s a screenshot showing that I charged it to 100% last Friday evening, and the screenshot was taken this morning, at 25% battery life left. As you can see, I’ve used it for reading a bit, with a free PDF viewer:

So how do I keep track of charging them up to 80% only, instead of full? Easy: I’ll get a notification from my computer, like this:

And that one comes from a program / an extension on my desktop which is called GSConnect. You can set it like this, like here for the Pixel 3a:

On the phones, the application you have to install is KDE Connect, and you can get that from the F-Droid store in case you don’t want to be logged in into Google just to use their own “Play Store”.

The application can do lots more than just notify you about the battery status, but that is what I usually do with it – looks like this on the Gnome desktop:

According to its Wikipedia page, KDE Connect is also available for Microsoft Windows and for Apple’s MacOS, but I haven’t tried these. Go on and see for yourself if you’re using these. It’s built right into KDE (their “Plasma” desktop) in case you want to try that as well.

Hoping that this is useful for anyone. Like always, thanks for reading.

Containers are good, but…

Recently I have been reading a lot about computer and other hardware (phones for instance) security, and believe it or not, at this moment I think that GrapheneOS on a recent Android phone (it only supports Google’s Pixel devices because of their Titan M chips) is the most secure environment you can run right now – at least as a private person.

The problem with computers start at the kernel, and though Linux or the BSD family of operating systems are better than anything Microsoft or Apple, they are not without faults. A recent Linux kernel has probably thousands of kernel bugs, and the BSDs are only slightly better in that regard.

So what is the solution? The already mentioned GrapheneOS takes the Android approach of process and syscall isolation, with “sandboxing” as much as possible, and in this regard it might even beat Apple’s iPhones which are also quite good. On desktop and notebook computers, it’s the monolithic kernels which are the base of the problem; if an “application” (a program as we called them during my time) gets affected by an attacker, it’s relatively easy for them to break out of the program’s environment, and to take over everything, often with root rights (especially on Windows, tho it’s getting better).

When a few years ago Docker was the next big thing, my reply to it was that this wasn’t anything new – Solaris or the BSD family had containers or “jails” since I could think, so what was the fuzz about? Big Tech wants people and companies to move back to the “cloud”, and there these concepts are really needed, and so Docker and Kubernetes are now really big.

And what about the home desktops and notebooks?

Well there are interesting developments like for instance gVisor or Google’s “Fuchsia” operating system with its “Zircon” microkernel, and Daniel Micay – head of GrapheneOS – thinks that this is the future. But they’re not ready for everything yet, each isolation layer takes its toll (and will probably introduce more and newer bugs as well), and so for realtime processing like we need it for making (recording) music for instance, that’s a no go – maybe we’ll have to really separate the whole (“bare metal”) machines from the internet for these tasks?

Whatever it will be, that will be interesting to follow. Oh, and in the meantime, I’ll have it all, like a Windows 10 *and* a FreeBSD 13.2 on my Debian 12, like here:

At the same time, on another screen:

And while writing this, these “throw away” virtual machines you see in my first screenshot are history already – don’t need them anymore…

As always, thanks for reading.

About phone (and desktop) security

I know at least one former colleague who really cared about privacy and security concerning his mobile phone. And this morning, I’ve heard an interesting interview with Gabe, one of the developers of GrapheneOS, using NewPipe on GrapheneOS on my late brother’s Pixel 3a device – that looked like this:

That’s one and a half hours of a really interesting interview, so it’s really worth it. And I can confirm how secure those mentioned Titan M chips are, not even Google could hack or circumvent those, so if I wouldn’t have been able to guess my brother’s passcode, that device of his would have been an expensive paperweight.

I also liked how Gabe gave lots of credits to Apple because of their long-term support of their iPhones and devices, but yes, with the Pixel 6 and newer, things are improving on the Android side as well.

About desktop security: it’s actually worse than this, the same interviewer has some other interesting videos about that, or tips how to use Tor on your phone.

Recommended listening. And like always, thanks for reading.

Most popular on XDA

Well this is interesting. Over at XDA Developers, there’s an article about the “Most popular custom ROMs for Android in 2023“. And of course on top of that list there just had to be LineageOS, as it’s probably the most popular custom ROM anywhere, not only on the XDA developers’ site.

What’s more interesting than that is the place 2 of the list, which is PixelExperience, or PE in short. And that’s interesting because it supports lots of vendors, and it turns their devices basically into almost original Pixel phones (minus the hardware like Titan chips of course). Haven’t tried it yet, but for the Pixel 3a like for many others there’s Android 13 available.

Until now, and both on the Google Nexus 5 and now on the Pixel 3a, I have tried /e/OS, LineageOS, and most recently now, GrapheneOS – so I’ve had basically every possible experience with and without Google services like microG or even the original ones (also on original phones). And all of these have their virtues, and also their different goals. While some of these ROMs simply prolong the lifespan of your device, others try to avoid Google and are built more on security aspects like application sandboxing and memory isolation. All valid reasons to try something different than a Google or Apple (or Samsung or any other) device.

I find all of that interesting. If the 3a (or the 4a) were still my “daily drivers”, then I’d be glad that I have choices, and would try and check if GrapheneOS and the app from my bank like each other. If not, I’d probably try PixelExperience – or any other one which supports the devices longer than Google does. The 3a is out of support since a while, the 4a will soon be, and so on… and anything is better than throwing devices away, isn’t it?

Thanks for reading.

Trying GrapheneOS

The last update of the inofficial version of LineageOS I had on my late brother Willi’s Pixel 3a phone went bad. Which is okay, not everyone has every device to test, and remember that these developers from XDA do it all for free and in their spare time.

So after reading an interesting poll in AndroidAuthority, together with a test of GrapheneOS on a Pixel 6, I decided to try it on the 3a. And what should I say – it looks *very* minimalistic but is brilliant under its hood, and again I’m learning a lot. Here’s an almost standard home screen from which I removed one app shortcut (the one for the gallery which is empty at the moment anyway):

GrapheneOS on a Google Pixel 3a phone

Wonderful.

So to make it short: for now, I answered that poll with: “No, I’m happy with Google’s default experience” because I wouldn’t flash any third party OS onto a device which is still supported. But for an older one – as long as you can get images for them – this is a good choice in my opinion. So in case you *do* have a Pixel phone which is about to run out of support, and if you don’t need the Google Wallet for payments, GrapheneOS is worth a look. It can even run Google’s Play store in a sandbox in case you’d need that (which I don’t).

Like always, thanks for reading.