David Micay, the inventor and technical lead of CopperheadOS, left the company after a breakdown in communications with his business partner. He now leads the GrapheneOS project which can be considered the Copperhead OS successor.
Between https://grapheneos.org/ with source under an open license along with what reads as a fair attempt at presenting the split, and op... I'd certainly prefer the open os as my secure os...
This is an ironically caustic comment on a matter which has plenty of first hand accounting you could link to, but prefer to simply label him as toxic.
And IMO, it's extremely misrepresentative, but if you could link to some displays of what you're referring to then I suppose we could debate what you mean by "toxic".
> Daniel saying Mozilla is using 4chan posts to attack him.
And of course you don't show any context at all.
> Daniel stating he feels Brave has nefarious intentions.
The DRM is a valid issue. Brave is not impervious to all criticism.
> Daniel Micay attacking the Tor Project for considering use of his hardened allocator
That's not what happened at all. He never attacked them for that. He debunked the nonsense that Tom Ritter was posting. The Tor Project never even considered using hardened_malloc either. I suggested that Whonix use hardened_malloc and so HulaHoop (another Whonix developer) asked if this could affect web browser fingerprinting on the mailing list. No Tor Project developer made any indication that they wanted to include hardened_malloc - quite the opposite.
Considering that hackernews throw a fit every time they see an attempt at monetization via cryptocurrency, and that the guy is seemingly complaining about the same thing, I don't think linking the Brave thing is helping your case...
I have actually seen mozilla(-sphere) people attacking the reputation of people doing valid criticisms on their bugtracker.
I don't accuse Foundation/Corp members directly. It could be "volunteers".
As for the last point, anyone can clearly see that Daniel is refuting the fact that jemalloc is insecure. There is no discussion of using hardened malloc at all. Nobody is being attacked for using hardened malloc. Only some misinformation has been corrected as others have pointed out
Please read the contents of that link and you'll arrive at the same conclusion
I get why people can be pissed at Micay.
He is very principled and exact. But not false. Always calm even in the tweets around the split.
It's immature to label this as toxic.
Toxic means to me:
- Using drama intentionally to destroy a conversation/community/person
- Creating a personal cult around oneself to farm uninformed defenders.
- Scaring away productive but timid people by actual foul language and tasteless ingroup humour.
I don't agree with a bunch of Micay's opinions. But when it comes to technical facts, I can't argue much because he is so exact with this. But I have never seen any emotional insults from him nor any emotional manipulation.
You are either misinterpreting his replies and comments, or intentionally trying to mislead readers into thinking he actually falls into that category when in reality most people just don't like how crude he is in responses. In other words, your labeling of him is inaccurate, regardless of intention unless you somehow misworded your message. Ironically enough, I could just as easily label you as toxic for saying something I don't like, as I'm sure you'll do the same with this comment because it's in your best interest to not look bad, or out of sheer misinterpretation or assumption of tone in text. Depending on context, replying a certain way doesn't really justify others indefinitely labeling you as "toxic".
This isn't even mentioning how others constantly attack him and serve null points as if it's a gotcha moment. If you don't like him, just say so instead of slandering him on such a subjective matter.
Not a word about Secure Enclave in iPhone, it should be explicitly stated that the discussion is about Android/Linux Phones only. Otherwise, the conclusion that the most secure phone on the market today is the Pixel with CopperheadOS is not accurate (in my first read I interpreted it as it is the most secure phone not the most secure Android).
The post is on the website of Copperhead, who maintain CopperheadOS, an alternative Android ROM.
Writing about the Secure Enclave would be pointless because it's completely unrelated to the domain the article was written for. Maybe they should add a line "oh by the way, Apple does things differently" because much more than just the security chip is done differently by Apple, but that wouldn't make much sense either.
The article does have a short bit about the secure element in the phone, which serves a very similar purpose to the secure enclave, except less well-integrated because Android device manufacturers don't control all the hardware.
Even though the article you linked is not about an iPhone, I'll respond as if it was, since there have been published iPhone vulnerabilities recently.
You rarely hear about Android exploits, since the devices are assumed insecure, whereas when an iPhone vulnerability comes out, that's a big deal. iPhones are miles ahead of Android, Pixel is the closest and they're still far.
Case in point: You never hear about how the government couldn't open some bad guy's Android, do you?
The new copperhead site reads like a marketing piece. All the tech explanation looks copypasted or typed while on coke John McAfee Style.
They state on their site (copperhead) that only 2 months after split with Daniel the rom got updated again.
That is not true. I was affected by the split and there was no update that early, while Daniel continued development.
My account has been created solely to defend Graphene here btw.
But this is my usual nick I use everywhere else.
I am a longtime passive reader.
The Copperhead site states that they support Zero Touch Provisioning of devices.
That involves Google and Vendor infra and as far as I know this can't enable installing custom roms from inside Google roms. I might be wrong there because I didn't dig that deep into MDM provisioning. But enough that it didn't seem anywhere open source friendly.
Fwiw the degoogled phone experience is rough: I installed GrapheneOS on my Pixel 4 XL 2 weeks ago (yes I appreciate the irony to have to use a Google phone to ... degoogle your life :)
The notifications aren't working properly: this morning my alarm didn't ring and this evening a reminder didn't fire either.
The Fdroid store is nice but it lacks a lot of well designed apps.
I don't have access to my bank app.
KeepassDX (password manager) doesn't work in the chromium forks available.
The AOSP keyboard doesn't "learn" and doesn't offer suggestions for the next word I might type. I can't change the layout. I tried another keyboard from FDroid, it didn't even have auto completion.
A lot of things aren't customizable like the ugly icons (looking at you Bromite! ;)
So for the first time my phone isn't my enemy but it's so limited that I'm not sure it's worth continuing using it.
For the first time I'm thinking going to Apple. I know their privacy stance is mostly marketing but they scare me less than Google. I don't know.
You can get access to your bank app via Aurora store, available on F-Droid. It is a front end to google play store and allows install/update of the apks. It also shows you the report on what trackers are known in each app.
Note that without google services, some app functionality that relies on it may not work, like notifications. The alarm app is bundled with AOSP so should work, weird.
Keepassdx works fine with Vanadium for me. Magikeyboard is amazing for auto type.
That being said maybe the pixel 4 builds aren't as mature. I am running on Pixel 3a and it has been smooth sailing. A phone experience I have long been waiting for.
Also the project is not as well resourced as big companies, so some bugs and rough edges are expected. Support the project financially if you want a viable open source and secure mobile os.
Hi, I didn't install the Aurora store because if I install non open sources app I'll get tracked again.
In terms of privacy what does it imply to install the Aurora store? I didn't look much into it, I thought I would get everything with FDroid.
The AOSP clock adds an audible notification 1.5 hour before the alarm (this was silent on my regular Google Android build). If I deactivate the notification, the alarm is still triggered but I have to go into the app to deactivate it (and I'm not sure how reliable it is).
I installed the clock from SimpleMobileTools. It's reliable 80% of the times which isn't ideal for an alarm!
A lot of apps on FDroid are outdated and warned me that they were made for an older version of Android.
I would support the project financially if I stay on it, but the way I see it if I want to remain on GrapheneOS I'm going to have to code (or modify) all the apps I need.
I have 0 knowledge in mobile dev, and frankly I'm not exactly thrilled to have to spend all of my next year free time to build what I need.
I'm not exactly thrilled to go to Apple either, and at this point I think I'd rather go without a mobile phone than to go back to Google.
I only have my bank app, RSA token app (needed for work, nonnegotiable) and music app (Deezer) from Aurora. Blokada blocks trackers well enough. Yes it is a compromise but atm, like you have indicated, no-compromise is not very usable.
I have keepassdx version 2.8.7 installed and it has magic keyboard. Go to settings > Form filling and play around with magic keyboard settings.
Yes F-Droid has some outdated apps, and it seems to by default install an older app version. You can check and usually you can upgrade to a newer version if it's in the repo. Otherwise, some apps or authors do have their own repos you can add.
Magikeyboard is a function you enable in KeepassDX. Gives you an extra 'keyboard' you can switch to just for entering passwords. Stops other apps being able to swipe your passwords from your clipboard.
There are endless launcher apps and icon packs you can get from F-Droid or elsewhere if you want to change the look of your phone.
AnySoftKeyboard is the keyboard on F-Droid with the most features
High security hardware/software is such an awful market.
You get open source fanatics that will cut you down any chance they get. Nothing is ever good enough and god forbid you want to charge money for anything.
Most actually don't know anything and can't distinguish good products from bad. They are just paranoid.
People who actually want to buy security products listen to the loud mouth fanatics so nothing can actually get made because the fanatics will ensure that only free is good. They ensure the market is dead.
Copperhead tried to make a good run for it. But in the end when you try to tame a fanatic you are going to get hurt.
And then there are mediocre-to-bad products that are suspiciously successful and get deals easily. It is like someone powerful makes sure they become widespread.
This is such a flawed argument.
All of the above is based on a composition/division fallacy. You're assuming a part applies to the whole or majority, when in reality, this isn't the case. Your bias shows in the way you describe this, and your argument makes a presupposition involving the other side where their argument MUST somehow follow a sort of nirvana fallacy. The other side's arguments are all invalid because they MUST be based on rejection of an idea because it isn't perfect. Again, this isn't the case, and it only applies to a minority within the open source community involving themselves in security. This isn't even taking into account you calling them fanatics as if it's valid; it is on the verge of being ad hominem depending on what your intention was and whether you're aware of what you're implying in the first place. Also, what market? You mean the market that some companies try to create where one of the main concerns is the open sourcing of some products so there's no need for audit requests? Is this not a valid concern to you, or does this tie into your aforementioned bias? I understand the concept you try to push, but if you want to make an argument, at least make sure it's put out there in a valid way with solid points. Doing otherwise is only a disservice to your side.
Copperhead is just selling a reskinned version of the open source project. They are also not secure as you can see from their website. There is no android 11 release and it's at least 3 months behind in security patches. That is not secure. If you check grapheneos it is using the most recent security patch and android version available
Grapheneos has been around far longer than the commercial project. The commercial project was set up to fund the open source project however James Donaldson, the current copperhead CEO has a criminal background and tried to turn it into something completely different
This is what CopperheadOS has become. Trading off the reputation they gained from before the split.
When they were still publishing their sources they were often lagging months behind with basic AOSP security updates. Still not updated to Android 11 yet, 2 months since it was launched, which, as they support Pixels, means they now have 3 monthly updates worth of device specific security patches that can't have been applied.
GrapheneOS moved to 11 in September, not so long after it was released by Google
The article makes an argument for why you should consider Pixel series phones that still have official support from the vendor if you are in the market for Android phones.
While it may not have been the point of the article it gives no reason why you should consider CopperheadOS.
This is my perspective taking the article at face value as a complete layman in Hardware and OS security who cannot provide any critic or judgement on the technical content of the article.
CopperheadOS is a proprietary fork of legacy GrapheneOS code with most of the legacy hardening dropped due to lack of proper maintenance and it includes no substantial hardening. It also includes tracking in the updater to enforce their subscription fees (which is an exorbitant amount of money by the way, $150 for 3 months).
It's now a scam project focused on attacking GrapheneOS and harassing developers, as evident throughout this very thread with their usage of sockpuppet accounts.
Nice first party links. The Copperhead CEO challenged Daniel to validate the legacy/tracking claims publicly and is supposedly willing to put $50,000 to prove it
There's honestly so many pseudo points and fallacies here. I took one look at the comment section and it served as incentive to make an account so I could dispel some of the bs.
I'm a bit confused here, does copperhead still exist?
From what I gathered everyone moved on to graphene, including the original architect.
I've not seen anyone mention copperheadOS as a modern secure phone in a long time. Not trying to denigrate the post but it's somewhat strange to see them appear out of nowhere.
Also, on my barely secured, out of date firmware phone, the site doesn't work because I block js :/
Truly long for the day people at least attempt to make fallback no-js sites or at least text only static pages like some 90's ftp server for us weirdos who don't need nor want interactivity. Last I looked something like 80% of Android and 50% of apple phones were end of life and yet still used.
An old copperhead employee (lead dev of graphene) went hard on defaming and shutting down info about copperhead which is why you haven't heard of them since 2016 when Dan got kicked from the team. I was confused as well when a friend brought up copperhead.
GrapheneOS is endorsed by Edward Snowden https://twitter.com/Snowden/status/1175430722733129729?s=09