If you're serious about it probably worth just using an old phone as an Auth device and only switch it on for that and still use graphene as your daily driver.

I'm not a security guy, what is the problem that this is supposed to be fixing? Like I guess you wouldn't be able to use a virtualised OS to visit your banking website? Like I understand if you work for a bank you should only be able to access some things from specific computers, but normal people?

phew, feels like I jumped the ship just in time. Installed PostmarketOS on my Fairphone a couple of months ago, and I'm not looking back.

Is there a specific reason you chose PostmarketOS? I'm currently also thinking about ditching Google android.

How is it working for you so far? Thought about doing that as well.

I should be good with sandboxed Google play.

But wtf we’ll need a phone to solve captchas now? What happens if you don’t have one?

Then you are a robot

So what's your plan? Using your fully-googled device instead of using a slightly-googled phone with Play Services?

We seriously need to ask Valve to make SteamOS phones.

Not only will they be good for gaming but imagine being able to put other OS'es on it like PC's. Bazzite, PostmarketOS, etc. Plus Valve will still get revenue from people using the upcoming Steam ARM Game Store, and the current Bannerhub/Gamenative community android apps that enable playing PC games they own from Steam/GOG on Phones

It's such a huge opportunity that we all should be encouraging them to pursue now and after they release their current 3 big projects: Steam Controllers, Steam Machines, Steam Frames

Let's give the billionaire more capitalism. Yea that's it. He needs more.

I get where you are coming from. Out of all of the billionaires he is one that is one of the least bad out of the rest of them, and is doing plenty of good things himself. He got that wealth from Steam doing so well over the years compared to other billionaires that did the shadiest things imaginable

I don't agree with his yachts business yet I agree with his side project of making boats specifically for ocean research. I don't agree with him still getting paid so much today, yet I agree that he pays and treats his employees and customers well

End of the day it's another option to get open phones that can have bootloader unlocked to change OS, and not be locked down. It is good to have more options currently where there are few.

Many online PC gamers have this opinion too so overall it's more so a matter of time and comes down to if Valve really wants to then they will.

i have one myself, and I can tell you that grapheneos won't be affected by this. the real damage is to people using things like dumb phones or BSD, even windows computers are effectively locked out of the internet.

Sounds like GrapheneOS isn't affected only for now?

As in sandboxed google play may stop working for this at any point.

;(

Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too.

Google's Play Integrity API requires hardware attestation for the strong integrity level and is gradually phasing in requiring it for the more commonly used device integrity level. Apple already has it as a requirement. Over the long term, this will increasingly lock out hardware and OS competition.

The purpose of these systems is disallowing people from using hardware and software not approved by Apple or Google. This is wrongly presented as being a security feature. Banks and government services are the main ones adopting it but Apple and Google are encouraging every service to use it.

Apple's Privacy Pass brought hardware attestation to the web to help with passing captchas on their own hardware. Many people saw that as harmless since few sites would be willing to lock out non-Apple-hardware users. Apple and Google are both likely to bring broader hardware attestation to the web.

Google's reCAPTCHA is planning an approach where they use Privacy Pass on Apple hardware, their own approach on Google Mobile Services Android devices and a QR code scanning system to require an iOS or Google certified Android device for Windows and other systems:

https://support.google.com/recaptcha/answer/16609652

Banking and government services increasingly require using a mobile app where they can use attestation to force using an Apple or Google approved device and OS. Apple's Privacy Pass, Google's 'cancelled' Web Environment Integrity and now reCAPTCHA Mobile Verification are bringing this to the web.

Current media coverage for reCAPTCHA Mobile Verification misunderstands it and the impact of it. They're bringing a hardware attestation requirement to Windows, desktop Linux, OpenBSD, etc. by requiring a QR scan from a certified smartphone to pass reCAPTCHA in some cases. They could expand it more.

Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web. Google defines certification requirements for Android which includes forcing bundling Google Chrome, etc. It's enormously anti-competitive.

Google's Play Integrity API bans using GrapheneOS despite it being far more secure than anything they permit. It also bans using any other alternative. This isn't somehow specific to an AOSP-based OS. You can't avoid this by using a mobile OS based on FreeBSD instead. You'll just be more locked out.

Google's Play Integrity API permits devices with no security patches for 10 years. The device integrity level can be bypassed via spoofing but they can detect it quite well and block it once it starts being done at scale. The strong integrity level requires leaked keys from TEEs/SEs to bypass it.

It doesn't provide a useful security feature, but it does lock out competition very well. Services requiring Apple App Attest or Google Play Integrity are primarily helping to lock in Apple and Google having a duopoly for mobile devices. Play Integrity is more relevant due to AOSP being open source.

Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.

Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security.

reCAPTCHA Mobile Verification will currently work with sandboxed Google Play on GrapheneOS but it clearly exists to provide a way for them to start using hardware attestation on systems without it. People without an iOS or Android device will be locked out when this is required even without that.

This isn't about security or any missing functionality. GrapheneOS can be verified via hardware attestation. Google bans using GrapheneOS for Play Integrity because we don't license Google Mobile Services and conform to anti-competitive rules already found to be illegal in South Korea and elsewhere.

Services shouldn't ban people from using arbitrary hardware and operating systems in the first place. Google's security excuse is clearly bogus when they permit devices with no patches for 10 years but not a much more secure OS. It's for enforcing their monopolies via GMS licensing, that's all.

I run e/OS/. Block me. I'm good. There is plenty out there that doesn't require Google.

Eventually privacy minded people like us will have to start creating and visiting sites on the dark web.

Sheesh, using alternative sites instead of Facebook and Reddit isn't using the dark web.

No fuck that we must continue to grow the movement and get more people on board. We don't give in to those rats and their garbage they try to put on us. Together we all can do together. Fuck them. Many of us already are doing and the more the better

They should be fined so hard for this shit.

A fine is brushed off in a quarter. They should be forced to split into separate companies.

What you said and my comment response to the person we both responded to

And forced to open-source their OS'es. And have to make their communities owned by the people instead of corpos. We are all beyond pissed and done with their shit. Everyone get more people on board into the movement daily to be focused on getting things done together!! Keep each other in the fight with online and in-person communities

Every company that uses these captcha services should also be fined so hard. This isn't just Google here.

And every company that is relying on gsm or the apple pendant to verify anything.

When my current iPhone dies, I'm never having a smartphone ever again.

What do you plan to do? Dumbphone? No phone? Break glass in case of emergency phone in a faraday pouch?

I'm considering a break-glass dumbphone in a faraday pouch. I REALLY fucking hate location tracking. I'd keep it separate from my IRL ID. Prob is, it's hard. Screw up once, big data pounces. One call tied to your name in any way. One friend puts it in their contacts. One time to forget the pouch and there's a location ping at your residence. Not to mention the difficulty of even buying it and setting up a plan. Ugh :(

I'm a teams app for dumb phones away from getting off smart phones. I'm fiddy and have to use my readers to even see my phone, so I've slowly stopped using it for much outside of random apps for appliances. I can get an ipad for that, though. I'm also a privacy advocate, but I've made peace with the fact that ship has pretty much sailed

I'm using Firefox on GrapheneOS and recaptcha still works normally for me.

Not noticed it and fuck those websites. Happy to boycott.

Let's hope the EU prevents this from happening. We should be able to access every site we wish without Google's permission.

We should all be encouraging Europeans to:

  1. Force Android and iOS to be given to the people to own and open-source the OS fully in EU with GPL license
  2. Fine them to oblivion if they do not cooperate
  3. If they try to double down then piece up their companies into parts

We're all tired of their fucking shit. Everyone keep getting people active and informed on all this!! Together anything is possible!!

The EU is busily building the Fourth Reich, so don't expect help from there.

LOL, whatever you're taking, stop, it's doing your brain in! :D

The ongoing battle against online privacy is a symptom of capitalism, the EU is a capitalist state. The only thing the EU would ever do against US-based capitalism is to gobble up those capital gains for themselves. It doesn't matter if it happens or not, the privacy issues for end-users would never be alleviated by the EU.

I see you have no clue. You will learn, eventually.

Please elaborate.

Yeah, sure, at a really slower pace than USA. Maybe in a century. They still care more for their citizens than Trump ever did.

Using graphene on pixel 7 pro. Haven't noticed.

Pixel 6 pro with GOS, also haven't noticed. Starting to think this post is not true.

I use a Pixel 8 with Graphene. I haven't been locked out of anything yet.

Fuck em. If websites use this, I don't need to see their shit or patronize their business. Google can eat a dick.

Smartphones are such an utter wretch nowadays, & I'm not even sure if there was a time they weren't. I don't get the appeal of a smartphone, they do everything a dumbphone does but worse, more expensive & with an unremovable thick layer of scum, yeah a smartphone has some of the features of a laptop or desktop but who needs that baked into their phone for every moment?

People are trying so hard to fix smartphones (even by giving money to the least privacy respecting companies ever by buying Google phones) when they can get a dumbphone and be rid of those problems in the first place. Well that's my opinion at least, I think it might be a bit extreme.

but who needs that baked into their phone for every moment?

Approximately 5.78 billion people.

You really don’t get the appeal or you just feel differently? I don’t like roller coasters but my reasoning doesn’t include me not getting the appeal others have for them.

"even by giving money to the least privacy respecting companies ever by buying Google phones"

To be fair, Pixels are available secondhand, often in Mint condition, which is why my last three Pixels and any other phone/tablet I've bought have been through https://swappa.com/.

This is really bad even just from the perspective of user behavior. Training people to scan QR codes from anything that looks like a captcha box is HORRIBLE for security.

"Thanks for scanning the code, just one more step! Please input your phone number, and type in the code you receive."

Boom, account stolen.

It's almost like they don't really care about your security...

And the phone number thing is already happening too. Google, discord and probably other stuff already ask for a phone number to prove you are a human when they flag your account.

It's a server setting. one of my oldest servers has enabled this and I haven't chatted with anyone there anymore because I need to verify my phone first.

You can still go graphene and isolate play services in a secondary profile.

For a better future: Organisations and services that structure themselves to require third party services need to take contractual responsibility for the actions in their fulfillment supply chain, just as an online retailer takes responsibility for delivery agents. Google play services harvesting needs to be reflected in the privacy policy of every company that doesn't provide alternative access.

Wonder what will happen if we all start making data protection complaints about enforced non contractual third party data harvesting?

You can still go graphene and isolate play services in a secondary profile.

How does that help? Google gets your IP and location. Then they can use the IP to identify the connections in the other profile.

I installed graphene a month or two ago and reluctantly had to install google play for a thing or two. How do the profiles work?

Under system you can add secondary profiles. You can deny them access to text...not sure if the profile can see your phone number.

https://discuss.grapheneos.org/d/9253-how-do-you-set-up-your-profiles

Neat, thanks

well, I guess i will stop using those websites from my /e/os fairphone

What they are doing is way worse than what you understood.

These QR codes will show on your Desktop PC and you will need an Android phone or an iOS device with a logged in Google QR code app to get past it.

Guess I'm not going to Youtube, then.

I see a future where we have our mandated government ID shitphone for banking, corpo and government suchn'shit, and the laptop we access Anna's, Yggdrasil and TOR with.

and the days go by!

Not exactly same as it ever was, but seems kinda 2007 to me. I doubt any Lemmy instance or i2p site will enforce Google's QRcode spy-proxy.

It's not 2007. Devices are everywhere now, smartphones, TV's etc. The social dimension (social pressure) and implications are very different now. Their power increases, amount of people caught in the loop is immense now. 2007 was all still fun and games.

Undoubtedly, and more still will be as corporate greed turns the internet into pay-per-view TV. We can't help that.

Make your decision for yourself for what to do with your connections and your own devices. You are in control of at least that, if nothing else.

so they are not only tracking you, but they are trying to reconnect your records across multiple devices.

And through the VPN

Ayup that has been the holy grail of big tech.

They are most of the way there today. Make Identity Resolution inescapable. Bing bang boom.

It is more than just phones and lappys too. It's everything. That smart TV. That fitness watch. That automobile. That streaming music service. The ebook reader you got as a birthday gift.

Your behavior across every single device is data gold. This is today's reality.

Yep, data gold to sell to data brokers and investors so they can sell you shit that you don't need and can't even afford.

I wouldn't scan shit from a website. Random QR codes are a security risk. Just won't visit that website.

That's why you have to use the special google app that will protect you from all these dangers*

*and also collect all your data, sell it to advertisers and forward it to US surveillance agencies (for your own protection of course).

Sad thing is, that argument works against so many ppl. "I can trust this app. It's from Google!"

We(*) are tearing down personal computing. Brick by brick. The very idea of controlling our own devs is getting lost. Replacing with Big Tech Feudalism.

(*) Not most of us here. But in the whole pop.

I am in no way condoning Google's behavior, nor am I trying to normalize it. With that out of the way: maybe running Android Studio with an AVD might be a decent workaround. For now...

Is it bad I use this for steam login? I thought that was secure ..

That would make the two of us. My Fairphone 3+ is still kicking well with /e/OS.

I really wish Jolla got their crap together honestly

That would only make me install Graphene even harder if I wasn't already writing from a phone with it

Hopefully this will push Linux Mobile development so that we are no longer completely bound to Android or iOS

This. Time to stand up to Google and completely boycott the surveillance tech that the US is deploying.

How do you even scan a QR code if you're browsing on your phone?

On Samsung phones you take a screenshot and then tap the "T" icon for screenshot OCR, it will let you click any QR code on the screenshot.

Google Lens is also an option if you have that installed

You have to move all the black pixel blocks into the empty spaces and solve the puzzle to open the link. Then cenobites come out of your phone and show you pleasures beyond pain.

Drives me crazy how common this is too

Really? I don't remember seeing it so far...

The "Mobile Verification" option "will initialize the reCAPTCHA app on your device".

Mirrors

Google lens. :facepalm:

Default GrapheneOS camera app has a QR code scanner

And how can the camera scan its own phone screen for the QR?

My solution is take a screenshot and then open the file in a separate QR reader app that can open files.

Yeah I'm just not going to use their website. Fuck all that.

I think apps can have screenshot permission, so just by using that feature

Why would I give an app screenshot permission? That is such a security nightmare.

The answer is always convenience. Me stating that something exists doesn't mean I blanket approve of it

exactly ..

what will this mean for the upcoming motorola phones that can come with gOS installed?

That's probably a reason they're doing this now. To stifle what might start to be a sizable amount of pushback. Sizable is still single digits but if it hits a whole % instead of >1 then we might start getting somewhere

They're still subject to the same dumbassery Google is trying to pull. Any OS that doesn't conform to Google Play standards is a target.

Watch Motorola sue Google for this.

And then Google retaliates by not allowing Motorola to include Google Play on any of their devices. In the end, Motorola just cancels their GrapheneOS partnership.

Monopolies are the number one reason everything sucks, and will continue to suck until we get non-corrupt politicians (which is impossible)

Motorola has two options:

A. Cancel the GOS partnership and cause a boycott on ThinkPads (don't forget, Lenovo owns Motorola).

B. Put their feet in the ground, die a hero and maybe bring Google down.

B(2). Bring this oppressive google privacy issue down. Google would be fine allowing this to continue. Even with the 24hr numpty delay.

It may be impossible to have fully uncorrupt politicians, but voters had a choice and enthusiastically maximized corruption here in America.

This does seem to work with sandboxed Google Play Services on GrapheneOS btw.

I scanned the demo QR code on Google's talk page about it with sandboxed Play Services enabled and it gave me a custom popup asking if I'd like to verify.

and you can do it from a second profile which contains none of your data.

Unless you're doing that from a separate device in a separate location then all you're doing is giving them the data they need to link those two accounts

You're right, you're not going to achieve complete anonymity if you're interacting with Google services in any way, but you can reduce the amount of information that they receive.

Sandboxed Google Play Services doesn't have privileged access to location information, so it can't pull your GPS location or Wifi Positioning information. It would only see a blank profile and doing this would allow for your primary profile to continue to not run Play Services.

Any malicious code which could be injected into the process would find itself in a sandbox, on a blank profile and isolated from the rest of the system.

Google would only see that you are authenticating from a profile without anything installed, from an unknown location and coming from whatever VPN endpoint that you'd like. They could possibly infer that the blank profile and your 'real' profile are different via browser fingerprinting. You can randomize a lot of fingerprinting datapoints with browser extensions, but avoiding browser fingerprinting is a whole other topic.

The 'real' privacy solution is to avoid anything that uses this version of recaptcha. However, if you have to use these services then you can still reduce the amount of information leaked via Play Services by using a blank profile to scan the QR codes.

You're right, you're not going to achieve complete anonymity if you're interacting with Google services in any way, but you can reduce the amount of information that they receive.

it's not even about complete anonymity. google has zero business in when I'm logging into my utilities company account, or other semi-governmental portals!

it literally is their business; they make millions of dollars off of it.

then that's a problem we must solve. Because an adtech company should definitely not have any business in that.

That's assuming they know I have another account

I had one of these CAPTCHAs recently and it still gave me the option to verify by clicking the squares. I wouldn't be surprised if they phased out the 'legacy' verification though.

closing the tab works better

AnDrOiD iS oPeN sOuRcE

AOSP is. Android is not.

Please remind me what the "A" in "AOSP" stands for...

Ok?

Android is open source in the same way that Minio is open source.

I know in what way it's open source. I just don't understand what person this idiot thinks they're mocking when they wrote that. It's as if they think there are really people out there claiming that android/Google respects privacy (lol) and that it's proven by part of the OS being open source. People make up fake scenarios to get mad about and they're often rather ridiculous.

Oh, that’s what you mean. Ok, so every time I mention I have an iPhone because a. I value my privacy and b. I try not to support companies that actively harm the internet, someone says “but Android is open source”, as if merely having a few open source components means that Android is better in any way than any other OS.

In this instance, Google is not only making the internet worse, they’re doing it in a way that requires their own closed source libraries to even access a huge portion of the internet. This further makes any functional Android OS closed source.

The most ridiculous thing is that iOS is almost as open source as Android is. There are very few components of an Android based OS that are open source where the equivalent in iOS is not open source.

Also, hey, thanks for calling me an idiot. ;)

Yeah I don't have experience with people really simping for android let alone claiming it's meaningfully open source. The most I've seen is saying it's not nearly as closed off as iOS which is just a fact. And I will say that as well because it's a fact. But that has almost nothing to do with the OSS aspect. Or privacy. So yeah I still don't quite get your point of inserting this here.

AOSP is Android is not.

I wonder how sandboxed Google Play will handle it.

Can we trust that isn’t a campaign to promote Google? What are these websites? Why aren’t they blocking an iPhone? Can any of that be replicated or is this just a Google campaign to create fear and doubt

GrapheneOS user here! Not sure about websites but there are certain apps that don't work properly without Google Play Services, but Graphene's app store has a sandboxed version of it, so I just installed that and revoked all its permissions. Then if an app needs it, I just turn on the relevant permission, do the thing and then turn permissions off again. It's a bit of a pain at first but I'm used to it now.

Note that some apps will say that they won't work without GPS, but actually will if you give it a try.

Man, I want a phone with physical kill switches for things like Wifi, GPS, Bluetooth, because a lot of things seem to detect when these things are turned 'off' by software. Wonder how they'd react if in software, GPS is enabled, but the actual hardware is not powered at all

pine phone

They most likely won't work. Just speculation, but I would imagine most software that "needs" information like GPS don't care that its on or off, they care that they try to pull data and there is none.

some of them are now straight up refusing to run without the play store.

Then they don't deserve your business

I'd say making a 2nd user for the apps that need Play Services (like banking and Uber/Lyft) is the move. This only allows Play Services to run when the 2nd user is on and also fully separates it from the main user!

I'm a GrapheneOS user and I don't have any google services installed. I have yet to hit any major issues with any apps or websites I use. Lucky, maybe?

Because the iPhone has their own spyware to prove you're a ~~product~~ user.
https://support.google.com/recaptcha/answer/16609652?hl=en
https://blog.cloudflare.com/how-to-enable-private-access-tokens-in-ios-16-and-stop-seeing-captchas/

Interesting. Definitely turning that off. (As if it actually turns off)

If you turn it off, you'll have to do the captchas manually.

Yeah I’m okay with that.

It's basically forced by Google. I mean who wouldn't force it after someone deliberately removes your government sanctioned spyware. See if people stopped calling it google or Apple and just USA spyware with backdoor to your lives it would be better at getting to the privacy issues. I mean the NSA already proved this is a fact.

more info here: https://reclaimthenet.org/google-broke-recaptcha-for-de-googled-android-users

Haven't encountered this yet, has it been let loose in the wild?

Good point, this would have to work on iPhones too and people without a phone would just not be able to use those websites at all.

I just loaded a bunch of recaptcha on my GrapheneOS phone. So, I dunno what this is all about.

Yeah exactly. Millions of websites? Which ones? Though I don't see how this would benefit google

It's funny, I hadn't noticed, maybe because any site already using reCAPTCHA or Cloudflare already gets blocked by my ad blocker... If those sites can't do better on their own, it's just another thing you don't need. This is kind of a nothing burger. Stay strong and let google commit suicide.

Are you blocking Cloudflare at an IP level? Or just when they do that "Are you human?" thing? So much of the Internet goes through Cloudflare for DDoS protection, and blocking AI bots, I'm surprised there's anything left.

How do you do that? I would love a Cloudflare free web experience. They suck.

Welp, everyone buy a Google Pixel 3a from eBay and install Ubuntu Touch I guess

Does Ubuntu Touch work on the 3a? That was my last phone, but after it was no longer supported by Graphene I bought a 7a. I don't really like Ubuntu but would like to experiment with a Linux phone.

The Pixel 3a apparently can run any Linux Mobile distro or custom ROM, or at least most of them. At the very least, Ubuntu Touch says it's officially supported

It works, but it's not really usable as a daily driver. None of the browsers render sites correctly and I couldn't make phone calls, but that might be a carrier thing on my end.

Seems ok for me, since the 3a is an old phone, mostly kept around to move this one group to Signal/Molly.

One more reason to switch to a Linux phone like Jolla's new phone.

Good luck if you live in an authoritarian state. The governments have Google's dick in their mouths.

Keep a dumb phone for things involving them and then use your Linux phone as more of a pocket computer

I don't use the internet for much these days, but I am on GrapheneOS and I have yet to be blocked from websites due to it. My adblocker prevents me from some, and not allowing javascript prevents me from some, but I've never seen that QR code or had any site prompt for Google play services

this seems too new to be widespread yet

Right? Google is extremely well known for its A/B testing.

Lmao, will this include basic degoogled lineage? I bet it does.

Are there any examples of sites using this?

Does this only happen on chrome? Can you just bypass it by using another browser like firefox?

I don't know how widespread this is yet, but I experienced it for the first time yesterday on Chromium. Have not on Librefox.

I didn't know what was going on, so I left the site. Was only trying Chromium because the site had issues with Librefox.

FUD.

I'm running a Pixel 8 rn. Should I deadass switch to an iPhone ATP?

Most likely trolling, but the answer is never.

Just install GrapheneOS and run Sandboxed Google Play Services.

You could switch to a Linux phone...

But then it comes with its own issues that many people do not want to deal with

And you couldn't use your current phone for that? That is in cases where you have no choice left, and where your identity is known regardless. Don't let perfect be the enemy of good: just because this anti-feature may not work, doesn't mean you can't have better standards overall (assuming you're coming from a regular OS).

Not everyone had a Pixel, or even a phone that could be degoogled fully

That's my point. If your non-Pixel or Googled phone is able to support the new Play Services, you could use that device for the verification, instead of using the GrapheneOS device.

Big flex
