Andromxda

it originally sounded like I might be able to help with some scripts

Thanks man, I still appreciate it a lot

I feel like I just need to clarify some things. In my initial comment, I was bashing Microsoft, not because it's their fault that my company has such a messy environment and workflows, but because the way Windows Server works is just stupid. Since there's no proper shell (PowerShell is absolute garbage), everyone on the Windows team uses fucking RDP to log in to the server... Most of the stuff can't be reasonably done through a CLI, and requires using the stupid GUI wizards. Configurations can't be replicated as easily, since I can't just use scp to copy a config file, I actually need to go through the stupid GUI wizard again. Active Directory is a huge mess that's been held together by hopes and prayers over the past few decades, and I hope it dies sooner rather than later. Also fuck my company's stupid decisions from 20 years ago... Integrating some stupid Windows/Microsoft specific stuff into all of our products was not the best idea, and they realized this a few years ago. Now we have a huge amount of technical debt though, and it will take decades to get everything ported over.

Err… That component appears to be built from source per Calyx’s Gradle rules? The source is pulled from here: https://android.googlesource.com/platform/frameworks/base/+/refs/heads/main/telephony/java/android/telephony/euicc

That's apparently not the entire thing though. I haven't used CalyxOS in a long time, could go to the settings menu for adding a new eSIM and take a screenshot of it?

I’m sorry you’re unhappy that I’m happy.

Oh I'm absolutely not. I'm glad you found an OS you like, I just pointed out that GrapheneOS is far superior in terms of privacy and security, and therefore probably the better choice, but you are obviously free to use whatever suits your needs and makes you happy. And it's better than the stock OS I guess.

My actual security relevant machinations happen on my much better protected laptop.

How do you protect a laptop to be more secure than a modern mobile device? Desktop operating systems are inherently less secure, since they lack proper application sandboxing, they often don't even have mandatory access control mechanisms (such as SELinux or AppArmor) in place and don't have a good way of verifying the boot image. Secure Boot is broken and essentially useless, and can't be compared to Android Verified Boot whatsoever. TPMs aren't secure either, and can't even remotely be compared with proper secure elements such as the Google Titan M2 or Apple's Secure Enclave. Do you use QubesOS, or how did you achieve better protection on your laptop compared to your smartphone?

Because I want a secure phone with relatively good specs, relatively good design, battery life and camera quality. And because it is one of the very few devices with a user-unlockable and re-lockable bootloader.

Anna's Archive

Of course it's a Republican senator

Oppo, Huawei, Xiaomi, all do not work on USA cell networks

Wait what? Is that actually true? What if you are a foreigner visiting the US and bring your e.g. Oppo phone with you? You can't use it? Even with a foreign SIM?

Upgrading/reinstalling some company specific software (it's an absolute mess, we essentially build our own tools for everything in C++, there's probably a quadrillion memory vulnerabilities and the software crashes all the time), because random people on the Windows team have been tinkering with the config over the years, and now essentially everything is broken and has to be reinstalled. We have been shipping newer versions of our software to customers than we were running internally... (of course it was tested in the staging environment, but our prod was pretty unmaintained and messy) I'm so glad that I'm usually on the Linux team... I was a software engineer before, but I was tired of C++ and the weird way we do things, so I was probably the first one who asked to move to the newly formed Linux team, when we started slowly migrating away from Windows around 6 or 7 years ago. Unfortunately like half of the Windows team recently quit or was laid off, so they had to find someone who could do this. Since I was a dev before, I'm quite familiar with our internal tools. I'm now working with 3 Windows guys on fixing this insanity. The entire process is not quite as bad as it sounds, but I really don't want to touch a Windows system ever again in my life.

Can you elaborate on MicroG needing root? To my understanding that is only required on ROMs that don’t require Sig. Spoofing, and Calyx does support it, specifically and only for MicroG.

I'm not entirely sure if all of microG needs to run as root, but I'm pretty sure that some parts do. Nonetheless, microG runs in the priv_app SELinux domain instead of untrusted_app, reducing the isolation and granting it more access to sensitive APIs. Sandboxed Google Play on GrapheneOS on the other hand is a normal application that can be installed and uninstalled by the user, running in the untrusted_app domain. It is tightly controlled by the Android permission mechanism, and doesn't have any permissions by default.

If you only care about security, you should keep Play Services isolated in a separate profile. That way, even if there happens to be a memory corruption vulnerability in Play services, which isn't caught by hardened_malloc or the hardware MTE in newer devices with ARMv9 chips, the rest of your system would still be safe, since Play services aren't running as root, and in order to compromise the entire system, there would need to be a privilege escalation vulnerability in all of Android, not just Play services.

And you know what helps reduce risk of exploit? Smaller codebases.

Why does CalyxOS include the F-Droid privileged extension then? It's yet another component running with elevated permissions and unnecessarily increasing attack surface. Why does it include Google's eUICC component with elevated privileges and no proper sandboxing?

300kg of Plutonium

Emulators exist... ...oh wait... FUCK NINTENDO

I love their exclusive titles, but their hardware, and the way they deal with emulator developers make me want to throw up

Probably the walls. Without them, the ceiling would collapse and everything in the room would be useless.