Email or username:

Password:

Forgot your password?
Top-level
CyberSpook🇷🇺
@inference
That's the flaw of Android itself, making root so insecure. It's the design issue. One would think getting root is a core functonality of an OS. Not on Android.
@safiuddinkhan @iska @dushman @m0xee
17 comments
inference replied to CyberSpook🇷🇺
@cyberspook @safiuddinkhan @iska @dushman @m0xee Linux hardening always includes restricting root access, regardless of Linux proper or Android.

root is, by design, the worst security flaw of Linux.
CyberSpook🇷🇺 replied to inference
@inference
Root is flawed if there's no proper permission control system in place like sudo or whatever. Nobody suggests this.
@safiuddinkhan @iska @dushman @m0xee
inference replied to CyberSpook🇷🇺
@cyberspook @safiuddinkhan @iska @dushman @m0xee Even sudo and doas are flawed.

I can give you a simple code block which can save your root password and feed it back:
https://madaidans-insecurities.github.io/linux.html#root
inference replied to inference
@cyberspook @dushman @iska @m0xee @safiuddinkhan root access via any means, on any Linux system, regardless of OS, is fatal. Game over. The end.
inference replied to Iska :emacs_thinking:​ :guix:
@iska @safiuddinkhan @cyberspook @m0xee @dushman Because no Linux hardware other than Android is really using HSMs or TEEs with verified boot. The only company I know which does that is Google, using the Titan.
inference replied to Iska :emacs_thinking:​ :guix:
@iska @safiuddinkhan @cyberspook @m0xee @dushman Verified boot does not exist in normal PCs. Verified boot is not the same as secure boot, it is an extra layer above which protects the OS integrity, not just checking the bootloader signature. You are very wrong.
Iska :emacs_thinking:​ :guix: replied to inference

@inference @safiuddinkhan @cyberspook @m0xee @dushman

How would google's edition of GNU/Linux have verified boot but not normal?
elinux.org/images/f/f8/Verifie

puri.sm is even more secure, even neutralizing IME. Here's one of their features.
puri.sm/posts/new-pureboot-fea

inference replied to Iska :emacs_thinking:​ :guix:
@iska @safiuddinkhan @cyberspook @m0xee @dushman

"Distributions like PureOS are not particularly secure. They are mostly a reskinned Debian and do not include substantial hardening."

https://madaidans-insecurities.github.io/linux-phones.html
Iska :emacs_thinking:​ :guix: replied to inference

@inference @safiuddinkhan @cyberspook @m0xee @dushman

I'm talking about the hardware there. You can install a hardened OS on it, including ChromiumOS or Android-x86.

inference replied to Iska :emacs_thinking:​ :guix:
@iska @safiuddinkhan @cyberspook @m0xee @dushman Chromium OS doesn't have verified boot, only Chrome OS does.

There is no system outside of ARM phones and tablets which take advantage of a HSM or TEE to allow storing OS signing keys (not the same as bootloader/kernel keys, which is secure boot).
Iska :emacs_thinking:​ :guix: replied to inference

@inference @safiuddinkhan @cyberspook @m0xee @dushman

You can boot chromeos there too, but it has at least one backdoor so you're not safe.
google.com/intl/en/chromebook/
(section 4)

chromebooks are bad too.
theregister.com/2019/08/22/buy

Would you trust your house to a thief?

I've already mentioned an article about verified boot on normal GNU/Linux.

MattZ replied to Iska :emacs_thinking:​ :guix:
Computer Security is an unachievable goal, the most reasonable thing to do is not connect your computer to internet 24/7.
Iska :emacs_thinking:​ :guix: replied to MattZ

@colinsmatt11 @safiuddinkhan @inference @dushman @m0xee @cyberspook

Besides you need hardware access or hard fuckups to compromise boot.

Guix with LUKS and SELinux is 99.99% secure, with simplicity and freedom; and definitely better than proprietary jails.

m0xEE replied to inference

@inference @safiuddinkhan @cyberspook @iska @dushman You may be right, but this article is just bad. Hardening in the OS is not good enough so we can just install Android 🤷
Hardware switches are not good enough because we can just use software airplane mode 🤦
Having modem on a separate board so that we can physically disconnect it is not good enough because we can just ask SoC to do it (and trust it) 🤯
It doesn't mean that Liberm5 is perfect, but these points are just awful!

Go Up