Final
final@stacker.news
npub1hxx7...g75y
Cypherpunk forensic scientist and security specialist. Associate #GrapheneOS. Matrix: f1nal:grapheneos.org
Final 4 months ago
This month has a MASSIVE set of Android Open Source Project security patch backports due to the move to patches being quarterly instead of monthly for it. We will be doing a release with the AOSP backports along with GKI LTS kernel updates to the latest. We have more work with adevtool to make it much faster to work on device support. We are closer to fully removing the device trees and instead auto-generating it. This will help with #GrapheneOS porting to Android 16 QPR1 and Pixel 10. We expect Android 16 QPR1 to be released TOMORROW (2025-09-03). This could change. Pixel 10 porting work will begin when Android 16 QPR1 port is complete.
Final 4 months ago
Research has mostly already solved what we need to develop to create a system that is highly secure. We have strong encryption, we have microkernels, we have sandboxes, virtualization, exploit mitigation technology, secure authentication etc. What we need to target is how to make software that is highly secure and also highly useable, and something very private that is also very personalised with great UX. Oftentimes more security means more restrictions therefore less usability and user freedom thanks to a restricted environment. More privacy means a less personalised experience by knowing less about the user. Users frequently self-pwn by using insecure software for the preference of 'freedom' for a feature. The problem here lies that there is no feature in the high-security systems to do what they wish safely. Unless, of course, that functionality is anti-security in itself. Many of what GrapheneOS develops or are designed to be useable security. Extra settings are opt-in. Some of the most important security work of GrapheneOS are changes invisible to the user, like hardened_malloc. A significant security enhancement while also providing little overhead or interruption to the user. Many useable apps people develop are not security-focused. Same can be said about the reverse. This is something to work on. When your app is only known as being an app for techies or security people, you may have already lost. Security is not a selling point to people unless they want security.
Final 4 months ago
#devstr I created a small script to make Free Speech Flags out of Kryptor public keys. A free speech flag is a flag created out of a cryptographic key as a protest art against censorship and freedom of speech. The README has more information. The original Free Speech Flag was designed out of a cryptographic key used in HD DVDs and Blu-Ray discs that the MPAA would send cease and desist letters to any web page that even hyperlinked the hex encoded value of the key.

For example, this generated Kryptor public key

Ed//e7NelPumXQ8GGsZV/Wmx4A8xhSkrqd8GdrGdLsBCfYw=

Creates: [image]

Because there are 11 colors, it fits perfectly with 88x31 web page links as well. It is possible to find a way to repurpose this with PGP key fingerprints or potentially Age but neither provide the entire public key in a fashion as simple as this.

Adding all the Hex codes of the colors from left to right plus the text on the bottom right last into one Hex string, decoding it, then encoding to Base64 returns the Kryptor public key. [image]

This has potential steganographic use cases. You could embed these colors in a photo (most common to least common color as an order?). Or you could embed the hex input within an unsuspecting image's bytes.

I mostly made this in mind as an art piece / cypherpunk fashion statement. It isn't a security or privacy plus. You having this flag is all that is required to encrypt files to me, and the encryption to use is strong. So I think it could be useful to someone.

Here is the code:

If you do not have the Arial font, then change it in the code. This code is public domain, so I won't accept pull requests not expecting to be in public domain as well. This is because the original flag is public domain.

Kryptor is a modern encryption / signing tool designed to be much easier to use than GPG. Try it out:
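The mapping described in the post above, shown as an added example rather than the author's script (which is not reproduced on this page): the Base64 key is decoded, split into 11 three-byte RGB stripes, and the leftover bytes become the hex text in the corner. The 35-byte key length is derived from the sample key in the post; the function names and the exact stripe and text formatting are assumptions.

```python
import base64
import re

# Constants derived from the sample key in the post: it decodes to 35 bytes,
# i.e. 11 RGB stripes (33 bytes) plus 2 bytes shown as hex text.
N_COLORS = 11
KEY_LEN = 35
SAMPLE_KEY = "Ed//e7NelPumXQ8GGsZV/Wmx4A8xhSkrqd8GdrGdLsBCfYw="  # from the post

_HEX_COLOR = re.compile(r"#[0-9A-Fa-f]{6}")


def key_to_flag(pubkey_b64):
    """Return (list of 11 '#RRGGBB' stripes, hex text for the leftover bytes)."""
    raw = base64.b64decode(pubkey_b64, validate=True)
    if len(raw) != KEY_LEN:
        raise ValueError(f"expected {KEY_LEN} bytes, got {len(raw)}")
    body, tail = raw[:N_COLORS * 3], raw[N_COLORS * 3:]
    colors = ["#" + body[i:i + 3].hex().upper() for i in range(0, len(body), 3)]
    return colors, tail.hex().upper()


def flag_to_key(colors, tail_text):
    """Inverse: join the stripe hex codes left to right, append the text,
    decode the hex string and Base64-encode the result."""
    if len(colors) != N_COLORS:
        raise ValueError(f"expected {N_COLORS} stripes, got {len(colors)}")
    for c in colors:
        if not _HEX_COLOR.fullmatch(c):
            raise ValueError(f"not a #RRGGBB color: {c!r}")
    raw = bytes.fromhex("".join(c[1:] for c in colors) + tail_text)
    if len(raw) != KEY_LEN:
        raise ValueError(f"flag decodes to {len(raw)} bytes, expected {KEY_LEN}")
    return base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    stripes, text = key_to_flag(SAMPLE_KEY)
    print(stripes, text)
    # The flag carries no integrity check: any altered stripe still decodes
    # to a well-formed, but different, public key.
    print(flag_to_key(stripes, text) == SAMPLE_KEY)
```

Because every byte of the key is visible in the flag and nothing authenticates it, a recipient should compare the recovered key against a copy obtained over another channel before encrypting to it.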
Final 4 months ago
Growing sick of informational audio / video content. I will not group myself with "cyber" influencers. I prefer text and other forms of media should serve to complement the textual content, with exception of accessibility reasons.
Final 4 months ago
Vanadium browser now supports a bottom navigation bar. #GrapheneOS
Final 4 months ago
If you consider yourself a target of a high risk threat, you should do the below. This will be a repost of a past post. However, I updated this. This list is also far from a complete scope of what you should or could do.

Device / OS security:
- Use the most recent device you possibly can.
- Upgrade your device to the newest generation as soon as possible if you can comfortably afford to.
- Use the latest version of your operating system as soon as possible.
- Use full disk encryption.
- Use a long, secure, unique passphrase for your device. Ensure they are unique between all devices.
- Never leave your devices unattended. Keep in your proximity or in a safe place.
- Turn your device off in a tense situation or when not in use for many hours.
- Do not plug devices into unknown ports or with unknown cables.
- Never download unknown apps or files.
- Uninstall preinstalled applications and disable services you do not use.
- Disable WiFi, Bluetooth, NFC etc. when not in use.
- Use airplane mode and/or take out your SIM card as much as possible to minimise cellular network tracking.

Network / Web browsing:
- Only use encrypted protocols i.e. HTTPS, SSH, SFTP and more. You can enable certain applications like Web Browsers to always use HTTPS. Manually type in the https:// part of the URL.
- Use a VPN or an anonymity network like Tor if you are concerned about web sites knowing your IP address or wish to obscure traffic from the ISP of your connected network. Understand you are shifting trust by moving your traffic into other servers.
- Disable JavaScript just-in-time (JIT) compilation for a significant attack surface reduction. Disabling JS is a massive attack surface reduction, but may cause you to stand out and make web browsing unsustainable.
- Disable web browser features you do not need.
- Use an ad blocker if your browser doesn't have one.
- Use the least amount of extensions as possible.
- Use feed readers.

Communication:
- Communicate only over secure messaging apps.
- Only message people you trust or know.
- Do not open unknown attachments.
- Enable scheduled deletion of messages.
- Remember in a private message your communications are as secure as the least secure person there.

Accounts:
- USE MULTI FACTOR AUTHENTICATION. TOTP is secure, and a hardware MFA like U2F keys are most secure. Avoid SMS or email-based MFA where possible.
- Use unique passwords for accounts.
- Use email aliases or burners. Not everything needs to be attributed to you.
- Lie. If a service isn't required to know about your real world identity, like applying for a passport or delivering a product, then don't use real details.
- Delete accounts you don't use. Make new ones when you need services again.
- Assess whether signing up for something is necessary.

Opsec:
- Search yourself on Google, Bing, Yandex, etc.
- Post more of what you want everyone to know, not what only certain people should know.
- Don't create an incentive for people to try and uncover you or misuse your trust. Be private but not mysterious. Don't be a bad actor people will and target you for.
- AI face search / reverse image search yourself.
- Do not post pictures of interiors or locations unless you want everyone to know you were at the location at some point.
- Opt out of data brokers and public indexes.
- If you know too much or too little about something, it's better not to talk about it at all.
- Decide whether you want fame or you want privacy, and stick to that. Regret is a mental toll that will distract you.
- Use common sense and rationale. Be diligent but do not be paranoid. Growing an obsession over a tiny detail leaves you vulnerable to being distracted by a red herring, attention that could be used to uncover a flaw in your approach.
- Learn to concede. Find the answers sources tell you, not the answers you want to hear. Unless you are a professional, then you are not a reliable source.
- Disassociate with data. Learn to only keep files or other data as long as it is necessary. If they serve no use, delete. If they serve a future use, then back it up and encrypt.
- Remember that you are only as secure as the people you trust. If they do not meet your safety or security requirements, don't enable them to do things that could cause trouble.

GrapheneOS users:
- Toggle on enabling hardening like memory tagging, Dynamic Code Loading restrictions and disabling WebView JIT by default.
- Use a strong diceware passphrase if you are concerned about a sophisticated actor with physical access.
- Use user profiles or private spaces if you need something uniquely compartmented or their own VPN.
- Set automatic reboot time to the lowest time you have comfort with.
- Enable duress password. Make it something easy to trigger but difficult to misfire.
- Use your duress password just before shit hits the fan, not when it already has.
- Use two-factor fingerprint unlock with PIN scrambling to prevent shoulder surfing your primary passphrase credential to decrypt the device when BFU.
- Use the right USB-C port control setting for you.
- Enable LTE only mode for attack surface reduction if you choose to use the cellular network.
- Use Storage Scopes and Contact Scopes for apps more often.
Final 4 months ago
Espionage-motivated threat actors have gigantic budgets. You cannot expect a smaller software project to outmatch these people. You're not rich enough. You don't have an elite network giving you intel that your work may be exploited... Unless you're a vulnerability researcher, then it is certain you don't have comparable offensive skills. You are far from being a mega corporation or a government unless you're a major talent. But, it's not all nihilistic. Even if it feels like the odds are against you, you can make these groups work harder and increase the costs of a successful campaign. Difficulty of exploitation increases cost, time and manpower to reach their goals. If a certain conceptual attack is too expensive to come to life, it would not be worth spending it on, and every new victim increases the risk of the technique being burned. App developers, especially those working with apps that load remote content (e.g. messengers and web browsers) should think of security from the beginning. Operating systems should contain apps to add defence in depth if they are exploited to misbehave. Every additional countermeasure to a threat is an increase in cost and minimum technical skills required. Commercial operating systems have security settings that they should enable if they feel at risk. Lockdown Mode on iOS is an example. There's still a lot that these operating systems could do to make things difficult. We do a lot more beyond just what Android's Advanced Protection mode does.
Final 4 months ago
We now have access to the Android Security Partner Bulletins in an official way so we will be able to do the Android Security Bulletin updates after the embargoes end instead of waiting for release tags. We can prepare the integration or even make #GrapheneOS builds with patches in advance too.
Final 4 months ago
We've received the Pixel 10 we ordered and have confirmed it supports unlocking, flashing another verified boot key and locking again. Our Pixel 10 support will likely only be possible to complete after we finish porting to Android 16 QPR1 which is being released in September. A second Pixel 10 we ordered has arrived at a package forwarding service in the US to be shipped to a country without Pixels available. We'll order a Pixel 10 Pro (XL) and Pixel 10 Pro Fold for our main device testing farm today too since we'll be supporting all 4 variants of them. Previously, we likely would have been able to implement support for the Pixel 10, Pixel 10 Pro and Pixel 10 Pro XL in the next 48 hours. However, we likely need to wait for Android 16 QPR1 and our port to it since we don't expect a Pixel 10 device branch will be pushed to AOSP. We've received confirmation that Android is switching to having quarterly releases across devices. There will be 3 quarterly and 1 yearly release of Android and the Android Open Source Project. Monthly releases are Pixel exclusive and will have far fewer changes than before. Previously, only Pixels shipped the quarterly releases in practice. Other OEMs will now be pushed to ship those, but not the monthly releases which are now officially Pixel exclusive. Please note monthly Android Security Bulletins are a different thing from the monthly releases. Android Security Bulletins are backports of a subset of patches deemed High/Critical severity to older Android releases. That currently means the initial yearly releases of Android 13, 14, 15 and 16 without the monthly/quarterly updates for those. This will need to change now. The changes are acceptable for us and we can deal with it. We're currently working with a major OEM towards future generations of their devices meeting our requirements and providing official GrapheneOS support. #GrapheneOS on both Pixels and these future non-Pixels will be fine.
Pixels are still the most secure Android devices and the only ones combining a high level of security with proper support for an alternate OS. However, it's clear they don't value alternate OS support and won't remain the best devices for GrapheneOS once we have official ones. We could continue supporting future Pixels such as the Pixel 11 and Pixel 12 after we have another option available but we won't depend on them continuing to provide alternate OS support. It's good that the Pixel 10 still provides it since our alternative is a year or two away.
Final 4 months ago
For June 2025, Cellebrite haven't bypassed secure element brute force protection on the Pixel 6 or later and iPhone 12 or later. They do have device extraction support for every iPhone on latest stable iOS without credentials required in AFU state, same with almost all stock OS Android devices. Later Pixels running GrapheneOS have no capabilities, only allowing extraction if they know the user's password already. We will not be publishing documents ourselves to protect sources and to avoid closing our leaks. We believe these companies will watermark these documents to identify a source. I consider these companies hostile to GrapheneOS, as they seek job applications deliberately targeting GrapheneOS as an experience or research target. Older iPhones and Pixels 3 to 5a have brute force exploits available that circumvent or exploit the secure element. This means they can get access to any such devices using insecure credentials, like small length numeric PINs. Second generation Pixels are an outlier, likely due to no demand by their customers to have access for them. A customer could request on-demand help and support through Cellebrite Advanced Services. This likely could change things, since the secure element is the same. Pixels 6 and later moved to a far greater RISC-V secure element based on OpenTitan called the Titan M2. It has proven to be far more resilient thus far. Pixels 5a and earlier have not been secure devices for a long time. They do not receive driver or firmware updates from their component manufacturers. If there are exploits available, they won't be patched. No choice of OS will change this situation.
Final 4 months ago
Learn to compress information when communicating. Imagine teaching a first day class about $TOPIC. Place the same restrictions: unpredictable questions, time, word count, PRESENTATION.
Final 4 months ago
Seeking to improve writing skills. I hate old technical articles I've made. Here are some notes I am referencing:
- Wipe out the added frills... No "really", "a bit", "very" etc.
- Remove words that have no purpose to the sentence when put alone. e.g. "I hate old technical articles I've made in the past". "In the past" not needed.
- Additionally, examine every word: a large number don’t serve any purpose.
- No over-explaining. If you think they know then don't write it. Avoid assuming the reader is dumb.
- Try not to put certain adverbs like "surprisingly" to a fact. It manipulates the value on a fact before it could be read. Speak facts as they are truth.
- Use more plain and short sentences. Each sentence contains a thought; Or each sentence contains a fact.
- If a sentence is troublesome to get right, get rid of it.
- What does the reader want to know next?
- Write my thoughts, write against it, see a different perspective, then cut it all into a short outline.
- Practice one sentence at a time. Separate up sentences. Judge each sentence on its own, and prove its worth.
Final 4 months ago
I just browse Reddit with the browser I already have.