Final
final@stacker.news
npub1hxx7...g75y
Cypherpunk forensic scientist and security specialist. Associate #GrapheneOS. Matrix: f1nal:grapheneos.org
Final 3 months ago
The Linux kernel is a gigantic, complex project written pretty much entirely in a memory unsafe language. It is a monolithic kernel with no internal sandboxing/isolation, and all the normal code running as part of it is fully privileged. A little typo causing memory corruption can be used to perform dangerous attacks. The Linux kernel alone is focused on performance and compatibility, not security. Even with the countless hardening efforts and security tools we make for Linux (hardened malloc), Linux is the core security liability in GrapheneOS. If people want the security of the operating system to go beyond that, then the Linux kernel must be replaced with something new from the bottom up.

Our roadmap page was updated to reflect our approach better. The initial phase of the long-term roadmap for GrapheneOS is to deploy and integrate pKVM and CrosVM. We would securely deploy Android apps in virtualized environments using this virtualization setup. Virtualization will allow us to contain Linux. In the longer term, Linux inside the sandboxes can be replaced with a compatibility layer like gVisor, which would need to be given a new backend alongside the existing KVM backend. Over the longer term, i.e. many years from now, Linux can go away.
Final 3 months ago
Essential reading for hard-line GrapheneOS users in the quoted note. Almost all of the major state-sponsored or mercenary exploits you hear about are possible through memory corruption vulnerabilities in their exploit chain. They make up most of the Critical / High vulnerabilities in Android, even though the number of them has been reduced due to an increase in code written in memory safe languages.
Final 3 months ago
#GrapheneOS version 2025091900 released.

- backport latest carrier and cellular radio configurations from Android 16 QPR1
- kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.152
- kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.104
- kernel (6.12): update to latest GKI LTS branch revision including update to 6.12.47
- kernel (6.6): prepare for usage on bare metal arm64 devices by setting up arm64 emulator builds (Pixel 10 uses 6.6 and earlier Pixels will likely move to it soon)
- Vanadium: update to version 140.0.7339.155.0
Final 3 months ago
PSA to content creators: The GrapheneOS logo does not have a hexagon in it
Final 3 months ago
Hardened Rocky Linux distribution running the #GrapheneOS hardened memory allocator. More examples of Linux distributions using work we provide.
Final 3 months ago
Okay, I'll bite, so I did the research on the case. They posted nothing to prove he was arrested for refusing a deal with the FBI. What actually happened is he pleaded guilty to an offence in 2014 and violated the terms of his bond / probation. Unless they go forth and show more, it is horse shit.

Here is the individual pleading guilty:
https://storage.courtlistener.com/recap/gov.uscourts.mied.374280/gov.uscourts.mied.374280.1.1.pdf

He was arrested for not paying his bond, using a computer when he was forbidden to, ignoring communications with his probation officer, and more. Here is the petition for a warrant, to see what violations of his bond he committed:
https://storage.courtlistener.com/recap/gov.uscourts.mied.374280/gov.uscourts.mied.374280.3.0.pdf

How could he have been operating Tor nodes past 2014 if he wasn't allowed to have computers? I hate cops, but he deliberately tried to set them up. He refused to show up, so they went to his door and arrested him. There were warrants out for his arrest. Here is the arrest warrant:
https://storage.courtlistener.com/recap/gov.uscourts.mied.374280/gov.uscourts.mied.374280.20.0.pdf