Claims made by forensics companies, their capabilities, and how GrapheneOS fares

When you review products for long enough you learn to just take everything security vendors like GrapheneOS say with a grain of salt lol


I should note that the context of my original comment was that GrapheneOS was mere weeks ago in a private Discord server used by law enforcement, going out of their way to antagonize them until they got kicked out. And then they tweeted about it.

I guess the context is probably lost on people who don’t keep up with their nonsense, but to pretend they’re not going out of their way to show off in front of the cops is absurd.

I’m obviously not a law enforcement advocate; ACAB etc. :joy: but calling attention to yourself seems pretty silly to me. The constant standoffish-ness from them is my only problem, and they proved that’s their default behavior yet again with this Tweet. That’s all it is :man_shrugging:

3 Likes

No, that’s incorrect… If you actually look into it (and I encourage others to independently do so), here’s exactly what happened:

Forensics companies like MSAB etc. are trying to prop themselves up by boasting that they have “GrapheneOS support”. They are intentionally vague about what that means. It’s only when you actually get a hold of a table with their actual capabilities that it becomes clear that what they actually mean is that they can do an extraction of an unlocked GrapheneOS device. These forensics companies are singling GrapheneOS out and talking about it in particular (no other AOSP-based OS that I am aware of gets singled out this way) exactly because it is understood that GrapheneOS makes an actual difference in security that changes their capabilities compared to other AOSP OSes where the capabilities for the same device are more or less the same.

GrapheneOS has been used as marketing for these companies before GrapheneOS decided to focus more on physical attack vectors, as the priority in the past has been bolstering defenses against remote exploitation.

MSAB (a forensics company) released a video as part of their “MSAB Monday” video series that showed them exploiting a Stock OS Pixel by doing a RAM dump (something that they shouldn’t be able to do on a locked device) as well as preventing a factory reset that was triggered by the “Wasted” app. They quickly realized that they divulged too much information and removed the video from their socials.

That video was enough evidence to get Google to act on both of those things, which it did based on GrapheneOS’ reports.

See “New Zero-Day Attacks Target Google Pixel Phones” (PCMag) for more information on this, the video from MSAB that made Google care about it, and how it was fixed.

GrapheneOS isn’t “trying to market itself” in this way, forensics companies started using GrapheneOS’ name to do that; get it right.

Coming back to the Digital Forensics Discord: do you know who’s present in that Discord other than law enforcement asking for help doing extractions? Basically every forensics company and exploit vendor imaginable. If you actually go to the Discord, you’ll see that GrapheneOS and the project’s features were discussed in the past, with someone even going as far as to say “it’s best not to discuss GrapheneOS publicly”, fearing that talking more about it would likely get us to cancel any of their capabilities. It’s funny to think that what did them in was one of the companies’ marketing material. Regardless, GrapheneOS was mentioned there long before we ever joined it, and just like people had in the past, we informed people of our new defenses and the reports that patched the holes they were using for stock OS, we corrected some misconceptions, and answered some questions. The response was for GrapheneOS to be banned. :person_shrugging: They have continued keeping up with GrapheneOS, just like they did in the past, such as recently warning each other about new developments like the new max length for passwords and the duress feature.

To claim that GrapheneOS is being “risky” by tackling these things head on is just silly. These groups were well aware of GrapheneOS way before, and will be aware of all updates way into the future.

Divulging info leaked to GrapheneOS to the public (Cellebrite’s capabilities) from an industry whose entire goal is to try and keep as much as possible hidden is the right thing to do. People knowing how they can protect themselves is the right thing to do. Insinuating that Cellebrite and all of these other tools are only used by law enforcement, and are only used on criminals is a wild take that I didn’t expect to see on this forum.

12 Likes

Can we just agree that everyone is being silly and spilling too much ink over something that literally doesn’t matter? Like who cares about marketing holy shit lol

False and inaccurate marketing in the privacy and security space is a gigantic problem and is exactly how people end up making decisions that can hurt them in the future. In many cases, false marketing is exactly what this site is meant to be fighting against.

Forensics companies doing misleading marketing to prop themselves up has real consequences when people see that and misunderstand what it means, especially when scammers in the space try to use it to get people to use something significantly worse instead.

If LastPass or NordVPN were being marketed as doing things they can’t actually do, or were trying to spread misinformation about Bitwarden or Mullvad based on intentionally misinterpreting something, wouldn’t you take issue with that?

I don’t expect anything better from forensics companies and people working in an industry that basically relies on secrets and gatekeeping to function. I don’t expect anything better from scams peddling something blatantly insecure trying to use that marketing material to push people away from something that works.

I do expect people here to think about this matter a bit more critically and realize that the take in this thread sucks. No two ways about it.

11 Likes

@Jonah or whoever changed my tag on this forum - I would very much like for my “former team member” subtitle to be reinstated. Let’s not forget that I was a member of this team for a very long time. :slight_smile:

8 Likes

It does matter, because trolls go around and start screaming that GrapheneOS is compromised, even though that isn’t true.

2 Likes

I think you can change that in settings.

1 Like

“Former team member” is not a title I can give myself. It seems like it was just taken away.

3 Likes

That’s not fair, you should have the option to pick whichever title you prefer.

1 Like

I’m a massive cynic and really don’t think that it matters – people listen to whoever says the nicest lies, not the most accurate truths. Trolls don’t need Cellebrite’s marketing to dunk on GOS, they would do it anyway and shill their own Product™️

They already are marketed on effectively lies, and yeah it sucks but ultimately it doesn’t matter because barely anyone is going to “see the light” if you shout the truth into the void because the lies are marketed better, hence, arguing about this is silly :slight_smile:

1 Like

It feels like a very subtle attempt to try and discredit what I’m saying. I’d be more than happy with a “Former team member & GrapheneOS” or similar for a title, but the fact that I was a moderator, team member and contributor to the site for a long time is something that I would like to see reflected on my forum profile as well.

6 Likes

If you truly think that lies and false marketing always prevail, is the mission of Privacy Guides doomed from the get-go? We can tell the current team to pack it up, then, I suppose. :person_shrugging:

3 Likes

Sure yeah, it’s pretty doomed. I still like having a curated list of resources and a discussion forum though, that stuff is sometimes useful :slight_smile:

1 Like

Privacy is dead!

Signed,
A Privacy Guides forum member

If you truly don’t think misleading and inaccurate marketing and misinformation is worth addressing, then I can see how you wouldn’t see the value in this conversation. I reserve the right to still consider it important though, if that’s okay.

3 Likes

I said precisely what I said, not that privacy is dead. I would prefer that my words not be twisted, thank you very much.

Signed,
Some person who does not appreciate people deliberately misrepresenting them

P.S. I think just making useful tools and writing up accurate information is far more valuable than repeatedly going “nuh uh” about marketing spin or arguing with people online, and yes I recognise I’m doing that right now but shh I’m bored, I have clocked out of work for today :wink:

3 Likes

That’s the sentiment that I got from what you said. I didn’t add any quotes to what I said, people can also read up, I’m quite clearly not trying to misinterpret you; just some lighthearted fun. :slight_smile:

I’m sorry to hear that you think we’re arguing. My issue here is with other weird claims being made, not anything you said, though I did still think it made sense to address it and explain why I felt it was important to explain.

As for your other statement, I believe that while having to spend time debunking misinformation and inaccurate marketing claims is unfortunate, time consuming and not enjoyable for anybody to do, it’s necessary to minimize people being duped by it. Of course, writing accurate information and developing useful tools and features are both things that GrapheneOS does alongside that.

1 Like

No, they don’t. They all sell to private investigators.

Proof: Mobile Forensics with Cellebrite Producten - DataExpert EN

3 Likes

Maybe you stop 1 person being duped by it, but then there’s the 1000 other people who never see your post or video or comment debunking it. This is from experience – it’s far more fulfilling and useful to just not bother directly debunking every single false or misleading claim, because people will come up with 1001 false claims for every 1000 you debunk with Facts and Logic™️. Like, critical thinking and media literacy are long dead.

1 Like

I understand where you are coming from, but on the other hand many journalists and activists in many countries (even in the western world) are not treated in the best way by oppressive regimes, to say the least. Protecting against that is a feature. Perhaps it would make sense/help their case to explain that it is valid for those people in advocacy and journalism, for example.

4 Likes

This is something GrapheneOS has specifically said, and it’s also obviously implied. It’s as implied as Tor making a product to protect people who need it.

Products that offer actual security and privacy have to provide it across the board. You can’t choose who is protected - if only some are, that means that there are weaknesses to be used on people who are targeted unjustly.

11 Likes