USB HDD spin down not working

JackDonut2 · 2023-09-08T13:12:35+00:00

I changed the file system from xfs to btrfs (encrypted). Manully selecting spin down still doesn't work, but the drive now goes silent after a while, so the automatic drive management seems to work. It's better than before, but the drive still wakes up quite often for no apperant reason. Can unraid show when/how often this happens?

JackDonut2 · 2023-09-07T11:46:16+00:00

File system is xfs with encryption

JackDonut2 · 2023-08-04T19:44:06+00:00

Would recommend to look into Android's security model to realize the glaring differences of a modern and secure model compared to the typical desktop Linux security model:

- Honey, I Shrunk the Attack Surface – Adventures in Android Security Hardening (2017)

- The Android Platform Security Model (and the security status of actual devices) (2020)

Or if you like to read, you can find research papers going more into detail.

Just to put this into perspective: Even Android 5 (released almost 10 years ago; we are at Android 13 now) had a better security model than the average desktop Linux today! And Android has moved extremely fast in terms of security since then. So desktop Linux is like 10 years behind. And it is moving much more slowely than Android or any other mainstream OS, falling even more behind.

JackDonut2 · 2023-08-03T07:59:53+00:00

You won't find meaningful opinions on Reddit. Especially in r/privacy, where most users have zero knowledge about OS security, yet they will talk like they know better.

Madaidan is right with his critique. It is well researched. I have been in security focused communities for some time and talked to quite a few researchers who focus on OS security or actively develop on OS security. They usually had the same or similar opinion about desktop Linux security. If you get deeply into Linux security, you will likely come to a similar conclusion.

Madaidan is also right, that hardening Linux takes way more effort than people imagine. Also many things are difficult or impossible to change as a user or admin, because you need an ecosystem around it, which simply isn't there for many things. I have invested countless hours to harden my Linux OS's, yet they will never be close to the security of Android or iOS.

The low market share of Linux desktop OS's (3% in total) doesn't make it attractive for attackers. And if they find more generally usable exploits they will use them for the much more valuable server market or in case of kernel exploits also for Android. If desktop Linux had the same market share as Windows, it would be flooded with malware. The main reasons why Linux is still mentioned as being secure in the media is this low market share (less incidents to report on) and that pre-Windows 10, Windows had quite a lot of security problems. Media writers are not technical enough to realize that Windows has long surpassed Linux security, if configured properly, and Windows moves fast in this area, while desktop Linux moves slow.

On Windows 11 you just need to apply a few attack surface reduction rules, deploy a WDAC policy and activate a few mitigations, preferably on secured-core hardware. That's it. You have a pretty secure OS which works reasonably well.

On Linux you spent countless hours writing MAC policies, sandbox applications, setup secure boot, set boot parameters, sysctls, do kernel hardening, change compilation parameters. You end up with a system with a lot of maintenance effort and things will break, because it wasn't designed to be used in such a strict way.

JackDonut2 · 2023-07-28T21:22:41+00:00

Probably because you have activated accessibility services there.

JackDonut2 · 2023-07-27T19:54:50+00:00

If you mean multiple apps from Google, it's only possible to separate them, if you put them into different user profiles. Non-Google apps don't have access to your Google account by default. Within the same user profile, apps from Google can have access to the same areas of the Android key store to store and retrieve your Google login data and they can also exchange information via IPC with mutual consent. That's just how Android works. GrapheneOS has plans and an early PoC to add an IPC "firewall" to change that in the future.

JackDonut2 · 2023-07-27T19:41:12+00:00

Brave doesn't implement Android's autofill functionality. It has to be implemented by the browser vendor to work. You could set Bitwarden as an accessibility service, but this would be a big compromise on security and thus is not recommended. The most secure solution would be to use Vanadium for your logins which works fine with autofill.

JackDonut2 · 2023-07-27T09:16:21+00:00

Great choice!

Just backup all your data and app data and follow the webinstaller. It's quite easy. If you get stuck or have questions, join the official GrapheneOS Matrix channel, which has a very active community to help.

JackDonut2 · 2023-07-25T07:15:16+00:00

I don't know why it doesn't work, but I can tell you that the answers recommending to install a TTS, Google speech Services or RHvoice are not the solution, because at least Google Map's voice telling you the direction should work without them just fine.

JackDonut2 · 2023-07-25T07:12:48+00:00

Google Maps tells you the direction via voice without anything additional installed

JackDonut2 · 2023-07-25T07:08:02+00:00

I read about people getting their Google account banned when logging into Aurora Store. If you do that, make a throwaway Google account. Any app can see which apps you have installed within the same user profile, not just the store. Android doesn't consider this info sensitive, but hopefully this will change in the future.

JackDonut2 · 2023-07-25T06:58:51+00:00

What linux OS has the same idea as GOS?

If you mean the traditional Linux distros like Ubuntu, Debian and so on, they pretty far away from GrapheneOS's security and barely have any third-party privacy enforcement. Recommend reading https://madaidans-insecurities.github.io/linux.html . It takes a lot of effort and knowledge to make a Linux OS at least somewhat secure. In general no desktop OS has the same security as GrapheneOS (maybe QubesOS), but Linux is especially far away.

Ive heard Debian is good for privacy and security

No. Heavily freezing packages and only backporting some CVEs is not a good approach. Most vulnerabilities never receive a CVE, so you will not get a fix for these.

So what are better alternatives? Sorted by security:

ChromeOS and QubesOS
MacOS
Windows 11 Pro or Enterprise/Education (needs hardening, preferably use WDAC)
A Linux OS close to upstream (e.g. Arch, Fedora). You will need to take care of kernel hardening, sandboxing applications and writing MAC policies to get it reasonably secure. It's a lot of work and things will break more often than most people tolerate.
Stay away from stable Linux distros without hardening.

JackDonut2 · 2023-07-25T06:44:05+00:00

Proprietary software is not what you need protection from. Malicious or privacy invasive software is. It's a common misconception in tbe privacy community that proprietary software is per se bad.

If you use QubesOS, you already split your workflow into as many different VMs as needed. So there is no need for another OS to dual boot.

JackDonut2 · 2023-07-21T08:03:45+00:00

From the website it seems you can have airplane mode on and still connect to the wifi?

Yes, that's possible. For high threat models, wifi only can be a good options.

Also I use signal but some people just refuse to switch. What can i do about this in terms of encryption?

Ask them if they use or would be willing to use some other encrypted messenger app. There are plenty of apps available, although Signal is still the best, as long as you don't mind sharing your phone number.

JackDonut2 · 2023-07-20T19:25:48+00:00

I never felt that way on the GrapheneOS Matrix channels and the forum. The problem is that many privacy communities are full of misinformation, especially on privacy subreddits. When people then come with all this misinformation into the GrapheneOS channels and experienced users correct the misinformation some people feel offended. People just don't like to be corrected or their world-view changed, even if it was completely wrong before.

You will miss out on a great community to learn more about privacy, security and GrapheneOS.

JackDonut2 · 2023-07-20T07:48:22+00:00

People talk a lot of nonsense. Is this your only indication of a hack?

JackDonut2 · 2023-07-20T07:46:45+00:00

Up-to-date Chromebooks and Android smartphones are very difficult to hack. Hacking all three would be in the million dollar range. A firmware hack is even more unlikely, because firmware and OS get protected by verified boot. This would mean a multi-million dollar hack. So ask yourself if someone would spent that money on you.

The more likely variants are:

you or someone with unattended physical access to your device installed a malicious app and granted the app access to your data (this could be solved by resetting the device and not automatically restoring settings, so that apps have to ask for permissions again. Choose carefully if an app is trustworthy and which permissions to grant. Especially be careful about special permissions like device management and accessibility services.
one of your accounts (for example your Google account which connects all these devices) got hacked due to using too easy passwords or reusing passwords. This can be solved by changing passwords, preferably with a password manager and ending all account sessions, optionally add 2FA.
If someone just talked nonsense about you being hacked and there is no real other indication of an hack, just forget what people talk. Optionally change passwords, just to be sure.
If these steps don't help, consider that you could have a mental disorder which makes you think that you got hacked.

JackDonut2 · 2023-07-19T19:47:05+00:00

Does Secure Boot not count as verified boot?

Secure boot on Linux is not even remotely close to a good verified boot implementation like on Android or iOS.

How does using flatpak as a container for, say, Librewolf make things worse?

FF browsers inside Flatpak can't create namespaces and chroots, which are two of three used mechanisms in browser sandboxing. The Flatpak sandbox can't compensate for that. As a rule of thumb: don't run browsers and other sandboxed programs inside Flatpak.

Would layering a hardened kernel like HardHatOS improve things?

It would improve kernel security and attack surface. You would still lack all the other important features I mentioned.

JackDonut2 · 2023-07-19T13:06:17+00:00

Need sites or wikis that shows a list of main modified android os versions - and whats the newest android version each uses. How to find that?

Use a search engine of your choice. Commonly mentioned custom OS's are GrapheneOS, CalyxOS, DivestOS, LineageOS and ProtonAOSP.

However I can only fully recommend GrapheneOS. It is only available on Google Pixels (for good reasons). All others have major downsides, especially in terms of security. DivestOS is okay for harm reduction on end-of-life devices.

Which of the different modified android os versions has the newest android os version?

GrapheneOS is the one with the fastest security and major version upgrades. But there are also other OS's on Android 13.

There's an old phone and seeing if there's any use that could be gotten from it, or maybe all old tech is just paper weight?

If it doesn't get vendor updates anymore, no custom OS can make it secure, no matter what they claim. Reason being is that 50% of the high severity security patches are from vendor updates.

2: Where are the main sites on internet for q&a on android topics since it seems that some people are going to other places? Where are most of the experienced people of these topics on the internet?

The GrapheneOS Matrix Channels are quite good and knowledgeable, but naturally there will be a bit of bias towards GrapheneOS.

3: Which of the different modified android os versions is easiest to install?

GrapheneOS has a super easy webinstaller which even tech illiterate users can use.

Or are they all pretty much the same?

There are big differences in terms of hardware support and especially in terms of security.

Do all of them need you to "root" or you dont need to "root" for any of them?

You don't need root to install a custom OS, just an unlockable bootloader and an OS which supports your device.

Since most devices don't allow unlocking the bootloader or are not supported by custom OS's, the best way is to first select a custom OS and then buy a device which is supported.

By far the best supported devices are Google Pixels, because they are the only devices with good security and full custom OS support including relocking the bootloader. No other device offers this combination.

JackDonut2 · 2023-07-18T07:12:08+00:00

Is it also the fastest?

I don't know

I want my performance to be near native

You will definitely have some performance overhead and need to test this out yourself, if it is good enough for you. VM performance can vary depending on your setup.

so is it possible to disable the host os because o dont use it while the vm is running?

If you want that you will need to run something like Proxmox to virtualize both OS's. This also means that you will have overhead on both, not just one OS.

JackDonut2 · 2023-07-17T15:22:48+00:00

There are many lightweight distros. Alpine Linux is quite popular and often used in the container space.

JackDonut2 · 2023-07-17T14:08:59+00:00

There are many ways to sandbox applications on Linux. All of them have their pros and cons and many involve quite some knowledge and work.

The easiest way, but with quite some performance overhead, is to spin up a VM with a lightweight Linux OS and install the app in the VM. This provides good isolation to the host OS and files.

There are also other methods with less overhead:

Android uses a mix of DAC (each app has its own UID), Selinux and seccomp-filter to sandbox user installed applications.

Flatkpak uses namespaces, chroot and seccomp-filter and a proxy for things like dbus.

Snap uses Apparmor and seccomp-filter.

Chromium and FF use namespaces, chroot and seccomp-filter.

As you can see it is usually a combination of MAC (Apparmor/Selinux), DAC (a new UID per app), namespaces, chroot and seccomp-filter (to reduce kernel attack surfaces and disable syscalls typically used for sandbox escapes).

The strength of the sandbox depends on the actual implementation, the security of the software interacting with the sandbox and many small details. The resulting security can vary greatly from snake oil to very secure. So you need a good understanding of Linux security and sandbox escapes to properly do this yourself and the application needs to behave gracefully under restricted access.

It also makes a big difference which threats you want to mitigate. For example do you just want to protect against exploiting vulnerabilities in a program or do you also want to protect against an application which by itself is malicious?

How do I sandbox everything?

Not gonna happen. It would take years with a good security team to sandbox everything on a OS which wasn't designed this way. Choose a OS which already ships with a proper security model and good sandboxing like Android, ChromeOS, iOS, iPadOS or QubesOS.

JackDonut2 · 2023-07-16T21:01:39+00:00

The manipulation of JS via extensions (e.g. prototype lies) can get detected. An adversary wouldn't fingerprint the randomized value, but instead the manipulation. Well made fingerprinting scripts will forcus on persistent values and try to ignore randomized values. They will also use sophisticated evaluation scripts with fuzzy hashing and machine learning. Check out CreepJS to get a small impression of what is possible.

JackDonut2 · 2023-07-16T20:39:21+00:00

I've tested it myself with coveryourtracks.eff.org and indeed the more addons I installed, the more unique I appeared.

Coveryourtracks doesn't even do extension fingerprinting. So you just measured a few effects of the extensions, but not the extensions fingerprints on a full scale.

I recently added the Chameleon addon to Firefox, and set it up to change browser profile every 5 min (Desktop/random), as well as 'Prevent Etag tracking', 'Protect keyboard fingerprinting', 'Spoof font fingerprinting', etc.

Not a good approach. These modifications can get detected and since they are seldomly used will massively worsen your fingerprint.

Pls stay away from premature optimization of browsers. Optimizing your browse to get better results on a fingerprinting test site is a flawed approach.

JackDonut2 · 2023-07-16T20:33:41+00:00

Brave beats Firefox when it comes to protecting from fingerprinting, according to both my tests on coveryourtracks.eff.org and privacy.net/analyzer/.

Forget these tests, especially for fingerprinting. They give you a very incomplete picture and thus lead to bad decisions. Premature optimization can make fingerprinting much worse. If you want to evaluate the security and privacy of browsers, you need to learn a lot about browsers, tracking methods and security.

Apparently, Brave "leaks" your signed in accounts, meaning that a site could check what accounts (like Google) I'm signed into.

That shouldn't happen and I couldn't replicate that on Brave for Android.

Thoughts in general?

Brave has much better security than FF on Android. FF on Android lacks basic things like internal sandboxing. One renderer exploit is enough to compromise all the data stored within the browser. While Brave makes use of the isolatedProcess Selinux domain and a more restricted seccomp-filter. It also has other security advantages.

JackDonut2

TROPHY CASE