Friday, 2019-12-13

[02:30] *** SpeedEvil is now known as Guest72157
[02:32] *** zbenjamin is now known as Guest80047
[02:32] *** zbenjamin_ is now known as zbenjamin
[06:47] <artur_0000000> Hi everyone! Hope you're doing great!
[06:54] <artur_0000000> Came to ask what's the current status of SFOS support on Fairphone and/or Shiftphone?
[06:58] <ViGe> artur_0000000: You will probably get better results asking in #sailfishos-porters
[06:58] <artur_0000000> Thanks, ViGe!
[09:14] <frojnd> Hi there.
[09:14] <frojnd> I just got flip case cover (magnetic) but when I close/open case it won't turn on/off display? Any ideas? In settings under Display I have enabled setting which says use flip cover magnetic case to turn on/off display...
[09:15] <frojnd> Sony Xperia XA2 Plus
[09:49] <adantes> frojnd: I can relate to that. You know a trick I do? My phone never lasts less than 3 days a battery
[09:50] <adantes> each time I use it, I activate the services I need; and after I use them, I deactivate them: GPS, network layer, android support, and, guess what: the screen.
[09:52] <adantes> Isn't this a smart way to use a smartphone? With Sailfish battery lasts at least 3 days! Why smart covers? The only smartness existing is the way you use your device :-)
[09:52] <adantes> Gemini PDA, since I've migrated it to sailfish as well, battery lasts for one week
[09:54] <frojnd> Do you have a script for that so you can map to a button?
[09:54] <frojnd> Like press camera shutter button twice and all this happens on/off toggle ;D
[09:55] <adantes> Sure I use it mainly for SSH, and I do most of my computing via SSH. And that thing shuts the screen off automatically when you close. But guess what: I open the device, activate network layer, etc., turn on toeterm, connect, disconnect toeterm, disconnect network layer, _shut down the screen_, and close the PDA
[09:55] <adantes> There's a simple trick to use your smartphones and PDA, and computer in general
[09:56] <frojnd> You put it in hibernate after work?
[09:56] <adantes> You turn the f* thing off
[09:56] <frojnd> Ya.. been doing so lately. I don't even reddit anymore
[09:56] <adantes> the only thing is always on are the servers
[09:57] <adantes> I'm sorry buddy, but this is the thing about users: they don't know how to use.
[09:58] <adantes> One may buy a 1000$ gadget, and still behave in a dumb way, like most iPhone users do
[09:58] <frojnd> Well others started to complain I'm offline lately but I just told them that if it's serious they can always reach me in person...
[09:58] <adantes> always expecting magic from their devices
[09:59] <frojnd> That's just the way things evolved and are evolving.. I know.. I'm also Android dev
[09:59] <adantes> frojnd: there you go, use well your tech, and you won't complain no more about it ;-)
[09:59] <adantes> really? so am I.. and iPhone as well
[09:59] <adantes> btw, I must return to XCode :-P
[10:00] <frojnd> I love sailfishos :) After using it for personal stuff I am more free
[10:00] <frojnd> I started to enjoy other stuff like fresh air :D
[10:00] <frojnd> And leaving everything @home while outside
[10:00] <frojnd> some would even consider me a criminal because I have no gadgets on me sometimes
[10:01] <adantes> may I suggest you write a letter to sailfish board on how it changed your life?
[12:16] *** frinring_ is now known as frinring
[15:17] <Guest28> Hi, asked this question last night but didn't get a response. How secure is Sailfish X to government snooping? I take it we've all read about Edward Snowden reveals (if nor Thanks.
[15:29] <mkolman> Guest28: I would say there are currently not enough users for massive snooping to pay off, as the system is pretty different to the regular snooping targets. :)
[15:31] <mkolman> Also the system has a much more introspectable nature by being close to regular Linux distribution, so I guess one has much bigger chance to notice weird activity than in the Android mess.
[15:31] <mkolman> That's how I see it.
[15:52] <Guest28> Thanks mkolman. The number of users is a good valid point.
[15:55] <x2s> Well, the newer Android devices should be fairly safe, too. But they don't age well
[15:55] <x2s> government snooping on the other hand is its own security case. How to deal with an attacker that has almost infinite resources?
[15:58] <x2s> The kernel used by all sailfish os versions is pretty old. That's not a bad thing most of the time, but if there are publicly undiscovered holes they might be known to them. On the other hand those holes could be also in the newest kernel version
[15:58] <mkolman> well, Jolla regularly fixes CVEs in the kernels
[15:58] <mkolman> IIRC, even on the quite old Jolla 1
[15:58] <x2s> But the updates take months and aren't done on a hotfix basis.
[15:58] <x2s> In between you're vulnerable.
[15:59] <mkolman> as long as you are on LTS kernel version & are doing your part (updating to new LTS releases or at least backporting the CVE fixes), you should be secure with an older kernel as well
[15:59] <mkolman> x2s: yep, that's certainly an issue & I don't like that as well
[15:59] <x2s> Then there's always the modem, which is a whole computer itself. We have no direct access to it. Usually a very very old linux is running there
[16:00] <mkolman> coming from Fedora/RHEL, where CVE fixes get out of the door as quickly as possible, definitely not waiting for features & non CVE bug fixes
[16:00] <x2s> there's no direct access from the modem to the phone's cpu itself. But I'm not so sure if the memory isn't shared or something like that
[16:01] <mkolman> IIRC memory is sometimes shared, sometimes even the baseband computer boots first
[16:01] <x2s> I'm a debian user for most of my life now. I'm used to getting security updates :)
[16:01] <mkolman> but that varies based on concrete device
[16:01] <mkolman> also afaik the basebands usually run some proprietary RTOS, not Linux
[16:02] <x2s> They're running linux by now.
[16:02] <mkolman> maybe the separate modem modules/cards/usb stick do
[16:02] <mkolman> then I would expect to have more information about them available
[16:02] <mkolman> given the GPLv2 requirements of the kernel
<Guest28> I am not sure about any Android devices being safe - NSA-GCHQ have broken into Google/Yahoo data centers.
[16:06] <Guest28> If it was just terror activity being analysed - that's not too bad. But I think there's corporate espionage going on too. So if you're a non-US company, you risk (I don't know how big) losing company secrets - roadmaps etc to US competitors in advance.
[16:06] <x2s> the problem is we don't really know what's running there, because the firmware is encrypted. And as we know, not many people care about the GPL in those companies..
[16:07] <mkolman> well, many modems are done by big name companies with headquarters outside of China
[16:07] <mkolman> like Qualcomm
[16:07] <mkolman> AFAIK those can't really ignore licensing the way many Chinese vendors do
[16:08] <mkolman> they might play cheap tricks (user space driver blobs, tivoization, etc.)
[16:08] <mkolman> but can hardly ignore GPL while shouting loudly about their precious proprietary IP being violated
[16:08] *** BitEvil is now known as SpeedEvil
[16:12] <x2s> I can't find the article anymore. I really should start saving everything I read and find interesting. Though, I wouldn't find them in the mess of links and articles anymore, too. :)
[16:13] <Guest28> Good points on the modem and security vulnerabilities (known or otherwise). I hadn't considered the modem issue. If the memory is shared, then could the modem in real time send out data/packets to multiple locations e.g. authorised and unauthorised?
[16:14] <x2s> but back to topic. If the memory is shared between modem and cpu then there's a way to access the memory from the modem, if there's a bug (or backdoor) in the modem firmware itself.
[16:15] <x2s> also sfos doesn't let you fully encrypt the device afaik (haven't installed it lately. XA2s seem to be out of stock for good :/ ) so it's possible to just copy the data from your phone
[16:16] <x2s> (or to state it otherwise: Embedded device security is a mess when it comes to mass produced things)
[16:21] <mkolman> IIRC, the encryption on Xperia 10 only covers the home volume
[16:22] <mkolman> rootfs is not encrypted, likely to make unlocking the home LUKS volume easier
[16:22] <mkolman> as you have the UI (which lives on the rootfs) available
[16:22] <mkolman> in comparison, the default encryption layout on Fedora covers everything outside of /boot
[16:23] <mkolman> and initrd/plymouth handle LUKS passphrase entry, resulting in a rather limited environment (such as no way to switch keyboard layouts)
[16:24] <Herrie> lbt: ping
[16:24] <Herrie> sage: ping
[16:24] <mkolman> but in both cases, if someone manipulates the unencrypted stuff that handles your passphrase (on /boot in Fedora, on rootfs on Sailfish OS), it could leak your passphrase
[16:25] <mkolman> still, that would need to be likely a targeted attack
[16:25] <mkolman> + it might be possible to verify if boot has not been tampered with via secureboot
[16:26] <x2s> but then you have to trust secureboot not having backdoors.
[16:26] <Herrie> lbt/sage: Nevermind solved it
[16:27] <x2s> to be secure from government agencies is hard, really really hard.
[16:29] <mkolman> in general, one needs to also care about the government & trying to improve it
[16:30] <mkolman> as bad government can do much worse stuff to you than just spying on you
[16:30] <mkolman> & it's not a good idea to rely on just technical means to protect you from a bad government
[16:32] <Guest28> The reason why I am so concerned about all of this because just recently I put up 70MB PDF file which contained my company plans for a customer to download. The file was uploaded to a US large data file repository. Within 24 hours of the file going on large file repository, I suddenly had 5 or 6 different people contact me asking me questions. Very
[16:32] <Guest28> strange as I don't get so many requests ever.
[16:33] <Guest28> I think it's corporate espionage. And if it can happen so easily. Then it's only a matter of time before my phone could be used.
[16:34] <Guest28> You put in long long months or even years of work into something, then somehow it's rapidly potentially leaked. It's not a nice thought. And it could happen to any non-US or US company for that matter.
[16:34] <Guest28> It's really worth thinking about laptop, phone and network security.
[16:35] <Guest28> That's why I am so interested in learning about SailfishOS. Plus I am an ex-nokian and wouldn't mind seeing meego in action.
[16:40] <tadzik> well, no hardware or software will protect you from your own customer being careless with what you gave them, I'm afraid :/
[16:41] <tadzik> it's like sending a nice, encrypted email to a gmail account ;P
[16:41] <Nico[m]> Or storing anything on a windows PC :D
<Guest28> The customer is the European Space Agency. I somehow trust that they are very sensible with security. I think the large data repositories are monitored (or keyword searched). Check out XKeyScore - it's an example of a keyword search to track individual data over internet
[16:45] <Guest28> Obviously, I need to start using pgp or encryption for big files being sent. But makes sense to ensure my phone is safe.
[16:48] <Nico[m]> I don't trust anyone to keep data secure :D
[16:49] <Nico[m]> Too many customers, that send me sensible data, secured by a zip file with their company name as the password
[17:45] <mkolman> Nico[m]: zip only encrypts file content, but not metadata, right ? so if a file is named after the company, the zip archive might actually even give you the password :)
[17:48] <Nico[m]> Well, the file is also pretty obviously named, so yes :D
[22:26] <Nico[m]> Hey, paleblueskywithc :D
[22:27] <paleblueskywithc> I am guest28 with a better name.
[22:27] <Nico[m]> Well, that is a better name, I admit
[22:30] <paleblueskywithc> it was meant to be paleblueskywithcirrus but got truncated.
