Wednesday, 2021-09-15

flypigJust for info (and I guess you're likely already aware), it looks like the 4.3 SDK image is likely to include Rust 1.52.1 (this is an observation, not a promise!):
rubdos[m]It doesn't even need to ship with the SDK to make me extremely happy, flypig10:08
rubdos[m]That also sounds like there'll be some gecko pushes, I guess!10:10
flypigAh, sorry, that message was intended for you rubdos[m], I should have mentioned you in it.10:11
rubdos[m]You should have! :-)10:11
rubdos[m]I don't very often open this channel. Which reminds me, there's a reason that I clicked in the first place and I don't remember.10:11
flypigpiggz[m], rinigus, should I submit pwdhash for promotion from chum:testing myself, or is this something that you do on the first occasion? I wasn't entirely clear on this point from the docs.12:32
lbtpiggz[m]: pong...13:41
lbtnb .. there's a bit of building going on in chum:testing...13:46
lbtcc rinigus ^13:47
riniguslbt: nice!13:57
itexwhy did jolla chose sony phones over any other brand? sony phones don't seem to be the best price/quality ratio13:57
rinigusflypig: as soon as the first submission is done, you are made maintainer in :testing. thus, you can update directly there. when ready, please submit package from :chum:testing to :chum13:58
lbtitex: they're open13:59
ggabrielthe gemini pda isn't sony though ;-) nor are the jolla devices14:02
NicoJolla often is also looking into device suggestions. While supporting newer Xperia devices is usually of course easier, I think they would also be open to supporting other devices, if there is a good reason for it14:03
flypigrinigus, got it. Thank you!14:05
ggabrieldoing the hw adaptation is not easy, iirc, the gemini pda became somewhat supported after the community did a lot of work. Personally, I wouldn't mind seeing sfos officially on the fair phone, now that google can't force you to not have android alternatives, but I can already hear the screams "but but the cpu is not fast enough!"14:05
riniguslbt: let's hope that Jolla will give you time to do the same with the next release as well :)14:07
lbtrinigus: oh it doesn't normally take long - there's a bit of an ugly hack in our internal system to support rust and it causes problems14:09
lbtmainly I forgot what the solution was from last time :D14:10
lbtnow I added it to the docs I have and it should be fine in future14:10
itexi see14:11
itexbut so are google pixels, no?14:12
Nicoggabriel: Yeah, the community will complain in any case :D14:14
ggabrieltoo many devices, too few jolla staff; also, who says the pixels have better quality than the sonys? :)14:14
NicoBut the screen is bad! It is too big! It is too small! The CPU is too slow! The battery is too small! It doesn't have a hardware keyboard! The screen isn't OLED! Where is my tap to wake?14:15
ggabrielI really miss double tap to wake14:15
itex300 euros for a snapdragon 665 phone is mehh value14:16
NicoI found always on screen + fingerprint unlock to actually be somewhat better than double tap to wake :D14:17
ggabriel"value" is a strong word14:18
ggabrielNico: fingerprint is not very good for those security conscious14:18
Nicoitex: Yeah, but if you buy it used you get it much cheaper. Also it does have a headphone jack, which by itself is a 60€ value add. It takes Jolla at least half a year to port, in that time most phones lose 30% of their value on the used market :314:19
ggabrielI got an x10 for about 90 euros :P14:19
Nicoggabriel: Let's talk about that, when I can ue something different than a few digits for the device encryption, I guess?14:19
ggabrielNico: that's not the point14:20
ggabrielI can haz both14:20
NicoFor me the device lock on a device is just to prevent my sister from changing my timezone again :D14:21
ggabrielagain, not the point14:22
itexin my country used Xperia14:22
NicoIf someone steals the phone, it will be easy enough to bypass by just pulling the lvm superblock and cracking the device lock code14:22
itex10 II is 200 eur14:22
Nicoggabriel, then what is the point? I don't see it :314:22
ggabrielNico: again, not the point :) and I'd like to see anybody doing that14:22
ggabrielNico: the point is: double tap the screen to wake up the phone instead of fiddling with the button14:23
NicoI see14:23
itexif someone is ready to do that kind of attack on a phone maybe you shouldn't keep anything on your phone14:23
NicoBut that only makes sense, if you don't use a lock code, don't you?14:23
ggabrielthe lock screen is more powerful than you think: try setting a max of 3 tries, and you'll see14:23
ggabrieland for the luks "cracking", well, I want to see realistically how long it takes, it isn't that easy14:24
ggabrielbut agree there should be a bigger passphrase14:25
ggabrielthe competition doesn't have that either, fwiw14:25
ggabrielin fact, all you have to do is ask apple or google to unlock the device and that's it14:25
NicoBecause only digits are allowed, you only need to try 10^6 different variations (unless you use a longer lockcode). Unlocking on the phones CPU takes a second, I am somewhat sure my 16 cores can do that faster, lets say 100ms, then it would take 3h to crack14:26
NicoUnless I messed up my math14:26
ggabrielNico: I'd like to see you try :)14:26
NicoMaybe after my exams :D14:27
ggabrielsure, you'll find that the speed at which the passphrase is validated doesn't vary too much on cpu speed or number of cores14:27
ggabrielbut by all means write a paper and present it somewhere, it should be interesting14:27
ggabrielthen we can lock apple and google phones with that14:27
ggabrielor rather, that's already possible14:28
* ggabriel double taps14:28
NicoI really don't care about apple or google devices, I never used those :D14:28
NicoI just want an alphanumeric decryption passphrase :314:28
rinigusNico: LUKS encryption with alphanumeric string (either as you entered or further processed by HW bound key) is coming to Tama and sounds like to Volla as well. just few bugs left in
rinigus+ testing by others14:37
rinigusmainly have to fix now actdead, which should be simple compared to the rest. but you never know about possible surprises14:40
Nicoggabriel, I just tested it, took 6 minutes15:00
Nicorinigus, I've been following that with great interest and looking forward to having that on my 10 II too :315:01
rinigusNico: can't promise 10II - you may have to contact the porter in your case. :)15:24
Nicoggabriel: I posted my results here, because I didn't feel like writing a paper:
rinigusNico: excellent! do you know some kind of dict attack software? so I could test the same with LUKS encrypted by alphanumeric one?15:46
Nicohashcat and johntheripper by default do dictionary attacks15:47
NicoI just restricted it to brute force, because it should be faster in the only digits case :315:47
rinigusI suspect that the password generated by hwcrypt (password text | argon | rsa-signed by hw key) is out of that type of test...15:47
NicoThis is a great resource on that topic:
NicoI do know though that cracking a few of my old DES passwords took a few hours, so extra chars help a lot :D15:49
rinigusNico: thanks, I will test it with some simple passwords15:51
rinigusNico: not sure whether defaults changed, but I bumped into
rinigusluks2 + argon2i.16:12
rinigusbut anyway - I am convinced that those PINs can be bruteforced quite easily16:12
rinigusI just better put my time into fixing issues :)16:13
NicoSounds good :316:22
NicoI think hashcat only really supports luks1, which my 10 ii uses16:23
NicoFor luks2 johntheripper is probably better16:23

Generated by 2.17.1 by Marius Gedminas - find it at!