GrapheneOS Attacks Kicksecure! What should the response be?

I do not know what the correct forum category is to post this. I presume that this category is okay? Please move the topic if there is a better forum category for it.

https://xcancel.com/GrapheneOS/status/1861465637886754839#m

Kicksecure is awful. Has a horrible choice of base OS for security and they don’t do valuable work to improve it. They sabotaged security efforts and are spreading misinformation about allocator hardening and other topics they don’t understand.

Secureblue is doing useful work.

The concept used by Whonix for forcing traffic through Tor makes sense but the OS has awful security, just like the Tor Browser itself having awful security. Someone making an equivalent out of Fedora Silverblue or Arch would obsolete it.

Kicksecure/Whonix doesn’t do any significant hardening and the efforts to do that were stalled and then rolled back when the person responsible for most of it left the project. It has some minor anonymity changes easily done elsewhere. Encrypted swap is widely used elsewhere.

Presumably, you all disagree with Daniel Micay / GrapheneOS. What is the rebuttal here?

Thank you for your responses.

Use an exclamation mark as if this is a big deal? So you just made a new account here to start a mud fight?

@Patrick: Don’t waste your time with Daniel Micay. He’s got some issues. Starting fights with everyone as reported numerous times.

Next level trolling.

As far as I can tell, this has no bearing on Kicksecure whatsoever.

External community drama is not a distro problem, it’s that simple. People are entitled to their own opinions about software applications, and are welcome to share those opinions with others. I do it, my friends do it, you’ve probably done it, and I have no issue with someone at GrapheneOS doing it too. (I say “someone” because I don’t know who has control over the official GrapheneOS Twitter account.)

1 Like

Kicksecure is awful. Has a horrible choice of base OS for security and they don’t do valuable work to improve it.

Who is they?

You mean not very many people are contributing enough or working on Kicksecure is what that translates to?
The claim that Kicksecure “doesn’t do valuable work to improve it” overlooks the contributions made by the project in terms of privacy and security enhancements. Kicksecure integrates various security features and tools that are designed to protect user anonymity and data, which can be valuable in the context of its intended use.

They sabotaged security efforts and are spreading misinformation about allocator hardening and other topics they don’t understand.

The understanding I have is it breaking Xorg and both Whonix/Kicksecure use Xfce. Again who is they who is sabotaging security efforts, do they mean more like little to no people working on it compared to GrapheneOS?

Secureblue is doing useful work.

Ok, some of those things look like they could be ported or looked at on Kicksecure/Whonix but take in mind this Secureblue is a Fedora project.

Kicksecure strives to be hardened Debian or rather what Debian out of the box should be. If you have ever manually hardened your Debian installs you understand how valuable Kicksecure or rather the repository is.

Someone making an equivalent out of Fedora Silverblue or Arch would obsolete it.

Again the focus on the base system is Debian.
This is not a Fedora based distro or Arch.

Silverblue uses two things for containerization Podman and Flatpak, but primarily uses Podman for containerization. Podman may be something for Kicksecure/Whonix to look into, but in regards to Flatpak I’m someone who will always avoid it because I think Flatpak is utter trash.

Silverblue and Android both use SELinux. SELinux is more complex then AppArmor but might be better but requires lots of configuration and policy management. Take in mind another Privacy/Security distro Tails doesn’t use SELinux but rather AppArmor instead.

Also as stated by Daniel Micay:

AppArmor is extremely limited in what it can do compared to SELinux. Ubuntu integrated of App Armor and the Fedora and RHEL integration of SELinux barely does anything though. That’s not particularly serious SELinux integration and barely does anything for a desktop setup at all.

Well I will say this Daniel Micay always has always acted like everyone is out to get him.
Unlike Daniel Micay, the main dev that maintains Whonix/Kicksecure @Patrick is the one holding up the project isn’t attacking others and acting like everyone is out to get them.
It’s important to recognize the challenges that come with being the primary maintainer of a project. Burnout can be a real issue for those who are responsible for testing and developing software, and this can impact the pace of progress. Patrick’s ability to navigate these challenges while fostering a positive environment speaks to his character and dedication to the project. I have never felt anything other then a toxic or rather elitist feeling then when I have talked to those in the GrapheneOS space, I don’t feel that reflects their developers, but rather their community. I don’t get that feeling in the Kicksecure/Whonix community.

The only thing I guess I could agree with him on is his/her’s tweet is mention of Wayland and I think a top priority of Kicksecure/Whonix would be swiching to Wayland and a different Desktop Environment instead of Xfce. As it currently stands Xfce doesn’t have Wayland support. I don’t know how Hardened Malloc works with Wayland but once the switch then it could be ported. Whonix workstation and Kicksecure could be better but this involves research/testing and you know like more people contributing, which Daniel fails to mention.

A post was split to a new topic: How does Kicksecure compare to Silverblue?

I am not sure the author of that tweet is seeking a productive conversation. This is what I get from the [Whonix X account](x.com account):

Why can’t you reply to this?

This author has blocked you, so you can’t perform this action

Got it

Generally, I am also not sure Twitter / X is a suitable place for a productive conversation.

If I had to guess, I would say that this is in retaliation for:

That tweet might have been in context of Choosing Your Desktop Linux Distribution | PrivSec - A practical approach to Privacy and Security because another commenter has posted it in that thread (https://xcancel.com/iAnonymous3000/status/1861464122405110098#m) and then the author referring to “encrypted swap”.

Kicksecure/Whonix doesn’t do any significant hardening

I can imagine how one could come to such a mistaken conclusion, if not having reviewed:

They sabotaged security efforts

They’re entitled to their opinion but I would suggest when critizing others, making grandiose accusations, it should always be backed up with actual evidence.

Better:

They sabotaged security efforts [1]

[1] exact link/reference + exact quotation

Otherwise, one first need to ask for clarification what this is even about.

and the efforts to do that were stalled and then rolled back when the person responsible for most of it left the project.

If this is about madaidan · GitHub, then it can be seen that madaidan’s github activity completely ceased in 2022, not only related to Kicksecure/Whonix.

Related: Is this project still maintained? · Issue #77 · madaidans-insecurities/madaidans-insecurities.github.io · GitHub

So this can hardly be blamed on Kicksecure/Whonix.

And I am glad to see, that secureblue was inspired by Kicksecure, forked some of Kicksecure’s configuration files. For example, documented here, quote Comparison of secureblue with Kicksecure and Development Notes

secureblue /etc/sysctl.d/hardening.conf file as of commit a6b58f042b0e9e9036a6d68a5b202eed96a1a892archive.org was inspired by, more or less copied and pasted from Kicksecure as can be seen from the following comment found in that file.

## Prevent kernel info leaks in console during boot. ## https://phabricator.whonix.org/T950 kernel.printk = 3 3 3 3

Can be discussed here:

So I hope this would extend to, “Kicksecure is doing useful work”.

Don’t forget, GrapheneOS/Micay is attacking any privacy project considered competition. These projecs are competing for attention and donations. It’s as if you’re expecting Burger King to say good things about McDonalds.

Cooperation would be preferable over drama. This rivalry is unfortunate and ridiculous. The real competion is Microsoft, who will be happy about any Linux distribution infighting.

A PrivacyGuides team member known as “fria” now thinks that secureblue is better than kicksecure and wants to reevaluate secureblue for their website. See Secureblue - Immutable Fedora Hardening - #149 by fria - Tool Suggestions - Privacy Guides Community

I’m definitely for reevaluating secureblue, I think it’s pretty clear that it’s the superior project over kicksecure at this juncture.

So it looks like kicksecure is going to have some competition.

Encrypted swap is widely used elsewhere.

No swap is the best swap!

and are spreading misinformation about allocator hardening

What misinformation are you guys(GrapheneOS developers) talking about? We reached out to you guys(GrapheneOS developers) who developed hardened-malloc, you guys closed the door!

…just like the Tor Browser itself having awful security

CIA can’t even break it, and you tell me Tor Browser security is awful. What did you do to enhance the security of Tor Browser?

I think we should attack it back, and it will improve people’s knowledge about cybersecurity. I learned a lot from debating and “drama” so please keep do it don’t stop.

We can definitely learn ideas from Secureblue. But don’t forget there’s only one guy @Patrick is behind Kicksecure and Red Hat company is behind Fedora!

CIA can’t even break it, and you tell me Tor Browser security is awful. What did you do to enhance the security of Tor Browser?

In this particular case, Micay is concerned about firefox, which tor is based on. Chromium is supposedly much more secure. See Firefox and Chromium | Madaidan's Insecurities.

This is an even bigger problem on mobile, because according to Micay in other posts. Firefox does not do a sandbox at all on mobile. As a result, tor browser also does not do a sandbox.

Micay also does not like kicksecure in large part because he hates debian, which he considers to be the least secure linux distribution out of all the insecure linux distributions- see Linux | Madaidan's Insecurities for discussion on linux distributions in general.

So that is where Micay is coming from. Because of this, ideally it is probably better to use tor browser on the safest security level, which disables javascript. Unfortunately, there are many times when we need to decrease this security level. For example, in order to use this forum, we need to use javascript. I have been told that the best thing to do in this case is to use qubes-whonix disposables for javascript. In the case of Micay, I do not think he would even like that, since he values the security within the qubes quite highly. He also thinks that qubes runs on insecure hardware, unlike GrapheneOS. You can research some of the things that he says for more information, and you can use the search function on xcancel.com to search the GrapheneOS posts.

Kicksecure is based on debian. It is not all from the kicksecure team. And the kicksecure team is more than just Patrick.

Regardless, secureblue is making relatively fast progress, in part because Fedora maintains the base distro.

No. You can learn a lot about security by reading project documentation. You can learn a lot in debate on Reddit (or elsewhere on the Internet) if you want drama. You don’t have to induce drama in other projects for your own learning experience. :stuck_out_tongue:

2 Likes

I can learn from Reddit, and I can also learn it from here. It doesn’t have to be my “own learning experience” but everybody here, that’s why we need school instead of home-school. The dramas and arguments will turn the forum into a big school. Both GrapheneOS devs and our users can learn something from it.

See Secureblue - Immutable Fedora Hardening - #149 by fria - Tool Suggestions - Privacy Guides Community 1

lol PrivacyGuides I don’t think anymore needs to be said about that toxic community of the moral authority mouthpiece of privacy (look at PrivacyTools as ref) or spend any time in their subreddit or group chats.

Yeah also in regards to not good security there is apparmor profiles that can sandbox Tor-Browser. I agree about the javascript and how most sites require javascript and I avoid it at all costs. The fact that most JavaScript exploits alone are that of the JIT Just-In-Time (JIT) compilation is a key feature of the V8 JavaScript engine. This article mentions that 45% of CVEs issued for V8 were related to the JIT engine.
BTW safer security setting on Tor Browser disables JIT.

lemmy.eus /post /7660

Unlike traditional PCs, which use a BIOS or UEFI firmware to initialize hardware and load the operating system, smartphones have a more integrated approach where the bootloader and other firmware components are tightly coupled with the hardware and the operating system.

The bootloader itself is not part of the GrapheneOS project; rather, GrapheneOS utilizes the existing bootloader provided by the device manufacturer (in this case, Google for Pixel devices). The bootloader is typically proprietary and specific to the hardware of the device.

I do not trust google at all, you can however coreboot chromebooks since they chose to base their firmware of coreboot with their proprietary blobs (actually something that makes sense besides all the other stuff they do wrong like violate privacy and kill ad blockers).

That said does GrapheneOS modify any part of bootloader to make it libre?

1 Like

That describes this whole thread.
While I value criticism I think this persons intention is just trying to start drama.
It’s a shame the privacy community has to be divided or people attack people due to different political differences or personal beliefs. The privacy community should be uniting cuz right now the attacks and stakes have never been more high.