Return to Level1Techs.com

The self-bettering de-google experience (GrapheneOS)

Upon further consideration I made an adjunct post to making Firefox a bit better

Firefox Hardening Tips 2019

3 Likes

I wish GrapheneOS had more devs! The single dev seems stressed out and he isn’t really social enough to ask for help… It would have to be a special person to work with him.

Aye, Crocker’s Rules compliance would be a must I think.

I do, however, suspect he may be correct not to explicitly ask for help; I imagine someone with the appropriate passion and skills for a project like GrapheneOS will be drawn in by looking at the code themselves far more than by explicit request. A “devs needed” post would probably draw in more “noise” than “signal”, and the original developer could end up fruitlessly trying to bring prospective devs up to speed, only for those devs to realise this is not their cup of tea, and leave. Better for the project to grow organically I think.

There’s a reason why “introverted” programmers’ social lives don’t “grow organically” as well as socially normal people… Perhaps there are many engineers who like the project, would be willing to help, but all experienced bystander’s apathy. You can clearly tell by his posts that he’s sick of it and at his limits. Pretty easy for me to make arguments that it is good to ask for help on his behalf, if we want to see it around in years.

I chose a similar path but there are still a few things I can’t figure out: How to get decent adblocking on GrapheneOS? Using the DNS-based (AdGuard & NextDNS) ad blocking doesn’t work in so many cases (i.e. YouTube). Vanadium doesn’t support extensions. And the GOS developer & security expert (Daniel) says that regular browser-based adblocking is terrible for security and dissuades us from using it… So what should we do? We can just ignore him and use a Fennec + ublock extension, I suppose.

Another issue is that I’ve not gotten automatic updates in F-DROID or AuroraStore to work. I have to do them manually each time.

I’m curious - have you tried using the GOS backup feature and then restoring to another phone and seeing how much stuff you lose? It seems every program needs care as to what it might need to backup.

Use your own recurssive DNS server with DNS o TLS + pihole hosting and point android private DNS to the pihole … SEE
Infrastructure Series -- Recursive DNS and Adblocking DoT w/NGINX

I left graphene OS due to a lack of core development. I am on lineage OS currently so unfrotunately no

I value my social life. Not an unsocial nerd. So I kept a lot of stuff like whatsapp and signal and stuff. I still have instagram. data mine what I give you thats fine. I just wont give you what I dont want to. I have sufficient knowledge on how to do that.

I’m having no issues with Instagram, WhatsApp, and Signal on Graphene… But what I was saying about the DNS-based adblocking is that it doesn’t work. You’re saying a custom DNS server can do what NextDNS & AdGuard DNS can’t?

absolutely and you can extend it further. the underlying tech doesnt change. The part that does is you control it :wink:

Also it does work. Study how DNS and how ad serving works. If it doesnt work it means the end user set it up wrong. (period said done)

OK I will try again… Just found this thread:

1 Like

Commendable effort by the dude. One flaw. Youtube just needs to change the IP :joy: which it has 1000s of.

Don’t give up on adblocking simply because you couldn’t get one site to work. Youtube is very tough and they are about to start serving ads through the TLD forcing ads no matter what if you access the page and videos. There won’t be a way to block that save never using youtube lol

Can confirm it works though

#➤ [documents] nslookup manifest.googlevideo.com
Server:         10.31.82.3
Address:        10.31.82.3#53

Non-authoritative answer:
Name:   manifest.googlevideo.com
Address: 172.217.12.14
Name:   manifest.googlevideo.com
Address: 2607:f8b0:400f:801::200e

#➤ [documents] 

pi-hole hosts

[[email protected] ~]$ sudo cat /etc/hosts 
[sudo] password for eric: 
# Static table lookup for hostnames.
# See hosts(5) for details.
172.217.1.14	manifest.googlevideo.com
2607:f8b0:400f:801::200e	manifest.googlevideo.com
[[email protected] ~]$ 

No more ads

1 Like

Super… I basically just wanted to reach uBlock Origin + chromium on desktop-level of adblocking… If DNS-based can do that, plus the improvements from encrypting DNS, then that is two birds with one stone - great!

I exteneded it further. see the bottom of my signature thread in my profile

Content Blocking

My thoughts

My impression that Daniel Micay is actually very much in favour of browser-based blocking, but he sees issues with the methods that several browser extensions use, especially when they modify the page itself rather than the browser’s behaviour. A VPN-service-based app has similar issues, but a DNS-based blocking method can more cleanly and efficiently remove ads, albeit not all ads in all cases.

The extension-based method that Daniel Micay is decrying seems to be when an extension changes the webpage after the browser downloads it, but before the browser renders it. This is akin to a MITM (man-in-the-middle) attack taking place inside the browser. The VPN-service method in comparison is basically also a MITM attack, albeit one that is taking place outside the browser.

     Normal: browser[page load → rendering]
  Extension: browser[page load → manipulation → rendering]
VPN-service: manipulation → browser[page load → rendering]

These manipulations are kind of like someone adding a new <script> or <style> at the very top of the page, that runs before anything else on the page. This gives an extension total control over all the pages you look at, and a malicious extension like this would be in a position to do a lot of damage.

While the description on its wiki about types of blocking suggests uBlock Origin is using something more robust than this for its Network and Hosts filters, I do not know enough about the inner workings of browsers to know if that is actually a safe mechanism. Regardless, Android Chromium does not seem to support extensions anyway.

It looks like the eventual plan might be to add a filter list interface like iOS’s Safari to Vanadium. You can see some discussion about this in the Vanadium Github issue for content filtering using the built-in filtering engine.

In the meantime, Fennec with uBlock Origin seems like a good idea; I also saw mentions of Bromite as an ad-blocking alternative to Vanadium, but I have read very little about it so I would consider doing some research before using it.

If you want to stay with Vanadium, then at the moment all you can use are DNS blocking methods, which are the equivalent of only being able to use Host filters in uBlock Origin, so as an example:

https://example.com/goodpage for this good page
https://evil.ad/spooky.js we can block a bad domain
https://example.com/spooky.js but we cannot block only a particular path

GrapheneOS Dev Context

If you could provide a link next time, that would save me some time searching; anyway, I assumed you were referencing Daniel Micay’s Reddit comments here:

… People should not be trying to implement privacy and security by injecting code into the adversary’s code and hooking various APIs in a way that can be bypassed or detected. In general, browser extensions are not a good place to attempt implementing privacy and security features. APIs for browser extensions are not designed to provide robust or secure ways of doing these things, so extensions implement half-baked solutions or complete hacks involving injecting code and pretend they have working / robust approaches when they do not. Privacy and security features need to be built into browsers to work properly.

In Firefox, extensions are unintentionally constrained by the page’s Content-Security-Policy and sandbox attributes. This is an implementation bug with no solution in sight. …

While looking around, I noticed he also made some related comments in this GitHub issue,

The current API used by extensions is very broken. It’s not fail-safe but rather if it times out or the extension has an error it falls back to permitted the request. …

If you set up a strict Content-Security-Policy with report-uri / report-to , you’ll see that a substantial portion of users have malware / spyware extensions that are messing with your page content and injecting tracking, advertisements, themes creating vulnerabilities in the site, etc. They can and do remove the Content-Security-Policy header or make modifications to it, …

Also the GrapheneOS site itself warns about the flaws of app VPN-service-based blocking,

The approach of intercepting traffic is inherently incompatible with encryption from the client to the server. The AdGuard app works around encryption by supporting optional HTTPS interception by having the user trust a local certificate authority, which is a security risk and weakens HTTPS security …

Using the VPN service to provide something other than a VPN also means that these apps need to provide an actual VPN implementation or a way to forward to apps providing one, and very few have bothered to implement this.

2 Likes

Wow this is amazing. Mind making your own thread in connection with it. ?

You can link to my pihole DNS infrastructure wiki as well

Maybe I’m reading you wrong, but I still see no alternative that functions to the same degree. So, if DNS blocking is not able to do what uBlock Origin (for example) can do, then investing in it does not seem wise. And if uBlock Origin does not block ads in the most secure way, then that has to be fine - because nothing else is blocking ads as well, right? Are there any claims or designs about how ad blocking can be made more secure while also being as effective as ublock? That would be the next step, right?

Probably something to be aware of with GrapheneOS:

GrapheneOS community member’s organized campaign of harassment, slander, and brigading

1 Like

I have spent way too long looking at this, and trying to draft a post.
Anyway, my brief summary:

The earliest and only time I find the two coming into contact with each other on Twitter is here where Daniel Micay sees Seth Simmons’ tweet claiming to be slandered by the GrapheneOS team itself and encouraging users to switch to CopperheadOS, and Daniel Micay interprets this as “more of the same” spam he and the project has been receiving. This interaction closes the loop (see what I did there @PhaseLockedLoop? :wink: ) and now Daniel Micay & Seth Simmons both seem to be convinced that the other is associated with a sockpuppet campaign against the other.


This particular situation (CopperheadOS vs. GrapheneOS) has factors that seem primed to make people act more emotionally:

  • the underlying feud is at some level a personal one between James Donaldson and Daniel Micay
  • we have an ongoing lawsuit between a corporation and a community project
  • and a developer who (assuming you believe his story) almost had his life’s work stolen out from under him by the very company he helped create

So I suspect the what Seth Simmons observed (specifically the reprehensible attempt at blacklisting) is an idiot fan’s misguided and cultish attempt to “defend the honour/reputation/mindshare” of GrapheneOS; which ironically and predictably does the opposite.

I sincerely despise all of this kind of crap that happens in revolves around projects that could actually be decent. I really don’t understand why the high concentration of childishness occurs in open source developers

I abandoned both projects because I honestly found more value in quicker better security updates that are provided through Lineage OS

Every time someone makes a decently secure ROM The problem is the individuals and developers behind it are usually childish or short-sighted so the project just dies.

As I said before I’m not a fan of the mentalities of these developers. I don’t seek to support them even though that’s a very unpopular opinion I know that most will say you should support open source no matter what no matter how bad the devs are and I just don’t believe that because I think respect should be earned

And right now both projects have lost my respect

The code quality on grapheneOS is superior I will say that

1 Like

Because unfortunately:

  • a lot of the development community are in college and thus early on in their dealings with people in the real world. this is because cutting edge open-source project development gets a lot of input from students or those who dropped out as these people have the time to volunteer, and are currently being taught the required skill-set
  • a lot of the development community are also socially inept, as that sort of person is often the type drawn to computers instead of people… which means the socially-young types above are often even less socially developed

Combination of those two factors = you sometimes end up with weirdos doing weird socially-inept things.

2 Likes