Comment by ForHackernews
4 days ago
https://grapheneos.social/@GrapheneOS/115589833471347871
> The FBI ran a sting operation in Europe where they created their own 'secure' phone and messaging platform. Their OS used portions of our code and was heavily marketed as being GrapheneOS or based on GrapheneOS.
So how do we know GrapheneOS itself isn't a honeypot? It's run by a mystery org and heavily marketed as being a secure platform.
https://en.wikipedia.org/wiki/Crypto_AG was a CIA front for 50 years.
The honeypot run by the FBI was closed source and that's why they could do it. while this is open source, which would make it much harder.
They even have reproduceable builds so you can validate the source matches the distributed binaries. After that it's trusting in the OSS process to have caught any attempted backdoors which is more down to your individual evaluations.
https://grapheneos.org/build#reproducible-builds
Would be an interesting experiment actually: how long would it take for the community at large to discover a backdoor in graphene OS if added sneakily by generally trusted Devs, ie the org that maintains it.
Or, phrased differently, how much independent auditing is graphene OS subjected to?
For more on this subject, here's a book that documents it: https://www.amazon.com/Dark-Wire-Incredible-Largest-Operatio....
Wouldn't be hard to hide a backdoor in a multi million line codebase ...
Unless you think the same backdoor is hiding in AOSP, you can just check the diff and some extra lines for context.
1 reply →
> how do we know GrapheneOS itself isn't a honeypot? It's run by a mystery org
No, it's run by a non-profit foundation whose records are public, along with their board of directors who are real people with a paper trail.
It's not some LLC shell company with a fictitious agent listed.
https://ised-isde.canada.ca/cc/lgcy/fdrlCrpDtls.html?p=0&cor...
It's disappointing to see such blatant misinformation on HN. There has been a wave of these low quality trolls and it's increasing everyday
I'm not a troll. Everyone thinks we should trust GrapheneOS...why? Because they're loud and aggressive?
They claim they are audited... by whom? When? Where are the results?
https://grapheneos.org/faq#audit
https://discuss.grapheneos.org/d/5527-who-has-audited-graphe...
> We've built relationships with security researchers and organizations interested in GrapheneOS or using it which results in a lot of this kind of collaboration.
You are clearly talking out of your ass. I couldn't care less on your baseless and outright stupid arguments. Have fun running stock or some shitty custom rom