gslepak 4 days ago [-]
> Donaldson, now 42, is a self-taught hacker who never finished school, was briefly unhoused, and spent most of his twenties in a “positive hardcore punk band.” “It’s cool being smart,” he told me. “But if you can’t pay your bills, you’re a dumbass.”
> The domain “Copperhead.co” was registered by Donaldson in 2014 and incorporated in 2015 under both Donaldson’s and Micay’s names. The idea was that shares would be split equally, with Donaldson as CEO and Micay as de facto chief technology officer. Their flagship product
It sounds to me like some "business" characters I know well. They "handle the business" while someone else does 99% of the actual work, then ask to split 50/50. This didn't work out for Donaldson, and now he spends his time harassing Micay? Is that the gist or am I misreading?
Avamander 4 days ago [-]
> They "handle the business" while someone else does 99% of the actual work, then ask to split 50/50.
As a response, Micay decided to destroy the update signing keys for all the CopperheadOS devices out in the wild, resulting in financial damages to Donaldson.
Hardly a level-headed response, even if you disagree about the financial share of something.
HybridStatAnim8 4 days ago [-]
That is a perfectly level-headed response. Signing keys must be protected. In the event of a hostile takeover, where a malicious party seeks to compromise the privacy and security of your userbase, destroying the keys is a sensible decision. Failure to do so, and successful compromise of the keys, will let the malicious party push whatever update they want, and it will be accepted due to being signed correctly.
It was not a disagreement about shares, it was a hostile takeover. Someone who never owned the project sought to steal it.
latable 4 days ago [-]
Exactly. It was a bold and necessary move to defend the users and the project. Some users got bricked OSes, but had he handed over the keys it would have put those users at risk and would have destroyed the credibility of the project.
Also, and as from what I understood from the GOS response he was not an employee of the company and had the ownership of his OS, and CopperOS would have been able to use their own signing keys but they never did which is strange, so even legally it looks like a "level-headed" response.
TommyTran732 4 days ago [-]
Important to note that users only stopped getting updates, the phones were not bricked and they can reinstall the OS signed with the new key.
CopperheadOS was always Micay's project and used his own signing key. The key never belonged to Copperhead the company afaik.
freehorse 4 days ago [-]
> Hardly a level-headed response, even if you disagree about the financial share of something
According to the linked responses, the keys were not deleted because of disagreement over financial share, but over how the keys were to be used (in particular, in potentially dangerous security-wise ways), for which he did not want personal responsibility (the keys belonged to and were used by him even before that project).
Avamander 4 days ago [-]
[flagged]
ysnp 4 days ago [-]
Phantom Secure is directly named as one of the parties Donaldson was dealing with, with others being suspected:
> Donaldson tried to make a deal with Phantom Secure, which ultimately didn't work out. Micay suspected other counterparties were linked to organized crime, but we cannot confirm those identities or ties on short notice. Donaldson began pursuing such deals before Micay left and continued afterward.
/e/OS (recipient of EU funding) and iodéOS are European projects that have not been singled out by the French government in smearing despite them having similar self-professed goals to GrapheneOS. That they had any influence at all on the French government directly is speculated but not asserted.
CalyxOS/Techlore are blamed for being complicit in escalating the animosity and furore around what were initially low-key fallouts/disagreements. This led to GrapheneOS/Micay escalating to defend themselves which unchecked fuelled a spiral of influencer content, vile spamming of CSAM in GrapheneOS rooms (I can personally attest these were some of the biggest on Matrix at the time and led to the team giving up on Matrix moderation and self-protection capabilities), intense public speculation/accusations about Micay's character/mental health etc. which eventually resulted in the swatting attempts.
F-Droid project members have publicly aired their dislike of Daniel as a result of direct or indirect disagreements and did have a software quirk that caused an issue for GrapheneOS/possibly other custom OSes' users due to their added permission (which the two parties again disagreed on). Conspires is loaded wording.
But I do not think it is productive for me to dredge up posts and potentially cause more misunderstandings as a complete outsider for something that is directly affecting someone's life like this. They (Micay/GrapheneOS) have posted detailed contextual snippets and information about what has happened so please contact them directly for reference to the original posts and discuss if you really wish to find out more.
handedness 3 days ago [-]
> ...Rossman being a Kiwifarms supporter.
>
> You can't believe someone who has constantly claimed things without receipts.
I had never actually visited Kiwifarms before today so I knew virtually nothing firsthand of what's actually going on there, other than hearing it repeatedly invoked in these discussions by supporters and detractors alike. A brief, cursory look turned up a dox thread thanking @larossmann for providing information.
It also turned up comments from some like, "Daniel Micay is a low-functioning cancer who should have been beaten and/or raped to death by a drunken father."
If anything, Micay appears to have been underselling things.
To be fair, it appears the project also has some supporters in that thread, and I'd have to delve further to figure out whether it's a 4chan-esque deliberate toxicity to keep the unwashed masses out, but it's not difficult to see how Micay isn't interested in dealing with Rossman. Rossman spends a lot of time knocking Micay online, but I'm not finding much in the way of even-handed coverage by Rossman from his considerable YouTube pulpit. Rossman also appears to be active on there recently. A few minutes of researching indicates a non-trivial possibility he has a role in all this and has zero desire to separate himself from it.
Many reasonable people would have zero interest engaging with someone like that, especially after they've donated money and then attached post-hoc strings to the donation.
I also saw firsthand Nick Merrill's chat behavior re: Daniel and GOS, and as one who used to contribute to both projects, I had zero qualms after that pulling all support from Calyx, which still makes me sad, as Nick at his finest was a pretty wonderful force for good. The same could be said of Rossman.
If this sort of thing doesn't at least somewhat moderate the consistent position you've held here every time GOS comes up, I don't see a way to assume good faith on your part in these threads. A number of people in these threads consistently adopt the form of making unsupported claims they could easily research before posting, and when presented with evidence to the contrary then move on to claim to be given unsatisfactory responses to their original questions and/or move the goalposts. When others eventually stop engaging, they claim the project supporters are unable to answer even their most basic questions (which have already been addressed numerous times, with citations).
It's against HN guidelines and it's a pretty ignoble way to exist.
So why should we believe you over Micay, or are you willing to change your view after seeing evidence?
HybridStatAnim8 4 days ago [-]
The claims aren't vague, they are quite specific in what happened. This wasn't spiteful and this wasn't disgruntled. It was the logical choice given the circumstances.
IMO it's a lovely paradox that no one can argue against such a deletion. Either the party choosing deletion is reasonable so there are grounds for deletion or unreasonable and they are the grounds for deletion.
spring-onion 4 days ago [-]
Hey! On a quick introductory note, I'm the community manager and the person who was interviewed. Please, read questions 17, 25 and 26 and our respective answers to them in the linked forum thread. In particular the following parts that I'm pasting here for convenience:
Question 17: Did your and Donaldson's values begin to diverge? Was Donaldson more concerned with making money than you were?
Answer: [...] In 2018, matters between Micay and Donaldson came to a head over Donaldson’s desire to pursue business deals with criminal organizations, and his attempts to compromise the security of CopperheadOS, including by proposing license enforcement and remote updating systems that would allow third-parties to have access to users’ phones. As part of this process, Donaldson began to demand that Micay provide Donaldson with the “signing keys” - i.e. the credentials required to verify the authenticity of releases of CopperheadOS. Donaldson advised that, in order to secure certain new business, potential customers required access to the Keys.
The keys had been in continuous use by Micay, in his personal capacity, since before the incorporation of Copperhead. However, more importantly, any party with the keys could mark malicious software as “authentic”, and thereby infiltrate devices using CopperheadOS.
Micay was unwilling to participate in that kind of security breach. Since Donaldson had control over certain infrastructure for the open source project, he would be able to incorporate (or hire others to incorporate) the privacy-damaging features described above for all future releases of CopperheadOS. Micay therefore deleted the keys permanently and severed ties with Copperhead and Donaldson.
Question 25: Did things between you and Donaldson devolve when he approached you about a compliance audit? Did he tell you that he needed to know how the signing keys were stored?
From Wired:
We understand that Daniel's recollection was not that James wanted to know more information about how the signing keys were stored, but that he wanted direct access to them.
Question 26: Did you suspect his request was tied to a deal he was brokering with a large defense contractor? Did you believe this would put the entirety of CopperheadOS’ user base at risk?
Answer: Yes and yes.
The large defense contractor in question was Raytheon. The decision to destroy the signing keys was not based on a financial disagreement, but an existential one. Every single CopperheadOS user back then would have been compromised otherwise. It's of course a big deal given the implications, but it acted as a last resort for Daniel to stop a hostile takeover attempt fueled by greed, which he ultimately took because there was no other way out.
Avamander 4 days ago [-]
Raytheon literally asked for the signing keys of CopperheadOS? After all this vagueposting around it, I find that hard to believe.
Or is it just that Raytheon went against what he thought CopperheadOS stood for?
spring-onion 3 days ago [-]
As part of a contract which Donaldson wanted to pursue, evidently at any cost.
joemazerino 4 days ago [-]
Have any pieces of evidence to support this?
DANmode 4 days ago [-]
The keys got wiped for way spookier reasons than Micay wanting money.
Intelligence wanted in, and Donaldson seemingly would have been happy to oblige.
Avamander 4 days ago [-]
[flagged]
DANmode 4 days ago [-]
From the story you’re commenting on:
> From Wired:
> We understand that Daniel's recollection was not that James wanted to know more information about how the signing keys were stored, but that he wanted direct access to them.
> Did you suspect his request was tied to a deal he was brokering with a large defense contractor? Did you believe this would put the entirety of CopperheadOS’ user base at risk?
> Yes and yes.
Avamander 4 days ago [-]
[flagged]
HybridStatAnim8 4 days ago [-]
They were compromised. Greed overtook the principles on which the project was founded and put the project at risk. They agreed from the start that Micay would own the project and hold the keys. They explicitly accepted those terms. Despite this, they tried a hostile takeover anyway.
Forking and building a separate build isn't dual signing, it's just forking. You can do that right now with GrapheneOS and its build guide if you want.
I'm not sure what you mean by the last part, GrapheneOS has been quite upfront with all of this from the start.
Avamander 4 days ago [-]
[flagged]
lostmsu 4 days ago [-]
From a security-minded user perspective it makes sense to destroy keys when instead of a single entity I receive updates from I get another entity that is not equivalent, and half of my previous entity thinks that the other half is sus.
Avamander 4 days ago [-]
[flagged]
HybridStatAnim8 4 days ago [-]
It wasn't intelligence agency compromise, it was a business partner compromise, who intended to violate the privacy and security of their users. Nothing about this is done out of spite. I'm not sure where you're getting that from. You just seem to be attacking people's character for making the right choice given the circumstances.
Avamander 4 days ago [-]
[flagged]
next_xibalba 4 days ago [-]
What is your source for this?
DANmode 4 days ago [-]
TFA.
Reddit and IRC/etc logs from the period are illuminating, too.
margalabargala 4 days ago [-]
[flagged]
HybridStatAnim8 4 days ago [-]
Deleting the signing keys for the sake of protecting one's users is the mature and responsible thing to do.
kennywinker 4 days ago [-]
> Immature maybe
Yeah, that’s the issue. I don’t want people who behave immaturely, impulsively, or vindictively, having a key role in something as important as my phone os. I want stability, maturity, and thoughtfulness.
HybridStatAnim8 4 days ago [-]
That is what CopperheadOS, and now GrapheneOS, provides. It's a level of "battle tested" that most OS and app devs never have the opportunity to have. Deleting the signing keys during a hostile takeover attempt rather than submitting to pressure or greed is an amazing quality that is rare to find.
TommyTran732 4 days ago [-]
So what exactly would you have done? Risk the key being taken over by a shady entity? Does the alternative really scream "mature, stable, and thoughtful" to you?
latable 4 days ago [-]
It looks like a very mature action to me: It certainly avoided the compromise of an OS that aims to be secure after all. It is not some Windows OS with encryption keys sent to the cloud, so if security is compromised I fully expect targeted devices to break.
exceptione 4 days ago [-]
Understandable wishes, but you might have to put something from yourself into it if this is a pressing concern. Or you will be left to your own corporate devices.
kennywinker 4 days ago [-]
What exactly are you suggesting? If I go help out at the GrapheneOS project, that won’t change their leadership. Should I make my own fork?
chappi42 4 days ago [-]
The leadership is great. Persistent, patient and friendly.
They were able to improve. I don't think many of the often negative and ad-hominem critics would be able to endure such a pressure as they had in the past.
exceptione 4 days ago [-]
The GOS (GrapheneOS) lead had responded to criticisms like yours that he gladly retreats inside his tech role if others would take it upon them to refute the claims from rivals. So if you are that balanced, normal person, you could take that work out of his hands. Or help fund a full time PR person.
«In 2018, matters between Micay and Donaldson came to a head over Donaldson’s desire to pursue business deals with criminal organizations, and his attempts to compromise the security of CopperheadOS, including by proposing license enforcement and remote updating systems that would allow third-parties to have access to users’ phones. As part of this process, Donaldson began to demand that Micay provide Donaldson with the “signing keys” - i.e. the credentials required to verify the authenticity of releases of CopperheadOS. Donaldson advised that, in order to secure certain new business, potential customers required access to the Keys.»
Micay is rightfully paranoid, just having a GOS phone makes some government agencies quite mad. There are many ways a project like GOS could die, disinformation could certainly kill it. Other projects don't help the case if they throw mud at it. Rather, they should focus on their real technical shortcomings, but such articles aren't written somehow. https://eylenburg.github.io/android_comparison.htm
EDIT
> Should I make my own fork?
You could contact him to offer your help where he falls short.
kennywinker 3 days ago [-]
Ah yes, I’ll definitely be volunteering my time to help with something I have no experience or qualifications about. Great idea.
goodpoint 4 days ago [-]
Then avoid GrapheneOS
cf100clunk 4 days ago [-]
Mental health and wellness issues in high tech research and development are everywhere. I would suggest that you focus on the product and what it can/cannot do for you.
kennywinker 4 days ago [-]
Suggest away. It’s still a factor in my decision making, because if I can’t trust the developers to behave well, I can’t trust the product to continue to do what it says it can do for me.
HybridStatAnim8 4 days ago [-]
Destroying the signing keys in the midst of a hostile takeover is the responsible thing to do. It's for the safety of their users. That's a commendable trait to have.
aphorism 3 days ago [-]
Same, which is why I'm glad he deleted the signing key in this case. It was the only right play given the situation. I'd have done the same and I'd expect anyone with integrity to do likewise.
majorchord 3 days ago [-]
> if I can’t trust the developers to behave well, I can’t trust the product to continue to do what it says it can do for me.
So you'd be willing to give up Linux because Linus cannot stop verbally abusing people to this day? Because that's what I did. I decided that any project where the main dev(s) openly abuse people in public, is the line I draw.
I know that is an extremely controversial choice that many people will disagree with, but it's my choice to make and I don't regret it.
latable 4 days ago [-]
What does it mean to "behave well" for you in this case?
handedness 3 days ago [-]
I trust you didn't mean it that way, but it's totally improper to go to speculations about mental health in response to discussions about communication styles and maturity.
While I appreciate the second line and think it's generally the right answer with FOSS projects, your speculation poisons the well.
cf100clunk 2 days ago [-]
> > Daniel Micay has a history of absolutely unhinged behavior online
That quotation is from another comment in this discussion. Sadly, it is the sort of personal attack on his mental state that has been commonplace here at HN and elsewhere for a long time. I caution all to avoid such commentary. My long experience in tech r&d has firmly convinced me that mental health and wellness challenges are widespread, and should not be weaponized. I hope that clarifies my comment for you.
goodpoint 4 days ago [-]
When you have to trust the OS images generated by the authors it becomes a massive issue.
HybridStatAnim8 4 days ago [-]
You always trust the developers of software. The only way to stop that is to not use the software.
joyous_limes 4 days ago [-]
[dead]
rigonkulous 4 days ago [-]
[flagged]
ryanmcbride 4 days ago [-]
Things aren't only bad if they're illegal. There's plenty of bad things one can do that are perfectly legal, and plenty of good things one can do that are totally illegal.
margalabargala 3 days ago [-]
It's not clear to me that causing "financial damages" to the person described is even a bad thing.
If you prevent your grandparent from getting scammed, you've caused financial damages to the scammer.
abnercoimbre 4 days ago [-]
And there are legal remedies to create deterrents without a court. Boycotts, journalism or new competition.
Avamander 4 days ago [-]
[flagged]
HybridStatAnim8 4 days ago [-]
More like the coordinates of a home were burned to protect its occupants. It was a practical choice, not an ideological one.
dmbche 4 days ago [-]
If you own something you can do what you want with it including rendering it useless
amalcon 4 days ago [-]
If you own all of it, yes. If you only own most of it, the minority owners do have some rights -- just fewer than you do.
HybridStatAnim8 4 days ago [-]
Micay owns the whole project. Ownership of the project was not exchanged or divided, part of the explicit terms of the agreement were that Micay would hold the keys and ownership of the project just as they always have.
dmbche 4 days ago [-]
Sure!
Avamander 4 days ago [-]
[flagged]
HybridStatAnim8 4 days ago [-]
That's a characteristic all modern OSs and modern apps have. You need to trust the key holders, always. Some people make their own builds for this reason. Depends on the threat model.
Avamander 4 days ago [-]
[flagged]
Cortex5936 4 days ago [-]
I love GrapheneOS and I have used it daily for more than 2 years. However, and as Louis Rossmann pointed out in one of his videos, they really need to work on the "defensiveness" and "rants" of their communication. Even when they are 99% right most of the time, they sometimes don't come across as mature and professional.
neilv 4 days ago [-]
My gut feel is that Micay is genuine, and obviously also very defensive.
At least some of the defensiveness is warranted. Maybe most of it. Regardless, it comes across in most GrapheneOS communications, and it's sometimes counterproductive.
A related issue, which I'm sure Micay can appreciate, is that users of GrapheneOS tend to be cautious, and increasingly will want to know why the project should be trusted, now that it is popular and on a lot of radars of adversaries.
(For example, hypothetical scenario that's plausible, given the incentives: State actor (e.g., RU, US, CN) or organized crime group long-con starts with a public harassment campaign of Micay. Followed by sleeper volunteers taking more control of the project, initially under the pretext of helping insulate Micay from harassment, and taking some of the load off. Later maybe even impersonating Micay. Now the threat actor has backdoors to a large number of especially privacy/security-conscious parties, including communications, 2FA, location, cryptocurrency wallets, internal networks where those people work, etc.)
I think it probably hasn't been compromised like that, but it's an obvious real possibility, and IMHO, until GrapheneOS is more transparent, some natural users of GrapheneOS are going to consider iPhone relatively "the devil you know".
Again, I think Micay is genuine, and I'm a fan of the project and appreciate it. And I hope the project understands that's compatible with critical thinking about infosec, and doesn't take personal offense at that.
(Source: Am long-time GrapheneOS user, and have donated.)
microtonal 4 days ago [-]
I agree that this is an issue, but it is impossible to prove a negative. The same could be said for Apple's or other manufacturers' signing keys. Who guarantees that the US government hasn't required access to the iOS signing keys? Or China in exchange for access to the Chinese market? They probably wouldn't even want to reveal that the signing keys were leaked if they were allowed to, since it would undermine their security story.
With a non-profit project of highly principled security experts, there is at least a high probability that they'd rather blow up the project than compromise. People elsewhere in the thread criticize Micay because he deleted the CopperheadOS keys, but to me it increases trust in the GrapheneOS project, since he clearly puts the security of his users over money, fear, and whatnot.
In the end trust arises from running a project or company long-term without evidence that you somehow compromised security.
I wonder in general how this situation could be improved. Second or third independent reproducible build + confirmation signing?
HybridStatAnim8 4 days ago [-]
All of the defensiveness is warranted. They speak neutrally and objectively.
The project is not going to relinquish control to any 3rd party. Not even the Motorola partnership is given control over the GOS project. The hypothetical you describe is not possible by design.
The GOS project takes no issue with critical thinking, and encourages it. But that is often used as an excuse to handwave attacks. There is a very big difference between criticism/critical thinking and attacking them.
Note that there are more individuals in the project than Micay. Multiple people handle multiple responsibilities, it's not one person.
ryandrake 4 days ago [-]
> The GOS project takes no issue with critical thinking, and encourages it. But that is often used as an excuse to handwave attacks. There is a very big difference between criticism/critical thinking and attacking them.
Responding to attacks so defensively is almost always a bad look for organizations. They could really use a PR person with a more measured voice that corrects facts and projects confidence, and does not convey victimhood, insecurity or defensiveness. Take a look at the tone of press releases issued by companies when some tech press bozo writes a hit piece on them, for good examples of dealing with people attacking you.
HybridStatAnim8 4 days ago [-]
I would not use those words to describe the approach they take. They make the effort to speak neutrally and objectively, but the issues they are making light of are often exactly as extreme and common as they describe. Many people have voiced appreciation that they decide against a "corporate-speak" approach. The GrapheneOS accounts are meant to be accounts that let project members speak to users, rather than take on a corporate appearance.
neilv 4 days ago [-]
I'm sure you realize that confident assurances of a random new pseudonymous account on a Web site isn't sufficient for anything of importance.
Is there an authoritative source of information about how a takeover like that isn't possible by design, which people can verify, analyze, hold parties accountable for the pieces that require it, etc.?
HybridStatAnim8 4 days ago [-]
I am a GrapheneOS user and community member, and I am active in the chat rooms. I made this account to assist with misinformation.
As for how such a thing would not be possible:
- GrapheneOS updates do not trust the network, so any compromise of update servers for OS and app updates would not be able to push malicious updates. Only those who hold the signing keys are capable of pushing updates that will be accepted.
- Multiple people review the code that gets included in the OS. There is not one point of failure when it comes to social engineering.
- GOS supports reproducible builds, so the code that is published can be verified to be the code that is built for the official builds.
So in other words, you would need to convince multiple people who are consciously protecting against this, and who have a proven track record of burning the keys if the privacy and security of their users are in jeopardy. On top of that, you need to conceal this from every developer, moderator, and community member who would raise the alarm at the slightest indication of compromise.
ForHackernews 3 days ago [-]
[flagged]
aphorism 3 days ago [-]
Calyx Institute and GrapheneOS are both really great projects. I support them both. I rely on products from both.
You're not doing either project any favors by pretending that hastily generalizing nerd dramas and autism over-corrections is somehow a broad statement on the neutrality and objectivity of GrapheneOS's team or the high-quality product it produces.
This kind of bad faith posting is bad for the whole FOSS/libre community, and it's both dumb and rude, in contradiction of HN's site guidelines.
ForHackernews 3 days ago [-]
[flagged]
spring-onion 3 days ago [-]
The author of that blog got mad we didn't want to implement a feature they wished for. Their duplicate issue was closed and later deleted and they made a public drama out of it for... what reason?
Let me tell you something. I personally reached out to them just a few weeks ago. I didn't argue, I didn't blame them. That was not my intention and I communicated that clearly. Those were not empty words, I went into it with a genuine open mind and with the goal of finding a solution. After all they consider themselves an open source enthusiast.
It didn't go anywhere. They did not seem willing to discuss anything at all really. You see, even if we assume they are 100% in the right, i.e. they did nothing wrong, why would they oppose our attempt at resolving the conflict? I've come to the conclusion there is no good faith argument to be made here. They spread their post all over the internet, heck they even linked it on Facebook.
ForHackernews 2 days ago [-]
[flagged]
aphorism 3 days ago [-]
Not a sock, just finally annoyed enough to actually login and say something.
I can see you can't engage about this without hurling wild accusations, so peace out.
Georgelemental 4 days ago [-]
Personally, I like that they come across as a little paranoid. That's exactly the attitude I want in the people protecting my privacy and security. I hope the developers lie awake at night, unable to fall asleep because they are terrified that someone somewhere is plotting to attack and exploit them.
finalst 4 days ago [-]
While I understand you are trying to be positive about this, I don't think it's good to want our team portrayed like this, sorry. Paranoid people are people who'd easily be influenced into doing harmful behaviors because they believe it will stop their problems. Making a response to inaccuracies and bad journalism platforming an extremely malicious actor isn't a symptom of that. We don't have people with severe mental illness on the team. That would be irresponsible and mental illness is not something to romanticise in my opinion.
Georgelemental 3 days ago [-]
There is a very broad spectrum between "completely average and neurotypical" and "severe mental illness". E.g. "slightly atypical personality". The world would be a boring place if everyone was exactly the same.
finalst 3 days ago [-]
I agree for sure everyone should be different and have a diversity of how people's brains work. The same type of thinking puts us into a bubble. We are definitely atypical because we are developing something quite atypical as well. Coming as a project member I just sometimes see comments that call us stuff like 'schizos' or 'paranoid' even when it is intending to be positive. I guess somehow they believe someone with a severe mental issue is more likely to be an adversary of the government or whatever enemy they perceive? I don't know the justification behind it. I just find that odd, we're quite ordinary people actually. I don't think it does good for mental health awareness and for people who actually have these issues to backseat diagnose how people's minds supposedly work.
busterarm 4 days ago [-]
There's healthy paranoia and there's treating even casual commentary/criticism from anyone as an existential threat & coordinated attack...and responding to that with sustained, coordinated attack campaigns online. That's what Micay's history is.
That's not healthy for any project.
HybridStatAnim8 4 days ago [-]
This is false. Commentary and criticism is not treated as a coordinated attack. Coordinated attacks are treated as coordinated attacks. Criticism is often used as an excuse to try and hide attacks, and many people unfortunately cannot tell the difference.
Cider9986 4 days ago [-]
Recently, the socials have been more moderate and level-headed, imo.
user_7832 4 days ago [-]
Could you share a link or something about this?
> ...responding to that with sustained, coordinated attack campaigns online. That's what Micay's history is.
For the rest, in general, I'm tempted to give grapheneOS the benefit of the doubt. Running any FOSS project is hard, running it against the (implicit) wishes of OEMs/Google (who throw in things like Play Integrity) is even harder, and doing it when 3 letter agencies at the US govt actively hate you is harder still.
Being paranoid in responses to FUD campaigns isn't ideal, but save coordinated attacks, I'd say fairly understandable.
microtonal 4 days ago [-]
Well, they have had to deal with multiple swattings, constant misinformation from some competitors (e.g. Murena's CEO doing interviews with various media where they insinuate that security-hardened systems like GrapheneOS are only for criminals and secret agents, complete with 'think of the children'-style arguments), and some local/national governments boosting the narrative that GrapheneOS is for criminals.
So I can understand why they are as defensive as they are.
TehCorwiz 4 days ago [-]
Based on how discourse in the US has been perverted by inches and millions of mosquito bites they may not be wrong. Stamping out bad information fast and hard seems to be the only way to combat mass coordinated disinformation. Being polite just lets people play the "both sides have merit" game.
singing_tartly 4 days ago [-]
not true at all...
There's no coordinated attacks on anyone or projects by GrapheneOS. They respond to misinformation, that's about it.
There have been many attacks on privacy/security projects, not just GOS, recently. If you keep up with the GOS forum you can see posts saying GOS was hacked without evidence. Other claims that GOS is only used by criminals. They're not true. Misinformation that aims to destroy the reputation of the project should be responded to.
Realistically Stallman would start lecturing them on how his licenses are not open source.
kibibu 4 days ago [-]
Richard Stallman would most certainly not use the term open source to lecture somebody about free software.
toaste_ 4 days ago [-]
When Louis Rossmann thinks your communication has a problem with going on rants, it must be pretty out there.
joyous_limes 4 days ago [-]
Rossmann is a way bigger ranter than GrapheneOS people. Have you seen some of his videos lol.
Rossmann wanted to work with GOS and they didn't want him. So Rossmann made that video to make Daniel look bad for revenge probably. Saying he was leaving GOS was a lie, not that GOS can push malicious updates which was also a huge lie. Even after pointing that out that part wasn't corrected because Louis doesn't care about accuracy, he only cares about making Daniel/GOS look bad. He used his big following to punish Daniel. Now he works with Nick from Calyx after he got pushed out and are doing business together.
The more you learn about the story, the more you see the Copperhead stuff was just the beginning and those involved held grudges and pushed their grudges onto more people who bought their lies and it continued. Privacy-focused OSes that pretend to compete with GrapheneOS suck. GrapheneOS is led by someone with integrity, unlike some other projects.
handedness 3 days ago [-]
That video of Rossmann's was cheap theatrical trash. Disappointingly beneath him.
HybridStatAnim8 4 days ago [-]
Rossmann publicly blasted a private discussion, twisting what was going on, and then lied to his own viewers. Such a claim from an identity verified kiwifarms account holder holds no weight.
akimbostrawman 4 days ago [-]
[flagged]
mrbn100ful 3 days ago [-]
[flagged]
daemonspudguy 3 days ago [-]
No. He is not. He's posted before at times that Micay cannot possibly be online at. He is a different person entirely. This is easily disproven by thinking about the logistics. Unless you think Daniel Micay is up 24/7.
Mhatesmisinfo 3 days ago [-]
[dead]
f--kdonaldson 3 days ago [-]
[flagged]
sqmon 3 days ago [-]
[dead]
retrochameleon 3 days ago [-]
[flagged]
tranq_cassowary 3 days ago [-]
Rossmann leaked private messages without properly giving background information about preceding private conversations that they had and about the circumstances that occurred just before the conversation he leaked. It was very bad faith.
Cider9986 4 days ago [-]
[flagged]
retr0rocket 4 days ago [-]
[dead]
OsrsNeedsf2P 4 days ago [-]
[flagged]
not_really 4 days ago [-]
The point is, you are a terrible human if you subscribe to that trash. Wake the fuck up man, that shit is awful.
kiwiscum 4 days ago [-]
[flagged]
akimbostrawman 4 days ago [-]
[flagged]
HybridStatAnim8 4 days ago [-]
Rossmann made a thread on Kiwi Farms because Kiwi Farms members support him, and they support harassing his targets.
Rossmann has an account on Kiwi Farms for the purpose of engaging with his supporters on the site. He acts friendly with them and they choose to actively support him.
Rossmann's thread on the site is in support of him, not a harassment thread against him.
akimbostrawman 3 days ago [-]
>Rossmann has an account on Kiwi Farms for the purpose of engaging with his supporters on the site. He acts friendly with them and they choose to actively support him
Once again. Okay and? Kiwifarms is a legal site in the US. He is engaging in no harassment or doxxing of anyone just talking to people that talk about him. Does Micay talking on Twitter with other people mean he supports Musk or anything else anybody does on the platform?
If all your points are just "guilt by association" then just say that.
handedness 3 days ago [-]
KiwiFarms is a platform created for the purpose of cyber bullying, harassment and encouraging self-harm. This is very different from a general purpose social media platform that happens to have people signing up that misbehave. The whole point around KiwiFarms is that it's a place to be the most terrible version of yourself and the promise that it won't be moderated. It says a lot about Rossmann that he believes it's worth engaging with such people there. Yes, reasonable and ethical people would indeed choose to not be associated with KiwiFarms.
handedness 3 days ago [-]
It's beyond guilt-by-platform-use. I just started looking into this today, but the primary dox thread thanks Rossmann for information he provided, so I'm not entirely sure about your claim. When Rossmann does weigh in on that site he seems fairly unbothered by the fact that people on there are posting every private detail they can unearth of Micay's and calling for Micay's violent murder, at least from what I've seen in my cursory glance.
He's also made highly-viewed videos theatrically (and ridiculously) expressing technically unfounded concerns about the project, laid the blame at Micay's feet, and went on to make verifiably false claims about the project, about himself, about his own relation to it (from everything I can find about it), and appears to have no problem stoking any of it.
I had long appreciated Rossmann's work on right-to-repair, but when that video came out I found it pretty beneath his potential. He scored cheap points from his considerable bully pulpit for his own benefit.
Reducing that to mere guilt by association hardly captures it.
Matl 4 days ago [-]
> However, and as Louis Rossmann pointed out in one of his videos, they really need to work on the "defensiveness" and "rants" of their communication
Not that I disagree but Louis Rossmann giving someone advice to tone down the rants is ironic.
busterarm 4 days ago [-]
[flagged]
HybridStatAnim8 4 days ago [-]
GrapheneOS's posts are made to combat misinformation. Drawing public attention from those who may be misled and put at risk is how one combats misinfo. It's not ranting and it's not somehow unreasonable to defend oneself.
busterarm 4 days ago [-]
Your entire comment history on HN exists across two separate posts about GrapheneOS.
You're not a community member, you're an astroturfer.
microtonal 3 days ago [-]
Ehm,
> Astroturfing is the deceptive practice of hiding the sponsors of an orchestrated message or organization to make it appear as though it originates from, and is supported by, unsolicited grassroots participants.
They are pretty much the opposite of an astroturfer, they mentioned several times in the comments that they are an active supporter/community member of GrapheneOS. So, they are not hiding and they are grassroots participants.
Please avoid personal attacks on HN, even more so when they are incorrect.
HybridStatAnim8 4 days ago [-]
I have been a GrapheneOS user for several years, and I choose to dedicate my time supporting the project. Supporting an open source project is not 'astroturfing'.
I am an active chatroom member, and many people see me there on a regular basis. I choose to volunteer my time, and am not paid or compensated in any form.
dooglius 4 days ago [-]
Have you considered that the smooth-talking "mature" and "professional" people are more likely to sell your data to advertisers at the first opportunity?
jasonvorhe 3 days ago [-]
I don't care about messaging or professionalism in marketing. I'm perfectly happy with the way GrapheneOS is being managed right now, including their lengthy technical rebuttals to any attempts of attacking the project to dilute its quality or reach.
neonstatic 4 days ago [-]
It's a personality type / disorder (pick your poison). There's no hope for change. Programming seems to attract such people, because they are fixated on being right and proving that they are right. I know a few more examples. My common sense policy is - if the software these types produce works for me, I will be using it, but I will never allow myself to be dependent on it. That kind of person will gladly burn their own house to the ground, with everyone in it, if that's what's required to prove their truths or maintain some kind of intellectual purity.
cindyllm 4 days ago [-]
[dead]
1attice 4 days ago [-]
[flagged]
throw4847285 4 days ago [-]
One common personality disorder I see is being extremely defensive when encountering any discussion of human psychology. This comes from a deep psychological fragility.
Classic OAD (Obvious Asshole Disorder)
1attice 4 days ago [-]
You couldn't even bother to google an actual disorder! Bah, you insult me :)
u8080 4 days ago [-]
>being extremely defensive when encountering any discussion of human psychology
You just have paranoidal schizophrenia and attributing imaginable things to random people you don't like.
neonstatic 4 days ago [-]
Ok, but what would I be wrong about here? I'm not even claiming that the person in the article is that way. I don't know enough about them. I have noticed a certain trend, however, and that's what I was noting.
wyldfire 4 days ago [-]
It would be interesting if there were a state sponsored effort to discredit a project that helps some people keep their communications private.
Cider9986 4 days ago [-]
There might be one, in France.
aphorism 3 days ago [-]
So what if they're defensive and cringe in their rants? Are you so indoctrinated into believing performative aloofness is "professional" that you can't see clearly?
mvkel 4 days ago [-]
Being "right" shouldn't excuse bad behavior, especially if you depend entirely on a community to survive, which we all do.
HybridStatAnim8 4 days ago [-]
Defending oneself isn't an unreasonable thing to do. GrapheneOS is entirely funded by donations and receives a lot of donations to this day. Them defending themselves is not an existential risk, the attacks against them are.
aphorism 3 days ago [-]
Which "bad behavior" are you talking about?
balamatom 4 days ago [-]
Why the scare quotes? Being right is the literal opposite of bad behavior.
mvkel 3 days ago [-]
If you have zero consideration for other people, sure.
"I can't believe you wrote this terrible code. You clearly don’t understand how concurrency works. Do it again."
Technically right, but when you run out of people who actually want to work with you, you'll be writing the code yourself.
balamatom 3 days ago [-]
What's worse: good work that I get to do myself, or bad work that I'm forced to accept anyway?
Pr0ject217 4 days ago [-]
[flagged]
balamatom 4 days ago [-]
[flagged]
stevemk14ebr 4 days ago [-]
[flagged]
balamatom 4 days ago [-]
[flagged]
elpocko 4 days ago [-]
[flagged]
balamatom 4 days ago [-]
[flagged]
simianparrot 4 days ago [-]
[flagged]
idle_zealot 4 days ago [-]
Parent is obviously being sarcastic.
simianparrot 4 days ago [-]
Poe's law gets me again. It's getting really rough these days on HN, I have to admit... My bad. Seems the AI-Protectorate Flagging Brigade managed to parse the sarcasm though.
OsrsNeedsf2P 4 days ago [-]
[flagged]
uberman 4 days ago [-]
[flagged]
JumpCrisscross 4 days ago [-]
[flagged]
balamatom 4 days ago [-]
[flagged]
HybridStatAnim8 4 days ago [-]
Louis Rossmann caused a lot of harm to GOS and blasted them publicly for trying to raise issues privately. That is disgusting behaviour. He then lied to his own viewers about no longer using GrapheneOS, lied about fears of a targeted update despite that not being possible, among a lot of other things. Note he also has an identity verified kiwifarms account.
GOS only defends themselves from attacks. It's not that they are misinterpreting what is an attack, there are really just that many attacks. It leaves little room for much else than defense. Nobody should have to deal with the inhumane level of attacks.
ysnp 4 days ago [-]
There are a lot of judgemental comments here criticising Daniel's character, responses and handling of what was likely a very trying and stressful period in their life.
Barely any comments about the linked thread which is about Wired publishing an article that was extremely poorly researched after having misled GrapheneOS about the intention and content of what would be published. This seems like the sort of thing that should earn a disclaimer on future Wired articles as worthless and get them removed from RSS feeds/have subscriptions cancelled. Complete lack of integrity and respect for standards. Why did they not interview anyone else involved in the project or around at the time?
Accacin 4 days ago [-]
I personally can't understand why anyone bothers doing open source anything.
This Micay guy spends so much time and does something hugely beneficial and we're arguing about how he responds to criticism?
I'd rather direct and blunt rather than the weasel words and lies most companies put out.
aphorism 3 days ago [-]
Some of us embrace our humanity and have an ethical and moral need to engage with the world we want to live in rather than the world dominant economic forces would prefer us to engage in.
Accacin 5 hours ago [-]
I can understand that, but for me he doesn't come across as a "bad" person. He hasn't come out with racism, sexism, etc. he just comes across a bit rude and blunt IMO.
I'm much more concerned with companies that claim to support LGBTQ+ and then stick a flag up for 10 minutes once a year, or companies who make 10% of their workforce redundant because they want to pay themselves more, or companies who on one hand support green initiatives and then behind the scenes do the complete opposite.
HybridStatAnim8 4 days ago [-]
The GrapheneOS team does find corporate speak/slop to be undesirable. I appreciate that a lot.
maxo133 4 days ago [-]
The fact that Graphene is getting attacked speaks enough for its reliability. First in France, now in Wired.
I'm more concerned that Signal incorporated in US is having easy life.
user_7832 4 days ago [-]
> I'm more concerned that Signal incorporated in US is having easy life.
To add - ironically, it was Durov (Telegram founder) who got arrested in Paris.
neonstatic 4 days ago [-]
I don't find it ironic at all. Zero trust for anything Russia related.
u8080 4 days ago [-]
Zero trust does not mean government pressure is okay
kelvinjps10 4 days ago [-]
He is not pro-Putin, the Telegram team was forced to leave and it has been blocked several times in Russia.
Jamesbeam 4 days ago [-]
Not being pro-Putin doesn’t really matter to Putin. If he tells Durov to sit and be a good dog, Durov will sit and be a good dog.
Unlikely the case, Telegram is the app that Russian government is most focused on blocking right now, it's almost impossible to use without proxy or VPN.
Not saying Durov is perfect but video you linked is about guy who has all his assets in Russia while Durov has none.
The man looks on photos like he genuinely loves his long-term girlfriend and the three kids he has with her. Kids are stupid tho. They climb on everything and fall out of windows frequently.
yaro330 4 days ago [-]
Durov is about as anti-Putin and Russia in general as one can get. He got fucked hard in Russia and has been going extremely hard against the censorship in Russia. TG is one of the few chat apps that can avoid Russia's suppression measures, when everything else working over internet fails.
TFNA 4 days ago [-]
Durov has been going hard against censorship because the pressure on Russians to switch to MAX might consign his own app to oblivion. But to call Durov “anti-Russia” when Telegram development and servers remained in Russia, is to ascribe to him a dissident status that he doesn’t actually deserve.
(Durov himself is known to regularly visit Russia, while denying he ever visits Russia. Telegram opened a Dubai office claiming that it was now a Dubai-headquartered company, but that was a mere legal formality; no one was actually there at that office, and journalists visiting it found that not even the building staff knew anything about Telegram. In practice, the company continues to exist out of Russia.)
kqp 4 days ago [-]
Do you have a source for any of this? Wikipedia and news that I can find support that he fled Russia after government conflicts. It’s also well known that he keeps his and the dev team’s location secret, so anybody going knocking on incorporation addresses in Dubai then feigning surprise is acting in bad faith.
TFNA 4 days ago [-]
This was all over the news a couple of years ago when Russian entry/exit records were leaked. Doing a Google search for “durov visited russia frequently” will get you plenty of reportage.
"so anybody going knocking on incorporation addresses in Dubai" The point is that Telegram has repeatedly countered claims that it is a Russian app with "Actually, Telegram is a Dubai company". People reasonably interpret that as more than a mere incorporation address, and it isn’t being emphasized enough that development is still largely done from Russia, and servers are also located there.
neonstatic 4 days ago [-]
Half of Russian military uses it in the field. I do not care what story that guy is spreading around about his affiliations or lack of with Russia. Zero trust. Never touching Telegram.
lofaszvanitt 3 days ago [-]
Being attacked? That doesn't mean anything. Either you know the security domains in and out or you can't make an educated guess how secure it really is.
aphorism 3 days ago [-]
Nah, that's more to do with the fact that governments use Signal and Meredith Whittaker is not to be trifled with.
uberman 4 days ago [-]
Fascinating read. I know nothing about any of this, neither the parties involved nor Copperhead, though I had heard of Graphene. To that end, I wish the response included a preamble for those like me who were not familiar with what was going on. I guess I could probably read the Wired article though. Still, good read and I loved the Q and A at the end.
Frankly insane and speaks to the entitlement of many users that they are against Micay and GOS on this primarily because their online comms are abrasive; I'm used to this having seen the same from many in the Minecraft and Skyrim mods communities, but it still stands saying: You are not owed ANYTHING from a free software developer. They can say anything they want to you and revoke the software at any point or anything they wish - they are providing the software for purely no reason but they want to. If Micay wants to be rude on main he has absolutely every right to do so; if you don't like it, don't use his software. He's not a steward or paragon of virtue just because he has a popular software project, and it's extremely easy to stand on a soapbox and say "If I was in that position, I'd be so much better!" To all the detractors in this thread, I beg you: go make software and give back instead.
P.S. I avoided making any statements about what I personally think about Micay and the GOS team's behaviour above because I don't use it and have never looked into it before reading this article, but from looking at the comments, the WIRED article, the forum thread linked in this post, and some cursory research, it just seems like they are a popular software project that is at odds with many powerful actors with obvious motivations against their existence and popularity - if they are constantly combative online instead of being friendly, don't you think part or all of it may be because they have to defend themselves against attacks instead of having the freedom to be friendly like say SQLite/FFMPEG/Rust/other free software projects? I'm admittedly new to HN but this entitlement and refusal to empathise with the people giving you free shit seems insanely out of character
antonvs 3 days ago [-]
[flagged]
DANmode 3 days ago [-]
Good projects follow their mission statement.
antonvs 3 days ago [-]
Which part of the mission statement mandates publishing rants as official public communications?
oh_fiddlesticks 3 days ago [-]
It doesn't really matter, because their target audience does not care about that.
antonvs 2 days ago [-]
No true Scotsman.
It’s sad to see this childishness around what should be an important project.
DANmode 2 days ago [-]
The point being made is if the project and code were important to you, you wouldn’t be judging it based on the founder’s social media habits…just how it runs, and if it continues to do that year after year.
Spoiler, it’s great, and will continue on.
antonvs 2 days ago [-]
You can't categorically exclude a founder's personality as an indicator of a project's ability to thrive.
All the people basically defending this or saying it's not an issue only makes it worse.
It's a perfect example of the problem: a founder is a leader, and a leader's behavior spreads and can infect the team and community.
DANmode 1 days ago [-]
Simply name a project that’s failed due to this, or suggest a vector through which it could happen here for the first time.
Being okay with someone being unhinged while defending themselves over and over again hardly seems divisive.
Maybe you can frame your objection better?
Genuine question: are you familiar with the controversy of how Linus Torvalds used to frequently operate at the helm of the Linux kernel fiefdom?
fsflover 3 days ago [-]
Yes, because such move decreases the target audience accordingly.
handedness 3 days ago [-]
And yet, you do the same.
fsflover 2 days ago [-]
I don't understand what you mean. Did I add rants to GrapheneOS docs?
mapotofu 3 days ago [-]
It seems very plausible to me that there is a vested interest in seeding drama and chaos into the reputation of GOS. Why wouldn’t there be? Especially when it seems there’s an easy way to trigger Micay, and there are cottage industries online specializing in exactly this sort of thing.
I get the sense a lot of people care about this project and care about defending it but good luck against the propaganda and bullshit like this that comes along with it.
I really enjoy GOS and used it as a daily driver for ~3 years
DANmode 3 days ago [-]
All it takes is comments like this!
Pxtl 4 days ago [-]
I just realized that Lineage and Graphene are two separate projects.
There has been a substantial surge in low quality and Reddit hive mind replies on HN lately. I’m curious what the root cause of it is.
sgc 4 days ago [-]
As far as I can tell (including looking at third party analytics attempts), there had been a massive increase in users over the last 3 years. Smaller communities tend to hold their trademark character a lot better. Pure speculation, but (beyond the bots) I suspect that a lot of the newer users are younger, and the attempt to be a bit more focused and sincere here is something they miss before they start posting.
catlikesshrimp 4 days ago [-]
It is now easier to mass create and program dormant accounts. They can be used later for any purpose.
I wouldn't be surprised to see a "Show HN: I made 1000 accounts with more than 20,000 karma with Claude Opus 6.7" in the future
busterarm 4 days ago [-]
You only just noticed this now? At the very least, HN is subject to the same intellectual capture that's taken over (seemingly) the whole damn world the past decade.
Lapsa 4 days ago [-]
[flagged]
R1shy 4 days ago [-]
[flagged]
other8026 4 days ago [-]
Just read the article again and I'd suggest also reading responses we sent to fact checkers (many answers didn't even show up in the article). James' side of the story is riddled with lies. So, if you read the article with that in mind, you can see that Copperhead got steered in the wrong direction by James. Daniel has been the owner of the open source project from the beginning and Copperhead was never in control of it. It was right to move forward without James. Nothing paranoid about that. It's more a move by someone who is dedicated to doing things right.
See the attacks on GrapheneOS and even other privacy projects trying to make them look like they are designed for criminals. Even French law enforcement took part. We have shared these details publicly and even with links to articles with quotes. There was even news about authorities in Spain assuming anyone with a Pixel was likely a criminal.
Months ago, we saw tons of reports of organizations reporting hacking GrapheneOS without any evidence or links to court cases. We never claim that GrapheneOS isn't hackable, but we still haven't seen any credible evidence showing forensics companies were able to hack it.
These are just a few examples of how GrapheneOS is being attacked. Again, we're not the only ones.
It's also important to note that GrapheneOS has many project members. GrapheneOS isn't a one man show.
Our responses to these things are not out of paranoia. We want our users to know what's going on, so we keep them informed. What's wrong with that?
joemazerino 4 days ago [-]
[flagged]
handedness 3 days ago [-]
I spent several minutes [1] looking into it earlier today because I'd mostly ignored it in the past, but his claims appear completely valid, and if anything, stop short of painting a sufficient picture of how badly he's harassed. I won't link to any of it here, but it took me one query and reading one page worth of it to think Micay is the most reasonable actor in the story. (Yes, I read more thereafter.)
When you have years-long public forum dox threads dedicated to doxing you with people openly calling for your physical harm, all with some non-zero degree of complicity and/or support by a YouTuber with millions of subscribers, let us know if it still seems like paranoia to you.
The claim anyone on the GrapheneOS team is paranoid is unsubstantiated.
Avamander 4 days ago [-]
[flagged]
razingeden 4 days ago [-]
[flagged]
HybridStatAnim8 4 days ago [-]
I gathered you were being facetious, but I do not appreciate being called a sockpuppet.
I am a GOS community member and I have been for several years. I am active in the GrapheneOS chatrooms, and I choose to volunteer my time assisting others.
razingeden 4 days ago [-]
[flagged]
HybridStatAnim8 4 days ago [-]
I must emphasise I am not associated with GrapheneOS.
aphorism 3 days ago [-]
I'm sure it's exhausting producing an awesome product, only to get crapped on by governments and corporations that hate privacy and drama-farming Twitter randos, but debunking bad-faith bullshit is nothing if not rational in a world where reputation matters.
handedness 3 days ago [-]
Even here, the same people come out of the woodwork every single time to hit the same bad-faith talking points. I've got a lot of respect for the whole team for doing what they do despite all of it.
htx80nerd 4 days ago [-]
[flagged]
SV_BubbleTime 4 days ago [-]
A lot of the readers here think Wired is still pre-2006 / pre-Condé Nast ownership.
I was personally involved in a story they did in 2015 that was paid for by a three letter gov agency to bad mouth a company's tech into changing. I know only a few of their tricks, and they’re dirty as hell.
antonvs 4 days ago [-]
Wired was so cool… 30 years ago.
ekjhgkejhgk 4 days ago [-]
[flagged]
roughly 4 days ago [-]
Graphene is not a consumer brand and they do not intend to be a consumer brand. They do one thing: make as secure a phone OS as they can. That’s it. If you’re expecting them to do anything in a friendly way, it ain’t gonna happen, that’s not who they are or what they do. That will absolutely limit their scope and reach, but it also allows them to focus on the one thing they’re trying to do without making compromises.
For contrast, Signal is a very secure messenger which also wants to be user friendly so as to get the largest user base they can, which leads to all kinds of compromises - everything that’s come out that looks like a vulnerability in Signal originates in some feature or capability added to make the product more user friendly. Graphene will not make those trades.
Neither approach is de facto right - they spring from fundamentally different philosophies on how to maximize user safety, and both have been extremely successful in their missions, but you’ve gotta recognize what you’re looking at when you look at Graphene.
ryandrake 4 days ago [-]
> They do one thing: make as secure a phone OS as they can. That’s it. If you’re expecting them to do anything in a friendly way, it ain’t gonna happen, that’s not who they are or what they do.
These things are not mutually exclusive:
You can make a great technical product while being friendly. You can make a great technical product while not being friendly.
You can make a compromised or flawed technical product while being friendly. You can make a compromised or flawed technical product while being unfriendly.
This comes up pretty often in other HN threads, unrelated to Graphene. There's this weird personality type who insists that they aren't legally obligated to be friendly or nice or pleasant, therefore it's fine for them to be unfriendly or jerks or unpleasant.
HybridStatAnim8 4 days ago [-]
GrapheneOS needs to defend themselves. There would be more time for other types of posts other than defensive ones if they did not have to defend themselves.
abnercoimbre 4 days ago [-]
As a community organizer for systems programmers: welcome to my world! I've finally made some headway after a decade, helped by the mass layoff apocalypse. (Turns out social skills help you stay solvent.)
1attice 4 days ago [-]
Actually, you can't make a great product if you've alienated your allies, because all successes are intrinsically social, from the iPhone to Python to even the processor itself.
Going it alone is that nineties libertarian romanticism, a persistent self-destructive tendency that in present market conditions is unsustainable
HybridStatAnim8 4 days ago [-]
GrapheneOS does not consider those who attack them as allies.
DANmode 3 days ago [-]
What allies?
Their allies seem securely in place.
Their popularity and project support have never been stronger…
and they’re partnering with a (popular!) hardware manufacturer.
If they were doing that one thing, they would not have posted this. It's fine not to market to consumers, but this raises additional concerns about the founder's judgement. Someone else claimed that they deleted update signing keys for copperhead devices. That's seriously concerning if true; possibly bad enough to switch away from grapheneOS.
microtonal 4 days ago [-]
He deleted the signing keys because it looked like the other owner of Copperhead OS wanted to make the signing keys available to government agencies and/or criminal organizations. He deleted the signing keys to protect their users against malicious updates, which is the right thing to do and should increase trust in him and the project.
It's worth actually reading the linked post. Relevant segment:
In 2018, matters between Micay and Donaldson came to a head over Donaldson’s desire to pursue business deals with criminal organizations, and his attempts to compromise the security of CopperheadOS, including by proposing license enforcement and remote updating systems that would allow third-parties to have access to users’ phones. As part of this process, Donaldson began to demand that Micay provide Donaldson with the “signing keys” - i.e. the credentials required to verify the authenticity of releases of CopperheadOS. Donaldson advised that, in order to secure certain new business, potential customers required access to the Keys.
The keys had been in continuous use by Micay, in his personal capacity, since before the incorporation of Copperhead. However, more importantly, any party with the keys could mark malicious software as “authentic”, and thereby infiltrate devices using CopperheadOS.
Micay was unwilling to participate in that kind of security breach. Since Donaldson had control over certain infrastructure for the open source project, he would be able to incorporate (or hire others to incorporate) the privacy-damaging features described above for all future releases of CopperheadOS. Micay therefore deleted the keys permanently and severed ties with Copperhead and Donaldson.
joemazerino 4 days ago [-]
Is it that Donaldson wanted to pursue deals with criminals or he wanted to backdoor an OS for a defense contractor or that he was a government spy? From the article it seems like none. Claims need receipts or they are blind assertions.
Me? I was a CopperheadOS user from the 2021 rebuild era before GrapheneOS existed in its state. All I've seen from GrapheneOS and Micay are claims without evidence and over-moderation of points they don't agree with.
fwipsy 4 days ago [-]
Ah, thanks for setting me straight. That's reassuring. I think I would still have more respect and trust for GrapheneOS if they either didn't respond, or struck a more neutral tone; but that's more subjective.
HybridStatAnim8 4 days ago [-]
GrapheneOS has never concealed this information, it has been publicly accessible on the GrapheneOS website for years, as an article describing the project's history. https://grapheneos.org/history/
Deleting signing keys under threat of a hostile takeover is the responsible thing to do.
joyous_limes 4 days ago [-]
[dead]
orblivion 4 days ago [-]
It's not just about being friendly. If they have a bubble around them of employees, true believers, and people just afraid of speaking out that chills free expression of criticism, the truth has trouble getting out, which hurts trust.
Still a user though.
HybridStatAnim8 4 days ago [-]
GrapheneOS is open to criticism about their project.
The issue is criticism is often used as an excuse to conceal attacks.
orblivion 4 days ago [-]
Maybe true, but the flip side is that sometimes what is called an attack is actually criticism. That's how it appears to a lot of us from the outside.
HybridStatAnim8 4 days ago [-]
GrapheneOS wants to post more positive things, rather than just defensive replies. But they have very little choice in the matter. If the inhumane levels of attacks weren't happening, they would have more time to discuss future features, how they choose to approach features, etc. But ignoring the attacks only makes it worse. The suggestions to ignore it, even if genuine, aren't helpful.
orblivion 4 days ago [-]
I'm thinking about this a bit more.
It may be the case that Daniel and the project are so under siege that they need to take a hostile attitude toward some of the people they interact with as a matter of self preservation. They may have no other option. But taking this posture while also being fair to all of the people around them (i.e. some people who aren't actually attacking them) may be difficult or even impossible. I can see this behavior in myself sometimes. I just don't have the energy to be fair. "F U".
I wouldn't want to see friendly corporate slop either. I appreciate how down to nuts and bolts the communiques are on Mastodon and how deadly serious they take everything. That part of the communication style makes me trust them more.
I think a good step in the right direction might be acknowledging that being defensive necessarily leads to erring on the side of assuming bad faith rather than good, which leads to some mis-judgements. So far you said that GrapheneOS is open to all criticisms, which (though I haven't followed the space very recently so my memory on specifics is hazy) just does not seem to match my interpretation. I think that if we were having this conversation on Twitter or Mastodon, Daniel would have blocked me by now (if he hadn't already blocked me years ago).
HybridStatAnim8 4 days ago [-]
People can accidentally be spreading attacks with loaded/presumptuous statements even when their intentions are pure. Unfortunately, pure intentions can still cause harm that needs to be countered.
Take your reply as an example, the GrapheneOS accounts are managed by multiple people, so the fixation on one specific project member may not even be accurate to the discussion. Having one's character attacked is immensely harmful on its own, but being attacked for something one may not even be doing is also immensely harmful.
The unfortunate reality is that people tend to believe the first thing they read, and without something countering it, will roll with it, intentionally or otherwise. So countering misinfo efficiently and quickly is vital.
antonvs 4 days ago [-]
[flagged]
other8026 4 days ago [-]
All the stuff about members of our team not being stable is ridiculous and only works in favor of people or organizations that don't like us or want to damage GrapheneOS.
GrapheneOS has multiple people helping out. Many developers as well as people who help out with non-development work. It's a big claim to say that the whole team is unstable.
I'd suggest reading the article again. Considering the situation, the part about deleting the keys should be a good sign for anyone reading it. It shows that the project's leadership cares about doing things the right way. Members of the team are similarly dedicated to helping build and support an OS that improves people's privacy and device security, not to scam users by making a flashy product and rake in cash. Or, in Donaldson's case, work with shady companies and even possibly criminals.
Privacy and security projects like GrapheneOS are important considering the political landscape these days. People really need to stop repeating inaccurate claims about us, like that we're criminals, unstable, crazy, etc.
antonvs 3 days ago [-]
[flagged]
joyous_limes 4 days ago [-]
[dead]
ipaddr 4 days ago [-]
[flagged]
fsflover 4 days ago [-]
[flagged]
ekjhgkejhgk 4 days ago [-]
[flagged]
Avamander 4 days ago [-]
> Something along the lines of "you know regardless of whether or not you're factually correct, these public attacks on other people companies are really bad for your image"
Sometimes they aren't even factually correct and get a bit upset about it when called out.
Anyways, I have gotten the same impression and these seem like red flags to me as well.
Which is why I'd take everything in that response with a mountain of salt (and I'd pay attention to what they're not saying).
Yes, I don't like when anybody spreads falsehoods about any important free software. Do you?
However your example is unrelated. Their arguments were rather reasonable and informative in the discussion you linked to. So I don't complain about that anymore.
HybridStatAnim8 4 days ago [-]
What they said here is accurate, not sure what you're trying to show?
fsflover 4 days ago [-]
What exactly is accurate? Have you seen my reply to that? Hardware kill switches cut power and prevent any recording.
TommyTran732 4 days ago [-]
You have been saying this sort of stuff on the Qubes forum and a bunch of other places for a while now.
Hardware kill switches are nice-to-have, but they are significantly less important than the OS actually protecting the mic. With your Librem/PinePhone, you cannot even reasonably expect your calls with end-to-end encrypted apps like Signal and Element to be protected. Any app with access to the PulseAudio socket (which happens to be anything that you want to have audio playback with) can snoop on your mic at any moment in time. This does not even require an OS compromise.
This has been pointed out to you repeatedly and yet you choose to ignore it, and instead you just do character assassination whenever a post regarding GrapheneOS or Daniel Micay shows up because what Micay says goes against your favorite ideological products...
fsflover 4 days ago [-]
> Any app with access to the PulseAudio socket (which happens to be anything that you want to have audio playback with) can snoop on your mic at any moment in time.
I said multiple times that I exclusively run trusted apps on the phone. I use Qubes for untrusted staff. Do you understand that threat models can vary?
> Hardware kill switches are nice-to-have, but they are significantly less important than the OS actually protecting the mic.
I never said they were more important. I only said they could reliably protect in sensitive cases.
> instead you just do character assassination
I choose to dispute false information. I don't care about any personalities. And I would be happy to be proven wrong, too.
TommyTran732 4 days ago [-]
> I said multiple times that I exclusively run trusted apps on the phone. I use Qubes for untrusted staff. Do you understand that threat models can vary?
By that logic, you might as well just not have the killswitch at all. Everything is magically "trusted", right?
Yes, I do understand that threat models can vary. Please give an example of a threat model where it makes more sense to use a phone which cannot protect any private calls over a functioning phone that has real protection.
If you are going to say "oh, when you never talk on the phone at all" then you might as well just remove the mic. It's not hard.
As usual, there is nothing that GrapheneOS or Micay says regarding the Librem or Pinephone that is inaccurate. You are just saying stuff that doesn't even remotely make any sense. Perhaps you are being deliberately disingenuous. Perhaps you are just so blinded by an ideology that you cannot see that what you say is just nonsense. I wouldn't know.
> I choose to dispute false information. I don't care about any personalities.
Doesn't seem to be what you are doing here.
fsflover 4 days ago [-]
> there is nothing that GrapheneOS or Micay says regarding the Librem or Pinephone that are inaccurate.
This is completely false:
> Their microphone kill switch also doesn't prevent audio recording
TommyTran732 4 days ago [-]
> Their microphone kill switch also doesn't prevent audio recording
It doesn't prevent audio recording in the super paranoid "oh, the whole phone has been compromised" scenario because it is bypassable via the sensors.
In fact, it doesn't even protect the phone in normal operation, because apps with device=all can access the sensors without the whole phone being compromised.
It doesn't prevent audio recording with any normal usage either because the OS is incapable of protecting private conversations thanks to the PulseAudio socket. "Exploiting" this is significantly easier than any of the stuff involving the sensors.
fsflover 3 days ago [-]
> because it is bypassable via the sensors.
Did you even look in my link, which we are discussing? My quote from there:
And what good is the phone when 3 switches are off? You think that people buy a phone with a "mic killswitch" expects to have to turn off practically everything including internet to make sure that their mics aren't snooped on?
Does that really sound like a functioning "killswitch"?
handedness 3 days ago [-]
The mind, it boggles.
On a long enough timeline he'll probably cite this comment chain as proof you were unable to respond to his concerns, like everyone else who's ever tried.
TommyTran732 3 days ago [-]
Oh he's already done that when I explained to him how stuff like PureBoot has circular logic and doesn't actually work on Qubes forum already.
Unfortunately he will just ignore every single counter argument ever made and blindly believe these companies because their marketing material has "freedom" and "FOSS" in it.
fsflover 2 days ago [-]
On Qubes forum, you had replies from far more knowledgeable people than me. You never could answer to them. You only talk about the lack of security of Pureboot and never showed the code breaking it. "Talk is cheap, show me the code".
TommyTran732 2 days ago [-]
> You never could answer to them.
I did reply to them plenty of times. Here you go doing the exact same thing again - ignoring 100% of what's being said, then claiming "no one can respond".
> You only talk about the lack of security of Pureboot and never showed the code breaking it.
If you think a piece of code is needed to understand why it's a joke, then I don't even understand what is wrong with you. LMAO. The whole thing is conceptually botched, and they pretty much admitted as much.
1. Boot block performs measurements of itself, its settings and everything down the chain for attestation.
2. There's nothing protecting the boot block.
3. A malicious boot block can lie about measurements.
4. If the goal is to defend against an attacker who tampers with the BIOS chip - then it fails at doing so miserably because an attacker can just use a boot block that lies about the measurements.
Seriously, what good is showing you the code if you don't even conceptually understand how the thing works?
You know, there is a famous saying: A farmer does not need to know how to lay eggs to know whether an egg is good or bad. In our case, the egg is already rotten from the get-go. This is not a "Ohhh something has such bad code I can attack it using XYZ method, wait and see!" situation. This is a situation where "Your logic doesn't even make any sense to begin with."
Perhaps, just perhaps, you can benefit from just spending 5 minutes thinking a bit about how the whole thing actually works at a very high level and read what I said above.
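The four-step argument in the comment above can be run as a toy model. This is an added example, not code from the thread, PureBoot or Heads; the firmware images, the `PCR` class and the contrasting `boot_rom_rooted` variant are constructed assumptions.

```python
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class PCR:
    """One TPM-style register: it can only be extended, never set or rewound."""

    def __init__(self) -> None:
        self.value = bytes(32)

    def extend(self, digest: bytes) -> None:
        self.value = sha256(self.value + digest)


# Constructed firmware images (placeholders, not real firmware).
GOOD_BOOT_BLOCK = b"constructed: boot block, release build"
GOOD_PAYLOAD = b"constructed: payload, release build"
TAMPERED_BOOT_BLOCK = b"constructed: boot block, modified"
TAMPERED_PAYLOAD = b"constructed: payload, modified"

CLEAN_FLASH = {"bootblock": GOOD_BOOT_BLOCK, "payload": GOOD_PAYLOAD}
TAMPERED_FLASH = {"bootblock": TAMPERED_BOOT_BLOCK, "payload": TAMPERED_PAYLOAD}


def honest_measure(flash, pcr):
    """Release boot block: hashes the bytes that are really in flash."""
    pcr.extend(sha256(flash["bootblock"]))
    pcr.extend(sha256(flash["payload"]))


def replaying_measure(flash, pcr):
    """Modified boot block: ignores flash and reports the release digests."""
    pcr.extend(sha256(GOOD_BOOT_BLOCK))
    pcr.extend(sha256(GOOD_PAYLOAD))


# The code that runs is whatever occupies the boot block region of flash.
BEHAVIOUR = {
    GOOD_BOOT_BLOCK: honest_measure,
    TAMPERED_BOOT_BLOCK: replaying_measure,
}


def boot_self_measured(flash) -> bytes:
    """Steps 1-3: the writable boot block is the first thing that measures."""
    pcr = PCR()
    BEHAVIOUR[flash["bootblock"]](flash, pcr)
    return pcr.value


def boot_rom_rooted(flash) -> bytes:
    """Contrast (assumption): code outside writable flash hashes the boot
    block before handing control to it."""
    pcr = PCR()
    pcr.extend(sha256(flash["bootblock"]))      # taken before the boot block runs
    BEHAVIOUR[flash["bootblock"]](flash, pcr)   # later extends cannot undo it
    return pcr.value


def tamper_detected(boot) -> bool:
    """Compare the PCR after a tampered boot with the clean reference value."""
    return boot(TAMPERED_FLASH) != boot(CLEAN_FLASH)


if __name__ == "__main__":
    print("self-measured boot block detects tampering:",
          tamper_detected(boot_self_measured))
    print("measurement rooted outside flash detects tampering:",
          tamper_detected(boot_rom_rooted))
```

In the self-measured model the final register value is identical for clean and modified flash, so any check built on it (attestation, unsealing a secret) passes either way; the value only diverges once the first measurement comes from code that cannot be rewritten along with the flash.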
handedness 3 days ago [-]
Everything Micay said in that linked thread was and remains correct. You again fail to address what was incorrect in his comment. Going on to later ask people "what is correct about it?" is rhetorically disingenuous at best.
But as you consistently slide any adjacent topic you can into a discussion about the Librem 5 (no matter how tortured a segue), let's go with that and revisit it.
I looked at your puri.sm link, and it mostly served to lower my estimation of the Librem 5's kill switch system. You can't disable the sensors in a trustworthy way without disengaging every kill switch at the same time, entering it into their Lockdown Mode. At that point it's just a still insufficiently air-gapped, highly underpowered Linux device which remains poorly secured against other side-channel attacks. The speaker which, by everything I could find, is still functional, the OS remains poorly secured against software attacks, it lacks proper hardware security, and so on.
It fails in terms of human factors, too. Joe Consumer thinks flipping off the mic switch prevents audio recording, but it doesn't in multiple regards. Even putting it into Lockdown Mode doesn't disable the speaker, which can be used to record audio despite your insistence that the device is fully secured when all switches are off. Speakers can also be used to exfil data over short distances, demonstrated to work through walls.
Poor misinformed Joe Consumer is also still left with the same issues the other commenter has already identified in terms of the difficulty of securing any Linux computer.
But that's okay, because you only run trusted software. Until one of those trusted pieces of software include a compromised library, which happens often. You are, at that point, relying on the OS and its relationship to its hardware, which, flawed switch system aside, is highly insufficient. The device offers very little protection at that point. You know all this because you run Qubes OS, but hand-wave that away by appealing to trusted software as soon as the Librem 5 becomes the subject.
If I was modeling threats around protecting sensitive files on the device, not falling victim to attacks that could record audio and/or exfil data or otherwise leak, I'd still go with GrapheneOS on a Pixel 8 or later.
The Librem 5 wins for anyone who just wants a phone which runs Linux (which is a great thing and I wish we had more options which did that), but the security theater of that device is just goofy from top to bottom, as are its more vocal and less reasoned supporters. If one's threat model is, one sometimes wants to be able to turn off all radios and sensors, leaving the speaker functioning, with an otherwise poorly secured device, then, great. It's the device for you. But it's a threat model which will be practically beneficial to very few people, if any.
If your holy grail is having the radios off without other hardware or software considerations, great, you've found the phone for you. It's a brilliantly marketed device for well meaning but poorly informed people with underdeveloped threat models, and, I guess, for someone in your situation who's happy to make all of the above compromises to be able to physically disconnect radios.
Do you always enter Lockdown Mode before typing anything sensitive, due to the attack vector they highlighted about deriving typed data via sensor data? ('No, because I only run trusted software.' See above.) You literally can't disable the sensors without disabling all radios. They acknowledge that sensors are an attack vector worth addressing, yet don't put sensors on a discrete circuit. Like I said, great marketing. Otherwise pretty goofy.
Would I complain if the upcoming Motorola GrapheneOS phone had physical hardware switches? Sure, I'd take an additional layer of containment if all of the fundamentals are addressed properly.
But your argument is like bolting the world's best seat belts onto a motorcycle, and never missing an opportunity to tell the world about your belts, wonderful though they truly are.
TommyTran732 3 days ago [-]
Not entirely sure if the chip they are using (WM8962) can be reconfigured as a mic or not... it probably can't. But yes, the speaker is still active even when the mic is toggled off.
Everything else is pretty much the argument though - who buys a phone with a microphone killswitch so good that for it to actually function you must also flip the other killswitches to kill both wifi and cellular connection? A microphone killswitch so impeccable that in order for you to not be snooped on you also have to give up texting and browsing the internet. Truly impressive stuff.
fsflover 2 days ago [-]
I don't understand you. All I said was that using three kill switches 100% protects you from any listening and tracking.
strcat said the opposite.
We can't be both right. According to the docs and schematics, I'm right. You need a really good proof for the opposite.
TommyTran732 2 days ago [-]
Man, if this entire thread of people calling out how ridiculous the implementation is and the killswitch not actually working in practice isn't enough to convince you, nothing ever will.
I don't even feel like arguing against the absurdity of your arguments anymore. This is my last attempt at dumbing it down a notch:
A "microphone killswitch" is supposed to protect the user against having their convos being snooped on when it's toggled and still be able to use the phone in a meaningful manner. A "microphone killswitch" that doesn't really function on its own and requires turning the entire device into a brick is non-functional for all practical purposes.
I might as well just invent a "microphone killswitch" that requires people to pull out the battery to make sure that they are not snooped on at that point.
fsflover 2 days ago [-]
> A "microphone killswitch" is supposed to protect the user against having their convos being snooped on when it's toggled and still be able to use the phone in a meaningful manner
LOL, it's hard to imagine a more ridiculous and self-contradicting statement than this.
1. It's just physically impossible to defend from tracking, when the phone has networking connections on. Not even on all-mighty GrapheneOS.
2. I am using a phone with the kill switches off in a meaningful manner all the time. It is a full computer running a desktop OS and can run any apps, including listening to music from a microSD card, reading saved text/pdf files, showing presentations with original LibreOffice, programming in any language with standard tools, and so on.
3. Even though the phone in the lockdown mode (with all three kill switches off) has no connections, if I'm ever in emergency and need some help, I can turn the phone functionality back on and call for the help I need. Obviously, privacy in such case would be secondary after health.
4. Unlike for GrapheneOS, there is no way to hack my kill switches for any money. I can be 100% certain that they work as intended, even if a state actor is against me. Yes, everything else might be compromised in such case but not the tracking and listening to me when I need true location and microphone privacy.
handedness 3 days ago [-]
> This is completely false:
>> Their microphone kill switch also doesn't prevent audio recording
More dangerous advice. The microphone kill switch prevents audio recording via the mic, not via the sensors or speaker. A Librem 5 user needing to secure against audio attacks would need to switch all kill switches off, not just the mic one (by Librem 5's own estimation), but would still be vulnerable to the speaker.
The effect of your participation in threads about projects you claim to care about is harmful. Please do better.
fsflover 2 days ago [-]
Librem 5 speakers cannot be used for recording, according to the developers. Yes, all kill switches protect you from the sensors.
This is indeed a misunderstanding, again. Reliable protection is possible - this is all I wanted to say. Not everybody means "all sensors" when they say "microphone". I took the phrase literally.
HybridStatAnim8 4 days ago [-]
Their entire post regarding pinephones is accurate.
Hardware kill switches need to be correctly implemented. A kill switch cutting off mics and not sensors or speakers is incomplete and privacy theater.
Not to mention kill switches assume the device is already compromised, at which point everything on it is likely compromised as well.
fsflover 4 days ago [-]
> Their entire post regarding pinephones is accurate.
I never mentioned Pinephones, although I do believe that the attack on them is still too harsh. Their security is about as good as the one for Linux. And it's not exactly "atrocious". Especially if you only use software from the official repositories. Let's agree that it should be improved though. (I prefer Qubes OS myself.)
> Hardware kill switches need to be correctly implemented.
Are you saying they aren't for Librem 5?
> A kill switch cutting off mics and not sensors or speakers is incomplete and privacy theater.
I explained in the link above that cutting all sensors is exactly what happens if you choose it.
> Not to mention kill switches assume the device is already compromised
This is not accurate. Kill switches imply that even if the device is compromised (which you can never 100% verify, even on GrapheneOS), your location etc is still private, when you need it.
aphorism 3 days ago [-]
Why would debunking factual inaccuracies be a red flag? It's the rational action to take, actually. Big corporations often don't respond because their lawyers tell them not to. Surely you're not saying that's a green flag?
latable 4 days ago [-]
I think this is the case of a lot of successful OSS. Intrigued people of all horizons come and interact with few people building something meaningful, mostly on their free time, and expect to be welcomed as customers by the company spokesman. Torvalds had a famous way to express himself freely and hurt some feelings on the Linux mailing list, yet Linux is still a successful OSS project.
I would go on a stretch to say that people that express themselves naturally, without detour, are maybe more trustful than the usual silver-tongued corpo.
fph 4 days ago [-]
One of the main criteria to differentiate "rants" from "correcting falsehoods" is proper citing of sources. In the case of Grapheneos, unfortunately I often see very few sources in what they post online.
(But, if you ignore the rants, that's a fantastic OS.)
HybridStatAnim8 4 days ago [-]
GrapheneOS has plenty of evidence and they post it alongside their claims. They post it carefully though, and are willing to provide it to people upon request.
At the time of writing, I scrolled 4 posts down and found one. GrapheneOS are security researchers, so they often are a first party source. As for the attacks, they have plenty of evidence for their claims. They avoid giving any attacks more publicity, but they usually provide evidence if you ask.
fph 3 days ago [-]
Please provide a link to this post you found, so I can tell which one you think is a citation to a source. If you want some examples of recent posts that should have a source but don't, here they are:
(the linked post in Mastodon is the one displayed with a bigger font, not necessarily the first at the top of the page.)
HybridStatAnim8 4 days ago [-]
They don't have any history of attacking others. They have a history of defending themselves from attacks.
Other organizations having the resources to continue despite the damage does not mean GrapheneOS can or should deal with the damage it causes. That makes no sense and it's excusing horrible behaviour from attackers. They aren't rants, the truth just often requires more words than a lie, such is the nature of computer science.
Guvante 4 days ago [-]
"They have a long history of long rants attacking people and projects" in response to a long post...
You are very much saying that OP is an attack post.
Or at least implying the point that it is tonally dissonant to claim otherwise.
If you didn't believe it was wrong you would comment on the post but you are explicitly avoiding doing that.
thenewnewguy 4 days ago [-]
Do you have a link to the mastodon interaction where they threatened you with legal action?
I ask because I'd be pretty disappointed in GrapheneOS over that kind of thing and it'd probably at least partially change my opinion of them, but it's better to validate these types of serious accusations and get the full context.
ekjhgkejhgk 4 days ago [-]
I don't. My very vague recollection is that I was alarmed and either deleted it or blocked them. So it either no longer exists, but even if it does I have zero interest in digging it out. I'm always anonymous on social media like HN and Mastodon, but who knows what one can discover if they're the kind of unhinged person who will dedicate enough time to doxing someone...
its-summertime 4 days ago [-]
Do you have links to #2
bokavordur 4 days ago [-]
Agreed.
I like the product, and even recommend GOS to those who want a hardened phone OS.
But goddamn, their social media gives me major red flags and I hate remembering that they exist.
I genuinely think that the information in this post is accurate, and at the same time, I think that it is painted in a way that feels off. Like the data is correct, but there are aspects that are clearly emotionally manipulative and combative.
I also have had some less than great interactions with GrapheneOS devs, when I was not seeking out interaction from them on social media (they came to my post and were combative) and played victim that I bullied them and was in league with the harassment campaign when I just asked them to leave me alone.
Overall, I just think that GrapheneOS is a good product, but unless you want to join their cult, just never talk about it neutrally or negatively unless you are ready for weird interactions.
jimmySixDOF 4 days ago [-]
Is there a similarly bombastic take on Motorola somewhere?
unethical_ban 4 days ago [-]
#1 imo is the fact that some orgs are resilient to libel, and some are heavily affected. If someone is lying about your security project in order to harm your reputation, I don't find it odd to respond with some zeal.
#2 on the other hand sounds unhinged, though no source is provided. Threatening legal action for broad criticism of project management is wild.
HybridStatAnim8 4 days ago [-]
It's not broad criticism, it's attacks that use criticism as a false excuse. Defending themselves neutrally and objectively is not unhinged.
busterarm 4 days ago [-]
[flagged]
HybridStatAnim8 4 days ago [-]
None of this is accurate. Community backlash was not what forced them to step down. The attacks, including attempted murder, were what led them to handing the lead developer position to another trusted project member.
Attacks against GOS have not been quiet for years, attacks have still been ongoing during that time.
trueno 4 days ago [-]
i think a lot of attention is rightly attributed to like, i dunno say tiktok/ig "influencing" and how that can send people who gain a lot of notoriety off the deep end. it absolutely has. but so do software projects.
not enough people talk about how software projects also offer up a similar kind of atmosphere: you're suddenly hyperconnected with a whole bunch of humans you don't know and are receiving feedback from people outside of your immediate community. "hackers" for all the interesting ways they've contributed to computer science over the decades also have branches spawned from the original chronically-online, highly-opinionated and sort of antisocial and poorly adjusted sects of civilization. being the face of a project is like pouring rocket fuel on whatever predispositions you might have, and on more than one occasion we've seen people go from occasionally unhinged person to seriously unhinged.
this comes with a lot of bad outcomes for quite a few people, primarily it always has some serious amplification qualities to egos and narcissism. and for genuinely good and kind people who are just trying to share their value/contributions and are suddenly jettisoned into spotlights, we often see them suddenly step back and discontinue work on a project entirely.
we often see these departures and think solely "must be burn out" and don't put much more thought into what that means. but we don't do enough to frame how software projects just elevate people into a position that most people don't do a good job in mentally and socially, and how it deteriorates the pieces of them that make them feel like they're valuable members of a community/tribe. some have luck making their project communities their tribe, but that's obviously a risky step to take. for many who have a successful project, sometimes it starts as the most validation they've ever received and then they don't know how to reconcile with the exponentially-widened audience when negative reception starts pouring in.
daniel micay is just one of like.. many in these sorts of projects i've seen who are simply unfit for the role. for many reasons, i don't think he's a pleasant person at all. i don't have any answers here. i also see this in homebrew scenes for gaming, it's like my least-favorite human petri dish of software development enjoyers. lot of oddball developers in that space and quite a lot of incredibly dramatic fallouts and theatrics that seem to come with the anonymous nature of not tacking your real name / identity to a project, and a consuming audience that has zero idea what goes into development so the negative feedback/demands that come in are in their own way unhinged.
busterarm 4 days ago [-]
I'm well familiar with what you're talking about. I see it in the emulation space as well. Famously so with byuu/near.
We have all of the parasocial behavior from bystanders as well. Cult mentalities and hero-worship. It's quite a strange phenomenon.
trueno 4 days ago [-]
oh god yeah the emulation space is absurd.
1attice 4 days ago [-]
Welcome to the artworld. 19th century European artist culture resurfaces. Don't cut off your ear :)
cf100clunk 4 days ago [-]
[dead]
bubblethink 4 days ago [-]
[flagged]
Springtime 4 days ago [-]
[flagged]
spring-onion 3 days ago [-]
Speaking of trust issues, Rossmann's claim he was going to stop using GrapheneOS proved to be a lie, he was caught using it for months after. He knew it was impossible for us to target him with an individual update, that didn't stop him from including that supposed fear in his sob story though.
He made it sound like Daniel was going crazy on him for no apparent reason over a single comment he posted on the Techlore video when for one, we were wary of him already due to past disagreements and, more importantly, that very video is responsible for the swatting attacks that were aimed at getting Daniel killed by law enforcement. The swatting attacks were carried out by someone who loved the Techlore video a little too much. Do you see where I'm going? Rossmann had voiced his support for the very video that is responsible for the attempted murder on Daniel's life, I reckon you will understand that Daniel was upset over this.
Not much time had passed since these attacks took place so Daniel messaged Rossmann to figure this out and explain to him what this was all about. In private mind you, whereas Rossmann decided this was peak content and live streamed it while the chat was still taking place. Any human being with a basic sense of empathy and decency would have not done this since it was obvious that Daniel was in a bad headspace.
Yet he did so anyway. I guess that's not all too surprising given it was an excellent catch for his following on Kiwi Farms which he caters to.
Springtime 3 days ago [-]
[flagged]
HybridStatAnim8 4 days ago [-]
Micay was distressed due to ongoing circumstances. Rossmann chose to publicly blast what was supposed to be a private discussion, lied to his own viewers, twisted what was happening, etc. Also note Rossmann has an identity verified kiwifarms account.
joyous_limes 4 days ago [-]
[dead]
rarez 4 days ago [-]
[flagged]
johnnyApplePRNG 4 days ago [-]
[flagged]
neilv 4 days ago [-]
Evidence?
(I know one historical connection that looks suspicious, but it could be explained by the fact that prestigious social network graphs in the US tend to be incestuous, and a closely-connected world.)
1attice 4 days ago [-]
Citation needed
0gs 4 days ago [-]
[flagged]
9cb14c1ec0 4 days ago [-]
[flagged]
4 days ago [-]
polotics 4 days ago [-]
that is one extremely unsubstantiated statement
balamatom 4 days ago [-]
[flagged]
joemazerino 4 days ago [-]
[flagged]
other8026 3 days ago [-]
> Hopefully the HN mods will unflag the astroturfing campaign done by GrapheneOS here to allow a good healthy discussion.
A quick Google search shows that you've been attacking Daniel for a long time using this account. You complain about moderation and astroturfing and I find tons of posts by you attacking Daniel. You clearly have some sort of weird vendetta against him. Don't pretend to want a "good healthy discussion" when all you seem to be interested in is attacking him further.
CopperheadOS was always Micay's project and used his own signing key. The key never belonged to Copperhead the company afaik.
According to the linked responses, the keys were not deleted because of disagreement over financial share, but over how the keys were to be used (in particular, in potentially dangerous security-wise ways), for which he did not want personal responsibility (the keys belonged to and were used by him even before that project).
> Donaldson tried to make a deal with Phantom Secure, which ultimately didn't work out. Micay suspected other counterparties were linked to organized crime, but we cannot confirm those identities or ties on short notice. Donaldson began pursuing such deals before Micay left and continued afterward.
https://discuss.grapheneos.org/d/34369-original-grapheneos-r...
/e/OS (recipient of EU funding) and iodéOS are European projects that have not been singled out by the French government in smearing despite them having similar self-professed goals to GrapheneOS. That they had any influence at all on the French government directly is speculated but not asserted.
CalyxOS/Techlore are blamed for being complicit in escalating the animosity and furore around what were initially low-key fallouts/disagreements. This led to GrapheneOS/Micay escalating to defend themselves which unchecked fuelled a spiral of influencer content, vile spamming of CSAM in GrapheneOS rooms (I can personally attest these were some of the biggest on Matrix at the time and led to the team giving up on Matrix moderation and self-protection capabilities), intense public speculation/accusations about Micay's character/mental health etc. which eventually resulted in the swatting attempts.
F-Droid project members have publicly aired their dislike of Daniel as a result of direct or indirect disagreements and did have a software quirk that caused an issue for GrapheneOS/possibly other custom OSes' users due to their added permission (which the two parties again disagreed on). Conspires is loaded wording.
But I do not think it is productive for me to dredge up posts and potentially cause more misunderstandings as a complete outsider for something that is directly affecting someone's life like this. They (Micay/GrapheneOS) have posted detailed contextual snippets and information about what has happened so please contact them directly for reference to the original posts and discuss if you really wish to find out more.
I had never actually visited Kiwifarms before today so I knew virtually nothing firsthand of what's actually going on there, other than hearing it repeatedly invoked in these discussions by supporters and detractors alike. A brief, cursory look turned up a dox thread thanking @larossmann for providing information.
It also turned up comments from some like, "Daniel Micay is a low-functioning cancer who should have been beaten and/or raped to death by a drunken father."
If anything, Micay appears to have been underselling things.
To be fair, it appears the project also has some supporters in that thread, and I'd have to delve further to figure out whether it's a 4chan-esque deliberate toxicity to keep the unwashed masses out, but it's not difficult to see how Micay isn't interested in dealing with Rossmann. Rossmann spends a lot of time knocking Micay online, but I'm not finding much in the way of even-handed coverage by Rossmann from his considerable YouTube pulpit. Rossmann also appears to be active on there recently. A few minutes of researching indicates a non-trivial possibility he has a role in all this and has zero desire to separate himself from it.
Many reasonable people would have zero interest engaging with someone like that, especially after they've donated money and then attached post-hoc strings to the donation.
I also saw firsthand Nick Merrill's chat behavior re: Daniel and GOS, and as one who used to contribute to both projects, I had zero qualms after that pulling all support from Calyx, which still makes me sad, as Nick at his finest was a pretty wonderful force for good. The same could be said of Rossmann.
If this sort of thing doesn't at least somewhat moderate the consistent position you've held here every time GOS comes up, I don't see a way to assume good faith on your part in these threads. A number of people in these threads consistently adopt the form of making unsupported claims they could easily research before posting, and when presented with evidence to the contrary then move on to claim to be given unsatisfactory responses to their original questions and/or move the goalposts. When others eventually stop engaging, they claim the project supporters are unable to answer even their most basic questions (which have already been addressed numerous times, with citations).
It's against HN guidelines and it's a pretty ignoble way to exist.
So why should we believe you over Micay, or are you willing to change your view after seeing evidence?
Question 17: Did your and Donaldson's values begin to diverge? Was Donaldson more concerned with making money than you were?
Answer: [...] In 2018, matters between Micay and Donaldson came to a head over Donaldson’s desire to pursue business deals with criminal organizations, and his attempts to compromise the security of CopperheadOS, including by proposing license enforcement and remote updating systems that would allow third-parties to have access to users’ phones. As part of this process, Donaldson began to demand that Micay provide Donaldson with the “signing keys” - i.e. the credentials required to verify the authenticity of releases of CopperheadOS. Donaldson advised that, in order to secure certain new business, potential customers required access to the Keys.
The keys had been in continuous use by Micay, in his personal capacity, since before the incorporation of Copperhead. However, more importantly, any party with the keys could mark malicious software as “authentic”, and thereby infiltrate devices using CopperheadOS.
Micay was unwilling to participate in that kind of security breach. Since Donaldson had control over certain infrastructure for the open source project, he would be able to incorporate (or hire others to incorporate) the privacy-damaging features described above for all future releases of CopperheadOS. Micay therefore deleted the keys permanently and severed ties with Copperhead and Donaldson.
Question 25: Did things between you and Donaldson devolve when he approached you about a compliance audit? Did he tell you that he needed to know how the signing keys were stored?
From Wired:
We understand that Daniel's recollection was not that James wanted to know more information about how the signing keys were stored, but that he wanted direct access to them.
Question 26: Did you suspect his request was tied to a deal he was brokering with a large defense contractor? Did you believe this would put the entirety of CopperheadOS’ user base at risk?
Answer: Yes and yes.
The large defense contractor in question was Raytheon. The decision to destroy the signing keys was not based on a financial disagreement, but an existential one. Every single CopperheadOS user back then would have been compromised otherwise. It's of course a big deal given the implications, but it acted as a last resort for Daniel to stop a hostile takeover attempt fueled by greed, which he ultimately took because there was no other way out.
Or is it just that Raytheon went against what he thought CopperheadOS stood for?
Intelligence wanted in, and Donaldson seemingly would have been happy to oblige.
> From Wired:
> We understand that Daniel's recollection was not that James wanted to know more information about how the signing keys were stored, but that he wanted direct access to them.
> Did you suspect his request was tied to a deal he was brokering with a large defense contractor? Did you believe this would put the entirety of CopperheadOS’ user base at risk?
> Yes and yes.
Forking and building a separate build isn't dual signing, it's just forking. You can do that right now with GrapheneOS and its build guide if you want.
I'm not sure what you mean by the last part, GrapheneOS has been quite upfront with all of this from the start.
Reddit and IRC/etc logs from the period are illuminating, too.
Yeah, that’s the issue. I don’t want people who behave immaturely, impulsively, or vindictively, having a key role in something as important as my phone os. I want stability, maturity, and thoughtfulness.
They were able to improve. I don't think many of the often negative and ad-hominem critics would be able to endure such a pressure as they had in the past.
«In 2018, matters between Micay and Donaldson came to a head over Donaldson’s desire to pursue business deals with criminal organizations, and his attempts to compromise the security of CopperheadOS, including by proposing license enforcement and remote updating systems that would allow third-parties to have access to users’ phones. As part of this process, Donaldson began to demand that Micay provide Donaldson with the “signing keys” - i.e. the credentials required to verify the authenticity of releases of CopperheadOS. Donaldson advised that, in order to secure certain new business, potential customers required access to the Keys.»
Micay is rightfully paranoid, just having a GOS phone makes some government agencies quite mad. There are many ways a project like GOS could die, disinformation could certainly kill it. Other projects don't help the case if they throw mud at it. Rather, they should focus on their real technical shortcomings, but such articles aren't written somehow. https://eylenburg.github.io/android_comparison.htm
EDIT
You could contact him to offer your help where he falls short.
So you'd be willing to give up Linux because Linus cannot stop verbally abusing people to this day? Because that's what I did. I decided that any project where the main dev(s) openly abuse people in public, is the line I draw.
I know that is an extremely controversial choice that many people will disagree with, but it's my choice to make and I don't regret it.
While I appreciate the second line and think it's generally the right answer with FOSS projects, your speculation poisons the well.
That quotation is from another comment in this discussion. Sadly, it is the sort of personal attack on his mental state that has been commonplace here at HN and elsewhere for a long time. I caution all to avoid such commentary. My long experience in tech r&d has firmly convinced me that mental health and wellness challenges are widespread, and should not be weaponized. I hope that clarifies my comment for you.
If you prevent your grandparent from getting scammed, you've caused financial damages to the scammer.
At least some of the defensiveness is warranted. Maybe most of it. Regardless, it comes across in most GrapheneOS communications, and it's sometimes counterproductive.
A related issue, which I'm sure Micay can appreciate, is that users of GrapheneOS tend to be cautious, and increasingly will want to know why the project should be trusted, now that it is popular and on a lot of radars of adversaries.
(For example, hypothetical scenario that's plausible, given the incentives: State actor (e.g., RU, US, CN) or organized crime group long-con starts with a public harassment campaign of Micay. Followed by sleeper volunteers taking more control of the project, initially under the pretext of helping insulate Micay from harassment, and taking some of the load off. Later maybe even impersonating Micay. Now the threat actor has backdoors to a large number of especially privacy/security-conscious parties, including communications, 2FA, location, cryptocurrency wallets, internal networks where those people work, etc.)
I think it probably hasn't been compromised like that, but it's an obvious real possibility, and IMHO, until GrapheneOS is more transparent, some natural users of GrapheneOS are going to consider iPhone relatively "the devil you know".
Again, I think Micay is genuine, and I'm a fan of the project and appreciate it. And I hope the project understands that's compatible with critical thinking about infosec, and doesn't take personal offense at that.
(Source: Am long-time GrapheneOS user, and have donated.)
With a non-profit project of highly principled security experts, there is at least a high probability that they'd rather blow up the project than compromise. People elsewhere in the thread criticize Micay because he deleted the CopperheadOS keys, but to me it increases trust in the GrapheneOS project, since he clearly puts the security of his users over money, fear, and whatnot.
In the end trust arises from running a project or company long-term without evidence that you somehow compromised security.
I wonder in general how this situation could be improved. Second or third independent reproducible build + confirmation signing?
The project is not going to relinquish control to any 3rd party. Not even the Motorola partnership is given control over the GOS project. The hypothetical you describe is not possible by design.
The GOS project takes no issue with critical thinking, and encourages it. But that is often used as an excuse to handwave attacks. There is a very big difference between criticism/critical thinking and attacking them.
Note that there are more individuals in the project than Micay. Multiple people handle multiple responsibilities, it's not one person.
Responding to attacks so defensively is almost always a bad look for organizations. They could really use a PR person with a more measured voice that corrects facts and projects confidence, and does not convey victimhood, insecurity or defensiveness. Take a look at the tone of press releases issued by companies when some tech press bozo writes a hit piece on them, for good examples of dealing with people attacking you.
Is there an authoritative source of information about how a takeover like that isn't possible by design, which people can verify, analyze, hold parties accountable for the pieces that require it, etc.?
As for how such a thing would not be possible;
- GrapheneOS updates do not trust the network, so any compromise of update servers for OS and app updates would not be able to push malicious updates. Only those who hold the signing keys are capable of pushing updates that will be accepted.
- Multiple people review the code that gets included in the OS. There is not one point of failure when it comes to social engineering.
- GOS supports reproducible builds, so the code that is published can be verified to be the code that is built for the official builds.
So in other words, you would need to convince multiple people who are consciously protecting against this, and who have a proven track record of burning the keys if the privacy and security of their users are in jeopardy. On top of that, you need to conceal this from every developer, moderator, and community member who would raise the alarm at the slightest indication of compromise.
You're not doing either project any favors by pretending that hastily generalizing nerd dramas and autism over-corrections is somehow a broad statement on the neutrality and objectivity of GrapheneOS's team or the high-quality product it produces.
This kind of bad faith posting is bad for the whole FOSS/libre community, and it's both dumb and rude, in contradiction of HN's site guidelines.
Let me tell you something. I personally reached out to them just a few weeks ago. I didn't argue, I didn't blame them. That was not my intention and I communicated that clearly. Those were not empty words, I went into it with a genuine open mind and with the goal of finding a solution. After all they consider themselves an open source enthusiast.
It didn't go anywhere. They did not seem willing to discuss anything at all really. You see, even if we assume they are 100% in the right, i.e. they did nothing wrong, why would they oppose our attempt at resolving the conflict? I've come to the conclusion there is no good faith argument to be made here. They spread their post all over the internet, heck they even linked it on Facebook.
I can see you can't engage about this without hurling wild accusations, so peace out.
That's not healthy for any project.
> ...responding to that with sustained, coordinated attack campaigns online. That's what Micay's history is.
For the rest, in general, I'm tempted to give grapheneOS the benefit of the doubt. Running any FOSS project is hard, running it against the (implicit) wishes of OEMs/Google (who throw in things like Play Integrity) is even harder, and doing it when 3 letter agencies at the US govt actively hate you is harder still.
Being paranoid in responses to FUD campaigns isn't ideal, but save coordinated attacks, I'd say fairly understandable.
So I can understand why they are as defensive as they are.
There's no coordinated attacks on anyone or projects by GrapheneOS. They respond to misinformation, that's about it.
There have been many attacks on privacy/security projects, not just GOS, recently. If you keep up with the GOS forum you can see posts saying GOS was hacked without evidence. Other claims that GOS is only used by criminals. They're not true. Misinformation that aims to destroy the reputation of the project should be responded to.
Rossmann wanted to work with GOS and they didn't want him. So Rossmann made that video to make Daniel look bad for revenge probably. Saying he was leaving GOS was a lie, not that GOS can push malicious updates which was also a huge lie. Even after pointing that out that part wasn't corrected because Louis doesn't care about accuracy, he only cares about making Daniel/GOS look bad. He used his big following to punish Daniel. Now he works with Nick from Calyx after he got pushed out and are doing business together.
The more you learn about the story, the more you see the Copperhead stuff was just the beginning and those involved held grudges and pushed their grudges onto more people who bought their lies and it continued. Privacy-focused OSes that pretend to compete with GrapheneOS suck. GrapheneOS is led by someone with integrity, unlike some other projects.
Rossmann has an account on Kiwi Farms for the purpose of engaging with his supporters on the site. He acts friendly with them and they choose to actively support him.
Rossmann's thread on the site is in support of him, not a harassment thread against him.
Once again. Okay and? Kiwifarms is a legal site in the US. He is engaging in no harassment or doxxing of anyone just talking to people that talk about him. Does Micay talking on Twitter with other people mean he supports Musk or anything else anybody does on the platform?
If all your points are just "guilt by association" then just say that.
He's also made highly-viewed videos theatrically (and ridiculously) expressing technically unfounded concerns about the project, laid the blame at Micay's feet, and went on to make verifiably false claims about the project, about himself, about his own relation to it (from everything I can find about it), and appears to have no problem stoking any of it.
I had long appreciated Rossmann's work on right-to-repair, but when that video came out I found it pretty beneath his potential. He scored cheap points from his considerable bully pulpit for his own benefit.
Reducing that to mere guilt by association hardly captures it. I posted some more detail here: https://news.ycombinator.com/item?id=47868159
Not that I disagree but Louis Rossmann giving someone advice to tone down the rants is ironic.
You're not a community member, you're an astroturfer.
Astroturfing is the deceptive practice of hiding the sponsors of an orchestrated message or organization to make it appear as though it originates from, and is supported by, unsolicited grassroots participants.
https://en.wikipedia.org/wiki/Astroturfing
They are pretty much the opposite of an astroturfer, they mentioned several times in the comments that they are an active supporter/community member of GrapheneOS. So, they are not hiding and they are grassroots participants.
Please avoid personal attacks on HN, even more so when they are incorrect.
I am an active chatroom member, and many people see me there on a regular basis. I choose to volunteer my time, and am not paid or compensated in any form.
Classic OAD (Obvious Asshole Disorder)
You just have paranoid schizophrenia and are attributing imaginary things to random people you don't like.
"I can't believe you wrote this terrible code. You clearly don’t understand how concurrency works. Do it again."
Technically right, but when you run out of people who actually want to work with you, you'll be writing the code yourself.
GOS only defends themselves from attacks. It's not that they are misinterpreting what is an attack, there are really just that many attacks. It leaves little room for much else than defense. Nobody should have to deal with the inhumane level of attacks.
Barely any comments about the linked thread which is about Wired publishing an article that was extremely poorly researched after having misled GrapheneOS about the intention and content of what would be published. This seems like the sort of thing that should earn a disclaimer on future Wired articles as worthless and get them removed from RSS feeds/have subscriptions cancelled. Complete lack of integrity and respect for standards. Why did they not interview anyone else involved in the project or around at the time?
This Micay guy spends so much time and does something hugely beneficial and we're arguing about how he responds to criticism?
I'd rather direct and blunt rather than the weasel words and lies most companies put out.
I'm much more concerned with companies that claim to support LGBTQ+ and then stick a flag up for 10 minutes once a year, or companies who make 10% of their workforce redundant because they want to pay themselves more, or companies who on one hand support green initiatives and then behind the scenes do the complete opposite.
I'm more concerned that Signal incorporated in US is having easy life.
To add - ironically, it was Durov (Telegram founder) who got arrested in Paris.
https://www.youtube.com/watch?v=48Kk7kobMQY
Not saying Durov is perfect but the video you linked is about a guy who has all his assets in Russia while Durov has none.
https://curia.europa.eu/site/upload/docs/application/pdf/202...
https://www.ft.com/content/36a37387-cb71-4851-a56f-de2571d52...
Also, I disagree with Durov having no assets in Putin’s direct reach.
https://istories.media/en/news/2024/08/27/pavel-durov-has-vi...
The man looks on photos like he genuinely loves his long-term girlfriend and the three kids he has with her. Kids are stupid tho. They climb on everything and fall out of windows frequently.
(Durov himself is known to regularly visit Russia, while denying he ever visits Russia. Telegram opened a Dubai office claiming that it was now a Dubai-headquartered company, but that was a mere legal formality; no one was actually there at that office, and journalists visiting it found that not even the building staff knew anything about Telegram. In practice, the company continues to exist out of Russia.)
"so anybody going knocking on incorporation addresses in Dubai" The point is that Telegram has repeatedly countered claims that it is a Russian app with "Actually, Telegram is a Dubai company". People reasonably interpret that as more than a mere incorporation address, and it isn’t being emphasized enough that development is still largely done from Russia, and servers are also located there.
They Built a Legendary Privacy Tool. Now They're Sworn Enemies https://www.wired.com/story/they-built-privacy-tool-graphene... (https://archive.ph/pbJu9)
P.S. I avoided making any statements about what I personally think about Micay and the GOS team's behaviour above because I don't use it and have never looked into it before reading this article, but from looking at the comments, the WIRED article, the forum thread linked in this post, and some cursory research, it just seems like they are a popular software project that is at odds with many powerful actors with obvious motivations against their existence and popularity - if they are constantly combative online instead of being friendly, don't you think part or all of it may be because they have to defend themselves against attacks instead of having the freedom to be friendly like say SQLite/FFMPEG/Rust/other free software projects? I'm admittedly new to HN but this entitlement and refusal to empathise with the people giving you free shit seems insanely out of character
It’s sad to see this childishness around what should be an important project.
Spoiler, it’s great, and will continue on.
All the people basically defending this or saying it's not an issue only makes it worse.
It's a perfect example of the problem: a founder is a leader, and a leader's behavior spreads and can infect the team and community.
Being okay with someone being unhinged while defending themselves over and over again hardly seems divisive.
Maybe you can frame your objection better?
Genuine question: are you familiar with the controversy of how Linus Torvalds used to frequently operate at the helm of the Linux kernel fiefdom?
I get the sense a lot of people care about this project and care about defending it but good luck against the propaganda and bullshit like this that comes along with it.
I really enjoy GOS and used it as a daily driver for ~3 years
I wouldn't be surprised to see a "Show HN: I made 1000 accounts with more than 20,000 karma with Claude Opus 6.7" in the future
See the attacks on GrapheneOS and even other privacy projects trying to make them look like they are designed for criminals. Even French law enforcement took part. We have shared these details publicly and even with links to articles with quotes. There was even news about authorities in Spain assuming anyone with a Pixel was likely a criminal.
Months ago, we saw tons of reports of organizations reporting hacking GrapheneOS without any evidence or links to court cases. We never claim that GrapheneOS isn't hackable, but we still haven't seen any credible evidence showing forensics companies were able to hack it.
These are just a few examples of how GrapheneOS is being attacked. Again, we're not the only ones.
It's also important to note that GrapheneOS has many project members. GrapheneOS isn't a one man show.
Our responses to these things are not out of paranoia. We want our users to know what's going on, so we keep them informed. What's wrong with that?
When you have years-long public forum dox threads dedicated to doxing you with people openly calling for your physical harm, all with some non-zero degree of complicity and/or support by a YouTuber with millions of subscribers, let us know if it still seems like paranoia to you.
[1] https://news.ycombinator.com/item?id=47868159
I am a GOS community member and I have been for several years. I am active in the GrapheneOS chatrooms, and I choose to volunteer my time assisting others.
I was personally involved in a story they did in 2015 that was paid for by a three letter gov agency to bad mouth a company's tech into changing. I know only a few of their tricks, and they’re dirty as hell.
For contrast, Signal is a very secure messenger which also wants to be user friendly so as to get the largest user base they can, which leads to all kinds of compromises - everything that’s come out that looks like a vulnerability in Signal originates in some feature or capability added to make the product more user friendly. Graphene will not make those trades.
Neither approach is de facto right - they spring from fundamentally different philosophies on how to maximize user safety, and both have been extremely successful in their missions, but you’ve gotta recognize what you’re looking at when you look at Graphene.
These things are not mutually exclusive:
You can make a great technical product while being friendly. You can make a great technical product while not being friendly.
You can make a compromised or flawed technical product while being friendly. You can make a compromised or flawed technical product while being unfriendly.
This comes up pretty often in other HN threads, unrelated to Graphene. There's this weird personality type who insists that they aren't legally obligated to be friendly or nice or pleasant, therefore it's fine for them to be unfriendly or jerks or unpleasant.
Going it alone is that nineties libertarian romanticism, a persistent self-destructive tendency that in present market conditions is unsustainable
Their allies seem securely in place.
Their popularity and project support have never been stronger…
and they’re partnering with a (popular!) hardware manufacturer.
https://motorolanews.com/motorola-three-new-b2b-solutions-at...
Respectfully, what are you talking about?
It's worth actually reading the linked post. Relevant segment:
> In 2018, matters between Micay and Donaldson came to a head over Donaldson’s desire to pursue business deals with criminal organizations, and his attempts to compromise the security of CopperheadOS, including by proposing license enforcement and remote updating systems that would allow third-parties to have access to users’ phones. As part of this process, Donaldson began to demand that Micay provide Donaldson with the “signing keys” - i.e. the credentials required to verify the authenticity of releases of CopperheadOS. Donaldson advised that, in order to secure certain new business, potential customers required access to the Keys.
> The keys had been in continuous use by Micay, in his personal capacity, since before the incorporation of Copperhead. However, more importantly, any party with the keys could mark malicious software as “authentic”, and thereby infiltrate devices using CopperheadOS.
> Micay was unwilling to participate in that kind of security breach. Since Donaldson had control over certain infrastructure for the open source project, he would be able to incorporate (or hire others to incorporate) the privacy-damaging features described above for all future releases of CopperheadOS. Micay therefore deleted the keys permanently and severed ties with Copperhead and Donaldson.
Me? I was a CopperheadOS user from the 2021 rebuild era before GrapheneOS existed in its state. All I've seen from GrapheneOS and Micay are claims without evidence and over-moderation of points they don't agree with.
Deleting signing keys under threat of a hostile takeover is the responsible thing to do.
Still a user though.
The issue is criticism is often used as an excuse to conceal attacks.
It may be the case that Daniel and the project are so under siege that they need to take a hostile attitude toward some of the people they interact with as a matter of self preservation. They may have no other option. But taking this posture while also being fair to all of the people around them (i.e. some people who aren't actually attacking them) may be difficult or even impossible. I can see this behavior in myself sometimes. I just don't have the energy to be fair. "F U".
I wouldn't want to see friendly corporate slop either. I appreciate how down to nuts and bolts the communiques are on Mastodon and how deadly serious they take everything. That part of the communication style makes me trust them more.
I think a good step in the right direction might be acknowledging that being defensive necessarily leads to erring on the side of assuming bad faith rather than good, which leads to some mis-judgements. So far you said that GrapheneOS is open to all criticisms, which (though I haven't followed the space very recently so my memory on specifics is hazy) just does not seem to match my interpretation. I think that if we were having this conversation on Twitter or Mastodon, Daniel would have blocked me by now (if he hadn't already blocked me years ago).
Take your reply as an example, the GrapheneOS accounts are managed by multiple people, so the fixation on one specific project member may not even be accurate to the discussion. Having one's character attacked is immensely harmful on its own, but being attacked for something one may not even be doing is also immensely harmful.
The unfortunate reality is that people tend to believe the first thing they read, and without something countering it, will roll with it, intentionally or otherwise. So countering misinfo efficiently and quickly is vital.
GrapheneOS has multiple people helping out. Many developers as well as people who help out with non-development work. It's a big claim to say that the whole team is unstable.
I'd suggest reading the article again. Considering the situation, the part about deleting the keys should be a good sign for anyone reading it. It shows that the project's leadership cares about doing things the right way. Members of the team are similarly dedicated to helping build and support an OS that improves people's privacy and device security, not to scam users by making a flashy product and rake in cash. Or, in Donaldson's case, work with shady companies and even possibly criminals.
Privacy and security projects like GrapheneOS are important considering the political landscape these days. People really need to stop repeating inaccurate claims about us, like that we're criminals, unstable, crazy, etc.
Sometimes they aren't even factually correct and get a bit upset about it when called out.
Anyways, I have gotten the same impression and these seem like red flags to me as well.
Which is why I'd take everything in that response with a mountain of salt (and I'd pay attention to what they're not saying).
Example: https://news.ycombinator.com/item?id=47247016
However your example is unrelated. Their arguments were rather reasonable and informative in the discussion you linked to. So I don't complain about that anymore.
Hardware kill switches are nice-to-have, but they are significantly less important than the OS actually protecting the mic. With your Librem/PinePhone, you cannot even reasonably expect your calls with end-to-end encrypted apps like Signal and Element to be protected. Any app with access to the PulseAudio socket (which happens to be anything that you want to have audio playback with) can snoop on your mic at any moment in time. This does not even require an OS compromise.
This has been pointed out to you repeatedly and yet you choose to ignore it, and instead you just do character assassination whenever a post regarding GrapheneOS or Daniel Micay shows up because what Micay says goes against your favorite ideological products...
I said multiple times that I exclusively run trusted apps on the phone. I use Qubes for untrusted stuff. Do you understand that threat models can vary?
> Hardware kill switches are nice-to-have, but they are significantly less important than the OS actually protecting the mic.
I never said they were more important. I only said they could reliably protect in sensitive cases.
> instead you just do character assassination
I choose to dispute false information. I don't care about any personalities. And I would be happy to be proven wrong, too.
By that logic, you might as well just not have the killswitch at all. Everything is magically "trusted", right?
Yes, I do understand that threat models can vary. Please give an example of a threat model where it makes more sense to use a phone which cannot protect any private calls over a functioning phone that has real protection.
If you are going to say "oh, when you never talk on the phone at all" then you might as well just remove the mic. It's not hard.
As usual, there is nothing that GrapheneOS or Micay says regarding the Librem or Pinephone that is inaccurate. You are just saying stuff that doesn't even remotely make any sense. Perhaps you are being deliberately disingenuous. Perhaps you are just so blinded by an ideology that you cannot see that what you say is just nonsense. I wouldn't know.
> I choose to dispute false information. I don't care about any personalities.
Doesn't seem to be what you are doing here.
This is completely false:
> Their microphone kill switch also doesn't prevent audio recording
It doesn't prevent audio recording in the super paranoid "oh, the whole phone has been compromised" scenario because it is bypassable via the sensors.
In fact, it doesn't even protect the phone in normal operation, because apps with device=all can access the sensors without the whole phone being compromised.
It doesn't prevent audio recording with any normal usage either because the OS is incapable of protecting private conversations thanks to the PulseAudio socket. "Exploiting" this is significantly easier than any of the stuff involving the sensors.
Did you even look in my link, which we are discussing? My quote from there:
> Sensors are also switched off on Librem 5 by the three kill switches: https://puri.sm/posts/lockdown-mode-on-the-librem-5-beyond-h...
Does that really sound like a functioning "killswitch"?
On a long enough timeline he'll probably cite this comment chain as proof you were unable to respond to his concerns, like everyone else who's ever tried.
Unfortunately he will just ignore every single counter argument ever made and blindly believe these companies because their marketing material has "freedom" and "FOSS" in it.
I did reply to them plenty of times. Here you go doing the exact same thing again - ignoring 100% of what's being said, then claiming "no one can respond".
> You only talk about the lack of security of Pureboot and never showed the code breaking it.
If you think a piece of code is needed to understand why it's a joke, then I don't even understand what is wrong with you. LMAO. The whole thing is conceptually botched, and they pretty much admitted as much.
1. Boot block performs measurements of itself, its settings and everything down the chain for attestation.
2. There's nothing protecting the boot block.
3. A malicious boot block can lie about measurements.
4. If the goal is to defend against an attacker who tampers with the BIOS chip - then it fails at doing so miserably because an attacker can just use a boot block that lies about the measurements.
Seriously, what good is showing you the code if you don't even conceptually understand how the thing works?
You know, there is a famous saying: A farmer does not need to know how to lay eggs to know whether an egg is good or bad. In our case, the egg is already rotten from the get-go. This is not a "Ohhh something has such bad code I can attack it using XYZ method, wait and see!" situation. This is a situation where "Your logic doesn't even make any sense to begin with."
Perhaps, just perhaps, you can benefit from just spending 5 minutes thinking a bit about how the whole thing actually works at a very high level and read what I said above.
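The four-step argument in the comment above, as a toy model added here for illustration (it is not code from the thread or from any firmware project). It shows why a boot block that measures itself attests "clean" even after it has been replaced, and why the result changes once something outside rewritable flash measures the boot block first; the region names, the constructed byte strings and the `immutable_root` option are assumptions of the model.

```python
import hashlib

PCR_INIT = b"\x00" * 32  # PCR value at reset
ORDER = ("boot_block", "settings", "payload")

# Constructed stand-ins for firmware regions; not real images.
GOOD_FLASH = {
    "boot_block": b"boot-block v1 (constructed)",
    "settings": b"boot settings (constructed)",
    "payload": b"kernel + initrd (constructed)",
}
TAMPERED_BOOT_BLOCK = b"boot-block modified (constructed)"


def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA-256(PCR_old || SHA-256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def honest_boot_block(flash: dict, pcr: bytes) -> bytes:
    """Step 1: measure what is really in flash, the boot block included."""
    for region in ORDER:
        pcr = extend(pcr, flash[region])
    return pcr


def lying_boot_block(flash: dict, pcr: bytes) -> bytes:
    """Step 3: ignore flash and report the measurements of the good images."""
    for region in ORDER:
        pcr = extend(pcr, GOOD_FLASH[region])
    return pcr


# Which code runs is decided by which boot block sits in flash (step 2:
# nothing stops the boot block region from being rewritten).
BEHAVIOUR = {
    GOOD_FLASH["boot_block"]: honest_boot_block,
    TAMPERED_BOOT_BLOCK: lying_boot_block,
}


def boot(flash: dict, immutable_root: bool) -> bytes:
    """Return the final PCR value after one simulated boot.

    immutable_root=True models the assumption that code outside rewritable
    flash measures the boot block before handing control to it.
    """
    pcr = PCR_INIT
    if immutable_root:
        pcr = extend(pcr, flash["boot_block"])
    return BEHAVIOUR[flash["boot_block"]](flash, pcr)


def attests_clean(flash: dict, immutable_root: bool) -> bool:
    """Verifier's view: does the PCR match the value recorded for good flash?"""
    return boot(flash, immutable_root) == boot(GOOD_FLASH, immutable_root)


def run_scenarios() -> dict:
    """Map each scenario to whether the verifier would accept it as clean."""
    payload_only = dict(GOOD_FLASH, payload=b"payload modified (constructed)")
    both = dict(payload_only, boot_block=TAMPERED_BOOT_BLOCK)
    return {
        "clean_self_measured": attests_clean(GOOD_FLASH, False),
        "payload_tampered_self_measured": attests_clean(payload_only, False),
        "boot_block_tampered_self_measured": attests_clean(both, False),
        "clean_immutable_root": attests_clean(GOOD_FLASH, True),
        "boot_block_tampered_immutable_root": attests_clean(both, True),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:40s} accepted as clean: {accepted}")
```

Only the scenario with a measurement taken before the boot block runs rejects the replaced boot block; the self-measured chain catches a changed payload but not a changed measurer.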
But as you consistently slide any adjacent topic you can into a discussion about the Librem 5 (no matter how tortured a segue), let's go with that and revisit it.
I looked at your puri.sm link, and it mostly served to lower my estimation of the Librem 5's kill switch system. You can't disable the sensors in a trustworthy way without disengaging every kill switch at the same time, entering it into their Lockdown Mode. At that point it's just a still insufficiently air-gapped, highly underpowered Linux device which remains poorly secured against other side-channel attacks. The speaker which, by everything I could find, is still functional, the OS remains poorly secured against software attacks, it lacks proper hardware security, and so on.
It fails in terms of human factors, too. Joe Consumer thinks flipping off the mic switch prevents audio recording, but it doesn't in multiple regards. Even putting it into Lockdown Mode doesn't disable the speaker, which can be used to record audio despite your insistence that the device is fully secured when all switches off. Speakers can also be used to exfil data over short distances, demonstrated to work through walls.
Poor misinformed Joe Consumer is also still left with the same issues the other commenter has already identified in terms of the difficulty of securing any Linux computer.
But that's okay, because you only run trusted software. Until one of those trusted pieces of software include a compromised library, which happens often. You are, at that point, relying on the OS and its relationship to its hardware, which, flawed switch system aside, is highly insufficient. The device offers very little protection at that point. You know all this because you run Qubes OS, but hand-wave that away by appealing to trusted software as soon as the Librem 5 becomes the subject.
If I was modeling threats around protecting sensitive files on the device, not falling victim to attacks that could record audio and/or exfil data or otherwise leak, I'd still go with GrapheneOS on a Pixel 8 or later.
The Librem 5 wins for anyone who just wants a phone which runs Linux (which is a great thing and I wish we had more options which did that), but the security theater of that device is just goofy from top to bottom, as are its more vocal and less reasoned supporters. If one's threat model is, one sometimes wants to be able to turn off all radios and sensors, leaving the speaker functioning, with an otherwise poorly secured device, then, great. It's the device for you. But it's a threat model which will be practically beneficial to very few people, if any.
If your holy grail is having the radios off without other hardware or software considerations, great, you've found the phone for you. It's a brilliantly marketed device for well meaning but poorly informed people with underdeveloped threat models, and, I guess, for someone in your situation who's happy to make all of the above compromises to be able to physically disconnect radios.
Do you always enter Lockdown Mode before typing anything sensitive, due to the attack vector they highlighted about deriving typed data via sensor data? ('No, because I only run trusted software.' See above.) You literally can't disable the sensors without disabling all radios. They acknowledge that sensors are an attack vector worth addressing, yet don't put sensors on a discrete circuit. Like I said, great marketing. Otherwise pretty goofy.
Would I complain if the upcoming Motorola GrapheneOS phone had physical hardware switches? Sure, I'd take an additional layer of containment if all of the fundamentals are addressed properly.
But your argument is like bolting the world's best seat belts onto a motorcycle, and never missing an opportunity to tell the world about your belts, wonderful though they truly are.
Everything else is pretty much the argument though - who buys a phone with a microphone killswitch so good that for it to actually function you must also flip the other killswitches to kill both wifi and cellular connection? A microphone killswitch so impeccable that in order for you to not be snooped on you also have to give up texting and browsing the internet. Truly impressive stuff.
strcat said the opposite.
We can't be both right. According to the docs and schematics, I'm right. You need a really good proof for the opposite.
I don't even feel like arguing against the absurdity of your arguments anymore. This is my last attempt at dumbing it down a notch:
A "microphone killswitch" is supposed to protect the user against having their convos being snooped on when it's toggled and still be able to use the phone in a meaningful manner. A "microphone killswitch" that doesn't really function on its own and requires turning the entire device into a brick is non-functional for all practical purposes.
I might as well just invent a "microphone killswitch" that requires people to pull out the battery to make sure that they are not snooped on at that point.
LOL, it's hard to imagine a more ridiculous and self-contradicting statement than this.
1. It's just physically impossible to defend from tracking, when the phone has networking connections on. Not even on all-mighty GrapheneOS.
2. I am using a phone with the kill switches off in a meaningful manner all the time. It is a full computer running a desktop OS and can run any apps, including listening to music from a microSD card, reading saved text/pdf files, showing presentations with original LibreOffice, programming in any language with standard tools, and so on.
3. Even though the phone in the lockdown mode (with all three kill switches off) has no connections, if I'm ever in an emergency and need some help, I can turn the phone functionality back on and call for the help I need. Obviously, privacy in such case would be secondary after health.
4. Unlike for GrapheneOS, there is no way to hack my kill switches for any money. I can be 100% certain that they work as intended, even if a state actor is against me. Yes, everything else might be compromised in such case but not the tracking and listening to me when I need true location and microphone privacy.
>> Their microphone kill switch also doesn't prevent audio recording
More dangerous advice. The microphone kill switch prevents audio recording via the mic, not via the sensors or speaker. A Librem 5 user needing to secure against audio attacks would need to switch all kill switches off, not just the mic one (by Librem 5's own estimation), but would still be vulnerable to the speaker.
The effect of your participation in threads about projects you claim to care about is harmful. Please do better.
This is indeed a misunderstanding, again. Reliable protection is possible - this is all I wanted to say. Not everybody means "all sensors" when they say "microphone". I took the phrase literally.
Hardware kill switches need to be correctly implemented. A kill switch cutting off mics and not sensors or speakers is incomplete and privacy theater.
Not to mention kill switches assume the device is already compromised, at which point everything on it is likely compromised as well.
I never mentioned Pinephones, although I do believe that the attack on them is still too harsh. Their security is about as good as the one for Linux. And it's not exactly "atrocious". Especially if you only use software from the official repositories. Let's agree that it should be improved though. (I prefer Qubes OS myself.)
> Hardware kill switches need to be correctly implemented.
Are you saying they aren't for Librem 5?
> A kill switch cutting off mics and not sensors or speakers is incomplete and privacy theater.
I explained in the link above that cutting all sensors is exactly what happens if you choose it.
> Not to mention kill switches assume the device is already compromised
This is not accurate. Kill switches imply that even if the device is compromised (which you can never 100% verify, even on GrapheneOS), your location etc is still private, when you need it.
I would go on a stretch to say that people that express themselves naturally, without detour, are maybe more trustful than the usual silver-tongued corpo.
(But, if you ignore the rants, that's a fantastic OS.)
https://grapheneos.social/@GrapheneOS/116442796907613215
https://grapheneos.social/@GrapheneOS/116442754144530576
https://grapheneos.social/@GrapheneOS/116439834987996043
https://grapheneos.social/@GrapheneOS/116439798112845463
https://grapheneos.social/@GrapheneOS/116439747793648606
(the linked post in Mastodon is the one displayed with a bigger font, not necessarily the first at the top of the page.)
Other organizations having the resources to continue despite the damage does not mean GrapheneOS can or should deal with the damage it causes. That makes no sense and it's excusing horrible behaviour from attackers. They aren't rants, the truth just often requires more words than a lie, such is the nature of computer science.
You are very much saying that OP is an attack post.
Or at least implying the point that it is tonally dissonant to claim otherwise.
If you didn't believe it was wrong you would comment on the post but you are explicitly avoiding doing that.
I ask because I'd be pretty disappointed in GrapheneOS over that kind of thing and it'd probably at least partially change my opinion of them, but it's better to validate these types of serious accusations and get the full context.
I like the product, and even recommend GOS to those who want a hardened phone OS. But goddamn, their social media gives me major red flags and I hate remembering that they exist.
I genuinely think that the information in this post is accurate, and at the same time, I think that it is painted in a way that feels off. Like the data is correct, but there are aspects that are clearly emotionally manipulative and combative.
I also have had some less than great interactions with GrapheneOS devs, when I was not seeking out interaction from them on social media (they came to my post and were combative) and played victim that I bullied them and was in league with the harassment campaign when I just asked them to leave me alone.
Overall, I just think that GrapheneOS is a good product, but unless you want to join their cult, just never talk about it neutrally or negatively unless you are ready for weird interactions.
#2 on the other hand sounds unhinged, though no source is provided. Threatening legal action for broad criticism of project management is wild.
Attacks against GOS have not been quiet for years, attacks have still been ongoing during that time.
not enough people talk about how software projects also offer up a similar kind of atmosphere: you're suddenly hyperconnected with a whole bunch of humans you don't know and are receiving feedback from people outside of your immediate community. "hackers" for all the interesting ways they've contributed to computer science over the decades also have branches spawned from the original chronically-online, highly-opinionated and sort of antisocial and poorly adjusted sects of civilization. being the face of a project is like pouring rocket fuel on whatever predispositions you might have, and on more than one occasion we've seen people go from occasionally unhinged person to seriously unhinged.
this comes with a lot of bad outcomes for quite a few people, primarily it always has some serious amplification qualities to egos and narcissism. and for genuinely good and kind people who are just trying to share their value/contributions and are suddenly jettisoned into spotlights, we often see them suddenly step back and discontinue work on a project entirely.
we often see these departures and think solely "must be burn out" and don't put much more thought into what that means. but we don't do enough to frame how software projects just elevate people into a position that most people don't do a good job in mentally and socially, and how it deteriorates the pieces of them that make them feel like they're valuable members of a community/tribe. some have luck making their project communities their tribe, but that's obviously a risky step to take. for many who have a successful project, sometimes it starts as the most validation they've ever received and then they don't know how to reconcile with the exponentially-widened audience when negative reception starts pouring in.
daniel micay is just one of like.. many in these sorts of projects i've seen who are simply unfit for the role. for many reasons, i don't think he's a pleasant person at all. i don't have any answers here. i also see this in homebrew scenes for gaming, it's like my least-favorite human petri dish of software development enjoyers. lot of oddball developers in that space and quite a lot of incredibly dramatic fallouts and theatrics that seem to come with the anonymous nature of not tacking your real name / identity to a project, and a consuming audience that has zero idea what goes into development so the negative feedback/demands that come in are in their own way unhinged.
We have all of the parasocial behavior from bystanders as well. Cult mentalities and hero-worship. It's quite a strange phenomenon.
He made it sound like Daniel was going crazy on him for no apparent reason over a single comment he posted on the Techlore video when for one, we were wary of him already due to past disagreements and, more importantly, that very video is responsible for the swatting attacks that were aimed at getting Daniel killed by law enforcement. The swatting attacks were carried out by someone who loved the Techlore video a little too much. Do you see where I'm going? Rossmann had voiced his support for the very video that is responsible for the attempted murder on Daniel's life, I reckon you will understand that Daniel was upset over this.
Not much time had passed since these attacks took place so Daniel messaged Rossmann to figure this out and explain to him what this was all about. In private mind you, whereas Rossmann decided this was peak content and live streamed it while the chat was still taking place. Any human being with a basic sense of empathy and decency would have not done this since it was obvious that Daniel was in a bad headspace.
Yet he did so anyway. I guess that's not all too surprising given it was an excellent catch for his following on Kiwi Farms which he caters to.
(I know one historical connection that looks suspicious, but it could be explained by the fact that prestigious social network graphs in the US tend to be incestuous, and a closely-connected world.)
A quick Google search shows that you've been attacking Daniel for a long time using this account. You complain about moderation and astroturfing and I find tons of posts by you attacking Daniel. You clearly have some sort of weird vendetta against him. Don't pretend to want a "good healthy discussion" when all you seem to be interested in is attacking him further.