The Rittenhouse Trial

Because I started my blogging “career” as a gun blogger, the fact that I haven’t posted about the Rittenhouse case may have surprised a few longtime readers. However, I chose to refrain from commenting about it because I wanted to have access to all of the evidence before making an ass out of myself (better to be an ass who analyzed the evidence than an ass who didn’t).

Fortunately, the entire trial was livestreamed. Rather than listen to my usual assortment of podcasts while I worked, I opted to listen to the livestream of the trial. This gave me the opportunity to hear both the prosecution’s and defense’s cases. Based on the cases put forth I agree with the jury’s decision to find Rittenhouse not guilty on all charges.

A quick browsing of Twitter shows that a lot of people disagree with the jury’s verdict. It also shows me that many of the people expressing the strongest opinions, as is the tradition of online debates, didn’t watch the trial and misunderstand how the justice system in the United States is supposed to work (which is different than how it often works).

Let’s start with what I consider to be one of the most important characteristics of a functional justice system: presumption of innocence. When the state brings charges against an individual, the individual is assumed to be innocent. This means that the burden is placed on the state to prove the individual is guilty beyond a reasonable doubt. If you watched the trial, you saw how weak the prosecution’s case was. By the end of the trial the prosecution was leaning almost exclusively on video captured from a drone. The prosecution claimed that the video showed Rittenhouse aiming his rifle at people. This according to the prosecution proved that Rittenhouse instigated the situation and therefore lost the right to claim self-defense. Setting aside the minutia of self-defense law (what qualifies as instigation, when you lose the right to claim self-defense, when you regain the right to claim self-defense, etc.) the drone footage didn’t conclusively show Rittenhouse aiming his gun at people, which means the evidence didn’t prove the prosecution’s argument beyond a reasonable doubt.

I’m highlighting the drone footage because it allows me to segue into another point: trials have rules. A lot of rules. One rule is that the defense must be given access to the prosecution’s evidence. The prosecution provided the defense with a compressed copy of the drone footage. The defense brought this up in trial. A lot of online publications tried to make this sounds like the defense was desperate, but it was raising legitimate concerns about artifacts that are introduced when video files are compressed. Miraculously the prosecution produced a higher resolution version of the video footage and asked to show it to the jury… without first give the defense reasonable time to analyze it. This lead to the defense filing a motion for mistrial. Again online publications tried to make the motion sound like a desperate last ditch effort by a losing defense, but in actuality the motion was filed because the prosecution broke the rules.

This segues into a third point. Judges are basically referees. They ensure both the defense and prosecution (as well as everybody else in the courtroom) play by the rules. A lot of people accused the judge of (amongst other things) being biased in favor of the defense. Having watched the trial I can’t agree with those accusations. The judge came off to me as being pretty fair. Some of his actions did favor the defense, but some of his actions also favored the prosecution. The most obvious action he took that favored the prosecution was not declaring a mistrial (I believe the motion for a mistrial had merit and the judge would have been well within his rights to declare a mistrial).

These are just a few highlights that I chose to explain some of the important features of a trial. In truth the prosecution made a pitiful showing. Not only did it bring a weak case, but it violated some major rules (bringing up the fact Rittenhouse choice to exercise is Fifth Amendment right, which is a big no-no for a prosecutor, being one of the more egregious violations).

So, despite what many Twitter users seem to believe, a criminal trial is not meant to be a mere formality that enacts the desires of the loudest majority. It’s meant to be a strictly defined process to determine whether a person is guilty of a crime. While you’ll find no shortage of criticisms of the United States justice system coming from me, in this case I believe that the trial was executed more or less appropriately and the verdict was correct based on the arguments made by the defense and prosecution.

What annoys me most about this case is that even though the video footage of the entire trial is readily available on sites like YouTube, people will continue to spout falsehoods about it and the events that lead up to it. I still see a lot of tweets claiming that Rittenhouse illegally crossed state lines with his rifle or was illegally in possession of the rifle because he was a minor (those who watched the trial know that neither statement is correct). I also see a lot of tweets accusing the judge of being biased or a white supremacist (which mostly derive from a joke he made about Asian food that was actually, and pretty obviously in context, a joke about the current supply chain issues). Nothing the judge said during the trial leads me to believe he’s a white supremacist (and considering all three of the individuals Rittenhouse shot were white, I’m not sure why this is something people are wasting so much bandwidth arguing) and, as I wrote previously, his actions didn’t indicate any obvious bias.

Preparing for Bad Times

It’s obvious that inflation and shortages are long term trends, not short term “transitory” states as claimed by the current rulers and their mouthpieces in the mainstream media. If history is any indicator, we’re moving towards bad times. However, the effects of bad times can be mitigated with a bit of planning and preparation.

I’m guessing a large percentage of people reading this have been preparing for bad times for a while. If you have been, good on you. You were smart. If you haven’t, don’t worry. There’s still time. Although most goods are harder to come by than they were two years ago, necessities can still be readily had in most places (although you may have to go to several stores to get everything on a list).

If you haven’t been, this post is a primer for you. It’s not all encompassing. It’s a bullet point list meant to get your started.

Creating a Plan

During the first wave of lock downs people snapped up toilet paper and frozen pizzas like they were gold. They did this because they realized that they needed to “do something” but didn’t bother to develop a plan.

When preparing for bad times, you want to allocate resources where they will do the most good. Having a stockpile of toilet paper is good, but all the toilet paper in the world is worthless if you don’t have any food. The first step of developing a plan is identifying what you need. The most immediate needs of a person are water, food, and protection from the elements (shelter and clothing). If you want to avoid disease, you will also need a hygienic environment and medical supplies. I suggest starting with these categories.

Water

Water availability will differ from region to region. If you live in a desert, you will need more stored water than somebody who lives near plentiful fresh surface water (in which case filtration can be an alternative to storage). Unless the water coming out of your tap is poisonous (in other words what I’m writing doesn’t apply if you live in Flint, Michigan), I’d suggest storing tap water over buying bottled water from a store. Do keep in mind that filling random containers with water isn’t sufficient. You need to store your water properly if you want it to last.

Food

Judging by availability immediately after the lock downs, a lot of people believe they can eat frozen pizzas forever. Setting aside the dubious nutritional value of frozen pizzas, putting all of your eggs in one freezer isn’t a smart long term plan. Freezers require electricity and can breakdown. If electricity is unavailable for an extended period of time or your freezer suffers a mechanical failure, everything stored in it will thaw and spoil. You can mitigate the risk of power loss with a generator (so long as fuel is available), but you can’t mitigate the effects of a breakdown unless you have a backup freezer (two is one, one is none). I don’t want to discourage you from making frozen food part of your plan, just don’t make it your entire plan. Having a backup plan for your backup plan is never a dumb idea (again, two is one…).

The good news for your preparedness plan is that there are options in addition to frozen food. Canned goods are the most obvious. Canned goods in good condition can last for a very long time if properly stored. Dry goods are also worth adding to your plan. Dried beans, rice, pasta, etc. store well without the need for refrigeration. Specially prepared foods such as pemmican and hard tack also store well without refrigeration and can serve as alternative ways to store otherwise perishable foods like meat if a freezer isn’t available.

Before you run to the store and buy every can of Spam on the shelf, consider your current diet. If you don’t like Spam, buying pallets of it is foolish. Survival is the primary purpose of preparing for bad times, but there’s no reason you have to suffer to survive. Focus on buying foods you actually like to eat. This will make your life more pleasant in bad times and allow you to cycle through your stockpile during good times (more on that in a bit). Moreover, buy a variety of foods you like to eat. That will allow you to mitigate appetite fatigue (the point where you become so sick of eating the same thing that you can no longer choke it down even in a survival situation).

Protection from the Elements

I’m not going to spend much time on this. You need appropriate living arrangements to both protect yourself from the elements and to store your necessities. Proper clothing for where you live is also necessary (for example, if you live in an area with harsh winters, make sure you have clothing that will protect you from those conditions).

A bug out destination can be included in this category. Depending on the type of bad time you’re experiencing, your home may not be safe.

A Hygienic Environment

Medical care may be limited or unavailable during bad times. That makes getting sick more dangerous. The best way to avoid sickness is to maintain a hygienic environment. You want to have sufficient cleaning supplies to keep your home clean. That means supplies to sanitize where you prepare your food, supplies to prevent mold from growing in your bathroom, and supplies to keep your clothing and body clean.

This seems to be the most often overlooked part of a preparedness plan. Most people remember food and water, but often forget soap, laundry detergent, bleach, etc. Don’t be one of those individuals or all the water and food you painstakingly stocked will be wasted.

Medical Supplies

Speaking of illness, make sure you have stocks of basic medical supplies. Bandages, gauze, medical tape, tourniquets, disinfectant, etc. are all good things to have and usually store for a long time. Again, medical care may be limited so you may have to fend for yourself if you are injured. Moreover, try to stockpile any medications you need (this can be hard because the state artificially restricts access to prescription medications).

Pets

Do you have pets? Do you want them to survive bad times? If so, makes sure you stock supplies for your pets as well. How easy this is will depend on the kind of pets you have.

Cycling Stock

Instead of building a stockpile and forgetting about it until bad times hit, you should use and replace items from your stockpile during good times. For example, if you have a recipe calling for green beans, pull a can of green beans from your stockpile and replace that can with a new one. This serves two purposes. First, it guards against spoilage by limiting the amount of time any good is stored. Second, it increases your chances of discovering spoiled stock when it can be readily replaced. A can of rancid meat is less of a problem when you can go to the store and buy a replacement than it is when canned meat is unavailable.

Allocating Resources

So you put together a plan, crunched the numbers, and realized that this is going to cost a lot of money. Don’t be disparaged. You don’t have to buy everything immediately.

Your plan should be prioritized. This can be done by asking some simple questions. What items do you need immediately? What items can be acquired cheaply? What items will require saving money to acquire? What items are more readily available?

Obviously items you need immediately should be prioritized. If, for example, you were one of those individuals who stockpiled toilet paper during the beginning of the lock downs and still have several months worth in stock, toilet paper should have a low priority. You may want to prioritize items that you need and are already in short supply. For example, many of the recipes my wife cooks require coconut milk. We live in the Midwest where coconut milk is usually relegated to the “Asian section” of the grocery store, which usually has limited stock in the best of times. So coconut milk is prioritized higher on my list.

Items that can be acquired cheaply are good add-ons to your normal grocery list. For example, many canned vegetables can still be found for under a dollar a can (this is being written on November of 2021, if you’re reading this months after I wrote it, inflation may have made this claim look absurd). Adding a few cans of vegetables to your grocery list probably won’t break the bank. Over time a few cans here and there will result in a very comfortable stockpile. Keep an eye out for sales. If your grocery store is having a sale on an item on your preparedness plan, use the opportunity to stock up for less.

What about expensive items like generators and hiring and electrician to wire your house so you can connect your generator to your home? Budget for them. Save some money each month for the purpose of acquiring more expensive items.

Don’t Panic

Preparing for bad times is, in my opinion, a continuous process. If you do a little bit every week or month, you will be in a solid position surprisingly quickly. It’s easy to convince yourself that everything could fall to pieces tomorrow and panic. Remember that things seldom fall to pieces overnight. When you wake up tomorrow, there will likely still be food on store shelves and the money in your wallet will likely still be able to buy it.

Always On Microphones are Always On

Reader Steve T. sent me a link to story confirming my decision to not own smart speakers. A woman going by the name my.data.not.yours on TikTok (I guess this is the new hip surveillance social media network) sent a request to Amazon for all of the data the company had on her. The result? Exactly what you would expect (I sanitize the TikTok link embedded in the source so I’ll apologize here if it doesn’t work):

TikToker my.data.not.yours explained: “I requested all the data Amazon has on me and here’s what I found.”

She revealed that she has three Amazon smart speakers.

Two are Amazon Dot speakers and one is an Echo device.

Her home also contains smart bulbs.

She said: “When I downloaded the ZIP file these are all the folders it came with.”

The TikToker then clicked on the audio file and revealed thousands of short voice clips that she claims Amazon has collected from her smart speakers.

Smart speakers like the ones provided by Amazon have an always on microphone to listen for voice commands. The problem isn’t necessarily the always on microphone but the fact that most smart speakers don’t perform on-site audio analysis (or only perform very limited on-site analysis). Instead they record audio and send it to an off-site server for processing. Why is the audio moved off-site? Ostensibly it’s because an embedded device like a smart speaker doesn’t have the same processing power as a data center full of computers. Though I suspect that gaining access to valuable information like household conversations has more to do with the data being moved off-site than the accuracy of the audio analysis.

The next question one might ask is, why is the data being stored? This is why I suspect moving the data off-site has more to do with gaining access to valuable information. Once the audio has been analyzed and the commands to be executed transmitted back to the smart speaker, the audio recording could be deleted. my.data.not.yours discovered that the audio isn’t deleted or at least not all of the audio is deleted. But even if Amazon promised to delete all of the audio sent to its servers, there would be no way for you as an end user to verify whether the company actually followed through. Once the data leaves your network, you lose control over it.

The problem with Amazon’s smart speakers is exacerbated by their proprietary nature. While Amazon provides the source code necessary to comply with the licenses of the open source components it uses, much of the stack involved with its smart speakers is proprietary. This means you have no insight into what your Amazon smart speaker is actually doing. You have a black box and promises from Amazon that it isn’t doing any shady shit. That’s not much of a guarantee. Especially when dealing with a device that is designed to listen to everything you say.

Gun Control Continues to Fail

I’ve stated many times on this blog that gun control is futile because it’s impossible to control the production of simple mechanical devices. Guns aren’t like semiconductors. Today (however, this will change in the future) manufacturing semiconductors requires highly specialized equipment and knowledge. Guns on the other hand require only the simplest tools and materials to build. The knowledge isn’t specialized either. Books on the topic of gunsmithing are readily available and the information is easily accessible online.

Whenever I brought up these points advocates for gun control (and even some opponents of gun control) claimed that I was full of shit. To them I submit the following:

The proliferation of homemade “ghost guns” has skyrocketed in Los Angeles, contributing to more than 100 violent crimes this year, the Los Angeles Police Department said in a report released Friday.

Detectives have linked the untraceable weapons to 24 killings, eight attempted homicides and dozens of assaults and armed robberies since January, according to the report.

And police expect the problem to get worse, the report said.

During the first half of this year, the department confiscated 863 ghost guns, a nearly 300% increase over the 217 it seized during the same period last year, according to the report. Since 2017, the report said, the department has seen a 400% increase in seizures. That sharp jump suggests the number of ghost guns on the streets and such seizures “will continue to grow exponentially,” the authors of the report wrote.

This is nothing new. Just ask Brazil. But this is a good story to show that gun control can’t even succeed in a city with extremely restrictive gun control laws located in a state that also has extremely restrictive gun control laws. If people in Los Angeles can’t be stopped from manufacturing firearms, there’s no hope of any government entity controlling it elsewhere.

Nothing I said here is specific to firearms. Anytime a government attempts to outlaw a technology it only leads to the creation of a black market. The only difference between a legal and illegal technology is that manufacturing, selling, and buying an illegal technology carries additional risks. These risks are reflected in the higher prices charged by manufacturers and the amount of effort put into hiding them from authorities (whereas little if any effort is ever put into hiding legal technologies from authorities so it’s actually easier for authorities to track them). I’m sure law enforcement agencies and the mainstream media will make this into a big issue over the next few years. Their efforts will be wasted though because there’s nothing government can do to stop this.

One VPN Provider to Rule Them All

When somebody first develops an interest in privacy, the first piece of advice they usually come across is to use a virtual private network (VPN). Because their interest in privacy is newly developed, they usually have little knowledge beyond that they “need a VPN.” So they do a Google (again, their interest in privacy is new) search for VPN and find a number of review sites and providers. Being a smart consumer they read the review sites and choose a provider that consistently receives good reviews. What the poor bastard doesn’t know is that many of those review sites and providers are owned by the same company (a company, I will add, that is shady as fuck):

Kape Technologies, a former malware distributor that operates in Israel, has now acquired four different VPN services and a collection of VPN “review” websites that rank Kape’s VPN holdings at the top of their recommendations. This report examines the controversial history of Kape Technologies and its rapid expansion into the VPN industry.

If you’re not familiar with Kape Technologies, the linked report provides a good overview. If you want a TL;DR, Kape Technologies has a history of distributing malware and now owns ExpressVPN, CyberGhost, Private Internet Access, and Zenmate. Because of Kape Technologies’ history, I would advise against using one of its VPN providers. It’s not impossible for a company to turn over a new leaf, but with other options available (at least until Kape buys them all), why take chances?

If you’re a person with a newfound interest in privacy and looking for recommendations, I unfortunately don’t have any good recommendations for review sites. The handful of review sites that I used to trust have either disappeared or been bought by VPN providers (which by itself doesn’t necessary make a review site untrustworthy, but I’m always wary of such conflicts of interest).

As far as VPN providers go, I use Mullvad and I like it. It supports WireGuard (my preferred VPN protocol), doesn’t ask for any personally identifiable information when signing up for an account, accepts anonymous forms of payment (including straight cash mailed in an envelope), and seems determined to remain independent (at least for now).

It’s a Tracking Device, Not a Smartphone

I like to refer smartphones as voluntary tracking devices. Cellular technology provides your location to the network provide as a side effect. Smartphones can also leak your location through other means. But location isn’t the only type of information collected by smartphones. Android has a sordid reputation when it comes to data collection. Part of this is because Google’s primary business is collecting information to sell to advertisers. Another part is that handset manufacturers can bake additional data collection into their Android devices. Another part is that Android lacked granular application permissions until more recent versions, which allowed application developers to collect more information.

Apple on the other hand has enjoyed a much better reputation. Part of this is because Apple’s primary business model was selling hardware (now its primary business model is selling services). But Apple also invested a lot in securing its platform. iOS provided users more granular control over what applications could access earlier than Android. It also included a lot of privacy enhancements. However, Apple’s reputation isn’t as deserved as one might think. Research shows that iOS collects a lot of information:

“Both iOS and Google Android share data with Apple/Google on average every 4.5 [minutes],” a research paper published last week by Trinity College in Dublin says. “The ‘essential’ data collection is extensive, and likely at odds with reasonable user expectations.”

Much of this data collection takes place after the phone is first turned on, before the user logs into an Apple or Google account, and even when all optional data-sharing settings are disabled.

“Both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this,” the paper adds. “However, Google collects a notably larger volume of handset data than Apple.”

I can’t say that this surprises me. Apple is a publicly traded company, which means its executives are beholden to share holders interested almost exclusively in increasing the price of their shares. That means Apple’s executives needs to constantly increase the company’s revenue. User information is incredibly valuable. Mark Zuckerberg made a multi-billion dollar company out of collective user information. So it was unrealistic to expect Apple to leave that kind of potential revenue on the table. Even if Apple isn’t currently selling the information, it can start at any time. Moreover, if it has the information, it can be obtained by state agents via a warrant.

This brings up an obvious question. What smartphone should individuals concerned about privacy get? Unfortunately, Android and iOS are the two biggest players in the smartphone market. They are also the only two players readily available to consumers who aren’t tech savvy. GrapheneOS is an example of an Android version that offers better privacy than the stock versions found on most devices. But using it requires buying a supported Pixel and flashing GrapheneOS to it yourself. There are also phones that run mainline Linux such as the PinePhone and Librem 5. The problem with those devices is the state of the available software. Mainline Linux distributions designed for those phones are still in development and likely won’t meet the needs of most consumers.

Right now the market looks grim if you want a smartphone, are concerned about privacy, and aren’t tech savvy enough to flash third-party firmware to your phone.

Before and After First Unlock

If you’ve used a desktop operating system, you may have encountered full-disk encryption. The name is self explanatory. When full-disk encryption is used on a desktop or laptop, the entire contents of the hard drive (minus whatever is needed to properly boot the system far enough to enter the decryption key) are encrypted. The contents are only accessible after the decryption key has been provided during boot up.

iOS and modern versions of Android use a different model called file-based encryption. Rather than encrypt the entire contents of the device, files are encrypted individually per a policy. This is why you can make a call on an iOS or Android phone after is has been booted but before it has been unlocked. But like with full-disk encryption, the encrypted files are only accessible after the device is first unlocked after a boot up.

The states where encrypted data is inaccessible and accessible are referred to as before and after first unlock respectively. Before the first unlock data is considered at rest. The device is unable to decrypt the encrypted data because the necessary decryption key hasn’t been provided by the owner. After the first unlock the device stores the decryption key so it can decrypt and access the encrypted data. How the keys are stored varies. Many devices store the decryption keys in memory, but the more secure method is to store decryption keys in a secure chip such as the Secure Enclave hardware on iPhones or the Titan M chip on Pixel devices (technically the decryption key is usually derived by the secure chip using the provided decryption key and other inputs, but I’ll skip over those details in this post). Using a secure chip adds a barrier between the decryption key and malicious software or hardware able to gain unfettered access to system memory.

When you read stories about law enforcers extracting encrypted data from a device without the owner’s cooperation, they are almost always extracting the data after the first unlock:

The main difference between Complete Protection and AFU relates to how quick and easy it is for applications to access the keys to decrypt data. When data is in the Complete Protection state, the keys to decrypt it are stored deep within the operating system and encrypted themselves. But once you unlock your device the first time after reboot, lots of encryption keys start getting stored in quick access memory, even while the phone is locked. At this point an attacker could find and exploit certain types of security vulnerabilities in iOS to grab encryption keys that are accessible in memory and decrypt big chunks of data from the phone.

Based on available reports about smartphone access tools, like those from the Israeli law enforcement contractor Cellebrite and US-based forensic access firm Grayshift, the researchers realized that this is how almost all smartphone access tools likely work right now. It’s true that you need a specific type of operating system vulnerability to grab the keys—and both Apple and Google patch as many of those flaws as possible—but if you can find it, the keys are available, too.

When law enforcers confiscate a device, it’s common practice to both prevent the device from powering off and to isolate it from any network access. This prevents the device from entering before the first unlock state and from being remotely wiped. Mobile phones have their own batteries, which increases the time law enforcers have between confiscation and connecting it to a secondary power source. Placing the phone into a Faraday bag isolates it from network access. Once a device has been prevented from powering off or being remotely wiped, law enforcers can work to decrypt the contents of the phone at their leisure.

Before continuing I will note that law enforcers aren’t the only individuals interested in gaining unauthorized access to the encrypted contents on a device. I’m highlighting them because they receive the most press coverage. Keep in mind that many unauthorized parties such as abusers and stalkers have the same interest albeit for different reasons.

The safest state for encrypted content is at rest. This is why I always recommend people power down their devices before entering airport checkpoints or border crossings. Those are situations where encounters with law enforcers are guaranteed and the chances of devices being confiscated is higher than average. I also recommend people power down their desktops and especially laptops when not in use. That way if the device is stolen, the contents remain inaccessible to the thief. However, powering down devices isn’t always practical, especially when the device in question is a smartphone. If you’re meeting somebody at an airport, you might need to keep your phone powered on in case the party with whom you’re meeting needs to contact you (although I will argue that proper planning can avoid this scenario and, if not, rebooting the device and leaving it in before the first unlock state will allow you to be accessible while keeping your data at rest). If a mugger demands your smartphone, they probably won’t allow you to power it down before handing it over.

This is why I was happy to discover a feature in GrapheneOS. In the settings application under the Security category there is an option called Auto reboot. By default this is disabled, but if you tap on it, you’ll be greeted with a dialog box offering different lengths of time. If you select one of those options, the phone will automatically reboot if it hasn’t been unlocked in the selected period of time. This ensures that the device will return to before the first unlock state after you haven’t unlocked it for the selected period of time. If you unlock your device frequently and don’t mind entering your password when you wake up in the morning, you can select a short time period. If you don’t want to enter the password every morning, you can select eight hours (or slightly more than however many hours you typically sleep). This feature creates a specific window of time between when a device is confiscated or stolen and when it returns to before the first unlock state.

This is a security feature I would like to see adopted by other operating systems. Knowing my laptop had a finite period of time between when I last unlocked it and when it returns to before the first unlock state would give me the convenience of putting it in sleep mode rather than powering it down completely when transporting it (I fully admit powering down isn’t a huge inconvenience for me since I don’t transport my laptop frequently, but a lot of people transport their laptop between home and work twice a day).

My Thoughts on the Pixel 4a Running GrapheneOS

As I noted in my last post covering the fiasco that is today’s Apple, I ordered a Pixel 4a with the intention of flashing GrapheneOS on it. For those of you who are unfamiliar with GrapheneOS, it is an Android Open Source Project (AOSP) operating system that focuses on security. The list of security features included in GrapheneOS is quite long so instead of trying to summarize it, I’ll point you to the project’s feature list.

GrapheneOS only runs on Pixel devices. This is because Pixel devices implement several hardware security features including the Titan M security chip (a similar idea to Apple’s Secure Enclave). Pixel devices also support Android Verified Boot (AVB) 2.0 with third-party signing keys. AVB 2.0 cryptographically verifies that the operating system you’re booting hasn’t been altered. When properly setup, this allows non-Google firmware to boot from a locked boot loader. GrapheneOS supports AVB 2.0 and relocking the boot loader is actually part of the installation process. This is a GrapheneOS advantage since most AOSP operating systems can only boot from an unlocked boot loader. An unlocked boot loader is a majority security weakness.

Installing GrapheneOS is about as easy as installing a third-party operating system on a phone can be. There are two supported methods: a web based installer and a command line based installer. I chose the latter. Both are made straight forward by the step-by-step guides. When you boot GrapheneOS the first time, you’re greeted with a bare bones installation. I prefer minimal operating system installations so I consider the bare bones nature of the default GrapheneOS is a plus.

I installed the same applications on this device as I installed on my Teracube 2e. GrapheneOS doesn’t include a calendar application so I installed Etar, which is the calendar application included in LineageOS.

One of the notable features of the Pixel 4a is the camera. However, you probably won’t be terribly impressed by pictures taken with the camera application included with GrapheneOS. This is because the high quality pictures you see in Pixel 4a reviews requires a combination of hardware and software. The software is Google Camera. Google Camera applies software enhancements to improve the quality of pictures taken with Pixel hardware. Not surprisingly it requires Google Play Services. A recent addition to GrapheneOS is support for fully sandboxed Google Play Services. This allows you to install Google Play Services without granting permissions greater than any other app (normally Google Play Services enjoys additional privileges). If you need Google Play Services, I believe this is a better solution than microG, an alternative used by a number of AOSP operating systems.

I wanted Google Camera without all the additional Google cruft so instead of installing Google Play Services I installed Gcam Services Provider. Gcam Services Provider is a shim that implements just enough of Google Play Services to run Google Camera. GrapheneOS with Gcam Services Provider isn’t enough to run Google Camera though. Launching Google Camera with this configuration will only result in a black screen (information about this behavior can be found here. I resorted to installing a modded versions of Google Camera of which there are quite a few. I settled on this version because it works with Gcam Services Provider and allows me to use a gallery application other than Google Photos (the official Google Camera application is hard coded to display recently taken pictures with Google Photos and I have no interest in installing that).

The installation process for Google Camera that I just described is the only thing on my setup that feels hacky. GrapheneOS is polished. It actually feels like a first-party operating system on the Pixel 4a. It is a major improvement over the user experience of LineageOS on a Teracube 2e (because the version of LineageOS for the Teracube 2e is still unofficial, I didn’t expect a polished user experience, I’m just noting the comparison here because it’s the only baseline I have). I will go so far as to say that GrapheneOS offers a user experience comparable to iOS on an iPhone (and probably the stock firmware on the Pixel 4a, but I didn’t spend any time using that) with the caveat that applications that rely on Google Play Services may not work if you don’t install Google Play Services (thanks to sandboxing doing so isn’t as dangerous on GrapheneOS as it is on other AOSP operating systems). The user experience is so good that my wife, who is not a technical user, is happy with it.

GrapheneOS is a great option for iOS users wanting to flee the panopticon that Apple is dead set on inflicting on iOS users (and probably macOS users).

In Case It Was Unclear, This Is Fascism

Fascism has a number of defining characteristics including dictatorial powers, oppression of opposition, strict governmental control over the populace, and strong governmental control of the economy. All four characteristics were present in the executive ordered issued by Joe Biden this afternoon:

In an address made from the White House on Thursday, Mr Biden directed the Department of Labor to require all private businesses with 100 or more workers to mandate the jab or require proof of a negative Covid test from employees at least once a week. The order will affect around 80m workers.

Dictatorial powers? Biden issued this order by himself through an executive order. Oppression of opposition? This order is a direct attack on individuals who haven’t received one of the available COVID vaccines. Strict governmental control over the populace? If order every person who works for an arbitrarily large company isn’t strict government control over the populace, I don’t know what is. And finally strong governmental control of the economy? Biden just ordered every business with more than 100 employees to either force their employees to get a COVID vaccination or subject them to weekly testing.

Proponents of democracy should be appalled by this. Congress didn’t propose this. It didn’t debate this. It didn’t pass this. It didn’t get to say a goddamn word about this. It was a single man using a tool that I and every sane person has been warning about for ages: executive orders. An executive order is the antithesis of democracy. It creates dictatorships.

Those who claim to fight for the poor and downtrodden should be appalled by this. As Glenn Greenwald noted, this order is going to hurt the poor and downtrodden much more than the well off. And before somebody brings up the fact that COVID vaccines are free (and by free I mean paid for by the federal government with tax money and printed dollars), everybody knows that. The individuals in lower income brackets who haven’t received a COVID vaccine know that. They haven’t chosen to forego the vaccine because they’re ignorant of the cost. But they have chosen to forego it and that makes this order a direct attack against their autonomy.

Advocates of body autonomy should be especially appalled by this for obvious reasons.

In fact anybody who isn’t appalled by this is a fascist. They might not realize they’re a fascist, but they are one.

That ends my rant.

In case my feelings on the matter are unclear, I will close by giving my opinion on the COVID vaccines. If you want one, get one. If you don’t want one, don’t get one. It’s your body. You should be the only person who decides what to put in it.

Apple Gives Users More Time to Migrate

After doubling and tripling down on its decision to integrate spyware into iOS, Apple has announced a delay:

Apple provided this statement to Ars and other news organizations today:

Last month we announced plans for features intended to help protect children from predators who use communication tools to recruit and exploit them, and limit the spread of Child Sexual Abuse Material [CSAM]. Based on feedback from customers, advocacy groups, researchers and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.

As the Electronic Frontier Foundation explains, a delay isn’t good enough. However, the delay grants iOS users more time to plan their migration. I’m happy to say that my migration has gone well. I received my Pixel 4a and flashed it with GrapheneOS. My initial impressions are very good. I’ll post a detailed initial impression after a few more days of usage. With that said, there are a handful of options available to those wishing to flee Apple’s new surveillance obsession.

I opted for a Google-free Android Open Source Project (AOSP) ROM. Android is a mature and widely support mobile operating system. It offers near feature parity with iOS since the two platforms have been copying from each other since their early days (both also copied a lot of the best ideas offered by Palm WebOS). The biggest flaw in Android is Google. Google-free AOSP ROMs such as LineageOS, /e/OS, GrapheneOS, and CalyxOS keep the good features offered by Android while removing the Google taint.

Another option is a mainline Linux phone like the PinePhone or Librem 5. Neither platform is mature enough to meet my current daily needs, but they might be mature enough to meet your daily needs. They’re worth investigating and I hope to eventually migrate from Google-free Android to a mainline Linux phone.

If you’re one of those odd ducks who uses their cellphone solely as a phone, an old-school dumbphone is worth considering. Because of how simple they are, dumbphones offer a limited attack surface (keep in mind that security updates on dumbphones are rare so if a major flaw exists, the only solution may be to buy a different phone) and aren’t capable of store even a faction of the personal information that smartphones can. They’re also dirt cheap and frequently more durable than smartphones. The tradeoff is they don’t offer any means of secure communications. You can’t install Element, Signal, or any other secure messaging application on them. But if you don’t use those, that’s probably not a deal breaker.

My suggestion to iOS users (and every other computing platform user) is to develop a migration plan if you haven’t already. I try to have at least one migration plan at hand for any computing platform I use. For example, when I was using a Mac, I had a migration plan for moving to Linux. It didn’t end up being an urgent need, but when I finally decided to upgrade from my 2012 MacBook Pro and Apple didn’t offer anything acceptable to me, I already had a plan. Now I use Fedora running on a ThinkPad and have a plan to migrate from that if needed.

When I ran iOS I also had a migration plan. My plan was to migrate to a mainline Linux phone. I knew this plan was a gamble because it would be a few years until such devices were mature enough for my daily use. Because of that I kept a list of Google-free AOSP ROMs and phones capable of running them. When Apple announced its surveillance plan, my migration plan to a mainline Linux phone wasn’t yet feasible. I had to bring myself more up to speed on AOSP ROMs and phones, but I was able to migrate away from iOS within a week of Apple’s announcement.

Apple didn’t provide a time frame for when it will introduce spyware to iOS. It could be months or years before Apple introduces it or the company could spring it on users with no warning. If you have a migration plan ready, you can react even if Apple gives no advanced warning. If Apple pushes back its surveillance plan indefinitely, you can continue using iOS (if you still trust Apple, which I don’t) knowing you’re ready to move if needed.