Hacker Fantastic @hackerfantastic@social.hackerfraternity.org

Finally got the pinephone GTK rust starter app to build on device & pinebook. Had to use Manjaro beta phosh, it appeared like it might build on pmOS edge but definitely wouldn’t on stable. Pretty excited to write a mobile app in rust, glade opened the app UI fine and it builds the same on both devices which will make testing & developing simpler.

Skyhub is using SDR's, Cameras and AI to search for UFO proof - "A world wide search for UFOs using a global network of machine learning, smart cameras and sensor arrays built by you with our open-source software for the largest observational science project in history" - https://skyhub.org/

Positive affirmations of 2020, Windows 2003/XP source code leaked and is buildable, Nintendo ROM's leaked and included prototype games with developer modes never seen before & Pinephone/PinebookPro released making a fully open FOSS buildable laptop/phone solution. I am grateful for all these things, but the most unsettling news of 2020 so far that isn't apocalyptic pandemic viral outbreak is that SETI@HOME is no longer distributing work units :( This saddens me and it only covered 2% of the sky!

This is the pinephone OS I want to become stable, the UX Lomiri is so clean and beautiful to use. It’s in an early alpha state, crashes and has many bugs but if Manjaro gets this UX to stable it will reign king of the Linux on mobile. Ubuntu Touch uses the same UX but comes with too much bloat for my tastes. Great game boy emulator tho.

If you don’t read the code, how will you find the backdoors? As for using libpurple to handle SMS passed over a D-Bus interface... I have concerns. Going up against the pinephone web renderer and jscript engines seems difficult, the radio interface layer is best bet for a good RCE, either Linux Bluetooth / WiFi or some telephony stack bug in handling SMS/MMS. The hardware decisions around the baseband make it more difficult to reach OS from the RIL, but libpurple? It’s more holy than the Pope.

@bamfic I had no issues with Mobian, PostmarketOS, Manjaro and Ubuntu Touch for all of those things. Depending on the OS for battery life though, for instance pmOS doesn't use crust so only lasts 8 hours, Manjaro will run for about a day before it needs a charge. The camera works, both front & back and is quite usable in most distributions. No issues with data or bluetooth, you can even connect an 8bitdo joypad and play some SNES games. I am using v1.2a hardware (latest)

I just spent time digging into the telephony stack of the pinephone, Lomiri uses Ofono and Phosh systems are using ModemManager with D-BUS. It's so much better than any Android or iOS device for so many reasons. I fuzzed the non-common browsers, turns out Morph is basically Chrome wrapped in QtWebEngine. I'm happy with postmarketOS especially now that Anbox works to emulate Android. I really cannot fault this device for the cost and control you get, it's a fully mobile Linux desktop on aarch64.

@fikran I will take a look but unlikely I will migrate from the main code base.

@fikran my password is your password, you loaned it to me. ;)

You can spend 3 months writing a 0day for some obscure mach kernel handling bug to sneak your way to local root but did you try just asking the user for their password? You know which one has a higher ROI? The most simplistic one. This is why you get $22million dollar thefts from a UI, if you ask a user persistently enough in a manner that does not disrupt their usage of the machine or raise inconsistency in machine behavior - the user almost always enters the passwords as normal at the machine.

Exploitation of human behavior always gives better results than a single bug. I wrote this example for macOS in Swift. It's a great LPE attack, by presenting every 15 minutes a UIKit dialog that mimics precisely Apple notices, users will just enter the local admin (or iCloud) password. On every run, this stores clipboard and passwords input from a launchd daemon, once the user gives the right password and it authenticates to root - it clears out the persistence and transmits the logs back to me.