A new #developer #snapshot of our #phosh edition just got online: https://osdn.net/projects/manjaro-arm/storage/pinephone/phosh/beta1-20201024/ Test it out on your #pinephone. They are still in stock: https://pine64.com/product-category/pinephone/
Original tweet : https://twitter.com/ManjaroLinux/status/1320116694325579782
Skyhub is using SDR's, Cameras and AI to search for UFO proof - "A world wide search for UFOs using a global network of machine learning, smart cameras and sensor arrays built by you with our open-source software for the largest observational science project in history" - https://skyhub.org/
Positive affirmations of 2020, Windows 2003/XP source code leaked and is buildable, Nintendo ROM's leaked and included prototype games with developer modes never seen before & Pinephone/PinebookPro released making a fully open FOSS buildable laptop/phone solution. I am grateful for all these things, but the most unsettling news of 2020 so far that isn't apocalyptic pandemic viral outbreak is that SETI@HOME is no longer distributing work units :( This saddens me and it only covered 2% of the sky!
This is the pinephone OS I want to become stable, the UX Lomiri is so clean and beautiful to use. It’s in an early alpha state, crashes and has many bugs but if Manjaro gets this UX to stable it will reign king of the Linux on mobile. Ubuntu Touch uses the same UX but comes with too much bloat for my tastes. Great game boy emulator tho.
If you don’t read the code, how will you find the backdoors? As for using libpurple to handle SMS passed over a D-Bus interface... I have concerns. Going up against the pinephone web renderer and jscript engines seems difficult, the radio interface layer is best bet for a good RCE, either Linux Bluetooth / WiFi or some telephony stack bug in handling SMS/MMS. The hardware decisions around the baseband make it more difficult to reach OS from the RIL, but libpurple? It’s more holy than the Pope.
I just spent time digging into the telephony stack of the pinephone, Lomiri uses Ofono and Phosh systems are using ModemManager with D-BUS. It's so much better than any Android or iOS device for so many reasons. I fuzzed the non-common browsers, turns out Morph is basically Chrome wrapped in QtWebEngine. I'm happy with postmarketOS especially now that Anbox works to emulate Android. I really cannot fault this device for the cost and control you get, it's a fully mobile Linux desktop on aarch64.
Here's what you probably didn't know you needed ... until now:
The @ManjaroLinuxARM @thepine64 #PinePhone running #retroarch 😎🤣
Original tweet : https://twitter.com/ManjaroLinux/status/1318985023350079502
Check out the announcement:
Undocumented backdoor that covertly takes snapshots found in kids’ smartwatch https://arstechnica.com/information-technology/2020/10/a-watch-designed-exclusively-for-kids-has-an-undocumented-spying-backdoor/
You can spend 3 months writing a 0day for some obscure mach kernel handling bug to sneak your way to local root but did you try just asking the user for their password? You know which one has a higher ROI? The most simplistic one. This is why you get $22million dollar thefts from a UI, if you ask a user persistently enough in a manner that does not disrupt their usage of the machine or raise inconsistency in machine behavior - the user almost always enters the passwords as normal at the machine.
Exploitation of human behavior always gives better results than a single bug. I wrote this example for macOS in Swift. It's a great LPE attack, by presenting every 15 minutes a UIKit dialog that mimics precisely Apple notices, users will just enter the local admin (or iCloud) password. On every run, this stores clipboard and passwords input from a launchd daemon, once the user gives the right password and it authenticates to root - it clears out the persistence and transmits the logs back to me.
Fake pop-ups through ElectrumX update notifications have been used to steal $22 million worth of BTC. Security experts need to understand that attackers use *whatever* *works* -if you ask the user to give you access to their computer - they frequently will - as simple as a pop-up notification and trojan wallet installer was all that anyone ever required to exploit the open nature of code and crypto. https://www.zdnet.com/article/bitcoin-wallet-trick-has-netted-criminals-more-than-22-million/
If I were to redo this project I’ve been working on the last few years, I would not have been pedantic about building the GUI in C++ despite the power it’s given me, features take weeks to implement that would take minutes in other languages. I’m glad I chose Lua and Jit VM technology for numerous reasons but the thing that amuses me the most is that innovation in Lua obfuscation is coming from a bunch of Roblox hackers that just want to cheat at video games and protect their mods.
Android ransomware has picked up some ominous new tricks https://arstechnica.com/information-technology/2020/10/android-ransomware-has-picked-up-some-ominous-new-tricks/
Team https://hacker.house cyber security assurance services and professional training ~ UNIX Hacker's Fraternity president https://hackerfraternity.org ~ Author of ISBN
9781119561453, a book on professional computer hacking.
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!