And it looks like this is the draft, and it was published on the author's blog here: https://telefoncek.si/2024/05/2024-05-30-grapheneos-and-fore...
Maybe consensus shifts (or goes away) about which problems are the domain of government, but ultimately it's about efficacy against those. The rest is a distraction.
For example, people "need" access to healthcare, but there's essentially an unlimited amount of money you could spend to keep improving healthcare (e.g. opting for increasingly expensive treatments with diminishing returns on health outcomes). The more money you allocate to healthcare, the less you have available to spend on other things that people "need". Sure, you can tax more up to a point, but eventually that tap runs dry and you're forced to reallocate existing resources.
As another example, people "need" criminals to be punished in order to be able to live in a safe and crime-free society. People also "need" to not be put in prison when they are innocent. But you can never be 100% sure that a convicted criminal actually committed the crime. Locking up criminals implies by necessity that you will also lock up some innocent people. No government can solve both of these problems simultaneously which means they are all "bad".
Even the most competent "good" government ultimately has to select among which "bad" things it is going to allow to continue and which it will solve.
Since the 1980s, we have been consistently taxing less. If the tap is dry, it isn't because of over-taxation - it's because there's a reservoir of wealth hoarded by the relatively few.
Even a cursory glance at the trajectory of wealth distribution will make that clear.
Who is "we"? We're talking about governments in general ("good" vs "bad" ones), and I have no idea what jurisdiction you are referring to.
In any case, I didn't say the tap is dry. I said if you keep raising taxes it will eventually run dry. Or to put it another way, taxes are not an unlimited resource that you can keep increasing as much as you'd like. At some point you'll hit a ceiling where raising taxes any further doesn't produce additional tax revenue.
For example, as you raise income tax rates, people have less incentive to advance their careers (e.g. by chasing promotions or improving their skills), and people have more incentive to leave the jurisdiction and go somewhere with lower taxes. Up to a point, the increase in tax rates produces a net extra revenue for the government. Above a certain point, the number of people who stop paying taxes (e.g. by leaving or by working less) outweighs the gains from those who continue to pay. This is why you'll rarely see any government with excessively high top-bracket tax rates (e.g. 60 - 100%), because it results in tax losses.
Assuming "we" means the United States, this is not the case. Tax revenue as a percentage of GDP has been remarkably stable since the end of World War II [1].
The long-term average since 1945 is 16.85%, the average in the 1970s (i.e. the decade before the 80s) was 16.76%, and the average in the 2020s is 16.96%.
In the US at least, that’s the perception because the tax cuts get a lot more publicity than the increases; everyone knows that Reagan passed what was, to that time, the biggest (at least in aggregate nominal terms) tax cut in US history, fewer know that he followed it with the biggest increase.
But what has actually happened is a series of tax burden shifts (often, downward from the wealthiest, though some have been the other way or largely orthogonal to wealth.)
Extending this reasoning, we should not blissfully put our data into anyone's hands.
Government missions at least have a veneer of public servants, as opposed to private hands whose only real motivation is fiduciary obligations towards the shareholders.
Of course there is, compare the government of Finland to that of North Korea. Just because there are shades of grey and human institutions are generally susceptible to corruption, greed and power politics doesn't mean there aren't governments that are different not only in degree but in kind.
To some degree it feels like bits and pieces of anti-intellectualism getting into folks' brains: rejecting the idea that folks can think about things at all.
The latest example: https://en.zona.media/article/2025/08/27/irin
That said, no matter how secure GrapheneOS may be, for this particular threat a permanently clean phone is a necessity.
Governments that use public force to kidnap, torture, murder, "disappear" their own citizens, are bad. Plenty of examples to go around, both historically and currently: China, Russia, México, North Korea, Belarus, the Balkans, plenty of African governments, etc.
It shouldn't matter that "34% of my neighbors" want me sent to a concentration camp, personally I wouldn't want to end up there.
The example you're giving, the whole "it really depends on people's views, ..." is a bad government.
And the truth is that it's easy to be a good government: don't be bad.
Edit: fixed a word.
At what point does the "good" cross over into the "bad"? Is it ok that having a highly regarded government comes at the price of dead children? How about the sizeable group of people (e.g. in the US and Israel) who don't believe there is any genocide at all? Doesn't that make the whole thing subjective?
> Cellebrite admits they can not hack GrapheneOS if users had installed updates since late 2022.
As for the possible way, you answered yourself already (custom keys and images) :)
How so?
On Linux, I can add an account to the sudoers list, and have the flexibility to configure the level of security appropriate for my use case. I have yet to experience any security issues (that I'm aware of). Why isn't this possible on my mobile device as well?
This absolute stance is not right. Security is not binary, but a spectrum. I should be allowed to have full control over my device without this being a security risk.
> These devices meet the stringent privacy and security standards and have substantial upstream and downstream hardening specific to the devices
It still seems strange. A big part of GrapheneOS is to provide a safeguard from Google's data hoarding, yet it works primarily on Google phones.
There are others e.g. Motorola ones or Fairphone, that also allow this but it's a good idea to focus on a specific set of devices keeping maintenance as low as possible and security focus as high as possible.
There are alternatives like /eOS/ or CalyxOS supporting more devices and I experienced exactly this "no longer supported" issue with my Xiaomi A2, which suddenly disappeared from the list of supported devices (see https://calyxos.org/news/2021/03/29/mi-a2-ten-firmware/).
[1]: https://discuss.grapheneos.org/d/23886-partnership-between-g...
Libertarian rant aside. Governments fund these kinds of operations in secret so they can "effectively do their jobs". There's a ton of subcontractors working on AWS platforms that do analysis of this UFED "dump". (just a zip file of your phone's directories). Emails, Phone logs, Carrier settings, Browser History, Text Messages, Cookies, Apps, App Logs, App Data, if it's on your phone, it's in the zip.
According to TFA GrapheneOS can disable the USB port too.
Cellebrite doesn't publicly publish the latest support matrix so we have no real idea what progress if any they've made against recent iPhones and iOS versions, nor any real detail on how something like Lockdown Mode influences outcomes for their software.
Nor does this show anything about Pixel 9 or Pixel 10 and the newest variants of Android OS (which for Pixel 10 makes sense given (2024), but for Pixel 9 does it?).
What we do know, as both companies disclose this, is that Apple implements, particularly with Advanced Data Protection enabled, significantly more E2EE than Google, and both companies invest significantly through i.e. Apple's SEAR into the security of their hardware, software and platforms.
That GrapheneOS exists is great but I don't think this post helps much.
"Their documentation has explicitly listed GrapheneOS for years due to the high demand from their customers for breaking into it. It shows they were last able to exploit a GrapheneOS release with a 2022 or earlier patch level.
We have their June 2025 documentation and could obtain the newer documentation if we ask for it, but we have much bigger priorities than that right now and we would have been contacted by the main person providing it if anything relevant changed."
One reason GrapheneOS fights these threats is by doing what Google doesn't want to do out of user friendliness, like disabling USB in AFU mode. Unlike Google, Samsung, or Apple in non-lockdown mode, GrapheneOS doesn't need to deal with upset users when they need to unlock their phone before hooking it up to their car/display/flash drive/3.5mm jack converter/etc.
GrapheneOS also enables security features when compiling the OS that have a performance impact but mitigate security risks. They end up with a slower phone with less battery life that's protected better against extremely uncommon attack vectors.
GrapheneOS explained how these security features would've prevented at least one targeted attack from leading to exploitation: https://grapheneos.social/@GrapheneOS/114081909020398165
We don't know the current state of Cellebrite's capabilities, but the fact they struggled for at least three years last time intel leaked out does paint a good picture for GrapheneOS. I'm sure the GRU and NSA have exploits that can hack even GrapheneOS, but at least they're not the type that makes it into commercially available exploit kits as of now.
Basically forensics is only needed because of the "principal/agent problem" which is described in game theory science. And in a digital forensics examination, most of the time you will get access to some sort of credentials for the system. Modern companies also have EDR tools installed on their devices which can be (ab)used for evidence collection as well, or are even cloud native so the devices only have a copy of the data while the master data resides on the server.
Now looking only at smartphones, the evidence collection also needs to fight against the smartphone vendors, who do not cooperate even though the owner of the smartphone wants to figure out what happened with this smartphone. The biggest reason I see here is that the smartphone device stack (incl. communications chips) is still a very black-box entity with many intelligence interests in keeping it easily exploitable. You notice that the more smartphone exploitation is democratized, the more the smartphone vendors try to stop the bleeding (because it is bad PR), and intelligence agencies have many different other layers of the hardware/wireless stacks with non-public firmware to exploit.
So in terms of laptop/desktop forensics, I wouldn't say there is a big difference, because you will mostly get the passwords anyways. Negative mention maybe the anti-self-maintenance devices that Apple is shipping.
Of course the "have password" does not apply with digital forensics of law enforcement agencies, there is a lot of politics involved in who gets access to which magic tools or not.
For smartphones basically every three letter agency on the planet can own you within 30 seconds and get all your data and use it as a bugging device, and some deep pockets can buy the specialized extraction hardware (incl. exploits) from ex-intelligence public service workers who are looking to "cash out". So all of them are lying to you if they say they are secure in any way.
On top of that, like with all cloud services, there are numerous stories of engineers at all the big tech companies snooping around in your personal data. It's just testament to their good PR teams to keep these issues buried. I can only imagine the private porn stacks going around between senior engineers at some of these companies.
I'll admit that big companies may have some incentive to protect their users' privacy; but they are an easy legal target. If tomorrow the US or EU pass legislation that mandates a backdoor in all mobile devices, the entire world is screwed.
nithssh•3h ago