Daniel Micay
Security researcher/engineer working on mobile privacy/security. Founder of @GrapheneOS.
Oct 24, 2022 12 tweets 8 min read
@RichFelker @GrapheneOS Treble makes it possible to easily run AOSP or GrapheneOS on any hardware providing an implementation of Android vendor APIs which have a stable versioned ABI with backwards compatibility for a few major versions of the OS. It provides an easy way to support any Android phone.

@RichFelker @GrapheneOS AOSP has official support for a few development boards with an entirely open source implementation of the vendor HALs based on Mesa, etc. It's entirely possible for a phone to provide that and Pixels will likely trend towards that and away from the Exynos tech due to Tensor SoC.
Sep 2, 2022 4 tweets 1 min read
I know several people working as software engineers at Cloudflare. According to one of them, this incident (blog.cloudflare.com/the-mistake-th…) was hardly a mistake. Cloudflare is including block lists sourced from far right evangelical groups as part of their 'family friendly' DNS service. Cloudflare is aware their 'family friendly' DNS (1.1.1.3) isn't blocking sites like Kiwi Farms (kiwifarms . net) or Daily Stormer (stormer-daily . rw). It's a deliberate decision, despite their blog post claiming their filtering is meant to mimic SafeSearch, which filters them.
Aug 31, 2022 9 tweets 3 min read
Cloudflare drops sites from their service on a daily basis for having content they dislike. They remove sites with adult content, support for sex workers, etc. They also drop sites they deem to be posting spam. Cloudflare's censored 1.1.1.3 DNS blocks lots of LGBT content, etc. They're too cowardly to stand behind their decisions so they won't mention sites like Kiwi Farms by name. Their official accounts and executives all have their replies disabled on Twitter to shut down dissent. Their free speech act is a ridiculous sham. They drop lots of sites.
Jul 13, 2022 12 tweets 7 min read
@burnt_disk @MishaalRahman It's problematic that they expose those directly. They either require user consent on a case-by-case or one-time basis despite not being runtime permissions or they have no real privacy model. Low-level permissions exist for static analysis of what apps can request at runtime.

@burnt_disk @MishaalRahman For example, request install packages allows the user to allow it as an app source and then approve app installations on a case-by-case update. Only thing that can be done without case-by-case consent is updating an app again after the user authorized an initial install/update.
Jun 29, 2022 5 tweets 2 min read
@IntelTechniques It's unfortunate that you're giving a platform to someone making numerous false claims about both CalyxOS and GrapheneOS to promote CalyxOS. They're spreading misinformation about our project and are misleading people about multiple privacy and security topics.

@IntelTechniques The article in unredactedmagazine.com/issues/003.pdf by Zachary McIntosh should be corrected. They're misleading people about sandboxed Google Play and microG along with falsely claiming that the CalyxOS approach does not use Google services, when in fact CalyxOS always does.
Jun 28, 2022 4 tweets 1 min read
nginx configuration enforcing rate limit based on a value in request body to implement a rate limit for Flarum's forgot password API based on email instead of only based on source IP of the request:

github.com/GrapheneOS/dis…

Could move some directives to http {} to reuse more. nginx's limit_req runs very early in the request and $request_body only exists much later. That variable also only exists if you use a reverse proxy via proxy_pass, fastcgi_pass, etc. Have to get the value out of request body with map, add as a header and reverse proxy to itself.
Jun 28, 2022 5 tweets 2 min read
AttestationServer will no longer be using request tokens as part of CSRF protection. It's far simpler to enforce the Origin header always being present and set to attestation.app for the entire API since we avoid using the GET method for anything:

github.com/GrapheneOS/Att…

Using SameSite=Strict for our login session cookie provides a fallback layer of protection. It's not a full protection by itself since it doesn't protect the login and register methods since we really don't want to have sessions for clients who aren't logged into the site.
May 29, 2022 5 tweets 2 min read
@Prof0und_Madman If the developer provides a self-updating mechanism for their app, it makes a lot of sense to get it directly from them.

F-Droid has serious issues with the security of their infrastructure and the app. Updates are often very delayed and they make undocumented changes to apps.

@Prof0und_Madman Lots of people recommend F-Droid but it has some serious flaws and they're completely not open to acknowledging or addressing them. We expect many users are going to end up getting compromised when the poorly maintained/secured F-Droid infrastructure ends up compromised...
Nov 4, 2021 9 tweets 2 min read
I think it's pathetic that people feel the need to promote themselves by spreading fabrications about GrapheneOS and myself. The whole routine of posting out-of-context screenshots and fabricating a whole fake story about them is getting old and people should stop falling for it. A troll made a room mimicking my account name / logo and the GrapheneOS room name / logo / topic. They mass invited the entire ban list of the GrapheneOS rooms. Many of those people are incredibly toxic. A couple literally spammed child porn in our rooms thinking it'd kill them.
Oct 1, 2021 5 tweets 2 min read
This device is going to get at best around 2 years of proper security updates due to using an SoC launched in late 2020 with 3 years of support. They're claiming they'll be providing something they won't really be providing without doing the work for it.

arstechnica.com/gadgets/2021/0…

It'd be nice if journalists looked beyond marketing and press releases for evidence/substance. It's probably expecting too much. Apple has done the work to provide 6 years of proper support. Fairphone has no actual plan or intention to do it. It's not enough to want to do it...
Aug 23, 2021 7 tweets 2 min read
Canada supposedly has universal health care but OHIP (Ontario) doesn't even cover basic dental or eye checkups and they phased out annual checkups at your doctor.

Dog can get an MRI within a couple days but a person getting one requires waiting for ages. It's also getting worse. Ontario approach to health care is you're on your own from 20 through 64 unless something goes wrong. I think by phasing out annual checkups, etc. they've pretty much doomed it. Official position is pretty much that preventative health care isn't useful according to sketchy data.
Jun 19, 2021 7 tweets 2 min read
Bitcoin mining revenue will become entirely provided by transaction fees as block rewards rapidly fade away.

There isn't infinite demand for Bitcoin block space. Higher transaction fees push people to 2nd layers (Lightning), side chains (Liquid) or custodial exchanges, etc. BTC price went up far faster than block rewards went down, creating a massive amount of revenue for miners in the short term.

The price would have to double every 4 years simply to keep providing the same block reward revenue. Price would need to go up faster for it to increase.
May 20, 2021 5 tweets 2 min read
2 memory corruption bugs introduced to Firefox by Debian patches:

bugzilla.mozilla.org/show_bug.cgi?i…
bugzilla.mozilla.org/show_bug.cgi?i…

Freezing versions of most software for years, backporting a small subset of security fixes and applying broken / strange distribution-specific changes isn't great. A lot of distributions have these kinds of problems with their packaging but Debian remains the best example.

It's painful working with Debian due to all the distribution-specific broken extensions, hacks, meta-configuration and scripts. It's awful as an upstream maintainer too.
May 20, 2021 5 tweets 2 min read
30% of our community is already migrated to the new Matrix rooms. If you want to get involved in the GrapheneOS community or contribute via beta testing, development, etc. you should join. Best experience is with Matrix itself rather than a bridge to it. Element is the most capable client but there are plenty of other options such as weechat-matrix in a terminal:

matrix.org/docs/projects/…

In particular, Element has the best support for end-to-end encryption and uses it by default for direct messages and other non-public rooms.
May 2, 2021 9 tweets 2 min read
Likely going to have very positive news to announce about GrapheneOS in the near future.

It's unfortunate that others decided to pick up the torch of fighting an underhanded war against us after Copperhead started to stop. The past month SHOULD have been a huge relief, but no... Nevertheless, there's probably going to be some great news. I hope others realize that waging a misguided war against us is not going to work out to their benefit and they can either stop or destroy themselves in the long run. I'll happily put very substantial resources into it.
May 2, 2021 6 tweets 2 min read
I'm not sure why I didn't make this change sooner:

github.com/GrapheneOS/har…

There's not much downside to only having 1 slot per slab once slab allocations are 4096 byte aligned, which is what we refer to as extended size classes. This goes nicely with the guard slab feature. By default, there's an unused guard slab between every possible usable slab that's left as unused PROT_NONE memory.

If the slabs have 1 slot, the allocations have guaranteed guard pages without paying the cost of actually making system calls to set them up during regular usage.
May 1, 2021 8 tweets 2 min read
I'm not surprised to find out that Linux kernel socket load balancing is in a terrible state with no good options. Some background:

blog.cloudflare.com/the-sad-state-…

Traditional epoll wakes every thread and they race to accept the connection. EPOLLEXCLUSIVE fixes it but uses LIFO order. LIFO order is terrible for a web server. HTTP connections are generally long-lived and reused for mixed / varying workloads. That's even more true with HTTP/2 where clients are only supposed to make a single connection to each server and multiplex everything over it concurrently.
Feb 21, 2021 8 tweets 3 min read
We've archived these tweets where Copperhead's CEO admits to them tracking devices via unique identifiers and using them as part of the update system.

He admits that their phone sellers with Copperhead emails, etc. have databases mapping unique identifiers to the customers too. His excuse is that tracking devices via unique identifiers available to update server doesn't count as tracking users. They've designed it in a way that they can ship an update targeting a device. The excuse is they don't know which user has which device, but their seller does.
Feb 19, 2021 7 tweets 13 min read
@HamledOnLine @MikeCustomPC @cankerwort_ @sethisimmons @CopperheadOS @mamushi_io @GrapheneOS We still have the original repositories created for CopperheadOS Beta and later. That was before the company was founded too. I created the project on my own time substantially before the project was founded as an extension of my existing hardening work.

github.com/GrapheneOS/pla…

@HamledOnLine @MikeCustomPC @cankerwort_ @sethisimmons @CopperheadOS @mamushi_io @GrapheneOS I started github.com/GrapheneOS/har… after the split while figuring out how to put things back together for the OS. I waited until the release of the next major version of Android to make the next release under the temporary Android Hardening name, and then renamed to GrapheneOS.
Feb 19, 2021 5 tweets 6 min read
@cankerwort_ @sethisimmons @CopperheadOS @mamushi_io @GrapheneOS They're the ones choosing to wage a misinformation war against GrapheneOS along with threatening/intimidating anyone who contributes to the project, even people that are underage. You say it should be settled in court but they're making daily attacks on us causing lots of harm.

@cankerwort_ @sethisimmons @CopperheadOS @mamushi_io @GrapheneOS GrapheneOS is not a for-profit project. We're not selling any products. We're focused on building privacy and security technology. They're focusing all their resources on causing harm to us in any way that they can, and on marketing a product simply copy pasting our codebase.
Feb 19, 2021 4 tweets 2 min read
By the way, this is with a 50% discount on legal fees thanks to @Snowden / @EFF:

I should go through all the invoices and figure out how much money I've spent on that in total. I'm also sure there's going to be a lot more since it's only getting started. Most expensive month was a bit over $5000 which would be over $10000 without the 50% discount.

Thanks to all the people supporting us with donations, we're able to continue on despite these ongoing attacks on the project by Copperhead. It really detracts from development though.