DivestOS vs. /e/ OS - security and privacy easy

@XjFred Yes, I can add it to the “Allow list”. Now the question… What info does Foogle get when that tracker goes home? I don’t know what I don’t know… Any ideas?

Also it appears if I leave Signal open and just minimize it (don’t close it) that notifications are working even with mtalk.google blocked. Do you see the same?

@andrelam

If someone runs a forward facing NextCloud with an owned domain…is this too allowing for DNS fingerprinting?

Yes, the same until my phone goes in “sleep mode”.

1 Like

Yes, I don’t know if this is being done though; I looked at my DNS log record and thought, well, this is also a fingerprint :).

2 Likes

Might be time for me to move to Silence and bring people (family/friends) with by showing this :+1:.

Next to impossible to be 100% private (even among "Privacy OS’ "), takes massive amounts of effort, time, expertise and money. Thanks for everything here. This discussion has been very helpful.

1 Like
3 Likes

I tried but didn’t succeed in installing it.

(I tried, but I can’t manage to install it… I must be missing something.)

Another difference. Silence is the default SMS app on DivestOS.

1 Like

As I have read more I have a thought. Since Edward Snowden recommended GrapheneOS within the past couple years why would someone who does not need microG, using all FOSS apps, go with DivestOS over GrapheneOS? Isn’t DivestOS less secure since it is based on LOS where GrapheneOS is not? Why not just use GrapheneOS if this route is one’s subjective path?

Can someone clarify?

1 Like

If you have one of the few newer phones supported by GrapheneOS, the developer of DivestOS recommends using GrapheneOS: https://forum.f-droid.org/t/divestos-long-term-device-support-with-enhanced-privacy-and-security/10105/54

If you have an older device, not supported by GrapheneOS, DivestOS is an option.

AOSP → LineageOS → DivestOS (and e)
AOSP → GrapheneOS

2 Likes

Okay, thanks. What about security wise? From what I read LOS is not built for security, so why is DivestOS built on LOS if security is the main focus?

Edit: Deductive reasoning tells me the reason for this :point_down: is likely because DivestOS’s own developer points potential DivestOS users directly to GrapheneOS, except in the rarer circumstance that someone doesn’t want to buy a phone supported by GrapheneOS. Thank you for the information shared, I see more clearly (other than the question at the start of this post, still trying to understand that. Maybe the LOS base is hardened?)

Edit: I must say DivestOS clearly should be given praise, very cool what has been done. It is nice to see people work hard to give back to FOSS community, props! (sorry, USA slang for “respect”)

1 Like

I need microG for a couple of apps, otherwise I would flash and try. I have flashed HavocOS and microG myself but that was too much work for me; good learning, but too long of a process. :+1: /e/ fits well for me.

I need microG for a couple apps

Sorry, so sad you cannot be Free of google.

2 Likes

Agree! Hope to get there some day. “Don’t be evil” → “Pure Evil”

@ Pingo

What about Long term?

Pinephone 2 or 3 (or anything else that is affordable) with AOSP, or Fedora, or Arch Linux ARM, or postmarketOS.

Private company in the back

Not a company. There is no legal entity behind me, and it is just me by the way. Divested Computer Group is just a nicer more professional name I chose.

@ headwaters

#8 is a great comparison, thank you!

with inspiration from Daniel Micay

Micay helped me port the original CyanogenMod 13.0 based CopperheadOS to the OnePlus One with full PaX support.
Furthermore many GrapheneOS patches are included in DivestOS.

DivestOS targets more advanced users

I do try to target more than that.

DivestOS had an optional F-Droid repository, and those apps are being added to the main F-Droid

Just one left! :stuck_out_tongue:

includes cloud services […] DivestOS does not.

I have no plans to offer such services in the future.

DivestOS sells a few used phones

These are basically all the unused test devices that I no longer need.
Maybe in the future I will turn it into a model, but I would still stick to minimal margin.

DivestOS adds many security updates.

Every DivestOS device has its kernel run against my automated kernel CVE patcher, patching between 50 and 600 vulnerabilities.
That alone is in my opinion an absolute game changer for devices using old kernels.
See the CVE_Checker on my GitLab/GitHub and the Patch Levels page on the DivestOS website.

Additionally removing proprietary blobs also removes various known vulnerabilities in those components.
See Deblob.sh in DivestOS-Build repository.

The 14.1 branch is patched against CVE-2017-0592.
All branches are mostly patched against CVE-2019-2306.
N and R have some added A2DP security related patches.
N also has a (likely) no-op FFMPEG patch and a TI WLAN patch.

That is just some of the patching/mitigation of known issues, furthermore there are lots of added security hardening and security re-enablement (-user, relocking, verified boot).
See the Technical Details page on the DivestOS website.

DivestOS has changed some old names of apps, before being public.

  • Veritas to Hypatia
  • Fennec DOS to Mull

connectivity checks

All branches have an option in Settings app to disable these checks.
If you leave them enabled it uses the default Google servers.
Changing it leaks your usage patterns to other third parties and sticks out from normal Androids to network observers.

@ newts

Any idea how many people use each OS for their daily driver?

I have no hard analytics on this.
It is probably somewhere between 600 and 4,000.

@ andrelam

See a lot of patches, /e/ maybe can use some of them

I encourage /e/ to do so.
I would especially like to see them (and others too) adopt my kernel CVE checker/patcher into their build process.

Hypatia […] that App is a UX nightmare.

Hypatia works as it does and I don’t plan all that much to work on it.
I’d rather spend that time providing more security updates to devices via DivestOS.
There is an unfinished recode with an overhauled UI in another branch that I started back in 2018.
Contributors welcome.

NextDNS

They offer a neat service.
But when you can perform host blocking locally why divulge information to a third party?

@ egx470

DivestOS is completely anonymous

DivestOS does not have the goal of making you completely anonymous or completely secure.
Nor does any other implementation provide such an offering.

DivestOS is sending my IP address and a common user agent to Google every time a captive portal check takes place

All branches have an option in Settings to disable these.

Do you know if this is needed for Silence as well?

Silence only uses internet for MMS (to your carrier’s servers) as all SMS apps do.

Might be time for me to move to Silence and bring people (family/friends) with by showing this

I do not recommend this.
Silence is not maintained and is not cross-platform and still divulges information to your carrier.
Please use Conversations or take a skim through other options on my Messengers page.

why is DivestOS built on LOS if security is the main major focus

As mentioned on the FAQ page, DivestOS is based on LineageOS for device compatibility.
Furthermore as also documented on the website, DivestOS enables/restores many if not all security features that LineageOS has disabled.
Not to mention all the additional security features that DivestOS adds.

@ Taurus

an old flip phone

I do not recommend this, especially because it gives you less control into an equally proprietary system.

@all

microG

Maybe too opinionated of me, but I believe most users can get by without microG just fine if they gave it a try.

Signal

Friendly reminder that Signal contains many proprietary libraries whether you download it from Play Store or their website.
Those are:

  • firebase-messaging for push notifications
  • play-services-maps for maps and sharing location
  • play-services-auth for performing ReCAPTCHA checks during signup
  • firebase-ml-vision for face detection for the ‘Scribbles’ feature

Furthermore:

  • Signal only wants official builds of Signal to connect to Signal servers
  • Signal’s server is “code over the wall” open-source

/e/ team (assuming still true, I haven’t thoroughly checked):

Lastly I really do encourage you to take a skim through the DivestOS website.
It has a lot of information on it with a fair bit that is relevant even if you don’t use DivestOS.

DivestOS has the goal of adding more security and more privacy to primarily older devices.

If you have or can afford a Google Pixel, I strongly recommend you use GrapheneOS.
Otherwise, DivestOS is likely the most secure ROM available for devices no longer supported by their manufacturer.

I want to additionally note that DivestOS is more than just a ROM, under my FOSS umbrella:

  • Mull/Hypatia/Extirpater are not exclusive to DivestOS
  • Brace gives you more private/secure defaults for Arch Linux/Debian/Fedora/OpenSUSE
  • Divested-WRT gives you more secure firmware for your Wi-Fi router
  • I provide DNS blocklists, one of which is automatically generated from a list of 6,000+ companies.

Any questions feel free to ask.

Regards,
Tad.

15 Likes
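Tad’s point above about performing host blocking locally instead of handing your lookups to a third-party DNS service, illustrated with an added example that is not DivestOS code and not from any participant in this thread. The script parses a hosts-format blocklist (the style used for `/etc/hosts`-based DNS blocklists), honours an allow list like the one mentioned earlier in the thread, and evaluates a few DNS query log lines to show which lookups would be sunk locally and which would still be forwarded upstream. The blocklist, the allow list, the dnsmasq-like log format and every hostname in it are constructed for this example; the parent-domain matching in `is_blocked` is a choice of the example, not something a plain hosts file does.

```python
import ipaddress
import re

# Constructed sample blocklist in hosts-file format (not one of DivestOS's lists).
SAMPLE_BLOCKLIST = """\
# comment line
0.0.0.0 tracker.example.com
0.0.0.0 ads.example.net   # trailing comment
0.0.0.0 needed-cdn.example.com
127.0.0.1 localhost
::1 localhost ip6-localhost
garbage line without an address
"""

# Constructed allow list: names the user has decided to let through anyway.
SAMPLE_ALLOWLIST = {"needed-cdn.example.com"}

# Constructed DNS query log lines in a dnsmasq-like style (made up for this example).
SAMPLE_LOG = """\
Jan 01 12:00:00 dnsmasq[123]: query[A] tracker.example.com from 192.168.1.10
Jan 01 12:00:01 dnsmasq[123]: query[A] sub.tracker.example.com from 192.168.1.10
Jan 01 12:00:02 dnsmasq[123]: query[A] needed-cdn.example.com from 192.168.1.10
Jan 01 12:00:03 dnsmasq[123]: query[AAAA] mtalk.google.com from 192.168.1.10
Jan 01 12:00:04 dnsmasq[123]: query[A] example.org from 192.168.1.10
"""

# Addresses that blocklists use to "sink" a name; anything else is a real mapping.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# Names a normal hosts file maps to loopback that must never count as blocked.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts_blocklist(text):
    """Return the set of hostnames the list sinks to a null/loopback address."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line: skip it rather than crash on a bad list
        if addr not in SINK_ADDRESSES:
            continue  # a genuine address mapping, not a block entry
        for name in names:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES:
                blocked.add(name)
    return blocked


def is_blocked(hostname, blocked, allowlist=frozenset()):
    """True if the name or any parent domain is blocked and the name is not allow-listed.

    A plain hosts file only matches exact names; walking up the parent domains is
    a choice of this example that mirrors what DNS-level blockers commonly do.
    """
    name = hostname.lower().rstrip(".")
    if name in allowlist:
        return False
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


# Matches the constructed log style above: "query[TYPE] <name> from <client>".
QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def evaluate_log(log_text, blocked, allowlist=frozenset()):
    """Return (hostname, client, would_block) for every query line in the log."""
    results = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            name = m.group("name")
            results.append((name, m.group("client"), is_blocked(name, blocked, allowlist)))
    return results


def summarize(results):
    """Count how many lookups would be sunk locally versus forwarded upstream."""
    blocked = sum(1 for _, _, hit in results if hit)
    return {"queries": len(results), "blocked": blocked, "forwarded": len(results) - blocked}


if __name__ == "__main__":
    bl = parse_hosts_blocklist(SAMPLE_BLOCKLIST)
    res = evaluate_log(SAMPLE_LOG, bl, SAMPLE_ALLOWLIST)
    for name, client, hit in res:
        print(f"{'BLOCK' if hit else 'allow'}  {name:28s} {client}")
    print(summarize(res))
```

Running it shows the two tracker lookups sunk, the allow-listed CDN name let through, and the remaining two lookups still going upstream. The forwarded count is the part worth watching: everything a local blocklist does not catch is exactly what a hosted filtering service would also get to see, which is Tad’s argument for keeping the blocking on the device in the first place.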

Thanks for this info!

1 Like

Thank you for coming here, you are welcome.
I like the tone, the form and the content of your post.

4 Likes

Because you can’t easily whitelist. I used a hardcoded hosts file but was not happy with it; a symlink to an external hosts file would introduce security issues.

1 Like

I’m sure it works great, but to me it is not clear what it does, and what exactly is scanned. I see this a lot: putting a lot of effort into creating an “engine” and then the “car” has to be built quickly around it using cardboard :). But I think you taking the time here to answer some questions and statements is quite nice, thanks.

2 Likes

Dear Tad

thanks for your time and insights. I enjoyed reading your post and I’m happy that we, as in users, are in such a lucky position to be able to choose between different OS’ with different takes on similar problems.

Very nice from you sharing your knowledge with other projects. This is what makes FOSS great and I’m more than not jelly, as I’m not able to contribute due to my poor coding skills.

4 Likes