Fascinating read. I know nothing about any of this neither the parties involved nor Copperhead though I had heard of Graphene. To that end, I wish the response included a pre-amble for those like me who were not familiar with what was going on. I guess I could probably read the Wired article though. Still. good read and I loved the Q and A at the end.
Graphene is not a consumer brand and they do not intend to be a consumer brand. They do one thing: make as secure a phone OS as they can. That’s it. If you’re expecting them to do anything in a friendly way, it ain’t gonna happen, that’s not who they are or what they do. That will absolutely limit their scope and reach, but it also allows them to focus on the one thing they’re trying to do without making compromises.
For contrast, Signal is a very secure messenger which also wants to be user friendly so as to get the largest user base they can, which leads to all kinds of compromises - everything that’s come out that looks like a vulnerability in Signal originates in some feature or capability added to make the product more user friendly. Graphene will not make those trades.
Neither approach is de facto right - they spring from fundamentally different philosophies on how to maximize user safety, and both have been extremely successful in their missions, but you’ve gotta recognize what you’re looking at when you look at Graphene.
Speaking of trust issues, Rossmann's claim he was going to stop using GrapheneOS proved to be a lie, he was caught using it for months after. He knew it was impossible for us to target him with an individual update, that didn't stop him from including that supposed fear in his sob story though.
He made it sound like Daniel was going crazy on him for no apparent reason over a single comment he posted on the Techlore video when for one, we were wary of him already due to past disagreements and, more importantly, that very video is responsible for the swatting attacks that were aimed at getting Daniel killed by law enforcement. The swatting attacks were carried out by someone who loved the Techlore video a little too much. Do you see where I'm going? Rossmann had voiced his support for the very video that is responsible for the attempted murder on Daniel's life, I reckon you will understand that Daniel was upset over this.
Not much time had passed since these attacks took place so Daniel messaged Rossmann to figure this out and explain to him what this was all about. In private mind you, whereas Rossmann decided this was peak content and live streamed it while the chat was still taking place. Any human being with a basic sense of empathy and decency would have not done this since it was obvious that Daniel was in a bad headspace.
Yet he did so anyway. I guess that's not all too surprising given it was an excellent catch for his following on Kiwi Farms which he caters to.
One of the main criteria to differentiate "rants" from "correcting falsehoods" is proper citing of sources. In the case of Grapheneos, unfortunately I often see very few sources in what they post online.
(But, if you ignore the rants, that's a fantastic OS.)
#1 imo is the fact that some orgs are resilient to libel, and some are heavily affected. If someone is lying about your security protect in order to harm your reputation, I don't find it odd to respond with some zeal.
#2 on the other hand sounds unhinged, though no source is provided. Threatening legal action for broad criticism of project management is wild.
They dont have any history of attacking others. They have a history of defending themselves from attacks.
Other organizations having the resources to continue despite the damage does not mean GrapheneOS can or should deal with the damage it causes. That makes no sense and its excusing horrible behaviour from attackers. They arent rants, the truth just often requires more words than a lie, such is the nature of computer science.
I like the product, and even recommend GOS to those who want a hardened phone OS.
But goddamn, their social media gives me major red flags and I hate remembering that they exist.
I genuinely think that the information in this post is accurate, and at the same time, I think that it is painted in a way that feels off. Like the data is correct, but there are aspects that are clearly emotionally manipulative and combative.
I also have had some less than great interactions with GrapheneOS devs, when I was not seeking out interaction from them on social media (they came to my post and were combative) and played victim that I bullied them and was in league with the harassment campaign when I just asked them to leave me alone.
Overall, I just think that GrapheneOS is a good product, but unless you want to join their cult, just never talk about it neutrally or negatively unless you are ready for weird interactions.
I think this is the case of a lot of successful OSS. Intrigued people of all horizons comes and interact with few people building something meaningful, mostly on their free time, and expect to be welcomed as customers by the company spokesman. Torvalds had a famous way to express himself freely and hurt some feeling on the Linux mailing list, yet Linux is still a successful OSS project.
I would go on a stretch to say that people that express themselves naturally, without detour, are maybe more trustful than the usual silver-tongued corpo.
Why would debunking factual inaccuracies be a red flag? It's the rational action to take, actually. Big corporations often don't respond because their lawyers tell them not to. Surely you're not saying that's a green flag?
A lot of the readers here think Wired is still pre-2006 / pre-Condé Nast ownership.
I was personally involved in a story they did in 2015 that was paid for by a three letter gov agency to bad mouth a companies tech into changing. I know only a few of their tricks, and they’re dirty as hell.
> Donaldson, now 42, is a self-taught hacker who never finished school, was briefly unhoused, and spent most of his twenties in a “positive hardcore punk band.” “It’s cool being smart,” he told me. “But if you can’t pay your bills, you’re a dumbass.”
> The domain “Copperhead.co” was registered by Donaldson in 2014 and incorporated in 2015 under both Donaldson’s and Micay’s names. The idea was that shares would be split equally, with Donaldson as CEO and Micay as de facto chief technology officer. Their flagship product
It sounds to me like some "business" characters I know well. They "handle the business" while someone else does 99% of the actual work, then ask to split 50/50. This didn't work out for Donaldson, and now he spends his time harassing Micay? Is that the gist or am I misreading?
I love GrapheneOS and I use it daily for more than 2 years. However, and as Louis Rossmann pointed out in one of his videos, they really need to work on the "defensiveness" and "rants" of their communication. Even when they are 99% right most of the time, they sometimes don't come as mature and professional.
Personally, I like that they come across as a little paranoid. That's exactly the attitude I want in the people protecting my privacy and security. I hope the developers lie awake at night, unable to fall asleep because terrified that someone somewhere is plotting to attack and exploit them
It's a personality type / disorder (pick your poison). There's no hope for change. Programming seems to attract such people, because they are fixated on being right and proving that they are right. I know a few more examples. My common sense policy is - if the software these types produce works for me, I will be using it, but I will never allow myself to be dependent on it. That kind of person will gladly burn their own house to the ground, with everyone in it, if that's what's required to prove their truths or maintain some kind of intellectual purity.
My gut feel is that Micay is genuine, and obviously also very defensive.
At least some of the defensiveness is warranted. Maybe most of it. Regardless, it comes across in most GrapheneOS communications, and it's sometimes counterproductive.
A related issue, which I'm sure Micay can appreciate, is that users of GrapheneOS tend to be cautious, and increasingly will want to know why the project should be trusted, now that it is popular and on a lot of radars of adversaries.
(For example, hypothetical scenario that's plausible, given the incentives: State actor (e.g., RU, US, CN) or organized crime group long-con starts with a public harassment campaign of Micay. Followed by sleeper volunteers taking more control of the project, initially under the pretext of helping insulate Micay from harassment, and taking some of the load off. Later maybe even impersonating Micay. Now the threat actor has backdoors to a large number of especially privacy/security-conscious parties, including communications, 2FA, location, cryptocurrency wallets, internal networks where those people work, etc.)
I think it probably hasn't been compromised like that, but it's an obvious real possibility, and IMHO, until GrapheneOS is more transparent, some natural users of GrapheneOS are going to consider iPhone relatively "the devil you know".
Again, I think Micay is genuine, and I'm a fan of the project and appreciate it. And I hope the project understands that's compatible with critical thinking about infosec, and doesn't take personal offense at that.
(Source: Am long-time GrapheneOS user, and have donated.)
Have you considered that the smooth-talking "mature" and "professional" people are more likely to sell your data to advertisers at the first opportunity?
Louis Rossmann caused a lot of harm to GOS and blasted them publicly for trying to raise issues privately. That is disgusting behaviour. He then lied to his own viewers about no longer using GrapheneOS, lied about fears of a targeted update despite that not being possible, among a lot of other things. Note he also has an identity verified kiwifarms account.
GOS only defends themselves from attacks. Its not that they are misinterpreting what is an attack, there are really just that many attacks. It leaves little room for much else than defense. Nobody should have to deal with the inhumane level of attacks.
I don't care about messaging or professionalism in marketing. I'm perfectly happy with the way GrapheneOS is being managed right now, including their lengthy technical rebuttals to any attempts of attacking the project to dilute its quality or reach.
So what if they're defensive and cringe in their rants? Are you so indoctrinated into believing performative aloofness is "professional" that you can't see clearly?
I'm sure it's exhausting producing an awesome product, only to get crapped on by governments and corporations that hate privacy and drama-farming Twitter randos, but debunking bad-faith bullshit is nothing if not rational in a world where reputation matters.
I spent several minutes [1] looking into it earlier today because I'd mostly ignored it in the past, but his claims appear completely valid, and if anything, stop short of painting a sufficient picture of how badly he's harassed. I won't link to any of it here, but it took me one query and reading one page worth of it to think Micay is the most reasonable actor in the story. (Yes, I read more thereafter.)
When you have years-long public forum dox threads dedicated to doxing you with people openly calling for your physical harm, all with some non-zero degree of complicity and/or support by a YouTuber with millions of subscribers, let us know if it still seems like paranoia to you.
Being attacked? That doesn't mean anything. Either you know the security domains in and out or you can't make an educated guess how secure it really is.
Some of us embrace our humanity and have an ethical and moral need to engage with the world we want to live in rather than the world dominant economic forces would prefer us to engage in.
I can understand that, but for me he doesn't come across as a "bad" person. He hasn't come out with racism, sexism, etc. he just comes across a bit rude and blunt IMO.
I'm much more concerned with companies that claim to support LGBQT+ and then stick a flag up for 10 minutes once a year, or companies who make 10% of their workforce redundant because they want to pay themselves more, or companies who on one hand support green initiatives and then behind the scenes do the complete opposite.
There are a lot of judgemental comments here criticising Daniel's character, responses and handling of what was likely a very trying and stressful period in their life.
Barely any comments about the linked thread which is about Wired publishing an article that was extremely poorly researched after having misled GrapheneOS about the intention and content of what would be published. This seems like the sort of thing that should earn a disclaimer on future Wired articles as worthless and get them removed from RSS feeds/have subscriptions cancelled. Complete lack of integrity and respect for standards. Why did they not interview anyone else involved in the project or around at the time?
Frankly insane and speaks to the entitlement of many users that they are against Micay and GOS on this primarily because their online comms are abrasive; I'm used to this having seen the same from many in the Minecraft and Skyrim mods communities, but it still stands saying: You are not owed ANYTHING from a free software developer. They can say anything they want to you and revoke the software at any point or anything they wish - they are providing the software for purely no reason but they want to. If Micay wants to be rude on main he has absolutely every right to do so; if you don't like it, don't use his software. He's not a steward or paragon of virtue just because he has a popular software project, and it's extremely easy to stand on a soapbox and say "If I was in that position, I'd be so much better!" To all the detractors in this thread, I beg you: go make software and give back instead.
P.S. I avoided making any statements about what I personally think about Micay and the GOS team's behaviour above because I don't use it and have never looked into it before reading this article, but from looking at the comments, the WIRED article, the forum thread linked in this post, and some cursory research, it just seems like they are a popular software project that is at odds with many powerful actors with obvious motivations against their existence and popularity - if they are constantly combative online instead of being friendly, don't you think part or all of it may be because they have to defend themselves against attacks instead of having the freedom to be friendly like say SQLite/FFMPEG/Rust/other free software projects? I'm admittedly new to HN but this entitlement and refusal to empathise with the people giving you free shit seems insanely out of character
It seems very plausible to me that there is a vested interest in seeding drama and chaos into the reputation of GOS. Why wouldn’t there be? Especially when it seems there’s an easy way to trigger Micay, and there are cottage industries online specializing in exactly this sort of thing.
I get the sense a lot of people care about this project and care about defending it but good luck against the propaganda and bullshit like this that comes along with it.
I really enjoy GOS and used it as a daily driver for ~3 years
59 comments
[ 3.0 ms ] story [ 77.1 ms ] threadFor contrast, Signal is a very secure messenger which also wants to be user friendly so as to get the largest user base they can, which leads to all kinds of compromises - everything that’s come out that looks like a vulnerability in Signal originates in some feature or capability added to make the product more user friendly. Graphene will not make those trades.
Neither approach is de facto right - they spring from fundamentally different philosophies on how to maximize user safety, and both have been extremely successful in their missions, but you’ve gotta recognize what you’re looking at when you look at Graphene.
He made it sound like Daniel was going crazy on him for no apparent reason over a single comment he posted on the Techlore video when for one, we were wary of him already due to past disagreements and, more importantly, that very video is responsible for the swatting attacks that were aimed at getting Daniel killed by law enforcement. The swatting attacks were carried out by someone who loved the Techlore video a little too much. Do you see where I'm going? Rossmann had voiced his support for the very video that is responsible for the attempted murder on Daniel's life, I reckon you will understand that Daniel was upset over this.
Not much time had passed since these attacks took place so Daniel messaged Rossmann to figure this out and explain to him what this was all about. In private mind you, whereas Rossmann decided this was peak content and live streamed it while the chat was still taking place. Any human being with a basic sense of empathy and decency would have not done this since it was obvious that Daniel was in a bad headspace.
Yet he did so anyway. I guess that's not all too surprising given it was an excellent catch for his following on Kiwi Farms which he caters to.
(But, if you ignore the rants, that's a fantastic OS.)
#2 on the other hand sounds unhinged, though no source is provided. Threatening legal action for broad criticism of project management is wild.
Other organizations having the resources to continue despite the damage does not mean GrapheneOS can or should deal with the damage it causes. That makes no sense and its excusing horrible behaviour from attackers. They arent rants, the truth just often requires more words than a lie, such is the nature of computer science.
I like the product, and even recommend GOS to those who want a hardened phone OS. But goddamn, their social media gives me major red flags and I hate remembering that they exist.
I genuinely think that the information in this post is accurate, and at the same time, I think that it is painted in a way that feels off. Like the data is correct, but there are aspects that are clearly emotionally manipulative and combative.
I also have had some less than great interactions with GrapheneOS devs, when I was not seeking out interaction from them on social media (they came to my post and were combative) and played victim that I bullied them and was in league with the harassment campaign when I just asked them to leave me alone.
Overall, I just think that GrapheneOS is a good product, but unless you want to join their cult, just never talk about it neutrally or negatively unless you are ready for weird interactions.
I would go on a stretch to say that people that express themselves naturally, without detour, are maybe more trustful than the usual silver-tongued corpo.
They Built a Legendary Privacy Tool. Now They're Sworn Enemies https://www.wired.com/story/they-built-privacy-tool-graphene... (https://archive.ph/pbJu9)
I was personally involved in a story they did in 2015 that was paid for by a three letter gov agency to bad mouth a companies tech into changing. I know only a few of their tricks, and they’re dirty as hell.
> The domain “Copperhead.co” was registered by Donaldson in 2014 and incorporated in 2015 under both Donaldson’s and Micay’s names. The idea was that shares would be split equally, with Donaldson as CEO and Micay as de facto chief technology officer. Their flagship product
It sounds to me like some "business" characters I know well. They "handle the business" while someone else does 99% of the actual work, then ask to split 50/50. This didn't work out for Donaldson, and now he spends his time harassing Micay? Is that the gist or am I misreading?
Not that I disagree but Louis Rossmann giving someone advice to tone down the rants is ironic.
At least some of the defensiveness is warranted. Maybe most of it. Regardless, it comes across in most GrapheneOS communications, and it's sometimes counterproductive.
A related issue, which I'm sure Micay can appreciate, is that users of GrapheneOS tend to be cautious, and increasingly will want to know why the project should be trusted, now that it is popular and on a lot of radars of adversaries.
(For example, hypothetical scenario that's plausible, given the incentives: State actor (e.g., RU, US, CN) or organized crime group long-con starts with a public harassment campaign of Micay. Followed by sleeper volunteers taking more control of the project, initially under the pretext of helping insulate Micay from harassment, and taking some of the load off. Later maybe even impersonating Micay. Now the threat actor has backdoors to a large number of especially privacy/security-conscious parties, including communications, 2FA, location, cryptocurrency wallets, internal networks where those people work, etc.)
I think it probably hasn't been compromised like that, but it's an obvious real possibility, and IMHO, until GrapheneOS is more transparent, some natural users of GrapheneOS are going to consider iPhone relatively "the devil you know".
Again, I think Micay is genuine, and I'm a fan of the project and appreciate it. And I hope the project understands that's compatible with critical thinking about infosec, and doesn't take personal offense at that.
(Source: Am long-time GrapheneOS user, and have donated.)
GOS only defends themselves from attacks. Its not that they are misinterpreting what is an attack, there are really just that many attacks. It leaves little room for much else than defense. Nobody should have to deal with the inhumane level of attacks.
When you have years-long public forum dox threads dedicated to doxing you with people openly calling for your physical harm, all with some non-zero degree of complicity and/or support by a YouTuber with millions of subscribers, let us know if it still seems like paranoia to you.
[1] https://news.ycombinator.com/item?id=47868159
I'm more concerned that Signal incorporated in US is having easy life.
This Micay guy spends so much time and does something hugely beneficial and we're arguing about how he responds to criticism?
I'd rather direct and blunt rather than the weasel words and lies most companies put out.
I'm much more concerned with companies that claim to support LGBQT+ and then stick a flag up for 10 minutes once a year, or companies who make 10% of their workforce redundant because they want to pay themselves more, or companies who on one hand support green initiatives and then behind the scenes do the complete opposite.
Barely any comments about the linked thread which is about Wired publishing an article that was extremely poorly researched after having misled GrapheneOS about the intention and content of what would be published. This seems like the sort of thing that should earn a disclaimer on future Wired articles as worthless and get them removed from RSS feeds/have subscriptions cancelled. Complete lack of integrity and respect for standards. Why did they not interview anyone else involved in the project or around at the time?
P.S. I avoided making any statements about what I personally think about Micay and the GOS team's behaviour above because I don't use it and have never looked into it before reading this article, but from looking at the comments, the WIRED article, the forum thread linked in this post, and some cursory research, it just seems like they are a popular software project that is at odds with many powerful actors with obvious motivations against their existence and popularity - if they are constantly combative online instead of being friendly, don't you think part or all of it may be because they have to defend themselves against attacks instead of having the freedom to be friendly like say SQLite/FFMPEG/Rust/other free software projects? I'm admittedly new to HN but this entitlement and refusal to empathise with the people giving you free shit seems insanely out of character
I get the sense a lot of people care about this project and care about defending it but good luck against the propaganda and bullshit like this that comes along with it.
I really enjoy GOS and used it as a daily driver for ~3 years