GrapheneOS developer still sells updates as a feature without explaining or showing the whole picture

The developer just seems to love selling updates to uneducated people as a feature. The commit shows only half of the truth.

While updates are undeniably important, he does not explain or show whether a newer kernel is not already compromised. This has happened often with newer OpenSSL versions, to name just one basic example where updating could be a problem security-wise.

In truth, GrapheneOS simply sells updates as a security feature without mentioning whether newer versions are really more secure; there is simply no proof for such a bogus claim. It is more than questionable whether newer versions are tested, or whether he just sells "newer is better" in general to lure people into using his AOSP mod. Probably no one can disprove him, as he updates constantly without ever doing a serious audit of the OS himself, and because it constantly changes it is nearly impossible to audit, confirm or debunk his promises.

This is exactly the scam we had with antivirus products: a test showed weaknesses, and shortly afterwards this played no role anymore because there was another signature update. Then, years later, serious security researchers really did test and abuse AV products.

Short conclusion

The example clearly shows that the developer fools people who are not in the security scene with unproven claims. Just because there is an update does not necessarily mean more security, until proven and tested otherwise. This is not mentioned with a single word. It should also be said that not every exploit or weakness is easy to abuse. People who typically use a hardened OS or are connected to the security scene are not a target, and those who installed it in the hope of gaining something over AOSP usually also read basic security news, since they already found out about AOSP mods such as GrapheneOS.

My response and impression
As already mentioned, we have lots of claims, once again all unproven, and the developer wants to make a living out of his project, which he tries to sell at all costs as secure. In fact the only thing that is secure is other people's work, which he simply adopts into his mod. I would like to show my disrespect at this point for not showing the entire picture and framing everything under the "secure" claim, which is more and more a cash grab these days.

The developer basically spits on the AOSP community, other developers and Google as well, claiming "oh, there is a new LTS kernel version, why not roll it out immediately" without even going into specifics about whether the exploits are easy to abuse to build an attack that actually works; in many cases there are other things to consider before an attack actually works. People need to execute unknown attachments and the typical yada yada, which is not really realistic, as people who use mods never fall for it and are knowledgeable enough to build an efficient strategy without relying only on the kernel's security model. It is called a multi-layer strategy, which again the developer did not mention once in the entire commit or on his website.

I think this whole "my mod is better and more secure than yours" is one gigantic scam. In the end I never heard of any breach even with the outdated kernel; there is also no current hole that can easily be abused, and this is just selling updates as a security feature. We had this with AV products and it did not work, as you need multiple strategies and cannot just rely mainly on updates; this is clear from the attacks on open source and the entire supply chain surrounding it.

I am not going to defend staying on an older kernel, as I myself use the latest stable kernels, but I do not claim the other way around either, that using alpha kernels is better because they have newer commits, because such a claim would require that you actually prove your point, which the developer has never done once, and I myself have no time to inspect and audit every commit to check whether it really holds what it promises on paper. I just do not see or understand why people are apparently falling yet again for the same AV lies we had in the 90s. It is all happening over again, just this time with smartphones. Smartphones are known to be weaker regarding security as there are more limitations; the only way you can bypass this is to get root, not the other way around by installing an Apple-imitating OS which gives the user zero choices.

The OS should actually be usable and the user should be in control; remote-based security mechanisms should be explained, and there should be toggles for everything with proper documentation. This is the way, not the Apple way of locking everything up so that the user can basically do nothing but install random store apps. You need to audit, inspect and verify apps and the OS, and then build strategies based on what you know, not try to defeat unknown stuff by restricting every move the user can make. People like me, as well as other users, are not children who want to get into the sandbox with only a green or red shovel and then be monitored under the promise of security. This is surveillance and limits users' freedom.

That is all I wanted to say with this little blog post, as I am pretty much finished with the GrapheneOS developer. I never had a high opinion of him and the picture falls into place: he wants to lure noobs to his page and product to squeeze them out, without having the decency to show them the whole picture, as his bogus claims cannot be verified on a professional level because in the meantime, like an AV signature update, the game changes every hour or every time you visit or want to review things to come to some sort of conclusion about the given statements and code.