eOS /e/OS e Foundation disastrous security WARNING-2

Please consider Topic eOS /e/OS e Foundation microG WARNING-1 first – thank you.
You may think that I am coming across too strong with disastrous security but these are not my words they stem from a German Tech site golem reviewing eOS. I was greatly assisted in the translation by German speaking posters at eFound community and discovering DeepL translation site with AI apparently! This was the final nail in the coffin that determined my shiny gold eS7 phone was to be returned – what a disaster?
Here is an extract from the lengthy golem article - Please draw your own conclusions abot e foundation, golem and InfoSec and do a little research yourselves.
/e/ would be a great system that nerds and privacy activists could recommend or install to their less tech-savvy parents or friends so that their old devices get security updates and are less monitored by Google. In reality it turns out to be a bit different, because outdated apps, especially messengers and browsers, both in the app store and in the operating system itself, as well as the unknown origin of the apps do not allow for any recommendation.
This is also no excuse for the fact that /e/ is still in beta, because /e/ is already advertising users and selling devices with pre-installed operating systems without any indication of the disastrous security. However, this is not visible at least not for a less tech-savvy target group.(…)"
I think Golem is referring to me – Andy!
Privacy enabled ??? Spok; This is privacy Jim, but not as we know it!
You may dismiss this independent review as a one off but for the fact that InfoSec confirmed this and more in their independent review. Admin tried to dismiss this too as being an old review and things were now fixed at eFoundation – Yeh, right? Admin did not say that the article had been updated not once but twice with recent final review of e. Whilst e admin including Gael Duval will not respond to golem and refuse to answer questions and emails from InfoSec then they roll-out cheerleaders to post how super eOS is and then add their personal likes to the cheerleader’s post. Tacky or what! Barf Out! In the background e admin then shut down posts relating to this disastrous security to stifle any future discussion – this is done under the false guise of Automatic shut-down.

https://community.e.foundation/t/e-privacy-enabled-android-rom-or-evil-corp-infosec-handbook/2804

https://community.e.foundation/t/infosec-handbook-25-12-2019-final-look/10638

https://codeberg.org/infosechandbook/scripts/raw/branch/master/other/e-rom-domain-names.txt

You may find links useful as a start. Please contain your posts here to e foundation articles of golem and InfoSec as I will post other seperate warnings for discussion.

@Andy2 do I need to smash my smart phone or pull out the battery and never use it again?
What is eOS/e/OS? Yes, way too much info for this old timer. What’s the bottom line?

Hi @easyt50 Howard from one old timer (70) to another - hope you are safe and well.

Check the link and you will see their claims about security and privacy of your data - de-googled too!

I foolishly believed all their claims and bought a refurbished S7 with eOS preinstalled from them - what a disaster. Seemed just as bad as a regular Android or iPhone so eventually returned it.
I have posted these warnings so that hopefully no one else falls blindly into this trap and will do a little digging first.
ps; Check out DiskLabs Faraday bags PS1 or 2. It will stop you being tracked while its in the bag.

Hi @Andy2, so you’re 70. Well guess what? I’m 70 too. Turned 70 this past February. I guess we might be two of the oldest user on this site. Yes, stay safe and keep on trucking.

Thanks for sharing the discovery!

I’ve been looking around at Android alternatives and e/os has been a tempting option. Knowing that its a security risk, I’m pointed back at the Linux phone options PureOS and PinePhone. One of the few working options right now is UBports’ Ubuntu Touch. https://www.pine64.org/pinephone/
Also still in Beta - and not yet ready to be a daily driver, it comes installed on the PinePhone UBports edition (currently for sale) but can be downloaded and installed for free on a Nexus5 device available from ebay. I’m interested in the PinePhone as a android replacement - but with it still under development the best privacy option right now is to install Ubuntu Touch on a Nexus 5, or use a De-Googled android phone.
Rob Braxman talked about them in this video https://youtu.be/EawS7CAUrf8 - the De-Googled android used mis-information to obscure your data with a spoofed google server.
The ultimate privacy step is to drive over a bridge and toss your phone in the river… something many (including myself) cant bring themselves to do.

Hey @mongst I have also been looking around at phone and OS combinations. Think that we should alert readers that you may have to pay import taxes on a Pinephone. Don’t forget that UBports also promotes the FairPhone-2 and the faster more powerful OnePlus-One along with 37 others at various stages. Would be great to use TOR browser on a phone. Please let us know how you get on after you have decided.

Thank you for the detailed info here. I’ve missed looking at your thread. It’ll take me a while to check everything you’ve mentioned.

We’ll make sure to add a disclaimer in our older articles about /e/OS after verifying the claims.

@Ankush_Das I discovered ephones from an it’sFOSS newsletter without any caveats or warnings.

This would be very good for Noobies and those not so conversant with security, privacy, tracking and data mining.
I am confident that my claims and those of independent reviews will stand up but should you require any assistance with checking out my claims please use internal mail to save clutter here - thanks.

How is the verification process coming along - hope soon?
Perhaps this may help. Also for the amusement of our community and sadness of how a forum (/e/) can run into ridicule.
Before it gets taken down - removed completely:-
For you amusement and sheer incredulity please take a look at older post first - leaving e wide open to ridicule - where presumption of results of experiment are presumed to be “0” zero! and presented initially as fact of e’s Data Privacy Check out my hidden posts.

The primary purpose of this mail is to take you to a thread I started to give a real example of phone privacy OpeNyx rather than the false claims of e front page:

I am going through a sense of great guilt and shame that Archie - their most prolific tech poster and Samsung Guru and just a nice person has quit over my silencing by the head of admin cheered along by Fanboy Rik.

The Emperor’s New Clothes

https://andersen.sdu.dk/vaerk/hersholt/TheEmperorsNewClothes_e.html
Take care - stay safe - Andy

Hello folks, I’m new here and I’m also looking to dump Google. I have Huawei Nova 2i which I bought in the Philippines almost 2 years ago.It works great( except for the battery I just replaced). Are there any really good open source mobile OS’s that may work with my device?

i don’t have any experience with that, but you might get some more views or help if you start a new topic for your question since this one hasn’t had much traffic recently and is mostly just about eOS.

Hi @breadtoaspire - May I welcome you on behalf of this community?
@01101111 is correct with his suggestion and many of us are hoping for a separate Phone section for members to post such requests and topics.
I just made a quick search for you and found…

This is NOT a recommendation from me as there are security issues with this OS and others that are forked from it - though still a good read and good information on the process of installing OS’s. You can read my warnings about /e/ or eOS phones here
I am now happily using GrapheneOS on a recommended Pixel-3 yet others have managed to install it on other phones - even a dirt cheap Samsung S4. So that should give you some hope. Also check UBPorts web pages.
Good luck.

Dear Ankush @Ankush_Das Could I invite you and the it’sFOSS Team to respond as it is now over three months since you said that you would look into this matter?

I have been effectively banned by the eFoundation community web forum without any explanation since 25th July as all I can do is log in – without being able to post or reply.
It was after all through reading your newsletter that started me on this dreadful experience with /e/ Foundation and their false advertising. Why is it taking you so long?
Perhaps take a look here as just one of many negative reports
https://privacy-formula.com/reader/ewwlo/
As the most fervent critic of eFound ewwlo.xyz seems to have disappeared off the web.
Please let me know what happened

Hey @Ankush_Das way on back in May 2020 you committed to…

It is now December…! “Take me a while to…” - is stretching the point a little don’t you think?
Please let us all know if you intend to make good and deliver on those promised actions especially as it’sFOSS is still actively promoting this product - expensive preinstalled phones - without any warning or caveats.

As I’ve mentioned you earlier through PM, everything you point out revolves around MicroG and how it works/why it connects to Google servers (anonymously). There’s no better viable alternative to MicroG as of now to offer consumers, and I don’t see a problem with that.

As far as I’m aware (I checked all your links), /e/OS team/moderator has officially replied to all the threads and questions about security/privacy. It has all been officially addressed, I don’t need to get into that.

Now, to give you a conclusion to why I still haven’t added any warning/disclaimer to our posts:

“We at It’s FOSS never claim or promise or force any reader whatsoever, e/OS/ is a passionate project to enhance digital privacy and is open-source, hence, we have mentioned it”.

That being said, nothing guarantees 100% of your privacy/security and everything has a loophole. In a broader idea, "de-google" is a myth for smartphones (practically speaking) but the point of "de-google" method is to simply enhance digital privacy.

Maybe, we can improve our privacy-centric articles by mentioning the fact — so that no one mistakes It’s FOSS for promoting deceiving products in the future (which we never do in the first place).

I hope that clarifies about our take on e/OS/ security and privacy concerns.

That would be perhaps a fine deal. It would be unbeneficial for everyone, if people weren’t fully aware, that the articles are an information about what exists rather than what is good. People have to still investigate and decide themselves if they accept certain solutions, or not.

@Ankush_Das I am most surprised by your response and cannot follow your reasoning at all. As in your PM you suggested that our members should visit /e/ support – What the ….! Like sending sheep into the Lion’s den! As /e/ forum has an international reputation for closing down criticism and banning people – even banning people for liking my security posts! I had hoped that the it’sFoss team would at very least offer some precautionary advice to your membership as I have sought to do. Instead we get zilch – and to add insult to injury….

“everything you point out” Yo; where did this come from. Where is your reference to “unknown origin of the apps do not allow for any recommendation.” Have you got any independent review like Infosec confirming that connections to goolag are anonymous? Gael Duval of /e/ admitted that there is TLS 1.2-encrypted traffic from/to www.google dot com, gstaticadssl.l.google dot com, googleadapis.l.google dot com, and www3.l.google dot com via IPv4/IPv6. Never knew that goolags apis were anonymous? I have never seen any independent verification of this anonymous – where are you getting this from? Merely repeating e’s false and unproven, unsubstantiated advertising just does not cut it; as it is in this context, just blatant promotion of /e/ by yourself implying approval by it’sFOSS.

Unbelievably, as can be seen; you continue with this blatant promotion of /e/ quote - “There’s no better viable alternative to MicroG as of now to offer consumers” - any basic research will take you to GrapheneOS – an OS which I have been using for some time, endorsed by none less than Edward Snowden - “If I were configuring a smartphone today, I’d use Daniel Micay’s GrapheneOS as the base operating system.” I think he may know a thing or two about smartphone security and privacy.

….“and I don’t see a problem with that” which parts of the well respected independent reviews did you not understand - disastrous security, being only one aspect. I had so many security and privacy problems with my /e/phone I returned it for a full refund.
Your assertion come recommendation is quite laughable – Let’s take the 700 dollar OpeNYx Smartphone - When Secure Hardware Meets Secure Software it uses GrapheneOS for the security of its customers as does the impressive £1000 plus OMERTA smartphone

They must be desperately worried about their total lack of MicroG based on your “There’s no better viable alternative to MicroG as of now to offer consumers”
So what is Andy’s recommendation of GrapheneOS about and why does it deliberately not use MicroG or goolag services?

Quote:- GrapheneOS will never include either Google Play services or another implementation of Google services like microG – AOSP APIs not tied to Google…GrapheneOS is not going to be implementing these via a Google service compatibility layer because these APIs are in no way inherently tied to Google services. - We won’t be supporting arbitrary signature spoofing by microG or any other app since it seriously compromises the OS security model.
So you want to ignore @Ankush_Das and get GrapheneOS but can’t afford £1000…? So do as this 70 year old pensioner did and buy a used Pixel 3a smartphone and flash the OS yourself. Just follow the step by step video guide. Some have installed it on a £40 used samsung S4…!
That will do for now regarding just your first paragraph – I will highlight your economy with the actualité in subsequent paragraphs in my next post here.
Hope I have not been too critical – I have researched and referenced my wording – as I’m driven to protect it’sFOSS membership from suffering my huge mistake of buying an /e/ phone on your recommendation.

“I checked all your links” - but did you follow them to the end? Say at gitlab or github?
“/e/OS team/moderator” Manoj Nair - Ah that slippery fish (or eel) who intimidates his members and closes down criticism – Did you ask yourself; who is he or how he operates? Gael Duval’s henchman and enforcer marshaling the same autobot fanboys? He claims to keep the developers off the forum yet he lists himself as a developer on gitlab. You have to question if he and Gael Duval know the meaning of being truthful and honest as their rules say “moderators do not preview new posts” yet….

NewCens-041007×212 11.7 KB

Followed by……

NewCens-05999×152 11.3 KB

As you can ALL see: I am not making this up! So guess that makes overt Censorship official at /e …. pathetic or what? Why are Gael Duval and Manoj so scared of what a 70 year old British pensioner might write in the few minutes before their sockpuppets and fanboys flag and hide it…? “comfortably hidden behind their computer screen and their pseudonyms” to quote Gael Duval. When you read the Gael Duval blog you may begin to understand why he desperately needs the services, talents and expertise of such a person as Manoj Nair to police his /e/ forum like the Stazi…?
Manoj Nair – on wiki Mnair69; where he links everything except /e/ and his involvement as admin, moderator or developer. I wonder why…? Yes the same guy wiki investigated for operating an online sock-puppet identity used for the purpose of deception. Not to mention Orangemoody - editing for profit (i.e., that they are paid editors or forum admin).
Although I have been advised to stick to factual rather than personal I find it necessary for our good membership to a least make up their own minds on the players and at the same time encourage those with inquisitive minds to at least look up the terminology on wiki. Yes; Gael’s own whining blog site (indidea) is listed as a possible sockpuppet in the wiki investigations. I leave you to guess who else who cries “Fake News” when discovered and why our staff wont - "I don’t need to get into that."

As far as I, Andy am aware these supposed official addressed items either end up at another of Gael’s blogs at https://medium dot com/hackernoon where he cannot be questioned rather than his own forum where questions are asked of him – WHY? Or at …

Where as far as I can understand the “issues” are just closed by renaming them or are at best are left as “status To Do” Hey Guys I could do with some help here to understand better as to just what is going on – is nothing resolved…?
Some “issues” read “What is the current behavior? - TLS encrypted calls to and from google web addresses as mentioned above. “What is the expected correct behavior?” The calls should not take place…… So these Shedloads of TLS 1.2-encrypted traffic from/to google connections are still happening today and that is just one example. Is this what eFoundation mean by “/e/OS is open source, pro-privacy and fully degoogled”…? Yo it ain’t even fully open source either! Also…“In summary, the weather app leaks your IP address, the identity of your device, and maybe your location (city name, GPS coordinates). All is sent in cleartext.” Also… Privacy Focused…LoL – Would you buy a phone from these eGuys….LoL

OK Guys – hands up; I’m an OAP Old Age Pensioner struggling with gitlab and other technical stuff – silly old fool…? Apparently not - even our staff member failed once again to do a little basic research to find that on German pro privacy Mobilsicher website…. experts express critical opinions on the current state of the OS, Google servers are still needed, App-Store - here the e Foundation should definitely find a secure solution. Etc
Perhaps our staff should have also found from a well-recognized German security expert - Mike Kuketz…( use DeepL to translate article - simple)

So apart from the dubious apps he highlights another appalling aspect of using a Nougat ePhone – updates or lack of them “I do not believe that e.foundation is backporting the security updates for Android Nougat”
Or as I and experts have noted Disastrous Security with using /e/
Perhaps my next post will address Nougat and highlight that - I started with used ebay Pixel-3a then I fully updated to Android 10 with latest security patches before flashing GrapheneOS. Can an ePhone do that? No
All can see that – I do not look away – I investigate false claims about privacy and degoogled to help our membership! Stay Safe
Edit: ps - I have just noticed 600 views - What? Wow - sincere thanks to all - I only expected a handful

Hey FOSSers – Just found this which will give our US membership another perspective though it should be said that the author, phone expert and magazine are not up to speed. I have written to them about their failings.

Though to their credit they too do NOT confirm that it is google free
A search of their magazine reveals no results at all for grapheneOS or the secure phones for sale with this ROM. You can get more quality, better informed, information here at it’sFOSS community forum even though our staff are still falsely listing /e/ as being google free…

“Gael: It doesn’t send a bit of data to Google” Have you any independent expert review to confirm this - would be my question. But this is beyond our compliant staff.

All this after another open promotion of /e/ OS by a member of staff listing it under a heading of “Open source projects based on Android but free from Google” LOL - when they know that this is not so according to independent expert testing and review. Their dodgy apps not even mentioned or even their inability to update to latest AOSP and security patches. This is a totally misleading review or article on /e/ - surely it’sFOSS can do much better than this?

Where are it’sFOSS staff getting their independent information from… or am I on another website on another planet…? Answers please