Szilágyi Gábor

This week's intel update is out! Once more another week blazes by, and the conflagrations around the world continue to simmer. From the Fiery-But-Mostly-Irish protests in Northern Ireland, to a bit of mathematical impossibilities in the Middle East, the summertime keeps heating up all around. Link below!

The first public release of GrapheneOS Speech Services is now available in our App Store. After installing it, it can be activated as a text-to-speech service by tapping it in Settings > System > Language & region > Speech > Text-to-speech output > Preferred engine and approving it in the dialog. It currently has a single voice for US English. If you have the system language set to anything other than English (United States), then you need to change Settings > System > Language & region > Speech > Text-to-speech output > Language to English (United States) from Use system language for now. Once it's bundled with the OS, it will be enabled by default so activating it won't be necessary. Needing to activate the TTS engine causes a lot of confusion since Android's standard user interface shows the first TTS engine as active if none is active due to assuming one is bundled. Our Speech Services app uses a fully open source model for text-to-speech which we created ourselves using existing open source code and data. We'll be able to train a better model to replace this one now that we have an RTX 5090 for this purpose. We also plan to make voices for other languages too. The second most used language by GrapheneOS users is very likely German and then likely French. UK English would likely be much easier to add than those due to shared code and data sources so we may do that first but German will likely be next if we can find high quality open data to use for it. In the short term, we could alias all of the other English variants to US English to have it working by default with those selected as system languages. We don't really want to train more than US and UK voices in the mid term rather than adding other languages so we'll just alias those to US or UK. We also plan to make our own speech-to-text implementation to go along with the text-to-speech implementation. The models are end up very large so it's unclear if we want to bundle more than US English with the OS. The other languages could be available as extra language packs in App Store instead.

Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too. Google's Play Integrity API requires hardware attestation for the strong integrity level and is gradually phasing in requiring it for the more commonly used device integrity level. Apple already has it as a requirement. Over the long term, this will increasingly lock out hardware and OS competition. The purpose of these systems is disallowing people from using hardware and software not approved by Apple or Google. This is wrongly presented as being a security feature. Banks and government services are the main ones adopting it but Apple and Google are encouraging every service to use it. Apple's Privacy Pass brought hardware attestation to the web to help with passing captchas on their own hardware. Many people saw that as harmless since few sites would be willing to lock out non-Apple-hardware users. Apple and Google are both likely to bring broader hardware attestation to the web. Google's reCAPTCHA is planning an approach where they use Privacy Pass on Apple hardware, their own approach on Google Mobile Services Android devices and a QR code scanning system to require an iOS or Google certified Android device for Windows and other systems: https://t.co/7rQnioRa8A Banking and government services increasingly require using a mobile app where they can use attestation to force using an Apple or Google approved device and OS. Apple's privacy pass, Google's 'cancelled' Web Environment Integrity and now reCAPTCHA Mobile Verification are bringing this to the web. Current media coverage for reCAPTCHA Mobile Verification misunderstands it and the impact of it. They're bringing a hardware attestation requirement to Windows, desktop Linux, OpenBSD, etc. by requiring a QR scan from a certified smartphone to pass reCAPTCHA in some cases. They could expand it more. Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web. Google defines certification requirements for Android which includes forcing bundling Google Chrome, etc. It's enormously anti-competitive. Google's Play Integrity API bans using GrapheneOS despite it being far more secure than anything they permit. It also bans using any other alternative. This isn't somehow specific to an AOSP-based OS. You can't avoid this by using a mobile OS based on FreeBSD instead. You'll just be more locked out. Google's Play Integrity API permits devices with no security patches for 10 years. The device integrity level can be bypassed via spoofing but they can detect it quite well and block it once it starts being done at scale. The strong integrity level requires leaked keys from TEEs/SEs to bypass it. It doesn't provide a useful security feature, but it does lock out competition very well. Services requiring Apple App Attest or Google Play Integrity are primarily helping to lock in Apple and Google having a duopoly for mobile devices. Play Integrity is more relevant due to AOSP being open source. Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them. Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security. reCAPTCHA Mobile Verification will currently work with sandboxed Google Play on GrapheneOS but it clearly exists to provide a way for them to start using hardware attestation on systems without it. People without an iOS or Android device will be locked out when this is required even without that. This isn't about security or any missing functionality. GrapheneOS can be verified via hardware attestation. Google bans using GrapheneOS for Play Integrity because we don't license Google Mobile Services and conform to anti-competitive rules already found to be illegal in South Korea and elsewhere. Services shouldn't ban people from using arbitrary hardware and operating systems in the first place. Google's security excuse is clearly bogus when they permit devices with no patches for 10 years but not a much more secure OS. It's for enforcing their monopolies via GMS licensing, that's all.

This isn’t a glitch. YouTube’s AI has wiped out 13+ years of WWII tank archive footage and veteran stories. My entire channel is gone, and my account has been disabled 155,000 subscribers erased overnight. People are now calling me a PDF file, because in their minds the channel “wasn’t deleted” even though you can clearly see that it was. https://t.co/ZKFbIbWFrO That's the internet for you! First, the channel was removed. Then, my entire account was disabled. YouTube support bots claiming it was a Google product trigger, doesn't make a lick of sense when the channel was deleted first! The content that got flagged? Historical WWII footage. No nudity. No inappropriate intent. Just real history yet it was labeled as “child abuse material.” And I’m not the only one this has happened to. https://t.co/URAlJuc7XX This isn’t just about one channel. It raises serious concerns about how automated systems are handling and potentially erasing historical archives. We can’t let real history be misclassified or disappear like this. #RestorePanzerPicture #YouTubeCensorship #WWIIHistory #SaveHistory Support the effort to restore the archive: https://t.co/AXzajRGruv https://t.co/URAlJuc7XX

This week's intel update is out! This week we take a look at the stagnation in the Middle East and the strategic implications of this crisis continuing, as well as the increase of crime both at home and overseas, as our friends across the pond work through increased tension and terrorism concerns. Link below!