Guardian Rom - Secure Android OS

Discussion in 'privacy technology' started by x942, Jun 9, 2013.

  1. Mailmaiden

    Mailmaiden Registered Member

    Joined:
    Jul 20, 2014
    Posts:
    14
    Will the yubikey option work for any NFC tag that is capable of challenge response? I'm interested in using an NFC ring for convenience and it's not as easily identified as a yubikey.
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,260
    Location:
    Outer space
    Update and a new project (Linux distro for airgapped system):

    http://shadowdcatconsulting.com/blog/2014/8/14/updates-guardianrom-new-project
     
  3. x942

    x942 Guest

    It should as long as it supports HMAC-SHA1 Challenge-Response. We do include support for HMAC-SHA1 and the standard yubikey 2FA using YubiCloud. The latter does require internet access but no additional setup by the end user.

    It's now up! Tinfoiled Linux Beta has been uploaded to our website over here. If you have any feedback on it please let me know!! GuardianRom is being uploaded again right now. The delays are now over with ;)
     
  4. MagnificentSpam

    MagnificentSpam Registered Member

    Joined:
    Nov 1, 2013
    Posts:
    3
    Location:
    Germany
    Hi,
    I'm not sure if it is just me, but I find the website (shadowcatconsulting.com) horribly confusing. In the news section it tells me the rom was uploaded on 2014-08-14, I have checked the download page multiple times since then and it always shows the files are currently uploading. The current documentation file links to a download page that doesn't even exist. After lots of clicking around I found an installer, but I still was not able to find any link to the source code ("The ROM is completely Open Source").
    By the way I am a bit surprised that a site about security doesn't use ssl encryption as a default.
     
  5. x942

    x942 Guest

    I haven't been able to get on lately to explain everything in detail. It's a very long story and I will post on the site to explain everything when I have a chance.

    Few things to note:

    • The current site at: www.guardianrom.com is a temporary site, as I am not a webdesigner, nor do I have the time to dedicate to keep a site up to date so I am using SquareSpace.
    • Squarespace sadly doesn't allow use of SSL. I am looking for another host (if you have any recommendations shoot them my way via a PM).
    • I am the sole developer of the project - This is why things are moving so slowly. Up until recently I also had a Full Time (40 hour a week) job.
    • GuardianRom Beta is ready to be released. It was uploaded on 2014-08-14 but due to some unforeseen events (medical) happening I was unable to finish posting everything and getting it out to you all.
    • Source-Code for the kernel will be uploaded first as it is the quickest. Once we have our own servers we will host the code for the whole OS - making it fully open-source.
    • We need help. If anyone here knows android development or Linux Kernel development and can help me get this out faster that would be awesome. As mentioned before the two slowest things right now are porting Hidden-OS and GRSecurity patches over to KitKat. As a one man-developer team this stretches me pretty thin.
    Keep an eye on the site. I should be able to post links soon. I won't be home until Friday but after that everything should, hopefully, go back to normal. I am hoping to get this out by Friday at the latest. Since I couldn't be at home, and haven't been, since August 15th, I have not been able to login to the site and post the links. I don't have access to a secure network or the GuardianRom GPG keys where I am currently.

    EDIT: Website updates are underway. The site may be down for the next few hours while everything switches over to the new host. I have also purchased SSL certificates and I am preparing a server for TOR hidden services for those who want to remain fully anonymous.
     
    Last edited by a moderator: Sep 2, 2014
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,986
  7. x942

    x942 Guest

    I am working on this. The beta which is being released shortly will not have this ability just yet. The full version will have this. On software based installs (which includes the Nexus phones) we are doing this as part of the firewall. If we detect that encryption is being turned off on the 3G interface then we will alert the user (and optionally deactivate 3G altogether). Once we have our own handset made (which we are working on and is part of the reason for the last set of delays) we will include the firewall but we are also hoping to have a removable 3G Modem. When the user needs to they can insert the modem and use the cellular network, when they need heightened security they can just pull it out and go WiFi only. This would be good to use with hiddenOS too. HiddenOS is used without the modem and for super sensitive stuff, while decoyOS is used day-to-day activities and with the 3G modem. :)

    Our partners are open to the idea, more so than I thought they would be.

    EDIT: Also our latest updates: https://www.guardianrom.com/?page_id=2376 and our site is fully HTTPS now as we switched providers and hosts.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,986
    Thanks :) It's a huge project, and it's hugely needed.
     
  9. x942

    x942 Guest

    Agreed! Oh and since I haven't been able to upload it to the website just yet here is the latest Nexus 5 beta release:

    https://drive.google.com/file/d/0B0FVANQaN9CkNlI0eFJJcUtSTUE/edit?usp=sharing

    sha256: ee8aa993e36ebfc6b0280ba73a9d4862f7236eabf378de5bad05f7aa1239ed0d


    Missing:

    • HiddenOS
    • ChatSecure (working on this but chatsecure keeps crashing I am going to talk to the developers).
    • Firewall UI
    • Security Centre UI
    Everything else should be there. Working on the rest as I type. Encryption right now is still enabled under the settings app. Once the full version is done the user will be prompted on first boot to enable it (and there will be no skip option).

    How to install (ALL DATA WILL BE WIPED FROM THE PHONE!!):

    Download the zip from the link above and extract it. Navigate to the folder in terminal (Linux/Mac) or CMD (Windows).

    Flash using fastboot.

    [In an admin command prompt (windows) or terminal (Mac/Linux)]

    fastboot oem unlock

    fastboot erase boot

    fastboot erase system

    fastboot erase userdata

    fastboot flash boot boot.img

    fastboot flash system system.img

    fastboot oem lock

    fastboot continue
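
A check to run on the downloaded zip before the fastboot steps in the post above, as an added example that is not part of the original post: it compares the file's SHA-256 with the digest posted there and stops on a mismatch. The function names and the file name passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example: verify a download against a published SHA-256 before flashing.
# EXPECTED is the digest quoted in the post; the file name is supplied by the user.
EXPECTED="ee8aa993e36ebfc6b0280ba73a9d4862f7236eabf378de5bad05f7aa1239ed0d"

# Print the hex SHA-256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_image FILE DIGEST
# Returns 0 on match, 1 on mismatch, 2 when the file or digest is unusable.
verify_image() {
    file=$1
    # Normalise case and strip whitespace picked up when copying from a web page.
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    [ -f "$file" ] && [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    case $want in
        *[!0-9a-f]*) echo "digest is not hex" >&2; return 2 ;;
    esac
    # A SHA-256 digest is exactly 64 hex characters; reject truncated copies.
    [ "${#want}" -eq 64 ] || { echo "digest is not 64 hex characters" >&2; return 2; }
    got=$(sha256_of "$file") || return 2
    if [ "$got" = "$want" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $want" >&2
    echo "  got      $got" >&2
    return 1
}

# When called with a file name, check it and stop with a non-zero status on failure.
if [ -n "$1" ]; then
    verify_image "$1" "${2:-$EXPECTED}" || exit $?
fi
```

A match shows only that the file is the one the posted digest describes; it does not authenticate the publisher, which is what the GPG keys mentioned later in the thread are for.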
     
  10. t456

    t456 Registered Member

    Joined:
    Sep 8, 2014
    Posts:
    1
    Any idea if/when the os will be compatible with the larger "phablet" type phones (notes, mega, LG optimus G pro)?
     
  11. x942

    x942 Guest

    Well I am hoping the new Nexus phone this year will be a phablet if not I will work on porting over to the new Moto X as it's a 5.2" inch display. Nexus phones are easier as they have an AOSP source tree to work from. Stay tuned though once the source code is online I am sure someone will port it to the Note Line of devices.
     
  12. P IV

    P IV Registered Member

    Joined:
    Sep 11, 2014
    Posts:
    1
    Nice work! Thanks for all your hard work on this. This is definitely a huge project to take on.

    Any idea when the downloads on the new page will be up?
     
  13. Mailmaiden

    Mailmaiden Registered Member

    Joined:
    Jul 20, 2014
    Posts:
    14
    Great work. I wish I knew kernel development so I could help, quite a project for a one man team. Will this new hardware partner change the plan of relaunching the Kickstarter campaign? I look forward to helping out how I can.

    Cheers
     
  14. x942

    x942 Guest

    Thanks for the support! It is a huge project, but it is something I need myself too so may as well open it up when we are at it :) New Downloads page will be up shortly. Working out the kinks, GPG keys have been issued and will be posted online, also making a warrant canary so we can alert users if we are ever court ordered to do anything.

    Thanks for your support! We are going to relaunch the kickstarter. Part of the goal is to release the beta build (which is posted here) onto the website, get some media attention/publicity, and then launch. We are going in at a lower goal this time (like $5,000 instead of $30,000). If we hit our goal of $5,000 I am sure we will surpass it like most kickstarter projects do. Plus all we really need to do is show we have a following. The more pledges we get the more likely we can get a manufacturer to sign on with us. Not to worry as we have schematics and 3D models of the phone already made. We know what we want in a secure phone and are excited to work on a hardware level. There is only so much you can do in software. We also need marketing people and designers. So if you are looking for ways to help send me a PM :)

    The new kickstarter has to be done right from the beginning. We need proper graphics and layout and marketing :) It will be happening very soon though :)
     
  15. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Wishing here... Chainfire and Franco hop on board :)

    I found ChatSecure buggy, running Xabber with OTR now, no problems.
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,260
    Location:
    Outer space
    Nice :) In addition to a (perhaps) more newb friendly marketing I would also suggest more technical details for advanced users. Afaik the list of features for Guardian Rom from last kickstarter was incomplete and missing some details/features which could attract more techies.
     
  17. x942

    x942 Guest

    Agreed. I am not good at marketing as you can tell :p I am going to get someone else to do that this time around.
     
  18. mlauzon

    mlauzon Registered Member

    Joined:
    Aug 9, 2011
    Posts:
    113
    Location:
    Canada
    What is the current status of this project, and do you have a ROM that will work on the Samsung Galaxy S4..?!
     
  19. Jared_Parrish

    Jared_Parrish Registered Member

    Joined:
    Oct 21, 2014
    Posts:
    1
    Hey, what is the status of the project? And for some reason, my N5 refuses to boot into this os
     
  20. x942

    x942 Guest

    Sorry everyone, I have been crazy busy with the project. Since the last time I posted major things have happened behind the scenes. We now have a partner in the mobile space that is helping us move this along faster and get more traction. Don't worry. Everything will still be open-source and I still own everything and that will never change. I would sooner shut down the project than betray the openness of it. The good news is our partner is interested in bringing a hardware "GuardianPhone" to the market as well, this is why the last string of delays happened.

    I will have much more to announce soon. Keep an eye out for new updates. I will keep posting every chance I get. Stable is coming very soon as we now have multiple developers working to get HiddenOS ported as well as the rest of the security suite.

    At this time I can't say much more. I am very excited about the next few weeks and I can't wait to share it with you. Jared_Parrish please PM and I will try and help you out with that.
     
  21. logicprobe

    logicprobe Registered Member

    Joined:
    Oct 25, 2014
    Posts:
    1
    Is there an image for Galaxy Nexus? Or is N5 the only one available currently?
    Thanks!
     
  22. x942

    x942 Guest

    Galaxy Nexus sadly uses a system on a chip that is no longer supported. It's hard to maintain builds against it because of this.
     
  23. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    please make sure to list all supported devices once this baby goes gold i hope this will also work on sony z2 and z2 tablets which im planning on getting and its future iterations, em tablets could definitely go for the proper security

    update>

    oh and btw ive been doing a bit of thinking about your new airgapped project , tbh im not sure if this is anything you should be wasting your time on that should be invested in the main project , ill tell you why its because theres already systems in place that take care of those issues ,systems such as >

    Tails volatile live cd

    whonix , has all the goods of Tails minus the volatility

    and as last contender id put in qubes as main OS once proper windows support gets implemented and it goes gold it sure seems great



    so you see even for airgapped systems theres still a lot of options , not to mention the need for having an airgapped system in the first place is of little need at all as long as your using a proper firewall such as pfsense with tight rules in combination with a 64 passphrase high entropy wpa2-psk tunnel on your wifi

    now unless ive missed something then please do tell as always we're all here to learn or at least i am ;)
     
    Last edited: Nov 27, 2014
  24. x942

    x942 Guest

    Hey Happyyarou666, I will make sure a support list is up as soon as we are done. We have made huge progress on getting it ported over. Currently EVERYTHING including hidden OS works on 4.4.4. This is good, because it is the most stable version of Android right now that is supported on the most devices. If you want 5.0 don't worry. Everything is also ported to 5.0 except for hiddenOS which will take some time to port over. We recommend users stay with 4.4.4 as it is more stable, less likely to have bugs and we will backport any security patches from 5.0.

    As for the Airgap. That was just released as it is the system developed for GuardianRom. I used it to access and use the GPG Signing keys for GuardianRom. None of the tools you mention give you an Airgap, they just give anonymity. An Airgap means there is NO connectivity at all except for USB or CD. Physical access only.

    In this case the current system has actually changed a bit. We use Debian Hardened with GRSecurity installed to an HDD with all networking disabled and all USB Devices disabled through GRSecurity. RBAC is employed as well. This harddrive is stored in a secure safe in a hidden location. The GPG Keys are kept on a separate encrypted DVD-Rom that is hidden elsewhere. The machine has no WiFi card or Ethernet (both physically removed). The computer is stored and accessed in a room that is shielded with RF Shielding material to help ward off TEMPEST Style attacks. No other electronic equipment enters the room (phones, laptops, disks, etc.). The room is locked at all times with me being the only one with access.


    Why do all of this? Because projects like GuardianRom and some of my other works could grab the attention of 3 letter agencies. Your threat models may or may not be the same as mine, but when working on a project that will protect people I want to have as much security as possible. My threat model is landscaped as being worst-case (NSA).

    Why an air-gap when firewalls are in place? Because, the only "hack-proof" computer is the one that isn't online. We use airgaps to shift the attack vector from being remote to forcing it to be physical access (increasing time and effort of an attack exponentially). This way we control what the attacker can do and will know as soon as they try and get access as we have additional alarm systems and security systems in place including tamper resistant tags and Security Cameras.
     
  25. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,986
    Congratulations again :)

    What's the best device now for v4.4.4? Or the best ones, with some pros and cons for each? Or a URL that you recommend about that :)

    How far out is your custom hardware with locked-down and/or removable radio? Months? Years?
     