Hacker News | Anonyneko's comments

Considering my country of origin is using crypto for sanction busting at an enormous scale, I just take this line as absolute truth.

Sanction busting is an interesting thing because states are sovereign so if one state imposes sanctions on another, it's not illegal for the sanctioned state to do everything to ignore/bypass them, unless we consider the sanctioning state to be somehow above others/source of truth for what's legal.

It's usually illegal in the counterparty's state. If I'm in the EU and I sell weapons to Iran, Iran isn't breaking Iranian law, but I'm breaking EU law. Iran is also breaking EU law but that's irrelevant to them the same way it's irrelevant to me that I break North Korean law all the time.

Aka the USA

E.g. ext.to aggregates torrents from a lot of public trackers, very often you can find good releases there.

I wish Mullvad would focus on censorship breaking. These days anything that doesn't implement something along the lines of AmneziaWG/Xray/Shadowsocks/Outline feels like a waste of time, sadly.

They do have Shadowsocks

https://mullvad.net/en/help/connecting-to-mullvad-vpn-from-r...

They've worked quite a bit the past year or two on censorship breaking. But I guess there's always more to be done in a cat and mouse game


What makes it a waste of time? A reputable VPN provider that offers a pretty reliable service and has every indication of having a competent security team is worth something in itself; not everyone using Mullvad wants to set up / debug potentially complicated systems either.

We still used them in the university as late as in 2010...

...as writing paper.


And something my older relatives have trouble with to this day, no matter how much I adjust their double-click timing settings...


I have most things set to single click to activate.


We will be truly screwed when internet providers will only allow attested hardware to access the internet. Doesn't even seem like an outrageous outcome anymore.


My country had a complete economic collapse in the 90s and people could barely afford food, so mileage varies.

As an oil exporter country we were saved in the 00s by oil prices ballooning to the moon, so that was the golden decade for us instead (relatively speaking, and mostly in the big cities).


Cue the absolutely inevitable pit wall clown masks meme.


I've resigned myself to the fact that I'll need to use two phones, one with locked down Android/iOS for banking applications and government services (those require strong bank ID around these parts), another with some kind of a Linux or unlocked Android for literally everything else. Oh well, such is life, most people don't care enough about this to pressure Google/Apple/banks/governments into yielding.

A big reason why a non-locked-down OS is absolutely vital to me is that sometimes I (reluctantly) have to travel to places where I need to install obscure VPN/proxy services to be able to access international internet. Most services present in app stores have been banned for years now, and the government sometimes even succeeds in making Apple/Google remove the more effective ones from the stores.


What we need to push back on is making a phone a requirement to do routine banking and conducting other necessary business. There is no reason I should be required to have a phone in order to query my balance or transfer money to someone, when I have a perfectly good computer sitting here.


The physical keys, like Yubico, help with that. However, I have not been convinced that a password manager with unique, strong passwords on all my accounts shouldn't suffice. I don't know why I have to be penalized because other users don't use best practices.


Bank apps in India don't run on rooted phones, and need developer mode and adb disabled. At the same time, their website works fine on Firefox on Linux where I can literally go through all their front-end source, attach and run debuggers.

What even is going on? Why are banks doing this security theatre when all their apps are doing is calling some backend APIs?


I think most bank apps in the western world also refuse to run on rooted phones. To my pleasant surprise my banking app worked on GrapheneOS though.


In my informed opinion, anybody who does banking on their phone is taking a big and unnecessary risk. I wish I could say more.


> anybody who does banking on their phone is taking a big and unnecessary risk

It is not necessarily a matter of choice. Besides what the other commenter notes about 2FA, in some countries banks have been removing functionality from their online-banking website, and you can only do certain things in the phone app.


> in some countries banks have been removing functionality from their online-banking website, and you can only do certain things in the phone app.

The most infuriating I've seen is a bank which removed the annual tax report (which you need to do the annual income tax) from the online-banking website, requiring you to use the phone app... to download a PDF file, which you then have to transfer to the computer anyway so you can print it!


Fwiw, iOS lets you print to network attached printers directly, no macOS needed.


You can print from your phone, and also you probably don't even need to print it.


This annoys me to no end. I have an old phone that I boot up occasionally because it holds all the apps that I only need once per year for a niche feature that is only accessible in their app. I don't need 200 apps on my main that I would otherwise never open.


I see you suggest you can't say more, but I'll still ask the questions:

Is it a privacy or financial risk to have banking on your phone?

How is banking on a phone app more dangerous than banking via mobile or desktop websites?


It is a privacy risk, a financial risk, and a security risk.

The issue is the platform. Obviously there are issues with desktop platforms too, but those are easier to mitigate.


See, the thing is, here you can't use banking on your computer without having a bespoke authentication app on your phone. There used to be a system of one-time codes sent via paper mail, but even that has been scrapped by now, so using bank ID apps is literally the only option across all of the local banks. In my bank the ID app and the bank app are even different apps, and it's the ID app that's the truly important one to have (and that, of course, hates rooted/modified phones with a passion).

The government services also go through these ID apps, although there is a poorly supported alternative that uses USB smart card readers. I have not seen a single person actually use it, probably for a reason, though I'm planning to get one just to have a backup...


At least in Finland's Nordea bank you can order a physical code calculator, they used to be small enough to keep on your wallet but the new one is the size of an old small phone. It even has a QR scanner. So I just keep it at home.


I actually had no idea, I thought they retired these, but it seems that one of the models is still available. Thanks for the heads up!


Not a choice if you live in a "developed" country


I live in a "developed" country and don't have a banking app on my phone. It's a choice. Sometimes it's a choice of which bank you bank with. Sometimes it's a choice to stick with more traditional means of interacting with that bank and not even checking your account using a website, but it's absolutely a choice.


Is Linux for phones a thing? Or are you referring to GrapheneOS or LineageOS?


Real Linux on phones is a thing. They're usable, but most hardware is getting old. E.g. PinePhone still works fine, but they recently announced that it's unlikely that we see a new version. They mention that it's hard to be competitive with hardware when people can install PostmarketOS and SailfishOS on cheap old Android Devices for a similar experience.

https://pine64.org/2026/03/24/march_2026_fosdem/#where-is-th...

In the long run - without PinePhone - people will lose more and more control over hardware and drivers.



They're insecure [1] and far from usable.

[1] https://madaidans-insecurities.github.io/linux-phones.html


Only if your threat model is equal to the one from the GrapheneOS crowd, and only if you value freedom less than maximal security. It's fine if this is your choice, just don't say this is the only reasonable choice.

Concerning "usable", Librem 5 is my daily driver. I have no backup phone.

Also, after skimming your link and seeing "Hardware kill switches are nothing but marketing frills", I can state that this is nothing else than FUD. Kill switches can protect me, when GrapheneOS can't. You have to trust that your proprietary modem never spies on you. I don't have to. Also, here is a couple of nice discussions of this article: https://news.ycombinator.com/item?id=37507414 and https://news.ycombinator.com/item?id=28500824


I think this is the only long term solution, even if cumbersome.

I’m curious what secondary devices people are using. I have a second hand Surface Go running Fedora 43 with Gnome, it’s a bit big but it’s doing its job well.


You have selected Microsoft Sam as the computer's default voice.


My friends and I had fun in the computer lab with Microsoft Sam, inputting long strings of characters to create funny sound effects. Sususususususu.

