Security researcher working on mobile privacy/security. Memory allocators, compilers, language design, attestation, sandboxing, permission models, etc.

Toronto, Ontario, Canada
Joined June 2018
The newly created @GrapheneOS handle will be used for official project announcements. I'll continue to use this personal account to talk about GrapheneOS development work and security research. I'll be retweeting all the announcements here, so it'll remain a subset of this feed.
2
24
1
112
DanielMicay retweeted
Someone not part of our community was using the 'GrapheneOS' group name primarily to post spam and promote products not associated with GrapheneOS. Telegram has taken away the name from them and transferred it over to this actual GrapheneOS community group on the platform.
0
3
0
24
Show this thread
DanielMicay retweeted
GrapheneOS doesn't have an official Telegram group yet. The community created an unofficial group. In order to avoid fragmenting the community, we're going to be bridging it with the official IRC channel and control of it will be transferred over to GrapheneOS. It's in progress.
1
3
0
37
Show this thread
DanielMicay retweeted
"why is this android roguelike's savefile like half a megabyte" *opens file* "oh"
23
41
10
397
DanielMicay retweeted
Someone can set their display name to "strcat (@strcat:matrix.org)" and the Element UI doesn't differentiate in any way between that and the way that it shows the actual account name in parentheses like this. The trusted UI is ambiguous with untrusted UI. Real issue.
0
1
0
7
DanielMicay retweeted
My display name is strcat. My username is @strcat:matrix.org. Since there are other users with the same display name (the virtual user for my IRC user), this is how Element displays my name in the main room. That part in parentheses is part of the Element UI.
1
1
0
2
DanielMicay retweeted
No, because Twitter shows your actual username right under the display name and doesn't let you mimic the UI used to display it with your display name. It never displays it as "DisplayName (@username)" and allow people to do "DisplayName (@fakeusername)" which is the issue here.
1
1
0
2
DanielMicay retweeted
Basically, Element displays (@account) after an ambiguous display name but it's possible for people to add that client UI to their actual display name to trick people. Users are used to seeing it as a trusted client UI but it's possible for someone to completely fake it instead.
0
2
1
12
Show this thread
DanielMicay retweeted
They successfully tricked a lot of people this way. Display names are problematic in general as a social engineering vector, but they're using a particularly nasty way of using it to display a fake client UI. Expect this is going to be a problem we see regularly in these raids...
3
2
0
17
Show this thread
DanielMicay retweeted
Ended up receiving one of these messages ourselves so now we were able to take a closer look at it. They're taking advantage of display names having too much flexibility to make a fake trusted UI which users think is part of their client combined with the sneaky account names.
1
1
0
12
Show this thread
DanielMicay retweeted
Reported this to abuse@matrix.org and security@matrix.org but it's being actively used to trick potentially hundreds of our users. It's not at all a secret after being actively used this way and it's also fairly unlikely they discovered this. This was likely already being used.
1
6
0
30
Show this thread
tweet.lambda.dance/GrapheneOS/statu… This is happening right after a major spike in concern trolling clearly aimed at wasting time and creating conflict. Unfortunately, we end up needing to keep a close eye on new users in the channel because usage of sockpuppet accounts is very common.
Please be aware that a Matrix / Element exploit is being used in the #grapheneos:matrix.org and #grapheneos-offtopic:matrix.org to impersonate GrapheneOS developers. They're adding special characters to the end of a nickname not shown in Matrix clients.
Show this thread
0
1
0
13
DanielMicay retweeted
This was an early revision of the message. Later messages are using revised versions of it. They're likely going to try other nasty stuff. Clients are displaying the account names incorrectly and it doesn't even have the extra character(s) when copying. Can't trust your client.
1
4
0
21
Show this thread
DanielMicay retweeted
This is a fake account. It's not @strcat:matrix.org. It's incorrectly shown that way in common Matrix clients. It's part of the ongoing raids against our channels. Most users in both channels are receiving these messages. Screenshots are from one of those users.
3
8
1
26
Show this thread
DanielMicay retweeted
Please be aware that a Matrix / Element exploit is being used in the #grapheneos:matrix.org and #grapheneos-offtopic:matrix.org to impersonate GrapheneOS developers. They're adding special characters to the end of a nickname not shown in Matrix clients.
4
45
3
81
Show this thread
They're welcome to drop their attacks on the open source project they forked and depend on entirely to build their closed source product. There will be evidence-based responses to further attacks including continuing existing ones. Stop trying to harm us if you don't like it.
0
0
0
7
Show this thread