Daniel Micay
There's now an improved implementation of this DDoS protection available at https://github.com/GrapheneOS/infrastructure/blob/b21ea0a23f4d59b7774f4f2ac3dfa4cee7d2597b/nftables-ns1.conf which only uses synproxy to handle SYN packets beyond a rate limit that's unable to exhaust the conntrack...
> Back in the days linux-hardened was mostly targeted for android

That's not really true.

> This is not the case for generic linux platform so adding MPROTECT improvement make...
The point of this project was implementing kernel self-protection and userspace process hardening which does not overlap with what should be done via LSMs or in userspace. It's not intended...
The goal of linux-hardened was never supposed to be providing redundant features better accomplished via SELinux or work in userspace. For example, beyond the base randomization provided by the kernel...
We have a partial fix for this implemented. It blocks apps sending or receiving multicast packets. However, it doesn't yet block the kernel generated IGMP packets triggered by apps. There...
This is now fully fixed by the combination of https://github.com/GrapheneOS/platform_packages_modules_Connectivity/commit/615c33e677bd19ee023178e4aab11c43989123c7 and https://github.com/GrapheneOS/platform_system_netd/commit/61811e6b628b5183375a516ab4328edb2393b29b.
Fixing this was much more involved than we had expected. We needed eBPF enforcement to address what was reported here but we discovered other issues requiring more complexity for the...
These are the relevant release notes:

* extend standard Android eBPF filter to prevent apps sending multicast packets outside of the VPN tunnel either directly or separately via kernel-generated multicast...
This caused minor app compatibility issues we can likely easily resolve and unfortunately major carrier/network compatibility issues which weren't reported during ~20 hours of Beta testing so we need to...
Likely caused by a non-default launcher having compatibility issues with Android 14 QPR2. Need more info or we can't determine that.