Okay. Good morning. Welcome today too. I just have an update on the slides. I was giving out some outdated information yesterday. So for speakers, you are meant to email it and not upload to shared, even though you can. And the slides will appear. There's a drop-down link on the website and it just says slides. So they're all there in one place. Sorry for the wrong information. So our first talk this morning is someone who works for the Linux Foundation on the Git servers and other parts of the infrastructure, Konstantin Ryabitsev, and he'll be talking on Qubes and probably something interesting, I'm guessing, about CopperheadOS.

All right. Thank you for coming. I know it is an amazing morning out there and I really appreciate that you guys traded it off for me. It says a lot. I haven't had any coffee because they didn't bring any. I am running on pure adrenaline, which is good. You know, they always... yeah, maybe they'll bring it later, but they always ignore security people until the last moment. Observation.

So we're gonna talk about Qubes OS and CopperheadOS. Today we'll cover the following topics: you know, why did I do this to myself. If you were here earlier you saw me try to make it work. I had to switch to a different window manager just to make it work. Qubes OS we'll cover, and CopperheadOS. I'll go into it in some detail. Not too much, because you'll see. I'll discuss the guiding principles behind Qubes OS and CopperheadOS. I will go through device requirements. There will be a very brief look at what it would take to install it. What daily use is like: that's the aspect that I'll cover most, because you're probably interested to hear what it is like to actually do your work and live your life under Qubes OS and Copperhead, what you will like, what will drive you mad, and then convenience and security trade-offs, and we'll go over the future outlook, or lack thereof, for each of the options. Please interrupt at any time. Just yell "question" at me.
I'll repeat it for everybody to hear. So this will be a little faster, because I know it's hard sometimes to remember what you were going to ask until the very moment. So please feel free to raise your hand and ask the question and I will answer it, because this way it's right in everybody's mind.

About me: I'm a professional Russian hacker. I was one before it was popular, so you've probably never heard of me. The lack of accent is the sign of professionalism. Linux on the desktop user since 1998, maybe actually 1999 now that I think about it. I installed Red Hat Linux 6.0 and experienced the joys of GNOME 1.0 and KDE 1.0. Ask me about Corel Linux, or actually don't, because it sucked. A member of the Linux Foundation IT team since 2011. I've been running Qubes OS on my main workstation since August 2016, so it gives me a good two-year run on Qubes OS. It wasn't just an experiment. I continue using it as my daily workstation. I've been running CopperheadOS since September 2017, so about last year. I stopped running it in June 2018. You will see why. I hope to go back at some point, maybe. There's a caveat there.

So there's a caveat. I'm a system administrator. I'm not a security researcher. I'm not a kernel developer. Everybody's like, "What? Don't you run kernel.org?" Yes. Running kernel.org is very different from working on the Linux kernel. I usually say the difference is like kernel developers are like heart surgeons and system administrators are like plumbers. At some point it's all about pipes and gravity and pumps, but you don't want your heart surgeons doing your plumbing, as you don't want your plumbers doing your heart surgery. They're both important. I'm not trying to say that kernel developers are so much better than we are, because they're not. I'm a bit paranoid, and there's some people asking, why do you do this to yourself? I'm a little bit paranoid. I'm not nearly as paranoid as some people are. So this is an easy caveat.
My goal here is to share my experience using Linux-based tools that significantly improve my security and privacy, because if you ever ask yourself the question, how can I significantly improve my security and privacy, the top answer is going to be: run Qubes OS and install an Android device that is not tied to the Google mothership.

So we'll start by looking at Qubes OS, and first of course, why did I do this to myself? So I'm a system administrator, as I said. It is important for me, the security of my workstation, and the data that I have on my workstation gives access to a lot of secrets that some other entities might want to get their hands on. Such as my encryption keys, my SSH keys, PGP keys and so forth. I'm the gatekeeper to some things, like creating kernel.org accounts and so forth. It was very important for me to have a workstation environment where I can be fairly certain that compromising it would take a significant amount of effort.

By the way, if you don't know, that is Habitat 67, which is a building in Montreal. It was built for Expo 67 and it was an attempt by the architect to re-imagine how it would be to have high-density housing but without the boxy look. It is very brutalist in nature. It is very hard to miss if you're in the Montreal port, and it ultimately failed because nobody ended up building high-density housing in that way. Maybe there is a metaphor there.

Qubes OS, guiding principles. It does compartmentalization via virtualization. What does that mean? It's that everything that's running on your workstation runs in some sort of a VM. It is a type 1 hypervisor using Xen. The dom0 is the privileged VM that runs on your workstation. It runs the actual graphical interface. It draws decorators around every window which indicate which workspace it came from. Currently I'm running two workspaces that are invisible. There is a purple one.
It's called chatter, which I use for all the web and IRC and Slack and so forth. There is a work VM that I only use for basically SSHing around. The work VM is covered. There is a title "work" in there and there is a very distinct blue border. The chatter VM has a purple border and a very distinct word "chatter" in there. It is theoretically impossible to fake those using the Qubes environment. So as I mentioned, all applications run inside their workspaces, inside what they call AppVMs.

They also provide hardware isolation. All I/O devices must be assigned to a VM before they are used. There is a special USB VM that is called sys-usb that is completely isolated from the rest of the system. The controller is assigned directly to it. Xen controls that controller. If you wanted to use that device in any other VM, you have to specifically assign it to it. There are convenient management tools to do it. When you insert a USB device, for example, there will be a pop-up saying that you can use the devices available. There is a little icon that you can click and it will show you all the devices that are available. You can say attach this device to the following VM and then you can use that device in that VM, if you are lucky. Sometimes it doesn't work. So convenient management tools, that's what I mean by that. I will also go into some of the details about what the other convenient tools are.

It also provides network isolation. You have full control over how your VMs get online, or not at all for vault VMs or USB VMs. I can demonstrate it right here. I have the chatter VM go out via a Mullvad VPN client and work connects directly. If I curl the IP address, you see that this is the Mullvad IP address. That's the direct IP address that I got connecting here. So all applications that will be opened in the chatter AppVM will be accessing the IP address. So I can connect to the internet via the OpenVPN connection. I can additionally use things like Tor if I wanted to.
I can also have multiple VPN clients, one for work, one for untrusted connections. I have a random Mullvad client that connects to a random endpoint. And sometimes I get the weird experience of watching Google results in very strange languages pop up on my screen, because they try to guess what they want. That's a very good perk.

So what are the device requirements of running Qubes OS? It requires lots of RAM, obviously. Most of the time on my workstation, I run about 10 AppVMs. So each one of them uses anywhere from one to four gigabytes of RAM. So on their website you will see they say four plus gigabytes of RAM. That is a lie. You may be able to boot it and start one VM on four gigabytes of RAM, but you will not be a user, because if you are anything like me, you will have at least five Firefox processes running. And if you know what Firefox, oh my God, Chromium processes are like, you will understand that running any more than one requires more than eight, preferably more than 16 gigabytes of RAM. On my workstation I have 24. That seems to be a very good, comfortable number.

It requires fast, large SSD disks, because obviously if you are starting processes from different AppVMs, you don't benefit from any of the caching that the processor gives you. They will all be read cold from the disk. It also requires for all the other D decorations inside each of the AppVMs sometimes. So you also require fast SSD disks, and NVMe is the best choice here.

It requires multiple processors with many cores, but this laptop is two processors, two cores on each, so this is actually a fairly comfortable life if you are not doing anything super crazy. On my workstation I have four by eight or four by four, I don't remember which it is, and that seems to be convenient and comfortable for my use. For Qubes 4.0, the CPU must have both VT-x and VT-d. If you do not have VT-d, sometimes processors will not have it enabled or available at all.
You will not be able to run Qubes OS at all. Qubes OS version 4... version 3.2 supported processors without VT-d, or IOMMU in AMD parlance, but 4.0 does not support that at all. And also, if you can... it doesn't require Intel graphics, but your life will be so much simpler if you have Intel graphics. You may have something else, but your life will be so much more complicated, and believe me, your life is already going to be complicated, so you don't want to make it any more complicated by picking a different graphics card.

So what is the installation like? So Qubes OS is built on top of Fedora, so if you have ever installed Fedora you will be comfortable installing Qubes OS. It is a modified Fedora installer. Post-installation requires knowledge of what you are doing before you do it. Unless you are just messing around, you can probably accept most of the defaults, but you have to make decisions that will affect how you are going to go about your day-to-day life. sys-usb: do you use that for your USB devices? There is an option also to use your sys-net. This means also that if you use sys-net, that is the VM that connects to the network, any device that you plug in directly into your laptop will be immediately able to go out into the network. So that is something that you may not want to do.

Which USB controller to assign to it? For laptops, that is easy. You can just assign all USB controllers to sys-usb. If you have a workstation, like a Dell workstation, if you do decide to assign your USB controllers to the VM and you are using a USB keyboard and mouse, guess what happens? You are no longer able to use your system at all and you have to reinstall. That is what happened to me when I first installed Qubes OS.

Do you create regular AppVMs? It gives you a default option of creating a work and a personal and vault and untrusted, and those are good, sane defaults, so if you want to do that, I suggest you do. So what are the AppVMs?
You have to think about them in terms of isolated logical workspaces. You shouldn't think that you have to create an AppVM and run each application inside a separate AppVM. You can do it. It is complete, total overkill. You have to really think of them in terms of separate physical workstations that you would normally be doing your work in. The best metaphor to think about Qubes OS is that you are running multiple fully isolated hardware systems that you have a convenient mechanism of copy-pasting and copying files between. So if you are doing all your work and you need to run a work browser and work terminal and any other stuff that you need to do for work, you can run it inside a work VM. If you are doing something personal, you can run it in a personal VM. If you will go out and do something questionable on the Internet, you can run it in an untrusted VM that goes out through a Tor connection or a fully randomized VPN endpoint.

You also have an option of using disposable VMs. So one of the cool things about Qubes is that everything is powered by template VMs. So a template VM is the actual image that your VMs will be using. And when you bring up a disposable VM, it just gives you a throwaway everything. So you start a completely blank, just-installed system. You do anything you need to do, like open a questionable file or access a questionable site if you wanted to look at the source and figure out what it's doing and so forth. You can then shut down the disposable VM. It will completely destroy everything that that activity has left in terms of traces on that VM system.

So templates: you have to learn how they work. You have to think in the framework of templates. There is /rw and /home and /usr/local that are writable on your AppVM. Every other location by default is not. Well, it is writable, but it will be thrown away after you restart that AppVM. Which is a cool thing if you have a compromise that means you're just rebooting.
We usually erase all of the badness that a compromise has left. Don't rely on this, because obviously if they are smart enough, they will be writing into those locations that persist. There are community templates available: Fedora, Debian and Whonix. If you don't know what Whonix is, that's basically a way to do persistent Tor connections, Tor browsing on the Internet.

And this is my screenshot of what I usually have on my workstation out of this laptop. I have chatter, as I already mentioned. There's a personal one that is used for personal things and personal websites. sys-firewall is basically a dedicated VM that just does packet filtering. There is a sys Mullvad Canada one that's used for non-questionable connections for going out to the Internet. Sys Mullvad random is the random endpoint, as I mentioned. sys-net is the one where the network card is assigned to, and that's the only VM that is actually able to control the network cards, a wireless or your hardware wired card. There is an untrusted one that usually connects through the random endpoint. There's a vault VM. A vault VM does not have any network connections to it, which makes it a good VM for storing sensitive files or something like your password database. And a work one that's usually used for only SSH files.

So what's the daily use like for Qubes? For the most part everything just works as expected. You have applications, they behave as they normally would. You can point and click, you can start new ones, you shut them down. Everything is just like you would expect on any other Linux system. Except, obviously, copying files is more complicated if you want to copy files between two VMs. You have to either use a command line tool that's called qvm-copy. That gives you a dialog asking which VM you would like to copy it to. And this is actually, you get used to it very quickly. And also you can do it through a graphical interface and right-click in the file manager. You can say send this to that VM.
You can move it or copy or do anything. And they are placed in a special incoming directory on the target VM.

Copy-pasting, on the other hand, it is broken. It works as designed. So control-C, control-V, any other operation, obviously there is a clipboard client inside each of the VMs. So you will copy only into the clipboard in that VM. You can then send it to the global VM, to the global clipboard, and send that clipboard to the other VM, but oh my God, you will always forget to do this. You've trained and spent 30 years doing control-C, and relearning everything else... it's just the most complex thing I've done. And what you probably end up doing most of the time is pasting completely random things that were somewhere from yesterday in your clipboard, because you forgot to send the thing from that other VM. It drives you crazy. It's not broken. It's just how it's supposed to be. In a secure system you don't want an untrusted VM to be able to override your global VM. It's not the worst possible ever when you do it wrong, because then you just... yeah, I've discovered I know so many things from many different languages of cursing.

Installing software via DNF and apt, it has to be done through a template VM. So you can do it in a running AppVM. So if I start my work VM and I install a package that I have not had before, I can install and use it at the same time, and it goes back to what my template VM looked like. So if you want to use an application that you'll use on a daily basis, you have to install it in a template VM and then it will be available to all the AppVMs using that template. And the same thing goes for global configuration files. If you have to use something like a Kerberos client and you need to set up /etc/krb5.conf, then you have to do it in a proper location on your AppVM. There is a way of doing this via an RC file.
What I usually do is I have symlinks for those things, so you don't want to put the Kerberos configuration and other sensitive files into a template, because then they will be available to all the VMs.

So what you'll love about Qubes OS: you do get the feeling that after you've jumped through so many hoops, that you are protected, you've done it. People who created Qubes OS and who write Qubes OS are extremely clever and are very bright and awesome people who I know have security at their heart. They really thought about many things, and some things I haven't even thought about. You will love being able to open mail attachments in disposable VMs. If you've received something saying, hey, take a look at this, and you are like, I don't know what's going on. You can sanitize PDFs, which is the really awesome part. If you receive anything from a vendor, you have no idea what's in there but you still want to be able to look at it. You can send it to a disposable VM, it will convert it to images and then create a new PDF that's just images, and all the badness will go away. Obviously there's downsides, that you can't copy-paste from that anymore, but if you looked at it and you think it's safe, it preserves the original one that you can then go back to and open if you want to.

Upgrades are awesome for Fedora. A new Fedora comes out and you assign a different template to your work and say, I don't like it, so you can go back to the previous one with just a click of a button saying to use this template VM instead of this template VM. You can also switch your work VM entirely to Fedora, because Fedora is obviously superior. So vault VMs you'll also enjoy, because that's where you would store sensitive data that you really don't want getting out and being exfiltrated out of your workstation. I've already demonstrated you have different endpoints, egress endpoints, for each AppVM. That's the system that I really love and enjoy.
I know that if I'm looking at this website it will go out through this website. I don't have to worry about how many traces I'm leaving out there on the internet.

So what will drive you mad. Copy-pasting, as I mentioned, will drive you completely bonkers, even though you know this is the right thing to do. Not being able to screen share will drive you crazy. If you're a manager and you're like, hey, let me just screen share with you quickly, well, forget that. You can also not do it on Wayland or the other security tools. You can screen share if you run... there's a way to run standalone VMs inside a complete windowed environment, as you would normally do if you're running a virtualized VM for anything. You can screen share from that. It will only show you the screen that's inside that standalone VM.

There's weird suspend-resume bugs. If you are using a laptop you already know that suspend-resume is like magic that sometimes works, sometimes doesn't. Well, you've sprinkled more magic with Xen though, and I know they're running VMs, so you will probably not bother most of the time. With this laptop it's really one out of ten times that I'm able to resume. Most of the time something just doesn't quite come back right.

There is obviously a launch lag for AppVMs when they're not running already. So if you wanted to start a new Firefox session from the personal VM but the personal VM's not running, then you have to basically stop for about 45 to 60 seconds waiting while the actual VM is started, then the Firefox is read cold from the disk, that comes up and that's ready to go for you. Once the VM is running it keeps running, so obviously if you do it after that it's going to be fast, but there's this definite launch lag when that VM is not running when you're starting it. Especially when there is a dependency, saying if I open an untrusted VM and it's set to go out, then it will start the Tor gateway and then wait for that to connect, and it will start the app gateway and the AppVM.
So that's a pain. There's rare but random weirdness that shows up every now and again. Like I said, there's a lot of magic involved in a modern Linux workstation, and Xen just amplifies it and Qubes just amplifies it to a hundred percent. Occasionally AppVMs just won't start, so you click on it and it just sits there. You have to shut it down and you start it again and it'll maybe work. Microphone recently stopped working for me. There is also some PulseAudio magic where you can actually send the microphone to different AppVMs depending on what you're doing. That stopped working for me. I'm not sure why, I haven't dug into it yet. There was a Pulse update, probably that's what broke it. The resolver can stop working in one of the AppVMs, so everything obviously stops working and you have to figure out what's going on.

Backups are complicated. There's a built-in way to do backups, but there's no automated hands-off backup mechanism, so you have to remember to do your backups manually. That's annoying. If you have your own backup scripts you can run them inside each AppVM, then you obviously have to start and run each AppVM for the backups.

What's the future outlook for Qubes OS? It is sponsored by Invisible Things Lab. It is under active development. Invisible Things Lab I believe is a Polish company. They don't list their location on their website so I'm not sure if that's changed or not. Most of the developers are from Poland. It is partially user-supported via donations. You can donate. There's quite a few backers there, but obviously it does not pay all the bills. It's not a self-supporting, self-contained system. It is still maintained by a business entity. It uses Xen. So if you've read the news and you know anything about Xen, Xen is never going to be in mainline. Xen was promoted and used by Amazon. Amazon recently stated that they are moving away from Xen. So I'm not sure what kind of future we'll have for Xen and Qubes OS.
In version 4, Qubes OS has been rewritten to be able to have pluggable virtualization support. So I think they're thinking the same thing. They need to be able to move away from Xen if the time comes. They continue to use Xen despite, obviously, there's been quite a few security vulnerabilities in the recent past. It's the system that provides the best hardware virtualization as opposed to all the other ones. At least that's the claim that they state on their website. It has an active and diverse user base. So if something happens and the business entity behind it goes away, there's a chance that Qubes OS will continue functioning as a purely community-supported thing.

So who is it for? I think it's one of the key features, especially for those who are gatekeepers with access to privileged information. It has been promoted to be used by journalists. I would caveat that: if they have a knowledgeable support department, because they will obviously be needing to do this. Being able to securely open attachments without fear of them compromising your workstation is a very important point for a lot of journalists who receive information from leakers and other sources, and oftentimes that information is just spear phishing. Anyone expecting direct precision attacks by well-funded, savvy adversaries. Draw your own conclusions there. Anyone working in environments where they're likely to be in trouble if they're caught by dragnet surveillance. So if you're in a country where there's a lot of just dragnet, just collect everything about all your computer usage, being able to go out via Tor and so forth can give you an important way of remaining unseen by such things.

Who is it not for? Anyone not very familiar with Linux. It is not a workstation that you can give to a non-technical person and say, here, this will make you secure, because they will just not use it. This is unfortunately not very usable for anybody who is not a very savvy Linux person.
Anyone who can't afford modern hardware. That's an important point here. CPUs capable of VT-x and VT-d are expensive. They are very new. Lots of RAM is expensive still. Large SSD and NVMe disks are expensive. It all comes with a high price tag. If you want to use it on your laptop, your laptop will probably cost upwards of $2,000. This is not something you can install and use on your old five-year-old system that is not used for anything else. This is a dedicated... I bought this laptop specifically to use this sort of thing.

Anyone who is in danger of physical duress threats. Obviously having Qubes on your workstation is a very quick telltale sign that you are hiding something or something is really odd about you. If you are in a situation where you are afraid somebody might come and say, boot this up, and shake you down, this may not be the best solution for you.

So what can you use instead? You can reach some degree of feature parity with Qubes OS by using something like the Firejail sandboxing mechanism for your Firefox sessions. You can use Flatpak or other sandboxing for other applications. You can use Whonix for persistent and anonymous surfing if you need to do this oftentimes. You can use Tails for other applications. Qubes OS offers all of the above with convenient ways of doing your work, like copying files, doing disposable things, at a click of a button, when it works. It works 99% of the time. Any questions?

So the question is, is there any other mechanism other than control-C, control-V to send to the clipboard? You can use a mechanism like highlight and it will send in middle-button paste, but it's still control-shift-V to get into any other AppVM. Those keystrokes are global to dom0, so they will still work.
Even if your terminal doesn't support control-shift-C, once you get it into the clipboard, control-shift-C will get that into your global clipboard and then control-shift-V will send it to the AppVM. Once that clipboard is in that AppVM, you can use whatever mechanism that you want to use. Control-shift-C is caught by the graphical interface. That keystroke does not make it into your AppVM. Does that make sense? I do still have a five-minute thing about CopperheadOS.

About Qubes, yeah.

So you mentioned a journalist using this would have to have a strong IT support department. The thing I worry the most about using Qubes is an exploit kit or spear phishing hitting, dropping like VM-aware malware. Do you ever worry about your RW config being caught by this, or something like shimming qvm-start, like any qvm-* command?

I always worry about such things, but the level of what I can do about this on a day-to-day basis is limited. I will talk about this later because it's a fairly in-depth discussion there. It's not something I can talk about from the podium. I will move on to Copperhead and then we will go to discussions.

CopperheadOS, for those of you who don't know, it's a hardened Android distribution, or was, or is a hardened Android distribution. The reason I started using Google is because I have been working with Google for a long time. There is a psychiatrist's office right next to it and there was a pop-up on my very friendly Google saying, can you share your experience about using psychiatrist services so other people know what to expect? Now Google thinks I did. I'm worried about what kind of information I'm leaking, because it's literally next door to them. I decided to try pure AOSP. If you looked at what's the best, what's the most secure Android, all the hacker types will tell you that CopperheadOS was it, so I did it. But so much has happened since May. CopperheadOS in its previous incarnation imploded and died.
The company suffered greatly from it. The developer, before he left, destroyed the signing keys, so any available devices out there in the world using CopperheadOS have been basically bricked. They are still usable, but they obviously cannot receive any notifications, any updates, anything like that. They have to be completely re-imaged for a long time. Yeah.

So what are the guiding principles behind Copperhead? A lot of this will be the same as with other pure AOSP devices, like LineageOS devices. So it's a Google-free Android experience. They provide fast security patching turnaround. I believe the main developer of CopperheadOS gave a presentation last year, I believe, on the hardened Android stuff. Or maybe not. Two years, all right. They provide a hardened kernel, obviously with KSPP patches. I believe that he worked very closely with the KSPP project to provide those as part of the CopperheadOS kernel. He provides a hardened compiler toolchain, strict SELinux policies, cool things like MAC address randomization on every boot of the network. So if they're trying to track your MAC address, they will not be able to do so. As we know, malls like to do this when you enter the store, so they know if you're a return customer or not. There's stricter defaults for a lot of things. All of the radios except for the actual LTE were disabled, so you couldn't use Bluetooth out of the way. So I was very sad, obviously, when it went away.

I use GIFs too many times, so maybe I should be more like Alex. This is a picture by Ilya Repin. Ivan the Terrible kills his only son. It was the end of the Rurik dynasty and it introduced 100 years of what's called the times of trouble. I shouldn't make light jokes about that.

The device requirements. It is only available on a very small set of devices. It was on Google Nexus, not supported anymore because they dropped that. Google Pixel, that's what I got. I purchased a Google Pixel directly from them.
There's a development board if you just wanted to test out how it works. They supported HiKey dev boards.

Installation: it's downloadable and installable. You can install it, but you will not receive over-the-air updates. Every time there's an update to Copperhead you have to do it manually and reinstall it on your device. Obviously, unless you're completely crazy, you're not going to do this. You can buy a Pixel from CopperheadOS. The markup is crazy. It's 80% markup. If a Pixel 2 goes for about $650 you can expect to pay about $1200 for it if you buy it directly on your device. You can send in your own device. You will still be paying a lot of money to get it, basically. You're paying not just for the OS, you're paying for the over-the-air updates, until they stop, obviously.

So daily use, what's the daily use like for CopperheadOS? For the most part it's just like any other pure AOSP device, like LineageOS. Some apps are available from F-Droid. F-Droid is a great device, which feels like you're using a mail client from 2001. There are some messengers available. It's Telegram, Riot, Silence, available from F-Droid. Some other apps you can also install from the Play Store. There's multiple ways of doing it. There's Yalp, which is a way to get APKs directly from the Play Store. I believe it might violate various agreements with Google, so use it at your own discretion. There's APKMirror, which is also a way to get the APKs directly, not directly, but from a mirror of the Play Store. There is the Amazon App Store that you can install with limited success, because Amazon, they're like F-Droid, but proprietary. There are very few apps available there that are any good. So many apps may not work right once you install them, obviously, because there is no Google Foundation Cloud or GSF, Google, whatever you call it. microG did not work on CopperheadOS. That was a design decision by Copperhead. They didn't want to support it.
microG, if you don't know what that is, it's a clean-room re-implementation of a lot of Google stuff without actually being from Google, but you still basically have to interact with their proprietary services.

So Copperhead is excellent for secure communication and browsing. It also has an excellent remote attestation feature. There is a way to verify that your Android device is actually running the proper image. So for example, if you're coming into a conspirator meeting and everybody needs to confirm that their Android devices are still running the proper thing, there is an Auditor application that you can run, and you can scan a QR code, and it uses a secret that is in the trusted execution environment on your Android that will do the response. Unless there is the proper image installed, it will not be able to give you the proper response for the challenge. So this is a pretty cool application. It is still now available as a separate app. It was only usable on Pixel 2 and some other devices, I believe, and not on Pixel 1. I've never used it because I only have a Pixel 1.

So what would you love about pure AOSP? The battery life is amazing on pure AOSP. I've never had to charge my device twice a day before I started while I was using CopperheadOS, and the same experience with LineageOS. So Play Services are extremely battery hungry. I would have a fully charged device in the morning, I'll come back home, I still have 45% battery left, and this is despite using the phone all the time.

Well, there's also knowledge that you're obviously not being tracked as much, right? I mean, the telcos are obviously still tracking you because you still have to communicate with the towers. The telcos, they know where you are, they know what you're doing. You're still being tracked through the web browsers and all that stuff. So there's a caveat there. So your mobile service provider still tracks you. There are fast security patches that come to your pure AOSP device.
I mean, LineageOS is great at this. CopperheadOS is also very great at it. They patched the software. Indeed, there's knowledge that you're using free software. So F-Droid supports reproducible builds. That's cool stuff. Some features may be source available, not pure open source. So that's an important caveat there. CopperheadOS is a source-available system. It's not a free license.

What you'll hate: most of the apps that you're trying to use from APK Mirror or from Yalp will give you this all the time. They still may work, so despite giving you this stuff, but this is pop-up. But you will experience a huge loss of convenient perks. Mobile devices are not just something we use for emailing and messaging. We use it to play games. We use it to find parking spots. We use it to find where's a good place to eat. Hail a ride and all other things. So we're pretty much going back to what mobile phones were in 2005, if you're using a pure AOSP device.

Sideloaded apps may or may not work. They will probably not deliver notifications. So notifications are something that uses Google messaging, Cloud Messaging, GCM. Obviously if you're running a pure AOSP device, you will not get notifications. App authors do not care about your weird setup. They will just say you're using the same thing. Only with the same three people who are using the same things as you are. So if you have a spy circle, that's great for you. If you have real people who are using things like Slack or Facebook Messenger or something like that, then obviously you can't communicate with them without installing those things. Slack works, but notifications don't. Facebook Messenger works actually great, but what's the point of using the device with all the social perks of being a gluten-intolerant vegan with a peanut allergy? Some things you can't use, some things you won't use because that's against your ideological reasons for getting the device in the first place. Yeah, that was my experience.
I've been a vegan for about a year, and the year with CopperheadOS felt very similar. Also you can't play Pokemon Go. That was an important part for me. I need three more friends to complete my field and I'm going to be a friend.

So future outlook for Copperhead. They are not dead. So CopperheadOS in the name continues. The main developer who was doing all the security work is obviously out of the company, but I'm not going to go into detail or take sides here. I'm just saying that Copperhead is not dead. They are releasing a new image that you can install, and their store is back. You can buy Pixels if you want to run CopperheadOS.

Who is it for? Anyone really worried about dragnet private data collection by government or large corporations. By large corporations I obviously mean Google. Government, I also mean Google. This is going to be true for most pure AOSP. It's not just true for CopperheadOS. Anyone expecting direct precision attacks by well-funded and savvy adversaries. There's a lot of protections: the Copperhead kernel hardening and just general compiler stack hardening, and there are a lot of patches to the PDF viewer and other things. So if you are expecting spear phishing on a daily basis, that device is probably something that you would enjoy. Same goes for journalists; again, same goes for activists. Again, it's kind of funny that government employees and activists can use this to protect from each other.

Who is it not for? Anyone who needs to use the device for more than secure communication. Like I said, if you're getting a pure AOSP device you can use it to protect from each other. So I'm going to go back to my previous years to when the first iPhone just came out.

What am I using now? I'm back to stock Google Pie. I re-imaged my device, obviously, in the moment when it was said that the company was in trouble, because the last thing I wanted is to have some sort of a situation where an employee with bad faith is going to do stuff.
There is a Hermit app which makes lite apps. You can use a lot of applications through their mobile lite applications, and Hermit is an application that makes it easier. Check it out, Hermit app, Google for it, you will find it. I don't intend to switch to LineageOS, primarily because not getting notifications was impacting my work way too much. The rest of my team uses Slack, for good or for bad. There are things like IRCCloud that I want to see notifications from. Not being able to do that is a big, big downside to doing this. I might go back to CopperheadOS depending on how the company fares.

Does that make me a sheep? Maybe for now. That's a Mareep. But at least I have an option to evolve to the next level, which is Flaaffy. Thank you.