One of the problems with incompetence, of which there are many, is that it gives bad actors space to operate. From a security point of view I don’t think the distinction matters all that much.
That said, the situations I’ve heard about were from affiliate ransomware attacks that didn’t make the news because the backup worked. It’s difficult to keep things secure from highly motivated internal bad actors. I’ve been told it’s an increasing trend but have not heard much about it publicly.
The challenge is this though: companies that are outsourcing to these consultancy firms put them against each other in RFPs that incentivise whatever behaviour can get them to the lowest bid.
Inevitably quality suffers. Until customers start awarding business based on something other than the number at the bottom, this kind of thing will continue.
> It's as if all pro-Israel bots and fan accounts are reading the exact same guide.
Historically, many pro-Israel talking point guides/handbooks have been created and used, yes [1][2][3][4]. It would thus be unreasonable to assume that they are not currently being coordinated.
Snapdragon flagships have solid security and it's the devices made with those which ruin it. Snapdragon has both advantages and disadvantages compared to Tensor.
Pixel 6 through Pixel 9a are essentially Exynos SoC devices using standard Cortex and Mali cores. Certain components are custom including a Trusty OS TEE and secure core, a separate hardened secure element chip, image processing, TPU for neural network acceleration, etc. Tensor was mostly standard Exynos. Pixel 10 moved away from Exynos other than the cellular radio chip, but it's not clear if that is good or bad for security. It gives them more independence, choices and control to an extent but they largely licensed the IP for the components and it's not necessarily more secure. Perhaps PowerVR GPUs have better security than Mali, but that's unclear. It does appear they got GPU virtualization support through it, but Qualcomm cares a lot about virtualization too especially since they support laptops with Windows, etc.
GrapheneOS have mentioned in the past that the Qualcomm baseband processors compare well to competition in terms of security and isolation support on their respective SoCs. There may be other aspects they need to catch up to Pixels on regarding security though (like the secure element, open-source TEE etc.).
Play Store has an attestation API, Google could simply make it harder to run banking apps and similar if you run GrapheneOS. Something like requiring banking apps to use a stricter mode. GrapheneOS even mentions it's not easy spoofing this entirely as it changes often on the FAQ page.
There's only so much you can do as a maintainer of a custom OS like Graphene before it's too hard to maintain. I don't think there's enough coming in by way of donations to play catch-up.
Need legislation quick. But I suspect the EU doesn't want side loading either in the grand scheme of surveillance.
There's always this culture of taking shortcuts at the expense of security and quality.