Hardware Attestation as Monopoly Enabler(grapheneos.social) |
Hardware Attestation as Monopoly Enabler(grapheneos.social) |
Google has proven time and time again that they don't want to make this technology fool proof and I severely doubt this will be any different.
Although I do agree that hardware attestation as a captcha is pure bullshit no matter the context.
This seems to presuppose that service providers using reCAPTCHA are either clueless idiots or actively expending resources and lowering their conversion rates to support the supposed Google/Apple duopoly. That does not strike me as a plausible claim.
It's basically those people who can manufacture chips having technological supremacy over the rest of the humanity.
One of its first applications anywhere was protecting anti nuclear protestors from government provocateurs.
We could prevent so much fraud of we could only convince the credit card companies to start using it (instead of printing a symmetric secret on the outside of the card).
It's predominantly a force for good. If anything, its a bit anarchical.
What you're noticing is not the leading edge of set of harms brought about by asymmetric cryptography, but rather the late stage of adoption where the bad guys realize that their enemy's sword has had two edges all this time. Every technology that mediates an adversarial relationship goes through this eventually.
With the printing press came temporary freedom followed by intellectual property. So too with radios and the FCC. So too with social media. It's useless to blame the technology. Blame the people.
When did Https ever hurt you? That's built on asymmetric cryptography. Wherever you see the word "secure" it's basically shorthand for asymmetric cryptography.
Https
Ssh
Sftp
E2ee
It's asymmetric cryptography all the way.
Google can put a hmac key in each device which it knows and keeps secret. Device can author authenticated messages using it. Of course, only google can verify them-- but it appears that the workflow in this depends on google in any case and if anything that limitation would be more a feature to them than a bug.
What can't we do for these two companies we will beg, we will bend, we might even consider grovelling as long as the evil is around, to help us find the greater evils in the world. That is, the people we don't like, might be the bad guys today, but just don't worry you will be the bad guy too, just wait until the bad guys get into power...
I haven't read the hobbit or lord of the rings but man if this isn't greed corrupting all men then I don't know what is.
I feel sick of all this, I might really just move out and live the rest of my life out on the farm somewhere.
Break them up. Break them up. Break them up.
Problem is some countries don't lock down their phone numbers this far so for this to work you have to whitelist country codes which have secured phone numbers.
The headline seems to make the statement that Apple and Google are evil and doing this for monopoly lock-in, and GrapheneOS, a competitor, will stand for the people against that. But given their final counterpoint is that they should have been included too and they rant about being rejected from Google's Play Integrity API for unclear reasons they claim are malicious, it seems they do acknowledge there's security value here: we do critically need for full-chain-of-signature attestations for critical identity data, the only way to avoid someone using AI to create fraud identities trivially.
Even the Play Integrity API strong integrity level only enforces being no more than 1 year behind on the official Android security bulletins which are 3-4 months outdated at release so that's nearly a year and a half behind of patches. It also has the massive loophole of permitting being arbitrarily behind on patches for earlier Android versions than Android 13, so even the strong integrity level permits a device launched with Android 8 with no patches applied since then. That's not a security check, it's a business model check to lock out alternatives not licensing Google Mobile Services. The licensing terms for Google Mobile Services have been found to be illegal in multiple countries. Google enforcing agreeing to those terms with the Play Integrity API is a truly extraordinarily violation of antitrust laws. Governments are not only failing to act but adopting it themselves. It's going to be looked back on as a massive failure for technology regulation/legislation along with government tech policy beyond that.
> "Microsoft Pluton security processor is a chip-to-cloud security technology built with Zero Trust principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services."
https://learn.microsoft.com/en-us/windows/security/hardware-...
It's amazing to see how many "but it won't happen" comments there.
Amid the massive hype of the Web3 Crypto era, there was a kernel of useful innovation : that you can choose to have unique digital copies of things, and thus you can have a way of sending value that bypasses the middlemen, be they local thugs, bent politicians, violent regimes, benevolent dictators, or the dominant hegemony.
Having central big-Corp approve your content or sign your executable or take a vig on your sales, or license your hardware - these may be common, but are not a universal law of nature.
The internet itself is our best example of the value of technology open for all to use. Frankly, that is in danger.
Whether it is bogus age-checks in your OS, a hidden bios OS, or the move away from owning your own compute [ because the GPU / CPU and RAM are priced so high you have to rent them ], consumers need to pool resources and ensure open access.
Kudos to France for mandating a Linux OS for their public service workforce. Good on the Europeans for doubling down on renewables to insulate themselves from petrodollar volatility, and making sure portable devices have replaceable batteries.
Cory Doctorow has some great rants on enshizzification. Garys Economics YT channel has some great rants on why high inequality steals resources, see also Piketty.
The technocrats on this forum have an understanding of these measures the common person may not, and thus a moral obligation to weigh in on the issues and warn 'genpop'.
Resist, dont let the buzzkills wear you down.
Also consider this: While bot farms may be able to buy millions of Android devices, they will certainly attract a lot of scrutiny as they approach the billion mark. So bot farms will never own more Android devices than humans.
If you have the $$$, which the big guys certainly do, they'll just buy the bare attestation bits and figure out how to use them directly.
I don't think the govt should be able to set rules that limit and control children's freedoms with computers.
A child can't enter a nightclub or a liquor store. The closest digital equivalents are basically permanently available to them though.
I wonder if we'll get something similar happening with cloudflare
You can't have the cake and eat it too. Maybe we need to close some doors, especially if the barrier for publication is literally just a couple of prompts and uploading the result to distributor like npm or play store.
One of our Founding Fathers said it best (I know the original context was different, but it fits so well with the current theme): "Those who give up freedom for security deserve neither."
Also, "the optimal amount of crime is nonzero."
I think you are conflating free speech with right to a platform and distribution. Which isn't quite a right, or at least not as constitutional, the former is about not obstructing speech, the latter is about positively enabling it.
One of the key aspects of distribution is cost. You can pay for a domain, which is 15$/yr, and a host (which can be as cheap), and distribute your software that way. Since when did we agree that randoms have right to publish software, and vanish? (And why are 'we' using such code in production with a straight face?) The internet founding fathers wisely designed Domain names, DNS, ICANN, HTTP, TCP, IP, NICs. NPM is not in that echelon, NPM is gratis, not freedom.
Also, freedom is, unless you are a libertarian a patriot or a nation, a historical concept, not irrelevant, but definitely a concept that was born out of a different time (slavery, secession), in its modern american sense, it's most definitely not gratis-adjacent.
To reference a specific American Freedom, in order to have access to justice, you have to pay court fees, and an attorney, there's mechanisms in place to waive those fees or have a public defender, but not even America's modern freedom developed a secondary system which pretended to have no cost, and if it did (private lateral arbitration).
I guess private entities have the right to offer public services by proxy, like with subdomains, github pages, vercel, npm packages. But I wouldn't call that freedom, in essence, the cake you can't have and eat in this case is Freedom and Gratis. You either pay the minimum costs established by the public system, or use a gratis non-free system to distribute your 'speech'.
And we the users, have the right to ignore the gratis spam and demand some sort of PoW for messages.
The system works
in any case, google started to cause issues with pixel 10, so it's not as easy to port it
There should be multiple 2027 Motorola flagships meeting all the requirements for GrapheneOS. They'll be providing official support for it and they're already working on porting GrapheneOS to their devices.
Google started causing issues over 20 years ago.
> Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.
Even the "beloved" EU government is also in on it as well as banking apps are pushing for this too. They do not care about you and the so-called "Open Web" is already dead on arrival.
[0] https://grapheneos.social/@GrapheneOS/116551068177121365
By "they" you mean FAANG and the FTC, right? Telling the EU to respect the Open Web does nothing to protect users if you continue to approve the export of attested hardware. America is deliberately abetting authoritarian schemes.
You might need to the sentence again since I was quite clear who I was talking about:
"EU government"
"banking apps"
...and everyone else who benefits from pushing "digital payments, ID, age verification, etc." that will use "Apple's App Attest and Google's Play Integrity" APIs.
It isn't that hard to understand.
Isn't this a textbook case of an antitrust lawsuit? Y'know, with the whole ordeal with Windows/IE, I assume the court would find this as blatantly anticompetitive behavior.
It's just that there's nothing pro-authority about making it easy for people to verify: "this data hasn't changed since the signer signed it." It's a neutral capability.
There are cases where we can and should blame technologists for building antisocial things that shouldn't exist, but I think that cryptography for the most part falls on the pro-social side of that spectrum.
Then stop trying to take away the technology it's built on
Right now, the vast majority of users are being bombarded with a one sided narrative of how 'insecure' their devices are. They read almost everyday about someone losing their life's savings due to 'hackers'. In this environment, they genuinely believe locking down their devices will make them more secure and prevent them from being 'hacked'.
The powers that be make sure that the people never hear the other side. That people are giving absolute control to large corporations. In my experience, once the issue is framed as 'Google will decide what you can do with your phone' every single person is immediately outraged.
If you want to make a meaningful contribution, however small, then make it a point to educate people about the control they are giving to large corporations like Google. It doesn't take much to convince them that Google et al don't have their best interests in mind. They already know it and have experienced it. The second thing to do is to encourage them to reach out to their member of congress via letters. It's easy enough to do, and politicians are terrified of going against voters. They rely on people's ignorance to quietly work against their constituent's interests while supporting whichever special interest happened to donate the most to their campaign fund.
Apple already does this and practically no one is outraged
Google now pulls the rug on Android which is a whole different story because it used to be open. The whole idea of Android was to be open.
The solution should be to provide the tools necessary to preserve as much agency using technology to people who want to. You should also keep in mind the middle tier technical people who need a bit of hand holding. But do not waste your time on the general public because they don't share or comprehend your goals.
With Apple customers, a better argument to make is to say that Apple applies a 30% 'tax' on all activity on their phones. That they are being forced to pay more compared to non Apple users in spite of having bought their device fair and square.
Apple ran a very successful propaganda campaign where they portray themselves as the protectors and enforcers of a secure environment where users are safe from attacks from the wild internet. See Apple's spin on blocking cookies. Therefore, users of Apple products are conditioned to believe these measures exist for their own personal benefit, unlike Google which is presumed to be motivated to abuse your trust.
I think with Apple in particular, this is the issue. Apple have largely demonstrated that they _do_ often have the users best interests in mind (or at least at some point have had) on the basis that the users are Apple’s primary customers. Yes, Apple lock down iOS functionality but this has often been to deliver innovative features. Users don’t mind that they’re in a walled garden because, they like the walled garden.
This is where Google is a different case. Google’s interests are aligned with mass data collection rather than products people love. Most Google users have experienced how this impacts them negatively at some point, usually with the degradation of their products, and constant advert spam.
Google is an example of a company that the mass majority assumes to be in the wrong. Apple often isn’t.
But the “good” king never lasts. They’re always eventually replaced by a despot, and all the power you ceded to the “good” king falls into the hands of the bad king. Which is why ceding that power is a bad idea, and kings are a terrible system of government.
I've had a lengthy debate about this (in the context of right-to-repair) with a friend of mine who's outside tech and he genuinely held (still holds?) the opinion that the manufacturer has the "right" to decide how their products are used. I'm willing to bet that this is a common viewpoint of people outside the tech sphere, they just want a device that "works", which for them is essentially just "I can use apps from the App store".
Perhaps some people were just conditioned to believe that these shackles are forced upon them for their own good, because only bad people would ever want to take them off.
e.g. Without proper regulations, your maintenance can become nearly impossible.
If you don't address this tradeoff you're not really engaging the issue.
What I think we need is a professional, well-informed advocate of freedom who is willing to seriously discuss the tradeoff and concede that neither extreme is ideal.
There is no shortage of well informed advocates of freedom. The question is, which forum should they discuss this in? There is no meaningful forum for such a debate which will have any real effect on policy and that's by design.
The only place that can both debate and effect policy changes in the legislature and politicians will never take the people's side against corporations on an issue until they fear losing reelection.
Hence the ask to educate the people around you and to encourage them to reach out to their representatives.
This is a fool's errand. We live in a time without virtuous values, where convenience is king. The masses don't care about cookies or consent, they accept all. They only understand direct punishment.
It is absolutely not. Awareness is what people need right now because nobody is saying anything different then the established line. The more people that put there voice into this, the better off we are going to be.
I'm hosting a Surveillance Capitalism Presentation soon that I designed myself, I'll likely post it on the net when I am done. If you are interested in hosting a zoom call or an in person awareness campaign like this. Email me from my website[0] campaign form[1] and ill notify you when its online and you can download it and use it yourself to host your own venue.
[0]: https://www.scottrlarson.com
[1]: https://www.scottrlarson.com/forms/form-contact-campaign/
Honestly, I can totally see where the cynicism is coming from, however if you think about it, that's a pretty condescending view. This effort might be Sisyphean, but things are not as dire as you might think.
People are already seething at how much their lives are being enshitified by Big Co. Even if 10% of voters reach out to their representatives, it would be a tidal wave. Politicians are terrified of the popular will and this is not a hill they are willing to die on. Just see the success of the right to repair movement as an example.
This. No matter how good the intentions are, this represents the infrastructure that can be exploited to persecute individuals and groups and deprive them from the most basic rights.
And before anyone tries to downplay this as scaremongering, US legislators have introduced the legal framework to reject visas based on what comments the applicant may or may not have said in the past years regarding the current government.
Sadly much as I agree with OP, the reality is there are a lot of evil people, and some of them lead a country and thus have vast resources to attack with. We need to solve this problem, not just cry about what a few of us are losing.
Nope. It's not the issue. The issue is people genuinely want the security problem to be solved by someone else. Either governments or big companies. So they can just not care about security once and for all.
If people were so aware of so-called hackers and how insecure their devices are, we would have seen people stopped installing apps on their phones and basically use it as a web browser. But that's not what happens. The opposite is truer: if you run an even slightly popular website you will receive feedback asking if you have an app version.
> In my experience, once the issue is framed as 'Google will decide what you can do with your phone' every single person is immediately outraged.
Oh boy, you're going to be really surprised.
If anyone knows of any european petition around this please share them with us
Your audience is going to shut you out if you don’t show you understand their reality.
I reach out to people, and every tech and media person I know, is holding sessions on government over reach and invasion of privacy, raising alarm bells.
Everyone not in tech, has just about had it with being predated upon, being screwed over and in general would rather warm themselves on a bonfire of tech stock, than do a thing to support it. Voters are HAPPY to see tech brought under control.
The degree of fraud, predation, privacy invasion that regular adults encounter, let alone children, is absurd.
To take the most civil and benign trend I know: online communities are dying to a glut of slop, bots, and spam. Users and mods are simply unable to keep up with this, and are increasingly likely to ding users as much as bots.
A majority of humanity, who live in the developing world, encounter even worse, AND have less recourse to support.
——-
Success in these things requires connecting with people. You cannot do that if you come across as a know it all.
You must open with an acknowledgement that Tech is not doing a good job for users, but giving governments sweeping powers is not the antidote.
I'm doing a presentation on Surveillance Capitalism soon and I might include this topic.
They do not use zero knowledge proof systems or blind signatures. So every time you use your device to attest you leave behind something (the attestation packet) that can be used to link the action to your device. They put on a show about how much they care about your privacy by introducing indirection into the process (static device 'ID' is used to acquire an ephemeral 'ID' from an intermediate server) but it's just a show because you don't know what those intermediary severs are doing: You should assume they log everything.
And this just the remote attestation vector, the DRM 'ID' vector is even worse (no meaningful indirection, every license server has access to your burned-in-silicon static identity). And the Google account vector is what it is.
Using blind signatures for remote attestation has actually been proposed, but no one notable is currently using it: <https://en.wikipedia.org/wiki/Direct_Anonymous_Attestation>
There are several possible reasons for this, the obvious one is that they want to be able to violate your privacy at will or are mandated to have the capability. The other is that because it's not possible to link an attestation to a particular device the only mitigation to abuse that is feasible is rate limiting which may not be good enough for them - an adversary could set up a farm where every device generates $/hour from providing remote attestations to 'malicious' actors.
Then the "security" and Trusted Computing authoritarians continued pushing for TPMs and related tech, and contributed to the rise of mobile walled gardens. Windows 11's TPM requirements were another step towards their goal. The amount of propaganda about how that was supposed to be a good thing, both here and elsewhere, was shocking.
It turns out a significant (but hopefully decreasing) number of the population is easily coerced into anything when "security" is given as a justification.
The war on general-purpose computing continues, and we need to keep fighting.
Stallman was right, as always. Time to give his "Right to Read" another read. (If it hasn't been done already, an AI-generated short film of it would be a great idea...)
"Those who give up freedom for security deserve neither."
Mark my words. General purpose computing and private, direct communication are things too powerful for a tyrant to permit the people to have. The freedom we've enjoyed for the last several decades, to build what we want, to run what we want, to network with who we want, is not the default and will always be under attack. We had it for a little while by the generosity of the previous generation. It was not then, and is not now, and never will be free.
[1] https://www.perseus.tufts.edu/hopper/text?doc=Perseus:text:1...
Specifically, you poke the data lines of the memory bus to induce bitflips, much like I described in https://www.da.vidbuchanan.co.uk/blog/dram-emfi.html
This is trickier if your device has the DRAM mounted directly on top of the CPU, but still possible - you'll need to do some BGA rework to get a wire soldered to one of the DQ lines.
Once you get a physical memory read/write primitive, you can start patching the kernel. Play Integrity does not detect this, since it only attests the state of the kernel at boot. I chose to patch out the permission checks related to ptrace, allowing me to inject frida-gadget into running apps, and to inject shellcode into pid 1.
The initial exploit is pretty unreliable, and usually takes a few reboots to hit. But once it lands, the device is pwned until the next reboot - like a "tethered jailbreak".
I tested this on a Samsung A06 because it was the cheapest device supporting Play Integrity I could get my hands on, but there's no fundamental reason it shouldn't work on any other device, including flagships. Some mitigations would require a different exploit strategy (e.g. memory encryption), but the fundamental flaw is still there.
https://gitlab.opencode.de/bmi/eudi-wallet/wallet-developmen...
Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM in any computing device that is marketed as a general-purpose one. I.e. the first instruction that the CPU executes after reset must come from a storage device that is physically external to the CPU package.
Imagine getting banned from Google services for anti-google views and being unable to log into your bank account. We really should breakup the Alphabet.
Microsoft certainly wanted to be the only company whose OS was allowed to boot with secure boot turned on.
Google should not be allowed to close the supposedly "open" ecosystem they created any more than Microsoft was allowed to.
That said, there are countless mobile devices with locked bootloaders and and boot integrity attestation that will never run anything other than OEM OSes. That's equivalent to a locked Secure Boot + UKI-like system on PCs and it's already here.
You mean right now? At a firmware level, the scope of "trusted computing" is expanding with every passing year.
> close the ecosystem they created any more than Microsoft was allowed to.
We are in the process of allowing Microsoft to close the PC platform. TPM is required to run Windows now. Nearly every new PC ships with "secure boot" enabled, adding a new technical barrier to escaping Windows that didn't exist before. Remove that toggle from the BIOS, and you now effectively have a vehicle to Windows-only PCs.
All modern PCs ship with Pluton coprocessors. The end-to-end remote attestation hardware infrastructure is all already there, waiting for someone to flip a switch and turn it on.
While I am glad that people continue to struggle, that GrapheneOS continues to fight and speak out, these developments still fill me with a terrible sadness. The future is bleak. We inch ever closer to the complete destruction of everything the word "hacker" ever stood for. It's a deep loss.
Businesses will do what businesses will do, but it seems to me having something to point to and saying "do this instead" is more effective than "this sucks and isn't even about security, don't do this at all" even though it's true.
Which I think in this case may mean that I'm hoping an Apple or Google exclusive id system couldn't be ubiquitous enough to be required. But forethought doesn't seem to be modern man's strong suit.
1) Only law can fix this. Anybody (looking at you ancaps) telling you "if you don't like it, start a competitor" doesn't understand how the economy and network effects work.
2) The general population is a combination of not caring and not even being smart enough to be able to understand. If everyone votes on everything (like most "democracies" where you vote for parties), bigger issues like healthcare, abortions, LGBT will dominate and everything else is noise.
3) People who don't know what public-private crypto or zero-knowledge proofs are shouldn't be allowed to vote on issues where these are relevant factors.
4) We need to fix voting so people can vote on only the stuff they care about and only the stuff they are actually informed about. This works in small teams of highly competent people - at work or in FOSS - and only when they have the same goals. Politics is by nature adversarial and I don't know how to fix this.
Being on the palantir-approved google ranch for the few Apps You Need + graphene (or some other alt OS) for everything else would be quite inconvenient, but still better than carrying two phones, which nobody wants to do.
I also tried to use an old phone as a backup device. However, most authentication apps only allow it to be installed on a single device.
I've defended app attestation against baseless criticism, but this is a valid take.
The only nuance I would make is that hardware attestation as a technology isn't inherently anti-competitive but rather the way these companies implement it.
I would love to see a non-profit attestation service that publishes a list of allowed OS's, and roots that are deemed secure based on reality.
I'm sure this will happen in non-free countries quickly if Hardware Attestation becomes commonplace to access basic services.
So what's the actual issue here? That on HN and Reddit and Instagram and X there'll be a lot of bots? As if they haven't been overrun by human astroturfers/etc for ages. Even ignoring that, what's the biggest issue you see with that, and why is it so big that it's fine to just enable a monopoly?
Your presumption that there has to be an alternative is flawed. Maybe there is none. You're saying there's a real need, great. There's also a real need for sexual assault to be completely eliminated worldwide. I think everyone would agree with the that need is far bigger than bots on social networks. Doesn't mean we should just jail everyone just in case.
You're manufacturing a need here as so important that by definition the ends justify the means. They don't.
Having said that, there may well be a room for a niche recaptcha-like service run by a non-profit. Perhaps one that uses a non-profit social graph or something.
I still don't see how you can keep something anonymous and still rate limit it. If a service can tell that two requests came from the same party in order to count them then two services can tell that two requests came from the same party (by both pretending to be the same service) and therefore correlate them.
But once you get the response you can unblind the signed signature and obtain the token (which is just the unblinded signature). This token can then be used once either because its blacklisted after use (and it expires before the next day starts for example).
The desired property of blind signatures is that given a token it's information theoretically impossible to determine which blinded signature it came from (because it could have come from any of them) even if the cryptographic primitive is broken by a mathematical breakthrough or a quantum computer. There is technically the danger that if the anonymity set is too small and all the other participants collude you can be singled out.
Correlating times is a threat vector that needs to be managed either by delaying actions (not tolerable by normal users) or by acquiring tokens automatically and storing them in expectation. Or something other I haven't thought of probably. There is also a networking aspect to this, you will need a decentralized relay server network that masks origin of requests.
You can make variations on this for a wide spectrum of rate limiting behaviors.
But also I agree with xinayder's comment-- the anticompetative, anti-privacy, invasive surveillance is unacceptable. There is a lot of risks with ZKP's that we just make the poison a little less bitter with the end result being more harm to humanity.
I think ZKP systems are intellectually interesting and their lack of use helps make it more clear that the surveillance is really the point of these schemes, not security because most of the security (or more of it) could be achieved without most of the surveillance.
But allowing the apple google duoopoly to control who can read online is wrong even if they did it in a way that better preserved privacy.
And because I can't believe no one else in the thread has linked to it: https://www.gnu.org/philosophy/right-to-read.html
Constructions like this exist for many years. E.g. semaphore RLN (rate limiting nullifier). This particular construction was found unfeasible 7 years ago, but since then zksnark tech made huge progress and it is way cheaper now.
Saying something like "the problem is not hardware attestation, but that they don't use ZKP".
You are normalizing the new behavior. You shouldn't. It doesn't matter if they use ZKP or the latest, secure technology for hardware attestation. The issue is hardware attestation. It's the same with age ID. The issue is not that Age ID is prone to data leaks, the problem itself is called Age ID.
I remember the WEI apologists trying to do the same thing to derail the argument. The problem is the goal, not the details. Just say no: DO NOT WANT!
If your answer is “they shouldn’t ever do that”, then you’re promoting an uncompromising position that governments are disinclined to adopt, being the primary user of identity issuance and verification on behalf of their citizens.
If your answer is “they should do that differently”, then you have a discussion about (for example) ZKP or biosigs or etc., such as the thread you’re replying to.
Which of these two paths are you here to discuss? I want to be sure I’ve correctly understood you to be arguing for the former in a thread about the latter.
Hardware attestation often also has problems of centralization, but that's something else as well.
By just labeling it as an abstract bad thing without seeing nuance, I'm afraid you won't be convincing those in power to pass or block these laws, or those convincing your fellow voters which efforts to support.
If all the internet was is static content, that wouldn't be much of a problem. But we live in world where packets coming to your service result in significant state changes to your database (such as user generated content).
I suspect that we are currently in the valley of do-something-about-it on the graph which is why you see all this angst from the big players. Would Google really care if automated programs were so good that they were approximating real humans to such an extent that absolutely no one can tell? I suspect they would not only be happy with such a state of affairs, they would join in.
I don't agree that it's not a problem.
Also I recall a discussion on Graphene's forums that DRM ID is not only retained there, but stays the same across profiles.
I was referring to the static private key that is stored in the silicon. At any time an application can initiate a license request process using DRM APIs which will elicit an unchangeable HWID from your device. The only protection is that it will be encrypted for an authorized license server private key so collusion may be required (intel agencies almost certainly sourced 'authorized' private keys for themselves). Google or Apple also has the option to authorize keys for themselves. In 'theory' all such keys should be stored in "trusted execution environments" on license servers and not divulge client identities for whatever that's worth: <https://tee.fail>.
Like imagine that someone managed to extract key from the specific device and distributed that key in a software implementation to fake attestation. Now Google needs to revoke that particular key to disallow its usage. This is obvious requirement.
However if someone extracts a key and keeps it private, and instead gives out unblinded tokens there is nothing you can do other than rate limit - realistically, an adversary is going to trial different rates anyway to figure out which don't make them an outlier.
I agree, except I worry it's a bigger concern than we realize.
I still remember what CableCard (and the hoops needed for HW manufacturers to get certified) did to the DIY DVR Market...
With a secure device, the only way to get an attestation for an account signup is to do the signup on that device, with real fingers clicking real buttons on a real screen. There's no way to short-circuit the process by automatically sending a JSON request and bypassing the actual signup flow from a Python script, like you can do with an insecure endpoint.
With blind signatures, a single compromised device destroys the value of the entire scheme, as it can be used to issue an infinite number of attestations with 0 human oversight.
What we need is a blind signature construction where the verifier can revoke a signature, each signature carries proof that none of the revoked signatures comes from the same signer, and where it is impossible for one signer to issue more than n distinct signatures during one time window. Not sure if this would be possible with ZKPs; my cryptography knowledge doesn't extend that far.
...no? Maybe this is true of end-user device attestation. But there are other use-cases for attestation.
Server device attestation is an entirely different thing. It's used in e.g. IaaS "Confidential VM" offerings, where the audience for the attestation information is the customer, rather than the server host. It's a very pro-privacy / pro-data-sovereignty feature.
And while embedded device attestation is sometimes about preventing customers from tampering with IoT stuff you "sold" them, more often it's about being able to trust and confidently assert that e.g. the climate sensors you've deployed all over a forest as part of a research project haven't been fucked with to report false data by someone with an agenda. (Or to "apply denial" to your unmanned military satellite downlink station the moment you detect that there's some unknown person out there futzing with it.)
The problem isn't the TPM, but attestation. As soon as the TPM is required to not be under your control to get access to Y, bad things happen.
Hell, in actuality, the problem isn't even attestation, its policy. The EU Parliament (the one the people vote for, the Commission are cronies) might eventually force corporations into something more citizen-friendly. Neither Apple, Google or Microsoft is going to drop a market that big.
I -- literally -- do not care about a single "account" in any "service" I use aside from my email and bank account. Most people would add a few social media accounts to that list.
You don't need a "place to put secrets". Your iPhone app does not do anything important enough to require a "trusted chain" of cryptographic bullshit, just use a password and Google/Apple login.
The problem lies in companies like Apple/Google/Microsoft rejecting attestation that they do not control.
People confusing big tech's policy choices with tech features have made "I want my laptop's auth token to only be usable on my laptop" a controversial opinion.
Does it? Why waste time on developing exploits when you can just call up grandma and get her give you the money by her "own" volition - using her secure device - by pretending to be the bank/IRS/her grand daughter using AI voice/etc.
TPMs are a fucking mess. TPM 2 at least, I’ve worked with it for a few months. I love me some hardware security module, but I want to control it. And if it must be a standard, please please to something like the TKey, so it can be both much simpler than current ad-hoc standards and future proof.
Once you have the script, that’s a couple actors in a classroom, a couple e-ink readers for props, the film crew… It can be shot with less than 10 people in a day, then one person for a couple days for cutting and post production. And that’s on the very high end for this scene.
Considering the reach this video would meant to have, avoiding AI would not be that expensive.
> It turns out a significant (but hopefully decreasing) number of the population is easily coerced into anything when "security" is given as a justification.
The people who opposed Intel are now telling each other how hopeless and powerless they are. You can see it on HN, in this thread: No drive, outrage, and self-organizing response to these issues, but despair - 'nobody cares', 'there's nothing we can do', etc. Quitting is a sure way to lose.
I don't think those are the same people. I, for one, will continue this fight by telling everyone I know about the fact that Google is going for absolute control of the Internet, and by extension, everyone's lives. They have already become an unelected global government.
So, it looks like they were aware about such kind of issues and tried hard to mitigate them.
That means that I ride alone these days. I did not renew my membership this year.
The last time I experienced something like this was when Facebook starting being the only way to participate in certain events. Back when that happened, I simply counted myself as excluded and did other things with my time and money.
When I tell people that this is even possible I get wide-eyed stares — as if they never contemplated that Meta could exercise their right to ban someone from the platform.
It's a huge problem and I have no idea how to fix it except talk about it and spread awareness. And I am not remotely interested in trying to work around the ban.
To me this is such a bizarre cyberpunk dystopia. Like if we could only send letters and packages to people subscribed to the same private postal service, or drive on roads that had cross-licensing with our brand of car.
that's a corporate monopoly's wet dream.
What evidence is there that it does?
Attestation purports to prove the code is running on an "approved" device. There are multiple reasons that has no real security value.
The first is that "approved" not only has no relationship to "secure", they're actually anti-correlated. As the article points out, GrapheneOS has better security than normal Android. Moreover, as a general rule the stock firmware that can pass attestation is more likely to be outdated and have security vulnerabilities than a custom ROM, and also as a general rule devices (like PCs) with more open hardware have the ability to be updated. A four year old attestation-passing Android phone may already be out of support and unable to be updated while still passing attestation; a 20+ year old PC can run the latest supported release of e.g. Debian.
The second is that "secure" and "runs code the service doesn't want" are likewise unrelated. Suppose there is an Android device which is still receiving updates. A local privilege escalation vulnerability comes out and that device will get the patch, but hasn't yet. So now any attacker with any of those devices can get root on it until they apply the patch. Which means they can get root after the main filesystem is unlocked, modify the filesystem so they continue to have root by changing something that isn't part of the attestation hash but still causes code or scripts to run as root later, and then update to the latest kernel and continue to have root on a device that passes attestation. The device is secure -- fully patched -- but it's the attacker's own device and they can run arbitrary privileged code on it. Requiring every device to be "secure" against the person who has ownership and permanent physical possession of it is a ridiculous thing to take as a security assumption.
And the third is that attestation doesn't actually do what you want it to anyway. Banks want to make sure the user isn't entering their credentials into a compromised phone, but having the official bank app refuse to run on that phone doesn't actually prevent that, because the fake bank app which is stealing the user's credentials on a compromised device won't require attestation to pass regardless of whether the real one does.
Granted, for banking or government-interactions that isn't feasible, but wouldn't it for many other things? It would likely be more expensive given that the work to build something still needs to be done and the cost is distributed among fewer shoulders and the lower complexity since you don't need to build ad-tech doesn't make up for that, but I suppose that's a bit like quality food.
Hardware will be more difficult.
you can't if the service requires the network effect to function well, if at all. Look at blusky and all that alternatives, look at the pitiful attempts at making a youtube alternative, etc.
What we really need is to meaningfully participate outside of the hierarchical monopolistic systems that demand our participation. That doesn't just mean that we create and hang out in distributed networks: it also means that we make and do interesting shit there, too.
The biggest hurdle I see is that we only really use uncensored spaces to do the shit that would otherwise be censored. We don't use distributed networks to plan a party with grandma, or bitch about the next series of layoffs. We don't use distributed networks to share scientific discovery or art.
I think part of the solution is to make software that is better at facilitating those kind of interactions, and the other part of the solution is actually fucking using it. How many of us are only waiting for the first part?
The status quo is nation-states in roughly their post-WW2 borders, and it's fiercely protected. The upside is stability and fewer wars, the downside is that the only way to try anything new is to co-opt an existing country. Adding to that, most countries are ethnostates that would prefer to have only a small percentage of their population be migrants. It's an easy way toward social cohesion, you just stay roughly where you're born, with people who were also born there and share the same cultural background. As we can see, it's not ideal - two lifelong neighbours can easily hold completely opposite moral values.
In other words, "we" exist only to fight against this one thing we disagree with. And even there, we probably don't all agree on how to fight it or what to do instead.
The answer to either question, really, is no. The powers that be have systematically implemented policies that keep us divided to prevent that eventual outcome.
Any new country will have these same issues, eventually, and probably a lot more that don't seem obvious on the surface.
Fighting against these sorts of monopolies seems far more likely if we can figure out what forces inside the EU and the US are driving these changes and find a way to educated the public, interest groups, and politicians about what's going on.
The problem being raised isn’t due to the size of the country though. It’s the size of the company (ie Apple and Google)
I feel that we need a better political consensus on a free society that puts the monopoly of force in the hand of democratic legitimate forces. I currently feel that all digital violence lies in the hands of a few corporations. And at the same time there is politician that like this because they can through this proxy can indirectly execute control without any political legitimacy. Sorry, I do not believe in markets as guarantees for freedom. I have read too much dystopian sci-fi for that.
But you can own multiple devices. You can use an approved device specifically for banking or Netflix and whatever device you like for all your other tasks. Maybe you could use an approved device (a Yubikey?) to authenticate your other devices?
Also, governments should be leaning on them to approve more devices.
There is no Caesar to assassinate because it is everyone, or near enough. It is the idea that this is how you do things. Tyranny is in the air and in the water, that exploitation of power for more power by means of misery, old as mankind.
In such a world, removing one tyrant only gets you ruled by his rival, who is often worse. The historical recipe for freedom and abundance is a people who, as a whole people, are generous with power and expect it of each other at every level, and are viciously intolerant of its abuse. Such was the world of technology for about five decades in the last century, but it hasn't been so for the last two or three. I think it doesn't take much for a few awful people to eat up any abundance, if they are allowed to, and that war is written across the history of computing from its very beginning. But these days, it is not a healthy society defending itself from would-be conquerers, but a world of feuding warlords anxious to eat up any excess anywhere, not only for profit but because thriving and independent people are inherently a threat. With few exceptions, and it seems like fewer every year, any kingdom now which consists of a group of people and some code, be it a software service, a phone, a game, a car, or a dang toaster oven, looks like a despot extracting taxes from his peasants, not a king sheparding his people. Certainly the big ones are that way, and the legacy of the last generation continues to be eroded.
Whatever the means, that tangle of the legal and economic and social and educational and technological and cultural, and I do not pretend it is anything but a thorny and incomprehensible thicket, Aristotle's identification of the broad themes remains relevant. Divided, humiliated, disempowered - whatever the pretext, the encroachment of dark forces is unmistakable. The only defense is (and ever was) those who see their work as in some sense sacred and power as conveying a duty to serve. The generation for whom Superman is a central myth builds one way; the generation for whom it is Game of Thrones builds very differently. Not that these stories are necessarily causes, but their resonance is a reflection of how two very different groups of people think about power.
Why was this decision ever made?
because it wasn't made
the decision which was made was having a digital ID wallet, that this needs hardware attestation (or something comparable) is somewhat of a direct consequence of existing laws/regulations regarding making IDs forgery safe
it also is a phone only application
the huge huge majority of phones runs Googled Android/iOS, so you support them
if there where a relevant 3rd party competition it would (most likely) supported it, too
going back to the "the president .. shut down .." argument: The US can shut down >90% of all smart phones used in the EU. I don't think the US being able to shut down something which in the end is fundamentally just a minor convenience feature is making much of a difference here.
But I also think that whole identity wallet (the regulations behind it) is approaching things from the wrong direction, carrying a credit card sized ID with you isn't really a problem or very inconvenient. So instead of having the whole attestation nonsense it would be more practical to simply not have attestation and in turn allow the digital ID only for usage where the damage it can cause is quite limited. Especially given that device attestation systems have a long history of being circumvented...
As a side note this whole app is distinct from the "use you ID with through your phone/NFC with applications" thing many EU countries have, through that solutions also tend to have attestation issues in most cases. But again most relevant use-case of it can be done just fine, without the security level attestation tries to provide, if approached pragmatically.
But even bigger problem is that institutions designed to prevent this from happening are not doing their job.
Thousands security service and civil servants take their wages and look the other way.
1. Explicitly designed as client states for the US
2. Explicitly designed as client states for the Soviet Union, with alliances switching over as the Soviet Union fell apart
3. Great Britain, a country whose electorate would probably only reconsider rejoining if the EU agreed to explicitly become British client states, because the only thing Britain hates more than France is those dastardly American upstarts[0].
The reason why this persists despite an openly hostile American president is the fact that the EU has no real alternative. The EU has a shitton of internal political distrust between member states, and the US was offering a lubricating alternative: "Just trust us." Politically distributed alternatives require balancing coalitions that are far more fragile.
[0] The history of European anti-Americanism is extremely fascinating, because it's effectively a Reactionary meme - as in, "wanting to restore the Ancien Regime" Reactionary, not "funny way to say Nazi Party member" Reactionary. And yet it's jumped across so many incompatible political ideologies that the average European probably had no clue why they hate America until Donald Trump gave them a good reason to.
Clearly tailored to the regular normie without technical skills.
I’ve written to politicians over the years about technical matters and it’s uniformly either a clearly form response or an inaccurate summation of the technical risks, if I’m been charitable because they don’t understand them either.
At a certain point it begins to feel pointless.
If enough people write, they may start finding it relevant.
It only makes sense they'll prioritize big-business interests over those of the common folk.
Google certifies devices unpatched for the last 10 years, rooted, riddled with the malware, because the keys have leaked.
Google knows and still sells the lie.
But you should know better. Google is not selling the actual security, it's just protecting its business.
They're basically saying they have no choice but will evaluate better options.
So the follow up question is: Are you going to push the EU & Governments to do the logical thing and start developing, with your tax dollars, the necessary software & hardware to make it into the public domain so they arn't reliant.
Mostly it seems like few people see the need for brining government into software, no matter how much software & hardware are becoming essential utilities.
It's like handing a loaded gun to a kid, and saying "just don't take the safety off".
Of course kids are going to find ways around it. They are going to take the safety off.
If anyone wants to assert control they have to be where the puck is going instead.
Capital remains sovereign in Europe.
Being a highly skilled lawyer, UN official, can get you banned from all government EU services of the Drumpf doesn't like the fact you're investigating war crimes.
A part of that has already happened.
Modern cryptography allows for making DRM incredibly hard to break. And the disadvantage of "hardware attestation" DRM is that you have to break it not once, on a single device, the way you do to dump a "protected" movie, but on every single device that you want to use.
Funny, I have a related proposal: make it illegal to sell hardware and distribute software. Or at least, if you distribute software, we don’t buy your hardware. The idea is to force hardware companies to release the complete user manual for their hardware, and incentivise them to simplify and standardise their hardware interfaces.
What I did forget was forbidding them to arbitrarily restrict what kind of software can run with their hardware, which they could if the hardware hashes the software & verifies a signature before running it. But it would seem your separation between CPU and storage takes care of that.
There's also tons of value in a boot ROM that can't be accidentally erased to add low level DFU routines.
My intention with this is to make sure that if someone were to desolder the flash chip and reprogram it, they could completely own the device without the device or SoC manufacturer having a say in it or a way to prevent or detect it.
No, you just need to make it illegal to have the bootloader contain hardcoded key material and use it for verifying the code it loads.
Not that it changes much. It really should be illegal to enforce "secure boot" with no way for the device owner to opt out of it or enroll his own keys.
funny how you think the solution to people imposing their will on you is to impose your will on others
also, the solution you propose wouldn't work because signed firmware
Also, governments are supposed to act in the interest of people.
Micro is now nano, not amendable to modification, and even if it was theoretically possible, hardware is a super-easy target for legislation.
> Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM
If you had the political means to enact such legislation, you could legislate much cleaner and easier ways to deal with the problem.
I find myself saying this a lot but I still can't quite figure our why people keep seeking technical solutions to political problems.
I mean, these things aren't comparable, in some limited cases the naive approach might help but insisting on it while neglecting political action is worse than doing nothing.
There's already a lot of support out there, in both public opinion and the law, for the idea that if I pay for something physical like a device, I own it. Any substantial alteration in its functionality, especially a reduction in what it can do, requires my consent. Reduction in what it can do should require my consent. Just because tech made it possible for the manufacturer to brick my phone or my car, start charging me extra for certain features I already paid for, or block the apps the OS vendor doesn't approve of doesn't mean they should or that it's even legal to do so. Additionally once I buy the device the vendor has zero business telling me how I can modify it, or whether I can repair it.
I own the thing I bought, fucker. It's my property and I have property rights. The corp has no right to steal away part of the thing I bought or change the terms after the fact. It's potentially criminal if they try.
This framing resonates with a lot of people.
The guy who really exemplifies this positioning at the moment is Louis Rossman and by focusing on these widely understood and popular concepts, he's gained the ability to direct an enormous amount of attention to an issue. He can absolutely swamp a legislature with letters from angry constituents for example when he gives an issue visibility.
Frame it as theft because it is. If they push an update without my consent that removes functionality or sabotages my ownership of the device, it's theft. At the very least product liability laws should apply. Some part of what I bought stops working, that goes to product liability. But I'd take it a step farther and say we're dealing with straight up theft.
Sorry for how you may feel about it, but that *is* how it's being framed for the public..
https://europeanconservative.com/articles/news/eu-parliament...
It's the the Emperor's New Clothes in real life but for morals. No amount of Rossmanning is going to help society walk back its collective hypocrisy.
At this point the internet is exactly like the film Matrix, where humans are merely an implementation detail in the whole system.
The only way to sure defeat is to surrender.
"Secure" is great. But when you hear "safe", that means there is some corp in the shadows predating on you because <insert boogeyman>. They decide what safe means, not you. They will abuse you to no end while keeping you "safe".
That's why companies always remove the features that keep you "secure" and give you ones to keep you "safe".
Before anyone downplays this concern as scaremongering ans slippery slope fallacy stuff, keep in mind that countries are shifting their national ID cars infrastructure to online services which are fundamentally designed around attestation. Moreover some class of services such as banking are progressively increasing requirements that your software and hardware needs to meet to allow you to manage your own property.
It won't matter to the masses, it won't hamper "bad actors" because hackers will find flaws instantly.
It's just enshitfication.
> hackers will find flaws instantly
Yeah.
The ability to circumvent these cryptographic attestations and pretend to be a "pristine" corporate owned device while in fact being free will be a key strategic capability in the future.
They will no doubt pour billions into improving the technology though. I'm not sure if such a capability can be maintained over the long term. We don't have the resources.
I wish they filled you with anger instead. It’s not too late. You’re not alone.
the meaning of this word has diluted so much
Don't worry officer, my device is completely clean. Here you go check it. Why yes, I absolutely only ever use it for banking and updating linkedin on a suspiciously empty gmail, and keep it on silent 100% of the time. What's so odd about that? What? No, I just re-read a lot of books, that's my hobby, I read Catcher In The Rye 20 times a month.
...
It's about time people realize the concept of a real phone and a civilian phone as one and the same is dead.
In fact.
You don't need a "real" phone. Just the civilian one.
I use what's basically a portable retroconsole for entertainment. Including reading, incidentally. From its perspective, it is just a computer. Let's make it a competition, puny phones versus portable computing. Name me one thing you think it can't do, in return, I'll fire two YOUR phone can't right now, back at you. I'll forward two: It can run tmux and has a copyparty toggle for a portable filestorage on it. Yes, you can do both on the phone. But yours can't right now, and I you will suffer trying tog get it, while mine, it was 2 command lines and one config file each.
I cannot tell if the alternative solution will be better, but I do think we will develop alternatives.
Also, in the mean time, their announced "sovereign solutions for the European citizen" look ridiculous: now you'll be free from Visa and Mastercard for your payments but at the same time you'll need a phone approved by either Apple or Google.
The user still maintains all the freedom of doing whatever computing they want on their own machine, but if they want to play with others who don't want to play with cheaters then they have to use the official client.
For people who want a high degree of freedom and be able to access as many digital services as possible I foresee such people using a hypervisor that runs both a provable secure OS and another OS that is as free as they want.
What makes you think they will give us this magical hypervisor capability? It's more effort, increases the chances someone finds a bypass and takes power away from the incumbent online platforms. It's so much easier to just prevent it all. The only reason it hasn't happened yet is the amount of devices without this ability in circulation. But that number is shrinking rapidly.
Gaming and such are dedicated services. Fine if people agree to pay premium to have the required platform / console / etc.
General services such as communications / banking must be free, and must not require trusted hardware on the end point. The services must be designed to be secure even in the case of compromised end points. But that's against the current trend where all banks are trying to push all the responsibility on the end user because they want to reduce their costs. There are plenty of solutions but they don't go for it because it's not in their interest and they want to squeeze out any little penny of infrastructure cost.
No. It's the constant attempts to invade our computers and "prevent" the unwanted behavior that are problematic. See kernel level anticheat nonsense. They want to own our computers.
> if they want to play with others who don't want to play with cheaters then they have to use the official client
They should be able to play with whatever client they want. It's their computer, it should run whatever software they want.
How do old boomershooter communities tackle cheaters? When and why do methods that work on a social graph fail or necessitate anticheat? I agree on the hypervisor part. Putting different applications in microvms would be good for isolation.
Solving proof of humanity is very difficult without tying to some kind of difficult to replicate or automate ID.
... are not problems, no - but bots in general are
The anonymous internet is going away -- it is too supportive of crime and various kinds of gray area misconduct, and governments and large corporations were eventually going to do something about that.
Such a degree of anonymity is desirable, but it is not a requirement for a free society. What were things like before the internet? You couldn't anonymously browse billions of pages of information in 1960.
China has all the tech giants jumping through whatever hoops they want by banning them by default and only allowing whichever ones they want to operate after they meet their strict policies and ad hoc decisions.
Now that the US has decided the EU is a rival, the EU should do the same.
Ideally there shouldn't be standards for this. What we have already is enough.
Companies claiming they are closing down their services/devices to protect the users is total BS. Facebook has admitted they get 10% of their ad revenue from scams, and that's the reason they won't go after scammers on their platforms.
Same can be said for Google. They could come up with numerous ways to block bots or make captchas harder for actual bots (while also not flagging every non-Chrome user as a potential bot, like they do nowadays), but they pretend this is an unsolvable problem that requires a nuclear solution, it used to be Web DRM but now it's called Fraud Defense.
If the only argument you can make every time someone proposes an onerous, privacy-destroying solution to this problem is deny the problem exists, you're going to lose.
GP is correct, we need an alternative we can point to.
The most damning part about Google Play Integrity is that, as the thread states, that Google lets devices pass that are full of known security holes, whereas they do not allow what is very likely to be the most secure mobile OS. This shows that they only use it as a method to shut out competitors and to control Android device manufacturers to pre-install Google software like Chrome (otherwise their devices do not get certified and won't pass Play Integrity).
IANAL, but anti-competition lawyers/bodies should have a field day with this, but nobody seems to care. Worse, the EU, despite their talk of sovereignty adds Play Integrity-based to their own age verification reference app.
I recommend every EU citizen, also if you do not use GrapheneOS, to file a DMA complaint about this anti-competitive behavior:
https://digital-markets-act.ec.europa.eu/contact-us-eu-citiz...
Also, every time this comes up, @ the relevant EU bodies, commissioners and your government's representative on Mastodon, etc.
> IANAL, but anti-competition lawyers/bodies should have a field day with this, but nobody seems to care
I'm gonna take a wild guess that proving the above statement in court (and then its necessary impact) might be a significant obstacle here?
I wonder if this would exclude rooted OSes, non-relocked bootloaders and things like that? Sorry for stupid question, still not quite understanding how this works.
What I took away from the thread is that they're against services forcing attestation in general, and also pointing out that Play Integrity isn't about security, but rather about control, because Google could trivially make it work with GrapheneOS (which is more secure than any other Android OS on the market) but they won't.
But if Google did support third-party attestation, would the GrapheneOS Foundation be happy? Most of the thread seems to be a call for attestation to die, which feels impractical and unachievable. But "Google could use it to permit GrapheneOS for Play Integrity if that was actually about security" seems to be the real ask, and that seems reasonable and achievable. If that's true, I think it would’ve been more effective to lead with that and focus on it.
Google doesn't certify devices basing on security, so that kind of attestation should have no place in banking/government apps, otherwise it just enforces the duopoly
Neither of these situations are related to any so-called spyware. The fact that Google is involved here had to do with the fact that they are a trusted party for folks to rely on to ensure the desired properties are being met, nothing more. In theory it should be possible for other parties to provide similar attestation, but that party needs to be deeply involved in the OS and boot chain. Apple is obviously capable and is equally trusted. Graphene probably provides the necessary properties but lacks a good way to attest due to the reliance on Google specific attestation APIs. That could be remedied. Otherwise Graphene would need to create their own APIs and applications would need to use them, which would be a harder sell. In both cases the party asking for the attestation needs to decide to trust Graphene, which is still a barrier, but that's an easier way forward. Alternatively, Google could trust Graphene and everyone who already trusts Google would inherit such trust.
GrapheneOS is still small and appears honest. Despite them being in the right in this fight and them deserving our support... We gotta keep them honest in the long run!
I don't think there's any way to tell if a small company will keep their values if they succeed in getting enough market share.
That is why all companies should be small and no company should ever have a huge market share.
They want apps to add their signing hashes manually just for them and don't want to join projects that would aggregate and act as a database or certificate authority.
GrapheneOS has near perfect app compatibility other than the Play Integrity API banning it from the overall tiny number of apps using it. It has per-app compatibility toggles for privacy and security features which trip other anti-tampering checks, find memory corruption bugs in apps, etc. There are a couple known compatibility issues from anti-tampering checks from the secure spawning feature but it has a toggle.
The stock OS isn't what's needed but rather directly booting it from the firmware with 0 modifications. Dual booting would require booting something else and major modifications to deal with hardware APIs not designed for multiple operating systems using them at the same time. Secure element / TEE APIs including the hardware keystore and attestation, etc. are not designed for dual boot. A/B updates, verified boot, firmware updates, etc. would need to be dealt with by the bootloader system. It would be complex and messy. The end result would not be a hardened device or one compatible with standard attestation checks.
TEE attests that the OS is booted with a given AVB key, OS version and the bootloader unlock state..
But I know that vbmeta is per-slot, so I guess the whole chain is.. I also read that if you flash "custom_avb_key", the original AVB key is also permitted..
Could this mean we could theoretically dual-boot while being able to flash the OS manually using fastbootd?
Credential Encrypted userdata would be unaccessible though, I'm not sure if the second OS could mount that partition at all.
But I'd like someone more competent to address all this.
It's a problem in search of a solution.
The cynic in me suspects it's a way of slowly but methodically eradicating online anonymity and thus anonymity in general.
First I'll say the government already has an ID system with a backdoor they mandate you use (your federal social security ID and state ID). The backdoor isn't very interesting because anyone with your ID in hand also has it.
So how about this:
1. State assigns citizens an ID at birth 2. State allows citizens to submit a public key along with their ID at any time 3. Citizens can go to their bank / private social network / whatever and say "this is my public key, you can use it to sign messages to me, and you can verify someone a) alive and b) a citizen of $state is reading it (from here you can bootstrap whatever protocol you want) 4. The state<>citizen network established in (2) is constantly under attack as stealing someones private key valuable so you also need a legal and technical framework to defend it
The protocol for submitting private keys and defending it from attack is a much longer post, I'm convinced there are ways to do it that drastically favor defense over offense, but that's not the point here.
Our question is can a government force it's way into the protocol you bootstrapped on top
How would they?
1. They could reset your public key to one they control the secret to, and then impersonate you digitally to break into your bank or social network. However I don't think they could do this secretly (the key update would necessarily be publically visible), so it's not really a back door. They can already do this with a search warrant. And if you're paranoid you can bootstrap your secondary cryptographic networks with multiple factors. So, this is on net more secure for you.
2. They could try to recover your secret key by force or warrant - but again not a back door.
I think the real concern isn't backdooring it's blacklisting, if this system becomes the L1 for every L2 crytographic interaction, they can practically remove your ability to freely transact. But that's a political problem you address with political means, I'm convinced from a technical perspective this is more secure and far cheaper for everyone.
There must be a dozen other ways smarter people can think of but identity verification kills profits so the smart people don't work on them IMO. It's more profitable for social media to be an astroturfed shithole. It's more profitable to remove control of your PC.
End users should be authenticated so you can prove you're selling real eyeballs in the demographic mix you claimed to marketers and to provide lip service for the 'think of the children' regulators.
But anyone who's paying for ads should have as little friction as possible to dropping money and spewing garbage.
I'm surprised nobody is looking at some sort of "corporations are people" angle here-- we've attested the device ownership, but it's owned by the Lorem Ipsum Corporation, which is a legal/demographic dead end and spawned just long enough to buy the device.
Let’s see then if they really want to collect all our information all the time. Right now, they take it and handle it irresponsibly because they’re free from consequences.
A nonprofit business could do this if backed by all existing dotcom and bitcoin billionaires. But they’d all want to profit from it, so either non-profit (NGO) or governmental it is.
Fun fact: this is already a core function of USPS. They serve as an identity verification hub for both US passports and their informed delivery and PO box services. They just have a human-dependent process rather than an identity-generator booth. So they’d be perfectly positioned to take your ID, hand you an attestation request QR code, and get your identity-signatures on it — without being able to reverse-engineer your biometrics from those signatures, but still being able to detect gross variances when someone else tries to lie about being you in a future verification.
Anyways, none of this will likely ever happen, but the rich tech folks could make it happen at any time if they cared to. Instead we get THE ORB which is doing retinas as a for-profit without auditable artifacts or hardware. Sigh.
I'd propose the primary factor is social - when a child is born there is a recorded attestation from the family and care providers about the minting of a new soul. When keys are compromised you similarly seek attestations from your social network (or social worker) that you need to furnish a new key.
The network could be attacked by literal force, blackmail, or deception, but it's very expensive compared the defense (strong legal punishment for attempts to subvert the network)
That last part is why I think the state has to do it, not technologists. There has to be a strong legal and cultural immune system in place to defend the network.
Isn't this basically worldcoin? Aside from the fact that worldcoin is run by people I wouldn't trust to watch my cats for an afternoon, the core principle with well thought out ZK crypto could work well.
Turns out right to repair laws are very popular with voters and small business owners. Maybe we all start to tread down that path more and figure out what sorts of regulations pressures companies into adopting open standards?
"I don't use a TPM in my computer so it shouldn't exist" has always sounded like a weird argument against the tech in my opinion.
Many Android phones have their secret storage implemented as a virtual machine rather than a TPM. The lack of a TPM doesn't suddenly give me any more freedom, although it does come with security downsides.
It is not an us vs. them sort of thing. Don't get me wrong, there are wicked people doing awful things, but I breathe the same air everyone else does. I remember building things 20 years ago with breathless excitement about how it might make the world a better place, and these days I am much quicker to think about how to monetize. Asking a fair price for something isn't evil, but none of us is an island and I don't like how my dreams have changed. I write these things in part to teach myself.
Content Decryption Module (CDM) in your browser or Mobile SDK generates the license challenge
The "license challenge" (it might be a mistake I think it's supposed to be a license request) is just a packet (that can be saved and later sent to anywhere) and it contains the encrypted certificate which doubles as your HWID. An adversary needs to control the private key of the license "server" the challenge is for (this is a privacy measure introduced to prevent the CDM from offering the HWID to anyone who wants it). Now if you want the HWID you need to work for it (one time) by stealing a private key, bribing/blackmailing employees or issuing secret edicts ("here is a new license server we need a certificate for"). Working for Hollywood is also an option I suppose.
Pirates sacrifice devices when they publish ripped content due to the certificate being revoked after Hollywood downloads the torrent and by doing things like this:
For large-scale per-viewer, implement a content identification strategy that allows you to trace back to specific clients, such as per-user session-based watermarking. With this approach, media is conditioned during transcoding and the origin serves a uniquely identifiable pattern of media segments to the end user.
Because many people have fortunately realised that "EOL" is just an excuse to create lots of e-waste and push even more hostile unwanted changes.
The premise of this is to keep the person issuing the tokens and the person accepting them from correlating you.
The issue is when you have more than one service accepting them. You go to use Facebook and WhatsApp but they're both Meta so you present the same unblinded signature to both services and now your Facebook and WhatsApp accounts are correlated against your will. And they have a network that does the same thing, so you go to use a third party service and they require you to submit your unblinded signature to Meta which allows them to correlate you everywhere.
You would never do this as it defeats the entire purpose of using blind signatures to begin with.
It's not the user who wants any of this to begin with. "You would never do that" except that it's now the only way to be let into the service.
Example: I’m perfectly fine with my Touch ID sensor having a crypto-paired link to my SOC so that someone can’t swap in a malware-sensor at a border checkpoint; I also don’t want my device (or websites) to be able to discriminate against me installing my own homemade sensor. What that looks like in practice is close to what we have now, but not quite there yet — and is definitely not ‘no crypto-pairing at all’, as a ban on key material would enforce.
Example: https://www.lrb.co.uk/blog/2021/july/information-sovereignty
1. Most people don't write.
2. The people who write are not always competent.
3. The people who write often have an agenda, too.
What's the consequence of that? Imagine what the politicians receive: tons of messages of people complaining, most of which are factually wrong. What to do then? How to know who is right? It's genuinely hard.
EDIT: please write here: https://european-union.europa.eu/contact-eu/write-us_en
I think it's an error to demand the alternatives be as good-- that might not even always be possible. But even if they're less good they're usually still better than anything we could have imagined decades ago-- they're good enough to use.
And that should be enough because we shouldn't consider handing control of ourselves to third parties to be an acceptable choice at all.
I think the main struggle is moderation. Moderation requires a hierarchy, which is much more compatible with a centralized model. I'm thinking that curation would be a good alternative. Rather than authoritatively silencing unwanted content, just categorize it well enough for users to filter what they want.
The fucking “nazi bar” analogy has ruined an entire generation. You would think after centuries of trying to stamp out competing ideas, humans would finally come to terms with the fact that it cannot be done.
Small curated groups are the only way to enforce ideological orthodoxy. You cannot force it on the public, nor can you punish the public for holding bad ideas without creating blowback and resistance.
Sucks that they have a hard problem like that. Taking away everyone's freedom to exercise ownership of their general purpose computing devices and destroying online anonymity shouldn't be the answer (or, at least, we shouldn't stand for it). Maybe they can spend some of their billions in revenue on it.
Defense is depth actually works. It's better security to require a dedicated device to make it harder to commit fraud. This is why credit cards became a secure device instead of just being a magnetic strip.
Failed to mention this but part of the reason for this is that even after getting past CAPTCHA and creating an account, spam bots in online communities have always had to pass a sort of informal ongoing Turing test to not get outed as a bot by human users and banned. In the past, that would happen almost instantly as soon as the bot posted anything. Now they can often go undetected by even human mods for a long time, maybe even indefinitely.
Say your example: a user generates a pub/priv keypair locally and shares the public one with the government. How does the government know you’re rightfully sending the ID? How does the user know what they are sending? Can the app/website/tool/person at post office they are using to generate+store+send the public key be trusted by the user? How can the government give trust to the user that this tool/person can be trusted?
And there we have attestation again. Or walled app stores, or certification as we have for physical services.
I imagine the way to do this effectively would be to get some well-regarded infosec firms to audit both OSes (from source as much as possible), and also compile lists of vulnerabilities found, fixed, not-fixed, etc. over time. Then you need a witness who can explain all of it in a way that's accessible to and likely to sway a jury.
A difference is being drawn between HN users who are interested in tech, and the everyone else. Most of humanity has little interest in Tech, and would rather spend their time on other things.
This also means they are less aware of ways to keep themselves safe, or less on top of whatever current threat is sweeping through the internet.
After multiple interactions on this site, I can say with some confidence that the average HN commenter does not have the same experience with technology that the average user does.
This divergence is resulting in different priorities and conversations.
Edit: I think that, given that us HNers often self-identify as tech priests, advocacy and education should follow naturally from that.
I want a pony! A legitimate desire. So it's okay if I rifle through your underwear drawer in case there are any ponies I could take?
Requiring there be a physical phone is a speedbump at best ( https://i.dailymail.co.uk/i/pix/2017/05/12/13/403C0D44000005... ) and so de-anonymizing every person using the internet by attaching them to a device and allowing google to track them is not sufficient, nor is the privacy loss necessary for the kind of improvement they could realistically hope to achieve.
But most over even if the panopticon were highly effective and even if were the only option to achieve that end we should still reject it because it's wrong.
The frog is slowly being boiled so that people start to accept things which would be unthinkable in the past. Whoever refuses to bend nowadays sounds hyperbolic or insane, but I'm just using the "absolute temperature" here, you know...
> Neither of these situations are related to any so-called spyware. The fact that Google is involved here had to do with the fact that they are a trusted party for folks to rely on to ensure the desired properties are being met, nothing more.
They're NOT fullfilling that purpose here - read the post, insecure devices with Google Mobile Spyware pass that, while GrapheneOS doesn't. Yes, Google is trusted to ensure these security/ratelimiting properties are met, but instead uses/abuses that trust to ensure their anticompetitive business goals are met. Google is not an independent attestation authority and should not be treated as such, what Google is doing here should be (and most likely already is) illegal.
> Alternatively, Google could trust Graphene and everyone who already trusts Google would inherit such trust.
While far from perfect, that would be better, since we'll then only rely on having their hardware (legitimate business) and not their adware/spyware preinstalled with elevated privileges (illegitimate business, illegal monopoly).
The reason it's hard to boot up a secure social network (such as Signal) is the handshake for (re)identifying people. Signal makes a ton of conceits here (the UX essentially asks people to assume phone numbers are securely held) in the name of low friction and it's why they grew so fast. The "real" secure social networks are essentially too difficult to get real adoption because they don't make these conceits around phone numbers, and demand real key exchanges.
But if you had a L1 set of private and public keys the government works to maintain and defend, the L2 social networks like Signal (or banks, or markets, whatever) can do this cheap and easily.
Oh my god. It's 2026, and we're still repeating the "I trust Apple/Google/Microsoft enough to resist the government" spiel.
Hardware attestation is a surveillance mechanism. If China was enforcing the same rule, you would immediately identify it as a state-driven deanonymization effort. But when the US does it, you backpedal and suggest that it could be implemented safely in a hypothetical alternate reality. Do you want to live in a dystopia?
Who is?
> But when the US does it [...]
I don't live in the US, and while US is often setting global trends, in this case I don't think that's actually that likely, unless it somehow goes significantly better (i.e., the benefits actually vastly exceed the collateral damage to anonymity and resiliency via heterogeneity) than expected.
The surveillance of the future will be powered by the things we produce today. If the accepted algorithms leave cookies those cookies will be used tracked and monitized. The bad argument is the forced verification to do things on the internet. Making that start at the hardware is a lock in thats not okay. Business will always own the services and making standards that trade our practical liberty for the sake of security is a very compromised position in my opinion.
And it does start with the age verification, followed by id checks, etc. Its compromising precisely because no lines are drawn and no rights to privacy are codified in law. Without guiderails the worse path will likely be taken for maximum profit
Oh hell you do! Google profit comes from ADS! It's for their profit to surveil and track and deanonymize TO SELL ADS.
I don't know about you but I feel humiliated being forced to look at ads all day.
...But there is always at least one hacker.
The issue with hardening DRM is that at the core it's hard to protect against an adversary that with physical access to the device that keeps the very secret. From the vendor perspective, the very customer paying you is your potential enemy.
That means that the root of trust isn't itself protected with cryptography. Instead, it relies on security-through-obscurity, Faraday cages, fuses, anti-tampering and lots of glue. And it's a numbers game if there are thousands of different devices, potentially with different flaws while your adversaries are hidden among billions of customers.
There is still a gap between the hacker and main-stream availability, though: laws and legalism, like DMCA that penalize disclosing how the obfuscation and all work.
We understand that, as the saying goes, if you're not paying for something then you are the product.
But less technical people don't consider that, and don't have hoards of technical friends to convince them otherwise. They just think: they using the product, so they're the user, right? We know that's true but it's not the same thing as customer. Most people don't have that distinction in their head.
It's even partially true that Google does want to do things that attracts and retains users, because that's a prerequisite for selling them to advertisers. In my experience, that's an upper bound on the amount of thought most non-technical people would give it.
It seems over the last decade that if you _are_ paying, you are still the product, you're just making more money for the people selling you.
I think you're right that they are incompetent. The point is not to make them understand it, but rather to make them see that enough people care. The problem is that most people don't write, so the politicians don't see that they care. Same thing for companies. How many GrapheneOS users say "well when it stops working, I just move to another service, and if there is none, then I live without the service entirely". That way the companies never see that there is a need.
Being prepared to be this voice is one of the reasons I'm a Graphene OS user. Another is that it helps me avoid accidentally writing code that depends on google play services. When you've got an agent doing most of the driving, it's easy to not realize that your app is broken without google, unless you're testing it on a degoogle'd device.
As long as this is in Google's hands, they can abuse it to control the market.
That said, Play Integrity accepting GrapheneOS would be a step forward, but they will never do it, because then other vendors might also want to pass attestation without preloading Google apps.
This is also a horrible idea. If an OS can be vetoed for untimely security updates, it can also be vetoed for not having something like clientside scanning.
What would even be the criteria for approval? Pinky promise to not let the end user have full control of their own device? That’s all “integrity” really means in practice. Don’t be fooled by appeals to security.
> Most of the thread seems to be a call for attestation to die, which feels impractical and unachievable.
I disagree, and I expect GrapheneOS devs do, too. Hardware attestation is a new thing, that isn't even really here yet. It absolutely can and should meet its demise.
The average person is not calculating anything but price, is it what everyone else is using, is it new etc. Very low level calculations. They aren't asking "can I install applications from outside the app store?". Etc.
I don’t know if we can blame the average person when there is an entire class of people which have almost limitless resources, knowledge and means to execute their agenda. At some point we have to accept we are fighting against an evil and powerful enemy. And that the masses are high succeptible
It’s like being mad at the characters in lord of the rings for succumbing to the rings powers
> They aren't asking "can I install applications from outside the app store?"
I agree. They don't want to. They already can't begin to evaluate app trustworthiness and don't want to have to. And they shouldn't have to. Yet they live in a world where they do. So they lean on reputation, app store filtering, the legal system, and hope.
BART (San Francisco Bay Area Rapid Transit), as a real world example, recently installed "evasion-proof" fare gates, and observed a 90% drop in vandalism-related maintenance expense. An overwhelming majority of fare evaders are not vandals, but apparently nearly all vandals were fare evaders. Bayes' theorem in action.
I don't have any data to back this up, but my sense is that attestation is an analogous situation.
In other words, banks and governments and other such institutions have noticed (and they probably do have data to back this up) that very few of their customers use "unapproved" devices and a very large majority of fraud comes from "unapproved" devices. They view banning unapproved devices as a high-ROI means to reduce fraud.
So, any argument predicated on "attestation is not security" is doomed to fail, just like saying "most fare-evaders aren't vandals". Yes, most people running GrapheneOS aren't trying to commit bank fraud, but the banks don't care about that if nearly 100% of fraudsters are using unapproved devices.
Yes, those AI startups can also buy cheap Android phones at scale, but it's a bit harder because they'll pay for stuff that their bots have no use for (a screen, a battery, a 5G radio, software, branding, distribution, customer support etc).
The difference is that if you're human you can create an account and then carry on using it for decades, whereas if you're an aggressive scraper bot or spammer then you get banned and have to buy new accounts over and over.
Not my preference, but they seem so far ahead of other ROMs right now that I use it still.
I do believe people have built and installed it on other devices without too much trouble, but I don't think that'll ever be supported.
They recommend Google play over fdroid due to some security concerns, not because they like the service. The reasoning is available on their discussion forum.
And yeah, it won't officially be supported on other devices than the upcoming Motorola and perhaps the next pixel. Too bad.
It's a bit odd that Europe prioritizes American big-business interests I guess? Idk, as an American it does seem kinda like an odd choice.
How many European countries buy American weapons because they are scared of what would happen if they pissed off the US? And then they still get tariffs and threats of military invasion.
What would cause you to think that to be the case?
There are two primary ways that bank fraud happens. The first is that the attacker steals the user's credentials, at which point they can sign into the user's account and transfer funds, and can use any device the bank requires because they already have the credentials. The second is that the attacker convinces the user to transfer the money and then once again the user is using an approved device if that is required, and requiring it in no way prevents the attack.
Moreover, even if there was a statistical correlation -- which there is no reason to expect in this case -- that doesn't help you when the attackers could just use their stolen credentials on an approved device anyway, regardless of what they were doing before.
Vandalism can be reduced by excluding fare evaders because that's a class of people rather than a class of devices. Requiring the attackers to use an approved device when the approved device still allows them to commit the fraud accomplishes nothing.
Just observing: People who don't own an iPhone or modern android are also, generally, of a class -- and probably one banks would prefer to not do business with for profitability reasons.
People who don't have spyware/lockinware for principled reasons are currently rare enough to not matter in this analysis-- though sure, they're probably customers the bank wants.
Google hardware attestation idea won't give them that much data: All Google will know is which phones visited which websites and only when the website asks the phone for hardware attestation. If the website gives the phone a cookie for bypassing subsequent attestations, then Google will know only of the first visit.
I think we should just accept that some things should cost a bit of money and move the discussion to "how much should it cost", rather than trying to sweep economics under the rug.
Contrast this with remote attestation, where they might show you the source code for everything but you're still powerless to do anything.
You have no idea what has been baked into the weights in the training process. In theory you could find biases and attempt to "patch" them out, but its a vastly different process vs. patching machine code.
Consider what would happen if Google's open weight models were best at writing code targeting Google's services vs. their competitors? Is this something that could be patched? What if there were more subtle differences that you only notice much later after some statistical analysis?
Open weight models can be a big boost to building Open AI (cough). Progress comes from incremental improvements, -- and open weight models are a big advance in privacy, security, and autonomy over relying on hosted closed systems.
Source vs not is only one (important!) dimension, moreover in FSF land they define source as being the preferred form for modification, at at least for some kinds of modifications the weights are the preferred form.
This can never be the case.
Both the licensing and source aspects of the Free Software movement are aspiring to create high level of equality of access to a [software] work between both the original author and far downstream recipients. Obviously full and universal equality is impossible because part of the work is only in the author's mind and not everyone can obtain and use computers, but approaching that as closely as possible is important and it is important to think about how to achieve a high level of equality for each work in each context. What is "source" in any given context is a choice the author makes about what level of access they want to pass on to others.
In the case of AI, weights can never be the preferred form for modification because of the equality of access issue. The people who trained the AI (and hide its training data/code but published the weights) will always have more access than the people who only have the weights. Just like a binary can almost never be the preferred form, because the authors have access to the source but we don't.
There are also many ways to bias the model and insert backdoors or other suboptimal behaviours into it during training data selection etc.
Any source on that?
But how are you preventing multiple services from using the same value for service_domain_name because they're cooperating to correlate your use?
Not sending the same value twice would prevent them from being correlated, but now what are you supposed to do when you run out? Running you out could even be the goal: You burn a token to get a cookie and now you can't clear your cookies or you'll be denied a new one since you're out of tokens.
You can change the information you put into the hash in my example to get them one go per site per day or one per year or even one per site ever. But without giving cross site linkablity that does you no good or giving google visibility into everyone all the time.
But that still doesn't get you to your desired unevadable bans, but with suitable parameters it can get as close as google's spyware approach while being much more private.
I think time a time oriented rate limit makes the most sense considering the limits in practice (attacker just gets access to another discarded phone, or tricks someone into authenticating for them via theirs)-- basically means the best you can do against dedicate attackers is rate limit them. So why subject honest users who may have good privacy reasons to use multiple accounts over time to worse effective limits than attackers?
But you don't have to agree with that to accept that schemes much more private than google's are possible.
There is also the problem that most external hardware is less secure than things like Apple's SEP. (But on the other hand, probably more secure than the long tail of cheap Android phones, which use virtualization rather than real hardware.)
That's how it works in Germany: You tap your national ID card (as a citizen) or eID card (as a non-citizen) on any NFC-capable iPhone or Android device. I personally much prefer that solution over one that requires a specifically trusted device.
The big gap is trusted user confirmation, though: Users need to see what they sign by tapping their card, and then you're usually back to some form of attestation.
Practically, they also completely botched the rollout; literally everyone I know managed to somehow lock themselves out of their card at the first attempted use (assuming they've even bothered to set it up).
Big ships turn slowly, but I give it at most two more years until at least one pan-European retail payment scheme (cards, QR, or maybe the "digital Euro") has been regulated into existence.
[1] https://www.theguardian.com/law/2026/feb/18/international-cr...
I never really thought about it until I saw this comment:
Swish in Sweden, MobilePay in Denmark/Finland, iDEAL in the Netherlands, etc. Of course you can't sign up to a specific country payment system if you're not a resident there. And systems from different countries don't work with each other.
Luckily, there's now an initiative called EPI [1], which is an alliance that wants to make all these apps interoperable and call them "Wero" [2].
There are two problem with this system though:
- Wero insists on making you use your own bank app to send/receive payments. That's a terrible choice, because most bank apps are huge behemoths that are slow and heavy. People don't want to use them: PayPal is so much quicker and easier. They should develop a new, lightweight app that only does payments.
- The Italian member of EPI is "BancomatPay", which nobody uses. Sure, Bancomat is a huge company in the debit cards world, but no sane person uses BancomatPay in their daily life (also, BancomatPay forces you to use your bank app). In Italy, Satispay is way bigger and widely accepted, especially in the North (i.e. richest) part of the country. I'm surprised Satispay didn't get into EPI.
Most banks in Belgium (e.g. Bancontact, Wero, Pom) or Sweden (Swish, was renting ice skates with it just this winter) have their own system but typically only nationals use that. It's still enough for shops to get instant payments without those US cards issuers.
TL;DR: yes and it's wrong, but also IBAN works.
https://www.reuters.com/sustainability/society-equity/apple-...
I don't want to hear about how this isn't Apple's fault. This isn't the big bad orange man forcing Apple to act against its will; it's a business arrangement between Apple and the president. He gets censorship, they get a weaker EU.
https://www.whitehouse.gov/presidential-actions/2025/02/defe...
Most of the other big tech companies make their revenue from other companies paying them to leverage the influence they have over their users. So they are not constrained in the same way.
I believe that most Googlers are pretty aligned with the principles of the HN crowd, but Google the machine is not.
Apple is not perfect, by any means. I recently had a conversation with a former Apple employee about how they employ differential privacy internally. This former employee was upset about Apple's interpretation of one parameter ("privacy budget"), but the fact that we're having this conversation at all is a positive. Google, despite being an early adopter of differential privacy, is on the other side of the privacy spectrum: virtually everything they provide is intended to capture what you do on- or off-line.
I will pay a premium for Apple stuff for this, and other reasons. I do wish they were more developer-friendly, however. Enough so that every time I buy a new computer I have to run through the mental calculus of whether I'd rather fight with the cathedral or the bazaar. I recently bought a new computer and the cathedral won the last round.
A company reveals its priorities when it is forced to make inconvenient choices. What privacy compromises did the CCP force out of Apple in exchange for doing business in China?
You might of. But there was a percentage of players turned away by cheaters or even just had a bad experience one day because of one. At scale this can cause a bad experience for a ton of players so trying to stop as many cheaters as possible does matter.
>Why do I need to compromise my hardware
You don't have to compromise anything. In fact it is optimal to have the system be as secure as possible that way cheats can't mess with the game.
>How do old boomershooter communities tackle cheaters?
By limiting the rate of new players. This goes against the wishes of games who want to achieve massive growth.
>When and why do methods that work on a social graph fail or necessitate anticheat?
If people provided IDs that could work too instead of anticheat, but usually people do not want to do that just to play a game. It adds friction to the onboarding process.
So… I don’t have to compromise the ability to run any program I want on my machine, and I don’t have to compromise the ability to be root on my machine. Right? And of course, when I say "me", I’m talking about everyone, including cheaters. Meaning, we don’t have to compromise the cheater’s ability to run any program they want (that would include cheats), nor their ability to be root on their machine.
> In fact it is optimal to have the system be as secure as possible that way cheats can't mess with the game.
Secure for the game company you mean. I want a computer that’s secure for me, that responds to my commands. And again, "me" includes everyone and cheaters too.
---
The online gaming industry is not worth sacrificing individual ownership of computers.
Yes. You are free to do whatever you want on your machine.
>Meaning, we don’t have to compromise the cheater’s ability to run any program they want (that would include cheats), nor their ability to be root on their machine.
Yep. The only thing the cheater is unable to do is prove to the server that they aren't using cheats.
>Secure for the game company you mean.
No I mean that the operating system protects applications from messing with each other. The operating system should isolate each app for security purposes.
A lot of gaming migrated to consoles for this reason. They have secure remote attestation implemented properly. Accusing winners of cheating doesn't work there, and it's obvious why that results in happier and healthier gaming communities.
This does not work. You aren't talking about pissing off a significant percentage of the users who go elsewhere.
The imbalance in power is unthinkable to people 100 years ago when the phrase was first popularised.
I think you're naively presuming the issue is simple and easy to address with a letter.
Regardless of your bank, payment systems such as Visa and Mastercard have blocked transactions involving mainstream online stores such as Steam because they unilaterally deemed some games to be problematic. You cannot fix this problem with an email.
An old account with typical activity patterns can be extended some level of trust. If you sign up for an email address and immediately send a message with 100 recipients in CC, you're probably a spammer, so you get blocked. If you've used the account for years, ehh it's probably invitations to your high-school reunion or a donation drive for your Church, let's let this one through.
You can only extend this level of trust if you prevent your gullible users from constantly getting hacked; 2FA is one way to do that.
Also, you're overestimating the fees. Few apps or services hit the 30% threshold or stay there for long (the fee for subscriptions drops in the second year).
The real problem IMHO is Apple taking a significant amount out of developer pay checks. Users are fine. The impact is on developers.
99% of the payment activity I do on my phone (buying retail goods, travel arrangements, paying invoices) has no additional cost.
Until we have a real way to meaningfully process natural language (I have a serious idea for that, but that's another conversation), we won't be able to automate content filtration. The next best thing is ironically similar to what we came here to complain about: attestations in a web of trust. If everything we bother to read is tied to a user identity (which can be anonymous), we can filter out content from any user identity that is generally agreed to be unwelcome. The traditional work of moderation can be replaced by collaborative categorization of both content and publishers. Any identity whose published content is too burdensome to categorize can simply be filtered out completely. The core difference is that there are no "special" users: anyone can make, edit, and publish a filter list. Authority itself is replaced by every participant's choice of filter. Moderated spaces are replaced by the most popular intersection of lists. Identity is verified by the attestation of other identities, based on their experience participating with you.
The web of trust idea is good, I have thought about it before as well, and I think there’s a couple of people who tried building a platform around it (I don’t think they got very far into the process though). I should be able to filter based on trusted people with similar taste. I shouldn’t have to accept a central authority’s notion of what is acceptable, excepting content that violates US law. That’s all I care about in terms of moderation.
I don't know about that. There are plenty of retirees who want nothing to do with this "modern technology" while still having large amounts of retirement savings that the bank very much wants at their institution.
Small (and for that matter large) business owners also have a tendency to have complicated financial situations and correspondingly want to deal with them using a computer screen rather than a phone, and that's another class of customers banks are certainly not interested in driving away.
Meanwhile I take it you're implying that the people who don't have a smartphone to do banking on are undesirable poors, but those are the people who do use a phone for banking, because bargain bin Android phones are available for ~$15 and that's the extent of what they can afford for an internet device.
Whereas the people using the likes of GrapheneOS might well be a small percentage of the customer base but they're still generally the class of customers the banks like, i.e. tech people with upper middle class financial situations.
Of course, I think the effective purpose of google's attest feature is to invade everyone's privacy which we should assume is part of why they don't use privacy preserving techniques. Privacy preserving techniques could still be abused, however.
Maybe they're even worse for humanity because they make bad schemes more palatable. I think right now I lean towards no: the public in general will currently tolerate the most invasive forms of these systems, so our issue isn't that they're being successfully resisted and the resistance might be diminished by a scheme which is still bad but less bad.
To me, it seems like just the right amount of friction, and user expectations can work in favor of privacy here: People will hopefully refuse to tap their ID on their phone for a service where they want to remain completely anonymous, even if the protocol technically might support anonymous assertions.
We have over 30 years of the world wide web and for these more than 3 decades this was never a problem. Suddenly, we "need" to create new technology that seem to be security features, but are essentially just being used for evil, thus being inherently bad.
It's not like these technologies were created for the greater good and misappropriated by bad actors. They were proposed by bad actors in the first place, they cannot not be inherently good.
I don't think remote attestation (or even more so its umbrella technology, trusted computing) is nearly as specifically targeted as DRM.
> We have over 30 years of the world wide web and for these more than 3 decades this was never a problem. Suddenly, we "need" to create new technology that seem to be security features, but are essentially just being used for evil, thus being inherently bad.
I agree that requiring remote attestation for generic web use is evil. It's way too heavy-handed an approach better reserved
I still don't think this somehow outright disqualifies the technology itself.
captcha/spambots has been a problem since USENET
Are you seriously trying to suggest copyright infringement has not been an issue over the last 30 years? Both of them are solutions to problems that we've had over the last 30 years and were created for the greater good to solve problems that developers were facing.
The policy is "I will not let you access this system unless your system software implements this technological protection."
A camera is technology. A security camera is policy, because it's a camera hooked up to policies on how to watch, record, and respond to what is required, and it is a political effort when connected with laws about face masks, prohibiting spray painting of the cameras, and allowing privacy intrusions.
Suppose someone invents a mind-reader that lets the user read the thoughts of anybody else in range. But the mind-reader requires great up-front costs to produce and also allows people with stronger readers to remotely destroy weaker readers, where strength is basically a function of cost.
In a vacuum, the mind-reader is "just a technology". But it aids autocratic surveillance much more than it aids citizens who want to surveill back. It's "neutral" but its impact is decidedly not.
TPMs and remote attestation enable entities with power to enforce their existing power much more effectively. In contrast, a general-purpose computer does the opposite because anybody can run whatever code they want, they can adversarially interoperate with anybody they feel like, and so on.
One of these is more evil than the other, even though they're both "just technologies".
People have woken up to the truth as the pieces come together.
This article from 2022 is fun to look at and see how prescient it was: https://news.ycombinator.com/item?id=29859106
A TPM with measured boot (SecureBoot) does exactly this, remote attestation is how Alice proves to Bob that it is in a trusted configuration and wasn't tampered with.
Passkeys absolutely do not need TPM.
You can get passkey support in any browser with a simple 1password plugin without any TPM hardware.
The same way you could get a TOTP app on your phone without any TPM.
TPMs are just an extra security layer for most usages.
They are mainly a necessity for some shady business like DRMs.
They do not, but how does the service you’re using know your passkey is secure? For all they know you’re just some gullible user that clicks through every fishing email you get. You’re dumb, weak, helpless, they gotta protect you from this scary world out there, and maybe yourself as well.
They can’t do that if they allow your passkey to be stored anywhere you control. KeepassXC? The second you type in your master password the keylogger will snatch it, and your entire database with it!
Okay, maybe you’re some hot shot cryptographer, you’re using a TKey (think Yubikey, except you have full control), and there’s no way your secret key leaves it even if your main computer is fully compromised. Well, the service doesn’t know that. All they see is your public key and a matching signature.
So, sorry Mr. Security Researcher, we’re gonna have to be safe, and require you to use approved hardware only. Too many (wo)men children out there must be protected, we have no way to tell you’re not one of them, so it’s remote attestation or you’re out. What’ online buying worth for anyway, when you can just cross the ocean?
---
Just so we’re clear, I agree with you here. But don’t forget there are two kinds of passkeys out there: with or without the evil remote attestation. And many companies will push for the remotely attested kind, using the exact argument I used above, except with a straight face.
Or they will just present a false dichotomy: remotely attested passkeys on the one hand, short easy to guess reused everywhere passwords on the other.
A chip which you can write to and interact with but can't read is valuable; it lets you enforce conditions which you otherwise couldn't. For example, you can protect your sensitive data with a 6-digit pin, secure in the knowledge that the chip will erase the encryption key after 10 failed attempts. If you had full access to the TPM storage, you could brute force that PIN in seconds.
I had an idea to create blatantly insecure passkey browser extension. Maybe I should do that.
The reality is that there is software dependent on the user being unable to modify it. This safeguards the server against fraudulent users.
Anyway flawed implementation doesn’t mean that hardware attestation is a fundamentally useless primitive. Apple Wallet is responsible for millions of transactions a day.
And what actual applications did you have in mind that warrant throwing everybody under the bus? (by that I mean some applications (allegedly) need it, so it gets forced on everyone)
They really want to though. Maybe consider that.
I do not see any indication that Apple wants to get involved in adjudicating payment disputes for physical goods and services. That is high cost, high liability, low margin work. They seem to be perfectly happy letting the existing banks (aka card issuers) handle that, and getting a 0.15% cut for allowing their credit cards to use Apple Pay.
Apple has restricted themselves to being the payment infrastructure for only digital goods, and I assume that is because that is the cheaper, more scalable option.
As a side note, in the US, the proportion of sellers willing to eat the credit card fees has gone down every year, and seemingly at an accelerating pace. I have winnowed down my credit card usage to retail goods/restaurants/travel, because almost everyone else wants payment via ACH/Debit/Zelle/other option that avoids credit card fees, so I would be surprised if Apple would ever want to enter this market, given that even the 2% credit card fee transactions are not able to compete.
This nonsense mainly exists only because the operating system is unable to attest that it the app is secure and the right app is what is running.
>It's their computer, it should run whatever software they want.
I agree, but companies shouldn't be forced to match cheaters with legitimate players. Cheaters just can't secretly be cheating.
> the operating system is unable to attest
And it should remain unable. There should be no "attestation" of anything. The corporations who want such things should remain unsure of the device's "security". They should just accept it. Let them write it off as a cost of doing business or something. The optimal amount of fraud is non-zero, as they say.
> the app is secure and the right app is what is running
These machines are our personal computers. They are extensions of our minds. They are general purpose tools with limitless potential, just waiting to be shaped in accordance to our wills.
There is no such thing as being "secure" from us. Not inside our own computers. The mere idea of it is offensive. It is an affront to us all. We are the gods of these machines. To attempt to "secure" a video game of all things against us is an attempt to usurp our power.
> Cheaters just can't secretly be cheating.
Now that remote attestation is in play, the ability to do that -- forge attestations to pretend to be a corporate owned machine while remaining free and subversive -- has become key. So I'm forced to say that cheaters absolutely should be able to secretly cheat. If the cheater wants to edit his computer's memory or whatever, it's his divine right as the owner of the machine. An inability to do that means our freedom is lost.
Cheating in video games is literally nothing compared to the loss of our computer freedom. Let the entire industry go bankrupt if it must. We cannot sacrifice it no matter what, and certainly not over something as mundane such as video games. There is so much more at stake here. Ubiquitous access to cryptography. Adversarial interoperability. Our very self-determination in the digital world. Video games are nothing -- and that's coming from a fellow gamer.
The choice is simple: tolerate some level of online cheating, or require remote attestation to run the game. If you ask me, I’d rather take the first option. Locked down game console already make me a bit queasy. A locked down desktop, laptop, or palmtop? That’s not acceptable. People should be able to run any program they want on their computers. If that means the end of online gaming, so be it.
Let the cheaters join the cheat-friendly servers or the foolishly unmoderated servers.
It's especially ironic to name China when the whole reason the US bought TikTok is because it showed people the reality of the genocide in Gaza, which the far right nationalists hated.
Are you just not paying attention to the dissolution of democracy or are youjust like, cool with money being the only protected thing.
Condescendingly and incorrectly assuming that others think that corruption is impossible is kinda rude and also dodges attempts at correcting the corruption.
Google et al go to the government and say they've got this attestation thing that can something something security. No one is taking a bribe but also no one they're hearing from is telling them that doing this is going to cement the incumbents. "Security" is good, right? So it makes it into the law.
That doesn't meet most formal definitions of corruption. It's more like incompetence than malice. But the outcome is indistinguishable from corruption. The bad thing gets into the law.
The difference is, if the politicians are taking bribes and you get mad at them, they fob you off because they're more interested in lining their pockets. But if the politicians are just misinformed bureaucrats and you get mad at them, they might actually fix it.
And attributing everything to "corruption" discourages people from doing the latter even in cases where it would be effective.
The money that goes into lobbying in order to have that say is, depending on who you ask, corruption. I, as a random citizen, don't get the same say that a multi billion dollar international corporation does.
It's not a given that it's incompetence.
Anytime anyone criticises the EU here, you will get downvoted even after trying to warn the EU defenders that they are not our friends at all.
I was asking for evidence about the EU digital ID wallets about what the "disinformation" was around it 3 years ago [0] and not a single link of it was given.
At this point, being an EU defender and supporting the "open web" are incompatible since you will be using your EU digital identity wallet [1] with your phone to login to your bank and the internet will push age verification with it, locking you out if you don't sign up.
Fair enough. It might not be consequential for you, the fact remains Apple took 30% of every dollar you spent on the app store. This, after you paid a premium for Apple hardware. I'm happy the walled garden with a toll is worth it for you. All I'm saying is, others might not agree with that if they knew. Just look at the push back again tariffs as an example.
That thing that got refused multiple times already?
Because not all politicians think like you does not mean they are corrupt. Seems like enough politicians have voted against ChatControl until now.
I always wonder what people who say stuff like "politicians discussed this topic I hate and refused it, but the mere fact that they discussed means that they must all be corrupt" understand about politics. You know that it is about people with different opinions (representing people with different opinions) discussing stuff, right?
Corruption would be if it passed despite it being unpopular, because some corporate or rich peoples interests desired it.
The EU parliament shot down ChatControl.
In fact, without the EU, most likely many member states would have ChatControl in some shape. National governments are the ones all in on this crap.
1) Don't participate (and accept the consequences)
2) Participate (and accept potential disappointment/failure, with the benefit of having tried)
If you view 2) as fruitless unless your desired outcome is likely, you miss the potential value in the pursuit itself: working with like-minded people, building community, developing new skills, taking agency in your own life, and whatever else might come up along the way.
I don't begrudge anyone for choosing 1) (as long as they own their decision and don't force it on others), but 2) still seems like the aspirational choice I'd want to make if I could.
Stop re-electing people.
Stop sitting at home projecting apathy and ennui in between WOW raids and rounds of LoL.
Mountains of evidence from history shows public has to stand up for itself, not lick boot.
Refuse to give the politicians and owner class assurances they too refuse to provide.
Most of them are old af and have no survival skills. They're reliant on the latest social memes, stock valuations not religious allegory, that are not immutable constants of physics.
Boomers looted the pension system of the prior generation to fund Wall Street. Take their money. It's American tradition.
Remind them physics is ageist and neither physics and American society afford no assurances anyone has food and healthcare.
Apple (under Jobs) sold themselves as counter-culture, they used popstars (unironically), and design, to sell the idea that if you were your own person, or followed fashion, then you bought Apple.
I think the goodwill from those days still provides the foundations of their cultural position now. Although they chip away at those foundations.
OpenAI looked like it could follow Google's early model, until it didn't.
Is that really so? Does the average iPhone user actually factor the app store tax into their decision to purchase the device? Or do they just assume that is just how all software works because they have no exposure to software ecosystems outside the iPhone app store
As I'm the IT tech support for some family members, I certainly do. A lot less drama and garbage when using Apple products (generally speaking).
I've sysadmined Linux for a living for many moons now, and used to run Linux and then FreeBSD at home, and I switched to Apple for personal stuff during the PowerPC and early Mac OS 10.x timeframe because I did enough fiddling with tech at work and minimized it at home.
I used Linux desktops at work in the pre-COVID era when we still had offices and such. I now use a Apple laptop as I can get Unix-y tools to admin: I spend >80% of my time in Terminal (the rest in Safari and Mail).
I'm not saying it's not a problem, but I am saying it's not a problem that has caused any problems with any Android user I've ever met.
This is the narrative for us in developed nations, but the majority of users today are people who were in developing countries and got a mid-tier smartphone to chat with friends and do banking with the same values as Apple users.
You aren't banned. You just have to use a secure device. It's like saying that a store banned you because they stopped taking checks and started requiring a credit card since they are more secure and harder to commit fraud with. As a person you didn't lose any freedom. Freedom does not mean someone has to be able to force their will on another person. That sounds like the opposite of freedom to me.
>What makes you think they will give us this magical hypervisor capability?
It's not magical. Look at Windows WSL2 which already works like that.
I don’t believe intrusive anti-cheating is required for online gaming to flourish. But even if it was, I would give up Elite Dangerous, for which I have bough a VR setup and build my cockpit, before I give up full control over my PC.
The latter is absolutely a thing where customers can (and should IMO) push back hard.
No, they are not. You have people reliant on this software infrastructure for very basic aspects of their life such using their own money to buying whatever they feel like buying, and you have people being deprived of their rights because operators of said infrastructure actively prevent and deny their rights to do so. This has nothing to do with heuristics, and everything to do with granting people the power to dictate what you may or may not do with the things you own.
https://www.gnu.org/gnu/thegnuproject.html
> [...] the easiest way to develop components of GNU was to do it on a Unix system, and replace the components of that system one by one. But they raised an ethical issue: whether it was right for us to have a copy of Unix at all.
> Unix was (and is) proprietary software, and the GNU Project's philosophy said that we should not use proprietary software. But, applying the same reasoning that leads to the conclusion that violence in self defense is justified, I concluded that it was legitimate to use a proprietary package when that was crucial for developing a free replacement that would help others stop using the proprietary package.
> But, even if this was a justifiable evil, it was still an evil. Today we no longer have any copies of Unix, because we have replaced them with free operating systems. If we could not replace a machine's operating system with a free one, we replaced the machine instead.
Still leave open the the question of RMS personally using SunOS (as opposed to some other proprietary unix) but I think at this point I'd just go dig up very old GNU sources for evidence of that, but I suspect your question was primarily about RMS' ethical reasoning which is well answered above.
Although it seems to me that the comparison is somewhat fragile : it was not possible to develop GNU anywhere else, whereas we could completely build local models from scratch nowadays, unless I'm mistaken.
One observation is that the LLM is a next token predictor but if you train it on the internet/textbooks/etc you get a predictor of that--- but that isn't the behavior we actually want. None of these sources tend to contain "Solve this problem for me. OK, here is the solution:".
It wasn't physically impossible to start GNU the other way around, by bashing machine code into a system until you had a working operating system. But doing so would have been a lot less reasonable-- much more expensive, making progress much less quickly, etc.
A technology squarely and 100% percent intended to give people other than the end user the ability to sleep soundly at night knowing those dastardly end users can't muck with their software (the non-end user) on their (the end user's) devices is only a tool for the authoritarian minded. Sorry mate, but if you're sitting here thinking it's useful and neutral, you are part of the problem, because you're eyes-wide-shutting the fact the only people gaining from the technology are those that already have a terrible trustworthy-ness record in terms of not abusing the sovereignty of another person's machine.
Show me an industry that ships source code, and manuals with all software that runs on the device, along with hardware manuals and the manuals to write your own drivers and doesn't use hardware primitives to enforce their business models over you, then we can talk about an industry where "trusted computing" might be neutral to the end user. History has not seen this relationship bore out, however.
The "Trust" in "Trusted Computing" has only ever been realistically unidirectional in terms of favoring entrenched industry players. As a rule of thumb, if the primary benefactors of a feature are over 90% legal fictions; your feature ain't neutral. It's hostile to humanity. Period.
Here you go: https://puri.sm/products/librem-5
(And indeed, their Pureboot with Heads and a hardware key allow to restrict which OS can be booted on laptops, while not restricting the user.)
That the laziest of us don't mind and the worst of us want something is not a respectable argument for anything, ever.
We can have a discussion about FaceID specifically, but “convenience” is not considered trivial within the security sphere.
Second, I work for a (very large) bank, and you actually do not want to trust them with your biometric data directly. You can be absolutely assured of the privacy of your biometric data with the bank, better than with a Silicon Valley tech company. But I would not trust the bank’s data scientists to come up with a model that will not have an extremely high rate of false positives and negatives.
The reality is, if such an initiative was started at a bank, it would be shuttered after years of delays.
It's not about what people believe, but what they are willing to publicly push back against. If such a law was proposed today, I bet it would pass because the only discussions around it would be whether the data can be kept safe and what punishments to dole out if the car owner access this data. Arguments about privacy will be waved away or dismissed without debate.
In fact, let's make a pointless bet: I bet my imaginary internet reputation that the US or EU will pass a law within the next 10 years that requires the continuous recording and collection of data that not only includes GPS, but also face and audio data whenever a car is in motion. This law will impose severe punishments on any owner that accesses this data or deletes it.
I desperately fear for my family and want things to improve, but we are going to lose this battle.
My logical assumption is that all terrorists and pedophiles will concentrate in the areas where they have legal exceptions from being monitored by multiple different parties at any given time. Legislators and the like. To play one of their cards, why would people who love to say "innocent people have nothing to hide" have something to hide?
Kier Starmer wants to protect children? He put Mandelson into government even though he was mates with Epstein. Doesn't sound like someone who cares about protecting children to me.
Rinse and repeat for any politician or political side, they are all only a step or two away from someone who's done something horrible to children. It doesn't matter to me whether I really think it's true or not (though in the example I've used, that is my opinion, who employs someone like that and really cares about children?) but *it does not matter*. This is an us versus them situation, and they are making proponents of freedom out to be criminals at best, paedos at worst. They can take some of their own medicine, and anyone who parrots their line. If ad hominem is the name of the game then let's play, I'm on firmer ground than they are.
Not true, some aren't. Namely the tiny minority who pushes against this sort of stuff.
I understand there’s some stupid compliance thing that makes banks do this, but it clearly isn’t a hard requirement, as there’s still plenty of banks that don’t participate in this security theatre.
Graphene OS says they are secure, but the definition of secure they're using isn't the same one the service providers are using, so that doesn't help much.
The best route forward here is to push for a separation of certification types. Ideally it would be possible to pass the security related aspects of Google's CTS test suite and get approved by Play Integrity without triggering the other parts of Android certification.
No, you have to use government backdoored device. I.e. the most secure android rom (at least the only rom we know is not penetrable by state-sponsored celebrite based malware) is not covered by google's play protect, while bunch of outdated CVEd phones are.
Same will go with many hardened Linux machines, QubesOS, Whonix stations, you name it. I'd argue they are far more secure than any average windows/macos installation.
Hardware attestation has nothing to do with security, it's censorship.
OK, then let's see you argue it.
Most of the people who claim Linux is more secure have simplistic one-sentence arguments (e.g., "Linux is open-source, and many eyeballs make bugs shallow including bugs that are security holes") whereas those who say that MacOS and ChromeOS are more secure go into great technical detail as to why they think that.
Secure as defined by a duo of monopolists. It's a contractual concept and doesn't have a firm relation to security-related characteristics. I'd trust GrapheneOS to be as secure as anything Google is capable of releasing, but that doesn't help them if Google refuses to vouch for a device running their OS. Which is also why your check/credit card analogy falls flat.
That's not what the parent was saying. Most people don't have any opinion whatsoever on sideloading. You can go confirm this for yourself by asking a Mac or PC owner how scary it is. Most of them will respond that they genuinely never thought about it, not that they're afraid to consider it. To these people, it's a normal feature of their device that you could never remove.
The parent is lamenting that people don't care about this technology - Client Side Scanning, hardware attestation, Push notification surveillance - all of it is enabled not because of fear, but apathy.
> And they shouldn't have to. Yet they live in a world where they do.
This is fearmongering logic that doesn't really defend the App Store. Putting your faith in a centralized software auditor also requires you to pay attention and stay abreast of scams. It's just a different exploit chain to deliver the same payloads: https://blog.lastpass.com/posts/warning-fraudulent-app-imper...
I suspect that the GP is, as you write, lamenting the lack of attention to the topic.
> This is fearmongering logic that doesn't really defend the App Store
I agree it doesn't defend the app store. It wasn't about the app store at all. It is about the social problem of the persistent existence of people who choose to purposely do others harm. The problem for most people isn't the app store but those who attempt to get exploits and quasi-exploits into the app stores.
I also agree that you still have to be cautious when using the app stores. Are you claiming that the app store controls do nothing to reduce the presence of malicious apps in their stores? The article you link starts by noting that the app was removed the day after that post was made. That is exactly why people feel more comfortable using the app store.
LastPass has been downloaded in excess of 50 million times in the past 10 years. As many as 10,000 users could have installed the app and turned over their credentials to the trojan version in a 24 hour period. If your manual review takes a day to respond, it's already too late at Apple's scale.
> That is exactly why people feel more comfortable using the app store.
Then why does the App Store represent the minority of software sales on platforms like macOS, where users are given free reign to download whatever they want? It seems like users are overwhelmingly uncomfortable sticking to the App Store, if you take their actions and spending into account.
Apathy seems to be the best explainer here. Users don't care about security at all, they are just consuming whatever is put in front of them. That's why social engineering like LastPass works, and it's why you see people ignore systemic backdoor efforts like Client Side Scanning and Push notifications. They might be afraid of getting hacked, but it's plainly clear that none of them care enough to make a change in their lifestyle.
They're for sure impressive but I don't see how anyone can push them as "open" when they are literally binary blobs. Worse, because it's not practical for anyone to actually train LLMs that can even come close to competing with the ones corporations are pumping out.
Local ai is not ready, and if you think it is, prove me wrong with a detailed guide running commodity hardware with complete setup steps that can use a decently sized model.
I spent 2 weeks trying to get anything running - 8gb RX550XT, 12gb ram, 8core cpu. I even tried turboquant to lower memory utilization and still couldnt even get a 3B or 4B model loaded, and anything lower wont suit my needs (3/4B are even pushing it).
Oh but that is far incomplete a specification. What security purposes? Who are we protecting, from whom? On whose behalf does the OS isolates applications from each other? If it’s on mine, then you bet I absolutely want the ability to lift that isolation in specific cases. It’s my computer, I decide when and how the rules are broken.
But the moment I have that (a computer and OS that really work for me), I lose the ability to prove that I don’t. If I play an online game, being in control means the game company is not, and I can’t prove to them I’m not cheating.
I’m not aware of any third alternative.
>I absolutely want the ability to lift that isolation in specific cases.
There is no need for this. Allowing end users to turn off security features is not a good idea. Users should not have to think about such things.
>I decide when and how the rules are broken.
Most users do not want this ability. They just want a computer that works and is safe to use. They don't want to dictate how exactly it was written. That is the manufacturers job.
I’m getting a strong sense that you don’t know what you’re talking about. "Everyone" for instance doesn’t include the app vendor. You want to allow updates, right?
> Most users do not want this ability
Again with the ambiguous wording. What do you mean exactly? That >50% of users don’t care about having this ability, or that >50% of users explicitly reject this ability?
In my experience, most users think they don’t care, until they need to run an app that’s not on the main app store. Easy example: skip YouTube ads. On Android, you jumps a few hoops, install Newpipe or Tubular, and voilà, no more ads. But I’ve met several iPhone users who wanted the same, and were quite dejected when they realised they couldn’t have it.
Of course, the idea that most users explicitly reject the ability to bypass security measures is utterly ridiculous.
> Allowing end users to turn off security features is not a good idea.
Not that I’m not talking about flipping a switch that would end all process isolation. I’m talking giving permission to one app to mess with one other app. Secure by default with fine grained permissions, not "please revert to Windows 98 with zero memory protection".
> Users should not have to think about such things.
They have to anyway. Where their credentials are, what if they break their computer, lose their phone, their data gets leaked…
So optional that everything that can require it will require it. Games want it because cheating. Streaming services want it because piracy. Banks want it because fraud. Web sites want it because advertising. Governments want it because encryption and anonymity.
> Services have no obligation to check attestation or use it as a hard signal to block people.
They will do so of their own free will.
> All previously existing freedom is still possible on your computer.
You're "free" on your paperweight of a computer that can't do anything useful because it can't interface with the rest of society. Maybe one day even ISPs will reject clients that can't pass attestation. Can't even join the internet if you "tampered" with your machine. Such is life in the land of the free.
These are true. They also don't have much to do with what I replied to, which was about "the propaganda efforts driving a large amount of far right nationalists into violent uprising."
You're simply misinformed if you believe that Russia-originated propaganda has played a bigger role in the rise of right-wing extremism in Europe over the last 10 years than Rupert Murdoch (and yes, I'm aware News Corp's assets are all in English), the Anglo manosphere including the likes of Andrew Tate, and Meta, Google (Youtube) and X intentionally designing their algorithms for outrage/engagement at all costs.
Russia wishes it would have as much influence as the above.
They're going hand in hand, that's how fascism works, corporate interests align with government authority.
DMCA is abused every. single. time.
Like literally hundreds of thousands, every day.
The only things I’d really miss on a phone ecosystem is like, game emulation and some more esoteric network data/file management functions. These are things that are almost inherently outside the range of interests for the vast majority of people and the main reason they’re restricted is because they’re so piracy adjacent that it’s basically impossible to extricate them from association with a whole bunch of technically illegal use cases.
Little wonder then, that both the App Store proprietor AND App Store vendors would have an interest in locking those out to maintain the health of that platform as a viable place to run a business through.
That being said I won’t purchase an apple device again if this one croaks
Source:
https://www.patrick-breyer.de/wp-content/uploads/2026/05/861...
Do you have a list of other things that shouldn't be brought in front of the elected parliament?
It's also kind of weird to propose it as an asymmetry. Google's parent company spends around $4M on lobbying in the US:
https://www.opensecrets.org/federal-lobbying/clients/summary...
That's around $0.01 per capita. Your per capita contribution for individuals to out-spend Google on lobbying is two cents.
You are an HN user of some age. You might even be the family IT person. You may well be changing the experience of people in your orbit.
In contrast, my grandfather’s android phone had somehow 3 different SMS apps, all of which must have tried to remove the default app.
I doubt you think some chap living in rural India, has good data hygiene and habits.
(One argues that since you own both of them, you should simply set up the two servers yourself with a key of your own choosing, asymmetric or otherwise, and then restrict physical access to them.)
Alice runs many services and has a rather large attack surface. I don't want Alice to persist those secrets, only to have them briefly at startup (think joining tokens). Bob however has exactly one job, verify that Alice-1 to Alice-N are in a trusted configuration before granting them access to the cluster.
Very recent events in the Linux kernel prove that it isn't safe to assume "0600 root:root" is sufficient to protect secrets from a misbehaving container.
I can perhaps agree that the idea of SB can be good, but it was designed (and is used) in a bad way. Just look at how many distros do not support SB.
A TPM where the device owner can't take ownership of the root key is worse then no TPM at all.
Honestly, if the only way to secure your banking system is by locking down users' devices, there is something really bad going on at your end, security-wise. Your system should be secure even without locking down user hardware.
Once you have the attestation in place you have no guarantee who is going to get access to data like what apps are present on your device, and there will be nothing you can do to stop it.
Meanwhile, we could educate people against common scams.
How is this not just trading one smaller bad for a bigger bad? Why is this touted as an improvement?
This is a non-sensical remark because it's impossible to "prove" a counterfactual. I find stuff like this incredibly annoying - please don't say this.
When online banking was first created it was an absolute chaos zone. Everyone was accessing it from desktop machines riddled with viruses and malware. There are endless stories of being discovering their life savings had been wired to Belarus by some malware running on their machine that had grabbed their banking credentials when they logged in.
https://www.google.com/search?q=site%3Akrebsonsecurity.com+b...
https://krebsonsecurity.com/2017/07/how-a-citadel-trojan-dev...
> U.S. prosecutors say Citadel infected more than 11 million computers worldwide, causing financial losses of at least a half billion dollars.
Half a billion dollars, by a single guy with a single virus!
Different parts of the world came up with different solutions for this. The US made all ACH payments reversible and international wires difficult, but that just meant the receiver paid for fraud instead of the person whose machine was full of viruses. This was an obviously bad set of incentives and hacky panic-based fix. Banks elsewhere in the world settled on providing users with authenticator devices that looked like small calculators into which you could type transaction details after plugging in a smart card. Malware could still steal all your financial data but it couldn't initiate transactions.
Obviously, all this was a hack. What was needed was computers that were secure. Apple and the Android ecosystem eventually delivered this, and the calculator devices were retired in favour of smartphones with remote attestation. This was better in literally every way, for 100% of users. Firstly, it protects financial privacy and not just transaction initiation. Secondly, it's a lot more convenient to use a device that's always with you than a dedicated standalone single-use computer. Thirdly, adding remote attestation made no difference because that's what the calculator devices were doing anyway. Fourthly, even in the case of customers of small American banks that weren't capable enough to manage dedicated hardware rollouts, getting rid of fraud instead of pushing liability around allows for lower prices and fewer headaches.
So remote attestation is a non-negotiable requirement for digital banking of any form. When Microsoft didn't deliver most banks preferred to literally manufacture and sell their customers single-use smartcards that remotely attested by you manually copying numbers back and forth between screens. Or they hid the cost of rampant fraud in the price of other services until such a time that Apple/Google saved them.
The price the owner pays for this is that they're locked out of their own expensive general-purpose computing device while still having to bear all the inconveniences (babysit OS updates, configure stuff, keep it charged, have the battery fail, buy a new device every five years, etc.)
In the meantime, the standalone chip-and-TAN device costs 30 bucks, is powered by three AAA batteries that hold their charge for five years, lives for 20 years, and never needs a single software update.
I'd choose the small single-purpose device over the enshittified, locked-down smartphone every single time.
Not 100%. A robber can force people to activate facial recognition or finger print sensors. Forcing someone to type a pin code is harder but doable. If one doesn't bring the authenticator & bank card they cant initiate transactions.
What I'm claiming is that banks have the freedom of offering their customers 2FA other than smartphone apps.
> Do you even have a phone that does not support hardware attestation or is all this posturing about something hypothetical?
All the phones I own, including my daily driver, run some flavor of Debian. None of them support hardware attestation.
I'm in Europe, bound by PSD2, and own a couple of cheap, certified chip-and-TAN devices so I can do banking.
I don't think that's even true, unless you're using "trust" as a synonym for centralization.
Suppose you had actual competing app stores. Google doesn't control which ones you use; you can use Google Play or F-Droid or Amazon or all three at once and anyone can make a new one. You could get Android apps through Apple's store and vice versa. And then you choose who you trust; maybe you only trust F-Droid and Apple and you think Google and Amazon stink. Maybe you install 90% of your apps through F-Droid but are willing to install your bank app on GrapheneOS from Google Play because you trust your bank and you also trust Google enough to at least verify that the bank app is actually from your bank.
This is the thing that doesn't help the incumbents, right? The bank and the customer both trust Google to distribute the bank app but Google isn't allowed to prevent the user from trusting F-Droid for other apps as a condition for getting the bank app from Google Play. You can have trust without centralization.
Consider how Linux distributions work. Every distribution is distributing variants on the same kernel and utilities, but there are hundreds of distributions and dozens of popular ones each with their own repositories. You can choose whichever you like, and make a different choice than someone else.
Coming in at #31 on DistroWatch is a lightweight distribution called Alpine Linux. It's popular on things like firewalls and VoIP servers but is rarely recommended to ordinary users because that isn't its niche. It doesn't matter that most people haven't heard of it because the people relevant to it have. It's fine for things to have a niche, and the people in that niche are the only ones who need to be familiar with it.
Meanwhile around half of Linux users use Debian derivatives. Debian and Ubuntu are very similar, but their repositories are maintained by different organizations, so even when choosing between two things that are nearly the same, you have different options.
And the distribution is not the only place to get software. Maybe you like a stable distribution in general but you want the bleeding edge drivers for your GPU. You can add the repository for the hardware vendor and still get everything else from the distribution. The vendor doesn't even need to maintain their own full distribution to have enough of a reputation for people to make an informed choice about where they want to get their drivers.
> Building broad trust requires scale on some dimension.
The flaw is in assuming that broad trust is a requirement. Narrow trust is good.
https://seeingmachines.com/understanding-driver-drowsiness-a...
Since July 2022, Driver Drowsiness and Attention Warning (DDAW) systems have been required in all new vehicle types within the European Union (EU). They will be mandatory for all newly registered vehicles from July 2024.
I'd agree if you wrote that most users don't understand security at all, that users aren't really given the tools they need to maintain security, or that exploits are designed to target people's vulnerabilities. You seem to be blaming the victims of motivated (sometimes) advanced actors. Even serious engineers have been phished for NPM publishing access.
Do you have an example? And was this a binding or non-binding vote?
Here is the full story:
(Source: https://archive.ph/Kiyn9)
> The commission rejected the plan to rezone the farmland [that would allow the data center to be built]. The township board followed suit, voting 4–1 to deny it. But locals quickly discovered that amid the frenzied AI infrastructure gold rush, “no” does not always mean no.
> Two days later, on Sept. 12, Saline Township was sued by Related Digital and the site’s landowners. Their lawsuit alleged “exclusionary zoning”—that the community had unreasonably barred a legitimate land use under Michigan law, and it hinged on the fact that Saline Township had no land zoned for industrial use, and that a data center qualified as a “necessary” use that could not be excluded altogether.
> The lawsuit underscored the township’s limited leverage. Even if officials had fought it, their lawyers advised them, the project could likely have moved forward via other avenues, such as partnering with an institution like the nearby University of Michigan, which can build projects that are not subject to local zoning in the same way as private developments. Meanwhile, a prolonged legal battle against well-resourced developers risked significant costs for the township, without securing concessions.
> Lucas, the town’s attorney, says the township board had little choice and did its best to be transparent. It was “between a rock and a hard place,” he said. “I’m not sure there were any good solutions.” Within weeks, the township had settled: It signed a court-approved agreement allowing the project to proceed, and construction began soon after.
> In exchange, the township secured roughly $14 million in community benefits—a relatively small sum in the context of a multibillion-dollar project, but more than 10 times its roughly $1 million annual budget. It includes funding for farmland preservation, local projects, and fire departments; along with a series of environmental and operational limits: restrictions on water use, noise caps, preserved agricultural land, and limits on expansion.
> David Landry, the attorney who represented Saline Township in the Related Digital lawsuit, told Fortune that he stands by his recommendation that the board settle with the developer. “The zoning power of any municipality—a township, a city, a village—is not absolute,” he explained. “In this case, exclusionary zoning was substantive—the municipality has to have a reason to say no. They just can’t say, ‘We don’t want it.’”
> Sarah Mills, a professor at the University of Michigan who studies land use planning, agreed that the town had few good options once the lawsuit was filed. “States determine how much authority local governments have in zoning, and those systems vary widely,” she said. “What local governments can do through zoning is highly controlled and regulated by the state.” Local governments are also often strapped for cash, making it difficult to defend against zoning challenges, she added.
> Marion, the township clerk and sole board member who voted in favor of the proposal, said this reality was on her mind when she voted yes. It wasn’t because she favored a data center, she said, but because she did not believe the town could win in a showdown with Related Digital. “They were doing studies,” she said. “They were pulling permits.” Township attorneys and consultants had warned that a denial could trigger a lawsuit—an outcome Marion said felt intimidating. “Everything was drafted and filed with the county within two days of the meeting,” she said of the lawsuit. “They had this all prepared.”
> If the township had continued to fight and lost the lawsuit, Marion said, homeowners could have been on the hook for tens of thousands of dollars in tax assessments to pay for the legal battle. “The insurance company was only going to pay for an attorney to defend us up to so much money if we decided to fight it,” she said.
Suggesting politicians are corrupt without any evidence will make that worse. If people think their politicians are corrupt they will further disengage with the political process, which will ensure there's even less pressure on politicians to take action on niche issues like this.
The EU Commission also gave a foreign tech company called Thorn (they pretend to be a charity), special access to government officials: https://netzpolitik.org/2022/dude-wheres-my-privacy-how-a-ho...
I think both of those cases would be examples of lobbying and corruption.
It's little coincidence that national governments want Chat Control (laundering that through EU), and the EU parliament is the entity that shots it down (coincidentally the entity that is most beholden to the public).
It would be nice to learn which comissioners are lobbying for it.
What I'm saying is that if there's no evidence of corruption, then simply assuming corruption will harm your cause because it will make it seem like political activism is futile in the face of supposedly hidden corruption.
If you look at that person's responses to others in this thread, that is exactly what they are doing. I do hope they have proper health and safety training for moving the goalposts so much.
I think it is far more likely that it is a lack of knowledge and incompetence. I am pretty sure that the majority of Parliament members, Council members and maybe even Commission members do not even know that there are viable alternatives outside Google (certified) Android and iOS. So they try to regulate their app stores, etc. instead.
I hope that with digital sovereignty becoming more important, there will be more interer in alternative mobile operating systems.
Too many people see something they don't like, imply a nefarious motivation without evidence, then expect everyone to agree that it is corruption.
If there is corruption, show the evidence. Otherwise, be honest and state that you don't agree with something. If you want to persuade people, back up your claims with verifiable evidence without falling back to nebulous claims of corruption.
Diplomatic status tax free too.
If it's Apple or Google let us know in the US because we have laws to go after them for acting corruptly in other countries.
Vaguely asserting corruption without specifics or even naming the perpetrators isn't "taboo", it's just poor form and silly. Letting such vague accusations float without evidence, motive, or even people to blame, leads to nothing good, and only vague distrust, which itself enables corruption. It leads to people believing there's no way to know the truth, therefore helplessness, and results in fascism like in Russia.
Lazy cynicism is itself a form of corruption of one's own mind.
I love this way of thinking. I might use this quote down the road
That's my business, not theirs. If my password gets stolen, that's my problem, not my bank's. Same deal if my passkey gets stolen. They're welcome to try to educate me on good security hygiene if they want, but what hardware I use to secure my credentials is not something they should get to decide.
For more specific mitigations, they could issue shorter-living tokens to such devices, in case it gets stolen and it didn’t store the token properly (say, the user did something stupid like “hey I’ll substitute secure enclave with a shim that writes secrets to an SD card”). And they could limit certain critical functions that do require attestation for some reason (e.g. Host Card Emulation, aka “tap your phone to pay”, which they usually delegate to Google Wallet/Pay/Wallet anyway).
Wise seems to do it correctly. It works on rooted phones, even, just gives a scary warning and blocks some app functions. They also have a fully functional webapp, so you mostly don’t need the app anyway. Revolut, on the other hand, has outright blocked me from my account – so I’m not using it anymore.
"Securely signed/verified devices for accessing your bank" or "increased surveillance and tracking of criminals" sound like splendid ideas and direct solutions to immediate problems. Now, how to actually implement them and how it will affect society in the long run might seem less important when you've got increasing crime rates, a slowing economy, displeased voters or whatever looming. In short, some dilemmas have very clear answers when you (willingly or through unawareness) only concern yourself with a subset of the effects of a decision, and this goes both for politicians and special interest groups. That being said, I'm very pro-privacy and it's the job of policymakers to know the details of what they're deciding on. Reality is however usually very complex and nuanced with several things being true because they all contribute a part to what's going on.
e: what am I doing, speaking like I actually know how things work? Nothing is absolute and nuance is important, but sometimes it is also very useful to simplify and generalise to get things done. If no one had any conviction, not much would ever happen. But moderation in all things.
Well, of course not! They're corrupted by the other companies who benefit from the DSA and DMA.
I agree with that. Reading HN comments, where people are supposed to be generally tech-savvy, I see a ton of "lack of knowledge and incompetence" (not in a negative way, just "uninformed"). Why should politicians know better than the average tech-savvy person?
But politicians get yelled at by everybody, saying everything and its contrary, while the tech-savvy people can comfortably take a condescending tone explain why "being so stupid is impossible so it has to be corruption".
Many people aren’t like us. Give them freedom to chose their password without mandating 2FA, and some will lose money to a password database leak & offline guessing. The policy maker knows this, at which point they have a choice: stricter annoying rules with fewer victims, or looser rules with more victims?
Yes, we can mitigate much of this with education, as can we limit vendor lock-in by mandating that the bank does not require any particular device they do not themselves distribute, for free, to their users. (My bank for instance gave me a little device that has a camera, a small screen and a key pad. Upon payment I use the device to scan some QR-code, the device gives me a one-time code that I type, and done.) My point is, some kind of tradeoff remains.
Also banks kinda have to deal with fraud, which presumably costs them money. Stolen passwords mean more fraud, increased costs… that may be incentive enough to enforce stricter rules. And to be honest I’m okay with that, as long as it is accessible. Which in my case means no phone app of any kind.
Come to think of it, there is one law I would pass: for important stuff like banks, no amount of security justifies a lack of accessibility. If I don’t have a smartphone, I should still be able to do online payments. Same if I’m blind. Or both. When I hear all around me about people being utterly unable to do banking, or worse, accessing government online services, without a locked down Android or iOS phone, I’m horrified.
Yep, there's a reason freedom vs safety (or libertarianism vs authoritarianism) is an axis on many political spectrum charts. This is a very common source of tension in politics. As you can probably guess, I usually find myself on the libertarian side of such debates. Freedom is worth the price.
> Give them freedom to chose their password without mandating 2FA, and some will lose money to a password database leak & offline guessing
To be clear, I have no issue with secure defaults. There's only an issue when you start trying to make it impossible for users to compromise their own security, because accomplishing that requires you to take away their freedom to make choices, which I don't think is an acceptable thing to do to mentally sound adults.
There's plenty of competition in the banking space, so normally I'd be fine letting banks and their customers sort this out on their own. But there's not a lot of competition in the OS space, and allowing banks to limit your choice of OS exacerbates that problem.
The fix I've been floating in my head for some time now for a lot of these types of problems in the digital space is some sort of software freedom law guaranteeing users the right to modify software running on devices they own. It would fix so many issues with the software industry, including probably this one, since many common uses of hardware attestation would probably fall afoul of such a law.
Passkeys are non-phishable. That's part of their schtick. I'm not a huge passkey fan myself, but this is a real benefit.
When the passkey is protected behind an HSM (TPM, Yubikey, Tkey…), even a compromise of your main computer can’t steal it. Attackers can still temporarily log in on your behalf, but they can’t do anything with your passkey as long as your computer is turned off. Which means you can un-pwn yourself out of this situation by reinstalling everything (but do keep your HSM!).
Overall, we have several levels of security here:
- Weak password, (potentially reused everywhere). Fished once, pwned everywhere. Not to mention password database leaks.
- Very strong unique password from your password vault (KeepassXC). Note that with automatic login, password managers may provide good phishing resistance. Manual copy pasta is still vulnerable, but at least you only compromise that one account.
- Passkey stored in your password database. Phishing proof as you say, but falls to a keylogger.
- Passkey sorted in a hardware security module. Can’t be stolen ever, save for a vulnerability in the HSM itself, or, if you haven’t set up a password for your HSM, theft.
Clearly that last option is the most secure. Clearly it would be nice if everyone could do that, though we do need a way to recover from the loss or destruction of the HSM (which in the case of the TPM may mean something as mundane as changing your graphics card). Yet often, other ways are more convenient.
Still, I strongly believe companies should not force people into one method or another. Okay, I could maybe tolerate passkeys being forced on me, but not the remote attestation part. Let me manage my own security, with my own tools (preferably open source), thank you very much. There is one use case for which I may approve of remote attestation: work accounts. Because at this point it’s not about the safety of the customer, it’s about the safety of the company itself. It makes sense then that the company (or government agency) impose whatever stringent restrictions on how to access their network. They do have to provide any required tool (company laptop, company palmtop, company dongle…), same way many companies are required to provide individual safety equipment to any of their employees working in hazardous environments.
When it comes to the notion of requiring DBCs without also requiring remote attestation, how do you deal with solving the problem of virtualized credential devices, e.g. swtpm? If some application wants to leverage DBCs, it will make some DBC API call, e.g. call out to a TPM. However, without some sort of attestation scheme, there's no way to verify who/what is on the other end of that API call.
Maybe it's not important for applications to be able to require DBCs without attestation. But at first blush it seems like a valid thing to want.
With the exception of the current US administration, hostile countries and corporations try to appear non-hostile when possible.
How do you figure? Isn't just having the digital ID be signed by a key belonging to the issuer good enough for that?
But that's not what a forgery is.
Got a list of widely available cars and trucks 'without a computer'? :D
so not really useful for 3rd party ROMs
You're like the kid showing up to a test without a pencil.
It's ridiculous for you to suggest that an advanced AI model needs to run on your budget 7 year old graphics card that is already out of date for even today's gaming. My parents spent $2500 on a computer in 1995 and that was a 166Mhz Pentium 1. If they spent that money today it would be $5261. Think of what you can get for amount of money. Then you're over here trying to say a budget graphics card needs to somehow compete with the bleeding edge of computer innovation.
You do, in fact, need to spend money on appropriate gear if you expect to participate.
Spending humongous amount of money to get machine that'll felt obsolete in 2 years? I don't know.
I use a handheld card reader with a display as a 2FA for my bank transactions. It shows me the transaction and, after I confirm, sends a TAN to the bank. It is not a general-purpose device but a certified, tamper-evident/-resistant black box that does just that one thing.
> Meanwhile, we could educate people against common scams.
There's a million ways you can get scammed, no matter how many hours of training you've had.
It’s definitely something I would want, but as you hinted at yourself, if there’s no remote attestation, the user can just use a software TPM. So, a company using passkeys has two choices:
- Enforce DBC with remote attestation. This raises the security floor, but enforces device vendor lock-in, and prevent users from selecting unapproved, but potentially even more secure, devices.
- Do not enforce DBC. This lets users use less secure virtualised devices, but there’s no vendor lock-in, and those who want may use the latest most secure device ever.
Which alternative is appropriate is now a social & political problem. My opinion is that for general computers released to the general public, remote attestation is never legitimate. Even with the best of intentions it is fundamentally uncompetitive, and they make it way too easy to go full Evil Corp. Specialised appliances and employees however are different stories.
---
Anecdotally, I have worked on TPM provisioning a couple years back, and I had to warn my hierarchy that doing it the way they specified, the TPM could be impersonated: we checked the signature of the certificate, but failed to compare the certificate root with the manufacturer’s keys. My boss didn’t believe me, until I showed the production code happily provisioned a software TPM, without detecting the impersonation. (Actually, he didn’t believe me even then, I had to go over him to the security specialist.)
This was totally a case of remote attestation. But I believe this particular case was legitimate, because it was a specialised appliance (electric car charging station), that was meant to process payments, similar to a gas station terminal.
$600K+ went to kickbacks, er… “lobbying”, and thorn was hit with some pretty nasty scandals involving sex crimes.
Broad trust is required in lots of situations. Hardware attestation, financial clearing networks, or even physical supply chains. Ie, you have multiple independent parties who need mutual, verifiable trust to operate. Establishing that requires transaction costs like audits, SLAs, legal liability, and cryptographic integration. The economics don't work for 30 different players to cross-verify each other. So, we have oligopolies...
Regardless of which distribution you use, the distribution itself controls code that runs as root on your machine, and the users are by and large not reading all of the code themselves. It works entirely by reputation. If you ship trash, most people aren't looking, but if even one person is, they point it out to everyone else and then no one trusts you anymore. This works perfectly fine with 30+ distributors.
> Hardware attestation, financial clearing networks, or even physical supply chains. Ie, you have multiple independent parties who need mutual, verifiable trust to operate.
There are large numbers of financial clearing networks. The reason Visa and Mastercard are an effective duopoly for credit cards isn't the trust issue, it's the network effect. A lot of people have a Visa, so merchants want to accept Visa, and then customers want the card which is accepted at many merchants. It's essentially regulatory capture that they're allowed to get away with this, i.e. that the networks are allowed to force you to use their card in order to use their protocol. The way this should work is closer to how checks work, i.e. Alice tells her bank that she wants to transfer money to Bob, Bob's bank routing number is on the check and the banks just talk to each other using a standard protocol to work out how much money to transfer from one bank to the other on net, with no for-profit middle man taking a cut.
Supply chains are a pretty weird example to pick because they're actually a huge counter-example. When Walmart wants to stock some USB cables or camping stoves they're going to vet the supplier so they don't get sued for selling a fire hazard but there are still dozens or hundreds of suppliers, because they have to vet the ones they use, but they don't have to be the same ones Amazon or Target or Costco uses and frequently aren't.
Hardware attestation is a dumpster fire. It keeps getting pushed because it's excellent at monopolizing a market but anyone actually trying to rely on it has had nothing but a series of swift kicks between the legs. People should stop even attempting it. It should simply be banned.
> Establishing that requires transaction costs like audits, SLAs, legal liability, and cryptographic integration.
Most of that stuff scales really well to large numbers of entities. The entire point of things like SLAs and legal liability is that they operate by preventing you from needing to enforce them. No company wants to get sued so they meet the SLA and satisfy the contract in order to minimize their legal costs, which is what allows you to contract with smaller companies as long as they're not so small you're concerned they'll go out of business, and the threshold for that is far smaller than any of these oligopolists.
> The economics don't work for 30 different players to cross-verify each other.
Which is why it's not supposed to be fully meshed. You don't need everyone to verify everyone, you only need the pairings that actually exist. If there are 1000 companies that make shoes and Walmart contracts with 10 of them then they need to verify 10 rather than 1000. Meanwhile the 1000 shoe companies each only have to contract with a dozen retailers, they're just not the same dozen retailers for every manufacturer.
Checks are riddled with fraud and traditional bank-to-bank protocols(like ACH here) are notoriously slow and difficult to navigate for disputes. Visa and Mastercard aren't just selling a network effect, it's instantaneous clearing guarantees, active fraud prevention, and dispute resolution. The "cut" merchants pay funds the risk management layer that standard routing protocols don't provide. Even new systems like Brazil's PIX or the US's FedNow require a centralized state authority to mandate the clearing rules and manage the trust boundary.
Walmart can afford to vet lots of suppliers. A mom-and-pop shop cannot, so they buy from a massive centralized distributor who aggregates that trust for them. Supply chains have distributors all over the place, and they are concentrated in almost all cases.
I generally lean towards that too, including for this issue. But we do need to own up to it. Explicitly ask ourselves, what kind of bad consequences, and how much of them, are we willing to put up with in the name of freedom?
Also, some framings make it difficult: the second someone speaks of protecting the children, all of a sudden freedom becomes secondary. Which leaves two counters, which are logically compatible, but tend to be rhetorically exclusive: denying that this new thing will actually protect the children; and asserting that the protection it allegedly provides is not worth the loss of freedom.
The second one is a hard sell, which is why we so often revert to the first one. Take age verification: sure it won’t stop determined underage teens from seeing images of bunny girls. But it will deter some of them. And assuming images of bunny girls are bad for teen health, it means age verification does "protect the children". A little. And voilà, we’ve destroyed the argument that age verification does absolutely nothing, mass surveillance for the win!
> […] which I don't think is an acceptable thing to do to mentally sound adults.
I haven’t thought of the psychological damage over-protectiveness may cause. That’s a bloody good point.
> There's plenty of competition in the banking space,
Given how people in some countries complain that it’s difficult to find a bank that doesn’t require a locked down phone for online payments, I would argue perhaps not plenty enough. I totally agree though that for any bank to require one of two OSes is not good, and for this reason would be tempted to outlaw such requirements (thus reducing corporate freedom, but I care more about individual freedom).
> some sort of software freedom law guaranteeing users the right to modify software running on devices they own.
That is very tempting indeed. Do understand though that such a law comes very close to mandating Free Software everywhere: for this right to be effective, users need access to the source code, and be allowed to let some professional modify that code for them. Any mass produce piece of hardware would effectively have to publish the full code source of their drivers for all to see. I would absolutely love that, but NVDIA would likely lose their marbles over this.
The way I look it is that when someone uses their freedom for evil, the consequences of that are that person's fault, not the fault of freedom itself. Responding to evil done by one group of people by curtailing the freedoms of everyone, including innocents who have done nothing wrong, is fundamentally unjust. Perhaps in some extreme cases it could be justified, but I'd use a standard similar to how the US supreme court defines "strict scrutiny" when evaluating such measures.
Patrick Henry once said "Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God! I know not what course others may take; but as for me, give me liberty or give me death!"
Unfortunately yes, for some this is a hard sell. I'm not sure how to convince others of the importance of freedom if they don't already consider it to be important, to me it's an almost fundamental belief that I hold.
>> […] which I don't think is an acceptable thing to do to mentally sound adults.
> I haven’t thought of the psychological damage over-protectiveness may cause
My point was more that taking away a person's freedom for their own protection is the kind of thing you do when they're either children or mentally unsound. Outside of those cases I don't think it's acceptable.
> it’s difficult to find a bank that doesn’t require a locked down phone for online payments
Some of this may be due to regulations making banks partially responsible for things they shouldn't be responsible for (like the customer's phone getting hacked). Responsibility and control go hand in hand. But mostly I think it's just due to lack of demand, which would be solved if running modded OSs were more common.
> Do understand though that such a law comes very close to mandating Free Software everywhere
Yes, exactly. I guess I've been radicalized by Stallman. ;) Though to be fair I do partially disagree with his definition of free software, in that I don't think software needs to be freely redistributable without payment (freedom 2) in order to be libre free.
I understand this a pretty radical proposal, and completely politically non-viable for the foreseeable future. It might even be a bad idea to do all at one even if that were possible. But I think probably there are some smaller steps that could be taken in that direction which would be beneficial even if I'm not entirely sure what those are yet.
The story perfectly exemplifies how little democratic control the public has over what corporations do in and do to their community.
> Smartphone HW attestation is better in every way
They're still prone to side-channel attacks like SPECTRE. Crypto wallets are practically immune because they're air-gapped.
[edit] I just realised that's Mike Hearn of early BTC fame. I suppose he would know what a crypto wallet is.
Sometimes I see people captured by the train station unable to check out. They usually find someone with a charger but technically the formula is to fine them for not having a ticket. Then one might still need to buy a ticket to continue the journey. (bring cash)
Phones are usually empty when things [already] aren't going as planned.
Unfortunately for me though, the turnstile that I was about to pass to exit the train station had both an optical scanner and some NFC thing lumped into the same physical module, and every time I tried to scan my ticket, the phone would raise its NFC screen and hide the 2D matrix code.
So yes, you can have a fully charged phone and a perfectly valid ticket with the latest software and still get stuck in a train station.
In a functioning democracy, politicians represent the people. Meaning that some politicians will be on one end of the spectrum, and some will be on the other. If there are no politicians you disagree with, then probably you are not living in a functioning democracy.
> despite strong pushback
That is my point: look at the pushback! It's many people with very different opinions saying everything and its contrary, with a lot of technically incorrect takes.
Do you realise that when you say "they must be corrupt, because they don't share my opinion, and my opinion is absolutely the best", and you are not the only one saying that, then either everybody saying it should share your opinion or at least some of you are wrong, right?
Everybody wants to believe that they are right and everybody else is wrong, and therefore everybody else is either stupid or corrupt. I want to believe that sometimes, the world is actually nuanced, and people may have different opinions. I may have a strong opinion (and knowledge) about hardware attestation, but it doesn't mean that every politician does and hence has to be corrupt in order to not agree with me.
That's a distraction from the point that I actually made. One can try to paint politicians as saints all they want, and it still won't change the fact that the entire population is digitally surveilled 24/7 and what we do on our own computing devices are increasingly decided for us rather than by us. This flies in the face of liberal democratic values, and not okay. Some things simply aren't up for debate.
> Do you realise that when you say "they must be corrupt, because they don't share my opinion, and my opinion is absolutely the best", and you are not the only one saying that, then either everybody saying it should share your opinion or at least some of you are wrong, right?
In short, you're accusing of me of criticism. It's boilerplate fallacious logic that makes any criticism against anything sound illegitimate.
I agree that we are, I disagree that we are because all politicians are corrupt. Surveillance capitalism is the result of the private companies that built it, who could because they became so big, because of the lack of antitrust and stuff like the DCMA (and the equivalent that the US forced every other country to adopt).
Did all politicians collude in order to get there? I don't think so. The fact is that many people thought it was great to have powerful US companies taking over the world.
> It's boilerplate fallacious logic that makes any criticism against anything sound illegitimate.
I don't think so. You are saying "they must be corrupt, otherwise they would agree with me". I say that it sometimes happens, in all good faith, that other people don't agree with you. They may have different opinions, or they may be uninformed, incompetent, or simply wrong. There are many, many reasons to disagree that are not corruption.
You gave Snowden as an example: most politicians were not aware of what the NSA was doing. I think only the President (and maybe someone else) did, outside of the NSA.
People who say "the politicians want X" don't understand how politics works. Especially in the EU, where they are elected by the people of 27 very different countries.
The President, within this context, identifies a single entity. As such, it is a proper noun.
Analogy: there are many continents. But if we're discussing Brexit, the Continent is a proper noun. I don't think it's incorrect to not capitalise. But it's certainly gramatically okay, and not in the same bucket as The Nutters who capitalise Random words it Looks like Legalese.
Yeah, no. You're just making things up to suit your position like the president does.
I have an internal convention to not capitalise LLMs when talking about them as if they were people; so claude is not capitalised, and the internal LLM-based service agent we're building, rex, is not capitalised.
I realise this breaks the capitalisation of proper nouns; claude is a name and therefore a proper noun and therefore should be capitalised. But I like that there's a signal in here that the thing I'm talking about is not a person and so we don't capitalise the name (I realise that cities or companies or other things that we capitalise are also not people).
Digression, but then so was the entire discussion on capitalisation.
Countries, companies, religions; hell, planets and galaxies–none of these are sapient. Yet we capitalise them.
I'll go out into the deep end for a second with a hypothesis: I think we capitalise because it makes printed text easier to scan. The words you need to spend more time on are capitalised because they aren't ones you can just roll through. This is also why the nutter affect of capitalising random words is so distracting–it drives attention to non-standard words that are, with minimum thought, being used perfectly standardly.
Your bio contains comma splice, by the way.
According to the dictionary, corruption is "dishonest or illegal behavior especially by powerful people (such as government officials or police officers)." If this isn't corruption, I don't know what is.
https://www.merriam-webster.com/dictionary/corruption
Also,
> I disagree that we are because all politicians are corrupt.
I repeat, I never said this. There are politicians like Ron Wyden or Bernie Sanders that oppose digital surveillance and control.
It's too easy to blame "the politicians" for everything. In democracies, politicians are elected. People just have to vote. You wanted facts? The US people chose not to elect Bernie Sanders, and also chose to re-elect Trump.
Is the US people corrupt? I don't think so. They voted for what they thought would be best. Maybe they were wrong, maybe they were uninformed, maybe they were incompetent. But I wouldn't say all the voters had to be corrupt, there is no other explanation.
> politicians continue to expand its scope with laws like we're discussing here
And my point is that when we discuss such laws here, it is pretty obvious that many "tech-savvy people" have no idea about how it works and complain about the politicians not understanding either. All they know is that they are against it, and yell at it with many incorrect arguments. I find it a bit rich: politicians who are in favour of it do exactly the same thing: they don't understand how it works but they know that they are in favour, based on their limited understanding.
So those many people who are against could not inform the politicians, because they don't know themselves. What happens then? Politicians, who don't understand, are yelled at by people who disagree and mostly don't understand either. If a "good" politician tries to listen to some of those complaints, most likely they will see that the complaint is wrong, and then it would make sense for them to ignore it, wouldn't it?
...this isn't a counterargument. I can similarly assert you're justing making stuff up, which isn't untrue, either way, since we're talking about language, a wholly made-up enterprise.
What's your contention that the President, within the context of the American presidency, does not refer to a single entity? Is this a preference? Or something you actually believe is incorrect?
My additional hypothesis is that capitalisation accords respect, something along the lines of "this is a thing apart, something with a name, so we capitalise it". Not capitalising an actual human's name would seem disrespectful to me.
I still like ‘em!
2.) I'm comfortable with varied comma stylization.
3.) My personal usage of the em-dash hasn't changed in a few decades and I don't see it doing so just because a bunch of folks only just recently learned it exists.
