Hardware Attestation as Monopoly Enabler

(grapheneos.social)

2040 points | by ChuckMcM 1 day ago

68 comments

  • khriss 10 hours ago
    The superhuman efforts that folks on HN make to find technical workarounds and solutions is wonderful to see, but we must realize that this is not a technical problem. It's a social and legislative one. It can't be fought on technical grounds. The push back has to be via putting pressure on politicians by making regular people more aware.

    Right now, the vast majority of users are being bombarded with a one-sided narrative of how 'insecure' their devices are. They read almost every day about someone losing their life's savings due to 'hackers'. In this environment, they genuinely believe locking down their devices will make them more secure and prevent them from being 'hacked'.

    The powers that be make sure that the people never hear the other side. That people are giving absolute control to large corporations. In my experience, once the issue is framed as 'Google will decide what you can do with your phone' every single person is immediately outraged.

    If you want to make a meaningful contribution, however small, then make it a point to educate people about the control they are giving to large corporations like Google. It doesn't take much to convince them that Google et al don't have their best interests in mind. They already know it and have experienced it. The second thing to do is to encourage them to reach out to their member of congress via letters. It's easy enough to do, and politicians are terrified of going against voters. They rely on people's ignorance to quietly work against their constituents' interests while supporting whichever special interest happened to donate the most to their campaign fund.

    • socalgal2 10 hours ago
      > In my experience, once the issue is framed as 'Google will decide what you can do with your phone' every single person is immediately outraged.

      Apple already does this and practically no one is outraged.

      • sevenzero 10 hours ago
        Because Apple always did this, everybody knew this and people buy Apple exactly because of this.

        Google now pulls the rug on Android which is a whole different story because it used to be open. The whole idea of Android was to be open.

        • comandillos 10 hours ago
          The biggest mistake is that people trusted a company that, in reality, isn't that different from Apple. Just because everyone claimed Android as the true open source alternative to iOS, when only AOSP was that.
          • sevenzero 10 hours ago
            Yeah, agree. I reeeeally don't get why Google or Apple have a good reputation at all.
            • pbhjpbhj 6 hours ago
              Google (before the sell-off) promoted a morality in 'don't be evil' that was a stark contrast to other tech firms. The adverts they carried were minimal. Their "free" stuff was top of the line, better than people were getting from paid services.

              Apple (under Jobs) sold themselves as counter-culture, they used popstars (unironically), and design, to sell the idea that if you were your own person, or followed fashion, then you bought Apple.

              I think the goodwill from those days still provides the foundations of their cultural position now. Although they chip away at those foundations.

              OpenAI looked like it could follow Google's early model, until it didn't.

              • ThrowawayR2 5 hours ago
                The writing was on the wall for "don't be evil" when Google started the process of acquiring the much reviled DoubleClick back in 2007, nearly 20 years ago at this point. That's longer than most people reading this have been in the tech industry; a generation has never seen Google be anything other than increasingly extractive and monopolistic.
            • comandillos 8 hours ago
              They built products people like, and especially Apple has a good reputation for building reliable, long-lasting and easy to use stuff for most people, leading to heavy user adoption. But heavy user adoption without the proper regulation and company ethics leads to, well, monopolistic practices.
            • austinthetaco 4 hours ago
              I mean Apple kind of used that position for building a good reputation. Their whole thing is/was how secure their devices were and how they had human verification on all apps that went through the app store with a clear intents file (a file that describes exactly WHY an app needs permission for bluetooth/etc), and a secure enclave that prevented even the FBI from getting in (while Apple refused to give them a backdoor). Hackers and tinkerers will find a lot of these measures to be an annoyance and authoritative control, but a lot of people just want their phone to be a product, not the user.
        • jhanschoo 9 hours ago
          > Google now pulls the rug on Android which is a whole different story because it used to be open. The whole idea of Android was to be open.

          This is the narrative for us in developed nations, but the majority of users today are people who were in developing countries and got a mid-tier smartphone to chat with friends and do banking with the same values as Apple users.

        • curt15 9 hours ago
          > Because Apple always did this, everybody knew this and people buy Apple exactly because of this.

          Is that really so? Does the average iPhone user actually factor the app store tax into their decision to purchase the device? Or do they just assume that is just how all software works because they have no exposure to software ecosystems outside the iPhone app store?

          • throw0101c 9 hours ago
            > Does the average iPhone user actually factor the app store tax into their decision to purchase the device?

            As I'm the IT tech support for some family members, I certainly do. A lot less drama and garbage when using Apple products (generally speaking).

            I've sysadmined Linux for a living for many moons now, and used to run Linux and then FreeBSD at home, and I switched to Apple for personal stuff during the PowerPC and early Mac OS 10.x timeframe because I did enough fiddling with tech at work and minimized it at home.

            I used Linux desktops at work in the pre-COVID era when we still had offices and such. I now use an Apple laptop as I can get Unix-y tools to admin: I spend >80% of my time in Terminal (the rest in Safari and Mail).

          • sevenzero 9 hours ago
            They factor in a more "clean" appstore yes. Not the tax itself but they usually appreciate apple having more polished apps in general (given that the Google Playstore is full of trash).
            • Intermernet 9 hours ago
              Google play store is only full of trash if you go hunting for trash. I'd like to see the actual stats of people affected by play store malware vs malware available on the play store.

              I'm not saying it's not a problem, but I am saying it's not a problem that has caused any problems with any Android user I've ever met.

              • sevenzero 9 hours ago
                I am not talking about the malware, I am talking about the apps that are bloated with advertisements or try really hard to push a subscription upon you. Lots of "free" apps try to push you into a subscription once installed.
                • smallmancontrov 7 hours ago
                  By that measure, the Apple app store is full of trash too.
              • intended 8 hours ago
                > but I am saying it's not a problem that has caused any problems with any Android user I've ever met.

                You are an HN user of some age. You might even be the family IT person. You may well be changing the experience of people in your orbit.

                In contrast, my grandfather’s android phone had somehow 3 different SMS apps, all of which must have tried to remove the default app.

                I doubt you think some chap living in rural India has good data hygiene and habits.

        • anxoo 16 minutes ago
          this is that xkcd "regular people can only name a few common feldspars" meme. over 90% of consumers have no knowledge at all of tech corps' philosophy on user freedom, they just buy cheap phones that have good cameras and run instagram and tiktok well.
      • techteach00 7 hours ago
        I agree with this. The general population is hopeless, they will hand literally anything away for the least amount of friction. They are also profoundly ignorant.

        The solution should be to provide the tools necessary to preserve as much agency using technology to people who want to. You should also keep in mind the middle tier technical people who need a bit of hand holding. But do not waste your time on the general public because they don't share or comprehend your goals.

        • erikerikson 6 hours ago
          No, they calculate in the fact of that lack of control into their purchase decision. They mostly didn't want that control in the first place. They just want to _______, for many things you can fill in the blank, including things like look good, appear classy, get high, get laid...
          • techteach00 6 hours ago
            I respectfully disagree with "they calculate in the fact of that lack of control into their purchase decision".

            The average person is not calculating anything but price, is it what everyone else is using, is it new etc. Very low level calculations. They aren't asking "can I install applications from outside the app store?". Etc.

            • timacles 56 minutes ago
              The average person is also being constantly manipulated to believe things which are actively nefarious are actually good for them.

              I don’t know if we can blame the average person when there is an entire class of people which have almost limitless resources, knowledge and means to execute their agenda. At some point we have to accept we are fighting against an evil and powerful enemy. And that the masses are highly susceptible.

              It’s like being mad at the characters in Lord of the Rings for succumbing to the ring's powers.

            • erikerikson 5 hours ago
              Hrrm. It seems your original comment has been heavily edited.

              > They aren't asking "can I install applications from outside the app store?"

              I agree. They don't want to. They already can't begin to evaluate app trustworthiness and don't want to have to. And they shouldn't have to. Yet they live in a world where they do. So they lean on reputation, app store filtering, the legal system, and hope.

              • bigyabai 4 hours ago
                > I agree. They don't want to.

                That's not what the parent was saying. Most people don't have any opinion whatsoever on sideloading. You can go confirm this for yourself by asking a Mac or PC owner how scary it is. Most of them will respond that they genuinely never thought about it, not that they're afraid to consider it. To these people, it's a normal feature of their device that you could never remove.

                The parent is lamenting that people don't care about this technology - Client Side Scanning, hardware attestation, Push notification surveillance - all of it is enabled not because of fear, but apathy.

                > And they shouldn't have to. Yet they live in a world where they do.

                This is fearmongering logic that doesn't really defend the App Store. Putting your faith in a centralized software auditor also requires you to pay attention and stay abreast of scams. It's just a different exploit chain to deliver the same payloads: https://blog.lastpass.com/posts/warning-fraudulent-app-imper...

                • erikerikson 3 hours ago
                  I do talk to computer users and they do fear making installations. Many of them have installed something that was adware or a virus, often without meaning to and regretted the results. I have been helping my family and extended family members fix their errors for a long time. This pushes them to big names with names to spoil.

                  I suspect that the GP is, as you write, lamenting the lack of attention to the topic.

                  > This is fearmongering logic that doesn't really defend the App Store

                  I agree it doesn't defend the app store. It wasn't about the app store at all. It is about the social problem of the persistent existence of people who choose to purposely do others harm. The problem for most people isn't the app store but those who attempt to get exploits and quasi-exploits into the app stores.

                  I also agree that you still have to be cautious when using the app stores. Are you claiming that the app store controls do nothing to reduce the presence of malicious apps in their stores? The article you link starts by noting that the app was removed the day after that post was made. That is exactly why people feel more comfortable using the app store.

      • khriss 10 hours ago
        Yes, but most people don't realize it, simply because they have been conditioned from the beginning that the only way to run anything on an iOS device is via the app store.

        With Apple customers, a better argument to make is to say that Apple applies a 30% 'tax' on all activity on their phones. That they are being forced to pay more compared to non Apple users in spite of having bought their device fair and square.

        • criddell 6 hours ago
          Developers may or may not pass on the fees to customers, but as a user I'm not forced to pay anything and it definitely doesn't apply to all activity on the phone. I pay the same for Netflix as any Android user does. My cell bill wouldn't drop 30% by switching to Android. When I buy something at Amazon I'm not paying more than you.

          Also, you're overestimating the fees. Few apps or services hit the 30% threshold or stay there for long (the fee for subscriptions drops in the second year).

          The real problem IMHO is Apple taking a significant amount out of developer paychecks. Users are fine. The impact is on developers.

        • a96 7 hours ago
          Flaunting money seems to be a big selling point for many apple drones.
        • lotsofpulp 9 hours ago
          I have been using Apple devices for almost 20 years, and I have never been forced to pay a 30% tax on all activity on my phone. I can avoid it by buying directly from the seller's website, and also I just avoid buying software subscriptions in general, but especially from the App Store.

          99% of the payment activity I do on my phone (buying retail goods, travel arrangements, paying invoices) has no additional cost.

          • khriss 9 hours ago
            No? Apple charges a fee on every app sale. Where do you think the app makers pay that walled garden tax?
            • somewhatgoated 9 hours ago
              Never spent money on an app on my phone.
              • fsflover 7 hours ago
                You still suffer, because developers who don't want to pay the Apple tax on their apps simply avoid the App Store. You have no access to many good apps at all. Including FLOSS.
                • somewhatgoated 4 hours ago
                  I don’t care about apps at all, I avoid them wherever possible. Web stuff is good enough for most things.

                  That being said, I won’t purchase an Apple device again if this one croaks.

                  • fsflover 4 hours ago
                    Web apps are indeed better, unless you need access to hardware, fast computation or similar. But Apple is against web apps, so you're right to abandon them.
                • naravara 7 hours ago
                  How many users actually care about those? Convincing customers to fork over money for an app at ALL is like pulling teeth.

                  The only things I’d really miss on a phone ecosystem is like, game emulation and some more esoteric network data/file management functions. These are things that are almost inherently outside the range of interests for the vast majority of people and the main reason they’re restricted is because they’re so piracy adjacent that it’s basically impossible to extricate them from association with a whole bunch of technically illegal use cases.

                  Little wonder then, that both the App Store proprietor AND App Store vendors would have an interest in locking those out to maintain the health of that platform as a viable place to run a business through.

            • lotsofpulp 9 hours ago
              Buying apps is hardly "all activity on a phone". It's completely inconsequential to my spend since summer of 2008, when I began using Apple products. Maybe a couple hundred dollars in total app store purchases? It would make no sense for me to base a decision about devices I use day and night over that small amount of money (30% of a couple hundred dollars).
              • khriss 8 hours ago
                > It would make no sense for me to base a decision about devices I use day and night over that small amount of money (30% of a couple hundred dollars).

                Fair enough. It might not be consequential for you, but the fact remains Apple took 30% of every dollar you spent on the app store. This, after you paid a premium for Apple hardware. I'm happy the walled garden with a toll is worth it for you. All I'm saying is, others might not agree with that if they knew. Just look at the pushback against tariffs as an example.

          • Intermernet 9 hours ago
            You're correct. You've just paid it on every app store purchase, and every in app purchase. That's because Apple, despite trying, have failed to completely lock in the payment infrastructure.

            They really want to though. Maybe consider that.

            • lotsofpulp 9 hours ago
              I consider almost everyone really wants to earn more money, more easily.

              I do not see any indication that Apple wants to get involved in adjudicating payment disputes for physical goods and services. That is high cost, high liability, low margin work. They seem to be perfectly happy letting the existing banks (aka card issuers) handle that, and getting a 0.15% cut for allowing their credit cards to use Apple Pay.

              Apple has restricted themselves to being the payment infrastructure for only digital goods, and I assume that is because that is the cheaper, more scalable option.

              As a side note, in the US, the proportion of sellers willing to eat the credit card fees has gone down every year, and seemingly at an accelerating pace. I have winnowed down my credit card usage to retail goods/restaurants/travel, because almost everyone else wants payment via ACH/Debit/Zelle/other option that avoids credit card fees, so I would be surprised if Apple would ever want to enter this market, given that even the 2% credit card fee transactions are not able to compete.

      • roer 9 hours ago
        Frame it as "America will decide what you can do with your phone" and people in Europe will listen.
      • kennywinker 4 hours ago
        Apple is the classic “good king”. By and large they have used their power in ways that benefit users. Other than enriching apple, there’s been no direct or apparent harm to the end user from the walled garden. I know that is a controversial point, but harms we don’t ever know about are pretty hard to get upset about.

        But the “good” king never lasts. They’re always eventually replaced by a despot, and all the power you ceded to the “good” king falls into the hands of the bad king. Which is why ceding that power is a bad idea, and kings are a terrible system of government.

        • chermi 4 hours ago
          Please explain what makes them good? They make a better product than most, but they also charge more than most. That's just a business model.
          • kennywinker 29 minutes ago
            In this case i am using “good” to mean “not actively hostile towards users”. Yes they are more expensive, but many people are happy to pay a premium to get a premium product. Like going to a fancy restaurant and getting good food. Google’s version is like going to a less-fancy restaurant and getting less-good food but also they sell photos of you eating to TMZ.
          • raddan 3 hours ago
            For one thing, Apple has tended to focus on privacy at the expense of profit. Apple could certainly be monetizing all of their user data. Now more than ever. It's not just businesses that want your data to sell you stuff, it's the hyperscalers wanting to funnel it into AI training.

            Apple is not perfect, by any means. I recently had a conversation with a former Apple employee about how they employ differential privacy internally. This former employee was upset about Apple's interpretation of one parameter ("privacy budget"), but the fact that we're having this conversation at all is a positive. Google, despite being an early adopter of differential privacy, is on the other side of the privacy spectrum: virtually everything they provide is intended to capture what you do on- or off-line.

            I will pay a premium for Apple stuff for this, and other reasons. I do wish they were more developer-friendly, however. Enough so that every time I buy a new computer I have to run through the mental calculus of whether I'd rather fight with the cathedral or the bazaar. I recently bought a new computer and the cathedral won the last round.

        • cowpig 3 hours ago
          Their business model revolves around people choosing to pay them for products, which aligns them with customer interests on a fundamental level. They have to work within those constraints when they engage in lock-in chicanery.

          Most of the other big tech companies make their revenue from other companies paying them to leverage the influence they have over their users. So they are not constrained in the same way.

          I believe that most Googlers are pretty aligned with the principles of the HN crowd, but Google the machine is not.

      • peterm4 10 hours ago
        > It doesn't take much to convince them that Google et al don't have their best interests in mind. They already know it and have experienced it.

        I think with Apple in particular, this is the issue. Apple have largely demonstrated that they _do_ often have the users' best interests in mind (or at least at some point have had) on the basis that the users are Apple’s primary customers. Yes, Apple lock down iOS functionality but this has often been to deliver innovative features. Users don’t mind that they’re in a walled garden because they like the walled garden.

        This is where Google is a different case. Google’s interests are aligned with mass data collection rather than products people love. Most Google users have experienced how this impacts them negatively at some point, usually with the degradation of their products, and constant advert spam.

        Google is an example of a company that the mass majority assumes to be in the wrong. Apple often isn’t.

        • quietbritishjim 9 hours ago
          Most people just do not think about this as much as we do.

          We understand that, as the saying goes, if you're not paying for something then you are the product.

          But less technical people don't consider that, and don't have hordes of technical friends to convince them otherwise. They just think: they're using the product, so they're the user, right? We know that's true but it's not the same thing as customer. Most people don't have that distinction in their head.

          It's even partially true that Google does want to do things that attract and retain users, because that's a prerequisite for selling them to advertisers. In my experience, that's an upper bound on the amount of thought most non-technical people would give it.

          • pbhjpbhj 6 hours ago
            >if you're not paying for something then you are the product.

            It seems over the last decade that if you _are_ paying, you are still the product, you're just making more money for the people selling you.

      • nullc 8 hours ago
        Apple doesn't own re-captcha. Apple's walled garden is still a tragedy but it's a tragedy of willing participants.
      • locknitpicker 5 hours ago
        > Apple already does this and practically no one is outraged

        Apple ran a very successful propaganda campaign where they portray themselves as the protectors and enforcers of a secure environment where users are safe from attacks from the wild internet. See Apple's spin on blocking cookies. Therefore, users of Apple products are conditioned to believe these measures exist for their own personal benefit, unlike Google which is presumed to be motivated to abuse your trust.

    • pietrrrek 5 hours ago
      > In my experience, once the issue is framed as 'Google will decide what you can do with your phone' every single person is immediately outraged.

      I've had a lengthy debate about this (in the context of right-to-repair) with a friend of mine who's outside tech and he genuinely held (still holds?) the opinion that the manufacturer has the "right" to decide how their products are used. I'm willing to bet that this is a common viewpoint of people outside the tech sphere, they just want a device that "works", which for them is essentially just "I can use apps from the App store".

      • blmarket 2 hours ago
        Did you ask whether your friend has a car? I think it's much easier to get the point if the story comes to someone's 10 year old but still okay car.

        e.g. Without proper regulations, your maintenance can become nearly impossible.

      • chermi 4 hours ago
        I mean I agree with you. But also, it's not that unreasonable of an opinion. As long as it's coupled with optionality, which I think is the actual issue. Well the actual "issue" is that most people don't care or think that much at all about it. HN is a very special crowd.
        • taurath 3 hours ago
          For people who are just technology consumers they don’t see what could be offered, only what is. This is so frustrating when one understands how railroaded everyone is into maximizing platform ad revenue while holding the reasons people go on the platforms out as a carrot on a stick that gets further and further away. It’s 300 PHD psychologists vs someone just trying to keep up with their family.
          • chermi 3 hours ago
            It's really kind of gross. Psychologists should know best about what kind of damage the social media shit does.
      • locknitpicker 5 hours ago
        > I'm willing to bet that this is a common viewpoint of people outside the tech sphere, they just want a device that "works", which for them is essentially just "I can use apps from the App store".

        Perhaps some people were just conditioned to believe that these shackles are forced upon them for their own good, because only bad people would ever want to take them off.

        • shimman 3 hours ago
          Seriously, finding bootlickers isn't hard. The better question to ask is how many voters are bootlickers, and that typically hovers around 20-30%, so the follow-up question should be what type of platform could capture the remaining 70-80% of the electorate?

          Turns out right to repair laws are very popular with voters and small business owners. Maybe we all start to tread down that path more and figure out what sorts of regulations pressure companies into adopting open standards?

    • goda90 5 hours ago
      I just submitted a survey to my state's DMV to encourage them to ditch reCAPTCHA. I went to renew my plates and had to do almost a dozen "click the picture" screens to get through on IronFox on my GrapheneOS phone the other day. Luckily no QR code with the whole Play Integrity check, but that wouldn't have been out of the realm of possibility.
    • underdeserver 6 hours ago
      There is a tradeoff between the freedom users have on their devices on one side, and the likelihood less sophisticated users will get their information stolen or their devices pwned and used to DoS innocent websites on the other side.

      If you don't address this tradeoff you're not really engaging the issue.

      What I think we need is a professional, well-informed advocate of freedom who is willing to seriously discuss the tradeoff and concede that neither extreme is ideal.

      • khriss 6 hours ago
        > What I think we need is a professional, well-informed advocate of freedom who is willing to seriously discuss the tradeoff and concede that neither extreme is ideal.

        There is no shortage of well informed advocates of freedom. The question is, which forum should they discuss this in? There is no meaningful forum for such a debate which will have any real effect on policy and that's by design.

        The only place that can both debate and effect policy changes is the legislature, and politicians will never take the people's side against corporations on an issue until they fear losing reelection.

        Hence the ask to educate the people around you and to encourage them to reach out to their representatives.

    • mghackerlady 7 hours ago
      I think part of it is the hackers that the media reports on are entirely malicious. Most hackers aren't, we just like computers
      • bluGill 7 hours ago
        Evil people always get in the news.

        Sadly much as I agree with OP, the reality is there are a lot of evil people, and some of them lead a country and thus have vast resources to attack with. We need to solve this problem, not just cry about what a few of us are losing.

    • superloika 8 hours ago
      > If you want to make a meaningful contribution, however small, then make it a point to educate people about the control they are giving to large corporations like Google.

      This is a fool's errand. We live in a time without virtuous values, where convenience is king. The masses don't care about cookies or consent, they accept all. They only understand direct punishment.

      • trinsic2 4 hours ago
        >This is a fool's errand.

        It is absolutely not. Awareness is what people need right now because nobody is saying anything different from the established line. The more people that put their voice into this, the better off we are going to be.

        I'm hosting a Surveillance Capitalism Presentation soon that I designed myself; I'll likely post it on the net when I am done. If you are interested in hosting a Zoom call or an in-person awareness campaign like this, email me from my website[0] campaign form[1] and I'll notify you when it's online and you can download it and use it yourself to host your own venue.

        [0]: https://www.scottrlarson.com

        [1]: https://www.scottrlarson.com/forms/form-contact-campaign/

      • dmos62 8 hours ago
        Generalizing like this is a fool's errand, if anything. We care, and we are part of the "masses". If this is something you care about, share with others: there will be those who value it.
        • intended 8 hours ago
          HN is NOT part of the “masses” in the sense “masses” is being used here.

          A difference is being drawn between HN users who are interested in tech, and the everyone else. Most of humanity has little interest in Tech, and would rather spend their time on other things.

          This also means they are less aware of ways to keep themselves safe, or less on top of whatever current threat is sweeping through the internet.

          After multiple interactions on this site, I can say with some confidence that the average HN commenter does not have the same experience with technology that the average user does.

          This divergence is resulting in different priorities and conversations.

          • dmos62 8 hours ago
            I agree about HN being technically literate. I have non-technical friends that definitely care about privacy, their rights, maintaining a healthy economy, freedom in general. Then I have friends that don't really pay attention to that. I'm saying don't lump people into a single silly generalization.

            Edit: I think that, given that us HNers often self-identify as tech priests, advocacy and education should follow naturally from that.

      • khriss 8 hours ago
        > The masses don't care about cookies or consent, they accept all. They only understand direct punishment.

        Honestly, I can totally see where the cynicism is coming from, however if you think about it, that's a pretty condescending view. This effort might be Sisyphean, but things are not as dire as you might think.

        People are already seething at how much their lives are being enshitified by Big Co. Even if 10% of voters reach out to their representatives, it would be a tidal wave. Politicians are terrified of the popular will and this is not a hill they are willing to die on. Just see the success of the right to repair movement as an example.

    • raincole 7 hours ago
      > Right now, the vast majority of users are being bombarded with a one sided narrative of how 'insecure' their devices are. They read almost everyday about someone losing their life's savings due to 'hackers'. In this environment, they genuinely believe locking down their devices will make them more secure and prevent them from being 'hacked'.

      Nope. It's not the issue. The issue is people genuinely want the security problem to be solved by someone else. Either governments or big companies. So they can just not care about security once and for all.

      If people were so aware of so-called hackers and how insecure their devices are, we would have seen people stop installing apps on their phones and basically use them as a web browser. But that's not what happens. The opposite is truer: if you run an even slightly popular website you will receive feedback asking if you have an app version.

      > In my experience, once the issue is framed as 'Google will decide what you can do with your phone' every single person is immediately outraged.

      Oh boy, you're going to be really surprised.

    • trinsic2 4 hours ago
      Is there a good primer on why this is bad? I know that it is on a technical level. But I haven't heard anyone talk about it in layman's terms. Maybe I'll need to write something up. But it'd be great to have some resources as to why this is bad from a perspective other than my own.

      I'm doing a presentation on Surveillance Capitalism soon and I might include this topic.

    • locknitpicker 8 hours ago
      > The superhuman efforts that folks on HN make to find technical workarounds and solutions is wonderful to see, but we must realize that this is not a technical problem. It's a social and legislative one. It can't be fought on technical grounds.

      This. No matter how good the intentions are, this represents the infrastructure that can be exploited to persecute individuals and groups and deprive them from the most basic rights.

      And before anyone tries to downplay this as scaremongering, US legislators have introduced the legal framework to reject visas based on what comments the applicant may or may not have said in the past years regarding the current government.

    • intended 8 hours ago
      I agree with the direction, but not the blind spot.

      Your audience is going to shut you out if you don’t show you understand their reality.

      I reach out to people, and every tech and media person I know, is holding sessions on government over reach and invasion of privacy, raising alarm bells.

      Everyone not in tech, has just about had it with being predated upon, being screwed over and in general would rather warm themselves on a bonfire of tech stock, than do a thing to support it. Voters are HAPPY to see tech brought under control.

      The degree of fraud, predation, privacy invasion that regular adults encounter, let alone children, is absurd.

      To take the most civil and benign trend I know: online communities are dying to a glut of slop, bots, and spam. Users and mods are simply unable to keep up with this, and are increasingly likely to ding users as much as bots.

      A majority of humanity, who live in the developing world, encounter even worse, AND have less recourse to support.

      ——-

      Success in these things requires connecting with people. You cannot do that if you come across as a know it all.

      You must open with an acknowledgement that Tech is not doing a good job for users, but giving governments sweeping powers is not the antidote.

    • VoodooJuJu 8 hours ago
      [dead]
  • coppsilgold 1 day ago
    Requiring authorized silicon (and software) isn't even the biggest problem here.

    They do not use zero knowledge proof systems or blind signatures. So every time you use your device to attest you leave behind something (the attestation packet) that can be used to link the action to your device. They put on a show about how much they care about your privacy by introducing indirection into the process (static device 'ID' is used to acquire an ephemeral 'ID' from an intermediate server) but it's just a show because you don't know what those intermediary servers are doing: You should assume they log everything.

    And this is just the remote attestation vector, the DRM 'ID' vector is even worse (no meaningful indirection, every license server has access to your burned-in-silicon static identity). And the Google account vector is what it is.

    Using blind signatures for remote attestation has actually been proposed, but no one notable is currently using it: <https://en.wikipedia.org/wiki/Direct_Anonymous_Attestation>

    There are several possible reasons for this, the obvious one is that they want to be able to violate your privacy at will or are mandated to have the capability. The other is that because it's not possible to link an attestation to a particular device the only mitigation to abuse that is feasible is rate limiting which may not be good enough for them - an adversary could set up a farm where every device generates $/hour from providing remote attestations to 'malicious' actors.

    • AnthonyMouse 23 hours ago
      > The other is that because it's not possible to link an attestation to a particular device the only mitigation to abuse that is feasible is rate limiting

      I still don't see how you can keep something anonymous and still rate limit it. If a service can tell that two requests came from the same party in order to count them then two services can tell that two requests came from the same party (by both pretending to be the same service) and therefore correlate them.

      • coppsilgold 23 hours ago
        The way it would work with blind signatures is that the server will know the device that comes to it to request a blinded signature and will be able to rate limit how often that device asks it.

        But once you get the response you can unblind the signed signature and obtain the token (which is just the unblinded signature). This token can then be used once either because it's blacklisted after use (and it expires before the next day starts for example).

        The desired property of blind signatures is that given a token it's information theoretically impossible to determine which blinded signature it came from (because it could have come from any of them) even if the cryptographic primitive is broken by a mathematical breakthrough or a quantum computer. There is technically the danger that if the anonymity set is too small and all the other participants collude you can be singled out.

        Correlating times is a threat vector that needs to be managed either by delaying actions (not tolerable by normal users) or by acquiring tokens automatically and storing them in expectation. Or something other I haven't thought of probably. There is also a networking aspect to this, you will need a decentralized relay server network that masks origin of requests.
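
The issue/unblind/redeem flow described in the comment above, as an added example (Python; not the commenter's code and not any vendor's implementation). It uses textbook RSA blind signatures: the issuer sees the device id and enforces a per-device daily quota, but only ever signs blinded values; the service checks the issuer's signature, the token's day tag and one-time use. The key size, the Miller-Rabin test and the hash-to-Z_n mapping are demo-grade and constructed for this example; the per-day limit of 16 is an arbitrary choice.

```python
"""Toy RSA blind-signature token flow (added example; not the commenter's code).
Issuer sees a stable device id, rate limits per device per day and signs only
blinded values; the client unblinds; the service checks signature, day and
one-time use. Key size, primality test and hash-to-Z_n are demo-grade."""
import hashlib
import math
import random
import secrets

def _is_probable_prime(n, rounds=16):
    # Miller-Rabin; candidates are odd 256-bit values, so no small-prime sieve needed
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def keygen(bits=512, e=65537):
    """Textbook RSA: returns ((n, e), (n, d))."""
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _hash_to_zn(token_id, n):
    return int.from_bytes(hashlib.sha256(token_id).digest(), "big") % n

class Issuer:
    def __init__(self, pub, priv, per_day=16):
        self.pub, self.priv, self.per_day = pub, priv, per_day
        self.counts = {}           # (device_id, day) -> tokens issued so far
        self.seen_blinded = set()  # everything the issuer ever sees

    def issue(self, device_id, day, blinded):
        key = (device_id, day)
        if self.counts.get(key, 0) >= self.per_day:
            return None  # rate limit: the issuer's only lever against farms
        self.counts[key] = self.counts.get(key, 0) + 1
        self.seen_blinded.add(blinded)
        n, d = self.priv
        return pow(blinded, d, n)

def get_token(issuer, pub, device_id, day):
    """Client side: blind a fresh day-tagged token id, get it signed, unblind."""
    n, e = pub
    token_id = f"{day}:".encode() + secrets.token_bytes(16)
    r = secrets.randbelow(n - 2) + 2
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    blinded = _hash_to_zn(token_id, n) * pow(r, e, n) % n
    blinded_sig = issuer.issue(device_id, day, blinded)
    if blinded_sig is None:
        return None
    return token_id, blinded_sig * pow(r, -1, n) % n  # unblinded signature

class Service:
    def __init__(self, pub):
        self.pub, self.spent = pub, set()

    def redeem(self, token, day):
        token_id, sig = token
        n, e = self.pub
        if not token_id.startswith(f"{day}:".encode()):
            return False  # minted for another day: expired
        if pow(sig, e, n) != _hash_to_zn(token_id, n):
            return False  # not the issuer's signature
        if token_id in self.spent:
            return False  # already used: blacklisted
        self.spent.add(token_id)
        return True

def demo():
    pub, priv = keygen()
    issuer, service = Issuer(pub, priv), Service(pub)
    tokens = [get_token(issuer, pub, "device-A", 1) for _ in range(16)]
    overflow = get_token(issuer, pub, "device-A", 1)  # 17th request that day
    first = service.redeem(tokens[0], 1)
    replay = service.redeem(tokens[0], 1)
    stale = service.redeem(tokens[1], 2)              # presented the next day
    # the issuer stored only blinded values; no final signature is among them
    unlinkable = all(sig not in issuer.seen_blinded for _, sig in tokens)
    return {"issued": sum(t is not None for t in tokens), "overflow": overflow,
            "first": first, "replay": replay, "stale": stale, "unlinkable": unlinkable}
```

The unlinkability rests on the blinding factor r, which only the client knows: given an unblinded signature, every blinded value the issuer ever signed is an equally plausible origin. The scheme also assumes a token is presented exactly once; handing the same unblinded signature to two services links those two uses trivially, which is the objection raised further down the thread.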

        • AnthonyMouse 22 hours ago
          > But once you get the response you can unblind the signed signature and obtain the token (which is just the unblinded signature).

          The premise of this is to keep the person issuing the tokens and the person accepting them from correlating you.

          The issue is when you have more than one service accepting them. You go to use Facebook and WhatsApp but they're both Meta so you present the same unblinded signature to both services and now your Facebook and WhatsApp accounts are correlated against your will. And they have a network that does the same thing, so you go to use a third party service and they require you to submit your unblinded signature to Meta which allows them to correlate you everywhere.

          • coppsilgold 22 hours ago
            > you present the same unblinded signature to both services

            You would never do this as it defeats the entire purpose of using blind signatures to begin with.

            • AnthonyMouse 21 hours ago
              That's the point. You go to example.com and get the "sign in with Google" box as the only login option, but now you can't have separate uncorrelated Google accounts. Or if browsers do it automatically then every site does a background load or redirect through adtracker.nsa so you're presenting the same token on every service.

              It's not the user who wants any of this to begin with. "You would never do that" except that it's now the only way to be let into the service.

              • coppsilgold 35 minutes ago
                If A adopts a Blind Signature scheme it implies A is cooperating in establishing privacy infrastructure. If A is so malicious that it would advertise a sound privacy system and then it immediately sabotages it that's a different matter...
      • falcor84 10 hours ago
        I'm as biased against cryptocurrency as everyone, but couldn't we have the requestor do a bit of mining work to mint that initial id? I mean, if the service is actually making a bit of money from each request, the need for rate limiting just vanishes, right?
        • nroets 10 hours ago
          If proof of work is the "payment" to prove that you're human, many AI startups will outbid poor people living in third world countries. They will even outbid some Americans.

          Yes, those AI startups can also buy cheap Android phones at scale, but it's a bit harder because they'll pay for stuff that their bots have no use for (a screen, a battery, a 5G radio, software, branding, distribution, customer support etc).

          • falcor84 7 hours ago
            As I see it, living requires money. If we have people on this planet that are too poor to digitally prove that they're alive, then we need to figure out a way to distribute the Earth's wealth more equally in general, rather than to require hardware attestation, which seems to be worse on essentially every metric, including inequality.
          • fsflover 7 hours ago
            At least they would give money to something useful.
            • falcor84 7 hours ago
              Attestation is a service, like every other service. Why should it necessarily be free? Especially now that we all know that "free" on the web means ads & tracking?

              I think we should just accept that some things should cost a bit of money and move the discussion to "how much should it cost", rather than trying to sweep economics under the rug.

            • nroets 4 hours ago
              I think you miss my point: When bots can "give" more money/computing power, then the transaction is no longer a good test of being human.
              • fsflover 4 hours ago
                This is why I said "at least".
      • nullc 22 hours ago
        Just to give an example to prime your intuition: define your "usage token" as H(private_key|service_domain_name|date|4-bit_counter). Make your scheme provably reveal the usage token when you authenticate. Now you can use the service 16 times a day on a particular domain and no more simply by blocking token reuse. And yet the service has no ability to link different tokens to each other or to a specific person because they don't have anyone else's private keys.

        You can make variations on this for a wide spectrum of rate limiting behaviors.

        But also I agree with xinayder's comment-- the anticompetitive, anti-privacy, invasive surveillance is unacceptable. There are a lot of risks with ZKPs that we just make the poison a little less bitter with the end result being more harm to humanity.

        I think ZKP systems are intellectually interesting and their lack of use helps make it more clear that the surveillance is really the point of these schemes, not security because most of the security (or more of it) could be achieved without most of the surveillance.

        But allowing the apple google duopoly to control who can read online is wrong even if they did it in a way that better preserved privacy.

        And because I can't believe no one else in the thread has linked to it: https://www.gnu.org/philosophy/right-to-read.html
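
The H(private_key|service_domain_name|date|4-bit_counter) construction from the comment above, as an added example (Python; not nullc's code). HMAC-SHA256 stands in for H, the user agent derives the origin from its own connection rather than from anything the server claims, and it never emits the same counter value twice; the service only has to block reuse. The zero-knowledge proof that a token was correctly derived is out of scope here, so this service simply trusts the value it receives. The key, origins and date are constructed for the demo.

```python
"""Keyed-hash "usage tokens" with a per-origin daily quota (added example; not
nullc's code). token = HMAC(key, origin | date | counter) with a 4-bit counter,
so at most 16 tokens exist per origin per day. The user agent picks the origin
from its own connection and never emits a counter value twice; the service only
blocks reuse. The proof that the token was derived correctly is left out."""
import hashlib
import hmac
from collections import defaultdict

COUNTER_BITS = 4  # 2**4 == 16 uses per origin per day

def usage_token(key: bytes, origin: str, date: str, counter: int) -> bytes:
    """H(private_key | service_domain_name | date | 4-bit_counter), with HMAC as H."""
    if not 0 <= counter < 2 ** COUNTER_BITS:
        raise ValueError("counter out of range")
    msg = b"|".join([origin.encode(), date.encode(), bytes([counter])])
    return hmac.new(key, msg, hashlib.sha256).digest()

class UserAgent:
    def __init__(self, key: bytes):
        self.key = key  # assumption: a device-held secret the UA never exports
        self.next_counter = defaultdict(int)  # (origin, date) -> next unused counter

    def token_for(self, origin: str, date: str):
        # origin is what the UA actually connected to (what the address bar shows),
        # never a name the server asks for, so colluding sites cannot share one origin
        c = self.next_counter[(origin, date)]
        if c >= 2 ** COUNTER_BITS:
            return None  # quota exhausted for this origin today
        self.next_counter[(origin, date)] = c + 1
        return usage_token(self.key, origin, date, c)

class Service:
    def __init__(self):
        self.seen = set()

    def accept(self, token, date: str) -> bool:
        """Replay protection: a token is good for exactly one request."""
        if token is None or (date, token) in self.seen:
            return False
        self.seen.add((date, token))
        return True

def demo():
    ua = UserAgent(key=b"constructed-demo-key")  # constructed value for the demo
    site_a, site_b = Service(), Service()
    day = "2024-06-01"
    accepted = sum(site_a.accept(ua.token_for("a.example", day), day) for _ in range(16))
    seventeenth = ua.token_for("a.example", day)   # quota hit -> None
    replay = site_a.accept(usage_token(ua.key, "a.example", day, 0), day)
    tok_b = ua.token_for("b.example", day)         # a different origin
    a_tokens = {usage_token(ua.key, "a.example", day, c) for c in range(16)}
    return {"accepted": accepted, "seventeenth": seventeenth, "replay": replay,
            "b_accepted": site_b.accept(tok_b, day), "b_token_in_a_set": tok_b in a_tokens}
```

Because the key never leaves the user agent, neither site can compute any other token from the ones it has seen, and tokens for a.example and b.example share nothing a third party could match up. The cost of this design is the one raised in the replies: once the 16 counter values for a day are used up on an origin, the user agent has nothing left to present.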

        • AnthonyMouse 21 hours ago
          > define your "usage token" as H(private_key|service_domain_name|date|4-bit_counter)

          But how are you preventing multiple services from using the same value for service_domain_name because they're cooperating to correlate your use?

          • nullc 21 hours ago
            Because-- in this hypothetical-- your user agent restricts the usage to the name displayed on the screen and also because your agent won't send the same value twice either (it'll increment the counter or tell you that it's run out of tokens).
            • AnthonyMouse 21 hours ago
              Requiring the name to be displayed isn't going to do much for ordinary people. They mostly wouldn't look at it and even if they did, "continue as-is or no service for you" means they continue as-is.

              Not sending the same value twice would prevent them from being correlated, but now what are you supposed to do when you run out? Running you out could even be the goal: You burn a token to get a cookie and now you can't clear your cookies or you'll be denied a new one since you're out of tokens.

              • nullc 20 hours ago
                I'll be the first to admit that the technology can be abused-- that it's even ripe for abuse. That sort of problem can be avoided by allowing 'enough'-- and if the goal is to just prevent a site being flooded out 'enough' could be pretty high.

                Of course, I think the effective purpose of google's attest feature is to invade everyone's privacy which we should assume is part of why they don't use privacy preserving techniques. Privacy preserving techniques could still be abused, however.

                Maybe they're even worse for humanity because they make bad schemes more palatable. I think right now I lean towards no: the public in general will currently tolerate the most invasive forms of these systems, so our issue isn't that they're being successfully resisted and the resistance might be diminished by a scheme which is still bad but less bad.

    • xinayder 23 hours ago
      Can we stop normalizing being surveilled online and on our devices?

      Saying something like "the problem is not hardware attestation, but that they don't use ZKP".

      You are normalizing the new behavior. You shouldn't. It doesn't matter if they use ZKP or the latest, secure technology for hardware attestation. The issue is hardware attestation. It's the same with age ID. The issue is not that Age ID is prone to data leaks, the problem itself is called Age ID.

      • userbinator 23 hours ago
        Hell yes. I was going to post the same comment. I don't give a flying fuck how it's implemented. Remote attestation is inherently evil.

        I remember the WEI apologists trying to do the same thing to derail the argument. The problem is the goal, not the details. Just say no: DO NOT WANT!

        • lxgr 23 hours ago
          Remote attestation is a technology, not a policy or a political effort, so it can't be inherently evil. You can disagree with all its known or proposed uses, but then I think it makes more sense to name these.
          • xinayder 22 hours ago
            DRM is a technology and is inherently evil. Web attestation is DRM for the web, and is inherently evil. Age ID is a technology and is inherently evil.

            We have over 30 years of the world wide web and for these more than 3 decades this was never a problem. Suddenly, we "need" to create new technologies that seem to be security features, but are essentially just being used for evil, thus being inherently bad.

            It's not like these technologies were created for the greater good and misappropriated by bad actors. They were proposed by bad actors in the first place, they cannot not be inherently good.

            • lxgr 22 hours ago
              DRM is arguably a specific use of various generic technology ranging from whitebox cryptography to trusted computing.

              I don't think remote attestation (or even more so its umbrella technology, trusted computing) is nearly as specifically targeted as DRM.

              > We have over 30 years of the world wide web and for these more than 3 decades this was never a problem. Suddenly, we "need" to create new technology that seem to be security features, but are essentially just being used for evil, thus being inherently bad.

              I agree that requiring remote attestation for generic web use is evil. It's way too heavy-handed an approach better reserved

              I still don't think this somehow outright disqualifies the technology itself.

              • salawat 6 hours ago
                >I still don't think this somehow outright disqualifies the technology itself.

                A technology squarely and 100 percent intended to give people other than the end user the ability to sleep soundly at night knowing those dastardly end users can't muck with their software (the non-end user) on their (the end user's) devices is only a tool for the authoritarian minded. Sorry mate, but if you're sitting here thinking it's useful and neutral, you are part of the problem, because you're eyes-wide-shutting the fact the only people gaining from the technology are those that already have a terrible trustworthiness record in terms of not abusing the sovereignty of another person's machine.

                Show me an industry that ships source code, and manuals with all software that runs on the device, along with hardware manuals and the manuals to write your own drivers and doesn't use hardware primitives to enforce their business models over you, then we can talk about an industry where "trusted computing" might be neutral to the end user. History has not seen this relationship borne out, however.

                The "Trust" in "Trusted Computing" has only ever been realistically unidirectional in terms of favoring entrenched industry players. As a rule of thumb, if the primary benefactors of a feature are over 90% legal fictions; your feature ain't neutral. It's hostile to humanity. Period.

                • fsflover 30 minutes ago
                  > Show me an industry that ships source code, and manuals with all software that runs on the device, along with hardware manuals and the manuals to write your own drivers and doesn't use hardware primitives to enforce their business models over you, then we can talk

                  Here you go: https://puri.sm/products/librem-5

                  (And indeed, their Pureboot with Heads and a hardware key allow you to restrict which OS can be booted on laptops, while not restricting the user.)

            • aboardRat4 10 hours ago
              >We have over 30 years of the world wide web and for these more than 3 decades this was never a problem.

              captcha/spambots have been a problem since USENET

            • charcircuit 20 hours ago
              >We have over 30 years of the world wide web and for these more than 3 decades this was never a problem.

              Are you seriously trying to suggest copyright infringement has not been an issue over the last 30 years? Both of them are solutions to problems that we've had over the last 30 years and were created for the greater good to solve problems that developers were facing.

              • lisabytes 12 hours ago
                Movies, games and music are multi billion dollar industries, in what way have they struggled in a world of endless piracy being possible?
                • charcircuit 1 hour ago
                  Grocery stores are a trillion dollar industry yet you will see stores that close due to theft being possible. The simplest way games and music struggle is losing a sale because people can play them without paying.
              • xinayder 13 hours ago
                Tell me when DMCA law has worked in favor of small companies/developers?

                DMCA is abused every. single. time.

                • Mindwipe 10 hours ago
                  Individual self employed photographers successfully use the DMCA to get significant payouts from large publishers and news organisations every single day.

                  Like literally hundreds of thousands, every day.

          • paltor 7 hours ago
            Different technologies may selectively amplify existing power. If the actions that it enables are disproportionately evil, it may at the very least be considered very useful for evil.

            Suppose someone invents a mind-reader that lets the user read the thoughts of anybody else in range. But the mind-reader requires great up-front costs to produce and also allows people with stronger readers to remotely destroy weaker readers, where strength is basically a function of cost.

            In a vacuum, the mind-reader is "just a technology". But it aids autocratic surveillance much more than it aids citizens who want to surveil back. It's "neutral" but its impact is decidedly not.

            TPMs and remote attestation enable entities with power to enforce their existing power much more effectively. In contrast, a general-purpose computer does the opposite because anybody can run whatever code they want, they can adversarially interoperate with anybody they feel like, and so on.

            One of these is more evil than the other, even though they're both "just technologies".

          • pigeons 16 hours ago
            I think people are too quick to dismiss the possibility that some technologies are just bad and harmful and we can't shrug off responsibility and say I'm just making a neutral technology and the people using it are the ones causing harm.
          • userbinator 23 hours ago
            Then explain why RA was invented? It is inherently against user freedom, just like "secure" boot and the rest of the corporate-authoritarian crap.

            People have woken up to the truth as the pieces come together.

            This article from 2022 is fun to look at and see how prescient it was: https://news.ycombinator.com/item?id=29859106

            • MadnessASAP 15 hours ago
              I have 2 servers, Alice and Bob, Bob has a secret, I want Bob to be able to share that secret with Alice. However, I want Alice to be able to prove to Bob that it is actually Alice, that it is running the correct AliceOS, and that AliceOS was loaded on bare metal Alice without nefarious pre-boot or virtualization hooks.

              A TPM with measured boot (SecureBoot) does exactly this, remote attestation is how Alice proves to Bob that it is in a trusted configuration and wasn't tampered with.
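
The Alice/Bob exchange described above, simulated as an added example (Python; not the commenter's code and not a real TPM API). Alice's TPM extends each boot component into a PCR (pcr = H(pcr | H(component))) and later signs a quote over the PCR and Bob's nonce; Bob releases the secret only if the quote verifies, the nonce is one he issued, and the PCR matches the golden value he computed from the AliceOS images he trusts. Assumption: the attestation key is modelled as an HMAC key shared at enrolment, standing in for the asymmetric AK a real TPM would certify; the component names and key are constructed for the demo.

```python
"""Measured boot + remote attestation between Alice and Bob, simulated (added
example; not the commenter's code). Alice's TPM extends each boot component into
a PCR and signs a quote over (PCR, nonce); Bob releases the secret only if the
quote verifies, the nonce is his, and the PCR equals the AliceOS golden value.
ASSUMPTION: the attestation key is an HMAC key shared at enrolment, a stand-in
for the asymmetric AK a real TPM would certify."""
import hashlib
import hmac
import secrets

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class Tpm:
    """Minimal single-PCR TPM model."""
    def __init__(self, ak_key: bytes):
        self.ak_key = ak_key
        self.pcr = bytes(32)  # PCRs start zeroed at reset

    def extend(self, component: bytes):
        # extend is one-way and order-sensitive: a measured hook cannot be un-measured
        self.pcr = sha256(self.pcr + sha256(component))

    def quote(self, nonce: bytes):
        body = self.pcr + nonce
        return body, hmac.new(self.ak_key, body, hashlib.sha256).digest()

def boot(tpm: Tpm, chain):
    """Each stage measures the next before handing over control."""
    for component in chain:
        tpm.extend(component)

def golden_pcr(chain) -> bytes:
    """Bob derives the expected PCR from the reference images he trusts."""
    ref = Tpm(b"")
    boot(ref, chain)
    return ref.pcr

class Bob:
    def __init__(self, ak_key: bytes, golden: bytes, secret: bytes):
        self.ak_key, self.golden, self.secret = ak_key, golden, secret
        self.outstanding = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def release(self, body: bytes, sig: bytes):
        expected = hmac.new(self.ak_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None  # not signed by Alice's attestation key
        pcr, nonce = body[:32], body[32:]
        if nonce not in self.outstanding:
            return None  # replayed or unsolicited quote
        self.outstanding.discard(nonce)
        if pcr != self.golden:
            return None  # boot chain differs from the AliceOS reference
        return self.secret

def demo():
    ak_key = b"constructed-demo-ak-key"  # constructed; shared at enrolment
    alice_os = [b"firmware-v1", b"bootloader-v1", b"AliceOS-kernel-v1"]
    bob = Bob(ak_key, golden_pcr(alice_os), b"the-secret")

    alice = Tpm(ak_key)
    boot(alice, alice_os)
    body, sig = alice.quote(bob.challenge())
    good = bob.release(body, sig)
    replayed = bob.release(body, sig)  # same quote presented a second time

    hooked = Tpm(ak_key)  # same hardware, but a pre-boot hook got measured in
    boot(hooked, [b"firmware-v1", b"preboot-hook", b"bootloader-v1", b"AliceOS-kernel-v1"])
    body2, sig2 = hooked.quote(bob.challenge())
    tampered = bob.release(body2, sig2)
    return {"good": good, "replayed": replayed, "tampered": tampered}
```

Two properties carry the whole argument: the PCR is a running hash, so an extra measured stage changes the final value no matter what runs afterwards, and the nonce binds each quote to one challenge so an old good quote cannot be replayed. What the model deliberately leaves out is who chooses the golden value; in the servers-you-own case it is Bob's operator, which is the distinction the rest of the thread is about.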

              • userbinator 13 hours ago
                That's the academic viewpoint, but in practice it's used for far more hostile purposes.

                (One argues that since you own both of them, you should simply set up the two servers yourself with a key of your own choosing, asymmetric or otherwise, and then restrict physical access to them.)

              • xinayder 13 hours ago
                And exactly how many Linux distros support Secure Boot out of the box? Just a few.

                I can perhaps agree that the idea of SB can be good, but it was designed (and is used) in a bad way. Just look at how many distros do not support SB.

              • brabel 14 hours ago
                As someone who wanted to improve users' security, that’s exactly why I find this thread's fanatical opposition to attestation baffling. Nearly everyone uses a device that supports hardware attestation. It’s the best available tool to protect users from malware. We do implement a fallback that lowers security but lets the few users who have devices not able to attest properly to continue, but that really lowers security since we can’t even know if the device cryptography is itself compromised and hence can’t really trust anything it sends. If you have a different solution, do share it! I would love to use something you guys don’t find abhorrent! But until then I don’t really see the reason for all this negativity.
                • MadnessASAP 13 hours ago
                  Sadly, the problem isn't the TPM or Remote Attestation. It's Google et al choosing to only talk to devices and software they like without concern for what the user wants or trusts. Compounded by everyone else just going along with it.

                  A TPM where the device owner can't take ownership of the root key is worse than no TPM at all.

                • superloika 11 hours ago
                  If the price to pay for security is freedom, then let users' devices be insecure. With time, they will learn good security hygiene. And if they don't, maybe they don't deserve it.
                  • PxldLtd 10 hours ago
                    I would be the safest citizen, free from experiencing crime and violence if I'm imprisoned in my house for life.
          • eesmith 11 hours ago
            Remote attestation is a policy, not a technology.

            The policy is "I will not let you access this system unless your system software implements this technological protection."

            A camera is technology. A security camera is policy, because it's a camera hooked up to policies on how to watch, record, and respond to what is required, and it is a political effort when connected with laws about face masks, prohibiting spray painting of the cameras, and allowing privacy intrusions.

          • nullc 22 hours ago
            "It’s a poor atom blaster that won’t point both ways."
        • zx8080 22 hours ago
          The biggest problem is the banking system. "Don't want - no bank for you". That's the problem.
          • Hackbraten 16 hours ago
            Let them know. Write a letter to the CEO. And vote with your wallet and switch banks if you can. There's always a bank willing to offer you a non-app 2FA scheme.
            • gorgolo 14 hours ago
              Banks don’t do this because of profit. They do it because of decades of laws pushing in this direction. Anti-money laundering, know your customer, digitalised currency, abandoning cash, preventing tax evasion etc… it’s been getting more extensive over time.
              • Hackbraten 13 hours ago
                None of the things you mentioned inherently require the user to own (and babysit) an expensive general-purpose computing device produced by tracking-obsessed adtech giants and with software obsolescence built into the product.
            • iso1631 8 hours ago
              > vote with your wallet

              This does not work. You aren't talking about pissing off a significant percentage of the users who go elsewhere.

              The imbalance in power is unthinkable to people 100 years ago when the phrase was first popularised.

            • locknitpicker 10 hours ago
              > Let them know. Write a letter to the CEO.

              I think you're naively presuming the issue is simple and easy to address with a letter.

              Regardless of your bank, payment systems such as Visa and Mastercard have blocked transactions involving mainstream online stores such as Steam because they unilaterally deemed some games to be problematic. You cannot fix this problem with an email.

              • Hackbraten 8 hours ago
                These are two unrelated problems. One is "payment systems use imperfect heuristics in their own operations to fulfil their regulatory obligations." The problem I was referring to is "banks push 2FA onto end users but are unwilling to give them alternatives that don't involve meddling with the user's own most private and expensive device."

                The latter is absolutely a thing where customers can (and should IMO) push back hard.

                • locknitpicker 5 hours ago
                  > These are two unrelated problems. One is "payment systems use imperfect heuristics in their own operations to fulfil their regulatory obligations."

                  No, they are not. You have people reliant on this software infrastructure for very basic aspects of their life such as using their own money to buy whatever they feel like buying, and you have people being deprived of their rights because operators of said infrastructure actively prevent and deny their rights to do so. This has nothing to do with heuristics, and everything to do with granting people the power to dictate what you may or may not do with the things you own.

            • brabel 14 hours ago
              Do you think banks are using attestation gratuitously? It helps prevent a lot of fraud. You are opposing something that saves people’s savings every day just because you think it takes “freedom” away from a few hobbyists. Do you even have a phone that does not support hardware attestation or is all this posturing about something hypothetical?
              • xinayder 13 hours ago
                Can you show me examples where locking down an OS has prevented fraud in banking?

                Honestly, if the only way to secure your banking system is by locking down users' devices, there is something really bad going on at your end, security-wise. Your system should be secure even without locking down user hardware.

                • Hackbraten 12 hours ago
                  One of the threat models is that a fraudster tricks a non-technical user into installing malware, which then manipulates the user interface so that next time the user tries to send money to Bob, it actually goes to Mallory. That's a legitimate concern, and one of the causes why PSD2 mandates that all 2FA devices must have a display that shows the user where they're about to send the money and how much.
                  • 63stack 9 hours ago
                    And one of the threat models that police use in the US is tracking women suspected of going for abortions through the use of road cameras, and other surveillance methods.

                    Once you have the attestation in place you have no guarantee who is going to get access to data like what apps are present on your device, and there will be nothing you can do to stop it.

                    Meanwhile, we could educate people against common scams.

                    How is this not just trading one smaller bad for a bigger bad? Why is this touted as an improvement?

                    • Hackbraten 8 hours ago
                      That's why I'm strongly against remote attestation of general-purpose hardware.

                      I use a handheld card reader with a display as a 2FA for my bank transactions. It shows me the transaction and, after I confirm, sends a TAN to the bank. It is not a general-purpose device but a certified, tamper-evident/-resistant black box that does just that one thing.

                      > Meanwhile, we could educate people against common scams.

                      There's a million ways you can get scammed, no matter how many hours of training you've had.

                    • axus 8 hours ago
                      You can't educate (many) people against common scams. But people should have the freedom to opt out of surveillance in their private lives, at the risk of exposure to scams.
                      • 63stack 6 hours ago
                        I don't see why we couldn't have both better education around this, and the freedom to opt out of surveillance
                • mike_hearn 12 hours ago
                  Look at the last 30 years of computing history?

                  When online banking was first created it was an absolute chaos zone. Everyone was accessing it from desktop machines riddled with viruses and malware. There are endless stories of people discovering their life savings had been wired to Belarus by some malware running on their machine that had grabbed their banking credentials when they logged in.

                  https://www.google.com/search?q=site%3Akrebsonsecurity.com+b...

                  https://krebsonsecurity.com/2017/07/how-a-citadel-trojan-dev...

                  > U.S. prosecutors say Citadel infected more than 11 million computers worldwide, causing financial losses of at least a half billion dollars.

                  Half a billion dollars, by a single guy with a single virus!

                  Different parts of the world came up with different solutions for this. The US made all ACH payments reversible and international wires difficult, but that just meant the receiver paid for fraud instead of the person whose machine was full of viruses. This was an obviously bad set of incentives and hacky panic-based fix. Banks elsewhere in the world settled on providing users with authenticator devices that looked like small calculators into which you could type transaction details after plugging in a smart card. Malware could still steal all your financial data but it couldn't initiate transactions.

                  Obviously, all this was a hack. What was needed was computers that were secure. Apple and the Android ecosystem eventually delivered this, and the calculator devices were retired in favour of smartphones with remote attestation. This was better in literally every way, for 100% of users. Firstly, it protects financial privacy and not just transaction initiation. Secondly, it's a lot more convenient to use a device that's always with you than a dedicated standalone single-use computer. Thirdly, adding remote attestation made no difference because that's what the calculator devices were doing anyway. Fourthly, even in the case of customers of small American banks that weren't capable enough to manage dedicated hardware rollouts, getting rid of fraud instead of pushing liability around allows for lower prices and fewer headaches.

                  So remote attestation is a non-negotiable requirement for digital banking of any form. When Microsoft didn't deliver most banks preferred to literally manufacture and sell their customers single-use smartcards that remotely attested by you manually copying numbers back and forth between screens. Or they hid the cost of rampant fraud in the price of other services until such a time that Apple/Google saved them.

                  • Hackbraten 11 hours ago
                    > Secondly, it's a lot more convenient to use a device that's always with you than a dedicated standalone single-use computer.

                    The price the owner pays for this is that they're locked out of their own expensive general-purpose computing device while still having to bear all the inconveniences (babysit OS updates, configure stuff, keep it charged, have the battery fail, buy a new device every five years, etc.)

                    In the meantime, the standalone chip-and-TAN device costs 30 bucks, is powered by three AAA batteries that hold their charge for five years, lives for 20 years, and never needs a single software update.

                    I'd choose the small single-purpose device over the enshittified, locked-down smartphone every single time.

                    • ogogmad 9 hours ago
                      This reminds me of crypto wallets. I also dispute mike_hearn's:

                      > Smartphone HW attestation is better in every way

                      They're still prone to side-channel attacks like SPECTRE. Crypto wallets are practically immune because they're air-gapped.

                      [edit] I just realised that's Mike Hearn of early BTC fame. I suppose he would know what a crypto wallet is.

                      • mike_hearn 6 hours ago
                        Spectre doesn't work across process boundaries, so I don't think they are. You can't Spectre your way into a banking app on an iPhone. Or if you can I'd like to see it in action.
                        • ogogmad 4 hours ago
                          I don’t think "Spectre doesn’t work across process boundaries" is correct as stated; cross-process and cross-security-domain Spectre attacks have been demonstrated. But I agree that "a malicious app can trivially Spectre its way into an arbitrary banking app on a patched iPhone" is a much stronger claim, and I’m not aware of a public demonstration of that exact attack. My point is only that process isolation alone is not, in principle, a complete answer to Spectre-class attacks.
                    • 6510 7 hours ago
                      You could also open your front door with your smart phone. It would look high tech until your battery is empty.

                      Sometimes I see people captured by the train station unable to check out. They usually find someone with a charger but technically the formula is to fine them for not having a ticket. Then one might still need to buy a ticket to continue the journey. (bring cash)

                      Phones are usually empty when things [already] aren't going as planned.

                      • Hackbraten 3 hours ago
                        Back in my iPhone days, I once got bitten by a bug where the app developer failed to raise that flag "dear OS, I'm in the middle of presenting a ticket for optical scanning, and it would be really amazing if you could just, you know, not disturb the screen with random shit for a couple seconds."

                        Unfortunately for me though, the turnstile that I was about to pass to exit the train station had both an optical scanner and some NFC thing lumped into the same physical module, and every time I tried to scan my ticket, the phone would raise its NFC screen and hide the 2D matrix code.

                        So yes, you can have a fully charged phone and a perfectly valid ticket with the latest software and still get stuck in a train station.

                  • 6510 7 hours ago
                    >....the calculator devices were retired in favour of smartphones with remote attestation. This was better in literally every way, for 100% of users.

                    Not 100%. A robber can force people to activate facial recognition or fingerprint sensors. Forcing someone to type a pin code is harder but doable. If one doesn't bring the authenticator & bank card they can't initiate transactions.

                    • mike_hearn 6 hours ago
                      Banking apps don't normally force you to use biometrics. They let you use PINs too, at least mine does.
                • ogogmad 9 hours ago
                  > Can you show me examples where locking down an OS has prevented fraud in banking?

                  This is a nonsensical remark because it's impossible to "prove" a counterfactual. I find stuff like this incredibly annoying - please don't say this.

              • Hackbraten 13 hours ago
                > Do you think banks are using attestation gratuitously?

                What I'm claiming is that banks have the freedom of offering their customers 2FA other than smartphone apps.

                > Do you even have a phone that does not support hardware attestation or is all this posturing about something hypothetical?

                All the phones I own, including my daily driver, run some flavor of Debian. None of them support hardware attestation.

                I'm in Europe, bound by PSD2, and own a couple of cheap, certified chip-and-TAN devices so I can do banking.

      • altairprime 19 hours ago
        How should a government act to prohibit misrepresentation of one’s characteristics online, from accessing services for which that government has formally defined regulations based on characteristic into law?

        If your answer is “they shouldn’t ever do that”, then you’re promoting an uncompromising position that governments are disinclined to adopt, being the primary user of identity issuance and verification on behalf of their citizens.

        If your answer is “they should do that differently”, then you have a discussion about (for example) ZKP or biosigs or etc., such as the thread you’re replying to.

        Which of these two paths are you here to discuss? I want to be sure I’ve correctly understood you to be arguing for the former in a thread about the latter.

      • lxgr 23 hours ago
        You're not necessarily being surveilled just because you're forced to authenticate yourself. It often is the case practically, but it's not inherent, and mixing the two up makes the discussion too imprecise in a technical forum.

        Hardware attestation often also has problems of centralization, but that's something else as well.

        By just labeling it as an abstract bad thing without seeing nuance, I'm afraid you won't be convincing those in power to pass or block these laws, or those convincing your fellow voters which efforts to support.

        • xphos 19 hours ago
          I think labeling this an abstract problem because all the existing implementations have concrete but different problems is a little bit of a Motte and Bailey fallacy.

          The surveillance of the future will be powered by the things we produce today. If the accepted algorithms leave cookies, those cookies will be used, tracked and monetized. The bad argument is the forced verification to do things on the internet. Making that start at the hardware is a lock-in that's not okay. Business will always own the services, and making standards that trade our practical liberty for the sake of security is a very compromised position in my opinion.

          And it does start with the age verification, followed by ID checks, etc. It's compromising precisely because no lines are drawn and no rights to privacy are codified in law. Without guardrails the worse path will likely be taken for maximum profit.

        • zx8080 22 hours ago
          > You're not necessarily being surveilled just because you're forced to authenticate yourself.

          Oh hell you do! Google profit comes from ADS! It's for their profit to surveil and track and deanonymize TO SELL ADS.

          • lxgr 8 hours ago
            A counterexample is not a valid refutation of the general point. It can be both true that Google will deanonymize you, given the chance, and that anonymous attestation is possible.
          • whattheheckheck 15 hours ago
            Having thought about ads, what is the ideal feedback info channel loop from manufacturers to consumers? How best to distribute the information of who can manufacture what at what cost/price and what does it do and when is it appropriate for consumers to receive or pull info from where? And if it ends up being a monopoly of 1 centralized system how do you allow for a competitor to break through without ads?
            • MSFT_Edging 8 hours ago
              Ads don't need to collect user information and form profiles. I don't understand why we must capitulate to more and more invasive advertising.

              I don't know about you but I feel humiliated being forced to look at ads all day.

            • Y_Y 5 hours ago
              Catalogues
        • bigyabai 22 hours ago
          > It often is the case practically, but it's not inherent

          Oh my god. It's 2026, and we're still repeating the "I trust Apple/Google/Microsoft enough to resist the government" spiel.

          Hardware attestation is a surveillance mechanism. If China was enforcing the same rule, you would immediately identify it as a state-driven deanonymization effort. But when the US does it, you backpedal and suggest that it could be implemented safely in a hypothetical alternate reality. Do you want to live in a dystopia?

          • lxgr 22 hours ago
            > Oh my god. It's 2026, and we're still repeating the "I trust Apple/Google/Microsoft enough to resist the government" spiel.

            Who is?

            > But when the US does it [...]

            I don't live in the US, and while US is often setting global trends, in this case I don't think that's actually that likely, unless it somehow goes significantly better (i.e., the benefits actually vastly exceed the collateral damage to anonymity and resiliency via heterogeneity) than expected.

        • xinayder 23 hours ago
          Those in power who need convincing are the same ones pushing for mass surveillance online.
      • coppsilgold 23 hours ago
        There is a problem where it's becoming increasingly harder to determine which internet packets coming to your service are at the behest of a human in the course of normal activities or an automated program.

        If the internet were all static content, that wouldn't be much of a problem. But we live in a world where packets coming to your service result in significant state changes to your database (such as user generated content).

        I suspect that we are currently in the valley of do-something-about-it on the graph which is why you see all this angst from the big players. Would Google really care if automated programs were so good that they were approximating real humans to such an extent that absolutely no one can tell? I suspect they would not only be happy with such a state of affairs, they would join in.

        • userbinator 23 hours ago
          That's not a problem at all. It's an artificially created distraction, created to manufacture consent, by those pushing for this shit.
    • miki123211 4 hours ago
      Ultimately, the point of hardware attestation isn't to ensure that your device is trusted, but that the action you're trying to perform was done by a human, not a bot doing millions of them per second. It's just another CAPTCHA mechanism in disguise, required because bots have gotten so good at solving the existing ones.

      With a secure device, the only way to get an attestation for an account signup is to do the signup on that device, with real fingers clicking real buttons on a real screen. There's no way to short-circuit the process by automatically sending a JSON request and bypassing the actual signup flow from a Python script, like you can do with an insecure endpoint.

      With blind signatures, a single compromised device destroys the value of the entire scheme, as it can be used to issue an infinite number of attestations with 0 human oversight.

      What we need is a blind signature construction where the verifier can revoke a signature, each signature carries proof that none of the revoked signatures comes from the same signer, and where it is impossible for one signer to issue more than n distinct signatures during one time window. Not sure if this would be possible with ZKPs; my cryptography knowledge doesn't extend that far.

      • derefr 3 hours ago
        > Ultimately, the point of hardware attestation isn't to ensure that your device is trusted, but that the action you're trying to perform was done by a human, not a bot doing millions of them per second. It's just another CAPTCHA mechanism in disguise, required because bots have gotten so good at solving the existing ones.

        ...no? Maybe this is true of end-user device attestation. But there are other use-cases for attestation.

        Server device attestation is an entirely different thing. It's used in e.g. IaaS "Confidential VM" offerings, where the audience for the attestation information is the customer, rather than the server host. It's a very pro-privacy / pro-data-sovereignty feature.

        And while embedded device attestation is sometimes about preventing customers from tampering with IoT stuff you "sold" them, more often it's about being able to trust and confidently assert that e.g. the climate sensors you've deployed all over a forest as part of a research project haven't been fucked with to report false data by someone with an agenda. (Or to "apply denial" to your unmanned military satellite downlink station the moment you detect that there's some unknown person out there futzing with it.)

    • zx8080 18 hours ago
      > Requiring authorized silicon (and software) isn't even the biggest problem here. It is indeed the biggest issue. It prevents me from owning and using the hardware I pay for, own, or make myself. It's switching the personal computers as we know it from being open to proprietary and owned by 2 large US corporations.

      I don't agree that it's not a problem.

      • brabel 14 hours ago
        Did you just read “not even the biggest problem” as “not a problem”?
        • zx8080 12 hours ago
          I mean it's THE biggest one.
    • to11mtm 4 hours ago
      > Requiring authorized silicon (and software) isn't even the biggest problem here.

      I agree, except I worry it's a bigger concern than we realize.

      I still remember what CableCard (and the hoops needed for HW manufacturers to get certified) did to the DIY DVR Market...

    • vbezhenar 11 hours ago
      Can you revoke certificate for a specific device using privacy schemes?

      Like imagine that someone managed to extract the key from a specific device and distributed that key in a software implementation to fake attestation. Now Google needs to revoke that particular key to disallow its usage. This is an obvious requirement.

      • rapidaneurism 10 hours ago
        Especially if the device in question is linked to an enemy of the state and the people.
    • Hoodedcrow 1 day ago
      Would like to read a writeup on this, I was certain it was going to be something like this from the app's announcement.

      Also I recall a discussion on Graphene's forums that DRM ID is not only retained there, but stays the same across profiles.

      • coppsilgold 1 day ago
        I simplified the process in my description. The DRM ID Android has is not what I was referring to.

        I was referring to the static private key that is stored in the silicon. At any time an application can initiate a license request process using DRM APIs which will elicit an unchangeable HWID from your device. The only protection is that it will be encrypted for an authorized license server private key so collusion may be required (intel agencies almost certainly sourced 'authorized' private keys for themselves). Google or Apple also has the option to authorize keys for themselves. In 'theory' all such keys should be stored in "trusted execution environments" on license servers and not divulge client identities for whatever that's worth: <https://tee.fail>.

        • comex 17 hours ago
          Citation?
          • coppsilgold 16 hours ago

                Content Decryption Module (CDM) in your browser or Mobile SDK generates the license challenge
            
            <https://go.buydrm.com/thedrmblog/the-anatomy-of-a-multi-drm-...>

            The "license challenge" (it might be a mistake I think it's supposed to be a license request) is just a packet (that can be saved and later sent to anywhere) and it contains the encrypted certificate which doubles as your HWID. An adversary needs to control the private key of the license "server" the challenge is for (this is a privacy measure introduced to prevent the CDM from offering the HWID to anyone who wants it). Now if you want the HWID you need to work for it (one time) by stealing a private key, bribing/blackmailing employees or issuing secret edicts ("here is a new license server we need a certificate for"). Working for Hollywood is also an option I suppose.

            Pirates sacrifice devices when they publish ripped content due to the certificate being revoked after Hollywood downloads the torrent and by doing things like this:

                For large-scale per-viewer, implement a content identification strategy that allows you to trace back to specific clients, such as per-user session-based watermarking. With this approach, media is conditioned during transcoding and the origin serves a uniquely identifiable pattern of media segments to the end user.
            
            <https://docs.aws.amazon.com/wellarchitected/latest/streaming...>
    • willis936 1 day ago
      Are these the kinds of issues privacy pass intends to fix? If so, what carrot and/or stick will get it adopted?
  • userbinator 23 hours ago
    In 1999, Intel received an absolutely massive amount of opposition when they decided to include a software-readable serial number in their CPUs, so much that they reversed the decision.

    Then the "security" and Trusted Computing authoritarians continued pushing for TPMs and related tech, and contributed to the rise of mobile walled gardens. Windows 11's TPM requirements were another step towards their goal. The amount of propaganda about how that was supposed to be a good thing, both here and elsewhere, was shocking.

    It turns out a significant (but hopefully decreasing) number of the population is easily coerced into anything when "security" is given as a justification.

    The war on general-purpose computing continues, and we need to keep fighting.

    Stallman was right, as always. Time to give his "Right to Read" another read. (If it hasn't been done already, an AI-generated short film of it would be a great idea...)

    "Those who give up freedom for security deserve neither."

    • jorvi 18 hours ago
      Weird rant. TPMs are great. The modern computing landscape needs a safe place to put secrets. It's what made the iPhone (Secure Enclave is effectively a TPM) years ahead of Android in terms of security.

      The problem isn't the TPM, but attestation. As soon as the TPM is required to not be under your control to get access to Y, bad things happen.

      Hell, in actuality, the problem isn't even attestation, it's policy. The EU Parliament (the one the people vote for, the Commission are cronies) might eventually force corporations into something more citizen-friendly. Neither Apple, Google or Microsoft is going to drop a market that big.

      • nananana9 17 hours ago
        Requiring "tokens" stored in "trusted modules" and 7-factor-auth for everything is not progress, it's theater. The biggest achievement of the security orthodoxy was locking me out of my email, by requiring me to read a code sent to my email to log into my email.

        I -- literally -- do not care about a single "account" in any "service" I use aside from my email and bank account. Most people would add a few social media accounts to that list.

        You don't need a "place to put secrets". Your iPhone app does not do anything important enough to require a "trusted chain" of cryptographic bullshit, just use a password and Google/Apple login.

        • miki123211 3 hours ago
          Your accounts are valuable, even if they're not valuable to you.

          An old account with typical activity patterns can be extended some level of trust. If you sign up for an email address and immediately send a message with 100 recipients in CC, you're probably a spammer, so you get blocked. If you've used the account for years, ehh it's probably invitations to your high-school reunion or a donation drive for your Church, let's let this one through.

          You can only extend this level of trust if you prevent your gullible users from constantly getting hacked; 2FA is one way to do that.

        • EtienneK 13 hours ago
          Passkeys are better passwords. They need a TPM.
          • adev_ 13 hours ago
            > Passkeys are better passwords. They need a TPM.

            Passkeys absolutely do not need TPM.

            You can get passkey support in any browser with a simple 1password plugin without any TPM hardware.

            The same way you could get a TOTP app on your phone without any TPM.

            TPMs are just an extra security layer for most usages.

            They are mainly a necessity for some shady business like DRMs.

            • loup-vaillant 10 hours ago
              > Passkeys absolutely do not need TPM.

              They do not, but how does the service you’re using know your passkey is secure? For all they know you’re just some gullible user that clicks through every phishing email you get. You’re dumb, weak, helpless, they gotta protect you from this scary world out there, and maybe yourself as well.

              They can’t do that if they allow your passkey to be stored anywhere you control. KeepassXC? The second you type in your master password the keylogger will snatch it, and your entire database with it!

              Okay, maybe you’re some hot shot cryptographer, you’re using a TKey (think Yubikey, except you have full control), and there’s no way your secret key leaves it even if your main computer is fully compromised. Well, the service doesn’t know that. All they see is your public key and a matching signature.

              So, sorry Mr. Security Researcher, we’re gonna have to be safe, and require you to use approved hardware only. Too many (wo)man-children out there must be protected, we have no way to tell you’re not one of them, so it’s remote attestation or you’re out. What’s online buying worth anyway, when you can just cross the ocean?

              ---

              Just so we’re clear, I agree with you here. But don’t forget there are two kinds of passkeys out there: with or without the evil remote attestation. And many companies will push for the remotely attested kind, using the exact argument I used above, except with a straight face.

              Or they will just present a false dichotomy: remotely attested passkeys on the one hand, short easy to guess reused everywhere passwords on the other.

              • Ajedi32 5 hours ago
                > how does the service you’re using know your passkey is secure

                That's my business, not theirs. If my password gets stolen, that's my problem, not my bank's. Same deal if my passkey gets stolen. They're welcome to try to educate me on good security hygiene if they want, but what hardware I use to secure my credentials is not something they should get to decide.

              • jcgl 9 hours ago
                > For all they know you’re just some gullible user that clicks through every phishing email you get.

                Passkeys are non-phishable. That's part of their schtick. I'm not a huge passkey fan myself, but this is a real benefit.

                • loup-vaillant 7 hours ago
                  Yes, but that’s not the threat model I was alluding to. The threat model was, you get tricked into executing malware, that will steal your passkey (and your entire password database in fact), and log your master password as soon as you use it.

                  When the passkey is protected behind an HSM (TPM, Yubikey, Tkey…), even a compromise of your main computer can’t steal it. Attackers can still temporarily log in on your behalf, but they can’t do anything with your passkey as long as your computer is turned off. Which means you can un-pwn yourself out of this situation by reinstalling everything (but do keep your HSM!).

                  Overall, we have several levels of security here:

                  - Weak password (potentially reused everywhere). Phished once, pwned everywhere. Not to mention password database leaks.

                  - Very strong unique password from your password vault (KeepassXC). Note that with automatic login, password managers may provide good phishing resistance. Manual copy pasta is still vulnerable, but at least you only compromise that one account.

                  - Passkey stored in your password database. Phishing proof as you say, but falls to a keylogger.

                  - Passkey stored in a hardware security module. Can’t be stolen ever, save for a vulnerability in the HSM itself, or, if you haven’t set up a password for your HSM, theft.

                  Clearly that last option is the most secure. Clearly it would be nice if everyone could do that, though we do need a way to recover from the loss or destruction of the HSM (which in the case of the TPM may mean something as mundane as changing your graphics card). Yet often, other ways are more convenient.

                  Still, I strongly believe companies should not force people into one method or another. Okay, I could maybe tolerate passkeys being forced on me, but not the remote attestation part. Let me manage my own security, with my own tools (preferably open source), thank you very much. There is one use case for which I may approve of remote attestation: work accounts. Because at this point it’s not about the safety of the customer, it’s about the safety of the company itself. It makes sense then that the company (or government agency) impose whatever stringent restrictions on how to access their network. They do have to provide any required tool (company laptop, company palmtop, company dongle…), same way many companies are required to provide individual safety equipment to any of their employees working in hazardous environments.

                  • jcgl 7 hours ago
                    Yes, I agree that device-bound credentials (DBC?) are a really big deal here. Just wanted to get the story straight.

                    When it comes to the notion of requiring DBCs without also requiring remote attestation, how do you deal with solving the problem of virtualized credential devices, e.g. swtpm? If some application wants to leverage DBCs, it will make some DBC API call, e.g. call out to a TPM. However, without some sort of attestation scheme, there's no way to verify who/what is on the other end of that API call.

                    Maybe it's not important for applications to be able to require DBCs without attestation. But at first blush it seems like a valid thing to want.

                    • loup-vaillant 7 hours ago
                      > Maybe it's not important for applications to be able to require DBCs without attestation. But at first blush it seems like a valid thing to want.

                      It’s definitely something I would want, but as you hinted at yourself, if there’s no remote attestation, the user can just use a software TPM. So, a company using passkeys has two choices:

                      - Enforce DBC with remote attestation. This raises the security floor, but enforces device vendor lock-in, and prevents users from selecting unapproved, but potentially even more secure, devices.

                      - Do not enforce DBC. This lets users use less secure virtualised devices, but there’s no vendor lock-in, and those who want may use the latest most secure device ever.

                      Which alternative is appropriate is now a social & political problem. My opinion is that for general computers released to the general public, remote attestation is never legitimate. Even with the best of intentions it is fundamentally uncompetitive, and it makes it way too easy to go full Evil Corp. Specialised appliances and employees however are different stories.

                      ---

                      Anecdotally, I have worked on TPM provisioning a couple of years back, and I had to warn my hierarchy that doing it the way they specified, the TPM could be impersonated: we checked the signature of the certificate, but failed to compare the certificate root with the manufacturer’s keys. My boss didn’t believe me, until I showed the production code happily provisioned a software TPM, without detecting the impersonation. (Actually, he didn’t believe me even then; I had to go over him to the security specialist.)

                      This was totally a case of remote attestation. But I believe this particular case was legitimate, because it was a specialised appliance (electric car charging station), that was meant to process payments, similar to a gas station terminal.
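The provisioning bug in the anecdote above, as an added Go example that is not code from the post or from any TPM vendor: it contrasts a check that only verifies the EK certificate's signature against the issuer certificate the device itself supplied with a check that chains the EK certificate to a pinned manufacturer root. All certificates are constructed inline as test material; the "Software TPM Root" stands in for the impersonating device, and the function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parent/parentKey (self-signed when parentKey is nil)
// and returns the parsed certificate together with its freshly generated key.
// Everything minted here is constructed test material, so setup errors panic.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil { // self-signed root: the new key signs its own cert
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// rootTemplate is a CA template, used both for the stand-in manufacturer root
// and for the self-made CA that plays the software TPM from the anecdote.
func rootTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// ekTemplate is a leaf endorsement-key (EK) certificate template, the kind a
// TPM presents during provisioning; the EK is an encryption-only key.
func ekTemplate() *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "TPM EK"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageKeyEncipherment,
	}
}

// naiveCheck is the flawed logic: it only confirms that the EK certificate was
// signed by whatever issuer certificate the device handed over alongside it,
// so any party able to mint its own CA passes.
func naiveCheck(ek, presentedIssuer *x509.Certificate) bool {
	return ek.CheckSignatureFrom(presentedIssuer) == nil
}

// pinnedCheck chains the EK certificate to a root pool the verifier controls;
// an issuer supplied by the device counts only if it is in that pool.
func pinnedCheck(ek *x509.Certificate, manufacturerRoots *x509.CertPool) bool {
	_, err := ek.Verify(x509.VerifyOptions{Roots: manufacturerRoots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// RunProvisioningChecks builds a genuine chain and a rogue chain and reports
// how each check judged them.
func RunProvisioningChecks() (naiveGenuine, naiveRogue, pinnedGenuine, pinnedRogue bool) {
	mfr := rootTemplate("Constructed Manufacturer Root")
	mfrRoot, mfrKey := issue(mfr, mfr, nil)
	rogue := rootTemplate("Software TPM Root") // stands in for the impersonating device
	rogueRoot, rogueKey := issue(rogue, rogue, nil)
	genuineEK, _ := issue(ekTemplate(), mfrRoot, mfrKey)
	rogueEK, _ := issue(ekTemplate(), rogueRoot, rogueKey)
	pinned := x509.NewCertPool()
	pinned.AddCert(mfrRoot) // only the manufacturer root is trusted
	naiveGenuine = naiveCheck(genuineEK, mfrRoot)
	naiveRogue = naiveCheck(rogueEK, rogueRoot) // passes: this is the provisioning bug
	pinnedGenuine = pinnedCheck(genuineEK, pinned)
	pinnedRogue = pinnedCheck(rogueEK, pinned) // rejected: its root is not pinned
	return
}

func main() {
	ng, nr, pg, pr := RunProvisioningChecks()
	fmt.Printf("naive: genuine=%v rogue=%v\npinned: genuine=%v rogue=%v\n", ng, nr, pg, pr)
}
```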

            • miki123211 3 hours ago
              TPMs give you the convenience of short passwords (or no passwords) and the security of long keys.

              A chip which you can write to and interact with but can't read is valuable; it lets you enforce conditions which you otherwise couldn't. For example, you can protect your sensitive data with a 6-digit pin, secure in the knowledge that the chip will erase the encryption key after 10 failed attempts. If you had full access to the TPM storage, you could brute force that PIN in seconds.

          • vbezhenar 11 hours ago
            Run vaultwarden locally. Install bitwarden. Now you have a software-only implementation of a passkey. Dig into the vaultwarden sqlite database and you'll find passkey data there. Extract and save it on disk and you have an exportable passkey. See, it's all security theater without remote attestation.

            I had an idea to create a blatantly insecure passkey browser extension. Maybe I should do that.

        • JambalayaJimbo 14 hours ago
          What about Apple Wallet?

          The reality is that there is software dependent on the user being unable to modify it. This safeguards the server against fraudulent users.

          • customguy 10 hours ago
            Never trust user input. The users already can't modify the server.

            And what actual applications did you have in mind that warrant throwing everybody under the bus? (by that I mean some applications (allegedly) need it, so it gets forced on everyone)

            • JambalayaJimbo 6 hours ago
              My banking app already trusts Face ID right now!
          • well_ackshually 7 hours ago
            The one that's so incredibly broken that Apple and Visa keep blaming each other when they get a report that you can steal any amount by making yourself pass as a transit card? Cool security theater. https://hackernoon.com/veritasium-stole-$10000-from-mkbhds-l...
            • JambalayaJimbo 6 hours ago
              This just sounds like a bug. Haven’t delved too deep into it technically though.

              Anyway flawed implementation doesn’t mean that hardware attestation is a fundamentally useless primitive. Apple Wallet is responsible for millions of transactions a day.

      • jeroenhd 10 hours ago
        Attestation isn't even the problem. I'd love to be able to verify that my server's kernel hasn't been tampered with.

        The problem lies in companies like Apple/Google/Microsoft rejecting attestation that they do not control.

        People confusing big tech's policy choices with tech features have made "I want my laptop's auth token to only be usable on my laptop" a controversial opinion.

      • loup-vaillant 11 hours ago
        > TPMs are great.

        TPMs are a fucking mess. TPM 2 at least, I’ve worked with it for a few months. I love me some hardware security module, but I want to control it. And if it must be a standard, please please do something like the TKey, so it can be both much simpler than current ad-hoc standards and future proof.

        https://loup-vaillant.fr/articles/hsm-done-right

      • lisabytes 12 hours ago
        >The modern computing landscape needs a safe place to put secrets.

        Does it? Why waste time on developing exploits when you can just call up grandma and get her to give you the money by her "own" volition - using her secure device - by pretending to be the bank/IRS/her granddaughter using AI voice/etc.

      • pretzel5297 17 hours ago
        Agreed. Trying to limit progress because it may be misused is attacking the wrong part of the problem and will not work.
      • jojobas 17 hours ago
        TPMs add security against a narrow case of evil maid attacks. They might be useful for corporate computing (for cargo cult compliance purposes more than actual security) but they trojan horse more of "not owning the device you bought" with it to people that don't and shouldn't care about evil maid attacks at all.
        • jeroenhd 9 hours ago
          Adding brute force resistance to consumer hardware is pretty useful. Now your password can be John1985 without fear of getting brute forced within seconds.

          "I don't use a TPM in my computer so it shouldn't exist" has always sounded like a weird argument against the tech in my opinion.

          Many Android phones have their secret storage implemented as a virtual machine rather than a TPM. The lack of a TPM doesn't suddenly give me any more freedom, although it does come with security downsides.

        • fsflover 13 hours ago
          TPMs can also be based on free software and our own keys. It works well with Heads and Librem Key.
    • krupan 23 hours ago
      Totally with you until you brought in AI, a completely centralized and proprietary tool.
      • userbinator 22 hours ago
        Local models exist, but there's also irony in using the tools to spread the message of the opposition.
        • krupan 22 hours ago
          The local models are still centralized and proprietary. They are basically closed source software.
          • userbinator 22 hours ago
            Closed or open source doesn't matter; it's the ability to control them that's important. People have been cracking and patching for decades without source, but they have that control.

            Contrast this with remote attestation, where they might show you the source code for everything but you're still powerless to do anything.

            • Rohansi 18 hours ago
              > Closed or open source doesn't matter; it's the ability to control them that's important. People have been cracking and patching for decades without source, but they have that control.

              You have no idea what has been baked into the weights in the training process. In theory you could find biases and attempt to "patch" them out, but it's a vastly different process vs. patching machine code.

              Consider what would happen if Google's open weight models were best at writing code targeting Google's services vs. their competitors? Is this something that could be patched? What if there were more subtle differences that you only notice much later after some statistical analysis?

              • narrator 17 hours ago
                People are already patching these models using abliteration to prevent them from refusing any request, so it is possible for end users to change them in meaningful ways. You can download abliterated models right now from Hugging Face that will respond to all kinds of requests that frontier models refuse.
                • Rohansi 4 hours ago
                  The problem is you can't reverse engineer what was baked into the weights because they are just weights. You'll never know if you've fixed everything because it's not always going to be as obvious as request refusal. It's also not binary where you can fully confirm something is fixed or if you've accidentally affected something else.

                  They're for sure impressive but I don't see how anyone can push them as "open" when they are literally binary blobs. Worse, because it's not practical for anyone to actually train LLMs that can even come close to competing with the ones corporations are pumping out.

                • hparadiz 17 hours ago
                  Yup there's a ton of people on HN sleeping on this new tech because they refuse to look at anything AI. We now have jailbroken models but the average person on here doesn't even know how to download and try a model.
                  • CableNinja 16 hours ago
                    It doesn't help that guides I've seen have been pretty handwavy or are not specific enough to the individual situation (I have Z hardware, here's how it's done). It also doesn't help when every post on HN I see is like 'oh waow I did X on a Mac Mini with 128GB RAM'. That spec is beyond many; running on generally available resources (such as hardware one might have lying around their house) does not seem fit for the purpose, so it's back to building a new machine (gl when RAM is worth 2x its weight in gold), or buying a $1000+ Mac Mini, or other device. Any low-end system can't turn out tokens fast enough, or doesn't have the resources for context or processing.

                    Local AI is not ready, and if you think it is, prove me wrong with a detailed guide running commodity hardware with complete setup steps that can use a decently sized model.

                    I spent 2 weeks trying to get anything running - 8GB RX550XT, 12GB RAM, 8-core CPU. I even tried turboquant to lower memory utilization and still couldn't even get a 3B or 4B model loaded, and anything lower won't suit my needs (3/4B are even pushing it).

                    • hparadiz 15 hours ago
                      "Local AI is not ready" > proceeds to run a 7 year old budget GPU

                      You're like the kid showing up to a test without a pencil.

                      It's ridiculous for you to suggest that an advanced AI model needs to run on your budget 7 year old graphics card that is already out of date for even today's gaming. My parents spent $2500 on a computer in 1995 and that was a 166MHz Pentium 1. If they spent that money today it would be $5261. Think of what you can get for that amount of money. Then you're over here trying to say a budget graphics card needs to somehow compete with the bleeding edge of computer innovation.

                      You do, in fact, need to spend money on appropriate gear if you expect to participate.

                      • userbinator 14 hours ago
                        If you want AI image generation and are willing to wait a little longer, you don't even need a GPU: https://news.ycombinator.com/item?id=32642255
                        • hparadiz 12 hours ago
                          I've played with SD plenty. CPU even becomes manageable at low resolutions. But uh CPU/GPU is starting to blur now with these new AMD inference CPUs with built in GPUs. And ARM based machines like Macs. I wish more people on HN were using this stuff so we could have fun conversations about it instead of arguing over whether or not we should even be using these tools.
                    • narrator 16 hours ago
                      When Stallman was getting started writing emacs in the early 80s, Unix machines were vastly out of reach price wise for the common home user, but he did his open source work anyway, and eventually the 386 came along.
                    • vbezhenar 10 hours ago
                      TBH I never understood people trying to run LLMs locally. Just rent a powerful machine in the cloud for a few hours. It's cheap enough, because you don't need to own the hardware. It doesn't introduce a dependency because there are hundreds of hosters. It doesn't compromise your data, because nobody would extract data from your VM, not until you're under an investigation, anyway, and even in that case just use a different jurisdiction.

                      Spending a humongous amount of money to get a machine that'll feel obsolete in 2 years? I don't know.

          • twobitshifter 5 hours ago
            Is there a way to make a model more open source than open weights?
          • nullc 21 hours ago
            RMS found it acceptable to use SunOS initially to create GNU.

            Open weight models can be a big boost to building Open AI (cough). Progress comes from incremental improvements, -- and open weight models are a big advance in privacy, security, and autonomy over relying on hosted closed systems.

            Source vs not is only one (important!) dimension; moreover in FSF land they define source as being the preferred form for modification, and at least for some kinds of modifications the weights are the preferred form.

            • pabs3 20 hours ago
              > the weights are the preferred form

              This can never be the case.

              Both the licensing and source aspects of the Free Software movement are aspiring to create a high level of equality of access to a [software] work between both the original author and far downstream recipients. Obviously full and universal equality is impossible because part of the work is only in the author's mind and not everyone can obtain and use computers, but approaching that as closely as possible is important and it is important to think about how to achieve a high level of equality for each work in each context. What is "source" in any given context is a choice the author makes about what level of access they want to pass on to others.

              In the case of AI, weights can never be the preferred form for modification because of the equality of access issue. The people who trained the AI (and hide its training data/code but published the weights) will always have more access than the people who only have the weights. Just like a binary can almost never be the preferred form, because the authors have access to the source but we don't.

              There are also many ways to bias the model and insert backdoors or other suboptimal behaviours into it during training data selection etc.

            • manytimesaway 20 hours ago
              >RMS found it acceptable to use SunOS initially to create GNU.

              Any source on that?

              • nullc 20 hours ago
                I know it from personal experience using GNU tools on Sun early on (really Solaris in my case, I wasn't quite that early a user), and I think from a talk or essay by RMS but for a moment I worried it might have been personal correspondence. Finding a citation seemed like a fun challenge:

                https://www.gnu.org/gnu/thegnuproject.html

                > [...] the easiest way to develop components of GNU was to do it on a Unix system, and replace the components of that system one by one. But they raised an ethical issue: whether it was right for us to have a copy of Unix at all.

                > Unix was (and is) proprietary software, and the GNU Project's philosophy said that we should not use proprietary software. But, applying the same reasoning that leads to the conclusion that violence in self defense is justified, I concluded that it was legitimate to use a proprietary package when that was crucial for developing a free replacement that would help others stop using the proprietary package.

                > But, even if this was a justifiable evil, it was still an evil. Today we no longer have any copies of Unix, because we have replaced them with free operating systems. If we could not replace a machine's operating system with a free one, we replaced the machine instead.

                Still leaves open the question of RMS personally using SunOS (as opposed to some other proprietary unix), but I think at this point I'd just go dig up very old GNU sources for evidence of that; I suspect your question was primarily about RMS' ethical reasoning, which is well answered above.

                • manytimesaway 10 hours ago
                  Thanks for the quote, I couldn't find anything online.

                  Although it seems to me that the comparison is somewhat fragile: it was not possible to develop GNU anywhere else, whereas we could completely build local models from scratch nowadays, unless I'm mistaken.

                  • nullc 8 hours ago
                    Small models were originally built from distilling, using synthetic training materials, and filtering training material with much larger models. There is a bit of a bootstrapping problem where to build a good LLM you need a working LLM and if you don't have one the costs are absolutely eye watering.

                    One observation is that the LLM is a next token predictor but if you train it on the internet/textbooks/etc you get a predictor of that--- but that isn't the behavior we actually want. None of these sources tend to contain "Solve this problem for me. OK, here is the solution:".

                    It wasn't physically impossible to start GNU the other way around, by bashing machine code into a system until you had a working operating system. But doing so would have been a lot less reasonable-- much more expensive, making progress much less quickly, etc.

      • SchemaLoad 21 hours ago
        Especially considering AI bots are the whole reason google is pushing this new recaptcha.
        • userbinator 19 hours ago
          "AI bots" are as stupid an argument as "think of the children". It's just a convenient distraction to restrict freedom and push their narrative.
    • loup-vaillant 10 hours ago
      > (If it hasn't been done already, an AI-generated short film of it would be a great idea...)

      Once you have the script, that’s a couple actors in a classroom, a couple e-ink readers for props, the film crew… It can be shot with less than 10 people in a day, then one person for a couple days for cutting and post production. And that’s on the very high end for this scene.

      Considering the reach this video would be meant to have, avoiding AI would not be that expensive.

    • lewo 6 hours ago
      On the other hand, the TPM spec is pretty complex, especially because they wanted to address privacy issues: the endorsement key, burned by the manufacturer, is only able to encrypt messages and not able to sign them, because this could have been used to track machines. (and this makes a remote attestation protocol much more complex to implement)

      So, it looks like they were aware of such issues and tried hard to mitigate them.

    • mmooss 20 hours ago
      > In 1999, Intel received an absolutely massive amount of opposition when they decided to include a software-readable serial number in their CPUs, so much that they reversed the decision.

      > It turns out a significant (but hopefully decreasing) number of the population is easily coerced into anything when "security" is given as a justification.

      The people who opposed Intel are now telling each other how hopeless and powerless they are. You can see it on HN, in this thread: No drive, outrage, and self-organizing response to these issues, but despair - 'nobody cares', 'there's nothing we can do', etc. Quitting is a sure way to lose.

      • userbinator 18 hours ago
        > The people who opposed Intel are now telling each other how hopeless and powerless they are.

        I don't think those are the same people. I, for one, will continue this fight by telling everyone I know about the fact that Google is going for absolute control of the Internet, and by extension, everyone's lives. They have already become an unelected global government.

        • mmooss 17 hours ago
          I'm not talking about individuals - where is the overwhelming pushback that Intel faced?
          • userbinator 16 hours ago
            There can't be pushback without awareness. At this point it's still something that most people don't know about yet, so do your part and spread the word. Get well-known YouTubers (Louis Rossmann is the first one to come to mind) to do so too.
  • ChuckMcM 1 day ago
    This is a really good thread on why this technology is becoming a problem for "open" anything. The argument "we can create our own separate web" is fine until all of your services are behind the web that locks you into owning a Google approved or Apple approved mobile device.
    • steelframe 1 day ago
      I like to ride my bicycle with my friends in rides organized by the (Pacific Northwest) Cascade Bicycle Club. They require that I solve a Google reCAPTCHA in order to register for a ride. Google is already completely locking me out from being able to do that. When I try to click on the squares to select whatever items it's asking, it indefinitely loops. When I try using the audio version, it completely blocks me from using it saying that there has been suspicious activity.

      That means that I ride alone these days. I did not renew my membership this year.

      The last time I experienced something like this was when Facebook started being the only way to participate in certain events. Back when that happened, I simply counted myself as excluded and did other things with my time and money.

      • jdiaz5513 20 hours ago
        I also had a similar issue with Cascade Bicycle Club - they chose to organize things via WhatsApp, and since I am (inexplicably) banned from opening a Meta account I was completely left out of the group and missed out on many rides/details that were only shared via WhatsApp.

        When I tell people that this is even possible I get wide-eyed stares — as if they never contemplated that Meta could exercise their right to ban someone from the platform.

        It's a huge problem and I have no idea how to fix it except talk about it and spread awareness. And I am not remotely interested in trying to work around the ban.

        • edg5000 16 hours ago
          You bring up a good point. There is a general lack of awareness of how much power we're giving these monopolists. As a kid, in school I was taught to be wary of drugs, STDs, pimps and other threats. This should be added to the list. This is a clear cut case where governments should start educating the people about this.
      • andy99 1 day ago
        I hope you contacted them to explain why. People usually think I’m a nut when I do it, or are too stupid to understand and think it’s a tech support issue, but it’s worth at least trying to make it clear that you are choosing not to use/do/pay something because of their choice to use recaptcha
        • ChuckMcM 1 day ago
          +1 to this. I had a long conversation with a local shop that went to only ordering online or through an enslaved iPad on a pedestal at the entrance. I explained to them that I wasn't going to use their app or web page online, and the iPad at the door has people trying to figure it out so orders take longer, and the combination means I just won't eat there any more.
          • pigeons 15 hours ago
            I also stop going to these places, and also not out of any deep principle; it just isn't something I want to waste my life doing. I'll go somewhere I can just ask for what I want to order.
        • Footprint0521 23 hours ago
          Why not just 2captcha it and go on with your life?
    • saltcured 1 day ago
      And it didn't even take attestation to cause this absurd situation where many businesses or social groups were only reachable behind Facebook or WhatsApp or whatever.

      To me this is such a bizarre cyberpunk dystopia. Like if we could only send letters and packages to people subscribed to the same private postal service, or drive on roads that had cross-licensing with our brand of car.

      • chii 14 hours ago
        > could only send letters and packages to people subscribed to the same private postal service ...

        that's a corporate monopoly's wet dream.

    • Someone 1 day ago
      IMO, it would be better if they removed the claim “It doesn't provide a useful security feature” because, even if it does, the collateral damage of making non-Google, non-Apple OSes second class citizens remains, and that is the main problem.
      • AnthonyMouse 22 hours ago
        > it would be better if they removed the claim “It doesn't provide a useful security feature” because, even if it does,

        What evidence is there that it does?

        Attestation purports to prove the code is running on an "approved" device. There are multiple reasons that has no real security value.

        The first is that "approved" not only has no relationship to "secure", they're actually anti-correlated. As the article points out, GrapheneOS has better security than normal Android. Moreover, as a general rule the stock firmware that can pass attestation is more likely to be outdated and have security vulnerabilities than a custom ROM, and also as a general rule devices (like PCs) with more open hardware have the ability to be updated. A four year old attestation-passing Android phone may already be out of support and unable to be updated while still passing attestation; a 20+ year old PC can run the latest supported release of e.g. Debian.

        The second is that "secure" and "runs code the service doesn't want" are likewise unrelated. Suppose there is an Android device which is still receiving updates. A local privilege escalation vulnerability comes out and that device will get the patch, but hasn't yet. So now any attacker with any of those devices can get root on it until they apply the patch. Which means they can get root after the main filesystem is unlocked, modify the filesystem so they continue to have root by changing something that isn't part of the attestation hash but still causes code or scripts to run as root later, and then update to the latest kernel and continue to have root on a device that passes attestation. The device is secure -- fully patched -- but it's the attacker's own device and they can run arbitrary privileged code on it. Requiring every device to be "secure" against the person who has ownership and permanent physical possession of it is a ridiculous thing to take as a security assumption.

        And the third is that attestation doesn't actually do what you want it to anyway. Banks want to make sure the user isn't entering their credentials into a compromised phone, but having the official bank app refuse to run on that phone doesn't actually prevent that, because the fake bank app which is stealing the user's credentials on a compromised device won't require attestation to pass regardless of whether the real one does.

        • labcomputer 13 hours ago
          > Attestation purports to prove the code is running on an "approved" device. There are multiple reasons that has no real security value.

          BART (San Francisco Bay Area Rapid Transit), as a real world example, recently installed "evasion-proof" fare gates, and observed a 90% drop in vandalism-related maintenance expense. An overwhelming majority of fare evaders are not vandals, but apparently nearly all vandals were fare evaders. Bayes' theorem in action.

          I don't have any data to back this up, but my sense is that attestation is an analogous situation.

          In other words, banks and governments and other such institutions have noticed (and they probably do have data to back this up) that very few of their customers use "unapproved" devices and a very large majority of fraud comes from "unapproved" devices. They view banning unapproved devices as a high-ROI means to reduce fraud.

          So, any argument predicated on "attestation is not security" is doomed to fail, just like saying "most fare-evaders aren't vandals". Yes, most people running GrapheneOS aren't trying to commit bank fraud, but the banks don't care about that if nearly 100% of fraudsters are using unapproved devices.

          • AnthonyMouse 10 hours ago
            > In other words, banks and governments and other such institutions have noticed (and they probably do have data to back this up) that very few of their customers use "unapproved" devices and a very large majority of fraud comes from "unapproved" devices.

            What would cause you to think that to be the case?

            There are two primary ways that bank fraud happens. The first is that the attacker steals the user's credentials, at which point they can sign into the user's account and transfer funds, and can use any device the bank requires because they already have the credentials. The second is that the attacker convinces the user to transfer the money and then once again the user is using an approved device if that is required, and requiring it in no way prevents the attack.

            Moreover, even if there was a statistical correlation -- which there is no reason to expect in this case -- that doesn't help you when the attackers could just use their stolen credentials on an approved device anyway, regardless of what they were doing before.

            Vandalism can be reduced by excluding fare evaders because that's a class of people rather than a class of devices. Requiring the attackers to use an approved device when the approved device still allows them to commit the fraud accomplishes nothing.

            • nullc 8 hours ago
              > Vandalism can be reduced by excluding fare evaders because that's a class of people rather than a class of devices.

              Just observing: People who don't own an iPhone or modern android are also, generally, of a class -- and probably one banks would prefer to not do business with for profitability reasons.

              People who don't have spyware/lockinware for principled reasons are currently rare enough to not matter in this analysis-- though sure, they're probably customers the bank wants.

      • Hoodedcrow 1 day ago
        I feel like the complaint about this not adding to security could be read in a really wrong way. Instead of "this is some hypocritical BS", could be interpreted as "lol let's lock EOL devices from even lower integrity tiers". Doubt this is possible because so, so many people use EOL phones, but still.
        • userbinator 23 hours ago
          > Doubt this is possible because so, so many people use EOL phones, but still.

          Because many people have fortunately realised that "EOL" is just an excuse to create lots of e-waste and push even more hostile unwanted changes.

          • erikerikson 4 hours ago
            I would attribute EOL phone use largely to being frugal or poor. I'm sure at least one person considers the ecological factor but I'd expect that to be a small cohort.
          • Hoodedcrow 10 hours ago
            Eh, not really. Using EOL devices is genuinely a bad idea, it's just that with phones you have no choice due to the updates usually being only like 2-3 years and alternative OSes not being as accessible as Linux. And most people don't even care or know anyway.
      • thomastjeffery 1 day ago
        That's one of the two main claims made in favor of hardware attestation, so it makes sense to argue against it. Of course, the other claim (that categories of people must be kept "safe" from categories of content) is more insidious, so it does deserve more attention.
    • luckylion 1 day ago
      Wouldn't the argument be that you'd build separate copies of those services as well?

      Granted, for banking or government-interactions that isn't feasible, but wouldn't it for many other things? It would likely be more expensive given that the work to build something still needs to be done and the cost is distributed among fewer shoulders and the lower complexity since you don't need to build ad-tech doesn't make up for that, but I suppose that's a bit like quality food.

      Hardware will be more difficult.

      • chii 14 hours ago
        > Wouldn't the argument be that you'd build separate copies of those services as well?

        You can't if the service requires the network effect to function well, if at all. Look at Bluesky and all the alternatives, look at the pitiful attempts at making a YouTube alternative, etc.

    • samplifier 1 day ago
      Are there enough of us to run our own country? It makes me feel dumb, but this is a serious question.
      • otterley 1 day ago
        If you live in a democracy, you already do run your own country. Vote accordingly. Get involved in politics.
        • orthecreedence 14 hours ago
          The problem is democracy and capitalism are incompatible, so that "if" is doing some really heavy lifting.
          • otterley 7 hours ago
            Why are they incompatible? They’ve been operating together for hundreds of years.
        • daishi55 1 day ago
          There are mountains of academic research showing that even in “democracies”, public opinion rarely translates into policy (by design).
          • zozbot234 1 day ago
            The problem with that argument is that there really is no such thing as public opinion at scale. You can poll people/the general public on just about any issue and the answers are going to differ massively depending on framing effects. In the end, it's hardly better than just flipping a coin.
            • ryandrake 23 hours ago
              Even if public opinion is unified, if they want something to happen, they are just going to ignore the public and do it anyway. Like the recent cases of data center projects where they just ignore the public voting against them. Democracy's weakness is that it requires people to follow the rules, but if nobody voluntarily follows the rules, then we don't really have one.
              • otterley 22 hours ago
                > Like the recent cases of data center projects where they just ignore the public voting against them

                Do you have an example? And was this a binding or non-binding vote?

                • ryandrake 21 hours ago
                  • otterley 20 hours ago
                    As usual, the story is much more nuanced and complicated than the simplistic and convenient narrative of "ignoring the public." And reading diluted blogspam like Tom's Hardware doesn't help.

                    Here is the full story:

                    (Source: https://archive.ph/Kiyn9)

                    > The commission rejected the plan to rezone the farmland [that would allow the data center to be built]. The township board followed suit, voting 4–1 to deny it. But locals quickly discovered that amid the frenzied AI infrastructure gold rush, “no” does not always mean no.

                    > Two days later, on Sept. 12, Saline Township was sued by Related Digital and the site’s landowners. Their lawsuit alleged “exclusionary zoning”—that the community had unreasonably barred a legitimate land use under Michigan law, and it hinged on the fact that Saline Township had no land zoned for industrial use, and that a data center qualified as a “necessary” use that could not be excluded altogether.

                    > The lawsuit underscored the township’s limited leverage. Even if officials had fought it, their lawyers advised them, the project could likely have moved forward via other avenues, such as partnering with an institution like the nearby University of Michigan, which can build projects that are not subject to local zoning in the same way as private developments. Meanwhile, a prolonged legal battle against well-resourced developers risked significant costs for the township, without securing concessions.

                    > Lucas, the town’s attorney, says the township board had little choice and did its best to be transparent. It was “between a rock and a hard place,” he said. “I’m not sure there were any good solutions.” Within weeks, the township had settled: It signed a court-approved agreement allowing the project to proceed, and construction began soon after.

                    > In exchange, the township secured roughly $14 million in community benefits—a relatively small sum in the context of a multibillion-dollar project, but more than 10 times its roughly $1 million annual budget. It includes funding for farmland preservation, local projects, and fire departments; along with a series of environmental and operational limits: restrictions on water use, noise caps, preserved agricultural land, and limits on expansion.

                    > David Landry, the attorney who represented Saline Township in the Related Digital lawsuit, told Fortune that he stands by his recommendation that the board settle with the developer. “The zoning power of any municipality—a township, a city, a village—is not absolute,” he explained. “In this case, exclusionary zoning was substantive—the municipality has to have a reason to say no. They just can’t say, ‘We don’t want it.’”

                    > Sarah Mills, a professor at the University of Michigan who studies land use planning, agreed that the town had few good options once the lawsuit was filed. “States determine how much authority local governments have in zoning, and those systems vary widely,” she said. “What local governments can do through zoning is highly controlled and regulated by the state.” Local governments are also often strapped for cash, making it difficult to defend against zoning challenges, she added.

                    > Marion, the township clerk and sole board member who voted in favor of the proposal, said this reality was on her mind when she voted yes. It wasn’t because she favored a data center, she said, but because she did not believe the town could win in a showdown with Related Digital. “They were doing studies,” she said. “They were pulling permits.” Township attorneys and consultants had warned that a denial could trigger a lawsuit—an outcome Marion said felt intimidating. “Everything was drafted and filed with the county within two days of the meeting,” she said of the lawsuit. “They had this all prepared.”

                    > If the township had continued to fight and lost the lawsuit, Marion said, homeowners could have been on the hook for tens of thousands of dollars in tax assessments to pay for the legal battle. “The insurance company was only going to pay for an attorney to defend us up to so much money if we decided to fight it,” she said.

                    • ryandrake 20 hours ago
                      So a vote happened, and when it didn’t go their way, huge company threatened a huge lawsuit that the township and citizens couldn’t afford, to get their way anyway. Standard corporate bullying tactic in America.

                      The story perfectly exemplifies how little democratic control the public has over what corporations do in and do to their community.

                      • otterley 20 hours ago
                        The reason the would-be purchaser sued the state is that they had a plausible argument that the township's denial was illegal under Michigan state law. There are quotes in the article from the Governor's office that they support the construction of data centers. This isn't democracy not working; it's that the efforts need to go up to the state level in the hierarchy.
                        • cool_dude85 17 hours ago
                          And when you find that your state senator's votes don't actually matter, will we start engaging in federal politics? I suspect, if it makes the right person a buck, that even once the federal legislature votes against it, you'll find a treaty or free trade agreement or something requires those votes to be overridden. And by the way, the data center was built and began operating 10 years ago.
                        • ryandrake 19 hours ago
                          State law is yet another tool commonly used by corporations to overrule the will of the people. The Law is a product that corporations and the rich purchase.
                • tjbrock 15 hours ago
          • tbrockman 1 day ago
            Even accepting your premise your options are still either:

            1) Don't participate (and accept the consequences)

            2) Participate (and accept potential disappointment/failure, with the benefit of having tried)

            If you view 2) as fruitless unless your desired outcome is likely, you miss the potential value in the pursuit itself: working with like-minded people, building community, developing new skills, taking agency in your own life, and whatever else might come up along the way.

            I don't begrudge anyone for choosing 1) (as long as they own their decision and don't force it on others), but 2) still seems like the aspirational choice I'd want to make if I could.

          • marcosdumay 1 day ago
            Not much of a democracy...
          • Sh0000reZ 1 day ago
            https://www.nber.org/papers/w29766

            Stop re-electing people.

            Stop sitting at home projecting apathy and ennui in between WOW raids and rounds of LoL.

            Mountains of evidence from history shows public has to stand up for itself, not lick boot.

            Refuse to give the politicians and owner class assurances they too refuse to provide.

            Most of them are old af and have no survival skills. They're reliant on the latest social memes, stock valuations not religious allegory, that are not immutable constants of physics.

            Boomers looted the pension system of the prior generation to fund Wall Street. Take their money. It's American tradition.

            Remind them physics is ageist and that neither physics nor American society affords any assurance that anyone has food and healthcare.

        • ls612 22 hours ago
          When one group says “we don’t want surveillance” and the other group says “we will use surveillance to destroy you” the equilibrium is clear. This is why liberalism will not survive in the 21st century.
      • dvdkon 1 day ago
        I'm convinced that in the billions of people living on Earth, there are a couple million that could agree on things that currently divide countries, like this. Sadly they're unlikely to ever be able to gather together in a single state.

        The status quo is nation-states in roughly their post-WW2 borders, and it's fiercely protected. The upside is stability and fewer wars, the downside is that the only way to try anything new is to co-opt an existing country. Adding to that, most countries are ethnostates that would prefer to have only a small percentage of their population be migrants. It's an easy way toward social cohesion, you just stay roughly where you're born, with people who were also born there and share the same cultural background. As we can see, it's not ideal - two lifelong neighbours can easily hold completely opposite moral values.

      • palata 23 hours ago
        The problem with "us" is that it's not enough to agree on one small question ("is hardware attestation good or bad") to happily live together in our own country. "We" have a wide variety of opinions about pretty much everything.

        In other words, "we" exist only to fight against this one thing we disagree with. And even there, we probably don't all agree on how to fight it or what to do instead.

      • voakbasda 1 day ago
        Where would you do that? Realistically, the question is one that cannot even be asked safely: are there enough of us to overthrow the existing systems and replace them with something better?

        The answer to either question, really, is no. The powers that be have systematically implemented policies that keep us divided to prevent that eventual outcome.

        • userbinator 22 hours ago
          In terms of headcount, and especially those who are working on this hostile stuff, Big Tech is not even that big compared to the rest of the population.
        • mwwaters 1 day ago
          The “enough of us” is at least a majority of voters agreeing. I’m not sure what the alternative to that is.
      • epistasis 1 day ago
        Who is the "us" in your question? Theoretically in democracies we should be able to decide this, if we aren't being distracted from real political questions with the culture war stuff that divides the public's attention and divides neighbors from each other.

        Any new country will have these same issues, eventually, and probably a lot more that don't seem obvious on the surface.

        Fighting against these sorts of monopolies seems far more likely if we can figure out what forces inside the EU and the US are driving these changes and find a way to educate the public, interest groups, and politicians about what's going on.

      • throw7 1 day ago
        We already have a republic. If we can keep it.
      • IdiotSavage 1 day ago
      • thomastjeffery 1 day ago
        Ideally, we just run our own lives, collaboratively. That's the anarchist default position that we all start in.

        What we really need is to meaningfully participate outside of the hierarchical monopolistic systems that demand our participation. That doesn't just mean that we create and hang out in distributed networks: it also means that we make and do interesting shit there, too.

        The biggest hurdle I see is that we only really use uncensored spaces to do the shit that would otherwise be censored. We don't use distributed networks to plan a party with grandma, or bitch about the next series of layoffs. We don't use distributed networks to share scientific discovery or art.

        I think part of the solution is to make software that is better at facilitating those kind of interactions, and the other part of the solution is actually fucking using it. How many of us are only waiting for the first part?

        • nullc 21 hours ago
          but what if the alternatives are fundamentally worse? Turns out centralization has a lot of advantages.

          I think it's an error to demand the alternatives be as good-- that might not even always be possible. But even if they're less good they're usually still better than anything we could have imagined decades ago-- they're good enough to use.

          And that should be enough because we shouldn't consider handing control of ourselves to third parties to be an acceptable choice at all.

          • thomastjeffery 7 hours ago
            Let's dig into what makes them worse, and see what we can do about it.

            I think the main struggle is moderation. Moderation requires a hierarchy, which is much more compatible with a centralized model. I'm thinking that curation would be a good alternative. Rather than authoritatively silencing unwanted content, just categorize it well enough for users to filter what they want.

            • iamnothere 5 hours ago
              I agree with you, but many people have yet to understand that content they disagree with will continue to exist, no matter what, and central gatekeepers are not helpful in eliminating that content.

              The fucking “nazi bar” analogy has ruined an entire generation. You would think after centuries of trying to stamp out competing ideas, humans would finally come to terms with the fact that it cannot be done.

              Small curated groups are the only way to enforce ideological orthodoxy. You cannot force it on the public, nor can you punish the public for holding bad ideas without creating blowback and resistance.

              • thomastjeffery 4 hours ago
                I don't think we have to argue against the "nazi bar" analogy, though. In that analogy, nazis are allowed to exist in the world, just not in the bar. The difference is how we implement the concept of "in". The same analogy works if you are out on the street: everyone is allowed to be there, but that doesn't give nazis the right to your attention.

                Until we have a real way to meaningfully process natural language (I have a serious idea for that, but that's another conversation), we won't be able to automate content filtration. The next best thing is ironically similar to what we came here to complain about: attestations in a web of trust. If everything we bother to read is tied to a user identity (which can be anonymous), we can filter out content from any user identity that is generally agreed to be unwelcome. The traditional work of moderation can be replaced by collaborative categorization of both content and publishers. Any identity whose published content is too burdensome to categorize can simply be filtered out completely. The core difference is that there are no "special" users: anyone can make, edit, and publish a filter list. Authority itself is replaced by every participant's choice of filter. Moderated spaces are replaced by the most popular intersection of lists. Identity is verified by the attestation of other identities, based on their experience participating with you.

                • iamnothere 2 hours ago
                  I think we agree, the problem is people defining global platforms as “the bar”. We overemphasize the importance of global reach; it is important, but not everything needs to be global, least of all personal communication between small groups of friends. I don’t really want everyone herded into these public platforms where central authorities can determine who is blessed with the ability to speak to other people. I also don’t want people with political grievances to be cut off from places where they can air those grievances publicly, as this leads to bad outcomes. We need both kinds of spaces.

                  The web of trust idea is good, I have thought about it before as well, and I think there’s a couple of people who tried building a platform around it (I don’t think they got very far into the process though). I should be able to filter based on trusted people with similar taste. I shouldn’t have to accept a central authority’s notion of what is acceptable, excepting content that violates US law. That’s all I care about in terms of moderation.

      • hnlmorg 1 day ago
        I’m not sure why you’re asking this question, but you can run a country as a population of 1 (ie just yourself) if you wanted.

        The problem being raised isn’t due to the size of the country though. It’s the size of the company (ie Apple and Google)

      • riedel 1 day ago
        The question is rather: can political parties develop a vision beyond libertarian views or full state control on the other side.

        I feel that we need a better political consensus on a free society that puts the monopoly of force in the hands of democratically legitimate forces. I currently feel that all digital violence lies in the hands of a few corporations. And at the same time there are politicians who like this because, through this proxy, they can indirectly execute control without any political legitimacy. Sorry, I do not believe in markets as guarantees for freedom. I have read too much dystopian sci-fi for that.

    • skybrian 1 day ago
      Yes, it requires you to have an approved device for certain tasks.

      But you can own multiple devices. You can use an approved device specifically for banking or Netflix and whatever device you like for all your other tasks. Maybe you could use an approved device (a Yubikey?) to authenticate your other devices?

      Also, governments should be leaning on them to approve more devices.

  • Dove 19 hours ago
    This is tyranny: making people powerless, afraid of each other, and submissive, per Aristotle's understanding.[1] The technological means are new, to be sure, but the social strategy is as old as civilization.

    Mark my words. General purpose computing and private, direct communication are things too powerful for a tyrant to permit the people to have. The freedom we've enjoyed for the last several decades, to build what we want, to run what we want, to network with who we want, is not the default and will always be under attack. We had it for a little while by the generosity of the previous generation. It was not then, and is not now, and never will be free.

    [1] https://www.perseus.tufts.edu/hopper/text?doc=Perseus:text:1...

    • hnthrowaway4609 6 hours ago
      [dead]
    • rimliu 6 hours ago
      is that tyrant in the room with us now?
      • Dove 1 hour ago
        We are a generation of tyrants, each oppressing the others in his own little domain. Gone is the dream of making a modest living while enriching humanity with offerings of technology. Whatever is invented now is gated, rented, and exploited for power, in the shadows and in the open, and what technological power had been granted to the people is whittled away year by year, immense riches destroyed so someone in particular can extract something from a replacement.

        There is no Caesar to assassinate because it is everyone, or near enough. It is the idea that this is how you do things. Tyranny is in the air and in the water, that exploitation of power for more power by means of misery, old as mankind.

        In such a world, removing one tyrant only gets you ruled by his rival, who is often worse. The historical recipe for freedom and abundance is a people who, as a whole people, are generous with power and expect it of each other at every level, and are viciously intolerant of its abuse. Such was the world of technology for about five decades in the last century, but it hasn't been so for the last two or three. I think it doesn't take much for a few awful people to eat up any abundance, if they are allowed to, and that war is written across the history of computing from its very beginning. But these days, it is not a healthy society defending itself from would-be conquerors, but a world of feuding warlords anxious to eat up any excess anywhere, not only for profit but because thriving and independent people are inherently a threat. With few exceptions, and it seems like fewer every year, any kingdom now which consists of a group of people and some code, be it a software service, a phone, a game, a car, or a dang toaster oven, looks like a despot extracting taxes from his peasants, not a king shepherding his people. Certainly the big ones are that way, and the legacy of the last generation continues to be eroded.

        Whatever the means, that tangle of the legal and economic and social and educational and technological and cultural, and I do not pretend it is anything but a thorny and incomprehensible thicket, Aristotle's identification of the broad themes remains relevant. Divided, humiliated, disempowered - whatever the pretext, the encroachment of dark forces is unmistakable. The only defense is (and ever was) those who see their work as in some sense sacred and power as conveying a duty to serve. The generation for whom Superman is a central myth builds one way; the generation for whom it is Game of Thrones builds very differently. Not that these stories are necessarily causes, but their resonance is a reflection of how two very different groups of people think about power.

  • Retr0id 21 hours ago
    It is possible to bypass Play Integrity on most devices (even at the "strong" level) using a sewing needle.

    Specifically, you poke the data lines of the memory bus to induce bitflips, much like I described in https://www.da.vidbuchanan.co.uk/blog/dram-emfi.html

    This is trickier if your device has the DRAM mounted directly on top of the CPU, but still possible - you'll need to do some BGA rework to get a wire soldered to one of the DQ lines.

    Once you get a physical memory read/write primitive, you can start patching the kernel. Play Integrity does not detect this, since it only attests the state of the kernel at boot. I chose to patch out the permission checks related to ptrace, allowing me to inject frida-gadget into running apps, and to inject shellcode into pid 1.

    The initial exploit is pretty unreliable, and usually takes a few reboots to hit. But once it lands, the device is pwned until the next reboot - like a "tethered jailbreak".

    I tested this on a Samsung A06 because it was the cheapest device supporting Play Integrity I could get my hands on, but there's no fundamental reason it shouldn't work on any other device, including flagships. Some mitigations would require a different exploit strategy (e.g. memory encryption), but the fundamental flaw is still there.

    Demo: https://bsky.app/profile/retr0.id/post/3mljtyauw322d

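    To make the gap the comment above relies on concrete (boot-time measurement versus what is actually executing after a post-boot memory write), here is an added toy model; it is not Retr0id's code, not Play Integrity's, and not any vendor's attestation implementation. The `Device`, `attest`, `verify` and `runtime_patch_ptrace` names, the stub "kernel image", the `ptrace_may_access=` marker byte and the use of an HMAC with a constructed `DEVICE_KEY` (standing in for a real device's asymmetric attestation key) are all assumptions made for the example.

    ```python
    import hashlib
    import hmac
    import os
    from dataclasses import dataclass

    # Constructed stand-in for a kernel image. The "ptrace permission check" is a
    # single marker byte the post-boot patch flips from "deny" to "allow".
    PTRACE_CHECK_DENY = b"\x01"    # hypothetical: 1 = enforce the ptrace access check
    PTRACE_CHECK_ALLOW = b"\x00"
    PTRACE_MARKER = b"ptrace_may_access="
    KERNEL_IMAGE = b"linux-kernel-stub|" + PTRACE_MARKER + PTRACE_CHECK_DENY + b"|tail"

    # Constructed key; a real device uses an asymmetric key in hardware, not an HMAC secret.
    DEVICE_KEY = b"constructed-device-key"


    @dataclass
    class Device:
        ram: bytearray           # what is actually executing right now
        boot_measurement: bytes  # sha256 of the image, captured once at boot


    def boot(image: bytes) -> Device:
        """Measured boot: hash the image as loaded, then hand control to it."""
        return Device(ram=bytearray(image), boot_measurement=hashlib.sha256(image).digest())


    def attest(dev: Device, nonce: bytes) -> dict:
        """Toy boot-time attestation: the token covers the measurement taken at
        boot plus the verifier's nonce. Live RAM is never re-read here."""
        payload = dev.boot_measurement + nonce
        sig = hmac.new(DEVICE_KEY, payload, hashlib.sha256).digest()
        return {"measurement": dev.boot_measurement, "nonce": nonce, "sig": sig}


    def verify(token: dict, expected_nonce: bytes, allowed: set) -> bool:
        """Relying party: signature valid, nonce fresh, measurement on the allow-list."""
        payload = token["measurement"] + token["nonce"]
        expected_sig = hmac.new(DEVICE_KEY, payload, hashlib.sha256).digest()
        return (hmac.compare_digest(expected_sig, token["sig"])
                and token["nonce"] == expected_nonce
                and token["measurement"] in allowed)


    def _ptrace_offset(dev: Device) -> int:
        return dev.ram.index(PTRACE_MARKER) + len(PTRACE_MARKER)


    def runtime_patch_ptrace(dev: Device) -> None:
        """Post-boot memory write (what a physical read/write primitive buys you):
        flip the ptrace check to 'allow' in RAM. The boot measurement is untouched."""
        off = _ptrace_offset(dev)
        dev.ram[off:off + 1] = PTRACE_CHECK_ALLOW


    def ptrace_enforced(dev: Device) -> bool:
        off = _ptrace_offset(dev)
        return bytes(dev.ram[off:off + 1]) == PTRACE_CHECK_DENY


    def runtime_measurement(dev: Device) -> bytes:
        """What re-hashing live memory would report. Shown only to make the gap
        visible; the boot-time scheme modelled above never does this."""
        return hashlib.sha256(bytes(dev.ram)).digest()


    def demo() -> dict:
        allowed = {hashlib.sha256(KERNEL_IMAGE).digest()}

        # A modified *boot* image is what measured boot is designed to catch.
        tampered_boot = boot(KERNEL_IMAGE + b"\x00")
        n0 = os.urandom(16)
        tampered_boot_rejected = not verify(attest(tampered_boot, n0), n0, allowed)

        # Clean boot, then a post-boot patch of the ptrace check.
        dev = boot(KERNEL_IMAGE)
        n1 = os.urandom(16)
        before = verify(attest(dev, n1), n1, allowed)
        runtime_patch_ptrace(dev)
        n2 = os.urandom(16)
        after = verify(attest(dev, n2), n2, allowed)   # fresh nonce, same boot hash

        return {
            "tampered_boot_image_rejected": tampered_boot_rejected,
            "verdict_before_patch": before,
            "verdict_after_patch": after,
            "ptrace_still_enforced": ptrace_enforced(dev),
            "live_ram_matches_boot": runtime_measurement(dev) == dev.boot_measurement,
        }


    if __name__ == "__main__":
        for k, v in demo().items():
            print(f"{k}: {v}")
    ```

    Running it shows the asymmetry: a modified boot image fails `verify`, but after the in-memory patch the verdict is still a pass even with a fresh nonce, while `ptrace_enforced` is already false and a hash of live RAM no longer matches the boot measurement. That is the whole of the point made above: the token answers "what booted?", not "what is running now?", and a relying party that gates on it is trusting the second question to be answered by the first.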
    • OsrsNeedsf2P 20 hours ago
      Play Integrity will only get more advanced, though
      • Retr0id 20 hours ago
        Indeed, my point is less "don't worry about play integrity" and more "don't put it in your app"
    • userbinator 18 hours ago
      Much like DRM, the point is that we shouldn't have to fight this BS in the first place.
  • miohtama 1 day ago
    The EU Digital (identity) Wallet EUDI requires hardware attestation by Google or Apple, effectively tying all the digital EU identities to an American duopoly. Talk about digital sovereignty. Apparently protecting the children > sovereignty.

    https://gitlab.opencode.de/bmi/eudi-wallet/wallet-developmen...

    • retired 1 day ago
      So with a single flip of the switch, the president of the USA can shut down our EU Digital Identity Wallet.

      Why was this decision ever made?

      • dathinab 22 hours ago
        > Why was this decision ever made?

        because it wasn't made

        the decision which was made was having a digital ID wallet, that this needs hardware attestation (or something comparable) is somewhat of a direct consequence of existing laws/regulations regarding making IDs forgery safe

        it also is a phone only application

        the huge huge majority of phones runs Googled Android/iOS, so you support them

        if there were relevant 3rd-party competition it would (most likely) have supported it, too

        going back to the "the president .. shut down .." argument: The US can shut down >90% of all smart phones used in the EU. I don't think the US being able to shut down something which in the end is fundamentally just a minor convenience feature is making much of a difference here.

        But I also think that whole identity wallet (the regulations behind it) is approaching things from the wrong direction, carrying a credit card sized ID with you isn't really a problem or very inconvenient. So instead of having the whole attestation nonsense it would be more practical to simply not have attestation and in turn allow the digital ID only for usage where the damage it can cause is quite limited. Especially given that device attestation systems have a long history of being circumvented...

        As a side note this whole app is distinct from the "use your ID through your phone/NFC with applications" thing many EU countries have, though those solutions also tend to have attestation issues in most cases. But again the most relevant use-cases of it can be done just fine, without the security level attestation tries to provide, if approached pragmatically.

        • reactordev 22 hours ago
          Have you seen our President? Minor conveniences are what trigger him into launching full blown DOJ investigations, wars, and economic disaster. If he realizes he can just "turn off" the EU, oh, he will threaten that on Truth Social tonight in a rant about how they should make a deal or else.
          • userbinator 18 hours ago
            I'd like to see if he can be convinced into going after Google and effectively stopping remote attestation. One can certainly dream...
          • like_any_other 22 hours ago
            An open threat like that would be the best case scenario, as it would (hopefully) cause a reaction in EU countries trying to get rid of this yoke. Instead usually it happens through backroom dealings, or just the services being a nuisance to competitors while being helpful to friendly companies, and thus the target country is drained of its resources and economic independence, slow enough to not provoke retaliation.

            With the exception of the current US administration, hostile countries and corporations try to appear non-hostile when possible.

          • EchoReflection 21 hours ago
            [flagged]
          • nickburns 20 hours ago
            Friendly advice: please don't capitalize random common nouns like the president does. It's a marker of one's affinity toward precision (among other things).
            • danaw 19 hours ago
              you're being this pedantic about someone capitalizing "President"?
              • altairprime 19 hours ago
                It’s not a proper noun, and this is HN: pedantry is par. “The president of Xyz” capitalizes the X in Xyz(pn) but not the P in president(n). However, the P in President(pn) is capitalized when it’s a Title suffixed to a Name - but that varies per country by what they title their president-equivalent locally and isn’t always translated, while the concept-slash-role label of ‘president’ in English generally does not (and is often used interchangeably, albeit somewhat wrongly, for ‘monarch’ and other such single-person executive-leader roles). (That we use the same spelling for both title and concept is annoying, as usual :)
                • JumpCrisscross 19 hours ago
                  > It’s not a proper noun

                  The President, within this context, identifies a single entity. As such, it is a proper noun.

                  Analogy: there are many continents. But if we're discussing Brexit, the Continent is a proper noun. I don't think it's incorrect to not capitalise. But it's certainly grammatically okay, and not in the same bucket as The Nutters who capitalise Random words so it Looks like Legalese.

                  • nickburns 19 hours ago
                    > The President, within this context, identifies a single entity. As such, it is a proper noun

                    Yeah, no. You're just making things up to suit your position like the president does.

                    • JumpCrisscross 18 hours ago
                      > no. You're just making things

                      ...this isn't a counterargument. I can similarly assert you're just making stuff up, which isn't untrue, either way, since we're talking about language, a wholly made-up enterprise.

                      What's your contention that the President, within the context of the American presidency, does not refer to a single entity? Is this a preference? Or something you actually believe is incorrect?

                      • nickburns 18 hours ago
                        You got the impression I was trying to argue with you? Go look it up like the president doesn't. I'm personally not a recognized grammar authority.
                • marcus_holmes 18 hours ago
                  I was just talking about this today:

                  I have an internal convention to not capitalise LLMs when talking about them as if they were people; so claude is not capitalised, and the internal LLM-based service agent we're building, rex, is not capitalised.

                  I realise this breaks the capitalisation of proper nouns; claude is a name and therefore a proper noun and therefore should be capitalised. But I like that there's a signal in here that the thing I'm talking about is not a person and so we don't capitalise the name (I realise that cities or companies or other things that we capitalise are also not people).

                  Digression, but then so was the entire discussion on capitalisation.

                  • JumpCrisscross 18 hours ago
                    > the thing I'm talking about is not a person

                    Countries, companies, religions; hell, planets and galaxies–none of these are sapient. Yet we capitalise them.

                      I'll go out into the deep end for a second with a hypothesis: I think we capitalise because it makes printed text easier to scan. The words you need to spend more time on are capitalised because they aren't ones you can just roll through. This is also why the nutter effect of capitalising random words is so distracting–it drives attention to non-standard words that are, with minimum thought, being used perfectly standardly.

                    • marcus_holmes 17 hours ago
                      I completely agree with your hypothesis. And the ridiculous effect that Trump's random capitalisation has, both of making his text (even) harder to read, and of giving the impression that he doesn't actually know how to write English.

                      My additional hypothesis is that capitalisation accords respect, something along the lines of "this is a thing apart, something with a name, so we capitalise it". Not capitalising an actual human's name would seem disrespectful to me.

                    • nickburns 18 hours ago
                      You clearly speak only one language.
                      • iamnothere 5 hours ago
                        What is your opinion on Japanese who use カタカナ for emphasis or style
                        • nickburns 3 hours ago
                          I'm unable to read, speak, or otherwise understand Japanese.
                      • JumpCrisscross 18 hours ago
                        Wrong again!
                • reactordev 19 hours ago
                  President is a title here so Capitalization is correct use. That last one wasn’t. To be pedantic, we all know which one I was referring to.
                  • JumpCrisscross 18 hours ago
                    They’re trolling.
                    • nickburns 18 hours ago
                      I'm not.
                      • JumpCrisscross 17 hours ago
                        If you’re not, and I say this in good faith, take your own advice around your tone. Making assumptions about other people, and then doubling down when they correct you, comes across as a kind of horrible I doubt you truly are.
                        • nickburns 17 hours ago
                          I say this in good faith: oh, stop.
                          • JumpCrisscross 16 hours ago
                            Right, you’re a troll. Something, something Dwight Macdonald about parody needing to be smart and not bitter.
                            • nickburns 6 hours ago
                              Nothing here is remotely parody.
                              • JumpCrisscross 1 hour ago
                                I guess one doesn’t need to know they’re a parody to be funny.
                                • nickburns 1 hour ago
                                  As if that makes any sense.
                          • reactordev 14 hours ago
                            does it piss you off that punct isn't used properly anymore and that, commas, can happen anywhere? Are you one of those who still has use for em-dash?
                            • JumpCrisscross 8 hours ago
                              > Are you one of those who still has use for em-dash?

                              I still like ‘em!

                              • nickburns 6 hours ago
                                This meme, too—shall pass.
                            • nickburns 6 hours ago
                              1.) No. It's another helpful tell. (And what do you mean 'anymore'?)

                              2.) I'm comfortable with varied comma stylization.

                              3.) My personal usage of the em-dash hasn't changed in a few decades and I don't see it doing so just because a bunch of folks only just recently learned it exists.

                  • nickburns 18 hours ago
                    The word 'president' being a potential title doesn't make it a title nor a proper noun in all contexts.

                    Your bio contains a comma splice, by the way.

              • nickburns 18 hours ago
                Yes. But mostly just because it's in reference to this particular president who's a dullard and displays it regularly in this particular way.
            • yawaramin 19 hours ago
              What does 'marker of affinity toward precision' mean?
              • fouc 19 hours ago
                indicator of being detail oriented
        • josephcsible 20 hours ago
          > having a digital ID wallet, that this needs hardware attestation (or something comparable) is somewhat of a direct consequence of existing laws/regulations regarding making IDs forgery safe

          How do you figure? Isn't just having the digital ID be signed by a key belonging to the issuer good enough for that?

          • rahkiin 19 hours ago
            I think they are saying the signed ID can be copied to another device. Unless such ID needs to have access to some TPM that can be trusted, which likely requires then specific trusted hardware and software
            • josephcsible 19 hours ago
              > I think they are saying the signed ID can be copied to another device.

              But that's not what a forgery is.

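The exchange above (issuer signature vs. copying the credential to another device) in code, as an added example that is not part of the original thread and not any real wallet's code: a toy Go model in which the issuer signs the subject's attributes together with a public key held by the holder's device, and the verifier can run either a signature-only check or a signature-plus-proof-of-possession check. The subject string, the single-key "device", the NUL-separated payload encoding and the nonce-based proof-of-possession message are all assumptions made for the example; a real wallet format (mDL, SD-JWT, etc.) defines its own encodings and holder-binding rules.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Credential is a constructed, simplified digital ID: the issuer signs the
// subject's attributes together with the public key of the holder's device.
type Credential struct {
	Subject      string
	HolderPubKey ed25519.PublicKey
	IssuerSig    []byte
}

// signedPayload is the byte string the issuer signs (a real format would use a
// canonical encoding such as CBOR or JWS; a NUL separator is enough here).
func signedPayload(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pub...)
}

// keyPair serves as both the issuer and a holder device. The private key is
// unexported and reachable only through Sign, standing in for a key kept in a
// secure element or TEE (assumption; real wallets use hardware-backed keys).
type keyPair struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func newKeyPair() *keyPair {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &keyPair{priv: priv, Pub: pub}
}

func (k *keyPair) Sign(msg []byte) []byte { return ed25519.Sign(k.priv, msg) }

// Issue binds a subject to the holder's public key under the issuer's signature.
func Issue(issuer *keyPair, subject string, holderPub ed25519.PublicKey) Credential {
	sig := issuer.Sign(signedPayload(subject, holderPub))
	return Credential{Subject: subject, HolderPubKey: holderPub, IssuerSig: sig}
}

// popMessage is what the holder signs at presentation: the verifier's fresh
// nonce bound to this credential, so a captured proof cannot be replayed.
func popMessage(nonce, issuerSig []byte) []byte {
	return append(append(make([]byte, 0, len(nonce)+len(issuerSig)), nonce...), issuerSig...)
}

// VerifyIssuerOnly is the "just check the issuer's signature" design: it
// rejects edited attributes but cannot tell a copy from the original.
func VerifyIssuerOnly(issuerPub ed25519.PublicKey, c Credential) bool {
	return ed25519.Verify(issuerPub, signedPayload(c.Subject, c.HolderPubKey), c.IssuerSig)
}

// VerifyBound additionally demands a proof of possession from the key the
// issuer bound into the credential, which a copied credential cannot produce.
func VerifyBound(issuerPub ed25519.PublicKey, c Credential, nonce, pop []byte) (bool, string) {
	if !VerifyIssuerOnly(issuerPub, c) {
		return false, "issuer signature invalid: forged or tampered"
	}
	if !ed25519.Verify(c.HolderPubKey, popMessage(nonce, c.IssuerSig), pop) {
		return false, "proof of possession invalid: presented without the bound key"
	}
	return true, "ok"
}

func freshNonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Scenario runs four presentations and reports whether each check accepted them.
func Scenario() map[string]bool {
	issuer, alice, mallory := newKeyPair(), newKeyPair(), newKeyPair()
	cred := Issue(issuer, "Alice Example, born 1990-01-01", alice.Pub) // constructed sample subject
	nonce := freshNonce()
	out := map[string]bool{}
	// Legitimate holder answering from the device that holds the key.
	out["legit_bound"], _ = VerifyBound(issuer.Pub, cred, nonce, alice.Sign(popMessage(nonce, cred.IssuerSig)))
	// Cloned credential: Mallory copied the bytes but cannot copy the key.
	clone := cred
	out["clone_issuer_only"] = VerifyIssuerOnly(issuer.Pub, clone) // accepted: the copy is still validly signed
	out["clone_bound"], _ = VerifyBound(issuer.Pub, clone, nonce, mallory.Sign(popMessage(nonce, clone.IssuerSig)))
	// Forgery: an attribute edited after issuance breaks the issuer's signature.
	forged := cred
	forged.Subject = "Alice Example, born 2010-01-01"
	out["forged_issuer_only"] = VerifyIssuerOnly(issuer.Pub, forged)
	// Replay: a proof captured under one nonce fails against a new one.
	oldPop := alice.Sign(popMessage(nonce, cred.IssuerSig))
	out["replay_bound"], _ = VerifyBound(issuer.Pub, cred, freshNonce(), oldPop)
	return out
}
```

Running `Scenario()` shows the split the two commenters are talking about: the issuer-only check catches the edited birth date (a forgery) but happily accepts the byte-for-byte copy on Mallory's device, while the bound check rejects the copy because Mallory cannot produce a signature with Alice's key. Note what the model does not solve: the issuer sees only `alice.Pub` at issuance and has no way to tell from the public key alone whether the matching private key is locked in a secure element or sitting in an exportable file. Closing that gap (proving to the issuer that the holder key is non-exportable on a particular device) is exactly the job of hardware key attestation, which is why a "forgery-safe" wallet requirement tends to pull attestation in with it.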
        • jcgrillo 20 hours ago
          If something is actually important, don't put it on a computer. Don't let a computer be in the critical path of anything that actually matters. It's really quite simple. Even before "AI" this technology was not reliable enough for serious, important things--systems that need to be maintainable in adverse conditions (battle damage, etc), systems where failure is not an option (proving your identity, proving your children are yours, ...). If you care about your car, truck, tractor, or dozer being maintainable and reliable, don't get one with a computer in it. Until we can figure out how to make these things reliable and maintainable they're not to be trusted.
          • marcus_holmes 18 hours ago
            I feel like we need a war or something to show everyone how brittle we've built everything, and how unnecessary it all is.
          • nullc 8 hours ago
            > If you care about your car, truck, tractor, or dozer being maintainable and reliable, don't get one with a computer in it.

            Got a list of widely available cars and trucks 'without a computer'? :D

            • jcgrillo 6 hours ago
              Anything older than about 1990, some as new as early 2000s.
        • izacus 21 hours ago
          Can you show an example of defeating hardware attestation? It would be useful for many 3rd party ROM users.
          • nine_k 21 hours ago
            Gaming consoles typically have hardware attestation (as in verified software on verified hardware, sealed), and it has been broken many times in the past.
            • izacus 14 hours ago
              I'm interested in phones.
          • dathinab 21 hours ago
            most times it's done by (reliably re-)rooting an attested phone in a way which bypasses detection of the attestation system

            so not really useful for 3rd party ROMs

            • trollbridge 19 hours ago
              Quite useful for scammers, though, which is why this is so irritating with regards to digital IDs.
      • Gravityloss 1 day ago
        Is some party or coalition putting forth candidates that stand against this?
      • tardedmeme 23 hours ago
        They can also shut down all European payment cards.
        • OhMeadhbh 22 hours ago
          Maybe not all of them, but certainly a few large, popular ones. You bring up a good point though, it seems surprising that Wero/PEPSI don't have more momentum. Maybe Europeans hate their continental neighbors more than American financial conglomerates.
          • lxgr 22 hours ago
            The EU might have slept on Russia having to urgently come up with its own payment systems after the 2014 Crimea annexation (which in turn enabled it to deal with the complete Visa/Mastercard exit in 2022) because political goals were aligned and transatlanticism was still alive and well. But they've been wide awake ever since ICC employees have been personally sanctioned by the US as well [1].

            Big ships turn slowly, but I give it at most two more years until at least one pan-European retail payment scheme (cards, QR, or maybe the "digital Euro") has been regulated into existence.

            [1] https://www.theguardian.com/law/2026/feb/18/international-cr...

          • sudahtigabulan 18 hours ago
            We just don't know much about one another.

            I never really thought about it until I saw this comment:

            https://news.ycombinator.com/item?id=45993140

            • reddalo 13 hours ago
              Unfortunately, each European country has a different "national" payment method.

              Swish in Sweden, MobilePay in Denmark/Finland, iDEAL in the Netherlands, etc. Of course you can't sign up to a specific country payment system if you're not a resident there. And systems from different countries don't work with each other.

              Luckily, there's now an initiative called EPI [1], which is an alliance that wants to make all these apps interoperable and call them "Wero" [2].

              There are two problems with this system though:

              - Wero insists on making you use your own bank app to send/receive payments. That's a terrible choice, because most bank apps are huge behemoths that are slow and heavy. People don't want to use them: PayPal is so much quicker and easier. They should develop a new, lightweight app that only does payments.

              - The Italian member of EPI is "BancomatPay", which nobody uses. Sure, Bancomat is a huge company in the debit cards world, but no sane person uses BancomatPay in their daily life (also, BancomatPay forces you to use your bank app). In Italy, Satispay is way bigger and widely accepted, especially in the North (i.e. richest) part of the country. I'm surprised Satispay didn't get into EPI.

              [1] https://epicompany.eu/ [2] https://wero-wallet.eu

          • PunchyHamster 22 hours ago
            Just big systems having even bigger inertia
        • utopiah 14 hours ago
          True but also most places in the EU accept IBAN which is free (for individuals at least) and now relatively fast (seconds for the same bank, minutes or hours at most otherwise) so payment can still be done without MasterCard/Visa. It's inconvenient for a croissant but for anything slightly more expensive and that you don't need within seconds it's not too bad.

          Most banks in Belgium (e.g. Bancontact, Wero, Pom) or Sweden (Swish, was renting ice skates with it just this winter) have their own system but typically only nationals use that. It's still enough for shops to get instant payments without those US cards issuers.

          TL;DR: yes and it's wrong, but also IBAN works.

      • onlytue 1 day ago
        I hate to beat a dead horse and have people downvote me but: the EU has always been corrupted. The knowledge and effects are not evenly distributed until it hits each niche group. Then they find out the hard way that they were useful idiots. It’s ok to be wrong/admit. Let’s just move past the infighting and see those in power for the evil that they are.
        • epistasis 23 hours ago
          The question isn't if there's corruption, the question is who is behind the corruption.

          Condescendingly and incorrectly assuming that others think that corruption is impossible is kinda rude and also dodges attempts at correcting the corruption.

          • AnthonyMouse 23 hours ago
            Not only that, "corruption" is pretty squishy. Let's apply Hanlon's Razor for once.

            Google et al go to the government and say they've got this attestation thing that can something something security. No one is taking a bribe but also no one they're hearing from is telling them that doing this is going to cement the incumbents. "Security" is good, right? So it makes it into the law.

            That doesn't meet most formal definitions of corruption. It's more like incompetence than malice. But the outcome is indistinguishable from corruption. The bad thing gets into the law.

            The difference is, if the politicians are taking bribes and you get mad at them, they fob you off because they're more interested in lining their pockets. But if the politicians are just misinformed bureaucrats and you get mad at them, they might actually fix it.

            And attributing everything to "corruption" discourages people from doing the latter even in cases where it would be effective.

            • danielmarkbruce 22 hours ago
              Anything involving trust cements the incumbents or at least creates a force to an outcome of few players. It is what it is.

              It's not a given that it's incompetence.

              • AnthonyMouse 21 hours ago
                > Anything involving trust cements the incumbents or at least creates a force to an outcome of few players.

                I don't think that's even true, unless you're using "trust" as a synonym for centralization.

                Suppose you had actual competing app stores. Google doesn't control which ones you use; you can use Google Play or F-Droid or Amazon or all three at once and anyone can make a new one. You could get Android apps through Apple's store and vice versa. And then you choose who you trust; maybe you only trust F-Droid and Apple and you think Google and Amazon stink. Maybe you install 90% of your apps through F-Droid but are willing to install your bank app on GrapheneOS from Google Play because you trust your bank and you also trust Google enough to at least verify that the bank app is actually from your bank.

                This is the thing that doesn't help the incumbents, right? The bank and the customer both trust Google to distribute the bank app but Google isn't allowed to prevent the user from trusting F-Droid for other apps as a condition for getting the bank app from Google Play. You can have trust without centralization.

                • danielmarkbruce 20 hours ago
                  You have given a situation where there are 3 players - a very concentrated market. Give an example with 30 players and think through all the implications for all the actors. You'll quickly realize it's a total disaster. Building broad trust requires scale on some dimension.
                  • AnthonyMouse 19 hours ago
                    How is it in any way a disaster?

                    Consider how Linux distributions work. Every distribution is distributing variants on the same kernel and utilities, but there are hundreds of distributions and dozens of popular ones each with their own repositories. You can choose whichever you like, and make a different choice than someone else.

                    Coming in at #31 on DistroWatch is a lightweight distribution called Alpine Linux. It's popular on things like firewalls and VoIP servers but is rarely recommended to ordinary users because that isn't its niche. It doesn't matter that most people haven't heard of it because the people relevant to it have. It's fine for things to have a niche, and the people in that niche are the only ones who need to be familiar with it.

                    Meanwhile around half of Linux users use Debian derivatives. Debian and Ubuntu are very similar, but their repositories are maintained by different organizations, so even when choosing between two things that are nearly the same, you have different options.

                    And the distribution is not the only place to get software. Maybe you like a stable distribution in general but you want the bleeding edge drivers for your GPU. You can add the repository for the hardware vendor and still get everything else from the distribution. The vendor doesn't even need to maintain their own full distribution to have enough of a reputation for people to make an informed choice about where they want to get their drivers.

                    > Building broad trust requires scale on some dimension.

                    The flaw is in assuming that broad trust is a requirement. Narrow trust is good.

                    • danielmarkbruce 17 hours ago
                      The long tail of linux distributions works precisely because they need very little trust and are consumed by highly technical users who can verify all manner of things themselves. They especially don't require multi-party verification.

                      Broad trust is required in lots of situations. Hardware attestation, financial clearing networks, or even physical supply chains. I.e., you have multiple independent parties who need mutual, verifiable trust to operate. Establishing that requires transaction costs like audits, SLAs, legal liability, and cryptographic integration. The economics don't work for 30 different players to cross-verify each other. So, we have oligopolies...

                      • AnthonyMouse 10 hours ago
                        > The long tail of linux distributions work precisely because they need very little trust

                        Regardless of which distribution you use, the distribution itself controls code that runs as root on your machine, and the users are by and large not reading all of the code themselves. It works entirely by reputation. If you ship trash, most people aren't looking, but if even one person is, they point it out to everyone else and then no one trusts you anymore. This works perfectly fine with 30+ distributors.

                        > Hardware attestation, financial clearing networks, or even physical supply chains. Ie, you have multiple independent parties who need mutual, verifiable trust to operate.

                        There are large numbers of financial clearing networks. The reason Visa and Mastercard are an effective duopoly for credit cards isn't the trust issue, it's the network effect. A lot of people have a Visa, so merchants want to accept Visa, and then customers want the card which is accepted at many merchants. It's essentially regulatory capture that they're allowed to get away with this, i.e. that the networks are allowed to force you to use their card in order to use their protocol. The way this should work is closer to how checks work, i.e. Alice tells her bank that she wants to transfer money to Bob, Bob's bank routing number is on the check and the banks just talk to each other using a standard protocol to work out how much money to transfer from one bank to the other on net, with no for-profit middle man taking a cut.

                        Supply chains are a pretty weird example to pick because they're actually a huge counter-example. When Walmart wants to stock some USB cables or camping stoves they're going to vet the supplier so they don't get sued for selling a fire hazard but there are still dozens or hundreds of suppliers, because they have to vet the ones they use, but they don't have to be the same ones Amazon or Target or Costco uses and frequently aren't.

                        Hardware attestation is a dumpster fire. It keeps getting pushed because it's excellent at monopolizing a market but anyone actually trying to rely on it has had nothing but a series of swift kicks between the legs. People should stop even attempting it. It should simply be banned.

                        > Establishing that requires transaction costs like audits, SLAs, legal liability, and cryptographic integration.

                        Most of that stuff scales really well to large numbers of entities. The entire point of things like SLAs and legal liability is that they operate by preventing you from needing to enforce them. No company wants to get sued so they meet the SLA and satisfy the contract in order to minimize their legal costs, which is what allows you to contract with smaller companies as long as they're not so small you're concerned they'll go out of business, and the threshold for that is far smaller than any of these oligopolists.

                        > The economics don't work for 30 different players to cross-verify each other.

                        Which is why it's not supposed to be fully meshed. You don't need everyone to verify everyone, you only need the pairings that actually exist. If there are 1000 companies that make shoes and Walmart contracts with 10 of them then they need to verify 10 rather than 1000. Meanwhile the 1000 shoe companies each only have to contract with a dozen retailers, they're just not the same dozen retailers for every manufacturer.

                        • danielmarkbruce 1 hour ago
                          Not a complete response, but:

                          Checks are riddled with fraud and traditional bank-to-bank protocols (like ACH here) are notoriously slow and difficult to navigate for disputes. Visa and Mastercard aren't just selling a network effect, it's instantaneous clearing guarantees, active fraud prevention, and dispute resolution. The "cut" merchants pay funds the risk management layer that standard routing protocols don't provide. Even new systems like Brazil's PIX or the US's FedNow require a centralized state authority to mandate the clearing rules and manage the trust boundary.

                          Walmart can afford to vet lots of suppliers. A mom-and-pop shop cannot, so they buy from a massive centralized distributor who aggregates that trust for them. Supply chains have distributors all over the place, and they are concentrated in almost all cases.

            • fragmede 23 hours ago
              > Google et al go to the government and say

              The money that goes into lobbying in order to have that say is, depending on who you ask, corruption. I, as a random citizen, don't get the same say that a multi billion dollar international corporation does.

              • AnthonyMouse 22 hours ago
                That seems like a pretty useless definition of corruption. It implies that retirees writing letters to Congress is "corruption" because working people don't have the same amount of free time to do that.

                It's also kind of weird to propose it as an asymmetry. Google's parent company spends around $4M on lobbying in the US:

                https://www.opensecrets.org/federal-lobbying/clients/summary...

                That's around $0.01 per capita. Your per capita contribution for individuals to out-spend Google on lobbying is two cents.

                • coliveira 21 hours ago
                  The day a low income retiree can have meetings with politicians to lobby for their favorite policies is the day this comparison will be useful.
                  • AnthonyMouse 21 hours ago
                    You don't think the AARP has meetings with politicians to lobby for things?
        • rvz 1 day ago
          Exactly. I have said this for a very long time and the EU (and many other governments) are not our friends and they are just as corrupt. Remember ChatControl?

          Anytime anyone criticises the EU here, you will get downvoted even after trying to warn the EU defenders that they are not our friends at all.

          I was asking for evidence about the EU digital ID wallets about what the "disinformation" was around it 3 years ago [0] and not a single link of it was given.

          At this point, being an EU defender and supporting the "open web" are incompatible since you will be using your EU digital identity wallet [1] with your phone to login to your bank and the internet will push age verification with it, locking you out if you don't sign up.

          [0] https://news.ycombinator.com/item?id=36105002

          [1] https://eudi.dev/latest/

          • palata 1 day ago
            > Remember ChatControl?

            That thing that got refused multiple times already?

            Because not all politicians think like you does not mean they are corrupt. Seems like enough politicians have voted against ChatControl until now.

            I always wonder what people who say stuff like "politicians discussed this topic I hate and refused it, but the mere fact that they discussed means that they must all be corrupt" understand about politics. You know that it is about people with different opinions (representing people with different opinions) discussing stuff, right?

          • dijit 1 day ago
            (ignorant) people proposing things does not mean corruption: the fact that these things are voted down and never pass is proof that the system works, not evidence of corruption.

            Corruption would be if it passed despite it being unpopular, because some corporate or rich peoples interests desired it.

          • surgical_fire 23 hours ago
            > Exactly. I have said this for a very long time and the EU (and many other governments) are not our friends and they are just as corrupt. Remember ChatControl?

            The EU parliament shot down ChatControl.

            In fact, without the EU, most likely many member states would have ChatControl in some shape. National governments are the ones all in on this crap.

        • graemep 1 day ago
          Governments place a higher priority on controlling internal threats than external ones. In this case the EU wants to control its own people more than it wants to avoid dependence on the US. It would like both, but the former is more important
      • varispeed 1 day ago
        Corruption. A taboo topic people prefer to downvote and pretend it does not exist.

        But even bigger problem is that institutions designed to prevent this from happening are not doing their job.

        Thousands of security service and civil servants take their wages and look the other way.

        • armada651 1 day ago
          I think it's actively harmful to your own cause when you suggest corruption without any evidence. Just because politicians don't take action on an issue you think is important doesn't mean they're corrupt. It's more likely that the issue you think is important is simply not important to most voters.

          Suggesting politicians are corrupt without any evidence will make that worse. If people think their politicians are corrupt they will further disengage with the political process, which will ensure there's even less pressure on politicians to take action on niche issues like this.

          • EmbarrassedHelp 23 hours ago
            The EU Commission was caught breaking the law in order to lobby for Chat Control: https://noyb.eu/en/gdpr-complaint-against-x-twitter-over-ill...

            The EU Commission also gave a foreign tech company called Thorn (they pretend to be a charity), special access to government officials: https://netzpolitik.org/2022/dude-wheres-my-privacy-how-a-ho...

            I think both of those cases would be examples of lobbying and corruption.

            • surgical_fire 22 hours ago
              The thing is that "The EU commission" is an entity composed of politicians, appointed by member states.

              It's little coincidence that national governments want Chat Control (laundering that through EU), and the EU parliament is the entity that shoots it down (coincidentally the entity that is most beholden to the public).

              It would be nice to learn which commissioners are lobbying for it.

            • armada651 22 hours ago
              Neither example is evidence of corruption. That doesn't mean they're not problematic, but there's no evidence here of a politician receiving a kickback for any of these actions.
          • nolroz 22 hours ago
            I think a hearty fuck off is warranted for responses like this. What the shit do you base the converse off? Pretend there's no corruption and there won't be any??
            • labcomputer 13 hours ago
              > Pretend there's no corruption and there won't be any??

              If you look at that person's responses to others in this thread, that is exactly what they are doing. I do hope they have proper health and safety training for moving the goalposts so much.

            • armada651 22 hours ago
              Of course not, if there's evidence of corruption then those involved should be rooted out and prosecuted to the full extent of the law.

              What I'm saying is that if there's no evidence of corruption, then simply assuming corruption will harm your cause because it will make it seem like political activism is futile in the face of supposedly hidden corruption.

          • varispeed 21 hours ago
            [flagged]
        • microtonal 1 day ago
          The EU does regulate Google and Apple through the DSA and the DMA. I don't think most EU politicians are corrupted by these companies.

          I think it is far more likely that it is a lack of knowledge and incompetence. I am pretty sure that the majority of Parliament members, Council members and maybe even Commission members do not even know that there are viable alternatives outside Google (certified) Android and iOS. So they try to regulate their app stores, etc. instead.

          I hope that with digital sovereignty becoming more important, there will be more interest in alternative mobile operating systems.

          • grufkork 23 hours ago
            A lot of the suggestions do actually sound pretty good at a quick glance, but have far-reaching consequences that are not instantly obvious if you don't know your tech/security/privacy or otherwise value a specific topic highly. The average HN reader is likely more concerned about privacy and less so about crime and safety than the average guy on the street, and politicians need to handle and balance many more interests than only that of privacy advocates.

            "Securely signed/verified devices for accessing your bank" or "increased surveillance and tracking of criminals" sound like splendid ideas and direct solutions to immediate problems. Now, how to actually implement them and how it will affect society in the long run might seem less important when you've got increasing crime rates, a slowing economy, displeased voters or whatever looming. In short, some dilemmas have very clear answers when you (willingly or through unawareness) only concern yourself with a subset of the effects of a decision, and this goes both for politicians and special interest groups. That being said, I'm very pro-privacy and it's the job of policymakers to know the details of what they're deciding on. Reality is however usually very complex and nuanced with several things being true because they all contribute a part to what's going on.

            e: what am I doing, speaking like I actually know how things work? Nothing is absolute and nuance is important, but sometimes it is also very useful to simplify and generalise to get things done. If no one had any conviction, not much would ever happen. But moderation in all things.

          • labcomputer 13 hours ago
            > I don't think most EU politicians are corrupted by these companies.

            Well, of course not! They're corrupted by the other companies who benefit from the DSA and DMA.

          • palata 23 hours ago
            > I think it is far more likely that it is a lack of knowledge and incompetence.

            I agree with that. Reading HN comments, where people are supposed to be generally tech-savvy, I see a ton of "lack of knowledge and incompetence" (not in a negative way, just "uninformed"). Why should politicians know better than the average tech-savvy person?

            But politicians get yelled at by everybody, saying everything and its contrary, while the tech-savvy people can comfortably take a condescending tone to explain why "being so stupid is impossible so it has to be corruption".

            • soraminazuki 20 hours ago
              Fool me once, shame on you. Fool me twice, shame on me. After Snowden, there's absolutely no reason to believe that governments "accidentally" push for policies that strengthen surveillance and control over our digital lives. It's ridiculous to believe in the goodwill of those in power when these kinds of proposals are made over and over again despite strong pushback.
              • palata 10 hours ago
                What I find ridiculous is to strongly believe that politicians are somehow all the same person, and therefore either all corrupt, or all fascists, or all...

                In a functioning democracy, politicians represent the people. Meaning that some politicians will be on one end of the spectrum, and some will be on the other. If there are no politicians you disagree with, then probably you are not living in a functioning democracy.

                > despite strong pushback

                That is my point: look at the pushback! It's many people with very different opinions saying everything and its contrary, with a lot of technically incorrect takes.

                Do you realise that when you say "they must be corrupt, because they don't share my opinion, and my opinion is absolutely the best", and you are not the only one saying that, then either everybody saying it should share your opinion or at least some of you are wrong, right?

                Everybody wants to believe that they are right and everybody else is wrong, and therefore everybody else is either stupid or corrupt. I want to believe that sometimes, the world is actually nuanced, and people may have different opinions. I may have a strong opinion (and knowledge) about hardware attestation, but it doesn't mean that every politician does and hence has to be corrupt in order to not agree with me.

                • soraminazuki 59 minutes ago
                  > What I find ridiculous is to strongly believe that politicians are somehow all the same person, and therefore either all corrupt, or all fascists, or all...

                  That's a distraction from the point that I actually made. One can try to paint politicians as saints all they want, and it still won't change the fact that the entire population is digitally surveilled 24/7 and what we do on our own computing devices are increasingly decided for us rather than by us. This flies in the face of liberal democratic values, and not okay. Some things simply aren't up for debate.

                  > Do you realise that when you say "they must be corrupt, because they don't share my opinion, and my opinion is absolutely the best", and you are not the only one saying that, then either everybody saying it should share your opinion or at least some of you are wrong, right?

                  In short, you're accusing me of criticism. It's boilerplate fallacious logic that makes any criticism against anything sound illegitimate.

        • II2II 23 hours ago
          It's more of a case of the boy who cried wolf than it is of denial.

          Too many people see something they don't like, imply a nefarious motivation without evidence, then expect everyone to agree that it is corruption.

          If there is corruption, show the evidence. Otherwise, be honest and state that you don't agree with something. If you want to persuade people, back up your claims with verifiable evidence without falling back to nebulous claims of corruption.

        • fidotron 23 hours ago
          > Thousands security service and civil servants take their wages and look the other way.

          Diplomatic status tax free too.

        • kyleee 1 day ago
          No doubt there is corruption; but it’s also momentum. There aren’t stable and good alternatives for so many reasons so the duopoly has momentum
          • varispeed 1 day ago
            I understand, but this is a national security matter. The focus should be on developing matching domestic capability.
            • cyanydeez 1 day ago
              you know that domestic capability means putting taxes to take things into a public good and corporations and paranoia are the bigger problem to overcome than anything technical. Any endeavour will be cast as some kind of fascist takeover of governance.
              • bornfreddy 1 day ago
                Well no, there is no need to develop domestic capability. Put laws in effect which disable foreign capabilities and which reward domestic ones, and they will be developed. No endeavor from government needed (which is a good thing, since governments are not really great at doing such stuff).
                • cyanydeez 23 hours ago
                  Well yes, just because you think it's a public good worth competing over doesn't mean there's anyone who thinks it's a viable business model.
        • epistasis 23 hours ago
          Who is doing this corruption?

          If it's Apple or Google let us know in the US because we have laws to go after them for acting corruptly in other countries.

          Vaguely asserting corruption without specifics or even naming the perpetrators isn't "taboo", it's just poor form and silly. Letting such vague accusations float without evidence, motive, or even people to blame, leads to nothing good, and only vague distrust, which itself enables corruption. It leads to people believing there's no way to know the truth, therefore helplessness, and results in fascism like in Russia.

          Lazy cynicism is itself a form of corruption of one's own mind.

          • bryan_w 20 hours ago
            > Lazy cynicism is itself a form of corruption of one's own mind

            I love this way of thinking. I might use this quote down the road

      • kmeisthax 22 hours ago
        We (America) made the decision for them. The EU's member states were either:

        1. Explicitly designed as client states for the US

        2. Explicitly designed as client states for the Soviet Union, with alliances switching over as the Soviet Union fell apart

        3. Great Britain, a country whose electorate would probably only reconsider rejoining if the EU agreed to explicitly become British client states, because the only thing Britain hates more than France is those dastardly American upstarts[0].

        The reason why this persists despite an openly hostile American president is the fact that the EU has no real alternative. The EU has a shitton of internal political distrust between member states, and the US was offering a lubricating alternative: "Just trust us." Politically distributed alternatives require balancing coalitions that are far more fragile.

        [0] The history of European anti-Americanism is extremely fascinating, because it's effectively a Reactionary meme - as in, "wanting to restore the Ancien Regime" Reactionary, not "funny way to say Nazi Party member" Reactionary. And yet it's jumped across so many incompatible political ideologies that the average European probably had no clue why they hate America until Donald Trump gave them a good reason to.

    • pjmlp 1 day ago
      I wrote to the EU contact about this, got a patronising reply about how good it is, app being open source and what not.

      Clearly tailored to the regular normie without technical skills.

      • noir_lord 1 day ago
        Probably because the reply was written by someone without technical skills.

        I’ve written to politicians over the years about technical matters and it’s uniformly either a clearly form response or an inaccurate summation of the technical risks, if I’m being charitable because they don’t understand them either.

        At a certain point it begins to feel pointless.

        • palata 1 day ago
          > At a certain point it begins to feel pointless.

          I think you're right that they are incompetent. The point is not to make them understand it, but rather to make them see that enough people care. The problem is that most people don't write, so the politicians don't see that they care. Same thing for companies. How many GrapheneOS users say "well when it stops working, I just move to another service, and if there is none, then I live without the service entirely". That way the companies never see that there is a need.

          • __MatrixMan__ 23 hours ago
            > How many GrapheneOS users say "well when it stops working, I just move to another service, and if there is none, then I live without the service entirely".

            Being prepared to be this voice is one of the reasons I'm a Graphene OS user. Another is that it helps me avoid accidentally writing code that depends on google play services. When you've got an agent doing most of the driving, it's easy to not realize that your app is broken without google, unless you're testing it on a degoogle'd device.

      • palata 1 day ago
        Where did you write? Is there a link or something you could share? I am not in the EU so I assume I can't, but would be nice to share a link so that other EU citizens could write.

        If enough people write, they may start finding it relevant.

    • andy99 1 day ago
      Came here with roughly the same thought. Given the stated importance to many of sovereignty and not being dependent on the US, why isn’t there more opposition? I assume it’s just ignorance?
      • elric 1 day ago
        There is some opposition, but none of it is making a dent. It's depressing. I can't decide if it's incompetence, corruption, or malice.
        • palata 1 day ago
          Before thinking about corruption or malice, I like to try to assume good faith. And I see a couple things:

          1. Most people don't write.

          2. The people who write are not always competent.

          3. The people who write often have an agenda, too.

          What's the consequence of that? Imagine what the politicians receive: tons of messages of people complaining, most of which are factually wrong. What to do then? How to know who is right? It's genuinely hard.

          EDIT: please write here: https://european-union.europa.eu/contact-eu/write-us_en

        • greggoB 1 day ago
          Probably some combination of all three.
      • vanviegen 1 day ago
        Digital sovereignty has only become a serious political topic in the EU over the past year. It may take a decade to see the effects of this in laws and policies.
      • izacus 23 hours ago
        Since you're so much more informed - which integrity guaranteeing product would you use for mobile devices that European citizens use? Covering more than 90% of population?
      • bojan 1 day ago
        We have voted in the most right-wing Parliament and, by extension, Commission, in the EU's history.

        It only makes sense they'll prioritize big-business interests over those of the common folk.

        • dmoy 1 day ago
          Yea that's fair / makes sense from a democracy point of view (even if I might disagree personally).

          It's a bit odd that Europe prioritizes American big-business interests I guess? Idk, as an American it does seem kinda like an odd choice.

          • cherryteastain 1 day ago
            It's more useful to view the whole situation as EU politicians prioritizing to have their pockets filled with lobbyist money, rather than the EU as a political entity deciding this per se.
            • palata 23 hours ago
              It's not completely fair. The US also bullies them into doing those things, it's not only "pure corruption to fill their pockets".

              How many European countries buy American weapons because they are scared of what would happen if they pissed off the US? And then they still get tariffs and threats of military invasion.

        • Pfeil 1 day ago
          Does it really make sense? Right wing politicians are calling themselves patriots, why would they support foreign companies and give them so much power? Must be a dangerous mix of corruption and stupidity?
    • matthewdgreen 23 hours ago
      One of the major problems with on-device identifiers is that they must by tied tightly to devices, due to the risks of cloning. This is particularly true for privacy-preserving identifiers. That's why device attestation is so important, because you can't ensure that identity (keys) are locked to a device unless you can verify that the hardware prevents users from extracting keys. The worst part of this is that motivated criminals will certainly figure out how to extract those keys and use them for fraud; it's open-source and open computing that will be destroyed by this.
      • subscribed 23 hours ago
        Yeah, but they aren't.

        Google certifies devices unpatched for the last 10 years, rooted, riddled with the malware, because the keys have leaked.

        Google knows and still sells the lie.

        But you should know better. Google is not selling the actual security, it's just protecting its business.

        • matthewdgreen 23 hours ago
          Google's business is advertising. Right now they don't care whether your phone is "authentic" or secure, because it doesn't cost them money. As AI-enabled bot fraud rises, they will care. Fighting this requires identifying human beings, and that requires trusted devices to be associated with human beings. We're in the foothills still, but look forward and up at where adtech is going.
          • bronson 17 hours ago
            How is a trusted device associated with a human being? I'm pretty sure the walls of hundreds of bot phones are running trusted Android.
            • matthewdgreen 16 hours ago
              By attaching your government ID to a (single) phone and verifying the human owns it by checking biometrics. You can try this today if you live in one of several US states and have a recent iOS/Android phone. This doesn't stop one real person from attaching their ID to one real phone and then abusing it for botting, but (if implemented well) it limits you to one-real-ID-one-bot-phone.
      • EmbarrassedHelp 22 hours ago
        Don't hardware identifiers also mean that Google can blacklist your device from vast portions of the internet whenever they feel like it?
        • frm88 15 hours ago
          Do we know whether this is possible? I'm clueless when it comes to phones, so this is a genuine question.
      • lxgr 23 hours ago
        Only if you need to have the entire application behavior (or at least some trusted confirmation) attested, right? Otherwise, an external USB dongle, tapping a contactless smartcard on a phone etc. could do just fine.
        • matthewdgreen 23 hours ago
          Sure, but then you need to receive an attestation from that external dongle, and/or pre-provision it with an identity (like a national ID smartcard.) It might work in places that distribute this hardware, but it's a crummy UX. I expect that the goal of these systems is to make ID verification a requirement for most routine device usage, sadly, and external dongles will crap that up from a UX perspective.

          There is also the problem that most external hardware is less secure than things like Apple's SEP. (But on the other hand, probably more secure than the long tail of cheap Android phones, which use virtualization rather than real hardware.)

          • lxgr 23 hours ago
            > then you need to receive an attestation from that external dongle, and/or pre-provision it with an identity (like a national ID card.)

            That's how it works in Germany: You tap your national ID card (as a citizen) or eID card (as a non-citizen) on any NFC-capable iPhone or Android device. I personally much prefer that solution over one that requires a specifically trusted device.

            The big gap is trusted user confirmation, though: Users need to see what they sign by tapping their card, and then you're usually back to some form of attestation.

            Practically, they also completely botched the rollout; literally everyone I know managed to somehow lock themselves out of their card at the first attempted use (assuming they've even bothered to set it up).

            • matthewdgreen 23 hours ago
              The adtechs want this so they can verify the "human" quality of each user. To do this, they don't want people tapping their government ID on their phones every single time they sign up for Reddit or receive an advertisement. Hence (some derivative of) the ID has to be stored on-device to make the browsing/usage experience seamless.
              • lxgr 22 hours ago
                Fair enough, I can see why not.

                To me, it seems like just the right amount of friction, and user expectations can work in favor of privacy here: People will hopefully refuse to tap their ID on their phone for a service where they want to remain completely anonymous, even if the protocol technically might support anonymous assertions.

    • userbinator 23 hours ago
      You want a secure identity? ISO7816 exists and is completely independent of Big Tech. The question of who should be required to show ID is different (and I'd argue the answer is "no" in most online-only situations), but there's already a solution that's been trusted by the financial sector for decades.
    • jasonvorhe 1 day ago
      Protecting the children is their favorite reason for ramping up authoritarian measures.
      • leptons 22 hours ago
        If they really wanted to protect children, they wouldn't give them phones, tablets, or laptops until a certain age.

        It's like handing a loaded gun to a kid, and saying "just don't take the safety off".

        Of course kids are going to find ways around it. They are going to take the safety off.

        • SchemaLoad 21 hours ago
          Australia started on this by banning kids from social media. Reddit kicked up a huge stink and sued the government over it. Also phone bans in school a few years prior.
    • fidotron 23 hours ago
      The EU problem here is they are simply reactive, and slow at it. By ceding the active part of commercialized innovation to the US (because paying the people that do such things what they're worth is simply incomprehensible) they allow them to dictate the terms of engagement. The utter dependence on WhatsApp being a shining example, as well as cloud services in general.

      If anyone wants to assert control they have to be where the puck is going instead.

    • preisschild 11 hours ago
      AFAIK this is not true. The Austrian eID also works on GrapheneOS (with an initial warning). Its some national implementations (such as the German one you linked) that enforce this.
    • cyanydeez 1 day ago
      >To reduce platform dependencies, we also evaluate additional platform independent signal sources. In this context, we evaluate signals from runtime application self-protection (RASP) systems, for example. We also might revisit later whether there are comparable security mechanisms for other platforms.

      They're basically saying they have no choice but will evaluate better options.

      So the follow up question is: Are you going to push the EU & Governments to do the logical thing and start developing, with your tax dollars, the necessary software & hardware to make it into the public domain so they aren't reliant.

      Mostly it seems like few people see the need for bringing government into software, no matter how much software & hardware are becoming essential utilities.

      • miohtama 1 day ago
        There is the alternative to not pursue domestic spyware in the first place. Especially because this is tied to the attempts to deanonymise Internet users.
        • cyanydeez 23 hours ago
          It's also an attempt to keep various malefactors such as America, Russia, Israel, China, etc out of the propaganda efforts driving a large amount of far right nationalists into violent uprising.
          • miohtama 22 hours ago
            But this scheme will give all the control to the US. They own the master key.
          • deaux 16 hours ago
            No, it's not. The biggest foreign actors driving far right nationalism are people like Rupert Murdoch, Andrew Tate and going forwards potentially Jeff Bezos. Murdoch has been the single biggest driver for decades. If they would truly be interested in stopping foreign propaganda they'd go after them instead.

            It's especially ironic to name China when the whole reason the US bought TikTok is because it showed people the reality of the genocide in Gaza, which the far right nationalists hated.

            • preisschild 12 hours ago
              You might not be from Europe then. Russia is the primary threat. They are funding extremist political movements. They are also conducting sabotage and espionage operations inside the EU.
              • deaux 9 hours ago
                > They are funding extremist political movements. They are also conducting sabotage and espionage operations inside the EU.

                These are true. They also don't have much to do with what I replied to, which was about "the propaganda efforts driving a large amount of far right nationalists into violent uprising."

                You're simply misinformed if you believe that Russia-originated propaganda has played a bigger role in the rise of right-wing extremism in Europe over the last 10 years than Rupert Murdoch (and yes, I'm aware News Corp's assets are all in English), the Anglo manosphere including the likes of Andrew Tate, and Meta, Google (Youtube) and X intentionally designing their algorithms for outrage/engagement at all costs.

                Russia wishes it would have as much influence as the above.

                • cyanydeez 8 hours ago
                  It obviously does. 2016 was a sterling example of the far right extremists in America fertilizing the ground for Russian influence campaigns.

                  They're going hand in hand, that's how fascism works, corporate interests align with government authority.

          • u8080 20 hours ago
            Yes, comrade, those newsletters should be disposed because of evil foreign pяopoganda
            • cyanydeez 20 hours ago
              I'm zorry, have you slept through brexit, january 6th, racist anti immigration campaigns and torture prisons?

              Are you just not paying attention to the dissolution of democracy or are you just like, cool with money being the only protected thing.

              • mardifoufs 19 hours ago
                What? What does it have to do with mandatory hardware attestation? You just built your strawman by tying the two with 0 proof that they are related. You can argue for any measure and then say that it's somehow to save us from some bad event, it doesn't make it true. The patriot act was a reaction to 9/11. It doesn't make that reaction valid.
    • p0w3n3d 23 hours ago
      "protecting" the "children"
    • einpoklum 23 hours ago
      > Apparently protecting the children trumps sovereignty.

      Capital remains sovereign in Europe.

      • subscribed 23 hours ago
        I think you misread the parent comment.

        Being a highly skilled lawyer, UN official, can get you banned from all government EU services if Drumpf doesn't like the fact you're investigating war crimes.

        A part of that has already happened.

  • grishka 1 day ago
    Our civilization desperately needs a method to modify modern microelectronics after manufacturing that can be used at least in a well-equipped repair shop, and it needs it yesterday.

    Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM in any computing device that is marketed as a general-purpose one. I.e. the first instruction that the CPU executes after reset must come from a storage device that is physically external to the CPU package.

    • pietervdvn 1 day ago
      Or maybe we should just get rid of the "breaking DRM is illegal"-laws. See https://pluralistic.net/2026/01/01/39c3/
      • ACCount37 9 hours ago
        Those laws should die, but that's beside the point.

        Modern cryptography allows for making DRM incredibly hard to break. And the disadvantage of "hardware attestation" DRM is that you have to break it not once, on a single device, the way you do to dump a "protected" movie, but on every single device that you want to use.

      • kevincox 20 hours ago
        Yes, these are the most clearly corrupt laws that exist. It is like outlawing hammers because you may hit someone with it. It is just giving up freedom for the benefit of a few fortune 500 companies.
      • grishka 21 hours ago
        That'll also work somewhat, but the problem would remain that even if it's legal to break the DRM, you can't exactly break it when it's assisted by hardware and there are no vulnerabilities in the "trusted" code.
    • loup-vaillant 10 hours ago
      > Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM in any computing device that is marketed as a general-purpose one.

      Funny, I have a related proposal: make it illegal to sell hardware and distribute software. Or at least, if you distribute software, we don’t buy your hardware. The idea is to force hardware companies to release the complete user manual for their hardware, and incentivise them to simplify and standardise their hardware interfaces.

      What I did forget was forbidding them to arbitrarily restrict what kind of software can run with their hardware, which they could if the hardware hashes the software & verifies a signature before running it. But it would seem your separation between CPU and storage takes care of that.

    • monocasa 1 day ago
      That's probably not going to happen for a very long time. Relatively simple SoCs already do tons of work before the architectural reset vector in undocumented boot ROMs in order to assist the reset process.

      There's also tons of value in a boot ROM that can't be accidentally erased to add low level DFU routines.

      • ACCount37 9 hours ago
        Having DFU in BootROM is good. Having "secure boot" with only the vendor keys in BootROM is evil.
        • monocasa 3 hours ago
          Most of the time the root of trust isn't in the boot rom, but instead OTP fuses that the boot rom reads.
    • altairprime 1 day ago
      This won’t help; the SOC silicon can be revised to record each executed instruction from power-on until secure-boot handoff opcode, with various supporting opcodes to query status-of / overflow-of / signature-for so that the OS reports pre-boot tampering implicitly as part of developing its own attestations.
      • grishka 1 day ago
        Then also make it illegal for the SoC to contain any cryptographic key material.

        My intention with this is to make sure that if someone were to desolder the flash chip and reprogram it, they could completely own the device without the device or SoC manufacturer having a say in it or a way to prevent or detect it.

        • altairprime 1 day ago
          Simpler to just make discrimination by hardware or software illegal than to legislate the silicon contents. That’s what everyone is upset about, after all: websites are gaining the ability to discriminate based on hardware-software with specific fidelity they never had before. If that was made unlawful, then you’d benefit billions of existing devices as well as future ones. The hard part is making the case that this sort of discrimination is worth fighting, but the John Deere lawsuits are (indirectly) further ahead on that point than the rest of tech is, weirdly enough.

          Example: I’m perfectly fine with my Touch ID sensor having a crypto-paired link to my SOC so that someone can’t swap in a malware-sensor at a border checkpoint; I also don’t want my device (or websites) to be able to discriminate against me installing my own homemade sensor. What that looks like in practice is close to what we have now, but not quite there yet — and is definitely not ‘no crypto-pairing at all’, as a ban on key material would enforce.

    • aleksejs 1 day ago
      TFA is authored by the developers of an alternative operating system that can be freely installed on every Google phone since Pixel 6.
      • subscribed 22 hours ago
        ....and this is only Google phones solely because NONE of the alternatives meet the team's stringent security requirements.
        • ysnp 5 hours ago
          The requirements are not particularly stringent. It is more an embarrassing show from the rest of the Android OEMs that they don't meet basic standards like timely security updates and a decent support period.
        • kajman 20 hours ago
          The graphene project seems to choose security over freedom in a few cases. They also recommend using the Google Play store over F-droid IIRC.

          Not my preference, but they seem so far ahead of other ROMs right now that I use it still.

          I do believe people have built and installed it on other devices without too much trouble, but I don't think that'll ever be supported.

          • NoGravitas 8 hours ago
            Honestly, I'm looking forward to the supported Motorola (Lenovo) phones in 2027.
            • kajman 1 hour ago
              It's the only news I've heard about new-phone-tech that's gotten me remotely excited in a long time. I'm too poor to be buying new devices though so I'll have to let others do the beta testing for a couple years.
    • userbinator 1 day ago
      Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM in any computing device that is marketed as a general-purpose one.

      No, you just need to make it illegal to have the bootloader contain hardcoded key material and use it for verifying the code it loads.

      • ACCount37 9 hours ago
        Most of those are less "hardcoded" and more "fused into internal non-eraseable memory at manufacturing time".

        Not that it changes much. It really should be illegal to enforce "secure boot" with no way for the device owner to opt out of it or enroll his own keys.

    • bigbadfeline 1 day ago
      > Our civilization desperately needs a method to modify modern microelectronics

      Micro is now nano, not amenable to modification, and even if it was theoretically possible, hardware is a super-easy target for legislation.

      > Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM

      If you had the political means to enact such legislation, you could legislate much cleaner and easier ways to deal with the problem.

      I find myself saying this a lot but I still can't quite figure out why people keep seeking technical solutions to political problems.

      I mean, these things aren't comparable, in some limited cases the naive approach might help but insisting on it while neglecting political action is worse than doing nothing.

    • dist-epoch 1 day ago
      > just make it illegal to ship any kind of initial bootloader

      funny how you think the solution to people imposing their will on you is to impose your will on others

      also, the solution you propose wouldn't work because signed firmware

      • grishka 1 day ago
        And what code will verify the signature of the initial bootloader? As far as I know, in every modern implementation of secure boot that is done by that very bootloader, which is burned into the CPU/SoC. I can imagine someone implementing some sort of fixed-function block to do that, but see my sibling reply about that.

        Also, governments are supposed to act in the interest of people.

      • milutinovici 1 day ago
        It's called laws
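Added example, not code from the post, from GrapheneOS or from any vendor: a small Python model of the mechanics argued over in the subthread above and in matthewdgreen's earlier one about keys that must stay locked to hardware. The root of trust is a key hash read from OTP fuses, as monocasa says, not code in the boot ROM; the ROM verifies the next stage against that hash or, as ACCount37 and userbinator want, against an owner-enrolled key; the resulting boot state is signed by a device attestation key that the vendor root certified at the factory; a relying party checks the chain, freshness and signature, then applies a policy. The owner-key slot, the state names (loosely after Android's Verified / SelfSigned / Failed), the toy textbook RSA and every sample value are assumptions of this model, not a description of any real SoC or of Android's attestation format.

```python
"""Added example, not code from the post, GrapheneOS or any vendor: a toy model of a fused
root of trust, the verified-boot state it yields, and a relying party checking an attestation.
Textbook RSA (no padding, 512-bit keys, seeded RNG) keeps it stdlib-only; never use it for real keys."""
import hashlib
import random
from collections import namedtuple
from typing import Callable, Optional, Tuple

_rng = random.Random(2024)  # deterministic toy randomness, NOT acceptable for real key generation

PubKey = namedtuple("PubKey", "n e")
KeyPair = namedtuple("KeyPair", "pub d")
BootImage = namedtuple("BootImage", "code signer sig")  # signer: public key shipped beside the image
# device_cert is a toy certificate: the vendor root's signature over fingerprint(device_pub)
Attestation = namedtuple("Attestation", "device_pub device_cert challenge boot_state boot_key_fp sig")
Policy = Callable[[Attestation], bool]


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases; callers only pass large odd integers."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        # witness unless x is 1/-1 or some repeated squaring reaches -1 (walrus updates x)
        if x not in (1, n - 1) and not any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(c):
            return c


def fingerprint(pub: PubKey) -> bytes:
    """SHA-256 of the modulus: the value a vendor burns into OTP fuses, not the key itself."""
    return hashlib.sha256(pub.n.to_bytes(64, "big")).digest()


def gen_keypair(bits: int = 512) -> KeyPair:
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % 65537:
            return KeyPair(PubKey(n, 65537), pow(65537, -1, phi))


def sign(kp: KeyPair, msg: bytes) -> int:  # textbook RSA over SHA-256, no padding: toy only
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), kp.d, kp.pub.n)


def verify(pub: PubKey, msg: bytes, sig: int) -> bool:
    return pow(sig, pub.e, pub.n) == int.from_bytes(hashlib.sha256(msg).digest(), "big")


def boot_rom(vendor_key_fp: bytes, owner_key_fp: Optional[bytes], img: BootImage) -> str:
    """ROM stage: the root of trust is the key hash read from OTP fuses, not code in ROM. Returns the
    verified-boot state later reported in attestations. owner_key_fp is an owner-enrolled slot, an
    assumption of this model rather than a description of any particular SoC."""
    if not verify(img.signer, img.code, img.sig):
        return "failed"
    fp = fingerprint(img.signer)
    if fp == vendor_key_fp:
        return "verified"
    if owner_key_fp is not None and fp == owner_key_fp:
        return "self_signed"  # locked bootloader, booting the owner's own signed OS
    return "failed"


def _statement(challenge: bytes, boot_state: str, boot_key_fp: bytes) -> bytes:
    return b"|".join([challenge, boot_state.encode(), boot_key_fp])


def attest(device: KeyPair, device_cert: int, challenge: bytes, boot_state: str, boot_key_fp: bytes) -> Attestation:
    """On-device. Assumes `device` is hardware-bound and non-extractable; nothing here enforces that."""
    sig = sign(device, _statement(challenge, boot_state, boot_key_fp))
    return Attestation(device.pub, device_cert, challenge, boot_state, boot_key_fp, sig)


def verify_attestation(vendor_root: PubKey, att: Attestation, challenge: bytes, policy: Policy) -> Tuple[bool, str]:
    """Relying party: chain to the vendor root, freshness, signature, then policy."""
    if not verify(vendor_root, fingerprint(att.device_pub), att.device_cert):
        return False, "device key not certified by vendor root"
    if att.challenge != challenge:
        return False, "challenge mismatch (replayed attestation)"
    if not verify(att.device_pub, _statement(att.challenge, att.boot_state, att.boot_key_fp), att.sig):
        return False, "bad attestation signature"
    return (True, "accepted") if policy(att) else (False, "policy rejects boot_state=" + att.boot_state)


VENDOR_ONLY: Policy = lambda a: a.boot_state == "verified"                      # the behaviour the thread objects to
LOCKED_ANY_KEY: Policy = lambda a: a.boot_state in ("verified", "self_signed")  # accepts owner-signed, locked devices


def run_demo() -> dict:
    vendor, owner, device = gen_keypair(), gen_keypair(), gen_keypair()
    fuses = (fingerprint(vendor.pub), fingerprint(owner.pub))
    device_cert = sign(vendor, fingerprint(device.pub))  # factory provisioning of the attestation key
    nonce = b"nonce-from-relying-party"  # constructed sample challenge
    out, atts = {}, {}
    for label, kp, code, signed in (("vendor_os", vendor, b"stock OS", b"stock OS"),
                                    ("owner_os", owner, b"GrapheneOS", b"GrapheneOS"),
                                    ("tampered", owner, b"GrapheneOS", b"what was signed")):
        state = boot_rom(*fuses, BootImage(code, kp.pub, sign(kp, signed)))
        atts[label] = attest(device, device_cert, nonce, state, fingerprint(kp.pub))
        out[label] = (state, verify_attestation(vendor.pub, atts[label], nonce, VENDOR_ONLY)[0],
                      verify_attestation(vendor.pub, atts[label], nonce, LOCKED_ANY_KEY)[0])
    out["replay_rejected"] = not verify_attestation(vendor.pub, atts["vendor_os"], b"stale", VENDOR_ONLY)[0]
    return out
```

Calling run_demo() gives the stock OS "verified" and accepted by both policies, the owner-signed OS on a locked device "self_signed" and rejected only by VENDOR_ONLY, the tampered image "failed" and rejected by both, and a reused attestation rejected on the challenge. The two policies diverge on the owner-signed device alone, and the cryptography behind them is identical: excluding the self-signed state is a policy choice of the relying party, which is what the thread is objecting to. Nothing in the model makes the device key non-extractable; that property is what matthewdgreen says only hardware can provide and what the attestation is there to vouch for.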
  • dminik 1 day ago
    It's amazing that we're letting the Google Apple duopoly completely decide who can and cannot use completely unrelated services.

    Imagine getting banned from Google services for anti-google views and being unable to log into your bank account. We really should breakup the Alphabet.

    • quantummagic 15 hours ago
      It is naive to think that this is being done without the full support of the government. They won't step in to stop it.
  • matheusmoreira 16 hours ago
    I always say this when this topic comes up: remote attestation will be how our computing freedom dies. They've made it so that it doesn't even matter if they allow you to install whatever you want. Anything that isn't corporate owned is banned. Own your device? You "tampered" with it. You're banned. From everything. You're ostracized from digital society. You're not even a citizen, much less a second class citizen. Enroll your own keys? It doesn't matter. You're not trusted. You're a fraudster terrorist money launderer drug dealer pedophile.

    While I am glad that people continue to struggle, that GrapheneOS continues to fight and speak out, these developments still fill me with a terrible sadness. The future is bleak. We inch ever closer to the complete destruction of everything the word "hacker" ever stood for. It's a deep loss.

    • safety1st 14 hours ago
      While I agree, I think there's a better way to frame this with the public. We don't need to bring in pedo references. That looks very unhinged to most people.

      There's already a lot of support out there, in both public opinion and the law, for the idea that if I pay for something physical like a device, I own it. Any substantial alteration in its functionality, especially a reduction in what it can do, requires my consent. Reduction in what it can do should require my consent. Just because tech made it possible for the manufacturer to brick my phone or my car, start charging me extra for certain features I already paid for, or block the apps the OS vendor doesn't approve of doesn't mean they should or that it's even legal to do so. Additionally once I buy the device the vendor has zero business telling me how I can modify it, or whether I can repair it.

      I own the thing I bought, fucker. It's my property and I have property rights. The corp has no right to steal away part of the thing I bought or change the terms after the fact. It's potentially criminal if they try.

      This framing resonates with a lot of people.

      The guy who really exemplifies this positioning at the moment is Louis Rossman and by focusing on these widely understood and popular concepts, he's gained the ability to direct an enormous amount of attention to an issue. He can absolutely swamp a legislature with letters from angry constituents for example when he gives an issue visibility.

      Frame it as theft because it is. If they push an update without my consent that removes functionality or sabotages my ownership of the device, it's theft. At the very least product liability laws should apply. Some part of what I bought stops working, that goes to product liability. But I'd take it a step farther and say we're dealing with straight up theft.

      • fransje26 12 hours ago
        > We don't need to bring in pedo references. That looks very unhinged to most people.

        Sorry for how you may feel about it, but that *is* how it's being framed for the public.

        https://europeanconservative.com/articles/news/eu-parliament...

        • rdevilla 11 hours ago
          If they were actually concerned about pedophilia, they'd have to confront Israel first, which obviously is not going to fly.

          "How Jewish American pedophiles hide from justice in Israel": https://www.cbsnews.com/news/how-jewish-american-pedophiles-...

          "Tens of thousands of pedophiles operate in Israel every year": https://www.jpost.com/israel-news/tens-of-thousands-of-pedop...

          > JCW's chief operating officer Shana Aaronson says the failure begins in the United States.

          > She says there are elements of the Jewish community in the U.S. that are willing to help pedophiles escape.

          • bell-cot 11 hours ago
            Speaking of ways to - rightly or wrongly - veer off on a tangent, and convince large numbers of people that the anti-Big Brother side is unhinged...

            A better counter argument to "catch the pedo" is to bring up cases of creeps who were insiders - law officers, or just techies with access - and used the "well-intended" tech to get at their victims.

            • rdevilla 10 hours ago
              > A better counter argument to "catch the pedo" is to bring up cases of creeps who were insiders - law officers

              Certainly. You mean like that time an Israeli Cyber Directorate division chief fled Nevada for Israel after being investigated for soliciting a minor for sexual purposes?

              https://www.haaretz.com/israel-news/2025-08-21/ty-article/.p...

              https://archive.is/kNYUo

              • robertlagrant 4 hours ago
                Populations are large. You can draw a pattern in any population.

                I think if I were saying this to convince people that hardware freedom is a good idea, they might think I care less about hardware freedom and more about memorising evil Israeli people to make sure I always have a negative example of an Israeli to mention in conversation.

      • someguyornotidk 13 hours ago
        The problem with the reasonable framing you suggest is that it gets thrown out of the window the moment someone utters Protect the Children®. I'm willing to bet that most people, including those with kids like myself, don't truly believe that surrendering our basic rights to better protect the children is a rational thing to do, but they would never dare to push their opinion publicly. The few that do get all but labeled as, you guessed it, fraudster terrorist money launderer drug dealer pedophiles.

        It's the the Emperor's New Clothes in real life but for morals. No amount of Rossmanning is going to help society walk back its collective hypocrisy.

        • pocksuppet 13 hours ago
          I don't actually believe this. People don't actually believe every car should have a GPS tracker so that if a pedophile drives a car, the police can track it. That is a ridiculous argument, and if they make it, there should be something you can say to make it blow up in their face. Unfortunately, as we've all now discovered, winning arguments isn't about being right, so I don't know which words you can say to make the obviously stupid argument sound obviously stupid.
          • someguyornotidk 13 hours ago
            > People don't actually believe every car should have a GPS tracker so that if a pedophile drives a car, the police can track it.

            It's not about what people believe, but what they are willing to publicly push back against. If such a law was proposed today, I bet it would pass because the only discussions around it would be whether the data can be kept safe and what punishments to dole out if the car owner access this data. Arguments about privacy will be waved away or dismissed without debate.

            In fact, let's make a pointless bet: I bet my imaginary internet reputation that the US or EU will pass a law within the next 10 years that requires the continuous recording and collection of data that not only includes GPS, but also face and audio data whenever a car is in motion. This law will impose severe punishments on any owner that accesses this data or deletes it.

            I desperately fear for my family and want things to improve, but we are going to lose this battle.

            • vim-guru 11 hours ago
              This was already in place in the EU back in 2024. Look up DDAW. You can turn off warnings, but it will still keep on monitoring the driver
            • pocksuppet 11 hours ago
              I think most people would think, and say, that giving every car a GPS tracker so that if a pedophile drives a car, the police can track it, is a terrible idea.
          • throwawayqqq11 13 hours ago
            "Criminals will adapt and avoid while the public gets transparent." Is my simple response.
            • someguyornotidk 12 hours ago
              Not only transparent, but exposed and vulnerable to attack. It's truly a lose-lose situation.
          • close04 13 hours ago
            People already showed that they will swallow anything as long as it's attached to "protect from the terrorists" label. Protect the children is an even more powerful extension. Few people ever really have to worry about terrorists but kids, that's a different story.

            My logical assumption is that all terrorists and pedophiles will concentrate in the areas where they have legal exceptions from being monitored by multiple different parties at any given time. Legislators and the like. To play one of their cards, why would people who love to say "innocent people have nothing to hide" have something to hide?

          • kortilla 12 hours ago
            Legislation is already passing to make cars spy on you under the guise of preventing DUIs. They didn’t even need to stoop to the pedo references.
        • Animats 13 hours ago
          There's an answer for that now: "Release ALL the Epstein files."
        • brigandish 12 hours ago
          I have decided that if they'll play dirty then I will. If someone says "protect the children" then I smear those saying it, e.g.

          Keir Starmer wants to protect children? He put Mandelson into government even though he was mates with Epstein. Doesn't sound like someone who cares about protecting children to me.

          Rinse and repeat for any politician or political side, they are all only a step or two away from someone who's done something horrible to children. It doesn't matter to me whether I really think it's true or not (though in the example I've used, that is my opinion, who employs someone like that and really cares about children?) but *it does not matter*. This is an us versus them situation, and they are making proponents of freedom out to be criminals at best, paedos at worst. They can take some of their own medicine, and anyone who parrots their line. If ad hominem is the name of the game then let's play, I'm on firmer ground than they are.

          • deaux 9 hours ago
            > Rinse and repeat for any politician or political side, they are all only a step or two away from someone who's done something horrible to children.

            Not true, some aren't. Namely the tiny minority who pushes against this sort of stuff.

    • whstl 13 hours ago
      I love how this is a problem caused by Big Tech (AI), with “solutions” brought by Big Tech (FAANG etc) and “countermeasures” will also be brought in by future billion-dollar industries (domestic-proxy provider BrightData is 1B already) while we will depend on existing Big Tech for “protection” (Cloudflare will remain a big player).

      At this point the internet is exactly like the film Matrix, where humans are merely an implementation detail in the whole system.

    • userbinator 14 hours ago
      Keep fighting. Spread the word. Ensure that everyone you know is aware of the totalitarian implications.

      The only way to sure defeat is to surrender.

      • matheusmoreira 14 hours ago
        I will, but it doesn't look good.
        • kaliqt 14 hours ago
          Then we should step it up a bit.
    • avaer 11 hours ago
      The most dangerous thing in computing is safety.

      "Secure" is great. But when you hear "safe", that means there is some corp in the shadows predating on you because <insert boogeyman>. They decide what safe means, not you. They will abuse you to no end while keeping you "safe".

      That's why companies always remove the features that keep you "secure" and give you ones to keep you "safe".

    • loup-vaillant 12 hours ago
      > these developments still fill me with a terrible sadness.

      I wish they filled you with anger instead. It’s not too late. You’re not alone.

    • timbooktwo 13 hours ago
      A fraudster, a terrorist, a money launderer, a drug dealer, a pedophile—these are actually a huge audience for whom the IT industry can release separate versions of the operating system and hardware. And that audience will pay for it. For the vast majority of ordinary people who consume IT benefits for free (being a commodity themselves), it makes sense to use controlled products.
      • brigandish 12 hours ago
        It doesn't have to be controlled in such a way that it produces monopolies or enables surveillance.
    • repelsteeltje 15 hours ago
      Hardware attestation is like hardware DRM. It is intended to limit and restrict abundance. Abundance of clients (as a proxy for user attention) and abundance of copying, access and replay (as a proxy for "piracy"), resp.

      It won't matter to the masses, it won't hamper "bad actors" because hackers will find flaws instantly.

      It's just enshitfication.

      • matheusmoreira 14 hours ago
        I hope you're right. I truly do.

        > hackers will find flaws instantly

        Yeah.

        https://tee.fail/

        The ability to circumvent these cryptographic attestations and pretend to be a "pristine" corporate owned device while in fact being free will be a key strategic capability in the future.

        They will no doubt pour billions into improving the technology though. I'm not sure if such a capability can be maintained over the long term. We don't have the resources.

        • repelsteeltje 9 hours ago
          It probably won't matter to the average user: buy Apple, buy Google and be (little bit less) happy while your access to the free web gets little more enshittified...

          ...But there is always at least one hacker.

          The issue with hardening DRM is that at the core it's hard to protect against an adversary with physical access to the device that keeps the very secret. From the vendor perspective, the very customer paying you is your potential enemy.

          That means that the root of trust isn't itself protected with cryptography. Instead, it relies on security-through-obscurity, Faraday cages, fuses, anti-tampering and lots of glue. And it's a numbers game if there are thousands of different devices, potentially with different flaws while your adversaries are hidden among billions of customers.

          There is still a gap between the hacker and main-stream availability, though: laws and legalism, like DMCA that penalize disclosing how the obfuscation and all work.

    • locknitpicker 13 hours ago
      > You're ostracized from digital society. You're not even a citizen, much less a second class citizen.

      Before anyone downplays this concern as scaremongering and slippery slope fallacy stuff, keep in mind that countries are shifting their national ID card infrastructure to online services which are fundamentally designed around attestation. Moreover some class of services such as banking are progressively increasing requirements that your software and hardware need to meet to allow you to manage your own property.

    • bartekpacia 13 hours ago
      all "hackers" be vibe coding b2b saas these days

      the meaning of this word has diluted so much

    • ur2ndphone 11 hours ago
      > Own your device? You "tampered" with it. You're banned. From everything.

      Don't worry officer, my device is completely clean. Here you go check it. Why yes, I absolutely only ever use it for banking and updating linkedin on a suspiciously empty gmail, and keep it on silent 100% of the time. What's so odd about that? What? No, I just re-read a lot of books, that's my hobby, I read Catcher In The Rye 20 times a month.

      ...

      It's about time people realize the concept of a real phone and a civilian phone as one and the same is dead.

      In fact.

      You don't need a "real" phone. Just the civilian one.

      I use what's basically a portable retroconsole for entertainment. Including reading, incidentally. From its perspective, it is just a computer. Let's make it a competition, puny phones versus portable computing. Name me one thing you think it can't do, in return, I'll fire two YOUR phone can't right now, back at you. I'll forward two: It can run tmux and has a copyparty toggle for a portable filestorage on it. Yes, you can do both on the phone. But yours can't right now, and you will suffer trying to get it, while mine, it was 2 command lines and one config file each.

    • Loic 13 hours ago
      For once, we may be "saved" thanks to Trump. Because of the brutal change in geopolitics he triggered, the EU is now actively looking at all the hard dependencies on US controlled systems. Android and iOS are two of them.

      I cannot tell if the alternative solution will be better, but I do think we will develop alternatives.

      • severino 11 hours ago
        The EU is only making these statements until the US has a new president (with the same ideas of Trump, as has always been the case, but saying nice things in public).

        Also, in the mean time, their announced "sovereign solutions for the European citizen" look ridiculous: now you'll be free from Visa and Mastercard for your payments but at the same time you'll need a phone approved by either Apple or Google.

        • ychnd 11 hours ago
          And there is also "sovereign cloud" by microsoft!
      • trallnag 13 hours ago
        Are they really tho? The EU is currently enforcing a digital ID that will depend on Android and iOS in most implementations
        • reddalo 13 hours ago
          Not only that, they're also enforcing age verification, i.e. mass surveillance.
    • cft 11 hours ago
      I think it's quite telling that this comment was written in Brazil. The so-called Third World is the future source of freedom (or Western countries that become third world perhaps). It may not be a bad idea now to start building open compute and banking alternative ecosystems based in those countries, marketed at Western citizens.
    • charcircuit 15 hours ago
      Do you consider being banned in a video game because of hacking to be an example of something killing computing freedom?

      The user still maintains all the freedom of doing whatever computing they want on their own machine, but if they want to play with others who don't want to play with cheaters then they have to use the official client.

      For people who want a high degree of freedom and be able to access as many digital services as possible I foresee such people using a hypervisor that runs both a provable secure OS and another OS that is as free as they want.

      • franga2000 14 hours ago
        How about being banned from online banking, government services and all social networking / communication platforms? Because that's the road we're already heading down.

        What makes you think they will give us this magical hypervisor capability? It's more effort, increases the chances someone finds a bypass and takes power away from the incumbent online platforms. It's so much easier to just prevent it all. The only reason it hasn't happened yet is the amount of devices without this ability in circulation. But that number is shrinking rapidly.

        • charcircuit 14 hours ago
          >How about being banned from online banking, government services and all social networking / communication platforms?

          You aren't banned. You just have to use a secure device. It's like saying that a store banned you because they stopped taking checks and started requiring a credit card since they are more secure and harder to commit fraud with. As a person you didn't lose any freedom. Freedom does not mean someone has to be able to force their will on another person. That sounds like the opposite of freedom to me.

          >What makes you think they will give us this magical hypervisor capability?

          It's not magical. Look at Windows WSL2 which already works like that.

          • przmk 14 hours ago
            It's not about being secure. Google allows devices with up to 10 years without any patches to pass their integrity API. Meanwhile Graphene OS, which is very secure and up-to-date, doesn't pass.
            • notpushkin 14 hours ago
              This. Plus if I want to access my bank account on a device I trust, the bank shouldn’t say “hey we don’t trust it so buzz off”. It’s my money in that account.

              I understand there’s some stupid compliance thing that makes banks do this, but it clearly isn’t a hard requirement, as there’s still plenty of banks that don’t participate in this security theatre.

              • pocksuppet 7 hours ago
                To be fair to your bank, it has to cover you if your money gets stolen through a hack through their app, no matter what your operating system is.
                • notpushkin 4 hours ago
                  I’d very much love to have an option to waive that cover though! Just give me a scary warning “hey, we’ve determined your device is unsafe; so if you get hacked through that device, you agree not to hold us liable for that. proceed? [y/N]”

                  For more specific mitigations, they could issue shorter-living tokens to such devices, in case it gets stolen and it didn’t store the token properly (say, the user did something stupid like “hey I’ll substitute secure enclave with a shim that writes secrets to an SD card”). And they could limit certain critical functions that do require attestation for some reason (e.g. Host Card Emulation, aka “tap your phone to pay”, which they usually delegate to Google Wallet/Pay/Wallet anyway).

                  Wise seems to do it correctly. It works on rooted phones, even, just gives a scary warning and blocks some app functions. They also have a fully functional webapp, so you mostly don’t need the app anyway. Revolut, on the other hand, has outright blocked me from my account – so I’m not using it anymore.

            • charcircuit 5 hours ago
              I am talking about attestation in general. I already left a comment in the thread agreeing with you.
            • mike_hearn 12 hours ago
              They allow old devices to report to Play Integrity. That doesn't mean the service provider requesting attestation has to allow such devices. These things usually give just a risk grade to the service provider and it's up to them to make the decision.

              Graphene OS says they are secure, but the definition of secure they're using isn't the same one the service providers are using, so that doesn't help much.

              The best route forward here is to push for a separation of certification types. Ideally it would be possible to pass the security related aspects of Google's CTS test suite and get approved by Play Integrity without triggering the other parts of Android certification.

          • dmantis 14 hours ago
            > You just have to use a secure device.

            No, you have to use government backdoored device. I.e. the most secure android rom (at least the only rom we know is not penetrable by state-sponsored Cellebrite-based malware) is not covered by google's play protect, while bunch of outdated CVEd phones are.

            Same will go with many hardened Linux machines, QubesOS, Whonix stations, you name it. I'd argue they are far more secure than any average windows/macos installation.

            Hardware attestation has nothing to do with security, it's censorship.

          • inejge 13 hours ago
            > You just have to use a secure device.

            Secure as defined by a duo of monopolists. It's a contractual concept and doesn't have a firm relation to security-related characteristics. I'd trust GrapheneOS to be as secure as anything Google is capable of releasing, but that doesn't help them if Google refuses to vouch for a device running their OS. Which is also why your check/credit card analogy falls flat.

            • charcircuit 5 hours ago
              Graphene supports attestation and any backend service can add support for handling it. No one is forcing people to only use two.
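        As an added illustration of the mechanics argued about in this sub-thread (grishka's point that the first signature check is done by unsigned ROM code anchored only in a fused key hash; mike_hearn's point that attestation yields a risk grade and the service provider decides; charcircuit's point that a backend can choose to accept GrapheneOS's attestation; notpushkin's suggestion of shorter-lived sessions for less-trusted devices), here is a self-contained toy chain in Python. It is not GrapheneOS, Google or any vendor's code. It assumes a ROM that keeps a fused vendor key hash plus an optional owner slot, an attestation service that signs a verdict reporting which key authorised the boot (loosely modelled on how hardware key attestation reports the verified boot key), and a made-up verdict format and grade names. The textbook RSA (hash signed without padding) exists only so the block runs offline with the standard library; it is not a signing scheme to reuse.

```python
# Added example, not code from GrapheneOS, Google or any vendor: toy verified boot
# anchored in a fused key hash, then a relying party grading a signed attestation
# verdict by its own policy. Unpadded RSA, BootROM, the verdict and grades are invented.
import hashlib, json, secrets

def _h(m: bytes) -> int: return int.from_bytes(hashlib.sha256(m).digest(), "big")

def _is_probable_prime(n: int, rounds: int = 8) -> bool:   # Miller-Rabin, odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c): return c

def rsa_keygen(bits: int = 512):
    """Returns ((n, e), (n, d)). Toy: signs a raw SHA-256 value with no padding."""
    while True:
        p, q, e = _gen_prime(bits // 2), _gen_prime(bits // 2), 65537
        if p != q and (p - 1) * (q - 1) % e:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def sign(priv, msg: bytes) -> int: return pow(_h(msg), priv[1], priv[0])

def verify(pub, msg: bytes, sig: int) -> bool: return pow(sig, pub[1], pub[0]) == _h(msg)

def key_hash(pub) -> str:
    """What gets fused into the ROM: a digest of the public key, not the key itself."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()

class BootROM:
    """Stage 0. Nothing verifies this code; its only anchor is the fused hash (+ owner slot)."""
    def __init__(self, fused_key_hash: str, owner_enrollable: bool):
        self.fused_key_hash, self.owner_enrollable, self.owner_key_hash = fused_key_hash, owner_enrollable, None

    def enroll_owner_key(self, pub) -> None:
        if not self.owner_enrollable: raise PermissionError("this SoC has no owner key slot")
        self.owner_key_hash = key_hash(pub)

    def boot(self, image: bytes, pub, sig: int):
        """Returns the hash of the key that authorized the boot, or None (refuse to boot)."""
        kh = key_hash(pub)
        return kh if kh in (self.fused_key_hash, self.owner_key_hash) and verify(pub, image, sig) else None

def issue_verdict(attester_priv, boot_key_hash, os_name, patch_level, nonce) -> dict:
    """The attester signs what the chain reported, including a boot by a non-vendor key."""
    claims = {"boot_key_hash": boot_key_hash, "os": os_name, "patch_level": patch_level, "nonce": nonce}
    return {"claims": claims, "sig": sign(attester_priv, json.dumps(claims, sort_keys=True).encode())}

def evaluate(verdict, nonce, trusted_attesters, accepted_boot_keys, max_age_months, today):
    """Relying-party policy: (grade, session TTL in seconds, allow tap-to-pay)."""
    c, body = verdict["claims"], json.dumps(verdict["claims"], sort_keys=True).encode()
    if c["nonce"] != nonce or not any(verify(p, body, verdict["sig"]) for p in trusted_attesters):
        return "UNVERIFIED", 0, False              # replay, forgery, or unknown attester
    if c["boot_key_hash"] not in accepted_boot_keys:
        return "UNRECOGNIZED_OS", 900, False       # short session, no tap-to-pay
    (y, m), (ty, tm) = (map(int, s.split("-")) for s in (c["patch_level"], today))
    if (ty - y) * 12 + (tm - m) > max_age_months:
        return "STALE_PATCH_LEVEL", 3600, False
    return "MEETS_STRONG", 86400, True

def demo() -> dict:
    vendor_pub, vendor_priv = rsa_keygen()
    owner_pub, owner_priv = rsa_keygen()
    image = b"bootloader v1"                       # constructed stand-in for a real image
    locked = BootROM(key_hash(vendor_pub), owner_enrollable=False)
    open_rom = BootROM(key_hash(vendor_pub), owner_enrollable=True)
    open_rom.enroll_owner_key(owner_pub)
    vsig, osig = sign(vendor_priv, image), sign(owner_priv, image)
    nonce = secrets.token_hex(8)                   # fresh per request, chosen by the bank
    stock = issue_verdict(vendor_priv, key_hash(vendor_pub), "stock", "2025-10", nonce)
    own = issue_verdict(vendor_priv, key_hash(owner_pub), "owner-built", "2025-10", nonce)
    old = issue_verdict(vendor_priv, key_hash(vendor_pub), "stock", "2023-01", nonce)
    strict = {key_hash(vendor_pub)}                # this bank vouches for the vendor key only
    permissive = strict | {key_hash(owner_pub)}    # this bank also vouches for the owner's key
    def grade(v, n, keys):
        return evaluate(v, n, [vendor_pub], keys, 3, "2025-11")[0]
    return {"vendor_on_locked": locked.boot(image, vendor_pub, vsig) is not None,
            "owner_on_locked": locked.boot(image, owner_pub, osig) is not None,
            "owner_on_open": open_rom.boot(image, owner_pub, osig) is not None,
            "tampered_on_open": open_rom.boot(image + b"!", owner_pub, osig) is not None,
            "stock_strict": grade(stock, nonce, strict),
            "owner_strict": grade(own, nonce, strict),
            "owner_permissive": grade(own, nonce, permissive),
            "old_strict": grade(old, nonce, strict),
            "replayed": grade(stock, "stale-nonce", strict)}
```

Running demo() shows the two separate decisions at work: the ROM with no owner slot refuses an owner-signed image outright, while the ROM with a slot boots it and a tampered image still fails; the same owner-built verdict is then "UNRECOGNIZED_OS" under the strict policy and "MEETS_STRONG" under the permissive one, with nothing on the device side changing. The nonce and patch-age checks are the two things a relying party must do itself even when it trusts the attester.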
      • xeyownt 15 hours ago
        I think you got it reverse.

        Gaming and such are dedicated services. Fine if people agree to pay premium to have the required platform / console / etc.

        General services such as communications / banking must be free, and must not require trusted hardware on the end point. The services must be designed to be secure even in the case of compromised end points. But that's against the current trend where all banks are trying to push all the responsibility on the end user because they want to reduce their costs. There are plenty of solutions but they don't go for it because it's not in their interest and they want to squeeze out any little penny of infrastructure cost.

        • charcircuit 14 hours ago
          >How about being banned from online banking, government services and all social networking / communication platforms?

          Defense in depth actually works. It's better security to require a dedicated device to make it harder to commit fraud. This is why credit cards became a secure device instead of just being a magnetic strip.

      • matheusmoreira 15 hours ago
        > Do you consider being banned in a video game because of hacking to be an example of something killing computing freedom?

        No. It's the constant attempts to invade our computers and "prevent" the unwanted behavior that are problematic. See kernel level anticheat nonsense. They want to own our computers.

        > if they want to play with others who don't want to play with cheaters then they have to use the official client

        They should be able to play with whatever client they want. It's their computer, it should run whatever software they want.

        • charcircuit 14 hours ago
          >See kernel level anticheat nonsense.

          This nonsense mainly exists only because the operating system is unable to attest that the app is secure and the right app is what is running.

          >It's their computer, it should run whatever software they want.

          I agree, but companies shouldn't be forced to match cheaters with legitimate players. Cheaters just can't secretly be cheating.

          • matheusmoreira 13 hours ago
            To defend my own freedom, I'm forced to defend scoundrels as well in a totally unhinged manner. So be it.

            > the operating system is unable to attest

            And it should remain unable. There should be no "attestation" of anything. The corporations who want such things should remain unsure of the device's "security". They should just accept it. Let them write it off as a cost of doing business or something. The optimal amount of fraud is non-zero, as they say.

            > the app is secure and the right app is what is running

            These machines are our personal computers. They are extensions of our minds. They are general purpose tools with limitless potential, just waiting to be shaped in accordance to our wills.

            There is no such thing as being "secure" from us. Not inside our own computers. The mere idea of it is offensive. It is an affront to us all. We are the gods of these machines. To attempt to "secure" a video game of all things against us is an attempt to usurp our power.

            > Cheaters just can't secretly be cheating.

            Now that remote attestation is in play, the ability to do that -- forge attestations to pretend to be a corporate owned machine while remaining free and subversive -- has become key. So I'm forced to say that cheaters absolutely should be able to secretly cheat. If the cheater wants to edit his computer's memory or whatever, it's his divine right as the owner of the machine. An inability to do that means our freedom is lost.

            Cheating in video games is literally nothing compared to the loss of our computer freedom. Let the entire industry go bankrupt if it must. We cannot sacrifice it no matter what, and certainly not over something as mundane such as video games. There is so much more at stake here. Ubiquitous access to cryptography. Adversarial interoperability. Our very self-determination in the digital world. Video games are nothing -- and that's coming from a fellow gamer.

            • charcircuit 4 hours ago
              I don't see any consumer nor developer demand to make cheating in multiplayer games an inherent tenet of a computing ecosystem. Attestation is just an optional feature that expands what is possible. Services have no obligation to check attestation or use it as a hard signal to block people. All previously existing freedom is still possible on your computer.
          • loup-vaillant 11 hours ago
            The problem is not that the OS can’t attest the app is secure. The problem with cheating is that the game servers cannot attest the client is genuine in all aspects that matter: non-modified client, running in an environment where there is no inspection of its memory for map hacks, aim bots, and more. The only way to do that is a remote attestation of the entire chain: hardware, locked down OS, app. (If the OS isn’t locked down it can’t prevent the player from running cheating software.)

            The choice is simple: tolerate some level of online cheating, or require remote attestation to run the game. If you ask me, I’d rather take the first option. Locked down game console already make me a bit queasy. A locked down desktop, laptop, or palmtop? That’s not acceptable. People should be able to run any program they want on their computers. If that means the end of online gaming, so be it.

            • iamnothere 5 hours ago
              The solution to cheating is what we used to have: moderated, privately owned servers, and invite-only servers.

              Let the cheaters join the cheat-friendly servers or the foolishly unmoderated servers.

              • loup-vaillant 4 hours ago
                I agree, but then you lose the convenience of centralised match making, and I’m guessing, a number of predatory monetisation schemes. Allowing third party servers however would be a very good way to stop killing games.

                I don’t believe intrusive anti-cheating is required for online gaming to flourish. But even if it was, I would give up Elite Dangerous, for which I have bought a VR setup and built my cockpit, before I give up full control over my PC.

            • charcircuit 5 hours ago
              This is typically handled by the game offering a modding API for people to make mods with. This API limits mods to do things which will not be cheating.
      • greybcg 14 hours ago
        We had fun in online games without kernel level nonsense. Why do I need to compromise my hardware when the problem is an outlier in the social graph? Anticheat is part an arms race and part just raising the bar so people can't cheat too easily. That said you can feed a video feed into a Kria K26 or even a pi or jetson and make automatic targeting completely transparent to the kernel. Then what? Hardware attestation in peripherals?

        How do old boomershooter communities tackle cheaters? When and why do methods that work on a social graph fail or necessitate anticheat? I agree on the hypervisor part. Putting different applications in microvms would be good for isolation.

        • mike_hearn 12 hours ago
          PC gaming has always been rife with statistical inferencing of cheating, accusations of cheating both true and false and resultant low levels of trust that do destroy gaming communities. That's with aggressive software solutions that implement an ad hoc not entirely robust form of remote attestation.

          A lot of gaming migrated to consoles for this reason. They have secure remote attestation implemented properly. Accusing winners of cheating doesn't work there, and it's obvious why that results in happier and healthier gaming communities.

        • charcircuit 13 hours ago
          >We had fun in online games without kernel level nonsense.

          You might have. But there was a percentage of players turned away by cheaters or even just had a bad experience one day because of one. At scale this can cause a bad experience for a ton of players so trying to stop as many cheaters as possible does matter.

          >Why do I need to compromise my hardware

          You don't have to compromise anything. In fact it is optimal to have the system be as secure as possible that way cheats can't mess with the game.

          >How do old boomershooter communities tackle cheaters?

          By limiting the rate of new players. This goes against the wishes of games who want to achieve massive growth.

          >When and why do methods that work on a social graph fail or necessitate anticheat?

          If people provided IDs that could work too instead of anticheat, but usually people do not want to do that just to play a game. It adds friction to the onboarding process.

          • loup-vaillant 11 hours ago
            > You don't have to compromise anything.

            So… I don’t have to compromise the ability to run any program I want on my machine, and I don’t have to compromise the ability to be root on my machine. Right? And of course, when I say "me", I’m talking about everyone, including cheaters. Meaning, we don’t have to compromise the cheater’s ability to run any program they want (that would include cheats), nor their ability to be root on their machine.

            > In fact it is optimal to have the system be as secure as possible that way cheats can't mess with the game.

            Secure for the game company you mean. I want a computer that’s secure for me, that responds to my commands. And again, "me" includes everyone and cheaters too.

            ---

            The online gaming industry is not worth sacrificing individual ownership of computers.

            • charcircuit 5 hours ago
              >So… I don’t have to compromise the ability to run any program I want on my machine, and I don’t have to compromise the ability to be root on my machine. Right?

              Yes. You are free to do whatever you want on your machine.

              >Meaning, we don’t have to compromise the cheater’s ability to run any program they want (that would include cheats), nor their ability to be root on their machine.

              Yep. The only thing the cheater is unable to do is prove to the server that they aren't using cheats.

              >Secure for the game company you mean.

              No I mean that the operating system protects applications from messing with each other. The operating system should isolate each app for security purposes.

              • loup-vaillant 4 hours ago
                > No I mean that the operating system protects applications from messing with each other. The operating system should isolate each app for security purposes.

                Oh but that is far too incomplete a specification. What security purposes? Who are we protecting, from whom? On whose behalf does the OS isolate applications from each other? If it’s on mine, then you bet I absolutely want the ability to lift that isolation in specific cases. It’s my computer, I decide when and how the rules are broken.

                But the moment I have that (a computer and OS that really work for me), I lose the ability to prove that I don’t. If I play an online game, being in control means the game company is not, and I can’t prove to them I’m not cheating.

                I’m not aware of any third alternative.

  • GeekyBear 1 day ago
    I am reminded of the period when secure boot was being developed for PCs.

    Microsoft certainly wanted to be the only company whose OS was allowed to boot with secure boot turned on.

    Google should not be allowed to close the supposedly "open" ecosystem they created any more than Microsoft was allowed to.

    • heavyset_go 17 hours ago
      When it first shipped out, Secure Boot was used to lock other OSes out on early devices, it was after pushback that it was implemented such that it allowed you to enroll your own keys.

      That said, there are countless mobile devices with locked bootloaders and boot integrity attestation that will never run anything other than OEM OSes. That's equivalent to a locked Secure Boot + UKI-like system on PCs and it's already here.

    • ryukoposting 20 hours ago
      > the period when secure boot was being developed for PCs.

      You mean right now? At a firmware level, the scope of "trusted computing" is expanding with every passing year.

      > close the ecosystem they created any more than Microsoft was allowed to.

      We are in the process of allowing Microsoft to close the PC platform. TPM is required to run Windows now. Nearly every new PC ships with "secure boot" enabled, adding a new technical barrier to escaping Windows that didn't exist before. Remove that toggle from the BIOS, and you now effectively have a vehicle to Windows-only PCs.

  • jstrebel 12 hours ago
    Banking apps are the deal-breaker for me. I only do business with banks that offer alternative ways of securing transactions e.g. eTan / ChipTAN / PhotoTAN with a separate reader / generator (see https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbr...). This is probably a pretty European thing to do, but at least it avoids being locked in and being tracked.
    • gsliepen 12 hours ago
      I'm happy that my bank (still) allows me to have both a stand-alone reader and a mobile app to authenticate. Because if you lose your authentication device, a lot of things suddenly get a lot harder.

      I also tried to use an old phone as a backup device. However, most authentication apps only allow it to be installed on a single device.

    • preisschild 12 hours ago
      I did that too (in Austria) for a long time. Fortunately my Bank (Erste Bank / Sparkasse) fully (almost fully, no nfc pay, since it depends on GPay) supports GrapheneOS now
  • OhMeadhbh 22 hours ago
    Partially apropos... There's a Heinlein quote that goes "When a place gets crowded enough to require IDs, social collapse is not far away. It is time to go elsewhere."

    Which I think in this case may mean that I'm hoping an Apple or Google exclusive id system couldn't be ubiquitous enough to be required. But forethought doesn't seem to be modern man's strong suit.

  • CharlesW 1 day ago
    The thread is a bit vague. Am I understanding correctly that GrapheneOS Foundation's objection isn't to attestation per se, but that they can't participate in Google-controlled attestation APIs? In other words, although GrapheneOS can be cryptographically attested, apps using Google Play Integrity won’t accept it because it isn't Google-certified/GMS-licensed?
    • microtonal 1 day ago
      My impression is that they are against remote attestation in apps/websites in general and if apps really want to do it, they should do it using the attestation API that AOSP already provides. The attestation API in AOSP allows companies to trust signing key fingerprints (such as those of GrapheneOS), which means that the attestation system is not controlled by a single company (Google).

      The most damning part about Google Play Integrity is that, as the thread states, Google lets devices pass that are full of known security holes, whereas they do not allow what is very likely to be the most secure mobile OS. This shows that they only use it as a method to shut out competitors and to control Android device manufacturers to pre-install Google software like Chrome (otherwise their devices do not get certified and won't pass Play Integrity).

      IANAL, but anti-competition lawyers/bodies should have a field day with this, but nobody seems to care. Worse, the EU, despite their talk of sovereignty, adds Play Integrity-based checks to their own age verification reference app.

      I recommend every EU citizen, even if you do not use GrapheneOS, to file a DMA complaint about this anti-competitive behavior:

      https://digital-markets-act.ec.europa.eu/contact-us-eu-citiz...

      Also, every time this comes up, @ the relevant EU bodies, commissioners and your government's representative on Mastodon, etc.

      • Hoodedcrow 1 day ago
        > The attestation API in AOSP allows companies to trust signing key fingerprints (such as those of GrapheneOS), which means that the attestation system is not controlled by a single company (Google).

        I wonder if this would exclude rooted OSes, non-relocked bootloaders and things like that? Sorry for stupid question, still not quite understanding how this works.

        • microtonal 1 day ago
          Currently probably not, because there are leaked keys, etc. But otherwise it would, since the verified boot state, etc. is added as part of the signed material.
      • dataflow 1 day ago
        > very likely to be the most secure mobile OS

        > IANAL, but anti-competition lawyers/bodies should have a field day with this, but nobody seems to care

        I'm gonna take a wild guess that proving the above statement in court (and then its necessary impact) might be a significant obstacle here?

        • kelnos 23 hours ago
          You don't really "prove" statements like that. You get some "expert witnesses" to testify one way or another, and your opposition gets some "expert witnesses" to testify the opposite, and then the judge/jury decides who they think was more credible.

          I imagine the way to do this effectively would be to get some well-regarded infosec firms to audit both OSes (from source as much as possible), and also compile lists of vulnerabilities found, fixed, not-fixed, etc. over time. Then you need a witness who can explain all of it in a way that's accessible to and likely to sway a jury.

    • aaronmdjones 1 day ago
      > Am I understanding correctly that [...]

      What I took away from the thread is that they're against services forcing attestation in general, and also pointing out that Play Integrity isn't about security, but rather about control, because Google could trivially make it work with GrapheneOS (which is more secure than any other Android OS on the market) but they won't.

      • CharlesW 1 day ago
        > …Google could trivially make it work with GrapheneOS (which is more secure than any other Android OS on the market) but they won't.

        But if Google did support third-party attestation, would the GrapheneOS Foundation be happy? Most of the thread seems to be a call for attestation to die, which feels impractical and unachievable. But "Google could use it to permit GrapheneOS for Play Integrity if that was actually about security" seems to be the real ask, and that seems reasonable and achievable. If that's true, I think it would’ve been more effective to lead with that and focus on it.

        • microtonal 1 day ago
          Why should Google decide which devices are safe enough to pass remote attestation? Seems to me that if we want this at all, it should be an independent body that approves signing keys of vetted vendors (e.g. vendors roll out security updates timely, etc.).

          As long as this is in Google's hands, they can abuse it to control the market.

          That said, Play Integrity accepting GrapheneOS would be a step forward, but they will never do it, because then other vendors might also want to pass attestation without preloading Google apps.

          • Hoodedcrow 1 day ago
            > Seems to me that if we want this at all, it should be an independent body that approves signing keys of vetted vendors (e.g. vendors roll out security updates timely, etc.).

            This is also a horrible idea. If an OS can be vetoed for untimely security updates, it can also be vetoed for not having something like client-side scanning.

          • foltik 1 day ago
            Then you’re just replacing one DRM cartel with another.

            What would even be the criteria for approval? Pinky promise to not let the end user have full control of their own device? That’s all “integrity” really means in practice. Don’t be fooled by appeals to security.

        • thomastjeffery 1 day ago
          No. That would be a relatively better circumstance, but we would still have the root problem.

          > Most of the thread seems to be a call for attestation to die, which feels impractical and unachievable.

          I disagree, and I expect GrapheneOS devs do, too. Hardware attestation is a new thing, that isn't even really here yet. It absolutely can and should meet its demise.

      • Haemm0r 1 day ago
        It is not only about Google. It's also about the App developers. Nothing prevents them from using the non-Google attestation; however, they decide not to use it (for many reasons). First time you actually notice this is when you installed GrapheneOS (attestation OK and bootloader locked) and some apps complain about a modified/rooted/... device. Another thing is, that you are warned by your Google device while booting that something is "not OK".
    • laserbeam 1 day ago
      It's impossible to say. But as a reminder from Cory's first talk on enshittification... When Google and Facebook were small, they would argue for open protocols and competition. Facebook would reverse engineer MySpace's protocols to allow people to migrate away. Once FAANG became dominant, they went the opposite direction to build monopolistic practices.

      GrapheneOS is still small and appears honest. Despite them being in the right in this fight and them deserving our support... We gotta keep them honest in the long run!

      I don't think there's any way to tell if a small company will keep their values if they succeed in getting enough market share.

      • BrenBarn 22 hours ago
        > I don't think there's any way to tell if a small company will keep their values if they succeed in getting enough market share.

        That is why all companies should be small and no company should ever have a huge market share.

    • zb3 1 day ago
      It's a different thing if banking/government apps require a device certified for security, and a different thing if this certification certifies that the user's device has Google spyware preinstalled with elevated privileges..

      Google doesn't certify devices based on security, so that kind of attestation should have no place in banking/government apps, otherwise it just enforces the duopoly

      • surajrmal 1 day ago
        It's hard to listen to arguments when everything is so hyperbolic. The stated rationale for attestation for captcha is to ensure there is a human on the other end and not a bot. This requires a system which is not capable of automated input. The other use case is for ensuring that an application is running on a system which protects the app from being tampered with (by the user, malware, or otherwise). While that seems to run counter to the preferences of the hn userbase, it is a legitimate desire from an application developer.

        Neither of these situations are related to any so-called spyware. The fact that Google is involved here had to do with the fact that they are a trusted party for folks to rely on to ensure the desired properties are being met, nothing more. In theory it should be possible for other parties to provide similar attestation, but that party needs to be deeply involved in the OS and boot chain. Apple is obviously capable and is equally trusted. Graphene probably provides the necessary properties but lacks a good way to attest due to the reliance on Google specific attestation APIs. That could be remedied. Otherwise Graphene would need to create their own APIs and applications would need to use them, which would be a harder sell. In both cases the party asking for the attestation needs to decide to trust Graphene, which is still a barrier, but that's an easier way forward. Alternatively, Google could trust Graphene and everyone who already trusts Google would inherit such trust.

        • nullc 21 hours ago
          > it is a legitimate desire from an application developer

          I want a pony! A legitimate desire. So it's okay if I rifle through your underwear drawer in case there are any ponies I could take?

          Requiring there be a physical phone is a speedbump at best ( https://i.dailymail.co.uk/i/pix/2017/05/12/13/403C0D44000005... ) and so de-anonymizing every person using the internet by attaching them to a device and allowing google to track them is not sufficient, nor is the privacy loss necessary for the kind of improvement they could realistically hope to achieve.

          But moreover, even if the panopticon were highly effective and even if it were the only option to achieve that end we should still reject it because it's wrong.

        • zb3 19 hours ago
          > It's hard to listen to arguments when everything is so hyperbolic.

          The frog is slowly being boiled so that people start to accept things which would be unthinkable in the past. Whoever refuses to bend nowadays sounds hyperbolic or insane, but I'm just using the "absolute temperature" here, you know...

          > Neither of these situations are related to any so-called spyware. The fact that Google is involved here had to do with the fact that they are a trusted party for folks to rely on to ensure the desired properties are being met, nothing more.

          They're NOT fulfilling that purpose here - read the post, insecure devices with Google Mobile Spyware pass that, while GrapheneOS doesn't. Yes, Google is trusted to ensure these security/ratelimiting properties are met, but instead uses/abuses that trust to ensure their anticompetitive business goals are met. Google is not an independent attestation authority and should not be treated as such, what Google is doing here should be (and most likely already is) illegal.

          > Alternatively, Google could trust Graphene and everyone who already trusts Google would inherit such trust.

          While far from perfect, that would be better, since we'll then only rely on having their hardware (legitimate business) and not their adware/spyware preinstalled with elevated privileges (illegitimate business, illegal monopoly).

    • izacus 1 day ago
      There's a thread a while back where they were VERY angry at someone trying to set up their own attestation project database (essentially a list of known Android builds and their signatures).

      They want apps to add their signing hashes manually just for them and don't want to join projects that would aggregate and act as a database or certificate authority.

      • microtonal 1 day ago
        You mean Universal Attestation, which is from a vendor cartel, of which most of the individual vendors are typically waaaaay behind security updates, etc.
        • izacus 23 hours ago
          No, it wasn't those. It was another EU org.
  • revolvingthrow 1 day ago
    Is it possible to dual-boot on android? It sounds defeatist but I no longer believe it’s possible to change course - the increasingly authoritarian governments, google and most moneyed interests are all on the same side, so it’s just a matter of when.

    Being on the palantir-approved google ranch for the few Apps You Need + graphene (or some other alt OS) for everything else would be quite inconvenient, but still better than carrying two phones, which nobody wants to do.

    • strcat 14 hours ago
      Dual booting would sacrifice a lot of the hardware-based security feature integration and would be much further from passing attestation checks. GrapheneOS fully supports hardware-based attestation but Google doesn't permit it in the Play Integrity API. Directly booting the fully unmodified stock OS is required to pass the hardware attestation checks for the stock OS. GrapheneOS appears as GrapheneOS in the attestation metadata and a dual boot setup would appear as that specific dual boot setup. Since it would have a bunch of security sacrificed for it, it would be far harder to convince services to permit that. It would be counterproductive.

      GrapheneOS has near perfect app compatibility other than the Play Integrity API banning it from the overall tiny number of apps using it. It has per-app compatibility toggles for privacy and security features which trip other anti-tampering checks, find memory corruption bugs in apps, etc. There are a couple known compatibility issues from anti-tampering checks from the secure spawning feature but it has a toggle.

      The stock OS isn't what's needed but rather directly booting it from the firmware with 0 modifications. Dual booting would require booting something else and major modifications to deal with hardware APIs not designed for multiple operating systems using them at the same time. Secure element / TEE APIs including the hardware keystore and attestation, etc. are not designed for dual boot. A/B updates, verified boot, firmware updates, etc. would need to be dealt with by the bootloader system. It would be complex and messy. The end result would not be a hardened device or one compatible with standard attestation checks.

    • nout 16 hours ago
      Some retrogaming devices have multi-boot options where you can pick between android and linux (e.g. Anbernic RG353V).
    • vegenaise 16 hours ago
      i cannot speak to the current situation, but years and years ago, it was a thing. i had a crappy motorola razr smartphone in like 2012 that i set up dualboot on, and i think i also had dualboot on my google nexus 5, though i could be mistaken about that. it was a thing though.
    • palata 23 hours ago
      Well, authoritarian governments don't like to be at the mercy of another country. So even for authoritarian governments it would make a lot of sense to allow open source alternatives like GrapheneOS instead of depending entirely on US monopolies.
    • zb3 19 hours ago
      GrapheneOS said that's not possible, but I'd actually want to see some expanded explanation.

      TEE attests that the OS is booted with a given AVB key, OS version and the bootloader unlock state..

      But I know that vbmeta is per-slot, so I guess the whole chain is.. I also read that if you flash "custom_avb_key", the original AVB key is also permitted..

      Could this mean we could theoretically dual-boot while being able to flash the OS manually using fastbootd?

      Credential Encrypted userdata would be inaccessible though, I'm not sure if the second OS could mount that partition at all.

      But I'd like someone more competent to address all this.

      • strcat 14 hours ago
        Dual booting would be much further from passing attestation checks and would be incompatible with a bunch of the hardware-based security features. The boot slots are needed for A/B updates and include the firmware partitions. They're not useful for this and don't provide useful functionality for it. It would be entirely possible to build a bootloader for loading multiple different operating systems but it would be a hacked together mess without proper firmware updates or security. It would require heavily modifying both GrapheneOS and the stock OS to fit them into it. It would require losing a lot of the hardware-based security integration. What would be the point? The end result would be much further from passing attestation checks than GrapheneOS. GrapheneOS has near perfect app compatibility with the exception of the Play Integrity API. Other anti-tampering checks are largely compatible with GrapheneOS with the exception of tripping from certain hardening features which is increasingly being resolved with workarounds and there are toggles to avoid it already.
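The comments above from microtonal (companies can trust signing key fingerprints through the AOSP attestation API; the verified boot state is part of the signed material) and from zb3 (the TEE attests the AVB key, OS version and bootloader unlock state) describe the same structure from two sides. As an added example, not code from GrapheneOS, Google or anyone in the thread, the block below parses the relevant subset of the Android key attestation extension (the AOSP KeyDescription schema: RootOfTrust under tag [702] of the hardware-enforced list) and applies a relying party's own policy over it. Assumptions: the certificate chain back to the hardware attestation roots and the revocation check are done before this step and are not shown; the sample attestation, its version numbers and the two verified boot key fingerprints are constructed stand-ins; and the policy accepting both Verified (green) and SelfSigned (yellow, the state reported when the device boots with a user-flashed AVB key) as long as the key hash is on the trusted list is my reading of the approach the comments describe, not something the page states. osVersion and osPatchLevel live in the same hardware-enforced list and are omitted here.

```python
"""Added example; not code from GrapheneOS, Google or any commenter.
Parses the hardware-signed Android key attestation extension (AOSP schema) and
applies a relying party's own policy: trust chosen verified boot key
fingerprints rather than a Play Integrity verdict. Certificate chain and
revocation checks are assumed done first. Sample data is constructed."""
import hashlib

SW, TEE, STRONGBOX = 0, 1, 2                            # attestationSecurityLevel
VERIFIED, SELF_SIGNED, UNVERIFIED, FAILED = 0, 1, 2, 3  # verifiedBootState
TAG_ROOT_OF_TRUST = b"\xbf\x85\x3e"  # [702] EXPLICIT RootOfTrust: context-specific, constructed, high-tag form

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: bytes, value: bytes) -> bytes:
    return tag + der_len(len(value)) + value

def der_int(v: int) -> bytes:
    return tlv(b"\x02", v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def der_seq(*items: bytes) -> bytes:
    return tlv(b"\x30", b"".join(items))

def parse_tlv(buf: bytes, pos: int = 0):
    """Decode one DER element at pos: (tag bytes, value bytes, position after it)."""
    start, pos = pos, pos + 1
    if buf[start] & 0x1F == 0x1F:  # high tag number: further tag bytes while the MSB is set
        while buf[pos] & 0x80:
            pos += 1
        pos += 1
    tag, length, pos = buf[start:pos], buf[pos], pos + 1
    if length & 0x80:              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_seq(value: bytes) -> list:
    items, pos = [], 0
    while pos < len(value):
        tag, inner, pos = parse_tlv(value, pos)
        items.append((tag, inner))
    return items

def fingerprint(label: bytes) -> bytes:
    """verifiedBootKey is the SHA-256 of the AVB public key; stand-in labels are hashed here."""
    return hashlib.sha256(label).digest()

STOCK_KEY = fingerprint(b"stand-in: OEM stock OS AVB key")
GRAPHENE_KEY = fingerprint(b"stand-in: GrapheneOS AVB key")
TRUSTED_BOOT_KEYS = {STOCK_KEY: "stock-oem", GRAPHENE_KEY: "grapheneos"}  # the relying party decides this list

def build_attestation(boot_key: bytes, locked: bool, state: int, challenge: bytes, level: int = TEE) -> bytes:
    """Constructed KeyDescription carrying the fields the policy below reads (versions illustrative)."""
    root_of_trust = der_seq(
        tlv(b"\x04", boot_key),                          # verifiedBootKey
        tlv(b"\x01", b"\xff" if locked else b"\x00"),    # deviceLocked
        tlv(b"\x0a", bytes([state])),                    # verifiedBootState
        tlv(b"\x04", fingerprint(b"vbmeta stand-in")),   # verifiedBootHash
    )
    return der_seq(
        der_int(4), tlv(b"\x0a", bytes([level])),        # attestationVersion, attestationSecurityLevel
        der_int(41), tlv(b"\x0a", bytes([level])),       # keymasterVersion, keymasterSecurityLevel
        tlv(b"\x04", challenge), tlv(b"\x04", b""),      # attestationChallenge, uniqueId
        der_seq(),                                       # softwareEnforced (empty here)
        der_seq(tlv(TAG_ROOT_OF_TRUST, root_of_trust)),  # teeEnforced; EXPLICIT tag wraps the SEQUENCE
    )

def read_root_of_trust(key_description: bytes) -> dict:
    tag, body, _ = parse_tlv(key_description)
    if tag != b"\x30":
        raise ValueError("KeyDescription is not a SEQUENCE")
    f = parse_seq(body)
    for t, inner in parse_seq(f[7][1]):  # teeEnforced only: softwareEnforced is written by the OS itself
        if t == TAG_ROOT_OF_TRUST:
            _, rot, _ = parse_tlv(inner)
            key, locked, state, _vbhash = parse_seq(rot)
            return {"level": f[1][1][0], "challenge": f[4][1], "key": key[1],
                    "locked": locked[1] != b"\x00", "state": state[1][0]}
    raise ValueError("no hardware-enforced RootOfTrust")

def evaluate(key_description: bytes, expected_challenge: bytes) -> tuple:
    """Which OS booted, and did it boot with verified boot intact and the bootloader locked?"""
    rot = read_root_of_trust(key_description)
    if rot["level"] == SW:
        return False, "software attestation only"
    if rot["challenge"] != expected_challenge:
        return False, "challenge mismatch (stale or replayed attestation)"
    if not rot["locked"]:
        return False, "bootloader unlocked"
    if rot["state"] not in (VERIFIED, SELF_SIGNED):  # green, or yellow with a key vetted below
        return False, "verified boot state %d" % rot["state"]
    os_name = TRUSTED_BOOT_KEYS.get(rot["key"])
    return (True, os_name) if os_name else (False, "verified boot key not in trusted set")
```

Calling `evaluate(build_attestation(GRAPHENE_KEY, True, SELF_SIGNED, nonce), nonce)` yields `(True, "grapheneos")`, while the same key with an unlocked bootloader is refused before the key is even looked up. The point of the structure is that nothing in `TRUSTED_BOOT_KEYS` is Google's decision: the hardware signs the key hash, lock state and boot state, and each service chooses which hashes it accepts. Two practical cautions a real deployment cannot skip: the server must bind the `attestationChallenge` to a fresh nonce per request (otherwise a captured attestation from a clean device can be replayed), and it must only read `teeEnforced`, since `softwareEnforced` is populated by the OS and a compromised OS can write anything there.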
  • Anonyneko 5 hours ago
    We will be truly screwed when internet providers only allow attested hardware to access the internet. Doesn't even seem like an outrageous outcome anymore.
  • thecatapps 1 day ago
    With all of the discourse around hardware attestation, digital ID, and age verification in recent weeks/months, is there actually any good solution to the problems these existing tools (Privacy Pass, WEI, Fraud Defense, uploading IDs) claim to solve? Are there open and privacy-preserving standards that can solve the problem of bots and minors? If not, what would be required to establish one, and is it realistic?

    Businesses will do what businesses will do, but it seems to me having something to point to and saying "do this instead" is more effective than "this sucks and isn't even about security, don't do this at all" even though it's true.

    • krupan 22 hours ago
      What even is the problem? I keep my kids computers in the living room where it's easy to see what they are doing. Their lan shuts down at night when I'm asleep. They don't get full control of their own cell phone until they are around 16-years old. Bots on social media discourage me from using it which is a Good Thing if you ask me.
      • SchemaLoad 20 hours ago
        The problem is that companies have a legitimate reason to want to block AI agents and verify the users are actually real. And it's incredibly difficult to do that when the old methods of clicking on squares or reading blurry words don't work anymore.

        Solving proof of humanity is very difficult without tying to some kind of difficult to replicate or automate ID.

      • ezfe 18 hours ago
        > Bots on social media

        ... are not problems, no - but bots in general are

    • xinayder 23 hours ago
      > Are there open and privacy-preserving standards that can solve the problem of bots and minors? If not, what would be required to establish one, and is it realistic?

      Ideally there shouldn't be standards for this. What we have already is enough.

      Companies claiming they are closing down their services/devices to protect the users is total BS. Facebook has admitted they get 10% of their ad revenue from scams, and that's the reason they won't go after scammers on their platforms.

      Same can be said for Google. They could come up with numerous ways to block bots or make captchas harder for actual bots (while also not flagging every non-Chrome user as a potential bot, like they do nowadays), but they pretend this is an unsolvable problem that requires a nuclear solution, it used to be Web DRM but now it's called Fraud Defense.

      • Ajedi32 51 minutes ago
        I disagree. Bots have always been an issue, but now every form of CAPTCHA that can be solved by a human can also be solved by a multi-modal language model. Bots are slowly taking over in forums where they previously would have been immediately spotted and banned.

        If the only argument you can make every time someone proposes an onerous, privacy-destroying solution to this problem is deny the problem exists, you're going to lose.

        GP is correct, we need an alternative we can point to.

  • acgourley 1 day ago
    It's so obvious to me states need to create a soul bound identity system, replace social security numbers with it, and then let everyone else use cryptography on top of that (which is now cheap when you don't care about sybil attacks) to do private stuff.
    • kcb 1 day ago
      Any system mandated by the government will have a backdoor to deanonymize users. Nothing would convince me otherwise.
      • acgourley 1 day ago
        Let me try anyway (maybe I'm a masochist)

        First I'll say the government already has an ID system with a backdoor they mandate you use (your federal social security ID and state ID). The backdoor isn't very interesting because anyone with your ID in hand also has it.

        So how about this:

        1. State assigns citizens an ID at birth
        2. State allows citizens to submit a public key along with their ID at any time
        3. Citizens can go to their bank / private social network / whatever and say "this is my public key, you can use it to sign messages to me, and you can verify someone a) alive and b) a citizen of $state is reading it" (from here you can bootstrap whatever protocol you want)
        4. The state<>citizen network established in (2) is constantly under attack as stealing someone's private key is valuable so you also need a legal and technical framework to defend it

        The protocol for submitting private keys and defending it from attack is a much longer post, I'm convinced there are ways to do it that drastically favor defense over offense, but that's not the point here.

        Our question is can a government force its way into the protocol you bootstrapped on top

        How would they?

        1. They could reset your public key to one they control the secret to, and then impersonate you digitally to break into your bank or social network. However I don't think they could do this secretly (the key update would necessarily be publicly visible), so it's not really a back door. They can already do this with a search warrant. And if you're paranoid you can bootstrap your secondary cryptographic networks with multiple factors. So, this is on net more secure for you.

        2. They could try to recover your secret key by force or warrant - but again not a back door.

        I think the real concern isn't backdooring, it's blacklisting. If this system becomes the L1 for every L2 cryptographic interaction, they can practically remove your ability to freely transact. But that's a political problem you address with political means, I'm convinced from a technical perspective this is more secure and far cheaper for everyone.

        • rahkiin 19 hours ago
          Whatever clever crypto system you think of: if it needs to work for the general population, it needs to go hand-in-hand with UX.

          Say your example: a user generates a pub/priv keypair locally and shares the public one with the government. How does the government know you’re rightfully sending the ID? How does the user know what they are sending? Can the app/website/tool/person at post office they are using to generate+store+send the public key be trusted by the user? How can the government give trust to the user that this tool/person can be trusted?

          And there we have attestation again. Or walled app stores, or certification as we have for physical services.

    • vvpan 18 hours ago
      Yeah, agents are making self sovereign identity so much more relevant. We have all the technology. But identity is the main driver of the monopolies, they won't give it up unless forced to, maybe not even then.
    • realusername 1 day ago
      The places you actually need an ID are so rare, I don't think it's worth it to build such a system (and no, porn or social network definitely aren't valid use cases).

      It's a problem in search of a solution.

      • elric 1 day ago
        > It's a problem in search of a solution.

        The cynic in me suspects it's a way of slowly but methodically eradicating online anonymity and thus anonymity in general.

        • acgourley 1 day ago
          I think it would make the web MORE anonymous, not less!

          The reason it's hard to boot up a secure social network (such as Signal) is the handshake for (re)identifying people. Signal makes a ton of conceits here (the UX essentially asks people to assume phone numbers are securely held) in the name of low friction and it's why they grew so fast. The "real" secure social networks are essentially too difficult to get real adoption because they don't make these conceits around phone numbers, and demand real key exchanges.

          But if you had a L1 set of private and public keys the government works to maintain and defend, the L2 social networks like Signal (or banks, or markets, whatever) can do this cheap and easily.

    • 2OEH8eoCRo0 1 day ago
      My driver's license should have some anti-tamper identity proof that can do a challenge response. Or let me go pay a few bucks for an identity proof at the post office.

      There must be a dozen other ways smarter people can think of but identity verification kills profits so the smart people don't work on them IMO. It's more profitable for social media to be an astroturfed shithole. It's more profitable to remove control of your PC.

      • hakfoo 1 day ago
        Social media in an ad economy serves two masters.

        End users should be authenticated so you can prove you're selling real eyeballs in the demographic mix you claimed to marketers and to provide lip service for the 'think of the children' regulators.

        But anyone who's paying for ads should have as little friction as possible to dropping money and spewing garbage.

        I'm surprised nobody is looking at some sort of "corporations are people" angle here-- we've attested the device ownership, but it's owned by the Lorem Ipsum Corporation, which is a legal/demographic dead end and spawned just long enough to buy the device.

    • SilverElfin 1 day ago
      We also need liability. Every time someone’s data is lost, the company losing it must be held accountable. They owe us huge amounts of money, and executives + board members should be jailed. No free pass.

      Let’s see then if they really want to collect all our information all the time. Right now, they take it and handle it irresponsibly because they’re free from consequences.

      • redleader55 19 hours ago
        The dependency tree for anything in the software world is so large that liability like you describe is not feasible. Tomorrow Anthropic's latest model will find an RCE in SYNs being sent to a server? Who is "liable" when you lose your Google account, your bank account, access to your car and all ways to prove to the government you are who you are, all at the same time?
    • altairprime 1 day ago
      You just need to deploy auditable (source-available, reproducible-build, firmware checksums LCD on-chip) biometrics booths that generate private keys from normalized biometric inputs, and then use those ephemeral private keys to generate and sign portable identity keys. Most people have fingerprints and retina patterns and that’s twelve signatures on an identity alone, allowing for continuity across severe biometrics events like regrown fingertips etc.

      A nonprofit business could do this if backed by all existing dotcom and bitcoin billionaires. But they’d all want to profit from it, so either non-profit (NGO) or governmental it is.

      Fun fact: this is already a core function of USPS. They serve as an identity verification hub for both US passports and their informed delivery and PO box services. They just have a human-dependent process rather than an identity-generator booth. So they’d be perfectly positioned to take your ID, hand you an attestation request QR code, and get your identity-signatures on it — without being able to reverse-engineer your biometrics from those signatures, but still being able to detect gross variances when someone else tries to lie about being you in a future verification.

      Anyways, none of this will likely ever happen, but the rich tech folks could make it happen at any time if they cared to. Instead we get THE ORB which is doing retinas as a for-profit without auditable artifacts or hardware. Sigh.

      • no_time 8 hours ago
        >biometrics booths that generate private keys from normalized biometric inputs

        Isn't this basically worldcoin? Aside from the fact that worldcoin is run by people I wouldn't trust to watch my cats for an afternoon, the core principle with well thought out ZK crypto could work well.

      • acgourley 1 day ago
        I think you can do it without any biometrics at all, although using it as a second factor could make it smoother.

        I'd propose the primary factor is social - when a child is born there is a recorded attestation from the family and care providers about the minting of a new soul. When keys are compromised you similarly seek attestations from your social network (or social worker) that you need to furnish a new key.

        The network could be attacked by literal force, blackmail, or deception, but it's very expensive compared to the defense (strong legal punishment for attempts to subvert the network).

        That last part is why I think the state has to do it, not technologists. There has to be a strong legal and cultural immune system in place to defend the network.

        • altairprime 1 day ago
          That’s adjacent to birth certificates and passports already, with some variations on a theme per country, but certainly I don’t object to it. But I’m still infuriated at having to provide a birth certificate to LinkedIn to support a legal name change, so I encourage further design at the interface between “citizen identity” and “online identity(s)”. Your idea has merits and isn’t like others I’ve seen, so it’s worth considering in more detail!
  • TowerTall 19 hours ago
    The linked article only seems to cover Google and Android devices. Microsoft also have their take on this.

    > "Microsoft Pluton security processor is a chip-to-cloud security technology built with Zero Trust principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services."

    https://learn.microsoft.com/en-us/windows/security/hardware-...

  • AppAttestationz 14 hours ago
    I agree with Graphene's take here.

    I've defended app attestation against baseless criticism, but this is a valid take.

    The only nuance I would make is that hardware attestation as a technology isn't inherently anti-competitive but rather the way these companies implement it.

    I would love to see a non-profit attestation service that publishes a list of allowed OS's, and roots that are deemed secure based on reality.

  • mtrovo 9 hours ago
    It's the 3rd or 4th thread like this on the front page and it's still not clear to me what the alternatives are that privacy advocates vouch for. Dead internet theory is happening, you have botnets with more budget than most of the third world countries and you could also add openclaw usage to the same bucket. There's a real need for a protocol or specification for how to attest that an action was really done by a human and that human can be proven to be the one the service provider thinks they are. I don't think cryptography by itself would solve that right now.
    • deaux 9 hours ago
      > Dead internet theory is happening, you have botnets with more budget than most of the third world countries and you could also add openclaw usage to the same bucket.

      So what's the actual issue here? That on HN and Reddit and Instagram and X there'll be a lot of bots? As if they haven't been overrun by human astroturfers/etc for ages. Even ignoring that, what's the biggest issue you see with that, and why is it so big that it's fine to just enable a monopoly?

      Your presumption that there has to be an alternative is flawed. Maybe there is none. You're saying there's a real need, great. There's also a real need for sexual assault to be completely eliminated worldwide. I think everyone would agree that that need is far bigger than bots on social networks. Doesn't mean we should just jail everyone just in case.

      You're manufacturing a need here as so important that by definition the ends justify the means. They don't.

  • codethief 11 hours ago
    What I've failed to understand in this whole Google reCAPTCHA discussion so far: How is this even going to prevent bot usage and increase security? What's going to stop a bot farm in SE Asia from running a fleet of Android devices?
    • nroets 3 hours ago
      It will certainly make some bot farms unprofitable: Remember that they are now paying for a screen, a battery, a 5G radio, software licenses, branding, distribution and customer support for which they have no use.

      Also consider this: While bot farms may be able to buy millions of Android devices, they will certainly attract a lot of scrutiny as they approach the billion mark. So bot farms will never own more Android devices than humans.

  • mattmaroon 1 day ago
    So basically, ReCaptcha should be spun off into a not-for-profit.
    • nroets 3 hours ago
      The board members will be lobbied, wined and dined by billion or even trillion dollar companies. If politicians can be bought then so can non-profits.

      Having said that, there may well be room for a niche recaptcha-like service run by a non-profit. Perhaps one that uses a non-profit social graph or something.

  • jgord 21 hours ago
    What freedoms do we value? Freedom of speech, freedom of compute, freedom to own assets, to sell our work or give it away, bodily autonomy, freedom to travel, to read, to learn?

    Amid the massive hype of the Web3 Crypto era, there was a kernel of useful innovation: that you can choose to have unique digital copies of things, and thus you can have a way of sending value that bypasses the middlemen, be they local thugs, bent politicians, violent regimes, benevolent dictators, or the dominant hegemony.

    Having central big-Corp approve your content or sign your executable or take a vig on your sales, or license your hardware - these may be common, but are not a universal law of nature.

    The internet itself is our best example of the value of technology open for all to use. Frankly, that is in danger.

    Whether it is bogus age-checks in your OS, a hidden BIOS OS, or the move away from owning your own compute [because the GPU / CPU and RAM are priced so high you have to rent them], consumers need to pool resources and ensure open access.

    Kudos to France for mandating a Linux OS for their public service workforce. Good on the Europeans for doubling down on renewables to insulate themselves from petrodollar volatility, and making sure portable devices have replaceable batteries.

    Cory Doctorow has some great rants on enshizzification. Gary's Economics YT channel has some great rants on why high inequality steals resources, see also Piketty.

    The technocrats on this forum have an understanding of these measures the common person may not, and thus a moral obligation to weigh in on the issues and warn 'genpop'.

    Resist, don't let the buzzkills wear you down.

  • yowo 1 day ago
    I literally switched away from banks whose apps don't work on GrapheneOS
  • bobmarleybiceps 1 day ago
    it's so great to see people boosting "security" in a way that also just happens to require locking in to big-tech approved apps that send all your data to big-tech so that they can deliver ads to you via your big-tech approved device using your big-tech approved OS running your big-tech approved browser showing your big-tech approved video platform with your big-tech approved content (oh, and also sends your data to your big-tech approved government)
  • ethagnawl 19 hours ago
    Seems to me like Microsoft might be opposed to this duopoly and have pockets deep enough to fight it, right? For one, this would make their possible re-entry into the mobile space harder and more costly but I guess it'll inevitably become a standard that other providers could fulfill.
    • userbinator 18 hours ago
      On the contrary, Microsoft was one of the early promoters of such technology; look up Palladium/TCG/NGSCB.
      • ethagnawl 7 hours ago
        Right. I know full well they're not philosophically opposed. However, this current duopoly does exclude them and increases their burden if they should ever want to re-enter this market.
  • OsrsNeedsf2P 20 hours ago
    I'm surprised there aren't more HNWs supporting GrapheneOS. Seems like the Venn diagram of rich people and techies who care about this would have quite some overlap, and Graphene, despite its many faults, is doing a lot of groundwork in this space
  • roer 12 hours ago
    Check if there are local digital rights groups to your country/area. I just joined two I didn't even know about. Meeting up and talking with likeminded people is a great way to get motivation for bigger change.
  • willtemperley 13 hours ago
    I found this an approachable way to understand the problem: https://byteiota.com/hardware-attestation-monopoly-tool-2/
  • momo26 15 hours ago
    How sad that I spent a thousand dollars to buy the phone but can't own it at all. Hardware attestation is like having a CCTV in my device, reporting everything to the company. If I want to use a safer OS, then I will be excluded by the digital society cuz most apps don't support it...
  • ajdude 1 day ago
    > Google's reCAPTCHA is planning an approach where they use Privacy Pass on Apple hardware, their own approach on Google Mobile Services Android devices and a QR code scanning system to require an iOS or Google certified Android device for Windows and other systems

    I wonder if we'll get something similar happening with cloudflare

    • xinayder 23 hours ago
      If you use Turnstile you can skip all the Cloudflare captchas.
  • SilverElfin 1 day ago
    It is definitely a monopoly enabler. But also a threat to speech. You can only participate online if you have attested hardware. And that hardware will be tied back to you. It’s another threat to privacy like age verification laws.
    • mohamedkoubaa 1 day ago
      Safety is the pretext. This is the actual reason why this is happening, and why it is accelerating now
  • qwertytyyuu 15 hours ago
    Man I hate threads like this, they get interrupted by comments and the cadence is all weird because of the character limit
  • himata4113 15 hours ago
    Heh, makes me laugh. Just recently I was trying to get Play Protect 'certification' in a virtual machine; it took a bit of haggling and legitimately obtained Samsung software to bypass it (and a 3 day gpt-5.5 /loop).

    Google has proven time and time again that they don't want to make this technology foolproof and I severely doubt this will be any different.

    Although I do agree that hardware attestation as a captcha is pure bullshit no matter the context.

  • sophrosyne42 20 hours ago
    Patents and copyright were the original form of monopoly. As long as software is not open source, it is by definition a monopoly
  • puilp0502 11 hours ago
    > Google defines certification requirements for Android which includes forcing bundling Google Chrome, etc.

    Isn't this a textbook case of an antitrust lawsuit? Y'know, with the whole ordeal with Windows/IE, I assume the court would find this as blatantly anticompetitive behavior.

  • lifeisstillgood 15 hours ago
    How does this work ? I am not sure I understand it.
  • aleksejs 1 day ago
    > It doesn't provide a useful security feature, but it does lock out competition very well.

    This seems to presuppose that service providers using reCAPTCHA are either clueless idiots or actively expending resources and lowering their conversion rates to support the supposed Google/Apple duopoly. That does not strike me as a plausible claim.

  • aussieguy1234 20 hours ago
    Taken a step further, we could be heading for a world where if you don't run the Dictator's approved device including all of its spyware, you're locked out of everything.

    I'm sure this will happen in non-free countries quickly if Hardware Attestation becomes commonplace to access basic services.

  • martin-t 20 hours ago
    Observations:

    1) Only law can fix this. Anybody (looking at you ancaps) telling you "if you don't like it, start a competitor" doesn't understand how the economy and network effects work.

    2) The general population is a combination of not caring and not even being smart enough to be able to understand. If everyone votes on everything (like most "democracies" where you vote for parties), bigger issues like healthcare, abortions, LGBT will dominate and everything else is noise.

    3) People who don't know what public-private crypto or zero-knowledge proofs are shouldn't be allowed to vote on issues where these are relevant factors.

    4) We need to fix voting so people can vote on only the stuff they care about and only the stuff they are actually informed about. This works in small teams of highly competent people - at work or in FOSS - and only when they have the same goals. Politics is by nature adversarial and I don't know how to fix this.

  • p0w3n3d 23 hours ago
    To think I'm gonna live in a cross-state totalitarian world
  • minraws 1 day ago
    I mean sure Google & Apple are evil, but don't we all need some evil in our lives, EU citizens doesn't matter we love the evil and honestly we enjoy it.

    What can't we do for these two companies we will beg, we will bend, we might even consider grovelling as long as the evil is around, to help us find the greater evils in the world. That is, the people we don't like, might be the bad guys today, but just don't worry you will be the bad guy too, just wait until the bad guys get into power...

    I haven't read The Hobbit or The Lord of the Rings but man if this isn't greed corrupting all men then I don't know what is.

    I feel sick of all this, I might really just move out and live the rest of my life out on the farm somewhere.

  • xyzal 11 hours ago
    This is exactly why legislation like the Digital Markets Act is needed.
  • vvpan 1 day ago
    Miss that monopoly busting of yesteryear. The elephant in the room is that private forces who do not have public good in mind have gotten way too powerful to the detriment of everybody's well-being. Everybody's except the state's surveillance wings.

    Break them up. Break them up. Break them up.

  • comandillos 1 day ago
    These kinds of things just make me want to use Graphene even more, or literally any platform that isn't the monopoly ones. Somehow I think AI and vibecoding, even if it may sound like an unpopular opinion, will allow people to build free ecosystems and actually usable devices that don't rely on the usual providers.
  • b112 20 hours ago
    I can barely read this; something supposedly this serious would be much better as a single page, a cogent, actual article.
  • charcircuit 20 hours ago
    Being able to cut out abuse from things like cheaters is too useful of a tool for developers to give up. The big problem here, as mentioned in the thread, is that the list of approved hardware is not based on maintaining the security of the attested application but on Play services licensing.
  • tamimio 22 hours ago
    The best workaround for now (as the solution is always to change these regulations, not technical workarounds) is to have a secondary smaller phone that has the SIM card, Google botnet services, etc., and use that for any verification needed or login to banks or whatever, and keep this device turned off in your house so they don’t track you too, and use it where needed. That while also pressuring web services not to use reCAPTCHAs and similar invasive services.
  • einpoklum 23 hours ago
    Not to rain on the parade, but doesn't GrapheneOS only work on Google Pixel devices? I mean, that's still in the Google jail on a physical level, even if they swap out the software.
    • criticalfault 23 hours ago
      They made a deal with Motorola; from next year we should have an alternative.

      In any case, Google started to cause issues with the Pixel 10, so it's not as easy to port it

      • strcat 15 hours ago
        GrapheneOS has full support for 10th generation Pixels. It was much harder to add initial support for them than past generation Pixels but it isn't harder to maintain now that they're supported.

        There should be multiple 2027 Motorola flagships meeting all the requirements for GrapheneOS. They'll be providing official support for it and they're already working on porting GrapheneOS to their devices.

  • mrexcess 23 hours ago
    There are a number of technological / legal hybrid policies developing that come at the very jugular vein of computing freedom - the notion of a “general purpose” computer itself. OS level identity / age verification, hardware attestation, walled garden app signature requirements. All evincing the same aim.
  • TZubiri 1 day ago
    Ironically, the other top article on HN right now is CVE-2024-YIKES.

    You can't have the cake and eat it too. Maybe we need to close some doors, especially if the barrier for publication is literally just a couple of prompts and uploading the result to a distributor like npm or the Play Store.

    • userbinator 15 hours ago
      You can't have the cake and eat it too.

      One of our Founding Fathers said it best (I know the original context was different, but it fits so well with the current theme): "Those who give up freedom for security deserve neither."

      Also, "the optimal amount of crime is nonzero."

    • fsflover 13 hours ago
      A Big Brother dictating what is allowed isn't necessary for your security. Virtualization can be the solution. See: https://qubes-os.org
  • rasengan 1 day ago
    I agree hw attestation is net negative when forced upon end users. OTOH, when service providers use it, it results in transparency to end users [1] so it's really about how it is used.

    [1] https://bmail.ag/verify

  • rvz 1 day ago
    Well there you have it.

    > Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.

    Even the "beloved" EU government is in on it, and banking apps are pushing for this too. They do not care about you and the so-called "Open Web" is already dead on arrival.

    [0] https://grapheneos.social/@GrapheneOS/116551068177121365

    • bigyabai 1 day ago
      > They do not care about you

      By "they" you mean FAANG and the FTC, right? Telling the EU to respect the Open Web does nothing to protect users if you continue to approve the export of attested hardware. America is deliberately abetting authoritarian schemes.

      • rvz 1 day ago
        > By "they" you mean FAANG and the FTC, right?

        You might need to read the sentence again since I was quite clear who I was talking about:

        "EU government"

        "banking apps"

        ...and everyone else who benefits from pushing "digital payments, ID, age verification, etc." that will use "Apple's App Attest and Google's Play Integrity" APIs.

        It isn't that hard to understand.

        • bigyabai 1 day ago
          There are only two companies enabling those crooks, as far as I can see it. If America refuses to take action, then this power will be abused by worse governments like Russia and China.
  • ls612 1 day ago
    Asymmetric cryptography and its consequences have been a disaster for the human race. I’m not even joking: all of the centralization of power and the rise of totalitarianism that tech is driving is downstream from asymmetric cryptography.
    • grishka 1 day ago
      It's not asymmetric cryptography itself. It's the fact that it takes enormous resources to manufacture modern SoCs, such that the economy only makes sense if you're churning them out by millions at least. It's also the fact that they can't be modified after they've been manufactured.

      It's basically those people who can manufacture chips having technological supremacy over the rest of humanity.

      • ls612 1 day ago
        It doesn’t matter if you can produce SOCs if your hardware isn’t trusted.
        • grishka 1 day ago
          What if you can copy someone else's SoC including their keys?
          • ls612 1 day ago
            I guess read-only memory is another requirement, but that is very old technology; we have never had asymmetric cryptography without read-only memory.
    • __MatrixMan__ 1 day ago
      My introduction to asymmetric cryptography had to do with protecting myself from the authorities while buying drugs on the internet.

      One of its first applications anywhere was protecting anti-nuclear protestors from government provocateurs.

      We could prevent so much fraud if we could only convince the credit card companies to start using it (instead of printing a symmetric secret on the outside of the card).

      It's predominantly a force for good. If anything, it's a bit anarchical.

      What you're noticing is not the leading edge of a set of harms brought about by asymmetric cryptography, but rather the late stage of adoption where the bad guys realize that their enemy's sword has had two edges all this time. Every technology that mediates an adversarial relationship goes through this eventually.

      With the printing press came temporary freedom followed by intellectual property. So too with radios and the FCC. So too with social media. It's useless to blame the technology. Blame the people.

      • ls612 21 hours ago
        My point is that as far as I understand (not a cryptography expert) once you have the mathematical concept of asymmetric cryptography you also have the mathematical concept of a certificate, so you can't have one without the other.
        • __MatrixMan__ 19 hours ago
          Well, it goes one way, so yeah you can't have a mathematically verifiable certificate without asymmetric key-pair cryptography.

          It's just that there's nothing pro-authority about making it easy for people to verify: "this data hasn't changed since the signer signed it." It's a neutral capability.

          There are cases where we can and should blame technologists for building antisocial things that shouldn't exist, but I think that cryptography for the most part falls on the pro-social side of that spectrum.

    • amarant 1 day ago
      FFS, cryptography is not the problem. How many times will we have to shut down that particular stupidity? Asymmetric cryptography is a cornerstone of basically all online secure communications, and has been since before Google and Apple were even founded as companies! (First invented in 1970)

      When did Https ever hurt you? That's built on asymmetric cryptography. Wherever you see the word "secure" it's basically shorthand for asymmetric cryptography.

      Https

      Ssh

      Sftp

      E2ee

      It's asymmetric cryptography all the way.

      • ls612 1 day ago
        Easy there I don’t want to take away your encrypted messaging. I’m just pointing out that the technology that enables it also enables the techno-totalitarianism we have been seeing rise since the mid 2010s
        • amarant 1 day ago
          >Easy there I don’t want to take away your encrypted messaging

          Then stop trying to take away the technology it's built on

        • nullc 21 hours ago
          You're just not going far enough: the dual use technology suppressing human liberty in this case isn't asymmetric crypto, it's _computing_.
    • userbinator 15 hours ago
      This is an extreme opinion and is not surprisingly unpopular and downvoted but one must realise that it is exactly how the governments were thinking when they wanted to ban encryption, and how the export restrictions and classification as a munition came about. Now companies are wielding it against us.
      • ls612 2 hours ago
        I think you misunderstand the point I'm making. Governments love having this centralized ability to attest hardware and control what software can be run. This is why for instance the EU has really slow-walked and watered down side loading requirements for Apple.
    • krautburglar 21 hours ago
      Exactly. The weapon is available to all, but only parasites like FAANG can afford to hire the best brains who know how to wield it. As Apple uses it to take a 30% cut of everything on their device, the “democratized” PGP features in mom’s mail client gather dust.
    • nullc 21 hours ago
      You don't need asymmetric crypto to do remote attestation like this.

      Google can put an HMAC key in each device which it knows and keeps secret. The device can author authenticated messages using it. Of course, only Google can verify them, but it appears that the workflow in this depends on Google in any case and if anything that limitation would be more a feature to them than a bug.

    • lpcvoid 1 day ago
      I disagree, I think you cast the net way too wide. Asymmetric cryptography enables secure communication in the first place. It's being used nefariously by Google and Apple, of course, but that's to be expected from big tech.
      • rossjudson 1 day ago
        Nefariously how?
        • microtonal 1 day ago
          Remote attestation also uses asymmetric cryptography. (Device-bound private key that can sign attestation challenges, a known public key that can verify that challenge was signed with the device-bound private key.)
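The two challenge-response flavours sketched in nullc's and microtonal's comments above, as an added example that is not from this thread or from any vendor's protocol: a per-device HMAC key that only the key holder (the vendor) can verify, beside a device-bound Ed25519 key whose signature any relying party with the public key can check, plus the nonce bookkeeping that stops a captured response from being replayed. The message format, the `dev-42` identifier, and the sample keys are constructed assumptions for the illustration, not Play Integrity or App Attest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Illustrative challenge-response attestation (constructed for this example; the
// message format and names are made up, not any vendor's real protocol).

// challengeBytes binds a response to the device identity and a fresh nonce so a
// captured response cannot be replayed for another device or another session.
func challengeBytes(deviceID string, nonce []byte) []byte {
	msg := []byte("attest-v0|" + deviceID + "|")
	return append(msg, nonce...)
}

// newNonce returns 32 random bytes; the verifier issues one per session.
func newNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// ---- Symmetric variant: per-device HMAC key shared only by device and vendor ----
// hmacAttest is what the device computes over the challenge.
func hmacAttest(deviceKey []byte, deviceID string, nonce []byte) []byte {
	m := hmac.New(sha256.New, deviceKey)
	m.Write(challengeBytes(deviceID, nonce))
	return m.Sum(nil)
}

// hmacVerify can only run where the key database lives, i.e. at the vendor.
// A relying party without the keys has no way to check the tag itself.
func hmacVerify(keyDB map[string][]byte, deviceID string, nonce, tag []byte) bool {
	key, ok := keyDB[deviceID]
	if !ok {
		return false // unknown device, or this verifier simply lacks the secret
	}
	return hmac.Equal(tag, hmacAttest(key, deviceID, nonce)) // constant-time compare
}

// ---- Asymmetric variant: device-bound private key, publicly checkable signature ----
// sigAttest is what the device computes; only the device ever holds priv.
func sigAttest(priv ed25519.PrivateKey, deviceID string, nonce []byte) []byte {
	return ed25519.Sign(priv, challengeBytes(deviceID, nonce))
}

// sigVerify needs only the public key, so any relying party can run it.
func sigVerify(pub ed25519.PublicKey, deviceID string, nonce, sig []byte) bool {
	return ed25519.Verify(pub, challengeBytes(deviceID, nonce), sig)
}

// relyingParty remembers the nonces it issued so each response is accepted once.
type relyingParty struct {
	issued map[string]bool
}

func newRelyingParty() *relyingParty { return &relyingParty{issued: map[string]bool{}} }

// issue creates and records a fresh nonce for one attestation session.
func (rp *relyingParty) issue() ([]byte, error) {
	n, err := newNonce()
	if err != nil {
		return nil, err
	}
	rp.issued[string(n)] = true
	return n, nil
}

// accept consumes the nonce and checks the signature; a second use of the same
// nonce (a replayed response) is rejected before any crypto runs.
func (rp *relyingParty) accept(pub ed25519.PublicKey, deviceID string, nonce, sig []byte) bool {
	if !rp.issued[string(nonce)] {
		return false
	}
	delete(rp.issued, string(nonce))
	return sigVerify(pub, deviceID, nonce, sig)
}

func main() {
	// Constructed sample keys; a real device key would be provisioned at manufacture.
	deviceKey := []byte("constructed-per-device-hmac-key")
	vendorDB := map[string][]byte{"dev-42": deviceKey}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	nonce, _ := newNonce()
	tag := hmacAttest(deviceKey, "dev-42", nonce)
	fmt.Println("vendor verifies HMAC tag:        ", hmacVerify(vendorDB, "dev-42", nonce, tag))
	fmt.Println("third party verifies HMAC tag:   ", hmacVerify(map[string][]byte{}, "dev-42", nonce, tag))
	rp := newRelyingParty()
	n, _ := rp.issue()
	sig := sigAttest(priv, "dev-42", n)
	fmt.Println("relying party verifies signature:", rp.accept(pub, "dev-42", n, sig))
	fmt.Println("replayed response accepted:      ", rp.accept(pub, "dev-42", n, sig))
}
```

The third-party check on the HMAC tag is the point of nullc's remark: the symmetric design works, but it makes the key holder the only possible verifier.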
      • ls612 1 day ago
        Isn’t the ability to create certificates guaranteed conceptually once you have asymmetric crypto? In that case there is no intermediate technology which allows key exchanges without also creating digital totalitarianism.
  • gib444 1 day ago
    [flagged]
    • microtonal 1 day ago
      They recently said that in the future they want to do more long-form posts just in their discussion forum and then link to it from Mastodon, etc.
      • gib444 9 hours ago
        Well nothing is stopping them
  • derelicta 23 hours ago
    Mark my words: ten years from now, the Chinese web will be more free and open than any Western country.
    • SchemaLoad 20 hours ago
      In China they have solved this issue already by having every website log in with your phone number which is already directly tied to your Chinese ID.

      Problem is some countries don't lock down their phone numbers this far so for this to work you have to whitelist country codes which have secured phone numbers.

    • krupan 22 hours ago
      Isn't half the reason companies push for these sorts of controls so they are allowed by the Chinese government to do business there?
  • gibbsrich 1 day ago
    This was a wild ride, what an adventure. So many moving pieces, this really is just one big house of cards.
    • gibbsrich 4 hours ago
      I definitely posted this on the wrong thread, I am sorry
  • iamkrazy 1 day ago
    It's still not too late. With the help of Claude et al., we can make a truly open mobile OS from the ground up. We can make an app translator that can translate Android and iOS apps to our OS. We can make deals with manufacturers to start shipping phones with this OS. We have the will; there's enough of us on this site to make an impact. All we need is good leadership. Please, somebody with enough clout, step up.
    • applfanboysbgon 1 day ago
      The OP is from an already-existing open mobile OS, which already has a deal with a manufacturer. The problem isn't, and has never been, making an OS. This is not a technical problem. This is a political problem.
      • whatsupdog 1 day ago
        But that open mobile OS is still a fork of Android, which is too hell bent on privacy (which is not a bad cause, but something that masses don't care about). We should focus on an OS which is hell bent on UX, UI and other features that masses crave.
        • SchemaLoad 20 hours ago
          None of that helps the OP issue of hardware attestation for reCaptcha.
    • krupan 22 hours ago
      You really don't know the limits of LLMs. They can't make anything "from the ground up"; they are only as capable as what they were trained on. Someone had an LLM make a C compiler and they found code regurgitated verbatim from existing compilers. You'd better believe that any OS it writes will look astonishingly similar to an existing open source one.
  • gyush 20 hours ago
    It seems to me that comments here are reading this as saying attestation is bad, when the real argument is that attestation should explicitly provide a path of inclusion for non-Apple and Google providers.

    The headline seems to make the statement that Apple and Google are evil and doing this for monopoly lock-in, and GrapheneOS, a competitor, will stand for the people against that. But given their final counterpoint is that they should have been included too and they rant about being rejected from Google's Play Integrity API for unclear reasons they claim are malicious, it seems they do acknowledge there's security value here: we do critically need full-chain-of-signature attestations for critical identity data, the only way to avoid someone using AI to create fraud identities trivially.

    • ysnp 5 hours ago
      They have commented elsewhere that any inclusion/exclusion criteria (if at all) should be transparent and collaboratively decided rather than arbitrary, monopolised or ineffectual/deceptive. They mention several times that people should not be excluded from web services for browser/OS choice.
    • Georgelemental 19 hours ago
      That is not what GrapheneOS is saying. They mention their exclusion as proof that attestation has nefarious motives, not because they would be OK with it otherwise