Right now, the vast majority of users are being bombarded with a one sided narrative of how 'insecure' their devices are. They read almost everyday about someone losing their life's savings due to 'hackers'. In this environment, they genuinely believe locking down their devices will make them more secure and prevent them from being 'hacked'.
The powers that be make sure that the people never hear the other side. That people are giving absolute control to large corporations. In my experience, once the issue is framed as 'Google will decide what you can do with your phone' every single person is immediately outraged.
If you want to make a meaningful contribution, however small, then make it a point to educate people about the control they are giving to large corporations like Google. It doesn't take much to convince them that Google et al don't have their best interests in mind. They already know it and have experienced it. The second thing to do is to encourage them to reach out to their member of congress via letters. It's easy enough to do, and politicians are terrified of going against voters. They rely on people's ignorance to quietly work against their constituent's interests while supporting whichever special interest happened to donate the most to their campaign fund.
Apple already does this and practically no one is outraged
I think with Apple in particular, this is the issue. Apple have largely demonstrated that they _do_ often have the users best interests in mind (or at least at some point have had) on the basis that the users are Apple’s primary customers. Yes, Apple lock down iOS functionality but this has often been to deliver innovative features. Users don’t mind that they’re in a walled garden because, they like the walled garden.
This is where Google is a different case. Google’s interests are aligned with mass data collection rather than products people love. Most Google users have experienced how this impacts them negatively at some point, usually with the degradation of their products, and constant advert spam.
Google is an example of a company that the mass majority assumes to be in the wrong. Apple often isn’t.
We understand that, as the saying goes, if you're not paying for something then you are the product.
But less technical people don't consider that, and don't have hoards of technical friends to convince them otherwise. They just think: they using the product, so they're the user, right? We know that's true but it's not the same thing as customer. Most people don't have that distinction in their head.
It's even partially true that Google does want to do things that attracts and retains users, because that's a prerequisite for selling them to advertisers. In my experience, that's an upper bound on the amount of thought most non-technical people would give it.
With Apple customers, a better argument to make is to say that Apple applies a 30% 'tax' on all activity on their phones. That they are being forced to pay more compared to non Apple users in spite of having bought their device fair and square.
99% of the payment activity I do on my phone (buying retail goods, travel arrangements, paying invoices) has no additional cost.
They really want to though. Maybe consider that.
Google now pulls the rug on Android which is a whole different story because it used to be open. The whole idea of Android was to be open.
Is that really so? Does the average iPhone user actually factor the app store tax into their decision to purchase the device? Or do they just assume that is just how all software works because they have no exposure to software ecosystems outside the iPhone app store
They do not use zero knowledge proof systems or blind signatures. So every time you use your device to attest you leave behind something (the attestation packet) that can be used to link the action to your device. They put on a show about how much they care about your privacy by introducing indirection into the process (static device 'ID' is used to acquire an ephemeral 'ID' from an intermediate server) but it's just a show because you don't know what those intermediary severs are doing: You should assume they log everything.
And this just the remote attestation vector, the DRM 'ID' vector is even worse (no meaningful indirection, every license server has access to your burned-in-silicon static identity). And the Google account vector is what it is.
Using blind signatures for remote attestation has actually been proposed, but no one notable is currently using it: <https://en.wikipedia.org/wiki/Direct_Anonymous_Attestation>
There are several possible reasons for this, the obvious one is that they want to be able to violate your privacy at will or are mandated to have the capability. The other is that because it's not possible to link an attestation to a particular device the only mitigation to abuse that is feasible is rate limiting which may not be good enough for them - an adversary could set up a farm where every device generates $/hour from providing remote attestations to 'malicious' actors.
I still don't see how you can keep something anonymous and still rate limit it. If a service can tell that two requests came from the same party in order to count them then two services can tell that two requests came from the same party (by both pretending to be the same service) and therefore correlate them.
But once you get the response you can unblind the signed signature and obtain the token (which is just the unblinded signature). This token can then be used once either because its blacklisted after use (and it expires before the next day starts for example).
The desired property of blind signatures is that given a token it's information theoretically impossible to determine which blinded signature it came from (because it could have come from any of them) even if the cryptographic primitive is broken by a mathematical breakthrough or a quantum computer. There is technically the danger that if the anonymity set is too small and all the other participants collude you can be singled out.
Correlating times is a threat vector that needs to be managed either by delaying actions (not tolerable by normal users) or by acquiring tokens automatically and storing them in expectation. Or something other I haven't thought of probably. There is also a networking aspect to this, you will need a decentralized relay server network that masks origin of requests.
The premise of this is to keep the person issuing the tokens and the person accepting them from correlating you.
The issue is when you have more than one service accepting them. You go to use Facebook and WhatsApp but they're both Meta so you present the same unblinded signature to both services and now your Facebook and WhatsApp accounts are correlated against your will. And they have a network that does the same thing, so you go to use a third party service and they require you to submit your unblinded signature to Meta which allows them to correlate you everywhere.
You would never do this as it defeats the entire purpose of using blind signatures to begin with.
It's not the user who wants any of this to begin with. "You would never do that" except that it's now the only way to be let into the service.
Yes, those AI startups can also buy cheap Android phones at scale, but it's a bit harder because they'll pay for stuff that their bots have no use for (a screen, a battery, a 5G radio, software, branding, distribution, customer support etc).
You can make variations on this for a wide spectrum of rate limiting behaviors.
But also I agree with xinayder's comment-- the anticompetative, anti-privacy, invasive surveillance is unacceptable. There is a lot of risks with ZKP's that we just make the poison a little less bitter with the end result being more harm to humanity.
I think ZKP systems are intellectually interesting and their lack of use helps make it more clear that the surveillance is really the point of these schemes, not security because most of the security (or more of it) could be achieved without most of the surveillance.
But allowing the apple google duoopoly to control who can read online is wrong even if they did it in a way that better preserved privacy.
And because I can't believe no one else in the thread has linked to it: https://www.gnu.org/philosophy/right-to-read.html
But how are you preventing multiple services from using the same value for service_domain_name because they're cooperating to correlate your use?
Not sending the same value twice would prevent them from being correlated, but now what are you supposed to do when you run out? Running you out could even be the goal: You burn a token to get a cookie and now you can't clear your cookies or you'll be denied a new one since you're out of tokens.
Of course, I think the effective purpose of google's attest feature is to invade everyone's privacy which we should assume is part of why they don't use privacy preserving techniques. Privacy preserving techniques could still be abused, however.
Maybe they're even worse for humanity because they make bad schemes more palatable. I think right now I lean towards no: the public in general will currently tolerate the most invasive forms of these systems, so our issue isn't that they're being successfully resisted and the resistance might be diminished by a scheme which is still bad but less bad.
Like imagine that someone managed to extract key from the specific device and distributed that key in a software implementation to fake attestation. Now Google needs to revoke that particular key to disallow its usage. This is obvious requirement.
Saying something like "the problem is not hardware attestation, but that they don't use ZKP".
You are normalizing the new behavior. You shouldn't. It doesn't matter if they use ZKP or the latest, secure technology for hardware attestation. The issue is hardware attestation. It's the same with age ID. The issue is not that Age ID is prone to data leaks, the problem itself is called Age ID.
I remember the WEI apologists trying to do the same thing to derail the argument. The problem is the goal, not the details. Just say no: DO NOT WANT!
Honestly, if the only way to secure your banking system is by locking down users' devices, there is something really bad going on at your end, security-wise. Your system should be secure even without locking down user hardware.
When online banking was first created it was an absolute chaos zone. Everyone was accessing it from desktop machines riddled with viruses and malware. There are endless stories of being discovering their life savings had been wired to Belarus by some malware running on their machine that had grabbed their banking credentials when they logged in.
https://www.google.com/search?q=site%3Akrebsonsecurity.com+b...
https://krebsonsecurity.com/2017/07/how-a-citadel-trojan-dev...
> U.S. prosecutors say Citadel infected more than 11 million computers worldwide, causing financial losses of at least a half billion dollars.
Half a billion dollars, by a single guy with a single virus!
Different parts of the world came up with different solutions for this. The US made all ACH payments reversible and international wires difficult, but that just meant the receiver paid for fraud instead of the person whose machine was full of viruses. This was an obviously bad set of incentives and hacky panic-based fix. Banks elsewhere in the world settled on providing users with authenticator devices that looked like small calculators into which you could type transaction details after plugging in a smart card. Malware could still steal all your financial data but it couldn't initiate transactions.
Obviously, all this was a hack. What was needed was computers that were secure. Apple and the Android ecosystem eventually delivered this, and the calculator devices were retired in favour of smartphones with remote attestation. This was better in literally every way, for 100% of users. Firstly, it protects financial privacy and not just transaction initiation. Secondly, it's a lot more convenient to use a device that's always with you than a dedicated standalone single-use computer. Thirdly, adding remote attestation made no difference because that's what the calculator devices were doing anyway. Fourthly, even in the case of customers of small American banks that weren't capable enough to manage dedicated hardware rollouts, getting rid of fraud instead of pushing liability around allows for lower prices and fewer headaches.
So remote attestation is a non-negotiable requirement for digital banking of any form. When Microsoft didn't deliver most banks preferred to literally manufacture and sell their customers single-use smartcards that remotely attested by you manually copying numbers back and forth between screens. Or they hid the cost of rampant fraud in the price of other services until such a time that Apple/Google saved them.
The price the owner pays for this is that they're locked out of their own expensive general-purpose computing device while still having to bear all the inconveniences (babysit OS updates, configure stuff, keep it charged, have the battery fail, buy a new device every five years, etc.)
In the meantime, the standalone chip-and-TAN device costs 30 bucks, is powered by three AAA batteries that hold their charge for five years, lives for 20 years, and never needs a single software update.
I'd choose the small single-purpose device over the enshittified, locked-down smartphone every single time.
What I'm claiming is that banks have the freedom of offering their customers 2FA other than smartphone apps.
> Do you even have a phone that does not support hardware attestation or is all this posturing about something hypothetical?
All the phones I own, including my daily driver, run some flavor of Debian. None of them support hardware attestation.
I'm in Europe, bound by PSD2, and own a couple of cheap, certified chip-and-TAN devices so I can do banking.
I think you're naively presuming the issue is simple and easy to address with a letter.
Regardless of your bank, payment systems such as Visa and Mastercard have blocked transactions involving mainstream online stores such as Steam because they unilaterally deemed some games to be problematic. You cannot fix this problem with an email.
We have over 30 years of the world wide web and for these more than 3 decades this was never a problem. Suddenly, we "need" to create new technology that seem to be security features, but are essentially just being used for evil, thus being inherently bad.
It's not like these technologies were created for the greater good and misappropriated by bad actors. They were proposed by bad actors in the first place, they cannot not be inherently good.
captcha/spambots has been a problem since USENET
I don't think remote attestation (or even more so its umbrella technology, trusted computing) is nearly as specifically targeted as DRM.
> We have over 30 years of the world wide web and for these more than 3 decades this was never a problem. Suddenly, we "need" to create new technology that seem to be security features, but are essentially just being used for evil, thus being inherently bad.
I agree that requiring remote attestation for generic web use is evil. It's way too heavy-handed an approach better reserved
I still don't think this somehow outright disqualifies the technology itself.
Are you seriously trying to suggest copyright infringement has not been an issue over the last 30 years? Both of them are solutions to problems that we've had over the last 30 years and were created for the greater good to solve problems that developers were facing.
DMCA is abused every. single. time.
Like literally hundreds of thousands, every day.
The policy is "I will not let you access this system unless your system software implements this technological protection."
A camera is technology. A security camera is policy, because it's a camera hooked up to policies on how to watch, record, and respond to what is required, and it is a political effort when connected with laws about face masks, prohibiting spray painting of the cameras, and allowing privacy intrusions.
People have woken up to the truth as the pieces come together.
This article from 2022 is fun to look at and see how prescient it was: https://news.ycombinator.com/item?id=29859106
A TPM with measured boot (SecureBoot) does exactly this, remote attestation is how Alice proves to Bob that it is in a trusted configuration and wasn't tampered with.
A TPM where the device owner can't take ownership of the root key is worse then no TPM at all.
I can perhaps agree that the idea of SB can be good, but it was designed (and is used) in a bad way. Just look at how many distros do not support SB.
(One argues that since you own both of them, you should simply set up the two servers yourself with a key of your own choosing, asymmetric or otherwise, and then restrict physical access to them.)
If your answer is “they shouldn’t ever do that”, then you’re promoting an uncompromising position that governments are disinclined to adopt, being the primary user of identity issuance and verification on behalf of their citizens.
If your answer is “they should do that differently”, then you have a discussion about (for example) ZKP or biosigs or etc., such as the thread you’re replying to.
Which of these two paths are you here to discuss? I want to be sure I’ve correctly understood you to be arguing for the former in a thread about the latter.
Hardware attestation often also has problems of centralization, but that's something else as well.
By just labeling it as an abstract bad thing without seeing nuance, I'm afraid you won't be convincing those in power to pass or block these laws, or those convincing your fellow voters which efforts to support.
The surveillance of the future will be powered by the things we produce today. If the accepted algorithms leave cookies those cookies will be used tracked and monitized. The bad argument is the forced verification to do things on the internet. Making that start at the hardware is a lock in thats not okay. Business will always own the services and making standards that trade our practical liberty for the sake of security is a very compromised position in my opinion.
And it does start with the age verification, followed by id checks, etc. Its compromising precisely because no lines are drawn and no rights to privacy are codified in law. Without guiderails the worse path will likely be taken for maximum profit
Oh hell you do! Google profit comes from ADS! It's for their profit to surveil and track and deanonymize TO SELL ADS.
Oh my god. It's 2026, and we're still repeating the "I trust Apple/Google/Microsoft enough to resist the government" spiel.
Hardware attestation is a surveillance mechanism. If China was enforcing the same rule, you would immediately identify it as a state-driven deanonymization effort. But when the US does it, you backpedal and suggest that it could be implemented safely in a hypothetical alternate reality. Do you want to live in a dystopia?
Who is?
> But when the US does it [...]
I don't live in the US, and while US is often setting global trends, in this case I don't think that's actually that likely, unless it somehow goes significantly better (i.e., the benefits actually vastly exceed the collateral damage to anonymity and resiliency via heterogeneity) than expected.
If all the internet was is static content, that wouldn't be much of a problem. But we live in world where packets coming to your service result in significant state changes to your database (such as user generated content).
I suspect that we are currently in the valley of do-something-about-it on the graph which is why you see all this angst from the big players. Would Google really care if automated programs were so good that they were approximating real humans to such an extent that absolutely no one can tell? I suspect they would not only be happy with such a state of affairs, they would join in.
I don't agree that it's not a problem.
Also I recall a discussion on Graphene's forums that DRM ID is not only retained there, but stays the same across profiles.
I was referring to the static private key that is stored in the silicon. At any time an application can initiate a license request process using DRM APIs which will elicit an unchangeable HWID from your device. The only protection is that it will be encrypted for an authorized license server private key so collusion may be required (intel agencies almost certainly sourced 'authorized' private keys for themselves). Google or Apple also has the option to authorize keys for themselves. In 'theory' all such keys should be stored in "trusted execution environments" on license servers and not divulge client identities for whatever that's worth: <https://tee.fail>.
Content Decryption Module (CDM) in your browser or Mobile SDK generates the license challenge
The "license challenge" (it might be a mistake I think it's supposed to be a license request) is just a packet (that can be saved and later sent to anywhere) and it contains the encrypted certificate which doubles as your HWID. An adversary needs to control the private key of the license "server" the challenge is for (this is a privacy measure introduced to prevent the CDM from offering the HWID to anyone who wants it). Now if you want the HWID you need to work for it (one time) by stealing a private key, bribing/blackmailing employees or issuing secret edicts ("here is a new license server we need a certificate for"). Working for Hollywood is also an option I suppose.
Pirates sacrifice devices when they publish ripped content due to the certificate being revoked after Hollywood downloads the torrent and by doing things like this:
For large-scale per-viewer, implement a content identification strategy that allows you to trace back to specific clients, such as per-user session-based watermarking. With this approach, media is conditioned during transcoding and the origin serves a uniquely identifiable pattern of media segments to the end user.
Then the "security" and Trusted Computing authoritarians continued pushing for TPMs and related tech, and contributed to the rise of mobile walled gardens. Windows 11's TPM requirements were another step towards their goal. The amount of propaganda about how that was supposed to be a good thing, both here and elsewhere, was shocking.
It turns out a significant (but hopefully decreasing) number of the population is easily coerced into anything when "security" is given as a justification.
The war on general-purpose computing continues, and we need to keep fighting.
Stallman was right, as always. Time to give his "Right to Read" another read. (If it hasn't been done already, an AI-generated short film of it would be a great idea...)
"Those who give up freedom for security deserve neither."
The problem isn't the TPM, but attestation. As soon as the TPM is required to not be under your control to get access to Y, bad things happen.
Hell, in actuality, the problem isn't even attestation, its policy. The EU Parliament (the one the people vote for, the Commission are cronies) might eventually force corporations into something more citizen-friendly. Neither Apple, Google or Microsoft is going to drop a market that big.
The problem lies in companies like Apple/Google/Microsoft rejecting attestation that they do not control.
People confusing big tech's policy choices with tech features have made "I want my laptop's auth token to only be usable on my laptop" a controversial opinion.
I -- literally -- do not care about a single "account" in any "service" I use aside from my email and bank account. Most people would add a few social media accounts to that list.
You don't need a "place to put secrets". Your iPhone app does not do anything important enough to require a "trusted chain" of cryptographic bullshit, just use a password and Google/Apple login.
The reality is that there is software dependent on the user being unable to modify it. This safeguards the server against fraudulent users.
And what actual applications did you have in mind that warrant throwing everybody under the bus? (by that I mean some applications (allegedly) need it, so it gets forced on everyone)
Passkeys absolutely do not need TPM.
You can get passkey support in any browser with a simple 1password plugin without any TPM hardware.
The same way you could get a TOTP app on your phone without any TPM.
TPMs are just an extra security layer for most usages.
They are mainly a necessity for some shady business like DRMs.
They do not, but how does the service you’re using know your passkey is secure? For all they know you’re just some gullible user that clicks through every fishing email you get. You’re dumb, weak, helpless, they gotta protect you from this scary world out there, and maybe yourself as well.
They can’t do that if they allow your passkey to be stored anywhere you control. KeepassXC? The second you type in your master password the keylogger will snatch it, and your entire database with it!
Okay, maybe you’re some hot shot cryptographer, you’re using a TKey (think Yubikey, except you have full control), and there’s no way your secret key leaves it even if your main computer is fully compromised. Well, the service doesn’t know that. All they see is your public key and a matching signature.
So, sorry Mr. Security Researcher, we’re gonna have to be safe, and require you to use approved hardware only. Too many (wo)men children out there must be protected, we have no way to tell you’re not one of them, so it’s remote attestation or you’re out. What’ online buying worth for anyway, when you can just cross the ocean?
---
Just so we’re clear, I agree with you here. But don’t forget there are two kinds of passkeys out there: with or without the evil remote attestation. And many companies will push for the remotely attested kind, using the exact argument I used above, except with a straight face.
Or they will just present a false dichotomy: remotely attested passkeys on the one hand, short easy to guess reused everywhere passwords on the other.
Passkeys are non-phishable. That's part of their schtick. I'm not a huge passkey fan myself, but this is a real benefit.
I had an idea to create blatantly insecure passkey browser extension. Maybe I should do that.
TPMs are a fucking mess. TPM 2 at least, I’ve worked with it for a few months. I love me some hardware security module, but I want to control it. And if it must be a standard, please please to something like the TKey, so it can be both much simpler than current ad-hoc standards and future proof.
Does it? Why waste time on developing exploits when you can just call up grandma and get her give you the money by her "own" volition - using her secure device - by pretending to be the bank/IRS/her grand daughter using AI voice/etc.
"I don't use a TPM in my computer so it shouldn't exist" has always sounded like a weird argument against the tech in my opinion.
Many Android phones have their secret storage implemented as a virtual machine rather than a TPM. The lack of a TPM doesn't suddenly give me any more freedom, although it does come with security downsides.
Once you have the script, that’s a couple actors in a classroom, a couple e-ink readers for props, the film crew… It can be shot with less than 10 people in a day, then one person for a couple days for cutting and post production. And that’s on the very high end for this scene.
Considering the reach this video would meant to have, avoiding AI would not be that expensive.
Contrast this with remote attestation, where they might show you the source code for everything but you're still powerless to do anything.
You have no idea what has been baked into the weights in the training process. In theory you could find biases and attempt to "patch" them out, but its a vastly different process vs. patching machine code.
Consider what would happen if Google's open weight models were best at writing code targeting Google's services vs. their competitors? Is this something that could be patched? What if there were more subtle differences that you only notice much later after some statistical analysis?
Local ai is not ready, and if you think it is, prove me wrong with a detailed guide running commodity hardware with complete setup steps that can use a decently sized model.
I spent 2 weeks trying to get anything running - 8gb RX550XT, 12gb ram, 8core cpu. I even tried turboquant to lower memory utilization and still couldnt even get a 3B or 4B model loaded, and anything lower wont suit my needs (3/4B are even pushing it).
Spending humongous amount of money to get machine that'll felt obsolete in 2 years? I don't know.
You're like the kid showing up to a test without a pencil.
It's ridiculous for you to suggest that an advanced AI model needs to run on your budget 7 year old graphics card that is already out of date for even today's gaming. My parents spent $2500 on a computer in 1995 and that was a 166Mhz Pentium 1. If they spent that money today it would be $5261. Think of what you can get for amount of money. Then you're over here trying to say a budget graphics card needs to somehow compete with the bleeding edge of computer innovation.
You do, in fact, need to spend money on appropriate gear if you expect to participate.
Open weight models can be a big boost to building Open AI (cough). Progress comes from incremental improvements, -- and open weight models are a big advance in privacy, security, and autonomy over relying on hosted closed systems.
Source vs not is only one (important!) dimension, moreover in FSF land they define source as being the preferred form for modification, at at least for some kinds of modifications the weights are the preferred form.
This can never be the case.
Both the licensing and source aspects of the Free Software movement are aspiring to create high level of equality of access to a [software] work between both the original author and far downstream recipients. Obviously full and universal equality is impossible because part of the work is only in the author's mind and not everyone can obtain and use computers, but approaching that as closely as possible is important and it is important to think about how to achieve a high level of equality for each work in each context. What is "source" in any given context is a choice the author makes about what level of access they want to pass on to others.
In the case of AI, weights can never be the preferred form for modification because of the equality of access issue. The people who trained the AI (and hide its training data/code but published the weights) will always have more access than the people who only have the weights. Just like a binary can almost never be the preferred form, because the authors have access to the source but we don't.
There are also many ways to bias the model and insert backdoors or other suboptimal behaviours into it during training data selection etc.
Any source on that?
https://www.gnu.org/gnu/thegnuproject.html
> [...] the easiest way to develop components of GNU was to do it on a Unix system, and replace the components of that system one by one. But they raised an ethical issue: whether it was right for us to have a copy of Unix at all.
> Unix was (and is) proprietary software, and the GNU Project's philosophy said that we should not use proprietary software. But, applying the same reasoning that leads to the conclusion that violence in self defense is justified, I concluded that it was legitimate to use a proprietary package when that was crucial for developing a free replacement that would help others stop using the proprietary package.
> But, even if this was a justifiable evil, it was still an evil. Today we no longer have any copies of Unix, because we have replaced them with free operating systems. If we could not replace a machine's operating system with a free one, we replaced the machine instead.
Still leave open the the question of RMS personally using SunOS (as opposed to some other proprietary unix) but I think at this point I'd just go dig up very old GNU sources for evidence of that, but I suspect your question was primarily about RMS' ethical reasoning which is well answered above.
Although it seems to me that the comparison is somewhat fragile : it was not possible to develop GNU anywhere else, whereas we could completely build local models from scratch nowadays, unless I'm mistaken.
> It turns out a significant (but hopefully decreasing) number of the population is easily coerced into anything when "security" is given as a justification.
The people who opposed Intel are now telling each other how hopeless and powerless they are. You can see it on HN, in this thread: No drive, outrage, and self-organizing response to these issues, but despair - 'nobody cares', 'there's nothing we can do', etc. Quitting is a sure way to lose.
I don't think those are the same people. I, for one, will continue this fight by telling everyone I know about the fact that Google is going for absolute control of the Internet, and by extension, everyone's lives. They have already become an unelected global government.
That means that I ride alone these days. I did not renew my membership this year.
The last time I experienced something like this was when Facebook starting being the only way to participate in certain events. Back when that happened, I simply counted myself as excluded and did other things with my time and money.
When I tell people that this is even possible I get wide-eyed stares — as if they never contemplated that Meta could exercise their right to ban someone from the platform.
It's a huge problem and I have no idea how to fix it except talk about it and spread awareness. And I am not remotely interested in trying to work around the ban.
To me this is such a bizarre cyberpunk dystopia. Like if we could only send letters and packages to people subscribed to the same private postal service, or drive on roads that had cross-licensing with our brand of car.
that's a corporate monopoly's wet dream.
What evidence is there that it does?
Attestation purports to prove the code is running on an "approved" device. There are multiple reasons that has no real security value.
The first is that "approved" not only has no relationship to "secure", they're actually anti-correlated. As the article points out, GrapheneOS has better security than normal Android. Moreover, as a general rule the stock firmware that can pass attestation is more likely to be outdated and have security vulnerabilities than a custom ROM, and also as a general rule devices (like PCs) with more open hardware have the ability to be updated. A four year old attestation-passing Android phone may already be out of support and unable to be updated while still passing attestation; a 20+ year old PC can run the latest supported release of e.g. Debian.
The second is that "secure" and "runs code the service doesn't want" are likewise unrelated. Suppose there is an Android device which is still receiving updates. A local privilege escalation vulnerability comes out and that device will get the patch, but hasn't yet. So now any attacker with any of those devices can get root on it until they apply the patch. Which means they can get root after the main filesystem is unlocked, modify the filesystem so they continue to have root by changing something that isn't part of the attestation hash but still causes code or scripts to run as root later, and then update to the latest kernel and continue to have root on a device that passes attestation. The device is secure -- fully patched -- but it's the attacker's own device and they can run arbitrary privileged code on it. Requiring every device to be "secure" against the person who has ownership and permanent physical possession of it is a ridiculous thing to take as a security assumption.
And the third is that attestation doesn't actually do what you want it to anyway. Banks want to make sure the user isn't entering their credentials into a compromised phone, but having the official bank app refuse to run on that phone doesn't actually prevent that, because the fake bank app which is stealing the user's credentials on a compromised device won't require attestation to pass regardless of whether the real one does.
BART (San Francisco Bay Area Rapid Transit), as a real world example, recently installed "evasion-proof" fare gates, and observed a 90% drop in vandalism-related maintenance expense. An overwhelming majority of fare evaders are not vandals, but apparently nearly all vandals were fare evaders. Bayes' theorem in action.
I don't have any data to back this up, but my sense is that attestation is an analogous situation.
In other words, banks and governments and other such institutions have noticed (and they probably do have data to back this up) that very few of their customers use "unapproved" devices and a very large majority of fraud comes from "unapproved" devices. They view banning unapproved devices as a high-ROI means to reduce fraud.
So, any argument predicated on "attestation is not security" is doomed to fail, just like saying "most fare-evaders aren't vandals". Yes, most people running GrapheneOS aren't trying to commit bank fraud, but the banks don't care about that if nearly 100% of fraudsters are using unapproved devices.
What would cause you to think that to be the case?
There are two primary ways that bank fraud happens. The first is that the attacker steals the user's credentials, at which point they can sign into the user's account and transfer funds, and can use any device the bank requires because they already have the credentials. The second is that the attacker convinces the user to transfer the money and then once again the user is using an approved device if that is required, and requiring it in no way prevents the attack.
Moreover, even if there was a statistical correlation -- which there is no reason to expect in this case -- that doesn't help you when the attackers could just use their stolen credentials on an approved device anyway, regardless of what they were doing before.
Vandalism can be reduced by excluding fare evaders because that's a class of people rather than a class of devices. Requiring the attackers to use an approved device when the approved device still allows them to commit the fraud accomplishes nothing.
Because many people have fortunately realised that "EOL" is just an excuse to create lots of e-waste and push even more hostile unwanted changes.
Granted, for banking or government-interactions that isn't feasible, but wouldn't it for many other things? It would likely be more expensive given that the work to build something still needs to be done and the cost is distributed among fewer shoulders and the lower complexity since you don't need to build ad-tech doesn't make up for that, but I suppose that's a bit like quality food.
Hardware will be more difficult.
you can't if the service requires the network effect to function well, if at all. Look at blusky and all that alternatives, look at the pitiful attempts at making a youtube alternative, etc.
Do you have an example? And was this a binding or non-binding vote?
Here is the full story:
(Source: https://archive.ph/Kiyn9)
> The commission rejected the plan to rezone the farmland [that would allow the data center to be built]. The township board followed suit, voting 4–1 to deny it. But locals quickly discovered that amid the frenzied AI infrastructure gold rush, “no” does not always mean no.
> Two days later, on Sept. 12, Saline Township was sued by Related Digital and the site’s landowners. Their lawsuit alleged “exclusionary zoning”—that the community had unreasonably barred a legitimate land use under Michigan law, and it hinged on the fact that Saline Township had no land zoned for industrial use, and that a data center qualified as a “necessary” use that could not be excluded altogether.
> The lawsuit underscored the township’s limited leverage. Even if officials had fought it, their lawyers advised them, the project could likely have moved forward via other avenues, such as partnering with an institution like the nearby University of Michigan, which can build projects that are not subject to local zoning in the same way as private developments. Meanwhile, a prolonged legal battle against well-resourced developers risked significant costs for the township, without securing concessions.
> Lucas, the town’s attorney, says the township board had little choice and did its best to be transparent. It was “between a rock and a hard place,” he said. “I’m not sure there were any good solutions.” Within weeks, the township had settled: It signed a court-approved agreement allowing the project to proceed, and construction began soon after.
> In exchange, the township secured roughly $14 million in community benefits—a relatively small sum in the context of a multibillion-dollar project, but more than 10 times its roughly $1 million annual budget. It includes funding for farmland preservation, local projects, and fire departments; along with a series of environmental and operational limits: restrictions on water use, noise caps, preserved agricultural land, and limits on expansion.
> David Landry, the attorney who represented Saline Township in the Related Digital lawsuit, told Fortune that he stands by his recommendation that the board settle with the developer. “The zoning power of any municipality—a township, a city, a village—is not absolute,” he explained. “In this case, exclusionary zoning was substantive—the municipality has to have a reason to say no. They just can’t say, ‘We don’t want it.’”
> Sarah Mills, a professor at the University of Michigan who studies land use planning, agreed that the town had few good options once the lawsuit was filed. “States determine how much authority local governments have in zoning, and those systems vary widely,” she said. “What local governments can do through zoning is highly controlled and regulated by the state.” Local governments are also often strapped for cash, making it difficult to defend against zoning challenges, she added.
> Marion, the township clerk and sole board member who voted in favor of the proposal, said this reality was on her mind when she voted yes. It wasn’t because she favored a data center, she said, but because she did not believe the town could win in a showdown with Related Digital. “They were doing studies,” she said. “They were pulling permits.” Township attorneys and consultants had warned that a denial could trigger a lawsuit—an outcome Marion said felt intimidating. “Everything was drafted and filed with the county within two days of the meeting,” she said of the lawsuit. “They had this all prepared.”
> If the township had continued to fight and lost the lawsuit, Marion said, homeowners could have been on the hook for tens of thousands of dollars in tax assessments to pay for the legal battle. “The insurance company was only going to pay for an attorney to defend us up to so much money if we decided to fight it,” she said.
The story perfectly exemplifies how little democratic control the public has over what corporations do in and do to their community.
1) Don't participate (and accept the consequences)
2) Participate (and accept potential disappointment/failure, with the benefit of having tried)
If you view 2) as fruitless unless your desired outcome is likely, you miss the potential value in the pursuit itself: working with like-minded people, building community, developing new skills, taking agency in your own life, and whatever else might come up along the way.
I don't begrudge anyone for choosing 1) (as long as they own their decision and don't force it on others), but 2) still seems like the aspirational choice I'd want to make if I could.
Stop re-electing people.
Stop sitting at home projecting apathy and ennui in between WOW raids and rounds of LoL.
Mountains of evidence from history shows public has to stand up for itself, not lick boot.
Refuse to give the politicians and owner class assurances they too refuse to provide.
Most of them are old af and have no survival skills. They're reliant on the latest social memes, stock valuations not religious allegory, that are not immutable constants of physics.
Boomers looted the pension system of the prior generation to fund Wall Street. Take their money. It's American tradition.
Remind them physics is ageist and neither physics and American society afford no assurances anyone has food and healthcare.
The status quo is nation-states in roughly their post-WW2 borders, and it's fiercely protected. The upside is stability and fewer wars, the downside is that the only way to try anything new is to co-opt an existing country. Adding to that, most countries are ethnostates that would prefer to have only a small percentage of their population be migrants. It's an easy way toward social cohesion, you just stay roughly where you're born, with people who were also born there and share the same cultural background. As we can see, it's not ideal - two lifelong neighbours can easily hold completely opposite moral values.
In other words, "we" exist only to fight against this one thing we disagree with. And even there, we probably don't all agree on how to fight it or what to do instead.
The answer to either question, really, is no. The powers that be have systematically implemented policies that keep us divided to prevent that eventual outcome.
Any new country will have these same issues, eventually, and probably a lot more that don't seem obvious on the surface.
Fighting against these sorts of monopolies seems far more likely if we can figure out what forces inside the EU and the US are driving these changes and find a way to educated the public, interest groups, and politicians about what's going on.
What we really need is to meaningfully participate outside of the hierarchical monopolistic systems that demand our participation. That doesn't just mean that we create and hang out in distributed networks: it also means that we make and do interesting shit there, too.
The biggest hurdle I see is that we only really use uncensored spaces to do the shit that would otherwise be censored. We don't use distributed networks to plan a party with grandma, or bitch about the next series of layoffs. We don't use distributed networks to share scientific discovery or art.
I think part of the solution is to make software that is better at facilitating those kind of interactions, and the other part of the solution is actually fucking using it. How many of us are only waiting for the first part?
I think it's an error to demand the alternatives be as good-- that might not even always be possible. But even if they're less good they're usually still better than anything we could have imagined decades ago-- they're good enough to use.
And that should be enough because we shouldn't consider handing control of ourselves to third parties to be an acceptable choice at all.
The problem being raised isn’t due to the size of the country though. It’s the size of the company (ie Apple and Google)
I feel that we need a better political consensus on a free society that puts the monopoly of force in the hand of democratic legitimate forces. I currently feel that all digital violence lies in the hands of a few corporations. And at the same time there is politician that like this because they can through this proxy can indirectly execute control without any political legitimacy. Sorry, I do not believe in markets as guarantees for freedom. I have read too much dystopian sci-fi for that.
But you can own multiple devices. You can use an approved device specifically for banking or Netflix and whatever device you like for all your other tasks. Maybe you could use an approved device (a Yubikey?) to authenticate your other devices?
Also, governments should be leaning on them to approve more devices.
Mark my words. General purpose computing and private, direct communication are things too powerful for a tyrant to permit the people to have. The freedom we've enjoyed for the last several decades, to build what we want, to run what we want, to network with who we want, is not the default and will always be under attack. We had it for a little while by the generosity of the previous generation. It was not then, and is not now, and never will be free.
[1] https://www.perseus.tufts.edu/hopper/text?doc=Perseus:text:1...
Specifically, you poke the data lines of the memory bus to induce bitflips, much like I described in https://www.da.vidbuchanan.co.uk/blog/dram-emfi.html
This is trickier if your device has the DRAM mounted directly on top of the CPU, but still possible - you'll need to do some BGA rework to get a wire soldered to one of the DQ lines.
Once you get a physical memory read/write primitive, you can start patching the kernel. Play Integrity does not detect this, since it only attests the state of the kernel at boot. I chose to patch out the permission checks related to ptrace, allowing me to inject frida-gadget into running apps, and to inject shellcode into pid 1.
The initial exploit is pretty unreliable, and usually takes a few reboots to hit. But once it lands, the device is pwned until the next reboot - like a "tethered jailbreak".
I tested this on a Samsung A06 because it was the cheapest device supporting Play Integrity I could get my hands on, but there's no fundamental reason it shouldn't work on any other device, including flagships. Some mitigations would require a different exploit strategy (e.g. memory encryption), but the fundamental flaw is still there.
https://gitlab.opencode.de/bmi/eudi-wallet/wallet-developmen...
Why was this decision ever made?
because it wasn't made
the decision which was made was having a digital ID wallet, that this needs hardware attestation (or something comparable) is somewhat of a direct consequence of existing laws/regulations regarding making IDs forgery safe
it also is a phone only application
the huge huge majority of phones runs Googled Android/iOS, so you support them
if there where a relevant 3rd party competition it would (most likely) supported it, too
going back to the "the president .. shut down .." argument: The US can shut down >90% of all smart phones used in the EU. I don't think the US being able to shut down something which in the end is fundamentally just a minor convenience feature is making much of a difference here.
But I also think that whole identity wallet (the regulations behind it) is approaching things from the wrong direction, carrying a credit card sized ID with you isn't really a problem or very inconvenient. So instead of having the whole attestation nonsense it would be more practical to simply not have attestation and in turn allow the digital ID only for usage where the damage it can cause is quite limited. Especially given that device attestation systems have a long history of being circumvented...
As a side note this whole app is distinct from the "use you ID with through your phone/NFC with applications" thing many EU countries have, through that solutions also tend to have attestation issues in most cases. But again most relevant use-case of it can be done just fine, without the security level attestation tries to provide, if approached pragmatically.
With the exception of the current US administration, hostile countries and corporations try to appear non-hostile when possible.
The President, within this context, identifies a single entity. As such, it is a proper noun.
Analogy: there are many continents. But if we're discussing Brexit, the Continent is a proper noun. I don't think it's incorrect to not capitalise. But it's certainly gramatically okay, and not in the same bucket as The Nutters who capitalise Random words it Looks like Legalese.
Yeah, no. You're just making things up to suit your position like the president does.
...this isn't a counterargument. I can similarly assert you're justing making stuff up, which isn't untrue, either way, since we're talking about language, a wholly made-up enterprise.
What's your contention that the President, within the context of the American presidency, does not refer to a single entity? Is this a preference? Or something you actually believe is incorrect?
I have an internal convention to not capitalise LLMs when talking about them as if they were people; so claude is not capitalised, and the internal LLM-based service agent we're building, rex, is not capitalised.
I realise this breaks the capitalisation of proper nouns; claude is a name and therefore a proper noun and therefore should be capitalised. But I like that there's a signal in here that the thing I'm talking about is not a person and so we don't capitalise the name (I realise that cities or companies or other things that we capitalise are also not people).
Digression, but then so was the entire discussion on capitalisation.
Countries, companies, religions; hell, planets and galaxies–none of these are sapient. Yet we capitalise them.
I'll go out into the deep end for a second with a hypothesis: I think we capitalise because it makes printed text easier to scan. The words you need to spend more time on are capitalised because they aren't ones you can just roll through. This is also why the nutter affect of capitalising random words is so distracting–it drives attention to non-standard words that are, with minimum thought, being used perfectly standardly.
My additional hypothesis is that capitalisation accords respect, something along the lines of "this is a thing apart, something with a name, so we capitalise it". Not capitalising an actual human's name would seem disrespectful to me.
Your bio contains comma splice, by the way.
How do you figure? Isn't just having the digital ID be signed by a key belonging to the issuer good enough for that?
But that's not what a forgery is.
so not really useful for 3rd party ROMs
Big ships turn slowly, but I give it at most two more years until at least one pan-European retail payment scheme (cards, QR, or maybe the "digital Euro") has been regulated into existence.
[1] https://www.theguardian.com/law/2026/feb/18/international-cr...
I never really thought about it until I saw this comment:
Swish in Sweden, MobilePay in Denmark/Finland, iDEAL in the Netherlands, etc. Of course you can't sign up to a specific country payment system if you're not a resident there. And systems from different countries don't work with each other.
Luckily, there's now an initiative called EPI [1], which is an alliance that wants to make all these apps interoperable and call them "Wero" [2].
There are two problem with this system though:
- Wero insists on making you use your own bank app to send/receive payments. That's a terrible choice, because most bank apps are huge behemoths that are slow and heavy. People don't want to use them: PayPal is so much quicker and easier. They should develop a new, lightweight app that only does payments.
- The Italian member of EPI is "BancomatPay", which nobody uses. Sure, Bancomat is a huge company in the debit cards world, but no sane person uses BancomatPay in their daily life (also, BancomatPay forces you to use your bank app). In Italy, Satispay is way bigger and widely accepted, especially in the North (i.e. richest) part of the country. I'm surprised Satispay didn't get into EPI.
Most banks in Belgium (e.g. Bancontact, Wero, Pom) or Sweden (Swish, was renting ice skates with it just this winter) have their own system but typically only nationals use that. It's still enough for shops to get instant payments without those US cards issuers.
TL;DR: yes and it's wrong, but also IBAN works.
Condescendingly and incorrectly assuming that others think that corruption is impossible is kinda rude and also dodges attempts at correcting the corruption.
Google et al go to the government and say they've got this attestation thing that can something something security. No one is taking a bribe but also no one they're hearing from is telling them that doing this is going to cement the incumbents. "Security" is good, right? So it makes it into the law.
That doesn't meet most formal definitions of corruption. It's more like incompetence than malice. But the outcome is indistinguishable from corruption. The bad thing gets into the law.
The difference is, if the politicians are taking bribes and you get mad at them, they fob you off because they're more interested in lining their pockets. But if the politicians are just misinformed bureaucrats and you get mad at them, they might actually fix it.
And attributing everything to "corruption" discourages people from doing the latter even in cases where it would be effective.
It's not a given that it's incompetence.
I don't think that's even true, unless you're using "trust" as a synonym for centralization.
Suppose you had actual competing app stores. Google doesn't control which ones you use; you can use Google Play or F-Droid or Amazon or all three at once and anyone can make a new one. You could get Android apps through Apple's store and vice versa. And then you choose who you trust; maybe you only trust F-Droid and Apple and you think Google and Amazon stink. Maybe you install 90% of your apps through F-Droid but are willing to install your bank app on GrapheneOS from Google Play because you trust your bank and you also trust Google enough to at least verify that the bank app is actually from your bank.
This is the thing that doesn't help the incumbents, right? The bank and the customer both trust Google to distribute the bank app but Google isn't allowed to prevent the user from trusting F-Droid for other apps as a condition for getting the bank app from Google Play. You can have trust without centralization.
Consider how Linux distributions work. Every distribution is distributing variants on the same kernel and utilities, but there are hundreds of distributions and dozens of popular ones each with their own repositories. You can choose whichever you like, and make a different choice than someone else.
Coming in at #31 on DistroWatch is a lightweight distribution called Alpine Linux. It's popular on things like firewalls and VoIP servers but is rarely recommended to ordinary users because that isn't its niche. It doesn't matter that most people haven't heard of it because the people relevant to it have. It's fine for things to have a niche, and the people in that niche are the only ones who need to be familiar with it.
Meanwhile around half of Linux users use Debian derivatives. Debian and Ubuntu are very similar, but their repositories are maintained by different organizations, so even when choosing between two things that are nearly the same, you have different options.
And the distribution is not the only place to get software. Maybe you like a stable distribution in general but you want the bleeding edge drivers for your GPU. You can add the repository for the hardware vendor and still get everything else from the distribution. The vendor doesn't even need to maintain their own full distribution to have enough of a reputation for people to make an informed choice about where they want to get their drivers.
> Building broad trust requires scale on some dimension.
The flaw is in assuming that broad trust is a requirement. Narrow trust is good.
Broad trust is required in lots of situations. Hardware attestation, financial clearing networks, or even physical supply chains. Ie, you have multiple independent parties who need mutual, verifiable trust to operate. Establishing that requires transaction costs like audits, SLAs, legal liability, and cryptographic integration. The economics don't work for 30 different players to cross-verify each other. So, we have oligopolies...
Regardless of which distribution you use, the distribution itself controls code that runs as root on your machine, and the users are by and large not reading all of the code themselves. It works entirely by reputation. If you ship trash, most people aren't looking, but if even one person is, they point it out to everyone else and then no one trusts you anymore. This works perfectly fine with 30+ distributors.
> Hardware attestation, financial clearing networks, or even physical supply chains. Ie, you have multiple independent parties who need mutual, verifiable trust to operate.
There are large numbers of financial clearing networks. The reason Visa and Mastercard are an effective duopoly for credit cards isn't the trust issue, it's the network effect. A lot of people have a Visa, so merchants want to accept Visa, and then customers want the card which is accepted at many merchants. It's essentially regulatory capture that they're allowed to get away with this, i.e. that the networks are allowed to force you to use their card in order to use their protocol. The way this should work is closer to how checks work, i.e. Alice tells her bank that she wants to transfer money to Bob, Bob's bank routing number is on the check and the banks just talk to each other using a standard protocol to work out how much money to transfer from one bank to the other on net, with no for-profit middle man taking a cut.
Supply chains are a pretty weird example to pick because they're actually a huge counter-example. When Walmart wants to stock some USB cables or camping stoves they're going to vet the supplier so they don't get sued for selling a fire hazard but there are still dozens or hundreds of suppliers, because they have to vet the ones they use, but they don't have to be the same ones Amazon or Target or Costco uses and frequently aren't.
Hardware attestation is a dumpster fire. It keeps getting pushed because it's excellent at monopolizing a market but anyone actually trying to rely on it has had nothing but a series of swift kicks between the legs. People should stop even attempting it. It should simply be banned.
> Establishing that requires transaction costs like audits, SLAs, legal liability, and cryptographic integration.
Most of that stuff scales really well to large numbers of entities. The entire point of things like SLAs and legal liability is that they operate by preventing you from needing to enforce them. No company wants to get sued so they meet the SLA and satisfy the contract in order to minimize their legal costs, which is what allows you to contract with smaller companies as long as they're not so small you're concerned they'll go out of business, and the threshold for that is far smaller than any of these oligopolists.
> The economics don't work for 30 different players to cross-verify each other.
Which is why it's not supposed to be fully meshed. You don't need everyone to verify everyone, you only need the pairings that actually exist. If there are 1000 companies that make shoes and Walmart contracts with 10 of them then they need to verify 10 rather than 1000. Meanwhile the 1000 shoe companies each only have to contract with a dozen retailers, they're just not the same dozen retailers for every manufacturer.
The money that goes into lobbying in order to have that say is, depending on who you ask, corruption. I, as a random citizen, don't get the same say that a multi billion dollar international corporation does.
It's also kind of weird to propose it as an asymmetry. Google's parent company spends around $4M on lobbying in the US:
https://www.opensecrets.org/federal-lobbying/clients/summary...
That's around $0.01 per capita. Your per capita contribution for individuals to out-spend Google on lobbying is two cents.
Anytime anyone criticises the EU here, you will get downvoted even after trying to warn the EU defenders that they are not our friends at all.
I was asking for evidence about the EU digital ID wallets about what the "disinformation" was around it 3 years ago [0] and not a single link of it was given.
At this point, being an EU defender and supporting the "open web" are incompatible since you will be using your EU digital identity wallet [1] with your phone to login to your bank and the internet will push age verification with it, locking you out if you don't sign up.
That thing that got refused multiple times already?
Because not all politicians think like you does not mean they are corrupt. Seems like enough politicians have voted against ChatControl until now.
I always wonder what people who say stuff like "politicians discussed this topic I hate and refused it, but the mere fact that they discussed means that they must all be corrupt" understand about politics. You know that it is about people with different opinions (representing people with different opinions) discussing stuff, right?
Source:
https://www.patrick-breyer.de/wp-content/uploads/2026/05/861...
Do you have a list of other things that shouldn't be brought in front of the elected parliament?
Corruption would be if it passed despite it being unpopular, because some corporate or rich peoples interests desired it.
The EU parliament shot down ChatControl.
In fact, without the EU, most likely many member states would have ChatControl in some shape. National governments are the ones all in on this crap.
But even bigger problem is that institutions designed to prevent this from happening are not doing their job.
Thousands security service and civil servants take their wages and look the other way.
Suggesting politicians are corrupt without any evidence will make that worse. If people think their politicians are corrupt they will further disengage with the political process, which will ensure there's even less pressure on politicians to take action on niche issues like this.
The EU Commission also gave a foreign tech company called Thorn (they pretend to be a charity), special access to government officials: https://netzpolitik.org/2022/dude-wheres-my-privacy-how-a-ho...
I think both of those cases would be examples of lobbying and corruption.
It's little coincidence that national governments want Chat Control (laundering that through EU), and the EU parliament is the entity that shots it down (coincidentally the entity that is most beholden to the public).
It would be nice to learn which comissioners are lobbying for it.
$600K+ went to kickbacks, er… “lobbying”, and thorn was hit with some pretty nasty scandals involving sex crimes.
If you look at that person's responses to others in this thread, that is exactly what they are doing. I do hope they have proper health and safety training for moving the goalposts so much.
What I'm saying is that if there's no evidence of corruption, then simply assuming corruption will harm your cause because it will make it seem like political activism is futile in the face of supposedly hidden corruption.
I think it is far more likely that it is a lack of knowledge and incompetence. I am pretty sure that the majority of Parliament members, Council members and maybe even Commission members do not even know that there are viable alternatives outside Google (certified) Android and iOS. So they try to regulate their app stores, etc. instead.
I hope that with digital sovereignty becoming more important, there will be more interer in alternative mobile operating systems.
"Securely signed/verified devices for accessing your bank" or "increased surveillance and tracking of criminals" sound like splendid ideas and direct solutions to immediate problems. Now, how to actually implement them and how it will affect society in the long run might seem less important when you've got increasing crime rates, a slowing economy, displeased voters or whatever looming. In short, some dilemmas have very clear answers when you (willingly or through unawareness) only concern yourself with a subset of the effects of a decision, and this goes both for politicians and special interest groups. That being said, I'm very pro-privacy and it's the job of policymakers to know the details of what they're deciding on. Reality is however usually very complex and nuanced with several things being true because they all contribute a part to what's going on.
e: what am I doing, speaking like I actually know how things work? Nothing is absolute and nuance is important, but sometimes it is also very useful to simplify and generalise to get things done. If no one had any conviction, not much would ever happen. But moderation in all things.
Well, of course not! They're corrupted by the other companies who benefit from the DSA and DMA.
I agree with that. Reading HN comments, where people are supposed to be generally tech-savvy, I see a ton of "lack of knowledge and incompetence" (not in a negative way, just "uninformed"). Why should politicians know better than the average tech-savvy person?
But politicians get yelled at by everybody, saying everything and its contrary, while the tech-savvy people can comfortably take a condescending tone explain why "being so stupid is impossible so it has to be corruption".
In a functioning democracy, politicians represent the people. Meaning that some politicians will be on one end of the spectrum, and some will be on the other. If there are no politicians you disagree with, then probably you are not living in a functioning democracy.
> despite strong pushback
That is my point: look at the pushback! It's many people with very different opinions saying everything and its contrary, with a lot of technically incorrect takes.
Do you realise that when you say "they must be corrupt, because they don't share my opinion, and my opinion is absolutely the best", and you are not the only one saying that, then either everybody saying it should share your opinion or at least some of you are wrong, right?
Everybody wants to believe that they are right and everybody else is wrong, and therefore everybody else is either stupid or corrupt. I want to believe that sometimes, the world is actually nuanced, and people may have different opinions. I may have a strong opinion (and knowledge) about hardware attestation, but it doesn't mean that every politician does and hence has to be corrupt in order to not agree with me.
Too many people see something they don't like, imply a nefarious motivation without evidence, then expect everyone to agree that it is corruption.
If there is corruption, show the evidence. Otherwise, be honest and state that you don't agree with something. If you want to persuade people, back up your claims with verifiable evidence without falling back to nebulous claims of corruption.
Diplomatic status tax free too.
If it's Apple or Google let us know in the US because we have laws to go after them for acting corruptly in other countries.
Vaguely asserting corruption without specifics or even naming the perpetrators isn't "taboo", it's just poor form and silly. Letting such vague accusations float without evidence, motive, or even people to blame, leads to nothing good, and only vague distrust, which itself enables corruption. It leads to people believing there's no way to know the truth, therefore helplessness, and results in fascism like in Russia.
Lazy cynicism is itself a form of corruption of one's own mind.
I love this way of thinking. I might use this quote down the road
1. Explicitly designed as client states for the US
2. Explicitly designed as client states for the Soviet Union, with alliances switching over as the Soviet Union fell apart
3. Great Britain, a country whose electorate would probably only reconsider rejoining if the EU agreed to explicitly become British client states, because the only thing Britain hates more than France is those dastardly American upstarts[0].
The reason why this persists despite an openly hostile American president is the fact that the EU has no real alternative. The EU has a shitton of internal political distrust between member states, and the US was offering a lubricating alternative: "Just trust us." Politically distributed alternatives require balancing coalitions that are far more fragile.
[0] The history of European anti-Americanism is extremely fascinating, because it's effectively a Reactionary meme - as in, "wanting to restore the Ancien Regime" Reactionary, not "funny way to say Nazi Party member" Reactionary. And yet it's jumped across so many incompatible political ideologies that the average European probably had no clue why they hate America until Donald Trump gave them a good reason to.
Clearly tailored to the regular normie without technical skills.
I’ve written to politicians over the years about technical matters and it’s uniformly either a clearly form response or an inaccurate summation of the technical risks, if I’m been charitable because they don’t understand them either.
At a certain point it begins to feel pointless.
I think you're right that they are incompetent. The point is not to make them understand it, but rather to make them see that enough people care. The problem is that most people don't write, so the politicians don't see that they care. Same thing for companies. How many GrapheneOS users say "well when it stops working, I just move to another service, and if there is none, then I live without the service entirely". That way the companies never see that there is a need.
Being prepared to be this voice is one of the reasons I'm a Graphene OS user. Another is that it helps me avoid accidentally writing code that depends on google play services. When you've got an agent doing most of the driving, it's easy to not realize that your app is broken without google, unless you're testing it on a degoogle'd device.
If enough people write, they may start finding it relevant.
1. Most people don't write.
2. The people who write are not always competent.
3. The people who write often have an agenda, too.
What's the consequence of that? Imagine what the politicians receive: tons of messages of people complaining, most of which are factually wrong. What to do then? How to know who is right? It's genuinely hard.
EDIT: please write here: https://european-union.europa.eu/contact-eu/write-us_en
Example: https://www.lrb.co.uk/blog/2021/july/information-sovereignty
It only makes sense they'll prioritize big-business interests over those of the common folk.
It's a bit odd that Europe prioritizes American big-business interests I guess? Idk, as an American it does seem kinda like an odd choice.
How many European countries buy American weapons because they are scared of what would happen if they pissed off the US? And then they still get tariffs and threats of military invasion.
Google certifies devices unpatched for the last 10 years, rooted, riddled with the malware, because the keys have leaked.
Google knows and still sells the lie.
But you should know better. Google is not selling the actual security, it's just protecting its business.
There is also the problem that most external hardware is less secure than things like Apple's SEP. (But on the other hand, probably more secure than the long tail of cheap Android phones, which use virtualization rather than real hardware.)
That's how it works in Germany: You tap your national ID card (as a citizen) or eID card (as a non-citizen) on any NFC-capable iPhone or Android device. I personally much prefer that solution over one that requires a specifically trusted device.
The big gap is trusted user confirmation, though: Users need to see what they sign by tapping their card, and then you're usually back to some form of attestation.
Practically, they also completely botched the rollout; literally everyone I know managed to somehow lock themselves out of their card at the first attempted use (assuming they've even bothered to set it up).
To me, it seems like just the right amount of friction, and user expectations can work in favor of privacy here: People will hopefully refuse to tap their ID on their phone for a service where they want to remain completely anonymous, even if the protocol technically might support anonymous assertions.
It's like handing a loaded gun to a kid, and saying "just don't take the safety off".
Of course kids are going to find ways around it. They are going to take the safety off.
If anyone wants to assert control they have to be where the puck is going instead.
They're basically saying they have no choice but will evaluate better options.
So the follow up question is: Are you going to push the EU & Governments to do the logical thing and start developing, with your tax dollars, the necessary software & hardware to make it into the public domain so they arn't reliant.
Mostly it seems like few people see the need for brining government into software, no matter how much software & hardware are becoming essential utilities.
It's especially ironic to name China when the whole reason the US bought TikTok is because it showed people the reality of the genocide in Gaza, which the far right nationalists hated.
Are you just not paying attention to the dissolution of democracy or are youjust like, cool with money being the only protected thing.
Capital remains sovereign in Europe.
Being a highly skilled lawyer, UN official, can get you banned from all government EU services of the Drumpf doesn't like the fact you're investigating war crimes.
A part of that has already happened.
Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM in any computing device that is marketed as a general-purpose one. I.e. the first instruction that the CPU executes after reset must come from a storage device that is physically external to the CPU package.
Modern cryptography allows for making DRM incredibly hard to break. And the disadvantage of "hardware attestation" DRM is that you have to break it not once, on a single device, the way you do to dump a "protected" movie, but on every single device that you want to use.
Funny, I have a related proposal: make it illegal to sell hardware and distribute software. Or at least, if you distribute software, we don’t buy your hardware. The idea is to force hardware companies to release the complete user manual for their hardware, and incentivise them to simplify and standardise their hardware interfaces.
What I did forget was forbidding them to arbitrarily restrict what kind of software can run with their hardware, which they could if the hardware hashes the software & verifies a signature before running it. But it would seem your separation between CPU and storage takes care of that.
There's also tons of value in a boot ROM that can't be accidentally erased to add low level DFU routines.
My intention with this is to make sure that if someone were to desolder the flash chip and reprogram it, they could completely own the device without the device or SoC manufacturer having a say in it or a way to prevent or detect it.
Example: I’m perfectly fine with my Touch ID sensor having a crypto-paired link to my SOC so that someone can’t swap in a malware-sensor at a border checkpoint; I also don’t want my device (or websites) to be able to discriminate against me installing my own homemade sensor. What that looks like in practice is close to what we have now, but not quite there yet — and is definitely not ‘no crypto-pairing at all’, as a ban on key material would enforce.
Not my preference, but they seem so far ahead of other ROMs right now that I use it still.
I do believe people have built and installed it on other devices without too much trouble, but I don't think that'll ever be supported.
No, you just need to make it illegal to have the bootloader contain hardcoded key material and use it for verifying the code it loads.
Not that it changes much. It really should be illegal to enforce "secure boot" with no way for the device owner to opt out of it or enroll his own keys.
Micro is now nano, not amendable to modification, and even if it was theoretically possible, hardware is a super-easy target for legislation.
> Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM
If you had the political means to enact such legislation, you could legislate much cleaner and easier ways to deal with the problem.
I find myself saying this a lot but I still can't quite figure our why people keep seeking technical solutions to political problems.
I mean, these things aren't comparable, in some limited cases the naive approach might help but insisting on it while neglecting political action is worse than doing nothing.
funny how you think the solution to people imposing their will on you is to impose your will on others
also, the solution you propose wouldn't work because signed firmware
Also, governments are supposed to act in the interest of people.
While I am glad that people continue to struggle, that GrapheneOS continues to fight and speak out, these developments still fill me with a terrible sadness. The future is bleak. We inch ever closer to the complete destruction of everything the word "hacker" ever stood for. It's a deep loss.
There's already a lot of support out there, in both public opinion and the law, for the idea that if I pay for something physical like a device, I own it. Any substantial alteration in its functionality, especially a reduction in what it can do, requires my consent. Reduction in what it can do should require my consent. Just because tech made it possible for the manufacturer to brick my phone or my car, start charging me extra for certain features I already paid for, or block the apps the OS vendor doesn't approve of doesn't mean they should or that it's even legal to do so. Additionally once I buy the device the vendor has zero business telling me how I can modify it, or whether I can repair it.
I own the thing I bought, fucker. It's my property and I have property rights. The corp has no right to steal away part of the thing I bought or change the terms after the fact. It's potentially criminal if they try.
This framing resonates with a lot of people.
The guy who really exemplifies this positioning at the moment is Louis Rossman and by focusing on these widely understood and popular concepts, he's gained the ability to direct an enormous amount of attention to an issue. He can absolutely swamp a legislature with letters from angry constituents for example when he gives an issue visibility.
Frame it as theft because it is. If they push an update without my consent that removes functionality or sabotages my ownership of the device, it's theft. At the very least product liability laws should apply. Some part of what I bought stops working, that goes to product liability. But I'd take it a step farther and say we're dealing with straight up theft.
Sorry for how you may feel about it, but that *is* how it's being framed for the public..
https://europeanconservative.com/articles/news/eu-parliament...
"How Jewish American pedophiles hide from justice in Israel": https://www.cbsnews.com/news/how-jewish-american-pedophiles-...
"Tens of thousands of pedophiles operate in Israel every year": https://www.jpost.com/israel-news/tens-of-thousands-of-pedop...
> JCW's chief operating officer Shana Aaronson says the failure begins in the United States.
> She says there are elements of the Jewish community in the U.S. that are willing to help pedophiles escape.
A better counter argument to "catch the pedo" is to bring up cases of creeps who were insiders - law officers, or just techies with access - and used the "well-intended" tech to get at their victims.
Certainly. You mean like that time an Israeli Cyber Directorate division chief fled Nevada for Israel after being investigated for soliciting a minor for sexual purposes?
https://www.haaretz.com/israel-news/2025-08-21/ty-article/.p...
It's the the Emperor's New Clothes in real life but for morals. No amount of Rossmanning is going to help society walk back its collective hypocrisy.
It's not about what people believe, but what they are willing to publicly push back against. If such a law was proposed today, I bet it would pass because the only discussions around it would be whether the data can be kept safe and what punishments to dole out if the car owner access this data. Arguments about privacy will be waved away or dismissed without debate.
In fact, let's make a pointless bet: I bet my imaginary internet reputation that the US or EU will pass a law within the next 10 years that requires the continuous recording and collection of data that not only includes GPS, but also face and audio data whenever a car is in motion. This law will impose severe punishments on any owner that accesses this data or deletes it.
I desperately fear for my family and want things to improve, but we are going to lose this battle.
My logical assumption is that all terrorists and pedophiles will concentrate in the areas where they have legal exceptions from being monitored by multiple different parties at any given time. Legislators and the like. To play one of their cards, why would people who love to say "innocent people have nothing to hide" have something to hide?
Kier Starmer wants to protect children? He put Mandelson into government even though he was mates with Epstein. Doesn't sound like someone who cares about protecting children to me.
Rinse and repeat for any politician or political side, they are all only a step or two away from someone who's done something horrible to children. It doesn't matter to me whether I really think it's true or not (though in the example I've used, that is my opinion, who employs someone like that and really cares about children?) but *it does not matter*. This is an us versus them situation, and they are making proponents of freedom out to be criminals at best, paedos at worst. They can take some of their own medicine, and anyone who parrots their line. If ad hominem is the name of the game then let's play, I'm on firmer ground than they are.
At this point the internet is exactly like the film Matrix, where humans are merely an implementation detail in the whole system.
The only way to sure defeat is to surrender.
"Secure" is great. But when you hear "safe", that means there is some corp in the shadows predating on you because <insert boogeyman>. They decide what safe means, not you. They will abuse you to no end while keeping you "safe".
That's why companies always remove the features that keep you "secure" and give you ones to keep you "safe".
I wish they filled you with anger instead. It’s not too late. You’re not alone.
It won't matter to the masses, it won't hamper "bad actors" because hackers will find flaws instantly.
It's just enshitfication.
> hackers will find flaws instantly
Yeah.
The ability to circumvent these cryptographic attestations and pretend to be a "pristine" corporate owned device while in fact being free will be a key strategic capability in the future.
They will no doubt pour billions into improving the technology though. I'm not sure if such a capability can be maintained over the long term. We don't have the resources.
...But there is always at least one hacker.
The issue with hardening DRM is that at the core it's hard to protect against an adversary that with physical access to the device that keeps the very secret. From the vendor perspective, the very customer paying you is your potential enemy.
That means that the root of trust isn't itself protected with cryptography. Instead, it relies on security-through-obsurity, Faraday cages, fuses, anti-tampering and lots of glue. And it's a numbers game if there are thousands of different devices, potentially with different flaws while your adversaries are hidden among billions of customers.
Before anyone downplays this concern as scaremongering ans slippery slope fallacy stuff, keep in mind that countries are shifting their national ID cars infrastructure to online services which are fundamentally designed around attestation. Moreover some class of services such as banking are progressively increasing requirements that your software and hardware needs to meet to allow you to manage your own property.
the meaning of this word has diluted so much
Don't worry officer, my device is completely clean. Here you go check it. Why yes, I absolutely only ever use it for banking and updating linkedin on a suspiciously empty gmail, and keep it on silent 100% of the time. What's so odd about that? What? No, I just re-read a lot of books, that's my hobby, I read Catcher In The Rye 20 times a month.
...
It's about time people realize the concept of a real phone and a civilian phone as one and the same is dead.
In fact.
You don't need a "real" phone. Just the civilian one.
I use what's basically a portable retroconsole for entertainment. Including reading, incidentally. From its perspective, it is just a computer. Let's make it a competition, puny phones versus portable computing. Name me one thing you think it can't do, in return, I'll fire two YOUR phone can't right now, back at you. I'll forward two: It can run tmux and has a copyparty toggle for a portable filestorage on it. Yes, you can do both on the phone. But yours can't right now, and I you will suffer trying tog get it, while mine, it was 2 command lines and one config file each.
I cannot tell if the alternative solution will be better, but I do think we will develop alternatives.
Also, in the mean time, their announced "sovereign solutions for the European citizen" look ridiculous: now you'll be free from Visa and Mastercard for your payments but at the same time you'll need a phone approved by either Apple or Google.
The user still maintains all the freedom of doing whatever computing they want on their own machine, but if they want to play with others who don't want to play with cheaters then they have to use the official client.
For people who want a high degree of freedom and be able to access as many digital services as possible I foresee such people using a hypervisor that runs both a provable secure OS and another OS that is as free as they want.
What makes you think they will give us this magical hypervisor capability? It's more effort, increases the chances someone finds a bypass and takes power away from the incumbent online platforms. It's so much easier to just prevent it all. The only reason it hasn't happened yet is the amount of devices without this ability in circulation. But that number is shrinking rapidly.
You aren't banned. You just have to use a secure device. It's like saying that a store banned you because they stopped taking checks and started requiring a credit card since they are more secure and harder to commit fraud with. As a person you didn't lose any freedom. Freedom does not mean someone has to be able to force their will on another person. That sounds like the opposite of freedom to me.
>What makes you think they will give us this magical hypervisor capability?
It's not magical. Look at Windows WSL2 which already works like that.
I understand there’s some stupid compliance thing that makes banks do this, but it clearly isn’t a hard requirement, as there’s still plenty of banks that don’t participate in this security theatre.
Graphene OS says they are secure, but the definition of secure they're using isn't the same one the service providers are using, so that doesn't help much.
The best route forward here is to push for a separation of certification types. Ideally it would be possible to pass the security related aspects of Google's CTS test suite and get approved by Play Integrity without triggering the other parts of Android certification.
No, you have to use government backdoored device. I.e. the most secure android rom (at least the only rom we know is not penetrable by state-sponsored celebrite based malware) is not covered by google's play protect, while bunch of outdated CVEd phones are.
Same will go with many hardened Linux machines, QubesOS, Whonix stations, you name it. I'd argue they are far more secure than any average windows/macos installation.
Hardware attestation has nothing to do with security, it's censorship.
Secure as defined by a duo of monopolists. It's a contractual concept and doesn't have a firm relation to security-related characteristics. I'd trust GrapheneOS to be as secure as anything Google is capable of releasing, but that doesn't help them if Google refuses to vouch for a device running their OS. Which is also why your check/credit card analogy falls flat.
Gaming and such are dedicated services. Fine if people agree to pay premium to have the required platform / console / etc.
General services such as communications / banking must be free, and must not require trusted hardware on the end point. The services must be designed to be secure even in the case of compromised end points. But that's against the current trend where all banks are trying to push all the responsibility on the end user because they want to reduce their costs. There are plenty of solutions but they don't go for it because it's not in their interest and they want to squeeze out any little penny of infrastructure cost.
Defense is depth actually works. It's better security to require a dedicated device to make it harder to commit fraud. This is why credit cards became a secure device instead of just being a magnetic strip.
No. It's the constant attempts to invade our computers and "prevent" the unwanted behavior that are problematic. See kernel level anticheat nonsense. They want to own our computers.
> if they want to play with others who don't want to play with cheaters then they have to use the official client
They should be able to play with whatever client they want. It's their computer, it should run whatever software they want.
This nonsense mainly exists only because the operating system is unable to attest that it the app is secure and the right app is what is running.
>It's their computer, it should run whatever software they want.
I agree, but companies shouldn't be forced to match cheaters with legitimate players. Cheaters just can't secretly be cheating.
> the operating system is unable to attest
And it should remain unable. There should be no "attestation" of anything. The corporations who want such things should remain unsure of the device's "security". They should just accept it. Let them write it off as a cost of doing business or something. The optimal amount of fraud is non-zero, as they say.
> the app is secure and the right app is what is running
These machines are our personal computers. They are extensions of our minds. They are general purpose tools with limitless potential, just waiting to be shaped in accordance to our wills.
There is no such thing as being "secure" from us. Not inside our own computers. The mere idea of it is offensive. It is an affront to us all. We are the gods of these machines. To attempt to "secure" a video game of all things against us is an attempt to usurp our power.
> Cheaters just can't secretly be cheating.
Now that remote attestation is in play, the ability to do that -- forge attestations to pretend to be a corporate owned machine while remaining free and subversive -- has become key. So I'm forced to say that cheaters absolutely should be able to secretly cheat. If the cheater wants to edit his computer's memory or whatever, it's his divine right as the owner of the machine. An inability to do that means our freedom is lost.
Cheating in video games is literally nothing compared to the loss of our computer freedom. Let the entire industry go bankrupt if it must. We cannot sacrifice it no matter what, and certainly not over something as mundane such as video games. There is so much more at stake here. Ubiquitous access to cryptography. Adversarial interoperability. Our very self-determination in the digital world. Video games are nothing -- and that's coming from a fellow gamer.
The choice is simple: tolerate some level of online cheating, or require remote attestation to run the game. If you ask me, I’d rather take the first option. Locked down game console already make me a bit queasy. A locked down desktop, laptop, or palmtop? That’s not acceptable. People should be able to run any program they want on their computers. If that means the end of online gaming, so be it.
How do old boomershooter communities tackle cheaters? When and why do methods that work on a social graph fail or necessitate anticheat? I agree on the hypervisor part. Putting different applications in microvms would be good for isolation.
A lot of gaming migrated to consoles for this reason. They have secure remote attestation implemented properly. Accusing winners of cheating doesn't work there, and it's obvious why that results in happier and healthier gaming communities.
You might of. But there was a percentage of players turned away by cheaters or even just had a bad experience one day because of one. At scale this can cause a bad experience for a ton of players so trying to stop as many cheaters as possible does matter.
>Why do I need to compromise my hardware
You don't have to compromise anything. In fact it is optimal to have the system be as secure as possible that way cheats can't mess with the game.
>How do old boomershooter communities tackle cheaters?
By limiting the rate of new players. This goes against the wishes of games who want to achieve massive growth.
>When and why do methods that work on a social graph fail or necessitate anticheat?
If people provided IDs that could work too instead of anticheat, but usually people do not want to do that just to play a game. It adds friction to the onboarding process.
So… I don’t have to compromise the ability to run any program I want on my machine, and I don’t have to compromise the ability to be root on my machine. Right? And of course, when I say "me", I’m talking about everyone, including cheaters. Meaning, we don’t have to compromise the cheater’s ability to run any program they want (that would include cheats), nor their ability to be root on their machine.
> In fact it is optimal to have the system be as secure as possible that way cheats can't mess with the game.
Secure for the game company you mean. I want a computer that’s secure for me, that responds to my commands. And again, "me" includes everyone and cheaters too.
---
The online gaming industry is not worth sacrificing individual ownership of computers.
Imagine getting banned from Google services for anti-google views and being unable to log into your bank account. We really should breakup the Alphabet.
I also tried to use an old phone as a backup device. However, most authentication apps only allow it to be installed on a single device.
Microsoft certainly wanted to be the only company whose OS was allowed to boot with secure boot turned on.
Google should not be allowed to close the supposedly "open" ecosystem they created any more than Microsoft was allowed to.
That said, there are countless mobile devices with locked bootloaders and and boot integrity attestation that will never run anything other than OEM OSes. That's equivalent to a locked Secure Boot + UKI-like system on PCs and it's already here.
You mean right now? At a firmware level, the scope of "trusted computing" is expanding with every passing year.
> close the ecosystem they created any more than Microsoft was allowed to.
We are in the process of allowing Microsoft to close the PC platform. TPM is required to run Windows now. Nearly every new PC ships with "secure boot" enabled, adding a new technical barrier to escaping Windows that didn't exist before. Remove that toggle from the BIOS, and you now effectively have a vehicle to Windows-only PCs.
All modern PCs ship with Pluton coprocessors. The end-to-end remote attestation hardware infrastructure is all already there, waiting for someone to flip a switch and turn it on.
Which I think in this case may mean that I'm hoping an Apple or Google exclusive id system couldn't be ubiquitous enough to be required. But forethought doesn't seem to be modern man's strong suit.
The most damning part about Google Play Integrity is that, as the thread states, that Google lets devices pass that are full of known security holes, whereas they do not allow what is very likely to be the most secure mobile OS. This shows that they only use it as a method to shut out competitors and to control Android device manufacturers to pre-install Google software like Chrome (otherwise their devices do not get certified and won't pass Play Integrity).
IANAL, but anti-competition lawyers/bodies should have a field day with this, but nobody seems to care. Worse, the EU, despite their talk of sovereignty adds Play Integrity-based to their own age verification reference app.
I recommend every EU citizen, also if you do not use GrapheneOS, to file a DMA complaint about this anti-competitive behavior:
https://digital-markets-act.ec.europa.eu/contact-us-eu-citiz...
Also, every time this comes up, @ the relevant EU bodies, commissioners and your government's representative on Mastodon, etc.
I wonder if this would exclude rooted OSes, non-relocked bootloaders and things like that? Sorry for stupid question, still not quite understanding how this works.
> IANAL, but anti-competition lawyers/bodies should have a field day with this, but nobody seems to care
I'm gonna take a wild guess that proving the above statement in court (and then its necessary impact) might be a significant obstacle here?
I imagine the way to do this effectively would be to get some well-regarded infosec firms to audit both OSes (from source as much as possible), and also compile lists of vulnerabilities found, fixed, not-fixed, etc. over time. Then you need a witness who can explain all of it in a way that's accessible to and likely to sway a jury.
What I took away from the thread is that they're against services forcing attestation in general, and also pointing out that Play Integrity isn't about security, but rather about control, because Google could trivially make it work with GrapheneOS (which is more secure than any other Android OS on the market) but they won't.
But if Google did support third-party attestation, would the GrapheneOS Foundation be happy? Most of the thread seems to be a call for attestation to die, which feels impractical and unachievable. But "Google could use it to permit GrapheneOS for Play Integrity if that was actually about security" seems to be the real ask, and that seems reasonable and achievable. If that's true, I think it would’ve been more effective to lead with that and focus on it.
As long as this is in Google's hands, they can abuse it to control the market.
That said, Play Integrity accepting GrapheneOS would be a step forward, but they will never do it, because then other vendors might also want to pass attestation without preloading Google apps.
This is also a horrible idea. If an OS can be vetoed for untimely security updates, it can also be vetoed for not having something like clientside scanning.
What would even be the criteria for approval? Pinky promise to not let the end user have full control of their own device? That’s all “integrity” really means in practice. Don’t be fooled by appeals to security.
> Most of the thread seems to be a call for attestation to die, which feels impractical and unachievable.
I disagree, and I expect GrapheneOS devs do, too. Hardware attestation is a new thing, that isn't even really here yet. It absolutely can and should meet its demise.
GrapheneOS is still small and appears honest. Despite them being in the right in this fight and them deserving our support... We gotta keep them honest in the long run!
I don't think there's any way to tell if a small company will keep their values if they succeed in getting enough market share.
That is why all companies should be small and no company should ever have a huge market share.
Google doesn't certify devices basing on security, so that kind of attestation should have no place in banking/government apps, otherwise it just enforces the duopoly
Neither of these situations are related to any so-called spyware. The fact that Google is involved here had to do with the fact that they are a trusted party for folks to rely on to ensure the desired properties are being met, nothing more. In theory it should be possible for other parties to provide similar attestation, but that party needs to be deeply involved in the OS and boot chain. Apple is obviously capable and is equally trusted. Graphene probably provides the necessary properties but lacks a good way to attest due to the reliance on Google specific attestation APIs. That could be remedied. Otherwise Graphene would need to create their own APIs and applications would need to use them, which would be a harder sell. In both cases the party asking for the attestation needs to decide to trust Graphene, which is still a barrier, but that's an easier way forward. Alternatively, Google could trust Graphene and everyone who already trusts Google would inherit such trust.
I want a pony! A legitimate desire. So it's okay if I rifle through your underwear drawer in case there are any ponies I could take?
Requiring there be a physical phone is a speedbump at best ( https://i.dailymail.co.uk/i/pix/2017/05/12/13/403C0D44000005... ) and so de-anonymizing every person using the internet by attaching them to a device and allowing google to track them is not sufficient, nor is the privacy loss necessary for the kind of improvement they could realistically hope to achieve.
But most over even if the panopticon were highly effective and even if were the only option to achieve that end we should still reject it because it's wrong.
The frog is slowly being boiled so that people start to accept things which would be unthinkable in the past. Whoever refuses to bend nowadays sounds hyperbolic or insane, but I'm just using the "absolute temperature" here, you know...
> Neither of these situations are related to any so-called spyware. The fact that Google is involved here had to do with the fact that they are a trusted party for folks to rely on to ensure the desired properties are being met, nothing more.
They're NOT fullfilling that purpose here - read the post, insecure devices with Google Mobile Spyware pass that, while GrapheneOS doesn't. Yes, Google is trusted to ensure these security/ratelimiting properties are met, but instead uses/abuses that trust to ensure their anticompetitive business goals are met. Google is not an independent attestation authority and should not be treated as such, what Google is doing here should be (and most likely already is) illegal.
> Alternatively, Google could trust Graphene and everyone who already trusts Google would inherit such trust.
While far from perfect, that would be better, since we'll then only rely on having their hardware (legitimate business) and not their adware/spyware preinstalled with elevated privileges (illegitimate business, illegal monopoly).
They want apps to add their signing hashes manually just for them and don't want to join projects that would aggregate and act as a database or certificate authority.
Being on the palantir-approved google ranch for the few Apps You Need + graphene (or some other alt OS) for everything else would be quite inconvenient, but still better than carrying two phones, which nobody wants to do.
GrapheneOS has near perfect app compatibility other than the Play Integrity API banning it from the overall tiny number of apps using it. It has per-app compatibility toggles for privacy and security features which trip other anti-tampering checks, find memory corruption bugs in apps, etc. There are a couple known compatibility issues from anti-tampering checks from the secure spawning feature but it has a toggle.
The stock OS isn't what's needed but rather directly booting it from the firmware with 0 modifications. Dual booting would require booting something else and major modifications to deal with hardware APIs not designed for multiple operating systems using them at the same time. Secure element / TEE APIs including the hardware keystore and attestation, etc. are not designed for dual boot. A/B updates, verified boot, firmware updates, etc. would need to be dealt with by the bootloader system. It would be complex and messy. The end result would not be a hardened device or one compatible with standard attestation checks.
TEE attests that the OS is booted with a given AVB key, OS version and the bootloader unlock state..
But I know that vbmeta is per-slot, so I guess the whole chain is.. I also read that if you flash "custom_avb_key", the original AVB key is also permitted..
Could this mean we could theoretically dual-boot while being able to flash the OS manually using fastbootd?
Credential Encrypted userdata would be unaccessible though, I'm not sure if the second OS could mount that partition at all.
But I'd like someone more competent to address all this.
First I'll say the government already has an ID system with a backdoor they mandate you use (your federal social security ID and state ID). The backdoor isn't very interesting because anyone with your ID in hand also has it.
So how about this:
1. State assigns citizens an ID at birth 2. State allows citizens to submit a public key along with their ID at any time 3. Citizens can go to their bank / private social network / whatever and say "this is my public key, you can use it to sign messages to me, and you can verify someone a) alive and b) a citizen of $state is reading it (from here you can bootstrap whatever protocol you want) 4. The state<>citizen network established in (2) is constantly under attack as stealing someones private key valuable so you also need a legal and technical framework to defend it
The protocol for submitting private keys and defending it from attack is a much longer post, I'm convinced there are ways to do it that drastically favor defense over offense, but that's not the point here.
Our question is can a government force it's way into the protocol you bootstrapped on top
How would they?
1. They could reset your public key to one they control the secret to, and then impersonate you digitally to break into your bank or social network. However I don't think they could do this secretly (the key update would necessarily be publically visible), so it's not really a back door. They can already do this with a search warrant. And if you're paranoid you can bootstrap your secondary cryptographic networks with multiple factors. So, this is on net more secure for you.
2. They could try to recover your secret key by force or warrant - but again not a back door.
I think the real concern isn't backdooring it's blacklisting, if this system becomes the L1 for every L2 crytographic interaction, they can practically remove your ability to freely transact. But that's a political problem you address with political means, I'm convinced from a technical perspective this is more secure and far cheaper for everyone.
Say your example: a user generates a pub/priv keypair locally and shares the public one with the government. How does the government know you’re rightfully sending the ID? How does the user know what they are sending? Can the app/website/tool/person at post office they are using to generate+store+send the public key be trusted by the user? How can the government give trust to the user that this tool/person can be trusted?
And there we have attestation again. Or walled app stores, or certification as we have for physical services.
It's a problem in search of a solution.
The cynic in me suspects it's a way of slowly but methodically eradicating online anonymity and thus anonymity in general.
The reason it's hard to boot up a secure social network (such as Signal) is the handshake for (re)identifying people. Signal makes a ton of conceits here (the UX essentially asks people to assume phone numbers are securely held) in the name of low friction and it's why they grew so fast. The "real" secure social networks are essentially too difficult to get real adoption because they don't make these conceits around phone numbers, and demand real key exchanges.
But if you had a L1 set of private and public keys the government works to maintain and defend, the L2 social networks like Signal (or banks, or markets, whatever) can do this cheap and easily.
Let’s see then if they really want to collect all our information all the time. Right now, they take it and handle it irresponsibly because they’re free from consequences.
There must be a dozen other ways smarter people can think of but identity verification kills profits so the smart people don't work on them IMO. It's more profitable for social media to be an astroturfed shithole. It's more profitable to remove control of your PC.
End users should be authenticated so you can prove you're selling real eyeballs in the demographic mix you claimed to marketers and to provide lip service for the 'think of the children' regulators.
But anyone who's paying for ads should have as little friction as possible to dropping money and spewing garbage.
I'm surprised nobody is looking at some sort of "corporations are people" angle here-- we've attested the device ownership, but it's owned by the Lorem Ipsum Corporation, which is a legal/demographic dead end and spawned just long enough to buy the device.
A nonprofit business could do this if backed by all existing dotcom and bitcoin billionaires. But they’d all want to profit from it, so either non-profit (NGO) or governmental it is.
Fun fact: this is already a core function of USPS. They serve as an identity verification hub for both US passports and their informed delivery and PO box services. They just have a human-dependent process rather than an identity-generator booth. So they’d be perfectly positioned to take your ID, hand you an attestation request QR code, and get your identity-signatures on it — without being able to reverse-engineer your biometrics from those signatures, but still being able to detect gross variances when someone else tries to lie about being you in a future verification.
Anyways, none of this will likely ever happen, but the rich tech folks could make it happen at any time if they cared to. Instead we get THE ORB which is doing retinas as a for-profit without auditable artifacts or hardware. Sigh.
I'd propose the primary factor is social - when a child is born there is a recorded attestation from the family and care providers about the minting of a new soul. When keys are compromised you similarly seek attestations from your social network (or social worker) that you need to furnish a new key.
The network could be attacked by literal force, blackmail, or deception, but it's very expensive compared the defense (strong legal punishment for attempts to subvert the network)
That last part is why I think the state has to do it, not technologists. There has to be a strong legal and cultural immune system in place to defend the network.
Businesses will do what businesses will do, but it seems to me having something to point to and saying "do this instead" is more effective than "this sucks and isn't even about security, don't do this at all" even though it's true.
Solving proof of humanity is very difficult without tying to some kind of difficult to replicate or automate ID.
... are not problems, no - but bots in general are
Ideally there shouldn't be standards for this. What we have already is enough.
Companies claiming they are closing down their services/devices to protect the users is total BS. Facebook has admitted they get 10% of their ad revenue from scams, and that's the reason they won't go after scammers on their platforms.
Same can be said for Google. They could come up with numerous ways to block bots or make captchas harder for actual bots (while also not flagging every non-Chrome user as a potential bot, like they do nowadays), but they pretend this is an unsolvable problem that requires a nuclear solution, it used to be Web DRM but now it's called Fraud Defense.
> "Microsoft Pluton security processor is a chip-to-cloud security technology built with Zero Trust principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services."
https://learn.microsoft.com/en-us/windows/security/hardware-...
It's amazing to see how many "but it won't happen" comments there.
I've defended app attestation against baseless criticism, but this is a valid take.
The only nuance I would make is that hardware attestation as a technology isn't inherently anti-competitive but rather the way these companies implement it.
I would love to see a non-profit attestation service that publishes a list of allowed OS's, and roots that are deemed secure based on reality.
Amid the massive hype of the Web3 Crypto era, there was a kernel of useful innovation : that you can choose to have unique digital copies of things, and thus you can have a way of sending value that bypasses the middlemen, be they local thugs, bent politicians, violent regimes, benevolent dictators, or the dominant hegemony.
Having central big-Corp approve your content or sign your executable or take a vig on your sales, or license your hardware - these may be common, but are not a universal law of nature.
The internet itself is our best example of the value of technology open for all to use. Frankly, that is in danger.
Whether it is bogus age-checks in your OS, a hidden bios OS, or the move away from owning your own compute [ because the GPU / CPU and RAM are priced so high you have to rent them ], consumers need to pool resources and ensure open access.
Kudos to France for mandating a Linux OS for their public service workforce. Good on the Europeans for doubling down on renewables to insulate themselves from petrodollar volatility, and making sure portable devices have replaceable batteries.
Cory Doctorow has some great rants on enshizzification. Garys Economics YT channel has some great rants on why high inequality steals resources, see also Piketty.
The technocrats on this forum have an understanding of these measures the common person may not, and thus a moral obligation to weigh in on the issues and warn 'genpop'.
Resist, dont let the buzzkills wear you down.
Isn't this a textbook case of an antitrust lawsuit? Y'know, with the whole ordeal with Windows/IE, I assume the court would find this as blatantly anticompetitive behavior.
Google has proven time and time again that they don't want to make this technology fool proof and I severely doubt this will be any different.
Although I do agree that hardware attestation as a captcha is pure bullshit no matter the context.
I wonder if we'll get something similar happening with cloudflare
I'm sure this will happen in non-free countries quickly if Hardware Attestation becomes commonplace to access basic services.
This seems to presuppose that service providers using reCAPTCHA are either clueless idiots or actively expending resources and lowering their conversion rates to support the supposed Google/Apple duopoly. That does not strike me as a plausible claim.
What can't we do for these two companies we will beg, we will bend, we might even consider grovelling as long as the evil is around, to help us find the greater evils in the world. That is, the people we don't like, might be the bad guys today, but just don't worry you will be the bad guy too, just wait until the bad guys get into power...
I haven't read the hobbit or lord of the rings but man if this isn't greed corrupting all men then I don't know what is.
I feel sick of all this, I might really just move out and live the rest of my life out on the farm somewhere.
1) Only law can fix this. Anybody (looking at you ancaps) telling you "if you don't like it, start a competitor" doesn't understand how the economy and network effects work.
2) The general population is a combination of not caring and not even being smart enough to be able to understand. If everyone votes on everything (like most "democracies" where you vote for parties), bigger issues like healthcare, abortions, LGBT will dominate and everything else is noise.
3) People who don't know what public-private crypto or zero-knowledge proofs are shouldn't be allowed to vote on issues where these are relevant factors.
4) We need to fix voting so people can vote on only the stuff they care about and only the stuff they are actually informed about. This works in small teams of highly competent people - at work or in FOSS - and only when they have the same goals. Politics is by nature adversarial and I don't know how to fix this.
Break them up. Break them up. Break them up.
in any case, google started to cause issues with pixel 10, so it's not as easy to port it
There should be multiple 2027 Motorola flagships meeting all the requirements for GrapheneOS. They'll be providing official support for it and they're already working on porting GrapheneOS to their devices.
You can't have the cake and eat it too. Maybe we need to close some doors, especially if the barrier for publication is literally just a couple of prompts and uploading the result to distributor like npm or play store.
One of our Founding Fathers said it best (I know the original context was different, but it fits so well with the current theme): "Those who give up freedom for security deserve neither."
Also, "the optimal amount of crime is nonzero."
> Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.
Even the "beloved" EU government is also in on it as well as banking apps are pushing for this too. They do not care about you and the so-called "Open Web" is already dead on arrival.
[0] https://grapheneos.social/@GrapheneOS/116551068177121365
By "they" you mean FAANG and the FTC, right? Telling the EU to respect the Open Web does nothing to protect users if you continue to approve the export of attested hardware. America is deliberately abetting authoritarian schemes.
You might need to the sentence again since I was quite clear who I was talking about:
"EU government"
"banking apps"
...and everyone else who benefits from pushing "digital payments, ID, age verification, etc." that will use "Apple's App Attest and Google's Play Integrity" APIs.
It isn't that hard to understand.
It's basically those people who can manufacture chips having technological supremacy over the rest of the humanity.
One of its first applications anywhere was protecting anti nuclear protestors from government provocateurs.
We could prevent so much fraud of we could only convince the credit card companies to start using it (instead of printing a symmetric secret on the outside of the card).
It's predominantly a force for good. If anything, its a bit anarchical.
What you're noticing is not the leading edge of set of harms brought about by asymmetric cryptography, but rather the late stage of adoption where the bad guys realize that their enemy's sword has had two edges all this time. Every technology that mediates an adversarial relationship goes through this eventually.
With the printing press came temporary freedom followed by intellectual property. So too with radios and the FCC. So too with social media. It's useless to blame the technology. Blame the people.
It's just that there's nothing pro-authority about making it easy for people to verify: "this data hasn't changed since the signer signed it." It's a neutral capability.
There are cases where we can and should blame technologists for building antisocial things that shouldn't exist, but I think that cryptography for the most part falls on the pro-social side of that spectrum.
When did Https ever hurt you? That's built on asymmetric cryptography. Wherever you see the word "secure" it's basically shorthand for asymmetric cryptography.
Https
Ssh
Sftp
E2ee
It's asymmetric cryptography all the way.
Then stop trying to take away the technology it's built on
Google can put a hmac key in each device which it knows and keeps secret. Device can author authenticated messages using it. Of course, only google can verify them-- but it appears that the workflow in this depends on google in any case and if anything that limitation would be more a feature to them than a bug.
Problem is some countries don't lock down their phone numbers this far so for this to work you have to whitelist country codes which have secured phone numbers.
The headline seems to make the statement that Apple and Google are evil and doing this for monopoly lock-in, and GrapheneOS, a competitor, will stand for the people against that. But given their final counterpoint is that they should have been included too and they rant about being rejected from Google's Play Integrity API for unclear reasons they claim are malicious, it seems they do acknowledge there's security value here: we do critically need for full-chain-of-signature attestations for critical identity data, the only way to avoid someone using AI to create fraud identities trivially.