
Comment by shadowgovt

19 hours ago

Oftentimes the problem is literally yelling at Cloud.

Cloud doesn't have an automatic philosophical match to the way the Freedoms were justified originally. The Freedoms are based on the notion that you should have the right to do what you will with hardware you own; you don't own someone else's hardware in the Cloud.

> The Freedoms are based on the notion that you should have the right to do what you will with hardware you own

Then why do they keep trying to own our devices? Why do we have all this attestation nonsense designed to subvert our ability to do what we will with the hardware we own?

> you don't own someone else's hardware in the Cloud

Then they should keep their ownership in the cloud where it belongs. My software will talk to their software through the network boundary. All is well.

Dictating what software I can or can't use on my machine to talk to their software is an invasion of my territory. It shouldn't matter whether I use their official app, my own custom client or some curl script to achieve my own ends. If they're going to try and usurp control of my machine, then I'm gonna start relativizing their "freedoms" as well.

  • The problem is that the philosophy doesn't extend to networking.

    You are free to do whatever you want with your hardware. Rip the chip out and install firmware that will boot anyway when the missing chip doesn't POST.

    ... and when you try to connect to my server, I will send a challenge-response that you needed that chip to answer. When that fails, I'm free to do what I want with my hardware. Which is drop or reject your incoming request because I don't trust you.

    So far, this situation has been stable because it's a lot more valuable to me to trust you than not; the benefit I get from having you as a user outweighs the harm that can happen if your machine has been modified and does something that breaks my protocols. In fact, the rule on the Internet has basically been "What happens in your house you have control over; what comes in from the outside is assumed to be pure screaming madness until it's validated" for that reason (among others).

    ... but validation is expensive and I can see why some companies would want to push the whole validation story onto "We use attestation to confirm that we can trust the software works the way we expect it to on the other side of the machine." I personally think it's a bit of a dumb experiment (I don't trust attestation itself to succeed, not when the end-user fundamentally still owns the device and every hacker on the planet can attack the attestation protocol all day if they want; I haven't seen a system that pretends it controls both sides of the network ultimately succeed yet and I don't expect I will this time either). But if companies want to win stupid prizes I don't think we need to do anything more than "not work with them" to help them along.

    It's hard to do otherwise without doing injury to the core concept "You own your own machine" whether 'you' is one person with a smartphone or a corporation with a datacenter.