Comment by necovek
15 hours ago
Locked devices are created to supposedly ensure the security of a device user, not because malicious users exist.
A SIM card is a good example. Technically, that's trivially solvable with a PKI infrastructure (a malicious user can't trivially and successfully misrepresent themselves as google.com): the operator runs their CA, and by signing your certificate, they attest that you are the owner of a particular phone number. No malicious user can mess with that (other than attacking the CA).
What they can do is attack end-user devices through different cheaper means (social engineering, malicious apps, exploits...), and extract individuals' private keys, thus allowing them to misrepresent themselves as that individual. A SIM card protects against this by not making the private key accessible in the first place.
This is exactly what locked devices do: they protect customers from not knowing how to properly (including securely) use their devices.
This is what we need to focus on as technologists: if we know how to securely use our devices, how do we opt out of others "protecting" us, and take full responsibility and liability for security lapses?
It's got nothing to do with protecting users. It's got everything to do with protecting the corporation from the users. Especially the corporation's bottom line.
If you have a free computer, you can make it save a copy of the film the corporation is streaming to you. It's your computer, you are in control.
If you have a corporate-owned computer, it will not let you do that. They own the computer, they are in control. If you manage to subvert their control, it will be detected and they will not stream the movie to you.
Substitute corporation with government, and streaming with cryptography. Now consider the fact Europe is trying hard to enact laws that force client-side scanning of our end-to-end encrypted messages.
That is the war we are fighting. The fact we are losing hurts me deeply. It is hard to put into words my disillusionment.
I did use "supposedly" in there. While media lobbies are strong, that's not how they are convincing governments to line up: it's about protecting the naive, non-techy user in this tech-heavy world.
To me, that's why we need to rise and say: I need no protection! Media companies can do what they please and still insist on "secure attestation" (like Netflix does with Chrome on Linux, still limiting to lower quality streams), without essential services like government services, banking services, communication services etc. being allowed to do the same if the user decides against that "protection".
Jails are created to secure users. Jailbreak is created to make users insecure!!!
?
They can represent themselves as users just fine without extracting keys from the Secure Enclave. What are you talking about?
Not sure who "they" are and where they are "representing themselves" in your question?
My point was that you can be protected as a user even without the "secure enclave": that's how GPG, SSH and HTTPS PKI work (a user has their own private key, and they are as safe as their key is). Leaking any one of those only impacts that single user, similar to someone stealing your phone and using your logged-in accounts or even secure chips if they get your PIN or password (or biometrics) — if you even have it set up, which most people outside the tech bubble don't.
You might be misunderstanding some of the nuances I brought up: what are you talking about?