The superhuman efforts that folks on HN make to find technical workarounds and solutions are wonderful to see, but we must realize that this is not a technical problem. It's a social and legislative one. It can't be fought on technical grounds. The pushback has to be via putting pressure on politicians by making regular people more aware.
Right now, the vast majority of users are being bombarded with a one sided narrative of how 'insecure' their devices are. They read almost everyday about someone losing their life's savings due to 'hackers'. In this environment, they genuinely believe locking down their devices will make them more secure and prevent them from being 'hacked'.
The powers that be make sure that the people never hear the other side. That people are giving absolute control to large corporations. In my experience, once the issue is framed as 'Google will decide what you can do with your phone' every single person is immediately outraged.
If you want to make a meaningful contribution, however small, then make it a point to educate people about the control they are giving to large corporations like Google. It doesn't take much to convince them that Google et al don't have their best interests in mind. They already know it and have experienced it. The second thing to do is to encourage them to reach out to their member of congress via letters. It's easy enough to do, and politicians are terrified of going against voters. They rely on people's ignorance to quietly work against their constituents' interests while supporting whichever special interest happened to donate the most to their campaign fund.
I agree with this. The general population is hopeless, they will hand literally anything away for the least amount of friction. They are also profoundly ignorant.
The solution should be to provide the tools necessary to preserve as much agency using technology to people who want to. You should also keep in mind the middle tier technical people who need a bit of hand holding. But do not waste your time on the general public because they don't share or comprehend your goals.
Yes, but most people don't realize it, simply because they have been conditioned from the beginning that the only way to run anything on an iOS device is via the app store.
With Apple customers, a better argument to make is to say that Apple applies a 30% 'tax' on all activity on their phones. That they are being forced to pay more compared to non-Apple users in spite of having bought their device fair and square.
> It doesn't take much to convince them that Google et al don't have their best interests in mind. They already know it and have experienced it.
I think with Apple in particular, this is the issue. Apple have largely demonstrated that they _do_ often have the users' best interests in mind (or at least at some point have had) on the basis that the users are Apple's primary customers. Yes, Apple lock down iOS functionality but this has often been to deliver innovative features. Users don't mind that they're in a walled garden because they like the walled garden.
This is where Google is a different case. Google’s interests are aligned with mass data collection rather than products people love. Most Google users have experienced how this impacts them negatively at some point, usually with the degradation of their products, and constant advert spam.
Google is an example of a company that the mass majority assumes to be in the wrong. Apple often isn’t.
Apple is the classic "good king". By and large they have used their power in ways that benefit users. Other than enriching Apple, there's been no direct or apparent harm to the end user from the walled garden. I know that is a controversial point, but harms we don't ever know about are pretty hard to get upset about.
But the “good” king never lasts. They’re always eventually replaced by a despot, and all the power you ceded to the “good” king falls into the hands of the bad king. Which is why ceding that power is a bad idea, and kings are a terrible system of government.
That's perhaps where the part about educating less tech-savvy folks comes in. There are even professionals in tech under the mistaken belief that Apple meaningfully adds value in exchange for one's freedom to use one's device as one chooses. Big Tech loves normalising the story that only they can help.
> Apple already does this and practically no one is outraged
Apple ran a very successful propaganda campaign where they portray themselves as the protectors and enforcers of a secure environment where users are safe from attacks from the wild internet. See Apple's spin on blocking cookies. Therefore, users of Apple products are conditioned to believe these measures exist for their own personal benefit, unlike Google which is presumed to be motivated to abuse your trust.
> In my experience, once the issue is framed as 'Google will decide what you can do with your phone' every single person is immediately outraged.
I've had a lengthy debate about this (in the context of right-to-repair) with a friend of mine who's outside tech and he genuinely held (still holds?) the opinion that the manufacturer has the "right" to decide how their products are used. I'm willing to bet that this is a common viewpoint of people outside the tech sphere; they just want a device that "works", which for them is essentially just "I can use apps from the App store".
> I'm willing to bet that this is a common viewpoint of people outside the tech sphere, they just want a device that "works", which for them is essentially just "I can use apps from the App store".
Perhaps some people were just conditioned to believe that these shackles are forced upon them for their own good, because only bad people would ever want to take them off.
I mean I agree with you. But also, it's not that unreasonable of an opinion. As long as it's coupled with optionality, which I think is the actual issue. Well the actual "issue" is that most people don't care or think that much at all about it. HN is a very special crowd.
I just submitted a survey to my state's DMV to encourage them to ditch reCAPTCHA. I went to renew my plates and had to do almost a dozen "click the picture" screens to get through on IronFox on my GrapheneOS phone the other day. Luckily no QR code with the whole Play Integrity check, but that wouldn't have been out of the realm of possibility.
There is a tradeoff between the freedom users have on their devices on one side, and the likelihood less sophisticated users will get their information stolen or their devices pwned and used to DoS innocent websites on the other side.
If you don't address this tradeoff you're not really engaging the issue.
What I think we need is a professional, well-informed advocate of freedom who is willing to seriously discuss the tradeoff and concede that neither extreme is ideal.
> What I think we need is a professional, well-informed advocate of freedom who is willing to seriously discuss the tradeoff and concede that neither extreme is ideal.
There is no shortage of well-informed advocates of freedom. The question is, which forum should they discuss this in? There is no meaningful forum for such a debate which will have any real effect on policy and that's by design.
The only place that can both debate and effect policy changes is the legislature, and politicians will never take the people's side against corporations on an issue until they fear losing reelection.
Hence the ask to educate the people around you and to encourage them to reach out to their representatives.
> If you want to make a meaningful contribution, however small, then make it a point to educate people about the control they are giving to large corporations like Google.
This is a fool's errand. We live in a time without virtuous values, where convenience is king. The masses don't care about cookies or consent, they accept all. They only understand direct punishment.
Generalizing like this is a fool's errand, if anything. We care, and we are part of the "masses". If this is something you care about, share with others: there will be those who value it.
It is absolutely not. Awareness is what people need right now because nobody is saying anything different from the established line. The more people who put their voice into this, the better off we are going to be.
I'm hosting a Surveillance Capitalism Presentation soon that I designed myself; I'll likely post it on the net when I am done. If you are interested in hosting a Zoom call or an in-person awareness campaign like this, email me from my website[0] campaign form[1] and I'll notify you when it's online; you can then download it and use it yourself to host your own venue.
> The masses don't care about cookies or consent, they accept all. They only understand direct punishment.
Honestly, I can totally see where the cynicism is coming from, however if you think about it, that's a pretty condescending view. This effort might be Sisyphean, but things are not as dire as you might think.
People are already seething at how much their lives are being enshittified by Big Co. Even if 10% of voters reach out to their representatives, it would be a tidal wave. Politicians are terrified of the popular will and this is not a hill they are willing to die on. Just see the success of the right to repair movement as an example.
> The superhuman efforts that folks on HN make to find technical workarounds and solutions is wonderful to see, but we must realize that this is not a technical problem. It's a social and legislative one. It can't be fought on technical grounds.
This. No matter how good the intentions are, this represents the infrastructure that can be exploited to persecute individuals and groups and deprive them of the most basic rights.
And before anyone tries to downplay this as scaremongering, US legislators have introduced the legal framework to reject visas based on what comments the applicant may or may not have said in the past years regarding the current government.
Sadly much as I agree with OP, the reality is there are a lot of evil people, and some of them lead a country and thus have vast resources to attack with. We need to solve this problem, not just cry about what a few of us are losing.
Petitions are also a good way of reaching out to people and explaining the dangers of these issues. Many people that usually sign petitions are notified of new ones, and, as a generalisation, they are usually fairly against big tech.
If anyone knows of any European petition around this, please share it with us.
> Right now, the vast majority of users are being bombarded with a one sided narrative of how 'insecure' their devices are. They read almost everyday about someone losing their life's savings due to 'hackers'. In this environment, they genuinely believe locking down their devices will make them more secure and prevent them from being 'hacked'.
Nope. It's not the issue. The issue is people genuinely want the security problem to be solved by someone else. Either governments or big companies. So they can just not care about security once and for all.
If people were so aware of so-called hackers and how insecure their devices are, we would have seen people stop installing apps on their phones and basically use them as web browsers. But that's not what happens. The opposite is truer: if you run an even slightly popular website you will receive feedback asking if you have an app version.
> In my experience, once the issue is framed as 'Google will decide what you can do with your phone' every single person is immediately outraged.
I agree with the direction, but not the blind spot.
Your audience is going to shut you out if you don’t show you understand their reality.
I reach out to people, and every tech and media person I know is holding sessions on government overreach and invasion of privacy, raising alarm bells.
Everyone not in tech has just about had it with being predated upon, being screwed over and in general would rather warm themselves on a bonfire of tech stock than do a thing to support it. Voters are HAPPY to see tech brought under control.
The degree of fraud, predation, privacy invasion that regular adults encounter, let alone children, is absurd.
To take the most civil and benign trend I know: online communities are dying to a glut of slop, bots, and spam. Users and mods are simply unable to keep up with this, and are increasingly likely to ding users as much as bots.
A majority of humanity, who live in the developing world, encounter even worse, AND have less recourse to support.
---
Success in these things requires connecting with people. You cannot do that if you come across as a know it all.
You must open with an acknowledgement that Tech is not doing a good job for users, but giving governments sweeping powers is not the antidote.
Is there a good primer on why this is bad? I know that it is on a technical level. But I haven't heard anyone talk about it in layman's terms. Maybe I'll need to write something up. But it'd be great to have some resources as to why this is bad from a perspective other than my own.
I'm doing a presentation on Surveillance Capitalism soon and I might include this topic.
Requiring authorized silicon (and software) isn't even the biggest problem here.
They do not use zero knowledge proof systems or blind signatures. So every time you use your device to attest you leave behind something (the attestation packet) that can be used to link the action to your device. They put on a show about how much they care about your privacy by introducing indirection into the process (static device 'ID' is used to acquire an ephemeral 'ID' from an intermediate server) but it's just a show because you don't know what those intermediary servers are doing: You should assume they log everything.
And this is just the remote attestation vector, the DRM 'ID' vector is even worse (no meaningful indirection, every license server has access to your burned-in-silicon static identity). And the Google account vector is what it is.
There are several possible reasons for this, the obvious one is that they want to be able to violate your privacy at will or are mandated to have the capability. The other is that because it's not possible to link an attestation to a particular device the only mitigation to abuse that is feasible is rate limiting which may not be good enough for them - an adversary could set up a farm where every device generates $/hour from providing remote attestations to 'malicious' actors.
> The other is that because it's not possible to link an attestation to a particular device the only mitigation to abuse that is feasible is rate limiting
I still don't see how you can keep something anonymous and still rate limit it. If a service can tell that two requests came from the same party in order to count them then two services can tell that two requests came from the same party (by both pretending to be the same service) and therefore correlate them.
The way it would work with blind signatures is that the server will know the device that comes to it to request a blinded signature and will be able to rate limit how often that device asks it.
But once you get the response you can unblind the signed signature and obtain the token (which is just the unblinded signature). This token can then be used once either because it's blacklisted after use (and it expires before the next day starts for example).
The desired property of blind signatures is that given a token it's information theoretically impossible to determine which blinded signature it came from (because it could have come from any of them) even if the cryptographic primitive is broken by a mathematical breakthrough or a quantum computer. There is technically the danger that if the anonymity set is too small and all the other participants collude you can be singled out.
Correlating times is a threat vector that needs to be managed either by delaying actions (not tolerable by normal users) or by acquiring tokens automatically and storing them in expectation. Or something other I haven't thought of probably. There is also a networking aspect to this, you will need a decentralized relay server network that masks origin of requests.
Just to give an example to prime your intuition: define your "usage token" as H(private_key|service_domain_name|date|4-bit_counter). Make your scheme provably reveal the usage token when you authenticate. Now you can use the service 16 times a day on a particular domain and no more simply by blocking token reuse. And yet the service has no ability to link different tokens to each other or to a specific person because they don't have anyone else's private keys.
You can make variations on this for a wide spectrum of rate limiting behaviors.
But also I agree with xinayder's comment-- the anticompetitive, anti-privacy, invasive surveillance is unacceptable. There are a lot of risks with ZKPs that we just make the poison a little less bitter with the end result being more harm to humanity.
I think ZKP systems are intellectually interesting and their lack of use helps make it more clear that the surveillance is really the point of these schemes, not security because most of the security (or more of it) could be achieved without most of the surveillance.
But allowing the Apple/Google duopoly to control who can read online is wrong even if they did it in a way that better preserved privacy.
I'm as biased against cryptocurrency as everyone, but couldn't we have the requestor do a bit of mining work to mint that initial id? I mean, if the service is actually making a bit of money from each request, the need for rate limiting just vanishes, right?
> I still don't see how you can keep something anonymous and still rate limit it.
Constructions like this have existed for many years. E.g. semaphore RLN (rate limiting nullifier). This particular construction was found unfeasible 7 years ago, but since then zkSNARK tech made huge progress and it is way cheaper now.
Can we stop normalizing being surveilled online and on our devices?
Saying something like "the problem is not hardware attestation, but that they don't use ZKP".
You are normalizing the new behavior. You shouldn't. It doesn't matter if they use ZKP or the latest, secure technology for hardware attestation. The issue is hardware attestation. It's the same with age ID. The issue is not that Age ID is prone to data leaks, the problem itself is called Age ID.
How should a government act to prohibit misrepresentation of one’s characteristics online, from accessing services for which that government has formally defined regulations based on characteristic into law?
If your answer is “they shouldn’t ever do that”, then you’re promoting an uncompromising position that governments are disinclined to adopt, being the primary user of identity issuance and verification on behalf of their citizens.
If your answer is “they should do that differently”, then you have a discussion about (for example) ZKP or biosigs or etc., such as the thread you’re replying to.
Which of these two paths are you here to discuss? I want to be sure I’ve correctly understood you to be arguing for the former in a thread about the latter.
You're not necessarily being surveilled just because you're forced to authenticate yourself. It often is the case practically, but it's not inherent, and mixing the two up makes the discussion too imprecise in a technical forum.
Hardware attestation often also has problems of centralization, but that's something else as well.
By just labeling it as an abstract bad thing without seeing nuance, I'm afraid you won't be convincing those in power to pass or block these laws, or those convincing your fellow voters which efforts to support.
There is a problem where it's becoming increasingly harder to determine which internet packets coming to your service are at the behest of a human in the course of normal activities or an automated program.
If all the internet consisted of was static content, that wouldn't be much of a problem. But we live in a world where packets coming to your service result in significant state changes to your database (such as user generated content).
I suspect that we are currently in the valley of do-something-about-it on the graph which is why you see all this angst from the big players. Would Google really care if automated programs were so good that they were approximating real humans to such an extent that absolutely no one can tell? I suspect they would not only be happy with such a state of affairs, they would join in.
> Requiring authorized silicon (and software) isn't even the biggest problem here.
It is indeed the biggest issue. It prevents me from owning and using the hardware I pay for, own, or make myself. It's switching the personal computer as we know it from being open to proprietary and owned by 2 large US corporations.
I simplified the process in my description. The DRM ID Android has is not what I was referring to.
I was referring to the static private key that is stored in the silicon. At any time an application can initiate a license request process using DRM APIs which will elicit an unchangeable HWID from your device. The only protection is that it will be encrypted for an authorized license server private key so collusion may be required (intel agencies almost certainly sourced 'authorized' private keys for themselves). Google or Apple also has the option to authorize keys for themselves. In 'theory' all such keys should be stored in "trusted execution environments" on license servers and not divulge client identities for whatever that's worth: <https://tee.fail>.
Can you revoke certificate for a specific device using privacy schemes?
Like imagine that someone managed to extract the key from a specific device and distributed that key in a software implementation to fake attestation. Now Google needs to revoke that particular key to disallow its usage. This is an obvious requirement.
Yes, with blind signatures you still have a central authority which voluntarily 'launders' tokens for you. When you present it your certificate and ask it to give you a blind signature it can reject the certificate.
However if someone extracts a key and keeps it private, and instead gives out unblinded tokens there is nothing you can do other than rate limit - realistically, an adversary is going to trial different rates anyway to figure out which don't make them an outlier.
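The blind-signature flow sketched earlier in the thread (the issuer rate-limits the device it knows, the device unblinds a token the issuer never sees, the service blacklists each token after one use and expires it with the day) together with the revocation point just above, as an added example in Python that is not code from anyone in the thread: textbook RSA blind signatures with a toy 512-bit modulus and a bare SHA-256 hash, with device names and dates constructed. A real deployment would use RFC 9474 (RSA blind signatures with PSS padding) rather than this bare-hash construction.

```python
"""Added demo: unlinkable, rate-limited, one-time tokens from RSA blind
signatures, following the flow described in the thread. Toy parameters only
(512-bit modulus, bare SHA-256 hash); identities and dates are made up."""
import hashlib
import math
import secrets


def _is_probable_prime(n, rounds=40):  # Miller-Rabin; n is a large odd candidate
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def fdh(msg, n):  # toy full-domain hash: map the token message into Z_n
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


class Issuer:
    """Knows who is asking and enforces quota/revocation on that identity, but signs only blinded values."""
    def __init__(self, bits=512, per_day=16):
        self.e, self.per_day, self.revoked, self.quota = 65537, per_day, set(), {}
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        while p == q or math.gcd(self.e, (p - 1) * (q - 1)) != 1:
            p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        self.n, self.d = p * q, pow(self.e, -1, (p - 1) * (q - 1))

    def blind_sign(self, device_id, day, blinded):
        if device_id in self.revoked:
            raise PermissionError("device certificate revoked")
        used = self.quota.get((device_id, day), 0)
        if used >= self.per_day:
            raise PermissionError("daily quota exhausted")
        self.quota[(device_id, day)] = used + 1
        return pow(blinded, self.d, self.n)  # RSA signature on the blinded value


def request_token(issuer, device_id, day):
    """Device side: blind a fresh message, get it signed, unblind the result."""
    n, e = issuer.n, issuer.e
    msg = day.encode() + b"|" + secrets.token_bytes(16)  # expiry day + nonce
    r = secrets.randbelow(n - 2) + 2
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    blinded = (fdh(msg, n) * pow(r, e, n)) % n  # uniform in Z_n*, hides msg
    sig = (issuer.blind_sign(device_id, day, blinded) * pow(r, -1, n)) % n
    return msg, sig  # ordinary RSA signature: sig^e == fdh(msg) (mod n)


def redeem(token, today, pub, spent):
    """Service side: check the embedded day and signature, then blacklist."""
    (n, e), (msg, sig) = pub, token
    if msg.split(b"|", 1)[0].decode() != today or pow(sig, e, n) != fdh(msg, n):
        return False  # expired, or not signed by the issuer
    if msg in spent:
        return False  # replay: blacklisted after first use
    spent.add(msg)
    return True


def run_demo():
    """Redeem once, replay, quota, stale day and revocation, as a dict of checks."""
    issuer = Issuer(per_day=16)
    pub, spent, out = (issuer.n, issuer.e), set(), {}
    today, yesterday = "2024-05-02", "2024-05-01"  # constructed dates
    tok = request_token(issuer, "device-A", today)
    out["first_redeem"] = redeem(tok, today, pub, spent)
    out["replay_redeem"] = redeem(tok, today, pub, spent)
    for _ in range(15):  # device-A has now used its 16-per-day quota
        request_token(issuer, "device-A", today)
    stale = request_token(issuer, "device-B", yesterday)
    out["stale_rejected"] = not redeem(stale, today, pub, spent)
    issuer.revoked.add("device-C")
    cases = (("over_quota_rejected", "device-A"), ("revoked_rejected", "device-C"))
    for key, dev in cases:
        try:
            request_token(issuer, dev, today)
            out[key] = False
        except PermissionError:
            out[key] = True
    return out
```

The issuer only ever stores `(device_id, day)` counts and blinded values, which is what makes the redeemed tokens unlinkable to a device; a leaked device key that is used to obtain blinded signatures is still bounded by the quota, as the reply above notes.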
Ultimately, the point of hardware attestation isn't to ensure that your device is trusted, but that the action you're trying to perform was done by a human, not a bot doing millions of them per second. It's just another CAPTCHA mechanism in disguise, required because bots have gotten so good at solving the existing ones.
With a secure device, the only way to get an attestation for an account signup is to do the signup on that device, with real fingers clicking real buttons on a real screen. There's no way to short-circuit the process by automatically sending a JSON request and bypassing the actual signup flow from a Python script, like you can do with an insecure endpoint.
With blind signatures, a single compromised device destroys the value of the entire scheme, as it can be used to issue an infinite number of attestations with 0 human oversight.
What we need is a blind signature construction where the verifier can revoke a signature, each signature carries proof that none of the revoked signatures comes from the same signer, and where it is impossible for one signer to issue more than n distinct signatures during one time window. Not sure if this would be possible with ZKPs; my cryptography knowledge doesn't extend that far.
> Ultimately, the point of hardware attestation isn't to ensure that your device is trusted, but that the action you're trying to perform was done by a human, not a bot doing millions of them per second. It's just another CAPTCHA mechanism in disguise, required because bots have gotten so good at solving the existing ones.
...no? Maybe this is true of end-user device attestation. But there are other use-cases for attestation.
Server device attestation is an entirely different thing. It's used in e.g. IaaS "Confidential VM" offerings, where the audience for the attestation information is the customer, rather than the server host. It's a very pro-privacy / pro-data-sovereignty feature.
And while embedded device attestation is sometimes about preventing customers from tampering with IoT stuff you "sold" them, more often it's about being able to trust and confidently assert that e.g. the climate sensors you've deployed all over a forest as part of a research project haven't been fucked with to report false data by someone with an agenda. (Or to "apply denial" to your unmanned military satellite downlink station the moment you detect that there's some unknown person out there futzing with it.)
In 1999, Intel received an absolutely massive amount of opposition when they decided to include a software-readable serial number in their CPUs, so much that they reversed the decision.
Then the "security" and Trusted Computing authoritarians continued pushing for TPMs and related tech, and contributed to the rise of mobile walled gardens. Windows 11's TPM requirements were another step towards their goal. The amount of propaganda about how that was supposed to be a good thing, both here and elsewhere, was shocking.
It turns out a significant (but hopefully decreasing) number of the population is easily coerced into anything when "security" is given as a justification.
The war on general-purpose computing continues, and we need to keep fighting.
Stallman was right, as always. Time to give his "Right to Read" another read. (If it hasn't been done already, an AI-generated short film of it would be a great idea...)
"Those who give up freedom for security deserve neither."
Weird rant. TPMs are great. The modern computing landscape needs a safe place to put secrets. It's what made the iPhone (Secure Enclave is effectively a TPM) years ahead of Android in terms of security.
The problem isn't the TPM, but attestation. As soon as the TPM is required to not be under your control to get access to Y, bad things happen.
Hell, in actuality, the problem isn't even attestation, it's policy. The EU Parliament (the one the people vote for, the Commission are cronies) might eventually force corporations into something more citizen-friendly. Neither Apple, Google or Microsoft is going to drop a market that big.
Requiring "tokens" stored in "trusted modules" and 7-factor-auth for everything is not progress, it's theater. The biggest achievement of the security orthodoxy was locking me out of my email, by requiring me to read a code sent to my email to log into my email.
I -- literally -- do not care about a single "account" in any "service" I use aside from my email and bank account. Most people would add a few social media accounts to that list.
You don't need a "place to put secrets". Your iPhone app does not do anything important enough to require a "trusted chain" of cryptographic bullshit, just use a password and Google/Apple login.
Attestation isn't even the problem. I'd love to be able to verify that my server's kernel hasn't been tampered with.
The problem lies in companies like Apple/Google/Microsoft rejecting attestation that they do not control.
People confusing big tech's policy choices with tech features have made "I want my laptop's auth token to only be usable on my laptop" a controversial opinion.
>The modern computing landscape needs a safe place to put secrets.
Does it?
Why waste time on developing exploits when you can just call up grandma and get her to give you the money by her "own" volition - using her secure device - by pretending to be the bank/IRS/her grand daughter using AI voice/etc.
TPMs are a fucking mess. TPM 2 at least, I've worked with it for a few months. I love me some hardware security module, but I want to control it. And if it must be a standard, please, please do something like the TKey, so it can be both much simpler than current ad-hoc standards and future proof.
TPMs add security against a narrow case of evil maid attacks. They might be useful for corporate computing (for cargo cult compliance purposes more than actual security) but they trojan horse more of "not owning the device you bought" with it to people that don't and shouldn't care about evil maid attacks at all.
> (If it hasn't been done already, an AI-generated short film of it would be a great idea...)
Once you have the script, that’s a couple actors in a classroom, a couple e-ink readers for props, the film crew… It can be shot with less than 10 people in a day, then one person for a couple days for cutting and post production. And that’s on the very high end for this scene.
Considering the reach this video would be meant to have, avoiding AI would not be that expensive.
On the other hand, the TPM spec is pretty complex, especially because they wanted to address privacy issues: the endorsement key, burned by the manufacturer, is only able to encrypt messages and not able to sign them, because this could have been used to track machines. (and this makes a remote attestation protocol much more complex to implement)
So, it looks like they were aware of such issues and tried hard to mitigate them.
> In 1999, Intel received an absolutely massive amount of opposition when they decided to include a software-readable serial number in their CPUs, so much that they reversed the decision.
> It turns out a significant (but hopefully decreasing) number of the population is easily coerced into anything when "security" is given as a justification.
The people who opposed Intel are now telling each other how hopeless and powerless they are. You can see it on HN, in this thread: No drive, outrage, and self-organizing response to these issues, but despair - 'nobody cares', 'there's nothing we can do', etc. Quitting is a sure way to lose.
> The people who opposed Intel are now telling each other how hopeless and powerless they are.
I don't think those are the same people. I, for one, will continue this fight by telling everyone I know about the fact that Google is going for absolute control of the Internet, and by extension, everyone's lives. They have already become an unelected global government.
This is a really good thread on why this technology is becoming a problem for "open" anything. The argument "we can create our own separate web" is fine until all of your services are behind the web that locks you into owning a Google approved or Apple approved mobile device.
I like to ride my bicycle with my friends in rides organized by the (Pacific Northwest) Cascade Bicycle Club. They require that I solve a Google reCAPTCHA in order to register for a ride. Google is already completely locking me out from being able to do that. When I try to click on the squares to select whatever items it's asking, it indefinitely loops. When I try using the audio version, it completely blocks me from using it saying that there has been suspicious activity.
That means that I ride alone these days. I did not renew my membership this year.
The last time I experienced something like this was when Facebook started being the only way to participate in certain events. Back when that happened, I simply counted myself as excluded and did other things with my time and money.
I also had a similar issue with Cascade Bicycle Club - they chose to organize things via WhatsApp, and since I am (inexplicably) banned from opening a Meta account I was completely left out of the group and missed out on many rides/details that were only shared via WhatsApp.
When I tell people that this is even possible I get wide-eyed stares — as if they never contemplated that Meta could exercise their right to ban someone from the platform.
It's a huge problem and I have no idea how to fix it except talk about it and spread awareness. And I am not remotely interested in trying to work around the ban.
I hope you contacted them to explain why. People usually think I’m a nut when I do it, or are too stupid to understand and think it’s a tech support issue, but it’s worth at least trying to make it clear that you are choosing not to use/do/pay something because of their choice to use recaptcha.
The old, open web is too easy to attack and that is part of what has led sites to adopt technologies like this. I hope there are better solutions than everyone-is-their-GoogleID, but how realistic is it that people just trying to run a bakery, a bicycle ride, &c, will find them? They have other things to do.
And it didn't even take attestation to cause this absurd situation where many businesses or social groups were only reachable behind Facebook or Whatsapp or whatever.
To me this is such a bizarre cyberpunk dystopia. Like if we could only send letters and packages to people subscribed to the same private postal service, or drive on roads that had cross-licensing with our brand of car.
IMO, it would be better if they removed the claim “It doesn't provide a useful security feature” because, even if it does, the collateral damage of making non-Google, non-Apple OSes second class citizens remains, and that is the main problem.
> it would be better if they removed the claim “It doesn't provide a useful security feature” because, even if it does,
What evidence is there that it does?
Attestation purports to prove the code is running on an "approved" device. There are multiple reasons that has no real security value.
The first is that "approved" not only has no relationship to "secure", they're actually anti-correlated. As the article points out, GrapheneOS has better security than normal Android. Moreover, as a general rule the stock firmware that can pass attestation is more likely to be outdated and have security vulnerabilities than a custom ROM, and also as a general rule devices (like PCs) with more open hardware have the ability to be updated. A four year old attestation-passing Android phone may already be out of support and unable to be updated while still passing attestation; a 20+ year old PC can run the latest supported release of e.g. Debian.
The second is that "secure" and "runs code the service doesn't want" are likewise unrelated. Suppose there is an Android device which is still receiving updates. A local privilege escalation vulnerability comes out and that device will get the patch, but hasn't yet. So now any attacker with any of those devices can get root on it until they apply the patch. Which means they can get root after the main filesystem is unlocked, modify the filesystem so they continue to have root by changing something that isn't part of the attestation hash but still causes code or scripts to run as root later, and then update to the latest kernel and continue to have root on a device that passes attestation. The device is secure -- fully patched -- but it's the attacker's own device and they can run arbitrary privileged code on it. Requiring every device to be "secure" against the person who has ownership and permanent physical possession of it is a ridiculous thing to take as a security assumption.
And the third is that attestation doesn't actually do what you want it to anyway. Banks want to make sure the user isn't entering their credentials into a compromised phone, but having the official bank app refuse to run on that phone doesn't actually prevent that, because the fake bank app which is stealing the user's credentials on a compromised device won't require attestation to pass regardless of whether the real one does.
I feel like the complaint about this not adding to security could be read in a really wrong way. Instead of "this is some hypocritical BS", it could be interpreted as "lol let's lock EOL devices from even lower integrity tiers". Doubt this is possible because so, so many people use EOL phones, but still.
That's one of the two main claims made in favor of hardware attestation; so it makes sense to argue against it. Of course, the other claim (that categories of people must be kept "safe" from categories of content) is more insidious, so it does deserve more attention.
Wouldn't the argument be that you'd build separate copies of those services as well?
Granted, for banking or government-interactions that isn't feasible, but wouldn't it for many other things? It would likely be more expensive given that the work to build something still needs to be done and the cost is distributed among fewer shoulders and the lower complexity since you don't need to build ad-tech doesn't make up for that, but I suppose that's a bit like quality food.
> Wouldn't the argument be that you'd build separate copies of those services as well?
You can't if the service requires the network effect to function well, if at all. Look at Bluesky and all the alternatives, look at the pitiful attempts at making a YouTube alternative, etc.
Ideally, we just run our own lives, collaboratively. That's the anarchist default position that we all start in.
What we really need is to meaningfully participate outside of the hierarchical monopolistic systems that demand our participation. That doesn't just mean that we create and hang out in distributed networks: it also means that we make and do interesting shit there, too.
The biggest hurdle I see is that we only really use uncensored spaces to do the shit that would otherwise be censored. We don't use distributed networks to plan a party with grandma, or bitch about the next series of layoffs. We don't use distributed networks to share scientific discovery or art.
I think part of the solution is to make software that is better at facilitating those kind of interactions, and the other part of the solution is actually fucking using it. How many of us are only waiting for the first part?
I'm convinced that in the billions of people living on Earth, there are a couple million that could agree on things that currently divide countries, like this. Sadly they're unlikely to ever be able to gather together in a single state.
The status quo is nation-states in roughly their post-WW2 borders, and it's fiercely protected. The upside is stability and fewer wars, the downside is that the only way to try anything new is to co-opt an existing country. Adding to that, most countries are ethnostates that would prefer to have only a small percentage of their population be migrants. It's an easy way toward social cohesion, you just stay roughly where you're born, with people who were also born there and share the same cultural background. As we can see, it's not ideal - two lifelong neighbours can easily hold completely opposite moral values.
The problem with "us" is that it's not enough to agree on one small question ("is hardware attestation good or bad") to happily live together in our own country. "We" have a wide variety of opinions about pretty much everything.
In other words, "we" exist only to fight against this one thing we disagree with. And even there, we probably don't all agree on how to fight it or what to do instead.
Where would you do that? Realistically, the question is one that cannot even be asked safely: are there enough of us to overthrow the existing systems and replace them with something better?
The answer to either question, really, is no. The powers that be have systematically implemented policies that keep us divided to prevent that eventual outcome.
Who is the "us" in your question? Theoretically in democracies we should be able to decide this, if we aren't being distracted from real political questions with the culture war stuff that divides the public's attention and divides neighbors from each other.
Any new country will have these same issues, eventually, and probably a lot more that don't seem obvious on the surface.
Fighting against these sorts of monopolies seems far more likely if we can figure out what forces inside the EU and the US are driving these changes and find a way to educate the public, interest groups, and politicians about what's going on.
The question is rather: can political parties develop a vision beyond libertarian views or full state control on the other side.
I feel that we need a better political consensus on a free society that puts the monopoly of force in the hands of democratically legitimate forces. I currently feel that all digital violence lies in the hands of a few corporations. And at the same time there are politicians who like this because, through this proxy, they can indirectly exercise control without any political legitimacy. Sorry, I do not believe in markets as guarantees for freedom. I have read too much dystopian sci-fi for that.
Yes, it requires you to have an approved device for certain tasks.
But you can own multiple devices. You can use an approved device specifically for banking or Netflix and whatever device you like for all your other tasks. Maybe you could use an approved device (a Yubikey?) to authenticate your other devices?
Also, governments should be leaning on them to approve more devices.
This is tyranny: making people powerless, afraid of each other, and submissive, per Aristotle's understanding.[1] The technological means are new, to be sure, but the social strategy is as old as civilization.
Mark my words. General purpose computing and private, direct communication are things too powerful for a tyrant to permit the people to have. The freedom we've enjoyed for the last several decades, to build what we want, to run what we want, to network with who we want, is not the default and will always be under attack. We had it for a little while by the generosity of the previous generation. It was not then, and is not now, and never will be free.
We are a generation of tyrants, each oppressing the others in his own little domain. Gone is the dream of making a modest living while enriching humanity with offerings of technology. Whatever is invented now is gated, rented, and exploited for power, in the shadows and in the open, and what technological power had been granted to the people is whittled away year by year, immense riches destroyed so someone in particular can extract something from a replacement.
There is no Caesar to assassinate because it is everyone, or near enough. It is the idea that this is how you do things. Tyranny is in the air and in the water, that exploitation of power for more power by means of misery, old as mankind.
In such a world, removing one tyrant only gets you ruled by his rival, who is often worse. The historical recipe for freedom and abundance is a people who, as a whole people, are generous with power and expect it of each other at every level, and are viciously intolerant of its abuse. Such was the world of technology for about five decades in the last century, but it hasn't been so for the last two or three. I think it doesn't take much for a few awful people to eat up any abundance, if they are allowed to, and that war is written across the history of computing from its very beginning. But these days, it is not a healthy society defending itself from would-be conquerers, but a world of feuding warlords anxious to eat up any excess anywhere, not only for profit but because thriving and independent people are inherently a threat. With few exceptions, and it seems like fewer every year, any kingdom now which consists of a group of people and some code, be it a software service, a phone, a game, a car, or a dang toaster oven, looks like a despot extracting taxes from his peasants, not a king sheparding his people. Certainly the big ones are that way, and the legacy of the last generation continues to be eroded.
Whatever the means, that tangle of the legal and economic and social and educational and technological and cultural, and I do not pretend it is anything but a thorny and incomprehensible thicket, Aristotle's identification of the broad themes remains relevant. Divided, humiliated, disempowered - whatever the pretext, the encroachment of dark forces is unmistakable. The only defense is (and ever was) those who see their work as in some sense sacred and power as conveying a duty to serve. The generation for whom Superman is a central myth builds one way; the generation for whom it is Game of Thrones builds very differently. Not that these stories are necessarily causes, but their resonance is a reflection of how two very different groups of people think about power.
This is trickier if your device has the DRAM mounted directly on top of the CPU, but still possible - you'll need to do some BGA rework to get a wire soldered to one of the DQ lines.
Once you get a physical memory read/write primitive, you can start patching the kernel. Play Integrity does not detect this, since it only attests the state of the kernel at boot. I chose to patch out the permission checks related to ptrace, allowing me to inject frida-gadget into running apps, and to inject shellcode into pid 1.
The initial exploit is pretty unreliable, and usually takes a few reboots to hit. But once it lands, the device is pwned until the next reboot - like a "tethered jailbreak".
I tested this on a Samsung A06 because it was the cheapest device supporting Play Integrity I could get my hands on, but there's no fundamental reason it shouldn't work on any other device, including flagships. Some mitigations would require a different exploit strategy (e.g. memory encryption), but the fundamental flaw is still there.
The EU Digital (identity) Wallet EUDI requires hardware attestation by Google or Apple, effectively tying all the digital EU identities to an American duopoly. Talk about digital sovereignty. Apparently protecting the children > sovereignty.
The decision which was made was having a digital ID wallet; that this needs hardware attestation (or something comparable) is somewhat of a direct consequence of existing laws/regulations regarding making IDs forgery safe.
It also is a phone-only application.
The huge, huge majority of phones run Googled Android/iOS, so you support them.
If there were a relevant 3rd party competitor it would (most likely) have been supported, too.
Going back to the "the president .. shut down .." argument: The US can shut down >90% of all smart phones used in the EU. I don't think the US being able to shut down something which in the end is fundamentally just a minor convenience feature is making much of a difference here.
But I also think that the whole identity wallet (the regulations behind it) is approaching things from the wrong direction; carrying a credit card sized ID with you isn't really a problem or very inconvenient. So instead of having the whole attestation nonsense it would be more practical to simply not have attestation and in turn allow the digital ID only for usage where the damage it can cause is quite limited. Especially given that device attestation systems have a long history of being circumvented...
As a side note, this whole app is distinct from the "use your ID through your phone/NFC with applications" thing many EU countries have, though those solutions also tend to have attestation issues in most cases. But again most relevant use-cases of it can be done just fine, without the security level attestation tries to provide, if approached pragmatically.
We (America) made the decision for them. The EU's member states were either:
1. Explicitly designed as client states for the US
2. Explicitly designed as client states for the Soviet Union, with alliances switching over as the Soviet Union fell apart
3. Great Britain, a country whose electorate would probably only reconsider rejoining if the EU agreed to explicitly become British client states, because the only thing Britain hates more than France is those dastardly American upstarts[0].
The reason why this persists despite an openly hostile American president is the fact that the EU has no real alternative. The EU has a shitton of internal political distrust between member states, and the US was offering a lubricating alternative: "Just trust us." Politically distributed alternatives require balancing coalitions that are far more fragile.
[0] The history of European anti-Americanism is extremely fascinating, because it's effectively a Reactionary meme - as in, "wanting to restore the Ancien Regime" Reactionary, not "funny way to say Nazi Party member" Reactionary. And yet it's jumped across so many incompatible political ideologies that the average European probably had no clue why they hate America until Donald Trump gave them a good reason to.
I hate to beat a dead horse and have people downvote me but: the EU has always been corrupted. The knowledge and effects are not evenly distributed until it hits each niche group. Then they find out the hard way that they were useful idiots. It’s ok to be wrong/admit. Let’s just move past the infighting and see those in power for the evil that they are.
Probably because the reply was written by someone without technical skills.
I’ve written to politicians over the years about technical matters and it’s uniformly either a clearly form response or an inaccurate summation of the technical risks, if I’m being charitable, because they don’t understand them either.
Where did you write? Is there a link or something you could share? I am not in the EU so I assume I can't, but it would be nice to share a link so that other EU citizens could write.
If enough people write, they may start finding it relevant.
Came here with roughly the same thought. Given the stated importance to many of sovereignty and not being dependent on the US, why isn’t there more opposition? I assume it’s just ignorance?
Digital sovereignty has only become a serious political topic in the EU over the past year. It may take a decade to see the effects of this in laws and policies.
Since you're so much more informed - which integrity guaranteeing product would you use for mobile devices that European citizens use? Covering more than 90% of the population?
You want a secure identity? ISO7816 exists and is completely independent of Big Tech. The question of who should be required to show ID is different (and I'd argue the answer is "no" in most online-only situations), but there's already a solution that's been trusted by the financial sector for decades.
One of the major problems with on-device identifiers is that they must be tied tightly to devices, due to the risks of cloning. This is particularly true for privacy-preserving identifiers. That's why device attestation is so important, because you can't ensure that identity (keys) are locked to a device unless you can verify that the hardware prevents users from extracting keys. The worst part of this is that motivated criminals will certainly figure out how to extract those keys and use them for fraud; it's open-source and open computing that will be destroyed by this.
Only if you need to have the entire application behavior (or at least some trusted confirmation) attested, right? Otherwise, an external USB dongle, tapping a contactless smartcard on a phone etc. could do just fine.
>To reduce platform dependencies, we also evaluate additional platform independent signal sources. In this context, we evaluate signals from runtime application self-protection (RASP) systems, for example. We also might revisit later whether there are comparable security mechanisms for other platforms.
They're basically saying they have no choice but will evaluate better options.
So the follow up question is: Are you going to push the EU & Governments to do the logical thing and start developing, with your tax dollars, the necessary software & hardware to make it into the public domain so they aren't reliant?
Mostly it seems like few people see the need for bringing government into software, no matter how much software & hardware are becoming essential utilities.
There is the alternative of not pursuing domestic spyware in the first place. Especially because this is tied to the attempts to deanonymise Internet users.
The EU problem here is they are simply reactive, and slow at it. By ceding the active part of commercialized innovation to the US (because paying the people that do such things what they're worth is simply incomprehensible) they allow them to dictate the terms of engagement. The utter dependence on WhatsApp being a shining example, as well as cloud services in general.
If anyone wants to assert control they have to be where the puck is going instead.
AFAIK this is not true. The Austrian eID also works on GrapheneOS (with an initial warning). It's some national implementations (such as the German one you linked) that enforce this.
Being a highly skilled lawyer, UN official, can get you banned from all government EU services if the Drumpf doesn't like the fact you're investigating war crimes.
Our civilization desperately needs a method to modify modern microelectronics after manufacturing that can be used at least in a well-equipped repair shop, and it needs it yesterday.
Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM in any computing device that is marketed as a general-purpose one. I.e. the first instruction that the CPU executes after reset must come from a storage device that is physically external to the CPU package.
Those laws should die, but that's besides the point.
Modern cryptography allows for making DRM incredibly hard to break. And the disadvantage of "hardware attestation" DRM is that you have to break it not once, on a single device, the way you do to dump a "protected" movie, but on every single device that you want to use.
Yes, these are the most clearly corrupt laws that exist. It is like outlawing hammers because you may hit someone with it. It is just giving up freedom for the benefit of a few fortune 500 companies.
That'll also work somewhat, but the problem would remain that even if it's legal to break the DRM, you can't exactly break it when it's assisted by hardware and there are no vulnerabilities in the "trusted" code.
> Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM in any computing device that is marketed as a general-purpose one.
Funny, I have a related proposal: make it illegal to sell hardware and distribute software. Or at least, if you distribute software, we don’t buy your hardware. The idea is to force hardware companies to release the complete user manual for their hardware, and incentivise them to simplify and standardise their hardware interfaces.
What I did forget was forbidding them to arbitrarily restrict what kind of software can run with their hardware, which they could if the hardware hashes the software & verifies a signature before running it. But it would seem your separation between CPU and storage takes care of that.
That's probably not going to happen for a very long time. Relatively simple SoCs already do tons of work before the architectural reset vector in undocumented boot ROMs in order to assist the reset process.
There's also tons of value in a boot ROM that can't be accidentally erased to add low level DFU routines.
This won’t help; the SOC silicon can be revised to record each executed instruction from power-on until secure-boot handoff opcode, with various supporting opcodes to query status-of / overflow-of / signature-for so that the OS reports pre-boot tampering implicitly as part of developing its own attestations.
Then also make it illegal for the SoC to contain any cryptographic key material.
My intention with this is to make sure that if someone were to desolder the flash chip and reprogram it, they could completely own the device without the device or SoC manufacturer having a say in it or a way to prevent or detect it.
Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM in any computing device that is marketed as a general-purpose one.
No, you just need to make it illegal to have the bootloader contain hardcoded key material and use it for verifying the code it loads.
Most of those are less "hardcoded" and more "fused into internal non-erasable memory at manufacturing time".
Not that it changes much. It really should be illegal to enforce "secure boot" with no way for the device owner to opt out of it or enroll his own keys.
And what code will verify the signature of the initial bootloader? As far as I know, in every modern implementation of secure boot that is done by that very bootloader, which is burned into the CPU/SoC. I can imagine someone implementing some sort of fixed-function block to do that, but see my sibling reply about that.
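The chain of trust described in this subthread (fused root key in ROM, bootloader verified by it, owner-enrolled keys, boot measurements feeding attestation) can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from any vendor or from the thread; it uses textbook RSA over fixed Mersenne primes as a stand-in for a real signature scheme, and the image contents, key values and "PCR" accumulation are all constructed for the example. It shows why the question above matters: the only thing that can verify the first bootloader is the immutable ROM holding a key hash, and what "enrolling your own keys" changes (boot succeeds) versus what it does not change (the measurement differs, which is what a remote attester compares).

```python
"""Toy model of a secure-boot chain of trust with measured boot (constructed
example). Textbook RSA over fixed Mersenne primes stands in for the real
signature scheme; nothing here is a real firmware design or any vendor's code."""
import hashlib
from dataclasses import dataclass

E = 65537

def make_key(p, q):
    """Textbook RSA keypair from two primes (toy: no padding, tiny modulus)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)

def digest_int(data):
    # 128-bit truncated SHA-256 so the message is always below the toy modulus
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def sign(priv, data):
    n, d = priv
    return pow(digest_int(data), d, n)

def verify(pub, data, sig):
    n, _ = pub
    return pow(sig, E, n) == digest_int(data)

def key_id(pub):
    """What a ROM actually stores in fuses: a hash of the root public key."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()

@dataclass
class Image:
    name: str
    code: bytes
    signer: tuple  # public key presented alongside the image
    sig: int

@dataclass
class BootRecord:
    booted: list
    pcr: bytes   # running measurement, as a TPM PCR would accumulate it
    ok: bool
    reason: str

def boot(trusted_key_ids, images):
    """ROM -> bootloader -> kernel. The immutable ROM holds only key hashes;
    every stage is checked against that anchor before control passes to it,
    and every stage is measured whether or not it is the vendor's."""
    pcr, booted = bytes(32), []
    for img in images:
        if key_id(img.signer) not in trusted_key_ids:
            return BootRecord(booted, pcr, False, f"{img.name}: signer not enrolled")
        if not verify(img.signer, img.code, img.sig):
            return BootRecord(booted, pcr, False, f"{img.name}: signature mismatch")
        pcr = hashlib.sha256(pcr + hashlib.sha256(img.code).digest()).digest()
        booted.append(img.name)
    return BootRecord(booted, pcr, True, "ok")

# Constructed keys: vendor (factory-fused) and device owner (enrolled later).
VENDOR_PUB, VENDOR_PRIV = make_key(2**61 - 1, 2**89 - 1)
OWNER_PUB, OWNER_PRIV = make_key(2**107 - 1, 2**127 - 1)
FUSED = {key_id(VENDOR_PUB)}

def signed(name, code, pub, priv):
    return Image(name, code, pub, sign(priv, code))

BOOTLOADER = b"vendor bootloader v1"       # constructed image contents
STOCK_KERNEL = b"vendor kernel 5.x"
CUSTOM_KERNEL = b"owner-built kernel"

def stock_boot():
    return boot(FUSED, [signed("bootloader", BOOTLOADER, VENDOR_PUB, VENDOR_PRIV),
                        signed("kernel", STOCK_KERNEL, VENDOR_PUB, VENDOR_PRIV)])

def custom_boot_locked():
    """Locked device: owner key never enrolled, so the owner's kernel is refused."""
    return boot(FUSED, [signed("bootloader", BOOTLOADER, VENDOR_PUB, VENDOR_PRIV),
                        signed("kernel", CUSTOM_KERNEL, OWNER_PUB, OWNER_PRIV)])

def custom_boot_enrolled():
    """Owner enrolls their key: boot succeeds, but the measurement differs,
    which is exactly what a remote attester compares against a vendor allow-list."""
    return boot(FUSED | {key_id(OWNER_PUB)},
                [signed("bootloader", BOOTLOADER, VENDOR_PUB, VENDOR_PRIV),
                 signed("kernel", CUSTOM_KERNEL, OWNER_PUB, OWNER_PRIV)])

def tampered_boot():
    """Image modified after signing: refused even though the signer is trusted."""
    img = signed("kernel", STOCK_KERNEL, VENDOR_PUB, VENDOR_PRIV)
    img.code = STOCK_KERNEL + b" (patched)"
    return boot(FUSED, [signed("bootloader", BOOTLOADER, VENDOR_PUB, VENDOR_PRIV), img])

if __name__ == "__main__":
    for fn in (stock_boot, custom_boot_locked, custom_boot_enrolled, tampered_boot):
        r = fn()
        print(f"{fn.__name__:22} ok={r.ok} reason={r.reason} pcr={r.pcr.hex()[:16]}")
```

Running it prints four boot outcomes. The two to compare are `custom_boot_locked` (refused at the kernel stage, the locked-bootloader case) and `custom_boot_enrolled` (boots, but with a PCR value that no vendor allow-list will contain), which is the gap between "you may install what you like" and "services will accept your device" that the rest of the thread is about.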
Also, governments are supposed to act in the interest of people.
> Our civilization desperately needs a method to modify modern microelectronics
Micro is now nano, not amenable to modification, and even if it was theoretically possible, hardware is a super-easy target for legislation.
> Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM
If you had the political means to enact such legislation, you could legislate much cleaner and easier ways to deal with the problem.
I find myself saying this a lot but I still can't quite figure out why people keep seeking technical solutions to political problems.
I mean, these things aren't comparable, in some limited cases the naive approach might help but insisting on it while neglecting political action is worse than doing nothing.
It's amazing that we're letting the Google Apple duopoly completely decide who can and cannot use completely unrelated services.
Imagine getting banned from Google services for anti-Google views and being unable to log into your bank account. We really should break up Alphabet.
When it first shipped out, Secure Boot was used to lock other OSes out on early devices, it was after pushback that it was implemented such that it allowed you to enroll your own keys.
That said, there are countless mobile devices with locked bootloaders and boot integrity attestation that will never run anything other than OEM OSes. That's equivalent to a locked Secure Boot + UKI-like system on PCs and it's already here.
> the period when secure boot was being developed for PCs.
You mean right now? At a firmware level, the scope of "trusted computing" is expanding with every passing year.
> close the ecosystem they created any more than Microsoft was allowed to.
We are in the process of allowing Microsoft to close the PC platform. TPM is required to run Windows now. Nearly every new PC ships with "secure boot" enabled, adding a new technical barrier to escaping Windows that didn't exist before. Remove that toggle from the BIOS, and you now effectively have a vehicle to Windows-only PCs.
All modern PCs ship with Pluton coprocessors. The end-to-end remote attestation hardware infrastructure is all already there, waiting for someone to flip a switch and turn it on.
I always say this when this topic comes up: remote attestation will be how our computing freedom dies. They've made it so that it doesn't even matter if they allow you to install whatever you want. Anything that isn't corporate owned is banned. Own your device? You "tampered" with it. You're banned. From everything. You're ostracized from digital society. You're not even a citizen, much less a second class citizen. Enroll your own keys? It doesn't matter. You're not trusted. You're a fraudster terrorist money launderer drug dealer pedophile.
While I am glad that people continue to struggle, that GrapheneOS continues to fight and speak out, these developments still fill me with a terrible sadness. The future is bleak. We inch ever closer to the complete destruction of everything the word "hacker" ever stood for. It's a deep loss.
While I agree, I think there's a better way to frame this with the public. We don't need to bring in pedo references. That looks very unhinged to most people.
There's already a lot of support out there, in both public opinion and the law, for the idea that if I pay for something physical like a device, I own it. Any substantial alteration in its functionality, especially a reduction in what it can do, requires my consent. Reduction in what it can do should require my consent. Just because tech made it possible for the manufacturer to brick my phone or my car, start charging me extra for certain features I already paid for, or block the apps the OS vendor doesn't approve of doesn't mean they should or that it's even legal to do so. Additionally once I buy the device the vendor has zero business telling me how I can modify it, or whether I can repair it.
I own the thing I bought, fucker. It's my property and I have property rights. The corp has no right to steal away part of the thing I bought or change the terms after the fact. It's potentially criminal if they try.
This framing resonates with a lot of people.
The guy who really exemplifies this positioning at the moment is Louis Rossmann and by focusing on these widely understood and popular concepts, he's gained the ability to direct an enormous amount of attention to an issue. He can absolutely swamp a legislature with letters from angry constituents, for example, when he gives an issue visibility.
Frame it as theft because it is. If they push an update without my consent that removes functionality or sabotages my ownership of the device, it's theft. At the very least product liability laws should apply. Some part of what I bought stops working, that goes to product liability. But I'd take it a step farther and say we're dealing with straight up theft.
The problem with the reasonable framing you suggest is that it gets thrown out of the window the moment someone utters Protect the Children®. I'm willing to bet that most people, including those with kids like myself, don't truly believe that surrendering our basic rights to better protect the children is a rational thing to do, but they would never dare to push their opinion publicly. The few that do get all but labeled as, you guessed it, fraudster terrorist money launderer drug dealer pedophiles.
It's the Emperor's New Clothes in real life but for morals. No amount of Rossmanning is going to help society walk back its collective hypocrisy.
I love how this is a problem caused by Big Tech (AI), with “solutions” brought by Big Tech (FAANG etc) and “countermeasures” will also be brought in by future billion-dollar industries (domestic-proxy provider BrightData is 1B already) while we will depend on existing Big Tech for “protection” (Cloudflare will remain a big player).
At this point the internet is exactly like the film Matrix, where humans are merely an implementation detail in the whole system.
"Secure" is great. But when you hear "safe", that means there is some corp in the shadows predating on you because <insert boogeyman>. They decide what safe means, not you. They will abuse you to no end while keeping you "safe".
That's why companies always remove the features that keep you "secure" and give you ones to keep you "safe".
> You're ostracized from digital society. You're not even a citizen, much less a second class citizen.
Before anyone downplays this concern as scaremongering and slippery slope fallacy stuff, keep in mind that countries are shifting their national ID card infrastructure to online services which are fundamentally designed around attestation. Moreover some classes of services such as banking are progressively increasing the requirements that your software and hardware need to meet to allow you to manage your own property.
Hardware attestation is like hardware DRM. It is intended to limit and restrict abundance. Abundance of clients (as a proxy for user attention) and abundance of copying, access and replay (as a proxy for "piracy"), resp.
It won't matter to the masses, it won't hamper "bad actors" because hackers will find flaws instantly.
The ability to circumvent these cryptographic attestations and pretend to be a "pristine" corporate owned device while in fact being free will be a key strategic capability in the future.
They will no doubt pour billions into improving the technology though. I'm not sure if such a capability can be maintained over the long term. We don't have the resources.
A fraudster, a terrorist, a money launderer, a drug dealer, a pedophile—these are actually a huge audience for whom the IT industry can release separate versions of the operating system and hardware. And that audience will pay for it. For the vast majority of ordinary people who consume IT benefits for free (being a commodity themselves), it makes sense to use controlled products.
I think it's quite telling that this comment was written in Brazil. The so-called Third World is the future source of freedom (or Western countries that become third world perhaps). It may not be a bad idea now to start building open compute and banking alternative ecosystems based in those countries, marketed at Western citizens.
> Own your device? You "tampered" with it. You're banned. From everything.
Don't worry officer, my device is completely clean. Here you go check it. Why yes, I absolutely only ever use it for banking and updating linkedin on a suspiciously empty gmail, and keep it on silent 100% of the time. What's so odd about that? What? No, I just re-read a lot of books, that's my hobby, I read Catcher In The Rye 20 times a month.
...
It's about time people realize the concept of a real phone and a civilian phone as one and the same is dead.
In fact.
You don't need a "real" phone. Just the civilian one.
I use what's basically a portable retroconsole for entertainment. Including reading, incidentally. From its perspective, it is just a computer. Let's make it a competition, puny phones versus portable computing. Name me one thing you think it can't do; in return, I'll fire two YOUR phone can't right now, back at you. I'll forward two: It can run tmux and has a copyparty toggle for portable file storage on it. Yes, you can do both on the phone. But yours can't right now, and you will suffer trying to get it, while on mine, it was 2 command lines and one config file each.
For once, we may be "saved" thanks to Trump. Because of the brutal change in geopolitics he triggered, the EU is now actively looking at all the hard dependencies on US controlled systems. Android and iOS are two of them.
I cannot tell if the alternative solution will be better, but I do think we will develop alternatives.
The EU is only making these statements until the US has a new president (with the same ideas of Trump, as has always been the case, but saying nice things in public).
Also, in the meantime, their announced "sovereign solutions for the European citizen" look ridiculous: now you'll be free from Visa and Mastercard for your payments but at the same time you'll need a phone approved by either Apple or Google.
Do you consider being banned in a video game because of hacking to be an example of something killing computing freedom?
The user still maintains all the freedom of doing whatever computing they want on their own machine, but if they want to play with others who don't want to play with cheaters then they have to use the official client.
For people who want a high degree of freedom and to be able to access as many digital services as possible, I foresee such people using a hypervisor that runs both a provably secure OS and another OS that is as free as they want.
How about being banned from online banking, government services and all social networking / communication platforms? Because that's the road we're already heading down.
What makes you think they will give us this magical hypervisor capability? It's more effort, increases the chances someone finds a bypass and takes power away from the incumbent online platforms. It's so much easier to just prevent it all. The only reason it hasn't happened yet is the amount of devices without this ability in circulation. But that number is shrinking rapidly.
Gaming and such are dedicated services. Fine if people agree to pay premium to have the required platform / console / etc.
General services such as communications / banking must be free, and must not require trusted hardware on the end point. The services must be designed to be secure even in the case of compromised end points. But that's against the current trend where all banks are trying to push all the responsibility on the end user because they want to reduce their costs. There are plenty of solutions but they don't go for it because it's not in their interest and they want to squeeze out any little penny of infrastructure cost.
> Do you consider being banned in a video game because of hacking to be an example of something killing computing freedom?
No. It's the constant attempts to invade our computers and "prevent" the unwanted behavior that are problematic. See kernel level anticheat nonsense. They want to own our computers.
> if they want to play with others who don't want to play with cheaters then they have to use the official client
They should be able to play with whatever client they want. It's their computer, it should run whatever software they want.
We had fun in online games without kernel level nonsense. Why do I need to compromise my hardware when the problem is an outlier in the social graph? Anticheat is part an arms race and part just raising the bar so people can't cheat too easily.
That said, you can feed a video feed into a Kria K26 or even a Pi or Jetson and make automatic targeting completely transparent to the kernel. Then what? Hardware attestation in peripherals?
How do old boomershooter communities tackle cheaters? When and why do methods that work on a social graph fail or necessitate anticheat?
I agree on the hypervisor part. Putting different applications in microvms would be good for isolation.
With all of the discourse around hardware attestation, digital ID, and age verification in recent weeks/months, is there actually any good solution to the problems these existing tools (Privacy Pass, WEI, Fraud Defense, uploading IDs) claim to solve? Are there open and privacy-preserving standards that can solve the problem of bots and minors? If not, what would be required to establish one, and is it realistic?
Businesses will do what businesses will do, but it seems to me having something to point to and saying "do this instead" is more effective than "this sucks and isn't even about security, don't do this at all" even though it's true.
What even is the problem? I keep my kids' computers in the living room where it's easy to see what they are doing. Their LAN shuts down at night when I'm asleep. They don't get full control of their own cell phone until they are around 16 years old. Bots on social media discourage me from using it, which is a Good Thing if you ask me.
The problem is that companies have a legitimate reason to want to block AI agents and verify the users are actually real. And it's incredibly difficult to do that when the old methods of clicking on squares or reading blurry words don't work anymore.
Solving proof of humanity is very difficult without tying it to some kind of difficult to replicate or automate ID.
There is a good solution to these problems. Exhaustive punishments and forcefully ceasing operations for repeat offenses.
China has all the tech giants jumping through whatever hoops they want by banning them by default and only allowing whichever ones they want to operate after they meet their strict policies and ad hoc decisions.
Now that the US has decided the EU is a rival, the EU should do the same.
Thank you for offering this take -- it is the only forward looking one.
The anonymous internet is going away -- it is too supportive of crime and various kinds of gray area misconduct, and governments and large corporations were eventually going to do something about that.
Such a degree of anonymity is desirable, but it is not a requirement for a free society. What were things like before the internet? You couldn't anonymously browse billions of pages of information in 1960.
> Are there open and privacy-preserving standards that can solve the problem of bots and minors? If not, what would be required to establish one, and is it realistic?
Ideally there shouldn't be standards for this. What we have already is enough.
Companies claiming they are closing down their services/devices to protect the users is total BS. Facebook has admitted they get 10% of their ad revenue from scams, and that's the reason they won't go after scammers on their platforms.
Same can be said for Google. They could come up with numerous ways to block bots or make captchas harder for actual bots (while also not flagging every non-Chrome user as a potential bot, like they do nowadays), but they pretend this is an unsolvable problem that requires a nuclear solution; it used to be Web DRM but now it's called Fraud Defense.
I disagree. Bots have always been an issue, but now every form of CAPTCHA that can be solved by a human can also be solved by a multi-modal language model. Bots are slowly taking over in forums where they previously would have been immediately spotted and banned.
If the only argument you can make every time someone proposes an onerous, privacy-destroying solution to this problem is deny the problem exists, you're going to lose.
GP is correct, we need an alternative we can point to.
The people pushing for age verification have already said that they want to know who's behind every account on every website on the entire Internet. They won't accept any open or privacy-preserving standard.
Partially apropos... There's a Heinlein quote that goes "When a place gets crowded enough to require ID's, social collapse is not far away. It is time to go elsewhere."
Which I think in this case may mean that I'm hoping an Apple or Google exclusive id system couldn't be ubiquitous enough to be required. But forethought doesn't seem to be modern man's strong suit.
The thread is a bit vague. Am I understanding correctly that GrapheneOS Foundation's objection isn't to attestation per se, but that they can't participate in Google-controlled attestation APIs? In other words, although GrapheneOS can be cryptographically attested, apps using Google Play Integrity won’t accept it because it isn't Google-certified/GMS-licensed?
My impression is that they are against remote attestation in apps/websites in general and if apps really want to do it, they should do it using the attestation API that AOSP already provides. The attestation API in AOSP allows companies to trust signing key fingerprints (such as those of GrapheneOS), which means that the attestation system is not controlled by a single company (Google).
The most damning part about Google Play Integrity is that, as the thread states, Google lets devices pass that are full of known security holes, whereas they do not allow what is very likely to be the most secure mobile OS. This shows that they only use it as a method to shut out competitors and to control Android device manufacturers to pre-install Google software like Chrome (otherwise their devices do not get certified and won't pass Play Integrity).
IANAL, but anti-competition lawyers/bodies should have a field day with this, but nobody seems to care. Worse, the EU, despite their talk of sovereignty, adds Play Integrity-based checks to their own age verification reference app.
I recommend every EU citizen, also if you do not use GrapheneOS, to file a DMA complaint about this anti-competitive behavior:
> The attestation API in AOSP allows companies to trust signing key fingerprints (such as those of GrapheneOS), which means that the attestation system is not controlled by a single company (Google).
I wonder if this would exclude rooted OSes, non-relocked bootloaders and things like that? Sorry for stupid question, still not quite understanding how this works.
What I took away from the thread is that they're against services forcing attestation in general, and also pointing out that Play Integrity isn't about security, but rather about control, because Google could trivially make it work with GrapheneOS (which is more secure than any other Android OS on the market) but they won't.
> …Google could trivially make it work with GrapheneOS (which is more secure than any other Android OS on the market) but they won't.
But if Google did support third-party attestation, would the GrapheneOS Foundation be happy? Most of the thread seems to be a call for attestation to die, which feels impractical and unachievable. But "Google could use it to permit GrapheneOS for Play Integrity if that was actually about security" seems to be the real ask, and that seems reasonable and achievable. If that's true, I think it would’ve been more effective to lead with that and focus on it.
It is not only about Google. It's also about the app developers.
Nothing prevents them from using the non-Google attestation, however they decide not to use it (for many reasons).
The first time you actually notice this is when you install GrapheneOS (attestation OK and bootloader locked) and some apps complain about a modified/rooted/... device.
Another thing is, that you are warned by your Google device while booting that something is "not OK".
It's a different thing if banking/government apps require a device certified for security, and a different thing if this certification certifies that the user's device has Google spyware preinstalled with elevated privileges.
Google doesn't certify devices based on security, so that kind of attestation should have no place in banking/government apps, otherwise it just enforces the duopoly.
It's hard to listen to arguments when everything is so hyperbolic. The stated rationale for attestation for captcha is to ensure there is a human on the other end and not a bot. This requires a system which is not capable of automated input. The other use case is for ensuring that an application is running on a system which protects the app from being tampered with (by the user, malware, or otherwise). While that seems to run counter to the preferences of the hn userbase, it is a legitimate desire from an application developer.
Neither of these situations are related to any so-called spyware. The fact that Google is involved here had to do with the fact that they are a trusted party for folks to rely on to ensure the desired properties are being met, nothing more. In theory it should be possible for other parties to provide similar attestation, but that party needs to be deeply involved in the OS and boot chain. Apple is obviously capable and is equally trusted. Graphene probably provides the necessary properties but lacks a good way to attest due to the reliance on Google specific attestation APIs. That could be remedied. Otherwise Graphene would need to create their own APIs and applications would need to use them, which would be a harder sell. In both cases the party asking for the attestation needs to decide to trust Graphene, which is still a barrier, but that's an easier way forward. Alternatively, Google could trust Graphene and everyone who already trusts Google would inherit such trust.
It's impossible to say. But as a reminder from Cory's first talk on enshittification... When Google and Facebook were small, they would argue for open protocols and competition. Facebook would reverse engineer MySpace's protocols to allow people to migrate away. Once FAANG became dominant, they went the opposite direction to build monopolistic practices.
GrapheneOS is still small and appears honest. Despite them being in the right in this fight and them deserving our support... We gotta keep them honest in the long run!
I don't think there's any way to tell if a small company will keep their values if they succeed in getting enough market share.
There was a thread a while back where they were VERY angry at someone trying to set up their own attestation project database (essentially a list of known Android builds and their signatures).
They want apps to add their signing hashes manually just for them and don't want to join projects that would aggregate and act as a database or certificate authority.
You mean Universal Attestation, which is from a vendor cartel, of which most of the individual vendors are typically waaaaay behind security updates, etc.
1) Only law can fix this. Anybody (looking at you ancaps) telling you "if you don't like it, start a competitor" doesn't understand how the economy and network effects work.
2) The general population is a combination of not caring and not even being smart enough to be able to understand. If everyone votes on everything (like most "democracies" where you vote for parties), bigger issues like healthcare, abortions, LGBT will dominate and everything else is noise.
3) People who don't know what public-private crypto or zero-knowledge proofs are shouldn't be allowed to vote on issues where these are relevant factors.
4) We need to fix voting so people can vote on only the stuff they care about and only the stuff they are actually informed about. This works in small teams of highly competent people - at work or in FOSS - and only when they have the same goals. Politics is by nature adversarial and I don't know how to fix this.
Is it possible to dual-boot on android? It sounds defeatist but I no longer believe it’s possible to change course - the increasingly authoritarian governments, google and most moneyed interests are all on the same side, so it’s just a matter of when.
Being on the palantir-approved google ranch for the few Apps You Need + graphene (or some other alt OS) for everything else would be quite inconvenient, but still better than carrying two phones, which nobody wants to do.
Dual booting would sacrifice a lot of the hardware-based security feature integration and would be much further from passing attestation checks. GrapheneOS fully supports hardware-based attestation but Google doesn't permit it in the Play Integrity API. Directly booting the fully unmodified stock OS is required to pass the hardware attestation checks for the stock OS. GrapheneOS appears as GrapheneOS in the attestation metadata and a dual boot setup would appear as that specific dual boot setup. Since it would have a bunch of security sacrificed for it, it would be far harder to convince services to permit that. It would be counterproductive.
GrapheneOS has near perfect app compatibility other than the Play Integrity API banning it from the overall tiny number of apps using it. It has per-app compatibility toggles for privacy and security features which trip other anti-tampering checks, find memory corruption bugs in apps, etc. There are a couple known compatibility issues from anti-tampering checks from the secure spawning feature but it has a toggle.
The stock OS isn't what's needed but rather directly booting it from the firmware with 0 modifications. Dual booting would require booting something else and major modifications to deal with hardware APIs not designed for multiple operating systems using them at the same time. Secure element / TEE APIs including the hardware keystore and attestation, etc. are not designed for dual boot. A/B updates, verified boot, firmware updates, etc. would need to be dealt with by the bootloader system. It would be complex and messy. The end result would not be a hardened device or one compatible with standard attestation checks.
GrapheneOS said that's not possible, but I'd actually want to see some expanded explanation.
TEE attests that the OS is booted with a given AVB key, OS version and the bootloader unlock state.
But I know that vbmeta is per-slot, so I guess the whole chain is. I also read that if you flash "custom_avb_key", the original AVB key is also permitted.
Could this mean we could theoretically dual-boot while being able to flash the OS manually using fastbootd?
Credential Encrypted userdata would be inaccessible though; I'm not sure if the second OS could mount that partition at all.
But I'd like someone more competent to address all this.
Dual booting would be much further from passing attestation checks and would be incompatible with a bunch of the hardware-based security features. The boot slots are needed for A/B updates and include the firmware partitions. They're not useful for this and don't provide useful functionality for it. It would be entirely possible to build a bootloader for loading multiple different operating systems but it would be a hacked together mess without proper firmware updates or security. It would require heavily modifying both GrapheneOS and the stock OS to fit them into it. It would require losing a lot of the hardware-based security integration. What would be the point? The end result would be much further from passing attestation checks than GrapheneOS. GrapheneOS has near perfect app compatibility with the exception of the Play Integrity API. Other anti-tampering checks are largely compatible with GrapheneOS with the exception of tripping from certain hardening features which is increasingly being resolved with workarounds and there are toggles to avoid it already.
i cannot speak to the current situation, but years and years ago, it was a thing. i had a crappy motorola razr smartphone in like 2012 that i set up dualboot on, and i think i also had dualboot on my google nexus 5, though i could be mistaken about that. it was a thing though.
Well, authoritarian governments don't like to be at the mercy of another country. So even for authoritarian governments it would make a lot of sense to allow open source alternatives like GrapheneOS instead of depending entirely on US monopolies.
Banking apps are the deal-breaker for me. I only do business with banks that offer alternative ways of securing transactions e.g. eTan / ChipTAN / PhotoTAN with a separate reader / generator (see https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbr...). This is probably a pretty European thing to do, but at least it avoids being locked in and being tracked.
I'm happy that my bank (still) allows me to have both a stand-alone reader and a mobile app to authenticate. Because if you lose your authentication device, a lot of things suddenly get a lot harder.
I also tried to use an old phone as a backup device. However, most authentication apps only allow it to be installed on a single device.
I did that too (in Austria) for a long time. Fortunately my bank (Erste Bank / Sparkasse) fully (almost fully, no NFC pay, since it depends on GPay) supports GrapheneOS now.
It is definitely a monopoly enabler. But also a threat to speech. You can only participate online if you have attested hardware. And that hardware will be tied back to you. It’s another threat to privacy like age verification laws.
It's so obvious to me states need to create a soul bound identity system, replace social security numbers with it, and then let everyone else use cryptography on top of that (which is now cheap when you don't care about sybil attacks) to do private stuff.
The places you actually need an ID are so rare, I don't think it's worth it to build such a system (and no, porn or social network definitely aren't valid use cases).
First I'll say the government already has an ID system with a backdoor they mandate you use (your federal social security ID and state ID). The backdoor isn't very interesting because anyone with your ID in hand also has it.
So how about this:
1. State assigns citizens an ID at birth
2. State allows citizens to submit a public key along with their ID at any time
3. Citizens can go to their bank / private social network / whatever and say "this is my public key, you can use it to sign messages to me, and you can verify someone a) alive and b) a citizen of $state is reading it (from here you can bootstrap whatever protocol you want)"
4. The state<>citizen network established in (2) is constantly under attack, as stealing someone's private key is valuable, so you also need a legal and technical framework to defend it
The protocol for submitting private keys and defending it from attack is a much longer post, I'm convinced there are ways to do it that drastically favor defense over offense, but that's not the point here.
Our question is: can a government force its way into the protocol you bootstrapped on top?
How would they?
1. They could reset your public key to one they control the secret to, and then impersonate you digitally to break into your bank or social network. However I don't think they could do this secretly (the key update would necessarily be publicly visible), so it's not really a back door. They can already do this with a search warrant. And if you're paranoid you can bootstrap your secondary cryptographic networks with multiple factors. So, this is on net more secure for you.
2. They could try to recover your secret key by force or warrant - but again not a back door.
I think the real concern isn't backdooring, it's blacklisting: if this system becomes the L1 for every L2 cryptographic interaction, they can practically remove your ability to freely transact. But that's a political problem you address with political means. I'm convinced from a technical perspective this is more secure and far cheaper for everyone.
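A toy of the registration and challenge flow sketched in steps 1-4 and point 1 above, written as an added Go example that is not the commenter's own code: a hypothetical state registry is an append-only public log of ID-to-key bindings, a service authenticates a citizen with a service-bound challenge, and a state-forced key reset still verifies but is flagged by any service that pinned the earlier key and is visible in the log. Ed25519, the challenge format and all IDs and service names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Entry is one append-only record in the hypothetical state registry.
type Entry struct {
	ID     string
	PubKey ed25519.PublicKey
	Reason string // "enrol", "citizen-rotate" or "state-reset"
}

// Registry is the public log: nothing is overwritten, so a forced reset
// by the state is visible to every relying party that reads it.
type Registry struct{ log []Entry }

func (r *Registry) Update(id string, pk ed25519.PublicKey, reason string) {
	r.log = append(r.log, Entry{ID: id, PubKey: pk, Reason: reason})
}

// Current returns the key currently bound to id, or nil if unknown.
func (r *Registry) Current(id string) ed25519.PublicKey {
	for i := len(r.log) - 1; i >= 0; i-- {
		if r.log[i].ID == id {
			return r.log[i].PubKey
		}
	}
	return nil
}

// Enrol generates a citizen key pair and binds the public half to id.
func Enrol(r *Registry, id string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	r.Update(id, pub, "enrol")
	return priv, nil
}

// Challenge is issued by a service. Binding the service name into the
// signed bytes stops a response to one service being replayed to another.
type Challenge struct {
	Service string
	Nonce   [32]byte
}

func NewChallenge(service string) (Challenge, error) {
	c := Challenge{Service: service}
	_, err := rand.Read(c.Nonce[:])
	return c, err
}

func challengeDigest(c Challenge) []byte {
	h := sha256.New()
	h.Write([]byte("citizen-auth-v0|" + c.Service + "|"))
	h.Write(c.Nonce[:])
	return h.Sum(nil)
}

// Respond is the citizen side: sign the challenge with the private key.
func Respond(priv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(priv, challengeDigest(c))
}

// Verify is the service side: check the signature against the key the
// state currently lists for id. If the service pinned a key earlier,
// keyChanged reports that the registry now shows a different one.
func Verify(r *Registry, id string, c Challenge, sig []byte, pinned ed25519.PublicKey) (ok, keyChanged bool) {
	pk := r.Current(id)
	if pk == nil || !ed25519.Verify(pk, challengeDigest(c), sig) {
		return false, false
	}
	return true, pinned != nil && !pk.Equal(pinned)
}

func main() {
	var reg Registry
	alicePriv, _ := Enrol(&reg, "ID-0001") // constructed sample citizen ID
	pinned := reg.Current("ID-0001")        // the bank pins Alice's key at onboarding

	c, _ := NewChallenge("bank.example")
	ok, changed := Verify(&reg, "ID-0001", c, Respond(alicePriv, c), pinned)
	fmt.Println("citizen login ok:", ok, "key changed:", changed)

	// The state resets the binding to a key it controls; the log records it.
	statePub, statePriv, _ := ed25519.GenerateKey(rand.Reader)
	reg.Update("ID-0001", statePub, "state-reset")
	c2, _ := NewChallenge("bank.example")
	ok, changed = Verify(&reg, "ID-0001", c2, Respond(statePriv, c2), pinned)
	fmt.Println("reset-key login ok:", ok, "key changed:", changed)
	for _, e := range reg.log {
		fmt.Println("  public log:", e.ID, e.Reason)
	}
}
```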
My driver's license should have some anti-tamper identity proof that can do a challenge response. Or let me go pay a few bucks for an identity proof at the post office.
There must be a dozen other ways smarter people can think of but identity verification kills profits so the smart people don't work on them IMO. It's more profitable for social media to be an astroturfed shithole. It's more profitable to remove control of your PC.
End users should be authenticated so you can prove you're selling real eyeballs in the demographic mix you claimed to marketers and to provide lip service for the 'think of the children' regulators.
But anyone who's paying for ads should have as little friction as possible to dropping money and spewing garbage.
I'm surprised nobody is looking at some sort of "corporations are people" angle here-- we've attested the device ownership, but it's owned by the Lorem Ipsum Corporation, which is a legal/demographic dead end and spawned just long enough to buy the device.
Yeah, agents are making self sovereign identity so much more relevant. We have all the technology. But identity is the main driver of the monopolies, they won't give it up unless forced to, maybe not even then.
We also need liability. Every time someone’s data is lost, the company losing it must be held accountable. They owe us huge amounts of money, and executives + board members should be jailed. No free pass.
Let’s see then if they really want to collect all our information all the time. Right now, they take it and handle it irresponsibly because they’re free from consequences.
The dependency tree for anything in the software world is so large that liability like you describe is not feasible. Tomorrow Anthropic's latest model will find an RCE in SYNs being sent to a server? Who is "liable" when you lose your Google account, your bank account, access to your car and all ways to prove to the government you are who you are, all at the same time?
You just need to deploy auditable (source-available, reproducible-build, firmware checksums LCD on-chip) biometrics booths that generate private keys from normalized biometric inputs, and then use those ephemeral private keys to generate and sign portable identity keys. Most people have fingerprints and retina patterns and that’s twelve signatures on an identity alone, allowing for continuity across severe biometrics events like regrown fingertips etc.
A nonprofit business could do this if backed by all existing dotcom and bitcoin billionaires. But they’d all want to profit from it, so either non-profit (NGO) or governmental it is.
Fun fact: this is already a core function of USPS. They serve as an identity verification hub for both US passports and their informed delivery and PO box services. They just have a human-dependent process rather than an identity-generator booth. So they’d be perfectly positioned to take your ID, hand you an attestation request QR code, and get your identity-signatures on it — without being able to reverse-engineer your biometrics from those signatures, but still being able to detect gross variances when someone else tries to lie about being you in a future verification.
Anyways, none of this will likely ever happen, but the rich tech folks could make it happen at any time if they cared to. Instead we get THE ORB which is doing retinas as a for-profit without auditable artifacts or hardware. Sigh.
I think you can do it without any biometrics at all, although using it as a second factor could make it smoother.
I'd propose the primary factor is social - when a child is born there is a recorded attestation from the family and care providers about the minting of a new soul. When keys are compromised you similarly seek attestations from your social network (or social worker) that you need to furnish a new key.
The network could be attacked by literal force, blackmail, or deception, but it's very expensive compared to the defense (strong legal punishment for attempts to subvert the network).
That last part is why I think the state has to do it, not technologists. There has to be a strong legal and cultural immune system in place to defend the network.
>biometrics booths that generate private keys from normalized biometric inputs
Isn't this basically worldcoin? Aside from the fact that worldcoin is run by people I wouldn't trust to watch my cats for an afternoon, the core principle with well thought out ZK crypto could work well.
I've defended app attestation against baseless criticism, but this is a valid take.
The only nuance I would make is that hardware attestation as a technology isn't inherently anti-competitive but rather the way these companies implement it.
I would love to see a non-profit attestation service that publishes a list of allowed OSes and roots that are deemed secure based on reality.
We will be truly screwed when internet providers will only allow attested hardware to access the internet. Doesn't even seem like an outrageous outcome anymore.
Taken a step further, we could be heading for a world where if you don't run the Dictator's approved device including all of its spyware, you're locked out of everything.
I'm sure this will happen in non-free countries quickly if Hardware Attestation becomes commonplace to access basic services.
It's the 3rd or 4th thread like this on the front page and it's still not clear to me what the alternatives are that privacy advocates vouch for. Dead internet theory is happening, you have botnets with more budget than most of the third world countries and you could also add openclaw usage to the same bucket. There's a real need for a protocol or specification for how to attest that an action was really done by a human and that the human can be proven to be the one the service provider thinks they are. I don't think cryptography by itself would solve that right now.
> Dead internet theory is happening, you have botnets with more budget than most of the third world countries and you could also add openclaw usage to same bucket.
So what's the actual issue here? That on HN and Reddit and Instagram and X there'll be a lot of bots? As if they haven't been overrun by human astroturfers/etc for ages. Even ignoring that, what's the biggest issue you see with that, and why is it so big that it's fine to just enable a monopoly?
Your presumption that there has to be an alternative is flawed. Maybe there is none. You're saying there's a real need, great. There's also a real need for sexual assault to be completely eliminated worldwide. I think everyone would agree that that need is far bigger than bots on social networks. Doesn't mean we should just jail everyone just in case.
You're manufacturing a need here as so important that by definition the ends justify the means. They don't.
The linked article only seems to cover Google and Android devices. Microsoft also have their take on this.
> "Microsoft Pluton security processor is a chip-to-cloud security technology built with Zero Trust principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services."
The board members will be lobbied, wined and dined by billion or even trillion dollar companies. If politicians can be bought then so can non-profits.
Having said that, there may well be room for a niche reCAPTCHA-like service run by a non-profit. Perhaps one that uses a non-profit social graph or something.
It's so great to see people boosting "security" in a way that also just happens to require locking in to big-tech approved apps that send all your data to big-tech so that they can deliver ads to you via your big-tech approved device using your big-tech approved OS running your big-tech approved browser showing your big-tech approved video platform with your big-tech approved content (oh, and also sends your data to your big-tech approved government).
What freedoms do we value? Freedom of speech, freedom of compute, freedom to own assets, to sell our work or give it away, bodily autonomy, freedom to travel, to read, to learn?
Amid the massive hype of the Web3 Crypto era, there was a kernel of useful innovation: that you can choose to have unique digital copies of things, and thus you can have a way of sending value that bypasses the middlemen, be they local thugs, bent politicians, violent regimes, benevolent dictators, or the dominant hegemony.
Having central big-Corp approve your content or sign your executable or take a vig on your sales, or license your hardware - these may be common, but are not a universal law of nature.
The internet itself is our best example of the value of technology open for all to use.
Frankly, that is in danger.
Whether it is bogus age-checks in your OS, a hidden bios OS, or the move away from owning your own compute [ because the GPU / CPU and RAM are priced so high you have to rent them ], consumers need to pool resources and ensure open access.
Kudos to France for mandating a Linux OS for their public service workforce.
Good on the Europeans for doubling down on renewables to insulate themselves from petrodollar volatility, and making sure portable devices have replaceable batteries.
Cory Doctorow has some great rants on enshizzification.
Gary's Economics YT channel has some great rants on why high inequality steals resources; see also Piketty.
The technocrats on this forum have an understanding of these measures the common person may not, and thus a moral obligation to weigh in on the issues and warn 'genpop'.
What I've failed to understand in this whole Google reCAPTCHA discussion so far: How is this even going to prevent bot usage and increase security? What's going to stop a bot farm in SE Asia from running a fleet of Android devices?
It will certainly make some bot farms unprofitable: Remember that they are now paying for a screen, a battery, a 5G radio, software licenses, branding, distribution and customer support for which they have no use.
Also consider this: While bot farms may be able to buy millions of Android devices, they will certainly attract a lot of scrutiny as they approach the billion mark. So bot farms will never own more Android devices than humans.
> Remember that they are now paying for a screen, a battery, a 5G radio, software licenses, branding, distribution and customer support for which they have no use.
If you have the $$$, which the big guys certainly do, they'll just buy the bare attestation bits and figure out how to use them directly.
Seems to me like Microsoft might be opposed to this duopoly and have pockets deep enough to fight it, right? For one, this would make their possible re-entry into the mobile space harder and more costly but I guess it'll inevitably become a standard that other providers could fulfill.
Right. I know full well they're not philosophically opposed. However, this current duopoly does exclude them and increases their burden if they should ever want to re-enter this market.
I'm surprised there aren't more HNWs supporting GrapheneOS. Seems like the Venn diagram of rich people and techies who care about this would have quite some overlap, and Graphene, despite its many faults, is doing a lot of groundwork in this space.
Not even the first time Google has protected its Android monopoly by (ab)using hardware attestation in its other products. The Waymo app also enforces strict integrity checking and has therefore been broken on stock GrapheneOS for months.
The best workaround for now (as the solution is always to change these regulations, not the technical workarounds) is to have a secondary, smaller phone that has the SIM card, Google botnet services, etc., and use that for any verification needed or login to banks or whatever, and keep this device turned off in your house so they don't track you too, and use it where needed. That while also pressuring web services not to use reCAPTCHAs and similar invasive services.
How sad that I spent a thousand dollars to buy the phone but can't own it at all. Hardware attestation is like having a CCTV in my device, reporting everything to the company. If I want to use a safer OS, then I will be excluded by the digital society cuz most apps don't support it...
Being able to cut out abuse from things like cheaters is too useful a tool for developers to give up. The big problem here, as mentioned in the thread, is that the list of approved hardware is not based on maintaining the security of the attested application but upon Play services licensing.
> Google's reCAPTCHA is planning an approach where they use Privacy Pass on Apple hardware, their own approach on Google Mobile Services Android devices and a QR code scanning system to require an iOS or Google certified Android device for Windows and other systems
I wonder if we'll get something similar happening with cloudflare
There are a number of technological / legal hybrid policies developing that come at the very jugular vein of computing freedom - the notion of a “general purpose” computer itself. OS level identity / age verification, hardware attestation, walled garden app signature requirements. All evincing the same aim.
Check if there are local digital rights groups in your country/area. I just joined two I didn't even know about.
Meeting up and talking with likeminded people is a great way to get motivation for bigger change.
I agree hw attestation is net negative when forced upon end users. OTOH, when service providers use it, it results in transparency to end users [1] so it's really about how it is used.
Ironically, the other top article on HN right now is CVE-2024-YIKES.
You can't have the cake and eat it too. Maybe we need to close some doors, especially if the barrier for publication is literally just a couple of prompts and uploading the result to a distributor like npm or the Play Store.
One of our Founding Fathers said it best (I know the original context was different, but it fits so well with the current theme): "Those who give up freedom for security deserve neither."
I think you are conflating free speech with right to a platform and distribution. Which isn't quite a right, or at least not as constitutional, the former is about not obstructing speech, the latter is about positively enabling it.
One of the key aspects of distribution is cost. You can pay for a domain, which is $15/yr, and a host (which can be as cheap), and distribute your software that way. Since when did we agree that randoms have the right to publish software, and vanish? (And why are 'we' using such code in production with a straight face?) The internet founding fathers wisely designed domain names, DNS, ICANN, HTTP, TCP, IP, NICs. NPM is not in that echelon; NPM is gratis, not freedom.
Also, freedom is, unless you are a libertarian, a patriot or a nation, a historical concept: not irrelevant, but definitely a concept that was born out of a different time (slavery, secession) in its modern American sense; it's most definitely not gratis-adjacent.
To reference a specific American freedom: in order to have access to justice, you have to pay court fees and an attorney. There are mechanisms in place to waive those fees or have a public defender, but not even America's modern freedom developed a secondary system which pretended to have no cost, and if it did (private lateral arbitration).
I guess private entities have the right to offer public services by proxy, like with subdomains, github pages, vercel, npm packages. But I wouldn't call that freedom, in essence, the cake you can't have and eat in this case is Freedom and Gratis. You either pay the minimum costs established by the public system, or use a gratis non-free system to distribute your 'speech'.
And we the users, have the right to ignore the gratis spam and demand some sort of PoW for messages.
Not to rain on the parade, but doesn't GrapheneOS only work on Google Pixel devices? I mean, that's still in the Google jail on a physical level, even if they swap out the software.
GrapheneOS has full support for 10th generation Pixels. It was much harder to add initial support for them than past generation Pixels but it isn't harder to maintain now that they're supported.
There should be multiple 2027 Motorola flagships meeting all the requirements for GrapheneOS. They'll be providing official support for it and they're already working on porting GrapheneOS to their devices.
> Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.
Even the "beloved" EU government is in on it, as are the banking apps that are pushing for this too. They do not care about you, and the so-called "Open Web" is already dead on arrival.
By "they" you mean FAANG and the FTC, right? Telling the EU to respect the Open Web does nothing to protect users if you continue to approve the export of attested hardware. America is deliberately abetting authoritarian schemes.
You might need to read the sentence again, since I was quite clear who I was talking about:
"EU government"
"banking apps"
...and everyone else who benefits from pushing "digital payments, ID, age verification, etc." that will use "Apple's App Attest and Google's Play Integrity" APIs.
> Google defines certification requirements for Android which includes forcing bundling Google Chrome, etc.
Isn't this a textbook case of an antitrust lawsuit? Y'know, with the whole ordeal with Windows/IE, I assume the court would find this as blatantly anticompetitive behavior.
Heh, makes me laugh. Just recently I was trying to get Play Protect 'certification' in a virtual machine; it took a bit of haggling and legitimately obtained Samsung software to bypass it (and a 3-day gpt-5.5 /loop).
Google has proven time and time again that they don't want to make this technology foolproof and I severely doubt this will be any different.
Although I do agree that hardware attestation as a captcha is pure bullshit no matter the context.
> It doesn't provide a useful security feature, but it does lock out competition very well.
This seems to presuppose that service providers using reCAPTCHA are either clueless idiots or actively expending resources and lowering their conversion rates to support the supposed Google/Apple duopoly. That does not strike me as a plausible claim.
Asymmetric cryptography and its consequences have been a disaster for the human race. I'm not even joking: all of the centralization of power and the rise of totalitarianism that tech is driving is downstream from asymmetric cryptography.
It's not asymmetric cryptography itself. It's the fact that it takes enormous resources to manufacture modern SoCs, such that the economy only makes sense if you're churning them out by the millions at least. It's also the fact that they can't be modified after they've been manufactured.
It's basically those people who can manufacture chips having technological supremacy over the rest of humanity.
My introduction to asymmetric cryptography had to do with protecting myself from the authorities while buying drugs on the internet.
One of its first applications anywhere was protecting anti-nuclear protestors from government provocateurs.
We could prevent so much fraud if we could only convince the credit card companies to start using it (instead of printing a symmetric secret on the outside of the card).
It's predominantly a force for good. If anything, it's a bit anarchical.
What you're noticing is not the leading edge of a set of harms brought about by asymmetric cryptography, but rather the late stage of adoption where the bad guys realize that their enemy's sword has had two edges all this time. Every technology that mediates an adversarial relationship goes through this eventually.
With the printing press came temporary freedom followed by intellectual property. So too with radios and the FCC. So too with social media. It's useless to blame the technology. Blame the people.
My point is that as far as I understand (not a cryptography expert) once you have the mathematical concept of asymmetric cryptography you also have the mathematical concept of a certificate, so you can't have one without the other.
Exactly. The weapon is available to all, but only parasites like FAANG can afford to hire the best brains who know how to wield it. As Apple uses it to take a 30% cut of everything on their device, the “democratized” PGP features in mom’s mail client gather dust.
FFS, cryptography is not the problem. How many times will we have to shut down that particular stupidity? Asymmetric cryptography is a cornerstone of basically all online secure communications, and has been since before Google and Apple were even founded as companies! (First invented in 1970)
When did HTTPS ever hurt you? That's built on asymmetric cryptography. Wherever you see the word "secure" it's basically shorthand for asymmetric cryptography.
Easy there, I don't want to take away your encrypted messaging. I'm just pointing out that the technology that enables it also enables the techno-totalitarianism we have been seeing rise since the mid 2010s.
You don't need asymmetric crypto to make remote attestation like this.
Google can put an HMAC key in each device which it knows and keeps secret. The device can author authenticated messages using it. Of course, only Google can verify them, but it appears that the workflow in this depends on Google in any case, and if anything that limitation would be more a feature to them than a bug.
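The symmetric design sketched in the comment above, written out as an added example (not Google's protocol, and not code from this thread): each device holds a per-device HMAC key that the issuer also keeps, the device answers a random challenge with a MAC over its identity, the nonce and its claims, and only the party holding the key table can check the answer. The key table, device ids and claims are constructed sample values.

```python
"""Challenge/response attestation with a per-device HMAC key.

Added illustration of the symmetric design sketched in the comment above; it is
not Google's (or anyone's) actual attestation protocol. Only the party holding
the key table (the "issuer") can check a response, so a third-party relying
party must forward the response to the issuer rather than verify it locally.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample key table: in the sketched design the issuer provisions one
# secret per device at manufacture and keeps a copy. These keys are made up.
ISSUER_KEY_TABLE = {
    "device-0001": hashlib.sha256(b"constructed-sample-key-0001").digest(),
    "device-0002": hashlib.sha256(b"constructed-sample-key-0002").digest(),
}


def issue_challenge() -> str:
    """Issuer side: a fresh random nonce binds the response to this session."""
    return secrets.token_hex(16)


def _canonical(device_id: str, nonce: str, claims: dict) -> bytes:
    # Canonical JSON so device and verifier MAC exactly the same bytes.
    return json.dumps({"device_id": device_id, "nonce": nonce, "claims": claims},
                      sort_keys=True, separators=(",", ":")).encode()


def device_attest(device_key: bytes, device_id: str, nonce: str, claims: dict) -> dict:
    """Device side: authenticate (device_id, nonce, claims) with the device's secret key."""
    tag = hmac.new(device_key, _canonical(device_id, nonce, claims), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "nonce": nonce, "claims": claims, "tag": tag}


def issuer_verify(key_table: dict, attestation: dict, expected_nonce: str) -> str:
    """Issuer side. Returns 'valid', 'invalid' or 'unknown_device'.

    A party without the key table (an empty or partial table) can only ever get
    'unknown_device': it cannot distinguish a genuine response from a forged one.
    """
    key = key_table.get(attestation["device_id"])
    if key is None:
        return "unknown_device"
    if attestation["nonce"] != expected_nonce:
        return "invalid"  # replayed or out-of-session response
    expected = hmac.new(key, _canonical(attestation["device_id"], attestation["nonce"],
                                        attestation["claims"]), hashlib.sha256).hexdigest()
    return "valid" if hmac.compare_digest(expected, attestation["tag"]) else "invalid"


def run_exchange(device_id: str, claims: dict, key_table: dict = ISSUER_KEY_TABLE) -> str:
    """One full exchange: challenge, device response, issuer verdict.
    The device's copy of the key is read from the same table here purely for the demo."""
    nonce = issue_challenge()
    response = device_attest(key_table[device_id], device_id, nonce, claims)
    return issuer_verify(key_table, response, nonce)


if __name__ == "__main__":
    print(run_exchange("device-0001", {"os": "stock", "bootloader": "locked"}))
```

The point the code makes concrete: `issuer_verify` with an empty key table never returns anything but `unknown_device`, which is the "only Google can verify them" property; a tampered claim, a wrong key or a stale nonce all come back `invalid`.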
This is an extreme opinion and is not surprisingly unpopular and downvoted but one must realise that it is exactly how the governments were thinking when they wanted to ban encryption, and how the export restrictions and classification as a munition came about. Now companies are wielding it against us.
I think you misunderstand the point I'm making. Governments love having this centralized ability to attest hardware and control what software can be run. This is why for instance the EU has really slow-walked and watered down side loading requirements for Apple.
I disagree, I think you cast the net way too wide. Asymmetric cryptography enables secure communication in the first place. It's being used nefariously by Google and Apple, of course, but that's to be expected from big tech.
Isn’t the ability to create certificates guaranteed conceptually once you have asymmetric crypto? In that case there is no intermediate technology which allows key exchanges without also creating digital totalitarianism.
These kinds of things just make me want to use Graphene even more, or literally any platform that isn't the monopoly ones. Somehow I think AI and vibecoding, even if it may sound like an unpopular opinion, will allow people to build free ecosystems and actually usable devices that don't rely on the usual providers.
I mean sure, Google & Apple are evil, but don't we all need some evil in our lives? EU citizens, doesn't matter, we love the evil and honestly we enjoy it.
What can't we do for these two companies? We will beg, we will bend, we might even consider grovelling as long as the evil is around, to help us find the greater evils in the world. That is, the people we don't like might be the bad guys today, but just don't worry, you will be the bad guy too, just wait until the bad guys get into power...
I haven't read The Hobbit or The Lord of the Rings, but man, if this isn't greed corrupting all men then I don't know what is.
I feel sick of all this, I might really just move out and live the rest of my life out on the farm somewhere.
Miss that monopoly busting of yesteryear. The elephant in the room is that private forces who do not have public good in mind have gotten way too powerful to the detriment of everybody's well-being. Everybody's except the state's surveillance wings.
In China they have solved this issue already by having every website log in with your phone number which is already directly tied to your Chinese ID.
Problem is some countries don't lock down their phone numbers this far so for this to work you have to whitelist country codes which have secured phone numbers.
It's still not too late. With the help of Claude et al., we can make a truly open mobile OS from the ground up. We can make an app translator that can translate Android and iOS apps to our OS. We can make deals with manufacturers to start shipping phones with this OS. We have the will; there's enough of us on this site to make an impact. All we need is good leadership. Please, somebody with enough clout, step up.
The OP is from an already-existing open mobile OS, which already has a deal with a manufacturer. The problem isn't, and has never been, making an OS. This is not a technical problem. This is a political problem.
But that open mobile OS is still a fork of Android, which is too hell bent on privacy (which is not a bad cause, but something that the masses don't care about). We should focus on an OS which is hell bent on UX, UI and other features that the masses crave.
You really don't know the limits of LLMs. They can't make anything "from the ground up"; they are only as capable as what they were trained on. Someone had an LLM make a C compiler and they found code regurgitated verbatim from existing compilers. You better believe that any OS it writes will look astonishingly similar to an existing open source one.
It seems to me that comments here are reading this as saying attestation is bad, when the real argument is that attestation should explicitly provide a path of inclusion for non-Apple and Google providers.
The headline seems to make the statement that Apple and Google are evil and doing this for monopoly lock-in, and GrapheneOS, a competitor, will stand for the people against that. But given their final counterpoint is that they should have been included too, and they rant about being rejected from Google's Play Integrity API for unclear reasons they claim are malicious, it seems they do acknowledge there's security value here: we do critically need full-chain-of-signature attestations for critical identity data, the only way to avoid someone using AI to create fraud identities trivially.
The position of GrapheneOS is that attestation shouldn't be used to restrict people to an allowlist of hardware and operating systems. It can be used without forbidding them from using what they want to use. However, if it's going to be used to make an allowlist of hardware and operating systems, then it needs to permit anything at least as secure as what they're permitting to be approved. Instead, they're enforcing Google's business model for licensing Google Mobile Services while not requiring secure devices at all. There's no security value in the current Play Integrity API, which permits devices with no patches for 10 years.
Even the Play Integrity API strong integrity level only enforces being no more than 1 year behind on the official Android security bulletins, which are 3-4 months outdated at release, so that's nearly a year and a half behind on patches. It also has the massive loophole of permitting being arbitrarily behind on patches for Android versions earlier than Android 13, so even the strong integrity level permits a device launched with Android 8 with no patches applied since then. That's not a security check, it's a business model check to lock out alternatives not licensing Google Mobile Services. The licensing terms for Google Mobile Services have been found to be illegal in multiple countries. Google enforcing agreeing to those terms with the Play Integrity API is a truly extraordinary violation of antitrust laws. Governments are not only failing to act but adopting it themselves. It's going to be looked back on as a massive failure for technology regulation/legislation along with government tech policy beyond that.
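The patch-level rule the comment above attributes to the strong integrity level, encoded as an added example beside a version-agnostic patch-age check, so the loophole it describes can be seen on concrete inputs. This is a model of the rule as the comment states it (Android 13 and later at most a year behind the bulletin, earlier versions unchecked), not Google's implementation, and it is not code from GrapheneOS; the fleet of devices, the reference date and the 90-day threshold of the alternative check are constructed.

```python
"""Model of the patch-level rule the comment above attributes to the Play Integrity
"strong integrity" level, beside a plain patch-age check.

Added illustration only: it encodes the rule as the comment describes it
(Android 13+ must be within a year of the security bulletin; earlier versions are
not checked), not Google's actual implementation, and the devices are constructed
samples.
"""
from datetime import date

# Constructed reference date for the evaluation.
ASSESSED_ON = date(2026, 3, 1)

# Constructed sample fleet: (label, Android version, security patch level).
SAMPLE_DEVICES = [
    ("Android 8, no patches since 2017", 8, date(2017, 12, 5)),
    ("Android 13, patched Jan 2025", 13, date(2025, 1, 5)),
    ("Android 14, patched Jan 2026", 14, date(2026, 1, 5)),
    ("Android 15, patched Mar 2025", 15, date(2025, 3, 5)),
]


def patch_age_days(patch_level: date, today: date = ASSESSED_ON) -> int:
    """Days between the device's security patch level and the reference date."""
    return (today - patch_level).days


def strong_integrity_as_described(android_version: int, patch_level: date,
                                  today: date = ASSESSED_ON) -> bool:
    """The rule as the comment states it: versions below 13 are exempt,
    13 and later may be at most one year behind."""
    if android_version < 13:
        return True  # the loophole: any patch level passes on older launch versions
    return patch_age_days(patch_level, today) <= 365


def patch_age_check(patch_level: date, today: date = ASSESSED_ON,
                    max_age_days: int = 90) -> bool:
    """A version-agnostic alternative: the patch level itself must be recent,
    whatever Android version the device launched with."""
    return patch_age_days(patch_level, today) <= max_age_days


def effective_lag_days(bulletin_lag_days: int = 120, allowed_behind_days: int = 365) -> int:
    """How stale the installed fixes may be under the described rule once the
    comment's 3-4 month gap between fixes and bulletin publication is added on."""
    return bulletin_lag_days + allowed_behind_days


def evaluate(devices=SAMPLE_DEVICES, today: date = ASSESSED_ON) -> dict:
    """Return {label: (passes_described_rule, passes_patch_age_check)}."""
    return {
        label: (strong_integrity_as_described(ver, patch, today),
                patch_age_check(patch, today))
        for label, ver, patch in devices
    }


if __name__ == "__main__":
    for label, (described, strict) in evaluate().items():
        print(f"{label:36} described-rule={described!s:5} patch-age-check={strict}")
    print("effective maximum staleness under described rule:", effective_lag_days(), "days")
```

On the constructed fleet the unpatched Android 8 device passes the described rule and fails the patch-age check, while the Android 13 device that is 420 days behind fails both; that contrast is the "business model check, not a security check" point in executable form.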
That is not what GrapheneOS is saying. They mention their exclusion as proof that attestation has nefarious motives, not because they would be OK with it otherwise.
They have commented elsewhere that any inclusion/exclusion criteria (if at all) should be transparent and collaboratively decided rather than arbitrary, monopolised or ineffectual/deceptive. They mention several times that people should not be excluded from web services for browser/OS choice.
> In my experience, once the issue is framed as 'Google will decide what you can do with your phone' every single person is immediately outraged.
Apple already does this and practically no one is outraged.
Because Apple always did this, everybody knew this and people buy Apple exactly because of this.
Google now pulls the rug on Android which is a whole different story because it used to be open. The whole idea of Android was to be open.
Yes, but most people don't realize it, simply because they have been conditioned from the beginning that the only way to run anything on an iOS device is via the app store.
With Apple customers, a better argument to make is to say that Apple applies a 30% 'tax' on all activity on their phones. That they are being forced to pay more compared to non-Apple users in spite of having bought their device fair and square.
Frame it as "America will decide what you can do with your phone" and people in Europe will listen.
> It doesn't take much to convince them that Google et al don't have their best interests in mind. They already know it and have experienced it.
I think with Apple in particular, this is the issue. Apple have largely demonstrated that they _do_ often have the users' best interests in mind (or at least at some point have had) on the basis that the users are Apple's primary customers. Yes, Apple lock down iOS functionality, but this has often been to deliver innovative features. Users don't mind that they're in a walled garden because they like the walled garden.
This is where Google is a different case. Google’s interests are aligned with mass data collection rather than products people love. Most Google users have experienced how this impacts them negatively at some point, usually with the degradation of their products, and constant advert spam.
Google is an example of a company that the mass majority assumes to be in the wrong. Apple often isn’t.
Apple is the classic "good king". By and large they have used their power in ways that benefit users. Other than enriching Apple, there's been no direct or apparent harm to the end user from the walled garden. I know that is a controversial point, but harms we don't ever know about are pretty hard to get upset about.
But the “good” king never lasts. They’re always eventually replaced by a despot, and all the power you ceded to the “good” king falls into the hands of the bad king. Which is why ceding that power is a bad idea, and kings are a terrible system of government.
That's perhaps where the part about educating less tech-savvy folks comes in. There are even professionals in tech under the mistaken belief that Apple meaningfully adds value in exchange for one's freedom to use one's device as one chooses. Big Tech loves normalising the story of how only they can help.
And it was a huge mistake. The laws are the same for everyone. If Apple can do this then so can Google.
Apple doesn't own reCAPTCHA. Apple's walled garden is still a tragedy, but it's a tragedy of willing participants.
> Apple already does this and practically no one is outraged
Apple ran a very successful propaganda campaign where they portray themselves as the protectors and enforcers of a secure environment where users are safe from attacks from the wild internet. See Apple's spin on blocking cookies. Therefore, users of Apple products are conditioned to believe these measures exist for their own personal benefit, unlike Google which is presumed to be motivated to abuse your trust.
> In my experience, once the issue is framed as 'Google will decide what you can do with your phone' every single person is immediately outraged.
I've had a lengthy debate about this (in the context of right-to-repair) with a friend of mine who's outside tech and he genuinely held (still holds?) the opinion that the manufacturer has the "right" to decide how their products are used. I'm willing to bet that this is a common viewpoint of people outside the tech sphere, they just want a device that "works", which for them is essentially just "I can use apps from the App store".
Did you ask whether your friend has a car? I think it's much easier to get the point if the story comes to someone's 10-year-old but still okay car.
e.g. Without proper regulations, your maintenance can become nearly impossible.
> I'm willing to bet that this is a common viewpoint of people outside the tech sphere, they just want a device that "works", which for them is essentially just "I can use apps from the App store".
Perhaps some people were just conditioned to believe that these shackles are forced upon them for their own good, because only bad people would ever want to take them off.
I mean I agree with you. But also, it's not that unreasonable of an opinion. As long as it's coupled with optionality, which I think is the actual issue. Well the actual "issue" is that most people don't care or think that much at all about it. HN is a very special crowd.
I just submitted a survey to my state's DMV to encourage them to ditch reCAPTCHA. I went to renew my plates and had to do almost a dozen "click the picture" screens to get through on IronFox on my GrapheneOS phone the other day. Luckily no QR code with the whole Play Integrity check, but that wouldn't have been out of the realm of possibility.
There is a tradeoff between the freedom users have on their devices on one side, and the likelihood less sophisticated users will get their information stolen or their devices pwned and used to DoS innocent websites on the other side.
If you don't address this tradeoff you're not really engaging the issue.
What I think we need is a professional, well-informed advocate of freedom who is willing to seriously discuss the tradeoff and concede that neither extreme is ideal.
> What I think we need is a professional, well-informed advocate of freedom who is willing to seriously discuss the tradeoff and concede that neither extreme is ideal.
There is no shortage of well-informed advocates of freedom. The question is, which forum should they discuss this in? There is no meaningful forum for such a debate which will have any real effect on policy, and that's by design.
The only place that can both debate and effect policy changes is the legislature, and politicians will never take the people's side against corporations on an issue until they fear losing reelection.
Hence the ask to educate the people around you and to encourage them to reach out to their representatives.
> If you want to make a meaningful contribution, however small, then make it a point to educate people about the control they are giving to large corporations like Google.
This is a fool's errand. We live in a time without virtuous values, where convenience is king. The masses don't care about cookies or consent, they accept all. They only understand direct punishment.
Generalizing like this is a fool's errand, if anything. We care, and we are part of the "masses". If this is something you care about, share with others: there will be those who value it.
>This is a fool's errand.
It is absolutely not. Awareness is what people need right now because nobody is saying anything different than the established line. The more people that put their voice into this, the better off we are going to be.
I'm hosting a Surveillance Capitalism presentation soon that I designed myself; I'll likely post it on the net when I am done. If you are interested in hosting a Zoom call or an in-person awareness campaign like this, email me from my website[0] campaign form[1] and I'll notify you when it's online and you can download it and use it yourself to host your own venue.
[0]: https://www.scottrlarson.com
[1]: https://www.scottrlarson.com/forms/form-contact-campaign/
> The masses don't care about cookies or consent, they accept all. They only understand direct punishment.
Honestly, I can totally see where the cynicism is coming from, however if you think about it, that's a pretty condescending view. This effort might be Sisyphean, but things are not as dire as you might think.
People are already seething at how much their lives are being enshittified by Big Co. Even if 10% of voters reach out to their representatives, it would be a tidal wave. Politicians are terrified of the popular will and this is not a hill they are willing to die on. Just see the success of the right to repair movement as an example.
> The superhuman efforts that folks on HN make to find technical workarounds and solutions is wonderful to see, but we must realize that this is not a technical problem. It's a social and legislative one. It can't be fought on technical grounds.
This. No matter how good the intentions are, this represents the infrastructure that can be exploited to persecute individuals and groups and deprive them from the most basic rights.
And before anyone tries to downplay this as scaremongering, US legislators have introduced the legal framework to reject visas based on what comments the applicant may or may not have said in the past years regarding the current government.
I think part of it is the hackers that the media reports on are entirely malicious. Most hackers aren't, we just like computers
Evil people always get in the news.
Sadly much as I agree with OP, the reality is there are a lot of evil people, and some of them lead a country and thus have vast resources to attack with. We need to solve this problem, not just cry about what a few of us are losing.
Petitions are also a good way of reaching out to people and explaining the dangers of these issues. Many people that usually sign petitions are notified of new ones, and, as a generalisation, they are usually fairly against big tech.
If anyone knows of any European petition around this please share them with us
> Right now, the vast majority of users are being bombarded with a one sided narrative of how 'insecure' their devices are. They read almost everyday about someone losing their life's savings due to 'hackers'. In this environment, they genuinely believe locking down their devices will make them more secure and prevent them from being 'hacked'.
Nope. It's not the issue. The issue is people genuinely want the security problem to be solved by someone else. Either governments or big companies. So they can just not care about security once and for all.
If people were so aware of so-called hackers and how insecure their devices are, we would have seen people stop installing apps on their phones and basically use them as a web browser. But that's not what happens. The opposite is truer: if you run an even slightly popular website you will receive feedback asking if you have an app version.
> In my experience, once the issue is framed as 'Google will decide what you can do with your phone' every single person is immediately outraged.
Oh boy, you're going to be really surprised.
I agree with the direction, but not the blind spot.
Your audience is going to shut you out if you don’t show you understand their reality.
I reach out to people, and every tech and media person I know is holding sessions on government overreach and invasion of privacy, raising alarm bells.
Everyone not in tech has just about had it with being predated upon, being screwed over and in general would rather warm themselves on a bonfire of tech stock, than do a thing to support it. Voters are HAPPY to see tech brought under control.
The degree of fraud, predation, privacy invasion that regular adults encounter, let alone children, is absurd.
To take the most civil and benign trend I know: online communities are dying to a glut of slop, bots, and spam. Users and mods are simply unable to keep up with this, and are increasingly likely to ding users as much as bots.
A majority of humanity, who live in the developing world, encounter even worse, AND have less recourse to support.
——-
Success in these things requires connecting with people. You cannot do that if you come across as a know it all.
You must open with an acknowledgement that Tech is not doing a good job for users, but giving governments sweeping powers is not the antidote.
Is there a good primer on why this is bad? I know that it is on a technical level. But I haven't heard anyone talk about it in layman's terms. Maybe I'll need to write something up. But it would be great to have some resources as to why this is bad from a perspective other than my own.
I'm doing a presentation on Surveillance Capitalism soon and I might include this topic.
Requiring authorized silicon (and software) isn't even the biggest problem here.
They do not use zero knowledge proof systems or blind signatures. So every time you use your device to attest you leave behind something (the attestation packet) that can be used to link the action to your device. They put on a show about how much they care about your privacy by introducing indirection into the process (static device 'ID' is used to acquire an ephemeral 'ID' from an intermediate server) but it's just a show because you don't know what those intermediary servers are doing: You should assume they log everything.
And this is just the remote attestation vector, the DRM 'ID' vector is even worse (no meaningful indirection, every license server has access to your burned-in-silicon static identity). And the Google account vector is what it is.
Using blind signatures for remote attestation has actually been proposed, but no one notable is currently using it: <https://en.wikipedia.org/wiki/Direct_Anonymous_Attestation>
There are several possible reasons for this, the obvious one is that they want to be able to violate your privacy at will or are mandated to have the capability. The other is that because it's not possible to link an attestation to a particular device the only mitigation to abuse that is feasible is rate limiting which may not be good enough for them - an adversary could set up a farm where every device generates $/hour from providing remote attestations to 'malicious' actors.
> The other is that because it's not possible to link an attestation to a particular device the only mitigation to abuse that is feasible is rate limiting
I still don't see how you can keep something anonymous and still rate limit it. If a service can tell that two requests came from the same party in order to count them then two services can tell that two requests came from the same party (by both pretending to be the same service) and therefore correlate them.
The way it would work with blind signatures is that the server will know the device that comes to it to request a blinded signature and will be able to rate limit how often that device asks it.
But once you get the response you can unblind the signed signature and obtain the token (which is just the unblinded signature). This token can then be used once either because it's blacklisted after use (and it expires before the next day starts for example).
The desired property of blind signatures is that given a token it's information theoretically impossible to determine which blinded signature it came from (because it could have come from any of them) even if the cryptographic primitive is broken by a mathematical breakthrough or a quantum computer. There is technically the danger that if the anonymity set is too small and all the other participants collude you can be singled out.
Correlating times is a threat vector that needs to be managed either by delaying actions (not tolerable by normal users) or by acquiring tokens automatically and storing them in expectation. Or something other I haven't thought of probably. There is also a networking aspect to this, you will need a decentralized relay server network that masks origin of requests.
5 replies →
Just to give an example to prime your intuition: define your "usage token" as H(private_key|service_domain_name|date|4-bit_counter). Make your scheme provably reveal the usage token when you authenticate. Now you can use the service 16 times a day on a particular domain and no more simply by blocking token reuse. And yet the service has no ability to link different tokens to each other or to a specific person because they don't have anyone else's private keys.
You can make variations on this for a wide spectrum of rate limiting behaviors.
But also I agree with xinayder's comment-- the anticompetitive, anti-privacy, invasive surveillance is unacceptable. There are a lot of risks with ZKPs that we just make the poison a little less bitter with the end result being more harm to humanity.
I think ZKP systems are intellectually interesting and their lack of use helps make it more clear that the surveillance is really the point of these schemes, not security because most of the security (or more of it) could be achieved without most of the surveillance.
But allowing the apple google duopoly to control who can read online is wrong even if they did it in a way that better preserved privacy.
And because I can't believe no one else in the thread has linked to it: https://www.gnu.org/philosophy/right-to-read.html
6 replies →
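To make the token flow from the two comments above concrete (the issuer that "launders" tokens and can rate limit per device, and the single-use, day-scoped token the service blocks on reuse), here is an added toy model in Python. It is not code from anyone in this thread; it assumes textbook Chaum RSA blind signatures with constructed, deliberately tiny parameters, a constructed date window, and a per-device daily quota of 2 just to show the rejection path.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA parameters, constructed for this example only. They are far too
# small for real use; a deployment would use a large modulus or a modern
# blind-signature construction, not textbook RSA.
P, Q = 1_000_000_007, 998_244_353          # two primes
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, issuer only


def token_digest(day: str, preimage: bytes) -> int:
    """The value that gets signed: H(day || preimage), reduced mod N.
    Binding the day into the hash is what makes a token expire."""
    h = hashlib.sha256(day.encode() + b"|" + preimage).digest()
    return int.from_bytes(h, "big") % N


class Issuer:
    """Authenticates the device and rate limits it, but only ever sees
    blinded values, so its log cannot be matched to redeemed tokens."""

    def __init__(self, quota_per_day: int):
        self.quota = quota_per_day
        self.requests = {}   # (device_id, day) -> number of signatures issued
        self.log = []        # every blinded value seen (a logging issuer's view)

    def sign_blinded(self, device_id: str, day: str, blinded: int) -> int:
        key = (device_id, day)
        if self.requests.get(key, 0) >= self.quota:
            raise PermissionError("daily quota exhausted for this device")
        self.requests[key] = self.requests.get(key, 0) + 1
        self.log.append(blinded)
        return pow(blinded, D, N)            # blind signature s' = (m * r^e)^d


def acquire_token(issuer: Issuer, device_id: str, day: str):
    """Device side: pick a random preimage, blind its digest, have the
    issuer sign it, then unblind. Returns (preimage, signature)."""
    preimage = secrets.token_bytes(16)
    m = token_digest(day, preimage)
    while True:
        r = secrets.randbelow(N - 2) + 2    # blinding factor, coprime with N
        if gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N
    s_blind = issuer.sign_blinded(device_id, day, blinded)
    s = (s_blind * pow(r, -1, N)) % N       # strip r: (m^d * r) * r^-1 = m^d
    return preimage, s


class Service:
    """Checks the issuer's signature and blocks reuse for the day.
    It never learns which device the token came from."""

    def __init__(self):
        self.spent = set()

    def redeem(self, day: str, preimage: bytes, signature: int) -> bool:
        if pow(signature, E, N) != token_digest(day, preimage):
            return False                     # forged, or issued for another day
        key = (day, preimage)
        if key in self.spent:
            return False                     # single-use: already redeemed today
        self.spent.add(key)
        return True


def demo():
    """Runs the flow once and returns the observable outcomes."""
    day = "2024-01-01"                       # constructed date window
    issuer = Issuer(quota_per_day=2)
    service = Service()

    pre, sig = acquire_token(issuer, "device-A", day)
    first_use = service.redeem(day, pre, sig)
    second_use = service.redeem(day, pre, sig)            # replay is refused
    other_day = service.redeem("2024-01-02", pre, sig)    # expired token
    forged = service.redeem(day, b"made up", 12345)       # no valid signature

    acquire_token(issuer, "device-A", day)                # second token is fine
    try:
        acquire_token(issuer, "device-A", day)            # third exceeds quota
        quota_enforced = False
    except PermissionError:
        quota_enforced = True

    # The issuer logged only blinded values; the redeemed signature is not among them.
    unlinkable = sig not in issuer.log
    return first_use, second_use, other_day, forged, quota_enforced, unlinkable


if __name__ == "__main__":
    print(demo())
```

The point of the split is visible in the two classes: the issuer knows the device and enforces the quota, the service knows the token and enforces single use, and neither side alone can join those two facts. The timing-correlation concern raised above is not addressed here; a device that fetches a token and spends it seconds later still leaks that correlation to anyone watching both servers.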
I'm as biased against cryptocurrency as everyone, but couldn't we have the requestor do a bit of mining work to mint that initial id? I mean, if the service is actually making a bit of money from each request, the need for rate limiting just vanishes, right?
9 replies →
> I still don't see how you can keep something anonymous and still rate limit it.
Constructions like this have existed for many years. E.g. semaphore RLN (rate limiting nullifier). This particular construction was found unfeasible 7 years ago, but since then zksnark tech made huge progress and it is way cheaper now.
Can we stop normalizing being surveilled online and on our devices?
Saying something like "the problem is not hardware attestation, but that they don't use ZKP".
You are normalizing the new behavior. You shouldn't. It doesn't matter if they use ZKP or the latest, secure technology for hardware attestation. The issue is hardware attestation. It's the same with age ID. The issue is not that Age ID is prone to data leaks, the problem itself is called Age ID.
Hell yes. I was going to post the same comment. I don't give a flying fuck how it's implemented. Remote attestation is inherently evil.
I remember the WEI apologists trying to do the same thing to derail the argument. The problem is the goal, not the details. Just say no: DO NOT WANT!
51 replies →
How should a government act to prohibit misrepresentation of one’s characteristics online, from accessing services for which that government has formally defined regulations based on characteristic into law?
If your answer is “they shouldn’t ever do that”, then you’re promoting an uncompromising position that governments are disinclined to adopt, being the primary user of identity issuance and verification on behalf of their citizens.
If your answer is “they should do that differently”, then you have a discussion about (for example) ZKP or biosigs or etc., such as the thread you’re replying to.
Which of these two paths are you here to discuss? I want to be sure I’ve correctly understood you to be arguing for the former in a thread about the latter.
You're not necessarily being surveilled just because you're forced to authenticate yourself. It often is the case practically, but it's not inherent, and mixing the two up makes the discussion too imprecise in a technical forum.
Hardware attestation often also has problems of centralization, but that's something else as well.
By just labeling it as an abstract bad thing without seeing nuance, I'm afraid you won't be convincing those in power to pass or block these laws, or those convincing your fellow voters which efforts to support.
9 replies →
There is a problem where it's becoming increasingly harder to determine which internet packets that are coming to your service are at the behest of a human in the course of normal activities or an automated program.
If all the internet was is static content, that wouldn't be much of a problem. But we live in world where packets coming to your service result in significant state changes to your database (such as user generated content).
I suspect that we are currently in the valley of do-something-about-it on the graph which is why you see all this angst from the big players. Would Google really care if automated programs were so good that they were approximating real humans to such an extent that absolutely no one can tell? I suspect they would not only be happy with such a state of affairs, they would join in.
1 reply →
> Requiring authorized silicon (and software) isn't even the biggest problem here.
It is indeed the biggest issue. It prevents me from owning and using the hardware I pay for, own, or make myself. It's switching the personal computer as we know it from being open to proprietary and owned by 2 large US corporations.
I don't agree that it's not a problem.
Did you just read “not even the biggest problem” as “not a problem”?
1 reply →
Would like to read a writeup on this, I was certain it was going to be something like this from the app's announcement.
Also I recall a discussion on Graphene's forums that DRM ID is not only retained there, but stays the same across profiles.
I simplified the process in my description. The DRM ID Android has is not what I was referring to.
I was referring to the static private key that is stored in the silicon. At any time an application can initiate a license request process using DRM APIs which will elicit an unchangeable HWID from your device. The only protection is that it will be encrypted for an authorized license server private key so collusion may be required (intel agencies almost certainly sourced 'authorized' private keys for themselves). Google or Apple also has the option to authorize keys for themselves. In 'theory' all such keys should be stored in "trusted execution environments" on license servers and not divulge client identities for whatever that's worth: <https://tee.fail>.
2 replies →
Can you revoke certificate for a specific device using privacy schemes?
Like imagine that someone managed to extract key from the specific device and distributed that key in a software implementation to fake attestation. Now Google needs to revoke that particular key to disallow its usage. This is obvious requirement.
Yes, with blind signatures you still have a central authority which voluntarily 'launders' tokens for you. When you present it your certificate and ask it to give you a blind signature it can reject the certificate.
However if someone extracts a key and keeps it private, and instead gives out unblinded tokens there is nothing you can do other than rate limit - realistically, an adversary is going to trial different rates anyway to figure out which don't make them an outlier.
Especially if the device in question is linked to an enemy of the state and the people.
> Requiring authorized silicon (and software) isn't even the biggest problem here.
I agree, except I worry it's a bigger concern than we realize.
I still remember what CableCard (and the hoops needed for HW manufacturers to get certified) did to the DIY DVR Market...
Ultimately, the point of hardware attestation isn't to ensure that your device is trusted, but that the action you're trying to perform was done by a human, not a bot doing millions of them per second. It's just another CAPTCHA mechanism in disguise, required because bots have gotten so good at solving the existing ones.
With a secure device, the only way to get an attestation for an account signup is to do the signup on that device, with real fingers clicking real buttons on a real screen. There's no way to short-circuit the process by automatically sending a JSON request and bypassing the actual signup flow from a Python script, like you can do with an insecure endpoint.
With blind signatures, a single compromised device destroys the value of the entire scheme, as it can be used to issue an infinite number of attestations with 0 human oversight.
What we need is a blind signature construction where the verifier can revoke a signature, each signature carries proof that none of the revoked signatures comes from the same signer, and where it is impossible for one signer to issue more than n distinct signatures during one time window. Not sure if this would be possible with ZKPs; my cryptography knowledge doesn't extend that far.
> Ultimately, the point of hardware attestation isn't to ensure that your device is trusted, but that the action you're trying to perform was done by a human, not a bot doing millions of them per second. It's just another CAPTCHA mechanism in disguise, required because bots have gotten so good at solving the existing ones.
...no? Maybe this is true of end-user device attestation. But there are other use-cases for attestation.
Server device attestation is an entirely different thing. It's used in e.g. IaaS "Confidential VM" offerings, where the audience for the attestation information is the customer, rather than the server host. It's a very pro-privacy / pro-data-sovereignty feature.
And while embedded device attestation is sometimes about preventing customers from tampering with IoT stuff you "sold" them, more often it's about being able to trust and confidently assert that e.g. the climate sensors you've deployed all over a forest as part of a research project haven't been fucked with to report false data by someone with an agenda. (Or to "apply denial" to your unmanned military satellite downlink station the moment you detect that there's some unknown person out there futzing with it.)
Are these the kinds of issues privacy pass intends to fix? If so, what carrot and/or stick will get it adopted?
In 1999, Intel received an absolutely massive amount of opposition when they decided to include a software-readable serial number in their CPUs, so much that they reversed the decision.
Then the "security" and Trusted Computing authoritarians continued pushing for TPMs and related tech, and contributed to the rise of mobile walled gardens. Windows 11's TPM requirements were another step towards their goal. The amount of propaganda about how that was supposed to be a good thing, both here and elsewhere, was shocking.
It turns out a significant (but hopefully decreasing) number of the population is easily coerced into anything when "security" is given as a justification.
The war on general-purpose computing continues, and we need to keep fighting.
Stallman was right, as always. Time to give his "Right to Read" another read. (If it hasn't been done already, an AI-generated short film of it would be a great idea...)
"Those who give up freedom for security deserve neither."
Weird rant. TPMs are great. The modern computing landscape needs a safe place to put secrets. It's what made the iPhone (Secure Enclave is effectively a TPM) years ahead of Android in terms of security.
The problem isn't the TPM, but attestation. As soon as the TPM is required to not be under your control to get access to Y, bad things happen.
Hell, in actuality, the problem isn't even attestation, its policy. The EU Parliament (the one the people vote for, the Commission are cronies) might eventually force corporations into something more citizen-friendly. Neither Apple, Google or Microsoft is going to drop a market that big.
Requiring "tokens" stored in "trusted modules" and 7-factor-auth for everything is not progress, it's theater. The biggest achievement of the security orthodoxy was locking me out of my email, by requiring me to read a code sent to my email to log into my email.
I -- literally -- do not care about a single "account" in any "service" I use aside from my email and bank account. Most people would add a few social media accounts to that list.
You don't need a "place to put secrets". Your iPhone app does not do anything important enough to require a "trusted chain" of cryptographic bullshit, just use a password and Google/Apple login.
22 replies →
Attestation isn't even the problem. I'd love to be able to verify that my server's kernel hasn't been tampered with.
The problem lies in companies like Apple/Google/Microsoft rejecting attestation that they do not control.
People confusing big tech's policy choices with tech features have made "I want my laptop's auth token to only be usable on my laptop" a controversial opinion.
>The modern computing landscape needs a safe place to put secrets.
Does it? Why waste time on developing exploits when you can just call up grandma and get her to give you the money by her "own" volition - using her secure device - by pretending to be the bank/IRS/her granddaughter using AI voice/etc.
> TPMs are great.
TPMs are a fucking mess. TPM 2 at least, I’ve worked with it for a few months. I love me some hardware security module, but I want to control it. And if it must be a standard, please please do something like the TKey, so it can be both much simpler than current ad-hoc standards and future proof.
https://loup-vaillant.fr/articles/hsm-done-right
TPMs add security against a narrow case of evil maid attacks. They might be useful for corporate computing (for cargo cult compliance purposes more than actual security) but they trojan horse more of "not owning the device you bought" with it to people that don't and shouldn't care about evil maid attacks at all.
2 replies →
Agreed. Trying to limit progress because it may be misused is attacking the wrong part of the problem and will not work.
Totally with you until you brought in AI, a completely centralized and proprietary tool.
Local models exist, but there's also irony in using the tools to spread the message of the opposition.
21 replies →
Especially considering AI bots are the whole reason google is pushing this new recaptcha.
1 reply →
> (If it hasn't been done already, an AI-generated short film of it would be a great idea...)
Once you have the script, that’s a couple actors in a classroom, a couple e-ink readers for props, the film crew… It can be shot with less than 10 people in a day, then one person for a couple days for cutting and post production. And that’s on the very high end for this scene.
Considering the reach this video would be meant to have, avoiding AI would not be that expensive.
On the other hand, the TPM spec is pretty complex, especially because they wanted to address privacy issues: the endorsement key, burned by the manufacturer, is only able to encrypt messages and not able to sign them, because this could have been used to track machines. (and this makes a remote attestation protocol much more complex to implement)
So, it looks like they were aware of such issues and tried hard to mitigate them.
> In 1999, Intel received an absolutely massive amount of opposition when they decided to include a software-readable serial number in their CPUs, so much that they reversed the decision.
> It turns out a significant (but hopefully decreasing) number of the population is easily coerced into anything when "security" is given as a justification.
The people who opposed Intel are now telling each other how hopeless and powerless they are. You can see it on HN, in this thread: No drive, outrage, and self-organizing response to these issues, but despair - 'nobody cares', 'there's nothing we can do', etc. Quitting is a sure way to lose.
> The people who opposed Intel are now telling each other how hopeless and powerless they are.
I don't think those are the same people. I, for one, will continue this fight by telling everyone I know about the fact that Google is going for absolute control of the Internet, and by extension, everyone's lives. They have already become an unelected global government.
2 replies →
This is a really good thread on why this technology is becoming a problem for "open" anything. The argument "we can create our own separate web" is fine until all of your services are behind the web that locks you into owning a Google approved or Apple approved mobile device.
I like to ride my bicycle with my friends in rides organized by the (Pacific Northwest) Cascade Bicycle Club. They require that I solve a Google reCAPTCHA in order to register for a ride. Google is already completely locking me out from being able to do that. When I try to click on the squares to select whatever items it's asking, it indefinitely loops. When I try using the audio version, it completely blocks me from using it saying that there has been suspicious activity.
That means that I ride alone these days. I did not renew my membership this year.
The last time I experienced something like this was when Facebook started being the only way to participate in certain events. Back when that happened, I simply counted myself as excluded and did other things with my time and money.
I also had a similar issue with Cascade Bicycle Club - they chose to organize things via WhatsApp, and since I am (inexplicably) banned from opening a Meta account I was completely left out of the group and missed out on many rides/details that were only shared via WhatsApp.
When I tell people that this is even possible I get wide-eyed stares — as if they never contemplated that Meta could exercise their right to ban someone from the platform.
It's a huge problem and I have no idea how to fix it except talk about it and spread awareness. And I am not remotely interested in trying to work around the ban.
1 reply →
I hope you contacted them to explain why. People usually think I’m a nut when I do it, or are too stupid to understand and think it’s a tech support issue, but it’s worth at least trying to make it clear that you are choosing not to use/do/pay something because of their choice to use recaptcha
3 replies →
The old, open web is too easy to attack and that is part of what has led sites to adopt technologies like this. I hope there are better solutions than everyone-is-their-GoogleID, but how realistic is it that people just trying to run a bakery, a bicycle ride, &c, will find them? They have other things to do.
And it didn't even take attestation to cause this absurd situation where many businesses or social groups were only reachable behind Facebook or Whatsapp or whatever.
To me this is such a bizarre cyberpunk dystopia. Like if we could only send letters and packages to people subscribed to the same private postal service, or drive on roads that had cross-licensing with our brand of car.
> could only send letters and packages to people subscribed to the same private postal service ...
that's a corporate monopoly's wet dream.
IMO, it would be better if they removed the claim “It doesn't provide a useful security feature” because, even if it does, the collateral damage of making non-Google, non-Apple OSes second class citizens remains, and that is the main problem.
> it would be better if they removed the claim “It doesn't provide a useful security feature” because, even if it does,
What evidence is there that it does?
Attestation purports to prove the code is running on an "approved" device. There are multiple reasons that has no real security value.
The first is that "approved" not only has no relationship to "secure", they're actually anti-correlated. As the article points out, GrapheneOS has better security than normal Android. Moreover, as a general rule the stock firmware that can pass attestation is more likely to be outdated and have security vulnerabilities than a custom ROM, and also as a general rule devices (like PCs) with more open hardware have the ability to be updated. A four year old attestation-passing Android phone may already be out of support and unable to be updated while still passing attestation; a 20+ year old PC can run the latest supported release of e.g. Debian.
The second is that "secure" and "runs code the service doesn't want" are likewise unrelated. Suppose there is an Android device which is still receiving updates. A local privilege escalation vulnerability comes out and that device will get the patch, but hasn't yet. So now any attacker with any of those devices can get root on it until they apply the patch. Which means they can get root after the main filesystem is unlocked, modify the filesystem so they continue to have root by changing something that isn't part of the attestation hash but still causes code or scripts to run as root later, and then update to the latest kernel and continue to have root on a device that passes attestation. The device is secure -- fully patched -- but it's the attacker's own device and they can run arbitrary privileged code on it. Requiring every device to be "secure" against the person who has ownership and permanent physical possession of it is a ridiculous thing to take as a security assumption.
And the third is that attestation doesn't actually do what you want it to anyway. Banks want to make sure the user isn't entering their credentials into a compromised phone, but having the official bank app refuse to run on that phone doesn't actually prevent that, because the fake bank app which is stealing the user's credentials on a compromised device won't require attestation to pass regardless of whether the real one does.
4 replies →
I feel like the complaint about this not adding to security could be read in a really wrong way. Instead of "this is some hypocritical BS", could be interpreted as "lol let's lock EOL devices from even lower integrity tiers". Doubt this is possible because so, so many people use EOL phones, but still.
3 replies →
That's one of the two main claims made in favor of hardware attestation; so it makes sense to argue against it. Of course, the other claim (that categories of people must be kept "safe" from categories of content) is more insidious, so it does deserve more attention.
Wouldn't the argument be that you'd build separate copies of those services as well?
Granted, for banking or government-interactions that isn't feasible, but wouldn't it for many other things? It would likely be more expensive given that the work to build something still needs to be done and the cost is distributed among fewer shoulders and the lower complexity since you don't need to build ad-tech doesn't make up for that, but I suppose that's a bit like quality food.
Hardware will be more difficult.
> Wouldn't the argument be that you'd build separate copies of those services as well?
you can't if the service requires the network effect to function well, if at all. Look at Bluesky and all the alternatives, look at the pitiful attempts at making a youtube alternative, etc.
Are there enough of us to run our own country? It makes me feel dumb, but this is a serious question.
Ideally, we just run our own lives, collaboratively. That's the anarchist default position that we all start in.
What we really need is to meaningfully participate outside of the hierarchical monopolistic systems that demand our participation. That doesn't just mean that we create and hang out in distributed networks: it also means that we make and do interesting shit there, too.
The biggest hurdle I see is that we only really use uncensored spaces to do the shit that would otherwise be censored. We don't use distributed networks to plan a party with grandma, or bitch about the next series of layoffs. We don't use distributed networks to share scientific discovery or art.
I think part of the solution is to make software that is better at facilitating those kind of interactions, and the other part of the solution is actually fucking using it. How many of us are only waiting for the first part?
5 replies →
If you live in a democracy, you already do run your own country. Vote accordingly. Get involved in politics.
18 replies →
I'm convinced that in the billions of people living on Earth, there are a couple million that could agree on things that currently divide countries, like this. Sadly they're unlikely to ever be able to gather together in a single state.
The status quo is nation-states in roughly their post-WW2 borders, and it's fiercely protected. The upside is stability and fewer wars, the downside is that the only way to try anything new is to co-opt an existing country. Adding to that, most countries are ethnostates that would prefer to have only a small percentage of their population be migrants. It's an easy way toward social cohesion, you just stay roughly where you're born, with people who were also born there and share the same cultural background. As we can see, it's not ideal - two lifelong neighbours can easily hold completely opposite moral values.
The problem with "us" is that it's not enough to agree on one small question ("is hardware attestation good or bad") to happily live together in our own country. "We" have a wide variety of opinions about pretty much everything.
In other words, "we" exist only to fight against this one thing we disagree with. And even there, we probably don't all agree on how to fight it or what to do instead.
Where would you do that? Realistically, the question is one that cannot even be asked safely: are there enough of us to overthrow the existing systems and replace them with something better?
The answer to either question, really, is no. The powers that be have systematically implemented policies that keep us divided to prevent that eventual outcome.
Who is the "us" in your question? Theoretically in democracies we should be able to decide this, if we aren't being distracted from real political questions with the culture war stuff that divides the public's attention and divides neighbors from each other.
Any new country will have these same issues, eventually, and probably a lot more that don't seem obvious on the surface.
Fighting against these sorts of monopolies seems far more likely if we can figure out what forces inside the EU and the US are driving these changes and find a way to educate the public, interest groups, and politicians about what's going on.
We already have a republic. If we can keep it.
https://en.wikipedia.org/wiki/Micronation
I’m not sure why you’re asking this question, but you can run a country as a population of 1 (ie just yourself) if you wanted.
The problem being raised isn’t due to the size of the country though. It’s the size of the company (ie Apple and Google)
The question is rather: can political parties develop a vision beyond libertarian views or full state control on the other side.
I feel that we need a better political consensus on a free society that puts the monopoly of force in the hands of democratically legitimate forces. I currently feel that all digital violence lies in the hands of a few corporations. And at the same time there are politicians who like this because through this proxy they can indirectly execute control without any political legitimacy. Sorry, I do not believe in markets as guarantees for freedom. I have read too much dystopian sci-fi for that.
Yes, it requires you to have an approved device for certain tasks.
But you can own multiple devices. You can use an approved device specifically for banking or Netflix and whatever device you like for all your other tasks. Maybe you could use an approved device (a Yubikey?) to authenticate your other devices?
Also, governments should be leaning on them to approve more devices.
This is tyranny: making people powerless, afraid of each other, and submissive, per Aristotle's understanding.[1] The technological means are new, to be sure, but the social strategy is as old as civilization.
Mark my words. General purpose computing and private, direct communication are things too powerful for a tyrant to permit the people to have. The freedom we've enjoyed for the last several decades, to build what we want, to run what we want, to network with who we want, is not the default and will always be under attack. We had it for a little while by the generosity of the previous generation. It was not then, and is not now, and never will be free.
[1] https://www.perseus.tufts.edu/hopper/text?doc=Perseus:text:1...
is that tyrant in the room with us now?
We are a generation of tyrants, each oppressing the others in his own little domain. Gone is the dream of making a modest living while enriching humanity with offerings of technology. Whatever is invented now is gated, rented, and exploited for power, in the shadows and in the open, and what technological power had been granted to the people is whittled away year by year, immense riches destroyed so someone in particular can extract something from a replacement.
There is no Caesar to assassinate because it is everyone, or near enough. It is the idea that this is how you do things. Tyranny is in the air and in the water, that exploitation of power for more power by means of misery, old as mankind.
In such a world, removing one tyrant only gets you ruled by his rival, who is often worse. The historical recipe for freedom and abundance is a people who, as a whole people, are generous with power and expect it of each other at every level, and are viciously intolerant of its abuse. Such was the world of technology for about five decades in the last century, but it hasn't been so for the last two or three. I think it doesn't take much for a few awful people to eat up any abundance, if they are allowed to, and that war is written across the history of computing from its very beginning. But these days, it is not a healthy society defending itself from would-be conquerors, but a world of feuding warlords anxious to eat up any excess anywhere, not only for profit but because thriving and independent people are inherently a threat. With few exceptions, and it seems like fewer every year, any kingdom now which consists of a group of people and some code, be it a software service, a phone, a game, a car, or a dang toaster oven, looks like a despot extracting taxes from his peasants, not a king shepherding his people. Certainly the big ones are that way, and the legacy of the last generation continues to be eroded.
Whatever the means, that tangle of the legal and economic and social and educational and technological and cultural, and I do not pretend it is anything but a thorny and incomprehensible thicket, Aristotle's identification of the broad themes remains relevant. Divided, humiliated, disempowered - whatever the pretext, the encroachment of dark forces is unmistakable. The only defense is (and ever was) those who see their work as in some sense sacred and power as conveying a duty to serve. The generation for whom Superman is a central myth builds one way; the generation for whom it is Game of Thrones builds very differently. Not that these stories are necessarily causes, but their resonance is a reflection of how two very different groups of people think about power.
It is possible to bypass Play Integrity on most devices (even at the "strong" level) using a sewing needle.
Specifically, you poke the data lines of the memory bus to induce bitflips, much like I described in https://www.da.vidbuchanan.co.uk/blog/dram-emfi.html
This is trickier if your device has the DRAM mounted directly on top of the CPU, but still possible - you'll need to do some BGA rework to get a wire soldered to one of the DQ lines.
Once you get a physical memory read/write primitive, you can start patching the kernel. Play Integrity does not detect this, since it only attests the state of the kernel at boot. I chose to patch out the permission checks related to ptrace, allowing me to inject frida-gadget into running apps, and to inject shellcode into pid 1.
The initial exploit is pretty unreliable, and usually takes a few reboots to hit. But once it lands, the device is pwned until the next reboot - like a "tethered jailbreak".
I tested this on a Samsung A06 because it was the cheapest device supporting Play Integrity I could get my hands on, but there's no fundamental reason it shouldn't work on any other device, including flagships. Some mitigations would require a different exploit strategy (e.g. memory encryption), but the fundamental flaw is still there.
Demo: https://bsky.app/profile/retr0.id/post/3mljtyauw322d
Play Integrity will only get more advanced, though
Indeed, my point is less "don't worry about play integrity" and more "don't put it in your app"
Much like DRM, the point is that we shouldn't have to fight this BS in the first place.
The EU Digital (identity) Wallet EUDI requires hardware attestation by Google or Apple, effectively tying all the digital EU identities to the American duopoly. Talk about digital sovereignty. Apparently protecting the children > sovereignty.
https://gitlab.opencode.de/bmi/eudi-wallet/wallet-developmen...
So with a single flip of the switch, the president of the USA can shut down our EU Digital Identity Wallet.
Why was this decision ever made?
> Why was this decision ever made?
Because it wasn't made.
The decision which was made was having a digital ID wallet; that this needs hardware attestation (or something comparable) is somewhat of a direct consequence of existing laws/regulations regarding making IDs forgery-safe.
It also is a phone-only application.
The huge huge majority of phones run Googled Android/iOS, so you support them.
If there were relevant 3rd-party competition it would (most likely) have supported it, too.
Going back to the "the president .. shut down .." argument: The US can shut down >90% of all smartphones used in the EU. I don't think the US being able to shut down something which in the end is fundamentally just a minor convenience feature is making much of a difference here.
But I also think that whole identity wallet (the regulations behind it) is approaching things from the wrong direction, carrying a credit card sized ID with you isn't really a problem or very inconvenient. So instead of having the whole attestation nonsense it would be more practical to simply not have attestation and in turn allow the digital ID only for usage where the damage it can cause is quite limited. Especially given that device attestation systems have a long history of being circumvented...
As a side note this whole app is distinct from the "use your ID through your phone/NFC with applications" thing many EU countries have, though those solutions also tend to have attestation issues in most cases. But again most relevant use-cases of it can be done just fine, without the security level attestation tries to provide, if approached pragmatically.
Is some party or coalition putting forth candidates that stand against this?
They can also shut down all European payment cards.
Corruption. A taboo topic people prefer to downvote and pretend it does not exist.
But an even bigger problem is that institutions designed to prevent this from happening are not doing their job.
Thousands of security service and civil servants take their wages and look the other way.
We (America) made the decision for them. The EU's member states were either:
1. Explicitly designed as client states for the US
2. Explicitly designed as client states for the Soviet Union, with alliances switching over as the Soviet Union fell apart
3. Great Britain, a country whose electorate would probably only reconsider rejoining if the EU agreed to explicitly become British client states, because the only thing Britain hates more than France is those dastardly American upstarts[0].
The reason why this persists despite an openly hostile American president is the fact that the EU has no real alternative. The EU has a shitton of internal political distrust between member states, and the US was offering a lubricating alternative: "Just trust us." Politically distributed alternatives require balancing coalitions that are far more fragile.
[0] The history of European anti-Americanism is extremely fascinating, because it's effectively a Reactionary meme - as in, "wanting to restore the Ancien Regime" Reactionary, not "funny way to say Nazi Party member" Reactionary. And yet it's jumped across so many incompatible political ideologies that the average European probably had no clue why they hate America until Donald Trump gave them a good reason to.
I hate to beat a dead horse and have people downvote me but: the EU has always been corrupted. The knowledge and effects are not evenly distributed until it hits each niche group. Then they find out the hard way that they were useful idiots. It’s ok to be wrong/admit. Let’s just move past the infighting and see those in power for the evil that they are.
I wrote to the EU contact about this, got a patronising reply about how good it is, app being open source and what not.
Clearly tailored to the regular normie without technical skills.
Probably because the reply was written by someone without technical skills.
I’ve written to politicians over the years about technical matters and it’s uniformly either a clearly form response or an inaccurate summation of the technical risks, if I’m being charitable because they don’t understand them either.
At a certain point it begins to feel pointless.
Where did you write? Is there a link or something you could share? I am not in the EU so I assume I can't, but it would be nice to share a link so that other EU citizens could write.
If enough people write, they may start finding it relevant.
Came here with roughly the same thought. Given the stated importance to many of sovereignty and not being dependent on the US, why isn’t there more opposition? I assume it’s just ignorance?
There is some opposition, but none of it is making a dent. It's depressing. I can't decide if it's incompetence, corruption, or malice.
Digital sovereignty has only become a serious political topic in the EU over the past year. It may take a decade to see the effects of this in laws and policies.
Since you're so much more informed - which integrity guaranteeing product would you use for mobile devices that European citizens use? Covering more than 90% of population?
We have voted in the most right-wing Parliament and, by extension, Commission, in the EU's history.
It only makes sense they'll prioritize big-business interests over those of the common folk.
You want a secure identity? ISO7816 exists and is completely independent of Big Tech. The question of who should be required to show ID is different (and I'd argue the answer is "no" in most online-only situations), but there's already a solution that's been trusted by the financial sector for decades.
One of the major problems with on-device identifiers is that they must be tied tightly to devices, due to the risks of cloning. This is particularly true for privacy-preserving identifiers. That's why device attestation is so important, because you can't ensure that identity (keys) are locked to a device unless you can verify that the hardware prevents users from extracting keys. The worst part of this is that motivated criminals will certainly figure out how to extract those keys and use them for fraud; it's open-source and open computing that will be destroyed by this.
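To make the "verify that the hardware holds the key" step concrete, here is an added example (not code from this thread, the EUDI wallet, or any other project) of the check a relying party performs on an Android Key Attestation KeyDescription: it reads the attestation and keymaster security levels and the challenge. The DER blob is constructed inline so it runs offline; a real verifier would first validate the certificate chain to Google's root and then pull the blob from the extension with OID 1.3.6.1.4.1.11129.2.1.17.

```python
"""Minimal relying-party check of an Android Key Attestation KeyDescription.

Added example, not the page's or any project's code. The DER encoder below
builds a constructed sample blob; real blobs come out of the attestation
certificate extension (OID 1.3.6.1.4.1.11129.2.1.17).

KeyDescription ::= SEQUENCE {
    attestationVersion        INTEGER,
    attestationSecurityLevel  ENUMERATED,  -- 0 Software, 1 TEE, 2 StrongBox
    keymasterVersion          INTEGER,
    keymasterSecurityLevel    ENUMERATED,
    attestationChallenge      OCTET STRING,
    uniqueId                  OCTET STRING,
    softwareEnforced          AuthorizationList (SEQUENCE),
    teeEnforced               AuthorizationList (SEQUENCE) }
"""

SECURITY_LEVELS = {0: "Software", 1: "TrustedEnvironment", 2: "StrongBox"}


# --- tiny DER helpers, only what this example needs ---
def _len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(v: int) -> bytes:
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)
    return b"\x02" + _len(len(body)) + body


def der_enumerated(v: int) -> bytes:
    return b"\x0a" + _len(1) + bytes([v])


def der_octets(b: bytes) -> bytes:
    return b"\x04" + _len(len(b)) + b


def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_key_description(att_level: int, km_level: int, challenge: bytes) -> bytes:
    """Constructed sample blob (not real device output), empty AuthorizationLists."""
    return der_sequence(
        der_integer(4), der_enumerated(att_level), der_integer(4),
        der_enumerated(km_level), der_octets(challenge), der_octets(b""),
        der_sequence(), der_sequence(),
    )


def parse_key_description(der: bytes) -> dict:
    """Decode the fields a relying party needs from a KeyDescription."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("KeyDescription must be a SEQUENCE")
    fields, pos = [], 0
    while pos < len(body) and len(fields) < 6:
        tag, val, pos = _read_tlv(body, pos)
        fields.append((tag, val))
    if len(fields) < 6:
        raise ValueError("truncated KeyDescription")
    (t0, att_ver), (t1, att_lvl), (_, km_ver), (t3, km_lvl), (t4, chal), _ = fields
    if (t0, t1, t3, t4) != (0x02, 0x0A, 0x0A, 0x04):
        raise ValueError("unexpected field tags in KeyDescription")
    return {
        "attestationVersion": int.from_bytes(att_ver, "big", signed=True),
        "attestationSecurityLevel": att_lvl[0],
        "keymasterVersion": int.from_bytes(km_ver, "big", signed=True),
        "keymasterSecurityLevel": km_lvl[0],
        "attestationChallenge": chal,
    }


def key_is_hardware_bound(der: bytes, expected_challenge: bytes) -> bool:
    """True only if both the attestation and the key itself live in a TEE or
    StrongBox AND the challenge is the one this relying party issued (replay
    check). A Software level means nothing stops the key from being copied."""
    kd = parse_key_description(der)
    in_hw = kd["attestationSecurityLevel"] >= 1 and kd["keymasterSecurityLevel"] >= 1
    return in_hw and kd["attestationChallenge"] == expected_challenge


if __name__ == "__main__":
    blob = build_key_description(1, 1, b"nonce-from-server")
    kd = parse_key_description(blob)
    print(SECURITY_LEVELS[kd["attestationSecurityLevel"]],
          key_is_hardware_bound(blob, b"nonce-from-server"))
```

Note that this check only tells the relying party what the attestation claims about the key; it says nothing about the rest of the device or the app, which is exactly the gap a stronger attestation scheme such as Play Integrity is meant to close.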
Yeah, but they aren't.
Google certifies devices unpatched for the last 10 years, rooted, riddled with malware, because the keys have leaked.
Google knows and still sells the lie.
But you should know better. Google is not selling the actual security, it's just protecting its business.
Don't hardware identifiers also mean that Google can blacklist your device from vast portions of the internet whenever they feel like it?
Only if you need to have the entire application behavior (or at least some trusted confirmation) attested, right? Otherwise, an external USB dongle, tapping a contactless smartcard on a phone etc. could do just fine.
>To reduce platform dependencies, we also evaluate additional platform independent signal sources. In this context, we evaluate signals from runtime application self-protection (RASP) systems, for example. We also might revisit later whether there are comparable security mechanisms for other platforms.
They're basically saying they have no choice but will evaluate better options.
So the follow-up question is: Are you going to push the EU & governments to do the logical thing and start developing, with your tax dollars, the necessary software & hardware to make it into the public domain so they aren't reliant?
Mostly it seems like few people see the need for bringing government into software, no matter how much software & hardware are becoming essential utilities.
There is the alternative to not pursue domestic spyware in the first place. Especially because this is tied to the attempts to deanonymise Internet users.
Protecting the children is their favorite reason for ramping up authoritarian measures.
If they really wanted to protect children, they wouldn't give them phones, tablets, or laptops until a certain age.
It's like handing a loaded gun to a kid, and saying "just don't take the safety off".
Of course kids are going to find ways around it. They are going to take the safety off.
The EU problem here is they are simply reactive, and slow at it. By ceding the active part of commercialized innovation to the US (because paying the people that do such things what they're worth is simply incomprehensible) they allow them to dictate the terms of engagement. The utter dependence on WhatsApp being a shining example, as well as cloud services in general.
If anyone wants to assert control they have to be where the puck is going instead.
AFAIK this is not true. The Austrian eID also works on GrapheneOS (with an initial warning). It's some national implementations (such as the German one you linked) that enforce this.
> Apparently protecting the children trumps sovereignity.
Capital remains sovereign in Europe.
I think you misread the parent comment.
Being a highly skilled lawyer, UN official, can get you banned from all EU government services if the Drumpf doesn't like the fact you're investigating war crimes.
A part of that has already happened.
"protecting" the "children"
Our civilization desperately needs a method to modify modern microelectronics after manufacturing that can be used at least in a well-equipped repair shop, and it needs it yesterday.
Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM in any computing device that is marketed as a general-purpose one. I.e. the first instruction that the CPU executes after reset must come from a storage device that is physically external to the CPU package.
Or maybe we should just get rid of the "breaking DRM is illegal"-laws. See https://pluralistic.net/2026/01/01/39c3/
Those laws should die, but that's beside the point.
Modern cryptography allows for making DRM incredibly hard to break. And the disadvantage of "hardware attestation" DRM is that you have to break it not once, on a single device, the way you do to dump a "protected" movie, but on every single device that you want to use.
Yes, these are the most clearly corrupt laws that exist. It is like outlawing hammers because you may hit someone with one. It is just giving up freedom for the benefit of a few Fortune 500 companies.
That'll also work somewhat, but the problem would remain that even if it's legal to break the DRM, you can't exactly break it when it's assisted by hardware and there are no vulnerabilities in the "trusted" code.
> Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM in any computing device that is marketed as a general-purpose one.
Funny, I have a related proposal: make it illegal to sell hardware and distribute software. Or at least, if you distribute software, we don’t buy your hardware. The idea is to force hardware companies to release the complete user manual for their hardware, and incentivise them to simplify and standardise their hardware interfaces.
What I did forget was forbidding them to arbitrarily restrict what kind of software can run with their hardware, which they could if the hardware hashes the software & verifies a signature before running it. But it would seem your separation between CPU and storage takes care of that.
That's probably not going to happen for a very long time. Relatively simple SoCs already do tons of work before the architectural reset vector in undocumented boot ROMs in order to assist the reset process.
There's also tons of value in a boot ROM that can't be accidentally erased to add low level DFU routines.
Having DFU in BootROM is good. Having "secure boot" with only the vendor keys in BootROM is evil.
This won’t help; the SOC silicon can be revised to record each executed instruction from power-on until secure-boot handoff opcode, with various supporting opcodes to query status-of / overflow-of / signature-for so that the OS reports pre-boot tampering implicitly as part of developing its own attestations.
Then also make it illegal for the SoC to contain any cryptographic key material.
My intention with this is to make sure that if someone were to desolder the flash chip and reprogram it, they could completely own the device without the device or SoC manufacturer having a say in it or a way to prevent or detect it.
TFA is authored by the developers of an alternative operating system that can be freely installed on every Google phone since Pixel 6.
....and this is only Google phones solely because NONE of the alternatives meet the team's stringent security requirements.
Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM in any computing device that is marketed as a general-purpose one.
No, you just need to make it illegal to have the bootloader contain hardcoded key material and use it for verifying the code it loads.
Most of those are less "hardcoded" and more "fused into internal non-erasable memory at manufacturing time".
Not that it changes much. It really should be illegal to enforce "secure boot" with no way for the device owner to opt out of it or enroll his own keys.
> just make it illegal to ship any kind of initial bootloader
funny how you think the solution to people imposing their will on you is to impose your will on others
also, the solution you propose wouldn't work because signed firmware
And what code will verify the signature of the initial bootloader? As far as I know, in every modern implementation of secure boot that is done by that very bootloader, which is burned into the CPU/SoC. I can imagine someone implementing some sort of fixed-function block to do that, but see my sibling reply about that.
Also, governments are supposed to act in the interest of people.
It's called laws
> Our civilization desperately needs a method to modify modern microelectronics
Micro is now nano, not amenable to modification, and even if it was theoretically possible, hardware is a super-easy target for legislation.
> Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM
If you had the political means to enact such legislation, you could legislate much cleaner and easier ways to deal with the problem.
I find myself saying this a lot but I still can't quite figure out why people keep seeking technical solutions to political problems.
I mean, these things aren't comparable, in some limited cases the naive approach might help but insisting on it while neglecting political action is worse than doing nothing.
It's amazing that we're letting the Google Apple duopoly completely decide who can and cannot use completely unrelated services.
Imagine getting banned from Google services for anti-Google views and being unable to log into your bank account. We really should break up Alphabet.
It is naive to think that this is being done without the full support of the government. They won't step in to stop it.
I am reminded of the period when secure boot was being developed for PCs.
Microsoft certainly wanted to be the only company whose OS was allowed to boot with secure boot turned on.
Google should not be allowed to close the supposedly "open" ecosystem they created any more than Microsoft was allowed to.
When it first shipped out, Secure Boot was used to lock other OSes out on early devices, it was after pushback that it was implemented such that it allowed you to enroll your own keys.
That said, there are countless mobile devices with locked bootloaders and boot integrity attestation that will never run anything other than OEM OSes. That's equivalent to a locked Secure Boot + UKI-like system on PCs and it's already here.
> the period when secure boot was being developed for PCs.
You mean right now? At a firmware level, the scope of "trusted computing" is expanding with every passing year.
> close the ecosystem they created any more than Microsoft was allowed to.
We are in the process of allowing Microsoft to close the PC platform. TPM is required to run Windows now. Nearly every new PC ships with "secure boot" enabled, adding a new technical barrier to escaping Windows that didn't exist before. Remove that toggle from the BIOS, and you now effectively have a vehicle to Windows-only PCs.
It's much worse than just TPM now: https://learn.microsoft.com/en-us/windows/security/hardware-...
All modern PCs ship with Pluton coprocessors. The end-to-end remote attestation hardware infrastructure is all already there, waiting for someone to flip a switch and turn it on.
I always say this when this topic comes up: remote attestation will be how our computing freedom dies. They've made it so that it doesn't even matter if they allow you to install whatever you want. Anything that isn't corporate owned is banned. Own your device? You "tampered" with it. You're banned. From everything. You're ostracized from digital society. You're not even a citizen, much less a second class citizen. Enroll your own keys? It doesn't matter. You're not trusted. You're a fraudster terrorist money launderer drug dealer pedophile.
While I am glad that people continue to struggle, that GrapheneOS continues to fight and speak out, these developments still fill me with a terrible sadness. The future is bleak. We inch ever closer to the complete destruction of everything the word "hacker" ever stood for. It's a deep loss.
While I agree, I think there's a better way to frame this with the public. We don't need to bring in pedo references. That looks very unhinged to most people.
There's already a lot of support out there, in both public opinion and the law, for the idea that if I pay for something physical like a device, I own it. Any substantial alteration in its functionality, especially a reduction in what it can do, requires my consent. Reduction in what it can do should require my consent. Just because tech made it possible for the manufacturer to brick my phone or my car, start charging me extra for certain features I already paid for, or block the apps the OS vendor doesn't approve of doesn't mean they should or that it's even legal to do so. Additionally once I buy the device the vendor has zero business telling me how I can modify it, or whether I can repair it.
I own the thing I bought, fucker. It's my property and I have property rights. The corp has no right to steal away part of the thing I bought or change the terms after the fact. It's potentially criminal if they try.
This framing resonates with a lot of people.
The guy who really exemplifies this positioning at the moment is Louis Rossmann and by focusing on these widely understood and popular concepts, he's gained the ability to direct an enormous amount of attention to an issue. He can absolutely swamp a legislature with letters from angry constituents for example when he gives an issue visibility.
Frame it as theft because it is. If they push an update without my consent that removes functionality or sabotages my ownership of the device, it's theft. At the very least product liability laws should apply. Some part of what I bought stops working, that goes to product liability. But I'd take it a step farther and say we're dealing with straight up theft.
> We don't need to bring in pedo references. That looks very unhinged to most people.
Sorry for how you may feel about it, but that *is* how it's being framed for the public..
https://europeanconservative.com/articles/news/eu-parliament...
The problem with the reasonable framing you suggest is that it gets thrown out of the window the moment someone utters Protect the Children®. I'm willing to bet that most people, including those with kids like myself, don't truly believe that surrendering our basic rights to better protect the children is a rational thing to do, but they would never dare to push their opinion publicly. The few that do get all but labeled as, you guessed it, fraudster terrorist money launderer drug dealer pedophiles.
It's the Emperor's New Clothes in real life but for morals. No amount of Rossmanning is going to help society walk back its collective hypocrisy.
I love how this is a problem caused by Big Tech (AI), with “solutions” brought by Big Tech (FAANG etc) and “countermeasures” will also be brought in by future billion-dollar industries (domestic-proxy provider BrightData is 1B already) while we will depend on existing Big Tech for “protection” (Cloudflare will remain a big player).
At this point the internet is exactly like the film Matrix, where humans are merely an implementation detail in the whole system.
Keep fighting. Spread the word. Ensure that everyone you know is aware of the totalitarian implications.
The only way to sure defeat is to surrender.
I will, but it doesn't look good.
The most dangerous thing in computing is safety.
"Secure" is great. But when you hear "safe", that means there is some corp in the shadows predating on you because <insert boogeyman>. They decide what safe means, not you. They will abuse you to no end while keeping you "safe".
That's why companies always remove the features that keep you "secure" and give you ones to keep you "safe".
> You're ostracized from digital society. You're not even a citizen, much less a second class citizen.
Before anyone downplays this concern as scaremongering and slippery slope fallacy stuff, keep in mind that countries are shifting their national ID card infrastructure to online services which are fundamentally designed around attestation. Moreover some classes of services such as banking are progressively increasing the requirements that your software and hardware need to meet to allow you to manage your own property.
Hardware attestation is like hardware DRM. It is intended to limit and restrict abundance. Abundance of clients (as a proxy for user attention) and abundance of copying, access and replay (as a proxy for "piracy"), resp.
It won't matter to the masses, it won't hamper "bad actors" because hackers will find flaws instantly.
It's just enshittification.
I hope you're right. I truly do.
> hackers will find flaws instantly
Yeah.
https://tee.fail/
The ability to circumvent these cryptographic attestations and pretend to be a "pristine" corporate owned device while in fact being free will be a key strategic capability in the future.
They will no doubt pour billions into improving the technology though. I'm not sure if such a capability can be maintained over the long term. We don't have the resources.
A fraudster, a terrorist, a money launderer, a drug dealer, a pedophile—these are actually a huge audience for whom the IT industry can release separate versions of the operating system and hardware. And that audience will pay for it. For the vast majority of ordinary people who consume IT benefits for free (being a commodity themselves), it makes sense to use controlled products.
It doesn't have to be controlled in such a way that it produces monopolies or enables surveillance.
> these developments still fill me with a terrible sadness.
I wish they filled you with anger instead. It’s not too late. You’re not alone.
I think it's quite telling that this comment was written in Brazil. The so-called Third World is the future source of freedom (or Western countries that become third world perhaps). It may not be a bad idea now to start building open compute and banking alternative ecosystems based in those countries, marketed at Western citizens.
The third world is also pushing Digital ID. In fact they would love it even more than the first world as it would allow for even more totalitarianism.
all "hackers" be vibe coding b2b saas these days
the meaning of this word has diluted so much
> Own your device? You "tampered" with it. You're banned. From everything.
Don't worry officer, my device is completely clean. Here you go check it. Why yes, I absolutely only ever use it for banking and updating linkedin on a suspiciously empty gmail, and keep it on silent 100% of the time. What's so odd about that? What? No, I just re-read a lot of books, that's my hobby, I read Catcher In The Rye 20 times a month.
...
It's about time people realize the concept of a real phone and a civilian phone as one and the same is dead.
In fact.
You don't need a "real" phone. Just the civilian one.
I use what's basically a portable retroconsole for entertainment. Including reading, incidentally. From its perspective, it is just a computer. Let's make it a competition, puny phones versus portable computing. Name me one thing you think it can't do, in return, I'll fire two YOUR phone can't right now, back at you. I'll forward two: It can run tmux and has a copyparty toggle for a portable filestorage on it. Yes, you can do both on the phone. But yours can't right now, and you will suffer trying to get it, while mine, it was 2 command lines and one config file each.
For once, we may be "saved" thanks to Trump. Because of the brutal change in geopolitics he triggered, the EU is now actively looking at all the hard dependencies on US controlled systems. Android and iOS are two of them.
I cannot tell if the alternative solution will be better, but I do think we will develop alternatives.
The EU is only making these statements until the US has a new president (with the same ideas of Trump, as has always been the case, but saying nice things in public).
Also, in the meantime, their announced "sovereign solutions for the European citizen" look ridiculous: now you'll be free from Visa and Mastercard for your payments but at the same time you'll need a phone approved by either Apple or Google.
Are they really tho? The EU is currently enforcing a digital ID that will depend on Android and iOS in most implementations
Do you consider being banned in a video game because of hacking to be an example of something killing computing freedom?
The user still maintains all the freedom of doing whatever computing they want on their own machine, but if they want to play with others who don't want to play with cheaters then they have to use the official client.
For people who want a high degree of freedom and be able to access as many digital services as possible I foresee such people using a hypervisor that runs both a provable secure OS and another OS that is as free as they want.
How about being banned from online banking, government services and all social networking / communication platforms? Because that's the road we're already heading down.
What makes you think they will give us this magical hypervisor capability? It's more effort, increases the chances someone finds a bypass and takes power away from the incumbent online platforms. It's so much easier to just prevent it all. The only reason it hasn't happened yet is the amount of devices without this ability in circulation. But that number is shrinking rapidly.
I think you got it reversed.
Gaming and such are dedicated services. Fine if people agree to pay premium to have the required platform / console / etc.
General services such as communications / banking must be free, and must not require trusted hardware on the end point. The services must be designed to be secure even in the case of compromised end points. But that's against the current trend where all banks are trying to push all the responsibility on the end user because they want to reduce their costs. There are plenty of solutions but they don't go for it because it's not in their interest and they want to squeeze out any little penny of infrastructure cost.
> Do you consider being banned in a video game because of hacking to be an example of something killing computing freedom?
No. It's the constant attempts to invade our computers and "prevent" the unwanted behavior that are problematic. See kernel level anticheat nonsense. They want to own our computers.
> if they want to play with others who don't want to play with cheaters then they have to use the official client
They should be able to play with whatever client they want. It's their computer, it should run whatever software they want.
We had fun in online games without kernel level nonsense. Why do I need to compromise my hardware when the problem is an outlier in the social graph? Anticheat is part an arms race and part just raising the bar so people can't cheat too easily. That said you can feed a video feed into a Kria K26 or even a pi or jetson and make automatic targeting completely transparent to the kernel. Then what? Hardware attestation in peripherals?
How do old boomershooter communities tackle cheaters? When and why do methods that work on a social graph fail or necessitate anticheat? I agree on the hypervisor part. Putting different applications in microvms would be good for isolation.
With all of the discourse around hardware attestation, digital ID, and age verification in recent weeks/months, is there actually any good solution to the problems these existing tools (Privacy Pass, WEI, Fraud Defense, uploading IDs) claim to solve? Are there open and privacy-preserving standards that can solve the problem of bots and minors? If not, what would be required to establish one, and is it realistic?
Businesses will do what businesses will do, but it seems to me having something to point to and saying "do this instead" is more effective than "this sucks and isn't even about security, don't do this at all" even though it's true.
What even is the problem? I keep my kids' computers in the living room where it's easy to see what they are doing. Their LAN shuts down at night when I'm asleep. They don't get full control of their own cell phone until they are around 16 years old. Bots on social media discourage me from using it which is a Good Thing if you ask me.
The problem is that companies have a legitimate reason to want to block AI agents and verify the users are actually real. And it's incredibly difficult to do that when the old methods of clicking on squares or reading blurry words don't work anymore.
Solving proof of humanity is very difficult without tying to some kind of difficult to replicate or automate ID.
> Bots on social media
... are not problems, no - but bots in general are
There is a good solution to these problems. Exhaustive punishments and forcefully ceasing operations for repeat offenses.
China has all the tech giants jumping through whatever hoops they want by banning them by default and only allowing whichever ones they want to operate after they meet their strict policies and ad hoc decisions.
Now that the US has decided the EU is a rival, the EU should do the same.
Thank you for offering this take -- it is the only forward looking one.
The anonymous internet is going away -- it is too supportive of crime and various kinds of gray area misconduct, and governments and large corporations were eventually going to do something about that.
Such a degree of anonymity is desirable, but it is not a requirement for a free society. What were things like before the internet? You couldn't anonymously browse billions of pages of information in 1960.
> Are there open and privacy-preserving standards that can solve the problem of bots and minors? If not, what would be required to establish one, and is it realistic?
Ideally there shouldn't be standards for this. What we have already is enough.
Companies claiming they are closing down their services/devices to protect the users is total BS. Facebook has admitted they get 10% of their ad revenue from scams, and that's the reason they won't go after scammers on their platforms.
Same can be said for Google. They could come up with numerous ways to block bots or make captchas harder for actual bots (while also not flagging every non-Chrome user as a potential bot, like they do nowadays), but they pretend this is an unsolvable problem that requires a nuclear solution; it used to be Web DRM but now it's called Fraud Defense.
I disagree. Bots have always been an issue, but now every form of CAPTCHA that can be solved by a human can also be solved by a multi-modal language model. Bots are slowly taking over in forums where they previously would have been immediately spotted and banned.
If the only argument you can make every time someone proposes an onerous, privacy-destroying solution to this problem is deny the problem exists, you're going to lose.
GP is correct, we need an alternative we can point to.
The people pushing for age verification have already said that they want to know who's behind every account on every website on the entire Internet. They won't accept any open or privacy-preserving standard.
Partially apropos... There's a Heinlein quote that goes "When a place gets crowded enough to require ID's, social collapse is not far away. It is time to go elsewhere."
Which I think in this case may mean that I'm hoping an Apple or Google exclusive id system couldn't be ubiquitous enough to be required. But forethought doesn't seem to be modern man's strong suit.
The thread is a bit vague. Am I understanding correctly that GrapheneOS Foundation's objection isn't to attestation per se, but that they can't participate in Google-controlled attestation APIs? In other words, although GrapheneOS can be cryptographically attested, apps using Google Play Integrity won’t accept it because it isn't Google-certified/GMS-licensed?
My impression is that they are against remote attestation in apps/websites in general and if apps really want to do it, they should do it using the attestation API that AOSP already provides. The attestation API in AOSP allows companies to trust signing key fingerprints (such as those of GrapheneOS), which means that the attestation system is not controlled by a single company (Google).
The most damning part about Google Play Integrity is that, as the thread states, Google lets devices pass that are full of known security holes, whereas they do not allow what is very likely to be the most secure mobile OS. This shows that they only use it as a method to shut out competitors and to control Android device manufacturers to pre-install Google software like Chrome (otherwise their devices do not get certified and won't pass Play Integrity).
IANAL, but anti-competition lawyers/bodies should have a field day with this, but nobody seems to care. Worse, the EU, despite their talk of sovereignty, adds Play Integrity-based checks to their own age verification reference app.
I recommend every EU citizen, also if you do not use GrapheneOS, to file a DMA complaint about this anti-competitive behavior:
https://digital-markets-act.ec.europa.eu/contact-us-eu-citiz...
Also, every time this comes up, @ the relevant EU bodies, commissioners and your government's representative on Mastodon, etc.
> very likely to be the most secure mobile OS
> IANAL, but anti-competition lawyers/bodies should have a field day with this, but nobody seems to care
I'm gonna take a wild guess that proving the above statement in court (and then its necessary impact) might be a significant obstacle here?
> The attestation API in AOSP allows companies to trust signing key fingerprints (such as those of GrapheneOS), which means that the attestation system is not controlled by a single company (Google).
I wonder if this would exclude rooted OSes, non-relocked bootloaders and things like that? Sorry for stupid question, still not quite understanding how this works.
> Am I understanding correctly that [...]
What I took away from the thread is that they're against services forcing attestation in general, and also pointing out that Play Integrity isn't about security, but rather about control, because Google could trivially make it work with GrapheneOS (which is more secure than any other Android OS on the market) but they won't.
> …Google could trivially make it work with GrapheneOS (which is more secure than any other Android OS on the market) but they won't.
But if Google did support third-party attestation, would the GrapheneOS Foundation be happy? Most of the thread seems to be a call for attestation to die, which feels impractical and unachievable. But "Google could use it to permit GrapheneOS for Play Integrity if that was actually about security" seems to be the real ask, and that seems reasonable and achievable. If that's true, I think it would’ve been more effective to lead with that and focus on it.
It is not only about Google. It's also about the app developers. Nothing prevents them from using the non-Google attestation, however, they decide not to use it (for many reasons). The first time you actually notice this is when you have installed GrapheneOS (attestation OK and bootloader locked) and some apps complain about a modified/rooted/... device. Another thing is that you are warned by your Google device while booting that something is "not OK".
It's a different thing if banking/government apps require a device certified for security, and a different thing if this certification certifies that the user's device has Google spyware preinstalled with elevated privileges.
Google doesn't certify devices based on security, so that kind of attestation should have no place in banking/government apps, otherwise it just enforces the duopoly.
It's hard to listen to arguments when everything is so hyperbolic. The stated rationale for attestation for captcha is to ensure there is a human on the other end and not a bot. This requires a system which is not capable of automated input. The other use case is for ensuring that an application is running on a system which protects the app from being tampered with (by the user, malware, or otherwise). While that seems to run counter to the preferences of the hn userbase, it is a legitimate desire from an application developer.
Neither of these situations are related to any so-called spyware. The fact that Google is involved here had to do with the fact that they are a trusted party for folks to rely on to ensure the desired properties are being met, nothing more. In theory it should be possible for other parties to provide similar attestation, but that party needs to be deeply involved in the OS and boot chain. Apple is obviously capable and is equally trusted. Graphene probably provides the necessary properties but lacks a good way to attest due to the reliance on Google specific attestation APIs. That could be remedied. Otherwise Graphene would need to create their own APIs and applications would need to use them, which would be a harder sell. In both cases the party asking for the attestation needs to decide to trust Graphene, which is still a barrier, but that's an easier way forward. Alternatively, Google could trust Graphene and everyone who already trusts Google would inherit such trust.
It's impossible to say. But as a reminder from Cory's first talk on enshittification... When Google and Facebook were small, they would argue for open protocols and competition. Facebook would reverse engineer MySpace's protocols to allow people to migrate away. Once FAANG became dominant, they went the opposite direction to build monopolistic practices.
GrapheneOS is still small and appears honest. Despite them being in the right in this fight and them deserving our support... We gotta keep them honest in the long run!
I don't think there's any way to tell if a small company will keep their values if they succeed in getting enough market share.
> I don't think there's any way to tell if a small company will keep their values if they succeed in getting enough market share.
That is why all companies should be small and no company should ever have a huge market share.
There's a thread a while back where they were VERY angry at someone trying to set up their own attestation project database (essentially a list of known Android builds and their signatures).
They want apps to add their signing hashes manually just for them and don't want to join projects that would aggregate and act as a database or certificate authority.
You mean Universal Attestation, which is from a vendor cartel, of which most of the individual vendors are typically waaaaay behind security updates, etc.
Observations:
1) Only law can fix this. Anybody (looking at you ancaps) telling you "if you don't like it, start a competitor" doesn't understand how the economy and network effects work.
2) The general population is a combination of not caring and not even being smart enough to be able to understand. If everyone votes on everything (like most "democracies" where you vote for parties), bigger issues like healthcare, abortions, LGBT will dominate and everything else is noise.
3) People who don't know what public-private crypto or zero-knowledge proofs are shouldn't be allowed to vote on issues where these are relevant factors.
4) We need to fix voting so people can vote on only the stuff they care about and only the stuff they are actually informed about. This works in small teams of highly competent people - at work or in FOSS - and only when they have the same goals. Politics is by nature adversarial and I don't know how to fix this.
Is it possible to dual-boot on android? It sounds defeatist but I no longer believe it’s possible to change course - the increasingly authoritarian governments, google and most moneyed interests are all on the same side, so it’s just a matter of when.
Being on the palantir-approved google ranch for the few Apps You Need + graphene (or some other alt OS) for everything else would be quite inconvenient, but still better than carrying two phones, which nobody wants to do.
Dual booting would sacrifice a lot of the hardware-based security feature integration and would be much further from passing attestation checks. GrapheneOS fully supports hardware-based attestation but Google doesn't permit it in the Play Integrity API. Directly booting the fully unmodified stock OS is required to pass the hardware attestation checks for the stock OS. GrapheneOS appears as GrapheneOS in the attestation metadata and a dual boot setup would appear as that specific dual boot setup. Since it would have a bunch of security sacrificed for it, it would be far harder to convince services to permit that. It would be counterproductive.
GrapheneOS has near perfect app compatibility other than the Play Integrity API banning it from the overall tiny number of apps using it. It has per-app compatibility toggles for privacy and security features which trip other anti-tampering checks, find memory corruption bugs in apps, etc. There are a couple known compatibility issues from anti-tampering checks from the secure spawning feature but it has a toggle.
The stock OS isn't what's needed but rather directly booting it from the firmware with 0 modifications. Dual booting would require booting something else and major modifications to deal with hardware APIs not designed for multiple operating systems using them at the same time. Secure element / TEE APIs including the hardware keystore and attestation, etc. are not designed for dual boot. A/B updates, verified boot, firmware updates, etc. would need to be dealt with by the bootloader system. It would be complex and messy. The end result would not be a hardened device or one compatible with standard attestation checks.
GrapheneOS said that's not possible, but I'd actually want to see some expanded explanation.
TEE attests that the OS is booted with a given AVB key, OS version and the bootloader unlock state.
But I know that vbmeta is per-slot, so I guess the whole chain is... I also read that if you flash "custom_avb_key", the original AVB key is also permitted...
Could this mean we could theoretically dual-boot while being able to flash the OS manually using fastbootd?
Credential Encrypted userdata would be inaccessible though, I'm not sure if the second OS could mount that partition at all.
But I'd like someone more competent to address all this.
Dual booting would be much further from passing attestation checks and would be incompatible with a bunch of the hardware-based security features. The boot slots are needed for A/B updates and include the firmware partitions. They're not useful for this and don't provide useful functionality for it. It would be entirely possible to build a bootloader for loading multiple different operating systems but it would be a hacked together mess without proper firmware updates or security. It would require heavily modifying both GrapheneOS and the stock OS to fit them into it. It would require losing a lot of the hardware-based security integration. What would be the point? The end result would be much further from passing attestation checks than GrapheneOS. GrapheneOS has near perfect app compatibility with the exception of the Play Integrity API. Other anti-tampering checks are largely compatible with GrapheneOS with the exception of tripping from certain hardening features which is increasingly being resolved with workarounds and there are toggles to avoid it already.
Some retrogaming devices have multi-boot options where you can pick between android and linux (e.g. Anbernic RG353V).
i cannot speak to the current situation, but years and years ago, it was a thing. i had a crappy motorola razr smartphone in like 2012 that i set up dualboot on, and i think i also had dualboot on my google nexus 5, though i could be mistaken about that. it was a thing though.
Well, authoritarian governments don't like to be at the mercy of another country. So even for authoritarian governments it would make a lot of sense to allow open source alternatives like GrapheneOS instead of depending entirely on US monopolies.
Banking apps are the deal-breaker for me. I only do business with banks that offer alternative ways of securing transactions e.g. eTan / ChipTAN / PhotoTAN with a separate reader / generator (see https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbr...). This is probably a pretty European thing to do, but at least it avoids being locked in and being tracked.
I'm happy that my bank (still) allows me to have both a stand-alone reader and a mobile app to authenticate. Because if you lose your authentication device, a lot of things suddenly get a lot harder.
I also tried to use an old phone as a backup device. However, most authentication apps only allow it to be installed on a single device.
I did that too (in Austria) for a long time. Fortunately my Bank (Erste Bank / Sparkasse) fully (almost fully, no nfc pay, since it depends on GPay) supports GrapheneOS now
It is definitely a monopoly enabler. But also a threat to speech. You can only participate online if you have attested hardware. And that hardware will be tied back to you. It’s another threat to privacy like age verification laws.
Safety is the pretext. This is the actual reason why this is happening, and why it is accelerating now
It's so obvious to me states need to create a soul bound identity system, replace social security numbers with it, and then let everyone else use cryptography on top of that (which is now cheap when you don't care about sybil attacks) to do private stuff.
The places you actually need an ID are so rare, I don't think it's worth it to build such a system (and no, porn or social network definitely aren't valid use cases).
It's a problem in search of a solution.
> It's a problem in search of a solution.
The cynic in me suspects it's a way of slowly but methodically eradicating online anonymity and thus anonymity in general.
Any system mandated by the government will have a backdoor to deanonymize users. Nothing would convince me otherwise.
Let me try anyway (maybe I'm a masochist)
First I'll say the government already has an ID system with a backdoor they mandate you use (your federal social security ID and state ID). The backdoor isn't very interesting because anyone with your ID in hand also has it.
So how about this:
1. State assigns citizens an ID at birth
2. State allows citizens to submit a public key along with their ID at any time
3. Citizens can go to their bank / private social network / whatever and say "this is my public key, you can use it to sign messages to me, and you can verify someone a) alive and b) a citizen of $state is reading it" (from here you can bootstrap whatever protocol you want)
4. The state<>citizen network established in (2) is constantly under attack as stealing someone's private key is valuable, so you also need a legal and technical framework to defend it
The protocol for submitting private keys and defending it from attack is a much longer post, I'm convinced there are ways to do it that drastically favor defense over offense, but that's not the point here.
Our question is can a government force its way into the protocol you bootstrapped on top?
How would they?
1. They could reset your public key to one they control the secret to, and then impersonate you digitally to break into your bank or social network. However I don't think they could do this secretly (the key update would necessarily be publicly visible), so it's not really a back door. They can already do this with a search warrant. And if you're paranoid you can bootstrap your secondary cryptographic networks with multiple factors. So, this is on net more secure for you.
2. They could try to recover your secret key by force or warrant - but again not a back door.
I think the real concern isn't backdooring, it's blacklisting: if this system becomes the L1 for every L2 cryptographic interaction, they can practically remove your ability to freely transact. But that's a political problem you address with political means, I'm convinced from a technical perspective this is more secure and far cheaper for everyone.
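The state-registry-plus-citizen-key scheme sketched in steps 1 to 4 above, as an added example that is not part of the original comment: a toy hash-chained key log in which a bank verifies a challenge signature against the citizen's currently registered key, and a key reset by the state shows up as a second entry in the public log rather than a silent backdoor. The citizen IDs, the challenge nonce and the registry API names are constructed assumptions; the log is exported so the citizen can audit it for rotations they did not request.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyEvent is one entry in the state's append-only, hash-chained key log.
// Every submission or reset lands here, so a reset by anyone (the state
// included) is publicly visible rather than a silent backdoor.
type KeyEvent struct {
	CitizenID string
	Seq       int    // per-citizen sequence number, 0 = first key
	PubKey    string // hex-encoded ed25519 public key
	PrevHash  string // hash of the previous log entry, chain-wide
	Hash      string
}

// Registry is the toy state-run directory (constructed for this example):
// IDs assigned at birth, keys submitted later, plus a liveness flag so a
// service can check "alive and a citizen" before trusting a signature.
type Registry struct {
	Log     []KeyEvent // public: anyone, including the citizen, can audit it
	alive   map[string]bool
	current map[string]ed25519.PublicKey
	seq     map[string]int
}

func NewRegistry() *Registry {
	return &Registry{alive: map[string]bool{}, current: map[string]ed25519.PublicKey{}, seq: map[string]int{}}
}

// AssignID records a new citizen at birth (step 1); no key is on file yet.
func (r *Registry) AssignID(id string) { r.alive[id] = true }

// MarkDeceased flips the liveness flag; the registered key stops verifying.
func (r *Registry) MarkDeceased(id string) { r.alive[id] = false }

// entryHash chains each entry to its predecessor so edits or deletions show.
func entryHash(prev, id string, seq int, pub string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d|%s", prev, id, seq, pub)))
	return hex.EncodeToString(sum[:])
}

// SubmitKey binds a public key to a citizen ID (step 2). Submitting again
// rotates the key and appends a new, visible log entry.
func (r *Registry) SubmitKey(id string, pub ed25519.PublicKey) error {
	if _, known := r.alive[id]; !known {
		return errors.New("unknown citizen id")
	}
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	prev := ""
	if n := len(r.Log); n > 0 {
		prev = r.Log[n-1].Hash
	}
	ev := KeyEvent{CitizenID: id, Seq: r.seq[id], PubKey: hex.EncodeToString(pub), PrevHash: prev}
	ev.Hash = entryHash(prev, id, ev.Seq, ev.PubKey)
	r.Log = append(r.Log, ev)
	r.current[id] = pub
	r.seq[id]++
	return nil
}

// VerifyCitizen is what a bank or social network runs (step 3): given the
// challenge it issued and the citizen's signature over it, confirm the
// signer holds the currently registered key of a living citizen.
func (r *Registry) VerifyCitizen(id string, challenge, sig []byte) error {
	if !r.alive[id] {
		return errors.New("citizen unknown or not alive")
	}
	pub, ok := r.current[id]
	if !ok {
		return errors.New("no key on file")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not match registered key")
	}
	return nil
}

// VerifyChain recomputes the hash chain; an edited or dropped entry breaks it.
func (r *Registry) VerifyChain() bool {
	prev := ""
	for _, ev := range r.Log {
		if ev.PrevHash != prev || entryHash(prev, ev.CitizenID, ev.Seq, ev.PubKey) != ev.Hash {
			return false
		}
		prev = ev.Hash
	}
	return true
}
```

A service that wants the "alive and a citizen" check only ever sees a public key and a signature over its own nonce, so the registry learns nothing about which bank or network asked.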
My driver's license should have some anti-tamper identity proof that can do a challenge response. Or let me go pay a few bucks for an identity proof at the post office.
There must be a dozen other ways smarter people can think of but identity verification kills profits so the smart people don't work on them IMO. It's more profitable for social media to be an astroturfed shithole. It's more profitable to remove control of your PC.
Social media in an ad economy serves two masters.
End users should be authenticated so you can prove you're selling real eyeballs in the demographic mix you claimed to marketers and to provide lip service for the 'think of the children' regulators.
But anyone who's paying for ads should have as little friction as possible to dropping money and spewing garbage.
I'm surprised nobody is looking at some sort of "corporations are people" angle here-- we've attested the device ownership, but it's owned by the Lorem Ipsum Corporation, which is a legal/demographic dead end and spawned just long enough to buy the device.
Yeah, agents are making self sovereign identity so much more relevant. We have all the technology. But identity is the main driver of the monopolies, they won't give it up unless forced to, maybe not even then.
We also need liability. Every time someone’s data is lost, the company losing it must be held accountable. They owe us huge amounts of money, and executives + board members should be jailed. No free pass.
Let’s see then if they really want to collect all our information all the time. Right now, they take it and handle it irresponsibly because they’re free from consequences.
The dependency tree for anything in the software world is so large, that liability like you describe is not feasible. Tomorrow Anthropic's latest model will find an RCE in SYNs being sent to a server? Who is "liable" when you lose your Google account, your bank account, access to your car and all ways to prove to the government you are who you are all at the same time?
You just need to deploy auditable (source-available, reproducible-build, firmware checksums LCD on-chip) biometrics booths that generate private keys from normalized biometric inputs, and then use those ephemeral private keys to generate and sign portable identity keys. Most people have fingerprints and retina patterns and that’s twelve signatures on an identity alone, allowing for continuity across severe biometrics events like regrown fingertips etc.
A nonprofit business could do this if backed by all existing dotcom and bitcoin billionaires. But they’d all want to profit from it, so either non-profit (NGO) or governmental it is.
Fun fact: this is already a core function of USPS. They serve as an identity verification hub for both US passports and their informed delivery and PO box services. They just have a human-dependent process rather than an identity-generator booth. So they’d be perfectly positioned to take your ID, hand you an attestation request QR code, and get your identity-signatures on it — without being able to reverse-engineer your biometrics from those signatures, but still being able to detect gross variances when someone else tries to lie about being you in a future verification.
Anyways, none of this will likely ever happen, but the rich tech folks could make it happen at any time if they cared to. Instead we get THE ORB which is doing retinas as a for-profit without auditable artifacts or hardware. Sigh.
I think you can do it without any biometrics at all, although using it as a second factor could make it smoother.
I'd propose the primary factor is social - when a child is born there is a recorded attestation from the family and care providers about the minting of a new soul. When keys are compromised you similarly seek attestations from your social network (or social worker) that you need to furnish a new key.
The network could be attacked by literal force, blackmail, or deception, but it's very expensive compared to the defense (strong legal punishment for attempts to subvert the network).
That last part is why I think the state has to do it, not technologists. There has to be a strong legal and cultural immune system in place to defend the network.
> biometrics booths that generate private keys from normalized biometric inputs
Isn't this basically worldcoin? Aside from the fact that worldcoin is run by people I wouldn't trust to watch my cats for an afternoon, the core principle with well thought out ZK crypto could work well.
I agree with Graphene's take here.
I've defended app attestation against baseless criticism, but this is a valid take.
The only nuance I would make is that hardware attestation as a technology isn't inherently anti-competitive but rather the way these companies implement it.
I would love to see a non-profit attestation service that publishes a list of allowed OS's, and roots that are deemed secure based on reality.
We will be truly screwed when internet providers will only allow attested hardware to access the internet. Doesn't even seem like an outrageous outcome anymore.
Taken a step further, we could be heading for a world where if you don't run the Dictators approved device including all of its spyware, you're locked out of everything.
I'm sure this will happen in non-free countries quickly if Hardware Attestation becomes commonplace to access basic services.
It's the 3rd or 4th of threads like this in the front page and it's still not clear to me what are the alternatives that privacy advocates vouch for? Dead internet theory is happening, you have botnets with more budget than most of the third world countries and you could also add openclaw usage to same bucket. There's a real need for a protocol or specification for how to attest that an action was really done by a human and that human can be proven to be the one the service provider think they are. I don't think cryptography by itself would solve that right now.
> Dead internet theory is happening, you have botnets with more budget than most of the third world countries and you could also add openclaw usage to same bucket.
So what's the actual issue here? That on HN and Reddit and Instagram and X there'll be a lot of bots? As if they haven't been overrun by human astroturfers/etc for ages. Even ignoring that, what's the biggest issue you see with that, and why is it so big that it's fine to just enable a monopoly?
Your presumption that there has to be an alternative is flawed. Maybe there is none. You're saying there's a real need, great. There's also a real need for sexual assault to be completely eliminated worldwide. I think everyone would agree that need is far bigger than bots on social networks. Doesn't mean we should just jail everyone just in case.
You're manufacturing a need here as so important that by definition the ends justify the means. They don't.
I literally switched away from banks whose apps don't work on GrapheneOS.
The linked article only seems to cover Google and Android devices. Microsoft also have their take on this.
> "Microsoft Pluton security processor is a chip-to-cloud security technology built with Zero Trust principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services."
https://learn.microsoft.com/en-us/windows/security/hardware-...
Related article about that 4 years ago: https://news.ycombinator.com/item?id=29859106
It's amazing to see how many "but it won't happen" comments there.
So basically, ReCaptcha should be spun off into a not-for-profit.
The board members will be lobbied, wined and dined by billion or even trillion dollar companies. If politicians can be bought then so can non-profits.
Having said that, there may well be room for a niche reCAPTCHA-like service run by a non-profit. Perhaps one that uses a non-profit social graph or something.
it's so great to see people boosting "security" in a way that also just happens to require locking in to big-tech approved apps that send all your data to big-tech so that they can deliver ads to you via your big-tech approved device using your big-tech approved os running your big tech approved browser showing your big-tech approved video platform with your big-tech approved content (oh, and also sends your data to your big-tech approved government)
What freedoms do we value? Freedom of speech, freedom of compute, freedom to own assets, to sell our work or give it away, bodily autonomy, freedom to travel, to read, to learn?
Amid the massive hype of the Web3 crypto era, there was a kernel of useful innovation: that you can choose to have unique digital copies of things, and thus you can have a way of sending value that bypasses the middlemen, be they local thugs, bent politicians, violent regimes, benevolent dictators, or the dominant hegemony.
Having central Big Corp approve your content, or sign your executable, or take a vig on your sales, or license your hardware: these may be common, but are not a universal law of nature.
The internet itself is our best example of the value of technology open for all to use. Frankly, that is in danger.
Whether it is bogus age-checks in your OS, a hidden BIOS OS, or the move away from owning your own compute (because the GPU / CPU and RAM are priced so high you have to rent them), consumers need to pool resources and ensure open access.
Kudos to France for mandating a Linux OS for their public service workforce. Good on the Europeans for doubling down on renewables to insulate themselves from petrodollar volatility, and making sure portable devices have replaceable batteries.
Cory Doctorow has some great rants on enshittification. Gary's Economics YT channel has some great rants on why high inequality steals resources; see also Piketty.
The technocrats on this forum have an understanding of these measures the common person may not, and thus a moral obligation to weigh in on the issues and warn 'genpop'.
Resist, don't let the buzzkills wear you down.
What I've failed to understand in this whole Google reCAPTCHA discussion so far: how is this even going to prevent bot usage and increase security? What's going to stop a bot farm in SE Asia from running a fleet of Android devices?
It will certainly make some bot farms unprofitable: Remember that they are now paying for a screen, a battery, a 5G radio, software licenses, branding, distribution and customer support for which they have no use.
Also consider this: While bot farms may be able to buy millions of Android devices, they will certainly attract a lot of scrutiny as they approach the billion mark. So bot farms will never own more Android devices than humans.
> Remember that they are now paying for a screen, a battery, a 5G radio, software licenses, branding, distribution and customer support for which they have no use.
If you have the $$$, which the big guys certainly do, they'll just buy the bare attestation bits and figure out how to use them directly.
Seems to me like Microsoft might be opposed to this duopoly and have pockets deep enough to fight it, right? For one, this would make their possible re-entry into the mobile space harder and more costly but I guess it'll inevitably become a standard that other providers could fulfill.
On the contrary, Microsoft was one of the early promoters of such technology; look up Palladium/TCG/NGSCB.
Right. I know full well they're not philosophically opposed. However, this current duopoly does exclude them and increases their burden if they should ever want to re-enter this market.
I'm surprised there aren't more HNWs supporting GrapheneOS. Seems like the Venn diagram of rich people and techies who care about this would have quite some overlap, and Graphene, despite its many faults, is doing a lot of groundwork in this space
I don't think the govt should be able to set rules that limit and control adult's freedoms with computers.
I don't think the govt should be able to set rules that limit and control children's freedoms with computers.
A child can't enter a nightclub or a liquor store. The closest digital equivalents are basically permanently available to them though.
Not even the first time Google has protected its Android monopoly by (ab)using hardware attestation in its other products. The Waymo app also enforces strict integrity checking and has therefore been broken on stock GrapheneOS for months.
The best workaround for now (as the solution is always to change these regulations, not the technical workarounds) is to have a secondary smaller phone that has the SIM card, Google botnet services, etc., and use that for any verification needed or logging in to banks or whatever, and keep this device turned off in your house so they don't track you too, and use it where needed. That while also pressuring web services not to use reCAPTCHAs and similar invasive services.
To think I'm gonna live in a cross-state totalitarian world
How sad that I spent a thousand dollars to buy the phone but can't own it at all. Hardware attestation is like having a CCTV in my device, reporting everything to the company. If I want to use a safer OS, then I will be excluded by the digital society because most apps don't support it...
Being able to cut out abuse from things like cheaters is too useful of a tool for developers to give up. The big problem here, as mentioned in the thread, is that the list of approved hardware is not based on maintaining the security of the attested application but upon Play services licensing.
> Google's reCAPTCHA is planning an approach where they use Privacy Pass on Apple hardware, their own approach on Google Mobile Services Android devices and a QR code scanning system to require an iOS or Google certified Android device for Windows and other systems
I wonder if we'll get something similar happening with cloudflare
If you use Turnstile you can skip all the Cloudflare captchas.
There are a number of technological / legal hybrid policies developing that come at the very jugular vein of computing freedom - the notion of a “general purpose” computer itself. OS level identity / age verification, hardware attestation, walled garden app signature requirements. All evincing the same aim.
I found this an approachable way to understand the problem: https://byteiota.com/hardware-attestation-monopoly-tool-2/
Check if there are local digital rights groups to your country/area. I just joined two I didn't even know about. Meeting up and talking with likeminded people is a great way to get motivation for bigger change.
I agree hw attestation is net negative when forced upon end users. OTOH, when service providers use it, it results in transparency to end users [1] so it's really about how it is used.
[1] https://bmail.ag/verify
Ironically, the other top article on HN right now is CVE-2024-YIKES.
You can't have the cake and eat it too. Maybe we need to close some doors, especially if the barrier for publication is literally just a couple of prompts and uploading the result to distributor like npm or play store.
> You can't have the cake and eat it too.
One of our Founding Fathers said it best (I know the original context was different, but it fits so well with the current theme): "Those who give up freedom for security deserve neither."
Also, "the optimal amount of crime is nonzero."
https://xkcd.com/1357/
I think you are conflating free speech with the right to a platform and distribution, which isn't quite a right, or at least not as constitutional: the former is about not obstructing speech, the latter is about positively enabling it.
One of the key aspects of distribution is cost. You can pay for a domain, which is $15/yr, and a host (which can be as cheap), and distribute your software that way. Since when did we agree that randoms have the right to publish software and vanish? (And why are 'we' using such code in production with a straight face?) The internet founding fathers wisely designed domain names, DNS, ICANN, HTTP, TCP, IP, NICs. NPM is not in that echelon; NPM is gratis, not freedom.
Also, freedom is, unless you are a libertarian, a patriot or a nation, a historical concept: not irrelevant, but definitely a concept that was born out of a different time (slavery, secession), in its modern American sense; it's most definitely not gratis-adjacent.
To reference a specific American freedom: in order to have access to justice, you have to pay court fees and an attorney. There are mechanisms in place to waive those fees or have a public defender, but not even America's modern freedom developed a secondary system which pretended to have no cost, and if it did (private lateral arbitration).
I guess private entities have the right to offer public services by proxy, like with subdomains, github pages, vercel, npm packages. But I wouldn't call that freedom, in essence, the cake you can't have and eat in this case is Freedom and Gratis. You either pay the minimum costs established by the public system, or use a gratis non-free system to distribute your 'speech'.
And we the users, have the right to ignore the gratis spam and demand some sort of PoW for messages.
The system works
A Big Brother dictating what is allowed isn't necessary for your security. Virtualization can be the solution. See: https://qubes-os.org
Not to rain on the parade, but doesn't GrapheneOS only work on Google Pixel devices? I mean, that's still in the Google jail on a physical level, even if they swap out the software.
They made a deal with Motorola, so from next year we should have an alternative.
In any case, Google started to cause issues with the Pixel 10, so it's not as easy to port it.
GrapheneOS has full support for 10th generation Pixels. It was much harder to add initial support for them than past generation Pixels but it isn't harder to maintain now that they're supported.
There should be multiple 2027 Motorola flagships meeting all the requirements for GrapheneOS. They'll be providing official support for it and they're already working on porting GrapheneOS to their devices.
> google started to cause issues with pixel 10
Google started causing issues over 20 years ago.
Well there you have it.
> Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.
Even the "beloved" EU government is also in on it as well as banking apps are pushing for this too. They do not care about you and the so-called "Open Web" is already dead on arrival.
[0] https://grapheneos.social/@GrapheneOS/116551068177121365
> They do not care about you
By "they" you mean FAANG and the FTC, right? Telling the EU to respect the Open Web does nothing to protect users if you continue to approve the export of attested hardware. America is deliberately abetting authoritarian schemes.
> By "they" you mean FAANG and the FTC, right?
You might need to read the sentence again since I was quite clear who I was talking about:
"EU government"
"banking apps"
...and everyone else who benefits from pushing "digital payments, ID, age verification, etc." that will use "Apple's App Attest and Google's Play Integrity" APIs.
It isn't that hard to understand.
> Google defines certification requirements for Android which includes forcing bundling Google Chrome, etc.
Isn't this a textbook case of an antitrust lawsuit? Y'know, with the whole ordeal with Windows/IE, I assume the court would find this as blatantly anticompetitive behavior.
Man I hate threads like this, they get interrupted by comments and the cadence is all weird because of the character limit.
Heh, makes me laugh. Just recently I was trying to get Play Protect 'certification' in a virtual machine; it took a bit of haggling and legitimately obtained Samsung software to bypass it (and a 3 day gpt-5.5 /loop).
Google has proven time and time again that they don't want to make this technology fool proof and I severely doubt this will be any different.
Although I do agree that hardware attestation as a captcha is pure bullshit no matter the context.
Patents and copyright were the original form of monopoly. As long as software is not open source, it is by definition a monopoly
I can barely read this. Something supposedly this serious would be much better as a single page, a cogent, actual article.
This is exactly why legislation like the Digital Markets Act is needed.
> It doesn't provide a useful security feature, but it does lock out competition very well.
This seems to presuppose that service providers using reCAPTCHA are either clueless idiots or actively expending resources and lowering their conversion rates to support the supposed Google/Apple duopoly. That does not strike me as a plausible claim.
How does this work ? I am not sure I understand it.
Asymmetric cryptography and its consequences have been a disaster for the human race. I’m not even joking all of the centralization of power and the rise of totalitarianism tech is driving is downstream from asymmetric cryptography.
It's not asymmetric cryptography itself. It's the fact that it takes enormous resources to manufacture modern SoCs, such that the economy only makes sense if you're churning them out by millions at least. It's also the fact that they can't be modified after they've been manufactured.
It's basically those people who can manufacture chips having technological supremacy over the rest of the humanity.
It doesn't matter if you can produce SoCs if your hardware isn't trusted.
My introduction to asymmetric cryptography had to do with protecting myself from the authorities while buying drugs on the internet.
One of its first applications anywhere was protecting anti nuclear protestors from government provocateurs.
We could prevent so much fraud if we could only convince the credit card companies to start using it (instead of printing a symmetric secret on the outside of the card).
It's predominantly a force for good. If anything, its a bit anarchical.
What you're noticing is not the leading edge of a set of harms brought about by asymmetric cryptography, but rather the late stage of adoption where the bad guys realize that their enemy's sword has had two edges all this time. Every technology that mediates an adversarial relationship goes through this eventually.
With the printing press came temporary freedom followed by intellectual property. So too with radios and the FCC. So too with social media. It's useless to blame the technology. Blame the people.
My point is that as far as I understand (not a cryptography expert) once you have the mathematical concept of asymmetric cryptography you also have the mathematical concept of a certificate, so you can't have one without the other.
Exactly. The weapon is available to all, but only parasites like FAANG can afford to hire the best brains who know how to wield it. As Apple uses it to take a 30% cut of everything on their device, the “democratized” PGP features in mom’s mail client gather dust.
FFS, cryptography is not the problem. How many times will we have to shut down that particular stupidity? Asymmetric cryptography is a cornerstone of basically all online secure communications, and has been since before Google and Apple were even founded as companies! (First invented in 1970)
When did HTTPS ever hurt you? That's built on asymmetric cryptography. Wherever you see the word "secure" it's basically shorthand for asymmetric cryptography.
HTTPS
SSH
SFTP
E2EE
It's asymmetric cryptography all the way.
Easy there I don’t want to take away your encrypted messaging. I’m just pointing out that the technology that enables it also enables the techno-totalitarianism we have been seeing rise since the mid 2010s
You don't need asymmetric crypto to make remote attestation like this.
Google can put an HMAC key in each device which it knows and keeps secret. The device can author authenticated messages using it. Of course, only Google can verify them, but it appears that the workflow in this depends on Google in any case, and if anything that limitation would be more a feature to them than a bug.
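The scheme sketched in the comment above, as an added example (not code from the thread, from Google, or from any real attestation service): a vendor provisions a per-device secret HMAC key and keeps a copy; the device MACs a statement binding a verifier-supplied nonce to its claims; only a holder of that key can check the tag. A relying party without access to the key table has nothing to verify against and must ask the vendor, which is exactly the centralization the comment points out. All names, the key table and the claims are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets


class VendorAttestationService:
    """Holds the per-device symmetric keys (constructed table, not a real one).

    Anyone without this table cannot check a tag, so verification is
    necessarily routed through the vendor. Contrast with an asymmetric
    scheme, where a relying party could verify with only a public key.
    """

    def __init__(self):
        self._keys = {}          # device_id -> 32-byte HMAC key
        self._seen_nonces = set()

    def provision(self, device_id):
        # In practice this key would be burned into the device at manufacture.
        key = secrets.token_bytes(32)
        self._keys[device_id] = key
        return key

    def issue_nonce(self):
        # Fresh challenge so a captured statement cannot be replayed later.
        return secrets.token_bytes(16)

    def verify(self, statement, expected_nonce):
        body = json.loads(statement["payload"])
        key = self._keys.get(body.get("device_id"))
        if key is None:
            return False, "unknown device"
        expected_tag = hmac.new(key, statement["payload"], hashlib.sha256).digest()
        # Constant-time comparison: never compare MACs with ==.
        if not hmac.compare_digest(expected_tag, statement["tag"]):
            return False, "bad tag"
        if body["nonce"] != expected_nonce.hex():
            return False, "nonce mismatch"
        if body["nonce"] in self._seen_nonces:
            return False, "replay"
        self._seen_nonces.add(body["nonce"])
        return True, body["claims"]


def device_attest(device_id, device_key, nonce, claims):
    """Device side: MAC a canonical encoding of (device_id, nonce, claims)."""
    payload = json.dumps(
        {"device_id": device_id, "nonce": nonce.hex(), "claims": claims},
        sort_keys=True,
    ).encode()
    tag = hmac.new(device_key, payload, hashlib.sha256).digest()
    return {"payload": payload, "tag": tag}


def demo():
    """Honest statement, tampered statement, and replayed statement."""
    vendor = VendorAttestationService()
    key = vendor.provision("dev-0001")
    nonce = vendor.issue_nonce()
    claims = {"os": "stock", "bootloader_locked": True, "patch_level": "2025-01-05"}
    stmt = device_attest("dev-0001", key, nonce, claims)
    good = vendor.verify(stmt, nonce)

    # Rewrite the claims without the key: the tag no longer matches.
    forged = dict(stmt)
    forged["payload"] = stmt["payload"].replace(b'"stock"', b'"custom"')
    tampered = vendor.verify(forged, nonce)

    # Resend the genuine statement: the nonce has already been consumed.
    replayed = vendor.verify(stmt, nonce)
    return good, tampered, replayed


if __name__ == "__main__":
    for label, result in zip(("honest", "tampered", "replayed"), demo()):
        print(f"{label:9s} -> {result}")
```

The security properties are the usual MAC ones: without the per-device key nobody can forge a statement, and the nonce gives freshness. What the construction cannot give is third-party verifiability, since handing the key to a relying party would also let it forge statements.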
This is an extreme opinion and is not surprisingly unpopular and downvoted but one must realise that it is exactly how the governments were thinking when they wanted to ban encryption, and how the export restrictions and classification as a munition came about. Now companies are wielding it against us.
I think you misunderstand the point I'm making. Governments love having this centralized ability to attest hardware and control what software can be run. This is why for instance the EU has really slow-walked and watered down side loading requirements for Apple.
I disagree, I think you cast the net way too wide. Asymmetric cryptography enables secure communication in the first place. It's being used nefariously by Google and Apple, of course, but that's to be expected from big tech.
Isn’t the ability to create certificates guaranteed conceptually once you have asymmetric crypto? In that case there is no intermediate technology which allows key exchanges without also creating digital totalitarianism.
Nefariously how?
These kinds of things just make me want to use Graphene even more, or literally any platform that isn't the monopoly ones. Somehow I think AI and vibecoding, even if it may sound like an unpopular opinion, will allow people to build free ecosystems and actually usable devices that don't rely on the usual providers.
Of course it is
I mean sure, Google & Apple are evil, but don't we all need some evil in our lives? EU citizens don't matter, we love the evil and honestly we enjoy it.
What can't we do for these two companies? We will beg, we will bend, we might even consider grovelling as long as the evil is around, to help us find the greater evils in the world. That is, the people we don't like might be the bad guys today, but just don't worry, you will be the bad guy too, just wait until the bad guys get into power...
I haven't read The Hobbit or The Lord of the Rings but man, if this isn't greed corrupting all men then I don't know what is.
I feel sick of all this, I might really just move out and live the rest of my life out on the farm somewhere.
Miss that monopoly busting of yesteryear. The elephant in the room is that private forces who do not have public good in mind have gotten way too powerful to the detriment of everybody's well-being. Everybody's except the state's surveillance wings.
Break them up. Break them up. Break them up.
They recently said that in the future they want to do more long-form posts just in their discussion forum and then link to it from Mastodon, etc.
Well nothing is stopping them
This was a wild ride, what an adventure. So many moving pieces, this really is just one big house of cards.
I definitely posted this on the wrong thread, I am sorry
Mark my words: ten years from now, the Chinese web will be more free and open than that of any Western country.
In China they have solved this issue already by having every website log in with your phone number which is already directly tied to your Chinese ID.
Problem is some countries don't lock down their phone numbers this far so for this to work you have to whitelist country codes which have secured phone numbers.
Isn't half the reason companies push for these sorts of controls is so they are allowed by the Chinese government to do business there?
It's still not too late. With the help of Claude et al., we can make a truly open mobile OS from the ground up. We can make an app translator that can translate Android and iOS apps to our OS. We can make deals with manufacturers to start shipping phones with this OS. We have the will; there are enough of us on this site to make an impact. All we need is good leadership. Please, somebody with enough clout, step up.
The OP is from an already-existing open mobile OS, which already has a deal with a manufacturer. The problem isn't, and has never been, making an OS. This is not a technical problem. This is a political problem.
But that open mobile OS is still a fork of Android, which is too hell bent on privacy (which is not a bad cause, but something that masses don't care about). We should focus on an OS which is hell bent on UX, UI and other features that masses crave.
You really don't know the limits of LLMs. They can't make anything "from the ground up"; they are only as capable as what they were trained on. Someone had an LLM make a C compiler and they found code regurgitated verbatim from existing compilers. You'd better believe that any OS it writes will look astonishingly similar to an existing open source one.
It seems to me that comments here are reading this as saying attestation is bad, when the real argument is that attestation should explicitly provide a path of inclusion for non-Apple and Google providers.
The headline seems to make the statement that Apple and Google are evil and doing this for monopoly lock-in, and GrapheneOS, a competitor, will stand for the people against that. But given their final counterpoint is that they should have been included too and they rant about being rejected from Google's Play Integrity API for unclear reasons they claim are malicious, it seems they do acknowledge there's security value here: we do critically need for full-chain-of-signature attestations for critical identity data, the only way to avoid someone using AI to create fraud identities trivially.
The position of GrapheneOS is that attestation shouldn't be used to restrict people to an allowlist of hardware and operating systems. It can be used without forbidding them from using what they want to use. However, if it's going to be used to make an allowlist of hardware and operating systems, then it needs to permit anything at least as secure as what they're permitting to be approved. Instead, they're enforcing Google's business model for licensing Google Mobile Services while not requiring secure devices at all. There's no security value in the current Play Integrity API, which permits devices with no patches for 10 years.
Even the Play Integrity API strong integrity level only enforces being no more than 1 year behind on the official Android security bulletins, which are 3-4 months outdated at release, so that's nearly a year and a half behind on patches. It also has the massive loophole of permitting being arbitrarily behind on patches for earlier Android versions than Android 13, so even the strong integrity level permits a device launched with Android 8 with no patches applied since then. That's not a security check, it's a business model check to lock out alternatives not licensing Google Mobile Services. The licensing terms for Google Mobile Services have been found to be illegal in multiple countries. Google enforcing agreeing to those terms with the Play Integrity API is a truly extraordinary violation of antitrust laws. Governments are not only failing to act but adopting it themselves. It's going to be looked back on as a massive failure for technology regulation/legislation along with government tech policy beyond that.
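An added example (not code from the thread, from Google, or from GrapheneOS, and not the real Play Integrity logic) of the distinction the comment above draws: a relying party evaluating a set of attested device claims under a licensing-first policy with a loose, version-exempted patch-lag bound, modelled on the loophole as the comment describes it, beside a policy that judges only the attested security state. The claim field names, the thresholds and the sample devices are constructed assumptions for illustration.

```python
from datetime import date


def parse_patch_level(level):
    """Android-style security patch level string 'YYYY-MM-DD' -> date."""
    year, month, day = (int(part) for part in level.split("-"))
    return date(year, month, day)


def licensing_policy(claims, today, max_lag_days=365, exempt_below_version=13):
    """Gate first on vendor licensing, then apply a loose patch-lag bound
    that pre-cutoff OS versions are exempt from (the loophole described above).
    Thresholds are assumptions, not Google's actual numbers."""
    if not claims["vendor_licensed"]:
        return False, "not a vendor-licensed OS"
    if claims["android_version"] < exempt_below_version:
        return True, "accepted: pre-cutoff version, patch level not checked"
    lag = (today - parse_patch_level(claims["patch_level"])).days
    if lag > max_lag_days:
        return False, f"patch level {lag} days behind"
    return True, "accepted"


def security_policy(claims, today, max_lag_days=90, min_version=14):
    """Judge the device on its attested security state regardless of whose OS
    it runs: verified boot chain, still-supported version, recent patches."""
    if not (claims["bootloader_locked"] and claims["verified_boot"]):
        return False, "boot chain not verified"
    if claims["android_version"] < min_version:
        return False, "OS version no longer supported"
    lag = (today - parse_patch_level(claims["patch_level"])).days
    if lag > max_lag_days:
        return False, f"patch level {lag} days behind"
    return True, "accepted"


# Constructed sample claim sets; these are not real attestation output.
SAMPLE_DEVICES = {
    "licensed_never_patched": {
        "vendor_licensed": True, "android_version": 8,
        "bootloader_locked": True, "verified_boot": True,
        "patch_level": "2017-08-05",
    },
    "alt_os_well_patched": {
        "vendor_licensed": False, "android_version": 16,
        "bootloader_locked": True, "verified_boot": True,
        "patch_level": "2026-02-05",
    },
    "licensed_but_stale": {
        "vendor_licensed": True, "android_version": 15,
        "bootloader_locked": True, "verified_boot": True,
        "patch_level": "2025-01-05",
    },
}


def evaluate_all(today=date(2026, 3, 1)):
    """Run both policies over the samples; returns {name: (licensing, security)}."""
    return {
        name: (licensing_policy(claims, today), security_policy(claims, today))
        for name, claims in SAMPLE_DEVICES.items()
    }


if __name__ == "__main__":
    for name, (lic, sec) in evaluate_all().items():
        print(f"{name:24s} licensing={lic[0]!s:5} security={sec[0]!s:5}"
              f"  ({lic[1]} / {sec[1]})")
```

With the constructed samples, the licensing-first policy accepts the never-patched licensed device and rejects the well-patched alternative OS, while the security policy does the opposite; the stale licensed device fails both. When writing a relying-party check over attestation results, the second shape is the one that actually says something about the device.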
That is not what GrapheneOS is saying. They mention their exclusion as proof that attestation has nefarious motives, not because they would be OK with it otherwise
They have commented elsewhere that any inclusion/exclusion criteria (if at all) should be transparent and collaboratively decided rather than arbitrary, monopolised or ineffectual/deceptive. They mention several times that people should not be excluded from web services for browser/OS choice.