Comment by matheusmoreira
3 days ago
I always say this when this topic comes up: remote attestation will be how our computing freedom dies. They've made it so that it doesn't even matter if they allow you to install whatever you want. Anything that isn't corporate owned is banned. Own your device? You "tampered" with it. You're banned. From everything. You're ostracized from digital society. You're not even a citizen, much less a second class citizen. Enroll your own keys? It doesn't matter. You're not trusted. You're a fraudster terrorist money launderer drug dealer pedophile.
While I am glad that people continue to struggle, that GrapheneOS continues to fight and speak out, these developments still fill me with a terrible sadness. The future is bleak. We inch ever closer to the complete destruction of everything the word "hacker" ever stood for. It's a deep loss.
While I agree, I think there's a better way to frame this with the public. We don't need to bring in pedo references. That looks very unhinged to most people.
There's already a lot of support out there, in both public opinion and the law, for the idea that if I pay for something physical like a device, I own it. Any substantial alteration in its functionality, especially a reduction in what it can do, requires my consent. Reduction in what it can do should require my consent. Just because tech made it possible for the manufacturer to brick my phone or my car, start charging me extra for certain features I already paid for, or block the apps the OS vendor doesn't approve of doesn't mean they should or that it's even legal to do so. Additionally once I buy the device the vendor has zero business telling me how I can modify it, or whether I can repair it.
I own the thing I bought, fucker. It's my property and I have property rights. The corp has no right to steal away part of the thing I bought or change the terms after the fact. It's potentially criminal if they try.
This framing resonates with a lot of people.
The guy who really exemplifies this positioning at the moment is Louis Rossman and by focusing on these widely understood and popular concepts, he's gained the ability to direct an enormous amount of attention to an issue. He can absolutely swamp a legislature with letters from angry constituents for example when he gives an issue visibility.
Frame it as theft because it is. If they push an update without my consent that removes functionality or sabotages my ownership of the device, it's theft. At the very least product liability laws should apply. Some part of what I bought stops working, that goes to product liability. But I'd take it a step farther and say we're dealing with straight up theft.
> We don't need to bring in pedo references. That looks very unhinged to most people.
Sorry for how you may feel about it, but that *is* how it's being framed for the public..
https://europeanconservative.com/articles/news/eu-parliament...
[flagged]
3 replies →
The problem with the reasonable framing you suggest is that it gets thrown out of the window the moment someone utters Protect the Children®. I'm willing to bet that most people, including those with kids like myself, don't truly believe that surrendering our basic rights to better protect the children is a rational thing to do, but they would never dare to push their opinion publicly. The few that do get all but labeled as, you guessed it, fraudster terrorist money launderer drug dealer pedophiles.
It's the the Emperor's New Clothes in real life but for morals. No amount of Rossmanning is going to help society walk back its collective hypocrisy.
I don't actually believe this. People don't actually believe every car should have a GPS tracker so that if a pedophile drives a car, the police can track it. That is a ridiculous argument, and if they make it, there should be something you can say to make it blow up in their face. Unfortunately, as we've all now discovered, winning arguments isn't about being right, so I don't know which words you can say to make the obviously stupid argument sound obviously stupid.
9 replies →
I have decided that if they'll play dirty then I will. If someone says "protect the children" then I smear those saying it, e.g.
Kier Starmer wants to protect children? He put Mandelson into government even though he was mates with Epstein. Doesn't sound like someone who cares about protecting children to me.
Rinse and repeat for any politician or political side, they are all only a step or two away from someone who's done something horrible to children. It doesn't matter to me whether I really think it's true or not (though in the example I've used, that is my opinion, who employs someone like that and really cares about children?) but *it does not matter*. This is an us versus them situation, and they are making proponents of freedom out to be criminals at best, paedos at worst. They can take some of their own medicine, and anyone who parrots their line. If ad hominem is the name of the game then let's play, I'm on firmer ground than they are.
1 reply →
There's an answer for that now: "Release ALL the Epstein files."
I love how this is a problem caused by Big Tech (AI), with “solutions” brought by Big Tech (FAANG etc) and “countermeasures” will also be brought in by future billion-dollar industries (domestic-proxy provider BrightData is 1B already) while we will depend on existing Big Tech for “protection” (Cloudflare will remain a big player).
At this point the internet is exactly like the film Matrix, where humans are merely an implementation detail in the whole system.
Keep fighting. Spread the word. Ensure that everyone you know is aware of the totalitarian implications.
The only way to sure defeat is to surrender.
I will, but it doesn't look good.
Then we should step it up a bit.
The most dangerous thing in computing is safety.
"Secure" is great. But when you hear "safe", that means there is some corp in the shadows predating on you because <insert boogeyman>. They decide what safe means, not you. They will abuse you to no end while keeping you "safe".
That's why companies always remove the features that keep you "secure" and give you ones to keep you "safe".
> You're ostracized from digital society. You're not even a citizen, much less a second class citizen.
Before anyone downplays this concern as scaremongering ans slippery slope fallacy stuff, keep in mind that countries are shifting their national ID cars infrastructure to online services which are fundamentally designed around attestation. Moreover some class of services such as banking are progressively increasing requirements that your software and hardware needs to meet to allow you to manage your own property.
Hardware attestation is like hardware DRM. It is intended to limit and restrict abundance. Abundance of clients (as a proxy for user attention) and abundance of copying, access and replay (as a proxy for "piracy"), resp.
It won't matter to the masses, it won't hamper "bad actors" because hackers will find flaws instantly.
It's just enshitfication.
I hope you're right. I truly do.
> hackers will find flaws instantly
Yeah.
https://tee.fail/
The ability to circumvent these cryptographic attestations and pretend to be a "pristine" corporate owned device while in fact being free will be a key strategic capability in the future.
They will no doubt pour billions into improving the technology though. I'm not sure if such a capability can be maintained over the long term. We don't have the resources.
It probably won't matter to the average user: buy Apple, buy Google and be (little bit less) happy while your access to the free web gets little more enshittified...
...But there is always at least one hacker.
The issue with hardening DRM is that at the core it's hard to protect against an adversary that with physical access to the device that keeps the very secret. From the vendor perspective, the very customer paying you is your potential enemy.
That means that the root of trust isn't itself protected with cryptography. Instead, it relies on security-through-obscurity, Faraday cages, fuses, anti-tampering and lots of glue. And it's a numbers game if there are thousands of different devices, potentially with different flaws while your adversaries are hidden among billions of customers.
There is still a gap between the hacker and main-stream availability, though: laws and legalism, like DMCA that penalize disclosing how the obfuscation and all work.
A fraudster, a terrorist, a money launderer, a drug dealer, a pedophile—these are actually a huge audience for whom the IT industry can release separate versions of the operating system and hardware. And that audience will pay for it. For the vast majority of ordinary people who consume IT benefits for free (being a commodity themselves), it makes sense to use controlled products.
It doesn't have to be controlled in such a way that it produces monopolies or enables surveillance.
> these developments still fill me with a terrible sadness.
I wish they filled you with anger instead. It’s not too late. You’re not alone.
I think it's quite telling that this comment was written in Brazil. The so-called Third World is the future source of freedom (or Western countries that become third world perhaps). It may not be a bad idea now to start building open compute and banking alternative ecosystems based in those countries, marketed at Western citizens.
The third world is also pushing Digital ID. In fact they would love it even more than the first world as it would allow for even more totalitarianism.
all "hackers" be vibe coding b2b saas these days
the meaning of this word has diluted so much
> Own your device? You "tampered" with it. You're banned. From everything.
Don't worry officer, my device is completely clean. Here you go check it. Why yes, I absolutely only ever use it for banking and updating linkedin on a suspiciously empty gmail, and keep it on silent 100% of the time. What's so odd about that? What? No, I just re-read a lot of books, that's my hobby, I read Catcher In The Rye 20 times a month.
...
It's about time people realize the concept of a real phone and a civilian phone as one and the same is dead.
In fact.
You don't need a "real" phone. Just the civilian one.
I use what's basically a portable retroconsole for entertainment. Including reading, incidentally. From its perspective, it is just a computer. Let's make it a competition, puny phones versus portable computing. Name me one thing you think it can't do, in return, I'll fire two YOUR phone can't right now, back at you. I'll forward two: It can run tmux and has a copyparty toggle for a portable filestorage on it. Yes, you can do both on the phone. But yours can't right now, and I you will suffer trying tog get it, while mine, it was 2 command lines and one config file each.
For once, we may be "saved" thanks to Trump. Because of the brutal change in geopolitics he triggered, the EU is now actively looking at all the hard dependencies on US controlled systems. Android and iOS are two of them.
I cannot tell if the alternative solution will be better, but I do think we will develop alternatives.
The EU is only making these statements until the US has a new president (with the same ideas of Trump, as has always been the case, but saying nice things in public).
Also, in the mean time, their announced "sovereign solutions for the European citizen" look ridiculous: now you'll be free from Visa and Mastercard for your payments but at the same time you'll need a phone approved by either Apple or Google.
And there is also "sovereign cloud" by microsoft!
Are they really tho? The EU is currently enforcing a digital ID that will depend on Android and iOS in most implementations
Not only that, they're also enforcing age verification, i.e. mass surveillance.
Do you consider being banned in a video game because of hacking to be an example of something killing computing freedom?
The user still maintains all the freedom of doing whatever computing they want on their own machine, but if they want to play with others who don't want to play with cheaters then they have to use the official client.
For people who want a high degree of freedom and be able to access as many digital services as possible I foresee such people using a hypervisor that runs both a provable secure OS and another OS that is as free as they want.
How about being banned from online banking, government services and all social networking / communication platforms? Because that's the road we're already heading down.
What makes you think they will give us this magical hypervisor capability? It's more effort, increases the chances someone finds a bypass and takes power away from the incumbent online platforms. It's so much easier to just prevent it all. The only reason it hasn't happened yet is the amount of devices without this ability in circulation. But that number is shrinking rapidly.
>How about being banned from online banking, government services and all social networking / communication platforms?
You aren't banned. You just have to use a secure device. It's like saying that a store banned you because they stopped taking checks and started requiring a credit card since they are more secure and harder to commit fraud with. As a person you didn't lose any freedom. Freedom does not mean someone has to be able to force their will on another person. That sounds like the opposite of freedom to me.
>What makes you think they will give us this magical hypervisor capability?
It's not magical. Look at Windows WSL2 which already works like that.
11 replies →
I think you got it reverse.
Gaming and such are dedicated services. Fine if people agree to pay premium to have the required platform / console / etc.
General services such as communications / banking must be free, and must not require trusted hardware on the end point. The services must be designed to be secure even in the case of compromised end points. But that's against the current trend where all banks are trying to push all the responsibility on the end user because they want to reduce their costs. There are plenty of solutions but they don't go for it because it's not in their interest and they want to squeeze out any little penny of infrastructure cost.
>How about being banned from online banking, government services and all social networking / communication platforms?
Defense is depth actually works. It's better security to require a dedicated device to make it harder to commit fraud. This is why credit cards became a secure device instead of just being a magnetic strip.
> Do you consider being banned in a video game because of hacking to be an example of something killing computing freedom?
No. It's the constant attempts to invade our computers and "prevent" the unwanted behavior that are problematic. See kernel level anticheat nonsense. They want to own our computers.
> if they want to play with others who don't want to play with cheaters then they have to use the official client
They should be able to play with whatever client they want. It's their computer, it should run whatever software they want.
>See kernel level anticheat nonsense.
This nonsense mainly exists only because the operating system is unable to attest that it the app is secure and the right app is what is running.
>It's their computer, it should run whatever software they want.
I agree, but companies shouldn't be forced to match cheaters with legitimate players. Cheaters just can't secretly be cheating.
8 replies →
We had fun in online games without kernel level nonsense. Why do I need to compromise my hardware when the problem is an outlier in the social graph? Anticheat is part an arms race and part just raising the bar so people cant cheat too easily. That said you can feed a video feed into a Kria K26 or even a pi or jetson and make automatic targeting completely transparant to the kernel. Then what? Hardware attestation in peripherals?
How do old boomershooter communities tackle cheaters? When and why do methods that work on a social graph fail or necessitate anticheat? I agree on the hypervisor part. Putting different applications in microvms would be good for isolation.
>We had fun in online games without kernel level nonsense.
You might of. But there was a percentage of players turned away by cheaters or even just had a bad experience one day because of one. At scale this can cause a bad experience for a ton of players so trying to stop as many cheaters as possible does matter.
>Why do I need to compromise my hardware
You don't have to compromise anything. In fact it is optimal to have the system be as secure as possible that way cheats can't mess with the game.
>How do old boomershooter communities tackle cheaters?
By limiting the rate of new players. This goes against the wishes of games who want to achieve massive growth.
>When and why do methods that work on a social graph fail or necessitate anticheat?
If people provided IDs that could work too instead of anticheat, but usually people do not want to do that just to play a game. It adds friction to the onboarding process.
5 replies →
PC gaming has always been rife with statistical inferencing of cheating, accusations of cheating both true and false and resultant low levels of trust that do destroy gaming communities. That's with aggressive software solutions that implement an ad hoc not entirely robust form of remote attestation.
A lot of gaming migrated to consoles for this reason. They have secure remote attestation implemented properly. Accusing winners of cheating doesn't work there, and it's obvious why that results in happier and healthier gaming communities.