Comment by pojntfx
7 hours ago
There needs to be a law that makes remote attestation - no matter who provides the root certificates, Google/Apple/GrapheneOS - illegal. There is only one use for this technology right now, and it is to prevent people from doing what they want to do with the devices they own, while also making interoperability cryptographically impossible. This is anti-competitive and should simply be illegal.
There is a real chance that in 5-10 years, there will be laptops and smartphones running open processors and operating systems with UX and and an OS comparable or better than the proprietary equivalent, but which are effectively useless to the average consumer because it is cryptographically impossible to use them for anything due to remote attestation proliferating more and more
It already is illegal in the EU under the EU Data act. The VW executives are just criminals who don't care about the law, because they can bend it like before.
How so? Do you have rights to your data in secure enclaves?
what you really looking for is API-free services/products. so it works without cloud at all.
or products/companies that explicitly expose API access to their products.
> There is only one use for this technology right now, and it is to prevent people from doing what they want to do with the devices they own.
Well, that and making it possible to deploy devices you own in environments where they might be physically accessible to people you don't want extracting credentials from them. Or for ensuring people can only access sensitive company information on company issued devices rather than being able to casually make a copy of any data they have access to somewhere else. Or using a phone as a credit card payment terminal without the possibility of displaying one payment amount on screen and authorising for a different amount.
I'm quite firmly in favour of anything I own giving access to the data it's generating in an open format but screaming about how there's no legitimate use for attestation is quite simply nonsense.
> Or using a phone as a credit card payment terminal without the possibility of displaying one payment amount on screen and authorising for a different amount.
It only attests that the device booted normally (locked bootloader, factory firmware, etc.). Any kind of post-boot compromise (whether it's from malware or something user-initiated) goes completely undetected and does not impact attestation status.
Sure, it’s one element in a defense in depth. You ensure that post boot it’s not possible to manipulate what’s being loaded, and then you ensure that during boot the OS in the expected state for that to be true. It’s not a panacea but it is an important part of the process.
[flagged]
*Smuggly* Huh, don’t like it? Just vote with your wallet and buy a car with better TC. Or build your own?
Caught one in the wild!
https://news.ycombinator.com/item?id=48320351
I wonder if companies can T&C their way out of any problem.
pretty much. correct me if I am wrong, but these T&C treated like "local" laws (in respect to interaction of client and business within their interaction) within most jurisdictions by courts.
so even if T&C does not make sense, usually courts are in favour of enforcing them.
unless some severe contradiction with constitution or alike, or serious harm to people or something, they would throw away T&C in cases. but AFAIK that is rare.
7 replies →