Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
notepad0x90 3 hours ago

I just wish more people would protest this instead of things like secure boot.

Password managers and/or operating systems can manage private keys just fine. websites shouldn't be concerned with how the keys are managed, or be able to make demands on how users store credentials, or know device details for users.

One thing I dislike even with systems like FIDO2 is that the websites/apps can block list your FIDO key's vendors. Similar trends suck. Passkeys are just one iteration in a long line of systems designed with corporate interests in mind.

The system validating the authentication needs only to verify that the credentials are correct. If users want to use TPMs, HSMs,etc.. or none at all, that's up to them. And no information, other than what is strictly required to verify the credential should be transmitted over the network. a signature of challenge data from the app should be sufficient. the user's public key shouldn't be signed at all by hardware, a trusted 3rd party,etc.. the registration process should take care of establishing public key trust to the authenticator/app. The whole thing feels insidious.

dgxyz an hour ago | parent | next [-]

Oh that's not even the worst of the stupid shit.

When you have Apple managing your keychain, your passwords stored in that, your passkeys stored in that, them filling in your MFA info by reading your email and SMS on every device, supplying your primary email account and all your throwaway addresses, and possibly trying to tie you into their OAuth or whatever for a third party, you are fucked if something goes trivially wrong.

digiown 3 hours ago | parent | prev | next [-]

Corporate interests HATE general purpose computing, and the freedom to run what you want. With that freedom, you can hurt their interests by blocking ads, stripping out spyware, or avoiding giving up your privacy, and they can't let you have that.

It's a death by thousand cuts that's finally starting to come together:

- Remote attestation like Play "integrity"

- Hardware backed DRM like Widevine

- No full access to filesystem on Android, and no access to filesystem at all on iOS

- No ability to run your own programs at all on iOS without Apple's permission.

- "Secure" boot on Android and iOS that do not allow running your own software

Ever wondered why Windows 11 have a TPM requirement? No, it's not just planned obsolescence.

If they get their way, user-owned computers running free software will never be usable again, and we'll lose the final escape hatch slowing down the enshittification of computers. The only hope we have is that they turn up the temperature a little too quickly that normies would catch on before it gets far enough.

hparadiz 2 hours ago | parent [-]

Windows 11 has tpm required to enforce full disk encryption that is pinned to a given machine. Linux would do well to do the same thing. It's possible but almost no one does it.

19 minutes ago | parent | next [-]
[deleted]
turminal an hour ago | parent | prev | next [-]

This sounds like a great way to lose data when the machine dies unexpectedly.

michaelt 8 minutes ago | parent | next [-]

Linux should replicate Microsoft's feature where they back up your "full disk encryption" keys to your cloud account, completely unencrypted, and share them with the cops.

dgxyz 36 minutes ago | parent | prev [-]

You can print recovery codes. Just chuck them in your safe.

Cryptography is only safe against someone who doesn't come and beat the password out of you if they want it. In my case, only my laptop is encrypted so if I lose it when I'm out it's useless.

dummydummy1234 an hour ago | parent | prev [-]

What is the benefit of having full disk encryption pinned to a machine?

vbezhenar an hour ago | parent | next [-]

The benefit is to not type encryption password on every boot. TPM stores the encryption key and Secure Boot ensures that the system is not tampered.

That said, I think that it's better to use alternative approach. Use unencrypted signed system partition which presents login screen. After user typed their username and password, only user home gets decrypted. This scheme does not require TPM and only uses secure boot to ensure that system partition has not been altered. I think that macOS uses similar approach.

ab71e5 33 minutes ago | parent [-]

Kinda like how I have it set up in linux except the system partition is the uki and the user password is LUKS2 passphrase

hparadiz an hour ago | parent | prev [-]

Anti theft

jmclnx 3 hours ago | parent | prev [-]

I fully agree, seems Linux is heading directly towards being a Windows Clone. So far all the windows crap can be easily avoided, but once these things are forced on me, it is bye bye Linux.

Already I use BSD on an older laptop probably 40% of the time. Linux on my main system is there due to a hardware device issue BSD still have a minor problem with it. But for me right now, Linux seems to be heading in a wrong direction.

digiown 3 hours ago | parent [-]

KeepassXC implements passkeys in a respectful way. I don't see how this is "Windows crap". If they want to force attestation on passkey implementations, whether or not Linux supports it will not matter.

yencabulator an hour ago | parent [-]

The part that matters is if people adopt the bait. If the bait doesn't get chomped on, the hook is ineffective. Actively encouraging passkey adoption is telling people to eat the bait.