| ▲ | matheusmoreira 3 hours ago |
| I always say this when this topic comes up: remote attestation will be how our computing freedom dies. They've made it so that it doesn't even matter if they allow you to install whatever you want. Anything that isn't corporate owned is banned. Own your device? You "tampered" with it. You're banned. From everything. You're ostracized from digital society. You're not even a citizen, much less a second class citizen. Enroll your own keys? It doesn't matter. You're not trusted. You're a fraudster terrorist money launderer drug dealer pedophile. While I am glad that people continue to struggle, that GrapheneOS continues to fight and speak out, these developments still fill me with a terrible sadness. The future is bleak. We inch ever closer to the complete destruction of everything the word "hacker" ever stood for. It's a deep loss. |
|
| ▲ | safety1st an hour ago | parent | next [-] |
| While I agree, I think there's a better way to frame this with the public. We don't need to bring in pedo references. That looks very unhinged to most people. There's already a lot of support out there, in both public opinion and the law, for the idea that if I pay for something physical like a device, I own it. Any substantial alteration in its functionality, especially a reduction in what it can do, requires my consent. Reduction in what it can do should require my consent. Just because tech made it possible for the manufacturer to brick my phone or my car, start charging me extra for certain features I already paid for, or block the apps the OS vendor doesn't approve of doesn't mean they should or that it's even legal to do so. Additionally once I buy the device the vendor has zero business telling me how I can modify it, or whether I can repair it. I own the thing I bought, fucker. It's my property and I have property rights. The corp has no right to steal away part of the thing I bought or change the terms after the fact. It's potentially criminal if they try. This framing resonates with a lot of people. The guy who really exemplifies this positioning at the moment is Louis Rossman and by focusing on these widely understood and popular concepts, he's gained the ability to direct an enormous amount of attention to an issue. He can absolutely swamp a legislature with letters from angry constituents for example when he gives an issue visibility. Frame it as theft because it is. If they push an update without my consent that removes functionality or sabotages my ownership of the device, it's theft. At the very least product liability laws should apply. Some part of what I bought stops working, that goes to product liability. But I'd take it a step farther and say we're dealing with straight up theft. |
| |
| ▲ | someguyornotidk 37 minutes ago | parent [-] | | The problem with the reasonable framing you suggest is that it gets thrown out of the window the moment someone utters Protect the Children®. I'm willing to bet that most people, including those with kids like myself, don't truly believe that surrendering our basic rights to better protect the children is a rational thing to do, but they would never dare to push their opinion publicly. The few that do get all but labeled as, you guessed it, fraudster terrorist money launderer drug dealer pedophiles. It's the the Emperor's New Clothes in real life but for morals. No amount of Rossmanning is going to help society walk back its collective hypocrisy. | | |
| ▲ | pocksuppet 29 minutes ago | parent | next [-] | | I don't actually believe this. People don't actually believe every car should have a GPS tracker so that if a pedophile drives a car, the police can track it. That is a ridiculous argument, and if they make it, there should be something you can say to make it blow up in their face. Unfortunately, as we've all now discovered, winning arguments isn't about being right, so I don't know which words you can say to make the obviously stupid argument sound obviously stupid. | | |
| ▲ | throwawayqqq11 17 minutes ago | parent | next [-] | | "Criminals will adapt and avoid while the public gets transparent." Is my simple response. | |
| ▲ | close04 16 minutes ago | parent | prev [-] | | People already showed that they will swallow anything as long as it's attached to "protect from the terrorists" label. Protect the children is an even more powerful extension. Few people ever really have to worry about terrorists but kids, that's a different story. My logical assumption is that all terrorists and pedophiles will concentrate in the areas where they have legal exceptions from being monitored by multiple different parties at any given time. Legislators and the like. To play one of their cards, why would people who love to say "innocent people have nothing to hide" have something to hide? |
| |
| ▲ | Animats 3 minutes ago | parent | prev [-] | | There's an answer for that now: "Release ALL the Epstein files." |
|
|
|
| ▲ | whstl 26 minutes ago | parent | prev | next [-] |
| I love how this is a problem caused by Big Tech (AI), with “solutions” brought by Big Tech (FAANG etc) and “countermeasures” will also be brought in by future billion-dollar industries (domestic-proxy provider BrightData is 1B already) while we will depend on existing Big Tech for “protection” (Cloudflare will remain a big player). At this point the internet is exactly like the film Matrix, where humans are merely an implementation detail in the whole system. |
|
| ▲ | userbinator 2 hours ago | parent | prev | next [-] |
| Keep fighting. Spread the word. Ensure that everyone you know is aware of the totalitarian implications. The only way to sure defeat is to surrender. |
| |
|
| ▲ | timbooktwo 27 minutes ago | parent | prev | next [-] |
| A fraudster, a terrorist, a money launderer, a drug dealer, a pedophile—these are actually a huge audience for whom the IT industry can release separate versions of the operating system and hardware. And that audience will pay for it. For the vast majority of ordinary people who consume IT benefits for free (being a commodity themselves), it makes sense to use controlled products. |
|
| ▲ | locknitpicker 9 minutes ago | parent | prev | next [-] |
| > You're ostracized from digital society. You're not even a citizen, much less a second class citizen. Before anyone downplays this concern as scaremongering ans slippery slope fallacy stuff, keep in mind that countries are shifting their national ID cars infrastructure to online services which are fundamentally designed around attestation. Moreover some class of services such as banking are progressively increasing requirements that your software and hardware needs to meet to allow you to manage your own property. |
|
| ▲ | Loic 43 minutes ago | parent | prev | next [-] |
| For once, we may be "saved" thanks to Trump. Because of the brutal change in geopolitics he triggered, the EU is now actively looking at all the hard dependencies on US controlled systems. Android and iOS are two of them. I cannot tell if the alternative solution will be better, but I do think we will develop alternatives. |
| |
| ▲ | trallnag 11 minutes ago | parent [-] | | Are they really tho? The EU is currently enforcing a digital ID that will depend on Android and iOS in most implementations | | |
| ▲ | reddalo 10 minutes ago | parent [-] | | Not only that, they're also enforcing age verification, i.e. mass surveillance. |
|
|
|
| ▲ | bartekpacia 42 minutes ago | parent | prev | next [-] |
| all "hackers" be vibe coding b2b saas these days the meaning of this word has diluted so much |
|
| ▲ | repelsteeltje 2 hours ago | parent | prev | next [-] |
| Hardware attestation is like hardware DRM. It is intended to limit and restrict abundance. Abundance of clients (as a proxy for user attention) and abundance of copying, access and replay (as a proxy for "piracy"), resp. It won't matter to the masses, it won't hamper "bad actors" because hackers will find flaws instantly. It's just enshitfication. |
| |
| ▲ | matheusmoreira 2 hours ago | parent [-] | | I hope you're right. I truly do. > hackers will find flaws instantly Yeah. https://tee.fail/ The ability to circumvent these cryptographic attestations and pretend to be a "pristine" corporate owned device while in fact being free will be a key strategic capability in the future. They will no doubt pour billions into improving the technology though. I'm not sure if such a capability can be maintained over the long term. We don't have the resources. |
|
|
| ▲ | charcircuit 2 hours ago | parent | prev [-] |
| Do you consider being banned in a video game because of hacking to be an example of something killing computing freedom? The user still maintains all the freedom of doing whatever computing they want on their own machine, but if they want to play with others who don't want to play with cheaters then they have to use the official client. For people who want a high degree of freedom and be able to access as many digital services as possible I foresee such people using a hypervisor that runs both a provable secure OS and another OS that is as free as they want. |
| |
| ▲ | franga2000 an hour ago | parent | next [-] | | How about being banned from online banking, government services and all social networking / communication platforms? Because that's the road we're already heading down. What makes you think they will give us this magical hypervisor capability? It's more effort, increases the chances someone finds a bypass and takes power away from the incumbent online platforms. It's so much easier to just prevent it all. The only reason it hasn't happened yet is the amount of devices without this ability in circulation. But that number is shrinking rapidly. | | |
| ▲ | charcircuit an hour ago | parent [-] | | >How about being banned from online banking, government services and all social networking / communication platforms? You aren't banned. You just have to use a secure device. It's like saying that a store banned you because they stopped taking checks and started requiring a credit card since they are more secure and harder to commit fraud with. As a person you didn't lose any freedom. Freedom does not mean someone has to be able to force their will on another person. That sounds like the opposite of freedom to me. >What makes you think they will give us this magical hypervisor capability? It's not magical. Look at Windows WSL2 which already works like that. | | |
| ▲ | dmantis an hour ago | parent | next [-] | | > You just have to use a secure device. No, you have to use government backdoored device. I.e. the most secure android rom (at least the only rom we know is not penetrable by state-sponsored celebrite based malware) is not covered by google's play protect, while bunch of outdated CVEd phones are. Same will go with many hardened Linux machines, QubesOS, Whonix stations, you name it. I'd argue they are far more secure than any average windows/macos installation. Hardware attestation has nothing to do with security, it's censorship. | |
| ▲ | przmk an hour ago | parent | prev | next [-] | | It's not about being secure. Google allows devices with up to 10 years without any patches to pass their integrity API. Meanwhile Graphene OS, which is very secure and up-to-date, doesn't pass. | | |
| ▲ | notpushkin an hour ago | parent [-] | | This. Plus if I want to access my bank account on a device I trust, the bank shouldn’t say “hey we don’t trust it so buzz off”. It’s my money in that account. I understand there’s some stupid compliance thing that makes banks do this, but it clearly isn’t a hard requirement, as there’s still plenty of banks that don’t participate in this security theatre. |
| |
| ▲ | inejge 30 minutes ago | parent | prev [-] | | > You just have to use a secure device. Secure as defined by a duo of monopolists. It's a contractual concept and doesn't have a firm relation to security-related characteristics. I'd trust GrapheneOS to be as secure as anything Google is capable of releasing, but that doesn't help them if Google refuses to vouch for a device running their OS. Which is also why your check/credit card analogy falls flat. |
|
| |
| ▲ | xeyownt 2 hours ago | parent | prev | next [-] | | I think you got it reverse. Gaming and such are dedicated services. Fine if people agree to pay premium to have the required platform / console / etc. General services such as communications / banking must be free, and must not require trusted hardware on the end point. The services must be designed to be secure even in the case of compromised end points. But that's against the current trend where all banks are trying to push all the responsibility on the end user because they want to reduce their costs. There are plenty of solutions but they don't go for it because it's not in their interest and they want to squeeze out any little penny of infrastructure cost. | | |
| ▲ | charcircuit an hour ago | parent [-] | | >How about being banned from online banking, government services and all social networking / communication platforms? Defense is depth actually works. It's better security to require a dedicated device to make it harder to commit fraud. This is why credit cards became a secure device instead of just being a magnetic strip. |
| |
| ▲ | matheusmoreira 2 hours ago | parent | prev | next [-] | | > Do you consider being banned in a video game because of hacking to be an example of something killing computing freedom? No. It's the constant attempts to invade our computers and "prevent" the unwanted behavior that are problematic. See kernel level anticheat nonsense. They want to own our computers. > if they want to play with others who don't want to play with cheaters then they have to use the official client They should be able to play with whatever client they want. It's their computer, it should run whatever software they want. | | |
| ▲ | charcircuit an hour ago | parent [-] | | >See kernel level anticheat nonsense. This nonsense mainly exists only because the operating system is unable to attest that it the app is secure and the right app is what is running. >It's their computer, it should run whatever software they want. I agree, but companies shouldn't be forced to match cheaters with legitimate players. Cheaters just can't secretly be cheating. | | |
| ▲ | matheusmoreira 33 minutes ago | parent [-] | | To defend my own freedom, I'm forced to defend scoundrels as well in a totally unhinged manner. So be it. > the operating system is unable to attest And it should remain unable. There should be no "attestation" of anything. The corporations who want such things should remain unsure of the device's "security". They should just accept it. Let them write it off as a cost of doing business or something. The optimal amount of fraud is non-zero, as they say. > the app is secure and the right app is what is running These machines are our personal computers. They are extensions of our minds. They are general purpose tools with limitless potential, just waiting to be shaped in accordance to our wills. There is no such thing as being "secure" from us. Not inside our own computers. The mere idea of it is offensive. It is an affront to us all. We are the gods of these machines. To attempt to "secure" a video game of all things against us is an attempt to usurp our power. > Cheaters just can't secretly be cheating. Now that remote attestation is in play, the ability to do that -- forge attestations to pretend to be a corporate owned machine while remaining free and subversive -- has become key. So I'm forced to say that cheaters absolutely should be able to secretly cheat. If the cheater wants to edit his computer's memory or whatever, it's his divine right as the owner of the machine. An inability to do that means our freedom is lost. Cheating in video games is literally nothing compared to the loss of our computer freedom. Let the entire industry go bankrupt if it must. We cannot sacrifice it no matter what, and certainly not over something as mundane such as video games. There is so much more at stake here. Ubiquitous access to cryptography. Adversarial interoperability. Our very self-determination in the digital world. Video games are nothing -- and that's coming from a fellow gamer. |
|
| |
| ▲ | greybcg 2 hours ago | parent | prev [-] | | We had fun in online games without kernel level nonsense. Why do I need to compromise my hardware when the problem is an outlier in the social graph? Anticheat is part an arms race and part just raising the bar so people cant cheat too easily.
That said you can feed a video feed into a Kria K26 or even a pi or jetson and make automatic targeting completely transparant to the kernel. Then what? Hardware attestation in peripherals? How do old boomershooter communities tackle cheaters? When and why do methods that work on a social graph fail or necessitate anticheat?
I agree on the hypervisor part. Putting different applications in microvms would be good for isolation. | | |
| ▲ | charcircuit 44 minutes ago | parent [-] | | >We had fun in online games without kernel level nonsense. You might of. But there was a percentage of players turned away by cheaters or even just had a bad experience one day because of one. At scale this can cause a bad experience for a ton of players so trying to stop as many cheaters as possible does matter. >Why do I need to compromise my hardware You don't have to compromise anything. In fact it is optimal to have the system be as secure as possible that way cheats can't mess with the game. >How do old boomershooter communities tackle cheaters? By limiting the rate of new players. This goes against the wishes of games who want to achieve massive growth. >When and why do methods that work on a social graph fail or necessitate anticheat? If people provided IDs that could work too instead of anticheat, but usually people do not want to do that just to play a game. It adds friction to the onboarding process. |
|
|
