| ▲ | matheusmoreira 6 hours ago |
| Remote attestation is not just insane, it's the technology that will end free computing as we know it today. What good is free software if using it marks our devices as untrusted and gets us banned from every service out there? Gets us ostracized from digital society? Because we "tampered" with the device? We should be able to run whatever software we want and they should be none the wiser. Instead, we are part of the threat model now. Our devices are now cryptographically attesting that they are corporate owned and that we are under corporate control. It's so disgusting. The future we're heading towards is terrifying. Everything the word hacker ever stood for will be destroyed if this keeps up. |
|
| ▲ | Cider9986 6 hours ago | parent | next [-] |
| It can be used for security and used privately [1] but I entirely agree with you, Google's use of it is anti-competitive and terrible. [1] attestation.app |
| |
| ▲ | matheusmoreira an hour ago | parent | next [-] | | It's all about who owns the keys and who trusts those keys. If you don't have the keys to "your" computer, then you don't own that computer, you're just renting it from the corporation. And even if our own keys could be used, who's going to trust those attestations? Nobody. They will trust Google's keys, Microsoft's keys, Apple's keys. Not ours. | |
| ▲ | preisschild 3 hours ago | parent | prev [-] | | Yeah same as TPM and Secureboot. They can improve your own personal security (and thereby privacy) drastically, but it has to be controlled by the user. |
|
|
| ▲ | myaccountonhn 3 hours ago | parent | prev | next [-] |
| You'll probably just need to keep two phones. One hostile spying device that you use for authenticating and dealing with government stuff, and that becomes e-waste every 2 years. Then you have one that you can repair and extend for your own stuff that respects you and your privacy. |
| |
| ▲ | collabs 2 hours ago | parent [-] | | I am doing this now. I have had a carrier locked iPhone SE 2020 which I only use on Wi-Fi for over five years now. I also have an android phone and I don't install any banking apps on my android phone. |
|
|
| ▲ | charcircuit 5 hours ago | parent | prev [-] |
| >What good is free software if using it marks our devices as untrusted That is not what remote attestation is for. The operating system maintains isolation between apps, so a free software app being installed doesn't mean an app that needs high security is compromised. |
| |
| ▲ | marmarama 4 hours ago | parent | next [-] | | I think you've misunderstood. It's not an app problem. The problem is that it makes Free Software OSes unviable. The copy of Android you compile and install yourself - or your copy of desktop Linux where you upgraded the kernel yourself - will never pass remote attestation, and it gives both the attestation provider and software that checks attestation the ability to unilaterally shut out any OS they like with no workaround, even those that do pass attestation. In a world of deeply untrustworthy Big Tech, and trend of governments, banks and other basic services needed to exist in society relying on apps and in the future, websites that use remote attestation, that is very troubling. There are better ways of dealing with the bad actors problem, but Big Tech has chosen violence. | | |
| ▲ | floam 4 hours ago | parent | next [-] | | I don’t see how it’s incompatible with open source, just because my development builds aren’t being blessed. | | |
| ▲ | dpark 4 hours ago | parent | next [-] | | It’s not incompatible with open source. It’s incompatible with free software. If Apple or Google or Microsoft or the government needs to “bless” your build, then you have no freedom to actually use your build. | |
| ▲ | marmarama 3 hours ago | parent | prev [-] | | Your "development build" is another person's daily driver. Case in point: GrapheneOS (or any other custom Android distro) is unlikely to be able to ever pass remote attestation, even a signed, secure boot build with the bootloader relocked, because it's not the original OS for the hardware. Same goes for any desktop Linux. | | |
| ▲ | inigyou an hour ago | parent [-] | | GrapheneOS implements its own attestation so you can attest that it's real GrapheneOS. The valid approach they've chosen is to try and get on a level playing field with the big guys rather than destroy the playing field. They have a good argument their OS is very secure, so you should accept its attestation. This is how a user-friendly OS backdoors into the attestation system. I still think destroying the playing field is better, but less likely to succeed. | | |
| ▲ | matheusmoreira 22 minutes ago | parent | next [-] | | > so you can attest This isn't about you attesting anything though. It's about corporations attesting that your device is 100% corporate owned. Can't have you running software that impacts their bottom line after all. GrapheneOS could be the most secure operating system to ever exist, it doesn't matter to the corporation because it's still under your control. When they say "security", they mean "the corporation's security against the user", not "the user's security against the hostile world out there". | |
| ▲ | HybridStatAnim8 22 minutes ago | parent | prev [-] | | GrapheneOS doesnt implement its own attestation. It simply inherits the existing, generic attestation system provided in the android open source project. Any fork of AOSP can provide this, the keys would just need to be whitelisted per OS. |
|
|
| |
| ▲ | charcircuit an hour ago | parent | prev [-] | | You can apply my same comment 1 layer up. The hypervisor maintains isolation between operating systems, so a free operating system being installed doesn't mean an app that needs a high security operating system is compromised. |
| |
| ▲ | matheusmoreira an hour ago | parent | prev [-] | | Then why can't we install whatever we want on "our" devices? | | |
| ▲ | charcircuit an hour ago | parent [-] | | Because you are buying a device without the feature of installing a custom OS. If you want a feature, buy a device offering it. | | |
| ▲ | matheusmoreira 25 minutes ago | parent [-] | | The whole point of this discussion is the trend towards societal scale denial of that feature by both market forces and governmental forces. There is no such a thing as "just buy a different device" when this "different device" is actively discriminated against to the point it's a paper weight. I wouldn't be surprised if remote attestation becomes necessary to even get an internet connection in the future. |
|
|
|