Widely deploying remote attestation as described in the doomsday scenario here is probably not possible, even if Microsoft wanted it. The blogpost largely just pose questions about potential danger without really describing how any of this would be achiveable. It’s lazy, really.
It’s simply too brittle outside of tightly controlled environments and would break far too often to actually give any consumer value.
Can a school run some WPA2 endpoint and restrict access based off on some Chromebook the school issues and validate it with an attestation protocol? Sure. It’s tightly controlled.
Is this going to be achiveable with everything from my self-built desktop running Windows and my random consumer-grade laptops? It would be an engineering marvel. Microsoft would need to be supplying tightly controlled hardware configurations to all consumers and uh….I don’t see how that would happen. The infrastructure needed to even begin validating this would be an interesting problem on it’s own.
The TPM has proved a total failure for the goal of providing a platform for remote attestation to verify Digital Restrictions Management. […] The only current uses of the “Trusted Platform Modules” are the innocent secondary uses—for instance, to verify that no one has surreptitiously changed the system in a computer. […] Therefore, we conclude that the “Trusted Platform Modules” available for PCs are not dangerous, and there is no reason not to include one in a computer or support it in system software.
Widely deploying remote attestation as described in the doomsday scenario here is probably not possible
It already happened on Android with many apps. There are no modern Android phones that aren’t shipped with Google certified keys inside the TPM. The claim that a large-scale deployment of such systems is not possible is quite foolish, given that it already happened to various ecosystems and such trends are only accelerating. The threat is real and serious. May I ask, do you have a smartphone? Android, iPhone? Do you have a banking app? Did you try to assert your ownership of the device by installing an operating system of your choice? How many apps were you unable to use afterwards?
Do you have a banking app? Did you try to assert your ownership of the device by installing an operating system of your choice? How many apps were you unable to use afterwards?
What you are demanding here is not “ownership of the device”, but ownership or ownership-like rights to third-party services and hardware. The bank will, I am certain, still serve you via their web site, via phone call, probably these days via SMS, and certainly if you just show up in-person at a branch. They are free to set out the terms on which you get access to their systems, and for some banks and some apps, one of the terms is “app, but only if we can verify you haven’t messed with it or with crucial system libraries it depends on”.
You’re free to dislike that. But you don’t have an inherent moral right to access their systems without their consent. They have the same ownership rights to their systems and networks and devices that you have to yours, and your unfettered right to tinker with your stuff ends where their stuff begins.
Also, in my experience most people have completely wrong ideas about the incentives that lead to things like this – it’s not that the bank hates your freedom, or that Google hates your freedom, or that either of them wants to take your freedom or your “ownership of the device” from you. That’s the mustache-twirling hyperbolic strawman I’ve already pointed out in my other comment.
Instead, it’s that large corporate environments have weird incentive systems to begin with, and for large corporate environments in heavily-regulated industries that weirdness is generally at least squared if not cubed. So, say, the website might get declared a low-trust environment and they check some boxes to say they’re properly securing it, while the app gets declared a high-trust environment and they just forbid access from a modified version or from a version where they can’t reliably detect if modification has occurred, and that checks the required corporate and regulatory boxes to ship the app, which is less effort than they had to put in for the site. Even if the app literally just embeds a web view. Even if it makes no sense right now, it’s often the cumulative result of a bunch of seemed-reasonable-at-the-time decisions that most people go through life unaware of.
(my personal favorite example of this, from healthcare – the highly-regulated industry with which I’m most familiar – is that in the US many entities clung to faxes well past the time when it made any technical sense, largely because of a weird quirk where US health-care regulations treated fax systems differently than basically all other electronic transmission methods, for reasons that make no sense whatsoever today but presumably did multiple decades ago when the decision was made)
Meanwhile, the nightmare dystopian scenario that, for years, people have been asserting would be the endgame for the deployment of all this stuff… has still not materialized. If it had, you wouldn’t have been able to “assert ownership of the device” in the first place, remember.
Although I don’t disagree with the main argument, saying things like “you are free not to use an iPhone or Android” is like saying “you are free to become a monk or live secluded in a jungle”. It is unrealistic and perpetrates the poor argument that most “people have a choice”, when it comes to social median, online services, identity etc. They don’t. Not even geeks. Try creating an eshop without integrating with Google (ads, analytics), Facebook, Twitter, Stripe, PayPal, Amazon… if you are Walmart you MIGHT pull it off, but otherwise good luck.
This is why it’s important to keep the door open to compatible third party implementations. Because without that, social forces become technological handcuffs.
Technology forms part of the social fabric, and therefore can interact with social forces. The classic example of this is copyleft and the free software movement. I’m not saying that FOSS was a great success, but it’s certainly true that it influenced the direction of software for 20 years or more.
As technologists, we should remember more often that technology does not exist outside of society and morality.
I already explained this in a way that makes it hard to take your reply as being in good faith, but I’ll explain it again: you’re free to modify the things you own. You’re not free to demand unlimited/unrestricted access to the things other people own.
So the bank is free to set hours when their branch is open and say they won’t provide in-person service at the branch outside of those hours, no matter how much some people might insist this infringes their freedom to come in when they want to. They’re free to set a “shirt and shoes required” policy for receiving service at the branch, no matter how much some people might insist this infringes their freedom to come in dressed as they please.
And they’re free to set rules for accessing their systems via network connection.
Sometimes those rules include “mobile app, but only if we can verify it hasn’t been tampered with”, and it’s their right to do that no matter how much some people might insist this infringes their freedom to tinker with their devices.
As I said already, that freedom to tinker ends where someone else’s systems and devices begin. You don’t own the bank’s systems. Therefore you don’t get to dictate to them how and on what terms you’ll access those systems, no matter how much you might like to, because they have the same ownership rights to their systems and devices that you have to yours.
So the bank is free to set hours when their branch is open and say they won’t provide in-person service at the branch outside of those hours
But it isn’t free to demand complete control of the contents of cars on nearby roads. No matter how much the ability to inspect them may reduce bank robberies.
The bank may want the ability to inspect your car, but society doesn’t need to say yes to every misguided request.
But it isn’t free to demand complete control of the contents of cars on nearby roads.
That analogy doesn’t work, because “nearby roads” aren’t the bank’s property.
So if you want to go with that analogy and make it work: the bank branch may have drive-through facilities, and they may not accommodate all vehicle types. Say, due to lane width, a huge pickup truck or SUV might not fit, or due to the height of the covering over the lane, a very tall vehicle might not fit.
You still have the freedom to buy and drive a vehicle that doesn’t fit in the drive-through lane. But you don’t have the right to demand the bank rebuild the drive-through lane to accommodate you. They’re free to tell you to park and come inside, or use the ATM, or bank online, or any of the other methods they offer.
And, again, there is no situation in which “ownership of your device” creates a moral right to demand access to systems owned by others on terms you dictate. If the bank doesn’t want to grant you access on your preferred terms, they don’t have to; they can set their own terms for access to their systems and (subject to local laws about accessibility, etc.) enforce those terms.
(also, in some jurisdictions the bank absolutely could regulate the “contents of cars” on the bank’s property – for example, the bank could post a sign saying no firearms are permitted on the bank’s property, and that would apply equally to one stored in a car as it would to one brought inside the branch)
Your car is your property. But when you want to use your car on someone else’s property they can make rules about it. For example, where you can park, how fast you can drive, which direction you can drive, and so on.
Your networked device is your property. But when you want to use your networked device to access someone else’s devices/systems, which are their property and not yours, they can make rules about it.
I’ve explained this now multiple times, and I don’t see how any legitimate difficulty could still exist in understanding the point I’m making.
Yes, I understand that it is technically legal for them to do this. Technically legal is not the same as desirable. It’s a horrifyingly dystopian future being described here, and painted as desirable because it is possible.
I want a way off this ride, and I don’t see one.
No, “stop keeping your money in banks” is not a serious option.
No, I do not use Linux, Windows, or OSX.
Yes, I already refuse to install apps for this on my phone – I use my phone exclusively for tethering, maps, and getting paged when I am on call for work. I do not trust it to act in my best interests, and I do not want enforced software that I dislike spread to the rest of my computing devices.
Your networked device is your property. But when you want to use your networked device to access someone else’s devices/systems, which are their property and not yours, they can make rules about it.
It would probably be legal for a bank to require you to install a GPS tracker on your car to gain access to the bank. It would be safer for the bank if they could track the location of possible getaway cars. It would be safer for the bank to ensure that you didn’t go into sketchy neighborhoods where you could get mugged and have your bank cards stolen.
But I don’t think a future where banks remotely enforcing what you do with your car is a good one. It’s not worth the safety.
Every time I point out that the analogy falls apart when you try to extend control past the bank’s property line, you propose another analogy which extends control past the bank’s property line.
What do you mean, “extend control past the bank’s property line?”.
In this analogy, the bank allows you to drive cars without GPS trackers; They just require you to have one installed to engage with them. They’re not controlling your property –you’re voluntarily complying with their business requirements. It’s just them choosing how you engage with their business. You can avoid getting a GPS tracker so long as you don’t set foot on a bank’s property.
This is less hypothetical than it sounds. While I’m not aware of banks pushing for GPS information, insurance companies already want this information in order to dynamically adjust rates based on driving habits, and to attribute blame more accurately in collisions.
I’ve interviewed for an offshoot of State Farm that was established to explore exactly this. The interviewer was very excited about the increased safety you’d get because drivers would know they’re being watched. This was a few years ago – today, of course, you’d need to do some remote attestation to ensure that the system wasn’t tampered with and the data was transmitted with full integrity.
Once this pool of data is established for analysis, it becomes very tempting for law enforcement, less pleasant regimes, and three letter agencies to access it.
Also, in my experience most people have completely wrong ideas about the
incentives that lead to things like this – it’s not that the bank hates
your freedom, or that Google hates your freedom, or that either of them
wants to take your freedom or your “ownership of the device” from you.
Let’s ignore the fact that large corporations have a long and
well-documented history of nefarious behavior. I mean, one of the first
corporations in the west was the British East India Company. Calling
it nefarious is a huge understatement. But that’s all not quite
relevant to the point I’m making.
Instead, it’s that large corporate environments have weird incentive
systems to begin with, and for large corporate environments in
heavily-regulated industries that weirdness is generally at least
squared if not cubed.
Fine. Does it truly matter if the reason is maliciousness or ignorant
apathy combined with perverse incentives, if the end result is still the
same? A difference which makes no difference is no difference at all.
What I’m seeing is gradual disempowerment of people, not some quick
power grab. And I don’t care what the reasons are, if the results are
still the same.
Every time this discussion comes up on Lobsters, you trot out the
comic-book villain trope as a way to belittle the people you disagree
with. A box-ticking technocrat can be just as harmful as a villain.
Does it truly matter if the reason is maliciousness or ignorant apathy combined with perverse incentives, if the end result is still the same?
Except the end result is not the same. The freedom-hating cartoon villain would not give you a way out. Yet out here in the real world you do get a way out. And as I pointed out, it’s been getting finer-grained over time so that you actually have even more control over which security features you want on and which ones you want off.
This is not how an actual “war on general-purpose computing” would be waged!
Every time this discussion comes up on Lobsters, you trot out the comic-book villain trope as a way to belittle the people you disagree with. A box-ticking technocrat can be just as harmful as a villain.
My central assertion is that the Free Software movement and its adherents are actively hostile to security measures that are A) reasonable, B) desired by and C) accepted by much of the market, and that this hostility goes all the way back to the early days with Stallman writing purple prose about how he was standing up for “the masses” by having GNU su refuse to support a “wheel” or equivalent group. Today that manifests itself as reflexive hyperbolic opposition to fairly banal system security enhancements, which inspire yet more reams of purple prose.
I further note that this opposition relies on appeals to emotion, especially fear (they’re coming for your freedom!), and on erecting straw-man opponents to knock down, neither of which is a particularly honest rhetorical tactic.
And finally, this opposition also doesn’t stand up to even the slightest bit of actual scrutiny or comparison to what’s occurring in the real world, and on that theme I note you yourself largely refused to actually engage with any of the points I made, and instead went meta and tried to tone-police how I made the points, or the fact that I was making them at all.
Yes, and the industry trend is to slowly extend that to more computing devices, including PCs. And, in this very thread, we have someone who is arguing that not only is it a company’s right, it’s effectively their duty, to ensure users aren’t tampering with their computing devices so that bad actors can’t compromise them.
The hyperbole around this stuff runs into the inconvenient fact that all the horrible things have been technically possible for a very long time, using only features that already exist on consumer hardware and consumer operating systems, and yet the predicted dystopia… has not arrived.
Microsoft has been theoretically able to fully lock down laptops and desktops for years. Apple has been theoretically able to fully lock down laptops and desktops for years. The reason they haven’t is not that they lack the one final piece of the freedom-destroying superweapon that will finally let them power it on, and it is not that scrappy freedom-warriors on the internet have pushed back too hard. The reason they haven’t is that destroying freedom is not, and never has been, their goal.
So, so much of the argumentation around this stuff relies on building up strawmen and knocking them down. In the real world, there are no mustache-twirling executives cackling about how this time, finally, they will succeed at destroying freedom forever and bringing an end to general-purpose computing. There are just ordinary, usually really tired, people doing things for honestly pretty ordinary and banal reasons, and we generally will do best by taking their statements at face value: that they’re doing it for security, which is something both corporate and consumer users are loudly demanding.
A lot of people are tired of living in constant fear. Fear that looking at, or in some cases just being a recipient of, the wrong email or the wrong text message or the wrong PDF or the wrong link will silently and completely compromise their systems. Fear of malicious actors, both remote and intimate. Fear of being fired if they slip up and make even the tiniest mistake instead of being a perfect “human firewall”. Fear of all manner of things that we can prevent by default if we just choose to.
So we get more and more systems that have those protections by default. That let you just use it without being afraid. And if you want to live dangerously, you still can. The “I know what I’m doing” escape hatches are there! They’re even getting finer-grained over time, so that you can choose just how dangerously you want to live. You can turn off bits and pieces, or go all-in and replace the OS entirely. This is not the progression we would see in a world where the vendors were waging a “war on general-purpose computing”, and the actual observed state of the world is the strongest possible counterargument against the existence of such a “war”.
And yet we still get hyperbole like this article. I’m so, so tired of it at this point.
I don’t think it is not possible. Obviously game publishers already want this solution, windows 11 requires the chip (or will require the new one too, doesn’t make a difference), and if you ever owned an android device, you’ll know how many apps break when you install your own android copy.
I can definitely imagine banks and other services rolling this out as a requirement. Developing a new browser is already hard enough, but if only 10% of the services under cloudflare require this in the future, you’re basically locked out of using linux/owned android/new browsers. We have a regular inspection requirement in germany for all vehicles on the street, for the safety of others. Maybe this will come one day for the internet, simply because that could reduce the amount of spammers and bots.
Let’s spin this idea further: There is a law in germany that you’re responsible for your network connection. What if because of that you’ll not be allowed on public wifi anymore, without such an attestation ? No more headaches due to compromised devices.
It has steadily become harder and more costly to unlock your bootloader and root your phone. The amount of rooted phones has gone down over time severely. The easy corporate friendly narrative is that they’ve given users a better experience and more control without root. This has some genuine truth to it! But the central issue is more related to how rooting is such a huge pain in the ass and loses you access to enough apps that even powers users have given up.
I’m not sure what it will take for people to recognize that this is not healthy and that it leads to a concentration of technological power away from the hands of users and more into the hands of corporations. If you have a healthy user base with root they can push back against bloatware, abusive telemetry and OEM spyware for starters. If however you have a root population of <2% then none of this matters.
All it takes is for a couple of apps a lot of people rely on to tick that box and make it so rooted users can’t use them, and suddenly root becomes so much less attractive to users. This eviscerates the resources the power user community has (by reducing its population) and people outright forget what benefits device control would have because nobody is even capable of demonstrating that anymore.
This is not about rights. This isn’t about whether you should or not have the right to access your banking app with root. Let’s stop thinking in terms of who is owed what and start thinking in terms of the world we want to live in. If you want to use root and avoid detection, the OS conspires against you. Steadily root population has been trimmed down via various measures and market conditions and now it is feasible for every app in the world to make it impossible for its users to continue using the app while having root.
They aren’t doing it because they’re moustache twirling villains, as another poster put it. They’re doing it because the cost of losing all rooted app users is tiny and it makes their security department happy. Ultimately their reasons don’t matter because the result is the same – the increased domestication of the user and consolidation of user population into specific settings that the OS developer approves of. The more users get into this approved band of user settings, the lower the cost of discriminating against everyone else.
Look at what the post actually mentioned. That MacOS will allow you to bypass captchas via remote attestation. Sounds great for the user! The problem is that once you have 80% of the userbase on this fast track, it becomes much more easy for Cloudflare to ramp up captcha frequency for the rest of the users. And now Cloudflare suddenly relies on MacOS ensuring that users on its platform minimize behaviors Cloudflare dislikes. Sure, even this case I’m presenting is hypothetical. The case itself is less important than the fact that we already have all the incentives aligned to produce this future trend: OS developers and big companies shaking hands to make life more convenient for attested users (that have the settings Apple / Microsoft / Google want them to have) while leaving others behind. Now it’s just one nice feature, but in the future there can be many.
Our lives are tiresome and complicated, convenience is a real resource we want access to, it’s not some luxury nobody really needs if they “actually” cared about freedom enough.
Over the years Android and Windows have become less free by about every metric I can think of. 15 years ago, the idea of your OS forcing you to restart to update would have been considered unacceptable. Now you will see apologists for it on even the supposedly “hardcore” software communities. The overton window has shifted so much that you have to be extremely optimistic to think it will not shift further – you are not immune to this overton window.
Remote Attestation is yet another piece of technology that has the potential to curtail what a user can do with their own devices. It will probably not be used in an obviously doomsday way. These companies have PR failures commonly, but they’re neither dumb nor evil, they’ll find genuine reasons, genuine benefits. They’ll use their vast access to social network to propagate ideas about these great benefits. We already have people on here and HN that hate politics and love tech and they don’t like seeing these heated political discussions that reek of hysteria. They are prime targets to become apologists corporations on these issues. It’s not a conscious effort by companies or said users, it’s just the structure of the social network. This results in users forgetting a bit more about how life could be with more user control. And that’s how the gap between consumer and corporation will be allowed grow. The expansion of this tech will be gradual, nobody will make it impossible to install Linux. Microsoft will not risk something that can get the EU in a legislative mood.
The fact that Microsoft pushed so hard for everyone to have TPM gives us a genuine signal of how important this is for them – it’s a hint they would really like to milk this technology in the future. This whole line of argument about “if they wanted to destroy free software, they could have done it ages ago, they don’t need Pluton” is fallacious. Microsoft doesn’t care about free software in the abstract. Free software won’t die by Microsoft consciously attacking it. It will wither away by big corporations creating a technological platform to which major service providers subscribe to, where alternative free platforms are second class citizens which lesser features, reduced convenience.
DRM is also a major threat where TPM can be leveraged to great effect. Regardless of your opinion on piracy, DRM has caused genuine harm to its users, the net effect is extremely negative. Based on how the current overton window is around piracy and how it’s difficult to get people to care enough about this even on HackerNews, Microsoft would have no problem expanding its DRM capabilities using Remote Attestation. We can talk shit all we want about how “companies have the right to exclude certain users that do x, y, z with their computers” – the end result will still be net negative for everyone except those companies.
If this again sounds like empty rhetoric to you, consider that if I’m wrong about being “dystopic”, and techniques like remote attestation and root detection are kept to a minimum, the average user loses almost nothing.
If I’m right and nothing is done, we become technological lumpenproles and the past will look like a golden age by comparison.
Since you’re obviously arguing with me despite not doing it in a reply to me, I’ll just point out that your moral theory is missing a big piece: effects on other people.
Say, for example, that you don’t want to have Windows force an update on you. OK, now what? Refusing to apply security updates isn’t just a you problem – you refusing to apply security updates can very easily turn your system into an attacker of my systems. Do I have a right to say that as a condition of network access to my systems you must agree to be a good steward of your systems and take at least some basic steps to prevent that?
And before you give an immediate answer rooted in freedom, remember that out in the real world this kind of “limit what you can do with your property, to protect others” is already a standard thing. If you own a piece of land that a river flows through, for example, you’re not completely free to do what you want with it, because what you do to the water in the river can and will affect others’ properties downstream of you.
So if you want absolute freedom with your devices, fine. Just don’t expect the rest of us to be willing to be on the same network as you when you do it, because your choices can affect the rest of us, and our property, and when that happens we have every right to step in and tell you to act in a way that only affects you. Which may involve denying you networked access to everyone else’s property.
I’ll just point out that your moral theory is missing a big piece: effects on other people.
I don’t think this is a missing piece in my moral theory any more than yours. It’s not like you spared a single line to actually consider the negative effects on other people in your posts. But I don’t hold that against you since we have different values and focus on different areas.
I’ve considered knock-on security effects, I just have no reason to believe they are significant enough to warrant this kind of behavior from software corporations AND I have no reason to believe that measures which I consider invasive and restrictive are the best possible solution out there. Other kinds of measures exist.
you refusing to apply security updates can very easily turn your system into an attacker of my systems.
Sure, this is true, I am just arguing that the pendulum is swinging dramatically in one direction and I do not think it is for the good of the users at large and have not seen anywhere near enough evidence to suggest otherwise. The world of computing existed before these measures and didn’t collapse in on itself. Of course you can say that attackers were not as sophisticated in the past, but the truth is that the world got along and security can get better without things like Google and phone manufacturers making life hell for people that value rooting their phone.
The trade-off corporations choose to set matter dramatically. Users don’t get to choose anything other than “do I want to uproot my entire life for a significant portion of time and give up on Windows because I don’t agree with their trade-offs in this version?”.
And before you give an immediate answer rooted in freedom, remember that out in the real world this kind of “limit what you can do with your property, to protect others” is already a standard thing. If you own a piece of land that a river flows through, for example, you’re not completely free to do what you want with it, because what you do to the water in the river can and will affect others’ properties downstream of you.
I am aware of the concept of negative externalities. It’s not a matter of whether they exist, it’s a matter of magnitude and whether other recourses exist.
If you could incarnate the incentives of corporations into a person and question that person how much user control there should be, the answer would be “as little as possible that still keeps the platform attractive”. If you ask them how much user control should be sacrificed in exchange for security, they will say “as much as possible”, but note that “security” here is not “the user’s security”. It has overlap with the user’s security, but it primarily refers to the security of their systems, the convenience that security affords them, and the reputation gains from being seen as a “secure platform”. More often than not, it’s security by restriction – it’s not the expansion of platform features to empower the user to do more things securely. It’s the restriction of user power in the service of security, which is then presented as a new feature.
(Disclaimer that not all corporations are like this, but the vast majority of big tech is like this.)
So if you want absolute freedom with your devices, fine. Just don’t expect the rest of us to be willing to be on the same network as you when you do it, because your choices can affect the rest of us, and our property, and when that happens we have every right to step in and tell you to act in a way that only affects you. Which may involve denying you networked access to everyone else’s property.
Because you might be affected, you think that you and people like you should get to choose how much people that disagree get to be part of modern society? This is how you’re making it sound to me, whether you want to or not. Losing access to a few critical services (banking apps, play store, gmail, gcal, facebook, twitter etc.) can cripple your ability to network and/or massively reduce your convenience. Inflicting that on someone because they’re not as security-minded as you seems like an unhealthy and unfair approach in the absence of evidence regarding the necessity and utility of these measures. People have begun waking up to the amount of influence these technologies over our daily lives that the discourse has started to shift towards considering them as public utilities where the service provider has fewer rights to discriminate, not more. I don’t say think I conceptually agree with this framing, but it gives you some impression of how important addressing this power imbalance has become to people.
Secondly, this isn’t the early 00s where spam and worms genuinely threatened to bring email as a service worldwide to its knees. Your network will be fine without further reductions in user control.
The way you phrased this paragraph makes it sound as if you’re part of the group deciding this. You are verbally associating yourself with the agents of corporations that have all of the power, but that association is just that – a one sided verbal association. Unless you are an executive at Microsoft, the “you” in this case does not actually have any power. These measures aren’t driven by societal consensus. They’re driven by what corporations can get away with in a market that is dominated by users that are too busy to want to care and too non-technical to be able to care. But just because they can’t discriminate on these matters doesn’t mean that whatever Apple, Google and Microsoft decide is good for them.
Ultimately, there’s always many ways to make your own device more secure. And there are ways to make networks more secure without moving the onus so much on user nodes. But there is very little way for people to circumvent certain kinds platform-side decisions of their tech providers - SafetyNet definitely falls within this category. The idea that users need to give up significant control just to make life easier for the networks and services they often pay for is unsupported to me.
I don’t want our exchange to be particularly hostile and I already feel apologetic for not having been able to find more common ground. But I simply don’t get where you’re coming from or why you’re defending the “rights” of network providers (which I find a weird way to focus the conversation), when the discussion itself is fruitless to phrase in terms of rights.
It’s a jockeying for power over what the future of computing will look like – one where users that don’t work for big tech can have a hand in shaping the digital landscape and make devices serve them OR one where devices exist primarily to be as convenient as possible for corporations, and in which alternative devices do not exist because FOSS has failed to keep up its tech stack and corporations have similar levels of device lockdown across all their products, providing no alternative in the market (This is basically 90% already the case with phones).
The security measures of the old days didn’t have to deal with the number of always-on, always-networked devices we have today, and the new threat models which come from that. Claiming that computing “existed… and didn’t collapse in on itself” in the past is no guarantee that the past’s security techniques will be sufficient for the future.
Many modern systems take away your freedom to have a chunk of memory both writable and executable at the same time, for example. Computing didn’t “collapse in on itself” before that, so should we reject W^X models?
It’s a jockeying for power over what the future of computing will look like – one where users that don’t work for big tech can have a hand in shaping the digital landscape and make devices serve them OR one where devices exist primarily to be as convenient as possible for corporations
There already is at least one counterexample in this very thread for remote attestation being useful to entities that aren’t “corporations”. I also do not happen to share the axiomatic beliefs you appear to hold about “corporations” in general – all the wonderful FOSS you no doubt use and love exists today largely because of corporations sponsoring and supporting development, for their own ends!
device lockdown across all their products, providing no alternative in the market (This is basically 90% already the case with phones).
I have never personally treated phones or even most tablets as truly “general-purpose computing” devices. I don’t really want to write code on my phone, or even on the tablet where I’m typing this comment, because the form factor and input mechanisms are horrible for that use case. When I want “general-purpose computing” I turn to a laptop or desktop computer, or to a server running somewhere. And the market seems to be content with that segmentation. If Apple or Microsoft wanted to fully lock down laptops and desktops they already could – they’ve had the technical capabilities for years! – but the fact that they haven’t, and are giving no indication of wanting to, should be a big big sign that people are incorrect in assuming that their imagined dystopia is the explicit and inevitable goal.
(which isn’t taking into account that you explicitly can root at least Android phones, but that gets into the “nobody else is required to network with you after you do” issue that people seem to have trouble accepting)
I don’t really want to write code on my phone, or even on the tablet where I’m typing this comment, because the form factor and input mechanisms are horrible for that use case.
Sure, doing the actual coding on a tablet, never mind a phone, isn’t practical. But you should be able to modify the code that runs on your phone and tablet, including platform code, and use such modifications written by others that will never be blessed by the platform vendor. The big platforms don’t serve all users equally well, and users should be free to work around deficiencies in their platforms without then being unfairly discriminated against by applications. This is where I’ll tie this subthread together with a discussion you had with @teiresias, who said that he doesn’t support unrestricted freedom of association because he’s a member of a minority. I’m a member of the same minority (well, kind of; I’m not totally blind but legally blind), and I believe that we shouldn’t be forced to rely on the accessibility solutions handed down to us by platform vendors. We should be free to hack on our own solutions to accessibility problems, at whatever layer(s) of the stack we must. This is why I think applications shouldn’t deny us access simply because we’re not running a stock version of the OS, especially if the OS (e.g. Android) is ostensibly open-source.
This is getting to a more productive way to discuss things!
And that’s fine. If you go back and read my initial comments, my issue is with people who want to take an absolutist/moralizing stance based on abstract arguments of “freedom”. That basically always ends uselessly, because they end up defining their position to be the only morally good one (how could it not be? Who would be against freedom?) and anyone who disagrees as morally wrong (since, after all, anyone who disagrees is anti-freedom by definition).
Before any kind of actual productive discussion about the merits of something like remote attestation can even begin, that framing has to be attacked and broken down. Which is what I have tried repeatedly to do here.
And when it comes to the actual discussion, there aren’t any easy answers. There are legitimate issues that might make some entities – especially ones in highly-regulated fields – not want to allow use of an app unless they can verify certain security properties about it. Which then gets into debates about what methods of access they’re obligated to provide, how we’ll ensure that they’re provided equitably, and so on. And as other commenters have pointed out, attestation goes both ways and also lets a user establish trust of a remote service, which is a positive.
But we can’t have those debates if people jump straight into the “I am for freedom, and everyone who disagrees with me on this issue is against freedom” stance.
Anyone who knows me can confirm that I’m far from a software freedom absolutist. I even worked on the Windows accessibility team at Microsoft. But I felt some cognitive dissonance the whole time that I was there, because I felt I had become part of an elite group where I believe there shouldn’t be an elite at all. @Anvoker captured this in one of their comments:
what the future of computing will look like – one where users that don’t work for big tech can have a hand in shaping the digital landscape and make devices serve them OR one where devices exist primarily to be as convenient as possible for corporations, and in which alternative devices do not exist because FOSS has failed to keep up its tech stack and corporations have similar levels of device lockdown across all their products, providing no alternative in the market
I want the former. To make it more concrete, I want all disabled programmers to be free to help adapt our devices for our needs (and the needs of non-programmers as well), not just the handful of us that happen to land a job at one of the big tech companies. I took that job in part because I was afraid Windows was headed toward being fully locked down, and I figured I should try to make the best of it.
Even now, I’m not fully consistent; I currently use an iPhone, because it just works better for me than Android, and when I was using an Android phone, I never got serious about hacking it. But others should be able to. Especially future generations of kids who have more time to do such things.
On the general subject of where the line should be drawn between the user’s freedom and the security requirements of services such as banks, I think such services should accept connections from any client that implements the relevant protocols and can authenticate itself as an authorized user of the service. I can see why enforcing the latter requirement would be helped by remote attestation of a secure enclave or similar, to guard against authentication tokens being compromised. But requiring the app to be running on a fully unmodified OEM OS image, including all the UI components that are included in such an image, seems excessive to me. And if I’m not mistaken, that’s what SafetyNet for Android does.
Say, for example, that you don’t want to have Windows force an update on
you. OK, now what? Refusing to apply security updates isn’t just a you
problem – you refusing to apply security updates can very easily turn
your system into an attacker of my systems. Do I have a right to say
that as a condition of network access to my systems you must agree to be
a good steward of your systems and take at least some basic steps to
prevent that?
If your systems were updated, the point would be moot, because the
attempted attacks would be fruitless. Seems like a bit of a strawman.
And the illusion of security you might have from controlling what I do
with my systems is just that: an illusion. If your systems are at risk,
then they’re at risk regardless of what I’m doing, because bad actors
will not play by the rules. In this society, there’s always a way
around the rules if you have enough money and resources.
ubernostrum is saying that because you don’t update your system as fast possible, your system may be subverted by an attacker and be leveraged in a subsequent attack on different systems or the network.
What you’re doing with your system affects the chance that your computer is compromised and used in other attacks. The point is logically valid, I just don’t think the magnitude of the problem can justify the trajectory of loss of user control that we’re on currently. And I don’t see the loss of user control as actually addressing this problem. Services aren’t going to get DDoSed less because my banking app forbids me service due to root.
I just don’t think the magnitude of the problem can justify the trajectory of loss of user control that we’re on currently
We live in a world where brand-new consumer devices fresh out of the box get pwned within minutes of being connected to the internet. We live in a world where brand-new installs of content-management systems get pwned within minutes of being turned on. We live in a world where ransomware attacks and data breaches are rampant, virtually all of them targeting entities which refused to engage in some simple and reasonable preventive practices.
We live in a world where the devices and systems that don’t have these problems, or don’t have them to anywhere near the same degree, are the ones you’re arguing against.
So in addition to overestimating the loss of “user control”, I think you also drastically underestimate the scope of the problem.
If your systems were updated, the point would be moot, because the attempted attacks would be fruitless
This is “if you believe vaccines work then it doesn’t matter if I get vaccinated because you will never get the disease anyway right?” And it’s wrong for similar reasons. I’m “vulnerable” to DDoS regardless of my security patch status, and like vaccines DDoS is partially a statistics game, for again similar reasons. We need “most” machines to be patched for the inevitable unpatched botnets to be small enough to not matter.
This is “if you believe vaccines work then it doesn’t matter if I get
vaccinated because you will never get the disease anyway right?”
Thanks for comparing me to an anti-vaxer. Let’s get back to the
discussion at hand.
I argue that ceding control to manufacturers does not in fact imply
greater security for end users. My story below is worth telling, even
though I told it in at least two other threads.
Take, for example, my Motorola G6 smartphone. It came from Amazon,
bought as a Prime “exclusive”, new for a really good price. There were
strings attached, but I didn’t realize it until it was too late.
The bootloader is locked. It stopped receiving security updates in
2020, two years after I bought it. I cannot unlock the bootloader
through Motorola’s unlocking program, because the device was gotten
through Amazon. I cannot install an up to date ROM on the thing. My
hands are tied.
This is what happens when manufacturers have nearly complete control
over the devices that you bought and paid for. You are at their mercy.
They can force planned obsolescence on you, or prevent you from
maintaining a perfectly good and usable piece of hardware.
I would love to have regular security updates on my phone again.
I challenge anyone who really believes that restricting my use of my
device leads to greater security to put their money where their mouth
is. I’d love to sell a Motorola G6 in good condition. The price is
negotiable, as long as it’s above $60.
And the illusion of security you might have from controlling what I do with my systems is just that: an illusion.
Right now, for the record: do you believe that I have freedom of association? Yes or no?
Because if I do, I can choose who to associate with, for whatever reasons I choose, and you don’t get to force me to do otherwise. It’s not “controlling what you do” for me to say I won’t associate with you, it’s just… me choosing who I will and won’t associate with.
And my freedom of association extends to the network level. If I don’t want to accept traffic from you, you cannot force me to. That’s not me “controlling what you do”, that’s just me choosing who I will and won’t associate with. You are the one demanding to control me and my systems by hinting that I might not have freedom of association, or that you might argue I should be forced to associate with you and accept your traffic even when I don’t want to.
Right now, for the record: do you believe that I have freedom of
association? Yes or no?
No. But read the long answer. Not absolutely, because absolute freedom
of association has been used to justify all manner of discrimination
against minorities. I’m a member of a minority group, so I’m not down
with the absolute freedom to discriminate.
You’re still not going to get to where you want to be, though – yes, many jurisdictions have carved out exceptions to freedom of association to prevent discrimination against minority groups, but they’ve done so due to demonstrated, long-term historical persecution and violence against those groups due to attributes over which they have no control and in which they had no choice, such as their perceived race or ethnicity. People, say, who want to root their Android phones are not one of those groups, so forcing everyone to associate with them is not a justifiable exception, to me.
Do I have a right to say that as a condition of network access to my systems you must agree to be a good steward of your systems and take at least some basic steps to prevent that?
I don’t think anyone’s saying you don’t or shouldn’t have the option to do that. Anvoker seems to be saying “Hey, we’ve observed how technology like this has been used to degrade the user experience, and it will continue to get worse unless we discourage the use of technology this way.”
It’s really cool and fair enough you want to control how we use our systems for the sake of your own. That has trended towards not ending well for the freedom of anyone involved except corporate actors.
Anvoker seems to be saying “Hey, we’ve observed how technology like this has been used to degrade the user experience, and it will continue to get worse unless we discourage the use of technology this way.”
And I’ve already pointed out that the reason why vendors have been moving to more-secure-by-default systems is the superior user experience. Which is to say: the user experience that comes with reduced fear of anything and everything potentially being a security issue.
It’s really cool and fair enough you want to control how we use our systems for the sake of your own.
I have the right to choose who I will and will not associate with, including at a network level. You’re still free to do whatever you want with your devices, just not to also demand that I engage in unrestricted networked communication with you. Any other arrangement would be you dictating to me what I must do with my own property. Which you assert has bad outcomes, so it’s surprising that you seem to want that.
We’re clearly going to be at-odds in determining which experiences are superior for which groups of users.
I have the right to choose who I will and will not associate with, including at a network level.
I don’t believe people are saying you can’t choose. I’m for sure not. You have that right, just users including myself have the right to try and discourage the implementation of these features.
The big win for freedom with remote attestation comes from confidential cloud computing. This lets me rent a server in someone else’s data centre and get a strong guarantee that they haven’t tampered with the program I want to run. I can then choose to provision it with encryption keys that let it access encrypted data and have strong guarantees that the cloud provider can’t see the data.
Once you invert the usage model, all of these technologies become things that protect freedom, rather than restricting it. For example, Signal uses this exact technology to allow you to recover an account if you lose your phone, while providing the kinds of rate limits on PIN attempts that you’d normally be able to enforce only with a physically secured device.
That’s an interesting thought I hadn’t considered before, but I’m somewhat skeptical, considering that have ton of people using Google cloud services that report you to the police for CSAM without human oversight. Because the debate is lost on “think of the children”, I don’t see how we’ll actually have confidential cloud computing even if it becomes technologically feasible. I also don’t see the industry getting behind using remote attestation in this way that helps freedom. But I can see some knock on effect from companies wanting their cloud computing to be secure and confidential, and this trickling down to more common users.
How do you imagine this tech spreading in a way that is pro-freedom?
We (Azure) are actively working on shipping this (and have already launched some things in this space with others announced). Governments are always a bit conflicted, but generally politicians don’t like the idea that we could get at their financial or medical information simply because their bank or hospital uses our services. Similarly, regulators in these sectors want strong legal and technical guarantees that anyone using cloud services is protected against insider threats at the cloud provider.
You can now deploy container instances to Azure and have them run in AMD SEV-SNP VMs, where all memory is encrypted in use and where you get a remote attestation over the container image hash, so that you can be sure that we haven’t tampered with the contents. I wrote about our vision for this last year.
Nothing?
Widely deploying remote attestation as described in the doomsday scenario here is probably not possible, even if Microsoft wanted it. The blogpost largely just pose questions about potential danger without really describing how any of this would be achiveable. It’s lazy, really.
It’s simply too brittle outside of tightly controlled environments and would break far too often to actually give any consumer value.
Can a school run some WPA2 endpoint and restrict access based off on some Chromebook the school issues and validate it with an attestation protocol? Sure. It’s tightly controlled.
Is this going to be achiveable with everything from my self-built desktop running Windows and my random consumer-grade laptops? It would be an engineering marvel. Microsoft would need to be supplying tightly controlled hardware configurations to all consumers and uh….I don’t see how that would happen. The infrastructure needed to even begin validating this would be an interesting problem on it’s own.
I still think Matthews take on this is the better one. Pluton is not (currently) a threat to software freedom
If you also care about the opinion of the FSF/Richard Stallman: They went back on their stance about TPMs in 2015. https://www.gnu.org/philosophy/can-you-trust.en.html
It already happened on Android with many apps. There are no modern Android phones that aren’t shipped with Google certified keys inside the TPM. The claim that a large-scale deployment of such systems is not possible is quite foolish, given that it already happened to various ecosystems and such trends are only accelerating. The threat is real and serious. May I ask, do you have a smartphone? Android, iPhone? Do you have a banking app? Did you try to assert your ownership of the device by installing an operating system of your choice? How many apps were you unable to use afterwards?
What you are demanding here is not “ownership of the device”, but ownership or ownership-like rights to third-party services and hardware. The bank will, I am certain, still serve you via their web site, via phone call, probably these days via SMS, and certainly if you just show up in-person at a branch. They are free to set out the terms on which you get access to their systems, and for some banks and some apps, one of the terms is “app, but only if we can verify you haven’t messed with it or with crucial system libraries it depends on”.
You’re free to dislike that. But you don’t have an inherent moral right to access their systems without their consent. They have the same ownership rights to their systems and networks and devices that you have to yours, and your unfettered right to tinker with your stuff ends where their stuff begins.
Also, in my experience most people have completely wrong ideas about the incentives that lead to things like this – it’s not that the bank hates your freedom, or that Google hates your freedom, or that either of them wants to take your freedom or your “ownership of the device” from you. That’s the mustache-twirling hyperbolic strawman I’ve already pointed out in my other comment.
Instead, it’s that large corporate environments have weird incentive systems to begin with, and for large corporate environments in heavily-regulated industries that weirdness is generally at least squared if not cubed. So, say, the website might get declared a low-trust environment and they check some boxes to say they’re properly securing it, while the app gets declared a high-trust environment and they just forbid access from a modified version or from a version where they can’t reliably detect if modification has occurred, and that checks the required corporate and regulatory boxes to ship the app, which is less effort than they had to put in for the site. Even if the app literally just embeds a web view. Even if it makes no sense right now, it’s often the cumulative result of a bunch of seemed-reasonable-at-the-time decisions that most people go through life unaware of.
(my personal favorite example of this, from healthcare – the highly-regulated industry with which I’m most familiar – is that in the US many entities clung to faxes well past the time when it made any technical sense, largely because of a weird quirk where US health-care regulations treated fax systems differently than basically all other electronic transmission methods, for reasons that make no sense whatsoever today but presumably did multiple decades ago when the decision was made)
Meanwhile, the nightmare dystopian scenario that, for years, people have been asserting would be the endgame for the deployment of all this stuff… has still not materialized. If it had, you wouldn’t have been able to “assert ownership of the device” in the first place, remember.
Although I don’t disagree with the main argument, saying things like “you are free not to use an iPhone or Android” is like saying “you are free to become a monk or live secluded in a jungle”. It is unrealistic and perpetrates the poor argument that most “people have a choice”, when it comes to social median, online services, identity etc. They don’t. Not even geeks. Try creating an eshop without integrating with Google (ads, analytics), Facebook, Twitter, Stripe, PayPal, Amazon… if you are Walmart you MIGHT pull it off, but otherwise good luck.
All of the things you mention in your example of setting up an online shop are pushed on you by social forces, not by technological handcuffs.
There is no technological solution to the social forces.
This is why it’s important to keep the door open to compatible third party implementations. Because without that, social forces become technological handcuffs.
Technology forms part of the social fabric, and therefore can interact with social forces. The classic example of this is copyleft and the free software movement. I’m not saying that FOSS was a great success, but it’s certainly true that it influenced the direction of software for 20 years or more.
As technologists, we should remember more often that technology does not exist outside of society and morality.
I wasn’t aware that my phone was a third party service or hardware.
I already explained this in a way that makes it hard to take your reply as being in good faith, but I’ll explain it again: you’re free to modify the things you own. You’re not free to demand unlimited/unrestricted access to the things other people own.
So the bank is free to set hours when their branch is open and say they won’t provide in-person service at the branch outside of those hours, no matter how much some people might insist this infringes their freedom to come in when they want to. They’re free to set a “shirt and shoes required” policy for receiving service at the branch, no matter how much some people might insist this infringes their freedom to come in dressed as they please.
And they’re free to set rules for accessing their systems via network connection.
Sometimes those rules include “mobile app, but only if we can verify it hasn’t been tampered with”, and it’s their right to do that no matter how much some people might insist this infringes their freedom to tinker with their devices.
As I said already, that freedom to tinker ends where someone else’s systems and devices begin. You don’t own the bank’s systems. Therefore you don’t get to dictate to them how and on what terms you’ll access those systems, no matter how much you might like to, because they have the same ownership rights to their systems and devices that you have to yours.
But it isn’t free to demand complete control of the contents of cars on nearby roads. No matter how much the ability to inspect them may reduce bank robberies.
The bank may want the ability to inspect your car, but society doesn’t need to say yes to every misguided request.
That analogy doesn’t work, because “nearby roads” aren’t the bank’s property.
So if you want to go with that analogy and make it work: the bank branch may have drive-through facilities, and they may not accommodate all vehicle types. Say, due to lane width, a huge pickup truck or SUV might not fit, or due to the height of the covering over the lane, a very tall vehicle might not fit.
You still have the freedom to buy and drive a vehicle that doesn’t fit in the drive-through lane. But you don’t have the right to demand the bank rebuild the drive-through lane to accommodate you. They’re free to tell you to park and come inside, or use the ATM, or bank online, or any of the other methods they offer.
And, again, there is no situation in which “ownership of your device” creates a moral right to demand access to systems owned by others on terms you dictate. If the bank doesn’t want to grant you access on your preferred terms, they don’t have to; they can set their own terms for access to their systems and (subject to local laws about accessibility, etc.) enforce those terms.
(also, in some jurisdictions the bank absolutely could regulate the “contents of cars” on the bank’s property – for example, the bank could post a sign saying no firearms are permitted on the bank’s property, and that would apply equally to one stored in a car as it would to one brought inside the branch)
And my phone is?
My phone is an access method, and I have neither sold nor rented it to the bank.
Your car is your property. But when you want to use your car on someone else’s property they can make rules about it. For example, where you can park, how fast you can drive, which direction you can drive, and so on.
Your networked device is your property. But when you want to use your networked device to access someone else’s devices/systems, which are their property and not yours, they can make rules about it.
I’ve explained this now multiple times, and I don’t see how any legitimate difficulty could still exist in understanding the point I’m making.
Yes, I understand that it is technically legal for them to do this. Technically legal is not the same as desirable. It’s a horrifyingly dystopian future being described here, and painted as desirable because it is possible.
I want a way off this ride, and I don’t see one.
No, “stop keeping your money in banks” is not a serious option.
No, I do not use Linux, Windows, or OSX.
Yes, I already refuse to install apps for this on my phone – I use my phone exclusively for tethering, maps, and getting paged when I am on call for work. I do not trust it to act in my best interests, and I do not want enforced software that I dislike spread to the rest of my computing devices.
It would probably be legal for a bank to require you to install a GPS tracker on your car to gain access to the bank. It would be safer for the bank if they could track the location of possible getaway cars. It would be safer for the bank to ensure that you didn’t go into sketchy neighborhoods where you could get mugged and have your bank cards stolen.
But I don’t think a future where banks remotely enforcing what you do with your car is a good one. It’s not worth the safety.
Every time I point out that the analogy falls apart when you try to extend control past the bank’s property line, you propose another analogy which extends control past the bank’s property line.
I cannot engage further with this.
What do you mean, “extend control past the bank’s property line?”.
In this analogy, the bank allows you to drive cars without GPS trackers; They just require you to have one installed to engage with them. They’re not controlling your property –you’re voluntarily complying with their business requirements. It’s just them choosing how you engage with their business. You can avoid getting a GPS tracker so long as you don’t set foot on a bank’s property.
This is less hypothetical than it sounds. While I’m not aware of banks pushing for GPS information, insurance companies already want this information in order to dynamically adjust rates based on driving habits, and to attribute blame more accurately in collisions.
I’ve interviewed for an offshoot of State Farm that was established to explore exactly this. The interviewer was very excited about the increased safety you’d get because drivers would know they’re being watched. This was a few years ago – today, of course, you’d need to do some remote attestation to ensure that the system wasn’t tampered with and the data was transmitted with full integrity.
Once this pool of data is established for analysis, it becomes very tempting for law enforcement, less pleasant regimes, and three letter agencies to access it.
For a bank or hospital? It absolutely is.
Let’s ignore the fact that large corporations have a long and well-documented history of nefarious behavior. I mean, one of the first corporations in the west was the British East India Company. Calling it nefarious is a huge understatement. But that’s all not quite relevant to the point I’m making.
Fine. Does it truly matter if the reason is maliciousness or ignorant apathy combined with perverse incentives, if the end result is still the same? A difference which makes no difference is no difference at all. What I’m seeing is gradual disempowerment of people, not some quick power grab. And I don’t care what the reasons are, if the results are still the same.
Every time this discussion comes up on Lobsters, you trot out the comic-book villain trope as a way to belittle the people you disagree with. A box-ticking technocrat can be just as harmful as a villain.
Except the end result is not the same. The freedom-hating cartoon villain would not give you a way out. Yet out here in the real world you do get a way out. And as I pointed out, it’s been getting finer-grained over time so that you actually have even more control over which security features you want on and which ones you want off.
This is not how an actual “war on general-purpose computing” would be waged!
My central assertion is that the Free Software movement and its adherents are actively hostile to security measures that are A) reasonable, B) desired by and C) accepted by much of the market, and that this hostility goes all the way back to the early days with Stallman writing purple prose about how he was standing up for “the masses” by having GNU
surefuse to support a “wheel” or equivalent group. Today that manifests itself as reflexive hyperbolic opposition to fairly banal system security enhancements, which inspire yet more reams of purple prose.I further note that this opposition relies on appeals to emotion, especially fear (they’re coming for your freedom!), and on erecting straw-man opponents to knock down, neither of which is a particularly honest rhetorical tactic.
And finally, this opposition also doesn’t stand up to even the slightest bit of actual scrutiny or comparison to what’s occurring in the real world, and on that theme I note you yourself largely refused to actually engage with any of the points I made, and instead went meta and tried to tone-police how I made the points, or the fact that I was making them at all.
Android is an example of tightly controlled devices where this is completely feasible though.
Yes, and the industry trend is to slowly extend that to more computing devices, including PCs. And, in this very thread, we have someone who is arguing that not only is it a company’s right, it’s effectively their duty, to ensure users aren’t tampering with their computing devices so that bad actors can’t compromise them.
Yup.
The hyperbole around this stuff runs into the inconvenient fact that all the horrible things have been technically possible for a very long time, using only features that already exist on consumer hardware and consumer operating systems, and yet the predicted dystopia… has not arrived.
Microsoft has been theoretically able to fully lock down laptops and desktops for years. Apple has been theoretically able to fully lock down laptops and desktops for years. The reason they haven’t is not that they lack the one final piece of the freedom-destroying superweapon that will finally let them power it on, and it is not that scrappy freedom-warriors on the internet have pushed back too hard. The reason they haven’t is that destroying freedom is not, and never has been, their goal.
So, so much of the argumentation around this stuff relies on building up strawmen and knocking them down. In the real world, there are no mustache-twirling executives cackling about how this time, finally, they will succeed at destroying freedom forever and bringing an end to general-purpose computing. There are just ordinary, usually really tired, people doing things for honestly pretty ordinary and banal reasons, and we generally will do best by taking their statements at face value: that they’re doing it for security, which is something both corporate and consumer users are loudly demanding.
A lot of people are tired of living in constant fear. Fear that looking at, or in some cases just being a recipient of, the wrong email or the wrong text message or the wrong PDF or the wrong link will silently and completely compromise their systems. Fear of malicious actors, both remote and intimate. Fear of being fired if they slip up and make even the tiniest mistake instead of being a perfect “human firewall”. Fear of all manner of things that we can prevent by default if we just choose to.
So we get more and more systems that have those protections by default. That let you just use it without being afraid. And if you want to live dangerously, you still can. The “I know what I’m doing” escape hatches are there! They’re even getting finer-grained over time, so that you can choose just how dangerously you want to live. You can turn off bits and pieces, or go all-in and replace the OS entirely. This is not the progression we would see in a world where the vendors were waging a “war on general-purpose computing”, and the actual observed state of the world is the strongest possible counterargument against the existence of such a “war”.
And yet we still get hyperbole like this article. I’m so, so tired of it at this point.
I don’t think it is not possible. Obviously game publishers already want this solution, windows 11 requires the chip (or will require the new one too, doesn’t make a difference), and if you ever owned an android device, you’ll know how many apps break when you install your own android copy.
I can definitely imagine banks and other services rolling this out as a requirement. Developing a new browser is already hard enough, but if only 10% of the services under cloudflare require this in the future, you’re basically locked out of using linux/owned android/new browsers. We have a regular inspection requirement in germany for all vehicles on the street, for the safety of others. Maybe this will come one day for the internet, simply because that could reduce the amount of spammers and bots.
Let’s spin this idea further: There is a law in germany that you’re responsible for your network connection. What if because of that you’ll not be allowed on public wifi anymore, without such an attestation ? No more headaches due to compromised devices.
It has steadily become harder and more costly to unlock your bootloader and root your phone. The amount of rooted phones has gone down over time severely. The easy corporate friendly narrative is that they’ve given users a better experience and more control without root. This has some genuine truth to it! But the central issue is more related to how rooting is such a huge pain in the ass and loses you access to enough apps that even powers users have given up.
I’m not sure what it will take for people to recognize that this is not healthy and that it leads to a concentration of technological power away from the hands of users and more into the hands of corporations. If you have a healthy user base with root they can push back against bloatware, abusive telemetry and OEM spyware for starters. If however you have a root population of <2% then none of this matters.
All it takes is for a couple of apps a lot of people rely on to tick that box and make it so rooted users can’t use them, and suddenly root becomes so much less attractive to users. This eviscerates the resources the power user community has (by reducing its population) and people outright forget what benefits device control would have because nobody is even capable of demonstrating that anymore.
This is not about rights. This isn’t about whether you should or not have the right to access your banking app with root. Let’s stop thinking in terms of who is owed what and start thinking in terms of the world we want to live in. If you want to use root and avoid detection, the OS conspires against you. Steadily root population has been trimmed down via various measures and market conditions and now it is feasible for every app in the world to make it impossible for its users to continue using the app while having root.
They aren’t doing it because they’re moustache twirling villains, as another poster put it. They’re doing it because the cost of losing all rooted app users is tiny and it makes their security department happy. Ultimately their reasons don’t matter because the result is the same – the increased domestication of the user and consolidation of user population into specific settings that the OS developer approves of. The more users get into this approved band of user settings, the lower the cost of discriminating against everyone else.
Look at what the post actually mentioned. That MacOS will allow you to bypass captchas via remote attestation. Sounds great for the user! The problem is that once you have 80% of the userbase on this fast track, it becomes much more easy for Cloudflare to ramp up captcha frequency for the rest of the users. And now Cloudflare suddenly relies on MacOS ensuring that users on its platform minimize behaviors Cloudflare dislikes. Sure, even this case I’m presenting is hypothetical. The case itself is less important than the fact that we already have all the incentives aligned to produce this future trend: OS developers and big companies shaking hands to make life more convenient for attested users (that have the settings Apple / Microsoft / Google want them to have) while leaving others behind. Now it’s just one nice feature, but in the future there can be many.
Our lives are tiresome and complicated, convenience is a real resource we want access to, it’s not some luxury nobody really needs if they “actually” cared about freedom enough.
Over the years Android and Windows have become less free by about every metric I can think of. 15 years ago, the idea of your OS forcing you to restart to update would have been considered unacceptable. Now you will see apologists for it on even the supposedly “hardcore” software communities. The overton window has shifted so much that you have to be extremely optimistic to think it will not shift further – you are not immune to this overton window.
Remote Attestation is yet another piece of technology that has the potential to curtail what a user can do with their own devices. It will probably not be used in an obviously doomsday way. These companies have PR failures commonly, but they’re neither dumb nor evil, they’ll find genuine reasons, genuine benefits. They’ll use their vast access to social network to propagate ideas about these great benefits. We already have people on here and HN that hate politics and love tech and they don’t like seeing these heated political discussions that reek of hysteria. They are prime targets to become apologists corporations on these issues. It’s not a conscious effort by companies or said users, it’s just the structure of the social network. This results in users forgetting a bit more about how life could be with more user control. And that’s how the gap between consumer and corporation will be allowed grow. The expansion of this tech will be gradual, nobody will make it impossible to install Linux. Microsoft will not risk something that can get the EU in a legislative mood.
The fact that Microsoft pushed so hard for everyone to have TPM gives us a genuine signal of how important this is for them – it’s a hint they would really like to milk this technology in the future. This whole line of argument about “if they wanted to destroy free software, they could have done it ages ago, they don’t need Pluton” is fallacious. Microsoft doesn’t care about free software in the abstract. Free software won’t die by Microsoft consciously attacking it. It will wither away by big corporations creating a technological platform to which major service providers subscribe to, where alternative free platforms are second class citizens which lesser features, reduced convenience.
DRM is also a major threat where TPM can be leveraged to great effect. Regardless of your opinion on piracy, DRM has caused genuine harm to its users, the net effect is extremely negative. Based on how the current overton window is around piracy and how it’s difficult to get people to care enough about this even on HackerNews, Microsoft would have no problem expanding its DRM capabilities using Remote Attestation. We can talk shit all we want about how “companies have the right to exclude certain users that do x, y, z with their computers” – the end result will still be net negative for everyone except those companies.
If this again sounds like empty rhetoric to you, consider that if I’m wrong about being “dystopic”, and techniques like remote attestation and root detection are kept to a minimum, the average user loses almost nothing.
If I’m right and nothing is done, we become technological lumpenproles and the past will look like a golden age by comparison.
Since you’re obviously arguing with me despite not doing it in a reply to me, I’ll just point out that your moral theory is missing a big piece: effects on other people.
Say, for example, that you don’t want to have Windows force an update on you. OK, now what? Refusing to apply security updates isn’t just a you problem – you refusing to apply security updates can very easily turn your system into an attacker of my systems. Do I have a right to say that as a condition of network access to my systems you must agree to be a good steward of your systems and take at least some basic steps to prevent that?
And before you give an immediate answer rooted in freedom, remember that out in the real world this kind of “limit what you can do with your property, to protect others” is already a standard thing. If you own a piece of land that a river flows through, for example, you’re not completely free to do what you want with it, because what you do to the water in the river can and will affect others’ properties downstream of you.
So if you want absolute freedom with your devices, fine. Just don’t expect the rest of us to be willing to be on the same network as you when you do it, because your choices can affect the rest of us, and our property, and when that happens we have every right to step in and tell you to act in a way that only affects you. Which may involve denying you networked access to everyone else’s property.
I don’t think this is a missing piece in my moral theory any more than yours. It’s not like you spared a single line to actually consider the negative effects on other people in your posts. But I don’t hold that against you since we have different values and focus on different areas.
I’ve considered knock-on security effects, I just have no reason to believe they are significant enough to warrant this kind of behavior from software corporations AND I have no reason to believe that measures which I consider invasive and restrictive are the best possible solution out there. Other kinds of measures exist.
The trade-off corporations choose to set matter dramatically. Users don’t get to choose anything other than “do I want to uproot my entire life for a significant portion of time and give up on Windows because I don’t agree with their trade-offs in this version?”.
I am aware of the concept of negative externalities. It’s not a matter of whether they exist, it’s a matter of magnitude and whether other recourses exist.
If you could incarnate the incentives of corporations into a person and question that person how much user control there should be, the answer would be “as little as possible that still keeps the platform attractive”. If you ask them how much user control should be sacrificed in exchange for security, they will say “as much as possible”, but note that “security” here is not “the user’s security”. It has overlap with the user’s security, but it primarily refers to the security of their systems, the convenience that security affords them, and the reputation gains from being seen as a “secure platform”. More often than not, it’s security by restriction – it’s not the expansion of platform features to empower the user to do more things securely. It’s the restriction of user power in the service of security, which is then presented as a new feature.
(Disclaimer that not all corporations are like this, but the vast majority of big tech is like this.)
Because you might be affected, you think that you and people like you should get to choose how much people that disagree get to be part of modern society? This is how you’re making it sound to me, whether you want to or not. Losing access to a few critical services (banking apps, play store, gmail, gcal, facebook, twitter etc.) can cripple your ability to network and/or massively reduce your convenience. Inflicting that on someone because they’re not as security-minded as you seems like an unhealthy and unfair approach in the absence of evidence regarding the necessity and utility of these measures. People have begun waking up to the amount of influence these technologies over our daily lives that the discourse has started to shift towards considering them as public utilities where the service provider has fewer rights to discriminate, not more. I don’t say think I conceptually agree with this framing, but it gives you some impression of how important addressing this power imbalance has become to people.
Secondly, this isn’t the early 00s where spam and worms genuinely threatened to bring email as a service worldwide to its knees. Your network will be fine without further reductions in user control.
The way you phrased this paragraph makes it sound as if you’re part of the group deciding this. You are verbally associating yourself with the agents of corporations that have all of the power, but that association is just that – a one sided verbal association. Unless you are an executive at Microsoft, the “you” in this case does not actually have any power. These measures aren’t driven by societal consensus. They’re driven by what corporations can get away with in a market that is dominated by users that are too busy to want to care and too non-technical to be able to care. But just because they can’t discriminate on these matters doesn’t mean that whatever Apple, Google and Microsoft decide is good for them.
Ultimately, there’s always many ways to make your own device more secure. And there are ways to make networks more secure without moving the onus so much on user nodes. But there is very little way for people to circumvent certain kinds platform-side decisions of their tech providers - SafetyNet definitely falls within this category. The idea that users need to give up significant control just to make life easier for the networks and services they often pay for is unsupported to me.
I don’t want our exchange to be particularly hostile and I already feel apologetic for not having been able to find more common ground. But I simply don’t get where you’re coming from or why you’re defending the “rights” of network providers (which I find a weird way to focus the conversation), when the discussion itself is fruitless to phrase in terms of rights.
It’s a jockeying for power over what the future of computing will look like – one where users that don’t work for big tech can have a hand in shaping the digital landscape and make devices serve them OR one where devices exist primarily to be as convenient as possible for corporations, and in which alternative devices do not exist because FOSS has failed to keep up its tech stack and corporations have similar levels of device lockdown across all their products, providing no alternative in the market (This is basically 90% already the case with phones).
The security measures of the old days didn’t have to deal with the number of always-on, always-networked devices we have today, and the new threat models which come from that. Claiming that computing “existed… and didn’t collapse in on itself” in the past is no guarantee that the past’s security techniques will be sufficient for the future.
Many modern systems take away your freedom to have a chunk of memory both writable and executable at the same time, for example. Computing didn’t “collapse in on itself” before that, so should we reject
W^Xmodels?There already is at least one counterexample in this very thread for remote attestation being useful to entities that aren’t “corporations”. I also do not happen to share the axiomatic beliefs you appear to hold about “corporations” in general – all the wonderful FOSS you no doubt use and love exists today largely because of corporations sponsoring and supporting development, for their own ends!
I have never personally treated phones or even most tablets as truly “general-purpose computing” devices. I don’t really want to write code on my phone, or even on the tablet where I’m typing this comment, because the form factor and input mechanisms are horrible for that use case. When I want “general-purpose computing” I turn to a laptop or desktop computer, or to a server running somewhere. And the market seems to be content with that segmentation. If Apple or Microsoft wanted to fully lock down laptops and desktops they already could – they’ve had the technical capabilities for years! – but the fact that they haven’t, and are giving no indication of wanting to, should be a big big sign that people are incorrect in assuming that their imagined dystopia is the explicit and inevitable goal.
(which isn’t taking into account that you explicitly can root at least Android phones, but that gets into the “nobody else is required to network with you after you do” issue that people seem to have trouble accepting)
Sure, doing the actual coding on a tablet, never mind a phone, isn’t practical. But you should be able to modify the code that runs on your phone and tablet, including platform code, and use such modifications written by others that will never be blessed by the platform vendor. The big platforms don’t serve all users equally well, and users should be free to work around deficiencies in their platforms without then being unfairly discriminated against by applications. This is where I’ll tie this subthread together with a discussion you had with @teiresias, who said that he doesn’t support unrestricted freedom of association because he’s a member of a minority. I’m a member of the same minority (well, kind of; I’m not totally blind but legally blind), and I believe that we shouldn’t be forced to rely on the accessibility solutions handed down to us by platform vendors. We should be free to hack on our own solutions to accessibility problems, at whatever layer(s) of the stack we must. This is why I think applications shouldn’t deny us access simply because we’re not running a stock version of the OS, especially if the OS (e.g. Android) is ostensibly open-source.
This is getting to a more productive way to discuss things!
And that’s fine. If you go back and read my initial comments, my issue is with people who want to take an absolutist/moralizing stance based on abstract arguments of “freedom”. That basically always ends uselessly, because they end up defining their position to be the only morally good one (how could it not be? Who would be against freedom?) and anyone who disagrees as morally wrong (since, after all, anyone who disagrees is anti-freedom by definition).
Before any kind of actual productive discussion about the merits of something like remote attestation can even begin, that framing has to be attacked and broken down. Which is what I have tried repeatedly to do here.
And when it comes to the actual discussion, there aren’t any easy answers. There are legitimate issues that might make some entities – especially ones in highly-regulated fields – not want to allow use of an app unless they can verify certain security properties about it. Which then gets into debates about what methods of access they’re obligated to provide, how we’ll ensure that they’re provided equitably, and so on. And as other commenters have pointed out, attestation goes both ways and also lets a user establish trust of a remote service, which is a positive.
But we can’t have those debates if people jump straight into the “I am for freedom, and everyone who disagrees with me on this issue is against freedom” stance.
Anyone who knows me can confirm that I’m far from a software freedom absolutist. I even worked on the Windows accessibility team at Microsoft. But I felt some cognitive dissonance the whole time that I was there, because I felt I had become part of an elite group where I believe there shouldn’t be an elite at all. @Anvoker captured this in one of their comments:
I want the former. To make it more concrete, I want all disabled programmers to be free to help adapt our devices for our needs (and the needs of non-programmers as well), not just the handful of us that happen to land a job at one of the big tech companies. I took that job in part because I was afraid Windows was headed toward being fully locked down, and I figured I should try to make the best of it.
Even now, I’m not fully consistent; I currently use an iPhone, because it just works better for me than Android, and when I was using an Android phone, I never got serious about hacking it. But others should be able to. Especially future generations of kids who have more time to do such things.
On the general subject of where the line should be drawn between the user’s freedom and the security requirements of services such as banks, I think such services should accept connections from any client that implements the relevant protocols and can authenticate itself as an authorized user of the service. I can see why enforcing the latter requirement would be helped by remote attestation of a secure enclave or similar, to guard against authentication tokens being compromised. But requiring the app to be running on a fully unmodified OEM OS image, including all the UI components that are included in such an image, seems excessive to me. And if I’m not mistaken, that’s what SafetyNet for Android does.
If your systems were updated, the point would be moot, because the attempted attacks would be fruitless. Seems like a bit of a strawman. And the illusion of security you might have from controlling what I do with my systems is just that: an illusion. If your systems are at risk, then they’re at risk regardless of what I’m doing, because bad actors will not play by the rules. In this society, there’s always a way around the rules if you have enough money and resources.
ubernostrum is saying that because you don’t update your system as fast possible, your system may be subverted by an attacker and be leveraged in a subsequent attack on different systems or the network.
What you’re doing with your system affects the chance that your computer is compromised and used in other attacks. The point is logically valid, I just don’t think the magnitude of the problem can justify the trajectory of loss of user control that we’re on currently. And I don’t see the loss of user control as actually addressing this problem. Services aren’t going to get DDoSed less because my banking app forbids me service due to root.
We live in a world where brand-new consumer devices fresh out of the box get pwned within minutes of being connected to the internet. We live in a world where brand-new installs of content-management systems get pwned within minutes of being turned on. We live in a world where ransomware attacks and data breaches are rampant, virtually all of them targeting entities which refused to engage in some simple and reasonable preventive practices.
We live in a world where the devices and systems that don’t have these problems, or don’t have them to anywhere near the same degree, are the ones you’re arguing against.
So in addition to overestimating the loss of “user control”, I think you also drastically underestimate the scope of the problem.
This is “if you believe vaccines work then it doesn’t matter if I get vaccinated because you will never get the disease anyway right?” And it’s wrong for similar reasons. I’m “vulnerable” to DDoS regardless of my security patch status, and like vaccines DDoS is partially a statistics game, for again similar reasons. We need “most” machines to be patched for the inevitable unpatched botnets to be small enough to not matter.
Thanks for comparing me to an anti-vaxer. Let’s get back to the discussion at hand.
I argue that ceding control to manufacturers does not in fact imply greater security for end users. My story below is worth telling, even though I told it in at least two other threads.
Take, for example, my Motorola G6 smartphone. It came from Amazon, bought as a Prime “exclusive”, new for a really good price. There were strings attached, but I didn’t realize it until it was too late.
The bootloader is locked. It stopped receiving security updates in 2020, two years after I bought it. I cannot unlock the bootloader through Motorola’s unlocking program, because the device was gotten through Amazon. I cannot install an up to date ROM on the thing. My hands are tied.
This is what happens when manufacturers have nearly complete control over the devices that you bought and paid for. You are at their mercy. They can force planned obsolescence on you, or prevent you from maintaining a perfectly good and usable piece of hardware.
I would love to have regular security updates on my phone again.
I challenge anyone who really believes that restricting my use of my device leads to greater security to put their money where their mouth is. I’d love to sell a Motorola G6 in good condition. The price is negotiable, as long as it’s above $60.
Right now, for the record: do you believe that I have freedom of association? Yes or no?
Because if I do, I can choose who to associate with, for whatever reasons I choose, and you don’t get to force me to do otherwise. It’s not “controlling what you do” for me to say I won’t associate with you, it’s just… me choosing who I will and won’t associate with.
And my freedom of association extends to the network level. If I don’t want to accept traffic from you, you cannot force me to. That’s not me “controlling what you do”, that’s just me choosing who I will and won’t associate with. You are the one demanding to control me and my systems by hinting that I might not have freedom of association, or that you might argue I should be forced to associate with you and accept your traffic even when I don’t want to.
No. But read the long answer. Not absolutely, because absolute freedom of association has been used to justify all manner of discrimination against minorities. I’m a member of a minority group, so I’m not down with the absolute freedom to discriminate.
You’re still not going to get to where you want to be, though – yes, many jurisdictions have carved out exceptions to freedom of association to prevent discrimination against minority groups, but they’ve done so due to demonstrated, long-term historical persecution and violence against those groups due to attributes over which they have no control and in which they had no choice, such as their perceived race or ethnicity. People, say, who want to root their Android phones are not one of those groups, so forcing everyone to associate with them is not a justifiable exception, to me.
I don’t think anyone’s saying you don’t or shouldn’t have the option to do that. Anvoker seems to be saying “Hey, we’ve observed how technology like this has been used to degrade the user experience, and it will continue to get worse unless we discourage the use of technology this way.”
It’s really cool and fair enough you want to control how we use our systems for the sake of your own. That has trended towards not ending well for the freedom of anyone involved except corporate actors.
And I’ve already pointed out that the reason why vendors have been moving to more-secure-by-default systems is the superior user experience. Which is to say: the user experience that comes with reduced fear of anything and everything potentially being a security issue.
I have the right to choose who I will and will not associate with, including at a network level. You’re still free to do whatever you want with your devices, just not to also demand that I engage in unrestricted networked communication with you. Any other arrangement would be you dictating to me what I must do with my own property. Which you assert has bad outcomes, so it’s surprising that you seem to want that.
We’re clearly going to be at-odds in determining which experiences are superior for which groups of users.
I don’t believe people are saying you can’t choose. I’m for sure not. You have that right, just users including myself have the right to try and discourage the implementation of these features.
Conversely, how much will it provide?
The big win for freedom with remote attestation comes from confidential cloud computing. This lets me rent a server in someone else’s data centre and get a strong guarantee that they haven’t tampered with the program I want to run. I can then choose to provision it with encryption keys that let it access encrypted data and have strong guarantees that the cloud provider can’t see the data.
Once you invert the usage model, all of these technologies become things that protect freedom, rather than restricting it. For example, Signal uses this exact technology to allow you to recover an account if you lose your phone, while providing the kinds of rate limits on PIN attempts that you’d normally be able to enforce only with a physically secured device.
That’s an interesting thought I hadn’t considered before, but I’m somewhat skeptical, considering that have ton of people using Google cloud services that report you to the police for CSAM without human oversight. Because the debate is lost on “think of the children”, I don’t see how we’ll actually have confidential cloud computing even if it becomes technologically feasible. I also don’t see the industry getting behind using remote attestation in this way that helps freedom. But I can see some knock on effect from companies wanting their cloud computing to be secure and confidential, and this trickling down to more common users.
How do you imagine this tech spreading in a way that is pro-freedom?
We (Azure) are actively working on shipping this (and have already launched some things in this space with others announced). Governments are always a bit conflicted, but generally politicians don’t like the idea that we could get at their financial or medical information simply because their bank or hospital uses our services. Similarly, regulators in these sectors want strong legal and technical guarantees that anyone using cloud services is protected against insider threats at the cloud provider.
You can now deploy container instances to Azure and have them run in AMD SEV-SNP VMs, where all memory is encrypted in use and where you get a remote attestation over the container image hash, so that you can be sure that we haven’t tampered with the contents. I wrote about our vision for this last year.