Discussion (144 Comments)
https://gitlab.opencode.de/bmi/eudi-wallet/wallet-developmen...
Why was this decision ever made?
Anytime anyone criticises the EU here, you will get downvoted even after trying to warn the EU defenders that they are not our friends at all.
I was asking for evidence about the EU digital ID wallets about what the "disinformation" was around it 3 years ago [0] and not a single link of it was given.
At this point, being an EU defender and supporting the "open web" are incompatible since you will be using your EU digital identity wallet [1] with your phone to login to your bank and the internet will push age verification with it, locking you out if you don't sign up.
[0] https://news.ycombinator.com/item?id=36105002
[1] https://eudi.dev/latest/
But an even bigger problem is that institutions designed to prevent this from happening are not doing their job.
Thousands of security service and civil servants take their wages and look the other way.
Suggesting politicians are corrupt without any evidence will make that worse. If people think their politicians are corrupt they will further disengage with the political process, which will ensure there's even less pressure on politicians to take action on niche issues like this.
I think it is far more likely that it is a lack of knowledge and incompetence. I am pretty sure that the majority of Parliament members, Council members and maybe even Commission members do not even know that there are viable alternatives outside Google (certified) Android and iOS. So they try to regulate their app stores, etc. instead.
I hope that with digital sovereignty becoming more important, there will be more interest in alternative mobile operating systems.
Clearly tailored to the regular normie without technical skills.
I’ve written to politicians over the years about technical matters and it’s uniformly either a clearly form response or an inaccurate summation of the technical risks, if I’m being charitable because they don’t understand them either.
At a certain point it begins to feel pointless.
I think you're right that they are incompetent. The point is not to make them understand it, but rather to make them see that enough people care. The problem is that most people don't write, so the politicians don't see that they care. Same thing for companies. How many GrapheneOS users say "well when it stops working, I just move to another service, and if there is none, then I live without the service entirely". That way the companies never see that there is a need.
If enough people write, they may start finding it relevant.
1. Most people don't write.
2. The people who write are not always competent.
3. The people who write often have an agenda, too.
What's the consequence of that? Imagine what the politicians receive: tons of messages of people complaining, most of which are factually wrong. What to do then? How to know who is right? It's genuinely hard.
It only makes sense they'll prioritize big-business interests over those of the common folk.
It's a bit odd that Europe prioritizes American big-business interests I guess? Idk, as an American it does seem kinda like an odd choice.
They're basically saying they have no choice but will evaluate better options.
So the follow up question is: Are you going to push the EU & Governments to do the logical thing and start developing, with your tax dollars, the necessary software & hardware to make it into the public domain so they aren't reliant?
Mostly it seems like few people see the need for bringing government into software, no matter how much software & hardware are becoming essential utilities.
They do not use zero knowledge proof systems or blind signatures. So every time you use your device to attest you leave behind something (the attestation packet) that can be used to link the action to your device. They put on a show where they care about your privacy by introducing indirection (static device ID is used to acquire an ephemeral ID from an intermediate server) but it's just a show because you don't know what those intermediary servers are doing: You should assume they log everything.
And this is just the remote attestation vector, the DRM ID vector is even worse (no meaningful indirection, every single license server has access to your burned-in-silicon static identity). And the Google account vector is what it is.
Using blind signatures for remote attestation has actually been proposed, but no one notable is currently using it: <https://en.wikipedia.org/wiki/Direct_Anonymous_Attestation>
There are several possible reasons for this, the obvious one is that they want to be able to violate your privacy at will or are mandated to have the capability. The other is that because it's not possible to link an attestation to a particular device the only mitigation to abuse that is feasible is rate limiting which may not be good enough for them - an adversary could set up a farm where every device generates $/hour from providing remote attestations to 'malicious' actors.
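To make the contrast in the comments above concrete, here is an added toy example (not code from the thread, from GrapheneOS, or from any real attestation service) of a Chaum-style RSA blind signature next to the log-join that the "indirection" design leaves possible; the RSA primes are a constructed toy key and the log contents are constructed.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for the attester: real deployments use >=2048-bit
# moduli; these primes only keep the arithmetic readable.
P, Q = 104729, 1299709
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def token_digest(token: bytes) -> int:
    """Device side: hash a fresh, per-request token into the RSA group."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def blind(m: int):
    """Device side: multiply m by r^e so the attester only sees m*r^e mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def sign_blinded(blinded: int) -> int:
    """Attester side: a plain RSA signing operation on the blinded value."""
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """Device side: (m*r^e)^d = m^d * r, so dividing by r leaves m^d."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(m: int, sig: int) -> bool:
    """Relying party: standard RSA check against the attester's public key."""
    return pow(sig, E, N) == m


def run_attestation(token: bytes, attester_log: list) -> dict:
    """One round trip; attester_log collects everything the attester saw."""
    m = token_digest(token)
    blinded, r = blind(m)
    attester_log.append(blinded)
    sig = unblind(sign_blinded(blinded), r)
    # Neither the token digest nor the final signature ever reached the
    # attester, so its log cannot be joined to what the relying party sees.
    linkable = m in attester_log or sig in attester_log
    return {"accepted": verify(m, sig), "linkable": linkable, "m": m, "sig": sig}


def link_via_intermediary(intermediary_log, relying_party_log) -> dict:
    """The indirection design the comment criticises: the intermediary
    records (static_id, ephemeral_id) and the relying party records
    ephemeral_id, so whoever holds both logs joins them back to the device."""
    eph_to_static = {eph: static for static, eph in intermediary_log}
    return {eph: eph_to_static[eph] for eph in relying_party_log
            if eph in eph_to_static}
```

The trade-off the reply above raises survives in this toy: the relying party can check a token but cannot tell two devices apart, so only rate limits or one-use tokens constrain a device farm.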
Also I recall a discussion on Graphene's forums that DRM ID is not only retained there, but stays the same across profiles.
I was referring to the static private key that is stored in the silicon. At any time an application can initiate a license request process using DRM APIs which will elicit an unchangeable HWID from your device. The only protection is that it will be encrypted for an authorized license server private key so collusion may be required (intel agencies almost certainly sourced 'authorized' private keys for themselves). Google or Apple also has the option to authorize keys for themselves. In 'theory' all such keys should be stored in "trusted execution environments" on license servers and not divulge client identities for whatever that's worth: <https://tee.fail>.
I wonder if we'll get something similar happening with cloudflare
That means that I ride alone these days. I did not renew my membership this year.
The last time I experienced something like this was when Facebook starting being the only way to participate in certain events. Back when that happened, I simply counted myself as excluded and did other things with my time and money.
To me this is such a bizarre cyberpunk dystopia. Like if we could only send letters and packages to people subscribed to the same private postal service, or drive on roads that had cross-licensing with our brand of car.
Granted, for banking or government-interactions that isn't feasible, but wouldn't it for many other things? It would likely be more expensive given that the work to build something still needs to be done and the cost is distributed among fewer shoulders and the lower complexity since you don't need to build ad-tech doesn't make up for that, but I suppose that's a bit like quality food.
Hardware will be more difficult.
The status quo is nation-states in roughly their post-WW2 borders, and it's fiercely protected. The upside is stability and fewer wars, the downside is that the only way to try anything new is to co-opt an existing country. Adding to that, most countries are ethnostates that would prefer to have only a small percentage of their population be migrants. It's an easy way toward social cohesion, you just stay roughly where you're born, with people who were also born there and share the same cultural background. As we can see, it's not ideal - two lifelong neighbours can easily hold completely opposite moral values.
The answer to either question, really, is no. The powers that be have systematically implemented policies that keep us divided to prevent that eventual outcome.
Any new country will have these same issues, eventually, and probably a lot more that don't seem obvious on the surface.
Fighting against these sorts of monopolies seems far more likely if we can figure out what forces inside the EU and the US are driving these changes and find a way to educate the public, interest groups, and politicians about what's going on.
The problem being raised isn’t due to the size of the country though. It’s the size of the company (i.e. Apple and Google).
What we really need is to meaningfully participate outside of the hierarchical monopolistic systems that demand our participation. That doesn't just mean that we create and hang out in distributed networks: it also means that we make and do interesting shit there, too.
The biggest hurdle I see is that we only really use uncensored spaces to do the shit that would otherwise be censored. We don't use distributed networks to plan a party with grandma, or bitch about the next series of layoffs. We don't use distributed networks to share scientific discovery or art.
I think part of the solution is to make software that is better at facilitating those kind of interactions, and the other part of the solution is actually fucking using it. How many of us are only waiting for the first part?
I feel that we need a better political consensus on a free society that puts the monopoly of force in the hands of democratically legitimate forces. I currently feel that all digital violence lies in the hands of a few corporations. And at the same time there are politicians who like this because, through this proxy, they can indirectly execute control without any political legitimacy. Sorry, I do not believe in markets as guarantees for freedom. I have read too much dystopian sci-fi for that.
But you can own multiple devices. You can use an approved device specifically for banking or Netflix and whatever device you like for all your other tasks. Maybe you could use an approved device (a Yubikey?) to authenticate your other devices?
Also, governments should be leaning on them to approve more devices.
Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM in any computing device that is marketed as a general-purpose one. I.e. the first instruction that the CPU executes after reset must come from a storage device that is physically external to the CPU package.
There's also tons of value in a boot ROM that can't be accidentally erased to add low level DFU routines.
No, you just need to make it illegal to have the bootloader contain hardcoded key material and use it for verifying the code it loads.
My intention with this is to make sure that if someone were to desolder the flash chip and reprogram it, they could completely own the device without the device or SoC manufacturer having a say in it or a way to prevent or detect it.
Example: I’m perfectly fine with my Touch ID sensor having a crypto-paired link to my SOC so that someone can’t swap in a malware-sensor at a border checkpoint; I also don’t want my device (or websites) to be able to discriminate against me installing my own homemade sensor. What that looks like in practice is close to what we have now, but not quite there yet — and is definitely not ‘no crypto-pairing at all’, as a ban on key material would enforce.
Micro is now nano, not amenable to modification, and even if it was theoretically possible, hardware is a super-easy target for legislation.
> Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM
If you had the political means to enact such legislation, you could legislate much cleaner and easier ways to deal with the problem.
I find myself saying this a lot but I still can't quite figure out why people keep seeking technical solutions to political problems.
I mean, these things aren't comparable, in some limited cases the naive approach might help but insisting on it while neglecting political action is worse than doing nothing.
funny how you think the solution to people imposing their will on you is to impose your will on others
also, the solution you propose wouldn't work because signed firmware
Also, governments are supposed to act in the interest of people.
Being on the palantir-approved google ranch for the few Apps You Need + graphene (or some other alt OS) for everything else would be quite inconvenient, but still better than carrying two phones, which nobody wants to do.
Imagine getting banned from Google services for anti-Google views and being unable to log into your bank account. We really should break up Alphabet.
Let’s see then if they really want to collect all our information all the time. Right now, they take it and handle it irresponsibly because they’re free from consequences.
It's a problem in search of a solution.
The cynic in me suspects it's a way of slowly but methodically eradicating online anonymity and thus anonymity in general.
The reason it's hard to boot up a secure social network (such as Signal) is the handshake for (re)identifying people. Signal makes a ton of conceits here (the UX essentially asks people to assume phone numbers are securely held) in the name of low friction and it's why they grew so fast. The "real" secure social networks are essentially too difficult to get real adoption because they don't make these conceits around phone numbers, and demand real key exchanges.
But if you had a L1 set of private and public keys the government works to maintain and defend, the L2 social networks like Signal (or banks, or markets, whatever) can do this cheap and easily.
There must be a dozen other ways smarter people can think of but identity verification kills profits so the smart people don't work on them IMO. It's more profitable for social media to be an astroturfed shithole. It's more profitable to remove control of your PC.
End users should be authenticated so you can prove you're selling real eyeballs in the demographic mix you claimed to marketers and to provide lip service for the 'think of the children' regulators.
But anyone who's paying for ads should have as little friction as possible to dropping money and spewing garbage.
I'm surprised nobody is looking at some sort of "corporations are people" angle here-- we've attested the device ownership, but it's owned by the Lorem Ipsum Corporation, which is a legal/demographic dead end and spawned just long enough to buy the device.
A nonprofit business could do this if backed by all existing dotcom and bitcoin billionaires. But they’d all want to profit from it, so either non-profit (NGO) or governmental it is.
Fun fact: this is already a core function of USPS. They serve as an identity verification hub for both US passports and their informed delivery and PO box services. They just have a human-dependent process rather than an identity-generator booth. So they’d be perfectly positioned to take your ID, hand you an attestation request QR code, and get your identity-signatures on it — without being able to reverse-engineer your biometrics from those signatures, but still being able to detect gross variances when someone else tries to lie about being you in a future verification.
Anyways, none of this will likely ever happen, but the rich tech folks could make it happen at any time if they cared to. Instead we get THE ORB which is doing retinas as a for-profit without auditable artifacts or hardware. Sigh.
I'd propose the primary factor is social - when a child is born there is a recorded attestation from the family and care providers about the minting of a new soul. When keys are compromised you similarly seek attestations from your social network (or social worker) that you need to furnish a new key.
The network could be attacked by literal force, blackmail, or deception, but it's very expensive compared to the defense (strong legal punishment for attempts to subvert the network).
That last part is why I think the state has to do it, not technologists. There has to be a strong legal and cultural immune system in place to defend the network.
First I'll say the government already has an ID system with a backdoor they mandate you use (your federal social security ID and state ID). The backdoor isn't very interesting because anyone with your ID in hand also has it.
So how about this:
1. State assigns citizens an ID at birth
2. State allows citizens to submit a public key along with their ID at any time
3. Citizens can go to their bank / private social network / whatever and say "this is my public key, you can use it to sign messages to me, and you can verify someone a) alive and b) a citizen of $state is reading it" (from here you can bootstrap whatever protocol you want)
4. The state<>citizen network established in (2) is constantly under attack as stealing someone's private key is valuable, so you also need a legal and technical framework to defend it
The protocol for submitting private keys and defending it from attack is a much longer post, I'm convinced there are ways to do it that drastically favor defense over offense, but that's not the point here.
Our question is: can a government force its way into the protocol you bootstrapped on top?
How would they?
1. They could reset your public key to one they control the secret to, and then impersonate you digitally to break into your bank or social network. However I don't think they could do this secretly (the key update would necessarily be publicly visible), so it's not really a back door. They can already do this with a search warrant. And if you're paranoid you can bootstrap your secondary cryptographic networks with multiple factors. So, this is on net more secure for you.
2. They could try to recover your secret key by force or warrant - but again not a back door.
I think the real concern isn't backdooring, it's blacklisting: if this system becomes the L1 for every L2 cryptographic interaction, they can practically remove your ability to freely transact. But that's a political problem you address with political means. I'm convinced from a technical perspective this is more secure and far cheaper for everyone.
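The property the proposal above leans on in point (1), that a key reset by the state cannot be secret, is the part a registry has to get right, so here is an added sketch (not code from the thread or from any real government system) of a hash-chained, append-only key registry with the citizen-side audit and the relying-party check; public keys are opaque placeholder strings and the whole scheme assumes the chain head is published so the operator cannot quietly rewrite and re-hash the log.

```python
import hashlib
import json

GENESIS = "0" * 64


def _hash_entry(prev_hash: str, entry: dict) -> str:
    """Chain each entry to the previous hash so edits break every later hash."""
    payload = prev_hash + json.dumps(entry, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class KeyRegistry:
    """Append-only public log of citizen_id -> public_key bindings.
    Assumption: the head hash is published widely (e.g. gossiped to
    monitors), otherwise the operator could rewrite history and re-hash."""

    def __init__(self):
        self.entries = []  # list of (entry dict, entry hash)

    def head(self) -> str:
        return self.entries[-1][1] if self.entries else GENESIS

    def bind(self, citizen_id: str, public_key: str, reason: str) -> str:
        """Every key change, including a state-ordered reset, lands here."""
        entry = {"seq": len(self.entries), "citizen": citizen_id,
                 "key": public_key, "reason": reason}
        h = _hash_entry(self.head(), entry)
        self.entries.append((entry, h))
        return h

    def current_key(self, citizen_id: str):
        for entry, _ in reversed(self.entries):
            if entry["citizen"] == citizen_id:
                return entry["key"]
        return None

    def history(self, citizen_id: str) -> list:
        return [e for e, _ in self.entries if e["citizen"] == citizen_id]

    def verify_chain(self) -> bool:
        """Recompute the chain; any in-place edit makes this return False."""
        prev = GENESIS
        for entry, h in self.entries:
            if _hash_entry(prev, entry) != h:
                return False
            prev = h
        return True


def citizen_audit(registry: KeyRegistry, citizen_id: str, keys_i_registered) -> list:
    """Citizen (or a monitor acting for them) compares the public log with the
    keys they actually submitted; anything extra is a reset they did not do."""
    logged = [e["key"] for e in registry.history(citizen_id)]
    return [k for k in logged if k not in keys_i_registered]


def relying_party_check(registry: KeyRegistry, citizen_id: str, presented_key: str) -> bool:
    """Bank / social network: accept a key only if the log is intact and the
    key is the citizen's current binding, so a stale or revoked key fails."""
    return registry.verify_chain() and registry.current_key(citizen_id) == presented_key
```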
The most damning part about Google Play Integrity is that, as the thread states, Google lets devices pass that are full of known security holes, whereas they do not allow what is very likely to be the most secure mobile OS. This shows that they only use it as a method to shut out competitors and to control Android device manufacturers to pre-install Google software like Chrome (otherwise their devices do not get certified and won't pass Play Integrity).
IANAL, but anti-competition lawyers/bodies should have a field day with this, but nobody seems to care. Worse, the EU, despite their talk of sovereignty adds Play Integrity-based to their own age verification reference app.
I recommend every EU citizen, also if you do not use GrapheneOS, to file a DMA complaint about this anti-competitive behavior:
https://digital-markets-act.ec.europa.eu/contact-us-eu-citiz...
Also, every time this comes up, @ the relevant EU bodies, commissioners and your government's representative on Mastodon, etc.
I wonder if this would exclude rooted OSes, non-relocked bootloaders and things like that? Sorry for stupid question, still not quite understanding how this works.
> IANAL, but anti-competition lawyers/bodies should have a field day with this, but nobody seems to care
I'm gonna take a wild guess that proving the above statement in court (and then its necessary impact) might be a significant obstacle here?
What I took away from the thread is that they're against services forcing attestation in general, and also pointing out that Play Integrity isn't about security, but rather about control, because Google could trivially make it work with GrapheneOS (which is more secure than any other Android OS on the market) but they won't.
But if Google did support third-party attestation, would the GrapheneOS Foundation be happy? Most of the thread seems to be a call for attestation to die, which feels impractical and unachievable. But "Google could use it to permit GrapheneOS for Play Integrity if that was actually about security" seems to be the real ask, and that seems reasonable and achievable. If that's true, I think it would’ve been more effective to lead with that and focus on it.
As long as this is in Google's hands, they can abuse it to control the market.
That said, Play Integrity accepting GrapheneOS would be a step forward, but they will never do it, because then other vendors might also want to pass attestation without preloading Google apps.
> Most of the thread seems to be a call for attestation to die, which feels impractical and unachievable.
I disagree, and I expect GrapheneOS devs do, too. Hardware attestation is a new thing, that isn't even really here yet. It absolutely can and should meet its demise.
GrapheneOS is still small and appears honest. Despite them being in the right in this fight and them deserving our support... We gotta keep them honest in the long run!
I don't think there's any way to tell if a small company will keep their values if they succeed in getting enough market share.
Google doesn't certify devices based on security, so that kind of attestation should have no place in banking/government apps, otherwise it just enforces the duopoly.
Neither of these situations are related to any so-called spyware. The fact that Google is involved here had to do with the fact that they are a trusted party for folks to rely on to ensure the desired properties are being met, nothing more. In theory it should be possible for other parties to provide similar attestation, but that party needs to be deeply involved in the OS and boot chain. Apple is obviously capable and is equally trusted. Graphene probably provides the necessary properties but lacks a good way to attest due to the reliance on Google specific attestation APIs. That could be remedied. Otherwise Graphene would need to create their own APIs and applications would need to use them, which would be a harder sell. In both cases the party asking for the attestation needs to decide to trust Graphene, which is still a barrier, but that's an easier way forward. Alternatively, Google could trust Graphene and everyone who already trusts Google would inherit such trust.
They want apps to add their signing hashes manually just for them and don't want to join projects that would aggregate and act as a database or certificate authority.
This seems to presuppose that service providers using reCAPTCHA are either clueless idiots or actively expending resources and lowering their conversion rates to support the supposed Google/Apple duopoly. That does not strike me as a plausible claim.
Businesses will do what businesses will do, but it seems to me having something to point to and saying "do this instead" is more effective than "this sucks and isn't even about security, don't do this at all" even though it's true.
Hardware attestation will spread like a plague and you will soon no longer be able to log into anything without using "an approved computer". Which will mean a computer of someone else's choosing.
I could easily see large companies using this as a way to charge employees for their desktop access and a million other perversions of this nonsense.
It's bad enough we can't use our computers without being spied on, now they want to install their spyware and force us to use "their computers".
Microsoft certainly wanted to be the only company whose OS was allowed to boot with secure boot turned on.
Google should not be allowed to close the supposedly "open" ecosystem they created any more than Microsoft was allowed to.
And the audacity to reply rudely to someone in the thread with "Read the rest of the thread once it's posted". Absurd
(Wrote this on a Pixel running grapheneos fwiw)
Break them up. Break them up. Break them up.
What can't we do for these two companies we will beg, we will bend, we might even consider grovelling as long as the evil is around, to help us find the greater evils in the world. That is, the people we don't like, might be the bad guys today, but just don't worry you will be the bad guy too, just wait until the bad guys get into power...
I haven't read The Hobbit or Lord of the Rings but man if this isn't greed corrupting all men then I don't know what is.
I feel sick of all this, I might really just move out and live the rest of my life out on the farm somewhere.
You can't have the cake and eat it too. Maybe we need to close some doors, especially if the barrier for publication is literally just a couple of prompts and uploading the result to a distributor like npm or the Play Store.
[1] https://bmail.ag/verify
> Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.
Even the "beloved" EU government is also in on it as well as banking apps are pushing for this too. They do not care about you and the so-called "Open Web" is already dead on arrival.
[0] https://grapheneos.social/@GrapheneOS/116551068177121365
By "they" you mean FAANG and the FTC, right? Telling the EU to respect the Open Web does nothing to protect users if you continue to approve the export of attested hardware. America is deliberately abetting authoritarian schemes.
You might need to read the sentence again since I was quite clear who I was talking about:
"EU government"
"banking apps"
...and everyone else who benefits from pushing "digital payments, ID, age verification, etc." that will use "Apple's App Attest and Google's Play Integrity" APIs.
It isn't that hard to understand.
It's basically those people who can manufacture chips having technological supremacy over the rest of humanity.
One of its first applications anywhere was protecting anti-nuclear protestors from government provocateurs.
We could prevent so much fraud if we could only convince the credit card companies to start using it (instead of printing a symmetric secret on the outside of the card).
It's predominantly a force for good. If anything, it's a bit anarchical.
What you're noticing is not the leading edge of a set of harms brought about by asymmetric cryptography, but rather the late stage of adoption where the bad guys realize that their enemy's sword has had two edges all this time. Every technology that mediates an adversarial relationship goes through this eventually.
With the printing press came temporary freedom followed by intellectual property. So too with radios and the FCC. So too with social media. It's useless to blame the technology. Blame the people.
When did HTTPS ever hurt you? That's built on asymmetric cryptography. Wherever you see the word "secure" it's basically shorthand for asymmetric cryptography.
HTTPS
SSH
SFTP
E2EE
It's asymmetric cryptography all the way.
Then stop trying to take away the technology it's built on