The EU Digital (identity) Wallet EUDI requires hardware attestation by Google or Apple, effectively tying all the digital EU isentities to American duopoly. Talk about digital sovereignity. Apparently protecting the children > sovereignity.
Came here with roughly the same thought. Given the stated importance to many of sovereignty and not being dependent on the US, why isn’t there more opposition? I assume it’s just ignorance?
Probably because the reply was written by someone without technical skills.
I’ve written to politicians over the years about technical matters and it’s uniformly either a clearly form response or an inaccurate summation of the technical risks.
I hate to beat a dead horse and have people downvote me but: the EU has always been corrupted. The knowledge and effects are not evenly distributed until it hits each niche group. Then they find out the hard way that they were useful idiots. It’s ok to be wrong/admit. Let’s just move past the infighting and see those in power for the evil that they are.
Requiring authorized silicon isn't even the biggest problem here.
They do not use zero knowledge proof systems or blind signatures. So every time you use you device to attest you leave behind something that can be used to link the attestation to your device. They put on a show where they care about your privacy by introducing indirection (static device ID is used to acquire an ephemeral ID from an intermediate server) but it's just a show because you don't know what those intermediary severs are doing: You should assume they log everything.
And this just the remote attestation vector, the DRM ID vector is even worse (no meaningful indirection). And the Google account vector is what it is.
This is a really good thread on why this technology is becoming a problem for "open" anything. The argument "we can create our own separate web" is fine until all of your services are behind the web that locks you into owning a Google approved or Apple approved mobile device.
I like to ride my bicycle with my friends in rides organized by the (Pacific Northwest) Cascade Bicycle Club. They require that I solve a Google reCAPTCHA in order to register for a ride. Google is already completely locking me out from being able to do that. When I try to click on the squares to select whatever items it's asking, it indefinitely loops. When I try using the audio version, it completely blocks me from using it saying that there has been suspicious activity.
That means that I ride alone these days. I did not renew my membership this year.
The last time I experienced something like this was when Facebook starting being the only way to participate in certain events. Back when that happened, I simply counted myself as excluded and did other things with my time and money.
I hope you contacted them to explain why. People usually think I’m a nut when I do it, or are too stupid to understand and think it’s a tech support issue, but it’s worth at least trying to make it clear that you are choosing not to use/do/pay something because of their choice to use recaptcha
IMO, it would be better if they removed the claim “It doesn't provide a useful security feature” because, even if it does, the collateral damage of making non-Google, non-Apple OSes second class citizens remains, and that is the main problem.
That's one of the two main claims made by in favor of hardware attestation; so it makes sense to argue against it. Of course, the other claim (that categories of people must be kept "safe" from categories of content) is more insidious, so it does deserve more attention.
And it didn't even take attestation to cause this absurd situation where many businesses or social groups were only reachable behind Facebook or Whatsapp or whatever.
To me this is such a bizarre cyberpunk dystopia. Like if we could only send letters and packages to people subscribed to the same private postal service, or drive on roads that had cross-licensing with our brand of car.
Wouldn't the argument be that you'd build separate copies of those services as well?
Granted, for banking or government-interactions that isn't feasible, but wouldn't it for many other things? It would likely be more expensive given that the work to build something still needs to be done and the cost is distributed among fewer shoulders and the lower complexity since you don't need to build ad-tech doesn't make up for that, but I suppose that's a bit like quality food.
Even accepting your premise your options are still either:
1) Don't participate (and accept the consequences)
2) Participate (and accept potential disappointment/failure, with the benefit of having tried)
If you view 2) as fruitless unless your desired outcome is likely, you miss the potential value in the pursuit itself: working with like-minded people, building community, developing new skills, taking agency in your own life, and whatever else might come up along the way.
I don't begrudge anyone for choosing 1) (as long as they own their decision and don't force it on others), but 2) still seems like the aspirational choice I'd want to make if I could.
The problem with that argument is that there really is no such thing as public opinion at scale. You can poll people/the general public on just about any issue and the answers are going to differ massively depending on framing effects. In the end, it's hardly better than just flipping a coin.
Stop sitting at home projecting apathy and ennui in between WOW raids and rounds of LoL.
Mountains of evidence from history shows public has to stand up for itself, not lick boot.
Refuse to give the politicians and owner class assurances they too refuse to provide.
Most of them are old af and have no survival skills. They're reliant on the latest social memes, stock valuations not religious allegory, that are not immutable constants of physics.
Boomers looted the pension system of the prior generation to fund Wall Street. Take their money. It's American tradition.
Remind them physics is ageist and neither physics and American society afford no assurances anyone has food and healthcare.
Who is the "us" in your question? Theoretically in democracies we should be able to decide this, if we aren't being distracted from real political questions with the culture war stuff that divides the public's attention and divides neighbors from each other.
Any new country will have these same issues, eventually, and probably a lot more that don't seem obvious on the surface.
Fighting against these sorts of monopolies seems far more likely if we can figure out what forces inside the EU and the US are driving these changes and find a way to educated the public, interest groups, and politicians about what's going on.
Where would you do that? Realistically, the question is one that cannot even be asked safely: are there enough of us to overthrow the existing systems and replace them with something better?
The answer to either question, really, is no. The powers that be have systematically implemented policies that keep us divided to prevent that eventual outcome.
Ideally, we just run our own lives, collaboratively. That's the anarchist default position that we all start in.
What we really need is to meaningfully participate outside of the hierarchical monopolistic systems that demand our participation. That doesn't just mean that we create and hang out in distributed networks: it also means that we make and do interesting shit there, too.
The biggest hurdle I see is that we only really use uncensored spaces to do the shit that would otherwise be censored. We don't use distributed networks to plan a party with grandma, or bitch about the next series of layoffs. We don't use distributed networks to share scientific discovery or art.
I think part of the solution is to make software that is better at facilitating those kind of interactions, and the other part of the solution is actually fucking using it. How many of us are only waiting for the first part?
The question is rather: can political parties develop a vision beyond libertarian views or full state control on the other side.
I feel that we need a better political consensus on a free society that puts the monopoly of force in the hand of democratic legitimate forces. I currently feel that all digital violence lies in the hands of a few corporations. And at the same time there is politician that like this because they can through this proxy can indirectly execute control without any political legitimacy. Sorry, I do not believe in markets as guarantees for freedom. I have read too much dystopian sci-fi for that.
Yes, it requires you to have an approved device for certain tasks.
But you can own multiple devices. You can use an approved device specifically for banking or Netflix and whatever device you like for all your other tasks. Maybe you could use an approved device (a Yubikey?) to authenticate your other devices?
Also, governments should be leaning on them to approve more devices.
Our civilization desperately needs a method to modify modern microelectronics after manufacturing that can be used at least in a well-equipped repair shop, and it needs it yesterday.
Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM in any computing device that is marketed as a general-purpose one. I.e. the first instruction that the CPU executes after reset must come from a storage device that is physically external to the CPU package.
Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM in any computing device that is marketed as a general-purpose one.
No, you just need to make it illegal to have the bootloader contain hardcoded key material and use it for verifying the code it loads.
This won’t help; the SOC silicon can be revised to record each executed instruction from power-on until secure-boot handoff opcode, with various supporting opcodes to query status-of / overflow-of / signature-for so that the OS reports pre-boot tampering implicitly as part of developing its own attestations.
Then also make it illegal for the SoC to contain any cryptographic key material.
My intention with this is to make sure that if someone were to desolder the flash chip and reprogram it, they could completely own the device without the device or SoC manufacturer having a say in it or a way to prevent or detect it.
Simpler to just make discrimination by hardware or software illegal than to legislate the silicon contents. That’s what everyone is upset about, after all: websites are gaining the ability to discriminate based on hardware-software with specific fidelity they never had before. If that was made unlawful, then you’d benefit billions of existing devices as well as future ones. The hard part is making the case that this sort of discrimination is worth fighting, but the John Deere lawsuits are (indirectly) further ahead on that point than the rest of tech is, weirdly enough.
Example: I’m perfectly fine with my Touch ID sensor having a crypto-paired link to my SOC so that someone can’t swap in a malware-sensor at a border checkpoint; I also don’t want my device (or websites) to be able to discriminate against me installing my own homemade sensor. What that looks like in practice is close to what we have now, but not quite there yet — and is definitely not ‘no crypto-pairing at all’, as a ban on key material would enforce.
And what code will verify the signature of the initial bootloader? As far as I know, in every modern implementation of secure boot that is done by that very bootloader, which is burned into the CPU/SoC. I can imagine someone implementing some sort of fixed-function block to do that, but see my sibling reply about that.
Also, governments are supposed to act in the interest of people.
Is it possible to dual-boot on android? It sounds defeatist but I no longer believe it’s possible to change course - the increasingly authoritarian governments, google and most moneyed interests are all on the same side, so it’s just a matter of when.
Being on the palantir-approved google ranch for the few Apps You Need + graphene (or some other alt OS) for everything else would be quite inconvenient, but still better than carrying two phones, which nobody wants to do.
The thread is a bit vague. Am I understanding correctly that GrapheneOS Foundation's objection isn't to attestation per se, but that they can't participate in Google-controlled attestation APIs? In other words, although GrapheneOS can be cryptographically attested, apps using Google Play Integrity won’t accept it because it isn't Google-certified/GMS-licensed?
My impression is that they are against remote attestation in apps/websites in general and if apps really want to do it, they should do it using the attestation API that AOSP already provides. The attestation API in AOSP allows companies to trust signing key fingerprints (such as those of GrapheneOS), which means that the attestation system is not controlled by a single company (Google).
The most damning part about Google Play Integrity is that, as the thread states, that Google lets devices pass that are full of known security holes, whereas they do not allow what is very likely to be the most secure mobile OS. This shows that they only use it as a method to shut out competitors and to control Android device manufacturers to pre-install Google software like Chrome (otherwise their devices do not get certified and won't pass Play Integrity).
IANAL, but anti-competition lawyers/bodies should have a field day with this, but nobody seems to care. Worse, the EU, despite their talk of sovereignty adds Play Integrity-based to their own age verification reference app.
I recommend every EU citizen, also if you do not use GrapheneOS, to file a DMA complaint about this anti-competitive behavior:
What I took away from the thread is that they're against services forcing attestation in general, and also pointing out that Play Integrity isn't about security, but rather about control, because Google could trivially make it work with GrapheneOS (which is more secure than any other Android OS on the market) but they won't.
> …Google could trivially make it work with GrapheneOS (which is more secure than any other Android OS on the market) but they won't.
But if Google did support third-party attestation, would the GrapheneOS Foundation be happy? Most of the thread seems to be a call for attestation to die, which feels impractical and unachievable. But "Google could use it to permit GrapheneOS for Play Integrity if that was actually about security" seems to be the real ask, and that seems reasonable and achievable. If that's true, I think it would’ve been more effective to lead with that and focus on it.
Why should Google decide which devices are safe enough to pass remote attestation? Seems to me that if we want this at all, it should be an independent body that approves signing keys of vetted vendors (e.g. vendors roll out security updates timely, etc.).
As long as this is in Google's hands, they can abuse it to control the market.
That said, Play Integrity accepting GrapheneOS would be a step forward, but they will never do it, because then other vendors might also want to pass attestation without preloading Google apps.
No. That would be a relatively better circumstance, but we would still have the root problem.
> Most of the thread seems to be a call for attestation to die, which feels impractical and unachievable.
I disagree, and I expect GrapheneOS devs do, too. Hardware attestation is a new thing, that isn't even really here yet. It absolutely can and should meet its demise.
It's impossible to say. But as a reminder from Cory's first talk on enshittification... When Google and Facebook were small, they would argue for open protocols and competition. Facebook would reverse engineer MySpace's protocols to allow people to migrate away. Once FAANG became dominant, they went the opposite direction to built monopolistic practices.
GrapheneOS is still small and appears honest. Despite them being in the right in this fight and them deserving our support... We gotta keep them honest in the long run!
I don't think there's any way to tell if a small company will keep their values if they succeed in getting enough market share.
It's a different thing if banking/government apps require a device certified for security, and a different thing if this certification certifies that the user's device has Google spyware preinstalled with elevated privileges..
Google doesn't certify devices basing on security, so that kind of attestation should have no place in banking/government apps, otherwise it just enforces the duopoly
There's a thread awhile back where there were VERY angry at someone trying to setup their own attestation project database (essentially a list of known Android builds and their signatures).
They want apps to add their signing hashes manually just for them and don't want to join projects that would aggregate and act as a database or certificate authority.
You mean Universal Attestation, which is from a vendor cartel, of which most of the individual vendors are typically waaaaay behind security updates, etc.
Ironically, the other top article on HN right now is CVE-2024-YIKES.
You can't have the cake and eat it too. Maybe we need to close some doors, especially if the barrier for publication is literally just a couple of prompts and uploading the result to distributor like npm or play store.
It's so obvious to me states need to create a soul bound identity system, replace social security numbers with it, and then let everyone else use cryptography on top of that (which is now cheap when you don't care about sybil attacks) to do private stuff.
First I'll say the government already has an ID system with a backdoor they mandate you use (your federal social security ID and state ID). The backdoor isn't very interesting because anyone with your ID in hand also has it.
So how about this:
1. State assigns citizens an ID at birth
2. State allows citizens to submit a public key along with their ID at any time
3. Citizens can go to their bank / private social network / whatever and say "this is my public key, you can use it to sign messages to me, and you can verify someone a) alive and b) a citizen of $state is reading it (from here you can bootstrap whatever protocol you want)
4. The state<>citizen network established in (2) is constantly under attack as stealing someones private key valuable so you also need a legal and technical framework to defend it
The protocol for submitting private keys and defending it from attack is a much longer post, I'm convinced there are ways to do it that drastically favor defense over offense, but that's not the point here.
Our question is can a government force it's way into the protocol you bootstrapped on top
How would they?
1. They could reset your public key to one they control the secret to, and then impersonate you digitally to break into your bank or social network. However I don't think they could do this secretly (the key update would necessarily be publically visible), so it's not really a back door. They can already do this with a search warrant. And if you're paranoid you can bootstrap your secondary cryptographic networks with multiple factors. So, this is on net more secure for you.
2. They could try to recover your secret key by force or warrant - but again not a back door.
I think the real concern isn't backdooring it's blacklisting, if this system becomes the L1 for every L2 crytographic interaction, they can practically remove your ability to freely transact. But that's a political problem you address with political means, I'm convinced from a technical perspective this is more secure and far cheaper for everyone.
We also need liability. Every time someone’s data is lost, the company losing it must be held accountable. They owe us huge amounts of money, and executives + board members should be jailed. No free pass.
Let’s see then if they really want to collect all our information all the time. Right now, they take it and handle it irresponsibly because they’re free from consequences.
The places you actually need an ID are so rare, I don't think it's worth it to build such a system (and no, porn or social network definitely aren't valid use cases).
My driver's license should have some anti-tamper identity proof that can do a challenge response. Or let me go pay a few bucks for an identity proof at the post office.
There must be a dozen other ways smarter people can think of but identity verification kills profits so the smart people don't work on them IMO. It's more profitable for social media to be an astroturfed shithole. It's more profitable to remove control of your PC.
End users should be authenticated so you can prove you're selling real eyeballs in the demographic mix you claimed to marketers and to provide lip service for the 'think of the children' regulators.
But anyone who's paying for ads should have as little friction as possible to dropping money and spewing garbage.
I'm surprised nobody is looking at some sort of "corporations are people" angle here-- we've attested the device ownership, but it's owned by the Lorem Ipsum Corporation, which is a legal/demographic dead end and spawned just long enough to buy the device.
You just need to deploy auditable (source-available, reproducible-build, firmware checksums LCD on-chip) biometrics booths that generate private keys from normalized biometric inputs, and then use those ephemeral private keys to generate and sign portable identity keys. Most people have fingerprints and retina patterns and that’s twelve signatures on an identity alone, allowing for continuity across severe biometrics events like regrown fingertips etc.
A nonprofit business could do this if backed by all existing dotcom and bitcoin billionaires. But they’d all want to profit from it, so either non-profit (NGO) or governmental it is.
Fun fact: this is already a core function of USPS. They serve as an identity verification hub for both US passports and their informed delivery and PO box services. They just have a human-dependent process rather than an identity-generator booth. So they’d be perfectly positioned to take your ID, hand you an attestation request QR code, and get your identity-signatures on it — without being able to reverse-engineer your biometrics from those signatures, but still being able to detect gross variances when someone else tries to lie about being you in a future verification.
Anyways, none of this will likely ever happen, but the rich tech folks could make it happen at any time if they cared to. Instead we get THE ORB which is doing retinas as a for-profit without auditable artifacts or hardware. Sigh.
GrapheneOS would do well to get a grip on its marketing/PR, especially at this pivotal moment of partnering with Motorola. This topic deserves to be a proper article. Please, not everyone wants to read a stream of tweets and replies.
And the audacity to reply rudely to someone in the thread with "Read the rest of the thread once it's posted". Absurd
It is definitely a monopoly enabler. But also a threat to speech. You can only participate online if you have attested hardware. And that hardware will be tied back to you. It’s another threat to privacy like age verification laws.
These kind of things just make me want to use Graphene even more, or literally any platform that isnt the monopoly ones. Somehow I think AI and vibecoding, even if it may sound as an unpopular opinion, will allow people to build free ecosystems and actually usable devices that dont rely on the usual providers.
I agree hw attestation is net negative when forced upon end users. OTOH, when service providers use it, it results in transparency to end users [1] so it's really about how it is used.
> Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.
Even the "beloved" EU government is also in on it as well as banking apps are pushing for this too. They do not care about you and the so-called "Open Web" is already dead on arrival.
By "they" you mean FAANG and the FTC, right? Telling the EU to respect the Open Web does nothing to protect users if you continue to approve the export of attested hardware. America is deliberately abetting authoritarian schemes.
You might need to the sentence again since I was quite clear who I was talking about:
"EU government"
"banking apps"
...and everyone else who benefits from pushing "digital payments, ID, age verification, etc." that will use "Apple's App Attest and Google's Play Integrity" APIs.
There's only two companies enabling those crooks, as far as I can see it. If America refuses to take action, then this power will be abused by worse governments like Russia and China.
Asymmetric cryptography and its consequences have been a disaster for the human race. I’m not even joking all of the centralization of power and the rise of totalitarianism tech is driving is downstream from asymmetric cryptography.
My introduction to asymmetric cryptography had to do with protecting myself from the authorities while buying drugs on the internet.
One of its first applications anywhere was protecting anti nuclear protestors from government provocateurs.
We could prevent so much fraud of we could only convince the credit card companies to start using it.
What you're noticing is not the leading edge of set of harms brought about by asymmetric cryptography, but rather the bad guys arriving late to the game and realizing that their enemy's sword has had two edges all this time.
It's not asymmetric cryptography itself. It's the fact that it takes enormous resources to manufacture modern SoCs, such that the economy only makes sense if you're churning them out by millions at least. It's also the fact that they can't be modified after they've been manufactured.
It's basically those people who can manufacture chips having technological supremacy over the rest of the humanity.
FFS, cryptography is not the problem. How many times will we have to shut down that particular stupidity? Asymmetric cryptography is a corner stone of basically all online secure communications, and has been since before Google and apple were even founded as companies! (First invented in 1970)
When did Https ever hurt you? That's built on asymmetric cryptography. Wherever you see the word "secure" it's basically shorthand for asymmetric cryptography.
Easy there I don’t want to take away your encrypted messaging. I’m just pointing out that the technology that enables it also enables the techno-totalitarianism we have been seeing rise since the mid 2010s
I disagree, I think you cast the net way too wide. Asymmetric cryptography enables secure communication in the first place. It's being used nefariously by Google and Apple, of course, but that's to be expected from big tech.
Remote attestation also uses asymmetric cryptography. (Device-bound private key that can sign attestation challenges, a known public key that can verify that challenge was signed with the device-bound private key.)
Isn’t the ability to create certificates guaranteed conceptually once you have asymmetric crypto? In that case there is no intermediate technology which allows key exchanges without also creating digital totalitarianism.
It's still not too late. With the help of Claude et. al, we can make a truly open mobile OS from ground up. We can make an app translater that can translate Android and iOS apps to our OS. We can make deals with manufacturers to start shipping phones with this OS. We have the will, there's enough of us on this site to make an impact. All ee need is good leadership. Please somebody with enough clout step up.
The OP is from an already-existing open mobile OS, which already has a deal with a manufacturer. The problem isn't, and has never been, making an OS. This is not a technical problem. This is a political problem.
The EU Digital (identity) Wallet EUDI requires hardware attestation by Google or Apple, effectively tying all the digital EU isentities to American duopoly. Talk about digital sovereignity. Apparently protecting the children > sovereignity.
https://gitlab.opencode.de/bmi/eudi-wallet/wallet-developmen...
Came here with roughly the same thought. Given the stated importance to many of sovereignty and not being dependent on the US, why isn’t there more opposition? I assume it’s just ignorance?
There is some opposition, but none of it is making a dent. It's depressing. I can't decide if it's incompetence, corruption, or malice.
Probably some combination of all three.
I wrote to the EU contact about this, got a patronising reply about how good it is, app being open source and what not.
Clearly tailored to the regular normie without technical skills.
Probably because the reply was written by someone without technical skills.
I’ve written to politicians over the years about technical matters and it’s uniformly either a clearly form response or an inaccurate summation of the technical risks.
At a certain point it begins to feel pointless.
So with a single flip of the switch, the president of the USA can shut down our EU Digital Identity Wallet.
Why was this decision ever made?
Is some party or coalition putting forth candidates that stand against this?
I hate to beat a dead horse and have people downvote me but: the EU has always been corrupted. The knowledge and effects are not evenly distributed until it hits each niche group. Then they find out the hard way that they were useful idiots. It’s ok to be wrong/admit. Let’s just move past the infighting and see those in power for the evil that they are.
Exactly. I have said this for a very long time and the EU (and many other governments) are not our friends and they are just as corrupt.
Anytime anyone criticises the EU here you will get downvoted even after trying to warn the EU defenders that they are not our friends at all.
Corruption. A taboo topic people prefer to downvote and pretend it does not exist.
But even bigger problem is that institutions designed to prevent this from happening are not doing their job.
Thousands security service and civil servants take their wages and look the other way.
No doubt there is corruption; but it’s also momentum. There aren’t stable and good alternatives for so many reasons so the duopoly has momentum
Requiring authorized silicon isn't even the biggest problem here.
They do not use zero knowledge proof systems or blind signatures. So every time you use you device to attest you leave behind something that can be used to link the attestation to your device. They put on a show where they care about your privacy by introducing indirection (static device ID is used to acquire an ephemeral ID from an intermediate server) but it's just a show because you don't know what those intermediary severs are doing: You should assume they log everything.
And this just the remote attestation vector, the DRM ID vector is even worse (no meaningful indirection). And the Google account vector is what it is.
This is a really good thread on why this technology is becoming a problem for "open" anything. The argument "we can create our own separate web" is fine until all of your services are behind the web that locks you into owning a Google approved or Apple approved mobile device.
I like to ride my bicycle with my friends in rides organized by the (Pacific Northwest) Cascade Bicycle Club. They require that I solve a Google reCAPTCHA in order to register for a ride. Google is already completely locking me out from being able to do that. When I try to click on the squares to select whatever items it's asking, it indefinitely loops. When I try using the audio version, it completely blocks me from using it saying that there has been suspicious activity.
That means that I ride alone these days. I did not renew my membership this year.
The last time I experienced something like this was when Facebook starting being the only way to participate in certain events. Back when that happened, I simply counted myself as excluded and did other things with my time and money.
I hope you contacted them to explain why. People usually think I’m a nut when I do it, or are too stupid to understand and think it’s a tech support issue, but it’s worth at least trying to make it clear that you are choosing not to use/do/pay something because of their choice to use recaptcha
IMO, it would be better if they removed the claim “It doesn't provide a useful security feature” because, even if it does, the collateral damage of making non-Google, non-Apple OSes second class citizens remains, and that is the main problem.
That's one of the two main claims made by in favor of hardware attestation; so it makes sense to argue against it. Of course, the other claim (that categories of people must be kept "safe" from categories of content) is more insidious, so it does deserve more attention.
And it didn't even take attestation to cause this absurd situation where many businesses or social groups were only reachable behind Facebook or Whatsapp or whatever.
To me this is such a bizarre cyberpunk dystopia. Like if we could only send letters and packages to people subscribed to the same private postal service, or drive on roads that had cross-licensing with our brand of car.
Wouldn't the argument be that you'd build separate copies of those services as well?
Granted, for banking or government-interactions that isn't feasible, but wouldn't it for many other things? It would likely be more expensive given that the work to build something still needs to be done and the cost is distributed among fewer shoulders and the lower complexity since you don't need to build ad-tech doesn't make up for that, but I suppose that's a bit like quality food.
Hardware will be more difficult.
Are there enough of us to run our own country? It makes me feel dumb, but this is a serious question.
If you live in a democracy, you already do run your own country. Vote accordingly. Get involved in politics.
There are mountains of academic research showing that even in “democracies”, public opinion rarely translates into policy (by design).
Even accepting your premise your options are still either:
1) Don't participate (and accept the consequences)
2) Participate (and accept potential disappointment/failure, with the benefit of having tried)
If you view 2) as fruitless unless your desired outcome is likely, you miss the potential value in the pursuit itself: working with like-minded people, building community, developing new skills, taking agency in your own life, and whatever else might come up along the way.
I don't begrudge anyone for choosing 1) (as long as they own their decision and don't force it on others), but 2) still seems like the aspirational choice I'd want to make if I could.
The problem with that argument is that there really is no such thing as public opinion at scale. You can poll people/the general public on just about any issue and the answers are going to differ massively depending on framing effects. In the end, it's hardly better than just flipping a coin.
https://www.nber.org/papers/w29766
Stop re-electing people.
Stop sitting at home projecting apathy and ennui in between WOW raids and rounds of LoL.
Mountains of evidence from history shows public has to stand up for itself, not lick boot.
Refuse to give the politicians and owner class assurances they too refuse to provide.
Most of them are old af and have no survival skills. They're reliant on the latest social memes, stock valuations not religious allegory, that are not immutable constants of physics.
Boomers looted the pension system of the prior generation to fund Wall Street. Take their money. It's American tradition.
Remind them physics is ageist and neither physics and American society afford no assurances anyone has food and healthcare.
Not much of a democracy...
Who is the "us" in your question? Theoretically in democracies we should be able to decide this, if we aren't being distracted from real political questions with the culture war stuff that divides the public's attention and divides neighbors from each other.
Any new country will have these same issues, eventually, and probably a lot more that don't seem obvious on the surface.
Fighting against these sorts of monopolies seems far more likely if we can figure out what forces inside the EU and the US are driving these changes and find a way to educated the public, interest groups, and politicians about what's going on.
We already have a republic. If we can keep it.
Where would you do that? Realistically, the question is one that cannot even be asked safely: are there enough of us to overthrow the existing systems and replace them with something better?
The answer to either question, really, is no. The powers that be have systematically implemented policies that keep us divided to prevent that eventual outcome.
Ideally, we just run our own lives, collaboratively. That's the anarchist default position that we all start in.
What we really need is to meaningfully participate outside of the hierarchical monopolistic systems that demand our participation. That doesn't just mean that we create and hang out in distributed networks: it also means that we make and do interesting shit there, too.
The biggest hurdle I see is that we only really use uncensored spaces to do the shit that would otherwise be censored. We don't use distributed networks to plan a party with grandma, or bitch about the next series of layoffs. We don't use distributed networks to share scientific discovery or art.
I think part of the solution is to make software that is better at facilitating those kind of interactions, and the other part of the solution is actually fucking using it. How many of us are only waiting for the first part?
https://en.wikipedia.org/wiki/Micronation
I’m not sure why you’re asking this question, but you can run a country as a population of 1 (ie just yourself) if you wanted.
The problem being raised isn’t due to the size of the country though. It’s the size of the company (ie Apple and Google)
The question is rather: can political parties develop a vision beyond libertarian views or full state control on the other side.
I feel that we need a better political consensus on a free society that puts the monopoly of force in the hand of democratic legitimate forces. I currently feel that all digital violence lies in the hands of a few corporations. And at the same time there is politician that like this because they can through this proxy can indirectly execute control without any political legitimacy. Sorry, I do not believe in markets as guarantees for freedom. I have read too much dystopian sci-fi for that.
Yes, it requires you to have an approved device for certain tasks.
But you can own multiple devices. You can use an approved device specifically for banking or Netflix and whatever device you like for all your other tasks. Maybe you could use an approved device (a Yubikey?) to authenticate your other devices?
Also, governments should be leaning on them to approve more devices.
Our civilization desperately needs a method to modify modern microelectronics after manufacturing that can be used at least in a well-equipped repair shop, and it needs it yesterday.
Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM in any computing device that is marketed as a general-purpose one. I.e. the first instruction that the CPU executes after reset must come from a storage device that is physically external to the CPU package.
Alternatively, just make it illegal to ship any kind of initial bootloader as part of a CPU's/SoC's mask ROM in any computing device that is marketed as a general-purpose one.
No, you just need to make it illegal to have the bootloader contain hardcoded key material and use it for verifying the code it loads.
This won’t help; the SOC silicon can be revised to record each executed instruction from power-on until secure-boot handoff opcode, with various supporting opcodes to query status-of / overflow-of / signature-for so that the OS reports pre-boot tampering implicitly as part of developing its own attestations.
Then also make it illegal for the SoC to contain any cryptographic key material.
My intention with this is to make sure that if someone were to desolder the flash chip and reprogram it, they could completely own the device without the device or SoC manufacturer having a say in it or a way to prevent or detect it.
Simpler to just make discrimination by hardware or software illegal than to legislate the silicon contents. That’s what everyone is upset about, after all: websites are gaining the ability to discriminate based on hardware-software with specific fidelity they never had before. If that was made unlawful, then you’d benefit billions of existing devices as well as future ones. The hard part is making the case that this sort of discrimination is worth fighting, but the John Deere lawsuits are (indirectly) further ahead on that point than the rest of tech is, weirdly enough.
Example: I’m perfectly fine with my Touch ID sensor having a crypto-paired link to my SOC so that someone can’t swap in a malware-sensor at a border checkpoint; I also don’t want my device (or websites) to be able to discriminate against me installing my own homemade sensor. What that looks like in practice is close to what we have now, but not quite there yet — and is definitely not ‘no crypto-pairing at all’, as a ban on key material would enforce.
> just make it illegal to ship any kind of initial bootloader
funny how you think the solution to people imposing their will on you is to impose your will on others
also, the solution you propose wouldn't work because signed firmware
And what code will verify the signature of the initial bootloader? As far as I know, in every modern implementation of secure boot that is done by that very bootloader, which is burned into the CPU/SoC. I can imagine someone implementing some sort of fixed-function block to do that, but see my sibling reply about that.
Also, governments are supposed to act in the interest of people.
It's called laws
Is it possible to dual-boot on android? It sounds defeatist but I no longer believe it’s possible to change course - the increasingly authoritarian governments, google and most moneyed interests are all on the same side, so it’s just a matter of when.
Being on the palantir-approved google ranch for the few Apps You Need + graphene (or some other alt OS) for everything else would be quite inconvenient, but still better than carrying two phones, which nobody wants to do.
I literaly switched away from banks whose apps dont work on GrapheneOS
The thread is a bit vague. Am I understanding correctly that GrapheneOS Foundation's objection isn't to attestation per se, but that they can't participate in Google-controlled attestation APIs? In other words, although GrapheneOS can be cryptographically attested, apps using Google Play Integrity won’t accept it because it isn't Google-certified/GMS-licensed?
My impression is that they are against remote attestation in apps/websites in general and if apps really want to do it, they should do it using the attestation API that AOSP already provides. The attestation API in AOSP allows companies to trust signing key fingerprints (such as those of GrapheneOS), which means that the attestation system is not controlled by a single company (Google).
The most damning part about Google Play Integrity is that, as the thread states, that Google lets devices pass that are full of known security holes, whereas they do not allow what is very likely to be the most secure mobile OS. This shows that they only use it as a method to shut out competitors and to control Android device manufacturers to pre-install Google software like Chrome (otherwise their devices do not get certified and won't pass Play Integrity).
IANAL, but anti-competition lawyers/bodies should have a field day with this, but nobody seems to care. Worse, the EU, despite their talk of sovereignty adds Play Integrity-based to their own age verification reference app.
I recommend every EU citizen, also if you do not use GrapheneOS, to file a DMA complaint about this anti-competitive behavior:
https://digital-markets-act.ec.europa.eu/contact-us-eu-citiz...
Also, every time this comes up, @ the relevant EU bodies, commissioners and your government's representative on Mastodon, etc.
[delayed]
> Am I understanding correctly that [...]
What I took away from the thread is that they're against services forcing attestation in general, and also pointing out that Play Integrity isn't about security, but rather about control, because Google could trivially make it work with GrapheneOS (which is more secure than any other Android OS on the market) but they won't.
> …Google could trivially make it work with GrapheneOS (which is more secure than any other Android OS on the market) but they won't.
But if Google did support third-party attestation, would the GrapheneOS Foundation be happy? Most of the thread seems to be a call for attestation to die, which feels impractical and unachievable. But "Google could use it to permit GrapheneOS for Play Integrity if that was actually about security" seems to be the real ask, and that seems reasonable and achievable. If that's true, I think it would’ve been more effective to lead with that and focus on it.
Why should Google decide which devices are safe enough to pass remote attestation? Seems to me that if we want this at all, it should be an independent body that approves signing keys of vetted vendors (e.g. vendors roll out security updates timely, etc.).
As long as this is in Google's hands, they can abuse it to control the market.
That said, Play Integrity accepting GrapheneOS would be a step forward, but they will never do it, because then other vendors might also want to pass attestation without preloading Google apps.
No. That would be a relatively better circumstance, but we would still have the root problem.
> Most of the thread seems to be a call for attestation to die, which feels impractical and unachievable.
I disagree, and I expect GrapheneOS devs do, too. Hardware attestation is a new thing, that isn't even really here yet. It absolutely can and should meet its demise.
It's impossible to say. But as a reminder from Cory's first talk on enshittification... When Google and Facebook were small, they would argue for open protocols and competition. Facebook would reverse engineer MySpace's protocols to allow people to migrate away. Once FAANG became dominant, they went the opposite direction to built monopolistic practices.
GrapheneOS is still small and appears honest. Despite them being in the right in this fight and them deserving our support... We gotta keep them honest in the long run!
I don't think there's any way to tell if a small company will keep their values if they succeed in getting enough market share.
It's a different thing if banking/government apps require a device certified for security, and a different thing if this certification certifies that the user's device has Google spyware preinstalled with elevated privileges..
Google doesn't certify devices basing on security, so that kind of attestation should have no place in banking/government apps, otherwise it just enforces the duopoly
There's a thread awhile back where there were VERY angry at someone trying to setup their own attestation project database (essentially a list of known Android builds and their signatures).
They want apps to add their signing hashes manually just for them and don't want to join projects that would aggregate and act as a database or certificate authority.
You mean Universal Attestation, which is from a vendor cartel, of which most of the individual vendors are typically waaaaay behind security updates, etc.
I am reminded of the period when secure boot was being developed for PCs.
Microsoft certainly wanted to be the only company whose OS was allowed to boot with secure boot turned on.
Google should not be allowed to close the supposedly "open" ecosystem they created any more than Microsoft was allowed to.
Ironically, the other top article on HN right now is CVE-2024-YIKES.
You can't have the cake and eat it too. Maybe we need to close some doors, especially if the barrier for publication is literally just a couple of prompts and uploading the result to distributor like npm or play store.
It's so obvious to me states need to create a soul bound identity system, replace social security numbers with it, and then let everyone else use cryptography on top of that (which is now cheap when you don't care about sybil attacks) to do private stuff.
Any system mandated by the government will have a backdoor to deanonymize users. Nothing would convince me otherwise.
Let me try anyway (maybe I'm a masochist)
First I'll say the government already has an ID system with a backdoor they mandate you use (your federal social security ID and state ID). The backdoor isn't very interesting because anyone with your ID in hand also has it.
So how about this:
1. State assigns citizens an ID at birth 2. State allows citizens to submit a public key along with their ID at any time 3. Citizens can go to their bank / private social network / whatever and say "this is my public key, you can use it to sign messages to me, and you can verify someone a) alive and b) a citizen of $state is reading it (from here you can bootstrap whatever protocol you want) 4. The state<>citizen network established in (2) is constantly under attack as stealing someones private key valuable so you also need a legal and technical framework to defend it
The protocol for submitting private keys and defending it from attack is a much longer post, I'm convinced there are ways to do it that drastically favor defense over offense, but that's not the point here.
Our question is can a government force it's way into the protocol you bootstrapped on top
How would they?
1. They could reset your public key to one they control the secret to, and then impersonate you digitally to break into your bank or social network. However I don't think they could do this secretly (the key update would necessarily be publically visible), so it's not really a back door. They can already do this with a search warrant. And if you're paranoid you can bootstrap your secondary cryptographic networks with multiple factors. So, this is on net more secure for you.
2. They could try to recover your secret key by force or warrant - but again not a back door.
I think the real concern isn't backdooring it's blacklisting, if this system becomes the L1 for every L2 crytographic interaction, they can practically remove your ability to freely transact. But that's a political problem you address with political means, I'm convinced from a technical perspective this is more secure and far cheaper for everyone.
We also need liability. Every time someone’s data is lost, the company losing it must be held accountable. They owe us huge amounts of money, and executives + board members should be jailed. No free pass.
Let’s see then if they really want to collect all our information all the time. Right now, they take it and handle it irresponsibly because they’re free from consequences.
The places you actually need an ID are so rare, I don't think it's worth it to build such a system (and no, porn or social network definitely aren't valid use cases).
It's a problem in search of a solution.
> It's a problem in search of a solution.
The cynic in me suspects it's a way of slowly but methodically eradicating online anonymity and thus anonymity in general.
My driver's license should have some anti-tamper identity proof that can do a challenge response. Or let me go pay a few bucks for an identity proof at the post office.
There must be a dozen other ways smarter people can think of but identity verification kills profits so the smart people don't work on them IMO. It's more profitable for social media to be an astroturfed shithole. It's more profitable to remove control of your PC.
Social media in an ad economy serves two masters.
End users should be authenticated so you can prove you're selling real eyeballs in the demographic mix you claimed to marketers and to provide lip service for the 'think of the children' regulators.
But anyone who's paying for ads should have as little friction as possible to dropping money and spewing garbage.
I'm surprised nobody is looking at some sort of "corporations are people" angle here-- we've attested the device ownership, but it's owned by the Lorem Ipsum Corporation, which is a legal/demographic dead end and spawned just long enough to buy the device.
You just need to deploy auditable (source-available, reproducible-build, firmware checksums LCD on-chip) biometrics booths that generate private keys from normalized biometric inputs, and then use those ephemeral private keys to generate and sign portable identity keys. Most people have fingerprints and retina patterns and that’s twelve signatures on an identity alone, allowing for continuity across severe biometrics events like regrown fingertips etc.
A nonprofit business could do this if backed by all existing dotcom and bitcoin billionaires. But they’d all want to profit from it, so either non-profit (NGO) or governmental it is.
Fun fact: this is already a core function of USPS. They serve as an identity verification hub for both US passports and their informed delivery and PO box services. They just have a human-dependent process rather than an identity-generator booth. So they’d be perfectly positioned to take your ID, hand you an attestation request QR code, and get your identity-signatures on it — without being able to reverse-engineer your biometrics from those signatures, but still being able to detect gross variances when someone else tries to lie about being you in a future verification.
Anyways, none of this will likely ever happen, but the rich tech folks could make it happen at any time if they cared to. Instead we get THE ORB which is doing retinas as a for-profit without auditable artifacts or hardware. Sigh.
So basically, ReCaptcha should be spun off into a not-for-profit.
GrapheneOS would do well to get a grip on its marketing/PR, especially at this pivotal moment of partnering with Motorola. This topic deserves to be a proper article. Please, not everyone wants to read a stream of tweets and replies.
And the audacity to reply rudely to someone in the thread with "Read the rest of the thread once it's posted". Absurd
(Wrote this on a Pixel running grapheneos fwiw)
They recently said that in the future they want to do more long-form posts just in their discussion forum and then link to it from Mastodon, etc.
It is definitely a monopoly enabler. But also a threat to speech. You can only participate online if you have attested hardware. And that hardware will be tied back to you. It’s another threat to privacy like age verification laws.
Safety is the pretext. This is the actual reason why this is happening, and why it is accelerating now
These kind of things just make me want to use Graphene even more, or literally any platform that isnt the monopoly ones. Somehow I think AI and vibecoding, even if it may sound as an unpopular opinion, will allow people to build free ecosystems and actually usable devices that dont rely on the usual providers.
I agree hw attestation is net negative when forced upon end users. OTOH, when service providers use it, it results in transparency to end users [1] so it's really about how it is used.
[1] https://bmail.ag/verify
Well there you have it.
> Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.
Even the "beloved" EU government is also in on it as well as banking apps are pushing for this too. They do not care about you and the so-called "Open Web" is already dead on arrival.
[0] https://grapheneos.social/@GrapheneOS/116551068177121365
> They do not care about you
By "they" you mean FAANG and the FTC, right? Telling the EU to respect the Open Web does nothing to protect users if you continue to approve the export of attested hardware. America is deliberately abetting authoritarian schemes.
> By "they" you mean FAANG and the FTC, right?
You might need to the sentence again since I was quite clear who I was talking about:
"EU government"
"banking apps"
...and everyone else who benefits from pushing "digital payments, ID, age verification, etc." that will use "Apple's App Attest and Google's Play Integrity" APIs.
It isn't that hard to understand.
There's only two companies enabling those crooks, as far as I can see it. If America refuses to take action, then this power will be abused by worse governments like Russia and China.
Asymmetric cryptography and its consequences have been a disaster for the human race. I’m not even joking all of the centralization of power and the rise of totalitarianism tech is driving is downstream from asymmetric cryptography.
My introduction to asymmetric cryptography had to do with protecting myself from the authorities while buying drugs on the internet.
One of its first applications anywhere was protecting anti nuclear protestors from government provocateurs.
We could prevent so much fraud of we could only convince the credit card companies to start using it.
What you're noticing is not the leading edge of set of harms brought about by asymmetric cryptography, but rather the bad guys arriving late to the game and realizing that their enemy's sword has had two edges all this time.
It's not asymmetric cryptography itself. It's the fact that it takes enormous resources to manufacture modern SoCs, such that the economy only makes sense if you're churning them out by millions at least. It's also the fact that they can't be modified after they've been manufactured.
It's basically those people who can manufacture chips having technological supremacy over the rest of the humanity.
It doesn’t matter if you can produce SOCs if your hardware isn’t trusted.
What if you can copy someone else's SoC including their keys?
I guess read-only memory is another requirement but that is very old technology we have never had asymmetric cryptography without read only memory.
FFS, cryptography is not the problem. How many times will we have to shut down that particular stupidity? Asymmetric cryptography is a corner stone of basically all online secure communications, and has been since before Google and apple were even founded as companies! (First invented in 1970)
When did Https ever hurt you? That's built on asymmetric cryptography. Wherever you see the word "secure" it's basically shorthand for asymmetric cryptography.
Https
Ssh
Sftp
E2ee
It's asymmetric cryptography all the way.
Easy there I don’t want to take away your encrypted messaging. I’m just pointing out that the technology that enables it also enables the techno-totalitarianism we have been seeing rise since the mid 2010s
>Easy there I don’t want to take away your encrypted messaging
Then stop trying to take away the technology it's built on
I disagree, I think you cast the net way too wide. Asymmetric cryptography enables secure communication in the first place. It's being used nefariously by Google and Apple, of course, but that's to be expected from big tech.
Nefariously how?
Remote attestation also uses asymmetric cryptography. (Device-bound private key that can sign attestation challenges, a known public key that can verify that challenge was signed with the device-bound private key.)
Isn’t the ability to create certificates guaranteed conceptually once you have asymmetric crypto? In that case there is no intermediate technology which allows key exchanges without also creating digital totalitarianism.
This was a wild ride, what an adventure. So many moving pieces, this really is just one big house of cards.
It's still not too late. With the help of Claude et. al, we can make a truly open mobile OS from ground up. We can make an app translater that can translate Android and iOS apps to our OS. We can make deals with manufacturers to start shipping phones with this OS. We have the will, there's enough of us on this site to make an impact. All ee need is good leadership. Please somebody with enough clout step up.
The OP is from an already-existing open mobile OS, which already has a deal with a manufacturer. The problem isn't, and has never been, making an OS. This is not a technical problem. This is a political problem.