Hacker News

Hardware Attestation as Monopoly Enabler

2126 points by ChuckMcM last Sunday at 5:54 PM | 732 comments

Comments

xyzal yesterday at 9:09 AM

This is exactly why legislation like the Digital Markets Act is needed.

b112 yesterday at 12:27 AM

I can barely read this; something supposedly this serious would be much better as a single page, a cogent, actual article.

charcircuit last Sunday at 11:58 PM

Being able to cut out abuse from things like cheaters is too useful of a tool for developers to give up. The big problem here, as mentioned in the thread, is that the list of approved hardware is not based off of security of maintaining security of the attested application but upon Play services licensing.

tamimio last Sunday at 9:50 PM

The best workaround for now (as the solution is always to change these regulations, not the technical workarounds) is to have a secondary smaller phone that has the SIM card, google botnet services, etc., and use that for any verification needed or login to banks or whatever, and keep this device turned off in your house so they don’t track you too and use it where needed. That while also pressuring web services not to use recaptchas and similar invasive services.

einpoklum last Sunday at 9:20 PM

Not to rain on the parade, but doesn't GrapheneOS only work on Google Pixel devices? I mean, that's still in the Google jail on a physical level, even if they swap out the software.

mrexcess last Sunday at 8:58 PM

There are a number of technological / legal hybrid policies developing that come at the very jugular vein of computing freedom - the notion of a “general purpose” computer itself. OS level identity / age verification, hardware attestation, walled garden app signature requirements. All evincing the same aim.

TZubiri last Sunday at 7:39 PM

Ironically, the other top article on HN right now is CVE-2024-YIKES.

You can't have the cake and eat it too. Maybe we need to close some doors, especially if the barrier for publication is literally just a couple of prompts and uploading the result to a distributor like npm or play store.

rasengan last Sunday at 6:33 PM

I agree hw attestation is net negative when forced upon end users. OTOH, when service providers use it, it results in transparency to end users [1] so it's really about how it is used.

[1] https://bmail.ag/verify

rvz last Sunday at 6:19 PM

Well there you have it.

> Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.

Even the "beloved" EU government is also in on it as well as banking apps are pushing for this too. They do not care about you and the so-called "Open Web" is already dead on arrival.

[0] https://grapheneos.social/@GrapheneOS/116551068177121365

ls612 last Sunday at 6:18 PM

Asymmetric cryptography and its consequences have been a disaster for the human race. I’m not even joking, all of the centralization of power and the rise of totalitarianism tech is driving is downstream from asymmetric cryptography.

dickywad last Sunday at 8:40 PM

It's actually worse than people seem to understand.

Hardware attestation will spread like a plague and you will soon no longer be able to log into anything without using "an approved computer". Which will mean a computer of someone else's choosing.

I could easily see large companies using this as a way to charge employees for their desktop access and a million other perversions of this nonsense.

It's bad enough we can't use our computers without being spied on, now they want to install their spyware and force us to use "their computers"

derelicta last Sunday at 8:49 PM

Mark my words: ten years from now, the Chinese web will be more free and open than any Western country.

gibbsrich last Sunday at 7:00 PM

This was a wild ride, what an adventure. So many moving pieces, this really is just one big house of cards.

iamkrazy last Sunday at 6:45 PM

It's still not too late. With the help of Claude et al., we can make a truly open mobile OS from the ground up. We can make an app translator that can translate Android and iOS apps to our OS. We can make deals with manufacturers to start shipping phones with this OS. We have the will, there's enough of us on this site to make an impact. All we need is good leadership. Please somebody with enough clout step up.

gyush yesterday at 12:17 AM

It seems to me that comments here are reading this as saying attestation is bad, when the real argument is that attestation should explicitly provide a path of inclusion for non-Apple and Google providers.

The headline seems to make the statement that Apple and Google are evil and doing this for monopoly lock-in, and GrapheneOS, a competitor, will stand for the people against that. But given their final counterpoint is that they should have been included too and they rant about being rejected from Google's Play Integrity API for unclear reasons they claim are malicious, it seems they do acknowledge there's security value here: we do critically need full-chain-of-signature attestations for critical identity data, the only way to avoid someone using AI to create fraud identities trivially.
