There needs to be a law that makes remote attestation - no matter who provides the root certificates, Google/Apple/GrapheneOS - illegal. There is only one use for this technology right now, and it is to prevent people from doing what they want to do with the devices they own, while also making interoperability cryptographically impossible. This is anti-competitive and should simply be illegal.
There is a real chance that in 5-10 years, there will be laptops and smartphones running open processors and operating systems with UX and an OS comparable or better than the proprietary equivalent, but which are effectively useless to the average consumer because it is cryptographically impossible to use them for anything due to remote attestation proliferating more and more.
It already is illegal in the EU under the EU Data Act. The VW executives are just criminals who don't care about the law, because they can bend it like before.
How so? Do you have rights to your data in secure enclaves?
What you're really looking for is API-free services/products, so it works without cloud at all.
Or products/companies that explicitly expose API access to their products.
> There is only one use for this technology right now, and it is to prevent people from doing what they want to do with the devices they own.
Well, that and making it possible to deploy devices you own in environments where they might be physically accessible to people you don't want extracting credentials from them. Or for ensuring people can only access sensitive company information on company issued devices rather than being able to casually make a copy of any data they have access to somewhere else. Or using a phone as a credit card payment terminal without the possibility of displaying one payment amount on screen and authorising for a different amount.
I'm quite firmly in favour of anything I own giving access to the data it's generating in an open format but screaming about how there's no legitimate use for attestation is quite simply nonsense.
> Or using a phone as a credit card payment terminal without the possibility of displaying one payment amount on screen and authorising for a different amount.
It only attests that the device booted normally (locked bootloader, factory firmware, etc.). Any kind of post-boot compromise (whether it's from malware or something user-initiated) goes completely undetected and does not impact attestation status.
Sure, it’s one element in a defense in depth. You ensure that post boot it’s not possible to manipulate what’s being loaded, and then you ensure that during boot the OS is in the expected state for that to be true. It’s not a panacea but it is an important part of the process.
[flagged]
*Smugly* Huh, don’t like it? Just vote with your wallet and buy a car with better TC. Or build your own?
Caught one in the wild!
https://news.ycombinator.com/item?id=48320351
I wonder if companies can T&C their way out of any problem.
Pretty much. Correct me if I am wrong, but these T&C are treated like "local" laws (in respect to interaction of client and business within their interaction) within most jurisdictions by courts.
So even if T&C do not make sense, usually courts are in favour of enforcing them.
Unless there is some severe contradiction with the constitution or alike, or serious harm to people or something, they would throw away T&C in cases. But AFAIK that is rare.
No: T&C cannot override the law, that is a national/EU law is still superior to anything that is written in the T&C. If there is a contrast between T&C and the law of course that T&C are just scratch paper.
Nobody claimed that this wasn’t the case.
No one is claiming T&C overrides the law, but most laws (even here in EU) give a lot of leeway to contracts (which T&C is an example of) in cases where law doesn't establish any extra positive right.
And there's no law demanding you get access to a proprietary system (as of right now) that would override a T&C restriction.
Definitely not. You can't have T&C that are against the law, even if the consumer has agreed to that. Like you can't sell your kidney even if you want to. It's illegal.
> T&C treated like "local" laws. so even if T&C does not make sense, usually courts are in favour of enforcing them. unless some severe contradiction with constitution or alike
It's not a "law", it's always under the law like any contract. And a court will not enforce illegal terms unless something very shady is afoot. The law always takes precedence, even "lowly" laws, not just the constitution. In case of conflict the law wins so you can't have illegal provisions in the T&C even if you agree to them. They can give you extra rights but they can't take away the ones you have legally.
The principle is simple, the company isn't allowed to ask for illegal things. Your agreement is irrelevant because you are not entitled to legitimize an illegal demand.
The problem is you need to go to court if the company won't cooperate.
That's how local laws work. The higher jurisdiction always takes precedence over the more local one.
I'm saying that T&Cs are not like any kind of law but like a contract and they are not treated like "local law" in court.
Laws work like that because there's a hierarchy in the legal system too but that's about it for commonality.