Alternate take: it's exactly as bad as you expected, but your timeline was off.
And even so, perhaps it's later than you realize. Device attestation in the browser is the final nail in the coffin, and it's a question of "when" not "if" major sites start requiring it in the name of "safety" from bots.
> and it's a question of "when" not "if" major sites start requiring it in the name of "safety" from bots.
I recently found a plugin that can alert to JS doing shady "fingerprint-like" activity. I did not expect it to go off quite as often as it does now.
It would seem that some sites are already asking _very_ probing questions about the browser so it's only a matter of time before they go one step further and demand proof and gate on furnishment of that proof.
I don't agree, it is absolutely dreadful, and we saw this coming and did nothing about it.
Think about it: you need permission to run software on your own hardware. Every time you launch a Mac App, it checks in with its masters to be sure its okay to do so - every time you install an app on your mobile device, it does the same thing.
People accept this terrible state of affairs because the "user experience is better" - but this is a fallacy. Under the cover of 'security issues' that their are incapable of fixing, due to very poor architecture decisions, OS vendors have instead bolted on an insanity and sold it to the user as progress.
Every computing device should have everything it needs, onboard, to write software for that computing device. That they don't is because the OS vendors are cowardly running from the bloat of yesteryear and adding more bloat tomorrow to cover it all up.
There will be a backlash against this. We see it already in the retro-computing and alternative-platform hacking communities, which are growing and growing, exponentially, by the year.
Its only a matter of time that someone wraps up this freedom-to-use concept in hardware that is sexy enough to compete with the totalitarian-authoritarian platform providers. Any .. day .. now ..
So far, yes. It's getting hardware with every release. First you had to click approve in a dialog to launch unsigned software. Later you had to right click -> "open" -> then approve. Now you have to open system settings to find the button to show the approval prompt.
Meanwhile to install a kernel extension you now have to reboot into safe mode and disable part of system integrity protection (with big warnings that it's at your own risk).
For the average user, kernel extension are already gone, and unsigned software not far behind.
The early MacOS era as well as pretty much the entire classic Mac OS era was infamous for being a more-or-less do it yourself environment for adding bits the OS didn't have or did sub-optimally for given use cases.
The wisdom of such a freewheeling ecosystem in today's era is maybe debatable, but given how user-hostile the mainline OS and software vendors can be, I say there's still plenty of room for that ecosystem and it should be preserved.
The old OS was awesome in that way. As extensions loaded the would appear in sequence at the bottom of the screen when a driver failed the boot would lock-up and one could reboot with extensions off change the boot order or remove the driver from the system folder. Very easy to mess with.
ever since that was how you did device drivers. If you anything interesting, hardware wise, it came with drivers that required help from inside the kernel, and maybe you can argue that was different but it's still kernel level stuff that normal users had to install.
You can also just resign the binaries in one quick CLI command. That can’t go away because it’s baked into the post-compile build stages of Mac and iOS apps. So relax, this thread is all a bunch of silly FUD.
PC was an anomaly thanks to IBM not being able to go with their plans.
On UNIX, Sun was the vendor that introduced the concept of SDK SKU, thus for having developer tools, an additional SKU had to be bought, and the until then largely ignored GCC sundenly got a new focus of attention.
Mainframes and micros always needed having a group of folks from the vendor professional services for specific kinds of configurations.
I still remeber working on traditional timesharing UNIX systems, one single server for all teams, what you get to do is decided by IT for your role.
There are plenty of examples from the past on how this has been happening already.
An anomaly from some corporate pov, maybe, but at home the PC was definitely not more open to general purpose computing than the alternatives. Most early home computers booted straight into a BASIC prompt, and the line between being a programmer and a user was far more blurred than it is now.
PCs from IBM could do this as well. There was a ROM'd BASIC in IBM computers that they would default to if they couldn't find a bootable disk. The BASIC that came with PC-DOS, BASICA.COM, was actually a wrapper for this ROM BASIC.
The clones relied on GW-BASIC and later QBasic, which came on disk and was bundled with DOS, to supply this functionality, and didn't have BASIC in ROM. In fact, some early BIOS implementations, if they did not find a bootable disk, displayed a message "NO BASIC FOUND" or similar.
But the "walled garden" on mobile (iOS mostly, but now also Android) isn't really about trusted computing at all. Trusted computing (locked bootloaders) is but a small part of it.
Trusted computing and even remote attestation have legitimate use cases. It's good, great even, that they exist. But just like everything, they can be used against you.
In fact most digital goods that are sold in large numbers via download, are, as far as I'm aware, sold with some form of DRM. Like films and video games. Otherwise piracy would be just too easy. MP3s don't have DRMs, and are still sold (e.g. by Amazon), but those now seem to be largely replaced by music subscription services.
And this might be a reaction to the fact that music piracy is quite easy; if it wasn't, perhaps there would be no Spotify where you get basically All The Music in existence for peanuts. (Note that no equivalent subscription service exists with regards to movies or games: Netflix and Xbox Game Pass have only a limited selection of content included in their subscription.)
A more generous explanation is that it might be both — vendor lock-in also happens to be a security measure.
Having important info on your device and having that device accessible to the wild, wild, internet is a very real problem. If the "walled garden" is a flawed solution we should work on a better one.
Anyone who thinks that vendor lock-in is a security feature didn't learn a thing from the Crowdstrike incident last year. The biggest security incident in the history of the entire internet was caused by a cybersecurity ''vendor''.
No, the issue is too much of the Secure Boot chain is currently being controlled by Microsoft.
Kernel being GPL has no point currently. Require hardware attestation with Microsoft private keys + systemd-boot + systemd + uutils can create a nice walled garden, allowing "vendors" to build locked-down hardware-OS pairs.
More importantly, uutils is MIT, which can attest at every level, without sharing a line of source code.
This will affect everything from small appliances to big iron and it can be very ugly.
I know. The question is not about what’s possible today.
What prevents Microsoft from updating Windows PC standards and eliminate the possibility of turning off secure boot and allowance of enrolling your own keychain in the secure boot process?
These are long games. Being comfortable today doesn’t guarantee same comfort and allowances tomorrow.
Ironically, we’re discussing this under Android’s increasing restrictions.
The same Android which was championed as the bastion of mobile freedom when it first came out.
It goes back to the old arguments about free software vs open source. Maybe by restricting devs in certain ways the users are actually more free. But then maybe the system to lock the users in gets built with wholly proprietary software and there's less adoption overall of the FOSS software. I don't really have a good answer. I recently switched to grapheneOS but it feels like fighting a losing battle, and lots of apps don't like that I'm using a non official android build.
I worked at a big company where GPLv2 software could be used in our systems but not GPLv3. Is it better that that GPLv3 software didn't have more users? The company didn't contribute much back so maybe it's not a big loss.
- 22K stars - 1600+ forks - 33 releases - 622 contributors - 678 users (at minimum) - Code of conduct (with a debian.org mailing address nonetheless) - 1 distribution shipping it as default (so far)
The project has the stated goal as follows [0]:
> The uutils project reimplements ubiquitous command line utilities in Rust. Our goal is to modernize the utils, while retaining full compatibility with the existing utilities. We are planning to replace all essential Linux tools.
This is hell of a self-tutorial.
If this was GPL licensed, I'd love to try these. But at this point, it's looking for pushing GNU out of the Linux ecosystem, completely.
it's in the name, but it's open source and it's replacing a hodgepodge of other stuff (the point isn't why it's replacing it, or how well it's going; the point is there are replacements).
if the computer won't allow to install or use other software until you install a vendor-signed version of systemd on a vendor-signed kernel we'll be there. it's about hardware attestation, not signed software, though.
The future is likely bifurcated trust: Official, encrypted, attested systems; and unofficial, unencrypted, unattested systems.
The GNU freedoms never specified the right to run free software side by side with proprietary software on the same hardware; so the FSF should actually be fine with such an outcome.
The problem with bifurcated trust is the ongoing efforts to force people into carrying a “trusted” pocket spy. Cashless payments, mobile train tickets, and digital ID are making it extremely difficult to live without a pocket spy in some places.
If my bank requires me to use a phone for transfers (mine doesn’t), it might be acceptable to leave one in a desk drawer powered off as you would do with a hardware authentication token. It’s a special device for occasionally accessing a service. Fine. But when governments and industry collude to force citizens to carry these devices in order to live life normally, that’s not OK.
My intent is to be as stubborn and obnoxious as possible in resisting this until they either give up and provide an alternate path or lock me away for noncompliance. Fortunately there is still an alternate path available for most things, primarily thanks to elders who have trouble with new tech. (Thank you elders!)
Or… acknowledge this is a fear of a future 30, 40, 50 years away that may never happen, which is never an argument.
It’s like saying the government, because they have power, and the SCOTUS, because they have power, could decide to kill all children. Yes, they could. No, it’s absurd to let that power keep you up at night, or say the solution is to abolish their power.
Ha! Let me know how to achieve that and I will. I’ve advocated, donated, and volunteered for years on behalf of a number of causes, some with excellent organizations promoting them, and yet things continue to get worse. The only minor victories have been temporary delays of bad policy.
No, the best response for the average citizen is stubborn noncompliance and constant passive resistance. Drag your feet until the whole thing comes crashing down. And encourage your friends to do it too! (But don’t stop trying through conventional politics, maybe one day it will work. Just don’t get your hopes up.)
You can’t pass a law; because you have almost no bad examples to point to. Emulators, something that happened on the other side of the world, and piracy aren’t arguments.
The banning of Parler did more for activism and awareness regarding platform control than all FOSDEM. Of course, HN happily piled on in favor of this decision, missing the moment to build common ground on platform control, for the sake of political expediency.
If the government, or tech, starts regulating out things people actually care about, then you’ll have your sway. The rush to technical solutions seems to imply we already internally agree tech and government aren’t going to do anything the average person cares about - as it assumes the “bad future” can happen without a national policy discussion anywhere.
It may be across an ocean, but Europe isn’t exactly the other side of the world geographically or culturally. Many of the ideas being trialed there are working their way into parts of the US. The frog is being boiled slowly, but the heat is rising more quickly in big cities.
> HN happily piled on in favor of this decision
HN is not a monolith with a single opinion. The loudest users at the time (not just here, all over the internet) were pro-censorship political activists, so maybe that caused you to interpret things that way.
> If the government, or tech, starts regulating out things people actually care about, then you’ll have your sway.
The public will not respond until the groundwork has been laid to make effective protest impossible. Only then will important things be regulated out. Until then it will just be “nerd stuff”.
This is a lazy argument, as I can safely say that 80% or more of HN has the same political bent, and every community ever has said “but not everyone.”
Read the comments on the Parler deplatforming. See what was upvoted. See what the consensus was. Nobody cares about the principles, even here, when rubber hits the road.
Imagine if the undesirables, on either side, started actively using all the decentralized censorship-resist tech for their cause. Would the builders and commentators here be saying “working as designed,” or would there be a sense of fury, a sense of “not like that?” A sense of “that was supposed to enable my cause, not yours?”
Suppose Proud Boys coordinated their Jan 6 activities on Signal and Tor. Suppose Truth Social was built on ActivityPub and MAGA developers were the loudest voices at FOSDEM advocating for censorship-resistant protocols. How do you feel? Are we still citing the same principles? If not, we never believed them.
> The public will not respond until the groundwork has been laid to make effective protest impossible. Only then will important things be regulated out. Until then it will just be “nerd stuff”.
I’m looking at history and noticing that 99.9% of revolutions did not have the internet required to be successful.
> This is a lazy argument, as I can safely say that 80% or more of HN has the same political bent, and every community ever has said “but not everyone.”
I disagree, but even if you were correct: like, what’s your point? Are you grouping me in with them because I happen to be posting here? I reject that characterization.
Edit: I feel like this is an attempt at some kind of “gotcha” based on the example you provided. No, I don’t believe access to tech should be gated based on politics. IMHO everyone should have access to private and secure systems, as part of their human rights regarding speech, thought, and personal privacy. I attempted to raise this point in several venues during the “deplatforming” fad and explained how the political pendulum made it a bad idea. The mob remained unconvinced.
> I’m looking at history and noticing that 99.9% of revolutions did not have the internet required to be successful.
You tell me how people are going to protest effectively in the face of:
- Ubiquitous visual surveillance and facial recognition
- Ubiquitous audio surveillance via pocket spies and things like Flock/ShotSpotter/other competing systems
- Ubiquitous ALPR systems and GPS-enabled “digital plates” being trialed in some areas
- Data mining coupled with AI behavioral analysis (sloppy but likely good enough)
- An increasing percentage of cars with remote shutdown capabilities
- The replacement of cash with digital currency that can be remotely disabled
The future looks a lot like China, but without their “economic miracle” that has kept the population satisfied.
In fact FSF specifically exempts special purpose hardware like microwaves from its purview. The philosophy is targeted at software the user has a choice to install. If the hardware provider does not intend the user to choose to install an alternative version of the system software, software freedom doesn't come into play.
Which honestly I disagree with. Tivo didn't want you installing alternate OSes on their device and neither did Sony. Alternate OS support was eventually removed from the PS3. As to the microwave, you've not had any of them do anything annoying, like beep annoying at the wrong times, or wanted a button or override beeping in the middle of the night to not wake up other people? why can't I want to install an alternate firmware to my microwave or my TV. My soldering iron supports that.
That seems to be either an oversimplified take on the FSF's position, or argument in bad faith. The FSF wants people to be able to run free software for all purposes, as they fight for user freedoms. If said free software cannot be used, because of all kinds of vendors limiting their services to proprietary software or platforms, then this should be a major concern to the FSF, because their advocated kind of software is being sabotaged.
