zlacker

>>matthe+(OP)
I posted a comment a few days ago here (https://news.ycombinator.com/item?id=31670689#31671551) about my views about this “feature”, which I’ll repeat verbatim here. Needless to say, it’s something I don’t like.

Original comment follows:

In my view, this would just DRM-ize everything on the web. Of course, Cloudflare and Fastly don't talk about this much, and Cloudflare keeps assuring you'll still get captchas if device attestation fails or is unsupported. But realistically, once all Microsoft, Google and Apple implement it in their devices, there isn't much of a reason to keep accepting non-attested devices. You can already see where this is starting to go - if you're using Linux/BSD or another niche OS, congratulations, you can't submit forms any more. And since device verification would become extremely cheap to perform this way, you'd also see websites protected entirely by this tech, effectively locking out Linux/BSD users. The Cloudflare article also talks about how, at least in the case of Apple, they'd run something like a posture assessment to confirm that your device components are genuine. I can also see this new tech locking out users of non-OEM repairs. This is a much bigger deal than what it seems like on the surface, and I'm genuinely scared about how this one simple move dwarfs all of the "evil" things that big tech has done so far.

>>stevew+e3
This isn't DRM. A party is verifying your actions as legitimate and not a bot. There is nothing stopping the Linux/BSD community from implementing something similar.

https://www.ietf.org/archive/id/draft-private-access-tokens-...

>>nojito+a7
Did you mean to say this?

> There is nothing stopping the Spam/Bot community from implementing something similar.

I am a full time linux user, but I can guarantee you that if the bigcorps are going through with this it absolutely is going to lock out linux users, because the goal is to stop bots.

Evil.

>>dingle+9d
It won't stop bots. Have you seen phone farms [1]? Attackers are getting clever (and lazy maybe). They use physical devices. Old ones are cheap, can have broken screens etc. And you can't lock out users with old devices.

We shouldn't fight bots. We should use trust instead. Not global trust, it must be subjective. I trust A, B, C. B trusts D, E. E trusts F. It should be weighted. There's small world effect [2]. There's just a few hops between any two people in the world. It solves SPAM, it solves reviews, scam, news and maybe politics. Somebody please get it done already.

1. https://duckduckgo.com/?q=phone+farm+bots&t=ffab&iar=images&...

2. https://en.wikipedia.org/wiki/Small-world_experiment

>>comboy+hi
This is known as https://en.wikipedia.org/wiki/Web_of_trust

>>alexmi+Go
I'm sorry for not inventing a different name but what I have in mind is very different. Main difference is that it queries recursively automatically, and it is weighted. Weights are very important. This is old version where I had put my ideas [1]. I have no chance touching it anytime soon - it requires focus and solving hard problems (some of which sound lame like usability and bootstrapping). I write these comments hoping that maybe somebody decides to try it. Chances of bootstrapping it are slim (but could start in some niches), but the payout (I mean positive change in society, there's no money to be made here) is huge enough that I think it's worth trying.

Since I wrote it I became confident that algorithm which is used for cumulative trust computation should be up to each node (instead of using zk-SNARks for example). If you trust somebody, you trust them to compute it as they wish. And I would drop dimensionality at least in the beginning. Probably using multiple identities in place of it.

1. http://comboy.pl/wot.html