zlacker

[return to "The Dangers of Microsoft Pluton"]
1. userbi+17[view] [source] 2022-07-26 05:05:33
>>gjsman+(OP)
What is to prevent school WiFi from one day requiring a Pluton assertion that your Windows PC hasn’t been tampered with before you can join the network?

Remote attestation is the true enemy of your freedom. The power of the authoritarian corporatocracy to force you to use only the (entire) systems they control. It's worth reading https://www.gnu.org/philosophy/right-to-read.en.html again just to see how prescient Stallman was.

◧◩
2. aplana+Fj[view] [source] 2022-07-26 07:01:27
>>userbi+17
Windows security models and policies are the enemy, not remote attestation (RA).

RA is a technology that has its fair use, and can be desired for other systems, like in Linux. With a pure RA system your services can decide to trust or not those devices on your network that can be compromised, and report to other devices that there is something suspicious.

As anything, this can be used properly to increase the security of your edge architecture, or wrongly to limit the users actions.

Let me put another example. With RA I should be able to authorize validated systems in my R&D VPN. If you are using your own laptop with the company certificate, and the verifier tag the systems as "unknown" or "unhealthy", it will not allow the access to the internal network, but sure you can still use your laptop for anything else. This, IMHO, is a fair use of this technology.

◧◩◪
3. fulafe+5o[view] [source] 2022-07-26 07:50:08
>>aplana+Fj
Yes, lots of Linux devices apply it like that today: You can't use your banking app or consume DRM crippled media on your Android phone if you have root or run a open source Android distribution.
◧◩◪◨
4. Aeolun+Lo[view] [source] 2022-07-26 07:58:53
>>fulafe+5o
> if you have root

Because god forbid you have control of your own PC?

◧◩◪◨⬒
5. nptelj+cs[view] [source] 2022-07-26 08:34:01
>>Aeolun+Lo
Yep! Basically, it's safer if you don't own your PC. Think about users with a million toolbars and Bonzi Buddy installed.

Of course, the system for it is rudimentary, and puts a disproportionate amount of control in the hands of providers. And that works very well for them too.

◧◩◪◨⬒⬓
6. adev_+eP[view] [source] 2022-07-26 12:11:23
>>nptelj+cs
> Yep! Basically, it's safer if you don't own your PC. Think about users with a million toolbars and Bonzi Buddy installed.

And it is a pretty terrible solution to the problem.

- It is also keeping the good guys outside too: Anyone that want to analyse and understand the security of the system for good reasons cannot. Excepted if explicitly allowed by the corporation X and that is a terrible security property.

- No root access also means very little control or ability to scan the system itself if your are not the X corporation controlling it. That means no possibility to mandate reviewer corporation Y to check that corporation X is doing the right thing. TPMs currently make that even worst by design, they are undocumented and complex, therefore rely on blind trust that company X do the rthe ight thing. And since the Intel management engine fiasco, we do know they are not doing the right thing.

- Bonzi Buddy and toolbar type of problem can be easily avoided by separating properly the normal user account from any admin account(the unix way). It should be painful to be admin but not impossible, just to make sure your grandma do not install a rootkit by mistake when she want her 20% coupon.

In summary: That is mainly bullshit from company X to keep full control on the entire user device, and not for their own good.

[go to top]