zlacker

[return to "Remote Attestation is coming back"]
1. fleven+Lb[view] [source] 2022-07-29 23:59:09
>>gjsman+(OP)
Unpopular opinion:

Hardware-based attestation of the running software is an important security feature, especially in a world where data leaks and identity theft are rampant. Let's say I'm a healthcare provider, and I'm about to send sensitive medical data to a third party vendor. Wouldn't you prefer that this data only be able to be decrypted by a computer that can prove to the world it booted a clean OS image with all the latest security patches installed?

If the vendor wants to install some self-built OS that they trust on their computer and not update it for 5 years, that's their business, but I may not want to trust their computer to have access to my personal data.

Remote attestation gives more control to the owners of data to dictate how that data is processed on third-party machines (or even their own machines that may have been compromised). This is useful for more than just DRM.

◧◩
2. gjsman+kc[view] [source] 2022-07-30 00:06:39
>>fleven+Lb
I actually don't disagree with you. As I mention in the article:

> I cannot say how much freedom it will take. Arguably, some of the new features will be “good.” Massively reduced cheating in online multiplayer games is something many gamers could appreciate (unless they cheat). Being able to potentially play 4K Blu-ray Discs on your PC again would be convenient.

However, I'm more worried about the questions the increased deployment of technology will bring, such as will Linux users be doomed to a CAPTCHA onslaught being the untrusted devices, or worse. Important questions that, unless raised, risk us just "going with the flow" until it is way too late.

◧◩◪
3. fleven+bd[view] [source] 2022-07-30 00:14:52
>>gjsman+kc
Unfortunately, it does seem likely that many services will require that your machine run a kernel/web browser signed by an entity they trust before they give you access to what they consider sensitive data. That will suck for those of us who want to build our own kernels/web browsers and use that software to interact with sensitive data from large corporations, but that's their choice to make (IMHO). And it's my choice not to use their service.
◧◩◪◨
4. est31+Qe[view] [source] 2022-07-30 00:34:42
>>fleven+bd
Often it's not your choice, when e.g. all banking apps have this requirement, and banks require an app to allow you access to your account at all. Or when it's a health service because the data is so "sensitive". Today, platforms like Discord and Twitter very often want your phone number despite not having any technological need for it. Will they in the future require this thing as well so that they are sure that you are not using ad blockers? Will you be unable to communicate with most of society through these "optional" services if you don't have one of these "trusted computing" devices?

This is way more than just about not watching movies in 4k that you could also pirate. This is about turning people who don't have "trusted computing" devices that track every behaviour of theirs into societal outcasts.

◧◩◪◨⬒
5. kmeist+Zu[view] [source] 2022-07-30 04:14:02
>>est31+Qe
Discord and Twitter want your phone number to limit how many accounts you are allowed to sign up for.
◧◩◪◨⬒⬓
6. est31+Kz1[view] [source] 2022-07-30 17:06:54
>>kmeist+Zu
That's only part of it, Twitter is also in the ad business, and in the ad industry, phone numbers are used as identifiers to correlate users between datasets.

If it's just about limiting access, Cloudflare imposes a similar limitation of number of accesses you can have to a website via remote attestation. I think once remote attestation becomes more prevalent, it might become useful in the ad business too, e.g. to prevent you from using ad blockers, or similar things.

[go to top]