zlacker

[return to "Remote Attestation is coming back"]
1. bunnie+MF[view] [source] 2022-07-30 06:56:14
>>gjsman+(OP)
Is there any way we can make Remote Attestation providers liable for any losses incurred while using their services? Can we make it so that banks, record companies, and individuals can sue Microsoft or Google if their system doesn't deliver on the promise? If we still see cheating in on-line gaming even though all machines are attested, can we we get our money back?

I feel like part of the problem is that Remote Attestation providers get to have their cake and eat it too: they make a theme park, set up boundaries, and charge admission under the premise that it's safer to play in their walled garden than in a public park.

But if a bad actor slips through their gate and picks a few pockets or kidnaps a couple children, the operators get to say "not our problem, our services have no warranty -- read the EULA".

I feel like in the real world, if a park operator explicitly bills itself as "a safe place to play" it's their problem if someone goes on a crime spree on their property -- there is some duty to deliver on the advertised safety promise.

But somehow, in the software world people can control admission, control what you do and somehow have no liability if things still go off the rails. It's just a sucker's game.

Of course, I'd rather not see remote attestation happen, but maybe part of the reason it keeps creeping back is exactly because there is zero legal downside to making security promises that can't be kept, but incredible market advantages if they can sucker enough people to believe in the scheme.

◧◩
2. mindsl+nm1[view] [source] 2022-07-30 15:27:03
>>bunnie+MF
IMO this just seems like bargaining and hoping for a just world where the law actually applies equally and constrains too-big-to-fail actors. What would actually happen is various limits/exceptions would get written in, like as long as you used "proper" software (read: microsoft) and did "proper" audits (read: tediously check moar boxes) then you could pass that liability onto someone else or have it be "nobody's fault". We'd likely end up with the same software totalitarianism even faster, because companies would be even more incentivized to deploy cookie cutter centralizing solutions to escape the additional liability.

Never mind that you can't really put a dollar value on personal information to substantiate damages or even personal time spent dealing with the fallout from someone else's negligence, which is like one of the fundamental problems with our legal system.

(There's also the elephant in the room that one of the main industries clamoring for ever more "security" still continues to insist that widely-published numbers (ssn/acct/etc) are somehow secret.)

◧◩◪
3. ece+ij2[view] [source] 2022-07-30 22:53:59
>>mindsl+nm1
Perhaps incentivizing better methods is more helpful than an outcomes in this case.
[go to top]