Remote Attestation is coming back

>>gjsman+(OP)
Unpopular opinion:

Hardware-based attestation of the running software is an important security feature, especially in a world where data leaks and identity theft are rampant. Let's say I'm a healthcare provider, and I'm about to send sensitive medical data to a third party vendor. Wouldn't you prefer that this data only be able to be decrypted by a computer that can prove to the world it booted a clean OS image with all the latest security patches installed?

If the vendor wants to install some self-built OS that they trust on their computer and not update it for 5 years, that's their business, but I may not want to trust their computer to have access to my personal data.

Remote attestation gives more control to the owners of data to dictate how that data is processed on third-party machines (or even their own machines that may have been compromised). This is useful for more than just DRM.

>>fleven+Lb
Wouldn't you prefer that this data only be able to be decrypted by a computer that can prove to the world it booted a clean OS image with all the latest security patches installed?

No.

Contrarily unpopular opinion: You cannot own data except what resides on your own property. Once you give someone a copy, it is theirs to do with as they wish. They may tell you what they will and will not do, but it is entirely on you to trust them.

...and that's the peril of things like remote attestation and other "zero trust" crap. They replace the nuanced meaning of trust that holds society together (and has literally done so since the beginning of life) with absolutes enforced by an unrelenting machine controlled by some faceless bureaucracy which is also partly under the command of the government. There should already be enough dystopian sci-fi to convince everyone why that is a really bad idea.

>>userbi+nd
Right, but if they aren't going to follow best security practices and prove it (via a signed a hardware attestation of the running software that includes the transport key they want me to use to send them the data), then I'm not going to send them the data. That's my choice.

>>fleven+Sd
> best security practices

as defined by whom? Some government (which one) organization ?

This will end up making everything more ossified and less secure.

But also once that is in place, various organizations and goverments will be able to force you to use whatever spyware they want, in order for your attestation to go through.

>>unionp+Jg
Best security practices as defined by Microsoft, but if I want, I can still create my own arbitrary security requirements and enforce them via software/audits.

>>judge2+Dh
Microsoft. The same company which strongly pushes a spyware-filled, user-hostile OS. "best"? Really?

but if I want, I can still create my own arbitrary security requirements and enforce them via software/audits

Try doing that to your bank or whatever other large company you interact with...

>>userbi+vp
You can't have your cake and eat it too. Everyone has agency, to decide who they interact with and who they give money to or, on the other side, who they sell products to/provide services to, and there are remarkably few exceptions to this rule (most based on things that the victim can't control). If a company wants to require you only use their products, or only use a allowlist of approved products, they can do that, just as you can decide not to use their services if they charge too much, perform unethical actions, or even if their company name contains the letter 'Y'.

>>judge2+Sp
Corporations are an artificial construct that we as a society let exist. We can decide to add additional restrictions to that existence like requiring them to not discriminate based on what software you run on your own devices.

zlacker