zlacker

[parent] [thread] 7 comments
1. unionp+(OP)[view] [source] 2022-07-30 01:00:15
> best security practices

as defined by whom? Some government (which one) organization ?

This will end up making everything more ossified and less secure.

But also once that is in place, various organizations and goverments will be able to force you to use whatever spyware they want, in order for your attestation to go through.

replies(2): >>judge2+U >>mike_h+OS
2. judge2+U[view] [source] 2022-07-30 01:08:53
>>unionp+(OP)
Best security practices as defined by Microsoft, but if I want, I can still create my own arbitrary security requirements and enforce them via software/audits.
replies(3): >>userbi+M8 >>patrak+sg >>dzikim+Yo
◧◩
3. userbi+M8[view] [source] [discussion] 2022-07-30 02:49:47
>>judge2+U
Microsoft. The same company which strongly pushes a spyware-filled, user-hostile OS. "best"? Really?

but if I want, I can still create my own arbitrary security requirements and enforce them via software/audits

Try doing that to your bank or whatever other large company you interact with...

replies(1): >>judge2+99
◧◩◪
4. judge2+99[view] [source] [discussion] 2022-07-30 02:56:48
>>userbi+M8
You can't have your cake and eat it too. Everyone has agency, to decide who they interact with and who they give money to or, on the other side, who they sell products to/provide services to, and there are remarkably few exceptions to this rule (most based on things that the victim can't control). If a company wants to require you only use their products, or only use a allowlist of approved products, they can do that, just as you can decide not to use their services if they charge too much, perform unethical actions, or even if their company name contains the letter 'Y'.
replies(1): >>accoun+rw5
◧◩
5. patrak+sg[view] [source] [discussion] 2022-07-30 04:49:17
>>judge2+U
Best security practices as defined by Microsoft = "You can't have a computer if your country is under US sanctions". Important word: US, a single country. I don't want to punch such a huge hole in any of my systems.
◧◩
6. dzikim+Yo[view] [source] [discussion] 2022-07-30 06:54:46
>>judge2+U
SP500 corp I often work with has security department filled with mindless drones, who say things like "regular enforced passwords changes are well regarded best practice".

You almost certainly use software that calls their server at some point. Hope you will enjoy their vision of security. I'm moving into the woods if they can define how my _personal_ computer behaves.

7. mike_h+OS[view] [source] 2022-07-30 13:40:26
>>unionp+(OP)
"as defined by whom? Some government (which one) organization ?"

As defined by the user.

RA doesn't care what software you run. In fact RA is better supported by Linux than any other OS! And, although the discussion in this thread is about RA of entire machines, that's actually pretty old school. Modern RA is all about attesting the tiniest slice of code possible, hence the "enclave" terminology. The surrounding OS and infrastructure doesn't get attested because it can be blinded with encryption. This is beneficial for both sides. I don't actually necessarily care how you configure your OS or even if it's up to date with security patches, if the security model treats the entire OS as an adversary, which is how Intel SGX works. You just attest the code inside the enclave and I send/receive encrypted messages with it.

◧◩◪◨
8. accoun+rw5[view] [source] [discussion] 2022-08-01 11:36:01
>>judge2+99
Corporations are an artificial construct that we as a society let exist. We can decide to add additional restrictions to that existence like requiring them to not discriminate based on what software you run on your own devices.
[go to top]