zlacker

iirc remote attestation is reliant on hardware attestation, which means these websites will only run on authorized DRM-enforcing hardware and architectures. Only Intel, AMD, Qualcomm and the like. No open-source firmwares, architectures or hardware.

>>mozbal+(OP)
It's important to remember they are only commercial efforts. If you can value something other than money it doesn't matter what the corporate web is doing compared to human ingenuity and the internet. Let them waste their time and money write their specs.

>>detour+O
As an example, Can you recommend a good tech/hacker video channel that is available somewhere else other than Youtube?

>>mozbal+(OP)
What attestation the website accepts entirely depends on the configuration. There's nothing in the spec that will prevent attestations for Linux computers. Linux already works perfectly fine with secure boot and such, I don't see why a signed bootloader starting a signed attestation engine wouldn't be trusted by third party websites.

It'll kill open platforms like the rare open source RISC-V implementations, but for almost any platform in use today this can be implemented.

The real question is "but will it", and in practice websites will probably only whitelist Chrome, Edge, and (reluctantly) Safari.

>>detour+O
Normal people interact with the “corporate web,” because they feel compelled to do things like banking, buying stuff, etc.

>>meepmo+Y4
Those normal activities like banking is a corporate service and I'm happy with it's regulation and it makes sense to be regulated.

Buying stuff is on a spectrum and I think a consumer should be able to chose a tightly regulated system for exchanging currency.

Most everything else should be free to choose.

>>detour+O
Unfortunately, the corporate Web has managed to monopolise how we communicate and learn about things (Facebook, reddit, twitter, YouTube, news sites, etc).

>>mozbal+o3
That is why I call for federated publishing tools. Believe it or not I plan on launching such a channel and it will be self-hosted in the 90's meaning of the term. They only way the channel will grow an audience is if it is passed by word of mouth.

The amount of effort that goes in to playing advertising metric games of YouTube is ridiculous to me. Anyone that says well people have to get paid I say maybe.

Real creators create and don't need the like, subscribe, patreon, mantra. Most of the gunsmithing sights on YouTube are moving towards this idea.

I don't believe in the discovery myth so many talk about as essential. It is only essential if you need inorganic growth.

I would say it's an emerging trend and that the more they tighten their grip the more creators will slip through their fingers.

>>mozbal+o3
Arent everyday astronaught, practical engineering and tom Scott available on their own websites?

>>concor+c7
This is a mistaken view. The closest thing I have to social media is HN. I did get a twitter account in the beginning and I was waiting for the right moment to tweet but it seems to have passed.

The above is true only to the extent that you believe it. I don't believe it at all so I'm not part of the "you" I'm an "other".

The "News" is a whole other problem closer to truth. So not technical entirely. Individuals started newspapers and individual will deliver the news.

A big issue corporations currently face is that everything has become so cheap that their scale of effort is a hindrance.

If a corporation is not acting ruthlessly efficient the economy of scale breaks down quickly. The crux of this will cause the success of many smaller scale efforts that don't hold the overhead of a corporation.

The original promise of the public internet was the idea that broadcasting was dead and narrowcasting was the wave of the future. This was true up until ads became legal/common on the internet.

Take away the commercial interest and you are left with passionate publishers and audiences.

>>mozbal+o3
Do Channels on Nebula count? Since Nebula is paid only, ads free and creator owned (as far as I understand), it might be the one prime example of a video platform not incentivized to restrict access to only consumers using proprietary, big tech OSes.

>>concor+j7
I visited Practical engineering and tom scott's websites and AFAI seen they embed youtube videos in their websites. I couldn't find astronaught's website. Its not even linked to in his youtube channel.

>>meepmo+Y4
I don't mind in these cases. Because I already have to present my ID card or my driver's license, when I'm doing most of this. I'd buy a cheap laptop, label it as a banking and ecommerce laptop/tablet, and use it to browse the corporate web. More friction, yes, but I'd welcome it as it would make me reluctant to interact with them. Any other sites that try would just end on my blacklist.

>>jeroen+T4
> I don't see why a signed bootloader starting a signed attestation engine wouldn't be trusted by third party websites.

Do you mean a kind of Linux where root cannot do anything he wants? Like Android?

>>Stammo+m8
I would say so.

>>jeroen+T4
Linux computers with an approved boot chain and software environment. Gentoo users are out, as is anyone making a custom kernel.

>>jasonj+va
I imagine also anyone who, despite being on an approved distro, has had to enroll their own key to build and sign drivers as well.

>>codedo+M8
Yes, a kind of Linux like Ubuntu or Fedora that already boots with secure boot enabled with full support of TPMs and similar technologies. The kind of Linux 99% of Linux users are running today.

More secure variants like Android, leveraging SELinux and such, help with sandboxing but I don't think that SELinux is a struct requirement.

>>jasonj+va
Gentoo users and people running Nvidia drivers and the like will be out, that's true. That's very different from "only certain architectures allowed", though.

Even still, there are ways to implement this using an open source, signed, reproducibly built daemon that gets loaded early in the boot process. Altering the daemon would've out of the question but it would solve the more immediate problem of "Netflix doesn't work" that most people would actually care about.

>>mozbal+C8
He has article versions of his videos which you can find linked in the description of his YouTube videos. The videos on his website are just linked to YouTube however.

>>detour+J5
E.g. McDonald's android app, at this moment. It doesn't launch on devices which fail Safety Net checks, i.e. modified firmware

>>out_of+9f
I have been in the tank for Apple since the 80's. So no doubt I'm distorted but content.

Financial transactions could become so streamlined that a "commerce fob" is likely to emerge. That would be a credit card with a screen and buttons.

Think about how streamlined all these tasks have become. Putting those in a single ROM that has a screen and is tied into some legitimate network will emerge.

It is only out of convenience that these services are currently tied to a "phone".

>>jeroen+T4
This is exactly why people criticized secure boot. To not allow such system to establish themselves is the best defense. True for secure boot as well. Security is not the argument anymore, it is market domination.

>>jeroen+7e
They are not more secure at all.

>>jeroen+Xe
Netflix can only discriminate because we have attestation in the first place. This is not a security mechanism anymore.

>>jeroen+7e
I mean if root can do anything then such system is not "trusted" from corporations point of view. Therefore, it won't be able to pass the attestation or play DRM content.

>>mozbal+o3
Not an answer but your question has me curious now. I'm not old but I've got a particular worldview that could use an update. Why video? Aside from entertainment or live collaboration, I've never found video compelling for productivity.

Reliable machinery always has a shop manual, diagrams and prints. Programming languages have tomes of documentation, computing infrastructure has man pages and volumes of commentary, scholarship and trouble shooting have been committed to characters.

Aside from the point and grunt visuals, solid presentations (viewed after the fact when the value of real time interaction is gone) work fine as text.

If you're dyslexic, I get it but TTS systems are extremely solid these days.

What is the point?

>>mozbal+(OP)
Remote attestation, including hardware attestation, is absolutely compatible with open source.

>>korse+NT
Unfortunately we live in a time where the majority of people are practicing illiteracy.

>>jeroen+7e
Huh? Fedora defaults to secure boot's being off and it is complicated to get it turned on.

Even after you manage to turn it on, it only verifies the kernel and cannot do anything about malware hiding in /usr. There is no Linux distro AFIAK that has verification of the entire system like ChromeOS, MacOS, iOS, Android and Windows have.

>>holler+ZM5
Fedora's own website [1] states:

> Fedora includes support for the UEFI Secure Boot feature, which means that Fedora can be installed and run on systems where UEFI Secure Boot is enabled. On UEFI-based systems with the Secure Boot technology enabled, all drivers that are loaded must be signed with a valid certificate, otherwise the system will not accept them. All drivers provided by Red Hat are signed by the UEFI CA certificate.

Running your own secure boot CA is not enabled out of the box (for obvious reasons), but that does not pose a problem on most systems. Secure boot only needs special care if you need to load unsigned kernel modules (DKMS, Nvidia) or if you run on a super duper special Microsoft device that doesn't have the third party CA certificate by default.

[1]: https://docs.fedoraproject.org/en-US/fedora/latest/system-ad...

>>jeroen+wU5
Nothing you wrote contradicts anything I wrote. Specifically, although Fedora support secure boot, if you follow the standard install process, you will get a system with secure boot turned off. I know because I've installed Fedora on a system capable of secure boot.

And, again, it is complicated to get it turned on. How complicated? Take a look:

https://nwildner.com/posts/2021-04-10-secureboot-fedora/

>The kind of Linux 99% of Linux users are running today.

I severely doubt that even 5% of Linux installs have secure boot turned on because of how complicated it is to get it working. Specifically I imagine that the complicated instructions on the page I just linked will need to be modified depending on the specific secure-boot firmware.

>>holler+HX5
> Earlier I wrote, "it is complicated to get it turned on". How complicated? Take a look:

> https://nwildner.com/posts/2021-04-10-secureboot-fedora/

Most motherboards ship with secure boot enabled out of the box. Fedora will install and boot in that configuration without any changes to your system or motherboard settings. You actually have to go out of your way to disable it. The manual (https://docs.fedoraproject.org/en-US/fedora/f36/install-guid...) does not mention any such setting changes.

The page you link goes into custom secure boot keys, which are usually unnecessary. They're arguably more secure, but it's an entirely optional step unless you decide to load unsigned kernel modules.

>>jeroen+Km6
If secure boot is enabled on the motherboard, Fedora can be installed and used without going into the motherboard firmware and turning it off, but that is different from secure boot's providing to the Fedora install the kind of security assurances that secure boot provides to the other mainstream operating systems (Windows, MacOS, iOS, Android and ChromeOS).

For instance, initrd is not verified: >>36717975

>The page you link goes into custom secure boot keys, which are usually unnecessary.

You might be right about that.

>>holler+tA6
It's true initrd is not verified; the system boots but the security secure boot is supposed to provide is not available by default. I don't think many Fedora users care, but that can be an issue.

To use secure boot without calls to mokutil and friends, Unified Kernel Images are introduced in Fedora 38. These images contain everything (kernel, initrd, and so on) in one, published package. If https://bugzilla.redhat.com/show_bug.cgi?id=2159490 is to be believed, UKIs are live already in Fedora 38.

I can only find pregenerated UKIs for virtual machines in the Fedora repositories and I can't tell if they're properly signed or not, but support is being extended and this problem is being solved.

As for providing security: Linux really needs an easy, user-friendly GUI application for setting up proper secure boot. Of course at least one step is out of the control of Linux developers (configuring the firmware to load new keys) but right now "I want to load my system keys (and also the keys for my Linux dual boot)" is awful on any Linux distro. Every guide presents scripts to call scripts to call automated tools but none of them seem to make the process any easier or friendlier.

>>jeroen+oG6
Unified Kernel Images sounds like a useful improvement. I imagine that when combined with whole-disk encryption it provides useful protection against evil-maid attacks, but I haven't been able to find any signs that there is any Linux install in existence anywhere--except for Android and ChromeOS--where the boot process can detect an alteration to a file in /usr/ (e.g., the system's C library) and refuse to boot or at least warn the user. Unlike an evil maid, malware that has succeeded in its goal of running in a privileged process can alter any file in the unencrypted root filesystem.

In my search I focused on the "immutable" distros like Silverblue because it seems to me that the immutability would make the implementation easier.

In contrast, all the other mainstream OSes can detect an alteration in something like the C library during boot.