zlacker

18 comments
1. charci+(OP) 2023-07-27 08:39:03
>WEI (and other such things) are mainly about regulating who is allowed to write software

No, it's about being able to prove that your device is secure. Attestation doesn't stop you from writing software for your device.

>if she said keeping "her" stuff working was more important than my life

Arguing that you would be dead if your viewpoint isn't correct is a bad argument.

>what can be lost not just to industry, but to science itself when a church wants to name itself the arbiter of who can work?

It would be a better analogy to say that "employers can run background checks on people who want to work for them." Because it is up to each website to choose which attestors they trust and the websites have the choice of doing whatever they want with information or not requiring attestation at all.

replies(4): >>Pannon+D1 >>EvanAn+Ih >>Button+Ii >>Zak+XK
2. Pannon+D1 2023-07-27 08:52:41
>>charci+(OP)
It doesn't prove that your device is secure at all. It just "secures" it from the user, not from malware. Even if it's signed and approved, malware can still hijack it....
replies(1): >>charci+03
3. charci+03 2023-07-27 09:01:59
>>Pannon+D1
Okay let me rephrase it. The point is to be able to prove what software is running for the purpose of being able to tell when software deemed as secure is running.

>Even if it's signed and approved, malware can still hijack it....

At which point the vulnerability in the software or hardware should be fixed and the old version should be blacklisted.

replies(1): >>yjftsj+oY1
4. EvanAn+Ih 2023-07-27 10:58:42
>>charci+(OP)
> No, it's about being able to prove that your device is secure.

It’s about proving your device meets an unspecified standard. Today that standard would probably involve a signed browser binary and kernel verified by a hardware root of trust.

Tomorrow it could be “Please drink verification can.” or “Your social credit score is too low for you to use this feature.” or any other arbitrary criteria that gets cooked-up.

> Attestation doesn't stop you from writing software for your device.

Attestation means the metes and bounds of your computing experience are defined by a third party.

What you use your computer for today might not be permitted tomorrow. Look at the invasive software mechanisms that games use for “anti-cheat” if you want to see one possible eventuality.

This is “Right to Read” territory we’re walking into. We’re already there with phones because we ceded freedom for “security”. (“Phones aren’t computers.”, “I just want my phone to work.”, “I don’t want to remove malware from the phones of the oldsters in my life.” Blah. Blah. Blah.)

Now we’re going to do that with personal computers.

We’re getting what we deserve, I guess.

replies(1): >>charci+0f1
5. Button+Ii 2023-07-27 11:06:08
>>charci+(OP)
> No, it's about being able to prove that your device is secure. Attestation doesn't stop you from writing software for your device.

How do I prove my device is secure while also being able to run any software that I want?

replies(1): >>charci+Oa1
6. Zak+XK 2023-07-27 13:56:05
>>charci+(OP)
> Arguing that you would be dead if your viewpoint isn't correct is a bad argument

When discussing tradeoffs, it's not about correctness but value judgments. Is it preferable for people like geocar to die than to continue allowing people to access all websites with arbitrary devices and software?

Of course, there are services that could be exposed through a website where the consequences of improper use would be catastrophic, but I would argue the web is usually inappropriate for control of life-critical systems without other safeguards or redundancies.

replies(1): >>charci+Mf1
7. charci+Oa1 2023-07-27 15:36:23
>>Button+Ii
>How do I prove my device is secure while also being able to run any software that I want?

The operating system should properly prevent software from violating the security of the system. If you mean that you want to be able to run an OS that doesn't provide the level of security that is expected, then you shouldn't be able to prove that an insecure OS is secure.

replies(2): >>helloj+Vy1 >>null0p+wA2
8. charci+0f1 2023-07-27 15:50:52
>>EvanAn+Ih
>Tomorrow it could be “Please drink verification can.” or “Your social credit score is too low for you to use this feature.” or any other arbitrary criteria that gets cooked-up.

Neither of those require attestation.

>Look at the invasive software mechanisms that games use for “anti-cheat” if you want to see one possible eventuality.

A future where people can't cheat when playing with me is a positive direction to take computing.

>This is “Right to Read” territory we’re walking into.

I assume you are talking about "The Right to Read" by RMS. It is already illegal to redistribute ebooks if you don't have the rights to do so. We already live in that world. Unlike in the essay, as an industry we have chosen to focus on hardware-based security instead of making debuggers illegal.

replies(1): >>EvanAn+yL1
9. charci+Mf1 2023-07-27 15:53:18
>>Zak+XK
My point is that he wouldn't die if attestation on the web had existed, but is saying that he would be dead to try and manipulate the people he is arguing with.
replies(1): >>Zak+MS1
10. helloj+Vy1 2023-07-27 17:05:55
>>charci+Oa1
What if I write my own OS? What is the process of getting attestation certified? How much will it cost?

This presents enormous barriers of entry to both hardware and software entrants.

replies(1): >>charci+Gp2
11. EvanAn+yL1 2023-07-27 17:47:24
>>charci+0f1
> Neither of those require attestation.

Any assumption the client is "trustworthy" requires attestation. I was certainly being hyperbolic with my examples. Using a more concrete example of, say, a device's camera and LIDAR claiming a living human is interacting w/ the device would require software and hardware attestation with a chain of trust extending to the camera and LIDAR hardware. Without that one could connect emulated inputs to those devices and game the system.

> A future where people can't cheat when playing with me is a positive direction to take computing.

I agree, provided that the architecture of the anti-cheat relies on that infrastructure happening server-side. Any architecture that requires the client to be "trustworthy" requires attestation and runs afoul of freedom.

I think having anti-cheat is a poor trade off for user freedom on personal computers.

> I assume you are talking about "The Right to Read" by RMS. ... we have chosen to focus on hardware based security instead of making debuggers illegal.

You can make a literal interpretation if you'd like. My takeaway from "The Right to Read" is a cautionary tale about architectures of control being used to remove user freedom. That rings true to me irrespective of the mechanism employed in the story, or even that it deals with ebooks specifically. That Stallman didn't think about tamper-resistant hardware, e-fuses, and key material locked up in embedded processors doesn't change the message of the story.

replies(1): >>charci+Nr2
12. Zak+MS1 2023-07-27 18:14:17
>>charci+Mf1
We know neither their story nor the full impact of web attestation if Google is successful in popularizing it. It definitely has the potential to shift a huge amount of power to site owners from users, which constrains what kind of software can become popular.

Might that apply to the software geocar credits with saving their life? Without knowing more, we can't say. There's a good chance it applies to things like running open source operating systems and browsers.

replies(1): >>charci+8m2
13. yjftsj+oY1 2023-07-27 18:39:55
>>charci+03
So every time anyone finds a new CVE in Windows, we're going to blacklist every single Windows machine until it's patched? I mean, that would be hilarious, but that's not how it will ever actually be implemented.
replies(1): >>charci+2n2
14. charci+8m2 2023-07-27 20:30:39
>>Zak+MS1
>which constrains what kind of software can become popular.

It also enables more software to be popular because it will be cheaper to run sites and sites can be more profitable than before.

15. charci+2n2 2023-07-27 20:34:57
>>yjftsj+oY1
>So every time anyone finds a new CVE in Windows, we're going to blacklist every single Windows machine until it's patched?

Failing attestation does not mean you get blacklisted. It means that you are not as trustworthy. Not every CVE breaks an OS's security model.
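To make the mechanism this thread keeps circling concrete, here is an added example, written for this edit and not code from any post or from the WEI proposal itself. It models the website side in Go with the standard library's Ed25519: the site holds the public keys of the attestors it chooses to trust (post 1), keeps its own list of software versions it treats as insecure (post 3), and a statement that fails a check lowers the client's trust level rather than blocking it (this post). The attestor names, version strings and JSON field set are constructed assumptions, not a real attestation format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Attestation is the statement an attestor signs about a device. The field set is
// constructed for this example; it is not the WEI format or any TPM structure.
type Attestation struct {
	Attestor  string `json:"attestor"`
	OSVersion string `json:"os_version"`
}

// SignedAttestation is what the client forwards to the website.
type SignedAttestation struct{ Payload, Signature []byte }

// Verdict is the website's conclusion; Untrusted and Degraded are not blocks.
type Verdict int

const (
	Untrusted Verdict = iota // nothing verifiable from an attestor this site trusts
	Degraded                 // verifiable, but attests to a version the site treats as insecure
	Trusted                  // verifiable and passes this site's bar
)

func (v Verdict) String() string { return [...]string{"Untrusted", "Degraded", "Trusted"}[v] }

// Attestor holds the signing key; in a deployment it would live in hardware.
type Attestor struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewAttestor(name string) *Attestor {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // errs only if the system RNG fails
	return &Attestor{Name: name, Pub: pub, priv: priv}
}

// Sign binds the attestor's own name into the payload, so the statement cannot
// later be presented as coming from a different attestor.
func (a *Attestor) Sign(att Attestation) SignedAttestation {
	att.Attestor = a.Name
	payload, _ := json.Marshal(att) // marshalling a plain struct cannot fail
	return SignedAttestation{payload, ed25519.Sign(a.priv, payload)}
}

// SitePolicy is what each website chooses for itself: trusted attestors and
// which attested OS versions it treats as insecure.
type SitePolicy struct {
	TrustedAttestors map[string]ed25519.PublicKey
	InsecureOS       map[string]bool
}

// Evaluate checks one statement against the policy and explains the verdict.
func (p SitePolicy) Evaluate(sa *SignedAttestation) (Verdict, string) {
	var att Attestation
	if sa == nil {
		return Untrusted, "no attestation presented"
	} else if json.Unmarshal(sa.Payload, &att) != nil {
		return Untrusted, "malformed payload"
	}
	pub, ok := p.TrustedAttestors[att.Attestor]
	switch {
	case !ok:
		return Untrusted, "attestor not trusted by this site: " + att.Attestor
	case !ed25519.Verify(pub, sa.Payload, sa.Signature):
		return Untrusted, "signature does not cover the presented bytes"
	case p.InsecureOS[att.OSVersion]:
		return Degraded, "attested OS " + att.OSVersion + " is on this site's insecure list"
	}
	return Trusted, "attested software passes this site's bar"
}

// DemoVerdicts runs the scenarios the thread argues about; all values are constructed.
func DemoVerdicts() map[string]Verdict {
	vendor, stranger := NewAttestor("vendor-a"), NewAttestor("vendor-b")
	policy := SitePolicy{
		TrustedAttestors: map[string]ed25519.PublicKey{vendor.Name: vendor.Pub}, // vendor-b is not listed
		InsecureOS:       map[string]bool{"11.2": true},                      // flaw fixed in 12.0
	}
	current := vendor.Sign(Attestation{OSVersion: "12.0"})
	old := vendor.Sign(Attestation{OSVersion: "11.2"})
	// The old statement with its version edited after signing: the signature no
	// longer matches the presented bytes, so the verifier rejects it outright.
	edited := SignedAttestation{bytes.Replace(old.Payload, []byte(`"11.2"`), []byte(`"12.0"`), 1), old.Signature}
	other := stranger.Sign(Attestation{OSVersion: "12.0"})
	results := map[string]Verdict{}
	for name, sa := range map[string]*SignedAttestation{
		"current": &current, "old-os": &old, "edited": &edited, "unknown-attestor": &other, "none": nil,
	} {
		v, why := policy.Evaluate(sa)
		fmt.Printf("%-17s %-9s %s\n", name, v, why)
		results[name] = v
	}
	return results
}

func main() { DemoVerdicts() }
```

The policy object is the whole of the "who do I trust" decision, and it is per site: a second website would build its own `SitePolicy` with a different attestor list and a different insecure-version list, which is the point made in post 1. The `edited` scenario shows why the signature matters: the verifier has no way to tell a patched device from an unpatched one except by the attestor's word, and the attestor's word is only as good as the bytes it actually signed.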

16. charci+Gp2 2023-07-27 20:47:30
>>helloj+Vy1
>What is the process of getting attestation certified?

Reach out to an attestor and discuss with them what the process is for them to trust you.

>How much will it cost?

It will likely be free. If not it will be significantly less than the cost of writing an OS.

>This presents enormous barriers of entry to both hardware and software entrants

Hopefully they are high enough that fly-by-night malicious actors do not bother with trying to get their insecure hardware and software to be trusted, but low enough that good actors can prove that they can be trusted.

17. charci+Nr2 2023-07-27 20:56:42
>>EvanAn+yL1
>Using a more concrete example of, say, a device's camera and LIDAR claiming a living human is interacting w/ the device would require software and hardware attestation with a chain of trust extending to the camera and LIDAR hardware

Sure, but that sounds useful.

>Any architecture that requires the client to be "trustworthy" requires attestation and runs afoul of freedom.

Okay, but I would give up freedom if it means there are no cheaters. Not all cheats can be detected server side. The cost of stopping some cheats server side is more expensive than stopping them client side. If the cost of anti-cheat is cheaper it means that games can be developed for cheaper, incentivizing more and higher quality games to be made.

18. null0p+wA2 2023-07-27 21:49:14
>>charci+Oa1
Ok let me know when there’s an OS or browser that’s totally secure. Attestation does not prove that a device meets any security bar. And likewise lack of attestation does not prove that a device does not meet a security bar. Attestation merely shows that a device has been “allowed”. You might argue that all devices with attestation have been audited for security so at least that provides some standard. How well did audits work in the past for things like mortgage backed securities in 2008? No, it doesn’t provide any guarantee other than the powers that be are empowered to grant themselves and their friends privileged status while leaving everybody else without a device that can run the software they want.
replies(1): >>charci+pS2
19. charci+pS2 2023-07-28 00:05:44
>>null0p+wA2
>Ok let me know when there’s an OS or browser that’s totally secure.

As an industry we are getting better at security and finding and patching vulnerabilities.

>Attestation does not prove that a device meets any security bar.

But it can prove that a device's software and hardware is running software and hardware that does pass your security bar.

>No, it doesn’t provide any guarantee other than the powers that be are empowered to grant themselves and their friends privileged status while leaving everybody else without a device that can run the software they want.

Security doesn't have to be perfect in order to be beneficial.
