1. Button+(OP) 2023-07-27 11:06:08
> No, it's about being able to prove that your device is secure. Attestation doesn't stop you from writing software for your device.

How do I prove my device is secure while also being able to run any software that I want?

replies(1): >>charci+6S
2. charci+6S 2023-07-27 15:36:23
>>Button+(OP)
>How do I prove my device is secure while also being able to run any software that I want?

The operating system should properly prevent software from violating the security of the system. If you mean that you want to be able to run an OS that does not provide a level of security that is expected then you shouldn't be able to prove that insecure OS is secure.

replies(2): >>helloj+dg1 >>null0p+Oh2
3. helloj+dg1 2023-07-27 17:05:55
>>charci+6S
What if I write my own OS? What is the process of getting attestation certified? How much will it cost?

This presents enormous barriers of entry to both hardware and software entrants.

replies(1): >>charci+Y62
4. charci+Y62 2023-07-27 20:47:30
>>helloj+dg1
>What is the process of getting attestation certified?

Reach out to an attestor and discuss with them what the process is for them to trust you.

>How much will it cost?

It will likely be free. If not it will be significantly less than the cost of writing an OS.

>This presents enormous barriers of entry to both hardware and software entrants

Hopefully they are high enough that fly-by-night malicious actors do not bother with trying to get their insecure hardware and software to be trusted, but low enough that good actors can prove that they can be trusted.

5. null0p+Oh2 2023-07-27 21:49:14
>>charci+6S
Ok let me know when there’s an OS or browser that’s totally secure. Attestation does not prove that a device meets any security bar. And likewise lack of attestation does not prove that a device does not meet a security bar. Attestation merely shows that a device has been “allowed”. You might argue that all devices with attestation have been audited for security so at least that provides some standard. How well did audits work in the past for things like mortgage backed securities in 2008? No, it doesn’t provide any guarantee other than the powers that be are empowered to grant themselves and their friends privileged status while leaving everybody else without a device that can run the software they want.
replies(1): >>charci+Hz2
6. charci+Hz2 2023-07-28 00:05:44
>>null0p+Oh2
>Ok let me know when there’s an OS or browser that’s totally secure.

As an industry we are getting better at security and finding and patching vulnerabilities.

>Attestation does not prove that a device meets any security bar.

But it can prove that a device's software and hardware is running software and hardware that does pass your security bar.

>No, it doesn’t provide any guarantee other than the powers that be are empowered to grant themselves and their friends privileged status while leaving everybody else without a device that can run the software they want.

Security doesn't have to be perfect in order to be beneficial.
