Hardware Attestation as Monopoly Enabler
grapheneos.social | 2179 points by ChuckMcM 6 days ago
The superhuman efforts that folks on HN make to find technical workarounds and solutions are wonderful to see, but we must realize that this is not a technical problem. It's a social and legislative one. It can't be fought on technical grounds. The pushback has to be via putting pressure on politicians by making regular people more aware.
Right now, the vast majority of users are being bombarded with a one-sided narrative of how 'insecure' their devices are. They read almost every day about someone losing their life's savings due to 'hackers'. In this environment, they genuinely believe locking down their devices will make them more secure and prevent them from being 'hacked'.
The powers that be make sure that the people never hear the other side. That people are giving absolute control to large corporations. In my experience, once the issue is framed as 'Google will decide what you can do with your phone' every single person is immediately outraged.
If you want to make a meaningful contribution, however small, then make it a point to educate people about the control they are giving to large corporations like Google. It doesn't take much to convince them that Google et al don't have their best interests in mind. They already know it and have experienced it. The second thing to do is to encourage them to reach out to their member of congress via letters. It's easy enough to do, and politicians are terrified of going against voters. They rely on people's ignorance to quietly work against their constituents' interests while supporting whichever special interest happened to donate the most to their campaign fund.
> In my experience, once the issue is framed as 'Google will decide what you can do with your phone' every single person is immediately outraged.
Apple already does this and practically no one is outraged.
Because Apple always did this, everybody knew this and people buy Apple exactly because of this.
Google now pulls the rug on Android which is a whole different story because it used to be open. The whole idea of Android was to be open.
The biggest mistake is that people trusted a company that, in reality, isn't that different from Apple. Just because everyone claimed Android as the true open source alternative to iOS, when only AOSP was that.
Yea agree. I reeeeally don't get why Google or Apple have a good reputation at all.
Google (before the sell-off) promoted a morality in 'don't be evil' that was a stark contrast to other tech firms. The adverts they carried were minimal. Their "free" stuff was top of the line, better than people were getting from paid services.
Apple (under Jobs) sold themselves as counter-culture, they used popstars (unironically), and design, to sell the idea that if you were your own person, or followed fashion, then you bought Apple.
I think the goodwill from those days still provides the foundations of their cultural position now. Although they chip away at those foundations.
OpenAI looked like it could follow Google's early model, until it didn't.
The writing was on the wall for "don't be evil" when Google started the process of acquiring the much reviled DoubleClick back in 2007, nearly 20 years ago at this point. That's longer than most people reading this have been in the tech industry; a generation has never seen Google be anything other than increasingly extractive and monopolistic.
They built products people like, and especially Apple has a good reputation for building reliable, long-lasting and easy to use stuff for most people, leading to a heavy user adoption. But heavy user adoption without the proper regulation and company ethics leads to, well, monopolistic practices.
I mean Apple kind of used that position for building a good reputation. Their whole thing is/was how secure their devices were and how they had human verification on all apps that went through the app store with a clear intents file (a file that describes exactly WHY an app needs permission for bluetooth/etc), and a secure enclave that prevented even the FBI from getting in (while Apple refused to give them a backdoor). Hackers and tinkerers will find a lot of these measures to be an annoyance and authoritative control, but a lot of people just want their phone to be a product, not the user.
> Because Apple always did this, everybody knew this and people buy Apple exactly because of this.
Is that really so? Does the average iPhone user actually factor the app store tax into their decision to purchase the device? Or do they just assume that is just how all software works because they have no exposure to software ecosystems outside the iPhone app store?
> Does the average iPhone user actually factor the app store tax into their decision to purchase the device?
As I'm the IT tech support for some family members, I certainly do. A lot less drama and garbage when using Apple products (generally speaking).
I've sysadmined Linux for a living for many moons now, and used to run Linux and then FreeBSD at home, and I switched to Apple for personal stuff during the PowerPC and early Mac OS 10.x timeframe because I did enough fiddling with tech at work and minimized it at home.
I used Linux desktops at work in the pre-COVID era when we still had offices and such. I now use an Apple laptop as I can get Unix-y tools to admin: I spend >80% of my time in Terminal (the rest in Safari and Mail).
They factor in a more "clean" appstore yes. Not the tax itself but they usually appreciate apple having more polished apps in general (given that the Google Playstore is full of trash).
Google play store is only full of trash if you go hunting for trash. I'd like to see the actual stats of people affected by play store malware vs malware available on the play store.
I'm not saying it's not a problem, but I am saying it's not a problem that has caused any problems with any Android user I've ever met.
> but I am saying it's not a problem that has caused any problems with any Android user I've ever met.
You are an HN user of some age. You might even be the family IT person. You may well be changing the experience of people in your orbit.
In contrast, my grandfather’s android phone had somehow 3 different SMS apps, all of which must have tried to remove the default app.
I doubt you think some chap living in rural India has good data hygiene and habits.
I am not talking about the malware, I am talking about the apps that are bloated with advertisements or try really hard to push a subscription upon you. Lots of "free" apps try to push you into a subscription once installed.
People do not buy Apple because of this. They buy Apple for other reasons and this comes along with it. Apple could allow side-loaded apps and not a single person would switch.
> Google now pulls the rug on Android which is a whole different story because it used to be open. The whole idea of Android was to be open.
This is the narrative for us in developed nations, but the majority of users today are people who were in developing countries and got a mid-tier smartphone to chat with friends and do banking with the same values as Apple users.
this is that xkcd "regular people can only name a few common feldspars" meme. over 90% of consumers have no knowledge at all of tech corps' philosophy on user freedom, they just buy cheap phones that have good cameras and run instagram and tiktok well.
Thanks for the reminder, I needed that. I didn't know this xkcd, but I've bookmarked it.
I agree with this. The general population is hopeless, they will hand literally anything away for the least amount of friction. They are also profoundly ignorant.
The solution should be to provide the tools necessary to preserve as much agency using technology to people who want to. You should also keep in mind the middle tier technical people who need a bit of hand holding. But do not waste your time on the general public because they don't share or comprehend your goals.
No, they calculate in the fact of that lack of control into their purchase decision. They mostly didn't want that control in the first place. They just want to _______, for many things you can fill in the blank, including things like look good, appear classy, get high, get laid...
I respectfully disagree with "they calculate in the fact of that lack of control into their purchase decision".
The average person is not calculating anything but price, is it what everyone else is using, is it new etc. Very low level calculations. They aren't asking "can I install applications from outside the app store?". Etc.
The average person is also being constantly manipulated to believe things which are actively nefarious are actually good for them.
I don’t know if we can blame the average person when there is an entire class of people which have almost limitless resources, knowledge and means to execute their agenda. At some point we have to accept we are fighting against an evil and powerful enemy. And that the masses are highly susceptible.
It’s like being mad at the characters in Lord of the Rings for succumbing to the ring's powers.
Hrrm. It seems your original comment has been heavily edited.
> They aren't asking "can I install applications from outside the app store?"
I agree. They don't want to. They already can't begin to evaluate app trustworthiness and don't want to have to. And they shouldn't have to. Yet they live in a world where they do. So they lean on reputation, app store filtering, the legal system, and hope.
> I agree. They don't want to.
That's not what the parent was saying. Most people don't have any opinion whatsoever on sideloading. You can go confirm this for yourself by asking a Mac or PC owner how scary it is. Most of them will respond that they genuinely never thought about it, not that they're afraid to consider it. To these people, it's a normal feature of their device that you could never remove.
The parent is lamenting that people don't care about this technology - Client Side Scanning, hardware attestation, Push notification surveillance - all of it is enabled not because of fear, but apathy.
> And they shouldn't have to. Yet they live in a world where they do.
This is fearmongering logic that doesn't really defend the App Store. Putting your faith in a centralized software auditor also requires you to pay attention and stay abreast of scams. It's just a different exploit chain to deliver the same payloads: https://blog.lastpass.com/posts/warning-fraudulent-app-imper...
I do talk to computer users and they do fear making installations. Many of them have installed something that was adware or a virus, often without meaning to and regretted the results. I have been helping my family and extended family members fix their errors for a long time. This pushes them to big names with names to spoil.
I suspect that the GP is, as you write, lamenting the lack of attention to the topic.
> This is fearmongering logic that doesn't really defend the App Store
I agree it doesn't defend the app store. It wasn't about the app store at all. It is about the social problem of the persistent existence of people who choose to purposely do others harm. The problem for most people isn't the app store but those who attempt to get exploits and quasi-exploits into the app stores.
I also agree that you still have to be cautious when using the app stores. Are you claiming that the app store controls do nothing to reduce the presence of malicious apps in their stores? The article you link starts by noting that the app was removed the day after that post was made. That is exactly why people feel more comfortable using the app store.
> the app was removed the day after that post was made
LastPass has been downloaded in excess of 50 million times in the past 10 years. As many as 10,000 users could have installed the app and turned over their credentials to the trojan version in a 24 hour period. If your manual review takes a day to respond, it's already too late at Apple's scale.
> That is exactly why people feel more comfortable using the app store.
Then why does the App Store represent the minority of software sales on platforms like macOS, where users are given free rein to download whatever they want? It seems like users are overwhelmingly uncomfortable sticking to the App Store, if you take their actions and spending into account.
Apathy seems to be the best explainer here. Users don't care about security at all, they are just consuming whatever is put in front of them. That's why social engineering like LastPass works, and it's why you see people ignore systemic backdoor efforts like Client Side Scanning and Push notifications. They might be afraid of getting hacked, but it's plainly clear that none of them care enough to make a change in their lifestyle.