GrapheneOS with literally call anything shit that Gaelle from Murena touches. If Gaelle made billions and gave away an entire billion to an opensource project, GrapheneOS would whine day in day out about it. If Gaelle donated that billion to GrapheneOS, it wouldn’t surprise me if the disbanded or gave that billion away in order not to be associated with the money.
Attestation is definitely a tool to lock people in, but it has valid usecases that cannot just be ignored. For example, it claims to ensure that the device is safe, to a certain degree, from malware and tampering that could lead to security problems for applications on the device. Those claims are part of the appeal. Instead of writing pages of slander towards the developers of Unified Attestation and, what I can only describe as, losing their shit, why not be constructive. Propose alternatives, propose to work on something better, point to a group that could help work on something better, throw out ideas for improvements, etc.
A bit of drama is cute once in a while, but not like this.
The issue is that OS’s like /e/ and Jolla are quite insecure, meaning a verification that they’re “safe” can be a lie if the device is exploited, which it easily can.
GrapheneOS has their own attestation system, and some banks are using it.
GrapheneOS’s propaganda about every android ROM being insecure except their’s seems to working.
Nothing is 100% safe. There are varying degrees. GrapheneOS can be exploited just “the most secure phone OS” that is supposedly iOS.
If attestation is wrong and GrapheneOS is slamming another group for making an attestation system but GrapheneOS has its own attestation, doesn’t that seem a bit hypocritical?
They complain about /e/ and Sailfish because they are genuinely bad. You can see how bad /e/ is in my recent post.
They used to support DivestOS which was an OS designed for phones which don’t support Graphene.
Even GrapheneOS is not as insane to suggest ebanking should be restricted to locked down platforms.
EU should ban banks from requiring hardware attestation and other “security” excuses to refuse serving people.
Hardware attestation verifies that the phone and the OS its running on are real and not an emulator or a fake malware laced version.
It ensures that you don’t get your bank account stolen by a fake ROM with an infostealer inside.
Hardware attestation verifies that the phone and the OS its running on are real and not an emulator or a fake malware laced version.
No, it verifies that the phone is running an approved OS. If the app developer does not add your OS’ keys it will fail. This included GrapheneOS.
We have been web banking for decades on platforms without hardware attestation. The potential for anti-competitiveness abuse is not worth it.
It also does not protect the user. If your system is actually compromised they can simply replace the app, not allow it to run etc. I don’t see how it protects the user if they chose to run an emulator, what exactly is the threat to the user there?
If someone injects malware into your GrapheneOS image then the attestation won’t pass. That is how it works.
Where did I say a malware injected GrapheneOS image will pass hardware attestation?
The problem is that an unmodified GrapheneOS image may also not pass hardware attestation if the app developer has not whitelisted GrapheneOS’s key.
Also I hope GrapheneOS would simply inform the user or refuse to boot if the image does not pass attestation. In that case an app itself requiring attestation, based on it’s own list of accepted keys, has no security value, only gatekeeping potential.
It’s play attestation EU edition. Can the EU just go back to doing things that are actually helpful instead of putting European lipstick on all the American pigs?
The EU is not doing anything in this, it’s some private companies.
It should do something though, forbid banks and other essential services from imposing arbitrary requirements for providing service.
The danger of ignoring it is that it happens anyway in a worse form than it might otherwise take. It’s the eternal pragmatism-vs-idealism situation. Taking the approach of no compromises is risky.
I’m not suggesting we ignore the problem by rejecting any imperfect solution, but I think this idea that anything EU-edition is inherently better creates an environment that blindly supports the surveillance state under the guise of consumer protection.
The major difference is that it’s opensource. But as I said, it’d be better if people proposed alternatives to attestation instead of just saying “attestation is wrong”.
But like… attestation is wrong. There should be no need to prepose an alternative because it shouldn’t exist in the first place. It should be the user’s burden to determine if their device is secure enough for accessing their personal stuff. My bank, or any app for that matter, should have no right to tell me whether or not my device meets their security requirements.
I disagree. Attestation is definitely not wrong in a corporate setting where you want applications to only run on safe devices.
Taken out of the corporate world, it is problematic though, that I can agree with. But the solution shouldn’t be abolishing it without knowing why it exists. My guess is that there is a legal precedent or threat for it existing. Banks, healthcare applications and so on have a good reason to want to run in a secure environment. However, and this I’d where I think the alternative should be, users must have the option to opt out or say “I don’t care what you think, this device is secure, I will be liable for any damages to my own data should this device be insecure”.
Unified Attestation might actually be the way to include an opt out that is legally binding. So, again, instead of just taking a hard-line “no, I’m right all the time, my opinion is absolute”, it might help to think critically about things and ask “why” and “what if”.
You make a valid point, but I still don’t see why attestation is necessary. In a corporate setting, sure, it’s probably important to remotely verify that the OS is still untampered–except, oh wait, you can do that with the FOSS, opt in, privacy respecting, auditor app. If you install it via MDM you can install, set up, and then block the app so the user doesn’t do something dumb.
As for my bank and other such companies, from a legal standpoint I’m already liable if my device is compromised. In almost every Terms and Conditions, it will include a clause that they cannot guarantee your device, or any device you use to access their service, is free from malicious software, and thus it is up to you to keep your account secure.
Where did this site take that weird logo from
The fact that they post about this on twitter makes everything they say invalid. Clowns talking about privacy on a site owned by Musk.
I guess every privacy video on YouTube is wrong then, according to you
Only if it is only on Youtube
So most of them… yea nah, sorry, not a good take imo
But I agree that those videos should be put on alternatives like peertube or odysee