• Lytia @lemmy.today
    4 upvotes · 3 days ago

    I’m not suggesting we ignore the problem by rejecting any imperfect solution, but I think this idea that anything EU-edition is inherently better creates an environment that blindly supports the surveillance state under the guise of consumer protection.

    • onlinepersona@programming.dev
      2 upvotes · 3 days ago

      The major difference is that it’s open source. But as I said, it’d be better if people proposed alternatives to attestation instead of just saying “attestation is wrong”.

      • Lytia @lemmy.today
        6 upvotes · edited · 3 days ago

        But like… attestation is wrong. There should be no need to propose an alternative because it shouldn’t exist in the first place. It should be the user’s burden to determine if their device is secure enough for accessing their personal stuff. My bank, or any app for that matter, should have no right to tell me whether or not my device meets their security requirements.

        • onlinepersona@programming.dev
          1 upvote · 3 days ago

          I disagree. Attestation is definitely not wrong in a corporate setting where you want applications to only run on safe devices.

          Taken out of the corporate world, it is problematic though, that I can agree with. But the solution shouldn’t be abolishing it without knowing why it exists. My guess is that there is a legal precedent or threat for it existing. Banks, healthcare applications and so on have a good reason to want to run in a secure environment. However, and this is where I think the alternative should be, users must have the option to opt out or say “I don’t care what you think, this device is secure, I will be liable for any damages to my own data should this device be insecure”.

          Unified Attestation might actually be the way to include an opt out that is legally binding. So, again, instead of just taking a hard-line “no, I’m right all the time, my opinion is absolute”, it might help to think critically about things and ask “why” and “what if”.

          • Lytia @lemmy.today
            2 upvotes · 3 days ago

            You make a valid point, but I still don’t see why attestation is necessary. In a corporate setting, sure, it’s probably important to remotely verify that the OS is still untampered–except, oh wait, you can do that with the FOSS, opt-in, privacy-respecting, auditor app. If you install it via MDM you can install, set up, and then block the app so the user doesn’t do something dumb.

            As for my bank and other such companies, from a legal standpoint I’m already liable if my device is compromised. In almost every Terms and Conditions, it will include a clause that they cannot guarantee your device, or any device you use to access their service, is free from malicious software, and thus it is up to you to keep your account secure.

            • transporter_ii@programming.dev
              2 upvotes · 2 days ago

              If banks were really serious about security, more of them would offer YubiKey support. None of mine do, unless they just brought it online.

              • Lytia @lemmy.today
                1 upvote · 1 day ago

                If you can tell me an actual use case for attestation that isn’t purely for discrimination, I’m all ears. But if you want to tell me I should be in support of something because it’s better than the other thing, all the while ignoring the fact that it has no need to exist in the first place, I’m certainly not going to be swayed to agree with you.