En god nyhed: Unified Attestation - et Google Play Integrity API er under udvikling, iniativ fra @volla og med deltagelse af blandt andet @murena!
-
@jpkolsen @anderslund @pmakholm men for at det kan virke helt skudsikkert er der behov for kontrol over hele kæden fra Secure boot i hardware der godkender os der så kan validere apps.
Hvis noget i den kæde er brudt kan der lyves.
@svuorela @anderslund @pmakholm interessant. Jeg troede egentlig bare det var betroet autoritet der sammenlignede nogle hashes eller noget i den stil, men jeg har aldrig sat mig ind i arkitekturen
-
@svuorela @anderslund @pmakholm interessant. Jeg troede egentlig bare det var betroet autoritet der sammenlignede nogle hashes eller noget i den stil, men jeg har aldrig sat mig ind i arkitekturen
@jpkolsen @anderslund @pmakholm men hashes af hvad? Og foretaget af hvem?
-
@jpkolsen @anderslund @pmakholm men hashes af hvad? Og foretaget af hvem?
@svuorela @anderslund @pmakholm du siger noget…
-
@anderslund @volla @murena Ok, tak! Jeg fik også et svar i murena-community men har ikke fået læst det endnu: https://community.e.foundation/t/article-paying-without-google/80205
@bettina Det ligner at dette i praksis rykker Murena / e/os fra en dries software-freedom a-c til en klart D. Det gør i praksis man ikke kan bruge sin egen modificerede android/linux men er bundet op på nogen andres ubetinget. @anderslund @volla @murena
-
@anderslund @volla @murena Ok, tak! Jeg fik også et svar i murena-community men har ikke fået læst det endnu: https://community.e.foundation/t/article-paying-without-google/80205
@bettina @anderslund @volla @murena awesome: “With #UnifiedAttestation, we are creating a transparent and trustworthy procedure for security checks that developers and app publishers can rely on equally. This removes the last hurdle for the use of alternative mobile operating systems"
“We don't want to centralize trust, but organize it transparently and publicly verifiable. When companies check competitors' products, we can strengthen that trust," #unplugtrump #degoogle -
@bettina @anderslund @volla @murena awesome: “With #UnifiedAttestation, we are creating a transparent and trustworthy procedure for security checks that developers and app publishers can rely on equally. This removes the last hurdle for the use of alternative mobile operating systems"
“We don't want to centralize trust, but organize it transparently and publicly verifiable. When companies check competitors' products, we can strengthen that trust," #unplugtrump #degoogleRE: https://grapheneos.social/@GrapheneOS/116200110686604617
@bettina @anderslund @volla @murena just read the protest from GrapheneOS: https://mastodon.social/@GrapheneOS@grapheneos.social/116200111659862792
I cannot see through the technical background how this system closes the space and just deamercanizes it, being from EU.
-
RE: https://grapheneos.social/@GrapheneOS/116200110686604617
@bettina @anderslund @volla @murena just read the protest from GrapheneOS: https://mastodon.social/@GrapheneOS@grapheneos.social/116200111659862792
I cannot see through the technical background how this system closes the space and just deamercanizes it, being from EU.
@MisterSmith @anderslund @murena To quote Voltaire quoting an Italian: "The best is the enemy of the good". Without having much technical insight, I think the initiative by Volla, Murena etc. is trying to fix a problem in a structure none of us created in the first place. So I welcome it.
Do I also want to see a world where tech is structured in a completely different way? Of course. But one step at a time.
And shaming others or wanting them obliterated is not a path to peaceful coexistence
-
@MisterSmith @anderslund @murena To quote Voltaire quoting an Italian: "The best is the enemy of the good". Without having much technical insight, I think the initiative by Volla, Murena etc. is trying to fix a problem in a structure none of us created in the first place. So I welcome it.
Do I also want to see a world where tech is structured in a completely different way? Of course. But one step at a time.
And shaming others or wanting them obliterated is not a path to peaceful coexistence
@bettina @anderslund @murena thank you for furthering :]
-
@anderslund All they're doing is building a centralized system on top of standard hardware attestation permitting only their products regardless of how insecure those are. Unified Attestation anti-competitive and clearly illegal. If any app implements this without permitting GrapheneOS via standard Android hardware attestation, that's going to be a problem for each of the companies involved. They aren't allowed to ban using products from other companies.
-
@bettina @anderslund @volla @murena awesome: “With #UnifiedAttestation, we are creating a transparent and trustworthy procedure for security checks that developers and app publishers can rely on equally. This removes the last hurdle for the use of alternative mobile operating systems"
“We don't want to centralize trust, but organize it transparently and publicly verifiable. When companies check competitors' products, we can strengthen that trust," #unplugtrump #degoogle@MisterSmith @bettina @anderslund All they're doing is building a centralized system on top of standard hardware attestation permitting only their products regardless of how insecure those are. Unified Attestation anti-competitive and clearly illegal. If any app implements this without permitting GrapheneOS via standard Android hardware attestation, that's going to be a problem for each of the companies involved. They aren't allowed to ban using products from other companies.
-
@MisterSmith @anderslund @murena To quote Voltaire quoting an Italian: "The best is the enemy of the good". Without having much technical insight, I think the initiative by Volla, Murena etc. is trying to fix a problem in a structure none of us created in the first place. So I welcome it.
Do I also want to see a world where tech is structured in a completely different way? Of course. But one step at a time.
And shaming others or wanting them obliterated is not a path to peaceful coexistence
@bettina @MisterSmith @anderslund Android already has a standard hardware attestation API which can be used to permit each of these options. The entire purpose of this system made by Volla, Murena and iodé is to centralize control over what's allowed to be use with a service under their control. The whole point of their service is to permit their own insecure products with no serious security standards while forbidding everything not part of it including GrapheneOS. It's definitely not legal.
-
@bettina @MisterSmith @anderslund Android already has a standard hardware attestation API which can be used to permit each of these options. The entire purpose of this system made by Volla, Murena and iodé is to centralize control over what's allowed to be use with a service under their control. The whole point of their service is to permit their own insecure products with no serious security standards while forbidding everything not part of it including GrapheneOS. It's definitely not legal.
@bettina @MisterSmith @anderslund Forming an anti-competitive cartel which pushes a centralized system only permitting using the products of the companies forming it while disallowing anything else is clearly not legal. We fully intend to file a lawsuit against Volla, Murena and iodé once the damages against GrapheneOS start building up. This highly unethical anti-competitive power grab by these companies will not stand. There's nothing peaceful about this aggressive power grab they're making.
-
@bettina @MisterSmith @anderslund Forming an anti-competitive cartel which pushes a centralized system only permitting using the products of the companies forming it while disallowing anything else is clearly not legal. We fully intend to file a lawsuit against Volla, Murena and iodé once the damages against GrapheneOS start building up. This highly unethical anti-competitive power grab by these companies will not stand. There's nothing peaceful about this aggressive power grab they're making.
@GrapheneOS @bettina @MisterSmith @anderslund I hope you'll file a lawsuit against Google that prevents me to use some apps (banks, mostly) on the system of my choice (i.e. not passing their integrity check), and soon will prevent me to install app from dev who does not want to give all their info to them (i.e. https://keepandroidopen.org/). If that's not anticompetitive cartel behaviour, I dont know what is.
PS : running GrapheneOS here -
@GrapheneOS @bettina @MisterSmith @anderslund I hope you'll file a lawsuit against Google that prevents me to use some apps (banks, mostly) on the system of my choice (i.e. not passing their integrity check), and soon will prevent me to install app from dev who does not want to give all their info to them (i.e. https://keepandroidopen.org/). If that's not anticompetitive cartel behaviour, I dont know what is.
PS : running GrapheneOS here@guilg @bettina @MisterSmith @anderslund We're already taking action against Google for the Play Integrity API. Volla, Murena and iodé have sided against us on freeing people from anti-competitive use of hardware attestation. Instead of fighting it, they've built their own anti-competitive system on top of the standard Android hardware attestation API. They've made it to permit their own products while forbidding others. It's clearly not legal and they don't have the legal resources Google does.
-
@guilg @bettina @MisterSmith @anderslund We're already taking action against Google for the Play Integrity API. Volla, Murena and iodé have sided against us on freeing people from anti-competitive use of hardware attestation. Instead of fighting it, they've built their own anti-competitive system on top of the standard Android hardware attestation API. They've made it to permit their own products while forbidding others. It's clearly not legal and they don't have the legal resources Google does.
@guilg @bettina @MisterSmith @anderslund Google's developer verification system has no direct impact on GrapheneOS since we won't have any enforcement of that system. It's going to be a Google Play feature similar to Play Protect. App developers not performing verification would have grounds to file a lawsuit against them but we wouldn't since it doesn't directly negatively impact us. They've also said there will be a way around it for power users but not how that will work such as needing ADB.
-
@anderslund Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.
-
@anderslund @volla @murena fantastiske nyheder!
@benjaminlj @anderslund Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.
-
@anderslund @volla @murena wohooo!
@Laust Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.
-
@anderslund @volla @murena Sådan! Det er et længe ventet produkt!
@theizo Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.
-
@anderslund Nogen der kort, men teknisk, kan forklare hvad en app-udvikler får ud af dette API.
Ikke bare "det øger sikkerheden - og det er best practise" men "det fjerner denne type angreb på bekostning af denne funktionalitet".
Hvorfor er det en god ting og ikke bare en workaround for sikkerhedsteater?
@pmakholm Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.
