I could also mean that if you don’t have TPM on your computer and the OS is not in the ”allowed” list, you can’t access anything. I hope that this is not the path we will see.
Agreed. But talking in generalities like "the government should be allowed to mandate a feature" leads to silly arguments like "government can't mandate airbags." We should be having the discussion about what the goal is, what the mandate would be, and what the side effects could be. Otherwise the conversation is too high level to mean anything.
I'm not really grokking the explanation in the article of why the SameSite cookie attribute doesn't fix CSRF. I thought that was the whole design intent of SameSite=Secure on an HTTPS cookie, was to fix CSRF. Can someone boil it down?
The article seemingly says "these cookies won't be sent with an unsafe request. But that doesn't fix it!" And doesn't elaborate?
The problem boils down to the lack of equivalence between a site and an origin. The article explains how https://app.example.com and https://marketing.example.com may sit at very different trust levels, but are considered the same site by the browser. You don't want https://marketing.example.com to be able to make requests to https://app.example.com with your authentication cookies, but SameSite wouldn't prevent that.
This doesn't match my experience. What am I doing different?
Example I set SameSite=Strict on www.edoceo.com and then visiting app.edoceo.com the cookie is not there? They are different sites, different origins. And the cookie is set to the domain (ie: host, ie: www.edoceo.com)
For CSRF (and for SameSite), you are not looking at what cookies are sent to attacker.example.com, but what cookies are sent to target.example.com if a request is originated from attacker.example.com (or from attacker.com).
Same-Site cookies are, well, same-site. Not same-origin. This is already a deal-breaker for many deployments, because they don't trust blog.example.com and partner.example.com as much as admin.example.com (both in the strict sense of trust, and in the senso of not having XSS vulnerabilities the attacker can pivot off).
Worse, by the original definition http://foo.example.com and https://admin.example.com are same-site, and unless the site uses HSTS with includeSubDomains, any network attacker controls the former. Chrome changed that with Schemeful Same-Site in 2020, but Firefox and Safari never deployed it.
The other replies answer this question, but it’s worth mentioning the public suffix list which contains a list of domain suffixes that have subdomains that are controlled by different people. E.g github.io, wordpress.com
Browser use this list to prevent cookie shared between sites using the suffixes on the list. E.g evil.github.io will not receive cookies from nice.github.io, or any other .github.io origin, regardless of the SameSite attribute
Yup, this is possible. It would have to be at some fair market value, and you'd (obviously) have to tax that in Germany. And depending on how much you trust your buddy, you might or might not have to draft up some complicated legal framework that you indeed have the right to buy back your company at some stage :)
So what's the secret sauce that cadence is not allowed to sell to personas non gratas? The article just says EDA tools but that's so broad. Is KiCAD export restricted?
For EDA, gate-all-around technologies used in 2nm processes are banned from export by ITAR. This applies to device electrical modeling as well as physical design layout rules. You won’t find these GAA in KiCAD or OpenROAD.
I think for this case though it was specifically because Cadence sold a commercial product to a banned entity, instead of anything technology related.
Is this actually because of legal requirements, or because of reality?
Nobody with access to a bleeding-edge node is using vastly inferior FOSS tools that can't actually work with a brand new fab PDK (which was produced specifically for Synopsys or Cadence tools.)
If you read the article, you will see that the technology is specifically semiconductor design tools required for developing high performance computing that the PRC would use for nuclear weapons development. Can you do that with KiCAD? No.
The parent's question still seems applicable. Is this basically down to a judge to decide the line at which a certain technology is too advanced to export? Would open sourcing an EDA tool be illegal if it was sufficiently capable?
Licensing as "open source" wouldn't be illegal, but the act of exporting would be. I've certainly seen libre software downloads that have click-throughs where you attest you're not in certain prohibited countries, IP blocks (eg Github does this site-wide AFAIK), etc. No idea if this will continue to be "enough" under this new fascist regime that doesn't care much for institutions like the rule of law. Probably fine up until it isn't, at which point ceasing and desisting would probably be enough unless you're deemed "woke" or some other kind of unperson.
(I'm not a member of any guilds. And I guess the downvote is for the political incorrectness. Plus ça change)
If we're to regain any ground here we need to adjust the messaging wrt terms like "wild west" - that's precisely the kind of terminology that scares the average voter into thinking the government needs to do something about this whole internet thing. We need to use patriotic and inspiring language, like "free" as in "free speech for the internet," or "safe and private" etc
I don't and I wish Google et al would take a god damned stand against it. All it takes is 2 or 3 big companies to just not play along with the destruction of the open internet (the very same responsible for their genesis and incredible success), and the bureaucrats will eventually relent. Unfortunately they've chosen the path of least resistance, which also is the path of regulatory capture to their sole benefit. Sad to see that win over the ideals of the early net.
I agree in principle but as time goes on I have found that the free and open internet as we know it already no longer exists in practise. Theres like 5 places to go on the internet these days - your social media platform of choice, your short form content platform of choice, youtube, perhaps an AI platform, and 1 misc place of your preference. And this loop of crap seems to demand more and more of your life.
I went on youtube in bed last night to watch a 10 minute video (that I knew I had to search for to find - it was a specific one), but the app opens to shorts and they're so damn stimulating that it was 30 minutes before I finally got to the vid I wanted. I started with pure agency and was immediately thrown off course. Say what you will about my discipline or habits, but imagine the affect this has on less... aware individuals such as children.
Walking around the world you see everyone buried in their phones.
There are aspects of this initiative that I totally welcome, if it has the result of some level of de-interneting. The argument is always "they do it to protect children first, then it comes for everyone". I hope they increase resistance for the end user. I agree its sad, but what we have currently is truly awful, and less of it is a good thing.
I understand that it may not have that effect and end up in the "worst of both worlds" situation. But I don't wan't google fighting any battles for me anymore. They might try on occasion to be respectful but their bottom line is to own my attention.
> that bothered to implement hardware-to-app attestation chaining live in production end-user devices
This is why it's important that initiatives like Web Environment Integrity fail. Once the tools are in place, they will always be leveraged by the State.
> and so once they publish all that, I expect we’ll find that they’ve petitioned their attested OS signature chain to the EU as satisfying age requirements for mature gaming.
I hope that Valve pays no mind to this nonsense and continues to allow art to be accessible to anyone.
That ship sailed decades ago when Intel promoted Secure Boot as a defense against malicious modifications; it stops rootkits and it stops cheaters, what more could one ask for, etc. App attestation of this sort has been offered in certain enterprise/government Windows 10 SKUs since day one. Apple’s web attestation protocol has been live on all T2 devices for about as long as T2 has been out.
Governments have real and serious need for verifications that are backed by their force. They’re a government; they are wielding force upon citizens by doing this, knowingly and intentionally. That is a normal and widespread purpose of the State existing at all: to compel people to align with the goals of the State, whether members of the State like it or not, until such time as the State’s goals are changed by whatever means it permits or by its collapse.
If this pans out for them, as cryptographically it will but remains to be how vendors and implementations handle it at scale, then they can introduce voting from your phone — the previously-unattainable holy grail of modern democracy — precisely because it lets the government forcibly stop the cheating that device-to-app/web attestation solves. And they can do so without leaking your identity to election officials if they care to! Just visit a government booth once in a while to have your identity signature renewed (and any prior signatures issued to your identity revoked). That’s how digital wallet passports and ID cards work already today anyways, with their photo/video/NFC processes.
Western sfbay-style tech was founded on the libertarian principle that one should be able to tell the government to fuck off and deny taxation, representation, blah blah etc. in favor of one’s armed enclave that does what it feels like. It’s fine to desire that, but it’s proven too radical to be compatible with the needs of nation-states or the needs they enforce satisfactions for on behalf of their citizens. Attacking attestation won’t solve the problem of the “State”, and has led us to a point where Google can claim truthfully to a “State” that the Android forks ecosystem isn’t competent enough to be trusted, because they can’t be bother to do attestations.
> If this pans out for them, as cryptographically it will but remains to be how vendors and implementations handle it at scale, then they can introduce voting from your phone — the previously-unattainable holy grail of modern democracy — precisely because it lets the government forcibly stop the cheating that device-to-app/web attestation solves. And they can do so without leaking your identity to election officials if they care to! Just visit a government booth once in a while to have your identity signature renewed (and any prior signatures issued to your identity revoked). That’s how digital wallet passports and ID cards work already today anyways, with their photo/video/NFC processes.
we've banned all graphic depictions from the internet, required a verified name attached to every blog post, and made sure to confirm everyone's digital passport before letting them resolve a DNS query, but at least now I can vote from me phone instead of having to go outside. The future is bright!
Yeah, this future sucks, and we’ve had twenty years to push back and utterly failed to do so. I’ve tried for years to interest people in learning about attestation so they can curb it before it swings hard authoritarian, but no one wanted to listen b/c Linux is about having root and anything that challenges that belief is anathema to consider. Welcome to the party, the sky is falling just as it has been for years; someone else can be the harbinger for a while, I’m tired of watching people try the same old arguments that have failed for years.
Aha! Graphene, with the support of impacted EU citizens, has grounds to petition the EU for inclusion in their age verification app, then. I hope someone makes that happen! (I am not an EU citizen and so have no ability to help.)
In my experience, Samsung is a label that means "stay far, far away." From the Galaxy Note fiasco to my microwave to my dishwasher to ... Probably at least three other products before I learned my lesson.
I even refuse to buy QD-OLED monitors out of indignation that Samsung makes the panels. Maybe I'm alone but maybe one day we'll boycott lousy companies out of business.
In favor of what? The Android ecosystem is pretty lousy. Which manufacturers allow you to easily migrate to a new phone (Samsung has Smart Switch) and have, let's say, 4+ years of security updates?
Genuine question.
In my case I also wanted an SD card slot so it was slim slim pickings indeed. (And still there are some misfits who insist that there is no such thing as progress!)
Going from a phone with a Snapdragon SoC to a Pixel with the Tensor SoC was a big downgrade for me. It gets hotter quicker when doing more demanding tasks, battery drains faster if network conditions are not perfect, etc.
We've been having some warm weather (~30ºC) around here and the other day my Pixel 8 Pro started warning me about the phone being too hot when I tried to record a video.
I like Google's Android skin and their long support periods, but Tensor holds these newer Pixels back.
Pixel phones have been awful hardware since the 5. So there is that. The tensor chip is a dud and can't be fixed. I'm done with Samsung for good after my current phone which I bought a few months ago. I'll probably replace it with an Oppo or something again, never going back to Samsung.
Pixel of course. And yeah the Androids suck mostly. Pixels suck too in some ways, for example, they are quite bulky, and heat up a bunch. But overall, by far the best Android experience in my opinion. No SD slot though.
I'm still using a V20 as my main phone. The recent app icons at the extra top section of the screen really make juggling active apps fast. I don't think any phone has had this feature since.
I love the phones Nothing makes. And they are offering five years of Android updates and seven years of security upgrades on their upcoming Nothing phone 3.
Has any smartphone maker succeeded in getting more than a few percent of market share, released more that 2 phones while being immune to that level of fiasco ?
Samsung phones have been filled with preinstalled spyware since the beginning. Outside of fairly unusable Linux phones, Apple seems to be the only one taking privacy seriously.
Because Apple blocks everybody else from spying on you but Apple themselves are still perfectly spying on you. And not just that, by disallowing all other apps to get their hands on your data you even tell Apple which data it can sell for a higher price because it's only available via Apple and noons else...
Let what sink in? Your completely unprovable/unproven conspiracy theory?
You are suggesting that Apple is actively tracking you in other apps (apps that aren’t allowed to track you themselves). I find that completely preposterous and a huge risk for Apple to take given their marketing.
> Because Apple blocks everybody else from spying on you but Apple themselves are still perfectly spying on you.
Extraordinary claims require extraordinary evidence. Specifically Apple spying on users and collecting info tied to their identities in 3rd party apps.
You mean extraordinary evidence like selling Apple Ads and associated attribution data that third parties aren't allowed to collect? Their ads revenue is now $10B+ and growing. You must know nothing about the mobile measurement industry if you think this very mundane claim is some extraordinary conspiracy theory; it's not even controversial there.
reply