Unfortunately all "secure" or "trusted" computing efforts seem to be focused on depriving the owner of permissions and command over the computer, and instead transferring that to large copyright holders.
But I suppose the Android security model would make sense, which seems to be based on a traditional Unix security model combined with each program running as a separate user and having its own set of group memberships.
As long as I don't need to install a rootkit on my own computer.
Consider a user that has no idea what SSL, TLS, Certificates, Encryption, HTTP, drivers, program signing even mean. What do you put in the prompt that would allow the user to make an informed decision about whether a program they downloaded should be able to install a cert?
If Microsoft (or any vendor) wants to sell security, they have to be responsible. Then they have to sign the drivers.
Yes, it's a whole lot of Single Point of Fuck, but that's what it takes. Hence we have the CA model. We have a "few" trusted authorities.
This could be made into a reputation market thing. So the user could buy security from a vendor. If a vendor is too strict, it'll have few users. If a vendor is too lax, we need a negative signal to penalize its reputation, maybe IP packets should contain a sort of fingerprint of the vendor. So if we see a lot of spam/DDoS from a vendor, it should cost them.
User testing revealed that most users clicked the little cross in the top corner.
:headwall:
On smartphones permissions are pretty obvious (Camera, Contacts, Location, Pictures) but even they sometimes have consequences beyond the obvious.
How would one even begin to word a certificate store permission so that the average person would understand the consequences of it?
Same way you educate people on how to vote: functional literacy [0]. If people are functionally illiterate, they are going to struggle in all sorts of ways. One of the big drawbacks of our society is that its complexity seems to be growing without bound. This places ever-higher demands on people's ability to read, interpret, and act upon important information in their daily lives.
> Do you trust this program to make security changes to your device? [More details]
> "Mom, just click OK whenever this box pops up"
But device drivers for a desktop machine? The user has paid good money for that device and is going to grant every permission they need to get it working. Asking for each permission individually is just noise.
But the problem is the user interface and programming environment is shit for anything past basic stabby finger novelty apps and no one trusts them enough to invest heavily in it. Oh and the store is a desert of turdblossoms.
I trust my distro vendor, but on Windows this will likely remain the wild west for years to come.
Think about it this way. I've never seen anyone complain about full disk encryption on an iPhone 6 or later. Do the same on a Windows machine with 5400 rpm spinning rust...
https://news.ycombinator.com/item?id=12061320
Those worrying about security should remember that device drivers already run in ring 0 and can do anything they damn well please.
Thus I say: Good on Savitech for not being afraid to rebel against; and fuckings to the corporatocracy that is certificate authorities and the authoritarian security industry.
I am with you here, as I've been for many years (you link to a comment of yours that links to a comment of mine, for that effect). I'm even fond of saying, "security vs. fun - pick one". But I start to increasingly understand the arguments from the other side.
Consider: what I consider an essential "fun" of computing is being able to alter software running on my machine as I see fit. If I want to make it so that Windows Notepad is pink, or supports Emacs shortcuts, I should be able to mess with both binary on my hard drive and running process in memory, because it's my computer and my rules. But the same mechanisms allow an evil person to make my mother's Notepad look like her e-mail account login screen and exfiltrate data from that. I dream of having an OS as malleable and tightly integrated as Lisp Machines were, but I wouldn't dare connect it to the Internet these days.
So what can one do? How to approach it? Is there even a way to create a computer that both respects the end-user as its rightful owner and can be safely used to conduct business and pleasure on-line? I honestly don't know if this is even possible in principle. If it is, I would appreciate being pointed towards possible solutions, because this - I believe - is a case worth fighting for.
My personal approach to the problem is multiple devices. Linux laptop and Windows desktop for my open systems. iPhone and Chromebook for when I don't want to worry.
Take a look at Qubes. It virtualizes almost everything that is done on the system and it has a very solid security model. An example: your banking VM can be clearly marked and distinct from the (potentially one-time) VM you used to open that dodgy-looking email attachment.
We have to accept that those who need rigid, inflexible computing to protect them far outnumber us. People don’t care if they can rewrite Notepad or read its source code, they care that Facebook works and that they don’t get viruses or added to a botnet. The only way to develop a healthy advocacy here is to understand that the hacker ideals and customizability that we expect of a computing system really make us a vanishing minority and acknowledging that for the now-average user, those ideals make less and less sense as time goes on. We had our run, then everybody else found computers. Times change. It’s not bad.
Is there a way to create your computer? For us, probably. For them, I’m increasingly believing it isn’t. This isn’t a knock against anyone, just an acknowledgment that there are almost certainly two answers to this question and Free Software ideals and beliefs aren’t equipped to handle the much, much larger answer. Proprietary operating systems, walled gardens, Internet centralization, it plays toward all of the ideals Free Software has been holding dear for decades. We have to evolve our thinking, I’m afraid. The less we acknowledge that perhaps Free Software is wrong for the average user, the less we will have a voice at the table; eventually, nobody will listen at all.
Hell, many cars don’t even allow you to work on them any more. Look at Teslas, higher-end Audis, etc. I offered to change my neighbor’s oil in his Audi and he got scared about his warranty.
Corporate proxies today are obscenely intrusive and if anyone even knows what a "root CA" is they have no idea what it's used for. Many places get people to install them on to personal devices and of course most people do as instructed. This is the environment in which most people do their "computing" and it's all they know.
Not in a proper microkernel, so that's fixable.
>Thus I say: Good on Savitech for not being afraid to rebel against; and fuckings to the corporatocracy that is certificate authorities and the authoritarian security industry.
"Fuck to the CAs" I get.
But there's nothing about what Savitech did that's good.
But the reality is that most people are not software engineers and prefer computers that have proper safeguards against malware.
If you don't want to participate in mainstream computing with its certificate authorities and authoritarianism, there are always alternatives for you to use.
Use Linux, use hardware which focuses on freedom and privacy, these options are freely available.
- generate a fake CA and use it to sign your driver on the fly;
- add the generated root CA to the trusted list
- delete the private key so that nobody else can sign anything with this CA
- now windows will happily consider this driver as worthy of trust and install it.
"[T]he term 'protected computer' means a computer [...] which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States"
"[T]he term 'damage' means any impairment to the integrity or availability of data, a program, a system, or information"
The correct solution would be for Microsoft to allow unsigned drivers (perhaps with a warning).
Most of this separation is done on good-faith already, but it should be done in a more discrete manner.
Notably, some parties in the newly minted government have declared their intention to ignore the referendum. They back this by two arguments "It is needed for security" and "We are going to remove the advisory referendum anyway, so we get to ignore this one".
That second point is kind of interesting, because the referendum is possible due to a rather new law. We had one before that went rather poorly, so now we want to get rid of it.
The actual law is here [1]; this site [2] advocates for the referendum. I'm afraid I don't know of any English sources.
Quoting from the law, and applying my own translation
>>
Article 45. Member 1
The services are authorized to:
a. (Basically, do exploratory searches of networks)
b. Use false signals, false keys, false identity or intervention by third parties to gain access to automated systems. This can be done with the help of technical tooling.
Article 45. Member 2 The authorization from member 1b above also authorizes:
a. The defeating of any security measures
b. Installing technical measures to reverse encryption on data stored or processed by automated systems.
c. (references article 40)
d. To copy data stored or processed by an automated system.
Article 45 Member 2 (summarized, the government needs to give written permission for any of the above to happen)
>>
This seems to be the referenced passage based on a preliminary search.
[1] https://zoek.officielebekendmakingen.nl/kst-34588-A.html
You can also add your own cert to the root certs list of any browser; then any site's key signed by your cert is going to be trusted. Next time your browser says "Don't trust this site", explore the key chain.
Other applications like Firefox have their own independent root CA store.
We are looking for somebody who can run aforesaid event fifty times a year for the general public without anybody falling in any of the machinery. In hindsight drunk people in an industrial workplace was a mistake, and so we can and should demand they do their best to make it safe, but perfection just isn't to be expected.
However, once you have installed your own root CA certificate on a computer, you can read all HTTPS traffic originating from that computer, and fake responses. Likely, thanks to having installed that certificate, you can read someone's emails, move money out of their bank account, and view any files they have stored online.
The effect of installing a certificate is broadly similar to the effect of installing a keylogger, and in neither case have you been given a right to do so. In both cases you have altered someone's computer in such a way that you are able to read their encrypted communications, which is certainly in the spirit of what malware means to me.
I'm sure that the intent in this case was not malicious, but we would not accept software installing a keylogger because they wish to measure your typing speed, and we should not accept this.
What other explanation is there? Is there a valid reason for an audio driver to silently install a CA cert?
Some of your competitors have had their current root certs preinstalled on devices for a lot longer than you. Entrust and GlobalSign have 2048-bit roots with Not Before dates before 2000.
If I'm going to go with a Johnny come lately root, I may as well use LetsEncrypt because it doesn't cost money. Also, audio drivers may get you desktop share, but getting into the platform store on mobile is a lot harder.
Purposes other than TLS server and /maybe/ S/MIME are not subject to any meaningful public oversight, you are entirely trusting Microsoft. Which for drivers, or Xbox games is probably fine but it's worth keeping in the back of your mind.
curl https://example.com/some_script.sh | bash
A lot of people don't check those. Use the non-OSS Nvidia or ATI drivers? You have binary blobs (don't for ATI btw, the OSS ones are 10x better). Use Bluetooth/Wi-Fi on Linux? Congratulations, you are using closed binary blobs. I still love Linux, but I don't hate Windows. We're not in the 90s. Bill Gates isn't master of the Borg.
No, it's not the 90s. Now it's worse!
I prefer RCC (root certificate checker) and have used it in the past, but the website seems to be suspended.
Microsoft should mark these as malicious and quarantine them using their built-in AV. If the end user needs them he can remove them from quarantine. Posting advisories no end user will ever see isn't helping much.
And what kind of odds do I get on the certs having a EKU for anything but driver signing?
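One way to answer the EKU question above, and to catch the four-step "generate a throwaway CA, sign, trust it, delete the key" procedure described earlier in the thread, is to baseline the machine's trusted root store before installing the driver and diff it afterwards. This is an added example written for this page; it is not code from the thread, from Savitech or from Microsoft. It reads `Cert:\LocalMachine\Root`, reports for each new root whether it is self-signed, whether a private key is present, and which purposes its own EKU extension allows, and resolves which root a given driver's Authenticode chain terminates in. The driver path and the baseline file path are placeholders.

```powershell
# Added example, not from the thread or the vendor. Baselines the machine root
# store, diffs it after a driver install, and reports EKU / self-signed / key
# status for anything new. Driver and baseline paths below are placeholders.

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Get-RootStoreEntries {
    # One record per certificate in the machine-wide trusted root store.
    Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object {
        $cert = $_
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        } | Select-Object -First 1
        # A root with no EKU extension restricts nothing in the certificate
        # itself. Purpose limits set on the store entry rather than in the
        # certificate are not read here.
        $eku = if ($ekuExt) {
            ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -join ','
        } else {
            '<unrestricted>'
        }
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            NotBefore     = $cert.NotBefore
            HasPrivateKey = $cert.HasPrivateKey
            EKU           = $eku
        }
    }
}

function Save-RootStoreBaseline([string]$Path) {
    # Record the thumbprints present now; run this before installing the driver.
    Get-RootStoreEntries |
        Select-Object -ExpandProperty Thumbprint |
        Sort-Object |
        Set-Content -Path $Path
}

function Get-NewRootCerts([string]$BaselinePath) {
    # Roots present now that were absent when the baseline was taken. A new
    # self-signed root with NotBefore at install time, no private key and an
    # unrestricted EKU matches the throwaway-CA pattern from the thread.
    $known = Get-Content -Path $BaselinePath
    Get-RootStoreEntries | Where-Object { $known -notcontains $_.Thumbprint }
}

function Get-DriverRoot([string]$DriverPath) {
    # Which root the driver's Authenticode chain ends in, evaluated for the
    # code-signing purpose.
    $sig = Get-AuthenticodeSignature -FilePath $DriverPath
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{ Driver = $DriverPath; SigStatus = $sig.Status }
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.ChainPolicy.ApplicationPolicy.Add(
        [System.Security.Cryptography.Oid]$CodeSigningOid)
    $null = $chain.Build($sig.SignerCertificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Driver      = $DriverPath
        SigStatus   = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        RootSubject = $root.Subject
        RootThumb   = $root.Thumbprint
    }
}

# Usage:
#   Save-RootStoreBaseline -Path "$env:TEMP\root-baseline.txt"        # before the install
#   ...install the driver...
#   Get-NewRootCerts -BaselinePath "$env:TEMP\root-baseline.txt" | Format-Table -AutoSize
#   Get-DriverRoot -DriverPath 'C:\Windows\System32\drivers\example.sys'  # placeholder path
```

Reading the store needs no elevation. Cross-check the `RootThumb` from `Get-DriverRoot` against the thumbprints that `Get-NewRootCerts` reports: a driver whose chain ends in a root that only appeared at install time, and whose EKU column reads `<unrestricted>`, is trusted for far more than driver signing. A driver signed only through a catalog (.cat) file may show `NotSigned` for the .sys itself; point the function at the catalog or the installer in that case.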