alt Hacker NewsThe technologies themselves are mostly a good idea. The problem is that the companies designing them also like to abuse them.
Take, for example, hardware attestation on android. There's not really any serious issue with this feature, it can be used to ensure your device is not compromised. This is for example how GrapheneOS enables its use with the auditor application.
But, on the other hand, Google abuses the feature to ensure that you are running a google signed OS if you want to use Google Pay. Meanwhile you can use banking apps which also use hardware attestation (although, from their perspective, they don't use enough of it to ensure it isn't being spoofed, and even then...) without any problem on GOS. Moreover, before Google Pay completely killed all of its competition, it was possible to even find third party banks which would provide you with the ability to pay with your phone without using google pay.
Likewise, secure boot is a great concept if you want to be more sure about the integrity of your laptop throughout its lifetime. But some companies have abused it to force you to use Windows. If you want to set up your own signing keys for secure boot, you end up having to deal with poorly managed UEFI keys from third parties which weaken the security of your machine. The feature, as it's implemented, is rarely designed with helping end user's secure their machines. But the core of the design is fine.
I think limiting root on a phone is also a really good idea, the issue is that Google likes to give themselves and their "system apps" special privileges. If APIs were exposed to allow you to bless your own applications with the right permissions, you would probably not care so much about root restrictions.
So all in all, fundamentally, most of these features are fine. They're genuinely great for security. But the main problem is how they're abuse by the companies in control and how little effort is put into allowing power-users to use those features for their own benefit.
No disagreement here, although if past experience has proven anything I think it's that companies will abuse whatever "security features" they can to accomplish their objectives. It reminds me a lot of the old adage, "the same wall can keep people in just like it can keep people out."
When the OS is fundamentally in the user's control, they are limited in what they can do, but when the OS disregards it's owners preferences/desires and enforces it's creators desires.
Minor thing actually:
> If APIs were exposed to allow you to bless your own applications with the right permissions, you would probably not care so much about root restrictions.
I absolutely agree with this in theory, but in practice I'm not sure it would ever work because they just aren't going to put in the work to build and maintain APIs for things they don't care about, and there would be a very long tail of things to do (and sometimes those things are legitimately a lot of work). Call recording being a classic example.
But all in all, I very much agree. I love those features when they are in my control on my devices. Biggest issue is, they virtually never are and the number of occurences is trending down.
Anyway,