This is scary. It's (strong) SafetyNet for websites.

Every now and then I run into another Android app I can no longer run because someone decided my phone, running an official build of my choice of OS, that isn't even rooted, is "not trustable".

Now they want to start doing that for websites.

This kills open Linux on the desktop (including Asahi Linux). It kills alternative browsers. It is a backdoor to kill ad blockers.

No. Just no. Please.

https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md

@lina I love how people keep claiming that their arbitrary websites and apps need to know exactly the software you are running "for your own good" while even some bank apps (like the ones I use) don't care about attesting client-side integrity.

@PeterCxy @lina imo the people who are running detectable unofficial software are the people who (are more likely to) know what they're doing

developers who do stuff like this: maybe focus your efforts on protecting your platform from people doing undetectable things instead?

@ryanc @PeterCxy @lina It’s pretty much always a “don’t want to support” instead of a “cannot support” from the website’s company/underfinanced development team… There’s not really a reason why your webapp wouldn’t run in an environment other than Chromium-based, except if you only developed for and tested against that…

@lm1 @PeterCxy @lina the thing is, they're doing way more work to remove support

i don't see how a "Your device has been modified, some functions may not work right and you might experience weirdness! Click here to continue." prompt doesn't suffice in 99% (if not 100%) of scenarios.

instead they have complicated detection systems that probably break several platforms' security models, like Pokemon Go's which still locks me out on my iPhone 13 Pro because i jailbroke my old iPhone 7 3 millennia ago (and at least 10 restores ago).

@lm1 @ryanc @PeterCxy @lina It's usually not the development team.

It's management, the legal department, …

@lm1 @ryanc @PeterCxy @lina There is also this ugly illusion that I call “security by legal contract”.

Lawyers swear by it. Actually they should know best how irrelevant contracts are, and a bankruptcy court can give the stinky finger in very polite words.

So let's start with company A. For whatever legal reasons, they need a single-signon solution that is capable of nuking their devices on demand remotely. Their devices BTW, that are full disc encrypted by policy for years now.

@lm1 @ryanc @PeterCxy @lina
Now setting up such a solution by the IT department, on-premises or on A's slice of cloud heaven, would be expensive. A would need admins trained to set it up and run it, software licences, hardware, …

Now how lucky for A, there are companies (as this is a new field, relatively young ones, 🤷) that offer to run your single sign on service for you on the internet as a fully maintained service. Cool.

Pay less than what a developer or two cost per month to solve the issue!

@lm1 @ryanc @PeterCxy @lina
And that SaaS style provider (although they actually sell not a specific software but their own proprietary cooking), pinky swears that it is all 100% secure in the contract.

While they advertise how many Fortune 500 companies and general customers are using their services. ⇽ this BTW does not paint a huge hair cross on their back, for any malware peddler on the planet: “hack here to get instant admin-level access to the IT of 1000s of juicy corporate targets”.

@lm1 @ryanc @PeterCxy @lina So let's analyse what A did from a legal point of view: they improved their security, their IT insurance will give them a discount because they have a central single signon system.

Senior engineers just roll eyes, that's what happens daily in corporate IT. Not only with single sign on, but critical core functionality is outsourced, and replaced with a contract. Without any consideration, that if your contract partner fails to deliver you might be out of business,

@lm1 @ryanc @PeterCxy @lina Sure the bankruptcy court might be able to recover some damages from the service provider that failed you.

In some cases. In others, the service provider will also be bankrupt.

But let's think what did A do technically:
- they installed agents of the SaaS company that run with root/admin on all computers of the company. (needed to manage users on the computers)
- that listen to remote control servers.

It's the RAT and C&C pattern.

@lm1 @ryanc @PeterCxy @lina
Only the contract that A's legal dept reviewed and said it's okay keeps the SaaS from doing stupid things with A's IT.

I think I mentioned that this concentration of juicy targets that can be accessed by breaking into one office might attract predators from tiny to big, including state level predators.

Oh. How exactly are you making sure that the hacking team of the home team does not show in the office of the SaaS company?

@PeterCxy @lina I am running CalyxOS on my phone, which is a degoogled ROM using MicroG instead of Google Play Services. I have it rooted and patched for SafetyNet. Almost all apps work, including those from Google, DRM protected streaming services and my banking app. The only app that doesn't work is BeReal. It is so stupid. It works for like a second when opened, only to give a pop-up saying I need Google Play Services.
@PeterCxy @lina My government sign-in app only cares if my phone is rooted, which is easy to spoof. Same with my bank's app. But a Norwegian friend-payment app is so dependent on Google services that I can't use it, which is annoying because in Norway "everyone" has it ... If I asked them why they deny me access without Google services on my phone, I'm almost certain they'd respond with some vague security nonsense :/
@PeterCxy @lina “but security” they say, while banks don’t even bother to digitally sign their emails to combat phishing and still use SMS 2FA if they have 2FA at all.

@PeterCxy @lina More damning are the apps that use attesting "because of security", and then happily continue to run on a 10-year-old device running Android 4.x that hasn't seen updates for years.

You can literally root such a device on the fly via an app.

You can root such a device on the fly remotely by sending all kinds of funny data to it, if you want to be kinky, going through all layers of the TCP/IP stacks with different exploits.

But your custom rom that closes half of these? ⛔

@lina i love the issue tracker on this
"This is basically taking the spirit of the internet (being decentralized and open) and throwing it into the garbage and then setting it on fire."

This issue tracker is great lmao

@usernameswift @limepot @lina

And Google are bitches, and have locked out anyone new from logging issues (or even voting on issues).

Someone needs to send this to a Zealous DOJ attorney looking for an easy win against a corporation.

@atatassault @usernameswift @limepot @lina (they've locked it for the weekend; there's a comment from the author saying it'll be unlocked on Monday)
@whitequark
Because on Monday we'll like it better, right?
@atatassault @usernameswift @limepot @lina
@jherazob @whitequark @atatassault @usernameswift @limepot @lina They say they mean well, and I'm sure we can trust a spokesperson for a giant corporation that's spent decades trying to lock down total control of the Internet.
@limepot @lina Yeah it's a heady cocktail of humour and technical discussion. Well worth a skim. My current favourite is this one: https://github.com/RupertBenWiser/Web-Environment-Integrity/issues/51
@lina drm should never be trusted.
@lina This is a pretty serious issue, yeah... The web needs to be open, and this effectively would close it off.
@lina @freeplay It's almost like that's what they're trying to do. 

@lina Attestation and DRM is one of the biggest roadblocks to implementing Apple server protocols (eg. iCloud) in free software clients. Some have DRM-grade obfuscated code (literally the same code obfuscation as FairPlay!), but there are already some services using strong cryptographic attestation instead, and those feel frustratingly "game over" to me.

...now Google wants that kind of crap on the *web*?!

@nicolas17 @lina Now imagine if Apple made it silicon-backed

@saagar @lina For some services they already did. AFAIK DeviceCheck / App Attest / BAA is silicon-backed, and AFAIK connections to iCloud Private Relay are authenticated with that. I don't personally care about Private Relay, but I do worry about that being expanded to other new services.

Third-party iOS apps can also use DCAppAttestService. Google wants that shit to be accessible to web apps.

@nicolas17 @lina Right, it’s just not used for Apple services yet
@lina i’ve heard that at least there are voices within google who are against this (probably recognising it would get the FTC on their ass for monopolistic behaviour)
@lina as i said, they are criminal
@lina @usernameswift
you know what would really improve the internet? if a small group (their words) would be able to decide if your stack was trustable. Cartels improve everything
@lina
Haha, the "issues" tab on the Microsoft GitHub page is hilarious:

https://github.com/RupertBenWiser/Web-Environment-Integrity/issues
(side note: +1 for calling it by its full name, "Microsoft GitHub"!)

@herr_irrtum @lina
@herr_irrtum @lina this is my favorite one (violates Yahweh's TOS a close second) https://github.com/RupertBenWiser/Web-Environment-Integrity/issues/51
@lina Wow, their Github issue tracker is full of people who are not happy. Wonder what they thought would happen? 🤔​

@lina "This trust is the backbone of the open internet"

IS IT THOUGH?

@lina Most recent blog post by the author of that repo: "I just spent £700 to have my own app on my iPhone"

Complaining about how expensive it is to make an app for his own phone, because of how closed the iOS ecosystem is.

I may die of irony overload.

http://benwiser.com/blog/I-just-spent-%C2%A3700-to-have-my-own-app-on-my-iPhone.html

@lina inb4 second internet forms in response and the 'deep web' expands to include completely normal websites that otherwise don't want to use a tyrannical anti-ad blocker standard.

@lawlznet @lina That's kinda what I've been wanting and declaring the #clearnet dead for (also there's no sufficient trust for running arbitrary code from strangers on there, so sites don't expect to be able to either unlike the clearnet).

Caveat that "darknet" is more the appropriate term.

"Deep web" is a lot more general.

@lawlznet @lina "Walkaway" by Cory Doctorow. walkaway-net vs default net. I, too, think this is the way it goes.
@lawlznet @lina So Gemini? (/s, kinda)
@faoluin @lina what is? owo
@lawlznet @lina https://gemini.circumlunar.space/ Basically a network of clients and servers inspired by the Gopher protocol and very simplified HTTP. It's kinda neat, if niche and nerdy. :3
@lina they basically want you to have to run an anticheat to... Access a website? For more security? Why?

Why do they even need this information about my device? Isn't it good enough to just get a https request?

@lina You can now only contribute to the issue tracker if you've contributed to the repo before lol.
@anniethebruce @lina people will use pull requests as issues then, don't think those can be disabled on github
@lina >An owner of this repository has limited the ability to open an issue to users that have contributed to this repository in the past.
@[email protected] @lina that's a thing you can do? Huh. Didn't know that.
@lina DRM for websites is an absolute nightmare.
@lina "Detect non-human traffic in advertising to improve user experience and access to web content" - there's the motivation, Google and their advertisers are losing HUGE amounts of money due to this, see https://malicious.life/episode/episode-216/ and https://malicious.life/episode/episode-217/

@gurubob Agreed, although I'd say they're not losing the money, just not making as much money. It's not like they're entitled to unlimited profit at the expense of users' freedom.
@krnlg yeah of course, my bad framing …. they’re not accelerating their profits as quickly as they could be. That’s a better way to frame it.

@lina Also, along with the many other reasons this is bad, it will be a great time for the malware sites, spammers, and other general bad stuff.

Because it gives them an excuse, a reason to tell people to do unsafe/dangerous stuff or ignore warnings or whatever.

If Google goes forward with this, even *before* stuff starts breaking en masse as a result, they will have induced alarm fatigue, encouraged people to ignore/get around *legitimate* warnings and safety guards because they're producing bullshit notices and prohibitions and warnings.