clinteroni2d ago
Irenes (many)

when Intel introduced a cpuid instruction, around 1998 or so

there was a debate on the Linux kernel mailing list as to whether Linux should provide a way to call that instruction

you know, because of its potential uses for surveillance and how that was sharply at odds with the idea of computers being owned by their users

Mar 19 at 9:03pmWeb
Show threadIrenes (many)2d ago
the resolution, at least for a while, was that Linux would implement an interface for programs to invoke the instruction, but would also add an interface that allows the user to instruct the kernel to lie and return a user-specified identifier instead
Show threadIrenes (many)2d ago
that was a reasonable approach, though it was only possible because cpuid did not have the force of law. that's how you resist surveillance through technology, when you have to.
Show threadIrenes (many)2d ago
we haven't followed up on it since then. we kind of suspect everyone forgot about cpui and some DRM patch in the 2010s quietly made it a "real" surveillance feature and nobody noticed, but ... who knows, you know?
Show threadIrenes (many)2d ago

at any rate, it's really startling to us to see people complying in advance with this current wave of surveillance stuff

many of them are people we have ideological differences with, but we would have at least hoped that libertarians (in the modern, US-centric sense, not the historical one) would understand when someone is seeking to control them, and resist it

Show threadIrenes (many)2d ago

like, if you're not based in California, and are willing to say "people in California are prohibited from using this", this current law does not apply to you

and that would be the correct form of resistance, for the record

Show threadIrenes (many)2d ago
the only reason anybody disagrees is that they're part of an organization that decided to make itself dependent on money, and losing money on a matter of principle feels impossible and unacceptable
Show threadIrenes (many)2d ago
this birth date stuff is ... you all understand that once your hands are in the handcuffs, the cuffs tighten, right? don't do this thing of finding specific ways the law is better than some alternatives and convincing yourself it'll be fine. people are fooling themselves on that count.
Show threadRho2d ago

@ireneista personally we are torn, the birthdate stuff is bad. legislating that any age verification need to trust the data provided by the adult responsible for the device does seem correct, vs giving up way more data to 3rd party services.

also os data version actually supports emancipated people under 18 who generally get fucked by society

Show threadIrenes (many)2d ago
@rho it's important to understand this sort of thing as putting in place one piece of a system, on which other pieces can rely. it's not appropriate to say, well, clearly nobody will ever build anything oppressive that goes beyond the scope of the law, and clearly the courts will always interpret the law in the most favorable possible way. we don't know that, we don't know the future.
Show threadIrenes (many)2d ago
@rho we do agree that it's, like... it looks as if somebody at least tried to defer the worst aspects of it to a later bill, we're just highly skeptical that they succeeded. anyway, children are not property!!!! if disinformation on social media is a danger to society - and it is - then the specific social media features that actively promote its spread need to be illegal for anybody, and then we don't need surveillance
Show threadRho2d ago
@ireneista yes, we would say not just defer but disable the surveillance things happening elsewhere. in our opinion social media legislation is related but distantly to the specifics of age verification.
Show threadRho2d ago
@ireneista our state (colorado) is currently working on something similar to the california law but has pulled back a little after a lot of folks got in touch to say what a problem it would be for opensource specifically but community run things in general
Show threadIrenes (many)2d ago
@rho yes, we're tentatively hopeful there will be some sort of carve-out.... fingers crossed...
Show threadIrenes (many)2d ago
@rho we've been following the Colorado bill, though not closely. actually we were heavily focused on Washington state for a while and that's how the California one slipped past us :(
Show threadJon1d ago

Yeah, I'm somewhat baffled why they didn't try to bring this OS-level signal approach to Washington this session, instead basing stuff on the Mississippi and Texas laws and doubling down on the "addictive feeds" silliness. It's exactly what you say, this approach seems relatively benign in the age verification spectrum, but it's laying the groundwork for the inevitable future tightening of the handcuffs.

@ireneista @rho

Show threadIrenes (many)2d ago
@rho we do need to do a close read of the bill for ourselves, and have not yet done so. we've done enough tech policy work that we have come to feel that other people's reads of it always end up oversimplifying things, and every civil-society organization's statements summarizing it reflect their own perspective which is never going to be quite the same as ours.
Show threadIrenes (many)2d ago
@rho er by "it" we mean any legislation, really
Show threadRho2d ago
@ireneista it's very worth reading the california one for sure, there may be a draft of the colorado one online
Show threadJon1d ago

Here's the Colorado bill -
https://leg.colorado.gov/bills/SB26-051

@rho @ireneista

SB26-051 Age Attestation on Computing Devices | Colorado General Assembly

Show threadRho2d ago
@ireneista a lot of those pieces already exist unfortunately, we don't actually know how many countries have laws and regulations for children by age with respect to technology and communication but it does seem very common. what's new is things like the social media ban or us states trying to put the liability on services individually, these are both surveillance state measures that are very up front about it in our opinion(ignoring the mess that is the uk)
Show threadENIGMATICO  2d ago
@ireneista The birthdate thing doesn't worry me because it's made just to please the law enforcement at these places. You can bypass it very easily and you don't need to know anything about computers to do so. You can straight up lie about it and they can't do anything about it.

What bothers me is that this is clearly in preparation to more follow-ups where they request more data later, like also requiring your ID or some sort of certificate that can be back tracked to you.

But nobody is doing anything to stop it so yeah, that's going to happen. The kids sure are going to be very protected...
Show threadIrenes (many)2d ago

@enigmatico we think you perhaps aren't considering it in the full context of how organizations are complying and how those systems will interoperate with each other, but we understand your point

the practical reality is that the best opportunity to oppose oppression is when it is NEW, because it is far more difficult to galvanize public action around something that feels like a tiny incremental change

Show threadENIGMATICO  2d ago
@ireneista Yes, but if they don't comply then they get sued and get themselves in legal trouble. And that's a lawsuit they can not win, which would get them into a lot of financial trouble and might even get them to run out of business. I can understand if they fear that and decide to place a half-assed age verification check rather than have to face legal action against them.

The alternative would be to stop being "free" and disallow using their distro in these places, but we all know age verification is coming globally because it seems like it is the trend now among political parties worldwide. They'd run out of countries where it is allowed to use their software.

If you want to fight then the best way to fight it is by making it so that it's going to be more problematic to the governments to implant those measures than it is to not do so, until they give up. How do you do that? I'll leave that to your imagination.
Show threadIrenes (many)2d ago
@enigmatico these organizations chose to structure themselves in ways which rely on influx of money. that's why they're unwilling to pull out of California, and why they need to be understood as closer to industry than to civil society. that really is what it comes down to.
Show threadLisPi2d ago
@enigmatico @ireneista > The alternative would be to stop being "free" and disallow using their distro in these places, but we all know age verification is coming globally because it seems like it is the trend now among political parties worldwide.

They don't have to, they can just recommend against and tell the user they're taking their non-compliance with their local laws at their own risk.

Freedom 0 includes ignoring stupid laws.
Show threadDavid Smith2d ago
@ireneista I do have some quibbles with “decided” as the verb here. The default predicament of all humans under capitalism is that if they don’t get money they’re indirectly murdered by the state.
Show threadIrenes (many)2d ago
@Catfish_Man that's fair. we have more to say but we burned through all our spoons for the day on a failed laptop upgrade, so we'll leave it at that
Show thread0xC0DEC0DE07EA2d ago
@ireneista “people in California are prohibited from using this […] this website does not retain records of its users, or their geographic location *wink wink*”
Show threadIrenes (many)2d ago
@c0dec0dec0de we would advise people to not go out of their way to do the "wink wink" part, but we're not a lawyer and this is not legal advice
Show threadCassandra is only carbon now2d ago

@ireneista Not everyone can afford to take the risk, but I applaud those who can and then do.

https://agelesslinux.org/

Ageless Linux — Software for Humans of Indeterminate Age

Show threadcthos 🐱2d ago
@xgranade @ireneista thank you for bringing this to my attention
Show threadIrenes (many)2d ago
@xgranade for sure
Show threadVile Lasagna2d ago
@ireneista honestly, libertarians seem to only understand control and oppression when it's taxes or the age of consent. They're extremely eager to lick every single actual boot that comes their way
Show threadIrenes (many)2d ago
@VileLasagna yes, that does seem true. it's unfortunate.
Show threadAda Worcester 🏳️‍⚧️2d ago
@ireneista at some point, linux got a corporate takeover in effect, and it's truly bewildering given how many of the same people are still involved. it's like the _mindset_ got a corporate takeover and from that all else followed
Show threadIrenes (many)2d ago
@pikhq yes exactly :( we can even see some of the major milestones in how it happened...
Show threadWill 💜2d ago
@ireneista er, we would like to note that "DRM" first means "Direct Rendering Manager" in the general context of Linux kernel programming, and so we were briefly confused by your post
Show threadIrenes (many)2d ago
@Skirmisher sigh good point, thanks
Show threadPhilippa Cowderoy2d ago
@ireneista is there a commonly accepted "spartacus" id?
Show threadIrenes (many)2d ago
@flippac not to our knowledge. nice thought.
Show threadShadSterling2d ago
@flippac @ireneista you mean like this suggestion? https://fosstodon.org/@atoponce/116255862979155448
Aaron Toponce ⚛️:debian: (@[email protected])

Systemd merged age verification to comply with California state law. If you want to enter a birth date, I recommend "Friday, 13 December 1901 20:45:52". I like this for a few reasons: 1. This is the earliest date possible for a 32 bit datetime integer in C. 2. It's malicious compliance. 3. It's obviously faked. https://github.com/systemd/systemd/pull/40954 #linux

Fosstodon
Show threadgaytabase2d ago
@ireneista that's kind of funny. i'm glad we can use cpuid though, a lot of my performance gaming relies on it.
Show threadIrenes (many)2d ago
@dysfun sure, but you understand it relies on it in the sense that DRM and anticheat look at it, right? it's not a feature that helps with graphics or anything like that
Show threadIrenes (many)2d ago
@dysfun like notionally there was a possible world in which a harder line was taken, and game studios were forced to accept that selling on Linux means not being able to do those things. we don't live in that world, because the kernel did eventually sell out wrt DRM.
Show threadJosh Simmons2d ago
@ireneista @dysfun cpuid isn't something which anticheats will rely on the veracity of either fwiw, it's not a security feature and it's spoofable.
Show threadvriska, thief of light 2d ago
@dotstdy @ireneista @dysfun i have heard that there are games that check cpuid to only support the steam deck and not other hardware. this is trivially bypassable but they do it anyway
Show threadJosh Simmons2d ago
@leo @ireneista @dysfun stuff like that is not unheard of, just because they only test on steam deck and don't officially support anything else. It's a bit silly but not really hard to work around. But that's nothing to do with surveillance or performance. (It can just check the CPU model says aerith)
Show threadIrenes (many)2d ago

@dotstdy @leo @dysfun mm. similar stories have played out with browser user-agents, but it would be strange to claim that user-agents have nothing to do with surveillance... if anything, having innocuous uses for it widely-deployed makes the surveillance stronger because it means turning it off comes at a compatibility cost.

we agree of course that the intention is not to surveil, but good intentions don't even count in Horseshoes

Show threadJosh Simmons2d ago
@ireneista @leo @dysfun that's not the problem though, cpuid lets you enumerate feature support, which lets you fingerprint, but even without an instruction to enumerate features you can still just try to use them and fingerprint the CPU from that. So you make the non malicious use cases harder, and the malicious folks can keep doing what they already were doing.
Show threadgaytabase2d ago
@dotstdy @ireneista @leo yes that's technically possible, but it is not as easy as you think. there are ABI changes with some instruction sets and you can only tell you can't execute something by getting a trap trying.
Show threadJosh Simmons2d ago
@dysfun @ireneista @leo you can also time instructions, check exact behavior. Because cpuid is so trivially spoofed, this is what vm detection does anyway, it's far more sophisticated than just checking cpuid. I'm just saying because the indication is that games or anticheats are enabled by cpuid, and I'm just saying that era of sophistication is loooooong past.
Show threadIrenes (many)2d ago
@dotstdy @dysfun @leo we do agree that that sort of technique is widely deployed, at this point. alas.
Show threadgaytabase2d ago
@ireneista of course i understand, it's just there's quite a downside to saying no.
Show threadIrenes (many)2d ago
@dysfun yes, that makes sense. thanks - we weren't actually sure what level of understanding people had about that, so it's good to know.
Show threadgaytabase2d ago
@ireneista well i don't know that i qualify as average for these purposes...
Show threadIrenes (many)2d ago
@dysfun fair fair 💜
Show threadJosh Simmons2d ago
@ireneista @dysfun that's not what cpuid is used for, cpuid is used for feature detection, e.g. "if the CPU supports avx2 enable avx2" or "on this specific microcode version work around this bug". It's not literally giving you a serial number for the CPU.
Show threadgaytabase2d ago
@dotstdy @ireneista it can do that too. although they don't put in serial numbers any more i don't think.
Show threadPhilippa Cowderoy2d ago
@dysfun @dotstdy @ireneista data protection legislation seems likely to interfere there, yeah
Show threadIrenes (many)2d ago
@dotstdy @dysfun please see the other replies, we've had this explained to us at length. we agree that the cpuid instruction did a lot of things and apparently the serial-number feature in the Pentium 3 was very short-lived, and was an addition to the cpuid instruction not the entirety of what it did.