I keep thinking of silly ideas to do some tinkering with electronics, just for the sake of having fun. Today's idea: an adapter to use #Amiga mice on #MSX computers. That way one could use one of those newfangled USB “tank” mice in one more retro architecture, while looking period correct. I imagine somebody could have done such an adaptor back in the late 80s of early 90s, possibly using some i8051 microcontroller... Betcha @foone would have liked that, given how their “it's always an i8051” is their equivalent of Dr. House's “it's never lupus” :blobeyes:
People talk about how search engine results have gotten worse lately. Here's a clear example: trying to search how an #Amiga mouse works (protocol, pinouts, etc.) these days results in a few pages of links to sites trying to sell you adaptors, and links to actual documentation are a few pages deep (if at all). It used not to be like this, the #enshittification is real.
@aperezdc I'm also getting worried that more and more the answer to "information X can be found at..." is so often archive.org. I love archive.org, and the work they do is great, but that's a sign they're becoming a single point of failure for a lot of stuff, which also inevitably makes them more of a target too.
@hisham_hm
> I love archive.org, and the work they do is great, but that's a sign they're becoming a single point of failure for a lot of stuff, which also inevitably makes them more of a target
For a wide range of Bad Actors, on a number of levels (technical, organisational, legal etc). I worry about this with Wikipedia too. I don't know about them, but I know Archive.org are actively supporting decentralised tech and researching how to make use of it:
@hisham_hm while there are other sites for specific things (like Bitsavers) you make a good point about archive.org — I do trust their ability to keep infrastructure running, though. I would be more worrier about it being headquartered in a country with values and legislation often opposed to the Archive's goals. Also, mixing this with Google's recent Web Environment Integrity proposal makes me think we may see a day where two parallel Internets exist: the corporate one, and the “archived” one. And, oh boy!, do I want to be proven wrong about this thought!
@hisham_hm
> I haven't heard about this latest Google thing [Web Environment Integrity proposal] but from the name alone it gives me strong Microsoft Secure Boot vibes
The stated goals seem reasonable, but I guess as with Restrited Boot, the devil is in the details. I don't have the knowledge to fully evaluate it, but I look forward to seeing someone like RMS or @pluralistic comment on it.
@strypey@hisham_hm@pluralistic@aperezdc question: what would you make of a technology that allows websites to reject your request based on what machine/software you use?
@AlexVoss
> what would you make of a technology that allows websites to reject your request based on what machine/software you use?
That depends on why it rejects it. Let's say say a referendum voting website expects a certain hardware/ software profile, based on the combo I was using when I signed up (or another combo I've verified from the original one). If my device is compromised, the site informs me, and rejects my vote.
Before you call me a fool (no offence taken), note how I said "lower".
A device that is compromised in its entirety will be able to reproduce whatever proof of integrity is required by the protocol Google suggests. Surely, the whole thing builds on the idea of trusted platform computing, where some part of the system is tamper-proof - as-far-as-we-know(tm).
@AlexVoss
> Before you call me a fool (no offence taken), note how I said "lower"
True. That was an unwise choice of words on my part. I didn't mean to call you anything. It was just a flippant way of pointing out that good security practice does not assume devices are untamperable. Rather it designs for mitigations that reduce the harm compromised devices can do.
FWIW I was referencing an old anarchist slogan; a change of rulers is the joy of fools.
@AlexVoss
> A device that is compromised in its entirety will be able to reproduce whatever proof of integrity is required by the protocol Google suggests
I freely admit I may be out of my depth here. But if that was true, surely HTTPS would useless?
Basically, if your device is compromised then you can encrypt outside communications as much as you like. Whatever malware you have caught would be able to listen in locally, assuming it has managed to run with administrator rights.
@AlexVoss
> if your device is compromised then you can encrypt outside communications as much as you like
My limited understanding of WIM is that it's not based on encryption, but something more like the principle of Reproducible Builds. The very action of compromising the device would make a change to the way it appears to the website.
@strypey@hisham_hm@pluralistic@aperezdc It is not based on encryption because the purpose is not to keep something secret. It uses cryptographic methods to sign 'attestations' that contain a warrant for a claim about the hardware/software environment you use.
HTTPS does two things for us. One is encryption of the data we send around, the other is authentication of the server side so we know we are talking to the bank. The latter works using similar signatures mechanisms.
First, it's very doubtful that the stated goals (for the "user") are the true goals. Second, one should report not only what the user "desires", but what the full consequences for the user are.
The proposal is very deceitful in saying "the user desires...", "the user wants...", and so on. It says explicitly what the "user" desires, but it doesn't say explicitly that the user itself will in fact be abused.
Suppose I want some guard, who reports to me, to constantly follow you and check what you do. "Wouldn't you like to be safe on the streets?", I ask you. "Of course", you reply. And here's my solution: I'll assign a guard that controls your every movement, when you go out. Funny that this was done "for" you, but concretely it's done "against" you.
@pglpm
> Linux based OS will probably never implement it and will be locked out of all cloudflare hijacked websites in the near future
Holy christ-on-a-stick. If this is really a likely consequence of Web Environment Integrity being adopted, people with a large following like @pluralistic, @Rushkoff, and @aral need to investigate it and expose it, and we need tech regulators to smack it down and burn Goggle's fingers for even trying it.
Oh good. I was trying to be even-handed about this at first, and give the engineers proposing it the benefit of the doubt. But the more I read about it, the less I think they deserve that.
@pglpm
> it's very doubtful that the stated goals (for the "user") are the true goals
Why? Because the engineers all work for Goggle? Lots of widely used open standards were invented at Goggle; Jingle (XMPP voice chat), Wave (now stewarded by Apache), WebRTC etc.
Fun fact about this (which you may believe or not): When I first read the "Explainer", I started from the Introduction, and had not see who was writing this. After the very first lines I had a positive feeling, because they were mentioning "user" so much – it's nice that they have me in mind, I thought. But after reading the first bullet list this feeling became the exact opposite.
For example: "This creates a need for human users to prove to websites that they're human" – sure that's true, but then say clearly that what you're doing is for that website, not for the user. You can make a case for some websites' needs to economically sustain themselves – but don't turn this around as if your final goal is the user. Just be honest in what you say.
Incidentally, when someone says "Users like visiting websites that are expensive to create and maintain" I expect some verifiable statistics to prove this, otherwise this sentence is just as good as its denial.
Related to this: I, as a user, prefer and am happy to pay websites directly. I don't like the intermediary of ads. So now I don't only doubt that this is done "for the user", but also that it's done "for the website". It's done for the ads business.
The fourth item in that first bullet list sounds also contradictory or doesn't make much sense. At least where I live, banks already have two- or three-steps verification. I can't make transactions if I don't have my phone and an electronic gadget given to me by the bank. I don't see the need of any "WEI" here.
This was just the beginning. Continuing on reading the feeling gets stronger and stronger that there's some goal, but it's hidden behind rhetoric and roundabout wording. When your goal are sincere, you speak and present things honestly and directly.
@pglpm
A number of good points there. Definitely important to be critical of any such proposal. I guess I'm just pushing back against dismissing it out of hand, or calling its authors "odious", as I've seen people doing here.
> I can't make transactions if I don't have my phone and an electronic gadget given to me by the bank
Not the case with most banks in this country. I suspect your case is the exception, not the rule.
Thank you for the kind feedback! I don't call the authors "odious", but I've read the discussion that has gone on on github <https://github.com/RupertBenWiser/Web-Environment-Integrity/issues>, and I notice that the authors' replies never address the questions and arguments directly and honestly, they always take some different, evasive, direction. (Having grown up in Italy, I immediately detect this kind of evasive rhetoric, since it's the basis of politics in that country.) So I consider them deceitful and manipulative – or otherwise they have impaired comprehension skills.
I've used this kind of banking authentication in Scandinavia and England.
By the way, who's writing here is a human robot who did its university studies and part of its PhD using Yahoo and Ask Jeeves, and scanning articles by hand. I remember when Google appeared and the great things it did. it really felt it was something done by the people, for the people (was that their motto, or do I misremember?). I've witnessed its decline (not economic decline, of course). Decades later, only the noun "Google" is basically all that's left in common :(
@aperezdc
> I would be more worrier about it being headquartered in a country with values and legislation often opposed to the Archive's goals
Name one. When you consider the Snowden revelations (PRISM etc), FCC gutting on net neutrality, SOPA, PIPA, LAEDA, KOSA, etc, etc, the US is hardly a bastion of internet freedom. China is worse, but not by much, and mainly appears worse because the state does things itself that the US state outsources to corporations.
Add comment