It's important to understand that we could genuinely lose general purpose computing. I don't think it's in serious danger at the moment, but we've been in the midst of a slide in that direction for the last 10-15 years. Part of it is mobile phones, part of it is TPM, part of it is market forces. The latest turn is strictly political. We've really foolishly built the technology necessary for authoritarianism just a few years ahead of a general global trend towards authoritarianism. At the moment, anyone can use Linux; it's better and easier than ever. Will the laws of your country make it harder or more difficult to avoid? Will major vendors lock you out of basic functions? Will age verification require an agent run on your Windows or macOS computer? (or worse, require the use of a smart phone just to use the internet?)
We're not anywhere there yet, but we're closer than we've ever been, and things keep moving in the wrong direction.
I think it is unfortunate how many resources are put into making things secure with TPM's and how little resource is put into basically having secure and simple sandboxing...
All I really want is a computer that allows me to fully control the permissions and filesystem access of all the programs that I manually install on my system. Almost every program (in my case) needs 0 filesystem access outside of what it installed itself and shouldn't be looking or snooping at anything that isn't in its own process space.
I want a clear and simple way to limit the blast radius of how badly a program could actually screw up my system or have access to my files.
I recently experienced the opposite of this on Android, where I tried to install a very well reviewed ebook reader called MoonReader. But MoonReader seems to require complete access to every file on my Android device to work correctly. That is insane. I looked it up a bit more and it seems that Google has simplified (or something) permissions, but now there isn't much choice other than asking for full file access (I just want to give it access to one directory).
Anywho, just a minor vent, that we are insisting that the only way to make things secure is this sort of attestation path, but we don't spend any energy just making it possible to limit the blast radius of software on most OS'.
It's not 100% what you're looking for. Probably an 80% case..
But try looking into QubesOS. You create domains where applications can do whatever in the domain (a contained VM). So your personal domain is separate from your bank domain, which is separate from your media domain.
Of course, domains themselves can do naughty things. But they can't cross over to others.
And system resources are a separate domain, as is networking.
Some downsides - gaming is a no go mostly. And if you do SDR stuff, the USB domain is a heavy hit on performance. You really need dedicated machines for those things.
I love Linux, but if 90% of the US were on Linux the same commercial / political pressures would apply and Linux would just look like Android or ChromeOS. Can you run an alternate OS on your smartphone? Yes, but you can't run your banking app. Linux alone cannot save us.
EU CRA (enforced Dec 2027) prohibits shipment of non-certified binaries for "critical" software, including firmware and hypervisors. Operating systems like Linux are categorized as "important" software, https://www.whitecase.com/insight-alert/cyber-resilience-act...
I might be wrong but I don't think that open source software is subject to the CRA. If you look at article (18) here [0] it seems to explicitly exclude free software that you download from the internet.
This doesn't in general inhibit hobbyists, and for the most part for companies it just adds some fairly sensible requirements around handling security vulnerabilities and making updates available. It is in theory a framework that could be used to add more onerous requirements in future, of course.
Passkeys are another brick in this wall. The authors of the spec built in client software identification and attestation, which means authenticating parties can require you to only use certain, closed-source passkey clients. It's not hard to imagine a future where only blessed Passkey clients, such as Microsoft's, Apple's, and Google's implementations, are allowed by most services.
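As an added example (not part of the comment above and not code from any passkey implementation): how a relying party could read the authenticator model identifier (AAGUID) from WebAuthn authenticator data and gate registration on an allow-list. The allow-list, function names and sample bytes are constructed; the AAGUID is only trustworthy once the attestation statement's signature has been verified, which this block does not do.

```python
import hashlib
import struct
import uuid

FLAG_UP = 0x01  # user present
FLAG_AT = 0x40  # attested credential data follows the 37-byte header

# Hypothetical relying-party policy. Constructed AAGUIDs, not real vendor IDs.
ALLOWED_AAGUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
OTHER_AAGUID = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
NIL_AAGUID = uuid.UUID(int=0)  # all zeros: no authenticator model disclosed
ALLOWED_AAGUIDS = {ALLOWED_AAGUID}


def parse_auth_data(auth_data: bytes) -> dict:
    """Parse rpIdHash, flags, signCount and (if present) AAGUID + credential ID."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    parsed = {"rp_id_hash": rp_id_hash, "flags": flags,
              "sign_count": sign_count, "aaguid": None, "credential_id": None}
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attested credential data truncated")
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        if len(auth_data) < 55 + cred_len:
            raise ValueError("credential ID length exceeds available bytes")
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        parsed["credential_id"] = auth_data[55:55 + cred_len]
    return parsed


def check_registration(auth_data: bytes, rp_id: str, allowed=ALLOWED_AAGUIDS):
    """Return (accepted, reason) for a registration under the allow-list policy."""
    parsed = parse_auth_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rp-id-mismatch"
    if parsed["aaguid"] is None:
        return False, "no-attested-credential-data"
    if parsed["aaguid"] == NIL_AAGUID:
        return False, "no-model-disclosed"
    if parsed["aaguid"] not in allowed:
        return False, "model-not-allowed"
    return True, "ok"


def build_auth_data(rp_id: str, aaguid: uuid.UUID, cred_id: bytes = b"\x01" * 16,
                    flags: int = FLAG_UP | FLAG_AT) -> bytes:
    """Construct sample authenticator data for the demo (not captured traffic)."""
    data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 0)
    if flags & FLAG_AT:
        # b"\xa0" is an empty CBOR map standing in for the COSE public key.
        data += aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0"
    return data


if __name__ == "__main__":
    for label, model in [("allowed", ALLOWED_AAGUID), ("other", OTHER_AAGUID),
                         ("undisclosed", NIL_AAGUID)]:
        sample = build_auth_data("example.test", model)
        print(label, check_registration(sample, "example.test"))
```
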
And web attestation, which almost became a thing about a year ago. It is gone for now, but it will only be a matter of time before it decides to rear its ugly head again.
This! I think we were all too naïve in having "we would never let it happen, right?" be the motto for our complacency and inaction.
I hope more people come around and recognize that Richard Stallman deserves a big, resounding "you were right, we're sorry" after being attacked for his dislike of "trusted computing" and TPMs [0].
Many big institutions lean heavily on mobile apps and other gated computing.
I live in BC Canada and by far the easiest way to authenticate a login to provincial sources involves using the BC ID App as a second factor, even when logging in via desktop. Many banks now also use their app as a second factor, rather than a generic OTP option that can run on any hardware.
There were also issues like running Netflix DRM in browser on Linux for a while.
General purpose computers won’t go away, but they will continue to be gated from more and more services until you are more or less required to have a phone or locked down ecosystem device.
>At the moment, anyone can use Linux; it's better and easier than ever. Will the laws of your country make it harder or more difficult to avoid? Will major vendors lock you out of basic functions?
Somewhat related, but if x86 loses dominance it will be even more difficult if not impossible to install Linux or other alternate OS's on ARM devices. The majority of consumer ARM electronics make it hard enough, and normally requires you to run a specific patched (and most likely outdated) Linux kernel in order to boot.
There are ARM devices which meet the ARM System Ready standard which allows you to boot whatever OS you want, but they are mostly enterprise devices such as servers. Cheapest one I've seen which your average consumer might buy was an ARM workstation with a starting price of about $1500
If you've ever looked at the plans for Absolute Zero 2050, they predict a world with no shipping or commercial air travel, among many other restrictions. That sort of thing could only be implemented under an authoritarian government. I think that's where all this is coming from.
I sincerely doubt it'll do much, but my next computer will not be Apple. Sadly, I just upgraded a year and a half or so ago, and sadly, good lord those damn arm chips are nice.
So hopefully in 8 years or so when I need a new machine, there's some decent options available to me.
But nice ain't worth the cost when it comes at the expense of supporting something which is undermining everything else you believe in.
We're both closer than any of us believe. Insofar that ChromeOS is and isn't Linux, it's already locked down signed boot. But also we're further from it because general computing isn't going anywhere soon as long as people keep buying general purpose computers. Still until Qubes or similar sandboxed computing becomes the norm, blaming victims for getting malware onto their system only goes so far, and even if banks don't require it, regular people will start having a banking only computer because oh god please don't steal all my money.
> Vote with your wallet
Doesn't work when the only options are bad. Every Android OEM embraces the closing of android because it'll allow them to ship all the spyware they already do without the user being able to remove them (or disable them soon enough). Having 2 or 100 options has no difference if they're all bad.
I hear you but we are a minority. Apple will demolish the market when Gen Alpha grows up. Look at what phones are used to film at concerts by the crowd in the US. It's hard to find a single non-iPhone. Also for a more unbiased take, look up stats for teen preferences. It's not Gen Z that will change the world.
1) sign a petition on change.org against that APK lockdown (currently 10.5k votes) - https://c.org/BHZzNvR6pr
2) In your Android device or Google account use "Send Feedback" and articulate yourself or "Contact us" in Android under "System settings > Tips and support" or best, if you are paying subscriber for any Google LLC service, send the feedback through the subscription management channels (such as feedback in Google One, Workspace or any other paid service)
Which means that in the future there will be fewer engineers and software developers because they never had a chance to learn. And if somebody will know how all of this works really, they won't be working for peanuts. So in essence all of those companies are eating their own tails. Which is expected since all of it is driven by the stock exchange executives that are interested only in short term profit.
Yes it will be terrible but on the other hand all empires are terrible at some point ridden by the stagnation and multitude of ridiculous laws.
Will it be the same with technocracy? Probably yes if they lock it all down, new generations will never learn, there will be fewer and fewer people with knowledge to maintain the infrastructure and without maintenance it will collapse eventually.
Which would be fine, if AGI would be real. It is not yet and even if this would be around the corner it would be rather like in some movies: giant computer with tons of equipment, security and personnel making it work. Ah and giant nuclear reactor powering it too. Till we will be having autonomous robots that have intelligence built-in into it, does not require constant connection to some server and can run for few days on internal power... I do not see it happening.
> However, there is an increasing userbase whose first experience of computing was in these locked-down tablet and smartphone environments. They aren’t so demanding about little things like proper filesystem access or the ability to run unsigned code. They might not blink if that goes away.
I would also suggest that there is another user base who has been using computers for a long time, before GUIs existed, is fed up with fighting malware, welcomes the protection of a sandboxed, protected system, but doesn't understand the importance of having the option of escaping the sandbox. These users might not see the loss of not being able to install a kext on Mac OS without booting into Recovery Mode. But they will notice the loss when, at some point, we can't run anything that isn't signed on any platform.
Google and Microsoft are slowly moving towards the Apple model because it works as far as decreasing support costs go.
When the day comes that there isn't any hardware we can purchase that we can't install OpenBSD/Linux/whatever we want, it will be too late. We have to push back before then somehow.
Alternate take: it's exactly as bad as you expected, but your timeline was off.
And even so, perhaps it's later than you realize. Device attestation in the browser is the final nail in the coffin, and it's a question of "when" not "if" major sites start requiring it in the name of "safety" from bots.
> and it's a question of "when" not "if" major sites start requiring it in the name of "safety" from bots.
I recently found a plugin that can alert to JS doing shady "fingerprint-like" activity. I did not expect it to go off quite as often as it does now.
It would seem that some sites are already asking _very_ probing questions about the browser so it's only a matter of time before they go one step further and demand proof and gate on furnishment of that proof.
I don't agree, it is absolutely dreadful, and we saw this coming and did nothing about it.
Think about it: you need permission to run software on your own hardware. Every time you launch a Mac App, it checks in with its masters to be sure it's okay to do so - every time you install an app on your mobile device, it does the same thing.
People accept this terrible state of affairs because the "user experience is better" - but this is a fallacy. Under the cover of 'security issues' that they are incapable of fixing, due to very poor architecture decisions, OS vendors have instead bolted on an insanity and sold it to the user as progress.
Every computing device should have everything it needs, onboard, to write software for that computing device. That they don't is because the OS vendors are cowardly running from the bloat of yesteryear and adding more bloat tomorrow to cover it all up.
There will be a backlash against this. We see it already in the retro-computing and alternative-platform hacking communities, which are growing and growing, exponentially, by the year.
It's only a matter of time that someone wraps up this freedom-to-use concept in hardware that is sexy enough to compete with the totalitarian-authoritarian platform providers. Any .. day .. now ..
PC was an anomaly thanks to IBM not being able to go with their plans.
On UNIX, Sun was the vendor that introduced the concept of SDK SKU, thus for having developer tools, an additional SKU had to be bought, and the until then largely ignored GCC suddenly got a new focus of attention.
Mainframes and micros always needed having a group of folks from the vendor professional services for specific kinds of configurations.
I still remember working on traditional timesharing UNIX systems, one single server for all teams, what you get to do is decided by IT for your role.
There are plenty of examples from the past on how this has been happening already.
But the "walled garden" on mobile (iOS mostly, but now also Android) isn't really about trusted computing at all. Trusted computing (locked bootloaders) is but a small part of it.
Trusted computing and even remote attestation have legitimate use cases. It's good, great even, that they exist. But just like everything, they can be used against you.
A more generous explanation is that it might be both — vendor lock-in also happens to be a security measure.
Having important info on your device and having that device accessible to the wild, wild, internet is a very real problem. If the "walled garden" is a flawed solution we should work on a better one.
it's in the name, but it's open source and it's replacing a hodgepodge of other stuff (the point isn't why it's replacing it, or how well it's going; the point is there are replacements).
if the computer won't allow to install or use other software until you install a vendor-signed version of systemd on a vendor-signed kernel we'll be there. it's about hardware attestation, not signed software, though.
The future is likely bifurcated trust: Official, encrypted, attested systems; and unofficial, unencrypted, unattested systems.
The GNU freedoms never specified the right to run free software side by side with proprietary software on the same hardware; so the FSF should actually be fine with such an outcome.
The problem with bifurcated trust is the ongoing efforts to force people into carrying a “trusted” pocket spy. Cashless payments, mobile train tickets, and digital ID are making it extremely difficult to live without a pocket spy in some places.
If my bank requires me to use a phone for transfers (mine doesn’t), it might be acceptable to leave one in a desk drawer powered off as you would do with a hardware authentication token. It’s a special device for occasionally accessing a service. Fine. But when governments and industry collude to force citizens to carry these devices in order to live life normally, that’s not OK.
My intent is to be as stubborn and obnoxious as possible in resisting this until they either give up and provide an alternate path or lock me away for noncompliance. Fortunately there is still an alternate path available for most things, primarily thanks to elders who have trouble with new tech. (Thank you elders!)
In fact FSF specifically exempts special purpose hardware like microwaves from its purview. The philosophy is targeted at software the user has a choice to install. If the hardware provider does not intend the user to choose to install an alternative version of the system software, software freedom doesn't come into play.
That seems to be either an oversimplified take on the FSF's position, or argument in bad faith. The FSF wants people to be able to run free software for all purposes, as they fight for user freedoms. If said free software cannot be used, because of all kinds of vendors limiting their services to proprietary software or platforms, then this should be a major concern to the FSF, because their advocated kind of software is being sabotaged.
I worry that this global push for 'Know Your Developer' and the attempt to make them legally liable for what they produce, is going to destroy open source, an 'open' Linux included.
After that, certified locked down BigTech 'Personal Computing' will be the only menu choice.
Exactly. It’s a tactic so big tech doesn’t have to engage in activity that would justify anti-trust action if they want to ban a developer or even a whole class of apps. It’s also usable in general to benefit the wealthy.
They force anyone distributing software into the legal system so a “3rd party” can sue and destroy the life of anyone that goes against the system they want. Anything they don’t like will be accused of violating patents, etc. and the option to distribute anonymously for the good of users / society will no longer exist.
It seems like the path we’re heading to for the next 5-10 years is that we’ll still have general purpose compute, but many things will require a locked down smartphone as an access token. This is already the case in many corporate environments. More and more webpages are going to go this route in the name of security (along with only allowing access from a “trusted” browser authenticated with a TPM).
So you’ll still be able to write code and scripts and play on the side on your laptop, but if you want to access your bank's webpage (or really, anything you get through someone else’s server: streaming media, the news, porn, whatever) you’ll be forced to Chrome + laptop with TPM + authentication through smartphone app.
In which folders it can hide, which data to access, and which hardware resources to use.
> At the moment, anyone can use Linux; it's better and easier than ever.
Maybe Linux will save us.
This was a fascinating thing to watch for me (pewdiepie telling people to install Linux): https://www.youtube.com/watch?v=pVI_smLgTY0
My bet is that the momentum is strong enough that:
- A critical mass of PC makers will continue to offer a Linux preinstalled option, or at least some path to installing Linux.
- If Windows and macOS take more rights away, it'll just help Linux's market share.
So Linux's share will probably grow not only because Linux is getting better but because the corpo OSes trying to take away general purpose computing
[0] https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng
[0]: https://www.gnu.org/philosophy/can-you-trust.en.html
Hum... It was foolish, but it was decades after the trend started.
Looks to me that the real trend was started mostly by the wide distribution of TV and the subsequent media consolidation (that happened everywhere).
Also, who is "we" here? Because it was exactly the authoritarian-wannabes that created most of it.
Speech: https://www.youtube.com/watch?v=HUEvRyemKSg
Transcript: https://en.wikisource.org/wiki/The_Coming_War_on_General_Com...
(Of course, Stallman warned of this type of thing much earlier as well.)
* Auth app deploys to one or two app stores. No financial incentive to do otherwise.
* App stores remain within walled gardens. Tracking, DRM, proprietary drivers come with.
Also, my hardware, my choice. It seems there is no way to actually let them know.
yet :D
I beg history to prove me wrong.
For anyone interested, please look at Hardware attestation and TiVoization, thanks.
https://www.fsf.org/campaigns/free-bios.html
There are more
AROS, GNU-HURD and more
you can always contribute code, maintain an app, report a bug
You can buy HW to run AOSP, like Raspberry-PI or RISC-V
We are the consumers, we have the wallet.
Not ideal.