Readit News
akersten commented on Cross-Site Request Forgery   words.filippo.io/csrf/... · Posted by u/tatersolid
akersten · 18 days ago
I'm not really grokking the explanation in the article of why the SameSite cookie attribute doesn't fix CSRF. I thought that the whole design intent of SameSite=Secure on an HTTPS cookie was to fix CSRF. Can someone boil it down?

The article seemingly says "these cookies won't be sent with an unsafe request. But that doesn't fix it!" And doesn't elaborate?

akersten commented on Enlisting in the Fight Against Link Rot   jszym.com/blog/archiving_... · Posted by u/jszymborski
gkoberger · 19 days ago
I'm against link rot and I hate how Google doesn't maintain old projects. But this is one shutdown I 100% agree with.

Having an official Google domain that anyone can hijack is dangerous, given that many people's main internet identity is GMail (aka their Google account). I know anyone can create an offshoot (goooogle.org, etc), but Google was using goo.gl too.

It was easy to redirect a goo.gl to a Google login page (which is on a real Google domain), and trick people into authorizing access to their account.

I consider myself savvy, and I got a pretty convincing one recently. The email looked legit, and the link was a goo.gl link that ultimately landed me on a legitimate Google login page. It didn't trick me, but it did take me a few minutes to figure out how it wasn't legit.

NOTE: This article is kinda misleading. They already stopped letting people add new links in 2019. And now, they're only removing "inactive" links, AKA links that had no activity since 2024. If you visit a link right now, it will be kept. Here's more info: https://blog.google/technology/developers/googl-link-shorten...

akersten · 19 days ago
> Having an official Google domain that anyone can hijack is dangerous,

This makes me wonder if they're retiring sites.google.com any time soon?

akersten commented on Exit Tax: Leave Germany before your business gets big   eidel.io/exit-tax-leave-g... · Posted by u/olieidel
akersten · 24 days ago
Is there a look back period? What stops me from selling my business to my buddy the day I leave and then buying it back the day after?
akersten commented on Cadence Guilty, Pays $140M for Exporting Semi Design Tools to PRC Military Uni   justice.gov/opa/pr/cadenc... · Posted by u/737min
triactual · a month ago
If you read the article, you will see that the technology is specifically semiconductor design tools required for developing high performance computing that the PRC would use for nuclear weapons development. Can you do that with KiCAD? No.
akersten · a month ago
> specifically semiconductor design tools required for developing high performance computing

I call that EDA for brevity

> Can you do that with KiCAD?

Yes, depending how you define "high performance computing" (my question here)

akersten commented on Cadence Guilty, Pays $140M for Exporting Semi Design Tools to PRC Military Uni   justice.gov/opa/pr/cadenc... · Posted by u/737min
akersten · a month ago
So what's the secret sauce that Cadence is not allowed to sell to personae non gratae? The article just says EDA tools but that's so broad. Is KiCAD export restricted?
akersten commented on EU age verification app to ban any Android system not licensed by Google   reddit.com/r/degoogle/s/Y... · Posted by u/cft
quantummagic · a month ago
They always start with "think of the children", but that's just the opening salvo. The wild west days of the internet are definitely behind us. We'll be lucky if we still have private personal computing in the future, or any semblance of free speech.
akersten · a month ago
If we're to regain any ground here we need to adjust the messaging wrt terms like "wild west" - that's precisely the kind of terminology that scares the average voter into thinking the government needs to do something about this whole internet thing. We need to use patriotic and inspiring language, like "free" as in "free speech for the internet," or "safe and private" etc
akersten commented on EU age verification app to ban any Android system not licensed by Google   reddit.com/r/degoogle/s/Y... · Posted by u/cft
altairprime · a month ago
That ship sailed decades ago when Intel promoted Secure Boot as a defense against malicious modifications; it stops rootkits and it stops cheaters, what more could one ask for, etc. App attestation of this sort has been offered in certain enterprise/government Windows 10 SKUs since day one. Apple’s web attestation protocol has been live on all T2 devices for about as long as T2 has been out.

Governments have real and serious need for verifications that are backed by their force. They’re a government; they are wielding force upon citizens by doing this, knowingly and intentionally. That is a normal and widespread purpose of the State existing at all: to compel people to align with the goals of the State, whether members of the State like it or not, until such time as the State’s goals are changed by whatever means it permits or by its collapse.

If this pans out for them, as cryptographically it will, though it remains to be seen how vendors and implementations handle it at scale, then they can introduce voting from your phone — the previously-unattainable holy grail of modern democracy — precisely because it lets the government forcibly stop the cheating that device-to-app/web attestation solves. And they can do so without leaking your identity to election officials if they care to! Just visit a government booth once in a while to have your identity signature renewed (and any prior signatures issued to your identity revoked). That’s how digital wallet passports and ID cards work already today anyways, with their photo/video/NFC processes.

Western sfbay-style tech was founded on the libertarian principle that one should be able to tell the government to fuck off and deny taxation, representation, blah blah etc. in favor of one’s armed enclave that does what it feels like. It’s fine to desire that, but it’s proven too radical to be compatible with the needs of nation-states or the needs they enforce satisfactions for on behalf of their citizens. Attacking attestation won’t solve the problem of the “State”, and has led us to a point where Google can claim truthfully to a “State” that the Android forks ecosystem isn’t competent enough to be trusted, because they can’t be bothered to do attestations.

akersten · a month ago
> If this pans out for them, as cryptographically it will, though it remains to be seen how vendors and implementations handle it at scale, then they can introduce voting from your phone — the previously-unattainable holy grail of modern democracy — precisely because it lets the government forcibly stop the cheating that device-to-app/web attestation solves. And they can do so without leaking your identity to election officials if they care to! Just visit a government booth once in a while to have your identity signature renewed (and any prior signatures issued to your identity revoked). That’s how digital wallet passports and ID cards work already today anyways, with their photo/video/NFC processes.

we've banned all graphic depictions from the internet, required a verified name attached to every blog post, and made sure to confirm everyone's digital passport before letting them resolve a DNS query, but at least now I can vote from me phone instead of having to go outside. The future is bright!

akersten commented on EU age verification app to ban any Android system not licensed by Google   reddit.com/r/degoogle/s/Y... · Posted by u/cft
JeremyNT · a month ago
This is the pr on it [0]. It was linked on hn at the time too [1]

For all the shit Google deservedly gets they seem to be genuinely trying to implement good and privacy preserving solutions to a lot of these problems.

The issue of course is that there's essentially no way to do all this stuff with software and hardware the user actually controls themselves, so you end up with hard requirements that you use big tech as gatekeepers.

This is the slippery slope that IMO eventually ends the open web.

If you take that outcome as inevitable, which at this point I basically do given all the forces lined up to restrict access to information, I suppose Google is about the best steward you could hope for.

[0] https://blog.google/products/google-pay/google-wallet-age-id...

[1] https://news.ycombinator.com/item?id=43863672

akersten · a month ago
> If you take that outcome as inevitable,

I don't and I wish Google et al would take a god damned stand against it. All it takes is 2 or 3 big companies to just not play along with the destruction of the open internet (the very same responsible for their genesis and incredible success), and the bureaucrats will eventually relent. Unfortunately they've chosen the path of least resistance, which also is the path of regulatory capture to their sole benefit. Sad to see that win over the ideals of the early net.

akersten commented on EU age verification app to ban any Android system not licensed by Google   reddit.com/r/degoogle/s/Y... · Posted by u/cft
altairprime · a month ago
You would need to release a kernel and OS that requires users who modify the attestation and hardware token components of it to provide their own signing key rather than your production EU-registered one, chained back to the HSM signature emitted by the phone’s HSM signed bootloader; and then you would simply let the app check that its secure boot attestations chain to a secure bootloader/image/OS triplet that’s on file with the EU. Mix in some tech spice for the EU to prohibit OS releases that are validly signed but whose specific instance of a signature is found to be exploitable to bypass age checks and you’re set. None of this would prevent users from modding their devices, any more than macOS prevents modifications today if you turn off the security protections; but once you turn off the security protections, it can no longer attest with Apple’s signature because your modifications don’t match the signature any longer, and so Apple Wallet is inaccessible.

None of this prohibits users from modifying their bootloader, kernel, or OS image; but any such modification would invalidate the secureboot signature and thus break attestation until the user registered their own signatures with the EU.

The EU currently only transacts with Google in this regard because, as far as I know, they are the only Android OS publisher (and perhaps the only Linux publisher?) that bothered to implement hardware-to-app attestation chaining live in production end-user devices in the decades since Secure Boot came onto the scene. All it takes to change that is an entity who has sufficient validity to convince them that outsourcing permitted-signature verification to Google is unethical, which it is.

It’s a safe bet that Steam Linux was already working on this in order to attest that the runtime environment is unmodified for VAC and other multiplayer-cheating prevention systems in games — and so once they publish all that, I expect we’ll find that they’ve petitioned their attested OS signature chain to the EU as satisfying age requirements for mature gaming.

The vendor lock-in here is that Apple and Google and, eventually, Valve, are all willing to put the weight of their business behind their claims to the EU that they do their best to protect the security of their environment from cheaters, with respect to the components required by the EU age verification app. The loophole one could drive a truck through that the EU has left open to break that lock-in in the future? Anyone can petition the EU to accept attestations from their own boot-kernel-OS chain signatures so long as they’re willing to accept the legal risks visited upon them if found to have knowingly permitted exploitation for age check bypasses, or neglected to respond in a timely and prudent manner when notified of such exploitability by researchers — and if the EU rejects their petition improperly, they’ll have to answer for that to their citizens.

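altairprime's comment above describes attestation as a chain from the hardware-held key through bootloader, kernel and OS image, where any modification breaks the chain until the modder registers their own signatures with the verifier. As an added example, not from the thread and not any vendor's or the EU's implementation, the following Python models that with a TPM-style measured boot: each stage is hashed and folded into a single register, the device signs the final register together with a verifier nonce, and the verifier accepts only registers that match a boot chain some publisher has registered. HMAC with a per-device key enrolled at manufacture stands in for the asymmetric attestation signature real hardware produces; the stage contents, device key and publisher names ("VendorOS", "CommunityOS") are constructed for the demo.

```python
"""Measured-boot attestation check, as a simplified model (added example).

Each boot stage (bootloader, kernel, OS image) is hashed and folded into one
register, TPM-PCR style: pcr = SHA-256(pcr || SHA-256(stage)).  The device then
"signs" the final register plus a verifier-supplied nonce.  HMAC with an
enrolled per-device key stands in for the asymmetric attestation key a real
device would use.  The verifier accepts only registers matching a boot chain
that a publisher has registered with it.
"""
import hashlib
import hmac
import os

PCR_SIZE = 32

# Constructed stand-ins for real firmware/OS images (not real binaries).
VENDOR_STAGES = [
    ("bootloader", b"vendor-bootloader-v7"),
    ("kernel", b"vendor-kernel-6.6"),
    ("os", b"vendor-os-image-2025.08"),
]
# Same bootloader and OS image, but a community-patched kernel.
MODDED_STAGES = [
    ("bootloader", b"vendor-bootloader-v7"),
    ("kernel", b"community-kernel-6.6-patched"),
    ("os", b"vendor-os-image-2025.08"),
]


def measure(blob: bytes) -> bytes:
    """Hash one boot stage's bytes."""
    return hashlib.sha256(blob).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the register can only be moved forward, never reset."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(stages) -> bytes:
    """Fold an ordered list of (stage_name, stage_bytes) into one register."""
    pcr = bytes(PCR_SIZE)
    for _name, blob in stages:
        pcr = extend(pcr, measure(blob))
    return pcr


def device_quote(device_key: bytes, pcr: bytes, nonce: bytes) -> bytes:
    """Device-side attestation over (register, nonce). HMAC models the signature."""
    return hmac.new(device_key, pcr + nonce, hashlib.sha256).digest()


class AttestationVerifier:
    """Relying party: knows enrolled device keys and registered boot chains."""

    def __init__(self):
        self._device_keys = {}     # device_id -> enrolled key
        self._allowed_chains = {}  # expected register -> publisher name

    def enroll_device(self, device_id: str, device_key: bytes) -> None:
        self._device_keys[device_id] = device_key

    def register_boot_chain(self, publisher: str, stages) -> None:
        """A publisher (vendor or community project) files its golden chain."""
        self._allowed_chains[measured_boot(stages)] = publisher

    def issue_nonce(self) -> bytes:
        return os.urandom(16)  # fresh per challenge, defeats quote replay

    def verify(self, device_id: str, pcr: bytes, nonce: bytes, quote: bytes):
        key = self._device_keys.get(device_id)
        if key is None:
            return False, "unknown device"
        expected = device_quote(key, pcr, nonce)
        if not hmac.compare_digest(expected, quote):
            return False, "bad quote"
        publisher = self._allowed_chains.get(pcr)
        if publisher is None:
            return False, "boot chain not registered"
        return True, publisher


def run_scenarios() -> dict:
    """Stock device, unregistered mod, registered mod, and a lying device."""
    verifier = AttestationVerifier()
    verifier.register_boot_chain("VendorOS", VENDOR_STAGES)
    device_key = bytes(range(32))  # constructed; burned in at manufacture in reality
    verifier.enroll_device("phone-1", device_key)
    results = {}

    stock_pcr = measured_boot(VENDOR_STAGES)
    nonce = verifier.issue_nonce()
    results["stock"] = verifier.verify("phone-1", stock_pcr, nonce, device_quote(device_key, stock_pcr, nonce))

    modded_pcr = measured_boot(MODDED_STAGES)
    nonce = verifier.issue_nonce()
    results["modded_unregistered"] = verifier.verify("phone-1", modded_pcr, nonce, device_quote(device_key, modded_pcr, nonce))

    # The community publisher registers its chain; the same device now passes.
    verifier.register_boot_chain("CommunityOS", MODDED_STAGES)
    nonce = verifier.issue_nonce()
    results["modded_registered"] = verifier.verify("phone-1", modded_pcr, nonce, device_quote(device_key, modded_pcr, nonce))

    # Modded device claims the stock register, but the hardware only ever
    # quotes the register it actually measured, so the quote does not match.
    nonce = verifier.issue_nonce()
    results["lying_about_pcr"] = verifier.verify("phone-1", stock_pcr, nonce, device_quote(device_key, modded_pcr, nonce))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point the model makes concrete is that nothing here prevents modification: a patched kernel boots fine, it just lands on a register value the verifier has never seen. What unlocks the modded device is not defeating the hardware but getting the new chain onto the verifier's list, which is exactly the registration step the comment describes, and which today only the large vendors have done.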
akersten · a month ago
> that bothered to implement hardware-to-app attestation chaining live in production end-user devices

This is why it's important that initiatives like Web Environment Integrity fail. Once the tools are in place, they will always be leveraged by the State.

> and so once they publish all that, I expect we’ll find that they’ve petitioned their attested OS signature chain to the EU as satisfying age requirements for mature gaming.

I hope that Valve pays no mind to this nonsense and continues to allow art to be accessible to anyone.

akersten commented on Many ransomware strains will abort if they detect a Russian keyboard installed (2021)   krebsonsecurity.com/2021/... · Posted by u/air7
thrtythreeforty · 2 months ago
Is there any downside to unironically doing this? Seems like it'd actually work.
akersten · 2 months ago
Anticheat might throw a fit

u/akersten · karma 8575 · cake day August 25, 2014