I don't know how large a group who will do this is - but if the UK bans VPNs I can see Graphene having a very large target on its back.
- Buy Pixel, Get Graphene
- Use FDroid, don't sign up for Google Play, download Tor browser
- Censorship resistant access to the internet without handing over your ID.
Pixel being a fairly popular phone in the UK is the interesting bit - if you had to buy some niche device I couldn't see it hitting more than a few hundred people doing it, but there are likely 100k pixels in the UK, and it's still possible to buy one and put Graphene on it.
The squeeze on the free internet happened so quick by the UK (well it took years of indifference and a failure to enshrine protections - but once they started moving the did so super fast)
Realistically we're speed running ID being tied to internet usage - create your escape hatch while you can!
There must be 10s of millions of x86 PCs with unlocked bioses in the UK. The issue won't be running an open device. The problem is software - what does someone running Linux do if the government mandates online services require proprietary attestation APIs?
It's scary how quickly the banning is moving. The problem is what happens next. When they realise that banning things doesn't really work. The next logical step is severely limiting internet traffic.
The first wave will be to mandate ID verification for online services. Some people will then start using p2p services, so the next step is to ban devices that can run non-approved software. Probably having your own VPS running your own software will also not be allowed. And like that, all the avenues for escaping control will be closed… for your safety, of course.
> what does someone running Linux do if the government mandates online services require proprietary attestation APIs?
One dual-boots to a reputable Linux vendor’s signed/sealed OS image with secure boot enabled in BIOS, so that the attestations are valid; financially supports said vendor; contacts them quarterly with check-ins on the status of their lockdown+attestation roadmap and uses professional journalism approaches to highlight their (in/)action; and, contacts one’s relevant governing body to petition for the addition of that vendor’s signed/sealed product line to be added to the authorized signatures list by both government-sponsored apps and to the verification platforms of the competing vendors (in order to balance the necessities of attestations with an appropriate degree of anti-monopolistic protections for consumers).
> It's scary how quickly the banning is moving. The problem is what happens next. When they realise that banning things doesn't really work
This confidence that ‘attestation doesn’t really work’ is the same sort of confidence that lead the Linux user community to largely scoff at, and ignore, attestation’s threat from when it was ballistically launched three decades ago towards the future. Options are now very limited for stopping it, and largely reduced to ‘getting some Linux into the approval list’. Severe compromises in user freedom will be required for the signed+sealed distro images to receive government approvals.
Imagine if Linux were an app on a video game console and you start to see the outcome: it’s a perfectly great working environment into which all of /usr/local and /opt and /home are writable, but the lockdown prevents you from modifying the OS in any way that could defeat the attestation protections. Apps you install into /opt can only access their own /opt/prefix, apps you install into /usr/local can access $HOME. The apps you install can choose to write session data (such as digital age verification certificates) to a system-protected /data store keyed first by the kernel’s signature, and second by the vendor signature the kernel reads from the app; with the understanding that an attestation latch-forward after an exploit patch will wipe that store, and that dual-booting to a different vendor will suspend access to sessions stored by that vendor.
This is, to climb on my hobby horse for a moment, why I continue to believe that Valve will be the first Linux vendor to receive government attestation approval alongside Apple / Google / Microsoft have previously across the desktop and mobile spaces. I’d really prefer that to be Graphene, Ubuntu, and Valve — but Graphene’s customer base is hostile to this, Ubuntu doesn’t have any incentive to care, and of the Linux vendors out there, Valve has a decade-long head start on the need for a locked-down and attested platform for business reasons. All of the above falls out naturally from considering how to defend one app from another on Android, iOS, Steam Deck, and Xbox. So far as I can tell today, though, Linux intends to be left out in the cold on all this. Oh well.
Linux intends to be left out of all this attestation garbage because it completely undermines the point of fully owning and controlling your own devices. I don't want or need to ask permission before I run a program - not from random megacorporations, and ESPECIALLY not from any of the various governments. If some third party service wants to make sure I'm not doing anything nefarious, they should do it at the border of their servers and the services they offer.
> what does someone running Linux do if the government mandates online services require proprietary attestation APIs?
So, in the scenario posed (quoted above again for context) that I’m responding to, where the government has mandated attestation online, it seems like you’re arguing that Linux should continue to opt-out of attestation, and thus be forced into non-internet uses only. Do I misunderstand your intended outcome to the scenario here? I took for granted that Linux users would want to retain access to the internet as a critical priority, given how strongly they’re objecting to attestation of internet apps (and eventually internet access), but if I’m mistaken then I’m happy to reverse course!
This way we will just have unremovable age verification, spyware, online accounts to use the os, name another bs from other vendors. What's the point of Linux then? The moment big corps and the state can seal spyware into your computer, they'll happily do it.
I'd rather have a separate burn device with whatever os for state services which lives in a faraday cage most of the time and have a proper OS I control on the main device than give somebody control over it.
I’m with you in spirit, but the ship is sinking, man. Your arguments were already made in the 90s when the first puff of smoke from all this was on the horizon. Thirty years of chicken little later, I’ve moved past being upset about this and am trying instead to persuade the Linux community to step up before the window of opportunity closes on GP computing altogether. Do something, act, if you want a better future; or do nothing if you don’t. What actions do you suggest people take in support of your viewpoint?
> We have a helicopter on Mars yet they still can't master a installation wizard.
Unexpectedly, the 'bootable thumb drive' models are actually pretty great — not the installers, but the ones that boot straight into a GUI that works and is usable. I haven't used one as my personal Linux uses predated thumb drives, but I have always (mistakenly?) assumed that once you're booted into a liveCD, you can click 'Install on a drive partition' and it will actually do something coherent and GUI and reasonable. Have I been too optimistic? Probably, yeah :(
I would never ever trust Linux from a vendor. If it's not installed by myself, I refuse to use it.
When you accept government gift in approval consider it tapped. At any point they can return to the vendor and go "install this". No? Okay bye to your certification.
> I would never ever trust Linux from a vendor. If it's not installed by myself, I refuse to use it.
I bet you would, though, if the built OS image were 100% reproducible except for the signature. Once you have a fully reproducible Linux OS build, you can literally copy paste the cryptosig from the vendor and it will work with the image you built yourself from source that you inspected yourself. Then it’s impossible for the government to tap it without breaking the reproducible image checksum and thus the published cryptosig. It’s a better defense than any warrant canary would be, and it satisfies your concerns fully.
Arch shows only 15 packages left for their core OS to be built reproducibly; what I don’t see at their dashboard is the state of their ISO build reproducibility, but I imagine that’s the same as the core, so maybe it’s just unstated for obviousness. https://reproducible.archlinux.org/
Does GrapheneOS publish their repro build efforts as a dashboard anywhere?
> I bet you would, though, if the built OS image were 100% reproducible except for the signature.
CryptoSecure, depends how done but again, neither can be fully trusted when they were headed by government agencies in the past.
I don't trust Linux now that Microsoft got mits on it with WSL. RedHat sold-out to IBM and Debian got in bed with Canonical. Arch & Valve I might lead more too but then again I guess they've got to make money somehow.
I use FreeBSD and I don't trust that either unless I can do make install world.
“Every time we see a Google Pixel, we suspect it might belong to a drug dealer,” said a police official leading the anti-drug operation in Catalonia.."
Seems like some countries/areas are already targeting the Pixel (really its because of GrapheneOS)
It is far more likely that it is due to scams and grifts that pretend to be GrapheneOS, associated with GrapheneOS, or based on GrapheneOS, rather than GrapheneOS itself. Criminals tend to be not that bright.
I regret not signing up for Discord when they first introduced facial recognition and middle schoolers were trivially spoofing their ID checks with meme pics.
There's really something to be said for greedily signing up for most things and trying to get grandfathered before the zipcuffs tighten.
IRL, though, fuck this. Home depot added flock cams and broad facial recognition, grocery store installed turnstiles, haven't stepped foot in either since. I'm just dropping out of the IRL retail economy left and right.
- drop wireguard / OpenVPN packets crossing the country border
- analyze https traffic to detect traffic patterns not matching https fully and block such connections
And some including mullvad already accept payment in crypto, there will always be some dodgy VPN company in some dodgy jurisdiction that will take your BTC in exchange for an account.
I live in $MAJOR_CITY, and Meta is a not a viable workplace for serious engineers anymore.
The short term pay for the lunacy of working there is not a sensible trade-off for decent engineers.
Aside from having the sword of Damocles over you at all times because Zuck has lost his mind, there is a sense he has had 1 too many failures after Metaverse and they are seriously floundering in AI, and their core products (Ad Manager) has a very poor image, even with non-technical users.
So it's not even a sure bet you will even get a short term monetary payoff
In their defense (haha), virtually all the ad management platforms for social and search are total dogshit. Like seriously, some of the worst software I’ve used. Constantly broken, incredibly poor UI / UX, slow, frequently burns money for no reason, ads just mysteriously stop working, etc, etc. Meta, Google, LinkedIn, Reddit, Twitter, they’re all like this. They don’t give a shit about the advertiser experience and it shows.
But I put up with it, just like everyone else, because it’s still amazing ROI when you get it working right. And there’s no other choice if you want access to these platforms with billions of potential customers.
I wonder if there is a tool that could equally waste their time. Like the worlds most pedantic code review bot that just gets the PR raising bot to spin wheels forever.
Don't agree with you. The agent looked to be malicious at various points. Screwing with people who wish you to do harm is principally correct.
If possible I would have contacted AWS with this and tried them to get rid of the discount because the person was at fault here.
What a cathartic read. I'm so sick of humans giving me AI slop to read without them reading it first. I just ignore them when they do this, but if I could cause them to really internalise a lesson I would love it.
Yeah, this is 100% the case - while not a FAANG I worked at a moderately large tech company in the UK and it was astonishing how slow everything moved, but people were always getting promoted. I eventually left because every project took about 10x the effort it should have.
The stock price went down 20% during the time I was there, and I could see why - it took months to ship a tiny button.
I work with a lot of ex-FAANG now and they haven't had much of a chance to do impactful things. I've heard a lot of "I was responsible for the reporting function on this dashboard that's 10 clicks deep on Google Play"
I do think Layoffs, while obviously very sad for those involved, were needed.
One of the "huh, didn't expect that to work" moment was getting GLM 5 to make me a user space driver for the Nintendo Switch Pro 2 Controller on Ubuntu.
When you plug it in, the device is recognised, but press any button and it attempts to start the pairing process. Then using evtest nothing is coming through.
That^ was pretty much my prompt too, and 10 minutes later I have a working driver with systemd unit so it works through restarts. Amazing stuff!
If you listen closely to UK cabinet ministers you can intuit that they are being horse whispered into handing over vast sums of taxpayer money to firms for AI who are promising solutions to the productivity gap (chasm?) that the UK is plagued by.
I can say with certainty lots of money will be spent, and the gap will not be filled. I would bet my life on it.
The squeeze on the free internet happened so quick by the UK (well it took years of indifference and a failure to enshrine protections - but once they started moving the did so super fast)
Realistically we're speed running ID being tied to internet usage - create your escape hatch while you can!
reply