@volla has initiated the industry consortium #UnifiedAttestation for an open-source alternative to Google Play Integrity.

  • danieldk@mastodon.social

    @vollaficationist @celeduc @GrapheneOS @guilg @EUCommission And the Volla Phone Quintus is the Daria Bond 5G from an Emirates company (marked up by 560 Euro). Given that Eurowashing, maybe attacking GrapheneOS for using Pixel hardware is a bit rich? At least Pixel has proper device security.

    Back to the original topic. I only have a stake in this as an EU citizen, but having a small set of companies decide who can run what is bad, it's another attack on the freedom of EU citizens.

    khw@digitalcourage.social
    wrote last edited by
    #73

    @danieldk
    I would agree to the lower paragraph and add the following thought:
    Maybe it would be wise to not let the only companies with privacy in mind get divided. Arguments ad hominem are not very convincing.
    @vollaficationist @celeduc @GrapheneOS @guilg @EUCommission @GrapheneOS

    • vollaficationist@mastodon.social

      @GrapheneOS please, how many people are hired by GOS for being all over social media 24/7? This day is my first and only day doing this. Would you guess why?

      promethdeus@mastodon.online
      wrote last edited by
      #74

      @vollaficationist @GrapheneOS shut your worthless larping. You don't answer GrapheneOS' queries regarding #VollaShit security in a mature manner. It's so obvious.

      • vollaficationist@mastodon.social

        @guilg @GrapheneOS I suspect GOS is more, or different, from what they state they are. And from where do we always see v projection?

        ozu@infosec.exchange
        wrote last edited by
        #75

        @vollaficationist @guilg @GrapheneOS May I have an explanation why a new centralised verification through a new API built on the Android hardware attestation API is a better solution? I'm genuinely curious because to me it sounds exactly like Google's solution with a different entity in control.

        • xtreix@infosec.exchange

          @vollaficationist @GrapheneOS An anti-competitive cartel violates the principle of fair competition not only in Canada but in most countries, including the EU.

          Link preview: Antitrust and Cartels Overview, Competition Policy (competition-policy.ec.europa.eu)

          Unified Attestation is an initiative with Murena, Iodé, and Volla, three untrustworthy for-profit companies that want to copy Google’s Play Integrity API, which is already abusive and illegal, to manipulate the market and impose their misleading standards.

          There is nothing neutral about it, and the fact that it’s “open-source” doesn’t change a thing.

          meowki@meowstodon.eu
          wrote last edited by
          #76

          @Xtreix @vollaficationist @GrapheneOS So what are the alternatives? Sandboxed google? Not having banking apps? Not having alternative payment apps?
          The issue is that banks are required to have this attestation by credit card companies.

            xtreix@infosec.exchange
            wrote last edited by
            #77

            @meowki @vollaficationist @GrapheneOS Most banking apps work well on GrapheneOS; check out this list: https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/

            The attestation compatibility guide is a good, neutral approach that is not controlled by a centralized authority: https://grapheneos.org/articles/attestation-compatibility-guide

            Unified Attestation threatens the compatibility of apps for developers who refuse to participate in their illegal cartels. This seriously undermines the efforts of a project like GrapheneOS, which strives to make as many Android apps as possible compatible with a truly secure and privacy-respecting operating system, one without user accounts, AI, age verification, client-side analysis, or any default Google services nor any other tech companies, etc.

            We need to support it because there’s no one else doing what GrapheneOS does.

            • vollaficationist@mastodon.social

              @GrapheneOS This is currently being discussed. Nothing is written in stone. One way is to have an independent third-party highly renowned institution do test and certification. Please consider that UA is still very much "under construction." Please also note that we respect GOS' work, which is why we reached out to you half a year ago.

              mdione@en.osm.town
              wrote last edited by
              #78

              @vollaficationist I think that what @GrapheneOS means is:

              Let's say UA exists, and what it does is certify OSs and provide a signature for secure boot or something like that. What happens if GOS or LineageOS or PostmarketOS fail their certification? What happens if that's because they decided the change they made to lose the certification was in the user's interest?

                danieldk@mastodon.social
                wrote last edited by
                #79

                @khw @vollaficationist @celeduc @GrapheneOS @guilg @EUCommission Centralized remote attestation is diametrically opposed to privacy, since it makes projects vulnerable to pressure to weaken security & privacy, delay updates, etc.

                AFAIK the support for remote attestation that is already provided in AOSP does not suffer from this issue, because there is not a single entity that enforces it (banks can whitelist signing key fingerprints).

                So the only reason I can think of is control.

                  danieldk@mastodon.social
                  wrote last edited by
                  #80

                  @khw @vollaficationist @celeduc @GrapheneOS @guilg @EUCommission This is not just a theoretical concern.

                  Some European countries border on autocracy. Imagine that this initiative is successful. An autocrat could pressure Volla et al. to only attest phones that have a chat backdoor under the threat of banning them from the market.

                  It is anti-privacy, anti-security, and anti-freedom.

                  • vollaficationist@mastodon.social

                    @celeduc @GrapheneOS @guilg @EUCommission Volla develops not only devices or OS, or AI and more. It's also developing a new ecosystem as well as an infrastructure. Full decoupling. A fully, autonomous communications system. GOS is a hundred thousand miles from this, right. They do googlag-ware and now even Moto, lol.

                    andyforpresident@fosstodon.org
                    wrote last edited by
                    #81

                    @vollaficationist
                    I was an early adopter and beta tester of the first Volla phone and VollaOS back in the days.
                    Development was a mess and the two supported operating systems were too much load for the company. Now that you develop AI I think that's the only chance to get things done for a bunch of rebranded low end devices running outdated insecure software.
                    @celeduc @GrapheneOS @guilg @EUCommission

                      engideer@tech.lgbt
                      wrote last edited by
                      #82

                      @khw @danieldk @vollaficationist @celeduc @GrapheneOS @guilg @EUCommission I mean, Volla and co want to forbid you from running software of your choice. GOS wants you to be able to run any software you want. It's that simple. That's not companies arguing, that's one company deciding to take away your personal freedoms for no reason.

                        khw@digitalcourage.social
                        wrote last edited by
                        #83

                        @danieldk
                        But that has nothing to do, whatsoever, with the attestation. That said state could pressure volla et al that only phones with backdoor are allowed in the EU.
                        @vollaficationist @celeduc @GrapheneOS @guilg @EUCommission

                        • vollaficationist@mastodon.social

                          @GrapheneOS Which companies are "disallowed" to partake in #UnifiedAttestation? You have formally and informally been cordially invited. As are any and all other OS manufacturers. Please, let's ease the tone. What about a constructive talk? I believe we should support one another wherever possible and meaningful. Considering the vast market potential, we have all much to gain. Some will choose GOS, some VOS, etc. It's a big cake. Let's ditch Google - unified. Good day!

                          ike_seblon@mastodon.social
                          wrote last edited by
                          #84

                          @vollaficationist @GrapheneOS "ease the tone"???? That was a succinct couple of facts, you're being weird.

                            khw@digitalcourage.social
                            wrote last edited by
                            #85

                            @engideer
                            I don't know about volla trying to forbid me running certain Software, but you are right. I haven't seen real arguments in this case for a long time. That's all I said. No arguments ad hominem, but arguments on this case, please.
                            @danieldk @vollaficationist @celeduc @GrapheneOS @guilg @EUCommission

                              grapheneos@grapheneos.social
                              wrote last edited by
                              #86

                              @khw @danieldk @vollaficationist @celeduc @guilg @EUCommission It has everything to do with a centralized attestation system. Once this system starts being adopted, the EU can require it for banking/government apps as they began the process of doing with the Play Integrity API. They can then hijack it and begin enforcing their own requirements, including disallowing encryption without backdoors. There should be no organization in charge of which devices and operating systems are allowed.

                                grapheneos@grapheneos.social
                                wrote last edited by
                                #87

                                @khw @danieldk @vollaficationist @celeduc @guilg @EUCommission If companies insist on permitting only certain devices and operating systems to be used then the system should be one that's distributed around the world with multiple neutral organizations not tied to the companies making devices or governments. However, delaying updates for certification is inherently anti-security. It would be impossible to quickly ship security patches without breaking compatibility with many important apps.

                                  khw@digitalcourage.social
                                  wrote last edited by
                                  #88

                                  @GrapheneOS
                                  But they, the EU, can do this all along. No matter if there is something like attestation or not.
                                  @danieldk @vollaficationist @celeduc @guilg @EUCommission

                                    engideer@tech.lgbt
                                    wrote last edited by
                                    #89

                                    @khw @danieldk @vollaficationist @celeduc @GrapheneOS @guilg @EUCommission

                                    I was referring exactly to Unified Attestation, the topic of this thread. UA is essentially a direct clone of the Google Play Integrity API. The rough summary is that both technologies offer an API that apps can query, asking whether they (the app) are running on a "certified" operating system. In the case of GPI, Google has a list of OSes they deem "acceptable", while in UA's case, Volla has a list of OSes they deem "acceptable". In either case, the technology forbids you from running an operating system of your choice, since Google/Volla have to approve your choice, or otherwise you won't get to run apps on it. Technologically there's a bit more complexity and nuance here, but this is essentially what it comes down to.

                                    This is why GOS is so strongly opposed to this. Because centralized attestation is fundamentally an anti-freedom technology. It doesn't matter whether the jail is run by company A or B: a jail is always a jail.

                                      grapheneos@grapheneos.social
                                      wrote last edited by
                                      #90

                                      @khw @danieldk @vollaficationist @celeduc @guilg @EUCommission Attestation enables them to enforce it. Otherwise, people can import devices not complying with the rules they place on devices sold within Europe. Banning people from using devices from elsewhere is far more extreme and oppressive so that's a lot less likely. It's also far harder to enforce and if things have gotten that bad then many people are going to be unintentionally breaking oppressive laws regardless.

                                        grapheneos@grapheneos.social
                                        wrote last edited by
                                        #91

                                        @khw @danieldk @vollaficationist @celeduc @guilg @EUCommission Being able to take away compatibility with banking and government apps based on a system imposing arbitrary rules with certification required for each release is authoritarian. Regardless of the motivation for building this kind of system, the end result is a powerful tool for a police state. Root-based attestation is inherently anti-competitive and primarily useful for controlling people rather than protecting people.

                                          grapheneos@grapheneos.social
                                          wrote last edited by
                                          #92

                                          @khw @danieldk @vollaficationist @celeduc @guilg @EUCommission Pinning-based attestation is a useful security feature for protecting users and has little potential for abuse to prevent competition and enforce authoritarian laws. Root-based attestation is what causes those problems. Root-based attestation has poor security since it depends on none of the TEE/SE implementations getting exploited with their keys extracted. Not much of a security feature when any leaked key can be used to bypass it.

                                          khw@digitalcourage.socialK 1 Reply Last reply
                                          0
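
Added example, not part of any post in this thread and not code from GrapheneOS, Volla or AOSP: a relying party's own acceptance policy over an already parsed and chain-validated hardware attestation, showing a locally kept allowlist of verified boot key fingerprints (the approach mentioned in post #79) and a pinned attesting key next to a root-only check (the distinction drawn in post #92). The record type, the `attest_key_fp` field, the account name and every fingerprint are constructed placeholders; the other field names follow the Android key attestation extension, and pinning is modelled here as trust on first use.

```python
from dataclasses import dataclass, replace
import hmac


@dataclass(frozen=True)
class Attestation:
    """Parsed result of an attestation whose chain was already validated upstream."""
    challenge: bytes             # attestationChallenge echoed back by the device
    verified_boot_state: str     # "Verified", "SelfSigned", "Unverified" or "Failed"
    verified_boot_key: str       # hex SHA-256 of the OS verified boot key
    device_locked: bool          # bootloader lock state
    os_patch_level: int          # YYYYMM
    attest_key_fp: str           # fingerprint of the attesting key (hypothetical field)
    chains_to_trusted_root: bool  # outcome of the upstream chain validation


@dataclass
class RelyingPartyPolicy:
    """Kept by each app operator; nothing is fetched from a central certifier."""
    allowed_os_keys: dict        # verified boot key fingerprint -> OS label
    min_patch_level: int


def check_os(att, expected_challenge, policy):
    """Root-based checks plus the operator's own OS allowlist: (ok, detail)."""
    if not hmac.compare_digest(att.challenge, expected_challenge):
        return False, "stale or replayed challenge"
    if not att.chains_to_trusted_root:
        return False, "chain does not reach a trusted hardware root"
    if not att.device_locked:
        return False, "bootloader unlocked"
    if att.verified_boot_state == "Verified":
        os_label = "OEM-signed OS"
    elif att.verified_boot_state == "SelfSigned":
        # Alternative OS on a locked bootloader: identified by its boot key.
        os_label = policy.allowed_os_keys.get(att.verified_boot_key.lower())
        if os_label is None:
            return False, "verified boot key not on this operator's allowlist"
    else:
        return False, "boot state " + att.verified_boot_state
    if att.os_patch_level < policy.min_patch_level:
        return False, "patch level too old"
    return True, os_label


class PinStore:
    """Pinning modelled as trust on first use of the attesting key, per account."""

    def __init__(self):
        self._pins = {}

    def check(self, account, att):
        pinned = self._pins.setdefault(account, att.attest_key_fp)
        return hmac.compare_digest(pinned, att.attest_key_fp)


def demo():
    # All values below are constructed for this example.
    policy = RelyingPartyPolicy({"aa" * 32: "alt-os-example"}, 202401)
    pins = PinStore()
    nonce = b"constructed-nonce-1"
    enrolled = Attestation(nonce, "SelfSigned", "aa" * 32, True, 202406, "11" * 32, True)
    # Same OS and root, but a different attesting key than the one enrolled.
    other_key = replace(enrolled, attest_key_fp="22" * 32)
    unknown_os = replace(enrolled, verified_boot_key="bb" * 32)
    return {
        "enrol": check_os(enrolled, nonce, policy)[0] and pins.check("alice", enrolled),
        "root_only_other_key": check_os(other_key, nonce, policy)[0],
        "pinned_other_key": pins.check("alice", other_key),
        "unknown_os": check_os(unknown_os, nonce, policy),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The root-only check accepts the second attesting key because it also chains to the trusted root, while the pinned check for the enrolled account rejects it.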