by xoa 1640 days ago
For the record, I'm in favor of a legal mandate that hardware owners have the buy-time option to enable adding their own keys to any root trust stores on their devices. However, that'd be in addition to Apple's keys and wouldn't be about the security of Apple's keys, because Apple is part of the fundamental trust foundation if you buy a Mac or iDevice. Period. The devices are massively vertically integrated, right down to the core silicon, which is completely custom. Apple has absolutely unfettered, ultimate low-level access opportunity up and down the stack. If you completely don't trust Apple, then you absolutely should not use their hardware at all. So some level of "trust Apple" is simply a security axiom on this platform.

And they've shown that to be not unreasonable, at least when it comes to something like root private keys. Fact is, they've been operating for a long time now and, like the rest of the big players, that hasn't been a leak issue. It's not that big a deal for a big player to physically secure such things to a high enough degree that it's unlikely to be a limiting factor: dedicated rooms, fully offline, hardware-backed Shamir's secret sharing for m-of-n key-signing ritual requirements, etc.

3 comments
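The m-of-n scheme the parent mentions, split and recombined over a prime field. This is an added example, not code from the post or from any vendor's signing-ceremony tooling; the hardware-backed part (shares held in HSMs, an offline ceremony) is out of scope and only the arithmetic is shown. The 3-of-5 split, the sample 32-byte key and all helper names are constructed for the demo.

```python
"""Shamir secret sharing over GF(PRIME): split a signing key into n shares so
that any k of them recover it and any k-1 reveal nothing. Demo only."""
import secrets

PRIME = 2**521 - 1  # Mersenne prime M521; secrets up to 512 bits fit below it


def _eval_poly(coeffs, x):
    """Evaluate a0 + a1*x + ... mod PRIME using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, n, k):
    """Return n shares (x, y) of integer secret; any k of them recover it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of field range")
    if not 1 <= k <= n < PRIME:
        raise ValueError("need 1 <= k <= n")
    # a0 is the secret; a1..a(k-1) are uniformly random field elements, so the
    # polynomial is degree k-1 and k-1 points are independent of a0.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x=0 from distinct shares (needs >= k of them)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj == xi:
                continue
            num = num * (-xj) % PRIME          # prod (0 - xj)
            den = den * (xi - xj) % PRIME      # prod (xi - xj)
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_key_bytes(key: bytes, n: int, k: int):
    return split_secret(int.from_bytes(key, "big"), n, k)


def recover_key_bytes(shares, length: int) -> bytes:
    return recover_secret(shares).to_bytes(length, "big")


def demo():
    # Constructed sample: a 32-byte root signing key split 3-of-5 among custodians.
    key = bytes(range(32))
    shares = split_key_bytes(key, n=5, k=3)
    quorum = [shares[0], shares[2], shares[4]]   # any three custodians suffice
    short = [shares[1], shares[3]]               # two custodians must learn nothing
    return {
        "recovered": recover_key_bytes(quorum, 32),
        "too_few_matches": recover_secret(short) == int.from_bytes(key, "big"),
    }
```

With fewer than k shares, recover_secret returns a field element that is uniformly distributed and unrelated to the secret, which is the whole point of the scheme; the demo's too_few_matches check makes that visible. In a real ceremony the shares live on separate custodians' hardware tokens and recombination happens inside an HSM rather than in process memory.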

>If you completely don't trust Apple, then you absolutely should not use their hardware at all. So some level of "trust Apple" is simply a security axiom on this platform.

It is not about trusting Apple or any other company for that matter. It is about the tendency and attempt to make it a norm, and legal, to sell personal computers without respecting the right of the owner to have full control over their own computer. If the owner cannot fully control their own computer, this computer cannot be called 'personal' anymore.

This practice needs pushback as it is completely unacceptable. It should be made illegal to sell such devices if that is not already the case, because you can be left without a working computer just because the link to the company isn't available for some reason.

The company goes away and you are left without a working computer. The internet isn't available and you have a brick instead of your computer. This is crazy, and even more crazy that there are a bunch of people brainwashed enough to the level that they do not even perceive it as a problem. Probably because they can't think 3 steps forward.

> Company goes away

We’re talking about Apple, one of the most valuable companies in the world, sat on over $100bn in cash just “going away”, in what, the lifetime of a laptop? For me that’s 3-5 years, for others maybe 10. That’s an absurd premise. The probability of that is so close to zero it doesn’t bear consideration.

What if it's broken by legislators and the pieces are named something different? Want to bet no apple.com links get broken? And their certificates?

The point is, if I want to buy a personal computer and stuff it in the closet for 50 years to use later, that's between me and the creator. Not Tim Cook.

> It is about the tendency and attempt to make it a norm, and legal, to sell personal computers without respecting the right of the owner to have full control over their own computer. If the owner cannot fully control their own computer, this computer cannot be called 'personal' anymore.

I have bad news about Intel CPUs.

>[Intel] processors are running a closed-source variation of the open-source MINIX 3. We don't know exactly what version or how it's been modified since we don't have the source code. We do know that with it there, neither Linux nor any other operating system has final control of the x86 platform.

https://www.zdnet.com/article/minix-intels-hidden-in-chip-op...

And this isn't the case on M1 machines. On M1s, all blobs that remain after you launch Linux are sandboxed behind IOMMUs, so they cannot take over the system. Ignoring hardware backdoors (which you can never be sure don't exist, on any system), you can be reasonably confident that an M1 system doesn't have a (functional) backdoor running while you're running your own OS on it. Very few systems have this property; mostly only fully open boot systems like the Pinebook or Talos workstations. ~No x86 system does, not even the ones running Libreboot, since they almost always have hardware with full DMA access running blobs.

I thought that MINIX was running on the Intel Management Engine, not the main CPU.

That has full access to, and modification/control ability over, the main CPU.

Therefore I've said this before:

The full control of devices you own is absolutely essential. It requires complete transparency of basic components like CPU microcode, firmware and hardware; otherwise it can and will be abused.[0]

.. unless everything is absolutely transparent, including microcode and hardware, it is not acceptable as a freedom-respecting solution.[1]

Then I got unexpected opposition from the one who is making Linux for M1 (marcan_42). If even he fails to understand the consequences of accepting such a hostage situation with Apple devices and claims "Freedom isn't the answer." [2], if even he is ready to downgrade the discussion to personal disrespect toward people like me [3] who are merely trying to point out the danger of the hostage situation, while going 'easy' on Apple and being ready to justify all of their current mistakes, then we have a serious problem. I do not wish to use the term "doomed", but probably we observe a limited ability of highly technical minds to resist the primitive brainwashing and manipulation the big companies provide by presenting it as a norm to trade 'freedom' for 'safety'. Some people can't even think a few steps forward and understand that by helping companies promote such an agenda we'll end up losing both 'safety' and 'freedom'.

[0] https://news.ycombinator.com/item?id=29658817

[1] https://news.ycombinator.com/item?id=29675597

[2] https://news.ycombinator.com/item?id=29676524

[3] https://news.ycombinator.com/item?id=29691816

I love how every time you bring this up you link every post except the one where you compared Apple to a dictatorship, then went on to insult every user who chooses their hardware over others.

I'm happy to debate the pros and cons of different security approaches, and I want every prospective buyer of these machines to be informed about the decisions and trade-offs that went into their design, and what to expect. I'm not interested in debating someone who immediately dismisses all technical discussion and just invokes references to authoritarianism, brings up boiling frogs with no evidence, immediately dismisses my arguments as wrong and assumes they need correction, and ends with ad hominem attacks.

As I said, go buy a Pinebook and please leave the rest of us alone. We're trying to give the users of these machines choice. You're trying to take away our choice to use them through moral arguments.

marcan seems to be part of a new breed of hacker, less interested in the "why" we do it and more interested in the "how" of it. Works pretty well for tackling a challenge like blindly picking at a black-box ISA/SIP, but I don't think his project has the kind of ideological understanding that keeps the libre desktop alive. Getting it to work is one thing; building a community to maintain your work is another.

Unfortunately, that's going to constitute a lot of the people you encounter these days. Half-measures are better than no-measures, but I really do miss the days of vigilant software development instead of cleaning up Apple's scraps.

You're not giving Hector Marcan enough credit. He was on Team Twiizers and fail0verflow; groups that did a lot of hacking to open up closed systems. It's not like he's unaware of the customer abuse that happens in the proprietary world.

The "look beyond freedom" quote probably should also be looked at with the context that he's talking about the FSF, which has an odd habit of being extremely absolutist in ways that actually hurt the user. Like, they'll point out that Wi-Fi cards with proprietary firmware are bad, but then endorse very similar hardware where the firmware blob is in ROM or some features are lasered off just to conform to the "proprietary ROMs don't count" rule. Marcan is arguing for creating a gradual sliding scale of "proprietary, user-hostile, and/or insecure" to "Free, user-respecting, and/or secure" and then looking at the trade-offs between them, rather than just creating a really high bar based on what made sense in the late 1980s and sticking to it forever.

I'm giving the dude all the credit he deserves. fail0verflow is amazing, the stuff they did with Nvidia Tegra/Nintendo Switch was nothing short of miraculous and insane; that doesn't change the cards at the table though, and it doesn't make me any less skeptical of where all this leads. Again, I've got no intention of stopping people who are making progress, even if it's progress I disagree with, but he still has to prove himself here, and I'm not entirely confident that we're going to end up with "Linux, but on the M1" without a number of asterisks trailing the statement. That was the case with the Switch, that was the case with the PS4, and it's unfortunately crawling in that direction for the M1 as well.

> less interested in the "why" we do it and more interested in the "how" of it.

I mean, to be honest, someone only knowing "whys" alone is kind of disappointing — especially combined with the often seen narcissism of developers, and you get someone who does not understand the problem domain spewing bullshit about it with confidence. We can see plenty of examples of that under any firefox, wayland or systemd threads.

I agree it's "your own device", but Apple's EULA makes it really clear it's only your own device insofar as you can choose to destroy it. They retain a residual right over the hardware, a partial ownership if you will, when it comes to what software is on it. You aren't buying hardware. You're buying an experience. You don't have the right to experience arbitrary software running on it, even if you trust it.

It's one of the reasons I'm not using Apple products anymore.

Apple's EULA explicitly allows you to replace the open source components of the OS with your own. One such open source component is the XNU kernel itself. This is what allows Asahi Linux to exist not just technically, but also in full compliance with Apple's EULA.

> hardware owners have the buy-time option to enable adding their own keys to any root trust stores on their devices

Would you really be more comfortable knowing that your hardware vendor had the capability to produce machines with a low-level, unremovable backdoor? I'm not sure I would. A feature like that can be used against users more easily than it can be used by those users.

>Would you really be more comfortable knowing that your hardware vendor had the capability to produce machines with a low-level, unremovable backdoor?

What? They do. Apple absolutely has the capability to build any or all machines with low-level, unremovable backdoors, like, in the freaking processor if they wanted. I'm not clear on what your issue is here. The current state of affairs is that for devices like the iPhone, the manufacturer can set up a secure software tree where the root of trust contains only their keys. And for many (if not most) of their customers that's a good thing, because in their threat model running their own arbitrary code is of lower utility and much higher risk than getting social engineered into bypassing key protections or the like. There is important power in grouping together buying decisions in an unbypassable way; it's why the likes of Facebook, for example, cannot insist on bypassing iOS privacy protections. They can't pick people off, because people literally do not have the choice. Facebook must deal with Apple for the ~97% (or whatever it is who don't/can't jailbreak) majority of users.

However there are real issues with that too for a sizable number of owners. So all I want is that there be an option at purchase time which allows owners to load their own root keys. The whole chain of trust infrastructure is still there, but technical users or those with specific needs can then run their own (and still be better off). Making it buy-time means that users who want to ensure they cannot be compelled later can still do that too. Nobody loses.

> A feature like that can be used against users more easily than it can be used by those users.

How? Most people will stick with defaults, and I'd be ok with Apple or whomever qualifying an open device with reduced software support or some small charge for example too. And once it's been sold, it's the same as currently. I think that's a reasonable tradeoff.

You're missing my point. What I'm saying is that, as things currently stand, all of the CPUs that Apple ships in products are functionally identical -- all of them share the same root of trust in ROM (afaik?), and it would take a significant effort for Apple to produce devices which differ from that specification.

> How? Most people will stick with defaults

By having an attacker deliver a system to a user with a custom root of trust -- which could mean anything from a state-sponsored attacker to an abusive partner.
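To make the trade-off concrete: a toy model of the buy-time owner slot proposed a few comments up, with the provisioning attack from this reply run against it. This is an added example, not Apple's boot-ROM design or code; the class and function names (RootTrustStore, enroll_owner_key, seal, verify_boot_image) are hypothetical, the boot image is a constructed byte string, and the signatures are textbook RSA over a SHA-256 digest with small keys and no padding so the block runs on the standard library alone. Do not reuse that signature scheme anywhere real.

```python
"""Toy ROM trust store: fixed vendor key, one owner slot, one-way seal. Demo only."""
import hashlib
import random


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin probable-prime test; fine for a demo, not for real keygen."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(seed, bits=512):
    """Return ((n, e), (n, d)); seeded so the scenarios below are reproducible."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(image: bytes) -> int:
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def sign_image(privkey, image: bytes) -> int:
    n, d = privkey
    return pow(_digest_int(image), d, n)  # raw RSA over the hash: no padding, demo only


def key_fingerprint(pubkey) -> str:
    n, e = pubkey
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()[:16]


class RootTrustStore:
    def __init__(self, vendor_pubkey):
        self._keys = {"vendor": vendor_pubkey}
        self._sealed = False

    def enroll_owner_key(self, pubkey):
        if self._sealed:  # enrolment only before the seal, i.e. at provisioning time
            raise PermissionError("store sealed; no further key enrolment")
        self._keys["owner"] = pubkey

    def seal(self):
        self._sealed = True

    def fingerprints(self):
        return {name: key_fingerprint(k) for name, k in self._keys.items()}

    def verify_boot_image(self, image: bytes, signature: int):
        """Return the name of the trusted key that signed image, else None."""
        h = _digest_int(image)
        for name, (n, e) in self._keys.items():
            if pow(signature, e, n) == h:
                return name
        return None


def run_scenarios():
    vendor_pub, vendor_priv = generate_keypair(seed=1)
    owner_pub, owner_priv = generate_keypair(seed=2)
    attacker_pub, attacker_priv = generate_keypair(seed=3)
    image = b"kernel+initrd (constructed sample)"
    out = {}
    # Stock device: only the vendor key is trusted.
    stock = RootTrustStore(vendor_pub)
    stock.seal()
    out["stock_vendor"] = stock.verify_boot_image(image, sign_image(vendor_priv, image))
    out["stock_owner"] = stock.verify_boot_image(image, sign_image(owner_priv, image))
    # Buy-time opt-in: owner enrols a key, the store is sealed, later enrolment fails.
    opened = RootTrustStore(vendor_pub)
    opened.enroll_owner_key(owner_pub)
    opened.seal()
    out["opened_owner"] = opened.verify_boot_image(image, sign_image(owner_priv, image))
    out["opened_vendor"] = opened.verify_boot_image(image, sign_image(vendor_priv, image))
    try:
        opened.enroll_owner_key(attacker_pub)
        out["late_enrolment"] = "allowed"
    except PermissionError:
        out["late_enrolment"] = "refused"
    # The objection: whoever provisions the device before delivery fills the slot.
    # The ROM cannot tell attacker from owner; only a fingerprint check by the buyer can.
    tampered = RootTrustStore(vendor_pub)
    tampered.enroll_owner_key(attacker_pub)
    tampered.seal()
    out["tampered_attacker"] = tampered.verify_boot_image(image, sign_image(attacker_priv, image))
    out["owner_fingerprint_ok"] = tampered.fingerprints()["owner"] == key_fingerprint(owner_pub)
    return out
```

The store itself cannot distinguish an owner-enrolled key from an attacker-enrolled one: in the last scenario the attacker's image verifies under the "owner" slot exactly as a legitimate one would. The only defence the buyer has in this model is to compare the enrolled fingerprint against the key they actually generated, which is why fingerprints() is exposed and why that scenario ends with the comparison.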

https://old.reddit.com/r/degoogle/comments/rosdbu/100_foss_s...

Take a look at the "Why not Apple devices?" section.