Most active commenters
  • lucideer(6)
  • tadfisher(5)
  • reddalo(3)
  • fragmede(3)

←back to thread

We should have the ability to run any code we want on hardware we own

(hugotunius.se)
2071 points K0nserv | 37 comments | 31 Aug 25 21:46 UTC | HN request time: 1.335s | source | bottom
Show context
zmmmmm ◴[01 Sep 25 02:51 UTC] No.45088995[source]
> In this context this would mean having the ability and documentation to build or install alternative operating systems on this hardware

It doesn't work. Everything from banks to Netflix and others are slowly edging out anything where they can't fully verify the chain of control to an entity they can have a legal or contractual relationship with. To be clear, this is fundamental, not incidental. You can't run your own operating system because it's not in Netflix's financial interest for you to do so. Or your banks, or your government. They all benefit from you not having control, so you can't.

This is why it's so important to defend the real principles here not just the technical artefacts of them. Netflix shouldn't be able to insist on a particular type of DRM for me to receive their service. Governments shouldn't be able to prevent me from end to end encrypting things. I should be able to opt into all this if I want more security, but it can't be mandatory. However all of these things are not technical, they are principles and rights that we have to argue for.

replies(38): >>45089166 #>>45089202 #>>45089284 #>>45089333 #>>45089427 #>>45089429 #>>45089435 #>>45089489 #>>45089510 #>>45089540 #>>45089671 #>>45089713 #>>45089774 #>>45089807 #>>45089822 #>>45089863 #>>45089898 #>>45089923 #>>45089969 #>>45090089 #>>45090324 #>>45090433 #>>45090512 #>>45090536 #>>45090578 #>>45090671 #>>45090714 #>>45090902 #>>45090919 #>>45091186 #>>45091432 #>>45091515 #>>45091629 #>>45091710 #>>45092238 #>>45092325 #>>45092412 #>>45092773 #
JeremyNT ◴[01 Sep 25 03:50 UTC] No.45089284[source]
This is the crux of the matter.

Maybe conceptually you will be able to run some kind of open operating system with your own code, but it will be unable to access software or services provided by corporate or governmental entities.

This has been obvious for some time, and as soon as passkeys started popping up the endgame became clear.

Pleading to the government definitely can't save us now though, because they want the control just as much as the corporations do.

replies(5): >>45089321 #>>45089323 #>>45089975 #>>45090561 #>>45090592 #
1. reddalo ◴[01 Sep 25 06:19 UTC] No.45089975[source]
> as soon as passkeys started popping up the endgame became clear

That's why I'm 100% against passkeys. I'll never use them and I'll make sure nobody I know does.

They're just a lock-in mechanism.

replies(3): >>45090207 #>>45090270 #>>45090402 #
2. kleiba ◴[01 Sep 25 07:00 UTC] No.45090207[source]
For someone who hasn't spent any time thinking about that matter, could you please elaborate your point?
replies(2): >>45090297 #>>45090312 #
3. lucideer ◴[01 Sep 25 07:11 UTC] No.45090270[source]
"Passkeys" is a new brand name slapped on an older open, interoperable technology, so it's difficult for me to be "against passkeys" as they haven't fundamentally changed anything.

Before the branding they were known as FIDO2 "discoverable credentials" or "resident keys".

Two things have changed with the rebrand:

1. A lot of platforms are adopting support for FIDO2 resident keys. This is good actually.

2. A lot of large companies have set themselves up as providers of FIDO2 resident keys without export or migration mechanisms. This is the vendor lock-in part (no export feature), but it's not a feature of the underlying tech itself.

Fwiw FIDO are actively working on some standard for exporting/importing keys so that's something.

If you want to use passkeys without lockin, just use Bitwarden or KeepPassXC - they all have full support. Or you can also store a limited number of passkeys on your FIDO2-compatible hardware key like Yubikey or the open-source Nitrokeys.

replies(3): >>45090466 #>>45090951 #>>45091194 #
4. progval ◴[01 Sep 25 07:16 UTC] No.45090297[source]
"Passkeys are incompatible with open-source software" https://www.smokingonabike.com/2025/01/04/passkey-marketing-...
replies(1): >>45090365 #
5. dingaling ◴[01 Sep 25 07:19 UTC] No.45090312[source]
Imagine using ssh-keygen, but it locks the private key in a vendor-managed secure enclave. You can't copy it, export it, rename it or do anything wth it.
replies(1): >>45090507 #
6. fragmede ◴[01 Sep 25 07:30 UTC] No.45090365{3}[source]
Then how come KeePassXC has them?
replies(1): >>45090480 #
7. fragmede ◴[01 Sep 25 07:35 UTC] No.45090402[source]
Do you recommend a password manager to everyone you know? What's the adoption rate?
replies(3): >>45090751 #>>45090780 #>>45090786 #
8. breakingcups ◴[01 Sep 25 07:43 UTC] No.45090466[source]
Except the FIDO Alliance is trying to pressure KeepassXC to remove exporting passkeys in an open format: https://github.com/keepassxreboot/keepassxc/issues/10407
replies(3): >>45090617 #>>45090649 #>>45090815 #
9. indigo945 ◴[01 Sep 25 07:45 UTC] No.45090480{4}[source]
The linked blog post explains it. The spec can be implemented by open source software, but the upcoming (or now current?) update to the spec enables attestation, that is, it allows the auth provider to cryptographically verify which implementation the client is using. Under this scheme, auth providers can simply choose to no longer support open source implementations like KeePassXC, and since the spec authors have already claimed that KeePassXC is "non-compliant" because it doesn't ask for a PIN on every auth request, it seems likely that that would happen.
replies(2): >>45090540 #>>45090669 #
10. tadfisher ◴[01 Sep 25 07:50 UTC] No.45090507{3}[source]
I don't just imagine it, I do it, by using gpg-agent as my ssh-agent and using the private key generated by a Yubikey. Another way is to use tpm2-tools so only your laptop running your own signed boot chain can use the key. It is desirable to lock private key material in a physical thing that is hard to steal.

You can choose not to do this, and that's fine. Hardware attestation is dead because Apple refuses to implement it, so no one can force you to.

replies(1): >>45092306 #
11. fragmede ◴[01 Sep 25 07:55 UTC] No.45090540{5}[source]
Yes but it seems like KeyPassXC could just ask for PIN on every auth request to satisfy that requirement, without having to close their source.
replies(1): >>45090756 #
12. aw1621107 ◴[01 Sep 25 08:06 UTC] No.45090617{3}[source]
> trying to pressure KeepassXC to remove exporting passkeys in an open format

I'm not sure that's an entirely accurate representation of the request? At least from a quick skim the claimed issue is being able to export keys in plaintext. For example, from the issue author:

> I strongly recommend you temporarily disable this feature or at a minimum require file protection/encryption.

And later:

> > Besides, determined advanced users could just write code to decrypt the kdbx file and extract the passkeys anyway.

> That's fine. Let determined people do that, but don't make it easy for a user to be tricked into handing over all of their credentials in clear text.

> I don't quite understand why requiring file protection/encryption can't be a temporary minimum bar here.

To me that doesn't sound like they're requiring a proprietary format. Something like AES encrypted JSON sounds like it'd work as well, and that sounds pretty "open" to me?

replies(1): >>45092301 #
13. tadfisher ◴[01 Sep 25 08:13 UTC] No.45090649{3}[source]
That threat has no teeth; anyone requiring attestation these days will cut out Apple users, because Apple will not implement it (for consumer use cases). If they don't block Apple passkeys, then KeePass can send Apple's AAGUID and the game is over.

I've complained about this GH exchange in the past and have come to understand that Apple is also part of the alliance, and the entire concept of blocking software-only password managers is just dead outside of enterprise situations where they mandate the hardware/software anyway. Mr. Cappalli might disagree, but he and his employer do not have the power to change this without breaking the standard and throwing away over a decade of work.

14. tadfisher ◴[01 Sep 25 08:16 UTC] No.45090669{5}[source]
Attestation is dead outside of corporate environments. Apple will not implement it except through MDM.
replies(2): >>45090738 #>>45091137 #
15. freedomben ◴[01 Sep 25 08:29 UTC] No.45090738{6}[source]
Isn't PAT apple implementing attestation for everyone?
16. reddalo ◴[01 Sep 25 08:32 UTC] No.45090751[source]
I honestly suggest using Mozilla Firefox built-in password manager, it's enough for most people.
17. reddalo ◴[01 Sep 25 08:33 UTC] No.45090756{6}[source]
What if I don't want KeyPassXC to ask me for a PIN every time? I can modify its source code and nobody can stop me.
replies(1): >>45091712 #
18. pmontra ◴[01 Sep 25 08:39 UTC] No.45090780[source]
As a data point: when non technical friends of mine complain against password I tell them to use a password manager. The adoption rate is zero, probably because they don't even know what a password manager is, except the remember password / fill in password feature of their browser. The best I saw, from a not entirely non technical person is passwords on sheets of paper.
19. walthamstow ◴[01 Sep 25 08:40 UTC] No.45090786[source]
I have tried repeatedly to get my wife to use the family 1Password account for things we will both need, with minimal success. She is reasonably technical, she writes SQL, but she just won't do it.
replies(1): >>45092138 #
20. lucideer ◴[01 Sep 25 08:45 UTC] No.45090815{3}[source]
FIDO can't force any app developers to do anything but fwiw I think "pressuring" people to encrypt secrets at rest rather than storing them in plaintext is ok.

---

There's levels to appropriate paranoia around these things of course. SSH private keys are stored in plaintext for millions of engineers around the world - sometimes probably even passed around through unsecured emails or whatnot I would guess. They're still largely more secure than user:pass on aggregate, despite that rather major peril.

So ultimately, plaintext creds are not necessarily catastrophic. But still - imo - something worth concerted effort to dissuade at least at early stages of standards' implementation.

---

Edit: also, looks like the outcome of that thread was ultimately that KeepassXC have opted to implement the spec as per[0]. Good outcome to a good request.

[0] https://github.com/keepassxreboot/keepassxc/issues/11363

21. sunshine-o ◴[01 Sep 25 09:09 UTC] No.45090951[source]
By the way, notice Yubikey did not really release any new series/models and jacked up their price in just a few years. About 50% in 4 years.

The large adoption of those devices and standards did not lower the price.

They probably just banked on the enterprise market where every CISO was pressured to tick the hardware/2FA checkbox. And is then gonna allow to use the Microsoft/Google "software" one because it is hard to manage otherwise.

replies(1): >>45091334 #
22. GoblinSlayer ◴[01 Sep 25 09:43 UTC] No.45091137{6}[source]
Apple will implement it.
replies(1): >>45095690 #
23. ori_b ◴[01 Sep 25 09:50 UTC] No.45091194[source]
Passkeys would be wonderful if they removed remote attestation. Remote attestation is still there, so I will not touch it.
replies(1): >>45091311 #
24. lucideer ◴[01 Sep 25 10:11 UTC] No.45091311{3}[source]
Passkeys would be better without remote attestation, no doubt. But remote attestation is not only optional but also, passkeys are not a prerequisite for requiring remote attestation.

Lots of services that don't support passkeys currently require remote attestation. Boycotting passkeys (an open, possibly beneficial tech that doesn't require remote attestation) will not prevent bad actors from requiring remote attestation (with or without passkeys).

replies(1): >>45091320 #
25. ori_b ◴[01 Sep 25 10:13 UTC] No.45091320{4}[source]
Agreed. Boycotting them is necessary but insufficient.
replies(1): >>45095473 #
26. lucideer ◴[01 Sep 25 10:16 UTC] No.45091334{3}[source]
I think there's a bunch of factors to why yubi have upped their prices - not least, waiting for competition in their form factor & not seeing any emerge (token2 & nitrokey are much bulkier) probably gave them some confidence in the uniqueness of their product offering.

It's also become a much more niche product as software based (and/or primary-device-hardware-based) solutions have evolved & improved. & niche costs more.

All that said I'm really not sure why they've been so quiet on new series releases.

replies(1): >>45092612 #
27. pbhjpbhj ◴[01 Sep 25 11:12 UTC] No.45091712{7}[source]
Then your version of KeyPass will not be signed and won't pass TPM checks and so the banking app will refuse to run unless you open the signed version?
replies(1): >>45096544 #
28. mlrtime ◴[01 Sep 25 12:18 UTC] No.45092138{3}[source]
1Password is completely broken in android. I have barely a 50% success rate with it filling in passwords, I'm usually copy/pasting back and forth.

If there were anything better and as easy to use as Chrome, I'd switch.

29. g-b-r ◴[01 Sep 25 12:45 UTC] No.45092301{4}[source]
> > That's fine. Let determined people do that, but don't make it easy for a user to be tricked into handing over all of their credentials in clear text.

Has there even, ever, been an instance of that happening?

replies(1): >>45092819 #
30. oigursh ◴[01 Sep 25 12:45 UTC] No.45092306{4}[source]
Can you explain your motivation around gpg-agent and yubikey little more, please? So the private key can't be copied elsewhere?
replies(1): >>45095502 #
31. sunshine-o ◴[01 Sep 25 13:37 UTC] No.45092612{4}[source]
> I think there's a bunch of factors to why yubi have upped their prices - not least, waiting for competition in their form factor & not seeing any emerge (token2 & nitrokey are much bulkier)

It is true about the size.

Sill I do not understand the price difference between 5C Nano [0] and the PIN+ Mini-C [1]. 3 to 4 times more expensive depending on the currency.

- [0] https://www.yubico.com/pt/product/yubikey-5-series/yubikey-5...

- [1] https://www.token2.com/shop/product/pin-mini-c-release3-1-fi...

32. lucideer ◴[01 Sep 25 14:11 UTC] No.45092819{5}[source]
There have been literally thousands of documented incidents of this.

There's an entire subsection of the security industry dedicated to this happening. The DefCon international security conference holds an on-stage competition where security researchers demonstrate this happening to real targets in real time in front of a live audience.

replies(1): >>45094578 #
33. g-b-r ◴[01 Sep 25 17:13 UTC] No.45094578{6}[source]
> There have been literally thousands of documented incidents of this.

Of making people export all their credentials from a password manager and send them to a scammer?

34. lucideer ◴[01 Sep 25 18:48 UTC] No.45095473{5}[source]
No, boycotting them is entirely orthogonal to the issue. Passkeys have no role in ensuring that we do or don't rely on remote attestation - they're two totally separate considerations.

Passkeys have many benefits over current alternatives for auth, & the inclusion of remote attestation doesn't make them worse than current auth because all current auth can be coupled to remote attestation.

Continue to oppose remote attestation but do use Passkeys. They're a massive improvement.

35. tadfisher ◴[01 Sep 25 18:51 UTC] No.45095502{5}[source]
Yes, that's the motivation.

These days I would explore the TPM option, but I'm worried that has less legal teeth than a physical key if I'm in a law enforcement situation.

There's also practicality; I really, really don't want to tell my boss that TSA or whoever had access to the company git repositories and databases for X minutes or hours, and that's sidestepped by checking a bag with the Yubikey (wastes their time) or mailing it to the destination (needs a warrant).

36. tadfisher ◴[01 Sep 25 19:15 UTC] No.45095690{7}[source]
Source? That is surprising news.
37. yencabulator ◴[01 Sep 25 20:57 UTC] No.45096544{8}[source]
Which leads us back full circle to "Passkeys are incompatible with open-source software" from https://news.ycombinator.com/item?id=45090297