←back to thread

Epic celebrates "the end of the Apple Tax" after court win in iOS payments case

(arstechnica.com)
432 points nobody9999 | 2 comments | 12 Dec 25 16:04 UTC | HN request time: 0s | source
Show context
codedokode ◴[12 Dec 25 17:38 UTC] No.46246465[source]
In my opinion, every manufacturer of a programmable device should not be allowed to prevent the buyer from reprogramming it.
replies(8): >>46247960 #>>46248388 #>>46250102 #>>46250233 #>>46251819 #>>46252140 #>>46252929 #>>46280460 #
rstuart4133 ◴[13 Dec 25 03:50 UTC] No.46251819[source]
I would not buy a FIDO2 token if it allowed anybody to reprogram it, including me. If you managed to make selling me such a device illegal, then may a pox descend on your house.
replies(3): >>46252137 #>>46252249 #>>46256587 #
octoberfranklin ◴[13 Dec 25 05:25 UTC] No.46252249[source]
You're free to choose not to reprogram it, so the pox is actually upon your house.

Also, you should probably spend more time reading about cryptography and less time reading FIDO Alliance propaganda.

replies(1): >>46252426 #
rstuart4133 ◴[13 Dec 25 06:04 UTC] No.46252426[source]
I'm guessing you don't understand the reason I don't want it to be reprogrammable. Yes, there are some advantages to me being able to reprogram it. But it comes with two big downsides.

The first is if I can reprogram it, then so can anyone else. I don't know what the situation is where you live, but government has passed laws allowing them to compel all manufacturers of reprogrammable devices to all them to reprogram is with their spyware.

The second is places I interact with, like banks, insist on having guarantees on the devices I use to authenticate myself. Devices like a credit card. "I promise to never reprogram this card so it debits someone else's account" simply won't fly with them.

The easy way out of that is to ensure the entity who can reprogram it has a lot of skin in the game and deep pockets. This is why they trust a locked pixel running Google signed android to store your cards. But take the same phone running a near identical OS, but on unlocked hardware so you reprogram it, and they won't let you store cards.

But that's the easy way out. It still let's a government force Google to install spyware, so it's not the most secure way. One way to make it secure is to insist no one can reprogram it. That's what a credit card does.

In any case, if someone successfully got the law changed in the way the OP suggested, so people could not use their devices as a digital passport, it won't only be me wishing a pox on their house.

replies(4): >>46255232 #>>46256599 #>>46257484 #>>46271997 #
1. thesnide ◴[13 Dec 25 20:04 UTC] No.46257484[source]
for such security devices, there is OTP.

I prefer to have my auth device bricked than compromised.

for anything else, i want to be able to reprogram.

so for vendors, a simple choice :

* be OTP, but no "patching"

* be R/W, but also by its owner

replies(1): >>46258978 #
2. rstuart4133 ◴[13 Dec 25 22:48 UTC] No.46258978[source]
Fair enough. Sort of. You can get the same assurances OTP gives you using secure boot + open source + reproducible builds.

Regardless the rest us who don't want to go through the extra work OTP creates still of use want to put our credit cards, fido2 keys, government licences, concert tickets and whatever else in one general purpose computing device so we don't have to carry lots of little auth devices. To do pull that off securely this device must have firmware I can not change.

The OP wants to make it illegal to sell a device with firmware I can not change.

In asking for that, they've demonstrated they don't have a clue how secure and opening computing works. If they somehow got it implemented it would be a security disaster for them and everybody else.