Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
much thanks to @gary_host_laptop for the logo design :)
This might be a hot take but the best way to avoid or "bypass" onerous things like the "integrity API" is to opt out of the proprietary world as much as possible. Use exclusively free (Libre) software and technology where you can.
We should not be thinking in terms of how do we get proprietary crapware onto our free systems, because that defeats the purpose of a free system. The idea is to build an alternative to the proprietary world.
GrapheneOS is already working on it:
We're going to add a secure way of working around this without breaking the app source security model. We'll be adding support for having the OS automatically verify the Play Store signing metadata and then inform Play services those apps were installed from the Play Store.
That's already released and only deals with recent changes. It doesn't fix apps using strong integrity challenges
Do you think we can find a way to bypass these,
Yes. Direct physical access always wins. A device in my hands is my device.
or is the future of the digital world just authoritarian and dystopian?
Yes. Many people aren't going to explore the solutions, or be willing to give up the convenience that comes with not changing what they're doing.
A device in my hands is my device.
Could you then please help root the Meta Quest 3? So far I believe nobody managed.
We're a decade too early for open source vr.
That's not a VR headset, You bought an expensive Facebook paperweight.
Edit for TL;DR as this became lengthy : agreed, do NOT buy "an expensive Facebook paperweight" but also, open source VR exists today! Depending on your definition and needs, there is a lot that can be done and you can help.
Rooting isn't open source...
Anyway Valve Index runs perfectly on Linux, that's how I finished Half-life: Alyx. I also do already have a rooted Lynx XR1 and a Project NorthStar which is open hardware (even though not OSHW iirc).
There are also :
IMHO one of the best resource covering that and more is https://lvra.gitlab.io/
So... I'm a bit confused, maybe I misunderstood, what did you mean by being "a decade too early"? Which functionality specifically is missing today?
The Index and the Quest are entirely different things.
The index is a monitor with sensors attached to it.
The Quest is a proprietary PC with an ecosystem, DRM and billion dollar company backing.
Rooting isn't open source They don't have anything to do with each other other than the fact that you don't need to root open source devices. They lock us out of root because they don't want us to control our own devices, They want us to use their stores, they're walled gardens, and their support for everything which is very un-open source.
My point behind touting an open source mobile VR device would be that it would not need to be rooted.
I looked at the hardware you mentioned and while the open stuff looks very nice it looks very not available for anyone to purchase. Do you expect any of that hardware to be more available soon?
I sadly believe we’re fucked
We where fucked when the internet got consolidated into what five companies.
And them being in the USA as well
We were fucked a long time ago it's just the effects showing now. But I hope the rebels at Graphene OS and other custom ROMs will find a way.
Sadly I moved away from Graphene because of all the restrictions :(
IMO the only reason tech world can be authoritarian is people's negligence. Otherwise even if all major brands produce unhackable locked down hardware, people could boycott those and buy the one obscure open device (like pine64) and market force will force big names to revert.
Corporations do not have power by themselves. People refusing to think and understand gives them power. Same applies to mainstream politics.
They have money which means they advertise which influences peoples decisions. As much as some people might deny it ads work.
So unless I can convince my mom to install Firefox we're fucked.
...we're fucked.
Unless you can convince them to get out of the 'surveillance for free stuff' market then they're fucked, not everyone.
You can choose to use free and open source software and sped time learning and putting together a system that benefits you. Or you can just sign up for Google, let them do all of the work in exchange for spying on you with every device that you buy and put in your house.
I'm fucked either way. Big corporations control so much of the internet devices the chances are my stuff is going to them anyway.
yes. also your friends, not only mom.
(/s aside, most people of younger generations don't care as well, not only elderly less tech literate folks)
We are soooo fucked.
If you can root your phone and use an xposed module, maybe. Or the EU forces them. Otherwise, there's not much option.
Well the idea of having attestation isn't the problem. The problem is that apps requiring attestation (banks, insurance providers, ID-systems) use the most convenient solution. Slapping on Googles prebuild attestation. Graphene for example, provides alternative attestation for their OS and offers docs for anyone to implement a more fitting set of checks.
There are two approaches here: If you're upset that your hacked-to-bits, rooted, unlocked and/or unencrypted device is failing checks: I'd say, tough luck. Until we can create provably untampered app-containers, that level of access genuinely breaks TOS on apps and regulations on handling personal data. Breaking those checks is then breaking those compliances in an unsafe way.
If you believe your setup is actually secure and compliant, just not in a way the allmighty Google intended: Try and get an attestation module for your setup. Fight for these apps to accept non-Google attestation and fight for devices that don't artificially limit what can pass as secure.
What kind of bullshit is this. Breaks what regulations? You know everyone allows things to happen on a computer which guess what you have root access to and is "unsecure" This bullshit gets said so many times but it is not true.
If you're upset that your hacked-to-bits, rooted, unlocked and/or unencrypted device is failing checks: I'd say, tough luck. Until we can create provably untampered app-containers, that level of access genuinely breaks TOS on apps and regulations on handling personal data.
Hard disagree. If you own the device, you should be in full control of what's going on. Sure, attestation can give some extra security, but that decision should be up to the user. Everything else is just excuses for user hostile DRM: platforms levaraging technology to secure their own profit margin against the interests of user.
Yyyyyyupp
"Oh no, this device is rooted! :(" Yes because I know what I am doing, now show me my account balance you stupid piece of ahit banking app.
Banking app: "Oh no, your device does not conform to Google's latest whim, terribly insecure, can't let you make a SEPA."
Baking website: "Opera on an outdated, pirated copy of Windows? Looks a-ok to me!"
I don't disagree with owning your hardware. I'm saying that a regulatory body can pose rules on where critical software can run. Part of this is data exposure: A banking app running in a tampered environment makes some malwares possible, which is the side you want an "I know what I'm doing"-button for. But it also creates risk for the bank. In letting you look into network-traffic and memory-dumps, you may discover ways to manipulate an unrooted instance or the backend server. This is security through obscurity and I'd much rather have everything open-source, but it's what we're dealing with.
On the other hand, the bank promises to cover damages, whenever they do mess up. You could give them an easy excuse by taking on that responsibility. But regulations don't allow that, much like they don't allow you to do your own high-voltage, high-current electricity. And frown upon you breaking load-bearing walls in a housing complex to have a more open kitchen. There is a line where "let me do what I want" becomes anarchy.
Now bringing DRM into this, misses the point. There is telemetry in these apps. But there is no piracy or copyright infringement to be had. The bank doesn't fear you giving yourself a million dollars by changing your balance in memory. It's all about responsibility in case something goes south. They would love to shift it all onto you, but they're not allowed to do that. Attestation was never about protecting you, it's about protecting them from being blamed.
There is a bunch of parties making guarantees and complying with rulesets. Domino-ing all of them would make you extremely vulnerable. Which is why I opted for "tamper-proof containers running in a unproven host", rather than signing an unlimited waiver.
Bullshit show me the regulations about a banking app nedding attestation on a phone. Most of them are just wrapped websites anyway. So why do they run on PC's if regulations demand data security? This is so much bullshit.