• 1 Post
  • 65 Comments
Joined 10 months ago
Cake day: June 3rd, 2025


  • They’re two sides of the same coin. Can’t have privacy without security and can’t have security without privacy.

    Hmmm… I half agree with what you said. The cornerstone of most security is an element of initial trust.

    With SSL, we’re trusting that the certificate authority is valid.

    With tools like GPG, I (as the sender) am trusting that the key I’m using to sign a message is really yours.

    With Android we (the users) and the application developers are trusting Google (hence why “sideloading” is now “bad”, because Google says it is).

    I absolutely agree that privacy cannot exist without security. But, your privacy is dependent on who your security model trusts.

    I don’t trust Google with my privacy (hence, I degoogle), but my bank app doesn’t trust my security (hence, the app can only be installed via Google Play).

    So, privacy is dependent on security, but security is built on trust.


  • To expand on this a bit:

    It’s all built on top of the concept of “a chain of trust”, starting at the hardware level.

    (as mentioned) TPM is a chip that’ll store encryption keys at a hardware level and retrieval of these keys can only happen if the hardware is unmodified.

    I assume that part of this key is derived from aspects of your OS (ie: all device drivers are signed by MS).

    The OS will fetch this key, if it’s valid - the OS knows that the hardware is untampered, it can then verify that the OS is unmodified, which can then be used by applications to determine that they’re not modified, etc.

    Now you could spoof your own TPM chip (similar to how Switch 1’s are chipped/modded), but the deal-breaker is that when you add your key to the TPM chip, you sign it with a hardware vendor-specific public key. And that vendor private key is baked into the hardware (often into the CPU, so the private key never crosses the hardware bus).








  • While the BitTorrent angle is not new, the authors previously only included a ‘distribution’ claim based on direct copyright infringement. This claim has a higher evidence standard, as it typically requires evidence that the infringer shares a whole work with a third party.

    Since BitTorrent transfers break up files into smaller chunks before they are shared, it might be difficult to prove that a whole work is shared.

    If the case sides with Meta, I can see future defenses pouring in “Ya, see your honor - I’m innocent cause I only seeded 99.99% of that movie.”


  • I do use a (modded) version of graphene as a daily driver and I do appreciate many of the features that it offers.

    And I totally agree that some people seem to try to turn graphene into some rigid cult (especially on the philosophy of running root and “who decides how application backup should be made? The application developer or the device/data owner”)

    That said:

    the idea that the only way I can not get assraped on the reg is to give a shitload of money to google and then use this elitist OS is something I have a gigantic problem with.

    There is actually a technical reason for this. Pixel phones are the only ones to support custom AvB keys.

    Basically, this allows you (or graphene) to create a key, which can be used to sign your custom firmware. So, you can have a locked bootloader that will only allow OS updates signed with your key.

    You can basically create your own OTA updates. It’s fantastic.

    It’s amazing and disappointing that most phone manufacturers don’t allow custom AvB keys, but it’s a reflection of how they truly don’t care about people who like to tinker.

    Now, should the lack of custom AvB keys be a barrier towards using graphene? Tbh, I don’t think so - but it does fit the graphene rigid MO of “root is bad”.

    edit: fixed link





  • I don’t think it’s that easy.

    Interactivity only possible for most at small scale.

    You’re overlooking the real OG of the internet: usenet, irc and bulletin board systems (bbs).

    The internet has always needed an “easy access” place to communicate, ask questions, or joke around - with a broad audience from around the world.

    Of course, gopher, ftp, and http - did exactly as you said: serve static content.

    But the internet has always needed a place for “dynamic” conversation and it’s these places that are overrun with bots.


  • is it worth it?

    I’ll try to be objective.

    The Pros:

    1. Graphene gives you more “control” over your data “out of the box” than any other custom firmware. Yes, you can patch and mod your favorite firmware to your liking, but graphene “just works”
    2. It’s rock solid and reliable. It only supports one hardware family. I’ve never had graphene lock-up, crash, camera stop working, etc
    3. The installation and upgrading is amazingly easy (compared to other cfw) and streamlined. After the initial setup, it behaves just like any ofw.
    4. You’ll see just how much of an intrusive cancer Google has become (Google play has a “feature” where they’ll dynamically load code and try to run it - graphene blocks this kinda crap).
    5. Going back to stock Google (with locked bootloader) is rather easy. So you don’t have much to lose (other than a few hours) in trying.

    The Cons:

    1. Some apps will crash. Graphene hardens how applications behave (in terms of accessing memory, for example); some apps are buggy and will not work. Not many apps (maybe 1 or 2 out of 30+) but it does happen and you can fiddle with the app settings to try to fix it, but it’s tedious through trial-and-error
    2. Some apps won’t work, like maybe your bank because it will never pass the “Google integrity” checks. The fear and concern is that more and more apps will start to block cfw. So expect that you might need a second device.
    3. Any apps/processes that deal with money (tap-to-pay, Google wallet) probably will not work (again, it fails the “Google integrity” checks).
    4. (personal preference) I don’t like the graphene launcher nor their store nor their (boring) default icons. However, graphene empowers you to change/replace all this.

  • They’re just people doing a job that I regret is necessary…

    I think this is the difference, many people believe that the TSA are not necessary nor effective.

    9/11 (which was the fuel to create the TSA) happened because at that time the expected response when your (as the passenger) plane was hijacked, was to stay calm and sit and wait for the plane to land, while random demands/negotiations were made with local governments. Yes, a few people might be killed as an “example” or threat, but if you waited patiently your government would save you.

    9/11 shattered that illusion/“rules of engagement”. Now, all of a sudden, if your plane is hijacked you’ll find yourself as an unwilling participant in someone’s suicide run and your only way to survive will be to fight as though your life depends on it (because it does).

    In this respect, the complacency of 9/11 will never happen again regardless if the TSA exists or not.


  • You would need to create yet another version of HTTP to handle that…

    We’re going down the rabbit hole, but I’ll play along:

    I don’t think we’d need a “new http” version to support this. It could all be done with http headers.

    Disclaimer: I’m spit balling here, there are probably more efficient ways to do this.

    Anyway, when you go to your bank, included in your bank’s response header would be a “challenge” (a blob of data as X-Age-ThinkOfTheChildren-Request).

    Your browser would pick this up and generate a “response” and send this as part of all future requests to your bank, like an http-cookie (X-Age-ThinkOfTheChildren-Response).

    The “response” was created using the bank’s challenge plus using the unique age certificate stored on your pc (in your TPM module), which was generated (and “officially digitally signed”) during your initial “age registration process”.

    The bank looks at the response, verifies that it was properly signed by the “official age verification organization” (simply using the same technology used to verify ssl certs are valid).

    Of course, this entire process depends on a “chain of trust”. The bank needs to trust that you didn’t hack your browser to forward these challenges to another pc. However, this is realistic. As part of the initial age verification process, you can only use “trusted vendors” (ie: Red Hat, Ubuntu) - this means they are required to prevent you from installing “hacked” apps. This could be in the form of preventing certain browser plug-ins and only allowing distro provided versions of your web-browser.

    Banks are the slowest companies to handle that kind of modification.

    True, but this also depends on the bank. Fintech banks like Revolut were the first ones to start blocking access to phones that are rooted or running custom firmware (… because they care about security /s)

    Most of the effort to implement this will be at the OS and browser level, but this would be a universal solution. Meaning, it would be trivial for your bank, email service, porn site to support it as it’s simply generating a challenge and verifying the response.

    With microslop forcing tpm 2.0 as a hardware requirement into windows 11, all the pieces are in place to pull this off - it just needs the software and the legal requirement.
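
The challenge/response exchange sketched in the comment above, as an added example that is not part of the original comment. It uses the two header names from the comment; the textbook-RSA helpers stand in for a real signature scheme, and the names `enroll`, `browser_respond` and `Site`, the constructed keys, the single-use nonce and the binding of the site origin into the signed message are all assumptions made for illustration.

```python
import hashlib, json, secrets
E = 65537  # public exponent shared by both toy keys

def make_key(p, q):  # textbook RSA from known primes, a stand-in for a real scheme
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_digest(data, key["n"]), key["d"], key["n"])

def verify(n, data, sig):
    return pow(sig, E, n) == _digest(data, n)

# Constructed demo keys built from Mersenne primes (trivially factorable).
AUTHORITY = make_key(2**107 - 1, 2**127 - 1)  # the "official age verification organization"
DEVICE = make_key(2**61 - 1, 2**89 - 1)       # would live in the TPM

def enroll(device_n, over_18):
    """Registration: the authority signs the device public key plus the age claim."""
    claim = json.dumps({"n": device_n, "over_18": over_18}, sort_keys=True)
    return {"claim": claim, "sig": sign(AUTHORITY, claim.encode())}

def browser_respond(origin, request_headers, cert):
    """Browser side: sign origin|nonce with the device key, attach the certificate."""
    nonce = request_headers["X-Age-ThinkOfTheChildren-Request"]
    body = {"nonce": nonce, "cert": cert, "sig": sign(DEVICE, f"{origin}|{nonce}".encode())}
    return {"X-Age-ThinkOfTheChildren-Response": json.dumps(body)}

class Site:  # relying party (the bank): issues challenges and verifies responses
    def __init__(self, origin, authority_n):
        self.origin, self.authority_n, self.pending = origin, authority_n, set()

    def challenge_header(self):
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return {"X-Age-ThinkOfTheChildren-Request": nonce}

    def check(self, headers):
        try:
            r = json.loads(headers["X-Age-ThinkOfTheChildren-Response"])
            cert, nonce = r["cert"], r["nonce"]
            self.pending.remove(nonce)  # single use: unknown or replayed nonce raises KeyError
            claim = json.loads(cert["claim"])
            return (verify(self.authority_n, cert["claim"].encode(), cert["sig"])
                    and claim["over_18"] is True
                    and verify(claim["n"], f"{self.origin}|{nonce}".encode(), r["sig"]))
        except (KeyError, TypeError, ValueError, AttributeError):
            return False
```

The site only needs the authority's public modulus to check a response, which is the "trivial for the site" half of the design; whether the device key really stays inside trusted hardware is the chain-of-trust half that this sketch does not model.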




  • Because Linux distributions can be created free-willy. Just check out Linux From Scratch, Gentoo, etc. Same with live boot from USB, same with stripped down server distros like Alpine — you have the same issue.

    I don’t want to be “that person”, but here’s how it could play out…

    The “free-willy” distros would not fulfill the “trust” requirements needed to pass the “certification process”. You can still use them, but think of it like running custom firmware on your cellphone: you’re not going to be able to access your bank, but some things will still work.

    Larger distros (Red Hat, Ubuntu, etc) would pay to pass the “certification process”, but this would come by making certain concessions:

    1. The kernel would not be allowed to be tainted. Which means you can only use official kernel modules provided by your vendor (no self-compiling)
    2. Certain kernel modules would need to be removed (or nerfed). For example the Fuse filesystem.
    3. You could probably keep root access or at least a nerfed version of it.

    Then with these concessions, your PC would be deemed “reliable” to perform the necessary age verification and have this confirmation passed through your browser to your favorite porn site.