The whole law is dumb. They need to create a standard universal method first. So when does this protection get applied? Can’t somebody just boot a thumb drive?
What about system accounts that don’t have a user? Super users? Automated installs? Embedded system? What age is the ec2 user in aws? There are so many questions that I’m sure don’t have a good answer in this garbage legislation.
All the other problems with it aside literally this… All operating system providers, including Linux somehow, are supposed to implement a system with a background API that can be pinged by websites through a method that hasn’t even been made yet… concept of a thing to your software that communicates with this other concept of a thing or else we fined into the ground effective in less than one year… Good luck.
Pssst Microsoft… pssst Apple… Don’t worry we’ll send you exactly what to put in your code. Just keep it to yourselves tho
How I understood it would be that the api could be implemented as an API contained within your os. So it would be more equivalent to comparing it to a system call like open file or allocate memory than a REST API.
when major websites start doing this weird browser or os based signature verification, tails isn’t going to work very well on them anymore. using the internet without your signature will probably be about as fun as it is to browse with tor right now
It’s a solution that seems so divorced from reality… I don’t quite understand how the expectation is reasonable, unless the goal is to force complaints to surface from the OS developers so that they can refine future versions of the law with more accuracy.
Because Linux distributions can be created free-willy. Just check out Linux From Scratch, Gentoo, etc. Same with live boot from USB, same with stripped down server distros like Alpine — you have the same issue.
Linux isn’t a product in the same way that other products can be regulated. It would make more sense if they defined clearly who this law actually targets, being something that is actually enforceable; something like this:
Any general-purpose computing device sold to consumers that includes an operating system capable of executing third-party applications…
All systems built after <xyz> date must include a MINIX subos that reproduces this API…
All browsers with GUI must support integration with the API, if they also want to support viewing of sensitive content
All porn distributors must validate age range via the API exposed via the browser, or refuse serving content
That at least makes some sense. In a way, it only targets PC distributors and porn distributors. The end user could still do whatever they want, but porn distributors may not serve content to them without the functionality described.
Because Linux distributions can be created free-willy. Just check out Linux From Scratch, Gentoo, etc. Same with live boot from USB, same with stripped down server distros like Alpine — you have the same issue.
I don’t want to be “that person”, but here’s how it could play out…
The “free-willy” distros would not fulfill the “trust” requirements needed to pass the “certification process”. You can still use them, but think of it like running custom firmware on your cellphone: you’re not going to be able to access your bank, but somethings will still work.
Larger distros (Red Hat, Ubuntu, etc) would pay to pass the “certification process”, but this would come by making certain concessions:
The kernel would not be allowed to be tainted. Which means you can only use official kernel modules provided by your vendor (no self-compiling)
Certain kernel modules would needed to be removed (or nerfed). For example the Fuse filesystem.
You could probably keep root access or at least a nerfed version of it.
Then with theses concessions, your PC world be deemed “reliable” to perform the necessary age verification and have this confirmation passed through your browser to your favor porn site.
You would need to create yet another version of HTTP to handle that (a few years) and banks would have to handle it globally (at least 5 years from my own experience). It will never happen like that. Banks are the slowest companies to handle that kind of modification.
You would need to create yet another version of HTTP to handle that…
We’re going down the rabbit hole, but I’ll play along:
I don’t think we’d need a “new http” version to support this. It could all be done with http headers.
Disclaimer: I’m spit balling here, there are probably more efficient ways to do this.
Anyway, when you go to your bank, included in your banks response header would be a “challenge” (a blob of data in as X-Age-ThinkOfTheChildren-Request).
Your browser would pick this up and generate a “response” and send this as part of all future requests to your bank, like an http-cookie (X-Age-ThinkOfTheChildren-Response).
The “response” was created using the banks challenge plus using the unique age certificate stored on your pc (in your TPM module), which was generated (and “officially digitally signed”) during your initial “age registration process”.
The bank looks at the response, verifies that it was probably signed by the “official age verification organization” (simply using the same technology used to verify ssl certs are valid).
Of course, this entire process depends on a “chain of trust”. The bank needs to trust that you didn’t hack your browser to forward these challenges to another pc. However, this is realistic. As part of the initial age verification process, you can only use “trusted vendors” (ie: Red Hat, Ubuntu) - this means they are required to prevent you from installing “hacked” apps. This could be in the form of preventing certain browser plug-ins and only allowing distro provided versions of your web-browser.
Banks are the slowest companies to handle that kind of modification.
True, but this also depends on the bank. Fintech banks like Revolut were the first ones to start to blocking access to phones that are rooted or running custom firmware (… because they care about security /s)
Most of the effort to implement this will be at the OS and browse level, but this would be a univeral solution. Meaning, it would be trivial for your bank, email service, porn site to support it as it’s simply generating a challenge and verifying the response.
With microslop forcing tpm 2.0 as a hardware requirement into windows 11, all the pieces are in place to pull this off - it just needs the software and the legal requirement.
It’s like M$ secure boot on steroids. Speaking of which, we really ought to have our entire computing ecosystem less dependant on the wills of like 10 companies
Damn, that sounds like gunk. I’ve been so exciting about the day and age when phones reach the same level of customizability as a PC. Little did I know, they want to phoneify the PCs instead.
The whole law is dumb. They need to create a standard universal method first. So when does this protection get applied? Can’t somebody just boot a thumb drive?
What about system accounts that don’t have a user? Super users? Automated installs? Embedded system? What age is the ec2 user in aws? There are so many questions that I’m sure don’t have a good answer in this garbage legislation.
All the other problems with it aside literally this… All operating system providers, including Linux somehow, are supposed to implement a system with a background API that can be pinged by websites through a method that hasn’t even been made yet… concept of a thing to your software that communicates with this other concept of a thing or else we fined into the ground effective in less than one year… Good luck.
Pssst Microsoft… pssst Apple… Don’t worry we’ll send you exactly what to put in your code. Just keep it to yourselves tho
How I understood it would be that the api could be implemented as an API contained within your os. So it would be more equivalent to comparing it to a system call like open file or allocate memory than a REST API.
This has gotten me especially curious about Tails.
when major websites start doing this weird browser or os based signature verification, tails isn’t going to work very well on them anymore. using the internet without your signature will probably be about as fun as it is to browse with tor right now
generate a new signature with some fake history for every site you visit
that is not going to work
That’s what I was afraid of, and that sucks because using Tails could mean avoiding prison or worse for journalists doing certain work.
journalism is dead
It’s a solution that seems so divorced from reality… I don’t quite understand how the expectation is reasonable, unless the goal is to force complaints to surface from the OS developers so that they can refine future versions of the law with more accuracy.
Because Linux distributions can be created free-willy. Just check out Linux From Scratch, Gentoo, etc. Same with live boot from USB, same with stripped down server distros like Alpine — you have the same issue.
Linux isn’t a product in the same way that other products can be regulated. It would make more sense if they defined clearly who this law actually targets, being something that is actually enforceable; something like this:
That at least makes some sense. In a way, it only targets PC distributors and porn distributors. The end user could still do whatever they want, but porn distributors may not serve content to them without the functionality described.
I don’t want to be “that person”, but here’s how it could play out…
The “free-willy” distros would not fulfill the “trust” requirements needed to pass the “certification process”. You can still use them, but think of it like running custom firmware on your cellphone: you’re not going to be able to access your bank, but somethings will still work.
Larger distros (Red Hat, Ubuntu, etc) would pay to pass the “certification process”, but this would come by making certain concessions:
Then with theses concessions, your PC world be deemed “reliable” to perform the necessary age verification and have this confirmation passed through your browser to your favor porn site.
You would need to create yet another version of HTTP to handle that (a few years) and banks would have to handle it globally (at least 5 years from my own experience). It will never happen like that. Banks are the slowest companies to handle that kind of modification.
We’re going down the rabbit hole, but I’ll play along:
I don’t think we’d need a “new http” version to support this. It could all be done with http headers.
Disclaimer: I’m spit balling here, there are probably more efficient ways to do this.
Anyway, when you go to your bank, included in your banks response header would be a “challenge” (a blob of data in as
X-Age-ThinkOfTheChildren-Request).Your browser would pick this up and generate a “response” and send this as part of all future requests to your bank, like an http-cookie (
X-Age-ThinkOfTheChildren-Response).The “response” was created using the banks challenge plus using the unique age certificate stored on your pc (in your TPM module), which was generated (and “officially digitally signed”) during your initial “age registration process”.
The bank looks at the response, verifies that it was probably signed by the “official age verification organization” (simply using the same technology used to verify ssl certs are valid).
Of course, this entire process depends on a “chain of trust”. The bank needs to trust that you didn’t hack your browser to forward these challenges to another pc. However, this is realistic. As part of the initial age verification process, you can only use “trusted vendors” (ie: Red Hat, Ubuntu) - this means they are required to prevent you from installing “hacked” apps. This could be in the form of preventing certain browser plug-ins and only allowing distro provided versions of your web-browser.
True, but this also depends on the bank. Fintech banks like Revolut were the first ones to start to blocking access to phones that are rooted or running custom firmware (… because they care about security /s)
Most of the effort to implement this will be at the OS and browse level, but this would be a univeral solution. Meaning, it would be trivial for your bank, email service, porn site to support it as it’s simply generating a challenge and verifying the response.
With microslop forcing tpm 2.0 as a hardware requirement into windows 11, all the pieces are in place to pull this off - it just needs the software and the legal requirement.
It’s like M$ secure boot on steroids. Speaking of which, we really ought to have our entire computing ecosystem less dependant on the wills of like 10 companies
Damn, that sounds like gunk. I’ve been so exciting about the day and age when phones reach the same level of customizability as a PC. Little did I know, they want to phoneify the PCs instead.
Yeah, I have wanted my phone to be more like a computer for a long time, not the other way around! This timeline sucks.