Posted by marbartolome 10/27/2025
We're not anywhere there yet, but we're closer than we've ever been, and things keep moving in the wrong direction.
All I really want is a computer that allows me to fully control the permissions and filesystem access of all the programs that I manually install on my system. Almost every program (in my case) needs 0 filesystem access outside of what it installed itself and shouldn't be looking or snooping at anything that isn't in its own process space.
I want a clear and simple way to limit the blast radius of how badly a program could actually screw up my system or have access to my files.
I recently experienced the opposite of this on Android, where I tried to install a very well reviewed ebook reader called MoonReader. But MoonReader seems to require complete access to every file on my Android device to work correctly. That is insane. I looked it up a bit more and it seems that Google has simplified (or something) permissions, but now there isn't much choice other than asking for full file access (I just want to give it access to one directory).
Anywho, just a minor vent, that we are insisting that the only way to make things secure is this sort of attestation path, but we don't spend any energy just making it possible to limit the blast radius of software on most OS'.
But try looking into QubesOS. You create domains where applications can do whatever in the domain (a contained VM). So your personal domain is separate from your bank domain, which is separate from your media domain.
Of course, domains themselves can do naughty things. But they cant cross over to others.
And system resources are a separate domain, as is networking.
Some downsides - gaming is a no go mostly. And if you do SDR stuff, the USB domain is a heavy hit on performance. You really need dedicated machines for those things.
In which folders it can hide, which data to access, and which hardware resources to use.
> At the moment, anyone can use Linux; it's better and easier than ever.
Maybe Linux will save us.
This was a fascinating thing to watch for me (pewdiepie telling people to install Linux): https://www.youtube.com/watch?v=pVI_smLgTY0
My bet is that the momentum is strong enough that:
- A critical mass of PC makers will continue to offer a Linux preinstalled option, or at least some path to installing Linux.
- If Windows and macOS take more rights away, it'll just help Linux's market share.
So Linux's share will probably grow not only because Linux is getting better but because the corpo OSes trying to take away general purpose computing
I am happy to use a browser on my computer to log into my bank's website.
Piracy https://en.wikipedia.org/wiki/Widevine
They can't stop it, likely never will but they do keep fighting it.
- software that are not monetised by their manufacturers should not be considered to be a commercial activity.
- supply of products with digital elements qualifying as free and open-source software components intended for integration by other manufacturers into their own products with digital elements should be considered to be making available on the market only if the component is monetised by its original manufacturer.
- development of products with digital elements qualifying as free and open-source software by not-for-profit organisations should not be considered to be a commercial activity provided that the organisation is set up in such a way that ensures that all earnings after costs are used to achieve not-for-profit objectives.
- does not apply to natural or legal persons who contribute with source code to products with digital elements qualifying as free and open-source software that are not under their responsibility.It’ll be incredibly easy to lock dissenters out of modern society. It’s too bad the vast majority of users will happily concede autonomy for a tiny bit of short term convenience.
I would say "I'm sure the mean well", but given that parties like Yubico benefit from not getting more competitors, the cynic in me is a bit worried.
Yeah, I wouldn't say that. It's clear from their public comments[1,2,3] that the spec authors don't believe the private key actually belongs to the user to do what they want with. They see services restricting what users may do with their own logins as a feature of Passkeys. It's really a shame it went in this direction. Replacing passwords with an easy-to-use keypair auth system would be a massive security improvement. But the Passkey ecosystem is poisoned at this point. Unless they remove the client ID & attestation anti-features, it should be considered a proprietary big tech protocol.
[1] Threatening an open-source passkey client with server-side bans because they don't implement passkey storage on the client device in the way the spec authors prefer. https://github.com/keepassxreboot/keepassxc/issues/10406
[2] Maintaining a list of "non-compliant" clients, including the above open-source one, presumably for use in server-side bans. https://passkeys.dev/docs/reference/known-issues/
[3] While writing an article about this on my website, I actually emailed the two involved spec authors on the above issue, politely asking how their interpretation of the Passkey spec could possibly be compatible with open source software. Neither replied.
Better to store passkeys in password manager. Then they become more secure passwords. The big advantage is that they can't be phished, and sites don't use 2FA with them. It also means you can choose password manager that you trust and work better than Apple and Google.
> Since then Passkeys are now seen as a way to capture users and audiences into a platform. What better way to encourage long term entrapment of users then by locking all their credentials into your platform, and even better, credentials that can't be extracted or exported in any capacity.
https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shatt...
Fingers crossed the Passkey user experience remains so bad no one accepts them & they just die on the vine.
And web attestation, which almost became a thing about a year ago. It is gone for now, but it will only be a matter of time before it decides to rear its ugly head again.
I hope more people come around and recognize that Richard Stallman deserves a big, resounding "you were right, we're sorry" after being attacked for his dislike of "trusted computing" and TPMs [0].
Hum... It was foolish, but it was decades after the trend started.
Looks to me that the real trend was started mostly by the wide distribution of TV and the subsequent media consolidation (that happened everywhere).
Also, who is "we" here? Because it was exactly the authoritarian-wannabes that created most of it.
Speech: https://www.youtube.com/watch?v=HUEvRyemKSg
Transcript: https://en.wikisource.org/wiki/The_Coming_War_on_General_Com...
(Of course, Stallman warned of this type of thing much earlier as well.)
He said a bunch of things. They've all been collected here: https://stallman-report.org/
What I love about that report is that the author created it with the intention of making Stallman look bad. And if you look at the author's summaries, he looks bad. However, the author also made us the favour of collecting all the statements in one single place. And if you look at the things that Stallman actually said (as opposed to the author's summaries) he doesn't look bad, he looks strictly correct.
Like, someone says "C assaulted B". And Stallman says "If A forces B to offer herself to C, C didn't assault B". Which is obivously correct. It could only be incorrect if you were redefining words to serve your purposes.
I had a look at what Stallman said and what Minsky allegedly did.
Apparently, Minsky had sex with one of Epstein's girls, who later said she was forced into it. Now, his wife denies the allegation, as she was apparently with him at all times on Epstein's island.
Now, I can believe that he went once, and maybe had sex with someone he didn't know was not doing so willingly. But, what about his wife? Was he cheating on her? Was she a part of it?
And why did he return a second time? And after Epstein's conviction in 2011???
And here comes Stallman, and he's not even denying that he's slept with someone, potentially cheating on his wife? His issue is with the wording?
Nobody in this situation looks good.
Pretty obviously.
He is a weird, socially awkward, maybe autistic guy. And such people tend to be quite pedantic and focused on strange details that "normal" people just jump over.
https://news.ycombinator.com/item?id=45722901
I disagree it's "pedantic". I think it's taking advantage of the system.
Any sane person hears "assault" and thinks that means "assault" instead it means something else.
What is happening is that the meaning of words are being changed for the purpose of using pre-existing laws. Example, you think that Bla is very bad and isn't punished enough by the law. There's law that severaly punishes Fleem. So, whenever you see Bla you call it Fleem and argue that the anti-Fleem law applies. That way you can effectively re-purpose a law. Specific example: "catcalling" is now "sexual assault" in the UK. It's easier to do it this way, than to argue that people should be punished for catcalling.
It feels like Stallman wants to defend his friend, but doesn't really have any way to do that. So, instead, he pivots to pedantry.
Like ok, assuming that Marvin really did not know, it's wrong to label him as a sexual assaulter(?). Though legally a sexual assault still occured.
But, it still doesn't explain, justify or deny that he allegedly slept with someone , possibly behind his wife's back. And it also doesn't explain that they went *BACK* to Epstein's island after knowing he was a sex trafficker. And that presumably the girl he slept with might have also been trafficked.
Correct, it's the abuse of the legal system.
> Though legally a sexual assault still occured.
Just because something is true legally doesn't mean it's ok, good, correct, moral or ethical.
We're talking about sex trafficking, which we know did occur and Epstein was convicted of. Twice.
And possibly rape/sexual assault, even though the "perpetrator" did not know about it.
You're getting awfully close to defending Epstein there.
I also can't help but notice that you ignored everything else in my comment?
Coerced/forced by whom? Are you actually stupid or just pretending?
Anyway, I get that you're confused. However, I've lost interest in talking to you.
Many big institutions lean heavily on mobile apps and other gated computing.
I live in BC Canada and by far the easiest way to authenticate a login to provincial sources involves using the BC ID App as a second factor, even when logging in via desktop. Many banks now also use their app as a second factor, rather than a generic OTP option that can run on any hardware.
There were also issues like running Netflix DRM in browser on Linux for a while.
General purpose computers won’t go away, but they will continue to be gated from more and more services until you are more or less required to have a phone or locked down ecosystem device.
This is one I’m willing to tolerate, as long as it’s optional. Something I don’t understand though is banking app setup. When I got a new phone this year, the RBC app made me submit some kind of live selfie.
The thing is, I know they can scan your debit card with NFC and authenticate the PIN. I’ve used it for a password reset in the past. Why is a selfie better than that when they presumably have nothing to compare it to?
It would be quite a scandal, legally and socially, if it was discovered that a bank was creating a database of images of their customers without consent.
According to ChatGPT: Only Illinois, Texas, and Washington really constrain that, and Illinois is the only one with real teeth.
A financial institution I have an account with requires MFA to log in, and the only options they support are SMS MFA and their proprietary smartphone app. This is acutely annoying to me, because it means I have to get up and get my phone if I want to log into this site from my PC (or rig up a complicated Android emulator setup).
Somewhat related, but if x86 loses dominance it will be even more difficult if not impossible to install Linux or other alternate OS's on ARM devices. The majority of consumer ARM electronics make it hard enough, and normally requires you to run a specific patched (and most likely outdated) Linux kernel in order to boot.
There are ARM devices which meet the ARM System Ready standard which allows you to boot whatever OS you want, but they are mostly enterprise devices such as servers. Cheapest one I've seen which your average consumer might buy was an ARM workstation with a starting price of about $1500
Broadcom SOCs preferred by Raspberry Pi require proprietary blobs to function, and much of their functionality is buried under a mountain of NDAs.
So hopefully in 8 years or so when I need a new machine, there's some decent options available to me.
But nice aint worth the cost when it comes at the expense of supporting something which is undermining everything else you believe in.
* Auth app deploys to one or two app stores. No financial incentive to do otherwise.
* App stores remain within walled gardens. Tracking, DRM, proprietary drivers come with.
I think it's pretty uncontroversial that there is a global trend towards authoritarianism, but I'm happy to hear other opinions.
Also, my hardware, my choice. It seems there is no way to actually let them know.
1) sign a petition on change.org against that APK lockdown (currently 10.5k votes) - https://c.org/BHZzNvR6pr
2) In your Android device or Google account use "Send Feedback" and articulate yourself or "Contact us" in Android under "System settings > Tips and support" or best, if you are paying subscriber for any Google LLC service, send the feedback through the subscription management channels (such as feedback in Google One, Workspace or any other paid service)
I would also suggest that there is another user base who has been using computers for a long time, before GUIs existed, is fed up with fighting malware, welcomes the protection of a sandboxed, protected system, but doesn't understand the importance of having the option of escaping the sandbox. These users might not see the loss of not being able to install a kext on Mac OS without booting into Recovery Mode. But they will notice the loss when, at some point, we can't run anything that isn't signed on any platform.
Google and Microsoft are slowly moving towards the Apple model because it works as far as decreasing support costs go.
When the day comes that there isn't any hardware we can purchase that we can't install OpenBSD/Linux/whatever we want, it will be too late. We have to push back before then somehow.
And even so, perhaps it's later than you realize. Device attestation in the browser is the final nail in the coffin, and it's a question of "when" not "if" major sites start requiring it in the name of "safety" from bots.
I recently found a plugin that can alert to JS doing shady "fingerprint-like" activity. I did not expect it to go off quite as often as it does now.
It would seem that some sites are already asking _very_ probing questions about the browser so it's only a matter of time before they go one step further and demand proof and gate on furnishment of that proof.
Sure thing!
https://jshelter.org/ is the homepage.
Think about it: you need permission to run software on your own hardware. Every time you launch a Mac App, it checks in with its masters to be sure its okay to do so - every time you install an app on your mobile device, it does the same thing.
People accept this terrible state of affairs because the "user experience is better" - but this is a fallacy. Under the cover of 'security issues' that their are incapable of fixing, due to very poor architecture decisions, OS vendors have instead bolted on an insanity and sold it to the user as progress.
Every computing device should have everything it needs, onboard, to write software for that computing device. That they don't is because the OS vendors are cowardly running from the bloat of yesteryear and adding more bloat tomorrow to cover it all up.
There will be a backlash against this. We see it already in the retro-computing and alternative-platform hacking communities, which are growing and growing, exponentially, by the year.
Its only a matter of time that someone wraps up this freedom-to-use concept in hardware that is sexy enough to compete with the totalitarian-authoritarian platform providers. Any .. day .. now ..
Meanwhile to install a kernel extension you now have to reboot into safe mode and disable part of system integrity protection (with big warnings that it's at your own risk).
For the average user, kernel extension are already gone, and unsigned software not far behind.
The wisdom of such a freewheeling ecosystem in today's era is maybe debatable, but given how user-hostile the mainline OS and software vendors can be, I say there's still plenty of room for that ecosystem and it should be preserved.
Thanks, you missed the point.
Or were you saying something else that I misunderstood?
yet :D
On UNIX, Sun was the vendor that introduced the concept of SDK SKU, thus for having developer tools, an additional SKU had to be bought, and the until then largely ignored GCC sundenly got a new focus of attention.
Mainframes and micros always needed having a group of folks from the vendor professional services for specific kinds of configurations.
I still remeber working on traditional timesharing UNIX systems, one single server for all teams, what you get to do is decided by IT for your role.
There are plenty of examples from the past on how this has been happening already.
The clones relied on GW-BASIC and later QBasic, which came on disk and was bundled with DOS, to supply this functionality, and didn't have BASIC in ROM. In fact, some early BIOS implementations, if they did not find a bootable disk, displayed a message "NO BASIC FOUND" or similar.
Trusted computing and even remote attestation have legitimate use cases. It's good, great even, that they exist. But just like everything, they can be used against you.
And this might be a reaction to the fact that music piracy is quite easy; if it wasn't, perhaps there would be no Spotify where you get basically All The Music in existence for peanuts. (Note that no equivalent subscription service exists with regards to movies or games: Netflix and Xbox Game Pass have only a limited selection of content included in their subscription.)
Having important info on your device and having that device accessible to the wild, wild, internet is a very real problem. If the "walled garden" is a flawed solution we should work on a better one.
I beg history to prove me wrong.
For anyone interested, please look at Hardware attestation and TiVoization, thanks.
Kernel being GPL has no point currently. Require hardware attestation with Microsoft private keys + systemd-boot + systemd + uutils can create a nice walled garden, allowing "vendors" to build locked-down hardware-OS pairs.
More importantly, uutils is MIT, which can attest at every level, without sharing a line of source code.
This will affect everything from small appliances to big iron and it can be very ugly.
https://wiki.archlinux.org/title/Unified_Extensible_Firmware...
What prevents Microsoft from updating Windows PC standards and eliminate the possibility of turning off secure boot and allowance of enrolling your own keychain in the secure boot process?
These are long games. Being comfortable today doesn’t guarantee same comfort and allowances tomorrow.
Ironically, we’re discussing this under Android’s increasing restrictions.
The same Android which was championed as the bastion of mobile freedom when it first came out.
I worked at a big company where GPLv2 software could be used in our systems but not GPLv3. Is it better that that GPLv3 software didn't have more users? The company didn't contribute much back so maybe it's not a big loss.
- 22K stars
- 1600+ forks
- 33 releases
- 622 contributors
- 678 users (at minimum)
- Code of conduct (with a debian.org mailing address nonetheless)
- 1 distribution shipping it as default (so far)
> The uutils project reimplements ubiquitous command line utilities in Rust. Our goal is to modernize the utils, while retaining full compatibility with the existing utilities. We are planning to replace all essential Linux tools.
This is hell of a self-tutorial.
If this was GPL licensed, I'd love to try these. But at this point, it's looking for pushing GNU out of the Linux ecosystem, completely.
if the computer won't allow to install or use other software until you install a vendor-signed version of systemd on a vendor-signed kernel we'll be there. it's about hardware attestation, not signed software, though.
Combined with uutils, which is MIT, you can build a nice (!) walled garden.
Let me say I have seen enough shenanigans over the years.
The GNU freedoms never specified the right to run free software side by side with proprietary software on the same hardware; so the FSF should actually be fine with such an outcome.
If my bank requires me to use a phone for transfers (mine doesn’t), it might be acceptable to leave one in a desk drawer powered off as you would do with a hardware authentication token. It’s a special device for occasionally accessing a service. Fine. But when governments and industry collude to force citizens to carry these devices in order to live life normally, that’s not OK.
My intent is to be as stubborn and obnoxious as possible in resisting this until they either give up and provide an alternate path or lock me away for noncompliance. Fortunately there is still an alternate path available for most things, primarily thanks to elders who have trouble with new tech. (Thank you elders!)
Or… acknowledge this is a fear of a future 30, 40, 50 years away that may never happen, which is never an argument.
It’s like saying the government, because they have power, and the SCOTUS, because they have power, could decide to kill all children. Yes, they could. No, it’s absurd to let that power keep you up at night, or say the solution is to abolish their power.
Ha! Let me know how to achieve that and I will. I’ve advocated, donated, and volunteered for years on behalf of a number of causes, some with excellent organizations promoting them, and yet things continue to get worse. The only minor victories have been temporary delays of bad policy.
No, the best response for the average citizen is stubborn noncompliance and constant passive resistance. Drag your feet until the whole thing comes crashing down. And encourage your friends to do it too! (But don’t stop trying through conventional politics, maybe one day it will work. Just don’t get your hopes up.)
The banning of Parler did more for activism and awareness regarding platform control than all FOSDEM. Of course, HN happily piled on in favor of this decision, missing the moment to build common ground on platform control, for the sake of political expediency.
If the government, or tech, starts regulating out things people actually care about, then you’ll have your sway. The rush to technical solutions seems to imply we already internally agree tech and government aren’t going to do anything the average person cares about - as it assumes the “bad future” can happen without a national policy discussion anywhere.
> HN happily piled on in favor of this decision
HN is not a monolith with a single opinion. The loudest users at the time (not just here, all over the internet) were pro-censorship political activists, so maybe that caused you to interpret things that way.
> If the government, or tech, starts regulating out things people actually care about, then you’ll have your sway.
The public will not respond until the groundwork has been laid to make effective protest impossible. Only then will important things be regulated out. Until then it will just be “nerd stuff”.
This is a lazy argument, as I can safely say that 80% or more of HN has the same political bent, and every community ever has said “but not everyone.”
Read the comments on the Parler deplatforming. See what was upvoted. See what the consensus was. Nobody cares about the principles, even here, when rubber hits the road.
Imagine if the undesirables, on either side, started actively using all the decentralized censorship-resist tech for their cause. Would the builders and commentators here be saying “working as designed,” or would there be a sense of fury, a sense of “not like that?” A sense of “that was supposed to enable my cause, not yours?”
Suppose Proud Boys coordinated their Jan 6 activities on Signal and Tor. Suppose Truth Social was built on ActivityPub and MAGA developers were the loudest voices at FOSDEM advocating for censorship-resistant protocols. How do you feel? Are we still citing the same principles? If not, we never believed them.
> The public will not respond until the groundwork has been laid to make effective protest impossible. Only then will important things be regulated out. Until then it will just be “nerd stuff”.
I’m looking at history and noticing that 99.9% of revolutions did not have the internet required to be successful.
I disagree, but even if you were correct: like, what’s your point? Are you grouping me in with them because I happen to be posting here? I reject that characterization.
Edit: I feel like this is an attempt at some kind of “gotcha” based on the example you provided. No, I don’t believe access to tech should be gated based on politics. IMHO everyone should have access to private and secure systems, as part of their human rights regarding speech, thought, and personal privacy. I attempted to raise this point in several venues during the “deplatforming” fad and explained how the political pendulum made it a bad idea. The mob remained unconvinced.
> I’m looking at history and noticing that 99.9% of revolutions did not have the internet required to be successful.
You tell me how people are going to protest effectively in the face of:
- Ubiquitous visual surveillance and facial recognition
- Ubiquitous audio surveillance via pocket spies and things like Flock/ShotSpotter/other competing systems
- Ubiquitous ALPR systems and GPS-enabled “digital plates” being trialed in some areas
- Data mining coupled with AI behavioral analysis (sloppy but likely good enough)
- An increasing percentage of cars with remote shutdown capabilities
- The replacement of cash with digital currency that can be remotely disabled
The future looks a lot like China, but without their “economic miracle” that has kept the population satisfied.
There are more
AROS, GNU-HURD and more
you can always contribute code, maintain an app, report a bug
You can buy HW to run AOSP, like Raspberry-PI or RISC-V
We are the consumers, we have the wallet.
After that, certified locked down BigTech 'Personal Computing' will be the only menu choice.
They force anyone distributing software into the legal system so a “3rd party” can sue and destroy the life of anyone that goes against the system they want. Anything they don’t like will be accused of violating patents, etc. and the option to distribute anonymously for the good of users / society will no longer exist.
So you’ll still be able to write code and scripts and play on the side on your laptop, but if you want to access your banks webpage (or really, anything you get through someone else’s server: streaming media, the news, porn, whatever) you’ll be forced to Chrome + laptop with TPM + authentication through smartphone app.
Not ideal.
I care about the free-ness and open-ness of my computer, because that's where I do all my work, my E-mail, my finances, and all my "serious computing." I feel that a different standard applies on a Real Computer because they are totally different devices, used for totally different purposes. So what I accept on phones, cars, and gaming consoles, I don't accept on my computer.
I believe the likelihood of a smartphone being the only form of computing (and access to the internet in particular) grows with diminishing income / cultural means.
This is based on anecdotal observation, does anybody here know of relevant survey data?
Based on a cursory look, keywords can include "smartphone-only internet users" and "large-screen computer ownership".
The American Community Survey asks questions related to that (income, computing devices). Comparing states, the poorer the residents of a state, the smaller the percent of households with regular computers ("large-screen computer ownership"), per "Computer Ownership and the Digital Divide" (Mihaylova and Whitacre, 2025) [0, 1, 2].
Also, Pew runs surveys on income and device usage ("smartphone-only"). Again, the lower the income, the higher the proportion that is smartphone-only [3, 4].
[0] Chart: https://files.catbox.moe/emdada.png
[1] Paper, "Census Data with Brian Whitacre.pdf": https://files.catbox.moe/1ttgee.pdf
[2] Web: https://www.benton.org/blog/computer-ownership-and-digital-d...
[3] Pew chart: https://files.catbox.moe/fs62tf.png
[4] Pew web: https://www.pewresearch.org/internet/fact-sheet/mobile/
The idea that smartphones aren't computers and their users aren't deserving of software freedom is frustratingly entitled.
