I actually don't disagree with you. As I mention in the article:
> I cannot say how much freedom it will take. Arguably, some of the new features will be “good.” Massively reduced cheating in online multiplayer games is something many gamers could appreciate (unless they cheat). Being able to potentially play 4K Blu-ray Discs on your PC again would be convenient.
However, I'm more worried about the questions the increased deployment of technology will bring, such as will Linux users be doomed to a CAPTCHA onslaught being the untrusted devices, or worse. Important questions that, unless raised, risk us just "going with the flow" until it is way too late.
> Massively reduced cheating in online multiplayer games is something many gamers could appreciate (unless they cheat).
I have a rooted Android phone and I had to spend effort spoofing attestation in order to even launch some of my games which don't even have multiplayer. Allow me to be the one to tell you that I do not appreciate it.
I don't even care enough to cheat at these games but if I wanted to cheat it would be merely an exercise of my computer freedom which nobody has any business denying.
IMHO I don't see a CAPTCHA onslaught happening - if only because at that point the CAPTCHAs will be practically useless at stopping bots. They will just ban untrusted devices.
The current landscape of CAPTCHA technology is pretty bleak. It's pretty easy to use ML to learn and solve the early first-gen CAPTCHAs that just used crossed-out words. Google reCAPTCHA relies primarily on user data, obfuscation, and browser fingerprinting to filter out bots, but that only works because of (possibly misplaced) trust in Google. It falls back to an image recognition challenge (which hCaptcha uses exclusively) if you don't have a good data profile - which can also be solved by automated means.
I don't see desktop Linux being fully untrusted off the Internet, if only because Google won't let it happen. They banned Windows workstations internally over a decade ago and they are institutionally reliant upon Linux and macOS. What will almost certainly happen is that Linux will be relegated to forwarding attestation responses between Pluton, some annoying blob in Google Chrome, and any web service that does not want to be flooded with bots in our new hellscape of post-scarcity automation.
Another "doomsday scenario" is that a distinct market for FOSS hardware will arise, albeit much shittier hardware than what everyone else uses. Those users will become fringe and progressively isolated.
This is already the case for FOSS communications software and social networks.
In the past you culd use your FOSS client to commicate with your ICQ, AIM, MSN Messenger-using friends. Today, not using the official client will likely get you banned from the network.
Unfortunately, it does seem likely that many services will require that your machine run a kernel/web browser signed by an entity they trust before they give you access to what they consider sensitive data. That will suck for those of us who want to build our own kernels/web browsers and use that software to interact with sensitive data from large corporations, but that's their choice to make (IMHO). And it's my choice not to use their service.
Often it's not your choice, when e.g. all banking apps have this requirement, and banks require an app to allow you access to your account at all. Or when it's a health service because the data is so "sensitive". Today, platforms like Discord and Twitter very often want your phone number despite not having any technological need for it. Will they in the future require this thing as well so that they are sure that you are not using ad blockers? Will you be unable to communicate with most of society through these "optional" services if you don't have one of these "trusted computing" devices?
This is way more than just about not watching movies in 4k that you could also pirate. This is about turning people who don't have "trusted computing" devices that track every behaviour of theirs into societal outcasts.
So how do you solve this? Get the government to ban CPU vendors from implementing hardware-rooted remote attestation? I can assure you that this technology is used inside corporations for their own internal security, and such a ban would weaken our ability to survive a cyberwar.
Using this technology to secure non-private infrastructure, including corporate networks, makes total sense. And yes, it has some helpful properties to secure that infrastructure. But don't be mistaken, configuration mistakes still exist, as do zero days. Attestation helps against persistence, and this is valuable, but it's only one link in the chain.
That being said, extending it to everyone in a way that curtails individual control of computing devices creates an environment that is dangerous in many ways. I don't want to be in a world where only "approved" software is allowed on my computer or something. This can get wrong really quickly, and a lot of the application of attestation technology for consumers is really just about removing their freedoms.
The place where the government should step in IMO is not to ban CPU vendors from implementing this, but to pass anti-discrimination laws, so ban companies from requiring remote attestation to unlock some specific feature. They should maybe endorse it, or be allowed to warn you, but they should still allow full access regardless.
For the B2B setting there are obvious dangers of monopoly abuse, here the government just needs to enforce existing laws. Microsoft dropping the requirement that the signing key for third parties has to be trusted is IMO a major antitrust violation.
> Get the government to ban CPU vendors from implementing hardware-rooted remote attestation?
Get the government to regulate the corporations requiring it. Classify any attestation requirement as discrimination or something. They're excluding people without good reason.
That's only part of it, Twitter is also in the ad business, and in the ad industry, phone numbers are used as identifiers to correlate users between datasets.
If it's just about limiting access, Cloudflare imposes a similar limitation of number of accesses you can have to a website via remote attestation. I think once remote attestation becomes more prevalent, it might become useful in the ad business too, e.g. to prevent you from using ad blockers, or similar things.
> I cannot say how much freedom it will take. Arguably, some of the new features will be “good.” Massively reduced cheating in online multiplayer games is something many gamers could appreciate (unless they cheat). Being able to potentially play 4K Blu-ray Discs on your PC again would be convenient.
However, I'm more worried about the questions the increased deployment of technology will bring, such as will Linux users be doomed to a CAPTCHA onslaught being the untrusted devices, or worse. Important questions that, unless raised, risk us just "going with the flow" until it is way too late.