99 comments
@ipg so much pain and agony
28 Nov 2022 at 0:16
@ipg I remember this too well. We were already close to going over to XMPP, the momentum was there. Then Google came along and owned the market by offering a free, polished service. Then yanking it from everyone's hands by building a wall around it while no one was looking.

@pyne @ipg They did it to #RSS too when they killed #GoogleReader. 2013 was a bad year

@ipg I lived on XMPP through college (before that was AIM). I couldn't imagine a world without instant messenger. Then it died, but fortunately my personality had coincidentally pretty much driven away most of my friends around that time and now I don't remember the last time I had Pidgin open... Still, I'll never trust Google again (and apparently neither will anyone else, RIP Stadia!)

@ipg Good to remember that the next time Google does an "embrace and extend" strategy on open standards.

@tchambers @ipg this is one of the reasons I have problems with their codecs, e.g. VP9

@didek @tchambers @ipg Android and iOS are two sides of the same coin now. Both closed source OS's running on an open source base. Just that more of Android used to be open source…

Locking down specifically how? There is far more code Google is contributing to AOSP than 5 or 10 years ago. The main thing that is no longer supported in AOSP are the high-level apps (like e-mail and such), which were important early on when not many apps existed, but these days there are numerous better options than in AOSP. And these days most such apps need to have a close server integration to be competitive. Saying iOS and Android are the same here is honestly crazy.

@hackbod So yes, Google might support AOSP. At the same time running the McDonald's app to collect bonus points on an Android with a custom ROM? Not worth the work. And before you say it's about security. BS. You can run your online banking and your driving license app from our interior ministry on an Android that has not been patched for 3 years. On such a phone, malware can probably get root access via a long list of known CVEs. But it verifies as "manufacturer-provided-bootloader-locked" so everyone pretends that it's safe. If Google cared about safety, they would check the patch level.

@hackbod But that would achieve security which nobody is interested in, right?

@yacc143 @hackbod @Lillian_C14 Google has SafetyNet that is triggered when you uninstall preinstalled Facebook or YouTube from the phone, but not when the OS is 5 years old. Not that checking if the device is old will be a good idea either...

Actually checking how old the software is would probably not be such a bad idea. But it would force giggle partners to provide security updates. The EU will do that in the next years (effectively from 2025 for 5 years I seem to remember), but Google could do that too. They don't.

Not sure what you mean by SafetyNet being triggered when uninstalling apps? Though I don't know what OEMs are doing on their devices, Pixel doesn't come with Facebook pre-installed and YouTube is pre-installed on the system image so you can't really uninstall it. Maybe this is some specific OEM doing something odd on their device? Which device do you see it on? What is the experience caused by SafetyNet being triggered?

This wasn't direct or serious.

Ah okay! I don't think you will ever get the ability to delete things from the system partition, because (1) that is always read-only (only modified by the boot loader and that is important), (2) it would mean factory reset couldn't return you to the original state, and (3) even if you did, you couldn't use the space because it would only free that space in the system partition, not the data partition. OEMs are encouraged to use Play Auto Install instead.

Ah so you are not talking about the source code, but the anti-abuse features. It is important to understand that this is not Google pushing stuff, but addressing developer demand. That is, the choice is not "Either Google provides SafetyNet or apps don't do anything," it is "Either SafetyNet or apps instead use other 3p solutions that are more fragile and problematic." In fact growing use of 3p solutions has made Android dev problematic as they break with each new platform version. By and large I don't think Google uses SafetyNet for its own apps, because it isn't seen as so necessary... except for stuff like contactless payments. And there is no way you would have contactless payments without device integrity verification. I also find it frustrating how much app developers feel the need to protect themselves from the platform with this stuff, but I don't see how to generally convince them otherwise. (And Apple's Android security FUD doesn't help.)

@hackbod Ah, but the point is: Google requires manufacturers to provide the hardware functionality for a PlayStation level verification. Or they do not get the Google apps. OTOH, Google does not educate developers on correct security practices (as in check how fresh the security patches are, or even use a library that actively checks for exploits, instead of "verifying" that your user is running an unsecure 3-year-old Android). Because that would cause havoc for their business.

@hackbod Actually, with some tender love and care, my custom ROM, with root, does Google Pay. And you won't believe it, nobody was defrauded because, shock, it's me, the owner who rooted the device. Not some malware. If I wanted to defraud anybody, I could read up on all the beautiful design faults in the EMV protocol that the payment industry managed to design into it. Google is not very anal about verification. But by not taking a stand, and not doing the right thing, they are spreading it.

@hackbod So what exactly is Google fearing if Google Pay is running on a Custom ROM? The EMV protocol is meant to be cryptographically secure, and I'd hope that you store the card credentials on the secure hardware enclave that all Androids must have due to Google requirements. So what threats exactly is Google protecting against by doing a verification?

@hackbod I mean I do online banking all the time on a Fedora Linux laptop, with, *gasp*, Secure Boot disabled. (Btw, SMS is still legal as a 2FA authentication under the current EU payment directive. While banks tend to force ("guide") users into "smart apps", the initial handshake still happens via SMS.)

@hackbod So tell me because you said, "And there is no way you would have contactless payments without device integrity verification". Against what threats does that device integrity verification protect the user/system? The secrets are in the secure hardware enclave in the mobile. The EMV protocol is designed to be cryptographically secure. You should be able to publish the traffic on the Internet, and nothing bad happens. You should be able to modify the traffic and the payment fails.

Okay given the false equivalence between Android and PlayStation; blanket dismissal of modern best practices of hardware security modules for software validation, at rest encryption and authentication and biometrics protection; and ignoring my points about the expectations and requirements of app developers... it seems clear there isn't really much opportunity for a discussion, so I am going to bow out.

@hackbod You still have not explained which threat Google Pay protects against by verifying that the mobile is untampered, but not checking that the security patch levels are up to, say, the past 12 months. And yes, Googlified Android gives app developers the tools to validate the whole system chain starting with the boot loader to the app. You call it "best practices in hardware security". I call it Playstation style lock down.
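The exchange above turns on one concrete check: a "bootloader locked" verdict says nothing about whether the OS still carries known, unpatched CVEs, which is what a patch-level age check would reveal. The following is an added example, not code from this thread, from Google, or from any real SafetyNet/Play Integrity client: a relying-party policy that evaluates both signals. The claim fields `bootloader_locked` and `security_patch` are assumed names, `security_patch` uses the YYYY-MM-DD format of Android's `ro.build.version.security_patch` property, and every sample claim is constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Maximum accepted age of the reported security patch level.
# 365 days mirrors the "past 12 months" figure raised in the thread.
MAX_PATCH_AGE_DAYS = 365
# Fixed "today" (the thread's date) so results are reproducible offline.
REFERENCE_DATE = date(2022, 11, 28)


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def parse_patch_level(value: Optional[str]) -> Optional[date]:
    """Parse a ro.build.version.security_patch style value (YYYY-MM-DD).
    Missing or malformed input yields None, so a bad claim is treated as
    'unknown' and never accidentally as 'fresh'."""
    if not value:
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def evaluate_device(claim: dict, today: date = REFERENCE_DATE,
                    max_age_days: int = MAX_PATCH_AGE_DAYS) -> Verdict:
    """Policy decision over a constructed claim record (assumed field names,
    not a real attestation payload). A locked bootloader is required, but
    on its own it is not sufficient: the patch level must also be recent."""
    if not claim.get("bootloader_locked", False):
        return Verdict(False, "bootloader unlocked or state unknown")
    patch = parse_patch_level(claim.get("security_patch"))
    if patch is None:
        return Verdict(False, "security patch level missing or malformed")
    if patch > today:
        # A patch date in the future cannot be genuine; treat the claim as tampered.
        return Verdict(False, f"security patch level {patch} is in the future")
    age = (today - patch).days
    if age > max_age_days:
        return Verdict(False, f"patch level is {age} days old (limit {max_age_days})")
    return Verdict(True, f"locked bootloader, patch level {age} days old")


# Constructed sample claims (not real device data).
SAMPLE_CLAIMS = {
    "patched_locked":   {"bootloader_locked": True,  "security_patch": "2022-11-05"},
    "stale_locked":     {"bootloader_locked": True,  "security_patch": "2019-09-05"},
    "patched_unlocked": {"bootloader_locked": False, "security_patch": "2022-11-05"},
    "missing_patch":    {"bootloader_locked": True},
    "future_patch":     {"bootloader_locked": True,  "security_patch": "2030-01-01"},
}
```

The `stale_locked` case is the one the thread describes: it passes a bootloader-only check but fails once patch age is part of the policy.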
@hackbod You seem to forget that the newer "free software licenses" explicitly deal with the issue of the "freedom" of the user being able to modify the software and apply it to his device. What's the point of that freedom, if you make sure that "best practices" include making sure that the open source Custom ROM cannot run most of the software for the platform? So explain what's the threat for Google Pay running on a Custom ROM?

@didek @Lillian_C14 @ipg @tchambers isn't iOS BSD based? Or at least I know OS X used to be.

@ipg Embrace Extend Extinguish. It's why some instance admins are preemptively blocking Tumblr

@ipg And they are at it again with email, employing the same practices. -.-' All in the name of fighting spam and malware. :-/

@ipg XMPP is brilliant. I used to be able to chat with Facebook Messenger users from Google Talk. Wild times. Sucks that all the major players built their audience with it then locked the doors. Even WhatsApp essentially, as I understand it, still uses XMPP just locked off from anyone else 😭 Maybe with the fediverse interest someone can cook up a federated Discord equivalent based on XMPP 🤔

@wiredfire XMPP protocol extensions support a lot of nice to have Discord features! the biggest issue would just be a client that has a similar UX. or just a good UX in general, that's something i can't find in any client...

@ipg in a past professional life it's something I'd have tinkered with! Alas for now I can but dream 😭

@ipg@wetdry.world @wiredfire@mas.to i think matrix does a lot better in this regard, most of the clients i've used were actually really pleasant

@ipg Not just what they took away, but why we should be cautious and pay attention if they ever decide to support the fediverse in any form. People with a history of bait and switch do not deserve trust.

@confusomu i have no idea what this means lol. like are you relating or. i dont understand lol

@ipg Gizmo Project... I used them for a phone number. Google bought the company and shut down their service.

@ipg@wetdry.world They didn't take anything away from you. You can still use XMPP, but now without using Google's servers which is even better.

@ipg ...and Apple removed Jabber from Messages in Mojave. Which vastly reduced the utility of MacOS X for enterprise users.
@ipg there is a fundamental flaw in XMPP arch that Fediverse is repeating - for you & me to communicate we need BOTH of our servers while one is necessary & sufficient.

@ipg And every replacement has been smothered in its cradle, taken round the back of the shed and shot, or dressed up in the hand-me-down clothes of one of its murdered siblings.

@ipg i'm really glad you posted this because i'm familiar with "embrace, extend, extinguish" in general, but i wasn't clear on just how extremely easy it is to get a big userbase and then just move off of the federated standard.

@ipg I have no idea what y'all are saying in the specifics, but I swear the internet started sucking badly after 2013... knew there was a reason, knew it was Google but had no idea what or why. But all my searches began to return things for sale instead of information, and all the good free apps dried up.

Never knew that. Might have been handy. There was even a period where Facebook Messenger was XMPP. You could chat with Facebook folks from GTalk and vice versa. Jabber was going to be THE IM protocol for a while before the big guys decided to wall it up.

@danjones000 @ipg @floppy I'm still grieving. My XMPP is still up, I have 4 contacts remaining and we almost never talk (it mostly serves as a local net com with my partner). I remember messages starting not to get through with GTalk on either side, no error or anything. The thing died off progressively until they pulled the plug. I will never forgive Google for that. This scar is also probably the reason I will never trust a company ever again with anything. Whatsapp is also based on XMPP if I remember my readings. They improved it to reduce its verbosity. But what is annoying is that, whatever the protocol is, they can technically provide an XMPP bridge for basic direct messaging. But :
Google may be evil, but Microsoft is the master of embrace and extend incompatibly. I'm (pleasantly) surprised that GitHub still works, and still allows open source projects to be hosted for free.

@ipg and still people are waving the flags of $bigcorp to join the fedi. We just don't learn from the mistakes of the past

@ipg that's why I said Google is the biggest loser. The way Hangouts used to work it was a great experience. Best part @daniel 's Conversations came in those days. Then he slowly moved and killed Hangouts. First they pushed it down my throat and then when people started using it they killed SMS support first and then Allo etc.

@ipg and that's why we should never ever allow the #GAFAMs in the #Fediverse! #FediPact now!!!

@ipg Exactly this. This is why we can't be friends with corporations.