Bonum Certa Men Certa
ClearlyDefined is Just Microsoft Land Grab (Which the OSI Now Actively Participates in) | Links 15/10/2020: Parted Magic Leaves OpenBox, US Congress Urged to Choose Free Software

A FIDO/FIDO2 False Sense of Security for Premium Prices

Military-grade nonsense that is proprietary and untrustworthy (monopolised by the likes of Google and Microsoft)

Manifestation against missileSummary: From the attack on software freedom (including Richard Stallman and other leaders/luminaries) we've seen a shift to attacks on privacy itself, e.g. auditable encryption; today we discuss the troubling developments in the FIDO/FIDO2 space

THE ESSENCE of Free/libre software is control, liberty, autonomy, independence, security, decentralisation and sometimes privacy too. Those are all just words that convey concepts in English. It's better understood in the absence of those things (when one lacks or loses freedom). As RMS puts it, to paraphrase a bit, either the user controls the program or the program is an instrument by which some corporation (or government) controls the user. It's really that simple. To alleviate that unjust leverage of power (developers or developers' employer) over computer users we need freedom-respecting software that is audited by many and forked if mischief occurs. This helps ensure that the public interest is prioritised, not the bottom line of some business/es. That does not mean that no business can exist; many businesses are based around distributing and supporting Free software. Perfectly moral and ethical business practices are compatible with the Four Freedoms.



"Earlier this year there was a major incident, which saw millions of rogue certificates being issued by Let’s Encrypt..."With all that in mind, we've grown cynical if not deeply concerned about the Linux Foundation. The institution itself is a misnomer (it promotes operating systems other than Linux), its biggest players (leadership) are monopolistic proprietary software companies, it advocates mass surveillance, and it works for Microsoft (which in turn works to undermine Linux).

Earlier this year there was a major incident, which saw millions of rogue certificates being issued by Let’s Encrypt, which is connected to the Linux Foundation and hosted/coded on Microsoft servers. These certificates were later revoked, but there was no transparency about what had happened. Can we trust one CA to manage so many certificates? Look at its backers and sponsors. These certificates aren't free; if they seem to be free, it's because someone foots the bill to gain something, such as the US government receiving back door access to undermine encryption (by access to private keys or similar). They're already done that even inside Switzerland, covertly of course! So do we trust Let’s Encrypt? Not really, even less so after that incident. There was never clarity and now even an explanation of what was done, who the culprit was and so on.

But this article isn't about Let’s Encrypt. It's about FIDO2. The patterns may be similar, at least some salient points. "I don't know if you've been keeping up with the developments in hardware security tokens," one reader told us this week, "but I have been very alarmed with the developments that are happening with regards to FIDO2. I feel like this is another attempt to stomp out competition just like TLS CAs did before Let's Encrypt was a thing."

"We use GnuPG a great deal here in Techrights. Most of our messages are encrypted."The reader is a bit of an expert in that domain. Also remember how the founder of Ubuntu originally amassed his wealth. "Right now," the reader noted, "companies that make products like Yubikey and Titan Security Key are selling obscenely overpriced hardware just because it has a "FIDO2 Certified" logo on it. I feel like hardware security tokens are going to end up in the same situation that happened with TLS CAs where a few bodies monopolise the system and dictate who gets to be a "trusted provider". A FIDO2 certification costs about $6500 USD, last time I checked. As someone that uses GnuPG and its open ecosystem of hardware, it pains me to see the monopolisation and profiteering that's happening around the security space."

We use GnuPG a great deal here in Techrights. Most of our messages are encrypted.

"I hope you can share this message with the right people," our reader appealed, "to combat the monopolisation and anti-competitive attempts by organisations like FIDO Alliance. There's nothing open about the FIDO Alliance. The firmware for most of those devices are closed-source and the only reason people are duped into buying them is because of the "FIDO2 Certified" seal on those products. I feel like this is a turning point in cybersecurity history and we need to kill this attempt at monopolisation before we end up with the tragedy that happened with TLS CAs."

"A mechanism for trust among parties, e.g. encryption, is crucial in a free and democratic society."How many billions of dollars were washed down the drain because of these? And we ended up with "trusted" CAs that are mostly in bed with the world's biggest spying operation. Which means they might be worse than useless...

"We decide who to trust with our OpenPGP certificates," our reader noted. "We don't let other bodies make that decision for us. Let's work together to make sure we nip this FIDO nonsense in the bud. We've got the platforms and people. The WebAuthn W3C steering members are stuffed with Google, Microsoft, and (surprise) Yubico people. I'm almost certain that they're using embedded cryptography MCUs in their closed proprietary products and then making a eye-watering profit margin."

Notice that their stuff is controlled partly by Microsoft and the NSA (in GitHub). So they clearly do not value or grasp basic security.

Our reader noted: "The OpenSK project on GitHub (by Google, I believe) uses an overpriced board and there's a nice disclaimer at the bottom that OpenSK is not FIDO certified (this is blatant FUD). They aren't even using the embedded crypto MCUs on the Nordic chip. They have gone with the excuse that their software-driven crypto is "research quality" code. OpenSK is a blatant attempt to spread FUD about uncertified FIDO hardware. Yubico are in on it as well.

"We might be the first site to touch this subject, but there's more on the way for sure.""Nitrokey has a FIDO2 product and I think it's uncertified by the looks of things. I know Nitrokey people are very closely linked to GnuPG devs because I've been around GnuPG dev a lot recently. I'm pretty sure the folks at Nitrokey see the dangers of monopolisation but they're keeping it quiet (probably in fear of the media pull Google et al have). I would also prefer remaining anonymous, thanks for allowing that..."

A mechanism for trust among parties, e.g. encryption, is crucial in a free and democratic society. Those who undermine the encryption basically maintain keys to the castle. They've long attempted to put back doors (or back door access, e.g. via third parties) to everything. Sometimes the media describes that as "weakening" encryption, but that actually means breaking; weak means broken.

We might be the first site to touch this subject, but there's more on the way for sure. "Wanted you to be the first to throw a punch though," our reader noted, "because people in the community trust you on these things."

But there's lots more on the way. Stay tuned.

ClearlyDefined is Just Microsoft Land Grab (Which the OSI Now Actively Participates in) | Links 15/10/2020: Parted Magic Leaves OpenBox, US Congress Urged to Choose Free Software

Recent Techrights' Posts

Slashdot is Once Again Publishing Lies and Revisionism for Bill Gates, Citing Microsoft's MSN to Rewrite History and Distract From the Jeffrey Epstein Crimes
Of course this also distracts
Too Big, Will Fail (How Linux Grew Way Too Fat)
Linux has very extensive hardware support, but that comes at a cost
Richard Stallman Gives Keynote Address in a Few Hours
Richard Stallman's personal site was updated to give more details
IBM Layoffs in 2025: Rumours Say Even Managers Will Get the Axe, Some Via Loopholes Like PIP and/or RTO (Preparations Already Underway)
Where does IBM's money go?
FOSDEM Talks Are Vanishing
They no longer seem to be taking money from Microsoft and/or its tentacles
 
Links 27/01/2025: Social Control Media Explores Propaganda for Racism as a Business Model, China’s Tibet Dam Criticised
Links for the day
Microsoft Relegated by Manchester United
No Microsoft
Gemini Links 27/01/2025: Mental Locomotion, Gemini Protocol Bots From China, and Domain-Specific Languages
Links for the day
Microsoft Still Hires Journalists to Reward Them (Belated Payment) for Microsoft Propaganda
The PR/lying pipeline
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, January 26, 2025
IRC logs for Sunday, January 26, 2025
Links 26/01/2025: Privacy Breaches and Growing Nationalism
Links for the day
The UK's Press Gazette Has No Credibility Anymore, It Celebrates Plagiarism and Cheap Misinformation (This Ruins Linux Sites Too)
They encourage a form of plagiarism and that even ruins "Linux" sites
Journalistic Malpractice Helps Bill Gates Cover Up His Marriage Collapsing Because of His Very Deep Ties to Jeffrey Epstein (and It's Melinda Who Dumped Him, Divorce Proceedings Started by Her in 2019)
you can alter narratives and perceptions worldwide
The Linux Foundation's Certificate Authority (CA) Let's Encrypt Hits New Lows in Geminispace
13 known capsules still use it
How "Open Source" Became Microsoft (But It's Actually Proprietary, OSI is an Openwashing Front Group Now)
They're still trying to rewrite history, but it's harder when Richard Stallman (RMS) is alive
Links 26/01/2025: Chatbot Woes and UnitedHealth Data Breach (Windows TCO)
Links for the day
Gemini Links 26/01/2025: The Postman and More
Links for the day
Links 26/01/2025: Fentanylware (TikTok) Turns to Hype/Pyramid Scheme, Insurers Failed to Comply With Federal Law
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, January 25, 2025
IRC logs for Saturday, January 25, 2025
Gemini Links 25/01/2025: Plaintext Weblog Posts and Software Development
Links for the day
More Details Emerge About Upcoming Long-Rumoured Layoffs at IBM
Without leadership there's no coordination
Links 25/01/2025: Microsoft Chaffbot Offline and Advocacy/Dissent in China Muzzled
Links for the day
Frequent Flyers of the 'Lolita Express' (Where Screwing Underage Girls is Big Business)
In the words of Bill's wife and mother of his 3 children
Microsoft-Sponsored Inauguration as a Reminder to Boycott Microsoft
If you do not support what's happening politically right now in the US, then stop giving money (or anything else) to Microsoft
Fund-Raising for Initiative Introducing Teens to Free Software Instead of Junk Like Bytedance's TikTok
A crowdfunding campaign coming soon
Bringing Down or Taking Down an Innocent Man is Difficult
One positive thing about all this is that we've come to witness (and meticulously document) how social control media works for the mob
Plagiarism at LinuxSecurity.com, Piggybacking Other People's Hard Work and Googlebombing "Linux"
They are googlebombing Google, and worse yet, they leverage bots to do this
Gemini Links 25/01/2025: Pictographs, Non-voters, and Frustrations
Links for the day
Links 25/01/2025: Microsoft Already Shutting Down Its UK "Experience Centre", "AI Deal" Linked to Atrocities
Links for the day
Red Hat is Required to Promote Microsoft's Proprietary Stuff and Even Produce Puff Pieces (Mindless Fluff) About It
Notice the aspect of bribed "media" or "news" or "press coverage" (pay-to-say)
The Limits of Freedom
This is generally not a new problem
The Fall of Corporate Media Controlled by Oligarchs Who Boost (or Are Compelled to Boost) Reckless Lies About the Poor While Normalising Rich People's Crimes
No wonder they have layoffs
IBM Layoffs (or Replacement With Low-Cost Labourers) Far Greater Than Reported by IBM
they serve to confirm what we've long said not only in relation to IBM but also Microsoft
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, January 24, 2025
IRC logs for Friday, January 24, 2025