10.15.20

Gemini version available ♊︎

A FIDO/FIDO2 False Sense of Security for Premium Prices

Posted in Deception, Free/Libre Software, Google, Microsoft, Security at 10:09 am by Dr. Roy Schestowitz

Military-grade nonsense that is proprietary and untrustworthy (monopolised by the likes of Google and Microsoft)

Manifestation against missileSummary: From the attack on software freedom (including Richard Stallman and other leaders/luminaries) we’ve seen a shift to attacks on privacy itself, e.g. auditable encryption; today we discuss the troubling developments in the FIDO/FIDO2 space

THE ESSENCE of Free/libre software is control, liberty, autonomy, independence, security, decentralisation and sometimes privacy too. Those are all just words that convey concepts in English. It’s better understood in the absence of those things (when one lacks or loses freedom). As RMS puts it, to paraphrase a bit, either the user controls the program or the program is an instrument by which some corporation (or government) controls the user. It’s really that simple. To alleviate that unjust leverage of power (developers or developers’ employer) over computer users we need freedom-respecting software that is audited by many and forked if mischief occurs. This helps ensure that the public interest is prioritised, not the bottom line of some business/es. That does not mean that no business can exist; many businesses are based around distributing and supporting Free software. Perfectly moral and ethical business practices are compatible with the Four Freedoms.

“Earlier this year there was a major incident, which saw millions of rogue certificates being issued by Let’s Encrypt…”With all that in mind, we’ve grown cynical if not deeply concerned about the Linux Foundation. The institution itself is a misnomer (it promotes operating systems other than Linux), its biggest players (leadership) are monopolistic proprietary software companies, it advocates mass surveillance, and it works for Microsoft (which in turn works to undermine Linux).

Earlier this year there was a major incident, which saw millions of rogue certificates being issued by Let’s Encrypt, which is connected to the Linux Foundation and hosted/coded on Microsoft servers. These certificates were later revoked, but there was no transparency about what had happened. Can we trust one CA to manage so many certificates? Look at its backers and sponsors. These certificates aren’t free; if they seem to be free, it’s because someone foots the bill to gain something, such as the US government receiving back door access to undermine encryption (by access to private keys or similar). They’re already done that even inside Switzerland, covertly of course! So do we trust Let’s Encrypt? Not really, even less so after that incident. There was never clarity and now even an explanation of what was done, who the culprit was and so on.

But this article isn’t about Let’s Encrypt. It’s about FIDO2. The patterns may be similar, at least some salient points. “I don’t know if you’ve been keeping up with the developments in hardware security tokens,” one reader told us this week, “but I have been very alarmed with the developments that are happening with regards to FIDO2. I feel like this is another attempt to stomp out competition just like TLS CAs did before Let’s Encrypt was a thing.”

“We use GnuPG a great deal here in Techrights. Most of our messages are encrypted.”The reader is a bit of an expert in that domain. Also remember how the founder of Ubuntu originally amassed his wealth. “Right now,” the reader noted, “companies that make products like Yubikey and Titan Security Key are selling obscenely overpriced hardware just because it has a “FIDO2 Certified” logo on it. I feel like hardware security tokens are going to end up in the same situation that happened with TLS CAs where a few bodies monopolise the system and dictate who gets to be a “trusted provider”. A FIDO2 certification costs about $6500 USD, last time I checked. As someone that uses GnuPG and its open ecosystem of hardware, it pains me to see the monopolisation and profiteering that’s happening around the security space.”

We use GnuPG a great deal here in Techrights. Most of our messages are encrypted.

“I hope you can share this message with the right people,” our reader appealed, “to combat the monopolisation and anti-competitive attempts by organisations like FIDO Alliance. There’s nothing open about the FIDO Alliance. The firmware for most of those devices are closed-source and the only reason people are duped into buying them is because of the “FIDO2 Certified” seal on those products. I feel like this is a turning point in cybersecurity history and we need to kill this attempt at monopolisation before we end up with the tragedy that happened with TLS CAs.”

“A mechanism for trust among parties, e.g. encryption, is crucial in a free and democratic society.”How many billions of dollars were washed down the drain because of these? And we ended up with “trusted” CAs that are mostly in bed with the world’s biggest spying operation. Which means they might be worse than useless…

“We decide who to trust with our OpenPGP certificates,” our reader noted. “We don’t let other bodies make that decision for us. Let’s work together to make sure we nip this FIDO nonsense in the bud. We’ve got the platforms and people. The WebAuthn W3C steering members are stuffed with Google, Microsoft, and (surprise) Yubico people. I’m almost certain that they’re using embedded cryptography MCUs in their closed proprietary products and then making a eye-watering profit margin.”

Notice that their stuff is controlled partly by Microsoft and the NSA (in GitHub). So they clearly do not value or grasp basic security.

Our reader noted: “The OpenSK project on GitHub (by Google, I believe) uses an overpriced board and there’s a nice disclaimer at the bottom that OpenSK is not FIDO certified (this is blatant FUD). They aren’t even using the embedded crypto MCUs on the Nordic chip. They have gone with the excuse that their software-driven crypto is “research quality” code. OpenSK is a blatant attempt to spread FUD about uncertified FIDO hardware. Yubico are in on it as well.

“We might be the first site to touch this subject, but there’s more on the way for sure.”“Nitrokey has a FIDO2 product and I think it’s uncertified by the looks of things. I know Nitrokey people are very closely linked to GnuPG devs because I’ve been around GnuPG dev a lot recently. I’m pretty sure the folks at Nitrokey see the dangers of monopolisation but they’re keeping it quiet (probably in fear of the media pull Google et al have). I would also prefer remaining anonymous, thanks for allowing that…”

A mechanism for trust among parties, e.g. encryption, is crucial in a free and democratic society. Those who undermine the encryption basically maintain keys to the castle. They’ve long attempted to put back doors (or back door access, e.g. via third parties) to everything. Sometimes the media describes that as “weakening” encryption, but that actually means breaking; weak means broken.

We might be the first site to touch this subject, but there’s more on the way for sure. “Wanted you to be the first to throw a punch though,” our reader noted, “because people in the community trust you on these things.”

But there’s lots more on the way. Stay tuned.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

DecorWhat Else is New


  1. [Meme] Linus Gabriel Sebastian Takes GNU/Linux for a (Tail)'Spin'

    If you’re trying to prove that GNU/Linux is NOT Windows, then “haha! Well done…”



  2. GNU/Linux is for Freedom and It'll Gain Many Users When (or Where) People Understand What Software (or Computing) Freedom Means

    Software that respects people's freedom (and by extension privacy as well) is an alluring proposition; those who choose to try GNU/Linux for the wrong reasons are likely the wrong target audience for advocates



  3. Amid Reports of Microsoft's Competition Crimes in Europe...

    European companies are complaining, but they seem to overlook the principal aspect of an imperialistic system with bottomless pockets (almost 30 trillion dollars in debt already; US national debt soared again last month); Microsoft is shielded by a political system with military (“defence”) as bailout budget to help cushion international expansion for data grab and technical leverage, as we've seen in the case of EPO (this is all political, not technical, and should thus be treated as a political/corruption issue)



  4. Is Linus Trolling the GNU/Linux Community?

    This new video responds to what many sites have been provoked into amplifying



  5. Links 27/11/2021: Tux Paint 0.9.27 and SeaMonkey 1.1.19 in EasyOS

    Links for the day



  6. [Meme] Keeping Our Distance From Microsoft

    The OSI is the dagger, the Linux Foundation is the knife, and many others are the sword by which Microsoft tries to get into the very heart of GNU/Linux and extinguish the Free software movement



  7. Microsoft Edge Encourages Indebted Americans to Guilt-spend Just in Time for Christmas

    Guest post by Ryan, reprinted with permission



  8. IRC Proceedings: Friday, November 26, 2021

    IRC logs for Friday, November 26, 2021



  9. 38+ Years of GNU and 19+ Years of FSF Associate Membership

    “On November 25, 2002,” Wikipedia notes, “the FSF launched the FSF Associate Membership program for individuals.” As the above video points out, it all started almost 40 years ago.



  10. Gemini as a Platform for Gamers

    Contrary to what people often assume (or are led to assume), even without client-side scripting Gemini can accomplish a great deal; early adopters, many of whom are technical, test the limits of the very minimalistic (by design and intention) specification



  11. Improved Workflows: Achievement Unlocked

    Today we've completed a bunch of small projects that can make us more efficient (e.g. more Daily Links per day, more articles); the above video was recorded many hours ago to accompany the outline below



  12. Links 26/11/2021: New Complaint About Microsoft Competition Crimes in Europe, EuroLinux 8.5, GhostBSD 21.11.24, and Kiwi TCMS 10.5 Released

    Links for the day



  13. Links 26/11/2021: F35 Elections, Whonix 16.0.3.7, OSMC's November Refresh With Kodi 19.3

    Links for the day



  14. IRC Proceedings: Thursday, November 25, 2021

    IRC logs for Thursday, November 25, 2021



  15. IRC Proceedings: Wednesday, November 24, 2021

    IRC logs for Wednesday, November 24, 2021



  16. Links 25/11/2021: PHP 8.1.0 Released and Linux 5.15.5

    Links for the day



  17. IBM as Master of Hypocrisy

    Free software projects and Free software developers have long been humiliated by corporations of Western misogynists, falsely claiming that the Free software community isn’t inclusive enough (these are shameless projection tactics; as a matter of public record, the exact opposite is true) and even the eradication of supposedly offensive language isn’t something IBM takes seriously



  18. Links 25/11/2021: LibreOffice 7.2.3 and Mesa 21.2.6 Released

    Links for the day



  19. [Meme] So Desperate That Edge Cannot Even Exceed 4% That They Block Rival Web Browsers

    Linux/Android/Free Software/GNU (they go by very many names/brands) may continue to grow to the point where Windows is as irrelevant as Blackberry; this means that Microsoft’s grip on the Web too has slipped — to the point where Microsoft frantically uses 'bailout' money to hijack LinkedIn, GitHub, etc. (it also rebrands almost everything as "Azure" or clown to fake a perception of growth)



  20. Windows Vista Service Pack 11 (Vista 11) Has Failed to Curb the Growth of GNU/Linux

    Windows market share continues to decrease in spite of billions of dollars spent bribing the media for fake hype, especially in light of a new Windows Service Pack (SP), Vista SP 11



  21. Links 25/11/2021: Proton 6.3-8 and Linux Mint Compared to Ubuntu

    Links for the day



  22. 3.5 Years Later the 'Master' of Fedora is Still Microsoft and IBM Cannot Be Bothered to Alter Git Branch Names (Refuting or Ignoring Its Very Own Directive About Supposedly Racially-Insensitive Terms)

    Today we demonstrate the hypocrisy of IBM; years after telling us that we should shun the term "master" and repeatedly insisting it had a racist connotation at least 65 Fedora repositories, still controlled by Microsoft, still use "master"



  23. Changing the Arrangement While News is a Bit Slow(er)

    I've made it easier for myself to keep abreast of things like IRC channels and networks (incidentally, a day ago Freenode reopened to anonymous logins) and I've improved monitoring of the Web sites, Gemini capsule etc. (this video is unplanned and improvised)



  24. Links 24/11/2021: Alpine Linux 3.15 and Endless OS 4.0 Released

    Links for the day



  25. [Meme] Jimmy Zemlin Loves Microsoft

    It’s funny, isn’t it? Lying for a living and sucking up to the liars pays off; you get to plunder actual Linux users while leaving Linux morally and financially bankrupt



  26. Links 24/11/2021: PHP Foundation and Flatpak Criticisms

    Links for the day



  27. IRC Proceedings: Tuesday, November 23, 2021

    IRC logs for Tuesday, November 23, 2021



  28. Links 24/11/2021: Rust Crisis and Team UPC Still Faking 'Progress'

    Links for the day



  29. Links 23/11/2021: New GNU Parallel and Memories of David H. Adler (Perl, Raku)

    Links for the day



  30. In Light of Fast-Accelerating Deterioration -- Sometimes Weaponisation -- Getting Off the World Wide Web (to the Extent Feasible) Makes You Saner and Less Susceptible to Manipulation, Lies

    Almost no sites are speaking about it (probably because they have no presence on the Internet except on the Web), but it's time to motivate more people to get off the Web, for their own good and for society's sake...


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts