
A FIDO/FIDO2 False Sense of Security for Premium Prices

Military-grade nonsense that is proprietary and untrustworthy (monopolised by the likes of Google and Microsoft)

Summary: From the attack on software freedom (including Richard Stallman and other leaders/luminaries) we've seen a shift to attacks on privacy itself, e.g. on auditable encryption; today we discuss the troubling developments in the FIDO/FIDO2 space

THE ESSENCE of Free/libre software is control, liberty, autonomy, independence, security, decentralisation and sometimes privacy too. Those are all just words that convey concepts in English. It's better understood in the absence of those things (when one lacks or loses freedom). As RMS puts it, to paraphrase a bit, either the user controls the program or the program is an instrument by which some corporation (or government) controls the user. It's really that simple. To alleviate that unjust leverage of power (developers or developers' employer) over computer users we need freedom-respecting software that is audited by many and forked if mischief occurs. This helps ensure that the public interest is prioritised, not the bottom line of some business/es. That does not mean that no business can exist; many businesses are based around distributing and supporting Free software. Perfectly moral and ethical business practices are compatible with the Four Freedoms.



With all that in mind, we've grown cynical if not deeply concerned about the Linux Foundation. The institution itself is a misnomer (it promotes operating systems other than Linux), its biggest players (leadership) are monopolistic proprietary software companies, it advocates mass surveillance, and it works for Microsoft (which in turn works to undermine Linux).

Earlier this year there was a major incident, which saw millions of rogue certificates being issued by Let’s Encrypt, which is connected to the Linux Foundation and hosted/coded on Microsoft servers. These certificates were later revoked, but there was no transparency about what had happened. Can we trust one CA to manage so many certificates? Look at its backers and sponsors. These certificates aren't free; if they seem to be free, it's because someone foots the bill to gain something, such as the US government receiving back door access to undermine encryption (by access to private keys or similar). They've already done that even inside Switzerland, covertly of course! So do we trust Let’s Encrypt? Not really, even less so after that incident. There was never clarity, nor even an explanation of what was done, who the culprit was and so on.

But this article isn't about Let’s Encrypt. It's about FIDO2. The patterns may be similar, at least in some salient points. "I don't know if you've been keeping up with the developments in hardware security tokens," one reader told us this week, "but I have been very alarmed with the developments that are happening with regards to FIDO2. I feel like this is another attempt to stomp out competition just like TLS CAs did before Let's Encrypt was a thing."

The reader is a bit of an expert in that domain. Also remember how the founder of Ubuntu originally amassed his wealth. "Right now," the reader noted, "companies that make products like Yubikey and Titan Security Key are selling obscenely overpriced hardware just because it has a "FIDO2 Certified" logo on it. I feel like hardware security tokens are going to end up in the same situation that happened with TLS CAs where a few bodies monopolise the system and dictate who gets to be a "trusted provider". A FIDO2 certification costs about $6500 USD, last time I checked. As someone that uses GnuPG and its open ecosystem of hardware, it pains me to see the monopolisation and profiteering that's happening around the security space."

We use GnuPG a great deal here in Techrights. Most of our messages are encrypted.

"I hope you can share this message with the right people," our reader appealed, "to combat the monopolisation and anti-competitive attempts by organisations like FIDO Alliance. There's nothing open about the FIDO Alliance. The firmware for most of those devices is closed-source and the only reason people are duped into buying them is because of the "FIDO2 Certified" seal on those products. I feel like this is a turning point in cybersecurity history and we need to kill this attempt at monopolisation before we end up with the tragedy that happened with TLS CAs."

How many billions of dollars were washed down the drain because of these? And we ended up with "trusted" CAs that are mostly in bed with the world's biggest spying operation. Which means they might be worse than useless...

"We decide who to trust with our OpenPGP certificates," our reader noted. "We don't let other bodies make that decision for us. Let's work together to make sure we nip this FIDO nonsense in the bud. We've got the platforms and people. The WebAuthn W3C steering members are stuffed with Google, Microsoft, and (surprise) Yubico people. I'm almost certain that they're using embedded cryptography MCUs in their closed proprietary products and then making an eye-watering profit margin."

Notice that their stuff is controlled partly by Microsoft and the NSA (on GitHub). So they clearly do not value or grasp basic security.

Our reader noted: "The OpenSK project on GitHub (by Google, I believe) uses an overpriced board and there's a nice disclaimer at the bottom that OpenSK is not FIDO certified (this is blatant FUD). They aren't even using the embedded crypto MCUs on the Nordic chip. They have gone with the excuse that their software-driven crypto is "research quality" code. OpenSK is a blatant attempt to spread FUD about uncertified FIDO hardware. Yubico are in on it as well.

"Nitrokey has a FIDO2 product and I think it's uncertified by the looks of things. I know Nitrokey people are very closely linked to GnuPG devs because I've been around GnuPG dev a lot recently. I'm pretty sure the folks at Nitrokey see the dangers of monopolisation but they're keeping it quiet (probably in fear of the media pull Google et al have). I would also prefer remaining anonymous, thanks for allowing that..."

A mechanism for trust among parties, e.g. encryption, is crucial in a free and democratic society. Those who undermine encryption effectively hold the keys to the castle. They've long attempted to put back doors (or back door access, e.g. via third parties) into everything. Sometimes the media describes that as "weakening" encryption, but that actually means breaking; weak means broken.

We might be the first site to touch this subject, but there's more on the way for sure. "Wanted you to be the first to throw a punch though," our reader noted, "because people in the community trust you on these things."

But there's lots more on the way. Stay tuned.
