> I'm not sure what you are trying to argue but people routinely buy used computers on market place. Raspberry Pis with locked keys are essentially paper weights once the owner doesn't want to use them anymore.
Why can't the owner who wants to sell their locked Pi give the buyer the key?
> And what exactly do you call a machine that you are, by design, cryptographically locked out of, but a third party has access to?
Not a perfect solution, but such a problem can be mitigated by a firewall that blocks such ingoing/outgoing packets.
> I'm playing devil's advocate here, but fundamentally if you don't care about actually controlling or being able to modify something, and pricing is cheaper to rent, why own?
Since I love to tinker with my computers, the answer is obvious to me.
> I think the argument that locking down hardware is unfair to thieves
That was not my point. Most times, users of a stolen device are unaware and not complicit in the fact it was stolen in the first place. They usually have acquired it from legitimate second-hand markets.
Adding an optional "You phone us and we can unlock your car with a copy of your key" is fine by me. As long as I still have the fucking key.
----
For the second part - The security boogeyman is not a compelling argument to give up ownership rights and enter digital serfdom where you only own a device if you use it in the way the manufacturer intends and approves of.
I'm not asking them to stop selling devices with locks. Hell, I'm even fine with them keeping a copy of the keys (which they have right now). I'm just saying: As the owner of a computer, I deserve to have a copy of the fucking keys that make it work.
> I wouldn't really want to just give everybody a copy of that key.
Why would you give the key to everybody? Just give it to the owner... That's what I want. I shouldn't need to hack my own smartphone or have to solder a board to my Xbox to run my own code on it.
> you just need someone to buy a bunch of Yubikeys
This is so wrong it's hilarious. I've been doing computers for forever, and "security keys" are STILL a universally lousy user experience.
What happens when you lose one? How do I install multiple keys? How does their manager revoke their keys when they leave the company? And where is the server that controls all this, and how do you administer that? I could go on ...
If you have any pointers to tutorials on how to do this, I'M ALL EARS. Seriously.
> Nobody seems to reflect that if you physically steal the laptop, guess what, the usb key that's still in there was also stolen.
Not in how I use it. I only connect my yubikey when I need it (rarely at that).
> right? Right?
Just generally don't do this. It comes off as unnecessarily aggressive. Instead you could say "Do use USB locks on your laptop, because ....". The "right? Right?" is not making your point more persuasive.
> Because if not then all that added layer of secure feelings is pointless from an operational security perspective
You are assuming all kinds of things about the threat environment and the concerns the person has.
> This is a good thing. Combined with remote lock, it renders stolen devices useless.
I’ve heard a long, long time ago that the market for stolen devices had switched to stripping them for parts rather than selling them as working replacement devices. From that perspective, activation locks don’t help much. For thieves, even if some parts won’t work, any gain is better than nothing.
> The appeal is that thieves need to do the same thing.
Couldn’t you achieve that with a hardware key though? You don’t really need a server and still have a hardware Bluetooth key that is secure with the bike being useless without it? Then you don’t depend on a company staying afloat and granting you the privilege to keep using your bicycle as they see fit/VC greed dictates.
> If I buy a laptop and I have to crack all the passwords first to get access to the system then that would not be considered 'owning it' in any normal sense of the term.
I think a better comparison would be a locked bootloader with remote access built in (and phones are already this way more or less)
> Just like on any website. Just because something isn't 100% unbreakable, doesn't mean it's a bad idea (you do lock your doors, don't you?)
Don't you think it's a completely different thing to extract keys from a remote server (try https://news.ycombinator.com/ for example) and a physical gadget you own?
Doubly so if the gadget is open source, as you apparently prefer.
> solution that retains the anti-theft capabilities of the device
First, this is a self-imposed problem; spread crime (theft) won't be solved by reducing the access.
Next, I could have an encrypted drive and a key stored in a bank, or a USB storage, or print, or whatever. As a matter of fact, I do have such a laptop.
And last - car thievery is still a thing in the EU, even though registering a stolen car is exceedingly hard - they are either sold for parts... or exported to Russia (not so much recently for obvious reasons). Of course, Apple comes and tells that only they can repair the laptops/phones/etc. b/c of thievery and serialized parts.
> Many security applications, situations where you're providing equipment to others and want to make sure it's not modified, etc. It's not that hard to come up with legitimate uses for this.
Why isn't just making sure the expected private key didn't get wiped a good enough way of making sure it's not modified?
> You should at the least demonstrate that their existence is causing great societal harm.
Okay, how about that it destroys the secondhand CPU market? Once you use an AMD CPU in a Lenovo computer, it blows e-fuses to keep you from ever using it in any other brand of computer: https://news.ycombinator.com/item?id=29958247