If I get your FIDO2 token and reprogram it without somehow also wiping the data on it, your problem is that I got your FIDO2 token, not that I could reprogram it without erasing it (which theoretically could perhaps be true right now)
For this exact reason, I store my cryptographic keys in a ring which I never remove from my finger.
Also, you should probably spend more time reading about cryptography and less time reading FIDO Alliance propaganda.
The first is if I can reprogram it, then so can anyone else. I don't know what the situation is where you live, but government has passed laws allowing them to compel all manufacturers of reprogrammable devices to all them to reprogram is with their spyware.
The second is places I interact with, like banks, insist on having guarantees on the devices I use to authenticate myself. Devices like a credit card. "I promise to never reprogram this card so it debits someone else's account" simply won't fly with them.
The easy way out of that is to ensure the entity who can reprogram it has a lot of skin in the game and deep pockets. This is why they trust a locked pixel running Google signed android to store your cards. But take the same phone running a near identical OS, but on unlocked hardware so you reprogram it, and they won't let you store cards.
But that's the easy way out. It still let's a government force Google to install spyware, so it's not the most secure way. One way to make it secure is to insist no one can reprogram it. That's what a credit card does.
In any case, if someone successfully got the law changed in the way the OP suggested, so people could not use their devices as a digital passport, it won't only be me wishing a pox on their house.
It's actually the other way around, the only way to garantue that your device is free of spyware is you reprogramming it. You shouldn't have to trust the potentially compromised manufacturer.
The fact that there is always something you must trust in a device, as opposed to being able to prove it's trustworthy to yourself by just looking at it is so well known it has a name: is called the root of trust.
The interesting thing is it can ensure the root of trust the only thing you need to trust. The ability to do that makes your statement factually wrong. In fact it's drop dead simple. The root of trust only need let you read all firmware you loaded back, so you can verify it is what you would have loaded yourself. TPM's and secure boot are built around doing just that. Secure boot is how the banks and whoever else know you are running a copy of Android produced by Google.
In this case the government may mandate to have spyware pre-installed in the factory - which is already the case for phones and laptops in some countries.
> I promise to never reprogram this card so it debits someone else's account
When reprogramming, the card should wipe private keys so it becomes just a "blank" without any useful information.
Secondly, they have no control over companies not based where I live. So I could just import it myself, provided you are successful get ever country to pass a law the denies me the right to do this the way I want to do it.
If that's the only option they have, it will fly. Just like you used to be able to use banking apps with any Android before they had the option to restrict that to only Google-controlled ones.
I prefer to have my auth device bricked than compromised.
for anything else, i want to be able to reprogram.
so for vendors, a simple choice :
* be OTP, but no "patching"
* be R/W, but also by its owner
Regardless the rest us who don't want to go through the extra work OTP creates still of use want to put our credit cards, fido2 keys, government licences, concert tickets and whatever else in one general purpose computing device so we don't have to carry lots of little auth devices. To do pull that off securely this device must have firmware I can not change.
The OP wants to make it illegal to sell a device with firmware I can not change.
In asking for that, they've demonstrated they don't have a clue how secure and opening computing works. If they somehow got it implemented it would be a security disaster for them and everybody else.
It should very much be enforced though, similar to speed limits on the road. It's much easier to zero in on weird electromagnetic waves than it is to catch people speeding on roads.
I'm all in to allow free access to reading waves, but broadcasting is regulated for good reason. Today I was in the subway when my Bluetooth headset started lagging, it's happened once before on a highway close to a specific car, this is DOS.
The radio spectrum is limited and it must be regulated and follow regulations, enforcement is really hard, it's a lot easier and reasonable to dump it on the manufacturers by locking the juice behind closed firmware.
2.1033 Application for grant of certification. Paragraph 4(i) which reads:
For devices including modular transmitters which are software defined radios and use software to control the radio or other parameters subject to the Commission’s rules, the description must include details of the equipment’s capabilities for software modification and upgradeability, including all frequency bands, power levels, modulation types, or other modes of operation for which the device is designed to operate, whether or not the device will be initially marketed with all modes enabled. The description must state which parties will be authorized to make software changes (e.g., the grantee, wireless service providers, other authorized parties) and the software controls that are provided to prevent unauthorized parties from enabling different modes of operation. Manufacturers must describe the methods used in the device to secure the software in their application for equipment authorization and must include a high level operational description or flow diagram of the software that controls the radio frequency operating parameters. The applicant must provide an attestation that only permissible modes of operation may be selected by a user.
2.1042 Certified modular transmitters. Paragraph (8)(e) which reads:
Manufacturers of any radio including certified modular transmitters which includes a software defined radio must take steps to ensure that only software that has been approved with a particular radio can be loaded into that radio. The software must not allow the installers or end-user to operate the transmitter with operating frequencies, output power, modulation types or other radio frequency parameters outside those that were approved. Manufacturers may use means including, but not limited to the use of a private network that allows only authenticated users to download software, electronic signatures in software or coding in hardware that is decoded by software to verify that new software can be legally loaded into a device to meet these requirements.https://www.ecfr.gov/current/title-47/chapter-I/subchapter-A...
Likewise for requiring someone to change out drivers or firmware.
> The radio spectrum is limited and it must be regulated and follow regulations, enforcement is really hard, it's a lot easier and reasonable to dump it on the manufacturers by locking the juice behind closed firmware.
By far the largest problem in this space is users importing devices purchased via travel abroad or drop shipping and then those devices don't follow the rules.
Getting domestic users to follow the rules is not a significant problem because a) most people don't know how to modify firmware anyway, b) the people who do know how to do it are sophisticated users who are more likely to understand that there are significant penalties for violating regulatory limits and know they actually live in the relevant jurisdiction, c) if those users really wanted to do it they're the sort who could figure out how to do it regardless, and d) there is negligible benefit in doing it anyway (increasing power increases interference, including for you, and it works much better to just get a second access point).
It's not a real problem.
I am against regulation of broadcasting equipment. There's a difference.
At most, it prevents people from accidentally doing it. Anyone who wants to do can figure it out on their own.
No more reasonable than limiting cars to 75mph (which some people, admittedly, are probably in favor of).
I wouldn't be in favour of a hard 75mph because current speed limits are set by social consensus on the basis that they aren't strictly enforced. The police are extremely unlikely to stop you for doing 76mph in a 70, so I don't think your car should.
https://github.com/meshtastic/firmware/blob/develop/src/mesh...
The true limits are imposed by the hardware, not the software, as it should be!
Let's get them opened up next.
I swear not even Micro$oft attained this level of commitment.
Being able to reprogram a pacemaker isn't enough!
We should require that any devices that our lives depends on, especially devices that go inside our bodies, to be open source: not just reprogrammable, but with source code available for inspection and modification.
I've been working in this industry for too long in order to trust a closed source pacemaker to be bug-free.
Requiring that the pacemaker be outside a human body in order to reprogram it seems like a very sensible solution.
You're legally (and technically) prohibited from re-programming GPS modules, GSM modules, and probably many stuff in cars as well.
(Actually, maybe contractually when it comes to GPS modules.)
Besides that your point is missing the fact that you are dealing with outside services that provide a contract for their usage (GPS, GSM). You should be free to program your own devices but if you use an external service, then yes they can specify how you use their service. Those are contractual obligations. Cars on the road have clear safety risks and those are legal obligations. None of those obligations should govern what you do with your device until your device interacts with other people and/or services.
It wouldn't be fit for purpose (letting soldiers know precisely where they are on the globe) if it required transmission of any type from the user. That would turn it into a beacon an adversary could leverage.
Sounds like something Apple would say.
GPS et al would be non-functional if everybody could make a jammer.
(That’s not to say that app stores fall even remotely in that category.)
>GPS et al would be non-functional if everybody could make a jammer.
Then it should be illegal to make a GPS jammer. Making it illegal to reprogram a GPS receiver in any way is unnecessarily broad.
It would be difficult to catch in an inspection if you could reprogram the OEM parts.
I don't care about closed-course cars, though. Do whatever you want to your track/drag car, but cars on the highway should probably have stock software for functional parts.
The only reason it's "illegal" is because they were thinking people would use it to make missiles easily - but that's already the case even with non-reprogrammable gps. And in big 2025 you can also just use drones with bombs attached to it.
Hardware receivers cannot be reprogrammed as transmitters.
We already have well known areas with constant GPS manipulation. https://www.flightradar24.com/data/gps-jamming
They're becoming self aware!
That's the whole point.. parent is arguing that it should not be illegal.
It is however, illegal to broadcast into spectrums you're not allowed to.
But if I modify the uc in a GPS module to calculate 1+1=3 then AFAIK that's totally allowed.
In support of this irrefutable statement:
• > "Whatever is, is right." — Alexander Pope
• > "If you want to get along, go along." — Sam Rayburn
• > "Reform? Reform! Aren't things bad enough already?" — Lord Eldon
• > "We've always done it this way." — Grace Hopper (referred to it as a dangerous phrase)
• > "Well, when you put it that way..." — [List of millions redacted to protect the compliant]
Rebuttal:
• > "“The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man.” ― George Bernard Shaw
• > "Yeah, well, ya know, that's just like, uh, your opinion man." — The Dude (In someone's pharmaceutically elevated dream, addressing the Supreme Court.)
John Deere is already subject to extra regulation in Europe; it's only in America that they're allowed to molest consumers in the aftermarket. And Xbox has had sideloading for decades now, in case you were unaware: https://learn.microsoft.com/en-us/previous-versions/windows/...
Which clearly shows the problem is not John Deer, Apple, etc.
The problem is weak consumer protections in the US from corrupt US lawmakers who were bought by the companies they are supposed to regulate.
For those who didn’t click the link, Xbox allows you to either load your own software or load software you buy from the Xbox store. Not both.