Just so you know, from looking at the wall of text you pasted by proxy: those are arguments against the notion that a tpm can make the device itself secure, not that it is untrustworthy for the notion of signing and storing encrypted data.

Next time, make your point and provide references (or not), rather than just link bombing.

I’m not seeing anything that’s not a great look about requiring strong authentication for access to sensitive portions of a users account. What you’re saying is akin to calling it a bad look that they force users to use complex passwords against user wishes.

I’m not sure what “trust me bro, my cloud is safe” has to do with anything. Passkeys live on your device. There are ways of facilitating device to device migrations of the keys if you want. You don’t need to use them to use passkeys. And at least on Android you don’t need to even use Google to manage the keys.

Most semiconductors are closed source. The processor, ram, and radio are also more than likely closed. The software interfaces to all of them have open specification and implementation. There’s like, six for Linux. Microsoft open sourced theirs.
Tpms are not security through obscurity. They are obscure, but that’s not a critical component to their security model.

What they do isn’t really what “collecting biometrics” implies. They’re storing key points in a hashed fashion that allows similarities to be compared. Even if it wasn’t encrypted in a non-exportable way you still can’t do anything with it beyond checking for a similarity score.

You’ve done a good job explaining what I said previously: there’s sometimes a disjoint between privacy and security concern, and so sometimes people don’t understand something about security.

That’s close enough for a privacy perspective. There’s also limitations on domains that can request the auth, specifically ”only the one the credential is for", and there’s a different key per domain and user typically.
It’s also implemented in a way where if the user doesn’t choose to disclose their account to the service, the service can’t know.

Caring about privacy and caring about the details of a security protocol are distinct. You’d be surprised how many people who care about privacy are deeply wary of passkeys because of the biometric factor, which is unfortunate because the way it authenticates is a lot harder to track across domains by design.

I understood they had a lot of concerns, one of which was biometrics via passkeys since GitHub was a very early adopter due to the supply chain risk they pose.

I know how device fingerprinting works, thank you though.

You don’t need my fingerprint, hardware or personal, or biometric shit.

To me that sounds like hardware identifiers, but also quite specifically the things passkeys use. Hence I mentioned it as aside from their main point, which was “don’t track me”, because the biometrics GitHub or any website is going to ask you to use can’t be used for that.

Tangential to the main point you’re going for: when you say fingerprint or biometrics I think you’re referring to passkeys.
Passkeys don’t share any of your fingerprint or other biometric identifiers with anyone.

https://www.eff.org/deeplinks/2023/10/passkeys-and-privacy

One of the major design criteria of their creation was to be an increase in security without sacrificing privacy. It’s made them more finicky to get working but there’s a very good reason they’re very popular with security professionals.

This came from looking up how much people are currently spending to build a ram fab. It’s worth remembering that the tools used are very complex and are also impacted by the massive spike in semiconductor prices.

https://www.blackridgeresearch.com/project-profiles/tsmc-arizona-fab-united-states-us-details-cost-expansion-latest-update

https://www.eteknix.com/micron-begins-construction-of-its-massive-ram-factory-in-new-york-to-help-prevent-shortages-by-2030/

https://www.tomshardware.com/tech-industry/intel-delays-usd100-billion-ohio-site-to-next-decade-first-fab-now-coming-online-in-2030

They’re quite literally making some of the most complicated and intricate things on the planet.
The vast majority of the cost is tools, and when the price of those spikes due to shortage the cost goes up insanely fast.

Cost estimates from even a just a few years ago have the cost being $10 to $20 billion.

Ballpark $100,000,000,000 and five years per factory.

Modern semiconductors are very complicated to produce.

Yeah, the conventional ones still draw a good chunk of power, and they’re not clean but they’re not dirty. Same as how a grocery store isn’t good for the environment but you’re not looking at them first for places to clean.

They tend to be boring, and are usually not a public thing but just something owned by a company to house their computers. The only reason I know about the ones near me is I used to work at one and people would move jobs to or from other ones. (As an aside, a datacenter is a great place to nap if you like white noise).

For a sense of scale:

This is the site of an open AI data center. The yellow square is about 1 square mile and mostly encompasses the area they plan to/have filled.

That angle shows more build out.

This photo has two normal data centers in it. The yellow square is also about 1 square mile. I’ve highlighted the data centers in red. One is to the left of the square near the middle, and the other is down from the right side near the big piles of what looks like rocks. (Spoilers: it’s rocks. They make asphalt). The sprawling complex in the upper right is a refrigerated grocery store distribution complex. The middle on the other side of the block from the asphalt is a coal power plant.

Of the things in this picture, I’m most upset about the giant freeway interchange. Coal is shit, but it’s a modern plant so it’s not belching soot, just co2, and the utility is phasing it out anyway. The grocery traffic is mostly dead except between the hours of midnight and 7am when they do restocks.
I can hear the freeway if I go outside.

I think the part you’re missing is that 1) it’s my community too 2) they’re not talking about AI data centers, or new data centers or anything like that, they’re petitioning to ban all data centers, and 3) we have multiple data centers in the city already that no one complained about until AI data centers became a thing people felt concerned about.

There’s a major difference between the 2 square mile hyper scale AI data center that requires a nuclear reactor and a full water treatment plant to cool and the 2 acre data center that’s air cooled and has no more ground pollution than any other parking lot and essentially a warehouse.
The state government has two in the city, at least, for processing electronic tax records, applications and hosting service sites. We have a few national insurance companies that need to process all the things they process. A research university, and a web hosting company round out the list of ones I know about.

This is my entire point about why sometimes it’s really necessary to point out that what someone is referring to is only a small part of what the words they’re using describe. The language being imprecise doesn’t matter until someone proposes a law outlawing chemicals, shuttering all data centers, or banning AI.

LLMs are problematic. My fancy rice maker isn’t.

I take your point. :)

It’s worth mentioning in my opinion though, because if someone were to say “we should ban chemicals” it’d be worthwhile to point out what that actually means.

I don’t actually think the broadness of the category is intentionally abused, it’s just that it’s an incredibly common thing to remove anything from the AI category that’s explicable.

I feel slightly more hanlons razor about it since there’s people in my city talking about and petitioning on the popular notion of banning all data centers from the state, and how it would be awful if s data center came here. I know what they mean, but it’s not what they’re trying to get the law to do, and our city already has six data centers I know of off the top of my head. The language drift is fine, but when it starts to conflate with policy it’s another issue.

https://blog.mozilla.org/en/mozilla/leadership/mozillas-next-chapter-anthony-enzor-demeo-new-ceo/

The root of the current discussion.

A conservative guess would be around 60 people.

https://bugzilla.mozilla.org/describecomponents.cgi

You can click around and see the bug reports they’re working on. There are a few, to say the least.

https://www.firefox.com/en-US/releases/

This is a way to see what’s in each release. The ones on the left are major releases and tend to have bigger features, and the others tend to be bug fixes.

Web browsers start with core functionality that’s very complex. Then you tack on that they’re being used for things like banking, and managing the critical details of people’s lives. That means security galore, which is hard and constant. Then you have ad people, who are also something that’s hard to defend against.
Then there’s the constant flood of new features you have to implement to keep up with Google.

Chrome has 1,000 to 4,000 people working on it. Mozzila employs about 700 to work on firefox, with maybe 1,000 additional open source developers.

My initial guess was very wrong.

It’s less a vague umbrella and more an academic category. It just feels odd to call it vague in the same way you wouldn’t call “chemistry” vague, despite it having applications ranging from hand soap to toxic waste.

Yeah, ocr is a type of AI. The big advantage of modern techniques is that it can factor in context a bit better. It’s the same principle but a different mechanism for how you know a red hexagon with S__P on it says stop, even if the sign is dented, a letter fully fell off, it’s raining and dark.

It also means it’s sometimes wildly inaccurate, like in cases where it’s just so much more likely that it said something else. Like how on a bright sunny day, with perfect clarity, and a crisp new sign with extra good visuals, you’ll hit the breaks for a sign that’s a red hexagon that says §¥¢¶. It’s just very unlikely that that would coincidentally be on a red hexagon near the road, so it’s more likely you saw wrong and it was actually the normal thing.

That’s not them being authoritative for the information, that’s them being a consumer of the information. There’s a difference.

A store needs to see my drivers license to sell me alcohol. That doesn’t mean that the receipt is proof I’m allowed to drive. If I get pulled over I can’t give it to a cop to prove I have a license because the store isn’t an authoritative source for that information, despite having an integration with the state I’d verification service.

This is just how paperwork works. You can search for this information yourself if you don’t believe me. A social security name change is not proof of citizenship.

And you’re missing the point that other people are making: the SSA is not responsible for knowing your citizenship status, and so documents from them don’t establish citizenship.

That they know it has nothing to do with anything. They’re not an authoritative source, so they can’t be used for that purpose.
You’re thinking like it’s an evidentiary chain. A requires B, therefore proof of A implies B.
It’s not though: it’s a list of valid documents from a list of valid sources.

And all that’s moot because you can get an SSA name change or a real id without meeting the criteria to vote, so even if it was a proof A wouldn’t imply B.

Fire stations are everywhere, staffed by trustworthy people, who inevitably also have medical training. Additionally they aren’t scary like the police are.
They’re the people you call if you need help.

You can surrender an infant at a hospital too, as well as a police station, but fire stations are just more frequent.

That’s still not proof of citizenship. The SSA is not in charge of tracking citizenship, so a document from them doesn’t work for that purpose.

As you said yourself, non-citizens can get social security cards. Changing your name in that circumstance is hardly proof of citizenship.

Sure. That’s not mutually incompatible with preferring the least terrible option to the most terrible though.

People view it as “Democrats don’t deserve to win because they didn’t have a good enough candidate”, when they should be viewing it as “Democrats didn’t field the candidate I deserve, but I still deserve better than the Republican”.

And also the source of the term “grandfathered in”.

The law was typically along the lines of “literacy test or your grandfather could vote”.