> This is used for things like providing anti-piracy DRM protections, and Internet-of-Things attestation
"Internet-of-Things attestation" ?? A poor attempt to stick a refreshing buzzword in front of a fundamentally unwanted user-betraying open-society-undermining technology.
Remote attestation does away with the basic foundation of protocols for mediating between mutually-untrusting parties, making it so users must trust the remote party. Imagine if websites attempting to enforce (browser fingerprinting, no image save, anti-adblock, etc) could successfully implement their hostile restrictions!
This break is great news for everybody that wants their computer to remain under their own control, rather than an increasingly locked down Big Tech WebTV.
"Piracy" is a buzzword too. Copyright infringement is a crime so victimless they feel the need to compare it to literal high seas piracy in order to make an impact.
> This break is great news for everybody that wants their computer to remain under their own control, rather than an increasingly locked down Big Tech WebTV.
Completely agree. This "security breach" is only bad for corporations who want to track users and implement DRM. It's great for the freedom of the people who are actually using the computers.
> "Internet-of-Things attestation" ?? A poor attempt to stick a refreshing buzzword in front of a fundamentally unwanted user-betraying open-society-undermining technology.
While I agree with you at a consumer level, at the industrial level this is a thing. Like, imagine a vertical farm that is controlled by a thousand networked on-prem robots. An "attestation" mechanism makes setting this up easier and less error-prone.
How so specifically, compared to say just imaging the devices? Are we really worried about rogue employees putting rootkits on said robots, and to what end?
Remote attestation in general does have positive uses, and would be freedom preserving if the signing keys were controlled by the device's owner. The problem is Intel's design of baking in privileged keys that they themselves control, such that hostile parties can require that you run software that they provably control.
> Are we really worried about rogue employees putting rootkits on said robots, and to what end?
Not about rogue employees, but adversary states, just think of Stuxnet. Messing up a nation's food supply can induce everything from mild unrest to full scale civil war and mass migration. For now (!) we have the lucky advantage that most farm labor is still manual / the machines that exist can either be trivially replaced with older non-smart machines or by manual labor... but imagine 20, 30 years in the future?
Agreed about the evil of DRM and treacherous computing, but do not conflate the shift in trust to a remote party with the attestation mechanism itself, which can be neutral. The idea behind attestation is that hardware signs a quote regarding that which is running on the device, one that is cryptographically verifiable. Verifiable for what purpose is a separate question.
The purpose depends entirely on who creates/vouches for the attestation key. If the attestation key can be generated by the owner and then loaded into the secure element, then the owner can prove to themselves that the system has not been tampered with. But they cannot prove to anybody else what code is running on the system, as the owner can use a copy of the attestation key outside of the secure element to sign whatever they like. This is a good thing.
If the attestation key has been created by Intel (or within the secure element and signed by Intel), then the system can verify to arbitrary parties that the owner has not "tampered" with their own system. This creates a security vulnerability, as now overly aggressive (aka hostile) parties can demand that the owner gives up control of their own system as a condition of interacting with them.
Given the extreme power imbalance in B2C relationships, if this vulnerability exists it will eventually be abused in lockstep. Remember the days of dual-booting Windows to run some proprietary crapware? Yeah, that again, but with websites. And you couldn't just run a headless second machine with VNC, or even use too old of a monitor, depending on the business whims of the proprietary OS!
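The owner-provisioned case described in the comments above, sketched as an added example that is not part of the thread or any vendor's code. HMAC stands in for the hardware signature, and the `Device` class, firmware strings and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

GOOD_FW = b"robot-controller v1 (constructed sample image)"
BAD_FW = GOOD_FW + b" + implant"

def measure(firmware: bytes) -> bytes:
    """Measurement: SHA-256 of the code image that is running."""
    return hashlib.sha256(firmware).digest()

def sign_quote(key: bytes, nonce: bytes, measurement: bytes) -> bytes:
    # HMAC stands in for the hardware signature (assumption of this example).
    # The nonce is fixed at 16 bytes, so nonce + measurement is unambiguous.
    return hmac.new(key, nonce + measurement, hashlib.sha256).digest()

class Device:
    """Stand-in for the secure element: keeps the key, quotes what it runs."""
    def __init__(self, key: bytes, firmware: bytes):
        self._key, self._firmware = key, firmware

    def quote(self, nonce: bytes):
        m = measure(self._firmware)
        return m, sign_quote(self._key, nonce, m)

def verify(key, nonce, measurement, tag, expected) -> bool:
    """Accept only a fresh, correctly signed quote of the expected image."""
    tag_ok = hmac.compare_digest(tag, sign_quote(key, nonce, measurement))
    return tag_ok and hmac.compare_digest(measurement, expected)

def owner_checks(firmware: bytes) -> bool:
    """Owner provisions the key, then challenges the device with a nonce."""
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    m, tag = Device(key, firmware).quote(nonce)
    return verify(key, nonce, m, tag, measure(GOOD_FW))

def replay_rejected() -> bool:
    """A quote captured under one nonce fails against a fresh challenge."""
    key = secrets.token_bytes(32)
    m, tag = Device(key, GOOD_FW).quote(secrets.token_bytes(16))
    return not verify(key, secrets.token_bytes(16), m, tag, measure(GOOD_FW))

def key_copy_quote_verifies() -> bool:
    """With a key copy outside the device, a 'good' quote needs no device."""
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    m = measure(GOOD_FW)  # claimed, regardless of what actually runs
    return verify(key, nonce, m, sign_quote(key, nonce, m), m)
```

The last function is why an owner-held key convinces only the owner: any holder of the key can produce a quote that verifies, so it carries no weight with a third party.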
Second that. And yet, the B2C asymmetry was and is there regardless of whether one is "forced" to relinquish control over part of their machine. The current attestation models are an extension of the power imbalance. Intel, being a profit driven company, sought to meet its customers' demands.