A secure OS is a prerequisite for secure digital services. We can agree on that, right?
The task, therefore, is to convince enough politicians to establish an independent unit that can address this issue without direct political influence.
Fund the unit with enough money so that it can take care of the cybersecurity and sovereignty of all citizens.
A side effect of this would hopefully be that these politicians would then be digitally literate enough to recognize nonsense such as chat control as such and reject it outright. I hope that most politicians would not really want such omnipotent surveillance tools if they could truly grasp their scope.
While it is technically feasible, it is not a good idea to try and find a technical solution to a people/organisation problem.
Do not accept the premise of assholes.
I hope we can get the EU to fund a truly open Android Fork. Maybe under some organisation similar to NL Labs.
--- edit ---
Furthermore, the need for a trustworthy binary to be auditable to a certain hash or something would make banning this a simple task if Google would want to go that route.
The time to fight against this was when they pushed the first kind of this extortion services.
But do not accept it as a given now. The next best time to fight agains this is always now! Do not buys cars that are sold that way.
If you have to buy a 'new' car, buy a used one that you can repair.
Try to see this pattern in other products and avoid those too.
And please, do not think that 'the market' could solve this. Once 'the market' sees adoption, it will follow suit. Only regulation can help with these issues.
Wow, that exploded over night :D
It's nice to see, I am not alone.
With Android working on including a "desktop mode" where you can add a screen and HID devices, I sure hope that the phone screens will get smaller again.
I don't think the issue really stems from putty.org being there. It stems from a "trusted" third-party, the search engine, suggesting you the wrong place.
Therefore I think you are missing the point with your analogy.
This is definitely something that should be raised to the putty team. But with how the rest of the text is worded, I doubt that will change their mind.
I have seen [1] a long time ago. But AFAIK until this day, the Workstation installer still asks whether you are either a private user or have a license key... So is it really free?
In the case of Attack scenario 2, I do not get why in a secure design you would ever forward the client originating data to the auth service. This is more of a broken best practise then a footgun to me.
The logic should be "Parse, don't validate"[0] and after that you work on those parsed data.
Mailbox.org is completely ignoring DMARC since months... And their handling of the issue IMHO is incompetent at best.
See this thread (in German) https://userforum.mailbox.org/topic/10676-mailbox-org-akzept...