

TBH this sounds to me like something specifically intended to not be an Australian-like solution, which they could have copied.


I am not sure what’s required of a bare bones Linux install (general computing device) that has access to a package manager (application store)!


Yeah perhaps. Or that “account” doesn’t really need to be what we think of as an account.
Could it be covered, but they would still have to ask? It says if it wasn’t done at setup it has to ask, so perhaps an account-less OS would still be expected to ask for an age and provide it when asked?


Nah I don’t think it does. You don’t really get that because the intent of a law is important in court cases.
Mobile phones are specifically covered:
(g) “Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.


Windows doesn’t ask at install, and also this law requires them to ask for already set up accounts too.
This will make it a lot more visible.


Nah, it seems it doesn’t apply to physical devices (except general computing devices as mentioned elsewhere).
(f) This title does not apply to any of the following:
(1) A broadband internet access service, as defined in Section 3100.
(2) A telecommunications service, as defined in Section 153 of Title 47 of the United States Code.
(3) The delivery or use of a physical product.
(3) seems to imply the OS that runs your switch or gas pump isn’t included. But I see nothing in the law that clarifies servers or any CLI only interface, or even any OS that doesn’t have accounts.
Where do you quote “reasonable” from? The only part of the law with that word is referring to a different, already existing law (or the bit about reasonable technical limitations causing the wrong signals sent in the API).


Ok I did it, I read the full text of the law, and you’re right.
The existence of Linux or anything not big tech and the broad range of options within seems to be ignored. Does a CLI only OS need to provide a GUI for its “accessible interface”?
On a different note, I did see the last point here:
(f) This title does not apply to any of the following:
(1) A broadband internet access service, as defined in Section 3100.
(2) A telecommunications service, as defined in Section 153 of Title 47 of the United States Code.
(3) The delivery or use of a physical product.
(3) seems to imply the OS that runs your microwave isn’t included.


I think the next bit from the article I didn’t quote explains that:
“(2) Provide a developer who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface that identifies, at a minimum, which of the following categories pertains to the user.” The categories are broken into four sections: users under 13 years of age, over 13 years of age under 16, at least 16 years of age and under 18, and “at least 18 years of age.”
I think the idea is that you would say that under 16s can’t use social media. Then you’d enforce this not with the horrendous Australian strategy of having everyone IDed, but instead you would enforce it by having an API that websites and apps could use that would tell them the age of the user.
So basically:
Windows might already have parental controls within Windows, but it’s the ability for apps and websites to know the age (or in this case age range) that is the important part.
I much prefer this than handing over ID.


Sorry but I don’t think the article text backs up the title?
The claim is that they have to enforce age verification, but the quoted law says:
Provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store.
Doesn’t this just mean it needs to ask for an age at setup, so e.g. parents can set it up with an age and they can automatically be restricted?
I don’t see anywhere actual verification is required, if you’re setting it up yourself then just lie?
Honestly, this sounds like my preferred path if we are gonna do anything.


Even better than a coin flip is asking this what to do then doing the opposite!
You sound like you want to go all in on federated services but there are plenty of other things to do.
I love Nextcloud, works well when set up through the Nextcloud All In One docker setup, but it is a little different to other things so it might not be a starting point depending on your experience. Lots of apps to add for extra functionality. But don’t replace your cloud storage with it until you’re confident of your backups (and ability). I ran it for years to use for the apps and minor things before I finally went all in.
I think a wiki is a great thing to have. Use it to document what you’ve done so you can remember.
Then there’s media. With the storage I guess TV/movies might be out, but there’s Audiobookshelf for Audiobooks, Kavita or Calibre Web for eBooks. I like Jellyfin for music (but using the Finamp app not the Jellyfin one), but others like dedicated music setups like Navidrome.
I buy my music from Bandcamp where available and Qobuz where it’s mainstream labels, then I can have my own little Spotify. Finamp even lets you download playlists or your whole library to your device for offline listening. I use Findroid for watching things, which also allows downloading. Last I checked the Jellyfin app didn’t have Netflix-like downloading, just downloading the files to your downloads folder.
I guess you might not fit a whole lot with 300GB storage though, especially after you fit the databases of half a dozen federated services.
If you have space, perhaps a photo service like Immich or PhotoPrism.
If you have friends maybe a private sharing forum like Zusam.
If you have family then maybe family tree software like webtrees.
I run so many things, they all get used, and I’m always happy to talk about them!


That’s an interesting proof of concept, but I don’t think it shows it’s different. That’s a server side attack, whoever has control of the server could just have the script download a malicious binary instead and you wouldn’t be able to tell from the script.


Firstly, it is much, much easier to compromise the website hosting than the binary itself, usually. Distributed binaries are usually signed by multiple keys from multiple servers, resulting in them being highly resistant to tampering. Reproducible builds (two users compiling a program get the same output) make it trivial to detect tampering as well.
Yeah this is a fair call.
But at the same time, I have little confidence in my ability to spot these bugs.
This is the key thing for me. I am not likely to spot any issues even if they were there! I’d only be scanning for external connections or obviously malicious code, which I do when I don’t have as much trust in the source.
As a sidenote, docker doesn’t recommend their install script anymore.
Yeah I used it as an example because there are very few times I ever remember piping to bash, but that’s probably the most common one I have done in the past.


You can, but to me it seems weird to say it’s crazy to pipe to bash when people happily run binaries. If anything, the convenience script is lower risk than the binary since people have probably checked it before you.
I wouldn’t pipe a random script to bash though, nothing where I wouldn’t trust the people behind it.


Yeah I get that, but I would install docker, cloudflared, etc. by piping a convenience script to bash without hesitation. I’ve already decided to install their binary, I don’t see why the install script is any higher risk.
I know it’s a controversial thing for everyone to make their own call on, I just don’t think the risk for a bash script is any higher than a binary.
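The middle ground the thread circles around (save the script, check it, then run it) as an added example; this is not code from any post above, the installer text is constructed, and the expected hash is assumed to come from a checksum file or release page fetched over a separate channel:

```shell
#!/bin/sh
# Added example, not from the thread: the "download, check, then run"
# alternative to `curl ... | sh`. The sample installer and the hash-mismatch
# case are constructed; the published hash would normally come from a
# signed checksum file or release page, fetched over a separate channel.

# SHA-256 of a file, using whichever tool the platform ships.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Fail closed: returns 0 only if the saved installer matches the expected
# hash exactly, so a script swapped on the web host never reaches `sh`.
verify_installer() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Every http(s) URL the installer references. This is the "scan for
# external connections" check from the thread: a script that pulls a
# binary from an unexpected host shows up here even if its logic looks fine.
list_fetch_urls() {
    q="'"
    grep -oE "https?://[^[:space:]\"$q)]+" "$1" | sort -u
}

# Run the installer only after it verifies; never re-download it between
# the check and the run, which would reopen the window for a swap.
run_verified() {
    verify_installer "$1" "$2" || {
        echo "hash mismatch, refusing to run $1" >&2
        return 1
    }
    sh "$1"
}

# Constructed installer for demonstration: mirrors the shape of a typical
# convenience script (fetch a binary, fetch and run a second script).
write_sample_installer() {
    cat > "$1" <<'EOF'
#!/bin/sh
set -e
curl -fsSL "https://downloads.example.invalid/tool/tool-linux-amd64" -o /tmp/tool
curl -fsSL 'https://cdn.example.invalid/tool/postinstall.sh' | sh
chmod +x /tmp/tool
EOF
}
```

Listing the URLs first is what exposes the nested pipe-to-shell on the second line of the sample, which a quick skim of the script's own logic would not flag.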


Ok but not everyone has that skill. And anyway, how is this different to running a binary where you can’t check the code?


Is it different from running a bash script you downloaded without checking it? E.g. the installer that you get with GOG games?
Genuine question, I’m no expert.


He probably just wishes he put it in the contract signed with the mothers.
I guess the most plausible explanation is incompetence, there wouldn’t be a reason to do this on purpose (a backdoor), right? Since the company could have easily used different credentials per device that they store anyway?
Just one team working on Teams, and they are doing their best to make it worse.
I for one encourage them, it apparently needs to be even worse before my work will consider changing.