I think the conversation needs to change from "can't run software of our choice" to "can't participate in society without an apple or google account". I have been living with a de-googled android phone for a number of years, and it is getting harder and harder, while at the same time operating without certain "apps" is becoming more difficult.
For example, by bank (abn amro) still allows online banking on desktop via a physical auth device, but they are actively pushing for login only via their app. I called their support line for a lost card, and had to go through to second level support because I didn't have the app. If they get their way, eventually an apple or google account will be mandatory to have a bank account with them.
My kid goes to a school that outsourced all communication via an app. They have a web version, but it's barely usable. The app doesn't run without certain google libs installed. Again, to participate in school communication about my kid effectively requires an apple or google account.
I feel like the conversation we should be having is that we are sleepwalking into a world where to participate in society you must have an account with either apple or google. If you decide you don't want a relationship with either of those companies you will be extremely disadvantaged.
> If you decide you don't want a relationship with either of those companies you will be extremely disadvantaged.
Even more worrying is the inverse of this - if Google and/or Apple decide for whatever reason they don't want a relationship with you (aka they ban you for no reason) - you are completely screwed
Even if they ban you for a reason, you're screwed. Granted, the ban may have been warranted, but you're essentially put into a societal prison with no due process or recourse.
That is a great analogy. There are countries where a police can throw you into a lifetime jail with zero option for justice unless you are a famous person from a well known western country.
Those countries are North Korea, Iran, Russia, Google and Apple.
Well the US can do it with CBP/ICE, but not for life. I was placed in a jail without being arrested or being accused of a crime and they were very clear at all times I was not even arrested, nor did a federal criminal history search show any record of arrest. No access to lawyer either.
US Citizen. Contacted lawyers, all informed me they'd given up trying to sue for these things because it's hopeless.
You should contact IJ. They recently took up a case like this.
https://ij.org/press-release/us-citizen-and-army-veteran-sub...
Looks like the statute of limitations has ran out.
I typed up a ~100 page document with very thorough records of the retroactive warrant, what happened, and medical records to try and hold at least the "medical care providers" accountable but the board determined that the medical care providers were performing a (warrantless) law enforcement search and not medical care so their license wasn't in jeapordy. Not sure how they determined this since they were in no way deputized nor were they employed by the government, and in fact I was personally being billed for it.
The CBP argued the opposite, that medical care was rendered and not a search so CBP was not liable for extending the ~12 hours during which they "detained" me with no evidence. CBP argued they held me for my own safety because I could die of non-existent drugs.
The challenges to this have all failed (see Ashley Cervantes, basically identical legal facts) so it seems the courts are pretty satisfied with the catch-22 of any challenges of the criminal aspect to be ruled as medical care (thus unchallengables) and then any challenge of the medical care to be ruled as a detainment for a criminal search (thus unchallengable).
how long were you in jail? How did you get out?
~12 hours in jail, a few hours shackled in prisoner transport vans, and then ~12 hours in cuffs at a couple different hospitals hospital (where I was touched by health care professionals without my consent and without a warrant) while they waited for signs of non-existent "drugs." Shortly before I was released they served me retroactive search warrant, signed by a judge after it happened, using made-up PC that did not even state the name of the person or animal they claim prompted it.
I was released after an HSI guy showed up, took a quick look at me, decided I wasn't a terrorist or whatever, served me the retroactive warrant, and then I was sent on a prisoner transport van to be dumped at the border with my all my shit (including my shoelaces) in a plastic bag.
For the hospital part I was sent a ~$1k bill, which is still in collections.
>to be dumped at the border
does this mean you were originally on your way into the US and that's where they nabbed you, and then when they finished with you they took you back to where they picked you up?
i'm not here to debate or defend in either direction, i don't know enough about any of it, but i believe that i have heard from a lawyer podcast that whether you are a US citizen who is entitled to enter or not, the rules (including your bill of rights status) are different "at the border" because you are not in the US yet
if you're telling a real story and not just AI generating bullshit for karma you should go to the PRESS. this story, if it's real, should be something the press would eat up.
screw the lawyers. go public and name names
The press did an almost identical story for Ashley Cervantes, who had almost the same thing happen, except she was digitally (finger) raped by doctors as part of the process and was a young barely adult ~poor woman vulnerable minority so way way more public sympathy for her vs me (I'm a middle class white native English speaking boring white boy with a hick accent so basically at the bottom of the interest at ACLU, they do occasionally feature some people that have had it happen if they have sympathetic backgrounds).
Nothing changed. Same port of entry, same hospital network, same everything (I don't think she was jailed like me though). Lawsuit failed and public press did nothing. Later the ACLU won some kind of suit that forced all involved parties to be warned, which they promptly ignored, and that was the end of it.
https://www.southernborder.org/woman-suing-border-patrol-ove...
https://www.kgun9.com/news/local-news/woman-sues-cbp-over-bo...
> I'm a middle class white native English speaking boring white boy with a hick accent so basically at the bottom of the interest at ACLU
This in itself should be shocking to us
Very similar stuff has been in the press often this year. Everyone mostly forgets each case after a couple of weeks (did that end up being a real gang tattoo or not?, etc.).
I think my case might have gotten picked up by someone if it happened under Trump or close enough it would have still been under the statute of limitations. There wasn't much interest in immigration law under Biden, lately IJ and others have become interested in defending CBP/ICE overreach.
Assuming what you're saying is true, this is the kind of thing 2A was written for. I don't mean for you personally, but for society it's really the last line of defense against a rogue government. But, even if your story is totally made up it's completely believable. Scary times.
2A might have been written hundreds of years ago but it is now an instrument to sell guns. no amount of guns you buy will help you against rogue government
Hard disagree. Guerilla resistance has proven itself surprisingly effective against modern militaries. Multiply that by a military which would be going to war against its own citizens and you have a very uncertain situation.
Yes, if the military was targeting you individually you'd almost certainly be fucked. But a guerilla resistance spread out over a continent would be very difficult to eradicate. Just look at Afghanistan.
I think there are enough stories of armed religious groups raided by three letter agencies to prove otherwise.
Apples and elephants. I'm talking about a double digit percentage of the population fighting a guerilla resistance against a rogue state and you link me to like 50 guys in a house that's surrounded.
lol, rebuttal https://youtu.be/WOSqCjMRXWA
> Just look at Afghanistan.
Not if the supreme court wouldn't enforce it!
Founding fathers rolling in their graves.
The US has done just that to Abrego Garcia, and is now giving him the choice between confessing to a crime that he hasn't been convicted of (and likely didn't commit) and deportation to a country he has never been in.
Very true. They are effectively a new type of non-territorial state with absolutely no separation of powers or rule of law or principle of proportionality.
What makes this difficult though is that they are under constant attack from highly organised and automated criminal operations that create and exploit accounts en masse.
Any solution to the tyrannical state of affairs we are subjected to (even more so as developers) needs to balance better protections for real people (including as you say for people who have committed some transgressions) with fighting organised crime.
It's also used by the actual territorial state to project power through corporations, by influencing them to project their policies. I'm reminded of the story of the guy that had his google account shut down for "CSAM" because they took explicit medical pictures of their child at the directions of physicians, that were only privately shared solely for the purpose of aiding diagnosis. Apparently google works with the government to create these systems to scan your cloud images in the background.
Yes, I think governments love centralisation of control in very few hands. It gives them far greater powers than they would otherwise have, both technically and legally.
"Harmful" content has significant overlap with freedom of speech, so governments find it hard to ban directly. But when there's a big corporation facilitating access to that content, then it becomes a clear case of "evil capitalist profiting from harmful content - corporations need to take responsibility!".
When a government doesn't like end-to-end encrypted photos and cloud drives, all they have to do is issue a secret order telling Apple to disable it.
And when people find workarounds for intrusive and insecure age verification methods, what's better than a total sideloading ban to regain control?
> governments love centralisation of control in very few hands
Honestly, that was one of the things that shocked me about the Digital Markets Act in the EU. It gives them less power over their citizens, not more. (Of course, they also passed the Digital Services Act around the same time, and now they're looking at age verification and breaking E2EE, so I guess they figured they had to balance things out...)
I think these are separate initiatives by different parts of EU agencies and national governments. The markets and competition crowd does not coordinate at all with the law enforcement and security people.
I don't mind this being a bit chaotic. At least it shows that there are trade-offs.
Let's hope people remember this and don't cheer the precedent when it's set against "undesirable" like it was with Alex Jones.
It always starts like that.
This happens already in dating apps. https://www.vice.com/en/article/banned-from-dating-apps/
Date didn't go as well as the other person was hoping? They can report you to the app, some tired and overworked support person in an emerging market bans you, they keep whatever cash you already spent on bonus likes and your multi-month subscription, no refunds.
And you can never sign up from the same Google/Apple account, the same phone, and with the same face, because of course now you have to verify your biometric information with some of these apps (Bumble is introducing submitting your id or taking verification photos).
Or their AI misfires and deems you as having said something inappropriate, again, off you go. You have no recourse, hope you know someone who works at that company who can flip the bit in their database.
Want to know the reason why they banned you? Sorry, that's sensitive information, you will never know, only that you "violated the terms of service". Which one? Sorry, we can't tell you, goodbye.
Oh, now 60% of society meets through datings apps? Too bad, you don't get to anymore, shouldn't have violated our terms of service. Oh, and most of these apps are run by the same company, so you get banned on one, you likely get banned from all on them at once. Have fun.
I think this is the thing we need to change most. These big companies effectively have as much power as courts to break your life, but no transparency, oversight, appeals process or even a clear process in some cases. They can destroy a person or a small business without even noticing.
I have to unlock my apple id on a daily basis "To continue to use facetime"
It's esentially boolean social scoring, just think about it.
Say, if you're blacklisted by a fascist government, for example. Tim Cook's pledge of loyalty was disturbing on many levels.
I don't own a phone, but the most shocking revelation came when my child's school required us to use an app to specify how our children will be picked up or ride the bus.
So far I've been able to avoid using apps for pretty much anything, but when the school says "use an app or you won't get your kids" and then also say they will call CPS and have your kids seized if you don't get them in time, that puts you in a real fucked up situation.
We've reached the point where people without devices or common online services are so rare that society no longer accommodates them. It's similar to how we need legislation to ensure that disabled people have accessible infrastructure, except I doubt there will ever be legislation mandating offline/off-app accessibility.
File it under faulty assumptions organizations make about their clients or customers. If you live in a rural area in the United States it is still quite possible to have:
* No cellular service
* No landline service
* No postal delivery to your property, and a physical address that isn't in any database
* No public utilities
I don't think its unreasonable for private companies not to bother to offer their services to these people. Why should they have to? Many services require nearby physical infrastructure. Electing to live in the woods is not really a disability. Plus you can just get internet out there if you want and thereby receive SMS.
You're right, it's not a disability. However, it's also not always elective. Sure, a private business has no requirement to serve people outside of the market they want to serve, but what if that business is providing a service that is de-facto required in order to access government services?
But further up this thread you're responding to it says:
> the school says "use an app or you won't get your kids" and then also say they will "call CPS and have your kids seized if you don't get them in time"
Is it reasonable for a school to "call CPS and have your kids seized" because the school couldn't "bother to offer their services to these people"?
Yes, but to me there is a very big difference between being forced to adopt a class of technologies (online services in general) along with the rest of society and being forced to contract with a handful of specific companies that impose extremely one-sided contractual terms on everybody, touching almost every aspect of life.
Yes, but both permutations of digital coercion suck, right? ^^D
General technological progress may well suck in some cases, but it's not coercion.
This is how it happens that the appearance of a new option, which you are free to voluntarily choose or refuse (eg. buy a smartphone and an internet connection, maintain a Google account, accept everyone's ToS contract) gradually morphs into something mandatory if enough other people choose it.
Well, many areas have banned app-only payment requirements (along with card-only) so it’s possible we’ll get some mandated alternatives.
This is not even about having a device but about forcing you into the duopoly with no choice, https://news.ycombinator.com/item?id=45092669
I work for some local governments in Belgium and with every system they put in place I keep insisting on a analogous version. Online forms? Great but if anyone chooses the should be able to send in a paper form or get assisted by someone who fills in the online form for them.
As the spouse of someone blind it's becoming increasingly difficult to get accomodations from doctors and govt things. Surprisingly so much so that even making ada complaints goes nowhere. Very few offices are willing to sit and fill out paperwork nor willing to provide an accessible version.
The only saving grace has been be my eyes and other apps that allow for some level of access without needing another human available. It really sucks though as back in the early 2000s strides were being made for the blind community but now it feels like things have regressed because of technology and basic human dignity and kindness has lost out.
I'm sure the app is perfectly ADA complaint too. /sarcasm
I think I might enjoy the CPS scenario... let them call CPS, and wait for CPS to arrive, and then discuss with CPS who is endangering the child, the parent or the school. I'm pretty sure a judge will quickly decide whether their rule makes sense or not, and I think judges in child protection cases are going to quickly side with what's important for the child.
I HATE this kind of nonsense, and threatening you as a parent is only making things worse. Why not offer a way to handle this on a simple website? It would have lower cost to the school and be more accessible to anyone with any device able to access websites. Nonsense.
Well the judge will likely rule the app is bullshit, but in the meantime CPS will argue they need to go into your house, look to see if you have a dirty dish, or the wrong proportion of snacks to vegetables, or maybe take notice your child is playing independently outside while they come around. Then they will portray that in the most insane way possible, and since it is a civil and not criminal process their is no requirement anything is shown beyond a reasonable doubt.
There's also the problem that once they have your kid, the tables are completely turned, rather than them showing why they should take them, now you have to show why you should get them back and that is a process that can be dragged out for over a year.
Unfortunately CPS has wide latitude, secret courts, and the ability to unendingly fuck with you, so it's better just to not "invite" them in your life if you can. And if they do manage to snatch your kid, note they give so little fucks for the kid that their contractors will leave a kid in a hot car to die because apparently that's safer than being with their parents.[]
[] https://abcnews.go.com/US/3-year-dies-hot-car-custody-contra...
Damn. When I had a child in Germany, our version of CPS came over and told me what fun things the city offers for children and asked me about my plans for day care and how I can get help to get a spot.
I once called them because the day care lady of a friend‘s kid is a bit of an idiot and kinda scared us about mass closure of day care centers and it was probably the nicest interaction I’ve ever had with a government agency.
But from what I’ve heard, America in general is a whole other beast both regarding expectations for parents, trust in the kids and the trouble you can get in for minor things.
I wouldn't be so quick to equate differences in personal anecdotes with stark country-level differences (though it's plausible that everything is worse in America as usual)
I grew up in a low income neighborhood in the Netherlands and many times saw people be utterly terrified of CPS. In many cases these were households where outside help could've been really useful, but even in the worst cases where heavy CPS involvement was the only option (real "take the child away" cases), the child's situation often unfortunately hardly got better, just different. In less intense cases CPS involvement often just seemed to thrust a compliance burden on households without offering much real support, mostly just leaving people feeling guilty and stigmatized. Overall still better for them to exist than not, and budget cuts and restructuring really hurt the situation later, but still an organization with very real odds of making the situation worse, sometimes catastrophically worse.
What country is that in?!??
That's pretty fucked. It should be utterly illegal to put parents in a triple bind like that. You have my sympathies.
The danger is when solutions that are convenient, but require giving up some sort of freedom, are made mandatory even for those who would like to stay free. I hope this is a lesson we avoid having to learn the hard way.
I have done some backpacking these past two years, and it is worrying how easy it is to get into big trouble if you lose your phone or payment cards.
As an example, my debit card got eaten by an ATM on my way to Argentina, and after my 6 month travel, the backup credit card I had brought was about to expire.
Despite my card working as a means of payment, I was starting to feel the effects of this corner case in every aspect of modern life. I could not use our equivalent of cashapp, I assume because my card was about to expire. I could not ride public transit, or trains, or do things like book a yoga class with my friends, all because all these institutions basically only let you interact with their service through their apps, where I had no way to pay.
I spent some time visiting friends in the capitol on my way home, and tried to sort the situation out with my bank. They thankfully were able to order some new cards to their office, rather than to my home address. But immediately after my talk with them I found that my one remaining card had been cancelled.
Then I tried bringing my passport to withdraw some cash, but the bank teller almost laughed at me, before explaining that you can't just do that anymore. The bank isn't even allowed to let you get your money in cash and leave. You can get bits of it in bills at the ATM for a fee the price of a coffee, but also that requires a card, of course.
Electronic payment solutions are so convenient, for the public and for institutions, for law enforcement and control, that we've forgotten how much we need to give up in order to use them, and now they're being made mandatory as we trudge along into a cashless society.
Now I couldn't even get food or shelter, if not for my friends. I remember half stumbling out of the bank with my passport in my hand, half dizzy with shock and anger. This, along with lots of other small mishaps like losing my phone and encountering trouble, kind of radicalized me on these topics.
Add "can't participate in society without agreeing to user-hostile Terms of Service clauses, such as indemnities, behavior profiling, and opted-in marketing subscriptions."
It's amazing where those dark patterns are cropping up (government services, SPCA, etc).
I sometimes contemplate that this sort of incidental ToS should be 100% unenforceable.
Here’s what I mean: suppose I want to order a cup of coffee at a cafe. I’ve made a choice to go to that cafe, and it’s at least generally reasonable that the cafe and I should agree to some terms under which they sell me coffee, and those terms should be enforceable.
But if the cafe requires me to use an app, and the app requires me to use a Google account, then using the app and the Google account is not actually a choice I made — it’s incidental to my patronage of the cafe. And I think it’s at least interesting to imagine a world in which this usage categorically cannot bind me to any contract with the app vendor or Google. Sure, I should have to obey the law, and Google should have to obey the law, but maybe that should be it. If Google cannot find a way to participate without a contract, then they shouldn't participate.
I might even go farther: Google and the app’s participation should be non discriminatory. If the cafe doesn’t want to sell me coffee, fine. But Google should have no right to tell the cafe not to serve me coffee.
(For any of this to work well, Google should not be able to incorporate its terms into the terms of the cafe. One way to address this might be to have a rule that third parties like Google cannot assert any sort of claim against an end user arising from that end user’s terms of service with the cafe. If Google thinks I did something wrong (civilly, not criminally) in my use of the app, they would possibly have a claim against the cafe, but neither Google nor the cafe would have a claim against me.)
>One way to address this might be to have a rule that third parties like Google cannot assert any sort of claim against an end user arising from that end user’s terms of service with the cafe.
Or just require retail businesses to accept cash. Which many jurisdictions have done.
Problem solved.
That doesn’t help if you need to use an app to order.
I don't know about you, but I don't have my device super-glued to my hand. In fact, if I'm going out to run errands in my neighborhood, I often don't bring such a device at all.
If I walk into a cafe (which is what GP was talking about), I'm going to (horror of horrors!) speak to the nice person standing behind the counter to ask them to make me my coffee.
I'm certainly not going to go full on passive aggressive and stand in front of the person taking orders and place my order on an "app."
In fact, if a retail establishment attempted to require that, I'd just leave.
Which I've done several times at restaurants who, when I ask for a menu, am informed that I should "scan the QR code" on a label stuck to the table with my phone to get the menu.
No thanks.
To me the point where the law needs to intervene is the bank or the school. You need a bank to function--that means the bank should be prohibited by law from tying you to an app from a particular company, whether it's Google or Apple or anyone else. You should be able to access their functions using any client that supports the appropriate open standards (such as web browsers).
Similarly, if the school is going to have control over your kids, the school should be prohibited by law from requiring you to use an app that's tied to a particular company. They should be required to provide you functional access using any client that supports the appropriate open standards.
If it is a public school, the state should “intervene,” but really it isn’t an intervention, it’s the state’s school they should fix their stupid policy.
For the bank, I don’t really see why it would be preferable to intervene with the bank vs the tech company. Either way the state will have to impose on a private company.
> You need a bank to function--that means the bank should be prohibited by law from tying you to an app from a particular company, whether it's Google or Apple or anyone else. You should be able to access their functions using any client that supports the appropriate open standards (such as web browsers).
Really this is an interoperability problem, so the government would have to impose on both sides. An OS should be mandated to come with a browser than supports some locked down functionality—a subset of HTML, nothing fancy, no scripting or anything like that. The bank should be required to provide a portal that speaks that language.
> For the bank, I don’t really see why it would be preferable to intervene with the bank vs the tech company.
Because the bank has a fiduciary responsibility to its customers. The tech company doesn't. The bank can't just deny you access to your money because you don't want to have a Google or Apple account. That should already be the legal framework, but apparently it needs to be clarified and enforced better.
> Either way the state will have to impose on a private company.
Banks are already not "private companies" the way tech companies are; banks are already agents of the state in a number of important ways (such as being required to report all kinds of transactions, follow know your customer rules, etc.).
You mean like if there were a standard (JSON, XML, whatever) format of document that you could cryptographically sign which would order a transaction to take place? Kind of like a digital teller's slip?
That would be nice, but how would the bank verify the signature? It's the same old key exchange problem all over again.
In any case, that's not what I was suggesting. I was simply suggesting that banks shouldn't be allowed to force you to depend on certain apps or app stores to get access to your money. Similarly, schools shouldn't be allowed to force you to depend on certain apps or app stores to take proper care of your kids.
> That would be nice, but how would the bank verify the signature? It's the same old key exchange problem all over again.
I suppose you could print your public key as a QR code on a piece of paper, or display it on a phone, or use a USB security key device, and physically give it to an authorized employee at a local bank branch. Or if there is a way to electronically open an account you submit it then, along with whatever other proof of identification is deemed acceptable. I think root of trust has been, and always will be, a hard problem. It's just about finding the acceptable level of risk. Security is weaponized inconvenience.
Edit: Just to think down that road a little further, I expect the issue exists because the solution chosen by the school/bank/gov't/business will not be the optimal one for users, but the most expedient for the org. They're going to do the lazy thing that works for 80-90%, because there currently is no better alternative that they can implement with minimal effort.
If we look at the past we see that postal mail and telephones became standard methods of communication, but you could always walk into an office somewhere and handle business in person. Now that last default is quickly being phased out. So what should be final fallback method of communication?
So I see two problems: there is no better way, and there is no required minimum. Both need to be solved.
You can use the majority of the banking apps without a Google Account on an Android through the Aurora Store:
* https://f-droid.org/packages/com.aurora.store/
I've tried it, it works.
With Apple, it's all far worse. On iOS, I've discovered that even some preinstalled premium apps, like Pages, Numbers, Keynote, GarageBand, iMovie, don't work unless you add an Apple Account to the system.
But with Android, it's relatively easy to set it up without any accounts, through Chrome, F-Droid, Aurora Store. (And I usually uninstall Chrome after installing F-Droid, too.)
I think it is kind of levels:
"can't participate in society without a mobile phone" "can't participate in society without internet" "can't participate in society without google"
not sure where is the logical correct threshold making it wrong. because we all accept maybe people not participating without internet.
Clearly the logical threshold is when a single private corporation becomes the gatekeeper to your life. The internet itself is decentralized so that's fine. Mobile phones as a concept is also fine.
Almost. Having access to the internet requires a device, or public computer if available. A just society would at least maintain ability to interact with all government services through in-person and through post office. Universal access.
At least in some countries you can use a public computer at a library or other government-provided institution. I agree that it ideally shouldn't be required though.
This seems to be percieved as an explicit intended loophole. I've seen contests where they say "for free entry, go to website..." followed with "internet access can be obtained at libraries".
Obviously, the idea of "you don't have to pay to participate" has a strong legal footing, but I have to wonder if they can find a way to pivot that to "I don't have to acquire an Android/iOS device". Maybe they would develop a kiosk-mode version of the OS that will run apps tethered to a placeholder library account.
> At least in some countries you can use a public computer at a library or other government-provided institution
...for now, at least.
> not sure where is the logical correct threshold making it wrong
This can't be more clear: Forcing to use the duopoly is against the competition and is totally wrong.
I meant a bit like: Let's say you have 2 mobile phone operators in your country ( duopoly ) we are ok that for example using SMS for banking interaction ( second factor etc )
I think this is a process; and somehow slowly people accepting those levels, and in a society it becomes normal ( to have whatsapp for friend group, to have facebook for family photos etc etc ) and you are being left out eventually if you are outside of those norms.
So it is not so different for bank to require something like google provided software.
I think if we accept that market concentration for essential services cannot alawys be avoided, there must be an obligation for these companies to provide those services to everyone.
The difficult part is how to guarantee this right without opening the floodgates for all sorts of scammers and organised criminals.
We need some sort of due process proportional in cost to the effects of account terminations (or rejections) on people's lives.
Isn't this how utilities are regulated?
In the UK some utilities do have a legal duty to supply.
I'm not familiar with the details though, so I have no idea what happens if someone is accused of having violated their terms of service. I think there are different rules for different utilities.
> "can't participate in society without an apple or google account".
Wow. You nailed it. Thank you.
When desktop operating systems were dominant, the need for the freedom to control your own software installation was beyond obvious.
But now our phones are an even more dominant/necessary computing/communication tool.
Apple and Google's appeal to security is such a fig leaf. They can continue to lock down our phones, add even more security.
BUT, simply provide a way for users to mindfully bypass that. They could make the pass through screen as scary as they feel they need to. That's it.
(If they did that, customer pressure would naturally build over time, for less draconian warnings, as other verifiably/clearly responsible sources became popular.
Another benefit. Apple would soon put its considerable resources competing to delivering the most robust security of a more valuable kind. The kind that enforces the walls between unpermissioned/dark behavior without limiting desired behavior and innovation. That would create healthier quality-loyalty based "lock in" that their vertical integration and high focus DNA already gives them advantages to "win".)
Thanks. This matters a lot to me. I focus on it from the angle of not owning a smartphone, but it's even more urgent from your perspective. I want businesses to understand that some number of people, in order to avoid toxic behavior patterns involving social media or doom-scrolling, find a dumbphone to be the healthiest choice for themselves. And yet, the places you cannot park your car, the airlines you cannot fly on, the events you cannot attend... all because you don't have an app.
I do think the personal mental health angle matters a lot, but it adds urgency to consider school, banking, etc being dependent on private company memberships.
My local gym did something wonderful. They retained a keyfob-based access system instead of using an app, specifically because the owner knew "someone's going to have a dumbphone and complain they can't get in."
This is one of the things I wish the EU would intervene. Requiring a smartphone and an app should be illegal for corps of a specific size and for public entities (see school example above/below).
I also don't like the push towards accounts with google / apple etc or using apps to do everything, or the walled gardens that are the apple and google app stores.
To play the devil's advocate though, hasn't this always been the case when new technology gains widespread adoption? e.g. going backwards in time, at some point not having an email address wasn't a big hinderance, nor was not having a phone number etc. Telcos got regulated, maybe that's the next step for google, apple etc.
Having either Google or Apple should not be an obligation to any human being and governments should do whatever is in their power to allow us to continue operating basic services without them. It should be as simple as that. So all companies that choose the "app" way must also offer a possible equal or better webapp solution for their customers.
+1 on this. This is a privacy tie in sale. You buy product x, but after the buy it turns out it only works when you also accept the terms and conditions of product y.
Normally tie in sales are illigal, but because it happens in the digital world, we/they fail to notice...
Its banks, but also government and health (the dutch digi-d app), food markets, schools, more and more
If there is a EU DMA, where is an independent app store?
If you live outside the US, it's even worse with WhatsApp.
If for whatever reason you dislike WhatsApp, you just can't also be a society's functioning member.
Some companies have decided to deprecate email and phone support and only have a WhatsApp chat, potentially with AI slop. I've had to discontinue my services with some of these companies because of that.
Even some government services are going through WhatsApp; I've had to be there in person, among senior citizens just because of their tech choices.
I pretty much vouch for "vote with your wallet," but I am running out of alternatives.
In the Philippines everyone uses Facebook because you can use Messenger for free without data charges.
I never do business with those kind of companies, and it's not any problem in my life. If you can't reach them by email or phone, then they don't get any money.
This.
I really liked Huawei phones and I wanted to keep using them after the US forced them to part with Google, but after doing some research and finding out some of the everyday things I wouldn't be able to do due to not having the Google Play Services (I'm not even talking about not having a Google account!), I just gave up.
Huawei isn't much better in terms of user freedom.
Being disadvantage and not able to own multiple phones for different purposes is a problem.
The main issue is we’re not there today and it’s not obvious what that world looks like.
We all had junk drawers of useless charging cables, everyone agreed it was stupid, hence a universal charging connector standard along with the promise that the charger junk drawers will be freed.
Even if we mandate the “POSIX of smart phones”, for lack of a better term, what problem today, for everyday users, does it solve? It might even make interactions with various government technology worse as that API will likely only be begrudgingly supported, which won’t win any hearts or minds.
Basically until you have a one line slogan that most people can relate to which, and is a problem they have today, movement will be very slow.
Also, in the short term, if these various site are AI coded, and thus follow existing software patterns, expect this to get worse.
Give Google and Apple anything they want, in exchange for a reasonable life.
When the majority of people want what you want, democracy is great.
When the majority of people don’t want what you want, democracy sucks.
Can you make an argument as to how this is different from having to have an account with, say, your ISP?
A few points:
1. It's not necessarily different. Your ISP has monopolistic power over you, and it should be regulated more aggressively.
2. A non-mobile ISP is currently much less important than an Apple/Google account for interacting with modern society, and less important than it was even a decade ago. If all 1.5 of my available home ISPs turned evil I could manage just fine without them.
3. Given the relative public perceptions this feels weird to say, but Comcast and their ilk are much less problematic than the Apple/Google monopolies. You can largely just pay for internet (plus an extra 10-40% from scammy business practices) and do whatever you want to do, with the analytics they're selling about you being less invasive than those which Apple/Google use.
Your ISP is an utility, it doesn't hold your de-facto identity.
Google and Apple increasingly become the entity required to identify yourself, either directly ("login with Google/Apple to participate") or indirectly ("use our App on iOS/Android to confirm your identity and participate")
You have many ISPs to choose from. There are not many "Googles" nor "Apples" to choose from.
My apartment, smack bang in the middle of Manhattan, has a single coax cable opened by Spectrum, and is the only option for me to get reliable internet connection. I have no choice but to (1) sign whatever their ToS are, (2) pay whatever they want to charge, and (3) have them do what they want with my metadata. I’ve decided it’s not the hill I want to die on, but no, I don’t have many ISPs to choose from.
You have at very least: * Mobile connection, a few carriers * Starlink/Eutelsat
It's not perfect, but nowhere near Google/Apple duopoly. Also this is very local US issue, solvable on city level regulation, while smartphones are everywhere.
You also have the option to move. I mean, that's not ideal, obviously you don't want to have people up and change addresses to deal with a problem with a single company, but if you end up on both Google and Apple's shitlists, there's nowhere you can go to where Schmapple is a third option.
Starlink in an apartment in the middle of Manhattan? Suggesting Eutelsat is just funny frankly.
Eutelsat has pretty reasonable unlimited data package at $75/MO. Might only be available in Europe & Africa though.
>Might only be available in Europe & Africa though.
Yep. We just need to move Manhattan there. Problem solved.
It's crazy how some people think there's no solution when the solution is "clear as an unmuddied lake...As clear as an azure sky of deepest summer."[0]
Doesn’t Manhattan have radio based ISPs like 5G providers? Perhaps not ideal but far from a single ISP provider.
Depending on where you live, a lot of times you don’t many to choose from. Maybe 2-3, but sometimes only one with fast enough speeds that it becomes the only option.
Where?
Cellphone providers + Starlink mean there’s more than 3 options in basically every US home.
Even in places without those, there are a ton of little hamlets in BFE around me that have one guy that gets fiber from wherever is cheapest, then runs a point-to-point directional antenna relay system to a home-brew ISP.
We're talking about participating in society not Netflix. There are a lot more options for that, including mobile and even good old dial up.
So they are effectively utilities and must be regulated accordingly.
I have exactly one to choose from. Two thirds of americans households have exactly two, exactly the same number as the count of googles and apples.
Than your region has a problem that your government should work to fix. Just like the one with Google/Apple.
That's not a universal problem though, so random people on the internet won't relate.
Two thirds of Americans could connect to the internet via:
- Starlink
- AT&T wireless
- T-Mobile wireless
- Verizon wireless
The choices of fixed ISPs is often more limited (in my area, the physical options are AT&T copper, Xfinity cable, Monkeybrains wireless).
If ISPs pose a similar problem, that still doesn't minimize the Apple/Google problem.
This question is a non sequitur.
No one is arguing for using ISP-hosted accounts as an alternative.
The core problem isn't even rooted in identity per se, it's about platform owners actively working to limit access to essential information from platforms they cannot profit from.
Even granting the most cherubic motives, this ongoing behavior is atrocious on it's face and should be prevented by any means, including competition, rule making and legislation.
I've been phoneless for 5 years, and I've experienced this too. I do have a google account, but I get occasionally locked out of it because I don't participate in 2FA. I fought my bank for nearly 5 months before they provided a code generating dongle to 2fa into there web portal. I had to stop using Amazon and EvilBay for exactly the same reasons.
Frankly I think it's a lost cause and sadly doesn't make sense to waste energy on it anymore. I eventually abandoned my de-googled phone exactly because I couldn't use my bank with it.
I don’t use a bank with a phone. What do you do with it?
(One exception, I used to scan checks five years ago, but thankfully that finally ended.)
Some banks require an app for pretty much everything other than retrieving cash from an ATM, because they don't have a web app anymore:
1. Transfer money to another account. The alternative is to waste half a PTO to go to the actual bank (because they only open at working hours) to make that transfer.
2. Make an online payment. Most new cards no longer have a CVV (3 digit code) and instead require you to use the app to get a dynamic number. Many banks do not offer that option in their web app.
3. Forced 2fa for in-person payments with your card.
Today it's still possible to workaround many of these issues but they're closing these workarounds little by little.
Same. I have a very old iPhone stuck on an old version of iOS that's incompatible with most apps these days. In the rare case I need to deposit a check there are banks like Ally that don't have physical branch locations but still let you deposit checks via their website.
I'm curious what people need a bank app for.
If you think it's bad now, just wait until passkeys are ubiquitous and best practice is to only trust a small list of providers. The only way to prove you're human will be to prove that you're Google's human.
To an extent, I already saw ads on various fora effectively asking for pretend humans ( you sign up to a list with your info and 'they' use it in your name ). It is going to be another cat and mouse game to track and I am getting tired.
The only thing protecting you from this is a strong government.
Bur if you look around theres a lot of money going into defacing democracy and electing morons, by the same business forces.
You aint getting a fundamental freedom by individual contributors, the same way bitcoin is turning into a centralized scam bank.
Remember those naive days when everyone was scared about Big Government running their lives? Remember how the Free Market™, unimpeded by government interference, was going to ensure our personal freedoms were never compromised?
Good times.
Franchise-Organized Quasi-National Entities (FOQNEs)
AKA Peter Thiel's utopia
Necessary but not sufficient.
> I think the conversation needs to change from "can't run software of our choice" to "can't participate in society without an apple or google account".
This won't work out for you. It just turns into technically being able to, but it being practically impossible. In Sweden (i.e. basically your future), we're already there.
What's it like in Sweden? When I lived in Denmark the government had its own e-boks system for mail. I only ever accessed it via web, but I'm sure there's an app as well. Back then everything was authenticated via NemID which defaulted to the option of using codes printed on physical cards sent in the mail. I know they've moved to MitID now. Does anyone know if MitID can be installed on a de-googled device? Apparently there are a couple other options https://www.mitid.dk/en-gb/get-started-with-mitid/how-to-use...
In Sweden, we have BankID for one thing. You can't do anything at all without it, including (in many cases) buying things online with your Visa or Mastercard. You can't even do stupid things like look up license plates or other simple tasks. You certainly can't deal very well with the medical system without it. In many cases even mail can be a pain in the ass without it.
Then we have another problem. Cashlessness. There are fewer and fewer places that accept cash for payment and even if they do some of them won't have change (since it's so rare that other people are paying in cash).
I have a friend now who was cut off from the BankID (and thus cashless) system and it's quite a struggle for him. He has to constantly have other people (i.e. us) do things for him, or drive 40km to one city or another during specific hours to do things (since all the local outlets for everything closed since 99% of people do 99% of everything online now).
Painful!
How does one get shut out?
Perhaps a story of his life now could be told to whatever politician may make sense? (I just do not know that for your part of the world)
Seems to me there must be some basic government run thing to manage this. Using corporations has too many problems.
And you may tell me BankID is government! Hope not.
He gave a copy of his bank card to his ex-wife who was living in Uganda and using it there. The card was under his name though, which is against their policy. He could have easily gotten a card in her name, but he's extremely irresponsible in general (and doesn't really care what the rules are). They banned him for six months. He hasn't even bothered to figure out if it's automatically re-instated or whether he has to appeal. I don't know how such people live to be 65 years old.
The government isn't requiring BankID except for on their own services (where sometimes other options are provided). It's kind of just the most convenient thing that all agencies and businesses end up using. There's no laws around it, I mean. They all opted into it. It's run by a private consortium of banks.
Oh, not lifetime then. Good. Seems quite reasonable. Thanks for the details.
Does it? It doesn't seem reasonable to me to effectively ban a non-criminal citizen from the economy and from civic life, not even for "just" six months, no matter how "irresponsible" the citizen is.
> I called their support line for a lost card, and had to go through to second level support because I didn't have the app.
What’s the alternative? The bank sending out a debit card to anyone who calls up and says “I’m @kristov, trust me…”
You were not able to served by the standard path, because you couldn’t authenticate yourself via the standard mechanism. You still got service by an alternate path. No different from opting out of the airport scanner; it takes longer and is a little less convenient, but you still get service.
Not sure if you're genuinely asking because there are a dozen proven ways to verify identity or residency either digitally and physically without being locked down to 2 mobile OSes owned and controlled by 2 American companies.
Exactly, as was demonstrated by GGP's "had to go through to second level support". That seems perfectly reasonable to me, yet seems somehow objectionable to GGP.
"Can you believe that I had to prove my identity to the support group in charge of requesting replacement cards in order to get a replacement card?!"
"Uh, yeah, that makes total sense; what part of this tale of woe is surprising or interesting?"
Off the top of my head: going in-person to the bank, email, phone call or sms to a number that you previously informed to the bank (say when opening the account), otp a la authy or aegis. None of these require you to be on google or apple's walled garden.
Banks have been closing up their in-person services as fewer and fewer people use them.
https://www.kiplinger.com/personal-finance/banking/is-your-l...
> Since 2020, the rate of bank branch closures in the U.S. has doubled. The majority of those closures come from large and very large banks, contributing to an overall 5.6% decline in total bank branches nationwide since the start of the pandemic.
Nor did GGP's approach require them to be in google or apple's walled garden.
That's exactly the point: there's an easy and common method that many people choose to use, but there is still a perfectly working method for people who choose to not use apple or google.
the part you are missing is that this is the situation for now. Emphasis on for now. Google are already moving to restrict what software your phone can run i.e. they control your device.
Please, don't be so obtuse just for the sake of argument. Any rational, well-informed person can wee where this is going.
I think the upthread argument is the weak one in that regard. "See how terrible it is that banks offer a new method to get more convenient service for people who have an Apple or Google device? Because I choose not to, I had to use a perfectly viable method that people relied upon for decades and that still worked just fine."
That's an example of how the banks are continuing to accommodate customer preference, not the other way around. As to "where this is going", ATMs and debit cards are nearly pervasive and, yet almost 60 years after their introduction, I can still choose to bank with a teller if I insist on not having a debit card.
What’s the alternative? The bank sending out a debit card to anyone who calls up and says “I’m @kristov, trust me…”
Are you under the impression that this wasn't a solved problem for the half-century before "apps?"
Yes, there was some tiny fraction of fraud, but it's not like adding all these layers upon layers of technology has fixed anything. The difference is that instead of getting ripped off by one of the people in your own town, anyone anywhere on the planet can rip you off now.
Wait, how you being on the Google/Apple ecosystem help the identification process?
You need Google/Apple blessed phone to install most banking apps
> opting out of the airport scanner
slightly OT, but where can you opt out of the scanner?
Every time I've tried they told me I won't be allowed through security unless I subject myself to the scanner, despite me protesting that they can search me however else they please.
Anywhere that US TSA runs the AIT scanners, you can opt out of them*.
That is domestic US airports plus airports like Toronto and Dublin where you, for practical purposes, clear into the US on foreign soil and land in the US as a domestic flight.
* - I think this only doesn't apply if your boarding pass got tagged with the dreaded "SSSS" enhanced screening tag, but that's a fairly rare corner case for most passengers.
My understanding, which may be wrong. It's been a few years since I did this dance.
You can opt out of the millimeter wave radar.
Opting out means you go through a metal detector, a 20-second pat-down and perhaps a hand swab for explosives sniffer.
If you have SSSS on your boarding card, that means the pat-down, hand swab and digging through your carry-on luggage happen whether you opt out of the mmwave or not.
It's clear that you can opt out of AIT (mm wave) scanning if you don't have SSSS and uncertain otherwise.
From the TSA website, https://www.tsa.gov/news/press/factsheets/technology , "Most passengers have the opportunity to decline AIT screening in favor of physical screening. However, some passengers will not be able to opt out of AIT screening if their boarding pass indicates that they have been selected for enhanced screening."
> In this context this would mean having the ability and documentation to build or install alternative operating systems on this hardware
It doesn't work. Everything from banks to Netflix and others are slowly edging out anything where they can't fully verify the chain of control to an entity they can have a legal or contractual relationship with. To be clear, this is fundamental, not incidental. You can't run your own operating system because it's not in Netflix's financial interest for you to do so. Or your banks, or your government. They all benefit from you not having control, so you can't.
This is why it's so important to defend the real principles here not just the technical artefacts of them. Netflix shouldn't be able to insist on a particular type of DRM for me to receive their service. Governments shouldn't be able to prevent me from end to end encrypting things. I should be able to opt into all this if I want more security, but it can't be mandatory. However all of these things are not technical, they are principles and rights that we have to argue for.
What I like about your comment is that it points out that all technical work-arounds are moot if people as a whole are not willing to stand up with pitchforks and torches to defend their freedoms. It will always come down to that. A handful of tech-savvy users with rooted devices and open-source software will not make a difference to the giant crushing machine that is the system.
And I'm afraid most of us are part of the system, rage-clicking away most of our days, distracted, jaded perhaps, like it historically has always been.
Only competition can provide a solution. We have lost sight of this principle even though all Western democracies are built on the idea of separation of powers, and making it hard for any one faction of elites to gain full control and ruin things for everyone else. Make them fight with each other, let them get a piece of the pie, but never all of it. That's why we have multiple branches of government, multiple parties etc. That's why we have markets with many firms instead of monopolies.
There has never been a utopian past and there will never be a utopian future. The past was riddled with despotism and many things that the average man or woman today would consider horrific. The basic principle of democratic society is to prevent those things from recurring by pitting elite factions against each other. Similarly business elites who wield high technology to gain their wealth must also compete and if there is any sign of them cooperating too closely for too long, we need to break them up or shut them down.
When Apple and Google agree, cooperate, and adopt the same policies - we are all doomed. It must never happen and we must furthermore break them up if they try, which they are now doing.
>There has never been a utopian past and there will never be a utopian future.
I wouldn't call it utopian, but I'd say we are way past "peak democracy" at this point.
There was a time in which corporations did get broken up when too large, when we did understand that it's about serving the population first and accumulating wealth after that, when corporations influencing politics was widely seen as a negative. It does seem to me we are now way past that.
There's no reason why democracy can't peak again and reach new heights. But that won't happen automatically.
Personally I think there are technological preconditions for stable democracy that have recently been countered by authoritarian leaning technology. We need to invent counter technology to those things.
There is no authoritarian leaning technology. People figured out how to create 1984 while saying they defend free speech.
It is simply that, eventually, people learn how to use technology to their advantage.
I agree with this. And yet.
> It is simply that, eventually, people learn how to use technology to their advantage.
What should we call this accumulation of lessons in how to do things for your benefit? It can be and is encoded as algorithms is it not?
There is a small community of billionaires who control everything to the best of their ability. They control for their own benefit.
Technology, its development and production, is one thing that they control.
The rest of the population (the nonbillionaires) is another thing that they seek to control. It's near the top of their list.
Phones, internet and social media are tools for controlling us. Arguably. Right?
I disagree that there's a technological solution to late stage capitalism and the slow death of liberal democracy.
New technology doesn't change anything about social institutions - the most powerful groups before the technology was invented simply own the technology after it's invented and use it to further cement their power.
I think the luddites were on to something. We don't need technology, we need humans doing things a little differently, maybe even doing bizarre things like setting factories on fire. Personally I hope we can try other things before setting factories on fire, see Keith McHenry's version of The Anarchist Cookbook for peaceful resistance solutions as well.
The point is though without a restructure, new technology doesn't liberate, in fact it further entrenches existing power structures.
> New technology doesn't change anything about social institutions
This is of course demonstrably untrue. Marshall McLuhan devoted his life to illuminating how technology changes society. The printing press, radio, television and the Internet have all undoubtedly changed our social institutions. It's hard to imagine secular democracy ever becoming a thing if we hadn't been able to mass produce books and newspapers, and writing manuscripts had remained mostly under the control of the Church. It seems less probable that the Nazis would have come to power if not for the immense skill Goebbels and Hitler had in the use of radio. And I doubt Trump would have been elected if he hadn't known how to press people's buttons so well on social media.
Let's not forget that more ancient things like fire, agriculture and accounting are also technology that irrevocably changed humanity and put new people in power. Or take a look at how railroads remade American society. Or how sufficiently advanced sailboats placed half the world under the thrall of colonialism...
Absolutely there can exist technologies which are anti-democracy, and surveillance technologies are exactly that. You become afraid to say or write the wrong thing in public, and then to say or write it in private, and then to even think it, and finally the thing is forgotten. I felt like Orwell made the point well enough in 1984.
All that said I don't see technology saving us from our current problems, it needs to be invented, it needs to mature, there needs to be adoption. One might imagine mesh networking and censorship proof distributed messaging or something having an influence on society but we simply aren't there yet.
>I felt like Orwell made the point well enough in 1984.
True enough. Although I think Frederick Pohl and C.M. Kornbluth came closer to our current situation with The Space Merchants[0] (which I just read, almost by accident).
Orwell was more explicit in his exposition of totalitarianism and told a more compelling story than Pohl/Kornbluth did in their tale of authoritarian/corporatist dystopia.
That said, the universe of The Space Merchants more closely matches the current environment, IMHO.
That looks like a great book, I'll have to check it out!
My go-to in fiction for comparison with the authoritarianism of the modern world is actually Brave New World. We were drugged (whether pharmacologically or psychologically) into submission, more than we were beaten into it.
1984 is great however for getting the surveillance point across in the most brutally direct way possible. The telescreen was a mind-bogglingly prescient idea for a guy writing a book in the 1940s. "Omnipresent and almost never turned off, they are an unavoidable source of propaganda and tools of surveillance." We actually did it. We invented and embraced George Orwell's telescreens of 1984, en masse. The only difference is we put them in our pockets and carry them around all day, instead of having them in our living rooms.
I didn't use the right word, maybe you can help me pick a better one. You are of course correct that technology has many times completely changed our societies, but my point is that despite overwhelming transformations, the core of societal organization doesn't change: those with capital control those without. Those with capital determine what labor those without may do, when, where, and what becomes of the result of that labor.
The printing press resulted in the first ultrapowerful media companies that were able to capitalize on later revolutionary technologies such as radio and television (for those nimble enough to keep up with the times). Even in that era the newspaper was leveraged to serve the needs of the wealthy and solidify their power. Countless unpublished books that couldn't get picked up by the publishing houses. And the end game of those media technologies is Rupert Murdoch, Disney.
You are right, power shifted from the church to other Capital holders. And the laborers continued to labor at the whim of some new master.
Railroads led to Standard Oil and America's first ultra powerful monopolies, laying rail to serve their needs (or wasting rail to suck money from the government) rather than the needs of the people.
Sailboats created the East Indian trading company and actual corpotocracies, as you said.
Incredible changes to society in so many ways except perhaps the most important, and that's my point: it won't be technology in the end. It wasn't technology that led to the syndicalization of pre Franco Spain, or the revolutions in Russia and the ROC, or the development of the Paris commune, events that signify some of the few brief times in our history that the core paradigm was shifted if only briefly.
We are totally talking about a technology-driven shift in who controls society though. In the past it was kings and the church and their wealth was certainly a factor but the king's direct control over the state monopoly on violence, and by extension over land, and the church's control over information and belief, were the greater factors. Remember all these kings started out mostly as thugs with bands of other thugs behind them who had the biggest weapons and the most violent tendencies. And the churches started out as smaller dudes who were willing to eat mushrooms, wear face paint, and tell stories about how the biggest thug in the pack was the son of a god so you had better obey him.
Now, because of technology shifts, it's the political/bureaucratic and merchant classes in charge. The king and the church are pretty much powerless. The military class has gone both ways depending on what country we're discussing. In some their growing ability to commit mass killing has given them dictatorship powers. In others they are relatively defanged by the political/merchant classes.
Wealth is a very interesting thing because it was originally a byproduct of power. The king sent soldiers to collect taxes. The church propagandized you into tithing. Now the relationship is inverted and the wealth creates the power. Silicon Valley spends $140M on lobbying to get the legislative outcomes they want.
IMO the more we zoom in to shorter spans of time the less we see technology toppling an entire class of elites in favor of another. It doesn't happen in 30 years. It takes hundreds. That said, technology seems to just keep on moving faster, so I wouldn't discount it playing a bigger role in the future than it did in the past.
> You become afraid to say or write the wrong thing in public, and then to say or write it in private
It's called "social cooling": https://news.ycombinator.com/item?id=24627363
> but we simply aren't there yet
Actually, I2P is already here. It should be promoted more.
And when was this utopia in your opinion? This sounds like rosy retrospection to me.
Or are you talking about a very specific industry, because the thread sounds like it is all society or "Late capitalism" which I disagree with.
I don't believe there was any utopian period in the past, but in US history, the Gilded Age had a lot in common with our current day (corruption, centralization of wealth and power, stemming from new technologies). And it was followed by the Progressive era and then the New Deal which were distinctly more populist in nature. Those were the eras of American history where the US got serious about anti-trust and unionization respectively.
In fact true competition is only possible via open standards, protocols and technology stacks.
We need agreement to ensure the large corporations adhere to these.
This doesn't seem right to me. It is often in companies' best interests to adopt standards, but that is because it allows them both to have an optimized supply chain.
Car manufacturers today have a lot of standards that I expect would make competition from any new contenders harder not easier. Tesla would be an example of that, they did survive but the industry thought it was never going to work precisely because of all the standards and regulations required.
On the other hand, early car manufacturers didn't have standards and shared technology stacks. At that time new car makers popped up everywhere and we had a ton of competition in the space.
Open standards are good for the consumer and good for any features that require interoperability. It has nothing to do with competition though.
Sorry, but you're incorrect.
If a particular product is tied to a specific proprietary tech stack, then the consumer is also tied to specific suppliers. This is known as vendor lock in.
Microsoft used this approach with Internet Explorer back in the old days; ensuring that it provided proprietary elements and implementation, that would encourage developers to provide websites that only functioned using their browser.
Open standards allow choice.
That can be one aspect of it, though I would argue that doesn't mean open standards are always better for competition.
I think you're also assuming the only competition that matters is long term. In the short term the potential for locking users into your own ecosystem can incentivize short term competition.
Long term competition seems like a good goal, but that assumption wasn't part of it at the beginning of this chain.
If we don't think about long term competition we end up in the scenario we are in now.
Two main players. No choice.
> that doesn't mean open standards are always better for competition
Yes, they are. Show us a counter-example.
The web is open and is famously very competitive. We have three whole browser engines and only two of them are implemented by for-profit corporations whose valuations have 13 digits. I mean other ones exist, but the average modern developer claims it's your fault when something doesn't work because you use firefox or safari and also demands the browser rewrap all the capabilities the operating system already provides for you because they can't be assed to do the work of meeting users where they are.
In a world with over 3 billion people we have 'three whole browser engines'.
I don't want to be mean, but this isn't a great counterpoint.
I'm not sure what the number of people in the world has to do with whether an open standard does or doesn't promote innovation. The user asked for a case where an open standard didn't do that and I provided one. Whether you think it's a great counterpoint is entirely irrelevant to me.
But browser engines are entirely functional based on open standards!!!!!
This is the core proposition!
The benefit of open standards here, is to the consumers of these standards .. not the engines.
Open standards allow the consumers (websites / apps) to be able to benefit.
The presumption that started this thread is that open standards are always good for competition. I think browsers are a good counter example where open standards led to three browser vendors, we have less competition rather than more.
Without open standards, we would need to pick a browser and provide for it.
If we needed to support another browser we'd need to provide a new solution built to its specification.
Open standards have allowed the possibility of multiple browser vendors, without making the life of browser consumers (i.e. developers and organisations providing apps and sites) a living hell.
Without this, we'd be providing apps and sites for a proprietary system (e.g. Macromedia Flash back in ancient history).
Furthermore, when Flash had cornered a market, it had absolutely no competition at all. A complete monopoly on that segment of the market.
It took Steve Jobs and Apple to destroy it, but that's a different story.
--
The reasoning for only three engines, isn't the fault of open standards.
There are many elements of our economic system that prevent competition. Open standards is not one of them.
Browser engines are extremely difficult to start today because of the extensive, complicated, and ever growing list of specifications.
We had a web before open standards. It wasn't the best user experience and each browser was somewhat of a walled garden, but there was heavy competition in the space.
Do you expect that browsers relying on closed standards would result in more competition under the same circumstances? You didn't demonstrate that.
My original demonstration wasn't actually the browser question. Auto manufacturers did show much higher levels of competition before standards and shared components.
Though it is worth noting that there was heavy competition in the browser space prior to the specs we have today. Part of the reason we ended up with a heavily spec-driven web is precisely because the high level of competition was leading to claims of corporate espionage, and it was expected that end user experience would be better with standards.
I absolutely agree the end user experience is better. I disagree that has anything to do with competition.
Did you see my earlier comment? Car manufacturing for decades or so years didn't have open standards with regards to parts used or how they were built. We ended up with a huge number of competing car manufacturers compared to what we have today.
Didn't older cars rely on open standards making it possible to go to any repair shop? Or maybe it was effectively open stanards, i.e., nothing prevented you from learning how they worked and modifying them.
Nowadays, all cars became hostile to users thanks to the closed software: https://www.theregister.com/2023/09/06/mozilla_vehicle_data_... I wouldn't call it "better competition".
Older cars could go to most mechanic shops because older cars were more simple. The fundamentals of how the cars worked were similar not because the companies collaborated on parts and designs but because they were comparatively simple and all were based on combustion engines that required certain components and physics to be similar.
Well, most. There were the odd steam powered and even early electric vehicles back then. I wouldn't expect either to roll into any mechanic shop in town and get service.
I'm not opposed to open standards, but what makes you think that a corporation which simultaneously violates anti-trust law in three markets and evades meaningful enforcement can be forced to comply with standards?
The problem is not primarily technological, it is a problem of rule of law. Google is a serial violator, found guilty multiple times. So it is a failure of enforcement of law (unless government actions in the near term end up being very dramatic).
If someone points a gun to your head, I guess you could solve that by inventing a personal forcefield. But until you do, we need law enforcement as a deterrent against murder. Otherwise murderers will just keep on doing it.
We don't need agreement for this. In the past, hardware was limited, and you could only really implement one (maybe two) network stacks before things got silly. Nowadays, a software-defined radio can speak ten thousand protocols, for a lower cost than saving a cat video to your hard drive.
We only need that the standards are open, and described clearly enough for a schoolchild to implement, and that we are not prevented from adding additional protocol support to systems we acquire.
Hardware protocols are a bit different, but I actually dislike the USB-C standardisation. We already had better de-facto standards (e.g. small, "fixed-function" devices like feature phones and e-readers all use Micro USB-B for charging). Our problems were mainly "this laptop barrel charger is incompatible with this other laptop barrel charger", and proprietary Apple connectors.
The most important hardware protocol is power supply, which we can fix by requiring well-documented, user-accessible contacts that, when sufficiently-clean power is applied to them, will power the device. These could be contacts on the motherboard (for something designed to be opened up), or something like Apple's Smart Connector (without the pointless "I'll refuse to charge until you handshake!" restriction).
Requiring open, well-documented protocols which aren't unnecessarily-complicated is imo more important than requiring standard protocols.
We're not just talking about hardware here.
Any standard that is developed closed-source and is protected or proprietary, can and will prevent consumer choice further down the line.
Interoperability of data, choice between vendors, and the ability for smaller players to compete with established larger players are all directly negatively affected by a lack of open standards.
They're negatively affected by a lack of openness. Some proprietary XML nonsense that's well-documented makes interoperability a week's work, maximum. Meanwhile, Microsoft's incomprehensible "open standard OOXML", supported by every document editor I care to name, is a huge impediment to interoperability. Limiting myself to even the well-designed ODF format means there are features I can't implement in my software: standardisation comes at the expense of innovation.
In software, the problem is closedness, protectionism, and undocumentedness, not proprietary wheel reinvention.
>In software, the problem is closedness, protectionism, and undocumentedness, not proprietary wheel reinvention.
Quite simply, the first three problems are actually caused by proprietary wheel reinvention.
Correct. But proprietary wheel reinvention is necessary (albeit clearly not sufficient) for progress, so we mustn't prohibit it!
No it isn't necessary for progress.
Standards can be (and are) developed cooperatively and these still allow and encourage progress.
C23 would not be nearly as good as it is without proprietary C compiler extensions, and other non-C programming languages. Sure, C23's versions of some features are better than many proprietary implementations, but they wouldn't exist at all if the lessons hadn't been learned from that exploration.
Once upon a time, Jabber was the messaging protocol. But what killed interoperable instant messaging wasn't a shift away from Jabber: it was a shift away from interoperability. Requiring all chat communication systems to be Jabber wouldn't have helped, and it would have prevented IRCv3.
>Once upon a time, Jabber was the messaging protocol. But what killed interoperable instant messaging wasn't a shift away from Jabber: it was a shift away from interoperability.
And how is interoperability possible without agreed standards?
The same way it always has been? Microsoft Office implements the WordPerfect formats, and WordPerfect implements the Microsoft Office formats.
I wish this was a higher up comment because it's such an important point, and it's totally an achievable thing.
Governments should be supporting this competition, or at the very least not encouraging monopolies/duopolies. Give loads of support/help to startups, small businesses. Let the large corps fund themselves.
But instead, we end up giving them huge tax breaks, anti-competitive legislation and even give them a voice in government.
in the face of large monopolies such as today's platforms, to keep competition you must regulate with laws that stop consumer abuse
This doesnt work if the market incentives themselves encourage these rent seeking actions.
We have given capitalists more and more power pver the last few decades and instead making things better, its just allowed them to nueter the government regulations that would have prevented them from fucking common people over. The market can not solve for this the same way it cant solve for education or the military. This needs laws
Of course I'm in support of consumer protection laws but what needs to be more widely understood is that with Google specifically, probably with Apple and maybe with Microsoft, we are at a unique point in history where passing laws isn't enough.
There are laws on the books, Google's breaking them, and it's just forging ahead with more of this anti-consumer control crap anyway. Google's unique in American history, it has recently been ruled an illegal monopolist in two cases in two markets and a third ruling against them in a third market is likely to drop soon. Even Standard Oil didn't achieve a rap sheet like Google's.
Yeah of course we need government action and I'm calling for that. But people need to realize that this monster is way bigger than just passing a law. The judges need to be choosing harsher remedies including a breakup. The enforcement apparatus needs to be stronger, willing and able to seize direct control of the company if it doesn't comply or complies maliciously. EVERYTHING in the system needs an upgrade because Google is so uniquely huge and criminal in the context of American history.
They are a different, far larger and more intractable problem than your standard, garden variety corporate criminals and extreme measures are needed to rein them in.
Now, imagine a future where the Web platform didn't become a duopoly and Phone+Tablet+PC OSes didn't become a triopoly. A half dozen vendors globally for one, and a different half dozen for the other. That's a very very different world where someone is going to carve out plenty of market share by letting you continue to install your own apps even if they're ad blockers or whatever else you would like. You just wouldn't get 12 companies plus the US, EU and Chinese governments or whoever to all agree on a single platform. We need the big guys to fight. We need the market to be divided. We need competition. We need to slay Google and never have another Google again.
So exactly what law is Google breaking? They are not a monopoly in the US or even 50% of the phone market.
And are you going to force app developers to support all of these platforms?
Weirdly, when the market was smaller, when there was less money available, developers DID support multiple platforms.
Today, when we have significantly fast tools, more standards, more shared knowledge, and MUCH more noney moving through the ecosystem, yet somehow it’s harder to support more platforms.
There’s a problem either at the level we’re talking about (the mono/duo-polies), or perhaps one level higher (national economies). My hunch is that it’s the same problems that are widening wealth gaps the world over (not just in the tech industry), but I’m open to other ideas.
> So exactly what law is Google breaking?
I mean, why do you need us to repeat these very well publicized convictions that have been all over the news? They've been found guilty of anti-trust violations in multiple cases in multiple American markets. The details are just a Google search away... Are you disputing the court rulings that Google possesses a monopoly? Which court?
In the US where has Google been found guilty of anti trust when it came to mobile?
For your convenience, I've accessed a summarizer technology which you can try out any time you need it. You'll find it at https://chat.openai.com/ .
Here are the big, recent U.S. antitrust rulings against Google, with what each court actually decided and where things stand:
#1 Search monopoly (DOJ v. Google – “Search” case) — liability found (Sept 2024) A federal judge found Google illegally maintained monopolies in general search services and general search text ads, violating Section 2 of the Sherman Act. Remedies are being handled separately.
#2 Open-web ad tech (DOJ & states v. Google – E.D. Va.) — liability found (Apr 17, 2025) The court ruled Google monopolized multiple digital advertising technology markets (tools used by publishers and advertisers), harming publishers, competition, and consumers. Remedies proceedings are underway.
#3 Android app distribution & in-app billing (Epic Games v. Google) — jury verdict + injunction affirmed on appeal (Dec 2023 → Oct 2024 → Jul 31, 2025) A jury found Google violated antitrust laws through exclusionary Play Store practices and tying Google Play Billing. The trial judge issued a nationwide permanent injunction (Oct 2024) requiring Google to open the Play Store to rival stores and payment options; the Ninth Circuit unanimously affirmed (Jul 31, 2025).
Case #3 is the direct answer to your question, but I want to again point out that the really serious problem is how Google has abused its market power in MANY US technology markets, and found guilty of these abuses independently by multiple judges in a short span of time, a feat of criminality even Standard Oil failed to achieve. This is why a historic level of action against Google, probably greater than that taken against Standard Oil, needs to be taken.
It's all in the court cases and it's all available publicly online for the interested public to read.
Edit: also, this comment is already too long, but in case it doesn't stand out as obviously to everyone else as it does to me, Google now introducing an additional layer of Google approvals above the multiple app stores that the court is forcing them to accept in case #3 is so amazingly, obviously a telegraphed case of malicious compliance, they are not even trying to hide it. This is the kind of thing I'm talking about when I'm saying passing more laws is part of the solution but not nearly enough on its own.
> A handful of tech-savvy users with rooted devices and open-source software will not make a difference to the giant crushing machine that is the system.
Agreed, although I don't think that's entirely true, its just that post-smartphones we no longer have any political agency over a significant volume of the new traffic. Much of the new traffic represents that faction of people who initially mocked the internet as "nerd shit". But we don't have to get discouraged by our smallness here.
Rather we can offer a sub-system that satisifes our demands and is an open door to those willing to find it. We could try to fight our corner, but unless we're incredibly organised, its unlikely they'll listen due to how less relevant we are, now that all the normies transitioned online.
So we either jump ship to other, more permissive platforms and help make them good by developing software that closes the gap, or we counter by attacking the systems that prevent people from installing software on the device they have bought.
We just shouldn't expect the general population to care about our problems en-masse because they never have and never will. We will make a difference by creating an alternative sub-system that is poised to grow when the giant crushing machine stumbles at some point in the future.
We can't hate people for picking the parental wing of Apple because for most normies they don't enjoy the freedoms of technology, its the choice and difficulty that they conversely find oppressive.
On Android they do enjoy the freedoms and fall for "side load this random app ignoring warnings" scam.
I'd imagine the volume we're discussing aren't even aware of options outside of the appstore.
A study was done a while back of average user competence and when given the task of arranging a meeting in a calendar app for a time where all participants could attend (given calendar conflicts) a meagre 5% of participants succeeded. The bar is tragically low for technical literacy and 95% of people (ballpark) fail to clear it. I'd imagine the first time these sorts of people are aware of side-loading is when they get scammed by being told to side-load some malware. So for these people they wouldn't even notice their digital rights being eroded or taken away completely, because they don't even understand how or why they'd be important.
The problem is that tech-savvy users are like bikers, most of us are law-abiding and want the best for society.
Then there's the 1%'ers, people causing trouble, be it by being biker thugs or malware authors or toplevel pirates, actually disrupting the system but often not in a way that's good for the masses and when clashing authoritans the authoritans win due to the masses good.
And yes, the "good" for the masses is more about malware whilst DRM is more of powergrab by media industries that were unwilling to adapt.
I am looking forward for the day I remote ssh into a <insert kvm solution> controlling my iPhone/Android so I can login to my bank app because they stopped allowing web access, and I don't want to compromise on privacy. Shit is nuts.
> What I like about your comment is that it points out that all technical work-arounds are moot if people as a whole are not willing to stand up with pitchforks and torches to defend their freedoms.
If your system requires extraordinary political efforts from large numbers of people, your system will fail. We are the elites, we have to oppose this. If Netflix asks us to implement this kind of DRM, we have to resign. If Facebook asks us to implement sophisticated surveillance, we have to resign. Etc. etc. We can't keep cashing the checks and then point to the body politic like "I beg you to stop me".
We are the elites
Wait, what?
Different kind of elites.
I’m not “elite” of any kind.
Telling people how they have to design their systems is the opposite of freedom.
Most people don't want to have to learn multiple operating systems or ways of doing things.
My parents are getting old and they aren't tech savvy. The missing piece here is that I want my parents to have a computer they can safely do their banking on, without leaving them vulnerable to scams and viruses and the like. I like that they have iphones. Doing internet banking on their phone is safer than doing it on their desktop computer. Why is that?
The reason is that the desktop PC security model is deeply flawed. In modern desktop operating systems, we protect user A from user B. But any program running on my computer is - for some reason - completely trusted with my data. Any program I run is allowed to silently edit, delete or steal anything I own. Unless you install special software, you can't even tell if any of this is happening. This makes every transitive dependency of every program on your computer a potential attack vector.
I want computers to be hackable. But I don't also want my computer to be able to be hacked so easily. Right now, I have to choose between doing banking on my (maybe - hopefully - safe) computer. Or doing banking on my definitely safe iphone. What a horrible choice.
Personally I think we need to start making computers that provide the best of both worlds. I want much more control over what code can do on my computer. I also want programs to be able to run in a safe, sandboxed way. But I should be the one in charge of that sandbox. Not Google. Definitely not Apple. But there's currently no desktop environment that provides that ability.
I think the argument against locked down computers (like iphones and androids) would be a lot stronger if linux & friends provided a real alternative that was both safe and secure. If big companies are the only ones which provide a safe computing experience, we're asking for trouble.
Your parents are more likely to be a victim of a phone call scam than malware, even on PC. There is also no guarantee that malware will not slip through cracks of official stores or signatures.
You can also choose to do your banking at the physical branch.
We already had "best of both worlds", especially on mobile OSes - granular permissions per-app were quite good, and on Android until few years ago root was widely available if you needed it as well; these permissions could be locked or frozen if there is concern about users, just like work devices are provisioned with limitations. It all depends on your threat model.
In the netherlands we do not have physical branches anymore. They died out. All banking started to go through browser. This was very sensitive to malware and viruses, so two-factor was added through phones. Then less and less people had PCs because phone provides enough. Now mobile apps for banking is the only way to do banking. Or it is required for MFA. Even if you’re calling with the bank it is used as MFA
Same in Sweden, physical bank branches are rare and even they will often require an appointment. All banking is through bank apps or websites, and you use 2FA extensively. Sweden's digital ID system is called BankID because it was made by banks and, initially, for banking, though now BankID is used extensively for all kinds of government and private services.
That doesn't stop scammers. They also keep getting more sophisticated, often using a combination of social engineering and technical skill, and they keep tricking people into giving them money. So unfortunately, while malware is pretty much a non-factor, scammers still thrive.
Good to know. People should read this when they say cryptocurrencies are bad. Well, guess what, so is cash and your card. Any alternatives?
So far in Canada... I must reiterate this, so far, this can and has been fought by one thing. Rural life, and nationalism.
There are plenty of places where mobile phones don't work, especially in the summer when there are leaves on the trees. This means SMS won't really work. So for this path, SMS, the bank has an alternative -- call a number on your account with a voice reading the 2FA code. Thus, landlines or VOIP work here.
When it comes to an app, forcing Canadians to use a phone OS controlled by US companies, still has pushback. An example being, the concept of "A Canadian having to use software from a US company, to identify themselves to a Canadian company" is still a hotspot. Especially with the US wanting to annex us.
So this lock in has not yet occurred.
Really, the phone call to a phone number on your account, not using SMS is as solid a protection, as an app running on a phone controlled by a foreign country's company. It's an alternate path. And it solves the whole 'rural person' access.
Many people living in rural areas don't even bother with a phone type device. Some have Kindles. But by buy a phone, if it doesn't work where you live?
This logic, combined with them closing rural banks, means they have to be quite sensitive here. EG, closing rural banks, then making it difficult to do online banking is political poison for our banks.
I wouldn't be surprised if it becomes impossible to even use cash in the Netherlands soon enough. The first year I was here I don't think I did even once. I've been using cash a lot more lately just out of principle and it's annoying - lots of pin-only check out lines, etc.
Laws would need to be changed for that to happen, so don't expect it anytime soon. Also, cash is kind of the one remaining option when there's no electricity. So for disaster planning people have been asked to keep an amount of cash around. With recent developments in European security, the need for this has become all the more clear.
I still do banking through a random reader at ABN AMRO. I really hope they never get rid of it because I trust that little dumb plastic device 1000% more than my phone.
Even better, the system that Rabobank has.
They make you use this separate device to scan a color qr code generated by the app. The details of the transaction you're authorizing are then displayed on this completely decoupled device, no internet, nothing. After keying in your pin you're given an OTP to put back into the app to authorize.
And I haven't checked, but I'm sure the 'payload' the qr code conveys is signed.
What is a "random reader at ABN AMRO"?
Physical OTP generator. Stick your bank pass in the plastic decice and type your pin in the calculator like front and it will give you an OTP for online use.
Phone scams have you install malware. Banks don’t know if you’re on the phone with the scammer, but they would like to detect if you’re using a screen sharing app on the password or transfer screens.
> You can also choose to do your banking at the physical branch
The ones banks that do have physical presence are closing left and right? Also, I don’t think I can money transfers at the physical office of my bank.
> The ones banks that do have physical presence are closing left and right? Also, I don’t think I can money transfers at the physical office of my bank.
It's crazy if you really can't
Also the good old phishing emails/links. So many people are simply unaware when a website is pretending to look like an app/floating window. Even younger people who you'd hope know better are falling for it today. I work on a PC game and players (mostly young adults) are constantly getting their accounts compromised by the same phishing sites that pop up monthly.
AI voice and video cloning scams are also only going to increase. Why would scammers need to get people to install random APKs when they can just impersonate a family member and tell them what to give directly?
To me it seems very much like the classic "think of the children" type argument. It's not going to really fix anything in the end but it will benefit Google.
> Your parents are more likely to be a victim of a phone call scam than malware, even on PC. There is also no guarantee that malware will not slip through cracks of official stores or signatures.
So what? The lack of perfect security is a terrible argument against better security.
For example, lockpicks exist. Is that a reason to stop locking your house? Our TLS ciphers might eventually be broken. Should we throw away TLS and go back to unencrypted HTTP?
I'm not expecting anything to 100% stop all scams. But modern computer security is a joke. We could do an awful lot better than we are today at keeping people safe from this stuff.
> We already had "best of both worlds", especially on mobile OSes - granular permissions per-app were quite good, and on Android until few years ago root was widely available if you needed it as well
Yes. I want something like this on desktop too - but I want to own the signing keys, of course. It seems strange that this is so controversial.
It's not about being defeatist, atleast not for me. It's about what is considered good enough.
Sure, locking down the OS in this way is more secure, but it's also very restrictive and personally I don't think the added security justifies this. Lock picks do exist, but I am still entirely content with a single lock on my front door. I do not need an extra biometric sensor or camera or security representative standing outside my door to check id's of people passing by in order to consider myself reasonably safe.
Maybe this is cultural/geographical, but I've yet to hear of anyone who lost access to their mail or had unauthorized access to their bank account as a result of malware. I'm sure you can find examples, but I do not consider this an attack vector that is prevalent enough to warrant requiring signed apps or preventing manual installation.
This hardly stops anything, app stores are full of malware, and the cost is very high.
It's like having an automated turret on your lawn because sometimes people bring bad snacks to your dinner parties.
I don't think Google play integrity and only allowing installing blessed apps on blessed devices is more secure. I just don't.
Google blesses malware all the time because otherwise they would go bankrupt. They're an ad company, not a security company.
Everything in life is about trade-offs. Certain trade-offs people aren't going to make.
- If you want to run an alternative operating system, you got to learn how it works. That is a trade off not even many tech savvy people want to make.
- There is a trade-off with a desktop OS. I actually like the fact that it isn't super sand-boxed and locked down. I am willing to trade security & safety for control.
> Personally I think we need to start making computers that provide the best of both worlds. I want much more control over what code can do on my computer. I also want programs to be able to run in a safe, sandboxed way. But I should be the one in charge of that sandbox. Not Google. Definitely not Apple. But there's currently no desktop environment that provides that ability.
The market and demand for that is low.
BTW. This does exist with Qubes OS already. However there are a bunch of trade-offs that most people are unlikely to want to make.
No, not everything is a trade-off. Some things are just good and some are just bad.
A working permission system would be objectively good. By that I mean one where a program called "image-editor" can only access "~/.config/image-editor", and files that you "File > Open". And if you want to bypass that and give it full permissions, it can be as simple as `$ yolo image-editor` or `# echo /usr/bin/image-editor >> /etc/yololist`.
A permission system that protects /usr/bin and /root, while /home/alex, where all my stuff is is a free-for-all, is bad. I know about chroot and Linux namespaces, and SELinux, and QEMU. None of these are an acceptable way to to day-to-day computing, if you actually want to get work done.
No everything is a trade off. That is a reality of life in general.
Anything that is proposed has a cost associated with it (time, money). That always has to be weighed up against any potential benefit.
That claim is too generic to add anything to this discussion. Ok, everything has a trade off. Thanks for that fortune cookie wisdom. But we’re not discussing CS theory 101. In this case in particular, what is the cost exactly? Is it a cost worth paying?
The cost is that developing that simple script to execute something and accessing files will have to be constructed differently. It will be much more complex.
That or the OS settings for said script will need to be handled. That is time and money.
I've said this elsewhere in this thread - but I think it might be interesting to consider how capabilities could be used to write simple scripts without sacrificing simplicity.
For example, right now when you invoke a script - say "cat foo.js" - the arguments are passed as strings, parsed by the script and then the named files are opened via the filesystem. But this implicitly allows cat to open any file on your computer.
Instead, you could achieve something similar with capabilities. So, I assume the shell has full access to the filesystem. When you call "cat foo.js", the shell could open the file and pass the file handle itself to the "cat" program. This way, cat doesn't need to be given access to the filesystem. In fact, literally the only things it can do are read the contents of the file it was passed, and presumably output to stdout.
> It will be much more complex.
Is this more complex? In a sense, its exactly the same as what we're doing now. Just with a new kind of argument for resources. I'm sure some tasks would get more complex. But also, some tasks might get easier too. I think capability based computing is an interesting idea and I hope it gets explored more.
> That claim is too generic to add anything to this discussion. Ok, everything has a trade off. Thanks for that fortune cookie wisdom.
It isn't fortune cookie wisdom and no it isn't "too generic". It is something that fundamentally wasn't understood by the person I was replying to from their comment. I also don't believe you really understand the concept either.
> But we’re not discussing CS theory 101.
No we are not. We are discussing concepts about security and time / money management.
> In this case in particular, what is the cost exactly? Is it a cost worth paying?
You just accused me of "fortune cookie wisdom" and "being too generic". While asking a question where the answer differs dependant on the person / organisation.
All security is predicated on what you are protected against. So it is unique to your needs. What realistically are your threats. This is known as threat modelling.
e.g. I have a old vehicle. The security on it is a joke. Without additional third party security products, you can literally steal it with a flat blade about two inches long and drive away. You don't even need to hot-wire it. Additionally it is highly desirable by thieves. I can only realistically as a individual without a garage to store it in overnight, protect it from an opportunist. So I have a pedal box, a steering wheel lock, and a secret key switch that turns off the ignition and only I know where it is in the cab. That is like stop an opportunist. However more determined individuals. It will be stolen. Therefore I keep it out of public view when parked overnight. BTW because of the security measures, it takes about a good few minutes to be able to drive anywhere.
Realistically. Operating system security is much better than than it was. It is at the point that many recent large scale hacks in the last few years were initiated via social engineering to bypass the OS security entirely. So I would say it is in the area of diminishing returns already. So the level of threats I face and most people face, it is already sufficient. The rest I can mitigate myself.
Just like my vehicle. If a determined individual wants to get into you computer they are going to do so.
Thanks for educating me there champ. I'm sure you're very smart. But I've been writing software for a few decades now. Longer than a lot of people on HN have been alive. There's a good chance the computer you're using right contains code I've written. Suffice it to say, I'm pretty familiar with the idea of engineering tradeoffs. I suspect many other people in this thread are familiar with it too.
You missed the point the person you were replying to upthread was making. You're technically right - there is always some tradeoff when it comes to engineering choices. But there's a pernicious idea that comes along for the ride when you think too much about "engineering tradeoffs". The idea is that all software exists on some paraeto frontier, where there's no such thing as "better choices", there's only "different choices with different tradeoffs".
This idea is wrong.
The point made upthread was that often the cost of some choice is so negligible that its hardly worth considering. For example, if you refactor a long function by splitting it into two separate functions, this will usually result in more work for the compiler to do. This is an engineering tradeoff - we get more readability in exchange for slower compile times. But the compilation speed difference is usually so miniscule that we don't even talk about it.
"Everything comes with tradeoffs" is technically true if you look hard enough. But "No, not everything is a trade-off. Some things are just good and some are just bad" is also a good point. Some things are better or worse for almost everyone. Writing a huge piece of software using raw assembly? Probably a bad idea. Adding a thorough test suite to a mission-critical piece of software? Probably a good idea. Operating systems? Version control? Yeah those are kinda great. All these things come with tradeoffs. But the juice can still be worth the squeeze.
My larger point in this thread is that perhaps there are ways we can improve security that don't make computing measurably worse in other ways. You might not be clever enough to think of any of them, but that isn't proof that improvements aren't possible. I wasn't smart enough to invent typescript or rust 20 years ago. But I write better software today thanks to their existence.
I would be very sad if, in another 30 years, we're still programming using the same mishmash of tools we're using today. Will there be tradeoffs involved? Yes, for sure. But no matter, the status quo can still be improved.
> Realistically. Operating system security is much better than than it was. [...] So I would say it is in the area of diminishing returns already. So the level of threats I face and most people face, it is already sufficient.
What threat models are you considering? Computers might be secure enough for you, but they are nowhere near secure enough for me. I also don't consider them secure enough for my parents. I won't go into detail of some of the scams people have tried to pull on my parents - but better computer systems could easily have done a better job protecting them from some of this stuff.
If you use programming languages with a lot of dependencies, how do you protect yourself and your work against supply chain attacks? Do you personally audit all the code you pull into a project? Do you continue doing that when those dependencies are updated? Or do you trust someone to do that for you? (Who?). This is the threat model that keeps me up at night. All the tools I have to defend against this threat feel inadequate.
This is getting a lot better with Flatpaks and Wayland (and its "portal" system to access resources).
AFAICT the only trade off is there's no support and few apps for Qubes OS. If it was as popular as MacOS or Windows what would the trade off be?
Apps for QubesOS??
>If you want to run an alternative operating system, you got to learn how it works.
You only need to learn how to start a browser. You're a little behind the times, today browser is the OS.
What happens when the OS that is running the browser fails to update because /boot has run out of room for a new Linux kernel (this happened to me the other week)?
What happens when the browser update fails because the package database got corrupted?
What happens when a lock file stop the whole system updating because of a previous iffy update?
You are going to need to drop to a terminal and fix that issue or reinstall the whole OS.
Either way you are going to need to know something about how the machine works.
Does flatpak update automatically? As for /boot, format the whole drive and make it /boot
> If you want to run an alternative operating system, you got to learn how it works.
The typical user doesn't know how Windows works, and they can run that. These days, users can run a friendly GNU/Linux distribution not knowing how it works. So, disagree with you here.
> The typical user doesn't know how Windows works, and they can run that.
That is because Windows for the most part manages itself and there are enough IT professionals, repairs shops and other third support options (including someone that is good with computers that lives down the road) where people can problems sorted.
This is not the case with Linux.
> These days, users can run a friendly GNU/Linux distribution not knowing how it works. So, disagree with you here.
Sooner or later there will be an issue that will need to be solved with opening up a terminal and entering a set of esoteric commands. I've been using Linux on and off since 2002. I have done a Linux from Scratch build. I have tried most of the distros over the years, everything from Ubuntu to Gentoo.
When people claim that you will never have to know how it works. That is simply incorrect and gives a false impression to new users.
I would rather that other Linux users tell potential users the truth. There is trade off. You get a lot more control over your own computer, but you will need to peek under the hood sooner or later and you maybe be on your own solving problems yourself a lot of the time.
> That is because Windows for the most part manages itself
Windows is the least "manage itself" OS out of all OS available today. It needs pretty constant maintenance and esoteric enchantments to keep trucking.
No it doesn't. I barely do anything to manage my Windows Installation. I install loads of garbage (I mostly still run the same programs as I did 15 years ago).
I don't understand why people propagate these falsehoods.
That’s not my experience with it. I have 2 windows installations at home and they both seem fine.
I must admit - I spent about an hour figuring out how to turn off telemetry and other junk after installation. But since then, windows has been trucking along just fine.
Anybody who is good with computers should be able to install linux, it's easier than to install windows, because you don't need to jump through capitalist dark patterns.
>Sooner or later there will be an issue that will need to be solved with opening up a terminal and entering a set of esoteric commands.
That's what I did to export drivers from previous windows installation in suspicion of regression.
> Anybody who is good with computers should be able to install linux
Installation is not the same as support and isn't the same as trouble shooting.
That why people distro hop. They keep on installing thinking that distro X will solve there problem. It may do, but it frequently has it own problems.
> That's what I did to export drivers from previous windows installation in suspicion of regression.
Which is unusual situation. It isn't unusual situation in Linux.
>Installation is not the same as support and isn't the same as trouble shooting.
The meme is still alive that windows accumulates garbage and becomes slower with time, so you need to reinstall it periodically. Reinstallation is also how you fix regressions, because ms is busy with cloud services.
>It isn't unusual situation in Linux.
As I remember, on linux I have an ample choice of kernel versions, but I didn't encounter regressions. For windows intel provides only the latest drivers.
> The meme is still alive that windows accumulates garbage and becomes slower with time, so you need to reinstall it periodically.
I've not needed to worry about this since Windows XP. Which was what? 25 years ago almost.
> Reinstallation is also how you fix regressions, because ms is busy with cloud services.
I've never had hardware regressions with Windows. I've had plenty of weird and annoying bugs return with Linux.
e.g. My Dell 6410 has an issue where the wifi card would die after suspend with kernel 6.1. However it would get fixed by a patch, and then get unfixed the next patch.
> As I remember, on linux I have an ample choice of kernel versions, but I didn't encounter regressions. For windows intel provides only the latest drivers.
"Swings and Roundabout".
Again. It is a pretty niche problem. I've had plenty of weird hardware regressions with the Kernel. Recently there was a AMD HDMI audio bug, IIRC it was kernel related.
I’ve had the same experience. Never had a regression with windows. Had plenty with Linux.
One Linux kernel version broke hdmi audio and another fixed it. Recently a change to power management has made my Intel Ethernet controller stop working about an hour after the computer boots up. And so on. Each time I’ve needed to pouring through forums trying to find the right fix. That or pin an older version which worked correctly.
exactly, people want all the benefit without the consequences
like if there are OS utopia exist that has all the advantage without the downside then everybody would use that
but people complaining don't live in reality
A lot of it already exists in one form or another and the trade-off for sand-boxing is usability a lot of the time.
It isn't even a freedom vs security. It is usability vs security.
> It is usability vs security.
I think a lot of it is "nobody has bothered building it yet" vs security.
Eg Qubes runs everything in Xen isolates - which is a wildly complex, performance limiting way to do sandboxing on modern computers. There are much better ways to implement sandboxing that don't limit performance or communication between applications. For example SeL4's OS level capability model. SeL4 still allows arbitrary IPC / shared memory between processes. Or Solaris / Illumos's Zones. But that route would unfortunately require rewriting / changing most modern software.
> I think a lot of it is "nobody has bothered building it yet" vs security.
All of this takes considerable time, money to build and after that you need to get people to buy into it anyway. Large billion dollar software companies have difficulty doing this. If you think it is so easy, go away and build a proof of concept.
BTW They have implementing sand-boxing in most desktop operating system. It is often a PITA. Phone like permissions model already exist in Windows, Linux and I suspect MacOS in various guises.
For development there are various solutions that already exist.
e.g.
https://code.visualstudio.com/docs/devcontainers/containers
So these things already exist and often people don't use them. The reason for that is that there is usually reduces usability by introducing annoyances.
> Eg Qubes runs everything in Xen isolates - which is a wildly complex, performance limiting way to do sandboxing on modern computers.
It exists though today. If I care about security enough, I am willing to sacrifice performance. That is a trade off that some people are willing to make.
> There are much better ways to implement sandboxing that don't limit performance or communication between applications. For example SeL4's OS level capability model. SeL4 still allows arbitrary IPC / shared memory between processes. Or Solaris / Illumos's Zones. But that route would unfortunately require rewriting / changing most modern software.
If you solution starts with "rewriting most modern software". Then it isn't really a solution.
BTW what you are suggesting is a trade off. You have to trade resources (time and money typically) to build the thing and then you will need to spend more resources to get people to buy into using your tech.
It is the other way around. The security model of mobile devices seriously inhibits innovation and we end up with ever the same crappy apps we don't really need.
I also don't believe more people get scammed on PC compared to mobile platforms. Scammers go where the most naive people congregate.
A sensibly configured Linux system is very secure compared to your mobile device. No security model can really shield against user stupidity. The people would need completely different devices as they simply aren't fit to use a computer. My parents are the same, but I won't accept a bad compromise of an OS just because they essentially need other devices.
At some point a user will be asked to allow execution of code they got through some fishy mail. There is no defense against that other than for the user sticking to books.
>A sensibly configured [desktop, i.e., not just a headless server] Linux system is very secure compared to your mobile device.
That is not true. It is understandable that you believe it because it gets repeated a lot, but those repeaters are doing what you are, namely repeating what they heard (and sometimes what they want to be true) without sufficient actual knowledge of what they are talking about.
It is fairly true, what is your definition here? The main attack vector today is malicious mails being opened. These usually don't target linux systems and fail to execute.
Sure, it is circumstancial security, but exploits exist for mobile devices as well.
Media decoders are an important attack vector. Examples include PDF viewers and the library that produces thumbnails for display by the file browser. (One way to attack a media decoder is to get the user to open a malicious email, but there are other ways.)
The web browser is an important attack vector, and there are no Linux distros that sandboxes the browser anywhere near as effectively as Android and ChromeOS do except maybe Qubes, but Qubes is stuck using X for the display server and using Zen, both of which have been abandoned by their maintainers and aren't receiving enough maintenance attention to fix security vulnerabilities. I.e., Qubes's reputation for security probably comes from the fact that it was relatively secure many years ago.
Android and ChromeOS use selinux to sandbox the browser. Fedora uses selinux, too, but it only sandboxes server software: any program including a web browser started by the user is unconstrained (unaffected) by Fedora's selinux implementation.
The kernel is another important attack vector (and Linus has always been bored by and impatient with security considerations.)
Ditto the C library. Note that GrapheneOS uses a special, hardened C libary (which in the last few years has migrated to at least one security-focused Linux distro, namely, secureblue, but of course none of the people that show up here on HN proudly proclaiming that Linux is more secure than iOS or Android use secureblue, and the lead of the secureblue project freely admits that MacOS iOS Android and ChromeOS are more secure than secureblue is).
You know how one of the arguments for Wayland is the fact that there is no way to prevent any process from reading the contents of any X window? Well, to actually achieve this "window privacy" inherent in Wayland requires active support from the compositor, and Gnome has the only Wayland compositor that actually provides this support.
Till the vulnerability started getting exploited some time last year, anyone could upload a theme to KDE's theme store that could run arbitrary code when the user chose to install it. No one was reviewing uploaded themes for malware or warning users of the danger.
Hyprland uses a trampoline (files at a known location in the file system that are occasionally executed by Hyprland) for reasons that are hard to explain if we assume that Hyprland's maintainers care anything about security.
Of course the browser still is an attack vector but the relevancy of that vector is lower today. Same goes for these examples. These are exploits and they will always exist, sandbox or not. A few years ago you could log in to MacOS as root without a password. Meta just released a memo two days ago that Whatsapp exploits compromised Android and iOS devices. Guess it was sandboxed, but all users allowed the app to access files and contacts anyway.
Today the main problem is social engineering and scams. The disadvantage of mobile OS are too great to justify bad approaches to desktop systems or security in general. And for browsers that means the security threat isn't some arcane media decoder, it is the well made phishing site.
But my argument is more that perhaps I don't want window privacy because it doesn't fit my security needs and reduces functionality and access. And one assumption in that is that one compromised app can compromise the whole system in the worst case and believe risks must be mitigated elsewhere. In case of doubt, I can reasonably sandbox something I execute myself, if the need is warranted.
I would love a good file explorer for my mobile device. But file access is restricted. How many hours wasted to bad security...
It's always entertaining to see security people struggling to understand what security is there for. They just consider "security" as the goal in itself, because being more secure is obviously good, right? Yo dawg, I've put a sandbox into your sandbox so you can be secure while you are secure.
If you insist that using software with trampolines means not "caring anything about security", I'm afraid it's a you problem. I'll still be happy to hug my partner when she comes home regardless of what germs might have been on a tram's seat she was sitting on on the way there, regardless of whether someone thinks that this means I don't care anything about health (I'm sure someone does).
In case someone needs it spelled out: I do care, but there are other things I care about too and I won't let some minuscule threats ruin them.
The threat model I think about a lot is supply chain attacks.
We’ve found out about a handful of such attacks over the last few years - like xz. And I’ve seen the number of random dependencies which get pulled in by most nodejs, cargo or python projects. The dependencies just scroll on by. There is no vetting process for putting code in npm or cargo. Nobody signs off on anything. Nobody reads the source code. There are no checks, and you can put anything in there.
If malicious code slipped in, would you even notice? I probably wouldn’t. How terrifying.
Linux’s security model means that any malicious code in a crate can run as me and access all of my files. Or delete them or whatever it wants to do. To me this is crazy. There’s no reason to give arbitrary untrusted code full permissions to all of my files and data - but there we have it.
I worry that it’s only a matter of time before we see more attacks like this. It’s such an obvious attack. And our lax endpoint security makes the vulnerability a way bigger problem than it needs to be. It would be trivial for a remote attacker to install C&C software on my computer. They could grab my SSH certificates and install backdoors in any of my projects on github. Read my email. Impersonate me. Crypto locker my stuff. Install malicious extensions into my web browser. And on and on.
None of this would be possible with proper isolation. There’s no reason a build.rs file needs write access to my whole filesystem. It’s crazy.
As is Android has support for multi user more.
Get some real sandboxing, let me install whatever I want in my sandbox.
That's a bare minimum.
I also want "I am an adult" mode where I get to do what I want. If Google wants to flag secure net, fine. Not every thing is going to work.
yeah this whole shit where lets optimize it for the lowest common denominator is stupid. I hate everything about it.
im a older millennial, so i have older parents and young kids. My father could not bother with a smartphone or does not care about internet at all. My mother uses whatsapp and everything after initial year she is quite handy with it. Im not scared about her, im more scared that she is reading AI slop.
My kids are now at the age where a lot of the pears are getting a smartphone for them im not giving them a smartphone. If i give them a smartphone in a year or i will be using parental controls.
Good point. The current security model of desktop OSs sucks. I was recently reminded of this by an issue at work. I'm used to devs having admin rights on their laptops, but here they closed that down: you have to request admin rights for a specific purpose, and then you get them for a week.
I recently requested those rights again because I needed to install something new for a PoC I was working on, and that wasn't allowed anymore. But during onboarding I had those rights and installed homebrew to more easily install dev tools, and homebrew keeps its admin rights to install stuff in a directory owned by admin. So that circumvents this whole security model (and I did, for my PoC).
The problem is that it's all or nothing. Homebrew should have the right only to install in a specific directory. Apps shouldn't automatically get access to potentially sensitive data. Mobile OSs handle that sort of thing more granularly. Desktop OSs should too.
Because the overly restrictive security rules at my work are little more than security theatre when it's so easy to circumvent.
There is software that does exactly that. You install a software kiosk were users can pick from and users don't get admin rights.
Won't satisfy developers for long though because it cannot work.
The problem is that mobile OS security systems isn't fit to develop anything but shit. It is simply no solution for desktop.
Well, one issue with the app store solution at my workplace is that you can still download anything, even if you can't install it. And executables can still be executed even from your downloads folder. Or your personal bin folder. So preventing people from executing unknown apps is not going to work that way.
But then again, we write and execute our own code, so of course we have to be able to execute unknown code.
The whole thing feels like an exercise in futility to me. It would make more sense to specify what rights a specific application should have. Let me approve the external urls it wants to visit, the folders it wants to access, etc. Shield everything else off.
It's not theater, your IT department just isn't implementing it correctly. I recently switched jobs and gave up one macbook pro for another (work issued).
Company A gave me sudo access and I could do anything I wanted.
Company B locks down everything, no sudo, no brew, nothing. But I do get a big VM with root to do anything I want. There is an approved "appstore" of many different varieties of IDEs/tools.
TLDR: Not having brew is not a problem, and /can be/ a better experience if done right.
It took a couple weeks to shift the mental model but I have no problems. The dev experience is quite good because they provide all the libraries you need to do your job.
Interesting. If you don't mind, I have a few questions:
1. Is the "big VM with root" running macOS itself, or a different OS?
2. Do you do any work on the bare metal version of macOS, or do you just start the VM in the morning and do everything from there?
3. How do you experience the performance/UX of the VM?
4. Do you know why Company B IT has set up this VM solution, instead of a plain old MacBook locked down with Apple's enterprise management tools?
5. Can you explain more about the App Store? Is it the actual Apple App Store but restricted to a curated set of apps, or is it a different system? If so, is the store a custom in-house thing or is it provided by a vendor?
It's funny because some 25 years ago we did the exact opposite. Corporate IT insisted on some Windows software, so we each ran a Windows VM that the corporate could pretend to remote manage.
(This was at a branch office where every employee worked on very low-level Linux kernel code, so yeah everyone ran their favorite Linux distro.)
There is an app store here too, but lots of vital dev tools simply aren't in there. We should probably make sure they get added.
> Any program I run is allowed to silently edit, delete or steal anything I own ... there's currently no desktop environment that provides that ability
Putting aside the philosophical issues, that statement isn't true for a few years now. It's not well known, even in very technical circles like HN, but macOS actually sandboxes every app:
• All apps from outside the app store are always sandboxed to a lesser degree, even if they are old and don't opt-in.
• All apps from outside the app store may opt in to stricter sandboxing for security hardening purposes.
• All apps from the app store are forced to opt-in, must declare their permissions in a fine grained way, and Apple reviews them to make sure they make sense.
To see this is true try downloading a terminal emulator you haven't used before, and then use it to navigate into your Downloads, Photos, Documents etc folders and run "ls". You'll get a permission prompt from the OS telling you the app is requesting access to that folder. If you click deny, ls will return a permission error.
Now try using vim to edit the Info.plist file of something in /Applications. ls will tell you that you have UNIX write permissions, but you'll find you can't actually edit the file. The kernel blocks apps from tampering with each other's files.
Finally, go into the settings and privacy/security area. You can now enable full disk access for the terminal emulator, or a finer grained permission like managing apps. Restart the terminal and permissions work like you'd expect for UNIX again.
Note that you won't see any permission popup in a GUI app if you open the file via the file picker dialog box. That's because the dialog box is a "powerbox" controlled by the OS, so the act of picking the file grants the app permission implicitly. Same for drag and drop, opening via the finder, etc. The permission prompt only appears when an app directly uses syscalls to open a file without some OS-controlled GUI interaction taking place.
So, if you want a desktop OS with a strong sandbox that you actually control, and which has good usability, and a high level of security too, then you should be using macOS. It's the only OS that has managed this transition to all-sandboxed-all-the-time.
>It's the only OS that has managed this transition to all-sandboxed-all-the-time.
Apps are all-sandboxed-all-the-time on iOS and Android, too; right?
But you can choose, your parents can have a phone with the "lockdown" setting turned on and I can have it off if I want. How we expose and handle that setting is a UX problem we can solve.
What's wrong with that?
Because parents typically have bad eyes and need big monitors, or they just want to be able to use a computer like we have been for years?
This is where Linux and Apple's centralized repository method shines.
Social engineering is really where the threat is at these days.
Is it really safer on a phone ? Don't banking apps reject latest community Androids builds with all the CVE fixes or Graphene OS yet work totally fine on years old, full of vulnerabilities yet signed official Android ROMs ?
Sadly yes. The average joe is not a target for technical exploits that use CVEs. They are, however, targets for meatsack exploits tricking them in installing crap like remote control software.
In this case I install Linux Mint. No virus problem. This is a popularity problem: you are more likely to have a sandbox escape on iphone than a virus on PC, because iphone gets more attention.
All this will do is ensure that if malware does get through the official channels (which it can and regularly does) it will be more widely distributed
Security doesn't need to be 100% effective to add value. The more hoops we make scammers jump through, the fewer people will end up getting scammed.
I know angle grinders exist. I still lock up my bike.
Scams have absolutely nothing to do with anything relevant. Scams happen regardless of whether software is installed in the first place. Social engineering is what most scams are based on. Refusing me banking access because I want to use my phone as a computer brings extra security to nobody.
What are the stats here, this sounds like pure bs to be honest.
Main way people around me get scammed by far like 90% is social engineering
It will need just one more additional authentication factor and blocking side loading apps on Android - We promise, total security is close! /s
Don’t forget to change your password every week too
I don't think we'll ever have total security. But we still put locks on our doors and send our internet traffic through TLS.
All or nothing thinking is counterproductive.
> think of the elderly
This stuff is not just for the elderly and computer illiterate. It's for you as well. You think they're going to stop?
You're giving up freedom for safety. You will have neither.
> It's for you as well. You think they're going to stop?
No! Which is why I don't want every npm package I install to have unfettered access to my internet connection and to access all my files. If this is being exploited now, I might not even know! How sloppy is that!
> You're giving up freedom for safety.
At the limit, sure, maybe there are tradeoffs between freedom and security. But there's lots of technical solutions that we could build right now that give a lot more safety without losing any freedom at all.
Like sandboxing applications by default. Applications should by default run on my computer with the same permissions as a browser tab. Occasionally applications need more access than that. But that should require explicit privilege escalation rather than being granted to all programs by default. (Why do I need to trust that spotify and davinci resolve won't install keyloggers on my computer? Our computers are so insecure!)
Personally I'd like to see all access to the OS happen through a capability model. This would require changes in the OS and in programming languages. But the upside is it would mean we could fearlessly install software. And if you do it right, even `npm install` could be entirely safe. Here's how we do it: First, all syscalls need to pass unforgable capability tokens. (Eg SeL4). No more "stringy" syscalls. For safe 3rd party dependencies, inside processes we first make an "application capability" that is passed to main(). 3rd party libraries don't get access to any OS objects at all by default. But - if you want to use a 3rd party library to do something (like talk to redis), your program crafts a capability token with access to that specific thing and then passes it to the library as an argument.
Bad:
// Stringy API. Redis client can do anything.
redisClient.connect("127.0.0.1", 6379)
redisConnCap = systemCap.narrow(TCPConnect, "127.0.0.1", 6379)
redisClient.connect(redisConnCap)
This would require some PL level changes too. Like, it wouldn't be secure if libraries can access arbitrary memory within your process. In a language like rust we'd need to limit unsafe code. (And maybe other stuff?). In GC languages like C# and javascript its easier - though we might need to tweak the standard libraries. And ban (or sandbox) native modules like napi and cgo.
IMO what's needed is less per-app sandboxing, and more per-context.
Think user accounts but for task classes.
If I'm doing development work, I want to be able to chain together a Frankenstein of apps, toolchain, API services and so on, with full access to everything else in that specific context.
But that doesn't need visibility of my email, my banking and accounting software should have visibility to/from neither, and random shareware apps, games and movies should run, like you say, with a browser tab level of permission.
Making this work in practice while keeping performance maximised is harder than it sounds, preventing leaks via buffers or timing attacks of one sort or another (if apps can take screenshots, game over).. for now I use user accounts, but this is becoming less convenient as the major desktop OS and browser vendors try to force tying user accounts to a specific online identity.
> IMO what's needed is less per-app sandboxing, and more per-context.
I think you could do this with capabilities!
The current model makes of security implicit, where an application can make any syscall it wants and its up to the OS to (somehow) figure out if the request is valid or not. Capabilities - on the other hand - restrict access of a resource to the bearer of a certain token. The OS knows that by invoking capability X, the bearer can make requests to a certain resource / account / file / whatever. (Think of it like unix file descriptors. You just call write(1, ...) and the OS knows what file you're writing to, and what your access to that file is.)
There's lots of ways to use capabilities to build the sort of frankenstein app you're talking about using caps. Eg, you could have a supervisor task (maybe the desktop or a script or something) that has a capability for everything the user cares about. It can create sub-capabilities which just have access to specific network ports / files / accounts / whatever. It launches subprocesses and hands the right capabilities to the right sub processes. The sub processes don't even need to know what the capability they were given connects to. They just need to know - for example - that reading from the capability gives it the data it expects to receive. Then you can do all the routing & configuration from the supervisor task.
Because all the sub processes only have the specific capabilities that were passed to them, the security surface area is automatically minimised.
SeL4 shows that you can do this without losing much performance. (In SeL4, the IPC overhead is tiny.) But as I said upthread, I'm sure there's also ways to design our programming languages to allow within-process isolation. So, for example, you can call the leftpad package without giving it capabilities held by other parts of the same program.
Capabilities can also make it easy to virtualise filesystems, the network, and so on. Or to do interdiction - and snoop on the messages being sent. Its easy because you can just make virtual network / filesystem / whatever capabilities and pass those to subprocesses.
> At the limit, sure, maybe there are tradeoffs between freedom and security. But there's lots of technical solutions that we could build right now that give a lot more safety without losing any freedom at all.
Everything you have suggested in this post takes away freedom. There is no solution that doesn't take away freedom / your control. There is always a trade off.
> Like sandboxing applications by default. Applications should by default run on my computer with the same permissions as a browser tab. Occasionally applications need more access than that. But that should require explicit privilege escalation rather than being granted to all programs by default. (Why do I need to trust that spotify and davinci resolve won't install keyloggers on my computer? Our computers are so insecure!)
This already exists on Linux.
I run Discord/Slack in Flatpak. Out of the box the folders and clipboard permissions are restricted. Only the ~/Downloads folder on my PC is accessible to Discord/Slack. You can't drag and drop things into these apps. Which makes sharing content a PITA.
If you don't want to worry about things like keyloggers, you should run an open source OS and use open source programs where you can verify that there are no key loggers. You should also make sure you find out what firmware your keyboard is using (many keyboards themselves have complex micro controllers on them that can be programmed).
> Everything you have suggested in this post takes away freedom. There is no solution that doesn't take away freedom / your control. There is always a trade off.
Huh? In what way does application sandboxing take away my freedom? What can I do today that I can't do with a sandbox-everything-by-default model?
In my mind, it gives me (the user) more freedom because I can run any program I want without fear.
> I run Discord/Slack in Flatpak. Out of the box the folders and clipboard permissions are restricted. Only the ~/Downloads folder on my PC is accessible to Discord/Slack. You can't drag and drop things into these apps. Which makes sharing content a PITA.
Cool! Yeah this is the sort of thing I want to see more of. The drag & drop problem is technically solvable - it just sounds like they haven't solved it yet. (Capabilities would be a great solution for this.. just sayin!)
> Huh? In what way does application sandboxing take away my freedom? What can I do today that I can't do with a sandbox-everything-by-default model?
I've just explained that sand-boxing causes issues with file access, clipboard sharing etc.
Every hoop you add in makes it more difficult for the user to gain back control, even if that is modifying permissions yourself. Most people will just remove permissions out of annoyance.
If you remove control, you remove people's freedom.
> In my mind, it gives me (the user) more freedom because I can run any program I want without fear.
Any security mechanism has a weakness or it will be bypassed by other means. So all this will give you a false sense of security.
The moment you think you are safe. Is when you are most unsafe.
> Cool! Yeah this is the sort of thing I want to see more of. The drag & drop problem is technically solvable - it just sounds like they haven't solved it yet. (Capabilities would be a great solution for this.. just sayin!)
I don't. It is a PITA. Eventually people just turn it off. I did.
The reality is that if you want ultimate security you have to make a trade offs. Pretending you can make some theoretical system where those trade off don't exists just isn't realistic.
> I've just explained that sand-boxing causes issues with file access, clipboard sharing etc.
You've explained that flatpak has issues with file access and clipboard sharing. My iphone does sandboxing too, but the clipboard works just fine on my phone.
I don't think "failing clipboards" is a problem specific to sandboxing. I think its a problem specific to flatpak. (And maybe X11 and so on.)
> If you remove control, you remove people's freedom.
Sandboxing gives users more control. Not less. Even if they use that control to turn off sandboxing, they still have more freedom because they get to decide if sandboxing is enabled or disabled.
Maybe you're trying to say that security often comes with the tradeoff of accessibility? I think thats true! Security often makes things less convenient - for example, password prompts, confirmation dialogue boxes, and so on. But I think the sweet spot for inconvenience is somewhere around the iphone. On the desktop, I want to get asked the first time a program tries to mess with the data of another program. Most programs shouldn't be allowed to do that by default.
> Pretending you can make some theoretical system where those trade off don't exists just isn't realistic.
I think you might be arguing with a strawman. I totally agree with you. I don't think a perfect system exists either. Of course there are tradeoffs - especially at the limit.
But there's still often ways to make things better than they are today. For example, before rust existed, lots of people said you had to make a tradeoff between memory safety and performance. Well, rust showed that by making a really complex language & compiler, you could have memory safety and great performance at the same time. SeL4 shows you can have a high performance microkernel based OS. V8 shows you can have decent performance in a dynamically typed language like JS.
Those are the improvements I'm interested in. Give me capabilities and sandboxing. A lot more security in exchange for maybe a little inconvenience? I'd take that deal.
> You've explained that flatpak has issues with file access and clipboard sharing. My iphone does sandboxing too, but the clipboard works just fine on my phone.
> I don't think "failing clipboards" is a problem specific to sandboxing. I think its a problem specific to flatpak. (And maybe X11 and so on.)
There are other examples.
e.g. There are other things that become a PITA on the phone. Want to share pictures between apps without them having full access to the everything. You need to manually share each picture between apps.
The point being made is that it causes usability issues. What those usability issues are will vary depending on platform. However they will exist.
> Sandboxing gives users more control. Not less. Even if they use that control to turn off sandboxing, they still have more freedom because they get to decide if sandboxing is enabled or disabled.
Anything that gets in my way is something that taken control away from me. Unfortunately giving me full control comes with dangers. That is a trade off.
> Maybe you're trying to say that security often comes with the tradeoff of accessibility? I think thats true! Security often makes things less convenient - for example, password prompts, confirmation dialogue boxes, and so on. But I think the sweet spot for inconvenience is somewhere around the iphone.
No usability and control.
BTW, Your sweet spot is a platform which is the most locked down.
> On the desktop, I want to get asked the first time a program tries to mess with the data of another program. Most programs shouldn't be allowed to do that by default.
Well I don't want to be asked. I find it annoying. I assume that this is the case when I install the program. So I don't install software in the first place that I think might be risky. If I need to install something that I might think is iffy then I find a way to mitigate it.
> But there's still often ways to make things better than they are today. For example, before rust existed, lots of people said you had to make a tradeoff between memory safety and performance. Well, rust showed that by making a really complex language & compiler, you could have memory safety and great performance at the same time.
You aren't selling it to me. I got so annoyed by Rust that I didn't complete the tutorial book. Other than the strange decisions. One thing I hate doing is fighting with the compiler. That has a cost associated with it.
I spend a lot of time fighting with the TypeScript compiler (JS ecosystem is a mess) as a result to have some things work with TypeScript you need to faff with tsconfig and transpilers. Then once you are past that you have to keep the compiler happy. Frequently you are forced to write stupid code to keep the compiler happy. That again has a *cost*.
> V8 shows you can have decent performance in a dynamically typed language like JS.
I work with JavaScript a lot. While performance is better, it isn't actually that good.
There was also two secondary effects.
- Websites ballooned up in size. Also application development moved to the browser. This meant you can lock people in your SaaS offering. Which reduces control/freedom.
- There is a lot of software that is now written in JavaScript that really shouldn't be. Discord / Slack are two of the slowest and memory hogging programs on my computer. Both using Electron.
> Those are the improvements I'm interested in. Give me capabilities and sandboxing. A lot more security in exchange for maybe a little inconvenience? I'd take that deal.
Again. It is a trade-off that you are willing to take. I am willing to make the opposite trade-off.
You seem to be arguing that adding complexity reduces freedom, but I don't think that's true in a reasonable interpretation of the word.
Your argument would suggest that virtual memory takes away user freedom, because it's now much harder to access hardware or share data between programs, but that sounds ridiculous from a modern perspective. I think it's better to keep freedom and complexity separate, and speak about loss of freedom only when something becomes practically impossible, not just a bit more complex.
> You seem to be arguing that adding complexity reduces freedom, but I don't think that's true in a reasonable interpretation of the word
No I am not arguing that at all.
Yes, you do:
> Anything that gets in my way is something that taken control away from me. Unfortunately giving me full control comes with dangers. That is a trade off.
No I am not. The example given was ridiculous and absurd and you are doing exactly the same thing.
There is a big difference between basic memory protections and what was being discussed.
This is the issue with a lot of people that work in software. They take the most ridiculous interpretation because "that is technically" correct while not bothering to try to understand what was said.
The problem is that if what "really counts" is too vaguely defined, then it's hard to pin down and argue the point.
Virtual memory probably isn't what you meant, but take something like user privilege separation. It's usually considered a good idea to not run software as root. To interpret the statement generously, privilege separation does restrict immediate freedom: you have to escalate whenever you want to do system-level changes. But I think josephg's statement:
> Sandboxing gives users more control. Not less. Even if they use that control to turn off sandboxing, they still have more freedom because they get to decide if sandboxing is enabled or disabled.
can be directly transposed to user privilege separation. While it's true that escalating to root is more of a hassle than just running everything as root, in another sense it does provide more control because the user can run arbitrary code without being afraid that it will nuke their OS; and more freedom because you could always just run everything as root anyway.
Maybe josephg's sense of freedom and control is what you're saying there is a trade-off between. But the case of privilege separation shows that some trade-offs are such that they provide a lot of security for only a little bit of inconvenience, and that's a trade-off most people are willing to make.
Sometimes the trade-off may seem unacceptable because OS or software support isn't there yet. Like Vista's constant UAC annoyances in the case of privilege separation/escalation. But that doesn't mean that the fundamental idea of privilege levels is bad or that it must necessarily trade off too much convenience for control.
I think that's also what josephg is suggesting about sandboxing. He says that the clipboard problem could probably be fixed; then you say, "but there are other examples". What remains to be shown is whether the examples are inherent to sandboxing and must degrade a capabilities/sandbox approach to a level where the trade-off is unacceptable to most.
> The problem is that if what "really counts" is too vaguely defined, then it's hard to pin down and argue the point.
It really wasn't. It isn't hard to understand what was meant.
> Virtual memory probably isn't what you meant,
No it wasn't and there is no need to put "probably". It was obvious it wasn't.
> can be directly transposed to user privilege separation. While it's true that escalating to root is more of a hassle than just running everything as root, in another sense it does provide more control because the user can run arbitrary code without being afraid that it will nuke their OS; and more freedom because you could always just run everything as root anyway.
The difference is that there are very few things I need to run as user directly daily as root on my Desktop Linux box. I can't think of anything.
However having to cut and paste a meme into ~/Downloads so I can share it on Discord or Slack is a constant PITA. If you sandbox apps you have to restrict what they can access. There is no way around this. The iPhone works the same way BTW. I know I used to own one. You either have to say "Discord can have access to this file", or you have to give it all the access.
> Maybe josephg's sense of freedom and control is what you're saying there is a trade-off between. But the case of privilege separation shows that some trade-offs are such that they provide a lot of security for only a little bit of inconvenience, and that's a trade-off most people are willing to make.
No they are a false sense of security with a lot of inconvenience. The inconvenience is inherent and always will be because you will need to restrict resources using a bunch of rules.
> Sometimes the trade-off may seem unacceptable because OS or software support isn't there yet. Like Vista's constant UAC annoyances in the case of privilege separation/escalation. But that doesn't mean that the fundamental idea of privilege levels is bad or that it must necessarily trade off too much convenience for control.
There are many things that seem like they are fundamentally sound ideas on the face of it. However there are always secondary effects that happen. e.g. Often people just ignore the prompts, this is called "prompt fatigue". I've literally seen people do it on streams.
Operating systems are now quite a lot more secure than they were. So instead of going for the OS, most bad actors will use a combination of social engineering to gain initial entry to the system. The OS security often isn't the problem. Most operating systems have either app stores, some active threat management.
If you are running things from npm/PyPI/github without doing some due diligence, that is on you. This is well past what non-savvy user is likely to do.
> I think that's also what josephg is suggesting about sandboxing. He says that the clipboard problem could probably be fixed; then you say, "but there are other examples". What remains to be shown is whether the examples are inherent to sandboxing and must degrade a capabilities/sandbox approach to a level where the trade-off is unacceptable to most.
It is inherent. It obvious it is. If you want to share stuff between applications like data, which is something you want to do almost all the time. You will need to give it access at least to your file-system. The more of this you do, you will either have to give more access or having to faff moving stuff around. So either you work with a frustrating system (like I have to do at work), or you disable it.
So what happens is you only have "all or nothing".
> If you want to share stuff between applications like data, […]. You will need to give it access at least to your file-system. The more of this you do, you will either have to give more access or having to faff moving stuff around.
Why are those the only answers?
If we had free rein to redesign our computers from the ground up, there’s lots of other ways that problem could be solved.
One obvious example is to make copy+paste be an OS level shortcut so apps can’t access the clipboard without the user invoking that chord. Then just copy paste stuff between applications.
Another idea: right now when I invoke a shell script, I say “foo blah.txt”. The argument is passed as a string and I have to trust that the program will open the file I asked - and not look instead at my ssh private keys. Instead of that, my shell program could have access to the filesystem and open the file on behalf of the script. Then the script can be invoked and passed the file descriptor as input. That way, the script doesn’t need access to the rest of my filesystem.
If we’re a little bit creative, there’s probably all sorts of ways to solve these problems. The biggest problem in my mind is that Unix has ossified. It seems that nobody can be bothered making desktop Linux more secure. A pity.
Maybe it’s time to give qubes a try.
> However having to cut and paste a meme into ~/Downloads so I can share it on Discord or Slack is a constant PITA.
Why round trip it through the file system or Files.app? That seems like extra (annoying) work On my iPhone, I copy the meme onto the clipboard and then I open discord/slack/signal/Whatsapp and find the right channel/chat, and paste right in there.
> It isn't hard to understand what was meant.
At least two independent people understood you in the same way. So just dismissing it isn't productive.
> PITA. If you sandbox apps you have to restrict what they can access. There is no way around this.
This has nothing to do with freedom though.
> You will need to give it access at least to your file-system.
On Qubes, you copy-paste with ctrl+shift+v/c and nothing is shared unless you actively do it yourself. It becomes a habit very quickly (my daily driver). Sharing files is a bit harder (you send them from VM to VM), but it's not as hard as you want it to look.
> At least two independent people understood you in the same way. So just dismissing it isn't productive.
Two people that we are aware of.
BTW, I often encounter this when talking to other techies. People go to the most ridiculous extremes to be contrarian. Often they don't even know they are doing. I know because I used to engage in this behaviour.
So I feel like I am well withing my rights to dismiss it.
I didn't say you weren't within your rights. I said it's counter-productive for the discussion.
I think it is counter productive to bring up ridiculous examples, which was obviously not what I meant.
Both things can be counterproductive simultaneously.
> Any security mechanism has a weakness or it will be bypassed by other means. So all this will give you a false sense of security.
> The moment you think you are safe. Is when you are most unsafe.
This is demonstrably false. Qubes OS has the lowest number of CVEs, even less than that of Xen. Last VM escape in it was found in 2006 by the Qubes founder (it's called "Blue Pill").
You are only thinking of attacking computer directly itself. Often people socially engineer access to a computer system. Many UK super markets were hacked, using some of the software that is very secure, because people managed to socially engineer access.
There is nothing and I mean nothing that is completely secure.
> There is nothing and I mean nothing that is completely secure.
You're not wrong, but dismissing security because there are always other threats is just security nihilism. See my link.
What do you mean by "locked down computer." Maybe something like ChromiumOS?
Might be a tough sell for the volunteer open source community ("linux & friends") to work on such an alternative "locked down" computing experience. Free and open source software is usually more focused on unlocking use cases, not locking them up.
That all said, I basically consider macOS to be a locked down computing experience. So that's my solution for older people.
It's not a perfect solution but the Apple closed ecosystem is better designed for the limited use cases of the elderly. Rely on iCloud and built-in Apple approaches to data security as much as possible.
For example, an iMac and an iPhone can get all "adulting" use cases done, including typing/receiving emails, printing documents, online banking, government services, and so on. Apple Passwords plus Face ID helps to simplify password-based security. My biggest issue is getting TOTP-based two-factor adopted. Apple Passwords supports this but I usually have to do remote tech support to get it set up initially. It's also annoying that right now, the current generation of iMacs don't support FaceID, because that would simplify authentication across the two primary platforms (desktop/mobile).
I would never use this setup myself since I like to run F/OSS everywhere as much as possible. But I am realistic about tech expectations for the elderly who just want to live their life with minimal investment in learning about data/software security.
But you're right, along with other commenters, that it's dangerous for society to rely on a monopolist technocorporate overlord (or a pair of overlords forming a de facto duopoly) for the basic administrative tasks of adult living and lawful citizenship.
Well no, if your parents truly are tech illiterate, I would give them Ubuntu and not an iPhone.
With the iPhone they get the risk of answering to a scam call or scam sms and giving them the access of their bank account.
Ubuntu is almost bullet proof for beginners.
In fact, that's what I've done for my parents and I had to retire the computer and get another one because it's the hardware which became too old after 15 years of running Ubuntu without any problem.
Security for users isn't just about bootloader expoits.
Like the parent said Ubuntu has horrible security. It would be better to just not buy a phone line for the iphone if you don't want phone calls or texts.
It hasn't, security isn't just technical features but a social contract.
Even on an iPhone without a sim card, they can download one of the scam casino games from the appstore and give away a lot of money, on Ubuntu they can't do that.
There's more to security than just bytes.
The threats to your average user isn't a bootloader exploit built by some Israeli firm but privacy breaches, social engineering and scams.
Sure; but technical features can certainly make security better.
Like, iOS makes most unsafe actions incredibly clear. Apple pay always requires the user to double tap the power button. The OS makes it impossible for an application to charge you money through apple pay without an explicit user action.
Phone apps also can't take control of my entire device, or steal my cookies or cryptolocker my hard drive. Any program you download and run from the internet on a desktop computer can do all of this stuff and more. We shouldn't allow that stuff by default on desktop computers either.
Phones have the right idea. I just don't want Apple and Google to be the only ones who can modify the system at the OS level.
Double taping to pay is actually making things worse for tech illiterate users. There's a lot of scam games on the appstore and it's way to easy to fall into it if they aren't too careful.
And then no, it's not clear for me (even as a developer!) how data transfer between apps work, how the advertising id works and how much data Apple and Google really have that they shouldn't. If it's not clear to me as a software engineer, it certainly isn't for your average user.
The browser is just a much easier mental model, especially that I can install an ad blocker on it to make them safer, which I can't on mobile apps.
> Phone apps also can't take control of my entire device, or steal my cookies or cryptolocker my hard drive.
It never happened once with my parents in 15 years of running Ubuntu. Even if that stuff somehow existed, I don't think they would have the tech knowledge to mark the downloaded virus as executable anyways.
> The browser is just a much easier mental model, especially that I can install an ad blocker on it to make them safer, which I can't on mobile apps.
I'd like that security model to be the default for desktop apps on my computer as well. Its weird that davinci resolve and spotify and all the rest have full access to look through all my files.
> It never happened once with my parents in 15 years of running Ubuntu.
Probably just because so few regular people use ubuntu, scammers & malware authors don't bother targeting it. Still good for your parents though!
> I'd like that security model to be the default for desktop apps on my computer as well. Its weird that davinci resolve and spotify and all the rest have full access to look through all my files.
That's how it works on Ubuntu, proprietary apps are usually distributed through snaps which are sandboxed. And unlike on mobile, the OS doesn't have an advertising ID or built-in ad networks.
Normal apps don't need that though because there's a chain of trust which doesn't exist on mobile.
> Probably just because so few regular people use ubuntu, scammers & malware authors don't bother targeting it. Still good for your parents though!
No, it's because the bar on publishing on Ubuntu is much much higher than on an iPhone. Nobody would ever accept those scam casino games on Ubuntu.
>which are sandboxed
Not always. The app can claim to need filesystem access and it will get it without the user knowing.
> No, it's because the bar on publishing on Ubuntu is much much higher than on an iPhone. Nobody would ever accept those scam casino games on Ubuntu.
Uhhh are you claiming ubuntu has a stricter app review process than apple has with the iphone app store?
As a rule, yes. Both Apple and Google are horrendous stewards of their respective storefronts. Their review processes are infamously capricious and black boxes, in the case of Apple they put additional moral rules on what the app is allowed to do, and in spite of that capriciousness, scamware still regularly makes it's way onto the App Store. (Scamware defined here as having a specific set of anti-features[0] that a user would ordinarily pay to remove.)
This one isn't even hard to argue against; Apple being a good steward for its storefront was true in 2011. It is no longer true today. I'd consider a tech-illiterate user less likely to randomly lose a lot of cash by using different storefronts from the Apple App Store (or again, the Google Play Store), if only because those different storefronts actually do a bit of curation instead of focusing on quantity over quality.
[0]: Most of the ones listed here apply that aren't "non-free dependency" or are meant to be a category filter like NSFW. I'd also throw in "microtransactions to unlock basic functionality", but F-Droid effectively bars those with other inclusion rules. https://f-droid.org/docs/Anti-Features/
Yes I do, none of those scam games you have on iPhone would be allowed to be published on Ubuntu.
The app review process on the appstore isn't designed for the user's benefit but Apple's benefit. There's no problem publishing a casino game but if your app doesn't pay the tax, be sure that it will be rejected.
most reason OSes are insecure is bexause they are designed badly regarding security. they are from a time it wasnt important and most ways of building them also from that same era. its hardly modernized -_-. sure its not the same OS as 20 years back,... it has a lot of layers of junk ontop.
again, no incentive to improve it. its either unpaid work or the OS vendor has a stake in it being insecure. (both exists)
The answer to this is a physical switch on the machine that enables/disables hackability.
This argument doesn't contradict the article.
An expensive iPhone ships with iOS and a rigid security model.
If you tap the `about` button 16 times and click a confirmation dialog, you disable certain security mechanisms against arbitrary software installation. Do something else easy but impossible to do accidentally, and you unlock the bootloader. You progressively lose portions of your warranty in doing so.
This is the path I think we should be going down.
Citation please? It’s my understanding that there is no officially approved way to unlock an iPhone.
They’ve had something like that for a long time on Android, and I think it’s a reasonable middle ground between making the platform open and closed. But as far as I know, Apple never did something like that on iOS.
That was my fictional proposal, I wasn't clear enough about that in my post.
> I want my parents to have a computer they can safely do their banking on, without leaving them vulnerable to scams and viruses and the like
So you need to install Qubes OS for them?
> My parents are getting old and they aren't tech savvy. The missing piece here is that I want my parents to have a computer they can safely do their banking on, without leaving them vulnerable to scams and viruses and the like.
Purists always forget this point :) What is best for 99% of people.
And dumb Euro bureaucrats.
That's what can be achieved by encapsulation/containerization of apps: a la flatpak, snaps, docker or VMs...
I found my parents to install random crappy adware apps from official stores too. What protects their banking application is granular permissions, not root access.
Why not give people the freedom to choose what they want
It will be exploited. Key word above - not tech savvy.
The only reason we have convenient banking, gov and streaming apps today is because of guaranteed and enforced mobile security by big boys Apple and Google. (Google being Ad company is another matter, not relevant here).
No, we have convenient online services in spite of the endless security theater that permeates consumer tech. All it's done is gradually increase maintenance burden and technical complexity until useful features are slowly stripped out to create a more "streamlined" experience. The mobile app for my credit union has become so shitty that I'm not even sure if losing access to it is a deal-breaker for rooting my phone - I already prefer to do my online banking and shopping on my laptop.
There is no "just works" technical solution for a problem caused mainly by naivete and gullibility. Governments and the private sector know this, of course; as others have said, the real purpose is to control users, not to protect them.
> No, we have convenient online services in spite of the endless security theater that permeates consumer tech.
Disagree. No banking app can resist root access owned by attacker.
Why is the banking server trusting the client? Thats criminally incompetent security. If your website gets hacked because a client had "root" whose fault is it?
Because the unknowing user has entered their auth credentials?
I see the cause of confusion. I was assuming and talking about the case of the legitimate user have a root/non locked down device as being imputed as the "attacker". I don't think he was talking about other people stealing or having acces to your device. And in any case, all bets are off then if you meant that scenario. At least with a browser user can choose not to save passwords and the attacker won't get bank creds, so even in that case a web app would be better.
They all existed before mobile apps on systems you don't control became prevalent.
This was just useful for them.
All of these existed well before mobile phones and so called "enforced security". Almost all these apps are wrappers around web functionality.
We've literally had convenient online banking for two decades at this point without any DRM.
Don't rewrite history.
If we have to always appeal to the lowest of the low, the stupidest of the stupidest, then society sucks ass.
What's even the point of me being alive is I can't do anything that isn't completely idiot-proof and made for goo goo ga ga users?
Look, I get it. Think of the children! Think of the granny!
But I'm not a child, I'm an adult. I would like to be treated as such. Otherwise what the fuck are we even doing here? Why can't I just live in daycare forever? Why am I paying bills?
Really? They couldn't just use a website?
This is the crux of the matter.
Maybe conceptually you will be able to run some kind of open operating system with your own code, but it will be unable to access software or services provided by corporate or governmental entities.
This has been obvious for some time, and as soon as passkeys started popping up the endgame became clear.
Pleading to the government definitely can't save us now though, because they want the control just as much as the corporations do.
> as soon as passkeys started popping up the endgame became clear
That's why I'm 100% against passkeys. I'll never use them and I'll make sure nobody I know does.
They're just a lock-in mechanism.
"Passkeys" is a new brand name slapped on an older open, interoperable technology, so it's difficult for me to be "against passkeys" as they haven't fundamentally changed anything.
Before the branding they were known as FIDO2 "discoverable credentials" or "resident keys".
Two things have changed with the rebrand:
1. A lot of platforms are adopting support for FIDO2 resident keys. This is good actually.
2. A lot of large companies have set themselves up as providers of FIDO2 resident keys without export or migration mechanisms. This is the vendor lock-in part (no export feature), but it's not a feature of the underlying tech itself.
Fwiw FIDO are actively working on some standard for exporting/importing keys so that's something.
If you want to use passkeys without lockin, just use Bitwarden or KeepPassXC - they all have full support. Or you can also store a limited number of passkeys on your FIDO2-compatible hardware key like Yubikey or the open-source Nitrokeys.
Except the FIDO Alliance is trying to pressure KeepassXC to remove exporting passkeys in an open format: https://github.com/keepassxreboot/keepassxc/issues/10407
> trying to pressure KeepassXC to remove exporting passkeys in an open format
I'm not sure that's an entirely accurate representation of the request? At least from a quick skim the claimed issue is being able to export keys in plaintext. For example, from the issue author:
> I strongly recommend you temporarily disable this feature or at a minimum require file protection/encryption.
And later:
> > Besides, determined advanced users could just write code to decrypt the kdbx file and extract the passkeys anyway.
> That's fine. Let determined people do that, but don't make it easy for a user to be tricked into handing over all of their credentials in clear text.
> I don't quite understand why requiring file protection/encryption can't be a temporary minimum bar here.
To me that doesn't sound like they're requiring a proprietary format. Something like AES encrypted JSON sounds like it'd work as well, and that sounds pretty "open" to me?
> > That's fine. Let determined people do that, but don't make it easy for a user to be tricked into handing over all of their credentials in clear text.
Has there even, ever, been an instance of that happening?
There have been literally thousands of documented incidents of this.
There's an entire subsection of the security industry dedicated to this happening. The DefCon international security conference holds an on-stage competition where security researchers demonstrate this happening to real targets in real time in front of a live audience.
> There have been literally thousands of documented incidents of this.
Of making people export all their credentials from a password manager and send them to a scammer?
FIDO can't force any app developers to do anything but fwiw I think "pressuring" people to encrypt secrets at rest rather than storing them in plaintext is ok.
---
There's levels to appropriate paranoia around these things of course. SSH private keys are stored in plaintext for millions of engineers around the world - sometimes probably even passed around through unsecured emails or whatnot I would guess. They're still largely more secure than user:pass on aggregate, despite that rather major peril.
So ultimately, plaintext creds are not necessarily catastrophic. But still - imo - something worth concerted effort to dissuade at least at early stages of standards' implementation.
---
Edit: also, looks like the outcome of that thread was ultimately that KeepassXC have opted to implement the spec as per[0]. Good outcome to a good request.
[0] https://github.com/keepassxreboot/keepassxc/issues/11363
That threat has no teeth; anyone requiring attestation these days will cut out Apple users, because Apple will not implement it (for consumer use cases). If they don't block Apple passkeys, then KeePass can send Apple's AAGUID and the game is over.
I've complained about this GH exchange in the past and have come to understand that Apple is also part of the alliance, and the entire concept of blocking software-only password managers is just dead outside of enterprise situations where they mandate the hardware/software anyway. Mr. Cappalli might disagree, but he and his employer do not have the power to change this without breaking the standard and throwing away over a decade of work.
By the way, notice Yubikey did not really release any new series/models and jacked up their price in just a few years. About 50% in 4 years.
The large adoption of those devices and standards did not lower the price.
They probably just banked on the enterprise market where every CISO was pressured to tick the hardware/2FA checkbox. And is then gonna allow to use the Microsoft/Google "software" one because it is hard to manage otherwise.
I think there's a bunch of factors to why yubi have upped their prices - not least, waiting for competition in their form factor & not seeing any emerge (token2 & nitrokey are much bulkier) probably gave them some confidence in the uniqueness of their product offering.
It's also become a much more niche product as software based (and/or primary-device-hardware-based) solutions have evolved & improved. & niche costs more.
All that said I'm really not sure why they've been so quiet on new series releases.
> I think there's a bunch of factors to why yubi have upped their prices - not least, waiting for competition in their form factor & not seeing any emerge (token2 & nitrokey are much bulkier)
It is true about the size.
Sill I do not understand the price difference between 5C Nano [0] and the PIN+ Mini-C [1]. 3 to 4 times more expensive depending on the currency.
- [0] https://www.yubico.com/pt/product/yubikey-5-series/yubikey-5...
- [1] https://www.token2.com/shop/product/pin-mini-c-release3-1-fi...
Passkeys would be wonderful if they removed remote attestation. Remote attestation is still there, so I will not touch it.
Passkeys would be better without remote attestation, no doubt. But remote attestation is not only optional but also, passkeys are not a prerequisite for requiring remote attestation.
Lots of services that don't support passkeys currently require remote attestation. Boycotting passkeys (an open, possibly beneficial tech that doesn't require remote attestation) will not prevent bad actors from requiring remote attestation (with or without passkeys).
Agreed. Boycotting them is necessary but insufficient.
No, boycotting them is entirely orthogonal to the issue. Passkeys have no role in ensuring that we do or don't rely on remote attestation - they're two totally separate considerations.
Passkeys have many benefits over current alternatives for auth, & the inclusion of remote attestation doesn't make them worse than current auth because all current auth can be coupled to remote attestation.
Continue to oppose remote attestation but do use Passkeys. They're a massive improvement.
For someone who hasn't spent any time thinking about that matter, could you please elaborate your point?
"Passkeys are incompatible with open-source software" https://www.smokingonabike.com/2025/01/04/passkey-marketing-...
Then how come KeePassXC has them?
The linked blog post explains it. The spec can be implemented by open source software, but the upcoming (or now current?) update to the spec enables attestation, that is, it allows the auth provider to cryptographically verify which implementation the client is using. Under this scheme, auth providers can simply choose to no longer support open source implementations like KeePassXC, and since the spec authors have already claimed that KeePassXC is "non-compliant" because it doesn't ask for a PIN on every auth request, it seems likely that that would happen.
Attestation is dead outside of corporate environments. Apple will not implement it except through MDM.
Apple will implement it.
Source? That is surprising news.
Isn't PAT apple implementing attestation for everyone?
Yes but it seems like KeyPassXC could just ask for PIN on every auth request to satisfy that requirement, without having to close their source.
What if I don't want KeyPassXC to ask me for a PIN every time? I can modify its source code and nobody can stop me.
Then your version of KeyPass will not be signed and won't pass TPM checks and so the banking app will refuse to run unless you open the signed version?
Which leads us back full circle to "Passkeys are incompatible with open-source software" from https://news.ycombinator.com/item?id=45090297
Imagine using ssh-keygen, but it locks the private key in a vendor-managed secure enclave. You can't copy it, export it, rename it or do anything wth it.
I don't just imagine it, I do it, by using gpg-agent as my ssh-agent and using the private key generated by a Yubikey. Another way is to use tpm2-tools so only your laptop running your own signed boot chain can use the key. It is desirable to lock private key material in a physical thing that is hard to steal.
You can choose not to do this, and that's fine. Hardware attestation is dead because Apple refuses to implement it, so no one can force you to.
Can you explain your motivation around gpg-agent and yubikey little more, please? So the private key can't be copied elsewhere?
Yes, that's the motivation.
These days I would explore the TPM option, but I'm worried that has less legal teeth than a physical key if I'm in a law enforcement situation.
There's also practicality; I really, really don't want to tell my boss that TSA or whoever had access to the company git repositories and databases for X minutes or hours, and that's sidestepped by checking a bag with the Yubikey (wastes their time) or mailing it to the destination (needs a warrant).
Do you recommend a password manager to everyone you know? What's the adoption rate?
As a data point: when non technical friends of mine complain against password I tell them to use a password manager. The adoption rate is zero, probably because they don't even know what a password manager is, except the remember password / fill in password feature of their browser. The best I saw, from a not entirely non technical person is passwords on sheets of paper.
I have tried repeatedly to get my wife to use the family 1Password account for things we will both need, with minimal success. She is reasonably technical, she writes SQL, but she just won't do it.
1Password is completely broken in android. I have barely a 50% success rate with it filling in passwords, I'm usually copy/pasting back and forth.
If there were anything better and as easy to use as Chrome, I'd switch.
I honestly suggest using Mozilla Firefox built-in password manager, it's enough for most people.
> passkeys started popping up the endgame became clear.
This logical leap puzzles me, as it is completely unrelated to HW lock-in and a rather generic medium.
This is more of a case of OP diverting a topic to shove in his pet peeve on technology they don’t like or understand.
Ironically, if everyone adopted passkeys (the real deal tied to secure enclaves or TPMs), then Android malware could not steal your credentials through any kind of social engineering.
> Maybe conceptually you will be able to run some kind of open operating system with your own code
Why do you think they would even allow this? If you think that governments don't have the incentives or the means to criminalize running non-approved OSes, or the unauthorized use of non-approved hardware, you're insufficiently cynical.
It's hard to enforce, and not dangerous enough. Accessing something serious from this unapproved code is the opposite, and is being locked down. Try running your own code on your phone's baseband processor, or boot your own OS with Secure Boot on.
Should have made open-source components in some key nodes of the ecosystem popular and profitable. But that was a tall order.
Open-source software permeates the Internet infrastructure. Netflix is one of the biggest contributors to FreeBSD code. Tons of TVs run OSS-based stack.
But once it touches the money-extraction path, like DRM, things expectedly lock up.
> However all of these things are not technical
You understand it, but even in this thread you have people proposing solutions like switching from traditional banking to bitcoin, stoping using Netflix and starting torrenting again etc.
Tech crowd always tries to solve non-technical problems through technical means, and this is why I don't have much hope.
Netflix isn't worth to use or pirate even if it was free as in freedom.
Technical solutions and alternatives can provide enough leverage for the common citizen to force the hand of those in power. It might not fully "solve" the issue, but making it easier to route around will always force those in power to bend somewhat.
In practice the opposite happens - when new technical workarounds are popularized, more technical solutions are found to prevent them and legislation is proposed to mandate them.
Look at Chat Control in the EU: they started with mandating server-side scanning. Nobody liked that so everyone implemented E2EE. Now there's a new law that adds mandatory client-side scanning.
Most of my tech-brained friends are saying "whatever, we'll just compile from source or use alternative means of distribution. But is that becomes popular, what's the next step? I'm fully expecting the EU's to then try to mandate the service providers need to ensure their apps aren't tampered with, which can only be done by locking devices down to official means of distribution and implementing end-to-end cryptographic attestation. Then we truly are out of options.
> whatever, we'll just compile from source or use alternative means of distribution.
google is clamping on this already so yeah
I'm unconvinced. Look at the current wave of attacks on privacy-focused chat + file sharing. The niche tools and workarounds are getting vilified and used as _reasons_ for more elite control.
Joining all the other comments agreeing completely with this take.
I think it's worth adding that this is fundamental enough to not just be a tech issue. There's a strong legal framework in almost all developed companies for regulating companies where acting in their self interest harms the consumer interest. Without which, lots of things we take for granted (electrical safety certification, usb c, splits between serviceand investment banking).
I think the key thing that's missing at the moment is that the types of restrictions OP is mentioning (DRM, blocking encryption) harm both consumer rights and economic development.
That's an argument that needs to come from people knowledgable about both the indistry, and the technology. Like a lot of the people reading this post.
Most politicians would find that argument confusing and not agree with you. I don't think the outcomes of running to government would be what you expect. It could easily backfire.
Politics is a spectrum. Some claim that model is oversimplified but it's not. Here you're making a left wing argument that individual bad actors must be regulated for the good of the collective. However, left politicians would look at the situation and see the opposite. They prioritize an authoritarian safety-first victim-first mindset, in which individual freedoms are sacrificed to help the weakest. But companies like Google and Apple are already doing that. And whilst you're trying to hammer this situation into a left wing framing, the number of individuals who care about the freedom to install apps from anonymous developers is very small. Trivial, on the scale of a country. They do not represent the "consumer interest" in any meaningful way.
So if you lobbied politicians this way, Google/Apple would lobby back and they'd say, we are exactly what you always demand! We're acting proactively to protect the victims by limiting the freedoms of bad guys for the greater good. And the left would be not only highly receptive to that message, but having suddenly become aware of what is technically possible would likely demand they go much further! We already see this with left wing governments banning VPNs and DNS resolutions so they can better control the internet in order to keep this or that group safe.
Which sort of politicians care about the rights of freedom-loving minorities over the safety of the collective? Libertarian politicians do. But they are themselves in a minority, and would not be receptive to an argument framed as "we must regulate the big evil corporations for the greater good", because regulation is always about removing freedoms: in this case, the freedom to design a computing device as you see fit. They probably would be receptive to an argument of the form "it is important to be able to distribute code and communicate anonymously", but prioritizing something so few people care about is exactly why they don't tend to win elections.
So there's no direct solution in politics, but the closest approximation is to support politicians who are more libertarian than average. They won't solve the problem but they will at least not make it worse, and might be open to very targeted regulations that can be framed as protecting market competition e.g. requiring unlockable bootloaders can be framed as protecting competition in the operating systems market. Meanwhile you can try and increase the popularity of platforms that prioritize freedom over safety. In practice that means demonstrating some sort of use case that the big vendors disallow, which is valuable, morally positive and requires anonymous app distribution.
I think the framing that "individual bad actors must be regulated for the good of the collective" is wrong here. In my opinion, what GP is saying is more along the line of "powerful actors must be regulated for the good of the collective powerless people".
When you look at it like that, then what Google and Apple is doing does not fit this point of view. They are (extremely) powerful entities imposing themselves on the whole world.
Those are exactly the same framing and the most likely outcome is left politicians saying, "why do you allow this 'sideloading' at all Google? I have a constitutent who got scammed, why did you allow it? Are you one of those awful libertarians? You should be more like Apple and review all software, otherwise you clearly aren't caring about consumer protection as much as Tim Cook does, up your standards or else we'll regulate you".
> here you're making a left wing argument that individual bad actors must be regulated for the good of the collective. However, left politicians would look at the situation and see the opposite. They prioritize an authoritarian safety-first victim-first mindset, in which individual freedoms are sacrificed to help the weakest.
I think you're simplifying a few things here, mainly the amount of different views that are under the umbrella you're classing as "left-wing" (some of which will fit your categorisation, and some won't) and the amount of different issues under the umbrella of "running your own things".
What I'm trying to say is that there's multiple arguments to be made along the lines of "large companies can and should be restricted from blocking out freedoms of smaller companies and individuals". There's a big economic argument to allowing competition, and I think that's something that unites a lot of thinkers you'd probably class as right wing, as well as the traditional left.
You could just not watch Netflix. Most of the content is kind of crap anyway, low effort filler. And the streaming services have trouble even licensing third-party content at all unless they have robust copy protection. That may be stupid because it drives more consumers to privacy but copyright holders are free to negotiate any licensing terms they want.
Netflix is right in its prime right now, K-Pop Demon Hunters is a smash hit and probably the biggest cultural thing going on right now, it has like 4 songs from it in the top 10. Wednesday is coming back this weekfor the end of season 2. Stranger Things is wrapping up in November,
Odd to hear for me. Netflix Australia has been in steep decline for years now. The only shows I recognise by title or actors in the poster are 15+ years old, or are adorned with 'Leaving Soon'. Everything of value has been poached by a competitor.
It's the same situation in Italy. Netflix doesn't have any interesting content anymore, only their own originals.
Any other examples? None of those scream prime to me - however I haven't heard of kpop demon hunters
Maybe it's the marketing? It's on the main home page every time I open it.
You could just not watch Netflix.
The digital hermit argument is not going to resonate with 99.9% of users. People buy devices because they want to do stuff. Telling them they shouldn't do what they want to do is never going to convince anyone.
The real question is where are the representatives who are supposed to be acting in the interests of their people while all this is happening? We seem to have regulatory capture on a global scale now where there isn't really anyone in government even making the case that all these consumer-hostile practices should be disrupted. They apparently recognize the economic argument that big business makes big bucks but completely ignore the eroding value of technology to our quality of life.
You could also not bother with any of it and return to a dumb phone. That's not a solution though.
A smartphone is not a good video device due to small screen. If you do, you just become zombiewalking.
There’s a scenario where this does work: you can install any operating system on the hardware you own, if you complete a “erase all content and settings” dire scary confirmation screen.
- If you want to run something other than iPadOS or Google TV, go for it. (Smart TVs are just tablets with a don’t-touch screen.)
- If you want to install spyware on someone’s phone, you can’t; the HSM keys held by their OS are lost when you try to install a patched version and restore from a backup, and their backup doesn’t restore properly because half of it depends on the HSM or the cloud and everything is tagged with the old OS’s signature.
- If you want to patch macOS and then deploy it to your fleet, you can; it won’t be Signed By Apple but you’re an enterprise and don’t care about the small losses of functionality from that.
- If you want to dual boot, go ahead; the issues with the HSMs not permitting you to host two OSes worth of partitioned keystones can be resolved by regulatory pressure.
This satisfies all the terms of “let me install whatever I want”, while allowing the OG App Store to continue operating in Safe Mode for everyday users in a way that can’t be entrapped without the scammer on the phone telling them to delete everything, which destroys the data the scammer wants.
My car already allows me to do this. My phone should too.
> My car already allows me to do this. My phone should too.
If you're referring to CarPlay and/or Android Auto you should know that it's not actually running on your car. It's basically RDPing your phone onto your car screen. You can already install RDP apps on your phone and connect to systems that provide more freedom, of course.
No, I’m talking about the Engine Control Module.
Your phone can allow that. Many Android devices allow exactly that. Google Pixel devices do, for instance, exactly because Google's Android team has always agreed with you.
I appreciate your support of this position :)
There is also the possibility that without a [paid] curator (the vendor, like Google or Apple) we can't have security for how do we ascertain provenance? You might not buy that argument, but the vendor will make it, and it will resonate with the public and/or the politicians.
Establishing trust with hardware, firmware, and operating system software is currently an intractable problem. Besides the halting problem and the reflections on trusting trust problem (i.e., supply chain problems) the sheer size of these codebases and object code (since you'll need to confirm that the object code is not altered as in the reflections on trusting trust paper) is just too big for the public to be able to understand it. Sure, maybe we could use AI to review all of this, but... that's expensive if every person has to do it, and... that's got a bootstrapping problem.
Basically the walled garden is unlikely to go away anytime soon. It would be easier to change the rules politically to do things like reduce transaction fees, but truly allowing the wide public to run anything they want seems difficult not just politically but technically, because the technical problems will lead to political ones.
The digital sovereignty angle will end up quilling the platform lockdown.
There is no way countries agree to have American companies getting so much control on key infrastructures especially in the current context.
Not really. Many countries emit digital signatures that could be used to prove that someone signed something. We would just need to convince countries to use that same infra for companies. So it may be possible to require everything to be properly signed, without requiring everyone to be bound to certain company wishes.
I wouldn’t be totally opposed to having some sort of totally locked down device that I was just used for banking. The bank could even sell them or give them away with the account (doesn’t need high performance).
Another though; if we were actually able to pass laws that helped people, one that I’d like to see would be: for a totally locked down proprietary device, everything done with it should be the legal liability of the vendor. If your bank account gets broken into via the device, you can’t audit what happened, you couldn’t have have broken it, so it ought to be their responsibility.
That's basically how it used to work. Before the app my bank required the use of a card and QR reader with a screen that could authorize transactions
>It doesn't work. Everything from banks to Netflix and others are slowly edging out anything where they can't fully verify the chain of control to an entity they can have a legal or contractual relationship with.
Theres nothing stopping a hardware vendor from being able to delete the system installed keys/certificates, breaking trust to allow you to install your own. Sure netflix might not like it but you still have the right to run your own code and netflix has the right not to trust your OS.
>Governments shouldn't be able to prevent me from end to end encrypting things.
Agreed.
I think you're right but I'd say it even more generally: we just can't let companies get so big that they can do these things without facing pushback and competition from other entities.
You'll find that a lot of 'normal', for lack of better word, support this.
While you have a point there is another aspect to this: If our current situation were already different, netflix and banks would not be able to pull these things in the first place.
E.g. if using open free platforms was already the norm, netflix requiring a verified OS would just result in netflix becoming unusable for most people rather than just killing a couple edgecases used by a relatively small number of people. And so it would no longer be in their financial interest. It's why we've had desktops for so long without this happening, although the pieces are finally being put in place to make it a reality.
I agree, but your points becomes stronger when you leave Netflix away. Netflix is a private entertainment company, and when I don't like their conditions I can always quit.
Banks on the other hand have so much more control over my life. With their apps being locked to the two major mobile OS I have many hoops to go through when I want to use an alternative one. It's not impossible yet, but it becomes very cumbersome to do so.
We need an open web, with open principles and to prevent any commercial enterprise from dominating our social / tech sphere via monopolisation or methods of proprietary control.
This isn't a surprise. A vocal minority have been saying the same ad infinitum.
The need hasn't changed, and won't change; however there's a strong likelihood we'll get to a point where action isn't possible because we've passed the point of no return.
We need legislation mandating that all hardware[a] have at least one fully-functional[b] open source driver for any operating system[c]. And that any device with a microprocessor with writable memory permit custom software to be run on it.
[a] whether that's a single device like a fingerprint scanner, or a device like a phone or tablet
[b] no crippled or low-performance open source driver
[c] any OS, including Windows, Mac, Linux, BSD, or some obscure minor OS as long as such OS is readily available for free or for a reasonable price
I agree with your point. And meanwhile in Korea (according to article I've read) to use any bank's website you have to install a spy software in your PC. It looks like every major service vendor is organising a crawling subversion against their users and they really count we won't notice.
One of the articles: https://palant.info/2023/01/02/south-koreas-online-security-...
I'm attempting to revive/create a streaming service to compete with Netflix et al. without any DRM. This would leverage physical media to eliminate requirements from copyright holders about how you might access something you actually own. There are challenges, and I'm almost certain to be sued, but it's a fight I believe is needed.
They do not benefit from having control, they risk if they don't. This is fundamental.
I do love freedom but such freedom will come with a disclaimer. You do want to use a bank app unsigned and you do not want the bank to check your latest SIM card replacement. You understand and assess the risk and will not discriminate the bank for any loss occurred. Same with Netflix and piracy.
This is fair.
This is a sad reality. I see 2 paths forward 1) we somehow build the right layers into the internet that we can withstand open hardware. 2) open hardware running any software becomes an education use and hobbyist market only. I could see an edu slice to every corporate entity deploying open and free stuff just as onboarding to paid. Hackable hardware with kiddyflix.
It is of high financial interest of Netflix. I killed my subscription because they couldn't support my sensibly configured browser.
I often recommend people to kill their subscription as well because of this fact. Netflix just isn't oriented to improve their service for their users and it shows.
It won't hit any of their KPI or metrics, but their shitty behavior has a real effect. That said, most other alternatives suck as well. Killed Paramount almost immediately, can't remember why I left Disney. I think there were similar issues.
Perhaps we should pick a page from the example of radio and force all video content to be openly reproducible for a forced flat fee.
> Netflix shouldn't be able to insist on a particular type of DRM for me to receive their service.
Maybe it’s just a bad example, but why would this be true? As a private company delivering entertainment, they can have any restrictions they want as a condition to selling to you.
How feasible is it currently (I never tried as I don't want or need it yet) to run Android under Linux for your banking/gov apps? I can accessibility tooling to control them, so only in those cases, I could communicate with the android layer. I don't care about Netflix etc (I know many people do) but I must he able to login to banking and gov.
> Everything from banks to Netflix and others
I have unlocked bootloader. That's it, I don't even have enabled root account. One app refuses to work anyway: McDonald’s. I actually can't decide if it is more funny or scary.
Maybe we must find individual solutions to each controlling application? Replace netflix with bittorrent, replace banks with bitcoin, etc?
Arguing doesn’t work for principles.
This is ultimately a form of collusion and anti-competitive behaviour - practices that we prohibit in other scenarios because we consider them harmful to our society. It's obvious why some large organisations would like more control over our lives. It's not obvious why we should let them have it.
Unfortunately for now it seems our representatives are letting them have it so personally I'm rooting for a snake-eating-its-tail moment as a result of Windows 10 losing support. There will inevitably be erosion of security and support for applications on Windows 10 once Microsoft declares it yesterday's OS - as we've seen with past versions of Windows. This time there is the added complication that a lot of perfectly good hardware can't run Windows 11 - largely because of the TPM/verification issue we're discussing.
So probably a lot of people who haven't moved to 11 yet aren't going to unless their current computer breaks and they get 11 by default when they buy a replacement. If the charts are correct then 11 only recently overtook 10 in user numbers. After all this time and despite all the pressure from Microsoft and the imminent EOL of Windows 10 over 40% of Windows users are still running that version. (https://gs.statcounter.com/os-version-market-share/windows/d...) So how exactly do the big organisations that want to control the client plan to deal with that over the next few years?
Unfortunately unless there is also some sort of intervention to deal with the collusion and market manipulation by vested interests I doubt enough Windows 10 refugees will jump to open platforms when their current devices fail for those open platforms to reach a critical mass of users. If five years from now Windows 10 user levels are negligible and almost all of the former users are now on Windows 11+ by default then the controlled client side probably wins effectively forever. I think it would take something dramatic happening that increased the desktop market share of open alternatives like Linux to say 10+% to avoid this fate. The only likely source of that drama I can see is if Valve's support for gaming on Linux encourages significant numbers of home users to switch and then general public awareness that you don't have to run Windows or macOS increases.
Really not a libertarian, but why shouldn’t Netflix have the right to choose who they distribute content to? They negotiated conditions with the creators, why shouldn’t they be able to specify the DRM? No one is forcing you to subscribe to Netflix. Or even to buy an iPad.
The issue is the means of enforcement requires taking away other rights they shouldn't be able to.
What if I want to require (for anti-piracy reasons) that to use my software you must also give me complete access to your computer, all the data on it, and all your communications. You might say, "Well, if anyone is stupid enough to make that deal, let them." But it's easy to sugar coat what you're doing, especially with less technical users. I think it's better to say, "That's just not something you are allowed to do. It's trampling on rights more important than your anti-piracy rights."
In the same way, you cannot murder someone even if they agree to be murdered (an actual case in Germany).
> What if I want to require (for anti-piracy reasons) that to use my software you must also give me complete access to your computer, all the data on it, and all your communications.
That's exactly what happens with anti-cheat kernel modules. As one might expect, ordinary people couldn't care less, as long as it works good enough.
Except that... we have history of them not working well. For instance, the Sony rootkit https://en.m.wikipedia.org/wiki/Sony_BMG_copy_protection_roo...
We cannot expect those rootkits to be properly supported long term for any security issues they may cause. I would think that the solution is simple: nobody forces them to make their IP available in non hacked computers...
If they want a hardened computer to deliver their IP, then they should sell their own hardware. But forcing their blocking into the whole stack is not acceptable.
For instance: I cannot see any udemy or netflix content from my computer, because their IP protection blocks the lenovo docking station I use to connect my monitors to my MBP... each part is standard! And somehow nobody tested that scenario. So, no, that tech is barely tested, it must not be forced into any computer.
Forgive me, but is Netflix asking for that?
As I understand it, Netflix wishes to authenticate the device, and DRM their content. I'm not aware of anything beyond that (but I'm also not paying attention. )
Now you may have used the example of what might happen, but then Netfix seems a strange example. Surely Apple and/or Google are more likely players in that example?
> Now you may have used the example of what might happen,
OP said "What if", it's clearly a hypothetical scenario and not something Netflix is doing or planning to do
Because it's bad for consumers to lose choices, even if they don't normally exercise those choices. The choice is the distributed power we have against the consolidated corporate power. We can choose not to let them restrict those choices, for example with interoperability regulations.
>why shouldn’t Netflix have the right to choose who they distribute content to?
power asymmetry
There are dozens of sources of online streaming entertainment, and its not exactly a vital good.
Sure, Netflix may not be as important as, say, housing, food, or whatever else, but I think there is something to be said about the cultural importance of [at the very least some] film and television.
There's a lot of media worth studying, analyzing, and preserving. And in that sense, between the constant churn of catalog items, exclusive content, and the egregious DRM, I think these sorts of streaming services are, unfortunately, kind of harmful.
Doesn't your second paragraph run against the grain of your first? If streaming services like Netflix are harmful then we should avoid using them. Thus it should not be important for our freedom-preserving computers to be able to access Netflix.
Now, if you want to do an in-depth study of film and television material as a whole, you're actually better off avoiding Netflix and making use of archives such as public libraries, university libraries, and the Internet Archive.
I mean, I agree that you should be able to avoid things like Netflix and make use of libraries and other archives, but that's sort of the point; there is a ton of media that never even gets a physical release anymore; once one of these platforms goes under, or something enters licensing hell, or whatever else and gets removed, all you can do is hope someone out there with both the know-how and access went out of their way to illegally download a copy, illegally decrypt it, and illegally upload it somewhere.
I say "know-how" and "access" because, while I'd still argue decrypting, say, Widevine L3 is not exactly super common knowledge, decrypting things like 4K Netflix content, among other things, generally requires you to have something like a Widevine L1 CDM from one of the Netflix-approved devices, which typically sits in those hardware trusted execution environments, so you need an active valuable exploit or insider leaks from someone at one of the manufacturers.
But also on top of all of that, you also need to hope other people kept the upload alive by the time you decide to access it, and then you also often need to have access to various semi-elitist private trackers to consistently be able to even find some of this stuff.
The legal issues with DRM here are hardly exclusive to Netflix and other streaming services, but at least in the case of things like Blu-rays or whatever — even if it is technically illegal in most countries to actually make use of virtually any backed-up disc due to AACS — you usually don't have the same time-pressure problem nor the significant technical expertise barrier.
>If streaming services like Netflix are harmful then we should avoid using them. Thus it should not be important for our freedom-preserving computers to be able to access Netflix.
I generally do avoid them whenever possible, though, yes. And I've explicitly disabled DRM support in Firefox on my computer. But I am just one person and I don't think my behavior reflects the average person, for better or for worse.
>decrypting things like 4K Netflix content, among other things, generally requires you to have something like a Widevine L1 CDM from one of the Netflix-approved devices, which typically sits in those hardware trusted execution environments, so you need an active valuable exploit or insider leaks from someone at one of the manufacturers.
Or just use a cheap Chinese HDMI splitter that strips HDCP 2.2 and record the 4K video with a simple HDMI capture device.
But if you are talking about preserving media or making media accessible, then it's not like we NEED 4K.
Yeah, there are a lot of torrent sites! Netflix doens't want my business anymore, I don't really care.
There exist dozens of online services where you can store your photos, doesn't mean companies should be allowed to do whatever they want with your photos...
TBH I don't care if Netflix wants to abuse such an asymmetry. I don't need Netflix in my life, so I'll just cancel my subscription(already have). I honestly don't want my lawmakers to spend even a second thinking about Netflix when we have so many large issues in the world right now. If we were talking about something like financial services where I have to engage I would be more sympathetic.
Capital doesn't really care what you want, it will exert control regardless. So in this case Netflix will continue to be part of capital that normalizes the need for DRM to access videos, write IP law, and generally force you into either accepting the world they want or forcing you to become a hermit.
Edit: i mean to say this is true whether or not you've even heard of the company.
Well then I will get mad when that actually happens. Until then don't care.
The whole notion of DRM and penalties if you circumvent it comes from the entertainment industry, and it's written into law/official treaties. This already affects everything from secure boot to HDMI standards.
Which part of what I said do you think hasn't already happened and metastasized?
...and it will be too late.
For Netflix sure. I don't care. But when it comes to banking and you are forced to use between two OS or this means no access to your bank digitally, this is a massive problem and restriction to citizens' freedom. Everyone needs a bank to operate, and they need to maximize the options available to use them.
I mentioned that in another thread, but banks have a legal obligation to to assess and mitigate risks in the service they give to you- you, personally, might be tech savvy enough to understand what you are doing but most people are not and the bank is held accountable when something bad happens.
This is why they limit service to certain devices or OS versions, even when it comes at the expense of convenience.
Perhaps the solution then is to invent a new bank that is more resistant to regulation and gives users more freedom to secure their own funds.
> legal obligation to to assess and mitigate risks
It's obviously not about risks. It's about convenience on their side to only support 2 platforms and call it a day.
well no one to force you to do banking from smartphones
You can do manually like the old days, EXPLICTLY ALLOWING NON GOOGLE/APPLE to do banking in their own mobile phone meaning THERE ARE MILLIONS OF USERS that can fall victim to scammer+cracker
how cant you see all of that???? ITS JUST NOT ABOUT YOU
edit: please educate first, y'all need to know differences between mobile banking and internet banking
You can downvote me all you want, but I don't want to hear lecture from non-security compliant engineer about what to do about security
Locking down a website to only be available to users on Apple and Windows doesn't make it safer. It just reduces the cost of building it because you don't have to bother testing it on any other platforms. Rather than tell users "Danger, we haven't tested your choice of OS" companies prefer to lock it down.
Users on Apple and Windows are not safer because a bank has chosen to block Linux.
ITS NOTHING TO DO WITH WEBSITE
internet banking via browser has been OS agnostic way before mobile banking exist
please educate/research what is mobile banking before making an literally false argument that is not about mobile banking
Until they decide to force you to use the mobile app as a 2FA for the website. My bank did that, I literally had to buy a new phone because the old one couldn't update their stupid app. It locks you in to the latest N versions of Android/iOS.
Before you ask, no, other banks aren't any better where I live. They all stopped using physical 2FA keys years ago. And no, they won't let you come in physically for things that can be done online.
good for them to care more about security then
My bank lets me do everything just fine on Firefox/linux.
For now, until they come up with some stupid 2FA solution that requires installing and updating their Android/iOS app. Banks where I live already have and there's literally no way around it (they don't use physical 2FA keys anymore).
its not mobile banking if you use browser
its just browser/internet banking
also mobile banking has much more capabilites in forms of app than just "web page"
It's sort of antitrust adjacent. They are big enough to set market rules on the manner of distribution, like DRM and hardware-software lock-in, which doesn't directly stifle competition in their field (only a little) but in another field, and the results are arguably anti-consumer. That sort of power should not be in the hands of a single company.
A non libertarian might ask: Is it good for society?
I prefer to live in a society where adults are free to come to their own arrangements with other adults. Not one where those with a penchant for authoritarianism set terms for others.
Sometimes this system may have warts like not getting to watch Netflix on your Switch, but that seems like a small price to pay for respecting individual autonomy.
> This is why it's so important to defend the real principles here not just the technical artefacts of them.
You're not wrong, but technical artefacts can be an important step in the right direction. I came to my bank, showed them my Librem 5 phone and asked where I can download an app for it. It was a much clearer message than "but Android isn't free!" (which is of course true). I do the same with governmental services. It also makes it much easier to explain to ordinary people that the choice must not be artificially restricted to just two megacorps.
Let’s say we do all that. How do you explain to a common layperson exactly what has been achieved? What is the ultimate benefit?
Right, so "defend" does a lot of lifting in there.
What are you prepared to do to reverse the contemporary tide of tyranny? What have you done to make those in power afraid to move forward with policy founded in loathing of humanity?
I'm going to get wild-eyed now but you can blame Google for that as they're the ones who just announced they'll retroactively ban me from installing software on the computer I bought and own.
I don't think you can really solve this problem as long as there's an operating system monopoly, or even duopoly/triopoly. The lure of total control is just too great. Every operating system vendor, hell every intellectual property vendor will always dream of it. A company that becomes powerful enough to put chains on its users will do so.
From the British Raj to Standard Oil to IBM and Microsoft, monopolies are some of the most powerful forces in history. There is a case to be made that we were on a similar path with Microsoft until a combination of the Internet and a half-assed but not completely ineffective anti-trust campaign made them hit the brakes, for a while.
I think that the solution is to highlight the abuses perpetrated by the biggest tech giants specifically, and advocate for radical government action on multiple levels. #1 to break up these companies. #2, to shackle them and anyone who gets as large as them so that they can't do anything like this again. #3, publicly fund the development of competing, open operating systems.
If you are a US citizen then #1 and #2 are the more realistic paths and you should be watching the various anti-trust cases against Big Tech like a hawk, the celebrity du jour is really Amit Mehta who is scheduled to release his Google remedies any day now. You need to make it clear to your representatives that this is your top issue at the ballot box. We need a second American Progressive Era that's seasoned with digital rights and anti-megacorp sentiment and with "doomscroll" and "Luigi" having entered the vernacular I think we could be closer than many here believe.
If you are an EU or Chinese citizen you should support the development and adoption in those polities of alternative, Linux-based operating systems. In the way the South Korean government specifically encouraged the growth of Samsung into a company with a global footprint, you should do that for local companies which develop OSes that compete with Apple and Google's. These geographies fundamentally can't do much to influence the American legal system so they should instead lean into public sentiment around nationalism and sovereignty and tie these to software freedom because that is likely the only elemental, emotional force that will capture enough public attention and support. Use state-scale resources to create competition for the American tech giants and establish a balance of power, because they are assuredly your enemies at this point.
And lastly for the ten millionth time I'll say it - Stallman predicted this. He saw it all coming. He warned us. He told us what would happen and what we needed to do. It's time to listen and to think big.
Meanwhile FOSDEM and similar conferences are full of people carrying Apple devices, and most folks keep picking non-copyleft licenses instead of dual licensing.
The Stallman generation is slowly leaving this realm, the opportunity has been lost already.
Sure is slow. The FOSDEM audience you're describing sounds identical to the one from 15 years ago.
It is no coincidence whatsoever that the control accelerated at a pace seen never before just as those two words entered the vernacular. Censorship of such topics on places like Reddit and Youtube tenfolded. It scared them. It's the only thing that works.
Well said!
> Everything from banks to Netflix and others are slowly edging out anything where they can't fully verify the chain of control to an entity they can have a legal or contractual relationship with.
We need to make that illegal. Classify it as discrimination. They should be obligated to treat any client that tries to connect the same as they would treat their own software. Anything else is illegal discrimination against users, a crime comparable to racial discrimination.
Anything short of this means they've won. Everything the word "hacker" ever stood for will be destroyed. Throw all FOSS into the trash. None of it matters anymore. What's the point of free software that we can't run? That can't actually do anything useful because it fails remote attestation? Completely useless.
So you want the “freedom” of being able to run the hardware you want. But you don’t think Netflix should have the “freedom” to decide where there software should run?
You don’t have the right to other people’s content - especially for rental content in the case of Netflix.
Even if you don’t agree with that, do you really think that Google should allow Google Wallet run on hardware where they can’t verify the security? No one in the payment chain would trust Android devices. Credit card terminals and every one else has to fall under compliance regulations.
The banks are liable for fraud. Are you okay to say if use unverified hardware to use banking services they aren’t liable for any losses?
I mean you’re right but it seems like the equilibrium we’re heading towards is one where the opposite is true and our internet and society looks more like China’s. Principles unfortunately mean little in the face of societal and technological change, the only thing that matters is the resulting incentives.
This makes the point that the real battle we should be fighting is not for control of Android/iOS, but the ability to run other operating systems on phones. That would be great, but as the author acknowledges, building those alternatives is basically impossible. Even assuming that building a solid alternative is feasible, though, I don't think their point stands. Generally I'm not keen on legislatively forcing a developer to alter their software, but let's be real: Google and Apple have more power than most nations. I'm all for mandating that they change their code to be less user-hostile, for the same reason I prefer democracy to autocracy. Any party with power enough to impact millions of lives needs to be accountable to those it affects. I don't see the point of distinguishing between government and private corporation when that corporation is on the same scale of power and influence.
> Google and Apple have more power than most nations.
Yep. They control our information - how we make it, what we are allowed to find, and what we can say. And they are large enough to not face real competition. So let’s treat them like the state owned corporations they are and regulate heavily. Smaller companies can be left unregulated. But not companies worth 500 billion or more.
> So let’s treat them like the state owned corporations
If they were state owned, we could vote for how the profits get used and we would have larger budgets for healthcare and education.
The US federal government alone (not including state and other local governments) spends north of $1 trillion dollars per year on healthcare.
https://fiscaldata.treasury.gov/americas-finance-guide/feder...
Another $1.3 trillion on wealth transfers from workers to non workers (including disability). And another $608B on wealth transfers from people with higher income to people with lower or no incomes.
Alphabet and Apple, combined, earned $193B in 2024, from the entire world.
https://www.macrotrends.net/stocks/charts/GOOG/alphabet/net-...
https://www.macrotrends.net/stocks/charts/AAPL/apple/net-inc...
How does your suggestion make any difference, other than destroying 2 of the very few organizations driving demand for US assets, and hence help support the US dollar's purchasing power?
But if they were, they would never have become what they are in the first place, including the good things.
States are neither good at innovation nor dynamism.
But they are very good at telling you what you should and should not do.
The latter part has some wonderful consequences for consumer or worker protections, but it has some terrible ones for creating new stuff or improving the old.
> But if they were, they would never have become what they are in the first place, including the good things.
Does the good outweigh the bad?
Perhaps in the beginning. Today? Definitely not.
The real battle is over Google selling the public on the notion that Android would be the "open" platform that allowed people to run anything they liked on their device, and then deciding to use anticompetitive means to take that freedom away.
Without that fraudulent marketing, Android never would have crowded out other options so quickly in the marketplace.
The solution is to either have Google back down on breaking its promise that Android would be open or to have an antitrust lawsuit strip Android from Google's control.
What worries me is that Google has a fairly legit argument to say "then Apple should as well". But we've accepted Apple's status for so long now, a lot of consumers are stockholmed into thinking giving away control is the only way to have a good phone (evidence: see any thread discussing that maybe Apple should allow other vendors to also use their smartwatch hardware to offer services in non-smartwatch-hardware markets that Apple also offers services in. Half the users seem like they're brainwashed by the marketing material they put out). I don't know that we can convince the general public anymore that 1984 is bad (thinking of Apple's own 1984 ad, specifically) and, without general public, there can theoretically also not be political will
I was part of this problem. I've accepted what Apple is doing because I had Android. I didn't think they'd come for me next so I didn't speak up
> What worries me is that Google has a fairly legit argument to say "then Apple should as well".
Not a legal argument, since Apple never claimed the iPhone was anything else but a walled garden, and walled gardens are legal as long as you are clear that users will be buying into a walled garden from the start.
(For example: Nintendo, PlayStation and Xbox)
Legally, the only thing you could do is change the law to make walled gardens illegal, as they did in the EU.
The changes Google has proposed for sideloading are illegal under existing law, since Android was sold to consumers with the promise that it was the "open" platform that allowed users to run anything they like.
That argument would only last as long as current Android devices are supported for. In seven years, the last devices will run out of support and we'd be back to square one
Legislation, as you say, seems like it'll be necessary :/
It's about the lifespan of the platform, not the lifespan of a device.
When you chose to create an open platform with multiple participants, you are creating a new open market where antitrust laws will apply... even to you as the platform creator.
Microsoft, for example, was found guilty of antitrust in the personal computer market long after the original computers running Windows were gone.
> Google and Apple have more power than most nations.
And that is what is wrong here. Even the smallest nation should be far more powerful than the largest corporation. But corporations are now more powerful than most nations, including some really big ones. So the only way to solve this is to for an umbrella for nations that offsets the power that these corporations have.
The first thing you notice when you arrive at Brussels airport is the absolute barrage of Google advertising that tries to convince you that Google is doing everything they can to play by the rules. When it is of course doing the exact opposite. So at least Google seems to realize that smaller nations banding together wield power. But they will never wield it as effectively as a company can, so we still have many problems.
Well, an umbrella for nations or a sledgehammer for companies. I'd say just start shredding large companies left and right.
These are basics of capitalism.
Company aims for profit.
Bigger scale allows for better efficiency.
So companies naturally grow big. The bigger they are, the easier for them to compete.
Big companies have access to tremendous resources, so they can push laws by bribing law makers, advertising their agenda to the masses.
There's no way around it, not without dismantling capitalism. Nations will serve to the corporations, no other way around.
There are natural boundaries of the growth scale, which are related to the inherent efficiency of communications between people and overall human capability. Corporations are controlled by people and people have limited brains and mouths. I feel that with AI development, those boundaries will move apart and allow for even greater growth eventually.
> There's no way around it
Yes there is, the population passing laws to regulate this. The problem is though, that most people don't understand and don't care enough until its too late.
Or forcibly taking over a factory.
Bigger scale allows for better efficiency.
This is dogma, not proven fact, and most people that argue this tend to use self-serving metrics and a tailored definition of "efficient". Some counterexamples: early Google was much more efficient in responding to market changes than the current top-heavy organization; small hospitals tend to have better health outcomes (both per patient and per dollar) than large chains. Tesla was able to innovate much faster than established behemoths.
I think you mean "nimble", "versatile", or "agile". None of these imply efficiency in the same sense economy of scale does (ie cost to produce a single deliverable unit).
There are good examples, though—you can produce a single gold ring a lot cheaper than you can produce a one-of-a-trillion of them, cuz at some point you simply run out of gold. Another example is running into a cap in demand. Classic sigmoid vs exponential patterns.
"And that is what is wrong here. Even the smallest nation should be far more powerful than the largest corporation"
Since nations can be really small, I don't agree.
Even the smallest nations have the legal right to permanently incarcerate, strip you of your assets or even murder you if you are in their sphere of influence. I would hope you'd agree those are not powers that we should grant to large corporations...
I think it's shocking how many people Google can affect through its search algorithms (more than any nation on Earth) and yet there is no democratic system to hold them accountable.
>Even the smallest nations have the legal right to permanently incarcerate, strip you of your assets or even murder you if you are in their sphere of influence.
A nation that did that would be able to do that exactly once before everyone decides to never do business with it ever again, which they can afford to do because it's such a small market. Exercising arbitrary power is not the trump card you think it is. Hell, even a tiny nation with reasonable but annoying (from the point of view of a corporation) laws may not be worth it to deal with.
> > Even the smallest nations have the legal right to permanently incarcerate, strip you of your assets or even murder you if you are in their sphere of influence.
> A nation that did that would be able to do that exactly once before everyone decides to never do business with it ever again
US CBP and ICE would like a word with you.
Or more. If some small state decides to officially murder a US tourist while he never broke a local law, I do believe the public outcry would make the US government do more than just stop doing buisness.
Well, Saudi Arabia and Israel are not "some small state".
Ah, the well known true small state fallacy. Should have seen that one coming I guess.
Seriously?
True "some small state fallacy" please. And here I believe it matters if we are talking about some small state, or a small state that happens to be a close ally with lots of influence for various reasons.
Singapore.
Kill, not murder. If the country ends your life they are doing it under their authority, not outside their authority.
Context is everything. There are plenty of instances of countries murdering people. Authority does not define murder, ethics does.
So for example the Nazis did not murder people? It was under their authority after all ...
Point being, also states can do murder.
This was my first thought too, but the largest corporations are way too large any healthy society.
> Google and Apple have more power than most nations.
To push further, Google and Apple have basically as much power as the US.
The UK going after Apple, only to get rebutted by the US is the most simple instance of it. International treaties pushed by the US strongly protecting it's top corporations is the more standard behavior.
Any entity fighting the duopoly is effectively getting into a fight with the US.
> To push further, Google and Apple have basically as much power as the US.
If this is true then why is Tim Cook visiting Trump? Shouldn’t it be the other way around.
The power dynamic between the gifter and the giftee isn't that simple. Even bribes dynamics will change a lot depending on who does it and to which amount.
There is a whole antropologic field around that, but to keep it short, if you pay your palace and all expenses with the money funneled to you as gifts, you're not the one in control.
CGP Grey's "The Rules for Rulers" (on YouTube) may also be relevant here.
How feeble they might be in today's political arena, optics are still important.
Remember, the law provides patent, copyright, trade mark, and NDA protection.
While it would be a burden to require a degree of openness, it's not like companies are all rugged individualists who would never want to see legal restrictions in the field.
It's just a question of what is overall best and fairest.
Restrictions can both help and hinder innovation, and it's innovation that in the ling run makes things improve IMO.
> It's just a question of what is overall best and fairest.
If only it were so. But it's not just that. It's also a question of which section of society has the power to demand or prevent the creation of such a system.
Whether enacting labor protections or the Magna Carta, these beneficial restrictions require some leverage. Otherwise what is overall beat and fairest won't be coming up.
>Restrictions can both help and hinder innovation
I'm not sure innovation is really impacted when restricting the private sector. Traditionally, innovation happens in public (e.g, universities) or military spaces.
This is extremely dubious. There are hundreds (thousands?) of examples of innovation happening in the private sector - I could name the blue LED off the top of my head, and got personal computers, search engines, smartphones, cloud computing, and integrated circuits with less than a minute of searching.
> ability to run other operating systems on phones
> building those alternatives is basically impossible
For smart people it is not impossible. Just few years ago, few folks wrote complicated drivers for completely closed hardware, and I'm talking about M1 Macbook.
Google Pixel, on the other hand, was pretty open until very recently. I might be wrong about specifics, but I'm pretty sure that most of software was open, so you could just look at the kernel sources in the readable C to look for anything. You can literally build this kernel and run linux userspace and go from there to any lengths of development. Or you can build alternative systems, looking at driver sources.
I don't understand why mobile systems do not attract OS builders.
> I don't understand why mobile systems do not attract OS builders.
They're graphical consumer devices, the quality bar is so high nobody can reach it except huge well funded teams. It's like asking why desktop Linux doesn't still attract OS builders, or for that matter, why the PC platform doesn't attract OS builders. Occasionally someone makes an OS that boots to a simple windowed GUI as a hobby, that's as far as it gets now.
A lot of these HN discussions dance around or ignore this point. When people demand the freedom to run whatever they want, they never give use cases that motivate this. Which OS do they want to dual boot? Some minor respin of Android with a few tweaks that doesn't disagree with Google on anything substantial (Google accepted a lot of PRs from GrapheneOS people).
Nobody is building a compelling new OS even on platforms that have fully documented drivers. There's no point. There are no new ideas, operating systems are mature, it's done, there's nothing to do there. Even Meta gave up on their XROS and that was at least for a new hardware profile. Google did bend over backwards to let people treat phones like they were PCs but it seems regular Android is in practice open enough for what people want to do.
> Nobody is building a compelling new OS
Eh, Redox probably counters your statement here. It's just in that wide gulch of "the easy part is done and the hard parts are hard".
But it is being built, and some would definitely consider it compelling.
Do you think that Redox will ever run a mainstream web browser, i.e., one that can render most web sites without the user's knowing a lot of technical details about, e.g., Javascript and constantly tweaking configurations?
>I don't understand why mobile systems do not attract OS builders.
My guess would be that it's a continuously moving target. There's no point in spending years working to support some weird integrated wifi adapter+battery controller when by the time you're done the hardware is already obsolete and no longer being manufactured. Repeat that for every device on the phone. The only ones who can keep up with that pace are the manufacturers themselves. It'd be different if there was some kind of standardization that would make the effort worthwhile, though.
> I don't understand why mobile systems do not attract OS builders.
Cellphones are not very useful as programming tools (too small), which is what Open Source excels at.
Also, cellphones need to handle some annoying things, like it should always be possible and easy to call emergency services. Which is to say, the UI work seems stressful.
I’m fairly sure the modem firmware on the Pixels was never open. There’s some hardware that will never have open firmware to it. Especially when that firmware deals with regulated airwaves like cell signals.
My laptop has plenty of chips with closed firmware. They matter not. Open hardware is a noble goal, but open software is enough. Firmware is part of hardware block, so having open operating system, which sends blobs into some devices for initialisation is perfectly acceptable compromise.
With the right trusted computing modules, it will be impossible. As far as I am concerned, the asahi developers are building on a foundation of sand because Apple could just lock down the bootloader for the iMac laptops or whatever next generation
"This makes the point that the real battle we should be fighting is not for control of Android/iOS, but the ability to run other operating systems on phones."
Sometimes owner control, cf. corporate control, can be had by sacrificing hardware functionality, i.e., features, closed source drivers. Choice between particular hardware feature(s) working and control over the hardware in general.
Have at least two phones. One with corporate OS for banking, commerce. Another with user-chosen OS for experimentation, able to boot from external media.
Yes but in the phone space the sacrifice is too much. You often times forgo the ability to even participate in many aspects of society, e.g. banking. It's not your typical "rough around the edges open source alternative", it's just not even a comparison.
Can’t you do banking on the web via your phone? Same as desktop users?
I heard some banks don't have web sites, only apps.
Sounds like they are outliers. None of my banks are like this. Multiple countries and continents.
> let's be real: Google and Apple have more power than most nations.
Lets be real, they do not have more power than any nations. They have a lot of power in a few tiny silos that happen to make up like 90% of the mental space of a lot of terminally online folk.
Heck they probably have less power than Coca Cola or Pepsi did during the Cola wars, or United Fruit Company at its height.
Wake me up when Apple rolls a tank into red square or Google does anything but complain about national security legislation it then goes and assertively complies with.
There are power rankings where these top companies are considered more influential than many nations.
https://www.realbusinessrescue.co.uk/advice-hub/companies-wo... https://techcrunch.com/2023/06/29/so-who-watches-the-watchme... https://www.theguardian.com/business/2024/sep/23/amazon-tesl...
Sorry for the terrible formatting. Tried to fix it but the last edit seems to have borked it completely.
www.realbusinessrescue.co.uk/advice-hub/companies-worth-more-than-countries
techcrunch.com/2023/06/29/so-who-watches-the-watchmen
www.theguardian.com/business/2024/sep/23/amazon-tesla-meta-climate-change-democracy
EDIT: Now in plain text since the last URL does not show up otherwise. And why is it rendering with --, its only - in the URL?
Influence and power are related but separate concepts.
And often the influence of an organisation is related to the state willing to back it. The US intervening for Tesla for instance. And China Petroleum wouldnt be so big if it wasnt for the chinese state.
The primary problem is that we can't build a phone and run it on a cellular carrier network. This is where legislation is needed.
Apple and Google are still a problem, but they are a secondary problem.
You kind of can? The carrier network has no way to verify that your cellular modem is a real modem made by a real modem company, and not 3 SDRs in a trench coat standing on the top of each other.
The sheer technical difficulty is what makes this kind of thing impractical.
The network does validate that a SIM card is a real SIM card, but you can put a "real SIM card" in anything.
Yeah pretty much. I don't disagree on principal that people should be able to install a custom OS on their device. But in practical terms it doesn't really matter all that much because hardware is so complex and moves so fast that no hobbyist has even close to the time and resources to develop a custom OS for the latest phones.
The M1 Macbook Air is 5 years old now, has an active development, lots of community funding and attention, yet is still missing basic functionality like external monitors and video decoding. Because it's just a mammoth task to support modern hardware. Unless you have a whole paid team on it you've got no hope.
IMEI whitelisting is common in the US at least... I think this shuts down the trench coat idea.
Oh no, you'd have to spoof an IMEI, if only that wasn't completely impossible!!
You'll run into a variant of the tragedy of the commons; without any kind of regulation or provable assertions from people taking part in common communication infrastructure, it'd be quite easy to ruin it for everyone.
You don't need to allow completely unrestricted access to the network. However, there needs to be a process with a defined cost to certify your hardware. The cost can be expensive and time consuming but it needs to be known and published and the cellular companies need to be held to it.
The problem right now is that even if I had a couple of million dollars lying around, I STILL couldn't reliably get a piece of hardware certified for the cellular network. I would have to set up a company, spend untold amounts of money bribing^Wwooing cellular company executives for a couple years, and, maybe, just maybe, I could get my phone through the certification process.
The technical aspects of certification are the easy part.
The problem is that the cellular companies fully understand that when it happens their power goes to zero because they suddenly become a dumb pipe that everybody just wants to ignore.
That's why this will take legislation.
Monopolists always talk about the tragedy of the commons, but don’t see anything wrong with the tragedy of the monopoly and don’t want you to think anything can exist in between.
But how do we start a movement for these ideas? I feel like there isn’t awareness outside of niche circles and the public may not see the short term benefit. Meanwhile politicians are lobbied by the same corporations and won’t listen.
I don't think the cellular network is the problem at all - everything except SMS and PSTN calls works on wifi. The problem is the apps. Netflix only runs on a verified bona fide electrified six car Google- or Apple-approved device; so do most financial apps (EU law requires them to) and basically everything else where the app developers are trying to get money off you (which is most apps). Some apps will refuse to play ads on a non-genuine device and then refuse to function because you aren't watching ads. Play Store does its best to stop you installing its apps on a nongenuine device, but it has to support older devices without TPMs so it's not fully locked down yet. Even YouTube has some level of attestation.
In the US at least, you could already have a lot of trouble with Wi-Fi calling when using unlocked Android phones. And it is basically nonexistent if you use a phone purchased outsiden US.
And why can Netflix ignore everybody who doesn't have a bona fide Google or Apple phone?
Because the number of non-Google and non-Apple phones is a rounding error.
And why is that? Because, except for the incumbents, it is almost impossible to certify a phone.
We could have nice sub-$100 phones (remove camera, etc.) if people could get them certified. But they can't; so we don't.
Well there's Huawei's Harmony OS. Can someone who knows what's going on with that report in? Is it anything close to an open platform?
It is also equally closed, so not the champion you are looking for. It could still be a major player breaking the duopoly.
GrapheneOS?
Only runs on a handful of hardware, and still uses the binblobs from google for the hardware devices.
That is a fair point, this is a similar issue that Libre-boot went through a few years back. Yes, you try to stick clear of binary blobs as much as possible but at a certain point you just run out of hardware that meets that criteria.
I think GrapheneOS focuses on privacy and security, not liberation. I think their pragmatic and narrow-minded approach is valid, it's important not to conflate their scope with related issues they are unable/unwilling to tackle.
Personally, I think a usable pure Linux phone is required to weaken the desktop vs. mobile distinction and break the lock-in. This would additionally empower the desktop platform, confirm it as baseline.
Forces users to directly give money to Google and to rely on Google's OS underneath.
This is one of the real canaries I watch on "real AI" for programming.
It should be able to make an OS. It should be able to write drivers. It should be able to port code to new platforms. It should be able to transpile compiled binaries (which are just languages of a different language) across architectures.
Sure seems we are very far from that, but really these are breadth-based knowledge with extensive examples / training sources. It SHOULD be something LLMs are good at, not new/novel/deep/difficult problems. What I described are labor-intensive and complicated, but not "difficult".
And would any corporate AI allow that?
We should be pretty paranoid about centralized control attempts, especially in tech. This is a ... fragile ... time.
AI kicks ass at a lot of "routine reverse engineering" tasks already.
You can feed it assembly listings, or bytecode that the decompiler couldn't handle, and get back solid results.
And corporate AIs don't really have a fuck to give, at least not yet. You can sic Claude on obvious decompiler outputs, or a repo of questionable sources with a "VERY BIG CORPO - PROPRIETARY AND CONFIDENTIAL" in every single file, and it'll sift through it - no complaints, no questions asked. And if that data somehow circles back into the training eventually, then all the funnier.
That's one of the boil-ups. Why would lack of Linux compatibility for hardware be a thing? If AI can write the drivers in 1/10th the effort/time, it should be a game changer for open source.
I haven't heard much from the major projects yet, but I'm not ear-to-the-ground.
I guess that is what is disappointing. It's all (to quote n-gage) webshit you see being used for this, and corpo-code so far, to your point.
AI can't write full drivers, and certainly not to mainline Linux quality. But it does make "take apart a proprietary driver to figure out how it works" much easier.
>It should be able to make an OS. It should be able to write drivers.
How is it going to do that without testing (and potentially bricking) hardware in real life?
>It should be able to transpile compiled binaries (which are just languages of a different language) across architectures
I don't know why you would use an LLM to do that. Couldn't you just distribute the binaries in some intermediate format, or decompile them to a comprehensible source format first?
I agree that it's a challenging problem.
My line of thinking is that AI essentially is really good at breadth-based problems wide knowledge.
An operating system is a specific well-known set of problems. Generally, it's not novel technology involved. An OS is a massive amount of work. Technical butrudgerous work.
If there's a large amount of source code, a great deal of discussion on that source code, and lots of other working examples, and you're really just kind of doing a derivative n + 1 design or adaptation of an existing product, that sounds like something in llm can do
Obviously I'm not talking about vibe, coding and OS. But could an OS do 99% of that and vastly reduce the amount of work to get a OS to work with your hardware with the big assumption that you have access to specs or some way of doing that?
> as the author acknowledges, building those alternatives is basically impossible
I don't understand why everybody is ignoring existing, working GNU/Linux phones: Librem 5 and Pinephone. The former is my daily driver btw.
Apparently they just can't live without Netflix and its even worth their freedom.
We need both options to coexist:
1. Open, hackable hardware for those who want full control and for driving innovation
2. Locked-down, managed devices for vulnerable users who benefit from protection
This concept of "I should run any code on hardware I own" is completely wrong as a universal principle. Yes, we absolutely should be able to run any code we want on open hardware we own - that option must exist. But we should not expect manufacturers of phones and tablets to allow anyone to run any code on every device, since this will cause harm to many users.
There should be more open and hackable products available in the market. The DIY mindset at the junction of hardware and software is crucial for tech innovation - we wouldn't be where we are today without it. However, I also want regulations and restrictions on the phones I buy for my kids and grandparents. They need protection from themselves and from bad actors.
The market should serve both groups: those who want to tinker and innovate, and those who need a safe, managed experience. The problem isn't that locked-down devices exist - it's that we don't have enough truly open alternatives for those who want them.
Incorrect.
Choice 2. Empowered user. The end user is free to CHOOSE to delegate the hardware's approved signing solutions to a third party. Possibly even a third party that is already included in the base firmware such as Microsoft, Apple, OEM, 'Open Source' (sub menu: List of several reputable distros and a choice which might have a big scary message and involved confirmation process to trust the inserted boot media or the URL the user typed in...)
There should also be a reset option, which might involve a jumper or physical key (E.G. clear CMOS) that factory resets any TPM / persistent storage. Yes it'd nuke everything in the enclave but it would release the hardware.
I like the way Chromebooks do things, initially locking down the hardware but allowing you to do whatever if you intentionally know what you're doing (after wiping the device for security reasons). It's a pity that there's all the Google tracking in them that's near impossible to delete (unless you remove Chrome OS).
> I like the way Chromebooks do things, initially locking down the hardware but allowing you to do whatever if you intentionally know what you're doing
Did you hear? Google's not allowing "sideloading" (whitewashing the meaning of installing) third party apps by unknown developers.
> after wiping the device for security reasons
Think of the ~~children~~ data!
I wonder if full device wipe would be the solution to "annoying enough that regular users don't do it even when asked by a scam, but power users can and will definitely use it".
That's how bootloader unlocking has worked on Android phones for ages, and I've never heard of it being abused, so I think it's a good model.
If that comes to pass I hope that one would be able to install a regular firmware with full DRM support / banking app support which only differs by allowing one to install apps freely. I don't think that's the case currently with firmwares that allow root. The security implications are somewhat different (root is more permissive) but I guess that the kind of person that wants to run arbitrary apps also prefer root access (maybe not at the cost of access to everyday apps with bullshit protections however).
I agree, if Google's going to disallow "normal users" from installing apps from unknown sources, I'd like there to be some escape hatch other than the (increasingly blocked) nuclear option of rooting/bootloader unlock.
Consider the possibility of an evil maid type attack before a device is setup for the first time, e.g. running near identical iOS or macOS but with spyware preloaded, or even just adware.
We already have that today. And locked down systems don't prevent it, because you can always exploit some part of the supply chain. A determined actor will always find a path.
Right now you'd need a zero-day bootrom exploit to do something like this - still a possibility for the average high-level intelligence operative, but not the average white collar citizen. The proposal is making such a thing a feature.
Stuxnet did not require a bootrom zero day. Just people's propensity to plug in USB devices out of curiosity.
You don't need the NSA to target someone and replace their device with a malware driven one. Just a porch pirate and your own delivery - two to three years and you're almost guaranteed an attack window.
It's possible to make this detectable, and chromebooks already do.
On a chromebook, if you toggle to developer mode you get a nag screen on early-boot telling you it's in developer mode every time, and if you're not in developer mode you can only boot signed code.
Basically, just bake into device's firmware that "if any non-apple keys have been added, forcibly display 'bootloader not signed by Apple, signed by X'", and if someone sees that on a "new" device, they'll know to run.
With the root of trust and original software wiped, what used to be, say, an iPhone stops being an iPhone. It becomes a generic computer with the same hardware. All the software designed to run on iPhones like the App Store is likely to stop working. You won't fool the user for long.
And this attack is already doable by simply replacing the iPhone with a fake. It won't fool the user for long either, but you get to steal a real iPhone in exchange for a cheap fake.
You can have TPM with your own hardware key, which allow to verify the integrity of the BIOS. Works fine on my Librem laptop with a Librem Key.
This can be fixed by adding some user-controlled "fuse". For example, with a TPM you will lose access to stored keys if the boot sequence is modified.
Incorrect. For us as tech people this is an option. My older family members will definitely install malware and send all their data to China.
Please don’t let me go back to the early days of the internet where my mother had 50 toolbars and malware installed
> Please don’t let me go back to the early days of the internet where my mother had 50 toolbars and malware installed
I removed hundreds of toolbars from my mother/grandmother/anyone computer.
I still prefer that to techno-fascism where it's ok for companies to brick my hardware remotely, to lock me out of all my hardware because I have a picture of my kid in a bath, to read all my messages for whatever reason, to extract value from my personal files, pictures, musical tastes, to not allow me to install an app I bought because it have been removed from the store, to not allow me to install an app my friend created, to not allow me to create an app and sell it myself, to not allow me to not do the action ever but just "Later this week", and so on and so on.
This toolbar thing is a wrong excuse. And it was 90% because Windows was shitty.
Most mothers would have easily downloaded and installed crapware embedded with whatever they downloaded, but most mothers aren't doing to go to "Settings > About > Tap 10 times on OS version > Bootloader > Disable Bootloader protection > "Are you sure because your phone will become insecure ?" > Yes > Fucking yes.
And if they still do it to purposefully install malware, I'm sorry to say they are just stupid and I cannot care less about the toolbars.
Yes. So both options should be allowed to exist. One of them shouldn’t be banned because you don’t like it.
Keep in mind one of these third parties would almost certainly be Meta (because users want their stuff), and that would almost certainly be a privacy downgrade.
Freedom > Privacy > Security
Never give up your freedom.
If you have to give up your privacy to ensure your freedom, so be it.
If you have to give up your security to ensure your privacy, so be it.
This goes for governments and phones.
Always fun to interact with some internet Thomas Jefferson giving freedom speeches from his mother's basement.
Reality is that people pay a lot of money because they 'trust' Apple (and to a lesser extent Google), but Meta is the sleaziest one of them all. (And I don't use their shit either.) But people want Whatapp and Instagram, and so you are telling them now they have sell-out and go to the "Meta App Store" to talk to their friends. That fucking sucks. And I think you agree with that.
Under such topics there are always comments about each vendor making their own store, yet it didn't happen on Android, where it's currently perfectly possible.
Sorry, I haven't had an Android phone since the original Nexus, so hopefully you can clarify. Could you install some hypothetical 'Meta Store' from the Google Store? Or do you mean more like Meta could just sell their own phone (eg Amazon)?
Both are possible.
You can have alternative app stores on Android without any restrictions — the most famous example would be F-Droid which hosts free software. Nothing stops Epic, Meta or any company from also having such a store.
When you ship a certified Android, it has to come pre-installed with the Google Play Store but some vendors like Amazon and Huawei ship an alternative OS with their own stores to replace the Google one. It's not officially Android but can be based on the Android Open Source Project.
Very few companies have chosen to do either and it was usually because they were forced to (Huawei).
We keep mocking and laughing at the "internet Thomas Jefferson"s of the world but they seem to be getting increasingly prescient about the dystopian world where we are giving bad actors disproportionate control over our lives on the pretext of keeping us or children safer.
I will agree with your point, and will also say a lot of the "bad actors" are actually in the house here. So don't take anything on face value. Hacker news has some straight computer criminals, adware types, cryptobros, dubious startup types, whoever is vibe-coding these crawlers, and etc. So of course they all believe in "maximum freedom" (to scam people).
And yet you're apparently not losing your mind over Mark Zuckerberg having his products on the web? He's doing everything you claim on the open web - third party trackers embedded on other websites, etc. Do you want to lock down the web?
I think you have a reason for defending Apple. Maybe you love the company, maybe you've got their stock, maybe you've worked for them.
Apple is a trillion dollar behemoth that has distorted the market and removed freedom and choice. They're a menace that needs to be regulated. Period.
I also think Zuckerberg's tracking needs to be regulated, but that's a battle for another day. It's one we haven't so egregiously lost yet.
People don't need Meta. People need smartphones. And smartphones are draconian dictatorships that the government has been too asleep and too lax to regulate.
> I think you have a reason for defending Apple.
Guilty as charged. My parents had a Windows laptop and all sorts of evil shit was "sideloaded", and when I started reformatting it, some indian 'microsoft tech support' guy was actually screaming at them through the speakers. This is what happens in your world.
I bought them an iPad (and another) and it's now been almost 15 years with zero tech support calls, zero problems, zero scammers. That is fucking great for me. Money well spent. So yeah, I wish you guys could just buy a free software phone with no ABI and go away to recompile your software. But it is fucking terrible idea on a societal level.
> This goes for governments and phones.
Apple does not have the ability to throw me in prison or take away my freedoms. Only to not grant me extra freedoms subsidized by their R&D budget.
Apple has removed your freedom from day one.
Their R&D budget is at the expense of a free market that would have delivered the same or better products.
Did you ever see how wild and innovative the Japanese mobile phones were before iPhone monoculture took over?
I want crazy stuff like a smartphone that has the form factor of a Raspberry Pi. Or a smartphone with e-Ink. Crazy new categories of devices.
Sadly, the Apple/Google monopoly has turned smartphones into one of the shittiest, most locked down device categories. It's a death place for innovation.
Nobody is forcing you to buy their products, so they haven’t taken away anything from you.
If you do decide to buy their products, nothing has changed since the day of your purchase, so they haven’t taken away anything from you.
Their “monoculture” didn’t “take hold” - it beat the Japanese offerings through innovation and a better product.
They operate in a free market, their R&D budget is made possible by their market success. If things change in the market (e.g. AI) the market will vote the way it always does.
Do you honestly believe "a free market" would only produce two alternatives?
In that case, the free market sucks and I want government intervention.
> Do you honestly believe "a free market" would only produce two alternatives
No. A free market will eventually produce a single monopolistic winner.
If you have ability to buy your competition, and most of people consider it a job and not some religious calling, monopoly is the most logical outcome.
Same way a black hole is the most logical outcome of gravity.
> They operate in a free market
They operate in the illegal duopoly, where you have the "free choice" between a tiny amount of freedom with unlimited telemetry and no freedom with convenience for a big buck.
The market has forced us all to buy Apple or Google. There is not a vibrant field of alternatives, and there is certainly a desert of hobbyist tech.
The market is now so depressed that everyone has to jump through these companies' hoops to participate in the most important computing form factor in the world.
Don't apologize for trillion dollar hyperscalers. They don't need your love, adoration, or apology. They do not care about you at all.
Too much power has accrued to these two and it's being leveraged against all of society and the open market. Competition is supposed to be difficult, ruthless, challenging, and frenetic. I see two companies resting on their laurels that are happy to tax us into the next century while we wear their little straightjackets.
Technically for US residents Apple can throw you in prison for attempting to maintain and use your freedoms, thanks to the anti-circumvention parts of the DMCA.
This.
We need a mobile bill of rights for this stuff.
- The devices all of society has standardized upon should not be owned by companies after purchase.
- The devices all of society has standardized upon should not have transactions be taxed by the companies that make them, nor have their activities monitored by the companies that make them. (Gaming consoles are very different than devices we use to do banking and read menus at restaurants.)
- The devices all of society has standardized upon should not enforce rules for downstream software apart from heuristic scanning for viruses/abuse and strong security/permissions sandboxing that the user themselves controls.
- The devices all of society has standardized upon should be strictly regulated by governments all around the world to ensure citizens and businesses cannot be strong-armed.
- The devices all of society has standardized upon should be a burden for the limited few companies that gate keep them.
>big scary message
Open question:
Any idea on making it so difficult that grandma isn't even able to follow a phisher’s instructions over the phone but yet nearly trivial for anyone who knows what they’re doing?
Sure. You ship the device in open mode, and then doing it is easy. The device supports closed mode (i.e. whatever the currently configured package installation sources are, you can no longer add more), and if you put the device in closed mode, getting it back out requires attaching a debugger to the USB port, a big scary message and confirmation on the phone screen itself, and a full device wipe.
Then you put grandma's device in closed mode and explicitly tell her never to do the scary thing that takes it back out again and call you immediately if anyone asks her to. Or, for someone who is not competent to follow that simple instruction (e.g. small children or senile adults), you make the factory reset require a password and then don't give it to them.
Very nice!
I’m sure I’m missing a problem with the following approach: shipping in _closed_ mode with a sticker on the front notifying the person they should do a factory reset immediately to make sure they can do everything they want to do. During the reset, include a scary message for those who opt in to get to open mode.
Everyone simply goes by defaults so it would only be technical people presumably who would even get into the open mode in the first place. And then require the debugger to leave closed mode like you said.
Edit: this comment worries about solo/asocial/“orphaned” members of our society
The problem with that is the owner has to choose which package sources they want to allow before the device is in closed mode, because after that adding more requires the scary reset, and the vendor of course has the perverse incentive to ship the device in closed mode with only their own store enabled, which has to be prohibited because it's anti-competitive.
Make it an obscure option in the first time setup so all the users that click next next next will end up with the secure mode, while the open mode requires fiddling.
This isn’t a gdpr opt out where both alternatives need to be equally easy. We (as a society) absolutely need the devices to default to the current model when purchased.
> This isn’t a gdpr opt out where both alternatives need to be equally easy. We (as a society) absolutely need the devices to default to the current model when purchased.
I feel like this is completely the opposite. The case for closed devices is that if grandma is senile she can't be trusted to make sound choices and needs a piece of hardware to limit her options, whereas that isn't the case for random chemists and college students and farmers, i.e. the general population.
It's one of the cases where tech people can't see the forest for the trees. The vast majority of people can make reasonable decisions about their own lives, but then if a tiny percentage make mistakes, those are the ones who come to you with problems and then it seems like everyone who comes to you is having problems because only the people having problems come to you.
Then megacorps use that false perception that everyone is incompetent to try to weasel their way in as a middle man taking a thick margin while locking the doors so the average person can't go to the competition, which is the option that needs to be not just preserved but actually used by ordinary people.
And not just because of the margins. Centralizing everything is a skeleton key for authoritarians. If you want to ban a social media app because people are using it to find out about something you want to censor or organize opposition to your administration and having it banned from Google Play and Apple makes it so 99% of people can't use it, you'd win when we need you to lose.
I don't think the centralization and security must be mutually exclusive. So long as the alternative is _also_ secure, it's a win-win. But that's the big problem.
Fix the phone system so calls must positively identify themselves.
There is no reason anyone purporting to be from a business or the government should be able to place a call without cryptographically proving their identity.
I like that! I’m sure it would take a little bit of time for folks to stop trusting calls from personal numbers where highly-capable social engineers do their best work, but eventually I expect nearly all of us would learn the lesson.
And presumably we could set up notifications so our elderly relatives’ phones would alert us to calls from unverified numbers not in their contact list lasting longer than a minute or two.
Stop gatekeeping actually useful apps. Nobody should never need to see the message to do anything they actually want to do, otherwise it leads to normalization of deviance.
False positives from PC virus scanners are very rare.
Interesting, mind elaborating a bit/clarifying the first couple of sentences there? A point I’d like to understand
What are you on about? The last 10 years of computing the only time windows defender pinged was on false positives.
I'd argue that even the 'safe' devices should at least be open enough to delegate trust to someone besides the original manufacturer. Otherwise it just becomes ewaste once the manufacturer stops support. (Too often they ship vulnerable and outdated software then never fix it.)
If the user cannot be trusted to maintain the hardware and software, then the only responsible thing is to rely on the manufacturer to do so. In those cases, if the support is dropped you buy the newest device.
Paul knows that. He is arguing for a different future. google is about to remove my ability to remotely control my thermostat. Not even local control. Imagine a world where they would have to choose between continued device support or unlocking… or maybe just building out the local control and cleaning their hands of it. Having corpos as the arbiter of a consumers buying schedule and creating unnecessary easter is pretty undesirable.
easter?
I'm guessing autocorrect for e-waste / ewaste
What if that is the newest device?
What if the only hospice in town closes down and your grandma is there? What if Mozilla or Linux die out and the only browsers/OSs that remain are proprietary? You find alternatives or make do, like all aspects of life.
You can't expect services and organizations to last forever, there is always some risk they'll collapse when you are around.
But is it too much to ask to at least let me get my grandma back out of the hospice? Don't just lock all the doors and put up a sign saying "Thanks for your loyal business, it's been an amazing journey". And if I'm the one who owns the building and you were just staffing it, then I'd appreciate having the door keys back as well, please!
Did they ask? Some users can be trusted. Is there even a certification program?
This is just insane. Lock the devices down by default, and allow the user to unlock them if they want. Why do we have to have Big Brother devices that "benevolently" restrict what you can run "for your own good"? Why can't all phones have unlockable bootloaders? My phone has a big, scary "DO NOT DO THIS UNLESS YOU'RE A COMPUTER EXPERT" warning screen to unlock the bootloader, and that's fine.
Why do we need devices we can't unlock? Who is harmed by unlocking? This is the major point nobody has ever been able to explain to me. Who exactly does the big scary unlocked bootloader hurt? My parents have unlockable devices and they haven't had all their money stolen, because they haven't unlocked them.
> The problem isn't that locked-down devices exist - it's that we don't have enough truly open alternatives for those who want them.
The problems is that vendors use "locked down devices" as an excuse to limit competition.
Suppose you have a "locked down" device that can only install apps from official sources, but "official sources" means Apple, Google, Samsung or Amazon. Moreover, you can disable any of these if you want to (requiring a factory reset to re-enable), but Google or Apple can't unilaterally insist that you can't use Amazon, or for that matter F-Droid etc.
Let the owner of the device lock it down as much as they want. Do not let the vendor do this when the owner doesn't want it.
On Steam Deck, you never even have to set a 'sudo' password. You can have a safe managed experience and still allow a device to be open. Option 2 is ridiculous because it will just be exploited by companies and governments that want to control what you do or what content you see.
> The problem isn't that locked-down devices exist - it's that we don't have enough truly open alternatives for those who want them.
Not for lack of trying. See for yourself
https://en.m.wikipedia.org/wiki/List_of_open-source_mobile_p...
The list is not short.
Plenty of companies have attempted this over the years but it’s not obvious that a big enough customer base exists to support the tremendous number of engineering hours it takes to make a phone. Making a decent smart phone is really hard. And the operations needed to support production isn’t cheap either.
Government maybe rather than legislating big companies stores could not back up smaller open HW/SW vendors? It seems we gave up increasing competition on HW and what is left is app store level...
I know you weren't using it in this way, but I do appreciate the double meaning of the word "protection" here.
A.k.a, "nice google account you've got there, holding all your memories, emails, contacts, and interface to modern living; would be a shame if something happened to it because you decided to sideload an app ..."
Option 1 is a superset of option 2 - meaning, any hackable device can also be a locked down device because hackability means the power to do whatever.
We don't need option 2, period, and it shouldn't exist.
Just put the hackability behind a switch or something. If people turn it on, that's on them.
If there is a big enough market for 1), shouldn't it exist?
The problem in my eyes seems to be that there isn't enough capital interested to sufficiently fund 1) to compete and create a comparable product. Thus, at best, we end up with much inferior products which even people semi-interested in 1) are not willing to adopt due to the extreme trade offs in usability.
In theory these 2 options seem like a sensible way to have a choice. But the average user is not going to own and carry 2 devices. We want to have all we need in a single device, and things like paying with your phone have become way too common by now to not have them.
Agreed and I think we're already here. Hardware is so cheap now its trivial to have both multiple streaming devices and multiple open computer platforms. There are advantages to both and no way to compromise to have one device for everything.
Regardless of whether we expect manufacturers to let us run any code on the device, we should not restrict people from attempting to bypass the manufacturers limitations. That gives the manufacturer freedom to try and lock the device down but also the owner freedom to break those locks. Otherwise it worsens situations like the FutureHome scandal.
No, we need to only have option 1, because if option 2 exists, things like banking apps will all only run on it and will refuse to work on option 1.
You're wrong.
My hardware. My decision.
I don't think it will convince you in any way, but the whole point is/will be that it's not your hardware, you're paying for a perpetual license to use a terminal bound to someone else's service.
And it really shouldn't be this way. Everyone is tricked into believing that they own devices they bought. And we are somehow supposed to accept that the abilities of the device can be reduced after we bought it just because the vendor said so. Same with (lack of) right to repair. It's really not ok, nobody (especially here) should accept that.
Yes. Also, it is a crazy hard battle to fight.
The first step needs to be people moving out of the denial phase and realizing that we're already there. Our current laws are written that way.
That's the prerequisite to have any significant initiative to move the needle in the right direction. Most people won't care about fighting hard to secure rights they assume they still have in full.
I was a kid once. The hackability of the devices I owned is what led me to this career. Let's give our young ones a little more credibility.
The issue with this is that inevitably the locked down devices, which will end up being 98%+ of the market, become required for ordinary living, because no-one will develop for the 2%.
Open hardware is essentially useless if I need to carry both an open phone and a phone with the parking app, the banking app, messenger app to contact friends, etc.
For security reasons it makes sense for them to be different devices. People and services may not want to allow insecure devices to communicate with them.
Why? It's not like the insecure device doesn't have my identity key on it. If I program it to spam people, I go to jail for spamming.
If only you went to jail for spamming.
It would be easier to spoof such identities and some services may not want to deal with the overhead of using the legal system. Spammers today already can be taken to court, but in practice people don't do that.
You can have somr option burried in the settings, a 10yo kid would be able to think of this
People too stupid to use computers safely should be kept away from computers for their own safety. Giving that kind of person any kind of computer would be immoral by definition. They shouldn't have phones at all, they're just going to fall for corporate approved scams from Meta, Applovin, and Indian call centers.
Open and hackable products have a niche user base, so these users get a niche set of options. The only way to get mainstream products to play to this tiny user base is to demand that all products be open and hackable by fiat. Otherwise, there’s no incentive from anybody involved (manufacturers, app developers, etc.) to give them something that can run both their banking app and some open source app they compiled themselves. There’s a lot of dancing around the security effects this will have on “normies”, and although there are plenty of armchair proposals I haven’t heard one that doesn’t obviously degrade into some sort of alarm fatigue as both legitimate apps and malware tell you to click though a dialog or flip a setting.
I think this is a false dichotomy. Open hardware with open source software would be more protected simply by being more stress tested and vetted by more people. If you need even more protection you can employ zero-knowledge proofs and other trustless technologies. I have long been dreaming about some kind of hardware/software co-op creating non-enshittifying versions of thermostats, electric kettles, EV chargers, solar inverters, etc, etc. Hackable for people who want it, simply non-rent-seeking for everyone else.
The issue here is rarely whether the security features themselves are circumventable. It’s that at some point this turns into trusting users not to give malware apps permissions (whether that’s a dialog, a system wide setting, adding a third-party app store, etc.). Almost no users can usefully evaluate whether a particular bit of digital trust is a good or bad idea, so people will constantly get scammed in practice. If you’re thinking about ZNP as a solution, you’re not trying to solve the actual security problems of normal users.
I think normal users will figure it out if you give them a couple of generations
> more stress tested and vetted by more people
Grandma and grandpa aren't reading the source code and certainly not up at a professional level. This is one of the core misconceptions of the "free/libre" formulation of OSS.
> Grandma and grandpa aren't reading the source code and certainly not up at a professional level.
This is one of the core misconceptions of the anti "free/libre" formulation of OSS. Most users don't need to read the entire Debian source to know that it is safe to use. You are free to look up who maintains any part of the project and look at the history of changes that have been made. A lot of projects have nice, easy to read notes along with the actual code.
If you are so paranoid that you can't even trust open release notes then why would you trust a closed project at all?
> A lot of projects have nice, easy to read notes along with the actual code
This alone doesn't improve the quality of the source.
> Paranoid
Nothing to do with it. Please be logical. Having millions of people who can't program trust maintainers doesn't make those maintainers do better work.
The whole idea of more eyeballs is an appeal to a vision of crowdsourcing that was a new idea in the early internet. What we found out is that complacency sets in, the notes eventually don't mean anything, and most source code is not read.
This vision of more programmers spending more time reading other people's programs is wholly born from within programmer communities, from programmers talking to other programmers, forgetting that the average user will never program and not because they lack access. It's a romanticized ideal that is only even a plausible idea in a room full of programmers.
Until you focus on how the non-programmer is going to meaningfully improve the review and production of the open technologies, you will never have a scalable or equitable solution.
The non-programmer never going to meaningfully improve the review and production of the open technologies. The solution is to make a society where people are literate in the technology they rely on or suffer otherwise.
And the solution to cavities is to increase self-dentistry literacy? The solution to a bridge collapsing is to increase civil engineering literacy? The solution to a plane crash caused by a cracked turbine blade is to increase casual aerospace engineering literacy? How much of how many literacies will we be willing to acquire so as to balance the responsibility we ask of every other profession and even those who are low and unskilled?
This incredibly selfish point of view put forth by a particular sect of _OSS polls sufficiently well at the engineer's only meeting in Palo Alto and nowhere else.
When people were coming up with the idea of computer literacy being ubiquitous like math, they meant math like addition and subtraction. To make the kind of impact that "free/libre" advocates want the everyday Joe to be responsible for, Joes need to know the CS equivalents of perturbation theory and how to solve partial differential equations. It's not happening, but believing that it can happen allows those ostensibly in favor of it to keep acting like they have a plan, like they want a solution.
As long as the hardware hacker is stuck in the mindset of what 0.01% of users want to do with devices, while they may find sympathy from the 0.1% who are software engineers, many of whom gather on this site, this is not even blowing at the gauge from halfway across the room in terms of moving the needle. Either figure out what is important to the consumer and how it aligns with your interests or just go home.
>And the solution to cavities is to increase self-dentistry literacy?
This is what is done, in practice. You teach people at a young age how to take care of their own teeth and gums. The majority of the problem is preventative, you don't outsource the management of your health to some monopoly. And it's not unimaginable that the average person would have the ability to fill a cavity or something. If anything, dentistry is less archaic than computer software, the reason it's a profession is a more a matter of skill.
>The solution to a bridge collapsing is to increase civil engineering literacy? The solution to a plane crash caused by a cracked turbine blade is to increase casual aerospace engineering literacy?
I think that the difference in this situation is that anyone can play a role auditing and changing computer software they use (and recognize malware vs well built open software), but not everyone gets to build the bridge that everyone uses.
You might say that a lot of the world's software right now exists in the form of services, and you would be right. The goal is to make a world in which people are less dependent on centralized services. I think that most programmers here get paid to think in terms of client-server architecture instead of directly create useful software which is harder to monetize.
>When people were coming up with the idea of computer literacy being ubiquitous like math, they meant math like addition and subtraction. To make the kind of impact that "free/libre" advocates want the everyday Joe to be responsible for, Joes need to know the CS equivalents of perturbation theory and how to solve partial differential equations.
Not really, I think most computer software is a lot simpler than that. And I also generally don't believe that complex topics are inaccessible to most people. If it's the kind of information you learn about in college, then you just have to read textbooks and digest the information. Thanks to the internet, information on most topics are pretty accessible. I don't think there is some sort of "IQ" cap on the vast majority of topics, and you can pretty much learn anything as long as you are reasonably intelligent and motivated.
I think you are stuck in this "consumer vs producer" mentality with regards to technology, where some part of the population is destined to be drooling serfs and we just have to design everything to accommodate them. I take the opposite stance, which is that people are generally capable of learning and adapting to a far wider range of challenging environments than exist in modern society, and that those who can't are a small minority that should be culled anyways.
It was only a couple of decades ago that access to computers was limited to the elite few who understood computers, and society seemed to hum along fine back then.
With increasing automation and access to information, you would think that people would have more time and info to study and become knowledgeable on a wider range of topics. Instead, they are even busier working fake jobs and competing in zero-sum arenas. Instead of setting lower standards for competence in society, why not increase standards and elevate the agency of the common man?
I must say, amidst all this pretending, justifying, hand-waiving, and appealing, I was surprised to find the eugenics:
> and that those who can't are a small minority that should be culled anyways
Don't get me wrong, this doesn't invalidate everything else you wrote. It was mostly all completely invalid anyway.
You need to start from fundamentals. Logical argument is a DAG. Circular reasoning is trivially invalid. If there is a skill I would see becoming ubiquitous, it is that.
It's not eugenics, it's just nature and non-interventionism.
There are many barriers to entry in modern society. If you can't read, if you can't drive, if you can't do algebra or arithmetic, you're screwed in this world. What I'm proposing would just be adding a single new expectation to the list: how to use a computer without installing malware. they could probably teach it in middle schools if they don't already.
We don't dumb down all cars because some people can't drive. What you're suggesting is that we dumb down every general purpose computer because some people can't cope with them. It's the equivalent allowing every general-purpose car in the world into a fixed-purpose train with a limited network and surveillance to boot.
We disagree because I think that society should be built around the capability of the common man rather than the needs of the lowest common denominator.
> When people were coming up with the idea of computer literacy being ubiquitous
If you require everyone to have a computer/phone to live in society for example by digital ID - then is ubiquitous and you must regard it as such.
> This incredibly selfish point of view put forth by a particular sect of _OSS polls sufficiently well at the engineer's only meeting in Palo Alto and nowhere else.
No one forces you to change your OS. No one forces you to code. No one forces you to dissemble. No one forces you to compile. No one forces you to add or remove certification authority (change the trust).
We only want to force corporations and states to allow Us to do that to device we own.
You are already responsible on code - closed source also GIVES NO WARRANTY.
> sect
the 'sect' as you called it - envisioned world in which when you get device you have driver to it and code to it.
Should manufacturer decide that you will get no new updates - you COULD go to another company and buy updates from them - because you would have ownership of software.
Should your phone manufacturer decide that you will not get no new updates - you COULD go to another company and buy updates from them - because you would have ownership of software.
Should your washing machine manufacturer decide to s-you and force you to connect to cloud via their app - you COULD go to another company and buy software that doesn't force you to do that, and let them install it for you - because you would have ownership of software.
If you want to use smart home - you could without any manufacturer connectivity bs - because you would have ownership of software.
You could decide that you trust company A for OS updates - and if they deceive your trust, change it to B. because you would have ownership of software.
Yes you would need to pay for updates and software - unless software company did sign a real deal with you for your data.
I hate when people say that Free Software is communism - it is not, it is consumer capitalism in purest form.
The whole point wasn't you SHOULD do it yourself - but you CAN do it yourself. The problem - you need market before any company can enter it. No libre drivers, no libre firmware - no such company.
And before anyone asks - yes you could extend it to cars. You would need stricter CA check (here you can make a reasonable exception that self-signed should not work) on that type of device though, but no longer ONLY MANUFACTURER. Why would you pay another company to do software updates / change when you do buy a repair / parts from third party?
This was intent - not 'increase self-dentistry literacy' - the literacy part came from the users of Linux mostly - you should think about it as after-effect.
> The solution to a bridge collapsing is to increase civil engineering literacy?
If the bridge collapsed because you have no good engineers then yes.
> How much of how many literacies will we be willing to acquire so as to balance the responsibility we ask of every other profession and even those who are low and unskilled?
You are not making good engineers/politicians/doctors etc. if you take ones who want to get paid big money - you are making good ones if the people teach are interested in their work and are willing to get better in it.
To do that you must give them opportunity to grow.
You need casual->small->big->"anti-monopoly split" company path
if you remove casual you don't have a market, you have a graveyard of one.
This is the worst thing that I will read all day, probably for the next month.
So, what I concluded, and I'm just speaking my mind since I have no desire to further engage, is that the FSF intentionally adopted religious mechanisms of growth and cult-like thinking because they couldn't think of any other way to recruit enough software engineers to their cause. Most of the engineers grew disillusioned and left. What remains are the loudest zealots with the least code written. They have the most to gain from shouting their message, hoping to make it seem true so that someone else will write their drivers and desktop software.
I’m not suggesting grandpa reads code, contributors do. We all know that most commercial code is much shittier than open source. Sure, commercial code usually covers more edge cases and has better UX, but is cobbled together from legacy and random product asks.
> contributors do
More users != more contributors. As software gets more popular, you begin getting 10, 100, 1000, 1,000,000 users for every contributor.
This doesn't just affect non-programmers. We can't even police NPM.
People want it to be true so that it will be a talking point, but it's not true, and we need to find new talking points that align with facts that are evident outside the echo chambers.
NPM is... special... It's up to platform owners to set standards and police. NPM's failures have nothing to do with open source as a whole.
> We all know that most commercial code is much shittier than open source
Citation needed. Seriously.
I'm not the one who made that assertion, but... Windows Millenium Edition almost makes his case all by itself.
That makes the case that a _single_ piece of commercial code was shitty.
I could make the same argument about MongoDB of a decade ago implying that all open source is trash...
Norton, McAfee, in fact most virus scanners.
Plenty of examples I've heard about but haven't actually used myself so I can't confidently assert the quality of the software. But Windows ME, Norton, and McAfee, I have personal experience with.
Oh, and also Windows Vista.
Plenty of badly-written open source software, too; won't argue against that. But one of the biggest reasons, for me at least, why I prefer to use open-source software rather than commercial if I have a choice is bug fixes. I've reported over a dozen bugs against open-source software I use over the years; most of them have been fixed (in a couple cases I was able to fix it myself). I've rarely even been able to report a bug against closed-source software, let alone get those bugs fixed. So even if if were true that commercial software as a whole has similar or better quality than open-source, my personal experience is the other way around: open-source quality gets better over time while the closed-source software that I have to use (lacking open-source alternatives) doesn't improve the same way.
Windows ME, Windows Vista, Internet Explorer, Adobe PDF Reader, Siemens Step7, Norton, McAffe, the list goes on. If you look at it as a function of terribleness * users then corporate ware takes the cake. There are loads of terrible open projects but nobody uses them.
> contributors do
I would argue most code of any license is not actually regularly audited if at all, and certainly nowhere near the levels people seem to think they are.
> We all know that most commercial code is much shittier than open source
citation needed
> I would argue most code of any license is not actually regularly audited if at all, and certainly nowhere near the levels people seem to think they are.
Every device should run OpenBSD. And only the audited part.
> Locked-down, managed devices for vulnerable users who benefit from protection
Thats fine! Just make sure it is possible for someone to take the same device and remove the locked down protections.
Make it require a difficult/obvious factory reset to enable, if you are concerned about someone being "tricked" into turning off the lockdown.
If someone wants baby mode on, all power too them! Thats their choice. Just like it should be everyone else's choice to own the same hardware and turn it off.
> Make it require a difficult/obvious factory reset to enable, if you are concerned about someone being "tricked" into turning off the lockdown.
Is there also a way to make it obvious to the user that a device is running non-OEM software? For example, imagine someone intercepts a new device parcel, flashes spyware on it, then delivers it in similar/the same packaging unbeknownst to the end user. The same could be said for second-hand/used devices.
It's potentially possible the bootrom/uefi/etc bootup process shows some warning for x seconds on each boot that non-OEM software is loaded, but for that to happen you need to be locked out of being able to flash your own bootrom to the device.
Pixel phones do this. Flashing a non-oem rom causes it to show a very "your device is broken" looking screen every time you boot.
Do we need the second option to exist? The world is dangerous place. If you can't figure out a computer perhaps you're just unfit to participate in the modern economy.
The existence of locked-down hardware eliminates the feasibility of open hardware through network effects. That is what is happening now.
You realize you’re discounting 98% of the world’s population, right?
I think that the majority of the population can figure out how to stop installing software from untrustworthy sources, seeing as that was pretty much the norm 20 years ago.
Everyone else can put on their loincloths and go back to living in flinstones-esque rock huts.
I think you’re mistaken, assuming that you’re even serious.
98% of the world population is rooting their phone and installing unsigned binaries? Really?
Are you sure you maybe don't have this the complete opposite way around?
I don’t know what you think I wrote, but I wrote that comment about discounting 98% as a reply to:
> If you can't figure out a computer perhaps you're just unfit to participate in the modern economy.
I think you just made up that number.
I did! You’re welcome to make your own estimate of how many people are able to correctly judge when snd what software is safe to install on their phone.
I think we really need to discuss whether IP/copyright protections were a mistake. A LOT of our "modern" problems stem from IP protections. Whether that be not being able to own media, right to repair, DRM, censorship, a lot of monopolistic behavior, medicine prices, etc. And no wonder, IP protection is government sanctioned monopoly, and it is generally recognized that monopolies are bad; is it such a surprise that government enforced monopolies are bad?
Agreed. Monopoly is the killer of the market engine that powers the positive sum society we all benefit from.
Actually enforcing the anti-monopoly rules on the books would help, too.
And while we're making wishes, we could kill the VC-backed tech play by enforcing a digital version of anti-dumping laws.
With those rules in place, we'd see our market engine quite a bit more aligned with the social good.
Not really sure what this has to do with running your own code, though.
If a manufacturer makes a device locked down, it's the technological protections preventing you from running your own code. Not IP/copyright. Sometimes they get jailbroken but sometimes not.
Plenty of barriers around circumventing such obstacles hinge on IP legislation.
The protection period simply needs to be adjusted downward to reflect the faster pace of change. Rewarding 1700's technology pace today is asinine.
The original copyright from the 1700s was 14 years. You could file for an additional 14 years after that. It was extended starting in 1909 until the monstrosity it is today.
We're far from the promotion of useful arts and sciences and instead guarding the likeness of a cartoon mouse.
A lot of us get to live thanks to IP protections too. >90% of Hacker News readers I'd say, including myself. Software development is all about IP, most of art too, and medicine, and chemistry in general. Who wants to pay people to develop software, or even design new hardware or medicine if competitors can take all that hard work for free?
There may be alternatives to copyright and IP in general, but that would require dramatic changes to society, and maybe not in a good way. What you would get is essentially communism. Rejection of intellectual property is a form of rejection of private property, which is at the core of communism. Problem is, looking at past examples, it didn't work great.
> It should be possible to run Android on an iPhone and manufacturers should be required by law to provide enough technical support and documentation to make the development of new operating systems possible
As someone who enjoyed Linux phones like the Nokia N900/950 and would love to see those hacker-spirited devices again, statements like this sound more than naïve to me. I can acknowledge my own interests here (having control over how exactly the device I own runs), but I can also see the interests of phone manufacturers — protecting revenue streams, managing liability and regulatory risks, optimizing hardware–software integration, and so on. I don't see how my own interests here outweigh collective interests here.
I also don’t see Apple or Google as merely companies that assemble parts and selling us "hardware". The decades when hardware and software were two disconnected worlds are gone.
Reading technical documentation on things like secure enclaves, UWB chips, computational photography stack, HRTF tuning, unified memory, TrueDepth cameras, AWDL, etc., it feels very wrong to support claims like the OP makes. “Hardware I own” sounds like you bought a pan and demand the right to cook any food you want. But we’re not buying pans anymore — we’re buying airplanes that also happen to serve food.
It being difficult is different from it being possible. If a company wants to raise $50m to read all the documentation and build an alternative OS to run on this crazy piece of hardware, as the consumer I still benefit. If you'd prefer, let's stick with repair? I also need all of that information to be able to repair my phone, but again, it wouldn't necessarily be ME who repairs my own phone: I take it to a third-party expert who has built out their own expertise and tools.
(Hell: I'd personally be OK without "documentation"... it should simply be illegal to actively go out of your way to prevent people from doing this. This way you also aren't mandating anyone go to extra effort they otherwise wouldn't bother with: the status quo is that, because they can, they thrown down an incredible amount of effort trying to prevent people from figuring things out themselves, and that really sucks.)
> $50m to build a modern OS from scratch
heh.
In practice, it'll look more like what PostmarketOS or Asahi Linux madmen are doing - porting Linux onto the platforms where the sun doesn't shine.
Of course, having any kind of documentation or driver sources that could be referenced would make it much easier, and much less taxing on sanity.
Nobody would invest $50 million to enter a trillion dollar market.
>“Hardware I own” sounds like you bought a pan and demand the right to cook any food you want.
Because I did. How come I can do what I want with my computer, but not my phone? Why are phones so inferior in this area?
My phone is more powerful than many of the computers I've had in the past, yet I need to jump through a million hoops to use it as a software development platform. Why?
Your smartwatch is probably more powerful than some of your past computers too. Same with your DSLR camera. Even your smart fridge. These are specialized hardware+software gadgets designed to a particular purpose, which is very different from being a development platform. Same with a phone.
A modern smartphone is mostly a general-purpose computer designed to run arbitrary software with a couple tightly integrated and/or regulated bits. That's very different from a DSLR, which is designed to take pictures.
That said, a camera with a fully open software stack would be fun.
Oh, so no specialized hardware? Just a general-purpose components for general computation tasks?
>These are specialized hardware+software gadgets designed to a particular purpose, which is very different from being a development platform.
Then I shouldn't be able to install software on it at all. For any given device either its functions are fixed, or they're modifiable at the sole discretion of the owner. There should be no middle ground.
> There should be no middle ground.
Why?
Because that's what ownership is. The owner of something has complete decision power over that thing, not anyone else. That might leave him with some liability depending on what he does, but that's his prerogative.
Ownership is rarely absolute. It can be partial, segmented and with different degrees of control.
Think about music rights ownership - there are mechanical rights, performance rights, sync rights, derivative rights, etc. I'm not defending music industry ownership system, but it shows clearly that binary view of ownership is far from reality.
You own the flat, but you can't remove the wall. You may own the house, but you can't build a factory there due to zoning regulations. You can own electric car, but you can't put diesel fuel there.
I see that main disagreement here is whether phones are "general purpose computers" or not. I have no idea why anyone would call these ultra-packed cameras on steroids a "general purpose computer". Framed like this, this is a debate about OP demanding private companies to transform their product into something very different and urging governments to step in. And the thing is those products exists – Libreum 5, Ubuntu Phone or PinePhone phones, or already mentioned Maemo/MeeGo phones (N900/N9/N950). If they were a better product on the market, we would have them everywhere, but industry and market decided otherwise (PinePhone was discontinued just couple of weeks ago, sadly).
>Think about music rights ownership
What are we talking about exactly? Ownership as in IP, or ownership of a copy?
>You own the flat, but you can't remove the wall.
Of course I can, as long as the wall is internal and non-structural. Everything inside the inner surfaces of the external walls is mine.
>You may own the house, but you can't build a factory there due to zoning regulations.
Well, zoning laws exist because plots of land don't exist in isolation, and affect each other. If I choose to run software X on a computer I own, how does that per se affect anyone else, that I should not be allowed to do so? Not that I should be punished if I do it, but that I should be stopped technologically from being able to attempt it? As I see it, there should be a very compelling reason to infringe on property rights in such an invasive way.
>You can own electric car, but you can't put diesel fuel there.
Literally what's stopping you from opening the charging port of your electric car and pouring in a can of diesel if you really want to? Or, for a more realistic example, what's stopping you from modifying your car by installing a diesel generator in the backseat that continuously charges the battery as you drive?
>I have no idea why anyone would call these ultra-packed cameras on steroids a "general purpose computer".
If you really wanted, you could build an APK yourself to use an Android phone to host a website. Is it good idea? I don't know. That's for you to decide. But in what way is a device that's capable of doing this not a "general purpose computer"? What more does it need?
>Framed like this, this is a debate about OP demanding private companies to transform their product into something very different
No. Phones are already this. They have processing elements, memory, stored programs... They're just computers. No one should get to decide what my computer runs over me. If I want to run something I should be able to run it, and if I want to stop something from running I should be able to stop it. Whether that causes problems for myself is my own business. I don't understand what's so complicated about this, or why anyone would argue against this.
> What are we talking about exactly?
About your claim that ownership as a concept is black and white, and no middle ground should be allowed.
> I don't understand what's so complicated about this, or why anyone would argue against this.
It's hard to understand the world if you see things through a binary lens - no ownership vs full ownership, or total support vs outright rejection. A more useful framework is to see what people support, reject, and tolerate.
For example, I totally support open-source hardware and software, and would love to see more of it. But I also tolerate proprietary hardware and software stacks, for many reasons. I'm definitely not rejecting the concept of private companies making hardware that runs their proprietary software and taking control over decisions about what software should run on their hardware.
From your comments, I see that you also support what I support, but you're totally rejecting the idea of hardware that runs proprietary software or not allowing you to run your own. So these calls for the government to step in and force private companies to disallow that concept are something I definitely can't support.
>A more useful framework is to see what people support, reject, and tolerate.
It's certainly more useful for those who want to take what's yours.
>I'm definitely not rejecting the concept of private companies making hardware that runs their proprietary software and taking control over decisions about what software should run on their hardware.
What "their" hardware? It's not their hardware, it's your hardware! You didn't lease it, you didn't borrow it; you bought it outright. On top of that, it's running on your electricity. If you let someone else tell your hardware what it is or isn't allowed to do, you're just a fool. Congratulations, you paid money to give a conglomerate of corporations permission to run software on your premises, on your dime. What a deal! Hey, wanna buy my game console? Just put it in your home with access to the Internet and once in a while I'll let you play a game on it, provided it's been "idling" enough for my tastes.
>but you're totally rejecting the idea of hardware that runs proprietary software
No I'm not. I'm not even arguing that we should be able to change the OS. Honestly, I don't think that's that important. But we shouldn't accept not being able to even install any application software we want. What's even the point of it being a computer at that point?
Why shouldn't I be able to reflash my fridge? I own it. I did this with my vacuum robot for example.
It doesn't have to be easy or convenient, but it shouldn't be impossible.
A smartphone is not a specialized hardware or software, it's a general computation device.
Its just a completely bogus argument. Its not a fucking smart fridge, come on
> a smartphone is ... a general computation device
Right, just a motherboard with CPU and memory put into small case, like in old good garage days.
Just a nit …
As this is HN - a very thoughtful and technically astute demographic - it’s very unlikely that your parent, or others reading, own a “smart fridge”.
Yeah, this is the sleight of hand. They used to all be computers, now we have reduced freedom to "development platforms". No. It's hardware, I bought it, I should be able to run any code I want on my DSLR (and I do), my fridge, my oven, my smartwatch, anything I own.
>How come I can do what I want with my computer, but not my phone?
It kind of started because phones interact with phone networks and the network companies didn't want hacked software mucking up their networks. I realise the baseband part is separate from the rest of the phone but it's always been that way with every cell phone I've had over 30 years, that they are part locked down.
Whereas none of the regular computers and laptops have been especially locked down.
It would be cool if you could just connect your laptop to a radio and connect to cell networks but I don't think any of them allow that?
> Because I did. How come I can do what I want with my computer, but not my phone? Why are phones so inferior in this area?
Apple and Microsoft are constantly working on fixing the issue with their appstores and requiring app signing in more places. The way industry going is to lock down more of laptops, than allowing phones to be like computers.
A very profitable instance of market segmentation
> I can acknowledge my own interests here (having control over how exactly the device I own runs), but I can also see the interests of phone manufacturers — protecting revenue streams, managing liability and regulatory risks, optimizing hardware–software integration, and so on. I don't see how my own interests here outweigh collective interests here.
However the interests you mention aren't collective at all but very singularly the ones of the manufacturer only
Its only the manufacturers interests because they dont want people to brick their phone on accident. Really theyre only a secondary party of interest, the real interested party is grandma/anyone who can fall victim to malware. Apples decision to ban sideloading is a huge part of how they became the most popular phone maker in the us
The real interest is their protection of their sweet 30% revenue stream. There are many ways to protect security, leaving all your keys in the hands of one party is not the only one.
And there should also be the right to be able to opt out of the manufacturers' protections of course.
Youre not wrong about the real interest but security is another very real one.
> There are many ways to protect security, leaving all your keys in the hands of one party is not the only one.
When youre dealing with idiots its a bit harder than you might expect. Tons of idiots own phones and if apple allowed them to be the victim of security vulnerabilities they get terrible pr.
Yeah, I see it all the time that car companies get terrible PR, because someone killed someone with their car.
In reality the victim is the first being blamed, the driver second and the government third
> Apples decision to ban sideloading is a huge part of how they became the most popular phone maker in the us
I'm skeptical. A robust permission model limiting the damage an ill-behaved app was surely part of it, as was the existence of a curated app store. The relative rarity of people directly installing apps on Android suggests Apple didn't really need to force the use of that curated store.
> because they dont want people to brick their phone on accident
Or worse, blow them up.
>I also don’t see Apple or Google as merely companies that assemble parts and selling us "hardware". The decades when hardware and software were two disconnected worlds are gone.
That when you buy a phone you're also buying software components doesn't change the fact that the phone is owned entirely by you. You're not entering into a partnership to co-own the phone with anyone else, it's entirely yours. No one should get to decide how you use it but you.
>But we’re not buying pans anymore — we’re buying airplanes that also happen to serve food.
So the argument is that by taking a piece of electronics I paid for that is running on electricity I pay for, and making it run some arbitrary piece of software, I'm putting people's lives at risk?
that has never been true, your phone contains a radio, governed by the relevant laws of your locale.
My pan is also governed by the relevant laws of my locale. I can cook what I like, but I can't legally beat someone over the head with it.
> As someone who enjoyed Linux phones like the Nokia N900/950 and would love to see those hacker-spirited devices again
Why haven't we seen a spiritual successor to the N900? It's a little strange to me that it's cheaper than ever to produce hardware, even in relatively small quantities, but no one (AFAIK) is producing any geek-oriented phones like the N900. Linux hardware support gets better every year. It shouldn't be terribly hard to have a factory produce a small number of open phones that can run Linux. They wouldn't be any good without significant investment in phone-specific usability, but still.
Not to mention, it's an authoritarian attitude, talking about forcing companies to support arbitrary software stacks
Op here: The point I'm trying to make in the piece is that this is less authoritarian than the common suggestion that Apple and Google be forced to change how iOS and Android works. The piece is meant to be a juxtaposition to that idea.
That's not what they wrote at all.
> It should be possible to run Android on an iPhone and manufacturers should be required by law to provide enough technical support and documentation to make the development of new operating systems possible
I was writing in reference to this quote ^
It would have been more accurate for me to say "support the development of arbitrary software stacks," but where do you draw the line between "supporting the development of" and "supporting"?
Because the documentation is already written, it just isn't opened up. All you need to do is open it up. The big stumbling block when writing drivers for new hardware is simply to know what goes where.
Is it authoritarian to stop other people from being authoritarians?
If I make a product and I don't specifically help you do certain things with it, is that authoritarian?
Regardless, we're talking about products here—"authoritarian" is a word reserved to situations where the threat of force is involved.
In this specific example, forcing a company to do something is authoritarian (because they will be fined or jailed if they do not comply with the rules). Corporations are not, as a rule, authoritarian—they may, however, do things that are not to your benefit or liking.
> If I make a product and I don't specifically help you do certain things with it, is that authoritarian?
If were referring to products necessary to function in society, YES! Obviously yes, a big exclaiming yes, yes with no room for debate.
A car, but you can't drive anywhere but to work. Electricity, but you can't use it to listen to radio that criticizes our dear leader. A TV, but you can't use it to watch anything other than military parades.
A phone, but you can only use it to perform government approved actions on government approved software.
That argues for opening up the hardware more, not closing down the software.
In fact it further argues that the degree of vertical integration is monopolistic. Why should a Sony CMOS camera be tied to some Apple computational photography code only available in Apple firmware or iOS? What if I do not like that it makes up images that don't exist? What if someone has a better method but now cannot bring it to market?
Break it up and open it up. I assure you it can be done.
There is already open source software for UWB, computational photography, various depth cameras, direct link WiFi, etc...
Will it be as good as the iOS implementation? Probably not. But it's hardly an impossible fact and not one that has to be done entirely over and over for every device. The Asahi folks showed it could be done despite hostile conditions.
Here's the deal for you young'ns. Richard Stallman (rms) had it right on this topic and alot of people had to fight to have the limited stack we have.
It's not enough though.
All we can do is make all the decisions possible to keep an open stack as viable as possible - even though what we have now is woefully incomplete. We need to push for this within our teams, within our companies, within our governments, in civil society, and everywhere else that we can because the corporate crowding out of a free technology stack will crowd out everything else if it's allowed to.
It's not the devices, or the operating systems. RMS didn't see TiVo coming, but TiVo was never the problem: by the time GPL3 was ready, the industry (e.g. AOSP) has mostly moved to MIT/BSD. In the end, none of this mattered.
The real problem is that @gmail.com or @icloud.com are now required to participate in society. I'm happy to use an iPhone, it's in my subjective opinion the best device on the market. My concern is that I need an iCloud account to talk to my bank. It's become nearly as powerful as my ID card.
> The real problem is that @gmail.com or @icloud.com are now required to participate in society
They absolutely are not, though. I've been fully bought into the Apple ecosystem for nearly 2 decades and have used a Fastmail email address with it for the last decade (when I ditched my MobileMe email address). Similarly, I have never had an @gmail.com email address, though I've used various Google products.
They meant an apple or Google account, not literally the email address.
Try to live without an Apple ID or Google account. Probably about as difficult as living without an ID.
Then the argument is just that you need an Apple or Google account to use Apple or Google products. But that's widely true across all kinds of companies and product categories. I need a Microsoft account to use XBox, I need an account to pay my water bill, I need an account to use my home security system, etc. People expect products and services to have internet connected features. Accounts are what allow that to happen.
The author doesn't seem to understand that you don't need your PlayStation 5 to travel, pay your rent, or authenticate to government services. That's the fundamental difference and why it is valuable that Android is open
I agree that there is currently no expectation for Sony to open up their OS to run just any software (such as pirated games). Nobody said that. There should be an open widely supported mobile OS because that's fast becoming about as fundamental to modern life (in my country at least) as roads and electricity are
Android being so easy to make software for is what hooked me as a teenager, after failing to develop for my previous Symbian phone. Taking that away is possible now because the alternatives are all gone. Where are you going to migrate to without making major concessions in your life? You'll have to forfeit popular messengers that your family, friends, landlord, etc. are on; no more mobile banking; extra fees to use online banking at all; extra fees to legally use public transport; no downloading of episodes or music from streaming services for offline use; no phone calls depending on your country's 2G status; etc.
100 percent agree.
I’ve given talks on how various jailbreak exploits work in order to teach people how to protect their own software but also with the suggestion that we should be able to do this.
It’s nuts that personal computers aren’t personal anymore. Devices you might not think of as PC’s… just are. They’re sold in slick hardware. And the software ecosystem tries to prevent tampering in the name of security… but it’s not security for the end user most of the time. It’s security for the investors to ensure you have to keep paying them.
The context of "ownership" is more nuanced when it comes to hardware devices - and even software.
What do you think when you say ownership?
I think - "this is totally mine. Nobody else's. I can do with this what I want. It is entirely up to me."
Do you own your passport? In fact, you probably do not. Most passports have a page stating to the effect that "this passport remains the property of <relevant authority>".
DO you own your device? I feel like I own my devices. I will defend them from theft, or loss. Because they are "mine". But ownership in a broader or legal context implies more rights that I don't think I have. I don't own the IP to the hardware and software on the device. These components have licenses to which I agree and am bound simply because I possess and use the device. These contracts restrict the things I am allowed to do. So my "ownership" also comes with certain "responsibilities" - which I personally don't believe I ever think about. But they exist.
For instance, probably somewhere in these contracts something is said to the effect that I cannot reverse engineer, reproduce and resell components or plans for these components. And myriad other things. Designed to protect the business and investment and people who invented and built them.
"Ownership" in the age of complex "finished products" that result from trillions dollar global supply changes of incomprehensible complexity is more nuanced than the idea that I found a log in the forest, and now the log is mine.
You try to make an analogy with the passport, but you achieve exactly the opposite: you make it obvious that they are not the same.
I don't "own" my passport. I'm not allowed to alter it in any way. I have to report it to the authorities if it gets lost or stolen. I'm not allowed to sell it or give it away. It's an official government document.
I do own my smartphone. I can put stickers on it. I can open it and modify the hardware (if I can work around the various roadblocks by the manufacturer). I don't have to tell anybody if I lose it. I can destroy it on purpose if I like. I can sell it, give it away, share it etc.
You mention IP. That has nothing to do with my use of the device. That concerns (as you mention) reverse engineering with the purpose to make money from it.
You certainly picked some phrases in there that could be combined and interpreted to imply something different. You have a good skill at finding what could be improved. You'd be great at music or maths I think - is that your passion?
Command+F 'drivers'
0 results
These things are never thought through. Sure, Apple could unlock the whole thing, tell everyone to go nuts. Who's writing the damn drivers? Apple's certainly not obligated to open source theirs, I also can't imagine them signing someone else's. So we end up with a bunch of homebrew drivers, devices crashing, getting pwned, and the dozens of people who install a third party OS on their iPhone write furious articles that get voted up to the front page of HN.
Open source drivers are the overlooked heroes that make everything work. If linux hadn't had all these drivers written or ported to it (think of your intel NICs) the OS would be dead in the water
Yeah but those times were easy. Now drivers are binary blobs and firmwares basically.
Bingo. They may not be as fast or feature complete but they do work.
The author makes a good point but for the wrong reason I think. The fact that companies lock down their software, and hardware (looking at you Apple), is their choice just like it is yours to give them the finger.
However, at least in Sweden, a smart phone is practically mandatory since it has become a means of identification used by banks, police, our IRS counterpart etc. Even our physical mail is slowly being digitalised, and these services practically require you to own a smart phone. You can get by without one, but it’s a real struggle.
Therefore there should be laws requiring more transparency of these devices, in my opinion.
Not only transparency, but freedom.
Freedom to use something you bought the way you want, without having a private foreign company decide for you.
I reckon a whole lot of these things wouldn't hold up in court. Either Swedish court or EU court. If not, then German court, or Australian court.
Here in this very thread I'm quite sure there's dozens of people who have pretty much made millions off of the back of this exact thing, i.e. working as developers at the likes of Google, Meta and Apple, part of the machine.
We need those people to atone and start funding lawyers out of pocket and bringing such cases, rather than just chatting about woe is me. In Europe that is, where the judiciary is still much less captured - the US is a lost cause. Such lawsuits are also much cheaper than going up against MegaCorp in US court.
As other comments have pointed out, this statement (one I 100% support, BTW) is a little naive. I can see how it might be unreasonable to expect companies to publish documentation, build infrastructure, etc. to support running your own code on the hardware you own (which 99% of people will never need to do).
However, I strongly believe that - should one choose to do so - you should not be stopped from jailbreaking, cracking, etc. manufacturer restrictions on the hardware you own. Companies aren't obligated to support me doing this - but why should legislation stop me if I want to try? (You can easily guess my thoughts on the DMCA.)
> I can see how it might be unreasonable to expect companies to publish documentation, build infrastructure, etc. to support running your own code on the hardware you own (which 99% of people will never need to do).
Did you know that television schematics used to come with the documentation for the TV? Discussed not-too-recently on HN: https://news.ycombinator.com/item?id=26996413
> Companies aren't obligated to support me doing this
Where does one draw the line on support? If I jailbreak an iPhone, should I still get Apple customer support for the apps on it, even though they may have been manipulated by some aspect of the jailbreak? (Very real problem, easy to cause crashes in other apps when you mess around with root access) Should I still get a battery replacement within warranty from Apple even though I've used software that runs the battery hotter and faster than it would on average on a non-jailbroken iPhone?
I feel like changing the software shouldn't void your warranty, but I can see arguments against that. I probably fall on the side of losing all software support if you make changes like this, but even then it's not clear cut.
As you said, this might be a complex one to figure out. I am biased because I tend not to use customer support services (with more of a "figure it out" approach) and am confident I could replace parts myself, though the latter might be harder with parts pairing today.
Can see how people more interested in the software side of things would care about support from [parent company] though. "Lose all support if you bypass our restrictions" is the relatively straightforward approach, but the collateral damage might be quite high. In an ideal world, perhaps the network of third party repair services could take up the slack?
It's up to the manufacturer to prove that the software modification had a material impact on the issue being covered. Yes that's expensive, yes that's the point.
Imagine Lenovo refusing to service your ThinkPad because you've compiled your own kernel.
Charging IC has NTC thermistor and battery absolutely must withstand the system running on 100% and then some.
As for battery lifetime, batteries are cheap, unless you glue them to an expensive assembly and force people to replace whole assembly as phone vendors do.
Laptop manufacturers are most definitely not designing their laptops to run at the top of the thermal envelope for 100% of the time, and honestly that's probably the right choice because no one does that – that's what you pay for when you buy high end servers, and the fact these corners are cut is why consumer hardware is so much cheaper.
If you run the software they provide and their guardrails aren't strict enough, that's clearly a warranty case. But if you modify the software to remove their guardrails, it feels reasonable that they can deny a warranty fix.
Overclocking is perhaps a clearer cut version of this – it's a "software change", but can affect the hardware lifespan.
The line is definitely crossed if you jailbreak your phone. It seems pretty clear. Either you're using the device as the manufacturer intended or not. If I take a device rated for 2m of water down scuba diving to 25m, it voids my warranty too.
But that's no the point here, a more similar point is to have the scuba diving manufacturer imposing which body of water you can use the device in.
And if you decide to give the device a try in your own swimming pool or a random spot you'd like to explore, the device won't work and you might be banned from using it elsewhere. Would that make any sense?
13 years ago, Cory Doctorow warned us: https://www.youtube.com/watch?v=gbYXBJOFgeI
So basically market forces and profit optimization is at work here as always.
However, if we can still unlock the boot loader and install Lineage OS or something like that and have a way to pay for developers to release their apps on stores like f-droid we can use the hardware.
The biggest problem with having freedom to use our devices is that the model is broken for the developers who support them. You "can donate", but from the numbers I've seen it's like 1 in 1000 donate. No pay == developers can't invest their time to improve the software.
So if there is "really" a substantial number of enthusiasts that are ready to pay for the freedom they crave, then companies like Librem will have enough customers to create decent and usable products for this audience. Want digital freedom - prepare to support the people who provide it.
Yes, that might mean that we'll need to have 2 devices, 1 for "banking/government services" that is "certified" and one for our own usage. Shitty but we'll be forced to do that sooner on later. The efficiencies for the government to enforce the policies is so strong that they can't helps themselves. And corporations like to have more data to squeeze every cent from the customer.
So if there is a working business model for "freedom" we might have a partial freedom. If there isn't we'd be just a digital farm animals to be optimized for max profits and max compliance.
> However, if we can still unlock the boot loader and install Lineage OS or something like that
This is based on hacks and unsustainable, because now even Pixels do not release their device trees. Expect them to drop support for this entirely in a few years.
EU is dropping the ball here. Instead of mandating open hardware they trying to force companies to comply with random stuff, mostly censorship and spying. In theory EU can mandate open bootloaders like EU mandates USB-C charging, but they won't. Open hardware is the enemy of the EU, since that means everyone would be able to bypass the chatcontrol of the day.
> In theory EU can mandate open bootloaders like EU mandates USB-C charging, but they won't.
The EU cannot simply mandate random stuff, it needs to make a strong case and prove an economic benefit considering also the possible negative consequences.
Noone is forced to do business in the EU, so it always has to consider the cost and risk for a company vs. the overall benefit for a company of doing business in the EU.
Defining a mandate for "open hardware" is a MASSIVE undertaking, creating investment risks for innovators, potential security-risks for the entire EU, additional costs for development, maintenance, support for all manufacturers selling in that market.
What is the economic, technology-agnostic case in favor of open bootloaders which would make EU member-countries support such a regulation?
How much would a manufacturer be required to provide to be compliant? Continued operation even when the trust-chain is broken? Developer Documentation? compilable source-code? Hardware-warranty?
Should a car still be allowed to operate after it's unlocked? Should it behave somehow differently to ensure safety for its owner as well as others? How about an elevator? How about a Microwave?
What would be the tangible economic benefit of such a mandate to companies and citizens in the EU sector?
For a regulatory action, all of this needs to be described in an agnostic way, providing a clear path for a manufacturer to be compliant without creating too much burden on any party in the process.
Eu has the Digital Markets Act and what google is doing is illegal in Eu. Gatekeepers must allow people to side-load software by regulation.
Makes me think that google did this now since trump has been criticizing the DMA, so now they feel empowered by their leader to break the law
Google does still let you sideload though. The publisher has to submit ID but other than that, there are no restrictions.
Google has to approve the publisher (so Google can ban any developer, also no more apps from countries the US sanctions, e.g. Iran or Venezuela) and only one person can publish the same namespace (so no more fdroid).
Apple also permits people who follow an application process to sideload software. That's still illegal. I'm not sure what the details are of this EU law, but it's entirely possible that Google will be noncompliant here.
Side loading is absolutely not equal open bootloader!
I recently bought an iPhone (Pro Max, on a secondary number) to have one on-hand to better tutor and troubleshoot for my parents. I just had to provide an instance of that this weekend on a phone call.
My daily driver is a recent Pixel Pro. If Google takes away the already limited additional flexibility it provides me over an iPhone, I don't see the need to provide them my money nor my attention, going forward.
Actually, I've been thinking about carrying some sort of Linux device and relegating the phone to being a hot spot for it, plus traditional calls and texts (and "necessary" apps, I guess). I don't really want to schlep more around with me, but even less so do I want to be squeezed into the box of BigCo corporate approved activities.
It's a matter of ownership vs. licensing. You own the hardware you buy, but you license the software. I agree with the author that as long as you use that software, you should be subject to the constraints of the license.
The key is that if you choose not to run that software, your hardware should not be constrained. You own the hardware, it's a tangible thing that is your property.
Boils down to a consumer rights issue that I fall on the same side of as the author.
The hardware should not be equipped with undefeatable digital locks. Put a physical switch on the hardware (like Chromebooks have-- had?) to allow the owner to opt out of the walled garden.
Also worrisome are e-fuses, which allow software to make irrevocable physical changes to your hardware. They shouldn't be allowed to be modified except by the owner. (See Nintendo Switch updates blowing e-fuses to prevent downgrades.)
E fuses are needed so people can't downgrade the device to old insecure software to exploit it. Without it or an equivalent like a secure monotonic counter how do you think such attacks be protected?
There's a disagreement on who the attacker is. From Nintendo's perspective, the owner of the device is the attacker. From the owners perspective it's Nintendo.
Obviously the parent commenter believes you should be able to exploit your own device and downgrade the OS if you wish.
Is this is a real threat that's actually happening on a scale that matter or moreso a make believe type thing?
Because I can do make believe type arguments all day. We should lock everyone up, because what if a super astroid hits the Earth and only prison is strong enough to protect them??
See, easy, and kind of fun. Doesn't mean much though.
First, we had bespoke computer systems where the hardware and software were tailored to solve specific problems. Then, as computers became commoditized, the hardware was more standardized and software interacted with it through an abstraction layer. Now, we're circling back to heterogeneous hardware where software and hardware are tightly coupled for the best performance and power efficiency. Of course there's always a trade-off. In this case, it's flexibility.
The smartphone does not consist of just one processor, it's a collection of dedicated processors, each running custom algorithms locally. Sure, there's software running in the application layer, but it's playing more of a coordination role than actually doing the work. Just think of sending a packet over the internet and how different it is between a smartphone and a computer, how much more complex a cellular modem is compared to a network card.
It's less about software now and more about hardware accelerated modules. Even CPUs run primarily on microcode which can be patched after the fact.
These patterns are cyclical. It will take a number of years before we return to standardized compute again, but return we will. Eventually.
That's an oddly legalistic line to draw. What if they start licensing the hardware too? Surely if we care about users being respected by technology, the line between software and hardware or between ownership and licensing is immaterial. These are all excuses to deny users the opportunity to do things they should be entitled to do, like installing arbitrary applications.
Well, the line is drawn by the fact that hardware and software have intrinsic differences. It sounds like we're on the same page about hardware -- with the software, should we not be bound by licenses in client/server services (phones, consoles)? You are using someone else's service with others, for some collective benefit like playing a game, and being bound to constraints on that software doesn't seem that offensive. Modified clients can piss in the pool for others using the services and affect the network's quality.
Again, if you want to run purely OSS software with permissive licenses, that should be your prerogative. But you might miss out on the Play store. If you want to mess with Valve anti-cheat, you can't connect to Steam games online. Etc. I think these companies do have a right to dictate software requirements for client code accessing their servers.
But, you should be able to wipe those clients if you don't care about them and play tux racer on Arch.
> Well, the line is drawn by the fact that hardware and software have intrinsic differences.
Do they? Is microcode hardware, or software? If I open up the plugboard on my IBM 407 and rewire the connections, am I updating software or reconfiguring hardware? I think this is a false dichotomy. Software or hardware, kernel or userspace, these are all just parts of a machine. I care about the holistic behaviour of that machine, not about which specific parts do which specific things.
> But, you should be able to wipe those clients if you don't care about them and play tux racer on Arch.
I don't need to play tux racer. I need to use my bank.
> I think these companies do have a right to dictate software requirements for client code accessing their servers.
They're not just dictating the requirements of the client code, they're dictating requirements for the entire execution environment. Following your logic to its conclusion, if I'm going to do banking from my phone (and that's a foregone conclusion), I have to have to cede that bank the right to veto any other piece of software from my phone.
I could buy a second phone, because I'm a relatively affluent software developer, but most people have neither the money nor the energy to buy a special phone for banking. They'll just let the bank control their phone. I consider this is an unacceptable abridgement of their freedom.
I have no problem with Valve anti-cheat, so long as it's reasonably permissive. Valve anti-cheat won't stop me from installing my own software. I'm not drawing a hard technical line here; there's a grey area of reasonable integrity provisions. Sideloading restrictions in Android cross well beyond that grey into the black.
When the hardware is complicated enough that the software required to run it al all would take many millions of dollars to replicate, hardware freedom alone doesn't cut it. Just like a modern processor needs mountains of microcode to do anything you'd actually want. And that's without companies needing to obfuscate their hardware to avoid interoperability they don't want.
In practice, a whole lot software would have to be open source too so that the hardware is reasonably usable. The layers you'd need to let an iPhone run android well, or a Pixel phone to run iOS are not small.
One of the biggest problems (if not the biggest) is that this desire is still a niche desire. If non-techie people would somehow be convinced that indeed hardware/software freedom is a basic right no matter the device we would be in a different position to pressure governments.
How can people be convinced about it is the hardest part. How do you convince people that have no idea about how technology and corporation interests work that the little device that you carry is bascially a brick at the mercy of its vendors?
Talk to people. I know many of us are socially awkward but if you never talk to people they will never learn. Big tech is not combating hate on their platforms because they know it divides people. Combat that by being social and talk to people.
Is not that easy and is not a matter of being awkward or not, being social or not. People get tired very easily when talking about things they don't understand, especially technology.
And when they kind of get you, they don't see the point that you are trying to make, easily dismissing you on why would you want to do something like that when you have "all the apps for free" with a few taps and that there is not such need for what you are trying to explain to them.
People don't even get it when you explain that FB, Google, etc are not free products and so on. Is kind of a rabbit hole and people don't want to dive on such topics because is an endless talk and they lose patience very quickly.
Is very hard to make them see the problem. People are happy with new phones, apps and entertainment every day, they don't care if they are unable to run custom software that may benefit their very own interests. As long as they can do the things that they usually do, to them there's no problem at all. Is as simple as that.
Then communicate it digestible without going too deep. The people I talk to usually care about my worries because I also care about theirs.
I do think there is growing discontent with MS and Google, and you see Linux sentiment changing and the userbase growing. But it's still a small fraction of the populus even though it's grown a lot in the last decade probably
One should not forget the reason for this growth though - the issues with privacy and users' control of devices on windows go back at least a decade, but most of this time nobody cared. It was only when Microsoft locked a lot of old computers out of Windows 11, Windows 11 proved a buggy slow mess, the google search results went down the toilet and the amount of adds on YouTube increased several times did people start to talk about "de-googling" and moving to Linux.
People are switching to Linux now because it works better. The privacy is still a nice-to-have bonus.
Perhaps we should stop viewing iOS/Android devices as true general-purpose computing devices. They are merely gadgets, like Walkmans, portable CD players, game consoles, blood pressure meters, car infotainment systems, etc. They contain CPUs with enough power and RAM to act as general-purpose computers, but Apple and Google did not design them for that purpose. However, Windows and macOS were designed as operating systems for general-purpose personal computers, and restrictions on the software you can run are also happening there. To me, this is more worrisome than the openness of mobile OSs.
> An iPhone without iOS is a very different product to what we understand an iPhone to be. Forcing Apple to change core tenets of iOS by legislative means would undermine what made the iPhone successful.
Rules for thee, not for me. Every typical Apple lover's argument.
There’s something weird about it. My phone needs to be hyper secure, and a lot of companies went to monetize that and introduce insecurities with their software.
That’s why I love my iPhone, but I’m not super happy about what happens with my Mac.
There’s something in the reality that it’s the app developers not the user that are being restricted by Apple. Apple keeps the app developers from doing things I don’t like for the most part. I don’t feel very restricted.
But I don’t want my computer to become a walled garden. It’s only OK for my phone.
> There’s something in the reality that it’s the app developers not the user that are being restricted by Apple.
Reading this comment as a user and developer in one person, it's so weird to see this disjointed picture of developers and users. You should have rights and feel unrestricted as a user but I shouldn't? Have you considered that being a developer is about the same as being a writer instead of a reader? We're the same...
> I don’t want my computer to become a walled garden
Why not? I don't think I can articulate an answer to the "I don't feel restricted" remark earlier better than you can probably do yourself by seeking what it is that rebels against these walls
The fact that I go to McDonald’s and they play a recording every time asking me for an app code. Or I go to Petsmart and they give me all kinds of discounts for installing their app. Or Reddit barely works unless you install their stupid app. There is clearly some invasive behavior happening with apps on phones that doesn’t seem to happen on computers the companies are so insanely motivated to get you to install their freaking app
The difference is I bought the device so I don’t care if you feel restricted as a developer. I’m just saying as a user I feel protected by having someone review the apps that are going on my phone and denying ones they feel suck.
I’m also a developer however I don’t write phone apps
> The difference is I bought the device so I don’t care if you feel restricted as a developer.
I don't see how that logically follows. I bought my device, too. How does that consequence developer-me not being allowed to make software?
If you think I'm behind one of these obnoxious corporations, no sir the 180° opposite. I haven't made a mobile app in my life that I haven't also published the source code of, nor made a dime off of them, salaried or otherwise. Desktop or mobile is all the same ethos, if I'm reading correctly that you seem to expect the worst just because I code things up for my own device and whoever else wants to use it?
I’ve installed Xcode. Pretty sure you can write anything and install it on your own device, the restrictions are on distribution.
What does this have to do with the article?
The article is a discussion about google‘s android app processes becoming more strict and the authors opinion that that’s terrible.
My comment is an argument against sideloading for phone devices because there’s a lot of nefarious behavior in these types of apps by comparing apples process because Apple is the other operator in this duopoly of phone operating systems. Sorry that was not clear.
Flexibility is usually inverse of security
These phones are more powerful than my laptop used for engineering in college. And stop calling it side loading, it's installing software on a computer.
Installing software on a computer
The inevitable conclusion of this battle is an acknowledgment that you never really own an iPhone or android in the first place, and the companies stop selling the hardware at all. You’ll only be able to rent a device as part of your service plan.
Or stop treating Android as Linux for mobile but rather Windows for mobile and finally start pushing and supporting a 3rd major alternative like we have on desktop/laptops.
I would personally love to start contributing to a truly open alternative which doesn't rely on Google being not evil anymore.
Easier said than done. The main reason companies don't allow it is sadly for security reasons, it's a cost/benefit.
If the government would enforce laws about computer security, tech companies would not have to restrict user freedom.
Obviously this situation benefits those tech companies, but honestly the solution is not as easy as it seems.
Of course it's a different story for the right to repair and DRM.
This might be controversial but I'm not sure you should be able to install whatever you want on "hardware you own". Reason being (and I was trying hard to explore an "other side of the argument" and whether there was/is one) examples like Kindles, where I think originally Amazon had it as a loss leader to sell ebooks. I reckon they brought a great product into the market and established a new category (mass market ebooks and ebook readers) and if they want to restrict us from rooting it then so be it (they could not sell it at a loss if it was super easy to root and not even use it as a Kindle initially) as long as they're clear about the restrictions up-front. Thoughts? :)
Some other examples of why this could be bad:
- Running code on your car that compromises safety, like modifying/disabling legally-required safety features.
- Modifying code on health devices, like pacemakers
- Protective code involving things like overheating protections (e.g., firmware preventing you from disabling cooling fans in your laptop or running your 3D printer so that it catches fire)
- Running devices with parameters known by the manufacturer to damage them (e.g., processor manufacturers will let you overclock their chips but will keep some parameters limited/locked that the designers know will not work)
It’s notable that Google is implementing this change first specifically in countries that are impacted by a specific style of fake app scam. They seem to be responding to a legitimate consumer safety issue.
Should we be able to run our own code on our own devices? Generally, yes, and it’s also already legal to do so even if the manufacturer doesn’t want you to. But it’s also legal for manufacturers to set their own parameters.
Like you said, examples like Kindles and game consoles exist where the business needs to have some level of freedom in defining their business model. Would you be able to buy a $150 4K TV at Walmart if the included Roku software wasn’t subsidizing it?
The issues surrounding anticompetitive lock-down only occur in markets with a lack of competition and I think those issues can be balanced agains the manufacturer’s desires to sell a specific experience.
I should be able to modify the software on all of those things, if I want to toast my CPU, my car, or my heart, that's entirely reasonable and there are tons of other ways to do them anyway
Your heart, sure. I don't care because it just affects you. Your car, no. An issue there could hurt other people.
Is it necessary to establish the difference between "firmware" and "software"?
Most of the use-cases you listed are about modifying devices which do not run "software" per se.
Phones, more and more like computers, are becoming general purpose computing devices, which require software to be useful. I think there's a distinction that we need to be aware of.
IMO the distinction between firmware and software is somewhat arbitrary and my answer to your question is “no.”
Something like Tesla’s self driving program really isn’t firmware and fits as an example, especially if it reaches a level where it’s government approved for unattended operation.
Start with buying the right hardware. Fairphone offers more control over the hardware:
https://support.fairphone.com/hc/en-us/articles/104924762388...
The OS they ship has Google services on it. They've previously chosen not to give you root access by default because Google wouldn't allow it: https://forum.fairphone.com/t/fairphone-s-approach-to-root-o...
They'll make the same choice again because it's not really a choice. Nobody would buy the device, or could make much use of it, without Google services on it. They'd be out of business
Edit, to be clear: that is not to say I disagree with what they do. They allow you to unlock the bootloader and they even supply an open and degoogled version of the OS! That is more than any other vendor I'm aware of. Every time I need a new phone, I check if the latest Fairphone fits my needs, and even though it's a compromise, I've tried it out in the past for several weeks. It's really worth supporting. But Google's new restriction will almost certainly affect Fairphone users, too
They also offer a Google-free Android:
https://support.fairphone.com/hc/en-us/articles/997915455681...
https://shop.fairphone.com/the-fairphone-gen-6-e-operating-s...
You can also run Ubuntu Touch on the Fair Phones.
I feel like such initiatives miss one obvious target - the well heeled tech savvy user (who quite often is also privacy minded) and wants the latest. At the price point they are selling a Snapdragon 7 device, I can get a Snapdragon 8 Elite phone from the market quite easily. Now I am happy to pay more because of what they stand for but I don't see them selling a model that features the latest and greatest + the privacy focus. Surely the latest hardware and privacy/environmental responsibility are not mutually exclusive. I change my phone every 4-5 years on average so I try to not contribute to the landfills but I do want the latest when I buy.
They said with the latest device release (like 2 months ago) that they're shifting their focus towards what you're saying (good quality without paying a huge premium), but it's still hard because what's good for you isn't good for me. I find the device too large and not fast enough; my partner would find the device already quite expensive as well as on the small side. The device won't work for everyone, even if they'd make it cost twice as much (and very few people are willing to pay even a 50% premium). Instead, they're trying to now please more people while making somewhat more compromises in the ethics department as compared to being more strict there and having it work for even fewer people
None of their previous phones were (at release) as close to competitive as the Fairphone 6 is today
We could have both an ethical/privacy device and many models at competitive price points, but that requires economies of scale to the same extent as non-fair competitors are doing. It sounded for a short time (like ten years ago) as though more vendors would go this route when incontrovertibly shown that it is possible and they merely need to tell FP's vendors "give some of that fairly mined Cobalt to us, too", but FP is here and history hasn't played out that way so this is what we've got. I assume this is the best that they were able to achieve with the resources they could muster. All we can do to help it grow is buy the device, or start a competitor or collaboration
> Surely the latest hardware and privacy/environmental responsibility are not mutually exclusive.
It pretty much is. The engineering for bringing out a latest-and-greatest device and opening it up is something a small independent outfit can't afford, and the big companies capable of it are not interested in doing it.
Including cars, TVs, and home appliances -- those are the items I really want to hack.
Conversely those are some of the devices that make me question the principle “I should be able to run whatever code I want on hardware I own”.
Cars are increasingly controlled more via code than driver, but that (hopefully) goes through certification and oversight processes. Lane control, collision detection, self parking, self driving features - should people be able to hack these systems? Do we want people running their own collision detection routines that are less sensitive, because the stock option keeps slowing them down so much everyday when they drive past a school?
I imagine many of us here have encountered a computer that's broken because the user installed a programe to "make their machine faster" which deleted important windows files or removed everything from the startup folder that the user needs to use. I'm sure I could make a lot of money with a programme that decreases the time it takes to recharge your EV. Might remove heat protections, run at your own risk! (And the risk of passengers, neighbours, pedestrians and anyone your share a road with...)
I don't care if you want to run code that can allow more nuances to the seat heating, but do I think that's an important enough principle to also allow drivers to watch netflix on the in car display?
TVs and home appliances are less concerning, but I'm sure there's users out there who'd like to disable the annoying "don't run the dryer when it's full of lint" lock out or stop their garage door from beeping at their car everyday, not realising that setting also keeps it from closing on top of neighbourhood kids or cats.
I don't know if there's anyway to balance a reasonable right to tinker with a general right to live in a safe environment. I also suspect EU and US readers will have quite different takes on it - in part because of the current culture, in part because I think a lot of it is quite effected by geography. Live in dense housing and your neighbours ability to burn their house down is much more of your concern!)
People have been running modded firmware and custom computers in their cars for a long time and it seems you haven't even noticed.
And tractors
I think a different perspective on this is required. This requires taking Google in good faith (for the arguments sake). The requirements are being rolled out first in countries with high amounts of scam apps. Let's assume it's causing a real issue for the people, which then is a bad look for Google because all these apps are hosted on their store. I could imagine in the future a country sueing Google for allowing these apps on the store. So due to image issues and potential future litigation, Google feels like it has to do something so they do this.
I think the real problem is that these countries are abdicating their duty to govern. Why are they not jailing these people running these scams? Or if they are in another country, using political and economic pressure on the other country to crack down?
I don't believe that Google's intentions are actually that great, but there is a real problem in these countries with scams and people's lives being harmed by them.
> I think the real problem is that these countries are abdicating their duty to govern. Why are they not jailing these people running these scams?
I 110% agree with you. I advocate for blocking entire countries from the Internet until they start enforcing criminal liabilities to the scum.
Unfortunately, business loves the scum. I'd argue business wants the scum because it's a playground field for "innovating" locked down hardware.
I didn't buy a box of transistors, I bought a "smart phone", a pocket sized computer.
The OS and hardware are parts of the whole.
So you're phrasing it wrong.
I should have the ability to run any code I want on my smart phone that I own.
And to my clear, I own my smart phone. You own your smart phone. Any EULA to the contrary should be null and void.
Yes, but did you buy a general purpose computer? I don’t think smart phones were ever marketed that way.
Now, if you want to install Linux on that hardware you should be allowed to do so.
So many people paraphrasing Stallman and GPL, and so few realizing that without legal enforcement these problems will keep happening over and over again.
Yet there is more BSD and MIT code than ever.
Android is full of open source stuff. GPL3 would have prevented this. We've all been bamboozled and we are starting to realize it.
I wonder if any project will start switching license. Unlikely, but one can dream.
Switching licenses on a FOSS project without copyright assignment is almost impossible, unless the license already allows for it. See Linux kernel GPLv3 relicensing discussions of the latter aughts.
All software distributed under permissive licenses can be sublicensed under GPLv3 overnight. And all future contributions can only be accepted under GPLv3. Software licensed as exactly GPLv2 (rather than GPLv2 or later) is harder to do this upgrade for because of the reasons you mention, but lots of software can have their license fixed.
So a broader philosophical take,
Before the middle ages, you'd make your own product. That turned into local production, mass productio, but still devices could be desicected and analyzed how they worked. A car from the 60's as an example.
So for the most part of our society, reverse engineering was possible. It is only the last decades with closed source software that the opposite is occuring. But did 'we' ever made this a consious decision? Or our we sucker punched by progress
In my country two groups most hated by educated, civilized and self-labeled liberal people are miners and farmers. There are good reasons to not like them, especially miners (they have lot of privilege and cost a lot of money, whereas our (coal) mining industry is useless), but I came to the conclusion that the actual reason behind the hate is the fact that those two groups are able to force government to do their will, even though they are a small minority in the overall population. They achieve this by blocking streets, burning tires and causing overall mayhem, and are very consistent about it. At the same time those educated, civilized and liberal people can helplessly complain between each other, and maybe write some hateful article in the newspaper.
Forgive me this seemingly unrelated introduction, but when I read such threads I don't have much hope something will change, for similar reasons. People that care about computer user's freedom and agency will write blog posts and create hundreds of comments about how things should look like, how government and corporations want to enslave them etc. And then do nothing to give those adversaries even a smallest inconvenience. Some will create a new "privacy-oriented" and "freedom-focused" project on GitHub, naively thinking it will solve problem that is not technical at all.
Those without power always become victims. If it is all bark but no bite, no one is going to back down.
Have you heard about transversality of the fight? Do you have common ground with those farmers and coal miners? Do they have some with you. They are humans, after all. They feel and fear and hope.
I come from a place famous for social unrest. A successful protest is one uniting the student to the truckers, to the miner to the teachers.
Punching up. Not sideways or down. Their is a greater enemy than the farmers.
But I have nothing against miners or farmers, I just diagnosed why they are so resented - they succeed.
You don't own the hardware, it's now a license just like the software..... problem solved.
> If you want to play Playstation games on your PS5 you must suffer Sony’s restrictions, but if you want to convert your PS5 into an emulator running Linux that should be possible.
This is what Sony did with the PS3, but afaik Linux was then used as a backdoor to jailbreak the "PS3 OS" and sideload games.
I guess, this is why Sony abandoned the idea of allowing Linux on their consoles. Kind of sad, but understandable.
The overarching issue is that this feature of the PS3 not only created cost in development/maintenance, but then negatively affected the core revenue-stream. So it was shut down, and Sony will never do this again.
Now we're at a point where there is no justification even for the cost of development/maintenance of such "open compute" features. Why even create a path for parts of your product to be "without rails" when there is no (legal) requirement for it and no significant commercial market, but just increased cost and complexity as well as security-risks.
I would like to see more devices being unlockable and provide the freedom to run "any code we want". But as there is no visible critical mass willing to pay for this, there is no market, and this means the current economic system doesn't support a company walking such a path.
So the only path I can see is to introduce an incentive for this into the system via a legal mandate, or change the system.
If I cannot degoogle my phone or maintain my apps with F-Droid, I'd need to install the Huawei HarmonyOS. Technically superior and already usable. Plus I don't care what China spies on me because they won't share their data with my home country or neighbors.
Personally, I'm not demanding to enable tinkering on everything if that's raising prices, it could be as simple as having some "This unit is serviceable" label, I'd let people to value it and manufacturers to follow it.
TBH, I think most people wouldn't care, specially in USA, it is way easier and cheaper to replace than to repair, workmanship is really expensive here.
But If a manufacturer shuts down a Cloud service that bricks my device they should open the interfaces and protocols to make them functional.
This feels like an arbitrary level of abstraction for how much control a user should have. When you buy a phone, you're buying a combination of components designed and paired for that manufacturer's software. Can the user potentially replace that software? Sure, but should they be expected to?
If they just wanted hardware, they could buy their own and piece something together, if we're exploring those kinds of hypotheticals. But buying an Apple or Android device is a different choice and I think, within that context, a user should be able to run the software they want.
I think it is more a case of, at least provide the option to have another OS. Chances are that nobody else will be able to make it work but having it closed off before even getting a chance to try feels a little unfair to those that buy the hardware.
As long as the hardware vendor and teleoperator are able to run arbitrary, closed-source code on baseband processors without the user even knowing that it’s happening, no mobile device is truly free (libre).
”In March 2014, makers of the free Android derivative Replicant announced they had found a backdoor in the baseband software of Samsung Galaxy phones that allows remote access to the user data stored on the phone.”
Seems like >=2026 will be the year I'll start buying stuff again that has been replaced by mobile phones during all the years (Camera, Mp3Player, etc.) With this coming, buying a flagship mobile phone simply doesn't worth for me anymore. Currently i own a S24Ultra, my next mobile phone will probably be the cheapest Chinese crap I can get, just for the mobile things i "have" to use it.
I started the desmarting process two years ago with a new camera and protrek casio watch, no more BigTech Pay, etc.
I think fighting for the ability to write a custom OS for a phone misses the point.
It should be possible to participate in the modern economy using standard technology.
To this end, I think there should be a mandate that all govt and commercial infrastructure apps offer a progressive web app with at least feature parity with proprietary phone apps.
Want me to use a phone to pay for lunch, EV charging, parking or a toll? Great. It needs to be doable with anything running firefox, safari or chrome.
Should be one of the top comments.
IBM didn't want their PCs and OS APIs to be open and for IBM compatible clones to exist either, they were just bad competitors. I think the relative user freedom we have on PCs is quite exceptional in the truest sense of the word.
I want there to be the same openness on devices too, don't get me wrong.
Capital doesn't want you to own anything, it wants you to rent everything. In the absence of any pressure to the contrary, it will continue to turn everything into a rental or a license. Because it's a feedback loop, the more capital accumulates, the more market (and political) power it exerts and the faster it accumulates.
The question is: What's ownership? How do I ascertain that I own a device and not, say, the guy who just robbed it from me at knifepoint?
From a government perspective, I think the issue is anonymity. In the long run, governments cannot accept ownership of a thing without being able to attribute usage of that thing. From that perspective, as much as you cannot anonymously own a warehouse, you cannot anonymously own a programmable radio device.
From the corporate perspective, it's even worse: They cannot accept you using a device freely if they license you software or data. They would probably be fine if you could prove to them that you were not violating the terms (or vice versa, they could prove when you did), but that probably has a massive impact on privacy.
Truly logical thinking to me :D
We have always had the ability to make or run any application.
If we allow this, then we will never be able to make or run apps again.
Do your part in any way to stop this.
Talk about this with your family and make them aware.
For a technical user, being able to install any software you like means you have full control. But another perspective is that if someone else installs the wrong software (such as if a housemate installs spyware), your phone could betray you.
Security-conscious people might actually prefer to own hardware-limited devices. An example of this is having a camera with a physical shutter, or a light that shows camera activity that can't be disabled by software.
Similarly, some people might prefer to own devices that don't allow side-loading at all, since it disables a potential vulnerability. Maybe it would be best if Google allowed this to be a configurable option when buying an Android phone. (I suppose they could buy an iPhone, though.)
I think there are two issues, that maybe we should point out to help the debate:
- As a user sometimes I want to sideload legitimate applications (the question now is why can't these apps get approved on the appstore?)
- As a user sometimes I want to be able to use different devices from different vendors, I don't want to be forced to stay on Apple because airdrop or the keychain or login with Apple or my airpods pro don't work on Android anymore.
Where do you draw the boundary between code and hardware? System code has become more like a firmware. Vendor sees it as device, not as code + hardware. It's like a TV or a cassette player. There is no code. You can bring your content and "play" it. Any additional ability that you build on your own (you want the cassette player to play DVDs?), would void the warranty. But you can buy a DVD module from the vendor that is made to fit into your cassette player.
In reality, what you are expecting is, to be able to use your common tools to modify the device. But the vendor uses some weirdly shaped screws for which you don't have tools to work with. That is the real complaint.
This reminds me of the early days of gaming consoles where modchips were a grey area. The iPhone jailbreaking exemption in DMCA was a rare win for user rights, but we've seen that precedent hasn't extended much beyond phones. The technical capability exists - it's purely policy/business decisions blocking it.
I would say also that if Google and Apple control what you can install, they are responsible for it if there is a problem.
> building new operating systems to run on mobile hardware is impossible, or at least much harder than it should be.
Why isn't there a linux flavor for phones with an app store?
There is Sailfish os Ubuntu Touch, you can run Fedora and Debian rebuilds on phones. I think it is finally getting there & all this Google and Apple bullshit will hopefully make it move faster and be more attractive to people. :)
The same reason why linux isn't broadly used on PCs: Lack of hardware support and drivers.
Yes, PureOS, Mobian, postmarketOS and more.
Genuine question and some random thoughts please downvote if you think I am ranting too much: one argument played by Google on this is that they want to protect users from malware, specially for banking apps, etc. However my queations/two cents regarding this:
Banks offer web frontends and many make you use 2FA and even hardware keys, which work on phones. We have been doing e-banking even before smartphone phones existed. We still do. On our full of malware and virus windows desktops.
These mobile apps are in reality web frontends disguised as mobile apps with biometrics on top of it. Nothing else really. I develop an iOS app for a bank. It’s really like that.
Despite that I have to obfuscate the binaries, check for cydia, make sure I am not jaibtoken and all kinds of useless stuff.
When you buy a PlayStation you are buying a piece of hardware that Sony sells you at a break even or a loss so that you can buy their games. You are not buying your hardware. You are buying means to run video games on a piece of hardware Sony is selling to you.
When I buy an iPhone I am paying a lot of money for my pocket computer, my internet communicator. The margins are so big, it doesn’t even make sense to squeeze more out of them.
When I buy an Android phone I fail to see the end game except that Google wants to have absolute control over everything I do in my life.
I cannot really deny them their right to do whatever they want.
Still I can’t see really how they want to protect users by having full control. That’s a big lie.
I worked on a product where we tried to keep it open for end users to modify what they wanted.
To be honest, it was way more of a problem than I ever imagined. The average user who tries to mod their system isn’t as proficient as you imagine they would be. As an engineer you imagine other engineers approaching the system as you would. In practice, it’s a lot of people with a lot of free time who copy and paste things into terminal sessions from forum posts and YouTube video comments. When it doesn’t work, they try to get your customer support team to fix it. They will deny, deny, deny when asked if they’ve modified the system because they want to trick support into debugging it anyway. When customer support refuses to handle their modified system, they try to RMA or return it for a refund in protest.
Over time, it drains you. You see the customer support request statistics and realize that a massive support burden could be avoided by locking it down. You see the RMA analysis and realize a lot of perfectly good devices are being returned with weird hacks applied. Every time you change an API or improve the system you have to deal with a vocal minority of angry modders who don’t want you to change anything, ever, because they expect the latest updates to work perfectly with all of their customer software.
It’s tiresome. I think the only way this works is if customers have to log in to a system and agree to surrender all customer support and warranty service for a device to enable the free-for-all mode for them. That doesn’t work, though, because warranty laws require that you service the device regardless unless you can prove it was the modification that caused the RMA, which is a model that works with vehicle service but not the $100 consumer hardware device.
So I get. I wish every device could be totally open, but doing that with normal customer service and support is a huge burden. The only place it really works is devices like Raspberry Pi where it’s sold as something where you’re on your own, not something where customer support agents have to deal with what the product was supposed to do before all of the different mods were applied.
18ish years after the 3rd version of the GNU General Public License, and tivoization is now the norm.
This ist what the four essential freedoms are all about.
The hardware aspect is quite irrelevant to the whole point: the hardware only runs with software that does not respect your freedom and there's no feasible way to make the hardware run software that does respect our freedom. And of course our banks and streaming services and whatever else we need also don't offer us any software that respect our freedoms. So no, it's not about hardware, it's about free software. Always has been.
Absolutely must have the right to run any software on hardware we own. It should be mandated for hardware built by large companies, who are soaking up the capital and labor that’s available. It’s sensible regulation.
Or:
One (a big entity with enough resources) should take this as an opportunity and create a new, third truly open alternative to iOS and Android (no, I'm not talking about an AOSP fork, I'm saying something totally new) and let iOS/Android have their thing as they want, letting consumers decide between the three instead of forcing vendors into ridiculous business decisions like forcefully opening their own platforms for others.
There's SailfishOS being cooked
I just want to wake one day and install desktop Linux on my iPad.
For anyone saying otherwise:
There is ONLY ONE valid way to check trust - it is called keyring.
All linux distributions do use it.
Think on how you use SSL certificates on your browser, now remember that you can always import your own Certificate authority.
As simple as that. Unless you have nefarious purposes.
> It should be possible to run Android on an iPhone and manufacturers should be required by law to provide enough technical support and documentation to make the development of new operating systems possible.
Why?
The author doesn't explain why and I've yet to see any justification for this other than, essentially, "because I want to" - usually evoking supposed freedoms and rights that exist only in the realm of wishful thinking.
Once we have a decentralized trust protocol that has been widely adopted, it will hopefully solve most of these problems. As it stands right now, we can validate control, but not actual ownership. As such, ownership has to be proven via KYC and other centralized methods that rest on state authority. Not a good solution for those who care about privacy and individual freedom!
> It’s through this control of the operating system that Google is exerting control, not at the hardware layer.
True, but many phones use the hardware layer to prevent you from installing a different OS. It's all part of the same system designed to deny us real ownership of the computer we paid for.
It is interesting, that when Apple, with small steps, slowly disallowed any kind of sideloading merely nobody took notice of it... and now Google is doing the same, and whole internet protest. Who knows, maybe fact that now there is no alternative for tech-savy, and people are angry now it is good thing in longer perspective for both platforms.
Because I used to have a choice. Since dipping my toes in Android, I remember distinctly in 2012 or maybe 2013 the feeling when I got Xorg and Wireshark running on a Galaxy Note device within the first days. Dead simple! Heck, VirtualBox let me emulate Windows. I could play Rollercoaster Tycoon by attaching a USB keyboard and mouse over this little OTG dongle! Coming from Symbian and having recently started to run Linux on my desktop, and now all that being compatible on my phone, it felt like a miracle
Ahem, where was I
Ah yes: ever since dipping my toes in Android, I've always said I'd never buy an Apple device where I can't run my own software or control what proprietary software does. Now that the freedom is being taken away, the world is changing and I care about it. Until now, it was just a matter of buying any brand except one closed one. Not that hard to avoid
> When Google restricts your ability to install certain applications they aren’t constraining what you can do with the hardware you own, they are constraining what you can do using the software they provide with said hardware.
No. Incorrect. Because the argument that we should be focusing on software is a distraction. They use restricting the OS as an argument to restrict the Hardware. Their is pressure put on on hardware devs to toe this line.
You can see this with secure enclaves. If they didn't care about what software was running on their hardware, they wouldn't be designing hardware to restrict the kind of OS you can run on the hardware. Secure Boot/UEFI is going in that direction and Mobile devices are already there to some extent.
This whole argument is a distraction designed to lure people away from the real problem. That all technology (Hardware and Software) is being designed to restrict freedoms. If you are focus on this distraction, you are missing the point.
I don't really agree with this take.
I do think that it should be easier for people to build and install alternative OSes on their phones.
However, building your own mobile OS is just really hard. And on top of the technical challenges, the UX challenges, the overall polish challenges, there are non-technical challenges that are often impossible for alternative OSes.
* Industry connections problems. As an example, no open source mobile OS has a contactless payments app, at least not one that is generic and can support more or less any credit card out there. That is, you can't build an Apple/Google Wallet analogue and have it work.
* As much as I wish Jobs had stuck to his guns on the "no iPhone SDK" thing, and had instead developed and improved the mobile web stack, that's not the reality today. There are many things you just cannot do current mobile OSes through its web browser. Native apps are required there. And so that means companies need to choose the platforms they build for. Today that's easy: iOS and Android. But getting governments and banks and various companies to build apps for your niche mobile OS is going to be essentially impossible. And with closed-source kitchen-sink libraries like Google Play Services, it's incredibly difficult even to get a lot of Android apps running properly (and consistently reliably) on "de-Googled" Android phones.
Ultimately the real problem is that there's no capable, standardized, OS-agnostic platform for building mobile apps. The web platform could have been it, but it's not, and now Apple and Google have a vested interest in ensuring that it never can be, because building native iOS and Android apps locks people and companies into those ecosystems.
Ultimately^2 the real problem is that free markets are a myth, and don't work. Companies want to become monopolies, and want to bar new entrants. I would absolutely love some mandate/legislation/whatever that made it mandatory that we have a fully open source mobile OS, and that all the players involved need to be allowed to build equivalent functionality into it that Android and iOS have. I know that sounds radical and like government overreach (and current governments wouldn't go for it anyway). But the alternative is what we have today: monopolists that don't care about the rights of their customers. There's really no "free-market" way out of this.
The first step is legally mandated unlocking of bootloaders.
More and more phones are locking them down until exploits are found to unlock them.
I don't think government should be involved here, but what they can do is (a) always provide alternatives where interacting with government doesn't require a smartphone or apps, and (b) mandate the same for regulated or essential industries like banks and airlines etc.
I'm not convinced there is some inalienable right to load an OS onto any hardware but said hardware/OS should never be on the critical path to anything a citizen needs to do.
If left to the generosity of companies to allow us to control the hardware we purchase then we will never be able to modify the hardware we purchase again. There are no inalienable rights that we, as humans, do not define and legislate ourselves. If we want unfettered control of the hardware that we purchase then we need to codify it into law.
I'm two days into switching my Pixel 6 from Android to GrapheneOS. No issues so far. I haven't set up my banking app, but it's supposed to be supported.
The situation we have is fine. You can make hardware with features these people want, or you can make hardware with features those people want.
It has never been easier to realize your own open source hardware platform. Those dedicated to freedom can chose to offer alternatives. The challenge is we don't live in a post job society and people need to make money to survive. Until that changes, practical professionals will gravitate towards non-ideal systems that optimize for short term value over freedom.
Why not launch a new startup focused on building an open smartphone? This is HN after all, with the right pitch someone will throw money at it.
Because only a bunch of nerds would use it, your bank wouldn't support running its shitty app on it, and it's back to square 1.
The first thing that came to mind when I heard hardware we own was vehicles like a Rivian where they do run a lot of software. I can understand why they'd not want people to run software in order to avoid bad press. If someone writes something and things go wrong, it will look bad for the manufacturer, even if they're not at fault.
I know I'm going to get downvoted to hell for this, but I genuinely think it's OK for a device manufacturer to say: "we are building this device to run this software. If you don't want to run this software, then don't buy this device. There are plenty of other devices out there that will run other software, you can buy one of those if you want to run other software - our devices are designed to only run our software, and we're only going to support that".
I think that's a huge difference from the sideloading issue, though. Which is effectively saying "you must purchase all your software for this device from us, even if it's not our software, and even if it's available elsewhere for less".
I get how one statement creates the monopoly that allows the other statement, but I think they are still two separate statements.
+1. Smartphones aren't a monopoly. GrapheneOS is a thing. More companies can build hardware for it if there's demand. Not every piece of hardware needs to be general purpose computer.
I've been delighted to get my parents on iPhone+iPad for simplicity (and they have too). It feels this crowd sometimes assumes every barrier put in place is anti-consumer, but it's not. Blocking access to sensors, limiting background runtime, blocking access to other app's data, limiting it to reviewed apps... are all great things for most people. Most people don't have the technical literacy to have "informed consent" prompts popping up every 5 minutes, and most of them know it too. Most folks don't mind trusting Apple to make the tougher technical calls for them, and actually appreciate it.
Make cool hacker centric hardware. Make cool easy to use, locked down, and foolproof hardware. Both can and should exist.
There is exactly one device produced in the entire US that can legitimately run graphene is in a usable way.
Not a monopoly my ass.
> Make cool hacker centric hardware. Make cool easy to use, locked down, and foolproof hardware. Both can and should exist.
Yes, what a splendid idea! Let me just invest a few billion I have lying around here. And maybe after that we can all take a spaceship to Mars and colonize it!
Get real.
Also, doesn't even fucking matter. Guess what, let's say I do invest the 10 billion dollars to make said device.
Will my bank allow it? No. Why? Because Google says so. Google says "no, that's not attested"
It doesn't matter if I make one device, two devices, or one trillion devices. Its still ALL Google. They decide everything.
That means there are infinitely more devices produced in the US that can run graphene than can run iOS. Seems like a weird metric.
What? Can you elaborate? This makes no sense to me.
There's only one device currently produced in the US which can run grapheneos. Grapheneos is the only custom rom which can get even an ounce of attestation.
There are many devices produced which can run iOS.
Zero iOS devices are produced in the US. Production is all China/India.
>There are plenty of other devices out there that will run other software, you can buy one of those if you want to run other software - our devices are designed to only run our software, and we're only going to support tha
except in about a hundred million examples where the niche software that is running on the niche hardware has no viable alternative.
In The Real World when you have a component that breaks somewhere, and the manufacturer of the thing either fails to help or no longer exists you contract a third party to retrofit a repair module of some sort, or you do the work yourself to get the thing working.
How does this principle apply when the producer of the thing booby traps it with encryption and circuit breakers?
Software is special, comparing it to other industries never works well.
I agree that there's a difference between just not supporting the device running other software, and actively preventing the device from running other software. The latter doesn't serve anyone.
> There are plenty of other devices out there...
No there isn't, and one of the main problems.
There are if you are willing to have two devices. One secure phone for banking, phone calls, etc. And a portable linux device for installing whatever you want on. Where installing malware doesn't risk losing all of your money.
> secure phone for banking
Secure from the owner doesn't equal security in general.
I know of no reasonable, modern Linux devices besides the Starlite tablet and potentially the Furiphone. And boy, have I looked and looked. But the second has not been around long enough to be reviewed by a reputable entity.
Much harder to make a secure device that is resistant to getting pwn'd if you can run any code you want. I personally prefer my iPhone to be more secure than to be more open.
Buy a more open phone if you want one, but stop trying to use legal means to force the software on my phone to be worse for my use-case just because you want to have your cake and eat it too.
Once you decide to trade your liberty for security, it becomes the norm and then no one has liberty.
Apple is a company, not a government. I haven't traded my liberty for anything. Again, you can buy a different phone – that is where liberty comes into this equation.
If the USG decides to pass a law saying you can only buy iPhones, then we will have more to talk about w.r.t. liberty.
Nothing actually prevents you from modifying your iPhone however you see fit, btw. If you are incapable of breaking Apple's security without bricking the phone, that's a "you" problem.
> If the USG decides to pass a law saying you can only buy iPhones, then we will have more to talk about w.r.t. liberty.
Is what the US government does the only concern to you? This feels like a very semantic argument that tries to define the government as the sole arbiter of what's expected in our society. Majority consensus has an equal if not greater reach in telling us what we can and can't do. Case in point: the only two types of smartphones you can reasonably use nowadays are iOS devices and Android devices (and that is Google-sanctioned Android devices, custom ROMs are being rooted out as we speak). Sure, you can technically buy a random dumbphone, and just accept losing access to most of society, including services where using specific apps on specific platforms is mandatory. Is that liberty to you? Everyone telling you that you must pick from one of these options, but you're not forced to at gunpoint, so it's fine?
> Nothing actually prevents you from modifying your iPhone however you see fit, btw. If you are incapable of breaking Apple's security without bricking the phone, that's a "you" problem.
I would agree if we were still in the 2000s, when people could actually plug their phones in and flash whatever firmware they desired on them. Current-day phones, iPhones especially, are black boxes that are designed to be impenetrable by anyone by Apple, under the guise of 'security'. Everything is cross-checked to ensure that you can't as much as screw your phone open without consequences. The threat vectors they're supposedly addressing are utterly ludicrous. It's gotta be stuff like "Oh, what if a malicious actor steals grandma's iPhone, opens it, installs a battery that wasn't blessed by Apple, and explodes it after giving it back to her?".
Everyone knows they're doing this because they want every facet their devices to be in their tight grip, so that you just obtain temporary permission to do some things with it under their watchful eye, as long as you stay in your lane. Best of all, they can just incessantly scream something about "safety", "security" or "integrity" and that will be good enough justification.
And 99% of people don't even have the capacity to care about any of this, they'll just pick "security" and cheer on for any new "secure" update that tightens corporate control over you and what you can do. The 1% is too small of a market to care about, they will just reluctantly use the socially acceptable option because what choice do they have?
You're being a conspiracy theorist. You can in fact replace the battery with a non-Apple battery without issue. The things that break when you replace them without a properly signed version are in fact related to the security of the device. It's not a "guise". I don't want someone with physical access to my phone to be able to access anything on the phone. If I can do this, so can anyone else.
> You can in fact replace the battery with a non-Apple battery without issue.
No you can't. The apple batteries have a chip in them with a code that tells the phone they're authentic - only authentic apple components are allowed.
Its not a conspiracy theory. Apple is just a piece of shit company.
If you think being a piece of shit has to be a conspiracy, you're just naive.
Do you own an iPhone? Because I replaced my own battery with a non-OEM replacement and it works fine.
Yes I have owned many iPhones and I have known people who have bricked iPhones by installing non OEM batteries.
Maybe you got lucky or the manufacturer cheated and copied Apples chip. Probably the latter.
Which, good for the manufacturer, but kind of goes your whole ethos, doesn't it?
Regardless, none of this is really a secret. You can look it up. Its not a conspiracy - again, companies don't need a conspiracy to be pieces of shit. They can just be pieces of shit. You don't need to go bat for them buddy, I promise they don't care about you.
> Which, good for the manufacturer, but kind of goes your whole ethos, doesn't it?
Mostly it just betrays your lack of understanding of how any of this works.
When there is a natural monopoly/oligopoly, it needs to be regulated as a utility, otherwise we’re all doomed.
Completely agree. This is a general issue with technology in general, if someone uses a new technology to their advantage and at your disadvantage, you are essentially forced to adopt said technology just to keep up. In that sense a lot of technological change isn't voluntary. This also explains why a lot of open source/proprietary software is always chasing each other to keep up.
Closed devices are secure, yes. Apps can use pinned https certs. Apple signs the binary. This ensures that when your personal data is exfiltrated, it will go undetected by malicious third parties such as yourself.
Nobody said that...
You can keep your device enslaved to Apple all you want. You don't have to use the administrator permissions on Windows if you don't want them. Some of us do want freedom
You've got it completely backwards that having the option to control your hardware means you, as an individual, are impacted by anything at all if you don't want to administrate your own device
How do you enable administrator permissions on your Windows computer?
Depends on settings, but usually just click "Ok" in a popup
Indeed. Doesn't sound particularly secure to me.
And yet online banking still is a thing. If they're banning Android devices where you need to buy the right vendor and (from the perspective of a regular user) move heaven and earth to fricking read the data on your own device, then that absolutely has to go first for it to not be hypocritical
Install the version of Windows that allows you to do that.
If you share the post opinion, it means you believe there is value in an hardware that provides enough details in order to run any software we want on it. If that is the case, go build a company that builds such an hardware.
Hardware vendors are like creepy ex's that won't let go. You sold the device. Move on. It's not yours anymore.
You already have that ability, afaik there is nothing stopping you or your friends from loading and running whatever software you want except your own technical ability.
If you want the government to force other people to do the work to let you have your cake and eat it too, I can't support that.
iPhones have a locked bootloader; it is impossible to run an OS not signed by Apple unless you find an exploit.
So what? Should security features be illegal so people can more easily run their own OS's on phones?
Yes?
A car that can only drive itself at 10 MPH by a software lock is certainly safer.
But that's stupid and that should be illegal.
Also, the horse is driving the carriage here. Why do you think Apple is just de facto more secure?
That's just pure blind faith. You have zero evidence for that and you couldn't find evidence if your life depended on it. The entire device is closed-source.
Youre just blindly trusting Apple not to pwn you.
We trust a lot of organizations to not do illegal things to us. It's not really any different with Apple. You're trusting that the computer you're using to post your comment doesn't have a hardware back door in it. Except I'd argue that the incentives for Apple to do this are less than they would be for other companies. Not blind faith.
Well no. I agree with your overall point in that I don’t really think vendors should be forced to allow you to install whatever software you want. I’m just pointing out that the way you described the current situation is inaccurate.
Ah ok my bad.
Going to be contrarian.
Why not build your own hardware and run your own software on it, instead of screaming at clouds of big tech.
There is Fairphone as an example so it is possible to build/buy hardware directly.
> Why not build your own hardware
Haven't looked at this in depth, but designing and manufacturing a phone with a similar miniaturization level and performance to commercial models is a huge electronics/firmware/design engineering challenge. Additionally, often the datasheets for processors, etc. are difficult to obtain and/or under NDA.
Nothing a group of determined engineers with the funding and connections couldn't achieve, but it's no easy task. Fairphone required a few million $ to develop the first model.
Either way, developing software is hard enough - having to build hardware too moves the project toward "pipe dream" territory IMO.
Yes, let me just invest 100 billion dollars into creating my own device so that I'm not censored by one of the biggest companies on Earth.
Jesus fucking Christ. We're asking for a drop here from a mega corporation, and still there will be people bending over backwards and spreading their cheeks and actually begging for it. Its not enough to get fucked, we actually have to want to get fucked, and not wanting it is weird or something.
The only way this happens is if people & organizations vote with their $$.
My immediate follow-up to people who take this position: Are you using Framework laptops, pinephone or other OSS devices already? If not, then it's just empty air -- vote with your $$.
We as tech enthusiasts killed a viable 3rd option. For all its warts Microsoft created a great mobile os, but we killed it. If we could convince them to bring it back to be the true alternative to the existing duopoly in might fix these issues.
I wouldn't expect Microsoft, of all people, to be a "viable third option". They weren't exactly keen on user freedom either - they aren't now, and they weren't in Windows Phone 7 days.
We need a law to have mandatory storage of precise and complete technical specification to be able to write drivers for hardware peripherals. With heavy fines if they are incomplete.
Technically true, the worst kind of true.
The original phrase is good as is and much better than this nitpicking if we'd like to see actual movement on the issue.
“I should be able to run whatever code I want on hardware I own”
> Forcing Apple to change core tenets of iOS by legislative means would undermine what made the iPhone successful.
Even if this is true… so what? Perhaps the App Store monopoly has helped make the iPhone successful, but that doesn't make it a good thing.
> If you want to play Playstation games on your PS5 you must suffer Sony’s restrictions, but if you want to convert your PS5 into an emulator running Linux that should be possible.
Why? What if Sony's restrictions are bad? Why are we ceding corporations the right to treat us however they want, so long as we're using their software?
You shouldn't have to flash a new OS onto your hardware in order for it to respect you as its user & owner. You shouldn't need to be tech-savvy, either. The happy path for the median user should be privacy and freedom.
Free/libre alternatives to consumer software are always going to be second-class, because respecting users is at odds with making money off them. If we people to be treated well by tech, it's not enough to provide an alternative ecosystem. We have to deny corporations the option to treat users badly in the first place.
The word "badly" means different things to different people, so I believe you could not get a majority to agree that any law to such effect is perfectly good.
I don't expect a single monolithic law could work, but I see no reason why a constellation of specific laws couldn't work.
For instance, the "stop killing games" proposal¹ is by far one of the most demanding laws I can imagine in this vein, but I've (anecdotally) seen massive support for it in gaming communities.
In order to create a new type of right, we need a term that can be promoted. For exemple "The Right to Digital Autonomy".
But we can't. Not on PS5, not on Iphone..
Interesting perspective but unfortunately with smartphones you'll have cellular carriers lock down their bootloaders because of bogus "security" reasons.
My PS5 is lying around being useless for me now.
I can't recall a post staying at the top this long. I hope this is a sign of how hard we're going to reject Google's stance.
isn't that google just make the android reach parity with iOS???
this is happening with apple ecosystem since forever and people fine with it, so what is the issue here???
oh I know, people mad because someone take what they been able used to
not because they cant sideload. you can (just need an developer account for that)
You can’t run any code you want on the phone because of the radios.
Realistically there would be a non-zero cost to allowing this, tech support, or compliance issues, or even PR issues when somebody’s modified hardware does something bad. So few people actually care or want this, it doesn’t feel like a fight worth having as a unilateral mission.
> Forcing Apple to change core tenets of iOS by legislative means would undermine what made the iPhone successful.
Successful for whom? If you're talking about the commercial success of apple through lock down behaviour, sure. But there is *nothing* that would prevent them from providing the exact same experience while adding a toggle in settings "allow sideloading". You want the "crisp" experience that comes from apple's strict review process, just use the official app store.
Looking at android till now, it is still possible to offer a "certified" os that is flexible enough for you to use foss stores. The argument pretending that removing sideloading is customer centric are borderline fallacious. I don't think that playing on semantics between hardware and OS changes any of that
I want my less tech savvy family members to be able to buy locked-to-the-company-store hardware, that they can’t run other things on, as it protects them from one avenue of scams and hacks. This protection can and will be worked around if it can be easily disabled.
Fully open phone systems consistently fail to sell enough to make a difference, which is a bit of a shame, but honestly at this point the market has spoken.
You provided an alterative solution yourself. Make protection harder to disable, so non-tech savvy users can't disable it easily, always inform them of the consequences of disabling it and make it that it's only needed in exceptional cases (there a lot of room for improvement here).
If they want to climb over the protection fence, they should be able to do it as they clearly WANT to do it. Why should you have control what they can or cannot do? (Unless they are your kids.) Should experts in other fields also be able to control over what their layman family members are allowed to do?
> always inform them of the consequences
This would be about as useful as telling the cat why he can’t go out right now. The words would not be understood, as they won’t be by probably 90% of humanity.
> If they want to…
They don’t. Categorically. The only reason they would try is because they are being scammed with offers of getting something or cajolement entreating them to allow it.
> Why should you have control what they can or cannot do?
Me? I’m not asking for control. I’m saying that most people aren’t equipped to understand the threats they face, even in the face of explanation or warning, and their use-cases are comprehensively covered without it. My parents are old. My brother ends up with any PC he owns full of malware and viruses. The current status quo serves them and many millions of other people very well, and we need to be very cautious when arguing to rip this away in the name of our freedom - to them it only represents freedom to be exploited.
> Should experts in other fields also be able to control over what their layman family member…
Experts in other fields determine the extent of what all laypeople may do legally all the time. Or do you live somewhere that there are zero restrictions on (for example) gas plumbing or work on electrical systems?
You are overblowing it out of proportions. Majority of people are capable of understanding warnings just fine, you're not that special. When they can't, it's usually because it was communicated poorly. More often, they choose to ignore it, because of too many useless and overblown warnings.
Why aren't your family members sending money to the Nigerian prince? I bet your parents and brother are able to perform money transfer, so the tech isn't blocking it, but they don't do it.
Windows has very poor security model. It fails all security requirements I mentioned in my previous post. Needing elevated permissions to move a shortcut to a subfolder on their desktop just trains users that a lot of warning in Windows are useless.
A lot of dangerous and stupid activities are legal. Experts influence laws, but they don't have the power to prohibit laymen around them from doing legal things. Running software of your choice on your devices is legal last time I checked.
I remember that in order to unlock the bootloader of my trusty old Xiaomi Mi 5 (I still use it to this day as a test device for development) I had to go to some website, say that I'm happy with unlocking it, agreeing to the terms and stuff and at the end be willing to wipe my device clean and have an "unlocked" written under my boot animation. I think these would stop your average joe, but now I've heared Xiaomi has blocked unlocking your bootloader in its entirety which is a shame, they used to allow root access from inside a stock app.
>They don’t. Categorically.
They do. Categorically.
> The only reason they would try is because they are being scammed with offers of getting something or cajolement entreating them to allow it.
F-Droid installed German university made QR app. Messaging app that government does not like because it disallows spying on citizens.
> The current status quo serves them and many millions of other people very well
Said you.
So well that only time I had to deal with malware and scam in one was when my parent installed QR App from Google Play and got AD served to them to confirm mobile payment.
REALLY * WELL.
> to them
To you.
> it only represents freedom to be exploited.
There is no reason that verification cannot happen in SSL style - and no layperson will create CA certificate, believe me.
> be very cautious when
Because of that Google decided that it will first introduce it in Brazil, Indonesia, Singapore, and Thailand... wait a moment I think I seen that list somewhere...
https://en.wikipedia.org/wiki/Censorship_in_Brazil https://en.wikipedia.org/wiki/Censorship_in_Thailand https://en.wikipedia.org/wiki/Censorship_in_Singapore https://en.wikipedia.org/wiki/Censorship_in_Indonesia
This was created so governments can censor any application that allow people to communicate. To limit freedom of expression. You are made into useful idiot.
The fact alone that the 'test subjects' are people living in censorship-like countries should tell you enough.
> Experts in other fields determine the extent
There is exception here - no one determines who can speak - but now Google can do so by revoking application certificate.
> rip that away
You are ripping that away - all of current democratic infrastructure now requires computer communication.
You are removing user's ability to install software, You are giving governments way to censor and spy on citizen on massive scale. You want change. You should be careful not us.
> all the time.
Not all the time - only when there is reasonable ground. You do not provide one - if you think your 'reason' is good then we should ban all communications because someone may send malware in one of links in them.
If you want apple go apple.
> Me? I’m not asking for control.
Yes you do - you asking for control to be given to governments in long run, saying otherwise is disingenuous.
Nothing prevents that the device is locked by you instead of the "store" or even that the device has a "safe" mode that has to be explicitly disabled by the user in a non obvious way like connecting the device to a computer and running a command or so.
The only important thing is for the bank, Netflix and co to not be able to discriminate. But again nothing would provide the bank to offer a setting for the user to restrict where it can use it's banking app if it was not discriminatory. But we know well where this goes, in the end if you don't enable it
I think the bank should be able to discriminate, they should be allowed to say they only work on locked devices, surely.
It’s a security measure, particularly as we place more responsibility on banks to prevent their customers being defrauded.
You must allow your government issued brain chip in order to have money. But don't worry citizen - you have the choice. You can always choose to never have money.
How will we use the brain chip? Citizen, for your security, you must not ever see the brain chip software. You must trust it is perfectly secure and will not be used for nefarious reasons.
All citizens who deny the brain chip, please board the train to your designated shanty town.
That is understandable, most people are not technical but the few who has a need for it should have an option for it.
As a developer I write apps for myself and I side-load them. Why take away my right to do so, just because other people can't then nobody should?
Because you’re in a tiny minority and it’s more important that more people be protected from malware.
Buy a specifically open phone, and support that market segment.
Well luckily its illegal to do this in Europe due to the Digital Markets Act, so maybe the tiny minority can win .
Nope. The masses have voted with their wallets for the walled garden approach. Maybe if the Linux phone wasn't as terrible or worse than bottom contender Android devices the argument could stand. In an era where move fast and break things is business as usual, we've correctly chosen the devices that just work, even when we must sell our privacy to make it so. The days of IBM/PC compatible are ancient history.
We need a Linux like OS for mobile devices!
PureOS?
This seems counter intuitive.
All nflix da should require is the interfaces outer needs.
Network stack CODECS CRYPTO stack (DRM)
The OS seems irrelevant.
I mean sure you worked be limited to whatever interface a browser could provide.
It's not as if certification of a certain operating system means anything other than the certificate.
Netflix used play4sure beck in my days at Apple, and literally t out was a tick box for them to assure the content owners they had DRM.
Nobody certified apple's netflix app for ATV back then, I know, Ben Lee and I wrote it...
We desperately need OS research, exokernels should be a thing by now, at least then the question becomes moot.
Windows, (alphabet)OS, Linux and BSD all provide operating systems that enable productive work but there's a lot of cruft
alternatively, we should have the ability to run [doom] on hardware we own.
Ha-ha.
Android doesn't even let you access your files. It has famously blocked acess to the subfolders of /Android/data - every app has a subfolder there where it sfores files. And you can not visit these subfolders since Android 11.
A buggy app accumulates gigabytes (literaly, i am not exagregating) of temp files there, but i cant visit the folder to delete them.
Google explains that "it's for you safety".
I have to call it with the strong word "idiotic".
There are apps now where storing files in a shared, accessible folder is a payed option.
And in this world you want to own your hardware.
These arguments always suggest that the hardware/software divide is rigid. A cell phone does not have a single OS, it has many.
Right to repair and right to modify
Is this your human right?
Run doom on my Air conditioner?
just turn it off in summer. it'll be doom level 30 shortly.
Not defending Apple, but when they restrict sideloading it's because they made both the software and the hardware. They didn't exploit thousands of open source developers who basically worked for free making Android what it is right now, only to be hijacked by Google. I used to use Android but I did notice a huge decline around 2015, which was around the time when the Android creator left Google.
If sideloading goes, so does their OS.
What are you planning to use instead?
Cuda disagrees with you !
I think it's time we start revoking our agreements to these terms and conditions or altering them after the fact, taking non-self-destruction of the service providing firm as an explicit acceptance of the new user-defined terms.
Programmers make the same Faustian bargain with all these "safe" languages.
No, please, don't let me touch memory! It's too dangerous. Give me a nice bubble wrapped playpen to "program" in.
What a weird take, here we're discussing fighting the duopoly and hegemony of 2 US companies dictating what and how to use our own devices.
Complaining about programming languages which allow me not to think of malloc bugs when making something not critical makes no sense whatsoever.
It's trading freedom for safety in a different domain no? We deride normies for preferring their closed down operating systems and mobile devices yet make our own freedom/safety trade in our own domain.
This is a relatively obvious universal sentiment with no suggestion as to how to make it happen.
there are plently of choices for hardware you can buy which freely allow any software you want to run.
Governments should be protecting consumers not companies. Every time that company tries to limit consumers in any way, government should step it and forbid it.
That's the whole benefit of having strong central government, that it can curb ambitions of smaller local tyrants.
It is depressing having a government that facilitates and support the mass rape of the populace. I thought the entire point was to lift people up
Why are folks so worried about this. If necessary we build a new generation of phones.
A gentle reminder to the readers here at HN that it doesn't have to be this way. Computer Security is a solved problem[1], and has been so since the 1980s[2]. It's my strong opinion that the only methods you've seen to this point[3-7] were deliberately chosen to be ones that don't work, and make things worse in the long run.
There's no reason we shouldn't be able to run what we want on our hardware, without having to trust anything other than the microkernel inside the operating systems.
[1] https://en.wikipedia.org/wiki/Capability-based_security
[2] https://en.wikipedia.org/wiki/Capability-based_operating_sys...
[3] https://en.wikipedia.org/wiki/User_Account_Control
[4] https://en.wikipedia.org/wiki/AppArmor
[5] https://en.wikipedia.org/wiki/Security-Enhanced_Linux
Your opinion is not "a gentle reminder", "a friendly reminder" or "a public service announcement". It's just your opinion and nothing more.
Ok, so I've trigged quite a reaction with my phrasing. I'm very sorry about that.
Put yourself in my place... Computer Security is a solved problem, and has been for decades, yet we find ourselves in an infinite loop of crises that result in ignorance of solutions. Maybe 5% of all discourse here on HN is about a problem we don't have to have.
How would you push the world to resolution?
You put me on the spot, because I don't understand the subject matter in such depth. I hope somebody who does chimes in. All I can think about is when a man's paycheck depends on not understanding the issue... Many people make a lot of money from cyber security, so would they want the problem to be completely solved?
It's obvious you don't understand what is written in those links. The capability security architecture breaks the false dichotomy of either having to have a fully locked down or open operating system, it provides the technical foundation to grant individual programs, and even parts of these programs, recursively, only the (data, filesystem, network) access and resource consumption (cpu, memory) rights that they need. This is not an opinion, this is a decades old technical solution that humanity ignores at its own peril. While I wouldn't argue that it completely solves computer security, it allows programmers and users to minimize the attack surface of their systems.
I appreciate that I probably don't understand what is written in those links. But whether you're right or wrong - and you're probably right - phrasing your comment in the clichéd "gentle reminder" makes people refrain from taking your message to heart.
Can't you with enough effort?
Sorry, but I was thinking that Apple was forced to allow side load? And now you're telling me that Good Guy Google is disallowing this? How this is legally possible?
Relevant XKCD - https://xkcd.com/86/
I agree with this take, but my view is that it is one step detached from the root cause. The right to property is fundamental and inalienable. A person who can't own things isn't free, they have no claim on liberty.
That said, service providers, corporations and the like should be allowed one remedy: They can refuse future services and business to anyone if that person violates whatever b.s. rule they came up with.
However, the government (any government) has no authority to police post-ownership activity in a manner that deprives the owner of their property rights. In other words, they can say "You can't own an AK-47" or "You can't generate sound over certain dB" , but they can't say "You can't shoot your AK-47 on your property, even if it pauses no risk of harm to others, but you can own it", and they can't say "You can't use your speaker at maximum volume" (they can police the sound you generate but not the usage of your property, if the speaker passes the legal threshold then the speaker isn't relevant, the sound generated is).
This also applies to free (not commercial) sharing of property (copyright laws are fundamentally invalid).
The problem is, I am talking logic and reason which doesn't translate well into real-world scenarios. In the real world, the guys with the biggest guns make up random rules and pretend it is just and valid.
The reason I'm stating all this, is in the hopes that I can convince anyone who reads this and maybe if enough of us agree, some day democracy might work and laws can change.
The government can prevent ownership of things. It cannot however pass laws that dicate you can come into possesion of things and by all reason it is your property, but as a matter of technicality it can't be considered property and is subject to arbitrary usage laws by the government or rules by third-parties.
That said (I promise, my last one!), access to network services is special. If someone made some software where to function it requires some network service, and they came up with random rules on the network service side, then that is also their right, since that service is on their property. The remedy people have for this is to avoid that service. And if that service is the only one of its kind and using it is required, then the government has a natural obligation to protect the public against monopolies.
I had a hole other post/thread that got negative feedback and some interesting discussion about Google, Android and their sideloading policies. If you glean anything from this post of mine, please let it be that I am advocating for solving of the root causes of these problems. It is all too easy to be reactionary and fall into these rage-baiting events. Solving root causes is never easy, but good solutions are often simple. If reasonable minds can have a healthy discourse to find these solutions then many problems are solved, instead of playing whack-a-mole forever.
Termux
Some things shouldn't be left to amateurs to repair. Just because you "own" the hardware doesn't mean you're equipped to fix it safely or securely. Modern devices are tightly integrated systems -- tinkering with them can make them less reliable, less secure, and sometimes outright dangerous. Manufacturers lock down certain layers not just out of greed, but because risk management protects both users and the people around those users.
If you agree with this article, do you also agree with these statements?
* "We should be able to repair our firearms with freely available full-auto conversions kits."
* "We should be able to repair our own cars, and add software like Volkswagen did to bypass EPA and state inspection testing."
* "We should be able to repair our own homes and offices, and ignore building codes and ADA guidelines."
Non-sequitur. Full-auto conversion kits are illegal. If you're not repairing the house for the intent of selling it, there's no reason for it to be inspected, so that is already possible. Not even gonna comment on the car example, because it's hilariously out of touch.
We are talking about software.
As for the new Android restrictions I assume my Galaxy S20 will be immune to them because it's not getting (major) updates anymore. I'll continue using it as long as I can to avoid this. Does anyone know the most recent Galaxy phone that will be safe from this? I want to get a backup.
It likely won't be safe - they're probably going to enforce it through a Google Play Services update rather than an Android update, which means all previous Android OS versions after 5.0 (Lollipop, released in 2014) will be hit with the changes. In order to bypass that you'd need to install a Custom ROM or stop using and uninstall the Google Play Store entirely (since it's not possible to selectively disable just this).
Android uses Google Play Services updates to update some features or security without relying on manufacturers to update the OS and drivers.
I seriously doubt they can restrict sideloading through Google play services.
But if they do then it’s worse than what I thought.
Entirely possible, i.e. by not allowing Google Play Protect to be toggled off anymore.
tbh I don't even care about support, just give me the keys
but ultimately it doesn't matter, if the market could bear the additional cost a competitor could emerge... but they barely do anywhere
honestly at this point in life I think it would be easier to change society to be structured in a way to make the people running these companies want to give it to you
Anyone who doesn't agree with this is a collaborator and should be publicly shamed.
No, says the man in Hollywood - those cycles belong to the MPAA
No, says the car manufacturers, those cycles belong to us
No, says the nerds in Redmond, your computer belongs to us
Weird last example, Windows is freer than Apple/Google. There's no path to locking down Windows like Android or iOS, half the world would break. Apple originated and normalized this, Google is following.
Microsoft will absolutely go down this path, they just have longer commitments and product cycles.
I’d guess in 5 years you’ll start getting friction for using AD, and heavy push towards cloud services first. You’ll probably have to subscribe to legacy features or migrate to Azure to use them.
Their legacy systems management tool is a zombie product, and the replacement is Intune, which and an MDM solution which locks you out of your computer similar to Android or iOS.
I’ll be retired, so IDNGAF, but in 15 years, Microsoft will be capturing all of the value they give you for free in windows. The future will look like a 1980s mainframe.
A few weeks ago someone was posting links to a thing MS is trying to push, which would require signed code for local execution. It had a weird name but seemed like they’re trying.
Windows 10/11 S is that path. Microsoft has walked it already; They just have to push the net wider over time.
apt Pkg install nmap
no, we must.
That doesn’t benefit the corporations, so it’s communism.
no, however, bootloader muck be unlocked and software must be open sourced when device reaches EOL
Run meant run ok and that meant support if it not running … should have the ability meant we can do it on our own … does it major any sense in general. No.
You can agree on anti-monopoly but to say we (who is we here) can do this without any resource consideration is not thinking but wishful thinking.
Open source is not wishful thinking but until the user pay …
We’ve got a solution to that.
What makes you think you can own hardware, you fascist capitalist pig dog!
the Android change doesn't impact your ability to plug in your own device and run your own code or someone else's code
the change impacts closed source software distributed without verification which is by definition unknown so the "want" is not possible - i.e. you can't know if you want to run it.
The editorializing of this article title changes the meaning, please restore it.
But to answer the claim, no, only software that you own or are allowed by the software owner to run, is obviously what should be allowed. And clearly illegal and harmful software should not be allowed at all. It's a no-brainer.
You can. You can jailbreak your iPhone. I assume you can do so with Android. Problem solved.
Oh, you want to jailbreak it and use it as an authenticator? No. That doesn't seem like a reasonable requirement.
You don't have to jailbreak some Android devices, namely the Google devices (provided you didn't buy them from a carrier).[1] They are designed to allow alternate firmware.
Instructions for installing alternate firmware : https://grapheneos.org/install/web
"you can run anything you want as long as it's not what I don't want you to run" seems like an odd argument to make.
Jailbreaking iPhone doesn't let you install GNU/Linux on it.
I like the idea of course, but such legislation would also be very disruptive, because it affects the entire supply chain. Every maker of any gadget, be it random white label android smartphone, set top box or smart home camera would have to negotiate with all their component suppliers to obtain full documentation instead of just driver and firmware blob. So would these suppliers with their suppliers. For mor niche components it seems plausible that no proper hardware spec exists and it’s instead through a combination of hardware descriptor languages, the driver code and good old tribal knowledge. Forcing Google and Apple to allow side loading on their OSs just requires them to flip a switch. I think there are also compelling reasons why smartphones are special. It’s a duopoly and most people have got to have one to properly participate in modern society.
Good. It only needs to be done once and the datasheets are already written and often circulate underground.
Component supplier should not be allowed to only provide datasheet upon signing an NDA and only to some customers while providing chips to the resellers. If you put it on the open market, cough up the FULL datasheet, period.
This seems like the perfect case for legislation that starts out targeting higher volume devices/larger companies and lower over time.
I don’t see why the industry couldn’t move to providing this documentation/full source over a few years.