There are a ton of products on the market that are vastly more dangerous than computers: guns, cars, motorcycles, bicycles, chainsaws, table saws, cigarettes, alcohol, junk food. Yes, consumers do sometimes harm themselves by using these products. That's the price of freedom. I think it's bizarre that we treat computers as the most dangerous products in the world that for some reason demand paternalism, when none of these other products are locked down by the vendor.
The reason that computers are locked down by the vendors is not that computers are somehow more dangerous than other things we buy. The reason is simply that it's technically possible to lock down computers, and vendors have found that it's massively, MASSIVELY profitable to do so. It's all about protecting their profits, not protecting us. We know that the crApp Store is full of scams that steal literally millions of dollars from consumers, and we know that the computer vendors violate our privacy by phoning home with "analytics" covering everything we do on the devices. This is not intended for our benefit but rather for theirs.
If protection of the casual user was an argument, there would be an easy option to unlock your system, be that phones or desktop computers.
But on many systems these options do not exist because the vendor likes people dependent on them. This is why devices like chromebooks or all mobile phones are more or less e-waste in the making. In my opinion it is a waste to use any development capacity for these systems apart from consumer devices offering the next shitty app that hopefully always stays optional.
We even have dysfunctional laws that require banking apps to only run on these shitty systems. In my opinion, these errors need a quick correction.
Also, most cases of scam still work as they did before, and exfiltrating information, e.g. tracking and "diagnostic data" by bad operating systems, is an additional security problem.
> If protection of the casual user was an argument, there would be an easy option to unlock your system, be that phones or desktop computers.
Making it easy to unlock could make it easy(er) for scammers to get it unlocked:
> I received the same type of call a little later in the day. They were very adamant they were calling from the Bell data centre, on a terrible line and I made them call back three more times while I considered their requests. They wanted to have me download a program that would have given them control of my laptop. […]
> But on many systems these options do not exist because the vendor likes people dependent on them.
Dependent is not exactly the right thing here. Lower support costs probably is. If a vendor gives out root access. If that root access can brick a machine. Then you will get a small percentage of very high touch broken things as returns. Customers like this are in the 'dangerous enough' but not 'good enough to do it correctly' stage of hacking. They will then not claim any responsibility for breaking it. As they are hoping you just fix it for free.
I had one customer who would randomly change out stored procedures on our code. Then yell at our tech support for things not working or being broken. Wasting hundreds of hours of time until we realized what he was doing. Locking him out is very appealing. Instead we sold him and his management on 'we will do the work for you for a fee'. Which was more along the lines of 'you do this again we will fire the customer'.
Before we put all the blame on vendors, I submit to you, ladies and gentlemen, this: the public finds this tradeoff (privacy for entertainment) completely acceptable. With all the outrage, privacy-centric solutions are out there and relatively easy to find, how come they don't get more traction? Including among the HN crowd?
There is nothing inherent to the benefits that these companies tout that require them to lock us out of our own devices.
What you are describing is not a tradeoff but a magnificent bribe. They bribe us with measly benefits in order to accept the deal that is incredibly favourable for them.
I'd argue the general population doesn't even know this trade off exists (not helped by the pros being advertised to users and the cons purposely not mentioned). Even then the minority (us) shouldn't be stopped from doing what we want with our stuff just so some company can make more money.
> privacy-centric solutions are out there and relatively easy to find
Really? Please name them. Over the past 10 or 15 years, I've never seen anything other than the iPhone/Android or Mac/Windows duopoly for sale in any retail store. I've never seen any advertising for other than those duopolies. The HN crowd may be aware of obscure options, but for the vast majority of consumers, they don't exist. And since we as developers make money catering to the vast majority of consumers, we're kind of stuck with the duopoly too, at least as far as our work is concerned.
I have no data to back this up. So what follows is purely my personal opinion.
I think the reason people don't care is because they don't know. The average person either doesn't know or barely knows that anything deeper than what they see in the user interface is happening on their system.
We humans are very much an out of sight out of mind type of creature. If we can't see it, it's hard for us to imagine that it exists.
Exactly. Even the people who complain about these things immediately get defensive when you call them out on their uses: "Well, I can't switch because what about my banking app?" or "Well, games don't count as software to me." or "It won't make any difference to the big tech companies if I'm the only one who switches, so why bother?"
This isn't about privacy. Not directly anyway. This is about your right to have control of your own property.
You make a fair point though; the case does need to be made as to why this is a market failure and not just consumer choice working as expected. Why _do_ consumers tolerate manufacturers retaining ultimate control of consumers' property after the sale? It certainly doesn't seem to be that important to them. Maybe greater awareness of the issue would help somewhat?
was that when they said “instead of uploading the images to our servers to do the CSAM scan, we’ll do a quick once over in the privacy of your own phone to see if we can allow-list your photo” ?
And then the whole world suddenly went apeshit, so Apple basically shrugged, said “fine, we’ll do it just like everyone else and put your photos in the relatively unprotected server domain to do the scan”. Sucks to be you.
Understand that at no point was there an option to not do the scan on upload, like all cloud providers, Apple scans for CSAM on any uploaded photos to stay out of any government grey areas.
It also significantly hampers progress and the utility of tools themselves.
This is hacker news after all. What made the computer great was programs. What made the smart phone great (smart) is applications. It's insane to me that these companies are locking down their most valuable assets. The only way this works is if you're omniscient and can make all the programs users could want yourself. This is impossible considering both individuality and entropy (time). Both in the sense that time marches on and the fact that you don't have time nor infinite resources to accomplish all that. I mean we're talking about companies that didn't think to put a flashlight into a phone but it was one of the first apps developed. You could point to a number of high utility apps, but I'm also sure there's many you all use that you're unlikely to find on most people's phones.
We can also look at the maker community. It's flourished for centuries, millennia even. People are always innovating, adapting tools to their unique needs and situations. To some degree this is innately human and I'm not embellishing when I say that closed gardens and closed systems are dehumanizing. It limits us from being us. That person obsessed with cars and makes a sleeper Honda Civic, that person that turns trash into art, that person that finds a new use for everyday objects. Why would you want to take this away? It even hurts their bottom lines! People freely innovate and you get to reap the rewards. People explore, hack, and educate themselves, dreaming of working on your tech because of the environment you created. By locking down you forgo both short term and long term rewards.
I also want to add that we should not let any entity claim to be environmentally friendly or climate conscious that does not create open systems. No matter how much recycling they do. Because it is Reduce, Reuse, Recycle. In that order. You can't reuse if your things turn to garbage and reusing certainly plays a major role in reducing.
this!!! sustainability is a huge aspect that seems to be getting lost in the broader discussion. locked devices are leading to an incredible amount of e-waste and it's entirely preventable.
And there are plenty of laws in many countries on how to use them, seatbelts, helmets, chain gloves, plastic cover, minimum age, access exam,...
Failure to obey them might get jail time in those countries if caught disobeying, or a hefty fine, not counting what misuse might bring in, regardless of the country.
> I think it's bizarre that we treat computers as the most dangerous products in the world that for some reason demand paternalism, when none of these other products are locked down by the vendor.
That's because there are people behind every product, and the people behind computers tend to be the paternalistic, nanny-state type. Just read through the histrionics in any HN thread about leaf blowers, they want every landscaper locked up and their tools of the trade taken away. Someone once suggested they should be forced to use rakes. Imagine if some landscaper insisted what laptop you should use.
As you wouldn't expect to find many in-the-Army buzz-cut guys roaming the Google campus as you would at a gun company, you wouldn't expect some blue-haired face-pierced sales engineer selling you table saws.
By "we" I meant online commenters debating the issue of tech company device lockdown.
I didn't mean "the law". To the contrary, the submitted article author was proposing that we pass laws giving greater individual consumer rights over their devices. But the big tech companies have been viciously fighting against consumer rights, such as the right to repair.
Actually, chainsaws, table saws, cars, motorcycles, and even guns all have safety mechanisms installed by the manufacturers and tampering with them voids the warranty.
Nobody is arguing that computers shouldn't have safety mechanisms. But the manufacturers of those devices don't have remote control over what I do with them. There's no equivalent of a "curated App Store" (and one that requires a 30% cut to the manufacturer, which is the real point behind it).
The equivalent would be if you could only use specific brands of replacement chains, blades, tires, or bullets that are approved by the manufacturer, for which the manufacturer gets a cut of the sales of those replacements.
Tampering with safety mechanisms on your car voids the warranty on the safety mechanism, not on your whole car. Otherwise using third party mechanics would be impossible.
> There are a ton of products on the market that are vastly more dangerous than computers
The thing with chainsaws and motorcycles is that they look and feel dangerous, and people have an intuitive understanding of how to approach those dangers.
If you ask a random person on the street about safe motorcycle riding, they'll probably tell you about respecting speed limits, wearing protective gear, only doing it when sober, not pulling stunts / showing off etc. I've never been on a motorcycle, have 0 interest in them, and I know those things.
Computers don't work that way. People can't distinguish between a real banking app and a fake banking app that looks real, an update pop-up and a fake "you need to update Adobe Flash Player" pop-up on a phishing website etc.
I've done plenty of "helping non-technical people out with computers" during my middle / secondary school days. That was when people still used Windows a lot, as opposed to doing everything on their phones. Most computers I've seen back then had some app that hijacked your start page, changed your search engine to something strange, would constantly open random websites with "download now free wallpapers and ring tones for your mobile now" etc. You didn't even have to fall for a scam to get something like that, plenty of reputable software came with such "add-ons", because that's how you made money back then.
I feel like that era of "total freedom" has somehow been erased from our minds, and we're looking at things through rose-tinted glasses. I, for one, vastly prefer the world of personalized ads and invasive surveillance over one where I constantly have to be on alert for my default browser being changed to Google Chrome for the hundredth time this year, just because I decided to update Skype.
> If you ask a random person on the street about safe motorcycle riding, they'll probably tell you about respecting speed limits, wearing protective gear, only doing it when sober, not pulling stunts / showing off etc. I've never been on a motorcycle, have 0 interest in them, and I know those things.
How did this matter? People may know these things, but they nonetheless ignore speed limits, don't wear helmets, drive drunk, pull stunts, etc. And the motorcycle manufacturer can't stop them. They have the freedom to harm themselves.
> Computers don't work that way. People can't distinguish between a real banking app and a fake banking app that looks real
Guess what, people can't distinguish between the real and fake apps in the crApp Store either. Let's stop pretending that it's safe, when we've seen over and over that it's not.
> That was when people still used Windows a lot, as opposed to doing everything on their phones.
People still use Windows a lot. Smartphones have not replaced desktop computers but rather added to desktop computers. Almost every desktop computer owner also has a smartphone. I believe that desktop computer sales are as high now as ever; I know that's true for Apple Macs, specifically.
> I feel like that era of "total freedom" has somehow been erased from our minds, and we're looking at things through rose-tinted glasses.
It hasn't been erased. The desktop never left. It's been surpassed in volume by smartphones, of course, but let's not pretend that desktops were somehow made obsolete and removed from the Earth. The people who have enough money buy smartphones and desktops. Many even have a smartphone, a desktop/laptop, and a tablet. The choice is not about security, it's about money and form factor. When I leave home, I put a phone in my pocket. When I'm on the couch, I use a laptop. When I'm reading an ebook, I use a tablet.
> You didn't even have to fall for a scam to get something like that, plenty of reputable software came with such "add-ons", because that's how you made money back then.
That's why you never blindly clicked "next" in installers. Everyone got one of those IE toolbars accidentally at some point, but it usually only took doing it once to learn the lesson.
> There are a ton of products on the market that are vastly more dangerous than computers
An irrelevant "whaddabout" argument.
It doesn't change that we need security and privacy for our information handling devices, as well as personal control. The real conversation is about how to best balance these.
> It doesn't change that we need security and privacy for our information handling devices, as well as personal control. The real conversation is about how to best balance these.
An irrelevant false dichotomy argument. There's no inherent conflict between security/privacy and personal control. I would argue that a device which has to phone home to the vendor to get approval for everything results in both less privacy and less personal control.
> It doesn't change that we need security and privacy for our information handling devices, as well as personal control.
I can do online banking on my PC as root user if I so choose, but I cannot do online banking on my phone because my bank's app employs a rooting detector SDK that as of now even Magisk+a host of (questionable) modules can't bypass.
Thanks, but no. I'm never buying a device with easy root access for a non technical family member ever again. Freedom is great, and I'm using this freedom to buy something with exactly the capabilities I need.
So they'll never use a PC or laptop or anything of that ilk again?
To use the same logic, they shouldn't be given anything with a visible screw, or are you going to tell me they _wouldn't_ take a screw driver to an appliance because that would be silly for someone who doesn't know what they're doing in there?
It doesn’t have to be easy enough to let through a person who doesn’t understand what they’re doing (aka blindly click through the annoying popups - that’d be bad).
And non-owners shouldn’t be able to have access solely based on their physical possession - quite the contrary, owner should have means to fully use hardware security features for their personal benefit, locking their own device as tight as they want (within the device’s technical capabilities).
I take it you mean easily unlockable bootloader, not really out-of-the-box root access which no phone has.
I have taken the opposite stance on that. Never again will they be left with some Samsung bloatware which hardly receives any Android updates when phones such as Nexus, Nokia and Nothing cost the same and have excellent LineageOS support.
Lineage is stable, bloat-free, self-updating and requires no maintenance from my side.
And here is (in effect) a completely legitimate reason for manufacturers to wall off root access. They did not want to sell and support a full-access, general-purpose computer. Nor provide liability coverage for anyone who reprograms their toaster and starts a fire.
"The reason that computers are locked down by the vendors is not that computers are somehow more dangerous than other things we buy"
It makes sense to allow the _buyer_ to responsibly lock out others. This is common in other products that could be dangerous. But allowing the _seller_ to lock out others, e.g., competitors or the buyer, is a recipe for malfeasance, at the buyer's expense. Interestingly, with computers and pre-installed software, there is no option to lock out the sellers such as Apple or the companies that partner with sellers and pre-install software on the computers, such as Microsoft, Google, etc.
"It's all about protecting their profits, not protecting us."
It is interesting that the "protections" are not optional. It assumed _every_ buyer wants the protections from others _and also from themselves_ enabled by default, and also for protections from so-called "tech" companies to be _disabled_ by default. A remarkable coincidence.
Perhaps if buyers were given the option to login as single user and change the default protections some (not all) might disable phoning home to Silicon Valley or Redmond. They might block unwanted access to their computers by so-called "tech" companies who sell them out as ad targets. The so-called "tech" companies and their customers (advertisers) from other people's computers might be locked out.
Indeed letting buyers lock out whomever they choose might diminish the profits of so-called "tech" companies.
In the past HN commenters often sidestepped the question of these "protections" as self-serving and argued that so-called "tech" companies serve the "majority" of computer users and in fact these "protections" are what computer users want even though these users were never asked or given the choice to opt-out. If that were true then allowing a "minority" of users to control the protections themselves, i.e., operate as root, would only affect a minority of profits.
my fuel injected chain saw, has a data port,
but luckily, my back woods repair shop showed me the computerless, seasonal re-tune procedure
that only requires a stop watch, works a charm
As to other devices....phones, we need a whole rewrite of the privacy and publishing laws, to allow each person to regulate themselves. With an ultra basic "standard" set up for the masses who do want to be entertained, while having buying "opportunities" presented to them. But it has to be consensual, and basics like a phone number, email address, and personal/commercial web space, a non alienable birth right. Ban utopian concepts outright, and get back to being the quarrelsome and somewhat violent species, that we are.
I am starting to wonder, is the root cause of all of the ancient civilisations, lying in their own dust, what we are doing now, and the vast echoing silence from the stars, the same.
We're heading the opposite way of not being able to buy anything "dangerous" thanks to consumers that you're describing. I've been using a Xiaomi phone that stopped receiving updates in 2020, and have since been running LineageOS, which was made possible by the unlocked bootloader. Xiaomi has since changed its policy and it's basically impossible to unlock the bootloader on newer devices.
If not for the "dangerous" unlocking, I would have to run with dozens of severe vulnerabilities right now, all five years worth of them. A decent phone costs large amounts of money here, the hardware on mine is still very good, and so I would have used it regardless. (Yes, I understand that the firmware does not receive updates, but it's still much better than nothing.)
My guess is that you're assuming, wrongly, that vendor locked devices are "safe" and unlocked devices are "unsafe".
All computers that are connected to the internet are unsafe in some ways. The most dangerous apps on your computer are the vendor's own built-in web browser and messaging app.
Also, the vendor-controlled software stores are unsafe cesspools. You will never find a more wretched hive of scum and villainy. Moreover, the vendors deliberately make it impossible for you to protect yourself. For example, iOS makes it difficult or impossible to inspect the file system directly, and you can't install software such as Little Snitch on iOS that stops 3rd party apps—as well as 1st party apps!—from phoning home.
In any case, most computers, including Apple computers, have parental controls and the like, so you can lock down your own device to your heart's content if you don't trust yourself, or you don't trust the family member that you're gifting the device.
> Yes, consumers do sometimes harm themselves by using these products. That's the price of freedom.
"Freedom" is also a terrible argument for this. What does it even mean? Freedom from what? Freedom to do what? It's such a meaningless word you're going to lose half your audience just by bringing it up.
"Freedom - the condition of being free; the power to act or speak or think without externally imposed restraints"
When the context is "digital devices", it becomes pretty clear what it means. You should be free to use it however you want, without externally imposed restraints.
Locking down the device so much so users cannot run applications they've written themselves without the approval of the company who made it, isn't "freedom" as the required approval from the company breaks the "without externally imposed restraints" part.
This is a very popular HN opinion; but not a very popular real world opinion.
The average customer wants a device that works consistently, every day, that is easy to use, with a collection of 3rd party apps who won’t steal their life savings.
Windows failed to deliver this; the average customer never downloads an Exe from a newer publisher without terror. The average consumer is literally dozens of times more likely to trust a new smartphone app than a new desktop app.
We can also see this in the console market. Windows exists; old gaming PCs exist; the locked down console market will be with us forever because even Windows can’t deliver a simple experience that reliably works.
The average customer wants a car that doesn't explode because you installed a sketchy spark plug. Does that mean the manufacturers should install locks on the hood of every new car, with the threat of jail time if you pick the lock and look underneath?
Sounds a lot like "We don't need free speech because I have nothing to say".
Just because you don't need or want it, doesn't mean it's not an important right to protect. Considering the influence of computers these days, the right of general purpose computing is probably at least as important as the right to free speech.
> The average customer wants a device that works consistently, every day, that is easy to use
And it can only be achieved with a fully locked down hardware?
Of course not. The modern OS achieves system security through permission and isolation, which don't require bootlock etc to work. In fact, it worked well too even after the device is unlocked & rooted.
> Windows failed to deliver this; the average customer never downloads an Exe from a newer publisher without terror
Windows (and Linux for that matter) is not a modern OS. They're classic OS that offers the entire computer as playground for the program running on top of it. That's why Windows can be contaminated with a single malicious EXE, but not Android or iOS.
OSs are not the same, don't try to get the water muddy that way.
There's nothing wrong with wanting that, but as the author said those of us who want to opt-out should have the choice to do so.
If I buy an iPhone, I should have the option to completely disconnect it from Apple and be able to replace the OS with whatever I want. If I do not have the option to do that do I REALLY own the device? The answer is no because what I have is a device that I can only use the way Apple allows. When the phone is obsolete and Apple stops updates then all I can do is send it off for recycling since Apple won't allow me to repurpose it with new software.
You are putting a lot of trust in the manufacturers as well. For example, they have the technical capabilities to kill the second hand market in their devices if they simply decided to refuse to allow a new user to login to a device. Sure, you could still sell the hardware, but it wouldn't be much use if the manufacturer stopped it from connecting and authorizing. I know this is an extreme example and no sane manufacturer would implement it, but I think it demonstrates why having the option to disconnect is a good thing.
The same applies to all other devices that are locked down, things like smart TVs, IP cameras and appliances. Just look at how many early smart TVs are now dumb because the manufacturer stopped updating the on-board apps. There should be no reason why the owner of such devices should be allowed to do whatever they want with them to try and bring them back to life.
> with a collection of 3rd party apps who won’t steal their life savings.
This is blatant unempirical scare mongering. How many desktop computer users have had their life savings stolen by 3rd party apps? Citation needed.
> The average consumer is literally dozens of times more likely to trust a new smartphone app than a new desktop app.
This is a false dichotomy. Almost all desktop computer users have a smartphone too. The people who have enough disposable income buy both smartphones and desktop computers. There's no inherent conflict between the two.
> the locked down console market will be with us forever because even Windows can’t deliver a simple experience that reliably works.
That's a completely ahistorical interpretation. Originally, the gaming consoles had no third-party games: the games were all written by the vendors. The first third-party game development company was Activision, a group of former Atari programmers who learned that their games were responsible for most of Atari's revenue, but Atari refused to give them a cut, so they left and formed their own company. There was a lawsuit, and it was ultimately settled, allowing Atari to get a cut of Activision while allowing Activision to otherwise continue developing console games. It had nothing to do with "reliability" or "security" or any kind of made-up excuse like that.
> Windows failed to deliver this; the average customer never downloads an Exe from a newer publisher without terror. The average consumer is literally dozens of times more likely to trust a new smartphone app than a new desktop app.
Yet that trust is, for the most part, unfounded. There's a ton of malware in app stores - you can assume any app that contains ads is sending data about you to some shady server, for example. You can't even trust the most popular apps not to be malware [0].
If you explain all details about the advantages and disadvantages to them, I am sure they would think differently.
There are much more "hostile" smartphone apps that exfiltrate your data and sell it to the largest bidder than there are compromised executables these days. Also there are more profitable scams than compromising a PC system outside of industrial espionage.
PC in contrast to consoles always were a cost or usage factor. The difficulties of operating a PC isn't significant. It also heavily increases digital competency of the user for computer systems. If you really don't want that, you have other options.
that's a, frankly, stupid argument. the conclusion doesn't follow the premise.
then don't root your phone or download an .exe. having the ability to do something doesn't mean you are forced to do it.
not safe enough for you? fine! make the current status quo comfortable walled-garden-of-illusionary-fake-safety the default. for example, there's no reason windows needs to by default allow unsigned code to run. hell, even make it really annoying to turn off.
but the "safety" and "easy to use" arguments against right-to-repair, digital rights, ownership, etc. is simply nonsense. there is literally ZERO negative safety or usability impact to anyone else's device because i'd like to own mine.
it's also an insulting and disingenuous argument to hear anyone on this forum make: our careers and entire segment of the economy would not exist if it were not for open systems. and it's insulting to basically say "bubba/granny is too dumb to be trusted" with owning their own device.
I detest Google, but I do think they made the right call with Android devices and Chromebooks. You can unlock either as long as you are willing to totally wipe the device first and start over as a new device under a new security context.
This removes the risk of this being abused to compromise the data of stolen devices or evil maid attacks unless a user that knows what they are doing has explicitly opted themselves into that risk.
I contacted Google through the BBB. Made the statement that lack of ability to install and configure a Kernel level firewall, edit the HOSTS file, and remove unwanted bloat-ware reduces the security of the product. Google agreed their actions do this and said they find the lack of security acceptable. Having a firewall like Little Snitch should be acceptable to know where the phone is communicating, with whom, and how to prevent it.
Re-imaging with a rooted image is not acceptable because this also reduces the device's security by preventing OTA updates!
Gated community is broken when the end user cannot improve the security of the device above and beyond the lax policies of Google and Apple. For instance there should be no reason my device ever communicates with organizations I do not support such as Facebook or X-Twitter. X-Twitter is often used as command and control service in plain sight.
It is not just outward communication to monitor but inward too. I've used Zone Alarm in the past at an international company to help find the infected servers and computers that were serving up viruses and other malware.
*I would argue that the "Gated Community" analogy is flawed. A real world gated community still allows for the home owner to improve the security. By installing cameras, security system, and guards. Apple & Google prevent such actions.
There are indeed software firewalls on Android that use the VPN functionality to implement something like this so they don't even require root, I believe Glasswire offers one.
It does create an interesting choice, though. For example, certain apps will enforce attestation based on the bootloader status. Even if the user wipes their device and relocks their bootloader with their own keys, this doesn't count as fully secure per the bootloader status. Only Google's keys count. Of course, it is also almost prohibitively difficult to deliver yourself OTA updates after this point. I worry that one day I will have to keep two mobile phones; one for bank apps, which has not been altered from the vendor's security defaults, and one for everything else, that I am actually allowed to modify.
At the moment, I just run GrapheneOS and don't bother with any modification. It is not worth the hassle. I've already had my bank account locked out because a Google Store-bought Pixel phone was flagged as "stolen", probably due to some attestation measure (they could not tell me why). They recommended that I purchase a new phone.
Right now, although it's possible to use Android with either root or a third party ROM, attestation breaks all sorts of little things. Today this is mostly banking apps, and anything that involves NFC, but this isn't where it's going to end.
Attestation requirements are only going to become more prevalent. I predict that in a few years basically all proprietary software for Android will require attestation.
So... you may still be able to unlock the device and make it yours, but you'll also be locked out of the ever expanding and ever-more-isolated walled garden.
If you can live off of GrapheneOS and F-Droid, that's great, but for a lot of users this won't be a real choice, because you increasingly need proprietary software for access to real things in the physical world (i.e. I needed to install a special app for event tickets recently).
The problem with bootloader unlocking on modern Android devices is that they have a hypervisor that you don't get to ever unlock but that will snitch on you and make some apps, like some banking ones, refuse to work because the "integrity" of your device could not be verified. In other words, because these apps can no longer be certain they are able to hide data from you the device owner.
Magisk exists, yes, but it's a flimsy temporary solution. It only works because it's able to lie to Google that your device doesn't support hardware attestation. As soon as Google starts requiring that all devices support hardware attestation, it will stop working.
If software doesn't want to run on your hardware because it can't make sure you're not tampering with it, why is it wrong for doing so? You're not necessarily entitled to the ability to run the software, right? I understand the implications this has on one's ability to create custom operating systems is troubling (e.g. this could destroy desktop Linux), but at the end of the day I guess it is just a choice the developer is allowed to make. It's not like they distribute the binary with no strings attached.
And there are some real strong reasons why you benefit from this sort of ability, such as preventing folks from cheating in competitive games. I can't say that all uses seem to have good reasons to use it, but that seems like more of a vote with your wallet sort of situation. Perhaps the play store should also have stricter requirements on acceptable use of attestation and ensure they are upheld.
They require hardware certification for the Pixel Screenshots app... and for anything that uses Gemini Nano (Call recorder summary, weather, pixel screenshots, etc).
I agree useful rooting should be easier, but it's definitely possible and not super hard to hide rooting.
I'm typing this on a rooted phone where all (banking) apps work just fine. All it takes is downloading an app (Magisk) and adding apps to a list that need to have rooting hidden.
> We don't just need root access, we need undetectable root access.
At some point the argument morphs from 'I should be able to do whatever I want with my device' to 'I should be able to access your service/device with whatever I want'.
The fact that Google allows this shows that
1. Apple could do it with zero security impact on anyone who doesn't opt in
2. They could keep any service-based profit source intact
But they still would never do it. Because it's not only service based profit they want to protect. They want to restrict customers from running competitor's software on their hardware, to ensure they get their cut.
Agreed, that's a good solution. I can root my phone immediately when I buy it, or I can leave it locked if that's my choice. That's the best of both worlds.
I would argue that the best of both worlds is being able to add your own keys and then relock the bootloader. Which Pixel devices also do:) Not sure about Chromebooks; I kinda think you maybe could reflash the firmware and then put back the write-protect screw?
The reason why this will never happen is simply due to things like DRM.
We right now have ENCRYPTED signal going from our computer to our displays, not just computers, but phones too SIMPLY to prevent people from dumping raw data.
All of that extra processing done just so you're allowed to for ex: watch netflix with a resolution higher than 720p. Then comically there's Chinese capture cards that you plug your GPU into, use mirroring mode and completely bypass it.
DRM is just one example, there's many more motivations such as preventing paid apps / pay for currency games from having these things given for free. This is the primary reason why iOS devices make significantly more money than Android as it's near impossible to pirate / hack / crack for an average user.
I think in the not too far future, every electronics device will be locked down. Laptops and desktops can be locked down too. The technology is already there. They can also throw in AI for recommendations i.e. lock down users' mind too. Think what this is going to do to the next generation if they start using electronic products from 6.
For example, if anyone is interested, check out the computers Chinese governments are using right now. They are basically large mobile phones running some sort of Linux, but the whole thing is locked down. Fortunately things are OK on the commercial side but again it's more and more difficult to root or unlock a device.
And now the Western states are following suit, except it's the corporations that are leading the charge.
If they achieve this, and wipe out all commercial electronics distributors such as Mouser, then we need another underground railway movement to teach people to scavenge and build computers in that Dark Age.
I'm not joking. This could be real. It's already shaping.
I suspect DRM will eventually be self defeating. For example, I prefer to torrent content just so that I can get stuff to play using my media player of choice (and the instant seeks) without any hassle. Most normal people probably aren't even aware this is an option.
But with cryptocurrencies normalizing it's only a matter of time before a paid piracy service emerges that is both cheaper, simpler and better than Netflix or any other streamer. Some arguably already have.
DRM was being broken for years without even a monetary incentive, with one it won't stand a chance.
I'm a senior person who looks after content protection and anti-piracy at a major streaming company.
The idealism of those who want to see the demise of DRM doesn't actually hold up in the face of reality. Even when we remove restrictions and give global access to content, for free, pirates don't give up. One of the reasons is that many pirate sites get ad revenue, piracy is a business for many folk and they get the benefit of not paying for the most expensive part. They also don't have legal/regulatory compliance, taxes and will often operate their infrastructure using stolen credit cards or accounts (we can see this).
Then you have people who are selling legitimately and trying to provide the best service for customers, but who have to pay for the content, competing with people who don't have any such responsibilities. So, customers take the cheap deal.
Some folk are also under the assumption that streaming services are money grabbing. Except when you actually look, most streaming services are running at a loss, or barely profitable.
I'm just working to protect our company and reduce losses, ultimately I am not preventing people getting access to fresh food or water. I am protecting premium goods from being illegitimately exploited and protecting the jobs of my colleagues when we're already under significant cost pressures.
One reason I post about these things on the internet is in the hope that one day we might have a constructive dialogue about how to balance freedoms AND enable commerce. But at the moment we have extremism, libertarian ideals against company lawyers.
Perhaps it imposes some restrictions, like using TPMs, but I don't think it excludes what the author is suggesting, which is the ability to run as root.
Case in point: every popular desktop PC lets you run as root, and also watch DRM content. They aren't totally mutually exclusive.
You can't play 4K Netflix on Linux, period. Because of DRM. Before you say "this is just a Netflix issue" - you can't play 4K Prime Video on Linux either. Nor 4K Disney+. And many other services. Piracy is the only way to watch most 4K streaming content on Linux. You may have the most capable and up-to-date hardware on the market, you still can't.
There is nothing stopping anyone from selling an HSM (hardware security module) that can decode their protected video without foisting the control into the computer itself.
These are sort of prevented by signing the hardware, you have a module on your computer that creates a web request identifying that this module is present.
OP here. Really glad to see others engaging with this topic, I wrote up this post because I felt like there wasn't anything out there that was advocating for unlocked hardware as part of the discussion on "right to repair".
As someone that works in security, I fully understand the need for sane defaults that protect the average user. I even advocate in the article that we should keep these defaults in place for the most part.
What I tend to not understand is the argument that there should be no option for more enterprising users to access their hardware at the lowest levels because we need to protect the average consumer. It may be a footgun for some, but that's sort of the point. I expect to be able to modify something I own, whether it's to my detriment or not.
My argument isn't that root access should be the default, but at the very least it should be an option. I just don't think it's right that we've normalized corporations blocking the ability to load / inspect software, which often is marketed as a safety or privacy thing, but is arguably more a business decision meant to protect profit margins.
Thanks for this article, it was the most succinct way to describe the right to own and right to repair regressions I've noticed. I'm glad I can point to your article instead of trying to describe it myself. If you're looking for others advocating for this I know of Louis Rossmann. He also recently started a wiki on consumer protection that I hope to contribute and collaborate with to empower users.
The way to balance security and freedom is with a hardware switch. By default, keep secure boot etc. But if someone opens the case, takes out the battery, and moves a little switch on the board? Start with a fresh, unprotected context. Because it's a hardware switch, it can't be remotely hacked. An adversary who gets the hardware anyway can get control (are we going to pretend otherwise?). So just do the right thing and make it easier for people to take over their own hardware.
> I believe consumers, as a right, should be able to install software of their choosing to any computing device that is owned outright.
While I agree, I think even legislation will not fix this, because what is a computing device, and who decides what is and what is not? I'm sure Apple will argue that nothing they sell should be considered computing devices. While the hacker will consider anything they can trick into arbitrary code to be one (is your fridge a computing device?)
If we go the legal route, I think the only way is to give the right to flash firmware of _ANYTHING_ that has programmable bits, and that's probably not going to fly either because lots of legislation already dictates users should be prohibited and prevented.
> While I agree, I think even legislation will not fix this, because what is a computing device, and who decides what is and what is not?
If there is legislation, it will contain a definition of what is a computing device and what isn't. It will be imperfect, and the edge cases will be contested in courts. Courts deal with blurry boundaries all the time.
That's how it always is with legal matters, and doesn't mean we have to demand that anything with a firmware must be flashable.
What I mean is that I think this is the fastest way to end the era of widely-available general-purpose-computing devices that we are currently in (and that is currently ending, but at a glacial speed).
It's not that hard to imagine a version of the world where computers as we know them do not exist, but are mere appliances (like tablets and smartphones), and if companies feel threatened that they might be forced to open up their computing devices, they will be quick to make them not fall under the definition.
Instead of a smartphone, you will get a "Can telephone and access facebook and instasnap" device with whatever technical cripplement is needed to make it not a computing device and be exempt from the law. And as the general public and justice system is pretty ignorant with regard to technology, it's going to be pretty resource intensive to convince a judge why every gadget around that suddenly identifies as "not a computing device" is in fact one anyway.
German here - I do believe this legislation already exists - the owner of a thing has full rights of disposal and no other entity is allowed to interfere (except for the state itself). And this is part of the common property rights. afaik the property rights in the US are even stronger.
But I wonder why these rights do not seem to be enforced on computing devices. Either everyone is failing to assert their property rights or I am in the wrong here. Probably the latter.
I have talked about this before. The issue goes further in my opinion and starts to affect property rights themselves. In particular locked down hardware starts to affect the owner's right of exclusion. The right of exclusion loosely is the right to include or exclude something from/using some property. When the hardware is locked down the owner can no longer solely make those decisions. Instead in the instance of like an iDevice Apple makes those choices instead of the owner by only allowing code they have signed or signatures they allow.
thanks for sharing. the loss of property rights is an aspect I hadn’t considered… would be great to brainstorm further with an actual lawyer on these topics
The problem is larger than that, it's the IT industry's obsession with denying users the ability to evaluate their own risks and take their own responsibility. You do that all the time every day in most other areas of life, but somehow interacting with technology is different. The manufacturer always knows better. Don't want to have a time component to your biometric authentication because you know your risks? Too bad. Google and Apple know better. Password is required to unlock Touch ID.
I doubt any Apple engineer is very against the idea that an iPad user roots it. It's more like the legal and financial mindset. Legal doesn't want trouble and can shoot anyone who it doesn't like with law bullets, Finance just want MAW $$$.
Making it easy to unlock could make it easy(er) for scammers to get it unlocked:
> I received the same type of call a little later in the day. They were very adamant they were calling from the Bell data centre, on a terrible line and I made them call back three more times while I considered their requests. They wanted to have me download a program that would have given them control of my laptop. […]
* https://forum.bell.ca/t5/Internet/Call-stating-that-an-issue...
Dependent is not exactly the right thing here. Lower support costs probably is. If a vendor gives out root access. If that root access can brick a machine. Then you will get a small percentage of very high touch broken things as returns. Customers like this are in the 'dangerous enough' but not 'good enough to do it correctly' stage of hacking. They will then not claim any responsibility for breaking it. As they are hoping you just fix it for free.
I had one customer who would randomly change out stored procedures on our code. Then yell at our tech support for things not working or being broken. Wasting hundreds of hours of time until we realized what he was doing. Locking him out is very appealing. Instead we sold him and his management on 'we will do the work for you for a fee'. Which was more along the lines of 'you do this again we will fire the customer'.
That is but one small thing that can/will happen.
What you are describing is not a tradeoff but a magnificent bribe. They bribe us with measly benefits in order to accept the deal that is incredibly favourable for them.
See: https://reallifemag.com/the-magnificent-bribe/
Really? Please name them. Over the past 10 or 15 years, I've never seen anything other than the iPhone/Android or Mac/Windows duopoly for sale in any retail store. I've never seen any advertising for other than those duopolies. The HN crowd may be aware of obscure options, but for the vast majority of consumers, they don't exist. And since we as developers make money catering to the vast majority of consumers, we're kind of stuck with the duopoly too, at least as far as our work is concerned.
I think the reason people don't care is because they don't know. The average person either doesn't know or barely knows that anything deeper than what they see in the user interface is happening on their system.
We humans are very much an out of sight out of mind type of creature. If we can't see it, it's hard for us to imagine that it exists.
You make a fair point though; the case does need to be made as to why this is a market failure and not just consumer choice working as expected. Why _do_ consumers tolerate manufacturers retaining ultimate control of consumer's property after the sale? It certainly doesn't seem to be that important to them. Maybe greater awareness of the issue would help somewhat?
And then the whole world suddenly went apeshit, so Apple basically shrugged, said “fine, we’ll do it just like everyone else and put your photos in the relatively unprotected server domain to do the scan”. Sucks to be you.
Understand that at no point was there an option to not do the scan on upload, like all cloud providers, Apple scans for CSAM on any uploaded photos to stay out of any government grey areas.
This is hacker news after all. What made the computer great was programs. What made the smart phone great (smart) is applications. It's insane to me that these companies are locking down their most valuable assets. The only way this works is if you're omniscient and can make all the programs users could want yourself. This is impossible considering both individuality and entropy (time). Both in the sense that time marches on and the fact that you don't have time nor infinite resources to accomplish all that. I mean we're talking about companies that didn't think to put a flashlight into a phone but it was one of the first apps developed. You could point to a number of high utility apps, but I'm also sure there's many you all use that you're unlikely to find on most people's phones.
We can also look at the maker community. It's flourished for centuries, millennia even. People are always innovating, adapting tools to their unique needs and situations. To some degree this is innately human and I'm not embellishing when I say that closed gardens and closed systems are dehumanizing. It limits us from being us. That person obsessed with cars and makes a sleeper Honda Civic, that person that turns trash into art, that person that finds a new use for everyday objects. Why would you want to take this away? It even hurts their bottom lines! People freely innovate and you get to reap the rewards. People explore, hack, and educate themselves, dreaming of working on your tech because of the environment you created. By locking down you forgo both short term and long term rewards.
I also want to add that we should not let any entity claim to be environmentally friendly or climate conscious that does not create open systems. No matter how much recycling they do. Because it is Reduce, Reuse, Recycle. In that order. You can't reuse if your things turn to garbage and reusing certainly plays a major role in reducing.
Failure to obey them might get jail time in those countries if caught disobeying, or a hefty fine, not counting what misuse might bring in, regardless of the country.
That's because there are people behind every product, and the people behind computers tend to be the paternalistic, nanny-state type. Just read through the histrionics in any HN thread about leaf blowers, they want every landscaper locked up and their tools of the trade taken away. Someone once suggested they should be forced to use rakes. Imagine if some landscaper insisted what laptop you should use.
As you wouldn't expect to find many in-the-Army buzz-cut guys roaming the Google campus as you would at a gun company, you wouldn't expect some blue-haired face-pierced sales engineer selling you table saws.
It's a cultural thing, nothing more.
We do not? You don't even need a license to buy/operate a computer, unlike with some other examples on your list.
I didn't mean "the law". To the contrary, the submitted article author was proposing that we pass laws giving greater individual consumer rights over their devices. But the big tech companies have been viciously fighting against consumer rights, such as the right to repair.
The equivalent would be if you could only use specific brands of replacement chains, blades, tires, or bullets that are approved by the manufacturer, for which the manufacturer gets a cut of the sales of those replacements.
The thing with chainsaws and motorcycles is that they look and feel dangerous, and people have an intuitive understanding of how to approach those dangers.
If you ask a random person on the street about safe motorcycle riding, they'll probably tell you about respecting speed limits, wearing protective gear, only doing it when sober, not pulling stunts / showing off etc. I've never been on a motorcycle, have 0 interest in them, and I know those things.
Computers don't work that way. People can't distinguish between a real banking app and a fake banking app that looks real, an update pop-up and a fake "you need to update Adobe Flash Player" pop-up on a phishing website etc.
I've done plenty of "helping non-technical people out with computers" during my middle / secondary school days. That was when people still used Windows a lot, as opposed to doing everything on their phones. Most computers I've seen back then had some app that hijacked your start page, changed your search engine to something strange, would constantly open random websites with "download now free wallpapers and ring tones for your mobile now" etc. You didn't even have to fall for a scam to get something like that, plenty of reputable software came with such "add-ons", because that's how you made money back then.
I feel like that era of "total freedom" has somehow been erased from our minds, and we're looking at things through rose-tinted glasses. I, for one, vastly prefer the world of personalized ads and invasive surveillance over one where I constantly have to be on alert for my default browser being changed to Google Chrome for the hundredth time this year, just because I decided to update Skype.
How did this matter? People may know these things, but they nonetheless ignore speed limits, don't wear helmets, drive drunk, pull stunts, etc. And the motorcycle manufacturer can't stop them. They have the freedom to harm themselves.
> Computers don't work that way. People can't distinguish between a real banking app and a fake banking app that looks real
Guess what, people can't distinguish between the real and fake apps in the crApp Store either. Let's stop pretending that it's safe, when we've seen over and over that it's not.
> That was when people still used Windows a lot, as opposed to doing everything on their phones.
People still use Windows a lot. Smartphones have not replaced desktop computers but rather added to desktop computers. Almost every desktop computer owner also has a smartphone. I believe that desktop computer sales are as high now as ever; I know that's true for Apple Macs, specifically.
> I feel like that era of "total freedom" has somehow been erased from our minds, and we're looking at things through rose-tinted glasses.
It hasn't been erased. The desktop never left. It's been surpassed in volume by smartphones, of course, but let's not pretend that desktops were somehow made obsolete and removed from the Earth. The people who have enough money buy smartphones and desktops. Many even have a smartphone, a desktop/laptop, and a tablet. The choice is not about security, it's about money and form factor. When I leave home, I put a phone in my pocket. When I'm on the couch, I use a laptop. When I'm reading an ebook, I use a tablet.
That's why you never blindly clicked "next" in installers. Everyone got one of those IE toolbars accidentally at some point, but it usually only took doing it once to learn the lesson.
An irrelevant "whaddabout" argument.
It doesn't change that we need security and privacy for our information handling devices, as well as personal control. The real conversation is about how to best balance these.
An irrelevant false dichotomy argument. There's no inherent conflict between security/privacy and personal control. I would argue that a device which has to phone home to the vendor to get approval for everything results in both less privacy and less personal control.
I can do online banking on my PC as root user if I so choose, but I cannot do online banking on my phone because my bank's app employs a rooting detector SDK that as of now even Magisk+a host of (questionable) modules can't bypass.
How do you even formulate these values so that they're in conflict in the first place?
To use the same logic, they shouldn't be given anything with a visible screw, or are you going to tell me they _wouldn't_ take a screw driver to an appliance because that would be silly for someone who doesn't know what they're doing in there?
And non-owners shouldn’t be able to have access solely based on their physical possession - quite the contrary, owner should have means to fully use hardware security features for their personal benefit, locking their own device as tight as they want (within the device’s technical capabilities).
I have taken the opposite stance on that. Never again will they be left with some Samsung bloatware which hardly receives any Android updates when phones such as Nexus, Nokia and Nothing cost the same and have excellent LineageOS support.
Lineage is stable, bloat-free, self-updating and requires no maintenance from my side.
It makes sense to allow the _buyer_ to responsibly lock out others. This is common in other products that could be dangerous. But allowing the _seller_ to lock out others, e.g., competitors or the buyer, is a recipe for malfeasance, at the buyer's expense. Interestingly, with computers and pre-installed software, there is no option to lock out the sellers such as Apple or the companies that partner with sellers and pre-install software on the computers, such as Microsoft, Google, etc.
"It's all about protecting their profits, not protecting us."
It is interesting that the "protections" are not optional. It assumed _every_ buyer wants the protections from others _and also from themselves_ enabled by default, and also for protections from so-called "tech" companies to be _disabled_ by default. A remarkable coincidence.
Perhaps if buyers were given the option to log in as single user and change the default protections some (not all) might disable phoning home to Silicon Valley or Redmond. They might block unwanted access to their computers by so-called "tech" companies who sell them out as ad targets. The so-called "tech" companies and their customers (advertisers) from other people's computers might be locked out.
Indeed letting buyers lock out whomever they choose might diminish the profits of so-called "tech" companies.
In the past HN commenters often sidestepped the question of these "protections" as self-serving and argued that so-called "tech" companies serve the "majority" of computer users and in fact these "protections" are what computer users want even though these users were never asked or given the choice to opt-out. If that were true then allowing a "minority" of users to control the protections themselves, i.e., operate as root, would only affect a minority of profits.
If not for the "dangerous" unlocking, I would have to run with dozens of severe vulnerabilities right now, all five years' worth of them. A decent phone costs large amounts of money here, the hardware on mine is still very good, and so I would have used it regardless. (Yes, I understand that the firmware does not receive updates, but it's still much better than nothing.)
My guess is that you're assuming, wrongly, that vendor locked devices are "safe" and unlocked devices are "unsafe".
All computers that are connected to the internet are unsafe in some ways. The most dangerous apps on your computer are the vendor's own built-in web browser and messaging app.
Also, the vendor-controlled software stores are unsafe cesspools. You will never find a more wretched hive of scum and villainy. Moreover, the vendors deliberately make it impossible for you to protect yourself. For example, iOS makes it difficult or impossible to inspect the file system directly, and you can't install software such as Little Snitch on iOS that stops 3rd party apps—as well as 1st party apps!—from phoning home.
In any case, most computers, including Apple computers, have parental controls and the like, so you can lock down your own device to your heart's content if you don't trust yourself, or you don't trust the family member that you're gifting the device.
"Freedom" is also a terrible argument for this. What does it even mean? Freedom from what? Freedom to do what? It's such a meaningless word you're going to lose half your audience just by bringing it up.
When the context is "digital devices", it becomes pretty clear what it means. You should be free to use it however you want, without externally imposed restraints.
Locking down the device so much that users cannot run applications they've written themselves without the approval of the company who made it isn't "freedom", as the required approval from the company breaks the "without externally imposed restraints" part.
The average customer wants a device that works consistently, every day, that is easy to use, with a collection of 3rd party apps who won’t steal their life savings.
Windows failed to deliver this; the average customer never downloads an Exe from a newer publisher without terror. The average consumer is literally dozens of times more likely to trust a new smartphone app than a new desktop app.
We can also see this in the console market. Windows exists; old gaming PCs exist; the locked down console market will be with us forever because even Windows can’t deliver a simple experience that reliably works.
Just because you don't need or want it, doesn't mean it's not an important right to protect. Considering the influence of computers these days, the right of general purpose computing is probably at least as important as the right to free speech.
And it can only be achieved with fully locked-down hardware?
Of course not. The modern OS achieves system security through permission and isolation, which don't require bootlock etc. to work. In fact, it works well even after the device is unlocked & rooted.
> Windows failed to deliver this; the average customer never downloads an Exe from a newer publisher without terror
Windows (and Linux for that matter) is not a modern OS. They're classic OSes that offer the entire computer as a playground for the program running on top of it. That's why Windows can be contaminated with a single malicious EXE, but not Android or iOS.
OSs are not the same, don't try to get the water muddy that way.
If I buy an iPhone, I should have the option to completely disconnect it from Apple and be able to replace the OS with whatever I want. If I do not have the option to do that do I REALLY own the device? The answer is no because what I have is a device that I can only use the way Apple allows. When the phone is obsolete and Apple stops updates then all I can do is send it off for recycling since Apple won't allow me to repurpose it with new software.
You are putting a lot of trust in the manufacturers as well. For example, they have the technical capabilities to kill the second hand market in their devices if they simply decided to refuse to allow a new user to login to a device. Sure, you could still sell the hardware, but it wouldn't be much use if the manufacturer stopped it from connecting and authorizing. I know this is an extreme example and no sane manufacturer would implement it, but I think it demonstrates why having the option to disconnect is a good thing.
The same applies to all other devices that are locked down, things like smart TVs, IP cameras and appliances. Just look at how many early smart TVs are now dumb because the manufacturer stopped updating the on-board apps. There should be no reason why the owner of such devices should be allowed to do whatever they want with them to try and bring them back to life.
This is blatant unempirical scare mongering. How many desktop computer users have had their life savings stolen by 3rd party apps? Citation needed.
> The average consumer is literally dozens of times more likely to trust a new smartphone app than a new desktop app.
This is a false dichotomy. Almost all desktop computer users have a smartphone too. The people who have enough disposable income buy both smartphones and desktop computers. There's no inherent conflict between the two.
> the locked down console market will be with us forever because even Windows can’t deliver a simple experience that reliably works.
That's a completely ahistorical interpretation. Originally, the gaming consoles had no third-party games: the games were all written by the vendors. The first third-party game development company was Activision, a group of former Atari programmers who learned that their games were responsible for most of Atari's revenue, but Atari refused to give them a cut, so they left and formed their own company. There was a lawsuit, and it was ultimately settled, allowing Atari to get a cut of Activision while allowing Activision to otherwise continue developing console games. It had nothing to do with "reliability" or "security" or any kind of made-up excuse like that.
Yet that trust is, for the most part, unfounded. There's a ton of malware in app stores - you can assume any app that contains ads is sending data about you to some shady server, for example. You can't even trust the most popular apps not to be malware [0].
[0] https://news.ycombinator.com/item?id=42651115
There are many more "hostile" smartphone apps that exfiltrate your data and sell it to the largest bidder than there are compromised executables these days. Also there are more profitable scams than compromising a PC system outside of industrial espionage.
PCs, in contrast to consoles, always were a cost or usage factor. The difficulty of operating a PC isn't significant. It also heavily increases digital competency of the user for computer systems. If you really don't want that, you have other options.
then don't root your phone or download an .exe. having the ability to do something doesn't mean you are forced to do it.
not safe enough for you? fine! make the current status quo comfortable walled-garden-of-illusionary-fake-safety the default. for example, there's no reason windows needs to by default allow unsigned code to run. hell, even make it really annoying to turn off.
but the "safety" and "easy to use" arguments against right-to-repair, digital rights, ownership, etc. are simply nonsense. there is literally ZERO negative safety or usability impact to anyone else's device because i'd like to own mine.
it's also an insulting and disingenuous argument to hear anyone on this forum make: our careers and entire segment of the economy would not exist if it were not for open systems. and it's insulting to basically say "bubba/granny is too dumb to be trusted" with owning their own device.
This removes the risk of this being abused to compromise the data of stolen devices or evil maid attacks unless a user that knows what they are doing has explicitly opted themselves into that risk.
Re-imaging with a rooted image is not acceptable because this also reduces the device's security by preventing OTA updates!
Gated community is broken when the end user cannot improve the security of the device above and beyond the lax policies of Google and Apple. For instance there should be no reason my device ever communicates with organizations I do not support such as Facebook or X-Twitter. X-Twitter is often used as command and control service in plain sight.
It is not just outward communication to monitor but inward too. I've used Zone Alarm in the past at an international company to help find the infected servers and computers that were serving up viruses and other malware.
*I would argue that the "Gated Community" analogy is flawed. A real world gated community still allows for the home owner to improve the security by installing cameras, a security system, and guards. Apple & Google prevent such actions.
At the moment, I just run GrapheneOS and don't bother with any modification. It is not worth the hassle. I've already had my bank account locked out because a Google Store-bought Pixel phone was flagged as "stolen", probably due to some attestation measure (they could not tell me why). They recommended that I purchase a new phone.
Attestation requirements are only going to become more prevalent. I predict that in a few years basically all proprietary software for Android will require attestation.
So... you may still be able to unlock the device and make it yours, but you'll also be locked out of the ever expanding and ever-more-isolated walled garden.
If you can live off of GrapheneOS and F-Droid, that's great, but for a lot of users this won't be a real choice, because you increasingly need proprietary software for access to real things in the physical world (i.e. I needed to install a special app for event tickets recently).
Magisk exists, yes, but it's a flimsy temporary solution. It only works because it's able to lie to Google that your device doesn't support hardware attestation. As soon as Google starts requiring that all devices support hardware attestation, it will stop working.
And there are some real strong reasons why you benefit from this sort of ability, such as preventing folks from cheating in competitive games. I can't say that all uses seem to have good reasons to use it, but that seems like more of a vote with your wallet sort of situation. Perhaps the play store should also have stricter requirements on acceptable use of attestation and ensure they are upheld.
They require hardware certification for the Pixel Screenshots app... and for anything that uses Gemini Nano (Call recorder summary, weather, pixel screenshots, etc).
The problem though is that rooting by itself is not that useful when a lot of apps use remote attestation to deny you service if you're rooted.
We don't just need root access, we need undetectable root access.
I'm typing this on a rooted phone where all (banking) apps work just fine. All it takes is downloading an app (Magisk) and adding apps to a list that need to have rooting hidden.
At some point the argument morphs from 'I should be able to do whatever I want with my device' to 'I should be able to access your service/device with whatever I want'.
The fact that Google allows this shows that
1. Apple could do it with zero security impact on anyone who doesn't opt in
2. They could keep any service-based profit source intact
But they still would never do it. Because it's not only service based profit they want to protect. They want to restrict customers from running competitor's software on their hardware, to ensure they get their cut.
We right now have an ENCRYPTED signal going from our computer to our displays, not just computers, but phones too SIMPLY to prevent people from dumping raw data.
All of that extra processing done just so you're allowed to for ex: watch netflix with a resolution higher than 720p. Then comically there's Chinese capture cards that you plug your GPU into, use mirroring mode and completely bypass it.
DRM is just one example, there's many more motivations such as preventing paid apps / pay for currency games from having these things given for free. This is the primary reason why iOS devices make significantly more money than android as it's near impossible to pirate / hack / crack for an average user.
For example, if anyone is interested, check out the computers Chinese governments are using right now. They are basically large mobile phones running some sort of Linux, but the whole thing is locked down. Fortunately things are OK on the commercial side but again it's more and more difficult to root or unlock a device.
And now the Western states are following suit, except it's the corporations that are leading the charge.
If they achieve this, and wipe out all commercial electronics distributors such as Mouser, then we need another underground railway movement to teach people to scavenge and build computers in that Dark Age.
I'm not joking. This could be real. It's already shaping.
But with cryptocurrencies normalizing it's only a matter of time before a paid piracy service emerges that is both cheaper, simpler and better than Netflix or any other streamer. Some arguably already have.
DRM was being broken for years without even a monetary incentive, with one it won't stand a chance.
The idealism of those who want to see the demise of DRM doesn't actually hold up in the face of reality. Even when we remove restrictions and give global access to content, for free, pirates don't give up. One of the reasons is that many pirate sites get ad revenue, piracy is a business for many folk and they get the benefit of not paying for the most expensive part. They also don't have legal/regulatory compliance, taxes and will often operate their infrastructure using stolen credit cards or accounts (we can see this).
Then you have people who are selling legitimately and trying to provide the best service for customers, but who have to pay for the content, competing with people who don't have any such responsibilities. So, customers take the cheap deal.
Some folk are also under the assumption that streaming services are money grabbing. Except when you actually look, most streaming services are running at a loss, or barely profitable.
I'm just working to protect our company and reduce losses, ultimately I am not preventing people getting access to fresh food or water. I am protecting premium goods from being illegitimately exploited and protecting the jobs of my colleagues when we're already under significant cost pressures.
One reason I post about these things on the internet is in the hope that one day we might have a constructive dialogue about how to balance freedoms AND enable commerce. But at the moment we have extremism, libertarian ideals against company lawyers.
Case in point: every popular desktop PC lets you run as root, and also watch DRM content. They aren't totally mutually exclusive.
As someone that works in security, I fully understand the need for sane defaults that protect the average user. I even advocate in the article that we should keep these defaults in place for the most part.
What I tend to not understand is the argument that there should be no option for more enterprising users to access their hardware at the lowest levels because we need to protect the average consumer. It may be a footgun for some, but that's sort of the point. I expect to be able to modify something I own, whether it's to my detriment or not.
My argument isn't that root access should be the default, but at the very least it should be an option. I just don't think it's right that we've normalized corporations blocking the ability to load / inspect software, which often is marketed as a safety or privacy thing, but is arguably more a business decision meant to protect profit margins.
https://wiki.rossmanngroup.com/index.php/How_to_help
aren't we in fact pretending otherwise?
Right now I believe that stolen iPhones are effectively bricks (barring state-level actors with unpatched zero-days)?
While I agree, I think even legislation will not fix this, because what is a computing device, and who decides what is and what is not? I'm sure Apple will argue that nothing they sell should be considered computing devices. While the hacker will consider anything they can trick into arbitrary code to be one (is your fridge a computing device?)
If we go the legal route, I think the only way is to give the right to flash firmware of _ANYTHING_ that has programmable bits, and that's probably not going to fly either because lots of legislation already dictates users should be prohibited and prevented.
If there is legislation, it will contain a definition of what is a computing device and what isn't. It will be imperfect, and the edge cases will be contested in courts. Courts deal with blurry boundaries all the time.
That's how it always is with legal matters, and doesn't mean we have to demand that anything with a firmware must be flashable.
It's not that hard to imagine a version of the world where computers as we know them do not exist, but are mere appliances (like tablets and smartphones), and if companies feel threatened that they might be forced to open up their computing devices, they will be quick to make them not fall under the definition.
Instead of a smartphone, you will get a "Can telephone and access facebook and instasnap" device with whatever technical cripplement is needed to make it not a computing device and be exempt from the law. And as the general public and justice system are pretty ignorant with regard to technology, it's going to be pretty resource intensive to convince a judge why every gadget around that suddenly identifies as "not a computing device" is in fact one anyway.
But I wonder why these rights do not seem to be enforced on computing devices. Either everyone is failing to assert their property rights or I am in the wrong here. Probably the latter.
This seems reasonable to me. What's wrong with it?
“What’s a computer?”
Another post I have posted regarding this: https://news.ycombinator.com/item?id=39349288