Wherever you are from or whatever side of the conflict you are on, I think we can all agree that it’s never been easier to infer so much about a person from “semi-public” sources such as companies selling customer data and built-in apps that spy on their users and call home. It allows intelligence agencies to outsource intelligence gathering to the market, which is probably cheaper and a lot more convenient than traditional methods.
“Privacy is a human right” landed on deaf ears but hopefully politicians will soon realise that it’s a matter of national security too.
Yes, privacy is a question of civil defense in the drone age. But the existing crop of states will never acknowledge that; their structure and institutions presume precisely the kind of mass databases of PII that create this vulnerability, as well as institutional transparency for public accountability. This makes them structurally vulnerable to insurgencies that expropriate those databases for targeting. The existing states will continue to clutch at their fantasies of adequately secured taxpayer databases until their territorial control (itself an anachronism in the drone age; boots on the ground can no longer provide security against things like Operation Spiderweb) has been reduced to a few fortified clandestine facilities.
Things are going to be very unpredictable and, I suspect, extremely violent.
Or investigation into some russian topics: https://theins.ru/en/inv
30 milligrams of high explosive is enough to open your daughter's skull, or, more relevantly, your commanding officer's daughter's skull, and there are a thousand ways to deliver it to her if she can be tracked: in pager batteries, crawling, swimming, floating, waiting for ambush, hitchhiking on migratory birds, hitchhiking on car undercarriages, in her Amazon Prime deliveries, falling from a hydrogen balloon in the mesosphere, and so on. And if 30mg is too much, 2mg of ricin on a mechanical ovipositor will do just as well.
All of this is technically possible today without any new discoveries. At this point it's a straightforward systems development exercise. And you can be sure that there are bad people working for multiple different countries' spy agencies who know this; they don't need me to tell them.
While we are talking about flying drones, we are not far off from Slaughterbots becoming reality.[0] Why bother with surgical assassinations if you can blanket entire regions with with swarms of autonomous seek-and-destroy explosives?
After all, as last two years have so amply demonstrated: people are fine with genocide.
Technologies are morally agnostic: a knife, a rifle, a piece of cryptography, they all work equally well for the noblest and the most nefarious purposes. It's the humans' task to structure the society in such a way that good uses of technology mostly dominate evil uses.
Why bother? For the same reason to bother with surgical assassinations if you can blanket entire regions with nuclear fireballs. Radioactive wastelands are unprofitable! This is a general problem with genocide: it only gets you land, and since the Green Revolution land is abundant. Protection rackets, on the otehr hand, are highly profitable, but only with some exclusivity; if extortionists multiply, the unique Nash equilibrium is multiple gangs that collectively demand many times the victims' total revenues, resulting in ecological collapse.
More generally, the threat of violence is only effective as a form of coercion when you can credibly withdraw the violence as a reward for compliance. Violence provides no incentive to comply to someone who believes they are just as likely to be a victim whether they comply or not.
But swarms of autonomous seek-and-destroy explosives are plausibly the most effective way to provide that surgical-assassination threat, perhaps combined with poisons, solid penetrators, and/or incendiaries. The Minority Report spiders (not yet technically feasible) or a quadcopter can be enormously more selective than a GBU-57, a Hellfire missile, or even a hand grenade, and can choose to avert their attack at the last millisecond upon the presentation of properly signed do-not-assassinate orders, even if long-distance communication is jammed.
Hence, I suppose, important figures will eventually disappear from the public eye. Definitely, a president or a governor must be present in person at many events. But e.g. CEOs of military contractors, or even key scientists and developers in certain fields, may start to fade away, turn pseudonymous, and virtualize, now that remote work and videoconferencing is normalized. They would still be somehow trackable as normal citizens, but their visible connection to their work would be severed and kept an utmost secret, literally a life-and-death secret.
This would be good news for national defense, but bad news for any dissenters who cross any powerful-enough entities for those to consider an assassination or at least blackmailing. Unlike a hitman, a hit drone can be completely and safely destroyed beyond recognition within an hour, by burning it and grinding the ashes.
Also, precisely delivered non-lethal means could be quite effective, and hard to track. Inject or just spray a bad virus to disable your opponent for several critical months. Spray a potent allergen if the target is allergic. Inject some LSD into politician's bloodstream an hour before an important meeting or speech. "Innocent" stuff like that.
Last two years? Try last few decades at the very least. People only care about the war in Gaza more because it's controversial. For non-controversial cases people just agree it's bad but shrug their shoulders.
https://en.wikipedia.org/wiki/Bosnian_genocide
This also explains the more prevalent ignorance concerning the other two genocides of your list: they are simply for away from the place the respective person lives.
And open war crimes like intentionally killing civilians (TV broadcasters in Iran for example, or Gaza en mass)
Here is how Pegasus seems: - China has 1.5 billion people, lots of resources, would profit a lot economically if they found a way to hack iOS, etc. But yet couldn't hack it. - Israel with its 7 million people, not only hacks iOS multiple times, but does it to spy on its allies.
Now I've seen the threads analysing Pegasus' complexity, I don't know if it's been reproduced, and if it has then I guess it logically proves me wrong (the tinfoil hatter in me still thinks its right though).
Here is why:
Israel has a lot of silicon fabs or R&D centers, now it makes ZERO sense for the US to have fabs or R&D centers in Israel, since that country is (allegedly) always at the risk of being bomber for no reason at all (yeah right).
Intel has had fabs in Israek since the 80s, why not in Japan or France or the UK (France and the UK are close allies to the US and have no earthquakes or risk of being bombed), why not even Canada?
And I compared the dates of when intel started putting the Intel Management Engine in all of their CPU and the date of which they built their biggest fab in Israel, then I went down the rabbit hole of when AMD started using PSP (similar tech to Intel ME), and it coinciding with it buying a large pentesting startup in Israel, then starting to build its R&D centers there, Apple and Qualcomm have similar stories.
Obviously this is all tinfoil, and while the dates coincide it's obviously not enough.
But to each their own, and I choose to treat my tech as if it was all was backdoored already, because for me the evidence (while not enough to be sure) is enough for how much I value my privacy.
What makes you think China can't hack iOS?
- the smaller country hacked ios, have to sell it to recoup r&d costs, got caught many times.
- the larger country hacked ios, don't need to sell it around, haven't been caught.
That you know of. Maybe they just don't indiscriminately sell the results to anybody who shows they have money. Or maybe they have different strategies for spying.
> - Israel with its 7 million people, not only hacks iOS multiple times,
NSO and friends find zero-days or buy them on the open market (not just from Israel). Citizen Lab has identified specific vulnerabilities used to install Pegasus. The exploits don't require or use CPU back doors.
... and you think Israel's smaller population somehow translates into better infiltrators than China has, but not better hackers than China has? Israel also makes better halva than China, by the way.
That kind of "logic" is what turns you into a loony raving on a street corner somewhere.
> but does it to spy on its allies.
Everybody spies on their allies, at least opportunistically. But Pegasus is a commercial product, sold to basically every government and mostly used to spy on normal people, not other governments. The people writing it have ties to Israeli spies, and I'm sure it's been used by Israeli spies, but it's general-purpose.
> Israel has a lot of silicon fabs
As far as I can tell, Israel has one facility capable of making remotely serious CPUs. It's owned by Intel. There are no phones using Intel processors.
The processors in iPhones are "Designed by Apple in Cupertino" and fabbed by TSMC in Taiwan. The processors in basically all other phones are ARM, and most of them also come from TSMC. Pegasus does not run on Intel processors, ever.
> And I compared the dates of when intel started putting the Intel Management Engine in all of their CPU and the date of which they built their biggest fab in Israel
So the fab somehow reached out into the rest of Intel and retroactively caused it to develop a heavily advertised feature?
We all like to imagine this super cool clandestine hacking operation using peoples mobile phones to secretly track people who visit nuclear facilities back to their homes.
The much more logical explanation is someone approached a low level employee at the MEAF who turned over a USB stick with the governments org charts and payroll records in exchange for their kids getting a full ride to a prestigious foreign university.
If there are spies in foreign countries going around offering life-changing sums of money for USB sticks, which people are accepting
is it not also plausible that folks at google/samsung/apple/aws/cloudflare/microsoft are getting offered life-changing sums of money for leaving their work-from-home laptop unattended for 5 minutes?
From what I've seen with bribes, it doesn't even take life-changing amounts of money.
One thing to keep in mind is those people are already paid quite well. What life can you offer them that they don't already have? Blackmail is a likelier angle.
In addition, saying that
> someone approached a low level employee at the MEAF who turned over a USB stick with the governments org charts and payroll records in exchange for their kids getting a full ride to a prestigious foreign university
is an oversimplification on multiple levels:
1. Low-level employees typically don't have access to sensitive information.
2. With human intelligence, there is always a risk that the person you (e.g. Israel) are in touch with (e.g. an Iranian officer) who pretends to be a "double agent" (e.g. leaking info to Israel), is in fact a "triple agent" (e.g. actually working for Iran to mislead Israel).
3. You can send your kids to foreign universities but not your siblings, your parents, your wife's family, and so on... Some of your beloved ones are almost certain to suffer the consequences of your actions. High treason is no joke.
You would think, but when I was interning (well, it was a paid internship) for a company, I was fixing an excel spreadsheet with payroll information for an entire department of a few hundred people. Not the best piece of "opsec", but when you are in a hurry (pay was due in a couple of days) and most people are on vacations "hey the junior kid can probably fix it, he seems fine" is a way too common approach. And it is fine - sometimes for a long time. Until it isn't.
Snowden was a contract Sharepoint admin. He was on the absolute bottom of the org chart.
Since then there has been a movement to reduce Chinese vendors in general our if security concerns, as well as to improve the security posture of the mobile networks by doing things like "encrypting connections" and "switching away from telnet".
On the other hand, the Chinese managed to break into the US wiretapping system, so it's not like other networks aren't vulnerable either.
Plausible deniability.
SW coming out of Korea's domestic industry giants isn't any better. Because they used to treat SW like a cost center or another item on the BoM.
IIRC, the only way to do online banking in Korea years ago, was you needed Internet explorer and some active-X plugin that supported encryption.
Some Korean giants do have good SW, but a lot of it is developed internationally by offices outside of Korea.
https://www.cve.org/CVERecord/SearchResults?query=supermicro
There are many ethnicities in China, people of all genetic backgrounds. It is the culture that is the problem, not the race.
For example, there are many ethnically Chinese people who grew up in the West, working in businesses, in countries where there is a culture of security.
Now, you could label it 'culturalist', and maybe it is, but there are definitely inferior and superior cultures. Especially, there are parts of cultures which are quite comparable this way.
Security and encryption is taken as a given by Western regulators given how many times they pass laws to break encryption. If you look at targeted 0-days, the conclusion would be more along the lines of the very best hardware+software is barely secure.
>There are many ethnicities in China, people of all genetic backgrounds. It is the culture that is the problem, not the race.
This just seems like nitpicking to me. Colloquially most people would classify discrimination based on country of origin, or "culture" (whatever that means) as racism, even if it doesn't meet the technical definition. For instance Trump's travel bans have been called by many as "racist", even though it covers a bunch of countries, and even though the countries are majority muslim, it also excludes major muslim countries like Pakistan and Indonesia.
Now, we do still need to respect cultural differences where it makes sense and consider the historical context behind cultural differences, such as colonialism.
Like, for example, cultures which are outwardly hostile towards women and their autonomy don’t keep that as a secret. In those places, it’s well known and obvious.
It's interesting you would write this as if nobody's pointed out actual cultural differences yet.
Nobody is going to believe you're talking about real things if you let people call your argument "racism" so it's not nitpicking if you can explain why it's not. Also the word "discrimination" is itself a loaded term.
And yes areas having cultures is real. Sometimes it's tied to country, sometimes it's not.
> Trump's travel bans have been called by many as "racist", even though it covers a bunch of countries,
I'm confused? Covering a whole bunch of countries sharing a demographic is much more likely to be a racist move than picking one or two.
> and even though the countries are majority muslim, it also excludes major muslim countries like Pakistan and Indonesia.
That's a good argument against saying "muslim ban" but I'm pretty sure a focus on the middle east makes it more about race.
I've worked in many restaurants and a lot of the health scores are stacked against ethnic restaurants and how they prepare foods.
Your score gets knocked down if you have soups simmering for too long, but in Chinese cuisine it's often times common to have the broth cooking for more than 12 hours.
Check the weather today, get bombed tomorrow.
What's "just" a war crime amongst friends?
[The nuclear scientists on the other hand are much more questionable because its pretty unclear if they are legal targets at all]
Of course, Israel has hit hospitals in Tehran. And condos. War crimes.
So, no matter how you slice it, Israel commits war crimes as a matter of course.
Now, one could object and say that Israel has to commit war crimes because it's so endangered. If that's the case, why doesn't it go to the security council and get authorization for lethal military action? Who on the security council would vote against Israel if the threat was remotely real?
Other actions in this conflict of course could be crimes and require appropriate analysis.
> Since Israel started the war without authorization being the security council, it's legally the aggressor. Which means the actions in of themselves are crimes, regardless of where they are conducted.
I disagree with the way you phrased this. The analysis of if the use of force is legal in general should be separate from if individual actions are war crimes. See https://www.icrc.org/en/law-and-policy/jus-ad-bellum-and-jus... which emphasizes that jus ad bellum is separate from jus in bello.
Israel is probably going to claim self-defense here (you do not need UNSC permission for a defensive war). The claim is probably pretty far-fetched unless there is some bombshell evidence we are not privy to, as the threat does not seem imminent the way self-defense normally requires.
OTOH - the last time anyone cared about the crime of agression was germany in WW2 (although there are some voices about ukraine & russia). People tend to care much more about war crimes than crimes of aggression.
> Israel has hit hospitals in Tehran
I'm not aware of this allegation. I did hear an allegation from Iran about a hospital in Kermanshah. Regardless, if it is true, it would indeed probably be a war crime. (Generally speaking. Details do matter in these sorts of things)
> And condos
I think the analysis of this would require knowing what specificly was targeted. Generally of course, civilian housing is not an acceptable target, but if for example,it was housing for senior military leadership, that might change things.
> Now, one could object and say that Israel has to commit war crimes because it's so endangered.
If by war crime you mean commit "agression" (to be clear, the crime of agression is not a war crime. These are two separate categories of crimes), this would be an argument that the act is not "agression", since defensive wars are allowed to be done without UNSC approval. You only need UNSC approval if you are not facing an imininent threat.
> Who on the security council would vote against Israel if the threat was remotely real?
Security council is largely about geopolitics, and russia & iran are allies.
The US behaviour is despicable, but ultimately it hasn't really changed anything.
Anyone who runs a country, especially senior politicians, just shouldn't have a standard mobile.
It should be a built from the ground up phone by your own countries government services. Running GrapheneOS or something.
And you shouldn't have a second phone to have your affairs either.
We, the people, need to demand and force our politicians to work for us.
The gop is controlled by donors who are mostly free market liberals. Elon won’t let anyone “censor” (regulate) x. The democrats don’t care about national security historically, and it’s not currently an issue their cosmopolitan TikTok loving base cares anything, at all, about. “Security” is something that most democrats I talk to now associate with deportation or military spending, both of which they ferociously hate. Across parties, policy and discourse are reactive. Security requires a proactive orientation that it seems the public sector may structurally lack.
lol. lmao even.
this is the holy mary of security, politicians (US) will not give a damn as long as they’re not the ones being targeted and as long as the ad giants like google and co keep lining their pockets.
https://www.wired.com/story/minnesota-lawmaker-shootings-peo...
https://web.archive.org/web/20250506145643/https://smex.org/...
The article leaves out quite a lot about what AppCloud is, but it's essentially how Samsung monetizes their non-flagship device users and can do things like insert installation advertisements into the notification tray, and silently install apps.
Personally, if I found this on my device it'd be the final straw to grit my teeth and finally get a personal apple device.
Samsung’s A and M series smartphones are their cheapest models so their buyers probably cannot afford better phones. I don’t know of any other brands selling in the region with similarly priced models that have better privacy practices than Samsung either—they’re all the same at that price point I’m afraid.
But yeah, presumably in the cheaper markets the Candy Crush whales are subsidizing the phones. Like with Windows these days. Anyway time to go back to playing Fortnite and Marvel Rivals
I mean, if I was the mosad guy planting a deal with samsung, I wouldn't even name the app "AppCloud"
heck, why would you even make it appear to the user?
this is a classic competitor-bashing article -- no substance, only hand-wavy "this guys bad!"
I'm guessing this can be traced to others like xiami/huawei/etc who definitely want to get samsung's slice of the market there
If you're in the middle east, I'm sure you'd rather be spied on by China.
Do you imagine that shit? You're a nuclear scientist, working on a program for generating electricity, your country is open to being audited and complies with the restrictions and has no weapon's program, one day you come home and then a fucking rocket comes right inside your appartment and kils you and your whole family.
Ain't that a bitch? I get Khamas was hiding there too... And since they have all that precise rockets that can take a single appartment down, why did they reduce Gaza to rubble?
The ramifications of this make me sick: evil not only wins but also writes history... And yeah the midwits here will unironically look you in the eye and explain how killing children is ok because of this of that... You being able to explain horrors doesn't make you smart or pragmatic, it makes you have no self respect and makes your personal boundaries weak, and the same mind that finds arguments to cope with the horror his tax money funds will find arguments to cope with a lot more until it's his turn on the grinder and by then it'll be too late.
A refurbished iPhone 13 is $300 on amazon, which is close to the cheapest M ($250). I can’t find new 13’s for sale except via budget carriers.
(Sent from my 12 mini which is better than all that followed it: $200-ish for excellent condition, refurbished.)
Now hey, I won't suggest that Apple would stoop as low as Samsung has here. But discerning customers might not want Tim Apple's phone if he's been cozying up to a crusty politician that can remember to stay for dinner but can't recall his name.
Is this Amazon US? Because even in Ireland, iPhone 16 costs 41% higher than in the US (979 EUR = 1,128 USD in Ireland vs 799 USD in the US).
(Some US states have no sales tax, but most do)
If you don’t want bloatware (spyware), it’s either pixel or iPhone.
Recommending Apple for privacy only makes sense for those who don't actually care and just want the feel-good premium brand
On iPhone, I can use the app without giving it the permission because if meta were to put up the same bullshit, they would get their app rejected from the store.
Now, you say you can install barebones Android ? Ever tried it ? It suck, lineageos and other have security issue, often poor battery, lack features and plenty of bugs.
You could uninstall the bloatware on your stock operating system ? Except that you don’t always know what is necessary and what isn’t. Meta (Facebook) have 3 app preinstalled on Samsung, 1 as user app, 2 as system app. Other are systemized and have extremely convulated name, or even embedded in an actual system app like the antivirus in Samsung device managements that used to send back lot of data to Chinese server.
Fairphone are expensive and not well built, murena ? They run e/os/, exact same issue as lineageos.
No really, it’s either pixel (and I’m not speaking of grapheneos, it got more and more issue with play service integrity being forced everywhere) or iPhone. Pick your poison.
It works just fine with OpenContacts.
Their stock android is fine. If you want more privacy, installing e/OS/ is trivial. It blows my mind that anyone is concluding Samsung stuff is worth buying under any circumstances.
Sure, better than, say, Sony (and as an ex-Sony user I kind of know what I'm talking about), but far from calling it good.
And for US carriers, you are basically locked out of Wi-Fi calling if you are not using one of the whitelisted devices.
I just replaced my iPhone XS, not out of necessity, but I wanted to see what the new ones were like. The 16 is barely better and I was suprised to find just how little the old one was worth second hand, considering it still runs circles around most midrange Android handsets.
That's what I have been thinking recently -- given that Samsung is quietly doing these shady things with my phone, and other annoyances like Samsung forcing Galaxy AI on me (try selecting some texts in a browser or webview) which cannot be uninstalled and the terrible Samsung Pay interface, I am questioning my device choice every day.
adb shell pm uninstall --user 0 com.package.name
> you can't completely remove it
Maybe my English isn’t very good but that sounds like the definition of unremovable.
Also, English is not my native language. I feel like I did get my point across anyway.
If people are paying for upgrades to storage space it's completely reasonable for them to be annoyed by bloatware
On my 128 GB Pixel 9 Pro, /data is 109 GB. The rest is /system (although `df -h` doesn't show it explicitly, no idea what's up with that) and various other system-related partitions.
Meaning the user would have access to more of the phone’s advertised storage.
And there are other analogies too, e.g with certain diseases being "functionally cured" vs "cured." Did the GP use the wrong word? Sure. But making that the sole focus of criticism misses the intent of the GP and the greater value of the whole comment, which instructs people on how to disable it so that it's functionally non-impactful.
No, still not removed...the idea and possibility for implementation still exists in people's minds.
On my 2025 Motorola RAZR 5G, in /product/etc/nondisable are a series of XML files listing carrier and activation apps for Dish Wireless, Tracfone/Verizon Value, T-Mobile, the Amazon App Manager, and two apps provided for finance providers PayJoy (who lock and disable phones for financial product recovery) and one for Claro internally (that operates similar to Payjoy).
But then I haven't had any experience with carrier phones. We just don't do that where I live, all phones are sold unlocked for full price and all plans are prepaid.
I agree that it's not easy, but anyone sufficiently annoyed by these non-otherwise-removable apps who is able to follow instructions should be able to get it done without needing a computer or special knowledge or messing with the command line.
$ pm list packages
2. Plug phone in to computer using USBC cable.
3. Answer prompt on phone granting permission to computer.
4. Run adb commands.
The universal android debloater makes uninstalling packages easier, it has descriptions and categorizes packages by how safe they are to uninstall.
https://wiki.archlinux.org/title/Android_Debug_Bridge#Add_ud...
Starting the server manually under a privileged user is the easiest way to circumvent those restrictions if you don't want to fiddle with udev rules, which is the recommended solution, but is more work.
Other dristros surely offer the same support
It appears to be a similar case across the MENA region. While the SMEX post primarily focuses on WANA, it is possible to find other reports (e.g. [1]) from the MENA region that describe similar practices by Samsung. There, however, the stories talk about "Aura", rather than "AppCloud".
[1] https://www.moroccoworldnews.com/2025/06/212144/samsung-embe...
WANA - West Asia & North Africa
SMEX - "a non-profit that advocates for and advances human rights in digital spaces across West Asia and North Africa." (from their website)
it just means that they don't pay taxes
A.k.a. I tried to be as politically correct and cite the term used by the respective reporting. The main point I was trying to bring across was that apparently there are two apps involved, not only a single one.
[1] https://en.wikipedia.org/wiki/Middle_East_and_North_Africa
This AppCloud crap has also been pushed to devices in the Europe Open Market.
I also know that this shouldn't have been installed on enterprise devices (either Android Enterprise managed by MDM or E-FOTA managed - don't remember exactly). We had an akward conversation with some Samsung representatives..
Yes the Unity 3D engine company wow.
https://www.pcgamer.com/unity-is-merging-with-a-company-who-...
>Please don't post insinuations about astroturfing, shilling, brigading, foreign agents, and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email hn@ycombinator.com and we'll look at the data.
unity was dying for lack of revenue
[1] https://www.fxguide.com/quicktakes/unity-software-with-a-com...
I argued against the acquisition at the time, including against accepting the framing that it was a "merger", and I think everything that's transpired since then has validated my views.
Sadly, I was outnumbered and “it is difficult to get a man to understand something, when his salary depends on his not understanding it” applied as it always does.
John Riccitiello was a terrible CEO
I think there's non-zero chance this company will go down in flames. I think its only hope at this point is a sufficiently motivated activist shareholder.
At 2¢ per install, with a million Unity games installed every year, they'd make a profit in 300,000 years.
Stop parroting the corporate propaganda that put us into this stupid situation in the first place. Having root access on devices you own should be a fundamental right, as otherwise it's not ownership.
These restrictions extend outside the particular device. It must also be illegal as a commercial entity to enforce security schemes which involve remote attestation of the software stack on the client device such that service providers can refuse to service clients based on failing attestation. Service providers have other means of protecting themselves, taking away users control of their own devices is a heavy handed and unnecessarily draconian approach which ultimately only benefits the ad company that happens to make the software stack since they also benefit from restricting what software users can run. Hypothetically, they might be interested in making it impossible to modify video players to skip ads.
1. Devices should be allowed to display a different logo at boot time depending on whether the software is manufacturer-approved or not. That way, if somebody sells you an used device with a flashed firmware that steals all your financial data, you have a way to know.
2. Going from approved to unapproved firmware should result in a full device wipe, Chromebook style. Possibly with a three-day cooldown. Those aren't too much of an obstacle for a true tinkerer who knows what they're doing, but they make it harder to social engineer people into installing a firmware of the attackers' choosing.
3. Users should have the ability to opt themselves into cryptographic protection, either on the original or modified firmware, for anti-theft reasons. Otherwise, devices become extremely attractive to steal.
Not sure how to phase this legally, but please also add a provision against manufacturers making the "custom firmware" logo hideously ugly on purpose to discourage rooting - like e.g.Microsoft did for Surface tablets.
> 3. Users should have the ability to opt themselves into cryptographic protection, either on the original or modified firmware, for anti-theft reasons.
Full agreement here. I very much would like to keep the bootloader locked - just to my own keys, not the OEMs.
I think it's a difference in mindset whether you view custom firmware as a grudging exception for techies (with the understanding that "normal" people should have a device under full control of their respective vendor), or whether you want an open OS ecosystem for everyone.
Another thought on that point: Why of all things is manufacturer approval so important? We know manufacturers often don't work for - or even work against - the interests of their end users. Manufacturer approval is not an indicator for security - as evidenced by the OP article.
If anything, we need independent third parties that can vet manufacturer and third party software and can attach their own cryptographic signatures as approval.
I should note Google has such an attestation scheme, and there are reliable defeats for it in most situations given root access. Apps have been able to insist on hardware-backed attestation which has not been defeated for some time, but that isn't available for old devices. Almost none do so.
If this had a meaningful impact on fraud, more apps would insist on the hardware-backed option, but that's quite rare. Even Google doesn't; I used Google Pay contactless with LineageOS and root this week. I'm currently convinced it's primarily a corporate power grab; non-Google-approved Android won't be a consumer success if it doesn't run your banking app, and the copyright lobby loves anything that helps DRM.
You could also imagine having them integrated directly into the phone, but with a physically separated button or fingerprint reader to authenticate. The TAN generator could even have the ability to override the display to replicate the UX of authenticator apps.
The web app has been running with this security model for decades on PCs, and it has been fine. The whole narrative about remote attestation being necessary to protect users is an evil lie in my opinion, but it is an effective lie which has convinced even knowledgeable IT professionals that taking away device ownership from users is somehow justified.
The bank’s bad processes are not an end device fault.
I'm alright with limiting liability for an unlocked/customized phone (for things that happen from that phone) - but that's a legal/contractual thing. For that to work, it's enough for a judge to understand that the phone was customized at that time - it doesn't require the app to know.
We can talk about the consequences of spyware but definitely not a total liability shift. Also preventing root doesn't prevent spyware.
Won't this also forbid virus scanners that quarantine files?
> This pertains to all programmable components on the device, including low-level hardware controllers.
I don't think it's reasonable to expect any manufacturer to uphold a warranty if making unlimited changes to the system is permitted.
There might be a couple messy edge cases if applied at the software level but I think it would work well.
Applied at the hardware level it would be very clear cut. It would simply outlaw technical measures taken to prevent the user from installing an arbitrary OS on the device.
Regarding warranties, what's so difficult about flashing a stock image to a device being serviced? At least in the US wasn't this already settled long ago by Magnuson-Moss? https://en.wikipedia.org/wiki/Magnuson%E2%80%93Moss_Warranty...
Yes, I think that would cover most cases if we take it to its logical conclusion of wiping all device state (hard disk). OTOH, a few points:
1. I would accept the need to wipe the hard disk if I had messed with firmware or the OS, but not if a couple of keys on the keyboard had stopped working. This implies that (for me at least) a meaningful distinction remains between these two "levels" of warranty service. Do you agree?
2. Activities like overclocking or overvolting a CPU have the potential to cause lasting damage that can't be reversed by re-flashing. Under the policy you're suggesting, it would be illegal for manufacturers to offer users the option "You can pull this pin low to overclock outside the supported range, but you will void the warranty by doing so", and too expensive for them to endlessly replace parts damaged by these activities for free under warranty, so that consumer option, rare as it already is, would go away completely.
3. I still think there may be some devices that are impractical to completely re-flash. According to this 2021 Porsche article [0], modern cars contain 70-100 ECUs (microcontrollers), each of which will have its own flash/EEPROM.
[0]: https://medium.com/next-level-german-engineering/porsche-fut...
1. I expect wiping any given component to be entirely up to the manufacturer's discretion. If doing so is not trivial and is legitimately required for the repair to proceed then I'd expect the user to be charged for the additional service.
2. Violating manufacturer specifications and being at fault for damages are sometimes distinct. A manufacturer arbitrarily saying "you must not do X" should not necessarily mean that doing X will void the warranty. It might though. Discretion is obviously required.
3. If your car stops working after you mess with the firmware and you take it in to the dealer I imagine they'd charge you to reflash things since the issue was caused by your own actions. That doesn't mean they should be able to decline to cover entirely unrelated defects.
Also I don't think vehicle firmware would be caught up by the original proposal in the first place since cars aren't generally intended to run third party software. There's a grey area with infotainment systems that have an app store depending on if those are viewed as standalone or part of the larger vehicle. However reframing the proposal to revolve around intent would likely leave the firmware on unrelated embedded components in the clear to be locked down so long as those components don't interfere with the ability to freely use the general purpose computing element.
Personally I'd like vehicle firmware to be covered by similar protections but I recognize that falls outside the scope of a proposal about products intended for use as general purpose computing devices.
I don't like the "intended for general purpose computing" concept so much. For one, it seems to offer lots of easy wiggle room to manufacturers: Just say that your product is not intended for that, but for something marginally more specific. For another, it's not clear to me why general purpose computing ought to enjoy consumer protections that other manufactured devices do not. (One exception I'd grant is for safety reasons: If tinkering with a device could make it cause injury, fine, that device can be in a different class.)
Yes. If I really _want_ to execute malware on my device, I should be allowed to do so by disabling the antivirus or disregarding a warning.
> I don't think it's reasonable to expect any manufacturer to uphold a warranty if making unlimited changes to the system is permitted
It is very reasonable and already the rule of law in "sane" jurisdictions, that manufacturer and mandated warranties are not touched by unrelated, reversable modifications to both hard- and software.
I agree.
> already the rule of law in "sane" jurisdictions, that manufacturer and mandated warranties are not touched by unrelated, reversable modifications to both hard- and software.
Do you have any examples of such jurisdictions? I think whether this is reasonable turns on how "reversible" is interpreted. If it means "reversible to factory settings", including wiping all built-in storage media, then it seems reasonable to me that manufacturers should support this (possibly modulo some extreme cases like cars that have dozens of CPUs). But I would not be happy with having my hard disk wiped if I sent in my laptop for repairs because a couple of keys stopped working, which tells me that (to me) there remain at least two classes of "problem that should be fixed for free under warranty by the manufacturer".
Words written on toilet paper. Only thing that exists today are “billionaire rights”.
But even the DRM that is already there often only uses copyright laws as suggestions. E.g. YouTube's takedown guidelines are defined through their TOS, not through the DMCA.
Watching copyrighted stuff on general purpose computers is a very new phenomena, and it's still quite atypical IMO.
The crazy thing is that on all the devices I've had AVB is implemented on top of secureboot. Being able to set your own secureboot keys is bog standard on corporate laptops. The entire situation makes absolutely no sense.
Also for the record I think it's a silly attack vector for the average person to worry about. A normal person does not have secret agents attempting to flash malicious images to his phone while he's in the shower.
No, but millions of women have controlling partners or friends who betray their trust and, for example, many people going through U.S. Customs are being asked to surrender control of their devices so they can be used without their knowledge. There’s a well-funded malware industry with a lot of customers now.
Oh that's pretty cool, wasn't aware.
> The crazy thing is that on all the devices I've had AVB is implemented on top of secureboot. Being able to set your own secureboot keys is bog standard on corporate laptops. The entire situation makes absolutely no sense.
Hold on, could you elaborate a bit on this? I thought it was an either/or type deal cause they do the same thing.
It's possible this has changed or was never widespread in the first place. I have a very limited (and historic) sample size.
In other words, DRM.
https://en.wikipedia.org/wiki/Trusted_Computing#Criticism
(I knew from the beginning that this was known as the Palladium project, and until recently, a search for "Palladium TCG" would find plenty of information about that history, yet now references to that group and its origins in DRM have seemingly disappeared from Google. Make of that what you will...)
https://www.tcgplayer.com/product/593140/yugioh-quarter-cent...
Bizarre, I did find it on bing though..
If I want my device to be secure, I want this trust. If I want to sell a copy of my virtual asset to only be used in ways I approve of, I want this trust. You can't have only one of these at the same time, either your device can provide this trust or it cannot. That's not the battle in my view. The battle is to implement this appropriately, such that e.g. if we're representing access control, identity, and ownership, then that representation should match reality. So if I'm said to own a device, the device can and will attest so, and behave accordingly. It's just that instead of that, I'm always somehow just being loaned these things, only have some specified amount of control over these things, and am just a temporary user somehow. That's the issue. And that these systems are not reimplementable, and as such entitlements do not carry around.
Device security and mediated trust between mutually distrustful entities are separate things.
> If I want to sell a copy of my virtual asset to only be used in ways I approve of, I want this trust.
I don't want you to be able to do that. At least not with general purpose computing devices (ie my phone). Maybe for something like a game console or set top box but that doesn't seem to be what's being discussed here.
> either your device can provide this trust or it cannot
It is entirely possible for device firmware to do nothing more than verify that the bootloader was signed with a particular user configurable key.
Especially in Africa, where privacy and consumer rights are probably less relevant than the US/EU.
Well, then it's high time the laws of ownership in just about evey country in the world were updated.
As it stands, if I buy something then I own it.
That's the point: you can't buy it, only license.
The minute Apple sees a clear path to get away with it, iPhone will essentially become licensed devices.
Then other phone makers will jump through the opening, at some point it becomes the standard, and we'll laugh at the "voting with your wallet" joke again.
> software
We're already full in licensing books, as truly the most pragmatic choice. Amazon opened the door, and many other ebook stores have jumped on the bandwagon.
To say it's unlawful is moot. Apple may have jurisdiction in the US but not across the globe, there are plenty of places I can think of to send an iPhone to have it fixed the way I want (and I'd do so the moment that market is established). There's no way Apple can police what people do with their hardware once it's in their hands, it's fanciful to think otherwise.
Open hardware is on the move, eventually considerably cheaper open products will become popular just on price alone. Competition will then be fierce, Apple will have to change its policies if changes to laws don't beat them to it. Remember also the US isn't the whole world, so those changes are likely to be enacted first outside the US. If Apple wants to sell there then it'll have to comply with those laws just as it did with USB-C in Europe.
Also keep in mind Apple, Google, Microsoft etc. have become the richest and fastest growing corporations in human history—they even beat out the previous contenders the Dutch and British East India Companies of the 17th and 18th Centuries.
These corporations became so rich so quickly because of a confluence of circumstances—the new tech paradigm of the personal computer, the wow factor that took the world by storm and a compete lack of regulations worldwide. Without regulations to keep these corporations in check they simply ran amuck.
That's now over. Yes, it will be some while before they're brought to heel but they'll never get such a straight run again.
Apple is on top now but let's see where it'll be in 20 years.
Similarly it is pretty messed up when people say stuff like “fire can burn you if you aren’t careful” because so many people rely on fire for food and warmth.
Cooking animal products at home poses a health risk. You should be sure to only ever consume animal products prepared by a duly licensed establishment.
The chauffeur's union would like to take this opportunity to remind you that amateurs operating their own motor vehicles risk serious injury and even death.
The FSD alliance would like to point out that hiring a licensed chauffeur also poses a non-negligible risk. Should you choose to make use of a personal vehicle it is strongly recommended that you select one certified by the FSD alliance. Failure to do so could potentially impact your health insurance premium.
Good tongue in cheek post, but in the US Magnuson-Moss prohibits warranty claim denials merely on the basis of non-OEM parts and service. It also puts the burden on the manufacturer to demonstrate the defect or failure was the direct result of the non-OEM part. Other jurisdictions have similar laws on the books.
Right to repair already exists in certain aspects and needs to be expanded (and enforced. Tons of those ‘will void warranty’ stickers are lies and you have legal rights to poke around)
The problem is getting the companies to change their act, and they probably won't without a class action lawsuit, and I have no idea if there's enough financial incentive there for a law firm to tackle it.
We can get so bogged down with “things that are real” and “exist in this universe” that we completely fail to focus on the vital stuff like “Bigfoot is circumcised” and “Who did it?” and “Why?”
Or do you dispute that you could be hospitalized for salmonella if you botch cooking poultry at home? Or perhaps you feel that there is no straightforward way to inadvertently endanger your life by servicing your vehicle incorrectly?
I genuinely do not understand the last two sentences. Are you pro- or anti- “telling people that salmonella exists” ? Is saying “salmonella exists and can be a problem” FUD or what? Do you think salmonella isn’t real
> Is saying “salmonella exists and can be a problem” FUD or what?
Obviously that depends on context. If a bunch of restaurants form a PAC and start lobbying with that message to restrict the sale of animal products at the grocery store then it is. If the FDA mentions it on a page about basic food handling safety then it probably isn't (depending on the surrounding text ofc).
Rooting your device is a security risk the same way that servicing your own car is a safety risk. When I hear "security risk" or "safety risk" I'm expecting something that's inherently dangerous like wingsuit jumping or cave diving. I'm not expecting something that should only ever fail if I don't exercise due diligence. This difference in perceived meaning is being exploited by those spreading the message similar to when Coca-Cola got sued for a label that implied pomegranate juice when the bottle contained only 0.3 percent.
When device vendors lock end users out of their own devices and then aggressively spread such a message to justify doing so it qualifies as FUD or propaganda. A vested interest has disenfranchised people as part of a long term strategy to enrich themselves and is attempting to manipulate the public narrative regarding their actions.
You posted actual nonsense and then declined to say if you are for or against telling people that salmonella is real.
Anyway, in good faith
> Obviously that depends on context.
This makes sense. Context matters, and it is important to imagine some when it is missing. For example, in this exchange you saw a stranger on the internet post “rooting your phone can void your warranty and pose a security risk” and, in a vacuum of any relevant information, pictured a world where they work at Samsung in their Awful Spyware Division and started posting from that premise.
Or just saying it at all FUDs up the vibe and ruins the context?
The point you are making is either that it is important to invent context if you feel FUD, or that the wrong context for certain correct information is “the context wherein it is shared”.
Can you clarify which is it?
Either we agree that rooting your phone can void your warranty and pose a security risk and you just sort of imagine me working for a terrible company,
or
We both agree that rooting your phone can void your warranty and pose a security risk but you and I are the only people that should know that. Any context where this fact that we agree about could be shared is made inappropriate by its inclusion.
Like are we dealing with hallucinations or are we dealing with Untouchable Facts
> and, in a vacuum of any relevant information
The context was your original reply rebutting the suggestion that this is corporate propaganda. Yet you play dumb and pretend that doesn't exist.
Rooting your phone can void your warranty and pose a security risk in precisely the same way that servicing your own car can. If we were on an automotive forum and you replied with that I would also accuse you of spreading FUD.
Something being true when interpreted in a literal sense does not make the commonly perceived meaning true. Willfully ignoring that is where the bad faith element lies. Well that and the part where you've been repeatedly playing dumb for the perception of winning an argument.
For starters, in most places, warranty is a legal requirement and the manufacturer isn't allowed to void it for whatever reason they want. If my phone's battery starts getting really hot in normal use, or I start getting dead pixels on my screen or whatever else, the fact I have a custom OS on my phone isn't relevant to the warranty claim any more than having it in a case or putting some stickers on it. Yes, it'll make claiming it more difficult, but that doesn't mean it's void, just that you'll have to fight through a few more tiers of support agents to get it fixed.
More importantly, rooting is only a security risk in the sense that it increases the attack surface for exploits. The same can be said for any other system-level software. Like if you buy an Nvidia graphics card in your computer and that loads its kernel driver, malware now has one more place to exploit. Are Nvidia graphics cards a security risk?
We've come an incredibly long way from just dropping /xbin/su and calling it a day. Modern (as in the last 10 years) root solutions have caller checks based on a user-defined whitelist and really modern implementations use kernel-level checks to make sure the app wanting root access is allowed to get it. The only way this can be dangerous is if one of those apps or the root solution itself has a code execution exploit. But again, the same can be said for the plethora of system-level bloatware vendors install these days.
This only makes the statement untrue if you use “can” and “will” interchangeably.
>More importantly, rooting is only a security risk in the sense that it increases the attack surface for exploits.
This is a good point. What even is “attack surface” anyway? Does anybody actually consider it when “evaluating security posture”? If I simply choose not to care about attack surface because I don’t want to, then doesn’t it simply become a factual nonissue? There are no answers to these questions
But if you really want a thorough reset, simply re-lock the bootloader and flash stock firmware from there. Nothing can persist through that without an exploit in the verification chain and if you have that kind of exploit, you don't need the bootloader to be unlocked in the first place.
Also, there are devices out there that let you enroll your own keys, like the Google Pixel series.
Some can, some can't. Even when it can persist, escalating to root after every reboot may be unreliable or noisy (e.g. 70% chance of success, 30% crash) compared to straight persistence as root without verified boot.
> Also, there are devices out there that let you enroll your own keys, like the Google Pixel series.
This still applies to those devices. It's the main reason GrapheneOS (which exclusively runs on Pixels, with the bootloader relocked to a GrapheneOS key) is opposed to building in root access: Verified boot would be "enabled", but effectively bypassed. https://xcancel.com/GrapheneOS/status/1730435135714050560
Literally 0 here, have you really?
Like I literally do not know anyone who is even using Linux to begin with but also people do have “root” in their Windows and MacOS systems. I do not see anyone destroying their computers at random.
Also to steal someone’s information you don’t need root access or any administrative access - if you already tricked the user into running your code then you can steal their passwords or whatever, all of that is user-level data.
* Pedantically speaking, you can not even log in as root, any root level access would have to go through sudo (which is indeed enabled for most users).
* But additionally, even as root, Macs by default have System Integrity Protection enabled, which makes most system files non-modifiable. Users still have full control in that they CAN disable System Integrity Protection, but that involves a reboot and some (documented) command line commands, so most users don't bother doing that.
I accept this metric. It means non-rooted devices are unsafe.
I'm career IT support. In the entire age of smartphones, 100% of the malware/crapware I've seen was on non-rooted devices - most of it pushed on users by manufacturers, carriers and OS devs.
To add on, almost all the money people I know who have lost to scams have been through non-rooted devices. Sending an OTP or making a bank transfer because "you're under police investigation" is cheerfully easy even without the user knowing what "root" is.
Also see: the recent phish on Krebs (on security). A malicious email and entering a password to a webpage does not need root access, for better or worse. In fact, a rooted device might block your bank app, actually making money transfer scams tougher, ironically.
Same here. It's manufacturers and software vendors such as Google and Microsoft that we need to most guard against.
Fully agree wirh your second paragraph, I've only seen viruses on non-rooted devices and I've never had a virus on any of the many rooted phones I've owned over the years.
Sure there are viruses and they can be troublesome but when you look below the surface much of the hype about locking down one's devices comes from manufacturers and software vendors, Google, MS et al, who benefit financially from not allowing users to control what runs on their phones.
It's not only phones, what Microsoft has done with TPM and Windows 11 and the deliberate obsoleting of millions of perfectly good PCs/forcing users to buy new hardware when it's unwarranted is simply outrageous.
Microsoft ought to be sued for committing environmental vandalism. …And that's just for starters.
It’s also important to learn how the modern abuse industry works. Since the 2000s, malware has grown into a multi-billion dollar highly professional industry used by governments around the world and the scammers have professionalized as well. You should look at some of the YouTube videos of scammers social engineering people into giving them remote access, approving bank MFA challenges, or talking them into making cryptocurrency purchases - and while we might sneer and say they’re uneducated or careless, most of them are distracted or old, just like most of us will be some day. If there’s a prompt, millions of people will approve it and if it means their device can no longer be trusted that’s a lot of money and e-waste.
I don’t like any of this. I want to have root on every device because I grew up with unfettered PCs (first installed Linux .9 using a disk editor, etc. etc.) but the landscape has changed since then. We can’t pretend otherwise, but we could call for regulation to balance the interests of owners and device manufacturers just as we allow people to customize their cars without giving up the concept of safety or emissions testing.
Computers were utopia 20 years ago as compared to today - especially when it comes to privacy, security and user-control.
Oh, the Matrix is also parasitic, certainly; before it was smoothed over for mass appeal it was I think a story much more obviously inspired by They Live, the central conceit being that the system both runs on and exploits human neural cognitive capacity, ie the brains are the thing being farmed as components of the Machines' own computers, with the rest of the human (including consciousness and experience!) basically tolerated as the best available life support system for the 500 grams or so of brain tissue that's actually worth having. But a cow can live a long and happy life on a farm, be genuinely loved, and still end up as cutlets. Looking at it even from Daisy's end, how unjust can we honestly call that deal?
For you and me, the gunslinger's life has a decided appeal, sure. If that and Buy-n-Large World are the only two options on the table - which so far they have been, though I agree the real answer is to add a better third - can we really say that, for everyone, the Matrix isn't the less worse of the two?
However, all this comes with the caveat that SafetyNet will flay you alive. The cat and mouse game with Magisk and other methods to maintain root undetected is moot when I've used apps these days that make a fuss when you have developer settings enabled. To be honest, that seems acceptable to me, I can do what I want with my device, software vendors like banks and the like have a say in how I choose to access their more convenient services. I can play nice with them if I want, even using a second phone perhaps, but I have a choice.
I disagree. I don't understand how it's fine that I can access my banking services with my Gentoo machine, with everything compiled from source by myself, but it's somehow a problem when I'm not using either Apple or Google certified OS on my phone.
I'm sure they want to prevent the first scenario, like various streaming cartels already do, but I hope something like EU throws a fit if they do.
Because it's a bank there's going to be insurance behind the scenes to cover them if something goes wrong, and I assume part of that is ticking off enough points to be confident a transaction is secure or different payment limits on confidence levels.
Isn’t this just a second device? How can you hold a manufacturer liable if the user was given unsupervised time as root?
PCs had root access by default, so why wasn't it a significant problem for them? Banking is possible on a PC without a banking app.
As Noam Chomsky has said, as in politics, manufacturers and OS vendors such as Google and Microsoft have been deliberately "manufacturing concent" — a widespread belief in the population of users that benefits them to the disadvantage of many of said users.
PS: While he maybe in effectively hospice now, at least he outlived Kissinger.
Right, I've never fully understood why the media was (and still is) so complicit. There's a long history of the media, especially the tech media, mags etc. ass-licking the likes of Microsoft, Google et al. It's been horrible sight to watch over the decades. Perhaps it's because of kickbacks, fear of exclusion from events, press releases, or handouts—free software etc., or that many had/have shares in such entities—or the belief that those who run such entities are only one step removed from the gods—hero worshiping.
We users would now be in a damn side better prosition if the media had done its job professionally.
"technical vocations are still frowned upon in socially most of America."
Right again, and America is not the only place, such thought is endemic across the anglosphere.
They weren't networked. They were notoriously buggy. And most importantly, they weren't warrantied [1].
Root should always be an option. But once you root, it's fair for the warranty to be voided.
> OS vendors such as Google and Microsoft have been deliberately "manufacturing concent"
Nitpick, the propaganda model [2] attempts to describe traditional mass media. Two of its five pillars (ownership and sourcing) fall apart in a world with smartphones and social media.
[1] https://www.studocu.com/ph/document/university-of-rizal-syst...
[2] https://en.wikipedia.org/wiki/Propaganda_model#Criticism
Where on earth did you get that notion from? Just because some vendor [your links] has conned the unfortunate client into an unacceptable contract doesn't mean it's commonplace or ever was.
Literally cited the source.
> My PCs and corporate PCs I've been responsible for were networked including the internet
These came later, in the mid 90s. If you have a source for any PC having been "warranted with no conditions about what software was run on them," I'd love to see it. Practically every warranty for PCs voided if you e.g. overclocked the CPU. And almost all PC warranties were limited warranties, not the no-questions-asked up-to accidental-damage common today.
User software is another matter altogether. Users could always install whatever they wanted.
It seems you are not old enough to remember that the PC was originally designed to be modular and flexible and that applied to both the hardware and software.
The whole raison d'être from the S-100 bus of the 1970s and the IBM PC† of the '80 was to provide users with a computer system that was flexible and that users could adjust and alter to suit their needs. This meant that users were actually required to alter the configurations of their PCs. No one would have questioned such action, it was considered completely normal.
Moreover, warranties took this into account and it was a normal procedure to add RAM, disk drives and video cards etc. without voiding the warranty. What's more, one could even upgrade the CPU (and if necessary its clock speed) and the rest of the hardware would still remain in warranty—that's why CPUs until recently were 'socketed' and not soldered into place. Of course, the third-party CPU wouldn't be warranted—not on the PC's warranty anyway.
What you are referring to is a sleight-of-hand by some sleazy ratbag manufacturers to change the PC from an open system and make it proprietary. Any system administrator or corporate buyer (at least until recently) would have objected to any clauses in the warranty that would have forbidden modifying equipment as mentioned. I know, I was head of a government IT department for years and contacts that included such punitive warranties would never have been awarded—they would never have passed my desk. Not that I ever saw any mind you. (BTW, there some were warranty claims, altering the equipment was a non issue.)
What we are seeing now (and this whole discussion) is about reclaiming the open nature of the PC—and our computing equipment in general, our phones, etc.
Fortunately, the Right to Repair movement and the Right of Ownership—people like Louis Rossmann and iFixit—are beginning to make inroads into keeping these sleazy carpetbaggers in check. As we've seen Right to Repair laws are getting enacted.
† The original IBM PCs had full service manuals that included electronic circuit diagrams and even the BIOS source code! To suggest we weren't meant to alter things is sheer nonsense. (I still have my copies of these manuals.)
Again, very limited warranties that only covered manufacturing defects. Not the warranties integrated products have today. In most cases, a manufacturing-defect warranty is not voided by rooting your device. (It may become more difficult to prove it’s a manufacturing defect, however. The law varies state to state.)
What fundamentally changed is warranties expanded as products became more integrated and the market expanded beyond power users. You cannot provide accidental-damage insurance for a user adjusting their BIOS.
Rightly so because adjusting the BIOS won't cause harm!
PS: if you are referring to damage caused by oveclocking (if perchance it's available in the BIOS), then this is a user-accessible feature. As such, it'd be covered under warranty.
If a manufacturer played hardball and tried to dishonor the warranty then they wouldn't stand a chance against most consumer legislation in most parts of the world. They'd be toast where I am, not only would they have to honor the warranty but they'd be fined in the process.
Perhaps you're in a part of the US where consumer legislation is essentially nonexistent then things might be different. (The US is known worldwide for having the worst consumer legislation in the Western world.)
These additional restrictions are not there for security despite what we are told.
I've had to cloak the rooted state from an app or two or they'd choose to withhold functionality. That was a couple of phones ago. I've not had trouble with banking, payments, etc since.
I think they're supposed to prevent people from reverse-engineering banking app APIs and writing bots that perform millions of requests per second, trying to brute force their way into peoples' accounts.
As an extra protection, SafetyNet also makes it harder to distribute apps that repackage your genuine banking app, but with an extra trojan added.
If a bank (or any entity for that matter) needs to control the client in order to make their systems secure, then it's bad security. The system must be secure despite the client.
Making it easy to root phone makes it easy for scammers to ask people to unlock it.
It should not void warranty if you unlock the phone. But security concerns are real. Mobile banking apps refuse to run on rooted phones.
I would agree.
> Making it easy to root phone makes it easy for scammers to ask people to unlock it.
I would also agree, so then: don't make it easy.
> Mobile banking apps refuse to run on rooted phones.
... but they do run on my web browser. On a computer using open-source software without even secure boot enabled. So, it seems to me this is a cop-out by said banks. They shouldn't require client-side absolute trust to run, and evidently they actually, practically, today, do not require that. It's simply a choice they made, presumably out of laziness or greed.
Historically, computers have not granted you access to everything. Most home computers used to have ROM cartridges, which could not be modified, at least not by an average user. Also, when using unrestricted operating systems, such as as MS-DOS, a simple virus could wipe all your hard work.
In our current time, devices are connected to other machines, and the problem of security and privacy has increased dramatically. Unfortunately, we still don't have operating systems that are secure enough to be used by untrained persons. It makes perfect sense to lock down these devices.
I basically see only two ways out:
1. Allow developers exclusive access to development systems, similar to how console development works.
2. Implement a secure operating system.
It will take an extreme amount of effort to do the latter, and it might even be impossible to gradually absorb the mess of interfaces that people and companies expect to work.
So that probably leaves us with the first option. Personally, I would love devices to be locked down more, so that the crazy threats from hackers will be less severe. But I would also love to keep developing software. Having to jump through some hoops is probably unavoidable. The situation could be compared to requiring a driver's license in order to safely drive on the shared infrastructure.
As much as I agree with your sentiment to have freedom, it still seems somewhat overly optimistic to expect this to work in our complex society.
Anything else and you lose freedom, and the whole ethos that enabled the advanced IT landscape of today.
Of course you lose freedom, but that is exactly what is needed, because some people just cannot help themselves from exploiting that freedom.
Unless someone figures out a way where we can safely share computing power and connections to real-life services (e.g. banking, having an identity, communication in general), I think there is no real alternative.
Perhaps having separate internets for various purposes would be an option. Ond where we can socialize anonymously, but not trust each other, and one where it's pretty boring, but where you can safely buy goods using your paycheck.
>Unless someone figures out a way where we can safely share computing power and connections to real-life services (e.g. banking, having an identity, communication in general), I think there is no real alternative.
I think the opposite is true. We don't have adequate sandboxing of userspace on most desktop OSes. If your malware has access to the victim's home directory and can phone home, they've been pwned for all intents and purposes. Root access would matter if userspace programs were well sandboxed.
On OSes where this is true like android, you have terrible interoperability of userspace programs and it's impossible to get "real work" done. Not to mention that without root access, you are just relying on the corporation to manage your system for you, which isn't tenable for a democracy.
You don't need all of this trusted computing stuff to have secure, private payments. Chaumian ecash and cryptocurrencies have known this for a while. Just use a digital signature scheme instead of relying on open-source information.
I totally agree that user space is not as much of a useful concept on a single-user device. Originally, it helped to shield users of the same system from each other. Most of this was based on file system authorization. This hasn't been extended to internet access in a very useful way.
However, even on single-user devices, having root access makes it easier to hide malicious processes. Granted that in modern operating systems it is already totally unclear what most processes are doing, so one can simply hide in plain sight.
I'm still not convinced we can get by without a lot of trusted computing stuff to have secure payments.
Can be given control [by handset manufacturers] is an unfulfilled potential. And it will always be unfulfilled - because otherwise, users could protect themselves from manufacturers/providers foistware.
Given their reality, users root.
That doesn't give me any less power than root, but does give those apps less power and limits the potential impact if one gets compromised. I think when most people say the device owner should be able to get root, they mean that the owner, rather than the manufacturer or OS vendor should have the final say in all cases, not that it has to literally work just like root on Unix.
Yes, this is kind of approach of coming up with a design to security instead of going with the easy route of everything being allowed is harder to do and takes more time, but it leads to better security.
I mean, we all agree that such permissions are not required during everyday operations, but there should be a way for the consumer to have control over the software being used. And I mean all aspects of the software: firmware should be updatable, the OS should be replaceable, and the security concepts within the OS should be customizable by the user as well. I have no problem with hiding such functionality and requiring users to read the documentation to find out how it can be done, but it should still be possible.
Having root access is not in the interest OR benefit of most regular users. Rooting your phone is a footgun for 99% of people who install random apps and will get hacked and have their life savings transferred or ransomed.
For them the article does the right thing. For everyone else, like you or me, we will not care what this article says anyway.
That's why what Samsung does is double bad. Noot rooting phone is good hygiene if your phone respects you. But if it comes with malware then thats a stab in the back.
What about desktop OSes for the last 40/50 years?
Sure they aren’t the foam-padded locked down phone OSes, but isn’t this fear a case of leaving said padded room?
If you talk to regular non IT savvy people many of them don't bother and correctly assume that at some point it will "get a virus" or something. And it is fine for them because almost no one uses desktop for critical stuff like payment or finance. But majority do use phones for that. They jumped from cash straight to phones and now it's a lucrative attack vector.
Edit to reply because throttled by downvotes: yea I'm in your boat, we live in a bubble. It's hard to believe. But now I'm using a payment system that literally has "get app" on its site and no other way to manage money or even sign up. And apps like that can be the only way for many people to get some sort of plastic card to pay cashless
And I see how it happened. Many people have no personal desktop computers. Many payment vendors don't trust desktop computers because an ordinary person's windows machine is a malware breeder.
So many people in the world depend on mobile security (especially underprivileged people). Anyone who wants them all to get fucked for own libertarian ideal of "hardware ownership" is basically a psychopath to me. Especially considering that he is literally free to root his device and not make it a problem for others.
I'm not saying this is wrong (in fact I assume it is accurate), but relative to my life experience this is crazy to me.
Mu mother-in-law does not have a laptop or desktop. She barely uses her iPad. If it’s not on the phone, it might as well not exist. My father-in-law has a PC at work and a Mac laptop, but he uses them only for work - his casual internet use is entirely on the phone. My wife uses multiple iPads and her phone, but only uses a desktop at work or when working at home.
Most people I know don’t actually own personal computers other than their phone or tablet.
What? This makes no sense. For something where security matters, using the desktop is the only rational choice. I never, ever, allow any sensitive information through the phone since it is not a trusted device.
South Korean needs USA to protect it.
Consider everything from South Korea to be under the blessings of the NSA.
I own a $50 Android tablet just for the required certificates to run DUO for work and other than that just use a UMPC with a modem card and VOIP for everything.
And as much as I hate sending all the data to Google, their Translate app is indispensable for communicating in non-English speaking countries.
Google Maps's search/review works fine on the web, I'd imagine the experience is probably nicer on the web than mobile.
Qwen and gemma both run locally on Linux and are excellent for translation.
In retrospect I think I would have preferred something with a small celleron CPU to the AMD.
Id gather you could go very far with the following list:
- Proved correct micro kernel
- Encrypted messaging by default
- Encrypted memory
- Encrypted messaging between processes.
- hardware switches for modems, peripherals and battery
I was able to disable it but not remove it, unclear if it will re-enable itself. It had sent about 35mb of data since March 1st, and was enabled as a background service.
I don't see how any company can compete with this unless they somehow figure out how to make a vastly superior product.
I did not expect the thing I made games with as a teen to be involved in a global war.
Go to Settings->Apps and find the app in the list. Click "Configure in AppCloud" and then click "Personal Data". A form shows up where you can request access to the data or request a deletion of the data.
I just requested access to my data, received an email confirmation where I had to click a link. I am curious to see what they will send me (if they will send me anything).
Not found on this Samsung phone.
---
I just received the data inside an email. It is just a HTML file with the headers "Data Privacy Report" and "Aura Up Privacy Report" but other than that it is empty. Obviously this is all just bullshit to pretend to comply with GDPR.
As an aside, I recall getting a lot more ads when I used Samsung Keyboard.
Yeah, all Samsung software is a liability.
Don't even get me started on the Samsung smart TVs. Just horrible all-around.
Strangely enough, I cannot reproduce this now.
I'll see when it happens again, and if I can uninstall keyboard via adb. It's just a pre-installed app, after all.
Unless you have already used adb to disable or remove the app, the issue is guaranteed.
We need to decouple phone hardware from phone software, as we did with computers.
As it's usually not viable to opt-out of those, the solution seems to be having a separate device.
So the question is who would we like to be exploited by?
We have new spyware coming from Israel, let's update the list:
- Pegasus
- Candiru
- QuaDream
- Cellebrite
- Paragon Solutions
- Nemesis
- AppCloud
I even refuse to buy QD-OLED monitors out of indignation that Samsung makes the panels. Maybe I'm alone but maybe one day we'll boycott lousy companies out of business.
Genuine question.
In my case I also wanted an SD card slot so it was slim slim pickings indeed. (And still there are some misfits who insist that there is no such thing as progress!)
Pixel phones get 7 years of OS and security updates. Do you consider Pixel phones to allow you to easily migrate to a new phone?
Disclosure: I work at Google, but not on Android or Pixel.
We've been having some warm weather (~30ºC) around here and the other day my Pixel 8 Pro started warning me about the phone being too hot when I tried to record a video.
I like Google's Android skin and their long support periods, but Tensor holds these newer Pixels back.
Has any smartphone maker succeeded in getting more than a few percent of market share, released more that 2 phones while being immune to that level of fiasco ?
There have been other phones that had very occasional battery fires, but nothing on remotely the same level.
Each of these is also unique and unseen ever before for a phone.
Let that sink in.
You are suggesting that Apple is actively tracking you in other apps (apps that aren’t allowed to track you themselves). I find that completely preposterous and a huge risk for Apple to take given their marketing.
> Because Apple blocks everybody else from spying on you but Apple themselves are still perfectly spying on you.
Extraordinary claims require extraordinary evidence. Specifically Apple spying on users and collecting info tied to their identities in 3rd party apps.
https://ads.apple.com/app-store/help/attribution/0093-adattr...
Möbius Sync and Synctrain are the options for Syncthing. Both work, neither are official (nor is the currently-maintained Syncthing fork for Android).
There's no need to present it as anything less than what it is, it is enough of a scandal already. Fear mongering using the words "Israeli Spyware" just undermines the very just point being made.
Would be funny if antisemitism led to good outcomes for once
Unity the ones doing a game engine?
And of course I don't keep anything valuable on the phone, do not login anywhere, do not install apps etc. It is an untrusted device because it does not run Linux.
2. Scroll down and tap Apps.
3. Look for AppCloud in the list of apps. If it’s not visible, tap the three-dot menu in the top-right corner and choose Show system apps to find it.
4. Once you’ve found AppCloud, tap it, and then tap Disable to stop it from running.
https://hackerdose.com/tips/remove-appcloud-from-samsung/#:~...
There are no innocent world superpowers.
I've recently learned that movie "7 years in Tibet" is full of lies, starting with the fact that the main character was hardcore Nazi follower in real life.
There are a lot of things that we don't know because media are not interested in enlightening people. They are interested in pushing the current agenda.
E.g. Tibet was a poor feudal state with slavery, but you won't easily find this information, because all you can find now if you search for it is: "China is bad, bad, and Tibet is very good, enlightened people, very warm and kind". It is not like that.
Well I imagine there was a lot less persecution by the Chinese government at that time.
> media are not interested in enlightening people
You're right, the media in China are mostly or exclusively mouthpieces for the state.
Is feudal society with slavery and human sacrifices better? How can we really be sure about more or less persecution by Chinese government if we don't live in Tibet, do not know Tibetan and Chinese, and all we know about those "persecutions" are somebody else's translated words?
> You're right, the media in China are mostly or exclusively mouthpieces for the state.
You're right, the media are mostly or exclusively mouthpieces for the state. FTFY. There are not exceptions anywhere in the world.
You're conflating your lack of knowledge about the subject with a general lack of knowledge about the subject; those are not the same.
> You're right, the media are mostly or exclusively mouthpieces for the state. FTFY. There are not exceptions anywhere in the world.
That's a false equivalence; yes, most or all countries' governments have captured the press to some extent, but the degree to which it happens varies wildly by country, and again the fact that you don't see that speaks more to your own experiences than any objective reality.
Capitalist technologies are the surveillance state incarnate. They must study people in order to manufacture consent.
Remember democracy is majority rule, when have you ever had true control over your political destiny? You KNOW the answer is never.
Democracy =/= trust.
Democracy = control.
Only countries with regular coalition governments can be classed as a actual democracies.
Oh you like phones? Well our phone companies require us to directly or indirectly create proxy wars in this region in order to acquire the raw materials necessary.
This is the democracy of western nations: policy hidden behind capitalist interests that the people engage with through consumption.
Its democracy for the rich not for the millions of us.
That's why they NEED to manufacture consent, in order to get you on board with murder and fabricated poverty in order to have goods and services.
I think that is the will of the masses.
I've got this fairphone in my pocket that has a replaceable cobalt-free battery and a replaceable OS for a reasonable price. But people by-and-large don't want fairphones, they want iphones.
The third worlders fighting over cobalt don't want peace, they want wealth for themselves.
People don't want niche third parties and alternative stuff, they want to be part of a larger cultural group.
Captialism is based on individual voluntarism, and the problems you describe are not caused by manufactured sentiment but a lack thereof. The problems are caused by the distributed actions of a silent majority, as opposed to some greater rational plan.
They are enabled into fighting by big, huge interests. They ship them weapons and rationales.
Who are the customers in the end? Western nations. They create the abject poverty, they use poor governments to exploit and enslave their own people. There is no "poverty" in the world only exploitation. All poverty is fabricated and sustained.
Why is it that Mali is one of the poorest nations on earth but is also one of the top 10 exporters of gold? How does that work?
Capitalism is not voluntarism. That is the myth of philosophical liberalism.
To say that someone who owns as much wealth as a few million people is equal to those same millions of persons who directly own nothing except credit(debt)? It's a myth.
Voluntarism would only be true if we were on equal economic standing. Therefore voluntarism implies that no one can be coerced or leveraged, its a moot and infantile viewpoint of social dynamics.
The "silent majority" has no real way to speak. You choose candidates based on talking points who can then REALLY do anything they please. That is called "trusting campaigns", not democracy.
In reality what happens in elections is that we are choosing a group of people to enact policies based on the market-demands of a society that cannot control its market/production. There is a huge disconnect. It's not a real influence WE have. It's an influence that is given.
IE. The majority of people dont want to use plastic materials for anything related to their consumption. But plastic is cheap and easy to produce. I'm sure that if given a choice people would rather their society work a bit more, spend a bit more of human-energy if it means we dont have nuts full of microplastics.
It is how we produce that determines what choices we have, and how we produce is determined by market dynamics which are reduced to sustainability of production and profits. It is profits that determines production, not consumers' will.
So tell me: if we dont directly control the options we have, but you say we are making a choice, what is that?
There is another word for that. Coercion, manipulation.
I dont want child soldiers killing for control over resources or kids mining for 12 hours a day, I want a good, cheap phone. It is not the same.
Is there really no other way? I would sure as hell try to have it any other way.
Whoever conflates these is doing so because they profit off of it, not because its the only way.
In capitalism the heads of production and their profits determine the directions of our societies.
Weapons and rationales don't fight wars themselves (yet).
>Why is it that Mali is one of the poorest nations on earth but is also one of the top 10 exporters of gold? How does that work?
Gold is just a shiny rock. No one needs gold to survive and it has few industrial uses. If your only asset is a resource like that, you are going to be stuck digging it out of the ground and trading it for everything else you need (including protection).
The wealthiest nations in the world are industrious. Not those built on top of some natural resource that they are incapable of defending- that's a recipe for instability. Look at taiwan, japan, ukraine, even isreal. These little nations can leverage greater nations to fight on their behalf by using their industrial capability, even when they are surrounded by enemies. The "divide and conquer" principle is not only used by larger nations to control smaller nations, but also by smaller nations in dealing with larger nations.
>Capitalism is not voluntarism. That is the myth of philosophical liberalism.
>To say that someone who owns as much wealth as a few million people is equal to those same millions of persons who directly own nothing except credit(debt)? It's a myth.
You are conflating voluntarism and democracy. Capitalism is voluntaristic, but democratic insofar as wealth is well-distributed.
>The "silent majority" has no real way to speak.
You vote with your dollar. Most people in the USA are not willing to pay for the premium associated with ethical production. Hence, iphones dominate while fairphones lag behind. You see this everywhere you go. At the supermarket, there is a premium associated with organic foods. Actions speak louder than words.
>IE. The majority of people dont want to use plastic materials for anything related to their consumption. But plastic is cheap and easy to produce. I'm sure that if given a choice people would rather their society work a bit more, spend a bit more of human-energy if it means we dont have nuts full of microplastics.
I would make this tradeoff, but I wouldn't be so sure others would, in the large. There are some things that only plastics can do, so it would be a slippery slope of what applications would be allowable.
>It is how we produce that determines what choices we have, and how we produce is determined by market dynamics which are reduced to sustainability of production and profits. It is profits that determines production, not consumers' will
>So tell me: if we dont directly control the options we have, but you say we are making a choice, what is that?
The only way you could directly control the options you have is by producing goods and services yourself. Farm your own food, build your own smartphone. The economies of scale and capital costs are not a result of any specific economic system, they are often the result of the realities of production and logistics. These tradeoffs exist even within communist command economies.
The only difference is that in capitalism, it is voluntaristic enough that you have the ability to choose what you do with your own wealth and time. You can affect change gradually, on a small scale.
>I dont want child soldiers killing for control over resources or kids mining for 12 hours a day, I want a good, cheap phone. It is not the same.
Then buy a fairphone or something. You have some options.
>In capitalism the heads of production and their profits determine the directions of our societies.
If you don't buy their product, then it won't be profitable. Boycotts are an effective political tool. Divide and conquer!
And people dont fight wars without weapons and rationales.
I am specifically saying that a lot of the chaos in the third world is the result of opposing global-capitalists interests in order to sustain poverty and exploitation for the sake of the first worlds' economies.
> Look at taiwan, japan, ukraine, even isreal. These little nations can leverage greater nations to fight on their behalf by using their industrial capability, even when they are surrounded by enemies.
Those are all nations developed during or after the cold war in regions of conflict. They are not independent nations that developed due to "natural" regional history. They are neocolonial experiments.
They are neo-colonies of a global capitalist hegemony centered in the "west". Taiwan developed from Formosa from the aid of western capitalist nations as a base for defense from China. Israel is the same idea in the middle east. Japan essentially the same thing. Ukraine is currently in their neocolonial war for deciding which capitalist block to align with. These are not true independent nations, they are neocolonial experiments of essentially captive economies.
All this to say: Development is not down to a type of industry alone, it is also due to an economic context. Mali does not develop because it is not allowed to develop. This is what colonialism has done in the global south, this is how they prop up western nations. With slavery, misery and exploitation.
Your analysis of the global south is also what racists use to defend racial capacity while completely ignoring history and current economic contexts.
> You are conflating voluntarism and democracy. Capitalism is voluntaristic, but democratic insofar as wealth is well-distributed.
Ok, so competition and corruption in capitalism always makes capitalism undemocratic and exploitative. This is what we see in the leading nations of the world. Working classes who get the illusion of choice in their democratic institutions.
> You vote with your dollar.
This is one of the oldest lies in the book. It's circular reasoning. If someone else's dollar defines the choices; I'm not voting with my dollar. I'm just buying what I can afford.
> I would make this tradeoff, but I wouldn't be so sure others would, in the large. There are some things that only plastics can do[...]
Nobody wants plastic in their nuts. Plastic cannot be eliminated world wide, but maybe we could stop letting producers get away with not dealing with the trash they produce.
Imagine living in a system where you're allowed to innovate and create products and not deal with the consequences. It's almost as if the system is designed by those producers. Should they be allowed to create trash and not deal with it?
Sure, that's more like bourgeois logic, the voluntarist cop-out that is capitalism.
Remember: I buy what I can afford, they make what they can profit off of.
> The economies of scale and capital costs are not a result of any specific economic system, they are often the result of the realities of production and logistics. These tradeoffs exist even within communist command economies.
You are describing why capitalism is inherently flawed and leads to more and more and more exploitation.
And just to add, command economies is the same as a planned economy. Which we have the tech to build right now. No exploitation needed, because no private profits are allowed. We literally have the tech to create an unexploitable system of production right now.
> The only difference is that in capitalism, it is voluntaristic enough that you have the ability to choose what you do with your own wealth and time. You can affect change gradually, on a small scale.
You literally dont. I literally have to create wealth for someone else in order to eat. That is the opposite of "choose what you do with your own wealth and time". And sure I could find another job, or another. But there are hard limits to choosing a job, as well as hard limits to being your own boss. We can't all be capitalists or indefinitely choose jobs. The billions of us can't be capitalists and we'd all die before we find a job with the perfect trade-offs.
The only way to reconcile this contradiction is to be a classist who truly believes that some people are just doomed to be exploited because of their inherent qualities or lack.
Voluntarism is a cop out from inherent capitalist exploitation.
> Then buy a fairphone or something. You have some options.
A person who believes that wanting a good, cheap phone requires child soldiers, child labor and abject poverty should really re-think what they are doing and promoting in the world. Just because it's far away and detached doesn't mean it isn't real. And remember, we're truly all connected.
I don't judge you for thinking this way tho. This is what the capitalists promote. They literally control the airwaves, and while there is no "soviet" style censorship there is still the actual censorship of monopoly platforms deciding what gets amplified and what doesn't.
I guess you shouldn't find yourself against Western and/or Israeli interests then. It's time you learned to love Big Brother.
