Posted by marbartolome 2 days ago
I don’t like that governments are forcing companies to open their environments up to random code, I wish they instead put legislation in place about transparent vetting processes, and allowing different kinds of apps.
In general I think software engineers get away with things no real engineering job gets away with, and it baffles me.
> Apple sold the walled garden as a feature. It wasn’t ashamed or hiding the fact—it was proud of it... The iPhone’s locked-down nature wasn’t a restriction; it was a selling point.
Please, write as a human, I promise you it's good enough. I'd much rather read something that's a bit clunky but human written than something that's very polished but leaves me wondering what the author actually was trying to say.
Respect your reader, but most importantly, respect yourself as a writer too.
I don't really think an LLM wrote this, because the use of punctuation is actually a bit clumsy. However, I have no problem parsing the author's intended meaning.
> The iPhone’s locked-down nature wasn’t a restriction; it was a selling point.
Was it really? I thought it was more about having 1 device that did it all when it launched, and app stores were a rather late addition if anything that still was more pro app store than pro lockdown.
To be clear, I think most of the text in that article was human written. I have absolutely no issues with em dashes or other humane figures of speech that LLMs have unsurprisingly picked up on.
But it was a few paragraphs here and there (like the example I gave) that felt odd and just out of place.
As much as I want to agree with this author (and do, to an extent) they are also providing the exact and honestly-pretty-good reasons for why this is happening: computers have breached containment, and they did it a long time ago. Computers are not just for us weird nerds anymore and they haven't been for some time; they're tools for a larger, more complicated, more diverse userbase, many of whom are simply not interested in learning how to computer. They just want shit to work, reliably. Random software on the Internet is not a path to reliability if you also don't know how your thing actually works.
I mourn this too but let's not pretend it's simply what happened because corporations are evil (though they are for sure that).
I do understand the broader point. I know a few elderly people in particular who are walking targets for cybercrime. But I wish we had more differentiation. Locked down, easy to use phones for those who want or need that, and more open phones that act similar to laptops for those who know what they're doing (or, in any case, are willing and able to bear the risk).
When the software on these locked down devices breaks down, and it does, everyone is helpless.
When a zero day is found, again everyone is helpless.
If we cannot understand how something works on all layers, stability and security are only promises.
This is a recurring pattern: people make bad choices, mostly out of ignorance, but no one blames the public because we always assume that in a democracy the customer and the voter are always right.
Behind every corrupt politician or every greedy corporation there are thousands or millions of negligent and ignorant voters and customers.
So it sucks ass that a greater and greater share of what we consider computing has to occur in platforms that are utterly locked down to the core, but again, at the same time, putting my "regular user" hat on here: I don't want my phone to run anything from an untrustworthy source. My computer? Shit yeah, I'll try just about anything with a healthy skepticism as required, but not my phone. Losing a computer is irritating. Losing a phone is a fucking MESS.
Then I have a Raspberry Pi and a Steam Deck which I use for messing around with and running whatever weird software.
There are plenty of "honestly-pretty-good reasons" we plebs shouldn't have access to general purpose computers, and we're only a few decades away from them reclassified into the equivalent of fully automatic rifles.
If this was genuinely about security and UX then they would continue to provide viable "escape hatches", but it isn't and so they don't. That's what's being criticized.
I would characterize it more as Google is responding to the needs of the vast majority of its users, most of whom do not care to run unsigned software, certainly don’t write it, and have no need of escape hatches. Escape hatches are great, but each also represents a security weakness waiting to be exploited.
And not to leave it merely implied: they are also responding to large development organizations who want locked down platforms in which they can distribute, and more importantly crack down on those who would pirate, their software.
Having money and using it without supervision is a safety risk. You can unknowingly buy food that isn't good for your health. And good food is what you actually need. So transfer your money to me and I will benevolently manage your diet for you. No other motives but your safety and wellbeing, I swear.
By the way, can you really trust the supermarkets? They sell alcohol and alcohol is bad for you.
> more importantly crack down on those who would pirate, their software.
If you represent the interests of corporations then try leading with that next time.
> Escape hatches are great, but each also represents a security weakness waiting to be exploited.
Besides being a broad statement that lacks citations and no doubt relies on contrived examples where this was implemented poorly, it's also clearly a violation of the EU Digital Markets Act.
I don't. I'm just saying Google and whichever boogeyman you'd care to slot into position 2 share the same interests. Far more than you or me and Google anyway.
> Besides being a broad statement that lacks citations and no doubt relies on contrived examples where this was implemented poorly
To a layman user, any software that is running without code signing has a much much much higher chance of being something that has gone wrong rather than Joe Public found a cool image editing app that doesn't want to be distributed via the Play Store. Are there exceptions? Sure, I'm certainly a big one. Does that mean I don't understand Google's position here? No.
> it's also clearly a violation of the EU Digital Markets Act.
If true, they'll end up in court, same as Apple did.
Don't give me these "political" answers. That's just another broadly-agreeable statement that's completely unrelated to the one I asked you to substantiate:
> Escape hatches are great, but each also represents a security weakness waiting to be exploited.
There are 3 problems here:
0. If Google genuinely cared about Android security to this degree, they wouldn't be giving threat actors 4 months to run wild with 0-days before publishing them:
https://news.ycombinator.com/item?id=45158523
https://xcancel.com/GrapheneOS/status/1964754118653952027
1. Crossing the escape hatch != security breach
Mobile security relies on sandboxing, not on Google's approvals. Even the most malicious app approved by Google shouldn't be able to steal information, access information from other apps without authorization, or execute actions on the user's behalf.
Whenever this core principle is broken due to inevitable security vulnerabilities, it should be treated as such and promptly patched. Instead these shortcomings are used as convenient excuses to advance these political goals.
2. An escape hatch can be anything:
- "allow installation from unknown sources" like we've always had
- secret settings menu + PIN/password + require a switch to be flipped in the recovery menu during boot + require an ADB command to be executed + warnings at every step.
- ADB commands + switch in recovery menu + time delay + require a full device reset with all data being lost
First one is somewhat vulnerable to social engineering though I've personally never encountered a device where someone was tricked into doing this, so it must be more resistant than downloading malware on Windows.
Second is close to impervious to social engineering. Grandma isn't going to be accessing the recovery menu or running ADB commands any time soon.
Third one, while far too restrictive in my opinion, would still be better than nothing, it would be impenetrable to social engineering, and safeguard any existing data on the device even in case of a serious concurrent vulnerability in the Android sandbox.
Are all of these completely unacceptable?
On the balance of probabilities, "Joe Public" isn't being tricked into doing anything, he is trying to install ReVanced to get ad-free YouTube.
I am allowed to own multiple computers. Many do. I've got a Linux handheld, a Windows desktop, an iPhone and a MacBook. All with varying degrees of freedom and function. I don't feel like I'm constrained right now.
HDCP is an example of the other thing in my mind. It adds zero value to anyone's experience. Any potential value add is hypothetical. You can't survey a person after they watch an unprotected film and receive a meaningful signal. It's pure downside for the customer. There's no such thing as competitive Netflix lobbies.
If I want to run arbitrary code, I'll do it on my Windows box or fire up a Linux VM in the cloud somewhere. I don't need weird problems on my phone. If you are trying to touch all platforms at once, try using the goddamn web. I've been able to avoid Apple enterprise distribution hell with a little bit of SPA magic and InTune configuration for business customers. For B2C I just don't see it anymore. You need to follow the rules if you want to be in the curated environments.
How far away are we from hooking up a vision model to the display output of let’s say, Battlefield 6 and hooking in mouse+kb input from said vision model + an aimbot that perfectly replicates a top performing player's mouse movements?
I’d say not very far away.
Much like how in online chess, no technical solution can attest that a move is really from a human brain and not a chess program running on his phone.