Threads for amatecha

    1. 1

      I almost agree! I’ve opted for the X230 instead (typing this comment from one), though I have an X220 as well, which I do agree has a better keyboard! Such awesome computers. Perfect for OpenBSD, too :) I’m using i3wm, similarly resource-efficient.

      What I’m wondering is, where does one get a new 9-cell X220/X230 battery (in Canada especially)? I don’t know how to filter between horrible/questionable knockoff things and can’t tell what’s legit. My X230’s batteries are all like 1-2 hour life at absolute best, unfortunately, which means I never use any of them unplugged.

    2. 17

      Attestation means you can only use approved clients, which is terrible for competition and innovation (sorry, it’s now impossible to make a new browser or OS!)

      Sounds really bad. This will make it hard to run non-mainstream platforms.

      I guess regulators might step in and demand alternative modes of attestation, like they have done in case of iOS and the single-store monopoly. However, they are exceedingly slow at doing so. For instance, now it is impossible to do online banking in some places if you don’t run iOS or Android. Something as innocent as AOSP is not supported, even if you run the same banking app, due to the lack of SafetyNet attestation.

      1. 16

        It’s also not clear to me that policymakers have any particular reason to care about non-commercial platforms or software modification as civil liberties issues. So we might not get the regulation we want…

        Honestly not a bad time to start thinking about what the rules OUGHT to be in an ideal world. Even if we can’t get there anytime soon, knowing where we want to go has to help somehow.

        1. 21

          The EU has a good reason to care. All of the big OS vendors are based in the US. If things require an attestation that only a US company can provide then this makes it impossible for any EU startup to ever grow to being a big company in this space.

          This is especially true when you consider that things like YouTube and Android are owned by the same US entity. If Google decides to require attestation to watch YouTube videos (so that they know that you aren’t using a client that skips ads, for example) then there is a fairly clear argument under existing monopoly law that they’re using their effective monopoly in one market to ensure that there can be no competition entering another market where they’re a significant player.

          I think we need to learn a lot from the problems with DRM here. We pushed back on the technologies, rather than the uses. We didn’t block the technology in standards bodies (in part because there are some non-evil uses, such as access control within an organisation) and we didn’t get regulations on acceptable use. I’d love to see using DRM that prevents users from exercising fair use rights treated as vigilantism and grounds for having copyright on the work in question revoked. Similarly, anyone using this kind of attestation to lock in clients to a particular platform should be subject to serious antitrust investigation.

          1. 4

            The political leaders of the EU have a good reason to care that European keys find their ways into the TPMs of digital devices. They have no reason whatsoever to care about civil liberties of Europeans, or that people can run their own libre software on their devices. Quite the contrary - free computing is a threat to governing bodies, especially those that like to grow in size and power. The TPM menace will only grow worse as time goes on.

          2. 2

            Yes, absolutely. Good thoughts.

        2. 1

          My immediate vision is of a future where I end up having to literally drive to the bank to pay my bills because, eventually, I will no longer run a rights-infringing OS that happens to be the only one supported by online banking. It doesn’t even seem farfetched. I already am excluded from lots of software, games, and online services that require an OS I refuse to utilize, and the rate of that exclusion definitely seems to be accelerating quickly.

          1. 1

            Yes, agreed. Quite distressing, but that’s the path we’re on and the route I’ll take as well.

    3. 13

      I’ve been using this exact analogy the last month explaining to people the issues with Web Environment Integrity.

      I remember why devices were considered yours when you bought them & you were expected to tinker & administer them. Now everything has become an appliance.

      I was looking at a new phone as mine is starting to show serious signs of wear. I almost pulled the trigger on a Zenfone 9 after the 10 launch looking to slap on OmniROM + microG to find out back in May ASUS yanked the unlock tool & the servers required to get the unlock keys. ASUS says they’ll be up again after “maintenance” in Q3, but it’s almost Q4… and I have little reason to believe they ever will return. (I guess Sony is the only one left with OLED, 3.5 mm headphone jack, with a vaguely compact offering)

      I switched banks a couple years ago after my banking app started detecting root even with Magisk Hide. I cited that they don’t tell me how to use my laptop so why can they with my general compute phone. Last month the new bank finally caught up. Either it’s the custom ROM or the root, but updating to the latest hide root option, I had no such luck. The web experience can work but it’s awful & not optimized (including checks for Netscape Navigator 4, disabled pasting, etc.). I wouldn’t be surprised if they yanked the website soonish which makes me wonder if I should go ahead with my plan to build a UserScript to alleviate some of the pain. Even then I’m reliant on SMS as the only 2FA & changing numbers (normal for prepaid) involves paperwork & a week of waiting. I asked them how I would do transfers abroad if roaming without SMS & the staff bit their tongue in the middle of saying do a transfer thru the (mobile) app.

      The online stores are ruining it too. I picked up some Nike gear on sale. Due to the shoddy 3rd-party code in the checkout that didn’t handle users blocking fingerprinting + ad/tracking blocking I couldn’t get thru. I brought it up with their customer service that said I should disable my anti-virus, make the purchase, then re-enable …Funny, since I don’t download random BS & am on Linux, I don’t use an anti-virus, but why do I always need to use a less secure setup for payment? If you want to know it’s me, I already authenticated & you could add TOTP or FIDO2 2FA if you wanted to make sure instead of reading all my sensors & canvas. I ended up having a friend who doesn’t care about his privacy buy it on my behalf for a Hong Kong pie. At least it scrambles in false data for his personal footprint.

      Things are only going to get increasingly worse. The complaints I have all came from just last month.

      1. 4

        I switched banks a couple years ago after my banking app started detecting root even with Magisk Hide. I cited that they don’t tell me how to use my laptop so why can they with my general compute phone

        They’re not telling you how to use your devices. They’re telling you the terms on which they’ll allow you to access their systems, which they own as surely and completely as you own yours, and over which they have rights just as strong as your rights over your devices.

        You do not have an inherent right to access their systems, after all. And you don’t, strictly speaking require that access to use a bank. You can manage your banking in person at a branch, over the phone with their customer service, etc.

        1. 9

          A similar argument can be made with how workers are supposed to work in a factory:

          • Communist workers: we work here, we ought to dictate how we work!
          • Capitalist owner: you work in my factory, I ought to dictate how you work!

          Sure, corporations would like to secure their connections, and minimise their own costs. But there is a point where that desire to do so actively infringes on the users, especially if the service they provide has no easily accessible alternative, or the switching costs are non-trivial. At some point they are actively extorting compliance.

          And you don’t, strictly speaking require that access to use a bank.

          I don’t, strictly speaking require to buy things online. Realistically though…

        2. 4

          What this misses is that access to digital financial services is pretty much a prerequisite for existing in western societies. You can make an argument in the positive, sure: that you don’t have some god-given right to access their services. But in the negative space, when every equivalent service has similar such restrictions and use of those services is on the critical path to your continued well-being, it’s difficult to interpret that as anything other than authoritarian. It’s not conceptually different to the use of the term ‘wage-slavery’, used to describe situations in which there’s a superficial veneer of choice but, in practice, all reasonable employment options are monopolised by exploitative employers.

          1. 2

            What this misses is that access to digital financial services is pretty much a prerequisite for existing in western societies.

            This is true. But demanding that the existing financial world accept customers using rooted phones will move the needle towards more equitable access to financial services not a whit.

            1. 1

              Yes. I think you might have gotten the wrong end of the stick about what I’m arguing for.

              1. 1

                Maybe. I’ll just state that if the price for everyone having equitable access to financial services is that the devices used for access are “locked down”, that’s a price I’m personally ok with paying.

                1. 3

                  Equitable access to financial services using any device presupposes that everyone can afford the devices, and one of the ways the devices could be (more) affordable is by letting their owners maintain them after they’re abandoned by their manufacturers. User freedom extends the life (and, frequently, capability) of hardware.

                  In general, I think ceding control of our window into most of modern society would be a mistake, no matter what. But even if you don’t, it must surely be a bit concerning that we’re ceding that control to profit-making companies which have repeatedly demonstrated their willingness to exploit that position for money.

                2. 2

                  In many ways I wish they gave out something akin to those Trezor / Ledger cryptocurrency hardware wallets (not an endorsement)–a dedicated, purpose-built device with all the 2FA protections & account info on a portable, ‘dumb’ piece of hardware as opposed to co-opting mobile phones which have other, general-compute needs. If it was something I could slap on a keyring and could, I dunno, do NFC transfers between two accounts & only used a host device for network access (without tracking/analytic nonsense), then I could be into it.

                3. 1

                  I don’t see any reason to imagine that those two things are mutually exclusive.

          2. 1

            Someone needing to use the bank’s website on their phone instead of the bank’s app on their phone is not “a superficial veneer of choice”, in my opinion. They continue to have meaningful access to the bank, at which point the rest of your argument falls apart (since it’s predicated on the lack of such access).

            Also, as noted elsewhere, I am willing to accept that as the tradeoff of vastly increased security for the average user. Even if a worldwide law were passed requiring that every single device everywhere be a 100% Free software/hardware StallmanPhone™, the number of people who would actually make use of all that glorious freedom would likely round to zero, relative to the total population. And what we’re talking about here is not denying them participation in society; they still can bank on their phones, just not via the app. I am willing to accept those sorts of occasional speed bumps as the cost of vastly improved conditions for everyone else. You presumably are not, but I don’t see how any argument that claims to be on the side of the masses can choose not to make this sort of tradeoff.

            (you will recall that I argued we should break up Google as a solution to “web attestation”, since a broken-up Google would not be able to enforce its will the way the current Google does)

        3. 2

          I mean sure technically speaking about usage terms being whatever they decide to write—they could write you can’t use the service without a banana on your head if they wanted. But why are the rules so strict (crossing the line as many folks see it) & different versus the web browser experience? In this case, at least until Google forces WEI, the regulations on my machine are… that I have a browser that supports TLS? (They don’t even support TOTP/FIDO2) With the website, there’s nothing against root/admin, modifying hosts, ad blocking, etc. so why the shift when it comes to the general-compute of a smart phone? These are two very different standards. One could say they would have done it all along if they had the ability, but we’ve had 2 decades of online banking being just fine.

          Also why isn’t the “risk” of root my burden? I have done few modifications with root: modifying hosts, setting up a firewall, and eliminating the faux shutter sound of the camera—with ⅔ making my device safer. The workaround is the web, but I am afraid websites will start disappearing saying they only support mobile applications “for my safety”. I do go to branches frequently, almost exclusively use cash for real world purchases, use the physical ATM/debit card over digital scans, but more shopping even here has moved online which requires dealing with the digital banking situation.

          1. 3

            But why are the rules so strict

            There probably is a mundane reason for it that has to do with some compliance checklist somewhere.

            But the real answer is to ask why you think you have a right to press on that question. You’d probably be very offended if someone else kept pressing you and pressing you about why you set up and manage your devices and systems the way you do. It’s none of anyone else’s business, after all, because they’re yours and you own them and that gives you the freedom to manage them how you like without needing to account for your preferences to anyone else. And exactly the same thing is true of the bank and its systems. If the bank only wants to allow access from apps whose integrity can be attested, then that’s the bank’s choice and they don’t need to account for that choice to you.

            Or, more succinctly: it is not possible to have a just and coherent philosophy where you get to tell people “my systems, my rules” but others do not.

            1. 7

              But the real answer is to ask why you think you have a right to press on that question. You’d probably be very offended if someone else kept pressing you and pressing you about why you set up and manage your devices and systems the way you do.

              That’s the thing. They do keep pressing and have been doing so for decades, and yeah, I’m offended. Your argument is utterly specious and without merit, because it is founded on a false equivalency. There is a huge imbalance of power between people and large corporations or organizations of any kind. Requiring approved devices is how monopolies gain strength. Doing things like rooting devices is how people can take back power from monopolies. Would you find it acceptable for your bank to require that you visit a branch with an approved vehicle or method of transportation? “Sorry. You didn’t arrive in a Tesla newer than 2020, so no service for you.” “Oh, you came on foot? You must be a threat. No service.” Sorry but I’m not buying it.

              1. 2

                As I recall, you and I have gone round and round on this exact issue in the past with no useful result. But I’ll try again.

                I think the flaw in your worldview is that it’s based on binary thinking rather than on tradeoffs, and tradeoffs are really what’s happening.

                To take an example, if I were to walk into my local bank branch one day and ask to wire or withdraw in cash a significant amount of money, they probably would not immediately comply, and would first ask me a series of questions about why I want to do that. Not because they’re evil and hate my freedom, and not because the government hates my freedom and wants surveillance of my transactions (anything large enough gets auto-reported to them anyway). But because, unfortunately, there are tons of scammers out there and tons of scam victims who get conned into making big withdrawals or transfers to the scammer, and bank staff are trained to watch for things that match the pattern and ask questions before the money goes anywhere.

                Similarly, staff at many stores are now trained to question large quantities or denominations of gift cards, because a lot of scams use them as a form of currency.

                Does this make life marginally harder for me, a bona fide citizen going about my lawful business? Sure. But is it a worthwhile tradeoff? Probably it is; those minor obstacles actually are pretty effective at stopping situations where people lose what they can’t afford to lose, and dealing with them cost me no more than a moment or two of my time.

                The same is broadly true, in my opinion, of modern computing security. Is it harder for someone who wants to run custom and customized everything to do so? Sure. But it hasn’t been made harder out of some evil motive to destroy freedom; it’s been made harder because it’s a tradeoff. In return for some legitimate uses being more difficult, a lot of attack vectors can be significantly mitigated or even eliminated.

                Does this mean that if you root your phone you might need to access the bank via a web browser instead of their app, since it no longer trusts the environment it finds itself running in? Yes. Does this mean you might need to check some boxes in a deeply-concealed preferences panel, or click through some warnings when running random code you downloaded off the internet on your laptop? Yes.

                But it’s a minor inconvenience and, despite dubious popular quotations, it doesn’t actually “give up” any “essential liberty” and does in fact achieve better security overall. It’s the same reason that Facebook started logging a huge scary warning when you open the browser console, telling you that whatever someone told you to paste in there was going to hack you – is it annoyingly paternalistic to someone who’s sufficiently technically competent? Absolutely. But it’s probably saved a lot of people a lot of pain, and that’s a tradeoff I am willing to make.

                1. 3

                  Does this mean that if you root your phone you might need to access the bank via a web browser instead of their app, since it no longer trusts the environment it finds itself running in? Yes. Does this mean you might need to check some boxes in a deeply-concealed preferences panel, or click through some warnings when running random code you downloaded off the internet on your laptop? Yes.

                  If it was just that I could live with it. But if rooting my phone means I can no longer access my bank at all, then it and I have a serious problem.

                  1. 1

                    If it was just that I could live with it. But if rooting my phone means I can no longer access my bank at all, then it and I have a serious problem.

                    I’ve not seen anyone complain about being unable to bank at all – just that if they root their phone certain apps stop working.

                    1. 2

                      I’m pretty sure I could still “bank” even without a cell phone at all, but I would still be seriously pissed off if I could no longer buy things online. I would switch banks over this.

                      1. 2

                        Nobody’s suggested you aren’t able to buy things online.

                        I think you should probably stick to engaging with what’s actually been said and claimed.

                        1. 2

                          OK, story time: my bank pretty much required me to install a proprietary app on my phone so I can buy things online. I am not aware of any alternative, not even SMS 2FA. I haven’t tested what happens if I root my phone, or (gasp!) switch to a flip phone.

                          What I’m telling you is, my bank suggested I might not be able to buy things online without an Android or iOS phone.

                          1. 1

                            I have questions about how that situation was reached. Is it actually a blanket policy of the bank that all customers are required to install the bank’s app and that no method of payment is available other than that app?

                            Or does the bank offer other options – such as a debit card that could be entered into an online form, or the ability to link an account number or debit card to a popular payments system like Paypal or Apple Pay (or whatever Google’s payment system is called nowadays) – but those options had already been rejected by you and the app was offered as a last resort?

                            1. 2

                              The method I use (IIRC it was the only one that was presented to me), is to enter my credit card info into some web form (no need for an app for that), and then I receive a 2FA push notification on my banking app, on which I have to enter a 6-digit PIN code of my choosing to validate.

                              The notification also appears when I simply try to log in to the banking website. I could use the banking app if I knew my banking password, but I don’t: it’s 20 random characters stored in my local password database, and I’m not simplifying it for such a minor convenience.

                              I also have an array of PIN codes written on a small card that I can use as recovery codes, but as far as I know they can’t be used for online payments. Perhaps I could contact my bank and cry about having broken my phone or something, but no guarantee.

                              For some reason my payments on Steam don’t trigger the 2FA.


                              Linking my credit card to a FAANG is unholy enough that it didn’t even cross my mind. But I don’t recall this option having ever been presented to me. I’m not sure this is even possible since my bank is French.

                              1. 2

                                Here in Thailand most online purchases require scanning a QR code with some garbled code for the app (no 2FA beyond logging into the app required). When you can use a form online, you will always be redirected to an iframe asking for SMS 2FA (no TOTP, no FIDO2, no proprietary app option), but this already assumes you have a SIM & aren’t roaming. On their investment accounts you can opt into some form of proprietary TOTP that is tied to their app, which also won’t run, but that luckily hasn’t been rolled to the general banking (but I could see a future where that is enforced, rather than allowing general TOTP that doesn’t require anything specific). WEI can enforce the same anti-consumer policies onto the web (& banks can/will use this before Google is “broken up” & even if they were Google could still shill for this pro-DRM garbage corpos love, so bad argument).

                                1. 1

                                  WEI can enforce the same anti-consumer policies onto the web

                                  Fuck. Fuck fuck fuck.

                                  We want reliable 2FA that is sufficiently resilient to most hacks. SMS is vulnerable to SIM swapping, and requires a phone. Not good. TOTP doesn’t require a phone (or even a separate device), but it’s still not phishing resistant. Besides, online payments involve giving your credit card number to some third party, so FIDO2 can’t work there…

                                  Wait a minute, something could work, if not now, at least in the near future:

                                  1. Customer gives away their credit card number.
                                  2. Vendor does what it does to require payment.
                                  3. Customer logs in to their banking website (FIDO2).
                                  4. Banking website shows pending payment requests.
                                  5. Customer confirms the payment.

                                  Or better yet, have the bank issue a temporary credit card number, good for one payment of a specified sum (or at least up to some limit).

                                  1. 2

                                    As someone who has had a phone break in a foreign country with sky-high import fees, I know it. I went to buy a phone online to be shipped to my home upon the return in 5 or so days. I couldn’t do QR scanning for checkout because I didn’t have a phone. I couldn’t do credit/debit cards because SMS 2FA iframe required I was a) in the country & b) had a phone to receive SMS. The fact most phones are brittle & carried everywhere seems absurd they want proprietary apps or these new “private access tokens” that live on a phone and/or in someone else’s cloud.

                                    Banks would likely save money & security headache by giving out FIDO2 keys with every account, but they don’t think about it that way.

                                    …But ideally we’d pick a system that removed the credit card middlemen altogether skimming money for dubious value when direct bank transfers absolutely could be implemented (popular here, & credit cards usually aren’t accepted).

                                  2. 1

                                    This is roughly how my bank (HSBC UK) confirms payments, except the website is displayed by an app which authenticates me with FaceID.

                                    1. 1

                                      Yeah, facial scanning is something I refuse to use. I don’t trust whoever is holding onto the info or how it could be used on me while asleep or unconscious. Do they demand it?

                              2. 1

                                This sounds less like a problem with the way the app was coded, and more a problem with the bank itself. There are banks which don’t operate that way.

                                (also, PayPal and Apple Pay, from a quick web search, appear to be both legal to use, and available to use, in France and in Europe generally)

                2. 1

                  Thanks for writing the comment I had in my drafts.

            2. 4

              I think consumers should have the upper hand over banks & corporations in such push-pull scenarios. Attesting the integrity of your app & its updates but not my whole system—games have done this for a while but not prevented you from modifying your PC. I don’t think it’s an unreasonable ask—and should be in line with right to repair where the corporations said you can’t touch the hardware or your warranty is void, etc. Are users wanting right to repair inconsistent in their logic? Consumers could pick another device, except that it got to the point where reasonably they couldn’t. I could argue host blocking and firewalls repair the software side of my system. In that vein, I did switch banks since the previous started checking for custom ROMs/root, but I looked around & I don’t think any of the options are available anymore. We lost power.

              1. 2

                Are users wanting right to repair inconsistent in their logic?

                No, because they’re (usually) not asking for right to someone else’s systems. You are asking for access to the bank’s systems, and the bank is laying out the terms on which that access will be granted. And trying to measure the relative “power” of the parties is not a useful approach and likely would not produce the outcomes you want. For example, should you lose the right to root your phone once you’re above a certain level of net worth? Above a certain level of social influence? Should others be able to just yoink your devices out of your pocket and claim them if the wealth or power disparity between you and them is large enough? These are questions that your approach has to consider and have answers for, and I don’t think you’re going to like where they end up.

                1. 2

                  Blocking users based on income (which was never suggested) is the same anti-consumer sentiment as blocking a user from being the admin or super user of their device–the same way we’d call out companies making it harder to replace car/motorcycle/tractor parts, or voiding warranty for replacing them ourselves, or locking down the computers in those systems because of “safety”. This isn’t about access to their server’s hardware but access to the APIs (usually simple HTTP) with that system regardless of the OS setup on the client side. They can set some terms about the clients/authentication, but the entire device on the other end? Nah. Hardware was easier for laggard politicians to fight for, but it’s going to be more difficult getting them on board for the freedom of the software too as they largely go unaware of something they don’t buy off a shelf or understand that can modify the OS. Arguing that banks get to be the only ones setting terms for your device (which with Google’s WEI they could close all internet access) is the sort of pro-corporate take I’m not interested in entertaining.

                  The messaging of the article/infographic is about “boiling the frog”, and how slowly we’ve had more & more of our ability to do what we want with the thing we own taken away by the corporations who, without regulation, we never get to prevent from eroding our technology. This balance isn’t fair, and each individual chip away has been maybe-sorta good, but cumulatively have been detrimental.

                  1. 1

                    Blocking users based on income (which was never suggested)

                    You seem to think some people deserve the “upper hand” over others, based on relative economic power. I’m not sure how else to characterize that than making one’s technology-related rights inversely correlate to one’s wealth.

                    This isn’t about access to their server’s hardware but access to the APIs (usually simple HTTP) with that system regardless of the OS setup on the client side.

                    So is a DDoS OK because it doesn’t actually damage the other party’s server hardware? One can easily do harm via simple network connection without the need for physical contact to the hardware on the other end. And people who run networked services have both a right to defend against such attacks, and a right to set out the terms on which they will allow networked access to their services.

                    Arguing that banks get to be the only ones setting terms for your device (which with Google’s WEI they could close all internet access) is the sort of pro-corporate take I’m not interested in entertaining.

                    This is the opposite of the argument I’m making. I’m arguing that the bank has rights to their own hardware, systems, etc. which are equal in force and scope to your rights to your hardware, systems, etc. You don’t seem to like that very much, though, and seem to be arguing, as noted above, that one’s rights to one’s devices (etc.) should be reduced in proportion to one’s economic standing. That’s the only way to get to a stance where you get to enforce policies about your devices but the bank is not able to enforce policies about theirs. And it leads to the sorts of hypotheticals I already raised, where your rights might have to become null against someone of lower economic standing than yourself. I don’t think that’s what you actually want, of course, but it is the logical consequence of what you’re arguing.

                    1. 1

                      I don’t know how you jump from all devices getting to run what the owner decides implies anything about income. One of the best ways to keep old devices running because you can’t afford (or just don’t want to) upgrade is moving to LineageOS or similar or postmarketOS where you can at least keep software updates rolling—especially since the manufacturers don’t see a profit incentive to bother with updates for perfectly fine hardware. To think an individual has any amount of press against a bank/corporation & that there is anything equal in that fight & still trying to hammer it out as fair leads me to believe you are just playing devil’s advocate. Consumers/workers can & should unite against such restrictive policies either by legislation or otherwise—just like right to repair.

                      Feel free to respond further—but I won’t. I wasn’t going to but you keep pulling this notion out of your butt that I would be arguing in favor of folks with more economic power.

                      1. 1

                        You said, originally:

                        I think consumers should have the upper hand over banks & corporations in such push-pull scenarios.

                        From the context of that and other things you’ve posted, it seems you think there should be some sort of sliding scale of digital rights versus economic power, where people/entities with more economic power get fewer rights. This, at least, seems to be how you justify giving yourself more of a right to control your own systems and devices than you’re willing to grant to other entities, such as banks, to control their own systems and devices.

                        What I keep saying, over and over, is that this is a problematic approach, and leads to questions about whether someone with less economic power than you can override your choices and your rights to your devices/systems, the same way you seem to want to override the choices and rights of entities more economically powerful than yourself.

                        Reduced to its simplest form, suppose we have three people: Alice, Bob, and Carol.

                        Carol does not want to let Bob access her systems in a certain way. Bob argues “ah, but Carol is significantly more economically powerful than I am, therefore Carol’s rights to make such choices are reduced, and I shall be permitted to access those systems whether Carol wants me to or not. However, I will retain the right to control my own devices and systems.”

                        But then Alice comes along and says “Bob is significantly more economically powerful than I am, therefore Bob’s rights are reduced and I will make use of Bob’s systems whether he wants me to or not”.

                        My argument is you are Bob and you are getting upset when presented with the hypothetical of Alice.

                        1. 1

                          Corporations aren’t people. Alice Corp.™ & Carol Inc.™ are not the same as Bob.

                          1. 1

                            Please see some of the other comment chains where I’ve been pointing out how difficult (honestly, I’d say impossible) it is to actually cleanly separate businesses from individuals.

                            1. 1

                              Yes, you can separate them even in sole-proprietorships or taxing under your national ID & folks are pointing it out, but you are having an out-of-touch-Skinner moment where you think everyone else is wrong.

                              1. 1

                                The tax agency has no issues because the tax agency has the concept of taxpayers who fall into multiple categories.

                                The sliding scale of digital rights being posed here has issues for several reasons, but in the current iteration it has issues because it assumes every entity is at most exactly one of (“business”, “individual”).

            3. 3

              But the real answer is to ask why you think you have a right to press on that question. You’d probably be very offended if someone else kept pressing you and pressing you about why you set up and manage your devices and systems the way you do.

              This feels like you’re equating people and corporations. I wouldn’t. Human rights are vastly more important than corporations’ rights. In fact, I’d say corporation rights only matter as far as they can be derived from human rights. There’s also a difference in scale: suppliers have a wider reach than users. What they do has more consequences, so they warrant more scrutiny.

              it is not possible to have a just and coherent philosophy where you get to tell people “my systems, my rules” but others do not.

              If it was people on both sides, sure. But it’s not: it’s a user on one side, and a business on the other. We can apply different rules and still be coherent.

              1. 1

                If it was people on both sides, sure. But it’s not: it’s a user on one side, and a business on the other. We can apply different rules and still be coherent.

                According to the tax agency of the country I live in, I am both an individual and a business. And this is not a terribly unusual situation to be in.

                So I don’t think your proposed distinction is one that can be coherently drawn in the first place, let alone used productively to determine policy.

                1. 2

                  According to the tax agency of the country I live in, I am both an individual and a business.

                  Sure you are. I still submit that your individual rights and freedoms should be separate from your business rights and freedoms.

                  1. 2

                    Sure you are. I still submit that your individual rights and freedoms should be separate from your business rights and freedoms.

                    My “business” is residual royalties from a tech book I wrote years ago. How do you propose to separate that from me? Due to being a “business”, do I not have any rights over my own words?

                    1. 2

                      My opinion on copyright is simple: the thing is too damn expansive. The duration at the very least should be seriously limited. 20 years after publication date, tops. After that it belongs to the public domain (attribution should still be a thing though).

                      You do have rights over your own words. But if you published your book more than 20 years ago, I can live with denying you any monetary benefit from it.

                      1. 1

                        By “over my own words” I meant my website. Since it’s been infected by business-me on the occasions when I mentioned the book, and thus presumably individual-me’s rights were reduced automatically when that happened.

                        As I keep saying, your attempt to draw a clear line between businesses and individuals has problems.

                2. 2

                  According to the tax agency of the country I live in, I am both an individual and a business. And this is not a terribly unusual situation to be in.

                  And different rules apply to the individual you and the business you.

                  1. 2

                    As I mentioned in another comment, my “business” is royalties from a tech book I wrote.

                    How does that affect, say, my personal blog? I mentioned the book in a couple blog posts; does that cause the “business me” to infect the “individual me” and take away my rights to run my website the way I want?

                    I just don’t think there is a coherent way to draw the line people seem to want to draw here, or to do it in a way that won’t have all sorts of terrible consequences.

                    1. 1

                      There are heaps of laws around commercial speech that aren’t applicable to individuals. There are also heaps of laws around things like, hmm, accessibility or privacy (GDPR, DMA), that businesses have to follow that individuals don’t.

                      So … yes?

                      1. 2

                        That’s not really what’s being discussed here, though. Remember that the thing that kicked all this off was a complaint that a bank wasn’t supporting as broad a set of mobile devices with a native app as the user would have desired. The bank’s website almost certainly still works, though, and is likely to be compliant with applicable laws around accessibility, for example. Same for the bank’s physical branches, or its customer-service phone line, etc.

                        But the user wants to override the bank’s choices, and is asserting a right to do so on the basis that they, as an individual, are allowed to “own” their own devices and systems and exercise rights of ownership over them, but that the bank, as a business, somehow should not be allowed to own its own devices and systems or exercise rights of ownership over them.

                        I’m merely exploring the argument that, once you go down that road, it’s very hard as a supposed “individual” to actually enforce your “ownership” against others, because of how easy it is to wind up being labeled a “business”.

      2. 2

        Yes, I frequently cannot use websites because I have “strict” privacy setting enabled in Firefox, and have “resist fingerprinting” enabled. Also running OpenBSD. I am frequently completely blocked from sites (actual 403 forbidden) due to Cloudflare (wtf?), and even outside of that, so many sites just don’t function when their tracking/spyware scripts can’t load. Personal computing is on such a poor trajectory I feel more discouraged about it every day :\

      3. 2

        I don’t use an anti-virus, but why do I always need to use a less secure setup for payment?

        Because they’re the adversary. Of course they want you to use less secure options.

        1. 1

          This is a long thread, but you’re suggesting that in the relationship between you and a bank or payment processor, the latter is an adversary? Because this is not the business relationship I’m familiar with.

          1. 1

            Does your payment processor use pervasive tracking technology to monitor their consumer “customers” (even cart holders who never check out!) and then sell those data to their merchant customers?

            Edit: a little less snarkily, what I mean is: there are multiple ways that payment providers can and do monetise you. It’s not just that they take a clip of the transaction, or charge the merchants a fee - that’s the obvious bit and entirely above board. It’s the rest that’s usually not transparent, and the tracking of users for subsequent monetisation of the business intelligence establishes a more traditionally adversarial relationship between parties.

            1. 1

              Ah ok I was still on the access to banking part of the rant, apologies.

              1. 1

                This is why it’s important that rants are correctly factored ;)

      4. 2

        I switched banks a couple years ago after my banking app started detecting root even with Magisk Hide. I cited that they don’t tell me how to use my laptop so why can they with my general compute phone

        They’re not telling you how to use your devices. They’re telling you the terms on which they’ll allow you to access their society, which they own as surely and completely as you own your device, and over which they have rights just as strong as your rights over your devices.

        You do not have an inherent right to participate in society, after all. And you don’t, strictly speaking, require that participation in order to survive. You can just, like, live in the woods and eat berries, or something. Convenience has a cost, after all, and it’s your choice—as one half of an equitable, mutually beneficial partnership between you and your bank—whether to pay it.

        1. 2

          over which they have rights just as strong as your rights over your devices.

          I disagree. I think that DRM, anti circumvention laws, and the widespread adoption of proprietary firmwares has dramatically reduced the degree to which people have rights over their “own” devices.

          Though I still agree with your central tenet: that people can choose their providers, and vote with their wallets if they turn evil. I just changed ISPs for that reason, myself. Capitalism works :)

    4. 6

      What do you think about the framework laptop as a spiritual successor to these ThinkPads?

      1. 9

        The framework is designed to be very thin, which makes it much more difficult to repair than an X201. It’s really too bad they went this route instead of prioritizing user serviceable parts as the primary design principle.

        1. 8

          Thin is a feature for me; the laptop fits with my other laptops in my bag. I’ve not found the thinness to hamper my efforts any time I’ve opened the case (rare but I’ve e.g. upgraded the speakers to the higher quality ones).

          Design constraints are not bad things, and the thinness makes it so nobody bats an eye when I pull it out. It’s expected that modern laptops be light and easy to transport, it’s unusual that they also are able to be repaired (ship of theseus style perhaps) by the end user.

          1. 9

            who cares if someone bats an eye because your laptop is a few mm thicker than “normal”?

            1. 6

              It makes “repairability” about “you want me to give up my sleek devices” instead of “just choose the right devices and life gets better.” The values we hold dear will lose if we don’t do them well enough to promote them to people who are not convinced.

              1. 1

                if we sacrifice repairability in order to appeal to ultrabook enjoyers, that value has already lost.

            2. 6

              I switched away from the Mac ecosystem because I wanted something that I could upgrade over time (amongst many other reasons). I think reminding folks that computers should be user-serviceable and -upgradeable, without being ugly bricks only a dork would use, is cool.

              When people see my Framework (13) they see a thin, light laptop, with an unusual logo. The modular ports are always fun for demos, and most folks are at least somewhat interested in the Framework’s ability to be upgraded, which is in stark contrast to Apple’s philosophy. Yeah, I run Linux, yeah I miss some of the good third-party apps that are MacOS-only, but not having to buy a whole new laptop in two years is worth it. Great conversations.

              I also used to carry around older ThinkPads, too: absolute thicc black chonkers. The only conversations those things raised were folks giving me shit because I was lugging around a heavy, ancient-looking beast.

              1. 6

                I switched to Mac hardware for the opposite reason. I used to build my own desktops, but I kept running into things like needing to upgrade the motherboard to upgrade the CPU, needing new RAM to go with the new motherboard because it didn’t support the old kind, and then needing a new graphics card to actually get the benefits of the other bits. I have a NAS that is a box I assembled and in my last upgrade only the case and disks remain the same. That’s a reasonable trade for a NAS because the disks are its main reason to exist and so upgrading them separately from everything else is nice.

                The main reason that the new Apple laptops feel fast is that they have carefully scaled everything to avoid bottlenecks. If you upgrade any one part, you’re unlikely to get much more performance, you’ll just see bottlenecks elsewhere. I’d rather have a machine that lasts a long time (I’m probably going to replace my MacBook Pro soon, it’s 10 years old now) than one where I can keep upgrading bits but need to ship-of-Theseus it to actually see a significant benefit.

                1. 2

                  That makes sense, but there does exist a world where you don’t have to buy the top-of-the-line laptop and use it for a decade. While I may upgrade my Framework to an AMD chip (partially because I can and partially for the increased battery life), I can also not do that and just increase the RAM and SSD size as-needed. That may not be as finely tuned as an Apple machine but I’m not going for “fastest bus throughput” there, I’m going for “I don’t have to buy a new laptop to double my RAM.”

                  To each their own though, I was about that Apple life for a few decades and they treated me well!

                  1. 2

                    While I may upgrade my Framework to an AMD chip (partially because I can and partially for the increased battery life), I can also not do that and just increase the RAM and SSD size as-needed.

                    If you do, I’d be really curious to hear how well it works for you. It’s been almost 20 years since my daily work machine was one where I could upgrade components piecemeal. I suspect a lot has changed in that time, when the RAM technology that different CPUs supported was completely different. I upgraded the RAM in my PowerBook (largely because Apple charged insane markup on SO-DIMMs), but suffered from multiple motherboard replacements because the solder kept coming off on the DIMM slots but for newer machines (including the NAS) I’ve just bought the maximum that the motherboard supports, even when the RAM has been upgradable.

                    Replacing the CPU wasn’t a significant win for me in any machine since the end of the Socket 7 era (and even then often didn’t give the maximum speedup until I upgraded the motherboard and RAM as well).

                    I used to upgrade disks a lot and the jumps from 1 GiB to 20 GiB and 40 GiB were each accompanied by running out of disk space before I could afford the bigger disk, but my personal and work laptops (bought 7 years apart) both have 1 TiB SSDs and that hasn’t been a space constraint for me. With the growth of cloud storage for cool storage, I suspect that my local SSD will gradually become more a local cache than a truly local filesystem, which reduces the pressure further.

                    You can upgrade the SSD in Macs (I’ve replaced the battery in mine and that involved removing the SSD is vastly easier), but I’ve not felt the need to. The 1 TiB disk was expensive back then, but now it’s one of the cheaper options. I stopped running VMs locally a while ago, but I can imagine wanting a 2+ TiB disk if I had a bunch of VMs on my laptop.

              2. 1

                capitulating to thinness fetishism because losers gave you shit for your thinkpad is the opposite of cool; it reflects a lack of confidence. the “cool” approach would be to hold the course if you really believe sacrificing cooling and repairability is not objectively worth fitting 1/4” more of who-knows-what in your backpack. if your principles crumble in the face of marketing-induced irrationality expressed by random people, maybe you don’t actually believe in them.

                1. 3

                  I know I shouldn’t feed the trolls, but here I go anyway.

                  capitulating to thinness fetishism because losers gave you shit for your thinkpad is the opposite of cool; it reflects a lack of confidence.

                  Or alternatively, as was the point of my comment, understanding that different users have different wants and needs might be a reasonable thing to do; as well as understanding that locking repairability and longevity together with devices and laptops that most folks do not want to use only pushes folks away.

                  if your principles crumble in the face of marketing-induced irrationality expressed by random people, maybe you don’t actually believe in them.

                  If your principles require you to post inflammatory, ideological creed, you may want to reconsider your approach.

                  1. 2

                    I don’t think it’s cool to associate thick computers with being a dork, or to assume ordinary people would be unable to overcome thinness fetishism if they understood the objective tradeoffs.

                    Your perspective seems to partially adapt Apple’s mindset, giving up some repairability for the sake of attracting customers while offering no objective benefit. That’s not necessarily wrong–Apple is extremely successful after all–but it suggests a pessimistic view of human nature, and is certainly not cool. IMO compromising principles for the sake of adoption at least requires some empirical justification, e.g. some evidence that there are non-dorks who use the Framework laptop, which is far from obvious to me.

          2. 7

            Another feature is that they actually need to sell laptops, and in this day and age selling something as thick as an x200 is just not viable. I think it’s amazing what they’ve pulled off in a form factor that still looks like a ‘modern’ laptop.

            1. 4

              To be fair the MNT Reform project has remained afloat.

              1. 3

                Nobody floats the idea of the Reform being issued as a corporate laptop

                1. 4

                  The point is that it’s viable.

                2. 1

                  The only reason I wouldn’t use a Reform for work is the lack of a webcam.

                  1. 3

                    Oh, they just recently released a compatible webcam actually! https://shop.mntre.com/products/mnt-reform-camera :)

                    1. 1

                      That … doesn’t really count ;)

                      1. 2

                        What? Why not, because it’s a separate thing you have to carry around?

                        1. 2

                          Yeah exactly. I have a Logitech C925 on my home desk setup, because I like having an HD camera with FreeBSD and Linux support. But with my ThinkPads I know that when I’m away from my desk, I don’t have to cart it around with me and plug in every time I want to make a video call.

                          Honestly the lack of an integral webcam is the one design decision on the Reform that I don’t understand. It’s 2023 and much of the tech world is hybrid or remote; being able to make a video call from your device is table stakes.

                          1. 2

                            having an excuse not to enable video can be a killer feature for some :)

                            1. 1

                              Fair enough. I’m one of those people who prefers having my video on and being able to see others, but I’d never make it policy.

        2. 7

          I’m curious as to how you mean this. I’m a happy Framework daily user, but now that I think about it I’d take a slightly thicker model in exchange for an externally replaceable battery. Aside from that I can’t think of anything I’d categorize as a tradeoff between “serviceable” and “thin.”

          Although I do miss my Macbook’s amazing trackpad and software support for same.

          1. 4

            Aside from that I can’t think of anything I’d categorize as a tradeoff between “serviceable” and “thin.”

            I’ve built probably two or three hundred keyboards by hand. Any individual piece could break on that board and it would be at most a 20 minute repair; more like 5 minutes for the majority of the parts. Most of those 5 minutes would be waiting for the soldering iron to heat up.

            Last weekend I had to replace a key switch mechanism in a Thinkpad. Luckily it was an old Thinkpad from 2011, so it still had key caps which were easier to remove, but replacing the switch mechanism was difficult; I had a spare donor board in my closet, but I had destroyed three different switches in the process because the miniaturization process had made them so fragile and tiny. Something which would have been trivial on a larger device required tweezers and a magnifying glass.

            So I would say that the X201-era Thinkpads are already making significant sacrifices to repairability in favor of miniaturization. I’ve also replaced the fan on a couple of these models, and it’s already very difficult to get it reseated precisely within the tolerances which will allow the case to close back up the way it’s supposed to. I have never even attempted to repair a super-thin laptop, (I’ve been avoiding them for what I hope are obvious reasons) but it is no great leap to assume that miniaturizing it even further would reduce these tolerances even further. Plus you have trade-offs like the RAM or the battery being soldered in, because it’s just a simple fact of engineering that connectors which allow modularity take up a lot of space.

            1. 2

              Plus you have trade-offs like the RAM or the battery being soldered in, because it’s just a simple fact of engineering that connectors which allow modularity take up a lot of space.

              That’s something fantastic Framework addresses. Their batteries and RAM are modular, despite being so thin! See, being thin doesn’t require all of these trade-offs!

              But I wouldn’t want to try and repair a single key-switch on that keyboard, I agree.

            2. 2

              Hmm, so in the case of the Framework the individual key switches aren’t easily replaceable either (to my knowledge).

              I’ve also replaced the fan on a couple of these models, and it’s already very difficult to get it reseated precisely within the tolerances which will allow the case to close back up the way it’s supposed to. I have never even attempted to repair a super-thin laptop, (I’ve been avoiding them for what I hope are obvious reasons) but it is no great leap to assume that miniaturizing it even further would reduce these tolerances even further. Plus you have trade-offs like the RAM or the battery being soldered in, because it’s just a simple fact of engineering that connectors which allow modularity take up a lot of space.

              For what it’s worth these jobs are all straightforward on the Framework, despite it being thin. The fan module is four captive screws so you don’t lose them and the forum is full of people doing things like comparing different heatsink pastes for the sake of it (i.e. pulling the module on and off constantly). The RAM is as simple to replace as laptops from the 90s, and the battery is three screws (also captive).

              I’ve repaired a lot of laptops (including a classic ThinkPad and a couple of modern super-thin ones). I was expecting this Framework to be more repairable than the super-thin ones, but was still pleasantly surprised when it got here at how it was nicer to work on than my (high) expectations. Especially small things like how almost every screw is captive so you can’t lose it, but you can still remove a screw if it somehow gets damaged. They’ve really thought about repair aspects in the design.

          2. 2

            Huh, what do you find lacking about the Framework’s trackpad?

            I use a modern MBP for work and a Framework at home, and while other PC laptops’ trackpads have seemed noticeably deficient to me, I consider the Framework’s trackpad on par with the MBP’s. Am I missing something though?

            1. 3

              To be fair, I could just be experiencing Wayland’s (or KDE’s or Gnome’s or whatever’s) trackpad support being less than stellar, which I gotta say the MBP has traditionally been stellar++.

            2. 1

              Huh, what do you find lacking about the Framework’s trackpad?

              I find it really hard to go back to mechanical trackpads after using force touch ones. The ones that are hinged are really infuriating - I shouldn’t have to apply more force at the top than the bottom. I can’t tell what kind the Framework is using, however.

        3. 2

          Genuine question, which repairs are made more difficult by the Framework’s lack of thickness?

          I got a Gen12 Framework last month and I’m super impressed with its potential repairability, so far. Replacing the display hinges looks potentially fiddly as you have to work around the cables, but on a lot of thinkpads you have to take a bunch of other stuff out instead.

          (I’ve not owned an X201 but have owned an X61 and an X230. I loved them and I still have the X61, almost got convinced to do the X62 upgrade on it instead of buying a Framework. However glad I bought a Framework!)

      2. 3

        I’ve never played with a Framework so I don’t have direct experience. I agree with the other response that the Framework is a little too thin (not to mention expensive!)

    5. 2

      Agreed 100%, the BSDs are a serious breath of fresh air. Try one. For me personally I suggest OpenBSD but just try one.

    6. 3

      AFAICT, there are 2 motivations for running any of *BSD as a daily driver desktop.

      1. Education. You want to learn more about FreeBSD because you need to know about *BSD or how unix OSes other than linux work.
      2. You have older or unusual hardware that you want to use as your daily driver, in which case, of course it works with NetBSD.

      Outside of those, running these as your main computing interface to the rest of the world is just opening yourself up to a world of pain. You will be forever tinkering with esoteric command lines and text files to do things that just work on Windows, or Mac, or even Linux.

      “That’s fine,” I hear you say, “I love tinkering with my computer”, and I do, too, but the need to tinker to get something to work inevitably comes up when you’re in the middle of something important and need your daily driver, not when you have a free afternoon to tinker with cups because you need to print something important.

      1. 3

        I would also say that some people (like me for example) prefer their system (and hardware controlled by this system) to behave in a specified way. That way may be different from popular systems like Windows or macOS … or even from Linux.

        Some people do not like being ‘misleaded’ by systemd(1) or PulseAudio in the name of convenience.

        Some people prefer to know what is happening and being sure that other things will not happen no matter what … and they are willing to pay for that specific behavior in their time with steep learning curve on BSDs.

        I think this is the case for most BSD (or even Illumos) users preferring to learn more to have exactly (or closer to) what they believe suits their needs best.

        Regards.

        1. 1

          That has not been my experience with BSDs. Unless you’ve read over and understood every line of BSD source code, you will be surprised or misled occasionally by the way the system works. It happened to me with FreeBSD multiple times where the way the system ran did not match the documentation. What are simple operations under Linux or MacOS take hours of googling and experimentation.

          You may not like systemd, or pulseaudio, but they don’t mislead you. It’s just software. It may not work the way you like, but that’s not misleading you.

      2. 2

        I’ve used OpenBSD as a daily-driver desktop for about 2 years now. As vermaden says, it’s an OS that behaves exactly as described. I feel I can trust it more than other OSes, in so many ways. The hyper-focus on security and sanely-designed related features is a huge benefit as well. The computer isn’t doing a bunch of stuff I don’t want it to, and it allows extremely granular control over what it does. The maintenance and upkeep is extremely straightforward (shockingly so), and applying system upgrades is the easiest of any OS I’ve ever used in my life. The more I use it, the more I want to install it on all my other systems. Yeah, I’ve learned a bunch along the way, but that was just a side-effect of wanting an OS that doesn’t enrage me constantly – something that literally no other OS has provided me in years.

        Sidebar, my Pop!_OS install is broken again, I can’t update despite always using the built-in software management tools - at the moment it appears /boot is full because for some reason it doesn’t prune the ancient kernels my system no longer uses, and the default partition size is enough for like 2 kernels or something ridiculous like that. That’s not the only issue though, but I haven’t reviewed the logs yet. Last time it was because for some reason the apt repos were moved to a completely different domain because apparently if you wait too long to update, the packages you need are just… moved away? I had to switch my apt config to point to some other domain and then spend literally hours trying to update everything: fix the broken installs, try to update, fix the broken stuff, try to update.. rinse and repeat. I 100% don’t care why, this approach to upgrading is just ridiculous.

        1. 3

          it appears /boot is full

          Not enough info to diagnose, but the 1st time I reviewed PopOS it nuked my system. I was not impressed.

          https://www.theregister.com/2021/12/16/pop_os_2110_new_system76/

          If you use UEFI hardware, it uses the systemd bootup tool, which keeps your kernel and your initrd in the UEFI ESP. This means you need an extra-large ESP… but Gparted can’t resize ESPs because it can’t resize FAT32 drives under a certain minimum size, and typically ESPs are smaller than that. (TBH it makes little sense to use FAT32 under 0.5GB, but that’s UEFI for you: it makes little sense in general. Nor does systemd in a lot of ways.)

          So, general guidelines:

          • either run Pop on BIOS boot (then it uses GRUB);
          • or, make an extra-large ESP before you install;
          • ideally, don’t try to dual-boot Pop on UEFI;
          • for distro vendors, don’t use experimental bootup tools on PCs that already have >1 OS in place;
          • for the systemd-boot team, if you need a big ESP, fix the standard partitioning tool so it can make one for you;
          • Ubuntu (& spinoff) users: on the end of your normal cleanup commands, add:
          apt autoremove
          apt purge
          apt clean
          
    7. 5

      It’s less the app developers, and more the forced frameworks app developers have to work within. Without these walled gardens, this hardware obsolescence wouldn’t really exist, IMO.

      1. 2

        Yes, the technical (and sometimes legally-protected) inability to control what runs on your machine effectively guarantees some degree of forced obsolescence, as the “latest and greatest” replaces what worked just fine. Indeed, developers essentially have no choice: even the devices they own and develop on are subject to the same forces of basically being coerced into updating/“upgrading” whether they like it or not, thus ensuring the software they develop is dragged along into the newer system requirements as well. Today, I am really starting to feel like all proprietary software is essentially a ticking time bomb as we have no ability to keep it functional after the vendor casts it aside as “obsolete”.

    8. 2

      Yeah, this post raises a great point: adopting new iOS SDK features automatically exempts older devices. I have some old iOS devices that are of course far behind the latest iOS, and unfortunately many apps ship required updates that are not possible to install (because they require a newer version of iOS). So, over time the services I was able to use on those iOS devices simply become permanently inaccessible. Good times.

      1. 4

        Why the dismissive/condescending attitude?

        I use an iPhone 8 from launch day (Sept 2017). It works just fine, and the battery lasts all day. Why would I replace it if it works fine and there’s nothing wrong with it? It runs the latest iOS, too (though I’m sure that won’t be the case for much longer). Not that I want it to, because every new major revision brings changes I don’t want, but that’s another subject.

        1. 3

          Also an iPhone 8 user, and we recently got a refurbed 8 for our kid as a replacement for their old 5. I do not feel a pressing need to get a new phone in the near future.

          1. 2

            Yeah, actually, a family member’s iPhone 8 had a failed baseband IC (so no cellular service worked anymore), and we tried to get it repaired but it was fruitless. They decided to just buy another iPhone 8, preowned. Super affordable and, unsurprisingly, it’s working great.

      2. 3

        As much as the manufacturers want everyone to believe these things are sealed for life and unrepairable, they’re not: https://www.ifixit.com/Guide/iPhone+SE+Battery+Replacement/61303

        (iPhones are actually one of the best options for battery replacement because you can pretty easily find an OEM-quality replacement battery for them, unlike less common phone models where you’re stuck playing “ebay/amazon roulette” on quality.)

      3. 3

        What’s the battery life on an iPhone from 2016? Like 15 minutes?

        I don’t know iPhones, but my Nexus 6, an Android phone from 2014, can sustain maybe around 12 hours of continuous mild usage (although, as its charge declines over that time, it becomes increasingly likely to shut off immediately if its power usage spikes).

      4. 3

        The only reason that I stopped using a 2017 phone was that the cellular radio stopped working after an accidental trip through the washer-dryer (I think it survived the washing but the static cooked the radio).

        I’m typing this on a 2016 iPad. The battery in that is starting to struggle a bit, but Apple can replace it in store.

        These devices are still very powerful. The laptop I used for my PhD was worse in every specification (CPU power, RAM, storage space, GPU performance, even screen resolution) than either device.

        When I was an undergrad, the university had a 3-year rolling update programme for desktops because after three years they were so far behind that they were almost unusable. That gradually moved to 6 or 7 years because the newer machines didn’t make a material difference to performance for most workloads and the replacements were mainly to avoid unreliable machines. Laptops took a few years longer to get to this point, but I’m still using a 2013 MacBook Pro as my main personal machine and only just starting to think about replacing it. Phones took longer, but 2016 is around the point where I’d say that they passed the ‘good enough’ point for most users.

        Apple is well aware of this trend, which is why they’re trying so hard to reinvent themselves as a services company. Their revenue comes, increasingly, from selling things to iPhone users, rather than selling iPhones. This is one of the reasons the Android ecosystem is having such a problem: handset makers make money from selling devices, Google makes money from selling services, and so the incentives are completely misaligned.

    9. 1

      The issue of state resetting when swapping between apps is what eventually made me change my last two phones as well. Hopefully now that modern phones contain a few gigs of ram that’ll be a thing of the past, but rate of software memory bloat continues to surprise so who knows.

      1. 7

        Hopefully now that modern phones contain a few gigs of ram that’ll be a thing of the past, but rate of software memory bloat continues to surprise so who knows.

        Once most phones contain a few gigs of ram, devs will start thinking “who cares if I waste a few hundred megabytes? RAM is so ubiquitous nowadays”. This isn’t a problem of technology, it’s a problem of values.

        In fact, I’d argue that fast RAM increases make the problems worse - imagine if literally half the market today still had the same amount of RAM as phones had in 2012; nobody would even think of being liberal with memory, and your old 2012-phone wouldn’t run out.

        I’ve been thinking for a while now that the best possible thing for right-to-repair and the environment, would be for Moore’s law (and specifically, all exponential scaling terms for computing) to visibly sputter out.

        1. 4

          Yeah, I’m pretty stoked about the fact that new processors/systems aren’t substantially faster than their predecessors. In prior decades the iterative improvements were blatantly noticeable. Today, they are moreso just inching forward (subjectively speaking). The best thing about this is the staying power of “older” hardware (as I type this from a ThinkPad X230 with i5-3320M processor), so supposedly-old stuff is still usable and worth keeping around. The behaviour of frequently replacing your perfectly-working hardware is less worthwhile.

    10. 4

      desk with 12000 lm of daylight, ErgodoxEZ keyboard, Herman Miller chair.

      desktop with Debian, stumpwm, Firefox, st terminal (forked), Emacs.

      1. 1

        nice, Mirra ftw. I got two (one each for my wife and I)! way prefer it over the Aeron due to the more-supportive back.

    11. 5

      Desk looks like this only messier (that’s from 2020; since then I’ve replaced the monitor (with an LG 27” 16:9), the speakers (with some little Edifier bookshelves on the shelves), and the HF-AUTO (with a Tuner Genius XL)).

      PC is a Ryzen 9 3900X, 80GB RAM, around 20TB of SSD (ZFS, except the Windows drive, and all SATA 2.5” except the Linux boot drive which is NVMe), an RTX 3080, and an IBM/Lexmark keyboard from 1994 with a TrackPoint IV. Runs Ubuntu with KDE (and I’ve got KWin configured to act almost tiling-ish), and a very occasional boot into Win11. Not quite the latest and greatest of anything, but more than sufficient to do the job.

      Ham stack is a Flex 6600M, SPE 1.3K-FA amplifier, TGXL, DEMI transverters for 2m and 70cm, Green Heron rotator controller, and a LeoNTP as 10MHz reference. Outdoors is a 160m loop @30’, a KIO Hexbeam @30’ (on top of a Rohn 9H50, spun by a Yaesu G-800 at the base), a Diamond X200 @25’, and a LZ1AQ loop for receive.

      I’ve also got a server for my ionospheric modeling site, which I’m very happy is not in my house, and also very happy that I got someone else to pay for. That’s an Asus 1U server with dual EPYC Milan 7413 (total 48 cores / 96 threads), 256GB RAM, 4TB SSD, dual 1200W PSU, dual 10GbE, and a decent BMC. Runs Debian plus a whole lotta podman. Tech stack is about 10 different components/services in a combination of Python, Perl, and Fortran (no, I’m not serving HTTP from Fortran, those bits talk stdin/stdout and they’re fronted by Python).

      Turns out the big issue with finding a home for a machine like that is power density. Sure, there are lots of places that sell colo 1 or 2 U at a time, but they’re kind of like budget airlines — no legroom. They want you to be using 100W per U, maybe 150 if you’re lucky. If you tell them you’ve got a 1U machine that hits 450 or 500W every 15 minutes, and idles at 200W, they’ll quote you a price that’s about 4x the usual 1U rate, if they talk to you at all. Because… well, if you stacked 40 machines like that on top of each other it would be quite the space heater.

      1. 1

        Ooh Flex, nice. I’ve just got a Kenwood TS-480SAT and Yaesu FT-857D myself. They get the job done though! haha :)

        1. 1

          TS-480SAT is a nice machine. A few years ago I was on a quest to make everything remotable, because I was living with my girlfriend in a city apartment, so I upgraded a lot of stuff. These days I’m back in the house, but the Flex is still nice :)

          1. 1

            Yeah, I love the TS-480SAT! Super “accessible” and quick to use, and of course the built-in tuner is a huge plus. Seems to be a very well-designed and engineered rig.

            hahah, yeah now you get the best of both worlds - not having to use your radio remote (but having the option), AND having such a super-awesome radio to use! awwww yeah :D

      1. 1

        nice. Nord Stage?

        1. 1

          Yup. Makes for a nice break from coding when I get particularly stuck on something.

          I had a two-level keyboard setup with an electric piano and a separate computer for sequencing, but it turned out to be too much overhead for what I use music for. The keyboard and an analog mixer are just fine.

          1. 1

            Ahhh nice, yup that should indeed be sufficient! I’ve got a two-level keyboard stand as well, but yeah, currently just laying folded up against the wall. Hmmm, a synth/keyboard next to the workstation seems like an excellent idea… :D

    12. 7

      This is my WFH Desk. I use it for writing, coding, streaming and gaming!

      1. 7

        I’ve been real happy to see almost everyone using a Gecko-based browser on Lobsters

      2. 2

        I’m curious, if you don’t mind sharing, what is the significance of the framed newsprint pages?

        1. 2

          They are the frontpages of a national newspaper on the days my wife and I were born.

          1. 1

            Oh neato! That’s a cool idea! Did your parents happen to save those, or did you go back and find them? Or just reprinted digital scans?

            1. 1

              No, the newspaper sells them. Or, at least, they used to: https://www.irishtimes.com/pagesales/.

    13. 1

      This sounds frickin’ awesome. I don’t quite understand how it works from the explanation, but I guess I’ll have to take a look at the whitepaper (which I’m sure to also have difficulty understanding, haha)… Intriguing!

    14. 4

      Yup, I’d be glad if it’s added. Some time ago I added my mastodon profile link in the “About” section of my profile (and just recently removed the twitter profile link). Probably a specific sequence of events occurring with greater frequency lately, I’d guess.

      BTW, my suggestion would be to call it an “ActivityPub” link, or something, because maybe the federated social platform the user wants to link is PixelFed, PeerTube, Pleroma or something else (not necessarily Mastodon). Just my $0.02.

      1. 1

        Doesn’t “Fediverse” include all ActivityPub implementations?

        1. 4

          Ideally yes, but most of the suggestions in the above linked GitHub Issue are mostly Mastodon specific.

        2. 2

          Kiiiind of but not exactly. ActivityPub is one of four currently-noteworthy federated networks[0], and is the one that’s the most popular (and most likely to warrant linking in one’s profile). You could indeed call the link a “Fediverse” link but that makes it ambiguous as to what actual protocol/network the profile would be for. Saying ActivityPub explicitly would scope it to that specific network, ensuring potential connectivity with certainty (rather than having to click through and not knowing until you see the profile).

          Then again, it also depends, you could totally just call it “Fediverse profile”. The only downside being that occasionally someone might be surprised when it’s a Diaspora profile rather than Mastodon, for example. Not a big deal, but for me I prefer to just make it very explicit, reducing uncertainty. /shrug

          1. 1

            Thanks for expanding. I see your point.

            I believe you’ve missed a reference as you have included a ‘[0]’ footnote reference that’s not pointing to anything.

            1. 2

              haha sorry! This is why I usually add the links the moment I make a reference to them! :’D

              The link was supposed to be to: https://en.wikipedia.org/wiki/Fediverse

    15. 7

      I love all the talk about security, encryption etc we can do in regards to the Fediverse (I really do want it to, wish it could work), but without some kind of ranking system around its full-text search, it’s practically useless as a Twitter competitor. That’s why it markets itself as “microblogs”, which is something nobody really wants. If you want a ranking system, Twitter is very strong evidence that basically you need to pipe all of your data to GCP.

      Ignoring the lack of ranking, we have a network that has demonstrated it fragments and disintegrates given time, where admins can grep your DMs if they want, and anyone with enough users and/or domains will spam you as much as they please without any kind of access restriction; a large part of the product of Twitter is the content and user moderation, something which they struggled with as a $44bn company - I don’t see a couple German nonprofits and guys on basement Raspberry Pi LAMP stacks coming up with an adequate solution to this problem that doesn’t require centralisation.

      1. 16

        Actually the standard search and ranking system on commercial social media is one of their flaws, and the lack of it is one of the key advantages the fediverse has over them. Globally searchable content makes it possible for behaviour modification. Governments and advertising agencies just need to find ways to optimise the search results and they can get global reach, not based on quality of content but on quantity of capital. Good content on the fediverse gradually spreads to users that are interested in it but in a way that can’t easily be manipulated for profit and power.

        I know this is not a popular position. I know people coming from other platforms expect to have world-wide reach from the word go, but we need to examine this desire and have a real debate about whether it is necessary or desirable to have instant world-wide reach in a social network. Social networks are not news platforms, so instant spread of information is less important than the ability to communicate easily with a specific group of personal contacts. The very definitions of the words ‘social’ and ‘network’ strongly imply not having a system of mega-influencers with millions of followers and legions of unwashed nobodies that follow them.

        I feel like the social aspect of social networks has been lost in the churn somehow. Even if what you really want is a new twitter, shouldn’t there be a place for people like me that just want to share information and news with friends and family? To keep in touch and communicate without being bombarded with advertising and attempted behaviour modification?

        1. 3

          I’m not saying you shouldn’t or can’t have a fediverse, or microblogs, but I’m saying they’re not a competitor to Twitter et al. because the apparent similarities are mostly surface-level, user-facing. The value Twitter had over everyone just blogging or texting each other is lost in the migration to federation.

          The search and ranking features are only “flaws” because you don’t like them. Great. I don’t care, I find utility in these features and millions of other people do too, with centralisation being one of the few things that can coordinate defense against malicious actors wrt these features.

          1. 2

            Right but you are suggesting we change something into something else. I just think it is fair to point out that maybe not everyone wants it changed. Making mastodon just like twitter might be attractive to some people, but a lot of the people that have used the fediverse and supported and developed it for years might not want that. It is easy enough to just make a new twitter exactly as it was and leave the fediverse alone.

            …only “flaws” because you don’t like them

            I think you might be misreading the opinion of most fediverse users towards commercialisation and centralisation. Maybe I am wrong, time will tell. It should be interesting to see how things develop.

            1. 2

              I’m not at all suggesting Mastodon should become Twitter. All I’m saying is it’s not the competitor to Twitter people want it to be, and it won’t have the migration of users people pray it’ll have, because it’s not what people want.

      2. 6

        without some kind of ranking system around its full-text search, it’s practically useless as a Twitter competitor.

        Maybe that’s a personal preference? I have never once thought “gee, I’d like to search all the text on this social network.” Because 99.9% of that text will be crap written by stupid people I don’t know. Part of the usefulness of a social network is that you find stuff (and people) through the people you already follow. But then, I’ve never understood the appeal of Twitter.

        1. 2

          You’ve never used the search function on Twitter to find new things, or people? I used to find so many smart or funny accounts to follow by searching “sentence fragment that’s interesting”.

          1. 5

            I’ve used search on Twitter to see reactions to a current event or meme, but I’ve never followed someone as a result. By definition, search is randos.

          2. 2

            I find utility in Twitter, but I very rarely use search, especially so for discovery.

            To me, Twitter stuff is ephemeral and if I didn’t see it “there and then” I probably don’t need it now. I very rarely ever used the “trending” stuff.

            This requires aggressive pruning, you constantly have to modify who you follow, though. The “algorithm” had made this difficult; instead of managed and moderated stuff, I see a ton of content from people I don’t know about, on topics I don’t care about. E.g. I follow a tech person, I like their blog posts and tweet threads. But, they liked (not responded to!) someone’s political update. Now my timeline is polluted with this political situation.

            Plus now everybody there is treating it as an outreach platform. Not honest discussions and daily sharing of thoughts.

            I think that is why Twitter lost its appeal to me. It’s still interesting sometimes, but signal to noise is quite bad, I open it once or twice a week, or when I wanna announce the next angular meetup.

            For the last few years, I’ve liked fediverse much more, for “social” part of my internet needs. All this is to say, I don’t think search is that important.

        2. 1

          I’d guess 95% of my searches on Twitter were “I know person X posted something about Y” but of course I didn’t bookmark it and even if I had faved it I wouldn’t find it easily.

      3. 3

        I mean they already created a high-quality platform that is good enough to warrant something like 7 million users (estimated), ~550,000 of those having joined in the last week.[0] Pretty sure they’ll figure out something suitable for search. Regarding content & user moderation, a couple German nonprofits and randos with basement RPi’s aren’t the ones doing the moderation. Each instance is responsible for moderating properly. It’s not up to some outsourced below-minimum-wage team. Further, the actual design of content moderation in mastodon makes it substantially easier to deal with. Any user on an instance can report content (or a user) and if the admins/moderators block a user (or instance), all members of the instance benefit from that action immediately. Thus, the entire community works together to keep things running smoothly. Who knows, we’ll see how it goes, but so far the platform has been working extremely well, even despite adding another ~million users over the past handful of months.

        [0] https://bitcoinhackers.org/@mastodonusercount

        1. 4

          Each instance

          These are the nonprofits and raspis.

    16. 6

      A good recipe app designed for power users. I want to be able to plan party menus and see flavor pairings and take notes on new recipes. All the recipe apps I tried are little more than recipe storage + shopping list.

      1. 3

        This 1000x.

        The funny thing is that I know so many people, and I’ve seen so many people [on github], that tried to solve this problem with their own bunch of scripts or apps. It always breaks down later either because of unexpected feature creep that’s too hard to add or just by lack of motivation.

        (I think I found something to try to model in alloy xD)

        1. 5

          The funniest thing to me is that “a place for all your recipes!” was a big selling point of computers in the 1980s and we still don’t have a good recipe app

          1. 2

            Ha! Just like computers were supposed to get rid of all paper documents… We’re getting there, but meanwhile computers made the quantity of paper we use simply explode :shrug:

          1. 1

            Yes, and the person I was replying to knows a thing or two about specifications. https://www.hillelwayne.com/tags/alloy/

            I gotta say, Alloy is pretty cool because it’s somewhat simple and it gives you nice visualization

    17. 7

      I’m a little puzzled. I thought the storage was actually encrypted on these things, and the existence of this bug seems to strongly suggest otherwise unless I’ve severely misunderstood. If swapping out an attacker controlled SIM can get you access to the device storage, it’s not encrypted, right? Is everything here a lie?

      1. 3

        After accepting my finger, it got stuck on a weird “Pixel is starting…” message, and stayed there until I rebooted it again.

        After rebooting the phone, putting in the incorrect PIN 3 times, entering the PUK, and choosing a new PIN, I got to the same “Pixel is starting…” state.

        I thought the same thing until I saw these snippets. I believe the “Pixel is starting…” screen is it decrypting the phone using your pin (and failing in this case).

      2. 3

        To my knowledge an Android phone is encrypted (if you have encryption enabled) when shut off. On boot, you decrypt it using a pin or password.

        After the decryption after boot the lock screen is just a simple lock screen. It prevents somebody from accessing your data through the GUI, but the decryption key is loaded somewhere and a dedicated attacker might be able to get the data off a running phone.

        There is also a small difference between the two lock screens. The first lock screen (which decrypts the device) has a small additional message telling you to unlock the phone to use all features (translated it from my language, probably other words on native English devices). The lock screens afterwards do not show this message.

        I’m really bad at mobile phones though, so my understanding might be wrong. That’s how I understood it when I researched android device encryption.

        1. 5

          To my knowledge an Android phone is encrypted (if you have encryption enabled) when shut off. On boot, you decrypt it using a pin or password.

          For a while now android uses file-based encryption and not full-disk encryption. This means that on boot there is no longer a point where you need to type the password to continue booting. Android’s file-based encryption allows the phone to boot all the way to the lockscreen. However at this point user data is still all encrypted.
          After the user types their pin correctly (the first time after boot) user data is decrypted.
          And yes you’d be correct that after this point the user data is decrypted and the lockscreen now just acts as a lockscreen.

          but the decryption key is loaded somewhere and a dedicated attacker might be able to get the data off a running phone.

          That’s not entirely correct, at least not for modern phones with dedicated security chips, like the Pixel’s Titan M. The decryption key is ‘stored’ in the Titan M - it’s very much protected in there. I say ‘stored’ in quotes because it’s technically a lot more complicated than that (Key Encryption Keys, Weaver tokens, etc).

          1. 2

            The key is stored there, but the data is not. Which is what the commenter above said that the attacker could get.

            1. 1

              Oh, I see.

          2. 1

            So, is the thought here that inserting the new SIM and resetting its PIN then results in an “unlock encrypted user volume” functionality?

            1. 1

              I honestly have no idea. In fact I’m surprised doing anything with the SIM affects the encryption system like this.

        2. 1

          I was assuming the physical SIM swap involved a reboot. Maybe that was too generous an assumption.

          1. 3

            The video clearly shows doing the SIM swap whilst powered on.

            1. 1

              I didn’t doubt that. But I thought swapping it would reboot from a cold state, not hold any decryption keys in memory.

      3. 1

        That’s how I first interpreted this too, but in the demo video you can see that they never turn the phone off.

        It’s still a pretty useful bug. If someone steals/seizes your phone you don’t have time to turn it off, and you probably don’t carry it around powered off.

    18. 32

      I’m surprised that unlocking the phone is as easy as calling .dismiss() on a UI element. The fix of calling dismiss(enum) is still flimsy.

      I’d expect locking to go deep into the OS. Make the kernel and window manager unable to run normally until they’re explicitly told to allow normal operation by auth-handling code, not the GUI stack. Perhaps even keep the disk locked and make unlock actually impossible without a decryption key derived from the pin or provided by fingerprint scanner, so no matter how buggy the UI code is, it can’t fail open.

      But the whole phone security is just a screen saver!?

      1. 11

        Yeah, after reading I too find it kind of obscene the “fix” is an enum instead of fixing the underlying race condition

        1. 9

          They may have fixed the race condition, the post doesn’t specify. In any case, having an enum is a good idea. Having .dismiss() blast away whatever security screen is on top of the stack clearly opens the door for bugs. It would be better to have each security screen have something like a session ID (or unique object handle) that can be dismissed explicitly, but targeting the type is certainly better than nothing.
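The three dismissal designs compared in the comment above, as an added Python model that is not part of the original thread and is not Android's code. The `Keyguard` class, the two screen types and the stale-callback scenario are all constructed for illustration.

```python
import enum
import itertools


class ScreenType(enum.Enum):
    SIM_PUK = "sim_puk"
    DEVICE_PIN = "device_pin"


class Keyguard:
    """Toy stack of security screens (hypothetical model, not Android code)."""

    def __init__(self):
        self._next_handle = itertools.count(1)
        self._stack = []  # (handle, ScreenType) pairs; the last entry is on top

    def show(self, screen_type):
        """Push a new screen and return the unique handle of this instance."""
        handle = next(self._next_handle)
        self._stack.append((handle, screen_type))
        return handle

    def remaining(self):
        """Screens still guarding the device, bottom first. Empty means unlocked."""
        return [screen_type.value for _, screen_type in self._stack]

    def dismiss_untyped(self):
        """Untargeted shape: remove whatever happens to be on top."""
        if not self._stack:
            return False
        self._stack.pop()
        return True

    def dismiss_typed(self, expected_type):
        """Type-targeted shape: refuse unless the top screen has the expected type."""
        if not self._stack or self._stack[-1][1] is not expected_type:
            return False
        self._stack.pop()
        return True

    def dismiss_handle(self, handle):
        """Instance-targeted shape: refuse unless the top screen is the caller's own."""
        if not self._stack or self._stack[-1][0] != handle:
            return False
        self._stack.pop()
        return True


# Adapters so one scenario can be run against each design.
def untyped(kg, handle, screen_type):
    return kg.dismiss_untyped()


def typed(kg, handle, screen_type):
    return kg.dismiss_typed(screen_type)


def by_handle(kg, handle, screen_type):
    return kg.dismiss_handle(handle)


def run_scenario(dismiss, reshow_sim_screen=False):
    """The SIM screen's handler fires twice: once legitimately, once stale."""
    kg = Keyguard()
    kg.show(ScreenType.DEVICE_PIN)
    sim_handle = kg.show(ScreenType.SIM_PUK)
    dismiss(kg, sim_handle, ScreenType.SIM_PUK)  # legitimate: SIM screen was solved
    if reshow_sim_screen:
        kg.show(ScreenType.SIM_PUK)  # a new, unsolved instance of the same type
    dismiss(kg, sim_handle, ScreenType.SIM_PUK)  # stale callback from the first screen
    return kg.remaining()


if __name__ == "__main__":
    for name, strategy in (("untyped", untyped), ("typed", typed), ("handle", by_handle)):
        print(name, run_scenario(strategy), run_scenario(strategy, reshow_sim_screen=True))
```

With the untargeted call the stale callback removes the device PIN screen and the model ends up unlocked. The type check stops that but still removes a second, unsolved screen of the same type, which only the per-instance handle refuses.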

      2. 6

        It’s almost like it’s just pretending to be locked.

        I wish we could see the iOS source to compare the two and try to get the best possible solution.

      3. 4

        That’s how it works on my laptop.

        But I know it, and I know I can log in as me and pkill i3lock and have my computer unlocked. Phone users don’t know this, and it should be more secure in an integrated environment like that.

      4. 3

        I posted a comment linking to a JWZ blog rant about these kinds of bugs in screen lockers, and then discovered someone else had already posted it as a top-level comment.

      5. 1

        Right, this just suggests that the entire security model of the system is mediocre at best. Like, as a trivial example, the user filesystem shouldn’t even be mounted without the biometric/PIN explicitly unlocking it. Instead it seems like the entire system is up and running before any authentication has occurred? Or something?

      6. 1

        Developers have always known how to make these secure, usually involving some black magic where a microcode block or a set of machine instructions is the output from the unlocking sequence. On the down side, it is black magic and so some of your developers will not understand making calls into data returned.