We should have the ability to run any code we want on hardware we own

We need both options to coexist:

1. Open, hackable hardware for those who want full control and for driving innovation

2. Locked-down, managed devices for vulnerable users who benefit from protection

This concept of "I should run any code on hardware I own" is completely wrong as a universal principle. Yes, we absolutely should be able to run any code we want on open hardware we own - that option must exist. But we should not expect manufacturers of phones and tablets to allow anyone to run any code on every device, since this will cause harm to many users.

There should be more open and hackable products available in the market. The DIY mindset at the junction of hardware and software is crucial for tech innovation - we wouldn't be where we are today without it. However, I also want regulations and restrictions on the phones I buy for my kids and grandparents. They need protection from themselves and from bad actors.

The market should serve both groups: those who want to tinker and innovate, and those who need a safe, managed experience. The problem isn't that locked-down devices exist - it's that we don't have enough truly open alternatives for those who want them.

I'd argue that even the 'safe' devices should at least be open enough to delegate trust to someone besides the original manufacturer. Otherwise it just becomes ewaste once the manufacturer stops support. (Too often they ship vulnerable and outdated software then never fix it.)

If the user cannot be trusted to maintain the hardware and software, then the only responsible thing is to rely on the manufacturer to do so. In those cases, if the support is dropped you buy the newest device.

I think this is a false dichotomy. Open hardware with open source software would be more protected simply by being more stress tested and vetted by more people. If you need even more protection you can employ zero-knowledge proofs and other trustless technologies. I have long been dreaming about some kind of hardware/software co-op creating non-enshittifying versions of thermostats, electric kettles, EV chargers, solar inverters, etc, etc. Hackable for people who want it, simply non-rent-seeking for everyone else.

> more stress tested and vetted by more people

Grandma and grandpa aren't reading the source code and certainly not up at a professional level. This is one of the core misconceptions of the "free/libre" formulation of OSS.

I’m not suggesting grandpa reads code, contributors do. We all know that most commercial code is much shittier than open source. Sure, commercial code usually covers more edge cases and has better UX, but is cobbled together from legacy and random product asks.

What if that is the newest device?

Incorrect.

Choice 2. Empowered user. The end user is free to CHOOSE to delegate the hardware's approved signing solutions to a third party. Possibly even a third party that is already included in the base firmware such as Microsoft, Apple, OEM, 'Open Source' (sub menu: List of several reputable distros and a choice which might have a big scary message and involved confirmation process to trust the inserted boot media or the URL the user typed in...)

There should also be a reset option, which might involve a jumper or physical key (E.G. clear CMOS) that factory resets any TPM / persistent storage. Yes it'd nuke everything in the enclave but it would release the hardware.

> Locked-down, managed devices for vulnerable users who benefit from protection

Thats fine! Just make sure it is possible for someone to take the same device and remove the locked down protections.

Make it require a difficult/obvious factory reset to enable, if you are concerned about someone being "tricked" into turning off the lockdown.

If someone wants baby mode on, all power too them! Thats their choice. Just like it should be everyone else's choice to own the same hardware and turn it off.

Paul knows that. He is arguing for a different future. google is about to remove my ability to remotely control my thermostat. Not even local control. Imagine a world where they would have to choose between continued device support or unlocking… or maybe just building out the local control and cleaning their hands of it. Having corpos as the arbiter of a consumers buying schedule and creating unnecessary easter is pretty undesirable.

The issue with this is that inevitably the locked down devices, which will end up being 98%+ of the market, become required for ordinary living, because no-one will develop for the 2%.

Open hardware is essentially useless if I need to carry both an open phone and a phone with the parking app, the banking app, messenger app to contact friends, etc.

easter?

> contributors do

I would argue most code of any license is not actually regularly audited if at all, and certainly nowhere near the levels people seem to think they are.

> We all know that most commercial code is much shittier than open source

citation needed

I'm guessing autocorrect for e-waste / ewaste

For security reasons it makes sense for them to be different devices. People and services may not want to allow insecure devices to communicate with them.

Keep in mind one of these third parties would almost certainly be Meta (because users want their stuff), and that would almost certainly be a privacy downgrade.

>big scary message

Open question:

Any idea on making it so difficult that grandma isn't even able to follow a phisher’s instructions over the phone but yet nearly trivial for anyone who knows what they’re doing?

Consider the possibility of an evil maid type attack before a device is setup for the first time, e.g. running near identical iOS or macOS but with spyware preloaded, or even just adware.

On Steam Deck, you never even have to set a 'sudo' password. You can have a safe managed experience and still allow a device to be open. Option 2 is ridiculous because it will just be exploited by companies and governments that want to control what you do or what content you see.

> The problem isn't that locked-down devices exist - it's that we don't have enough truly open alternatives for those who want them.

The problems is that vendors use "locked down devices" as an excuse to limit competition.

Suppose you have a "locked down" device that can only install apps from official sources, but "official sources" means Apple, Google, Samsung or Amazon. Moreover, you can disable any of these if you want to (requiring a factory reset to re-enable), but Google or Apple can't unilaterally insist that you can't use Amazon, or for that matter F-Droid etc.

Let the owner of the device lock it down as much as they want. Do not let the vendor do this when the owner doesn't want it.

Fix the phone system so calls must positively identify themselves.

There is no reason anyone purporting to be from a business or the government should be able to place a call without cryptographically proving their identity.

Stop gatekeeping actually useful apps. Nobody should never need to see the message to do anything they actually want to do, otherwise it leads to normalization of deviance.

False positives from PC virus scanners are very rare.

This.

We need a mobile bill of rights for this stuff.

- The devices all of society has standardized upon should not be owned by companies after purchase.

- The devices all of society has standardized upon should not have transactions be taxed by the companies that make them, nor have their activities monitored by the companies that make them. (Gaming consoles are very different than devices we use to do banking and read menus at restaurants.)

- The devices all of society has standardized upon should not enforce rules for downstream software apart from heuristic scanning for viruses/abuse and strong security/permissions sandboxing that the user themselves controls.

- The devices all of society has standardized upon should be strictly regulated by governments all around the world to ensure citizens and businesses cannot be strong-armed.

- The devices all of society has standardized upon should be a burden for the limited few companies that gate keep them.

Freedom > Privacy > Security

Never give up your freedom.

If you have to give up your privacy to ensure your freedom, so be it.

If you have to give up your security to ensure your privacy, so be it.

This goes for governments and phones.

Why? It's not like the insecure device doesn't have my identity key on it. If I program it to spam people, I go to jail for spamming.

> Make it require a difficult/obvious factory reset to enable, if you are concerned about someone being "tricked" into turning off the lockdown.

Is there also a way to make it obvious to the user that a device is running non-OEM software? For example, imagine someone intercepts a new device parcel, flashes spyware on it, then delivers it in similar/the same packaging unbeknownst to the end user. The same could be said for second-hand/used devices.

It's potentially possible the bootrom/uefi/etc bootup process shows some warning for x seconds on each boot that non-OEM software is loaded, but for that to happen you need to be locked out of being able to flash your own bootrom to the device.

You're wrong.

My hardware. My decision.

What are you on about? The last 10 years of computing the only time windows defender pinged was on false positives.

> This goes for governments and phones.

Apple does not have the ability to throw me in prison or take away my freedoms. Only to not grant me extra freedoms subsidized by their R&D budget.

Apple has removed your freedom from day one.

Their R&D budget is at the expense of a free market that would have delivered the same or better products.

Did you ever see how wild and innovative the Japanese mobile phones were before iPhone monoculture took over?

I want crazy stuff like a smartphone that has the form factor of a Raspberry Pi. Or a smartphone with e-Ink. Crazy new categories of devices.

Sadly, the Apple/Google monopoly has turned smartphones into one of the shittiest, most locked down device categories. It's a death place for innovation.

Sure. You ship the device in open mode, and then doing it is easy. The device supports closed mode (i.e. whatever the currently configured package installation sources are, you can no longer add more), and if you put the device in closed mode, getting it back out requires attaching a debugger to the USB port, a big scary message and confirmation on the phone screen itself, and a full device wipe.

Then you put grandma's device in closed mode and explicitly tell her never to do the scary thing that takes it back out again and call you immediately if anyone asks her to. Or, for someone who is not competent to follow that simple instruction (e.g. small children or senile adults), you make the factory reset require a password and then don't give it to them.

> I would argue most code of any license is not actually regularly audited if at all, and certainly nowhere near the levels people seem to think they are.

Every device should run OpenBSD. And only the audited part.

> contributors do

More users != more contributors. As software gets more popular, you begin getting 10, 100, 1000, 1,000,000 users for every contributor.

This doesn't just affect non-programmers. We can't even police NPM.

People want it to be true so that it will be a talking point, but it's not true, and we need to find new talking points that align with facts that are evident outside the echo chambers.

I like that! I’m sure it would take a little bit of time for folks to stop trusting calls from personal numbers where highly-capable social engineers do their best work, but eventually I expect nearly all of us would learn the lesson.

And presumably we could set up notifications so our elderly relatives’ phones would alert us to calls from unverified numbers not in their contact list lasting longer than a minute or two.

Interesting, mind elaborating a bit/clarifying the first couple of sentences there? A point I’d like to understand

Very nice!

I’m sure I’m missing a problem with the following approach: shipping in _closed_ mode with a sticker on the front notifying the person they should do a factory reset immediately to make sure they can do everything they want to do. During the reset, include a scary message for those who opt in to get to open mode.

Everyone simply goes by defaults so it would only be technical people presumably who would even get into the open mode in the first place. And then require the debugger to leave closed mode like you said.

Edit: this comment worries about solo/asocial/“orphaned” members of our society

> We all know that most commercial code is much shittier than open source

Citation needed. Seriously.

It would be easier to spoof such identities and some services may not want to deal with the overhead of using the legal system. Spammers today already can be taken to court, but in practice people don't do that.

If only you went to jail for spamming.

The problem with that is the owner has to choose which package sources they want to allow before the device is in closed mode, because after that adding more requires the scary reset, and the vendor of course has the perverse incentive to ship the device in closed mode with only their own store enabled, which has to be prohibited because it's anti-competitive.

We already have that today. And locked down systems don't prevent it, because you can always exploit some part of the supply chain. A determined actor will always find a path.

I don't think it will convince you in any way, but the whole point is/will be that it's not your hardware, you're paying for a perpetual license to use a terminal bound to someone else's service.

I like the way Chromebooks do things, initially locking down the hardware but allowing you to do whatever if you intentionally know what you're doing (after wiping the device for security reasons). It's a pity that there's all the Google tracking in them that's near impossible to delete (unless you remove Chrome OS).

Nobody is forcing you to buy their products, so they haven’t taken away anything from you.

If you do decide to buy their products, nothing has changed since the day of your purchase, so they haven’t taken away anything from you.

Their “monoculture” didn’t “take hold” - it beat the Japanese offerings through innovation and a better product.

They operate in a free market, their R&D budget is made possible by their market success. If things change in the market (e.g. AI) the market will vote the way it always does.

I'm not the one who made that assertion, but... Windows Millenium Edition almost makes his case all by itself.

Technically for US residents Apple can throw you in prison for attempting to maintain and use your freedoms, thanks to the anti-circumvention parts of the DMCA.

That makes the case that a _single_ piece of commercial code was shitty.

I could make the same argument about MongoDB of a decade ago implying that all open source is trash...

The market has forced us all to buy Apple or Google. There is not a vibrant field of alternatives, and there is certainly a desert of hobbyist tech.

The market is now so depressed that everyone has to jump through these companies' hoops to participate in the most important computing form factor in the world.

Don't apologize for trillion dollar hyperscalers. They don't need your love, adoration, or apology. They do not care about you at all.

Too much power has accrued to these two and it's being leveraged against all of society and the open market. Competition is supposed to be difficult, ruthless, challenging, and frenetic. I see two companies resting on their laurels that are happy to tax us into the next century while we wear their little straightjackets.

NPM is... special... It's up to platform owners to set standards and police. NPM's failures have nothing to do with open source as a whole.

> The problem isn't that locked-down devices exist - it's that we don't have enough truly open alternatives for those who want them.

Not for lack of trying. See for yourself

https://en.m.wikipedia.org/wiki/List_of_open-source_mobile_p...

The list is not short.

Plenty of companies have attempted this over the years but it’s not obvious that a big enough customer base exists to support the tremendous number of engineering hours it takes to make a phone. Making a decent smart phone is really hard. And the operations needed to support production isn’t cheap either.

Always fun to interact with some internet Thomas Jefferson giving freedom speeches from his mother's basement.

Reality is that people pay a lot of money because they 'trust' Apple (and to a lesser extent Google), but Meta is the sleaziest one of them all. (And I don't use their shit either.) But people want Whatapp and Instagram, and so you are telling them now they have sell-out and go to the "Meta App Store" to talk to their friends. That fucking sucks. And I think you agree with that.

No, we need to only have option 1, because if option 2 exists, things like banking apps will all only run on it and will refuse to work on option 1.

Government maybe rather than legislating big companies stores could not back up smaller open HW/SW vendors? It seems we gave up increasing competition on HW and what is left is app store level...

> Grandma and grandpa aren't reading the source code and certainly not up at a professional level.

This is one of the core misconceptions of the anti "free/libre" formulation of OSS. Most users don't need to read the entire Debian source to know that it is safe to use. You are free to look up who maintains any part of the project and look at the history of changes that have been made. A lot of projects have nice, easy to read notes along with the actual code.

If you are so paranoid that you can't even trust open release notes then why would you trust a closed project at all?

Right now you'd need a zero-day bootrom exploit to do something like this - still a possibility for the average high-level intelligence operative, but not the average white collar citizen. The proposal is making such a thing a feature.

This can be fixed by adding some user-controlled "fuse". For example, with a TPM you will lose access to stored keys if the boot sequence is modified.

Norton, McAfee, in fact most virus scanners.

Plenty of examples I've heard about but haven't actually used myself so I can't confidently assert the quality of the software. But Windows ME, Norton, and McAfee, I have personal experience with.

Oh, and also Windows Vista.

Plenty of badly-written open source software, too; won't argue against that. But one of the biggest reasons, for me at least, why I prefer to use open-source software rather than commercial if I have a choice is bug fixes. I've reported over a dozen bugs against open-source software I use over the years; most of them have been fixed (in a couple cases I was able to fix it myself). I've rarely even been able to report a bug against closed-source software, let alone get those bugs fixed. So even if if were true that commercial software as a whole has similar or better quality than open-source, my personal experience is the other way around: open-source quality gets better over time while the closed-source software that I have to use (lacking open-source alternatives) doesn't improve the same way.

Stuxnet did not require a bootrom zero day. Just people's propensity to plug in USB devices out of curiosity.

You don't need the NSA to target someone and replace their device with a malware driven one. Just a porch pirate and your own delivery - two to three years and you're almost guaranteed an attack window.

What if the only hospice in town closes down and your grandma is there? What if Mozilla or Linux die out and the only browsers/OSs that remain are proprietary? You find alternatives or make do, like all aspects of life.

You can't expect services and organizations to last forever, there is always some risk they'll collapse when you are around.

Do you honestly believe "a free market" would only produce two alternatives?

In that case, the free market sucks and I want government intervention.

> A lot of projects have nice, easy to read notes along with the actual code

This alone doesn't improve the quality of the source.

> Paranoid

Nothing to do with it. Please be logical. Having millions of people who can't program trust maintainers doesn't make those maintainers do better work.

The whole idea of more eyeballs is an appeal to a vision of crowdsourcing that was a new idea in the early internet. What we found out is that complacency sets in, the notes eventually don't mean anything, and most source code is not read.

This vision of more programmers spending more time reading other people's programs is wholly born from within programmer communities, from programmers talking to other programmers, forgetting that the average user will never program and not because they lack access. It's a romanticized ideal that is only even a plausible idea in a room full of programmers.

Until you focus on how the non-programmer is going to meaningfully improve the review and production of the open technologies, you will never have a scalable or equitable solution.

The issue here is rarely whether the security features themselves are circumventable. It’s that at some point this turns into trusting users not to give malware apps permissions (whether that’s a dialog, a system wide setting, adding a third-party app store, etc.). Almost no users can usefully evaluate whether a particular bit of digital trust is a good or bad idea, so people will constantly get scammed in practice. If you’re thinking about ZNP as a solution, you’re not trying to solve the actual security problems of normal users.

Did they ask? Some users can be trusted. Is there even a certification program?

Open and hackable products have a niche user base, so these users get a niche set of options. The only way to get mainstream products to play to this tiny user base is to demand that all products be open and hackable by fiat. Otherwise, there’s no incentive from anybody involved (manufacturers, app developers, etc.) to give them something that can run both their banking app and some open source app they compiled themselves. There’s a lot of dancing around the security effects this will have on “normies”, and although there are plenty of armchair proposals I haven’t heard one that doesn’t obviously degrade into some sort of alarm fatigue as both legitimate apps and malware tell you to click though a dialog or flip a setting.

And yet you're apparently not losing your mind over Mark Zuckerberg having his products on the web? He's doing everything you claim on the open web - third party trackers embedded on other websites, etc. Do you want to lock down the web?

I think you have a reason for defending Apple. Maybe you love the company, maybe you've got their stock, maybe you've worked for them.

Apple is a trillion dollar behemoth that has distorted the market and removed freedom and choice. They're a menace that needs to be regulated. Period.

I also think Zuckerberg's tracking needs to be regulated, but that's a battle for another day. It's one we haven't so egregiously lost yet.

People don't need Meta. People need smartphones. And smartphones are draconian dictatorships that the government has been too asleep and too lax to regulate.

But is it too much to ask to at least let me get my grandma back out of the hospice? Don't just lock all the doors and put up a sign saying "Thanks for your loyal business, it's been an amazing journey". And if I'm the one who owns the building and you were just staffing it, then I'd appreciate having the door keys back as well, please!

> Do you honestly believe "a free market" would only produce two alternatives

No. A free market will eventually produce a single monopolistic winner.

If you have ability to buy your competition, and most of people consider it a job and not some religious calling, monopoly is the most logical outcome.

Same way a black hole is the most logical outcome of gravity.

Do we need the second option to exist? The world is dangerous place. If you can't figure out a computer perhaps you're just unfit to participate in the modern economy.

The existence of locked-down hardware eliminates the feasibility of open hardware through network effects. That is what is happening now.

I think normal users will figure it out if you give them a couple of generations

The non-programmer never going to meaningfully improve the review and production of the open technologies. The solution is to make a society where people are literate in the technology they rely on or suffer otherwise.

You realize you’re discounting 98% of the world’s population, right?

Windows ME, Windows Vista, Internet Explorer, Adobe PDF Reader, Siemens Step7, Norton, McAffe, the list goes on. If you look at it as a function of terribleness * users then corporate ware takes the cake. There are loads of terrible open projects but nobody uses them.

Pixel phones do this. Flashing a non-oem rom causes it to show a very "your device is broken" looking screen every time you boot.

I think that the majority of the population can figure out how to stop installing software from untrustworthy sources, seeing as that was pretty much the norm 20 years ago.

Everyone else can put on their loincloths and go back to living in flinstones-esque rock huts.

Regardless of whether we expect manufacturers to let us run any code on the device, we should not restrict people from attempting to bypass the manufacturers limitations. That gives the manufacturer freedom to try and lock the device down but also the owner freedom to break those locks. Otherwise it worsens situations like the FutureHome scandal.

I wonder if full device wipe would be the solution to "annoying enough that regular users don't do it even when asked by a scam, but power users can and will definitely use it".

I think you just made up that number.

That's how bootloader unlocking has worked on Android phones for ages, and I've never heard of it being abused, so I think it's a good model.

I did! You’re welcome to make your own estimate of how many people are able to correctly judge when snd what software is safe to install on their phone.

I was a kid once. The hackability of the devices I owned is what led me to this career. Let's give our young ones a little more credibility.

It's possible to make this detectable, and chromebooks already do.

On a chromebook, if you toggle to developer mode you get a nag screen on early-boot telling you it's in developer mode every time, and if you're not in developer mode you can only boot signed code.

Basically, just bake into device's firmware that "if any non-apple keys have been added, forcibly display 'bootloader not signed by Apple, signed by X'", and if someone sees that on a "new" device, they'll know to run.

I think you’re mistaken, assuming that you’re even serious.

If that comes to pass I hope that one would be able to install a regular firmware with full DRM support / banking app support which only differs by allowing one to install apps freely. I don't think that's the case currently with firmwares that allow root. The security implications are somewhat different (root is more permissive) but I guess that the kind of person that wants to run arbitrary apps also prefer root access (maybe not at the cost of access to everyday apps with bullshit protections however).

And it really shouldn't be this way. Everyone is tricked into believing that they own devices they bought. And we are somehow supposed to accept that the abilities of the device can be reduced after we bought it just because the vendor said so. Same with (lack of) right to repair. It's really not ok, nobody (especially here) should accept that.

With the root of trust and original software wiped, what used to be, say, an iPhone stops being an iPhone. It becomes a generic computer with the same hardware. All the software designed to run on iPhones like the App Store is likely to stop working. You won't fool the user for long.

And this attack is already doable by simply replacing the iPhone with a fake. It won't fool the user for long either, but you get to steal a real iPhone in exchange for a cheap fake.

Make it an obscure option in the first time setup so all the users that click next next next will end up with the secure mode, while the open mode requires fiddling.

This isn’t a gdpr opt out where both alternatives need to be equally easy. We (as a society) absolutely need the devices to default to the current model when purchased.

Yes. Also, it is a crazy hard battle to fight.

The first step needs to be people moving out of the denial phase and realizing that we're already there. Our current laws are written that way.

That's the prerequisite to have any significant initiative to move the needle in the right direction. Most people won't care about fighting hard to secure rights they assume they still have in full.

If there is a big enough market for 1), shouldn't it exist?

The problem in my eyes seems to be that there isn't enough capital interested to sufficiently fund 1) to compete and create a comparable product. Thus, at best, we end up with much inferior products which even people semi-interested in 1) are not willing to adopt due to the extreme trade offs in usability.

This is just insane. Lock the devices down by default, and allow the user to unlock them if they want. Why do we have to have Big Brother devices that "benevolently" restrict what you can run "for your own good"? Why can't all phones have unlockable bootloaders? My phone has a big, scary "DO NOT DO THIS UNLESS YOU'RE A COMPUTER EXPERT" warning screen to unlock the bootloader, and that's fine.

Why do we need devices we can't unlock? Who is harmed by unlocking? This is the major point nobody has ever been able to explain to me. Who exactly does the big scary unlocked bootloader hurt? My parents have unlockable devices and they haven't had all their money stolen, because they haven't unlocked them.

I agree, if Google's going to disallow "normal users" from installing apps from unknown sources, I'd like there to be some escape hatch other than the (increasingly blocked) nuclear option of rooting/bootloader unlock.

You can have TPM with your own hardware key, which allow to verify the integrity of the BIOS. Works fine on my Librem laptop with a Librem Key.

> They operate in a free market

They operate in the illegal duopoly, where you have the "free choice" between a tiny amount of freedom with unlimited telemetry and no freedom with convenience for a big buck.

Incorrect. For us as tech people this is an option. My older family members will definitely install malware and send all their data to China.

Please don’t let me go back to the early days of the internet where my mother had 50 toolbars and malware installed

I know you weren't using it in this way, but I do appreciate the double meaning of the word "protection" here.

A.k.a, "nice google account you've got there, holding all your memories, emails, contacts, and interface to modern living; would be a shame if something happened to it because you decided to sideload an app ..."

And the solution to cavities is to increase self-dentistry literacy? The solution to a bridge collapsing is to increase civil engineering literacy? The solution to a plane crash caused by a cracked turbine blade is to increase casual aerospace engineering literacy? How much of how many literacies will we be willing to acquire so as to balance the responsibility we ask of every other profession and even those who are low and unskilled?

This incredibly selfish point of view put forth by a particular sect of _OSS polls sufficiently well at the engineer's only meeting in Palo Alto and nowhere else.

When people were coming up with the idea of computer literacy being ubiquitous like math, they meant math like addition and subtraction. To make the kind of impact that "free/libre" advocates want the everyday Joe to be responsible for, Joes need to know the CS equivalents of perturbation theory and how to solve partial differential equations. It's not happening, but believing that it can happen allows those ostensibly in favor of it to keep acting like they have a plan, like they want a solution.

As long as the hardware hacker is stuck in the mindset of what 0.01% of users want to do with devices, while they may find sympathy from the 0.1% who are software engineers, many of whom gather on this site, this is not even blowing at the gauge from halfway across the room in terms of moving the needle. Either figure out what is important to the consumer and how it aligns with your interests or just go home.

You can have somr option burried in the settings, a 10yo kid would be able to think of this

People too stupid to use computers safely should be kept away from computers for their own safety. Giving that kind of person any kind of computer would be immoral by definition. They shouldn't have phones at all, they're just going to fall for corporate approved scams from Meta, Applovin, and Indian call centers.

In theory these 2 options seem like a sensible way to have a choice. But the average user is not going to own and carry 2 devices. We want to have all we need in a single device, and things like paying with your phone have become way too common by now to not have them.

> Please don’t let me go back to the early days of the internet where my mother had 50 toolbars and malware installed

I removed hundreds of toolbars from my mother/grandmother/anyone computer.

I still prefer that to techno-fascism where it's ok for companies to brick my hardware remotely, to lock me out of all my hardware because I have a picture of my kid in a bath, to read all my messages for whatever reason, to extract value from my personal files, pictures, musical tastes, to not allow me to install an app I bought because it have been removed from the store, to not allow me to install an app my friend created, to not allow me to create an app and sell it myself, to not allow me to not do the action ever but just "Later this week", and so on and so on.

This toolbar thing is a wrong excuse. And it was 90% because Windows was shitty.

Most mothers would have easily downloaded and installed crapware embedded with whatever they downloaded, but most mothers aren't doing to go to "Settings > About > Tap 10 times on OS version > Bootloader > Disable Bootloader protection > "Are you sure because your phone will become insecure ?" > Yes > Fucking yes.

And if they still do it to purposefully install malware, I'm sorry to say they are just stupid and I cannot care less about the toolbars.

Agreed and I think we're already here. Hardware is so cheap now its trivial to have both multiple streaming devices and multiple open computer platforms. There are advantages to both and no way to compromise to have one device for everything.

Under such topics there are always comments about each vendor making their own store, yet it didn't happen on Android, where it's currently perfectly possible.

Yes. So both options should be allowed to exist. One of them shouldn’t be banned because you don’t like it.

> When people were coming up with the idea of computer literacy being ubiquitous

If you require everyone to have a computer/phone to live in society for example by digital ID - then is ubiquitous and you must regard it as such.

> This incredibly selfish point of view put forth by a particular sect of _OSS polls sufficiently well at the engineer's only meeting in Palo Alto and nowhere else.

No one forces you to change your OS. No one forces you to code. No one forces you to dissemble. No one forces you to compile. No one forces you to add or remove certification authority (change the trust).

We only want to force corporations and states to allow Us to do that to device we own.

You are already responsible on code - closed source also GIVES NO WARRANTY.

> sect

the 'sect' as you called it - envisioned world in which when you get device you have driver to it and code to it.

Should manufacturer decide that you will get no new updates - you COULD go to another company and buy updates from them - because you would have ownership of software.

Should your phone manufacturer decide that you will not get no new updates - you COULD go to another company and buy updates from them - because you would have ownership of software.

Should your washing machine manufacturer decide to s-you and force you to connect to cloud via their app - you COULD go to another company and buy software that doesn't force you to do that, and let them install it for you - because you would have ownership of software.

If you want to use smart home - you could without any manufacturer connectivity bs - because you would have ownership of software.

You could decide that you trust company A for OS updates - and if they deceive your trust, change it to B. because you would have ownership of software.

Yes you would need to pay for updates and software - unless software company did sign a real deal with you for your data.

I hate when people say that Free Software is communism - it is not, it is consumer capitalism in purest form.

The whole point wasn't you SHOULD do it yourself - but you CAN do it yourself. The problem - you need market before any company can enter it. No libre drivers, no libre firmware - no such company.

And before anyone asks - yes you could extend it to cars. You would need stricter CA check (here you can make a reasonable exception that self-signed should not work) on that type of device though, but no longer ONLY MANUFACTURER. Why would you pay another company to do software updates / change when you do buy a repair / parts from third party?

This was intent - not 'increase self-dentistry literacy' - the literacy part came from the users of Linux mostly - you should think about it as after-effect.

> The solution to a bridge collapsing is to increase civil engineering literacy?

If the bridge collapsed because you have no good engineers then yes.

> How much of how many literacies will we be willing to acquire so as to balance the responsibility we ask of every other profession and even those who are low and unskilled?

You are not making good engineers/politicians/doctors etc. if you take ones who want to get paid big money - you are making good ones if the people teach are interested in their work and are willing to get better in it.

To do that you must give them opportunity to grow.

You need casual->small->big->"anti-monopoly split" company path

if you remove casual you don't have a market, you have a graveyard of one.

Option 1 is a superset of option 2 - meaning, any hackable device can also be a locked down device because hackability means the power to do whatever.

We don't need option 2, period, and it shouldn't exist.

Just put the hackability behind a switch or something. If people turn it on, that's on them.

98% of the world population is rooting their phone and installing unsigned binaries? Really?

Are you sure you maybe don't have this the complete opposite way around?

> I like the way Chromebooks do things, initially locking down the hardware but allowing you to do whatever if you intentionally know what you're doing

Did you hear? Google's not allowing "sideloading" (whitewashing the meaning of installing) third party apps by unknown developers.

> after wiping the device for security reasons

Think of the ~~children~~ data!

>And the solution to cavities is to increase self-dentistry literacy?

This is what is done, in practice. You teach people at a young age how to take care of their own teeth and gums. The majority of the problem is preventative, you don't outsource the management of your health to some monopoly. And it's not unimaginable that the average person would have the ability to fill a cavity or something. If anything, dentistry is less archaic than computer software, the reason it's a profession is a more a matter of skill.

>The solution to a bridge collapsing is to increase civil engineering literacy? The solution to a plane crash caused by a cracked turbine blade is to increase casual aerospace engineering literacy?

I think that the difference in this situation is that anyone can play a role auditing and changing computer software they use (and recognize malware vs well built open software), but not everyone gets to build the bridge that everyone uses.

You might say that a lot of the world's software right now exists in the form of services, and you would be right. The goal is to make a world in which people are less dependent on centralized services. I think that most programmers here get paid to think in terms of client-server architecture instead of directly create useful software which is harder to monetize.

>When people were coming up with the idea of computer literacy being ubiquitous like math, they meant math like addition and subtraction. To make the kind of impact that "free/libre" advocates want the everyday Joe to be responsible for, Joes need to know the CS equivalents of perturbation theory and how to solve partial differential equations.

Not really, I think most computer software is a lot simpler than that. And I also generally don't believe that complex topics are inaccessible to most people. If it's the kind of information you learn about in college, then you just have to read textbooks and digest the information. Thanks to the internet, information on most topics are pretty accessible. I don't think there is some sort of "IQ" cap on the vast majority of topics, and you can pretty much learn anything as long as you are reasonably intelligent and motivated.

I think you are stuck in this "consumer vs producer" mentality with regards to technology, where some part of the population is destined to be drooling serfs and we just have to design everything to accommodate them. I take the opposite stance, which is that people are generally capable of learning and adapting to a far wider range of challenging environments than exist in modern society, and that those who can't are a small minority that should be culled anyways.

It was only a couple of decades ago that access to computers was limited to the elite few who understood computers, and society seemed to hum along fine back then.

With increasing automation and access to information, you would think that people would have more time and info to study and become knowledgeable on a wider range of topics. Instead, they are even busier working fake jobs and competing in zero-sum arenas. Instead of setting lower standards for competence in society, why not increase standards and elevate the agency of the common man?

> This isn’t a gdpr opt out where both alternatives need to be equally easy. We (as a society) absolutely need the devices to default to the current model when purchased.

I feel like this is completely the opposite. The case for closed devices is that if grandma is senile she can't be trusted to make sound choices and needs a piece of hardware to limit her options, whereas that isn't the case for random chemists and college students and farmers, i.e. the general population.

It's one of the cases where tech people can't see the forest for the trees. The vast majority of people can make reasonable decisions about their own lives, but then if a tiny percentage make mistakes, those are the ones who come to you with problems and then it seems like everyone who comes to you is having problems because only the people having problems come to you.

Then megacorps use that false perception that everyone is incompetent to try to weasel their way in as a middle man taking a thick margin while locking the doors so the average person can't go to the competition, which is the option that needs to be not just preserved but actually used by ordinary people.

And not just because of the margins. Centralizing everything is a skeleton key for authoritarians. If you want to ban a social media app because people are using it to find out about something you want to censor or organize opposition to your administration and having it banned from Google Play and Apple makes it so 99% of people can't use it, you'd win when we need you to lose.

I don’t know what you think I wrote, but I wrote that comment about discounting 98% as a reply to:

> If you can't figure out a computer perhaps you're just unfit to participate in the modern economy.

We keep mocking and laughing at the "internet Thomas Jefferson"s of the world but they seem to be getting increasingly prescient about the dystopian world where we are giving bad actors disproportionate control over our lives on the pretext of keeping us or children safer.

I must say, amidst all this pretending, justifying, hand-waiving, and appealing, I was surprised to find the eugenics:

> and that those who can't are a small minority that should be culled anyways

Don't get me wrong, this doesn't invalidate everything else you wrote. It was mostly all completely invalid anyway.

You need to start from fundamentals. Logical argument is a DAG. Circular reasoning is trivially invalid. If there is a skill I would see becoming ubiquitous, it is that.

This is the worst thing that I will read all day, probably for the next month.

So, what I concluded, and I'm just speaking my mind since I have no desire to further engage, is that the FSF intentionally adopted religious mechanisms of growth and cult-like thinking because they couldn't think of any other way to recruit enough software engineers to their cause. Most of the engineers grew disillusioned and left. What remains are the loudest zealots with the least code written. They have the most to gain from shouting their message, hoping to make it seem true so that someone else will write their drivers and desktop software.

It's not eugenics, it's just nature and non-interventionism.

There are many barriers to entry in modern society. If you can't read, if you can't drive, if you can't do algebra or arithmetic, you're screwed in this world. What I'm proposing would just be adding a single new expectation to the list: how to use a computer without installing malware. they could probably teach it in middle schools if they don't already.

We don't dumb down all cars because some people can't drive. What you're suggesting is that we dumb down every general purpose computer because some people can't cope with them. It's the equivalent allowing every general-purpose car in the world into a fixed-purpose train with a limited network and surveillance to boot.

We disagree because I think that society should be built around the capability of the common man rather than the needs of the lowest common denominator.

Sorry, I haven't had an Android phone since the original Nexus, so hopefully you can clarify. Could you install some hypothetical 'Meta Store' from the Google Store? Or do you mean more like Meta could just sell their own phone (eg Amazon)?

> I think you have a reason for defending Apple.

Guilty as charged. My parents had a Windows laptop and all sorts of evil shit was "sideloaded", and when I started reformatting it, some indian 'microsoft tech support' guy was actually screaming at them through the speakers. This is what happens in your world.

I bought them an iPad (and another) and it's now been almost 15 years with zero tech support calls, zero problems, zero scammers. That is fucking great for me. Money well spent. So yeah, I wish you guys could just buy a free software phone with no ABI and go away to recompile your software. But it is fucking terrible idea on a societal level.

I will agree with your point, and will also say a lot of the "bad actors" are actually in the house here. So don't take anything on face value. Hacker news has some straight computer criminals, adware types, cryptobros, dubious startup types, whoever is vibe-coding these crawlers, and etc. So of course they all believe in "maximum freedom" (to scam people).

I don't think the centralization and security must be mutually exclusive. So long as the alternative is _also_ secure, it's a win-win. But that's the big problem.

Both are possible.

You can have alternative app stores on Android without any restrictions — the most famous example would be F-Droid which hosts free software. Nothing stops Epic, Meta or any company from also having such a store.

When you ship a certified Android, it has to come pre-installed with the Google Play Store but some vendors like Amazon and Huawei ship an alternative OS with their own stores to replace the Google one. It's not officially Android but can be based on the Android Open Source Project.

Very few companies have chosen to do either and it was usually because they were forced to (Huawei).

Yes, and in the context of play integrity: this means knowing not to root your phone or install unsigned binaries.

I don't think that's an unreasonable expectation for the average person. Not sure if you just hang out with oddly stupid people or what, but I don't think this is something we need to enforce with Google.

Suppose Apple makes devices and has an app store, but you're not required to use their app store, and then if someone can coerce Apple to censor something, anyone can route around it by using one of the others who can't be coerced, e.g. because they operate in a different jurisdiction. That's not centralized; there is no single party who can serve as a chokepoint for the bad guys to set up their nefarious surveillance/censorship apparatus.

Now suppose that only one company has an app store for a given platform, or the alternatives only exist on paper because there are too many barriers for ordinary people to use something else and then the one store still has 99% market share, or they use their control over the device to exclude apps even if you use a different store. That's still centralized and that type of centralization has to be broken in order to solve the problem.