Most active commenters

    ←back to thread

    We should have the ability to run any code we want on hardware we own

    (hugotunius.se)
    2071 points K0nserv | 21 comments | 31 Aug 25 21:46 UTC | HN request time: 0.001s | source | bottom
    Show context
    zmmmmm ◴[01 Sep 25 02:51 UTC] No.45088995[source]
    > In this context this would mean having the ability and documentation to build or install alternative operating systems on this hardware

    It doesn't work. Everything from banks to Netflix and others are slowly edging out anything where they can't fully verify the chain of control to an entity they can have a legal or contractual relationship with. To be clear, this is fundamental, not incidental. You can't run your own operating system because it's not in Netflix's financial interest for you to do so. Or your banks, or your government. They all benefit from you not having control, so you can't.

    This is why it's so important to defend the real principles here not just the technical artefacts of them. Netflix shouldn't be able to insist on a particular type of DRM for me to receive their service. Governments shouldn't be able to prevent me from end to end encrypting things. I should be able to opt into all this if I want more security, but it can't be mandatory. However all of these things are not technical, they are principles and rights that we have to argue for.

    replies(38): >>45089166 #>>45089202 #>>45089284 #>>45089333 #>>45089427 #>>45089429 #>>45089435 #>>45089489 #>>45089510 #>>45089540 #>>45089671 #>>45089713 #>>45089774 #>>45089807 #>>45089822 #>>45089863 #>>45089898 #>>45089923 #>>45089969 #>>45090089 #>>45090324 #>>45090433 #>>45090512 #>>45090536 #>>45090578 #>>45090671 #>>45090714 #>>45090902 #>>45090919 #>>45091186 #>>45091432 #>>45091515 #>>45091629 #>>45091710 #>>45092238 #>>45092325 #>>45092412 #>>45092773 #
    josephg ◴[01 Sep 25 04:34 UTC] No.45089489[source]
    My parents are getting old and they aren't tech savvy. The missing piece here is that I want my parents to have a computer they can safely do their banking on, without leaving them vulnerable to scams and viruses and the like. I like that they have iphones. Doing internet banking on their phone is safer than doing it on their desktop computer. Why is that?

    The reason is that the desktop PC security model is deeply flawed. In modern desktop operating systems, we protect user A from user B. But any program running on my computer is - for some reason - completely trusted with my data. Any program I run is allowed to silently edit, delete or steal anything I own. Unless you install special software, you can't even tell if any of this is happening. This makes every transitive dependency of every program on your computer a potential attack vector.

    I want computers to be hackable. But I don't also want my computer to be able to be hacked so easily. Right now, I have to choose between doing banking on my (maybe - hopefully - safe) computer. Or doing banking on my definitely safe iphone. What a horrible choice.

    Personally I think we need to start making computers that provide the best of both worlds. I want much more control over what code can do on my computer. I also want programs to be able to run in a safe, sandboxed way. But I should be the one in charge of that sandbox. Not Google. Definitely not Apple. But there's currently no desktop environment that provides that ability.

    I think the argument against locked down computers (like iphones and androids) would be a lot stronger if linux & friends provided a real alternative that was both safe and secure. If big companies are the only ones which provide a safe computing experience, we're asking for trouble.

    replies(21): >>45089546 #>>45089576 #>>45089598 #>>45089602 #>>45089643 #>>45089690 #>>45089745 #>>45089884 #>>45090077 #>>45090112 #>>45090128 #>>45090605 #>>45090660 #>>45091074 #>>45091275 #>>45091454 #>>45091793 #>>45092007 #>>45092495 #>>45092746 #>>45114735 #
    1. spaqin ◴[01 Sep 25 04:59 UTC] No.45089598[source]
    Your parents are more likely to be a victim of a phone call scam than malware, even on PC. There is also no guarantee that malware will not slip through cracks of official stores or signatures.

    You can also choose to do your banking at the physical branch.

    We already had "best of both worlds", especially on mobile OSes - granular permissions per-app were quite good, and on Android until few years ago root was widely available if you needed it as well; these permissions could be locked or frozen if there is concern about users, just like work devices are provisioned with limitations. It all depends on your threat model.

    replies(5): >>45089779 #>>45089876 #>>45089927 #>>45090044 #>>45090132 #
    2. Rohansi ◴[01 Sep 25 05:41 UTC] No.45089779[source]
    Also the good old phishing emails/links. So many people are simply unaware when a website is pretending to look like an app/floating window. Even younger people who you'd hope know better are falling for it today. I work on a PC game and players (mostly young adults) are constantly getting their accounts compromised by the same phishing sites that pop up monthly.

    AI voice and video cloning scams are also only going to increase. Why would scammers need to get people to install random APKs when they can just impersonate a family member and tell them what to give directly?

    To me it seems very much like the classic "think of the children" type argument. It's not going to really fix anything in the end but it will benefit Google.

    3. rahkiin ◴[01 Sep 25 06:02 UTC] No.45089876[source]
    In the netherlands we do not have physical branches anymore. They died out. All banking started to go through browser. This was very sensitive to malware and viruses, so two-factor was added through phones. Then less and less people had PCs because phone provides enough. Now mobile apps for banking is the only way to do banking. Or it is required for MFA. Even if you’re calling with the bank it is used as MFA
    replies(4): >>45090113 #>>45090136 #>>45090149 #>>45090407 #
    4. Someone ◴[01 Sep 25 06:13 UTC] No.45089927[source]
    > You can also choose to do your banking at the physical branch

    The ones banks that do have physical presence are closing left and right? Also, I don’t think I can money transfers at the physical office of my bank.

    replies(1): >>45092336 #
    5. itake ◴[01 Sep 25 06:32 UTC] No.45090044[source]
    Phone scams have you install malware. Banks don’t know if you’re on the phone with the scammer, but they would like to detect if you’re using a screen sharing app on the password or transfer screens.
    6. AndyMcConachie ◴[01 Sep 25 06:43 UTC] No.45090113[source]
    I still do banking through a random reader at ABN AMRO. I really hope they never get rid of it because I trust that little dumb plastic device 1000% more than my phone.
    replies(2): >>45090476 #>>45091212 #
    7. josephg ◴[01 Sep 25 06:45 UTC] No.45090132[source]
    > Your parents are more likely to be a victim of a phone call scam than malware, even on PC. There is also no guarantee that malware will not slip through cracks of official stores or signatures.

    So what? The lack of perfect security is a terrible argument against better security.

    For example, lockpicks exist. Is that a reason to stop locking your house? Our TLS ciphers might eventually be broken. Should we throw away TLS and go back to unencrypted HTTP?

    I'm not expecting anything to 100% stop all scams. But modern computer security is a joke. We could do an awful lot better than we are today at keeping people safe from this stuff.

    > We already had "best of both worlds", especially on mobile OSes - granular permissions per-app were quite good, and on Android until few years ago root was widely available if you needed it as well

    Yes. I want something like this on desktop too - but I want to own the signing keys, of course. It seems strange that this is so controversial.

    replies(3): >>45091790 #>>45091815 #>>45093464 #
    8. ACS_Solver ◴[01 Sep 25 06:46 UTC] No.45090136[source]
    Same in Sweden, physical bank branches are rare and even they will often require an appointment. All banking is through bank apps or websites, and you use 2FA extensively. Sweden's digital ID system is called BankID because it was made by banks and, initially, for banking, though now BankID is used extensively for all kinds of government and private services.

    That doesn't stop scammers. They also keep getting more sophisticated, often using a combination of social engineering and technical skill, and they keep tricking people into giving them money. So unfortunately, while malware is pretty much a non-factor, scammers still thrive.

    replies(1): >>45092316 #
    9. bbarnett ◴[01 Sep 25 06:48 UTC] No.45090149[source]
    So far in Canada... I must reiterate this, so far, this can and has been fought by one thing. Rural life, and nationalism.

    There are plenty of places where mobile phones don't work, especially in the summer when there are leaves on the trees. This means SMS won't really work. So for this path, SMS, the bank has an alternative -- call a number on your account with a voice reading the 2FA code. Thus, landlines or VOIP work here.

    When it comes to an app, forcing Canadians to use a phone OS controlled by US companies, still has pushback. An example being, the concept of "A Canadian having to use software from a US company, to identify themselves to a Canadian company" is still a hotspot. Especially with the US wanting to annex us.

    So this lock in has not yet occurred.

    Really, the phone call to a phone number on your account, not using SMS is as solid a protection, as an app running on a phone controlled by a foreign country's company. It's an alternate path. And it solves the whole 'rural person' access.

    Many people living in rural areas don't even bother with a phone type device. Some have Kindles. But by buy a phone, if it doesn't work where you live?

    This logic, combined with them closing rural banks, means they have to be quite sensitive here. EG, closing rural banks, then making it difficult to do online banking is political poison for our banks.

    10. CalRobert ◴[01 Sep 25 07:36 UTC] No.45090407[source]
    I wouldn't be surprised if it becomes impossible to even use cash in the Netherlands soon enough. The first year I was here I don't think I did even once. I've been using cash a lot more lately just out of principle and it's annoying - lots of pin-only check out lines, etc.
    replies(1): >>45091192 #
    11. ted_dunning ◴[01 Sep 25 07:45 UTC] No.45090476{3}[source]
    What is a "random reader at ABN AMRO"?
    replies(1): >>45090894 #
    12. anonzzzies ◴[01 Sep 25 08:59 UTC] No.45090894{4}[source]
    Physical OTP generator. Stick your bank pass in the plastic decice and type your pin in the calculator like front and it will give you an OTP for online use.
    13. hvb2 ◴[01 Sep 25 09:50 UTC] No.45091192{3}[source]
    Laws would need to be changed for that to happen, so don't expect it anytime soon. Also, cash is kind of the one remaining option when there's no electricity. So for disaster planning people have been asked to keep an amount of cash around. With recent developments in European security, the need for this has become all the more clear.
    14. hvb2 ◴[01 Sep 25 09:53 UTC] No.45091212{3}[source]
    Even better, the system that Rabobank has.

    They make you use this separate device to scan a color qr code generated by the app. The details of the transaction you're authorizing are then displayed on this completely decoupled device, no internet, nothing. After keying in your pin you're given an OTP to put back into the app to authorize.

    And I haven't checked, but I'm sure the 'payload' the qr code conveys is signed.

    15. Okawari ◴[01 Sep 25 11:23 UTC] No.45091790[source]
    It's not about being defeatist, atleast not for me. It's about what is considered good enough.

    Sure, locking down the OS in this way is more secure, but it's also very restrictive and personally I don't think the added security justifies this. Lock picks do exist, but I am still entirely content with a single lock on my front door. I do not need an extra biometric sensor or camera or security representative standing outside my door to check id's of people passing by in order to consider myself reasonably safe.

    Maybe this is cultural/geographical, but I've yet to hear of anyone who lost access to their mail or had unauthorized access to their bank account as a result of malware. I'm sure you can find examples, but I do not consider this an attack vector that is prevalent enough to warrant requiring signed apps or preventing manual installation.

    16. mathiaspoint ◴[01 Sep 25 11:28 UTC] No.45091815[source]
    This hardly stops anything, app stores are full of malware, and the cost is very high.

    It's like having an automated turret on your lawn because sometimes people bring bad snacks to your dinner parties.

    17. johnisgood ◴[01 Sep 25 12:47 UTC] No.45092316{3}[source]
    Good to know. People should read this when they say cryptocurrencies are bad. Well, guess what, so is cash and your card. Any alternatives?
    replies(1): >>45104038 #
    18. g-b-r ◴[01 Sep 25 12:51 UTC] No.45092336[source]
    > The ones banks that do have physical presence are closing left and right? Also, I don’t think I can money transfers at the physical office of my bank.

    It's crazy if you really can't

    19. const_cast ◴[01 Sep 25 15:25 UTC] No.45093464[source]
    I don't think Google play integrity and only allowing installing blessed apps on blessed devices is more secure. I just don't.

    Google blesses malware all the time because otherwise they would go bankrupt. They're an ad company, not a security company.

    20. rahkiin ◴[02 Sep 25 15:04 UTC] No.45104038{4}[source]
    Cryptocurrencies do not solve any issues described above. It even solves fewer of them as there is no bank giving you support or giving back insured money
    replies(1): >>45115968 #
    21. johnisgood ◴[03 Sep 25 14:04 UTC] No.45115968{5}[source]
    They could, but in any case, any alternatives to cryptocurrencies, cash, and cards?