Right to root access

If protection of the casual user was an argument, there would be an easy option to unlock your system, be that phones or desktop computers.

But on many systems these options do not exist because the vendor likes people dependent on them. This is why devices like chromebooks or all mobile phones are more or less e-waste in the making. In my opinion it is a waste to use any development capacity for these systems apart from consumer devices offering the next shitty app that hopefully always stays optional.

We even have dysfunctional laws that require banking apps to only run on these shitty systems. In my opinion, these errors need a quick correction.

Also, the most cases of scam still work as they did before and exfiltrating information, e.g. tracking and "diagnostic data" by bad operating systems are an additional security problem.

Before we put all the blame on vendors, I submit to you, ladies and gentlemen, this: the public finds this tradeoff (privacy for entertainment) completely acceptable. With all the outrage, privacy-centric solutions are out there and relatively easy to find, how come they don't get more traction? Including among the HN crowd?

Not only profits, but control. Remember the whole CSAM scanning debacle from Apple?

It also significantly hampers progress and the utility of tools themselves.

This is hacker news after all. What made the computer great was programs. What made the smart phone great (smart) is applications. It's insane to me that these companies are locking down their most valuable assets. The only way this works is if you're omniscient and can make all the programs users could want yourself. This is impossible considering both individuality and entropy (time). Both in the sense that time marches on and the fact that you don't have time nor infinite resources to accomplish all that. I mean we're talking about companies that didn't think to put a flashlight into a phone but it was one of the first apps developed. You could point to a number of high utility apps, but I'm also sure there's many you all use that you're unlikely to find on most people's phones.

We can also look at the maker community. Its flourished for centuries, millennia even. People are always innovating, adapting tools to their unique needs and situations. To some degree this is innately human and I'm not embellishing when I say that closed gardens and closed systems are dehumanizing. It limits us from being us. That person obsessed with cars and makes a sleeper Honda civic, that person that turns trash into art, that person that finds a new use for every day objects. Why would you want to take this away? It even hurts their bottom lines! People freely innovate and you get to reap the rewards. People explore, hack, and educate themselves, dreaming of working on your tech because of the environment you created. By locking down you forgo both short term and long term rewards.

I also want to add that we should not let any entity claim to be environmentally friendly or climate conscious that does not create open systems. No matter how much recycling they do. Because it is Reduce, Reuse, Recycle. In that order. You can't reuse if your things turn to garbage and reusing certainly plays a major role in reducing.

A chainsaw does not introduce an opportunity for thousands of remote criminals to steal money from your bank account.

And there are plenty of laws in many countries on how to use them, seatbelts, helmets, chain gloves, plastic cover, minimum age, access exam,...

Failure to obey them, might get jail time on those countries if caught disobeying, or an hefty fine, not counting what misuse might bring in, regardless of the country.

> I think it's bizarre that we treat computers as the most dangerous products in the world that for some reason demand paternalism, when none of these other products are locked down by the vendor.

That's because there are people behind every product, and the people behind computers tend to be the paternalistic, nanny-state type. Just read through the histrionics in any HN thread about leaf blowers, they want every landscaper locked up and their tools of the trade taken away. Someone once suggested they should be forced to use rakes. Imagine if some landscaper insisted what laptop you should use.

As you wouldn't expect to find many in-the-Army buzz-cut guys roaming the Google campus as you would at a gun company, you wouldn't expect some blue-haired face-pierced sales engineer selling you table saws.

It's a cultural thing, nothing more.

> think it's bizarre that we treat computers as the most dangerous products in the world

We do not? You don't even need a license to buy /operate a computer unlike with some other examples on your list

I contacted the Google through the BBB. Made the statement that lack of ability to install and configure a Kernel level firewall, edit the HOSTS file, and remove unwanted bloat-ware reduces the security of the product. Google agreed their actions do this and said they find the lack of security acceptable. Having a firewall like Little Snitch should be acceptable to know where the phone is communicate, with whom, and how to prevent it.

Re-imaging with a rooted image is not acceptable because this also reduces the device's security by prevent OTA updates!

Gated community is broken when the end user cannot improve the security of the device above and beyond the lack polices of Google and Apple. For instant there should be no reason my device ever communicates with organizations I do not support such as Facebook or X-Twitter. X-Twitter is often used as command and control service in plain site.

It is not just out-wards communicate to monitor but in-wards too. I've used Zone Alarm in the past at an international company to help find the infected servers and computers that where serving up viruses and other malware.

*I would argue that the "Gated Community" analogy is flawed. A real world gated community still allows for the home owner to improve the security. By installing cameras, security system, and guards. Apple & Google prevent such actions.

It does create an interesting choice, though. For example, certain apps will enforce attestation based on the bootloader status. Even if the user wipes their device and relocks their bootloader with their own keys, this doesn't count as fully secure per the bootloader status. Only Google's keys count. Of course, it is also almost prohibitively difficult to deliver yourself OTA updates after this point. I worry that one day I will have to keep two mobile phones; one for bank apps, which has not been altered from the vendor's security defaults, and one for everything else, that I am actually allowed to modify.

At the moment, I just run GrapheneOS and don't bother with any modification. It is not worth the hassle. I've already had my bank account locked out because a Google Store-bought Pixel phone was flagged as "stolen", probably due to some attestation measure (they could not tell me why). They recommended that I purchase a new phone.

The problem with bootloader unlocking on modern Android devices is that they have a hypervisor that you don't get to ever unlock but that will snitch on you and make some apps, like some banking ones, refuse to work because the "integrity" of your device could not be verified. In other words, because these apps can no longer be certain they are able to hide data from you the device owner.

Magisk exists, yes, but it's a flimsy temporary solution. It only works because it's able to lie to Google that your device doesn't support hardware attestation. As soon as Google starts requiring that all devices support hardware attestation, it will stop working.

This, or even sell "dev units" with the bootloader unlocked so that you explicitly have to accept the risk before purchasing the device.

The problem though is that rooting by itself is not that useful when a lot of apps use remote attestation to deny you service if you're rooted.

We don't just need root access, we need undetectable root access.

Agreed, that's a good solution. I can root my phone immediately when I buy it, or I can leave it locked if that's my choice. That's the best of both worlds.

I think in the not too far future, every electronics device will be locked down. Laptops and desktops can be locked down too. The technology is already there. They can also throw in AI for recommendations i.e. lock down users' mind too. Think what this is going to do to the next generation if they start using electronic products from 6.

For example, if anyone is interested, check out the computers Chinese governments are using right now. They are basically large mobile phones running some sort of Linux, but the whole thing is locked down. Fortunately things are OK on the commercial side but again it's more and more difficult to root or unlock a device.

And now the Western states are following suite, except it's the corporations that are leading the charge.

If they achieve this, and wipe out all commercial electronics distributors such as Mouse, then we need another underground railway movement to teach people to scavenge and build computers in that Dark Age.

I'm not joking. This could be real. It's already shaping.

I suspect DRM will eventually be self defeating. For example, I prefer to torrent content just so that I can get stuff to play using my media player of choice (and the instant seeks) without any hassle. Most normal people probably aren't even aware this is an option.

But with cryptocurrencies normalizing it's only a matter of time before a paid piracy service emerges that is both cheaper, simpler and better than Netflix or any other streamer. Some arguably already have.

DRM was being broken for years without even a monetary incentive, with one it won't stand a chance.

Perhaps it imposes some restrictions, like using TPMs, but I don't think it excludes what the author is suggesting, which is the ability to run as root.

Case in point: every popular desktop PC let's you run as root, and also watch DRM content. They aren't totally mutually exclusive.

There is nothing stopping anyone from selling an HSM (hardware security module) that can decode their protected video without fisting the control into the computer itself

Thanks for this article, it was the most succinct way to describe the right to own and right to repair regressions I've noticed. I'm glad I can point to your article instead of trying to describe it myself. If you're looking for others advocating for this I know of Louis Rossmann. He also recently started a wiki on consumer protection that I hope to contribute and collaborate with to empower users.

https://wiki.rossmanngroup.com/index.php/How_to_help

> are we going to pretend otherwise?

aren't we in fact pretending otherwise?

Right now I believe that stolen iPhones are effectively bricks (barring state-level actors with unpatched zero-days)?

> While I agree, I think even legislation will not fix this, because what is a computing device, and who decides what is and what is not ?

If there is legislation, it will contain a definition of what is a computing device and what isn't. It will be imperfect, and the edge cases will be contested in courts. Courts deal with blurry boundaries all the time.

That's how it always is with legal matters, and doesn't mean we have to demand that anything with a firmware must be flashable.

German here - I do believe this legislation already exists - the owner of a thing has full rights of disposal and no other entity is allowed to interfere (except for the state itself). And this is part of the common property rights. afaik the property rights in the US are even stronger.

But i wonder, why these rights do not seem to be enforced on computing devices. Either everyone is failing to assert their property rights or i am in the wrong here. Probably the latter.

> I think the only way is to give the right to flash firmware of _ANYTHING_ that has programmable bits

This seems reasonable to me. What's wrong with it?

> I'm sure apple will argue that nothing they sell should be considered computing devices.

“What’s a computer?”

thanks for sharing. the loss of property rights is an aspect I hadn’t considered… would be great to brainstorm further with an actual lawyer on these topics

I doubt any Apple engineer is very against the idea that an iPad user roots it. It's more like the legal and financial mindset. Legal doesn't want trouble and can shoot anyone who it doesn't like with law bullets, Finance just want MAW $$$.

> your smartphone doesn't (really) belong to you.

Speak for yourself. Sent from my Librem 5.

There's not nearly enough awareness of this. Even with root access, on modern Android you have to set up a virtual USB connection just to get at the files in the data folders of android apps if you want to, for example, sync the savegames between your mobile emulators and your desktop emulators. It's fucking disgusting. With every new edition they shave off a little more user agency.

The TEE is where both the device encryption keys (not DRM) and Widevine keys (DRM) are stored..

Yeah I mean theres not even any way to really know what your communicating with without taking the thing apart and following the traces + an ocilliscope. If it was worth obfuscating to a determined company it would be hell to figure out.

You could just be a sandbox root which is pointed at a guest user in a higher namespace.

I just call it "Software Freedom", like GNU has since the 80s:

> the freedom to change a program, so that you can control it instead of it controlling you

I don't necessarily endorse all of Stallman's philosophy on software. But I think in this point at least he was very prescient.