Hacker News
by raesene9 2942 days ago
Those may be norms for IT professionals, but the needs of IT professionals are very different from those of standard users.

Realistically most people (numerically) don't want a computer, they want a thing that lets them communicate, create and consume content.

Lockdown isn't a problem for them, and walled gardens like iOS are generally the best way for them to stay secure.

If you provide a method to escape the sandbox, it is likely that attackers will work out how to exploit that. For example, try going to facebook.com and opening the developer tools. They've had to put a warning in there to stop people from "self-XSS" ...


That's why I'm entirely OK with making it scary and a little difficult.

And it's not just IT professionals, but also their friends and family, especially those that can't afford to or don't want to get a new device that often. I think this is a pretty significant set of people.

So are you not ok with the concept that some people don't need that option and, as long as the vendor is clear about what is and isn't possible, having some devices that are more locked down than others is acceptable?

If I knew that to be the end-game and if I knew it to be an informed choice on the part of consumers, yes, I'd be OK with that.

My two reservations:

1. I think such a lockdown is a kind of hidden anti-competitive "dark pattern" that benefits the seller much more than it benefits the consumer by significantly lowering the reuse/resale value of the device. One could argue it makes the device cheaper to begin with, but I have serious doubts about that. The anti-competitive effect seems more likely to increase the price instead. Hindering reuse also implies an environmental impact, though I'm not sure how significant that is.

2. If lockdown becomes the norm for >99% of devices/users and even we tech people start to accept it as the way of things, some sufficiently bribed lawmakers will no doubt be inclined to make unsurveilled general purpose computing illegal because "security" and "copyright" and "pro-business" etc. Yes, it's a "slippery slope" argument, but when it comes to social norms, I think that's a valid form of argument.

I see a benefit to lockdown, which is improved safety/security for non-technical end users.

Security is a difficult topic, even for IT professionals, and it is easier to secure a locked down environment for non-technical users than an open one.

If you look at mobile platforms as an example, the prevalence of malware on Android compared to iOS is significant.

Now for many I'm sure that trade-off is worth it, but I also feel there is a place for more controlled environments.

If a significant number of Android security breaches indeed happen through misleading a user into unlocking their bootloader, that would be a convincing statistic to me.

But I'm under the impression that that is exceedingly rare and that Android has many way more pressing security concerns (e.g. the lack of driver security updates to even slightly old devices).

Access to root on the device is the pre-requisite of a lot of attacks, and this presents risks.

https://www.kaspersky.com/blog/android-root-faq/17135/

Also, the control which allows users to install software from different sources leads in many cases to them installing malware masquerading as "free games" or similar.

Android malware is a much larger problem than malware in the more controlled iOS world.

So to me that's a real trade-off. You have control of your device and the ability to install software from more locations; however, your security risks increase.

For some people that risk will be entirely justifiable, for others, it makes sense to have an option of a more locked down environment.

Personally I like Linux for servers (I have control/responsibility) but for my smartphone I use iOS as it's easier to secure and I don't really want to use that device for "proper" computing.