[Wowfunhappy]

> IMO it comes down to this: do we advocate for laws that give companies the ability to decide what is right/safe for the public, or do we advocate for laws that reflect trust in the individual?

This is a really great way to put it, and it applies broadly to so many fundamental disagreements in the tech world.

I firmly believe it’s better to trust the individual—so I think users should be able to sideload iOS apps (only if they want to) and install their own root certificates. Others think individuals can’t be trusted, and so we should let tech companies dictate what is safe for everyone else.

[sneak]

I agree that individuals should control their own devices.

I also agree with Apple's implicit claim that if iOS users could sideload apps, millions of idiot iOS users would get their devices owned after they followed some "follow these seven steps to get free $POPULAR_MOBILE_GAME tokens!" guide they found on the web, making the platform less trustworthy overall.

Apple makes a good argument that buying an iPhone is also buying, in a sense, a remote managed security service for the device at the same time. The net effect of this is that millions of people now have devices mostly free of the most egregious malware (and it's limited to just spyware, delivered via the App Store). For most users, this is a better state of affairs (at least in peacetime, or outside of China/Vietnam/Russia/etc).

[wernercd]

and yet, despite occasional problems, the same hasn't happened in the Android sphere with sideloading. Problems? Sure... but not "ZOMG MILLIONS!"

"Apple makes a good argument" Their argument doesn't give near enough excuses for their mafia level racket to shake down businesses of protection money. "Pay us or Joey will break your kneecaps. Its for your own protection."

[sneak]

> and yet, despite occasional problems, the same hasn't happened in the Android sphere with sideloading. Problems? Sure... but not "ZOMG MILLIONS!"

Millions of Android devices have malware problems, yes. I might even agree with a claim that it is ZOMG millions.

Estimates claim that as far back as 2016, a million new Android devices were being infected with malware per month. The current figures are estimated by AV vendors at 4-7 million infections per month.

[joshspankit]

Hot take: it seems more like “This disorder is a blemish on our glossy surface. We must sweep it away so that it no longer exists.”

[Dracophoenix]

It's only a good argument if you assume that Apple is fundamentally interested in consumer security. It isn't. Apple is fundamentally interested in control. Security, however Apple defines it, is a chosen means to the extent that is fulfills the company's primary goal. That's not to say that Apple should behave like a charitable force. A company's goals and decisions are its own prerogative. But as we've seen with the revelations of the Epic trial, the Darth Vader-style rule changes, updates that interfere with the basic operation of the device, etc., you're not just buying into a remotely managed system like a remote desktop at a colocation center. You're buying into the blackbox of Apple's present and future business decisions whether that suits your needs or not. Should security no longer justify the cost to Apple, they'll contort the meaning of the word to suit their ends just like Tim Cook has done to the word "equal" during his congressional hearing.

[sneak]

> You're buying into the blackbox of Apple's present and future business decisions whether whether that suits your needs or not.

You don't have to install updates.

[Dracophoenix]

You can't downgrade/upgrade the OS to a specific version of an update after a fortnight or thereabouts. That's an artificial constraint applied by Apple. It's not even possible to do so offline with iTunes even if one has the IPSWs. If you check the /r/jailbreak subreddit, talented coders have to hack the SEP and build complicated, low-level-interacting software like futurestore in order to perform a semi-successful downgrade/upgrade.

[Wowfunhappy]

iOS updates aren't forced, no.

However, if you install an update to try it out, or because you didn't realize that it would e.g. break 32bit support, you can never downgrade again (unless you happen to be within a two-week-ish period.)

[Karunamon]

Technically, no, but you'll be repetitively bothered by modal popups until you do.

[joshspankit]

As well: older versions have known exploits that you (as a locked-out user) are unable to patch.

[Wowfunhappy]

Right, whereas on macOS I literally patched an exploit myself a couple of months ago, because I could inject my own code. https://github.com/Wowfunhappy/Fix-Apple-Mail-CVE-2020-9922

[Wowfunhappy]

Your first paragraph contradicts the second and third paragraphs! If you believe that individuals should control their own devices, why are you in favor of Apple retaining control of every iPhone it sells? Pick one!

[sneak]

I didn't claim to be in favor of Apple retaining control of every iPhone they sell. Please re-read my comment.

My claim is that for most users of iPhones, the situation of Apple being in control of their device, rather than themselves, results in a better outcome for that user (and is oftentimes explicitly preferred by that user as a result, and is reflected in their purchase of an iPhone).

In fact, Apple delegates control of an iPhone's userspace execution environment to any iPhone owner who wants it: they will give you a signing cert for use in xcode to run any app you want on your own device (no developer subscription necessary). This is how AltStore works, and allows AltStore users to run emulator apps on the iPhones they own.

[Wowfunhappy]

> My claim is that for most users of iPhones, the situation of Apple being in control of their device, rather than themselves, results in a better outcome for that user (and is oftentimes explicitly preferred by that user as a result, and is reflected in their purchase of an iPhone).

Okay, but that comes out to the same thing, since I can't buy an iPhone which isn't Apple managed. If Apple offered a choice, that would be one thing—but they don't.

> In fact, Apple delegates control of an iPhone's execution environment to any iPhone owner who wants it: they will give you a signing cert for use in xcode to run any app you want on your own device.

What they give you is the ability to sign up to three apps at a time, all of which expire after seven days. It's not useful for anything but testing.

Plus, you're stuck in the App Store sandbox. You can't downgrade to an earlier operating system, you can't inspect the HTTPS traffic being sent out of your phone, and you can't even run anything that uses a JIT.

[joshspankit]

> What they give you is the ability to sign up to three apps at a time, all of which expire after seven days. It's not useful for anything but testing.

And if they decide to they can flip a switch on their server to disable your account and stop “your” apps from launching.

[sneak]

> Okay, but that comes out to the same thing, since I can't buy an iPhone which isn't Apple managed. If Apple offered a choice, that would be one thing—but they don't.

Well, you know this state of affairs well now, so when you buy an iPhone you willingly opt in to these remote management restrictions. There are lots of smartphones you can buy without such cryptographic boot restrictions.

Many people willingly choose iPhones (even given these constraints), and would prefer a remote party manage their device's security.

Apple's argument is a legitimate one, and you should be able to operate in the market in this fashion. Nobody's forced to buy an iPhone if they don't like how the bootloader is configured or the App Store is run.

[Wowfunhappy]

> Many people willingly choose iPhones (even given these constraints), and would prefer a remote party manage their device's security.

I mean, but you're making a big assumption there! I buy iPhones in spite of those restrictions, because the only other options have worse processors and cameras, and because most of the people I know use iMessage.

I'd pay double the cost of a normal iPhone for a Security Research Device, if they were available to the general public.

[spicybright]

Absolutely when it comes to tech. It's fairly inconsequential sideloading something to your phone.

Medical devices I think should need a someone well versed to work on it.

With cars, the current model most states in the US have is a good middle ground. You can do whatever you want to your car, but it needs to pass a safety inspection every 2 years to drive it legally.

The inspections in my state are fairly comprehensive. Airbags, seat belts, headlight brightness, and structural stability of the frame to name a few.

It also helps the US has a strong car culture with tons of experienced DIY-ers, which I imagine helps.

[Teknoman117]

I think we should just have some pretty clear literature that if you modify a device, the manufacturer is not responsible for any injuries it might cause you.

Modify a dishwasher and now it fills your kitchen with soap bubbles? Modify a CPAP machine and get killed by it? Not the manufacturer's fault.

The US is too litigation happy as it is...

[bastijn]

By passing a right to repair on medical devices you also open up the aftermarket for repairs. Would you like to be handed a medical device by your insurance company that has been repaired by an untrained person that considers himself to be a handyman? Or be put in a scanner that was repaired by a service engineer from a broker that is cutting corners to win in the competing market.

Without clear quality and regulatory control there must be an objective method to discern between personal repairs and non-personal ones.

Disclaimer: didn't read the actual right to repair being passed in detail. Not sure if it does discern already.

[timzentu]

But if the insurance company doesn't want to be liable for it it would require a certified and/or bonded tech. In the US cars don't even require this to be stringent. You don't need any schooling to become ASC Certified mechanic, just take a test, no limiting factors for how often you need to recertify, or if you fail it so many times you need to school/train. At least in Canada you need to go to school, and then be a journeyman for a number of years before you can actually be a mechanic.

To really fix it we need a non-profit group to be in charge of the certification, preferably one who can be held accountable for failure due to their certification. My removing the incentive for profit we make it so the Medical industry won't try to control it, the insurance industry to mitigate their requirements, and government from trying to have political agendas pushed.

I have more that I would love to put in here but my employer has opinions that might differ from mine, and can be directly involved with some things that the law can impact.

[rascul]

> In the US cars don't even require this to be stringent. You don't need any schooling to become ASC Certified mechanic, just take a test, no limiting factors for how often you need to recertify, or if you fail it so many times you need to school/train.

There's no legal requirement in the US federally, or in any state I'm aware of, to have any certifications for general automotive repair. The EPA does require it for working on air conditioning systems, though. [0] However, many employers do require certification and/or will assist in getting the certifications. Some of the smaller shops are more likely to have mechanics without certifications or with expired certifications (I believe ASE certs are five years). ASE does require hands on experience for their certifications in addition to the test, though. [1]

The BLS also describes this, probably better than I do. [2]

[0] https://www.epa.gov/mvac/section-609-technician-training-and...

[1] https://www.ase.com/work-experience

[2] https://www.bls.gov/ooh/installation-maintenance-and-repair/...

[Wowfunhappy]

IANAL or even a law-enthusiast, but surely we already have case law on this if nothing else? You can't sue the car company if you remove the breaks in your car... right?

[kube-system]

I'm not a lawyer either, but I'm fairly sure that "we didn't cause the harm" is a good defense to a claim that they caused harm.

[kube-system]

> I think we should just have some pretty clear literature that if you modify a device, the manufacturer is not responsible for any injuries it might cause you.

That's not nearly nuanced enough. Manufacturers should still be responsible unless they can prove you caused the failure. We currently require this standard for something as simple warranty coverage, we ought to require it for something as severe as death.

[joshspankit]

For reference, see “It’s clear you caused water damage because the water damage sticker changed colour. Warranty claim denied” from not too long ago. Spoiler: It was regular moisture from being in the pants pocket during a warm day.

[kube-system]

> With cars, the current model most states in the US have is a good middle ground. You can do whatever you want to your car, but it needs to pass a safety inspection every 2 years to drive it legally.

Only 4 US states have biannual safety inspections. Another 11 have annual inspections. The other 35 states + DC do not have safety inspections.

https://en.wikipedia.org/wiki/Vehicle_inspection_in_the_Unit...

[Too]

If one thinks that self driving cars are scary. Imagine having Look ma! I improved the autopilot in my Tesla!! driving on public roads or being sold 2nd hand.

Car SW that can control the vehicle motion goes through very rigorous ISO processes, it's not something you just casually tinker with as an individual. Given its hard to visually inspect, one needs a way to understand if a car has been modified or not. This article also on the front page here yesterday explains the complexity and cost of integration verification https://spectrum.ieee.org/cars-that-think/transportation/adv...

Enabling serious third party aftermarket companies that have gone through same level of certification, nothing against that, but individuals, not so sure.

[Wowfunhappy]

There's an additional wrinkle for cars that make them unlike other devices, which is that they drive on public roads. I can't drive on a public road without a license, and neither should software.

But if little Johnny wants to drive his Tesla around a private racetrack with homespun Autopilot software, by all means! It's hardly the weirdest hobby, and who knows—maybe he'll grow up and form a startup that uses modified Tesla's to transport products in large warehouses. That's how innovation happens.

[_Understated_]

> Look ma! I improved the autopilot in my Tesla!!

I see where you are coming from but right now, if autopilot kills someone, then Tesla are on the hook for it (ok, there may be grey areas but ultimately, they made it so that has to point back to them in a big way when it comes to court cases). However, if I jailbreak my autopilot and kill someone, it's me that has to face the music!

I don't see the harm in scaling the jailbreak hoops you need to jump through.

For example, if I wanted to safely jailbreak my iPhone, there is nothing stopping Apple having an official app that you need to get a special key from Apple for. Maybe a phone call or something, or an email to support. It would come with a caveat that says your jailbroken phone forfeits any warranty claims. Fair enough.

When you are talking about jailbreaking a Tesla, there could be other layers. Like, for example, you have to go to a Tesla dealer where they explain the legal and support ramifications and whatnot. Then you sign a bit of paper with witnesses. Then they send you out a usb dongle in the post after a few days etc. Maybe, though with the Tesla, there would be limits. Like, you can't get the source code, or you are only able to to X things with it.

You get the idea... there could potentially be a scale for stuff like this.

I'm just chucking stuff out there, this isn't a realistic example so please put your pitch forks away :)

[wiz21c]

> IMO it comes down to this: do we advocate for laws that give companies the ability to decide what is right/safe for the public, or do we advocate for laws that reflect trust in the individual?

In the US, I think, some companies sell weapons and nobody seems to care if people can hurt themselves with them.

[ff317]

The comparison is more appropriate than you maybe even intended. Cars are considered weapons (e.g. driving at someone is assault with a deadly weapon), and cars are very dangerous in general and kill lots of people (and not just the drivers!). Yet, we still want right-to-repair on cars.

[naikrovek]

we HAVE right to repair on cars, and we've had it for decades. it's why the OBD-II port is standardized and mandated. it's why you can buy tools built only by the auto manufacturers for working on their own cars. it's why auto manufacturers are required to sell every part and every tool to end customers for at least 10 years after a model year is no longer manufactured. it's why third-party replacement parts are available AT ALL.

people forget all this. this is the same thing people want for farm vehicles and personal electronics.

we got it done for cars and trucks in the late 1980s. I don't understand why it's so hard to get lawmakers on the side of the customer --their constituents-- today.

[vageli]

It's ridiculous they sell knives in supermarkets, where anyone could procure them and without background checks.