open letter about the universal right to install any software on any device

[ps67]

From Libre Office The document foundation:

https://blog.documentfoundation.org/...on-any-device/

"If you cannot install the software you want on your own device – you don’t own it."

For example If I could install KOReader on a Kindle without jailbreak it (a complicated and risky procedure, and not always available) I would buy a Scribe. So I won't buy it.

Let's also not forget the possibility of extending the life of our devices.

Obviously I have no hope that the initiative will be successful.

[meeera]

Quote:

Originally Posted by ps67

Obviously I have no hope that the initiative will be successful.

This clause caught my eye:

"we need the universal right to install and develop any operating system and software we want on any of our devices. Any legal, technical or other obstacles to reuse these devices for any purpose must not be allowed."

Wouldn't this mean, if enacted completely, that anyone who stole a phone could immediately erase all security measures on the phone, install a fresh OS, and stop the owner tracing or locking the phone?

[Leseratte_10]

Quote:

Originally Posted by meeera

Wouldn't this mean, if enacted completely, that anyone who stole a phone could immediately erase all security measures on the phone, install a fresh OS, and stop the owner tracing or locking the phone?

Yes. Just like it is with any normal computer, any normal (non-Apple) laptop, or any other non-smartphone device in the world. If you have physical control over a device, you should be able to wipe it and flash whatever software you want onto it and get it back into stock condition removing everything the previous owner did.

A car also doesn't brick itself when it's been stolen, even though it's worth way more than a phone, and it also has a cell connection where that could be implemented. When a car is stolen then it can be driven by the thief as usual, until the police happens to find it (or not).

I'm fine with a software re-flash wiping all internal storage so attackers can't access any personal data, but there's already way too much electronic waste being generated, and throwing away perfectly functional devices just because they're locked with a password nobody knows is a thing that shouldn't happen. It means throwing away perfectly functional devices because of stupid decisions from Apple or similar manufacturers.

Otherwise that'll leave way too many loopholes. Apple currently has a way to theoretically remotely brick all iPhones in existance just by pushing a software update or whatever that engages an iCloud-lock-like thing that only Apple can remove. That's not supposed to be a thing. There's way too many devices that go dead and unusable because the servers are being shut down.

Same as what a couple of Android manufacturers are doing (like Xiaomi): The bootloader is locked by default, but they graciously allow you to unlock it - by manually requesting it through their support which takes a week or two. That's also not an open device, because they may stop providing these unlock requests at any time. If they no longer want you to install custom firmware, they just stop responding to these unlock requests, and done, no open devices anymore.

In my opinion, every device is supposed to have a non-updateable bootloader that you can use to flash new (and/or old and/or custom modified) firmware onto a device, no matter what A) the currently installed firmware does, B) any previous owners did, or C) what the manufacturer does through its cloud or through its servers.

Like it's currently already implemented in AVM's routers and access points (very very common in Germany). They can all be linked to a cloud account and controlled from there, and through the UI / the Cloud you can only update the firmware to a firmware signed with the same keys as the currently installed one (so, AVM's), but through the unchangeable bootloader which you can access locally (without opening the device or voiding the warranty!), you can flash any firmware you desire, official or custom-made, upgrade or downgrade, whatever. You need to have physical access (a direct LAN connection to the device without any switch/hub/router/etc. in between), but you do not need to know any account or device passwords. And once you do that, all changes that have been made to the device before, including any cloud connection, software modding, software hacks, and so on, are gone completely.

[popej]

IMHO rights to install software doesn't exclude rights to install protection against tampering. The only difference is, who is the admin of the device.

[Leseratte_10]

I agree with that, protection against tampering as in, protection against data exfiltration. But if you allow a user to set a hard Admin password, that's going to cause the same issue - people forget that password, devices are being sold without removing the password, and so on. Like the crap with some newer business laptops where losing the BIOS admin password means replacing the mainboard.

Protection against tampering is stuff like HDD encryption. If I have a laptop with an encrypted HDD, an attacker can't tamper with it. Sure, the attacker can format the HDD or boot from a flash drive. But that doesn't give him any of the data on the device, and he also can't do stuff like install a backdoor onto an existing system. All he could do would be to install a new (tampered) system which the user is going to notice.

Just go on eBay and seach for stuff like "Lenovo BIOS locked". A bunch of technically functional Laptops that are now basically eWaste just because there's no way to reset a fucking password. Is that necessary?

What's the point? The laptop is stolen anyways, the HDD is encrypted with a password. Do they think the thief is going to voluntarily return the laptop to where it was stolen from just cause he doesn't have the BIOS password?

The admin is the person who can prove that they're in physical possession of a device (and, if necessary, can do stuff like open it up and remove the BIOS battery, or switch an internal jumper or whatever, to prevent random people from coming and resetting a device in a couple seconds).

[meeera]

Quote:

Originally Posted by Leseratte_10

What's the point? The laptop is stolen anyways, the HDD is encrypted with a password. Do they think the thief is going to voluntarily return the laptop to where it was stolen from just cause he doesn't have the BIOS password?

The point is to discourage the stealing in the first place. Everyone with half a brain knows that mugging someone for their iPhone is likely to be completely pointless. I'm ok with that. I'm also ok with people choosing a more open, more stealable device. Chacun a son gout.

[DiapDealer]

*Yawn*

More like an "open letter concerning my overly simplistic belief that the world needs to work the way my whingeing, entitled butt thinks it should."

[haertig]

Quote:

Originally Posted by meeera

The point is to discourage the stealing in the first place.

Bad guys aren't necessarily discouraged from doing something just because it is pointless or provides no benefit to them. It's called vandalism. Some people enjoy being cruel and mean.

[Quoth]

Quote:

Originally Posted by meeera

This clause caught my eye:

"we need the universal right to install and develop any operating system and software we want on any of our devices. Any legal, technical or other obstacles to reuse these devices for any purpose must not be allowed."

Wouldn't this mean, if enacted completely, that anyone who stole a phone could immediately erase all security measures on the phone, install a fresh OS, and stop the owner tracing or locking the phone?

No. Because the serial number could in theory be inviolate. IMEI.

[meeera]

Quote:

Originally Posted by haertig

Bad guys aren't necessarily discouraged from doing something just because it is pointless or provides no benefit to them. It's called vandalism. Some people enjoy being cruel and mean.

Yes, there are multiple possible motivations for 'bad guys' attacking people. The resulting theft being useless (and potentially trackable) goods removes one of them.

[ps67]

Quote:

Originally Posted by popej

IMHO rights to install software doesn't exclude rights to install protection against tampering. The only difference is, who is the admin of the device.

I agree. If you then lose your password, it's your fault.

[ps67]

Quote:

Originally Posted by DiapDealer

*Yawn*

More like an "open letter concerning my overly simplistic belief that the world needs to work the way my whingeing, entitled butt thinks it should."

It is important to let MEPs know how things should work. Although I am sure that neither most of them nor the European Commission will take our side.
But if it's not important to you then there's nothing I can tell you, just that we don't agree.

[DiapDealer]

Quote:

Originally Posted by ps67

But if it's not important to you then there's nothing I can tell you, just that we don't agree.

No problem. I wasn't planning to go to war over it.

My personal preference for open source software and unlocked hardware has no bearing on my opinion that people should be free to create both as proprietary/walled/licensed as they want.

[Pajamaman]

Absolutely correct. This is a pure ideology that must be defended.

[meeera]

Quote:

Originally Posted by Quoth

No. Because the serial number could in theory be inviolate. IMEI.

Can knowing the serial number allow the owner to trace and lock the phone?