[ale] Cory Doctorow, right again

Charles Shapiro hooterpincher at gmail.com
Sat Mar 17 12:18:36 EDT 2012


Heh!  I started this discussion.  What Mr. Doctorow said was that the
user should have control over the processes running on her computing
device.  My original point was that closed systems such as Apple IOS
and the vendor or service provider builds of Android will impede that
control.

Curated software repositories such as Apple's App Store or the Android
Market are fine, as long as users can opt out of them if (when) they
no longer trust the curators.  On an open build of Android, this is
simple -- you can remove any application you want, up to and including
anything in "the Google Apps" (the applications Google distributes to
talk to their servers). If you want to install an application not in
the Market, you just check a config box saying that you understand
what you're doing.

On -- for example -- the Verizon build of Android which came on my
phone, it's not so clear-cut.  Verizon's Android build won't let me
un-install the several applications (e.g. "NFL Mobile", "Verizon
Video", "Verizon Messages", et cetera)  which Verizon thinks I should
have.  That's a gaping security hole, plus being bad, wrong and
outrageous.  I have no interest in trusting the NFL with any software
on my phone, nor do I need Verizon to read all of my email as it
passes through their aggregators.  Show me where I can remove
arbitrary applications from an IOS device?  Perhaps it's possible, I
don't know.   I DO know that without that capacity, IOS devices are
only as secure as Apple is.  From the URL I provided, that might not
be quite secure enough.

Please to note this issue is only tangentially related to the "I can
read the code" security argument over open source software.  This is
more basic.  Regardless of your feelings about open versus closed
software and the security or other trade-offs involved in that, you
must Must MUST have control over what's installed on your device.  (
And yes, the Radio and other binary blobs in Cyanogen-Mod bother me. )

-- CHS


On Sat, Mar 17, 2012 at 12:37 AM, James Sumners <james.sumners at gmail.com> wrote:
> On Fri, Mar 16, 2012 at 23:19, Michael H. Warfield <mhw at wittsend.com> wrote:
>> On Fri, 2012-03-16 at 17:48 -0400, James Sumners wrote:
>>> I said "yourself" for a reason. I am well aware of the benefits of
>>> many people reading the code. I'm not a member of this list because I
>>> hate Linux.
>>
>> That much is obvious.  It shows.
>
> I don't know if we are saying the same thing here. I can't figure out
> your intended tone.
>
>>> But when the thread is started off with the statement that the platform
>>> is inherently bad because _you_ don't control it, that leads to the
>>> assertion that _you_ should be vetting all the code run on it.
> *snip*
>> Even if it isn't.  If it's on the net, you can still be had.  There have
>> already been two SMS exploits out here that only fortuitously did not
>> get exploited and turned into worms in those Apples.  :-)  You will not
>> always be so lucky.
>
> I don't have an SMS plan :P
>
> Seriously. I have it totally disabled. If someone wants to send me one
> of those then they can use my Google Voice number. I'm not a big SMS
> person.
>
> As an aside, going back to my (sort of) tongue-in-cheek suggestion
> that webapps could be used instead, the Google Voice app for iOS is
> really just a webapp in a "native" wrapper. So I do use a webapp for
> SMS.
>
>>> My argument is simple: the claim that one platform is better simply
>>> because you "control" and some people download bad software is silly.
>>> The platform "you control" has seen many more instances of malware,
>>> and completely bogus, stolen, applications than the one that you don't
>>> control. Does that make it an inherently bad platform? No. You have to
>>> use your good judgement just like with every other platform on which
>>> you can install software on your own.
>>
>> Again...  You have demonstrated no advantage to NOT having this control
>> and some of us have demonstrated where there is an advantage TO having
>> this control.  So...  What have you got to offer?  What advantage is
>> there to giving up this control and being oblivious to what's under the
>> hood and trusting implicitly in the benevolence of the vendor?  For a
>> person who is not interested, too lazy, or able to look deeper, it's
>> probably a wash.  No advantage on either side.  But I see no
>> circumstance where there's an advantage on that side and we have
>> circumstances where there is a clear advantage on the OpenSource side.
>> Where is your balance?  Where is your advantage to outweigh the
>> advantage that many of us CAN take advantage of.  For those who can't,
>> who cares?  Enjoy your little walled garden and quit crying to us if we
>> have toys you can't have and can maintain our devices more securely.
>> Just don't try to tell us there is no difference for those of us who
>> can.
>
> Because I wasn't trying to have such a conversation. I found the
> statement "The User of a Device should have Control over the Software
> Running on that Device." to be untrue in regard to iOS devices, so I replied as
> such. No, you don't have the same kind of control as you do on other
> platforms (personal computers included), but you do have control. That
> is all I had intention to say. I never even hinted that iOS is more or
> less secure than Android or any other phone/tablet OS. I also never
> said one form of control is better than the other.
>
> When I wrote "The argument that open source is safer because you,
> yourself, can look at the code before installing it is ludicrous. If
> you have the time to do that for _every_ piece of software you
> install, then you must not be doing anything else," I was specifically
> responding to Mike's comment:
>
> "And what if you install a highly-rated, seemingly legitimate app that
> does things that you aren't aware of because you have no way to possibly
> be aware of them?
>
> There are security concerns with any application software on any
> platform or device that are a mile long and simply cannot be addressed
> by the average user.  These problems will likely never go away, unless
> the entire world moves to a model where the source code for all software
> becomes generally available."
>
> This suggests that any software you want to install on your phone
> should have the source code made available to you so that you can vet
> it, personally, for malicious code. Mike responded with his thoughts
> on my reply, I read it, and decided to leave it at that. But you want
> an advantage to the iOS model...
>
> Okay. I'll just tell you why I use an iPhone. Several years ago (just
> before OS 10.4), I needed to purchase a laptop for school because I
> didn't want to use my work supplied laptop for school (they were
> separate things). At the time, I was running Debian Sid as my desktop
> OS on all of my computers; that included my laptop. It had been this
> way for several years. Thus, I was well aware of the work that comes
> with maintaining a Linux desktop on a portable computer (probably not
> nearly as much anymore, but still not exactly easy). I did not have
> time to mess with that. I needed something that would work when I
> needed it to work. For example, if I needed to give a presentation for
> class, I didn't want to get up there and fight with X and the
> projector; I just wanted to be able to plug up and get going.
>
> I knew that I _did not_ want to use Windows. It is too limiting and
> impacts my workflow. I had not previously been impressed with OS 10,
> having messed with it very little in incarnations 10.1 and 10.2, but I
> knew that under the clicky buttons and menus there lay a proper OS. So
> I took a plunge and bought a PowerBook Pro, knowing that it would have
> resell value if I wasn't happy. But, as I think you can guess, I did
> find OS 10 to my liking after all. There was a cohesive GUI for
> everyday tasks (something that Linux still doesn't really offer), but
> there was also that proper OS I mentioned, and a passable
> implementation of X for the few things for which I required it.
>
> So I started using OS 10 for my primary desktop OS and Linux in other
> situations (servers, my HTPC, my job, etc.). Thus, when it came time
> for me to break down and get a cell phone, I opted to get an iPhone
> because I knew it would integrate with my primary OS with minimal
> trouble. Maybe I'm wrong, but it seems to me that opting for an
> Android phone (which didn't even exist then) would set me back to
> dealing more with configuration and maintenance than actually using my
> device. And that's the advantage for me -- I can spend my time using
> my device instead of feeling like I have to keep it maintained. I have
> plenty else to do.
>
> No, I don't like the closed nature of iOS. It upsets me that I can't
> write an application on my computer and then put it on my _own phone_
> to test it on an actual device without first acquiring a developer
> license. It doesn't make any sense, and is what, if I'm not mistaken,
> kept developers away from the Macintosh platform prior to OS 10. Apple
> did the right thing in keeping the development tools open for OS 10,
> but went way backwards with iOS. But that also isn't likely to change,
> given the adoption of the bullshit.
>
> So, again, I was never trying to argue that closed source is more
> secure. Or that one platform is better than another. Or whatever
> you've been reading into my replies. I never "cried" or suggested you
> "have toys [I] can't have."
>
> --
> James Sumners
> http://james.roomfullofmirrors.com/
>
> "All governments suffer a recurring problem: Power attracts
> pathological personalities. It is not that power corrupts but that it
> is magnetic to the corruptible. Such people have a tendency to become
> drunk on violence, a condition to which they are quickly addicted."
>
> Missionaria Protectiva, Text QIV (decto)
> CH:D 59
>