Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
bigbadfeline 19 hours ago

> Being reliant on the hardware manufacturer (or network operator?) for OS updates is the crazy world we live in.

Being reliant on a single OS permanently nailed to the hardware is no less crazier. I'd like to be able to install another OS on a vulnerable device, it would help tremendously and not only with the security of that specific device.

Now I've got some expensive paperweights that I can't even use as such because every time I see them I have the urge to throw them in the trash can.

Provide a way to unlock the phones and a standard BSP, it should be the law.

chasil 16 hours ago | parent | next [-]

If you are buying now, you want a device on a v5 Linux kernel with BPF support, where the bootloader can be unlocked and VoLTE is implemented in the 3rd-party ROM.

LineageOS has a build roster of current devices at this URL:

https://lineageos.org/Changelog-30/

The Pixels are the most flexible, but don't buy a model from Verizon (they don't allow unlocked bootloaders).

Most other OEMs require you to generate an unlock token and send it to them, then wait a week, which is extrememly inconvenient (and sometimes they just stop and refuse, as I understand OnePlus has).

If you want a locked bootloader at the end of the process for security, then you will be on a later Pixel with Graphene.

askvictor 16 hours ago | parent [-]

Unfortunately, even with the best after-market support, banking apps and/or contactless payments becomes a cat-and-mouse game, that, even if it works, can stop working at the drop of a hat.

chasil 15 hours ago | parent [-]

I can tell you that Wells Fargo works both on Lineage with Mind the Gapps, and Graphene with the Play store installed. I have it on my OnePlus 5 and Pixel 6a.

I understand that most U.S. banking apps work on Graphene.

As far as contactless payments, try a Pixel watch. I understand that it is entirely separate from the phone.

tadfisher 15 hours ago | parent [-]

Provisioning payment cards on your watch without being able to run the phone app will be quite a challenge, however!

chasil 15 hours ago | parent [-]

I have never tried this, as I am happier with RFID on my individual credit cards.

However, Google Pay will certainly run on my Lineage OnePlus 5. It will not provision localhost, but I am guessing that it will provision a watch.

I would go buy the parts and try it just to know, but I doubt interest would remain here by the time I assembled everything.

Edit: Graphene has a page on this subject, and Garmin appears to be the best option.

https://discuss.grapheneos.org/d/1040-compatibility-with-sma...

celeryd 15 hours ago | parent | prev | next [-]

> Being reliant on a single OS permanently nailed to the hardware is no less crazier.

Locking OS upgrades to a network vendor is substantially crazier. It creates pockets where the hardware vendor ships a security update but your network doesn't care to ship it and isn't incented to. It is BANANAS.

GuB-42 15 hours ago | parent | prev | next [-]

Just because one layer of the security stack is compromised doesn't turn your device into a paperweight. I know many people who use out-of-support and vulnerable devices and I am not aware of a single one getting pwned by a system exploit, it is always some kind of phishing or scam. This is anecdotal evidence but I couldn't find actual data, as most don't distinguish between malware that rely on system-level vulnerabilities (as in 0-day) and the ones that don't (like fake apps that steal credentials, mine crypto or inject ads). But it is clear that the former are a minority on Android.

If you don't know what to do with it because your security standards are so high, just give it to someone with lower standards then you, or use it for some project that doesn't involve sensitive data. And if security is broken to the core, there is probably some vulnerability you can exploit to root your phone and do whatever you want with it, including installing a custom ROM.

Still, I agree with you on making it mandatory to provide an unlock method, at least for out-of-support phones.

avadodin 14 hours ago | parent | next [-]

It's not 1999 anymore. If you get RCEd today as a nobody you don't get a purple gorilla.

Just silently enlisted into a "Residential VPN" and a background script that checks for the SSID "Iranian Research Facility" every time you turn your wifi on for some reason.

_factor 14 hours ago | parent | prev [-]

"I've never had someone steal from my car, so the fact that my car lock doesn't work is not a problem."

GuB-42 13 hours ago | parent [-]

More like: "Every time someone stole from my car, that's because I forgot to lock the door, that the lock can be picked is not a problem".

Sure, a thief may pick your lock, but unless he knows there is something valuable in there, he will probably go find a car the owner forgot to lock, it less effort and there are plenty of them, or he may look for more valuable targets.

edoceo 18 hours ago | parent | prev [-]

Please try to e-recycle rather than normal land-fill trash.

secstate 16 hours ago | parent [-]

e-recycling is only marginally better than a landfill. At least a landfill in pseudo-regulated government economy has the chance to be safely abated in 100 years. Though a few things of value are sometimes extracted, mostly it all ends in places like Turkey or India and burned or buried.

Sorry for the cynical take, but patronizing folks like this is worse than cynicism because it suggests that you actually believe what you're saying is true.