If they have concerns about the security of their app on some platform, they have the choice to either put "security" into the app, or to trust the platform vendor to provide the security. The correct solution is the first way. Deferring trust to the platform provider is the lazy way.

If their APIs are done correctly, they shouldn't be afraid to expose them.

Yeah sure, the company behind Dieselgate and single handedly destroyed the diesel market is worried about compliance? Give me a break.

If I had to guess it’s liability concerns around the app-based remote unlock and parking + R155 and CRA. A lot of european companies have moved to require attestation in their apps, likely spurred on by the CRA.

VW didn’t seem too concerned with compliance when they were rigging their pollution tests.

Actually we need to force our European governments to use services that do not depend on foreign services (ie. Google or Apple). Then I guess it will only then become obvious to them how crazy the situation has become.

The company's have done their thing to ensure that the average guy wouldn't even try escaping their lock-in. So chances are becoming smaller and smaller to hope for a critical mass of users to complain.

I don't use Graphene, but now I'm out of the market for a VW.

Vendor lock-in to Play services is ridiculous.

A car is a big purchase, and ideally not something I discard after a few years. I'd like it to not treat me like a second-class citizen and renter who can't make decisions over how to extend the life of my purchase.

Go with Dacia, though their EVs seem to have very low range.

> their ICE cars are notorious for being unreliable compared to the Japanese car-makers.

I always read this online, but my personal experience in EU doesn't match that at all in quite a sample of people and cards of last ~15 years. At least not for older cards. The reliability after 100k km seems to be somewhat similar.

The repairability of VW-group stuff in 3rd party services is soo much better and cheaper. The WV-group is huge and many models across the brands share same parts and full engines. There exist non-OEM alternatives and people know how to fix those cars.

I have never bought new car. But driving anything but VW got expensive fast.

Toyota cars can have bespoke parts even between different parts of the year for the same model. Continuous improvement isn't really that cool for cars.

The emissions scandal is completely different, because in that case they were illicitly making the car work better for its owner.

As opposed to the rest of the auto industry which has a stellar track record of adhering to emissions and fuel economy regulations /s

https://en.wikipedia.org/wiki/Diesel_emissions_scandal https://en.wikipedia.org/wiki/Defeat_device

Things like this can actually be a good way to nudge a company in the right direction sometimes. Nobody uses those internal review systems, and sometimes their stats are actually important. A handful of users might make up a really big chunk of the reviews.

In a similar vein, I once met a woman who told me how she would enter every single one of those stupid contests that you'd see printed on cereal boxes and ice cream containers because literally five people enter into those things, so you're odds of winning are surprisingly high. Apparently she won a bunch of them, but her favorite was when got a week long vacation that included going on a fishing trip with Ben and Jerry of "Ben and Jerry's".

Developers have to go out of their way to implement triggering Play Integrity API checks in their app and then retrieve the results to check on their services. They're putting a lot of effort into banning anything not licensing Google Mobile Services. It's definitely not a security feature since it permits devices with no security updates for more than 8 years but not a far more secure OS than anything Google certifies. Google doesn't allow GrapheneOS to obtain certification and certification comes with highly anti-competitive rules which would be completely unacceptable. Their licensing system has been ruled illegal in South Korea and other countries should not only do the same but ban the Play Integrity API and other related anti-competitive features. These are not actual security features and that's an excuse for the actual purpose of enforcing their GMS licensing model including forcing including a bunch of Google apps with extremely privileged access and using their builds of many OS components shipped from the Play Store.

Probably made worse by the fact that _every_ VW brand car I’ve driven has read about 10% high on the speedometer. I think I’m going 100 kph, but timing using the km markers on the highway show I’m going about 90.

When I talked to the dealers, they said that the speedometers only have to be accurate +/- 10% according to the SAE specifications.

After DieselGate I assumed that the high reading was to game the fuel consumption game.

Never again, VW auto group…

This thing makes me crazy. But I can somehow ignore my Skoda’s whining. The other car was bought months before this regulation happened and I will keep it as long as I can.

Am currently trying to open a business bank account in the UK, several banks require running a proprietary ID validation app.

Don't use those services. You're not gonna miss most of the crap after a few weeks anyways. Everything else is consent.

> what does someone running Linux do if the government mandates online services require proprietary attestation APIs?

One dual-boots to a reputable Linux vendor’s signed/sealed OS image with secure boot enabled in BIOS, so that the attestations are valid; financially supports said vendor; contacts them quarterly with check-ins on the status of their lockdown+attestation roadmap and uses professional journalism approaches to highlight their (in/)action; and, contacts one’s relevant governing body to petition for the addition of that vendor’s signed/sealed product line to be added to the authorized signatures list by both government-sponsored apps and to the verification platforms of the competing vendors (in order to balance the necessities of attestations with an appropriate degree of anti-monopolistic protections for consumers).

> It's scary how quickly the banning is moving. The problem is what happens next. When they realise that banning things doesn't really work

This confidence that ‘attestation doesn’t really work’ is the same sort of confidence that lead the Linux user community to largely scoff at, and ignore, attestation’s threat from when it was ballistically launched three decades ago towards the future. Options are now very limited for stopping it, and largely reduced to ‘getting some Linux into the approval list’. Severe compromises in user freedom will be required for the signed+sealed distro images to receive government approvals.

Imagine if Linux were an app on a video game console and you start to see the outcome: it’s a perfectly great working environment into which all of /usr/local and /opt and /home are writable, but the lockdown prevents you from modifying the OS in any way that could defeat the attestation protections. Apps you install into /opt can only access their own /opt/prefix, apps you install into /usr/local can access $HOME. The apps you install can choose to write session data (such as digital age verification certificates) to a system-protected /data store keyed first by the kernel’s signature, and second by the vendor signature the kernel reads from the app; with the understanding that an attestation latch-forward after an exploit patch will wipe that store, and that dual-booting to a different vendor will suspend access to sessions stored by that vendor.

This is, to climb on my hobby horse for a moment, why I continue to believe that Valve will be the first Linux vendor to receive government attestation approval alongside Apple / Google / Microsoft have previously across the desktop and mobile spaces. I’d really prefer that to be Graphene, Ubuntu, and Valve — but Graphene’s customer base is hostile to this, Ubuntu doesn’t have any incentive to care, and of the Linux vendors out there, Valve has a decade-long head start on the need for a locked-down and attested platform for business reasons. All of the above falls out naturally from considering how to defend one app from another on Android, iOS, Steam Deck, and Xbox. So far as I can tell today, though, Linux intends to be left out in the cold on all this. Oh well.

The "Technology Secretary" is actively investigating it[0].

[0]: https://www.birminghammail.co.uk/news/midlands-news/new-vpn-...

When they realise their social media ban for children doesn't work

https://stateofsurveillance.org/articles/government/uk-lords...

It mostly happened already and it's in motion.

https://xcancel.com/BBCBreakfast/status/2066788360606138759

They said so. "Nothing is off the table" was the quote, iirc.

Think of the children that will bypass all of the "protections" recently adopted by the UK.

My recollection of HN 15 years ago includes a lot of annoyance with apps that could have been a website and how these walled gardens harm our freedom

> everyone was jumping and praising mobile Eco-systems.

Literally who?

I'm filling my shop with machining equipment without all the extras, but my first 6 years of retirement will be fixing those machines before I can make anything... (and family history doesn't give me good odds of living that long - which is average.)

Supporting mainstream OEM variants can already be enough of a nightmare in behavioural differences. What motivation do most companies have to support Graphene, which will be a handful of customers at best? Developers may be fine with offering a best effort support model, but legal certainly wouldn't.

That's a starting point, but it seems the VW app is using a Google SDK for integrity checks, so maybe we need certain SDKs to be banned.

They don't need to do anything to support GrapheneOS. They only need to stop actively going out of the way to block it and any other alternative OS via the Play Integrity API. They put significant effort into blocking anything other than iOS or a Google Mobile Services Android stock OS certified by Google. They're not only blocking a non-stock AOSP-based operating system but rather anything other than iOS or a Google Mobile Services Android device certified by Google.

The app worked without issues until a few weeks ago. I used it for a year. It was not broken. GrapheneOS is just AOSP Android, optionally with Google Play Services.

My take is that they were trying to block rooted phones and/or custom ROMs of questionable origin and GrapheneOS just became collateral damage because all these companies do go the minimal route of using Play Integrity. GrapheneOS supports remote attestation through AOSP APIs, in fact, they have a page about it.

I think it's worth letting this be heard. GrapheneOS has > 400,000 users and is rapidly growing. Breaking things is not going to affect 5 people anymore, but thousands, ten thousands or hundreds of thousands, depending on what the app is.

> expensive to support

"Support" is such an overloaded and vague word in the software industry. What does it mean for a company to "support" an app/os configuration?

1. They deliberately target that app/os configuration, QA tests it, and answer customer support requests about it.

2. They target the configuration, QA tests it, but it's offered without customer support.

3. They target the configuration, but only release an untested build, use at your own risk.

4. They don't target the configuration at all, but the builds they do release happen to work on the configuration, totally unacknowledged by the company.

5. They don't target the configuration, and deliberately sabotage their application such that un-targeted configurations are actively blocked. Only adversarial users who hack the software are able to use it.

Too many companies say: "We can't do 1 because we don't 'support' it, therefore we must do 5!"

Its not a different os though. Its still android. VW seems to just have turned on integrity checks which constantly cause issues for non-google androids. Plenty of banks do the same.

> If 97% of your users are on mainstream OSes, and the rest also account for disproportionately high numbers of bug reports, why should they bother supporting alternatives?

Because of those bug reports, very few may be specific to the non-mainstream OS? https://news.ycombinator.com/item?id=28978086

The app worked until a few weeks ago. GrapheneOS does not miss any functionality (nor security) for the app to work. The only change is that they started blocking non-GMS Android through the thoroughly anti-competitive Play Integrity.

Hypothetically, if GrapheneOS wanted to become a certified Android, it would probably not be blocked on technical reasons, only that becoming certified (last time a contract was leaked) requires running privileged Google Play Services (which is less secure) and pre-installing a bunch of Google apps that should not be uninstallable.

How is that not anti-competitive?

The issue here is not that they didn't test on alternative distributions of Android, the issue is that they went out of their way to prevent anything but the officially blessed distributions.

Here it is, the true hacker mentality.

Increasingly these kinds of apps are a requirement for a lot of features so ...

Sure the app is not required, though one loses on all of the remote-control functionality (remote start, remote climate control, etc.).

Maybe then app developers should be mandated to open fully their server-side protocols, so people can create apps for platforms that are not supported by default. No more undocumented APIs, anybody can get an API key, no API serving limits!

"tEsT yOuR PlatTfORM"

Fuck that.

> Since the car software is tied into a number of important safety features and regulated controls, custom operating systems will never be supported.

Then that's a poor design that should go the way of the dodo. Someone hacking the entertainment system should not be able to take over control of the engine. The entertainment system on planes do not allow one to hack into the autopilot. There should be no need for a firewall, they should have no shared wires between them.

Those two set of systems are separate and very distinct.

“Users shouldn’t be same to control their own engines actually” hmm well ok then

Because laws are (mostly) a reflection of what society wants.

People are growingly concerned with both the car manu and Apple/Google control over their car and related extra software goodies.

Laws are really needed when businesses don’t play nicely. I don’t know the legal specifics, but I’m sure glad I don’t need to buy $1000’s of specialty tools to maintain my vehicle, and sure glad that replacement parts are readily available (and will be for decades).

Just image how much worse society would be if car manus did the same thing as Apple and had ID-paired parts. Sorry! Your AC doesn’t work anymore, please install a genuine Honda oil filter at your nearest Authorized Honda Shop, available for a minimum of $500.

Next thing you know these dirtbags are going to want to choose what wheels and tires to put on these things. The nerve!

(Yes, repairability and standardization are encouraged where feasible.)