Advertisement
Advertisement
ā” Community Insights
Discussion Sentiment
53% Positive
Analyzed from 5514 words in the discussion.
Trending Topics
#car#app#grapheneos#support#google#play#apps#don#users#services
Discussion Sentiment
Analyzed from 5514 words in the discussion.
Trending Topics
Discussion (150 Comments)Read Original on HackerNews
I got an offer from a dealer three weeks ago and was going to order the car, then the API for the community integration got turned off. I decided to hold back and see what comes from it. Now this, which ultimately - since I am a GrapheneOS user - makes me completely cancel my plans.
I really do not understand VWs thinking here. It would cost them little to nothing to continue not blocking the the inofficial API and not block GrapheneOS (or other non Play Protect androids) users. It would have no adverse effects on the average Joe, but it would gain a lot of support and enthusiasm from heavy users, differentiating from other brands. Not to mention the fact that it is the USERS data in the first place
Obviously, the chances of that are virtually zero. But they'd rather make their product worse than assume with any kind of risk, even if it is virtually zero. That is simply the way in which German enterprises operate.
If their APIs are done correctly, they shouldn't be afraid to expose them.
But the reality is that every once in a while you have a scandal like this or something like Wirecard, and it happens, because the culture is such that absolutely nobody thinks it possible. That includes officials and regulators whose first instinct will often be to come after the people trying to expose the scandal, as has happened in the case of Wirecard.
So understanding why they drop it is IMHO easy. Understanding why they use only attestation based API despite and forcing their third party ecosystem out is stupid. Companies do not understand open communities.
The company's have done their thing to ensure that the average guy wouldn't even try escaping their lock-in. So chances are becoming smaller and smaller to hope for a critical mass of users to complain.
Vendor lock-in to Play services is ridiculous.
A car is a big purchase, and ideally not something I discard after a few years. I'd like it to not treat me like a second-class citizen and renter who can't make decisions over how to extend the life of my purchase.
It's an easy market to win at this point. The bar has been lowered so much. Already have a nice car? Just don't display utter disdain for your user's privacy and you get our $$.
You should definitely reevaluate how you constructed your list. VW has a history of being scummy (https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal) and their ICE cars are notorious for being unreliable compared to the Japanese car-makers. To be fair, EVs do change the equation a bit, but given their scandal plagued past, there's no way I would put them at the top of any list.
I always read this online, but my personal experience in EU doesn't match that at all in quite a sample of people and cards of last ~15 years. At least not for older cards. The reliability after 100k km seems to be somewhat similar.
The repairability of VW-group stuff in 3rd party services is soo much better and cheaper. The WV-group is huge and many models across the brands share same parts and full engines. There exist non-OEM alternatives and people know how to fix those cars.
I have never bought new car. But driving anything but VW got expensive fast.
Toyota cars can have bespoke parts even between different parts of the year for the same model. Continuous improvement isn't really that cool for cars.
https://en.wikipedia.org/wiki/Diesel_emissions_scandal https://en.wikipedia.org/wiki/Defeat_device
The "app" they provide is 60% advertisement, 30% features, and I unironically preferred using a Home Assistant connection instead of of it for everything. Even for automations like "when to preheat the car", since that was easier and more intuitive outside of their native function.
This also means, that charge control from the cars side is not possible to automate anymore.
Sure, one could take the position "but it was never officially promised", but for some people, including me, having the api (which is paid btw) was a selling point.
Yes, I registered specifically for this comment.
There's enough of users to start making a difference. Really, even a low effort action raising valid concerns (security theater, a lie, google's monopolistic position, anti-competitive, etc), keywords that will make their response more careful and potential complaint to the regulator more impactful.
In a similar vein, I once met a woman who told me how she would enter every single one of those stupid contests that you'd see printed on cereal boxes and ice cream containers because literally five people enter into those things, so you're odds of winning are surprisingly high. Apparently she won a bunch of them, but her favorite was when got a week long vacation that included going on a fishing trip with Ben and Jerry of "Ben and Jerry's".
I've slowly but surely been moving away from any service provider of any type who does not allow me to use their service without their often Play Services-dependent app. Changing vehicles would be a lot harder though.
[1] https://www.youtube.com/watch?v=f-S76WEl25k
When I talked to the dealers, they said that the speedometers only have to be accurate +/- 10% according to the SAE specifications.
After DieselGate I assumed that the high reading was to game the fuel consumption game.
Never again, VW auto groupā¦
The squeeze on the free internet happened so quick by the UK (well it took years of indifference and a failure to enshrine protections - but once they started moving the did so super fast)
Realistically we're speed running ID being tied to internet usage - create your escape hatch while you can!
It's scary how quickly the banning is moving. The problem is what happens next. When they realise that banning things doesn't really work. The next logical step is severely limiting internet traffic.
One dual-boots to a reputable Linux vendorās signed/sealed OS image with secure boot enabled in BIOS, so that the attestations are valid; financially supports said vendor; contacts them quarterly with check-ins on the status of their lockdown+attestation roadmap and uses professional journalism approaches to highlight their (in/)action; and, contacts oneās relevant governing body to petition for the addition of that vendorās signed/sealed product line to be added to the authorized signatures list by both government-sponsored apps and to the verification platforms of the competing vendors (in order to balance the necessities of attestations with an appropriate degree of anti-monopolistic protections for consumers).
> It's scary how quickly the banning is moving. The problem is what happens next. When they realise that banning things doesn't really work
This confidence that āattestation doesnāt really workā is the same sort of confidence that lead the Linux user community to largely scoff at, and ignore, attestationās threat from when it was ballistically launched three decades ago towards the future. Options are now very limited for stopping it, and largely reduced to āgetting some Linux into the approval listā. Severe compromises in user freedom will be required for the signed+sealed distro images to receive government approvals.
Imagine if Linux were an app on a video game console and you start to see the outcome: itās a perfectly great working environment into which all of /usr/local and /opt and /home are writable, but the lockdown prevents you from modifying the OS in any way that could defeat the attestation protections. Apps you install into /opt can only access their own /opt/prefix, apps you install into /usr/local can access $HOME. The apps you install can choose to write session data (such as digital age verification certificates) to a system-protected /data store keyed first by the kernelās signature, and second by the vendor signature the kernel reads from the app; with the understanding that an attestation latch-forward after an exploit patch will wipe that store, and that dual-booting to a different vendor will suspend access to sessions stored by that vendor.
This is, to climb on my hobby horse for a moment, why I continue to believe that Valve will be the first Linux vendor to receive government attestation approval alongside Apple / Google / Microsoft have previously across the desktop and mobile spaces. Iād really prefer that to be Graphene, Ubuntu, and Valve ā but Grapheneās customer base is hostile to this, Ubuntu doesnāt have any incentive to care, and of the Linux vendors out there, Valve has a decade-long head start on the need for a locked-down and attested platform for business reasons. All of the above falls out naturally from considering how to defend one app from another on Android, iOS, Steam Deck, and Xbox. So far as I can tell today, though, Linux intends to be left out in the cold on all this. Oh well.
If it's not installed by myself, I am not using it.
As you accept government gift in approval consider it tapped. At any point they can return to the vendor and go "install this". No? Okay bye to your certification.
This way we will just have unremovable age verification, spyware, online accounts to use the os, name another bs from other vendors. What's the point of Linux then? The moment big corps and the state can seal spyware into your computer, they'll happily do it.
I'd rather have a separate burn device with whatever os for state services which lives in a faraday cage most of the time and have a proper OS I control on the main device than give somebody control over it.
āEvery time we see a Google Pixel, we suspect it might belong to a drug dealer,ā said a police official leading the anti-drug operation in Catalonia.."
Seems like some countries/areas are already targeting the Pixel (really its because of GrapheneOS)
There's really something to be said for greedily signing up for most things and trying to get grandfathered before the zipcuffs tighten.
IRL, though, fuck this. Home depot added flock cams and broad facial recognition, grocery store installed turnstiles, haven't stepped foot in either since. I'm just dropping out of the IRL retail economy left and right.
Genuine question. That's news to me and I'm here.
[0]: https://www.birminghammail.co.uk/news/midlands-news/new-vpn-...
It mostly happened already and it's in motion.
There's no way to verify the integrity of the system, and any malicious app can just grab your banking credentials or enable criminals to unlock and drive away with your car.
It's possible that we get to a place where everyone cooks their own meal (vibe coded app), and only goes out to eat sometimes (official app store). Spreadsheets are the same, you can get a lot of milage, and most still buy and use closed source software.
Reminds me of this: https://www.robinsloan.com/notes/home-cooked-app/
Literally who?
The rest of us groan when we hear "DOWNLOAD OUR APP" or grocery stores that want you to install their spyware coupon app.
These days, nost apps are just data exflitrators, spyware portals, and surveillance pricing initiatives, wrapped up with a "FREE THINGY" wrapping.
Not surprising to me at all that their software is a similar high quality experience, but in general I think it's weird that cars have to be connected to the Internet anyways and I doubt the competition is substantially better.
Happy voting with your wallet folks. See ya.
Oh, and Android 17 has been released so there is hype for that.
This is the WEF future your conspiracy uncle was telling you about during family gatherings. Well.
Increasingly my vision of retirement is a life of luxury surrounded by hardware from before the internet era, things that do what I tell them, rather than telling me what I am and am not allowed to do.
Nissan sells a ton of cars to subprime borrowers, quality isnāt exactly their focus. Hyundai/Kia and Stellantis also target the same buyers.
> Please note that the use of the Volkswagen app is only supported on iOS devices and Android devices with supported operating system versions.
Is it time to mandate app developers support all operating systems for a device?
Dont let their boilerplate responses fool you, tools like play integrity only serve to push anticompetitive practices. The claims about not being able to support GOS are nonsense, and all they did was break existing support.
If 97% of your users are on mainstream OSes, and the rest also account for disproportionately high numbers of bug reports, why should they bother supporting alternatives?
GrapheneOS is also not responsible for bugs in this app. Any bug reports coming from GOS are likely to be from the hardening toggles, which uncover bugs in the app. This is the apps fault, and these bugs still exist on other OSs. It should be resolved for the benefit of all users.
My take is that they were trying to block rooted phones and/or custom ROMs of questionable origin and GrapheneOS just became collateral damage because all these companies do go the minimal route of using Play Integrity. GrapheneOS supports remote attestation through AOSP APIs, in fact, they have a page about it.
I think it's worth letting this be heard. GrapheneOS has > 400,000 users and is rapidly growing. Breaking things is not going to affect 5 people anymore, but thousands, ten thousands or hundreds of thousands, depending on what the app is.
There are only bad reasons for them to do that. End users don't get compromised that way in reality, but it does mean they might convince the app to do something that's bad for profits.
"Support" is such an overloaded and vague word in the software industry. What does it mean for a company to "support" an app/os configuration?
1. They deliberately target that app/os configuration, QA tests it, and answer customer support requests about it.
2. They target the configuration, QA tests it, but it's offered without customer support.
3. They target the configuration, but only release an untested build, use at your own risk.
4. They don't target the configuration at all, but the builds they do release happen to work on the configuration, totally unacknowledged by the company.
5. They don't target the configuration, and deliberately sabotage their application such that un-targeted configurations are actively blocked. Only adversarial users who hack the software are able to use it.
Too many companies say: "We can't do 1 because we don't 'support' it, therefore we must do 5!"
About the only time it doesn't work is when the game uses an anticheat system that intentionally blocks Linux. I can even see where the game devs are coming from when it comes to competitive games; cheating ruins the game for other players, and there's no way to prevent certain kinds of cheating without trusting the client to a degree.
I can't see any reasonable and user-respecting place VW could be coming from intentionally blocking access from open systems.
Because of those bug reports, very few may be specific to the non-mainstream OS? https://news.ycombinator.com/item?id=28978086
If you choose to use something like GrapheneOS, you are signing up for the fact that almost no one will test on your platform and plenty of things will be broken.
Hypothetically, if GrapheneOS wanted to become a certified Android, it would probably not be blocked on technical reasons, only that becoming certified (last time a contract was leaked) requires running privileged Google Play Services (which is less secure) and pre-installing a bunch of Google apps that should not be uninstallable.
How is that not anti-competitive?
This site talks at length about running businesses, identifying your target market and focusing hard on them. The same thing applies to other aspects of software.
If I ran a cross-platform app (built on Electron or whatever) and a certain platform made up 0.1% of my users but 20% of my customer support team's time, I'd stop supporting that platform. It's literally not worth the effort. And I wouldn't just let it rot (that would keep the customer support issues going), I'd block it.
It can even make you a great/better oneā¦
Maybe then app developers should be mandated to open fully their server-side protocols, so people can create apps for platforms that are not supported by default. No more undocumented APIs, anybody can get an API key, no API serving limits!
https://news.ycombinator.com/item?id=48319509
Fuck that.
There are already massive problems with people miswiring head units to play videos while driving and updating their ECU to spew pollution into the air. You're not going to convince any significant number of people that it's a good idea to allow arbitrary code to run and control most of the other systems too.
Then that's a poor design that should go the way of the dodo. Someone hacking the entertainment system should not be able to take over control of the engine. The entertainment system on planes do not allow one to hack into the autopilot. There should be no need for a firewall, they should have no shared wires between them.
* Backup Camera
* Turning traction control on/off
* Turning auto hold (maintaining the brake pedal while stopped) on/off
* Window defrosting
Many cars are even more integrated - are there any physical buttons inside a Tesla or is it all through the touchscreen?
People are growingly concerned with both the car manu and Apple/Google control over their car and related extra software goodies.
Laws are really needed when businesses donāt play nicely. I donāt know the legal specifics, but Iām sure glad I donāt need to buy $1000ās of specialty tools to maintain my vehicle, and sure glad that replacement parts are readily available (and will be for decades).
Just image how much worse society would be if car manus did the same thing as Apple and had ID-paired parts. Sorry! Your AC doesnāt work anymore, please install a genuine Honda oil filter at your nearest Authorized Honda Shop, available for a minimum of $500.
(Yes, repairability and standardization are encouraged where feasible.)