I got an offer from a dealer three weeks ago and was going to order the car, then the API for the community integration got turned off. I decided to hold back and see what comes from it. Now this, which ultimately - since I am a GrapheneOS user - makes me completely cancel my plans.
I really do not understand VW's thinking here. It would cost them little to nothing to continue not blocking the unofficial API and not block GrapheneOS (or other non Play Protect androids) users. It would have no adverse effects on the average Joe, but it would gain a lot of support and enthusiasm from heavy users, differentiating from other brands. Not to mention the fact that it is the USERS' data in the first place.
However, VW just seem to make gaffe after gaffe. Collecting information they shouldn't, exposing information they shouldn't have to hackers via lax security practices.
How many rakes can a company step on?
Now, they're blocking GrapheneOS? They've got two hopes of selling me another 'Dub.
(Bob and No).
Not surprising to me at all that their software is a similar high quality experience, but in general I think it's weird that cars have to be connected to the Internet anyways and I doubt the competition is substantially better.
I strongly recommend saying that the operating system is one of "Android" (there are many variants), "Android (GrapheneOS)", or "GrapheneOS Android".
But if you say only "GrapheneOS", you are practically telling VW to respond that they do not support that operating system.
Happy voting with your wallet folks. See ya.
It's an easy market to win at this point. The bar has been lowered so much. Already have a nice car? Just don't display utter disdain for your users' privacy and you get our $$.
So understanding why they drop it is IMHO easy. Understanding why they use only attestation based API despite and forcing their third party ecosystem out is stupid. Companies do not understand open communities.
To me this smells like a cartel. Why is the EU not doing anything?
As an EU citizen, please sign this petition https://www.change.org/p/eu-data-act-durchsetzen-autoherstel...
This is the WEF future your conspiracy uncle was telling you about during family gatherings. Well.
The "app" they provide is 60% advertisement, 30% features, and I unironically preferred using a Home Assistant connection instead of it for everything. Even for automations like "when to preheat the car", since that was easier and more intuitive outside of their native function.
This also means that charge control from the car's side is not possible to automate anymore.
Sure, one could take the position "but it was never officially promised", but for some people, including me, having the api (which is paid btw) was a selling point.
Yes, I registered specifically for this comment.
- Buy Pixel, Get Graphene
- Use FDroid, don't sign up for Google Play, download Tor browser
- Censorship resistant access to the internet without handing over your ID.
Pixel being a fairly popular phone in the UK is the interesting bit - if you had to buy some niche device I couldn't see it hitting more than a few hundred people doing it, but there are likely 100k pixels in the UK, and it's still possible to buy one and put Graphene on it.
The squeeze on the free internet happened so quick by the UK (well it took years of indifference and a failure to enshrine protections - but once they started moving they did so super fast)
Realistically we're speed running ID being tied to internet usage - create your escape hatch while you can!
There's no way to verify the integrity of the system, and any malicious app can just grab your banking credentials or enable criminals to unlock and drive away with your car.
Obviously, the chances of that are virtually zero. But they'd rather make their product worse than assume any kind of risk, even if it is virtually zero. That is simply the way in which German enterprises operate.
You should definitely reevaluate how you constructed your list. VW has a history of being scummy (https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal) and their ICE cars are notorious for being unreliable compared to the Japanese car-makers. To be fair, EVs do change the equation a bit, but given their scandal plagued past, there's no way I would put them at the top of any list.
> Please note that the use of the Volkswagen app is only supported on iOS devices and Android devices with supported operating system versions.
Is it time to mandate app developers support all operating systems for a device?
I'm not arguing that the modem should be mandatory, or that you shouldn't be able to control what it does. But forcing car vendors who want to build in a modem to make this modem do an automatic emergency call by default, that seems quite sensible. Even more sensible would be if the modem did nothing unless you allow it, except when it detects that crash, but... profits.
"You will own nothing and be happy" - WEF Prime Objective.
It's possible that we get to a place where everyone cooks their own meal (vibe coded app), and only goes out to eat sometimes (official app store). Spreadsheets are the same, you can get a lot of mileage, and most still buy and use closed source software.
Reminds me of this: https://www.robinsloan.com/notes/home-cooked-app/
Oh, and Android 17 has been released so there is hype for that.
There's really something to be said for greedily signing up for most things and trying to get grandfathered before the zipcuffs tighten.
IRL, though, fuck this. Home Depot added flock cams and broad facial recognition, grocery store installed turnstiles, haven't stepped foot in either since. I'm just dropping out of the IRL retail economy left and right.
Play integrity is an anticompetitive tool that ignores this, and artificially limits itself on GrapheneOS. It is not due to any incompatibility.
I always read this online, but my personal experience in EU doesn't match that at all in quite a sample of people and cars over the last ~15 years. At least not for older cars. The reliability after 100k km seems to be somewhat similar.
The repairability of VW-group stuff in 3rd party services is so much better and cheaper. The VW-group is huge and many models across the brands share same parts and full engines. There exist non-OEM alternatives and people know how to fix those cars.
I have never bought a new car. But driving anything but VW got expensive fast.
Toyota cars can have bespoke parts even between different months of the same year for the same model. Continuous improvement isn't really that cool for cars.
The companies have done their thing to ensure that the average guy wouldn't even try escaping their lock-in. So chances are becoming smaller and smaller to hope for a critical mass of users to complain.
I have moved most of my finance activity to it, along with my license and passport. I would never trust a Google device with this much, and the convenience has been profound in a few circumstances.
I would relegate any intrusive apps here, and happily deny them cross-app tracking privileges.
If their APIs are done correctly, they shouldn't be afraid to expose them.
There's enough users to start making a difference. Really, even a low effort action raising valid concerns (security theater, a lie, google's monopolistic position, anti-competitive, etc), keywords that will make their response more careful and potential complaint to the regulator more impactful.
I've slowly but surely been moving away from any service provider of any type who does not allow me to use their service without their often Play Services-dependent app. Changing vehicles would be a lot harder though.
Nissan sells a ton of cars to subprime borrowers, quality isn’t exactly their focus. Hyundai/Kia and Stellantis also target the same buyers.
Increasingly my vision of retirement is a life of luxury surrounded by hardware from before the internet era, things that do what I tell them, rather than telling me what I am and am not allowed to do.
It's scary how quickly the banning is moving. The problem is what happens next. When they realise that banning things doesn't really work. The next logical step is severely limiting internet traffic.
Has this ever happened?
“Every time we see a Google Pixel, we suspect it might belong to a drug dealer,” said a police official leading the anti-drug operation in Catalonia.
Seems like some countries/areas are already targeting the Pixel (really it's because of GrapheneOS)
Genuine question. That's news to me and I'm here.
https://en.wikipedia.org/wiki/Diesel_emissions_scandal https://en.wikipedia.org/wiki/Defeat_device
Vendor lock-in to Play services is ridiculous.
A car is a big purchase, and ideally not something I discard after a few years. I'd like it to not treat me like a second-class citizen and renter who can't make decisions over how to extend the life of my purchase.
Not quite an SUV, but maybe fits the same use case?
In a similar vein, I once met a woman who told me how she would enter every single one of those stupid contests that you'd see printed on cereal boxes and ice cream containers because literally five people enter into those things, so your odds of winning are surprisingly high. Apparently she won a bunch of them, but her favorite was when she got a week-long vacation that included going on a fishing trip with Ben and Jerry of "Ben and Jerry's".
[0]: https://www.birminghammail.co.uk/news/midlands-news/new-vpn-...
It mostly happened already and it's in motion.
https://youtube.com/shorts/WvHl3G6KojI
I believe they're "doing research" into it, which basically means they don't understand how any of it works.
In fact, that's how a lot of compliance works in industries where there's little enforcement and relies a lot on self regulation.
If you don’t want/need a new car, the used car market in Germany is pretty active with EQAs and EQBs.
If you choose to use something like GrapheneOS, you are signing up for the fact that almost no one will test on your platform and plenty of things will be broken.
There are already massive problems with people miswiring head units to play videos while driving and updating their ECU to spew pollution into the air. You're not going to convince any significant number of people that it's a good idea to allow arbitrary code to run and control most of the other systems too.
Literally who?
When I talked to the dealers, they said that the speedometers only have to be accurate +/- 10% according to the SAE specifications.
After DieselGate I assumed that the high reading was to game the fuel consumption game.
Never again, VW auto group…
One dual-boots to a reputable Linux vendor’s signed/sealed OS image with secure boot enabled in BIOS, so that the attestations are valid; financially supports said vendor; contacts them quarterly with check-ins on the status of their lockdown+attestation roadmap and uses professional journalism approaches to highlight their (in/)action; and, contacts one’s relevant governing body to petition for the addition of that vendor’s signed/sealed product line to be added to the authorized signatures list by both government-sponsored apps and to the verification platforms of the competing vendors (in order to balance the necessities of attestations with an appropriate degree of anti-monopolistic protections for consumers).
> It's scary how quickly the banning is moving. The problem is what happens next. When they realise that banning things doesn't really work
This confidence that ‘attestation doesn’t really work’ is the same sort of confidence that led the Linux user community to largely scoff at, and ignore, attestation’s threat from when it was ballistically launched three decades ago towards the future. Options are now very limited for stopping it, and largely reduced to ‘getting some Linux into the approval list’. Severe compromises in user freedom will be required for the signed+sealed distro images to receive government approvals.
Imagine if Linux were an app on a video game console and you start to see the outcome: it’s a perfectly great working environment into which all of /usr/local and /opt and /home are writable, but the lockdown prevents you from modifying the OS in any way that could defeat the attestation protections. Apps you install into /opt can only access their own /opt/prefix, apps you install into /usr/local can access $HOME. The apps you install can choose to write session data (such as digital age verification certificates) to a system-protected /data store keyed first by the kernel’s signature, and second by the vendor signature the kernel reads from the app; with the understanding that an attestation latch-forward after an exploit patch will wipe that store, and that dual-booting to a different vendor will suspend access to sessions stored by that vendor.
This is, to climb on my hobby horse for a moment, why I continue to believe that Valve will be the first Linux vendor to receive government attestation approval alongside Apple / Google / Microsoft have previously across the desktop and mobile spaces. I’d really prefer that to be Graphene, Ubuntu, and Valve — but Graphene’s customer base is hostile to this, Ubuntu doesn’t have any incentive to care, and of the Linux vendors out there, Valve has a decade-long head start on the need for a locked-down and attested platform for business reasons. All of the above falls out naturally from considering how to defend one app from another on Android, iOS, Steam Deck, and Xbox. So far as I can tell today, though, Linux intends to be left out in the cold on all this. Oh well.
https://www.theguardian.com/environment/2015/sep/24/uk-franc...
Of course the governments probably lobbied for this stuff because it improves their car industry tax profits/employment numbers.
In Dieselgate VW got caught, made the supervisory authorities and politicians look bad, which is why the authorities also weren't inclined to sweep it under the rug completely. They just shielded VW from the financial consequences in Germany (German VW customers got shafted).
Blocking GrapheneOS is the useless "pretending" part of compliance. They don't really want to do security, because that would cost money, so they pick some actions that seem drastic, harsh and don't cost them anything to implement. Later, when there is a security incident, they will point to their huge heap of pretend compliance, whine a bit about state sponsored actors, high criminal intent and other obvious deflecting bullshit. But they will get away with it, because they did the compliance dance, so they are obviously compliant and did nothing wrong. Nobody in authority will look twice as long as they are neither annoyed nor made to look bad.
tl;dr: compliance in Germany is performative
Hypothetically, if GrapheneOS wanted to become a certified Android, it would probably not be blocked on technical reasons, only that becoming certified (last time a contract was leaked) requires running privileged Google Play Services (which is less secure) and pre-installing a bunch of Google apps that should not be uninstallable.
How is that not anti-competitive?
But the reality is that every once in a while you have a scandal like this or something like Wirecard, and it happens, because the culture is such that absolutely nobody thinks it possible. That includes officials and regulators whose first instinct will often be to come after the people trying to expose the scandal, as has happened in the case of Wirecard.
Obviously VW broke the app for GrapheneOS (or any other custom ROM) on purpose, and ironically, things usually work better on custom ROMs than on some Chinese OEM customized ROMs, and when it works, it means the developer went the extra mile to implement a workaround to cater to the flawed OS.[1]
[1]: ref: Years of Android community experience
The issue is not that this application isn't tested on GOS, it's that an anticompetitive, illegal tool is being used to ban non-certified OSs when these apps would work perfectly otherwise.
Fuck that.
The rest of us groan when we hear "DOWNLOAD OUR APP" or grocery stores that want you to install their spyware coupon app.
These days, most apps are just data exfiltrators, spyware portals, and surveillance pricing initiatives, wrapped up with a "FREE THINGY" wrapping.
Maybe then app developers should be mandated to open fully their server-side protocols, so people can create apps for platforms that are not supported by default. No more undocumented APIs, anybody can get an API key, no API serving limits!
Then that's a poor design that should go the way of the dodo. Someone hacking the entertainment system should not be able to take over control of the engine. The entertainment systems on planes do not allow one to hack into the autopilot. There should be no need for a firewall, they should have no shared wires between them.
(Yes, repairability and standardization are encouraged where feasible.)
People are growingly concerned with both the car manu and Apple/Google control over their car and related extra software goodies.
Laws are really needed when businesses don’t play nicely. I don’t know the legal specifics, but I’m sure glad I don’t need to buy $1000’s of specialty tools to maintain my vehicle, and sure glad that replacement parts are readily available (and will be for decades).
Just imagine how much worse society would be if car manus did the same thing as Apple and had ID-paired parts. Sorry! Your AC doesn’t work anymore, please install a genuine Honda oil filter at your nearest Authorized Honda Shop, available for a minimum of $500.
When you accept government gift in approval consider it tapped. At any point they can return to the vendor and go "install this". No? Okay bye to your certification.
Call me paranoid.
This way we will just have unremovable age verification, spyware, online accounts to use the os, name another bs from other vendors. What's the point of Linux then? The moment big corps and the state can seal spyware into your computer, they'll happily do it.
I'd rather have a separate burn device with whatever os for state services which lives in a faraday cage most of the time and have a proper OS I control on the main device than give somebody control over it.
Don't let their boilerplate responses fool you, tools like play integrity only serve to push anticompetitive practices. The claims about not being able to support GOS are nonsense, and all they did was break existing support.
That is why so many rich fly private jets to environment conferences. People put Greenpeace and similar bumper stickers on their SUVs that never go off road and rarely have more than one person inside. They care about the environment, but only when it doesn't impact anything else in their life.
Only naive laymen or newcomers to Germany think it's not possible. German business leaders, lawyers and politicians know exactly how much corruption and scamming is going on in the business sector, and it's not a little.
>first instinct will often be to come after the people trying to expose the scandal, as has happened in the case of Wirecard.
That was purely malicious to try to protect Wirecard, not because the regulators couldn't possibly imagine corruption and law breaking exists, that was the story they used as cover for their corruption.
Like you're a regulator and instead of doing the thing you were hired for and look at the evidence The Economist showed you, you instead "use your instincts" to decide not to do your job and not look into Wirecard because you can't imagine something bad can ever happen? Come on! All those regulators should have been fired and tried for corruption and/or accessory to crime.
10 out of random 10 drivers out there don't care about the software running in the car.
> Laws are really needed when businesses don’t play nicely. I don’t know the legal specifics, but I’m sure glad I don’t need to buy $1000’s of specialty tools to maintain my vehicle, and sure glad that replacement parts are readily available (and will be for decades).
You drive a self-maintained car. Nothing wrong with that, but I would guess 95 out of 100 drivers on the road don't care about the car at all - they just want reliable transportation from A to B and perhaps some comfort.
> Just imagine how much worse society would be if car manus did the same thing as Apple and had ID-paired parts. Sorry! Your AC doesn’t work anymore, please install a genuine Honda oil filter at your nearest Authorized Honda Shop, available for a minimum of $500.
I don't have to imagine that at all, all premium car manufacturers digitally id their components and will not accept 3rd party replacements.
* Backup Camera
* Turning traction control on/off
* Turning auto hold (maintaining the brake pedal while stopped) on/off
* Window defrosting
Many cars are even more integrated - are there any physical buttons inside a Tesla or is it all through the touchscreen?
It can even make you a great/better one…
This site talks at length about running businesses, identifying your target market and focusing hard on them. The same thing applies to other aspects of software.
If I ran a cross-platform app (built on Electron or whatever) and a certain platform made up 0.1% of my users but 20% of my customer support team's time, I'd stop supporting that platform. It's literally not worth the effort. And I wouldn't just let it rot (that would keep the customer support issues going), I'd block it.
Like, the head unit is in control of all that happens on the slow bus of the car, and needs to pass independent safety certifications for a complex system.
- drop wireguard / OpenVPN packets crossing the country border
- analyze https traffic to detect traffic patterns not matching https fully and block such connections
I don’t think that will stop them trying though
So, in the scenario posed (quoted above again for context) that I’m responding to, where the government has mandated attestation online, it seems like you’re arguing that Linux should continue to opt-out of attestation, and thus be forced into non-internet uses only. Do I misunderstand your intended outcome to the scenario here? I took for granted that Linux users would want to retain access to the internet as a critical priority, given how strongly they’re objecting to attestation of internet apps (and eventually internet access), but if I’m mistaken then I’m happy to reverse course!
I bet you would, though, if the built OS image were 100% reproducible except for the signature. Once you have a fully reproducible Linux OS build, you can literally copy paste the cryptosig from the vendor and it will work with the image you built yourself from source that you inspected yourself. Then it’s impossible for the government to tap it without breaking the reproducible image checksum and thus the published cryptosig. It’s a better defense than any warrant canary would be, and it satisfies your concerns fully.
Arch shows only 15 packages left for their core OS to be built reproducibly; what I don’t see at their dashboard is the state of their ISO build reproducibility, but I imagine that’s the same as the core, so maybe it’s just unstated for obviousness. https://reproducible.archlinux.org/
Does GrapheneOS publish their repro build efforts as a dashboard anywhere?
If you're going to use the worst example as the comparison, then we'll get nowhere fast.
In the States, for example: Every state I've looked at has laws that make it illegal to roll coal.
And at least in my own state (Ohio), it's a primary offense. A person can be pulled over and ticketed for this even if they're doing everything else by the book. It's super easy to spot.
It seems that it persists not because of a lack of laws, but because of a lack of enforcement.
also, what scale of harm do you think exists from those people?
do you really believe that control of one’s own engine should be removed from all vehicle owners if a few people misuse it?
do you understand that vehicle manufacturers use their proprietary systems that control the vehicle to exploit customers?
I use FreeBSD because of and I don't trust that either unless I can do make install world.
"Starting anaconda", "Enable Kdump", on anything RedHat.
Debian spews an ancient terminal window of options upon options and who knows how to install Arch.
Linux installation has never been click, click go and installation wizards are still designed for tech enabled and not the common user.
We have a helicopter on Mars yet they still can't master an installation wizard.
Serious health complications, particularly to cyclists and pedestrians. Significant pollution surges:
> According to government estimates, the practice can increase nitrogen oxide emissions as much as 310 times, non-methane hydrocarbons 1,400 times, and carbon monoxide 120 times. [https://www.rawstory.com/raw-investigates/rolling-coal-donal...]
> AED estimates that the emissions controls have been removed from more than 550,000 diesel pickup trucks in the last decade. As a result of this tampering, more than 570,000 tons of excess oxides of nitrogen (NOx) and 5,000 tons of particulate matter (PM) will be emitted by these tampered trucks over the lifetime of the vehicles. [https://int.nyt.com/data/documenttools/epa-on-tampered-diese...]
> GrapheneOS is a privacy and security focused mobile OS with Android app compatibility [https://grapheneos.org/]
Tools such as play integrity are illegal. Using anticompetitive and monopolistic tools is not the right of application developers.
It works in tunnels. It works in cities with tall buildings. It works on Lower Wacker Drive in Chicago.
Is there some technological limitation that precludes using this data to determine whether or not a movie can be played?
(It's not like it's new tech. It's decades-old. Honda started using it over 20 years ago.)
> Using anticompetitive and monopolistic tools is not the right of application developers.
Please talk to an actual lawyer before making legal claims, because to be blunt it's very clear you don't know what many of those terms mean in a legal context. VW is not a "monopoly". They have no obligation to allow the use of their software on platforms they don't want.
It's also not clear what the purpose of this line of argument is. Some sensor says "car is moving". The operating system in the car/head unit is responsible for enforcing that signal, and it could ignore it equally from either OBD or some pile of gyroscopes. Where that signal comes from has nothing to do with why you will not see cars accepting custom operating systems.
It completely dismantles your previous goalposts, which were planted firmly on GPS:
>> Not with the necessary precision. GPS doesn't work in tunnels or parking garages and can be wildly inaccurate in city centers with skyscrapers blocking line of sight, for instance.
(I guess we all have the freedom to be as flexible with our goalposts as we wish. I didn't come here for a tireless argument that is motivated by nothing but the desire to argue, though. Have a great day!)