this post was submitted on 30 Jun 2024
23 points (87.1% liked)

Right to Repair

1472 readers
1 users here now

Whether it be electronics, automobiles or medical equipment, the manufacturers should not be able to horde “oem” parts, render your stuff useless if you repair it with aftermarket parts, or hide schematics of their products.

I Fix It Repair Manifesto

Summary article from I Fix It

Summary video by Marques Brownlee

Great channel covering and advocating right to repair, Lewis Rossman

founded 1 year ago
MODERATORS
 

I have a Pixel 4a (with Calyx) for a few years already (start of 2021) and it's still going great. The battery is okay. Everything works nice. It's smooth. It runs everything perfectly fine.

This makes me glad to see that hardware wise this phone was really built to last, I can't even count how many times I dropped it so hard that I was scared to see the damage (which was always either nothing or a broken screen protector)

But software wise I'm screwed as security updates are already gone from Google and I only get the extended support from Calyx which will also end soon.

Now I'm forced to choose between having a phone that is insecure or buying a new one.

So thanks Google for the high quality hardware, but what's up with this software planned obsolescence??

I know this isn't exactly right to repair, but it also kind of is because if Google decided to ditch the 4a, they should be forced to open source the software so that the public can actually repair it.

I'm sure that some of their latest updates can be modified slightly to work for the 4a, but they don't care and for them this is a win-win since they don't have to maintian support and they get new customers who would otherwise be satisfied with an "old" phone.

What happened to the days when an old phone meant a phone that was already crumbling to pieces, and not a fully functional computer that is slightly older then a toddler?

top 34 comments
sorted by: hot top controversial new old
[–] oleorun@real.lemmy.fan 9 points 4 months ago (1 children)

GrapheneOS is an option. The Pixel 4a is not really supported any longer with the current branch but...it's GrapheneOS so it'll be secure(ish). https://grapheneos.org/faq#supported-devices.

Do keep in mind GrapheneOS has some weird, deal-breaking issues, like RCS not working and other weird, random shit like that.

[–] threelonmusketeers@sh.itjust.works 5 points 4 months ago (3 children)

RCS

Reaction control system?

[–] downpunxx@fedia.io 3 points 4 months ago

you do not want to have to depend on it for an EVA

[–] ma11en@lemmy.world 2 points 4 months ago

Really Cool Shoes?

[–] ForgotAboutDre@lemmy.world -1 points 4 months ago

Googles attempt at intercepting all text messages.

It’s supposed to be SMS 2.0 but only google took it serious and it’s only supported by Google. Most carriers that do support it are using Googles Jibe system, they’ve now pressured apple into using it as well. Likely tied to the many billions they pay apple every year.

Google doesn’t let anyone else make a RCS app except them and Samsung. So you can’t get a free and open messenger with it.

[–] hendrik@palaver.p3x.de 8 points 4 months ago (1 children)

I own the same phone. Also mine still is perfectly alright. I'm currently on GrapheneOS but that's also not supported anymore. Sometimes I get some smaller patches. I'm planning to switch to LineageOS. The phone seems still supported there and they even have Android 14 available.

I'm certainly not wasting that phone. Except for the camera which seems a bit outdated to me, compared to the camera of my partner's Samsung... It's still a really nice phone. And I refuse to buy a new one at this point.

[–] MTK@lemmy.world 2 points 4 months ago (1 children)

Lineage OS doesn't have secure boot which is a huge security issue

[–] hendrik@palaver.p3x.de 8 points 4 months ago

Sure. But running an unmaintained operating system also is an huge security issue. I mean the proper choice is quite obvious: get rid of the phone and buy a new one that's supported by Calyx or Graphene. But since I'm not willing to do that, I have to choose what's more important to me.

And with security, it always depends on the specific threat model. I'm not sure if I need secure boot that badly. Can people steal my phone, flash a different OS and access the cryptographic key to my storage? Because that'd be one of the things I worry about. If not, I don't think I care about secure boot that much... YMMV

[–] orcrist@lemm.ee 1 points 4 months ago (1 children)

Lineage OS could be OK for you.

[–] MTK@lemmy.world 1 points 4 months ago* (last edited 4 months ago)

I'm on the fence in that, but thank you!

[–] downpunxx@fedia.io -3 points 4 months ago (1 children)

when was the last time you heard of an older model smart phone model or line becoming so insecure due to the lack of ongoing "operating system" or "manufacturers security updates", off the top of my head I can't think of one

[–] ZeroPointMax@discuss.tchncs.de 7 points 4 months ago (1 children)
[–] downpunxx@fedia.io 0 points 4 months ago (2 children)

cheers for that, but all i see on that list is a whole bunch of "this could lead" and "there's a possibility", not any widespread outtages of breaches of entire product lines, like we have seen in the past with botnets and viruses in the pc world. i'm all for precaution, but again, i can't think of a time there's been a worldwide, or even nationally localized, smart phone infection across a brand or product line due to the ending of regular security updates, and i'd be interested if anyone knew if there ever has been.

what i'm thinking is, while it's best practice to have manufacturers/phone company os gui security updates for any smart phone in use, it's not the end of the world if there aren't. i could be wrong, but "this could lead" and "there's a possibility" is warning, not proof or anything at all

[–] MTK@lemmy.world 8 points 4 months ago (1 children)

I'm sorry but you are wrong, if there is a CVE it means it works, and "could lead to" means that it literary can lead to that outcome.

All you need it one really bad CVE or a few bad-ish ones to do a lot of damage.

[–] downpunxx@fedia.io -1 points 4 months ago (1 children)

sure, could lead to, show where it has, in small groups, or large, ever, for any smart phone

[–] CosmicGiraffe@lemmy.world 2 points 4 months ago (1 children)

Botnets targeting android devices are a thing, here's an example: https://blog.fox-it.com/2023/09/11/from-ermac-to-hook-investigating-the-technical-differences-between-two-android-malware-variants/

In this example, they're renting access for thousands of dollars. These people have a clear motivation to find ways to exploit devices and unpatched CVEs are an easy way for them to do that.

[–] downpunxx@fedia.io 1 points 4 months ago (1 children)

ok, i browsed through that, and again, am not seeing where it actually was deployed and affected end users, just a breakdown of how it could, and what i've continually been requesting, wondering about is if a botnet/virus campaign has ever been actually pushed out to smart phones, anywhere, at any time, due to the ending of manufacturers security updates, and again, i've yet to be presented with any evidence it has (only that it could be)

[–] MTK@lemmy.world 1 points 4 months ago (1 children)

Look, when it comes to security statistics, a lot of it is locked behind closed doors in all kinds of big security companies. I can tell you personally that I have worked in such a company and you could see a lot of exploitation (attempts) on Android devices. It was there.

Look once there's a CVE and there is a POC for it. Usually there comes a Metasploit module for it and then it's for sure being used by a bunch of people.

[–] downpunxx@fedia.io 1 points 4 months ago (1 children)

aha, the old, i know it happened, i just can't produce any real proof of it happening, anywhere, to anyone, at any time. got it. well, shit, i'm convinced, guess you shouldn't use that Pixel 4a then. question answered, problem solved. be well.

[–] MTK@lemmy.world 1 points 4 months ago

Look, I have no interest in convincing you, you can also find some materials online but yeah, plenty of this info is closed source, that's just how it is with some industries.

If you want to throw caution to the wind because you couldn't find anything that is your choice.

[–] rand_alpha19@moist.catsweat.com 4 points 4 months ago* (last edited 4 months ago) (1 children)

It's a vulnerability that is actively able to be exploited on any compatible system that isn't explicitly protecting against it (i.e., any outdated phone connected to the internet).

So a very big fucking deal in general, even if your specific phone may not be targeted. Your only defense is hoping that you're not unlucky, which is a really shitty approach to security.

[–] downpunxx@fedia.io 2 points 4 months ago (1 children)

sure, able to be exploited, show where it has, in small groups, or large, ever, for any smart phone, ever

[–] rand_alpha19@moist.catsweat.com 3 points 4 months ago (1 children)

I don't really care enough to spend a lot of time searching, but I found this opinion article breaking down a severe Apple iOS vulnerability from 2019: https://www.tomsguide.com/opinion/your-iphone-is-less-safe-than-it-was-yesterday-and-thats-good

If a device isn't getting security updates anymore, it's vulnerable. And a lot of the time these things aren't caught right away. This is the exact same reason why you should never put a computer running Windows XP or 7 on the internet - it's no longer secure and your system can be accessed by any person motivated to do so.

If you don't care, that's another matter. But you're inarguably at a higher level of risk when your system can be exploited in a greater number of ways than one with more recent security patches.

[–] downpunxx@fedia.io 2 points 4 months ago (1 children)

and again, not being a sea lion, as sea lions request others to research easily identifiable information, which my posit is precisely the oposite of, i've asked if there ever has been a smart phone vulnerability like a botnet/virus campaign that has ever been actually pushed out to smart phones, anywhere, at any time, any where due to the ending of manufacturers security updates, and again, i've yet to be presented with any evidence it has (only that it could be). so, not knowing of one personally (which in no way means it hasn't happened, just that i don't know about any such occurance) i put it to the comment section, and having been replied to almost a dozen times now with "vulnerabilities" i've yet to be presented with an actual infection case. not one.

[–] rand_alpha19@moist.catsweat.com 2 points 4 months ago (1 children)

If you want documented evidence that there is a nefarious cadre of organizations hacking phones en masse using high-profile exploits before you'll believe that out of date phones are something to give a shit about, then you'll never be "presented with an actual case."

What you're describing isn't the reason why we should care about security. If you don't care, whatever, but planning for bad things that could happen is just basic preparedness even outside of computing. If a fire started in my apartment and I didn't have a fire extinguisher I'd be fucked regardless of how likely I think a fire would be.

[–] downpunxx@fedia.io 2 points 4 months ago (1 children)

I know people who have had fires in their apartments, I have seen news reports on tv and the internet, there are entire subsections of literature giving excruciatingly grand detail of historical fires throughout time. You know, proof that a thing happened, and investigation of why and how it happened.

What I have not seen any proof of, at any time, from any source, is a mass infection of consumer grade smartphones which would have been prevented by ongoing timely security updates. Not one. Rien. Bubkas. What I am seeing a lot of is people convinced that a warning is as good as an experience which has been studied and learned from. What I'm seeing without fail in this thread are people so jammed up with "could" and "possibly" but no "here's what we learned from this exploit being detonated in the wild, and here's the reason it happened".

I like your fire analogy, I'm worried about fires, I've seen the results. The same can't be said about not getting ongoing manufacturers security updates for smart phones.

[–] rand_alpha19@moist.catsweat.com 1 points 4 months ago (1 children)

Okay, then you don't care. That's fine. There's no mass hacking of phones going on, that's not the risk and whoever told you that it was is stupid.

It's an individualized problem, which is why it doesn't make the news and why you're on your own when companies fail to keep your device up to date. It's not as sensational as a massive fire so it's hard to care about.

Anyway, hopefully you'll never have to worry about being hacked. The odds are in your favour, after all. The issue is when you get unlucky.

[–] MTK@lemmy.world 2 points 4 months ago

I do want to add that there are also mass hacking of phones, they just tend to be non-disruptive to the user, so it rearly gets coverage.

[–] rekabis@lemmy.ca -4 points 4 months ago* (last edited 4 months ago) (2 children)

I have a Pixel 4a (with Calyx) for a few years already (start of 2021)

  1. That’s just a little over three years ago.

This is why I run with Apple. Because even though their repairability sucks even more than Android, they are built like tanks and they get six to seven years of full OS updates, and not just security patches.

And the security patches continue for another year or two after that.

Nothing else comes close. Sure, the big players in Android have now claimed five years of OS updates, but I was promised Android 13 with my Nokia 7.2, yet I am still on the original Android 11 that the phone came with - Nokia never even released 12, much less 13 for that model.

I will believe these vendors once they are actually pushing Android v.X+5 to a phone that launched with v.X.

[–] MTK@lemmy.world 5 points 4 months ago (1 children)

Apple is not an option for me as they are completely closed source and super invasive of customer privacy (their privacy claims are "only we will know everything about you" which is creepy AF)

On the same concept I can also say that hou should just use a linux phone as these are very likely to be kept updated for years, but it's not really a reasonable option for this situation.

[–] rekabis@lemmy.ca -1 points 4 months ago* (last edited 4 months ago) (1 children)

and super invasive of customer privacy (their privacy claims are "only we will know everything about you" which is creepy AF)

Completely false. If you enable advanced data encryption, your iCloud data is encrypted such that even Apple cannot access it.

Which is why they introduced Legacy Contacts for next of kin… if someone with an iPhone dies, and their relatives want access to the deceased’s data but no-one knows the phone passcode or the iCloud credentials and don’t have legacy access, they can spend hundreds of millions of dollars suing Apple and Apple will be unable to provide access.

As someone who has actually worked on a system like this in another capacity, it really does works as advertised.

[–] MTK@lemmy.world 3 points 4 months ago

Sure, your iCloud data is encrypted, but what about all the metadata that Apple collects from your phone or on the files in iCloud? What about everything else you're doing on your phone? It's not just about having access to the data of your files.

Also, not having encryption on by default is creepy and purposeful.

[–] Rogue1633@discuss.tchncs.de 2 points 4 months ago (1 children)

New Google Pixels come with 7 years of security updates and 7 major Android updates. With GrapheneOS you generally geht all AOSP updates. https://grapheneos.org/faq#recommended-devices After that GrapheneOS offers 3 years of harm reduction updates https://grapheneos.org/faq#device-lifetime New Samsung devices (like the S24) also come with 7 years of security updates + 7 Android Version updates.

[–] rekabis@lemmy.ca 1 points 3 months ago* (last edited 3 months ago)

Get back to me when an Android phone that was released with Android 15 gets an OTA update from the manufacturer to Android 22.

My experience with the Nokia 7.2 (and a few others) leads me to strongly suspect that these “promises” are nothing more than pinkie swears from everyone short of Google itself.