
>I don't get why it has to be this hostile toward developers and why no option is offered to disable it.

If you can convince someone to install a certificate to violate their privacy you can just block the network, forcing the user to flip the setting. This allows apps to be able to protect their users' privacy from nosy enterprise network administrators.



I get it, but that's ultimately the user's choice.


That line of thinking leads you to the path where users are free to install malware and give it all the capabilities it needs because the user chose to do so.


Are you also in favor of passing a law that prohibits selling knives because they might cut their owner?


No, but if someone made a knife that was unable to cut their owner I would expect it to have a competitive advantage in the marketplace against a normal knife.


It only does that if you do a poor choice of letting users make informed choices.


Yes, if the user wants to disable all the protections and chooses to install malware it's their choice. You can already do so on *nix, Windows, and macOS (albeit more complicated). Not sure why a phone OS would be different.

Your line of thinking is basically "think of the children".


>Not sure why a phone OS would be different.

As a new platform that does not have to worry about backwards compatibility they can better design the operating system with lessons learned over the years that desktops have existed.

>Your line of thinking is basically "think of the children".

My line of thinking is that with proper design a platform can have good security. The web platform got sandboxing right. It's a good thing that a website cannot cryptolock all your files by just visiting it. Does a website really need to be able to read and write all the files on your system, or perhaps is exposing just a single folder dedicated to the site good enough for most legitimate purposes? A platform can choose what kind of apps it should support. I don't think it is bad for a platform to decide that it does not want to support the needs of a cryptolocker even if that may be limiting what a user can do.

I don't believe that "think[ing] of [user's security]" is a bad thing. User security is valuable for a platform and is essential for scaling.


...yes.

Unavoidable hard restrictions like this make it dramatically harder to do malware research (thereby reducing security overall) and cause huge & unreasonable problems the moment you see a false positive.

I'm all for user protection, but there is a limit. There's no point aiming for 'impossible' - if the user could be convinced past enough security warnings in the OS, they can equally be convinced to just type their banking passwords into the attacker's phone directly.

I think there's a responsibility on the platform to make possible consequences clear, and make dangerous actions quite difficult, but totally blocking full user control of their own devices is counterproductive.



