
Nice. We've seen some good engineering work from DeepSeek. Keep it coming.


Yes, before the USA figures out a way to tariff open source.



Wait. When I first saw this news on Twitter I thought it was a joke, since it was a tweet by The Onion.


I’ve been using Linux for a long time for personal purposes and I understand what the blog says. But I also feel like it doesn’t have to be this way: Linux should be easy to use, with little hassle, friendly to newbies, with a community of support.

Over the years the Linux desktop has indeed improved, but it still has many problems in use. We should adopt a growth mindset instead of sticking to asceticism.


I'd like to hear a security expert's take on this. Something about this makes me feel real nervous.


It's better than what people are currently doing. You can cut and paste your auth token into 3rd party services that will give you stats and remote control over your car.

As of 6 months ago there was no way to manually revoke an auth token.


I mean, oauth2 is pretty much the standard/best practice for third party access to user-controlled identity and/or resource permissions. I'd like to know more about scopes and how they do authz, but as far as access goes, this has the makings of a best practices implementation like you'd see from Google, reddit, etc. Fine grained access control via scopes, user-facing "you want this app to get access to <list> permissions?" and the ability to later revoke that access.

I'm sure you can find people who'd disagree, but it's far better to build on a standard than something homegrown.


OAuth2 was the best practice way to do that back in 2014.

Now, companies like Facebook have discovered the hard way that most users don't think carefully before giving away access to their data. All it takes is one app that says "I'd like access to everything you can see on Facebook please", and that's how Cambridge Analytica happened.

Ever since then, the vast majority of companies have locked down APIs, because the company doesn't want to get in legal hot water for the actions of a third party app granted full access by the user.


That doesn't mean OAuth2 isn't still the best practice. I'd go as far as saying OIDC is best practice for OAuth2 as well.

What you're saying is orthogonal and more about figuring out how to effectively manage users and the accesses they can grant, how easily they can grant certain permissions, how often they should review access, all that.

Facebook has had issues there, and I'd say Android has also had issues with similarly vague/permissive grants (local-only, completely outside OAuth2), and has learned ways to proactively manage those for users and keep sets of permissions minimized to apps you actively use/want. But none of those really has much to do with whether or not oauth2 is a great way to allow third party access to user resources. That remains a really solid control mechanism.


If anything this is making it safer for the owners, because pretty much all the third-party apps have full access to the vehicle, since some owners shared their password with some random third-party company so that they can have some additional features in their app.


Probably not a huge risk. Currently third party apps just take your username and password, and log in pretending to be you.

This is a more official and more secure way to do the same - the user/tesla is in full control of which apps have access, what data each app can see, and can revoke access anytime.
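The scoped consent and revocation flow the OAuth2 comments above describe, as an added example that is not from the original thread and not Tesla's API or any real library: a toy authorization server issues bearer tokens carrying only the scopes the user actually granted, a resource server checks the required scope per endpoint, and a revoke call kills one grant without touching other apps' tokens. The endpoint names, scope names, client names and in-memory stores are assumptions for the demo; the password-sharing function shows the status quo the thread contrasts it with, where the third party gets everything.

```python
"""Toy OAuth2-style scoped access vs. shared-password access (illustration only).

Assumed for the demo: endpoint and scope names, client ids, in-memory stores.
Not a real authorization server; real ones also bind tokens to TLS, PKCE, etc.
"""
import secrets
import time

# Hypothetical resource endpoints and the single scope each one requires.
ENDPOINT_SCOPES = {
    "GET /vehicle/state": "vehicle:read",
    "POST /vehicle/unlock": "vehicle:cmd",
    "GET /account/billing": "account:read",
}


class AuthServer:
    """Issues bearer tokens scoped to exactly what the user consented to."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.tokens = {}      # token -> {client, user, scopes, exp}
        self.revoked = set()  # tokens the user (or server) has revoked

    def consent(self, user, client_id, requested, granted):
        """User-facing consent screen: issue only scopes the user ticked,
        and never more than the client asked for."""
        scopes = frozenset(requested) & frozenset(granted)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {
            "client": client_id, "user": user,
            "scopes": scopes, "exp": time.time() + self.ttl,
        }
        return token

    def revoke(self, user, token):
        """Revoke one grant; only the token's owner may do it."""
        meta = self.tokens.get(token)
        if meta is None or meta["user"] != user:
            return False
        self.revoked.add(token)
        return True

    def introspect(self, token):
        """Return token metadata if it is live, else None (introspection-style)."""
        meta = self.tokens.get(token)
        if meta is None or token in self.revoked or meta["exp"] < time.time():
            return None
        return meta


class ResourceServer:
    """Enforces the per-endpoint scope against the presented bearer token."""

    def __init__(self, auth):
        self.auth = auth

    def handle(self, endpoint, bearer):
        needed = ENDPOINT_SCOPES.get(endpoint)
        if needed is None:
            return 404, "no such endpoint"
        meta = self.auth.introspect(bearer)
        if meta is None:
            return 401, "invalid, expired or revoked token"
        if needed not in meta["scopes"]:
            return 403, f"missing scope {needed}"
        return 200, f"ok for {meta['user']} via {meta['client']}"


def password_login(user, password, stored):
    """The status quo: handing a third party your password gives it a session
    indistinguishable from you, with every scope and no per-app revocation."""
    if stored.get(user) != password:
        return None
    return {"user": user, "client": user,
            "scopes": frozenset(ENDPOINT_SCOPES.values())}


def demo():
    """Walk through consent, scope enforcement, revocation and the contrast."""
    auth = AuthServer()
    api = ResourceServer(auth)
    # A stats app asks only for read access and the user grants it.
    tok = auth.consent("alice", "stats-app", ["vehicle:read"], ["vehicle:read"])
    results = {
        "read": api.handle("GET /vehicle/state", tok)[0],
        "unlock": api.handle("POST /vehicle/unlock", tok)[0],
        "billing": api.handle("GET /account/billing", tok)[0],
    }
    # An over-asking app gets only what the user actually ticked.
    tok2 = auth.consent("alice", "greedy-app",
                        ["vehicle:read", "vehicle:cmd", "account:read"],
                        ["vehicle:read"])
    results["greedy_unlock"] = api.handle("POST /vehicle/unlock", tok2)[0]
    # Revoking the stats app leaves the other app's grant untouched.
    auth.revoke("alice", tok)
    results["after_revoke"] = api.handle("GET /vehicle/state", tok)[0]
    results["other_still_ok"] = api.handle("GET /vehicle/state", tok2)[0]
    # Password sharing: the third party can do everything the user can.
    sess = password_login("alice", "hunter2", {"alice": "hunter2"})
    results["password_scopes"] = len(sess["scopes"])
    return results


if __name__ == "__main__":
    print(demo())
```

The interesting lines are `consent`, which intersects requested and granted scopes so the consent screen is the ceiling, and `introspect`, which is the single place where revocation and expiry are checked, so the resource server never has to know why a token died.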


I'll take it over the existing situation and over the situation of fully undocumented APIs that others seem to use. I'm afraid there is likely a lot of security by obscurity left in the auto industry.


Great technological advancement. I believe congratulations are in order.


I'm partially degoogled thanks to Hacker News as well as "Tech Twitter."

And as much as I don't think people can be completely "degoogled", we need some healthy competition to keep the juggernaut's power in check. And hopefully we can nudge it towards more privacy-aware and open practices.


Interesting. It would be really helpful to see a more detailed expert audit of the reverse-engineered source code, pointing out the actual privacy offenses and analyzing how dangerous they really are compared to other social media apps (Twitter, Facebook, ...).


FWIW, people are already using Apple Pay and Google Pay through a phone with fingerprint sensors. So... it's really not a new thing we're sacrificing privacy for convenience.


This is completely incorrect.

I use biometrics locally with my phone, but do not transmit that data to Apple, to Amazon, to MasterCard, to anyone. All they get is the usual credit card info.

Amazon is trying to cut out the middleman here, but the middleman they're trying to remove is under my control, and Amazon definitely isn't, so the shift is enormous.


Difference is that a fingerprint is only stored on your device, and it's just a single print.

This is your entire hand, and it's stored off-site and owned by a company who at any point in time can change their mind about that data and sell it to whoever will pay for it.


That's very different--that's on my own hardware, and my fingerprints don't leave the phone. This is amazon's hardware, and they store the fingerprints in a centralized database.


Thanks for the work. It's quite a lot of material to compile. I love how you organize your thoughts and knowledge together, and I've just started doing that too.


This could be the right step towards algorithm transparency. It is critical in the information age we're in, while Facebook is promoting alt-right conspiracies, and YouTube is feeding flat-earthers.

Yes. There are more technical issues to resolve. (e.g., How do we verify the algorithm they present is the actual algorithm they use?) Perhaps third party audit, APIs for third parties to test the algorithm? We need constructive criticism rather than cynicism.


I see another problem, and that is the one where they dump a model on the internet somewhere and whenever something goes wrong shrug their shoulders and say "well, that is what the model gave us…we don't know why; you can see for yourself how we didn't bias anything".

