
Having used the reMarkable 1 tablet for over a year now, the hackability is so refreshing to have in a consumer device. The tablet runs Linux and you can SSH into it with root access.

The hacking community is quite active; one frequently asked question is how to get and run custom software on the device.

There's the Entware[0] package repository for running ARMv7 software on the tablet. Recently a community-maintained package repository, toltec[1], for tablet-specific software was created and is actively maintained.

For Nix users, I've been helping build a Nix-based cross-compile toolchain[2], so you could easily cross-compile a good amount of the 60K packages on Nixpkgs for the tablet. Upstreaming the cross toolchain to Nixpkgs is in the works.

To see what the community is up to, see the IRC channel[3], Reddit[4] and Discord server[5].

[0] https://github.com/evidlo/remarkable_entware

[1] https://github.com/toltec-dev/toltec

[2] https://github.com/siraben/nix-remarkable

[3] #reMarkable on Freenode

[4] https://reddit.com/r/RemarkableTablet/

[5] https://discord.gg/JSSGnFY



I stumbled on some article describing that Remarkable calls home and sends some statistics. I've checked and indeed it does.

My hacking attitude says it is absolutely unacceptable. The good news is you can disable it, and I did. But for people to be aware, this is what it does by default. Can't say I like that part of rM software.

Unfortunately now I've looked for the article and can't find it. If you saw one, please drop the link here, there is more info there.


Apple and Google do the same thing, except they aren't open source or user modifiable. (Well, Apple isn't.)

It's interesting that the second most visible comment on a thread about an open platform product holds them to a much higher standard. (I'm not calling out your comment, but rather the general perception.)

I wish more people would take your perspective for our phones and devices.


Some of us hackers feel the same way. I'm the author of a paid-but-GPLv3+ program called RCU[1] that almost 400 people use because they don't want to, or legally can't, interface with a cloud. I never connect my tablet to the net except to get software updates.

[1]: http://www.davisr.me/projects/rcu/


Thanks for the software and documentation you've written for the reMarkable. I've taken a different approach for running Debian buster, but your guide [1] saved me a lot of time nonetheless.

[1] http://www.davisr.me/projects/parabola-rm/

chroot for now, systemd-nspawn as soon as I have time to hack on it later, as I want to be able to switch between whatever I'm running and reMarkable's original software.


I'm really glad you found it useful! Do you think it saved you $20 worth of time? :)

Parabola-rM is really a labor of love, and half of the proceeds are donated to the FSF and Parabola project. It would mean a tremendous amount to have your financial support for independent free software development (and if you have already bought a copy, thank you!).


It did, and I'd been meaning to show my appreciation. I just bought it (finally).


Thank you!


Would love to buy once I restore access to online payments after the pandemic. As I understood you do provide sources if I am correct? I am thinking about porting to rM some programming languages and curious how you've managed with framebuffer.


FYI: I noticed that https on your site times out but http works.


I don't have HTTPS on my site (I do when people download files, on files.davisr.me, but not on my www).


Ah. I see the issue, the HTTPS-Only mode of Firefox and the Encrypt-all-sites mode of HTTPS-Everywhere think that you do, because closed TCP ports on your server don't respond to TCP SYN requests at all, whereas normally servers indicate connection refused by sending a TCP RST packet. So anything trying to access HTTPS on your site will just time out.


Thank you for that tip. Yes, I was blocking all connections to 443 on my firewall but I didn't realize that clients like those had such long timeout periods. Those connections should now be explicitly refused.
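
The difference described in the two comments above (a port that silently drops SYNs versus one that answers with a RST) can be observed from the client side. The following is an added example, not part of the thread or of any commenter's code; the function names are illustrative and the loopback ports in the demo are constructed for the example.

```python
import errno
import socket
import time


def probe(host, port, timeout=3.0):
    """Classify one TCP port by how the far end answers our SYN.

    Returns (state, seconds_waited) where state is:
      'open'     - SYN/ACK came back and the handshake completed
      'refused'  - a RST came back (closed port or explicit reject rule)
      'filtered' - nothing came back before `timeout` (SYN silently dropped)
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            state = "open"
    except ConnectionRefusedError:
        # The fast failure an HTTPS-first client needs in order to give up
        # on port 443 quickly instead of hanging.
        state = "refused"
    except socket.timeout:
        # What the thread describes: the firewall drops the SYN, so the
        # client keeps waiting until its own timer expires.
        state = "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            state = "unreachable"
        else:
            raise
    return state, time.monotonic() - start


def demo_local():
    """Constructed loopback demo: one listening port, one closed port.

    The 'filtered' case needs a firewall that drops SYNs, so it is not
    reproduced here; probe() reports it when the timeout expires.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    closed = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed.bind(("127.0.0.1", 0))  # bound but never listen(): SYN gets a RST
    try:
        return {
            "listening": probe("127.0.0.1", listener.getsockname()[1]),
            "closed": probe("127.0.0.1", closed.getsockname()[1]),
        }
    finally:
        listener.close()
        closed.close()


if __name__ == "__main__":
    for name, (state, waited) in demo_local().items():
        print(f"{name:10s} {state:9s} after {waited:.3f}s")
```

A `refused` result returns almost immediately, while a `filtered` result always takes the full timeout, which is the delay the browser extensions were running into.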


I cannot reply to your lower-level comment at the max nest level, but I disagree with you about https.

The contents of the https transaction is not available to the CA.

The data is not available for snooping for intermediaries.

And tampering, while it seems like a silly check, is actually done almost casually by ISPs for a variety of reasons. They will insert executable code into a HTTP reply.

In other words, preventing HTTPS might support the subjugation of your users by others.

Sounds silly but once RMS said "proprietary software subjugates people" and it sounded like weird over-the-top political rhetoric when I heard it. But over time I notice that indeed subjugation is a huge part of our use of computers


> I cannot reply to your lower-level comment at the max nest level, but I disagree with you about https.

You've somewhat misunderstood me, or perhaps not cared to listen to what I stated, and now you're disagreeing with your incorrect interpretation of what I said. I wish you had given a point-by-point argument to what I said, and told me each sentence you disagreed with (I'll do that here).

> The contents of the https transaction is not available to the CA.

I never said that. I said, "both sides of the connection, and everyone in the middle, know who they're talking to." E.g. if you're talking to Google, then you know that you're talking to Google, and Google knows it's talking to you, and your ISP knows that you and Google are talking.

> The data is not available for snooping for intermediaries.

Yes, it is. See: NSA FLYING PIG. See: all bogus certificates ever issued by a CA. See: "Flame" malware that was signed using a bogus Microsoft certificate. See: <just do a web search>

> And tampering, while it seems like a silly check, is actually done almost casually by ISPs for a variety of reasons. They will insert executable code into a HTTP reply.

How did you interpret this statement? "...that is a social problem and not a technical one. Sure, some technical measures may mitigate that from happening, but ultimately the problem is social and users of that network should stop using it, or start tunneling their traffic some other way."

> In other words, preventing HTTPS might support the subjugation of your users by others.

No, if I don't want to support HTTPS then that is _my freedom_. Would I not be subjugated by a corporate CA, and would I not need to support that for the rest of my website's life? (Yes, I would.) And, again, it is not my responsibility to protect people from their malicious ISPs. The problem is obviously the ISP, not my website. And again, I offer trust and validity checks for all important files served by me in the form of PGP certificates.

> Sounds silly but once RMS said "proprietary software subjugates people" and it sounded like weird over-the-top political rhetoric when I heard it. But over time I notice that indeed subjugation is a huge part of our use of computers

That doesn't sound silly at all, what RMS said, but your interpretation of it certainly is. Do you believe conscientious objectors support war if they are not actively trying to dismantle the military?

I don't support the subjugation of users--I believe users ought to hold all the freedom themselves, including the freedom to protect their communications if they wish, but I don't have to actively participate in the obvious corporate racket of acquiring SSL certificates, and the eternal responsibility they require. I deserve the freedom, too, to host a site independently--and that is what mandatory HTTPS (without a distributed web of trust) will take away--not away from me, because I can always host a site no one visits, but away from users who won't anymore have the choice.

"we need completely distributed human-to-human trust without any corporate authorities."

Just to be clear: I'm not against HTTPS--I would love to have trust and validation to those I'm speaking with electronically. But, the way SSL is implemented today (with CAs) is not something I am willing to support for my personal website.


ok, but although HTTPS has some drawbacks, I think HTTP has many more drawbacks.

I think this is sort of like "lock your car doors". Yes, a dedicated thief can bypass the locks and open your car, but you don't have to leave your car doors unlocked and let anyone enter your car at will.

I think a reasonable middle ground might be to maintain HTTP and do HTTPS using letsencrypt. If one of the CAs does something to limit your freedom, you could redirect https to http and turn it off.

Anyway, it's good to see you're basing your argument on your principles, many people cave early and easily.


Out of curiosity, why do you block HTTPS when you otherwise seem very privacy conscious?


There are a few reasons, but since you worded that question ambiguously, I'm not sure if you know that HTTPS doesn't protect privacy. It can verify data in-transit is not tampered (maybe--see NSA note below), but nothing is anonymous (both sides of the connection, and everyone in the middle, know who they're talking to). Maybe the URL is private, but that's a very low bar for privacy.

There's also a problem with how certificate authorities are run which I strongly disagree with. People trust them because corporations trust them, which is already bad, because those same corporations are in-bed with NSA and probably other "security" agencies (which are hard to tell apart from criminal syndicates). If we moved to an HTTPS-only world (Universe, please forbid) there would be an absolute CA racket, and any website could be censored by having the CA revoking its certificate. I fear very much for that possibility, and I completely disagree with the direction that corporate browsers are taking by moving towards HTTPS-only, and especially false messaging like when Chrome reports websites as "non-secure". Firefox, which along with Mozilla is almost entirely funded with Google dollars, is going the same direction.

Another problem is if an ISP is tampering with a customer's connection, that is a social problem and not a technical one. Sure, some technical measures may mitigate that from happening, but ultimately the problem is social and users of that network should stop using it, or start tunneling their traffic some other way.

I provide HTTPS as a convenience for people downloading my software who otherwise wouldn't check my PGP sigs. Browsers like Chrome have false messaging claiming sites are "not secure" and techno-illiterate users don't understand what that really means, and they complained, so I listened but still advise everyone to check the signatures anyway.

Another major reason is that I don't care to support HTTPS for the rest of my life on my personal website. If I were to start supporting it, then everyone will start linking to the HTTPS version, then I could never get rid of that because redirecting back to HTTP requires HTTPS. I never collect any kind of data through my website--there are no form submissions, it's read-only and purely serves .html pages (not even server-side rendering). There's not really a purpose to a secure connection for that.

This only scratches the surface of these problems. I won't even get into how certificate authorities assign, then revoke, bogus certificates all the time--but that happens more than they will ever admit to. If you do a search for that, even just on Ars Technica, you'll find a lot of examples.

My biggest complaints may be summarized as, "we need completely distributed human-to-human trust without any corporate authorities."


In what situations would someone not legally be allowed to interface with a cloud? Something like GDPR, or a personal injunction? Just out of curiosity, I've not heard of such a restriction.


Doctors, lawyers, psychologists, teachers grading papers--lots of instances where people can't share their data with third parties.


Majority of consumer facing products collect usage analytics, otherwise they don’t know how to improve the product.


I usually use two squares of toilet paper per wipe. Occasionally I’ll use three, sometimes accidentally and sometimes because I need three. Whenever I use three I wonder to myself how that will appear when the numbers are crunched. Then I remember there’s no analytics for my toilet paper.


> Then I remember there’s no analytics for my toilet paper.

Apparently there are, but they are self-hosted and on a real-time multitasking system.


hahahahaha

reminds me of the Blue Man Group (performance artists) doing a hilarious send-up of the internet interpreted as interconnected sewage plumbing


Depends if you're a scruncher or a folder.


> otherwise they don’t know how to improve the product.

Or, you know, they could just ask customers how the product is working for them. Automated data collection is a huge, huge problem and stampedes over civil liberties. We ought to control our computers, and not be controlled by them, which is why I vigorously oppose all non-free (proprietary, non libre) software.


I send error data from all of my web and mobile apps. We catch a LOT of bugs that we don't see in test due to browser differences or state differences. While this may be invasive, it's necessary to deliver a good customer experience.

I believe a gradient exists here. That's why we don't collect any usage information, but error reporting is something I've found life changing especially given how fragmented the experience is across different browsers and devices.


I see your point here, and then I count the number of times I have responded to survey requests or participated in nielsen ratings surveys, even when paid to do it.

That number is zero.


I agree, most companies conduct feedback in a completely impersonal way. I tell my customers that my software doesn't contain any tracking or telemetry, and that human-to-human feedback (direct email) from users is the only way I can know of problems. I also make it very clear that I am open to all kinds of feedback. This is great because I get bug reports directly, can understand how people are using the program in their workflow, and can contextualize feature requests and build solutions that fit for everyone.

Users like this because they are actually being listened to by the software's author, there is no overhead to fixing problems, and they aren't being shoehorned into a database.


Of course direct feedback is good. But it's not scalable and you risk running a very real case of bias towards whoever you're asking. Running telemetry on your software is not "evil" or "stampedes over civil liberties". You can most certainly run telemetry in a way that protects people's privacy and gives you insightful data on how your users operate and interact with your software. I know this, I've worked on an analytics service serving hundreds of millions of users. I'm building right now a feature-flagging/configuration/core metrics service that does exactly that: preserve user privacy and allow developers to learn about their users (not easy and there are some trade offs, like accuracy).


Asking users how they use a product and measuring it results in dramatically different data.


I can't count the number of times I have seen a new product or bit of software and thought immediately "That sounds like a horrible idea, how useless" And then later eventually trying it and liking it.

Asking customers what they want can be useful sometimes but mostly people don't know what they want other than a slightly improved version of the thing they already like.


“If I had asked people what they wanted, they would have said faster horses.” -Henry Ford


They need to use another approach. It's spying.


I really worry about the normalization of this sort of thing.

Really - in a respectful relationship with a vendor - you would gain SO much by just asking. Even if people say no.

Really, it's like "I wasn't stalking you, I was just collecting valuable feedback for improving our next date!" <slap!>

Instead, try "Hey, how are you - did you have fun?"


When I worked at HERE we had a feedback form in the corner. More than half of the feedback was people who were angry about the feedback form itself.


Did it pop up along the side of the screen and ride up and down?


> Majority of consumer facing products collect usage analytics, otherwise they don’t know how to improve the product.

Producers managed to improve products for thousands of years without violating the privacy of their customer. Equating slightly inconvenient with impossible doesn't make for a great argument.


The improvements were stumbles in the dark by comparison — people didn’t even realise colour blindness existed until the industrial revolution.

That said, while I am fine with automated bug tracking for this sort of goal, I absolutely agree that all automated tracking needs to be opt-in rather than opt-out.


Yeah, while I'm not a fan of involuntary data collection it completely makes sense why firms do it. Unskewing data collected in voluntary and self reported scenarios is a treacherous and sometimes impossible undertaking.

Edit: Often times we're not talking about the difference between good data and really good data. We're talking about the difference between useful and useless data.


Automatically collected data can be just as misleading as voluntarily reported data.


How so?


Opt-out analytics is not the only way to do research on your own products or users. Not by a lot.

And it being popular doesn't justify it, it's just an invasion of privacy that many people put up with (or are unaware of).


I don't agree it's a 0 or 1 decision, you can gather analytics in a privacy-preserving way, see e.g. plausible.io [1] or similar implementations that track users without collecting personal data.

[1] https://plausible.io/self-hosted-web-analytics


Looks like a great service. I hadn’t seen it before and the timing is perfect


I suppose your mattress phones home to tell its makers how often you sleep and with which frequency you do other vigorous physical activities on it. Only way to improve it.


If it's internet-connected, yes, absolutely. There are quite a few of these, e.g. https://sleepgadgets.io/smart-mattress-smart-bed/ (random selection from googling)


I think that a mattress is a bit simpler than an application with hundreds of thousands of possible interactions. There are not so many different ways you can use a mattress.


> There are not so many different ways you can use a mattress.

You lack imagination my friend


a lot of mattresses do.. and it's likely your smart watch does as well


>Majority of consumer facing products

There is a limit to what majority can decide for a person and it's called "rights of a person" designed exactly for that purpose.

So, for instance, majority in Nazi-Germany was ok with humiliating and eventually killing Jewish people and that fact doesn't make it justified anyhow. Majority sometimes disrespect freedom of speech using bullying innocent comments advocating respect for a freedom which we observe recently even here in form of downvoting and it also has no justification whatsoever.

> otherwise they don’t know how to improve the product.

They should ask and pay for participation if they wish to know, or they simply don't know, it's ok.

If I wasn't asked about it I consider it a spyware activity and we have no idea what they do with this information now or in the future.

R. Stallman explanation: https://www.youtube.com/watch?v=CP8CNp-vksc


Godwin in 3 comments: it's not a record, but it's a contender!


> absolutely unacceptable. The good news is you can disable it

Sounds pretty acceptable to me actually

I like Syncthing's approach: In Syncthing, telemetry is enabled by default, so they get statistics and can improve their product. But there's also a prominent info banner about this, so everyone learns about it, and can opt out.


> The tablet runs Linux and you can SSH into it with root access.

What? That's amazing. I agree with you, so refreshing.

A pity that three friends tried the latest one and all decided to return it. Very dissatisfied with the product overall.



