I once had an interesting conversation with an Android OEM. I sat down with them to discuss what security issues they'd like to see the Android security team work on. They asked me "When are you going to fix the USB hole?". I didn't know what they meant and asked for clarification. They explained that in some parts of the world, notably India and China, there were "free" charging stations set up in bus stops, train stations and other public areas. These charging stations allow the public to charge their phones, for free! There's just one catch. On a sign above the charging station there's a set of instructions that tells users how to go about activating the charging. The sign tells them to go into the Settings app, then "About Phone", then scroll down to the build number, tap it seven times, then... it walks them through enabling ADB and accepting the key of the "charging station" computer, which would then proceed to install malware -- and to start charging.

Huge numbers of people used these charging stations every day, to the point that the biggest problem users had (besides the malware) was that they were always occupied. No one had a problem with "activating" charging for their device.

90% of people are capable of following a list of instructions. 100% of people are capable of either following a list of instructions or getting someone nearby to do it for them.

Anyway, this OEM wanted us to disable ADB entirely, or allow them to, because their users were doing it, getting loaded up with malware, and then blaming the OEM for making a crappy phone. I, of course, told them that we were not going to disable ADB and we were not going to remove the compliance requirement that forces them to support ADB.

Unfortunately, the current change still doesn't fix the "USB hole", but it does offer a way to rate-limit malware installation via downloadables.

Anyway, if you really think your users can't follow instructions, or can't get someone else to do it for them, you can always just register for a developer account. As long as you don't distribute malware, people will be able to sideload your APKs without using ADB. If the $25 is too much for you, maybe share the cost with some buddies, or get one of the limited accounts, though your APKs will only be installable on a small number of devices. Except, of course, by people who can follow instructions, or get someone else to.

Yep. It allows them to stop malware. How terrible!

How did you learn this?

I suspect you actually do derive a lot of utility from AWS and Azure, you just don't realize how many of the services you use every day are running on them.

Oh, actually, I missed the most obvious flaw in this argument: The verification doesn't give Google any significant control! It does give them the real-world identities of registered developers, yes, but then what? It doesn't do anything to require registered developer to use the Play store or comply with any Play policies other than one: Don't distribute malware.

The real purpose here is malware rate-limiting. Right now, malware authors can pump out huge numbers of apps with small variations to defeat identification. Google may identify one malicious app and warn all of the user that have it installed, but the malware author has thrown out a hundred variations of that app and Google only twigged to one. What ID verification does is require the developer to tie each app to a unique government-issued ID. In countries where you can't just go get a hundred government IDs, this means teams of malware authors can make approximately one malicious APK per team member. In countries where they can go get a hundred unique government IDs per person (because the government is actively cooperating or because they have a cousin in the ID office) it doesn't help so much, but Google can then start working with the governments to crack down.

I don't know if you noticed in the announcement, but this program is starting in a small number of countries, with the cooperation of and at the request of the governments who are trying to defend their populace against waves of malware. This isn't an accident.

Actually, though, your comment and my off-the-cuff response both miss the real difference which is why malware authors would choose to use F-Droid to distribute their apps. They'd have to publish source, which would be a disadvantage in the competitive world of malware authoring, and publishing source code would also make it easy for their malicious code to be identified. It makes a lot more sense for them to publish via downloadable sideloads or -- even better, if they can manage it -- in the Play store.

From a security perspective, it makes sense to treat F-Droid differently from random downloadable sideloads... but how is the Android OS supposed to tell the difference? The Android mechanism for establishing APK trust is signatures. So... F-Droid could arrange with Google to get the platform to trust APKs signed by F-Droid, which would make F-Droid work fine. And, actually, there's no need for Google to go through any complicated process to set that up: F-Droid can simply register as a developer and sign the APKs it distributes. Done. Of course, if F-Droid ever screws up and does distribute malware, it could result in all of their apps being evicted from Android device, but since F-Droid is a zero-malware platform, that's not a problem, right?

How many apps in F-Droid vs how many in the Play store?

I just got the v14 upgrade a few days ago, and it's a mixed bag. On the plus side, it now handles parking, as in I give it a destination, it drives me there, goes into the parking lot, picks out a spot and parks in it, all with zero human input or intervention. On the negative side, I think v14 needs a little more compute horsepower than my 2025 Model S has. I used to have a 2020, with previous-gen computer, and as FSD got more capable it actually degraded a bit, becoming indecisive and occasionally "stuttering". With the new car that went away entirely. I was very impressed. With v14, in the new car, it's began to get indecisive and stutter again. Not often, but it happens. I think this is a result of the model not being able to complete its processing quickly enough, because it doesn't have enough compute.

I'm hopeful that they can refine and optimize v14, though, to fix that problem. Other than that, and the fact that on the country roads where I live it always wants to drive too slow (the roads are small, but the speed limit is 45 and everyone drives 50-55, while the car is clearly not comfortable going over 35-40), it's extremely good.

Experience is just a feedback loop. Stuff happens externally, triggering computation and generation of explanations, then the events are stored in memory -- including the memory of the explanations. Then, later explanatory computation (reflection / introspection) uses those memories and creates additional memories. These layers of reflective/introspective computation constitute the experience of consciousness, but there's really nothing special about it. It's just cycles of self-referential computation.

I'm pretty confident that as our AI models begin to run more continuously as agents rather than episodically as task-focused systems, and as they gain better ability to reason about and generate explanations of their own previous "thoughts", they'll reach a point where we'll have to call them conscious or at least admit that we can't distinguish what they do from what we do.

If it's about control, why is Google leaving ADB installation open? That undermines their control. Unverified limited distribution accounts also undermine their control. Why isn't Google just doing what Apple does, and requiring a verified developer account before you can do anything at all?

I'm curious how you interpret these decisions within your "100% about control" theory.

So... your argument is that if Google isn't 100% successful at keeping malware out of the Play Store, they aren't doing the job at all? You think identifying malware at scale is easy? I used to work on Android security and know a lot of people on the anti-malware team. It's incredibly difficult, especially since it's a continual cat-and-mouse game with malware developers who do all sorts of things to obfuscate what their code does. Google has hundreds of talented engineers focused on this problem, but there are tens of thousands of people producing malware; it's big business and there's a lot of money in it.

As the announcement said, Google finds that 50X as many malware installations on Android devices are from sideloading. You really don't think it makes sense for Google to try to reduce that?

From Google's FAQ

Will Android Debug Bridge (ADB) install work without registration? As a developer, you are free to install apps without verification with ADB. This is designed to support developers' need to develop, test apps that are not intended or not yet ready to distribute to the wider consumer population.

Obviously, ADB can't distinguish the cases of (a) an app developer who just wrote an app using ADB to install an APK on their device for testing and (b) any random person using ADB to install an APK on their device for whatever reason they like. This means that random people can use ADB to install APKs from unverified developers.

Well, if that were the point of the system, you'd be right, but it's not. The point of the system is to make it hard for malware authors to distribute malware to large numbers of users without getting quickly shut down. This system doesn't "scan apps" at all... Android just won't install downloaded APKs that don't have a Google-provided signature on them, but it will install ADB-installed APKs without a Google-provided signature because app developers need to be able to build and test apps without having to send every version off to a Google server for signing.

I don't know about more explanatory power, but here's another theory for you: Consciousness doesn't really exist, at least not as far as we know. What we perceive as our own consciousness is just a result of the effort of one part of our brain to generate explanations for the results of computations by another part of our brain. The process of generating explanations requires a little bit of recursive analysis that looks like introspection and self-awareness, except that nearly all of what it's allegedly introspecting is actually completely opaque to the computation that generates the explanations. Note also that there needn't be any actual correlation between the generated explanations and the computation that is being explained (there's actually pretty good empirical evidence that our explanatory systems are just as good at explaining something we actually disagree with as something we decided, BTW).

Now, why did we evolve such an explanation engine? Because it was adaptive for a communal species, of course, especially when coupled with another ability that co-evolved with it: Rich, detailed communication (speech, and more). We developed the explanation engine so we could use the explanations to convince others in our community that our unexplained computation results (decisions, actions, etc.) are better than theirs. This development was both communally adaptive, because battling explanation engines (people arguing with each other) actually result in the construction of better joint computations, enabling the community to make better collective decisions and thrive, and individually adaptive because the better explainer is able to get their way more often and increase their status within the community.

So, within this theory, your questions are all pretty easily answered: (1) Consciousness is just an illusion that arises from the layered structure of our brains, which are, indeed, purely physical objects, though incredibly sophisticated. (2) This apparent consciousness and the logic circuitry that underpins/enables it closely matches evolutionary adaptiveness because it is actually an evolutionary process: The explanatory engine operates by generating, testing and selecting postulates, just as evolution operates by generating, testing and selection genotypes. (3) Consciousness is illusory so the question of where to draw the line doesn't make sense, but you can also clearly see that rocks don't have anything that might appear to be consciousness because are no computational processes going on in them. Cities might, however, especially when you note that human cities contain institutions that both compute (make decisions) and attempt to explain those computations, but we'd really need a much more precise definition of "consciousness" to attempt to answer this question. Such a definition is impossible, however, because consciousness is just an illusion anyway.

From the summary:

In its blog post, F-Droid warns about the impact on users and Android app developers. "You, the creator, can no longer develop an app and share it directly with your friends, family, and community without first seeking Google's approval,"

You can still develop an app and share it directly with whoever you want without registering, you just have to convince them to use ADB to install it, rather than clicking a link on a web site or downloading from an app store (like F-Droid). This adds a lot of friction and requires your potential users to trust you quite a bit more, because it feels like they're taking a bigger risk, even though there isn't any actual difference in risk. I expect that we'll start to see apps packaged with ADB for a "single-click install" from a Windows machine, to reduce the friction as far as possible. Users would still have to do the dance to enable developer options, enable USB, then tap "accept" on the ADB key popup, though an installer could (and probably will) walk them though that.

Also, although I don't think details are available yet, Google says there will be an option for "limited distribution accounts" which don't require any fee or ID verification, but can only distribute their apps to a limited number of devices. For people who just want to share with friends and family, this should cover them.

Food was a significantly larger percentage of disposable income in the 60s and 70s. And, as I mentioned before, that steady decline in the money spent in food was actually offset to a large degree by an increase in eating out (or ordering in). If we still ate at home as much as we used to, the drop would be even larger.