phendrenad2 a day ago | next |

A cynical person (not me, not I, I'm not a cynical person) might think that this is the opening salvo in a campaign to "save" the US tech sector by getting rid of old hardware. See the comments in this very thread calling for a "cash for clunkers for old devices" or a "remote kill-switch" to disable them (!)

Right now you can go to eBay and buy a used PC for $200 that will do everything you need to do, including gaming. You can buy a 64GB iPhone X for $100, which will do everything a new phone will do (basically). Can you imagine the drain on the hardware sector in the US due to these old devices piling up? And the trend is only going to accelerate. If the powers that be aren't conspiring to "fix" this "issue", it's only a matter of time until they do.

isodev a day ago | root | parent | next |

I think hardware vendors have been allowed way too much freedom in trying to turn hardware into a subscription. The yearly release of new phone models isn’t helping either.

winwang a day ago | root | parent | next |

What if we turned hardware support into a subscription (kind of like the JetBrains model, I think?) and stopped yearly releases in favor of more interesting releases? I wonder how many resources are used just to make the next iteration a bit shinier to catch the consumer's eye.

qwertycrackers a day ago | root | parent | next |

I think what this is ignoring is that "security updates" are generally corrections to defects in the original product.

In principle, a complete product would ship with no defects. You could run it for 1000 years unpatched and it would be no less secure than the day it shipped.

Manufacturers ship security updates because the original product was defective. So it makes sense that they remain on the hook for security updates -- we paid them full price up front.

latexr 9 hours ago | root | parent | next |

> In principle, a complete product would ship with no defects. You could run it for 1000 years unpatched and it would be no less secure than the day it shipped.

Not necessarily. Something could be perfectly secure today and for the next 100 years but be trivial to crack in 1000 years because the landscape changed so much. Something that is inconceivable to crack by brute force now won’t be as compute power keeps rising.

It’s impossible to cover every base from the start and forever. Who would’ve thought that soundproof glass could be beat with a camera filming an object?

https://www.newscientist.com/article/dn25999-caught-on-tape-...

> We were able to recover intelligible speech from maybe 15 feet away, from a bag of chips behind soundproof glass
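The brute-force point in the comment above can be put in numbers. The Python below is an added example, not part of this thread or of anything its participants wrote: it estimates how long exhausting a keyspace of a given bit length takes at a constant attacker rate versus a rate that keeps doubling. The starting rate (1e12 keys/s) and the 18-month doubling period are illustrative assumptions, not measurements, and the doubling model is the optimistic-for-the-attacker case that ignores physical limits.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def years_fixed_rate(bits: int, rate: float) -> float:
    """Years to try every key in a 2**bits keyspace at a constant `rate` keys/second."""
    return 2 ** bits / (rate * SECONDS_PER_YEAR)


def years_with_doubling(bits: int, rate0: float, doubling_years: float = 1.5) -> float:
    """Years to exhaust a 2**bits keyspace when the attacker's rate starts at
    `rate0` keys/second and doubles every `doubling_years` years.

    Keys tried by time t (years) is the integral of rate0 * 2**(s/D) ds, i.e.
    rate0 * SECONDS_PER_YEAR * D / ln2 * (2**(t/D) - 1). Setting that equal
    to 2**bits and solving for t gives the closed form below, evaluated in
    log space so very large keyspaces do not overflow a float.
    """
    d = doubling_years
    # work done in roughly the first doubling period; a convenient scale factor
    scale = rate0 * SECONDS_PER_YEAR * d / math.log(2)
    # 2**(t/d) = 2**bits / scale + 1  ->  t = d * log2(2**bits / scale + 1)
    ratio_log2 = bits - math.log2(scale)
    if ratio_log2 > 60:
        # the "+ 1" is negligible at this size; avoid materialising 2**bits as a float
        return d * ratio_log2
    return d * math.log2(2 ** ratio_log2 + 1)


if __name__ == "__main__":
    # Assumed attacker: 1e12 keys/s today, doubling every 18 months (illustration only).
    for bits in (56, 80, 128, 256):
        print(f"{bits:4d}-bit: fixed rate {years_fixed_rate(bits, 1e12):.3g} years, "
              f"with doubling {years_with_doubling(bits, 1e12):.3g} years")
```

The fixed-rate column is the number people usually quote; the doubling column is what the comment is pointing at, and it is the one to use when deciding how much key-length margin a device that cannot be updated needs over its expected life.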

Joeri 13 hours ago | root | parent | prev | next |

As a web developer I really want all devices to have evergreen browsers, and that in turn implies on-going feature updates at the OS level to support those evergreen browsers.

It also doesn’t really matter whether updates are fixes or features. Somebody has to do the work, and they have to get paid, and only so many years of that work can be baked into the original purchase price, before buyers go to a competitor who offers less support. You paid full price for X years of support, but what happens after that?

Wowfunhappy 21 hours ago | root | parent | prev |

I am extremely sympathetic to this view--but is it practical? Like, should Apple be forced to continue releasing security fixes for the original iPhone?

diggum 20 hours ago | root | parent | next |

A relatively small ongoing investment in a phone with which they earned billions of dollars in profit. Doesn't necessarily require new feature updates, but security updates should be available for a far more significant length of time than the single-digit years they have self-regulated themselves to. As an alternative, perhaps these companies should be held responsible for the e-waste of their prematurely expired hardware...

Wowfunhappy 20 hours ago | root | parent |

> A relatively small ongoing investment in a phone with which they earned billions of dollars in profit.

That's fair. But what about a product which doesn't turn a profit? The iPhone could have been a total flop, no one knew in advance!

I worry that if releasing a hardware product carried an unlimited support burden, companies would release far fewer products. Less risk taking would lead to less innovation, and so on.

I think I would be more on board with a rule like "once you stop releasing security updates, you must share hardware documentation and unlock the bootloader", so consumers can install their own (presumably patched) operating systems. But this wouldn't actually affect most of society, because 90% of consumers (I'm being generous) are never going to install Linux on their phones.

Qwertious 15 hours ago | root | parent |

Expecting consumers to DIY install Linux is unrealistic but also irrelevant - that's what commercial refurbishers are for.

graemep 10 hours ago | root | parent |

They could also sell their devices to those users who will install their own OS, or volunteers could help them do it, or simple device specific plug and play installers could be developed.

cwillu 20 hours ago | root | parent | prev | next |

Software copyright law should acquire a concept of defense: if it's no longer profitable for you to maintain it, that should delimit the end of the copyright term, with a short grace period of (say) one year.

Qwertious 15 hours ago | root | parent |

Hollywood accounting says no movie is ever profitable. Your proposed law would just create a perpetual copyright for companies with sufficiently creative accountants.

EraYaN 11 hours ago | root | parent |

The idea being that the security updates would then also have to keep coming as long as copyright is held.

sitkack 20 hours ago | root | parent | prev | next |

Yes they should, they should also be forced to unlock the bootloaders and release specs to the hardware so that 3rd party OSes can target the devices. Hardware recycling is a joke. I have a first gen iPad that would make a great photo frame, video player and ebook reader but instead it is a fully functional paperweight.

genewitch 13 hours ago | root | parent |

First gen "Google" Nexus tablet, factory restored before being put in storage and it's got 15 seconds between touching the screen and the UI even attempting to update. It was a decent small tablet when i bought it, too.

My Nokia N800 runs the exact same as it did when I bought it, used, about 4 years after the release. I can even stream transcoded video to it, still. The camera works. The terminal works fine. That's probably why Apple has trillions of market cap or whatever and Nokia is making $50 feature phones with touchscreens (I haven't seen any nor do I care, the N900 (910?) should have been a bigger deal and I'm still mad)

superjan 14 hours ago | root | parent | prev | next |

How about applying the idea behind ESCROW: if you market hardware with software dependencies, you are required to provide the source to a trusted third party who will release/opensource it if you stop maintaining said software before the expected lifetime of the hardware.

genewitch 13 hours ago | root | parent |

Sounds great, how do you enforce this with the deluge of things like IP cameras and the like from Chinese companies?

100% tariffs? Every outdoor IP camera, for example, is either Chinese manufactured or outlandishly expensive. Even a 200% increase in purchase price makes these devices competitive, still.

vineyardmike 12 hours ago | root | parent |

You don’t force regulatory compliance with a tariff, you force regulatory compliance with import bans. Enforcement is a whole separate issue.

“If you don't follow rule X, you can’t import the cheap IP camera into America”

realusername 8 hours ago | root | parent | prev |

I'm okay for them to stop supporting it but in return they have to open the bootloader and release all the hardware documentation to not turn it into a brick.

SketchySeaBeast a day ago | root | parent | prev | next |

I'm reading this as "Samsung charges a $10 monthly subscription fee to keep your phone up to date" and I already know how that would turn out.

winwang 11 hours ago | root | parent |

I was thinking more like "Samsung charges $50/year after the typical 3-4 years of updates they normally give."

drtgh 12 hours ago | root | parent | prev |

That would only feed their current programmed obsolescence strategy.

If they stop supporting the device, they should release the drivers for the hardware.

kypro 7 hours ago | root | parent | prev |

People don't have to buy this stuff you know...

In a free market vendors should have the freedom to create bad subscription services and consumers should be free to buy other hardware if they don't like it...

I buy a $100 phone like once every 3 years... No one is forcing me to buy a premium Apple phone every year. Doing so is purely a consumer choice. Perhaps a stupid one, but one consumers should have imo.

Just because you and I don't like it surely doesn't mean it should be regulated.

isodev 6 hours ago | root | parent |

The problem is, it's not a free market. We as consumers are literally stuck between gatekeepers. Regulation is not only recommended, it's desperately needed (or an alternative way to force corps out of dark patterns).

getcrunk a day ago | root | parent | prev | next |

I’ve bought three laptops this year from eBay. The second was shortly after the first because I thought it was such a good deal.

A few months later the first laptop's exhaust started smelling like burning plastic and I also discovered that if you move the lid/screen a certain way the laptop hard freezes. A few months after that, the same smell from the second laptop (different model/seller), which progressed into a proper burning smell. In both cases I’m out my purchase price and for the total could have bought new.

On a whim after coming across the thinkpad subreddit I bought a T480s recently. As soon as I got it I paid attention to folding the hinges excessively and noticed it creaks sometimes and the exhaust also gets a little too toasty. So this one is going back.

I’m not against used. I’m a lifelong 2nd hand buyer. No problems with phones or even mini pcs.

I don’t recommend laptops anymore tho. Too delicate and can have hidden issues.

If you read this far: it’s not environmental cus my bought-new laptop (4yo) doesn’t have any issues. And also I did take off the back cover on both laptops and didn’t see any obvious blown parts. And neither is overheating from sensor data even under p95.

cstrat 19 hours ago | root | parent | next |

If you're not against supporting Apple, their laptops always seem to have the most longevity. I am still running my M1 with 8G of RAM and it out performs the latest "top of the line" Windows laptops my work are handing out.

Prior to this one I had a MacBook Pro for about 7 years and before that one the black plastic MacBooks from 2007.

So three laptops for the better part of 20 years.

maeil 9 hours ago | root | parent | next |

We use multiple M1 airs as dev machines and they're all still working perfectly fine and very fast, nothing has broken, on top of that they were all bought used. We're not looking to replace them any time soon. Not an Apple fanatic personally (don't own a single iProduct), but the M series of laptops is extremely well built and performant. I expect them to last at least 6 years from time of purchase.

therein 12 hours ago | root | parent | prev |

My first generation M1 Macbook Pro has been a great workhorse as well. It is still chugging along. The backlight on the keyboard is a distant memory. One of the two USB-C ports decided to retire its data bus. It also made a high voltage arc and rebooted earlier today for the first time ever. I was very pleasantly surprised when I found out the speakers were spared any damage during this process.

It came back online right away as if nothing happened and has outstanding battery life that's still making the M1 Max envious.

transpute 20 hours ago | root | parent | prev | next |

Some eBay ex-enterprise laptops include vendor warranty that can sometimes be extended. Dell US-based ProSupport and Lenovo International Warranty (3 years, optional years extra) offer competent phone support and relatively quick repairs. Well worth the insurance for mobile computing devices in a hostile world.

makeitdouble 21 hours ago | root | parent | prev | next |

Yes, laptops are really not great for resale.

We only buy new and keep ours until they die, and they sure die or become quirky in ways we'd be pissed about if we'd bought them in that state.

The big issue is of course repairability: buying a second hand business Dell OptiPlex is mostly fine because replacing anything other than the motherboard/power supply will be dead simple, and even that can be managed either through salvaging or diy. A flaky or half broken laptop is a world of hurt, for any brand, even if you're into soldering.

JohnMakin 21 hours ago | root | parent | prev |

After going through 6 very high end gaming laptops the last few years, I agree. 4/6 of them failed for insanely stupid issues, 2 were my fault.

sandwichmonger 17 hours ago | root | parent | prev | next |

I use multiple Windows 2000 computers as daily drivers for hobbies, writing documents, internet, et cetera.

It's hilarious to me that I get better performance doing those things on a 20+ year old computer and OS than I used to on a recent computer simply using an internet browser.

zekica 13 hours ago | root | parent | next |

You are not "simply using" an internet browser. You are using an entire (browser) OS in itself on a 4x pixel count display with antialiased text, transparency, blur, scaling, video compositing... The OS itself is using additional compositing for windows using indirect rendering - all the things that add latency. Additionally, you are using a remote application that has its own latency when talking to the remote server and even locally executing JS is doing everything in a single thread, plus V8 JIT only works for hotspots in the code.

jjk166 3 hours ago | root | parent |

Do any of those additional things add value to the user in this application?

If your taxi driver takes you for a 2 hour scenic tour of the city when you simply wanted a direct 20 minute trip, you don't cut them slack for all the extra work they did, you complain they provided a terrible service.

rdujdjsjehy a day ago | root | parent | prev | next |

This seems like that useless definition of "need" that completely discards any real standards for the sake of an argument. A 200 dollar computer at best is going to let you play low demand indie games and things with garbage mode settings for running on potatoes.

dangrossman a day ago | root | parent | next |

$200 on eBay will get you a used laptop with a Core i7, 16GB RAM and SSD; essentially the same specs as my year-old $1000+ laptop, other than having a newer generation CPU. It'll play many brand new games at 720p or better and acceptable framerates.

I still use an original Microsoft Surface Pro pretty often, and can barely tell the difference between using it and that year-old PC for web browsing, document editing, and tablet-style gaming. The Surface Pro came out in 2013.

rdujdjsjehy 21 hours ago | root | parent |

Would you say that your laptop can get 120fps on non-minimal settings while playing the current Call of Duty? What about Grand Theft Auto V or Overwatch?

dangrossman 21 hours ago | root | parent |

I don't get 120fps on non-minimal settings with a PlayStation or Xbox, yet 150+ million people do all their gaming on those consoles (including almost half of Overwatch's player base according to some polls). That's not the test.

rdujdjsjehy 21 hours ago | root | parent |

Would you say you can get 60fps on non-minimal settings on the current call of duty then?

sulandor 13 hours ago | root | parent |

Probably not, and you know, because AAA shooters are typically made to push the boundaries.

The point was that most things are playable and the list is only getting longer.

rdujdjsjehy 12 hours ago | root | parent | next |

It seems weird to write off CoD as just another AAA meant to push boundaries. It's a franchise that has been in the top 3 most sold games every year for over a decade. And the counterpoint was never that nothing would run; it was that this idea that a 200 dollar laptop would be fine for the average gamer seems like a stretch. The average gamer is trying to play the games that are the most popular on average. Sure they could probably run Roblox and Minecraft but that's about it until you hit the old and indie markets unless you start making heavy setting sacrifices.

genewitch 13 hours ago | root | parent | prev |

The ratio of "playable" to "unplayable" vis a vis FPS or any other measure is around 10000000:1, and that grows even if you never upgrade the hardware. Lots of indie games run fine on old hardware - it's just not that demanding.

Sure a plurality of the 10mm will be shovelware or otherwise bad, but do we have to play FFXVII? COD MWII BOIII WW2?

rdujdjsjehy 12 hours ago | root | parent |

You don't but lots of gamers want to and the idea that a $200 machine is somehow going to service them is absurd. Hence my original point that the idea a $200 machine will do everything you "need" seems like a stretch unless your needs are well below what's typical for someone who plays video games.

ruthmarx a day ago | root | parent | prev |

> A 200 dollar computer at best is going to let you play low demand indie games and things with garbage mode settings for running on potatoes.

That's not true. I still regularly use an old Dell Latitude from almost 15 years ago sometimes - it cost under $150. I can do everything I need on it, even compile Firefox. I can't run most new AAA games, but can play a bunch of FPS games from about up until when it came out. It still plays CSGO just fine, for example.

The real advances in performance the last decade have been in GPU performance, not general performance.

rdujdjsjehy a day ago | root | parent |

What settings do you play CSGO on? And is it just CSGO or can you play Counterstrike 2?

ruthmarx 10 hours ago | root | parent |

Low, to be fair; it depends how hot the laptop gets, but usually around 800x600 or 1024x768 and everything low quality. Not great compared to modern hardware, but not as useless as you were suggesting either.

Can't play CS2 because of it needing DirectX12 and the last driver for the video card not supporting it. I've wondered if it would work on Linux since DirectX isn't a factor but haven't tried yet.

hnuser123456 a day ago | root | parent | prev | next |

As soon as they feel like TPM isn't pushing enough HW upgrade purchases...

heraldgeezer a day ago | root | parent |

Yup Windows 10 EOL will be fun...

Windows 10 is "still" on 47% of PCs with Steam installed.

Windows 11 is at 49%.

https://store.steampowered.com/hwsurvey

sandwichmonger 17 hours ago | root | parent | next |

It'll be another Windows XP situation of a large percentage of people refusing to upgrade for 8 years past EOL, the only difference is that XP was a better operating system and doesn't have anything built in that could forcefully update you at M$' will.

heraldgeezer 12 hours ago | root | parent |

>refusing to upgrade

Well, Windows 11 has pretty strict requirements on CPU and TPM to be officially supported. If my computer could have it officially, I would have installed it already.

moffkalast a day ago | root | parent | prev |

> Linux: 1.92% (-0.16%)

> Arch Linux (64-bit): 0.16% (-0.01%)

> Ubuntu 22.04.4 LTS (64-bit): 0.07% (-0.01%)

> Linux Mint 21.3 (64-bit): 0.07% (-0.04%)

> Ubuntu 24.04 LTS (64-bit): 0.07% (0.00%)

> Linux Mint 22 (64-bit): 0.06% (+0.06%)

> Ubuntu Core 22 (64-bit): 0.06% (0.00%)

> Manjaro Linux (64-bit): 0.06% (0.00%)

Year of Linux in gaming, everybody! :(

technofiend a day ago | root | parent | prev | next |

>Right now you can go to eBay and buy a used PC for $200 that will do everything you need to do...

100%! And the average HN poster presumably has the skills to make that work. My suggestion to retire vulnerable devices isn't a US jobs or tech sector program; it was born from a sincere desire to see vulnerable and most likely already compromised devices removed from use.

It seems logical to me that if we're going to look for vulnerabilities in order to help harden devices, you might want to address ones with known issues. And frankly the reason so many devices out there are still in use is because their owners simply don't know any better or see no value in upgrading. Cash for clunkers creates an incentive to fix a situation that I'm guessing many don't even know exists.

phendrenad2 18 hours ago | root | parent | prev |

I mean if we're committed to spending a bunch of taxpayer money on this problem, maybe education and investment into Linux is better than spending it to increase the amount of toxic waste in the ground.

heraldgeezer a day ago | root | parent | prev |

200 for gaming might be cutting it close for me but I am using a 10 year old PC with an upgraded GPU. I guess thats "bad" lmao. Can we end of life the people who will decide and implement some shit like that? :)

Also enterprise will buy new and then sell, why Thinkpad etc is popular. Should that also be banned?

No used cars too, sound good. No used goods at all. Imagine the productivity!!!

Rygian 12 hours ago | prev | next |

In my fictional country, in order to release a software product to the market, or a hardware appliance that runs software, the vendor must:

- Subscribe to an end-of-life insurance package for security software patches. Vendor must contribute periodically. The amount contributed is proportional to the number of appliances sold, with a multiplication factor to account for how hard it is to upgrade the software. Vendor is still legally bound, by SLA, to release software patches and provide an upgrade path to customers for as long as devices remain operational (i.e. no fixed EOL). The insurance is only there in case vendor goes bankrupt.

- Or else release the software under an FSF-approved free software license, including all the needed toolchain to deploy software fixes on an appliance. Any third party is then legally empowered to provide patching services (caveat: the third party must agree to same SLA as vendor in point above).

- Or else vendor must put in place a guaranteed-buyback scheme whereby consumers can get at least 75% of the ongoing retail price (or last known retail price) by bringing back a device. The funds must be put in escrow, to protect users if vendor goes bankrupt.

euroderf 10 hours ago | root | parent |

Musing...

All these things might need some flavor of escrow-with-indie-verification. For example, does the published source actually compile to what's on the device? And some flavors of escrow (like your #3) need a bankroll or some sort of insurance.

And anyways, given the inevitable enshittification of all the things, including "assurance", how is a grand scheme for preventing willful software obsolescence enforceable by anything less imposing than the gummint?
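The verification question raised in the comment above (does the escrowed source build to what is actually on the device?) is the reproducible-builds problem. As an added example, not part of this thread or of any real escrow scheme, the Python below compares a local build of the escrowed source against an image dumped from a device, reports the byte ranges that differ, and decides whether every difference falls inside windows that are expected to differ (a build timestamp, a vendor signature block). The two sample images and their layout (timestamp at offset 16, signature appended at the end) are constructed for the example; a real check needs the layout from the vendor's own documentation.

```python
import hashlib
from typing import Iterable, List, Tuple

Range = Tuple[int, int]  # (offset, length)


def sha256_hex(data: bytes) -> str:
    """Hash an image; identical hashes are the easy case, mismatches need localising."""
    return hashlib.sha256(data).hexdigest()


def diff_ranges(a: bytes, b: bytes) -> List[Range]:
    """Return the maximal runs [(offset, length), ...] where a and b differ.

    A length difference is reported as one run covering the tail of the longer
    input, merged with a preceding run if that run reaches the end of the shorter one.
    """
    ranges: List[Range] = []
    n = min(len(a), len(b))
    start = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, n - start))
    if len(a) != len(b):
        tail_len = max(len(a), len(b)) - n
        if ranges and ranges[-1][0] + ranges[-1][1] == n:
            off, ln = ranges.pop()
            ranges.append((off, ln + tail_len))
        else:
            ranges.append((n, tail_len))
    return ranges


def matches_except(build: bytes, device: bytes, allowed: Iterable[Range]) -> bool:
    """True if every differing byte lies inside one of the allowed windows.

    Checked per byte, so a single run that spans two adjacent windows still passes,
    while a run that leaks even one byte outside every window fails.
    """
    windows = list(allowed)

    def covered(i: int) -> bool:
        return any(off <= i < off + ln for off, ln in windows)

    return all(covered(i)
               for off, ln in diff_ranges(build, device)
               for i in range(off, off + ln))


# Constructed sample images (not real firmware): a 64-byte "build" with a 4-byte
# timestamp at offset 16; the "device" copy has a different timestamp and a
# 32-byte vendor signature appended, which a rebuild from source cannot reproduce.
BUILD_IMAGE = bytes(range(64))
_dev = bytearray(BUILD_IMAGE)
_dev[16:20] = b"\xff\xff\xff\xff"
DEVICE_IMAGE = bytes(_dev) + b"\xaa" * 32
TIMESTAMP_WINDOW: Range = (16, 4)
SIGNATURE_WINDOW: Range = (64, 32)


if __name__ == "__main__":
    print("build  sha256:", sha256_hex(BUILD_IMAGE))
    print("device sha256:", sha256_hex(DEVICE_IMAGE))
    print("differing ranges:", diff_ranges(BUILD_IMAGE, DEVICE_IMAGE))
    print("reproducible modulo timestamp+signature:",
          matches_except(BUILD_IMAGE, DEVICE_IMAGE, [TIMESTAMP_WINDOW, SIGNATURE_WINDOW]))
    print("reproducible modulo signature only:",
          matches_except(BUILD_IMAGE, DEVICE_IMAGE, [SIGNATURE_WINDOW]))
```

The point of listing the ranges rather than stopping at the hash mismatch is that an escrow verifier has to argue about each run: a timestamp or a detached signature is defensible, an unexplained difference in code or data means the escrowed source is not what shipped.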

Rygian 9 hours ago | root | parent |

In my fictional country, the gummint is BDFL-style. Regulation is broadly accepted as the lesser evil, when compared to letting the free market enshittify itself.

busterarm a day ago | prev | next |

Would be cool but "responsible disclosure" is a non-starter for me. Full disclosure is the only way to operate, IMO.

Techbrunch a day ago | root | parent | next |

Depending on the target and the severity of the vulnerability the vendor might consider fixing the vulnerability even if EOL.

If the target is an IoT device the vulnerability will likely be mass exploited to create a botnet.

The U.S. government recently ‘took control’ of a botnet run by Chinese government hackers made of 260,000 Internet of Things devices... (Source: https://techcrunch.com/2024/09/18/u-s-government-took-contro...)

sidewndr46 a day ago | root | parent | prev |

If the device is explicitly past EOL what is the point anyways? Just to wait 60 days and hear they aren't going to do anything?

winnona a day ago | root | parent |

not necessarily! If the 0day is bad enough the vendor may patch it or release further guidance - most recent case is Ivanti this week (https://cyberscoop.com/ivanti-vulnerability-cisa-kev/)

slt2021 a day ago | root | parent |

likely used by vendor as sales strategy to upgrade device:

we will give you patch for this EOL 0day, but this will be the last one. Please buy new version and btw here is 20% discount code, you are welcome

GTP a day ago | root | parent | next |

Still better than leaving devices unpatched. The end user still has the final word, can totally refuse to buy a new one if he/she doesn't think getting a new one is worth it.

Retr0id a day ago | prev | next |

> 60-90 day disclosure windows with vendor

This is not 0day. (but I think this is a fun initiative nonetheless)

Retr0id a day ago | root | parent | prev | next |

I'm also not sure what the point of vendor disclosure is, if the product really is EOL

codetrotter a day ago | root | parent | next |

Maybe mainly to avoid legal trouble? Even if you “know” the answer from the vendor will be that it’s EOL, notifying them of your findings and giving them time to fix it shows that you have good intentions. That they then do choose to do nothing about it, well that’s not your fault.

Additionally, it helps you avoid the situation where you thought the device was EOL because there hadn’t been any updates for a long time but then it turns out that they actually do still respond to, and fix, security issues. And it just happened that there hadn’t been updates for a long while because no one had reported anything for a while.

citrin_ru a day ago | root | parent | prev | next |

Depending on vulnerability impact and difficulty fixing it, some vendors may choose to release a fix even after EOL. Generally EOL means that users should not rely on getting an update (but it still may be released as an exception).

krisoft a day ago | root | parent |

Or the vendor might want to warn users about the vulnerability. It is a different story to say “there might be vulnerabilities, consider updating to some other gizmo” vs “there is a vulnerability, you have to abandon the gizmo”.

myself248 a day ago | root | parent | prev | next |

I think the point is to embarrass vendors into extending their support periods. Giving them 60 days to think about that is a shot across the bow.

qwery a day ago | root | parent | prev |

An attempt to avoid unnecessary harm, I'd guess.

To see what they do?

Because it will be more damning if they ignore something significant they had explained to them?

userbinator 19 hours ago | prev | next |

There are already communities around providing fixes and drivers for OSes going back to at least Windows 3.x(!), so I hope things like this will also come with fixes too.

The complexity of essential system software has ballooned out of control, and it has always been my belief that "EOL" means eventual stability; known unknowns are better than unknown unknowns. They always tell you how many bugs they fixed in the new version, but they never tell you how many new ones they introduced.

londons_explore a day ago | prev | next |

> - You are not under any restrictions or sanctions from the US.

Can we make this a condition of giving any prizes, rather than of entry to the competition? This restriction affects literally 200+ million people.

drclegg 11 hours ago | root | parent | next |

It's more likely to cover the organizers legally.

I imagine no-one wants to be on the receiving end of "You are accused of actively encouraging Iranian / Russian / <insert other sanctioned state here> hackers to identify exploitable security vulnerabilities in appliances owned and operated by Americans; how do you plead?"

tonetegeatinst 17 hours ago | root | parent | prev | next |

Wouldn't the legal definition of "restriction" also include the laws covering computers etc?

A technicality but one could argue that if the law is the only barrier to exploiting something then the vulnerability needs to be fixed and proven, which a US citizen can not do.

asabla a day ago | prev | next |

Ooh, this looks like a lot of fun. Really hope they'll either have recordings and/or stream this event.

technofiend a day ago | prev | next |

This just underscores the fact (IMHO) we need a "cash for clunkers" program for obsolete and unsupported devices. I mean I'd love to see more moonshot programs like DARPA's Tractor but in the meantime why not create incentives to get insecure equipment off the net?

throwaway48476 a day ago | root | parent | next |

A lot of the time the EOL hardware is exactly the same as the supported hardware. The software just needs to be supported for longer. For example the 2014 and 2015 MacBook Pro: same CPU, same motherboard, etc., and yet the 2014 is EOL a year earlier.

bee_rider a day ago | root | parent | next |

Reaching for the legal hammer ought to be a last resort, but IMO, EOL-ing a device should require open sourcing it and handing over any info required for administration to the users. Or a refund for full price.

A device which can not be administered by the end user is administered (perhaps negligently) by the company who sold it.

archi42 10 hours ago | root | parent | next |

I would love that, but I can see some issues: Embedded stuff (e.g. in your car) might use a proprietary RTOS, like "VxWorks" [1]. Then the developers might have had to use a commercial toolchain from e.g. Hightec [2]. They could also have licensed some 3rd party libs. What about external verification tools for critical stuff? What about cloud-connected services (e.g. music streaming)?

For a manufacturer to opensource "all that's necessary to build, deploy and use the soft-/hardware", the whole ecosystem would need a massive paradigm shift.

For certain device classes this is probably much easier than for others. And expecting/dictating a reasonable lifetime from a product might be the better choice - and as the EU directive regarding user-replacable smartphone batteries shows, this goes beyond software.

[1] https://en.wikipedia.org/wiki/VxWorks [2] https://hightec-rt.com/products/development-platform

bee_rider 6 hours ago | root | parent |

First some thoughts about your specific example: My impression (although, just from working in something very tenuously related to automotive stuff) is that the real time, safety critical stuff, and the entertainment center stuff, are on two unrelated computers, ideally with very little connection between them.

The safety critical stuff really ought to be supported for the lifetime of the car. But it shouldn’t have internet access anyway, so a big source of attacks is not available. They sometimes update that software when you go in for maintenance, right? It seems fine.

The entertainment center, why shouldn’t we be able to install our own OS on it? Those things are always quite buggy anyway, I’d love to install Linux on mine.

More generally:

Yes, I’ll admit I was going for a bit of back door trickiness. I do think it would be hard to just open up a lot of current platforms.

If the law is that manufacturers must either release “everything” (hand-wave-ily) or offer a full refund in order to release their support obligation, then I’d expect them to do one of the following:

* Make new designs that are easier to open up. A win for everybody! They can push back on the license terms for the libraries they use. Or, perhaps some mechanism could be designed so that they open up the rest of their platform, and the library developer that doesn’t want to open up can keep their part of the support obligation.

* Extend the support lifetime to the point where they are happy to just offer refunds to the few remaining users.

As you say,

> And expecting/dictating a reasonable lifetime from a product might be the better choice - and as the EU directive regarding user-replaceable smartphone batteries shows, this goes beyond software.

But I think a reasonable lifespan depends on the type of device; locking in a specific number with the law seems difficult. Offering a choice instead would let the lifetime be set dynamically, but without the current odd situation where obligations just evaporate into nothingness.

mnau a day ago | root | parent | prev |

What would be the point of open sourcing it? Serious question.

A custom DIY ROM might be interesting to some geek out there, but it does nothing for security. There is no automatic update, and some custom ROM is never going to get it anyway.

Security through obscurity is a better option in this case.

scrapheap 9 hours ago | root | parent | next |

It would depend a lot on the device, but open sourcing it would at least make it easier to move some devices to existing community-supported projects (e.g. OpenWrt, DD-WRT, Rockbox). When that happens there is usually an improvement in both security and features of the devices.

bee_rider a day ago | root | parent | prev |

It would be nice for the community, so they can at least try to fix things.

But mostly, I think it would clarify the responsibility and obligations for support. Obviously a device which hasn’t been opened up can’t possibly be the responsibility of the user, who is locked out and unable to administer it. By default manufacturers should be responsible for the things they manufacture and should have an obligation to make sure they are reasonably free of defects. Devices with known security vulnerabilities are defective.

If they want to release themselves of that responsibility, they should have to actually make it possible for somebody else to pick it up.

saagarjha 12 hours ago | root | parent | prev | next |

You know you can look up the specs of those machines, right? The 2015 MacBook Pro updates the processor from fourth-generation Haswell (22nm) to fifth-generation Broadwell (14nm) cores and also bumps the memory speed slightly to 1866MHz. They're not the same hardware.

Qwertious 14 hours ago | root | parent | prev |

"Cash for clunkers" only made sense because they weren't fuel efficient. If old devices are insecure, then the only sane long-term solution is to incentivize long-term device security.

We already have 10-year-old devices which are perfectly performant for their tasks but are being turned into e-waste due to lack of support, rather than any material need. Moore's law isn't coming back; devices will have longer and longer performance-relevant lifetimes from here on out, and if the current market doesn't support that then it's the market that's broken, not the devices.

computersuck a day ago | prev | next |

Why would they do this? Knowing that any bugs found won't be patched since EOL, and will just be used for mass exploitation and harm??

Why is the cyber industry so desperately stupid for attention?

hedgehog a day ago | root | parent | next |

Without splashy narrative and quantifiable risk the vendors won't change and the general public won't perceive the danger of unsupported devices. Public bounties are one way to change both so this seems like a reasonable project with net benefit.

sandwichmonger 17 hours ago | root | parent |

Let's say there's a group of people living in a small, old house. They have the money to move to a bigger, newer one, but there's sentimental and other value to the one they're in.

Yeah, they don't have the latest door chain and fancy security systems, but that just means they don't open the door to random people who come knocking and are more careful and wary of burglars.

Now imagine a real estate company paying people to try and break into houses like theirs in order to scare the people into spending money and moving to a bigger and newer house they don't want to move to, claiming that the people don't know any better and need to be FUD'd for their own good.

That sounds like an evil thing to me.

hedgehog 10 hours ago | root | parent |

A better analogy is a product safety bulletin: if your stove has a design flaw that can burn down your house, the main difference is whether you or the manufacturer knows to do something about it. The bugs exist and people exploit them; it's mostly a question of whether the general public is aware. Breaking into houses requires a lot of labor to scale, exploiting software bugs doesn't, so past some point more people knowing about them doesn't increase risk in the same way.

After 25 years of this debate it's pretty clear what works.

Aissen a day ago | root | parent | prev | next |

To protest stupidly short EOL deadlines.

schlauerfox a day ago | root | parent |

Just went to get some BIOS files for the 5th gen Intel NUCs and they've purged them from the site. It's like when Microsoft purged the KB of everything not in current support. Burning of libraries, it's sickening.

Hackbraten a day ago | root | parent | prev | next |

I think this contest is a good thing.

It might put pressure on customers to demand products with longer support lifecycles, which in turn forces vendors to offer longer support and/or make their software and APIs open source once support ends.

wpm a day ago | root | parent |

>It might put pressure on customers to demand products with longer support lifecycles

It won't. It'll allow vendors to put pressure on customers to buy new shit to replace their old shit that still works just fine that the vendor would rather not spend the resources patching.

teeray a day ago | root | parent | next |

It puts pressure on regulators to realize the shitty situation MBAs create when they EOL products that aren’t reaching revenue targets.

freehorse a day ago | root | parent | prev | next |

The first best thing for vulnerabilities is fixing them, the second best is knowing they exist and what they specifically are (so one can either try to mitigate them or make an informed choice on replacing equipment).

asabla a day ago | root | parent | prev | next |

I don't see it like that at all. Some 0-days can (somewhat) be mitigated by other hardware/software.

I'd rather have as many "known" 0-days in the open than have it the other way, even if it means I won't see any updates to affected devices or software.

thomascountz a day ago | root | parent | prev | next |

I'm thinking that bugs may not necessarily disappear when the device or application where they are discovered is EOL'd. This research could discover attack vectors and vulnerabilities that will need to be addressed in active implementations.

1oooqooq a day ago | root | parent | prev | next |

I cannot say if your comment is sarcasm.

Do you think devices are retired because they aren't sold? Why would you want that information to be known only by bad actors? Just imagine trying to convince someone who mounted a beautiful Android 4.4 tablet to control their smart home (heh) 5 years ago that they will have to redo everything because they bought into a proprietary protocol and the base OS isn't receiving security updates.

Or do you truly believe you are safe if you hide under your bedsheet?

computersuck a day ago | root | parent | next |

It's about the barrier to entry and amount of effort to exploit something. When public information comes out about a vulnerability that can't be patched in a reasonable amount of time (due to EOL or some other reason), the bad actors have the upper hand.

Giving ransomware actors free bugs for mass exploitation when they are unlikely to be patched is just putting innocent users in harm's way. It doesn't really make a dent in the shit vendors' profits, so the only other motives are 1) to show off your cool research or 2) protest ridiculous EOL deadlines (which sure, might make a difference).

mulmen a day ago | root | parent |

You’re assuming bad actors don’t already know about these zero days. You have to assume any possible vulnerability is already being exploited. Publishing zero days in EOL devices reduces the information asymmetry.

computersuck a day ago | root | parent | prev |

When there's no publicly known bug, someone needs to spend the time and effort to research it; when public POCs come out every skid cybercrime crew jumps on and starts exploiting it for financial gain.

IshKebab a day ago | root | parent | prev | next |

These devices don't magically become secure just because white hats decide not to attack them.

You're advocating security through sticking-your-head-in-the-sand.

frankharv a day ago | root | parent |

I think we need a cyber swat team to assassinate anybody doing a port scan.

You want to play with something you don't own or have permission to play with it.

Assassinate target. You want to make money/fame off others. DIE.

If somebody came to your house and started jiggling door handles, what would you do?

Why is cyber different?

NO CONSEQUENCES.

PhilipRoman a day ago | root | parent | next |

Fun idea, although nobody who is serious enough about hacking will use their home PC as source, more likely it will be some random grandpa's old router. Even putting that aside, we can't exactly send a SWAT team to China...

nashashmi a day ago | root | parent | prev |

Look at what they are saying. They want to document all sorts of bugs in past products for future research purposes. And they want to draw attention to the product so that it gets replaced.

I agree putting such burdens on companies with little IT resources isn’t healthy for the company, its customers or anyone else. This is hostile.

jon-wood a day ago | root | parent |

If you put a product out in the field which can potentially be remotely exploited it’s on you to either patch it when someone does find an exploit or possibly open source everything so others can. If you genuinely can’t support it I guess you could put a self-destruct mechanism in which remotely bricks the device instead, just don’t expect your customers to be happy about it.

nashashmi a day ago | root | parent |

... or maybe build a foolproof product that cannot be hacked or attacked. Maybe products that don't get updated lose their access to the internet. And the only way you can get access is through some clamped-down application.

meindnoch a day ago | prev |

EoL devices are a huge liability. We need laws that require vendors to equip smart devices with remote hardkill switches, so they can be permanently disabled by the vendor when they reach EoL. A disabled smart device is better than one that can be weaponized by threat actors.

UniverseHacker a day ago | root | parent | next |

That is insane. I mostly buy and use “EOL” devices because they’re cheaper and have no issues. Recently bought my son an old Intel Mac Mini and he loves it.

You can easily still secure an EOL device: with the old Mac I just use it with the firewall on, no ports open, and a modern secure browser. There is really no attack surface from the OS which is EOL, and this old device has aged past being worth developing attacks for.

getcrunk a day ago | root | parent |

Tell that to the recent Windows bug where, even if you block IPv6 in your device firewall (or was it even turn off the stack?), your device is vulnerable to a specially crafted IPv6 packet.

Cheetah26 a day ago | root | parent | prev | next |

Much better legislation would be requiring that the firmware/software source be released at EOL, so that users can maintain the hardware they purchased for as long as they like.

meindnoch a day ago | root | parent | next |

Probably we need both. Hardkill all devices, and let determined users resurrect their own devices with the open source firmware if needed. The point is that millions of vulnerable devices won't stay online by default.

mnau a day ago | root | parent | prev | next |

What percentage of customers have even logged in to their home router? It will be way below 10% (I would wager in the lower single-digit percents).

So

* manufacturers open source it

* "someone" is going to maintain it, for free

* all these people are going to find a non-malware-infested fork

* upload custom ROM to their devices.

I just don't see it.

Automatic updates/killswitch are the only way forward.

olabyne 9 hours ago | root | parent | prev | next |

The planet is dying and the way you think is part of it. IT security is important, but none of that is more important than the planet's resources.

nashashmi a day ago | root | parent | prev | next |

The terms of service of the device did not require replacement nor issue an end-of-life date. What basis would the law have to enforce replacement?

aeternum a day ago | root | parent | prev | next |

Auto-applying security updates is actually a major threat vector. It's often easier to compromise a cloud deployment system/key rather than thousands of edge-deployed devices.

An EOL device that has withstood the test of time, has had many security patches, but is no longer connected is often one of the most secure devices.

compootr a day ago | root | parent | prev | next |

Right, but do you want these still usable devices to become e-waste?

For those that can secure them properly (e.g. air-gapping), why do we need to make old IoT stuff into non-functional bricks?

Something I'd be more OK with is to disable it, but allow it to be re-enabled in the device's settings.