Right now you can go to eBay and buy a used PC for $200 that will do everything you need to do, including gaming. You can buy a 64GB iPhone X for $100, which will do everything a new phone will do (basically). Can you imagine the drain on the hardware sector in the US due to these old devices piling up? And the trend is only going to accelerate. If the powers that be aren't conspiring to "fix" this "issue", it's only a matter of time until they do.
In principle, a complete product would ship with no defects. You could run it for 1000 years unpatched and it would be no less secure than the day it shipped.
Manufacturers ship security updates because the original product was defective. So it makes sense that they remain on the hook for security updates -- we paid them full price up front.
It also doesn’t really matter whether updates are fixes or features. Somebody has to do the work, and they have to get paid, and only so many years of that work can be baked into the original purchase price, before buyers go to a competitor who offers less support. You paid full price for X years of support, but what happens after that?
That's fair. But what about a product which doesn't turn a profit? The iPhone could have been a total flop, no one knew in advance!
I worry that if releasing a hardware product carried an unlimited support burden, companies would release far fewer products. Less risk taking would lead to less innovation, and so on.
I think I would be more on board with a rule like "once you stop releasing security updates, you must share hardware documentation and unlock the bootloader", so consumers can install their own (presumably patched) operating systems. But this wouldn't actually affect most of society, because 90% of consumers (I'm being generous) are never going to install Linux on their phones.
My Nokia N800 runs the exact same as it did when I bought it, used, about 4 years after the release. I can even stream transcoded video to it, still. The camera works. The terminal works fine. That's probably why Apple has trillions of market cap or whatever and Nokia is making $50 feature phones with touchscreens (I haven't seen any nor do I care, the N900 (910?) should have been a bigger deal and I'm still mad)
100% tariffs? Every outdoor IP camera, for example, is either Chinese manufactured or outlandishly expensive. Even a 200% increase in purchase price makes these devices competitive, still.
If they stop supporting the device, they should release the drivers for the hardware.
A few months later the first laptop's exhaust started smelling like burning plastic and I also discovered that if you move the lid/screen a certain way the laptop hard freezes. A few months after that, same smell from the second laptop (different model/seller) that progressed into a proper burning smell. In both cases I'm out my purchase price and for the total could have bought new.
On a whim after coming across the ThinkPad subreddit I bought a T480s recently. As soon as I got it, I paid attention to folding the hinges excessively and noticed it creaks sometimes and the exhaust also gets a little too toasty. So this one is going back.
I’m not against used. I’m a lifelong 2nd hand buyer. No problems with phones or even mini pcs.
I don't recommend laptops anymore though. Too delicate and can have hidden issues.
If you read this far: it's not environmental, cus my bought-new laptop (4yo) doesn't have any issues. And also I did take off the back cover on both laptops and didn't see any obvious blown parts. And neither are overheating from sensor data, even under p95.
Prior to this one I had a MacBook Pro for about 7 years and before that one the black plastic MacBooks from 2007.
So three laptops for the better part of 20 years.
It came back online right away as if nothing happened and has outstanding battery life that's still making the M1 Max envious.
We only buy new and keep ours until they die, and they sure die or become quirky in ways we'd be pissed about if we bought them in that state.
The big issue is of course repairability: buying a second-hand business Dell OptiPlex is mostly fine because replacing anything other than the motherboard/power supply will be dead simple, and even that can be managed either through salvaging or DIY. A flaky or half-broken laptop is a world of hurt, for any brand, even if you're into soldering.
It's hilarious to me that I get better performance doing those things on a 20+ year old computer and OS than I used to on a recent computer simply using an internet browser.
Though I also miss the UI latency of the civilized age ...
I still use an original Microsoft Surface Pro pretty often, and can barely tell the difference between using it and that year-old PC for web browsing, document editing, and tablet-style gaming. The Surface Pro came out in 2013.
The point was that most things are playable and the list is only getting longer.
Sure a plurality of the 10mm will be shovelware or otherwise bad, but do we have to play FFXVII? COD MWII BOIII WW2?
That's not true. I still regularly use an old Dell Latitude from almost 15 years ago sometimes - it cost under $150. I can do everything I need on it, even compile Firefox. I can't run most new AAA games, but can play a bunch of FPS games from about up until when it came out. It still plays CSGO just fine, for example.
The real advances in performance in the last decade have been in GPU performance, not general performance.
Windows 10 is "still" on 47% of PCs with Steam installed.
Windows 11 is at 49%.
> Arch Linux (64-bit): 0.16% (-0.01%)
> Ubuntu 22.04.4 LTS (64-bit): 0.07% (-0.01%)
> Linux Mint 21.3 (64-bit): 0.07% (-0.04%)
> Ubuntu 24.04 LTS (64-bit): 0.07% (0.00%)
> Linux Mint 22 (64-bit): 0.06% (+0.06%)
> Ubuntu Core 22 (64-bit): 0.06% (0.00%)
> Manjaro Linux (64-bit): 0.06% (0.00%)
Year of Linux in gaming, everybody! :(
100%! And the average HN poster presumably has the skills to make that work. My suggestion to retire vulnerable devices isn't a US jobs or tech sector program; it was born from a sincere desire to see vulnerable and most likely already compromised devices removed from use.
It seems logical to me if we're going to look for vulnerabilities in order to help harden devices you might want to address ones with known issues. And frankly the reason so many devices still out there are in use because their owners simply don't know any better or see no value in upgrading. Cash for clunkers creates an incentive to fix a situation that I'm guessing many don't even know exists.
Also enterprise will buy new and then sell, why Thinkpad etc is popular. Should that also be banned?
No used cars too, sound good. No used goods at all. Imagine the productivity!!!
- Subscribe to an end-of-life insurance package for security software patches. Vendor must contribute periodically. The amount contributed is proportional to the number of appliances sold, with a multiplication factor to account for how hard it is to upgrade the software. Vendor is still legally bound, by SLA, to release software patches and provide an upgrade path to customers for as long as devices remain operational (i.e. no fixed EOL). The insurance is only there in case the vendor goes bankrupt.
- Or else release the software under an FSF-approved free software license, including all the needed toolchain to deploy software fixes on an appliance. Any third party is then legally empowered to provide patching services (caveat: the third party must agree to same SLA as vendor in point above).
- Or else vendor must put in place a guaranteed-buyback scheme whereby consumers can get at least 75% of the ongoing retail price (or last known retail price) by bringing back a device. The funds must be put in escrow, to protect users if vendor goes bankrupt.
If the target is an IoT device the vulnerability will likely be mass exploited to create a botnet.
The U.S. government recently ‘took control’ of a botnet run by Chinese government hackers made of 260,000 Internet of Things devices... (Source: https://techcrunch.com/2024/09/18/u-s-government-took-contro...)
"We will give you a patch for this EOL 0day, but this will be the last one. Please buy the new version and btw here is a 20% discount code, you are welcome."
The complexity of essential system software has ballooned out of control, and it has always been my belief that "EOL" means eventual stability; known unknowns are better than unknown unknowns. They always tell you how many bugs they fixed in the new version, but they never tell you how many new ones they introduced.
Can we make this a condition of giving any prizes, rather than of entry to the competition? This restriction affects literally 200 + million people.
I imagine no-one wants to be on the receiving end of "You are accused of actively encouraging Iranian / Russian / <insert other sanctioned state here> hackers to identify exploitable security vulnerabilities in appliances owned and operated by Americans; how do you plead?"
A technicality but one could argue that if the law is the only barrier to exploiting something then the vulnerability needs to be fixed and proven, which a US citizen can not do.
This is not 0day. (but I think this is a fun initiative nonetheless)
Additionally, it helps you avoid the situation where you thought the device was EOL because there hadn’t been any updates for a long time but then it turns out that they actually do still respond to, and fix, security issues. And it just happened that there hadn’t been updates for a long while because no one had reported anything for a while.
Why is the cyber industry so desperately stupid for attention?
Yeah, they don't have the latest door chain and fancy security systems, but that just means they don't open the door to random people who come knocking and are more careful and wary of burglars.
Now imagine a real estate company paying people to try and break into houses like theirs in order to scare the people into spending money and moving to a bigger and newer house they don't want to move to, claiming that the people don't know any better and need to be FUD'd for their own good.
That sounds like an evil thing to me.
It might put pressure on customers to demand products with longer support lifecycles, which in turn forces vendors to offer longer support and/or make their software and APIs open source once support ends.
It won't. It'll allow vendors to put pressure on customers to buy new shit to replace their old shit that still works just fine that the vendor would rather not spend the resources patching.
I'd rather have as many "known" 0-days in the open than have it the other way, even if it means I won't see any updates to affected devices or software.
I agree putting such burdens on companies with little IT resources isn’t healthy for the company, its customers or anyone else. This is hostile.
Do you think devices are retired because they aren't sold? Why would you want that information to be known only by bad actors? Just imagine trying to convince someone who mounted a beautiful Android 4.4 tablet to control their smart home (heh) 5 years ago that they will have to redo everything because they bought into a proprietary protocol and the base OS isn't receiving security updates.
Or do you truly believe you are safe if you hide under your bedsheet?
Giving ransomware actors free bugs for mass exploitation when they are unlikely to be patched is just putting innocent users in harm's way. It doesn't really make a dent in the shit vendors' profits, so the only other motives are 1) to show off your cool research or 2) protest ridiculous EOL deadlines (which sure, might make a difference).
Burglaries aren't getting enough attention.
You're advocating security through sticking-your-head-in-the-sand.
You want to play with something you don't own or have permission to play with it.
Assassinate target. You want to make money/fame off others. DIE.
If somebody came to your house and started jiggling door handles, what would you do?
Why is cyber different?
NO CONSEQUENCES.
A device which can not be administered by the end user is administered (perhaps negligently) by the company who sold it.
A custom DIY ROM might be interesting to some geek out there, but it does nothing for security. There is no automatic update and some custom ROMs are never going to get it anyway.
Security through obscurity is a better option in this case.
But mostly, I think it would clarify the responsibility and obligations for support. Obviously a device which hasn’t been opened up can’t possibly be the responsibility of the user, who is locked out and unable to administer it. By default manufacturers should be responsible for the things they manufacture and should have an obligation to make sure they are reasonably free of defects. Devices with known security vulnerabilities are defective.
If they want to release themselves of that responsibility, they should have to actually make it possible for somebody else to pick it up.
We already have 10-year-old devices which are perfectly performant for their tasks but are being turned into e-waste due to lack of support, rather than any material need. Moore's law isn't coming back, devices will have longer and longer performance-relevant lifetimes from here on out, and if the current market doesn't support that then it's the market that's broken, not the devices.
You can easily still secure an EOL device. With the old Mac I just use it with the firewall on, no ports open, and a modern secure browser. There is really no attack surface from the OS which is EOL, and this old device has aged past being worth developing attacks for.
So
* manufacturers open source it
* "someone" is going to maintain it, for free
* all these people are going to find a non-malware-infested fork
* upload custom ROM to their devices.
I just don't see it.
Automatic updates/killswitch are the only way forward.
An EOL device that has withstood the test of time, and has had many security patches but is no longer connected, is often one of the most secure devices.
For those that can secure them properly (e.g. air-gapping), why do we need to make old IoT stuff non-functional bricks?
Something I'd be more OK with is to disable it, but in the device's settings, allow it to be re-enabled.