
SoylentNews is people

posted on Friday June 02 2017, @08:58PM
from the looming-global-IoT-shitstorm dept.

TechDirt reports

In the wake of the Wannacry ransomware, University of Pennsylvania researcher Sandy Clark has proposed something along these lines: firmware expiration dates. Clark argues that we've already figured out how to standardize our relationships with automobiles, with mandated regular inspection, maintenance and repairs governed by manufacturer recalls, DOT highway maintenance, and annual owner-obligated inspections. As such, she suggests similar requirements be imposed on internet-connected devices:

A requirement that all IoT software be upgradeable throughout the expected lifetime of the product. Many IoT devices on the market right now contain software (firmware) that cannot be patched even against known vulnerabilities.

A minimum time limit by which manufacturers must issue patches or software upgrades to fix known vulnerabilities.

A minimum time limit for users to install patches or upgrades; perhaps this could be facilitated by insurance providers (perhaps discounts for automated patching, and different price points for different levels of risk).

Of course, none of this would be easy, especially when you consider this is a global problem that needs coordinated, cross-government solutions in an era where agreement on much of anything is cumbersome. And like previous suggestions, there's no guarantee that whoever crafted these requirements would do a particularly good job; that overseas companies would be consistently willing to comply; or that these mandated software upgrades would actually improve device security. And imagine being responsible for determining all of this for the 50 billion looming internet connected devices worldwide?

That's why many networking engineers aren't looking so much at the devices as they are at the networks they run on. Network operators say they can design more intelligent networks that can quickly spot, de-prioritize, or quarantine infected devices before they contribute to the next Wannacry or historically-massive DDoS attack. But again, none of this is going to be easy, and it's going to require multi-pronged, multi-country, ultra-flexible solutions. And while we take the time to hash out whatever solution we ultimately adopt, keep in mind that the 50 million IoT device count projected by 2020 is expected to balloon to 82 billion by 2025.
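As an added example, not part of the TechDirt piece or of the proposal it quotes, here is the kind of network-side check the last paragraph has in mind: flow-log triage that flags a device sweeping its own subnet on TCP/445 (the SMB port Wannacry spread over) and marks it as a quarantine candidate. The CSV flow-record format, the private-address test, the 60-second sliding window and the eight-target threshold are assumptions chosen for illustration, and the flow lines are constructed, not captured traffic.

```python
"""Flow-log triage for worm-like SMB sweeps (added example, not from the article).

Assumptions, all illustrative rather than from the page: flows are CSV lines
"ts,src,dst,dst_port,proto"; a source that reaches many distinct private hosts
on TCP/445 or 139 inside a short window is a quarantine candidate.
"""
from collections import namedtuple
from ipaddress import ip_address

Flow = namedtuple("Flow", "ts src dst port proto")

WATCHED_PORTS = {445, 139}  # SMB: the vector Wannacry spread over
WINDOW_SECONDS = 60         # assumed sliding window
SCAN_THRESHOLD = 8          # assumed distinct-target count that trips the alarm

# Constructed sample, not captured traffic.  10.0.1.50 sweeps ten neighbours
# in ten seconds; 10.0.1.20 is a normal SMB client; 10.0.1.30 only talks to
# the internet; 10.0.1.40 probes nine neighbours but 100 s apart.
SAMPLE_FLOWS = "\n".join(
    [f"{1496436000 + i},10.0.1.50,10.0.1.{i + 1},445,tcp" for i in range(10)]
    + [
        "1496436005,10.0.1.20,10.0.1.5,445,tcp",
        "1496436020,10.0.1.20,10.0.1.5,445,tcp",
        "1496436040,10.0.1.20,10.0.1.6,445,tcp",
        "1496436003,10.0.1.30,93.184.216.34,80,tcp",
        "1496436004,10.0.1.30,8.8.8.8,443,tcp",
    ]
    + [f"{1496436000 + 100 * i},10.0.1.40,10.0.1.{i + 1},445,tcp" for i in range(9)]
)


def parse_flows(text):
    """Parse CSV flow lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split(",")
        flows.append(Flow(int(ts), src, dst, int(port), proto.lower()))
    return flows


def max_distinct_targets(events, window):
    """events: list of (ts, dst).  Return the largest number of distinct
    destinations seen in any span of `window` seconds."""
    events = sorted(events)
    best = 0
    for i, (start, _) in enumerate(events):
        seen = set()
        for ts, dst in events[i:]:
            if ts - start > window:
                break
            seen.add(dst)
        best = max(best, len(seen))
    return best


def find_scanners(flows, window=WINDOW_SECONDS, threshold=SCAN_THRESHOLD):
    """Return (scores, quarantine): per-source peak distinct-target count on
    the watched ports against private destinations, and the sorted list of
    sources at or above the threshold."""
    per_src = {}
    for f in flows:
        if f.proto != "tcp" or f.port not in WATCHED_PORTS:
            continue
        if not ip_address(f.dst).is_private:  # lateral movement only
            continue
        per_src.setdefault(f.src, []).append((f.ts, f.dst))
    scores = {src: max_distinct_targets(ev, window) for src, ev in per_src.items()}
    quarantine = sorted(src for src, n in scores.items() if n >= threshold)
    return scores, quarantine


if __name__ == "__main__":
    scores, quarantine = find_scanners(parse_flows(SAMPLE_FLOWS))
    for src, n in sorted(scores.items()):
        print(f"{src:12} peak distinct SMB targets in {WINDOW_SECONDS}s: {n}")
    print("quarantine candidates:", quarantine)
```

Run as-is it flags only 10.0.1.50. The slow prober 10.0.1.40 stays under the threshold because its probes fall outside any single window; that is what keeps an ordinary file-sharing client off the list, and it is also the blind spot an operator has to tune for (widen the window or add other signals) before wiring this into an automatic quarantine action.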


  • (Score: 5, Insightful) by pendorbound (2688) on Friday June 02 2017, @09:19PM (#519578) (9 children)

    So because manufacturers can't manage to debug their garbage before they foist it on the world, I'm stuck with a device that turns into a brick if they go out of business or forget to deliver an update on time? No thanks.

    Debug, then ship. Not the other way around. I wouldn't even consider buying a device with that kind of user-hostile "feature."

  • (Score: 5, Interesting) by jmorris (4844) on Friday June 02 2017, @09:56PM (#519590) (6 children)

    It is now the defects that drive sales and adoption of new versions of things. Think about it, if Microsoft still supported XP, if 7 weren't already out of mainstream support and heading to the end of the line, would anyone even look at 10? Why do we upgrade our browser every week when we KNOW the new version will be a regression in function? Because it is the only way to get the security fixes. It has literally become embedded in the business model of every software vendor now that they capitalize on their defects to drive upgrades, that they pick when to abandon security patches to drive their release cycles of new product. I really do not know how we can possibly break out of the downward spiral to Hell this implies because the obvious next step is to ensure sufficient bugs to permit using them to drive future sales. And both Firefox and Chrome prove Open Source is no defense.

    • (Score: 2) by c0lo (156) on Friday June 02 2017, @10:29PM (#519601) (5 children)

      The apology of planned obsolescence (aka deliberate waste) as a sacrifice to the God of Capitalism, if I ever saw one.

      > Think about it, if Microsoft still supported XP, if 7 weren't already out of mainstream support and heading to the end of the line...

      Irrelevant example.
      None of the MS OSes used by your example from Microsoft bricked the computers they were installed on. Also, they could be removed and another OS installed without rendering the computer unusable.

      > Why do we upgrade our browser every week when we KNOW the new version will be a regression in function?

      Another irrelevant example for the "I don't want a deliberately bricked device because the software is faulty".

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 1, Troll) by jmorris (4844) on Friday June 02 2017, @10:57PM (#519614) (3 children)

        Continuing to use an OS or browser without updating for the security patches is a quick way to get worse than bricked. That is the point, you MUST update or quickly become so dangerous that the only safe move is to disconnect from the Internet, either willingly or upstream detecting you and blocking... either before or after you become a bot spam cannery. That vendors like Microsoft depend on that knowledge to drive sales is the problem I'm making an issue of.

        And no, you can't even just upgrade in most cases. Good luck putting a new Windows on a machine, no drivers; At least one piece of hardware won't be supported so you will be spending additional money at minimum. And the Penguin is for we the few, normies can't generally install ANY OS on bare metal. And have you noticed the current trend toward making the PC an XBox? All tablets are locked, laptops and desktops MAY be unlocked, vendor option... for now. Now we get Windows S, the mandatory chains go onto a 'laptop' form factor. So no, even that argument is quickly vanishing. When the OS updates stop you get a brick or a forced payment to upgrade. Is forced payments every couple of years to fix the defects in the original product by trading up to a new product with all new defects really so much better?

        • (Score: 3, Insightful) by kaszz (4211) on Friday June 02 2017, @11:30PM (#519630)

          That is the point, you MUST update so we can continue to spy on you, now even better! :p

        • (Score: 2) by c0lo (156) on Saturday June 03 2017, @12:21AM (#519650)

          > Continuing to use an OS or browser without updating for the security patches is a quick way to get worse than bricked. That is the point, you MUST update or quickly become so dangerous that the only safe move is to disconnect from the Internet,

          There's more ways to skin this cat.
          - I should be able to replace the OS/browser with something of my choice - certainly I should not be bound to a monopoly as a provider of security.
          - I can install extra external protection (firewalls) and restrict myself to where I go while browsing the internet
          - I can even use the combination not connected to the Internet (but to a local network) and still derive some restricted benefits I need - i.e. IE4.0 is still safe to use in a local intranet never connected to Internet.
          Granted, if the needs require me to go in promiscuous places, I will need to make sure I have the best protection of the moment or suffer the consequences.

          > And the Penguin is for we the few, normies can't generally install ANY OS on bare metal.

          And should the rights of us, non-normies, be sacrificed because the majority of the others aren't capable of defending themselves?
          Where's the advantage in that? 'cause I see the immediate disadvantage - it is the non-normies that create something new and have the incentive to explore non-normal solutions.
          Stop us and you'll get into the same situation we had before the personal computers broke the monopoly on... well.. computing to those who could afford buying a mainframe.

          > When the OS updates stop you get a brick or a forced payment to upgrade.

          I still have alternatives to this situation - and I vote with my wallet and not buy a device that is bricked when unsupported by the manufacturer or seller - and I don't like the idea of someone telling me I need to stop thinking that alternatives exist.
          If you like this idea, whatever floats your boat... but what right do that researcher or you have to tell me I should desist?

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
        • (Score: 3, Interesting) by frojack (1554) on Saturday June 03 2017, @01:44AM (#519675)

          > Continuing to use an OS or browser without updating for the security patches is a quick way to get worse than bricked.

          Actually, that is apparently NOT true - at least not in the recent cases.

          Windows XP was notably absent from the Wannacry malware. In fact it is suspected that the only examples of XP that were successfully compromised were researchers deliberately installing it and bypassing the blue screen crashes that the malware caused while trying to infect XP.

          --
          No, you are mistaken. I've always had this sig.
      • (Score: 2) by Bot (3902) on Saturday June 03 2017, @08:03AM (#519769)

        > None of the MS OSes used by your example from Microsoft bricked the computers they were installed on. Also, they could be removed and another OS installed without rendering the computer unusable.

        for some values of "bricked" and "could"...

        --
        Account abandoned.
  • (Score: 5, Insightful) by Justin Case (4239) on Friday June 02 2017, @10:05PM (#519594) (1 child)

    > mandated software upgrades

    No, no, a thousand times no! Sigh. The ocean of stupidity is astounding, and things are getting worse.

    First, every time you install software you increase your risk, because there is a chance the software will do something you don't want. You do the research to reduce your risk, but it is never zero. Adding or changing any software you didn't write (and maybe some you did) should be regarded as a dangerous operation to be performed rarely, only when absolutely necessary, with care, including a back-out plan.

    From this principle, obvious to any computer professional, it is apparent that downloading and executing software on the fly from unknown untrusted sources is, well, terminally moronic. Yes, I'm looking at you ECMAScript and your ill-begotten peers. Likewise for installing every random "app" that promises new shiny for your phone.

    Those who understand computing warned about this from day one but were obliviously dismissed.

    And now, somehow, we have evolved to a world where crap software is not only tolerated but expected, even to the point where it is allegedly a good practice to update your software frequently! Automatically, even!!!

    Oh, but that's not enough; now we are going to pass a worldwide law (good luck with that) that requires updates which never should have been needed in the first place? Hey, if you do pass that worldwide law, why not require some minimum level of quality, and liability for defects, instead of just assuming everything will be vulnerable from the factory and there's nothing that can be done about that.

    Face it: every Windows Update or other security patch regardless of platform is proof of FAILURE by whoever wrote the junk! Get it right the first time. Or leave the job to somebody competent. And yes, maybe it shouldn't be so complicated that nobody can understand what it does.

    Now get off my lawn. For that matter, I wish these clueless "developers" and their managers would get off my planet.

    • (Score: 1) by Ethanol-fueled (2792) on Friday June 02 2017, @11:07PM (#519617)

      1. Sell IOT garbage with bug-ridden firmware with expiration date to lazy rubes
      2. Firmware expiration date arrives
      3. Change only a few comments in the firmware code and release it as V 2.0
      4. ????????
      5. Profit!