
>This month, Google shipped the last update for my Pixel phone. The hardware is functional and in great shape, but I don't think there are any truly viable ways for me to keep it secure.

The same thing happened recently with the Chromebook I purchased for my significant other. She's a very light computer user, so we thought it was a perfect device. It was great, until one day she received a message saying, essentially, "this device is no longer supported and is now insecure". Meanwhile, I've got an Ubuntu distribution running on a 10 year old computer in my basement (and soon will on this Chromebook).

I certainly won't buy another Chromebook to have it unsupported in 3 years.



You should get ~7 years of update. Here you can check: https://support.google.com/chrome/a/answer/6220366?hl=en

I think it should be more, but it's on par with MacBooks


Actually MacBooks get 6/7 years from when Apple stops selling them. In contrast, the timer starts as soon as the first Chromebook with that cpu is released. It was a nasty surprise when I found that out


That is terrible. So they'll never create a device that is good enough that they'll sell for 6 years unless they sell something they don't support.


Or extend the support: https://9to5google.com/2019/11/05/google-chromebooks-extende...

Other than that, few vendors sell 6 year old computers. Since Apple is often put up as model company here: 2013 had the iPhone 5s which was sold until early 2016, and the end-2013 MacBook Pro (based on Haswell) which was replaced by its successor in 2014 (based on Haswell-Refresh).


I think the point was that the product was so minimal and cheap that you would throw it away and get a new one like a phone.


Correct. That's why the vast majority of them are ~$250 or less


https://support.apple.com/en-us/HT201624 It's ~7 years of hardware parts availability. Software is around 7-10 years.


Made me laugh for some reason.

> Monster-branded Beats products are considered obsolete regardless of when they were purchased.


I didn't realize that. When I think about how many schools have bought racks of Chromebooks and how long they keep them in use I realize that there are lots of kids out there using insecure machines. And all of them have cameras and microphones. Yikes!


>You should get ~7 years of update.

Interesting. Thanks for the link.

It appears that the hardware is older than I assumed (yet perfectly capable for browsing the web), which begs another question: I bought this thing brand new a few years ago. Should it be up to the consumer to ensure that there is life left for updates? I will be certain to now, going forward. But I can't expect less-savvy consumers to do the same. It looks like there are models on that list that will stop receiving updates in less than 2 years for sale as new computers on Amazon...


It's confusing to say it receives updates for 7 years when what they mean is 7 years from launch and not 7 years from sale (of a new device).


The current best practice is to check the manufacturing date of the chromebook you're buying, because the clock starts from when the first unit ships, not when the unit you're purchasing was made. For a part number that may have a 2 year manufacturing run, that can make a HUGE difference.


Given old inventory, you can lose more than 2 years. For example, the Chromebit CS10 got a design award in 2015 and can still be found on Asus' website with a link for where to buy. About 1 year of support remaining.


Curiously, which Chromebook? You can install Linux on some Chromebooks.


Already plan on it! But to be honest, the physical hardware isn't that great, and of course the battery is mostly shot. The appeal was ChromeOS. Oh well.


Microsoft products get supported basically forever. But they're not cool/trendy.


Excuse me if I don't believe you.

The Win 7 VM we (sqlitebrowser.org) use for our Windows nightly builds stopped receiving Windows Updates a few months ago.

Microsoft seems to have decided to not honour the (legit) serial from MSDN. With no warning or explanation.


That's still a decade, though - far better than the three years for a Chromebook or Pixel


Microsoft will support you, but for a hefty cost.


Windows 7 is due to stop being updated very soon, all the while the only alternative is to downgrade into Windows 10. I sure don't call that "basically forever".


1. Windows 7 was supported with security updates for over 10 years (2009-2020). Second to only Windows XP (13 years)

2. They offered free upgrades to Windows 10 for a long time (a year?)

3. Replacement cycles for consumer desktops/laptops are short relative to OS cycles, with some internet stats saying ~5 years on average.

4. You can still run Windows 7, you just won't get security updates. You're free to repair it on your own... If you can.

5. Just because you buy an OS doesn't mean you buy lifetime support and updates.


>You're free to repair it on your own... If you can.

You literally can't. It's proprietary software that you have a limited license to. This isn't like a deprecated Linux distro that you can always jump in and patch the security issues yourself.

Hell I'm sure if these tractors ran on free software, there'd be a business out there competing against the manufacturer by fixing old tractor software if it meant pulling in consulting fees from the farmers. But they can't, because we live in a world where you don't own software, you lease it.


As an aside the free upgrade still works. You can get it from http://go.microsoft.com/fwlink/p/?LinkId=616447. Just updated my grandma's computer two days ago from Windows 7.


It works, it activates, and Windows will say it's genuine if you ever reinstall windows from scratch on that machine but technically you don't have a valid license for Windows 10. It's a complete non-issue for personal use and Microsoft is blatantly still allowing the upgrade process and issuing digital entitlements, but for a business this would cause you to fail an audit and need to pay up to license Windows 10. Basically it's a free upgrade for home users but no different than pirating Windows for businesses.


>>> Windows 7 was supported with security updates for over 10 years (2009-2020). Second to only Windows XP (13 years)

So basically forever = 10 years as far as you are concerned? I have an elixir of immortality that you might be interested in.


Of course not, but 10 years is a lot better than Google's 3-5 for Chromebooks. Though consistent with their habit of nuking their own products, it seems like a foolish business move by Google--I too was burned by this and will never buy a Chromebook again.


How is your fourth point relevant in this discussion? Nobody is saying that devices are bricked as soon as they're unsupported, just that they become increasingly insecure without support and they contrast this with free and open OSes that keep working forever.


13 years of support may very well be above and beyond the norm in the software industry, but that doesn't make it "basically forever".


The free update to Windows 10 does though. And despite your GP's rhetorical flourish, it's hardly a "downgrade".


Well, it's definitely not an upgrade. There's no way to maintain privacy with Win10 by simply turning off telemetry once and calling it a day.

Sleazy bastards.


It absolutely fucking is. Ads infesting everything on my desktop. Pervasive tracking. Breaking updates pushed against my will. I'm happy that it doesn't bother you, but for me no f*cking thanks.


I've disabled the lock screen ads and most of the tracking stuff. It's possible it's still tracking me in some way that I'm not aware of, but as far as ads.. I don't recall Windows showing me ads for anything. Where are you getting ads?


Relative to software, it's basically forever. At some point you're still riding a horse and demanding that a highway be horse-accessible. It's unreasonable.


I don't think being better than the rest entitles you to abuse whatever superlative you wish. If the tallest man in the world claimed to be "basically as tall as Everest" I'd scoff at him too.


They will also still provide 7 updates for money to corporate users.


"They FORCED free upgrades to Windows 10 for a long time (a year?)"

Fixed that little lie for you. I still have two hard drives with Win10 still half-installed because I sure as fuck did not authorize Microsoft to change my computer, yet somehow they re-enabled automatic updates and forced that shit onto my systems.


4. seems wrong. It would be illegal to repair it on your own for copyright reasons.


Windows 7 is a 10 year old operating system and pretty much any hardware that ran it can also run Windows 10. Windows 10 was a free upgrade for Windows 7 users for years as well. This is wholly different from something like a phone or Chromebook that has no upgrade path at all when the OS support ends.


I have a game written for windows in 1999, and the same exe runs on my Dell xps. That's support.

Would you bet your house on the same happening on any other platform?

Android drops APIs left and right, apps just a couple years old stop working. MacOS is even worse, and Linux graphics stack is beyond comprehension.


In fact, developers make a loss on the unit productivity of their time by using Microsoft products, but make it up on volume because they use those products forever.


I wonder if we can imagine a future where most software is simply released in a secure state, or it's not humanly possible to design sufficiently-advanced software that is anything but a teetering stack of security holes just waiting to be discovered.


I think it's possible to make fairly secure software but it's a massive change from the way software is put together today. Nobody really wants to pay for that.

Even stuff like OS research (which is what we need if we want a proper security model and a system not written in a horribly unsafe language) is virtually dead because the second you bring up some new experimental system, geeks are going to gang up against you with "what about my legacy proprietary applications, and what about drivers! this is worthless! everyone should just use linux!"


That happened to my Chromebook too, so I just installed GalliumOS on it, and it's been getting updates regularly for over a year now.


The problem is even though we can do this, the average user doesn't. They get the unsupported message and they then throw the laptop in the bin and buy the same thing again.

All electronics makers should be required by law to supply security updates and spare parts for devices for at least 10 years after the point of sale (not after the release date).

Another thing I think would have a big impact is requiring all consumer electronics with a battery to have a user accessible method for replacing the battery. This used to be standard with all consumer electronics until very recently.

These laws aren't just needed to protect the customers from corporate bullshit, they are critical for the survival of our environment. Designing electronics to last for 2-3 years is devastating.


> All electronics makers should be required by law to supply security updates and spare parts for devices for at least 10 years after the point of sale (not after the release date).

Let's start by requiring then that chip vendors sell and support their chips for at least that long?

To stick to "10 years since introduction to market" which is a much easier requirement: 2009 was the year of AMD Phenom II (EOL 2012) and Intel Nehalem (EOL around 2012), and Qualcomm MSM7227 (couldn't find EOL date, but its direct successor came out 2011).

How much stock should they keep around for the 10 extra years after 3 years on the market? (and what happens if they underprovision, will they be sued, or overprovision, throw it all in the bin? they can't sell it, or the 10 year clock starts again)

> to have a user accessible method for replacing the battery. This used to be standard with all consumer electronics until very recently.

... and then vendors sold thinner and thinner devices, and customers preferred them over the others. The only way to get the same mileage out of a thinner device is to put batteries in every nook you can find, which doesn't work so well if the battery is supposed to be a single replaceable part. Also, there are two layers of plastic (chassis, battery container) that take away space that could be better used to store energy.


Regulation gets interesting too. What devices does this apply to? Does it apply to smart tvs, thermostats, printers, anything with software? (which will soon be everything). Components?

Can I import a device? What vetting / certification process will be applied? Who does that? What happens when devices are manufactured by subsidiaries which get folded after 3 years? What if "updates" are provided that don't actually fix any vulnerabilities? What counts as a vulnerability for the purpose of the law?


Security updates need to be supplied for anything that can connect to a network. Vulnerabilities are anything that allows remote read or write access to the device without the user's explicit consent. Companies need to open source everything needed for supplying security updates before going bankrupt (perhaps setting up a suitable insurance to make sure there is money for work needed to do so). You can't import products that don't meet these requirements, just like you can't import products that don't meet other safety requirements. If the provided updates don't actually fix the problem the manufacturer is liable for all damages. You can't sell things that depend on external servers for normal operation without also maintaining those servers (and enabling community replacement in case of bankruptcy).


A thermostat that can't be counted on to function properly for at least several times longer than ten years shouldn't be legal to sell in the first place.


I don't mean to suggest that this is a simple problem to solve. But the importance of this is far too great to ignore.

>How much stock should they keep around for the 10 extra years after 3 years on the market? (and what happens if they underprovision, will they be sued, or overprovision, throw it all in the bin? they can't sell it, or the 10 year clock starts again)

There is no reason they need to replace parts with the exact same chip they came with. If newer CPUs/chips are available they could put a new model in. There will likely need to be more standardization so individual parts can be replaced/upgraded but this is not impossible and is very common for parts like GPUs and pci cards.

There are also mountains of these parts floating around after sale. The OEM could encourage the return of unwanted electronics and then gut them for parts to use in repairs after they have been tested. Any leftovers after 10 years can be sent to recycling.

>vendors sold thinner and thinner devices, and customers preferred them over the others.

Customers' preferences need to take a back seat over environmental needs. A customer can live with a 1mm thicker phone. They can't live without air and survivable weather.

None of this is trivial and it will be a massive shakeup to the status quo but there is no other alternative. In the end we will all be better off.


> There is no reason they need to replace parts with the exact same chip they came with. If newer CPUs/chips are available they could put a new model in. There will likely need to be more standardization so individual parts can be replaced/upgraded but this is not impossible and is very common for parts like GPUs and pci cards.

The tighter integration of components (instead of routing everything through pluggable buses) reduced power consumption.

Every time a data line passes through a connection (solder joint, connector) you have to crank up power a bit to make sure that the signal makes it. Every time you have to decrease clock a bit, which means more parallel connections (with higher physical requirements == more waste at some point) for the same throughput.

At some point there's a trade-off to be made between inherent eco-friendliness (because it runs on much lower power) and replaceability.

> There are also mountains of these parts floating around after sale. The OEM could encourage the return of unwanted electronics and then gut them for parts to use in repairs after they have been tested. Any leftovers after 10 years can be sent to recycling.

Return programmes already exist (although they generally end up in recycling, not as reused parts), and some countries mandate them (e.g. WEEE in the EU, plus RoHS to eliminate troublesome compounds).

Reuse can be troublesome since quality control is so much harder than for parts in factory fresh condition: All the paranoia here (and elsewhere) about three letter agencies tampering with devices during shipment? Multiply that by some large number because supply chain attacks just became trivial.

I'm all for designing products in an eco-friendly way, but a 2019 laptop is so much better in that regard than a 2009 model, that the decision doesn't seem simple to me at which point the 2009 model shouldn't be refurbished any longer.

> Customers' preferences need to take a back seat over environmental needs. A customer can live with a 1mm thicker phone.

I agree and a thicker phone has more room for longevity (eg. sufficient shock absorbance built into the frame simply by virtue of being larger than the components inside) than a thin one that I long for a robust device. The majority of customers seems to prefer other aspects though.


> Let's start by requiring then that chip vendors sell and support their chips for at least that long?

You should make laws as close to the desired effect as possible. The market will sort out the most efficient way to accomplish that. Manufacturers will start placing availability terms into their contracts or stockpile as necessary.


Why should electronic makers be "required" to supply security updates and spare parts for 10 years? To begin with, 10 years is somewhat arbitrary. Why not 12? 15? 20? These tractors could be serviceable for 50 years or more? So why not 50?

Not every consumer wants or cares about this, but every consumer would be forced to pay for it. How would this even be enforced? Who will be the judge of what updates were important and what were not? What if they provide only cheap replacement parts which regularly fail? What if the company goes out of business a few years later? So many problems...

In my opinion it's one thing to create protections that prevent the stoppage of unauthorized repair, or the development of 3rd party replacement parts. However, it's another thing entirely to force companies to provide these services themselves for an arbitrary length of time.


Security updates should absolutely be a legal obligation. Their absence enables theft, criminal activity, botnets, etc.

For the same reason we have laws on fire safety, food safety, carcinogens and asbestos. Average consumer may not know or care about their existence. But if we get rid of them all, organised society will collapse.


At the very least the manufacturer should tell me in a legally binding statement, for how long a product will be supported.


I can totally get behind them having to enter into a legally binding statement, given that it increases the transparency allowing me to make an informed decision as a buyer.

However I still have difficulty in the grey area between "security" and "other" update...


Well, sure it's grey but it's a finite and definable quantity.

Addressing known and reported vulnerabilities would be a start - many routers and phones have known vulnerabilities and can be pwned in minutes.

Then I would include degradation of service - example, I have a Samsung bluray box that came with YouTube functionality. Within 1 year that didn't work any more because of changes to YouTube. Within a period of time they should be judged to maintain such software degradations.


I'm happy to listen to alternative solutions on how the environment can be protected from needless product waste. And no, recycling doesn't come close to reuse/repairs.

>Not every consumer wants or cares about this

What consumers want or care about is less important than the ability to live on the planet in 100 years.


My argument was from the standpoint of consumer protection. If environmental protection is your goal, then I would point out a few issues.

Newer products are often more efficient. It's not clear to me that supporting older products is always better for the environment. For example, newer tractors may be orders of magnitude more efficient in fuel consumption and pollution control. I don't know this for a fact but I think there is sufficient precedent to make this assumption for at least some products. Many consumers will favor short-term gains (not having to pay the cost of a new tractor) over long-term solutions (upgrading and recycling equipment).

Leaving aside products that fit into the above category, let's look at an example of a product commonly discarded before its usable life. Laptops, for example.

Here again it's not clear to me that legislating requirements for spare parts and security updates would make much difference. After 5 years or so all the laptops of average users that I've encountered are in terrible shape. Tons of spyware, extremely slow, and almost unusable. In this case I would usually just erase and reinstall. Now add a broken part to the list. Especially on cheap laptops, components are increasingly integrated so a single broken part could mean replacing essentially 50% of the machine. Laptops are so cheap. What do you think the consumer will choose: pay for the repair and cleanup of an essentially useless machine, or just buy a new one? So often it's the latter.

The closed ecosystems that have sprung up thanks to the App Store have actually improved this, but still, in my experience, people tend to just buy something newer (and better) rather than deal with (and wait for) a repair.

I'm not claiming there would be no impact in legislating around this, but I believe it would be small, riddled with holes and problems, and that there are better approaches (to solving environment problems).

Just a wacky example but consider the following.

Manufacturers typically design for a particular lifespan (such that no more than a certain % of devices would fail within a specified number of years). The idea is to reduce the amount of devices being trashed, so perhaps we could create tax incentives to encourage (a) longer life spans and (b) better recyclability.


> To begin with, 10 years is somewhat arbitrary. Why not 12? 15? 20?

I think the idea is great, filling your proposal with Xs and Ys isn't. This is not code, it's a suggestion :)


Maybe I think too much like a programmer but then again I think maybe everyone else should think a little more like programmers too... especially legislators.


> All electronics makers should be required by law to supply security updates and spare parts for devices

I don't think that is feasible and could ruin manufacturers. But in the case they end the support, they should provide access for users to install other software solutions and remove protective barriers.



