Coming soon to smart home devices? Best Before labels – with patch cut-off dates

I agree with that last guy...

Don't fekkin' connect what doesn't need connectin', it's just a security nightmare waiting to maul yer arse.

Security patches need to be mandatory for the life of the product. If there's an IOT dohickey as part of my fridge then I'm not throwin' out my fridge because the IOT doodad went titsup. Either you fix that thing or not only will I never buy anything with your name on it but I'll make sure to let all my local & online circle of contacts know as well.

If my damned thermostat helps DDOS some site then you had better patch that fekkin' thing right bloody now else I rip it out & replace it with a purely mechanical one salvaged from the tip.

The security holes don't stop existing after a mere two years, your device had better keep working after that time, & if you fail to keep it secure then I'll fail to buy anything from you ever again.

Android, Apple, Windows, IOT, all of you had better listen the fek up 'cuz I'm bloody well talkin' to you. If your software is buggy then fix it. Just because the device is a year old means sweet-fek-all. You made it, you sold it, now support the fekkin' thing!

GAH!

this may be a step in the right direction

Once the hardware has shipped and the manufacturer has pocketed the money the ongoing support just looks like cost. And as the device is supported it also means people aren't as motivated to replace them so the vendor loses out on those replacement sales too. This all works against the consumer.

So maybe educating the consuming public, and embarrassing vendors into declaring their support plans, may be the way to get this translated into business results and business terms that the beancounters can understand.

Connected Cars

Should list when patches are no longer available too. It is one thing if a DVR goes crackers, quite another if cars become homicidal remote controlled bullets.

Maybe the connectivity should just shut down at a point after the last patch date, since eventually any script kiddie will be able to crack whatever the digital signatures are used to sign software patches, never mind unpatched security holes in "XP" cars.

ID-Iot

Incredibly Dangerous - Internet of Things

Or IDIoT as I prefer to think of it. I do not see an upside to this stuff. I already have a very effective remote method of controlling the lights in my house. It is conveniently located on the wall near the entry to the room. It's called a light switch.

The best part,is that if my internet goes down they still work. (Amazing, I know.)

Not sure this "expiration date" helps consumers much

Sure, people who read El Reg know the security risk of IoT devices and the importance of patches, but the average consumer probably associates patches with Flash constantly bugging you to update or Windows wanting to reboot at an inconvenient time and might go out of their way to buy the one with the shortest patch window!

The other problem is just because the OEM has committed to delivering "patches" through 2020 doesn't mean all security issues will be addressed. Sure, if some really bad exploit comes out that could be used to cause your toaster to set your house on fire they'll fix it, but if there's something that can cause your toaster to go from off to some sort of warmup state that consumes 100 watts 24x7 they might ignore it.

It's insidious

There's this very invasive framework mentality in play, quite Orwellian in nature, that there are psople who want to get inside our homes, inside our heads, strip us down to the source code and analyse us from every possible angle. While that sounds like the essence of paranoia, there are many reasons why people would want to do this.

The primary one of course, is marketing and advertising. The original purpose of advertising was simply to let people know a product exists, what problems it solves, and where to buy it. The whole concept of trade developed around this process:

1. I have a problem and I need something to fix it (e.g. an apple to assauge my hunger, a hammer to nail this plank to patch my house, a shirt to keep me warm, whatever)

2. You have what I need.

3. What do you want in exchange for that item?

But since then there's been a gradual but ineluctable evolution away from this purpose, towards one of making us want to buy the product, and that superseding all other considerations. The usefulness of the product, its ability to solve a problem which is the reason we'd normally buy it in the first place, is losing relevance. All the companies care about is selling more product, regardless of its usefulness or any point of trade, Their sole objective has become to extract money from our wallets.

To that end, an entire science has sprung up around figuring out exactly what makes people tick for the express purpose of manipulating that process to their own gain, regardless of our loss. But control first requires understanding. So inevitably this leads to, the more we know abut someone, the more we can predict and therefore influence their decisions; the more we can influence their decisions, the easier it becomes to extract more money from them.

The IoT is the manifestation of this principle. There is no valid, consumer-oriented purpose in connecting a light bulb, a kettle, a toaster, a washing machine, to the internet. There is no problem that it solves to make the trade worthwhile. The only purpose of all this connectivity is to inject more observation points into our homes and our lives in order to better predict and thereby influence our behaviour.

So these bastards can all fuck off and die. I will never embrace this technology because it brings me no advantage whatsover, but it puts me at a distinct disadvantage to whoever wants to find ways to milk me for more money, while giving me nothing of value in exchange.

And if it becomes impossible to buy a lightbulb that works without this connectivity, I will go back to using candles. Actually, I can foresee an entire cottage industry springing up around this: Buy a smart device because you can't buy anything else, then take it down to Bodgy Bob's Mods and have him rip out its innards leaving only the basic mechanical function active. A fridge has a cooling element powered by a compressor and regulated by a thermostat. It can't be too hard to rip out all the electronics and leave just the thermostat-compressor loop active. Same with any other device. You just have to be prepared to chuck your warranty out the window. But considering the high turnover the planned obsolescence this article clearly refers to will cause, warraties aren't worth anything anymore anyway.

"stop connecting everything to the internet & spend more time doing better systems engineering"

*** I've been following the process and feel that the elephant in the room is that some corporations are bullying the market into IoT / Smart, simply by removing choice.

*** Samsung here's looking at you! Its not ok to stop selling basic non-Smart TV's, basic phones, basic washers etc. Forcing consumers over to overpriced Smart / IoT that are not ready for prime-time and lawlessly slurp... That's highly deceptive shitty economics!

*** But there needs to be incentives for offering choice in the market. Consumers especially, need to be able to buy cheap basic reliable tech while all the complexities of security and standards for IoT are resolved. This incentive needs to come from strict consumer rulings and hefty fines arising out of sloppy IoT tech, not private lawsuits where only the lawyers win or back room deals.

*** Privacy didn't get much of a mention today or its being lugged in with security. C'mon corporations, wake the fuck up. We don't want every device prying like a mini-omnipotent Facebook / Google. That's 'surveillance-capitalism'! If that's the future, i.e. no choice, then its finally time to turn the clock back and stop living in a consumer led society imho.

Don't connect my toaster / no more Orwellian tech...

That all falls on deaf ears... Here's why... Consumers need to wake up and stop buying, send a message:

https://www.theguardian.com/technology/2016/may/02/google-microsoft-pact-antitrust-surveillance-capitalism

Patches, and Patches

It's one thing to say "We will provide patches for this device until YYYMMDD", and quite another to guarantee "And the device will still be fit for purpose after the patch". I've lost track of the number of times I "upgraded" a device that was listed as satisfying the "system requirements", only to find that "runs" is not equivalent to "runs sufficiently well to not be completely useless". Annoying when the device is a phone or PC. Worse when it's my furnace, or auto.

C-Bus

Currently working out a plan for fitting a C-Bus system to my house, initally for lighting. It's been a standard for decades. It's expandable and future proof. It's the only way.

Internet fridges can fuck right off though.

More than IoT

This should cover a lot more than little IoT devices. I've had two cellphones that were abandoned while under warranty. Lenovo is selling Moto phones right now that lost support months ago.

IoT seems to be one Big Fail

Most products have some kind of processor in them these days and somehow they get by without being patched every five minutes. There's actually a reason for this and its not just that 'they're too simple' or that 'they're not connected to the Internet'. IoT seems to be an accident waiting to happen, an accident caused by badly designed, constructed and implemented protocols using significant complexity to perform simple tasks. These protocols come about because of a combination of shortsighted engineering -- Web protocols are apparently all people know these days -- and the omnipresent marketing push to stick their nose into everyone's business 'the better to get to know them'.

This kludge may be why there's no huge rush to buy IoT devices. Its a bit like the early days of music players. A MP3 player is a simple thing but early designs were screwed up by a need to monetize the customer base (something only Apple really figured out how to do). Then, as now, customers are faced with an array of devices that cost a lot, don't do very much, are prone to be hacked and can have support withdrawn from them at a moment's notice. What's not to like about that?

(Incidentally, if you like remote on/off, dimmers and so on then you've been able to buy them for over 40 years as 'X10' devices. Hooking an X10 controller to a remote protocol is a no brainer.)

This:

"That means that when you buy your smart thermostat, or lightbulb, or door lock, a manufacturer will commit to updating and patching it for N number of years, with the date stuck on the box on a label".

Until, 6 months after purchase the company goes tits-up. Then your 10 years patch garantee isn't worth shit.

A better idea would be an open source core that can be picked up by "hobbyist" coders as thats about the ONLY way to guarantee* continued support.

*In an ideal world.

I'm not sure this is a good idea at all.

Say I buy a smoke detector and it says "google will support this for two years". I'm not going to buy it knowing it only has a two year effective lifespan. I'd honestly rather buy the Internet-free version even without such a "guarantee".

Alternatively I buy a smoke detector with a two year support guarantee and ignore it, like any good shopper would. After two years it's still a smoke detector but now it's also a botnet.

I'm not seeing what real purpose this serves.

It surely also leaves the way open for "generic smoke detector with an online component" with support and updates and mods so you can play pong on it from a Linux community. I hesitate to say "like Cyanogen" given their current circumstances but something like that anyway. Maybe a modular system so ongoing support can also help you build the IoT house. If Google don't slap you down of course.

Future robot overlords - Please forgive us our sins, we weren't all in "Marketing"

Manufacturers trying to limit less time for a "cheap" device vs an expensive one is a business decision (duh). Bad news is they're all (almost certainly) going to be connected for a VERY long time...

There is a solution, but personally I REALLY don't like it:- instead of "buying" devices, it will be "licensed" for a limited TIME. So when support runs out the device stops working (or at least the internet functionality). Revenue for the manufacturer up front and repeatedly into the future thanks to (now explicit) planned obsolescence.

Of course device security will come with cryptographic protection, which carries jail time if circumvented so "adding" law that "regulates" manufacturers here is actually in their favor and brings a governmental guarantee to protection of revenue streams.

Sorry, did I say "will"? It's already happening... :-(

Question then becomes how is the "deactivation" handled? Folks are going to be mighty interested in manipulating that expiration functionality (both ways).

Take a more existential point of view and it should be pretty clear that Skynet and Batty's motivation are the same as Johnny 5's - "No disassemble! Alive!".

TLDR - Substitute "IoT" for "AI" or "Thing" for "Machine" and we have the plot of practically every SciFi movie in recent history.

What manufacturers are not taking into account is the simple fact that a fridge is not like a mobile phone. Most people will happily upgrade their phone annually to get the latest model often paying extortionate monthly prices to have the latest fastest shiny.

People replace their fridge when it no longer keeps their food cold. I can understand the desire from manufacturers to further build in timed planned obsolescence. But are the general public going to stand for it? I do think their is a limit to this.