by Analemma_ 3525 days ago
> Unfortunately, forced firmware updating is an area our governments should not be mandating.

It absolutely is an area that governments should be mandating, because the problem is an externality. These attacks are a cost imposed on neither the producer nor the consumer of the device itself, and (apart from some highly speculative libertarian conjectures) the only things that can fix externalities are taxes, regulations, and lawsuits.

Lawsuits are infeasible in this case since we probably can't prove whose devices were involved in any given attack, so that leaves taxes and regulations - and the latter would be better so we don't have to go through the business of collecting taxes from manufacturers and then distributing them to the victims of attacks.

> That puts unnecessary strain on small companies

Clearly it isn't unnecessary, because I can't get to any friggin websites today. If small companies don't have the resources to update the devices, they shouldn't be building them in the first place.


If you are a chemical company you have regulation on the stuff you put out and the environmental hazard of your product and waste products.

Something similar could work for IT.

Yeah, this seems, to me, the most apt existing analog. We have regulation for environmental pollution, this would be digital pollution (of a sort). Insecure devices create a harm to the digital environment.

But this is incredibly hard, due to ease of manufacture and distribution, to regulate in the case of IoT devices and software.

Which business model works best:

- planned obsolescence cranked to 11, you must replace everything in your house every month

- monthly subscription fees for each lightbulb, refrigerator, and everything else

- all products must refuse to operate unless they can connect to a central update server (which is being DDOSed by competing products made in a country without that government mandate, that are still working, while no products made in your country work)

- company shuts down, goes out of business, and a new company with a different name (but all the same employees and products except for the logo) opens every month

- all software created must be maintained indefinitely into the infinite future for free by...magic elves?

This one: Companies offer products that meet a consumer need without creating an effective, easily accessed platform for criminal third parties to tax the rest of us. If they can't do that, then they don't fucking offer the product. "The only way we can sell this is to enable DDOSes by Russian hackers!" is a reason to say "then don't offer the product!"

Fun fact, we have working systems for peer-to-peer publish/subscribe systems that only need a known peer to bootstrap off of, and then are reasonably resilient to nodes disappearing etc. No need to have central update servers - just push a signed message into some random selection of machines and go!
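The scheme the comment above sketches, as an added example in Go that is not part of the thread or of any vendor's code: a vendor (hypothetical key pair generated in-code) signs a manifest of version number and firmware hash with Ed25519; each device holds only the vendor's public key and accepts an update if, and only if, the signature verifies, the blob matches the signed hash, and the version is newer than the one it runs. The signed message is seeded into a few random devices and forwarded to random peers each round until every device converges, with no update server involved. The firmware blob, node count, fanout and RNG seed are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	mrand "math/rand"
)

// Update is the message the vendor pushes into the network: a version, the
// SHA-256 of the firmware blob, and an Ed25519 signature over both. The blob
// itself can be fetched from any peer, since the signed hash pins it.
type Update struct {
	Version   uint64
	BlobHash  [32]byte
	Signature []byte
}

// Node is one device: it knows the vendor public key and its running version.
type Node struct {
	Version uint64
}

// NewVendorKey generates a signing key pair for a hypothetical vendor.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// manifest is the exact byte string that gets signed: big-endian version || blob hash.
func manifest(version uint64, hash [32]byte) []byte {
	b := make([]byte, 8+len(hash))
	binary.BigEndian.PutUint64(b[:8], version)
	copy(b[8:], hash[:])
	return b
}

// SignUpdate builds a signed Update for blob at the given version.
func SignUpdate(priv ed25519.PrivateKey, version uint64, blob []byte) Update {
	h := sha256.Sum256(blob)
	return Update{Version: version, BlobHash: h, Signature: ed25519.Sign(priv, manifest(version, h))}
}

// Accept installs u only if it is newer than the running version (anti-rollback),
// the blob matches the signed hash, and the signature verifies under the vendor key.
// The cheap checks run first so unsigned junk does not cost a signature verify.
func (n *Node) Accept(pub ed25519.PublicKey, u Update, blob []byte) bool {
	if u.Version <= n.Version {
		return false
	}
	if sha256.Sum256(blob) != u.BlobHash {
		return false
	}
	if !ed25519.Verify(pub, manifest(u.Version, u.BlobHash), u.Signature) {
		return false
	}
	n.Version = u.Version
	return true
}

// Gossip seeds u into `seeds` random nodes, then each round every holder forwards it
// to `fanout` random nodes. Returns rounds until all nodes run u.Version, or -1 if
// that never happens within the bound (e.g. the update is unacceptable everywhere).
func Gossip(pub ed25519.PublicKey, nodes []*Node, u Update, blob []byte, seeds, fanout int, seed int64) int {
	rng := mrand.New(mrand.NewSource(seed))
	holders := map[int]bool{}
	for _, i := range rng.Perm(len(nodes))[:seeds] {
		if nodes[i].Accept(pub, u, blob) {
			holders[i] = true
		}
	}
	for round := 0; round < 10*len(nodes); round++ {
		if len(holders) == len(nodes) {
			return round
		}
		var newly []int
		for range holders {
			for k := 0; k < fanout; k++ {
				j := rng.Intn(len(nodes))
				if nodes[j].Accept(pub, u, blob) {
					newly = append(newly, j)
				}
			}
		}
		for _, j := range newly {
			holders[j] = true
		}
	}
	return -1
}

func main() {
	pub, priv := NewVendorKey()
	_, rogue := NewVendorKey() // an attacker's key, not the vendor's
	blob := []byte("firmware v2: constructed sample blob, not a real image")
	nodes := make([]*Node, 50)
	for i := range nodes {
		nodes[i] = &Node{Version: 1}
	}
	rounds := Gossip(pub, nodes, SignUpdate(priv, 2, blob), blob, 3, 2, 7)
	fmt.Printf("all %d nodes on v2 after %d rounds\n", len(nodes), rounds)
	forged := SignUpdate(rogue, 3, []byte("backdoored"))
	fmt.Println("forged v3 accepted:", nodes[0].Accept(pub, forged, []byte("backdoored")))
	fmt.Println("genuine but old v1 accepted:", nodes[0].Accept(pub, SignUpdate(priv, 1, blob), blob))
}
```

Two things the comment leaves implicit are handled here: the version check gives rollback protection, so a replayed but genuine old manifest cannot downgrade a device, and pinning the blob hash inside the signed manifest means the firmware bytes can be served by any untrusted peer. What this does not solve is key management: every device trusts whoever holds the vendor's private key, so that key (and any rotation or revocation story) is the whole security boundary.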

But then there is also the risk of government mandating a firmware update that has government features.

The consumer takes on some of the cost. But the only reason you are so for this legislation is because you don't understand the full-scale logistics involved in mandating such a feat as well as implementing them as a tech company. If you want to mandate security to include well-established, cost-appropriate solutions, that's cool, but requiring future updates to these IoT devices is not the correct solution. It brings into question free speech issues for one, requiring companies to support the life of products they no longer wish to support. And the only companies who will not feel the full brunt of this would be the elite.