by ghaff 2453 days ago
I daresay people aren't going to like this answer but, you ultimately have to align the interests of the manufacturers and the consumers. Which probably means some sort of subscription model and even a requirement that the subscription be current to function.

I know. Yuck. But the only other real possibility is to legislate that such updates be made available for N years as part of the purchase conditions.

4 comments

> the only other real possibility is to legislate that such updates be made available for N years as part of the purchase conditions

I am unclear why this is not the preferential solution here. "Don't sell lemons" is a societal good.

Laws requiring that consumer electronics not be effectively disposable are also a net good for the environment. I'd like my router to have active cooling (so it doesn't self destruct from heat) and run an open source firmware that will survive longer than a single manufacturer may be willing to maintain it. (They all can jointly contribute.)

Phones should have some level of modularity and repairability, so they can last a multiple of their present service life. (Think smaller scale standards like in desktop PCs.)

We would need stronger consumer protection laws and regulations around defective products. My car’s manufacturer just fixed my 10 year old airbag for free, presumably not out of the goodness of their hearts but because they are required to.

They're not necessarily lemons at the time of sale though. In general, we don't legislate that products need to be upgraded and maintained after they're sold. (Yes, there are lemon laws and warranty requirements for defects--which are at least related.)

However, how would you feel about legislation that required five years of dealer service to be included with every automobile sale? Or other products in a similar vein?

There is an idea of harm to the ecosystem/society with unpatched IoT and other network devices though. So perhaps a heavy-handed approach is justifiable.

They were lemons at time of sale, though, we just didn't know it yet. Between that and the ecosystem/society argument, I think it's a no-brainer.

> However, how would you feel about legislation that required five years of dealer service to be included with every automobile sale? Or other products in a similar vein?

This analogy doesn't work for me; software bugs are defects, they aren't something getting old and falling apart. I think that a defect in an automobile should be repaired at manufacturer expense whether it's a year old or twenty.

The operative difference is that intelligent adversaries are not coming up with new and better methods of making your bumper fall off.

The economics of providing 5 years of defensive patching on a $100 device simply does not work.

Maybe they need to stop shipping a dozen different $100 models with wildly different specifications and come up with a common platform to reduce support costs, like most other industries.

Support costs increase as fragmentation does; if things were sold at a reasonable price and without dozens of variations, it would be more feasible to maintain longer supported life cycles - but these companies have no incentive to think beyond the next quarter’s earnings call.

> The operative difference is that intelligent adversaries are not coming up with new and better methods of making your bumper fall off.

Not yet.

Then maybe they shouldn't be able to make a profit on doing society wrong in the medium or long term.

It drives prices up in equivalence with subscription pricing over the typical lifespan.

(i.e. not obviously better or worse)

Subscriptions are ongoing cash-flow. There's no reward to doing a good job, and there's only a perverse reward to not doing a good job--it keeps people subscribed.

Frankly I think the better option might actually be the reverse: a mandatory payout to every customer for every nontrivial security defect. Not sure how you'd adjudicate it, so it's pie-in-the-sky, but take it out of the realm of the class-action lawsuit and see how serious these manufacturers become about correctness.

Businesses fear only the big stick; it should be swung on the consumer's behalf.

Right. There are differences in incentives and how easy it is to make receiving updates mandatory or the default. But it's reasonable to assume that, however implemented and legislated, everyone ends up--from a financial perspective--having to pay for an ongoing support subscription.

Can you explain to me how a subscription, for which only subscribers get fixes, is not a perverse incentive to ship broken software?

Normal software has an argument towards subscriptions if it's adding features. But routers shouldn't be adding features. Routers should be fixing bugs.

Companies seem to be doing a pretty good job of shipping broken software today without the perverse incentive of a subscription.

Companies do buy subscriptions for older software even though they may only be getting security fixes at this point.

That said, I do think bundling longer-term updates into the cost is better insofar as it means buyers don't get a choice to just use the unpatched software. But it does mean that companies can cut costs by just not patching software at all or for a short period (as today).

> But it does mean that companies can cut costs by just not patching software at all or for a short period (as today).

Sure. Hence the use of a very big stick.

The lack of restraint on bad actors is a societal problem, not an economic one.

Maybe the manufacturers would figure out more efficient solutions given incentives that encouraged them to do so. For example, they might decide it’d be more efficient to use OpenWrt than to do separate security maintenance for N incompatible closed platforms.

> But the only other real possibility is to legislate that such updates be made available for N years as part of the purchase conditions.

What would be better is to require that the firmware be replaceable with something like DD-WRT or OpenWRT. One of the biggest issues with hardware like this is that the original manufacturer goes out of business and yet millions of people still have their devices.

You can't require updates from a company that no longer exists, but that's not really a problem if their hardware can run the latest versions of half a dozen different open source router firmwares.

There is an even better solution. Simply use open source firmware on these devices and this will not be an issue. It's much less effort to maintain one common firmware rather than a new one for every device.

Some subset of the code may be common. A lot of code that is specific to a particular device won't be. I'm actually open to the idea that vendors could benefit from working with open source firmware and differentiate in other ways. But "use open source" doesn't magically reduce the effort. They probably already have core software bases that they don't need to change all that much for new devices.

The thing is that for a new device you only need hardware enablement in the kernel - something largely one-off that manufacturers can do in the same cadence as device sales, so their priorities align.

What should be happening is that the FCC / international communications bodies should be directly funding a project like OpenWRT and using regulation to compel device manufacturers seeking approval by the bureau to make their requests contingent on providing device specific hardware enablement upstream and to default-ship their devices with this common OS. Then those certification costs fund the ongoing operating system project.

If a company then wanted to implement a new feature to push their hardware, they could... by submitting it upstream.

There have been so many billions of developer hours wasted in the pursuit of profit by reinventing every single damn wheel a trillion times over; it's disgusting to think about, and governments should be recognizing this flaw in US-IP-driven software business models and work to correct it.

> What should be happening is that the FCC / international communications bodies should be directly funding a project like OpenWRT ...

The exact opposite is what actually happened. In late 2016, the FCC specifically banned owner-based firmware upgrades[0]. It was ostensibly due to RF configuration; it could also be seen as a concession to the manufacturers.

0 - https://hackaday.com/2016/02/26/fcc-locks-down-router-firmwa...

Pretty much the only custom code that router vendors write is the web UI, which is sometimes a fully custom job and sometimes a reskin of DD-WRT or OpenWRT's web interface. Otherwise, they're generally shipping whatever code they got from the SoC vendor, which is generally a fork of OpenWRT from around when that SoC taped out.

"Use open source" would make the situation appreciably better, because it would mean not accepting any closed-source or out of tree drivers that lock you in to particular kernel versions and non-standard management APIs. Once those problems are out of the way, frequently rebasing the web interface on current upstream OpenWRT is pretty straightforward.

If they used open source, the drivers could be mainlined and then you really could just drop one standard OS on it.

Or increase the initial price enough to cover the N years it is expected to be in service. If you make a 5 year router, charge for that. If you make a 10 year router, charge for that. But don't charge for a 5 year router and drop it after 2.