by prognu 1020 days ago
Simple. Give the manufacturers the choice: either they must provide full (FLOSS) source code and documentation (full schematics) to the user to enable them to maintain, patch and thus secure their devices (see also: right to repair), OR they are liable for all damages (direct, indirect) for a 30 year expected lifetime that arise from security issues with the device AND must have insurance to cover those damages (so that they cannot get out of that liability by bankruptcy). Most will opt for FLOSS, and none will have the excuse that it would be more secure to make it proprietary. And then users will at least be able to fix issues -- and the security community will be way more effective at finding issues as it wouldn't have to do the slow reverse engineering.
7 comments

30 years of expected support is pretty unreasonable. Stating a requirement like this makes the discussion about competing dogmas. Rather, it's about the right way to keep devices operational as long as possible while also allowing companies to remain possible.

30 years of support expectations immediately makes the cost of any device go up to hedge against the risk of fines during the entire 30 years. It also makes it harder to disrupt an industry with hardware at its core.

I don't have a single computing device that has lasted longer than 10 years. Reasonably speaking, either performance or features start to make the device largely obsolete and unusable.

I think a better way to propose this would be the expectation that when a product is EOL, it should be supportable by the buyer for a certain period. This requires figuring out the right period of support. I'd propose something that scales period based on cost or device class. A $1200 phone should be usable for 10 years while a $10 disposable glucose sensor with a battery should not.

Sorry, but some people will run routers (and other IoT devices) for > 10 years, and long past some random 2 year EOL a manufacturer may set. We need less e-waste, and if manufacturers have to warrant security for 30 years, they may also invest enough to make the hardware itself last longer. More expensive is totally fine if the product is useful for longer! Oh, and please double-check if you really have no 1st generation Raspberry Pi anywhere, or maybe some ancient Arduino? What about your washer? Modern washers are IoT devices. My (admittedly not yet IoT) washer is > 10 years old. Or take your car. Sure, you may buy a new one every 10 years, but there are plenty of cars > 10 years on the road. Do you want all of them to be vulnerable and out of warranty in the future?
> 30 years of expected support is pretty unreasonable.

I happen to know, having been with a Ford unit at the time, that the Ford EEC-IV engine control unit in 1980s Ford cars and trucks was designed for a 30 year lifetime. Many are still working.

The average age of light vehicles in the US is 12.2 years.

This is more in NHTSA's wheelhouse, though.

> I don't have a single computing device that has lasted longer than 10 years. Reasonably speaking, either performance or features start to make the device largely obsolete and unusable.

Are you just buying cheap junk? An i7-3770 PC - a good example of an 11 year old PC, and one I happen to use every day - can be quite usable today.

> either they must provide full (FLOSS) source code and documentation

I like the spirit of this, but one problem with this is that the software stack is likely not FLOSS, and the manufacturers don't own all the software.

A second problem is that a lot of the software for production IoT devices doesn't live in the device.

Third, there are safety concerns with a lot of devices that you'd need legal productions for.

Finally, the best IoT devices use a zero-trust architecture. You'd need to support a variation of this pattern to allow users to modify the devices.

If parts of the supply chain aren't FLOSS, then manufacturers would have to lean on those suppliers to change their licensing or find different suppliers. Same with other regulations around things like lead in consumer products. Anyone wanting to be part of consumer product software supply chains would have to start offering it as FLOSS if they want any customers, so the supply chain would adjust to the new reality.

We do need to establish common sense liability if it's not already there. If you modify your circular saw to remove the guard and injure yourself, that's your fault. If you modify some software to run outside of safe design parameters and it malfunctions/injures you, that's your fault.

I don't see why zero-trust is incompatible with user-modified devices. In fact it's in line with the spirit of zero-trust: don't assume just because something is able to talk to one of your servers (e.g. because it's on your VPN/LAN) that it's friendly. People should already always be assuming customer-owned hardware will potentially be completely controlled by a malicious actor and acting accordingly.

I'm working on an IoT device for industrial use, and we're wrestling with this very problem.

The answer we're probably going to go with is that the device is 'leased' to the customer. It's part of their subscription.

This solves a ton of problems about FLOSS and support of the same. It's now a closed device, and you have no rights to the code inside. If we go out of business, you have a brick that you don't have to pay for anymore.

I think it's always better for the customer to have access to the code inside. I'll actively recommend FLOSS solutions to customers even if they're not quite as good as the competition on paper right away. Simply because a large part of the cost of industrial hardware is actually supporting it for a long time. And support is SO MUCH EASIER if you have all the source code and schematics. Of course big customers get to demand this kind of arrangement (floss, escrow, or even just "give us all the paper") while small industrial operations end up paying a premium for inferior service.
>> The answer we're probably going to go with is that the device is 'leased' to the customer. It's part of their subscription. <<

1000% wrong answer, unless you straight up front sell a service with an installer making a site visit to deploy chattels of service.

Such as satellite television, or DSL internet.

When you swap handfuls over the counter before any contractual agreements, i.e. clickthrough TOS, you are selling a hardware, that means user ownership.

No, we're straight up selling with a dealer/installer in the pipeline. We're not that stupid to try and sell direct to the customer these days.
I find that revealing, it seems direct end-user engagement has really stung you, is there something other than people being people, or are there onerous requirements that are not worth it?
Ah, the utopian dream of a world where every manufacturer gives away their intellectual secrets just so users can play tech guru. You're suggesting that companies offer up decades of R&D and risk their competitive edge, or else face 30 years of liability? With the speed at which technology evolves, we're lucky if a device is even relevant after 30 months. And let's not forget the minor detail of skyrocketing costs. Want a device built under these fantasy rules? Hope you're ready to pay through the nose—think 10 times the current price. Because nothing says 'accessible technology' like pricing out the average consumer.
I favor something like this, if less strong. It should be required that a product that reaches end-of-life as defined by the manufacturer should have all documentation and source code released and open sourced; prior to end-of-life (and perhaps for one year after), they're required to provide security updates. The manufacturer is then free to decide the point at which closed source is no longer worth the maintenance cost.

A few additional thoughts:

- Perhaps hardware design/specs should be released as well?

- A government body should probably host this information after EOL.

^^^ This right here ^^^

Additionally, this cannot be an excuse to charge subscriptions or force lease agreements into the fine print for items consumers buy outright.

You as a customer can already give the manufacturer that choice, and simply refuse to buy from any manufacturer that doesn't comply.
I've been not-buying IOT trash as hard as I can for decades. But nothing's changing... please tell me how to do this correctly!
Well, lots of people have been not-buying liquorice their whole life, but nothing's changing. The market for liquorice candy is alive and well.

Less snarky: if other people still want to buy certain products, manufacturers will provide. But that's not a bad thing. Different folks have different preferences.

Why did you suggest not-buying as a better action than regulation if you acknowledge that it doesn't work? Are you a manufacturer of low-quality IoT devices? People don't prefer insecure devices, they just want convenience and manufacturers are not being upfront about how dangerous these "convenient" devices are. Ergo, regulation.
Convenience and low price are legitimate preferences, even if you disagree.
Not when the consumer doesn't know the trade off they are making. Buying a bottle of colorful poison and drinking it and dying because it looked tasty is not a legitimate preference.

You are being willfully ignorant of the power dynamics and information disparity that exist between manufacturers and consumers. The whole point of the label is to better inform consumers.

Insecure IOT has the huge externality of providing muscle to criminal botnets, though.
Tax them, then?
Consumer's power is not the same as FCC's
Indeed. And that's good.
It's good that consumers have much less power in context of forcing manufacturers to the described choice?
What do you mean by less power? It's different.

One manufacturer can't force you to buy stuff you don't want, nor ban you from buying from a different manufacturer that does what you want.

(In contrast with the FCC, which has a lot of power over you, by banning you from buying what you want.)

What if no or very few manufacturers produce a thing, yet the thing would be very beneficial to many owners?

Why would one want specifically to buy a product not conforming to the choice described in the first-level comment?

So what we need is giant warning stickers on products of which their parent companies don't follow good practices. Kind of like tobacco products.

"Leaks your personal data to unknown servers" Or "Manufacturer typically does not support their products beyond 2 years after which critical features and functions may stop working"

A relatively small group of people won't have an effect, that's why regulation plays an important role.
Perhaps we should respect the wishes of the large rest of the people who are outside that relatively small group?
Ignorance is not a wish. We're talking about users that don't know any better when buying products.
Are there any that currently do comply?
Many large companies open their wallets to buy hardware (and software) that comes with guaranteed long term support.

If you are willing to pay, manufacturers are happy to comply with a lot of weird requests.

I love this.