
We should be pushing some of the "repair" legislation to include clauses about, "If you're no longer going to provide OS updates for a device, you must provide a way to install alternate firmware on it." We'd either get continued updates for devices, or a way to install something else. Either way is a win.



> you must provide a way to install alternate firmware on it.

Seems like a common sense measure that shouldn't be conditional on whether or not OS updates stop. PCs have worked this way for decades, and some phones and tablets, as well. It's a shame that competition is limited like this.


I would certainly prefer that this be the case, but I also don't think it's particularly likely to pass as legislation - because there are plenty of devices that are sold at a loss, expecting to make it up on other later software sales.

I believe almost all modern game consoles live in this space, I would expect Amazon's Kindle devices are in this category, etc. And while I don't like this model and won't participate in such ecosystems, neither can I deny that such things are fairly common and popular. Forcing open firmware on those would likely generate a much larger, and, frankly, better funded response to being able to maintain a locked down firmware for the useful life of the system.

Picking specifically on the "no longer receiving firmware updates" category makes it much harder for those companies to argue that having to do this will hurt their profits or hinder their ability to recover losses on subsidized hardware - they literally don't care enough to bother updating them at this point, so it would be much harder for them to make these claims. You abandon a device once you're done earning your money back on it. I doubt Sony, for instance, still expects much return on deployed Playstation 3s. And it's exceedingly hard for Apple to argue that they're making any money on an iPhone 3GS or something, because it doesn't even run modern app store packages.

So my logic here is that "you must unlock abandoned devices for those who care" is likely to be winnable, whereas "All devices must be unlockable from day 1" isn't.


Who cares what these companies want or what their business models are? Dumb business models are dumb and it’s not our job to consider their dumb business models when making legislation.

We wouldn’t even be having a discussion like this in a functioning democracy. But instead we’re discussing whether the big corporate bribery machine will get in the way of completely reasonable legislation.


>Who cares what these companies want or what their business models are?

A spoonful of sugar helps the medicine go down. You're not going to convince Congress critters to do something that can legitimately be argued to hurt businesses. So you tweak things to create a minmax situation where the businesses can not be said to be injured and we still gain access to abandoned hardware and are able to repurpose it.

The key is to go in with carefully charged words. Abandoned hardware is a good one. So is recycling electronics to extend their usefulness. How can companies argue they're being hurt by competition from abandoned hardware that is just e-waste unless it is allowed to be recycled?


>How can companies argue they're being hurt by competition from abandoned hardware that is just e-waste unless it is allowed to be recycled?

By pointing out that the products they are currently selling could be replaced by the reanimated spirits of the products they sold last year. Labor performed without a transfer of money to go along with it is not counted in the GDP or taxed; in modern mercantilism it is better for $100 to circulate in a day to produce a little value than for $1 to circulate in a week to produce much more value.


> By pointing out that the products they are currently selling could be replaced by the reanimated spirits of the products they sold last year.

They can say that, but it makes them look like assholes. So it's not effective for them to do that.


> They can say that, but it makes them look like assholes. So it's not effective for them to do that

Unfortunately, there are a lot of assholes that only act like assholes behind closed doors with other assholes that tolerate them being assholes because they spend money out the asshole.

/s

But actually my point is that a public PR team can't say that, but Tim Cook giving Ted Cruz a quiet phone call can totally say that (off the record), probably followed up with "this would keep us from affording that new Texas factory/office/thing we were about to build with this money we make."


I don't disagree with the idea here, but this sort of decision has to have a public facing, somewhat valid reason for opposing legislation.

An example of this would be marijuana legislation and the idea that marijuana is a "gateway drug." This is a somewhat sensible view that a political party can latch onto and push without losing too much popular support.

I have to wonder if "new firmware on old devices" has a public-facing view that won't crater a politician's popularity. I'm sure there has to be one, but I don't know what it would be.


> I have to wonder if "new firmware on old devices" has a public-facing view that won't crater a politician's popularity. I'm sure there has to be one, but I don't know what it would be.

The lack of any large important group that cares about this enough to try and smear a politician against it is enough. No one outside of nerds cares because no one knows to care. Compare it to abortion or guns, lots of regular people care or could be corralled into caring.

If a politician is quizzed about their stance on end of life firmware, they can just say "I want to not end the life... of babies! The other guys want to abort your children" and then the whole topic is lost and they deflected successfully.


I, too, chose this guy's dead legislation.


Because if the question is "Would I pay $200 more for an Xbox just to be able to install Linux on it", I think you will find the vast majority of consumers would respond with a resounding and an in-unison "hell no".

If the manufacturer is selling at a loss, with the intention of making that money back through software, and that subsidy is removed, the majority of customers will see this as a loss.


> Who cares what these companies want or what their business models are?

The people who bought and got value from systems that otherwise wouldn't have been developed?


I do. I enjoy being able to buy a cheap console and don't give a flying fuck if I can't install Linux on it.


Great. Have your cake and eat it, too. The market decides the price of goods, as always.


It already has, and companies have based business models on it, which has led to consoles being more affordable in exchange for restrictions on what you can do with them.

It's hard to rely on the argument that 'the market decides the price of goods' if you would like to restrict what companies are allowed to offer for purchase.


Yeah I like the idea of if it’s no longer receiving firmware updates but I suspect the tech companies would get around that by releasing symbolic updates that just bump the version number.

I would prefer something like after 5 years they have to unlock the bootloader and allow people to install anything. So you have 5 years to make a profit and then you have to open up the device.


> I suspect the tech companies would get around that by releasing symbolic updates that just bump the version number.

Wouldn't that be invalidated by games no longer working? They were very eager to move to cloud gaming and always-on-networking-style DRM, but once the servers are down and the games become less and less functional or stop working altogether, that excuse goes bye-bye, doesn't it?


> while I don't like this model and won't participate in such ecosystems

I've tried to keep away from ecosystems like this, but the way is very much dark and full of terrors. As far as I can tell, a smartphone is a prerequisite for participation in much of society today. What phone do you use -- an unlocked Android model, I'd guess? Or something like the Fairphone that I can't get in the USA?


> I believe almost all modern game consoles live in this space

Nintendo does not sell their consoles at a loss. They make a profit on every console sold. Their hardware is never bleeding edge but they make up for it on the strength of their first party franchises and their innovative controllers/input devices.


At least to me, starting out with the compromise is a great way to have effective policy neutered even further.


By accident, as IBM failed to prevent Compaq's reverse engineering in court.


Wouldn't this necessarily include "devices" like nuclear-reactor control systems? Because AFAICT there's no clear line where a "computer" stops and something like that starts.

I imagine there would need to be special protections in the clause for "secure embedded industrial" devices like that — something like: "if opening your company's devices to free modification would create a national security risk, then your company is not allowed to go out of business in the first place; instead, bankruptcy of your company will lead to immediate nationalization of such assets as are required to keep your devices up-to-date with secure firmware in perpetuity."

(It's actually kind of weird that there isn't already anything like this on the books in America; so it was possible for the private sector to e.g. shut down all the 5.25"-floppy-disk factories, despite military missile control systems still actively depending on them. You'd think governments would wield at least contract law — if not legislation — more eagerly, to protect "critical logistical dependencies" like these.)


> Wouldn't this necessarily include "devices" like nuclear-reactor control systems?

I don't really understand the example. Shouldn't a power plant get access to their own systems?


What if firmware or other updates have to be signed to be accepted? Who manages the private key(s) when a vendor goes under? How are they distributed and to whom? I'd worry less with nuclear plant owner/operators as they are used to safeguarding certain types of information, but let's imagine something like firmware for large transformers or other critical infrastructure where security postures vary across owner/operators.


Then you need to add a way for users to alter the trusted keys. Make it require physical access.

If someone has physical access they could always throw a wrench into it.

The whole idea of allowing alternate firmware is that it shouldn't need the original keys.


I'd support that as long as there are exemptions for those devices that aren't quite like a consumer iPad. For example, there are a range of devices where your primary threat actors already have physical access to the device in question and it's important to prevent tampering.

These can include electric, gas, and water meters on homes and businesses; computing devices in correctional settings; certain military systems; gaming (gambling) systems like slot machines; etc. They aren't the usual use case but they are real and they are out there in significant numbers.


Don't make an exception for almost any of those, add in functionality so the administrator can set a password and lock it. You still don't want the manufacturer to have ultimate power.

Maybe for a gambling machine you'd do it differently, but those are already very specially handled.


I haven't figured out the exact wording or requirements - feedback welcome.

My goal is not to discourage "Fully Finished" sort of products - if you have some widget that does X, and you've optimized the firmware to do X, and it won't need to do anything else beyond X, then... OK, good job, please make more things.

The target here is "consumer electronics" sort of devices - phones, speakers, fridges, washers, etc. And I don't think it has to be a "default unlocked" process, so much as "Some process to allow you to boot what you want." And if that's "I submit a blob upstream and they sign it so it can shim my kernel," well... not great, but OK.

However, the reality for something like your scenario, nuclear control systems, is that anyone who can get close enough (physically or digitally) to one for it to matter isn't going to be hindered by some pesky firmware lock.


Sounds sort of like Richard Stallman's boundary on what software is required to be free:

> The case of the toaster is very clear: we can't tell, except by taking it apart, whether it has a processor and software or a special-purpose chip. Since we can't tell the difference, it makes no difference: therefore, a program that will never be changed is equivalent to a circuit. I don't care whether a toaster or microwave oven contains software.

https://interviews.slashdot.org/story/14/05/05/2012218/richa...


My point wasn't so much about "fixed function" devices like toasters, but rather about higher-level industrial IoT devices like commercial security-monitoring control systems, or electricity meters (the kinds of things that have embedded 5G radios); and also about complex, flexible-purpose, networked "embedded" systems like SAN hardware appliances or network switches.

These types of devices do receive regular firmware updates. And (certain models of them) are required to operate in high-security environments, where the end-to-end logistical security of update delivery is part of what the customers of those systems are paying for by buying them. Also, in general, these systems have "no user-modifiable parts"; all the useful configuration for them is exposed on the outside, where nothing you'd want to do with them would require hacking them — because much of the point of these devices is to be a hermetic environment isolating the data they evaluate or carry from interference by third parties.

Maybe the best example in this category would be an Intrusion Detection System. It's definitely a full computer! But if you're the sort of company that needs one of those, then you certainly don't want the IDS itself to have any exploit surface whatsoever — including at the firmware level. And you'd rather lose out on the ability to install custom firmware on your own IDS, if that means that an APT loses the ability to rootkit your IDS.


Hmm, I'm not sure what the answer is. One idea is to regulate devices for consumers differently than devices for businesses. That's not a full solution though, because there's lots of news about farmers having to hack their tractors to get them to work, which is evidence that even businesses want to be able to modify their firmware sometimes.


Thanks - I'd not seen that before, and I think it generally covers the principle well. I don't care if a fixed function device that does its job well can be updated, but I do care if something like a fridge that talks to Google Calendar ends up obsolete with nothing but a warning message on screen because it's out of date. Though why a fridge needs a screen anyway is beyond me...


> anyone who can get close enough (physically or digitally) to one for it to matter isn't going to be hindered by some pesky firmware lock.

I mean, being unable to modify secure embedded systems by getting close to them "digitally" is the whole positive point of the much-reviled-in-personal-computing Trusted Computing Base paradigm. If Intel CPUs can cryptographically verify that microcode updates come only from Intel, and that the bootloader ROM is signed by the manufacturer key stored in the CPU's own TPM, then the microcontrollers in critical systems like these should be doing no less. "Unlocking" such a system to free modification by the installation IT administrator really does lose you some quite-powerful security advantages vs. having an end-to-end-secure logistical pipeline for updates direct from the manufacturer to your microcontroller, that not even the site admin can tamper with.

Also, on a tangent — with really-critical embedded systems, there are ways to prevent physical proximity from giving someone the keys to the kingdom as well. For example: making the system a distributed-majority-consensus system run across several secure installations, where you'd need to physically penetrate several installations at once — hopefully all with independently-designed security policies — in order to get the system as a whole to do something else. Where any timing slip-ups would reveal one of the systems as faulty, and prompt an immediate [probably armed] investigation response.


> ...then the microcontrollers in critical systems like these should be doing no less.

Should be, I agree. Though I would doubt that they are. We've seen plenty of malware packages related to industrial control systems over the past decade or so, which mostly rely on "compromising the workstation that programs PLCs and fixes their behavior over the network to meet the attacker's desires."

My goal here certainly isn't to impact industrial control systems, but to generate less ewaste of "Well, we're bored with it, good luck!" end of life devices.


> Should be, I agree. Though I would doubt that they are.

I think that's mostly to do with the fact that many industrial control systems still in use predate TCB or anything like it. "Why change what works", etc. Contracts for new designs, meanwhile, tend to specify all the security they can think of.


> (It's actually kind of weird that there isn't already anything like this on the books in America; so it was possible for the private sector to e.g. shut down all the 5.25"-floppy-disk factories, despite military missile control systems still actively depending on them. You'd think governments would wield at least contract law — if not legislation — more eagerly, to protect "critical logistical dependencies" like these.)

1. The government can just say "we'll spend $10,000 per floppy-disk reader" and someone will probably find a way to produce that profitably.

2. https://en.wikipedia.org/wiki/Defense_Production_Act_of_1950


Sold to consumers vs sold to a company would suffice as a distinction IMO.


They'll never legislate mandatory firmware open-sourcing after X years,

but mandatory bootloader unlock after 5 or 10 years seems perfectly reasonable to empower consumers.

Could happen in the EU but will never ever happen in the USA.

And it's not just phones and tablets; there are millions of smart-watches out there, like those from Garmin, that become paperweights.


I feel like this is especially important for game consoles. The 3DS store is on its way to being shut down and with it a set of digital-only games will be effectively unplayable for most people going forward. It feels correct to me that if the creator of the platform kills off the only way to pay the creators for the games you should be able to install alternate firmware and play them for free.


They will just push updates that incrementally cripple the device. They are already doing it anyway.


This times 1 million

