- If a firmware can be updated, it must keep a minimum ROM feature so it can be recovered.
- No device should be updated without the *owner* explicit intention to do so.
- Full docs must be released if the vendor stops supporting it.
- if the manufacturer retains some form of ownership after "sale", it is obligated to provide free repairs/replacements for the duration of the contract
In EU, Cyber Resilience Act requires automatic updates, so the second point is moot.
Most owners want just plug and play, so it makes sense.
Even third point is pretty moot. We don't do that for hardware, why for software... A component is no longer manufactured? Tough luck, hopefully you stockpiled it.
> No device should be updated without the *owner* explicit intention to do so.
That point has practical issues, because most consumer electronic customers are technically dumb.
Consequently, you end up with a long-tail of deployed device firmware versions, which makes support a nightmare (fix this external integration that broke... across 20 different versions).
I'd phrase it more in terms of:
- Every device must include an option for owners to disable automatic firmware updates.
Customers will gladly use an outdated browser or OS with known exploits to access their most sensitive information. Automated updates are necessary evil. Even a smart speaker with a vulnerability could end up as part of a botnet.
I can only assume you’ve never worked in desktop support if you think that is something the general populace is remotely interested in. Smartphones are a step in the right direction for the tech illiterate and uninterested. There is zero reason to give lay users enough rope to hang themselves with despite that being the opposite of what I or most users of this site would like for ourselves.
I actually did work with customer support in my very first job :) We had a limited IT crew, so programmers on-site would often go to the users' office to help with software and hardware issues.
My anecdote is the opposed of yours: they were interested in knowing why something wasn't working, but only as long as you're willing to be patient, talk slowly, and explain any unknown concepts to them, if required.
Insulting them, or just telling them it's their fault something wasn't working would be a sure way to get a negative reaction instead.
Fair enough. Many of my end users were indeed eager or at least willing to learn as you say. A non-insignificant portion were not though, and those are the ones I'm speaking of. But that was also a professional environment. Your interested users had some obligation to the company and the support of professionals like yourself to guide them.
Additionally, I don't think these people are stupid, and I'm not demeaning them. They simply do not care to know and that's perfectly fine. I wouldn't demean someone for not understanding how their car works, or even failing to get their oil changed. The computer is a tool to file taxes and shop on amazon for most people, they have a million other priorities in their lives that come before making sure windows is up to date, let alone actually considering its security. It's the job of these companies to ensure their technology can be used safely without consideration by the end user.
> I don't think these people are stupid, and I'm not demeaning them.
Sorry if it sounded like I was implying you thought that, or called them stupid, I didn't mean it that way. That statement wasn't trying to 'refute' anything you said either - it was just expanding on my anecdote of what I saw that it worked or not, whether in a professional environment or somewhere else.
Now, replying to your recent post,
> It's the job of these companies to ensure their technology can be used safely without consideration by the end user.
I think we just hard disagree here. I believe ultimately the user is/should be on control of how their own computer is used.
No worries, I agree with you in principle and for my own usage but, in practice I don’t want my grandma to have to think about security at all and I’d prefer if there were very few ways she could be social engineered to circumvent what security is there.
Beyond that I think total control can still be achieved in the realm of hobbyists who can run Linux or flash alternative firmwares etc.
I think this is completely rational given a realistic threat model. As a customer, I've had my browser hacked exactly never, but examples of feature downgrades from vendors abound. Vendors are a much more serious attack vector than a random hacker.
Also the number of times I want my speaker or TV to go online is zero, while Samsung apparently wants that number to be greater than zero for both products. So it is frequently the companies that put us in this situation in the first place.
I would assume your browser automatically applies security updates in the case of 0day exploits, no?
Like I said, automatic updates are an evil. But the general populace will absolutely defer every security update until the end of time so long as they don't have to spend five minutes waiting to get to their desktop.
Obviously vendors enshitify their products via firmware updates and potentially brick devices or introduce new vulnerabilities but, it's ludicrous to pretend that the general populace are good stewards of their internet connected devices or that they ever will be. They simply do not care, they never will, and its up to the rest of us to design products for the lowest common denominator if we want protect end users and have a safer internet.
A law? As an engineer, I really don’t want a bunch of technologically-inept congressmen telling me how I have to build software, firmware, or hardware.
As if engineers actually get to make decisions about software, firmware, or hardware. Ha! That is truly hilarious.
I would rather have a bunch of mildly responsive legislators setting the boundaries of what is acceptable than a bunch of middle-managers trying to justify their salary to their private equity overlords.
As an engineer you should be familiar with laws and regulations. Try creating health care software without regarding HIPAA, for example, should make for lots of fun and lawsuits!
Construction, hardware, radiation, dam and wastewater engineers are highly regulated professions. Do you take responsibility for bugs in your technology? Do you have insurance for your mistakes in professional work? Are you an engineer or a coder? Are you certified to do your job or just passed a boot camp?
As an end user I don’t really care what you want. I want the thing I paid money for to keep working after you’ve disappeared. Otherwise, in my estimation you’ve stolen from me.
