0day Contest for End-of-Life Devices Announced
(districtcon.org)261 points by winnona 2 days ago
I think hardware vendors have been allowed way too much freedom in trying to turn hardware into a subscription. The yearly release of new phone models isn’t helping either.
What if we turned hardware support into a subscription (kind of like JetBrains model I think?) and stopped yearly releases in favor of more interesting releases? I wonder how many resources are used just to make the next iteration a bit shinier to catch the consumer's eye.
I think what this is ignoring is that "security updates" are generally corrections to defects in the original product.
In principle, a complete product would ship with no defects. You could run it for 1000 years unpatched and it would be no less secure than the day it shipped.
Manufacturers ship security updates because the original product was defective. So it makes sense that they remain on the hook for security updates -- we paid them full price up front.
I'm reading this as "Samsung charges a $10 monthly subscription fee to keep your phone up to date" and I already know how that would turn out.
People don't have to buy this stuff you know...
In a free market vendors should have the freedom to create bad subscription services and consumers should be free to buy other hardware if they don't like it...
I buy a $100 phone like once every 3 years... No one is forcing me to buy a premium Apple phone every year. Doing so is purely a consumer choice. Perhaps a stupid one, but one consumers should have imo.
Just because you and I don't like it surely doesn't mean it should be regulated.
I’ve bought three laptops this year from eBay. The second was shortly after the first because I thought it was such a good deal.
A few months later the first laptop's exhaust started smelling like burning plastic and I also discovered that if you move the lid/screen a certain way the laptop hard freezes. A few months after that, same smell from the second laptop (different model/seller), which progressed into a proper burning smell. In both cases I'm out my purchase price and for the total could have bought new.
On a whim, after coming across the ThinkPad subreddit, I bought a T480s recently. As soon as I got it I paid attention to folding the hinges excessively and noticed it creaks sometimes, and the exhaust also gets a little too toasty. So this one is going back.
I’m not against used. I’m a lifelong 2nd hand buyer. No problems with phones or even mini pcs.
I don’t recommend laptops anymore tho. Too delicate and can have hidden issues.
If you read this far: it's not environmental, cus my bought-new laptop (4yo) doesn't have any issues. And also I did take off the back cover on both laptops and didn't see any obvious blown parts. And neither is overheating according to sensor data, even under p95.
If you're not against supporting Apple, their laptops always seem to have the most longevity. I am still running my M1 with 8G of RAM and it out performs the latest "top of the line" Windows laptops my work are handing out.
Prior to this one I had a MacBook Pro for about 7 years and before that one the black plastic MacBooks from 2007.
So three laptops for the better part of 20 years.
We use multiple M1 airs as dev machines and they're all still working perfectly fine and very fast, nothing has broken, on top of that they were all bought used. We're not looking to replace them any time soon. Not an Apple fanatic personally (don't own a single iProduct), but the M series of laptops is extremely well built and performant. I expect them to last at least 6 years from time of purchase.
My first generation M1 Macbook Pro has been a great workhorse as well. It is still chugging along. The backlight on the keyboard is a distant memory. One of the two USB-C ports decided to retire its data bus. It also made a high voltage arc and rebooted earlier today for the first time ever. I was very pleasantly surprised when I found out the speakers were spared any damage during this process.
It came back online right away as if nothing happened and has outstanding battery life that's still making the M1 Max envious.
Some eBay ex-enterprise laptops include vendor warranty that can sometimes be extended. Dell US-based ProSupport and Lenovo International Warranty (3 years, optional years extra) offer competent phone support and relatively quick repairs. Well worth the insurance for mobile computing devices in a hostile world.
Yes, laptops are really not great for resale.
We only buy new and keep ours until they die, and they sure die or become quirky in ways we'd be pissed about if we bought them in that state.
The big issue is of course repairability: buying a second-hand business Dell OptiPlex is mostly fine because replacing anything other than the motherboard/power supply will be dead simple, and even that can be managed either through salvaging or DIY. A flaky or half-broken laptop is a world of hurt, for any brand, even if you're into soldering.
I use multiple Windows 2000 computers as daily drivers for hobbies, writing documents, internet, et cetera.
It's hilarious to me that I get better performance doing those things on a 20+ year old computer and OS than I used to on a recent computer simply using an internet browser.
You are not "simply using" an internet browser. You are using an entire (browser) OS in itself on a 4x pixel count display with antialiased text, transparency, blur, scaling, video compositing... The OS itself is using additional compositing for windows using indirect rendering - all the things that add latency. Additionally, you are using a remote application that has its own latency when talking to the remote server, and even locally executing JS is doing everything in a single thread, plus the V8 JIT only works for hotspots in the code.
Do any of those additional things add value to the user in this application?
If your taxi driver takes you for a 2 hour scenic tour of the city when you simply wanted a direct 20 minute trip, you don't cut them slack for all the extra work they did, you complain they provided a terrible service.
Not a problem, I just won't visit anywhere dodgy. Either way, I've got the latest service pack and have been using them for a year or so every day without issue.
This seems like that useless definition of "need" that completely discards any real standards for the sake of an argument. A 200 dollar computer at best is going to let you play low demand indie games and things with garbage mode settings for running on potatoes.
$200 on eBay will get you a used laptop with a Core i7, 16GB RAM and SSD; essentially the same specs as my year-old $1000+ laptop, other than having a newer generation CPU. It'll play many brand new games at 720p or better and acceptable framerates.
I still use an original Microsoft Surface Pro pretty often, and can barely tell the difference between using it and that year-old PC for web browsing, document editing, and tablet-style gaming. The Surface Pro came out in 2013.
Would you say that your laptop can get 120fps on non-minimal settings while playing the current Call of Duty? What about Grand Theft Auto V or Overwatch?
> A 200 dollar computer at best is going to let you play low demand indie games and things with garbage mode settings for running on potatoes.
That's not true. I still regularly use an old Dell Latitude from almost 15 years ago sometimes - it cost under $150. I can do everything I need on it, even compile Firefox. I can't run most new AAA games, but can play a bunch of FPS games from about up until when it came out. It still plays CSGO just fine, for example.
The real advances in performance over the last decade have been in GPU performance, not general performance.
What settings do you play CSGO on? And is it just CSGO or can you play Counterstrike 2?
Low, to be fair. It depends how hot the laptop gets, but usually around 800x600 or 1024x768 and everything on low quality. Not great compared to modern hardware, but not as useless as you were suggesting either.
Can't play CS2 because of it needing DirectX12 and the last driver for the video card not supporting it. I've wondered if it would work on Linux since DirectX isn't a factor but haven't tried yet.
As soon as they feel like TPM isn't pushing enough HW upgrade purchases...
Yup Windows 10 EOL will be fun...
Windows 10 is "still" on 47% of PCs with Steam installed.
Windows 11 is at 49%.
It'll be another Windows XP situation of a large percentage of people refusing to upgrade for 8 years past EOL, the only difference is that XP was a better operating system and doesn't have anything built in that could forcefully update you at M$' will.
>refusing to upgrade
Well, Windows 11 has pretty strict requirements on CPU and TPM to be officially supported. If my computer could have it officially, I would have installed it already.
> Linux: 1.92% (-0.16%)
> Arch Linux (64-bit): 0.16% (-0.01%)
> Ubuntu 22.04.4 LTS (64-bit): 0.07% (-0.01%)
> Linux Mint 21.3 (64-bit): 0.07% (-0.04%)
> Ubuntu 24.04 LTS (64-bit): 0.07% (0.00%)
> Linux Mint 22 (64-bit): 0.06% (+0.06%)
> Ubuntu Core 22 (64-bit): 0.06% (0.00%)
> Manjaro Linux (64-bit): 0.06% (0.00%)
Year of Linux in gaming, everybody! :(
>Right now you can go to eBay and buy a used PC for $200 that will do everything you need to do...
100%! And the average HN poster presumably has the skills to make that work. My suggestion to retire vulnerable devices isn't a US jobs or tech sector program; it was born from a sincere desire to see vulnerable and most likely already compromised devices removed from use.
It seems logical to me that if we're going to look for vulnerabilities in order to help harden devices, you might want to address ones with known issues. And frankly the reason so many devices still out there are in use is because their owners simply don't know any better or see no value in upgrading. Cash for clunkers creates an incentive to fix a situation that I'm guessing many don't even know exists.
For example getting rid of these: https://apnews.com/article/fbi-justice-department-chinese-ha...
I mean if we're committed to spending a bunch of taxpayer money on this problem, maybe education and investment into Linux is better than spending it to increase the amount of toxic waste in the ground.
200 for gaming might be cutting it close for me, but I am using a 10-year-old PC with an upgraded GPU. I guess that's "bad" lmao. Can we end-of-life the people who will decide and implement some shit like that? :)
Also enterprise will buy new and then sell, why Thinkpad etc is popular. Should that also be banned?
No used cars too, sound good. No used goods at all. Imagine the productivity!!!
In my fictional country, in order to release a software product to the market, or a hardware appliance that runs software, the vendor must:
- Subscribe to an end-of-life insurance package for security software patches. Vendor must contribute periodically. The amount contributed is proportional to the number of appliances sold, with a multiplication factor to account for how hard it is to upgrade the software. Vendor is still legally bound, by SLA, to release software patches and provide an upgrade path to customers for as long as devices remain operational (ie. no fixed EOL). The insurance is only there in case vendor goes bankrupt.
- Or else release the software under an FSF-approved free software license, including all the needed toolchain to deploy software fixes on an appliance. Any third party is then legally empowered to provide patching services (caveat: the third party must agree to same SLA as vendor in point above).
- Or else vendor must put in place a guaranteed-buyback scheme whereby consumers can get at least 75% of the ongoing retail price (or last known retail price) by bringing back a device. The funds must be put in escrow, to protect users if vendor goes bankrupt.
Musing...
All these things might need some flavor of escrow-with-indie-verification. For example, does the published source actually compile to what's on the device? And some flavors of escrow (like your #3) need a bankroll or some sort of insurance.
And anyways, given the inevitable enshittification of all the things, including "assurance", how is a grand scheme for preventing willful software obsolescence enforceable by anything less imposing than the gummint?
Depending on the target and the severity of the vulnerability the vendor might consider fixing the vulnerability even if EOL.
If the target is an IoT device the vulnerability will likely be mass exploited to create a botnet.
The U.S. government recently ‘took control’ of a botnet run by Chinese government hackers made of 260,000 Internet of Things devices... (Source: https://techcrunch.com/2024/09/18/u-s-government-took-contro...)
If the device is explicitly past EOL what is the point anyways? Just to wait 60 days and hear they aren't going to do anything?
not necessarily! If the 0day is bad enough the vendor may patch it or release further guidance - most recent case is Ivanti this week (https://cyberscoop.com/ivanti-vulnerability-cisa-kev/)
> 60-90 day disclosure windows with vendor
This is not 0day. (but I think this is a fun initiative nonetheless)
"Although the term "zero-day" initially referred to the time since the vendor had become aware of the vulnerability, zero-day vulnerabilities can also be defined as the subset of vulnerabilities for which no patch or other fix is available." - Source: https://en.wikipedia.org/wiki/Zero-day_vulnerability
Maybe mainly to avoid legal trouble? Even if you “know” the answer from the vendor will be that it’s EOL, notifying them of your findings and giving them time to fix it shows that you have good intentions. That they then do choose to do nothing about it, well that’s not your fault.
Additionally, it helps you avoid the situation where you thought the device was EOL because there hadn’t been any updates for a long time but then it turns out that they actually do still respond to, and fix, security issues. And it just happened that there hadn’t been updates for a long while because no one had reported anything for a while.
Sometimes an EOL is ignored if it's serious enough - https://msrc.microsoft.com/blog/2017/05/customer-guidance-fo...
> - You are not under any restrictions or sanctions from the US.
Can we make this a condition of giving any prizes, rather than of entry to the competition? This restriction affects literally 200 + million people.
It's more likely to cover the organizers legally.
I imagine no-one wants to be on the receiving end of "You are accused of actively encouraging Iranian / Russian / <insert other sanctioned state here> hackers to identify exploitable security vulnerabilities in appliances owned and operated by Americans; how do you plead?"
Wouldn't the legal definition of "restriction" also include the laws covering computers etc?
A technicality but one could argue that if the law is the only barrier to exploiting something then the vulnerability needs to be fixed and proven, which a US citizen can not do.
How likely is it that a sanctioned individual shows up for an event in Washington DC?
There are already communities around providing fixes and drivers for OSes going back to at least Windows 3.x(!), so I hope things like this will also come with fixes too.
The complexity of essential system software has ballooned out of control, and it has always been my belief that "EOL" means eventual stability; known unknowns are better than unknown unknowns. They always tell you how many bugs they fixed in the new version, but they never tell you how many new ones they introduced.
This just underscores the fact (IMHO) we need a "cash for clunkers" program for obsolete and unsupported devices. I mean I'd love to see more moonshot programs like DARPA's Tractor but in the meantime why not create incentives to get insecure equipment off the net?
A lot of the time the EOL hardware is exactly the same as the supported hardware. The software just needs to be supported for longer. For example the 2014 and 2015 MacBook Pro: same CPU, same motherboard, etc., and yet the 2014 is EOL a year earlier.
Reaching for the legal hammer ought to be a last resort, but IMO, EOL-ing a device should require open sourcing it and handing over any info required for administration to the users. Or a refund for full price.
A device which can not be administered by the end user is administered (perhaps negligently) by the company who sold it.
I would love that, but I can see some issues: embedded stuff (e.g. in your car) might use a proprietary RTOS, like "VxWorks" [1]. Then the developers might have had to use a commercial toolchain from e.g. HighTec [2]. They could also have licensed some 3rd party libs. What about external verification tools for critical stuff? What about cloud-connected services (e.g. music streaming)?
For a manufacturer to open source "all that's necessary to build, deploy and use the soft-/hardware", the whole ecosystem would need a massive paradigm shift.
For certain device classes this is probably much easier than for others. And expecting/dictating a reasonable lifetime from a product might be the better choice - and as the EU directive regarding user-replaceable smartphone batteries shows, this goes beyond software.
[1] https://en.wikipedia.org/wiki/VxWorks [2] https://hightec-rt.com/products/development-platform
First some thoughts about your specific example: My impression (although, just from working in something very tenuously related to automotive stuff) is that the real time, safety critical stuff, and the entertainment center stuff, are on two unrelated computers, ideally with very little connection between them.
The safety critical stuff really ought to be supported for the lifetime of the car. But it shouldn’t have internet access anyway, so a big source of attacks is not available. They sometimes update that software when you go in for maintenance, right? It seems fine.
The entertainment center, why shouldn’t we be able to install our own OS on it? Those things are always quite buggy anyway, I’d love to install Linux on mine.
—
More generally:
Yes, I’ll admit I was going for a bit of back door trickiness. I do think it would be hard to just open up a lot of current platforms.
If the law is that manufacturers must either release “everything” (hand-wave-ily) or offer a full refund in order to release their support obligation, then I’d expect them to do one of the following:
* Make new designs that are easier to open up. A win for everybody! They can push back on the license terms for the libraries they use. Or, perhaps some mechanism could be designed so that they open up the rest of their platform, and the library developer that doesn’t want to open up can keep their part of the support obligation.
* Extend the support lifetime to the point where they are happy to just offer refunds to the few remaining users.
As you say,
> And expecting/dictating a reasonable lifetime from a product might be the better choice - and as the EU directive regarding user-replacable smartphone batteries shows, this goes beyond software.
But I think a reasonable lifespan depends on the type of device, locking in a specific number with the law seems difficult. Offering a choice instead would let the lifetime be set dynamically, but without the current odd situation where obligations just evaporate into nothingness.
What would be the point of open sourcing it? Serious question.
A custom DIY ROM might be interesting to some geek out there, but it does nothing for security. There is no automatic update, and some custom ROMs are never going to get one anyway.
Security through obscurity is a better option in this case.
I'm thinking of the millions of IoT devices like old internet firewall appliances that make up modern botnets. Those need to die ASAP.
There are easier ways to play doom. https://youtu.be/aq6mtEciX2c
You know you can look up the specs of those machines, right? The 2015 MacBook Pro updates the processor from fourth-generation Haswell (22nm) to fifth-generation Broadwell (14nm) cores and also bumps the memory speed slightly to 1866MHz. They're not the same hardware.
As someone who works at an e-waste recycler, I can tell you that what you are describing is an environmental and ecological nightmare.
"Cash for clunkers" only made sense because they weren't fuel efficient. If old devices are insecure, then the only sane long-term solution is to incentivize long-term device security.
We already have 10-year-old devices which are perfectly performant for their tasks but are being turned into e-waste due to lack of support, rather than any material need. Moore's law isn't coming back, devices will have longer and longer performance-relevant lifetimes from here on out, and if the current market doesn't support that then it's the market that's broken, not the devices.
Why would they do this? Knowing that any bugs found won't be patched since EOL, and will just be used for mass exploitation and harm??
Why is the cyber industry so desperately stupid for attention?
Let's say there's a group of people living in a small, old house. They have the money to move to a bigger, newer one, but there's sentimental and other value to the one they're in.
Yeah, they don't have the latest door chain and fancy security systems, but that just means they don't open the door to random people who come knocking and are more careful and wary of burglars.
Now imagine a real estate company paying people to try and break into houses like theirs in order to scare the people into spending money and moving to a bigger and newer house they don't want to move to, claiming that the people don't know any better and need to be FUD'd for their own good.
That sounds like an evil thing to me.
A better analogy is a product safety bulletin, if your stove has a design flaw that can burn down your house the main difference is whether you or the manufacturer knows to do something about it. The bugs exist and people exploit them, it's mostly a question of whether the general public is aware. Breaking into houses requires a lot of labor to scale, exploiting software bugs doesn't so past some point more people knowing about them doesn't increase risk in the same way.
After 25 years of this debate it's pretty clear what works.
Just went to get some BIOS files for the 5th gen Intel NUCs and they've purged them from the site. It's like when Microsoft purged the KB of everything not in current support. Burning of libraries, it's sickening.
I think this contest is a good thing.
It might put pressure on customers to demand products with longer support lifecycles, which in turn forces vendors to offer longer support and/or make their software and APIs open source once support ends.
>It might put pressure on customers to demand products with longer support lifecycles
It won't. It'll allow vendors to put pressure on customers to buy new shit to replace their old shit that still works just fine that the vendor would rather not spend the resources patching.
Possibly but a website that says 'vendor vulnerable' is bad PR and readers won't care if it's EOL or not.
Why do you think the industry is morally obliged to have them remain untouched?
I'm thinking that bugs may not necessarily disappear when the device or application where they are discovered is EOL'd. This research could discover attack vectors and vulnerabilities that will need to be addressed in active implementations.
I cannot say if your comment is sarcasm.
Do you think devices are retired because they aren't sold? Why would you want that information to be known only by bad actors? Just imagine trying to convince someone who mounted a beautiful android 4.4 tablet to control their smart home (heh) 5 years ago that they will have to redo every thing because they bought into a proprietary protocol and the base os isn't receiving security updates.
Or do you truly believe you are safe if you hide under your bedsheet?
It's about the barrier to entry and amount of effort to exploit something. When public information comes out about a vulnerability that can't be patched in a reasonable amount of time (due to EOL or some other reason), the bad actors have the upper hand.
Giving ransomware actors free bugs for mass exploitation when they are unlikely to be patched is just putting innocent users in harm's way. It doesn't really make a dent in the shit vendors' profits, so the only other motives are 1) to show off your cool research or 2) to protest ridiculous EOL deadlines (which, sure, might make a difference).
When there's no publicly known bug, someone needs to spend the time and effort to research it; when public POCs come out every skid cybercrime crew jumps on and starts exploiting it for financial gain.
> Why is the cyber industry so desperately stupid for attention?
Burglaries aren't getting enough attention.
Dunking on Internet of Shit^H^H^H^HThings vendors is always a win in my book.
I think we need a cyber swat team to assassinate anybody doing a port scan.
You want to play with something you don't own or have permission to play with it.
Assassinate target. You want to make money/fame off others. DIE.
If somebody came to your house and started jiggling door handles, what would you do?
Why is cyber different?
NO CONSEQUENCES.
Fun idea, although nobody who is serious enough about hacking will use their home PC as source, more likely it will be some random grandpa's old router. Even putting that aside, we can't exactly send a SWAT team to China...
Look at what they are saying. They want to document all sorts of bugs in past products for future research purposes. And they want to draw attention to the product that it be replaced.
I agree putting such burdens on companies with little IT resources isn’t healthy for the company, its customers or anyone else. This is hostile.
If you put a product out in the field which can potentially be remotely exploited it’s on you to either patch it when someone does find an exploit or possibly open source everything so others can. If you genuinely can’t support it I guess you could put a self-destruct mechanism in which remotely bricks the device instead, just don’t expect your customers to be happy about it.
EoL devices are a huge liability. We need laws that require vendors to equip smart devices with remote hardkill switches, so they can be permanently disabled by the vendor when they reach EoL. A disabled smart device is better than one that can be weaponized by threat actors.
That is insane. I mostly buy and use “EOL” devices because they’re cheaper and have no issues. Recently bought my son an old Intel Mac Mini and he loves it.
You can easily still secure an EOL device - with the old Mac I just use it with the firewall on, no ports open, and a modern secure browser. There is really no attack surface from the OS which is EOL, and this old device has aged past being worth developing attacks for.
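The "no ports open" claim in the comment above is something you can check rather than assume. The following is an added example (not code from the thread or from any vendor) that parses the output of `ss -Hltn` (Linux iproute2, `-H` suppresses the header) and reports every TCP listener that is bound to something other than a loopback address. The sample output is constructed for the example; on a real host you would feed it the actual command output instead. On macOS, which has no `ss`, `netstat -an` prints a different layout and the parser would need adapting.

```python
"""Audit listening TCP sockets and flag those reachable from the network.

Added example: parses `ss -Hltn`-style lines (constructed sample below) and
returns the (host, port) pairs that are NOT bound to a loopback address.
A listener on 0.0.0.0, *, or :: is exposed on every interface.
"""
import ipaddress

# Constructed sample in the format of `ss -Hltn`:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::1]:5432 [::]:*
LISTEN 0 4096 [::]:22 [::]:*
"""


def parse_local_addr(field):
    """Split an ss 'host:port' field; IPv6 hosts arrive in brackets."""
    host, _, port = field.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, int(port)


def is_loopback(host):
    """True only for real loopback addresses (127.0.0.0/8, ::1).

    The wildcards '*' and '' mean 'all interfaces', so they are not loopback.
    """
    if host in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_listeners(ss_output):
    """Return [(host, port), ...] for every LISTEN socket not on loopback."""
    exposed = []
    for line in ss_output.splitlines():
        parts = line.split()
        # Skip malformed lines and anything that is not a listening socket.
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        host, port = parse_local_addr(parts[3])
        if not is_loopback(host):
            exposed.append((host, port))
    return exposed


if __name__ == "__main__":
    # To audit the real host instead of the sample:
    #   import subprocess
    #   out = subprocess.run(["ss", "-Hltn"], capture_output=True, text=True).stdout
    for host, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"exposed listener: {host}:{port}")
```

In the constructed sample the CUPS listener on 127.0.0.1:631 and the Postgres listener on [::1]:5432 are ignored, while sshd on 0.0.0.0:22 and [::]:22 and the web server on *:80 are reported. Run this against the device in question; an empty result is what "no ports open" should actually look like, and anything else is attack surface that a host firewall or service configuration still has to close.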
How big a percentage of customers have even logged in to their home router? It will be way below 10% (I would wager in the lower single-digit percents).
So
* manufacturers open source it
* "someone" is going to maintain it, for free
* all these people are going to find non-malware infested fork
* upload custom ROM to their devices.
I just don't see it.
Automatic updates/killswitch are the only way forward.
Auto-applying security updates is actually a major threat vector. It's often easier to compromise a cloud deployment system/key rather than thousands of edge-deployed devices.
An EOL device that has withstood the test of time, and has had many security patches but is no longer connected, is often one of the most secure devices.
Right, but do you want these still usable devices to become e-waste?
for those that can secure them properly (e.g. air-gapping) why do we need to make old IoT stuff non-functional bricks?
something I'd be more ok with is to disable it, but in the device's settings, allow it to be re-enabled
Go ahead and disable 47% of gaming PCs in 2025 then. lmao ur insane.
A cynical person (not me, not I, I'm not a cynical person) might think that this is the opening salvo in a campaign to "save" the US tech sector by getting rid of old hardware. See the comments in this very thread calling for a "cash for clunkers for old devices" or a "remote kill-switch" to disable them (!)
Right now you can go to eBay and buy a used PC for $200 that will do everything you need to do, including gaming. You can buy a 64GB iPhone X for $100, which will do everything a new phone will do (basically). Can you imagine the drain on the hardware sector in the US due to these old devices piling up? And the trend is only going to accelerate. If the powers that be aren't conspiring to "fix" this "issue", it's only a matter of time until they do.