Comment by meindnoch 2 days ago

EoL devices are a huge liability. We need laws that require vendors to equip smart devices with remote hardkill switches, so they can be permanently disabled by the vendor when they reach EoL. A disabled smart device is better than one that can be weaponized by threat actors.

UniverseHacker 2 days ago

That is insane. I mostly buy and use “EOL” devices because they’re cheaper and have no issues. Recently bought my son an old Intel Mac Mini and he loves it.

You can easily still secure an EOL device: with the old Mac I just use it with the firewall on, no ports open, and a modern secure browser. There is really no attack surface from the OS which is EOL, and this old device has aged past being worth developing attacks for.

  • getcrunk 2 days ago

    Tell that to the recent Windows bug where, even if you block IPv6 in your device firewall (or was it even turn off the stack?), your device is vulnerable to a specially crafted IPv6 packet.

Cheetah26 2 days ago

Much better legislation would be requiring that the firmware/software source be released at EOL, so that users can maintain the hardware they purchased for as long as they like.

  • meindnoch 2 days ago

    Probably we need both. Hardkill all devices, and let determined users resurrect their own devices with the open source firmware if needed. The point is that millions of vulnerable devices won't stay online by default.

  • mnau 2 days ago

    How big a percentage of customers have even logged in to their home router? It will be way below 10% (I would wager in the lower single-digit percents).

    So

    * manufacturers open-source it

    * "someone" is going to maintain it, for free

    * all these people are going to find a non-malware-infested fork

    * upload a custom ROM to their devices.

    I just don't see it.

    Automatic updates/killswitch are the only way forward.

  • liotier 2 days ago

    Want to sell a device? Deposit the software in escrow, released one year after the firm stops supporting the device!

nashashmi 2 days ago

The terms of service of the device did not require replacement nor issue an end-of-life date. What basis would the law have to enforce replacement?

aeternum 2 days ago

Auto-applying security updates is actually a major threat vector. It's often easier to compromise a cloud deployment system/key rather than thousands of edge-deployed devices.

An EOL device that has withstood the test of time, and has had many security patches but is no longer connected, is often one of the most secure devices.

olabyne a day ago

The planet is dying and the way you think is part of it. IT security is important, but none of that is more important than the planet's resources.

notfed 2 days ago

Yikes, -1 to that. Sounds like a vendor's dream anyway; I don't know if that needs to be incentivized.

compootr 2 days ago

Right, but do you want these still-usable devices to become e-waste?

For those that can secure them properly (e.g. air-gapping), why do we need to make old IoT stuff non-functional bricks?

Something I'd be more OK with is to disable it, but in the device's settings, allow it to be re-enabled.

  • meindnoch 2 days ago

    If you truly air-gap the device, then the kill signal wouldn't reach it, so all is well.