(Mis)Uses of Technology

by Karl Bode

Thu, Nov 9th 2017 1:28pm


Logitech Once Again Shows That In The Modern Era, You Don't Really Own What You Buy

from the sorry,-I-can't-do-that-Dave dept

Time and time again we've highlighted how, in the modern era, you don't really own the hardware you buy. In the broadband-connected era, firmware updates can eliminate functionality promised to you at launch, as we saw with the Sony PlayStation 3. And with everything now relying on internet connectivity, companies can give up on supporting devices entirely, leaving users with very expensive paperweights, as we saw after Google acquired Revolv.

The latest example of this phenomenon is courtesy of Logitech, which annoyed consumers this week by announcing that it would be shutting down all support for the company's Harmony Link hub. Released in 2011, the Link hub provided smartphone and tablet owners the ability to use these devices as universal remotes for thousands of devices. But users over at the Logitech forums say they've been receiving e-mails informing them these devices will be effectively bricked in the new year:

"This is an important update regarding your Harmony Link. On March 16, 2018, Logitech will discontinue service and support for Harmony Link. Your Harmony Link will no longer function after this date...There is a technology certificate license that will expire next March. The certificate will not be renewed as we are focusing resources on our current app-based remote, the Harmony Hub."

Again, there's no monthly subscription fee for the service, and Logitech is compounding the problem by not clearly communicating why it has decided to completely brick Link units. On the plus side, Logitech says it's giving Link owners under warranty a Logitech Hub for free, and providing out-of-warranty Link owners a one-time, 35-percent discount on the Hub. But many users in the company's forums and over at Reddit are questioning why the hardware needs to be crippled entirely (instead of just, say, ending formal support):

"This exact situation right here is why I've always said “if it requires a cloud service to function, I don't want it” hosting things locally on my own network is where it's at."

Indeed. While this entire fracas was unfolding, several Reddit users discovered that the company was banning users from using the phrase "class action lawsuit," which unsurprisingly is only making frustrated Link owners more annoyed.

Update: After some notable backlash, Logitech has announced that all existing Harmony Link owners will be upgraded to the company's Harmony Hub, for free. Which is nice, but doesn't really change the reality that you no longer actually own what you buy.

  • Rich Kulawiec, 9 Nov 2017 @ 1:44pm

    One more time, for the slow learners

    If your device depends on someone's cloud service, then it's not YOUR device.

    • Mark s, 10 Nov 2017 @ 3:22pm

      Re: One more time, for the slow learners

      And if it's NOT connected to the cloud, it likely won't get timely security updates, if at all. So pick your poison...

  • Anonymous Coward, 9 Nov 2017 @ 1:59pm

    On the one hand, this was handled incredibly poorly by Logitech and there is certainly an issue with loss of functionality on purchased products.

    On the other hand, unless we come across a paradigm change in the software/firmware/hardware interaction model (which may or may not be possible), this is also a necessary part of the process of "securing the internet of things," another problem that Techdirt talks about a lot.

    Because the reality is that devices we own have security holes. Probably all of them, but certainly most of them. And patching those holes requires a continuous level of development support. So given that we can't require that all companies provide eternal security support for their products (it's simply unrealistic to do so without the above paradigm change), we will have to make a choice.

    We will either have an ever increasing number of insecure, internet connected devices that can be used by bad actors to cause any number of problems. Or we can routinely experience loss of functionality in older products.

    And while certainly broader support of various open source firmware/software can provide some relief to this for tech-savvy consumers... it's not the tech-savvy consumers whose devices are a major issue here.

    • Anonymous Coward, 9 Nov 2017 @ 2:16pm

      Re:

      Because the reality is that devices we own have security holes. Probably all of them, but certainly most of them. And patching those holes requires a continuous level of development support. So given that we can't require that all companies provide eternal security support for their products (it's simply unrealistic to do so without the above paradigm change), we will have to make a choice.

      The choice is easy:

      • The company can support the device until reasonable consumers would have discarded it for other reasons.
      • The company can explicitly and publicly commit up front to not providing that support, so purchasers know before they buy that the product may be unnecessarily bricked at corporate whim. Hiding that type of warning in a EULA does not count.
      • The company can commit to not locking out interested users from self-supporting. This means, at minimum, that before the company-hosted cloud servers shut down, the company releases to the community everything that the company's own staff would need in order to stand up a replacement cloud data center: estimates on bandwidth, storage, and CPU requirements; dependency information; source to rebuild all relevant previously proprietary components; certificates to update the device or, if available, instructions on how a physically present owner can override the certificate check; information on how to redirect the device to use an alternate server of the owner's choosing (whether self-hosted or run by a group of interested users).

      We will either have an ever increasing number of insecure, internet connected devices that can be used by bad actors to cause any number of problems. Or we can routinely experience loss of functionality in older products.

      I have a keyboard and mouse that are older than most still-functioning laptops (more than 10 years, maybe longer). They were built to last, and they have lasted well. Of course, the manufacturer at the time had no option to stupidly make them "Internet of Things" devices, so they're classic "dumb" devices that cannot be remotely disabled at the manufacturer's whim. Nothing in this announcement says that they needed to halt this line because of unfixable security vulnerabilities. It looks to me like they simply got tired of running the cloud server it required, didn't want to let anyone else run the cloud server, and so decided to scuttle the whole project.

      And while certainly broader support of various open source firmware/software can provide some relief to this for tech-savvy consumers... it's not the tech-savvy consumers whose devices are a major issue here.

      Non-savvy iPhone users loved using jailbreaks on their phone to enable installing third-party enhancements written by savvy non-Apple-approved developers. There's no requirement that all customers be tech-savvy for this, only that there are some who are tech-savvy, willing to share, and that the device doesn't make it unnecessarily difficult for the non-savvy to benefit from that sharing.

      • Anonymous Coward, 9 Nov 2017 @ 3:32pm

        Re: Re:

        I have a keyboard and mouse that are older than most still-functioning laptops (more than 10 years, maybe longer). They were built to last, and they have lasted well.

        Obviously not a Logitech mouse. Don't buy Logitech mice. There's no internet-enabled bullshit, just crappy microswitches that will be glitching in a couple of years.

        Of course, the manufacturer at the time had no option to stupidly make them "Internet of Things" devices

        Not true. The CueCat, released 17 years ago (late 2000 during the dotcom boom), is the prototype of uselessly-internet-enabled things. They used cryptography to make sure nobody could use it without the service. The service, of course, had a security breach that exposed the private details of 140000 users. And it was all shut down in January 2002, which gives it a lifetime of less than 18 months. All devices were then bricks, except to a few techies who could mod them... liquidators were offering them for 30¢ each but I doubt people would've paid for shipping if they were free.

    • Anonymous Coward, 9 Nov 2017 @ 2:42pm

      Re:

      A good start would be to avoid unnecessary permanent connection to the Internet. If the device is not on-line, or only on the user's network, security becomes much less of an issue.

      • ralph_the_bus_driver, 10 Nov 2017 @ 8:34am

        Re: Re:

        While very true, that is increasingly unfeasible. Many organizations are, if not using cloud based operations, using off site servers shared by several sites.

        Add in the push to make apps and programs cloud/server based will only further that.

        And that sucks.

        • Anonymous Coward, 10 Nov 2017 @ 12:24pm

          Re: Re: Re:

          What is unfeasible about avoiding connecting everything to the cloud? About the only reason many of these devices do so is because the senior management of the company want to collect user data because somehow big data analysis will increase the company's profit.

    • Anonymous Coward, 9 Nov 2017 @ 2:47pm

      Re:

      We will either have an ever increasing number of insecure, internet connected devices that can be used by bad actors to cause any number of problems. Or we can routinely experience loss of functionality in older products.

      Or we can decide that maybe a universal remote control doesn't require internet access. It might be nice to make it compatible with newer hardware (though it's a problem entirely caused by AV-equipment companies' refusal to use standards)... but we could have people insert an SD card to load new codes. Unless by "universal remote" they mean something that allows me to control all the devices of the universe from my couch, and that's why internet access is needed...

      Or as was already stated, they could drop support but release enough information for the community to take over. It's Logitech that decided to keep all this stuff secret so far. PCs from 20 years ago can still get on the internet as securely as any other, as long as you find a recent and supported OS.

    • orbitalinsertion, 9 Nov 2017 @ 9:54pm

      Re:

      I will believe it has anything to do with patching security holes when I see it.

      The general security problems with these sorts of devices are that they are IoT for no readily discernible reason in the first place (other than slurping your information and behavioral data), so one can secure them by not making them internet-connected. If someone really needs to turn on their TV while they are 500 miles away, give them that as an extra option instead of a main functionality, and don't require the traffic go to a company server - there is zero need for that.

      Another problem is that the code and settings should not be so laughably poor that a ridiculous little device could ever require so many software patches in the first place.

      But the thing is, the number of IoT devices receiving security patches is laughably small, so claiming that as a reason for product EOL (literally, EOL), requires some evidence first and reasons why a patch or other fix is impossible next.

  • Anonymous Coward, 9 Nov 2017 @ 2:17pm

    People are

    Easy to fool, because of their massive ignorance. It is just how things go, nothing is going to change. For every expert telling the government how things would probably work best there are 10 experts paid by a company to say the opposite.

    And people wonder why no one takes the experts seriously or believes them when they "bust out that science".

    It is just too easy to sell you cardboard and call it something else.

  • Roger Strong, 9 Nov 2017 @ 2:27pm

    It used to be that if someone at your cloud service even hinted at withdrawing support, they would be fired.

    • ThaumaTechnician, 9 Nov 2017 @ 2:50pm

      Re:

      Thanks for the link - I'll be looking into this story.

      If you're not familiar with this, look into the story of one of my long-time heroes: Stanislav Petrov.

      People should know his name by heart.

      • Roger Strong, 9 Nov 2017 @ 3:39pm

        Re: Re:

        Yup!

        Sadly, Petrov died in May. And that item on Petrov's resume isn't unique.

        There was also the 1995 Norwegian rocket incident. The first and only known incident where any nuclear weapons state had its nuclear briefcase activated and prepared for launching an attack.

        And over on the American side...

        The New Yorker: Nukes of Hazard

        In 1960, the computer at the North American Air Defense Command (NORAD) in Colorado Springs warned, with 99.9-per-cent certainty, that the Soviets had just launched a full-scale missile attack against North America. The warheads would land within minutes. When it was learned that Khrushchev was in New York City, at the United Nations, and when no missiles landed, officials concluded that the warning was a false alarm. They later discovered that the Ballistic Missile Early Warning System at Thule Airbase, in Greenland, had interpreted the moon rising over Norway as a missile attack from Siberia.

        In 1979, NORAD’s computer again warned of an all-out Soviet attack. Bombers were manned, missiles were placed on alert, and air-traffic controllers notified commercial aircraft that they might soon be ordered to land. An investigation revealed that a technician had mistakenly put a war-games tape, intended as part of a training exercise, into the computer. A year later, it happened a third time: Zbigniew Brzezinski, the national-security adviser, was called at home at two-thirty in the morning and informed that two hundred and twenty missiles were on their way toward the United States. That false alarm was the fault of a defective computer chip that cost forty-six cents.

        Other sources:

        Wikipedia: List of nuclear close calls

        Union of Concerned Scientists: Close Calls with Nuclear Weapons (PDF)

  • Padpaw, 9 Nov 2017 @ 2:41pm

    You brick it to force people to buy the new version. As I am sure that's why they chose to do it in the first place, and only the massive backlash made them change their minds

  • Anonymous Coward, 9 Nov 2017 @ 3:18pm

    If you don't own what you buy (hardware), then you should start stealing it.

  • Anonymous Coward, 9 Nov 2017 @ 3:51pm

    Not buying logitech.

    To think I was about to buy a G710+ (only because it was on sale, I'm already squeamish after my experience with some of their wireless mice) - nope. I'm not buying any of their stuff again.

    I wonder how many other customers they're about to lose over this.

  • Anonymous Coward, 9 Nov 2017 @ 4:06pm

    Silver

    With the track record of IoT security, maybe it's a good thing these devices have a finite lifespan.

  • coward (anon), 9 Nov 2017 @ 11:12pm

    I think everyone is ignoring part of their announcement

    Not to minimize or disagree with any of the IoT threads, but the announcement says "There is a technology certificate license that will expire next March". I'm guessing there is some piece of patented tech in the device and Logitech is either unwilling or unable to renew the license. It's possible the patent is on the cloud side, or that Logitech is worried that the patent holder will go after users of the device once the license expires (we've seen that happen before).

  • Ninja, 10 Nov 2017 @ 3:33am

    If it was a subscription based system then it would make more sense and it should not be expensive but if you paid full, 1-time price for it then it should work until it breaks. If online connectivity is absolutely needed then let private servers be used. Or don't sell at all.

    It's clearly another example on how the private sector can't adhere to good practices by itself and needs to be regulated.

  • The Wanderer, 10 Nov 2017 @ 4:59am

    All devices which require specific online services for their functionality should come with service agreements which contain a clause stating (in effect) "if we ever choose to stop providing the service which enables this device to work, we will release all information necessary to enable others to provide a replacement service". The absence of such a clause should be treated as reason to refuse to purchase the device.

    (Ideally the absence of such a clause would even be treated as sufficient to invalidate the agreement and require the refund of the purchase price, but it's a bit unlikely that courts would take it that far.)

  • Peter, 10 Nov 2017 @ 10:21am

    You Do Really Own What You Buy: If you buy a horse, the previous owner has no right to drop by and shoot it to force you to buy another one!

    The Supreme Court of the United States of America disagrees with Logitech: the justices have "a long tradition of ownership known as “first sale,” which does not allow owners to automatically control a product past its first sale: If a farmer buys a horse from a breeder, the breeder no longer has any say about what the farmer does with the horse. The same goes for CDs, books and works of art."
    https://www.insidehighered.com/news/2013/03/20/supreme-court-sides-against-textbook-publishers-resale-imported-works

    • John85851, 10 Nov 2017 @ 10:48am

      Re: You Do Really Own What You Buy: If you buy a horse, the previous owner has no right to drop by and shoot it to force you to buy another one!

      This would be a good argument except many companies have already thought of it: this is why so many transactions are now called "licenses" instead of "purchases". There's no "first sale" doctrine for "licenses".

  • united9198, 10 Nov 2017 @ 10:54am

    Ownership

    Most people would be shocked to learn that GM claims that THEY own the software on the car you paid for and they have the rights to all the data that is collected and transmitted to them on an hourly basis. They are taking your data and selling it for a lot of money and you have no "opt out" privileges. As we move forward, the ownership of software/data/ etc will become increasingly cloudy. Washington DC has been totally asleep at the switch on this and perhaps has no ability to comprehend the impact.

    • Digitari, 10 Nov 2017 @ 2:56pm

      Re: Ownership

      "Washington DC has been totally asleep at the switch on this and perhaps has no ability to comprehend the impact."


      That is not a Bug, it's a Feature!

  • Anonymous Coward, 10 Nov 2017 @ 3:26pm

    Like this is news?
    I got a Logitech Squeezebox, loved it
    till they dropped supporting it.
    Thank goodness for Amazon Echo and line-in inputs
    so I can still use it for internet radio.



