I think it's time to encode in law security requirements, a minimum timespan for security patches to be provided post purchase, a maximum timeframe for security patch provision, and liability for unpatched security holes.
Just normal consumer-protection and product-liability law ought to take care of it for the most part, if really applied. Computer software has somehow managed to almost entirely escape liability, avoiding legal responsibility for shipping software with serious defects that makes it not fit for advertised purpose. But I suspect people shipping physical devices will find it harder to avoid, because the legal regime for physical devices like ovens and toasters is well established. Nest being forced to issue a product recall of its thermostats over a software flaw is one example of this starting to play out.
> Computer software has somehow managed to almost entirely escape liability, avoiding legal responsibility for shipping software with serious defects that makes it not fit for advertised purpose.
So did early car manufacturers etc etc.
Personally I think if everything had been thoroughly regulated from the start a lot of the innovations we are all benefiting from today wouldn't have happened or would have taken far longer time.
So I am not against regulations, but I can understand why waiting a bit and thinking very carefully before implementing regulation might be smart.
Early car manufacturers in no way almost entirely escaped liability. There were many people killed or injured by the starter crank alone and the law suits to go along with it. It's the single biggest reason that steam cars were around until the advent of the electric starter.
The Ford Model T, "generally regarded as the first affordable automobile" (https://en.wikipedia.org/wiki/Ford_Model_T), over 15 million manufactured, had a hand crank. A '40s era tractor that my family "inherited" when we bought our 25 acres of land had a hand crank.
That said, while hard to use, that tractor's hand crank automatically disconnected well enough once the engine got started. Then again my father, born in the early '30s, grew up using them.
> That said, while hard to use, that tractor's hand crank automatically disconnected well enough once the engine got started. Then again my father, born in the early '30s, grew up using them.
Hell, I was born 30 years later, and they still existed on tractors, fork lifts, and other, assorted engines.
There are a couple 'safety rules' when using a hand crank on a gasoline engine:
1) Always grip the crank with the thumb wrapped below with the fingers. So, all your fingers on ONE side of the crank, instead of four fingers on one side, and the thumb on the other
2) NEVER push the crank down the right side of the rotation.
3) If the hand crank binds when inserted through the starting crank bushing and into the crank ratchet, don't crank start the car. Too much bind will prevent the crank from releasing from the ratchet.
Ah, yes, 1) is a rule for self-loading rifles with reciprocating charging handles, starting in the US I suppose with the '30s M1 Garand. On the off chance the gun will fire while you're manipulating the handle, make sure your thumb is out of the way so at worst your palm will be beat up a bit.
The AR-15/M16/M4 which follows that family (M1 and '50s M14) lacks that "feature", replacing the lost functionality with a separate forward bolt assist. In other major rifles of that general era, the AK-47 etc. and SIG SG 55x and I think it's 510 predecessor reciprocates, this in fact goes back to the original Nazi StG 44 "storm rifle", the FAL and G3 don't.
Samsung is actually in a lawsuit in the EU over this right now. The lawsuit says Samsung should provide at least 2 years of software updates as part of the 2 year mandatory "warranty".
So just to be clear... you want the same entities that are demanding backdoors and key escrows and the like to ultimately be the gatekeepers of security? I can only imagine what a regulatory required update may include for, say, "homeland security" or other reasonable compromise... reasonable in the mind of a regulator or legislator. I can see nothing but a legal framework rife with unintended consequences coming out of the practical implementation of such a suggestion. I wonder how the current Apple controversy would work in such a world (not that there aren't laws that may already apply in that case).
Look, I understand why you would want such a thing and I don't believe that your desire is wrong. However, the method you propose I don't think would work the way you expect in the final analysis.
If you really want to do something in this area: why not work to create a consumer products security organization. Yes, it wouldn't have force of law, but you could certify products which manufacturers could use as a valuable distinguishing characteristic in the marketplace. Yes, all of that requires good marketing, etc. and not everyone would pay attention... but that may be better than the use of government force.
Better add to that list minimum company/market size and target audience exclusions, otherwise nobody will ever innovate again, companies like SparkFun will have to shut down, there'd never be another successful Kickstarter campaign by anybody not a front for an existing company, ...
So basically all your devices just phoning home to make sure they are updated, maybe even updating themselves and crashing/bricking at bad times, and while they are phoning home manufacturers just passing some stats on how you are using their devices.
I completely agree but what happens when some startup produces a product with serious flaws and is then sued out of business before they're able to fix the product. Who's liable for fixing the product then?
IMO the people who lead the corporation that released the product should be held personally liable but I realize that's an unfavorable opinion. Otherwise the government ends up footing the bill, which means WE foot the bill, and we're back to being in an unfair situation.
