When you buy a cloud-connected appliance, how long should the vendor support it for with software updates? That’s the question that home audio company Sonos raised this week when it dropped some unwelcome news on its customers.
The company has announced that it will discontinue software updates for older products in May this year (here’s a list of products that it marks as legacy). Stopping software updates for legacy kit is nothing new, but it’s the way the company has done it that has Sonos customers’ hackles up.
Sonos points out that it supports software updates on products for at least five years after it stops selling them. However, the issue here is that all products in a Sonos network must run on the same software, meaning that any newer (‘non-legacy’) equipment connected to the speakers will also stop downloading new software updates. The only way around this for Sonos users is to disconnect their new equipment from their legacy kit and run them independently of each other.
From Sonos’s email to customers:
Please note that because Sonos is a system, all products operate on the same software. If modern products remain connected to legacy products after May, they also will not receive software updates and new features.
This carries service implications for users, because while products will continue working without software updates, it doesn’t mean that they will work as well. Sonos explains that as third-party connected cloud partners change their own services, they may become incompatible with the legacy software.
This isn’t just a product service issue; it’s a cybersecurity problem. Any cloud-connected device is a potential attack target, and researchers keep finding new vulnerabilities in shipped firmware. A device that no longer receives updates keeps every flaw found after its cut-off date for the rest of its life. Ugo Vallauri is co-founder and policy lead of the Restart Project, a European organisation that promotes user repair of consumer electronics in a bid to cut down on e-waste. He told us:
A big issue is the lack of separation between security updates and software updates. While we can’t expect a product’s software to be improved indefinitely, security updates should be ensured for as long as possible. In this case, Sonos is not even mentioning security updates when suggesting that “legacy” products could continue to be used.
When we asked Sonos about this, it replied:
We take our customers’ security seriously and will work to maintain the existing experience and conduct critical bug fixes where the computing hardware will allow.
So perhaps there’s hope, but there’s no official policy that tells you exactly what to expect in terms of security fixes, or for how long.
Contrast that with computer software companies like Microsoft. It also ceases support for its products (a concept known as end of life, or EOL). However, it lets customers know years in advance, rather than giving them four months’ notice, as Sonos has done. It offers security updates for an extended period after feature development stops and allows customers to buy extended support after that. And an EOL Microsoft product connected to the same network doesn’t affect software support for non-EOL products.
Sonos customers are furious. On the company’s forum, one, named Stueys, said:
Just received the legacy email that tells me that half my 10 unit system will be obsolete from May. So it appears that I can either pile more money into Sonos, accept that my modern equipment (less than 2 years old) will no longer be updated because I have the audacity of being a long term customer or go somewhere else.
So how long should companies maintain software support for their products?
Gay Gordon-Byrne is executive director of the Repair Association, a US non-profit that advocates for people’s right to repair their products. She told us:
There are ZERO support obligations in the US. There are no requirements that any product be updated for any reason other than for “Defect Support”. Even fixing known defects is voluntary until/unless there is a mandatory recall or other banishment, such as when the Samsung Galaxy 7 phones were so prone to battery fires that they were prohibited on planes.
We asked Sonos why it couldn’t have introduced a software feature that would enable newer products to maintain backwards compatibility with older products. After all, games console vendors engineer entire operating systems to be backwards-compatible with old games, which is a much tougher task. We’ll update this article when the company responds.
Stueys asked Sonos:
So I can make an informed decision Sonos must now publish the support windows for all products currently available. At least try to recover some credibility.
We put this to Sonos, and it restated that it will support products with regular software updates for at least five years after it stops selling them.
Sonos explains that if customers don’t want to keep their old legacy kit, they can trade up. This program, announced in October 2019, gives customers a 30% credit for each legacy product they replace.
There’s a catch, though: to take advantage of the trade-in deal they have to activate ‘recycle mode’, which is effectively a kill switch for legacy equipment. Activating this mode deliberately bricks the Sonos device after 21 days, with no chance of recovery. It’s designed to stop legacy kit from reaching second-hand customers and degrading their experience, Sonos told The Verge.
All this leads to a bigger question: do you really own your equipment when it’s connected to a cloud service? Companies have trampled over user rights in the past, such as when Nest bought Revolv, maker of an IoT home hub, and then bricked all the devices in the field. It’s an ongoing problem and we document other examples.
Increasingly, products are rendered useless via software before they are physically obsolete. We first experienced this with mobiles and tablets, but we will experience this with many of the products we buy. This is totally unacceptable, given their cost to consumers and their environmental cost.
A new internal policy at the FBI will ensure “timely federal notification” to state and local election officials when a cyber intrusion affects election infrastructure, the bureau said.

“Understanding that mitigation of such incidents often hinges on timely notification, the FBI has established a new internal policy outlining how the FBI will notify state and local officials responsible for administering election infrastructure of cyber activity targeting their infrastructure,” the FBI said in a release, noting that “each state has a designated person to serve as its chief state election official with ultimate authority over elections held” in that state, often including the certification of election results.
“All of this is welcome news, but it is not enough. I will continue to push for federal officials to provide more information to the voting public when foreign powers interfere with our democracy,” Rep. Stephanie Murphy, D-Fla., said in a statement. “Our citizens will then be in a position to check their voter registration data to confirm it wasn’t tampered with and to hold accountable state and local officials who fail to protect election infrastructure.”
Source: National Cyber Security – Produced By Gregory Evans We are excited to welcome 2020 with the release of Tufin Orchestration Suite 19-3 with new features and enhancements, including greater support for our customers’ Software-Defined Networking (SDN) initiatives, whether they have implemented Cisco Application Centric Infrastructure (ACI) or VMware NSX-T (NSX Transformer). Tufin 19-3 also provides new automation […]
View full post on AmIHackerProof.com
Lawmakers locked in a nine-month fight with the White House over access to a classified 2018 directive on offensive cyber operations, known as National Security Presidential Memorandum 13, prevailed with the defense spending bill being signed by President Trump on Friday. “Even if you support the […]
As with international terrorism and protection of the environment, cooperation is a prerequisite for dealing with cyberthreats, given their borderless nature. India’s National Cyber Security Policy (2013) did not assign much weight to this aspect and defined no measurable outcomes against which progress could be judged. With its upcoming National Cybersecurity Policy (2020-2025), India has the opportunity to align its domestic policy with its global aspirations.
Warfare in Cyberspace Is Unique
Cyberspace is an amalgamation of the virtual with the physical. Actions in the virtual realm can affect the physical domain. With low barriers to entry, cyberspace provides attractive options for launching attacks and allows actors to achieve strategic outcomes both within and outside the information domain. From crippling critical infrastructure to designing a targeted misinformation campaign that can influence democratic processes, the spectrum of outcomes that cyberattacks can achieve is broad. The Stuxnet malware, widely attributed to a U.S.-Israel joint operation against Iran’s nuclear enrichment plant at Natanz, displayed the capabilities of a highly sophisticated and targeted cyber-offensive operation. Operations against Ukraine’s power grid in 2015, misinformation campaigns targeting the 2016 U.S. presidential election, and the WannaCry and NotPetya outbreaks in 2017 all showed the potential for real-world impact and collateral damage.
Two features distinguish these attacks from conventional ones. First, cyberattacks are hardly predictable: accurately forecasting an incoming attack is at present not possible. Second, as long as the attacker retains plausible deniability, attribution is hard. As such, warfare in cyberspace poses a unique challenge to national security, and the lack of rules to govern it intensifies that challenge.
Security in Cyberspace
The United Nations Charter, the Laws of Armed Conflict (LOAC), and other regional arrangements provide a general overarching framework for governments to manage problems of security across all domains. Cyberspace differs from conventional domains of warfare because it functions as both a battlefield and a weapon. It is therefore risky to assume that existing rules of conflict can be extended to cyberspace as well.
American political scientist Joseph Nye has discussed the absence of coherence among existing norms that govern cyberspace. Existing practices are based on agreements between private players (largely multinational corporations) with only a mild degree of enforceability. Since providing security is a critical function of government and it is most susceptible to attacks, only governments are properly incentivized to set the rules. Numerous track two groups and various private conferences and commissions continue to work on the development of norms. Successive UN-GGEs (Governmental Groups of Experts) have developed a consensus that the UN Charter and international law apply to cyberspace. But cyberspace is changing faster than countries can legislate internally and negotiate externally.
There is no denying that all security efforts need to be collaborative. But as with international terrorism and environmental protection, effective norms and rules can only be set if all stakeholders consensually arrive at what the rules should be. Currently there are two camps on the global stage: a Sino-Russian camp and a rival one comprising the United States, Western Europe, Japan, Australia, and New Zealand. The former espouses the supremacy of national sovereignty in the governance of domestic cyberspace, risk of destabilization by the application of existing international humanitarian law to cyberspace, and the need for new, binding international agreements. The latter advocates for a free and open internet as well as the full applicability of international law (including the right to self-defense, use of countermeasures) to cyberspace. Resolutions sponsoring the formation of the Russia-backed Open Ended Working Group (OEWG) and the UN-GGE 2019-21 were both passed in the United Nations General Assembly in 2018. The UN now has two parallel tracks working toward the establishment of norms in cyberspace. The OEWG is open to all member states and will hold consultations with stakeholders across members, NGOs, and private industry while the UN-GGE is comprised of 25 member states with consultation typically limited to regional organizations. The prevailing atmosphere of mistrust portends further deterioration rather than improvement. This variance between great powers has weighed heavily on international discussion on norms while cyberattacks continue to happen, quietly.
There is some scope for optimism yet. At a panel at the recently concluded Internet Governance Forum in Berlin, the Global Commission on the Stability of Cyberspace (GCSC) proposed eight norms, including protection of the public core of the internet and of infrastructure essential to elections, referenda, and plebiscites. This was followed by informal consultations at both the OEWG and UN-GGE in early December. Through the Paris Tech Accords, Digital Geneva Convention, and Charter of Trust, private companies have also sought to play a more active role in shaping norms, which is significant as they operate a large portion of the public internet.
There is no single approach that captures India’s engagement with multilateral institutions. Its rule-taker instinct is evident from India’s support for the United Nations’ peacekeeping operations. Contrary to this is the rule-breaker approach, evident from India’s endeavor to be recognized as a nuclear weapon state while challenging the norms established by the Nonproliferation Treaty. The expectation that India will be a rule-maker all by itself is unrealistic. In today’s multipolar world, no single country, let alone India, can become the sole rule-maker. A more achievable goal for India would be to play the role of a rule-shaper, an active voice among rising powers. This goal finds its strength in India’s economic prowess and its diplomatic experience in working with alliances.
India’s success in shaping the international narrative on climate change has already proven its ability as a rule-shaper. With its upcoming National Cybersecurity Policy (2020-2025), India must look to articulate and justify its position on the applicability of international law to cyberspace. It should bring its domestic policy in line with its global aspirations. Given the importance of private companies in this exercise, it must also consider creating an office of a tech ambassador that will present its position consistently. This level of transparency can serve as an important confidence-building measure as it engages across multiple stakeholders and fora to shape future norms.
Prateek Waghre and Shibani Mehta are Research Analysts at The Takshashila Institution, an independent center for research and education in public policy.
Google has announced plans to restrict political advertising on its platforms ahead of the UK General Election and next year’s US Presidential election, in a move which will further turn the heat up on Facebook.
Although the web giant claimed that it never allows controversial micro-targeting of election ads, it announced a further clarification of its policy on Wednesday to limit election ad targeting to “age, gender, and general location.”
It’s also explicitly banning deep fake content, misleading claims about the election process, and “ads or destinations making demonstrably false claims that could significantly undermine participation or trust in an electoral or democratic process.”
“Whether you’re running for office or selling office furniture, we apply the same ads policies to everyone; there are no carve-outs,” argued Google Ads VP of product management, Scott Spencer.
“It’s against our policies for any advertiser to make a false claim — whether it’s a claim about the price of a chair or a claim that you can vote by text message, that election day is postponed, or that a candidate has died.”
That appears to put more distance between Google and Facebook, whose stance is that tech firms should not be the arbiters of what politicians can and can’t say — despite it having strict rules on false advertising elsewhere on its platform.
This position has invited heavy criticism from various quarters as tantamount to allowing politicians to lie — especially after Facebook rejected a request from Presidential hopeful Joe Biden to remove a Trump campaign ad containing misinformation about the former vice president.
“Of course, we recognize that robust political dialogue is an important part of democracy, and no one can sensibly adjudicate every political claim, counterclaim, and insinuation,” Spencer continued.
“So we expect that the number of political ads on which we take action will be very limited — but we will continue to do so for clear violations.”
Twitter has already announced a ban on virtually all political advertising, which will begin today.
The UK Electoral Commission, Information Commissioner’s Office (ICO) and the cross-party DCMS Select Committee have called for urgent legislation to regulate the “wild west” of political advertising, fearing that outside forces could sway elections and that secret micro-targeting of voters undermines the legitimacy of results.
Google has previously blocked political ads two weeks before polling in the Irish referendum and during the entirety of the recent Israeli and Canadian election periods.
The Indian e-commerce industry is expected to grow to $200 billion by 2026. The National e-commerce policy earlier had a deadline of being introduced by the end of 2019. A recently released consumer protection draft is waiting for comments from leaders. The draft e-commerce policy spelt trouble for […]
There are concerns the Australian Taxation Office (ATO) has more work to do on cyber security standards, with Commissioner of Taxation Chris Jordan telling Senate estimates last night that sustained outages at the tax office may have slowed down plans for security policies.
On Wednesday a joint committee report into cybersecurity compliance in government departments highlighted the committee “is most concerned that the audit found that the ATO and [Department of Immigration and Border Protection] are still not compliant with the mandatory ‘Top Four’ mitigation strategies”.
The mitigation strategies, which are the top four of the eight “essential” controls recommended by the Australian Signals Directorate for warding off cyber security threats, are application whitelisting, patching applications, patching operating systems (and keeping them on current versions), and restricting administrative privileges.
The ATO told the committee it would take until November to become compliant with the practices, but in a Senate estimates hearing on Wednesday evening Commissioner of Taxation Chris Jordan told the room there was a reason for the delay in the plan for cyber security: the sustained system outages that hit the office from December last year.
Jordan told Labor Senator Jenny McAllister the December outage “slowed down” progress on cyber security compliance.
The tax office has undertaken a comprehensive review of systems stability after system knockouts started playing havoc with clients after an initial major outage on December 11, 2016.
PricewaterhouseCoopers was engaged to conduct an external audit of ATO systems, which identified 14 key areas for improvement to ensure systems stability at the tax office for the long term. However, the focus of this was on how the ATO’s various portal systems interacted, rather than on cyber security priorities.
The accounting sector has previously told SmartCompany cyber security planning is not the only thing to be slowed down by the December outage. Finance professionals were expecting overhauls to a range of tax office portal systems in the near future, but the Institute of Public Accountants says these have been put on hold.
“Priority one, two and three is just maintaining a stable system. All of the system upgrades and moving to better platforms are all on hold,” the IPA’s general manager of technical policy Tony Greco told SmartCompany in June.
“The existing systems aren’t perfect, and we’re having to wait longer for new ones.”
According to the joint committee report, if all Commonwealth entities complied with the four most important strategies, at least 85% of targeted cyber intrusions could be prevented.
Overall, the committee noted that evidence provided about cyber security policies at government departments “from both submitters and witnesses [suggest] that compliance with the Top Four mitigation strategies is a minimum standard and does not necessarily equate to cyber resilience”.
In 2013, the government mandated the top four strategies for fighting cyber attacks and put a timeline in place to have all departments on board by June of 2014.
SmartCompany contacted the ATO for comment but did not receive a response prior to publication.
DESCRIPTION: Conducts research, analysis, development, and coordination of strategy, policy, and doctrine for cyberspace operations at the national, DOD, Service, and Command level. Provides technical expertise on executive-level projects; analyzes, assesses, and develops future strategies, policies, and doctrines governing cyberspace operations. Supports interagency and coalition policy […]
President Trump was the driver of a “change” election in 2016, but after four months in office it remains unclear what kind of change he wants to bring to the cybersecurity policy space. The Trump administration has killed Obama-era cybersecurity regulations in the telecommunications sector, but […]