> This is tangential, but I really wish that their would be legislation, valid retroactively, to enable old unsupported devices to still be utilized.
Not at all. This is precisely on point, and directly intersects with the Right to Repair as well. It's about damn time we, as a society, put a stop to black box devices over which we have no ability to inspect, repair, or repurpose after the vendor decides to end support.
I'm trying to think of a situation where this is objectively bad, and I having trouble thinking of areas where this is objectively bad. The best I came up with is purchasing an elevator, which has a key for firemen. I wouldn't really want to just give everybody a copy of that key. But on the other hand, you can buy that key on Amazon for $5. It would maybe help people think about security a bit more if they bought a TSA-approved lock and it came with a TSA key with a little warning that read "Note: this key opens any TSA-approved locks, please only open your own baggage."
One possibility is around DNS. A public/private keypair is basically a lock and a key. If you can't put ANY public keys on my device without giving me the private key, HTTPS is going to be problematic. Software updates become a little scarier as well, since a man-in-the-middle attack becomes MUCH easier to pull off. But perhaps the answer there is, like DNS on a desktop computer, to simply allow the user to edit those local keys. As long as there's a "Yes, I am also cool with installing unsigned software updates," then I don't see a problem.
> I wouldn't really want to just give everybody a copy of that key.
Why would you give the key to everybody? Just give it to the owner... That's what I want. I shouldn't need to hack my own smartphone or have to solder a board to my Xbox to run my own code on it.
The reason Apple doesn't do this is because users will get deceived into providing those keys to malicious entities which will compromise their devices and everything on them in exchange for the promise of free games, or free in-game currency, or whatever.
Thinking about situations [...]
> where this is objectively bad
Thinking here about a smartphone. Note that I'm explaining the current state of things, I am *not* excusing the state of things.
Directly for end-users, generally no real scenario where it's bad as long as they can enroll their own keys in a safe fashion preventing evil-maid type attacks.
Tangentially for end-users, locked devices are easier to make worthless for thieves. FRP on Android, or whatever Apple does, when it's locked to a user account even when reset. This is one thing that would become harder to implement when the root of trust can be manipulated on the device.
Then there's supply chain integrity for OEMs. This is the reason some android vendors only allow unlocking when attached to an online account after a delay (e.g. xiaomi). Some unscrupulous vendors would open the box, replace the system image with a malware-ridden system image, and sell those to end-users.
Finally, there's somewhat a case for DRM and similar uses. The current implementations are built on the current "security" model, where it's security for the businesses first, then security for end-users last.
Still, I agree wholeheartedly that users should be in control of the root of trust, in a way that does not reduce their abilities to use their owned devices. Add to that that standards-based boot should be used. All the time. All devices.
They're absolutely related. In fact, a lot of discussions around the Right to Repair specifically center on the issue of e-waste. For example, you'll find that all over Framework's website. From https://frame.work/ca/en/about :
> Consumer electronics is broken. We’ve all had the experience of a busted screen, button, or connector that can’t be fixed, battery life degrading without a path for replacement, or being unable to add more storage when full. Individually, this is irritating and requires us to make unnecessary and expensive purchases of new products to get around what should be easy problems to solve. Globally though, it’s much worse. We create over fifty million tons of e-waste each year. That’s 6 kg or 13 lb per person on earth per year, made up of our former devices. We need to improve recyclability, but the biggest impact we can make is generating less waste to begin with by making our products last longer.
Certainly, for myself, the right to repair is very much about ending the cycle of disposable products so we can create a more sustainable future.
Not at all. This is precisely on point, and directly intersects with the Right to Repair as well. It's about damn time we, as a society, put a stop to black box devices over which we have no ability to inspect, repair, or repurpose after the vendor decides to end support.