Hopefully this flushes out the elephant in the room of the irresponsibility of manufacturers selling devices like this and then leaving the software unpatched / unupdated within a year or two of selling it.
Unfortunately this needs to become regulated. Either commit to "lifetime" updates (at least 10 years) or be forced to put a massive warning on the label advising the secure period for which the product can be used. Just like food has expiry dates, so too do these devices need them.
They are still pushing security patches for iOS 12, which is older than 5 years. I doubt there are many iPhone 4S users left at all since most apps won't work.
> Does it come with any guarantees of lifetime for those patches though?
This guarantee is called "consumer law". The requirement of a patch means that the product you paid for was broken. So yes, they absolutely have a legal requirement to fix that (or refund your purchase), and compensate for any damages that their broken product caused you.
Not that this is enforced particularly often, but given Apple's ubiquity and active hostility towards users that would want to patch vulnerabilities themselves, they specifically would get in a lot of hot water if they didn't provide patches for a device's lifetime.
But lifetime is evidently not as long as the device lasts, as we see with Microsoft. Plenty of XP machines are still alive out there and they have long been out of support. So while Apple does provide a lot of support for older devices seemingly, how much are they legally/contractually required to provide currently?
> But lifetime is evidently not as long as the device lasts, as we see with Microsoft. Plenty of XP machines are still alive out there and they have long been out of support.
This will vary from jurisdiction to jurisdiction, but where I live, "lifetime" is defined as the period of time in which a product is reasonably expected to last.
Talking about "XP machines" is a bit weird, because you're really talking about two different products there. You can very easily install whatever OS you want on there, so it's not an "XP machine", it's a machine and then a copy of XP.
In that specific case, the expected lifespan of a desktop computer is probably on the order of a decade. Maybe you'll have to replace a component or two (particularly HDD) before then, but you wouldn't expect to need serious repair work prior to that. But also, you wouldn't feel cheated if it died after 11 years.
The lifetime of the Operating System is another matter entirely. It's probably reasonable to make the case that the OS's lifetime is infinite, given that software doesn't degrade in the same way physical components do - if a non-networked program is broken in 2021 it was broken in 2001 as well (assuming you're running the same functional hardware, which isn't Microsoft's problem). It's also totally reasonable to make the case that the OS's expected lifetime is similar to the lifetime of the hardware it's going to be installed on, and I think this is probably the stronger case.
But whichever of those you side with, it doesn't really matter. If you buy a washing machine and it breaks after 2 years, you're entitled to either a full refund, or a replacement. If you opt for a replacement, the company doesn't have to send you the exact same model of washing machine, just something that's equivalent. Similarly, if there's a bug in Windows XP that renders it broken (e.g., a critical vulnerability that makes it impossible to enable network connectivity without getting your machine compromised), then Microsoft can just go "here's a copy of Windows 10, go buck wild". Even if you operate under the idea that software does not have a lifetime, Microsoft are still providing updates for what is fundamentally the same product (Windows). That it's not specifically Windows XP isn't really a problem in terms of their legal responsibilities.
Now, could you call Microsoft up right now and finagle yourself a free copy of Windows 10 just because there's some unpatched vulnerability in Windows XP? I'm not sure, but I reckon there's a chance they'd do it just to get you off their backs. It's not like there aren't millions of pirated copies out there anyway.
> how much [support] are [Apple] legally/contractually required to provide currently?
The expected lifetime of a phone is lower than that of a desktop computer (for many reasons), so I'd say around 5-6 years per device. The software/hardware distinction mentioned above doesn't really exist for devices that Apple sells seeing as they actively try to stop you from installing any software that they don't explicitly approve of, so that would cover both hardware defects and software defects.
At an absolute minimum it would be 3 years, as if Apple tried to argue otherwise you could very easily point to things like their environmental impact reports that assume a lifespan of 3 years per device (and even describe this as "conservative"!).
That said, as far as I'm aware Apple typically goes above and beyond their legal support requirements for software on their devices. They did get sued where I live over warranty periods (they were claiming that customers needed to pay extra to get warranty for more than 12 months, which is absolutely false), but that was in relation to hardware.
> If you buy a washing machine [here] and it breaks after 2 years, you're entitled to either a full refund, or a replacement.
This really stood out to me. If I bought a washer here in the US and it broke after two years, I expect I’d be on my own.
I’d be frustrated, of course, but I’d either fix or replace it and go on, probably not buying from that brand again. (Although, buying another brand could still get me the same internal parts and defects nowadays.)
I find it fascinating that I’m not at all upset by this situation. I’m guessing that I conclude it happens rarely enough that I’d rather bear the risk over pushing that risk back into a bundled insurance product with every purchase. I don’t feel like an insurance fight and waiting for a service call while I have a pile of wet laundry and another of dirty. (But maybe I’m suffering Stockholm Syndrome here.)
> This really stood out to me. If I bought a washer here in the US and it broke after two years, I expect I’d be on my own.
You probably would be. The US has by far the weakest consumer law of any Western country. Possibly the most egregious example of this is that businesses can advertise something as costing $5, you walk into the store with a crisp $5 bill to purchase it, and then get told that you don't have enough money.
Whenever this is mentioned online there's typically a flood of people who live in America commenting on how that's totally normal and "there's nothing they can do dude", completely oblivious to how absolutely mental that idea is to the rest of the planet. So I think your idea of it just being a case of growing up in a system without consumer protections making it seem normal is correct.
> I don’t feel like an insurance fight and waiting for a service call while I have a pile of wet laundry and another of dirty.
Ah, but here you've missed the trick! Yes, if your product broke and you needed to get a completely new one and/or a full refund, that's a pain in the arse. But it's an even bigger pain in the arse for the business, who functionally just lost the entire value of the product. They're incentivised to prevent that from happening.
The effect of this law isn't actually to give you an option if a product is broken (although it does that as well), the purpose of it is to make manufacturers stop selling broken products. Because they know that you can get a full refund for years after the point of sale, they make damn-well sure that the product lasts that long.
There's no need to do that. They could render the internet connectivity part inert during the last patch when they don't want to maintain it anymore. Make it LAN-only. If the firmware is locked, unlock it so people can run their own stack.
I hope it doesn't just translate into subscriptions but also manufacturers thinking hard about the security footprint of these devices in the first place. Stop making these things so promiscuous in terms of their functionality and ship a minimalist hardened kernel, possibly even externalise it to a 3rd party for patches / updates. We may even get some open standards and protocols support out of it as an upside (since it will be so much more expensive to build custom proprietary crap if it means you have to support it yourself).
I think if long-term support is your thing, ownership doesn't really make sense for anything. Ownership is always going to come with a certain level of do-it-yourself.
I find it funny that we simultaneously work in places that understand that software requires constant maintenance and charge customers a recurring fee for it while being gobsmacked that we have to pay indefinitely for the same.
You go on-prem for the same reason your work does: because the software licensing plus the amortized cost of hardware is less than the subscription.
I'm surprised, since data storage, transfer, and compute are the things that you can absolutely beat every cloud provider on in terms of price. That's why we keep our storage in our own DC.
There is no reason. It's even hard to justify non-IoT drives when you consider having to buy drives for backups and maintain those backups. The cloud options just come out as really good value.
I keep hard drives around for data I don't care about like games and movies but my personal data like photos is all in the cloud and it costs me next to nothing to store it.
This was an issue caused by a negligent company failing to keep their devices secure. For me the solution to this is not just to rely on another potentially-also-negligent company. In my opinion on-prem+off-prem, or multiple off-prem solutions are necessary for anything of actual value.
I think we need to lean into the environmental angle to have a chance of addressing this in a better way. Frame this legislation as anti e-waste. Any computer device with an expiration date shorter than 10 years gets a 500% tax, or something like that. I'm just spitballing here but it seems like a surmountable problem to me.