entwine413

joined 2 months ago
[–] entwine413@lemm.ee 2 points 3 weeks ago

You guessed correctly. I was a senior SecOps engineer for a federal contractor before DOGE decided that my company increasing government efficiency by 900% was a bad thing.

[–] entwine413@lemm.ee 0 points 3 weeks ago* (last edited 3 weeks ago) (2 children)

I disagree that it breaks the trust. No one buys a computer and expects software updates 20 years later. Of course you can make the case with Linux, but that's a general purpose OS and requires knowledge beyond that of a typical consumer. A more apt analogy would be to expect Microsoft to still provide updates for Windows 98.

If you're going to support legacy hardware indefinitely, or even for decades, you're going to have to continuously add developers, and developers for legacy code are super expensive. Sure, COBOL still works fine, but you have to pay someone $250k a year to maintain it.

If the public expects their smart devices to be supported for 20 years, then their expectations need to be broken. Hardware, cyber security, and resource utilization will continue to rapidly evolve, and old equipment literally won't be able to keep up.

Hell, most of the smart devices out there have critical vulnerabilities. The ESP32 stack has been found to have hidden commands whose attack vector isn't fully understood. Literally every smart device on the market should have been EoL'd months ago, and I can only imagine what holes tech from 2014 has.

The people downvoting me to hell just don't understand how fucking dangerous the Internet is, and how much effort is required to protect an infrastructure. People like me bust our asses to keep shit like this safe, but there's a limit to what we can reasonably be expected to do. We're already really fucking overworked.

Of course, I would prefer that it be codified into law that companies need to allow the ability to manually flash a firmware before marking something EoL. Block it from your servers, but let volunteers maintain the hardware for as long as possible.

[–] entwine413@lemm.ee -1 points 3 weeks ago* (last edited 3 weeks ago)

It's an Internet connected computer that has a temperature sensor and relays. Computers run operating systems, and those operating systems require constant updates to patch vulnerabilities. When those updates stop, the clock starts ticking on when they'll become attack vectors. You don't allow attack vectors to access your servers.

The only thing being taken offline is access to their servers (which is a plus for me). The thermostats still function as thermostats.

So no, it's not a fucking thermostat. If you want one that'll last 50 years, go buy an old mercury thermostat or one that relies on other laws of physics instead of literal computers. Everything has an expected lifespan.

Honest to God, I could have sworn I remembered Google bricking these same devices like 10 years ago, which is why I find it weird that anyone cares about Nest products. I built my own smart thermostat (super easy, you just need homeassistant, an ESP32 or pi pico, a 4x relay board, and a sht-3x sensor (plus 18vac to 3.3vdc or 5vdc converter to power everything)). The hardest part is an enclosure, but I guarantee there's a nerd like me in your city that would design you one for fun (literally, building custom smart devices is what I do for fun).

[–] entwine413@lemm.ee 0 points 3 weeks ago

Building and programming smart devices is my hobby, and cyber security is my career. So I do actually know what I'm talking about.

Yeah, it sucks when a device reaches EoL, but it can definitely be for legitimate reasons.

[–] entwine413@lemm.ee 0 points 3 weeks ago

TP-link does. My Kasa devices work completely locally.

Also, you can get (certain) dirt cheap Tuya-based devices and flash Tasmota on them. ESPHome is also a possibility.

I build most of my own smart devices, though.

[–] entwine413@lemm.ee 2 points 3 weeks ago (4 children)

Because in cyber security minimizing your attack surface is a big deal. The server is hardened against the public Internet, but it has to allow devices to connect to it. If those devices have been compromised, they can compromise your whole infrastructure, especially if it's from a device that hasn't had any vulnerabilities patched because it was end-of-lifed.

And there can be legitimate reasons to EoL a product. Certain pieces of hardware could have unpatchable vulnerabilities, or an older security standard, or an encryption algorithm might be compromised and the hardware literally can't run the new ciphers.

The thermostats still work as thermostats, you just can't connect to their servers to control them remotely.

[–] entwine413@lemm.ee 0 points 3 weeks ago

I agree. Not being able to connect to their cloud service would be an upgrade in my book.

[–] entwine413@lemm.ee -2 points 3 weeks ago (2 children)

No, I just understand smart devices and cyber security.

[–] entwine413@lemm.ee 6 points 3 weeks ago (1 children)

Even if it's made in the US, many of the raw materials aren't, so the tariffs don't even help US businesses.

[–] entwine413@lemm.ee -3 points 3 weeks ago

You're not being forced to replace anything. The thermostats still operate as thermostats. You just can't use their cloud service.

[–] entwine413@lemm.ee -2 points 3 weeks ago* (last edited 3 weeks ago)

Because you have to pay developers to maintain it. Developers are expensive. At some point it doesn't make sense to keep doing that, so products are end-of-lifed.

You're more than welcome to attempt to flash a custom firmware on it, though. I'm sure there are devs working on it.

Also, that 20 year old computer is running a general purpose OS that is designed to work on just about any system. The OS on a smart device, especially one from 2014, is heavily customized.

[–] entwine413@lemm.ee 0 points 3 weeks ago (3 children)

Working as well and being secure are two different things. Smart devices are computers that connect to the Internet, and devices that no longer receive security updates are attack vectors.

From a SecOps standpoint, it's perfectly reasonable to block such devices from hitting your servers.

These thermostats still work as thermostats, you just can't use the cloud service.
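The two comments above argue that a server which must admit fleet devices should still refuse the ones it can no longer trust: end-of-lifed models, firmware below the last patched build, and hardware that can only offer retired cipher suites. The following is an added illustration of such an admission policy at a cloud API edge; it is not code from this thread, from Nest, or from any vendor. The model names, EoL dates, firmware floors, cipher list and device records are all constructed sample data, and the `DeviceHello` record, `admit` and `triage` are hypothetical names chosen here.

```python
"""Admission policy for IoT devices connecting to a cloud API edge.

Added illustration, not code from the thread or any vendor. All tables and
device records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date

# Constructed: models the vendor has stopped patching, with the date support ended.
EOL_MODELS = {
    "thermo-gen1": date(2016, 1, 1),
    "thermo-gen2": date(2024, 3, 1),
}

# Constructed: oldest firmware build per model that still carries all security fixes.
MIN_FIRMWARE = {
    "thermo-gen2": (1, 4, 2),
    "thermo-gen3": (5, 9, 0),
    "thermo-gen4": (2, 1, 0),
}

# Constructed: the only cipher suites the edge is willing to negotiate (TLS 1.3 names).
ACCEPTED_CIPHERS = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}


@dataclass(frozen=True)
class DeviceHello:
    """What the edge learns about a device before letting it reach the API (hypothetical)."""
    device_id: str
    model: str
    firmware: str      # "major.minor.patch" as reported by the device
    ciphers: tuple     # suites the device offered in its TLS ClientHello


def parse_version(text):
    """Turn '5.9.0' into (5, 9, 0); reject anything that is not three integers."""
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware string {text!r}")
    return tuple(int(p) for p in parts)


def admit(hello, today=None):
    """Decide whether one device may connect. Returns (allowed, reason).

    Order matters: an EoL model is refused before its firmware is even looked at,
    because no build of it will ever receive another fix.
    """
    today = today or date.today()
    eol = EOL_MODELS.get(hello.model)
    if eol is not None and today >= eol:
        return False, f"model {hello.model} end-of-lifed on {eol.isoformat()}"
    floor = MIN_FIRMWARE.get(hello.model)
    if floor is None:
        return False, f"unknown model {hello.model}"
    try:
        fw = parse_version(hello.firmware)
    except ValueError as exc:
        return False, str(exc)
    if fw < floor:
        return False, f"firmware {hello.firmware} below patched floor {'.'.join(map(str, floor))}"
    if not ACCEPTED_CIPHERS.intersection(hello.ciphers):
        return False, "device offers no accepted cipher suite"
    return True, "ok"


def triage(hellos, today=None):
    """Apply the policy to a batch; the dict is what an edge would log or export as metrics."""
    return {h.device_id: admit(h, today) for h in hellos}


# Constructed sample fleet: one device per failure mode plus two healthy ones.
SAMPLE_FLEET = [
    DeviceHello("d-001", "thermo-gen1", "3.0.1", ("TLS_AES_128_GCM_SHA256",)),
    DeviceHello("d-002", "thermo-gen2", "1.4.2", ("TLS_AES_128_GCM_SHA256",)),
    DeviceHello("d-003", "thermo-gen3", "5.8.9", ("TLS_AES_256_GCM_SHA384",)),
    DeviceHello("d-004", "thermo-gen3", "5.9.0", ("TLS_RSA_WITH_RC4_128_SHA",)),
    DeviceHello("d-005", "thermo-gen4", "2.1.3", ("TLS_CHACHA20_POLY1305_SHA256",)),
    DeviceHello("d-006", "thermo-gen4", "latest", ("TLS_AES_128_GCM_SHA256",)),
]

if __name__ == "__main__":
    for device_id, (allowed, reason) in triage(SAMPLE_FLEET, today=date(2025, 1, 15)).items():
        print(f"{device_id}: {'ADMIT' if allowed else 'REFUSE'} ({reason})")
```

Running the script with a fixed `today` shows the "clock starts ticking" effect directly: `d-002` is admitted when evaluated before its model's EoL date and refused after it, with nothing about the device itself having changed. The policy never trusts the device's self-reported firmware string beyond parsing it, which is why a malformed value is a refusal rather than a pass.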
