Any connected device NEEDS continual updates in order to continue to be secure.
This is particularly true of internet-connected devices, but is also true for IoT devices that only connect to the internet indirectly. Security holes get found; if you can't patch and update devices in the field, then you are leaving your customers unprotected.
> Any connected device NEEDS continual updates in order to continue to be secure.
And I feel that updates are being abused too much by device makers now:
- allows making devices worse, say "optimizing" the UI e.g. to make you spend more time in the parts they (not necessarily the user) want you to see
- allows releasing half-finished games since they can just be updated later anyway
- allows breaking old functionality for whatever reason
- allows the device makers to choose when to do the update rather than the user, say just when you want to start playing a game
It's a shame there's no less invasive way to ensure devices are secure. It sure is convenient for the device makers that the solution to security also gives them continuous control over your device's features and when you can actually use it.
There is security and there is cargo cult. "unprotected" really depends on what the user is using the device for, what the vulnerabilities are, and what's the worst thing someone with total root level access to the device can actually do.
If the device is using a read-only firmware, has a secure boot chain of trust, lives behind a firewall and only makes outgoing connections, the risk is very limited. You can't directly connect to it, so your only option is to tamper with traffic in transit and exploit some buffer overflow in how it parses replies to its requests - that's already a very targeted attack that's really hard to scale, and with an intact secure/trusted boot chain it still means you can't persist so you'd need to redo this every time the device is rebooted.
And finally, assuming you manage to do all the above, what's the payoff? For a "Car Thing", the payoff is quite limited. I guess you can blast obnoxious music at full volume against the user's wishes?
It's not just security, but simple functionality too. Connected devices rely on remote services, by definition. Those services' APIs will change and get deprecated over time. At the very least, you need to keep clients up-to-date to conform to those API changes.
"Your services" aren't entirely yours. Practically speaking, no one builds systems entirely from scratch. A service likely has remote dependencies too, some of which will trickle down to the clients of your service. For Spotify specifically, they rely on SSO providers and third-party payments services; if those APIs change, then the client will likely require updates even though Spotify didn't change anything in their own core functionality.
Doesn't sound like it's an update that bricks them, though the article is a bit confusing on that point. Sounds to me like they broke the API (or just blocked this particular User-Agent).
EU legislation on power chords gave us micro-USB phones, when USB-C could have been a better option, but a real solution would be let consumers decide inputs/outputs.
Micro-USB was legislated years ago when each phone had a different charger plug. Currently the standard is USB-C. I also suspect that the EU only mandates a charging & plug standard but it's up to the industry to choose one.
A regulation requiring companies to "let consumers decide inputs/outputs" would be much more burdensome than merely standardizing one specific connector per ~decade. With the compactness of modern devices, they'd basically have to spin a new board for every connector type a consumer might want. But you're right - it would be kind of neat if I could have Google make me a new Pixel 8 with the bespoke data connector from my old SPH-A580, so I'd finally once again have a use for that cable that's just sitting around in a box. This is what you meant, right?
Regular major and minor chords were unaffected though :)
(I actually started reading this comment as a pun, as in "The EU can regulate music streaming - they already regulated power chords", and that made me smile)
I thought the same thing and was going to reply before I saw your comment. I wonder if there’s a term for typos/mis-spellings that form an unintended word or phrase that still makes sense for that particular context.
This is a fascinating misunderstanding of history. Were you not around when phones all had unique, non-USB charging cables? It was a nightmare trying to charge a phone or device if you forgot your charger.
> but a real solution would be let consumers decide inputs/outputs.
When trillion-dollar companies consider a serial connector to be a proprietary and DRM-enabled apparatus I think the "real solution" is precluded by entirely unnecessary corporate greed.
Have proper standards for how music is transmitted. Have devices support those standards. Have those standards be long-running.