Ignore for the moment the whole customer satisfaction / company PR aspect of the story. I'm just going to dig into the technology and explain WHY this is happening.
The company first said: "On March 16th, 2018, Logitech will discontinue service and support for Harmony Link. Your Harmony Link will no longer function after this date"
People think this means they're bricking it, and that's kind of true... but they're bricking it *passively*, not *actively*. Read on to understand why.
A rep later explained: "There is a technology certificate license that will expire next March. The certificate will not be renewed as we are focusing resources on our current app-based remote, the Harmony Hub."
This is an incompetent translation of what an internal engineer told some externally-facing rep or manager.
By "technology certificate license" they almost certainly mean *an SSL certificate*. That's all. Nothing fancy. Just an SSL cert.
Most recently, the company put out an official response, where they're addressing the PR nightmare by giving everyone the new product for free.
It included this explanation:
So here you see "technology license certificate" has been replaced by "encryption certificate", i.e. an SSL cert.
So why is it going to stop working when the cert expires?
Because this device phones home from time to time, probably at least every time it boots, probably to download its configuration from Logitech.
You see, one of the features of the Harmony series is that you configure *your* device using *Logitech's* website. It stores your device's config there and the device downloads it.
This download is over HTTPS, secured with a certificate. If the certificate is not valid, the download is aborted. What happens next I'm not sure of - probably the device simply continues to use its previous configuration.
... but it's possible it will fail to operate at all. Not sure.
But at any rate, when the cert expires next March, all these devices will at the very least become unable to be reconfigured (almost certainly), and at worst will actually stop working entirely (less likely).
Okay, so, why can't Logitech just renew the cert?
Well, they can. But guess what? THE CERT IS USING SHA-1
(I don't know this for sure, but this is my VERY strong hunch, because reasons)
SHA-1 certs are difficult to renew these days. There's basically only one company that will still issue them any more.
Well, fine, so why don't they just do that?
Two possible reasons:
Number one: like they said in their FAQ: "we would be acting irresponsibly by continuing the service knowing its potential/future vulnerability"
i.e. someone told them that using SHA-1 would be insecure and irresponsible.
This is crap, but it's crap that everyone believes these days. But never mind that.
Number two - it is entirely conceivable that the trusted roots which are hard-coded into the device firmware do not include the one trusted root still willing to issue SHA-1 certificates.
Reason numbers three through infinity have to do with business decisions about not wanting to support old products any more.
The people who developed it originally have all quit or been fired, the code base is ugly, the infrastructure for configuring the devices over the web and deploying the configurations is unstable and keeps breaking, etc etc etc.
In this scenario, this conversation happened:
"Hey, we need to renew the cert again. Remember, it has to be SHA-1."
"Ugh, what a pain."
"I hate this whole product line. Can't we just retire it?"
"... sure. Let's do it when the cert expires."
"We still have customers using the product."
"Not that many of them. And it's not like they're paying us, it's a free service. And they've already gotten a bunch of years out of it, and it's only a one-year warranty in the first place."
"Okay. Let's do it."
I GUARANTEE that conversation happened.
Okay, so if it's breaking because the SSL cert is expiring, and the cert isn't getting renewed because it's a SHA-1 cert...
Why not just get a SHA-256 cert instead?
Because the SHA-1 requirement is HARD-CODED in the FIRMWARE.
Jeez, okay, fine. Then why not update the firmware?
BECAUSE THIS PRODUCT IS SIX YEARS OLD.
The code base is ugly.
The infrastructure keeps failing.
Everyone who knows how it works quit or was fired.
It's entirely possible that this device doesn't even HAVE the ability for Logitech to remotely update the firmware. It might be the case that they'd have to tell their customers how to do it themselves.
This is a huge investment in internal testing and troubleshooting BEFORE releasing it to customers, and a huge support effort AFTERWARDS when things don't work right.
Yet another reason for that conversation to have happened.
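The trap described above, with expiry on one side and a firmware that only accepts SHA-1 on the other, can be reproduced with a small certificate audit. This is an added example, not Logitech's code or part of the original thread: it reads the signature algorithm and notAfter date out of a DER certificate and applies a hypothetical `device_accepts` policy that models the thread's guess about the firmware. Assumptions: the sample certificates are constructed skeletons (no key, dummy signature), all function names are illustrative, and no signature or chain verification is performed.

```python
from datetime import datetime, timezone

# DER-encoded OIDs of the two signature algorithms the thread contrasts.
SIG_OIDS = {bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
            bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split a constructed value into its (tag, value) elements
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def cert_facts(der):
    """Return (signature algorithm name, notAfter) of an X.509 certificate."""
    tbs, sig_alg = children(read_tlv(der, 0)[1])[:2]
    oid = children(sig_alg[1])[0][1]
    # Drop the optional [0] version so indexes are: serial, sigalg, issuer, validity.
    fields = [f for f in children(tbs[1]) if f[0] != 0xA0]
    tag, raw = children(fields[3][1])[1]   # second element of validity is notAfter
    # UTCTime (0x17) has a two-digit year with the pivot at 50; GeneralizedTime has four.
    century = ("20" if raw[:2] < b"50" else "19") if tag == 0x17 else ""
    when = datetime.strptime(century + raw.decode(), "%Y%m%d%H%M%SZ")
    return SIG_OIDS.get(oid, oid.hex()), when.replace(tzinfo=timezone.utc)

def device_accepts(der, now, allowed=("sha1WithRSAEncryption",)):
    """Hypothetical firmware policy: the thread's guess that only SHA-1 is accepted."""
    alg, not_after = cert_facts(der)
    if now > not_after:
        return False, "expired"
    if alg not in allowed:
        return False, "unsupported signature algorithm " + alg
    return True, "ok"

def tlv(tag, *parts):  # short-form DER encoder, enough for the constructed sample
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_cert(sig_oid_hex, not_after):  # constructed skeleton, not a real certificate
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)), tlv(0x05))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg, tlv(0x30),
              tlv(0x30, tlv(0x17, b"170301000000Z"), tlv(0x17, not_after)), tlv(0x30))
    return tlv(0x30, tbs, alg, tlv(0x03, b"\x00\x00"))
```

Under this model an unexpired SHA-1 certificate is the only input the device accepts: the old one fails once its notAfter passes, and a fresh SHA-256 replacement fails on the algorithm check.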
Bottom lines:
1) Logitech isn't bricking these devices. They're simply refusing to do the work required on THEIR part to prevent the devices from automatically bricking themselves every year or so.
2) Logitech is allowing the devices to brick themselves next March because the otherwise simple task of renewing an SSL certificate is a MONEY-LOSING business proposition.
... not because of the cost of the certificate, mind you. That's a few hundred bucks.
... but rather, because of the cost of the infrastructure necessary to make all the various pieces of this work.
Or rather, the cost of the MAINTENANCE of this infrastructure.
... and very specifically, the cost of maintenance of LEGACY infrastructure: legacy code, legacy systems, legacy operational procedures.
Stuff that nobody knows how to do any more. Because it wasn't very good to start with, and everyone who worked on it is gone, and they have something newer and better that they're working on now.
All this over one certificate. A trivial thing.
This is why we can't have nice stuff. At least, not if the nice stuff is more than five years old.
/fin
Addendum - I just learned that someone might read this thread and think that I am defending, excusing, or apologizing for Logitech.
I am not. Even if I am right about what Logitech is doing and why they are doing it, what they are doing is still wrong.