Here is my guess about what's going on with the Logitech Harmony Link fiasco:
The story so far: Logitech is bricking an older device that lots of people use and which is working just fine.

See, e.g. theverge.com/circuitbreaker…
Ignore for the moment the whole customer satisfaction / company PR aspect of the story. I'm just going to dig into the technology and explain WHY this is happening.
The company first said: "On March 16th, 2018, Logitech will discontinue service and support for Harmony Link. Your Harmony Link will no longer function after this date"
People think this means they're bricking it, and that's kind of true... but they're bricking it *passively*, not *actively*. Read on to understand why.
A rep later explained: "There is a technology certificate license that will expire next March. The certificate will not be renewed as we are focusing resources on our current app-based remote, the Harmony Hub."
This is an incompetent translation of what an internal engineer told some externally-facing rep or manager.

By "technology certificate license" they almost certainly mean *an SSL certificate*. That's all. Nothing fancy. Just an SSL cert.
Most recently, the company put out an official response, where they're addressing the PR nightmare by giving everyone the new product for free.

It included this explanation:
So here you see "technology license certificate" has been replaced by "encryption certificate", i.e. an SSL cert.
So why is it going to stop working when the cert expires?

Because this device phones home from time to time, probably at least every time it boots, probably to download its configuration from Logitech.
You see, one of the features of the Harmony series is that you configure *your* device using *Logitech's* website. It stores your device's config there and the device downloads it.
This download is over HTTPS, secured with a certificate. If the certificate is not valid, the download is aborted. What happens next I'm not sure of - probably the device simply continues to use its previous configuration.
... but it's possible it will fail to operate at all. Not sure.

But at any rate, when the cert expires next March, all these devices will at the very least become unable to be reconfigured (almost certainly), and at worst will actually stop working entirely (less likely).
Okay, so, why can't Logitech just renew the cert?

Well, they can. But guess what? THE CERT IS USING SHA-1
(I don't know this for sure, but this is my VERY strong hunch, because reasons)
SHA-1 certs are difficult to renew these days. There's basically only one company that will still issue them any more.
Well, fine, so why don't they just do that?

Two possible reasons:
Number one: like they said in their FAQ: "we would be acting irresponsibly by continuing the service knowing its potential/future vulnerability"

i.e. someone told them that using SHA-1 would be insecure and responsible.
(*irresponsible)

This is crap, but it's crap that everyone believes these days. But never mind that.
Number two - it is entirely conceivable that the trusted roots which are hard-coded into the device firmware do not include the one trusted root still willing to issue SHA-1 certificates.
Reason numbers three through infinity have to do with business decisions about not wanting to support old products any more.
The people who developed it originally have all quit or been fired, the code base is ugly, the infrastructure for configuring the devices over the web and deploying the configurations is unstable and keeps breaking, etc etc etc.
In this scenario, this conversation happened:

"Hey, we need to renew the cert again. Remember, it has to be SHA-1."
"Ugh, what a pain."
"I hate this whole product line. Can't we just retire it?"

"... sure. Let's do it when the cert expires."
"We still have customers using the product."
"Not that many of them. And it's not like they're paying us, it's a free service. And they've already gotten a bunch of years out of it, and it's only a one-year warranty in the first place."

"Okay. Let's do it."
I GUARANTEE that conversation happened.
Okay, so if it's breaking because the SSL cert is expiring, and the cert isn't getting renewed because it's a SHA-1 cert...

Why not just get a SHA-256 cert instead?
Because the SHA-1 requirement is HARD-CODED in the FIRMWARE.
Jeez, okay, fine. Then why not update the firmware?
BECAUSE THIS PRODUCT IS SIX YEARS OLD.

The code base is ugly.
The infrastructure keeps failing.
Everyone who knows how it works quit or was fired.
It's entirely possible that this device doesn't even HAVE the ability for Logitech to remotely update the firmware. It might be the case that they'd have to tell their customers how to do it themselves.
This is a huge investment in internal testing and troubleshooting BEFORE releasing it to customers, and a huge support effort AFTERWARDS when things don't work right.
Yet another reason for that conversation to have happened.
Bottom lines:

1) Logitech isn't bricking these devices. They're simply refusing to do the work required on THEIR part to prevent the devices from automatically bricking themselves every year or so.
2) Logitech is allowing the devices to brick themselves next March because the otherwise simple task of renewing an SSL certificate is a MONEY-LOSING business proposition.
... not because of the cost of the certificate, mind you. That's a few hundred bucks.
... but rather, because of the cost of the infrastructure necessary to make all the various pieces of this work.

Or rather, the cost of the MAINTENANCE of this infrastructure.
... and very specifically, the cost of maintenance of LEGACY infrastructure: legacy code, legacy systems, legacy operational procedures.
Stuff that nobody knows how to do any more. Because it wasn't very good to start with, and everyone who worked on it is gone, and they have something newer and better that they're working on now.
All this over one certificate. A trivial thing.
This is why we can't have nice stuff. At least, not if the nice stuff is more than five years old.

/fin
Addendum - I just learned that someone might read this thread and think that I am defending, excusing, or apologizing for Logitech.

I am not. Even if I am right about what Logitech is doing and why they are doing it, what they are doing is still wrong.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Eddie, Son of Richard

Eddie, Son of Richard Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @random_eddie

Jun 30
The EPA SCOTUS decision in brief:

Imagine the FDA, in pursuit of its mandate to regulate tobacco, decreed that children born in south Georgia must be sent to live in New York because they might otherwise grow up to farm tobacco.

SCOTUS says that would exceed their authority.
Another way to look at it:

Congress said the EPA can require plants to clean up their outputs using the best available methods. So the EPA decided that the best available method to reduce carbon outputs at a coal-firing power plant is to shut it down and switch to windmills.
EPA: No, it's good, Congress said we can do that!

SCOTUS: Image
Read 16 tweets
Jun 30
Yes … ha ha ha … YES! Image
Read 6 tweets
Jun 28
Note, though, that this wasn't a drug case. It was a burden-of-proof / standard-of-guilt case, focusing on technical legal stuff about whether the government had to prove that the docs knew their patient was abusing pills.
The plain text of the law said they did, and the Court agreed that the government had to abide by the plain text of the law. Unanimously.
Read 12 tweets
May 29
This thread is wild

TIL that in Swedish culture (and maybe other Nordic countries) it’s weird to feed guests in your home, and that when it’s mealtime you expect them to go home to eat or to wait in your home alone and hungry while you eat

UNLIKE EVERY OTHER CULTURE ON EARTH
Here’s a thread (in Swedish, use Translate) where Swedes, puzzled, ask things like “But of course we’ve only planned to cook enough for ourselves, how could we possibly feed another person” and “But your mother at home would have to throw away what she made for you”
Reading that thread it seems that the concept of “leftovers” is completely alien to them

As is the concept of spontaneously finding and preparing an extra quantity of food of any sort whatsoever

I’m gobsmacked
Read 6 tweets
Mar 8
great thread about fraud and why the banks need to take it on the chin to protect the normies
a)
b)
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(