elmerfud 12 days ago

This is where I wish governments would step in and stop allowing companies to make appliances that are throwaway. I understand that a company can only viably support or offer warranty for a limited time period, but that should not cause something to become trash when it falls out of the warranty period.

The right to repair movement focuses mostly on the actual repair of the item, but when so many of these items are using microcontrollers that are running software code instead of simply running solid state systems, the right to repair the hardware itself is insufficient. The United States is too dumb and too controlled by businesses to pass any meaningful legislation, but I would hope that the EU would step up and pass legislation that says when you EOL a product like this, which is a physical appliance that is running software code, you must also open source, along with all appropriate tooling, that software code. This way the community can continue to repair these devices, because they are not functionally obsolete; they are obsolete because they cannot support them forever, but third parties absolutely can. We have technology that's now 50-plus years old, that is, integrated circuits, transistors, etc., that third parties are supporting and repairing and that manufacturers have long abandoned. Well, you complain all the time about e-waste, but recycling is not the only option; rebuilding and reusing are options as well.

One other thing that should be considered is that even though this is an end of life product, this was a defect that existed from the beginning of the life of this product. Therefore this was defective the entire time; it just wasn't discovered until now. This is another area legislators need to step in and correct. Automobiles have no time limit on a safety recall. The reason for that is that the safety issue was present from the beginning; it doesn't matter if it took 15 years to be discovered. Once it's discovered, you know it's in absolutely every single one of these that's in service and has always been there. Therefore the manufacturer is required to correct it.

cstrahan 12 days ago

Ha, several days after hearing about CVE-2024-10914 (https://nvd.nist.gov/vuln/detail/CVE-2024-10914)

> Description
>
> A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.

The "The exploitation appears to be difficult" bit, AFAICT, is solely based on the presumption that most users won't put their NAS on the internet.

First heard about it from the "Low Level" channel on YouTube -- https://www.youtube.com/watch?v=-vpGswuYVg8 -- the bug/vulnerability is pretty embarrassing. And D-Link's approach of "scrap your old purchase, buy a replacement model" is pretty insulting.

Probably going to avoid D-Link products where I can.
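
A defender-side check for the request pattern named in the CVE description quoted in the comment above, added here as an example and not part of the thread or of any vendor tooling. It assumes combined-format access logs from a proxy or gateway in front of the NAS; the log lines, the `SAFE_NAME` allowlist and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint, command and parameter taken from the CVE description quoted above.
TARGET_PATH = "/cgi-bin/account_mgr.cgi"
TARGET_CMD = "cgi_user_add"

# Assumption: legitimate account names are short and use only these characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,32}")

# Assumption: common/combined access-log layout (source address first, quoted request line).
REQUEST = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def classify(line):
    """Return (source, verdict) for cgi_user_add requests, None for anything else."""
    m = REQUEST.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes values, so encoded metacharacters are inspected too.
    params = parse_qs(url.query, keep_blank_values=True)
    if TARGET_CMD not in params.get("cmd", []):
        return None
    # A missing or empty name fails the allowlist and is flagged as well.
    names = params.get("name", [""])
    ok = all(SAFE_NAME.fullmatch(n) for n in names)
    return (m.group("src"), "expected" if ok else "suspicious")


def scan(lines):
    """Classify every line and keep only the cgi_user_add hits."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Nov/2024:10:01:02 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Nov/2024:10:03:44 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=guest%3Bx HTTP/1.1" 200 87',
    '203.0.113.5 - - [12/Nov/2024:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE_LOG):
        print(src, verdict)
```

Access logs only show query-string parameters, so the same request sent with its parameters in a POST body would need inspection at the proxy instead.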

bn-l 12 days ago

> Vendor offers 20% discount on new model

Nice