I cannot identify who the aggrieved parties are, aside from bandwagoning D-Link haters.
These devices are end of life. Anyone running an EOL device doesn't care about security and probably wouldn't update the firmware if it was available.
For comparison, Apple does not update EOL devices outside exceptional circumstances. I never received a 20% discount to upgrade.
Unless these devices would auto-update, it also doesn't matter one bit. Sure, HN users might go in and update their router, but the majority of users don't.
However, because they are routers that users will install and forget about, how are they even supposed to be made aware that these are end of life? D-Link, and other producers of consumer hardware, seem to think that it's fine to just EOL their products and say "go buy a new one". Being D-Link should be much harder than being Cisco. At least Cisco can assume that their customers are keeping up with product information, patches and so on. What is D-Link's plan for informing users that their product is no longer secure? I don't think they have one and that's pretty irresponsible because they should know that the majority of their customers aren't all that technically savvy.
I don't know if D-Link devices automatically pull updates, my guess is that they don't, but there should at least be an on-device indicator that this device is now EOL and should be used at the customer's own risk. It's fine to say that a device is EOL and no more updates will be made available, but they need to indicate to the customers that these devices are now at risk.
> These devices are end of life
If I told you that your fridge or car would be EOL in 5 years, and after that you should throw it away and buy a new one, you'd rightly laugh me out of the room.
I think it's worth taking a moment to consider why we let manufacturers get away with abandoning tech gadgets so quickly...
Last I checked, most manufacturers have a limited-time warranty on pretty much all appliances, especially short on low-end appliances; after that you are on your own. So I don’t see your point here? The router can still route, but you now have a much bigger chance of it “failing” by being hacked. Equally so, your refrigerator compressor can die easily after 5 years and the manufacturer won’t have to pay you a cent or try to repair it. You are truly on your own after the warranty.
While I don’t expect D-Link to support every router indefinitely, there has to be a reasonable number of years. Maybe the feds should set one and have the machine let the user know “you are outside of security time length and you are now easily attacked by hackers” for papaw and memaw. Also, it’s profoundly unfair to say that is “bandwagoning D-Link haters” and unfair to expect everyone to be a security power user.
Why do you think there is such a thing as 'D-Link haters'?
I don't hate D-Link (I don't care about them anywhere near enough to bother), but I think there's enough of a history of poor security practices to avoid their products...
Sure, but is EOL really a defense given the absolutely pathetic security posture that created this exploit in the first place? Is there a statute of limitations on mind-boggling levels of incompetence?
I'd usually give the EOL argument some credit, but this exploit is not an accident: someone deliberately wrote an unauthenticated remote command execution as a feature, and it made it to production, and no one in this long chain of failures thought to themselves "gee, maybe we shouldn't do this".
We could have passed a law requiring minimum security standards but we didn't. The result was predictable and here it is.
How long should a consumer expect their modem to last? How long ago were they last being sold at retailers?
I think gadgets should have an EOL date on them, manufacturers might even start competing on who gives updates for longer.
Wait, has Apple ever exposed an end-point like this?
Do we know how they'd react if they ever did?
Your Mac is a network endpoint. It can easily be hacked after Apple stops putting out security patches for your EOL’d Air on your EOL’d D-Link router.