TheRealPomax 1 day ago

I mean... yes? "we no longer support these" devices were hit with critical vulnerabilities, and that'll never get patched, just like any other device that hit EOL.

You knew your device was no longer supported and would no longer receive security updates, "someone found an exploit" is kind of a given, and "D-Link won't patch it" equally so?

yjftsjthsd-h 1 day ago

> You knew your device was no longer supported and would no longer receive security updates

I'm less confident that this is true. I think I know what the EOL is for all my networking equipment[0], you probably know the EOLs on your networking equipment, but I would wager that a majority of the population very understandably regards these things as appliances that you buy, plug in, and then it works indefinitely, and they do not in fact have any clue when the vendor will decide to stop providing security patches for it.

[0] Actually, now that I think about it no I don't; I was thinking of the core bits that I control, but the edge of my network is an ISP-provided box that I know essentially nothing about. Given that I don't manage it, I hope my ISP will send me a new one when it hits EOL but I don't know that.

TheRealPomax 1 day ago

As an adult paying for your ISP service: you have some responsibility here. Whether you want that responsibility or not.

bdangubic 1 day ago

you are on HN so this makes sense to you. imagine your car was hacked while driving your family in the middle of the desert and bricked. as an adult that bought the car is this your responsibility that you endangered your family’s well-being?

TheRealPomax 1 day ago

A legally binding as well as moral yes. If you drive a 2000 pound death machine, know how it can kill you. The idea that you are somehow not culpable in the situation you've given is baffling. Of course you are.

bdangubic 1 day ago

you should delete this comment :)

TheRealPomax 20 hours ago

nah, people who know that cars kill a _whole_ bunch of people each year, and believe that car ownership should come with full responsibility by the owner when it comes to whether their computer-on-wheels is compromised or not are just as free to post to HN as people who think that that's not the car owner's responsibility. If you have a car with remote shutoff/control, you owe it to both yourself and especially your family to stay up to date on news about that. The world's bigger than just the US, some countries place more value on personal responsibility than others.

bdangubic 19 hours ago

so in your world anyone that uses anything which is connected to the internet (which is basically everything) needs to be a cybersecurity engineer? :)

my dad (and most dads) will be pissed he can’t drive his EV or any of the tech gadgets he likes cause he’s not technically qualified for ownership and responsibilities that come with it…? that sounds reasonable :)

in this world I would say the very least business could do is put up a disclaimer on the product “requires PhD from Carnegie Mellon to own”

bigstrat2003 1 day ago

Yeah, the only thing that might make D-Link's position here unreasonable is how long ago the devices hit EOL. Like if it was last week then they are being a bit petty if they don't issue a patch, but on the other hand if it was 10 years ago it is ridiculous to expect them to patch it. I couldn't find that info in the linked article (probably it's somewhere in between the two extremes I mentioned), but without knowing that context I can't really fault a vendor for saying "EOL means EOL, sorry".

Dylan16807 1 day ago

> if it was 10 years ago it is ridiculous to expect them to patch it

I don't think even that is "ridiculous". It came out of the factory defective. This isn't about features or maintenance. How many years total would that be since last sale, still less than 15?

BenjiWiebe 1 day ago

Also, how many hundreds of dollars would it really cost them to release an update, even if it was 15 years old?

swiftcoder 1 day ago

For at least one remote access vulnerability reported earlier this year, D-Link declined to patch even though the device only hit EoL during the disclosure period, and was still within the EoS (end-of-service) date (which by D-Link policy is EoL + 1 year):

https://supportannouncement.us.dlink.com/announcement/public...