Update: We Will Replace Your Logitech Harmony Links (logitech.com)
96 points by dhbanes on Nov 10, 2017 | 87 comments



If you sell a device that relies on an external service to function, then you are no longer in the hardware business, you are in the services business, and should sell the service as such.

Likewise, if you are a consumer and buying a physical device that needs an upstream service, you don't really own, or really even need to own the device. What you really want is the value the device brings, without any of the headaches that go along with devices becoming obsolete.

Logitech is so used to selling hardware products that they didn't realize that they became a service provider as soon as their Harmony Link required connectivity. They should not be marketing or selling devices, despite their history of being a physical product vendor. If users had purchased a "Harmony Link" service agreement, and Logitech was responsible for keeping their users' devices up to date and functioning with their service, then nobody would complain.

Cable companies figured this out a long time ago. When was the last time anyone had to care about cable modem or set top boxes being deprecated? The cable companies have always sold the service, and the hardware was either rentable, or, sometimes, provided by the consumer, but always with the understanding that the hardware wasn't why people bought cable.

I've avoided any of these connected home hardware specifically because the manufacturers try and push ownership to the consumers. As soon as it's the service provider's responsibility to ensure the devices are secure and work with their service, I'll sign right up.


This reminds me of the "Keurig model" of hardware sales [1]. As a hardware guy myself, it's easy to focus on the physical product instead of the real reason anyone would buy it.

[1] https://blog.bolt.io/keurig-accidentally-created-the-perfect...


I hate this model. I'm old fashioned, in that anything I rely on day to day, I want to own. My tools, my games, my pots and pans. Every service license you agree to adds another layer of external control to your life.


Would you pay a monthly fee for a remote?


Would you buy a remote that you know can cease to function at a whim of the producer, despite being fully operational from electronics' standpoint?


Not really, but I'll buy hardware with a guaranteed service length. For example, the service is guaranteed for 7 years after activation.


Might as well make it 20 years. For something like a remote control you can fit 100k users on a server, and a little bit of money per device can go an extremely long way. Extra large ec2 servers (which you can easily do better than on cost) are about a thousand dollars a year, and you only need a few hours of sysadmin work per month across the entire fleet.

And you can cut servers as people end up using devices less on their own.


Having a physical remote isn't the value proposition. Being able to remotely control a wide variety of aspects of my home is the service I would pay for. The hardware that accomplishes that is irrelevant.


Not when the IR database can be loaded into a device and purchased once.


If you charge enough, and have enough year-over-year device turnover, your service—or at least its basic tier—can be subsidized by device purchases. Like Apple's iCloud.


There was apparently a period of time following the announcement on the Logitech forum where the words "class action lawsuit" were being censored as profanity.

My guess would be the company lawyers told them they were digging themselves into a very deep hole, and that replacing the Harmony Links would be the least damaging / expensive option.


You could have just read the blog post:

> Q: Are you censoring the words “class action lawsuit” in your Logitech Forum?

> Our intention is to ensure our forums help our customers when they need support. This includes keeping the conversation productive by monitoring the language used and automatically blocking profanity or personal attacks. This is common practice. The words “class action lawsuit” were blocked as our Community Terms of Use do not allow solicitation, including legal solicitation. We have unblocked the terms and are reviewing our list of blocked terms.


Sounds like a pretty thin post-hoc explanation.


I would never discuss or threaten a CLA on a company's forum. That puts the company in a conflict of interest: They are sponsoring the forum that's discussing a lawsuit where they are the defendant.


If you are in the position of being threatened with legal action step one would be to take a long look at your behavior and decide if you are in the wrong legally or morally and decide if you ought to head off such discussion with corrective measures.

Shutting down such discussion isn't going to shut down the discussion on the rest of the internet and is unlikely to help. It's a pretty easy conflict of interest to resolve because your ultimate interest is not looking like an asshole to your potential customers.


Funny my PS3 class action hasn’t paid out yet. I think their PR department told them to do this.


The PS3 was not completely bricked tho..


They probably estimated the number of people who will actually file for the replacement, and found that it would cost less than paying their lawyers to defend in a class action suit that they may or may not win.


The funny thing is, people here and on Reddit bring out the argument "it's only censorship when a government does it! A private company can do whatever they want!" all the time when it's opinions they don't like being removed. But when it affects them, all of a sudden it's censorship again.


I think you've got that wrong. Pretty much anyone can engage in censorship. It's first amendment violations that can only be committed by the government.

So was Logitech censoring? Yes. Was it a free speech issue? No.


Have you thought that there’s a variety of users with different opinions that don’t represent a monolithic single opinion? People crying censorship not being the same ones as the one understanding company’s right to control the message on their own platform?


And yet folks stress how much we need to put moderators at Facebook, Twitter etc in charge of determining what is acceptable political speech on their platforms beyond existing legal requirements...


Repeating cycle of "medium gains mass acceptance from open and unmoderated communication, somebody starts to abuse system, people call for moderation."


Most who are calling for moderators are easily offended by things they don't like. If you're that easily offended, you're going to have a bad time.


Lesson 1: Don't buy stuff like this that depends on an online component to locally control your electronics. Lesson 2: Don't buy Logitech, as they make the things from lesson 1. The new hub is the same as the old hub and will probably break once they get tired of its online service too.


Logitech peripherals are still top notch. They also don't communicate online, which is probably the reason they're still good.


Well. The firmware update process does, which now makes me wary of it.


So does Philips, when they remotely nuked 3rd party light bulbs. The 3rd parties used their specs that were available. But that didn't matter. Something something profit. (They too reversed their decision after a few days of really bad press. I'm just waiting for them to reverse it again, with less internet fanfare.)

My bigger question here is of "reasonable sale" and CFAA. How are these NOT violations of the CFAA? Cause I can think of no customer who bought the Philips Hue sets who wanted the "feature" of 'nuke 3rd party bulbs'.

And yeah, it's only time when Philips, Logitech, and the rest of IoT crap gets remote-nuked. Give me MQTT/CoAP/AMQP or you can keep your shit!

(And yeah, this topic, like my name, makes me CRANKY. My hardware is mine, and I expect that the vendor I buy stuff from doesn't vandalize or destroy functionality now or in the future. That's vandalism, computer hacking, and/or fraudulent transaction. Take your pick.)

UPDATE: I didn't mention what I'd like as a way forward. Sure, I'm OK with updates as long as they FIX problems, and potentially add features. My ideal setup is: supports basic MQTT/CoAP/AMQP with local server, along with their proprietary cloud control. If cloud control bails, you might lose add-on value but you can re-implement yourself. The devices don't end up dead, just temporarily reduced. You might have to buy a VPS, or poke a hole in your firewall and do the dyndns song and dance..


Their older Harmony remotes are great. And I don’t remember the last time I updated the firmware.


It would be nice if there were a clear, unambiguous logo that we as consumers could look for, which designated that the device does not require the internet to function or to be activated. I'm envisioning a picture of cloud with a red "X" over it.

It's about time companies disclosed in their specifications whether or not a product functions without their permission.


That would be like having a logo that indicates a food product is not poisonous. The expectation should be that hardware does not require internet access to function. If it does it should be prominently disclosed.


> Lesson 1: Don't buy stuff like this that depends on an online component to locally control your electronics.

How do we, let alone the average consumer, actually know this?


Sadly there is a lot of truly great stuff you'll miss out on, if you rigorously apply Lesson 1. My smart sprinkler controller and thermostat are examples.

(Needless phone-home stuff is another matter, all the risk with no value add)


Why does a sprinkler system or a thermostat need a backing Internet service? I can see an Internet connection, receive-only for remote control, but why would they need to transmit anything out of the home to a hosted service?


A variety of reasons; for example, the ubiquity of NAT plus the use of sleep modes means it's painful to get smartphone apps to talk directly to the hardware in question. Far easier and more reliable to have a hosted intermediary.

Additionally, the thermostat supports demand-response features (where your utility shuts off the thermostat), and can even pre-warm or pre-cool before the demand-response event as needed. The sprinkler controller checks the weather and works out optimal scheduling. Both receive regular firmware updates, and feed telemetrics back to the company for further improvement of their firmware.

Technically all of this could be done independent of their own hosted service, such that everything would still run normally without it. But there's a lot of connected features, and integrating a centralized hosted service simply makes everything far easier to develop.

At which point keeping a centralized service out of the equation becomes a feature requiring money & manpower to develop- a feature most customers don't care about, at that. (And let's be honest, what company wants to spend their energy on a future where they are out of business?)


As long as you expect that your stuff may stop working at any time, with no advance warning, and no recourse.


Last year's version of this story featured Nest in the role of Logitech, and Revolv in the role of Link. It ended with refunds to Revolv owners [5].

[1] "Nest's Hub Shutdown Proves You're Crazy to Buy Into the Internet of Things", Klint Finley, Wired, 15 Mar 16. https://www.wired.com/2016/04/nests-hub-shutdown-proves-your...

[2] "What Nest's Product Shutdown Says about the Internet of Things", Christina Warren, 4 Apr 2016 Mashable. http://mashable.com/2016/04/04/revolv-smart-home-shutdown/#0...

[3] "Nest's Meager Response To Revolv Users Falls Short", Aaron Pressman, Fortune, 6 Apr 2016. http://fortune.com/2016/04/06/nest-meager-response-google-re...

[4] "Here's How Google Is Handling a Big Controversy", By Lisa Eadicicco, 6 April 6 2016, Time. http://time.com/4283408/nest-google-shuts-down-revolv/

[5] Revolv is now closed. https://revolv.com


For those looking for an alternate hacker-friendly solution, you can make your own smart remote with a Raspberry Pi Zero W. I made an IR blaster that replaced all my IR based remotes [1]. I’m sure you can make one for RF ones as well. And they’re not too hard to integrate with Amazon Echo or Home Kit.

[1]: http://www.instructables.com/id/Amazon-Echo-Controlled-IR-Re...


I wonder if Logitech will be willing to share of their roadmap and plans for the Harmony Hub.

It might be fair to presume the security certificates are needed to communicate with the Logitech cloud and not for the operation of the device itself, and this product might not be affected if there was no cloud.

Logitech should provide options to keep their existing devices running.

You wouldn't expect a keyboard or a mouse to stop working when software updates end.

Cloud only connected devices by Logitech have been exposed in this case to remain at the mercy of Logitech.

"Looking out for users security" could also have been carried out proactively to communicate the reasons and an exchange program.

Potential solutions:

- release something open source for users to handle the back end once a device is eol

- update the harmony mobile app to directly update the Harmony Hub on your local network and not need the Logitech cloud.

- if the software and possibility exists, load a locally hosted offline first progressive web app if possible on the hub device itself. The harmony mobile app at last glance was a Microsoft Silverlight based app so the one codebase to multiple platform philosophy should not be new.

These types of solutions could allow updates to Logitech's cloud while it's available, and responsibly allow the devices to survive when Logitech moves forward.

I just don't want to be buying a Harmony Hub when in fact I'm renting it and could be turfed at any time. That's a bait and switch, however unintended and it is probably a fair question for a lot of our cloud connected devices to answer, not just Logitech.


Anyone here work for/with Logitech? I'd love to know the nitty gritty behind the "encryption certificate expires" PR simplification and why a new one can't/won't be cut. (sole embedded root expiring? something else?)


Having worked for a flailing IoT startup before, I can tell you that it's not uncommon for products to ship with TLS certificates, but without any notion of a PKI or cert management infrastructure that would enable these devices to keep working in the future. As usual, a rush to launch leads to corners being cut. Sometimes these arguably crucial pieces are added later; other times, customers are left holding the bag when renewal of certificates turns out to be impossible for one reason or another.


"MVP"


MVP - 1

The update framework is the second thing you figure out and don't cheap out on.

No in place updates, everything needs dual firmware support with the 0 stage bootloader in ROM.


Their doodad had all the features. Yours has a really great update framework. Guess which one gets funded at demo day, or makes it to retail shelves this christmas?


If your doodad has a weak enough update framework that it bricks itself a handful of years after production, good luck getting any revenue or funding going forward.


Too late .. already ~scammed~ ~ran away with the money~ I mean "pivoted"


The _second_ thing you work on.

UL listing should cover certificates, update, and boot resiliency.


The phrase I read was not "encryption certificate" but "technology certificate" which sounded more like something along the lines of a license for some third party IP, or an API key for a subscription service that Logitech had been paying for. But I agree it's a vague simplification and more details would be interesting.


That was their earlier statement. This one says encryption.


It could be similar to when YouTube stopped supporting shorter encryption keys, and a lot of streaming hardware suddenly became useless because they couldn't support longer keys.


I'd love to understand the thought process of the exec or product manager who sat in that meeting and said, "You know what we should do? We should just turn off the service and make all of our customers' devices not work anymore! And then see if they'll buy another similar device from us after hearing the news."

Who on earth thought that was a good idea?


This is pure speculation, but if I had to guess, I'd bet they baked a Symantec-owned root into the product without an upgrade path, and they use a third-party provider who is moving their endpoint away from Symantec (or one of Symantec's other brands) because of the big distrust that's happening next month due to all of their misissuances. That means the devices won't be able to connect to the endpoint once the cert changes.


Some people speculate it's an Equifax cert that's expiring, but I don't know the details of it


Two other theories:

- Firmware is running SSL which doesn't support SHA-256, and a SHA-1 cert is expiring soon.

- Device (or other devices it communicates with) rely on cert pinning back to Symantec owned roots, and will somehow be affected by the Symantec distrust and Digicert acquisition.
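
Added example, not part of the thread and not Logitech's code: the failure modes speculated about in the comments above (a single baked-in anchor, an endpoint moving to another CA, a TLS stack that cannot verify SHA-256, no update path) expressed as a check a vendor could run against a firmware manifest before shipping. Every name, field and date is constructed, and it assumes the device enforces validity dates on its embedded anchors.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Anchor:
    """One root certificate or pin baked into the firmware image (hypothetical)."""
    name: str
    not_after: date                     # expiry of the embedded certificate
    abandoned_on: Optional[date] = None  # day the service stops chaining to it

    def usable_until(self) -> date:
        # The anchor is useless once it expires OR once the endpoint moves away.
        if self.abandoned_on is not None:
            return min(self.abandoned_on, self.not_after)
        return self.not_after


@dataclass(frozen=True)
class Firmware:
    anchors: Tuple[Anchor, ...]
    supported_hashes: Tuple[str, ...]   # signature hashes the TLS stack verifies
    has_update_path: bool               # can a signed update replace anchors/TLS?
    support_end: date                   # how long the device is meant to work


@dataclass(frozen=True)
class ServerLeaf:
    sig_hash: str
    not_after: date


def audit(fw: Firmware, leaf: ServerLeaf, renewal_hash: str,
          today: date) -> Tuple[Optional[date], List[str]]:
    """Return (last day the device can reach the service, findings)."""
    live = [a for a in fw.anchors if a.usable_until() >= today]
    if not live:
        return None, ["NO_USABLE_ANCHOR"]

    findings: List[str] = []
    # The service can re-issue under any anchor the device still trusts.
    horizon = max(a.usable_until() for a in live)
    if len(live) == 1:
        findings.append("SINGLE_ANCHOR_NO_BACKUP")

    # If the device cannot verify what CAs issue at renewal time, the current
    # leaf's expiry is the real deadline, whatever the anchors say.
    if renewal_hash not in fw.supported_hashes:
        findings.append("CANNOT_VERIFY_RENEWED_CERT")
        horizon = min(horizon, leaf.not_after)

    if horizon < fw.support_end:
        findings.append("ROTATE_TRUST_VIA_UPDATE" if fw.has_update_path
                        else "BRICK_BEFORE_SUPPORT_END")
    return horizon, findings


# --- constructed sample manifests -------------------------------------------
TODAY = date(2024, 1, 1)
LEGACY = Firmware(
    anchors=(Anchor("Constructed Root A", date(2025, 3, 1)),),
    supported_hashes=("sha1",), has_update_path=False,
    support_end=date(2030, 1, 1))
LEGACY_LEAF = ServerLeaf("sha1", date(2024, 9, 1))

HARDENED = Firmware(
    anchors=(Anchor("Constructed Root A", date(2035, 1, 1), date(2024, 6, 1)),
             Anchor("Constructed Root B", date(2040, 1, 1))),
    supported_hashes=("sha256", "sha384"), has_update_path=True,
    support_end=date(2030, 1, 1))
HARDENED_LEAF = ServerLeaf("sha256", date(2024, 9, 1))

if __name__ == "__main__":
    for label, fw, leaf in (("legacy", LEGACY, LEGACY_LEAF),
                            ("hardened", HARDENED, HARDENED_LEAF)):
        print(label, *audit(fw, leaf, "sha256", TODAY))
```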


I too would like to know more about this. They haven't made this sufficiently clear.


Let's not continue to find a reason to be outraged. That's the stuff mass media wants people to do. I feel like this community is better than that.

They made a mistake and they've owned up to it and are doing the right thing.

Thank you, Logitech, for listening to your customers.


If it weren't for the bad PR, Logitech wouldn't have done anything here, and I doubt this is the last time they'll be trying to do the same thing since companies have been gradually getting consumers acclimated to this being "the norm".

People should still be upset about this, even after Logitech's bean counters calculated that the negative PR cost would have been greater than the cost of doing the right thing in this instance.


If you stick a knife in my back nine inches and pull it out six inches, there's no progress.

Not that extreme, but come on... if you screw people over in a product space as janky and anti-consumer as the IoT, then replacements or refunds should be standard and not reluctantly extracted from you.

... will say some shit like, "I take care of my kids." You're supposed to, you dumb motherfucker! What kind of ignorant shit is that? "I ain't never been to jail!" What do you want, a cookie?! You're not supposed to go to jail, you low-expectation-having motherfucker!


I have a Sony Dash, even though I don't really use much of it, I find it irreplaceable for the ability to program complex alarms. It's been working fine for at least 4 years.

A couple of days ago we had a power failure, the thing hadn't been rebooted in looong time. Since the reboot it hasn't been able to get past an 'Authorizing...' screen.

Long story short, Sony discontinued some servers, the thing is a brick now.

I knew there were some cloud services being consumed but had no idea it wouldn't work at all without those services. It's a freaking alarm clock!!!!

Even if Sony would make this same move, and I would happily take the replacement, I would never buy another thing like this.

Dodge this bullet, what about the next one?


> Dodge this bullet, what about the next one?

Yep. They'll keep shooting until enough buyers just give up and accept that tech is arbitrary and terrible in this way, too. The end state is negative-option billing protected by layers of automated phone "support" backed by a few people who barely speak your language.


The Dash doesn't have to be a brick, as long as it's the original HID-C10 model. Chumby has a software hack that will connect it to their service, see http://forum.chumby.com/viewtopic.php?id=9752


Can someone summarize the apparent PR problem Logitech is trying to solve? I'm not familiar with the situation.


Previous situation was apparently "That newish home automation device that you bought from Logitech? It'd be a shame if anything were to happen to it - so we're shutting it down for you. But by coincidence, here's a very similar device that we're selling, and you're lucky, we'll give you a discount!" That announcement...was not received amiably amongst the userbase. After a day or two of internet's ire, it looks that the "loss of goodwill" column has finally outstripped the "cost of total replacements" column.

tinfoilhat: Anyway, I for one deeply regret this - not least because I have some great Logitech devices that I depend on, and now I'm worried someone might decide to accidentally brick them in a firmware upgrade, as they're no longer generating profit for Logitech. /tinfoilhat


I think you are confusing the link and the hub. The link has no home automation functions and hasn't been sold for 4 years.

That said, they badly mishandled this situation, and the fact that there was so much product confusion (people thought they had just bought a link, when they had bought a hub, and people who bought a link even when it was released 6 years ago have a reasonable expectation for it to keep working) and I am glad they have shifted their position.


Am not. "Harmony Link allows you to use your Apple mobile device (iPhone, iPad, or iPod touch) or Android mobile device to control your entertainment system. Using the Logitech Harmony Link app, you can launch activities and control devices with a single touch. " That, in my opinion, falls under "home automation" - consolidated, remote control of household entertainment system is a part of that, IMNSHO. Also, while 6 years might be hopelessly outdated for a mobile phone or a tablet, here I am, typing on an even older computer (which has been only upgraded slightly), and don't get me started on the car.

For home automation, I would expect the appliance's lifecycle to be closer to the refrigerator and oven (20 years and still going; EDIT: this applies to audio as well, my previous A/V setup was mostly older than me while it worked, and I'm no audiophile), not to "get your ass on the HW upgrade treadmill and replace again with iWhatever2017 or suffer the consequences." There's the point, as you note: the expectation to keep working, as opposed to an endless pile of discarded gadgets.


Another comment has a link to a Verge article that can probably explain it better than I can, but basically, Logitech initially announced the discontinuation of Harmony Links, with the device being bricked post-March 2018 due to some certificate not being renewed. If you were out of warranty, the best they could do at the time was 35% off the new device.

People got mad, media found out about it. Now they suddenly can replace everyone's no problem.


They should make a FOSS tool for configuring their devices. Current approach is a horrible mess. Using some on-line server to configure a remote is very wrong.


Idea: insurance (that looks like or is part of an extended warranty or service contract) for cloud services.

Companies should be required to label whether a device depends on cloud service. Customers could buy a guarantee, like a service contract, that the service will keep running {for some amount of time, forever}.

If the company itself sells the guarantee, then it has to price the cost of breaking these contracts into decisions about whether to maintain the service. This doesn't protect the customer from a company going out of business, though. Maybe the provider is required to put the money in escrow; or maybe they're backed by re-insurer.

This allows customers to opt in or out, depending on their risk aversion and other factors. And it's more predictable, and maybe more efficient, than a class action lawsuit.

There's a model for this: consumers buy extended warranties and service contracts for some goods, especially appliances.


Why I'm a fan of open source home automation: https://home-assistant.io/blog/2016/04/05/your-hub-should-be...


You would still need hardware to communicate over the various smart home standards (433, bt, ir, zigbee, wifi, etc.)


And that hardware doesn't need to communicate with the cloud, see things like this zwave usb stick (which works GREAT for zwave with home assistant and a raspberry pi): https://aeotec.com/z-wave-usb-stick


I agree! I personally have a z-wave stick, hue bridge, lutron bridge, a custom IR transceiver, etc automated w/ hass. But I can see the temptation to buy a one-size-fits-all device which can communicate with all those products (or at least their other hubs).


I think some context is necessary - I wasn't sure what this was about. Here's an article from The Verge: https://www.theverge.com/circuitbreaker/2017/11/8/16623076/l...


The worst part about this whole thing is the lack of clarity (or a simple landing page) describing the difference between a Logitech Hub & Logitech Link. I've had a Hub for years and didn't know the difference; had a hard time the last week or so determining whether I was affected or not.


Now the real question is what Logitech hardware is safe and what Logitech hardware supports network-based firmware updates or the like.

Currently I only have a M235 wireless mouse; it works well, but what about its drivers? Microsoft and Trust sell similar mice, and the choices for a replacement have just reduced.


If you're looking for driverless mice, check out Zowie. They're expensive but have amazing sensors and smooth gliding and you can change the DPI through buttons on the mouse on any OS. The EC2-A is very very comfortable too.


> If you are a Harmony Link user, we will reach out to you between now and March 2018

Am I the only one who's thinking it's a long deadline or does this have some sort of explanation?


March 2018 is when the Links stop working, so it's reasonable that they wouldn't set an earlier deadline with basically zero notice. They're just giving themselves as much time as possible...


From their post it seems like their SSL/TLS certificate is expiring? Seems rather overkill to discontinue an entire product in the first place just because of that.


It looks like they pinned a wonky root cert.



This still feels scummy.

I've long since switched to mechanical keyboards, but run a Logitech mouse. What's everybody like for a non-Logitech mouse when mine dies?


All of my mice are Microsoft branded (I assume they are still manufacturing them). Pretty basic, cheap laser mice, one wired, one USB wireless. Never had any issues with them, and the wireless one is probably going on ten years old now.



What's the context here? I think I missed the first part of this.


Logitech announced that they were going to remotely disable all Harmony Links

https://gizmodo.com/logitech-will-be-intentionally-bricking-...


Logitech is disabling the service required by the Harmony Link, essentially bricking it. This made customers mad. Logitech offered a discount for Harmony Link users to purchase a Harmony Hub. Apparently Logitech also thought it would be a good idea to make "class action lawsuit" display in asterisks as if it was profanity. All this sort of blew up, and became widely known and reported and Logitech had to adjust their response to quell the ongoing PR shit storm.



