All first person view (FPV) goggles (used for drones) produced by the company ORQA have suddenly been bricked due encrypted time-bomb code produced by a subcontractor.
It's funny how many people are insta-blaming SWARG and e.g. asking to see the licensing agreement. And outright calling out the "expired license" concept, as if that's unheard of. It's not uncommon to see time-limited licensing arrangements in software.
At the same time, it's _very_ common for license deals to be signed in a rush without proper consultation.
If this was really a good-faith move and suing would not work somehow, then instead of breaking the product, they could have added a nag screen, or 1 minute delay, or maybe only break new products (so they fail QA). Pretty annoying and would definitely cause the company to do something, while not completely bricking products many people paid money for.
There's really no question as to whether the current outcome is possible under a licensing agreement. This is why random people are asking to see the licensing agreement in question, lol.
Sometimes when there's figurative smoke, there are figurative paragraphs of fire that somebody signed off on in a moment of assumption, excitement, or whatever.
There's a fallacy implicit in your question, which is that anyone can be held responsible for outcomes. The reality is that people are responsible for their actions, not the outcomes of those actions. The confusion here comes from the fact that actions aren't completely divorced from outcomes: you usually take an action because you have a desired outcome in mind. But ultimately, this is at best a percentage game: no matter how much power you give someone they don't completely control outcomes.
What this means is that you can't look at an outcome, such as "a bunch of consumer devices got bricked" and decide who to blame for it. You can only look at people's actions, and each of those people is 100% to blame for their own actions.
In this case ORQA is 100% to blame for shipping 3rd party code which they hadn't audited, possibly licensed under an agreement they didn't follow and maybe didn't even read, and probably not auditing network calls to discover calls home to check the license.
And the contractor is 100% to blame for including bootloader code intended to brick devices, possibly with calls home to check the license, and not communicating effectively the gravity of consequences of not complying with the license, in a manner timely enough to allow ORQA to remediate the problem before it becomes catastrophic.
ORQA is 100% responsible for their actions, and the contractor is 100% responsible for their actions.
I don't particularly care about the licensing agreement. People who write gotchas into licensing agreements and then exercise those gotchas without ample warning are bad people[1]. I want nothing to do with people who make it easy to make mistakes and then jump on the opportunity to take advantage of me when I inevitably trip up.
The flip side of this is that the problem for ORQA goes far deeper than this particular piece of licensed code. It's obvious they can't be trusted to protect the security of their users. This code clearly wasn't audited, not even at a high level, such as seeing what network calls are made--this software has some way to call home to the contractor, since the contractor was able to issue a temporary fix.
[1] There's some nuance here about what a "bad person" is: I'm not talking about some sort of universal morality here, and I believe people can change. This is more about what behaviors I want from the people around me, and what behaviors I think society should reward/punish for the greatest benefit to society.
> and not communicating effectively the gravity of consequences of not complying with the license, in a manner timely enough to allow ORQA to remediate the problem
Whomever came up with the idea, designed and implemented the code to check the date and disable the boot has bricked it.
Sometimes answer is murky: there might be miscommunications or changing requirements or software bugs or evil management.. but in this case the answer is pretty obvious: SWARG came up with the idea, SWARG designed this, SWARG implemented this.
(unless you think ORQA itself came with the idea of beicking their own product.. but I seriously doubt this based on their reaction)
Even without this reply, the licensing agreement probably does not matter. What matters is the work order and the corresponding contract under which the code was produced. For example, if that contract says that all rights to the code must be transferred to ORQA, then SWARG simply had no right to license the code this way.
P.S. I am not a lawyer, but I was involved in dealing with a similar case (a sub-contractor giving out obfuscated code) before, and the "all rights must be transferred" clause was successfully used back then to force giving us the code without any obfuscation.
10 comments
[ 2.9 ms ] story [ 26.5 ms ] threadThe manufacturer is framing this as a ransomware attack, where-as the subcontractor is saying this is due to a time-limited license for their code: https://www.facebook.com/Swarg-Antenski-sustavi-107429465531...
https://www.facebook.com/permalink.php?story_fbid=pfbid02KSr...
It's funny how many people are insta-blaming SWARG and e.g. asking to see the licensing agreement. And outright calling out the "expired license" concept, as if that's unheard of. It's not uncommon to see time-limited licensing arrangements in software.
At the same time, it's _very_ common for license deals to be signed in a rush without proper consultation.
So, I wonder...
If this was really a good-faith move and suing would not work somehow, then instead of breaking the product, they could have added a nag screen, or 1 minute delay, or maybe only break new products (so they fail QA). Pretty annoying and would definitely cause the company to do something, while not completely bricking products many people paid money for.
There's really no question as to whether the current outcome is possible under a licensing agreement. This is why random people are asking to see the licensing agreement in question, lol.
Sometimes when there's figurative smoke, there are figurative paragraphs of fire that somebody signed off on in a moment of assumption, excitement, or whatever.
Warning, philosophy ahead.
There's a fallacy implicit in your question, which is that anyone can be held responsible for outcomes. The reality is that people are responsible for their actions, not the outcomes of those actions. The confusion here comes from the fact that actions aren't completely divorced from outcomes: you usually take an action because you have a desired outcome in mind. But ultimately, this is at best a percentage game: no matter how much power you give someone they don't completely control outcomes.
What this means is that you can't look at an outcome, such as "a bunch of consumer devices got bricked" and decide who to blame for it. You can only look at people's actions, and each of those people is 100% to blame for their own actions.
In this case ORQA is 100% to blame for shipping 3rd party code which they hadn't audited, possibly licensed under an agreement they didn't follow and maybe didn't even read, and probably not auditing network calls to discover calls home to check the license.
And the contractor is 100% to blame for including bootloader code intended to brick devices, possibly with calls home to check the license, and not communicating effectively the gravity of consequences of not complying with the license, in a manner timely enough to allow ORQA to remediate the problem before it becomes catastrophic.
ORQA is 100% responsible for their actions, and the contractor is 100% responsible for their actions.
I don't particularly care about the licensing agreement. People who write gotchas into licensing agreements and then exercise those gotchas without ample warning are bad people[1]. I want nothing to do with people who make it easy to make mistakes and then jump on the opportunity to take advantage of me when I inevitably trip up.
The flip side of this is that the problem for ORQA goes far deeper than this particular piece of licensed code. It's obvious they can't be trusted to protect the security of their users. This code clearly wasn't audited, not even at a high level, such as seeing what network calls are made--this software has some way to call home to the contractor, since the contractor was able to issue a temporary fix.
[1] There's some nuance here about what a "bad person" is: I'm not talking about some sort of universal morality here, and I believe people can change. This is more about what behaviors I want from the people around me, and what behaviors I think society should reward/punish for the greatest benefit to society.
Do you see your own argument's fallacy here?
Sometimes answer is murky: there might be miscommunications or changing requirements or software bugs or evil management.. but in this case the answer is pretty obvious: SWARG came up with the idea, SWARG designed this, SWARG implemented this.
(unless you think ORQA itself came with the idea of beicking their own product.. but I seriously doubt this based on their reaction)
P.S. I am not a lawyer, but I was involved in dealing with a similar case (a sub-contractor giving out obfuscated code) before, and the "all rights must be transferred" clause was successfully used back then to force giving us the code without any obfuscation.
there's no official definition for "bricking" but it used to mean that the device was irrecoverable, at least by end users, thus as useful as a brick.