Forced Obsolescence / Obsolescence by Design

Chatter about forced obsolescence, including but not limited to:

founded 2 years ago
1
 
 

Some cafes have the shitty practice of imposing a captive portal for Internet access. Sometimes they demand personal information, and sometimes the captive portal discriminates against people with older phones.

Currently these cafes have the field “Internet access: customers”. That’s misleading and unjustly described. Some of them should be tagged with “Internet access: only for customers with new phones”. It’s not really fair to say it’s for all customers when they use exclusive technology.

2
 
 

Shitty new captive portals are a new form of enshittification. Captive portals are getting so fancy that they are dysfunctional on old phones. They managed to fuck up the simple task of merely presenting a button that basically says “I agree not to shit on your network”.

It’s really infuriating to be on a bus or train for hours, unable to use Wi-Fi to plan your trip because some jackass dipshit coded a captive portal that assumes everyone is a pushover who continuously buys recent phones, when all they need is to render a fucking button or tickbox.

I am betting that the clueless pricks behind the captive portals have enough incompetence that DNS traffic gets through. But for that to work you must run a server for the purpose of serving AndIodine. So it would be useful if some Tor entry nodes supported DNS traffic.

Captive portals are a form of oppression against people with old phones or non-standard software, esp. those w/out GUI browsers. I believe an anti-obsolescence mission to support people with old phones or non-standard software would be compatible with Tor Project’s principles.

A DNS bridge would be useful in other situations as well, such as where Tor is blocked deliberately. Normal traffic is slow over DNS, so Tor client could treat it as a last resort by attempting DNS after X number of connection failures. It would generally overall increase the availability of Tor access.

3
 
 

I have two Beko washing machines, both of which are trapped in an error state despite all components functioning.

Protectionism puts service manuals out of reach. I happen to have two service manuals that were leaked to me (against Beko’s will). One of the most important pieces of information for repair is clearing the error state (thus the most important info to suppress if you want to prevent repair and force a new purchase).

  • machine 1 (WMD 2625t) service manual: “After entering the failure code observing mode, pressing and holding “Run/ Pause/Cancel” button for a short time will erase the error code from the memory.”
  • machine 2 (WMB 51420) service manual: “Even if a new program has been started, this error code in here will not be cleared; the last error code occurred will always be displayed here. … When a new program is started, the error on the machine is cleared and the error code is no more displayed when Speed and YF1 keys are pressed.”

The machine 2 guide is self contradictory. Can we escape the error state or not? I hold “start” while rotating from OFF to COTTON (the 1st program). It shows error code 18, which means “unbalanced load” (yet there is no load). The service manual implies that programs can run when it’s in an error state, which seems unlikely and bizarre. It refuses to run programs in my case. In any case, there are no functional instructions for clearing the error state in the service manual.

The machine 1 service guide lies. Pressing and holding “Run/Pause/Cancel” while the error code is indicated has no effect. It’s forever stuck on error code 101 (E5), which also seems unlikely because the drain pump is fine (tested by hot-wiring).

Is Beko deliberately concealing the real/effective way to escape error states perhaps on the basis that the service manuals get leaked? Is the secret verbally given to Beko repairers in training instead?

It’s also suspicious that many of the fault flow diagrams lead to “replace controller card”. I really doubt PCBs would go bad in so many situations. Seems like a combination of laziness on the repair procedure to maybe sell more PCBs, which seem to have a high markup and also have an artificially short supply to force whole machine replacement.

I’m mostly confident that I have the right manuals, but it’s a shitshow because for machine 1 (WMD 2625t) there is a RAR file for a hodgepodge of models in the same family. And the svc manual for machine 2 is actually for “B7S B7SLED xxxx d/d”, which is apparently the US version of the WMB 51420.

4
 
 

A Transcend Storejet external HDD has this software:

  • RecoveRx_v2.6.zip
  • RecoveRx_Win_4.3_setup.exe
  • SecureEraseTool_Win_v1.10_setup.exe
  • TranscendElite_Win_v4.28_setup.exe

I am offline, so I went to a public library to fetch the above files. Early in the installation process the piece of shit tries to connect to the Internet and craps out when it discovers there is no Internet connection. WTF?

It’s a nasty trend. I’ve seen other drivers and various hardware support tools pull this shit in recent years.

Is it legal? Seems questionable considering:

  • They use deception. The packaging for the harddrive probably does not have an “Internet required” disclosure, nor would any reasonable buyer expect Internet to be required to use a hard drive. Then they use deception again when you download the tools. I am led to believe I am downloading a “SecureEraseTool” and a “TranscendElite” software package, but in fact these are just proprietary download managers pretending to be tools.
  • (GDPR regions) By forcing you to needlessly access the cloud with their proprietary tool, they collect your IP address and whatever else that download manager collects to share with them. This does not seem compliant with data minimization.

Tech discussion unrelated to the forum topic

Why are those tools needed (you might wonder). The drive is in a shitty state. It’s in a usb3 enclosure and was usb-attached to 3 different machines:

  • linux laptop with usb3 expresscard, attached both with and without supplemental power. The drive spins, LED on the enclosure blinks rapidly, it gets a device handle and /var/log/kern.log shows it was detected okay. Running fdisk on the unmounted drive just hangs for ~10—15′ before timing out. Reattaching and trying to mount it also causes a long ~10—15′ hang before it gives up.
  • win7 on two different machines: spins forever, LED blinking rapidly. Windows never gives up and it never gets recognized or mounted.

So I wanted to first try the official tools to see how they react to the drive. Since they turned out to be a piece of shit, I will probably try next:

  • Remove the drive from the enclosure and attach it directly to a real SATA bus (not one of those shitty SATA-USB adapters and not a SATA-PATA drive bay adapter, even though those would be easier). I will put it on a proper SATA bus because the SMART diag stuff is often crippled when going over a bus adapter of some kind.
  • Run the DOS Ultimate Boot CD, which (IIRC) is still the king of disk diagnostic tools.
  • See what smartctl does.
  • Try zero-filling with dd

⚠ Avoid Transcend products for being anti-consumer

Anyway, the main point of this thread is to expose the shit Transcend pulls by shipping download managers that masquerade as tools. It’s a shitty practice because:

  • The tools are forever dependent on the supplier keeping a host running. Not only to snoop on you but also to do a sneaky form of designed obsolescence. When your drive model is old enough to need the tools, that is when they will pull the plug. You only think you have the software, until it’s game over. You lose autonomy and control over your own product without knowing it.
  • Discriminates against offline people.
  • Discriminates against tech illiterates, who rely on the easy tools and cannot handle tools like dd, smartctl, and UBCD.
  • Assaults right to repair. No right to repair laws are good enough to think of this kind of dark pattern.
  • Obsolescence by design. If you cannot install the tools you need to keep the device running, they are effectively bullying you into buying your way out of the problem.
5
 
 

cross-posted from: https://slrpnk.net/post/19802696

I have an old TomTom. Abandoned by TomTom with no map updates available. They claim the maps are too big for the storage space (apparently they don’t know they could distribute smaller regions to overcome that).

Anyway, I connected the standalone TomTom device to a PC running the old software, which normally syncs points of interest and manages the data. The piece of shit software decided to go to the cloud and discover a lack of map maintenance, and then took the liberty of removing the maps from my device with no replacement maps. The desktop software basically sabotaged the device.

So I reinstalled the original factory desktop software from CD and kept it air gapped -- with an expectation to at least install the original factory maps. The software refused to run until it could check for updates. Would not move forward. Once I let it connect, TomTom had taken their server offline. So I’m dead in the water.. no way forward and no way backward.

Regarding lifetime updates: IIRC TomTom and Garmin both advertise free map updates for a “lifetime” on their not-so-old devices. Don’t be fooled.. it’s not your lifetime they are talking about, but something they have defined as like 10 years or something. Read the fine print.

6
 
 

cross-posted from: https://slrpnk.net/post/19802629

Smartphones are a shit-show so I bought some old Sony Ericsson feature phones from a flea market, expecting Gammu¹ to work as reported. It worked on one phone but not others (despite all of them reportedly working with Gammu).

Some msgs arrived and got trapped on the phone, which happened to have a dysfunctional screen. And gammu failed to access the phone (though it works on some phones). So I needed to run Sony’s proprietary garbage (“PC Companion”) on a Windows machine to get the msgs.

Sony’s PC Companion is designed to phone-home. The software launches but immediately goes to the cloud to check for updates so it can update itself. So obviously offline people are inherently fucked -- they can never sync their desktop and phone without the cloud.

But worse: Sony has taken down their server. Thus rendering all Sony phone syncing software installations useless. This thread is to document the big “Fuck you” from Sony to their customers.

¹ Gammu is free software that syncs to old feature phones. You can send and receive SMS using the commandline this way.

7
8
 
 

cross-posted from: https://slrpnk.net/post/14841773

Hardware far outlasts software in the smartphone world, due to aggressive chronic designed obsolescence by market abusing monopolies. So I will never buy a new smartphone - don’t want to feed those scumbags. I am however willing to buy used smartphones on the 2nd-hand market if they can be liberated. Of course it’s still only marginally BifL even if you don’t have demanding needs.

Has anyone gone down this path? My temptation is to find a phone that is simultaneously supported by 2 or 3 different FOSS OS projects. So if it falls out of maintenance on one platform it’s not the end. The Postmarket OS (pmOS) page has a full list and a short list. The short list apparently covers devices that are actively maintained and up to date, which are also listed here. Then phones on that shortlist can be cross-referenced with the LineageOS list or the Sailfish list.

So many FOSS phone platforms seem to come and go I’ve not kept up on it. What others are worth considering? It looks like the Replicant device list hasn’t changed much.

9
 
 

Component obsolescence management is a newer discipline, requiring a strategic approach that identifies which parts of every product may become obsolete. And it involves continual monitoring of the availability of key components.

10
11
12
13
 
 

cross-posted from: https://infosec.pub/post/11021006

The red padlock (at a cafe)


The captive portal of a cafe simply rendered a red padlock with a line through it. Essentially, it was apparently telling me I am being denied access arbitrarily without using any words. There was no other screen before that. Immediately after wifi handshaking Android’s built-in captive portal detection app just went straight to a padlock. I have never been in that cafe in my life and never use my device maliciously.

Showed the screen to the staff who said “works for me on my phone”, who then noticed the airplane on my status bar and said “oh, you got the little airplane, that’s the problem”. Shit; so then I had to explain that wi-fi works in airplane mode. It was just a distraction for them. I couldn’t really convince them that the problem isn’t anything I’m doing wrong. There is no tech support for this situation -- like pretty much all captive portal scenarios. Being the customer of the customer is a very weak position to be in when the direct customer doesn’t really give a shit if it works or not.

So, has anyone seen this kind of behavior? I run into shitty broken captive portals often enough that I guess I really need to get a better understanding of them, and ways to bypass them.

TLS-encumbered captive portal (transit service)


A transit service offered wi-fi but the network forcibly redirected me to a captive portal that triggers this error:

net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH

I tried a couple browsers and tried rewriting the https:// scheme as http:// but SSL redirect was forced consistently. The error apparently implies my phone’s browser can’t do TLS 1.3.

It seems like a shitty move for a transit service to require passengers to use TLS 1.3 just to tick a fucking box that says “I agree” (to the terms no one reads anyway). Couple questions:

  • I’m generally in the /protect everything by default/ school of thought. But I cannot get my head around why a captive portal where people just tap “I agree” would warrant disclosure protection that could hinder availability. In reality, I don’t really know what the captive portal at hand requests.. maybe it demands people’s phone# or email, in which case it might make sense (though I would object to them collecting that info in a GDPR region in the 1st place).

  • Is there a good reason for a captive portal to require TLS 1.3? It seems either the network provider does not trust their own network, or they’re simply incompetent (assumes everyone runs the latest phones). But if I’m missing something I would like to understand it.

I still have to investigate what limitation my browser has and whether I can update this whilst being trapped on an unrooted Android 5.

Bypass methods


I guess I need to study:

  • ICMP tunnel (slow, but IIUC it’s the least commonly blocked)
  • SSH tunnel
  • others?

Are there any decent FOSS tools that implement the client side of tunnels without needing root? I have openvpn but have not tested to see if that can circumvent captive portals. I’ve only found:

  • MultiVNC - VNC over SSH
  • AVNC - VNC over SSH
  • ConnectBot - Can all traffic be routed over this SSH tunnel, or just a shell session?
  • VX ConnectBot - same as connectBot but expanded

I’m curious if the VNC clients would work but at the same time I’m not keen to bring in the complexity of then having to find a VNC server. Running my own server at home is not an option.

My to-do list of things to tinker with so far:

Legal options


If a supplier advertises Wi-Fi but then they render it dysfunctional by imposing arbitrary tech requirements after consumers have already bought the product/service it was included with (coffee, train/bus/plane fare, etc), then they neglect to support it, doesn’t that constitute false advertising? Guess this is out of scope for the community but I might be ½ tempted to file false advertising claims with consumer protection agencies in some cases.

And when a captive portal demands email or phone number, it would seem to be a GDPR violation. Some public libraries make wi-fi access conditional on sharing a mobile phone number which then entails an SMS verification loop.

14
 
 

The linked article states:

“You always have the right to a minimum 2-year guarantee if the digital content or service turns out to be faulty, not as advertised or not working as expected.”

IIUC, this means if a service is paired with software, and the API + software employs #forcedObsolescence mid-contract, they must fix or refund. Thus two example scenarios come to mind:

  • If you were to pay ProtonVPN for premium service in the year leading up to June 2021 and you ran AOS 5, you would have lost service after less than an annual subscription period. ProtonVPN would have to remedy it under EU law.
  • If your bank charges annual fees and they push a forced upgrade at any time that obsoletes your platform (so you cannot use the forced upgrade), the bank might be in violation of this EU consumer protection law.
15
 
 

Wire version 3.38.826 is apparently the last version to target Android 5. The app executes but users get a stupidly written block message:

“Important update Please install the latest version of Wire. [Download]”

Yet a piece of the app continues to function: messages that arrive are still decrypted and sent to the notifications panel. But users are only allowed to see as many words as will fit in the width of the screen.

There’s a lot of incompetence and embarrassment here:

  • Quite early obsolescence: AOS 5 users were sabotaged around 2019. (so AOS 5 dropped probably ~7-8 years after it was introduced)
  • Security nannying. Only the user or user’s admin has knowledge of the use case and threat model. Wire cannot possibly know this. Yet they take the liberty of nannying and misplacing power.
  • If there really is a serious security vuln that calls for such drastic measures as forcing people to throw away their hardware and buy a new phone, then why is it ok to process messages for the notification panel?
  • The block screen does not bother to check the AOS version, so it offers users a false option that can only lead to defeat.
  • #Wireapp can normally be fetched directly from wire.com so deGoogled users can reach it. But the block screen tries to force users into Google Playstore, which means the update mechanism is broken for deGoogled users.
  • The app was never in an F-Droid repo, so apparently there is no archive of old versions.

Going forward:

  • It’s FOSS, so if the API did not change then perhaps version 3.38.826 can be hacked to remove the offending code or even just give a fake user-agent string to the server.

  • Software Conservatory should perhaps be tipped off that Wireapp should be archived. And ideally binaries too although I don’t suppose that’s in the normal scope of their role.

16
 
 

cross-posted from: https://slrpnk.net/post/8092448

ProtonVPN did an API bump in this version: Version 2.7.56.1 (2021-06-18) which left everyone with an Android version older than AOS 6 in the dust. So I went to the archives and grabbed the version just before that one. Ran it for the first time, configuration wizard had no issues but as soon as I tried to reach out to the server it refused to stand up a tunnel saying my version was too old. Not only did they leave permacomputing folks behind for sustaining their still-quite-functional devices, but they proactively sabotaged us from the server side.

AFAIK they made no excuses for the API bump. The usual excuse is “for security reasons”... yeah.. bullshit. Anyway, here’s the workaround:

The absolute latest openvpn app still supports AOS 5 (somewhat suggesting there is no compelling security reason to force AOS 5 users to throw away their devices). Or if you have AOS 4 you can take the openvpn version from 2 years ago. ProtonVPN distributes openvpn config profiles and the openVPN app can simply import those.

Also worth noting that F-Droid warns of anti-features on the ProtonVPN app but OpenVPN is free of anti-features. That said, I got an authentication error, but I doubt that’s related to this procedure.

update


ProtonVPN is possibly breaking EU law. If someone subscribed to service less than two years before the forced obsolescence, ProtonVPN is obligated to continue service as long as necessary to serve the consumer for 2 years.