
The ColorHug adds a remote disable "feature"


By Jake Edge
January 11, 2012

The ColorHug is an open hardware and software colorimeter that can be used to calibrate monitor screens for color matching purposes. It is the brainchild of GNOME and Red Hat hacker Richard Hughes, who has put in a rather large investment of time and money to get the project off the ground. It was announced back in November and the first 50 units have rolled off the "assembly line", but Hughes is concerned that fraudsters may cause him to lose money by claiming they didn't receive ColorHugs that he shipped. To combat that, he turned to a technique that many may find surprising: the capability to remotely disable ColorHugs that were reported lost in shipping.

According to Hughes, it was his bank manager that alerted him to the problem of people who order things over the internet and then fraudulently claim that they never received them. Due to a UK "distance selling" law from 2000, Hughes's company is on the hook to refund the £48 selling price even if it has reason to believe that the device actually was delivered. Given that he is funding the company out of his own pocket (and sweat), Hughes wanted some way to deter would-be fraudsters.

What he came up with is a way to remotely disable ColorHugs. If the user runs the GUI firmware update application, it will send the serial number of the ColorHug to a server, which will check it against a blacklist of serial numbers for ColorHugs that were reported lost. If the serial number is on that list, no firmware update will be provided and the ColorHug device will be disabled by setting a flag in the firmware; it will become a free brick, rather than the free colorimeter the scammer thought they were getting.

One might guess that the number of scammers interested in free colorimeters is low, and Hughes essentially agrees, noting that he will likely never use the feature. But he does believe it will act as a deterrent that protects him. The bank painted a fairly stark picture that clearly has him worried:

> I was advised by my bank manager that a lot of small businesses without large profit margins do not understand how many people try the "it didn't arrive" trick, and how many small businesses fail because of this (he quoted numbers like 80% of business failing in the first 3 years, and much higher than that for new remote sales businesses). I'm not running a traditional business to make loads of money, but I can't afford to work for free, and lose money on missing stock.

But, the existence of a remote kill switch—even in the hands of a longtime free software developer who can be trusted not to abuse it—makes some people uncomfortable. It's also unclear that it actually serves as much of a deterrent. It is fairly simple to avoid using the GUI tool, get a copy of the updated firmware from somewhere (like the ColorHug download page), and use the command-line tools to update the firmware. Even a "bricked" ColorHug can be restored by flashing a new bootloader (something any "moderately clever geek" could do, Hughes said). One could also set the serial number to a non-blacklisted value (unlike many other blacklists, the ColorHug blacklist is available for inspection).

One of the obvious choices that would seem to avoid the entire problem is to require ColorHug purchasers to pay for some form of tracked shipping (e.g. FedEx, UPS, or DHL), though even that may be insufficient. There are, evidently, folks out there who will sign for a package using someone else's name then claim the package never arrived. In addition, tracked shipping from Hughes's UK location to other countries can be expensive, on the order of £8-9, which represents a 20% surcharge on the device. It also means that all of the honest customers (presumably the overwhelmingly vast majority) have to pay more to protect against the unscrupulous minority.

For those reasons, Hughes added the remote disable. When he mentioned it on the ColorHug Google+ page, reactions were mixed, which seemed to take Hughes somewhat by surprise. Simo Sorce said "Remote deactivation is a really nasty feature, but beyond that is going to be a major headache to maintain." Kay Sievers was even more blunt:

> Oh, I thought all that was about calibrating a monitor, and not trying to establish a dictatorship.
>
> Maybe you should just get a few beers and rethink what you are trying to accomplish.

Others were more understanding. Paweł T. Jochym points out that Hughes is the one with something to lose: "He is working in real world and had to invest his own coin. The risk is his not yours." The deterrence rests on the understanding that the device will be disabled if it is "lost" in the mail, in much the same way that anti-theft signs at houses work, John Tamplin said. He continued with some ideas for more active tracking, but did note the negatives:

> If instead you had some way of "phoning home", you could find who has the "stolen" device and contact them, telling them to give you your money back or you will file charges (which will likely be successful). The downside is it requires net connectivity which may be inconvenient for some uses, and privacy concerns about phoning home.

Phoning home is not going to be a very popular feature with privacy-conscious users, as Tamplin notes. One might also guess that scammers who actually want to use the device will find ways around the "feature".

There is a real question whether the deterrence will truly be effective. It's not at all clear that casual scammers will even notice the disablement feature; anyone who truly wants a free colorimeter is likely to have the minimal technical skills required to circumvent the problem. In the final analysis, colorimeters are not likely to be ultra-popular much-sought-after devices—we aren't talking about music players, tablets, or phone handsets after all—the resale market will be vanishingly small, so what's the business model for the scammer?

There is also the logistical overhead of tracking serial numbers, ensuring that only the right one(s) get on the blacklist, and so on. The remote disable is not completely risk-free either, and could lead to unhappy customers if something goes awry. Overall, it seems like a very large hammer for a fairly small problem. But, as Jochym noted, it is Hughes's money that is at risk, thus it is his decision to make.

Things like remote disable are generally considered to be "anti-features" that proprietary companies bake into their products, so it's not surprising that some open source proponents would find it to be less-than-welcome on an otherwise open device. But, since the schematics and code are available, someone suitably motivated could create different firmware without remote disable and/or build their own ColorHugs and even market those. Given that Hughes doesn't seem to have a huge profit motive behind this effort, he might just welcome someone else taking on the burden.

Plenty of other devices are sent from the UK without a remote disable feature; many are likely to be in more popular device categories where fraud is a bigger problem than it is in the colorimeter realm. Presumably, those companies are pricing their products with this fraud factor in mind, but Hughes is reluctant to do so because it puts the device "out of the reach of many students" and may push others toward the proprietary colorimeters due to the price.

While it may be tempting to take Hughes to task over this (and some are), it is hard to argue that he should take risks he is unwilling to take—even if those risks seem fairly minuscule from the outside. Those who would like a colorimeter, but are unhappy with remote disable, can either hack the firmware or the GUI tool—or decide not to buy one. The ColorHug itself looks like a very nice piece of hardware that fills a hole for free desktops that the proprietary alternatives can't. We plan to review it once we can get our hands on one—the first 50 flew off the "shelves" before we could do so. Given the overall openness of the device, and the ability to hack around the remote disable "problem" in various ways, it is really more of an annoyance than anything else—though one that many would argue could and should have been avoided.



The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 4:07 UTC (Thu) by jackb (guest, #41909) [Link]

Perhaps it would be more fruitful to employ technological solutions around the method of payment to reduce this kind of risk.

Someone should invent a protocol for a distributed cryptographic payment system that was cash-line to eliminate chargeback risk and that supported N-of-M authorizations so that escrow services could be established to protect both buyers and sellers.

It's too bad that something like that doesn't exist yet.

The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 4:56 UTC (Thu) by dlang (subscriber, #313) [Link]

I don't understand how such a process that you are describing when the issue is that the buyer is claiming that they did not get something the seller shipped.

at that point someone is going to lose out.

either the buyer loses his money with no product

the seller replaces the product and loses the cost of the product (plus shipping)

the seller refunds the purchase price and still loses the cost of the product (plus shipping)

If the product really did not arrive, one of the latter two is the correct answer, and due to abuse by businesses, the law where he lives is explicitly biased in favor of the buyer as a result.

how would any technological solution around a payment method change this?

The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 5:05 UTC (Thu) by jackb (guest, #41909) [Link]

I don't know all the details of the law but from what information I can find the risk to a seller comes from the credit/debit card chargebacks. If a method of payment were used that did not involve the banking system or credit card companies then someone who wanted to run the scam would need to involve the court system in some way which would presumably require some amount of evidence (although this may be giving the legal system too much credit).

The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 9:27 UTC (Thu) by anselm (subscriber, #2796) [Link]

> someone who wanted to run the scam would need to involve the court system in some way which would presumably require some amount of evidence

OK, what evidence does somebody (honest customer or scammer) provide to prove they didn't get the package?

The ColorHug adds a remote disable "feature"

Posted Jan 19, 2012 16:11 UTC (Thu) by farnz (subscriber, #17727) [Link]

The scam is fairly simple; The Consumer Protection (Distance Selling) Regulations 2000 say that the consumer has the right to cancel up to 7 days after they receive the goods. If they cancel, they must return the goods undamaged except in as far as damage is needed to inspect the goods. So, the scumbag tells the supplier that the goods have not arrived yet, and that they're cancelling the contract. The supplier must refund - they have no other legal options.

The courts aren't a deterrent to such a scumbag; they simply state that they're exercising their rights under regulation 10 of the DSRs, and that the goods have not yet arrived. This is a civil matter, so the supplier now has to demonstrate, on the balance of probabilities, that the scumbag is lying.

The ColorHug adds a remote disable "feature"

Posted Jan 14, 2012 1:35 UTC (Sat) by IkeTo (subscriber, #2122) [Link]

How about: the product sent includes a hard-coded challenge-response system to prove that the one performing initialization of the device holds a private key, which is not sent together with the product. Without performing the initialization the product won't work. Before getting the key, it is fully paid, but can be claimed to not arrive. To get the key sent, the owner must send to the company the serial number, which at the same time acknowledges that he does receive the product (otherwise he would not be able to send the serial number). Once the key is sent the product can only be refunded with the return of the product using registered mail.

Improve snailmail protocol instead

Posted Jan 12, 2012 5:37 UTC (Thu) by eru (subscriber, #2753) [Link]

Within my country, it is possible to mail a package so that to receive it, the recipient must pay the price at his post office, who will then forward the money to the sender. So no payment, no package. This counters fraud very effectively (naturally this costs more than a normal delivery, but not excessively so). I guess this does not work internationally, it would be ideal if it did.

Improve snailmail protocol instead

Posted Jan 12, 2012 5:49 UTC (Thu) by dlang (subscriber, #313) [Link]

you and jackb are both forgetting the low cost of the device,
at 48 pounds cost, adding 8-9 pounds for a delivery option is a 20% surcharge to the price of the purchase (as is noted in the article about the option for delivery notification)

Improve snailmail protocol instead

Posted Jan 12, 2012 8:11 UTC (Thu) by eru (subscriber, #2753) [Link]

Yes, 8-9 pounds is obviously excessive. The domestic COD service I mentioned adds just 3.80 € (about 3 pounds) to the cost, which usually is tolerable. Fedex quotes 9$ for COD within the U.S., I could not find what the international rate is, even if it exists. Surprising. One would expect an affordable COD system would be a moneymaker for them (just how much does one electronic money transfer actually cost? Probably pennies).

Distance Selling Regulations / FunCubeDongle

Posted Jan 12, 2012 8:34 UTC (Thu) by sladen (subscriber, #27402) [Link]

Neither of these address the issue that Richard has highlighted, which is the DSR:

Here, the buyer (scammer) has paid for the device—otherwise Richard would not have posted it—but the buyer (scammer) is then requesting a no-quibble refund after being sure they've got it in their hands.

It would probably be interesting to get in contact with Howard Long G6LVB, the Brit behind the USB FunCubeDongle software defined radio (100 GBP + postage), who is presumably in a similar situation of selling to a worldwide niche geek audience, distributing from the UK and doing so as a hobby:

Distance Selling Regulations / FunCubeDongle

Posted Jan 12, 2012 9:18 UTC (Thu) by epa (subscriber, #39769) [Link]

Cash on delivery would address the issue here. You don't pay until you receive the item. There is no possibility to claim that you have paid money but it didn't turn up.

As far as I can tell from the Wikipedia article, the law doesn't give the right to a "no-quibble refund" simply because you changed your mind - not for purchase of a physical item. Even if there is such a right, it's certainly not the case that the seller is obliged to give your money back while allowing you to keep the item.

Distance Selling Regulations / FunCubeDongle

Posted Jan 12, 2012 9:37 UTC (Thu) by grantingram (guest, #18390) [Link]

Actually you do have an explicit right to return the goods for any reason after delivery - that is one of the key points of the legislation. Though there are exceptions for example if you order custom built parts.

This was put in place in response to a number of scams (like sending you stuff that you didn't order and demanding payment) and it encourages people to order online as they have some confidence about their ability to return goods.

This is the first time that I've heard of this issue being a problem in the UK. I'm not sure that the failure rate of new businesses is down to the distance selling regulations - it seems more likely just be an infant mortality of new ideas....

Distance Selling Regulations / FunCubeDongle

Posted Jan 16, 2012 20:27 UTC (Mon) by smoogen (subscriber, #97) [Link]

Actually the cash on delivery has a bug in it. A person pays for it, and then claims they weren't the one who paid for it. Or the mailman/fedex man pocketed the money and then went through various layers of bureaucracy for it to be found that it had been pocketed. Then there was the transmittal of the money via the delivery agency back to you. That might be once a month or more which meant the business man had to pay up front for the device and its replacement stock AND then wait for the money to be transmitted to them if it did at all.

While the problem may occur in only <10% of cases of COD, the costs involved in tracking those cases made it much more expensive than dealing with banks or credit cards. Plus you can get various levels of "insurance" via credit card purchases you couldn't via COD.

Improve snailmail protocol instead

Posted Jan 12, 2012 10:12 UTC (Thu) by gidoca (subscriber, #62438) [Link]

In /my/ country this adds a surcharge of CHF 18 (about $20) to the shipping, so it really isn't feasible, even if it does work internationally.

The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 16:28 UTC (Thu) by nybble41 (subscriber, #55106) [Link]

> Someone should invent a protocol for a distributed cryptographic payment system that was cash-line [cash-like?] to eliminate chargeback risk and that supported N-of-M authorizations so that escrow services could be established to protect both buyers and sellers.

> It's too bad that something like that doesn't exist yet.

Perhaps you were being sarcastic with that last line, but this is one of the things that Bitcoin was specifically designed to support. The client does have an interface for N-of-M authorizations yet, but the transaction protocol does support it, and you don't have to use the official client to generate transactions. See Example Two at <https://en.bitcoin.it/wiki/Contracts> for details on Bitcoin escrow transactions.

The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 6:57 UTC (Thu) by tjasper (subscriber, #4310) [Link]

What about offering a chargeable download which provides software without the remote disable. That way, once the product is in the hands of the correct purchaser, checked via registration etc at an online facility, can purchase revised software which eliminates this "anti-feature"?

If that was clear in the original purchase agreement, then I for one would be happy for that.

The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 7:42 UTC (Thu) by epa (subscriber, #39769) [Link]

Or indeed the device could be shipped without firmware, which becomes available (as a download locked to a particular serial number) once you've confirmed that you received the device. Again not bulletproof since a competent programmer can reverse engineer the firmware from another ColorHug device, but likely to be enough.

The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 9:09 UTC (Thu) by michaeljt (subscriber, #39183) [Link]

> Or indeed the device could be shipped without firmware, which becomes available (as a download locked to a particular serial number) once you've confirmed that you received the device.

Or require the device to be enabled. The device comes with some alternative one-time locked firmware, and you have to confirm reception to get the key. Devices shipped with a postal service that confirms reception could be sent unlocked, so that people get to choose between paying a little more or taking a little initial inconvenience.

The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 17:12 UTC (Thu) by dashesy (guest, #74652) [Link]

This sounds an interesting idea! borrowing from the idea of locked and signed kernel but actually giving customers the real ownership. On the other hand, I believe any remote-control feature is only a counter marketing for the average Joe user, a likely non-geek photographer or hobbyist.

Just name it "security feature"...

Posted Jan 12, 2012 17:42 UTC (Thu) by khim (subscriber, #9252) [Link]

Well, credit cards are handled like that and Joe user knows how to use them, so...

Note: to make ColorHug less attractive for thieves it's shipped in factory disabled form. It must be activated before use (link will be provided in confirmation letter). This process is similar to activation of credit card, but fully automatic (no need to call the bank representative and discuss details of your family life). Activation process also ensures that your device is new and was not used by anyone before.

Just name it "security feature"...

Posted Jan 12, 2012 18:04 UTC (Thu) by dashesy (guest, #74652) [Link]

I am actually agreeing with the idea, I think remote-enable (with or without involvement of internet) is a much better idea than remote-disable. If a device is locked with no (or limited?) functionality, and I can enter per-unit generated S/N by hand (got by email or phone) or do verification over internet or phone and become white-listed to do an update, I for one will purchase it. But knowing that my device can talk to the manufacturer behind my back, and disclose anything (even if S/N) I will never run the GUI. Maybe I am paranoid, but it is similar to the Windows Genuine Advantage at best, which is a privacy concern. I trust open source better on this but argument is the same.

The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 18:31 UTC (Thu) by bronson (subscriber, #4806) [Link]

> The device comes with some alternative one-time locked firmware, and you have to confirm reception to get the key.

Interesting idea, sounds workable. I wonder about licensing... Presumably that initial firmware must not contain any GPLv3 components?

The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 19:52 UTC (Thu) by michaeljt (subscriber, #39183) [Link]

> Presumably that initial firmware must not contain any GPLv3 components?

From "A Quick Guide to GPLv3"[1]:

"Distributors are still allowed to use cryptographic keys for any purpose, and they'll only be required to disclose a key if you need it to modify GPLed software on the device they gave you."

So presumably if the person denies receiving the device and demands a refund, giving up their right to it, then the GPLv3 doesn't require you to give them the key?

[1] http://www.gnu.org/licenses/quick-guide-gplv3.html

Perhaps use Bitcoins?

Posted Jan 12, 2012 10:11 UTC (Thu) by job (guest, #670) [Link]

May I suggest the option of using Bitcoins to pay? It's free software, fast enough for mail order, and very low fees. There is also no one to turn to for getting your money back but the seller or the police, which may be a feature or a misfeature depending on which your side of the transaction is.

Perhaps use Bitcoins?

Posted Jan 12, 2012 10:29 UTC (Thu) by fb (subscriber, #53265) [Link]

> May I suggest the option of using Bitcoins to pay?

Great idea! Start a business but make sure to make it cumbersome for almost any prospective customer to buy from you!

I just placed a pre-order on ColorHug, and I can assure you that I would never have ordered it, had it demanded me to set up yet-another-payment-system.

> It's free software, fast enough for mail order, and very low fees. There is also no one to turn to for getting your money back but the seller or the police, which may be a feature or a misfeature depending on which your side of the transaction is.

What advantage does that offer against credit-cards? The "free software" or the part where I don't have insurance on what I buy?

Perhaps use Bitcoins?

Posted Jan 12, 2012 18:35 UTC (Thu) by bronson (subscriber, #4806) [Link]

Also, attach your business success to the most volatile currency this side of the Zimbabwean Dollar?

Perhaps use Bitcoins?

Posted Jan 13, 2012 14:26 UTC (Fri) by job (guest, #670) [Link]

That's "option", not "requirement".

I can likewise assure you that given the option I find it an easy way to pay.

The volatility is a larger problem but you don't hold on to it long if you tend a mail order business. In the UK there are companies that help you with that part and you just get the money in bulk.

The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 10:19 UTC (Thu) by etienne (guest, #25256) [Link]

I was thinking it was against the law to sell a device with a "remote disable feature" in France, but I do not really know - IANAL...
It was about a company turning off remotely a software for non payment of software rent or maintenance, long time ago.

The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 11:34 UTC (Thu) by leonov (guest, #6295) [Link]

My biggest business mistakes have always come down to trying to solve problems before I had them -- it's the 'premature optimism' of the business world, and is exactly what Richard Hughes has done here.

The cost of this blacklist has been technical effort, community good will, and actual dollars in lost sales (at least one). The benefit has been... well, nothing. It's possible that the move might result in a lower rate of fraud, but as there is no baseline, measurement is impossible. It's Tiger Repellent.

Richard, your bank manager gave you bad business advice. (People with no experience running their own business often do, especially when they're trying to impress.) Focus your efforts instead on making the ColorHug as accurate and user-friendly as you can. Keep it open, but charge a little more -- enough to keep you interested long-term and protect your wallet when losses do happen. Read about, then try to talk to folks who make their living selling Open Source Hardware. Mitch Altman of TV-B-Gone fame and Limor Fried ('Lady Ada') spring to mind. Both are approachable and run very successful businesses.

Distance selling

Posted Jan 12, 2012 13:03 UTC (Thu) by tialaramex (subscriber, #21167) [Link]

Someone in the EU (this is the UK implementation of an EU directive, so there will be equivalent law in other EU countries, now or later) will have collected data about shrinkage from DSR (I'm not sure if shrinkage is the term the direct selling industry would use, but the analogy to "shrinkage" in retail makes sense) and if anyone finds a summary that might help put minds at ease over this.

My guess, and it is only a guess, is that shrinkage is minimal for products like ColorHug, which are of interest to a limited audience most of whom can easily afford the price; and which are shipped to the customer's address more or less immediately, not after a long wait. The latter parameter matters because mis-deliveries are frequently a result of the customer forgetting to update their address details. Technically the DSR doesn't require you to eat this cost, but it's a lot of hassle to prove what really happened, so most companies will.

If a lot of these little projects got together (more than I suspect exist) you could collect some primitive risk data, by tracking the postcodes of addresses at which delivery supposedly failed, and eventually rejecting orders to addresses in those postcode areas, or insisting on higher-cost assured delivery service. But as I said, there probably aren't enough of these projects to get statistically sound results.

Distance selling

Posted Jan 12, 2012 13:12 UTC (Thu) by boudewijn (subscriber, #14185) [Link]

Maybe a case in point... For the Comics with Krita DVD we had about eighty orders and not a single complaint about non-delivery, even though there was a big timegap between pre-ordering and sending them out.

The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 17:06 UTC (Thu) by rillian (subscriber, #11344) [Link]

The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 14:38 UTC (Thu) by gioele (subscriber, #61675) [Link]

FSF has put up a Defective by design campaign against Nintendo [1] because they can, among other things, remotely brick your 3DS console. Is this all that much different from the ColorHug situation?

Actually, my biggest complaint is that the whole project started under a different light and ethos: open board, GPL firmware, etc. Openness is what we ordered, not a colorimeter: those who _need_ one already have a proprietary one, all others ordered it just to support a nice open project.

[1] http://www.defectivebydesign.org/nintendo

The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 14:45 UTC (Thu) by lkundrak (subscriber, #43452) [Link]

As far as I understand, this does not make the project closed. You still have the source to the firmware and can replace it with one without remote disable anytime you want.

This measure really only targets ones who are stupid AND bad at the same time.

The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 15:08 UTC (Thu) by hughsient (guest, #52199) [Link]

>those who _need_ one already have a proprietary one, all others ordered it just to support a nice open project.

That's a good point, and I am reading all these comments with open ears and an open mind. If all of the first 100 orders reach their destinations then perhaps then I can chill out a little and remove the anti-feature completely.

I think if this was an actual business with a business loan (the bank ran a mile when I mentioned I was giving the code away for "free" and had no patent protection) then I could afford to be a bit more cavalier with this kind of "shrinkage". But, as it's my hobby, funded with my own hard-earned cash and giving my own leisure time for free, I felt it was prudent to include some kind of safeguard.

Whether this was a mistake or not remains to be seen, but so far *today* I've had over 50 extra orders, and exactly one person has cancelled their preorder because they disagreed with the remote disable feature.

Richard Hughes.

The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 19:02 UTC (Thu) by RobSeace (subscriber, #4435) [Link]

> I think if this was an actual business with a business loan (the bank ran
> a mile when I mentioned I was giving the code away for "free" and had no
> patent protection) then I could afford to be a bit more cavalier with this
> kind of "shrinkage". But, as it's my hobby, funded with my own hard-earned
> cash and giving my own leisure time for free, I felt it was prudent to
> include some kind of safeguard.

But, what is it really "safeguarding"? Say someone does claim to never receive a device and you have to make use of the feature... You still either need to refund the buyer's money or send out a replacement unit... All you've done is bricked your original device, but not recovered it or your money for it... And, as has been said, anyone clever enough can just un-brick it and go on, anyway... So, I'm failing to see how the idea helps you at all... Presumably, you're counting on it deterring people that otherwise would have from pulling the stunt in the first place, since they know it's there? I think that's just completely misunderstanding the criminal mind, right there... It's the same thinking that leads companies to use DRM on their software/music/movies... Does that deter people from pirating them? No, if anything, it ENCOURAGES them to do so! It provides a challenge to crack them, and provides a certain cover of legitimacy of "fighting back against the man" in doing so... To pirate completely DRM-free stuff sold for a fair price, you have to basically be an unrepentant sociopath or feel horribly guilty... But, to pirate DRM-infested stuff, you can feel like a hero fighting against evil! So, I just hope your little scheme here doesn't backfire and cause people to now try to scam you simply because they see you challenging them to do so and get away with it... *shrug*

The ColorHug adds a remote disable "feature"

Posted Jan 13, 2012 0:12 UTC (Fri) by PaulWay (subscriber, #45600) [Link]

> (the bank ran a mile when I mentioned I was giving the code away for "free" and had no patent protection)

I think the problem is right there. There's a number of conflations in what the bank has said - possibly because they've been left behind in the editing process. For example: do most small businesses fail in three years because they have lots of customer fraud, or is it because most of them are selling chocolate teapots? Maybe most of them just don't understand that it's difficult to lock up intellectual property - which is why saying "we're not going to try" makes so much sense. Maybe they just weren't very good businesses.

I support you having this anti-feature as a way of saying "please don't bother trying to rip us off". Your prices and openness do that more, in my opinion.

Have fun,

Paul

The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 18:30 UTC (Thu) by prokoudine (guest, #41788) [Link]

Do we even care about FSF? :)

The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 23:07 UTC (Thu) by andreasb (subscriber, #80258) [Link]

> Openness is what we ordered, not a colorimeter: those who _need_ one already have a proprietary one, all others ordered it just to support a nice open project.

Forget needing one. If someone *wants* a colorimeter without paying for it, why would they choose the cheap hobbyist's project instead of the cool expensive one for their fraudulent order? It's not as if they pay for the difference if they succeed.

why not remote enable?

Posted Jan 12, 2012 15:45 UTC (Thu) by NRArnot (subscriber, #3033) [Link]

Ship the device with a non-free bootloader. When the order is placed supply the person doing the ordering with a token. The token must be used by the purchaser to confirm delivery, and the device won't work until delivery has been confirmed (and payment received, if not paid in advance).

If all goes well the purchaser confirms delivery and the delivered device's serial number is OK'ed for re-loading. It goes online, sends its serial number, and is then able to download the code to re-flash itself to contain a freeware boot loader that can in turn load the free software it runs. This is a one-shot. There is no remote disable once it has been remotely enabled.

If the device is not delivered it is never authorised to re-flash itself so it forever remains a brick.

My credit card is delivered in a similar manner. It turns up in the post as a "brick". I have to phone the bank and authorize myself to confirm delivery, they then enable the card. If it's intercepted in the post, it's useless.

This is an interesting separate project...

Posted Jan 12, 2012 16:58 UTC (Thu) by khim (subscriber, #9252) [Link]

Actually it can be an interesting alternative to secure boot. The loader itself can even be free, too - just the key will be secret. The device will be shipped in a locked state and when you receive it you must activate it using a web form (which will send pre-signed firmware for your particular unit), but you can also add your own key while doing this. You can even remove the factory key and then only firmware signed by you will be accepted. Nice security feature and delivery protection at the same time.

P.S. The mode where the factory key is removed should not be the default because people tend to forget about such things - this is only for paranoid ones who know what they are doing.

why not remote enable?

Posted Jan 12, 2012 17:03 UTC (Thu) by rillian (subscriber, #11344) [Link]

How is remote-enable better than remote-disable?

Remote-enable can be a one-time thing.

Posted Jan 12, 2012 17:34 UTC (Thu) by khim (subscriber, #9252) [Link]

It's easy to design a system which makes it impossible to enable something without a key but allows you to do anything with the device once it's enabled. Basically, with a remote disable switch you can never claim ownership over the device because "someone out there" can disable it. With remote enable you cannot claim that your device is owned by you till you activate it (and signal that yes, you've successfully received it), but afterwards it's 100% free and 100% under your control.
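The remote-enable flow proposed in the comments above (a delivery token for the purchaser, a one-shot unlock, no vendor control afterwards), as an added example that is not code from ColorHug or from any commenter. The class names and the serial format are invented for illustration, and an HMAC under a per-unit key stands in for the signed firmware that a real design would verify with a public key.

```python
import hashlib
import hmac
import secrets

def _mac(key: bytes, *parts: str) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(p).to_bytes(2, "big") + p.encode() for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

class Vendor:  # hypothetical activation server
    def __init__(self):
        self.master = secrets.token_bytes(32)   # never leaves the vendor
        self.orders = {}                        # serial -> hash of buyer token

    def device_key(self, serial: str) -> bytes:
        # Per-unit key provisioned at the factory (assumption of this example).
        return _mac(self.master, "device", serial)

    def place_order(self, serial: str) -> str:
        token = secrets.token_urlsafe(16)       # handed to the purchaser
        self.orders[serial] = hashlib.sha256(token.encode()).digest()
        return token

    def confirm_delivery(self, serial: str, token: str):
        expected = self.orders.get(serial)
        given = hashlib.sha256(token.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, given):
            return None                         # wrong token: unit stays locked
        return _mac(self.device_key(serial), "activate", serial)

class Device:  # hypothetical bootloader state
    def __init__(self, serial: str, key: bytes):
        self.serial, self._key, self.enabled = serial, key, False

    def activate(self, code) -> bool:
        if self.enabled:
            return True                         # one-shot: later codes are ignored
        if code is None or not hmac.compare_digest(
                code, _mac(self._key, "activate", self.serial)):
            return False
        # Drop the factory key: nothing the vendor sends can be checked again,
        # so there is no path back to the locked state.
        self.enabled, self._key = True, None
        return True
```

Because the unit holds its own HMAC key, someone with physical access could read it out and compute the code; verifying a signature against a public key stored in the bootloader avoids that.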

why not remote enable?

Posted Jan 12, 2012 18:15 UTC (Thu) by cmccabe (guest, #60281) [Link]

Remote-enable only requires you to register with the company's servers once. In order to actually be effective, remote-disable requires you to contact the server every time you want to use the device.

It probably could be made fairly easy, even for non-technical users. The biggest problem is that remote-enable commits you to running a server 24/7. If there are any outages, you may get some very unhappy customers.

I still feel like this whole concern is absurd. If you're committing mail fraud, wouldn't you choose to steal something that's expensive and easy to resell? A $50 (or whatever) colorimeter isn't exactly the kind of thing you want to be wasting your time on. A $3000 laptop is. Somebody failed to exercise common sense here.

Still, it looks like a great project. I hope it can overcome this little bit of silliness.

The ColorHug adds a remote disable "feature"

Posted Jan 12, 2012 17:44 UTC (Thu) by drag (subscriber, #31333) [Link]

The problem is the retarded UK 'Distance Selling Law' and its design that favors internet fraud, not the color meter.

This sort of thing is typical of these sorts of laws. Instead of letting parties solve problems voluntarily they force buyers and sellers into a hostile relationship.

If people disagree with this it's an open device and they are allowed to drop their own cash into selling them over the internet.

The ColorHug adds a remote disable "feature"

Posted Jan 13, 2012 1:50 UTC (Fri) by nix (subscriber, #2304) [Link]

But that law was brought in to prevent an almost precisely inverse form of fraud, damaging individuals rather than merchants. Strangely there was little chance of an individual 'voluntarily solving' the problem that a company had shipped her something she had never asked for and was now demanding payment with menaces.

(Aside: your religion is getting very, very tiresome. Please stop.)

The ColorHug adds a remote disable "feature"

Posted Jan 28, 2012 21:55 UTC (Sat) by steffen780 (guest, #68142) [Link]

If you don't like UK law you're free to shop in jurisdictions that don't protect consumers leading to a severe trust issue and thereby reduced business for all companies. Just remember not to use a credit card or direct debit as those are also "retarded" in the same fashion.

The ColorHug adds a remote disable "feature"

Posted Apr 26, 2012 17:22 UTC (Thu) by pboddie (guest, #50784) [Link]

I don't agree with the hostility to "these sorts of laws" - terminology that suggests a problem with regulation in general - but it's clear that honest retailers and sellers have significant problems with fraudsters to whom the law in question has given a substantial amount of room to profit without any serious repercussions.

Try buying stuff from UK retailers on the Internet from outside the UK: it has become increasingly difficult to use non-UK payment cards, and frequently a UK address has to be provided. Given that the UK is in recession, you'd think that moderately trustworthy foreign spending would be welcome, so this actually hurts the UK economy, too.

In fact, this whole business seems to reflect the "car boot sale" mentality that is pervasive in the UK: try to buy things for next to nothing; if they don't work properly then just try and sell them on to some unsuspecting "punter"; or claim that the thing you just bought was broken and demand your money back even though it works perfectly. Either way, the supposedly unintentional consequences of badly written laws like this are that it's every man for himself, and the more selfish you are the more you gain.

No wonder eBay is so popular in the UK.

Remote callback

Posted Jan 12, 2012 19:57 UTC (Thu) by man_ls (guest, #15091) [Link]

This is a fascinating technical problem. Forget about remote disable or remote enable; the first part of any solution, as with any technical problem, has to be to study the problem, get data and measure how bad the problem is. A "remote callback" is needed to find out which devices are activated, which are updated or upgraded, and which are never used at all. The firmware tracking could be done behind the scenes without users noticing any negative impact.

The article discusses such a "phone home" feature, and states that it should be unpopular with users. I don't really see why: the vendor already has all your contact and financial info, so adding a bit of "... and this device was activated at this precise moment from this IP address" would not be especially worrying. Of course it would not be possible to contact the eventual thief with such a simple phone home.

After Hughes gets his data, he can back up any features he wants to bake with reasonable arguments, not just with his bank manager's advice. I think people would be very reasonable if he implements such a remote disable after suffering 5% fraud, or whatever.

I remember reading about how Microsoft was doing something similar in the early 00's when OS activation became mandatory with W2k, but in practice it was only enforced for business customers. First they got their data about who the "pirates" were and what they were doing (tracking serial numbers, system updates and so on); then they sent some messages about disabling upgrades for unlicensed users, but didn't do it even with XP. Now I guess they know enough to deter possible circumventors without bothering real customers, because these things are not in the news any more (or at least they don't make too much noise as to reach my Linux-oriented news-sphere).

Remote callback

Posted Jan 13, 2012 0:16 UTC (Fri) by drag (subscriber, #31333) [Link]

The way it should be is that it ships from the factory with a 'phone home' firmware and the first time you activate and update the firmware will never phone home again.

If this is not how it currently functions then it's a severe oversight on the side of the firmware author and it is probably a feature that should be carefully considered, IMO.

Types of fraudsters involved

Posted Jan 16, 2012 20:41 UTC (Mon) by smoogen (subscriber, #97) [Link]

The general case of buyer fraud is usually some organization which will order various items from vendors, say it never arrived and then ship it to a third party or flip it directly on eBay. Most of the people don't have an interest in whatever the item was. The group that sells them will then say they are having a great deal on XYZ items and then people looking for X get it without knowing it was basically stolen.

Now for larger manufacturers they can account for the 10-20% shrinkage that can occur, but small companies can be quickly wiped out by even a 1:100 buys shrinkage since they have higher margins and usually do not "account for it" in price. [E.g., Richard needs to charge 10% more to cover the costs that will happen on the 1% he loses.]

The ColorHug adds a remote disable "feature"

Posted Jan 19, 2012 4:50 UTC (Thu) by jamesh (guest, #1159) [Link]

I buy things mail order from the UK semi-regularly. The usual method of complying with these regulations seems to be simple postal insurance (which is cheaper than a tracked parcel service that requires a signature on delivery).

If the parcel doesn't arrive, the seller lodges a claim with their insurer after a certain period has elapsed and sends a replacement shipment. It doesn't eliminate the chance of fraud, but it lets the seller transfer the liability at a fixed price. It also helps cover any monetary losses in the situation where a delivery has legitimately been lost.

The ColorHug adds a remote disable "feature"

Posted Jan 19, 2012 9:41 UTC (Thu) by callegar (guest, #16148) [Link]

In many countries you can ship stuff with a receipt notification for a minimal extra charge (e.g., 1-2 €). Basically, when you ship your item, a 'postcard' gets attached to it and at delivery time the recipient is asked to sign the postcard that is then returned back to the original sender.

If this system could work internationally, that would be the best option. The extra charge seems way cheaper than the cost of any infrastructure to support remote disable or remote enable.

Furthermore, the remote disable feature has a problem. It pushes people who steal items to basically learn that they simply must never upgrade. So not only do you lose money, but you also end up having products around that may malfunction, giving you at best a bad image and at worst real trouble.

The ColorHug adds a remote disable "feature"

Posted Jan 19, 2012 18:22 UTC (Thu) by raven667 (subscriber, #5198) [Link]

I think what is interesting here is how these kind of DRM features get added to products. If this weren't an open project that was discussed on LWN then the maker would probably have just listened to their business guy and not thought twice about adding DRM to their product. No one would have told them it was a bad idea and they would probably be legitimately surprised if people complained later.

People go down the DRM path because it seems like an obvious solution to an obvious problem even if it ends up being neither of those things, not a problem and not a solution.

The ColorHug adds a remote disable "feature"

Posted Jan 22, 2012 9:03 UTC (Sun) by Zizzle (guest, #67739) [Link]

Just wondering if buyer reputation systems (à la eBay) help combat this problem?

The ColorHug adds a remote disable "feature"

Posted Apr 26, 2012 17:26 UTC (Thu) by pboddie (guest, #50784) [Link]

Probably not. Buy anything on eBay and you're hounded to give a positive rating to the seller whether it is deserved or not. It's like asking the sharks in a shark tank to agree on which one is the best behaved.

The ColorHug adds a remote disable "feature"

Posted Jan 25, 2012 6:51 UTC (Wed) by tux1968 (guest, #58956) [Link]

Oh for gawd sake, add $5 to the price to cover potential losses and forget the damn remote kill cruft. Yes this sucks, but it's the price of doing business.


Copyright © 2012, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds