Auto Firmware Upgrade made official - a new Note in Asus FAQ

[RMerlin]

Is ASD update another thing that @RMerlin does not do auto as well?

No, ASD signature updates are supported (otherwise ASD would be useless). Asuswrt-Merlin gets a different set of signatures however.

 

[L&LD]

@L&LD I thought you were ignoring @Tech9 posts. Regardless, your comments were unwarranted and I've deleted them. One more and you'll get a timeout.

I don't ignore any posts. I read the entire forum daily.

I guess I had a moment of weakness and responded where I shouldn't have. Sorry. I'll go back to before.

 

[sbsnb]

I think some folks are missing a point about forced updates and unmanaged devices...

In managed devices - the code is signed, as is the bootloader - since this needs certificates to validate the source and the code signatures, this is fairly safe.

There is a bigger problem, here. Sometimes there is a specific reason that a user is avoiding an update. Maybe there's some application that is broken by the newer version. It could be any number of legitimate things. Just because an update hasn't taken place isn't sufficient evidence of negligence on the owner's part. Even if it was negligence, that's the owner's problem. Only they know the particulars of their situation and the associated costs vs. benefits. In the case of negligent owners, the negligent equipment owner should be liable for any damages caused by their own negligence just as a car owner driving on bald tires that causes a collision would be liable for their negligence.

It seems odd to me from a legal standpoint for a manufacturer like Asus to take on the liability here. Now that they are auto-updating firmware against the owner's wishes they are establishing themselves as the party ultimately responsible for the post-sale maintenance of security on their consumer equipment. If a damaging breach takes place, now it's Asus' fault rather than the negligent owner's. It also encourages apathy on the part of owners. Why keep up with security updates if Asus will "just take care of it"?

 

[Tech9]

It seems odd to me from a legal standpoint for a manufacturer like Asus to take on the liability here.

It will become mandatory for all manufacturers and wide range of products. The consumers have no clue what runs inside and how - they buy a product. If it's not secure or safe* - it's the manufacturer's fault. Just wait few more years and we'll discuss the topic again. It's happening as we speak.

* - you perhaps have noticed newer cars come with features that can't be disabled by the driver. I personally hate it, but there is nothing I can do.

 

[cptnoblivious]

There is never going to be a satisfactory 'one-size-fits-all' solution.
The factors are well know:

1. The vast majority of consumers would be best served by auto-updates
2. The vast majority of truly tech savvy customers (or IT professionals, whatever that means today) want a level of control, the ability to not be a beta tester for poorly tested software and want the choice on when and how their systems are updated
3. Over and over, various vendors have proved that they often have poor processes when it comes to testing and release

I count myself in category 2. I want the choice and am not willing to completely turn over control of the software running on devices that protect my network to some corporation.

Given what recently happened with the asd "glitch", I'm debating buying a mini-PC and putting a 'proper' firewall on it.

 

[Tech9]

Given what recently happened with the asd "glitch", I'm debating buying a mini-PC

This is perhaps going to be the only option avoiding automatic upgrades in just few years time. Talking about consumer products.

 

[philw12]

Well, Asus just auto-updated my "do not auto update" configured XT12, which was running Asus standard Beta firmware. The result is I can't log into it - so I can't be entirely sure it was actually successfully upgraded. However they published new firmware, and the result appears to be my password is not longer encrypted in whatever way they changed it to. Something like that.

I'd report it to them, but they'll just say "factor reset it", to which my response is... why don't you send someone over to do that and then reload the config (assuming you didn't change that too...), because it's not a cost free process.

So yeah, it's an aggressive way to push out updates. I've run one or two ISPs and our standard first response to anyone asking for service would be to get them on the latest code base first, because that's the most effective way to do things. But they could at least have warned me what they were going to do so I'd know who to blame.