
Manufacturer 'make worthless' users' devices after some stolen from a warehouse - infosecrf
https://phasenoise.livejournal.com/5612.html
======
fencepost
I can't bring myself to be bothered by this - and wouldn't be even if I were
using these devices.

For crying out loud, equipment with unique recorded serial numbers was stolen,
so the company is blocking the _specific_ stolen devices. That makes perfect
sense to me. Objecting to how they do it (bulking up software with a list of
serials, requiring software to phone home, whatever) is fine and their
customers have a legit basis to be unhappy if it's impacting their use, but
people with the stolen devices? _Those aren't SDRPlay's customers because
SDRPlay hasn't been paid for those devices._

Quoting from the article: _In a PR disaster the manufacturer gives "Because we
can" as an explanation to make end user devices worthless._

I'll note that this complaint very carefully leaves out a key word: STOLEN.
I'm not seeing the PR disaster except that it's going to seriously hurt their
image in the community of people who steal stuff from warehouses. _tiny violin
plays sad music_

If you've purchased one of these, as I said above you're not a customer of
SDRPlay or one of its distributors because payment is part of a vendor-
customer relationship. You're someone who bought "Bose" speakers out of the
back of a white van in a parking lot. Get your money back from the seller -
you may even be able to get the police report from SDRPlay if you need it for
a chargeback - and tell SDRPlay where you bought it so they can try to track
down the thieves.

Edit: reading the original SDRPlay forum posts, they ID the specific ebay
sellers, note that this is the _third_ time they've had things stolen like
this and sold by the same accounts, and note that "We will NOT penalise
innocent people so that assumption that this is our intent is frankly WRONG!!"
Basically they're likely looking for anything like saved packaging, shipping
return addresses, etc. to be turned over to the police. Also, this whole thing
is about (in this case at least) a total of 39 devices. We're not talking
about thousands of people affected.

SDRPlay:
[https://www.sdrplay.com/community/viewtopic.php?f=6&t=3225](https://www.sdrplay.com/community/viewtopic.php?f=6&t=3225)

~~~
sandworm101
How far can we take this? Theft is a big deal for manufacturers. They spend
good money on preventing it. But will they continue to spend good money on
prevention if instead they can just brick any lost devices? The nightmare is a
manufacturer turning to a whitelist model, one where post-purchase the
consumer must legitimize their purchase before use of the device. That's DRM.
There is massive overlap between the community of people who purchase SDR
products and the group that will riot in the streets in protest of DRM.

Anyone who purchases tech devices owns some "pirate" content. When you buy a
motherboard you don't know the pedigree of its hundreds of components. Trace
each one and you will find a licensing or counterfeit issue somewhere. Should
everyone be able to automagically brick counterfeit or stolen devices when
those devices have been integrated, resold three times, and are now in the
hands of innocent consumers? There are policy-based principles in western law
that have long prevented such behavior in other arenas.

See:
[https://www.law.cornell.edu/ucc/2/2-403](https://www.law.cornell.edu/ucc/2/2-403)

Not exactly on point, but an example of how we protect good-faith purchasers,
even black-market purchase of "stolen" goods.

~~~
gambiting
While I agree with you mostly, this is really a basic issue - devices stolen
from the manufacturer are still owned by the manufacturer. They are, and
should be, free to do with them however they please. It's a basic question of
ownership and control over one's property in here.

~~~
sandworm101
I'd have to know more about the "theft". I suspect that this wasn't a robbery
in the dead of night.

UCC § 2-403 states: When goods have been delivered under a transaction of
purchase the purchaser has such power even though ... the delivery was
procured through fraud punishable as larcenous under the criminal law.

[https://www.law.cornell.edu/ucc/2/2-403](https://www.law.cornell.edu/ucc/2/2-403)

Basically, if an employee or other person who was "entrusted" with these goods
by the manufacturer sells them, then innocent purchasers take full legal
title. The good-faith purchaser is now the legal owner even if they purchased
the goods from someone who wasn't a legal owner. The goods do not belong to
the manufacturer. This is specifically to protect innocent people from debates
between manufacturers and distributors, even where those distributors have
stolen goods.

The knock-on effect of this is that people who buy things in good faith from
distributors don't have to worry about manufacturers (or police) raiding their
homes ... which appears to be exactly what this manufacturer is doing by
bricking these devices.

~~~
gamblor956
That's not what the law states.

It actually says:

(1) A purchaser of goods acquires all title _which his transferor had or had
power to transfer_ except that a purchaser of a limited interest acquires
rights only to the extent of the interest purchased.

The part you're quoting refers to the recipient being the fraud, not the
seller. The recipient never acquires more rights than the seller had. This is
why stolen goods can be seized by police, even from innocent purchasers.

[ _Edit:_ ] Actually more complicated than that. The provision contemplates
the middle-man acquired the rights to the goods sold through fraudulent means.
In this case, it still requires the middle-man to have acquired the rights
from the original seller in a transaction in which the seller gave up the
rights to the goods. I.e., theft by fraud would suffice but mere theft would
not. It's hard to explain theft by fraud. In a nutshell, the original seller
is deceived as to one or more details of the transaction itself, such as
price, identity of the seller, or even as to what they are exchanging. The UCC
expects all parties to a contract governed by the UCC to exercise due
diligence with respect to a contract, so if the transaction includes the
"stolen" goods, the UCC doesn't provide any relief. Generally in a situation
like this, it would happen where the language of the transaction clearly would
include the goods at issue, but the middleman misrepresents to the original
seller that those goods aren't included in the contract.

~~~
icebraining
The seller doesn't have to give up their rights:

"Suppose Ed takes his bicycle to Merv, a bicycle dealer, for repairs, but
instead of making repairs Merv sells the bicycle to Betty. Who now owns the
bicycle? Section 2-403(2) states that "[a]ny entrusting of possession of goods
to a merchant who deals in goods of that kind gives him power to transfer all
rights of the entruster to a buyer in ordinary course of business." Ed has
entrusted possession of goods to Merv, a merchant dealing in goods of that
kind. Assuming Betty is a buyer in the ordinary course of business (BIOC),
Merv now has the power to transfer all of Ed's rights in the bicycle to Betty.
Betty now owns the bicycle, and Ed cannot validly assert any ownership claim
against her. Ed's only remedies would be against Merv."

[https://scholarship.law.campbell.edu/cgi/viewcontent.cgi?art...](https://scholarship.law.campbell.edu/cgi/viewcontent.cgi?article=1144&context=clr)

~~~
gamblor956
Guys, the UCC isn't the only law that applies to the situation...

Ed might not have rights under the UCC, assuming it applied to the
transaction, which is questionable since Ed does not appear to be a merchant.
He would have rights under state laws that override the provisions of the UCC.

[Edit] Most states actually override this provision of the UCC to define
entrusting narrowly. See, e.g., California's provision:

3) “Entrusting” includes any delivery and any acquiescence in retention of
possession _for the purpose of sale, obtaining offers to purchase, locating a
buyer, or the like_ ; regardless of any condition expressed between the
parties to the delivery or acquiescence and regardless of whether the
procurement of the entrusting or the possessor's disposition of the goods have
been such as to be larcenous under the criminal law.

------
huhtenberg
Sounds like a reasonable thing for any manufacturer to do if your supply
pipeline is prone to large-scale theft and your goal is to deter further
incidents. The best option obviously is to fix the pipeline, but that takes
time and is not always doable in practical terms.

Caveat emptor. Buying from a 3rd party and presumably at a deep discount
always carries a risk of goods being stolen.

PS. FTDI case is of no relevance here - they were bricking devices of _other_
vendors, not their own.

~~~
smitherfield
Yeah, the burden is on the buyer not to purchase stolen goods. The
manufacturer is certainly under no obligation to support them. In many states
even unknowing possession of stolen goods is a crime, so many of the "users"
here are in fact getting off lightly.

~~~
jhall1468
> Yeah, the burden is on the buyer not to purchase stolen goods.

1 party has 100% of the information, 1 party has 0% of the information, and
the burden is on the party with 0% information. That's absurd.

> The manufacturer is certainly under no obligation to support them.

Not support and bricking are two different things.

> In many states even unknowing possession of stolen goods is a crime

Generally the state has to prove the defendant took receipt of the items for
an unlawful purpose. Ohio is an exception, but I'm not sure if there is
another one.

> so many of the "users" here are in fact getting off lightly.

You use "many" incorrectly here: Very, very few are. Because very, very few
jurisdictions make it a crime to unknowingly receive stolen property and even
fewer would actually press charges even if allowed.

Your post is nonsense.

~~~
Azeolus
His post is mostly nonsense, but not entirely. First while the burden of proof
is not necessarily on the purchaser, if you have in fact purchased stolen
goods, you must still forfeit them to law enforcement. There are no
jurisdictions that let you keep stolen goods. In most jurisdictions you then
need to get restitution from whomever sold you the device, and they can
obviously face charges.

The manufacturer can definitely brick, or do whatever they want. The devices
are still their rightful property, this isn't a gray area, they were stolen,
no one has rightful claim to them except the owner, who was the manufacturer.

------
Robadob
Is this really that different from blocking stolen mobile phones from
connecting to mobile networks via their IMEI number?

The database behind that is apparently shared internationally between mobile
networks, and most people would find a phone unable to connect to anything but
WiFi useless.

~~~
tankenmate
There's a big difference, the owner requested the bricking not the
manufacturer.

~~~
alibarber
If they were stolen from the manufacturer, then surely the manufacturer is the
owner - and is therefore entitled to block them?

------
dazhbog
I used to always be pro-consumer in cases where the manufacturer does
something like that to clones (Saleae and FTDI cases).

After slowly getting into the manufacturing game myself and after USPS
auctioned some of my cute early engineering samples that ended up on ebay, I
definitely think this is totally reasonable from the manufacturer. Also the
title of the article is already attacking the manufacturer. If you brick the
devices, you hurt the person stealing and indeed it seems that this wasn't the
first time it happened to them. On the consumer side maybe a discount would
also be a nice gesture.

~~~
woodrowbarlow
i'm curious to hear more about your story!

if i'm understanding you correctly, the postal service somehow ended up in
possession of your early prototypes and they sold them to somebody who then
re-listed them on ebay. was this a lost parcel situation?

~~~
dazhbog
We sent the prototypes with USPS, within US, and down the line they said they
couldn't deliver and we asked them to re-route it to another address because of
that. They even gave us a tracking number.

After a month went by (adding to the already another month of delay) they said
it's on its way, etc. We randomly searched ebay with our brand name and saw an
active listing with our prototypes in it. Other things in the box like our
gopro were gone, but at least we found the prototypes and contacted the
seller. The seller said that she got the items at an auction for items that
couldn't be delivered a MONTH earlier, while USPS was telling us it was on the
way.

Seller ended up giving us the prototypes for a small fee.

------
djrogers
People who receive stolen goods have _always_ been kinda screwed over - it's
been part of our laws forever. Even if one isn't charged with a crime, one
will lose the goods, and likely never recover their money.

The reasons for this are obvious - to make it as hard as possible to sell
stolen goods. The effects encourage the innocent purchasers to have some level
of caution when looking at buying goods.

------
kizer
I had to re-read each sentence three times.

~~~
kortex
I'm glad I'm not the only person who found this piece weirdly dense/obtuse.

------
pavel_lishin
> _Those that do and assist us in tracking down the thieves will be treated
> VERY sympathetically._

Does that mean they'll unbrick their hardware? That's about the only sympathy
I'd expect after purchasing a product in good faith, and discovering that it
was bricked or disabled by the manufacturer.

~~~
Azeolus
[https://blogs.findlaw.com/blotter/2014/08/can-you-get-arrest...](https://blogs.findlaw.com/blotter/2014/08/can-you-get-arrested-for-buying-stolen-goods.html)

If you buy stolen goods, you don't get to keep them. These are stolen goods,
why would you ever expect the company to simply allow you to use it?

~~~
pavel_lishin
I take issue with the fact that the company has any say in the matter at all,
tbh. I dislike devices that phone home and can be disabled remotely as a
matter of principle.

But you're right, in the end they are stolen goods.

~~~
Azeolus
> I take issue with the fact that the company has any say in the matter at
> all, tbh.

What? How does that make any sense? Someone stole their property, it's still
theirs, of course they have a say in what happens to it. "Finders Keepers" is
not how the world works...

~~~
pavel_lishin
But they can also brick non-stolen equipment. I don't want a company to be
able to remotely disable a device I own.

------
vilda
Sony offers to block stolen PlayStations. It's a similar case - you may buy a
used item that may suddenly stop working. Moreover, Sony does cooperate with
authorities re locating those devices. You may have a surprising visit.

------
shawnz
Seems totally acceptable to me. The comparison with the FTDI incident is not
really applicable here because those were not stolen parts, just replica/clone
parts.

------
codedokode
Those who bought stolen devices should return them and ask for a refund from
eBay. You are generally not allowed to resell stolen goods, although I am not
sure if eBay is liable here.

> Back in October 2014, the FTDI manufacturer shipped a device driver that ...
> would make any operating system stop seeing the device by setting its USB
> product ID to 0, basically killing the USB device.

Well, if that id can be set to 0, it can also be set back to original value,
can't it?

~~~
Jonnax
If I recall correctly, it didn't get recognised as a USB device anymore so you
couldn't reflash it.

~~~
crankylinuxuser
Linux was able to allow connections to VID:0 PID:0 for usbserial.h about 3
days after the initial reports. From there, it was possible to rewrite the
FTDI firmware to restore functionality.

------
chatmasta
Wouldn’t it be pretty trivial to remove the blacklisting code?

It’s not like this is a cellphone sold to my mom. It’s an extremely specialist
product aimed at a group of users with vast electronics and reverse
engineering knowledge. Probably won’t be long before one of them reverse
engineers the device and releases the code to ignore the blacklisting.

Anyone know the technical details of how the blacklisting works?

~~~
discreditable
If you unintentionally buy a blacklisted phone online, do you try to break the
blacklist or report the seller and get a refund?

~~~
chatmasta
The blacklisting code is in every device, even those sold legitimately. That
is, the device “phones home.” Some users may not be okay with that.

In my experience, the kind of person who buys an SDR is (a) unlikely to
appreciate a $400 device that phones home on boot, and (b) likely to reverse
engineer the blacklisting code simply for the fun of it.

------
malik9
Previously owned devices sales next? If they are including blacklisting code
like this their software simply cannot be trusted.

~~~
Azeolus
No. There is a simple explanation too. Once a valid sale happens ownership
changes. They still own these devices, because they were stolen. That means
they can do whatever they please, the devices are still theirs.

~~~
icebraining
Ownership change doesn't magically disable their remote control, though.

------
crankylinuxuser
If they can do this before it is sold (eg: theft) and remotely prevent the
device from working, how do users defend against having this done later for
more capricious reasons?

Everything I've learned, is that for capabilities like this, the good reasons
are the justifications, and then the owners migrate to less good reasons. The
overall distrust I have with these kinds of systems is that they are
Treacherous Software/Hardware. This capability is something that shouldn't be
implemented. No user in their right mind would - but the companies that wish
to retain ownership rights after sale do.

I would also object to this 'hacking of these devices' as violations of CFAA.
Yes, the devices had lost chain of custody, and were reported as stolen. That
doesn't allow any entity to then engage in more illegal behaviors exigent to
the initial situation. If I am being robbed, I am allowed to defend myself and
my goods. However I cannot stalk the robber, and then bash his/her kneecaps in
after the fact. 2 wrongs, separated by time, do not make a right.

------
post_break
Wasn't this the same company who banned users for leaving bad reviews?

------
huevo5050
I imagine this standardized in a supply chain blockchain

~~~
jandrese
Yeah. I mean nobody has ever managed to steal a Bitcoin right?

