Slashdot Mirror


User: Sarten-X

Sarten-X's activity in the archive.

Stories: 0
Comments: 4,385

Comments · 4,385

  1. Re:Squirrels spread their attacks conveniently on Are Squirrels A Bigger Threat To Our Critical Infrastructure? (bbc.com) · · Score: 5, Informative

    How many spies and saboteurs with well-placed bombs (or high-powered rifles) would it take to disable the power grid? Not many, I would think. There are a lot of threats besides 'the cyber.'

    Far more than it takes to set a flag on a C&C server. Those spies and saboteurs also have to be physically present around the time of the coordinated attack, increasing the risk they'll be caught, and the opportunity for them to double-cross the attacker and reveal the plan to the target.

    On the other hand, malware can lurk for years undetected from a single entry point. A small team of sub-sub-sub-contracted service technicians can deploy malware to an embedded system, and walk away. Sufficiently advanced threats can hide their traffic inside the normal monitoring operations of the utility, cross through the network, and even add personnel records, effectively making their actions look like legitimate employee operations until they shut everything down.

    Targeting infrastructure has been a military strategy for as long as there have been militaries. Modern tactics, however, focus on efficiency. If five malware-assisted spies can take down a target country's utilities with no risk, why spend the budgeted resources to recruit and train (and possibly extract) fifty to do the same job? That budget can then go toward hiring cryptographers to decrypt the target's movement orders, so you spend less budgeted resources trying to find the enemy units. That leaves more budget to use on building better bombs and guidance systems, and so on.

    Ultimately, the goal is to win the war. With modern society relying on border-crossing communications, it is no longer really important who can put supplies into what territory, as was important until around 1960. Now, it's important to convince the locals that you're protecting them from the evil oppressive enemy, and doing that means minimizing civilian deaths. Better targeted bombs, better intel, and attacks that don't involve blowing up a power plant full of civilian workers, are all ways to reduce your side's death count.

    Security is something for professionals like us to think about always while we're working, but it's not something to panic about. A lot of these news stories like this one are designed to spread panic...

    There's very little panic, except for a few uninformed headlines where a laptop with malware became a complete takeover of the US power grid. On the other hand, the DNC hack is a great example of how information-based warfare will be conducted, and the news article you linked explains it well. Unlike Watergate, there was never a Russian physical presence in the DNC. There's nobody in the US that can be arrested for it. After the initial breaches, there was almost no evidence of the digital presence. The reality of the situation once it was discovered was met with skeptics like you, who underestimate how useful such an attack could be.

    While that holds true, the attacks won't likely escalate. As soon as an enemy attacks the American power grid, every American company will treat information attacks more seriously, and the low-hanging fruit will disappear.

    ...and to increase power to those who are spreading panic.

    There's nobody really getting more power from this, though, except for a few hucksters who are selling fraudulent security systems. The threats have been real and the attacks have been ongoing for the past few decades, and the people who have been wise enough to care have found that there are solutions available. There are backup generators and UPSes protecting vital systems from outages of the power grid. There are airgaps and mitigations protecting secret information. There are encryption algorithms and opsec protocols protecting identities... Security is cheap, but it is very user-driven. The user has to care for security

  2. Re:He's missing the point. on Are Squirrels A Bigger Threat To Our Critical Infrastructure? (bbc.com) · · Score: 5, Insightful

    Squirrels and birds are also never going to be launching coordinated events designed to overwhelm the utilities' abilities to bypass and repair damage. Nobody cares that a foreign nation might be able to shut down a provider. The concern is that they might shut down all providers.

  3. Let's rephrase this a bit more realistically:

    1. Use Windows 7, and everybody with access to malware techniques from the last decade can get in, or
    2. Use Windows 10, and only the nation-state threats with access to the latest techniques or legal avenues will be able to get in.

    Windows 10 integrates a lot of the malware mitigations that were either add-ons or unavailable for Windows 7. The default configuration also requires stronger security, and the system internals are much better hardened against malware compromising system integrity. In effect, whole classes of malware that could affect Windows 7 are ineffective on Windows 10.

    I know it's Slashdot's fetish to think that the NSA really cares what websites you're visiting, and to think that you're all protecting the rights of freedom fighters around the globe, but really, using antiquated software just means that the barrier for entry is lowered. The NSA might not be able to pull your telemetry directly from Microsoft, but their regular old RATs and spyware will work just fine, along with the same kit from every hacker group around the world. Not only will the NSA still have access to your data, but so will everyone else.

    If you actually want a secure system, opsec is still your best bet. Start with an isolated system for processing, keep it isolated, and use an airgapped (preferably with several walls and rooms between) system for communication. Never transfer electronic data, change service providers occasionally, relocate erratically, and follow all of those other paranoid guidelines that are more effective than "use old software".

  4. $DEITY forbid they should have a marketing department.

    The casino doesn't know (and may in fact not be allowed to know) who has a gambling problem. All they know is that a long-time customer has stopped coming, so they fire up the marketing machine and incentivize future business. To use your analogy, the bartender might pass a known regular on the street, say "I haven't seen you in a while", and offer a drink on the house next time the customer comes in.

    Yes, some people think they're lucky. Some people are addicted. That doesn't change the legality of the casinos' operations, and doesn't make them liable.

  5. Re:Remember kids! on How A Professional Poker Player Conned a Casino Out of $9.6 Million (washingtonpost.com) · · Score: 5, Insightful

    It depends on your definition of "winning".

    If you are entertained by playing games of chance, the small percentage the house takes is your bill for the night's entertainment. Everybody knows the deal going in.

  6. Re:Look to history on 'Superbug' Resistant To 26 Antibiotics Kills A Patient In Nevada (upi.com) · · Score: 1

    That's intentional, even necessary. There is no data on antibiotic-resistant infections prior to the discovery of antibiotic-resistant infections. Since my whole point is that historical data is absolutely critical when making comparisons to historical practices, that's the best data we have available.

  7. Re:Look to history on 'Superbug' Resistant To 26 Antibiotics Kills A Patient In Nevada (upi.com) · · Score: 1

    "Each year in the United States, at least 2 million people become infected with bacteria that are resistant to antibiotics and at least 23,000 people die each year as a direct result of these infections."

    Well, that sucks. Now, how do those numbers compare to historical measurements, accounting for the significant improvement in reporting reliability? The reality is that infectious disease rates were about three to five times worse in the 30s and 40s, because we were still at the beginning of a large-scale improvement process in general sanitation throughout daily life, not just hospitals.

    "Antibiotic-resistant infections can happen anywhere. Data show that most happen in the general community; however, most deaths related to antibiotic resistance happen in inpatient healthcare settings, such as hospitals and nursing homes"

    Let's say that again, simplified: "most deaths occur in care facilities". That's a great talking point, but what about where most fatal infections were acquired? If you get infected with a resistant bacteria in your kitchen, and go to the hospital for it before dying, it still counts as a hospital death.

    Lusting for the good old days is a very dangerous habit. You have to remember that you are only able to recall the stinging pain because you were one of the survivors. The people whose lethal infections weren't cleaned by iodine can't speak up to remind you of their story, except as historical statistics.

    The problem is also far more complicated than just "clean things". Over-use of antibiotics contributes to the prevalence of AR strains, but careful management is actually mostly what protects vulnerable patients. That is hindered by the stupid humans in the mix, who don't trust doctors and undermine their practice (for example, by bringing home-cooked desserts into a hospital isolation room). That in turn is a symptom of poor medical knowledge among the public, partly due to the confirmation bias you've shown here.

  8. Re:The Backasswards solution on US Government Offers $25,000 Prize For Inventing A Way To Secure IoT Devices (ftc.gov) · · Score: 3, Interesting

    Joseph Bramah's lock was considered secure for 67 years, until Alfred Charles Hobbs picked it after a 51-hour effort in 1851. Now, modern tools and techniques can pick such a lock in a matter of minutes.

    So let's suppose you had purchased one of Bramah's locks in 1850, with a 65-year history of perfection. If you were robbed in 1853, who bears the liability? Is it Bramah (actually his sons who inherited the business) for making an insecure lock that was sold as being secure? Is it you, for not replacing the lock as soon as a picking technique had been proven? Or is it the thief who actually exploited the vulnerability and broke the law?

  9. Re:Leave. on Ask Slashdot: How Would You Deal With A 'Gaslighting' Colleague? · · Score: 1

    From my own experience, it's an exercise in professionalism, extinguishing the bridges that are burning without your knowledge.

    The key (that is apparently missed elsewhere in this discussion) is to maintain absolute professionalism. The letter is not just whining. It is a dissection of the factors that forced you out of the company. It serves as an explanation of your actions to the people who would otherwise be left with questions that would be answered with rumors, often spread by the bully himself.

    Until you walk out the door (or otherwise enact termination), you still work for the company. Your job doesn't end when you decide you're leaving. Right up to that last minute, you're still a part of the team, and they're still expecting you to help the company improve. While it can also be cathartic to say "fuck you all" and sit idly waiting for that two-weeks-notice paycheck, that leaves a very bad final impression on your colleagues. While they might end up being your opposition next month, they might also be your reference (or recruiter) next year.

    When that time comes that others think back on you, will they recall an embittered man who just gave up and left, or will they remember the guy whose last act was a professional attempt to point out the proverbial elephant in the room? While the managers are ultimately responsible for the decisions (right or wrong), very few are actually all-knowing, even in their own minds. Rather, they have their particular perception, and a sufficiently manipulative employee can control their perspective and prevent them from ever seeing the unethical behavior. While it is not your place to tell management what they're doing wrong, it is your place to ensure that they accurately see the effects of their decisions. They can decide for themselves if it matches their expectations and other employees' descriptions.

    It is not enough to "leave with a smile" any more. Now recruiters look at LinkedIn to see if you play well with others, and referrals from past colleagues are the easy way through the HR bureaucrats. Now, the best way to ensure your bridges aren't burning is to try to leave your colleagues with the understanding that you hold no hard feelings toward them, but only the environment you worked under.

  10. Re:The Backasswards solution on US Government Offers $25,000 Prize For Inventing A Way To Secure IoT Devices (ftc.gov) · · Score: 3, Insightful

    The problem is defining "secure" and "insecure". In the US, the standard is "perfect tender", where the company just has to produce a product that is perfect to the best of their ability, and acceptable to the customer. The product may have been insecure from the start, but nobody knew it, because the vulnerabilities weren't known yet.

    Three years ago, we had no idea that the rowhammer effect could corrupt data. Two years ago, we didn't think it had security implications. Now we know better, but my desktop was built four years ago.

    There are some vulnerabilities that can be resolved, like default passwords... but those are comparatively rare. For production and installation ease, the devices are usually shipped with a default password and the user is provided instructions to change the password. The problem is that the users don't read the instruction manual for their new lightbulbs. In this case, the product is designed and sold to be secure, but the user's inaction caused the insecurity.

    Ultimately, the liability for an attack lies (legally) with the attacker. It's been that way for several thousand years, and is fundamental to the legal framework in this country. Trying to change that will have many unintended consequences.

  11. Re:Leave. on Ask Slashdot: How Would You Deal With A 'Gaslighting' Colleague? · · Score: 1

    On the other hand, with no documented explanation, it's very easy to blame the problems on the guy who is "no longer with the company", blackball him, and move on with no improvement. Saying just a name to HR does nothing, as it doesn't provide any context in which to investigate. In a large company, it may be the first time the interviewer has heard the name, and the guy leaving tomorrow will work with a different interviewer, so it'll never be correlated.

  12. Re:Politically incorrect solution: free/open softw on US Government Offers $25,000 Prize For Inventing A Way To Secure IoT Devices (ftc.gov) · · Score: 1

    That's why all Android devices automatically get updates, right? Even the decade-old ones that can't run new versions?

    The OS doesn't matter. What's missing is the infrastructure to support patch development, testing, and delivery. Once the initial vendor goes out of business (or discontinues that product), there's no mechanism to continue development, no way to test the patch, and no way to get the new software into the devices.

    An open-source mandate fixes the ability to develop new patches, but it becomes much more difficult to thoroughly test on all versions of affected devices, and there's no easy channel to get the new software to the end users.

  13. Re:Super bad idea, keep it verbal on Ask Slashdot: How Would You Deal With A 'Gaslighting' Colleague? · · Score: 2

    Perhaps I should clarify, then.

    Write a well-written letter of resignation, detailing the facts and verifiable events that led to your departure, in an informative and non-confrontational way. Express that you're choosing to leave the environment, rather than blaming the company. Avoid specifically naming the culprit, but frame the situation as a product of the environment that idealizes rock-stars at the expense of a healthy collaborative environment.

    While you're still in the company, any complaint you make about the company's favored genius can be construed as an attempt to advance your own career at their expense. Any threats to leave are also idle. You and your opponent are both still working here, so the company still gets the rock-star's work and whatever you manage to do when you're not complaining.

    In an exit interview, the attendance won't be as selective as a letter's addressees. Your manager may not have the power to do anything about the gaslighter if he's under a different manager's authority. HR may not be prepared to discuss another employee at your interview, so their hastily-scribbled notes may be the only actionable evidence. I've also seen companies treat the exit interview as their last chance to get information from an employee, so they'll bring in the resident expert to absorb any technical knowledge they can before it walks out the door. That would be very unproductive in this case.

    A letter puts you in control. You decide to whom it goes first, you decide exactly its tone and contents, and you decide how incriminating it actually is. In the worst case, someone pulls it out to use against you years later, and it's no less professional than a technical document. In the best case, it's the wake-up call and first-hand evidence that HR or management needs to start improving the company.

    Anecdote time. First, I've worked at a company that couldn't/wouldn't do anything punitive without primary written evidence. Verbal descriptions weren't good enough, because the company was large enough that the chain of command turned into a game of Telephone. I've also worked at a company that had a manager covering up for a bad apple, and watching the manager try to hide written evidence ended up making enough visible evidence to get them both fired.

    The reason you're telling management about the bullying isn't to help management. It's to help your ex-coworkers and colleagues who still have to stay in that environment. It may be too late for you, but management still has a chance to prevent the problem from getting worse. The purpose of the letter isn't to tell management why you personally left. It's to ensure that management is aware of a problematic situation that has caused the departure of at least one employee.

    In short, maintain your professionalism to the end and beyond. Say exactly what happened, and let management come to the conclusion of what to do about it.

  14. Re:Leave. on Ask Slashdot: How Would You Deal With A 'Gaslighting' Colleague? · · Score: 4, Insightful

    And in the letter of resignation (perhaps a separate one to management, rather than one to your colleagues), document in great detail the actual reason for your departure. It's pretty hard to ignore a complaint that isn't just an idle threat. The gaslighter drove someone out of the company, so management will notice.

  15. Re:Four legs good, two legs BETTER. on WikiLeaks Threatens To Publish Twitter Users' Personal Info (usatoday.com) · · Score: 1

    Originally, I believe the idea of Wikileaks was to have a place for people to safely and anonymously, without fear of retaliation, leak information people in power didn't want publicized.

    That might have been the idea, but it was never really the result.

    WikiLeaks made a name for itself with the Collateral Murder video which, through heavy editorializing, pandered to the anti-war populist opinion of the American public. With that fame and adoration as a first impression, they promoted themselves as a champion of the underdog, ready to fight any power anywhere.

    Unfortunately, since then they've shown a very heavy bias in the subject of their leaks, and also a bias in the amount of care exercised in minimizing harm. When a US government interest is the target of a leak, they'll happily leave personal information in the data, in the interest of transparency and completeness, of course. When information could harm their own reputation or their benefactors (notably Russia and Ecuador, but others to a lesser degree), the leaks get a more thorough redaction.

    This is not transparency. This is propaganda, using the viewer's own judgement against them.

    Effectively, WikiLeaks uses its information not to drive change, but to encourage fear. Rather than seeing a report of a mistake and thinking "I can do that better", WikiLeaks' publications encourage fear that one might be the target of a leak. The collateral damage against uninvolved "innocent bystanders" also causes general mistrust and a fear of working with any organization WikiLeaks targets. After the fact, leakers get harsher treatment because of the damage their leaks caused, and real lawful whistleblowing gets undermined by its association with such harm.

  16. Re:Wikileaks on WikiLeaks Threatens To Publish Twitter Users' Personal Info (usatoday.com) · · Score: 0

    I've hated them for as long as they've been undermining rule of law in favor of political machinations.

    ...For those of you just tuning in, that was pretty much their very beginning.

  17. Re:because they won't be resetting the tv. on Android Ransomware Infects LG Smart TV, Company 'Refuses' To Help (bleepingcomputer.com) · · Score: 1

    You were dead wrong.

    Prove it, then. Show me any legal doctrine requiring a manufacturer to make products that remain perfect years after their sale.

    Even LG came to agree with my position and finally divulged the sooper sekret cheat code to actually restore to factory. It's even documented in a video.

    Providing a reset code does not imply they agree with your position. Again, prove it. Show me their public apology admitting they made a mistake.

    There's no point trying to twist logic into a pretzel with your what ifs that clearly did not come to pass.

    And yet, that's exactly what the $340 was. It was an offer for a business deal that did not come to pass.

    Clearly those instructions were either wrong or meant for a different model.

    So it was user error, then, and still not any mistake on LG's part.

    Do you not believe in the KISS principle? Apparently not Occam's razor either.

    Actually both, but above that I believe in rule of law. LG may have pissed somebody off by keeping secret procedures, but that does not change the legal or moral framework around the situation.

    As for the kindergarten comment, that was in reference to your big red button story. I made that clear by quoting from your reply to that argument.

    Yes, I got that, but you seem to have missed the point of the story. The flawed product is obvious, and it's clearly traceable back to manufacturing, but in both cases the manufacturer was unaware of the issue, and the product was accepted and operated for a significant amount of time, effectively terminating any initial implicit warranty under the perfect-tender doctrine. You still haven't shown any liability for LG, or the amp manufacturer in my anecdote, and you haven't shown that enforcing eternal implicit warranties is fair, or established any boundary which would be fair.

    Again, I'll ask you to please prove your assertions. Please provide links to established laws or precedents on the subject.

    If you're just going to try to talk around the simple fact that time and events have demonstrated my point and refuted yours, don't bother.

    You're making ridiculous claims about what LG "should" do, and how you assume their repair shops work, and how you assume their products are designed. You provide no evidence for your claims, but simply keep saying that you're right. You can't even piece together a moral basis for your claim, and you haven't coherently refuted any of mine.

    Like I've said several times now, it's time for proof. Please explain precisely where in established legal procedure or moral philosophy your claims come from.

  18. Re:because they won't be resetting the tv. on Android Ransomware Infects LG Smart TV, Company 'Refuses' To Help (bleepingcomputer.com) · · Score: 1

    Only if they're idiots.

    Or concerned about physical space, reverse-engineering, or any other reason not to have a feature that's almost never used. Unlike you apparently are, I'm not pretentious enough to assume that I know LG's motives and design criteria.

    Sure, there's overhead. So slap a repair tag on it matching the customer paperwork. Place it on a designated shelf with the tag visible. If that takes 9 HOURS, the shop is screwed anyway. Although repair shops are not as common as they once were, none ever needed to have a 10 hour minimum charge to be profitable.

    That's funny... most of the shops I've seen had at least a one-day turnaround time, and usually charged several hours' labor with it. Then again, they also did put things on a shelf with the tag visible, and maybe that's why those repair shops often had a bad reputation for losing customers' devices.

    Anyone who attended kindergarten knows that if you make a mistake you should fix it.

    You're begging the question. You haven't shown that LG made any mistake. They built a product, the customer bought it, and it worked just fine for several years. There's no reason to fault them for any of this.

    As for the update, I am glad that LG decided after all to divulge the simple yet sooper sekret method ... Somehow it worked without a solder rework station or 10 hours of labor.

    Gee, that's fortunate... but you're still ignoring the possibility of what exactly happens if it didn't work? If LG accepts it to their repair shop, they're (almost certainly, depending on local laws) guaranteeing that it will be repaired.

    Might have been nice had they just told him that in the first place rather than "offering" to do that for him for a $340 fuck-off fee.

    Per TFA, he had already tried a reset procedure, and it didn't work. Without more detail on exactly what happened, I can claim with equal evidence that he had the right procedure originally, and screwed it up, leading LG's support to recommend a more drastic option.

    As for your increasingly absurd suppositions of physically breaking the TV, everyone knows you shouldn't break the screen with a rock (so it is a reasonable expectation for a casual TV owner) and there is no UI or other invitation from the manufacturer to do so.

    I can also claim that "everyone knows" you shouldn't install malware on your TV, and there's no invitation from the manufacturer to do so. In fact, LG's terms of service make it pretty clear that they have no control over the content of those third-party apps. They even explicitly disclaim any responsibility for loss or damage due to malware, and the customer accepted those terms.

    Even LG came around to agree with my position after a bit of pressure.

    Your "position" is so terribly uninformed that you don't even understand why it's wrong, and you don't understand that LG's position hasn't actually changed at all. That they went out of their way to give the user a reset procedure is a nice PR move, but it's not acknowledging any kind of mistake or failure on their part.

    Let me say it again, to make it absolutely clear for you: The customer accepted. They accepted that LG had no responsibility to fix malware. They accepted the TV at the time of purchase, and they used it for years. They accepted the service, and they accepted the risk. There's nothing left that LG is liable for. You don't have to like it, but everybody with an actual interest in this matter agreed that LG had no requirement to assist the user.

  19. Re:because they won't be resetting the tv. on Android Ransomware Infects LG Smart TV, Company 'Refuses' To Help (bleepingcomputer.com) · · Score: 1

    Either way, there exists a board that the CPU is mounted on. There will be a JTAG for that board. The CPU will be in the chain.

    That's not how it works. Not all boards have a place to connect the JTAG, not even CPU-bearing boards.

    That missing button was a manufacturing defect. It would be unfair to charge the time and materials to correct that to the customer.

    That's not how fairness works, either. It is indeed a defect, but the customer had accepted the product and used it for a significant period of time already. In the US, the general rule is "perfect-tender", which requires the manufacturer to deliver a product that's suitable for use, within reason. If the customer inspects the item with reasonable promptness and finds it to be defective, then the manufacturer has to repair/replace/refund it.

    If they can't do an hour's work without 9 hours of overhead, they deserve to lose money.

    That's not how a repair shop works. The time with the case open might be an hour, but it's also vitally important to do the overhead, like not lose track of where the customer's TV is. Again, there's also no guarantee that it's only an hour of work. Your baseless assertion that every board has JTAG accessible and that nothing ever goes wrong is ludicrous.

    The legal term you're looking for is "due diligence". Viruses, trojans, and rootkits rarely destroy their host, so a reset procedure that rewrites the OS memory from a stored file would have been generally sufficient at the time the TV was designed.

    Right. So they apparently failed to exercise due diligence here.

    That's not how due diligence works, either. The product passed inspection, worked fine for years for its intended purpose, and the issue is limited to an incredibly small number of units? That sounds like they did a perfectly fine job of the diligence that was actually due.

    As an aside, according to an update to TFA, LG did have the user try the reset again. It turns out he had performed it incorrectly the first time. So they apparently exercised due diligence here, and more.

    No, I am expecting them to take into account a threat that was very much in the wild at the time they designed the thing.

    The malware in question didn't exist until late 2015. Ransomware has been around since the mid-eighties, but didn't become widespread until Cryptolocker in 2013, and didn't arrive on Android until June of 2014, coincidentally when Google discontinued the Google TV project.

    The user did nothing but exercise the UI provided by the manufacturer with the level of skill that is to be expected of someone who simply bought a TV (that is, none). Had it been pro video gear, the manufacturer MIGHT have the right to expect better from the owner.

    As noted by david_thornley, you have no evidence of that. The ransomware in question is a payload from other malware, which could have been a remote exploit, or it could have been a side-loaded app. For all we know, the user could have connected the TV to a computer to extract and reverse-engineer the components.

    Let's suppose this was physical damage, rather than electrical. If the user had placed the TV face-down on a rock and cracked the screen, is it still LG's fault? After all, the user simply behaved "with the level of skill that is to be expected of someone who simply bought a TV (that is, none)". This is why manufacturer liability should never depend on what the end user does. You can't justly hold someone liable for someone else's actions.

  20. Re:because they won't be resetting the tv. on Android Ransomware Infects LG Smart TV, Company 'Refuses' To Help (bleepingcomputer.com) · · Score: 1

    No inventory or rework required.

    That's a wonderfully naive idea of reality you have there. Good luck with that.

    The same JTAG that writes the image will be able to run tests on the boards as well.

    Hopefully, but not necessarily. I'm not familiar with LG's product internals, but it's not uncommon for systems to have multiple JTAG connections for the various component boards. JTAG can only test things it has access to, which (again, not being familiar with LG's internals) may not cover things like "did the tech set the tv down on a screw and shatter the screen?". After repair work, you still have to run an end-to-end quality check, which is not just plugging in the JTAG and looking for the happy lights.

    You seem to be desperately imagining a complicated and difficult procedure (even though you don't seem to know much about it, have you ever used or even SEEN a JTAG programmer in person?) to justify a crazy high cost to do a simple thing.

    I've spent a few decades around electronics, including a few years doing electronics repairs. My day job currently involves occasionally programming via JTAG. I'm intimately familiar with the bone-headed processes and procedures involved in doing actual quality repair work.

    The JTAG will certainly have access to the right parts. The right part is the CPU.

    Not necessarily. If the TV is designed as a monolithic processing unit, and the CPU's JTAG is accessible, then that's a reasonable assumption. On the other hand, it could have been designed as a regular TV with the "smart" parts tacked on, as was the trend when smart TVs first came out, in which case the CPU is embedded into another module, which may or may not still have an accessible JTAG connector. Yes, I've seen a number of devices where the JTAG connectors were removed after use, because the manufacturers don't want competitors reverse-engineering their products.

    It would be an amazing coincidence that this mythical second failure just happened to occur while the TV was infected

    That actually comes from a "fun" story from my past as a sound tech. I was modifying an old rig, which involved pressing a nice big red button to switch how an amp worked. When I tried to find the big red button, I instead found a nice big empty hole. The button had never been installed, the failure was never caught in QA, and the customer had never needed to change that from the default, so it was never a problem until I arrived. Now I assume that every plan carries the implicit warning that equipment may or may not actually work, or even exist.

    To clarify, I don't think it's a second failure that happened recently, but more that the reset procedure (again, I'm not familiar with the details here) may require something unusual, and that function may have already been broken, but nobody noticed, so that's why the reset failed.

    but even so, they could offer to do the re-flash for free but warn that other repairs will be charged at $30/hr plus parts.

    That is an option, but again it's not the "real work" that takes the most time. Rather, it's the handling and overhead to run the procedure. How long does it take to generate a work order saying that this TV belongs to this customer? How long does it take to get the TV out of the receiving bay (or front desk) and get it to the staging area? How long does it take to move the TV to the work area? Is it a two-man lifting job, doubling the cost of the move? How long does it take to check out tools from the controlled tool room?

    They're all tiny actions, never taking more than a moment... but those moments add up. Then there's the general overhead like air conditioning and lighting, but those costs are fairly low compared to the per-item workflow.

    As for the rest, viruses and trojans have been with us for decades. Even when the TV was made,

  21. Re: because they won't be resetting the tv. on Android Ransomware Infects LG Smart TV, Company 'Refuses' To Help (bleepingcomputer.com) · · Score: 1

    Per TFS, the "secret incantation" (at least as available online) doesn't work. Maybe the procedure's wrong, or the software engineer screwed it up, or maybe the unit is broken more than the simple reset can fix.

  22. Re:because they won't be resetting the tv. on Android Ransomware Infects LG Smart TV, Company 'Refuses' To Help (bleepingcomputer.com) · · Score: 1

    The whole thing including opening the back and closing it back up again should take an hour.

    It "should take an hour", except for the handling, workspace management, inventory control, testing, rework, and other complications that come up in a "normal" repair job. If you expect to take an hour and things go abnormally (like the JTAG not having access to the right parts), there's no time budget left to fix it.

    You might be able to do the actual repair in an hour, but the company's not putting their legal fate in your hands.

    And if the device was perfectly suitable for purpose (which included unskilled people downloading new apps to it) it would have a fool-proof way for the end user to recover from bad software (intentionally bad or not).

    At the time the TV was built, that was assumed to be "delete the offending app". Ransomware wasn't a major thing yet. There's a reset procedure, but apparently that either doesn't work on this particular unit (perhaps due to a second unrelated failure, also to be diagnosed and fixed in the 10-hour window), or there's a highly skilled fool out there who screwed it up.

  23. Re:because they won't be resetting the tv. on Android Ransomware Infects LG Smart TV, Company 'Refuses' To Help (bleepingcomputer.com) · · Score: 1

    While you are spot on about the actual work involved to fix a modern device, I'm curious as to your assertion that some fraction of the world thinks that modern electronics are easily repairable. As far as I can tell, it's just the fine folks at iFixit that think modern electronics should be repairable.

    To clarify, there is a small fraction of Slashdotters specifically (themselves a subset of a fraction of the world population... I hope) that complains often about how manufacturers don't make user-repairable devices any more. They're most commonly found on articles about legal changes affecting repairs.

    There is also a surprisingly large fraction of the world that has no idea how modern electronics works. When something (integrated, no spare parts available) breaks, they think they can take it to a repair shop or to someone "good with computers", and the technician will pop open the case, poke some things with a probe, shine a fancy light on it, and it'll be as good as new again. After all, that's what they did on Star Trek. They get quite upset when told about reality, like "it'll take days to fix this", or "it's cheaper to buy a new one", or "your data is already lost". Now, I've done a number of miracles myself, finding and replacing bad surface-mount components and reflashing memory. Sometimes it's possible, but usually it isn't.

    As for the fine folks at iFixit, they're in an interesting middle ground. The vast majority of their guides are not really the detailed repair I describe, but more "how to replace X", where X is somewhat less than the whole device. While this does restore the device to functionality, I want to distinguish them from low-level repairs. iFixit's goals and methods are reasonable and admirable, not delusional.

  24. Re:because they won't be resetting the tv. on Android Ransomware Infects LG Smart TV, Company 'Refuses' To Help (bleepingcomputer.com) · · Score: 1

    I'd laugh at you for thinking that finding the screws is the time-consuming part.

  25. The term you're looking for is "due diligence".

    Yes, it's subjective, but also extremely common in any discussion of warranty. Given the age of the device in question, it looks like LG did "good enough". Remember, when this TV was built, ransomware wasn't really a common threat, nor were IoT botnets. An expert may have been able to find flaws, but it wouldn't have been expected that they'd really disrupt the TV.