Home Assistant blocked from integrating with Garage Door opener API (home-assistant.io)
no one has time for it
you bought the device you should own it
it's not even anything fancy where you could argue that continuous software updates need to be done or similar
also pass a law that all smart home devices had to go through a hub, no direct internet connection allowed, uh put it under "reducing DDOS potential due to long term issues with internet connected smart home device security"
I fully agree, this is the reason I mostly buy Zigbee devices for my smart home. The problem with this rule is that there is already a device on the market that complies with it on paper, but not how you intended: Amazon Echo devices act as Zigbee gateways. While I never tried it, I bet it will not turn on your lights without calling the mothership.
If this rule were to become reality, vendors would just sell you their "mandatory" hubs that handle the calling home part. Smaller vendors would no longer be able to offer their ESP based devices, even though I can easily decloud them via ESPHome etc, if even necessary.
From a purely idealistic PoV, I guess the only way we achieve ownership as you described is if we require by law, with proper enforcement, that reasonable technical people are able to connect to the device on a local interface. But this has so many weasel words already, it would be ineffective and/or lead to regulatory capture ("implement this 600 page, 200$ ISO standard based on XML, don't mind the proprietary extensions ensuring no interop!").
For me, the way to have some degree of ownership of my smart home is doing research before buying to ensure the device either runs on Zigbee, has a local network interface and does not rely on the cloud even for initial configuration or can be flashed with Tasmota or ESPHome with minimal fuss. I don't see this changing any time soon. It is sad that you need to have the knowledge and time to be able to "own" your smart home, but I at least can help my "tech support circle" where possible to make informed decisions.
I think that part is more important than demanding a hub. Demanding that the device can connect to a local hub (where "can" means "can easily be reconfigured without going through the original manufacturer or requiring expensive tools"...) speaking open protocols (and specify clearly what "open protocol" means, to avoid your 600 page, 200$ ISO standard) is more important than requiring that they must connect to a local hub. Also necessary to specify that you can carry out all the functions of the device via open protocols, or you'll get bullshit where essentials get locked away.
Personally, I don't care if I have proprietary smart home devices. I do care that the maximum cost and hassle if a manufacturer goes "rogue" like in this linked article remains low. So each proprietary device in current use reduces my willingness to get another one. Currently, all of my devices can be controlled via open source, and though some of them (some cheap Govee led strips) do call home, there are open source to talk to them, and worst case I can literally cut them off with a pair of scissors and replace the controllers for a pittance if they ever become a nuisance, and that makes them an acceptable choice (though whenever there are multiple options I will look for the more open one).
No, what should become the reality is that only HARDWARE vendors that make a living off the hardware and some corollary service will have the incentives to be on the market, instead of the behemoths like Amazon or Google that just want to harvest your data with mostly loss leader products.
Assuming no authentication/encryption/intentional obfuscation shenanigans (which would need to be covered), I don't really care if it is forced to go through a local hub if only they were required to provide an easy mechanism for pointing the device at a local network endpoint.
> all smart home devices had to go through a hub
I think ultimately this is the only way to get it to even work properly, let alone last long enough that the next purchaser of a smart home can use it reliably. But it will also slow innovation and Big Tech will hate it.
https://www.grainger.com/product/LIFTMASTER-Commercial-Door-...
Reading this is the first I've learned about ads in the app (sure enough, I looked and they are there now). This annoys me greatly as if the device bought and paid for isn't enough, so now they get to serve up ads...
Are there device brands that are more adequate for Home Assistant?
I have a meross garage door opener that uses homelink (a standard that virtually every garage door opener supports) to open/close the garage door with a sensor on the top of the door to detect when it's open and closed. It was $49. That's cheaper than myQ addons for chamberlain. It works with google home, ifttt and home assistant. (I have reminders set if the door is open for more than X minutes and if it is still open after a certain time of day).
Having to have "yet another app" (myQ) installed just to use a garage door is pretty ridiculous - if you're a power user you should understand the folly of using unofficial integrations and as an unofficial integration provider you should know you're walking on ice.
A garage door opener can be activated from the inside with a momentary pushbutton switch. It should be trivially easy to have a Raspberry Pi or similar wired in parallel, and have that running some code to enable remote operation by an app or service.
Having done some research into Chamberlain's products, I don't recommend anyone to use them if they have the choice.
I don't know what such a mandate would look like. I just know that we're at least a decade behind where we should be because the market isn't getting it done.
A quick Google search shows there were approximately 144 million homes in the US. Do wifi door openers really have 1% total home penetration?
More discussion over here: https://news.ycombinator.com/item?id=38186303
In our current system I see two ways to try to make this reality: 1) economic factors and 2) regulation. 1) will not happen, because the data is worth enough to big players that a small competitor can not compete on the hardware/software/service margins alone. You need to become as big and integrated as the current players to be able to offer similar features and prices. Sure, it is more choice, but the option is just as bad.
2) will not happen due to regulatory capture problems as I already stated. A big player can shoulder the burden of compliance easier than a small shop. Maybe, just maybe, there is hope if anti-trust actions split up the existing big players, but I am not holding my breath.
The third way, one small group of indomitable Gauls^Wnerds still holds out against the invaders, is what we currently have and what offers a little bit of hope to me. But I fear this will never become the norm.
Just one of the most awful customer hostile products I've ever wasted money on.
I just clicked ratgdo's buy link to support the nice, well-documented open-source [3] project. In truth though I have the right hardware sitting around here already, so I might just use that depending on how long the "back ordered" status lasts...
[1] There's a Home Assistant integration for the Elk M1 Gold with some Python library; I also have my own WIP Rust library for interacting with it here: <https://github.com/scottlamb/elkm1>
[2] something like this one: https://www.amazon.com/Gebildet-Security-Rolling-Magnetic-Ap...
[3] docs at <https://paulwieland.github.io/ratgdo/> but the actual code is in a separate repo at <https://github.com/ratgdo/esphome-ratgdo>
ratgdo[1] is close.
I'm not big on DIY hardware. This has made the "pre-packaged" solution around an open standard nice. Integration within HA was very straightforward.
It is exactly this. Average Joe just downloads the MyQ app for remote control. Or uses Wyze, or Tapo, Kasa, etc, for whatever they buy. The number of people trying to get everything integrated into a single environment like Home Assistant is low. Which makes sense, because HA is a pain in the ass if you're not already technically inclined. Regular folks just don't have any appetite to deal with that.
If there's one thing I'm dedicated to now, it's that all of these custom cloud IoT things are transient user hostile junk. If it's not open source and in my control, then it's not mine.
Also I understand one of the reasons this isn’t a standard offering is because garage openers have a hard time not crushing things? Kind of surprised me.
I'm thinking I'll just get a cheap garage door opener remote, solder the trigger pin to the button on the remote, and tape that to the ceiling next to the z-wave controller. Janky, but at least I'll be able to get it functional again to send the command.
Honestly I was always bothered that it used a cloud API at all. The device is right there in my house, on my own wifi. Why should it even phone home if I don't need it to?
I just chucked my MyQ device and replaced it with a Meross MSG100HK--it works perfectly and natively with HomeKit--no cloud service required. Incidentally, the latency is much lower too.
The device is basically a wifi-enabled, USB powered "dry contact" switch. You connect the pigtail in parallel with your existing wired open/close button. There's also a magnetic sensor (similar to what old door alarms used) that goes near the door to verify it has closed.
Homebridge + HomeKit is also an excellent middle ground between Home Assistant and HomeKit alone w/o having to go with some cloud-based solution.
For example, I wanted my garage door to automatically open and close as I leave and arrive in my car. Here's how I did that.
I have a pair of dummy switches in Homebridge. One of those tracks the state of whether my phone is in CarPlay mode or not. I do this with a Siri Shortcut on my phone that toggles the "CarPlay status" dummy switch when my phone enters/exits CarPlay mode. The second dummy switch triggers my garage door to open/close whenever the dummy switch turns on/off. This is a work-around for the opener itself being a secure accessory which HomeKit won't operate w/o the phone being unlocked. The last piece of the puzzle is a HomeKit location-based automation: if my phone leaves my home location and the "CarPlay status" dummy switch is on, then set the garage door dummy switch to off; if my phone enters my home location and the "CarPlay status" dummy switch is on, then set the garage door dummy switch to on.
I drew the home location as tight as possible around my home. The door opens just as I'm pulling up to my home and I see it close just as I'm leaving.
As to why I don't just use the CarPlay garage door button: I mean, why automate anything? Also, if you have multiple garage doors, there seems to be no rhyme or reason to which door CarPlay gives you the button for.
As to why I don't just use the button on my rear view mirror: Again, why automate anything? My mirror also has 3 buttons and it's easy to accidentally press the wrong one.
I have about 20 schedules to close the door lol
That said, I _do_ have an automated gate controller. The installer wanted some insane amount to connect it to wifi. Politely no. An esp32, a couple of relays, some reading in the installation manual about control circuits and a bit of custom code... And now the gate is on local wifi, easily integrated with HA, and nothing opaque about it.
Do garage door openers have the same sort of control circuits?
My solution, after looking into every off-the-shelf option, was to take an esp32 running esp32home + Home Assistant and hot wire it to buttons and status LEDs on a remote + base unit and stick it on the shelf in the garage. It's not pretty, but it works reliably.
I’ve already soldered contacts to a garage door opener to a relay with esphome. That works well, but doesn’t give me as much info as theirs does. I also am at risk of the battery dying.
It’s incredibly annoying and dumb and I now have to get some. grumble
Edit: no you can't, if it's the fancy one. You gotta hack a switch like this: LiftMaster 883LM Security+ 2.0 MyQ Door Control Push Button
On a side note, i do love my home assistant, but ANYTHING that has to do with entry into my house is not and will not be automated, garage doors, door locks, etc. However that is my personal paranoia talking.
Aren't there plenty of great stand alone garage door openers that you can wire a smart relay or whatever into?
From what I can see there are plenty of "wifi garage door adaptor" options and everything looks to have pretty standard wiring, it's only not "plug and play" cause it's bare wires rather than plugs but it's essentially the same.
It's more like 'why not?'. It's still a dumb opener with a physical button and wireless remotes, and all the same third-party tricks work the same.
A nice thing about tight integration is that you don't need a bunch of extra wiring and a kludge to figure out door status. Minor annoyance, but real.
In any case, I'd wager a fair number of the people complaining about this don't even have the newer 'smart' openers, they have the original MyQ Internet Gateway or the newer MyQ Home Bridge. Liftmasters have been a very popular opener for decades.
No doubt they want to exploit that data and begin integration with all their shady Real Estate business [3].
Their new CTO/Executive VP says in one of their PR news: "With Blackstone’s partnership, we will capitalize on new market opportunities". And a Senior Management Director says "...unique opportunity to build on its leadership position at the center of housing and e-commerce megatrends (...) expansion into connected homes, businesses and communities" [4].
Very alarming in times that big owners are trying also to force biometric data collection in their buildings (see Atlantic Plaza Towers) or are blindly giving information to agencies (see Amazon Ring cameras and the likes).
Now, the rant:
Of course, with one hand the CEO is donating to buy his name in institutions: "There is a Stephen Schwarzman building at the New York Public Library, a Schwarzman centre at Yale University and the Schwarzman College of Computing in Massachusetts. Soon, the University of Oxford will open the Schwarzman Centre for the Humanities, funded by the largest single donation it has ever received." [5] and the other is receiving billions from universities like UC to speculate in real estate [6].
One would say it's curious how Schwarzman creates a huge publicity stunt with "biggest single donation 'since the Renaissance'" (£150m) [7], but why would it be important to donate to Oxford, when they have almost £8b in endowments... [8]
1: https://www.blackstone.com/news/press/the-duchossois-group-completes-saleof-chamberlain-group-to-blackstone/
2: https://www.wsj.com/articles/blackstone-to-buy-chamberlain-group-11631019601
3: https://www.theguardian.com/us-news/2019/mar/26/blackstone-group-accused-global-housing-crisis-un
4: https://www.prnewswire.com/news-releases/chamberlain-group-adds-top-tech-leader-dan-phillips-as-cto-to-accelerate-companys-technology-transformation-301744538.html
5: https://www.theguardian.com/business/2022/sep/29/blackstone-rebellion-how-one-country-worlds-biggest-commercial-landlord-denmark
6: https://www.latimes.com/business/story/2023-01-20/university-california-blackstone-real-estate-fund-housing-prices
7: https://www.theguardian.com/education/2019/jun/19/oxford-receive-biggest-single-donation-stephen-schwarzman
8: https://en.wikipedia.org/wiki/List_of_universities_in_the_United_Kingdom_by_endowment#Endowments_over_%C2%A31_billion
There is a part of me that wants to break the damn thing open to hunt for a 3.3V line so I can power the ratgdo without a USB PSU...
Is it hard to find an "IR blaster" equivalent for this kind of signaling? I'm just bewildered to understand why someone with the focus on self-hosted infrastructure that Home Assistant implies can still end up in a position where a third-party API restriction can pose a problem in controlling a locally installed device.
> Buy products that work locally and won’t stop functioning when management wants an additional revenue stream.
1. My wife can check that we didn't forget to close it instead of driving 20 minutes back home to quell her nerves.
2. We can let a friend or neighbor into the garage (or into the house if we use the smart lock on the door inside the garage) when we're not home. Without giving permanent access to a key or PIN code.
Seems like a bit of an ill-adaptation. I used to want a smart door lock for exactly this reason, but instead I learned to be mindful when I close my dumb door...
Also many smaller smart home device manufacturers with an app seem to be heading in the direction of wanting to expand into other smart home devices and lock you into their proprietary ecosystem, while the rest of the industry simultaneously seems to move towards more interoperability via things like the Matter protocol, presumably to make it easier to interact with various voice assistants without requiring an individual gateway for each one.
This is just another reason to distrust any smart home device that doesn't support ZigBee, Matter, or a similar purpose-built local protocol.
I thought all garage doors had this, but from ratgdo's website I learned that the newer Security+ 2.0 ones don't. Possibly as part of the same money grab to prevent local/third-party; paulgerhardt's comment nicely explains the motivation for that. [1]
If only there was a LOCAL way. But I can't poll the device locally. I can't send it commands.
But it is external to the device, you're right :) And for some crazy reason this guy is getting a lot of orders recently ;)
To each their own. The other options seem to work great for most people. But RatGDO will work best for me (And they arrive tomorrow. Stoked). I want to know exactly when my door starts to open. Not 10 seconds later when the tilt or reed sensors are triggered, because I want my exterior lights to come on immediately and voice notifications to not be delayed. Also I want to lock my wireless remotes out at night and when I'm away because my wife uses her garage for projects and parks outside with her remote in the car. Lastly I want something that appears the least messy.
My only minor concern is Chamberlain would somehow try and gimp this solution with a firmware update. My initial thoughts were that they would probably break the wall buttons in everyone's homes. I still don't believe they have the ability to update the wall button firmware to work with any changes to the software in the motor. Everyone started echoing that after I made an assumption about it, but I'm not 100% certain if it's the case or not. Alas it doesn't matter because I'm disconnecting my doors themselves from wifi, unpairing them from MyQ and deleting my account once my RatGDOs are wired up.
I can open the door from anywhere to let someone in if they've forgotten their keys (times I've done this is > 0).
I can enter the house through the garage if I've forgotten my keys (times I've done this is > 0).
I have given access to my house to a houseguest without giving them a set of keys to my house; I easily revoked this access when they left.
> Our customers rely on us to make access simple without sacrificing quality and reliability. Unauthorized app integrations, stemming from only 0.2% of myQ users, previously accounted for more than half of the traffic to and from the myQ system, and at times constituted a substantial DDOS event that consumed high quantities of resources.
Yeah, that sounds plausible, because:
- Home Assistant users are power users, thus more likely to actually use the devices in question;
- Official IoT software and integrations are uniformly shit, designed to discourage effective use (while maximizing data collection).
Thus, I read this statement as: "We're not happy that some of our customers decided to actually use the 'smart'/'connected' aspects of our product; our service-providing part was not ready to provide the service, and unlike the data collection part, it was never intended to."
I bought a Miku baby monitor specifically because of the 2 devices that offered a feature I wanted, Miku had no subscription fees. And they advertised that they never would. It cost $400.
Then they went bankrupt and during bankruptcy they sent out a proposal to start charging for previously free features. Then they retracted that proposal. Not sure if the judge shut that down, or what happened. But then they sold to a company conveniently created the day of the sale.
Within a month the new company forced out an over the air update that disabled most functionality until you pay them $10 a month (they went bankrupt in the first place because they did a normal over the air firmware update that bricked every single unit and had to replace them all).
Last time I checked they were still being advertised on Amazon as being subscription free.
Honestly I think we need regulation to force companies to purchase a bond to provide basic security and support for any IOT devices they sell for some number of years from the purchase date. I don’t see any sign of the market solving this anytime soon.
Sounds to me like it's about time to publish some 3rd party firmware for the hubs/embedded controllers in the openers. Software developers who tolerate implementing consumer-hostile antipatterns all day long tend to be absolute shit at embedded systems security. At the end of the day it's just a garage door opener. The hardware is based on an FN-Link WiFi IOT module with fairly minimal customization. The door sensor is BLE. This shouldn't be too hard to root.
You don't need anyone's permission or API to control any garage door opener --- smart or dumb. The suggested "ratgdo" device is one option but looks kinda overpriced to me.
Every garage door opener has 2 sets of dry contacts. One set controls the open/close function and normally connects to a physical button on the inside wall. This is easily shared with any other device. The other set is a limit switch that tells the motor to stop once the door is open. This too can be easily shared and read.
All that is required for full control is a wifi device with 1 output and 1 input that speaks Home Assistant. Sonoff or some other manufacturer must have an affordable one. If not, maybe I'll make one. It's not that hard with readily available hardware.
Either way, they'll almost certainly pull the plug on this service sometime before the end of the decade.
Why in the hell does a garage door opener need a server?
Oh, data collection. And subscriptions. Nothing for the user.
I avoid any home automation thing that has any cloud backing that's not strictly optional. It's a strong anti-feature. In home stuff cloud means it won't work when the Internet is down, it spies on you, and it can become a brick or start requiring a subscription at any time.
This makes sense (and myQ’s privacy policy is a nightmare: https://www.myq.com/privacy-notice) but I’ve never understood how this particular bit of data is valuable to anyone. Any ideas?
Because the user is almost certainly installing the device behind a NAT with a dynamically assigned public IP. These are mass-market garage door openers, not devices targeted to those familiar with advanced network configuration.
I also avoid cloud connected IoT stuff. I have the luxury of doing so because I have IT skills. For those who do not, accessible alternatives simply don't exist.
And obviously people with HA will use it more than people that have to wait a ridiculous amount of time every time they open that stupid myq app. It was terrible.
>50% traffic from 0.2% of the users is far too big of a discrepancy to just explain it away with powerusers. Customers too have to follow a fair level of usage.
> designed to discourage effective use (while maximizing data collection).
What valuable data can they collect, if nobody is using it?
What permissions does the app have? If it has location data so it can open/close the garage door based on proximity, it can probably collect your location whenever the phone is on and that can be sold to data brokers. That's just an example. There is potentially a trove of information the app could collect and sell and not just when the user has the app open.
Of course if the app is never installed it collects nothing. I wonder if the vendor requires the app to be installed for initial configuration.
And IAC, it would be preferable (to me) to have a device that works entirely locally.
They do support allowing their paid partners (eg, Amazon) to open your garage door for deliveries. I think this last part is where they get "value".
This is bullshit. Their app is bloatware that they use to try to push additional services like Amazon home delivery etc. I mean it’s just a button, that’s all it needs to do.
I’m going to replace it with one of the recommended devices. This is such an overt money grab.
In the past the app has gone to the lengths of making us try to use their own assistant (!).
Why the fuck would I ever want to use a voice assistant from my garage door provider? Seems like a desperate attempt to enter a market that doesn't even make sense for them as they currently are.
I don't mind it at all. App works, fairly fast, the stupid extra stuff is just a chunk of the screen I can ignore / don't have to do / interact with.
I don't approve of the API situation but the app itself doesn't feel particularly bad.
Chamberlain/myQ makes very low cost (likely loss-leader) mass manufactured devices. Like anything else if you can identify 0.2% of your users leading to 50% of an issue you're having the reasonable thing to do (from a business perspective) is to just cut them loose. If this CTO or anyone at Chamberlain were to try to champion support for HA users people with the numbers would look at them like they are crazy. For 0.2% of the user base it barely justifies anything more than a 10 minute conversation with a foregone decision.
I use and love Home Assistant. While it's a "big deal" to techies and power users like us the total installed base (as these numbers show) is infinitesimally small when you zoom out and look at the total "smart home" market. There are 275k active Home Assistant installations[0]. This number is already tiny compared to myQ sales. Then you can check the myQ integration and see that it's only used by 3% of HA installs[1]. Home Assistant is insignificant to Chamberlain and Chamberlain is insignificant to Home Assistant.
For a device that sells for $30 8,250 HA installs is $247,500 of total device lifetime revenue. Chamberlain has $820m of revenue per year. Even if every one of these installs bought four devices that's less than $1m. They. Do. Not. Care.
Again, I don't love this either. It's a jerk move but when viewed through the eyes of a cold and calculating business it makes perfect sense. Frankly I'm surprised this decision didn't come sooner. Especially when you consider all of these awful commercial devices really want you to install their app so they can push who-knows-what and upsell at every possible opportunity. That's an entire revenue stream they will never tap into with users utilizing the API and few businesses can resist gobs of money they see as ripe for the taking. Sad but true and standard for nearly any business. Even more so for a de-facto monopoly like Chamberlain.
HA users and people here are outraged, and that is completely fair but with these numbers Chamberlain isn't even going to remotely feel this.
At the end of the day HA is extremely powerful and the ecosystem and maker-ish community around it is incredibly robust. A device with a contact sensor on door close/open and relay (or something) to toggle the door is trivial. It's what I've been using since before MyQ or anything like it was even on the market.
Just avoid the commercial "IoT/smart home" junk whenever possible.
Nit: That they know of. As you say it's a techy product and I would assume that techy types are the exact kind of people to turn off analytics.
Why is Chamberlain's API so brittle it can't stand prodding from what they claim is a tiny fraction of users, even if those are misbehaving? Do you agree that comparing that to DDoS is ludicrous, and suggests either dishonesty or a fundamental misunderstanding of what "DDoS" means?
Judge for yourself, here's the code:
https://github.com/home-assistant/core/tree/5523e9947d82ac14... (before it was removed)
These days the local RF ones are very solid. Modern DECT-based systems use encryption and frequency hopping so once paired you're not realistically going to get someone listening in.
The only benefit I see for these cloud connected cameras is if you're out of the house and are going to check in on the baby sitter, but in the end I'm not even a big fan of that feature. There's tons of pros for the local RF ones and few negatives, and mostly a bunch of unknowns and concerns with the cloud ones.
My wife is a pediatric ER doctor and she thinks the breath tracking radar is stupid, but I like to be able to look over and see the graph because I’m a crazy person and otherwise I’d zoom in on the camera and stare at it until I see movement.
You can report this action to the ftc https://reportfraud.ftc.gov/#/
"Location" (while using App) and "Notifications". So it can locate you when you trigger it, but it can't track you all the time.
Legit solution would be for the company to allow local access to the garage door to check the state without needing to go through their servers.
But let's get real, 0.2 of customers are probably also matching around 0.2% of their income with those products. So it's probably not really a problem, short term.
Long term, they probably have damaged their brand hard, and missed out on some revenue from grassroot marketing. But that's a problem of future chamberlain. Today, the one responsible for this has solved their problems, calls it done and gets their paycheck.
And who knows, maybe next year they switch to Matter, get some good marketing from it, raise the sales and the victims from today are forgotten. That's business..
I was not aware of there being ads in it, but I just looked, and you are absolutely right, there is an ad at the top. It looks like it's for their home security camera.
Based on my experience with the company, I would not purchase additional products from them. Not based on my desire to use home automation or homekit, just on the fact that the app is poor.
The garage door openers themselves, however, which have battery backup and which open quietly and with a gradual slowing near the finish, are pretty decent. Mainly I wish they had a better, faster app, as the garage door is the smart home thing I used most (followed by maybe Rachio).
It used to ask me to provide a rating every time I opened the app. I eventually added a negative rating because it kept asking even after I had answered "Do not ask me".
I just want to get local access to my openers.
If it works for you, that's great. I'm not trying to yuck your yum, just sharing my own personal experiences.
It used to lol! But it’ll be a cold day in hell before I pay to use the thing I already bought.
We’re about to have our next baby and I have no idea what solution we’ll end up with. I might end up trying to hack the Miku. I used to be an embedded software guy long ago.
I initially bought the bridge because I thought a wireless relay spliced into the hardwired door switch would be too much trouble, so I'll spend a little and save some time. Boy, was I wrong.
It'd be possible for a knows-enough-to-be-dangerous customer to modify their system in such a way that they unwittingly allow unauthenticated local access. From my point of view, Chamberlain/MyQ should be totally indemnified in such scenarios but I'm not sure how murky the legalities would be in terms of getting judges/juries to accept "caveat emptor".
EDIT: Maybe there's a way to ensure customers have signed an indemnification agreement before unlocking local API access? I guess there'd also need to be a way to ensure/promote a factory reset if/when ownership/rentalship changes.
I'm sure this is a solvable and solved problem, but I do believe it is non-trivial, and potentially a major headache for a company to implement just to support a tiny niche of users. I'd be delighted to find out I'm wrong though!
And, unfortunately, the business case isn't there, since this weakens lock-in effects. I don't endorse this reason—that's why I run my own HA instance and don't buy or use any products that require the cloud or otherwise can't be operated entirely locally (including flashing Valetudo to my robot vacuum!).
It’s not a perfect solution since it costs money but it’s a nice alternative to exposing your HA instance or some other front end proxy to the internet.
It is also much easier for those without easy access to extra static IP addresses. Given the target audience I think it's probably the right approach.
If you served the entire US (130 million households) and had a 1 hour keepalive, that's only 36k packets per second, which is nothing.
You could also auto-train the idle timeout by using a pair of TCP connections. One uses a known good value while the other probes upwards until it finds its connections start getting closed (with some optional binary search fanciness), feeding new known good values back to the first.
(Obviously the no-cloud solution is better still)
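The idle-timeout training idea from the comments above, as an added sketch that is not code from the thread or from any vendor. The middlebox is simulated, and `SimulatedPath`, `train_keepalive` and every number except the thread's 130 million households and 1 hour keepalive are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SimulatedPath:
    """Stand-in for the NAT/firewall between device and server (constructed)."""
    idle_timeout_s: int  # the mapping is dropped after more than this many idle seconds

    def survives_idle(self, idle_s: int) -> bool:
        return idle_s <= self.idle_timeout_s


@dataclass
class TrainingResult:
    keepalive_s: int                                   # interval the primary connection ends up using
    probes: List[Tuple[int, bool]] = field(default_factory=list)  # (interval tried, survived?)


def train_keepalive(path: SimulatedPath, start_s: int = 30,
                    ceiling_s: int = 3600, tolerance_s: int = 5) -> TrainingResult:
    """Find the longest safe keepalive interval using a second, expendable connection.

    The primary connection only ever uses `known_good`, so the device stays
    reachable while the probe connection is allowed to die.
    """
    if not path.survives_idle(start_s):
        raise RuntimeError("starting interval is already too long for this path")
    known_good = start_s
    known_bad: Optional[int] = None
    result = TrainingResult(keepalive_s=known_good)

    while known_good < ceiling_s:
        if known_bad is None:
            candidate = min(known_good * 2, ceiling_s)   # probe upwards by doubling
        else:
            if known_bad - known_good <= max(tolerance_s, 1):
                break                                    # bracket is tight enough
            candidate = (known_good + known_bad) // 2    # binary search inside the bracket
        survived = path.survives_idle(candidate)
        result.probes.append((candidate, survived))
        if survived:
            known_good = candidate                       # feed the new value to the primary
        else:
            known_bad = candidate                        # probe connection was closed
    result.keepalive_s = known_good
    return result


def keepalives_per_second(devices: int, interval_s: int) -> float:
    """Server-side keepalive packet rate for a fleet, as estimated in the thread."""
    return devices / interval_s


if __name__ == "__main__":
    outcome = train_keepalive(SimulatedPath(idle_timeout_s=350))
    print("trained interval:", outcome.keepalive_s, "s after", len(outcome.probes), "probes")
    print("fleet rate at 1 h:", round(keepalives_per_second(130_000_000, 3600)), "pkt/s")
    print("fleet rate at trained interval:",
          round(keepalives_per_second(130_000_000, outcome.keepalive_s)), "pkt/s")
```
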
https://support.nuki.io/hc/en-us/articles/12947926779409-MQT...
Then a few months later I decided to try again and be very careful and deliberate, and ... it worked. Just like it was supposed to. Sigh. No idea what incantation I did right, but now it has been working for several years without a hitch.
I did recently buy a ratgdo (well, ordered it at least, it hasn't arrived). That's my backup plan if the Home Bridge decides to go tits up.
Order of magnitude higher, same point, same result.
I agree it's wiser to avoid such situations but a lot of people end up delegating this kind of responsibility. If enough of them end up burning their own fingers, that could go badly for a provider. Even if frivolous lawsuits weren't a thing, a spate of ignorant but angry social media posts could be very damaging.
Again, I'm not saying I necessarily have a solution or that hardware owners should have hurdles placed in their way. I'm just pointing out that in some ways the provider may be damned in one way if they do and damned in another way if they don't.
I suppose the IoT sub-sector will end up in similar proportions to other, older tech: Some vendors, analogous to e.g., Red Hat or Linode, will specialize in catering to enthusiasts / power-users and have fairly noncommittal / at-your-own-risk / no-warranty license agreements. However, if the past is any indication, most people will end up doing a lot of business in walled-garden analogs of Apple or Facebook.
In fact, after my initial irritation, I thought "at the end of the day, if they made a couple shortcuts available then I could still say <Hey Siri> Open the Garage door" – It's not perfect like homekit but it'll go a long way to placating many of us who don't want to keep launching a separate app.
I buy a connected garage door opener. The provider knows my geolocation, my name, email address, socioeconomic status, even the phone I own. Inferences can be made on activity such as "they leave for work at 7am when garage door opens".
The collection of data doesn't need to be used specifically for reengaging me with Chamberlain. It is now an asset to the company that can be sold to others as outlined in their Information Sharing section. Which basically says "we share it with everyone".
Partners can be anyone from insurance companies to academic researchers. Remember that partners aren't limited to just one data set. They have the ability to ask multiple companies: "What data do you have for all occupants of houses in this geographic area?"
Yup. And to make the issue clear: there is no such thing as "anonymized data", there's only "anonymized until correlated with enough related data sets".
* someone who drives frequently may rank higher for automotive products and services
* use to independently rank other statistics, i.e. someone with kids probably comes and goes more than a single person or non-child-rearing couple. Take the dataset where you know they have kids (and myQ) and see if you can detect the ones with kids using only myQ data (plus other statistics). If it allows you to infer this property accurately enough, profit.
* Someone who comes and goes a lot is most likely not physically disabled, so exclude them from those specific marketing materials.
* someone who is home a lot (hardly ever opens their garage door) might like to spend money on useless gadgets, try selling them IoT toasters
Having options like this is great for powerusers, but the vast majority of people are not that. They need something that just works. Of course that still doesn't mean they need their garage door collecting telemetry data, but they need something more than a LAN-connected smart device.
That being said, setting up the HA and Wireguard server is definitely a more demanding experience. Although once set up it's pretty much a once and done sort of thing, and there are integrated ready to go solutions available.
It would be nice to see something like "Geek Squad" offering that sort of service instead of just running AV software while trawling for nudes on customer laptops. No guesses on what's more profitable though.
You don’t need a cloud server to remotely access a device.
For example, Apple Home does not work by default over WireGuard.
Not for the average consumer.
I actually have gotten to know a lot of folks who are massive into home automation, who also know precisely fuck all about computers or whatnot.
Allow package deliverers to put a package in your garage instead of on your step.
When I had MyQ, I used it almost exclusively when I was on my motorcycle. I had it configured so that I could tap a button on my phone that tracked my location and enabled a geofence around my house so it would ping the MyQ to open when I got about a quarter mile from home. I called this my "riding home" mode. This saved me the trouble of having to get my gloves off and open the door through the app when I got to my driveway, and I didn't have to leave a garage door opener on/with my bike.
These very practical daily occurrences can make devices incredibly annoying and frustrating for typical consumers who want it to just work.
I'd rather that it use the LAN, if I'm there at the time.
Data collection and remote access can just be their own functionality.
Haha, she's got you there.
I guess you started using Home Assistant recently / shortly... and/or you use only a few HA integrations.
Otherwise, you would have already run into enough troubles with updates.
2) Even if the above were not true, at that point you're back to an internet enabled smart home device system, and now we're simply picking which vendor to trust over the other. But in both cases, the option for the vendor to collect telemetry data about your usage of the products exists.
There is really no viable way for the typical consumer to be able to both have a good product experience for something like this, and to prevent a cloud vendor from having access to their data. Unless I'm missing something obvious.
Home Assistant Cloud is essentially a TCP-level proxy (IOW Nabu Casa sees jack squat):
> The remote UI encrypts all communication between your browser and your local instance. Encryption is provided by a Let’s Encrypt certificate. Under the hood, your local Home Assistant instance is connected to one of our custom built UI proxy servers. Our UI proxy servers operate at the TCP level and will forward all encrypted data to the local instance.
> Routing is made possible by the Server Name Indication (SNI) extension on the TLS handshake. It contains the information for which hostname an incoming request is destined, and we forward this information to the matching local instance. To be able to route multiple simultaneous requests, all data will be routed via a TCP multiplexer. The local Home Assistant instance will receive the TCP packets, demultiplex them, decrypt them with the SSL certificate and forward them to the HTTP component.
> The source code is available on GitHub:
> SniTun - End-to-End encryption with SNI proxy on top of a TCP multiplexer
> hass-nabucasa - Cloud integration in Home Assistant
Typical consumers have no way of ensuring their UI is, in fact, encrypting the data and not farming it out. They cannot verify the source code themselves, because they don't have the technical skill set they'd need to do so (nor, frankly, the time). They're reliant on the goodwill of whoever packaged and installed the offering for them not doing anything to that offering.
Technical power users can circumvent this because they can build/install from source, verify keychains, read the source, etc. Non-technical users can't do this, and need someone to help them. That someone will most likely be in the form of a third party organization that does this in exchange for money. They're placing their trust in that third party.
The point I'm getting at is that, eventually, a consumer has to trust a third party who may have incentives that don't align with their own. They're just playing a game of which vendor to place that trust in. This is why centralization is still the predominant architecture choice for the overwhelming majority of products, even in a world where myriad decentralized solutions exist for almost everything. It turns out that having bespoke third parties run decentralized solutions for customers is often not a better product experience, and still has the same root problem even if it manifests in different ways.
That's true for literally anything, not just IoT security and privacy. I mean, even for highly technical users, one can't do everything from scratch, nor even check and control every single aspect: you gotta trust that the computer hardware or OS you're using isn't backdoored, you gotta trust the people that built the place you live in didn't put half the rebar actually needed or wired the whole thing backwards or with thinner-than-required wires, you gotta trust that the food you eat isn't going to make you sick...
Same for HASS, one could delegate trust to a specialist that would install a HA Green or Yellow box for them, just as they do for electrical wiring. HA is only "third party" because the IoT place lacks standards but is in essence no different than wiring stuff from different vendors, where "myriads of decentralised solutions" exist only because of standards, and for which decentralisation essentially means everyone is a third party to everyone else.
So I don't think dismissing HASS as third party is fair, and wiring IoT with virtual wires is no different than wiring a breaker box. If you don't know how to do it it can be dangerous, and so you delegate and trust someone to do their job properly.
The problem is that approximately NONE of the commercial vendors are in any way trustworthy. They're really pushing hard the degree of abuse they inflict on the customers, and social immunity takes a long time to build.
The ultimate solution IMO is to have people trust in people they can actually trust - that is, make the third parties local. A partner, a kid, a neighbor, a small company servicing the local community and physically located in it. At this scale, trust can be managed through tried-and-true social techniques humans are innately good at, and have successfully used for many thousands of years. This is how you make most of the tech industry and adjacent problems go away.
This is where ideas like non-shit IoT, Right to Repair, Free (Libre) Software, and even "how to not fuck up foreign aid 101", all converge. The point isn't to make everyone their tech support. The point is to allow local communities to be more self-sufficient, able to manage technology on their own - as opposed to outsourcing everything to some faceless companies that have no attachment to any given community.
Note that this doesn't preclude business - on the contrary, local businesses are the fundamental part of any community larger than a couple dozen people; the ideas converge not on everyone doing stuff pro bono, but on small, local businesses* doing things for their communities, accumulating and retaining know-how.
I wish more people from aforementioned movements realized their ultimate goal (at least in form that's possible in the real world) is the same, and joined forces.
They're really two different markets, the bulk of the home automation market doesn't want to spend $10K+ for a contractor to check the same feature boxes that something on the shelf at Home Depot can do for a 3-digit price tag. Labor is really expensive, so home automation contractors operate almost exclusively on the high-end of the market.
Contrary to the popular sentiment in a lot of the comments here, there’s not much value in the analytics. As we all painfully found out in the 2010s, there are only two viable recurring revenue streams in the IoT space - charging for video storage and charging for commercial access. Chamberlain does both with the MyQ cameras and with the garage access program to partners like Amazon and Walmart. Both retailers have a fraud problem (discussed here https://news.ycombinator.com/item?id=38176891). “In garage delivery” promises dropping delivery fraud to zero - i.e. users falsely claiming package theft. That solution is worth millions to retailers, naturally Chamberlain would like a cut but only if they can successfully defend that chokepoint.
For historical reasons having to do with the security of three or four generations of wireless protocols used in garage doors they can’t (and products like ratgdo and OpenSesame exploit this.) Other industries such as automotive have a more secure chain of control over their encryption keys so one has to (for instance) go to the dealer to buy a replacement key fob for your Tesla for $300 and not eBay for $5.
Given the turnover in leadership there I’m not surprised the new guy needs to put their hand on the plate to see it’s hot, but there’s a reason this wasn’t implemented before and it wasn’t because of lack of discussion. I can see the temptation in going for monetization given their market share but I think this approach was ill conceived rather than fix foundational issues which would allow home users to integrate with 3rd party services and still charge industry partners for reducing incidences of fraud.
AND
Chamberlain expects me to weaken my digital security posture so they can run some opaque crap on my network¹ that I have very little observability into and even less control over so they can make money?
Money is one hell of a drug because they are high.
How about amazon builds (at their expense) an amazon controlled box, slap a mcu on, do authentication over nfc, rfid, etc etc. Offer it to customers free of charge, hell throw in a sweetener to get them to adopt.
[1] I have a default deny in AND out isolated vlan for crap like this, even if you don't have a network background try to set one up if your networking equipment is capable.
E.g. for us in South Africa, this would be unthinkable, regardless of how much time it saves the delivery company. The only time a parcel is left at the door is when it's UberEats. Otherwise delivery is rescheduled if we don't physically collect parcels in person. This is partly an access issue (many houses/apartments/estates have gated access) and largely a trust/crime issue.
I mean, they already do exactly this — this is what Amazon Lockers are. It's just only seemingly worth it to Amazon to deploy them to commercial customers, e.g. at post offices, in front of Whole Foods locations, in some very large apartment building complexes, etc.
(My own guess as to why the economics don't work out for individual residences, is that a hypothetical smaller locker — one small enough to fit on a porch — would also inherently be lightweight enough for thieves to just cart away wholesale.)
Let’s just take a step back here and recognise that we’re asking online retailers to leave our deliveries outside our homes, with direct access to members of the public, but we’re also asking for them to assume responsibility if the packages are stolen.
Morally, in isolation, it’s not a very defensible position for the consumer to take. I personally don’t feel so bad about it when it’s Amazon — they can afford it, basically — but in general it’s not realistic for porch pirates to be anyone else’s problem except the consumer’s.
Most people get quite irked when someone steals their Amazon package between the time it was left at their door and the time they actually try to get the package. Hence for most people who occasionally receive Amazon packages when no one is home to quickly take it inside a way to let Amazon put the package in their locked garage is a benefit.
> How about amazon builds (at their expense) an amazon controlled box, slap a mcu on, do authentication over nfc, rfid, etc etc. Offer it to customers free of charge, hell throw in a sweetener to get them to adopt.
Like Amazon Lockers? That's not as convenient as delivery to your home. Or do you mean they should provide lockers to individual homes?
I'm not sure that would work. If the home locker was not very heavy or very securely attached to something immovable package thieves would just steal the lockers.
As for your security concern it's not unfounded but if your garage is built like most in the US there's probably already a locking exterior grade door between it and the outside because a garage door isn't that great as a security barrier to begin with unless you remove the pull cord that unlocks the door from the carrier.
About Amazon, how fucking hard is it to use a fucking Naive Bayes classifier to just check if product title or description changes significantly? Hell, do it with Babbage or some other (not L)LM that's cheap as fuck. We already have clear leaks showing that they fuck over sellers with their price lockins, are you really hurting them more by dropping all those product reviews? You can also do way better by using an image classifier. I have a hard time believing a company that's bragging about how many robots it uses in its warehouses and replaces shitty support with even shittier LLMs is not going to actually result in higher profits by doing this. A few returns probably covers the cost because shipping is expensive (something they already don't get right. Haven't had 2 day prime delivered in 2 days since 2018...)
Also, anyone else find it weird that stores on Amazon don't list all their products? Like you can click on the store page from the product and then that product is nowhere to be found. Want to reduce scams? Force the listing of their entire product directory. I already can't rely on reviews, you just are making it harder to trust you.
I really do wish there was a halfway decent alternative to Amazon. Even Target and Walmart's online stores are more attractive, just limited. But this seems to be a generally sucky space and I don't understand why. Don't even get me started on NewEgg...
> Money is one hell of a drug because they are high.
They're so high they're even turning down higher profits. But I guess the issue is caring FAR more about short term profits (quarterly statements) than long term (hell, even a fucking year). I really don't get this metric hacking bullshit bureaucracy we've built (and it's not just isolated to the US or the West).
Ah, chokepoint capitalism. The problem with every company becoming a tech company is that they all expect unsustainable tech company growth. The strip mining of customers is also scaling up, so efficient that industries will destroy themselves. Can't wait until private equity owns the radios in my home, and controls not just the output but inputs.
Your campaign felt like a “butterfly flapping its wings causing a hurricane” kind of moment. You inspired so many entrepreneurs of that time to take a risk and crowd fund which then inspired another generation. Some of whom ended up huge and going public like Peloton.
Regarding choke points - I don’t think they’re all bad. Sometimes certainly, but others it’s a defensible moat that forces an industry to specialize into various key players that serve integral roles. I’m thinking specifically of semiconductors with companies like Western Digital locking up storage, Qualcomm with radios, ARM with compute, Samsung/Hynix with memory, etc. This creates a stable enough ecosystem to build various software abstractions on top.
Personally, I hope that Amazon doesn't play ball. You can TRY and seek rent from the world's largest retailer, but you need them, they don't need you.
My main takeaway is that Amazon should offer a discount to deliver packages to buildings with staff to accept the packages. They never go missing, so less refunds, and the building staff does not charge Amazon to receive packages.
The business dynamics are pretty interesting, though. It could be that paying this company reduces missing packages so much that it actually saves Amazon money, which they pass on to consumers in terms of lower prices. Or, it could be that they charge $1 per access, and Amazon passes that on to the customer, and then people are disincentivized from using Amazon. Meanwhile, a competitor (say, Walmart?) brokers a deal where they hide that fee, and take enough customers away from Amazon that Amazon has to play ball (and now the price is $2 per access). Costs go up for everyone.
The phenomenon of partnerships like my hypothetical above are very interesting to me. Every so often I check what I can use my credit card rewards points for, and most of the offers, to me, seem like "failing retailer desperately needs a customer" rather than anything I actually want. Thus, the partnerships must be a pretty important tool for companies that are not in first place.
Finally, I think about the long term effects of this sort of thing. Everyone wants a % of every transaction. "Oh, you turned your lights on when someone came to deliver a package? Pay the manufacturer of the light bulb $1 and your electric company an extra $1." This will look like "economic growth" to each of those intermediaries, but in the end, they just devalued the dollar. ("Inflation.") We end up with bigger numbers, but actually decrease the amount of "value" floating around.
That's most of the tech industry in a nutshell. From the office suite through all the "self-service" web/mobile interfaces, self-service checkouts in stores, to stuff like this - it's all making you do the work that was previously done by full-time professionals. It's a net loss of efficiency, and it only looks otherwise because salaries of full-time professionals are legible to bean-counters, while the same workload redistributed in tiny bits to masses of people is invisible in balance sheets.
In short: I'm starting to believe that most of the "improvements" that came with software are actually just accounting tricks, and this is why actual performance gains don't seem to track expected gains.
Off topic, but FWIW: Teslas don't in general use fobs (maybe you get one with an S or X?). You can buy one for $175 if you want, but in general the primary unlock mechanism is the app on your phone, with the effective root of trust held in an RFID wallet card (of which you can buy extras for $20 each).
If a homeowner wants to let Amazon, Walmart, etc to open their garage door, it should be up to him to provide them with an access token/secret/etc to enter, just like you can put a door keycode in the order notes. The interaction should be purely between him and the retailer and there is absolutely no need for some rent-seeking scum to be involved.
The disgusting business model you seem to be justifying is akin to house builders/contractors being perpetually owed a cut every time you invite over a guest into your house or they switch on the lights.
2. Through research they find user wants to interact with their smart device while outside of range of wifi/bluetooth.
3. Company builds device firmware and cloud infrastructure to support this goal.
4. Company wants to simplify business logic and doesn't provide local (wifi/bluetooth/zigbee) support. Online only can service both on-premise and off-premise.
5. Company needs to reduce costs and justify ongoing operational costs of supporting this cloud + device service.
6. We arrive at the current solution.
If a garage door manufacturer offers me a (free, local) API to fully control my door and allows me to check a box to let Amazon in, what, exactly, is the problem? Sure, I could also allow Amazon in without checking the box (assuming Amazon offers the appropriate integration and I'm willing to deal with maintaining my side of it), but it also seems okay for Amazon to pay the garage door opener company for the first-party version. Everybody wins.
Forcing the actual device owner to use a crappy cloud service is an entirely different story, but it's not required for the Amazon business model. Similarly, many video recording devices support ONVIF and have an optional paid first-party video storage. (And I imagine that quite a few commercial users demand the former -- no one who operates a concierge/security desk or a serious office building or a warehouse or an industrial site has the slightest interest in using four different first-party cloud offerings from four different vendors of their various gizmos that contain cameras. They are going to run one NVR, possibly with off-site backup, with one integrated system for viewing and analyzing the feeds. And they will pay handsomely for that, and they're paying that money to one of several established companies in the space, all of whom require at least token ONVIF or RTSP compliance, and they aren't about to kick any of that money over to the camera makers, because there is no shortage of competing camera makers.)
https://i.imgur.com/lNOXdhe.jpg
If you have a Chamberlain garage door opener and are looking to connect it to HA you can do this too.
Same, but this is irrelevant to the point GP was making. Some minority of people do want Amazon Key (and similar services), and those people are now unable to claim their package wasn't delivered once they sign up for the service.
Add those people up and you have something worth millions, even if there aren't many of them.
It doesn't work like this. Delivery workers use an app that opens the door, so if they are at a wrong location, it will be immediately apparent.
Swap in a more traditional automaker, and your point remains correct.
Premium users pay $300 to replace the fob on their Model S / Model X. Mid users pay $175 to replace the fob on the Model 3 / Model Y. And an entry level option exists for the cards. Plus programming fee. Handling fee. Local taxes. Processing fee. Etc :-)
Without control of their PKI anyone could self program a replacement for a few dollars as is the case with the garage door market.
As an aside, I find the fob useful for booting the car up prior to getting in, rather than waiting 40 seconds before the fly-by-wire shifter starts responding to commands to put it in gear.
The keyfob is super-useful. It fits perfectly into that small jeans pocket (that was originally meant for watches), so you can trigger the trunk/frunk opening without taking the fob (or phone) out.
I was burned by this change. I don’t know if anyone at Chamberlain is reading this, but you guys have neighbors, users just wanna keep their home safe. You’re one TikTok away from a crisis when you do stuff that is anti-consumer.
The API breakage coincides pretty well with their brand new CTO, whose objective is apparently "transformation to a smart access software company".
It's unclear if the CTO just doesn't understand that "DDoS" generally implies malice, or if they're intentionally using that language to blame users for using their product.
Good news: ratgdo, an ESP-based local solution works great. I hope the author is making a decent profit on the kits.
Then I watched the discussion on discord and realized I’m not alone albeit still a small percentage.
Then I see this as top post on hn.
It’s frustrating to have a company do this. I don’t agree with their choice. Plus forcing you to see ads whenever you open or close the door is Orwellian.
Now I need to somehow sell this device on eBay with hopes a large percentage still wants it.
I wish ratgdo a ton of success and have several on order.
One reason this is tricky to do is because up until let's say the last 6 months or so, myQ _wasn't_ hostile, even if it was Cloud-based. (I get that that aligns with your point! I'm not arguing with you there.)
The obvious way to implement this would be to have a front-and-center filter for cloud/local, so that one could use it to check which brands to consider before buying new connected hardware. It's a use case people have been asking for years. It's the only reason one would want to access a searchable list through their own page (as opposed to googling "${brand name} home assistant").
What's the blocker here?
any takers?
Wow, what a contemptuous statement.
I have news for you, Chamberlain Group. You are not only alienating, being hostile and losing a "Small percentage of users" (most companies would prefer to call them "valued customers", but I get it). You are causing an enormous permanent damage to your own brand.
I am in the market for a new opener.. I just need the physical clicker.
I will not be buying one from this brand, as even if I do not need the HA functionality I no longer trust them as a company.
That doesn't need to happen for the Charlatan Group to struggle. Most current hardware companies are dependent on the customer to renew their hardware every 5 years.
Well, you could always strip it for copper, I guess...
That internet connection for cloud services for smart gear always costs someone.
Smart home devices that can’t be locally hosted or easily made to be locally hosted should be avoided.
There’s no reason a light switch that normally works for 10-20 years will only work for 2-5 due to cloud connectivity.
Luckily for the time being a lot of the providers can be reflashed with Tuya based firmwares.
The same for software. Even Microsoft is going fully Cloud. Just had problems to activate my MS Office for Mac Business 2019, which I bought in physical. They now require an @outlook.com email address to be able to activate. Otherwise I can't use my "box" software.
40 bucks, HA, and about half an hour each (mostly fiddling with the ESP/shield pcb wiring inside the light cover of the opener from the awkward overhead-on-a-ladder position) for me to no-cloud smartify two Chamberlain MyQ openers. Special sauce is that the device can MITM the "Security2.0+" signal and emulate the discrete functions of the wired wall remote, not just act as a dry contact relay on the motor.
Result is that separate entities are created not just for the door open(ing)-clos(ing) states, but also for the obstruction sensor and a separate switch to turn the opener's light on or off remotely, all exposed (as MQTT topics) in HA.
It's not terribly complicated but for reasons that are polarizing to many in the garage-door-automation society, the author of the software, although leaving the code completely open source, is averse to publishing schematics for the PCB board itself, so others have had to step in and reverse engineer these.
It appears that this project has gone from a very minor side hobby to an actual business for the author, and the PCB schematics are pretty much the only IP moat he has, without them he's just providing a very easily (and cheaply) replicated PCB assembly service.
I believe, although I have not verified because I haven't tried this myself, that this site provides both the schematics you need as well as information necessary to flash the software onto your ESP device.
Why not "This device does not support local cloudless control" and "This device does not allow 3rd party software access" labels too?
Garage opener is a 10+ year device, expecting the company/cloud service to survive for that long and still be supported is too optimistic, but local control will still be usable, even if some 'adjustments' are needed.
> The MyQ integration was introduced in Home Assistant 0.39, and it's used by 3.1% of the active installations. Its IoT class is Cloud Polling.
"Cloud Polling", meaning they don't have a way for an API client to register for state change callbacks. I'm sure this is why there is so much traffic - if Home Assistant wants to support triggers based on state changes (eg door opening, turn on home lights), then it needs to repeatedly check the status so that it becomes aware of the change in a timely manner.
(Personally I only buy/use devices with local control, and generally cut them off from Internet access. Just saying though)
IOW, this real reason is better than their dumb comment about "unauthorized use".
I'm absolutely pissed - I just called the folks who installed my garage door and explained the situation to them, and recommended that they look for a different brand for anyone that wants wi-fi access in the future.
APIs were more readily available and open. Mashups were usually encouraged, so long as you didn't generate undue stress.
Nowadays it's a million tiny business silos hoarding tediously-obscure-but-still-sometimes-useful data. And you have to prove that what you want to do with the API doesn't infringe on their ability to capitalize on it better.
The irony is that all the data is way more easily accessible from a technical POV now due to the prevalence of SPAs and REST, but the legal environment is significantly more dangerous.
https://github.com/make-all/tuya-local
One of the main things these “smart” devices do is use your internet connection. It’s wise to create a dedicated _IoT suffixed wifi which can’t access your network or devices, but at the same time your other devices can ping them.
How?
This is a pretty solid guide of a home network setup here. It can be running a $50 EdgeRouter X or translated to other devices.
https://github.com/mjp66/Ubiquiti/blob/master/Ubiquiti%20Hom...
Edit: comments below have additional info on Tasmota and ESPHome
Just a small warning: make sure to check whether your device needs to be added to the Tuya cloud to get a local API key. I was only able to get "my" lamp working locally after registering it via the app and creating a developer account.
Another option can be flashing it with Tasmota: https://tasmota.github.io/docs/Tuya-Convert/
To make things even worse, first position above your devices is an ad (for their other devices) and it periodically suggests that I connect it to Amazon so some random people delivering packages have the power to enter my home.
Genuine question, how?????
My ultimate wish is to have only one of these apps (ie. the Home app) so I can control all devices.
For the Germans (maybe other countries as well): The Lidl smart home things are nearly all Zigbee based. So far no problems with them and they are, IMO, reasonably priced. I somehow trust Lidl more to not burn my house down than random Amazon sellers. They also sell a Zigbee gateway that phones home by default, but can be converted to local only, dumb mode that works fine with Home Assistant [1] with a tiny bit of soldering. I use these exclusively without problems, even the one I rooted for my parents works without any maintenance.
And now that Matter support is slowly trickling in, they should all be fully interoperable. Currently it's touch and go if an Ikea bulb works well with the Hue hub for example.
It was just too low quality. Motion sensors would activate later and/or less than other vendors etc. Stuff like that.
Ikea is great, Aqara and Sonoff work well as well. They aren't much more expensive (if at all) than the Lidl stuff either.
List it cheap along with a warts and all discussion of its problems. Means less waste as there's always someone who'll want it, people who are looking for the product hear about the limits upfront, and the company actually gets a real loss from you leaving (assuming it sells to someone who might have bought a new one).
Plus it's fun to try to convince enquirers why they shouldn't buy your item
I sort of have to assume in the case of large appliances that the manufacturer will drop support for it well before I want to replace it, and that if there is any sort of functionality fully gated behind an app, that it will become unusable to me at some point when I reset my phone and discover they’ve unpublished the app from the store.
I’d much rather buy a dumb garage door opener and bolt on that ratgd device mentioned in this post, than be beholden to the manufacturer’s whims and invariably godawful garbage horrible no-good app.
Protest with your wallet, buy from others, the sooner the hardware companies realize this is a stupid move (locking down), the sooner we'll have better integrations.
In my case, I bought a slightly-inferior product specifically for its HA integration; now that it's broken it's just an inferior product...
I normally leave it disconnected from the switch because I don’t need to open the door remotely and I am afraid that some exploit will have a Russian 13 year old opening and closing my door at 4am.
They never technically allowed it in the first place.
Homebridge and Home Assistant used a popular Python library that reverse-engineered the MyQ API from the Android app. Many companies couldn't care less until abuse ramps up, but given that Chamberlain (Blackstone-owned) has gone into rent-seeking mode all of a sudden (or an incident happened that they won't disclose but prompted them to take a hard look at this), they decided to turn the Cloudflare Super Bot Fight stuff way the hell up on their OIDC token exchange endpoint (you can still request auth codes).
I decided to abandon trying to get MyQ to work with Home Assistant (it would have required hours of trying to figure out what combination of headers would have passed the CF checkpoint) and ended up getting a Meross Smart Opener. It was shockingly easy to install (plug the relay device into the same pinouts that your wall door opener uses) and works even better than MyQ (in that you won't get a weird "close error" that prevents you from operating your door that not even MyQ customer service will clear)
---
I still use and recommend MyQ, however. The Amazon Key and Tesla integrations work great. If they had previously allowed API access but then rescinded it in favor of "providing a better experience" like Reddit is doing, then I'd feel differently. In this case, however, it feels like we took advantage of a backdoor for a long time and the club decided to finally put a lock on it. Shitty, but reasonable.
The next big one to watch out for is Ring.
Ring does not (will not?) support HomeKit. Lots of folks (myself included) have resorted to using Homebridge or Home Assistant as an alternative.
Both are using a library that reverse-engineered Ring's API (though Ring engineers supposedly contributed to it).
While the Homebridge plugin simply exposes device statuses and metrics and RTSP feeds for the cameras, Koush's scrypted NVR platform enables HomeKit Secure Recording for the cameras, which allows more adventurous users to skip paying for Ring Protect ($10/mo)
While I get a lot of value from Ring Protect and will continue to pay it, I really hope Ring doesn't decide to "improve the user experience" for us like Chamberlain did. I'd be really sad if that happens, since HomeKit is amazing and is much better than having a million apps on my phone that don't talk to each other.
How expensive would pouring some concrete into a small hole in the ground be? Or would this become real estate then, or otherwise require a construction permit?
The problem is that it's prohibitively expensive compared to just eating the cost of any thefts, keeping an eye on pickup times so you (or a family member) can take the package inside ASAP, and using pick-up for any truly expensive ($1k+) items when possible.
If Amazon want to leave packages securely, then I am more than happy for them to partner with mail carriers and other delivery services and come up with a common standard for an externally secure lockbox system*. But they're not getting an open door into my house.
The problem in the delivery space is everyone does whatever - there's no standard or common code for communicating secure delivery logic for a premises. You can come up with whatever and it just won't be used. But "give me access to inside your private property" is one of the more insane solutions given that a garage is not an unvaluable area, nor necessarily a non-hazardous one.
If I order something for delivery, it is the retailer's responsibility to deliver it to me. If they leave it where it is stolen before it's in my possession then that is not my problem.
Were it any other way I would not order anything online!
Literally the bottom of the Chamberlain website reads
> The Chamberlain Group LLC, the corporate parent company to LiftMaster, Chamberlain, Merlin and Grifco, is a global leader in access solutions and products. __We design and engineer residential garage door openers, commercial door operators and gate entry systems.__
Also, openers are also a common up-sale when other components are serviced or replaced. For example, if you get a garage door replaced, the installer will often recommend a new opener at the same time.
It provides a convenient service for both parties.
I realise that there are the porch pirates who are another issue entirely!
And they know that they can't just leave the package there, they have to find the correct door. And there's a flow in the Amazon delivery app to mark an incorrect geolocation, so they won't be penalized for taking longer time.
The app also has pictures of the location in question, to minimize the confusion.
From the homeowner's side, the garage door will be open for half a minute or so with nobody nearby. It's possible for a burglar to use this time to quickly run inside. But the probability of that is pretty low, and there'll be a camera recording of that.
Except that's not true at all. Amazon had my new house geolocated wrong (think robin instead of arden st in their system, even though I put the address in correct and it read back correct).
First delivery came, "delivered", not at my door... Contact CS, get a refund, continue.
"Ok, I'll set up key so they know it's wrong and deliver it in my garage."
Pieced together from video:
Second delivery arrives at wrong location, garage door opens...and was never closed. "delivered"
Took me contacting CS 5 times, with 5 failed deliveries, and doing an email bomb to get them to update my geo-location. Turned out it was literally across the fucking city, ~8 miles away.
The company could go out of business and shut down their servers. Or shut down the servers because they're no longer selling the product.
Sometimes incompetence is as bad or worse than malice. The company could break an API accidentally. Or the API only works intermittently. Or they could add poorly-implemented rate limiting that unintentionally affects multiple users when they share an IP via NAT.
What matters is that they provide proper documentation for their APIs, encourage devs to use them, and don't have a history of breaking old clients with new firmware updates (without very good security reasons).
But in general, OK - some things are better done via an on-line service. But it's the minority of cases - almost none of IoT devices have a legitimate reason to route control and diagnostics through the cloud.
It's an open source project. Stuff generally gets worked on by people who care about features. You seem to care about this. https://github.com/home-assistant/home-assistant.io
Related thread: https://news.ycombinator.com/item?id=37594377
That's cool to hear—I didn't consider we had that influence, though should've realized it after chatting with y'all, Ring/Doorbot, Particle/Spark, Pebble, etc.
Guess it took two generations to shake out the hardware startup mistakes. We were early and naïve, but we did ship, and the Twine servers remain up. You learned to focus the use case, and I still haven't. Go figure, I think there's still a space for a general-purpose physical computer, so we're doing it again: https://supermechanical.com/pickup
Funny that Kickstarter's history since is a hindrance, and we might go the Selfstarter route to produce the experience we want next time.
The only term that comes to my mind here is cancer.
Cards are $20. No programming fee, no handling fee, no processing fee. Yes, there are taxes and yes shipping things generally costs money. Users program keys themselves.
> As an aside, I find the fob useful for booting the car up prior to getting in, rather than waiting 40 seconds before the fly-by-wire shifter starts responding to commands to put it in gear.
Keys are for valet and I keep mine in my glove box. The car boots up almost instantly.
However, if even that is too much you can make a Switchbot do almost anything. It's just an actuator that pokes buttons and is a premade product with a shell rather than a DIY thingy.
I've definitely seen "DDoS" used when there was no malice, such as when a developer accidentally releases a client that generates way more traffic than it was supposed to. Probably because we don't seem to have a good term for "event that at the server looks exactly like a malicious DDoS attack but was actually due to a mistake or to the server becoming unexpectedly popular" :-).
My favorite example of whatever we are supposed to call this was John Carmack in 1997. From his 1997-12-09 .plan:
> Cyrix has a new processor that is significantly faster at single precision floating point calculations if you don't do any double precision calculations anywhere.
> Quake had always kept its timebase as a double precision seconds value, but I agreed to change it over to an integer millisecond timer to allow the global setting of single precision mode.
> We went through and changed all the uses of it that we found, but the routine that sends heartbeats to the master servers was missed.
> So, instead of sending a packet every 300 seconds, it is sending one every 300 MILLISECONDS.
> Oops.
> To a server, it won't really make a difference. A tiny extra packet three times a second is a fraction of the bandwidth of a player.
> However, if there are thousands of network games in progress, that is a LOT of packets flooding idsoftware.com.
> So, please download the new executable if you are going to run any servers (even servers started through the menus).
I did do some napkin math to quantify how much that bad traffic may have been: HA estimates between 6857-25576 installations of the MyQ integration. Let's say 16k clients. HA makes it really easy to detect and "add" the integration (which counts as an installation even if it's not configured), so, that's definitely not all clients hitting the API. Let's say it's 50%, so 8k actually using it. Most users just notice myQ is broken. Let's say some fraction retry, which would look the same as an extra user from a volume perspective. Call it an even 10k users (including repeat users).
The most recent change is after they broke everything past the OAuth dance. Let's say the OAuth request is 1kB. The retry code retries up to 5 times with exponential backoff. Let's say 5 requests over 10 min.
(5 requests / 10 minutes) * 1 request/user * 10k users = 5k requests/minute, or 83 per second, amounting to 83kB/s inbound.
There's no reason to assume those requests would synchronize, but I'm sure there's something (let's say every single myQ user updated at the same time).
If what they're saying is true, sounds like actually malicious botnet wielders can ransom the living daylights out of them. Given 1Tbs DDoS attacks they'd only need a tiny fraction of the full bore ion cannon! ;-)
[1]: https://github.com/arraylabs/pymyq/blob/master/pymyq/request...
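A worked version of the napkin math in the comment above, added here as an illustration; it is not part of the original comment and not pymyq's code. The client count, attempt count, window and request size come from the comment; the 40-second base delay is an assumption chosen so that five doubling attempts span exactly 10 minutes. It compares the 83 requests/second average with the per-second peak when every client starts at once versus when starts are spread over the window.

```python
"""Added example: server-side load from clients retrying with exponential backoff."""
from collections import Counter

# Figures taken from the comment above.
CLIENTS = 10_000        # "Call it an even 10k users"
ATTEMPTS = 5            # "retries up to 5 times"
WINDOW_S = 600          # "5 requests over 10 min"
REQUEST_BYTES = 1_000   # "Let's say the OAuth request is 1kB"

# Assumption (not pymyq's real schedule): the wait doubles starting at 40 s,
# which places the five attempts at t = 0, 40, 120, 280 and 600 seconds.
BASE_DELAY_S = 40


def attempt_offsets(attempts=ATTEMPTS, base=BASE_DELAY_S):
    """Seconds after a client's first request at which each attempt is sent."""
    offsets, t, delay = [], 0, base
    for _ in range(attempts):
        offsets.append(t)
        t += delay
        delay *= 2
    return offsets


def mean_rate(clients=CLIENTS, attempts=ATTEMPTS, window=WINDOW_S):
    """Average requests per second, as computed in the comment."""
    return clients * attempts / window


def synchronized_starts(clients=CLIENTS):
    """Worst case: every client makes its first request in the same second."""
    return [0.0] * clients


def staggered_starts(clients=CLIENTS, spread=WINDOW_S):
    """Clients begin at evenly spaced times across the window."""
    return [i * spread / clients for i in range(clients)]


def per_second_load(start_times, offsets):
    """Histogram of requests arriving at the server in each one-second bucket."""
    load = Counter()
    for start in start_times:
        for off in offsets:
            load[int(start + off)] += 1
    return load


def peak(load):
    """Largest number of requests seen in any single second."""
    return max(load.values())


def summarize():
    """Mean and peak request rates, plus peak inbound bandwidth in kB/s."""
    offsets = attempt_offsets()
    sync = per_second_load(synchronized_starts(), offsets)
    stag = per_second_load(staggered_starts(), offsets)
    return {
        "mean_rps": mean_rate(),
        "peak_rps_synchronized": peak(sync),
        "peak_rps_staggered": peak(stag),
        "peak_kBps_synchronized": peak(sync) * REQUEST_BYTES / 1000,
        "peak_kBps_staggered": peak(stag) * REQUEST_BYTES / 1000,
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value:.1f}")
```

Backoff without jitter keeps synchronized clients synchronized, so each retry wave arrives as a single-second burst of all 10k clients; with staggered starts the peak stays below the long-run average because the five attempts of one client never overlap in the same window.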
This is a problem with the service, not with the developer.
If the service (doesn't want) / (can't handle) something, then it should rate limit its response.
If the service can't handle "0.2%" of its clients making a 'not unreasonable' amount of requests, how will the service hold up against a hostile actor who aims to DDOS their service?
Absolutely. Used to work on the Identity team somewhere. Dev accidentally removed code that was supposed to cache a token on a very chatty service. Brought auth to its knees and called it DDoS.
You can go and engage him directly on the topic, maybe he'll present a perspective we haven't seen, or maybe he'll listen to your arguments and reconsider:
https://www.linkedin.com/in/dan-phillips-9a33831/
(and no, this is not doxing: his profile is public).
The ratgdo is more trustworthy, and it just connects (really easily, too, especially with the new v2.5 board) to the opener via the same contacts that the dry contact button does.
https://www.athom.tech/blank-1/garage-door-opener-for-esphom...
I used a local Meross install on my old garage doors, time to break them out, but ugh...
What a shit move to pull on your existing customers.
I would try to sue that manufacturer. I hope it will be pulled to a court.
This will most likely be a significant factor, though good luck getting them to admit it.
HA users will mostly be bypassing the app and therefore not providing revenue via ad impressions.
What brand is he moving to? Does it work with Home Assistant?
I can't recall the last time I saw a garage door that wasn't Chamberlain or one of the brands they own. At least in my area they seem to have a near-monopoly.
Just put it on the porch. Not everyone lives in an area with a package theft problem, let those folks work out their own solution but don't punish the rest of us.
There are plenty of places in the US where packages left on the porch aren't secure, but there are also plenty of places where it's completely fine and saves everyone time. I've never once had a package stolen off my porch anywhere from an apartment in the Bay Area to a house on 10 acres in rural Oregon. I really think that the places where package theft is rampant are the exception, not the rule.
I worked, like most folks, and people are not generally home. The pickup location took two hours to get to via public transit. That’s a four hour round trip. There was one and only one pickup location in the entire NYC region for fedex.
It made life impossible. Amazon came along and decided to take responsibility for losses directly and instructed carriers to leave packages and not reattempt delivery or hold them. Customers vastly preferred this, carriers too as they saved tons of money. Amazon got a reputation for being much more convenient to order from. Their losses as a percentage were low compared to essentially owning mail order due to the convenience. When I had packages stolen they immediately shipped a replacement no questions asked.
Amazon Key is an attempt to mitigate theft but also a lot of folks just feel uncomfortable with packages on their front step. The idea of leaving your garage slightly open for deliveries isn’t a new one, but the Key product improves on that by only opening for the delivery person and recording their interactions to ensure they don’t do something they shouldn’t.
I used it briefly but I didn’t like it because I have a workshop in my garage and I just didn’t want people seeing what I’m working on. I wasn’t worried they would rob me per se, just didn’t like showing my work in progress to random strangers. If it opened the garage slightly to allow the package delivery I would have kept it but it opened 100%.
I only have MyQ for Amazon Key. Fortunately Amazon also supports the Aladdin Connect - which works with all garage doors. And is fully supported in Home Assistant.
I have one on order and will be swapping out, bye bye Chamberlain.
Would be nice if this functionality could work with arbitrary openers via webhooks. You could even have a fancy auth flow that you trigger from your smart home dashboard so users don't have to know or care how it's implemented under the hood.
Sure, we're just a couple drops in the ocean, but eventually those drops can start to add up.
I see several other vendors / openers on the Amazon page for this service besides MyQ.
Genie being one of them, which seems to also support HA just fine
I think "abuse" is the wrong word here. I'm just trying to automate my garage door. If there was a way to do that over my local network, without touching their servers, then they'd never see any traffic from me.
I sometimes wonder if Tesla nerfed the homelink functionality in the car just to encourage people to pay monthly for the MyQ software solution. I gave up trying to get my Model 3 to open/close the door automatically for me because the range is just abysmal. Went back to using a push button remote on the visor that will open the door from half a block away.
Every country has these to some degree; I imagine they're most popular in places that 1. have colder climates, but 2. where people don't tend to drive (like Poland?) The US has some, but the suburban long-distance-commute car culture + generally not-too-bad climate, means that people in the US generally expect to pick up packages from further away, and so implementation of these in the US has lagged behind other countries.
However, my comment, and the one it was replying to, are talking about something else — a hypothetical concept of small lockers that serve single homes, given to the homeowner, to be located near the home's mailbox/mailslot. (Basically, logistics-provider-provided versions of these things that you can technically buy online — but where I've never seen anyone with one: https://www.amazon.ca/WeHere-Package-Delivery-Anti-Theft-Pas...).
And the thing about these is... they really aren't a good idea. They're not too big and heavy to just steal. Anyone who can walk up to your porch with a moving dolly can walk away with it.
I agree that per-household lockers are... tricky at best. But then, if we're talking homes, and thus presumably lawns in front of them, I wonder what are the difficulties of selling a multi-slot locker that would be bolted down to the ground (or perhaps a bunch of concrete filling a hole in the ground), and thus as easy to steal as a thick fence post or an ATM? Is this too expensive for homeowners?
Some older houses have passthroughs built into the walls for deliveries of milk or coal or ice. I’m surprised this feature hasn’t been resurrected for package deliveries.
But the US still seems to have some remnants of a high trust society, which has been only a temporary thing in many places, if at all.
Not having such a society adds friction in all kinds of interactions. In the end, that means cost. I can understand why people and companies try to shift that cost when it comes up in areas where it wasn't present beforehand.
It's difficult to figure out exactly where the facilities are and you're not guaranteed the package won't still be on the original truck or on a new one. The facilities may only be open during the day, while you're at work.
Additionally, it's common that no delivery attempt is made at all -- the delivery driver will walk up to the door with a "we missed you we'll try again someday" slip already filled out and won't even knock.
The main reason we are cool with deliveries being left on the porch isn't that we trust our neighbors, it's that the alternative is so much worse.
when I lived in the urban core of a top 10 population US city, I still trusted my neighbors
another comment said the US still had "remnants" of a high trust society. I grew up in that high trust society. I am not old.
if our high trust society is gone, we should do whatever is necessary to get it back. It's clearly a better way to live.
It's not unknowable; FedEx and UPS at least will reattempt delivery every day for a certain number of days before giving up. At least that's the case in urban and suburban environments. Maybe you live somewhere rural where their policy is less clear?
> It's difficult to figure out exactly where the facilities are
No it's not. The tag they leave behind will often tell you, or you can enter the tracking number online and it'll tell you there. And usually it's the same place every time, so once you figure it out, you're good for future packages.
> and you're not guaranteed the package won't still be on the original truck or on a new one
This is the annoying thing. It's never clear when the package will actually get back to the facility (after they failed to deliver it to you), so you don't actually know if it'll be there when you show up. Many many years ago it was a simple matter of giving them a call, but nowadays you end up in customer support / phone menu hell, and it's incredibly difficult to talk to someone who is actually physically present at the facility.
> The main reason we are cool with deliveries being left on the porch isn't that we trust our neighbors, it's that the alternative is so much worse.
I'm absolutely not cool with this. I trust my neighbors just fine, but I don't trust all the random people who might be walking around, specifically looking for packages to steal.
I'd much rather have to drive over to a facility to pick up the package, or just wait until the next day for another delivery attempt, but most delivery drivers don't give me that choice.
If the package does get stolen (incredibly likely, if it's left outside), I'll usually have to wait several days for the merchant to ship a new one (because they figure it's possible it wasn't stolen, and want me to wait and see if it still gets delivered in a day or two). And then I have to wait for another shipping-time cycle.
No lol, you just enter the tracking number of the missed delivery tag into the carrier's website and they tell you where to go pick it up.
I'm friends with all my neighbors but I find this practice completely bizarre.
It varies greatly depending on where you live. My sister lives in suburban Maryland, and leaving a package outside on a porch is just no big deal. The probability that it gets stolen is actually ridiculously low. In this case the high trust is completely warranted.
I live in San Francisco, and if a delivery person ever leaves a package outside, it's always a scramble to either get there to take it in, or find a neighbor who can do it for you. (I live in a 4-unit condo building, so we all try to look out for each other's packages when this happens.) It's just bizarre to me that delivery people aren't specifically instructed to never leave packages outside here. I suspect they may be, but they're overworked and don't want to have to add yet another package to their delivery schedule for the next day. And/or they may be evaluated on number of completed deliveries, no idea.
(On the flip side, there are some neighborhoods in SF where it's ok for a package to sit on a doorstep for a while. Not many, but... they exist.)
Places in the US that have high level of porch piracy also have high levels of gun control, and low levels of gun ownership.
You have to really want my $5 towel to risk your life doing that around my parts of the US
Yeah, in a city I would expect the mail person to leave a receipt in your mailbox.
In the countryside, though, that's not unheard of :-)
Just like I would easily leave my bike unattended and unlocked in the countryside but not in a city.
To put things in perspective, it's common over here for people selling things on Facebook/Gumtree to just leave the item outside and have the buyer slide the cash under the doormat. It's less secure but way more convenient, since you don't need to be home to complete the transaction.
I've left tools and other semi-valuables in my unsecured carport, in clear sight from the street, on a main road, for years now and they've never gone missing.
My sister in law lost her iPhone in a public bathroom and got it back simply by calling it and working out a time and location to meet up with the person who found it.
These aren't just freak anecdotes, by the way, they're the norm.
You should really consider coming over here. We need more Saffas in Australia!
This obvs does not work for other delivery companies but now you can see an option in the order forms to allow the delivery company to leave the package at the door (e.g. IKEA). Otherwise, it is just unthinkable that someone would leave the package at the door without ringing you and agreeing in advance.
Physically, they're about as secure as an Amazon cardboard box.
Not sure what effect this has but I live in an area with a lot of Ring (or other) front door cameras which is a rather severe disincentive to theft of packages left at the door (as well as mishandling of package delivery by the driver)
This is just conjecture, btw, I have no authoritative knowledge of their plans to do anything.
I'd guess it's more likely the opposite dynamic, where they'll get a bunch of early adopter types to sign up without thinking through the ramifications. And then after the honeymoon period, Amazon will start demanding those users file police reports for missing packages since from their system it now looks much more airtight that the package must have been stolen from the buyer.
I honestly can't think of a single person I know who routinely locks those doors.
Big pink house on Foo St. (#8-5-5)
or
Big red-and-yellow-striped house on Foo St. (#8-8-5)
or whatever colors they are? If they are the same color, repaint one of them.
As a bonus, this will completely throw off all the automated data brokers, idiots that use "KYC" as an excuse to want to know where you sleep, etc.
Alternatively put an apartment number on your house (there will be only one apartment, of course.)
One of you will be
855 Foo St. Apt. 1
The other will be
885 Foo St. Apt. A
This is the same thing that continuously requires me to use my "ZIP+4" for absolutely everything, even though as far as I can tell, there is zero point in ever using it unless one is literally doing metered US Mail.
If you write "885 Foo St. (blue house)" it will get standardized to "885 Foo St."
If you write "Blue house on Foo St. (eight eight five)" the standardizers will choke and it will be printed as-is.
Outside of activation, it is easy to use MS Office for Mac completely offline -- there's a checkbox for that in preferences. You will lose some marginal functionality, some of which I prefer to be disabled (like generating pdfs of your documents server-side instead of client-side).
It took me almost 3 days to find the problem. Microsoft changed that and between all "answers" there is only one single thread in the Microsoft forums that had the solution.
Some years ago, I activated some Office licenses using my company email; we never did any hosting with O365 or whatever was its predecessor, and at the time, everything went fine. All I had to do was to create a live account using that email address.
Which means that you need to associate your existing account with an @outlook.com address. It seems that Microsoft changed that requirement somewhere in 2020/2021.
Yes, previously Microsoft account with whatever email address was enough. But they changed that.
I stumbled upon that while upgrading to new hardware, which requires new activation of the Office products.
The Gaben has spoke: "piracy is more about convenience than price"
Just do it. You won't regret it. I also bought office 2016 cheap at some point in time. That's even better. Faster, nicer UI.. just to give you feedback xD
On neighbours, the carriers usually let you choose if you want this to happen, but it's just a normal part of life to accept (and hand over) your neighbour's parcels. I have done so dozens of times and had it happen for me, even in rougher areas where I barely knew the neighbours. I guess levels of interpersonal trust might be higher in Europe than the U.S.?
(That's before the blindingly obvious observation that even something provided by the government at no cost at point of use has a cost which is ultimately borne by the people.)
I think we'd also need to figure out some durable and stable way to reach a conclusion on "when should the software be published out of escrow?" that handles a bunch of the various edge cases. "What happens to devices that are one-time programmable? What devices are in-scope/out-of-scope? Does this apply to radio firmware as well as general CPU firmware? Is the software license changed alongside the release of code from escrow? Are signing keys also released? Is code released from escrow just because some individual use case is no longer supported by the mainline firmware? [Is a disagreement with a product decision enough to release the old code?]"
The second year there is much less work but they double the cost. You go along with that as it takes a lot of work on your part to engage a new escrow firm from scratch.
The next year they double it again. It's still demanded by your large corporate customers and you try to pass on the costs but they don't want to pay it.
At no point does "preventing random people in your garage" require a greedy middleman in the path between you and whoever you want to give your garage door access code.
Of course, I changed my code after that, but drivers still tried to get in with my code. I opened countless tickets with Amazon to get this reference to my code removed from their system. They gaslit me many times saying it was removed. They were incredibly rude to me when I told them they were lying to me, and now I sometimes get delivery drivers getting pissed off at me (for some reason) that the code doesn't work after they ring my doorbell.
What I want people to get from this story is, don't give Amazon your code. Get a separate delivery box instead or even a storm door works to hide most packages.
Yes and no. At the scale Amazon operates, I can see value in being able to automate the process rather than requiring each driver to find and operate the keypad for each garage.
Automation, if implemented perfectly (which it obviously won't be) also prevents one form of bad actor. An Amazon delivery driver who uses your code in the future to gain unauthorized access to your garage. Automation allows this code to be limited to a single use.
Not sure where you live, but every house I've lived in (USA, a few different states) during my entire life has had an exterior-quality door with exterior-quality lock, including deadbolt, between the house and garage.
In the one house I lived in that had a security system, that garage-to-interior door was also wired into the system and arming it would treat it like an exterior door.
Having said that, I still wouldn't want random delivery people entering my garage without my knowledge.
This was like 7+ years ago.
The more parties in a system, the more ossified it becomes. (Hello, healthcare)
Inevitably, the world changes... and now because there are so many intermediary layers the system as a whole is unable to adapt.
Then you're left with a system that can't be changed, that very efficiently does something different than what you need it to do.
Or, in a nutshell, most enterprise software older than 5 years.
I would say that almost all of it is, eg, disassembling our manufacturing and shipping it over seas - which ultimately eroded the middle class and jeopardized national security. But neither of those is on the balance sheets of the relevant company.
Anti-social short-term metricized business is the ultimate form of Taylorism — and in three generations, we can see that it’s an abysmal failure.
Sprinkling math on top doesn’t make reckless greed a good idea.
Quite possibly. I only thought this through wrt. software, as this is my field, but the overall method seems universal: turn concentrated work into disperse work, and throw it over the organizational boundary, so it looks like you've made the costs go away.
Add to it the time lost because software tends to be less reliable than its counterpart because multiple software interfaces tend to increase complexity. There are some things that software is wonderful for improving. But I don’t need an IoT stick of deodorant.
Additionally, I tried using an Aqara vibration/tilt sensor for more accurate "partially open" status reporting but it was a) not sensitive enough b) too unreliable c) too slow to update. I guess it's more meant for detecting impacts or falls.
I've also toyed with the idea to mount an ultrasonic distance sensor at the top of the (rolling) door, which could measure how far from the ceiling/far wall the top of the door is, but it'd be pretty bulky and problematic to power mounted on a moving part like a door.
I suspect that some of the same reasons that lockers aren't economically feasible in most of the US is the same reason that the theft isn't a problem: low density. If you're a porch pirate, you need to expect that the value of your stolen goods covers at least your gas and time driving around stealing stuff, plus some risk premium for doing the crime. If the average value of a package is below this amount, the crime doesn't pay. There will still be instances where people haven't done this math, or crimes of opportunity, or just dense stretches where it does make sense depending on the price of gas, but it isn't a nationwide problem.
I get hundreds of packages per year (not an exaggeration) and as far as I know, exactly zero have ever been stolen. Missing packages are invariably delivered to someplace else that must have had a better vibe for the driver that day. (I’ll get pics of proof of delivery with a package that is clearly not at my house.)
In that environment, what problem do I have that could be solved by this, and how much effort (and aesthetics) am I willing to spend to solve it?
Now, if my house shared a wall with two other houses and people walked by my front door all the time, maybe I’d have a theft problem due to greater opportunities for it to happen.
Places with lawns probably don’t have nearly as much package theft just due to less foot traffic.
When this happens you have to go to a post office to get your mail.
But isn't the door property of the customer? In this case it is perfectly the customer's choice and right if they want to use the customer-facing API to let a delivery company in.
Not anymore. Now I get to pay $5/mo for IFTTT integration, after paying the premium for the WiFi-enabled version of the same device.
And when you're back from hiking the Alps your neighbor will have built a shed around it to protect it from the rain and moved in 10 of his pigs to keep it warm.
Unless of course your delivery guy tied your package to a special tree called Maibaum by mistake. Then you'll find a sign telling you that it has been redirected to one of the 5 villages called Kirchberg in your area.
But instead they just put a piece of paper in your mailbox that says 'you weren't home, we'll come back tomorrow'. Next day same thing. Only then can you go and pick it up at the post office.
Oh and there are many stories of people seeing the mail carrier defaulting to the piece of paper and not even knocking because of time pressure.
If the item fits in your mailbox (letter size), they do that.
If not, they knock, and leave a "we missed you" note if the package is insured. Or leave it on the doorstep if not.
If you get the note, you have to go to the post office in two days, during normal office hours (9-5ish), or Saturday morning (9-12). If you don't make it in a few days, they return to sender.
But this is only for USPS. If the package is FedEx/UPS/courier, it's the wild west. Sometimes they leave it. Sometimes they leave a note. Frequently they claim they attempted delivery but didn't. And if they miss you a few times, you have to pick it up at the distribution warehouse which could be a 30 min drive away. This is the worst - even for items you know need a signature, there's no guarantee they'll deliver - we ran into this a few months ago with some jewelry - delivery was scheduled Monday 12-5pm, we waited in the living room (right by the door) and nobody came. Their system showed a failed attempt (courier lied). Repeated Tues. Called courier warehouse, they asked if we had doorbell video proving the delivery attempt was never made (WTactualFuck). Repeat on Wed. Item was returned to sender. We called sender, asked them to use USPS because private shipping can be a disaster. USPS is often a day slower, but it's fairly reliable.
Some areas have problems with package theft. Fortunately mine isn't one of them, so I'm ok with packages being left.
Anecdotally, in France, the parcels "delivered by Amazon" have hands down the best service. They're the only ones who've ever actually delivered the parcel to my door (I live in an apartment). If they can't leave the parcel in the mailbox, they'll call me up and ask what to do, usually offering to come back some other day if I'm not at home.
This is one of several reasons I no longer buy anything from Amazon. Not even if it's the cheapest source. Even if it gets to a Filiale, those are further than most of the shops that would sell similar items.
It's rare that Amazon sends something via them, but whenever they do, I expect to not get the package. And when I don't, I just call up Amazon support and complain about them and make it a point to mention I often have issues with that specific company. They usually offer to cancel the shipment and reship overnight. Don't know if they can actually control it or if it's coincidence, but all reshipments have been via Amazon.
They could afford to give away the openers if they could win that revenue stream.
And Amazon would dump them in a second if consumers could instead click "Link your Home Assistant for secure deliveries and get $0.30 digital credit". Or more likely, Amazon would throw directly wired Dash buttons at consumers to enable secure deliveries.
I don't know what Chamberlain has to gain by sticking it to that particular demo. For HA to be a threat to the "partnerships" like Amazon, it would have to have an audience sizeable enough that Amazon would consider incentivizing adoption.
I would say it seems dumb to piss off the most passionate fans of home automation when you're a vendor of equipment that such people might want to buy, but Chamberlain has such a stranglehold on the market that I think they figure that even if they royally piss off that 5% of the garage door opener market, those suckers (or their garage door installers) will be forced to buy the gear from them anyway.
It's too expensive and too unlikely to succeed, but I could sue Chamberlain now arguing that they have breached an implied contract and that the remedy I seek is for them to open-source their code.
Best case, I think you'd get your purchase price back. I'm not sure how you'd argue that remedy is insufficient, either - hence why my preference is to have the cause of action written into the law we're imagining here. It'd be even better if we can write in that the remedy for a degradation of the service is an open mechanism by which the user has sufficient level of control as to recreate their desired functionality.
Because the margins are incredibly low (thanks, Walmart and Amazon?), which means you need capital-heavy hyperefficient warehousing/distribution to even compete, which means you need scale, which means there's little competition to make things better.
I think there'd be a lot of room for innovation if you turned Amazon/Walmart/Home Depot's logistics into their own companies, then allowed people to put whatever between that and the customer that they wanted to.
Which is essentially what Amazon does now... the only difference is they get to control that link and the revenue flow from it.
Segregating market functions forevermore would go a long way towards returning competition to marketplaces, imho. (E.g. logistics|retail, advertising|everything, etc.)
They claim this, but my experience is that it's not true. VERY VERY often, it will be multiple days or up to a week before they attempt again. Sometimes they never attempt again, and a week or more later I get the notification that it's available to pick up at their depot. It's certainly not consistent enough to rely on.
https://www.core77.com/posts/103681/When-Houses-Had-Built-In...
Likewise, but even if it's actually locked, no lock is impenetrable, and a closed garage provides a thief with the privacy to pick it at leisure or even break down the door. Burglary deterrence advice sometimes includes tips like adjusting your landscaping so your front door is visible from the street and locking gates to your back yard. Letting the thief into your garage thoroughly defeats the point of that...
Also, I keep stuff (bikes) in the garage that I don't want stolen.
Most people keep cars in their garage. Which last I checked were usually more expensive than bikes.
Joke aside, people keep a lot of valuable stuff in garages. Hell, tool chests can easily be worth thousands of dollars and are easy to pawn.
Sure, but I've probably locked it barely more than twice.
I don't know if that would do much.
It's one thing to be sawing up a front door that is in plain sight of the street -- passers-by might call the cops if they saw that.
But if you're doing it from inside a garage? You could shut the garage door and saw away. Nobody would report saw noises coming from a garage because that's super normal.
1. I know it's a broad generalization, also location-dependent
Since Amazon clearly has no idea what they are doing, I would put up a note next to the keypad saying “Amazon drivers: just drop the package, there is no code”
Amazon's problem is that they outsource the delivery and there is such a terrible turn-over problem with delivery drivers (and delivery contracting companies) that nothing works at their scale.
Nowadays that seems so hopelessly quaint.
I'm not sure what hell these jobs are that turns drivers into such shitty people, but I feel pretty confident that it is the system turning them into shitty delivery drivers rather than exclusively shitty people applying for delivery jobs.
No more anything like this "I sometimes get delivery drivers getting pissed off at me (for some reason) that the code doesn't work". You can cut into any of their speech with "English, m****r, do you read it?".
No one will ever question it.
I once bought a book delivered to a company (where I don't work anymore) and this address cannot be deleted. Multi billion company. LOL
On a side note, Amazon's interface is so much worse than Allegro
No kidding. Allegro isn't perfect, and seems to get worse every iteration, but they're miles ahead. Amazon - they're down there with eBay, worse than AliExpress. I literally only order Kindle books from Amazon, and that's only because I mastered the "google a book, switch to Kindle edition, click the 'buy with one click' button" flow, which they managed to not break just yet.
Ergo, both things can be true: Amazon cleared it on their side (customer support sees it cleared) and the delivery drivers still see it (using the subcontractor's system).
Probably because nobody at the sub-contractor's (outsourced) IT/system saw fit to implement a "As a customer, I want to change my note after initially setting it" user story.
Remember, the S in IoT is for Security.
They could simplify their business logic by making sure local first is reliable, and internet access can be turned off, and supporting vendors making (user-controlled, upgradeable, etc) gateways that handle the cloud/internet/local handoff
The state of the environment that the IoT device is sensing or controlling, has to match local reality. Therefore, the state that's actually on the IoT's MCU is the true state that matters. (Any state stored cloud-side could be stale if the MCU is disconnected, or misses updates) Ergo, if the cloud service is showing or manipulating the state of the IoT device, it has to read or command the IoT in near realtime, implying some kind of constant/realtime connection.
This would be the same mechanism a local-first connection would use, right? What am I missing here?
This current model is a fucking failure.
Gig workers quite possibly don't, or at least it's a significant effort for them to.
Some are amazing, mail is delivered perfectly, etc.
Others cannot for the life of them match number to address, and it doesn't seem to matter who is delivering as the attitude spreads across the office.
I think a huge part of this is missing actionable feedback messages.
If USPS/UPS/FedEx had better channels for "my mail was screwed up" reporting, to a granularity necessary to isolate bad branches, I think things would clean themselves up.
As-is, customers learn to live with it and the mothership is unaware the branch is screwing up.
I've been thinking lately about how quickly the world has changed and I think it's a bit underappreciated. I mean cellphones only became a household item 20 years ago, smart phones about 15. Or closer to home, at least for me, generative models went from barely making small black and white human faces (Goodfellow invented GANs mid 2014) to being able to create some fucking good quality images on consumer hardware in a few minutes (not counting all the prompt engineering required. But unconditional is still pretty good). Not to mention that access to these things isn't homogeneously distributed and so rural and poorer regions tend to get thrown into the deep end rather than wade their way in. I think from that perspective a lot of drama makes sense. Especially when we're talking about how people are not very tech literate. Hell, I have a hard time convincing people in my CS PhD department that hate Facebook's spying to switch to Signal or even switch to FF (we see the same stuff here on HN. More excuses than explanations). If the "friction" (even if 90+% mental) is high among tech experts idk how novices can handle all this. At least with my family they're more willing to believe Facebook's app uses an always listening microphone rather than believe me when I explain that they can figure out you're friends and interested in gardening if you just stand next to someone or walk around with them for 30 minutes in the gardening section of Home Depot ¯\_(ツ)_/¯ (sorry, this took a tangent, but I know you think about some of these things too)
Regarding missed packages, are you talking about stolen packages? I've had a few cases where delivery was one day late and one time I got the wrong order (but got to keep the free groceries along with a full refund for my actual order) but I've never had a package just disappear altogether. Even Aliexpress orders that take 2-4 weeks from China eventually show up.
Then why so much effort is needed to stop package theft to the point of giving access to your house to strangers? Apparently getting package on your doorstep is not as convenient as you would like others to believe. Using such lockers is convenient and secure, giving package to recipient hands is secure but not convenient, leaving package at doorstep* is neither.
*or any other place convenient for whomever is delivering it
This is fairly complicated to do locally and securely. If any e-commerce website/app could add tracking numbers as PINs to your smart lock via the local network, that would be a security nightmare. You'd also have to provision domains for every smart lock so that every lock can get Let's Encrypt certs and accept requests from web browsers without configuration. Not to mention most tracking numbers are easily guessable because they consist of a destination code and an auto-increment integer.
Also a lot of companies don't assign a tracking number until the package gets transferred to the last mile carrier. Again, if you're willing to manually copy-paste the tracking number after you get the shipping notification every single time you order something, you're clearly not part of the target demographic
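The comment above objects to tracking numbers as lock PINs because they are guessable, and an earlier comment raises limiting a delivery code to a single use. The sketch below is an added example, not code from the thread or from any lock vendor: a lock-side store that issues random, expiring, single-use codes and locks out after repeated wrong attempts. The class name, method names, defaults and the sample order label are all assumptions made for illustration.

```python
import hmac
import secrets
import time


class DeliveryCodeStore:
    """Hypothetical lock-side store of single-use, expiring access codes."""

    def __init__(self, max_failures=5, clock=time.time):
        self._codes = {}            # label -> (code, expiry timestamp)
        self._failures = 0          # consecutive wrong attempts
        self._max_failures = max_failures
        self._clock = clock         # injectable so expiry can be tested

    def issue(self, label, ttl_seconds=8 * 3600, digits=8):
        """Create a code from the OS CSPRNG; it carries no shipment data."""
        code = "".join(secrets.choice("0123456789") for _ in range(digits))
        self._codes[label] = (code, self._clock() + ttl_seconds)
        return code

    def locked_out(self):
        """True once too many consecutive wrong codes have been entered."""
        return self._failures >= self._max_failures

    def owner_reset(self):
        """Owner action (e.g. from the local hub) that clears a lockout."""
        self._failures = 0

    def redeem(self, attempt):
        """Return the label the code was issued for, or None if refused."""
        if self.locked_out():
            return None
        now = self._clock()
        matched = None
        for label, (code, expires_at) in list(self._codes.items()):
            if expires_at <= now:
                del self._codes[label]      # expired codes are purged
            elif hmac.compare_digest(code.encode(), attempt.encode()):
                matched = label             # constant-time comparison
        if matched is None:
            self._failures += 1
            return None
        del self._codes[matched]            # single use: remove on success
        self._failures = 0
        return matched


if __name__ == "__main__":
    store = DeliveryCodeStore()
    code = store.issue("constructed-order-001")   # constructed sample label
    print("first use :", store.redeem(code))
    print("second use:", store.redeem(code))
```

Because the code is unrelated to the tracking number, knowing a neighbouring shipment's number reveals nothing about it, and the lockout bounds how many guesses a keypad accepts before the owner has to intervene.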
If the latest shipment of crap from Amazon/Temu went missing. Annoying, but you'd just tell them the package got stolen and get a replacement sent out.
The problem is that there are people who drive through residential areas looking for packages to steal, cars to break into, etc. and that occurs quite frequently, as caught on our security camera.
It doesn't take many motorized perpetrators to lower the overall confidence in how secure it is to leave packages outside, given how much range the porch pirates can cover in a single afternoon.
I've had a single-digit number of packages never delivered, most of them years ago, from Aliexpress (which, at least back then, had a very buyer-favoring dispute process, so I would get my money back with three clicks or so).
Only if I really needed that specific thing pretty badly today would I spend a few bucks and 20 minutes to drive over to come get it.
I ordered some physical thing, not that thing and a quest.
In the US all carriers drop packages at door (or in the building's locker if you live in an apartment complex). Some packages need to be signed (alcohol, nicotine, gun ammo, etc) but the vast majority of deliveries involve zero human interaction
Sort of. Note that I'm a city dweller, living in a flat in an apartment block.
This is a real problem; classical solutions involve having another household member receive the parcel, asking the delivery person to deliver to a neighbor who you know is OK with it (since I started working remotely, I frequently am that neighbor), having them drop the package in front of your door (undesirable, but works in case where there's an extra door between your flat and the staircase), or putting your place of work as delivery address (if your company is happy about it; some are not). Dedicated "package send/receive" stores became a thing, then started disappearing as grocery store chains became package drop points. And then came the parcel lockers.
I imagine this problem was the primary driver of mass, enthusiastic adoption of parcel lockers - for the last decade, I've had at least one within 5 minutes of home, and this let me pick the parcel up at my leisure.
These days, most packages we order go through lockers; the ones that don't are usually medical or plain heavy (10-20kg worth of cat litter, soft drinks, etc.). This works because I work remotely, and my wife is yet to return to work after post-partum period.