Don't Do It Lennar -- Talk To Me Instead
The Market Ticker - Commentary on The Capital Markets
Logging in or registering will improve your experience here
Main Navigation
Display list of topics
Sarah's Resources You Should See
Sarah's Blog Buy Sarah's Pictures
Full-Text Search & Archives
Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions.

NO MATERIAL HERE CONSTITUTES "INVESTMENT ADVICE" NOR IS IT A RECOMMENDATION TO BUY OR SELL ANY FINANCIAL INSTRUMENT, INCLUDING BUT NOT LIMITED TO STOCKS, OPTIONS, BONDS OR FUTURES.

The author may have a position in any company or security mentioned herein. Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility.

Market charts, when present, used with permission of TD Ameritrade/ThinkOrSwim Inc. Neither TD Ameritrade or ThinkOrSwim have reviewed, approved or disapproved any content herein.

The Market Ticker content may be sent unmodified to lawmakers via print or electronic means or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media, to republish full articles, or for any commercial use (which includes any site where advertising is displayed.)

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.

Considering sending spam? Read this first.

2018-05-10 13:04 by Karl Denninger
in Editorial , 221 references Ignore this thread
Don't Do It Lennar -- Talk To Me Instead*
[Comments enabled]

So now Lennar is going to put "Alexa" in all their new homes.

That's ridiculous folks.

Look, I have ready-to-go, right now, the software interface necessary (including an app to control it all which is working, but still a bit rough in appearance) that gives you full control and monitoring of your home but does not give anything away to the cloud.

It's your damned house folks, not Amazon's, not Google's, and not Apple's.

HomeDaemon-MCP requires no outside connection at all, other than for you to control it.  It runs over SSL and talks to only you.  It's a master-slave system, so if you want a second controller in the garage or a rainproof box out near the pool or sprinkler gear (or both), that's fine -- they all work together.

It speaks standard Z-wave for thermostats, switches, motion detectors, energy management, locks and more.  It does passive security as you define it (e.g. "arm yourself 1 hour after the garage is closed if no movement is seen inside during that time), or pretty much anything else you want.

The homeowner can modify the event list in a nearly-indefinite fashion to what they want.

You can see and control it all from any web browser or an Android app (which I am about 90% done with functionality wise, and ~60-70% done appearance wise.)

It supports any number of users each with a separate set of defined permissions that allows for control over what a given user can see, change or both.

The builder or third-party installer who wants this can buy it wholesale from me, own it, and have a unique and entirely private advantage.  While you could probably teach Alexa how to do this (I'm sure I could write a "skill" to do so easily) you'd be nuts to do it because then authentication information has to be in he cloud somewhere and if' it's in there some jackass can steal it.

Don't buy a house with a "cloud" implementation of something like this and don't, for God's sake, install it either in an existing house.  You are literally giving away when you're home and the keys to your castle to an unknown set of people and that assumes nobody ever breaks into Amazon's, or whoever else's "cloud" gear.

That will happen, and when it does you're going to get robbed at best and home-invaded at worst since it becomes trivial for a bad guy to know everything they want to about when you're home and when you're not along with where you are in the house and if you're sleeping, for example.

No, No and NO!

Yes, this technology is cool, it saves energy and it's damned convenient.

It both saves money and adds tremendous convenience but you must never, ever link that to any sort of "cloud" or third-party environment.  Ever, if you give a damn about privacy and security in your house.

Instead if you're one of these firms in that space get ahold of me today (look to the right) and let's have a conversation.  You can own the real deal with only the homeowner having the data and access right here, right now, today.

No kidding, and if you buy it lock, stock and barrel you own it and your competitors do not.

Go to responses (registration required to post)
 

 
Comments.......
User: Not logged on
Login Register Top Blog Top Blog Topics FAQ
User Info Don't Do It Lennar -- Talk To Me Instead in forum [Market-Ticker] * Item is pinned to the top of the forum
Attilahooper
Posts: 2829
Incept: 2007-08-28

New York, by way of Montreal Canada.
Report This As A Bad Post Add To Your Ignored User List
I saw that headline - and scoffed. People will buy it because automation and alexa are the new cool. Probably 1% of 1% of people realize the implicatins or care. One of my managers, with a history in technology, uses lastpass. da fugg? I told him I would never put our customers account and passwords in the cloud. A seperate Keepass file on our own servers maybe.


----------
I've retired and bought Shecky's - Welcome, have fun, **** **** up, let's get this party started
https://www.youtube.com/watch?v=ykZbxFub....

Tickerguy
Posts: 152824
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
KeePass is VERY secure; I use it heavily and have for quite a while.

LastPass? Oh **** no. But will I store an ENCRYPTED KeePass file on the cloud? Sure. But no key, and I use a multipart one (password + key file), and that key file has never seen a machine not under my direct control.

Without it even the PASSWORD is useless.

The app that I've written doesn't store passwords ANYWHERE. It gets a login cookie and saves that as long as it's valid.

HomeDaemon-MCP can be set for whatever level of paranoia you wish. It never saves cookies on SD card; it generates them on the fly and keeps them in RAM, so if you restart it you have to sign back in -- and it can also be told how long a cookie is good for, at which point it automatically expires on the SERVER (forcing a new login.) You decide how paranoid you are, but even in the worst case the login and password is never exposed.

Whether you sign in via browser or app the credentials are passed over HTTPS and you get back a double-long randomly-generated cookie key that's valid for however long you wish it to be, but which can be cleared at any time. The passwords themselves are hashed on the server side of course as well.

I could EASILY have Alexa interface to HomeDaemon but doing that would mean you'd have to give Alexa credentials. **** that. You may as well leave the ****ing front door unlocked!

What I'm working on right now is getting the app power consumption down even though the network service is flagged as foreground, WITHOUT using Google's bull**** to wake up the network intent (which ALSO requires that you give away at least SOME knowledge to them.) That gets tricky on Android in order to keep the phone in "deep sleep" as much as possible, but it looks like I'm getting pretty good at it with the impact on a locked device being small yet the notification delay is only a couple of minutes if you have the phone locked and screen off.

----------
Winding it down.

Spanktron9
Posts: 4354
Incept: 2009-03-13

Reality.
Online
Report This As A Bad Post Add To Your Ignored User List
Aren't they really just buying (and selling) the brand recognition of "Alexa"?
If that is their goal, they sell more houses at a premium. Having their own branded system, even if superior, doesn't translate to $$ for a slackjawed Murican homebuyer.

----------
"Winter is coming." -Motto of House Stark
"Don't coast through life. Grab it by the hair and **** it half to death." - Jotapay
"Strong people are harder to kill than weak people, and more useful in general" - Mark Rippetoe
"Its like Calvinball."-MarvinMartian
Tickerguy
Posts: 152824
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
I don't think so.... Since Alexa is just a thing you buy and anyone can. No differentiation value there.

----------
Winding it down.
Attilahooper
Posts: 2829
Incept: 2007-08-28

New York, by way of Montreal Canada.
Report This As A Bad Post Add To Your Ignored User List
Yeah, I love keepass. It passed a couple of stringent european security audits. I may up my game w the key and password though.

I have been looking at Azure cognitive services recently, little time left over to code but super tempted to write a facial recognition script for the door bot. Use case -
- Sees a family member and asks to unlock door - you could have a secret phrase in case someone strongarms you into the house.
- Sees the postman - after registration of course, and tells him a funny joke. I like my postman.
- Sees a stranger and asks them to answer identity info
- Sees anyone, known or unknown, and announces their presence over whole house intercom

With image and speech there'a a whole lot of fun you could have, and it's pretty cheap too.

----------
I've retired and bought Shecky's - Welcome, have fun, **** **** up, let's get this party started
https://www.youtube.com/watch?v=ykZbxFub....

Tickerguy
Posts: 152824
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
The cloud gives you the ability to do that sort of facial recognition stuff (since it's quite processor-intensive) BUT....

1. The biometric data is then not yours anymore. That's bad.
2. The command path isn't yours EITHER. That's worse.

It would be trivially easy to link HomeDaemon to something like Alexa since I intentionally made the interface for the app an extension of the existing web interface, which means you can pass a command to it (assuming you can authenticate) via an ordinary HTTP GET request. You can also (assuming, once again, you can authenticate) ask for all changes since time "X", and tell it for how long you want to have the reply "hang" to get you more changes (you don't want to renegotiate an SSL connection for EACH change; that's horridly wasteful, so for a short period of time you probably want to hang around speculatively before abandoning the link. If you're running off a timer firing -- such as a sleeping phone -- you want that "hang time" to be short and the requeue time to be reasonable, whereas if if you're in the foreground there are REAL efficiency benefits to allowing the hang time to be in the minutes range, since when you're in that state you get notifications within tenths of a second of when events occur.) What you get back from that is in standard HTML-5 streaming update format (which IMHO for this is superior to json since browsers all know how to do the streaming updates already.)

But IMO you have to be utterly INSANE to put authentication credentials in the cloud, or for that matter in persistent storage on the device -- or anywhere they can wind up in the cloud. If someone gets those credentials they now have complete access to your HOUSE!

----------
Winding it down.

Jcneall
Posts: 9
Incept: 2010-07-23

Houston
Report This As A Bad Post Add To Your Ignored User List
I REALLY hope you can get this out there. I would love to have many of these features but I don't want anything to do with Alexa or any cloud application. If I had the wherewithal, I'd buy it but with no technical infrastructure OR the Marketing mojo to locate buyers, it would go wasted.
Geckogm
Posts: 4461
Incept: 2007-06-26

Canyon Lake
Report This As A Bad Post Add To Your Ignored User List
To add to your point Gen there is now this, songs can spoof Alexa.

Quote:
Researchers at UC Berkeley have shown they can embed stealthy commands for popular voice assistants inside songs that can prompt platforms like Siri or Alexa to carry out actions without humans getting wise.

The research, reported earlier by The New York Times, is a more actionable evolution of something security researchers have been showing great interest in: fooling Siri.

Last year, researchers at Princeton University and Chinas Zhejiang University demonstrated that voice-recognition systems could be activated by using frequencies inaudible to the human ear. The attack first muted the phone so the owner wouldnt hear the systems responses, either. The technique, which the Chinese researchers called DolphinAttack, can instruct smart devices to visit malicious websites, initiate phone calls, take a picture or send text messages. While DolphinAttack has its limitations the transmitter must be close to the receiving device experts warned that more powerful ultrasonic systems were possible. That warning was borne out in April, when researchers at the University of Illinois at Urbana-Champaign demonstrated ultrasound attacks from 25 feet away. While the commands couldnt penetrate walls, they could control smart devices through open windows from outside a building.
The specific research emerging from Berkeley can hide commands to make calls or visit specific websites without human listeners being able to discern them. As capabilities widen for smart assistants that make it easier for users to send emails, messages and money with their voice, things like this are a bit worrisome.

These exploits are still in their infancy, as are the security capabilities of the voice assistants.

One takeaway is that digital assistant makers may have to get more serious about voice authentication so that they can determine with greater accuracy whether the owner of a device is the one voicing commands, and if not, lock down the digital assistant's capabilities. Amazon's Alexa and Google Assistant both offer optional features that lock down personal information to a specific user based on their voice pattern, meanwhile most sensitive info on iOS devices requires the device to be unlocked before it's accessed.

The potential here is nevertheless frightening and something that should be addressed early-on publicly. As we saw from some of Google's demonstrations with their Duplex software at I/O this week, the company's ambitions for their voice assistant are building rapidly and as the company begins to release Smart Display devices with its partners that integrate cameras, the potentials for abuse are widening.

This article originally appeared on TechCrunch.[\q]
Tickerguy
Posts: 152824
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
@Geckogm - There's no "authentication" scheme that doesn't make the problem worse! Voiceprints in the cloud are just as bad as fingerprints, since you can't change them.

It's utterly insane to link home security OR CONTROL to anything in the cloud. I originally wrote the FIRST version of HomeDaemon because there was nothing that did half of what I wanted (back in 1999!) This version was rewritten because the hardware has gotten cheaper and better, and better code made it possible to run it on a $35 computer with both iron-hard security AND excellent performance -- something that couldn't be done in 1999.

Oh, and I STILL couldn't find anything that was capable of doing what I wanted to do!

----------
Winding it down.

Attilahooper
Posts: 2829
Incept: 2007-08-28

New York, by way of Montreal Canada.
Report This As A Bad Post Add To Your Ignored User List
MS would never do anything with your biometric data <sarc off> I did look at some open source facial recognition projects, but the learning curve would be steep for me.
Another use case
- one could cobble an algorithm to detect someone scoping your house for a B&E. Based on some risk metrics, like nighttime, it could wake you up with an alert tone. Or if you could identify when a package is dropped, alert to a porch pirate and get sent video instead of reviewing after the fact.

----------
I've retired and bought Shecky's - Welcome, have fun, **** **** up, let's get this party started
https://www.youtube.com/watch?v=ykZbxFub....

Tickerguy
Posts: 152824
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
@Attilahooper - Actually, that's already part of what HomeDaemon can do... smiley

Quite easily too....

(The power of a nearly-indefinitely extensible English-like language is not to be underestimated!)

----------
Winding it down.
Attilahooper
Posts: 2829
Incept: 2007-08-28

New York, by way of Montreal Canada.
Report This As A Bad Post Add To Your Ignored User List
Well then, I must make some time to check it out.

Another suggestion for facial recognition
- someone comes to the door who is unrecognized, and AttilaHooper is not home, lock the doors and bring up the video door bot on the touch screens in the house.

----------
I've retired and bought Shecky's - Welcome, have fun, **** **** up, let's get this party started
https://www.youtube.com/watch?v=ykZbxFub....

Tickerguy
Posts: 152824
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
It's not going to do facial recognition and similar things (on-board CPU requirements are very high to do that, even if only bursty) but it can be told to snap pictures from the Amcrest camera or execute a given command (which could be to dump an RTSP stream somewhere.)

One of things I did with the older version when I lived in Chicago was have it look at motion around the house in the evening or when nobody was home, and if it saw it in specific places it would drench your ass with the sprinklers smiley

----------
Winding it down.
Attilahooper
Posts: 2829
Incept: 2007-08-28

New York, by way of Montreal Canada.
Report This As A Bad Post Add To Your Ignored User List
Ha ha ha, sprinklers are a fine idea, I was thinking of a couple of well placed paint ball sentry guns.

How about offloading FR to an optional compute node? Optional for those people that want it all? Or a digital ocean droplet? MS is offering a burst specific vm in azure as well. Or even modular so that functionality is supported with a minimum spec?

----------
I've retired and bought Shecky's - Welcome, have fun, **** **** up, let's get this party started
https://www.youtube.com/watch?v=ykZbxFub....

Tickerguy
Posts: 152824
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
There'd be nothing to prevent doing that; the software can execute arbitrary commands outside of the package, which can of course call something on another box. The callout is asynchronous so you'd want whatever it is to notify the controller when its got something (provided you have an authenticated connection that's easily done since you can execute an arbitrary event back on the controller, again assuming appropriate permissions.)

----------
Winding it down.
Ckaminski
Posts: 4624
Incept: 2011-04-08

Mass-Hole!
Online
Report This As A Bad Post Add To Your Ignored User List
How about offloading computations to the GPU?

https://petewarden.com/2014/08/07/how-to....

Tickerguy
Posts: 152824
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
It's not fast enough CK, and it has VERY limited RAM available to it. The other problem is that while the Pi's GPU can be potentially accessed there is NO public interface to it, which means if Broadcom changes the chip internally...... you be ****ed!

----------
Winding it down.

Anejo
Posts: 4
Incept: 2010-06-10

Report This As A Bad Post Add To Your Ignored User List
Hello, Tickerguy, I'm kinda sorta getting into the home automation kick, and have seen your references to your home hub from time to time, and from the description sounds excellent. How would it compare to something like Home Assist or openhab?
Tickerguy
Posts: 152824
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
Well, you mean beyond not being written in Python in one case (yuck) and the other in Java (double-yuck!), both coming with all the baggage that is associated with same?

I mean, if you like writing literal code to do things, well, ok. I'm just not good with that, never mind that none of those were really designed with the small microcontroller (e.g. the Pi) in mind -- they'll run on it, but there are plenty of issues that come with doing so, they're non-trivial to get right, and virtually impossible to get right if not designed with that in mind from the outset.

----------
Winding it down.
Tickerguy
Posts: 152824
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
There is quite a bit more incidentally, including some not-obvious issues that come up as soon as you want an app-style interface instead of a web-page style -- especially if you want the app to be able to know about changes asynchronously yet DO NOT want the cloud involved.

----------
Winding it down.
Anejo
Posts: 4
Incept: 2010-06-10

Report This As A Bad Post Add To Your Ignored User List
Absolutely, and it seems like there is quite a lot of activity in development of various implementations ongoing. While a quick scan of home automation aware device reviews on Amazon might convey a disappointing level of successful implementations in return for significant $$, it also gives a sense that the party is just getting started, and the field is full of opportunity. You might get the ball rolling with a "Freemium" rollout. From various forums and such word of mouth is quite an active influence in this sphere, and a lot of homebrewing interest.
Inline
Tickerguy
Posts: 152824
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
Not looking to sell onesies at all in reality....

----------
Winding it down.
Anejo
Posts: 4
Incept: 2010-06-10

Report This As A Bad Post Add To Your Ignored User List
God grant you, Winding it down, I hear you.
Tat668
Posts: 2889
Incept: 2007-09-09
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
It seems that Amazon is making itself into a non governmental agency in charge of ALL family's need. First was the key to your house "for secure delivery", and now your house security and environmental control! Amazon will want a national budget for their expense and the stock price at least as much as Hathaway. The post office has been working for they, now they can call the cops on you when you over use your air condition!smiley

----------
"This marks the beginning of the end."- Barack Obama 2-26-09
Login Register Top Blog Top Blog Topics FAQ