Still No Recognition
The Market Ticker - Commentary on The Capital Markets
Logging in or registering will improve your experience here
Main Navigation
Display list of topics
Sarah's Resources You Should See
Sarah's Blog Buy Sarah's Pictures
Full-Text Search & Archives
Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions.


The author may have a position in any company or security mentioned herein. Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility.

Market charts, when present, used with permission of TD Ameritrade/ThinkOrSwim Inc. Neither TD Ameritrade or ThinkOrSwim have reviewed, approved or disapproved any content herein.

The Market Ticker content may be sent unmodified to lawmakers via print or electronic means or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media, to republish full articles, or for any commercial use (which includes any site where advertising is displayed.)

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.

Considering sending spam? Read this first.

2019-04-24 11:00 by Karl Denninger
in Small Business , 109 references Ignore this thread
Still No Recognition
[Comments enabled]

Once again, Google's Nest has been "penetrated."

Tara Thomas thought her daughter was just having nightmares.

"There's a monster in my room," Avery, who is almost three, would say, sometimes pointing to the green light on the Nest Cam installed on the wall above her bed.

Then Thomas realised her daughter's nightmares were real. In August, she walked into the room and heard pornography playing through the Nest Cam, which she had used for years as a baby monitor in their California home.


Again Google (just like the rest of these folks) claim there was no real "penetration"; that a hacker "got the password" and "simply logged in."

Except.... that's the sort of half-truth that makes these events easily-dismissed by various large companies.

At the root of the issue is the fact that all of these "technologies" rely on the cloud in some way.  This gives the "bad guys" both a place to focus and a treasure to seek.

Worse, it makes the inevitable break-ins only somewhat known to the user.  In this particular case Avery detected it because the hackers were having fun at a little kid's expense.  What about when they're not; they're simply stealing all the data and using it to, oh, figure out whether you're home in order to break in and steal your nice bigscreen TV?

Which, of course, they can see on the camera and thus know it's there too.

Now that's target acquisition.

The answer to such stupidity is to not cloud the damn thing.  But if you don't "cloud" it then the companies can't steal the data "legitimately" under their "terms of service" and use it.

Which they all do, and which you're dumb enough to allow them to do.

Incidentally Google has this thing called the "SensorVault" that contains detailed information on location of every Android device and, as soon as you connect to any sort of service where the device ID forms part of what it looks at you have now linked it to person not just on a forward basis but backward to its original date of purchase!

It doesn't have to be that way.

HomeDaemon-MCP doesn't cloud anything.  It relies on a central server architecture for exactly one thing -- license checks.  That's it.  Everything else is under local control.  There is no central place to query for a list of user names and passwords, nor any centralized site to go attack and get credentials, plus the vector to your host because there is no central place where any of that is stored.

If you can't poke a central server and check a list of logins and passwords now you have to find the individual devices on the Internet one at a time.  That's billions of times harder than aiming a hacking tool at one place -- hard enough that unless you are personally being targeted it's not worth it.

All these companies talk about friction that reduces their "penetration."  That's a cute way of saying that you're so lazy you can't be bothered to lock the door on your house.  But you do lock the door -- right?  Why wouldn't you lock the digital door?

Why in the name of all that is Holy would you let some third party, no matter who it is, have the key to your house?  As soon as you allow some sort of "cloud" storage of same that's exactly what you've done.

These companies are not only ripping your data off and using it they're calling you stupid on top of it.

Further, recent changes in HomeDaemon-MCP have resolved two other minor potential vulnerabilities, including making stealing the physical SD card out of the base station worthless in that the network key for secure devices (e.g. door locks) is no longer available on it in a form that's useful if the card is physically stolen.  It's a relatively minor change but yet another one that matters when it comes to security.

HomeDaemon-MCP is still available for the entrepreneurial outfit that wants to actually solve problems and sell products and services instead of data-mining consumers and screwing them.  If you're interested in making money the old-fashioned way (that, is, not by deception) then email me at the address on the right sidebar.

View with responses (opens new window)