Problems -- And Answers (IoT; Home)
The Market Ticker - Commentary on The Capital Markets
Login or register to improve your experience
Main Navigation
Sarah's Resources You Should See
Full-Text Search & Archives
Leverage, the book
Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions. For investment, legal or other professional advice specific to your situation contact a licensed professional in your jurisdiction.

NO MATERIAL HERE CONSTITUTES "INVESTMENT ADVICE" NOR IS IT A RECOMMENDATION TO BUY OR SELL ANY FINANCIAL INSTRUMENT, INCLUDING BUT NOT LIMITED TO STOCKS, OPTIONS, BONDS OR FUTURES.

Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility; author(s) may have positions in securities or firms mentioned and have no duty to disclose same.

Market charts, when present, used with permission of TD Ameritrade/ThinkOrSwim Inc. Neither TD Ameritrade or ThinkOrSwim have reviewed, approved or disapproved any content herein.

The Market Ticker content may be sent unmodified to lawmakers via print or electronic means or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media, to republish full articles, or for any commercial use (which includes any site where advertising is displayed.)

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must be complete (NOT a "pitch"; those get you blocked as a spammer), include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.

Considering sending spam? Read this first.

2018-06-20 14:36 by Karl Denninger
in Small Business , 121 references Ignore this thread
Problems -- And Answers (IoT; Home) *
[Comments enabled]

I got 99 problems but secure control of my house isn't one of them.

In no particular order:

  • Problem: Cameras are great. The let you see inside your home when you're not there, along with the periphery.  The problem is that they're inherently insecure, the most-common protocol to view them has no security on the video whatsoever, all of them "phone home", they have low-powered CPUs in them for cost reasons, and they are made and designed in China with who-knows-what sort of back doors in their software.  Solution: HomeDaemon-MCP secures your cameras, making it possible to completely detach them from outside access.  You can obtain the "latest" (last movement) still or real-time video from them over a completely secure connection on your phone at any moment you desire -- from anywhere in the world, and if desired grab an "on demand" video clip to your mobile device.  In addition unlike the simple "if I see movement or detect sound" upload to an insecure cloud some faceless company owns and may use for marketing or other purposes (or almost-as-bad, on-site SD card storage that is trivially stolen by a burglar) HomeDaemon-MCP can, on any set of conditions you define (no matter how complex) upload a fully-secure video clip of a length you determine to a site you, and only you, control using industry-standard and accepted secure communications for use by yourself or the authorities in prosecuting criminal acts.

  • Problem: Locks and other access control devices (e.g. garage door openers) have AES-encrypted (highly secure) options for control, but the "pairing" process is fraught with risk.  Existing controllers poorly handle this, having intentionally sacrificed security on the altar of "convenience", making possible theft of the network security key after which any and all "encrypted" traffic could be intercepted or modified from more than 100' away -- more than enough to tamper with your house from next door or in the street.  This, theoretically at least, could allow a thief to command your door or garage to open for him!  Solution: HomeDaemon-MCP refuses to answer "S0" keying (the risky event) at high power intentionally, preventing key interception at long range with 100% certainty even if you are tricked into attempting to re-install a device.  Instead for S0 secure Z-wave nodes you remove the stick from the controller and pair it at the device itself, which reduces the potential range of interception to inches from hundreds of feet. 

  • Problem: Existing systems all rely on the "cloud" in some fashion or form.  But "cloud" computing is inherently insecure due to computer design priorities that put performance before security, never mind being fraught with the risk that if a server goes down hundreds of thousands or even millions of consumers lose monitoring and control access at once!  Then there are the "microphones" that are supposedly only listening for specific commands yet have been shown to record and send conversations to others without being told to to do so.  Answer: HomeDaemon-MCP never uses voice commands because voice commands are inherently insecure as a microphone must be on and listening all the time in order to detect the alleged "trigger" word or phrase.  This means a programming error or intentional misconduct by a vendor can trivially record, steal and use the contents of your most-intimate conversations -- those in your home (or even bedroom!)  We all have our phones with us today; unlocking yours and touching a screen requires two actions confirming your intent to do something, while denying interception and exploitation by either error or malice.

  • Problem: "Skills" loaded to a device from some third party inherently rely on trust you place in someone else to not misuse your data or worse, spy on you intentionally.  The incentives to violate your trust or spy on you are great and the penalties for firms caught misusing your data have never resulted in a single criminal prosecution of anyone, ever, in the history of these devices and companies.  There is no incentive for a firm not to do this sort of thing because any "penalty" is always limited to a fine (and then only rarely), which is simply passed on to you in the form of higher prices.  Solution: HomeDaemon-MCP is configured and controlled entirely by you or your chosen installer on a local basis in your home, with its configuration stored on a local SD card.  It relies on no external "skills" or code, ever.  You can always, as an administrator and the owner of your home, look at and verify what it is looking at and what actions it takes because unlike an opaque "skill" the configuration is all in an English-like language that is easily understood.

  • Problem: "Cloud" solutions to notifications and events are touted as "more friendly" yet sacrifice security and privacy on the altar of someone else's convenience, particularly when it comes to your mobile phone.  Answer: HomeDaemon-MCP's Android app has zero reliance on a "cloud" for anything, including real-time monitoring.  It provides notification of events as they occur within 90 seconds, even when your phone is asleep and in "low power" mode, and within one second when it's awake, frequently beating the delivery of a text message when sleeping and always beating it when the device is awake, and yet the app consumes only about 1% of your phone's battery power overnight to do so.

  • Problem: Storing passwords on a mobile device is fraught with risk for all the obvious reasons, yet most apps do exactly that, again for your convenience.  Answer: HomeDaemon-MCP's Android app never stores a password.  It instead obtains an authentication token of which you control the length of validity.  Further, a second, one-time use token is returned to the device which is valid for only one command after which it expires, preventing "injection" attacks launched from malicious web sites you may accidentally visit from working.  With no password stored by the app it's impossible to steal it since it's never stored, but only presented when necessary to obtain the authentication token.  Should you lose your mobile device logging out from any device (e.g. a web browser) instantly invalidates the access (and one-time-use) tokens, rendering the connection immediately secure from further access.

Got a desire to make a lot of money?  Then pay me a reasonable amount, own this wholesale (including source) and make a fortune. 

Email karl@denninger.net for more info, or look here.