Talking over the year in review on the Podcast, Tom Nardi and I were brainstorming what we thought was the single overarching trend in 2021, and we came up with many different topics: victories in the right to repair, increasingly dystopian service contracts, a flourishing of cyberdecks, and even greater prevalence of reverse engineering style hacks. And then we realized: they are all different faces of the same beast — people just want to own the devices that they own.
Like Dr. Jekyll and Mr. Hyde, our modern Internet-connected-everythings have two sides. On one side, we get so much additional functionality from having everything on the net. But on the other, if your car is always connected, it gives Toyota a means to make you pay a monthly fee to use a car fob, and if you have to use Cricut’s free online service to upload designs to the cutter, they can suddenly decide to start charging you. It allows Samsung to not only spy on whatever you’re currently watching on your smart TV, but to also brick it if they want to. More and more, we don’t actually own (in the sense of control) the devices that we own (in the sense of having purchased).
We don’t have to take it lying down. On the one hand, consumer protest made Cricut walk back their plans, and may do the same with Toyota. We can achieve a lot, collectively, by just talking about our grievances, and letting the firms in question know how we feel — naturally also with our wallets. But as hackers and all-around techie types, we can do even more. When something is broken because of a bad service, we can often fix it with firmware or by standing up our own version of the service. We can pwn them.
But there’s even more to the cyberdeck and the extreme DIY movements of the last few years than just the defense against lock-in or the liberating of hardware. There’s also the pride of truly owning something because you made it. Not just owning it because you bought it, or owning it because you control it, but owning it because you understand it and because you gave birth to it.
Whichever way you’re into owning your own, I think that’s the single overarching trend of 2021 — both on the positive and proactive side and the negative and reactive. Talking about it, reverse engineering it, or building it yourself, 2021 was the year of owning it.
I think the real lesson here is to not buy internet dependent goods. People like me knew they would be a disaster and they have proven to be just that. They take away control and have horrible security. If it’s going to be internet connected then a well designed (minimalistic) third-party extension/modification that allows you to self-host seems like the best option.
Yes, they can pretty well leave off the “smart” pitch. It’s not a selling point, not now anyway. “Smart” just means it’s going to monitor you and send analytics to the mother ship 24/7. “Smart” means crap like “operation prohibited” when you try to skip something. “Smart” means your thing turns into an ugly paper weight whenever it suits the suits.
Honestly, products claiming to be DUMB otoh, would get my attention. I want a Dumb car. A dumb television. A dumb toaster. Things that just do what they’re supposed to do, the same way every time. Things that don’t try to reinvent themselves every other day. Things that don’t hobble you at the whim of some board room.
I completely agree, and I’ve been doing so for almost always. I’m an engineer, a geek, I love all things technical, but I’ve never bought the ‘smart’, ‘cloud’ and ‘internet anywhere’ thingies.
Same for me. We have a technical background to understand how things work, and we are aware of the risks and benefits involved. But most of the people are simply dumbfounded by the shiny dress used to wrap the (so called) new technologies like voice recognition and networking, while the real new stuff like data mining stays deep out of sight.
People aren’t as dumb as you may think they are.
I have been caught out twice.
The first time was a long time ago and this sort of thing really wasn’t a thing then. It was an EyeFi SD card made by sandisk (from memory). It’s an SD card that had WiFi built in so I had it in my DSLR Camera so when I got home any new pictures taken would automatically download to my desktop PC. It had no functional need to use the internet but the software had to log into a server somewhere before it would work. That server got switched off. The company did a back-flip after customer complaints and released a new revision of the software but only for existing users. 12 months later – possibly even to the second – the card corrupted and couldn’t be re-used. I used it for collecting criminal evidence and a lot was lost.
The second time was more of an experiment. I bought a video doorbell. I knew there was a risk in the general sense of the way the world is going but hey, some nice parts for the parts box if it gets bricked.
The thing sends the video stream via the internet and then back to a smart phone via a so called encrypted connection even when the doorbell and smartphone are on the same local network. More often than not this connection takes five minutes or more to establish so it’s absolutely useless for its intended purpose. No one is going to stand at the door for five minutes.
The ding-dong (bluetooth) part works when it’s offline so the $100 video doorbell has the functionality of a $10 ding-dong doorbell.
**** TL;DR **** The important point is that none of this is disclosed on the packaging. In my country it’s a crime to gain financial advantage via deception, there are also associated consumer laws so I will follow up on this.
The consumer laws here aren’t too bad (not as good as Germany) but consumers don’t know how to act on them so they give up and marketers take advantage of this.
I agree. A lot of “smart” stuff is just annoying and a large hassle to deal with even in the short term.
I would much much more prefer if a lot of the “IoT” were “LNoT” (Local Network of Things) where it all just contacted a “smart home controller” on the local network. Preferably all of this should be in accordance to a unified standard so that it “just works”. (the local home server could be a raspberry pi, or some other device)
If more things were locally hosted, then yes, I would happily use a lot more “smart” things, since they would then actually be useful and reliable.
They can still have the “IoT” cloud based service as an option for those who desire that. I for one don’t desire that.
Though, a lot of applications don’t benefit in the slightest from being “smart”.
I would buy the “dumb” toaster before a “smart” one every single day.
I’m considering setting up an independent WiFi network in my house to attach video cameras and other IoT stuff that I don’t want connected to the Internet. A couple of old tablets or phones could be used to access it.
I like that term LNOT. That is the way I set up any of my home automation projects. I have two networks in the house. A local network for printers, servers, desktops, and SBCs. Then the internet connected network. This requires two interface cards for all machines that need access to both… but worth it to me. SBCs doing things are only connected to the LNOT. In fact my file server is also ‘disconnected’ from the internet most of the time. It only gets plugged in to the internet when I need to do an ‘apt update’ on it. This is manually disconnected again. When I used to have a Windows box it was always disconnected. Now, for the rare times we need Windows, I have it in a VM on the LNOT.
As for the nickel and dime servers in vehicles…. Just say no. We got along just fine without all the ‘features’ since the first car was invented and still we got from point A to point B.
Should read nickel and dime ‘services’….
To be fair, the term LNoT rolls off the tongue better than I expected.
But it would be nice if more “IoT” devices were LNoT instead, the manufacturer could just give it a name it displays on the network, have one track it down via the router or by some other program, and then adopt it into a server/controller or activate its “IoT” features if the end user so desires to rely on cloud services.
A lot of IoT stuff after all doesn’t need an internet connection to do its thing.
More fancy lighting, controlling of media centers, or even adjusting the thermostat are all things that can be done locally without an internet connection. Though, temperature adjustments could be done more preemptively if the weather forecast is available, same for a lot of other applications but that is why one has a controller in the network handling the system.
If you allow me to add some expressions for the modern age:
“everything as a service, everybody as our servants”
“this service is not for free, it is for fee”
@ [Danjovic]
Except that machines are our servants and WE are the slaves for the rich.
I had a home “whatever” server / firewall for at least 25 years go.
I’ve had an online (shared) server for at least 15 years. You can pick up a cheap “reseller” account and use it for personal use as long as you pay the bills and don’t abuse the server then they don’t care if it’s for personal use. Server markup from reseller to end user is ridiculous 400% to 1000%. Some large services are cheaper for end users but they find other ways to suck money out of you.
There is no need for anything I buy or “poses” to be dependent on someone else’s server.
Some products are utter crap for this.
I have an Orion video doorbell that has to go via the internet. It can take 20 minutes to successfully establish an encrypted feed via the internet to the camera. No one is going to wait that long. They have shot themselves in the foot. At $100 it literally provides no usable features over a $10 ding dong bell.
Well the cool thing about a lot of previous IoT devices and plenty of current ones use esp8266 and you can either write your own control firmware or use something like the excellent Tasmota.
Funny you should say you want a Dumb car (me, too). What has just been signed into law is a kill switch that allows the Government to shut off your car, to be installed in all new cars by 2026.
“Deep within (the President’s) recently signed infrastructure bill is a passage that will require automakers to begin including a ‘vehicle kill switch’ within the operating software of new cars. The measure has been positioned as a safety tool to help prevent drunk driving, and by 2026 the kill switch will be mandated on every new car sold in the United States.
“According to the Daily Caller, the legislation is frighteningly short on details. As per the documents, it’s known the proposed safety device will ‘passively monitor the performance of a driver of a motor vehicle to accurately identify whether that driver may be impaired.’
“In software terms, passively suggests the kill switch will always be running in the background and constantly monitoring the vehicle for deviation from normal driving habits…”
https://www.musclecarsandtrucks.com/biden-infrastructure-bill-vehicle-kill-switch-2026/
If you aren’t dead sure already that this functionality will experience rapid “mission creep” and will come to be steadily abused, your knowledge of history is sadly lacking.
Quote: “passively monitor the performance of a driver of a motor vehicle to accurately identify whether that driver may be impaired”
Impaired or desperately trying to avoid a drunk driver or pedestrian … perhaps a young child chasing a ball.
And when it comes to how well government departments protect their network security … anywhere you read “government” you can substitute “hacker”. Imagine what power this would be giving to a hacker of another government in cyber warfare.
I followed that back a few steps. However, I couldn’t find any language in the bill cited, or where within the bill the troubling language can be found. I’m not saying dismiss the reporting, but I see no reason to take it at face value either. Bob Barr’s style seems to be a blending of Alex Jones and Tucker Carlson. Kinda like the reporter doesn’t want us to easily see the facts
“I think the real lesson here is to not buy internet dependent goods.”
Darn, there goes the new router purchase. ;-)
You might be able to make an exception for that. 😁
Actually, this is the first thing you should NOT make an exception for. First thing when I got mine was to flash OpenWRT on it. Reason? All your traffic goes through it.
When I got mine it was “advisable” to have an account on manufacturer’s website to access all its features. I noped out of that in an instant.
One problem is that many internet dependent things don’t advertise their internet dependence until after you purchase them. A few years ago I bought out the local Home Depot when they discontinued a line of IoT remote controlled electrical outlets, got eight of them for $4 apiece. I bought them because I knew from another forum that this model had ESP8266 onboard and could be reprogrammed. But before reflashing one I did check out how it worked with the factory firmware. It was completely dependent on a server in China for every function except the manual on/off touch button on the face of the outlet. And it sent everything, including your wifi credentials in plaintext, to that server. If you lost internet it would continue to work for a bit until it power cycled, at which point it would do nothing until it could phone home even if it could still connect to a wifi router. This was not noted anywhere on the box, on any of the promotional documents, or even in the instructions. It was just assumed that you would have internet access and if you didn’t, well why are you buying an IoT wall outlet?
Interesting dichotomy for Hackaday, where some hardware hackers such as myself do everything possible to limit the intrusion of web-based, algorithmic control and monitoring, as contrasted by those with practical skills and fluency in programming and digital control systems who are maximising the possibilities of processor-based high tech and for the most part ignore the invasiveness of big data, or at least can grin and get on with it, though the latter are thankful when I scrap the failed, digitally controlled solenoid valve system on their air compressor and replace it with a pressure regulator from an old water pump and it works reliably.
As far as that goes, I have de-computered a few things now, but have yet to have someone computerise something analog as a refit that I can use.
ROFL @ [Elliot Williams]
Quote: ” … owning it because you understand it and because you gave birth to it”
A female would probably say the pain levels are probably like actually giving birth so some of the projects seen here!!!
This looks into surface-level outliers like DRM coffee makers or subscription car-starters. Unfortunately proprietary designs and planned obsolescence are also a form of rent-seeking* behavior.
Start with rechargeable power systems – you will find very few that simply allow you to replace the 18650 (or other) cells on your own. There is a whole swath of the tool industry that will nearly give you the tools if you buy the battery modules that need replacement every few years, although knock-offs whittle this away somewhat. Taken to a larger scale, planned obsolescence of phones and devices, their operating systems and related peripherals are exactly the same thing as well as abandoned support for devices as Windows etc. are superseded.
The overall growing trend is to sell the item, then charge you for the use of it and it’s beginning to percolate into other areas of manufacturing. Usually this leads to explicit rental/leasing, but we’ll see where it ends.
_______
Defined by Investopedia as: “Rent seeking (or rent-seeking) is an economic concept that occurs when an entity seeks to gain added wealth without any reciprocal contribution of productivity”
love the art. as always!
Me too!
I actually recycle old Joe Kim favorites for these weekend newsletter posts. This one was from a story about DIY PC cases — where it also fits just right.
I’ve got a list of my favorites. I should just start writing the newsletters to fit the art instead!
Yes! You GET it! I frequently feel like a lone voice crying in the wilderness on this topic.
“Not just owning it because you bought it, or owning it because you control it, but owning it because you understand it and because you gave birth to it.” That is a major driving force behind the hours spent and sleep lost over things like what I call my ‘PiNet’.
Can it be done differently? Sure. Cheaper? Sure. Better? No, not really. And when it breaks, I can fix it. And in the long process of building it, I understand it, I know it, I own it. Exactly!
No cloud, no data sharing (with an exception of donated weather data to PWSweather.com).
My biggest challenge at this point is making sure anyone coming behind me can manage what I’ve built. Truth is, they’ll probably just replace it.
Thanks for sharing that article. I really enjoyed reading that.
Another stupid and even dangerous aspect of the “connected” world is the lack of alternative for the moments when the network is down or when your phone battery ran out of juice.
Same for virtual money and bank apps. In Brazil there is a new bank service called PIX that allows limitless operation of your funds, and there is a spread of flash kidnaps where the criminals went beyond cleaning the victim’s check and savings by contracting instant loans. All the money is transferred to cold accounts (and supposedly) to acquire crypto coins.
One can think: simply don’t use such apps. Many people don’t, but when that happens the criminals DO call your friends and familiars and use the victims as leverage to have the familiars and friends to PIX them the money.
My point is: even those who are aware of the bad side of technology have already started to suffer the consequences of the world being shaped by the ones that don’t know or don’t care about privacy violation and personal security breaches as long as they can enjoy the comfort and the ease of machines doing stuff for them.
Agreed 100%.
I intend to set up an account in one of those “online-only” banks to use with PIX transactions, because people keep pestering me to accept payment in it, and I get tired of explaining that I do not have it, and do not want it, and then getting dragged into some conversation about why it is wonderful, etc etc, best thing since sliced bread. So it seems easier to set up a second account, not tied to the main bank account, just to receive these inconvenient payments.
One question that people simply do not answer, and always try to divert the question, is when I ask them how will they give some coins to a beggar on the street. Will they insist on the beggar having a pix address also? :)
What I didn’t see in the article and comments is actions to take. Perhaps a blog where people can post useful information, like products that are known to be susceptible to actions taken by Toyota et al. Could be a slippery slope if knuckleheads knowingly post false information.
If you can afford the lawyers. Do you want to take on Toyota? They don’t care if they lose a case that costs them $100,000 and you $100,000, better get that second mortgage ready!
Greedy companies get all the blame for this and deservedly so. But I think there is another group to consider giving a piece of the blame too.
Network admins.
I think it’s been drilled into people’s minds that the internet is too scary a place to roam outside the LAN. Granted, running a full sendmail server without becoming a spam provider does require a bit of technical know how. But how many of these IoT devices, which currently depend on a corporate owned, centralized cloud server only require the ability to respond to a very small set of commands or just send a little telemetry? It’s not that hard to secure something so simple.
A lot of this stuff could be implemented with dynamic dns and a port forward in one’s router. It doesn’t have to be THAT scary. When I worked in tech support for a major internet provider a huge part of our job was walking people through setting up POP and SMTP in Outlook Express. We would each walk dozens of customers through it over the phone every day. Setting up a port forward in one’s router isn’t really any more complicated than that.
Better yet, imagine if every consumer router came with an MQTT broker installed much like they almost all have dynamic dns clients now. By default it would only talk on the LAN but once the user sets up the dynamic dns client one checks a box and it also automates grabbing a matching SSL certificate from Let’s Encrypt. Then the MQTT broker becomes available, only via SSL and only with a login account on the internet.
IoT devices would all talk MQTT and by default would expect the broker to be at the same address as the gateway as provided by DHCP. Android apps could then just take the user’s home domain name and login information. Then they could subscribe to various well known topics out of a database to discover the user’s devices and present a control panel. An advanced tab would give advanced users and DIYers an option to build up UIs for lesser-known or home-built devices much like the MQTT apps that exist now.
iPhone users… I don’t know. I guess they would just trade their kidneys and first born children for some shiny devices that come pre-configured to talk to one another (and ONLY one another) from the factory like always.
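The router-hosted broker proposed in the comment above, sketched as a Mosquitto configuration with a LAN-only default listener and an opt-in TLS listener that requires a login. This is an added example, not the commenter's or any router vendor's configuration; the LAN address 192.168.1.1, the hostname home.example.net and all file paths are assumptions.

```conf
# mosquitto.conf sketch (added example; address, hostname and paths are assumed)

# Apply authentication and ACL settings per listener instead of globally.
per_listener_settings true

# --- LAN listener: the out-of-the-box default the comment describes ---
# Bound to the router's LAN address only (assumed 192.168.1.1, the gateway
# address devices learn from DHCP), so the WAN interface never exposes it.
listener 1883 192.168.1.1
# Anonymous access is an assumption made here for plug-and-play devices.
# If devices can be provisioned with credentials, set allow_anonymous false
# and add a password_file on this listener as well.
allow_anonymous true

# --- Internet listener: enabled only once the user opts in ---
# TLS only, using the certificate issued for the dynamic DNS name
# (assumed home.example.net) and copied to a path the broker can read.
listener 8883
certfile /etc/mosquitto/certs/home.example.net/fullchain.pem
keyfile /etc/mosquitto/certs/home.example.net/privkey.pem
tls_version tlsv1.2
# No anonymous clients from the internet: a username and password are mandatory.
allow_anonymous false
password_file /etc/mosquitto/passwd
# Limit which topics the remote account may read and write.
acl_file /etc/mosquitto/remote.acl
```

Entries in the password file are created with `mosquitto_passwd`, and the router's firewall has to admit port 8883 from the WAN while leaving 1883 closed there.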
lol.
Well that’s easy for someone from IT to say.
Consumer A: This one doesn’t work, Translation, I couldn’t understand the setup (because it was made to be secure)
Consumer B: This one works fine, I just plugged it in. Translation UPnP is enabled by default on my router. Hackers delight.
For many years my tasks included zone management. I’ve tried to explain DNS to other IT professionals and I really don’t understand why they find it so hard to understand. Maybe you can enlighten me on this one? It’s like you’re telling them the world is flat.
I don’t think the average hackaday user has a good understanding of DNS (let alone Dynamic DNS or DHCP) and that’s probably the reason we have a proliferation of IoT hosts / clients. So the HAD hacker doesn’t have to deal with DNS. Of course they have a basic understanding and for some a good understanding. But not so good by average.
You’ll find all sorts of coders here, C, C#, C++, RUST, Python, Arduino (Sketch), various platforms even ASM. But forget about Apache, PHP, CSS, HTML etc.
If you understand at least DHCP, DNS, PHP and you have a server (local, online or both) then you don’t need anyone else’s code to get your IoT device to work on the LAN (and not be dependent on the net) and use the net only for additional features as required. Hey even skip php as someone has already written the code for you.
It stands out as a big void in the HAD hacker skill-set.
Really if you have your own servers then just simple request / POST (JSON) would alleviate most of the security issues. So damn simple but yet so far away from what the average hacker does.
Ouch, that picture makes me cringe. It reminds me of an old friend who uses about that amount of force when working on computer hardware!
You don’t even own your cyberdeck – Limor Fried [of Adafruit] was just awarded the trademark for cyberdeck.
https://trademarks.justia.com/904/41/cyberdeck-90441259.html
hi andrew, i work with limor (and i founded hackaday) – we wanted to use the name “cyberdeck” in a product and made sure there were no issues at all for our specific use (our legal folks advise us to check with namings and more), there is no enforcement on this trademark by adafruit, or limor, or anything like that – we also have other trademarks that you can view at adafruit dot com slash trademarks – hope that clears it up and feel free to email me directly for anything else pt at adafruit dot com –
Wow, that puts me off buying anything from Adafruit!
It’s like something has been stolen from hackers.
hi rob – i work with limor (and i founded hackaday) – we wanted to use the name “cyberdeck” in a product and made sure there were no issues at all for our specific use (our legal folks advise us to check with namings and more), there is no enforcement on this trademark by adafruit, or limor, or anything like that – we also have other trademarks that you can view at adafruit dot com slash trademarks – hope that clears it up and feel free to email me directly for anything else pt at adafruit dot com –
No offense Phillip Torrone but all we legally have here is a post from you as a proxy for Limor Fried as a proxy for Adafruit on a forum post with no signature.
Nothing in your statement can be offered as defense for the use by others of the TM. I’m not a legal person so for all I know that means that tech sites (including Hackaday) and member projects sites can’t use the word cyberdeck without placing themselves in a legally vulnerable position.
It’s all very well for you to say “we won’t enforce” but it’s still the position of other businesses to choose for themselves if they want to be in a legally vulnerable position and potentially susceptible to expensive litigation.
As an example: the issue with .gif format and LZW compression, CompuServe / Unisys said they wouldn’t enforce but the whole internet abandoned its most popular graphics format and went to .png
All said it’s a pleasure to see you drop by. I have been here since close to the beginning.
hi @ RÖB – the hackaday folks i guess could verify it’s me, either way – you’re right you’re not a legal person, me either! when we develop products and use a name like feather or cyberdeck we work with our lawyers to make sure it’s OK to use and sell a product with the name, check out adafruit dot com slash trademarks for the trademarks we use/have, feel free to email me to verify it’s me as well pt at adafruit dot com
Wonder what William Gibson thinks of this…