|
idiotsavant posted:uh what? You remote into a modern commercial BMS like any other computer, and if it was an older unit it'd use a dial-up modem. Actual commercial buildings have third-party temperature control and it works great given the right setup (and assuming a bunch of rear end in a top hat engineers don't program request macros to drive the temp in their areas down to 68 degrees). This isn't a temperature controller. It's something that interrupts the compressor from running when peak load needs to be shed. It's being operated using radio frequency over the power lines. They're typically referred to as a "DCU" or demand control unit. It doesn't seem like you are able to remember a time before the internet was used for everything, but this is from those times. I literally still have one on my house: 
|
#
?
Jun 20, 2021 15:10
|
|
|
|
| # ? May 10, 2024 15:12 |
|
|
Tuxedo Gin posted:TVs are worse than ever. You can't even buy a TV now that isn't full of bloat and they're starting to sneak in internet access requirements, microphones, and ads in the menus.
|
|
#
?
Jun 20, 2021 17:23
|
|
|
Motronic posted:This isn't a temperature controller. It's something that interrupts the compressor from running when peak load needs to be shed. It's being operated using radio frequency over the power lines. They're typically referred to as a "DCU" or demand control unit. OK, great, nice box on your house. The problem here isn't "the internet," because there's no meaningful gain in functionality, privacy, security, or anything else from running everything over a custom powerline-RF network (or custom wireless communication or anything else), and it's a lot cheaper and easier to just use the data connection that most everybody has in their homes now. The problem comes from companies that cut corners in system design, and in being allowed to sneak extra terms and conditions in fine print statements that their customers aren't equipped to parse even if they did bother to read the whole thing. The delivery mechanism for the bits is the least important part.
|
|
#
?
Jun 20, 2021 19:30
|
|
|
Space Gopher posted:OK, great, nice box on your house. You seem to almost grasp all the issues here, but not quite. Somehow you still believe that internet security is a thing that is possible for more than at a single point in time, and even that is arguable. The more third party access to devices in your own home plumbed to a network that is literally global (read: well beyond the scope of what is necessary for functions like this) is a risk factor. Abandonware devices that keep functioning as, say, a local thermostat but are still plumbed to the internet, devices that are still getting updates and plumbed to the internet for that matter, devices that are able to be exploited in a way where they can exploit other devices on your network....... And while I'm not going to go into details, a massive breach of these devices can be used to cause catastrophic damage to the grid. It's baffling that you would think any of this is a good idea in this thread and also in the context of the massive wave of internet based ransomware attacks to presumably professionally managed critical infrastructure and have such an opinion. Yes, I get it's cheaper. That's how we've ended up with all of these problems. Cheap doesn't always mean good, or even fit for purpose. Motronic fucked around with this message at 19:52 on Jun 20, 2021 |
|
#
?
Jun 20, 2021 19:50
|
|
|
There is no suggestion in the original article that the thermostats malfunctioned in any way, are insecure in general, were adjusted except at the direction of the utility, or that any of the adjustments were inconsistent with the agreement the guy opted in to. The guy is upset that his house was 78F / 25.6C, either because the description of the program was misleading, because he is an idiot, or both. This isn't vital infrastructure. It's an adjustment to a thermostat that is canceled as soon as someone physically at it touches a button. No utility equipment is relying on an adjustment happening or not. Using powerline communication instead of internet also isn't more secure in any real way. It is still a shared network with no physical access controls and transmissions across it would need to be authenticated exactly the same as on internet. It gets some geographical limitation because repurposing power lines for frequency ranges they weren't intended for is finicky and will just stop working once signals bump into some kinds of cabling and equipment. I would bet that old system doesn't have any security besides obscurity and that anyone in your city could watch and control it from a close-enough mains plug.
|
|
#
?
Jun 20, 2021 21:06
|
|
|
78 seems like a perfectly ok temperature to be at.
|
|
#
?
Jun 20, 2021 21:17
|
|
|
Motronic posted:You seem to almost grasp all the issues here, but not quite. Somehow you still believe that internet security is a thing that is possible for more than at a single point in time, and even that is arguable. The more third party access to devices in your own home plumbed to a network that is literally global (read: well beyond the scope of what is necessary for functions like this) is a risk factor. Abandonware devices that keep functioning as, say, a local thermostat but are still plumbed to the internet, devices that are still getting updates and plumbed to the internet for that matter, devices that are able to be exploited in a way where they can exploit other devices on your network....... If they care about security, it's perfectly possible to implement secure connections over the internet that are more than good enough for any reasonable commercial system. e: For an example, look at public cloud providers like AWS or Azure or even second-tier hosting like DigitalOcean. Crypto mining creates a huge and direct incentive to break into their systems, because you can turn seconds of compute time into tokens that can be easily laundered into cash. Despite that, there haven't been huge breaches of their systems that pointed all the machines in a datacenter at mining bitcoin or ethereum or whatever. Even if we assume that they'd never announce a Security Incident, we can also see that there haven't been big public consequences of people breaking into their systems. That's because they actually invest in security, and while they're not perfect, they manage to do a pretty good job at it. If they don't care about security, then you can absolutely get access to the systems that run their "separate" network by sending all_employees_salary.xlsx.exe to some random maintenance tech - or, probably, anyone else in the company. Assuming that you don't just have to find their open-to-the-world remote desktop to the maintenance console with the password "admin/admin," anyway. "The internet" is not the problem. The problem is that all the incentives in the market line up to make it much more profitable to ship buggy, broken, insecure garbage software and hardware, and to fool consumers rather than actually get their consent for anything. Space Gopher fucked around with this message at 21:44 on Jun 20, 2021 |
|
#
?
Jun 20, 2021 21:21
|
|
|
That's not wrong, but you need to look at the relative advantages and disadvantages. Something like AWS has a huge, huge security budget and spends a gigantic amount of effort on maintaining and improving security. As a result, the security is pretty drat good, though nothing is infallible. But we also must recognize that they don't have another option, you can't be a cloud provider without implicitly shouldering the risk of security breaches. With the Internet of Things or whatever the gently caress it's called, there *are* other options, and people should be considering the budget and resources they commit to security against the benefits provided by having things accessible online and the risks of a successful attack. In some cases, that calculation is going to result in things being online and properly secured with a big budget; in other cases, it's not worth the trouble. But what we can and should call out is anyone doing this without adequate concern for security and the risks involved.
|
|
#
?
Jun 20, 2021 23:30
|
|
|
withak posted:78 seems like a perfectly ok temperature to be at. considering the locale they're doing pretty good imho Delta-Wye fucked around with this message at 03:12 on Jun 21, 2021 |
|
#
?
Jun 20, 2021 23:38
|
|
|
withak posted:78 seems like a perfectly ok temperature to be at. No the gently caress it doesn't.
|
|
#
?
Jun 20, 2021 23:42
|
|
|
withak posted:78 seems like a perfectly ok temperature to be at. Extremely humidity dependent I would think. Indoor temperature should be between 68 and 75 in most "comfortable" scenarios.
|
|
#
?
Jun 20, 2021 23:53
|
|
|
I like it cold inside, personally, but if it's 100+ outside and 78 inside, that seems like one of those things you just have to live with. Like, if it's 65 inside and -40 outside (a more likely scenario where I live), that doesn't mean your heating doesn't work, it means it has limits and occasionally you have to compromise with mother nature.
|
|
#
?
Jun 21, 2021 00:06
|
|
|
PT6A posted:That's not wrong, but you need to look at the relative advantages and disadvantages. Something like AWS has a huge, huge security budget and spends a gigantic amount of effort on maintaining and improving security. As a result, the security is pretty drat good, though nothing is infallible. But we also must recognize that they don't have another option, you can't be a cloud provider without implicitly shouldering the risk of security breaches. Sure - my point here isn't that we should connect everything to the internet or that it's always and forever the best choice. In a lot of situations, though, internet connectivity is a credible contender. It's possible to build reliable, secure systems on top of the internet. In fact, it's not even that hard, as long as you commit to following known best practices rather than shipping proof-of-concept work out the door, and to providing full lifecycle support. And, just as important: if you have a lovely IoT system, taking the "I" out of the equation isn't actually going to solve your problems. At best, it might remove one attack surface, but if you're shipping a lovely product then you're going to have plenty of other places for vulnerabilities to hide. If the overall environment doesn't take security seriously, there will still be easy ways to get to those vulnerabilities and exploit them. The real problem is that there aren't any mechanisms that punish corner-cutting, and it's always more profitable to create tech nightmares that cut corners on security and functionality, violate privacy, and jam ads in everywhere. That's why people do it. The only way to solve the problem is by creating standards and regulations that hold manufacturers and service providers accountable for delivering garbage. Motronic seems to think that the problem is the internet, not lovely devices and business practices in general. But, even if you were to ban all directly internet-connected infrastructure tomorrow, it wouldn't solve any of the underlying issues. packetmantis posted:No the gently caress it doesn't. tough_desert_dweller.txt
|
|
#
?
Jun 21, 2021 01:40
|
|
|
Having residents electrical supply reliant on their Wi-Fi being active and having not changed the password seems like a customer support nightmare, and if it will stay on wouldn't that defeat the purpose of trying to manage load since hot days would just see people disconnecting the devices from their Wi-Fi?
|
|
#
?
Jun 21, 2021 02:23
|
|
|
Space Gopher posted:Motronic seems to think that the problem is the internet, not lovely devices and business practices in general. But, even if you were to ban all directly internet-connected infrastructure tomorrow, it wouldn't solve any of the underlying issues. You use terms like "attack surface" yet still don't get it. Go back and figure out what this means in regards to putting things on the internet vs basically any other method and work that into the risk calculations for how good is good enough. Now add to that calculation the other random devices on that shared network vs. no other types of devices other than those for this particular function. I've spent my entire career as a network engineer. What is informing your opinion?
|
|
#
?
Jun 21, 2021 02:25
|
|
|
Foxfire_ posted:There is no suggestion in the original article that the thermostats [...] are insecure in general it says they're IOT bullshit connected to the internet and made by a startup
|
|
#
?
Jun 21, 2021 02:45
|
|
|
Senor Tron posted:Having residents electrical supply reliant on their Wi-Fi being active and having not changed the password seems like a customer support nightmare, and if it will stay on wouldn't that defeat the purpose of trying to manage load since hot days would just see people disconnecting the devices from their Wi-Fi? 1) In normal situations, smooth load by scheduling when cooling load comes up. If an AC compressor is on average going to be running 20 mins out of every hour, stagger those so that the average demand is mostly constant instead of having a big spike when thermostats switch setpoints on the hour and AC cycles are synchronized with each other. End customer entirely doesn't care about that kind of scheduling. 2) In a high demand situation, cut load by adjusting a lot of houses' thermostats a little bit instead of doing full brownouts on a few areas. It gives them a demand-reducing lever besides cutting power entirely. If a thermostat drops out because of network problems, the utility loses the ability to adjust that one, but it doesn't cut electrical supply to that house or anything. The utility doesn't really care if they come up or down (or if people push the 'cancel adjustment' button on them), as long as on average a bunch are still there. At worst, they just revert to being dumb thermostats and the utility's load management is no worse off than it was to start with e: RPATDO_LAMD posted:it says they're IOT bullshit connected to the internet and made by a startup
|
|
#
?
Jun 21, 2021 02:53
|
|
|
It's amazing how you keep responding with backpedaling and goalpost moving, but aren't answering any questions I've asked. You've make it clear you think this is all totally fine. I and several others have pointed out why we think it's not, with examples of how this has recently gone wrong. You keep going back to saying how what happened here was fine. We're talking about more than this individual instance.
|
|
#
?
Jun 21, 2021 03:03
|
|
|
I'm a software developer with a specialization in cloud architecture and security and anybody willingly putting this in their house is out of their damned minds. Motronic speaks wisdom. There's more than a grain of truth in the whole "somebody dealing with computer security has two pieces of technology in their house" thing.
|
|
#
?
Jun 21, 2021 03:33
|
|
|
tracecomplete posted:There's more than a grain of truth in the whole "somebody dealing with computer security has two pieces of technology in their house" thing. And a baseball bat next to both in case one day they start talking back 
|
|
#
?
Jun 21, 2021 03:58
|
|
|
Space Gopher posted:If they care about security, it's perfectly possible to implement secure connections over the internet that are more than good enough for any reasonable commercial system.
|
|
#
?
Jun 21, 2021 04:03
|
|
|
HelloSailorSign posted:And a baseball bat next to both in case one day they start talking back If it’s the joke I’m thinking of, one is a non-internet printer and the other is a gun if the printer starts acting up. So…you were on the right page!
|
|
#
?
Jun 21, 2021 04:14
|
|
|
goatsestretchgoals posted:If it’s the joke I’m thinking of, one is a non-internet printer and the other is a gun if the printer starts acting up. So…you were on the right page! Yeah, that's the version I've always heard.
|
|
#
?
Jun 21, 2021 04:50
|
|
|
Motronic posted:You use terms like "attack surface" yet still don't get it. Go back and figure out what this means in regards to putting things on the internet vs basically any other method and work that into the risk calculations for how good is good enough. Now add to that calculation the other random devices on that shared network vs. no other types of devices other than those for this particular function. I'm a software developer. I'm not an infosec specialist but I've worked in all kinds of secure environments, including with payment data. Incidentally, credit card terminals are another example of IoT-ish devices that do highly sensitive business over the internet, and manage to mostly do alright, largely because credit card payments are a highly regulated industry! The idea that network segmentation is security - you set up a really good firewall to filter all the Bad Traffic out, and then everything inside the secure zone is Good and can be trusted - just doesn't work in an environment where spearphishing is prevalent, people deploy shadow remote admin tools all the time, and security appliances keep having problems. If you want actual security, you have to push it out to every application and endpoint. If you have infinite resources and need to deal with incredibly sophisticated attackers - say, you're the DoD - then you take that secure system and run the whole thing on an airgapped secure network like SIPRnet or JWICS. But, for ordinary commercial systems (which are almost always going to have some kind of route to the normal internet) I'd much rather have the application developers thinking "this host needs to stay patched and the application needs to validate every request, because it's exposed to the world" rather than "eh, who cares, it's an ~internal-only system~ and it can just accept sensitive commands over plaintext with no auth." Which is exactly what will happen, as long as there aren't strict controls in place. I sincerely doubt that your RF-powerline-controlled AC controller box system as a whole is any more secure than, say, a Nest thermostat. The fact that commands happen to go out over a relatively exotic network doesn't mean anything if the other end of that network is connected to the internet, and controlled by some outdated OS running an open remote desktop - which is exactly what I'd expect from a power company. The only thing that network segmentation gets you there is a false sense of security. UCS Hellmaker posted:It's worthless to use cloud computing for mining, the main things are CPU mining and they legit are useless compared to gpu and Asics. CPUs aren't worth anything on any token mining so using a huge data center isn't worth the effort (and it likely be caught fairly fast) If you could break into AWS or Azure infrastructure and allocate resources at your pleasure, you would have access to incredible numbers of GPUs and FPGAs (which can be set up as hardware Bitcoin miners easily; the code's on github). https://aws.amazon.com/ec2/instance-types/g3/ https://aws.amazon.com/ec2/instance-types/f1/ https://docs.microsoft.com/en-us/azure/virtual-machines/nct4-v3-series https://docs.microsoft.com/en-us/azure/virtual-machines/np-series In fact, if you were to push AWS creds into a public github repo, you'd find your account running miners very quickly - the attacks are fully automated. Here's an experiment where some folks deliberately put AWS keys into public source control. Time from the public commit to monero miners spinning up was six minutes - and five of those minutes were github's built-in delay. The attackers didn't use GPU or FPGA instances, but that's just because access to those instance types is gated behind a support request by default. You're right about the fundamental reason it's not worth it, though. Amazon and Microsoft pay attention to and invest in platform security, so exploits are rare, and anyone caught using them is kicked out quickly, before they could do anything like commandeer a few thousand GPUs for a few hours. Even individual account compromises usually get slapped with a quarantine policy. Which goes back to prove the larger point: it's completely possible to run high-value secure systems connected to the internet. All you have to do is give a drat about security. The problem with almost all IoT gear isn't the "internet" part, it's the "security" part.
|
|
#
?
Jun 21, 2021 04:52
|
|
|
Motronic posted:It's amazing how you keep responding with backpedaling and goalpost moving, but aren't answering any questions I've asked. It's gone wrong recently?
|
|
#
?
Jun 21, 2021 04:55
|
|
|
The article about the thermostats being raised is hilarious because 'woke up sweating' due to 78F is loving pussy rear end poo poo. 25C is a normal spring day in australia and loving nobody needs climate control. Americans are a bunch of loving babies. you do not need constant temperature control to surive. I turn my AC on for an hour, it cools my house then I turn it off again til its hot. just not having constant temperature control would probably give the grid the breathing room it needs. (USER WAS PUT ON PROBATION FOR THIS POST)
|
|
#
?
Jun 21, 2021 05:03
|
|
|
Cool story mate
|
|
#
?
Jun 21, 2021 05:13
|
|
|
Laserface posted:The article about the thermostats being raised is hilarious because 'woke up sweating' due to 78F is loving pussy rear end poo poo. Yeah, I mean even here, one time my place got up to 28C (82F) for a week or so. It sucked, but we had a heat wave and no AC and I had a south-facing apartment with no capability to get airflow in during the night (positive pressure in from the hallway), and miraculously I'm still here. Also, I don't live in a habitually hot climate. I'm not used to that sort of thing. In the winter, I'll go the the supermarket wearing a t-shirt in -10. If I can handle the heat, then anyone can. The Texas freeze was an actual issue because pipes were bursting and crap, we've had people die in heatwaves because it was 85+ continuously indoors, 78F is not a problem by comparison. "You're gonna be unpleasantly warm and that's what we need to do because our electrical grid is made mainly of bailing twine" is not what you want to hear, but it is a valid and safe short term solution as you work to unfuck the decades of neglect.
|
|
#
?
Jun 21, 2021 05:33
|
|
|
Laserface posted:The article about the thermostats being raised is hilarious because 'woke up sweating' due to 78F is loving pussy rear end poo poo. Imagine dick-swinging about this of all things, lmao.
|
|
#
?
Jun 21, 2021 05:55
|
|
|
Sadly not the world isn't solely composed of Australian ubermensch, but it's certainly true that cities can be built to better deal with heat without needing constant AC. In southern Spain, for example, cities are traditionally built with narrow streets covered with awnings that significantly lower the ambient temperature, and well-insulated houses and apartments that have shade features, tall ceilings, and a high albedo. Modern features like high-efficiency ceiling fans, heat pumps, and self-cooling solar panel arrays can go a long way to improve indoor climates without causing electric bills to spike. But one of the biggest things about this sort of issue is that Americans subsidize resource usage in many ways, and strongly resist any attempt to improve efficiency or curb wastage. Spanish household electricity costs nearly 2.5 times as much as the subsidized American cost - which is exactly why Americans never see any reason to invest in improvements. And this sort of thing is typical at all sorts of levels - without incentives to change behavior, people typically won't act out of mere social responsibility.
|
|
#
?
Jun 21, 2021 05:58
|
|
|
"This is America! I don't want your socialist energy-saving measures, I want capitalist subsidized electricity!" Also, don't go live in the literal desert and then complain it's a bit hot. I genuinely hope that the immense heatwaves in places like Las Vegas help some people realize that climate change is apparently A Thing and perhaps something should be done about it.
|
|
#
?
Jun 21, 2021 10:01
|
|
|
Feels like most of the houses that can't be cooled must have substandard or no insulation. It's not Texas but the temperature gets up to about 36C here every year and I don't think it's been above 25C in my non-AC apartment. Likewise we discovered due to management company dumbassery the underfloor heating was not working and in winter the temperature just dipped into the 19s.
|
|
#
?
Jun 21, 2021 12:15
|
|
|
Sagacity posted:Also, don't go live in the literal desert and then complain it's a bit hot. https://www.youtube.com/watch?v=4PYt0SDnrBE
|
|
#
?
Jun 21, 2021 14:04
|
|
|
Space Gopher posted:I sincerely doubt that your RF-powerline-controlled AC controller box system as a whole is any more secure than, say, a Nest thermostat. The fact that commands happen to go out over a relatively exotic network doesn't mean anything if the other end of that network is connected to the internet, and controlled by some outdated OS running an open remote desktop - which is exactly what I'd expect from a power company. The only thing that network segmentation gets you there is a false sense of security. Lol
|
|
#
?
Jun 21, 2021 14:08
|
|
|
Space Gopher posted:I'm a software developer. Yeah, that pretty much explains how and why you don't get this. The rest of that post it just......well, let's say it indicates you're so far away from understanding any of this that we don't even have a common language/frame of reference for me to be able to teach you. And you are unwilling to learn. Because it doesn't fit your very conveient-to-you world view. Keep that head in the sand. It just might work out.
|
|
#
?
Jun 21, 2021 15:56
|
|
|
Sagacity posted:"This is America! I don't want your socialist energy-saving measures, I want capitalist subsidized electricity!" Right? It just blows my mind sometimes to think about how much money the US spends subsidizing oil and gas, not to mention profligate consumption of water, timber, minerals, food, etc. The IMF estimates the US provided fossil fuel companies with $650 billion in 2015 (both direct payments and tax benefits, as well as the indemnity value for all the health and environmental damages those companies inflict but are protected from in court), and that's before considering the costs of state-provided infrastructure like all the roads, powerlines, and pipelines the industry needs to remain profitable, or the legal grants and mandates that keep prices low, provide mining and transportation access, ensure Americans keep building inefficient and car-dependent suburbs, protect the companies from lawsuits, and prohibit alternative investment. When even conservative groups like Forbes and the International Monetary Fund start raising eyebrows at the extreme levels of oil and gas subsidies by the US (second only to China in total, and much higher per capita), it's a real indictment of Americans touting free market principles as they gouge taxpayers and destroy our children's futures. https://www.forbes.com/sites/jamesellsmoor/2019/06/15/united-states-spend-ten-times-more-on-fossil-fuel-subsidies-than-education/amp/ Kaal fucked around with this message at 16:10 on Jun 21, 2021 |
|
#
?
Jun 21, 2021 15:57
|
|
|
Ok, you can have $15/hr* but a dude in India is gonna watch you on CCTV your entire shift and shout at you intermittently https://twitter.com/motherboard/status/1406995352180363269 * sorry, we can't afford $15/hr, surveillance is expensive.
|
|
#
?
Jun 21, 2021 21:41
|
|
|
Laserface posted:The article about the thermostats being raised is hilarious because 'woke up sweating' due to 78F is loving pussy rear end poo poo. Why do folks always post stupid poo poo like this? You never take into account important context like humidity, construction methods, ability to open windows, clothing requirements, job/activity types, current medications or whether the temperature changes are sudden or gradual. Everyone proposing actual suggestions are proposing policy solutions that cannot be done on the individual level. The lab I used to work in would have massive, massive issues when the ambient temp got above a certain point - all of the fridges, freezers and -80 freezers would go apeshit trying to keep coo land you'd have runaway temperature increases. I measured 100+ in the basement lab area more than once. And that's before all the PPE that was required. Sometimes you do need to keep poo poo at 68 or 65 degrees. Solkanar512 fucked around with this message at 22:58 on Jun 21, 2021 |
|
#
?
Jun 21, 2021 22:55
|
|
|
Presumably a commercial lab is not going to sign up for the program where someone else controls the AC.
|
|
#
?
Jun 22, 2021 00:36
|
|
|
|
| # ? May 10, 2024 15:12 |
|
|
Yeah, they're happier with having their systems ransomwared back to them.
|
|
#
?
Jun 22, 2021 00:43
|
|