cross-posted from: https://lemmy.world/post/32265822

xkcd #3109: Dehumidifier

Title text:

It’s important for devices to have internet connectivity so the manufacturer can patch remote exploits.

Transcript:

[A store salesman, Hairy, is showing Cueball a dehumidifier, with a “SALE” label on it. Several other unidentified devices, possibly other dehumidifier models, are shown in the store as well.]

Salesman: This dehumidifier model features built-in WiFi for remote updates.
Cueball: Great! That will be really useful if they discover a new kind of water.

Source: https://xkcd.com/3109/

explainxkcd for #3109

  • jubilationtcornpone@sh.itjust.works
    ↑ 40 · 5 days ago

    I have a rule that “Nothing will be automated that cannot be manually overridden.”

    Well, actually it’s my wife’s rule but it’s a good rule nonetheless. As a result, there’s a big panel full of relays in the basement that is the “last mile” for anything climate control or security related.

    There have been a few times when it’s been handy. Like when the exhaust fan isn’t working and I don’t want to debug the ESP32 controller today so I just flip it over to “Manual”.

  • tjoa@feddit.org
    ↑ 6 · 4 days ago

    FYI I learned about VLANs that it is in no way “locked down”. I can spoof the MAC address of a known device from a specific VLAN and I’m in that VLAN. Yes, your devices can’t reach the internet/other devices by default, but it won’t stop a bad actor.

    • flux@lemmy.ml
      ↑ 4 · edited 4 days ago

      Depends on your hw. That seems a rather poor implementation… I believe my TP switch might handle that, because it rejects traffic to its management interface from MAC X from VLAN 20 because it sees the same MAC in VLAN 10… (only VLAN 20 is allowed for management)

      • tjoa@feddit.org
        ↑ 1 · 3 days ago

        That’s a very cool feature actually, but how does it stop a hacker if he has obtained a trusted MAC address from another device and connects to VLAN 20 directly while the real device is offline?

        • flux@lemmy.ml
          ↑ 1 · 3 days ago

          You configure vlans per physical port, so in a properly implemented system your attack won’t be possible. When the packet comes to the switch the vlan tag is added to it according to the configuration for the port it was received from.

          Or are you talking about mac-vlans?

          • tjoa@feddit.org
            ↑ 1 · 3 days ago

            Ok, maybe I don’t fully understand yet. Let’s say an access point has 3 SSIDs: lan, guest and iot. Each client on each SSID gets a VLAN tag accordingly. So it’s only connected to a single physical port, I think that’s what confused me. But SSIDs are interfaces just like a physical port afaik, so your analogy still stands. The security here is the WiFi password; anything that connects to LAN gets a LAN VLAN tag. But it’s not like anything that connects to any of the SSIDs can get the DHCP lease of some random device on any VLAN, cuz it got tagged before. Or am I missing something?
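
The port-based tagging discussed in this exchange, as an added example that is not part of any poster's comment: a toy Python model of a switch/AP that picks the VLAN from the ingress interface (physical port or SSID) and keeps a per-VLAN MAC table. The interface names, VLAN IDs and MAC addresses are constructed, and MAC-based VLAN assignment is deliberately not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Switch:
    pvid: dict                                # ingress interface -> VLAN ID (port or SSID)
    fdb: dict = field(default_factory=dict)   # (vlan, mac) -> interface, learned per VLAN

    def ingress(self, iface, src, dst):
        """Classify one untagged frame; return (vlan, egress interfaces)."""
        vlan = self.pvid[iface]               # tag comes from interface config, not the frame
        self.fdb[(vlan, src)] = iface         # source MAC is learned inside that VLAN only
        out = self.fdb.get((vlan, dst))
        if out is None:                       # unknown destination: flood within the VLAN
            return vlan, sorted(i for i, v in self.pvid.items()
                                if v == vlan and i != iface)
        return vlan, [] if out == iface else [out]

    def macs_in_multiple_vlans(self):
        """Detection check: a MAC learned in more than one VLAN is suspicious."""
        seen = {}
        for vlan, mac in self.fdb:
            seen.setdefault(mac, set()).add(vlan)
        return {mac: sorted(v) for mac, v in seen.items() if len(v) > 1}


# Constructed topology: two wired access ports and three SSIDs on one AP.
PVID = {"port1": 10, "port2": 30, "ssid-lan": 10, "ssid-guest": 20, "ssid-iot": 30}
NAS, PC = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed MACs


def demo():
    sw = Switch(dict(PVID))
    sw.ingress("port1", NAS, PC)              # NAS talks on the wired LAN port
    sw.ingress("ssid-lan", PC, NAS)           # PC answers from the LAN SSID
    legit = sw.ingress("port1", NAS, PC)      # forwarded inside VLAN 10
    # A client on the IoT SSID reuses the NAS's MAC: the frame is still tagged
    # VLAN 30 because of where it entered, so it never reaches VLAN 10 hosts.
    spoofed = sw.ingress("ssid-iot", NAS, PC)
    return legit, spoofed, sw.macs_in_multiple_vlans()


if __name__ == "__main__":
    print(demo())
```

A MAC reported by `macs_in_multiple_vlans()` is the kind of signal worth alerting on, since a legitimate device normally appears in one VLAN.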

    • teslasaur@lemmy.world
      ↑ 2 · edited 4 days ago

      Well. The segmentation is to avoid security holes from rogue third-party devices. If you can access my PC VLAN that only exists on my wired PC connection, then you have indeed broken into my domain. Letting the things that don’t give a shit about security have their own network is just sanity/sanitary.

    • interdimensionalmeme@lemmy.ml
      ↑ 1 · 4 days ago

      Yes, VLAN is an IT convenience feature, you don’t need it just because it is a feature of the more expensive hardware.

      Instead just establish separate L2s and operate proper L3 firewalls between them. For IoT devices, any kind of reliable potato will do just fine.

  • kameecoding@lemmy.world
    ↑ 15 · 5 days ago

    I just shopped for a humidifier, purposely avoided anything “smart”. I ended up with a really fucking simple one; it has a hydrostat and can aim to automatically reach a level you want (40-50-60), has 4 speed, 1, 2, 3, auto and sleep.

    And the whole thing is nothing else, just a wicking filter sitting in water that has a fan pointed at it. I think Technology Connections would be proud of my purchase.

    I will have to disinfect and change filters, but no need for distilled water like with ultrasonic humidifiers, and I boil my water and let it cool back to room temperature before adding it to the humidifier, hopefully that will help with staving off build up of bacteria

    • lepinkainen@lemmy.world
      ↑ 2 · 5 days ago

      I bought a Venta LW25 and couldn’t be happier. Simple and functional, good old German engineering

    • WhyJiffie@sh.itjust.works
      ↑ 11 · 5 days ago

      wpa2, but password limited to 10 characters. letters and numbers only, trying anything else crashes it, and you have to figure this out yourself

  • Kiernian@lemmy.world
    ↑ 7 · 4 days ago

    New kinds of water, you say? The marketing department is already on it and boy have I got news for you!

      • ILikeBoobies@lemmy.ca
        ↑ 3 · 4 days ago

        How about I hook you up with a brand new water softener on a 30 year lease but no payments in the first 5 years so it’ll be the next owner’s problem

        • Landless2029@lemmy.world (OP)
          ↑ 4 · 4 days ago

          Omfg it’s like solar panel companies…

          So many damn houses with solar leases more expensive than just electricity

  • Landless2029@lemmy.world (OP)
    ↑ 16 · edited 5 days ago

    I just bought my first home and as soon as I’m decently unpacked I’m going to start my journey on self hosting.

    Currently planning:

    • Small i5 HP Pro SFF PC for hosting large apps (going to config for Linux and power it off until I get more mature)
    • Raspberry Pi4: pihole and home assistant
    • Raspberry Pi4: NextCloud, Deck
    • ZigBee router thing:
    • NAS
    • Jellyfin
    • JBOD on SFF?
    • flashing old Netgear nighthawk into wwdrt
    • OS Ticket to replace NextCloud Deck for a JIRA type solution to manage projects and major house items.
    • ZigBee thermometers for better Nest accuracy
    • ZigBee motion sensors for entry ways and bathroom
    • smart plugs and motion sensors for basement TV lights

    Not sure what else to add. Open to advice or suggestions.

    • tburkhol@lemmy.world
      ↑ 13 · 5 days ago

      I’ve watched enough Lock Picking Lawyer never to want a consumer ‘smart lock.’ Half of them can be opened with a magnet. Maybe commercial grade is better, but I’ve been locked out of my job after every power failure for the last 10 years, until someone comes along with a physical key.

      Re homeassistant on a Pi: homeassistant does a lot of database transactions, so you may want to have db storage on something other than an SD card.

        • copd@lemmy.world
          ↑ 2 · 5 days ago

          I have an old 2.5 inch 500GB laptop HDD plugged into a USB/SATA adaptor into my Raspberry Pi.

          That’s been running flawlessly for 3 years and drops every concern with running HA on a Pi.

      • Postmortal_Pop@lemmy.world
        ↑ 3 · 5 days ago

        I have tentative plans to make my own smart lock by way of electric motor and commercial deadbolts with an RF scanner and a back up battery for emergency. It won’t be amazingly secure in a tech way, but I figure the combination of novelty and DIY should make it reliable.

        That said, I gotta be that guy and remind everyone that all locks are security theatre and are not going to protect your house from the persistent or prepared. Your best defense is a combination of foresight and social engineering.

      • Bytemeister@lemmy.world
        ↑ 1 · 5 days ago

        I’ve watched enough Lock Picking Lawyer never to want a consumer ‘smart lock.’

        I’m gonna differ on this. The point of a lock is to control law-abiding access to your house. If someone wants in your house, they can attack your windows, doors, or even a wall if the lock is too strong. A smart lock lets you open the door for a family member remotely, or set one-time access for your in-laws to come over and pick up a tool.

        I wouldn’t use a smart lock for something hardened, like a bunker or a vault, but for a house and garage, it’s okay not to have the most bullet proof lock in the world.

    • tux7350@lemmy.world
      ↑ 11 · 5 days ago

      I wish I had set up an identity management system sooner. Been self-hosting for years and about a year ago took the full plunge into setting up all my services behind Authentik. It’s a game changer not having to deal with all the usernames and passwords.

      In a similar vein, before Authentik, I used Vaultwarden to manage all my credentials. That was also a huge game changer with my significant other. Being able to have them set up their own account and then share credentials as an organization is super handy.

      • Landless2029@lemmy.world (OP)
        ↑ 3 · edited 5 days ago

        My SO is already using keepass locally. Used to be only a paper notebook. Data breach paranoia.

        I plan to setup vaultwarden or keepassXC

      • AtariDump@lemmy.world
        ↑ 2 · 5 days ago

        If it’s something that’s vital, my mantra is pay to have someone else professional host it.

        I’ll pay the $10/year for Bitwarden.

    • k4j8@lemmy.world
      ↑ 2 · 5 days ago

      Great list! If you already have the Raspberry Pi devices, great. If you were going to buy some, I would look at thin clients instead. Low-power, cheaper, more powerful, can use real hard drives instead of SD cards or adapters, and x86 instead of ARM. I have an HP T630 I like but I hear good things about the Dell Wyse 5070 too.

      • Landless2029@lemmy.world (OP)
        ↑ 1 · edited 5 days ago

        I have:

        • 2x pi4 4gb (bought them previously for octopi and pihole)
        • Pi zero
        • Several old laptops
        • 2x SFF HPs
        • 2x netbooks
        • An old slim workstation

        I work as a sysadmin so I’ve picked up a few things that would’ve gone to recycling.

        My concern is power draw running 24/7, so I need wattage monitors and am going to start with the Pi systems. Until I hit performance issues, then migrate to an SFF.

      • Landless2029@lemmy.world (OP)
        ↑ 3 · 5 days ago

        Yeah that’s on the list. I want them hard wired though. Gotta hire an electrician to wire up the outside of the house.

  • RedEye FlightControl@lemmy.world
    ↑ 9 ↓ 3 · 5 days ago

    My house has manual windows, manual locks, and a dumb garage door controller… because I work in IT.

    I do have a few smart appliances (environment reporting) but they are only allowed on the banishment VLAN so they don’t get to interact with any single appliance inside my network. All they see is internet and nothing else.

  • kingthrillgore@lemmy.ml
    ↑ 1 · 4 days ago

    We have water, heavy water, hydrogen infused water, nitrogen infused water, ice-9, h2o2…what will they think of next?!

  • Drunk & Root@sh.itjust.works
    ↑ 3 ↓ 1 · 5 days ago

    I love it when my vacuum makes a remote connection to another country’s government, that way I get tracked by mine and theirs. What a time we live in.

  • stupidcasey@lemmy.world
    ↑ 2 ↓ 2 · edited 5 days ago

    We do have more than one type of water: D2O, HDO, HTO, T2O, DTO, which are all different mixtures of Hydrogen, Deuterium and Tritium, or in other words the hydrogen has more neutrons. There is also a different ionization for each of those, plus there are different phases of ice which are made from different pressure, that is ice I-VII, and it’s not impossible for more types we don’t know about. Then there is isotopic water that have different mass and reaction rates, and it’s not impossible for other types that we just don’t know about or even to create other types.

    Tldr: atoms and molecules are more varied and complex than you’d think.