Partially responsible for this. (Sold Lockitron to Chamberlain in 2017 which became the basis for Amazon Key integrations.)
Contrary to the popular sentiment in a lot of the comments here, there’s not much value in the analytics. As we all painfully found out in the 2010’s, there are only two viable recurring revenue streams in the IoT space - charging for video storage and charging for commercial access. Chamberlain does both with the MyQ cameras and with the garage access program to partners like Amazon and Walmart. Both retailers have a fraud problem (discussed here https://news.ycombinator.com/item?id=38176891). “In garage delivery” promises dropping delivery fraud to zero - ie users falsely claiming package theft. That solution is worth millions to retailers, naturally Chamberlain would like a cut but only if they can successfully defend that chokepoint.
For historical reasons having to do with the security of three or four generations of wireless protocols used in garage doors they can’t (and products like ratgdo and OpenSesame exploit this.) Other industries such as automotive have a more secure chain of control over their encryption keys so one has to (for instance) go to the dealer to buy a replacement key fob for your Tesla for $300 and not eBay for $5.
Given the turnover in leadership there I’m not surprised the new guy needs to put their hand on the plate to see it’s hot, but there’s a reason this wasn’t implemented before and it wasn’t because of lack of discussion. I can see the temptation in going for monetization given their market share but I think this approach was ill conceived rather than fix foundational issues which would allow home users to integrate with 3rd party services and still charge industry partners for reducing incidences of fraud.
Amazon expects me to weaken my physical security posture to help them defend against an activity I don't engage in and is in no way my responsibility?
AND
Chamberlain expects me to weaken my digital security posture so they can run some opaque crap on my network¹ that I have very little observability into and even less control over so they can make money?
Money is one hell of a drug because they are high.
How about amazon builds (at their expense) an amazon controlled box, slap a mcu on, do authentication over nfc, rfid, etc etc. Offer it to customers free of charge, hell throw in a sweetener to get them to adopt.
[1] I have a default deny in AND out isolated vlan for crap like this, even if you don't have a network background try to set one up if your networking equipment is capable.
I find it odd that the standard policy is to leave packages unattended in any form in the first place. This is another one of those things that is not standard globally.
E.g., for us in South Africa, this would be unthinkable, regardless of how much time it saves the delivery company. The only time a parcel is left at the door is when it's UberEats. Otherwise delivery is rescheduled if we don't physically collect parcels in person. This is partly an access issue (many houses/apartments/estates have gated access) and largely a trust/crime issue.
But the US still seems to have some remnants of a high trust society, which has been only a temporary thing in many places, if at all.
Not having such a society adds friction in all kinds of interactions. In the end, that means cost. I can understand why people and companies try to shift that cost when it comes up in areas where it wasn't present beforehand.
In the US if a package is not left at the door you either have to wait an unknowable amount of time for another attempt, or you'd have to go to a facility to pick it up.
It's difficult to figure out exactly where the facilities are and you're not guaranteed the package won't still be on the original truck or on a new one. The facilities may only be open during the day, while you're at work.
Additionally, it's common that no delivery attempt is made at all -- the delivery driver will walk up to the door with a "we missed you we'll try again someday" slip already filled out and won't even knock.
The main reason we are cool with deliveries being left on the porch isn't that we trust our neighbors, it's that the alternative is so much worse.
Even if you don't fully trust them, it's still just a better way to live - if you have the luxury. I left money - change from a grocery run on my coffee table, and then had some friends over. It's not the remnants of a high trust society that let me not worry about that money being out, but financial privilege. That the < $100 wasn't worth my time to worry about. If one of my visitors took some/any/all of it, I wouldn't have gone hungry. I might not even have noticed. Just thought, huh, that's weird, and gone about my day. Others I know don't have that luxury, and would go hungry if it was their money that had gone missing. They're much less trusting, because they have to be.
If the latest shipment of crap from Amazon/Temu went missing. Annoying, but you'd just tell them the package got stolen and get a replacement sent out.
I live in US suburb and I also trust my neighbors. It's unlikely that my actual neighbors are stealing packages.
The problem is that there are people who drive through residential areas looking for packages to steal, cars to break into, etc. and that occurs quite frequently, as caught on our security camera.
It doesn't take many motorized perpetrators to lower the overall confidence in how secure it is to leave packages outside, given how much range the porch pirates can cover in a single afternoon.
I trust my neighbors and I have a slew of high res cameras monitoring the area. When there is theft my neighbors come to my house (located at the main entrance to the area), and I get them the relevant footage if I can find it. It’s only happened a few times but I think it helps build community trust.
I didn't say high trust is gone (although it certainly is in some areas), I said the reason we are cool with packages being left on our porches is the alternative is inconvenient.
Inconvenient and for much of the country, unnecessary. Even when living in the same county as Detroit (but not in the city limits), porch pirates weren't an issue.
> In the US if a package is not left at the door you either have to wait an unknowable amount of time for another attempt
It's not unknowable; FedEx and UPS at least will reattempt delivery every day for a certain number of days before giving up. At least that's the case in urban and suburban environments. Maybe you live somewhere rural where their policy is less clear?
> It's difficult to figure out exactly where the facilities are
No it's not. The tag they leave behind will often tell you, or you can enter the tracking number online and it'll tell you there. And usually it's the same place every time, so once you figure it out, you're good for future packages.
> and you're not guaranteed the package won't still be on the original truck or on a new one
This is the annoying thing. It's never clear when the package will actually get back to the facility (after they failed to deliver it to you), so you don't actually know if it'll be there when you show up. Many many years ago it was a simple matter of giving them a call, but nowadays you end up in customer support / phone menu hell, and it's incredibly difficult to talk to someone who is actually physically present at the facility.
> The main reason we are cool with deliveries being left on the porch isn't that we trust our neighbors, it's that the alternative is so much worse.
I'm absolutely not cool with this. I trust my neighbors just fine, but I don't trust all the random people who might be walking around, specifically looking for packages to steal.
I'd much rather have to drive over to a facility to pick up the package, or just wait until the next day for another delivery attempt, but most delivery drivers don't give me that choice.
If the package does get stolen (incredibly likely, if it's left outside), I'll usually have to wait several days for the merchant to ship a new one (because they figure it's possible it wasn't stolen, and want me to wait and see if it still gets delivered in a day or two). And then I have to wait for another shipping-time cycle.
> FedEx and UPS at least will reattempt delivery every day for a certain number of days before giving up
They claim this, but my experience is that it's not true. VERY VERY often, it will be multiple days or up to a week before they attempt again. Sometimes they never attempt again, and a week or more later I get the notification that it's available to pick up at their depot. It's certainly not consistent enough to rely on.
Here in Sweden, you can agree to let the delivery company just leave the package by the front door, but it's only common for low value things. Most things are delivered to your nearest post office counter (usually in your closest supermarket) and recently, to a locked postbox nearby which you unlock online with their app.
Here in Berlin Germany, packages are given to whichever neighbor in your apartment building happens to reply to the buzzer fastest, typically the ground floor ones. (Elevators are also uncommon.)
I'm friends with all my neighbors but I find this practice completely bizarre.
Here in Buxtehofen, Bavaria, packages are left dangling from trees with a sign saying "I've hung up your Rolex, so it won't be dragged off by boars while you're on vacation".
And when you're back from hiking the Alps your neighbor will have built a shed around it to protect it from the rain and moved in 10 of his pigs to keep it warm.
Unless of course your delivery guy tied your package to a special tree called Maibaum by mistake. Then you'll find a sign telling you that it has been redirected to one of the 5 villages called Kirchberg in your area.
In Belgium the mail carrier is supposed to ring your doorbell and wait x time for you to open it and deliver the package to you.
But instead they just put a piece of paper in your mailbox that says 'you weren't home, we'll come back tomorrow'. Next day same thing. Only then can you go and pick it up at the post office.
Oh and there are many stories of people seeing the mail carrier defaulting to the piece of paper and not even knocking because of time pressure.
If the item fits in your mailbox (letter size), they do that.
If not, they knock, and leave a "we missed you" note if the package is insured. Or leave it on the doorstep if not.
If you get the note, you have to go to the post office in two days, during normal office hours (9-5ish), or Saturday morning (9-12). If you don't make it in a few days, they return to sender.
But this is only for USPS. If the package is FedEx/UPS/courier, it's the wild west. Sometimes they leave it. Sometimes they leave a note. Frequently they claim they attempted delivery but didn't. And if they miss you a few times, you have to pick it up at the distribution warehouse which could be a 30 min drive away. This is the worst - even for items you know need a signature, there's no guarantee they'll deliver - we ran into this a few months ago with some jewelry - delivery was scheduled Monday 12-5pm, we waited in the living room (right by the door) and nobody came. Their system showed a failed attempt (courier lied). Repeated Tues. Called courier warehouse, they asked if we had doorbell video proving the delivery attempt was never made (WTactualFuck). Repeat on Wed. Item was returned to sender. We called sender, asked them to use USPS because private shipping can be a disaster. USPS is often a day slower, but it's fairly reliable.
Some areas have problems with package theft. Fortunately mine isn't one of them, so I'm ok with packages being left.
This is how it works with the French Post, with the exception that they never come back. Other providers do their own thing, and are more or less scrupulous. Some won't even bother to come over, they'll just say nobody was home and won't even leave a slip.
Anecdotally, in France, the parcels "delivered by Amazon" have hands down the best service. They're the only ones who've ever actually delivered the parcel to my door (I live in an apartment). If they can't leave the parcel in the mailbox, they'll call me up and ask what to do, usually offering to come back some other day if I'm not at home.
My case, they're often either not delivered at all (returned to sender or kept at a random Filiale) or if they are delivered it's to a different building that DHL guessed might have been mine.
This is one of several reasons I no longer buy anything from Amazon. Not even if it's the cheapest source. Even if it gets to a Filiale, those are further than most of the shops that would sell similar items.
Amazon doesn't usually ship with DHL in France. But there's another comically bad company, not sure how they're still in business.
It's rare that Amazon sends something via them, but whenever they do, I expect to not get the package. And when I don't, I just call up Amazon support and complain about them and make it a point to mention I often have issues with that specific company. They usually offer to cancel the shipment and reship overnight. Don't know if they can actually control it or if it's coincidence, but all reshipments have been via Amazon.
> But the US still seems to have some remnants of a high trust society
It varies greatly depending on where you live. My sister lives in suburban Maryland, and leaving a package outside on a porch is just no big deal. The probability that it gets stolen is actually ridiculously low. In this case the high trust is completely warranted.
I live in San Francisco, and if a delivery person ever leaves a package outside, it's always a scramble to either get there to take it in, or find a neighbor who can do it for you. (I live in a 4-unit condo building, so we all try to look out for each other's packages when this happens.) It's just bizarre to me that delivery people aren't specifically instructed to never leave packages outside here. I suspect they may be, but they're overworked and don't want to have to add yet another package to their delivery schedule for the next day. And/or they may be evaluated on number of completed deliveries, no idea.
(On the flip side, there are some neighborhoods in SF where it's ok for a package to sit on a doorstep for a while. Not many, but... they exist.)
First sentence was really surprising to me (Aussie), until you mentioned later that you're a Saffa. My in-laws took years to adjust after emigrating.
To put things in perspective, it's common over here for people selling things on Facebook/Gumtree to just leave the item outside and have the buyer slide the cash under the doormat. It's less secure but way more convenient, since you don't need to be home to complete the transaction.
I've left tools and other semi-valuables in my unsecured carport, in clear sight from the street, on a main road, for years now and they've never gone missing.
My sister in law lost her iPhone in a public bathroom and got it back simply by calling it and working out a time and location to meet up with the person who found it.
These aren't just freak anecdotes, by the way, they're the norm.
You should really consider coming over here. We need more Saffas in Australia!
Local post office evolved in Ireland recently and started offering parcel boxes to be installed next to the door. There are 2 keys and one of them allows the post office worker to open the box and put the parcel in.
This obvs does not work for other delivery companies but now you can see an option in the order forms to allow the delivery company to leave the package at the door (e.g. IKEA). Otherwise, it is just unthinkable that someone would leave the package at the door without ringing you and agreeing in advance.
The main function is to obscure whether a package has been left or not, since the master keys were available online before An Post started selling the boxes. Some DPD drivers use them too.
Physically, they're about as secure as an Amazon cardboard box.
A small level of friction can reduce a lot of issues though. Without being able to tell that a package has been delivered they have to break into or open random boxes and hope there's a package inside increasing the chances they're caught and wasting their time. It's the same kind of thing proof of work anti spam measures can work under, it adds a tiny friction to legitimate users but illegitimate users have to do tons of work to send their spam or in this case open a lot of boxes.
> I find it odd that the standard policy is to leave packages unattended in any form in the first place. This is another one of those things that is not standard globally.
Not sure what effect this has but I live in an area with a lot of Ring (or other) front door cameras which is a rather severe disincentive to theft of packages left at the door (as well as mishandling of package delivery by the driver)
It's a huge pain though. You have to be home all day waiting for a package or the delivery drivers have to work evenings/nights only or you have to go somewhere to pick it up. Drop off is much better if there are no obstacles like access or theft.
> How about amazon builds (at their expense) an amazon controlled box, slap a mcu on, do authentication over nfc, rfid, etc etc. Offer it to customers free of charge, hell throw in a sweetener to get them to adopt.
I mean, they already do exactly this — this is what Amazon Lockers are. It's just only seemingly worth it to Amazon to deploy them to commercial customers, e.g. at post offices, in front of Whole Foods locations, in some very large apartment building complexes, etc.
(My own guess as to why the economics don't work out for individual residences, is that a hypothetical smaller locker — one small enough to fit on a porch — would also inherently be lightweight enough for thieves to just cart away wholesale.)
And yet somehow here in Poland we have like 5+ companies (InPost, Allegro, several delivery services and even Orlen - the gas station operator - of all things!) one-upping each other in placing parcel lockers on every flat piece of land that's too small for developers to build an apartment block on. I have 10+ of such lockers within 5 minutes walk of my apartment. Now how is that possible?
You're talking about the commercial parcel lockers — the ones that fit a whole neighbourhood's deliveries, that are therefore essentially big sturdy metal storage racks underneath — too big and heavy to just pick up and walk away with.
Every country has these to some degree; I imagine they're most popular in places that 1. have colder climates, but 2. where people don't tend to drive (like Poland?) The US has some, but the suburban long-distance-commute car culture + generally not-too-bad climate, means that people in the US generally expect to pick up packages from further away, and so implementation of these in the US has lagged behind other countries.
However, my comment, and the one it was replying to, are talking about something else — a hypothetical concept of small lockers that serve single homes, given to the homeowner, to be located near the home's mailbox/mailslot. (Basically, logistics-provider-provided versions of these things that you can technically buy online — but where I've never seen anyone with one: https://www.amazon.ca/WeHere-Package-Delivery-Anti-Theft-Pas...).
And the thing about these is... they really aren't a good idea. They're not too big and heavy to just steal. Anyone who can walk up to your porch with a moving dolly can walk away with it.
Fair enough. I got confused because you mentioned Amazon Lockers, which to my understanding, are the proper brand name of the kind of parcel lockers I mentioned, as deployed by Amazon.
I agree that per-household lockers are... tricky at best. But then, if we're talking homes, and thus presumably lawns in front of them, I wonder what are the difficulties of selling a multi-slot locker that would be bolted down to the ground (or perhaps a bunch of concrete filling a hole in the ground), and thus as easy to steal as a thick fence post or an ATM? Is this too expensive for homeowners?
As others have pointed out in this thread, the "porch pirate" problem is just kind of not a problem for most people/places. I've never heard of anyone I know having a package stolen off their porch. This is even living in relatively high-density (for the US) apartment complexes. Leaving stuff on the porch is basically good enough, so nobody is in a hurry to "fix" anything about it, except maybe Amazon themselves because even something that happens 0.1% of the time is a big enough problem when you operate at their scale.
I suspect that some of the same reasons that lockers aren't economically feasible in most of the US are the same reasons that the theft isn't a problem: low density. If you're a porch pirate, you need to expect that the value of your stolen goods covers at least your gas and time driving around stealing stuff, plus some risk premium for doing the crime. If the average value of a package is below this amount, the crime doesn't pay. There will still be instances where people haven't done this math, or crimes of opportunity, or just dense stretches where it does make sense depending on the price of gas, but it isn't a nationwide problem.
I get hundreds of packages per year (not an exaggeration) and as far as I know, exactly zero have ever been stolen. Missing packages are invariably delivered to someplace else that must have had a better vibe for the driver that day. (I’ll get pics of proof of delivery with a package that is clearly not at my house.)
In that environment, what problem do I have that could be solved by this, and how much effort (and aesthetics) am I willing to spend to solve it?
Now, if my house shared a wall with two other houses and people walked by my front door all the time, maybe I’d have a theft problem due to greater opportunities for it to happen.
Places with lawns probably don’t have nearly as much package theft just due to less foot traffic.
I'm in the US. Our neighborhood has a multi-slot locker like you describe. It has a small box per house and two larger boxes. The whole thing gets broken into every couple years, after which the post office will not deliver anything until they fix it weeks later (and they're the only ones allowed to try).
When this happens you have to go to a post office to get your mail.
Some older houses have passthroughs built into the walls for deliveries of milk or coal or ice. I’m surprised this feature hasn’t been resurrected for package deliveries.
Dude you just replied to a comment about Amazon Lockers, one of many locker services that do exactly what you described in the US. If you combine all the companies (I dunno why you would), there's a lot more than 10 per 5 minute walk in a city
They're ubiquitous, but few prefer them over the convenience of delivery to the doorstep. Buyers are never responsible for missing packages so there's little incentive to use lockers unless you're buying a secret gift or live in a very sketchy neighborhood or your home is so far from the warehouses that same-day delivery is only available at the locker
I was going to counter it, but I guess same-day delivery is what makes this different from my experience. As a buyer, I'm incentivized to not miss packages, because I've already waited between 2 to 7 days for it, and I don't fancy doubling that time over a delivery dispute. But if my packages were all same-day delivered, I suppose I would give less of a damn.
Well not all of them, but I'd say half my packages are delivered same-day in the bay area and most of the rest are 1 day. It depends on your shopping habits and what products are popular in your area. "essentials" like cables, snacks, batteries, hot sauce, etc are always same-day while large items like microscopes can take 2 days
Regarding missed packages, are you talking about stolen packages? I've had a few cases where delivery was one day late and one time I got the wrong order (but got to keep the free groceries along with a full refund for my actual order) but I've never had a package just disappear altogether. Even Aliexpress orders that take 2-4 weeks from China eventually show up.
By missing here I meant missing the delivery, and having the package returned to sender, and/or stashed at the logistics center somewhere in the ass-end of a gravel road far out of town.
I've had a single-digit number of packages never delivered, most of them years ago, from Aliexpress (which, at least back then, had a very buyer-favoring dispute process, so I would get my money back with three clicks or so).
If a parcel I ordered to my house gets sent to a pickup point, there’s an extremely good chance that the sender will be taking that parcel back and I’ll do without or order another one.
Only if I really needed that specific thing pretty badly today would I spend a few bucks and 20 minutes to drive over to come get it.
I ordered some physical thing, not that thing and a quest.
Wait you have to be home for every delivery? How would someone with an on-site day job receive packages?
In the US all carriers drop packages at door (or in the building's locker if you live in an apartment complex). Some packages need to be signed (alcohol, nicotine, gun ammo, etc) but the vast majority of deliveries involve zero human interaction
> Wait you have to be home for every delivery? How would someone with an on-site day job receive packages?
Sort of. Note that I'm a city dweller, living in a flat in an apartment block.
This is a real problem; classical solutions involve having another household member receive the parcel, asking the delivery person to deliver to a neighbor who you know is OK with it (since I started working remotely, I frequently am that neighbor), having them drop the package in front of your door (undesirable, but works in case where there's an extra door between your flat and the staircase), or putting your place of work as delivery address (if your company is happy about it; some are not). Dedicated "package send/receive" stores became a thing, then started disappearing as grocery store chains became package drop points. And then came the parcel lockers.
I imagine this problem was the primary driver of mass, enthusiastic adoption of parcel lockers - for the last decade, I've had at least one within 5 minutes of home, and this let me pick the parcel up at my leisure.
These days, most packages we order go through lockers; the ones that don't are usually medical or plain heavy (10-20kg worth of cat litter, soft drinks, etc.). This works because I work remotely, and my wife is yet to return to work after post-partum period.
> They're ubiquitous, but few prefer them over the convenience of delivery to the doorstep. Buyers are never responsible for missing packages so there's little incentive to use lockers unless you're buying a secret gift or live in a very sketchy neighborhood or your home is so far from the warehouses that same-day delivery is only available at the locker
Then why so much effort is needed to stop package theft to the point of giving access to your house to strangers? Apparently getting package on your doorstep is not as convenient as you would like others to believe. Using such lockers is convenient and secure, giving package to recipient hands is secure but not convenient, leaving package at doorstep* is neither.
*or any other place convenient for whomever is delivering it
I gave several reasons why someone would want garage delivery. Services like Walmart InHome are fairly common in the US. Consumers are willing to pay extra for the service and retailers like not having to refund stolen packages in sketchy neighborhoods
They'd be pretty easy to secure on a wood porch and only require minor power tools on a concrete porch to bolt down. Even if you only chained or cabled it to the railing that'd do a lot. Don't forget thieves won't know until they move the thing if there's even a package to steal.
Are you upset with Amazon for hypothetically refusing to deliver to your home unless you give them a virtual key fob to your garage?
Let’s just take a step back here and recognise that we’re asking online retailers to leave our deliveries outside our homes, with direct access to members of the public, but we’re also asking for them to assume responsibility if the packages are stolen.
Morally, in isolation, it’s not a very defensible position for the consumer to take. I personally don’t feel so bad about it when it’s Amazon — they can afford it, basically — but in general it’s not realistic for porch pirates to be anyone else’s problem except the consumer’s.
I think the point is that there's little reason to trust that you would not simply be robbed either by them leaving the garage open, or robbing it themselves.
If Amazon want to leave packages securely, then I am more than happy for them to partner with mail carriers and other delivery services and come up with a common standard for an externally secure lockbox system*. But they're not getting an open door into my house.
The problem in the delivery space is everyone does whatever - there's no standard or common code for communicating secure delivery logic for a premises. You can come up with whatever and it just won't be used. But "give me access to inside your private property" is one of the more insane solutions given that a garage is not an unvaluable area, nor necessarily a non-hazardous one.
If I order something for delivery, it is the retailer's responsibility to deliver it to me. If they leave it where it is stolen before it's in my possession then that is not my problem.
Were it any other way I would not order anything online!
Something like 50% of the time I try to redirect a FedEx package to Walgreens (local drugstore) the retailer has that feature disabled. I'm sure they have a great reason for it but it seems that putting the package unsigned on my doorstep is specifically the service that they are choosing and I do not have a choice nor do I get to find out about it until after the order has shipped.
> Amazon expects me to weaken my physical security posture to help them defend against an activity I don't engage in and is in no way my responsibility?
Most people get quite irked when someone steals their Amazon package between the time it was left at their door and the time they actually try to get the package. Hence for most people who occasionally receive Amazon packages when no one is home to quickly take it inside a way to let Amazon put the package in their locked garage is a benefit.
> How about amazon builds (at their expense) an amazon controlled box, slap a mcu on, do authentication over nfc, rfid, etc etc. Offer it to customers free of charge, hell throw in a sweetener to get them to adopt.
Like Amazon Lockers? That's not as convenient as delivery to your home. Or do you mean they should provide lockers to individual homes?
I'm not sure that would work. If the home locker was not very heavy or very securely attached to something immovable package thieves would just steal the lockers.
> I'm not sure that would work. If the home locker was not very heavy or very securely attached to something immovable package thieves would just steal the lockers.
How expensive pouring some concrete into a small hole in the ground would be? Or would this become real estate then, or otherwise require a construction permit?
Don't be lazy - if renters offered a few grand to their landlord then they could; plus the cost of construction materials, inspection and labor.
The problem is that it's prohibitively expensive compared to just eating the cost of any thefts, keeping an eye on pickup times so you (or a family member) can take the package inside ASAP, and using pick-up for any truly expensive ($1k+) items when possible.
It's a feature that benefits Amazon more than the customer, but that's OK. Problem is, it comes with significant undisclosed extra costs, that GP listed. Were Amazon and Chamberlain to honestly disclose these costs, I doubt anyone would be willing to adopt this "feature" - which should be quite telling.
Labelling the garage delivery as only to Amazon's benefit is a bit disingenuous. Package theft is a pretty bad issue in many places so having deliveries dropped behind a locked door is also a benefit to the user.
As for your security concern it's not unfounded but if your garage is built like most in the US there's probably already a locking exterior grade door between it and the outside because a garage door isn't that great as a security barrier to begin with unless you remove the pull cord that unlocks the door from the carrier.
I also find a bit of irony given how much fraud there is on Amazon's own website. There's got to be far cheaper solutions that result in far higher revenues. Of course Chamberlain doesn't have access to this revenue stream, but I'm sure there are other things that they can do like charging for an API key or better yet, charging Amazon for an enterprise token (which users can disable!). Since it seems they're willing to take on the security risks... because the current solution clearly doesn't actually resolve the issue. I can't imagine anyone that understands how to use HA wouldn't understand how to use ratgdo so I'm not sure they're realistically changing revenue outcomes.
About Amazon, how fucking hard is it to use a fucking Naive Bayes classifier to just check if product title or description changes significantly? Hell, do it with Babbage or some other (not L)LM that's cheap as fuck. We already have clear leaks showing that they fuck over sellers with their price lockins, are you really hurting them more by dropping all those product reviews? You can also do way better by using an image classifier. I have a hard time believing a company that's bragging about how many robots it uses in its warehouses and replaces shitty support with even shittier LLMs is not going to actually result in higher profits by doing this. A few returns probably covers the cost because shipping is expensive (something they already don't get right. Haven't had 2 day prime delivered in 2 days since 2018...)
Also, anyone else find it weird that stores on Amazon don't list all their products? Like you can click on the store page from the product and then that product is nowhere to be found. Want to reduce scams? Force the listing of their entire product directory. I already can't rely on reviews, you just are making it harder to trust you.
I really do wish there was a halfway decent alternative to Amazon. Even Target and Walmart's online stores are more attractive, just limited. But this seems to be a generally sucky space and I don't understand why. Don't even get me started on NewEgg...
> Money is one hell of a drug because they are high.
They're so high they're even turning down higher profits. But I guess the issue is caring FAR more about short term profits (quarterly statements) than long term (hell, even a fucking year). I really don't get this metric hacking bullshit bureaucracy we've built (and it's not just isolated to the US or the West).
> But [online retail] seems to be a generally sucky space and I don't understand why.
Because the margins are incredibly low (thanks, Walmart and Amazon?), which means you need capital-heavy hyperefficient warehousing/distribution to even compete, which means you need scale, which means there's little competition to make things better.
Oh I 100% agree. Natural monopolies are real things, and things I wish we would discuss a bit more seriously. Especially with their growing prevalence in the modern age. We still seem to be caught up in this dream that small startups can displace giants in every market. But you can't in things like online marketplaces, social media, ISPs, insurance (of any form), cell phones, streaming services, etc. Because when the product is the network, natural monopolies are going to rise and you can't really go around monopoly busting without just destroying the product itself. We've used monopolies in the past (e.g. AT&T gave us Bell Labs due to this deal), but we don't seem to take this seriously anymore and idk if we just don't have the energy or attention span to get even a little bit nuanced (which to be fair, we're often arguing before we can even introduce nuance despite that being needed to not fight). I mean to me it even seems like politics get shittier with scale due to natural monopolies (I don't want to hear how Europe has "multiple parties" they still only have 2 coalitions which is what US parties are actually closer to).
I'd love to see logistics shorn off from point of sale.
I think there'd be a lot of room for innovation if you turned Amazon/Walmart/Home Depot's logistics into their own companies, then allowed people to put whatever between that and the customer that they wanted to.
Which is essentially what Amazon does now... the only difference is they get to control that link and the revenue flow from it.
Segregating market functions forevermore would go a long way towards returning competition to marketplaces, imho. (E.g. logistics|retail, advertising|everything, etc.)
Lockitron! I remember chatting with your engineer about the WiFi radio we used in Twine. Good insight.
Ah, chokepoint capitalism. The problem with every company becoming a tech company is that they all expect unsustainable tech company growth. The strip mining of customers is also scaling up, so efficient that industries will destroy themselves. Can't wait until private equity owns the radios in my home, and controls not just the output but inputs.
Twine! You guys single handedly snowballed the Kickstarter revolution! Huge inspiration for us and Pebble in 2012 directly.
Your campaign felt like a “butterfly flapping its wings causing a hurricane” kind of moment. You inspired so many entrepreneurs of that time to take a risk and crowd fund which then inspired another generation. Some of whom ended up huge and going public like Peloton.
Regarding choke points - I don’t think they’re all bad. Sometimes certainly, but others it’s a defensible moat that forces an industry to specialize into various key players that serve integral roles. I’m thinking specifically of semiconductors with companies like Western Digital locking up storage, Qualcomm with radios, ARM with compute, Samsung/Hynix with memory, etc. This creates a stable enough ecosystem to build various software abstractions on top.
The stability is nice, agreed, but it's inevitable that monopoly/monopsony gets abused. Samsung/Hynix were part of a price fixing cabal, Qualcomm's IP has been a boot on the neck of innovation, Western Digital has suffered multiple disasters that caused global storage shortages, and ARM is currently flipping the table with its licensing changes. We can have stability with open standards, too.
That's cool to hear—I didn't consider we had that influence, though should've realized it after chatting with y'all, Ring/Doorbot, Particle/Spark, Pebble, etc.
Guess it took two generations to shake out the hardware startup mistakes. We were early and naïve, but we did ship, and the Twine servers remain up. You learned to focus the use case, and I still haven't. Go figure, I think there's still a space for a general-purpose physical computer, so we're doing it again: https://supermechanical.com/pickup
Funny that Kickstarter's history since is a hindrance, and we might go the Selfstarter route to produce the experience we want next time.
So you're saying that retailers will pay Chamberlain to act as more or less a clearinghouse for package deliveries in my garage, and that in order to successfully operate this model Chamberlain needs to funnel all users through their proprietary channels in order to fully vet the delivery transaction? Or at least to prevent HA users from nibbling at Chamberlain's lunch with DIY equivalents? Do you think that they will pull back from this move given the pushback?
For retailers I want someone to verify that they are legitimate. I don't want random people in my garage. If someone enters my garage when I'm not home they better really be agents for WalMart/Amazon/target/UPS (as opposed to WolMort/Amozan/targit/USP...), and whatever company does that does background checks on drivers. Probably they also need to have other cameras in their vehicles so that drivers trying to steal whatever valuables I have are not stolen. (as already pointed out, most people have an unlocked door from the garage to the house)
But that can be achieved by giving the retailer a one-off access code/secret which will be handed to the delivery driver by the retailer's company?
At no point does "preventing random people in your garage" require a greedy middleman in the path between you and whoever you want to give your garage door access code.
Many people already have a keypad mounted outside that will open the garage door. You can set up a guest code there and give to Amazon, or anyone you want. There is zero need for internet-enabled smartness in the garage door opener here.
I gave amazon my code for a Christmas present that absolutely could not have been stolen from my porch (as many other recently had). As a working man, I couldn't sit at home to wait for it. I was a little nervous, but I have cameras at least. I then removed all reference to this code from my account. Then, one driver entered while I was going about my day in there and saw me waiting with a hockey stick, as I was wondering who was breaking and entering, and Amazon wrongfully told him what my code was to get in and that it was OK to go in without my permission. I quickly understood what was happening and I think he did too, so I dropped the stick and he dropped the package. No harm, no foul.
Of course, I changed my code after that, but drivers still tried to get in with my code. I opened countless tickets with Amazon to get this reference to my code removed from their system. They gaslit me many times saying it was removed. They were incredibly rude to me when I told them they were lying to me, and now I sometimes get delivery drivers getting pissed off at me (for some reason) that the code doesn't work after they ring my doorbell.
What I want people to get from this story is, don't give Amazon your code. Get a separate delivery box instead or even a storm door works to hide most packages.
> and now I sometimes get delivery drivers getting pissed off at me (for some reason) that the code doesn't work after they ring my doorbell
Since Amazon clearly has no idea what they are doing, I would put up a note next to the keypad saying “Amazon drivers: just drop the package, there is no code”
I've got this large delivery box on my porch. Right next to the door. You see it when coming up the steps. About 1/3 of the time packages are left on the porch next to the box that has inch-high letters spelling "Deliveries". The page on Amazon for "delivery instructions" changes frequently, but there's no way to put on there anything about "delivery box". At least they now come to the correct door of the house - there's a place for that.
Amazon's problem is that they outsource the delivery and there is such a terrible turn-over problem with delivery drivers (and delivery contracting companies) that nothing works at their scale.
Circa 2010-2014ish, I had the same Amazon delivery driver for several years, and it was awesome! It was just this one guy who delivered all the Amazon packages to my neighborhood. Same guy in the same truck every time, and he got to know my family and we would chat and he would help me with gardening and give me advice on how to prune my trees.
Someone else said they put a sign requesting not to ring the doorbell. No, that doesn't work. My solution was to adhere a plastic cover to my doorbell so people can no longer press the button. Problem solved - mostly.. doesn't stop people from squeezing the plastic cover lol.
As if amazon drivers read the notes. I once left a giant note saying in capital letters "DO NOT RING DOORBELL, SLEEPING BABY AT HOME" and of course the absolute knobhead from Amazon had to ring the doorbell. Literally never shouted at anyone in my life before this.
A few times I've left a very big note that says "PLEASE KNOCK LOUDLY" while sitting in my livingroom facing the door just to never see the UPS or FedEx delivery person approach but get a text message about "no one responding" so they reschedule the pickup (and I can't pick it up at the hub a few miles down the road because it's closed...). One time I chased a driver who literally just threw a note on my door (no sign like other time) and very clearly did not knock. I mean I watched them... They just walked up, box in hand, put the note on the door, and walked away. Rushing. USPS also often won't deliver small packages that fit in my mailbox because "a car was in the way" (definitely not true) despite delivering larger packages to my apartment's office the same day/time...
I'm not sure what hell these jobs are that turns drivers into such shitty people, but I feel pretty confident that it is the system turning them into shitty delivery drivers rather than exclusively shitty people applying for delivery jobs.
Probably they are getting squeezed to deliver an impossible number of packages during their shift. Hence the stories about drivers peeing in bottles and such.
It seems to be a local branch culture thing. You see it with USPS offices too.
Some are amazing, mail is delivered perfectly, etc.
Others cannot for the life of them match number to address, and it doesn't seem to matter who is delivering as the attitude spreads across the office.
I think a huge part of this is missing actionable feedback messages.
If USPS/UPS/FedEx had better channels for "my mail was screwed up" reporting, to a granularity necessary to isolate bad branches, I think things would clean themselves up.
As-is, customers learn to live with it and the mothership is unaware the branch is screwing up.
I've watched the Fedex truck pull up to my house and the guy walk up to the door and slap a sticker on it for missed delivery. Didn't even bother to bring the box, knock, or ring the bell despite my car being in the driveway.
You see, a note may not prevent amazon drivers from doing what they do, but they lose their moral ground. Now they can be shouted at if they rang a doorbell or tried to use a code for a garage door.
No more anything like this "I sometimes get delivery drivers getting pissed off at me (for some reason) that the code doesn't work". You can cut into any of their speech with "English, m****r, do you read it?".
If you've ever added "delivery notes" to an order, they're automatically shared with every subsequent order. Clear out the delivery notes on your next order.
> On a side note, Amazon's interface is so much worse than Allegro
No kidding. Allegro isn't perfect, and seems to get worse every iteration, but they're miles ahead. Amazon - they're down there with eBay, worse than AliExpress. I literally only order Kindle books from Amazon, and that's only because I mastered the "google a book, switch to Kindle edition, click the 'buy with one click' button" flow, which they managed to not break just yet.
I expect it's probably cached in some downstream sub-contractor's system.
Ergo, both things can be true: Amazon cleared it on their side (customer support sees it cleared) and the delivery drivers still see it (using the subcontractor's system).
Probably because nobody at the sub-contractor's (outsourced) IT/system saw fit to implement a "As a customer, I want to change my note after initially setting it" user story.
Could you have instead changed your code? It's generally best to assume that it's not possible to delete secrets once they are shared (after all, in worst case, the driver could have just remembered the code from the previous visit)
You’ve glossed over the most complicated part of this: “give it to Amazon”. There are so many things involved in that portion of the process that an internet enabled garage door solves, most importantly: not having a single code that can be used by anybody at any point in time until I manually go back and remove it.
You still need an API for getting new codes. If you're willing to switch apps and manually generate a new code every time you order something online, you likely don't order often enough to be relevant to any e-commerce company
The problem should be inverted - use the package tracking number as code. This way, every code is unique, hard to guess, and the delivery person has it literally printed on the box. Being able to update the lock with expected tracking numbers is something that could be done simply and via local network.
This is fairly complicated to do locally and securely. If any e-commerce website/app could add tracking numbers as PINs to your smart lock via the local network, that would be a security nightmare. You'd also have to provision domains for every smart lock so that every lock can get Let's Encrypt certs and accept requests from web browsers without configuration. Not to mention most tracking numbers are easily guessable because they consist of a destination code and an auto-increment integer.
Also a lot of companies don't assign a tracking number until the package gets transferred to the last mile carrier. Again, if you're willing to manually copy-paste the tracking number after you get the shipping notification every single time you order something, you're clearly not part of the target demographic
It’s not complicated at all. I get shipment notification from Amazon, tap in, copy tracking then paste into browser interface of IoT thingy. I think you might be one of those guys who types 500 lines of code when 50 will do the job.
No you don’t. I enter code into browser of IoT thingy, set to expire midnight on delivery day, copy/paste to Amazon when placing order. NBD. I could even reuse the same one over and over if I want, just enable it when a delivery is due.
Okay, but the adoption rate of "let me create a code for my packages and give it to the Amazon person" is perhaps two or three orders of magnitude lower than if Amazon shows a bunch of call-to-actions for "link your myQ account for secure deliveries".
And if Chamberlain charges Amazon $0.50 per door opened to enable that feature (which steers buyers towards Amazon and away from the manufacturer website, Walmart/target/eBay/random competitor that doesn't have that feature) that might be a bigger, recurring, higher-margin revenue stream than all of Chamberlain's traditional manufacturing profits. Which would you rather have - $200 revenue for a $100 cost once in 20 years, or $0.50 per week for a few packets of data?
They could afford to give away the openers if they could win that revenue stream.
And Amazon would dump them in a second if consumers could instead click "Link your Home Assistant for secure deliveries and get $0.30 digital credit". Or more likely, Amazon would throw directly wired Dash buttons at consumers to enable secure deliveries.
That sounds plausible in theory, but it's still pretty weird to me though because Home Assistant is exclusively the domain of home automation geeks. There isn't even an off-the-shelf turnkey device to get into the ecosystem, you have to know what computers are (including scary things like "operating system" and "IP address") to even get started.
I don't know what Chamberlain has to gain by sticking it to that particular demo. For HA to be a threat to the "partnerships" like Amazon, it would have to have an audience sizeable enough that Amazon would consider incentivizing adoption.
I would say it seems dumb to piss off the most passionate fans of home automation when you're a vendor of equipment that such people might want to buy, but Chamberlain has such a stranglehold on the market that I think they figure that even if they royally piss off that 5% of the garage door opener market, those suckers (or their garage door installers) will be forced to buy the gear from them anyway.
> There is zero need for internet-enabled smartness in the garage door opener here.
Yes and no. At the scale Amazon operates, I can see value in being able to automate the process rather than requiring each driver to find and operate the keypad for each garage.
Automation, if implemented perfectly (which it obviously won't be) also prevents one form of bad actor. An Amazon delivery driver who uses your code in the future to gain unauthorized access to your garage. Automation allows this code to be limited to a single use.
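The per-delivery codes discussed in the comments above (unique per order, expiring at the end of the delivery day, limited to a single use, generated randomly rather than derived from a guessable tracking number) can be enforced entirely on the local controller. The following is an added sketch, not code from any commenter or product; `DeliveryCodeStore`, its method names and the numeric limits are hypothetical, and timestamps are passed in as plain epoch seconds.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_DIGITS = 8        # assumed keypad length; random, not a tracking number
MAX_FAILURES = 5       # assumed limit of consecutive rejected attempts
LOCKOUT_SECONDS = 300  # assumed keypad lockout after reaching the limit


@dataclass
class Grant:
    label: str         # e.g. an order reference chosen by the homeowner
    digest: bytes      # keyed hash of the code; the code itself is not stored
    not_before: float  # start of the delivery window (epoch seconds)
    expires_at: float  # end of the delivery window (epoch seconds)
    used: bool = False


class DeliveryCodeStore:
    """Hypothetical local store of single-use, time-boxed delivery codes."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._grants = []
        self._failures = 0
        self._locked_until = 0.0

    def _digest(self, code):
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self, label, not_before, expires_at):
        """Create a fresh random code for one delivery and return it once."""
        while True:
            code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
            digest = self._digest(code)
            if all(g.digest != digest for g in self._grants):
                break
        self._grants.append(Grant(label, digest, not_before, expires_at))
        return code

    def revoke(self, label):
        """Remove every grant with this label; returns how many were removed."""
        before = len(self._grants)
        self._grants = [g for g in self._grants if g.label != label]
        return before - len(self._grants)

    def redeem(self, code, now):
        """Return 'open:<label>' on success, otherwise the rejection reason."""
        if now < self._locked_until:
            return "locked_out"
        candidate = self._digest(code)
        match = None
        for grant in self._grants:
            # Constant-time comparison so timing does not leak partial matches.
            if hmac.compare_digest(grant.digest, candidate):
                match = grant
        if match is None:
            result = "unknown_code"
        elif match.used:
            result = "already_used"
        elif now < match.not_before:
            result = "not_yet_valid"
        elif now >= match.expires_at:
            result = "expired"
        else:
            match.used = True  # single use: a remembered code is worthless later
            self._failures = 0
            return "open:" + match.label
        # Every rejected attempt counts toward the lockout.
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self._failures = 0
            self._locked_until = now + LOCKOUT_SECONDS
        return result
```

Because each grant is scoped to one delivery, a code that stays cached in a retailer's or subcontractor's system stops working after its first use or its expiry, without the homeowner changing a shared code.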
> as already pointed out, most people have an unlocked door from the garage to the house
Not sure where you live, but every house I've lived in (USA, a few different states) during my entire life has had an exterior-quality door with exterior-quality lock, including deadbolt, between the house and garage.
In the one house I lived in that had a security system, that garage-to-interior door was also wired into the system and arming it would treat it like an exterior door.
Having said that, I still wouldn't want random delivery people entering my garage without my knowledge.
> Not sure where you live, but every house I've lived in (USA, a few different states) during my entire life has had an exterior-quality door with exterior-quality lock, including deadbolt, between the house and garage.
Likewise, but even if it's actually locked, no lock is impenetrable, and a closed garage provides a thief with the privacy to pick it at leisure or even break down the door. Burglary deterrence advice sometimes includes tips like adjusting your landscaping so your front door is visible from the street and locking gates to your back yard. Letting the thief into your garage thoroughly defeats the point of that...
Also, I keep stuff (bikes) in the garage that I don't want stolen.
This makes me feel like the whole thing is, in large part, meant as complementary product to security cameras. For example Ring cameras, oh so conveniently owned by Amazon.
Yeah I think people just aren't getting it and don't understand what all the data does and means. More importantly, I think they can't see that there are other options, which in some/many cases there realistically isn't (hacking your own solution doesn't count. Needs to be unskilled)
I've been thinking lately about how quickly the world has changed and I think it's a bit underappreciated. I mean cellphones only became a household item 20 years ago, smart phones about 15. Or closer to home, at least for me, generative models went from barely making small black and white human faces (Goodfellow invented GANs mid 2014) to being able to create some fucking good quality images on consumer hardware in a few minutes (not counting all the prompt engineering required. But unconditional is still pretty good). Not to mention that access to these things isn't homogeneously distributed and so rural and poorer regions tend to get thrown into the deep end rather than wade their way in. I think from that perspective a lot of drama makes sense. Especially when we're talking about how people are not very tech literate. Hell, I have a hard time convincing people in my CS PhD department that hate Facebook's spying to switch to Signal or even switch to FF (we see the same stuff here on HN. More excuses than explanations). If the "friction" (even if 90+% mental) is high among tech experts idk how novices can handle all this. At least with my family they're more willing to believe Facebook's app uses an always listening microphone rather than believe me when I explain that they can figure out you're friends and interested in gardening if you just stand next to someone or walk around with them for 30 minutes in the gardening section of Home Depot ¯\_(ツ)_/¯ (sorry, this took a tangent, but I know you think about some of these things too)
Maybe, but (and I say this as the author of an NVR [1]) security cameras only accomplish so much. It helps that in this case Amazon/etc. theoretically knows who opened your garage so with their cooperation (not a given), you should be able to match the video to the suspect, but even then it may not provide the expected standard of proof much less get your stuff back...
I think parent comment was saying the door exists, but many people leave it unlocked. I grew up leaving that garage-interior door open because that's where we put the litter box, at several different houses.
> every house I've lived in (USA, a few different states) during my entire life has had an exterior-quality door with exterior-quality lock, including deadbolt, between the house and garage.
Sure, but I've probably locked it barely more than twice.
> Not sure where you live, but every house I've lived in (USA, a few different states) during my entire life has had an exterior-quality door with exterior-quality lock, including deadbolt, between the house and garage.
I don't know if that would do much.
It's one thing to be sawing up a front door that is in plain sight of the street -- passers-by might call the cops if they saw that.
But if you're doing it from inside a garage? You could shut the garage door and saw away. Nobody would report saw noises coming from a garage because that's super normal.
My in-laws have this, but mine, my parents, my siblings, my wife's siblings, and my neighbor all have a big window in that door. And none of them are ever locked.
How old are those houses? They probably are not compliant with current building codes[1], many places require your garage doors (and ceilings) to have higher fire resistance than the rest of the house. In my experience, fire-resistance correlates to sturdiness in doors.
1. I know it's a broad generalization, also location-dependent
Latest codes have backed off of that. Doors that can meet the old fire doors had closing springs set so strong the elderly couldn't open them (or couldn't get in with packages after getting it open)
I don't see anything in your comment that suggests the latest codes have backed from high fire resistance - which was the thrust of the comment you replied to (garage doors have become sturdier, and glass has low fire resistance)
Background checks don’t ensure trustworthy staff, they just select for only criminals who are slick enough to not get caught doing crime, or criminals who haven’t been caught yet. Their effectiveness is overstated.
I don't think they care about HA at all, but they do care about Amazon not going through them to get access, and from the API server's perspective, both look identical.
Personally, I hope that Amazon doesn't play ball. You can TRY and seek rent from the world's largest retailer, but you need them, they don't need you.
My main takeaway is that Amazon should offer a discount to deliver packages to buildings with staff to accept the packages. They never go missing, so less refunds, and the building staff does not charge Amazon to receive packages.
The business dynamics are pretty interesting, though. It could be that paying this company reduces missing packages so much that it actually saves Amazon money, which they pass on to consumers in terms of lower prices. Or, it could be that they charge $1 per access, and Amazon passes that on to the customer, and then people are disincentivized from using Amazon. Meanwhile, a competitor (say, Walmart?) brokers a deal where they hide that fee, and take enough customers away from Amazon that Amazon has to play ball (and now the price is $2 per access). Costs go up for everyone.
The phenomenon of partnerships like my hypothetical above are very interesting to me. Every so often I check what I can use my credit card rewards points for, and most of the offers, to me, seem like "failing retailer desperately needs a customer" rather than anything I actually want. Thus, the partnerships must be a pretty important tool for companies that are not in first place.
Finally, I think about the long term effects of this sort of thing. Everyone wants a % of every transaction. "Oh, you turned your lights on when someone came to deliver a package? Pay the manufacturer of the light bulb $1 and your electric company an extra $1." This will look like "economic growth" to each of those intermediaries, but in the end, they just devalued the dollar. ("Inflation.") We end up with bigger numbers, but actually decrease the amount of "value" floating around.
Curiously in this case, the impetus seems to be a problem that stems primarily from delivery companies squeezing their drivers to near-breaking point. In other words, we're talking about things becoming $1 or $2 more expensive overall, to feed a side industry dedicated to offsetting the negative consequences of exploiting delivery drivers.
The only term that comes to my mind here is cancer.
I am suspicious of the idea that fraud could somehow be reduced by allowing gig workers access to the interior of my home. Somehow this seems an awful lot like a multibillion dollar company offloading work on me.
> Somehow this seems an awful lot like a multibillion dollar company offloading work on me.
That's most of the tech industry in a nutshell. From the office suite through all the "self-service" web/mobile interfaces, self-service checkouts in stores, to stuff like this - it's all making you do the work that was previously done by full-time professionals. It's a net loss of efficiency, and it only looks otherwise because salaries of full-time professionals are legible to bean-counters, while the same workload redistributed in tiny bits to masses of people is invisible in balance sheets.
In short: I'm starting to believe that most of the "improvements" that came with software are actually just accounting tricks, and this is why actual performance gains don't seem to track expected gains.
Have gains not been accounting tricks since the 90s?
I would say that almost all of it is, eg, disassembling our manufacturing and shipping it over seas - which ultimately eroded the middle class and jeopardized national security. But neither of those is on the balance sheets of the relevant company.
Anti-social short-term metricized business is the ultimate form of Taylorism — and in three generations, we can see that it’s an abysmal failure.
Sprinkling math on top doesn’t make reckless greed a good idea.
> Have gains not been accounting tricks since the 90s?
Quite possibly. I only thought this through wrt. software, as this is my field, but the overall method seems universal: turn concentrated work into disperse work, and throw it over the organizational boundary, so it looks like you've made the costs go away.
Add to it the time lost because software tends to be less reliable than its counterpart because multiple software interfaces tend to increase complexity. There are some things that software is wonderful for improving. But I don’t need an IoT stick of deodorant.
> go to the dealer to buy a replacement key fob for your Tesla for $300 and not eBay for $5.
Off topic, but FWIW: Teslas don't in general use fobs (maybe you get one with an S or X?). You can buy one for $175 if you want, but in general the primary unlock mechanism is the app on your phone, with the effective root of trust held in an RFID wallet card (of which you can buy extras for $20 each).
That's a terrible idea, and it requires you to have both a smart phone and to have it charged and working to get into your own car. A phone crash can leave you stranded.
Why should the garage door manufacturer take a cut if a third-party wants to use/access my garage door (which sells for real money and isn't advertised as a rental)?
If a homeowner wants to let Amazon, Walmart, etc. open their garage door, it should be up to him to provide them with an access token/secret/etc to enter, just like you can put a door keycode in the order notes. The interaction should be purely between him and the retailer and there is absolutely no need for some rent-seeking scum to be involved.
The disgusting business model you seem to be justifying is akin to house builders/contractors being perpetually owed a cut every time you invite over a guest into your house or they switch on the lights.
2. Through research they find user wants to interact with their smart device while outside of range of wifi/bluetooth.
3. Company builds device firmware and cloud infrastructure to support this goal.
4. Company wants to simplify business logic and doesn't provide local (wifi/bluetooth/zigbee) support. Online only can service both on-premise and off-premise.
5. Company needs to reduce costs and justify ongoing operational costs of supporting this cloud + device service.
7. insecure, opaque devices that have always-on internet connections, that owners cannot upgrade/fix/defend against and require external actors to protect (ISP's blackholing bad traffic)
Remember, the S in IoT is for Security.
They could simplify their business logic by making sure local first is reliable, and internet access can be turned off, and supporting vendors making (user-controlled, upgradeable, etc) gateways that handle the cloud/internet/local handoff
I don't disagree with you, since the company I work for supports both local network access to their devices as well as cloud access for when you are outside the home. But supporting both does not simplify business logic, it increases complexity. It introduces more states and failure points that your firmware devs and app devs need to account for.
A solution to that is to make the cloud-based service as dumb as possible, only operating as a NAT traversal helper and/or TURN relay, over which the local-only protocol is tunnelled.
I appreciate your response, and don't want to go too far off the thread here, but as a software developer/architect myself, how can that possibly be true?
The state of the environment that the IoT device is sensing or controlling, has to match local reality. Therefore, the state that's actually on the IoT's MCU is the true state that matters. (Any state stored cloud-side could be stale if the MCU is disconnected, or misses updates) Ergo, if the cloud service is showing or manipulating the state of the IoT device, it has to read or command the IoT in near realtime, implying some kind of constant/realtime connection.
This would be the same mechanism a local-first connection would use, right? What am I missing here?
Aside from all the small added complexities of swapping between local http polling vs mqtt pub/sub for both apps and devices, the big complexity is managing authorization. Think about how simple the device firmware gets to be if the only access pattern is a single secured mqtt channel for processing commands. Anything coming down that pipe comes from a cloud provider that has already negotiated who can and can't send those commands. When you open up local access the device itself now needs more code to manage authorization and all the attack surfaces that come along with that.
I'll argue the fucking garage opener shouldn't even be connected to the internet. It, like every other "smart home" device should be connected to a zigbee/z-wave/thread gateway that can be replaced when it gets old and the manufacturer can't/won't support the gateway anymore.
What's interesting is the "ongoing operational costs" should be calculated to NPV and rolled into the cost of the garage door one-time-purchase. We're talking about a $3-400 garage door opener not a $20 echo dot.
I don't actually find this model so disgusting as long as it's implemented in a non-restrictive way.
If a garage door manufacturer offers me a (free, local) API to fully control my door and allows me to check a box to let Amazon in, what, exactly, is the problem? Sure, I could also allow Amazon in without checking the box (assuming Amazon offers the appropriate integration and I'm willing to deal with maintaining my side of it), but it also seems okay for Amazon to pay the garage door opener company for the first-party version. Everybody wins.
Forcing the actual device owner to use a crappy cloud service is an entirely different story, but it's not required for the Amazon business model. Similarly, many video recording devices support ONVIF and have an optional paid first-party video storage. (And I imagine that quite a few commercial users demand the former -- no one who operates a concierge/security desk or a serious office building or a warehouse or an industrial site has the slightest interest in using four different first-party cloud offerings from four different vendors of their various gizmos that contain cameras. They are going to run one NVR, possibly with off-site backup, with one integrated system for viewing and analyzing the feeds. And they will pay handsomely for that, and they're paying that money to one of several established companies in the space, all of whom require at least token ONVIF or RTSP compliance, and they aren't about to kick any of that money over to the camera makers, because there is no shortage of competing camera makers.)
They are not giving me a free, local API. They are doing everything possible to make the API unusable except by their application, and they are throwing ads all over their app and using dark patterns to hide the open/close buttons until you scroll past the ads.
I just connected my garage door opener to Home Assistant by taking apart a paired remote and wiring the button to a Zigbee relay. They can't stop me, no part of this is connected to their cloud. In any case, smart home stuff should never rely on the cloud.
This is genius. As someone who is familiar-enough with minor electronics to fuck something up, but not confident enough to look at this photo and go for it—what am I trying to learn here? What are the terms I'm trying to google to figure out how to connect <electronic board> to <electronic board> via <wires>?
One of the articles on this mentioned "ratgdo" as a simple board to do most of the "make a button wirelessly available to homeassistant", I haven't tried it but searching on it gets you a lot of reasonably specific articles and videos.
The pictured solution is very easy and comes with directions (ratgdo).
However, if even that is too much you can make a Switchbot do almost anything. It's just an actuator that pokes buttons and is a premade product with a shell rather than a DIY thingy.
Maybe? How many people are switching out their garage door specifically for Key? Every new home I've experienced has no choice for which brand of garage door opener they use, the builder has standardized to a specific brand and often only updates the model whenever forced to.
Apartments? Businesses? Yeah, Chamberlain only sells garage door openers BUT Chamberlain Group[0] owns Chamberlain, LiftMaster, Merlin, and Grifco (I think they missed a "t" there).
Literally the bottom of the Chamberlain website reads
> The Chamberlain Group LLC, the corporate parent company to LiftMaster, Chamberlain, Merlin and Grifco, is a global leader in access solutions and products. __We design and engineer residential garage door openers, commercial door operators and gate entry systems.__
Garage door openers have a life of 10-20 years. There are many many millions of existing homes that need new openers every year.
Also, openers are also a common up-sale when other components are serviced or replaced. For example, if you get a garage door replaced, the installer will often recommend a new opener at the same time.
Thanks for Lockitron, I still use it! Probably one of the few. At least Chamberlain has kept it running, which honestly I'm surprised at. I have been looking at other ones, and with this news I think it's time to do that.
> They are afraid a potential partner will use the automation meant for customers.
But isn't the door property of the customer? In this case it is perfectly the customer's choice and right if they want to use the customer-facing API to let a delivery company in.
A stressed out underpaid and overworked delivery driver is the last person I want in my garage. Verified deliveries are left at the wrong house, or the driver simply takes it with them after posting the porch picture. And I've seen boxes arrive that were forced open and the contents pulled out. But sure, it's the customers who are untrustworthy not the delivery people.
> A stressed out underpaid and overworked delivery driver is the last person I want in my garage.
Same, but this is irrelevant to the point GP was making. Some minority of people do want Amazon Key (and similar services), and those people are now unable to claim their package wasn't delivered once they sign up for the service.
Add those people up and you have something worth millions, even if there aren't many of them.
I live in a townhouse and I _love_ the Key deliveries into my garage. I've been using it since it was a closed beta, and I haven't had a problem with it.
It provides a convenient service for both parties.
True. Delivery drivers consistently deliver to my neighbor instead of myself. The last three digits of our addresses are 885 and 855, and they consistently confuse the two. They’re tired, overworked, underpaid, and I honestly don’t blame them. But I wouldn’t trust anyone in my garage/home when I’m not home. Not sure why these companies think that will actually work.
They think it will work because if you refuse to do it they won't refund your stolen package unless you file a police report, and convenience with huge downsides wins with consumers 99% of the time over effort with no downsides.
This is just conjecture, btw, I have no authoritative knowledge of their plans to do anything.
As things are, missing packages are not really a police matter for the recipient. Recipients don't actually know that a package was stolen, since it never made it into their possession. Amazon could certainly file police reports, but that requires a higher bar of evidence than throw-and-go delivery service provides, and either way it Doesn't Scale (TM).
I'd guess it's more likely the opposite dynamic, where they'll get a bunch of early adopter types to sign up without thinking through the ramifications. And then after the honeymoon period, Amazon will start demanding those users file police reports for missing packages since from their system it now looks much more airtight that the package must have been stolen from the buyer.
That’s not true, the garage typically has a full outdoor door with standard security (dead bolts, wired into the security system) the same as any other door as the interface door between the garage and the house. This is a code thing for a variety of reasons but primarily because the outdoor door is weatherized and provides a barrier against CO, but also for the precise reason that the garage door is not considered secure. The protocols for opening the door wirelessly are known insecure and municipalities have required outdoor doors at the interface due to the number of home invasions and burglaries through the garage.
Agreed. Our garages have always had three entries: one from the house, one via garage door, and a side door. Side door was always locked, garage door always closed (never locked though), and the door between house and garage not only almost never locked, but often flat out open because that's where we put the litter box.
It's functionally true. Thinking off the top of my head I can come up with at least a dozen examples growing up of friends w/ these doors. Not a single one was ever locked. Most of the time w/ school-age kids they would be left purposefully unlocked so the kids could let themselves in after school w/ the garage door PIN code.
I honestly can't think of a single person I know who routinely locks those doors.
I've lived in many houses in the US (eight, some new, some older, in five states) and only one had a deadbolt on the door from the garage to the house interior. All have had normal locks and were exterior-door-quality. So, definitely not a universal truth.
Not to mention... a car, as there's a car theft crisis nearly everywhere in the past 2-3 years. I consider the garage just another room in my home. I consider entering my garage akin to entering my house.
This would work with only humans involved, but nearly everybody runs addresses through standardization now, and they would reject all of those as an incorrect address and usually require the user to enter a conforming one, including the (otherwise very clever) apartment number hack.
This is the same thing that continuously requires me to use my "ZIP+4" for absolutely everything, even though as far as i can tell, there is zero point in ever using it unless one is literally doing metered US Mail.
I'm sure that sometimes happens successfully as you describe, but having worked in ecommerce for a long time, many larger retailers will throw addresses like that either back at the customer until they "fix it" or to a queue where customer service will attempt to "fix it" including by calling you. The carriers (like FedEx etc.) really like standardized addresses. So this could result in delays in getting your order.
I've got an 80% hit rate at best across all carriers (in the US). I'm constantly trading mail with my neighbors due to mis-deliveries. It's a good thing we now have the option to go mostly paperless for important documents at least.
Subject to location service accuracy, which as we know, is ±1m... in movies, ±10m in reality... except more often it's ±50m or worse, because who knows why.
This can happen. A delivery person comes to a door, presses the button in their app, and nothing happens. So it's immediately obvious that they are at a wrong location.
And they know that they can't just leave the package there, they have to find the correct door. And there's a flow in the Amazon delivery app to mark an incorrect geolocation, so they won't be penalized for taking longer time.
The app also has pictures of the location in question, to minimize the confusion.
From the homeowner's side, the garage door will be open for half a minute or so with nobody nearby. It's possible for a burglar to use this time to quickly run inside. But the probability of that is pretty low, and there'll be a camera recording of that.
> And they know that they can't just leave the package there, they have to find the correct door.
Except that's not true at all. Amazon had my new house geolocated wrong (think robin instead of arden st in their system, even though I put the address in correct and it read back correct).
First delivery came, "delivered", not at my door... Contact CS, get a refund, continue.
"Ok, I'll setup key so they know it's wrong and deliver it in my garage."
Pieced together from video:
Second delivery arrives at wrong location, garage door opens...and was never closed. "delivered"
Took me contacting CS 5 times, with 5 failed deliveries, and doing an email bomb to get them to update my geo-location. Turned out it was literally across the fucking city, ~8 miles away.
Not at all. Since the app is linked to a system that opens your specific garage door, it will be obvious because they push the button and the door in front of them does not open.
My point is Amazon is blaming customers for fraud when it's the fault of a delivery mistake such as dropping the package at the wrong address. Or the drivers themselves stealing the packages.
This is infinitely more sensible than some crazy internet connected garage door opener scheme. Somehow I think it's far too sensible for modern culture though. Everyone's lost their minds.
I know it's a distraction and orthogonal to your point, but your statement of a "key fob for your Tesla for $300" is fallacious and incorrect. Tesla uses Phone Key with the Tesla app as your primary method of unlocking the car, with a $20 NFC card as fallback, and the limit of paired phones is above any practical real-world use. If you want a keyfob as a status symbol, it's $175. (Mine is a desk ornament, it doesn't get used.)
Swap in a more traditional automaker, and your point remains correct.
Since you noted it, it’s actually very much part of my point. Tesla engages in price segmentation for replacement key fobs because they have key control. Perhaps even more aggressively than most other automakers short of VW Group. When done well it’s invisible to the user. I suspect by your (polite) comment that you may not be aware that’s going on here.
Premium users pay $300 to replace the fob on their Model S / Model X. Mid users pay $175 to replace the fob on the Model 3 / Model Y. And an entry level option exists for the cards. Plus programming fee. Handling fee. Local taxes. Processing fee. Etc :-)
Without control of their PKI anyone could self program a replacement for a few dollars as is the case with the garage door market.
As an aside, I find the fob useful for booting the car up prior to getting in, rather than waiting 40 seconds before the fly-by-wire shifter starts responding to commands to put it in gear.
> And an entry level option exists for the cards. Plus programming fee. Handling fee. Local taxes. Processing fee. Etc :-)
Cards are $20. No programming fee, no handling fee, no processing fee. Yes, there are taxes and yes shipping things generally costs money. Users program keys themselves.
> As an aside, I find the fob useful for booting the car up prior to getting in, rather than waiting 40 seconds before the fly-by-wire shifter starts responding to commands to put it in gear.
Keys are for valet and I keep mine in my glove box. The car boots up almost instantly.
> If you want a keyfob as a status symbol, it's $175. (Mine is a desk ornament, it doesn't get used.)
The keyfob is super-useful. It fits perfectly into that small jeans pocket (that was originally meant for watches), so you can trigger the trunk/frunk opening without taking the fob (or phone) out.
Yes, I mean surely Chamberlain could maintain a correct and official API endpoint for HomeAssistant users for the kopecks it would cost. It’s all a big money grab.
I was burned by this change. I don’t know if anyone at Chamberlain is reading this, but you guys have neighbors, users just wanna keep their home safe. You’re one TikTok away from a crisis when you do stuff that is anti-consumer.
Based on my local big box store and garage installer availability, Chamberlain has a de facto monopoly. They also pulled the rug out from under customers: that behavior had been in Home Assistant since 2017, and it's their own recent changes that caused the alleged "DDoS". They say it's to promote official products, but the company previously had a local hub that didn't require their cloud service and discontinued it.
The API breakage coincides pretty well with their brand new CTO, whose objective is apparently "transformation to a smart access software company".
It's unclear if the CTO just doesn't understand that "DDoS" generally implies malice, or if they're intentionally using that language to blame users for using their product.
Good news: ratgdo, an ESP-based local solution works great. I hope the author is making a decent profit on the kits.
> It's unclear if the CTO just doesn't understand that "DDoS" generally implies malice, or if they're intentionally using that language to blame users for using their product.
I've definitely seen "DDoS" used when there was no malice, such as when a developer accidentally releases a client that generates way more traffic than it was supposed to. Probably because we don't seem to have a good term for "event that at the server looks exactly like a malicious DDoS attack but was actually due to a mistake or to the server becoming unexpectedly popular" :-).
My favorite example of whatever we are supposed to call this was John Carmack in 1997. From his 1997-12-09 .plan:
> Cyrix has a new processor that is significantly faster at single precision floating point calculations if you don't do any double precision calculations anywhere.
> Quake had always kept its timebase as a double precision seconds value, but I agreed to change it over to an integer millisecond timer to allow the global setting of single precision mode.
> We went through and changed all the uses of it that we found, but the routine that sends heartbeats to the master servers was missed.
> So, instead of sending a packet every 300 seconds, it is sending one every 300 MILLISECONDS.
> Oops.
> To a server, it won't really make a difference. A tiny extra packet three times a second is a fraction of the bandwidth of a player.
> However, if there are thousands of network games in progress, that is a LOT of packets flooding idsoftware.com.
> So, please download the new executable if you are going to run any servers (even servers started through the menus).
That's fair. Maybe my security background is shining through here. I guess we used to have "slashdotting" but that doesn't generalize well :)
I did do some napkin math to quantify how much that bad traffic may have been: HA estimates between 6857-25576 installations of the MyQ integration. Let's say 16k clients. HA makes it really easy to detect and "add" the integration (which counts as an installation even if it's not configured), so, that's definitely not all clients hitting the API. Let's say it's 50%, so 8k actually using it. Most users just notice myQ is broken. Let's say some fraction retry, which would look the same as an extra user from a volume perspective. Call it an even 10k users (including repeat users).
The most recent change is after they broke everything past the OAuth dance. Let's say the OAuth request is 1kB. The retry code retries up to 5 times with exponential backoff. Let's say 5 requests over 10 min.
(5 requests / 10 minutes) * 1 request/user * 10k users = 5k requests/minute, or 83 per second, amounting to 83kB/s inbound.
There's no reason to assume those requests would synchronize, but I'm sure there's something (let's say every single myQ user updated at the same time).
If what they're saying is true, sounds like actually malicious botnet wielders can ransom the living daylights out of them. Given 1Tbs DDoS attacks they'd only need a tiny fraction of the full bore ion cannon! ;-)
83 rps would be a challenge when hitting a Java EE app written to make use of tutorial-level ORM code without any caching or optimizations. An app where a request takes 300ms to resolve (pulling numbers out of hat for an average poorly written Java EE app; ignorantly assuming 300 ms are spent with 100% CPU utilization of a single core), would require a 24-core machine to keep up with 83 rps. Accounting for some peaks in usage (how about 5x around 7-8am?), 400 rps could make almost every morning an "all hands on deck" event for the ops?
> I've definitely seen "DDoS" used when there was no malice, such as when a developer accidentally releases a client that generates way more traffic than it was supposed to. Probably because we don't seem to have a good term for "event that at the server looks exactly like a malicious DDoS attack but was actually due to a mistake or to the server becoming unexpectedly popular" :-).
This is a problem with the service, not with the developer.
If the service (doesn't want) / (can't handle) something, then it should rate limit its response.
If the service can't handle "0.2%" of its clients making a 'not unreasonable' amount of requests, how will the service hold up against a hostile actor who aims to DDOS their service?
> I've definitely seen "DDoS" used when there was no malice,
Absolutely. Used to work on the Identity team somewhere. Dev accidentally removed code that was supposed to cache a token on a very chatty service. Brought auth to its knees and called it DDoS.
> The API breakage coincides pretty well with their brand new CTO
You can go and engage him directly on the topic, maybe he'll present a perspective we haven't seen, or maybe he'll listen to your arguments and reconsider:
Odds are that whatever nice Chamberlain opener you want will have myQ built in because that's their business strategy. You can try getting a different brand if you're voting with your wallet -- but if all you care about is security: the Cloud connectivity is optional and you can just not connect it to WiFi.
The ratgdo is more trustworthy, and it just connects (really easily, too, especially with the new v2.5 board) to the opener via the same contacts that the dry contact button does.
I use the Athom one also, and putting a reed switch in the fully closed state, as well as in the fully open state allows me to reasonably determine where the door is. Might not be enough for your case, but for me it was enough to know that the door is “kinda open”, or “fully open”, or closed.
I did the same with a MHCOZY Zigbee dry contact relay and two Aqara door/window sensors. I use the dry contact relay for two doors, and have two more channels to use for other stuff if I need to.
Additionally, I tried using an Aqara vibration/tilt sensor for more accurate "partially open" status reporting but it was a) not sensitive enough b) too unreliable c) too slow to update. I guess it's more meant for detecting impacts or falls.
I've also toyed with the idea to mount an ultrasonic distance sensor at the top of the (rolling) door, which could measure how far from the ceiling/far wall the top of the door is, but it'd be pretty bulky and problematic to power mounted on a moving part like a door.
Getting status information from the door is the entire value prop from something like the ratgdo. It's the only reason I ordered one. Otherwise, momentary switches with HA integration are readily and cheaply available.
I'm happy to not have one of their devices but if they did this after I had installed it based on the fact that it works with HA then I'd definitely sue them for breach of contract or whatever else I can think of or to get a full refund.
What a shit move to pull on your existing customers.
I felt silly at first complaining to my wife I couldn’t get myQ working again, thinking I did something wrong after adding an automation. We tried to open the door (remote via hass) for my son when he got home but it didn’t work. Obviously it was something I did? (nope)
Then I watched the discussion on discord and realized I’m not alone albeit still a small percentage.
Then I see this as top post on hn.
It’s frustrating to have a company do this. I don’t agree with their choice. Plus forcing you to see ads whenever you open or close the door is Orwellian.
Now I need to somehow sell this device on eBay with hopes a large percentage still wants it.
The MyQ app sucks, though. Besides the dark pattern ad-forcing they do, I've also had the thing redraw while I was holding the button to open a door. Which meant the wrong door opened entirely - one that happens to be 20 miles from where I was standing. I have had this happen multiple times, it's ridiculous.
AFAIK yes, but to quote the article (which quotes the maintainer of the MyQ integration, Lash-L [0]), “We are playing a game of cat and mouse with MyQ and right now it looks like the cat is winning”
Yes, that's what they've done. The problem is that myQ keeps trying to fingerprint the device to check if the requests are coming from a real app before offering service.
I use Home Assistant and have this opener. My installer recommended it because he’s had happy customers like me who use home automation. I can tell you that I a) will never recommend or buy the brand again, and b) have already complained to my installer about his recommendation of this line (and he is moving to another brand).
I wish ratgdo a ton of success and have several on order.
On top of the lack of integration support, the MyQ app used to open garage doors is full of advertisements. It's ridiculous. I regret buying their products.
As discussed elsewhere in the thread, it seems that this would be the number two reason, the number one being trying to be the only service that can profit from in-garage deliveries.
Actually, some other commentator stated that when he's about to open/close his garage door, he opens the official app and where there's been an "open/close" button is now a video ad and to reach the button, you have to scroll the screen until you reach it.
I would try to sue that manufacturer. I hope it will be pulled to a court.
To some extent, serving ads is like owning a money printer. I can't really get upset that everyone wants to own a money printer. I just hope that there is a backlash against ads someday, where they start having a negative effect. "Oh, Toyota is constantly advertising in my garage door app? I'm going to buy a Ford instead." People say that the US government defaulting on its debt would be the end of the world, but the real end of the world is one where advertisements stop working!
> have already complained to my installer about his recommendation of this line (and he is moving to another brand).
What brand is he moving to? Does it work with Home Assistant?
I can't recall the last time I saw a garage door that wasn't Chamberlain or one of the brands they own. At least in my area they seem to have a near-monopoly.
I don't blame your installer for recommending it. I've had a myQ opener since 2015 and it's been rock solid... it has been the most reliable home automation product I have ever owned, until now.
I don’t, and would happily use that installer again. =) But unless you give feedback on how the choices are working out how can you expect them to know and have a better choice next time? (Genie, is what I heard for the future… I’ll have to check further when/if it becomes relevant)
I also just left my installer a voicemail explaining that they are going out of their way to break compatibility with the software I use, and I recommend that they look for another brand, at least for folks who are interested in wifi connectivity.
Home Assistant should really maintain a list of actively hostile (and actively cooperative) manufacturers to make it easier to decide what to purchase.
That helps, but a remote integration doesn't _have_ to be hostile. I get that it's different from IoT, and most of my stuff is local Zigbee after learning the hard way, but my Home Assistant also talks to the Norwegian meteorological institute and Tailscale :)
One reason this is tricky to do is because up until let's say the last 6 months or so, myQ _wasn't_ hostile, even if it was Cloud-based. (I get that that aligns with your point! I'm not arguing with you there.)
And the company doesn't even have to be actively hostile for remote to be risky.
The company could go out of business and shut down their servers. Or shut down the servers because they're no longer selling the product.
Sometimes incompetence is as bad or worse than malice. The company could break an API accidentally. Or the API only works intermittently. Or they could add poorly-implemented rate limiting that unintentionally affects multiple users when they share an IP via NAT.
And a local integration can be hostile if it's not publicly documented and they can update it / make it go away with an over the air update.
What matters is that they provide proper documentation for their APIs, encourage devs to use them, and don't have a history of breaking old clients with new firmware updates (without very good security reasons).
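Two points raised in this thread, that a service should rate limit traffic it cannot absorb and that a limiter keyed on source IP penalizes users who share an address via NAT, can be seen in a short replay. This is an added example, not part of any comment and not Chamberlain's or Home Assistant's code; the limiter settings, account names and traffic are constructed, and the IP addresses are documentation-range placeholders.

```python
from collections import Counter


class TokenBucketLimiter:
    """Each key may burst `burst` requests, then refills at `rate` tokens/second."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self._state = {}  # key -> (tokens, time of last request)

    def allow(self, key, now):
        tokens, last = self._state.get(key, (self.burst, now))
        # Refill for the time elapsed since this key was last seen.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        if allowed:
            tokens -= 1
        self._state[key] = (tokens, now)
        return allowed


SHARED_NAT_IP = "203.0.113.7"  # constructed: several households behind one NAT
OWN_IP = "198.51.100.9"        # constructed: a household with its own address


def build_traffic(duration=300):
    """Constructed sample traffic: (time_seconds, source_ip, account) tuples."""
    events = []
    # Three well-behaved clients polling every 30 s; two sit behind the NAT.
    for account, ip, offset in (("alice", SHARED_NAT_IP, 5),
                                ("bob", SHARED_NAT_IP, 17),
                                ("carol", OWN_IP, 11)):
        events += [(float(t), ip, account) for t in range(offset, duration, 30)]
    # One misconfigured client behind the same NAT, sending every 300 ms.
    events += [(i * 3 / 10, SHARED_NAT_IP, "buggy")
               for i in range(duration * 10 // 3)]
    return sorted(events)


def by_source_ip(ip, account):
    return ip


def by_account(ip, account):
    # Assumption: the request was authenticated before the limiter ran.
    # Unauthenticated endpoints still need a (looser) per-IP ceiling.
    return account


def replay(events, key_of, rate=0.1, burst=5):
    """Run the traffic through one limiter; return {account: (rejected, sent)}."""
    limiter = TokenBucketLimiter(rate, burst)
    sent, rejected = Counter(), Counter()
    for now, ip, account in events:
        sent[account] += 1
        if not limiter.allow(key_of(ip, account), now):
            rejected[account] += 1
    return {account: (rejected[account], sent[account]) for account in sent}


if __name__ == "__main__":
    traffic = build_traffic()
    for label, key_of in (("per source IP", by_source_ip),
                          ("per account", by_account)):
        print(label)
        for account, (bad, total) in sorted(replay(traffic, key_of).items()):
            print(f"  {account:6s} rejected {bad:4d} of {total:4d}")
```

Keyed on source IP, the one noisy client drains the shared bucket and the two well-behaved clients behind the same NAT are rejected every time; keyed on account, only the noisy client is throttled.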
Sure it can be local - in the sense that all control and scraping lives on your machine.
But in general, OK - some things are better done via an on-line service. But it's the minority of cases - almost none of IoT devices have a legitimate reason to route control and diagnostics through the cloud.
Oh, that. I'm actually wondering if they are making this hard on purpose.
The obvious way to implement this would be to have a front-and-center filter for cloud/local, so that one could use it to check which brands to consider before buying new connected hardware. It's a use case people have been asking for years. It's the only reason one would want to access a searchable list through their own page (as opposed to googling "${brand name} home assistant").
> We understand that this impacts a small percentage of users, ...
Wow, what a contemptuous statement.
I have news for you, Chamberlain Group. You are not only alienating, being hostile and losing a "Small percentage of users" (most companies would prefer to call them "valued customers", but I get it). You are causing enormous permanent damage to your own brand.
This is the own goal that Intel did with their Pentium FDIV bug. They were absolutely correct that it only impacted a small percentage of users. They still ended up losing their shirts over the problem.
As much as I want this to be true I kinda doubt it. People who install and configure home assistant are far and away niche users. Almost everyone with one of their products will just use a physical clicker or pair it with their car directly.
That doesn't need to happen for the Charlatan Group to struggle. Most current hardware companies are dependent on the customer to renew their hardware every 5 years.
Something that I don’t see people talking about here is that MyQ is the core/required integration component for Amazon Key in-garage delivery, a service used by millions of people to have their packages delivered to their garages instead of having them stolen off their porch. That’s why it needs Internet access. All the talk about how Chamberlain will go bankrupt because a comparatively small number of tech people stop using the product is fluff. I ran into the MyQ API problem with Homebridge a couple weeks ago, and I bought a unit from Meross that integrates directly with Apple HomeKit. I still have the MyQ installed because I _need_ it for Amazon deliveries. Yes, all the fury about ads and user hostility and probable polling requiring extra resources with no recompense is correct and justified. But at the end of the day, Chamberlain doesn’t care if they piss us off. They get all their money from the same people who think their phone screen is _supposed_ to be covered in ads on every page they visit, and they likely get TONS of money from Amazon.
Somewhat off topic but it is quite stunning to me that American carriers just leave the package at the door. I lived in different European countries and in all of them the expectation is that the mailman (official mail, or any of the services like dhl, ups, etc) will ring the bell. If you don't answer they will ring the neighbour and then take it back and either try again another day or you can go to a pickup point. Instead the U.S. has an entire category of devices to avoid package theft when the solution lies in holding carriers to account. I don't want to open the garage for Amazon or Bol or any other delivery company...
What you describe is how it worked in the US maybe 10 years ago too. But Amazon's free delivery race to the bottom made the cost of reattempts to deliver eliminate any margin. It's cheaper for Amazon to replace stolen shipments for a few people than to make multiple attempts to do re-delivery for many people. And creating a problem in order to charge people to solve the problem you created is a basic monopolist playbook move.
UPS used to do that. I hated it. If I'm not at home I have to wait another day to get my package, or drive across town to get it from the depot.
Just put it on the porch. Not everyone lives in an area with a package theft problem, let those folks work out their own solution but don't punish the rest of us.
Meanwhile, it is quite stunning to me that European carriers would intentionally mis-deliver (i.e. leave with a neighbor) packages rather than just leaving them on the porch! Over many years and many neighbors, I've had plenty who I would be happy to let receive my packages and plenty I would very much not. Likewise, I would be quite peeved as a permanent WFH-er to be the neighborhood final delivery guy.
There are plenty of places in the US where packages left on the porch aren't secure, but there are also plenty of places where it's completely fine and saves everyone time. I've never once had a package stolen off my porch anywhere from an apartment in the Bay Area to a house on 10 acres in rural Oregon. I really think that the places where package theft is rampant are the exception, not the rule.
Thanks, interesting insight. Here it's just a normal thing to do. Why not do my neighbour a favour? The mail carriers mostly are regulars (except for the new Amazon carriers) so if you refuse parcels they will also respect this and not bother you.
When I lived in NYC and like most didn’t own a car this was the way it worked (sans the neighbor, delivering a package to the wrong recipient is a big no no, and makes some huge assumptions about the neighbor, relationship to the neighbor, and sensitivity of the delivery). If you weren’t home you got a hang tag. They attempted redelivery a few times, held it for a while for pickup, then sent it back.
I worked, like most folks, and people are not generally home. The pickup location took two hours to get to via public transit. That’s a four hour round trip. There was one and only one pickup location in the entire NYC region for fedex.
It made life impossible. Amazon came along and decided to take responsibility for losses directly and instructed carriers to leave packages and not reattempt delivery or hold them. Customers vastly preferred this, carriers too as they saved tons of money. Amazon got a reputation for being much more convenient to order from. Their losses as a percentage were low compared to essentially owning mail order due to the convenience. When I had packages stolen they immediately shipped a replacement no questions asked.
Amazon Key is an attempt to mitigate theft but also a lot of folks just feel uncomfortable with packages on their front step. The idea of leaving your garage slightly open for deliveries isn’t a new one, but the Key product improves on that by only opening for the delivery person and recording their interactions to ensure they don’t do something they shouldn’t.
I used it briefly but I didn’t like it because I have a workshop in my garage and I just didn’t want people seeing what I’m working on. I wasn’t worried they would rob me per se, just didn’t like showing my work in progress to random strangers. If it opened the garage slightly to allow the package delivery I would have kept it but it opened 100%.
Interesting, it seems in the EU countries I lived in, a different solution emerged: the mail carriers cooperate with local corner shops (common in any EU city) and even supermarkets to serve as pick up points. In addition there are package lock boxes run by the mail carrier and distributed in central locations. I have never lived anywhere where I would have walked more than 10 minutes to the pickup, usually much less. The only issue I ever had was with a huge bulk parcel which I had to pick up at a depot, and a delivery from China on which I had to pay duties. But those were 2 out of probably thousands of deliveries over the years.
On neighbours, the carriers usually let you choose if you want this to happen, but it's just a normal part of life to accept (and hand over) your neighbour's parcels. I have done so dozens of times and had it happen for me, even in rougher areas where I barely knew the neighbours. I guess levels of interpersonal trust might be higher in Europe than the U.S.?
This is how it used to work in the U.S., too, until the major carriers recently realized they can make that into a paid feature for the customer. Now you can't even request something to be held at the store or distribution center for pickup without a fee or subscription.
Yikes, I would never in a million years use a shipping service that delivered my packages to my neighbor, nor one that required me to go to a pickup point. WTF is the point of that? If I wanted to go somewhere to pick up my stuff, I'd just buy it from a store instead of ordering it online!
Most mail carriers (the majority of deliveries are carried by a national (ex) monopoly) let you choose what you want to happen to your package. And we have many corner shops in EU cities and towns, and the mail companies have installed dedicated lockers as well in central locations, so a pickup point is usually 5 minute walk away. On the neighbour - for me that's normal. I guess we generally trust our neighbours more? We also do not have the strange U.S. laws that you can keep anything that arrives at your door, so it is normal for anyone to receive (and then hand over) neighbour's parcels. Like a real community...
Thanks for the long winded justification, but all of these are strictly worse than simply leaving my package at the doorstep. I'm 40 years old and in my entire life I have had exactly one package go missing after being delivered... that risk is not worth even considering "a 5 minute walk" to get every package, never mind having them delivered to random neighbors -- that's just beyond the pale, absolutely absurd.
I only have MyQ for Amazon Key. Fortunately Amazon also supports the Aladdin Connect - which works with all garage doors. And is fully supported in Home Assistant.
I have one on order and will be swapping out, bye bye Chamberlain.
> Something that I don’t see people talking about here is that MyQ is the core/required integration component for Amazon Key in-garage delivery, a service used by millions of people to have their packages delivered to their garages instead of having them stolen off their porch.
Would be nice if this functionality could work with arbitrary openers via webhooks. You could even have a fancy auth flow that you trigger from your smart home dashboard so users don't have to know or care how it's implemented under the hood.
I just called up the folks that installed my garage door, and recommended that they look for a different brand because of how hostile Chamberlain is being towards their customers. I'm not the only one doing that.
Sure, we're just a couple drops in the ocean, but eventually those drops can start to add up.
Devices that rely on cloud infrastructure should be required to carry an expiration date right on the box. "This item guaranteed to receive support until XX/XX/XX"
Unfortunately, this is just wishful thinking. Take an example where a company is going under. If such a law existed, it would be unenforceable as the company does not have the resources and know-how to do such a thing. After they file for bankruptcy, there is no point in punishing them.
Software escrow processes could (partially) solve this, at an upfront cost for every company developing and selling such a device (meaning, at a price that will ultimately be paid by consumers).
All you need is an option you can set on a private repo in Github so that if you close your account or don't pay your fees for 3 months it automatically becomes public rather than gets deleted.
There is still a process cost to participate in any escrow process, both on an initial and on-going basis.
(That's before the blindingly obvious observation that even something provided by the government at no cost at point of use has a cost which is ultimately borne by the people.)
I don't disagree with either statement, but I think both of those are a price worth paying to avoid having hardware become e-waste because software support was stopped.
I think we'd also need to figure out some durable and stable way to reach a conclusion on "when should the software be published out of escrow?" that handles a bunch of the various edge cases. "What happens to devices that are one-time programmable? What devices are in-scope/out-of-scope? Does this apply to radio firmware as well as general CPU firmware? Is the software license changed alongside the release of code from escrow? Are signing keys also released? Is code released from escrow just because some individual use case is no longer supported by the mainline firmware? [Is a disagreement with a product decision enough to release the old code?]"
I agree as well, though I don't think we need to figure out all edge cases before the legislation is viable. All we need to do is allow any person who purchased said software a private cause of action in which they can petition a court to release the code. Then a judge could decide based on the merits of the person's need whether the code should be released or not.
I think that situation exists now, which is the essential root of the problem.
It's too expensive and too unlikely to succeed, but I could sue Chamberlain now arguing that they have breached an implied contract and that the remedy I seek is for them to open-source their code.
I disagree; I believe any lawsuit brought against Chamberlain today would be dismissed for lack of standing. Further, even if it wasn't, I think you would have a very hard time convincing the court that open sourcing their code is a reasonable remedy.
Best case, I think you'd get your purchase price back. I'm not sure how you'd argue that remedy is insufficient, either - hence why my preference is to have the cause of action written into the law we're imagining here. It'd be even better if we can write in that the remedy for a degradation of the service is an open mechanism by which the user has sufficient level of control as to recreate their desired functionality.
Professional escrow is not cheap. The first year, when you have to demonstrate a complete build and 'bring up' process with them the price seems pretty good as it's a lot of work. Funnily they don't seem to offer a multi year deal.
The second year there is much less work but they double the cost. You go along with that as it takes a lot of work on your part to engage a new escrow firm from scratch.
The next year they double it again. It's still demanded by your large corporate customers and you try to pass on the costs but they don't want to pay it.
Yeah open sourcing code sounds nice but that's the pipe dream of the tech literate. A real workable solution would be regulation defining and banning ewaste creation and consumer protection from vendors rug pulling product support. Penalizing deviant practices and incentivizing open industry standards.
That will only work for the code the company owns itself. But they can't open source code they licensed themselves, which means they can easily cheat the law by outsourcing their code.
Also a very good option. Ideally it should trigger immediately once a regression happens and at least 12 months prior to service eol (give users time to migrate)
I'd prefer to have antitrust regulation that stops this bundling of software with hardware from day 1 - ideally applying to both app software, and the embedded software on the device itself. When a product is going end of life, it seems awkward to enforce a requirement on companies and difficult to get traction for a libre development community.
Once the company goes bankrupt there might be no one left to open source the leftovers if that's even legally possible due to NDAs, 3rd party licenses, etc.
Then it should be anticipated. Just like a company is required to pay employees what it owes them before its eventual shutdown, even in case of bankruptcy.
Unless it's security by obscurity, releasing the source code of the entire infrastructure should never result in all systems becoming compromised. So, assuming the API is run over HTTPS with authentication tokens, Chamberlain wouldn't need to (and should under no circumstances) release its SSL certificates' private keys. Instead, the firmware and server infrastructure should be easily modified by the user to point to their own servers (or get rid of intermediate servers and directly be usable on the local network, which is the only good solution anyway).
There are lots of devices these days that rely on cloud infrastructure, like Apple devices, Teslas. It's becoming more devices.
The same for software. Even Microsoft is going fully Cloud. Just had problems activating my MS Office for Mac Business 2019, which I bought in physical. They now require an @outlook.com email address to be able to activate. Otherwise I can't use my "box" software.
They require Microsoft account, not an outlook.com address; though that address is an easy way to get the account. It is used for activation/license management, one nice feature is that you can yank a license on a dead device and use it with your new one.
Outside of activation, it is easy to use MS Office for Mac completely offline -- there's a checkbox for that in preferences. You will lose some marginal functionality, some of which I prefer to be disabled (like generating pdfs of your documents server-side instead of client-side).
Nope, a Microsoft account is not enough. It must be an @outlook.com address, or any registered company/school/university address.
It took me almost 3 days to find the problem. Microsoft changed that and between all "answers" there is only one single thread in the Microsoft forums that had the solution.
What does "any registered company/school/university address" mean?
Some years ago, I activated some Office licenses using my company email; we never did any hosting with O365 or whatever was its predecessor, and at the time, everything went fine. All I had to do was to create live account using that email address.
The error message is along the lines: "You can't sign in here with a personal account. Use your work or school instead".
Which means, that you need to associate your existing account with an @outlook.com address. It seems, that Microsoft changed that requirement somewhere in 2020/2021.
Yes, previously Microsoft account with whatever email address was enough. But they changed that.
I stumbled upon that while upgrading to new hardware, which requires new activation of the Office products.
We are a small company. I don't use pirated software. I like on-premise software over cloud solutions. Adobe and Zoom are the only cloud solutions we use. Zoom is obvious. But I look on how to get rid of Adobe, while Adobe Stock has no real competition as they bought Fotolia, which we used before.
Serious question: did you try pexels? for most of my stock photo needs they are okay (not great but okay), and all pictures are public domain and free of charge.
They don't have stock video tho. :(
I updated it to version 2010. Much much better. Jack Sparrow ahead:)
Just do it. You won't regret it. I also bought office 2016 cheap at some point in time. That's even better. Faster, nicer UI.. just to give you feedback xD
I remember reading about someone who could not brew coffee anymore because the cert on their "smart coffee maker" had expired and the business had gone under.. they discovered that by attempting to use wireshark, of all things, to take a peek. I thought "this moment right here is where people will catch up to it, no way we can go even further".
I highly recommend anyone having problems with this consider trying this free as in speech (and as in beer if you've got soldering skills and an ESP laying around) solution: RatGDO [0]
40 bucks, HA, and about half an hour each (mostly fiddling with the ESP/shield pcb wiring inside the light cover of the opener from the awkward overhead-on-a-ladder position) for me to no-cloud smartify two chamberlain MyQ openers. Special sauce is that the device can MITM the "Security2.0+" signal and emulate the discrete functions of the wired wall remote, not just act as a dry contact relay on the motor.
Result is that separate entities are created not just for the door open(ing)-clos(ing) states, but also for the obstruction sensor and a separate switch to turn the opener's light on or off remotely, all exposed (as MQTT topics) in HA.
I think I have everything needed lying around in spare parts. Know of a guide for install? I tried building something similar years ago but got stuck on the software.
You may actually need a little bit of extra information to replicate a handful of traces (i.e. on breadboard) present on the little PCB that the ratgdo software relies on to interface the espressif to the terminals of your opener.
It's not terribly complicated but for reasons that are polarizing to many in the garage-door-automation society, the author of the software, although leaving the code completely open source is averse to publishing schematics for the PCB board itself, so others have had to step in and reverse engineer these.
It appears that this project has gone from a very minor side hobby to an actual business for the author, and the PCB schematics are pretty much the only IP moat he has, without them he's just providing a very easily (and cheaply) replicated PCB assembly service.
I believe, although I have not verified because I haven't tried this myself, that this site provides both the schematics you need as well as information necessary to Flash the software onto your ESP device.
We have nutriscore labels, excessive sugar labels, "smoking kills" labels...
Why not "This device does not support local cloudless control" and "This device does not allow 3rd party software access" labels too
Garage opener is a 10+ year device, expecting the company/cloud service to survive for that long and still be supported is too optimistic, but local control will still be usable, even if some 'adjustments' are needed.
Even if we assume that's true (I very much have my doubts), this is a totally self-inflicted problem as a result of bad design: there's no reason a garage door opener should rely on a remote server instead of local communication.
You don't even have to go so far as saying they should change the embedded software. Here is the problem:
> The MyQ integration was introduced in Home Assistant 0.39, and it's used by 3.1% of the active installations. Its IoT class is Cloud Polling.
"Cloud Polling", meaning they don't have a way for an API client to register for state change callbacks. I'm sure this is why there is so much traffic - if Home Assistant wants to support triggers based on state changes (eg door opening, turn on home lights), then it needs to repeatedly check the status so that it becomes aware of the change in a timely manner.
(Personally I only buy/use devices with local control, and generally cut them off from Internet access. Just saying though)
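What "Cloud Polling" costs compared with state-change callbacks can be shown with a small model. This is an added illustration, not Home Assistant or myQ code: the door event times are constructed, the door is assumed to start closed, and network latency is ignored.

```python
from bisect import bisect_right

DAY = 24 * 60 * 60

# Constructed door events, in seconds since midnight; each one toggles the door.
# 07:30:15 open, 07:31:30 closed, 17:45:05 open, 17:46:10 closed
EVENTS = [27_015, 27_090, 63_905, 63_970]


def door_state(events, t):
    """0 = closed, 1 = open at time t (events must be sorted)."""
    return bisect_right(events, t) % 2


def poll_day(events, interval, duration=DAY):
    """Client asks the cloud for the door state every `interval` seconds.

    Returns (requests sent, state changes the client noticed,
    worst delay in seconds between a change and the poll that noticed it).
    """
    requests = 0
    observed = 0
    worst_delay = None
    last_state = door_state(events, 0)
    for t in range(interval, duration + 1, interval):
        requests += 1
        state = door_state(events, t)
        if state != last_state:
            observed += 1
            cause = events[bisect_right(events, t) - 1]  # event that produced this state
            delay = t - cause
            worst_delay = delay if worst_delay is None else max(worst_delay, delay)
            last_state = state
    return requests, observed, worst_delay


def push_day(events):
    """Server calls back on every change: one message per event, none missed."""
    return len(events), len(events), 0


if __name__ == "__main__":
    for interval in (30, 60, 300):
        print(f"poll every {interval:>3}s:", poll_day(EVENTS, interval))
    print("push callbacks: ", push_day(EVENTS))
```

Polling every 30 s costs 2880 requests a day to catch four changes; backing off to 5 minutes still costs 288 requests and misses every open/close cycle, because the door is closed again by the next poll.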
If it's not on a remote server, then how would you know when people leave/arrive at their homes? You'd miss out on so much sweet, monetizable personal information. Won't anyone think of corporate profits???
As they themselves admit in that statement: There used to be an official way to integrate locally, but they discontinued it (myQ Home Bridge) and they're hard to find today (inc. huge markups when available).
Perhaps they updated the statement since then, but they're not accusing them of "basically" DDOS: they literally say DDOS now. Which of course prompts the question: is the problem that the CTO doesn't understand what DDOS is, or are they intentionally painting HA as malicious somehow?
TBH, that's better, as that is a problem that could be fixed. Even if we had to switch to a tilt sensor and just retain control, that'd be much better than their approach.
IOW, this real reason is better than their dumb comment about "unauthorized use".
I installed Tailwind for my parents (it’s a little module that plugs into the motorized unit which allows the motorized unit to stay dumb) and it’s been flawless. Good app and good integration with smart services. I haven’t used their Home Assistant integration but I can confirm their local control API works and I see that a HA integration exists. Tailwind is my model for what all smart home stuff should be.
I have one of these garage door openers, and their MyQ software is absolute garbage. I set up Home Assistant specifically to avoid it and now they've gone out of their way to break that.
I'm absolutely pissed - I just called the folks who installed my garage door and explained the situation to them, and recommended that they look for a different brand for anyone that wants wi-fi access in the future.
It's hard to emphasize how different the mindset of the late 2000s Internet is to nowadays.
APIs were more readily available and open. Mashups were usually encouraged, so long as you didn't generate undue stress.
Nowadays it's a million tiny business silos hoarding tediously-obscure-but-still-sometimes-useful data. And you have to prove that what you want to do with the API doesn't infringe on their ability to capitalize on it better.
The irony is that all the data is way more easily accessible from a technical POV now due to the prevalence of SPAs and REST, but the legal environment is significantly more dangerous.
One extra step I’ve learned to follow is to verify if needed, could the hardware be permanently redirected to a local server, and worst case reflashed with a different firmware or it can be redirected to remain local. The latter is sometimes easier if it’s a Tuya based device, which a lot of these unknown devices are.
One of the main things these “smart” devices do is use your internet connection. It’s wise to create a dedicated _IoT suffixed wifi which can’t access your network or devices, but at the same time your other devices can ping them.
How?
This is a pretty solid guide of a home network setup here. It can be running a $50 EdgeRouter X or translated to other devices.
Just a small warning: make sure to check whether your device needs to be added to the Tuya cloud to get a local API key. I was only able to get "my" lamp working locally after registering it via the app and creating a developer account.
Another one on the shame list. You can use the public api, but only if you send your local data through our dogshit online channels, so we can sell it later
I don’t understand how the MyQ app has such a high rating in the App Store. 4.8, 1.5M reviews. It’s so bare bones, no shortcut support, (obviously) no HomeKit, no widget, literally nothing to make the use easier or more convenient.
To make things even worse, first position above your devices is an ad (for their other devices) and it periodically suggests that I connect it to Amazon so some random people delivering packages have the power to enter my home.
There is a button that reliably opens and closes my garage door and it also gives me an accurate door state. So it is a 4 or a 5 for basic users like myself
That’s my suspicion with Philips Hue’s 4.6 rating on the iOS App Store. They’ve got to have gamed the system somehow - it’s not a good app, and their “you need an account now…for reasons” change is unpopular
Yepp, I have some IKEA buttons and they are just Zigbee devices. They also sell lamps etc., mostly Zigbee based from what I remember.
For the Germans (maybe other countries as well): The Lidl smart home things are nearly all Zigbee based. So far no problems with them and they are, IMO, reasonably priced. I somehow trust Lidl more to not burn my house down than random Amazon sellers. They also sell a Zigbee gateway that phones home by default, but can be converted to local only, dumb mode that works fine with Home Assistant [1] with a tiny bit of soldering. I use these exclusively without problems, even the one I rooted for my parents works without any maintenance.
Zigbee in general is great. If you want the more expensive stuff, Philips is the leader in that.
And now that Matter support is slowly trickling in, they should all be fully interoperable. Currently it's touch and go if an Ikea bulb works well with the Hue hub for example.
It’s not the same as MyQ here, but Philips (specifically Hue) recently pulled a similar move around requiring accounts. Thankfully it’s not as big of a deal for the HA crowd because the lights can be controlled directly via zigbee, but it certainly caused a kerfuffle in their ecosystem.
I'm not clear if people are really replacing a physical something here, but if you have an old smart home device which sucks, be sure to put it up on online marketplaces.
List it cheap along with a warts and all discussion of its problems. Means less waste as there's always someone who'll want it, people who are looking for the product hear about the limits upfront, and the company actually gets a real loss from you leaving (assuming it sells to someone who might have bought a new one).
Plus it's fun to try to convince enquirers why they shouldn't buy your item
Honestly smart features in large/permanent appliances is something I explicitly avoid these days. The majority of smart home products I’ve bought over the last ten years have been somewhat disappointing if not outright rage inducing. I don’t want that in something that is difficult or expensive to replace.
I sort of have to assume in the case of large appliances that the manufacturer will drop support for it well before I want to replace it, and that if there is any sort of functionality fully gated behind an app, that it will become unusable to me at some point when I reset my phone and discover they’ve unpublished the app from the store.
I’d much rather buy a dumb garage door opener and bolt on that ratgdo device mentioned in this post, than be beholden to the manufacturer’s whims and invariably godawful garbage horrible no-good app.
Once they broke Google Assistant integration, I decided to replace them and never use any of their products again. I use a lot of connected devices and this is the only company that has gone backwards in terms of interop over time.
I usually check up compatibility with Home Assistant and if the service is cloud or if it can work locally. If both check, they have a new customer, otherwise, there are plenty of brands and products out there.
Protest with your wallet, buy from others, the sooner the hardware companies realize this is a stupid move (locking down), the sooner we'll have better integrations.
Having been impacted by something similar (company changing their cloud and breaking my HA integration), I think that when companies do this, the least they could do is offer refunds/buy-back to impacted customers.
In my case, I bought a slightly-inferior product specifically for its HA integration; now that it's broken it's just an inferior product...
I built my own HA integration with a tilt sensor and a relay to trigger the button. I have a camera on the door, I wonder if I can use that to validate the switch.
I normally leave it disconnected from the switch because I don’t need to open the door remotely and I am afraid that some exploit will have a Russian 13 year old opening and closing my door at 4am.
I have my Home Assistant completely local, if I need to access it from outside, I open Wireguard VPN to my local network and do my business in Hassio locally.
They never technically allowed it in the first place.
Homebridge and Home Assistant used a popular Python library that reverse-engineered the MyQ API from the Android app. Many companies couldn't care less until abuse ramps up, but given that Chamberlain (Blackstone-owned) has gone into rent-seeking mode all of a sudden (or an incident happened that they won't disclose but prompted them to take a hard look at this), they decided to turn the Cloudflare Super Bot Fight stuff way the hell up on their OIDC token exchange endpoint (you can still request auth codes).
I decided to abandon trying to get MyQ to work with Home Assistant (it would have required hours of trying to figure out what combination of headers would have passed the CF checkpoint) and ended up getting a Meross Smart Opener. It was shockingly easy to install (plug the relay device into the same pinouts that your wall door opener uses) and works even better than MyQ (in that you won't get a weird "close error" that prevents you from operating your door that not even MyQ customer service will clear)
---
I still use and recommend MyQ, however. The Amazon Key and Tesla integrations work great. If they had previously allowed API access but then rescinded it in favor of "providing a better experience" like Reddit is doing, then I'd feel differently. In this case, however, it feels like we took advantage of a backdoor for a long time and the club decided to finally put a lock on it. Shitty, but reasonable.
The next big one to watch out for is Ring.
Ring does not (will not?) support HomeKit. Lots of folks (myself included) have resorted to using Homebridge or Home Assistant as an alternative.
Both are using a library that reverse-engineered Ring's API (though Ring engineers supposedly contributed to it).
While the Homebridge plugin simply exposes device statuses and metrics and RTSP feeds for the cameras, Koush's scrypted NVR platform enables HomeKit Secure Recording for the cameras, which allows more adventurous users to skip paying for Ring Protect ($10/mo)
While I get a lot of value from Ring Protect and will continue to pay it, I really hope Ring doesn't decide to "improve the user experience" for us like Chamberlain did. I'd be really sad if that happens, since HomeKit is amazing and is much better than having a million apps on my phone that don't talk to each other.
> Many companies couldn't care less until abuse ramps up
I think "abuse" is the wrong word here. I'm just trying to automate my garage door. If there was a way to do that over my local network, without touching their servers, then they'd never see any traffic from me.
I sometimes wonder if Tesla nerfed the homelink functionality in the car just to encourage people to pay monthly for the MyQ software solution. I gave up trying to get my Model 3 to open/close the door automatically for me because the range is just abysmal. Went back to using a push button remote on the visor that will open the door from half a block away.
wouldn't be surprised. that said, I have the homelink integration, and MyQ works much better for us because of where our garage is relative to our driveway.
Not at all surprising to me. Recently I got 3 new LiftMaster garage door openers with the built in cameras. Over the course of a few months the HomeLink connection to the box supplied remotes stopped working, never worked syncing to (multiple) HomeLink transmitters in vehicles, and the installer cited "supply chain issues" when I wanted a replacement. The only thing that worked was the MyQ app which was less good than just pushing the button. And of course the video for the cameras only worked with a damn SUBSCRIPTION after 30 days with no way to integrate them with a networked DVR system.
Just one of the most awful customer hostile products I've ever wasted money on.
I'm in the market for a garage door opener, incidentally. This narrows down my options, so glad I hadn't bought one yet - there's a chance I might have ended up with a Chamberlain if I had. Out of the question now!
ratgdo looks really nice! I've been controlling my garage door via dry contact on my Elk security system [1] and monitoring the door status via a separate rolling door reed sensor. [2] But from following the ratgdo link, I learned that my "Security+ 1.0" garage door opener has a RS-232 interface with a protocol that will tell you about door status and obstructions. That's better!
I just clicked ratgdo's buy link to support the nice, well-documented open-source [3] project. In truth though I have the right hardware sitting around here already, so I might just use that depending on how long the "back ordered" status lasts...
[1] There's a Home Assistant integration for the Elk M1 Gold with some Python library; I also have my own WIP Rust library for interacting with it here: <https://github.com/scottlamb/elkm1>
I wonder if there is a device that just taps into the open/close wires, with a sensor that will optically detect the distance along the track of the highest roller of the door, and attaches magnetically to the track. This solution would have first-class home assistant support and work across all door openers.
Why hasn't a non-crappy iot/smart hardware line and ecosystem emerged after years and years of "internet of shit" catastrophes such as this one? So many angry users are a market ripe for capturing, aren't they? Or maybe there aren't as many angry ones as it seems, and it's just a small portion of power users?
It is exactly this. Average Joe just downloads the MyQ app for remote control. Or uses Wyze, or Tapo, Kasa, etc, for whatever they buy. The number of people trying to get everything integrated into a single environment like Home Assistant is low. Which makes sense, because HA is a pain in the ass if you're not already technically inclined. Regular folks just don't have any appetite to deal with that.
ZWave. It's a closed system, with hardware licensing, all that stuff. But it offers local control, at all times, exclusively. Zigbee is the fully-open version, but as such it's not a "hardware line" like ZWave is.
LOL. I have Chamberlain garage doors, and paid $30 for an Athom ESPhome preflash kit that includes a box, power supply and reed switches. Works great.
If there's one thing I'm dedicated to now, it's that all of these custom cloud IoT things are transient user hostile junk. If it's not open source and in my control, then it's not mine.
I’m recently in the market for a garage door opener I can automate (specifically close automatically after X time open) - does anyone have recommendations or is ratgdo the way to go?
Also I understand one of the reasons this isn’t a standard offering is because garage openers have a hard time not crushing things? Kind of surprised me.
I had a Z-Wave garage door opener which was wired to my old garage door opener's button switch port. The old unit's logic board started having issues, so I went ahead and replaced it with a cheap Chamberlain. I got the most basic unit thinking the one-button opener would be a basic switch style like old, but alas it is still some kind of serial connection. The Z-Wave controller can't effectively signal to it, but since it has a basic tilt sensor it can at least open the door state.
I'm thinking I'll just get a cheap garage door opener remote, solder the trigger pin to the button on the remote, and tape that to the ceiling next to the z-wave controller. Janky, but at least I'll be able to get it functional again to send the command.
I had it working with home assistant for a week before they pulled support.
Honestly I was always bothered that it used a cloud API at all. The device is right there in my house, on my own wifi. Why should it even phone home if I don't need it to?
They can lock you out of the API, but they can't stop you from installing hardwired devices that simulate a press of the open/close button.
I just chucked my MyQ device and replaced it with a Meross MSG100HK--it works perfectly and natively with HomeKit--no cloud service required. Incidentally, the latency is much lower too.
The device is basically a wifi-enabled, USB powered "dry contact" switch. You connect the pigtail in parallel with your existing wired open/close button. There's also a magnetic sensor (similar to what old door alarms used) that goes near the door to verify it has closed.
That Meross opener is rock solid. I've had one for almost two years now controlling two doors. Even with a marginal wifi signal it always just works.
Homebridge + HomeKit is also an excellent middle ground between Home Assistant and HomeKit alone w/o having to go with some cloud-based solution.
For example, I wanted my garage door to automatically open and close as I leave and arrive in my car. Here's how I did that.
I have a pair of dummy switches in Homebridge. One of those tracks the state of whether my phone is in CarPlay mode or not. I do this with a Siri Shortcut on my phone that toggles the "CarPlay status" dummy switch when my phone enters/exits CarPlay mode. The second dummy switch triggers my garage door to open/close whenever the dummy switch turns on/off. This is a work-around for the opener itself being a secure accessory which HomeKit won't operate w/o the phone being unlocked. The last piece of the puzzle is a HomeKit location-based automation: if my phone leaves my home location and the "CarPlay status" dummy switch is on, then set the garage door dummy switch to off; if my phone enters my home location and the "CarPlay status" dummy switch is on, then set the garage door dummy switch to on.
I drew the home location as tight as possible around my home. The door opens just as I'm pulling up to my home and I see it close just as I'm leaving.
As to why I don't just use the CarPlay garage door button: I mean, why automate anything? Also, if you have multiple garage doors, there seems to be no rhyme or reason to which door CarPlay gives you the button for.
As to why I don't just use the button on my rear view mirror: Again, why automate anything? My mirror also has 3 buttons and it's easy to accidentally press the wrong one.
I don’t understand why I can say if my garage door is open longer than 10 minutes between these hours close the door. If someone leaves it open overnight. Or during the working day.
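The rule this comment asks for (close the door once it has been open longer than a set time, but only inside a time-of-day window), worked through as an added example; it is not code from the thread or from any product mentioned here. `DoorSnapshot`, `auto_close_decision` and the reason strings are assumed names, and the door state is constructed input rather than a real integration's API. The window check handles ranges that wrap past midnight, and the decision refuses to close on stale or obstructed readings.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional, Tuple


@dataclass(frozen=True)
class DoorSnapshot:
    """Constructed door reading; field names are assumptions for this example."""
    is_open: bool
    opened_at: Optional[datetime]         # when the door last left the closed state
    obstructed: bool = False              # obstruction status, if the controller reports one
    state_age: timedelta = timedelta(0)   # how old this reading is


def in_window(now: time, start: time, end: time) -> bool:
    """True if `now` is inside [start, end), including windows that wrap past midnight."""
    if start == end:
        return True                       # equal bounds are treated as "all day"
    if start < end:
        return start <= now < end         # same-day window, e.g. 09:00-17:00
    return now >= start or now < end      # overnight window, e.g. 22:00-06:00


def auto_close_decision(
    door: DoorSnapshot,
    now: datetime,
    max_open: timedelta,
    window_start: time,
    window_end: time,
    max_state_age: timedelta = timedelta(minutes=2),
) -> Tuple[bool, str]:
    """Return (should_close, reason). Every uncertain case resolves to 'do nothing'."""
    if door.state_age > max_state_age:
        return False, "stale-state"       # never act on a reading we cannot trust
    if not door.is_open:
        return False, "already-closed"
    if door.opened_at is None:
        return False, "unknown-open-time"
    if door.obstructed:
        return False, "obstructed"        # do not drive the door onto something
    if not in_window(now.time(), window_start, window_end):
        return False, "outside-window"
    if now - door.opened_at < max_open:
        return False, "not-open-long-enough"
    return True, "close"


if __name__ == "__main__":
    # Constructed sample: door left open at 23:40, checked at 00:05, overnight window.
    door = DoorSnapshot(is_open=True, opened_at=datetime(2024, 1, 1, 23, 40))
    print(auto_close_decision(door, datetime(2024, 1, 2, 0, 5),
                              timedelta(minutes=10), time(22, 0), time(6, 0)))
```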
I don't have an automated garage door opener. The only "garage" is as old as our historic house, and is a glorified shed. I would never put a car I cared about in it.
That said, I _do_ have an automated gate controller. The installer wanted some insane amount to connect it to wifi. Politely no. An esp32, a couple of relays, some reading in the installation manual about control circuits and a bit of custom code... And now the gate is on local wifi, easily integrated with HA, and nothing opaque about it.
Do garage door openers have the same sort of control circuits?
Of all the IoT contraptions and ecosystems, I hate garage door openers the most. My opener came with some sort of goofy base unit where you can hit the "close door" button and it'll sound an alarm, trigger close, and then the happy little LED shows you that it is indeed, closed.
My solution, after looking into every off-the-shelf option, was to take an esp32 running esp32home + Home Assistant and hot wire it to buttons and status LEDs on a remote + base unit and stick it on the shelf in the garage. It's not pretty, but it works reliably.
That's why all of my installed IoT devices are either custom-firmwared or can be as well as configured to be not "dialing home" to some nosey data collection and aggregation center.
Chamberlain... Which security level do you want? 7, 8, 9, 10, or 11 bits?
Not sure how the situation is today, but the ones I'm referring to can be brute-forced in a matter of minutes.
I wish I had known about ratgdo a few months ago. I spent a month trying to get a Meross smart garage door opener add on to work with the chamberlain that was already in my home, only to realize that the button was using some kind of obfuscated signaling, not just connecting the circuit. I ended up soldering a pair of wires to the button on the board in the button unit, and then connected my smart home stuff to those wires; worked like a champ. F** you Chamberlain; try blocking that.
They call out ratgdo for its ability to speak the protocol and be a full replacement. But I cannot find an installation video to see how to keep my existing button (with its screen and controls) while also installing this. Does anyone have better documentation?
I’ve already soldered contacts to a garage door opener to a relay with esphome. That works well, but doesn’t give me as much info as theirs does. I also am at risk of the battery dying.
Is this "myQ ecosystem" the only way to interact with these garage doors? i.e. is there no way to communicate with them without involving the manufacturer's server?
Sort-of: the newer ones require the physical button to speak the same rolling code protocol the remotes do. So, yes: but you have to modify a real door opener. ratgdo has the advantage that it pretends to be said door opener.
My garage doors (purchased within the last year) have "regular" buttons / car remotes to open them, myQ was 100% optional. I basically use it as a way to alert me when the garage door opens (someone just came home, amazon is doing that semi-weird in-garage delivery thing, etc)
You would think a company would like to negotiate and be seen by a community as a positive company. I would not buy a product from them on principle after their statement. myQ could have engaged the home assistant maintainer and worked out, less API calls or something.
On a side note, I do love my home assistant, but ANYTHING that has to do with entry into my house is not and will not be automated, garage doors, door locks, etc. However that is my personal paranoia talking.
Why even buy a product like this anyway? Aren't there plenty of "dumb" smart garage door openers?
Aren't there plenty of great stand alone garage door openers that you can wire a smart relay or whatever into?
From what I can see there are plenty of "wifi garage door adaptor" options and everything looks to have pretty standard wiring, it's only not "plug and play" cause it's bare wires rather than plugs but it's essentially the same.
It's more like 'why not?'. It's still a dumb opener with a physical button and wireless remotes, and all the same third-party tricks work the same.
A nice thing about tight integration is that you don't need a bunch of extra wiring and a kludge to figure out door status. Minor annoyance, but real.
In any case, I'd wager a fair number of the people complaining about this don't even have the newer 'smart' openers, they have the original MyQ Internet Gateway or the newer MyQ Home Bridge. Liftmasters have been a very popular opener for decades.
Chamberlain Group products now officially on my blacklist. They join the ranks of Rivian, Tesla, any QVC marketed product, and social media (IG, FB, TT, …) marketed junk.
Could there be a suit against them over this? I bought one explicitly for home automation, and it seems them disabling it turns that into some sort of false advertising
I use HomeBridge but have also been noticing connectivity issues recently. Just ordered two of those Ratgdo devices, thanks. Sounds like a better solution anyway.
There's a key point on the data-mining-cloud-only route Chamberlain is taking: they were acquired by Blackstone a couple years ago [1], so not "family owned" anymore [2].
No doubt they want to exploit that data and begin integration with all their shady Real Estate business [3].
Their new CTO/Executive VP says in one of their PR news: "With Blackstone’s partnership, we will capitalize on new market opportunities". And a Senior Management Director says "...unique opportunity to build on its leadership position at the center of housing and e-commerce megatrends (...) expansion into connected homes, businesses and communities" [4].
Very alarming in times that big owners are trying also to force biometric data collection in their buildings (see Atlantic Plaza Towers) or are blindly giving information to agencies (see Amazon Ring cameras and the likes).
Now, the rant:
Of course, with one hand the CEO is donating to buy his name in institutions: "There is a Stephen Schwarzman building at the New York Public Library, a Schwarzman centre at Yale University and the Schwarzman College of Computing in Massachusetts. Soon, the University of Oxford will open the Schwarzman Centre for the Humanities, funded by the largest single donation it has ever received." [5] and the other is receiving billions from universities like UC to speculate in real estate [6].
One would say it's curious how Schwarzman creates a huge publicity stunt with "biggest single donation 'since the Renaissance'" (£150m) [7], but why would it be important to donate to Oxford, when they have almost £8b in endowments... [8]
it's not even anything fancy where you could argue that continuous software updates need to be done or similar
also pass a law that all smart home devices had to go through a hub, no direct internet connection allowed, uh put it under "reducing DDOS potential due to long term issues with internet connected smart home device security"
I fully agree, this is the reason I mostly buy Zigbee devices for my smart home. The problem with this rule is that there is already a device on the market that complies with it on paper, but not how you intended: Amazon Echo devices act as Zigbee gateways. While I never tried it, I bet it will not turn on your lights without calling the mothership.
If this rule were to become reality, vendors would just sell you their "mandatory" hubs that handle the calling home part. Smaller vendors would no longer be able to offer their ESP based devices, even though I can easily decloud them via ESPHome etc, if even necessary.
From a purely idealistic PoV, I guess the only way we achieve ownership as you described is if we require by law, with proper enforcement, that reasonable technical people are able to connect to the device on a local interface. But this has so many weasel words already, it would be ineffective and/or lead to regulatory capture ("implement this 600 page, 200$ ISO standard based on XML, don't mind the proprietary extensions ensuring no interop!").
For me, the way to have some degree of ownership of my smart home is doing research before buying to ensure the device either runs on Zigbee, has a local network interface and does not rely on the cloud even for initial configuration or can be flashed with Tasmota or ESPHome with minimal fuss. I don't see this changing any time soon. It is sad that you need to have the knowledge and time to be able to "own" your smart home, but I at least can help my "tech support circle" where possible to make informed decisions.
I use (or used, I mostly have Lightwave switches instead of zigbee bulbs now) one of my Echo devices as a gateway, and sure it will call the mothership, but I really don't care about that as long as the switches and other devices themselves still work if/when I decide to tear out the Echos. To me they're not a problem, as long as they speak open protocols.
I think that part is more important than demanding a hub. Demanding that the device can connect to a local hub (where "can" means "can easily be reconfigured without going through the original manufacturer or requiring expensive tools"...) speaking open protocols (and specify clearly what "open protocol" means, to avoid your 600 page, 200$ ISO standard) is more important than requiring that they must connect to a local hub. Also necessary to specify that you can carry out all the functions of the device via open protocols, or you'll get bullshit where essentials get locked away.
Personally, I don't care if I have proprietary smart home devices. I do care that the maximum cost and hassle if a manufacturer goes "rogue" like in this linked article remains low. So each proprietary device in current use reduces my willingness to get another one. Currently, all of my devices can be controlled via open source, and though some of them (some cheap Govee led strips) do call home, there are open source to talk to them, and worst case I can literally cut them off with a pair of scissors and replace the controllers for a pittance if they ever become a nuisance, and that makes them an acceptable choice (though whenever there are multiple options I will look for the more open one).
> If this rule were to become reality, vendors would just sell you their "mandatory" hubs that handle the calling home part. Smaller vendors would no longer be able to offer their ESP based devices, even though I can easily decloud them via ESPHome etc, if even necessary.
No, what should become the reality is that only HARDWARE vendors that make a living off the hardware and some corollary service will have the incentives to be on the market, instead of the behemoths like Amazon or Google that just want to harvest your data with mostly loss leader products.
Yeah, I agree that this is what SHOULD happen. But I am far too cynical at this point to believe it WILL happen.
In our current system I see two ways to try to make this reality: 1) economic factors and 2) regulation. 1) will not happen, because the data is worth enough to big players that a small competitor can not compete on the hardware/software/service margins alone. You need to become as big and integrated as the current players to be able to offer similar features and prices. Sure, it is more choice, but the option is just as bad.
2) will not happen due to regulatory capture problems as I already stated. A big player can shoulder the burden of compliance easier than a small shop. Maybe, just maybe, there is hope if anti-trust actions split up the existing big players, but I am not holding my breath.
The third way, one small group of indomitable Gauls^Wnerds still holds out against the invaders, is what we currently have and what offers a little bit of hope to me. But I fear this will never become the norm.
> also pass a law that all smart home devices had to go through a hub, no direct internet connection allowed, uh put it under "reducing DDOS potential due to long term issues with internet connected smart home device security"
Assuming no authentication/encryption/intentional obfuscation shenanigans (which would need to be covered), I don't really care if it is forced to go through a local hub if only they were required to provide an easy mechanism for pointing the device at a local network endpoint.
The problem is it's routed through a central server.
> all smart home devices had to go through a hub
I think ultimately this is the only way to get it to even work properly, let alone last long enough that the next purchaser of a smart home can use it reliably. But it will also slow innovation and Big Tech will hate it.
Sigh. I'm otherwise perfectly happy with my Liftmaster openers. As long as HomeKit continues to work (and it should; I don't allow the bridge access to the Internet), I'm still happy. I did buy a ratgdo device as a backup, however. And when I buy new openers at some point off in the future, Chamberlain is off the list.
I have a MyQ on my door. Just use the basic app that came with it and like the notifications / door status.
Reading this is the first I've learned about ads in the app (sure enough, I looked and they are there now). This annoys me greatly as if the device bought and paid for isn't enough, so now they get to serve up ads...
I bought a few smart switches and haven't implemented anything with them yet. Part of it is because I don't want to actually deploy these things and then be stuck with some crappy proprietary app. Home Assistant looks pretty cool in that regard.
Are there device brands that are more adequate for Home Assistant?
The solution seems pretty clear - buy a 3rd party opener OR use a different vendor that does play nice.
I have a meross garage door opener that uses homelink (a standard that virtually every garage door opener supports) to open/close the garage door with a sensor on the top of the door to detect when it's open and closed. It was $49. That's cheaper than myQ addons for chamberlain. It works with google home, ifttt and home assistant. (I have reminders set if the door is open for more than X minutes and if it is still open after a certain time of day).
Having to have "yet another app" (myQ) installed just to use a garage door is pretty ridiculous - if you're a power user you should understand the folly of using unofficial integrations and as an unofficial integration provider you should know you're walking on ice.
A garage door opener can be activated from the inside with a momentary pushbutton switch. It should be trivially easy to have a Raspberry Pi or similar wired in parallel, and have that running some code to enable remote operation by an app or service.
Now my setup of a Wemos D1 Mini with a relay to simulate a button press on the dumb wall mounted opener of my Chamberlain system doesn’t seem so bad. Even have sensors at either end of the track to tell the state of the door (open, closed, neither open nor closed but possibly anywhere).
https://paulwieland.github.io/ratgdo/ is a home assistant compatible board that emulates a garage door opener. It adds local control and is easy to set up.
I surmise part of the reason they did this is to protect revenue from "authorized" partners. I'm sure these partners are not happy paying money to Chamberlain so their customers have access to myQ while other unauthorized partners get free access.
I never bothered with the myQ bit and instead sacrificed one of the garage door opener remotes by wiring the button up to a relay (z-wave by Zooz) that I zip tied to the scaffold. It's worked great for the past 4 years in Home Assistant.
A gentle reminder that the Security+ and Security+ 2.0 RF protocols have been reverse engineered (https://github.com/argilo/secplus). While they are not the most secure thing in the world, you can build a custom RF transmitter (remote) that is network connected.
Having done some research into Chamberlain's products, I don't recommend anyone to use them if they have the choice.
I own a MyQ garage door opener and this is infuriating. We would be so much further along in home automation if companies were mandated to produce interoperable devices. Every appliance should expose its controls, events, and state in a standardized manner.
I don't know what such a mandate would look like. I just know that we're at least a decade behind where we should be because the market isn't getting it done.
Here's the solution for my hardware hacker homies. Buy a regular garage door remote, and wire it to an ESP8266. I'm going to do this for a cloud-free solution.
I've had nothing but bad experiences with Chamberlain in IoT integration discussions. I have since replaced all garage door openers I own with Genie/OHD.
Burglar App:- Drive up, open door, drive in, close door, load up, open door, drive out, close door = clean getaway. Advertise to burglars at top of screen....
But they're just actuated by radio signaling with some standard protocols, right? I mean, I don't have a garage and in this city probably never will, but my car still came from the factory with garage-door controls built into the rear-view mirror. I assume it would take a bit of configuration to work with any given receiver, but I also infer it would work with most, otherwise they wouldn't have built it that way.
Is it hard to find an "IR blaster" equivalent for this kind of signaling? I'm just bewildered to understand why someone with the focus on self-hosted infrastructure that Home Assistant implies can still end up in a position where a third-party API restriction can pose a problem in controlling a locally installed device.
Ugh. Maybe I'm not too sorry not to have a garage - the workshop space would be nice, but a basement suffices, and at least parking where I do I can trust the street won't stop working.
1. My wife can check that we didn't forget to close it instead of driving 20 minutes back home to quell her nerves.
2. We can let a friend or neighbor into the garage (or into the house if we use the smart lock on the door inside the garage) when we're not home. Without giving permanent access to a key or PIN code.
My chamberlain remote pad opener from like 2012 has “burner” codes that operate a certain number of times, down to a single use. I have one programmed if I need to let someone in.
> 1. My wife can check that we didn't forget to close it instead of driving 20 minutes back home to quell her nerves.
Seems like a bit of an ill-adaptation. I used to want a smart door lock for exactly this reason, but instead I learned to be mindful when I close my dumb door...
To allow remote control. Of course this is silly and the real answer is to make you dependent on their app which shows you ads.
Also many smaller smart home device manufacturers with an app seem to be heading in the direction of wanting to expand into other smart home devices and lock you into their proprietary ecosystem, while the rest of the industry simultaneously seems to move towards more interoperability via things like the Matter protocol, presumably to make it easier to interact with various voice assistants without requiring an individual gateway for each one.
This is just another reason to distrust any smart home device that doesn't support ZigBee, Matter, or a similar purpose-built local protocol.
Maybe so people will get alarmed when the garage opens, while they are not at home? Or for them to open the garage remotely for deliveries, workers or visitors. Does this system support this?
"Dry contact" is what a button does—connect two leads together when it's being pressed, otherwise not. Older garage doors simply have a pair of wires for this that gets run to where you mount the button on the wall. You can just splice into that and have the microcontroller connect them when it wants to open/close.
I thought all garage doors had this, but from ratgdo's website I learned that the newer Security+ 2.0 ones don't. Possibly as part of the same money grab to prevent local/third-party; paulgerhardt's comment nicely explains the motivation for that. [1]
Of all the options we have, the RatGDO is the only one that taps into the serial connection to the Garage Door and circumvents the "security+" marketing gimmick. With it you get access to all the door metrics/controls. Door State, Door Position, Wireless Remote Lock/Unlock, Obstruction Status, Light Status. So you don't need any extra sensors and wires dangling around.
To each their own. The other options seem to work great for most people. But RatGDO will work best for me (And they arrive tomorrow. Stoked). I want to know exactly when my door starts to open. Not 10 seconds later when the tilt or reed sensors are triggered, because I want my exterior lights to come on immediately and voice notifications to not be delayed. Also I want to lock my wireless remotes out at night and when I'm away because my wife uses her garage for projects and parks outside with her remote in the car. Lastly I want something that appears the least messy.
My only minor concern is Chamberlain would somehow try and gimp this solution with a firmware update. My initial thoughts were that they would probably break the wall buttons in everyone's homes. I still don't believe they have the ability to update the wall button firmware to work with any changes to the software in the motor. Everyone started echoing that after I made an assumption about it, but I'm not 100% certain if it's the case or not. Alas it doesn't matter because I'm disconnecting my doors themselves from wifi, unpairing them from MyQ and deleting my account once my RatGDOs are wired up.
I can easily see the status of my garage door (open or closed) from anywhere. Solves the problem of "Did I forget to close the garage door?" (and the number of times the answer to that question is "Yes" is > 0).
I can open the door from anywhere to let someone in if they've forgotten their keys (times I've done this is > 0).
I can enter the house through the garage if I've forgotten my keys (times I've done this is > 0).
I have given access to my house to a houseguest without giving them a set of keys to my house; I easily revoked this access when they left.
This move by Chamberlain screams malice in order to squeeze more profits out of their platform. Either they come out with homekit integration for their existing hub or I'm ripping them out in favor of something like meross.
> Our customers rely on us to make access simple without sacrificing quality and reliability. Unauthorized app integrations, stemming from only 0.2% of myQ users, previously accounted for more than half of the traffic to and from the myQ system, and at times constituted a substantial DDOS event that consumed high quantities of resources.
Yeah, that sounds plausible, because:
- Home Assistant users are power users, thus more likely to actually use the devices in question;
- Official IoT software and integrations are uniformly shit, designed to discourage effective use (while maximizing data collection).
Thus, I read this statement as: "We're not happy that some of our customers decided to actually use the 'smart'/'connected' aspects of our product; our service-providing part was not ready to provide the service, and unlike the data collection part, it was never intended to."
The main reason why HA accounted for so many requests is probably because it was a polling integration, requesting data every 30 seconds from the server, while the official app either had push events when something changes, or it updated state when the app gets opened.
Why not... just allow HA to receive callback events at that point when things change? I feel like this has an easy resolve that doesn't piss off your power user customers, and makes them encourage others to invest in your products, i.e. power users, and they'll come back because despite being a little extra engineering effort, they were glad you thought of them.
Why not simply allow HA to integrate on site rather than to have to go through some crappy service that likely will not last the lifetime of the doors in the first place?
That's also a good question, one reason I'd be okay with having callbacks is if your software that handles what to do is on a server somewhere else entirely, maybe you own multiple homes and don't want to run several on-premise servers when one could do, I'm also thinking of more than just whatever HA is doing and whatever a power user might do.
I bought MyQ's Homekit bridge to allow local integration with Home Assistant. It was a bit of a pain to set up initially, and it's stupid that I have a separate device when the openers themselves support wifi natively, but it's been rock-solid.
You know that "bit of a pain to set up initially" you mentioned? Yeah, I've had to do that repeatedly because its little pea-brain forgets every few months. It's been anything but rock-solid for me. I just gave up on it.
I initially bought the bridge because I thought a wireless relay spliced into the hardwired door switch would be too much trouble, so I'll spend a little and save some time. Boy, was I wrong.
I had a version of your experience, but it resolved magically. No idea why. I originally set up the integration, and it worked. Then I completely rebuilt HA at one point and had to redo the bridge config, and it just refused. All sorts of errors, it just refused to even see the doors. Frustrated, I chucked the device in my closet and forgot about it for a while.
Then a few months later I decided to try again and be very careful and deliberate, and ... it worked. Just like it was supposed to. Sigh. No idea what incantation I did right, but now it has been working for several years without a hitch.
I did recently buy a ratgdo (well, ordered it at least, it hasn't arrived). That's my backup plan if the Home Bridge decides to go tits up.
I've been lucky, I guess. After I got it set up, it's just worked—even across various configuration changes I've made to Home Assistant and my network infrastructure.
I'm not saying owners should be completely barred from modifying their systems but there are security implications to bypassing their centralized / cloud-based authentication.
It'd be possible for a knows-enough-to-be-dangerous customer to modify their system in such a way that they unwittingly allow unauthenticated local access. From my point of view, Chamberlain/MyQ should be totally indemnified in such scenarios but I'm not sure how murky the legalities would be in terms of getting judges/juries to accept "caveat emptor".
EDIT: Maybe there's a way to ensure customers have signed an indemnification agreement before unlocking local API access? I guess there'd also need to be a way to ensure/promote a factory reset if/when ownership/rentalship changes.
It happens all the time, no tech required, any time someone is foreclosed on.
I agree it's wiser to avoid such situations but a lot of people end up delegating this kind of responsibility. If enough of them end up burning their own fingers, that could go badly for a provider. Even if frivolous lawsuits weren't a thing, a spate of ignorant but angry social media posts could be very damaging.
Again, I'm not saying I necessarily have a solution or that hardware owners should have hurdles placed in their way. I'm just pointing out that in some ways the provider may be damned in one way if they do and damned in another way if they don't.
I suppose the IoT sub-sector will end up in similar proportions to other, older tech: Some vendors, analogous to e.g., Red Hat or Linode, will specialize in catering to enthusiasts / power-users and have fairly noncommittal / at-your-own-risk / no-warranty license agreements. However, if the past is any indication, most people will end up doing a lot of business in walled-garden analogs of Apple or Facebook.
That makes sense to me but I'm not sure your average judge/juror would see it so simply--especially given that in most cases it'd be a lot easier to tell if/when a deadbolt has been modified.
Good suggestion, but where and how does HA receive callbacks? I would guess that almost all HA instances are behind residential LANs and most aren't accessible on the public internet. You could use dynamic DNS and forward ports, but that's flaky, you might run into CGNAT, etc. And anyway, it's best if your HA instance isn't publicly addressable; mine is only accessible over my personal WireGuard VPN and I intend to keep it that way.
I'm sure this is a solvable and solved problem, but I do believe it is non-trivial, and potentially a major headache for a company to implement just to support a tiny niche of users. I'd be delighted to find out I'm wrong though!
And, unfortunately, the business case isn't there, since this weakens lock-in effects. I don't endorse this reason—that's why I run my own HA instance and don't buy or use any products that require the cloud or otherwise can't be operated entirely locally (including flashing Valetudo to my robot vacuum!).
If you pay for the Home Assistant cloud subscription (built into HA, ~5 USD/mo) they can provision custom callback URLs for you so you don’t have to expose your HA instance. I have this set up for certain integrations such as Samsung Smart Things.
It’s not a perfect solution since it costs money but it’s a nice alternative to exposing your HA instance or some other front end proxy to the internet.
Unfortunately it's not actually that different in effect -- Nabu Casa proxy the encrypted TCP connection, rather than terminating TLS and proxying HTTP, which is great for privacy but not so much for providing an extra layer of security on top of HA itself.
It is also much easier for those without easy access to extra static IP addresses. Given the target audience I think it's probably the right approach.
I don't think it's entirely devoid of security improvements---you need to know the webhook address in order to get access to talk to a HA instance which would be a lot more difficult than just port scanning for an open (perhaps unpatched) HA instance on the open internet. I would still prefer it though if things would expose a local API or speak MQTT however.
Open a TCP connection from the instance to the cloud service. I don't know about all consumer routers, but I just checked mine and the default TCP established timeout is 7440 seconds. Idle timeouts are supposed to be at least 2 hours.
If you served the entire US (130 million households) and had a 1 hour keepalive, that's only 36k packets per second, which is nothing.
You could also auto-train the idle timeout by using a pair of TCP connections. One uses a known good value while the other probes upwards until it finds its connections start getting closed (with some optional binary search fanciness), feeding new known good values back to the first.
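The probing scheme from the comment above, sketched as an added example (not part of the original thread). The router is simulated, and `SimulatedNat`, `train_keepalive` and `keepalive_rate` are hypothetical names; the 7440-second timeout and the 130 million households at a 1 hour keepalive are the figures quoted in the thread.

```python
"""Auto-train a keepalive interval against an unknown NAT idle timeout."""


class SimulatedNat:
    """Constructed stand-in for a home router.

    It forgets a TCP mapping that has been idle for idle_timeout_s or longer.
    """

    def __init__(self, idle_timeout_s):
        self.idle_timeout_s = idle_timeout_s
        self.probes = 0  # number of probe connections spent so far

    def survives(self, idle_s):
        """Probe connection: stay silent for idle_s, then test the mapping."""
        self.probes += 1
        return idle_s < self.idle_timeout_s


def train_keepalive(survives, known_good_s, ceiling_s, resolution_s=60):
    """Return the longest idle interval found to survive, within resolution_s.

    The primary connection keeps sending keepalives every known_good_s while
    the second connection runs these probes, so a failed probe never costs
    the device its command channel.
    """
    if not survives(known_good_s):
        raise ValueError("starting interval is already too long")
    good, bad = known_good_s, None

    # Phase 1: probe upwards by doubling until a probe dies or the ceiling is hit.
    while bad is None and good < ceiling_s:
        candidate = min(good * 2, ceiling_s)
        if survives(candidate):
            good = candidate  # feed the new known-good value back
        else:
            bad = candidate

    # Phase 2: binary search between the last good and first bad interval.
    while bad is not None and bad - good > resolution_s:
        mid = (good + bad) // 2
        if survives(mid):
            good = mid
        else:
            bad = mid
    return good


def keepalive_rate(connections, interval_s):
    """Average keepalive packets per second arriving at the cloud service."""
    return connections / interval_s


if __name__ == "__main__":
    nat = SimulatedNat(idle_timeout_s=7440)
    interval = train_keepalive(nat.survives, known_good_s=60, ceiling_s=14400)
    print(f"trained interval: {interval}s after {nat.probes} probes")
    print(f"fleet load: {keepalive_rate(130_000_000, 3600):.0f} packets/s")
```

In a real deployment the trained value would be used with a safety margin, and training would rerun whenever the primary connection drops unexpectedly.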
MQTT is the solution for this. Note that the garage door openers talk MQTT to the myq service (over TLS with preshared keys). It should be possible to subscribe to events from your garage door opener(s) and also to send commands to it.
But MQTT alone doesn't solve the challenge for some Internet server to push messages to a Home Assistant instance running inside a home network / behind a router / behind a firewall / NAT unless a port is opened on the router, or long-polling is used.
I recently bought a Nuki smart-lock, purely because it offered MQTT support with auto home-assistant discovery. Vote with your wallets and we can have nice things.
Because that would require them to build a callback system for the 0.2%. I don't have this, but I'm guessing the app only checks if your garage is open when you open the app. That is if you don't have the app open and someone opens the door you don't get a notification.
If I recall correctly, Chamberlain had an optional accessory that added HomeKit support to garage door openers, and that was discontinued last year. Home Assistant is capable of acting as a HomeKit hub, allowing it to control HomeKit compatible devices locally that otherwise would've required a cloud connection.
Haha this is the company that has an undocumented encrypted wire protocol between the wired button and the opener so you have to use their button instead of a normal doorbell switch.
I would argue that letting HA define a callback URL or some way to receive those events instead of relying on polling would do it. But also, are they caching the responses? I have a weird feeling that the vendor is not caching enough, especially for data that changes insanely infrequently.
That’s definitely the high road solution. The low road solution would have been to start suing HA users under the CFAA. So I guess they took the middle road.
Possible answers would be for the company to create an official integration, using a change state trigger rather than a polling trigger - or possibly to throttle requests from a particular IP to a certain number per day to incentivise parsimonious usage
Absolutely. It would also be possible for them to create a local API that home assistant can call over the local network. The real problem is that the company just doesn't care.
HA even claim that it’s used as a test bed for many IoT products, so it can often have integrations before any other platform. Kind of makes sense, given how many cross-platform integrations there are in it.
MyQ has built in integrations for Apple Smart Home and Alexa. I’m assuming in those situations the MyQ app passes state to those services so they don’t have to poll.
The problem is that these require some kind of server. Get one that just talks to HA over your local network.
Why in the hell does a garage door opener need a server?
Oh, data collection. And subscriptions. Nothing for the user.
I avoid any home automation thing that has any cloud backing that's not strictly optional. It's a strong anti-feature. In home stuff cloud means it won't work when the Internet is down, it spies on you, and it can become a brick or start requiring a subscription at any time.
It's a good thing the piggies invested in light infrastructure and good logs with their previous houses, the next version after brick will be even better!
This makes sense (and myQ’s privacy policy is a nightmare: https://www.myq.com/privacy-notice) but I’ve never understood how this particular bit of data is valuable to anyone. Any ideas?
I buy a garage door opener. That is the end of my transaction.
I buy a connected garage door opener. The provider knows my geolocation, my name, email address, socioeconomic status, even the phone I own. Inferences can be made on activity such as "they leave for work at 7am when garage door opens".
The collection of data doesn't need to be used specifically for reengaging me with Chamberlain. It is now an asset to the company that can be sold to others as outlined in their Information Sharing section. Which basically says "we share it with everyone".
Partners can be anyone from insurance companies to academic researchers. Remember that partners aren't limited to just one data set. They have the ability to ask multiple companies: "What data do you have for all occupants of houses in this geographic area?"
> Remember that partners aren't limited to just one data set. They have the ability to ask multiple companies: "What data do you have for all occupants of houses in this geographic area?"
Yup. And to make the issue clear: there is no such thing as "anonymized data", there's only "anonymized until correlated with enough related data sets".
* someone who drives frequently may rank higher for automotive products and services
* use to independently rank other statistics, i.e. someone with kids probably comes and goes more than a single person or non-child-rearing couple. Take the dataset where you know they have kids (and myQ) and see if you can detect the ones with kids using only myQ data (plus other statistics). If it allows you to infer this property accurately enough, profit.
* Someone who comes and goes a lot is most likely not physically disabled, so exclude them from those specific marketing materials.
* someone who is home a lot (hardly ever opens their garage door) might like to spend money on useless gadgets, try selling them IoT toasters
You can access the device when you're away from home if it's internet connected. Of course, the server doesn't need to be doing much besides proxying connections.
I'm quite confident my parents and the many people like them in the world would not find running VPN/Tailscale/ZeroTier to be "easy." Nor would they have any idea how to troubleshoot when those services have issues. Nor would they want to play intermediary between Tailscale and myQ customer support to figure out which one is broken and fix it.
Having options like this is great for powerusers, but the vast majority of people are not that. They need something that just works. Of course that still doesn't mean they need their garage door collecting telemetry data, but they need something more than a LAN-connected smart device.
My wife doesn't understand what I do on the computer all the time and she's pretty doubtful of my claim that server racks are normal household items. Nevertheless setting up the HA app on her phone with a Wireguard VPN was super simple and she's got a good handle on that.
That being said, setting up the HA and Wireguard server is definitely a more demanding experience. Although once set up it's pretty much a once and done sort of thing, and there are integrated, ready-to-go solutions available.
It would be nice to see something like "Geek Squad" offering that sort of service instead of just running AV software while trawling for nudes on customer laptops. No guesses on what's more profitable though.
Perhaps in general, but if the problem here is "I don't want a corporation to have access to when my garage door is open or closed" I can't fathom how "Give another corporation access to my entire network to troubleshoot my VPN and LAN configuration of my devices" is the solution?
The solution is to "give my tech whiz kid/neighbor/friend, or a local IT shop two blocks over, the responsibility of managing my home network".
This is where ideas like non-shit IoT, Right to Repair, Free (Libre) Software, and even "how to not fuck up foreign aid 101", all converge. The point isn't to make everyone their tech support. The point is to allow local communities to be more self-sufficient, able to manage technology on their own - as opposed to outsourcing everything to some faceless companies that have no attachment to any given community.
Note that this doesn't preclude business - on the contrary, local businesses are the fundamental part of any community larger than a couple dozen people; the ideas converge not on everyone doing stuff pro bono, but on small, local businesses doing things for their communities, accumulating and retaining know-how.
I wish more people from aforementioned movements realized their ultimate goal (at least in form that's possible in the real world) is the same, and joined forces.
If your mass-market commercial product needs this by design, you will fail. To successfully sell a product to the general public, it must work out of the box.
They exist, but they're expensive. And the products they sell are not really consumer devices, they are B2B products marketed at contractors.
They're really two different markets, the bulk of the home automation market doesn't want to spend $10K+ for a contractor to check the same feature boxes that something on the shelf at Home Depot can do for a 3-digit price tag. Labor is really expensive, so home automation contractors operate almost exclusively on the high-end of the market.
1) Home Assistant is not an officially sanctioned option by the devices and will run into technical issues regardless whether it's cloud hosted or not (as seen by the very post we're all commenting on).
2) Even if the above were not true, at that point you're back to an internet enabled smart home device system, and now we're simply picking which vendor to trust over the other. But in both cases, the option for the vendor to collect telemetry data about your usage of the products exists.
There is really no viable way for the typical consumer to be able to both have a good product experience for something like this, and to prevent a cloud vendor from having access to their data. Unless I'm missing something obvious.
> Even if the above were not true, at that point you're back to an internet enabled smart home device system
Home Assistant Cloud is essentially a TCP-level proxy (IOW Nabu Casa sees jack squat):
> The remote UI encrypts all communication between your browser and your local instance. Encryption is provided by a Let’s Encrypt certificate. Under the hood, your local Home Assistant instance is connected to one of our custom built UI proxy servers. Our UI proxy servers operate at the TCP level and will forward all encrypted data to the local instance.
> Routing is made possible by the Server Name Indication (SNI) extension on the TLS handshake. It contains the information for which hostname an incoming request is destined, and we forward this information to the matching local instance. To be able to route multiple simultaneous requests, all data will be routed via a TCP multiplexer. The local Home Assistant instance will receive the TCP packets, demultiplex them, decrypt them with the SSL certificate and forward them to the HTTP component.
> The source code is available on GitHub:
> SniTun - End-to-End encryption with SNI proxy on top of a TCP multiplexer
> hass-nabucasa - Cloud integration in Home Assistant
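What an SNI-routing TCP proxy of the kind quoted above can read from a connection, as an added example (not SniTun's code and not part of the original thread). The hostnames, backend addresses and function names are hypothetical; the sample ClientHello is generated offline by an in-memory TLS client.

```python
"""Read the SNI hostname from a TLS ClientHello and route on it, without decrypting."""
import ssl


def make_client_hello(hostname):
    """Constructed sample input: a real ClientHello from an in-memory client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is written, the client now waits for a server
    return outgoing.read()


class Reader:
    """Bounds-checked cursor; the ClientHello is untrusted network input."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, size):
        return int.from_bytes(self.take(size), "big")

    def vector(self, len_size):
        """Read a length-prefixed field and return a cursor over its body."""
        return Reader(self.take(self.uint(len_size)))

    def remaining(self):
        return len(self.data) - self.pos


def extract_sni(record):
    """Return the server_name from a ClientHello held in one TLS record, or None."""
    r = Reader(record)
    if r.uint(1) != 22:
        raise ValueError("not a TLS handshake record")
    r.take(2)                      # legacy record version
    handshake = r.vector(2)
    if handshake.uint(1) != 1:
        raise ValueError("not a ClientHello")
    body = handshake.vector(3)
    body.take(2 + 32)              # legacy_version + random
    body.vector(1)                 # session id
    body.vector(2)                 # cipher suites
    body.vector(1)                 # compression methods
    if body.remaining() == 0:
        return None                # hello without extensions
    extensions = body.vector(2)
    while extensions.remaining():
        ext_type = extensions.uint(2)
        ext = extensions.vector(2)
        if ext_type != 0:          # 0 = server_name
            continue
        names = ext.vector(2)
        while names.remaining():
            name_type = names.uint(1)
            name = names.vector(2)
            if name_type == 0:     # 0 = host_name
                return name.data.decode("ascii").lower()
    return None


# Hypothetical routing table: one hostname per registered local instance.
ROUTES = {
    "instance-a.ui.example.test": ("tunnel", 1),
    "instance-b.ui.example.test": ("tunnel", 2),
}


def route(record, routes):
    """Pick the tunnel for a connection; unknown or missing names are dropped."""
    name = extract_sni(record)
    if name is None:
        return None
    return routes.get(name)        # no default backend on a miss


if __name__ == "__main__":
    hello = make_client_hello("instance-a.ui.example.test")
    print(extract_sni(hello), "->", route(hello, ROUTES))
```

The proxy only ever parses this cleartext hello; everything after the handshake is opaque to it, which is also why it cannot filter or authenticate requests on the instance's behalf.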
Yeah so this is why I said "no way for the typical consumer to have a product experience like this" because what you're saying is true, but not something an individual can rely on.
Typical consumers have no way of ensuring their UI is, in fact, encrypting the data and not farming it out. They cannot verify the source code themselves, because they don't have the technical skill set they'd need to do so (nor, frankly, the time). They're reliant on the goodwill of whoever packaged and installed the offering for them not doing anything to that offering.
Technical power users can circumvent this because they can build/install from source, verify keychains, read the source, etc. Non-technical users can't do this, and need someone to help them. That someone will most likely be in the form of a third party organization that does this in exchange for money. They're placing their trust in that third party.
The point I'm getting at is that, eventually, a consumer has to trust a third party who may have incentives that don't align with their own. They're just playing a game of which vendor to place that trust in. This is why centralization is still the predominant architecture choice for the overwhelming majority of products, even in a world where myriad decentralized solutions exist for almost everything. It turns out that having bespoke third parties run decentralized solutions for customers is often not a better product experience, and still has the same root problem even if it manifests in different ways.
> a consumer has to trust a third party who may have incentives that don't align with their own
That's true for literally anything, not just IoT security and privacy. I mean, even for highly technical users, one can't do everything from scratch, nor even check and control every single aspect: you gotta trust that the computer hardware or OS you're using isn't backdoored, you gotta trust the people that built the place you live in didn't put half the rebar actually needed or wired the whole thing backwards or with thinner-than-required wires, you gotta trust that the food you eat isn't going to make you sick...
Same for HASS, one could delegate trust to a specialist that would install a HA Green or Yellow box for them, just as they do for electrical wiring. HA is only "third party" because the IoT place lacks standards but is in essence no different than wiring stuff from different vendors, where "myriads of decentralised solutions" exist only because of standards, and for which decentralisation essentially means everyone is a third party to everyone else.
So I don't think dismissing HASS as third party is fair, and wiring IoT with virtual wires is no different than wiring a breaker box. If you don't know how to do it it can be dangerous, and so you delegate and trust someone to do their job properly.
> The point I'm getting at is that, eventually, a consumer has to trust a third party who may have incentives that don't align with their own. They're just playing a game of which vendor to place that trust in.
The problem is that approximately NONE of the commercial vendors are in any way trustworthy. They're really pushing hard the degree of abuse they inflict on the customers, and social immunity takes a long time to build.
The ultimate solution IMO is to have people trust in people they can actually trust - that is, make the third parties local. A partner, a kid, a neighbor, a small company servicing the local community and physically located in it. At this scale, trust can be managed through tried-and-true social techniques humans are innately good at, and have successfully used for many thousands of years. This is how you make most of the tech industry and adjacent problems go away.
I suppose the vendor could sell a home server device, which runs some kind of Tailscale-like technology to make it available from the internet, and the app talks to that locally hosted server.
I refuse to use cloud services, and I use Tailscale, but telling the average consumer to do this instead of using whatever app came with the device is not going to work for most people.
Give access to a friend or family member when you're out of town.
Allow package deliverers to put a package in your garage instead of on your step.
When I had MyQ, I used it almost exclusively when I was on my motorcycle. I had it configured so that I could tap a button on my phone that tracked my location and enabled a geofence around my house so it would ping the MyQ to open when I got about a quarter mile from home. I called this my "riding home" mode. This saved me the trouble of having to get my gloves off and open the door through the app when I got to my driveway, and I didn't have to leave a garage door opener on/with my bike.
Putting aside the very legitimate use cases highlighted in other messages, a very simple one is: you're just arriving at home, but are still not (yet) connected to wifi.
These very practical daily occurrences can make devices incredibly annoying and frustrating for typical consumers who want it to just work.
For the "working around the yard" idea, I just got a keypad mounted near the garage door. It is wireless, it just acts like a remote which requires a pin before it sends the toggle command.
That's a nice to have feature. However there are cases when one wants to keep it open for hours or, as pointed by other replies, to open it to let somebody in. An edge case I just thought about: open it to let somebody deliver a package inside, possibly by looking at them with a camera, and then close it.
Homekit provides this as well, and by default is local only. There really is no excuse for these devices not to support homekit out of the box other than a money grab.
> Why in the hell does a garage door opener need a server?
Because the user is almost certainly installing the device behind a NAT with a dynamically assigned public IP. These are mass-market garage door openers, not devices targeted to those familiar with advanced network configuration.
I also avoid cloud connected IoT stuff. I have the luxury of doing so because I have IT skills. For those who do not, accessible alternatives simply don't exist.
Yeah, I always felt like the implementation wasn't that good. But, tbh, rate limiting them and saying "hey don't poll quite so much" would have been trivial compared to the approach they ultimately took.
And obviously people with HA will use it more than people that have to wait a ridiculous amount of time every time they open that stupid myq app. It was terrible.
> - Home Assistant users are power users, thus more likely to actually use the devices in question;
>50% traffic from 0.2% of the users is far too big of a discrepancy to just explain it away with powerusers. Customers too have to follow a fair level of usage.
> designed to discourage effective use (while maximizing data collection).
What valuable data can they collect, if nobody is using it?
> What valuable data can they collect, if nobody is using it?
What permissions does the app have? If it has location data so it can open/close the garage door based on proximity, it can probably collect your location whenever the phone is on and that can be sold to data brokers. That's just an example. There is potentially a trove of information the app could collect and sell and not just when the user has the app open.
Of course if the app is never installed it collects nothing. I wonder if the vendor requires the app to be installed for initial configuration.
And IAC, it would be preferable (to me) to have a device that works entirely locally.
I use the myq app to open my garage door regularly. The app is slow to open and generally annoying. For example, the whole interface is initially blocked, so you tap to open and it doesn't register the tap, still doesn't register the tap, then finally it does.
I was not aware of there being ads in it, but I just looked, and you are absolutely right, there is an ad at the top. It looks like it's for their home security camera.
Based on my experience with the company, I would not purchase additional products from them. Not based on my desire to use home automation or homekit, just on the fact that the app is poor.
The garage door openers themselves, however, which have battery backup and which open quietly and with a gradual slowing near the finish, are pretty decent. Mainly I wish they had a better, faster app, as the garage door is the smart home thing I used most (followed by maybe Rachio).
> I use the myq app to open my garage door regularly.
It used to ask me to provide a rating every time I opened the app. I eventually added a negative rating because it kept asking even after I had answered "Do not ask me".
Yeah -- it is certainly quicker to use the keypad that I have outside the garage door than try and use their app. In particular, it keeps asking me for a username and password (which I can't remember because who remembers 16 character strings??).
As a former MyQ user, I can say definitively that this is accurate. There's a magnetic sensor that you put on the door for it to track the state of the door, so the app is always correct on whether it's open or closed.
Yes, but according to their statement, the official client seems to behave better than the HA-implementation. Maybe HA is brute forcing something, like pulling state every 10 seconds or so. And this is a legit complaint from their side if this is the case.
Sure, and because it was their problem, they made it the problem of those who gave them this problem, and pulled the plug.
But let's get real, 0.2 of customers are probably also matching around 0.2% of their income with those products. So it's probably not really a problem, short term.
Long term, they probably have damaged their brand hard, and missed out on some revenue from grassroots marketing. But that's a problem of future Chamberlain. Today, the one responsible for this has solved their problems, calls it done and gets their paycheck.
And who knows, maybe next year they switch to Matter, get some good marketing from it, raise the sales and the victims from today are forgotten. That's business..
Any home IoT solution without a cloud in between and which shall also be able to communicate with you while on the go requires a lot of technical expertise (and perpetual maintenance...). It is therefore not viable for the mass market.
Valuable data is in the eye of the beholder: such as burglars, home invaders, stalkers, panty-sniffers, voyeurs, blackmailers, robbers, kidnappers, spies, squatters, vagrants, wild teenagers and dumb adults that are scouting for their next juicy target.
One would think a reasonably decently written HTTP client with a server that responsibly responded with HTTP 429's when a client was polling too hard would be able to set a standard and enforce "good netizen" behavior.
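The 429 approach suggested in the comment above, and the per-client throttling raised earlier in the thread, as an added example (not part of the original thread and not myQ's or Home Assistant's code). The bucket size, the one-request-per-5-minutes rate and all names are assumptions; the 30-second polling interval is the one mentioned in the thread.

```python
"""Server-side rate limiting with 429 + Retry-After, and a client that honours it."""


class TokenBucket:
    """Per-client limiter: `burst` requests up front, then one per `period_s`.

    Credit is tracked in whole seconds so the arithmetic stays exact.
    """

    def __init__(self, burst, period_s):
        self.burst, self.period_s = burst, period_s
        self.state = {}  # client_id -> (credit_seconds, time_of_last_request)

    def handle(self, client_id, now):
        """Return (http_status, retry_after_s) for one status request."""
        full = self.burst * self.period_s
        credit, last = self.state.get(client_id, (full, now))
        credit = min(full, credit + (now - last))
        if credit >= self.period_s:
            self.state[client_id] = (credit - self.period_s, now)
            return 200, 0
        self.state[client_id] = (credit, now)
        # Tell the client exactly when the next request will be accepted.
        return 429, self.period_s - credit


def simulate_poller(limiter, client_id, poll_every_s, duration_s, honor_retry_after):
    """Run a polling client on a simulated clock; return (accepted, rejected)."""
    now = accepted = rejected = 0
    while now < duration_s:
        status, retry_after = limiter.handle(client_id, now)
        if status == 200:
            accepted += 1
            now += poll_every_s
        else:
            rejected += 1
            # A well-behaved client sleeps for Retry-After instead of hammering.
            wait = max(poll_every_s, retry_after) if honor_retry_after else poll_every_s
            now += wait
    return accepted, rejected


if __name__ == "__main__":
    limiter = TokenBucket(burst=2, period_s=300)  # assumed policy
    for label, polite in (("ignores Retry-After", False), ("honours Retry-After", True)):
        ok, rejected = simulate_poller(limiter, label, 30, 3600, polite)
        print(f"{label}: {ok} accepted, {rejected} rejected, {ok + rejected} total")
```

Over one simulated hour both clients receive the same 13 state updates, but the one that honours Retry-After sends 25 requests instead of 120.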
This is bullshit. Their app is bloatware that they use to try to push additional services like Amazon home delivery etc. I mean it’s just a button, that’s all it needs to do.
I’m going to replace it with one of the recommended devices. This is such an overt money grab.
In the past the app has gone to the lengths of making us try to use their own assistant (!).
Why the fuck would I ever want to use a voice assistant from my garage door provider? Seems like a desperate attempt to enter a market that doesn't even make sense for them as they currently are.
I do agree that their app works perfectly fine. And it's as responsive as HomeKit, but I don't want to have to launch 20 apps for my various devices.
In fact, after my initial irritation, I thought "at the end of the day, if they made a couple shortcuts available then I could still say <Hey Siri> Open the Garage door" – It's not perfect like homekit but it'll go a long way to placating many of us who don't want to keep launching a separate app.
At the end of the day this is a very reasonable business decision - an incredibly obvious and easy one.
Chamberlain/myQ makes very low cost (likely loss-leader) mass manufactured devices. Like anything else if you can identify 0.2% of your users leading to 50% of an issue you're having the reasonable thing to do (from a business perspective) is to just cut them loose. If this CTO or anyone at Chamberlain were to try to champion support for HA users people with the numbers would look at them like they are crazy. For 0.2% of the user base it barely justifies anything more than a 10 minute conversation with a foregone decision.
I use and love Home Assistant. While it's a "big deal" to techies and power users like us the total installed base (as these numbers show) is infinitesimally small when you zoom out and look at the total "smart home" market. There are 275k active Home Assistant installations[0]. This number is already tiny compared to myQ sales. Then you can check the myQ integration and see that it's only used by 3% of HA installs[1]. Home Assistant is insignificant to Chamberlain and Chamberlain is insignificant to Home Assistant.
For a device that sells for $30, 8,250 HA installs is $247,500 of total device lifetime revenue. Chamberlain has $820m of revenue per year. Even if every one of these installs bought four devices that's less than $1m. They. Do. Not. Care.
Again, I don't love this either. It's a jerk move but when viewed through the eyes of a cold and calculating business it makes perfect sense. Frankly I'm surprised this decision didn't come sooner. Especially when you consider all of these awful commercial devices really want you to install their app so they can push who-knows-what and upsell at every possible opportunity. That's an entire revenue stream they will never tap into with users utilizing the API and few businesses can resist gobs of money they see as ripe for the taking. Sad but true and standard for nearly any business. Even more so for a de-facto monopoly like Chamberlain.
HA users and people here are outraged, and that is completely fair but with these numbers Chamberlain isn't even going to remotely feel this.
At the end of the day HA is extremely powerful and the ecosystem and maker-ish community around it is incredibly robust. A device with a contact sensor on door close/open and relay (or something) to toggle the door is trivial. It's what I've been using since before MyQ or anything like it was even on the market.
Just avoid the commercial "IoT/smart home" junk whenever possible.
Unofficial IoT software and integrations are not (much?) better. I wouldn't be at all surprised if this was partly due to a junk integration for this device cobbled together by an amateur and replicated by thousands more amateurs into their own ginormous pile of other junk YAMLs.
Why did that software work mostly fine most of the time since 2017? Even Chamberlain admits their blocking is deliberate. Even Chamberlain's external statements suggest this is part of their corporate strategy.
Why is Chamberlain's API so brittle it can't stand prodding from what they claim is a tiny fraction of users, even if those are misbehaving? Do you agree that comparing that to DDoS is ludicrous, and suggests either dishonesty or a fundamental misunderstanding of what "DDoS" means?
Any IOT device that requires the cloud for functionality is a trap.
I bought a Miku baby monitor specifically because of the 2 devices that offered a feature I wanted, Miku had no subscription fees. And they advertised that they never would. It cost $400.
Then they went bankrupt and during bankruptcy they sent out a proposal to start charging for previously free features. Then they retracted that proposal. Not sure if the judge shut that down, or what happened. But then they sold to a company conveniently created the day of the sale.
Within a month the new company forced out an over the air update that disabled most functionality until you pay them $10 a month (they went bankrupt in the first place because they did a normal over the air firmware update that bricked every single unit and had to replace them all).
Last time I checked they were still being advertised on Amazon as being subscription free.
Honestly I think we need regulation to force companies to purchase a bond to provide basic security and support for any IOT devices they sell for some number of years from the purchase date. I don’t see any sign of the market solving this anytime soon.
I had an internet connected baby monitor. In the end we decided to just get a local RF one and it is a far better experience. Pair it once, and it just works. Lower power. Very reliable. Coverage throughout the house without issue. No apps to crash in the background. No dropped streams. No needing to log in to the app. No worries about features getting taken away. No subscriptions. No having to send data out to the cloud just to pull it back down. Lower latency. Far easier to just hand the display unit to the baby sitter instead of trying to talk them into installing an app and sharing a login.
These days the local RF ones are very solid. Modern DECT-based systems use encryption and frequency hopping so once paired you're not realistically going to get someone listening in.
The only benefit I see for these cloud connected cameras is if you're out of the house and are going to check in on the baby sitter, but in the end I'm not even a big fan of that feature. There's tons of pros for the local RF ones and few negatives, and mostly a bunch of unknowns and concerns with the cloud ones.
My wife works nights and she likes to be able to check in occasionally. It’s also got a millimeter wave radar that shows a breathing graph.
My wife is a pediatric ER doctor and she thinks the breath tracking radar is stupid, but I like to be able to look over and see the graph because I’m a crazy person and otherwise I’d zoom in on the camera and stare at it until I see movement.
We went with an Owlet sock that we got pre-nerfing from the FDA to track breathing/O2. The internet connected monitor was actually the Owlet cam. It worked decently enough, but just headaches from it being a cloud connected camera pushed us to get an RF-based system when we wanted a second camera.
If it works for you, that's great. I'm not trying to yuck your yum, just sharing my own personal experiences.
It used to lol! But it’ll be a cold day in hell before I pay to use the thing I already bought.
We’re about to have our next baby and I have no idea what solution we’ll end up with. I might end up trying to hack the Miku. I used to be an embedded software guy long ago.
I recently bought a baby monitor - or more specifically, spent a couple hundred € on Ubiquiti hardware - two cameras, NVR/host, and a PoE switch - and made one myself, because that's the only way I know of (after serious research and asking on HN) one can buy a wifi-enabled baby cam in Europe, that doesn't route video through some sketchy cloud. Baby cam vendors, fuck you all very much.
Especially that it was a new company deliberately disabling the devices, it sounds like a straightforward criminal CFAA violation. Of course, such laws are really only for persecuting little guys doing uppity things like trying to make scientific knowledge available to the public. Even if you could convince any six-degrees-of-golf-buddies prosecutor to take the case, I'm sure the malicious crackers have some fake contract to hide behind that claims a transferable right to remotely destroy your property.
I wonder if you could take them to small claims court. That's a potentially useful remedy, although pretty much everywhere, if they lose in small claims they can appeal it to regular civil court and make it prohibitively expensive to fight them.
I posted a comment here on HN not 60 days ago voicing concerns about Chamberlain MyQ's monetization push and received quite a bit of blowback from others explaining about how I was wrong. HN is quite a fickle place isn't it? Anyway as should be evident I was completely on the money.
Sounds to me like it's about time to publish some 3rd party firmware for the hubs/embedded controllers in the openers. Software developers who tolerate implementing consumer-hostile antipatterns all day long tend to be absolute shit at embedded systems security. At the end of the day it's just a garage door opener. The hardware is based on an FN-Link WiFi IOT module with fairly minimal customization. The door sensor is BLE. This shouldn't be too hard to root.
Chamberlain sound like dicks but to be fair, when we're talking about remotely opening doors that give access to people's houses, it seems fair enough IN PRINCIPLE for them to restrict access to the API to 'partners' and for them to have some sort of payment and maybe even approval process around who becomes a 'partner'. Obviously that sucks for open-source projects that can't afford to pay up. But it seems fair enough to put some payments or approval processes in the way here.
And why does it seem fair enough? The garage door is mine, not Chamberlain's (although that starts to be more and more debatable the farther into enshittification we go).
The gnashing of teeth here reads like software people trying to solve a simple hardware problem.
You don't need anyone's permission or API to control any garage door opener --- smart or dumb. The suggested "ratgdo" device is one option but looks kinda overpriced to me.
Every garage door opener has 2 sets of dry contacts. One set controls the open/close function and normally connects to a physical button on the inside wall. This is easily shared with any other device. The other set is a limit switch that tells the motor to stop once the door is open. This too can be easily shared and read.
All that is required for full control is a wifi device with 1 output and 1 input that speaks Home Assistant. Sonoff or some other manufacturer must have an affordable one. If not, maybe I'll make one. It's not that hard with readily available hardware.
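The one-output, one-input controller described in the comment above, as an added example that is not part of the thread or of any product's code: because the button contacts only toggle, the logic reads the open-limit switch before pulsing and refuses to pulse while the door is travelling. The class names, the 15 s travel window and the simulated opener are assumptions made for illustration.

```python
import time

class DoorController:
    """One relay output (wall-button contacts) and one input (open-limit switch)."""
    TRAVEL_S = 15.0  # assumed worst-case travel time; measure the real door
    def __init__(self, read_open_limit, pulse_relay, clock=time.monotonic):
        self._read, self._pulse, self._clock = read_open_limit, pulse_relay, clock
        self._pulsed_at, self._target = float("-inf"), None
    def state(self):
        in_travel = self._clock() - self._pulsed_at < self.TRAVEL_S
        if in_travel:
            # Early arrival can only be confirmed for "open": right after a
            # close pulse the door is still resting on the open-limit switch.
            return "open" if self._target == "open" and self._read() else "moving"
        return "open" if self._read() else "closed"  # "closed" is inferred

    def request(self, target):
        if target not in ("open", "closed"):
            raise ValueError(target)
        current = self.state()
        if current == target:
            return "noop"   # the button contacts toggle, so never pulse blindly
        if current == "moving":
            return "busy"   # a pulse mid-travel would stop or reverse the door
        self._pulse()
        self._pulsed_at, self._target = self._clock(), target
        return "pulsed"

class SimulatedOpener:
    """Constructed stand-in for the hardware; the door needs 12 s to travel."""
    def __init__(self):
        self.now, self.is_open, self.pulses, self._flip_at = 0.0, False, 0, None
    def clock(self): return self.now
    def read_open_limit(self):
        if self._flip_at is not None and self.now >= self._flip_at:
            self.is_open, self._flip_at = not self.is_open, None
        return self.is_open
    def pulse_relay(self):
        self.pulses += 1
        self._flip_at = self.now + 12.0

def demo():
    sim = SimulatedOpener()
    door = DoorController(sim.read_open_limit, sim.pulse_relay, sim.clock)
    log = []
    for t, target in ((0.0, "open"), (5.0, "closed"), (12.0, "open"), (12.0, "closed")):
        sim.now = t
        log.append(door.request(target))
    return log, sim.pulses
```

With only an open-limit input, "closed" is never measured, only inferred once the travel window has passed without the switch reading open; a second contact sensor at the closed position removes that guess.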