I typically do not like Google and a lot of ways the company acts and performs.
However, recently I moved into sysadmin-type work, partly doing work for state governments. Cybersecurity is really bad everywhere, and it’s scary, and it’s frustrating how abstract and very theoretical all the risk is as it makes it hard (justifiably) to take seriously.
Anyway, Google’s reputation with security is (fingers crossed) nothing short of “almost bulletproof”, and I’d love to see more IoT devices from them. With the recent rollout of Nest Security System, we’ve actually been advising lots of small businesses to combine this system, along with Nest cameras + fire alarms as a solution to actual physical security and fulfilling compliance alarms. Since Nest also does cellular backup in case of internet outage, we just hook everything up to an APC and the whole system can run for 10+ hours without power or internet.
Also also, Android security sucks. Not Google’s fault, but thank god they moved to making their own phones. Maybe that will encourage better behaviors from other manufacturers.
Android security is Google's fault. Any kidding yourself that might occur through believing that OEMs deserve any blame for an update mechanism (or lack thereof) in a system designed by Google is pretty easily discredited, especially when you consider it took Google five months to patch KRACK in the Pixel 2, when third party ROM authors did it in two days.
Also, Google's "reputation with security" needs some serious nuance: They are very good at preventing types of exploits they care about, but they are a literal joke when it comes to security that interfaces with submitted content and user choice. Consider that the Chrome Web Store is a literal cesspool of malware, and that a lot of websites blatantly try to force you to install extensions through the Chrome Web Store which steal your browsing data. Since extensions are permitted to request such a huge security hole, Google doesn't consider it their problem that extensions do it maliciously.
Because Google doesn't consider something they gave permission to do malicious things to be an exploit or vulnerability, Google can simultaneously claim that Chrome is the most secure browser, and it be literally the easiest browser to get malware with.
I can definitely agree with you that state level government security has a long way to go and is a pretty scary place. But Google can't fix it, because the biggest problem in government security is still humans, a security layer that Google has repeatedly demonstrated no understanding of.
Thanks for your reply, and that sucks to hear about Google.
My positive perception mainly comes from this super paranoid dude, Michael Bazzell: https://inteltechniques.com/experience.html. He both hates Google for their data collection and also respects it for their security practices.
Ugh I also hate to hear they’re doing the “we’re secure but who knows about our 3rd parties” practice. State IT does this as well. As long as you sign some contract with them that promises them you do NSA-style security, they’ll buy anything from you. Of course what 5-man IT shop wouldn’t sign a $20,000,000 IT contract when worst case, they get a bad audit and have to spend 50k really quickly to get up to SOC II?
You can literally find a list of State IT contractors for most govs, and just go through them finding all the fly-by-night shops. That being said, the big vendors aren’t that much better either...
I am floored when I tell some vendor they can't do something because it isn't secure, and they look at me like nobody's ever told them that before. My general impression is "I can't seriously be the first person who's ever said this, can I?"
The thing people need to remember is that the CIA Director's AOL email account got hacked. In 2015. We are so far as a society from where we should be.
>Android security is Google's fault. Any kidding yourself that might occur through believing that OEMs deserve any blame for an update mechanism (or lack thereof) in a system designed by Google is pretty easily discredited
It would seem you still don't understand how Android is built. Google cannot update the phones made by other OEMs. OEMs download the Android source code, add their modifications and create their own forked version of Android. This is like asking Debian to update Redhat's Linux distribution. Blaming Google for the OEMs' inability to update their own phones is disingenuous, but it does support your prime directive of disparaging Google every opportunity you get.
>especially when you consider it took Google five months to patch KRACK in the Pixel 2, when third party ROM authors did it in two days.
Those patches were provided by Google incidentally. Additionally, Google patched KRACK in Dec, 2017 on the Pixel phones. So where exactly did you get this 5 months?
>Also, Google's "reputation with security" needs some serious nuance: They are very good at preventing types of exploits they care about, but they are a literal joke when it comes to security that interfaces with submitted content and user choice. Consider that the Chrome Web Store is a literal cesspool of malware, and that a lot of websites blatantly try to force you to install extensions through the Chrome Web Store which steal your browsing data. Since extensions are permitted to request such a huge security hole, Google doesn't consider it their problem that extensions do it maliciously.
Could you point me to the malware on the Chrome Web Store? Since you claim it's a "literal cesspool of malware" it shouldn't be that difficult for you to point to those extensions. I look forward to those links.
I've learned not to try to argue with you, but yes. Google patched the Pixel 2 in December. The problem is... They were notified about KRACK in July. And Lineage had it fixed in... October, shortly after it went public.
> They just don't care about updates, otherwise they would remove certification access to any OEM not providing updates.
I think they care, but they can't do something about it. Because OEMs dislike updates.
Updates do not sell new phones.
Google on the other hand actually has it easier if all their devices are up to date. They do not need to maintain old code/branches whatever.
It's still Google's fault that they never had something in place to enforce it.
They basically wanted to have anybody on board of the OHA, so they needed to make tradeoffs in their contracts.
>Proving once again that Google Chrome extensions are the Achilles heel of what's arguably the Internet's most secure browser, a researcher has documented a malicious add-on that tricks users into installing it and then, he said, is nearly impossible for most to manually uninstall. It was available for download on Google servers until Wednesday, 19 days after it was privately reported to Google security officials, a researcher said.
>Researchers have uncovered four malicious extensions with more than 500,000 combined downloads from the Google Chrome Web Store, a finding that highlights a key weakness in what's widely considered to be the Internet's most secure browser. Google has since removed the extensions.
Google designed the Android update model, so is responsible for its consequences. They designed a different model for ChromeOS and it has worked much better.
I just wanted to throw out for folks this - Nest Secure does not appear to support fire monitoring via the Protect with a monitoring service -
The Nest Protect Smoke & CO sensor does not qualify as a 24 hour monitored fire protection device. This is due to the requirement from Nest that the user must first verify that the Nest protect fire alarm signal is or could be real before the monitoring service will receive the fire alarm signal and dispatch the fire department
--
This was a deal breaker for me using the nest eco system for home security -and- fire protection. Other systems don't suffer from this. It's too bad as I like the tech but it's not bulletproof yet.
I think this was the natural progression intended from the beginning and it's a good thing. I personally like the aggregation that Google is undergoing. All hardware under hardware, all cloud related under Google Cloud etc. I understand Kaggle is going to be part of Google Cloud as well. Which makes sense. There was a very large fragmentation of teams previously.
I really wish Google/Nest would end their corporate beef with Apple and integrate with HomeKit. What happened with the openness of Google?
Instead of buying Nest's entire line to outfit the house I'm building, I'm avoiding them completely even though I think their products are at the top of their class.
Nest isn't unique anymore... neither are their cameras... and they are late to the party with the doorbell. Do I think they are great products? Absolutely!! But they aren't in a position of leverage, the market is becoming commoditized, and forcing consumers to use only your app is a poor strategy. Especially considering it wasn't until a few weeks ago did Nest's app support iPhone X's new format, MONTHs after it was available to the public.
HomeKit is not using open standards. Google and Nest are. Your question should be reversed. Why doesn't Apple just use OpenThread or one of the competing open source IoT frameworks?
HomeKit was announced in June 2014, and released September 2014.
Thread was developed at Nest. The Thread Group was announced July 2014, far into HomeKit's R&D cycle. There wasn't much, or obvious, commercial support for years. (Although to be fair, HomeKit has taken forever to get traction, too.)
I believe that at the time Apple was also concerned about the quality and security considerations of a Thread-like system. I can't prove or cite this, but having worked with Apple engineers who worked on MFi (ironically, I worked with them at Nest, not Apple), I'm skeptical of the narrative that it was devised as a revenue source. My sense from the culture of Apple when I was there (90s) and everything I see coming out of there more recently is that Apple tries to maintain standards of peripheral quality, security, and compatibility that have been difficult to find in the Android ecosystem, say, although this has been detrimental in the case of HomeKit adoption and they've finally backed off.
Thread was developed in the Thread Group, and like any standardization body, was (and is) open for any company to join at a variety of membership levels.
All members had input in the specification, and subsequent specs.
I know you're being sarcastic, but for folks who are actually interested, you can request access to the Thread 1.1.1 specification here [1], and you can contribute to Nest's open-source implementation of Thread here [2]
Nobody, you got that all wrong. 802.15.4 and 6LoWPAN are established, quite mature standards. HomeKit is the (proprietary) challenger, that adds nothing but an ecosystem for Apple to profit from
Zwave is proprietary. Zigbee is "not really" open. There is no open implementation AFAIK, the application library (cluster library) is standardized and everyone is allowed to develop and sell compatible devices, yet you won't be able to fetch the code and deploy on the platform of your choice, AFAIK. In this regard Zwave and Zigbee are quite similar.
Almost all the mentioned standards are based on IEEE 802.15.4.
The difference between 6LoWPAN and the rest of the mentioned "standards": 6LoWPAN is IPv6 "adapted"/compatible. Thread is based/extends on 6LoWPAN, and adds several missing features or replaces some parts, because similar to conventional Internet devices, you need something more than IPv6 to get things going.
Apple's playbook is to launch with APIs for internal use and then, frequently, open them. Examples include iOS support for third-party apps, third-party access to a number of watchOS 2.0 APIs, and third-party access to iOS APIs such as NFC, Touch ID, camera overlays, etc. etc. Apple is also ruthless about omitting features (copy/paste, anyone?) from 1.0 releases.
This is in contrast to hardware support, which has tended to contract (floppy drives, CD drives, Ethernet cables, USB jacks, iPhone headphone jack).
It also makes sense to many of us who have done platform development and/or supported public APIs.
I'd want more evidence before concluding that HomePod's initial limitations are an M.O rather than an MVP.
They have had internal support for voice-controlling your music since iOS 1. They had a cross-application API that let you voice control arbitrary music apps on Mac OS since at least 10.4, probably earlier. Music has been a core feature of the iPhone since the day it launched.
It isn't an accident that they've failed to extend voice support to third parties after ten years. If they did plan to add it any time soon, they would have easily been able to get that to market before HomePod. They decided they'd rather continue trying to shove users into their subpar Music service, instead of supporting what users actually want and use.
Conclusion: Don't Buy unless the only audio service you ever use is Apple Music.
> Apple's modus operandi is to, for example, enforce Apple Music as the only native HomePod music service.
(emphasis mine). I think you mean "natively support". You can send anything you like via their proprietary airplay service (like chromecast). "Enforce" is appropriate for, say, their requirement that iOS apps come only via their app store.
Historically Apple, like others, play nice with standards when they are the underdog (the NeXT, and thus MacOS X.<small-integer>) was all about open standards like JPG, though they also paid the danegeld for things like the RTF and GIF licenses. The iPod not only supported mp3 but they openly encouraged ripping CDs. Hell, Steve Jobs paid us actual money to make gcc & objective-C++ great on the NeXT (though he had a really good team already in place as well). Then as they gained more power they cared about openness less.
Google was similar; they have a better commitment to open source than Apple does but also try to use their market muscle to do things like their own mobile page format.
In case I sound like an apologist, I also prefer open interoperability. But I am realistic about looking at the landscape.
Integrating with HomeKit requires adding a HomeKit specific chip to each device. It would require them to reengineer all their products and drive up the cost - it's Apple being closed here, not Google.
I agree it was a very poor decision that lost them a lot of ground to Alexa – but that was HomeKit 1.0. Apple dropped that requirement last year at WWDC.
"If you're interested in developing or manufacturing a HomeKit accessory that will be distributed or sold, your company must enroll in the MFi Program."
I understood this more as a management change (from all the rumors it looks like Nest was an extremely shitty place to work in) that might keep the Nest branding.
This is going to make it hard for direct product competitors to do business with Google now IMO. Before it was made very clear that the two groups were VERY separate within Alphabet.
So as a competitor (say a camera maker) you could feel somewhat OK partnering with Google Home integrations because there were legal protections that data, roadmaps, confidential info wouldn't be shared.
Now they're literally the same person, according to this. Ouch.
Politics still matters, from a legal data sharing perspective.
For instance, let's say I integrate a thermostat/camera/x device with Google Home/Assistant. Based on # of users who connect devices and use the integration I could get some idea of user base/popularity/sales rate.
"On paper" there is separation between the two companies, and the agreement between Google and Thermostat Company A might say "data is not shared with any other entity within Alphabet".
Now that agreement is potentially null, since they might be the same thing now.
Or even things like "we're going to release a new product and want to integrate it with Google Home in advance, etc, etc".
Don't forget, the employees also had an easy time transferring between the companies. This "change" is just aligning the business structure with reality, not modifying reality.
Maybe it was changed recently, but they were very much kept apart from Google during the Fadell era - physically and to the degree of even having lesser benefits.
Nest was a Google subsidiary before Alphabet was formed. Across the street from their offices are Google offices. I've talked to Nest employees about their use of Google infrastructure, in a Google office.
It didn't seem like there was any more separation than you'd expect of the Android and chromecast groups, for example.
Nest is probably Google's strongest hardware brand (although it has some blemishes). I wonder what this looks like within Google?
Will Google HW products become branded under Nest? Will Nest remain specific to the home? Will the Nest brand be dropped entirely? Will things remain "separate-but-together?"
Will Nest Weave [1] become the default IoT offering from Google, superseding Android Things? Will Nest Weave run on GCP?
I'm guessing there is quite a bit of turf-warfare going on to determine the answers to those questions.
Mozilla's open source home automation project is a very big silver lining to this kind of news. Google has not shown any interest in creating a truly open platform, or in creating lower cost hardware alternatives (no not everyone wants an audiophile speaker in a simple home automation controller).
It's probably just my Stockholm syndrome of being 100% invested in Apple's ecosystem, but I'm kind of less interested in how open something is (because open often means "slow, takes forever to get anyone to agree"). I'm more concerned about companies actually having an attention span of more than a couple of years.
Is Mozilla's thing going to last for 10 years? Is HomeKit? HomeKit has a better chance. But look at things like Google Weave. What even happened with that?
All that said, HomeKit, even though it seems superior to everything else from a security standpoint, has been moving at a glacial pace. Hopefully this software authentication stuff will make a difference.
The only ecosystems that seem to be sort of thriving are closed, but extensible ones (Alexa, Google Home) and their originators seem incentivized to keep them going.
> The only ecosystems that seem to be sort of thriving are closed, but extensible ones (Alexa, Google Home) and their originators seem incentivized to keep them going.
It will be interesting to see how it plays out, but I think Amazon has a big advantage in that it has sold a massive number of Echo and Echo Dots and is fairly open in all respects except the actual voice data captured.
Right this is my point. The "openness" kind of doesn't matter in practical terms, mostly because the platform is SO extensible and everyone has integrated with it.
My only concern with this move is that Nest products might become less open as a result.
Apple, Google, and Amazon are developing competing ecosystems and Apple has been making/keeping theirs as closed as possible. Amazon has remained relatively open and Google has been somewhere between the two.
I get the feeling that Google would love to be a completely closed system and they seem to be moving in that direction.
FWIW, Nest products were never very open. I had one pre-Google acquisition, and there was never a way to talk to it that wasn't via Nest's own servers, even though it's on my network.
Of course, the likely thing is that Google will not go out of their way to make it possible to make Nest plugins for Alexa, Cortana, etc.
I guess that largely depends on your opinion of their current level of testing and Google's level of testing for their other hardware. Presently Nest utilizes the Centercode platform to manage a pool of beta testers.
> built with Google’s artificial intelligence and the Assistant at the core.
Thank god. Nest cameras' object detection leaves a lot to be desired as of present. Like accuracy.
I was going to say that Nest products could use some Google software engineering polish—which they could—but then remembered the state of Music and many Play apps on iOS.
No, apparently Nest is still both a brand and a coherent unit, but instead of a direct subsidiary of Alphabet it will be a unit inside the larger Google Hardware unit.
I have their security suite (home unit, 2 door triggers (and it came with an outdoor cam)). I love it. No issues, geofencing when I leave so I can enable the alarm (or when I come home). And the app is smooth as butter. I'm waiting for the doorbell now.
Failure to detect smoke: "Consumer Product Safety Commission: Nest Labs Recalls to Repair Nest Protect Smoke + CO Alarms Due to Failure to Sound Alert" [1]
Incorrect. If you examine the announcement you linked, the issue was a failure to alarm when smoke was detected (below UL's must-alarm threshold, above which the Protect ALWAYS alarmed) due to false detection of a hand-wave as part of the "Wave to Hush" feature. This feature was remotely disabled on all Protects via a software update.
> False alarms.
Not for a long time. The second-gen Protect, which has been out for years, includes much-improved smoke sensors and algorithms. This is reflected in its unusually-high 4.6 star Amazon rating [0].
> Those are Nest's worst product.
How did you reach this conclusion? In addition to its outstanding score on Amazon, the second-gen Protect is frequently recommended by professional reviewers [1][2][3].
Anecdotally, I have 3 first-gen Protects in my home (in addition to 2 second-gens) and have never had any false alarms (except when I forget to run the fan while cooking bacon, and fill the entire house with smoke...).
Perhaps it would be more convincing if these reports weren't over 3 years old. I own multiple Nest Protects, with no issues whatsoever. A year ago, I got pinged on my phone while we were out and about about a CO leak. Turned out we'd forgotten to turn the stove off. Without that ping, we'd probably only have come home a couple of hours later. That alone is worth their cost to me.
I always thought they were fairly pointless, until a friend convinced me of how much he really loves them, knowing the kids and dogs are safe, etc etc. I still don't quite "get" it, the connected thermostat makes sense, but based on his recommendation (and how I hate having to fight false alarms on our detectors-mounted-out-of-reach every 3-6mo due to burning something in the kitchen), I'm actually going to buy a stack of protects to replace our existing detectors.
I felt the same way. I never quite understood shelling out $100 for a smoke detector when I need to buy 7 of them. It's just a smoke detector, right? If I'm lucky it won't do anything for 10 years until I replace it. Why not just get a cheap one from the store.
Well, I bought one for the kitchen to try out. At some point my wife burned dinner and the alarm went off and notified my phone. It was that notification that made me realize, ah ha, I get it. This $100 purchase is giving me peace of mind. This thing is smart, and it's protecting me. Not only that, I bet Google put way more engineering into this than some cheap one.
Now that I have kids, I have peace of mind that Nest Protect is protecting my kids while they sleep. Might sound silly to some, but that's how I feel.
Yeah, the most important feature to me is that I know exactly what they are trying to warn me about, they don't start screaming at me immediately and I know if one is going bad because the app tells me. Overall I love the experience, they are damn pricy though. If they could figure out a way to get them around $60 they would sell them like hotcakes.
I still don't see the point of the Nest thermostat. It takes seconds to adjust mine for the day, or just turn it low in the morning before work and up in the evening. It's such a minor improvement that I can do fine without it.
Imagine you’re lazy and on the couch and it’s cold and you don’t want to go upstairs to where the thermostat is to turn it up. I can just do it from my phone.
Are you still unable to see the point?
Imagine you live in a big family and people come and go all day long and no one remembers to turn the thermostat down when they’re the last person to leave.
Are you still unable to see the point?
(Sometimes it seems like “I don’t see the point” is code for “I can’t imagine a lifestyle different than my own”)
The rarity of when this would be useful is what gets me. I have a programmable timer on my thermostat that I set to turn on when I expect to be awake and in the house during the week.
If I leave the house for a few hours on the weekend, there isn't a big enough energy savings for turning it off. My range of comfortable temperatures is large enough that feeling cold while sitting on the couch and needing to turn the thermostat up a few degrees higher than normal doesn't sound plausible. Like wearing a wristwatch, this just seems like more trouble than it's worth.
After reading my post, I am surprised you fail to imagine a lifestyle different than your own where, for example, your time at home and away from home is unpredictable, and so a timer would not be helpful, but a geofencing system is.
I can imagine that lifestyle. I'm surprised you fail to understand how rare that lifestyle is. Most people who can afford a fancy thermostat work predictable hours.
Many of my tech industry peers are contractors with multiple in-person clients in different parts of the city. This often means they never know exactly what their schedule for the following day will look like. Some others travel 3-5 days per week, and the days they do it on vary too.
You might not be the target market. The value proposition was largely the attractive design, which is still significantly better than most thermostats. And in addition the UX is nicer, and the app is convenient every once in a while (coming home from a long trip), but I think those may be secondary.
Definitely am not, I guess. UI? It's a thermostat, it needs to just be able to turn the boiler on and off when temperatures hit the mark. Long trip? My house heats up in less than 15 minutes. App? I'd rather not bother.
- Turn it off from bed when I forget to do it before going to sleep. My system is too loud for us to have it on while we sleep.
- Peace of mind that I didn't leave it on while outside the house. It just detects when our phones have left. Whatever savings that makes, too.
- Similarly, it starts when it detects our phones are about to enter the house, so when we get in the heater is already on to welcome us.
- No need to walk all the way to it, all freezing, first thing in the morning. If I need to wake up before it turns on automatically, I just tell it to turn on from bed.
I somewhat agree; I'm too much of a control freak to rely on "auto away" (if I leave the house, I just turn the damn thing down!), though I will say having it NOT turn the heat on at 5pm when we're getting home late for the day is nice.
I think many of the cost savings from auto-away would only be realized for the lazy/inattentive and particularly for those with air conditioning, which is far more expensive to run than heat.
Also, it's really nice to turn on the heat before arriving home when it's been off all weekend, or at the cabin for a weekend skiing. The difference between walking into a 38 degree house and a 50 degree house is pretty large.
You have to be physically present to do so. The Nest can be set over the Internet using a mobile app. That's a categorical difference. That's not worth hundreds of dollars to me, but it's a feature some people care about.
There's also the option to tie your heating system into your local utility provider's network. My utility pays $25/yr to let them turn down your heat a few times a month, when load is high. Combine that with a $100 rebate on the Nest, and actual cost to me can be recouped in a few years.
Not like default thermostats are free either, and a lot of them have mind-blowingly bad UX. "Just hold down these 4 buttons at once while hitting these two up arrows to adjust the time!"
It really seems dumb to have a thermostat at all. If I have a smart home, why not just have an app for controlling temperature settings? With a google home, I should be able to say "Set temp to 21".
A thermostat is the interface to the climate control system, how could you possibly remove it from the system? Where would the temperature feedback come from?
Ha, yeah was a quick comment. To be clearer - Why do I need a temperature interface hanging on my wall? Why not split the device into two; a measurement device (small, portable) and a controller (remote control, app, voice controls).
I have a "wireless" thermostat (Honeywell Redlink) and there are a lot of problems you have to think through to make it work. In particular, what is the failure mode when the thermostat can't communicate with the furnace? What if your internet goes down and it can't communicate with your phone? You might need a different failsafe for when it's 0C vs 25C outside, but what if your exterior temp sensor stops working or can't communicate with the furnace? Not to mention the security implications of having an appliance on your network.
All these problems are made much simpler with a wired thermostat and battery backup. I wish it was easier, but in this case "smart" doesn't really buy you much energy or UX savings over a simple programmable wired device.
At the end of the day, something has to be wired to the A/C to provide control and the majority of houses today are already equipped with that wiring inside the home (usually into a wall). I don't think there's any rule that says you have to have this in a wall, but I'd be willing to bet most people will prefer having that fancy smart thermostat mounted in the same place the old one was (myself included).
If nothing else, I think it creates a sense of security in that they'll be able to still use it if they lose their controller or their phone dies.
You can cut a huge chunk of the cost out of the Nest if you drop the LCD, touchscreen glass, and fancy stainless steel housing.
It could be a simple plastic box with the CPU, radio, sensor and control relays inside, and then a hidden mechanical thermostat knob/control to use as a floor + emergency override if the internet cuts out or the phone goes away.
That said, there are devices that come extremely close to this, like the RadioThermostat CT-50. It has its own HTTP API so you technically could operate it on your own.
Because home control / voice control is already established (Google Home, Alexa, etc). Why would I want a single voice controller when I can leverage the mesh of devices I already have around my home?