Well, how about having a local API and have no calls at all to your cloud infrastructure? Probably too easy and you cannot lock people into your ecosystem.
From any practical standpoint, this makes so much sense.
Sometimes my Tesla fails to unlock for some reason and I have to disable my VPN and then stand next to it like a God damn idiot for 10 seconds while it calls its servers in fucking California to ask it to unlock my car.
As if I needed yet another reason to never ever own a Tesla.
My car has this crazy technology in it: You can stick the key in the door and twist and it’ll unlock. Even if the network is down or the battery is dead. Arcane, right?
Hell yes! My sister-in-law has your same year but the diesel version and that thing is a champ. It’s rated at 45 mpg on the highway but she typically gets 50+, even with nearly 200k miles on it.
I had a 2004 1.8t Jetta for 12 years but I swapped it for a Prius. I love the Prius features and fuel economy but I miss how damn quick my Jetta was, plus I loved the interior color scheme.
Haha yeah there are other, more reliable methods but the “phone as a key” is also super convenient when it works properly, which is most of the time. It just would be a lot smarter if it worked locally.
…Or if there were an alternative option that didn’t rely on software and electronics is my point.
Cars have had electronic remote keyless entry for decades. It’s not new. Some of them even have phone apps that duplicate that functionality. No one but Tesla has been stupid enough to remove the keyhole, though.
I understood your point. My point is those electronics make it more convenient to use. Would I appreciate ALSO having a physical unlock mechanism? Sure. It also increases the attack surface.
Cars have had electronic remote keyless entry for decades.
I think it could definitely be possible to do locally, and I wouldn’t want a car where I have to connect to servers to connect to it. But I am also not sure I want a car that can be opened with a command on the car itself. The code to access your CAR being stored locally on the car itself, with no server side validation, does seem kinda scary. It’s one thing for someone to manage to get into your online login where you can change the password, it’s another for someone to literally be able to steal your car because they found a vulnerability. It being stored locally would mean people would reverse engineer it, they could potentially install a virus on your car to be able to gain access. Honestly, as a tech guy, I don’t trust computers enough to have it control my car.
The issue you are experiencing likely has nothing to do with the VPN. Network connectivity is not needed to unlock the car. I have been in places with no cell phone signal and it still works.
I do sometimes experience the same issue you are. If I wake up my phone, then it works. So it may be working for you not because you disabled the VPN, but because you woke up your phone and it then sent out the Bluetooth signal to let the car know you were nearby.
It’s a bit of both! Certain commands to the car can be done locally via Bluetooth OR via Tesla servers. The tricky bit is that status always comes from the server. If you are on a VPN that is blocked (like I use NordVPN and it is often blocked) then the app can’t get status and as long as it can’t get status it may not even try a local command. It’s unclear to me under what circumstances it does local vs cloud commands, and it may have to do with a Bluetooth LE connection that you can’t really control.
When you don’t have service, or you’re on VPN, it may be worthwhile to try disabling and reenabling Bluetooth. I have had success with this before. If you’re using Android, it seems like the widget also uses Bluetooth, so you could try adding the widget to your home screen and using that. You can also try setting the Tesla app to not be power controlled, so it never gets closed.
Either way, there’s a definite engineering problem here that feels like it should be fixed by Tesla. But I can at least confirm that, even in situations with zero connectivity, you should be able to perform basic commands like unlock and open trunk without data service.
I’m glad the people with this device are getting traction on using it with their HA, but holy hell this is a complete non-starter for me and I cannot understand why they got it in the first place. There’s no climate automation I would ever want that is worth a spying device connected to the internet and a spying app installed on my phone.
Probably more. Your app can use the local API then as well. And AWS is insanely expensive, especially if you forget to block log ingestion to Cloudwatch (ask me how I know).
I’m cynical so I assume they are turning a profit selling user data. So the lost money is not from AWS expenses but from not having installed apps to steal more data.
While at the same time closing all PRs indiscriminately, even the ones that are just trying to update the repo from its decades-old JavaScript syntax (and get support in the comments).
I hate adware and nagware, but I respect it here. From the get-go you know this is a space where this person gets paid. This is just an extension of that.
It’s damage control, they realised what they did was getting them bad PR since news of it started spreading so they are attempting to remedy the bad PR through damage control
Oh absolutely agree, but this is where they can use it.
The dev can say that they obviously need an official plugin, and work with them on that because now they have 1,800 clones of an unofficial one that may not be optimized.
We also get to know that our tiny HA community has hit a critical mass large enough to get a corpo to freak out a bit
I did my part and sent them a “do this and I’ll never buy a Haier product” email. Corporations exist to maximize profits. Communities like ours just have to learn how to make it clear to them that shutting us out will hurt their profitability.
I think we should all be really proud of ourselves. We banded together and, regardless of WHY Haier is doing this, got them to open a line of communication. This is a huge win!
The whole point of spreading the word about an incident like this is to get public attention on it, and make the company realize that the way they’ve handled things was bad.
A letter like this indicates that they’ve realized they fucked up and they want to do things differently going forward. That doesn’t mean they’re suddenly trustworthy, but it does mean they can be negotiated with.
The correct response is to accept the offer of working together. We want to encourage companies to be cooperative and discourage insular, proprietary behavior. If you slap away the offered hand then you discourage future cooperation, and now you’re the roadblock to developing an open system.
When you start getting the results that you want, don’t respond with further hostility.
Keep pummeling them. There’s no integrity behind this, and going along will just let them get away with their bad behaviour.
They played the “We’ll sue your ass off” card first. That means it’s already in the legal realm, they never even tried to work with the OSS community, they basically said “fuck you” until the community replied, very clearly.
Had the community not responded by replicating the repo 1000+ times, and making a story about it, they would’ve continued down the path of slapping the little guy around.
They now realize they can’t compete with potentially 1000 people working on this, against them. They also fear they’ve pissed off some technophile who has some serious skills or connections. Wonder if they saw a sudden increase in probes on their internet interfaces.
Exactly this. I understand the cynicism, but it ultimately doesn’t matter what the motivation of a company walking back a poor decision is. We take the chance for mutual collaboration and hopefully everyone benefits.
On an individual level, that’s when people can evaluate if they still want to boycott and do whatever their own moral compass demands. But refusing to work together at this point just means we definitely don’t get the chance in the future to steer things in a better direction.
And even if the cooperation doesn’t last, it’s an opportunity for the open source developers to work with the product engineers and get direct information from them right now. There’s nothing as valuable as talking to the guy that actually designed the thing, or the guy who can make changes to the product code.
Even if that relationship doesn’t hold long term, the information gathered in the short term will be useful.
If I were part of this project this is what I’d be going for. Push the company to give you direct contact with the relevant engineers, right now while the negative public opinion is fresh and they’re most willing to make concessions, and then get as much out of that contact as you can. Take them at their word, make them actually back it up, take advantage of the offer to cooperate. Sort the rest of it out later.
It was October 2018 and I had just completed a 3-month rehab program at a state addiction clinic in Sweden. I was unemployed, staying with family, and had basically nothing going on.
With no drugs or other vices to pass the time, the days seemed impossibly long. I struggled to find activities to fill them. I enrolled in school for a while, but it wasn’t for me this time either. Eventually I turned to programming, since it’s always been my big interest in life.
Until that point, my career had been focused on web browsers (WebKit at Apple & Nokia). However, I had always been interested in low-level things so I began tinkering with some of that. I wrote a little ELF executable parser… And an Ext2 filesystem browser… And a little GUI framework with an event loop…
Out of this tinkering, an operating system began to take shape. I chose the name SerenityOS because I wanted to always remember the Serenity Prayer. I was quite worried about my future at the time, and I figured that this name would help me stay on the good path.
My general idea was to build my own dream system for daily use. It would be a combination of my two favorite computing paradigms: the 1990s GUI and the no-nonsense command-line of late-2000s Unix.
If you’re on Firefox on desktop/laptop, check out Bypass Paywall [0]. It was removed from the Firefox add-on store due to a DMCA claim [1], but can be manually installed (and auto updates) from GitLab. The dev even provides instructions on how to add custom filters to uBlock Origin [2], so you don’t have to add another extension but still get some benefit.
Yeah, they can fuck off. When their opening salvo was threats and legal bluster, I don’t see why anyone should trust an alleged olive branch now. The right thing to do was not to send this email second.
I have to work with Haier in my business now as well ever since they bought GE. They’re a shitty company that goes back on their word constantly (at least within the B2B space), and nobody should be giving them one thin dime.
Respectfully, I disagree. Yes, indeed this first message is PR damage control, but there is something to be gained here for the FOSS community.
This backtrack sends the message out, discouraging other companies with legal departments from trying the same trick else they risk sales. If a positive resolution comes out of this (A. Andre’s project becomes officially supported by Haier with more features whilst being more efficient with API calls, or B. Haier develops a local API option) then it shows other companies there is value in working together with the FOSS community rather than viewing them as an adversary or as competition to be eliminated.
Nah, this is Haier trying to save face. They saw how the story went, that the repo was forked a thousand times in a few hours. They know their engineering team can’t win, long term, against dedicated, pissed off geeks.
Would they play nice with you if the tables were reversed? No.
They already played the legal card, engaging with them at this point would be extremely naive.
Fuck them. Now is the time to pummel them even harder. Making them eat their words is what will send a message to the rest of the jackasses designing garbage and tracking us relentlessly for access to what should be trivial to engineer features.
Generally, an engineer wants their product to work well and work efficiently. They put effort into a product, and it feels good to see people benefit from that work. The ones making the decisions have money on their mind. If a FOSS version of their paid platform costs them too much money, they will shut it down. Not because it was the engineers’ decision, but because the ones making the decision likely don’t even know what GitHub is and just know it’s taking away that sweet subscription money.
They both represent the company. The company came on strong all ban-hammery, the news flashed around, his repo got forked over a thousand times in a matter of hours.
Haier found themselves on the defensive suddenly, so they got one of their engineers to play nice.
They now know they have 300k users who are pissed at them. People are choosing other products over this already.
Fuck them. With a pineapple. Corporations aren’t people, I owe them no consideration, no courtesy, especially when they act like this.
Recently, we've observed a substantial increase in AWS calls attributed to your plugin, prompting the communication you previously received as standard protocol for our company, but as mentioned earlier, we are committed to transparency and keenly interested in collaborating with you not only to optimize your plugin in alignment with our cost control objectives,
i get it; their amazon account gets hit hard by some plugin data stream, they trace the source and kill it for monetary reasons. makes total sense. handled terribly, but still, i also completely understand getting some giant bill from amazon and freaking the fuck out.
Blacklists like these aggressively and unapologetically collect all privacy-focused email domains they find, including simple forwarding and tagging services. With more and more sites using these lists to reject or black-hole email addresses, it has become difficult to protect oneself from spam and cross-site account tracking.
Dear web developers, please don’t use these lists. Well-intended or not, they are privacy and user-hostile.
Devs can use them to block DISPOSABLE mails, not PRIVACY legitimate emails. That’s why it is critical to remove privacy-oriented email domains from such lists.
I’m okay with people using burner email addresses to get my free content, I just need to be able to filter them out of my list so it doesn’t drive up bounces and hurt deliverability.
AWS SES, for example, is fucking rabid about bounces. Being able to filter out addresses you know are going to bounce is pretty important.
Can a list like this be used for anti-privacy measures? Absolutely! Does that mean we should never create lists like this? For me that depends on whether or not you think we should prevent encryption because bad actors can use it for bad purposes.
You’re getting into very sketchy territory by saying a dev who is using a public GitHub repo to solve their problems needs to take it down because of how others are abusing it. Should the original dev be punished by their email provider because they shouldn’t be allowed to use this? Should anything that has potential harm be required to be a private repo? Who gets to decide all of that?
In the interest of specifics, can you point to where this specific list has done harm? I spent a fair amount of time looking around to make sure I wasn’t going out on a limb for someone with neutral views.
You’re getting into very sketchy territory by saying a dev who is using a public GitHub repo to solve their problems needs to take it down
No, I don’t believe I said any such thing. Since you mention it, though, I think taking this list down and removing the false positives before bringing it back up would be the responsible thing to do.
In the interest of specifics, can you point to where this specific list has done harm?
I know from personal experience and investigation (both as a user and on the admin side) that there are now many cases of privacy-focused email addresses being rejected, or even worse, accepted and then silently black-holed, due to the domains being inappropriately added to lists like this one. I don’t know of a place where people report such cases so they can be documented in aggregate, but if I find one, I’ll be sure to bookmark it in case your question comes up again in the future.
So you’re lumping this resource into a bucket with other resources that were malicious but you have no direct connection from this resource to the harm you claim it causes? You’re saying a dev using this list to allow people to download free content but prune emails to save his bounce rate is doing bad things and needs to convert their FOSS use-case to yours?
Who gets to decide? You didn’t answer that and in the interest of good faith I’ll pull that one down as the important one since it follows from the argument I feel you’re making.
You’ve ignored my questions attempting to flesh out your point and refuse to link this specific list to anything bad. I don’t think you understand good or bad faith. Good luck with that!
I feel like having different attributes for each domain might be helpful so that those services using the list can filter for just the things they care about such as burner emails, anonymous registration, whether it requires any email/phone verification, etc. Right now domains kind of have the problem of just being on the list or not, with no indication on why they might be a problem.
The beauty of open source code is that you can fork this project and add that. The repo maintainer seems to have a simple litmus test for whether or not something should be on the list: is it something that will cause a bounce for email distribution? That’s a really subjective test so you kinda have to talk to the repo maintainer about answering it. I suspect they feed it into a library, perhaps one of the ones linked, for use with their platform, so their problem is most likely solved.
When you have privacy settings, what you really have is a lie.
It starts out with good intentions, like those in this post, but eventually everyone forgets that the platform still sees your posts and does not give a shit about selling them.
I would rather acknowledge from the very beginning that this entire system is not private, so there is never such a misunderstanding.
Everyone should post and comment with caution, just like you use caution with what you say in public places.
The way you use caution saying something in a public place that you don’t want everyone to hear is by keeping your voice down so that only certain people can hear it. Without privacy settings there is no equivalent to that.
Sup. And all this data would still be federating, it has to be. That just means that some data-collecting company could make a fake instance and get everything together. Or someone could just fork it back.
Yes and they implement EVERYTHING in house. In case you haven’t heard, they also started implementing a browser engine from scratch (ladybird.dev) just for fun. It kinda took off and they even got some nice donations, just to keep it going and see where it leads.
The “founders” YouTube channel is quite interesting. Especially the monthly update videos if you want to keep up to date with the latest developments. inv.tux.pizza/channel/UC3ts8coMP645hZw9JSD3pqQ
The browser was at first only available in SerenityOS itself but lately is available as a standalone program running on other OSs as well. It’s still pretty early days, I am excited to see where all this leads tho!
It’s a work in progress. Most sites won’t work but some do. Check out this latest development update video: inv.tux.pizza/watch?v=giq5iXJntgQ&t=911 That link leads directly to the “demo segment” where he opens some sites.