Comment by Tepix
3 days ago
Right now it's just a blob that you flash to your device to make it talk to a proprietary service. It is not yet "giving me complete control over my device data and settings." I can't change where it comnects to etc.
In fact - I don't even see a privacy policy on nolongerevil.com!
Hey, I can login at nolongerevil.com using my Microsoft-owned github login! And there's yet another company involved: clerk.com - yay?
"We are committed to transparency and the right-to-repair movement. The firmware images and backend API server code will be open sourced soon, allowing the community to audit, improve, and self-host their own infrastructure."
I look forward to it.
PS: Sorry for being so negative... perhaps the release should have been delayed until all of this is opened up.
I don't get the hate, it looks like they reverse-engineered the nest thermostat and wrote a firmware for it? That's super cool and the fact that an open source project doesn't have a privacy policy yet doesn't really matter at this point
> ...looks like they reverse-engineered the nest thermostat and wrote a firmware...
Not to diminish what this project has done, but they modified existing firmware to make it communicate with a different server. They've also implemented a server for the thermostat API.
It's pretty neat but, at this point, it's just a hacked firmware that talks to a different proprietary server.
Edit: It's not even a modification to the firmware binaries. They're just injecting /etc/hosts entries into the firmware[0]. If the Nest device just uses DNS to resolve these names then you wouldn't even need to modify the firmware-- just point it at a DNS server that's authoritative for the necessary names.
[0] https://github.com/codykociemba/NoLongerEvil-Thermostat/issu...
Does it not use TLS? Wouldn't the Nest have to trust a CA willing to issue certificates without proving ownership?
6 replies →
Piling-on to my comment here: They're using an exploit to get access to the filesystem of the device: https://wiki.exploitee.rs/index.php/Exploiting_Nest_Thermost...
It’s the “no longer evil” marketing without actually proving that “no longer evil.com” is in fact … from from evil.
I was assuming that I could point the nest data stream & control UI to my own hosted thing on eg my local NAS or docker farm. That’s what I think would warrant the moniker “free from evil” in this kind of strong privacy preserving marketing.
If they really want to show that they're building something that protects user privacy, they'd open source their backend server, and make it possible and easy to self-host it and point the modified firmware[0] at your own instance.
[0] They didn't write their own firmware; they hacked the stock firmware to redirect traffic from Google's servers to their own.
Edit: looks like they plan to open source the backend and enable self-hosting "soon". Hopefully that comes to pass!
Running open-source firmware someone's hacking on (which gets little to no testing) on a gas appliance that can burn your house down is probably not the best idea.
If you are paranoid about Nest being evil maybe stick to one of those Honeywell round hockey-puck things with the mercury inside.
Or use a Z-Wave/Zigbee thermostat from a reputable vendor (there aren't many) and control it from a gateway of your choice.
This is for people who have already bought a nest and got burnt by the deprecation of their online services. Of course they could get another thermostat but then that'd just be more stuff for the landfills.
4 replies →
It doesn’t just not have a privacy policy yet, but it’s not actually open source either. Honestly they probably fully intend on doing it, but it is important to point out that it is not yet open source.
> Open Source Commitment
>We are committed to transparency and the right-to-repair movement. The firmware images and backend API server code will be open sourced soon, allowing the community to audit, improve, and self-host their own infrastructure
> PS: Sorry for being so negative... perhaps the release should have been delayed until all of this is opened up.
This is one of the major problems with doing anything good online. People like this.
Hey, this is just normal behavior in the dark forest of proprietary software- if good things happen, they are out to get you, some angler out to get you.
Don't let perfection be the enemy of good