What is wrong with CQC?
- Thread starter Dean Roddey
- Start date
Dean Roddey
Senior Member
No, I'm not joking, and to know to turn the off switch off or to put into place serious protections you'd have to read the documentation and put in some effort to learn what's safe and what's not, which this thread sort of shows is not that likely since it takes a fair amount of learning curve. That's why there are so many homes out there that are dangerously exposed, and lots of hardware devices that are pretty much gateways into people's homes. It's a real problem. Given that most people would probably end up using it from outside the house, the issue is considerably worse.
Browsers typically use at best digest authentication, which is pretty trivial. If they are willing to learn about public key encryption and certificates they can set up their server so that at least their clients know they are actually talking to their real server, but most people would struggle with that. I struggled with it quite a bit myself. And that does nothing to protect the server from clients. Putting a certificate on the client for reverse authentication isn't much use since if the phone is stolen, then they have it.
You could do a little better with Websockets, but that didn't exist (fully baked) until relatively recently and wasn't supported by us to much more recently still. And Websockets requires an ongoing up connection to the server, which for many out of the house uses isn't necessarily practical. Something like simple, stateless HTTP query/response is probably more practical, but then you are back to trivial authentication.
Hey, Mr. Automation System Guy, my lawyer says you sold me a Trojan horse that let some hacker flood my house.
Browsers typically use at best digest authentication, which is pretty trivial. If they are willing to learn about public key encryption and certificates they can set up their server so that at least their clients know they are actually talking to their real server, but most people would struggle with that. I struggled with it quite a bit myself. And that does nothing to protect the server from clients. Putting a certificate on the client for reverse authentication isn't much use since if the phone is stolen, then they have it.
You could do a little better with Websockets, but that didn't exist (fully baked) until relatively recently and wasn't supported by us to much more recently still. And Websockets requires an ongoing up connection to the server, which for many out of the house uses isn't necessarily practical. Something like simple, stateless HTTP query/response is probably more practical, but then you are back to trivial authentication.
Hey, Mr. Automation System Guy, my lawyer says you sold me a Trojan horse that let some hacker flood my house.
The Department of Homeland Security also has recommendations for securing your web brower. https://www.us-cert.gov/publications/securing-your-web-browser#why
I looked at CQS a couple of years ago in search for a replacement for Homeseer because the later did not support HAI. I liked what I saw but stopped short from committing because I did not see an easy way to implement my own drivers. It may be easy, I don't know, but based on the information available at the time, it did not look like that. Eventually I have switched to Haiku which has the best app for HAI and solves the UI issue that Homeseer had, the API is json based, so it was easy to figure out.
I think CQS is a great HA software though, based on its functionality and reliability. Unfortunately, I think the world is heading towards a different concept of home automation, and we may soon loose all these great DIY products that we now are taking for granted and having a discussion about, such as this thread. They will be replaced by chinsy IoT gadgets, each with their own app that runs in the cloud and sucks your data. If you follow Leviton on twitter, you can easily imagine them shutting down HAI controller line and going the way of the winks and nests, because that is what attracts money from the investors (your data, and not your satisfaction, being the primary interest).
It is amazing to see how the whole companies are started these days to implement a single automation function (like water your plant via the phone, or get a notification when the door is open) at ridiculous valuations, and if you price every thing you can do with CQS at those numbers, it may end up with a price tag like a zillion dollars.
I think CQS is a great HA software though, based on its functionality and reliability. Unfortunately, I think the world is heading towards a different concept of home automation, and we may soon loose all these great DIY products that we now are taking for granted and having a discussion about, such as this thread. They will be replaced by chinsy IoT gadgets, each with their own app that runs in the cloud and sucks your data. If you follow Leviton on twitter, you can easily imagine them shutting down HAI controller line and going the way of the winks and nests, because that is what attracts money from the investors (your data, and not your satisfaction, being the primary interest).
It is amazing to see how the whole companies are started these days to implement a single automation function (like water your plant via the phone, or get a notification when the door is open) at ridiculous valuations, and if you price every thing you can do with CQS at those numbers, it may end up with a price tag like a zillion dollars.
Maybe good advice for browsing those Russian porn sites, but you can put your guard down a bit when just connected to the server in your home.BobS0327 said:
If you are very paranoid and have your own domain, get a cheap SSL certificate for your server. Or you can turn on the VPN. Its built into Macs and I think Windows as well, and phones and tablets support that also.
NeverDie
Senior Member
As an aside, not long ago I started a cocoontech thread to both cast a wide net and share information while researching how to bulletproof my browser. However, as you can tell from the relatively low view count, the topic doesn't yet seem to resonate much with home automation users: http://cocoontech.com/forums/topic/27552-most-secure-web-browsing-without-sacrificing-functionality/
Without it, your wife and/or your kids will eventually unwittingly thwart your protections and open the door to a blackhat. That said, I don't see much motivation for a blackhat to run riot with your automation system, unless there's money in it (e.g. a new form of ransomeware, as yet unrealized?)
Without it, your wife and/or your kids will eventually unwittingly thwart your protections and open the door to a blackhat. That said, I don't see much motivation for a blackhat to run riot with your automation system, unless there's money in it (e.g. a new form of ransomeware, as yet unrealized?)
The best sales pitch is that HA can save you money on lighting energy. With the consumption of good LED bulbs today even a $5 mechanical timer would never pay for itself in most lifetimes. I could just leave my lights on 24/7, cheaper, if I had a better blindfold to sleep with.
Years back when the programmable thermostats came out they made claims you could save 25% on your heating bill. This turned out to be closer to about 2-3%, if you are lucky, and spend more than that on equipment. Nest is pitching to an educated audience and mostly only selling to the techie geeks for it's "coolness", now. Most of us know the energy saving thing doesn't really happen by sitting in a cold house every evening after work
It's not hard to get into HA about $5k deep but it's really hard to break even on your investment, if not impossible. Selling the concept comes back to "great hobby and will absorb most of your time" and "It's cool" "You can impress your friends". Not a big calling card.
Years back when the programmable thermostats came out they made claims you could save 25% on your heating bill. This turned out to be closer to about 2-3%, if you are lucky, and spend more than that on equipment. Nest is pitching to an educated audience and mostly only selling to the techie geeks for it's "coolness", now. Most of us know the energy saving thing doesn't really happen by sitting in a cold house every evening after work
It's not hard to get into HA about $5k deep but it's really hard to break even on your investment, if not impossible. Selling the concept comes back to "great hobby and will absorb most of your time" and "It's cool" "You can impress your friends". Not a big calling card.
NeverDie
Senior Member
A lot of home upgrades get done that have no chance of ever breaking even: swimming pools, room expansions, a new kitchen, better landscaping, you name it. You may get some of your money back when you sell, but from what I've read almost never all of it, and sometimes very little of it. People mostly know that and do it anyway for other reasons, like improving their quality of life, or coolness like you said, or whatever. Also, compared to the cost of many, if not most, other home architectural upgrades, $5K isn't much. That said, I think most people would expect home automation that costs $5K to work pretty much flawlessly, much like most alarm systems do.LarrylLix said:The best sales pitch is that HA can save you money on lighting energy. With the consumption of good LED bulbs today even a $5 mechanical timer would never pay for itself in most lifetimes. I could just leave my lights on 24/7, cheaper, if I had a better blindfold to sleep with.
Years back when the programmable thermostats came out they made claims you could save 25% on your heating bill. This turned out to be closer to about 2-3%, if you are lucky, and spend more than that on equipment. Nest is pitching to an educated audience and mostly only selling to the techie geeks for it's "coolness", now. Most of us know the energy saving thing doesn't really happen by sitting in a cold house every evening after work
It's not hard to get into HA about $5k deep but it's really hard to break even on your investment, if not impossible. Selling the concept comes back to "great hobby and will absorb most of your time" and "It's cool" "You can impress your friends". Not a big calling card.
pete_c
Guru
Software automation here is a hobby and treated as said. The only value it adds (ROI) is keeping me busy; so it's a virtual ROI.
I don't use the software to manage my lighting these days rather its the OPII (as legacy as it is today). I never look much anymore.
My OmniPro II panel does keep the heartbeat of the home just fine without ever touching it or watching it or remote controlling with my cell phone. I still like walking up and turning on a light/lamp via a light switch in a room. I do trust it to function without my interaction if need be.
The software text to speech stuff is mostly ignored these days except when we have guests and has been turned down a few notches over the years; well and bugging my wife. Today my consoles have Microsoft SAPI and do their own stuff or whatever the mothership tells them to do.
I want what I do not see yet and that is a virtual AI entity that appears on my consoles and can converse and do stuff on it's own (but under my control).
Geez it was already on television shows in the 1960's and here we are now 50 years later and do not have it...well there are no hotels in space yet....ridiculous how slow technology is moving these days....
I don't use the software to manage my lighting these days rather its the OPII (as legacy as it is today). I never look much anymore.
My OmniPro II panel does keep the heartbeat of the home just fine without ever touching it or watching it or remote controlling with my cell phone. I still like walking up and turning on a light/lamp via a light switch in a room. I do trust it to function without my interaction if need be.
The software text to speech stuff is mostly ignored these days except when we have guests and has been turned down a few notches over the years; well and bugging my wife. Today my consoles have Microsoft SAPI and do their own stuff or whatever the mothership tells them to do.
I want what I do not see yet and that is a virtual AI entity that appears on my consoles and can converse and do stuff on it's own (but under my control).
Geez it was already on television shows in the 1960's and here we are now 50 years later and do not have it...well there are no hotels in space yet....ridiculous how slow technology is moving these days....
I use CQC so I did not vote in your poll, I think the PC based software Automation market is a dying market. I believe that the younger generations use traditional computers far less and that phones and tablets meet their needs. I think to survive in this space a company needs to build home automation appliances that connect to everything they control as painlessly as possible. I would like to see a poll of the average age of users of software programs like CQC, I am about a month and a half away from turning 55.
Dean Roddey
Senior Member
The whole IoT is one reason we have to be so careful about maintaining the kind of security and 'measure ten times, cut once' stance we do, because the commercial world will remain an area where products like ours are necessary. That in some ways may make it less interesting in the DIY world. But, if the DIY world (which was already small) is heading towards the uber-commodity, simplistic, bubble gum margins world, that's going to make it all the more important that we maintain that sort of position.
And certainly even in the residential pro install market, people having systems installed are typically going to go with more serious automation products. But, there also, the same security and Ps/Qs approach is necessary, because it's the installer's time and reputation on the line.
We don't get a huge amount of commercial work currently, but I imagine we make as much on that as we do from the DIY market, and only have to deal with a handful of people to do it.
This is not to say that CQC won't, in a round about way, compete in the lower end, hub based world. Now that Windows 10 is almost being given away, and it's on things like the Pi2 and others, some folks have expressed interest in using it (in a very fixed function way) as the engine in a hub type product. It wouldn't have been practical before, where for cost reasons it would have been Linux or nothing. But now it's reached a point where, with Windows 10, CQC could be the engine behind various things which only expose a small, focused portion of its functionality.
And I guess that, once advantage to our having structured the product in a very non-monolithic way, is that it becomes much easier to deploy anything from a very simple to a highly complex solution with the same product. If you make a simple product you can only attack simple problems. But if it's powerful but flexible and componentized then you can deploy the same product to solve problems at numerous levels.
Of course some folks might say well, why don't you do that now. But we just don't have the manpower to do that ourselves, particular on the hardware side. But now that other people are considering doing that part of it, and just licensing CQC, it becomes practical. And they can handle the marketing and documentation targeted towards that sort of product as well (and likely do it way better than us.)
And certainly even in the residential pro install market, people having systems installed are typically going to go with more serious automation products. But, there also, the same security and Ps/Qs approach is necessary, because it's the installer's time and reputation on the line.
We don't get a huge amount of commercial work currently, but I imagine we make as much on that as we do from the DIY market, and only have to deal with a handful of people to do it.
This is not to say that CQC won't, in a round about way, compete in the lower end, hub based world. Now that Windows 10 is almost being given away, and it's on things like the Pi2 and others, some folks have expressed interest in using it (in a very fixed function way) as the engine in a hub type product. It wouldn't have been practical before, where for cost reasons it would have been Linux or nothing. But now it's reached a point where, with Windows 10, CQC could be the engine behind various things which only expose a small, focused portion of its functionality.
And I guess that, once advantage to our having structured the product in a very non-monolithic way, is that it becomes much easier to deploy anything from a very simple to a highly complex solution with the same product. If you make a simple product you can only attack simple problems. But if it's powerful but flexible and componentized then you can deploy the same product to solve problems at numerous levels.
Of course some folks might say well, why don't you do that now. But we just don't have the manpower to do that ourselves, particular on the hardware side. But now that other people are considering doing that part of it, and just licensing CQC, it becomes practical. And they can handle the marketing and documentation targeted towards that sort of product as well (and likely do it way better than us.)
"Honey. Can we watch a movie on the media centre tonight?"
"Not tonight dear, I am testing some new HA stuff and if a phone call comes in and we become CPU bound I am afraid the sump pump detection program won't work and the house will flood."
"I thought this super CPU was multi-tasking?"
"It is but movie stream, MP4 decrypting, Home automation, VOIP, my VB9.8 compiler, and some of the bit-torrents I am downloading really taxes the virtual memory handler. We need to upgrade to a 256 bit virtual address bus memory bank switcher that the Municipal Processing Utility has approved for residents over the next few months as a trial."
"Remember the last time we bogged the CPU down our car wouldn't start in the morning with a dead battery and we couldn't call the taxi company to get to work or even call in late to work because the VOIP didn't work.?" We don't want that to happen again.**SIGH**"
" I wish they would bring the price of CPU's down so we could have a smaller processors to handle each task. Think of the interdependence reliability!"
"Oh well! You can't fight CPU Hall!"
