IMO a company should lose all control over technology once you've purchased it. Doesn't matter if it's "smart" or not. If the company wants to do something like telemetry, they can buy a license from you for that data. See how they like it when the tables are flipped.
Can't you trivially reframe the initial purchase as being subsidized by that license? Your $200 smart knife sharpener would be $300 if it weren't recording audio 24/7 (for VAD, surely!)
Then I invite them to offer such a product. I would love to buy e.g. YouTube premium, but as far as I know they still collect my data for advertising purposes, they just don't show the ads.
I think you frame it that way you need to offer the other version.
I do wonder how many people would buy non-spy versions of devices given the option. More specifically, what that differential in price would be too. At worst it would be interesting to have a price explicitly stating what our data is worth. Many people actually internalize that it's not that valuable, but doing this would make it explicit.
> I do wonder how many people would buy non-spy versions of devices given the option.
Depending on the discount for the spyware version, I'd guess close to zero. The general public has become completely numb to being spied on. It's hard to get someone to give up $50 (a real cost) for something nebulous like "very slightly less of your life is known by marketing companies".
I do not think the value difference is $100 ;-) In fact, the longer you use it, the more money they can make off of you. (In that sense, that $200 is already WAY too expensive to start ;-) )
So yeah, reversing this would make the most sense. The default is: local data only and not connected. They need to pay me to get data.
Just like car companies, phones, etc, should be forced to do that as well.
Sure, that's basically how Kindle pricing works ($X with ads, or $X+$Y without ads) and it's infinitely better having the choice. If Amazon ever gets rid of the without ad version they will lose me as a customer overnight.
Likewise, there are a whole lot of products that don't have an "unsubsidized" version that I simply refuse to purchase (or have purchased and returned after confirming that they will not work when locked in IOT jail where they can't talk to the internet.)
I would encourage you to partake in sharing files with your neighbor, and on the occasion you feel strongly you want to support something, get that subscription for a month or buy some merch or similar to show you really appreciate what you watched.
>If Amazon ever gets rid of the without ad version they will lose me as a customer overnight.
Didn't they already remove the option for a completely ad free prime video experience or am I hallucinating that? They have such a ridiculous hold on the e reader market I feel like it is just matter of the next down quarter.
They seem to own 75% of the market, and I think you can get pretty much every book on every device, right? Of course your existing library is locked-in; ideally, that'd be illegal.
Worse - they actually can remove books that you've purchased. Not only revoke license for future downloads - but actually remove them from your device.
We’ve lived with companies that didn’t need to take pics of my dick while I’m shitting to subsidize their operation for as long as companies were a thing. Anyone saying this dick pic status quo is inevitable and necessary is too VC-brained to be allowed to run a company.
Once again, I'm amazed some HN readers, like yourself, are unfamiliar with the basic tenets of the GDPR. (Hint: A company cannot provide a service on the condition that you provide unnecessary personal data or consent to spying)
If you work in a tech field, there is simply no reason for such ignorance.
It's not, things haven't gotten that much relatively cheaper (have you looked at phones? The biggest pieces of spyware you can buy?). This is a line corporations like to feed us so we feel guilty about being bad instead of putting that where it belongs: every CEO.
I haven't tried it personally because my particular model of vacuum has some complicated and potentially destructive procedure to get the required access, but there's quite a few models where it can be installed easily.
From my understanding (I might be wrong) the images are pre-built by the owner of the project right? I remember there being a form you fill and you receive a download link.
If that's the case what guarantees do I have there's no "funny business" on the image?
> ... because my particular model of vacuum has some complicated and potentially destructive procedure to get the required access
This right there is the root of the entire problem. We had IBM PC clones that you could recover and keep running for decades by easily replacing expansion cards, HDDs, RAM sticks, peripherals and even circuit components like caps, ICs and batteries. We used to partition our 50 GB HDD into a dozen little partitions and multiboot every conceivable OS out there. Now we have an oligarchic dystopia where even RAMs and batteries are soldered on and bonded with single-use resins instead of age-old screws. Even if you get through, you can't salvage or swap ICs because they're paired individually at device level. You can't reach the boot partition without a Ph.D in RevEng and a risk of still bricking the device 3 out of 4 times. And that's all for technological progress and security, they say! Those claims have as much credibility as their claims to making an honest living. It's weasel-speak, not engineering insight.
Modifying the device that you paid for should never be this complicated. Those greedy corpos are usurping the consumer's rights and wealth, plain and simple.
> (I have no skin in this game --- my vacuum is as dumb as they come, and can be fixed with basic machine shop tools.)
The real question is, is that still an option? If it is, then for how long? Sadly, there are several other product lines that have entirely crossed that line a while ago.
"From there, he built a Raspberry Pi joystick to manually drive the vacuum, proving that there was nothing wrong with the hardware."
He should make these and sell them. It would be worth it to just drive it in "discovery" mode and give it the exact path to follow while cleaning. The constant inability to learn the floor plan is beyond annoying.
Depending on where he lives this might be illegal. Yes, we live in a cyberpunk dystopia where the manufacturer can break what you bought and then send you to jail for repairing it. You can read more about it here: https://consumerrights.wiki/w/Digital_Millennium_Copyright_A...
This shit is absolutely dystopian. The law must not just be reversed, manufacturers need to be taken to court for shoddy software. Insecure data collection and transmission should be treated the same as having unsafe electrical wiring. It is a defect that needs to be either fixed or the product recalled. As long as manufacturers are not just allowed to but rewarded for selling defective products this won't change. I expect the moment unsolicited data collection becomes a liability manufacturers will drop it like a hot potato.
>>>>> I expect the moment unsolicited data collection becomes a liability manufacturers will drop it like a hot potato.
Possession of the data needs to be illegal.
Here's how it could work. It's similar to how copyrights for music are enforced. A person whose data are found in someone's files or server can sue for "statutory" damages, which are levied on a per-offense basis.
>Here's how it could work. It's similar to how copyrights for music are enforced. A person whose data are found in someone's files or server can sue for "statutory" damages, which are levied on a per-offense basis.
That's not how copyright lawsuits work though. For the typical person torrenting, it's because they were caught in the act of torrenting (eg. they had a torrent client in the swarm connecting from an ip that was assigned to them). Otherwise it's a DMCA takedown and companies don't even bother suing. Nobody is getting their hard drives searched for illegal music and getting sued as a result.
That's right. I'm not talking about copyright, but about a new restriction on possession of the data. The only parallel is the use of statutory damages as a remedy.
What are the odds individuals learn their data has been found. What kind of damages could be awarded that would make hiring a lawyer and giving them 50% of winnings a worth while effort? I could also easily see individual cases combining to become class action reducing the winnings even further.
In other words, I find this a silly suggestion as it's just never going to work in the real world.
I seem to find out my data has been leaked in a breach every other month. I don't even care if I actually get the money for it, let it go to the class action lawyers. Life is good so long as the companies pay more than they make by holding the data.
There's an exemption from Section 1201 for "Computer programs that control devices designed primarily for use by consumers for diagnosis, maintenance, or repair of the device or system".
Are you allowed to share how you repaired the software? Because if not then what I said stands, he cannot sell these little Raspberry Pis or publish information on how people can build them themselves. That's one of the problems Louis Rossmann has been talking about in regards to the FULU bounty program.
I see in the "final rule" for 2024 (PDF) a section titled "11. Computer Programs—Repairs of
Devices Designed Primarily for Use by Consumers", although it seems to indicate that nothing changed, as opposed to telling you what stayed the same.
Never connected my Roomba to the internet and it has worked fine for the past several years. It insists that I should connect to it via the app to resolve the occasional minor issue, but I would always ignore those. It's starting to show its wear and it's probably time for a new vacuum. I'm not sure if I'll be able to bootstrap one without connectivity, nowadays. Any good recommendations out there?
Valetudo is the best out there. I rooted my Roborock, and connected it my home assistant. It's super useful without having to send data to the cloud. The only thing is the developers are severely limited by how many vacuums they can support. I recently bought a Dreame X50 and it's still not supported.
> I wish I had the abilities of the engineer, plus the time he could devote to the problem.
Ability is a matter of patience and persistence. And both are the results of motivation. Anyone can learn anything as long as they really want it. (barring disabilities like depression that destroy motivation. But some people use even that as an opportunity to learn new skills that in turn help them recover.) But Time is an entirely different matter. You can find time if you really want to, but life has other priorities too - including time doing nothing (rest). Finding the extra time in between all that will depend on your craftiness. That's the true skill here.
Thankful for people like this - with kids and family and work I’d probably have had this sit bricked for a year in my garage before finding time to tinker with it. Now I can just never buy any iLife product ever.
There is a significantly easier option (although still more work than just buying a vacuum and using it as the manufacturer intended): get one of the Valetudo supported vacuums[0]. This firmware replacement blocks telemetry and allows for near complete feature parity with the original firmware, and flashing is (usually) relatively simple. Certainly much simpler than the process described here.
Sure, but a cleaner coming twice is the same cost of a robot vacuum that will work for a couple of years, typically. They do an okay enough job, but they need to run daily, sometimes twice a day, to really keep up considering it's limitations.
People obviously find them useful. But I will reiterate a sibling comments recommendation, get one that can run Valetudo : https://github.com/Hypfer/Valetudo
When I bought my Roomba in 2013, it cost as much total as I pay my cleaning ladies to come once every two weeks. If your floors get dirty easily, it's not really going to get them spotless, but it'll get them far cleaner than they'd otherwise be.
But the cleaners do more than the floors. Vacuuming takes me about 20 minutes once a week. I don't really see the point when I live in a 2 bed apartment.
Considering some of these things can cost almost £1000. This firmly then lives in the total waste of money pile then. I will stick with my £50 tesco vacuum thank you.
I think it’s one of the most idiotic devices anyone could own. Buy a normal vacuum cleaner for half the price, spend 10 minutes a week vacuuming your apartment, and you won’t come home and find that your cleaning robot spent the afternoon choking on a shoelace.
> Buy a normal vacuum cleaner for half the price, spend 10 minutes a week vacuuming your apartment
You obviously don't have a pet or a baby.
Make that 15 minutes of vacuuming AND mopping 3 times a day for a baby.
Suddenly it seems very attractive to have a clean house while not having to find the time during the baby's sleep and nap time to do it manually.
You could argue the same for a dishwasher:
I used to only use a single fork, glass and pot (eat out of the pot). A dishwasher seemed like the most idiotic device anyone could own if that's all you need to rinse every day.
Until of course you add more people to that equation...(and maybe cook more than just pasta)
Because it is relatively expensive, totally unnecessary and decadent and probably doesn't do a particularly good job (as people have admitted in their replies to me).
Additionally much like people ubering a McDonalds when the drive through is less than a 2 minute drive away. It actually causes additional headaches (food is more likely to come col and/or incorrect) and complications that don't exist with simply just spending a few minutes not being lazy is actually easier.
Hypothetically, some people who own such an idiotic device might have pets that bring in lots of dirt from the fields, lose lots of hair, and get a little bit agitated by the normal vacuum cleaner but more or less ignore the robot vacuum.
Cats aren't that bothered by vacuum cleaners unless you come at them with it and they normally just run into another room. Never seen a dog that bothered by them.
That's always a good idea, but how many people have the resources to research these details? First of all you have to be aware that this issue even exists. Then you have to scrape the corners of the internet for whether an appliance has any anti-features, because no manufacturer will ever write "collects unsolicited data about you, we will break the appliance if you refuse us your personal information" on the box. And finally you need to be able to afford the time and patience for the whole process.
I don't own a smart vacuum cleaner because the trouble is not worth it to me. However, I can see smart vacuum cleaners being very good for elderly or disabled people, or someone who has very limited free time and could let the robot clean the house on its own while the owner is out. It is really disgusting that scumbag manufacturers are exploiting those people.
I'm reminded of when AWS us-east-1 went down and all the beds made by EightSleep (business model: Juicero for beds) became disabled. EightSleep put all the significant control for their beds in the cloud, doubtless because they couldn't or didn't know how to hire embedded engineers, and the only devs they could find were node.js flunkies who only knew how to do cloud. Looks like the makers of this vacuum did the same thing; they didn't know how or didn't want to build just enough smarts to do the localization and mapping itself, and said "fuck it, we'll do it in the cloud".
That's awfully generous. Forcing phone-home, remote control, data harvesting features to be always-on creates a huge amount of data that can be sold for a lot of money. It gets all the wrong people excited about investing and normalizing the level of intrusion into your privacy, with some faceless corporation harvesting gigabytes of data per month from the most intimate and vulnerable physical location in nearly anyone's life.
Yes, I was thinking he needs an attorney to file suit against them for intentionally damaging his property, and then charge them for the 'repair' which would be the months he probably spent fixing it at a top grade engineering salary.
The owner did not hack the vacuum, he blocked the IP address on his network for the telemetry server. Same thing tons of people do with Pi-Hole DNS blocking, for example.
There's no sane world where it is defensible to remotely brick a device because it can't communicate with a telemetry server.
> There's no sane world where it is defensible to remotely brick a device because it can't communicate with a telemetry server.
Just today: Setting up an old smartphone: "Google assistant cannot work on this device." The only choice was "back". Had to search on the internet the solution: do not connect to wi-fi.
> As the business running the servers of smart vacuums, if I saw an atypical device reporting in, without context, I too would kill that device.
If you want to block a device from accessing your servers because it's behaving in an odd way, such as this one that was contacting the update server but not the telemetry server, that's not entirely unreasonable. Sending it a command to modify its software to stop it from operating entirely is outrageous.
Why would a business have the power to decide what should and what shouldn't be homogeneous about the property of others? A transaction took place, property has legally changed hands and the former owner is exerting control over property that isn't theirs any more.
How about if the builder of your house comes into your home via an access route unknown to you, and starts rearranging where things are placed, or where you and your wife are placed, etc. in order to maintain homogeneous layout?
> How about if the builder of your house comes into your home via an access route unknown to you, and starts rearranging where things are placed, or where you and your wife are placed, etc. in order to maintain homogeneous layout?
And if you complain he kicks you and your wife out of the house you bought. And if you dare to close off the backdoor he sends you to jail.
> How about if the builder of your house comes into your home via an access route unknown to you, and starts rearranging where things are placed, or where you and your wife are placed, etc. in order to maintain homogeneous layout?
I've seen this movie. Only, the twist was that the home was built 100+ years ago and the builder long since dead. The family living in the home currently had to resort to an exorcist.
Edit to say that the sarcasm is direct rebuttal with the preposterous nature of the hypothetical.
This is a cool article, and neat he got it working in the end.
One thing that is odd - if he blocked it calling home, it doesn't make sense that the kill code was issued remotely. It makes more sense that there is a line of code internally that kills the machine when it can't call home (which would be far less malicious).
That would in many ways be even worse because it means that if the manufacturer were to go out of business all of the stuff they sold would stop working. That's more malicious, not less.
He implied they were remoting in after he blocked network traffic. It could easilyl be a standard exception handling approache when it can't call home and fetch latest settings etc. It might not be malicious - not defending the architecture, just think that there is an assumption of intent here.
Whether they remote into his device or it kills itself is irrelevant except that if it's local code that's even worse, as they've programmed in future obsolescence. That is indefensible, full stop, do not pass go.
Well, no. You can't just revoke a license.
As far as owning the software in the device, I works would argue that you do own a copy of it. I'm sure there is some buried tos claiming you just own a license to run it, and I know this is still being litigated. But when the average person purchases someone their expectation is that they've purchased it, not licensed it.
I suspect this is not the full story. Why would someone waste their time manually disabling a device? That makes me think that this device was doing something malicous to their servers, enough to trip an alert.
To "encourage" the owner to re-enable the connectivity. Google threatens to ban your Youtube account if you block ads. Companies will go out of their way to nudge, push, or force you to keep the data collection (or ads) gravy train going.
I don't like it either but here we are
I want to buy privacy, but it's not offered.
I do wonder how many people would buy non-spy versions of devices given the option. More specifically, what that differential in price would be too. At worst it would be interesting to have a price explicitly stating what our data is worth. Many people actually internalize that it's not that valuable, but doing this would make it explicit.
Depending on the discount for the spyware version, I'd guess close to zero. The general public has become completely numb to being spied on. It's hard to get someone to give up $50 (a real cost) for something nebulous like "very slightly less of your life is known by marketing companies".
If you're buying a service and not a product, then the consumer has a right to know!
So yeah, reversing this would make the most sense. The default is: local data only and not connected. They need to pay me to get data.
Just like car companies, phones, etc, should be forced to do that as well.
Likewise, there are a whole lot of products that don't have an "unsubsidized" version that I simply refuse to purchase (or have purchased and returned after confirming that they will not work when locked in IOT jail where they can't talk to the internet.)
A couple of years ago, I subscribed to Peacock Premium (or whatever it was called). The selling point was access to all their library.
At that time, it was ad-free.
It is now packed with ads, and they want me to upgrade to “Peacock Squeal Like A Pig,” or whatever they call it.
Instead, I just canceled my subscription, and avoid any Peacock stuff, which isn’t difficult. They don’t have much I want to see.
I have a friend who pirates everything. I have always believed in paying for my media, but it’s become such a clusterfuck, that I can sympathize.
Didn't they already remove the option for a completely ad free prime video experience or am I hallucinating that? They have such a ridiculous hold on the e reader market I feel like it is just matter of the next down quarter.
Ironically they did that to 1984 book.
If you work in a tech field, there is simply no reason for such ignorance.
https://news.ycombinator.com/item?id=45503560
which points to the actual blog of the author on github, instead of a news coverage of it.
I haven't tried it personally because my particular model of vacuum has some complicated and potentially destructive procedure to get the required access, but there's quite a few models where it can be installed easily.
If that's the case what guarantees do I have there's no "funny business" on the image?
This right there is the root of the entire problem. We had IBM PC clones that you could recover and keep running for decades by easily replacing expansion cards, HDDs, RAM sticks, peripherals and even circuit components like caps, ICs and batteries. We used to partition our 50 GB HDD into a dozen little partitions and multiboot every conceivable OS out there. Now we have an oligarchic dystopia where even RAMs and batteries are soldered on and bonded with single-use resins instead of age-old screws. Even if you get through, you can't salvage or swap ICs because they're paired individually at device level. You can't reach the boot partition without a Ph.D in RevEng and a risk of still bricking the device 3 out of 4 times. And that's all for technological progress and security, they say! Those claims have as much credibility as their claims to making an honest living. It's weasel-speak, not engineering insight.
Modifying the device that you paid for should never be this complicated. Those greedy corpos are usurping the consumer's rights and wealth, plain and simple.
Good. You bought it, you own it.
(I have no skin in this game --- my vacuum is as dumb as they come, and can be fixed with basic machine shop tools.)
The real question is, is that still an option? If it is, then for how long? Sadly, there are several other product lines that have entirely crossed that line a while ago.
He should make these and sell them. It would be worth it to just drive it in "discovery" mode and give it the exact path to follow while cleaning. The constant inability to learn the floor plan is beyond annoying.
This shit is absolutely dystopian. The law must not just be reversed, manufacturers need to be taken to court for shoddy software. Insecure data collection and transmission should be treated the same as having unsafe electrical wiring. It is a defect that needs to be either fixed or the product recalled. As long as manufacturers are not just allowed to but rewarded for selling defective products this won't change. I expect the moment unsolicited data collection becomes a liability manufacturers will drop it like a hot potato.
Possession of the data needs to be illegal.
Here's how it could work. It's similar to how copyrights for music are enforced. A person whose data are found in someone's files or server can sue for "statutory" damages, which are levied on a per-offense basis.
That's not how copyright lawsuits work though. For the typical person torrenting, it's because they were caught in the act of torrenting (eg. they had a torrent client in the swarm connecting from an ip that was assigned to them). Otherwise it's a DMCA takedown and companies don't even bother suing. Nobody is getting their hard drives searched for illegal music and getting sued as a result.
In other words, I find this a silly suggestion as it's just never going to work in the real world.
https://bounties.fulu.org/
https://www.copyright.gov/1201/2024/
I see in the "final rule" for 2024 (PDF) a section titled "11. Computer Programs—Repairs of Devices Designed Primarily for Use by Consumers", although it seems to indicate that nothing changed, as opposed to telling you what stayed the same.
They have a list of supported vacuums
Ability is a matter of patience and persistence. And both are the results of motivation. Anyone can learn anything as long as they really want it. (barring disabilities like depression that destroy motivation. But some people use even that as an opportunity to learn new skills that in turn help them recover.) But Time is an entirely different matter. You can find time if you really want to, but life has other priorities too - including time doing nothing (rest). Finding the extra time in between all that will depend on your craftiness. That's the true skill here.
We should probably update this story to link directly to the hackers blog, they deserve the credit! https://codetiger.github.io/blog/the-day-my-smart-vacuum-tur...
[0] https://valetudo.cloud/pages/general/supported-robots.html
Maybe it is just me, but surely would be less effort to hire a cleaner and they can do more than just vacuuming.
I have a dog and need to vacuum at least once a day, currently.
Without a robot vacuum, Id go crazy.
You save the 20 minutes once a week.
That's it. That is the whole point. A slight convenience. I use one in a 1 bedroom apartment.
You obviously don't have a pet or a baby.
Make that 15 minutes of vacuuming AND mopping 3 times a day for a baby. Suddenly it seems very attractive to have a clean house while not having to find the time during the baby's sleep and nap time to do it manually.
You could argue the same for a dishwasher: I used to only use a single fork, glass and pot (eat out of the pot). A dishwasher seemed like the most idiotic device anyone could own if that's all you need to rinse every day. Until of course you add more people to that equation...(and maybe cook more than just pasta)
Additionally much like people ubering a McDonalds when the drive through is less than a 2 minute drive away. It actually causes additional headaches (food is more likely to come col and/or incorrect) and complications that don't exist with simply just spending a few minutes not being lazy is actually easier.
Ever been to Chesterton's Fence?
Hypothetically, some people who own such an idiotic device might have pets that bring in lots of dirt from the fields, lose lots of hair, and get a little bit agitated by the normal vacuum cleaner but more or less ignore the robot vacuum.
I don't own a smart vacuum cleaner because the trouble is not worth it to me. However, I can see smart vacuum cleaners being very good for elderly or disabled people, or someone who has very limited free time and could let the robot clean the house on its own while the owner is out. It is really disgusting that scumbag manufacturers are exploiting those people.
You see the same everywhere. Lawnmowers even. A goat is more user friendly.
I'm reminded of when AWS us-east-1 went down and all the beds made by EightSleep (business model: Juicero for beds) became disabled. EightSleep put all the significant control for their beds in the cloud, doubtless because they couldn't or didn't know how to hire embedded engineers, and the only devs they could find were node.js flunkies who only knew how to do cloud. Looks like the makers of this vacuum did the same thing; they didn't know how or didn't want to build just enough smarts to do the localization and mapping itself, and said "fuck it, we'll do it in the cloud".
Clearly automatic beds have some degree of embedded software. The decision to put the controls in the cloud was certainly a conscious one.
Isn't that the inverse of the Hanlon's razor? But I agree - the Occam's razor says that the inverse Hanlon's razor is most likely the case here.
There's no sane world where it is defensible to remotely brick a device because it can't communicate with a telemetry server.
Just today: Setting up an old smartphone: "Google assistant cannot work on this device." The only choice was "back". Had to search on the internet the solution: do not connect to wi-fi.
If you want to block a device from accessing your servers because it's behaving in an odd way, such as this one that was contacting the update server but not the telemetry server, that's not entirely unreasonable. Sending it a command to modify its software to stop it from operating entirely is outrageous.
Why would a business have the power to decide what should and what shouldn't be homogeneous about the property of others? A transaction took place, property has legally changed hands and the former owner is exerting control over property that isn't theirs any more.
How about if the builder of your house comes into your home via an access route unknown to you, and starts rearranging where things are placed, or where you and your wife are placed, etc. in order to maintain homogeneous layout?
And if you complain he kicks you and your wife out of the house you bought. And if you dare to close off the backdoor he sends you to jail.
I've seen this movie. Only, the twist was that the home was built 100+ years ago and the builder long since dead. The family living in the home currently had to resort to an exorcist.
Edit to say that the sarcasm is direct rebuttal with the preposterous nature of the hypothetical.
One thing that is odd - if he blocked it calling home, it doesn't make sense that the kill code was issued remotely. It makes more sense that there is a line of code internally that kills the machine when it can't call home (which would be far less malicious).
Would it be? Whether the line of code is on the server or the device, what's the difference?
(CFAA charges)