
#iot

6 posts · 6 participants · 1 post today

it's one thing to discontinue just one product - even that isn't good - but the entire lineup is a new level of bullshittery techcrunch.com/2025/07/10/belk

we really need a law that requires companies to opensource software and hardware of products they're going to stop supporting

TechCrunch · Belkin ends support for most Wemo devices and its Wemo app | TechCrunch
This is why I got frustrated with #IoT after many years of enthusiasm.

In an ideal world, all devices should seamlessly talk to each other, with no need for too many bridges, apps and intermediaries. Just like a Web browser doesn't need proprietary bridges and adapters to render a website over HTTPS.

And, in some sense, some devices do - those that properly implement the Zigbee protocol and (even better) Z-Wave.

Matter was that other thing that everyone used to talk about, too much and for too long, but as I expected a couple of years ago it didn't really happen, or at least not at a significant scale. That's because protocols and standards should come together organically, rooted in FOSS and blessed by the ISO/IEEE/IETF. Not scrapped together as an afterthought by a couple of big corporations that just want to solve the "how do I make my certified product talk to your certified product?" problem by proposing yet another competing standard, without even bothering to look at what solutions (like Zigbee/Z-Wave) are already working.

Unfortunately, despite my hopes, that standardization of the IoT landscape, that moment where everybody blesses and embraces the TCP/IP of IoT, hasn't really happened.

And the reason why it hasn't happened, and why most of the smart devices out there in 2025 still talk Wi-Fi over proprietary protocols, and require either a physical bridge or a virtual one in the form of a mobile app, and instead of wide compatibility offered by open standards they still rely on ridiculously outdated "Works with Alexa/SmartThings/Google Assistant" labels (which remind me of the "Works with Internet Explorer 6" GIF that many websites used to sport in the early 2000s), is the most boring one. It's because they want control.

A lightbulb or a switch that talks Zigbee can work with anything that supports Zigbee. You can flash an open firmware on a CC2531 microcontroller, plug it into your RPi, install zigbee2mqtt, and suddenly any open home automation platform (HomeAssistant, OpenHAB, Platypush...) will recognize it and allow you to control it.

This is amazing from a user's perspective, but it sucks from the perspective of a greedy business manager.

Because, if you can use HomeAssistant or Platypush to control your lightbulb, then the vendor can't make extra money by selling you a bridge.

They can't force you to connect another device to your network to sniff all that juicy Intranet traffic and send it back home.

They can't force you to install a mobile app that requires tons of permissions, so they can grab and sell your location data or your bathing habits to any data broker willing to pay for it every time you turn on the lights.

They can't lock you inside subscription plans, premium features or other recurring revenue traps.

They can't forcefully push background upgrades to your devices to make them even more effective in their primary task - spying on you.

In other words, giving you devices that work (and will always work) on top of truly open protocols means that these vendors will be akin to the retail shop that sells you a lightbulb because you need one, and doesn't expect to make any extra profits from it after your purchase.

And this idea is a nightmare for the current generation of business managers. WHERE IS MY YEARLY RECURRING REVENUE?? WHERE IS MY OWN ECOSYSTEM?? WHERE IS MY LOCK-IN AND UPSELL STRATEGY??

So that's why we've ended up in a state that is still as fragmented as it was 15 years ago. Because incentives were never aligned to force those vendors to put the user's interests at the center. And, when you don't have those incentives, products will inevitably and predictably enshittify over time.

To put in perspective how big of a tragedy this is: can you imagine a world where some geeks at CERN hadn't decided to put together HTTP and give it away to the world?

A world where the Internet experience consists of a bunch of closed and mutually incompatible apps instead of largely mutually-compatible browsers, each implementing their own competing transport protocols, each with their own convention for identifying resources (no URLs), each resource using different markup languages, each app supporting only a limited set of domains, and each of them available only on a subscription plan?

Because that's exactly where we are with the IoT. And things could have been much better than this.

But you know what's another often forgotten problem with this business model?

That when you're locked inside of somebody else's ecosystem, and you have no alternatives but to use their software and hardware to interact with those devices, then all it takes for your expensive smart devices to become trashware is a new business manager who joins the company and says "this product line is not profitable enough, we need to cut it".

And the sad part is that this will inevitably happen to all the smart devices that you purchase and that don't support open protocols - unless you're strongly confident that the company that produces them will still be around in 10, 50 or 100 years.

What happens after that decision is usually a well-rehearsed protocol. An email is sent out to all customers announcing that their products will be discontinued and abandoned, and that the app will be pulled down from all the stores.

And these emails almost try to make you feel guilty - "how come you haven't yet thrown away all the electronic devices in your home that you purchased 10 years ago to buy some new ones? How are we supposed to make money if there are people like you that don't keep buying new smart switches from us every year?"

These emails usually contain a quite dismissive "we're sorry about any inconvenience caused by this decision, but....BYEEEE!!!"

A deadline is provided for the complete end-of-life of your product, and by then you're expected to just throw a device made of environmentally hazardous plastics, rare earths and heavy metals in a landfill, and go to your local store to buy a new one - all because a clueless greedy guy who just came out of a business school, and to whom it doesn't matter if you produce IoT devices or biscuits made of stone, complained about profitability and recurring revenue.

Luckily, if you are a Belkin user who still has some WeMo devices, you can still rely on Platypush to control them.

I made a plugin a while ago to interact with those devices without the mobile app https://docs.platypush.tech/platypush/plugins/switch.wemo.html (and this was actually one of the first plugins I developed, as I purchased those plugs more than 10 years ago).

It previously leveraged ouimeaux (an open-source project to interact with Belkin products put together through some extensive reverse engineering), but eventually I incorporated most of that implementation in Platypush itself after ouimeaux was discontinued.

I can't make promises about maintaining this long-term because I no longer use those devices (but they're safely stored in a cupboard, not in a landfill), but I still have them around if anyone needs support for debugging stuff.

I wish that my industry was different. I wish that MBAs had kept clear of it. I wish that they had never tried to subjugate and pollute the purity of engineering with their perverse ideas on how to get rich while not giving people what they need. But here we are. So the best we can do is to reverse engineer and pirate the shit out of them, build and spread open and compatible implementations of their software and protocols, avoid all of their lock-in traps, keep your phone free of their crapware, and demand that hardware products that you install in your own home should only get obsolete when they physically break apart after several decades of continuous use - not because of software-enforced planned obsolescence.

There are some electrical sockets in my late grandpa's home that still do their job 80 years after being installed. I'd like my grandsons to also come to my house one day, and find out that the same devices that I use today are still working. Without me having to replace them every couple of years, without being locked out of them as soon as I stop paying for a subscription, and without me embracing the same technology used 80 years ago by my grandpa as an alternative. Otherwise we can't really call it progress.

#iot A SIM might seem like a small piece of the stack, but it controls everything from connectivity and compliance to cost and customer experience.
Choosing the best global IoT SIM: 7 essential considerations Internet of Things News
iottechnews.com/news/choosing-
via Instapaper

Internet of Things News · Choosing the best global IoT SIM: 7 essential considerations

My old introduction was very outdated, so it's time to reintroduce myself:
#introduction

Hi 👋, I’m Laura.

I am a transfeminine person, somewhat in the middle of my transition. 🏳️‍⚧️ #trans #transbubble

I spend a major part of my time as a Postdoc in computer science, working on embedded AI and low-power IoT communication. #cs #TinyML #IoT #academia #science

Outside of work, I am active in the local #queer center (board member, GER: Vorstand), I enjoy playing board games, and I listen to too many #podcasts.

Emergent Connext and PLAATO are partnering with companies like Microsoft and Telenor to help farmers and brewers better access and monitor their data networks. Using technologies like LoRaWAN and #IoT, these partnerships aim to make data collection and monitoring easier and more efficient, benefiting industries like agriculture and fermentation-based production.

iottechnews.com/news/how-farms
via Instapaper

Internet of Things News · How farms and breweries are using practical IoT to stay connected
From farms using LoRaWAN to monitor crops to breweries using PLCs, IoT proves its value when matched to real conditions and daily tasks.

🆕 blog! “Are Brother's Insecure Printers Illegal in the UK?”

Another day, another security disaster! This time, multiple printers from Brother have an unfixable security flaw. That's bad, obviously, but is it illegally bad?

Let's take a look at details of the vulnerability:

An unauthenticated attacker who knows the target device's serial…

👀 Read more: shkspr.mobi/blog/2025/07/are-b

#CyberSecurity #IoT #law #legal #Legislation

Terence Eden’s Blog · Are Brother's Insecure Printers Illegal in the UK?

Are Brother's Insecure Printers Illegal in the UK?

shkspr.mobi/blog/2025/07/are-b

Another day, another security disaster! This time, multiple printers from Brother have an unfixable security flaw. That's bad, obviously, but is it illegally bad?[1]

Let's take a look at details of the vulnerability:

An unauthenticated attacker who knows the target device's serial number can generate the default administrator password for the device.

Recently, the UK brought in some laws aimed at strengthening consumer protection - the Product Security and Telecommunications Infrastructure Act (PSTI). There's a readable summary on the National Cyber Security Centre's website.

There are three interesting points to note in that blog post. The first is about passwords:

The law means manufacturers must ensure that all their smart devices meet basic cyber security requirements. Specifically:

  1. The manufacturer must not supply devices that use default passwords, which can be easily discovered online, and shared.

Secondly, there is a question of jurisdiction:

Most smart devices are manufactured outside the UK, but the PSTI act also applies to all organisations importing or retailing products for the UK market. Failure to comply with the act is a criminal offence.

Thirdly, what is actually covered:

The law applies to any ‘consumer smart device’ that connects either to the internet, or to a home network (for example by wifi).

Is a WiFi enabled printer a "consumer smart device"? One of the things that techies find confusing is that the law is not code. It usually doesn't enumerate a definitive list of what is and what isn't in scope. It gives a general outline and then allows case-law to develop. This means laws don't need to be updated when someone invents, say, an Internet connected tinfoil dispenser.

Let's move beyond the consumer-friendly summary and go to the actual law. The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 say:

  1. Passwords must be—

    a. unique per product; or

    b. defined by the user of the product.

  2. Passwords which are unique per product must not be—

    a. based on incremental counters;

    b. based on or derived from publicly available information;

    c. based on or derived from unique product identifiers, such as serial numbers, unless this is done using an encryption method, or keyed hashing algorithm, that is accepted as part of good industry practice;

    d. otherwise guessable in a manner unacceptable as part of good industry practice.

How does this apply to the printers? Rapid7, who discovered the vulnerability, have this to say about how it works:

[The vulnerability] allows an attacker to leak a serial number via the target's HTTP, HTTPS, and IPP services. However, should an attacker not be able to leverage [the vulnerability], a remote unauthenticated attacker can still discover a target device's serial number via either a PJL or SNMP query

So, yes. The default password is unique but it can be automatically derived from the serial number. That serial number is available to anyone with a network connection to the printer.

But, do printers fall under the scope of this act?

The Product Security and Telecommunications Infrastructure Act 2022 says:

4 Relevant connectable products

  1. In this Part “relevant connectable product” means a product that meets conditions A and B.

  2. Condition A is that the product is—

    A. an internet-connectable product, or

    B. a network-connectable product.

  3. Condition B is that the product is not an excepted product (see section 6).

It goes on to define what Internet-connectable means, along with some other clarifying details. But is there a get-out clause here? Are printers an "excepted product"?

In this Part “excepted product” means a product of a description specified in regulations made by the Secretary of State.

OK, let's look at the regulations. I've expanded out the relevant bit:

Schedule 3 Excepted connectable products

  1. Computers

    1. Products are excepted under this paragraph if they are computers which are—

      a. desktop computers;

      b. laptop computers;

      c. tablet computers which do not have the capability to connect to cellular networks.

Nope! The Brother printers don't appear to be exempt.[2] What's the maximum penalty Brother could be subject to?

The greater of £10 million or 4% of worldwide revenue.

Ouch!

Of course, much like GDPR fines, these are headline grabbing numbers. The prosaic reality is that the enforcement policy is much more likely to suggest remedial steps. Only the most flagrant transgressors are likely to be punished harshly.[3]

So, to recap. The law says an Internet-connected device (including printers) must have a password which is not "based on or derived from publicly available information". As I understand it, having a serial-number based password is OK as long as you don't publicise the serial number. I expect that if it were printed on a sticker that would be fine. But because the serial can be discovered remotely, it fails at this point.

In Brother's (slight) defence, unless the user has specifically connected the printer to the Internet this is only a local vulnerability. Someone on the same network would be able to monkey around with the printer but, similarly, they could plug in a USB cable for some illicit printing or break it with a hammer. Any damage is confined to the LAN.

Should users change default passwords? Yes. But manufacturers have a legal duty to ensure that people who don't are still protected.

  1. I'm not a lawyer. This is not legal advice. This is just my interpretation of what's going on. If in doubt, consult someone qualified.

  2. With thanks to m'learned colleague Neil Brown who came to much the same conclusion.

  3. You can see the actions they've previously taken. Because PSTI is so new, there aren't any actions against insecure IoT devices - so we'll have to wait and see how they choose to proceed.
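As an added illustration (not code from the blog post, from Brother or from Rapid7), the following Python models the Regulation's password rules quoted above with three constructed default-password schemes and checks which one an attacker who holds only a device's serial number and knows the algorithm can reproduce. None of the schemes is Brother's actual algorithm, and the serials and factory key are made up for the example.

```python
import hashlib
import hmac
import secrets

# Constructed serial numbers for the fleet under audit (not real device identifiers).
FLEET_SERIALS = [f"EXAMPLE-SN-{n:06d}" for n in range(1, 6)]


def scheme_unkeyed(serial: str, secret: bytes) -> str:
    """Scheme A (hypothetical): truncated SHA-256 of the serial. 'secret' is
    unused, so the password is a pure function of public information, which is
    exactly what Regulation paragraph 2(c) prohibits."""
    return hashlib.sha256(serial.encode()).hexdigest()[:10]


def scheme_keyed(serial: str, secret: bytes) -> str:
    """Scheme B (hypothetical): truncated HMAC-SHA256 over the serial with a
    factory key. This is the paragraph 2(c) carve-out for keyed hashing; it only
    holds while the key stays off the device and out of the firmware."""
    return hmac.new(secret, serial.encode(), "sha256").hexdigest()[:10]


def scheme_random(serial: str, secret: bytes) -> str:
    """Scheme C: a per-device CSPRNG password printed on the label
    (paragraph 1(a), unique per product). Nothing is derived from the serial."""
    return secrets.token_urlsafe(8)


def audit_scheme(scheme, serials=FLEET_SERIALS) -> dict:
    """Provision the fleet once with the real factory key, then replay the
    attacker from the Rapid7 description: they know each serial and the
    algorithm (Kerckhoffs's principle) but never the factory key, so they run
    the scheme with a key of their own and compare against the real password."""
    factory_key = secrets.token_bytes(32)
    attacker_key = secrets.token_bytes(32)  # wrong key: the attacker lacks the real one
    issued = {s: scheme(s, factory_key) for s in serials}
    unique_per_product = len(set(issued.values())) == len(issued)
    recovered = sum(
        hmac.compare_digest(scheme(s, attacker_key), pw) for s, pw in issued.items()
    )
    return {
        "unique_per_product": unique_per_product,           # paragraph 1(a)
        "derivable_from_serial": recovered == len(issued),  # paragraph 2(c) failure
        "compliant": unique_per_product and recovered == 0,
    }


if __name__ == "__main__":
    for name, scheme in (("unkeyed", scheme_unkeyed), ("keyed", scheme_keyed),
                         ("random", scheme_random)):
        print(name, audit_scheme(scheme))
```

The keyed verdict is only as good as the key's secrecy: if the factory key can be pulled out of the firmware, scheme B collapses into scheme A for every device that shares it.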


🆕 blog! “Review: Octopus Home Mini - Real-Time Smart Meter Monitoring”
★★☆☆☆

I unashamedly love my smart-meter. Rather than having my energy provider guesstimate my bill, or having to send manual readings each month, it automatically beams them back to its mothership. It also enables interesting things like variable energy…

👀 Read more: shkspr.mobi/blog/2025/06/revie

#electricity #energy #HomeAssistant #IoT #SmartHome

Terence Eden’s Blog · Review: Octopus Home Mini - Real-Time Smart Meter Monitoring

Have installed my first Zigbee “behind the switch” controller for a light with two switches. The controller by default expects switches to be momentary. To change the configuration to the more usual on-off switch you need to (checks notes) buy the manufacturer’s own Zigbee hub. So, f*ck open standards, huh? I’m severely under impressed with #Vesternet pulling this a-hole move because the devices themselves are clearly very well made.

"The FBI listed some indicators of compromise (IoCs) in the PSA for consumers to tell if they were impacted. But the average person isn’t running network detection infrastructure in their homes, and cannot hope to understand what IoCs can be used to determine if their devices generate “unexplained or suspicious Internet traffic.” Here, we will attempt to help give more comprehensive background information about these IoCs. If you find any of these on devices you own, then we encourage you to follow through by contacting the FBI's Internet Crime Complaint Center (IC3) at www.ic3.gov.

The FBI lists these IoC:

- The presence of suspicious marketplaces where apps are downloaded.

- Requiring Google Play Protect settings to be disabled.

- Generic TV streaming devices advertised as unlocked or capable of accessing free content.

- IoT devices advertised from unrecognizable brands.

- Android devices that are not Play Protect certified.

- Unexplained or suspicious Internet traffic.

The following adds context to above, as well as some added IoCs we have seen from our research."

eff.org/deeplinks/2025/06/fbi-

Electronic Frontier Foundation · FBI Warning on IoT Devices: How to Tell If You Are Impacted
On June 5th, the FBI released a PSA titled “Home Internet Connected Devices Facilitate Criminal Activity.” This PSA largely references devices impacted by the latest generation of BADBOX malware (as named by HUMAN’s Satori Threat Intelligence and Research team) that EFF researchers also encountered...

So idle thought, I am in need of a dead man's handle for my phone so that when I fall asleep listening to a podcast it stops. Ideally it should be unobtrusive enough that it doesn't keep me awake but fast enough that I don't have to scroll back 30 minutes to find where I was up to.

Surely such a thing must exist but I don't know the correct term for it. Alternatively I could build one but again clues would be helpful.