Be like me
Just replace all your tech every year and the problems will go away. You know you'll feel safer too. Come on get with the program now. The tech industry depends on you and your new kit will be secure for the better part of six months.
Pity the poor users of Logitech's Harmony smart home system: last year they were told the manufacturer was going to brick its Link hub and forced them to buy the latest version. This year, just in time for Christmas, it has effectively bricked that new hub for anyone using it to connect to other devices. "Logitech recently …
No - be like me
I just replaced my technology with bricks.
A firmware update bricks my device? It's still a brick.
A security flaw exposes my device to hackers allowing them to brick my device? It's still a brick.
It's weather proof, can be used for both offensive and defensive security and comes in a range of stylish colours.
These are undocumented unofficial APIs...
Means what exactly?
Presumably it means you think it's OK for Logitech - or any other manufacturer - to sell kit with such capabilities; knowing full well that it's a key feature; that their customers will want to make use of it, only for it to be trashed by unchallengeable dictate later on?
You're happy for the makers of all your stuff to treat you this way and be paid handsomely for the privilege yes?
Of course you are...
How can it be useful if it was never advertised, documented or published by none other than Logitech themselves? That's like saying Team 0verFl0w had found yet another flaw in the PS3/4 to allow anyone who cared enough to run unsigned code. Yeah, it sure is useful if you want to pirate games or run homebrew. But you wouldn't be bitching about S0NY releasing yet another useless firmware update, ~for stability~. Now would you?
So what exactly makes S0NY a better company than say Logitech?
"How can it be useful if it was never advertised, documented or published..."
We got no beef with issuing security updates and the like but...
You mean to say that Logitech didn't know their kit would be used this way? Of course they did. It was probably decided early in the project's life that letting such compatibility remain would make it all the more desirable in the marketplace.
And even if this is not the case, they certainly knew about it long before the supposed 3rd party security experts 'brought it to their attention' - how could they not, with a thriving community of enthusiasts/hackers right under their nose all that time? Did they not stop to think what that would imply?
The concept of 'accepted custom and practice' comes to bear here, which makes Logitech responsible to a large extent. They ought not be so 'righteous after the event' or to have stuck the two fingers up. Nor should they have pulled the rug...
They ought to have come up with something else (no - I don't know what that would be) that protected the expectation and investment of their customers.
> So what exactly makes S0NY a better company than say Logitech?
You mean the Sony that used to make great products like Trinitron screens, great prosumer camcorders and the like? But more recently seemed to specialize in things like music CDs with embedded rootkits, free game download with embedded rootkits, and that ghastly Securom game copy protection scheme that mostly seemed to excel at making my kids' favorite games stop working after any kind of hardware upgrade? That Sony?
I think it is likely that Sony and Logitech are neighbors in the same sewer.
It means that whatever device was used leveraged APIs not intended for external use. People may have purchased the Harmony product and other equipment to achieve their goals, but the APIs were never advertised as being a key feature or even a supported feature. Harmony has every right under these conditions to close what they perceived to be a security hole. Frustration should be directed to the device using the undocumented APIs. Using undocumented APIs always comes with a risk to the user of these APIs, and if the APIs are closed down it is not the source's issue, it is the consumer's.
Yes, it would be great for Harmony to open these up or to create secure versions to be used (business decision), but it is also acceptable for them to close undocumented APIs because they are a perceived security risk. As a hub user that did not leverage these undocumented APIs, if it truly has a security risk I'm glad to hear they took action. I would be the first to call foul if these were supported, documented APIs they decided to pull without an alternative, but in this case, I personally see it as well within their rights. Some harm, but no foul.
If someone hacks some internal protocol or undocumented/supported external APIs and uses them there is always this risk no matter what company it is. People affected should be yelling at the company that leverages these APIs, not Harmony.
That is where I think we disagree. It did not remove a feature, it fixed a security hole that was being exploited. If it removed a feature that was advertised, supported, or even pseudo-supported, then I would agree, but that does not seem to be the case. Since the inception of software upgrades, this has always been the case. If part of their model is auto-updating their software, they do have a right to make changes to protect their products. What if they did not do this and the security issue was exploited and, as a result, more people were affected? I know as a customer using the product, I would not be too happy about that, especially if I found out they did not patch it because people were using an undocumented API.
We have phones that are constantly being updated to fix security issues. If doing so breaks a hack or exploits an API whose purpose is internal and is being exploited by some application that has found a way to get to it, and that app breaks, it is not the phone company's issue. The developer of that app was going around the supported SDK to accomplish something that he felt was cool. He took a risk and it bit him. This has happened a number of times in the past and it sucks to be the consumer in the middle, but the device is not being used as intended or advertised.
Here is another good example.
A few years back DirecTV started updating their boxes with software which included pirate boxes. Then one day (Super Bowl Sunday) they flipped the switch and put up a "Game Over" on all the pirate boxes. Here is a case where someone found how to exploit DirecTV and DirecTV closed the door on them.
I can even go back to OS/2 and single message queue fix that broke a huge number of applications because of a low-level change in an upgrade they did to fix a bug that people were exploiting or miscoding to.
I know I am not going to convince the people whose equipment stopped working, but from my experience of 30 years developing and managing software projects, I have been in situations where we have done just this, later to regret it, but I knew the risks at the beginning and thought it was the right thing to do at the time. It sucked when the party was over.
I have the same amount of experience and I'm thinking exactly the same!
If I sell you a sprocket that I say doodles and then a year later patch it to stop it doodling, you have a case. If I patch it so it doesn't diddle anymore, then that's tough titties. Ask for a diddler if that's what you want!
The other side of this is of course that I'm responsible for someone hacking your engine via my sprocket's undocumented diddler!
Looks like Harmony made a turnaround. Sounds like the Microsoft way of handling security: close a door and then give you an option to bypass it. Sounds like the unsafe feature in C#. Wrap code with unsafe and go to town. Never been a fan of this type of approach, but it is definitely a more customer-centric approach.
They should stick to mice and keyboards...Those are pretty good
In my experience Logitech mice are good to use when new, but every single one I've used has had a short service life at odds with its price point. I won't touch their stuff now.
So for me, the mice aren't that different to the Harmony hub. It worked great when it came out the box. But a couple of years later all you've got is a paperweight.
I've got several M525 mice that have lasted a couple years, at least. Including one that keeps getting knocked to the floor. Carpeted, fortunately.
I don't really keep track, but they don't seem to be going through batteries particularly quickly. I also use NiMH, FWIW.
I went through three Logitech G500 mice in under a year. The side buttons (the entire point of the G5) kept failing and somehow internally crossed with the left mouse button. Once the warranty on that ran out, I bought a G700, and bought the Best Buy extended warranty on it. That proved to be one of the best purchases ever! The warranty, not the mouse.
Over the two years, I probably exchanged the mouse 15 times. It would last a little over a month, and then the side button would break internally and come out.
It's like Logitech didn't expect anyone to actually use the extra buttons. They stick them on there, use them as a selling point, then apparently hope no one uses them, 'cause they're going to fail if you do. These were fairly pricey gaming mice, and while I was using the extra buttons, I wasn't being overly rough with the mice... not nearly as rough as you would expect a "gaming" mouse to take in stride.
Just before the warranty ran out, the store apparently discontinued the mouse, so my last exchange didn't work. They ended up refunding the purchase price of the mouse instead! I can't remember if they refunded the cost of the warranty too, but I ended up getting a couple of years of mouse rental for at most the cost of the warranty.
Before all that, I also had a G5 that developed another side button issue (got stuck in the pressed position) and a M400 non-gaming mouse whose largest side button simply quit doing anything. I didn't warranty those, so the warranties must have been finished before they failed.
The real question is why I kept buying Logitech. Why I bought the extended warranty on the G700, though, was quite obvious!
So, yeah, they were that bad, if you actually tried to use the extra buttons. I never had any issues with the main buttons or the LED/laser tracking bits. The extra buttons, though, were on borrowed time before you even got the box open. They're there to get sales, not to be used!
You are not supposed to hit the side buttons with a hammer! :) My G700 has lasted since early 2011 and it's been flawless apart from needing a new micro switch for the LMB after wearing it out. Apart from that I have had no issues at all with it, and that is with heavy use. I guess they may well have changed the design of those parts to be cheaper, though. What keeps me stuck with Logitech, though, is the free-spinning scroll wheel that I can't fathom living without now.
Over the two years, I probably exchanged the mouse 15 times. It would last a little over a month, and then the side button would break internally and come out ...
Just before the warranty ran out, the store apparently discontinued the mouse, so my last exchange didn't work. They ended up refunding the purchase price of the mouse instead! I can't remember if they refunded the cost of the warranty too, but I ended up getting a couple of years of mouse rental for at most the cost of the warranty ...
So how much of your life, to the nearest hour, did you devote to getting two years free use of an unacceptable mouse, rather than one which performed as you wanted?
I'm not sure why folks have so much trouble with their mice.
Mine gets food, water, fresh bedding, a squeaky toy, & plenty of HabiTrail tubes to play in & has lasted me many years of delighted, loyal service. It gets a little nervous when the cat jumps in my lap, but kitty knows the mouse is not for eating & to keep her claws off his balls.
Nope. I bailed on them years ago when a 6 month old expensive USB webcam became a micro door stop because they never issued drivers for the next version of Windows that came out shortly after I bought it. That sort of non-support turned me into a non-customer.
The Microsoft web cam I bought after that episode keeps going and going, even after many years of windows upgrades.
> "These private local control APIs were never supported Harmony features. While it is unfortunate that customers using these unsupported features are affected by this fix, the overall security of our products and all of our customers is our priority."
If you were relying on undocumented/unsupported APIs to do things, you have to realize that they could be turned off or broken tomorrow.
"If you were relying on undocumented/unsupported APIs to do things, you have to realize that they could be turned off or broken tomorrow."
This isn't unique to undocumented APIs. If you are relying on anything that accepts updates from or relies on a server you don't control, you have to realize that it can be turned off or broken tomorrow.
>If you are relying on anything that accepts updates from or relies on a server you don't control, you have to realize that it can be turned off or broken tomorrow.
Quite. While undocumented/unsupported APIs are a bad thing to tie your horse to it only highlights that in many of these systems you don't have control. It's like a PC game where they turn off the server and you can't play multiplayer, only this is important.
I was looking the other day at a WiFi powered switch. Only to realise the one I liked had its own app and server... you couldn't control the damn switch without going through some 2-bit company's server. At least with Google/Amazon et al you have a fair guess it won't disappear overnight.
At least with Google/Amazon et al you have a fair guess it won't disappear overnight.
No, they'll usually give you at least a few days' notice! BTW - try asking a Revolv user what they think of Google's approach to long term support ;-)
But yes, it's a problem if you buy into all this "online connected" tat - you are at the whim of some beancounter at some outside company who does not have your interests in mind.
"I was looking the other day at a WiFi powered switch. Only to realise the one I liked had its own app and server"
This is perhaps the thing that irritates me the most about these sorts of things (the Harmony is fully in this category): making them rely on a third party server does not give any benefits to the people using these devices. The entire reason companies do this is to be able to collect more data on you. That's it.
>making them rely on a third party server does not give any benefits to the people using these devices. The entire reason companies do this is to be able to collect more data on you. That's it.
That's not entirely true. They offer the ability to control your devices from your phone outside your house which has to go through some server fairly obviously. But then they don't give a second option for when you're ON your WiFi.
This could reasonably be attributed to laziness and penny-pinching as well as malice. We should never lose focus on the fact that most of the time when things suck, this is not due to evil, but incompetence.
"They offer the ability to control your devices from your phone outside your house which has to go through some server fairly obviously."
But you can provide this capability without using a third party server. This is more complex to set up than the average user would be willing to tackle, but even that could be done like we used to do it in the old days: provide a third party server, but all it does is routing, connecting your two endpoints. There is no need for that server to be engaging in any business logic at all.
"This could reasonably be attributed to laziness, and penny-pinching as well as malice."
I don't think so, because the solution that these companies are selling is actually more complicated and expensive to produce and operate than the alternative (even if the alternative is running a routing server).
Device security already suffers from a rampant plague of Wetware Error whereby devices aren't installed with the latest security update. This problem occurs everywhere from regular users up through the largest of corporations and governments. To create a FEAR of updating is irresponsible and guaranteed to hurt the customers. Outrageously poor job, Logitech. (o_0)
There are alternative providers. Use them. It's also helpful to keep in mind that very, very few IOT devices are adequately secured. Rather, you can essentially guarantee that current IOT devices are going to be bot infected immediately after being connected to the Internet, making them a contributing factor in that other rampant plague of distributed denial of service (DDOS) attacks across the Internet, if not worse. Oh and expect your local area network (LAN) to be compromised as well, unless you've deliberately kept your IOT devices OFF your LAN. IOW: IOT remains a profound security nightmare at this time.
"To create a FEAR of updating is irresponsible and guaranteed to hurt the customers. Outrageously poor job, Logitech."
True, but let's be honest here: Logitech is not the only company that is making people hesitate to apply updates. The majority of the tech industry, and particularly the big players like Microsoft, are doing the exact same thing.
It's an entirely justified fear, and is why I no longer trust applications or most operating systems to autoupdate. In fact, on some platforms (such as Windows and anything mobile), I have to go so far as to firewall all applications off so they don't get all sneaky. We've reached a point in the industry where you must treat all tech, hardware and software, as malicious until it's proven otherwise.
I'm as much of a geek as anyone, but let's face a few truths here. 99.99% (at least) of users won't even have known these undocumented APIs existed, let alone used them. The APIs were a (potential) insecurity which could have led to an attack. Imagine the headlines if they'd done nothing: "Millions of home networks breached as manufacturer refused to close known security holes".
This update is good for the vast number of users. It doesn't break a single advertised or documented feature of the device and it does actually make them a little bit more secure. Could Logitech have given advanced users the ability to re-enable the APIs? Perhaps, but then they'd be acknowledging they existed and would have faced calls to document and support the APIs, and still would have come in for criticism in the case of an attack.
Right, and this is one of the main problems with software and devices that aren't under your control -- you can't trust them. Their features and capabilities may change without notice.
"This update is good for the vast number of users."
Perhaps so, but it only highlights the underlying problem: if you aren't a "most common denominator" user, then these systems are unacceptable.
>99.99% (at least) of users won't even have known these undocumented APIs existed let alone used them.
I don't know Harmony specifically but this might not be the case. These smart systems tend to be bought by more tech-savvy people because they are not simple to set up and use. I use the Honeywell Evohome system and there is quite a large community of people doing stuff with their APIs. Their APIs are unofficial but their own staff are involved in the community - and yet they also could just turn them off.
Same here! Heavily invested in the kit and that's why Logitech can go and do one. And I'm not surprised they've pulled a similar stunt again.
Also of course: getting out of the internet connected smart speaker market just as that market was really taking off? Smart.
Logitech were never a great fit for the Squeezebox products and their death was pretty inevitable once Sean Adams and Dean cashed out, but I'd give Logitech some credit for keeping the forum alive on their servers, agreeing to properly open-source the LMS server code and providing some level of tacit, informal updates and support via at least one of their employees in Switzerland. For a discontinued product line I think they've treated the Squeezebox users rather better than they seem to have stuffed the Harmony people (and yes, I'm still very happily running a mix of SB3s, Boom, Radio Slim / Logitech kit together with some re-purposed Jogglers and Pi's)
What else can you say? From being a cutting edge system, to an embarrassing mess of things that just ain't working any more. Bought I think 3 over the years and did not mind being on the bleeding edge moving forward, but now it's in a state where it won't do what it says on the tin, and you can't manually try and correct anything.
This is why I am building my home automation so that I am in complete control. At the coal face are simple sensors and relays with Arduino and RS485, and I plan to use the open source Mycroft to replace Amazon Echo. I will probably write the software myself or use something existing like Home Assistant.
It certainly looks like the way to go. Logitech is just one example of companies that don't actually care about providing you with a reliable service, they're all just faffing about, changing products and functionalities as soon as a new PHB takes office.
There is no long-term plan and no care of not disrupting the user experience.
It's all about getting the dough now, then screw you.
That is why I am convinced that true home automation is going to actually be open source - by the people, for the people. That will be the only thing that actually has a chance of working for more than 18 months.
...including anything about it on their official support forums... then this is likely a class action lawsuit to claim a refund. Much like when the PS3 dropped Linux support.
They will have to prove that this wasn't an advertised feature that people bought the product for, not just say it was never intended to exist.
On the other hand: Open Source, people - this is why you should be using it!
How is this a story?
A vendor locks out undocumented APIs. That's fair game. Cry me a river.
Harmony supports IFTTT - if you want API integration, use that and lobby for the publicly exposed APIs to be expanded properly.
Not amazed with Logitech, as I think they are slowly killing Harmony with neglect (particularly on IFTTT and new devices), but these are features that were never sold, promoted or documented.
something that countless customers have used to implement their own home automation systems.
Really? From what I can see, people using home automation systems are pretty rare, and people implementing their own rarer still... And hobbyists who actually do implement their own systems should know the risks of relying on undocumented APIs, especially in a domain which is moving fast.
It's shit like this that is the sole reason I will never give in to home automation. I'm quite capable of switching a light on/off, and my heating is programmed to come on when needed, and a simple press of a button will put it in frost mode when I go away for a few days.
The last thing I want or need is some crappy app monitoring me just for the convenience of turning on a light and/or heating... It's also one of the reasons I'll never have any kind of alexa/siri/google device.
The problem is, there is no other option.
Harmony controllers and hubs really do work well. Unless you want to juggle multiple remote controllers, they are really the only possibility.
I'm using three of them - two for myself and one at my mother's house. They are very clever bits of kit, with a lot of flexibility.
I agree with the complaints about closing off undocumented APIs. I'm also an old Slim Devices user still. I have to keep one Windows box to program my Harmony controllers, although I'd really rather not. I don't consider Logitech to be faultless here.
But there is no-one else who does the job of Harmony controllers, even slightly.
Actually... purely for control of multiple bits of AV kit via IR I've found One-for-All remotes hacked / re-programmed via their JP1 interface to be much more usable than Harmony - and even more important so does my wife! Bought a Harmony ages ago (before Logitech bought them) and found it far more error-prone than OfA, especially if trying to control multiple devices through a macro. Bought a bunch of OfA 5's on sale some time back for £15 each and have been using them across a very wide range of devices, helped by an active and inventive community of JP1 hackers...
Anyone who has enough nous to play with APIs can do the following...
Get a Raspberry Pi, an enclosure, and install OpenRemote on it.
Yes, there is a cloud UI to set things up, but once you've got the config on the Pi, you can cut it off from t'interweb and it will still control anything in your house/network that you can make it talk to (from HTTP/JSON to raw TCP/UDP).
Mine runs on a NAS rather than a Pi, but talks to Philips Hue (which runs when no cloud is available), Lightwave (same), and direct to other devices on the LAN. It is a bit of effort to get going, but it's so worth it when you hear of crap like this!
Nearly 15 years ago we had a multi-property multi-zone randomized playlist control and EQ, BPM'd and automatic update plus content distribution with streaming music and comedy system that in someways is better than Spotify and Sonos or whatever. Then what happened. Living in the wrong country, banking and idiot politicians. #slimserverperlandphpMySQLHMTLm3uShellCron #redhat8 #p910ipartytricks
The CEO's received a complaint. It appears Little Bobby has been the victim of inappropriate content at 10AM in the Lobby toilets. Ahh, we pushed a update but there was a timing error. We'll the Mother is in my office and we're waiting to see you. #okaybigyin
So what do you think Logitech's legal position would be if it continued to allow the undocumented API interface to continue in the light of the security concerns it has discovered? They would be royally screwed - and not just by the chattering masses on tech forums, but also by its much larger consumer base in computer interface equipment.
Come on people, you can't have it both ways - they discovered a security issue involving something they didn't even apparently intend as a feature of the equipment and have moved to close that potential security hole. With all of the jibber-jabber about online security - especially regarding home automation - do you think they could just ignore the issue? Harmony and home automation are hardly Logitech's core business, and this seems to be purely an issue for people using undocumented APIs, so not even a recognised part of their customer base.
I know it is good to write articles "sticking it to the man" (whoever today's "man" is), but written another way this could be seen as a responsible approach by a company prepared to take a hit to maintain the security of its products. There are two sides to every story.
"So what do you think Logitech's legal position would be if it continued to allow the undocumented API interface to continue in the light of the security concerns it has discovered? They would be royally screwed"
What are you talking about? There are thousands of things like wifi routers and cable modems with known holes you can drive a bus through that don't get a patch because they are a year old and the new model is out. It's only that they want to keep selling the same one.
Can someone explain to an Infrastructure guy what the rules are with these kind of things please?
As a layman (for APIs and development), it appears at first glance that this is entirely appropriate and fine behaviour from Logitech. They've been notified about a security hole in their product, and apparently one way of removing the vuln is to remove an API. The API isn't public and isn't documented. So presumably Logitech made changes internally so that their software which uses the private API no longer depends on it, and killed off the API.
Now a load of people are screaming because their "hacks" (applications, scripts etc.) which use a private, undocumented API no longer work.
If the above statements are correct, then from an outsider's POV I don't see what Logitech have done that's so terribly wrong...
Is there some unwritten developer rule or code [of conduct] (pun half-intended) where APIs don't get discontinued - even if they are private and undocumented - without a lot of notice to prevent these kinds of problems?
Thanks in advance
Disabling the APIs is completely legal and likely reasonable, given the security concerns.
However, it also makes for really bad PR among a small but important part of their customer base.
The lost sales to the niche group over the next 5-10 years is probably dwarfed by the litigation potential.
why? were you planning on messing around with an undocumented API on it? If you use it as intended it works fine and is in a class of one.
It's a commercial product and there are always going to be edge cases that aren't supported, but that's the difference between using something pre-built and going open sourcery on the problem.
Yes, I preferred it when Logitech didn't own it, but you can't have everything in this world - I can live with it. It still does 99% of what I want.
I don't use the remote, but I do use a number of Anywhere MX mice which are good. From what I'm reading here I should (a) buy a couple before they go out of business and (b) preserve the control software that's out right now before they go and mess that up too.
As for (c) never, ever buy a remote control from them, I once bought a Harmony device in the hope of making my parents' life easier. When I discovered I needed to inflict Silverlight on my system I used a work PC instead, and subsequently discovered that they had succumbed to the "f*ck things up by introducing 'ease of use'" in a manner that made Microsoft look like mere amateurs. WTF is wrong with giving advanced users access to the straight mechanics underneath? Why do we have to suffer processes dreamt up by people with a personality disorder that must have been on drugs and alcohol simultaneously when they decided that their approach was sane? That may sound as if I'm talking about the team at Microsoft that invented the ribbon, but no, it's Logitech, a Swiss company that ought to have more sense when it comes to design. Alas, no. When (finally) configured it didn't work that well either, nor was it actually "you don't need a manual" easy, although it had the potential if all this "usability" crap had not gotten in the way. It had a touch screen, it had buttons - the mechanics were present. The intelligence to make use of it, not so much.
It went back the next day, and that was the last time I touched any remote made by Logitech.
I recall when Logitech bought out Labtech, just to kill their competing products.
Labtech made some GREAT headsets, airline cockpit quality. But they killed it off, and only offered the $2 junk with various colors and prices not reflecting the poor quality.
Labtech, 3DFX, and so many others - good tech murdered by industrial greed. Stifling technology for greed.
I don't like Logitech - for their crappy business practices of buying and destroying companies, tech and people's jobs.