Go analog.
A mechanical lock vendor makes a mistake, one series of locks break or can be unlocked. Criminals still have to find them.
A "smart" lock vendor makes a mistake, all locks are unlocked or broken. Criminals can compromise them remotely, with full location available.
@beyondmachines1 I want smart blinds and lights, but nothing for security should be online lmao.
My router runs NixOS btw.
I’m a car mechanic and that’s why I use a horse!
Your comment is proof you don’t work in IT as long as I do.
At some point you simply can’t laugh again and again about the same jokes and start to ask yourself if we as IT should really continue to laugh about all that bullshit or if we shouldn’t be the ones providing solutions.
@Kubiac
@Newk
So tell us what is your solution to the smart lock vendor leaking secrets or hardcoding API tokens that expose the entire product base and management cloud to full control of criminals?
Or just go bankrupt and shut down their servers?
The latest advice from the smart lock vendor when they did exactly that is
...
wait for it..
...
...
"install a mechanical lock"
For some of those things there are solutions. The rest our profession should be working on instead of bitching about it.
@Newk Still waiting for you to type up a solution here.
Answering "One has to work" means you don't have a solution.
You have a desire for someone to make a solution.
Did I ever say I have a solution to any of the details you imagine the original poster meant?
I just think it’s too easy and extreme to say fuck everything tech and life like an Amish.
I personally don’t use a smart lock. But I’d say the solution is not to not use them. The solution is for IT to develop a secure alternative. Don’t buy shit you don’t trust. Make something you trust.
@Newk I agree with you that things should be *much* better built. It's my daily quarrel with people at work.
As to trusting things or choosing to go analog, to each their own level of personal risk acceptance.
As long as they are aware of what the risks are, which also seems to be open for debate.
@odr_k4tana
A mechanical lock is safer because of the Swiss Cheese failure model, not because of security by obscurity. A mechanical lock cannot fail if the vendor goes out of business. You require physical access to tamper with such a lock...
But if you claim that digital locks are just as good, go for them.
We'll just publish the next fail fast events, like this one
https://beyondmachines.net/event_details/chirp-smart-locks-vulnerable-to-unauthorized-access-due-to-hardcoded-secrets-t-3-a-p-t
Chirp Systems' Android software for smart locks has critical vulnerabilities, including hard-coded passwords and private keys, which could allow unauthorized remote access. Despite an update claiming "bug fixes and improved stability," it remains uncertain if the vulnerabilities, including potentially insecure NFC-based alternatives, are fully resolved.
@beyondmachines1 Again: my crowbar won't care what kinda lock you have.
Swiss cheese models are all fun and games, but if your underlying threat model is wrong, it's useless.
Effectively, digital locks often offer more upsides than downsides, even in terms of security (not to mention usability, which btw is a prerequisite for security to be effective).
Btw: Publishing lock fails is good. They need to get fixed. Keep doing that. But analogue locks are plagued with problems, too (cf. lockpicking lawyer).
Analogue isn't safer/more secure. It's a different threat model.
@odr_k4tana @beyondmachines1 The threat model for hacking a smart lock involves relatively little effort to get into hundreds or thousands of houses where you know the location with little fuss or noise, and you will look to eyewitnesses like you might belong there.
For a physical lock and your crowbar? You have to use the crowbar for every house you want to break into and anyone who sees you will know what you’re doing.
1/2
@odr_k4tana @beyondmachines1 Also if a digital lock vendor goes out of business then *you* may be locked out of *your own* house because the software/firmware is dead. Not so with a physical lock.
2/2
@MisuseCase @beyondmachines1 You're assuming network/cloud dependencies. You're assuming people don't see me enter into an apartment I am not supposed to enter. You're assuming people see or hear me use the crowbar.
You're assuming I still have my physical key. You're assuming a neighborhood that knows each other well. You're assuming digital knowledge beyond simple use.
This is what your case depends on.
@odr_k4tana We see you claim to be a scholar on your profile.
Do share your threat model for public review.
So far you are just claiming someone else is wrong. Not really scholarly.
@beyondmachines1 this.
We don’t have nor gonna take any of that privacy eating crap into our home
Windows OS should be happy it doesn’t get overwritten as soon as it steps into the door (of my gf, mine does!)
@Monsterklatsch or a new car for that matter.
https://foundation.mozilla.org/en/privacynotincluded/categories/cars/
@beyondmachines1 Someone can also just throw a brick through my window, it has the same effect.
There is no defense against physical access.
@person
There are uses, for one "did i lock my door" 10 minutes after you drive away from home.
The problem is that the IT industry, as well noted by @Newk is in a state of constant "Move Fast/Break Things" MVP on a product that is dependent on internet connectivity, central management and power supply.
And the VAST majority of such companies fail within 5 years, or pivot to a new product leaving their old customers high and dry.
One should not be depending their daily access to their home on a developer having had their coffee, and a CEO not burning through the budget on partying and private jets.
@beyondmachines1 @RandallHawes I understand the impulse, but there are vast swathes of our lives that have “gone digital” relatively well. Few people only use cash and only shop at physical stores, for example. The problem isn’t “digital” per se, but that home/consumer products are generally terrible at security and privacy.
And physical systems with flaws can’t be easily upgraded (see all the easily compromised physical locks the LockpickingLawyer highlights).
no smart home crap.
I disagree. Scalability in crime is very dangerous. You don't need to look for Pink Panthers or Danny Oceans. You just need to look for a your favorite ransomware gang.
Criminals can profit by selling the the full location of the compromised locks on the dark web together with the master key access to that lock. Then local gangs will take over.
Also, criminals can ransom the company and people by locking out all the locks.
Yes, a locksmith will aleviate the second risk, but after an initial significant panic - including in some cases very dangerous situations (for example children or sick people locked in).
Nitrovenom
BeyondMachines 
vriesk (Jan Srz)
Krutonium://
Peter (Kirin)
Newk
Chris
Oliver D. Reithmaier
Beko Pharm (deprecated)
Artemis
Misuse Case
Ted Garrison
Suedioh77
stux⚡️
Monsterklatsch
Markus Feilner (has moved)
beaumains
Martin
gary
Someone 
Flametes
Michael Gemar
Enkiusz🇺🇦
Massi Alvioli
Shadowbottle
brett