
eisy | home packaging ...



On 11/22/2022 at 6:42 AM, larryllix said:

However, I have always hated this "protected folder" crap they try to pass off as virus protection. It's my system and my computer. I don't need to log-in or give permission to myself to operate it. 

I agree that the 'Protected Folder' thing is no virus protection - but don't dismiss it. It is extremely good anti-ransomware protection. It prevents apps that you haven't authorized from being able to encrypt files within the folder - even if ransomware detonates from a drive-by download or accidental click on a malicious link. 

Link to comment
On 11/23/2022 at 5:51 PM, xlurkr said:

Long live the AC!  It is powerful, and works great on a desktop.

-Tom

Pathological disdain for all things Oracle from me - so the sooner the Java-based AC can die in a fire it won't be soon enough for me. 

(And yes, I know there are non-Oracle JVMs that can be used, but still....)

It shouldn't have to be either/or though. Keep the Java AC for those that enjoy it - but I don't see why an HTML5/CSS admin console shouldn't also be possible as an option. The legacy 'finder' should not be necessary - just use mDNS. Certs are easy now with Let's Encrypt and certbot. 

  • Like 1
Link to comment
1 hour ago, MWareman said:

I agree that the 'Protected Folder' thing is no virus protection - but don't dismiss it. It is extremely good anti-ransomware protection. It prevents apps that you haven't authorized from being able to encrypt files within the folder - even if ransomware detonates from a drive-by download or accidental click on a malicious link. 

I know of a company that just got hit with ransomware and refused, costing them weeks of shutdown and months of cleaning it up maintenance that uses Windows PCs. It kept some specialists and the FBI and RCMP people busy for months. They basically had to scrap every computer (guessing about 50 desktops and a few servers) and start over with a new system as it was spreading repeatedly.  Protected folders didn't help them any. Agreed the virus has to be more complex.

It just means the trojan horses just have to attack the O/S security and not the apps at first. If the O/S can access the folders with software then the viruses can as well.

Link to comment
7 hours ago, larryllix said:

I know of a company that just got hit with ransomware and refused, costing them weeks of shutdown and months of cleaning it up maintenance that uses Windows PCs. It kept some specialists and the FBI and RCMP people busy for months. They basically had to scrap every computer (guessing about 50 desktops and a few servers) and start over with a new system as it was spreading repeatedly.  Protected folders didn't help them any. Agreed the virus has to be more complex.

It just means the trojan horses just have to attack the O/S security and not the apps at first. If the O/S can access the folders with software then the viruses can as well.

The 'Protected Folders' default is set up for home users - it won't protect data on servers at all. It's not designed or intended to protect devices on a company network. Only home computers.

Edited by MWareman
Link to comment
11 hours ago, MWareman said:

It shouldn't have to be either/or though. Keep the Java AC for those that enjoy it - but I don't see why an HTML5/CSS admin console shouldn't also be possible as an option. The legacy 'finder' should not be necessary - just use mDNS. Certs are easy now with Let's Encrypt and certbot. 

Are you volunteering to create an HTML5/CSS console?  :)  Right now the main issue preventing that from happening is resources.   Creating the UI in HTML5 is a lot of work (at least it would be for me).  Since I've had to update and improve the UI for PG3 I think I have a pretty good understanding of how much effort it will take.

Certs are easy if you have a registered public DNS name.  But most folks are just using the random external IP address from their provider; creating a valid cert for a piece of equipment behind a router/firewall with a random external IP address is not so easy.  Doing it in a way that is automated even less so.

We've looked into creating valid (non self-signed) certificates for ISY/PG3 and while possible, the infrastructure needed to do so is beyond what we have resources for at this point.

Link to comment
12 minutes ago, bpwwer said:

Are you volunteering to create an HTML5/CSS console?  :)  Right now the main issue preventing that from happening is resources.   Creating the UI in HTML5 is a lot of work (at least it would be for me).  Since I've had to update and improve the UI for PG3 I think I have a pretty good understanding of how much effort it will take.

Certs are easy if you have a registered public DNS name.  But most folks are just using the random external IP address from their provider; creating a valid cert for a piece of equipment behind a router/firewall with a random external IP address is not so easy.  Doing it in a way that is automated even less so.

We've looked into creating valid (non self-signed) certificates for ISY/PG3 and while possible, the infrastructure needed to do so is beyond what we have resources for at this point.

Oh, I really wish I also had the time to do this..  :P. I absolutely understand the very significant work this involves. 

One of the other challenges from when I last considered taking something like this on was that certain functions are only available via the SOAP interface - which is a lot more challenging to work with. An HTML5/CSS console certainly would be way easier if 100% of needed operations were available over the REST API. For instance, CRUD operations on programs and scenes. If this were possible I know progress could be made on some basic parts of the functionality needed. 

Regarding the cert - a static hostname advertised over mDNS with a trusted cert bound to it would allow a 'default' to be shipped. However, this is a bad idea from a security standpoint (every device would have the same private key, bad bad bad...). I have not studied it yet - but Plex appears to have solved the trusted cert issue to some degree. Not sure of the technical implementation though. I think it depends on a cloud hosted endpoint for the initial connection with a wildcard cert, and this is used to enroll the host 'on-prem' with its own cert. This is a problem that a solution should be found for EISY and Polisy anyway for the Polyglot 3 web interface that currently is untrusted. 

Link to comment
On 11/19/2022 at 5:21 PM, jkraus said:
  • The Polisy Pro version is just to add wifi to the router.  I have ethernet locally so no need to go Pro, correct?
  • The ZMatter board is just a super upgraded USB dongle (long range and some other features for easily adding new Zwave devices), correct?
  • I do not have to upgrade to the ZMatter, it would just be if I am having Zwave connection problems, correct?  or are there other major features or necessity to upgrade?
  • The eisy is just the next version of the Polisy box, correct?  Is the Zmatter board or function included?  any reason or necessity to upgrade to the eisy?
  • My current Polisy and Zwave USB dongles will not make me obsolete soon?

From what I've gathered:

  1. Correct
  2. No, it also contains ZigBee and Matter support.
  3. Z-Wave 700 dongle support will be continued going forward, but not upgraded any more.  No need to upgrade if you're not having problems or don't want the new features.
  4. More or less, it's much more powerful than Polisy, and the ZMatter is still a separate accessory for it (so if you buy it now for Polisy, you can move it to eISY).  There's still more info to come on this though.
  5. Not anytime soon.  I'm sure eventually it'll be obsoleted, but since UDI moved to an x86 platform you have years of support still.

Personally I tend to stay pretty close to the cutting edge, mostly because I really value the upgrades in performance.

Link to comment
2 hours ago, MWareman said:

Regarding the cert - a static hostname advertised over mDNS with a trusted cert bound to it would allow a 'default' to be shipped. However, this is a bad idea from a security standpoint (every device would have the same private key, bad bad bad...). I have not studied it yet - but Plex appears to have solved the trusted cert issue to some degree. Not sure of the technical implementation though. I think it depends on a cloud hosted endpoint for the initial connection with a wildcard cert, and this is used to enroll the host 'on-prem' with its own cert. This is a problem that a solution should be found for EISY and Polisy anyway for the Polyglot 3 web interface that currently is untrusted. 

We've studied how Plex does it and it's a pretty clever solution.  But it does take setting up the cloud infrastructure to support it.  Long term, this may be the direction we take. 

Today, the PG3 UI is designed to be a local UI interface.  Hopefully people can trust their own network so that point to point communication is not really a problem.  You can use PG3's self-signed certificate to encrypt the communication but if someone unauthorized has access to your network, that's not going to help much.

We are working on a solution, somewhat similar to what exists today for the ISY, to allow remote access to the PG3 UI. This is a bit less effort than setting up a Plex like solution.

The long term vision is to eventually combine the admin console and PG3 UI into one interface.  But this is far enough out that there's not even a timeline for it yet (so don't ask when).

  • Like 6
Link to comment
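An added example, not from the thread and not UDI or PG3 code: trust-on-first-use pinning of a self-signed certificate's SHA-256 fingerprint, so a client on the local network notices when the certificate a device presents changes. The host name `device.local`, the JSON pin store, and the function names are assumptions, and the certificate bytes in `demo()` are constructed stand-ins.

```python
import hashlib
import hmac
import json
import ssl
from pathlib import Path


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host: str, port: int) -> bytes:
    """Fetch the certificate a device presents, without CA validation.

    A self-signed certificate cannot be validated against a CA, so the
    comparison in check_pin() is what provides the trust decision.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def load_store(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(path: Path, store: dict) -> None:
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


def check_pin(store: dict, host: str, der: bytes) -> str:
    """Return 'pinned' on first contact, 'match' or 'mismatch' afterwards."""
    seen = fingerprint(der)
    pinned = store.get(host)
    if pinned is None:
        store[host] = seen          # first use: record the fingerprint
        return "pinned"
    if hmac.compare_digest(pinned, seen):
        return "match"
    return "mismatch"               # never overwrite the pin automatically


def demo() -> list:
    # Constructed stand-ins for DER certificate bytes (not real certificates).
    device_cert = b"constructed-device-cert"
    other_cert = b"constructed-substituted-cert"
    store = {}
    host = "device.local"           # hypothetical mDNS name
    return [check_pin(store, host, c)
            for c in (device_cert, device_cert, other_cert)]
```

The first contact is only as trustworthy as the network at that moment, so the recorded fingerprint is best compared once against a value read from the device itself.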
This topic is now closed to further replies.
