It’s like if Ford outsourced faulty brake systems, had a bunch of cars crash because of it, and then said “it’s not our fault, we didn’t actually make the brake system”.
The power inverters were *not their property*. Remotely accessing them, without authorization and with the intent of disabling them, is a textbook CFAA felony.
Fuck 'em. Isolate your local net from the world and only let through devices you trust. Plenty of ways to do that, even at low expense. But you will have to make the effort or pay someone else to do it.
You buy a device from an intermediary and it phones home to a foreign jurisdiction. That sucks but I'm not sure what recourse you can realistically expect.
I bet some small-time installers that were sourcing on the grey market will go bankrupt because of this.
For example, we bought a built-in oven, and post-sale we discovered a sticker saying that by using the oven, we agreed to a EULA and binding arbitration, and to return it if we disagree.
I think that, had we decided to decline the previously-undisclosed EULA, the manufacturer should have had to either provide one that works as they advertised (no EULA) and with identical dimensions, or they should have had to replace our brand-new cabinets with ones that matched a competitor’s product (and incur a large multiple of the cost we paid for the oven).
There was an article on HN about a month ago, that two companies each have the ability to overload or shut down the entire grid in many parts of the states, just by their remote control of the solar panels and batteries.
They should be regulated like any other utility.
If you sell a complicated product dependent on other parties then you are taking on risks.
The short answer is: it's for load balancing, it can't be avoided.
If they add up to a percent or two of the local grid, then control is not necessary.
Also you could design a solar system to not backfeed.
The way it works today for common residential grid-ties is this:
1. Is grid up? Y/N
2. If Y, then supply excess locally-generated power to grid. (Someone will implicitly use it.)
3. If N, then turn off connection to grid. (Nobody's home and we don't want to hurt anybody.)
Here in Germany this works by specialised devices called "Funkrundsteuerempfänger" (rough translation: radio controlled receiver, according to Wikipedia[0] it's "radio teleswitch")
But in practice this almost always means connecting to the internet, because the simplest interface is wifi and data collection/display at the producer's servers. So any extra features == internet connection.
This is like asking people on the Internet how to safely mix random household cleaning chemicals. If you don't have the background to answer that yourself, you should not be doing household chemistry.
but this requires a DMZ or a second external IP address (I have both with CenturyLink), because if it’s double NAT on your home network, the devices can access your home network.
(If my gateway were 192.168.1.1, I just set that client's gateway as 192.168.1.254.)
Misread your question. Sorry. Most of my devices I do want talking to the internet. Just not on my home IP.
Keep your [phone/PC/whatever] on one VLAN, with a NAT gateway, and they'll work just as they do now.
Keep the IoT Things inside of their own VLAN, without a gateway to the Internet.
And if a device like Home Assistant or whatever needs to exist on both VLANs in order to be useful, then: Make sure it isn't forwarding/routing/NATing packets.
---
The implementation details vary, but they needn't be particularly expensive.
What I do at home is run OpenWRT on a Pi 4 for my home routing purposes. It's fast enough for my needs and it's got simple GUI configuration options for VLAN. (Why OpenWRT? Because it's easy for me to puzzle out when I need to adjust something after a few months or a year -- I don't deal with routing every day, nor do I wish to. (Also SQM is a built-in, which always keeps WAN latency tolerable.))
From there, I've got cheap managed switches that enforce/insert VLAN tags where that is useful to me, so I can decide which physical ports are capable of talking to whichever VLANs.
And from there, I've got relatively inexpensive Mikrotik access points that are configured to provide different SSIDs for different VLANs.
It all works OK, though more enterprisey folks will almost certainly choose a very different path.
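An added example, not part of the comment above and not code from OpenWrt or any project mentioned in the thread: a small audit of an OpenWrt-style `/etc/config/firewall` that reports any rule giving the IoT zone a forwarded path to the WAN zone. The zone names `lan`, `iot` and `wan`, the sample configs and the function names are assumptions made for the example.

```python
import re

# Constructed sample in OpenWrt /etc/config/firewall (UCI) syntax.
# Zone names 'lan', 'iot' and 'wan' are assumptions; use your router's names.
ISOLATED = """
config defaults
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'iot'
    list network 'iot'
    option input 'REJECT'
    option forward 'REJECT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'iot'

config rule
    option name 'Allow-IoT-DHCP'
    option src 'iot'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'
"""

# The same config with two constructed mistakes appended.
LEAKY = ISOLATED + """
config forwarding
    option src 'iot'
    option dest 'wan'

config rule
    option name 'Temp-cloud-update'
    option src 'iot'
    option dest '*'
    option proto 'tcp'
    option dest_port '443'
    option target 'ACCEPT'
"""

_LINE = re.compile(r"^(config|option|list)\s+(\S+)\s*(.*)$")


def parse_uci(text):
    """Parse UCI text into a list of section dicts; '_type' holds the section type."""
    sections = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # blank lines and comments
        kind, key, value = m.groups()
        value = value.strip().strip("'\"")
        if kind == "config":
            sections.append({"_type": key})
        elif sections and kind == "option":
            sections[-1][key] = value
        elif sections:  # 'list' entries accumulate
            sections[-1].setdefault(key, []).append(value)
    return sections


def internet_paths(text, iot="iot", wan="wan"):
    """Return findings for config entries that let forwarded IoT traffic reach WAN.

    Only explicit ACCEPT settings are flagged; absent options are not interpreted.
    A rule with src but no dest is an input rule (traffic to the router itself)
    and is therefore not a path to the Internet.
    """
    findings = []
    for s in parse_uci(text):
        kind, src, dest = s["_type"], s.get("src"), s.get("dest")
        from_iot_to_wan = src in (iot, "*") and dest in (wan, "*")
        if kind == "defaults" and s.get("forward", "").upper() == "ACCEPT":
            findings.append("defaults: forward policy is ACCEPT")
        elif kind == "forwarding" and from_iot_to_wan:
            findings.append(f"forwarding {src} -> {dest}")
        elif (kind == "rule" and from_iot_to_wan
              and s.get("target", "").upper() == "ACCEPT"
              and s.get("enabled", "1") != "0"):
            findings.append(f"rule '{s.get('name', '?')}' accepts {src} -> {dest}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("isolated", ISOLATED), ("leaky", LEAKY)):
        print(label, internet_paths(cfg) or "no IoT -> WAN path found")
```

This only inspects the router's own rules; a dual-homed host on both VLANs that forwards packets, as the comment warns, has to be checked on that host.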
Can you give an example of tech devices that aren't manufactured in China?
(To bring this to the logical conclusion: So much for Internet access.) ;)
(From Chinese parts.)
That all tech devices are made in china is a myth propagated by the ignorant (or malicious).
From the raspberry pi (UK) to Samsung Galaxy (South Korea) it is trivial to find a product not made in China once you leave the low end of the market.
And now even the low end has alternatives if you spend some time and effort.
Name any category of product whatsoever and I will personally find you a non-Chinese alternative.
Even many things “made” in China are only really assembled in China. A computer that’s “made” in China is often just slapped together like a lego kit from pieces made in Thailand, South Korea, Germany, the US, Singapore and Taiwan (which isn’t a part of China).
The South Korean manufactured units are generally only sold in South Korea.
Without having put any specific thought into it, I always assumed that while designed in the UK they would be manufacturing them in Asia, so it's a pleasant surprise to find out that you're mostly right - the majority have been made in Wales (part of the UK)!
However some are made in Asia, including China. Quoting Wikipedia (plus the citation links):
> "Most Raspberry Pis are made in a Sony factory in Pencoed, Wales,[19] while others are made in China and Japan.[20][21]"
> [19] https://www.sonypencoed.co.uk/about/
> [20] https://www.zdnet.com/article/14-million-raspberry-pis-sold-...
The second link (20) is from 2017, with headline "Raspberry Pi: 14 million sold, 10 million made in the UK"
BUT. The software for the iPhone is made in the US. Which is why people buy it. All phones are black rectangles! The hardware does not matter that much. And the price to buy into the Apple software ecosystem is much higher than the sticker price of the iPhone, only some of which goes to China. So most of the reason someone buys a tech product, and most of the value, ie the software, is US made.
BUT #2: the solar inverter software is used as DRM. This should serve as EXTRA evidence for you that the SOFTWARE MATTERS and that the hardware is completely fungible.
It takes a little bit of setup, and less than $200. Anyone techy should do this; it's essentially maintenance free once running.
My (openWRT) router also has IPs on both subnets, and routes both LANs to the WAN. Restricting/throttling WAN bandwidth is easily managed in OpenWRT. Preventing WAN access is easily done by not providing a gateway in the DHCP assignment (pihole).
Obviously the big difference between this and a VLAN is that an ill-behaved device could still access the other subnet, and could still discover the gateway and route to the WAN. So far, none of the IoT crap on my restricted subnet has misbehaved.
The careful approach to IoT is to never connect a device to anything, dump the firmware, analyze it, reflash the EEPROM with patched TLS certificates (if necessary), write your own server implementation, let the IoT device join a dedicated IoT WiFi network, on that network run everything through a gateway pretending to be "the Internet", where the emulated server is running. Yep, it's this bad.
Of course, if the device or its malfunction cannot cause sufficient harm (e.g. it's a light, usually it's not worth to reverse engineer it) then just run it on a separate SSID and VLAN, with least access necessary to get it running (starting from blocking everything and allowing network by network until it works).
And, uh, if the device has a LTE or can use something like Amazon Sidewalk, it gets even trickier to keep it tame.
I don't have any solar power stuff, but I did this with my old cat feeder machine. In the process I discovered a service/backdoor SSH account, a system that does not encrypt p-frames at all before uploading data to the cloud, and a bunch of other things that made me happy I did not connect it to any public networks. Short conclusion: consider against with a camera or a microphone that runs on Tuya-developed firmware. Generalized conclusion: consider against IoT from any manufacturers you don't trust to fully respect your best interests, or aren't willing to audit first.
The downside is obvious, of course. And with every year more and more manufacturers tighten up their hardware, but I'm certain the crappy programming and service backdoors are all there, only ways to mess with the network traffic or firmware are clamped down.
To a significant extent I see this as a "buyer beware" situation. Now, a lot of people aren't even really aware of the problem nor knowledgeable enough to know what to look for, but I'd expect the majority of the HN audience is both aware of and able to understand the problem enough to be capable of looking out for and avoiding it.
I personally don't mind if a device uses internet connectivity to provide a useful service, but I refuse to buy anything that requires internet connectivity arbitrarily for functionality that could easily be performed locally. The first thing I do when I think a new IoT device might be neat is google "<product> Home Assistant" and see what comes up. If there's no integration or the integration is cloud based instead of local I probably won't buy it.
IoT devices are not necessities, most of them are either luxury items or disposable novelties. You can always just not buy them. There are certainly some categories, particularly in the residential market, where it may be harder to find an option you find agreeable but it's far from impossible. If every major offering in a category is bad in this way, you almost certainly don't actually need that thing.
I wouldn’t go that far.
To best of my awareness, there are no good automatic cat feeders on the market - just crappy ones and tolerable ones.
This doesn’t mean they’re some novelty gimmick I don’t really need. I’ve got two cats, one had developed a health condition that requires special diet - and I’d say that feeders that track consumption and can recognize between two furry assholes and unlock only for the appropriate one, are basically a necessity for me here. Without those I would have to force unnatural feeding schedules on my cats, so I can watch them eating from their own bowls.
Even basic stuff like smart lights isn’t totally a gimmick. It’s not just a light with phone for a remote control, after all. Being smart enough to e.g. not blast at full brightness in my eyes if I need something at nighttime is not just a fancy thing, but good for sleeping hygiene.
Solar assistant has the bonus of interfacing your inverter with homeassistant, and letting it control the inverter/get signals from it (so you can do things like, if grid voltage drops to zero, do xyz)
For others, here’s the solarassistant compatibility check page: https://solar-assistant.io/help/general/is-my-inverter-suppo...
Getting rid of excess energy in the grid can be just as hard a problem to solve as to deal with excess load, and being able to simply and very quickly remove some supply from the grid is very useful for that.
Otherwise they'd shut down the newly installed solar installation. I said, can you do that? Of course while talking, I changed the WiFi password.
Adding completely unused features just for fun isn't really a common business practice?
I could flash them with Valetudo and wire them up to Home Assistant, but doing so requires me to solder shit to the JTAG circuit and buy some niche hardware, which requires me to open up the vac and potentially brick it. I'm not risking that on a $1200 device.
What does it even mean for an app to be ".cn"? Apps typically aren't identified by DNS names. Did you have to download it from a .cn domain? Is it just a roundabout way of saying the app was Chinese?
Aren't they, at least on Android?
The gmail app is com.google.android.gm [1], and so on. The app ids are Java style reverse ordered dns names.
[1] https://play.google.com/store/apps/details?id=com.google.and...
Some systems like mine (Enphase) do a good job of letting the inverters operate independently of the monitoring/control software. But to do this, I believe they need to add data storage to the inverters themselves in order to log data during a controller "outage".
The only surprising thing here is they took an action to brick something instead of just abandoning it.
You're right, but I wouldn't say surprising. I do wonder what would happen if the units just stopped working outright one day and they're all intended to be gridded and nothing works properly anymore and the distributors are stumped and can't get ahold of anyone.
This already happened to me. Sort of.
Saw an advt for Air Jordans for $7. With a pic of actual Air Jordans. Thought to myself, "it's only $7, let's see what happens".
A very sorry looking pair of shoes arrived a couple weeks later. With "Air Jordan" printed on them. They weren't actual Air Jordans.
There was no way, absolutely no way, to get in touch with the Chinese company that did this.
(one year later: "Auction sells rare early Air Jordan prototype for $3 million")
Wilfully damaging someone else's property without permission of the current owner seems pretty malicious, regardless of whether the importers (or maybe someone who supplied to the importer) were in breach of a contract.
Even just building in the capability (assuming this wasn't installed via a generic software update, in which case I'd have some follow-up questions on the security against malware of these things) shows significant malicious intent.
Any idea how common this manufacturer is across the place?
I'm not from the states, but I do know that if my solar would be bricked, it would take me weeks to find out. I don't exactly check up on it and it's out of sight.
A number of the products used in off grid installs have invasive IOT remote access/administration.
It's only a matter of time until it leads to loss of life-- e.g. from people who freeze to death because they can't reconfigure or turn up a system without internet access which is out or doesn't work without power--, if it hasn't already.
It’s also the place where money ($$) is often the most constraining factor, so cheap amazon shit tends to be the norm.
Deye said something to the effect of "we have contractual obligations".
I think they're both at fault.
We can't hold Deye or Chinese companies culpable.
Moreover, this should serve as a warning shot for what could become a national security issue if we keep juggling international suppliers for critical infrastructure. They'll all have the capability of shutting down US electricity, which is unacceptable.
There's no reason we should be importing this stuff.
Pretty competitive too.
I also have an off grid cabin with a Victron inverter that is not on the Internet and never will be.
No, the takeaway is to not allow corps to have remote access to end-user owned devices in the first place.
This story of perfectly capable devices being bricked or having servers shut off has been told so many times with domestic (or friendly countries) companies it's laughable that the conclusion is 'do the same thing but onshore'.
(looks at election results)
Ok, tariffs. I guess tariffs are the new invisible hand.
And really, what we're talking here isn't domestic manufacturing. It's probably Mexican manufacturing.
Sol-Ark may not have pulled the trigger on bricking the inverters, but it certainly sounds like their legal actions pressed Deye's hand.
And then to shake down all the individuals whose inverters broke with a limited time opportunity to buy a brand new one from them....
Had there been no exclusivity agreement, I think we can agree that the inverters would not have been bricked for being located in the wrong regions.
I think the malice from Sol-Ark here is that they are only offering a limited time deal, which may pressure people to pay up before the courts clear this up.
Regardless of who shares the majority of the blame, Sol-Ark, Deye or 3rd party vendors, this could have been handled better by all parties involved, and should not have harmed end consumers in this way.
It seems Deye either willfully or negligently ignored the contract they made with Sol-Ark. Or their middle men in other countries did. Deye then punished the end users for Deye’s lapses.
Where does Sol-Ark get blame, unless the exclusivity contract is what one objects to?
I like that you substituted a similar word while paraphrasing a common phrase and then used the opportunity to say “I didn’t mean what you thought I did. I meant something else but will not describe what that is exactly”
I can't really figure out what they did that was in breach of contract. As far as I understand it, they don't do business inside the areas affected, so there is no contract to speak of. Instead, their authorized resellers seem to be the ones installing for their hardware; I don't even think it's legal to sell their hardware if it doesn't comply with FCC/etc guidelines.
Is geo-blocking illegal? Am I entitled to a refund if I import American hardware that refuses to operate in my country?
I think people were risking a broken setup for a big discount, and now it's come back to bite them in the ass. If the units affected were official installations done by their American reseller, their reseller wouldn't be so ready to offer up free replacements.
If the product doesn't obviously communicate that it won't work in your country: yes.
Just imagine this kind of thing happening in a (probably not so distant) future in which a significant fraction of all electricity is being generated in a decentralized way, using devices such as this...
I know various hackers, back in the day, were congratulated for their "public service" of showing vulnerabilities. The problem is that we've to a network infrastructure that is only secure by piecemeal bug fixes and ad-hoc filtering and moved to a situation where hacking is a (maximally shady) business.
Will things be different with power grid and other infrastructure because lives depend on it? I don't see any indications.
"The society at the stage of the integrated spectacle is characterized by five principal features: incessant technological renewal; fusion of State and economy; generalized secrecy, unanswerable lies; a perpetual present." Guy Debord, Commentaries on Society Of The Spectacle
People were buying Chinese inverters meant for the Chinese market off aliexpress on the gray market and shipping them to other countries. Deye decided to crack down on the behavior.
There’s nothing indicating this has anything to do with Sol-Ark at this point other than them being the approved distributor of rebranded Deye inverters in the US.
1. They're not properly licensed for other markets. Something equivalent to selling a radio transmitter in the US that's not registered with the FCC.
2. They price units outside of Asian markets much higher and don't want to allow/encourage arbitrage that they don't control.
This is definitely a case of "porqué no los dos" (or more).
> The contracts we sign with all dealers clearly stipulate that products that are not UL certified and listed by local power grid companies may not be sold or used in the United States, because the products do not meet US UL standards. If used in violation of this policy, the devices may pose significant-safety risks. To address this, Deye has built a verification mechanism into the devices. The pop-up alert is automatically triggered by the device’s authorization verification mechanism, rather than by any human intervention.
But there's plenty of ways to use solar inverters where neither of those factors applies.
And furthermore, you can buy tons of non-UL-certified junk at Harbor Freight and plug it in yourself. It's not like there's a magic forcefield at the border that these Deye units somehow slipped through. Using that as an explanation for disabling their hardware is so insubstantial as to be just this side of an outright lie.
And I'm astonished that the linked article isn't calling them out on it.
When the local building code requires that grid-connected devices are UL listed, then it becomes a legal requirement. I suspect this is probably the case in most jurisdictions across the US.
edit: NEC section 110.2 indicates all equipment must be "approved" and delegates this to the Authority Having Jurisdiction (AHJ) locally; and the majority of them are going to defer to a "NRTL" (Nominally Recognized Testing Laboratory, such as UL, CSA, ETL, etc) instead of doing all the expensive and tedious testing themselves. So when it comes to grid connections, some sort of approval is nearly always a de facto legal requirement.
Genuine question. Which of these options do we prefer? (Choose any number)
1. Deye proactively bricks all the devices
2. US governments compel Deye to brick the devices
3. Local authorities penalize people using the devices illegally
4. No one does anything
If something actually burns down, authorities will circulate a bulletin and move to #3.
Anyone using the hardware in an off-grid, mobile, or other situation where the cited regulations don't apply, should sue the crap out of #1 and I will contribute to a gofundme for their legal battering ram.
Now, people are without power and they have to go to Sol-Ark to get power restored, likely by paying through the nose.
Your question is really no different than asking why it's not legal for me to photocopy books and ignore copyright.
Now, you can argue that country-specific licenses shouldn't be allowed; but they currently are.
Why should the manufacturer be concerned you tried to skirt the region restrictions they were very upfront exist?
If Sol-Ark is adding value and competitive differentiation, wouldn't that justify the price premium over the basic Deye product? Especially if Deye is not willing to offer its own support/warranty to customers?
Why does Sol-Ark need to create a more monopolistic landscape? Not being judgemental, genuinely curious. (Well, I know why Sol-Ark wants it. I guess the question is why we allow it).
Contempt of business model is legal, and vigilantism is not.
I think Deye broke US law when they destroyed lawfully purchased products inside USA. I hope the inverter owners bring a class-action lawsuit against Deye in the US. The court could block the sale of the company's products in USA until they restore the inverters and pay restitution.
> U.S. Supreme Court Holds that Books Printed and Sold Abroad May Be Freely Resold in the U.S. Because the Copyrights Are Exhausted Under the First-Sale Doctrine
In any case, it’s perfectly legal for me to make and sell a geo-locked device in another country, and it is the importer’s problem if it fails to work elsewhere. That doesn’t tend to happen with physical books, obviously.
It sounds like Sol-Ark would have preferred that Deye not sell the products, and may even be able to sue Deye, but nobody illegally acquired anything.
But that’s an issue between the manufacturer and the distributors which can then sue each other for breach of contract, right? The “authorized reseller” thing shouldn’t matter to the end consumer, as soon as I have the product, it’s as legitimate as every other purchase.
Let's say a guy in China buys the product from Deye, who stipulates under Chinese law that this is only for use in China and not authorized for export. The guy sells it on to you in the US anyway (so let's call him a "scammer" for violating law and misrepresenting the product to you, an innocent consumer looking for a good deal).
Why should Deye respect your rights at all and not brick the device? What rights should you have under Chinese law? If they don't brick the device, how can they disincentivize the scammers at scale? Sure you can say they should prosecute and rely on the deterrent aspect of the penal system, but that is not really going to be effective.
Basically it boils down to what rights the victims of scammers and criminals have. If you unknowingly bought stolen diamonds, what rights do you have when the original owner comes knocking?
I helped a neighbor replace his Magnum system with Victron a couple years back; sadly, the former company has abandoned its roots and produces hardware that is neither well-designed nor robust. The documentation still smells like it was written based on some EE's napkin notes though.
That's assuming you can't just make do with node-red, which is a weird system, but is also available without touching ssh access, and comes preconfigured with everything you need to read (and write) to all connected Victron devices.
And other devices. I've got mine using the Pylontech battery protocol to read off the battery charge and start the generator on demand. Had to do that (instead of using the built-in generator start option) because the generator in question doesn't have an electronic starter.
If/when we have solar installed it will not be connected to the manufacturer or distributor's cloud systems.
Even devices that are pretty much for "self-hosting" are increasingly trying to sneak in cloud-connected back doors, like Synology DSM trying to sneak in cloud authentication to your local NAS. Stop trying to make the devices I bought for the purposes of having locally-managed devices depend on cloud services! My local network is not just a fucking gateway to cloud services!
The cloud is artificial, so it must be chemtrails, which explains why modern software feels like it's giving me cancer. Wake up sheeple. /s
Probably the only electric vehicle manufacturer that isn't egregiously tech-bro-y and dripping in dark patterns.
That said, regulation probably won't solve my problem, because what I want are devices that are specifically not designed to just be cloud-connected thin-client devices. I doubt regulation is going to entirely prevent this class of device from existing. And it's only going to get worse: look at what Microsoft is doing, they're literally trying to shift Windows into being a fucking cloud service.
The problem is getting voters and legislators to buy into the idea that those values are important and not worth trading off.
This is endemic in the home automation space. Nearly everything is made and operated on Chinese soil. Like security cameras, or, in my case, our LiDAR and camera augmented robot vacuums.
Some components, like lights and switches, have (very) expensive American alternatives. Some support ZigBee or Matter and can be controlled locally. Many many others require cloud infrastructure operated outside of the US and become bricks without it.
I would love to see the US mandate ITAR for all IoT devices sold in the US. If anything, that will help prop up local alternatives like Matter since that will be way cheaper than building compliant cloud-connected devices.
Maybe some more levels in the middle like "only connects to the internet for firmware updates" (yellow) and "doesn't require internet access for core functionality" (orange). Basically Nutri-Score [1] for hardware.
Imagine if a country could turn off power to US homes during a conflict. This is critical infrastructure we should be making at home.
and that's a minimum I'll settle on.
Or insurance that covers the complete refund cost of all assets sold. There are cases where you may be using 3rd party software that you license that you cannot open source. And, in that case, you're on the hook for refunding the cost of the item.
Also, cool beans that that is the minimum you'll settle on but how on earth would anyone enforce that? Open sourced software is not enough by far to make something work perpetually: the software will need to be run somewhere and most likely (since you are talking about some sort of net-connected software if this is relevant in the first place) will need security patching to keep up with CVEs. Who is going to pay for that? I don't think it will be the bankrupt entity that stopped existing 10 years ago.
I think wear-and-tear from usage falls under "until broken by me", which I see as intended to cover ordinary breakage that would exist even in absence of copyright and trade secrets.
> Also, cool beans that that is the minimum you'll settle on but how on earth would anyone enforce that?
A large part of the solution would be to stop enforcing copyright, patents, DMCA anti-circumvention clause, etc. in these cases. Companies can be legally compelled to release the server software with fines or restrictions on future sales for non-compliance. In case of bankruptcy, it can be obtained as part of the bankruptcy process going through the company's assets.
> Open sourced software is not enough by far to make something work perpetually: the software will need to be run somewhere and most likely (since you are talking about some sort of net-connected software if this is relevant in the first place) will need security patching to keep up with CVEs.
Some of these devices may legitimately need to be network-connected, but very few legitimately need to be Internet-connected. A local network with a Raspberry Pi running the server is likely fine in most cases.
> Who is going to pay for that? I don't think it will be the bankrupt entity that stopped existing 10 years ago.
I don't think the idea is to force someone to pay to keep servers up or actively maintain the software - but rather to remove artificial barriers in the way of owners/enthusiasts/repair-shops/etc. that already want to do so.
Unless we're applying this retroactively, it'd be an entity currently going through bankruptcy, and their obligation is just to hand over the source code in its current state.
I think that firmware shouldn't ever be bound by license, meanwhile software should be bound by it but mandated to be updatable/replaceable by user - even with custom one.
Then let manufacturers pick where they set the boundary - do they add extra complexity of updating and replacing software to the component? or do they go for licenseless firmware?
And if we assume that complying with the law somehow increases costs in the US market, people will still go buy the cheaper thing anyway. Which means you need to enforce the regulations on importing these things just as strictly as we regulate the import of cigarettes...
If you're comfortable with a datasheet, logic analyzer and know how modbus works, you're 60% of the way to a local telemetry solution... And you're also probably not representative of the typical customer.
But if your tec
E.g., it could have an embedded web server accessible only on the owner's local network, a local display panel, some USB thingy, etc.
Agreed. I do not believe a web server is even required for telemetry / stats.
I have inverters and power conditioners going back 15+ years that have menus that display ASCII text. Yeah, I have to up / down / left / right a bit and the screens are annoyingly small, but I get columns of numbers that are trivial to read. Some of the really old equipment require decoding numbers from a PDF off the website and some of the commercial proprietary gear may require a document paywalled behind a service tech but even that old stuff does not require a web server.
Modern inverters, well, most of them, have massive screens that can make reading this info trivial without a web browser: EG4, Growatt, etc. I think it just requires more potential buyers and inverter owners to call up the company and request feature enhancements: bigger screens, easier menus. Tell them you don't want dependency on Wifi, Internet, Cloud, Phone garbage. Even better, get YT influencers to call them up. [1] Just a simple to read menu that the owner and local service tech can read.
Just me personally, I would also like to have options for an API to query from a trusted device and/or SNMP and the ability to define a syslog target or two for alerts. Even my Brother Laserjet has SNMP. I use that to detect power outages uptime via SNMP.
[1] - https://www.youtube.com/c/WillProwse/videos [youtuber videos][DIY solar setups][HN member]
You do see how it runs, you look in the sky and see the sun shining, maybe see a few LEDs on the side of a box, and see your electricity usage is lower / cheaper.
As to why people don't want to spend hours digging into "telemetry" and things of their appliances, that could be a difficult thing to explain to nerds who do like to.
I know people who wire up all sorts of monitors and ride their bike and calculate and graph how many watts they are producing and amount of oxygen their lungs are taking in blah blah. Other people just ride their bike to get to work.
I built my solar array myself - a big ground mount array, string inverters[0]. This went fine, and then a few years later, I started getting arc fault warnings. These were intermittent, but the inverter would respond by shutting down entirely, then gradually ramping power back up. In the heat of summer, it would often then arc fault again and shut down. However, it ran fine for the morning, and most of the afternoon. The power cuts were sometimes dramatic, sometimes less than noticeable. But it was faulting out.
Because I'd set up monitoring, I started getting emails about these events, and was able to run them down. Had I just been monitoring aggregate power use, I may very well have not noticed these. The inverters were somewhat less than helpful ("Arc Fault String A" means "Arc fault somewhere on the DC side"), and it took more than a bit of troubleshooting to run this down[1]. Eventually, thermal imaging made the problems clear - and, yes, there were real problems I was able to resolve[2]. Turns out, the panels I got cheap were a weird little niche of panels for a reason.
Without monitoring, I have no idea how long it would have taken for me to find this problem. I found another problem in my system (a bad connection in another panel leading to 1/3rd of the panel not producing any output) through thermal imaging, so that was useful.
But "Ensuring your solar inverters are doing what you want, without errors," is worth a good bit in a complicated system that may have 50 or 100 distinct connections, if not more, each one prone to potential problems.
[0]: https://www.sevarg.net/tag/solar2020/
[1]: https://www.sevarg.net/2022/07/16/sma-sunny-boy-arc-fault-tr...
[2]: https://www.sevarg.net/2022/07/31/journey-to-the-center-of-t...
Basic status indicators and warnings in the form of lights on the side of the box, sure. Online telemetry and emails? Few people care. They'll use an app that draws graphs about a grand total of 4 times after they buy the system, and that's about the extent of it.
The web telemetry panel had multiple gaps throughout the day where energy generation dropped to 0, but having datapoints logged every 10 minutes didn't give out enough information to determine why that was happening.
It also had a current status endpoint which updated every 10 seconds. I wrote a python script to log those updates into a file, and eventually discovered the inverter was shutting down itself and waiting 5 minutes every time it found its grid voltage to be greater than 241V.
Installer wanted utility to lower the house's grid transformer tap, but needed authorization from Utility, who declined claiming it was already on the lowest tap possible. Cynically, I think they declined because lowering further would lower grid voltage at night below minimums they're contractually required to maintain.
Tried going into the manufacturer's website to see if a firmware update could solve this. Couldn't find firmware updates, but I did find a manual for their local monitoring app, including a password for installer-only settings, set to "123456".
The app doesn't include any functionality to change said password to something else, so I assume it's hardcoded. There was one change I could still legally do without violating anything - raising the grid shutdown threshold voltage from 241 to 242V. This change did get reflected in subsequent logs, so the settings panel is functional. I could technically increase that further (to a maximum of 275V), but that would expose me to liability.
Parents suggest contacting the inverter's distributor for support, and they asked for a password I was never given. Apparently the manufacturer is supposed to create accounts for installers/distributors buying directly from them, and I somehow bypassed that process when creating an account for myself, without even realizing it.
Some more clarification later, it turns out they can still remotely access the inverter with its serial number. After doing so, they "fixed" the issue without explaining how. Checking the installer settings interface, it turns out they just increased the grid overvoltage shutdown threshold to 275V right off the bat.
At least I got them on record saying they did that, so I'm technically in the clear. Still, having that kind of access was scary enough to want to make me disconnect the inverter from the internet.
Turns out its warranty (which only expires in 2036) has terms requiring it to stay connected to the internet. That's enough time to trigger WW3 and a resulting horus scenario (https://horusscenario.com/).
Until then, the best I can do is to throttle the inverter's internet connection to something like 10kbps, which isn't enough to prevent someone persistent enough from uploading new firmware.
Stories like this make me reconsider keeping it connected. I'm surprised we haven't seen inverter ransomware yet.
Does it define any requirements for the internet connection? What if the connection latency was, let's say, 1 week?
What can we do to modify capitalism so that this externality is correctly captured? I think most people, especially those who rely on these systems to do their jobs would tell you "I would gladly pay a premium to prevent outside influences from being able to brick my tractor (or whatever), if it's broken I want to be the one who has broken it." Is this something that could simply be solved by aggressive anti-trust? Surely this isn't the best future we can come up with.
This goes both for the malicious bricking of normal consumer devices, and attacks on critical infrastructure like this, except of course the punishment for the latter should be correspondingly more severe.
https://pemc.coop/bill-protecting-critical-infrastructure-si...
Sony BMG with the hidden DRM rootkit malware on their music CDs got some civil penalties but no criminal prosecution. Sony with the Playstation OtherOS removal had to pay a ridiculously low class action, no criminal prosecution. Lenovo got a slap on the wrist for putting an adware firmware bootkit into the machines, again civil only.
A lot of companies are still getting away with exfiltrating memory dumps by default as part of their error reporting, selling your location data, etc.
The only criminal prosecution (as in "butt in jail") for similar behavior that I'm aware of is Volkswagen's Dieselgate, and that was only prosecuted because it was seen as screwing over the US government, not consumers.
Calling this trade war invokes issues which may exist, but ignores more present dangers. Selling unlicensed radio equipment (for example) into different economies has massive financial risks.
All they need to do is the same thing any manufacturer whose stuff ends up on a gray market does: "We're very sorry and we don't know how this happened. We'll work with regulators to better audit our export shipments in the future." This kind of thing happens all the time.
> U.S. Supreme Court Holds that Books Printed and Sold Abroad May Be Freely Resold in the U.S. Because the Copyrights Are Exhausted Under the First-Sale Doctrine.. The Kirtsaeng decision is significant to copyright owners, and it may also have important ramifications for patent owners who make and sell goods abroad that practice a U.S. patent.
https://www.iveticlaw.com/owning-vs-controlling-understandin...
> The first sale doctrine is a legal principle that limits the copyright owner's control over a particular copy of their work after it's been lawfully sold. This doctrine, in essence, acts to cut off the copyright owner's rights in the created work after the product is first sold (ie. when the copyright owner releases their work into the marketplace). Another way to describe it is that the copyright holder's right to control the distribution of their work goes away after the “first sale” of the work (hence the name). In more straightforward and more practical terms, once you buy a book, CD, DVD, artwork or any other authorized copy of a copyrighted work, the copyright owner generally loses the right to control what you do with that specific copy. You can resell it, lend it, give it away, or even destroy it, without their permission.
Remote bricking requires software, which is sold under copyright law.
This also has nothing to do with exclusivity agreements arranged between companies, as seems to be the case here.
The 2013 U.S. Supreme Court case depended on a plaintiff that was making enough money on textbook arbitrage to fund a legal case all the way to the Supreme Court. It provided new clarity on book distribution and geographical "exclusivity".
If software enforcement of device distribution agreements affects a large enough flow of capital, then corner cases will accrue enough economic impact to be tested in courts. Manufacturers do not have carte blanche to manipulate hardware remotely, e.g. they cannot take actions that could injure humans. Where are the limits? For now, we have many opinions and few laws.
Metrics from an inverter, once upon a time, would have been a local web server in the device. Maybe with QR code printed on the device so the typical smartphone user could access it. Firmware updates ought to be physically "opt in" - like stick a USB stick or MicroSD card into the device and push a button.
Not some mysterious cloud that through legal issues, malice or sheer incompetence, can reach in and modify or delete functionality without warning.
My dishwasher has a little nag light to remind me I haven't connected it to my Wifi yet. I never will. It washes dishes just fine.
Opt in for major functionality, that is fine.
If the washing machine is already vulnerable then you'd want a security update.
None of the IoT devices we own have had an update that fixes a user facing bug, but most have had critical updates that break existing functionality.
Or just a regular serial port! For example, IEC 62056 [0] provides a fairly trivial standardized way to interact with an electricity meter using an IR reader head. Even easier, the DSMR standard outputs serial data via a 5V RJ12 connector [1]. You can connect that to a PC with a $5 USB-to-serial adapter, directly to a Raspberry Pi, or to one of a dozen $20 cloud dongle thingies.
Just mandate a serial interface, and the inverter itself doesn't need any kind of web interface whatsoever.
[0]: https://en.wikipedia.org/wiki/IEC_62056
[1]: https://jensd.be/1183/linux/read-data-from-the-belgian-digit...
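The local serial readout described in the comment above can be consumed with a few lines of code and no cloud dependency. The following Python sketch is an added example, not code from the thread or from any vendor: it checks the CRC16 trailer of a DSMR P1 telegram before trusting the readings. The telegram body, meter identifier and function names are constructed for illustration.

```python
import re

# Constructed sample telegram body (not captured from a real meter).
# OBIS codes: 1-0:1.8.1 import T1, 1-0:2.8.1 export T1, 1-0:32.7.0 voltage L1.
SAMPLE_BODY = (
    "/XYZ5\\2EXAMPLE-METER\r\n\r\n"
    "1-0:1.8.1(001234.567*kWh)\r\n"
    "1-0:2.8.1(000987.654*kWh)\r\n"
    "1-0:32.7.0(241.3*V)\r\n"
    "!"
)

def crc16_arc(data: bytes) -> int:
    """CRC-16/ARC (x^16+x^15+x^2+1, LSB first, init 0), as used on the P1 port."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def frame(body: str) -> bytes:
    """Append the 4-hex-digit CRC a meter sends after the closing '!'."""
    raw = body.encode("ascii")
    return raw + f"{crc16_arc(raw):04X}\r\n".encode("ascii")

# Only simple "code(value*unit)" lines are handled; other lines are skipped.
OBIS_LINE = re.compile(r"^(\d+-\d+:\d+\.\d+\.\d+)\(([\d.]+)\*(\w+)\)$")

def parse_telegram(telegram: bytes) -> dict:
    """Verify the CRC, then return {obis_code: (value, unit)}; ValueError on damage."""
    end = telegram.rfind(b"!")
    if not telegram.startswith(b"/") or end < 0:
        raise ValueError("not a complete telegram")
    body, trailer = telegram[: end + 1], telegram[end + 1 :].strip()
    if len(trailer) != 4 or int(trailer, 16) != crc16_arc(body):
        raise ValueError("CRC mismatch")
    readings = {}
    for line in body.decode("ascii").splitlines():
        m = OBIS_LINE.match(line)
        if m:
            readings[m.group(1)] = (float(m.group(2)), m.group(3))
    return readings
```

On real hardware the bytes would come from the serial adapter instead of `frame(SAMPLE_BODY)`; the port is output-only, so the reader cannot change meter settings.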