[return to "The Philips Hue ecosystem is collapsing"]
1. jmuguy+Ey 2023-09-27 03:03:39
>>pictur+(OP)
Can someone explain the Home Assistant anecdote regarding JS and curl | sudo sh? Does the author mean Home Assistant isn't secure? Or that there's some issue with the front end of it? Or something else?

Because imo... that is the answer. We have seen so many stupid closed ecosystems of home automation stuff come and go, I dunno why you'd mess with anything else at this point. In fact I just got another email reminder that Google is turning off the old Works with Nest stack. Remember Nest? Yeah...

2. GuB-42+dr1 2023-09-27 10:41:21
>>jmuguy+Ey
Probably a misguided idea of security. There is nothing wrong with JS itself, in fact, as far as languages go, it is pretty secure due to the attention it gets by being what runs in web browsers.

As for "curl | sudo sh", yeah it looks scary, but it is not worse than downloading a .deb and then doing "sudo dpkg -i your.deb", or installing any downloaded binary on your machine for that matter. You may say something about signatures, but often, the public key you have to trust is on the same website you downloaded the .deb. In all these cases, TLS is the only thing protecting you. Going through a file you don't audit doesn't change anything, and in practice, almost no one does the audit, and few Linux boxes have AV scanners.

Don't trust it? Run it in a VM, container, or dedicated hardware, this is actually what they are suggesting.
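
An added example, not part of the thread and not any project's own installer: the download-to-file alternative that the comment above compares "curl | sudo sh" against, with the file checked against a SHA-256 digest before it runs. The function names are hypothetical, and the pin is assumed to come from a channel other than the download site; a digest copied from the same site adds nothing over TLS, which is the comment's point.

```shell
#!/bin/sh
# Added example: run an installer only after the complete file matches a
# pinned SHA-256. Function names are hypothetical, not from any project.
#
# Typical use (placeholder URL and pin):
#   curl -fsSL https://example.invalid/install.sh -o install.sh
#   run_verified install.sh "<pinned sha256>"

# sha256_of FILE: print the lowercase hex digest of FILE.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 if the digest matches, 1 on mismatch, 2 if FILE is missing.
# Assumption: EXPECTED_SHA256 was recorded out-of-band (for example in
# your own configuration management), not fetched alongside the script.
verify_script() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    return 0
}

# run_verified FILE EXPECTED_SHA256 [ARGS...]
# Executes the whole, verified file. A pipe into sh starts executing while
# the transfer is still in flight, so a truncated or altered download can
# run partially; here nothing runs unless the full file matches the pin.
run_verified() {
    file=$1; expected=$2; shift 2
    verify_script "$file" "$expected" || return $?
    sh "$file" "$@"
}
```
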