Block HA from sending out passwords to third party

Errrr … !!
:man_shrugging:

1 Like

That’s the super secret Skynet version. :wink: Didn’t you know? lol

So … how long after ‘judgement day’ is that ?
I’m just trying to see how long I can go without building my bunker and stocking it with the essentials I’ll need (twinkies (apparently they never go off) 3 1/2 inch floppy disks (you always need a high-tech coaster) BetaMax Video tapes … cos it’s better technology than VHS (It JUST IS !!!) etc. )

1 Like

You spelled Laserdisc wrong. :wink:

1 Like

No, I chisel video information into ‘teak’ as it’s much more thermally stable and hard to ignite, reading it back is still a problem I’ve not yet solved though.
:thinking:

Edit: though not sure about woodworm …

1 Like

Opt~out/in Password check to third party?

If you prefer it as optional, pls vote. Better for the devs to hear the community.

3 Likes

You gave permission when you updated to 2021.3, having read the release notes. You had a choice

Ummm… the password checking thingie is not mentioned at all in the 2021.3 release notes.

1 Like

Surprise surprise, if I use Password1, Password2, Password4 someone may be able to guess my 4th password.

Exactly why I create a random password for everything.

Sorry, it’s not a core feature it’s a supervisor feature and I got the version number wrong.

Actually, I didn’t because I did not update to 2021.3 nor do I run Supervisor. My fear is that this will come to Core and it is why I am highly vocal about this change.

2 Likes

It won’t come to core, because it’s part of supervisor.

That’s a bold statement. We, as users, honestly have no idea if it will come to Core or not as the basic premise is scanning secrets.yaml. The only difference between Core and Supervisor in this instance is that it is looping through installed add-ons first. If the devs think it’s a good security feature, it could easily be pushed into Core through a simple PR.

1 Like

If it was coming to core it would have been in core to start with.

Again, that’s a bold statement. Like I said, if the devs feel like this is a good feature, it’s one they could easily port into Core.

1 Like

I wonder how you came to 1"something" (I’m not familiar with KB unit) per password for utf8. Considering most passwords (especially weak ones, which obviously are the majority in the db) consist mostly of ascii characters, their length in bytes should be the same (or very similar) regardless of charset.

I would prefer to throttle the polling frequency. I’ve had success with Home Assistant Supervised on Debian. I’ve identified the code within Supervisor responsible for polling version.home-assistant.io and have increased the interval (i.e. decreased the polling frequency).

However, I also have an RPi3 running an instance of Home Assistant OS and it has an additional twist. Although it also runs my throttled Supervisor code, it still makes connection requests to version.home-assistant.io every 5 minutes. This behavior doesn’t exist in the instance of Home Assistant Supervised on Debian. The difference leads me to believe the underlying operating system in Home Assistant OS is making the repeated 5-minute requests. What exactly is doing it, I don’t know yet.


FWIW, it’s also possible to modify Supervisor’s code to eliminate the password-check feature but it’s less convenient than simply blocking api.pwnedpasswords.com.


EDIT

My hunch was correct. Here’s what is responsible for polling every 5 minutes:

According to the documentation for Network Manager, the default polling frequency is 300 seconds (5 minutes).

http://manpages.ubuntu.com/manpages/bionic/man5/NetworkManager.conf.5.html

I really don’t need it to check Internet connectivity so frequently so that will be throttled as well.

4 Likes
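The post above works out which component is polling by looking at how often the requests recur. As an added example (not part of the original post, and not Supervisor or Home Assistant OS code), this sketch measures the per-host polling interval from a resolver's query log and compares it with NetworkManager's 300-second default. It assumes a dnsmasq-style log; the sample lines are constructed, and the function names `polling_intervals` and `near_default` are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in dnsmasq query-log style; not captured from a real system.
SAMPLE_LOG = """\
Mar  5 10:00:02 dnsmasq[412]: query[A] version.home-assistant.io from 192.168.1.20
Mar  5 10:00:02 dnsmasq[412]: query[AAAA] version.home-assistant.io from 192.168.1.20
Mar  5 10:05:02 dnsmasq[412]: query[A] version.home-assistant.io from 192.168.1.20
Mar  5 10:07:40 dnsmasq[412]: query[A] api.pwnedpasswords.com from 192.168.1.20
Mar  5 10:10:03 dnsmasq[412]: query[A] version.home-assistant.io from 192.168.1.20
Mar  5 10:15:02 dnsmasq[412]: query[A] version.home-assistant.io from 192.168.1.20
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ query\[\w+\] (\S+) from (\S+)$")


def polling_intervals(log_text, year=2021, burst=5):
    """Return {(client, host): median seconds between lookups, or None}."""
    # Syslog timestamps carry no year, so `year` is an assumption. Lookups closer
    # together than `burst` seconds (an A plus AAAA pair) count as one poll.
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a query line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        seen[(m.group(3), m.group(2))].append(ts)

    result = {}
    for key, stamps in seen.items():
        stamps.sort()
        polls = [stamps[0]]
        for ts in stamps[1:]:
            if (ts - polls[-1]).total_seconds() >= burst:
                polls.append(ts)
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        result[key] = median(gaps) if gaps else None  # None: seen only once
    return result


def near_default(interval, default=300, tolerance=10):
    """True when a measured interval sits on NetworkManager's 300 s default."""
    return interval is not None and abs(interval - default) <= tolerance
```

A host whose interval stays at about 300 seconds after the Supervisor change is the pattern the post attributes to the operating system's connectivity check.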

Seriously, that is worth the “Holmes Detective of the Week Award” if we even have one !
:+1:

1 Like

It’s so funny the bloodletting in here over an issue for most people that would be solved just by switching to a secure password. Yeah it’s a nuisance but this whole discussion is deja vu when they removed the simple API password for HA itself and forced local users to use a username and password. The screaming and arguments were near identical.
Anyway, pissing in the wind can be entertaining to watch and here’s me all outa popcorn…

5 Likes

You should have a popcorn delivery just prior to the new month release.
I have to admit, the level of “uproar” seems to reach a higher and higher crescendo as time passes …

Or is that just the consequences of Covid 19 lockdown ?

:thinking:

1 Like