Updated to 3.1.4 and still the same …
Loved the joke. Keep them coming
Of course!!! Thanks!
According to tom_l’s post, the founder disagrees and the card’s author has been reprimanded.
One of the project’s trusted contributors made the product do something (in a very visible and public way) that the founder would have never allowed. It’s a breach of trust, regardless of the day it occurs on.
It’s also why the developer has made a public apology because he now also sees this incident in the proper context.
I’m keeping the damn version installed today on principle. People in here are missing a huge point, which is that they are always updating their system without knowing what they are putting into it; they simply “trust”.
Trust isn’t something you should have when dealing with home automation systems that you did not develop. I can take a joke; other people can’t. However, the blame for this falls 100% on them: they are the ones who updated “critical” systems without knowing what was inside.
There’s nothing to forgive, the code is not yours, people.
…went to a bad part of town.
…left their doors unlocked.
…wore the wrong clothes.
…loved the wrong people.
Disgusting.
Did you vet the Windows software that runs your banking app?
Did you go to the IT department of the bank and demand to see the code they use to make sure they are protecting your accounts?
Did you fully inspect the browser software that you log in to your credit card account with?
Did you review the code running on the keypad that controls your home security system?
Have you looked at the code of every app on the phone that knows literally every single thing about you including your location?
I didn’t think so…
The code is not yours…
I agree.
It was pretentious of me to blame the users - even partially.
I have removed that text from the release notes of the fix, but will not pretend I never wrote it.
Honestly, though, highlighting the risks was a part of my motivation when I introduced this change, since it has been a real concern of mine for a long time.
Therefore I often take the chance to try to bring attention to the possible vulnerabilities and explain that some things really should not be running on a critical system.
Card-mod has broken systems - many times - and will break systems in the future. Unintentionally those times, just like this, and sometimes entirely unexpectedly due to third parties. The difference this time is that the breakage will fix itself.
And as I said in another topic: Everyone, attacks or name-calling are not OK. Venting frustration and being upset about the situation definitely is. Do not report posts that are not breaking the rules to protect my feelings or whatever.
I understand your valid concern but drawing attention to the risk by publicly exploiting it wasn’t the only available option. I have the impression you are very experienced in card development so an alternative might have been to apply your expertise and propose mitigation strategies to the founder and development team. It seems like a more productive approach than what transpired.
Or did you already try that approach only to have it fall on deaf ears?
Unfortunately there’s nothing that can be done, and it is considered an acceptable risk.
Custom integrations will run arbitrary code on your backend, and custom lovelace plugins will run arbitrary code in your browser. There is no way around that.
It was of course not the only or even main motivation for the joke, though.
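The point made above, that a custom card or integration is arbitrary code and nothing in the platform can change that, leaves one thing the person doing the update can still do: find out what changed before loading it. The following is an added example, not code from card-mod, HACS or Home Assistant. It assumes custom frontend resources live under a directory such as `www/community` (a HACS convention; the path is an assumption) and records a SHA-256 per file so that a later run reports which files were added, removed or rewritten by an update. It says nothing about whether a change is benign; it only turns a silent update into a list of files to review.

```python
import hashlib
import json
from pathlib import Path

# Example, not project code. The directory below is the assumed location of
# custom Lovelace resources in a Home Assistant config (HACS convention).
DEFAULT_RESOURCE_DIR = Path("www/community")
DEFAULT_PIN_FILE = Path("resource-pins.json")


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def pin_contents(files: dict) -> dict:
    """Map {relative_path: file_bytes} to {relative_path: sha256}.

    Kept separate from disk access so it can be exercised on in-memory
    (constructed) inputs as well as on a real resource directory.
    """
    return {name: sha256_bytes(data) for name, data in sorted(files.items())}


def diff_pins(old: dict, new: dict) -> dict:
    """Compare two pin maps and report what an update changed.

    Returns {"added": [...], "missing": [...], "changed": [...]}; an empty
    report means every pinned file is byte-for-byte what it was.
    """
    old_names, new_names = set(old), set(new)
    return {
        "added": sorted(new_names - old_names),
        "missing": sorted(old_names - new_names),
        "changed": sorted(n for n in old_names & new_names if old[n] != new[n]),
    }


def read_resource_files(root: Path = DEFAULT_RESOURCE_DIR) -> dict:
    """Load every .js file under root (recursively) keyed by its relative path."""
    return {
        str(p.relative_to(root)): p.read_bytes()
        for p in sorted(root.rglob("*.js"))
        if p.is_file()
    }


def pin_directory(root: Path = DEFAULT_RESOURCE_DIR,
                  pin_file: Path = DEFAULT_PIN_FILE) -> dict:
    """Record current hashes of all custom resources to the pin file."""
    pins = pin_contents(read_resource_files(root))
    pin_file.write_text(json.dumps(pins, indent=2, sort_keys=True))
    return pins


def verify_directory(root: Path = DEFAULT_RESOURCE_DIR,
                     pin_file: Path = DEFAULT_PIN_FILE) -> dict:
    """Report what changed since the last pin_directory() run."""
    old = json.loads(pin_file.read_text())
    return diff_pins(old, pin_contents(read_resource_files(root)))


if __name__ == "__main__":
    import sys

    # Usage: python pins.py pin     (before an update, while you trust the tree)
    #        python pins.py verify  (after the update, before restarting HA)
    if len(sys.argv) == 2 and sys.argv[1] == "pin":
        print(f"pinned {len(pin_directory())} files")
    elif len(sys.argv) == 2 and sys.argv[1] == "verify":
        report = verify_directory()
        print(json.dumps(report, indent=2))
        # Non-zero exit when anything differs, so this can gate a restart.
        sys.exit(1 if any(report.values()) else 0)
    else:
        print("usage: pins.py pin|verify")
```

Run `pin` against a tree you have already looked at, then `verify` after every update; an empty report means the loaded files are the ones you reviewed, and a non-empty one is the list to read before the browser executes them.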
Nice work McLoven - appreciate your respect and ownership where it matters.
IMO, Home Assistant is by far the best home automation platform out there. Its open nature and community drives its utility. Of course this utility comes with potential trade-offs - stability, security, performance, etc. But HASS provides an extraordinary level of choice - lean towards stability and security by deploying supervised components, or accept some level of risk by expanding to less supervised community components. In all cases, I believe we users should work to understand, and accept, the level of risk we’ve taken - across all software we allow into our environment.
The overall HASS experience sits nicely between the antiseptic and slow-moving platforms like "Smart"Things, Google Home, etc. and the fast-moving-but-often-broken experiment that HASS was in its earlier days. Locking the platform into a corporate-but-safe box would be the worst thing to happen to this glorious solution, and I’ll gladly accept a few hours spent troubleshooting a developer’s goof as a tradeoff - god knows I’ve spent hours fixing my own goofs over here. Stay weird, McLoven.
thank you immensely for that.
hopefully that humility trickles down to others.
I hope it is clear that I never thought you did anything maliciously and understand it was just a joke/lesson gone off the rails.
I appreciate the work you’ve done for the community and (still) use lots of your cards.
If we never made a mistake we wouldn’t be human.
Just for clarity and for the people who feel they missed out.
Here’s what I meant to happen:
Wonky crooked cards. Harmless fun for the entire family.
Up to three degrees of randomly applied rotation, meaning on a 4K screen with a card in panel mode stretched as far as it could go, a control could move up to 104 pixels (about one inch) out of place vertically. But that’s an extreme case.
What I did not anticipate:
The effect stacks in the automations page when many ha-card elements are used in parallel.
Also, apparently the rotation can cause bad performance on some devices.
What I absolutely did not anticipate:
Common browser behavior means applying a transform to an element makes it throw the render stacking rules to the wind, making context and dropdown menus unusable.
I learned a lot from this one… maybe it can be useful in more constructive ways…
I understand people being really upset about the last two things, and ask you to consider those bugs. It really was not my intent in any way.
Part of the problem is that card-mod has grown more powerful since I came up with the idea. I should have done more testing along the way.
Personally, I agree with the loss of trust situation, but not specifically directly with @thomasloven. Rather, he has highlighted a severe security defect in our HA installations. I don’t know exactly how to deal with the implications (except stopping use of HA and/or “non-official HA stuff” entirely), but @thomasloven has highlighted a serious issue and (likely) intentionally.
I think the community needs to figure out how to deal with the implications. I don’t agree that it is an acceptable risk. HA exists explicitly to eliminate random vendor control and security (and reliability) incompetence from our homes; that is its core raison d’être. You’re a good guy and this was fun, but next time it won’t be fun at all …
There isn’t anything that can be done. The choices are: Allow custom cards, or don’t allow custom cards. If you install a custom element, it’s going to have access to your system. There’s no way around that.
I doubt that’s true. For example, one can establish multiple levels of trust even for community-contributed content and on a per release/update basis. Just as random example: 0=just released, 1=vetted/reviewed by at least 5 other users, 2=1+vetted/reviewed by at least 5 users with trust score > x, etc. There is already something like that in place, it’s just clearly not strong enough.
But until such time, no custom cards it is then. Which makes HA much less usable and useful, to the point, perhaps, of not being used at all …
I don’t and I accept the risks, plus I have no other options to do so when it comes to banks.
Did you review the code running on the keypad that controls your home security system?
Nope, that’s why my home security is basic stuff like movement sensors and magnetic windows.
Have you looked at the code of every app on the phone that knows literally every single thing about you including your location?
Nope, because I don’t care; I accept the risks. However, I try to mitigate by controlling what info comes in and out of my phone with a firewall, but once again it’s my choice. And besides, if you use Home Assistant for anything critical like banking or home security like opening doors and such, then I’m sorry, but you are delusional about your capability of keeping yourself safe.
Also, stop comparing yourself to real victims. God people can be such little b***** sometimes.
Careful