Partially responsible for this. (Sold Lockitron to Chamberlain in 2017 which became the basis for Amazon Key integrations.)
Contrary to the popular sentiment in a lot of the comments here, there’s not much value in the analytics. As we all painfully found out in the 2010’s, there are only two viable recurring revenue streams in the IoT space - charging for video storage and charging for commercial access. Chamberlain does both with the MyQ cameras and with the garage access program to partners like Amazon and Walmart. Both retailers have a fraud problem (discussed here https://news.ycombinator.com/item?id=38176891). “In garage delivery” promises dropping delivery fraud to zero - ie users falsely claiming package theft. That solution is worth millions to retailers, naturally Chamberlain would like a cut but only if they can successfully defend that chokepoint.
For historical reasons having to do with the security of three or four generations of wireless protocols used in garage doors they can’t (and products like ratgdo and OpenSesame exploit this.) Other industries such as automotive have a more secure chain of control over their encryption keys so one has to (for instance) go to the dealer to buy a replacement key fob for your Tesla for $300 and not eBay for $5.
Given the turnover in leadership there I’m not surprised the new guy needs to put their hand on the plate to see it’s hot, but there’s a reason this wasn’t implemented before and it wasn’t because of lack of discussion. I can see the temptation in going for monetization given their market share but I think this approach was ill conceived rather than fix foundational issues which would allow home users to integrate with 3rd party services and still charge industry partners for reducing incidences of fraud.
Amazon expects me to weaken my physical security posture to help them defend against an activity I don't engage in and is in no way my responsibility?
AND
Chamberlain expects me to weaken my digital security posture so they can run some opaque crap on my network¹ that I have very little observability into and even less control over so they can make money?
Money is one hell of a drug because they are high.
How about amazon builds (at their expense) an amazon controlled box, slap a mcu on, do authentication over nfc, rfid, etc etc. Offer it to customers free of charge, hell throw in a sweetener to get them to adopt.
[1] I have a default deny in AND out isolated vlan for crap like this, even if you don't have a network background try to set one up if your networking equipment is capable.
I find it odd that the standard policy is to leave packages unattended in any form in the first place. This is another one of those things that is not standard globally.
E.g for us in South Africa, this would be unthinkable, regardless of how much time it saves the delivery company. The only time a parcel is left at the door is when it's UberEats. Otherwise delivery is rescheduled if we don't physically collect parcels in person. This is partly an access issue (many houses/apartments/estates have gated access) and largely a trust/crime issue.
> How about amazon builds (at their expense) an amazon controlled box, slap a mcu on, do authentication over nfc, rfid, etc etc. Offer it to customers free of charge, hell throw in a sweetener to get them to adopt.
I mean, they already do exactly this — this is what Amazon Lockers are. It's just only seemingly worth it to Amazon to deploy them to commercial customers, e.g. at post offices, in front of Whole Foods locations, in some very large apartment building complexes, etc.
(My own guess as to why the economics don't work out for individual residences, is that a hypothetical smaller locker — one small enough to fit on a porch — would also inherently be lightweight enough for thieves to just cart away wholesale.)
Are you upset with Amazon for hypothetically refusing to deliver to your home unless you give them a virtual key fob to your garage?
Let’s just take a step back here and recognise that we’re asking online retailers to leave our deliveries outside our homes, with direct access to members of the public, but we’re also asking for them to assume responsibility if the packages are stolen.
Morally, in isolation, it’s not a very defensible position for the consumer to take. I personally don’t feel so bad about it when it’s Amazon — they can afford it, basically — but in general it’s not realistic for porch pirates to be anyone else’s problem except the consumer’s.
> Amazon expects me to weaken my physical security posture to help them defend against an activity I don't engage in and is in no way my responsibility?
Most people get quite irked when someone steals their Amazon package between the time it was left at their door and the time they actually try to get the package. Hence for most people who occasionally receive Amazon packages when no one is home to quickly take it inside a way to let Amazon put the package in their locked garage is a benefit.
> How about amazon builds (at their expense) an amazon controlled box, slap a mcu on, do authentication over nfc, rfid, etc etc. Offer it to customers free of charge, hell throw in a sweetener to get them to adopt.
Like Amazon Lockers? That's not as convenient as delivery to your home. Or do you mean they should provide lockers to individual homes?
I'm not sure that would work. If the home locker was not very heavy or very securely attached to something immovable package thieves would just steal the lockers.
Labelling the garage delivery as only to Amazon's benefit is a bit disingenuous. Package theft is a pretty bad issue in many places so having deliveries dropped behind a locked door is also a benefit to the user.
As for your security concern it's not unfounded but if your garage is built like most in the US there's probably already a locking exterior grade door between it and the outside because a garage door isn't that great as a security barrier to begin with unless you remove the pull cord that unlocks the door from the carrier.
I also find a bit of irony given how much fraud there is on Amazon's own website. There's got to be far cheaper solutions that result in far higher revenues. Of course Chamberlain doesn't have access to this revenue stream, but I'm sure there are other things that they can do like charging for an API key or better yet, charging Amazon for an enterprise token (which users can disable!). Since it seems they're willing to take on the security risks... because the current solution clearly doesn't actually resolve the issue. I can't imagine anyone that understands how to use HA wouldn't understand how to use ratgdo so I'm not sure they're realistically changing revenue outcomes.
About Amazon, how fucking hard is it to use a fucking Naive Bayes classifier to just check if product title or description changes significantly? Hell, do it with Babbage or some other (not L)LM that's cheap as fuck. We already have clear leaks showing that they fuck over sellers with their price lockins, are you really hurting them more by dropping all those product reviews? You can also do way better by using an image classifier. I have a hard time believing a company that's bragging about how many robots it uses in its warehouses and replaces shitty support with even shittier LLMs is not going to actually result in higher profits by doing this. A few returns probably covers the cost because shipping is expensive (something they already don't get right. Haven't had 2 day prime delivered in 2 days since 2018...)
Also, anyone else find it weird that stores on Amazon don't list all their products? Like you can click on the store page from the product and then that product is nowhere to be found. Want to reduce scams? Force the listing of their entire product directory. I already can't rely on reviews, you just are making it harder to trust you.
I really do wish there was a halfway decent alternative to Amazon. Even Target and Walmart's online stores are more attractive, just limited. But this seems to be a generally sucky space and I don't understand why. Don't even get me started on NewEgg...
> Money is one hell of a drug because they are high.
They're so high they're even turning down higher profits. But I guess the issue is caring FAR more about short term profits (quarterly statements) than long term (hell, even a fucking year). I really don't get this metric hacking bullshit bureaucracy we've built (and its not just isolated to the US or the West).
Lockitron! I remember chatting with your engineer about the WiFi radio we used in Twine. Good insight.
Ah, chokepoint capitalism. The problem with every company becoming a tech company is that they all expect unsustainable tech company growth. The strip mining of customers is also scaling up, so efficient that industries will destroy themselves. Can't wait until private equity owns the radios in my home, and controls not just the output but inputs.
Twine! You guys single handedly snowballed the Kickstarter revolution! Huge inspiration for us and Pebble in 2012 directly.
Your campaign felt like a “butterfly flapping its wings causing a hurricane” kind of moment. You inspired so many entrepreneurs of that time to take a risk and crowd fund which then inspired another generation. Some of whom ended up huge and going public like Peloton.
Regarding choke points - I don’t think they’re all bad. Sometimes certainly, but others it’s a defensible moat that forces an industry to specialize into various key players that serve integral roles. I’m thinking specifically of semiconductors with companies like Western Digital locking up storage, Qualcomm with radios, ARM with compute, Samsung/Hynix with memory, etc This creates a stable enough ecosystem to build various software abstractions on top.
So you're saying that retailers will pay Chamberlain to act as more or less a clearinghouse for package deliveries in my garage, and that in order to successfully operate this model Chamberlain needs to funnel all users through their proprietary channels in order to fully vet the delivery transaction? Or at least to prevent HA users from nibbling at Chamberlain's lunch with DIY equivalents? Do you think that they will pull back from this move given the pushback?
For retailers I want someone to verify that they are legitimate. I don't want random people in my garage. If someone enters my garage when I'm not home they better really be agents for WalMart/Amazon/target/UPS (as opposed to WolMort/Amozan/targit/USP...) , and whatever company does that does background checks on drivers. Probably they also need to have other cameras in their vehicles so that drivers trying to steal whatever valuables I have are not stolen. (as already pointed out, most people have an unlocked door from the garage to the house)
I don't think they care about HA at all, but they do care about Amazon not going through them to get access, and from the API server's perspective, both look identical.
Personally, I hope that Amazon doesn't play ball. You can TRY and seek rent from the world's largest retailer, but you need them, they don't need you.
My main takeaway is that Amazon should offer a discount to deliver packages to buildings with staff to accept the packages. They never go missing, so less refunds, and the building staff does not charge Amazon to receive packages.
The business dynamics are pretty interesting, though. It could be that paying this company reduces missing packages so much that it actually saves Amazon money, which they pass on to consumers in terms of lower prices. Or, it could be that they charge $1 per access, and Amazon passes that on to the customer, and then people are disincentivized from using Amazon. Meanwhile, a competitor (say, Walmart?) brokers a deal where they hide that fee, and take enough customers away from Amazon that Amazon has to play ball (and now the price is $2 per access). Costs go up for everyone.
The phenomenon of partnerships like my hypothetical above are very interesting to me. Every so often I check what I can use my credit card rewards points for, and most of the offers, to me, seem like "failing retailer desperately needs a customer" rather than anything I actually want. Thus, the partnerships must be a pretty important tool for companies that are not in first place.
Finally, I think about the long term effects of this sort of thing. Everyone wants a % of every transaction. "Oh, you turned your lights on when someone came to deliver a package? Pay the manufacturer of the light bulb $1 and your electric company an extra $1." This will look like "economic growth" to each of those intermediaries, but in the end, they just devalued the dollar. ("Inflation.") We end up with bigger numbers, but actually decrease the amount of "value" floating around.
I am suspicious of the idea that fraud could somehow be reduced by allowing gig workers access to the interior of my home. Somehow this seems an awful lot like a multibillion dollar company offloading work on me.
> Somehow this seems an awful lot like a multibillion dollar company offloading work on me.
That's most of the tech industry in a nutshell. From the office suite through all the "self-service" web/mobile interfaces, self-service checkouts in stores, to stuff like this - it's all making you do the work that was previously done by full-time professionals. It's a net loss of efficiency, and it only looks otherwise because salaries of full-time professionals are legible to bean-counters, while the same workload redistributed in tiny bits to masses of people is invisible in balance sheets.
In short: I'm starting to believe that most of the "improvements" that came with software are actually just accounting tricks, and this is why actual performance gains don't seem to track expected gains.
> go to the dealer to buy a replacement key fob for your Tesla for $300 and not eBay for $5.
Off topic, but FWIW: Teslas don't in general use fobs (maybe you get one with an S or X?). You can buy one for $175 if you want, but in general the primary unlock mechanism is the app on your phone, with the effective root of trust held in an RFID wallet card (of which you can buy extras for $20 each).
That's a terrible idea, and it requires you to have both a smart phone and to have it charged and working to get into your own car. An phone crash can leave you stranded.
Why should the garage door manufacturer take a cut if a third-party wants to use/access my garage door (which sells for real money and isn't advertised as a rental).
If a homeowner wants to let Amazon, Walmart, etc to open their garage door, it should be up to him to provide them with an access token/secret/etc to enter, just like you can put a door keycode in the order notes. The interaction should be purely between him and the retailer and there is absolutely no need for some rent-seeking scum to be involved.
The disgusting business model you seem to be justifying is akin to house builders/contractors being perpetually owed a cut every time you invite over a guest into your house or they switch on the lights.
2. Through research they find user wants to interact with their smart device while outside of range of wifi/bluetooth.
3. Company builds device firmware and cloud infrastructure to support this goal.
4. Company wants to simplify business logic and doesn't provide local (wifi/bluetooth/zigbee) support. Online only can service both on-premise and off-premise.
5. Company needs to reduce costs and justify ongoing operational costs of supporting this cloud + device service.
I don't actually find this model so disgusting as long as it's implemented in a non-restrictive way.
If a garage door manufacturer offers me a (free, local) API to fully control my door and allows me to check a box to let Amazon in, what, exactly, is the problem? Sure, I could also allow Amazon in without checking the box (assuming Amazon offers the appropriate integration and I'm willing to deal with maintaining my side of it), but it also seems okay for Amazon to pay the garage door opener company for the first-party version. Everybody wins.
Forcing the actual device owner to use a crappy cloud service is an entirely different story, but it's not required for the Amazon business model. Similarly, many video recording devices support ONVIF and have an optional paid first-party video storage. (And I imagine that quite a few commercial users demand the former -- no one who operates a concierge/security desk or a serious office building or a warehouse or an industrial site has the slightest interest in using four different first-party cloud offerings from four different vendors of their various gizmos that contain cameras. They are going to run one NVR, possibly with off-site backup, with one integrated system for viewing and analyzing the feeds. And they will pay handsomely for that, and they're paying that money to one of several established companies in the space, all of whom require at least token ONVIF or RTSP compliance, and they aren't about to kick any of that money over to the camera makers, because there is no shortage of competing camera makers.)
I just connected my garage door opener to Home Assistant by taking apart a paired remote and wiring the button to a Zigbee relay. They can't stop me, no part of this is connected to their cloud. In any case, smart home stuff should never rely on the cloud.
This is genius. As someone who is familiar-enough with minor electronics to fuck something up, but not confident enough to look at this photo and go for it—what am I trying to learn here? What are the terms I'm trying to google to figure out how to connect <electronic board> to <electronic board> via <wires>?
Maybe? How many people are switching out their garage door specifically for Key? Every new home I've experienced has no choice for which brand of garage door opener they use, the builder has standardized to a specific brand and often only updates the model whenever forced to.
Thanks for Lockitron, I still use it! Probably one of the few. At least Chamberlain has kept it running, which honestly I'm surprised at. I have been looking at other ones, and with this news I think it's time to do that.
A stressed out underpaid and overworked delivery driver is the last person I want in my garage. Verified deliveries are left at the wrong house, or the driver simply takes it with them after posting the porch picture. And I've seen boxes arrive that were forced open and the contents pulled out. But sure, it's the customers who are untrustworthy not the delivery people.
> A stressed out underpaid and overworked delivery driver is the last person I want in my garage.
Same, but this is irrelevant to the point GP was making. Some minority of people do want Amazon Key (and similar services), and those people are now unable to claim their package wasn't delivered once they sign up for the service.
Add those people up and you have something worth millions, even if there aren't many of them.
True. Delivery drivers consistently deliver to my neighbor instead of myself. The last three digits of our addresses are 885 and 855, and they consistently confuse the two. They’re tired, overworked, underpaid, and I honestly don’t blame them. But I wouldn’t trust anyone in my garage/home when I’m not home. Not sure why these companies think that will actually work.
I know it's a distraction and orthogonal to your point, but your statement of a "key fob for your Tesla for $300" is fallacious and incorrect. Tesla uses Phone Key with with the Tesla app as your primary method of unlocking the car, with a $20 NFC card as fallback, and the limit of paired phones is above any practical real-world use. If you want a keyfob as a status symbol, it's $175. (Mine is a desk ornament, it doesn't get used.)
Swap in a more traditional automaker, and your point remains correct.
Since you noted it, it’s actually very much part of my point. Tesla engages in price segmentation for replacement key fobs because they have key control. Perhaps even more aggressively than most other automakers short of VW Group. When done well it’s invisible to the user. I suspect by your (polite) comment that you may not be aware that’s going on here.
Premium users pay $300 to replace the fob on their Model S / Model X. Mid users pay $175 to replace the fob on the Model 3 / Model Y. And an entry level option exists for the cards. Plus programming fee. Handling fee. Local taxes. Processing fee. Etc :-)
Without control of their PKI anyone could self program a replacement for a few dollars as is the case with the garage door market.
As an aside, I find the fob useful for booting the car up prior to getting in, rather than waiting 40 seconds before the fly-by-wire shifter starts responding to commands to put it in gear.
> If you want a keyfob as a status symbol, it's $175. (Mine is a desk ornament, it doesn't get used.)
The keyfob is super-useful. It fits perfectly into that small jeans pocket (that was originally meant for watches), so you can trigger the trunk/frunk opening without taking the fob (or phone) out.
Yes, I mean surely Chamberlain could maintain a correct and official API endpoint for HomeAssistant users for the kopecks it would cost. It’s all a big money grab.
I was burned by this change. I don’t know if anyone at Chamberlain is reading this, but you guys have neighbors, users just wanna keep their home safe. You’re one TikTok away from a crisis when you do stuff that is anti-consumer.
Based on my local big box store and garage installer availability, Chamberlain has a de facto monopoly. They also pulled the rug out from under customers: that behavior had been in Home Assistant since 2017, and it's their own recent changes that caused the alleged "DDoS". They say it's to promote official products, but the company previously had a local hub that didn't require their cloud service and discontinued it.
The API breakage coincides pretty well with their brand new CTO, whose objective is apparently "transformation to a smart access software company".
It's unclear if the CTO just doesn't understand that "DDoS" generally implies malice, or if they're intentionally using that language to blame users for using their product.
Good news: ratgdo, an ESP-based local solution works great. I hope the author is making a decent profit on the kits.
> It's unclear if the CTO just doesn't understand that "DDoS" generally implies malice, or if they're intentionally using that language to blame users for using their product.
I've definitely seen "DDoS" used when there was no malice, such as when a developer accidentally releases a client that generates way more traffic than it was supposed to. Probably because we don't seem to have a good term for "event that at the server looks exactly like a malicious DDoS attack but was actually due to a mistake or to the server becoming unexpectedly popular" :-).
My favorite example of whatever we are supposed to call this was John Carmack in 1997. From his 1997-12-09 .plan:
> Cyrix has a new processor that is significantly faster at single precision floating point calculations if you don't do any double precision calculations anywhere.
> Quake had always kept its timebase as a double precision seconds value, but I agreed to change it over to an integer millisecond timer to allow the global setting of single precision mode.
> We went through and changed all the uses of it that we found, but the routine that sends heartbeats to the master servers was missed.
> So, instead of sending a packet every 300 seconds, it is sending one every 300 MILLISECONDS.
> Oops.
> To a server, it won't really make a difference. A tiny extra packet three times a second is a fraction of the bandwidth of a player.
> However, if there are thousands of network games in progress, that is a LOT of packets flooding idsoftware.com.
> So, please download the new executable if you are going to run any servers (even servers started through the menus).
That's fair. Maybe my security background is shining through here. I guess we used to have "slashdotting" but that doesn't generalize well :)
I did do some napkin math to quantify how much that bad traffic may have been: HA estimates between 6857-25576 intallations of the MyQ integration. Let's say 16k clients. HA makes it really easy to detect and "add" the integration (which counts as an installation even if it's not configured), so, that's definitely not all clients hitting the API. Let's say it's 50%, so 8k actually using it. Most users just notice myQ is broken. Let's say some fraction retry, which would look the same as an extra user from a volume perspective. Call it an even 10k users (including repeat users).
The most recent change is after they broke everything past the OAuth dance. Let's say the OAuth request is 1kB. The retry code retries up to 5 times with exponential backoff. Let's say 5 requests over 10 min.
(5 requests / 10 minutes) * 1 request/user * 10k users = 5k requests/minute, or 83 per second, amounting to 83kB/s inbound.
There's no reason to assume those requests would synchronize, but I'm sure there's something (let's say every single myQ user updated at the same time).
If what they're saying is true, sounds like actually malicious botnet wielders can ransom the living daylights out of them. Given 1Tbs DDoS attacks they'd only need a tiny fraction of the full bore ion cannon! ;-)
> I've definitely seen "DDoS" used when there was no malice, such as when a developer accidentally releases a client that generates way more traffic than it was supposed to. Probably because we don't seem to have a good term for "event that at the server looks exactly like a malicious DDoS attack but was actually due to a mistake or to the server becoming unexpectedly popular" :-).
This is a problem with the service, not with the developer.
If the service (doesn't want) / (can't handle) something, then it should rate limit it's response.
If the service can't handle "0.2%" of it's clients making a 'not unreasonable' amount of requests, how will the service hold up against a hostile actor who aims to DDOS their service.
> I've definitely seen "DDoS" used when there was no malice,
Absolutely. Used to work on the Identity team somewhere. Dev accidentally removed code that was supposed to cache a token on a very chatty service. Brought auth to its knees and called it DDoS.
>The API breakage coincides pretty well with their brand new CTO
You can go and engage him directly on the topic, maybe he'll present a perspective we haven't seen, or maybe he'll listen to your arguments and reconsider:
Odds are that whatever nice Chamberlain opener you want will have myQ built in because that's their business strategy. You can try getting a different brand if you're voting with your wallet -- but if all you care about is security: the Cloud connectivity is optional and you can just not connect it to WiFi.
The ratgdo is more trustworthy, and it just connects (really easily, too, especially with the new v2.5 board) to the opener via the same contacts that the dry contact button does.
I use the Athom one also, and putting a reed switch in the fully closed state, as well as in the fully open state allows me to reasonably determine where the door is. Might not be enough for your case, but for me it was enough to know that the door is “kinda open”, or “fully open”, or closed.
Getting status information from the door is the entire value prop from something like the ratgdo. It's the only reason I ordered one. Otherwise, momentary switches with HA integration are readily and cheaply available.
I'm happy to not have one of their devices but if they did this after I had installed it based on the fact that it works with HA then I'd definitely sue them for breach of contract or whatever else I can think of or to get a full refund.
What a shit move to pull on your existing customers.
I felt silly at first complaining to my wife I couldn’t get myQ working again, thinking I did something wrong after adding an automation. We tried to open the door (remote via hass) for my son when he got home but it didn’t work. Obviously it was something I did?(nope)
Then I watched the discussion on discord and realized I’m not alone albeit still a small percentage.
Then I see this as top post on hn.
It’s frustrating to have a company do this. I don’t agree with their choice. Plus forcing you to see ads whenever you open or close the door is Orwellian.
Now I need to somehow sell this device on eBay with hopes a large percentage still wants it.
I use Home Assistant and have this openner. My installer recommeneded it because he’s had happy customers like me who use home automation. I can tell you that I a) will never recommend or buy the brand again, and b) have already complained to my installer about his recommendation of this line (and he is moving to another brand).
I wish ratgdo a ton of success and have several on order.
On top of the lack of integration support, the MyQ app used to open garage doors is full of advertisements. It's ridiculous. I regret buying their products.
Actually, some other commentator statet, that when he's about to open/close his garage door, he opens the official app and where there's been a "open/close" button is now a video ad and to reach the button, you have to scroll the screen until you reach it.
I would try to sue that manufacturer. I hope it we'll be pulled to a court.
> have already complained to my installer about his recommendation of this line (and he is moving to another brand).
What brand is he moving to? Does it work with Home Assistant?
I can't recall the last time I saw a garage door that wasn't Chamberlain or one of the brands they own. At least in my area they seem to have a near-monopoly.
I don't blame your installer for recommending it. I've had a myQ opener since 2015 and it's been rock solid... it has been the most reliable home automation product I have ever owned, until now.
I don’t, and would happily use that installer again. =) But unless you give feedback on how the choices are working out how can you expect them to know and have a better choice next time? (Genie, is what I heard for the future… I’ll have to check further when/if it becomes relevant)
I also just left my installer a voicemail explaining that they are going out of their way to break compatibility with the software I use, and I recommend that they look for another brand, at least for folks who are interested in wifi connectivity.
Home Assistant should really maintain a list of actively hostile (and actively cooperative) manufacturers to make it easier to decide what to purchase.
That helps, but a remote integration doesn't _have_ to be hostile. I get that it's different from IoT, and most of my stuff is local Zigbee after learning the hard way, but my Home Assistant also talks to the Norwegian meteorological institute and Tailscale :)
One reason this is tricky to do is because up until let's say the last 6 months or so, myQ _wasn't_ hostile, even if it was Cloud-based. (I get that that aligns with your point! I'm not arguing with you there.)
Oh, that. I'm actually wondering if they are making this hard on purpose.
The obvious way to implement this would be to have a front-and-center filter for cloud/local, so that one could use it to check which brands to consider before buying new connected hardware. It's a use case people have been asking for years. It's the only reason one would want to access a searchable list through their own page (as opposed to googling "${brand name} home assistant").
> We understand that this impacts a small percentage of users, ...
Wow, what a contemptuous statement.
I have news for you, Chamberlain Group. You are not only alienating, being hostile and losing a "Small percentage of users" (most companies would prefer to call them "valued customers", but I get it). You are causing an enormous permanent damage to your own brand.
This is the own goal that Intel did with their Pentium FDIV bug. They were absolutely correct that it only impacted a small percentage of users. They still ended up losing their shirts over the problem.
As much as I want this to be true I kinda doubt it. People who install and configure home assistant are far and away niche users. Almost everyone with one of their products will just use a physical clicker or pair it with their car directly.
That doesn't need to happen for the Charlatan Group to struggle. Most current hardware companies are dependent on the customer to renew their hardware every 5 years.
Something that I don’t see people talking about here is that MyQ is the core/required integration component for Amazon Key in-garage delivery, a service used by millions of people to have their packages delivered to their garages instead of having them stolen off their porch. That’s why it needs Internet access. All the talk about how Chamberlain will go bankrupt because a comparatively small number of tech people stop using the product is fluff. I ran into the MyQ API problem with Homebridge a couple weeks ago, and I bought a unit from Meross that integrates directly with Apple HomeKit. I still have the MyQ installed because I _need_ it for Amazon deliveries. Yes, all the fury about ads and user hostility and probable polling requiring extra resources with no recompense is correct and justified. But at the end of the day, Chamberlain doesn’t care if they piss us off. They get all their money from the same people who think their phone screen is _supposed_ to be covered in ads on every page they visit, and they likely get TONS of money from Amazon.
Somewhat off topic but it is quite stunning to me that American carriers just leave the package at the door. I lived in different European countries and in all of them the expectation is that the mailman (official mail, or any of the services like dhl, ups, etc) will ring the bell. If you don't answer they will ring the neighbour and then take it back and either try again another day or you can go to a pickup point. Instead the U.S. has an entire category of devices to avoid package theft when the solution lies in holding carriers to account. I don't want to open the garage for Amazon or Bol or any other delivery company...
What you describe is how it worked in the US maybe 10 years ago too. But Amazon's free delivery race to the bottom made the cost of reattempts to deliver eliminate any margin. It's cheaper for Amazon to replace stolen shipments for a few people than to make multiple attempts to do re-delivery for many people. And creating a problem in order to charge people to solve the problem you created is a basic monopolist playbook move.
UPS used to do that. I hated it. If I'm not at home I have to wait another day to get my package, or drive across town to get it from the depot.
Just put it on the porch. Not everyone lives in an area with a package theft problem, let those folks work out their own solution but don't punish the rest of us.
Meanwhile, it is quite stunning to me that European carriers would intentionally mis-deliver (i.e. leave with a neighbor) packages rather than just leaving them on the porch! Over many years and many neighbors, I've had plenty who I would be happy to let receive my packages and plenty I would very much not. Likewise, I would be quite peeved as a permanent WFH-er to be the neighborhood final delivery guy.
There are plenty of places in the US where packages left on the porch aren't secure, but there are also plenty of places where it's completely fine and saves everyone time. I've never once had a package stolen off my porch anywhere from an apartment in the Bay Area to a house on 10 acres in rural Oregon. I really think that the places where package theft is rampant are the exception, not the rule.
When I lived in NYC and like most didn’t own a car this was the way it worked (sans the neighbor, delivering a package to the wrong recipient is a big no no, and makes some huge assumptions about the neighbor, relationship to the neighbor, and sensitivity of the delivery). If you weren’t home you got a hang tag. They attempted redelivery a few times, held it for a while for pickup, then sent it back.
I worked, like most folks, and people are not generally home. The pickup location took two hours to get to via public transit. That’s a four hour round trip. There was one and only one pickup location in the entire NYC region for fedex.
It made life impossible. Amazon came along and decided to take responsibility for losses directly and instructed carriers to leave packages and not reattempt delivery or hold them. Customers vastly preferred this, carriers too as they saved tons of money. Amazon got a reputation for being much more convenient to order from. Their losses as a percentage were low compared to essentially owning mail order due to the convenience. When I had packages stolen they immediately shipped a replacement no questions asked.
Amazon Key is an attempt to mitigate theft but also a lot of folks just feel uncomfortable with packages on their front step. The idea of leaving you garage slightly open for deliveries isn’t a new one, but the Key product improves on that by only opening for the delivery person and recording their interactions to ensure they don’t do something they shouldn’t.
I used it briefly but I didn’t like it because I have a workshop in my garage and I just didn’t want people seeing what I’m working on. I wasn’t worried they would rob me per se, just didn’t like showing my work in progress to random strangers. If it opened the garage slightly to allow the package delivery I would have kept it but it opened 100%.
This is how it used to work in the U.S., too, until the major carriers recently realized they can make that into a paid feature for the customer. Now you can't even request something to be held at the store or distribution center for pickup without a fee or subscription.
Yikes, I would never in a million years use a shipping service that delivered my packages to my neighbor, nor one that required me to go to a pickup point. WTF is the point of that? If I wanted to go somewhere to pick up my stuff, I'd just buy it from a store instead of ordering it online!
I only have MyQ for Amazon Key. Fortunately Amazon also supports the Aladdin Connect - which works with all garage doors. And is fully supported in Home Assistant.
I have one on order and will be swapping out, bye bye Chamberlain.
> Something that I don’t see people talking about here is that MyQ is the core/required integration component for Amazon Key in-garage delivery, a service used by millions of people to have their packages delivered to their garages instead of having them stolen off their porch.
Would be nice if this functionality could work with arbitrary openers via webhooks. You could even have a fancy auth flow that you trigger from your smart home dashboard so users don't have to know or care how it's implemented under the hood.
I just called up the folks that installed my garage door, and recommended that they look for a different brand because of how hostile Chamberlain is being towards their customers. I'm not the only one doing that.
Sure, we're just a couple drops in the ocean, but eventually those drops can start to add up.
Devices that rely on cloud infrastructure should be required to carry an expiration date right on the box. "This item guaranteed to receive support until XX/XX/XX"
There are lots of devices these days that rely on cloud infrastructure, like Apple devices, Teslas. Its becoming more devices.
The same for software. Even Microsoft is going fully Cloud. Just had problems to activate my MS Office for Mac Business 2019, which I bought in physical. They now require on @outlook.com email address to be able to activate. Otherwise I can't use my "box" software.
Readit News
Contrary to the popular sentiment in a lot of the comments here, there’s not much value in the analytics. As we all painfully found out in the 2010’s, there are only two viable recurring revenue streams in the IoT space - charging for video storage and charging for commercial access. Chamberlain does both with the MyQ cameras and with the garage access program to partners like Amazon and Walmart. Both retailers have a fraud problem (discussed here https://news.ycombinator.com/item?id=38176891). “In garage delivery” promises dropping delivery fraud to zero - ie users falsely claiming package theft. That solution is worth millions to retailers, naturally Chamberlain would like a cut but only if they can successfully defend that chokepoint.
For historical reasons having to do with the security of three or four generations of wireless protocols used in garage doors they can’t (and products like ratgdo and OpenSesame exploit this.) Other industries such as automotive have a more secure chain of control over their encryption keys so one has to (for instance) go to the dealer to buy a replacement key fob for your Tesla for $300 and not eBay for $5.
Given the turnover in leadership there I’m not surprised the new guy needs to put their hand on the plate to see it’s hot, but there’s a reason this wasn’t implemented before and it wasn’t because of lack of discussion. I can see the temptation in going for monetization given their market share but I think this approach was ill conceived rather than fix foundational issues which would allow home users to integrate with 3rd party services and still charge industry partners for reducing incidences of fraud.
AND
Chamberlain expects me to weaken my digital security posture so they can run some opaque crap on my network¹ that I have very little observability into and even less control over so they can make money?
Money is one hell of a drug because they are high.
How about amazon builds (at their expense) an amazon controlled box, slap a mcu on, do authentication over nfc, rfid, etc etc. Offer it to customers free of charge, hell throw in a sweetener to get them to adopt.
[1] I have a default deny in AND out isolated vlan for crap like this, even if you don't have a network background try to set one up if your networking equipment is capable.
E.g for us in South Africa, this would be unthinkable, regardless of how much time it saves the delivery company. The only time a parcel is left at the door is when it's UberEats. Otherwise delivery is rescheduled if we don't physically collect parcels in person. This is partly an access issue (many houses/apartments/estates have gated access) and largely a trust/crime issue.
I mean, they already do exactly this — this is what Amazon Lockers are. It's just only seemingly worth it to Amazon to deploy them to commercial customers, e.g. at post offices, in front of Whole Foods locations, in some very large apartment building complexes, etc.
(My own guess as to why the economics don't work out for individual residences, is that a hypothetical smaller locker — one small enough to fit on a porch — would also inherently be lightweight enough for thieves to just cart away wholesale.)
Let’s just take a step back here and recognise that we’re asking online retailers to leave our deliveries outside our homes, with direct access to members of the public, but we’re also asking for them to assume responsibility if the packages are stolen.
Morally, in isolation, it’s not a very defensible position for the consumer to take. I personally don’t feel so bad about it when it’s Amazon — they can afford it, basically — but in general it’s not realistic for porch pirates to be anyone else’s problem except the consumer’s.
Most people get quite irked when someone steals their Amazon package between the time it was left at their door and the time they actually try to get the package. Hence for most people who occasionally receive Amazon packages when no one is home to quickly take it inside a way to let Amazon put the package in their locked garage is a benefit.
> How about amazon builds (at their expense) an amazon controlled box, slap a mcu on, do authentication over nfc, rfid, etc etc. Offer it to customers free of charge, hell throw in a sweetener to get them to adopt.
Like Amazon Lockers? That's not as convenient as delivery to your home. Or do you mean they should provide lockers to individual homes?
I'm not sure that would work. If the home locker was not very heavy or very securely attached to something immovable package thieves would just steal the lockers.
As for your security concern it's not unfounded but if your garage is built like most in the US there's probably already a locking exterior grade door between it and the outside because a garage door isn't that great as a security barrier to begin with unless you remove the pull cord that unlocks the door from the carrier.
About Amazon, how fucking hard is it to use a fucking Naive Bayes classifier to just check if product title or description changes significantly? Hell, do it with Babbage or some other (not L)LM that's cheap as fuck. We already have clear leaks showing that they fuck over sellers with their price lockins, are you really hurting them more by dropping all those product reviews? You can also do way better by using an image classifier. I have a hard time believing a company that's bragging about how many robots it uses in its warehouses and replaces shitty support with even shittier LLMs is not going to actually result in higher profits by doing this. A few returns probably covers the cost because shipping is expensive (something they already don't get right. Haven't had 2 day prime delivered in 2 days since 2018...)
Also, anyone else find it weird that stores on Amazon don't list all their products? Like you can click on the store page from the product and then that product is nowhere to be found. Want to reduce scams? Force the listing of their entire product directory. I already can't rely on reviews, you just are making it harder to trust you.
I really do wish there was a halfway decent alternative to Amazon. Even Target and Walmart's online stores are more attractive, just limited. But this seems to be a generally sucky space and I don't understand why. Don't even get me started on NewEgg...
> Money is one hell of a drug because they are high.
They're so high they're even turning down higher profits. But I guess the issue is caring FAR more about short term profits (quarterly statements) than long term (hell, even a fucking year). I really don't get this metric hacking bullshit bureaucracy we've built (and its not just isolated to the US or the West).
Ah, chokepoint capitalism. The problem with every company becoming a tech company is that they all expect unsustainable tech company growth. The strip mining of customers is also scaling up, so efficient that industries will destroy themselves. Can't wait until private equity owns the radios in my home, and controls not just the output but inputs.
Your campaign felt like a “butterfly flapping its wings causing a hurricane” kind of moment. You inspired so many entrepreneurs of that time to take a risk and crowd fund which then inspired another generation. Some of whom ended up huge and going public like Peloton.
Regarding choke points - I don’t think they’re all bad. Sometimes certainly, but others it’s a defensible moat that forces an industry to specialize into various key players that serve integral roles. I’m thinking specifically of semiconductors with companies like Western Digital locking up storage, Qualcomm with radios, ARM with compute, Samsung/Hynix with memory, etc This creates a stable enough ecosystem to build various software abstractions on top.
Personally, I hope that Amazon doesn't play ball. You can TRY and seek rent from the world's largest retailer, but you need them, they don't need you.
My main takeaway is that Amazon should offer a discount to deliver packages to buildings with staff to accept the packages. They never go missing, so less refunds, and the building staff does not charge Amazon to receive packages.
The business dynamics are pretty interesting, though. It could be that paying this company reduces missing packages so much that it actually saves Amazon money, which they pass on to consumers in terms of lower prices. Or, it could be that they charge $1 per access, and Amazon passes that on to the customer, and then people are disincentivized from using Amazon. Meanwhile, a competitor (say, Walmart?) brokers a deal where they hide that fee, and take enough customers away from Amazon that Amazon has to play ball (and now the price is $2 per access). Costs go up for everyone.
The phenomenon of partnerships like my hypothetical above are very interesting to me. Every so often I check what I can use my credit card rewards points for, and most of the offers, to me, seem like "failing retailer desperately needs a customer" rather than anything I actually want. Thus, the partnerships must be a pretty important tool for companies that are not in first place.
Finally, I think about the long term effects of this sort of thing. Everyone wants a % of every transaction. "Oh, you turned your lights on when someone came to deliver a package? Pay the manufacturer of the light bulb $1 and your electric company an extra $1." This will look like "economic growth" to each of those intermediaries, but in the end, they just devalued the dollar. ("Inflation.") We end up with bigger numbers, but actually decrease the amount of "value" floating around.
That's most of the tech industry in a nutshell. From the office suite through all the "self-service" web/mobile interfaces, self-service checkouts in stores, to stuff like this - it's all making you do the work that was previously done by full-time professionals. It's a net loss of efficiency, and it only looks otherwise because salaries of full-time professionals are legible to bean-counters, while the same workload redistributed in tiny bits to masses of people is invisible in balance sheets.
In short: I'm starting to believe that most of the "improvements" that came with software are actually just accounting tricks, and this is why actual performance gains don't seem to track expected gains.
Off topic, but FWIW: Teslas don't in general use fobs (maybe you get one with an S or X?). You can buy one for $175 if you want, but in general the primary unlock mechanism is the app on your phone, with the effective root of trust held in an RFID wallet card (of which you can buy extras for $20 each).
Deleted Comment
If a homeowner wants to let Amazon, Walmart, etc to open their garage door, it should be up to him to provide them with an access token/secret/etc to enter, just like you can put a door keycode in the order notes. The interaction should be purely between him and the retailer and there is absolutely no need for some rent-seeking scum to be involved.
The disgusting business model you seem to be justifying is akin to house builders/contractors being perpetually owed a cut every time you invite over a guest into your house or they switch on the lights.
2. Through research they find user wants to interact with their smart device while outside of range of wifi/bluetooth.
3. Company builds device firmware and cloud infrastructure to support this goal.
4. Company wants to simplify business logic and doesn't provide local (wifi/bluetooth/zigbee) support. Online only can service both on-premise and off-premise.
5. Company needs to reduce costs and justify ongoing operational costs of supporting this cloud + device service.
6. We arrive at the current solution.
If a garage door manufacturer offers me a (free, local) API to fully control my door and allows me to check a box to let Amazon in, what, exactly, is the problem? Sure, I could also allow Amazon in without checking the box (assuming Amazon offers the appropriate integration and I'm willing to deal with maintaining my side of it), but it also seems okay for Amazon to pay the garage door opener company for the first-party version. Everybody wins.
Forcing the actual device owner to use a crappy cloud service is an entirely different story, but it's not required for the Amazon business model. Similarly, many video recording devices support ONVIF and have an optional paid first-party video storage. (And I imagine that quite a few commercial users demand the former -- no one who operates a concierge/security desk or a serious office building or a warehouse or an industrial site has the slightest interest in using four different first-party cloud offerings from four different vendors of their various gizmos that contain cameras. They are going to run one NVR, possibly with off-site backup, with one integrated system for viewing and analyzing the feeds. And they will pay handsomely for that, and they're paying that money to one of several established companies in the space, all of whom require at least token ONVIF or RTSP compliance, and they aren't about to kick any of that money over to the camera makers, because there is no shortage of competing camera makers.)
https://i.imgur.com/lNOXdhe.jpg
If you have a Chamberlain garage door opener and looking to connect it to HA you can do this too.
This is just more enshittification in order to exploit revenue channels other than direct sales.
Same, but this is irrelevant to the point GP was making. Some minority of people do want Amazon Key (and similar services), and those people are now unable to claim their package wasn't delivered once they sign up for the service.
Add those people up and you have something worth millions, even if there aren't many of them.
It doesn't work like this. Delivery workers use an app that opens the door, so if they are at a wrong location, it will be immediately apparent.
Swap in a more traditional automaker, and your point remains correct.
Premium users pay $300 to replace the fob on their Model S / Model X. Mid users pay $175 to replace the fob on the Model 3 / Model Y. And an entry level option exists for the cards. Plus programming fee. Handling fee. Local taxes. Processing fee. Etc :-)
Without control of their PKI anyone could self program a replacement for a few dollars as is the case with the garage door market.
As an aside, I find the fob useful for booting the car up prior to getting in, rather than waiting 40 seconds before the fly-by-wire shifter starts responding to commands to put it in gear.
The keyfob is super-useful. It fits perfectly into that small jeans pocket (that was originally meant for watches), so you can trigger the trunk/frunk opening without taking the fob (or phone) out.
I was burned by this change. I don’t know if anyone at Chamberlain is reading this, but you guys have neighbors, users just wanna keep their home safe. You’re one TikTok away from a crisis when you do stuff that is anti-consumer.
The API breakage coincides pretty well with their brand new CTO, whose objective is apparently "transformation to a smart access software company".
It's unclear if the CTO just doesn't understand that "DDoS" generally implies malice, or if they're intentionally using that language to blame users for using their product.
Good news: ratgdo, an ESP-based local solution works great. I hope the author is making a decent profit on the kits.
I've definitely seen "DDoS" used when there was no malice, such as when a developer accidentally releases a client that generates way more traffic than it was supposed to. Probably because we don't seem to have a good term for "event that at the server looks exactly like a malicious DDoS attack but was actually due to a mistake or to the server becoming unexpectedly popular" :-).
My favorite example of whatever we are supposed to call this was John Carmack in 1997. From his 1997-12-09 .plan:
> Cyrix has a new processor that is significantly faster at single precision floating point calculations if you don't do any double precision calculations anywhere.
> Quake had always kept its timebase as a double precision seconds value, but I agreed to change it over to an integer millisecond timer to allow the global setting of single precision mode.
> We went through and changed all the uses of it that we found, but the routine that sends heartbeats to the master servers was missed.
> So, instead of sending a packet every 300 seconds, it is sending one every 300 MILLISECONDS.
> Oops.
> To a server, it won't really make a difference. A tiny extra packet three times a second is a fraction of the bandwidth of a player.
> However, if there are thousands of network games in progress, that is a LOT of packets flooding idsoftware.com.
> So, please download the new executable if you are going to run any servers (even servers started through the menus).
I did do some napkin math to quantify how much that bad traffic may have been: HA estimates between 6857-25576 intallations of the MyQ integration. Let's say 16k clients. HA makes it really easy to detect and "add" the integration (which counts as an installation even if it's not configured), so, that's definitely not all clients hitting the API. Let's say it's 50%, so 8k actually using it. Most users just notice myQ is broken. Let's say some fraction retry, which would look the same as an extra user from a volume perspective. Call it an even 10k users (including repeat users).
The most recent change is after they broke everything past the OAuth dance. Let's say the OAuth request is 1kB. The retry code retries up to 5 times with exponential backoff. Let's say 5 requests over 10 min.
(5 requests / 10 minutes) * 1 request/user * 10k users = 5k requests/minute, or 83 per second, amounting to 83kB/s inbound.
There's no reason to assume those requests would synchronize, but I'm sure there's something (let's say every single myQ user updated at the same time).
If what they're saying is true, sounds like actually malicious botnet wielders can ransom the living daylights out of them. Given 1Tbs DDoS attacks they'd only need a tiny fraction of the full bore ion cannon! ;-)
[1]: https://github.com/arraylabs/pymyq/blob/master/pymyq/request...
This is a problem with the service, not with the developer.
If the service (doesn't want) / (can't handle) something, then it should rate limit it's response.
If the service can't handle "0.2%" of it's clients making a 'not unreasonable' amount of requests, how will the service hold up against a hostile actor who aims to DDOS their service.
Absolutely. Used to work on the Identity team somewhere. Dev accidentally removed code that was supposed to cache a token on a very chatty service. Brought auth to its knees and called it DDoS.
You can go and engage him directly on the topic, maybe he'll present a perspective we haven't seen, or maybe he'll listen to your arguments and reconsider:
https://www.linkedin.com/in/dan-phillips-9a33831/
(and no, this is not doxing: his profile is public).
The ratgdo is more trustworthy, and it just connects (really easily, too, especially with the new v2.5 board) to the opener via the same contacts that the dry contact button does.
https://www.athom.tech/blank-1/garage-door-opener-for-esphom...
I used a local Meross install on my old garage doors, time to break them out, but ugh...
Deleted Comment
What a shit move to pull on your existing customers.
Then I watched the discussion on discord and realized I’m not alone albeit still a small percentage.
Then I see this as top post on hn.
It’s frustrating to have a company do this. I don’t agree with their choice. Plus forcing you to see ads whenever you open or close the door is Orwellian.
Now I need to somehow sell this device on eBay with hopes a large percentage still wants it.
I wish ratgdo a ton of success and have several on order.
I would try to sue that manufacturer. I hope it we'll be pulled to a court.
This will most likely be a significant factor in though, though good luck getting them to admit it.
HA users will mostly be bypassing the app and therefore not providing revenue via ad impressions.
What brand is he moving to? Does it work with Home Assistant?
I can't recall the last time I saw a garage door that wasn't Chamberlain or one of the brands they own. At least in my area they seem to have a near-monopoly.
One reason this is tricky to do is because up until let's say the last 6 months or so, myQ _wasn't_ hostile, even if it was Cloud-based. (I get that that aligns with your point! I'm not arguing with you there.)
The obvious way to implement this would be to have a front-and-center filter for cloud/local, so that one could use it to check which brands to consider before buying new connected hardware. It's a use case people have been asking for years. It's the only reason one would want to access a searchable list through their own page (as opposed to googling "${brand name} home assistant").
What's the blocker here?
any takers?
Wow, what a contemptuous statement.
I have news for you, Chamberlain Group. You are not only alienating, being hostile and losing a "Small percentage of users" (most companies would prefer to call them "valued customers", but I get it). You are causing an enormous permanent damage to your own brand.
Deleted Comment
I am in the market for a new opener.. I just need the physical clicker.
I will not be buying one from this brand, as even if I do not need the HA functionality I no longer trust them as a company.
That doesn't need to happen for the Charlatan Group to struggle. Most current hardware companies are dependent on the customer to renew their hardware every 5 years.
Just put it on the porch. Not everyone lives in an area with a package theft problem, let those folks work out their own solution but don't punish the rest of us.
There are plenty of places in the US where packages left on the porch aren't secure, but there are also plenty of places where it's completely fine and saves everyone time. I've never once had a package stolen off my porch anywhere from an apartment in the Bay Area to a house on 10 acres in rural Oregon. I really think that the places where package theft is rampant are the exception, not the rule.
I worked, like most folks, and people are not generally home. The pickup location took two hours to get to via public transit. That’s a four hour round trip. There was one and only one pickup location in the entire NYC region for fedex.
It made life impossible. Amazon came along and decided to take responsibility for losses directly and instructed carriers to leave packages and not reattempt delivery or hold them. Customers vastly preferred this, carriers too as they saved tons of money. Amazon got a reputation for being much more convenient to order from. Their losses as a percentage were low compared to essentially owning mail order due to the convenience. When I had packages stolen they immediately shipped a replacement no questions asked.
Amazon Key is an attempt to mitigate theft but also a lot of folks just feel uncomfortable with packages on their front step. The idea of leaving you garage slightly open for deliveries isn’t a new one, but the Key product improves on that by only opening for the delivery person and recording their interactions to ensure they don’t do something they shouldn’t.
I used it briefly but I didn’t like it because I have a workshop in my garage and I just didn’t want people seeing what I’m working on. I wasn’t worried they would rob me per se, just didn’t like showing my work in progress to random strangers. If it opened the garage slightly to allow the package delivery I would have kept it but it opened 100%.
I only have MyQ for Amazon Key. Fortunately Amazon also supports the Aladdin Connect - which works with all garage doors. And is fully supported in Home Assistant.
I have one on order and will be swapping out, bye bye Chamberlain.
Would be nice if this functionality could work with arbitrary openers via webhooks. You could even have a fancy auth flow that you trigger from your smart home dashboard so users don't have to know or care how it's implemented under the hood.
Sure, we're just a couple drops in the ocean, but eventually those drops can start to add up.
I see several other vendors / openers on the Amazon page for this service besides MyQ.
Genie being one of them, which seems to also support HA just fine
Well, you could always strip it for copper, I guess...
That internet connection for cloud services for smart gear always costs someone.
Smart home devices that can’t be locally hosted or easily made to be locally hosted should be avoided.
There’s no reason a light switch that normally works for 10-20 years will only work for 2-5 due to cloud connectivity.
Luckily for the time being a lot of the providers can be reflashed with Tuyo based firmwares.
The same for software. Even Microsoft is going fully Cloud. Just had problems to activate my MS Office for Mac Business 2019, which I bought in physical. They now require on @outlook.com email address to be able to activate. Otherwise I can't use my "box" software.