That looks like a snapshot from the UniFi Network manager.
Based on my experiences with UniFi gear, which I like and am running right now, I’d take any of their DPI and threat detection stuff with a full meter cube of salt. It doesn’t even report local network flows and traffic statistics correctly.
The screenshot also shows Fitbit, Omegle, and even IMAP4 traffic.
My first guess would be that the Nest thermostat is now occupying an IP address that was formerly assigned to other devices. Now that the Nest thermostat is at that address, the old packets are mistakenly attributed to the Nest thermostat.
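The IP-reuse explanation above can be checked against DHCP lease history rather than guessed at. The following is an added example (not from the thread or from UniFi), with constructed lease and flow records, that attributes each flow to the MAC holding the address at the flow's own timestamp instead of to whoever holds the address now:

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    start: datetime
    end: datetime

@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_ip: str
    app: str
    tx_bytes: int

# Constructed DHCP lease history: a laptop held .50, its lease expired,
# and the thermostat was handed the same address a day later.
LAPTOP, NEST = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
LEASES = [
    Lease("192.168.1.50", LAPTOP, datetime(2019, 2, 1, 8), datetime(2019, 2, 3, 8)),
    Lease("192.168.1.50", NEST, datetime(2019, 2, 3, 9), datetime(2019, 2, 10, 9)),
]
# Constructed flow records, keyed by IP only, as a DPI engine might keep them.
FLOWS = [
    Flow(datetime(2019, 2, 2, 21, 0), "192.168.1.50", "Omegle", 4096),
    Flow(datetime(2019, 2, 2, 21, 5), "192.168.1.50", "IMAP4", 12000),
    Flow(datetime(2019, 2, 4, 10, 0), "192.168.1.50", "Nest", 800),
]
NOW = datetime(2019, 2, 5)  # the moment the dashboard is being looked at

def mac_at(leases, ip, ts):
    """MAC that held `ip` at time `ts`, or None if no lease covers it."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return lease.mac
    return None

def attribute(flows, leases, pin_to=None):
    """Sum tx bytes per (MAC, app). With pin_to=None each flow is joined to the
    lease active at its own timestamp; with pin_to=<datetime> every flow is
    credited to whoever holds the IP at that instant (the naive per-IP view)."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        owner = mac_at(leases, f.src_ip, pin_to or f.ts) or "unknown"
        totals[owner][f.app] += f.tx_bytes
    return {mac: dict(apps) for mac, apps in totals.items()}

def naive_view():   # everything lands on the device that holds .50 today
    return attribute(FLOWS, LEASES, pin_to=NOW)

def lease_view():   # the laptop's old flows stay with the laptop
    return attribute(FLOWS, LEASES)
```

The naive view credits the thermostat with the Omegle and IMAP4 bytes; the lease-joined view separates them by the device that actually held the address.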
That about correlates with the amount I've shipped off to Backblaze from it. I don't even have Let's Encrypt doing anything on it, as it's fairly firewalled off from the rest of the world and thus can't pass the cert installation checks.
The UniFi DPI is worse than useless; it's misleading. Hell, you can't even see the time period those counters are for. It provides nothing actionable.
> It doesn’t even report local network flows and traffic statistics correctly.
For this _specific_ thing, I know why that is: when it comes to pure switching there's an ASIC that the OS can't read the memory of.
How it works is that the OS will compile down a vlan/port configuration and then pass it to the ASIC, after that the ASIC basically works autonomously and can't introspect packets in flight.
I discovered this for myself when I was trying to do some basic packet capture using one of their EdgeRouter-X's (which run Linux). Ended up needing to use a laptop with a bridged network because it was impossible. :(
I feel they should either disable this and actually route and account for all the traffic (using more capable hardware if required), or not use real units implying some number of bits.
The pfSense router in front of it has no trouble handling gigabit line rate while actually tracking it, and was cheaper.
Really? I have a pfSense firewall and it struggles with gigabit over just one route (80% efficacy). I can't imagine it faring better if it had 5 or 8 gigabit streams at once like the ER-X or ER-Lite.
I've always run mine on multi-core x64 SoCs and performance has been as expected. I won't touch their ARM offerings because everything I've seen has been woefully underpowered.
This looks like misleading FUD. I don't think it's fair to draw conclusions based on a random Tweet like this.
I suspect this is a flaw in the DPI system rather than Nest itself. It sounds like UniFi DPI inaccuracy is a known thing [0]. And, Omegle?? And zero bytes downloaded?
I just don't want to repeat what happened on HN a few weeks ago with that tweet about Apple refunds.
EDIT: for context, I'm taking the approach of legal systems, where what matters is not whether someone is guilty, but whether there is sufficient evidence for them to be treated as such. Sure, maybe they do send a few KB to Omegle, but this tweet is nowhere close to enough evidence to make that claim.
Because software engineering is expensive so the guy who wrote the app got paid peanuts and told to implement the login in 2 hours because that's how many "story points" were attached to the story. If you take too long, it will show up on your performance review, so instead, I'll just drag in the random Facebook SDK just to enable login... and your data's gone to Facebook!
I think the point is that lots of non-Facebook apps could implement non-Facebook login and avoid Facebook altogether, but they don't for various non-technical reasons.
Lots of apps implement Facebook login in addition to their own login because users ask "How do I log in with Facebook?" and get upset when you tell them they can't.
I wonder how much flak you'd get for creating a "Facebook login" that is just the signup workflow... if it's not in your DB, just push it as a new record for follow-up "sign-ins".
Understandable for a startup, but once the company has been owned by Google for years they should have migrated to Google's OAuth by now right? Seems inexcusable for Google to leak user data to another company. Buying a Google product you would expect some data to be collected by Google, but definitely not Facebook.
They could have documented an API, which you could call directly. Many services which offer an SDK also offer a raw API which allows you to implement more advanced use cases, or can be used for platforms without SDK support, or if you simply don't want to use the SDK.
> how else do you plan to interface with FB if you don't use their SDK?
FB's API is HTTP-based over the public web. You could interface with it using any HTTP client, even if they didn't document the basic APIs.
In this case, the "Facebook SDK" refers to a library in whatever language you're using to connect to their API, which replaces a generic HTTP client in your code.
I was answering the question of "What is the business of the Facebook SDK doing in a thermostat app?". The thought process is "Want to offer Facebook Login for Nest" -> "Need to use SDK for it" -> SDK talks to Facebook servers.
I have never used the Facebook SDK (and have not used the Nest app in a long time) so I don't know personally.
> how else do you plan to interface with FB if you don't use their SDK?
It's standard web-based OAuth under the hood. You can (on a technological level) use the web flow that's intended for websites in a webview, but Facebook forbids it on a policy level.
Apart from all the other comments here (UniFi's network monitor being garbage, the app using the Facebook SDK for login, etc.), the real reason your thermostat or fridge or cat feeder or vacuum cleaner sends data to an adversarial network is because it can. When you bought the device and skipped over the small print to get it to do what you bought it for, without having to plough through half a bible's worth of legalese, you, most likely unintentionally and unknowingly, gave it permission to do stuff like that. It would have been worded in woolly phrases about 'sharing data with partners' for the purpose of 'improving and personalising service' and possibly to 'present targeted offers from partners', but all that is just newspeak for milking your data for profiling and advertising purposes.
The solution is equally clear and simple: don't allow these things to access the 'net, put them behind a firewall which only allows traffic inside your own 'controller area network'. Use a VPN to tunnel into this CAN to set your temperature, feed the cat, mow the lawn and whatnot. If this sounds elaborate you might want to consider doing away with all this 'smart' functionality and just get a 'dumb' fridge/vacuum/cat/etc.