Why a secure cloud service is an important consideration...

Reef Monkie

Network security in 2017 is more about managing risk than prevention, by moving to a cloud based solution you're taking the risk out of the home user and moving it to a managed data center. If anything I feel Neptune Systems should allow the user an option for multi-factor authentication like most consumer grade cloud services; that's where I feel they are lacking.

I understand where you are coming from and agree in part, especially the part about security being managed risk. A secure network is a network that has no power supplied to it and no devices connected to it, anything else and there are risks attached. Port forwarding has risks attached, but so does adding a device to your network from a company in the aquarium business that won't answer basic questions about the actual safety and security of its own products.

Just stating 'we use the cloud so we are super duper easy and super secure' is meaningless. You ask a good question, where is the two-factor authentication, I asked if they had an independent audit of their code to 'prove' their devices were secure, someone else asked about transport layer security, and for that we get evasion and/or ignored.

As a simple home computer user I see computer security the way I do home security, it is weighing up risks vs costs and ease of use. I live in an apartment, I am not a celebrity, I don't have a large art collection, so I don't need a high-level alarm system or an escape room or anything beyond a decent lock on the door as I am not an above averagely attractive target compared to the rest of my neighbourhood. As long as my security is not worse than average I am safe for all practical purposes.

The same thinking applies to the security of my network, the way I see it my wi-fi is the weakest link in my security but its range is limited so the danger is limited. I chose a provider that gives me a fixed IP address and allows me to run any service I like as long as it does not impact their network or the security of others, I use port-forwarding for some services/devices/or software because it is easy and simple to set up, and the risk is on me instead of me relying on someone else's service, if something goes wrong I can only blame myself instead of being able to blame a corporation who will duck all responsibility anyway.

I am in the second decade of having these 'massive holes' in my security caused by port-forwarding and have never had an issue of any kind, this is not because I am some kind of computer expert but simply because there is nothing of value to gain from hacking my network, especially when weighed against the effort, managing risk as you say.
 

EdsReefOdyssey

Interesting thread, now I’m even more paranoid than I was before. :(

It is our opinion also that the customer should not be 100% dependent on the cloud-service. That is why the Apex has a built-in web server with a user interface that mirrors that of Apex Fusion. This way, even if your internet service is down, you can still access your Apex from your phone, tablet, computer, or any device with a web browser.

I just wanted to post this to help make things clearer the difference in operation between these two methods.

Can you see graphs and past readings when using a tablet to control the Apex offline? Or do you need to be online and using Fusion to do that?

My post IS meant to be informative (and create discussion) and I hope that it makes those seeking to make an informed purchasing decision take a deeper look at this particular topic. Because we feel it does matter.

Well you got your wish, this thread definitely created a discussion. My only problem with it is it should be in your Neptune sub-forum. You should have started a thread called Cloud Service vs Port Forwarding the pros and cons of both. That in my opinion would have been more “informative” and would have sounded less like a sales pitch.
 
Terence (OP)

Can you see graphs and past readings when using a tablet to control the Apex offline? Or do you need to be online and using Fusion to do that?

Works great in local mode - lots of ways to see your data:


Well you got your wish, this thread definitely created a discussion. My only problem with it is it should be in your Neptune sub-forum. You should have started a thread called Cloud Service vs Port Forwarding the pros and cons of both. That in my opinion would have been more “informative” and would have sounded less like a sales pitch.

The point was not to be a sales pitch - it was to be informative (from my point of view) and create discussion. Discussion amongst those that might not be in agreement is much better than discussion amongst all those who are already in your camp. That is the reason to talk about such wide reaching topics as this in this forum.

I do not believe that hobbyists like myself, who also work in the industry, should be relegated to simply posting in the sponsor thread. In fact, all that would do is send them into the shadows. Many on this forum (and quite possibly on this thread) are involved in the industry in one way or another - they just hide behind some sort of pseudonym or moniker. I prefer to not go that route. I wish others would do the same. It is one of the (few) areas where FB is much better than forums - people cannot (easily) hide behind anonymity on FB.

I for one would be fine with, as an example, the likes of Kevin Kohen of liveaquaria.com posting on a general fish forum why he believes certain methods for fish quarantine are best - and they happen to be the ones they use at liveaquaria. I am smart enough (and I think most visitors are) to know that there is a relationship (potential for bias) there and can listen to others' opinions and then come to my own understanding. To think otherwise is quite patronizing of the average forum member. Also, if he were only allowed to post such a discussion in their vendor forum, think of all those that would never see it - and should see it - because it is valuable information from an expert in a particular field.

I would love to hear @revhtree's opinion on this.
 

2Wheelsonly

I think it was a good healthy discussion, a large number of reefers use these controllers as insurance policies and I would never in a million years invest in corals without one.

All good points from both sides but at the end of the day I feel their cloud solution is fantastic and one of the best free upgrades a consumer could ask for.
 

TheEngineer

Formerly icecool2

Oh man... now people are spies from other companies in this thread? To whom specifically are you referring?
 

Tristren

This is the Aquarium Controller forum, and he started a thread about something relevant to aquarium controllers. He has his job title in his signature and his company logo as his icon. There is no subterfuge here. I'm not seeing how this is a problem.

I know it's not likely to happen, but wouldn't it be great for all the rest of us if the "industry insiders" would really hash out these issues here where we can all see?

I know that I don't feel like going through all of the sponsor forums for the products I do and don't use to find any interesting pieces of information.

[Edit: also, looking at the aquarium controller forum, there's precious few non-Apex threads anyway, unfortunately. It's practically an extra Neptune forum.]

Tony
 
Terence (OP)

Oh man... now people are spies from other companies in this thread? To whom specifically are you referring?

No one. Just that it is certainly possible because of the quasi-anonymous system that forums use - as opposed to FB. Many (possibly most) individuals associated with the industry in some form (manufacturer, LFS employee, wholesale livestock employee, etc.) do not identify themselves as such by name or by their signature.

It is not about spying. But isn’t it interesting that you know who I am, but no one knows who you (or most) are? So it is very easy to identify my potential bias - but not others.
 

TheEngineer

Formerly icecool2

Check out the “What do you do for a living?” thread. It’s awesome the different things everyone on here does. :)
 

TheEngineer

Formerly icecool2

I’ll add, I’ve enjoyed this conversation. I just wish it had started differently.
 
Terence (OP)

Check out the “What do you do for a living?” thread. It’s awesome the different things everyone on here does. :)

I know there are tons of great people here. But that thread still does not provide true identity. It would just be so much more helpful for people to understand who everyone is from their signature - or certainly their profile. Of course one could go figure out a lot by looking at whois records, google searches, etc., but why have to go through those hoops?

You are a long term Reef-Angel user and self-programmer of that unit. That affinity also gives you bias in a thread like this. Nothing wrong with that at all. Bias is normal. But it is bias that readers should understand just like the fact that I work for a manufacturer.

I think this forum-anonymity thing is just a vestige of a day long since past. This is just my opinion. No spying or conspiracy implied.
 

Reef Monkie

I think it was a good healthy discussion, a large number of reefers use these controllers as insurance policies and I would never in a million years invest in corals without one.

All good points from both sides but at the end of the day I feel their cloud solution is fantastic and one of the best free upgrades a consumer could ask for.

I think controllers are a real innovation in fish keeping, I am amazed at the progress that is being made on that front in such a short space of time, but, there is no such thing as a free lunch, the cost of the cloud solution is factored in to the price of the product, as is every other cost a business makes. When companies tell you they are offering a free service that is just marketing speak for you paying for it in some other way.
 

tj w

@Terence, even though I may not agree with everything you say here I certainly respect your input and am grateful you engage with us here on R2R.
 

TheEngineer

Formerly icecool2

You are a long term Reef-Angel user and self-programmer of that unit. That affinity also gives you bias in a thread like this. Nothing wrong with that at all. Bias is normal. But it is bias that readers should understand just like the fact that I work for a manufacturer.

Indeed I am an RA user and a fan. I’m also a DA RKL user and fan. I’ve expressed no opinions about hardware or software in this thread. I’ve expressed my opinion about the delivery of the original message. There’s no bias in that.

Thanks for googling me :)
 

Tristren

I know there are tons of great people here. But that thread still does not provide true identity. It would just be so much more helpful for people to understand who everyone is from their signature - or certainly their profile. Of course one could go figure out a lot by looking at whois records, google searches, etc., but why have to go through those hoops?

You seem to be saying that even asking/requiring people to self-identify as employees of a manufacturer/supplier/retailer wouldn't be sufficient.


You are a long term Reef-Angel user and self-programmer of that unit. That affinity also gives you bias in a thread like this. Nothing wrong with that at all. Bias is normal. But it is bias that readers should understand just like the fact that I work for a manufacturer.

Except that it is not just like you representing a manufacturer. A customer having an affinity and a bias towards or against a product or company is not the same thing as an employee or owner that has an interest in their company.

There is no conflict in the former, but clearly at least the appearance of possible conflict is present in the latter. And surely conflict of interest is what we're talking about.

I said above that I don't see any issue with this thread or its context. You are transparent about your interests and that addresses any concerns around conflict as far as I'm concerned. And I agree with you that if others participating have undisclosed interests that is unfortunate and taints the discussion.

And I do agree that customer loyalty or animosity is a bias that is relevant.

But I can't agree with the idea that consumers need to disclose any affinities they have. Hopefully everyone is contributing based on their different experiences with various products. That has to be assumed and understood as part of participating in any discussion and biases will become clear as conversations progress.

I think this forum-anonymity thing is just a vestige of a day long since past. This is just my opinion. No spying or conspiracy implied.
 
Terence (OP)

@Tristren, I do not think that people should have to claim all of their brand affinities - absolutely not. And, yes, I do believe that if you work in the industry in any aspect, you should be required to have that in your profile. I do think that the world would be a slightly better place if on the internet there were no more vestiges of anonymity in forums such as this - for a myriad of reasons. If I know the identity of someone posting, I can easily find out more about them, why they might think the way they do, understand any natural bias they may have, etc. Also, when one cannot hide behind their anonymity, they tend to act a bit more like they do in the "real world".

Of course we have strayed off-topic, but I think for a good reason.
 

Tristren

@Tristren, I do not think that people should have to claim all of their brand affinities - absolutely not. And, yes, I do believe that if you work in the industry in any aspect, you should be required to have that in your profile. I do think that the world would be a slightly better place if on the internet there were no more vestiges of anonymity in forums such as this - for a myriad of reasons. If I know the identity of someone posting, I can easily find out more about them, why they might think the way they do, understand any natural bias they may have, etc. Also, when one cannot hide behind their anonymity, they tend to act a bit more like they do in the "real world".

Of course we have strayed off-topic, but I think for a good reason.

I take your point. The CBC News site (kind of like PBS but not really) banned anonymous posts in the comments section: http://www.cbc.ca/1.3496467

I don't know that hobbyist forums are where it's the most problematic though.


Regards, Tony
 

EdsReefOdyssey

The point was not to be a sales pitch - it was to be informative (from my point of view) and create discussion. Discussion amongst those that might not be in agreement is much better than discussion amongst all those who are already in your camp. That is the reason to talk about such wide reaching topics as this in this forum.

I do not believe that hobbyists like myself, who also work in the industry, should be relegated to simply posting in the sponsor thread. In fact, all that would do is send them into the shadows. Many on this forum (and quite possibly on this thread) are involved in the industry in one way or another - they just hide behind some sort of pseudonym or moniker. I prefer to not go that route. I wish others would do the same. It is one of the (few) areas where FB is much better than forums - people cannot (easily) hide behind anonymity on FB.

I for one would be fine with, as an example, the likes of Kevin Kohen of liveaquaria.com posting on a general fish forum why he believes certain methods for fish quarantine are best - and they happen to be the ones they use at liveaquaria. I am smart enough (and I think most visitors are) to know that there is a relationship (potential for bias) there and can listen to others' opinions and then come to my own understanding. To think otherwise is quite patronizing of the average forum member. Also, if he were only allowed to post such a discussion in their vendor forum, think of all those that would never see it - and should see it - because it is valuable information from an expert in a particular field.

I would love to hear @revhtree's opinion on this.

Go back and re-read your first post as a hobbyist. You use the word “Apex” 5 times in one paragraph, 11 times total. Does that sound like someone trying to be helpful or someone trying to sell you something?

I agree that hobbyists like yourself shouldn't be relegated to simply posting in the sponsor forum. But if you’re going to post in other forums you should try and do it as a hobbyist and not as a VP in Sales and Marketing from Neptune Systems. I look forward to reading more posts by hobbyist @Terence :)
 

Ranjib

Lots of great info here. I personally don't think there's something very unethical said in this thread. Thanks, @Terence @TheEngineer and everyone for sharing your opinions. I love all of your passion on this subject :)

My couple of thoughts, there are lots of statements/opinions made here, that without data are very subjective. Remember "fear is perceived, but risk is real", a reef keeping equivalent statement will be "dosing stuff without testing your current levels"
  • Without hard data, it's difficult to claim that the Apex user base is representative of reef keeper's technical strength. A counter-argument can be made as: "A DIY hacker is likely to understand things (and willing to take the associated risk) more than the average Apex user" - but again where is the data....
  • I agree, without any further details, it is likely port forwarding and instructing the controller what to do is riskier than the controller dialing back home and getting instructions from a cloud endpoint
  • This by no means makes the cloud service safer than port forwarded hacks. We need more detail. A cloud-based solution that uses basic auth is likely to be less secure than a port forwarded system using an ssh tunnel and two factor. Put another way, we need data on how the cloud integration is secured. Does it use https? Where is the trust root? How does the device update its cert chain? Is the device TPM backed... do you enforce some password strength? How do you store the password on the other end? Is it bcrypted on-rest, how is it transmitted (strength or encryption etc)
  • I would challenge the argument that this kinda thing will be exploited to hack the aquarium controllers. These types of things are not scalable for hackers. All IoT hacks are done on lower level things, like NTP exploits, or a vulnerable version of a webserver etc. Something that's more common, easily fingerprintable, and hence can be used to hack a large number of devices. Which makes me wonder, what are the chances a DIY port forwarded controller that is updated regularly is safer than a proprietary controller about which we know nothing, other than that it is hooked up to the network, and it does run pretty much the same software stack. Securing the devices involves defense in depth, not only the controller API but also all other network-bound services that are running inside the controller need to be secured and stay up to date. It is this information that, to me, can give better confidence in the controller's security.
  • No one has mentioned one key difference, if a port forwarded controller is hacked, only that controller is hacked, if a cloud based system is hacked, the attack surface covers all controllers that might be using the cloud service as a command center.
  • My last observation from all the past few years' hacks will be: It is unlikely we'll be able to safeguard our system if the attack vector is state-sponsored, and works at a low level. If we (controller software/devices) are not being hacked, it is likely because we are financially not that lucrative. All the big companies I have trusted my data with have been hacked. This is not a false statement, from Yahoo to Equifax, everyone was hacked.

I would repeat, I personally believe that cloud service based stuff should be safer than a DIY thing, given no other details... similar to sps requires more light and flow. But it's vague and likely to be wrong on many counts (many sps grow just fine under low light), and definitely not an authoritative statement if you take it in reverse, e.g. "if you put more light and flow you'll have thriving sps" aka "using a cloud integration will make the controller more secure"... specifics are key.
my 2 cents
 
