20 comments

[ 2.8 ms ] story [ 49.5 ms ] thread
That's great, but why don't you have HTTPS/SSL on your website, jeff?
Why is https necessary here?
It's not, but there's a serious trend towards a security-first mindset. IMO, the idea is that if everything is secured, nothing forgets to be secured, or is left un-secure accidentally.

There are also those who simply don't want people knowing what they're reading online, even if it's just programming blogs or other "harmless" stuff.

Agreed. You can't make a mistake when there's no decision to make.
Without https, a man in the middle could easily rewrite your website's content in different ways for different purposes, inject scripts, etc. Which at first sounds a little theoretical except that ISPs have actually done this to inject banner ads into unsecured pages (article's about a smaller ISP, but iirc Comcast has done this before as well): https://arstechnica.com/tech-policy/2013/04/how-a-banner-ad-...
Comcast used this technique to notify me I was about to hit my 1TB monthly cap. In that case, I was happy that they did so.
Seems intrusive to me - wouldn't an email or text message have been a more appropriate channel to deliver that message?
Yeah, I just thought it was an interesting twist. Sometimes harmful techniques can be leveraged for good.
Let's hope the water utility doesn't decide to send out a spray of brown water when it's time to remind people to leave their taps open when the temperature goes below freezing
I was under the impression that I wouldn't care about somebody MITMing me, but you've made me see a number of things in that vein that would bother me.
And you just gave us their segment.io API key and google cloud manager authentication tokens.
You're right, I've fuzzed those out but anyone can still pull it out of the app. Seems like a bad idea to have those hardcoded client-side, so I'm not sure why Google requires developers to do this.

Edit: actually I think the value that is exposed is the token ID, not the token itself. I haven't used Google Cloud Manager before myself, so maybe someone can confirm.

Amazing, I've been wanting an API since I first got mine through the Kickstarter!
Been waiting for an API for years now, sadly don't expect one to come anytime soon. Luckily their private API is standards based and has year+ access tokens!
If you're looking for a cheap, hackable device with basic sleep tracking, I highly recommend the Xiaomi Mi Band (1 or 2). The protocol has been reverse engineered, so you can use a program like GadgetBridge to get all of your raw data out of the device.
The author also links to his student's analysis of a bunch of sleep trackers: http://sleep.cs.brown.edu/comparison/ which is quite interesting; the TL;DR is: it pretty much doesn't matter which one you choose; the data aren't particularly scientific but can be fun to look at.
A semi-decent heart rate monitor (even a Fitbit) is all you need to track sleep quality, I think. It's also much more reliable to detect when you fall asleep vs motion sensors (alone). If I have a good nights' sleep, my heart rate plummets quickly and pretty much flatlines for 7 hours.

I can see the difference if I've been drinking alcohol, if I was woken up in the night or if I'm ill. All of these things tend to produce either an elevated heart rate, or a heart rate that slowly declines over the night (rather than a steep initial drop).

The study is cool, but is there a comparison to a control instrument that can actually detect REM sleep? My conclusion from that graph was that none of those trackers are any good at telling you at which point you are in your sleep cycle, but most are OK at guessing your bedtime.