65 comments

[ 5.4 ms ] story [ 147 ms ] thread
> Businesses like Starbucks are rolling out Azure Sphere to secure its store equipment, which feeds back data points on the type of beans, coffee temperature, and water quality for every shot of espresso.

I understand detailed feedback on huge multi-million dollar industrial machines where proactive maintenance based upon massive ML datapoints can save unexpected downtimes with millions in damage, but on coffee machines?!

You could subtly vary these factors remotely (and per shop), then use a customer feedback form per shop to see which one makes people most happy. Perhaps you could combine this with the hardness/composition of the water so you get the right coffee every time.
If it means a guaranteed perfect cup of coffee then by all means why not? I hate when I go to a place I am used to getting decent coffee at and it comes out tasting terrible.
(1) Food safety issues could literally kill Starbucks

(2) Starbucks business depends on having those measurements for quality control

(3) Starbucks gets lots of vendor deals from partner companies because they are a well know brand and having them on board helps land more deals

(4) Hacker using the machines might be able to sabotage the stories; food poisoning, fires, etc

(5) The smarter the tech in store — less training required per employee on site.

(6) Starbucks has other plans for it, such as enabling customers to use their network for IoT devices

(6) etc.

>> The smarter the tech in store — less training required per employee on site

We know that the larger the attack surface the more likely is to get hacked so if Starbucks really cares about everything you said (i.e food safety issues) it should hire more people and less machines.

Have you met people? They’re really unreliable and inconsistent, especially on minimum wage.
How would more people make their coffee more consistent?

Starbucks is a massive chain people expect the same thing at any Starbucks they go to. People are very inconsistent, if the coffee tasted different at every Starbucks they would not be as large as they are.

Using that logic, all tech with vulnerabilities should be removed.

While I understand the urge want to humanize the process, give people jobs, this is not the way to do it.

Future of human employees inside of Starbucks is clearly focused on what the baristas do best as humans, being friendly person that’s humanize the experience of getting coffee.

As for including humans in food safety procedures, what exactly are you referring too? Inserting 30-60 IoT continuous environmental and systems monitoring sensors into a store clearing makes more sense that paying a human to be in the store 24/7 and writing it down on paper. If I am recalling correctly, Starbucks has already saved millions by not letting the on site employees control the HVAC systems.

I will offer an observation here: franchise production of food and drink relies upon homogeneity. Sometimes, people go out for something new, but often people want the same old thing. Someone across the country in a strange bed, where their accent sticks out, might want something familiar, and that is the experience of McDonald's in the United States. I could go from one corner of the country to another and the burgers would taste identical.

And so, people want replicable coffee drinks. And coffee can be a fickle beast to brew. Given that, unlike McDonald's which can freeze and ship, you must go from bean to drink on premise in a matter of minutes, I could see a focus on trying to ferret out a way to make that expensive cup taste the same from Portland, Oregon to Portland, Maine.

Oddly, globally, Starbucks around the world are not the same; for example, the percent of fat in the milk differs from region to region.
Yes, I think where an established culture exists in some boundaries that a franchise tries to grow into, it must adapt and offer its own variety within that. I know McDonald's would be different in, say, Japan, but it is likely the same within Japan.

It is a bit more startling in the United States because it is such a large country. Imagine crossing a reasonable fraction of the globe and the food is still the same! The comfort of the familiar is an incredibly strong lure and I believe it happens in ways that are so broad we can hardly see we are within them, like a bug on the surface of a tidal wave. Food and drink homogeneity is only one of the ways, but is likely one of the more primal. People of a certain age, when given Kosher-for-Passover Coke (still made with sugar) are delighted by the return to what they grew up with.

In any case, Starbucks wants a customer who, perhaps having had their fill of experimental recipes and lunches at new places, can reach for a stimulus just like they had before. It might mean a lot in an airport terminal after nights on a mattress you've never slept on before.

McDonald has very different menus in different regions, as does starbucks.

I remember visiting NY and being fascinated by many of the options I've never seen in other countries.

Yes. And your basic burger is still going to taste the same. The idea is that Item X is going to taste the same within a given region, typically a country, not that Y or Z will not be on offer.
In their Chicago HQ (ironically on Randolph Street), McDonald's has an "Global Menu" where they serve a rotating selection of items served around world. It seems that chicken is king in most other countries.
It isn't in the US? What's the top options then?
Most people get beef burgers at McD's in the US (at least, that's my impression).
> Given that, unlike McDonald's which can freeze and ship, you must go from bean to drink on premise in a matter of minutes, I could see a focus on trying to ferret out a way to make that expensive cup taste the same from Portland, Oregon to Portland, Maine.

There's a 2013 article on why 30% of Michelin-star restaurants went with Nespresso, which seems to have consistency down: https://www.grubstreet.com/2013/03/nespresso-sold-at-micheli...

I thought a lot of other large "fast food" retailers do the same for their equipment? Chik-fil-a does something similar for quality control and some predictive cooking if I recall correctly.
Well if your companies entire raison d'être is to serve coffee, then you’re gonna spend the cash to make sure your coffee machines are in tip-top shape.

It would be weird if Starbucks wasn’t investing in their coffee machines. Make me wonder what they were spending their money on.

I think this might be a barista thing. A while back an espresso machine with open source software was posted here.[0] It has all kinds of data. And I've seen baristas wanting very specific parameters for making coffee (e.g. making pour-over coffee with exact weights, volumes, temperatures, bean grind durations). I imagine (but of course could be wrong) there are baristas at the top in Starbucks who find this data important.

[0]: https://decentespresso.com/downloads

Soooo much money, what a time to be a sec-expert! </s>
If you manage it in a day... Even if you take a month.

Problem with these kind of things is you never know how much time you're gonna spend. I was pretty active in this scene when I was going to University and had nothing better to do. But now I don't want to risk a month of my time and potentially end up with nothing. I guess people who compete in these things already have an exploit at hand to start with.

Job-Security, meaning, its the Job of the Security to guide sec-experts to the exit, where they will be handed over to the police, for trying to break in, using a already known bug.

#FreeBlackHatsWithEveryFoundFlaw /s

This reminds me about pentesters being jailed awhile ago.
I am amused that MS has its own Linux flavor, but I won't make a joke about it. I won't mention previous attempts at embrace, extend and extinguish.

I want to focus on the IoT part.

Do not get me wrong. I am glad MS tries to show they care about security in IoT space. Heavens know I don't want to see Starbucks microwave botnet in 2021.

So I guess you don't believe in truly open source and free software. Where everyone, regardless of motive or position, has equal access to it.
Everyone has equal access, but that doesn't imply we ever have to trust anyone that uses or creates free software. You're free to make it, we're free to never use it and not trust you, and if there's anything of value, we'll ensure it gets into the hands of people we trust, and not you. (The use of 'you' here is in the imaginary 3rd person, not you specifically).
I did not argue that. I like their current efforts. But as with most things, best predictor of what people do is checking what they have done in the past. In this case, they have attempted to capture an emerging competing OS and effectively destroy it. I would be silly for me to simply forget the past.

They have access. I am not arguing against it. I have memory of what they have done. Should I just forget it?

It might well be embrace, extend, extinguish. But if so, in this instance it isn't Microsoft's doing it.

The embrace started long ago, with things like Samba, a free implementation of vfat, Wine and Active Directory. Extend also started long ago, with things like, getting gcc to run on it, cygwin, the LAMP stack, Firefox - lots of things that let Windows do things only Linux boxes could do, and for free.

Then came extinguish. WinCE followed by WinPhone, and now 1/2 of Azure runs Linux boxes which I guess pretty much signals the fate of Windows on the server arena. Whereas two decades ago most computers an end user interacted with run Windows now they don't.

Win win. Flag not captured: MSFT is secure! Flag captured: Linux is insecure.
It's actually a specific offer regarding two Microsoft initiatives, "the Pluton security subsystem or Secure World sandbox".

Almost as if they assume Linux can be breached, but not their fabulous software. ;)

That's really cynical. It could also just be that bounties like this are a useful way to improve security of software.

Linux's security isn't in question anymore, certainly not among developers who would be choosing whether to use Azure Sphere. Linux has been battle-tested for decades, and Linux already won. This is Microsoft embracing it, for better or for worse. And frankly I'd rather have a Microsoft Linux distro on my fridge than a slimmed down version of Windows.

I'd rather just have a plain old fridge, honestly, but we're talking about IoT OSes right now.

>That's really cynical.

Of course. This is Microsoft. The memory of the culture of Gates and Ballmer is not erased.

>And frankly I'd rather have a Microsoft Linux distro on my fridge than a slimmed down version of Windows

Referencing security of fridges reminded me of this https://www.youtube.com/watch?v=BnKpNVHw-TQ :)

I have to agree. The goal here is to have someone audit the system and still take the high ground regardless of the outcome. It's easy to give them the benefit of the doubt but the more likely answer is that they are hoping to find a way to undermine Linux or find a way to sell it to others and keep the money, this seems like phase one of that rollout.
Clearly they've put a lot of work into this and are willing to pay out for a "3rd party audit" so to speak.

But my schadenfreude is hoping for an outcome similar to what happened to an old co-worker of mine back in 2005.

He was a Windows nut and we were always in a friendly competition about which ecosystem was the better one. One time he had done a bunch of modifications to his own laptop OS, IDS, and tweaking services to have a slimmed down install with a web server. When he was happy he told me "tell your hacker buddies to try and hack this website hehe" :D

He had put up a simple website offering 1000 USD for hacking into the server it was hosted on. His own personal work laptop, with a bunch of other sensitive stuff on it.

I said, ok... And posted it on a certain mailing list that I won't mention.

We sat opposite each other and within 10 minutes I saw him bend down towards the screen with a worried look on his face. Tapping frantically on the keys.

Within another 10 minutes he had disconnected the computer from the internet and said the challenge was off. :D

Apparently his IDS had been throwing up warnings about md5 checksums being changed left and right. That's all we figured out about it. I was 16 years younger so he didn't want to share much more with me.

Any chance I can get the name of that mailing list via PM?
How about we stop using HN's comment section to tell irrelevant-to-the-story personal anecdotes? This is basically the top/most upvoted comment of every article. Surely I can't be the only one to notice this trend?
I don’t see why it’s a problem. If it’s the most up-voted, then clearly people find it interesting.
It's a problem exactly because it's up-voted, it's derailing. Happens on so many articles recently. Either derailing by a personal anecdote, or by the "middlebrow dismissal": https://news.ycombinator.com/item?id=4693920

Both are equally derailing. In this case, I would much rather the comments be about the actual OS in question or the trend of big companies crowdsourcing security (penetration testing).

One man's trash is another man's treasure. Otherwise we'd all be reading a website called Hacker Facts, not Hacker News.

These anecdotes provide societal context to the story. Why would Microsoft get the public to harden their product? Surely they have enough resources to do it themselves right?

Because many eyes make light work. Some people would obsess over trying to hack this OS, putting in far more effort than someone paid 9-5 to do it.

Not always what you want. I'm sure many people think the pun that the top 50 comments race to make on Reddit is the most hilarious thing in the world. But it also gets in the way of discussion as you have to scroll/collapse your way past.

I think we could do a lot worse than anecdotes, but what I find weird is how the anecdotes on HN are always so smug, like this one. "Heh, my old co-worker thought my 'little hacker buddies' couldn't hack his website ;b Let's just say they put quite a dent in it heh ;b."

Bit of an eye roll.

Admittedly I'm prone to posting stories and I'm thinking of not doing so / doing it less.

Look at this story. Some guy, who honestly seems to have pretty questionable judgment did a thing and it was a bad idea.

What does that really have to do with this challenge from MS about a custom version of Linux? I would say almost nothing.

HN is generally focused on thought provoking discussion. Anecdotes can be very thought provoking.
I feel like his choices by using a device that is for work ... kinda automatically makes me question what if anything we can learn from a technical perspective.

If his judgment is that bad on a basic level, how bad must it be on a technical level?

Many people confuse absence of evidence (of insecurity) with evidence of absence (of insecurity). Just look at the SARS-CoV-2 reporting in January and February, where every major media outlet copied stories about how the flu is much worse and that we should really be worrying about the flu. It was patently ridiculous to be making such assertions as the only thing certain at the time was the depth of our uncertainty.

The dilemma is that equating absence of evidence with evidence of absence is actually a good long-term strategy in our day-to-day lives. Without this strategy we'd be paralyzed by our own ignorance; particularly, paradoxically, those aware of their ignorance. It's a meta-skill to be able to identify when the heuristic should be discarded in favor of more rigorous analytical thinking. A capacity for analytical thinking isn't sufficient by itself, thus making such an error in judgement doesn't necessarily imply an absence of strong analytical thinking skills. (At least, that's what I tell myself ;)

More specifically I'd question the abilities of anyone who thinks they know about security who then exposes actual work material to some sort of uncontrolled test as described and honestly claims to be sure it is secure.

Anyone who knows about security understands that on a modern system there are so many layers of software / firmware, you never can be 100% sure (well I guess other than powering it off...).

(comment deleted)
Did not know they offered a custom Linux OS.

What is the strategy here, to make a Chromium like play where the project is open but for practical purposes everyone just uses Chrome? That might not be terrible for the ecosystem

Multiple custom Linux OSes at this point. WSL2 is a custom, mostly transparent Linux VM tailored to fit nicely on desktop windows for developers.

The play (as I see it) was that losing mobile really shook them, and now they have no sacred cows to protect. Developers want and need to develop on linux, so microsoft is making that happen so that they can keep selling software.

How do they usually run these?

Folks apply and then does MS provide each accepted applicant a separate target and some level of access to verify if they were successful?

Yocto-based. Nice, at least they're doing that part right.