Ask HN: Do you manage your family's digital safety?

163 points by arzmir ↗ HN
Most of my family members (nuclear and extended) have little interest in spending time to manage their digital selves. Amongst other things making sure they have control of their passwords and accounts in a safe matter.

I've lately decided to set up a 1Password Family Account to help at least my nuclear family into taking net security more serious.

- What steps did you take to make it simple enough for your family to care?

- Did you retain any restorative powers? As in keeping master passwords to certain things and/or emergency accesses like in LastPass?

- Which subjects spurred the most discussions and how did you solve it?

- Which items do you share amongst all family members?

Edit: Formatting

131 comments

[ 2.9 ms ] story [ 179 ms ] thread
> What steps did you take to make it simple enough for your family to care?

I did the same thing as in the office - embarrassed or annoyed them (in a small way) by using their lack of security. I changed desktop backgrounds, "stole" £20, sent emails with promises like "I'll wash your car" to people. I'd follow this up with a lecture on "if I can do this, imagine what some dodgy foreign hacker could do".

Constructively, I pay for the whole family's 1Password and Fastmail accounts. I am the admin. I'm patient and understanding when they do something wrong. And I limit the number of people I help to those I can really help.

We have a WhatsApp group where they can ask whether something is dodgy. They don't use it for chitchat, so anything that comes through, I treat urgently.

> We have a WhatsApp group where they can ask whether something is dodgy. They don't use it for chitchat, so anything that comes through, I treat urgently.

I really like that idea.

Until an older relative uses that same group for something completely unrelated.
This actually happened to me and I gave up. I support them through every channel now and the family whatsapp chat is a messy, happy heap of everything.
We have a separate chat group for that. It doesn’t work perfectly but it does work well enough.
Considering the privacy issues related to Whatsapp handling of personal data (e.g. contact info sent to Meta servers, message metadata collection, etc.), why not using Signal, Matrix, or something alike? Or is it too difficult for them to use something else than Whatsapp?
Not OP but they're likely using Whatsapp already.

I'm a big believer in Signal (I have a monthly contribution set up) but Whatsapp is far more common for most people to use.

I have convinced my older parents and siblings to all use Signal though, so I consider that a win.

I was just looking at Adam:One (DNSthingy), a comprehensive gateway with focus on filtering “bad things” add-on for Pfsense/BSD when I saw this post.

You got bigger problems after Password Managers.

Just polished up the transparent Squid/SquidProxy/custom-ICAP-servers-to-block-DNS-over-HTTPS/Default-Deny-firewall for my home.

It seems to me that we are losing the war on Zero-Trust home-based content filtering (with the onslaught of Webroot port 7777, and DNS-over-HTTPS, and even AVG 443 for DNS.

You all hear me? I am (and probably we are) losing control of the HomeLAN/home-net via the onslaughts via circumventions of Zero Trust Model.

And this new DNS RTYPE SVCB and HTTPS by Akamai CDN, Apple iPhone/iPad, Cloudflare, and BigIP/F5 is making this gateway (and me) losing it all.

https://filters.pluckeye.net

https://adamnet.works

https://docs.diladele.com/tutorials/transparently_filtering_...

https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https...

I preconfigure all windows machines in my family, and take away their local admin rights. No crapware installs, no disabling of updates or defender. No microsoft accounts.

They get firefox browser with adblocker preinstalled. I manage their important passwords (eg fastmail) and trained them to rely on firefox sync for the recoverable accounts.

I use MeshCentral for remote administration (amt)… its amazing for the price (free).

OPNsense firewall in all the homes. Unknown devices are isolated and egress over wireguard VPN.

a physical jail cell and a faraday cage and you'll only need to tighten the chains a little more!
Two of the four homes already have a faraday cage :)

It was built by a german chemicals company and the reinforced concrete blocks signals.

I rented a place where the walls were lined with chicken wire. They used it to hold the plaster to the lath. I ended up needing to run a POE wifi AP to each room.

When I moved out I told the landlord that he should use it as a selling point, as some people in the area had just tried (and failed) to sue the library for not respecting their wifi allergy.

this got me rolling on the floor,lol.
You may be surprised to learn that removing admin rights is no longer (and never really did) protect against app installs. Many developers have figured out they can just install into the user’s profile.

Only apps that truly need admin rights (that install services, etc.) would be blocked. Everything else is wide open.

The admin rights restriction on app installs was almost just a convention that people followed. Now that the app incentives have changed (malicious apps don’t try to take over the machine anymore, they just try to steal your data), admin rights restrictions are becoming irrelevant.

Not OP, but I'm surprised. So thank you.
Note however this is only partially true for single user devices, where lack of admin rights does prevent some attacker persistence, and is not at all true for multi user devices e.g. the shared family PC.
I’m not following which part you’re saying is untrue. The number of users on the machine is irrelevant as each user can install apps into their own user profile. Maybe they won’t have access to the other users’ data, but it’s enough to gain a foothold.

Persistence is easy enough with startup shortcuts or scheduled tasks in each profile.

Also, I’m not saying these apps have some kind of hidden malware, I’m saying they are operating as designed, and usually offer features in exchange for letting them do things like upload your address book, etc.

Firefox Sync is great for this. It's essentially a password manager, and if you install it on Android, you can use it as the default login information autofill app.

    > No microsoft accounts.
Good look with that from now on.
"good luck" you mean?

I'm asking because I do exactly the same: no admin accounts for my family on their own Windows machine (mother in law and wife etc.).

They're also using only local account. Is Microsoft banning local accounts?

Yes, they're removing local accounts. At least in Windows Home.

A Microsoft account and an internet connection will be required to use Windows.

I use Lastpass with my family. The Lastpass plugin for Chrome has been reliable and convenient for everyone. It took a lot of badgering on my part initially, but now everyone is used to the process. For emergency access, I have that stored safely and can access if necessary.
1Password family and encouraging rental insurance that includes some form of identity theft help is literally like the cheapest way you help people. Anything past that and I simply don't want to be responsible for things
In the same vein, what is the biggest risk vector? My general impression is that AV will NOT catch new malware 99% of the time. I am to the point where I don't keep ANY/identity personal info on my computer.
E-banking security. Configured a dedicated hardware laptop with default network policy outgoing to denied. Manually configured a very limited set of IPs for the banks sites used (no DNS server allowed, static resolution in /etc/hosts) and OS packages. Second step (or factor) done on a dedicated phone hardware too (no sim card used). Automatic browser startup at session open with tabs open for the banks website.

Been operational for a few years. Minimal maintenance. Great peace of mind.

- I configure all windows machines at home - Everyone gets adblockers - I configure all android phones at home, everyone gets an adblocker - Everyone runs malwarebytes - Everyone is briefed on these tools and to talk to me when installing rando software - 1password on phone and all computers, everyone should be generating PWs
I have a 1Password family account for my immediate family, and I let my mother have the fifth license.

My kids get locked down OS's and games, in addition to communications limits and screen time restrictions. But they're elementary age, so this is okay. The rules relax bit by bit as they get older.

For my extended family? Nothin. They're grown ups. I do host the family e-mail domain but there aren't any rules around that (well, they do have to pay for it...). We've had discussions about best practices, but the non-technical folks don't care ("so what if Google tracks me, I don't care") and the other half are technical and more than capable of managing their own digital lives.

I don't. my family is all adult individuals so we all do whatever we want and are able.

I do not go around imposing my beliefs upon them. They have their own problems to be bothered with mine too.

Yea... I can understand working with your significant other and managing your non-adult kids, but outside of that some of the comments here seem pretty invasive.
If you have high-value info to protect, you are somewhat exposed if other people in your house are sloppy with security.

Household shared threat models include:

- they download a trojan, it infects your shared printer, and copies all your documents to the bad guys

- their phone is compromised and its microphone listens to your conversations and keystrokes.

These are attacks against high-value targets. If you're just surfing Reddit, you probably don't care. But if you work for a tech company and have customer data or cloud logins on your machine, you should probably care.

Wouldn't most of these issues be addressed by the company managing their own work-issued laptop, presumably with an always-on VPN and full disk encryption? Same for work phones. Customer data and production cloud credentials should never be on a personal machine, period.

Printer could be an issue, I guess, but most tech jobs don't involve a lot of printing and if they do a USB only printer should be supplied by the company.

"The Personal Infosec & Security Checklist" https://www.goldfiglabs.com/guide/personal-infosec-security-...

Internet safety, DNS security, https://wrdrd.github.io/docs/consulting/kids #internet-safety #family-media-plan #screen-time-guidelines

Rclone supports encryption over top of like every cloud storage provider; and then what js could hit delete and confirm on our cloud storage, resulting in starting over from zero, like preppers, like bushcrafters - with DR bushcraft knives with flints (and hand-crank solar rechargeable FM/WX radio USB powerpacks) - like a low-budget made for TV Swiss Family Robinson: https://wrdrd.github.io/docs/tools#rclone

Ansible-molecule, DevSec baselines; your (1) Raspberry Pi SD card will fail, and probably before a thumbdrive or an SSD.

E2E: Cyph, Keybase has encrypted git repos; GitLab/Gitea does Issues with trackbacks: https://www.cyph.com/blog/cyph-pgp

PWD generates a printable substitution box: https://github.com/westurner/pwd

SGP: SuperGenPass https://github.com/chriszarate/supergenpass

JS implementations of SSS to do better than splitting a string in parts and printing some redundantly: https://github.com/topics/shamir-secret-sharing

"SLIP-0039: Shamir's Secret-Sharing for Mnemonic Codes" https://github.com/satoshilabs/slips/blob/master/slip-0039.m... :

> Shamir's secret-sharing provides a better mechanism for backing up secrets by distributing custodianship among a number of trusted parties in a manner that can prevent loss even if one or a few of those parties become compromised.

> However, the lack of SSS standardization to date presents a risk of being unable to perform secret recovery in the future should the tooling change. Therefore, we propose standardizing SSS so that SLIP-0039 compatible implementations will be interoperable.

I use bitwarden for my families account. My wife has her own that i setup and got working on her phone/browser. I wish she used it more but she DOES use it for the "org" account and shared info (cc, passwords etc).

Email i use on a gsuite legacy domain and have for a very long time. It allows us to move email around if needed. We still have some older gmail accounts as backup, but rarely use them. Ill probably move to something else, Mail in a box on a linode or protonmail. The problem is i havent found a 1:1 feature, between google voice for voicemail and junk phone #, and contact syncing.

On the network i manage that. Use opnsense with unifi for wifi and a few vlans. We dont have cable, so roku's/ROKU tvs get their own DMZ and we have plex and a few streaming services.

I also help manage my parents network. So they have a pfsense appliance (setup and bought well before all the nonsense) and it has a VPN connection to my house, with a similar Unifi wifi network.

All of our stuff is MFA enabled and i just handled the setup on her phone etc, gave and setup yubikeys etc.

Outside of my parents and wife/family, i dont really get involved. I really dont want to. My in-laws I have helped do things for like setup some wifi extenders etc. But their needs are more simple and dont require the complexity my parents do (that WFH and run a business from home with a larger layout.)

You must hurry with the Google apps domain, they are closing the grandfathered accounts 1st of June.

Mine was almost 20 years old.

Sorry...i apparently replied to myself today. Heres what I said to myself when actually trying to reply to you..oops.

I have already moved to workspace for now. There will be no charges until August or so. And then 50% off through August of 2023. So its....not awesome but gives me breathing room to find an alternative (Or just stay the course).

I will say one gotcha that got me...The dont allow Google Voice for workspace. If youhave a legacy account, even on the gsuite it should be fine, but you cant setup new service. And if you mark the payment account as "individual" you have NO options. If you set it as a business you could get google voice as a paid service.

Payment accounts cant be changed once setup. Which is crazy.

I have already moved to workspace for now. There will be no charges until August or so. And then 50% off through August of 2023. So its....not awesome but gives me breathing room to find an alternative (Or just stay the course).

I will say one gotcha that got me...The dont allow Google Voice for workspace. If youhave a legacy account, even on the gsuite it should be fine, but you cant setup new service. And if you mark the payment account as "individual" you have NO options. If you set it as a business you could get google voice as a paid service.

Payment accounts cant be changed once setup. Which is crazy.

Nuclear: Everything apple, preferably iOS where possible and locked down if required.

Everyone else: not my circus, not my monkey.

I have done zero or little past basic configuration and have had no issues or surprises.

I was literally looking for a MDM family solution - I have looked at Jamf pro etc but frankly it's a lot for family use (it's like 140 per person per year.)

There seems like a good OSS project - a bit of WMI a bit of bash - so I am interested if anyone has a idea.

Have a look at ManageEngine MDM. Their free tier is good for up to 25 devices. The interface is a bit weird/confusing at first, but I've been using it for a few years and it seems to work well.
Here we go...

All secure tasks like handling of IDs, banking, trading, etc. must be done through managed Linux workstations (Landscape with master image), or managed VDI. Keepass is used to store credentials. There is a network storage accessible only to those workstations containing important documents. A second storage area is avaliable for unmanaged and Windows devices.

Windows devices have Group Policy set for update settings, but generally users can do whatever they like. Mobile devices are expected to be patched but they have free reign. Haven't found a good management solution for Windows and mobile yet.

Wifi uses EAP-TLS, no exceptions and no guest devices permitted. As a result IOT and smart home devices are not allowed on the network since they don't support EAP-TLS. Certificates are issued per device and allow access to different services like VPN etc.

I currently don't have managed switches so mobile devices and personal workstations do share the same network as my servers and such, but all local services like network storage are encrypted and require authentication. Ideally I'd have VLAN segregation, but this will have to wait for the next network upgrade.

Daddy Daddy my friend wants to connect her Ipad to the internet, what's the wifi password? Not fooling me hackerrr
It's funny explaining to non-techies why I don't have a Wifi password, since they immediately think I'm crazy for leaving it open. Then I have to explain certificates...
+ Family 1Password so everyone can securely manage passwords and share logins

+ Network is covered by pihole (and in exchange, plex/jellyfin/etc access works nicely)

+ Smart home stuff is managed by me. Everyone has admin rights but shared terminals (eg kitchen panel) are unpriviledged users.

+ Everyone has a home directory on the homelab they can back up to with as much space as they want (4tb+). I help them set it up if they ask.

+ Haven't done this yet but would like some kind of network level monitoring for threats (viruses, cryptominers, etc)

Things intentionally not done:

+ I don't install anything on folks devices.. at all, but never without their consent and without them having an off switch.

+ We have cams but everyone can turn them off and view recordings. Recordings are kept only for a short timeframe. Cams are all visible/known.

+ I intentionally collect no logs of dns or other stuff. When I do occasionally need to debug an issue, I let everyone know I am flipping on logs for a few minutes.

Empower users, don't control them.

This assumes some kind of knowledge your users have.

I install whatever I can to control/centralize the devices of my wife and parents. The less they know the better. Because your know, I am the 24/7/365 all-knowing support.

I do not do this with my teen kids. They can manage their stupid themselves. Until recently I had them tracked in Google maps but not anymore. They do see me though.

> The less they know the better.

I have found the opposite to be true. If I push them to invest and understand, they are more likely to fix their own problems. I play tech support very infrequently and usually it's just initial onboarding - "Hey, how do I watch movies?"

My users can reset their own passwords, reboot devices, and some of them can even restart stuff on the server.

There's a dashboard with all of our links, so I don't get the "What's the url for..." stuff.

I keep quick docs in the family notes.

Usually my only problem makers are game servers since those are always a bit less than stable once loaded up with mods.

Some people learn, some don't. Generalizing how tech savy people are, can or even want to be is a futile effort
People learn when they have motivation.

If you always do everything for them, tell them it's complicated or easy to mess up.. well then yeah, they aren't going to learn.

Tech knowledge is not special compared to any other kind of knowledge. You don't have to be "tech savvy" to be a self sufficient user.

I do not want to learn to fix my car, there is a service for that. I have exactly zero interest in cars apart from driving them to go from A to B.

Some people feel thr same with computrts.

And I do not argue with my parents or wife, weak as I am, just fix the stuff and hope for the best :)

I have a similar setup at my house. The kids are on devices I do exert more control over (customized per child) but it is known that if they want to acquire their own devices they can set them up however they like at which point they will be responsible for their own security (on which I am happy to consult). My oldest is saving up to buy her own tablet, but I have an outstanding offer on the table to purchase any parts or components for any of them that want to attempt building their own device.
I make everybody get it out of the way now and post full nudes online so that we cannot be blackmailed.

Jokes aside,

> making sure they have control of their passwords and accounts in a safe matter.

This looks like two requirements. Control your passwords and accounts and safeguard them. Because saving via Chrome, though unpopular, is quite safe but you give up control.

I've found this to be useful lately as I go through and take control of my login credentials:

https://mullvad.net/en/blog/2021/11/15/forget-your-passwords...

My worry is still web vulnerabilities, opsec

opening a malicious pdf on their main machine or a malicious website

the one time all their sensitive info compromises their main gmail/apple account

How is it even possible to help our extremely vulnerable elderly parents and then our very young family members, nephews, nieces

We've probably all been pwned at least once, and we're the more cautious/aware of the population, how do the helpless even fare? Besides locking them down in the apple eco and idk vetting every file/website they use?

Anybody trying 1.1.1.1 for families?
The number one thing that we do is use an assumed name and address (and phone number) for all online interactions.

If it's not a government agency, it doesn't get any real info.

So, for instance, Amazon has a made-up name and our PO BOX and our "junk" number from Twilio.

As I have mentioned here many, many times:

This is possible because VISA/MC do not verify cardholder name. They make it seem like they do and merchants think that they do ... but they do not. You can just enter "Mickey Mouse" and it will work just fine.[1][2]

Lyft, opentable, Toasttab, Apple ... none of them have ever seen our real names or addresses.

[1] This is not true of AMEX - they do verify cardholder name the way people think they do.

[2] There is a very rare, seldom used "verified by visa" step that some online merchants used to use (mostly in Europe) that did verify cardholder name ... but I have not seen it in years ...

Maybe you're a very high profile individual that this matters beyond paranoia? I've always used my name for signups, and I have a very unique name, probably the only one on the whole planet. It has affected my life in no meaningful / noticeably negative way.
> Maybe you're a very high profile individual that this matters beyond paranoia?

You can call it paranoia. I'd call it a healthy value of privacy.

Nothing stops a company from taking your name from your credit card and using it to build/sell shadow profiles except their word. Companies' words aren't worth shit.

The reason I do this is that there are fascinating and unpredictable interactions between behavior and identity that extend out into the indeterminate future.

If we assume this information persists forever - and we might as well - it represents infinite liability and risk whereas the mitigations I have proposed cost almost nothing.

Or, to put it another way, it's very cheap insurance.

Life is finite
A life span is finite, but your life during the life span is infinite.

See chaos theory's infinitely long line in a finite-sized circle

(comment deleted)
You're saying the word "unpredictable" but with cognitive dissonance, because you are predicting disaster.

If it is truly unpredictable, then you may be diminishing something which may actually be beneficial and necessary in the future.

This obfuscated data which may or may not be linked to you (or the lack of data entirely, a void which certainly is linked to you) is itself forever persistent and represents its own infinite liability.

Not to say that you're wrong or right, just pointing out that your claim of somehow rising above this system is bogus. No matter what we do, our mark (be it a shadow profile or a void) is left, and perceptions will form around it that cannot be predicted.

Or even worse -- behaviors that attempt to hide identity may in the future be the exact sort of thing they use to do forensic sweeps. Unfortunately, I think that is just as likely as anything else.
Collecting personal data is insidious: it doesn't manifest itself until it does. It's no different from having your password leaked, or from having your mortgage application rejected for opaque reasons.

The data is there, silently, stored for a future use which may come at an unpredictable time.

Can you guarantee that will be the case at any point in the future?
Just curious - do you have Lyft pick you up or drop you off at your house/apt or do you avoid that as well? I think of that action as different from payment information verification.
don't use Lyft or Uber. Why would I want a company to keep track where I'm going linked to my credit card. It is creepy.
Yes, sure. But he mentioned Lyft so I asked.
"Just curious - do you have Lyft pick you up or drop you off at your house/apt or do you avoid that as well?"

We live on a ranch at the end of a 2 mile private road.

Lyft is something we use in the city or while traveling.

However, I do understand the spirit of your question and I don't have formal practices for these kind of things.

Like a sibling comment said, life is short ...

In Europe your payment will most likely fail if your name doesn't match your card's and often even if your address doesn't match the address on your card.

Sad.

Also, knowing how bureaucratic Europe is, I can totally see myself having a warranty claim rejected because of a name mismatch.
Whose name the warranty is in and who pays for the warranty should not be required to be identical.
There are plenty of non-transferable warranties out there.
That's not the point. The point is that one person should absolutely 100% be capable of paying for a warranty for a third party. That's not transferring a warranty; that's guaranteeing payment.
I always type something random in the cardholder field and it was never rejected. European cards and websites. The store can see what you entered in that field though through the payment gateway.
Is this a disaster waiting to happen if visa/mc one day flip the switch on name verification?

Beyond that, for the type of tracking and fingerprinting done today, how relevant is your name actually?

For a lot of stuff your credit card number is the reliable join key anyway
> Is this a disaster waiting to happen if visa/mc one day flip the switch on name verification?

Doesn't even have to be that big of a policy change; if Facebook gets suspicious about you using a fake name or various other scenarios, they'll lock your account until you provide a scan of a passport or state ID.

You are assuming that a person who is cautious about privacy, uses facebook. Unlikely. However, I have been in that alley. I renamed my facebook account yearly, until it got blocked indeed. But then again, there are some great ID .psd templates out there:P solved it immediately.
I cite Facebook as a specific example I'm aware of. There's no reason Amazon or Apple (which the parent poster indicates they use) couldn't request similar docs with the threat of an account revocation.
And how and why exactly would rsync care about that?

Amazon account gets blocked? He gets a new one. If they block him because they check the PO box against blocked accounts, he gets a new PO box too. Sure it's a hassle because he probably uses it for other stuff too. But nothing really preventing him from doing the fake name+PO box thing for a small likelihood of this ever happening and he'd probably gladly just get a new on if it ever did and there was no other way to convince them.

Same with Apple. Apple id gets blocked? Get a new one. I somehow doubt he's bought (err, sorry, rented) thousands of dollars worth of digital content on either platform that would discourage this. Streaming is fine as you can stream the same stuff again on the new account.

Merchants can and do check names but it’s not mandatory for a charge. Credit card number and expiration dates are the only required info.
> So, for instance, Amazon has a made-up name and our PO BOX and our "junk" number from Twilio.

If you're worried about the government prying, using a fake name on a PO box is a great way to rouse suspicion and investigations into whether or not you're doing something nefarious with the post.

> If it's not a government agency, it doesn't get any real info.

I don't think rsync is worried about government prying.

We don't use a fake name on the PO BOX. It is the vendor (like Amazon) that gets a fake name (and our po box).

The post office (quasi-government agency) knows who we are.

All the big tech companies almost certainly have your real name on file. Im assuming its very easy to buy large datasets matching real name,cc and email.

The only really private way to use these services would be using something like burnermail.io and crypto.

I can understand this sentiment. I certainly do it for some things (like reddit accounts, or things to do with say....gaming online, steam etc).

For most things though I dont mind too much about things that are already public anyhow. Like name, address etc.

That said for services that extend beyond that, If i feel the need to go that far i just dont participate. Like facebook for example.

I do carry a google voice number. That is the only thing a company, service or basically anything that gets typed into a computer gets. It has signifigantly cut down on spam calls to my actual cell phone, which friends and family do have.

The biggest security vulnerability is the human element. Proper education on phishing and the dissemination of personal information trumps all else, IMO.
I'm the annoying uncle at christmas telling everyone to use Bitwarden.
Entire family is Apple devices, and I actually set up MDM to manage them (ManageEngine's free tier lets you manage 25 devices). WiFi settings, enforced updates, FileVault encryption, etc all managed via MDM policies. Using Cloudflare Gateway (free) for DNS. Sophos XG Home firewall for router/VPN/etc.

I also put a basic 2-bay Synology NAS in the basement, and everyone's laptops are set to back up via Time Machine automatically.

if only we'd expand the scope beyond the nuclear family, we'd be a much better society
Got 1Password family plan 2 or 3 years ago. Still waiting for the wife and I to be able to sit down so I can get her set up with it. I use it. My wife says she wants to use it and we remind ourselves to do it whenever there's a cybersecurity horror-story... but then it never happens.

Also, got some yubi-keys which I use for aws and gmail. Still have a raincheck for my wife to try those.

Yes, I told her it's not hard to get started, she could do it herself if she wanted to, but she wants to discuss it at length and spend time on it (I agree with that, but geez, it's hard to do stuff like this). Taxes are a nightmare enough for us.

I knew when I saw the title here that there would be multiple stories of folks who have gone ABOVE AND BEYOND AND THEN SOME, HN-style. Ain't going to happen in my house.