Slashdot Mirror


Security Researcher Says Samsung's Tizen OS Is The Worst Code He's Ever Seen (vice.com)

Samsung has been working on its Tizen operating system for several years now, implementing it into its various televisions and smartwatches. According to a report from Motherboard, the OS isn't receiving a lot of praise in the security department. Israeli researcher Amihai Neiderman has found 40 unknown zero-day vulnerabilities in Tizen, adding that it may be the worst code he's ever seen. From the report: "It may be the worst code I've ever seen," he told Motherboard in advance of a talk about his research that he is scheduled to deliver at Kaspersky Lab's Security Analyst Summit on the island of St. Maarten on Monday. "Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It's like taking an undergraduate and letting him program your software." All of the vulnerabilities would allow hackers to take control of a Samsung device from afar, in what's called remote-code execution. But one security hole Neiderman uncovered was particularly critical. It involves Samsung's TizenStore app -- Samsung's version of Google Play Store -- which delivers apps and software updates to Tizen devices. Neiderman says a flaw in its design allowed him to hijack the software to deliver malicious code to his Samsung TV. Because the TizenStore software operates with the highest privileges you can get on a device, it's the Holy Grail for a hacker who can abuse it. Although TizenStore does use authentication to make sure only authorized Samsung software gets installed on a device, Neiderman found a heap-overflow vulnerability that gave him control before that authentication function kicked in. Although researchers have uncovered problems with other Samsung devices in the past, Tizen has escaped extensive scrutiny from the security community, probably because it's not widely used on phones yet.

109 comments

  1. Found the LUDDITE! by Anonymous Coward · · Score: 1, Funny

    This just means Tizen is the appiest apperating app! Only LUDDITES would hate app-day apps!

    Apps!

    1. Re:Found the LUDDITE! by Anonymous Coward · · Score: 0

      Oh, stop tizen...

    2. Re: Found the LUDDITE! by Anonymous Coward · · Score: 0

      Proudly made in Asia :)

  2. Asian corporate culture... by Type44Q · · Score: 2

    Asian corporate culture seems to get in the way of cranking out good code; I wonder if that's because their management fails to realize that programming is as much an art as a science...

    1. Re:Asian corporate culture... by Zaelath · · Score: 5, Insightful

      It's an engineering problem.

      Engineering proof of correctness: Does it work when I try to use it as designed?
      Security proof of correctness: Does it fail open when I try to use it not as designed?

      I've seen the same thing with firewalls; does it (the thing you're trying to access) work now? Ok the rules must be right then: "Allow any any" usually does it.

    2. Re:Asian corporate culture... by GumphMaster · · Score: 2

      I suspect that hitting a price point and a market date, something not unique to Asian manufacturers, does far more damage than any regional corporate culture. Money spent on the Tizen OS, beyond something that works well enough to sell, makes Samsung no more money and gets funded accordingly (up-front and afterward to fix the mess).

      --
      Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
    3. Re: Asian corporate culture... by Type44Q · · Score: 2

      That would certainly explain the "quality" of Microsoft products.

    4. Re:Asian corporate culture... by Anonymous Coward · · Score: 1

      This has nothing to do with Asian, but with EVERY corporate culture. Microsoft and Apple had the same problem; they just had to get their shit together after many, many years of criticism and outrage from their customers...
      Also, stupid statements like "worst code he's ever seen" only make me know that such an "expert" has not seen much code actually.
      More than half of the OS projects on GitHub are a stinking pile of shit. If they let me see that Tizen code, I can show at least 100 projects with demonstrably consistently worse code.

    5. Re:Asian corporate culture... by Anonymous Coward · · Score: 0

      Pay just enough to get the crap out the door. If it sells, pump some of the revenue back into fixing bugs. If it doesn't, you didn't waste the effort fixing the bugs only to not sell enough to justify it. Win win.

    6. Re:Asian corporate culture... by Anonymous Coward · · Score: 0

      Holy fuck. There's an article about terrible security in an IT product, and your only comment is to connect this to "Asian corporate culture"? Seriously? Have you used the horrendous crap produced by programmers in the US, India, etc.?

    7. Re: Asian corporate culture... by rtb61 · · Score: 1

      To be fair, the Samsung OS comes, sort of, free with the device; all they can see is Android. M$, well, it comes out crap on purpose so they can sell it again and again, only this time more secure and more stable and more reliable versus the prior product's original release; the new wrinkle is of course far more privacy invasive, and they are now selling you. The next big thing will of course be the Google vs Apple vs M$ VPN wars (M$ is kind of screwed right from the outset, impossible for them to sell privacy now, who would be gullible enough to believe it; they now sit alongside the slime of the US Senate and Congress and its corrupt, sick, incumbent privacy-invasive telecoms; it is going to get real ugly now). Imagine M$ securing PCs from the invasiveness of ISPs because scarcity is profit in capitalism, so your private data is more profitable if M$ blocks access to it, hence the VPN wars.

      Of course once competent companies become incompetent when blinded by greed, imagine super hackable products and potentially exploding batteries, what a combination.

      --
      Chaos - everything, everywhere, everywhen
    8. Re:Asian corporate culture... by gravewax · · Score: 1

      Corporate culture? Bullshit, it is poor engineering/training practices. Too many developers think they understand security because they are "good" developers; the reality is, unless you are specifically trained in secure development practices, then chances are you suck at secure coding.

    9. Re: Asian corporate culture... by Anonymous Coward · · Score: 0

      Probably bad on purpose. Their government has to watch everything you do.

    10. Re:Asian corporate culture... by gweihir · · Score: 2

      Actually, this is "bad engineering", because good engineering also looks at how it behaves under non-standard conditions, and then you get security as a characteristic that can be tested and verified. I see the same thing when doing security evaluations and IT security engineering. People stop thinking when "it works" (not that many developers think a lot in the first place). A consequence is that you find, for example, all the "Web Application Worst Practices" in (custom) enterprise software. Add to that that management often stops funding when "it works" and hence cleanup is not performed at all, and you have a disaster in the making. Not that security is the only thing where this is going on. Performance, reliability, recovery from problems, documentation, maintenance, etc. are all done pretty badly and often with minimal or no understanding of what is important and what is not.

      A lot of that is due to "follow the ritual" (without understanding) mind-sets, where rituals are things like programming languages and paradigms, OSes, frameworks, interface technologies, etc. In the end, to an actual engineer, concrete technologies matter little (basically they can stand in your way more or less, and that may make them harder to use or even prevent reaching some goals, but that is it); what you do with them is all-important. Most developers these days seem to think that it is the opposite, i.e. just pray at the altar of the right tech and the result will be good. That is of course very far from the truth, and an approach that is founded in belief, not observation of reality. It is religious in nature, not scientific. Until that changes fundamentally, the practice of creating software cannot be considered an engineering discipline, although some people manage to use it as one even today. These people tend to not put up with bad working conditions, low salaries and incompetent bosses though.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    11. Re:Asian corporate culture... by Anonymous Coward · · Score: 0

      WTF is Asian corporate culture? Sure, there are similarities between Korean and Japanese companies, but there are also huge differences. And that is not even getting into the rest of Asia, which is even more markedly different, even on South Korea's doorstep let alone further out in India and Indonesia.

    12. Re:Asian corporate culture... by gweihir · · Score: 1

      Also, stupid statements like "worst code he's ever seen" only make me know that such an "expert" has not seen much code actually.
      More than half of the OS projects on GitHub are a stinking pile of shit. If they let me see that Tizen code, I can show at least 100 projects with demonstrably consistently worse code.

      While I sort-of agree to that, keep in mind that a security expert that understands security _and_ can code and read code with a reasonable level of expertise is already part of a small elite of the field. Yes, it is that bad.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    13. Re:Asian corporate culture... by TwistyLittlePassages · · Score: 1

      Asian? Does this apply to the corporate culture overseeing code writing in the Bangalore office, the one in Noida, or the one in Delhi? http://www.samsung.com/in/abou...

    14. Re: Asian corporate culture... by Anonymous Coward · · Score: 0

      Yeah, damn that Asian *cough*elonmuskgooglefacebookchatbotSjeffbezosmissiontomarsAIinternetofthingsetc*cough* hyperbole.

      We INVENTED not ready for prime time. They ripped us off *again*. :P

    15. Re:Asian corporate culture... by Zaelath · · Score: 1

      Yeah, I was a little unkind...

    16. Re: Asian corporate culture... by Anonymous Coward · · Score: 0

      India is in Asia, genius.

    17. Re:Asian corporate culture... by nnull · · Score: 1

      Partially. From someone that buys equipment, I can tell you Asian manufacturers have little to no written manuals, procedures, maintenance programs, a real lack of any real control diagrams, and are just plain hard to communicate with because they really don't care about you once you buy their equipment. I constantly have their sales guys visit my place and attempt to convince me how much cheaper it will be if I buy their stuff. They sell to clients that are too dumb to realize their machine actually costs them more in the long run (enjoy giving that Asian guy a free vacation every time your machine breaks down) versus buying equipment from a reputable manufacturer who actually has all of the above I've written and more, driving your operating costs down dramatically. Most Asian equipment ends up having you invent all of the above yourself.

      So the whole Samsung Tizen code being full of security blunders and horrible SDK that is practically useless is no surprise to me.

    18. Re:Asian corporate culture... by Anonymous Coward · · Score: 0

      Ikr? Overbroad generalizations are a problem of western culture. *ducks*

    19. Re:Asian corporate culture... by Anonymous Coward · · Score: 0

      Bullshit. You're just scared shitless of Asia's tech growth.

    20. Re: Asian corporate culture... by Anonymous Coward · · Score: 0

      He is compared to you. He understands that we are not talking about geography, while you do not. It takes a very special kind of special to be reading about corporate culture and think this is a geography discussion. "Asian corporate culture" means Korea, China, Japan. This is well understood by adults who have a job.

      Asia in this case does not mean all of Asia, just like "European" corporate culture does not include Bulgaria/Poland/ShitholeX+1. India is not included on that list. "Indian corporate culture" is its own thing, and is quite different, just like thieving tits-out club-dressed-at-the-office Romania is different than take-4-months-a-year-off-and-close-the-bank-for-lunch lazy France. Thailand is not included, nor is Indonesia. You seem to not know this basic thing, although you do seem to know what the basic continents are.

      We adults have well-defined terms used and understood. You don't agree with how they are defined? The world doesn't give a fuck about your opinion. I am going to guess you have successfully passed the 4th grade, but have not yet had a real job, so your knowledge and vernacular are lacking. This is not the site for you, small one. The site you want is reddit, where you will battle wits with other unarmed twits. Here - it's not for you. We do welcome you to stay though, because the things you write are quite entertaining for us, and every crowd likes to have someone at whom they laugh.

      Now go ahead, please tell me Canadians are Americans and be detailed in your reasoning. I was just kidding before - we care about your opinion and will redefine language according to your smart thoughts.

    21. Re: Asian corporate culture... by coteriescavenger · · Score: 0

      I can tell by your writing that you're a natural coder. And, I can tell by your last sentence that that gets in the way when you're dealing with people.

    22. Re:Asian corporate culture... by Anonymous Coward · · Score: 0

      Yes? Those are places in Asia.

    23. Re:Asian corporate culture... by gweihir · · Score: 1

      Given that what you described is often accurate, no problem.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    24. Re: Asian corporate culture... by gweihir · · Score: 1

      I can tell by your writing that you're a natural coder. And, I can tell by your last sentence that that gets in the way when you're dealing with people.

      Actually, it does not. The trick is to be an expensive consultant, and suddenly people listen to you and make sure you can work. Of course, in order to be that type of consultant, you must have pretty good people skills as well. I do know people for which your analysis is completely accurate though.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    25. Re:Asian corporate culture... by Anonymous Coward · · Score: 0

      Speaking of culture causing trouble, the Motherboard site refuses to load without JS and cookies.

      Forget that. Say no to stalking. These people are a threat. Cavity searches for all of them. Labor costs are high, get your dog to help.

    26. Re:Asian corporate culture... by thegarbz · · Score: 1

      Asian corporate culture seems to get in the way of cranking-out good code

      It does nothing of the sort. There's plenty of good code from various Asian countries (most of which have very varied corporate cultures, by the way).

      Just nothing good from Samsung. But then I'm not surprised either. Samsung seem to be fantastic at bogging down their hardware with their code. Their TVs are the only ones with quad core processors and still the longest to actually start when you turn them on. The majority of exploits seem to come on them. And I won't ever forget their attempts at coding their own file system (RFS) for the Samsung Galaxy S which was so slow that the Android OS would routinely offer to force close locked up apps while they were doing I/O functions.

      Samsung just need to fire their entire software department, starting with the top. The rest of the company and indeed the entire country does just fine.

    27. Re: Asian corporate culture... by Anonymous Coward · · Score: 1

      I wrote the code that lets you see AC's real names, Darren.

    28. Re:Asian corporate culture... by Anonymous Coward · · Score: 0

      https://web.archive.org/web/20...

      I remember reading that log a few years ago. It covers quite a few Tizen issues and is surprisingly relevant today.

      Tizen isn't Meego 2.0 (completely different codebase and devs). It isn't better than Android (look/act like Android is all important). Despite the Linux Foundation trappings, it is 100% controlled by Samsung. It screws over devs with its SDK license.

      I don't develop for Tizen. With the way things are, I don't see that changing any time soon.

    29. Re:Asian corporate culture... by TwistyLittlePassages · · Score: 1

      My implication was that Korean corporate culture (which the OP also implied, but could have phrased better) likely had little influence on the quality of the code in Tizen OS because it was mainly written by Indians living in India. Regardless of what your coveted 2nd grade geography textbook says about them being all in the same category, Asian culture != South Korean culture != Indian culture. Thanks for the "ha-ha you spelled something wrong I win!" type post. It's been enriching to read for all of us.

  3. One question answered by 93+Escort+Wagon · · Score: 1

    We now know where Samsung falls on the H-1B question.

    --
    #DeleteChrome
  4. News, Not-news by EndlessNameless · · Score: 1

    A major multinational corporation is pushing cut-rate garbage?

    Maybe if the outcry is loud enough, Samsung will either fix it or abandon it.

    They built the crap in the first place, so it's clear they won't bother without some outside pressure.

    --
    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    1. Re:News, Not-news by slashrio · · Score: 1

      It's a corporation successfully trying to kill off the Linux component in phones.

      --
      "Trump!!", the new Godwin.
    2. Re:News, Not-news by stealth_finger · · Score: 1

      It's a corporation successfully trying to kill off the Linux component in phones.

      With software in TVs?

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    3. Re:News, Not-news by slashrio · · Score: 1

      Ok, everywhere. :)

      --
      "Trump!!", the new Godwin.
  5. what about overheating the battery by Anonymous Coward · · Score: 0

    Oh wait there's an 8 point check for that...probably same check for the software. Print out code, drop printout on ground, soak with water, dry printout, sit on paper, flip paper in air, hit paper with hand, transcribe paper back to code...yep still works...we're good...ship it.

  6. Unknown zero-day vulnerabilities by nuckfuts · · Score: 1

    As opposed to known zero-day vulnerabilities?

    1. Re: Unknown zero-day vulnerabilities by Anonymous Coward · · Score: 1

      You joke, but it's true. I can guarantee someone on that team knew this code had a vulnerability and was ignored.

    2. Re: Unknown zero-day vulnerabilities by TheRaven64 · · Score: 1

      I didn't RTFA, but is Tizen still using Enlightenment? There's a great Daily WTF about that code which, unfortunately, doesn't scratch the surface of what it does dangerously wrong. If it does, I'd be very surprised at only 40 zero-days.

      --
      I am TheRaven on Soylent News
    3. Re: Unknown zero-day vulnerabilities by Anonymous Coward · · Score: 0

      The Daily WTF is full of the kind of people who think they're genius master programmers because they know both Java and C#. I wouldn't trust their opinion as far as I could throw it (if it was written on a stone tablet).

    4. Re: Unknown zero-day vulnerabilities by Anonymous Coward · · Score: 0

      Which is pretty much entirely true in this case.

  7. Not surprised by gman003 · · Score: 5, Interesting

    I was once asked by my boss to tinker with Tizen, see if it was usable, since a client was soliciting bids for an app they wanted to run on Samsung's smartwatch.

    After a few days' experimentation, I reported that the Tizen SDK was basically unusable to write any app except the ones Samsung already wrote, and that the specific app the client was hoping for was literally impossible. The SDK itself was one of the worst programs I've used in many years - horrendously slow, crash-prone and cluttered in the way typical of early-00s Windows apps.

    Needless to say, I am not surprised on multiple levels. First, that Tizen is insecure in addition to being slow and useless. Second, that nobody's taken a serious look at its security, since most people stop looking at it far before security starts to matter.

    1. Re:Not surprised by drinkypoo · · Score: 1

      After a few days' experimentation, I reported that the Tizen SDK was basically unusable to write any app except the ones Samsung already wrote,

      Moblin (which Intel put as much effort into ripping out all the non-intel support from as doing anything else) begat Meego (which was never usable) which begat Tizen. It would be shocking if it weren't a complete clusterfuck.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  8. Not widely used on phones "yet" by davidwr · · Score: 1

    Tizen has escaped extensive scrutiny from the security community, probably because it's not widely used on phones yet.

    "Yet" - and now "never will be" - we hope.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re: Not widely used on phones "yet" by Anonymous Coward · · Score: 0

      I doubt that. I fully expect Samsung to completely ditch Android/Google within a few years.

  9. Embedded computing and security by Opportunist · · Score: 5, Interesting

    Funny coincidence, I work in embedded in my spare time and am a security researcher by trade, so I think I can say with some confidence that they don't mix well. For many reasons.

    First of all, there is no history of security in embedded. Because until very recently, there was absolutely no reason or need to even consider security an issue. You were dealing with closed, if not hermetically sealed, systems. They could, more often than not, not even receive updates, let alone communicate with other embedded devices. Even "sophisticated" devices like TVs, not even talking about the "dumb" ones like washing machines or dishwashers. It's been only about a decade that TVs have had a connection that's bidirectional. And "real" internet on TVs only arrived a generation of TVs ago.

    And for all the other embedded gadgets, that whole "connectivity" thing is still very much bleeding edge.

    And all that in devices for which until very recently, again, every byte mattered. Computer programmers are used to Mega- and Gigabytes of ram at their disposal, with embedded, you're in some areas still talking KB. Especially when it comes to low-cost devices where you can't just stuff in more ram and faster ICs because they'd simply cost too much. Yes, a part costing maybe a buck or two is "too expensive" here.

    Put that together and add exactly ZERO experience with security among embedded developers (for all the reasons above) and you most likely understand why this is a HUGE problem that will bite us in the rear. Actually, it's already biting.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Embedded computing and security by Anonymous Coward · · Score: 0

      Excellent point. Also, the fact that embedded designs are [or were] built for very specific applications, like controlling a microwave oven. I.e.: not speaking to your fridge over IP.

      In the entire history of computing, security has largely been an afterthought. Getting something to function is a big enough challenge without the added difficulty of "security from the ground up". Time to market wins every time, and the past is riddled with examples of inferior designs claiming the victory by saturating the space early.

    2. Re:Embedded computing and security by Snotnose · · Score: 3, Interesting

      Funny coincidence, I work in embedded in my spare time and am a security researcher by trade, so I think I can say with some confidence that they don't mix well. For many reasons.

      I beg to differ. I've been an embedded software engineer since the early 80s. In 2000 I got a contract from the guy who owned the George Foreman Grill. He wanted an appliance that would mount to the underside of kitchen cabinets, have internet, CD/DVD playback, HiFi quality sound, and connect to a recipe database via 802.11. One of the first things we worried about was security. 802.11 was new back then, nobody really knew how it would work out. The screen would fold down so the user could watch the videos.
      Security came up in every meeting. We knew about it, understood the risks, and didn't know what the hell to do but knew we needed to try.

      Project crashed and burned because he wanted to sell it for $999.95, and we couldn't get the BOM under $1k.

      Every project I've worked on since has had security as a high priority. Lessee, what have I done since then? Um, cellphone base station, cellphone games, electronic ticketing system (take a ticket, now serving #32, you have #38), automated IC testing, muxing MPEG2 streams from multiple satellites into a custom stream, cellphones. Every one of these security has been a top issue.

    3. Re: Embedded computing and security by Anonymous Coward · · Score: 0

      User name checks out.

    4. Re: Embedded computing and security by Anonymous Coward · · Score: 0

      gee thanks for that Batman.

    5. Re: Embedded computing and security by Anonymous Coward · · Score: 0

      Was that the Icebox? I had one...

    6. Re:Embedded computing and security by thegarbz · · Score: 1

      First of all, there is no history of security in embedded. Because until very recently, there was absolutely no reason or need to even consider security an issue.

      Please don't lump everything "embedded" under one big banner. We've been hooking "embedded" systems to the internet for the best part of 20+ years now. There's always been a requirement to consider security.

    7. Re:Embedded computing and security by Anonymous Coward · · Score: 0

      It's pretty obvious to all of us that, assuming what you say is true, your firm is the exception. Dumb devices never cared. Smart devices have a horrific security record. Until very recently, it's been nearly guaranteed that every smart device has glaring security problems, and they're almost all for devices where security is very important.

    8. Re:Embedded computing and security by lexman098 · · Score: 1

      Security was a top issue in the electronic ticketing system? Did they think someone was going to research and exploit some 0-day just to cut in line?

    9. Re:Embedded computing and security by Anonymous Coward · · Score: 0

      I love hearing personal stories & involvements, especially stories about 'back then'.
      Reminds me that yeah, somebody real has touched the concepts that, today, are praised or scolded in the news.
      Thanks!

    10. Re:Embedded computing and security by phorm · · Score: 1

      I've always been of the mind that low-resource situations are often *better* for security. If you have a very tight, resource-conservative ecosphere, then there's no reason it can't also be a very tight security-conscious ecosphere. When you start throwing massive pools of memory etc resources, then a lot of people just assume that they'll never hit on limits, so you end up with situations where - instead of doing things to allocate and check sane amounts of memory - you just end up with high limits "hey, let's make a two gigabyte array/string/etc, because nobody will ever use that much" (until they do, or somebody writes a hack depending on the overflow of the array, etc).

    11. Re:Embedded computing and security by Opportunist · · Score: 1

      That's less a problem than cutting corners when it comes to sanity checks due to timing or program memory constraints.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re:Embedded computing and security by phorm · · Score: 1

      True enough, but one would hope that on any "official" modules or APIs this stuff isn't done or gets cleaned out.

  10. known unknowns by Anonymous Coward · · Score: 0

  11. Enlightenment WM author ? by Hall · · Score: 3, Interesting

    Going way back to this site's "nerd" days, people should be familiar with the window-manager-then-a-desktop-environment-under-development-for-a-decade-and-a-half called Enlightenment. Its main developer - Rasterman - worked at Samsung and had a lot to do with this OS. I don't know if he's still involved or not, but I haven't heard anything about this OS since he mentioned it years ago.

    1. Re:Enlightenment WM author ? by Narcocide · · Score: 1

      He still works there but AFAIK he is just responsible for features/performance of the UI toolkit stuff. I don't think OS-level security is really in his jurisdiction.

    2. Re:Enlightenment WM author ? by Anonymous Coward · · Score: 0

      Going way back to this site's "nerd" days, people should be familiar with the window-manager-then-a-desktop-environment-under-development-for-a-decade-and-a-half called Enlightenment. Its main developer - Rasterman - worked at Samsung and had a lot to do with this OS. I don't know if he's still involved or not, but I haven't heard anything about this OS since he mentioned it years ago.

      That explains a lot about Enlightenment.

  12. Really, The worst? by BarbaraHudson · · Score: 0

    "Tizen OS is the worst code I've ever seen"

    "Challenge accepted!" - Microsoft, Mozilla, tons of app store (cr)apps, several bloated antivirus companies ...

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    1. Re: Really, The worst? by Anonymous Coward · · Score: 0

      Fact is, it takes at least a big team of researchers months to find 40 zero days in Firefox or Windows 10. It took only one to find them in Tizen OS.

    2. Re:Really, The worst? by Anonymous Coward · · Score: 1

      Yeah... no, you are just mod point whoring. Microsoft and Mozilla have security bugs, but they actually have good coding practices and both educate developers on secure coding practices. If anything they are some of the better examples of secure coding practices; it doesn't make them perfect, but they certainly would not be listed as some of the worst. Bloat also doesn't indicate bad security code.

    3. Re: Really, The worst? by BarbaraHudson · · Score: 1

      Fact is, we're not just talking about zero-day exploits. Try to stay at least a bit on topic.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    4. Re:Really, The worst? by BarbaraHudson · · Score: 1

      I'm stuck at the karma cap - I don't do mod point whoring. The fact is, when code is so slow and bloated, and keeps grabbing more and more ram, and becomes less and less responsive, you don't have to be a security researcher to know the code behind it is shit compared to competitors. You don't have to be a researcher at all to know the code is shit.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    5. Re:Really, The worst? by Carewolf · · Score: 1

      "Tizen OS is the worst code I've ever seen"

      "Challenge accepted!" - Microsoft, Mozilla, tons of app store (cr)apps, several bloated antivirus companies ...

      Anything that isn't Open Source would rise to the challenge. When you work as a consultant and see real world production code, you can't sleep well at night.

  13. malicious code to his Samsung TV.... by Anonymous Coward · · Score: 0

    dunno why but that made me lol ;)

  14. Similar experience by Ecuador · · Score: 4, Informative

    Similar experience, I thought maybe I'd look up at Tizen apps "for fun" and after about a day or so I was certain it was not going to be any sort of fun! Well, unless S&M is your thing... And here is an educational article about the EFL libraries you get to use when designing native Tizen apps.

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
    1. Re:Similar experience by TheRaven64 · · Score: 4, Informative
      Actually, the Daily WTF article is not particularly educational when it comes to EFL. It covers the obvious surface detail of what the developers do dangerously wrong. There are far worse things under the surface.

      I had a chat with some of the Enlightenment devs at FOSDEM a few years ago. They were very proud of their new object system and IDL, which they thought would make it easy to bridge higher-level languages with their libraries. Unfortunately, their IDL exposed C types and nothing but C types as arguments. Their example had a char* parameter and a char* return. I asked them a few questions:

      How do I know if it's an input or output (or both) parameter?

      Is its length another argument (and, if so, in what units) or is it NULL-terminated?

      Is there ownership transfer involved (i.e. is the caller still responsible for freeing the argument or does the callee take that responsibility? Is the caller responsible for freeing the return value and if so must they call free() or some other cleanup function)?

      Is this an array of bytes or a string (i.e. should I map it to a string or data object in another language)? If it's a string, what encoding does it expect, and is that a global property or specified explicitly?

      Apparently none of these questions had occurred to them and they didn't even understand why you'd want to know the answers to about half of them. The worst thing for me is that not only are these all important for bridging with higher-level languages, you need to know most of this information to be able to correctly use a C API, and they weren't putting it in the documentation and didn't even have consistent conventions (and therefore only need to document the exceptions). That was when I learned to avoid EFL like the plague. It may have improved since then, but I doubt it - good developers only reinvent the wheel after they've looked at existing ones and understood their flaws. The EFL developers are vaguely aware of square wheels and decided to try triangular ones as a replacement.

      --
      I am TheRaven on Soylent News
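An added example, not EFL code and not from the post above: a hypothetical C function `demo_escape_bytes` whose contract answers the four questions explicitly (direction, length, ownership, encoding) instead of leaving them to a bare `char*`. The function, its `demo_str_free` companion and `demo_escape_cstr` are constructed for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical API (constructed for this example, not EFL's). Its contract
 * answers the four questions explicitly instead of leaving them to a bare char*:
 *   direction: `in` is input only (const); the result is a new output buffer
 *   length:    `in` is `in_len` BYTES, not NUL-terminated; the result IS NUL-terminated
 *   ownership: caller keeps `in`; caller owns the result and frees it with demo_str_free()
 *   encoding:  `in` is raw bytes; the result is printable 7-bit ASCII
 * Returns NULL if the output size would overflow or allocation fails. */
char *demo_escape_bytes(const uint8_t *in, size_t in_len)
{
    if (in == NULL && in_len != 0)
        return NULL;
    /* Worst case every byte becomes "\xNN" (4 chars), plus the terminator. */
    if (in_len > (SIZE_MAX - 1) / 4)
        return NULL;                      /* refuse rather than wrap the size */
    char *out = malloc(in_len * 4 + 1);
    if (out == NULL)
        return NULL;

    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        uint8_t b = in[i];
        if (b >= 0x20 && b <= 0x7E && b != '\\') {
            out[o++] = (char)b;           /* printable ASCII passes through */
        } else {
            out[o++] = '\\';              /* NUL, control and non-ASCII bytes become \xNN */
            out[o++] = 'x';
            out[o++] = hex[b >> 4];
            out[o++] = hex[b & 0x0F];
        }
    }
    out[o] = '\0';
    return out;
}

/* The only correct way to release a demo_escape_bytes() result. Kept as a
 * function so the allocator stays an implementation detail of this API. */
void demo_str_free(char *s)
{
    free(s);
}

/* Convenience for callers that really do hold a NUL-terminated C string:
 * the length is measured here, once, rather than guessed by the callee. */
char *demo_escape_cstr(const char *s)
{
    return demo_escape_bytes((const uint8_t *)s, strlen(s));
}
```

Note that the embedded-NUL case only works because the length is a separate argument; a `char*`-only signature would have had to guess.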
    2. Re:Similar experience by Anonymous Coward · · Score: 0

      It's really time some of this stuff is simply put out to pasture. Enlightenment is a solution looking for a problem these days. When the original window manager project got started 20 years ago it was 1997. Desktop PCs had between 64 megs of RAM and a sub-200MHz clock. That was a big expensive system too. Most people were running a lot less. At the same time a lot of software was starting to get heavy. In the Windows world everything had gone 32-bit protected memory, virtual device drivers, and systems were being bogged down with OEM crapware, in ways that were never possible on the DOS/Win3.x stack.

      UNIX was still run on big machines most of us never got to play much with. In Linux land people were starting to want to run X all the time, instead of only when needed. X was always heavy compared to the Windows 3.x / MacOS alternatives. I am not suggesting X isn't a superior architecture to Windows 3.x or OS7 etc., one that could do more and was more stable, but it did need more computer. In terms of X GUIs / window managers at the time they were proprietary (CDE), bare bones (TWM), or hogs (GnuStep / early Gnome). E was an attempt to deliver all the glitz and glamor of GnuStep and Gnome without the cost. It was reactionary! It was not forward looking in terms of realizing computer power was about to explode, and the cost of a little more controlled and managed stack would soon pay dividends in stability, flexibility, and ease of development as a target. The place for a thin set of C primitives in terms of desktop user interfaces was about to rapidly shrink.

      They have essentially made the same mistaken assumptions about embedded. A RPi today is more powerful than that 1997 era PC and most cell phones are more powerful than that. The embedded world can afford to run GTK or QT. Heck, it can afford to run an entire UI written in fully managed Java! EFL is a dead end.

    3. Re:Similar experience by Anonymous Coward · · Score: 0

      I don't know but maybe you should check as it seems they have notations like own() to indicate that ownership was transferred and explicitly define strings as string.

  15. Tizen OS remote-code execution by najajomo · · Score: 1

    No one could be that incompetent, I figure such vulnerabilities are baked-in from the outset under the direction of the state security apparatus.

  16. "smart" devices, not so smart.. by Anonymous Coward · · Score: 0

    we already knew that. the manufacturers know that too, but the masses that buy them, don't. they will just keep pumping out the future zombies because people keep buying them. profit today with the hope that the (too-short) warranties expire before the code gets blown to bits.

  17. Depends upon your definition of "widely used" by Anonymous Coward · · Score: 0

    Re: "Tizen has escaped extensive scrutiny from the security community, probably because it's not widely used on phones yet."

    Because of the customer cost point for a Tizen phone, it is incredibly popular in India/SE Asia/Asia. Please define "not widely used".
    Having done some development for Tizen phones: SMACK is annoying to developers; I have not looked at it from a security perspective to see if it is effective.
    Recall that Samsung is a HARDWARE DEVICE vendor. Their focus is on selling huge volumes of low-cost widgets. Ranging from Washer/Dryer machine, to Galaxy phones, etc. Software security is not a relative priority for them.

  18. Tizen is summed up nicely by this TheDailyWTF post by fistacorpse · · Score: 5, Interesting
  19. Re:Tizen is summed up nicely by this TheDailyWTF p by Noble713 · · Score: 1

    Mod parent up. I too had a short-lived interest in Tizen development....until I read the above article. Not to mention that the SDK was unstable, with limited instructions, and didn't work well on a RPi either.

  20. Re:Tizen is summed up nicely by this TheDailyWTF p by gweihir · · Score: 1

    Well, looks like a lot of wheels have been reinvented really badly here. The sign of utterly incompetent engineering and utterly incompetent management that does not know how to identify and hire good engineers and then let them work.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  21. Lawsuit in 3.. 2... 1... by LVSlushdat · · Score: 1

    Watch Samsung sue said researcher.. Gotta keep those liars err lawyers busy ya know...

    --
    THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
  22. ha ha by Anonymous Coward · · Score: 0

    And of course we are all going to take the word of an Israeli working for a Russian "security" company..

  23. Re:Tizen is summed up nicely by this TheDailyWTF p by Anonymous Coward · · Score: 0

    Well no wonder the number of third party apps has been so lackluster on Tizen. Looks like I bought the wrong watch...

  24. This story seems suspicious by Anonymous Coward · · Score: 0

    A single unknown security researcher uncovers 40 critical security holes... it's not remotely possible, and seems more like an attempt at throwing dirt at Samsung and making their products seem unreliable and dangerous to use. Is his work being paid by Big Electronics in the west, perhaps?

    1. Re:This story seems suspicious by Megane · · Score: 2

      This is Tizen, see above discussion about the TDWTF thread. The amazing part is that he found 40 of them without going insane. It may be fish in a barrel, but it's fish in a barrel made out of wood spat from the very mouth(s) of Cthulhu. That's how bad Tizen is.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  25. Re: Tizen is summed up nicely by this TheDailyWTF by Anonymous Coward · · Score: 0

    That describes Samsung to a tee, when I worked with them. Apparently "innovate" got translated to "cut corners, pirate software, and copy the superficiality of others' good ideas" when translated into Korean.

  26. crying to the bank by harvey+the+nerd · · Score: 1

    One can only wonder if there are large revenues in selling separate, compiled accesses to China, USA, Russia and Israel, among others.

  27. Re: Tizen is summed up nicely by this TheDailyWTF by gweihir · · Score: 1

    Urgh. My condolences and congratulations for getting out.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  28. Re:Tizen is summed up nicely by this TheDailyWTF p by Anonymous Coward · · Score: 0

    TBH, only like three devices come with Tizen. Two phones released in India, and a few smartwatches.

    Samsung isn't exactly pushing it. How do you expect developers to follow?

  29. Re:Tizen is summed up nicely by this TheDailyWTF p by Megane · · Score: 1
    I wanted to emphasize this. This is not new to regular visitors to TDWTF. Enlightenment, which Tizen is based on, is horrible. Fundamentally horrible, as in at the very core of its API, its basic object type is a typedef to void*. So everything you call expects to be passed void pointer references to objects. Which of course will accept any kind of pointer, no matter where it came from.

    The Ravenous Bugblatter Beast of Tizen is a mind-bogglingly stupid codebase. It has almost no capacity for Enlightenment and is therefore surprised by virtually everything that happens to it. Here is an example of how stupid it is: it thinks that if you can't see its pointer types, it can't see you.

    Its behaviour would be quite endearing if it wasn't spoilt by this one thing: it is the most violently crappy codebase in the Galaxy. A void*, a void*, a void*.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  30. Uncalled for by Anonymous Coward · · Score: 0

    It's like taking an undergraduate and letting him program your software

    What he described was an issue of critical thinking, not knowledge, experience, or education. Quality of code design has virtually no correlation with education or experience. One software architect went so far as to say he would rather have someone who uses nothing but anti-patterns and has never programmed before but has strong reasoning skills designing his software than someone who only uses patterns perfectly and is highly experienced.

  31. Rubbish by prefec2 · · Score: 1

    How can he say such rubbish as a scientist? Has he seen all code of everything? What are his metrics? Don't get me wrong. The Tizen code could be one of the worst codebases there is. This is a fair hypothesis, but then you have to provide proof. At least some metrics on implementation errors, complexity, patterns etc.

    1. Re:Rubbish by Hognoxious · · Score: 1

      How can he say such rubbish as a scientist. Has he seen all code of everything?

      Your post is the stupidest I've read today. I'm not claiming to have read them all (though I doubt it would change if I did).

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    2. Re: Rubbish by Zero__Kelvin · · Score: 1

      He found 40 Zero Days, and you actually posted that comment? If I find 40 design flaws in a car engine would you argue that the car could still be awesome because I didn't evaluate the rest of the car?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:Rubbish by prefec2 · · Score: 1

      It is nice that you are giving any details to your conclusion. I thought we do not want to indulge in bullshit based on feelings and rather use evidence to come to conclusions. For a summary (even on /.) it is necessary to give a little more than just a "biggest rubbish ever" claim. If he found flaws he could have provided something like: We found 100 security flaws in the code in 1000 LOC of C code.

    4. Re:Rubbish by Hognoxious · · Score: 1

      he didn't claim "ever". That's my point, you thick cunt.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    5. Re: Rubbish by Hognoxious · · Score: 1

      No, he's claiming that your conclusion is wrong because you didn't evaluate every other car in the world, even if your claim was only based on the ones you've seen.

      Set theory's clearly not his thing.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    6. Re: Rubbish by Zero__Kelvin · · Score: 1

      The design is wrong not the implementation, so looking at 1 *is* looking at all of them.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  32. Well, it's a Samsung product by OneHundredAndTen · · Score: 1

    When it comes to making it explosive, one way or another, you can rely on Samsung.

  33. Re:Tizen is summed up nicely by this TheDailyWTF p by Anonymous Coward · · Score: 0

    its basic object type is a typedef to void*

    Indeed just quote whatever you read on the internet. It has to be true. Did you actually check to see if such crazy claims are correct? In further news I read an article that says your mother is a Walrus and the British eat their first born. I read it on the internet. It has to be true!

    Which of course will accept any kind of pointer, no matter where it came from

    Which would be correct if the first statement were true. But hey. I guess we all know how much you bother to fact check before spouting whatever you feel like - seemingly about as much as Trump does.

  34. Re:Tizen is summed up nicely by this TheDailyWTF p by Carewolf · · Score: 1

    https://what.thedailywtf.com/t...

    Yeah, the first thing I thought when reading the story was:

    "SPANK SPANK SPANK! Naughty programmer!"

    (a Tizen error code)

  35. Is this what made WikiLeaks Vault 7 possible? by Anonymous Coward · · Score: 0

    For some reason the CIA zeroed in on Samsung devices in particular...

  36. Re:Tizen is summed up nicely by this TheDailyWTF p by Grishnakh · · Score: 1

    The sign of utterly incompetent engineering and utterly incompetent management that does not know how to identify and hire good engineers and then let them work.

    Doesn't this describe most tech companies these days? The open-plan office is proof of incompetent management.