Slashdot Mirror


User: Casandro

Casandro's activity in the archive.

Stories: 0
Comments: 680

Comments · 680

  1. I blame the SoC vendors and Google on Fragmentation Leads To Android Insecurities · · Score: 5, Insightful

    If there were a common hardware platform, like on the PC, where every PC is essentially compatible with every other PC, you could easily update your operating system without the manufacturer of the hardware.
    However, SoC vendors don't want that, since it would mean that a device maker could easily switch from one SoC to another one. Plus they still use undocumented proprietary hardware in those SoCs, that's why you have binary device driver blobs which are hard to port.

    The other problem lies within Google. They should have mandated some sort of "BIOS" which would have allowed any operating system to see what kind of hardware there is. This wouldn't have been more than a few hundred bytes in the flash containing the bootloader. That way you could have a generic operating system image, which would read out that ROM and execute routines found in it to use the hardware and then, perhaps at a later stage, use specialized drivers... just like it's done on the PC.

    The sort of fragmentation we currently have in the Android market is simply bad, but a logical consequence of bundling hardware with the operating system. I just hope that one day the Chinese will wake up, and design a common hardware platform allowing the user to boot their own operating system from the SD-card, and even move it from device to device.

  2. The more interesting question is on How Not To Launch a Gadget · · Score: 1

    How can a company be _so_ ignorant of its own abilities.
    I mean the main problem is getting a proper case and interfacing with iOS. The rest is just a wristwatch sized computer with Bluetooth. Give a good engineer some time and they'll find a way to resize the screen. It probably won't be perfect, but hey what do you expect?

    The problem inside those companies is that three problems come together.
    First of all, you have people too stupid to realise that they are wrong.
    Second, the people who know a bit more don't interfere with bad decisions for various reasons.
    Third, people who actually know what they are doing will be worn out struggling against the idiots and simply leave the company.

    Granted, this is an extreme example, but it happens quite often. There are 'idiot companies' out there. They are the ones thinking that OPC is a good idea. They are the ones basing their company on some VBA scripts.

    In lighter cases you get all those little gadgets which require you to have some complex software products to use them, and which will end up on the dump once installing the software is more effort than the device is worth.

  3. Not necessary, but... on Can Proprietary Language Teams Succeed By Going Open Source? · · Score: 1

    If you want to be successful as a language, you need to go open source.

  4. Re:Nonsense, it's 64 bit now on You've Got 25 Years Until UNIX Time Overflows · · Score: 1

    Well, those routers typically don't last longer than 5 years either because of obsolescence or hardware failure.
    And embedded systems which need to care about the time can easily be written in a way so they will work with "negative" times. So with a bit of care there won't be a problem.

  5. Trivial solution on Free Wi-Fi: the Movement To Give Away Your Internet For the Good of Humanity · · Score: 1

    In Germany the problem is far worse as there's a whole industry about suing people.

    The solution is fairly simple. You install a router which connects the wireless network to a VPN. This VPN is connected to all other routers so you have a VPN between all wireless devices.
    This VPN is also connected to a server which routes your traffic to another server in Slovenia, a place with far fewer lawyers. This server also has the "zap-Skript" which temporarily blocks people apparently doing filesharing.

    The routers require no special configuration. They auto-configure via the network. The wireless mesh network, as well as the VPN, are Layer-2 based and are administered via IPv6 link-local addresses. This makes it easy to deploy.

    For management there's a nifty system called "Netmon" which you can see, for example here:
    http://netmon.freifunk-ol.de/routerlist.php
    http://netmon.freifunk-ol.de/map.php

  6. Nonsense, it's 64 bit now on You've Got 25 Years Until UNIX Time Overflows · · Score: 1

    That time_t is 64 bits now on modern machines, only 32 bit machines overflow soon...ish. And even when they overflow, there are simple patches.

  7. Re:Doesn't solve the problem on Scientists Create New Gasoline Substitute Out of Plants · · Score: 2

    Absolutely. Or at least we'd have to move to more sustainable forms of energy gathering like wind or solar.

  8. Doesn't solve the problem on Scientists Create New Gasoline Substitute Out of Plants · · Score: 1

    We just need _so_ much more fuel than plants could produce. Even if we use high efficiency plants like hemp we don't have enough fertile ground to grow enough plants.

    Plants are really inefficient when it comes to turning sunlight into carbohydrates. That's simply just a by-product of their life.

  9. You are forgetting bubble 2.0 on IT Job Market Recovering Faster Now Than After Dot-com Bubble Burst · · Score: 1

    Although the finance sector bubble may have burst (well for many companies it was a very soft kind of bursting) we now have a new Web 2.0 bubble in which companies without a business model (i.e. Instagram) are suddenly worth _lots_ of money.
    So in a few years/months (who knows) this new web 2.0 bubble will burst, and just like we had lots of useless unemployed untalented web designers after that, we'll have lots of useless unemployed app designers then.

  10. Re:Just to contrast this with the rest of the worl on C Beats Java As Number One Language According To TIOBE Index · · Score: 1

    Yes, Java is bad in that regard. That matters less, however, since Oracle officially declared Java to be dead a few years ago. They claimed that "Java will not be the next Cobol", saying that it will not reach a stable version you can just run code on for decades.

    The problem with that sort of bytecode is that it has no advantages over native code. I mean I can understand Javascript which will now typically be compiled to native code at runtime. What you gain from that is platform independence (it's all text) and the source code.

  11. What kind of world do you live in? on Loss of a Single Laptop Leads to $50k Fine Against Idaho Hospice · · Score: 1

    Seriously, get a computer in front of your hospital infrastructure which has Internet access (or a modem) on one side and runs ssh or something.
    Then you simply log in via your portable computer. Nothing will be cached, nothing will be local, just use your portable computer like you would use any terminal.

    That's not rocket science, it already worked in the 1980s, just go and watch "Wargames" and you will even learn about much of the security involved.

  12. Modern Pascal, probably... but... on C Beats Java As Number One Language According To TIOBE Index · · Score: 1

    It all depends on the situation. C++ is kinda singled out by being too complex.

    Currently I'd go for this:
    bash (or whatever shell you like) for file/text table oriented tasks
    Assembler for small embedded systems (i.e. =ARM)
    Forth if you can use it instead of C
    C for simple network tasks without string processing
    node.js for complex network tasks with string processing
    Lazarus/Pascal for GUI software
    Lisp/Prolog for symbolic computations

    All of those are more or less platform independent.
    Beware of shops which are standardising on a single language in order to save costs or anything like that. The "perfect language" has not yet been invented and probably will never be. Languages trying that usually fail.

    The good thing about C is that it doesn't try to be a high level programming language. It tries to be "comfortable assembler". That's why you will so often find people implementing concepts from other languages in C. For example the Windows window message management (for things like mouse clicks and key presses) is just like Smalltalk. C doesn't try to be a full programming language, it tries to be a blank slate.

  13. Just to contrast this with the rest of the world on C Beats Java As Number One Language According To TIOBE Index · · Score: 1

    C#, VB et al. compile to some proprietary bytecode which is not only a bit slower than native code, but also requires a _huge_ .net runtime... which is not even common on Windows systems. Huge systems also tend to break.

    On the other hand, there are systems like Lazarus where you have a component library compatible with Delphi made by the same guy who designed the library for C#. You write your program, and you simply compile it for just about any platform. At work we have Linux, MacOSX (Intel) and even Win32. We could just as well compile it for Android or Windows CE, it doesn't matter and you always get native code running on the bare system with native controls which always look like they are supposed to.
    That is normal, write once compile everywhere. And it has been for decades now. (Outside of the Windows Fanboy community of course)

  14. Some custom design needed on How Do YOU Establish a Secure Computing Environment? · · Score: 1

    First of all start with parts which are proven to be reliable. For example Linux or OpenBSD.

    Then think of your security risks. What is your problem? Do you not want your data to get out? Do you want to provide services even if the world ends? Those are all different kinds of problems requiring different solutions.

    Then get your processes straight. How do you install software? If it's "google X free download, click on the first link and download it to install it", you might want to re-think them. Who has access to the machine?

    Then make your system as minimal as possible. Don't install any services or software packages you don't need.

    Then, and perhaps actually earlier, how is your physical security? Do you have multiple armed guards to prevent the attacker from entering? How secure are they against social engineering?

    If that seems overblown to you, just get your average Linux distribution (like Xubuntu) and install it with software harddisk encryption. That should be good enough.

  15. Re:Decentralise energy production on Is Safe, Green Thorium Power Finally Ready For Prime Time? · · Score: 1

    Actually one idea is to make tiny little nuclear power plants for your backyard... what could possibly go wrong?

    But yes, the future is decentralisation. In Germany for example PV systems are already about as expensive as power from the grid. Indeed there are some businesses already going mostly off grid as they only need power when the sun is shining. (think of restaurants near the water, they are essentially closed when the sun is not shining as there are no guests)

    Another example are small gas-powered power plants some companies install to get their electricity. Usually they also connect their neighbourhood up to the waste heat.

    Decentralisation will happen as it makes more and more sense for the individual. Plus there are no laws which need to be changed or new technologies which need to be invented, and no new monopolies to be created. (It's not like there are many companies producing Thorium Power plants)

  16. Re:Why do we need a desktop client? on Ask Slashdot: Current State of Linux Email Clients? · · Score: 1

    Yes, but believe me, you don't want to have PHP on your system. You simply don't.

  17. Re:Why do we need a desktop client? on Ask Slashdot: Current State of Linux Email Clients? · · Score: 1

    Well, the problem with web apps is that they are usually hard to install and set up. For example, Squirrelmail requires you to install both Apache and PHP in addition to having an IMAP setup. Plus modern IMAP clients allow you to access your mail even when you are off-line.

    Plus IMAP works fine in high latency situations, and it can do a sort of "push" service, which allows you to get your e-mail instantly without the need to poll.

    Again, depending on your situation you may make different trade-offs. For example in large companies the administrative overhead of webmail may not be a problem since you have a dedicated IT department.

    Of course you can keep your e-mail on foreign servers... but that's like leaving heaps of cash in a hotel room.

  18. KMail? on Darling: Run Apple OS X Binaries On Linux · · Score: 1

    The only E-Mail program so far which actually is so slow it cannot keep up with my typing!

  19. Aren't the US already a low wage country? on A US Apple Factory May Be Robot City · · Score: 4, Insightful

    I mean sure, on paper wages in the US look high, but then again there's next to no social security. There's no mandatory health insurance, there's little public infrastructure. In some places you even need to have a car... at least that's what the typical prejudices say.

  20. Not the desk phones you are used to on Ask Slashdot: Do You Still Need a Phone At Your Desk? · · Score: 1

    The great thing about modern VoIP deskphones is that they offer much of the flexibility of a smartphone without the hassle of constantly needing to replace them.
    For example there are now phones which have button extensions which can issue plain HTTP requests. So it's trivial to use them to turn the lights on and off.
    The phones also allow you to use VPN tunnels, so you have at least some security mobile phones won't provide you.

    Again you could do that with mobile phones, or even PCs, but putting it into a "desk phone" case ensures that nobody will mess with it and that it will last for some time. You'll never need to upgrade the hardware because you upgraded the operating system to run some piece of software, since you don't run much of your own software on those. They are designed to be semi-dumb terminals. (Some modern VoIP phones offer you a simple sort of Web-browser, deliberately non-compatible with HTML)

  21. Re:To give you an impression _how_ bad it is on Researcher Finds Nearly Two Dozen SCADA Bugs In a Few Hours · · Score: 1

    Well yes of course. Those should never be connected to anything else, but...

    a) That software is often so bad/insecure it doesn't work reliably.
    b) Many software vendors in that area require you to have license keys... which come in the form of files... which opens the USB attack vector.

    Physical security sounds like a good idea on paper, but then again it's of no use when you press the "brake" button and the system simply will not respond within a second. As on the new ICE-3 designed by Siemens.

  22. Some explanations on Researcher Finds Nearly Two Dozen SCADA Bugs In a Few Hours · · Score: 1

    OK, unfortunately the video is not really informative.
    Remote execution means that the attacker was able to tell the other system to run commands. One common method (stack overflow) works like this:
    (In C) you have a local variable, for example to hold a string. Imagine it's 10 characters long, and you want to write 20 characters into it. It's obvious that you overwrite something. Since local variables are on the stack, you overwrite parts of it. The stack also stores the return address of the function call. If you overwrite this, you can make the function "jump back" to wherever you want... even to the string you just gave it. So instead of the function returning to the main program, it executes the machine code you gave it in your string.
    The standard article on this is:
    http://phrack.org/issues.html?issue=49&id=14#article

    Sometimes particularly badly designed systems will even just take a command and execute it, but that is rare.

    Heap Spraying is to get strings into the memory, for example to be executed by the stack overflow method. It's useful since on some systems the simple method doesn't work.

    Arbitrary File Download means that the attacker was somehow able to tell the victim to arbitrarily download a file. This can be used to overwrite files (e.g. the screensaver, or configuration files) or to make life easier for the attacker.

    Session hijacking means that you can take over a session, for example of a logged in user. So you are able to impersonate the logged in user.
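    For the stack-overflow explanation in the comment above, an added example (not from the comment or from Slashdot) showing the length check that stops a 20-character input from being written into a 10-byte local buffer; the buffer size, function names and sample inputs are assumptions for illustration:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original comment. The comment describes a
 * 10-character local buffer receiving 20 characters. The defence is to
 * check the incoming length against the buffer size before copying.
 * FIELD_SIZE and the function names below are assumptions. */

#define FIELD_SIZE 10  /* room for 9 characters plus the terminating NUL */

/* Copy src into a fixed-size buffer only if it fits, NUL included.
 * Returns 0 on success, -1 if the input would overflow the buffer.
 * A rejected input leaves dst as an empty string. */
int copy_field_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    /* Measure the input without ever scanning past dstsz bytes. */
    while (n < dstsz && src[n] != '\0') {
        n++;
    }
    if (n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Stands in for the function from the comment: a local buffer of
 * FIELD_SIZE bytes receiving an untrusted string. With the check in
 * place an oversized input is refused instead of overwriting whatever
 * lies beyond the buffer on the stack (including the saved return
 * address). Returns the accepted field length, or -1 on rejection. */
int handle_command(const char *input)
{
    char field[FIELD_SIZE];
    if (copy_field_checked(field, sizeof field, input) != 0) {
        return -1;  /* input too long: drop it and report an error */
    }
    /* ... a real program would act on 'field' here ... */
    return (int)strlen(field);
}

int main(void)
{
    const char *ok = "status";                 /* constructed sample, fits */
    const char *bad = "AAAAAAAAAAAAAAAAAAAA";  /* constructed sample, 20 bytes */
    printf("short input: %d\n", handle_command(ok));
    printf("long input:  %d\n", handle_command(bad));
    return 0;
}
```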

  23. Updates? on Researcher Finds Nearly Two Dozen SCADA Bugs In a Few Hours · · Score: 1

    How do system updates or license updates work then?
    Keep in mind those systems often are Windows systems running huge amounts of software on them like SQL-servers or .net frameworks. And the software often has 1990s style licensing systems running which might need regular license keys to stay up to date. This was apparently the most common infection vector for Stuxnet.

    Today's SCADA systems are less and less designed to allow for that. Another obvious point would be that those systems need to boot from read-only memory. Sounds trivial yes, but just try that with Windows.

  24. To give you an impression _how_ bad it is on Researcher Finds Nearly Two Dozen SCADA Bugs In a Few Hours · · Score: 2

    Some of those systems are based on a technology called OPC. That's OLE for Process Control. Over the network it runs on DCOM. Of course unencrypted and usually without authentication because it's already hard enough to get it running somehow.
    Of course those are Windows-only solutions. And of course, those systems are often so complex and badly made that updates are next to impossible.

    There is currently no knowledge about security in those companies. They simply don't understand it. I've been in companies which had that problem, and believe me, it's very frustrating and fruitless to talk to such people. Their strategy simply seems to be to come up with the most breathtaking "arguments" to keep you silent. Common "arguments" are, "Windows 9x is secure as nobody writes malware for it anymore", or "NetBEUI is secure because it's not routable".

    What we need is a cultural change in SCADA implementations, but that's not easy to do.

  25. Silicon Valley has moved past technology on Is Silicon Valley Morally Bankrupt and Toxic? · · Score: 2

    While in the past many companies there were actually headed by engineers who understood what they did, those companies are more and more headed by MBAs. They don't understand technology; that's why they come up with business models like "renting e-Books". That's also why there is next to no progress in the mobile sector for example. And that's the reason why we still have to deal with horribly bad and insecure computer systems.

    Then again fewer and fewer people with technical skills want to work in the US, so the remaining companies will eventually have to move out in order to get workers.