Badware in the firmware all over the place This is really no surprise: embedded system vendors aren't good at carrying out quality assurance on their firmware images, and their embedded Web server software is what you'd expect from something written in the last 20 minutes of Friday afternoon. And it'll be no surprise to The Register's readers that the bugs land in all …
But no longer facing the prospect of waking up on another wet autumn morning with a weta sitting on the pillow? That I can live without forever
[it was only a relatively little young tree weta, hatched out in the garden hedge and on its big O.E. to see the world. And it's a beautiful miracle of nature. And they only eat small insects, form loving pair bonds for life, and raise god-fearing children of Amish tendencies who show a touching respect for their elders. But I don't believe for a moment that it was more scared than I was; that ain't possible]
Oh god yes. Being able to walk into the average cave and *not* see long feelers waving at head height is a nice change. Cave wetas might be small, but they really know how to advertise in low light conditions. Bloody heart attack material.
> a weta sitting on the pillow
They look a lot like their African cousins - Johannesburg's Parktown prawn. Does the weta also have the attractive habit of squirting corrosive black gunk from its nether regions when threatened?
when I lived there, first weta encounter putting on a wetsuit to go surfing, trying to catch up with my surfing buddies, in a rush, got one arm in the wetsuit, over my shoulder and then the other arm... a bit of loose thread or something right down at the bottom of the arm, pushed my hand through to look at my hand and the loose material, only to see a two inch weta in my palm articulating wildly menacing gestures. Cue scream, heart attack, jump five feet in the air much to the amusement of my mates.
second encounter, driving to distant surf spot, on the last 100km leg of the journey which was largely metal (gravel) roads with sections of dirt track. Stereo blaring, sun shining, windows down, cruising at 80kph, then in it came, only an inch long this time, flew straight into the side of my face, then bounced off the inside of the car into the windscreen, then panicked and started articulating wildly menacing gestures and flying into the windscreen and bouncing back into my face, as they do. Cue scream, freak out, attempt to stop the car in a straight line with dust clouds going everywhere, then let the friggin thing out into the wild.
Nothing to do with that. The picture is typical of embedded programming.
Updates? What updates. OS and 3rd party components are used at base versions and never updated. In fact there is no way to update them. There is nobody in the company keeping track of security issues with them either. No security awareness, no defensive programming, no... This is for _BOTH_ onshore and offshore. It comes with the territory.
However, the whole thing is proudly embedded (I have wished many times to embed the keyboard of one of these jockeys in his skull).
"When programming went offshore..."
I'm very interested to see how exactly do you intend to tie that into the fact that one of the listed "vulnerabilities" is lighttpd, which is, you know, the go-to webserver on OpenWRT for basically anything more elaborate than running LuCI, its own web admin GUI; if even that isn't secure enough, what exactly are embedded engineers supposed to do? Write their very own http server perhaps...? Yeah, that always works great, as securobods keep telling us...
As ever, marketing appears to be part of the problem... You pick up a [generic web device] somewhere, and oooh, look how pretty the box is, and look how well designed the device looks, and wow, 8 megapixels [or whatever], that must be good because it's actually got the word 'mega' in it...
The customer can't visibly know how shoddy the firmware or drivers or software is, and therefore can't select their purchase on this criteria, therefore no incentive for manufacturers to improve. Just keep focusing on design and hardware specs and churning out new products, etc...
What's needed is some kind of certification scheme for tested & hardened firmware and a commitment for driver / software updates over a particular period.
For instance, wouldn't it be good if you purchased say, a new phone, and it was visibly guaranteed to be patched in a timely manner for 2 years. That could then drive competition between vendors. Buy a phone [or printer or whatever today] and you're completely blind to any ongoing commitment for the product's lifecycle from the manufacturer. Welcome to our disposable 'fuck the environment' economy.
This is what happens when you put the www in everything. Embedded devs aren't accustomed to fending off continuous network attacks. Web devs are used to it and it's still whack-a-mole. In theory embedded would have the advantage of tight code with minimal dependencies, but actually the embedded scene is full of noobs running wild with "easy dev tools" that make wordpress look rock solid. Apparently the same people who can't even make a simple non-IOTified digital thermometer anymore are making webified IOT gadgets too.
Seems a whole generation of engineers missed the memo: just because you can doesn't mean you should. (And so did management and marketing. Jesus Christ, weren't they the ones who started that mantra?)
The code usually has the quality of Sat morn at 3am, after the bars close at 2am.
Embedded pgmrs still think in terms of a hidden serial port, with a fixed password, that service will plug a rs232 cable in to tweak the gadget, every 3 to 5 years. Not IOT.
Somewhere, I have an old picture of a highway warning sign "hacked" with a serial cable, warning of "Zombies Ahead".
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
