Samsung's created a new IoT OS, and it's a dumpster fire


#1

Originally published at: http://boingboing.net/2017/04/05/tizen.html


#2

[quote=“doctorow, post:1, topic:98318, full:true”]
Neiderman says no programmers use this function today because it’s flawed, yet the Samsung coders “are using it everywhere.”[/quote]

I’m afraid strcpy() is still widely used in C programming, even though bounds checking and strncpy() or more advanced methods are gaining ground.


#4

[quote]I’m afraid strcpy() is still widely used in C programming.[/quote]

Right? I read that line and laughed. I suspect it’s some subtle security analyst black humor, because he has to know that that’s not true.


#5

Well, I for one am glad that the trump administration is concerned, even tangentially, about this kind of stuff because we need some protection against this sort of…

What was I saying? Oh, right, I was screaming into the abyss. Guess I’ll just keep doing that…


#6

Especially since there are valid reasons to use it. If you actually do know that the buffers are big enough (say, you’re putting the date at the start of everything, which always follows the form xx-xx-xxxx:) then there’s no reason to not use strcpy then a strncat/strlcat for the part that varies.

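An added example, not code from this thread or from Samsung’s Tizen, of the pattern posts #2 and #6 describe: strcpy() is only safe when the source length is a verified invariant, so the fixed "dd-mm-yyyy:" prefix is checked before the copy, and the variable part is appended with a length limit computed from the room that is actually left. The buffer size, the date format check and the names build_line/is_date_prefix are assumptions made for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumptions for this example: a 64-byte log line and an
   11-byte date prefix of the exact form "dd-mm-yyyy:". */
#define LINE_SIZE 64
#define DATE_LEN  11

/* The invariant that makes the strcpy() below safe: the prefix is exactly
   DATE_LEN bytes, digits where digits belong and separators where they belong. */
bool is_date_prefix(const char *date)
{
    if (strlen(date) != DATE_LEN)
        return false;
    for (size_t i = 0; i < DATE_LEN; i++) {
        if (i == 2 || i == 5) {
            if (date[i] != '-') return false;
        } else if (i == 10) {
            if (date[i] != ':') return false;
        } else if (!isdigit((unsigned char)date[i])) {
            return false;
        }
    }
    return true;
}

/* Builds "<date><msg>" into out (LINE_SIZE bytes). Returns true when the whole
   message fit, false when the prefix was malformed or the message was truncated.
   out is always NUL-terminated on return. */
bool build_line(char out[LINE_SIZE], const char *date, const char *msg)
{
    out[0] = '\0';
    if (!is_date_prefix(date))
        return false;

    /* Safe only because is_date_prefix() guaranteed the length. */
    strcpy(out, date);

    /* Bytes left for the variable part, excluding the terminating NUL.
       The classic mistake is to pass the destination's total size here:
       strncat()'s limit is how many bytes it may append, not the buffer size. */
    size_t room = LINE_SIZE - DATE_LEN - 1;
    strncat(out, msg, room);   /* appends at most room bytes, then writes the NUL */

    return strlen(msg) <= room;
}

int main(void)
{
    char line[LINE_SIZE];

    bool fit = build_line(line, "05-04-2017:", "tizen build started");
    printf("fit=%d line=%s\n", fit, line);

    /* Oversized message: truncated, never overflowed. */
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    fit = build_line(line, "05-04-2017:", big);
    printf("fit=%d len=%zu\n", fit, strlen(line));
    return 0;
}
```

strlcat() from the thread is a BSD function that glibc only picked up in 2.38, so the example uses strncat() with the remaining room computed explicitly; the point is the same either way: the limit passed must be the space that is left, not the size of the whole buffer.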


#8

Unfortunately using /'s will break certain things a lot of the time; that’s why you often see dates in that form or in MMDDYY/DDMMYY :frowning:


#9

I don’t care about the hyphens.

It’s the year going last that offended me.


#10

I don’t care if the NSA knows that I binge watch Canadian Parliament!


#11

Hey! How’d you get that picture of my finances!


#12

#YYYYMMDD OR DEATH! 


#13

I’m a subcontractor for The Illuminati.


#14

buffer overflow becomes an interesting choice of words in the context of a washing machine.


#15

[quote]real production environments[/quote]There’s a vicious quip to be made here about open source development.


#16

Is this a project manager asleep at the wheel or what?

But most of the vulnerabilities he found were actually in new code written specifically for Tizen within the last two years. Many of them are the kind of mistakes programmers were making twenty years ago, **indicating that Samsung lacks basic code development and review practices to prevent and catch such flaws**.

Can we now expect every handset manufacturer to roll out their own “Open source” IOT code? I suppose that’s good in that the code can be evaluated, but where are the internal controls? How did Samsung not catch this?


#17

Well I guess it should finally demonstrate that they don’t copy Apple in everything


#18

Man, Samsung and their fetish for shitty proprietary OS. Exploding phones aside, they produce some pretty good hardware, but it’s always rigged with their shit software. Why do they insist on doing that?

I shudder remembering their last attempt at an OS, Bada. That was a steaming pile of shit as well. Let it be.


#19
  1. “not invented here”
  2. trying to save royalty payments

Just guesses.


#20

Are royalty payments for vanilla Android that costly? I have no idea I have to admit.
Samsung basically owns a good part of South Korea, so I imagine it’s more of an ego thing than them not being able to afford royalties.