
Samsung's Tizen is riddled with security flaws, amateurishly written - curt15
https://arstechnica.com/gadgets/2017/04/samsungs-tizen-is-riddled-with-security-flaws-amateurishly-written/
======
throw81001
Tizen was/is mostly built out of a Samsung subsidiary in Warsaw, Poland.
(Several thousand software engineers in total.) I worked with Polish software
engineers for a western company that used the same outsourcing method during
the same time that Tizen was being built. We had hires from Samsung and they
had hires from us.

I think that what I witnessed at our company (which I won't name) is
representative for what Samsung saw.

The stereotypical development model was one where individual developers were
perceived as lego blocks that could be moved from one area to another as the
project(s) progressed without any regard for the individual contributors'
accumulated knowledge. Large volumes of contributors ("bug resolvers") were
valued over smaller, coherent teams with smarter contributors.

There was also a disturbing amount of machismo surrounding everything -
nothing could be questioned; everything was a sense of pride to someone.

(What I heard from the local engineering managers supports the above.)

~~~
throw81001
My assessment after having a few years perspective:

\- There's quite a big span between the average level to high level to top
level when it comes to Polish devs. Specifically, it goes a lot lower than
what I'm used to. It goes high too, though, but those individuals are not
necessarily cheaper than a western European employee of the same calibre
(probably similar).

\- (Engineering) Management culture is totally whacko and quite a bit behind
the western world. I blame the machismo.

~~~
dgregd
There are a lot of good software engineers in Warsaw, working at various
companies. However, most companies here don't care that much about top
talent. They just want to pay an average salary and that's all.

It is very rare that Warsaw devs that write good quality code are compensated
appropriately.

------
contingencies
In Samsung HQ in Suwon, Korea, back in 2010 in the leadup to the launch of the
Galaxy device series, each individual OS had its own literal skyscraper in the
HQ campus. One for BadaOS, one for Android, one for Windows Mobile. I don't
think they communicated at all, as a general rule. Even in the Android one
where I was working, the whole floor was nominal software guys but only one
knew how to compile the firmware everyone was working on! They actually had to
fly in a team of low-level programmers from Samsung India to get the device
firmware up to speed in time for the hardware launch. It was an extremely
interesting organization to spend a few days in from an anthropological
perspective, but I left swearing that if the experience was a vision of the
future I wanted no part of it.

------
thomask0
Should not come as a surprise...

[https://what.thedailywtf.com/topic/15687/code-review-malediction](https://what.thedailywtf.com/topic/15687/code-review-malediction)

[https://what.thedailywtf.com/topic/15001/enlightened](https://what.thedailywtf.com/topic/15001/enlightened)

~~~
coldtea
> [https://what.thedailywtf.com/topic/15001/enlightened](https://what.thedailywtf.com/topic/15001/enlightened)

Actually it's the author of the rant that comes off as totally uninformed and
with unwarranted snark to boot.

[https://what.thedailywtf.com/topic/15001/enlightened/242](https://what.thedailywtf.com/topic/15001/enlightened/242)

~~~
graton
Not when I read the replies to that reply.

      @Carsten_Haitzler said:
    
      as for the "you bitch" comment. that does not appear anywhere inside efl at all. i can only assume you are full of bullshit here as with a lot of the prior "facts" you have disclosed, as a grep through our codebase for efl and elementary shows no such string:
    
      core/efl.git - EFL core libraries
      evas - change error out from bitch to complain - cosmetic change    HEAD master
      committer Carsten Haitzler (Rasterman) raster@rasterman.com    2015-03-11 12:59:01 (GMT)
    
      F#*k off.

~~~
coldtea
> _Not when I read the replies to that reply._

Even more so after one reads the replies.

Perhaps we didn't read the same reply?

Because the response you've posted:

1) only addresses one of the tens of points in the reply -- the others still
being valid.

2) while true, it is still irrelevant from a technical standpoint (not to
mention softened in the subsequent version anyway).

3) At worst, the Evas author failed to grep the right version for it. Whereas
the ranter, at best, fails to understand C coding, failed to consult
documentation that was right there, complains about valid behavior, cites
several wrong facts about the behavior of the code (like the supposed "512"
object limit), and closes with the BS "it will take man-years" to build a
sample simplistic media player with the lib (using a ready-made codecs/media
player widget component).

Evas/Eve etc have some questionable design decisions, and not the best
documentation. But the original post is full of crap in almost every aspect,
and with unwarranted language to boot.

~~~
tigershark
Are you an EFL developer or the author? I have read the whole 19 pages of
comments, plus the sister thread on OSNews, and you are the only one that
can't understand all the problems in that ball of sh*t apart from the EFL
author and his coworker. In any case I would prefer to lose a hand than to
work with someone like you for whom writing non-type-safe C code, with 40
vulnerabilities discovered by a single researcher, is perfectly fine.

------
59nadir
Maybe Samsung has a running bet with Huawei over how much crappy code you can
push to how many devices. Huawei is still very likely winning, as they had
that period when they had to rewrite most of their router software after being
outed as having stolen Cisco's code. They just plain wrote the same shit, but
replaced everything good with about 2 bad things instead.

------
demarq
Is it that big industrial corporations are bad at creating code? Toyota,
Samsung, Synaptics.

I'm really beginning to think that code should be left to smaller and medium
sized outfits, i.e. Samsung should buy or hire a small startup to independently
develop and grow their next ecosystem. Large enterprises just seem too clumsy
to pull it off unless they wholly dedicate themselves to developing that one
piece of technology.

~~~
itcmcgrath
The counter arguments include Google, Apple, Microsoft, etc.

I think the big vs small comparison is flawed. I've seen some atrocious code
produced by small/medium sized outfits. My fondest memory includes auditing
code from a 3 person outfit whose code quite literally set up an RPC on the
server that executed any string it was sent, verbatim, against a database that
handled money.

~~~
demarq
Those counter examples were all software startups. And have very very
different cultures to other corporations their size due to their roots.

~~~
pducks32
Is Samsung at this point really _that_ different in terms of semantics from
those examples though? Obviously they are all unique and Samsung's location
makes a big impact on their culture, but they hire a similar intelligence
echelon of people, right? I don't know much about the internals of Samsung so
maybe I'm missing something.

------
alimbada
I'm very tempted to buy a Samsung TV (primarily for the low input lag
times which make them good for gaming) and I plan to keep it offline (no WiFi
or Ethernet connection), using a Chromecast and an HTPC+Kodi instead for
streaming. With that in mind, should I be worried about security flaws?

~~~
MatthaeusHarris
Depends on your threat model.

From TFA: Another attack on Samsung Smart TVs was published last week that
used malicious commands embedded in broadcast TV signals.

So, even if it's airgapped, a TV that's been compromised in this way is
effectively a hostile general-purpose computer with a WiFi card running inside
your house.

If this is something you would do for a Klondike bar, then go ahead. I'll keep
my dumb TV and my Kodi box, though.

~~~
scorpioxy
Agreed. These "smart" TVs mostly run outdated and buggy software which is
difficult if not impossible to update, either because of technical limitations
or because the manufacturer doesn't care enough after getting your money.

So why bother with a "smart" TV if you're going to be using an external
computer anyway? Saving a few hundred dollars to spend on that external
computer seems like a better investment. I run a "dumb" big LG TV hooked up to
a Raspberry Pi running Kodi via LibreELEC. I'm very happy with the setup in
terms of functionality and price.

Edit: the attack via signal is linked from the article, reading now.

~~~
alimbada
> _So why bother with a "smart" TV if you're going to be using an external
> computer anyway. Saving a few hundred dollars to spend on that external
> computer seems like a better investment._

I'm in the market for a 4k TV with low input lag. If you look at input lag
tests (e.g., [http://uk.rtings.com/tv/tests/inputs/input-lag](http://uk.rtings.com/tv/tests/inputs/input-lag)) you'll see that every
single TV listed there is a smart TV, at least in the 43"-50" range anyway. In
fact, are there even such things as "dumb" TVs anymore?

That said, I've done some more research and realised that the LG UH6 __* range
is actually also pretty good for low input lag and runs webOS to boot, so I
think I'll go for an LG instead.

------
danpalmer
This doesn't surprise me. A company I used to work for fielded a team at most
Pwn2Own competitions, and it was widely regarded as "not good sport" to take
on a Samsung phone because they were so bad.

------
jolux
Is anyone the least surprised by this?

~~~
danso
...Yes? I mean, Samsung is a big enough company with big enough profits to
attract talented candidates and also be selective:

[https://www.quora.com/How-would-you-prepare-for-the-Samsung-interview-Can-seniors-share-their-experiences-What-all-must-we-do](https://www.quora.com/How-would-you-prepare-for-the-Samsung-interview-Can-seniors-share-their-experiences-What-all-must-we-do)

Furthermore, their mobile business is mature and well-known enough that even
if they were staffed with complete amateurs whose legacy code was awful,
Samsung has been a prominent player for a long time in terms of tech-biz-
years. The chances are significant that they have among their ranks a wise-
enough manager to realize that it's time to tackle technical debt. Or, in lieu
of that, that Samsung would've by now had a come-to-Security-Jesus security
fuckup traumatic enough to force a thorough audit and revamp.

Clearly that hasn't happened here so I'm interested in learning the details as
they come out.

~~~
djfumberger
Maybe then security is less to do with individuals and more so company
culture?

~~~
jolux
I would think that's pretty obvious but I guess not.

------
arrakeen
Thankfully, due to the Wayland protocol, an attacker will not be able to take
a screenshot of the device without direct user input.

------
mihaela
I was hoping Samsung would do something with Tizen as opposed to Android.
Sorry to hear this.

------
Jabbles
Theory: Samsung is just funding Tizen development to gain leverage over
Android

~~~
saagarjha
Wasn't the main reason why they wrote Tizen? Because Google was pushing them
around too much?

------
ArtDev
Samsung should have used Intel Appup instead.

~~~
astrodust
Symbian! PonyOS! TempleOS! MS-DOS!

~~~
widforss
Meego Harmattan :'(

~~~
girvo
In my alternate dream universe, my Nokia N9 continued to exist and be
upgraded...

------
iamacynic
Everything I've ever purchased from Samsung has broken. I just don't even
consider their gear now.

~~~
stuaxo
They have always had nice hardware and terrible, terrible software - way back
in the J2ME days Samsung were the bane of my life.

~~~
Neliquat
Exactly. I love my Galaxy but rooted and flashed it immediately. The bloatware
was uncomfortably pervasive, specifically on my carrier. I have other Samsung
devices, and have had few non-firmware issues.

------
newsat13
I can't believe there are still string overflow bugs. Might be a good idea to
invest some time in Rust. On a side note, I have been looking for a good doc on
how I can slowly migrate my existing code base step-by-step to Rust. A total
rewrite is out of the question; we would rather ship our product step by step.
Does anyone know of such a doc?

~~~
steveklabnik
[https://github.com/carols10cents/rust-out-your-c-talk](https://github.com/carols10cents/rust-out-your-c-talk)

[http://blog.adamperry.me/rust/2016/06/11/baby-steps-porting-musl-to-rust/](http://blog.adamperry.me/rust/2016/06/11/baby-steps-porting-musl-to-rust/)
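An added illustration of the step-by-step approach the two links above describe, not code from either of them or from any of the posters: the first piece of a C code base worth replacing is an unbounded string copy into a fixed buffer (the class of overflow the thread is complaining about), swapped for a bounds-checked Rust routine exposed under the C ABI so the rest of the C code keeps calling it. The function name `rs_strlcpy` and its strlcpy-style return convention are this example's own choices.

```rust
// Incremental C-to-Rust migration: one bounds-checked replacement for an
// unbounded C string copy, exported with the C calling convention so the
// legacy C callers need only a new prototype, not a rewrite.
use std::ffi::CStr;
use std::os::raw::c_char;
use std::slice;

/// Safe core: copy `src` into `dst`, always NUL-terminating and never
/// writing past `dst.len()`. Returns the full source length (strlcpy
/// convention) so a caller can detect truncation with `ret >= dst.len()`.
pub fn bounded_copy(dst: &mut [u8], src: &[u8]) -> usize {
    if dst.is_empty() {
        return src.len(); // nothing can be written, not even the NUL
    }
    let n = src.len().min(dst.len() - 1); // leave room for the terminator
    dst[..n].copy_from_slice(&src[..n]);
    dst[n] = 0;
    src.len()
}

/// C-ABI wrapper the existing C code would call as
/// `size_t rs_strlcpy(char *dst, const char *src, size_t dst_size);`
/// In a real library it would also carry `#[no_mangle]` to fix the symbol
/// name; that attribute is left off here so the snippet builds on any edition.
///
/// # Safety
/// `dst` must point to `dst_size` writable bytes and `src` must be a
/// NUL-terminated string: the same preconditions the C code already had,
/// but the copy itself can no longer run past `dst`.
pub unsafe extern "C" fn rs_strlcpy(dst: *mut c_char, src: *const c_char, dst_size: usize) -> usize {
    if dst.is_null() || src.is_null() {
        return 0;
    }
    // SAFETY: upheld by the caller per the contract above.
    let src_bytes = unsafe { CStr::from_ptr(src) }.to_bytes();
    let dst_slice = unsafe { slice::from_raw_parts_mut(dst as *mut u8, dst_size) };
    bounded_copy(dst_slice, src_bytes)
}
```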

~~~
newsat13
Thanks!

