
Home entertainment implementations are pretty appalling - jdub
http://mjg59.dreamwidth.org/31178.html
======
ryandrake
This article and the earlier Samsung "smart" TV article [1] confirm my own
observation that 99% of software running on consumer electronics devices
(particularly set top media players and wireless routers) is utter crap,
thrown together carelessly, probably at the last minute, by hardware people
who have no clue about software. Again and again, you can see the same
low/broken functionality and lack of polish (watch any media player as it
changes video modes, for example. flash flash flash jump flash). The only
redeeming quality of these software distributions is that their appalling
security make them easy to root, at least allowing those who know better to go
in and either fix things or install third party software written by people who
give a damn.

It's like these companies spend a year getting the hardware ready, then at the
last minute realize it needs software. So they find some monkey to barely
manage to get ARM Linux slapped on to it so they can ship something.

It's gotten to the point where I really appreciate the attitude from some of
the new up-and-coming set-top box manufacturers who basically say on their web
site, "Screw it, we're a hardware company, here's how to get root and do it
properly.", e.g. [2]

1:
[https://news.ycombinator.com/item?id=7616420](https://news.ycombinator.com/item?id=7616420)
2: [http://www.pivosgroup.com/](http://www.pivosgroup.com/)

~~~
noonespecial
I expected Apple TV to come in and crush it, rather like they did to the
smartphone industry. It wasn't so long ago that I had a motorola flip phone
that could play MP3s. _One. At. A. Time._

Apple TV is one of the better set-tops, but still far short of its potential.
I attribute this to a "first we build the locks, then if there's anything
left, we'll build the house" mentality forced on them by media companies. I
wouldn't be surprised if every manufacturer more or less suffered from this
and leaving in easy rootability is a form of subtle rebellion.

~~~
dirkgently
> I expected Apple TV to come in and crush it, rather like they did to the
> smartphone industry.

Good luck unlocking/hacking an Apple device.

~~~
ANTSANTS
The jailbreaking scene seems to do a pretty good job of it.

~~~
jpollock
There isn't a working jailbreak for AppleTV3. People have injected themselves
into the existing apps changing where they look for video, but that's
different to having local root.

~~~
ANTSANTS
Ok, but the GP said "Good luck unlocking/hacking an Apple device" not "... an
Apple TV 3", implying that Apple devices are impenetrable fortresses of doom
or something.

Full-blown iOS devices get jailbroken pretty quickly. I assume the difference
here is that no one cares about the Apple TV, so there's little incentive to
hack it (exaggeration, but the difference in Apple TV owners vs. iPhone owners
is probably several orders of magnitude). Even if you did hack it, what's the
point? There's no hard drive to store your pirated videos, and IIRC these
things can stream videos from your PC out of the box anyway. If you're gonna
install XBMC and bypass the Apple TV interface completely, why get an Apple TV
in the first place?

~~~
dirkgently
Good points. I should've been clearer. I meant the scene is not such that
there is enough work done that a relatively non-techie person can sift through
the jailbreaking community work and apply it him/herself.

------
rogerbinns
I recently bought a Panasonic camera - in the compact travel zoom class. One
feature is wifi support, where for example it can upload pictures to your
computer. There are several places the camera lets you enter text such as
names in face recognition, and in SSIDs. But for some unfathomable reason a
Panasonic engineer added extra code so that spaces are disabled for wifi
passwords. This was actual extra effort, and completely and utterly wrong.
Spaces are allowed, every domestic access point I use has them, and everything
else is perfectly happy with them including iOS, Android, Windows, Linux, Mac,
Playstation 3, Nintendo Wii, and Roku. Oh and Panasonic TVs and bluray players
(the "smart" ones).

It is impossible for Panasonic to find out about this or do anything about it,
because like many companies they value interaction with their customers so
little that it is outsourced to the lowest bidder. Those companies business
model is to give out the same answers to the same questions over and over
again. They cannot cope with an answer they don't already have. The one
Panasonic uses in the US is even worse, refusing to tell Panasonic about the
issue. They also have a cunning system where links to surveys after chats
don't work, and the phone survey won't recognise giving them low scores!

If anyone is curious I wrote about the whole saga at
[http://www.rogerbinns.com/blog/support-
tale.html](http://www.rogerbinns.com/blog/support-tale.html)

~~~
userbinator
_Five_ buttons, all for spaces? That would already be a sign to me that
whoever designed that UI wasn't really thinking straight...

And I'm almost willing to bet that not letting you enter spaces might be the
result of a "security fix" because they pass the contents of that field,
unescaped, directly through to a wifi configuration shell script, and someone
doing some testing discovered that spaces would "cause things to break", so
the solution was to disallow spaces instead of performing escaping on the
password string.

Also related: [http://thedailywtf.com/Articles/Securing-Secure-
Security.asp...](http://thedailywtf.com/Articles/Securing-Secure-
Security.aspx)

Edit: while Googling around for some other devices that might have this
interesting issue, I found... [https://github.com/xbianonpi/xbian-package-
config-xbmc/issue...](https://github.com/xbianonpi/xbian-package-config-
xbmc/issues/12)

Why is escaping input such a difficult concept to comprehend?

~~~
kalleboo
> Five buttons, all for spaces? That would already be a sign to me that
> whoever designed that UI wasn't really thinking straight...

It's a sign to me that they're extremely lazy, or their code is so bad that
making small exceptions are very difficult/brittle.

[http://imgb.mp/jvs.jpg](http://imgb.mp/jvs.jpg)

"Now that we're translating this UI to English, what do we do with all these
buttons that aren't needed?" "Too much work trapping into the UI drawing code
to hide them, let's just remap them to something else... how about space!
That's harmless!"

~~~
userbinator
I see what looks like the Japanese equivalents of single and double quote,
full stop and comma, so it's still a bit puzzling why the English version
doesn't have those there.

~~~
kalleboo
The "single and double" quote are actually Dakuten and Handakuten, which are
essential parts of the language
[http://en.wikipedia.org/wiki/Dakuten](http://en.wikipedia.org/wiki/Dakuten)

Good point about the punctuation.

------
dredmorbius
The problems extant in home entertainment products are only reflected
throughout the rest of the "Internet of Things" ecosystem. Or as I prefer to
think of it: security threat vector channel.

Consider: You've got a slew of products for which rapid iteration and
obsolescence is a key attribute, profit margins are slim, cost pressures are
immense, talent is limited (and not attracted by time and cost pressures),
parts availability is arbitrary, capricious, and liable to change with little
notice or reason (we've seen in the GM ignition switch recall what the
implications of even a minor parts change can be, in a slightly different
space).

A few years back I had the distinct pleasure of attempting to configure and
deploy a major enterprise vendor's storage product on what the sales team
promised, but the support team denied at pain of abuse to my firm, was
supported under our OS. The company shall remain nameless, but rhymes with
"hell".

What I eventually established was:

• The vendor itself had little or no real understanding of the equipment or
its configuration.

• The documentation for the underlying technologies (all, as it happens, open
source free software), ranged from quite good to abysmal. One README file
consisted entirely of the text "Good things to read here.". We were less than
gruntled.

• True support was actually a pass-through to the OS vendor, who, it turned
out, wasn't in fact the source of our OS. We'd been sold something which
didn't in fact exist (real support).

And that was for high-end enterprise-grade hardware.

The situation for the consumer-grade stuff, especially the _cheap_ consumer-
grade stuff, is far, far worse.

Which is why I want the products I buy to have the absolute minimal amount of
technology in them as possible or necessary. It's fewer opportunities to foul
up.

~~~
rossjudson
I hate myself for saying this, but perhaps the only way to wake up these
manufacturers is to make them liable for leaving the "security door" wide
open. If they've followed good practices and at least _tried_ to get things
right, that should be a strong defense. But if they've completely _ignored_
security, then they should be at risk too.

~~~
dredmorbius
That will likely be a part of it. Though finding pockets to go after may be
difficult as well: hardware and software components are already modular, there
is the developer, the manufacturer, and often a "brand" who effectively
purchases the tech and tosses a logo on it (Apple is an exception to this
rule). To say nothing of transnational jurisdictions.

The complexity problem extends to the legal side as well. Much as I think
liability could help, it's going to be hard to apply, particularly with lay
attorneys, judges, and juries.

------
atmosx
Apparently in order for a home network, with modern appliances to be secure
you need to be at least a _geek_ these days.

You probably need a router that runs OpenWRT, Linux or BSD like
caramobola2[1], to configure manually in order to monitor incoming and
outgoing connections, blocking suspicious traffic.

Then you probably need something that can run XBMC[2] as a home entertainment
system (atom HTPC works like a charm, I have one). Then a flashed dreambox PVR
which runs linux too and you can do a lot of things but most importantly
monitor everything.

So basically, anything that runs proprietary software is a security concern.
Strangely, the more corporations try to build walled gardens the bigger the
security risk is.

[1] [http://8devices.com/carambola-2](http://8devices.com/carambola-2)

[2] [http://xbmc.org/](http://xbmc.org/)

------
jackalope
_This software has been written without any concern for security, and it
listens on the network by default._

This dawned on me when I intended to switch over to FIOS due to problems with
my cable internet connection. I moved all of my media and gaming devices
first, then abruptly stopped, wondering why I would want to share a network
with a bunch of devices I had no reason to trust. I know I can isolate them on
my home network, and may eventually get around to it, but in the meantime, I'm
using separate connections to different ISPs (which provides other benefits,
as well).

~~~
Silhouette
_...wondering why I would want to share a network with a bunch of devices I
had no reason to trust. I know I can isolate them on my home network..._

Unfortunately, it's actually quite difficult to do that properly with a
typical broadband/WiFi box as supplied by most ISPs (at least here in the UK)
by default. You need to step up to business-grade gear in most cases, which is
both more expensive and beyond the technical knowledge of most consumers, and
even then some otherwise respectable devices are regrettably lacking in
flexibility when it comes to VLAN configuration and the like. I'm looking
forward to the day when standard home user boxes allow you to do things like
isolating certain physical ports or wireless networks by default, so hopefully
running untrusted devices on independent networks becomes routine.

Even then, there's still the problem that if you want to watch some sort of
streaming content off the Internet, whichever device(s) have that external
connectivity could also pose a privacy risk if they have access to whichever
devices are acting as home media servers. DLNA seems like a step in the right
direction for connecting up home media devices, but I haven't seen much
evidence of a robust security model being implemented so far.

------
Zarathust
I previously worked in a company where the main product was an IP camera. Most
of the team was building a windows client to interface with the camera and I
was a one man army to handle the software onboard. I'd say that most software
people don't know what is hard with hardware (no pun intended, seriously).

Most of your time is spent around finding libraries that can be compiled for
your board or fixing device drivers because of that slight board modification
the hardware guys did. You also have to figure out how the proprietary
hardware encoders work and make them work properly. If the documentation
doesn't fit the implementation? Well you have this contact under nda agreement
that will eventually say "I don't know either, have you asked in the forums?"
after 2 weeks of back and forth. Also sometimes your device would just reboot
and you'll spend time arguing with the hardware guys that linux don't just
reboot for no reason. Did I mention having to worry about how your 64mb of ram
get allocated and in which DSP pool?

Eventually, you'll find time to write code that will cause your device to do
something meaningful.

Writing software for hardware is much harder than it seems, because you have
to worry about all those things you take for granted when working with a x86
desktop. You can't upgrade often after shipping, so testing focuses on
critical bugs instead of usability. I do agree than spending more resources
would make sense, but consider this : Hiring a DSP specialist to get an H264
encoder to work would cost 80k$ in Montreal in 2007. This is something that is
now free with newer chips, but just getting the hardware to work used to drain
a lot of resources. Larger companies could have more money for that, but I do
not know how they work internally so I can't speak for them.

------
bananas
Spot on. I'm currently arguing with a retailer over a Toshiba television which
can't play mp4 files reliably. It crashed and hangs regularly.

They want to send it for repair because to be honest they are fucking morons
and however much explaining I do they don't realise that the manufacturer
doesn't support any kind of firmware update. I want my money back so am having
to take them to small claims court in the UK to force a refund under the sale
of goods act because the item is not fit for purpose.

Between this and a Bravia EX which is buggy as hell I'm tempted to just buy
something that will run a Linux based media center with a PC TFT and say fuck
it to consumer appliances.

~~~
VLM
"consumer appliances."

All converged appliances suck, and probably always will, and the consumers are
figuring it out, which will be the doom of the "convergence" meme.

Non-converged appliances usually work pretty well. My dumb TV displays
whatever the HDMI flings at it, the separate optically connected surround
sound system works beautifully, the computer hooked up to them just does its
thing.

~~~
bananas
Spot on. I agree. I really miss the old Trinitron that this Bravia replaced. I
hung onto that unit for nearly a decade and it never skipped a beat.

------
userbinator
The manufacturer could've made it more secure, but then you wouldn't be able
to change the region code like that or do anything else to be in _control_
your device... security cuts both ways.

~~~
M2Ys4U
The only way to _really_ be sure that you control your devices is to use
free/open source software.

~~~
drdaeman
Not really. FLOSS is about being in control of your software (being able to
legally modify and distribute things), not making any guarantees about
software behavior (including security).

Indeed, source code availability (much weaker than FLOSS) is very useful in
software analysis. Nonetheless, while in most cases this is just tedious and
boring work, one can still validate proprietary binary blobs. Obviously, that
only applies to countries where reverse engineering is legal.

~~~
M2Ys4U
If you can't modify/replace the software on your device, do you really
_control_ that device?

In my opinion, validation/analysis is a necessary but insufficient condition
for control.

~~~
drdaeman
One can modify proprietary blobs, too. It's just insanely more complicated due
to necessity to reverse engineer things and not universally legal.

------
CapitalistCartr
The only way to implement network-connected appliances safely is with open-
source. It doesn't have to be under a permissive license, but it does have to
allow the end user to change the code. Anything that is network-connected
-HAS- to be update-able and independently verifiable. Anything less is a risk
to all of us, like biologically unstable organisms released into a city would
be.

~~~
krapp
I think issues like the heartbleed bug demonstrate that open source is not
necessarily a credible defense against either incompetence or malice.

~~~
startling
Heartbleed was discovered and fixed.

~~~
krapp
Eventually, it was disclosed publicly and fixed, yes. But the standard set of
arguments for open source and 'all bugs being shallow' would have expected it
to be caught and fixed almost immediately.

I'm not arguing that open source isn't a better system, just that it's not a
guarantee of safety when compared to closed source in this regard - both
systems have to have competent people actually caring enough to pore over the
code and provide fixes. Consumers cannot be expected to manually review and
audit every line of code in their networked devices, nor (apparently) can they
reliably depend on someone else to do it for them.

~~~
SEJeff
Coverity and several other metrics seem to all conclude that over all, open
source code is still more bug free than proprietary code.

[http://www.zdnet.com/coverity-finds-open-source-software-
qua...](http://www.zdnet.com/coverity-finds-open-source-software-quality-
better-than-proprietary-code-7000028514/)

If you seriously think that all bugs in open source are found and magically
fixed immediately, I suspect you should try working as a community member /
contributor of an open source software project.

~~~
krapp
>If you seriously think that all bugs in open source are found and magically
fixed immediately

I don't think that at all. But, the heartbleed bug is an example of one which
should have been, by all rights. It wasn't due to some complex crypto
implementation, or an arcane syntactical edge case in C. It was a pointer bug.
It was a simple, critical fault in a bit of software which had a lot of very
qualified eyes on it, which a lot of people here would ridicule as a matter of
course.

Now why, if something like that can happen with code most hackers and open
source proponents care passionately about, should it be taken for granted that
enough people are going to be validating dvd player and smart tv firmware for
the end result to be better for the average end user than expecting whoever
the manufacturer hires to do it?

~~~
SEJeff
Actually, per the actual OpenSSL maintainers, there are precious few eyes on
the OpenSSL code.

[http://www.theguardian.com/technology/2014/apr/11/heartbleed...](http://www.theguardian.com/technology/2014/apr/11/heartbleed-
developer-error-regrets-oversight)

From Robin Segglelman, the maintainer who "accidentally" added the heartbleed
bug:

""" ... OpenSSL is definitely under-resourced for its wide distribution. It
has millions of users but only very few actually contribute to the project."
"""

I really think you should try joining and open source community and
contributing some code. Then I suspect you'll understand that it is just as
hard as any proprietary code (like that which I work on for $day_job). The
difference is that Open Source code, even critical stuff that runs the
internet, is often woefully understaffed and over expected to be perfect.

~~~
krapp
I stand corrected then.

>I really think you should try joining and open source community and
contributing some code.

I have, not often though. Certainly not to anything critical.

