Samsung's Tizen is riddled with security flaws, amateurishly written (arstechnica.com)
Tizen was/is mostly built out of a Samsung subsidiary in Warsaw, Poland. (Several thousand software engineers in total.) I worked with Polish software engineers for a western company that used the same outsourcing method during the same time that Tizen was being built. We had hires from Samsung and they had hires from us.

I think that what I witnessed at our company (which I won't name) is representative for what Samsung saw.

The stereotypical development model was one where individual developers were perceived as Lego blocks that could be moved about from one area to another as the project(s) progressed, without any regard for the individual contributors' accumulated knowledge. Large volumes of contributors ("bug resolvers") were valued over smaller, coherent teams with smarter contributors.

There was also a disturbing amount of machismo surrounding everything - nothing could be questioned; everything was a sense of pride to someone.

(What I heard from the local engineering managers supports the above.)


My assessment after having a few years perspective:

- There's quite a big span between the average level, the high level and the top level when it comes to Polish devs. Specifically, it goes a lot lower than what I'm used to. It goes high too, though, but those individuals are not necessarily cheaper than a Western European employee of the same calibre (probably similar).

- (Engineering) Management culture is totally wacko and quite a bit behind the Western world. I blame the machismo.


There are a lot of good software engineers in Warsaw, working at various companies. However, most companies here don't care that much about top talent. They just want to pay an average salary and that's all.

It is very rare that Warsaw devs that write good quality code are compensated appropriately.


In Samsung HQ in Suwon, Korea, back in 2010 in the leadup to the launch of the Galaxy device series, each individual OS had its own literal skyscraper in the HQ campus. One for BadaOS, one for Android, one for Windows Mobile. I don't think they communicated at all, as a general rule. Even in the Android one where I was working, the whole floor was nominal software guys but only one knew how to compile the firmware everyone was working on! They actually had to fly in a team of low-level programmers from Samsung India to get the device firmware up to speed in time for the hardware launch. It was an extremely interesting organization to spend a few days in from an anthropological perspective, but I left swearing that if the experience was a vision of the future I wanted no part of it.


Should not come as a surprise...

https://what.thedailywtf.com/topic/15687/code-review-maledic...

https://what.thedailywtf.com/topic/15001/enlightened


> https://what.thedailywtf.com/topic/15001/enlightened

Actually it's the author of the rant that comes off as totally uninformed and with unwarranted snark to boot.

https://what.thedailywtf.com/topic/15001/enlightened/242


The responses in that thread give me a headache; has The Daily WTF forum always been such a wasteland? One of the replies is "someone posted your software to The Daily WTF so there MUST be a problem with your software, you should just accept it and here's how you should respond". Maddening.


Yes.

And they even scold the author of the software for responding in an emotional tone, while the whole "wtf" rant was full of personal attacks (and misunderstanding C programming, not bothering with facts etc).

And thusly, a website originally created for people to point to actual coding WTFs by incompetent programmers is running posts by incompetent users, voted by other incompetent users.


Seriously? The EFL author flatly denied having "bitch" in the error message, even posting the grep results, while silently changing the error message from "bitch" to "complain" hoping that no one would notice it. Obviously git history doesn't lie like him. And he was the one that wrote that error message. In the meantime he started attacking the author of the post on that forum with meaningless arguments. And you have the courage to say that the incompetence is in the forum users rather than in such a person that is so full of sh*t as to just outright lie in front of everyone?


Not when I read the replies to that reply.

  @Carsten_Haitzler said:

  as for the "you bitch" comment. that does not appear anywhere inside efl at all. i can only assume you are full of bullshit here as with a lot of the prior "facts" you have disclosed, as a grep through our codebase for efl and elementary shows no such string:

  core/efl.git - EFL core libraries
  evas - change error out from bitch to complain - cosmetic change (HEAD, master)
  committer Carsten Haitzler (Rasterman) raster@rasterman.com	2015-03-11 12:59:01 (GMT)

  F#*k off.


>Not when I read the replies to that reply.

Even more so after one reads the replies.

Perhaps we didn't read the same reply?

Because the response you've posted:

1) only addresses one of the tens of points in the reply -- the others still being valid.

2) while true, it is still irrelevant from a technical standpoint (not to mention softened in the subsequent version anyway).

3) At worst, the Evas author failed to grep the right version for it. Whereas the ranter, at best, fails to understand C coding, failed to consult documentation that was right there, complains about valid behavior, cites several wrong facts about the behavior of the code (like the supposed "512" object limit), and closes with the BS "it will take man-years" to build a sample simplistic media player with the lib (using a ready-made codecs/media player widget component).

Evas/Eve etc have some questionable design decisions, and not the best documentation. But the original post is full of crap in almost every aspect, and with unwarranted language to boot.


Are you an EFL developer or the author? I have read the whole 19 pages of comments, plus the sister thread on OSNews, and you are the only one that can't understand all the problems in that ball of sh*t apart from the EFL author and his coworker. In any case I would prefer to lose a hand than to work with someone like you for whom writing non type-safe C code, with 40 vulnerabilities discovered by a single researcher, is perfectly fine.


Reading through some of these replies further down the thread, they seem to confirm the basic notion that EFL docs are really poor. Examples:

> key names - no - we didn't document it, but it'll be the same set as you get in x11. we emulate it elsewhere. yes- maybe we should explicitly document that but to date no one has actually complained

> if its a const char * of course you don't free - if it's a char * return (example) it'll be documented as to how to free it. if its objects - objects stay alive until you delete them ... or the canvas they live in is deleted, or an object that has taken ownership is deleted (and objects that take ownership are in charge of deletion). it's the same throughout efl - its similar to gtk in that sense. it hasn't been explicitly documented i guess because it's a convention that is common enough.

On dynamic typing, and checking object types - and why it's a warning rather than hard error when a type doesn't match what's expected:

> default is to march on and recover with a complaint - the complaint is your signal to enable this next time you run and hunt down the detail. ... mostly the errors are harmless. the majority of code marches on fine - thus prefer staying alive over suddenly falling over.


A little bit more context I had to go look up: the response is also dated 11 Mar 2015


And as the author of the code writes 2-4 times, he looked for the literally mentioned quote and didn't find it -- he even posted the grep results.

He only found that it was "bitch" (single word) later, from a later corrected comment, and fixed it (out in the open, in the public code repository, in any case).

In any case, again, not technical, not a WTF, and not pertaining to the actual code/implementation.


The author of the code is the one who added that word to the code in the first place. You'd think he might remember that, even if the wording of the complaint was off.

https://git.enlightenment.org/legacy/evas.git/commit/src/lib...

https://git.enlightenment.org/legacy/evas.git/commit/src/lib...

If he does not, that invites the question of how many similar error messages are there in the code. Note that this is something that actually gets printed to stdout - in other words, if there's a bug in your app (or EFL, for that matter), your end user might see that message. I would dare say that's a pretty big WTF.


As bad as the author comes off in that exchange, Mr. Haitzler comes off worse. Nobody should respond to their customers like that, least of all in a public forum, regardless of the provocation.


He is not a customer, he just works for a company that has adopted the (open source) framework.

And even a customer is not some holy being that gets to behave in any way they like and it has to be accepted "regardless of the provocation". What he wrote is FUD and professionally damaging to Mr. Haitzler (as a programmer), while also wrong in most aspects.

Nobody should just bend over for someone (even a "customer") "regardless of the provocation". Besides FUD and insults, should the "regardless" also allow for sexual or racist comments from a customer?

And speaking of duties, does the company (Samsung) look kindly on one of its employees bad-mouthing their OS and choices on some random forum?


To further clarify my position: I believe that rules of decorum, including responses to breaches in decorum, should govern not just traditional customer-business relationships, but user-developer and open-source community relationships as well – particularly the higher up the open-source ladder you go. Good business practice often means good community practice as well, and a healthy community is more likely to attract and retain good developers.

Now I am aware that several leaders of several major open-source communities do not consider such restraint to be necessary or even desirable. They're of course welcome to manage their communities as they see fit. I think it's a mistake though, and I believe it will lead inevitably to serious issues in those communities, if indeed it hasn't already.


I presumed from his post that he had actually developed with the framework in question. In which case, he is a user of the framework, and, as far as I'm concerned, a customer to the developers of the framework.

Unless you have evidence to the contrary...?

> Nobody should just bend over for someone...

There is a world of difference between being assertive (which is fine) and being dismissive and belittling (which is not). Mr. Haitzler went way over the line. He thought that tit for tat was appropriate. It is not.

By the way, given the rather suggestive way you phrased this, you might want to check your own use of sexualized comments before criticizing someone else's.


EFL is open source software, BSD licenced. The original author of the comment is not a customer. It's some uninformed person trashing the good work someone has made available to them for free. This attitude makes me want to stop writing open source, it's disgusting to see.


If even one third of what the original author was complaining about is true (and judging by the response, it's way more than that), I don't see how EFL can be called "good work" in good conscience. Bad code and bad design don't get a free pass on account of being open source.


I can't comment on the specific details, I've never used EFL, but in general, when encountering problems with open source software you can do one of two things:

1. Write a long and angry rant about how terrible the software is on a public forum.

2. File issues, participate in the community, ask questions on the mailing list, submit pull requests to improve the docs, try and understand the design decisions behind the software you're using - it's possible that the author knows more about the problem than you, and there are perfectly good reasons for why things are as they are.

One of these things is more productive than the other.


In this case, the rant is not talking about minor bugs that can be fixed with a few (or even a few hundred) lines of code. It's talking about major design defects.

I do have to note, though, that the options are actually:

1. Use something else that's better.

2. <same as what you wrote above>

Based on everything I've read about EFL, including responses from its devs, #1 is by far the most productive choice you can make in these circumstances.

The rant is not really an option as such. It's just a way for someone to vent their frustration, which people occasionally need when dealing with problems like that in order to make themselves feel sane again. You can rant first, but you still have a choice of #1 or #2.

I also have to note that, for the author of the rant, neither was an option, because they weren't working on a project where they had a choice of framework - they were working on Tizen, and had to use EFL, that choice being made for them. I also doubt that their manager would allow them to use some of their work hours to go fix bugs in EFL, even assuming its maintainers would agree that these things are bugs (which they clearly didn't) - they had their own backlog and schedule. So they did the rant because they felt like they needed it, and they didn't really have the option of either #1 or #2 to fix anything.


Advising/warning other people to not start using bad quality frameworks is also a way to be productive.

Why plug every hole in a colander when you can use a bowl from another supplier?


I understand you're upset. But does that make Mr. Haitzler's response OK in your book?


I can empathise with his response; I don't know if I'd respond in that way myself.


Having watched more than one of my code babies be slaughtered by my colleagues in my career, I can certainly empathize as well. But I still think he came off poorly in that exchange.


That response has plenty of WTFs of its own, e.g.:

> efl checks object validity by looking at the first 4 bytes of the memory of the object. in here is a "magic number" that indicates both type and that the object isn't freed or garbage memory.
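An added illustration (my own C, not EFL's code) of the header-magic scheme the quoted comment describes: a 4-byte tag at the start of every object is checked on entry, the default on mismatch is to complain and return rather than abort, and a switch turns it into a hard error. The tag values and struct layouts are constructed for the example; the last function shows the limit of the approach, since any memory that merely begins with the tag passes the check.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed tag values for this example; a real library picks its own. */
#define MAGIC_RECT  0x52454354u   /* "RECT" */
#define MAGIC_TEXT  0x54455854u   /* "TEXT" */
#define MAGIC_FREED 0xDEADBEEFu   /* poison written on free */

typedef struct { uint32_t magic; int x, y, w, h; } rect_t;  /* magic is always first */
typedef struct { uint32_t magic; char text[32]; } text_t;

/* 0 = complain and carry on (the default the comment describes), 1 = hard error. */
static int g_abort_on_bad_magic = 0;

/* Inspect only the first 4 bytes of obj and compare them with the expected tag. */
static int check_magic(const void *obj, uint32_t expected, const char *where)
{
    uint32_t got = 0;
    if (obj != NULL) memcpy(&got, obj, sizeof got);
    if (got == expected) return 1;
    fprintf(stderr, "%s: bad magic 0x%08x (expected 0x%08x)\n", where, got, expected);
    if (g_abort_on_bad_magic) abort();   /* the "enable this next time you run" mode */
    return 0;
}

rect_t *rect_new(int w, int h)
{
    rect_t *r = calloc(1, sizeof *r);
    if (r == NULL) return NULL;
    r->magic = MAGIC_RECT;
    r->w = w; r->h = h;
    return r;
}

/* Soft failure: log and return -1 instead of dereferencing a wrong-typed object. */
int rect_area(const void *obj)
{
    if (!check_magic(obj, MAGIC_RECT, "rect_area")) return -1;
    const rect_t *r = obj;
    return r->w * r->h;
}

void rect_free(rect_t *r)
{
    if (!check_magic(r, MAGIC_RECT, "rect_free")) return;
    r->magic = MAGIC_FREED;   /* a stale pointer fails the check only while these bytes survive */
    free(r);
}

/* A text object handed to a rect function is caught, because the tags differ. */
int demo_type_confusion(void)
{
    text_t t = { MAGIC_TEXT, "hello" };
    return rect_area(&t);                 /* -1, with a complaint on stderr */
}

/* The limit of the scheme: bytes that merely start with the tag are accepted. */
int demo_forged_tag(void)
{
    union { rect_t r; unsigned char bytes[sizeof(rect_t)]; } u;
    memset(&u, 0, sizeof u);
    uint32_t tag = MAGIC_RECT;
    memcpy(u.bytes, &tag, sizeof tag);
    return rect_area(u.bytes);            /* 0: treated as a zero-sized rect */
}
```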


Maybe Samsung has a running bet with Huawei over how much crappy code you can push to how many devices. Huawei is still very likely winning, as they had that period when they had to rewrite most of their router software after being outed as having stolen Cisco's code. They just plain wrote the same shit, but replaced everything good with about 2 bad things instead.


Is it that big industrial corporations are bad at creating code? Toyota, samsung, synaptic.

I'm really beginning to think that code should be left to smaller and medium sized outfits, i.e. Samsung should buy or hire a small startup to independently develop and grow their next ecosystem. Large enterprises just seem too clumsy to pull it off unless they wholly dedicate themselves to developing that one piece of technology.


The counter arguments include Google, Apple, Microsoft, etc.

I think the big vs small comparison is flawed. I've seen some atrocious code produced by small/medium sized outfits. My fondest memory includes auditing code from a 3 person outfit whose code quite literally set up an RPC on the server that executed any string it was sent, verbatim, against a database that handled money.


Those counter examples were all software startups. And have very very different cultures to other corporations their size due to their roots.


Is Samsung at this point really _that_ different in terms of semantics from those examples though? Obviously they are all unique and Samsung's location makes a big impact on their culture, but they hire a similar intelligence echelon of people, right? I don't know much about the internals of Samsung so maybe I'm missing something.


Samsung is primarily a home appliances corporation. Maybe their management treats TVs as "devices that display TV broadcasts" and phones as "devices for talking over distance". In this worldview there are no such things as "bugs", "vulnerabilities" or "software updates". The software inside these devices is of the same concern as the prints on the cardboard box. These devices, including phones, are sold at home appliance stores where "shop assistants" tell you things like "That's Ultra Mega HD Super" or "8 cores and water resistant case", and once an appliance is sold it is sold and no longer the company's problem. If it turns on and displays pictures then it works.


Hardware manufacturers have always been bad at writing software. Especially in certain Far East cultures where software engineering is traditionally not even considered "real engineering".


I'm very tempted to buy a Samsung TV (primarily for the low input lag times which make them good for gaming) and I plan to keep it offline (no WiFi or Ethernet connection), using a Chromecast and a HTPC+Kodi instead for streaming. With that in mind, should I be worried about security flaws?


Depends on your threat model.

From TFA: Another attack on Samsung Smart TVs was published last week that used malicious commands embedded in broadcast TV signals.

So, even if it's airgapped, a tv that's been compromised in this way is effectively a hostile general-purpose computer with a wifi card running inside your house.

If this is something you would do for a Klondike bar, then go ahead. I'll keep my dumb TV and my Kodi box, though.


Agreed. These "smart" TVs mostly run outdated and buggy software which is difficult if not impossible to update, either because of technical limitations or because the manufacturer doesn't care enough after getting your money.

So why bother with a "smart" TV if you're going to be using an external computer anyway? Saving a few hundred dollars to spend on that external computer seems like a better investment. I run a "dumb" big LG TV hooked up to a Raspberry Pi running Kodi via LibreELEC. I'm very happy with the set-up in terms of functionality and price.

Edit: the attack via signal is linked from the article, reading now.


> So why bother with a "smart" TV if you're going to be using an external computer anyway. Saving a few hundred dollars to spend on that external computer seems like a better investment.

I'm in the market for a 4k TV with low input lag. If you look at input lag tests (e.g., http://uk.rtings.com/tv/tests/inputs/input-lag) you'll see that every single TV listed there is a smart TV, at least in the 43"-50" range anyway. In fact, are there even such things as "dumb" TVs anymore?

That said, I've done some more research and realised that the LG UH6* range is actually also pretty good for low input lag and runs webOS to boot, so I think I'll go for an LG instead.


This doesn't surprise me. A company I used to work for fielded a team at most Pwn2Own competitions, and it was widely regarded as "not good sport" to take on a Samsung phone because they were so bad.


Is anyone the least surprised by this?


...Yes? I mean, Samsung is a big enough company with big enough profits to attract talented candidates and also be selective:

https://www.quora.com/How-would-you-prepare-for-the-Samsung-...

Furthermore, their mobile business is mature and well-known enough that even if they were staffed with complete amateurs whose legacy code was awful, Samsung has been a prominent player for a long time in terms of tech-biz-years. The chances are significant that they have among their ranks a wise-enough manager to realize that it's time to tackle technical debt. Or, in lieu of that, that Samsung would've by now had a come-to-Security-Jesus security fuckup traumatic enough to force a thorough audit and revamp.

Clearly that hasn't happened here so I'm interested in learning the details as they come out.


I interviewed for a position with one of their Smart TV software development teams. They gave me a simple-ish problem to solve. It needed to be C++ code, it needed to contain no mistakes (although they wouldn't give me a list of what they'd consider "mistakes"), and it had to be done in a plain text editor while talking to the interviewer on the phone.

I took from their "perfect on the first try" requirement for interviewing that their strategy for handling technical debt was supposed to be "don't create technical debt".


Maybe then security is less to do with individuals and more so company culture?


I would think that's pretty obvious but I guess not.


Samsung and security problems go together like peanut-butter and jelly or PHP and MySQL.


thankfully, due to the Wayland protocol, an attacker will not be able to take a screenshot of the device without direct user input.


I was hoping Samsung would do something with Tizen as opposed to Android. Sorry to hear this.


Theory: Samsung is just funding Tizen development to gain leverage over Android


Wasn't the main reason why they wrote Tizen? Because Google was pushing them around too much?


Samsung should have used Intel Appup instead.


Symbian! PonyOS! TempleOS! MS-DOS!


TempleOS would be an improvement.


Meego Harmattan :'(


In my alternate dream universe, my Nokia N9 continued to exist and be upgraded...


everything i've ever purchased from samsung has broken. i just don't even consider their gear now.


They have always had nice hardware and terrible, terrible software - way back in the J2ME days Samsung were the bane of my life.


Exactly. I love my galaxy but rooted and flashed it immediately. The bloatware was uncomfortably pervasive, specifically on my carrier. I have other samsung devices, and have had few non firmware issues.


I've got a TV from them, 8 years old now. The connection from the component cables is slightly "iffy", but everything else has been solid as a rock. I've had 2 Samsung bluray players. The first was a refurb and still works 90% of the time, but the 10% instances are read errors from the disk drive. After 7 years of use, I was happy with it for the price I paid. The replacement player seems OK so far, although there were a lot of "features" to disable. My Galaxy Nexus is still my favorite phone. I'd pay a lot for that phone, but with upgraded guts.


I can't believe there are still string overflow bugs. Might be a good idea to invest some time in Rust. On a side note, I have been looking for a good doc on how I can slowly migrate my existing code base step-by-step to Rust. A total rewrite is out of the question; we would rather ship our product step by step. Does anyone know of such a doc?


https://github.com/carols10cents/rust-out-your-c-talk

http://blog.adamperry.me/rust/2016/06/11/baby-steps-porting-...


Thanks!
