
<https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf>
This describes a lot of attacks, starting with a Linux server victim. Sounds like juicy stuff. I didn't find it so.
It didn't clearly say what vulnerabilities were being exploited.
The article hinted that a foothold was established via brute-force password guessing at logins. My servers only allow SSH logins, so this would not work on my machines. Does anyone still use passwords for logins facing the internet? Consumer crap (wireless routers, baby monitors, ...), I guess.
After the login, a kernel module is installed. Where does the privilege come from? An unmentioned hole?
There is a claim that this stuff is widespread and has been for a long time. I don't think any quantitative evidence is revealed.

On 5/9/20 5:22 PM, D. Hugh Redelmeier via talk wrote:
This describes a lot of attacks, starting with a Linux server victim. Sounds like juicy stuff. I didn't find it so.
It didn't clearly say what vulnerabilities were being exploited.
The article hinted that a foothold was established via brute-force password guessing at logins. My servers only allow SSH logins, so this would not work on my machines. Does anyone still use passwords for logins facing the internet? Consumer crap (wireless routers, baby monitors, ...), I guess.
There are buffer overflow hacks that crop up on a semi-regular basis. There are sloppy PHP, Ruby, Perl, Python, C, C++ ... programmers who do things that allow arbitrary command execution. There are occasional bugs that allow privilege escalation. There are bugs that allow data to be extracted from virtual machines running on some hypervisors. There have been bugs in cryptography protocols that have allowed information extraction and other attacks. These tend to get plugged but often the software running on real systems does not get updated nearly enough. I had a system hacked 20 years ago from having a system accidentally running sendmail which had a buffer overflow problem. It can easily happen and not just through bad passwords.
After the login, a kernel module is installed. Where does the privilege come from? An unmentioned hole?
All you need is a single set UID script with 777 permissions and I know of at least 1 company that would run chmod -R 777 /somedir to get around having to manage user/group ids. Also over the years there have been privilege escalation bugs.
There is a claim that this stuff is widespread and has been for a long time. I don't think any quantitative evidence is revealed.
Most all the above are sloppy systems admin and apply to just about every OS not just Linux. I found the repetition of the words "Open Source" a bit annoying. And the citing of hacks up to 10 years old. But I am sure the intent of the document is to scare people into buying BlackBerry security services. It's clearly trading on the current trend in China bashing. I have no doubt that China is sponsoring state hacking but then so is just about every other country in the world so in Canada we should be worried about China, Russia, U.S.A. equally. There are also criminals and corporate sponsored hackers to worry about. Add to that political groups aggressively targeting opposing political groups in the same country. There is WAY more to worry about than just China. I would say it was a crappy "dog whistle messaging" kind of article that is trying to leverage current fears to push a business agenda.
-- Alvin Starr || land: (647)478-6285 Netvel Inc. || Cell: (416)806-0133 alvin@netvel.net ||
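
A check for the permission state described in the message above (a tree opened up with `chmod -R 777`, or setuid/setgid files that other users can write), as an added example that is not part of the original thread. The function names and finding labels are illustrative choices, not from any tool mentioned here.

```python
import os
import stat

SETID = stat.S_ISUID | stat.S_ISGID


def classify(mode):
    """Map one st_mode value to a list of permission findings (empty = fine)."""
    findings = []
    if stat.S_ISREG(mode):
        if mode & SETID and mode & stat.S_IWOTH:
            findings.append("setid-world-writable")
        elif mode & SETID and mode & stat.S_IWGRP:
            findings.append("setid-group-writable")
        elif mode & stat.S_IWOTH:
            findings.append("world-writable-file")
    elif stat.S_ISDIR(mode):
        # /tmp-style directories (mode 1777) are expected; 0777 without the
        # sticky bit lets any user rename or delete other users' files.
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append("world-writable-dir-no-sticky")
    # Symlinks always report mode 0777 and are deliberately not classified.
    return findings


def audit_tree(root):
    """Walk root without following symlinks; return sorted (path, mode, finding)."""
    results = []

    def check(path):
        try:
            mode = os.lstat(path).st_mode
        except OSError:
            return  # entry vanished or is unreadable; skip it
        for finding in classify(mode):
            rel = os.path.relpath(path, root)
            results.append((rel, oct(stat.S_IMODE(mode)), finding))

    check(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return sorted(results)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, mode, finding in audit_tree(target):
        print(f"{mode:>7}  {finding:<30} {path}")
```

Run it against an application or data directory; any line it prints is a file or directory whose mode should be tightened and whose ownership should be reviewed.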

On Sat, 9 May 2020 23:10:12 -0400 Alvin Starr via talk <talk@gtalug.org> wrote: <snip> absolutely agree with everything you said.
It's clearly trading on the current trend in China bashing. I have no doubt that China is sponsoring state hacking but then so is just about every other country in the world so in Canada we should be worried about China, Russia, U.S.A. equally. There are also criminals and corporate sponsored hackers to worry about. Add to that political groups aggressively targeting opposing political groups in the same country. There is WAY more to worry about than just China. I would say it was a crappy "dog whistle messaging" kind of article that is trying to leverage current fears to push a business agenda.
it is weird that everyone is becoming very nationalistic in a time where the planet faces various crises as humanity. the small brains are still dividing the world into little pockets and the little pockets are more increasingly isolating themselves and now waging war with other pockets in a clash to control the most resources and generally fuck other pockets as much as possible. people everywhere are changing, what all of us are becoming is disgusting, if we were better, we would see this more clearly, but we are not. in the words of the Greatest President that has ever lived of the Greatest, Best, Strongest or Richest Country in the world, Donald Trump : "It is what it is"

On 2020-05-09 5:22 p.m., D. Hugh Redelmeier via talk wrote:
<https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf> ... There is a claim that this stuff is widespread and has been for a long time. I don't think any quantitative evidence is revealed.
Blackberry == QNX these days, and a company that exists to sell "not Linux" might reasonably have a hate on for a free OS. ISTR an embedded compiler company a few years ago used to come out with quite amusing "GCC = Death" hot takes. That's not to say they're producing bad products (the last time I used QNX it was quite lovely and rock solid) but it's not going to lose them any money to diss Linux. It's not like Blackberry's selling many phones right now ... /ducks Stewart

On Sun, 10 May 2020 at 13:38, John Moniz via talk <talk@gtalug.org> wrote:
Don't think QNX was ever a phone OS.

On Sun, May 10, 2020 at 01:41:41PM -0400, Scott Allen via talk wrote:
On Sun, 10 May 2020 at 13:38, John Moniz via talk <talk@gtalug.org> wrote:
Don't think QNX was ever a phone OS.
It was an excellent phone OS (far better than android) but no one wanted to support it with apps which pretty much killed its chances of staying around, so it didn't. -- Len Sorensen

---------- Original Message ---------- From: Lennart Sorensen via talk <talk@gtalug.org> Date: May 11, 2020 at 11:08 AM
On Sun, May 10, 2020 at 01:41:41PM -0400, Scott Allen via talk wrote:
> On Sun, 10 May 2020 at 13:38, John Moniz via talk <talk@gtalug.org> wrote:
> > Don't think QNX was ever a phone OS.
>
> https://en.wikipedia.org/wiki/BlackBerry_10
It was an excellent phone OS (far better than android) but no one wanted to support it with apps which pretty much killed its chances of staying around, so it didn't.
Is BB10 any closer to QNX than Android is to Linux? It sounds like I'm wrong but thought they both evolved far enough from their roots to have their own name. John.
-- Len Sorensen

On Mon, May 11, 2020 at 11:35:18AM -0400, John Moniz via talk wrote:
Is BB10 any closer to QNX than Android is to Linux? It sounds like I'm wrong but thought they both evolved far enough from their roots to have their own name.
Well BB10 of course had a GUI framework for apps, which I don't think had anything to do with QNX, although I am not sure if QNX ever had any particular GUI interface in particular. I have seen a number of different ones running on top of QNX over the years. Certainly a shell on a BB10 device looked a lot more like QNX than I have ever seen on an android device. Android apps are java based, BB10 seems to be C++ or javascript/QML for the most part. I guess that implies BB10 is QT based for the GUI. Android's runtime has nothing to do with other Linux systems at all. It only uses the kernel. -- Len Sorensen

| From: Lennart Sorensen via talk <talk@gtalug.org>
|
| Well BB10 of course had a GUI framework for apps, which I don't think
| had anything to do with QNX, although I am not sure if QNX ever had
| any particular GUI interface in particular. I have seen a number of
| different ones running on top of QNX over the years.
The "Photon MicroGUI". I don't know if it is currently supported.
I remember reading an ad in Byte (I think) a long time ago (obviously) from QNX (before RIM bought them). They offered a floppy-size bootable system with this GUI. This is probably it:
<https://www.youtube.com/watch?v=K_VlI6IBEJ0>
<https://archive.org/details/QNX_incredible_1.44m_demo_v4.0>
Pretty amazing size for the PC world, even then. Not so amazing to the original Mac, Amiga, Atari ST, or CoCo III users.

On 2020-05-11 01:55 PM, D. Hugh Redelmeier via talk wrote:
I remember reading an ad in Byte (I think) a long time ago (obviously) from QNX (before RIM bought them). They offered a floppy-size bootable system with this GUI. This is probably it:
I have every paper issue of Byte on the shelf behind me. I don't recall seeing videos in any of them. ;-)

On 2020-05-11 02:02 PM, James Knott wrote:
On 2020-05-11 01:55 PM, D. Hugh Redelmeier via talk wrote:
I remember reading an ad in Byte (I think) a long time ago (obviously) from QNX (before RIM bought them). They offered a floppy-size bootable system with this GUI. This is probably it:
I have every paper issue of Byte on the shelf behind me. I don't recall seeing videos in any of them. ;-)
I just pulled out the Aug. 1990 issue of Byte and found, on page 281, "The QNX operating system - A real time Unix-like operating system for the low-end PC" by Tom Yager. At the end of the article is contact info for Quantum Software Systems, in Kanata, complete with phone number.

---------- Original Message ---------- From: James Knott via talk <talk@gtalug.org> Date: May 11, 2020 at 2:02 PM
On 2020-05-11 01:55 PM, D. Hugh Redelmeier via talk wrote:
> I remember reading an ad in Byte (I think) a long time ago (obviously)
> from QNX (before RIM bought them). They offered a floppy-size
> bootable system with this GUI. This is probably it:
>
> <https://www.youtube.com/watch?v=K_VlI6IBEJ0>
I have every paper issue of Byte on the shelf behind me. I don't recall seeing videos in any of them. ;-)
They're byte size videos.

On Mon, May 11, 2020 at 01:55:21PM -0400, D. Hugh Redelmeier via talk wrote:
The "Photon MicroGUI". I don't know if it is currently supported.
I remember reading an ad in Byte (I think) a long time ago (obviously) from QNX (before RIM bought them). They offered a floppy-size bootable system with this GUI. This is probably it:
<https://www.youtube.com/watch?v=K_VlI6IBEJ0>
<https://archive.org/details/QNX_incredible_1.44m_demo_v4.0>
Pretty amazing size for the PC world, even then. Not so amazing to the original Mac, Amiga, Atari ST, or CoCo III users.
I remember those floppies. The fact it included networking and a browser and some other apps was quite impressive. But yes as an Amiga user, it was only slightly impressive. -- Len Sorensen

On 2020-05-11 1:55 p.m., D. Hugh Redelmeier via talk wrote:
from QNX (before RIM bought them). They offered a floppy-size bootable system with this GUI. This is probably it:
Thanks for the link. First time I've seen the GUI for QnX. As a programmer I really liked the mechanism for passing messages between tasks. I've seen other libraries try to emulate it for Linux. -- Cheers! Kevin. http://www.ve3syb.ca/ | "Nerds make the shiny things that https://www.patreon.com/KevinCozens | distract the mouth-breathers, and | that's why we're powerful" Owner of Elecraft K2 #2172 | #include <disclaimer/favourite> | --Chris Hardwick

On 2020-05-10 01:38 PM, John Moniz via talk wrote:
I have a Blackberry Android phone. Don't think QNX was ever a phone OS.
According to this, Blackberry 10 is based on QNX. https://en.wikipedia.org/wiki/BlackBerry_10

On Sun, 10 May 2020 at 11:01, James Knott via talk <talk@gtalug.org> wrote:
On 2020-05-10 10:05 AM, Stewart C. Russell via talk wrote:
Blackberry == QNX these days
Didn't they move to Android a few years back, at least for some models?
Yep. In 2016, they contracted out building of phones to TCL. https://www.theverge.com/2016/9/28/13088362/blackberry-stop-making-phones (I always somewhat double-take when I see anything branded TCL, for the obvious reason!) The deal with TCL ends this August, so it's not evident that they'll have any hardware offerings anymore. The Playbook was interesting in this regard; the kernel was QNX, but it had an Android layer, and that would have been an interesting take on "doing Android" in the marketplace; I don't think that strategy made it to any of the phone offerings. I'm wrong on that, it turns out; "Blackberry 10" was indeed QNX underneath... https://en.wikipedia.org/wiki/BlackBerry_10 There were around a dozen phones released (some not actually released) on "Blackberry 10" between 2013 and 2015, and later editions did indeed have an Android "runtime" to allow running some Android apps. So I suppose we could say it's both a dessert wax, and a floor topping ;-) -- When confronted by a difficult problem, solve it by reducing it to the question, "How would the Lone Ranger handle this?"

| From: Christopher Browne via talk <talk@gtalug.org>
|
| The Playbook was interesting in this regard; the kernel was QNX, but it had
| an Android layer,
The Playbook ran proto BB10 OS. BB promised an update to BB10 but reneged.
That was the first and last BB product I purchased. Grrr.
Like Palm/HP WebOS, their phone/tablet OS was fine but their ecosystem attracted few 3rd party developers. So only a minority of consumers saw the value.
Adding an emulator has often seemed to be a sign of a company with trouble attracting developers. And that strategy doesn't work because it gives the developers an easy way of supporting the hardware without committing to it.
An exception: if the company owns the new platform and the emulated platform. Examples: Windows emulating DOS, 64-bit x86 emulating 32-bit x86, 32-bit x86 emulating 16-bit x86.
Another exception: if the emulation is a lot cheaper than the real thing. Think of the Multics emulator on your PC. Or the terminal emulator.
BlackBerry also sells software for enterprises to manage phones and things. I think that they even do OK (too lazy to check).
QNX is (I think) quite a solid system. It has a serious niche in the automotive world. My guess is that it will be crushed by Linux.
- QNX is better for real-time things
- QNX can be a lot leaner than Linux
- Linux's development model is a lot better for collaboration and for innovation without permission.
BB does use Linux internally. Or did, last time I knew anything about them. I don't see how that could change.

On Mon, May 11, 2020 at 12:45:57AM -0400, D. Hugh Redelmeier via talk wrote:
The Playbook ran proto BB10 OS. BB promised an update to BB10 but reneged.
That was the first and last BB product I purchased. Grrr.
Like Palm/HP WebOS, their phone/tablet OS was fine but their ecosystem attracted few 3rd party developers. So only a minority of consumers saw the value.
Oh yes the OS running LG televisions these days.
Adding an emulator has often seemed to be a sign of a company with trouble attracting developers. And that strategy doesn't work because it gives the developers an easy way of supporting the hardware without committing to it.
An exception: if the company owns the new platform and the emulated platform. Examples: Windows emulating DOS, 64-bit x86 emulating 32-bit x86, 32-bit x86 emulating 16-bit x86.
Another exception: if the emulation is a lot cheaper than the real thing. Think of the Multics emulator on your PC. Or the terminal emulator.
BlackBerry also sells software for enterprises to manage phones and things. I think that they even do OK (too lazy to check).
QNX is (I think) quite a solid system. It has a serious niche in the automotive world. My guess is that it will be crushed by Linux.
- QNX is better for real-time things
- QNX can be a lot leaner than Linux
- Linux's development model is a lot better for collaboration and for innovation without permission.
BB does use Linux internally. Or did, last time I knew anything about them. I don't see how that could change.
A lot of automotive designs use QNX. There are some moving from other realtime OSs to QNX since it seems to be the best supported and flexible these days. If you need realtime, Linux isn't a good choice (it is a choice of course, just not good at it). And of course some companies fear GPL. -- Len Sorensen

On 2020-05-11 12:45 a.m., D. Hugh Redelmeier via talk wrote:
QNX is (I think) quite a solid system. It has a serious niche in the automotive world. My guess is that it will be crushed by Linux.
- QNX is better for real-time things
- QNX can be a lot leaner than Linux
I liked QnX. It used a micro kernel architecture. I used it on 286, and later 386, based computers when I was working for a market research company back in the DOS era pre-Windows. I used versions 2 and 3 of it. GUI stuff wasn't added to QnX until version 4. I never used QnX version 4. The 386 and 486 computers were fast enough that I was able to port the entire system to DOS only. I don't often hear about QnX. Interesting to hear of it used in a commercial product. -- Cheers! Kevin. http://www.ve3syb.ca/ | "Nerds make the shiny things that https://www.patreon.com/KevinCozens | distract the mouth-breathers, and | that's why we're powerful" Owner of Elecraft K2 #2172 | #include <disclaimer/favourite> | --Chris Hardwick

On Mon, May 11, 2020 at 11:55:27AM -0400, Kevin Cozens via talk wrote:
I liked QnX. It used a micro kernel architecture. I used it on 286, and later 386, based computers when I was working for a market research company back in the DOS era pre-Windows. I used versions 2 and 3 of it. GUI stuff wasn't added to QnX until version 4. I never used QnX version 4. The 386 and 486 computers were fast enough that I was able to port the entire system to DOS only. I don't often hear about QnX. Interesting to hear of it used in a commercial product.
Well according to a press release from last June, QNX CAR is in over 150 million cars in the infotainment system, (and dashboard management in many cases since those are often combined now). They list Audi, BMW, Ford, GM, Honda, Hyundai, Jaguar, Land Rover, KIA, Maserati, Mercedes-Benz, Porsche, Toyota and Volkswagen as users of it. And that's just QNX CAR, not counting all their other variants for other markets. -- Len Sorensen

On Mon, May 11, 2020 at 12:45:57AM -0400, D. Hugh Redelmeier via talk wrote:
Like Palm/HP WebOS, their phone/tablet OS was fine but their ecosystem attracted few 3rd party developers. So only a minority of consumers saw the value.
Ecosystem... I hear this a lot but don't understand it. My old phone died, and I'm looking for a new phone. The apps that I use are already "builtin" in all phones (be it, Android, iPhone, or old BlackBerry). So, my next phone will be based on price and quality. That's it! -- William Park <opengeometry@yahoo.ca>

On Mon, May 11, 2020 at 12:32 PM William Park via talk <talk@gtalug.org> wrote:
On Mon, May 11, 2020 at 12:45:57AM -0400, D. Hugh Redelmeier via talk wrote:
Like Palm/HP WebOS, their phone/tablet OS was fine but their ecosystem attracted few 3rd party developers. So only a minority of consumers saw the value.
Ecosystem... I hear this a lot but don't understand it. My old phone died, and I'm looking for a new phone. The apps that I use are already "builtin" in all phones (be it, Android, iPhone, or old BlackBerry). So, my next phone will be based on price and quality. That's it!
How in the bleeping blazes does one determine quality in the mess that is the 'stupid' phone market today? Regards

On 2020-05-11 03:07 PM, o1bigtenor via talk wrote:
Ecosystem... I hear this a lot but don't understand it. My old phone died, and I'm looking for a new phone. The apps that I use are already "builtin" in all phones (be it, Android, iPhone, or old BlackBerry). So, my next phone will be based on price and quality. That's it!
How in the bleeping blazes does one determine quality in the mess that is the 'stupid' phone market today?
Same way as anything else, reputation. Google phones tend to be good quality. Same with Samsung (other than batteries ;-)). In my experience LG tends not to be the best. iPhones may be OK quality, but are overpriced. BTW, I have had 3 Google smart phones, a Nexus 1 made by HTC, Nexus 5, LG and Pixel 2, HTC. The 2 HTC made phones were very good quality. The LG, not so much. I also had an LG computer monitor that I wasn't thrilled with.