• (nodebb)

    It occurs to me to suggest that when your company shifts from physico-mechanical products to software-defined products (as at Inilock), software development suddenly becomes an essential core competency, and one you don't have. Hiring consultants to help you develop the core competency is OK. Hiring them to do the work is not OK.

  • ThunderBird89 (unregistered)

    Oh my dog. That is EERILY similar to how the smart lock my company bought (to avoid having to hand out physical keys to everyone) functioned. Or did not function, a lot of the time.

    We ended up ditching the native control architecture and just running a homebrewed smart home system internally, which now works a lot better and is infinitely more stable.

  • Sauron (unregistered)

    These consultants went out and build [...] a homegrown TCP protocol

    WTF? Was the TCP protocol too standard for them? Are there even reasonable use cases for rolling out one's own mutant version of the internet standard protocols for something like that?

    it would broadcast out the new configuration to all the locks via a homegrown TCP protocol. It would read the data from the database, convert it to XML, blast the XML across a TCP socket to each client

    Sending XML files over TCP? If only someone had created, I don't know, maybe HTTP. I mean, this is ridiculous, if they really needed to work at the TCP level, serializing their data in a format like XML is just cumbersome.

    but when Christian cashes his checks for being a consultant, he at least knows he made things better.

    And he may need to spend part of that money on therapy, so I don't know if it was worth it. Massive trainwrecks of toxic software probably leave deep traumas.

  • (nodebb)

    They used an MS-SQL database. I'm surprised they didn't opt for an Access solution. (or an Excel spreadsheet, for that matter.)

  • (nodebb)

    So let me get this straight. As someone who deals with security, and is very, very skeptical of IoT connected systems that are not core-internet devices (washing machines, tumble driers, microwaves, fridgets, etc.) and ESPECIALLY those which deal with security (Alarms, door locks, etc.) - they rolled their own TCP network stack...

    They. Rolled. Their. Own. TCP. Network. Stack.

    That means it was effectively unsecured. Ready to be MITM'd to fuck and back, and totally unfit for purpose.

    And people wonder why I won't give up my keys. At least lockpicking takes practice and effort.

  • TS (unregistered) in reply to Steve_The_Cynic

    Or you take over a company that already has the core competency.

  • Zed (unregistered) in reply to Peter Street

    Little click out of one, two is binding...

  • (nodebb) in reply to Peter Street

    They. Rolled. Their. Own. TCP. Network. Stack.

    It sounds to me like they at least didn't do that, and it was just a custom protocol sitting directly on top of TCP. I've seen network stacks done from raw (mostly because the hardware on which they were running didn't have space for anything more standard) and it wasn't pretty and it was an awkward mess to debug. Being able to use someone else's networking code is a huge benefit; there are even hardware accelerators for those who feel reasonably flush with cash.

    Using your own TCP-based protocol is still rather dodgy, but isn't nearly as bad as redoing the whole thing on top of UDP or direct Ethernet frames. Don't go there!

  • LZ79LRU (unregistered) in reply to dkf

    Using your own TCP-based protocol is still rather dodgy, but isn't nearly as bad as redoing the whole thing on top of UDP or direct Ethernet frames. Don't go there!

    Oh come on now. Who are we to judge. I say let he who has not implemented their own TCP on nothing but raw hardware, real or emulated cast the first stone. Hell I did mine in LUA of all languages.

  • (nodebb) in reply to Sauron

    I don't think he meant they replaced TCP, I think he meant "homegrown TCP-based protocol", i.e. they designed their own application protocol. Or in this case, it sounds like a non-protocol -- it just sends each XML document as a single write() to the TCP socket, and the client performs a single read() and tries to parse it.

  • Jere (unregistered)

    So, we can probably rest assured that the system was built on top of a cryptographically sound PKI architecture.

  • Deeseearr (unregistered) in reply to TS

    Or you take over a company that already has the core competency.

    And then fire everybody, and bring in consultants to help you make sense of the mess.

    That's just good business, right?

  • Brian (unregistered) in reply to Steve_The_Cynic
    It occurs to me to suggest that when your company shifts from physico-mechanical products to software-defined products (as at Inilock), software development suddenly becomes an essential core competency, and one you don't have.

    Sounds familiar. I used to work at a company that produced avionics devices, and it was clear they had a very hardware-first mindset. They even had their own manufacturing facility on-site. The software that ran all their expensive gadgets, and the devs who wrote it, were generally treated as somewhere between an afterthought and a necessary evil.

  • (nodebb) in reply to Sauron

    I mean yes. the reason is billable hours. Writing your own garbage = more time spent coding = more $$$

  • Pablo (unregistered) in reply to Zed

    Nothing on four, unhandled exception on five...

  • Duke of New York (unregistered)

    Of course there wasn't CI/CD and it's a fluke that there was a source repository. Both assume an ongoing support team.

  • Worf (unregistered)

    Did anyone else think after all that work developing the lock that LockPickingLawyer will come around and be inside the building within seconds?

    I mean, most smart locks generally are horrendously bad so there probably was a gigantic security hole that would let someone into their system if they knew where to look.

    Or for those people whose systems locked up and thus locked out, LPL would show them how to get in without needing pesky keys or anything.

  • Splatmandeux (unregistered) in reply to dkf

    My favorite paradigm is implementing TCP with UDP. Because parsing byte-streams is hard yo (*). We're talking message ordering, retransmit timeouts, CRC checks, keep-alives, etc. In UDP, over bog-standard ethernet on a closed network. (**)

    Very popular in industries with lots of mechanical engineers shanghaied into software development. Especially ones that involve very heavy objects traveling at high speeds.

    (*) UDP presents a pseudo-record-oriented interface vs TCP's stream-of-bytes. For amateur programmers, it's easier because you don't have to deal with framing your byte stream, or deal with 'short-read' cases from the BSD socket APIs

    (**) Every one of these points is already handled by TCP natively.

  • LPL (unregistered) in reply to Pablo

    And we're in. With a buffer overflow, and a fail-open as a result of the unhandled exception in the exception handler.

    Now let's repeat that to show it wasn't a fluke.

  • (nodebb)

    Hardware oriented industries that take software as after though or necessarily evil? Hey, welcome to your typical big auto company conglomerate. All the "legacy" ones that can't seem to understand modern cars are basically computers on wheels.

    To make it worse, add layers of management who have "solved" the problem by adding a CAN bus and then subcontract all the parts to external entities. They are all iso9001 certified and using a standard protocol, so it will all be fine, right? See,'ma, don't even need integration tests!

  • (nodebb) in reply to Ralf

    Seems familiar. I am working on a long running automotive industry simulation project. Though not on the "necessary evil" level, we don't have a single software-first person involved, so insights like the necessity of reproducible automated testing came slowly.

    Sadly this means that the software wasn't written with unit tests in mind and mutable global state is everywhere, making creating them for anything but utility functions a nightmare.

    Also, prototypes going straight into production and then being "bug fixed" with new features, often suffering from simplifying assumptions of the early prototype stage.

    Which, again, are risky to fix because of the lack of automated testing.

    And this isn't even with "software as an afterthought". More like "mathematicians and engineers can program so let them".

    Yes, we can program, but with rare exceptions we have no clue about software development aspects, like clean Interfaces, why not to slap extra option flags on existing code if it can be avoided, etc.

  • aj (unregistered)

    Code monkeys who throws an entire data structure into TCP socket send() and expect it back complete on the other side by calling recv() are so ubiquitous that I check that at the first moment some networked widget fails. In my job these widgets controls dangerous and/or expensive physical things...

  • Dr Spooner built my spear (unregistered) in reply to Sauron

    "And he may need to spend part of that money on therapy, so I don't know if it was worth it. Massive trainwrecks of toxic software probably leave deep traumas."

    OTOH there are those out there who enjoy this sort of work: taking an ugly codebase of a dysfunctional system and making it moderately functional. It even more fun if you can take great swathes of code and pour them down the metaphorical toilet because you're replaced them with standard commercial building blocks.

    Hats off to Christian, and long may he ride.

  • (nodebb) in reply to Domin Abbus

    MS SQL server is actually the second best mid-tier relational ACID DB out there behind Postgres, considering standard conformity, performance and cost. I has nothing to do with Access :D

  • Officer Johnny Holzkopf (unregistered) in reply to DocMonster

    This is what you get, i. e., what you have to spend, if you fail to hire and pay (!) qualified and skilled programmers who are able to work on whatever your company produces (be it a product or a service), or who are able to quickly learn those skills required. In reality, you'll often find unskilled and disinterested "code typers" who can only fail at any given task. The idea of involving HPCs to solve that mess (even / especially if the mess has been generated by previous HPCs) is not a solution. Reality shows this. All the time. Nobody seems to care. Poor souls like Christian then have to deal with it. Additional motivation (aside of $$$) can be provided by good old-fashioned PHB pep talk: "Make it work! Now! Type faster! I want to see results, what am I paying you for?!"

  • (nodebb) in reply to dkf

    Sometimes it can actually be surprisingly effective. I was asked to analyse a TCP... well not so much a stack but maybe two plates on top of each other, that some embedded systems guys with a severe case of NIH-ism had written. It was actually remarkably robust because it didn't support 99% of what's in any normal TCP stack, the attack surface was close to zero because there was nothing there to attack.

  • (nodebb) in reply to Jere

    No, re-read the OP again, it actually worked a lot of the time, so there can't have been any PKI present.

  • (nodebb)

    TRWTF is outsourcing the defining core aspect of their business to one-time contractors. They REALLY had it coming.

  • (nodebb) in reply to Allexxann

    TRWTF is outsourcing the defining core aspect of their business to one-time contractors. They REALLY had it coming.

    Maybe they had heard that outsourcing to low-salary countries is a bad idea and thought that outsourcing to HPCs solves the issue, because, as we all know, money = quality.

  • (nodebb) in reply to R3D3

    From the context it's implied their HPC were from a low-salary country.

  • sad (unregistered)
    Comment held for moderation.

Leave a comment on “Picking Your Consultants”

Log In or post as a guest

Replying to comment #:

« Return to Article