[Interest] Roland Qml

Roland Hughes roland at logikalsolutions.com
Tue Jul 14 13:24:45 CEST 2020


On 7/14/20 5:00 AM, interest-request at qt-project.org wrote:
>> Let us not forget that QML+JavaScript is completely insecure in the
>> OpenSource world. All of that JavaScript gets stuffed into the binary
>> you ship as free text. Anyone with a decent text editor can read/extract
>> your super secret proprietary algorithms. Worse yet, anyone with enough
>> patience can change a binary in the field.
> Then use some filesystem-level protection mechanism like dm-verity.
>
> That will prevent replacing the binaries altogether, whether done by the way
> of editing some text inside or by recompiling.
>
> PS: QML is usually not found in clear text inside the binary because rcc
> attempts to compress and text compresses really well. You need to actually
> reverse engineer to find the compressed text content. It's not very difficult,
> but it is one step up from trivial.

When I was at a client site just over a year ago they were using an 
off-shore team that tried to do 100% of the project in QML and 
JavaScript because you can find those people for absolutely no money. 
They have no formal education with respect to computer science. Just 
read half a "Teach Yourself How to Be Totally Useless or Less in 24 
Hours" type book on JavaScript and hung out a shingle. I opened the 
binary with, I think SublimeText, perhaps KATE, doesn't matter, just a 
text editor. There it was. All the JavaScript code. I know because in 
the other frame I was looking at the actual source. The developer 
sitting beside me didn't believe me. He used Eclipse for everything. 
Ba-da-bing ba-da-boom, there it was.

This is the identity theft (or worse) security breach Qt has unleashed 
upon the world. There is no safety in the environment. Things have been 
dumbed down so people with no formal training can purchase a license and 
ticking time bombs are being released every day.

I lay awake at night filled with complete dread about the medical 
devices previously and currently being developed using dirt cheap low 
skilled off-shore teams because they are "priced right" trying to do the 
entire thing in QML and JavaScript. A token few will even believe that 
one-and-done OpenSource security is actually secure, so they won't 
optically isolate network communications from the actual device via an 
I/O appliance with its own processor and memory. They get in, open up 
the binary with a text editor, change what the JavaScript does, then 
save the binary.

To the doctors and nurses it looks like the 100-or-so other of these devices 
the hospital has. This one, at random intervals, kills patients. It will 
be months and perhaps thousands of dead patients before anyone suspects 
anything, depending on the device. With something like a ventilator, people 
don't have high survival rates being on one in the first place. An infusion 
pump for a cancer patient would attract slightly more suspicion by 
offing cancer patients where the disease was caught early.

All because the JavaScript was brought along in the binary as text.

How about all of those "apps" in the app stores written by people with 
no formal training "because they can" with QML? They won't kill people, 
but they could make the Equifax breach look small time.

-- 
Roland Hughes, President
Logikal Solutions
(630)-205-1593

http://www.theminimumyouneedtoknow.com
http://www.infiniteexposure.net
http://www.johnsmith-book.com
http://www.logikalblog.com
http://www.interestingauthors.com/blog
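The two claims in this exchange, that QML/JavaScript can be read straight out of a shipped binary with a text editor, and that rcc usually compresses it so you have to inflate it first, can both be checked with a short scanner. The script below is an added example, not code from the post or from Qt. It builds a constructed stand-in "binary" in memory (an ELF-like header, a plain-text copy of a made-up QML file, and a zlib-compressed copy prefixed with a 4-byte big-endian length, which is the layout I assume Qt 5 rcc uses for zlib-compressed resources; the scanner itself does not depend on that layout) and then recovers the QML both ways: a strings-style scan for printable runs, and a brute-force search for zlib stream headers followed by an attempt to inflate from each one. Newer rcc builds can also emit zstd-compressed resources, which this script does not handle.

```python
"""Recover QML/JavaScript text from a binary, plain or zlib-compressed.

Added example; not part of the mailing-list post or of Qt itself.
The sample 'binary' is constructed inline so the script runs offline.
"""
import re
import zlib

# Constructed sample QML (not from any real project).
SAMPLE_QML = b"""import QtQuick 2.12
Rectangle {
    function checkLicense(key) { return key === "SECRET-1234"; }
}
"""

# Regex that flags a printable run as probably QML/JavaScript.
QML_HINT = re.compile(rb"import\s+QtQuick|QtObject|\bfunction\s+\w+\s*\(")

# Two-byte zlib headers for the common window size/level combinations.
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")


def build_sample_binary() -> bytes:
    """Constructed stand-in for a shipped executable.

    Layout: fake ELF magic, padding, the QML as clear text (what the
    original poster saw in a text editor), padding, then a 4-byte
    big-endian uncompressed length followed by a zlib stream (assumed
    Qt 5 rcc layout for zlib-compressed resources), and trailing padding.
    """
    length_prefix = len(SAMPLE_QML).to_bytes(4, "big")
    compressed = zlib.compress(SAMPLE_QML, 9)
    return (b"\x7fELF" + b"\x00" * 64 + SAMPLE_QML + b"\x00" * 64
            + length_prefix + compressed + b"\x00" * 16)


def find_plain_text(blob: bytes, min_len: int = 8) -> list[bytes]:
    """Equivalent of running `strings` and grepping for QML/JS markers."""
    pattern = rb"[\x20-\x7e\n\t]{%d,}" % min_len
    return [run for run in re.findall(pattern, blob) if QML_HINT.search(run)]


def find_zlib_streams(blob: bytes, max_out: int = 4 * 1024 * 1024) -> list[tuple[int, bytes]]:
    """Try to inflate at every candidate zlib header.

    Returns (offset, decompressed_bytes) for each position where a
    complete stream, adler32 checksum included, inflates cleanly.
    Random data almost never passes the checksum, so false positives
    are rare; max_out caps output against decompression bombs.
    """
    found = []
    for offset in range(len(blob) - 1):
        if blob[offset:offset + 2] not in ZLIB_HEADERS:
            continue
        inflater = zlib.decompressobj()
        try:
            out = inflater.decompress(blob[offset:], max_out)
        except zlib.error:
            continue  # header bytes by coincidence, not a real stream
        if inflater.eof and out:
            found.append((offset, out))
    return found


def recover_qml(blob: bytes) -> list[bytes]:
    """Plain-text hits plus inflated streams that look like QML/JS."""
    hits = find_plain_text(blob)
    for _offset, data in find_zlib_streams(blob):
        if QML_HINT.search(data):
            hits.append(data)
    return hits


def scan_file(path: str) -> list[bytes]:
    """Run the recovery against a real file on disk (hypothetical path)."""
    with open(path, "rb") as fh:
        return recover_qml(fh.read())


if __name__ == "__main__":
    sample = build_sample_binary()
    print("plain-text hits:", len(find_plain_text(sample)))
    for offset, data in find_zlib_streams(sample):
        print(f"zlib stream at offset {offset}, {len(data)} bytes inflated")
    for qml in recover_qml(sample):
        print(qml.decode())
```

Against a real Qt binary you would call scan_file() on the executable or on the .rcc/.so holding the resources; plain-text hits correspond to resources rcc left uncompressed (the default when compression does not pay off, or when built with -no-compress), and inflated streams to the ones it compressed. Note that neither check says anything about whether the binary has been modified in the field; that is the dm-verity point in the quoted reply, which works at the block-device level and is independent of how the resources are stored.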
