[Interest] Roland Qml
Roland Hughes
roland at logikalsolutions.com
Tue Jul 14 13:24:45 CEST 2020
On 7/14/20 5:00 AM, interest-request at qt-project.org wrote:
>> Let us not forget that QML+JavaScript is completely insecure in the
>> OpenSource world. All of that JavaScript gets stuffed into the binary
>> you ship as free text. Anyone with a decent text editor can read/extract
>> your super secret proprietary algorithms. Worse yet, anyone with enough
>> patience can change a binary in the field.
> Then use some filesystem-level protection mechanism like dm-verity.
>
> That will prevent replacing the binaries altogether, whether done by the way
> of editing some text inside or by recompiling.
>
> PS: QML is usually not found in clear text inside the binary because rcc
> attempts to compress and text compresses really well. You need to actually
> reverse engineer to find the compressed text content. It's not very difficult,
> but it is one step up from trivial.
When I was at a client site just over a year ago they were using an
off-shore team that tried to do 100% of the project in QML and
JavaScript because you can find those people for absolutely no money.
They have no formal education with respect to computer science. Just
read half a "Teach Yourself How to Be Totally Useless or Less in 24
Hours" type book on JavaScript and hung out a shingle. I opened the
binary with, I think SublimeText, perhaps KATE, doesn't matter, just a
text editor. There it was. All the JavaScript code. I know because in
the other frame I was looking at the actual source. The developer
sitting beside me didn't believe me. He used Eclipse for everything.
Ba-da-bing ba-da-boom, there it was.
This is the identity theft (or worse) security breach Qt has unleashed
upon the world. There is no safety in the environment. Things have been
dumbed down so people with no formal training can purchase a license and
ticking time bombs are being released every day.
I lay awake at night filled with complete dread about the medical
devices previously and currently being developed using dirt cheap low
skilled off-shore teams because they are "priced right" trying to do the
entire thing in QML and JavaScript. A token few will even believe that
one & done OpenSource security is actually secure so they won't
optically isolate network communications from the actual device via an
I/O appliance with its own processor and memory. They get in, open up
the binary with a text editor, change what the JavaScript does, then
save the binary.
To the doctors and nurses it looks like the roughly 100 other such devices
the hospital has. This one, at random intervals, kills patients. It will
be months and perhaps thousands of dead patients before anyone suspects
anything, depending on the device. With something like a ventilator, people
don't have high survival rates being on one in the first place. An infusion
pump for a cancer patient would attract slightly more suspicion by
offing cancer patients where the disease was caught early.
All because the JavaScript was brought along in the binary as text.
How about all of those "apps" in the app stores written by people with
no formal training "because they can" with QML? They won't kill people,
but they could make the Equifax breach look small time.
--
Roland Hughes, President
Logikal Solutions
(630)-205-1593
http://www.theminimumyouneedtoknow.com
http://www.infiniteexposure.net
http://www.johnsmith-book.com
http://www.logikalblog.com
http://www.interestingauthors.com/blog
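As an added example (not code from this thread, from Qt, or from rcc), a release-gate check a build team could run over its own artefact before shipping: the raw-string scan that the text-editor test in the post amounts to, the same scan repeated after inflating embedded zlib streams (what rcc's compression defeats and what it does not), and a hash comparison of the kind dm-verity enforces at boot. The sample "binary" layout, the QML snippet and the marker patterns are all constructed for illustration; the layout is not the real rcc resource format.

```python
"""Release gate: does a shipped artefact still expose its QML/JavaScript?"""
import hashlib
import re
import zlib

# Patterns common in QML/JavaScript source and rare in compiled code (constructed list).
QML_MARKERS = (rb"import\s+QtQuick", rb"\bproperty\s+\w+\s+\w+\s*:", rb"\bfunction\s+\w+\s*\(")

# Constructed QML standing in for a vendor's "proprietary" device logic.
SAMPLE_QML = b"""import QtQuick 2.15
Item {
    property real doseLimit: 40.0
    function computeDose(weightKg) { return Math.min(weightKg * 0.5, doseLimit) }
}
"""

def build_sample_binary(qml: bytes, compressed: bool) -> bytes:
    """Constructed stand-in for an executable with one embedded QML resource."""
    payload = zlib.compress(qml) if compressed else qml
    return b"\x7fELF" + b"\x00" * 32 + payload + b"\x00" * 32

def scan_cleartext_qml(blob: bytes) -> list:
    """Markers a plain text editor would show; a non-empty result fails the gate."""
    return [m.decode() for m in QML_MARKERS if re.search(m, blob)]

def scan_inflated_qml(blob: bytes) -> list:
    """Inflate every zlib stream in the blob and rescan, so a clean cleartext
    scan is not mistaken for confidentiality: compression is not protection."""
    found = set()
    for hit in re.finditer(rb"\x78[\x01\x5e\x9c\xda]", blob):  # common zlib headers
        try:
            found.update(scan_cleartext_qml(zlib.decompress(blob[hit.start():])))
        except zlib.error:  # not a real stream, just a matching byte pair
            continue
    return sorted(found)

def sha256_hex(blob: bytes) -> str:
    """Digest to compare against the signed-off release manifest."""
    return hashlib.sha256(blob).hexdigest()

def release_gate(blob: bytes, expected_sha256: str) -> dict:
    """What the artefact exposes, and whether it is the artefact that was signed off."""
    return {
        "cleartext_markers": scan_cleartext_qml(blob),
        "inflated_markers": scan_inflated_qml(blob),
        "hash_matches": sha256_hex(blob) == expected_sha256,
    }
```

Only the hash check catches the in-field edit the post describes; the two scans tell you how much effort that edit takes, not whether it happened.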