23 comments

[ 0.18 ms ] story [ 57.8 ms ] thread
> Linux can be made to run — just barely — in as little as 4MB of RAM

Yep we have come a long way from Slackware 2.0. How times change.

I have been following Azure Sphere since the early days, but what I still miss from all available documentation and presentations, is what Microsoft is doing at C level for a platform whose selling point is security.

I would expect them to take this opportunity to push Checked C, or hardware pointer tagging (like on SPARC) into mainstream.

Fat pointers, capabilities, something like that seem feasible https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/.

The problem is all that is nice and cool, but the real world IoT is about Chinese cams by Dahua of MIRAI fame and ESP32 modules with barely working WPA. Because the price is low, and that's what matters at scale.

I am fully aware that cheap always trumps quality, until we get a couple of big lawsuits that finally force governments to put some regulation in place.
I hope there's another route, because we all know perfectly well what the strengthening of power leads to.

What if perfectly secure, formally proved and verified code would be simultaneously the cheapest to produce, considering developers time, code performance and other business metrics? What if the guy in Shenzhen would download not the bunch of C libraries from Github and hack it until it don't crash for at least 5 minutes on the new version of the SoC, but download instead a Coq code, proved by best and brightest Stanford researchers, and just tweak the hardware spec a little - then generate the fastest possible assembly code from it, with test, quick and automagically? What if another guy in Shenzhen, who need to hack a bunch of IPs to build that SoC as fast as possible, and tape it out before other guys, would do the same to generate the RTL - not because it's cool or right, or anything - but because it's faster and cheaper than hacking Verilog and write all the test scripts to verify the SoC don't hang up too often.

Maybe we need a dozen of projects like https://deepspec.org for make it happen, but I think there's no another way to really change the state of affairs.

I think the big win is that now instead of every IoT company trying to figure out how they can update endpoint devices, the company that has been doing endpoint device updates for 20 years will give it to you as a service if you use their platform.
I'm gonna repost comment made by niftich year ago because it's spot on:

    Internet of Things isn't about people hooking up jailbroken Kindles to 
    one-way mirrors to show the weather. It's not about Ardunios and
    Raspberry Pis being used to collect some data, move some servos, 
    and make a blog post about it. It's about big money to be made 
    by introducing new monetization channels in places there were none before.
(For some reason I was downvoted -4 last time)
I think this definition is too limiting. I do agree with data collection part though.

Webcams, thermostats, bulbs, wrist watches, tv...

Basically any electronics we have used since forever without issues would now need to be connected to the internet. Mostly for zero consumer benefit.

For most of these, Ardunios and Raspberry PIs would be overkill.

Oh you should check out resin.io
> Initially, the Azure Sphere OS team tried using SSH server with a fixed root password for security

Umm, what??

It's so bad out there Alex.

Tanks are running around with hardcoded admin passwords and most devices use unencrypted, unauthenticated busses. Often multi-master.

Why? Because it's easier.

That's it.

And for a while it was fine because bridgeware wasn't a thing and we hadn't started connecting everything to the internet.

Morris Worm happened in 1988 thanks to C's "security features", yet little has been done, beyond putting band aids on top of band aids.

Maybe I get to see some kind of "Safe C" actually being adopted in the UNIX world, before the 50 years' anniversary of the Worm.

50 years from 1988 is 2038, I think we'll all be busy running around trying to figure out if we have anything still running on 32bit hardware ;).
I was being sarcastic as I am sceptic about the industry at large actually caring about without a couple of massive lawsuits.

Cheap always trumps quality unless there are some legal requirements going on.

(nested 2 links from OP)

https://m.seeedstudio.com/productDetail/3052

> This Azure Sphere development kit can be only used for prototyping. It cannot be built into a product for commercial distribution. It cannot be re-sold or used as part of a production environment ... The software included in this product contains copyrighted software that is licensed under the GPL, LGPL or other open source license

Can GPL software be restricted by use case?

> To use the MT3620 Dev Board for Azure Sphere, you’ll need a Windows 10 PC

What's the timeline for allowing use of Ubuntu or Red Hat Linux to develop for Microsoft Linux with Azure Sphere?

I think they mean that the prototype hardware cannot be built into a product.
It requires you to click a checkmark box for "I agree to the restrictions" to add it to your cart. I suppose that's what they consider to be restricting your usage to their approved use cases, not copyright.
That link is blue (similar to hyperlink) but it doesn't have Terms & Conditions or other text that defines a legal agreement. Unclear what is being asked or agreed.
Only after you've agreed to it does it popup the text "This development board can be only used for prototyping, it cannot be built into a product for commercial distribution. It cannot be re-sold or used as part of a production environment."

I suspect adding anything about restrictions was a last-minute job for Seeed, and it's probably not something given too much effort on their part. Realistically, an $85 devboard isn't going to end up being built into production items. And they're probably going to be a low enough quantity item for Seeed that they can manually look into any instances where someone has ordered more than 3 or 4 and just stop sending any more to them if it really rises up to being enough of a problem for Microsoft to complain.

The restriction must be on the hardware part of the development kit. I don't see how they could forbid anybody to copy the software.
So what is Azure Sphere? I read their website and I tried really hard to get past the corporate bullshit speak, but in the end I had to give up. It's just meaningless mumbo-jumbo.

So what is it, exactly? Something to do with IoT and cloud... but what??