DSL-3780 Interim Conclusions

Unsurprisingly the D-Link is still at the same firmware level. It would be a shock if it were otherwise. Thus far it looks like this supports the myth that ISPs don’t care about security. But it is a myth, or at least it is in the case of the ISPs I’ve used; just take a look at the network the other side of your router. There are other things Talk Talk provide aimed at end user understanding and behaviour which demonstrate it is a fallacy too.

The reality is Talk Talk will have a very good picture of what the primary security risks are for the bulk of end users. So they’re set up to deal with or mitigate those first.

As to the inappropriate nature of the responses I’ve had: well, the reality is most people who phone them up with a semblance of a technical security report will think that their bug should be treated as a critical one. And so the manager was handling me based on the presumption I was such a person. When in fact all I was trying to do was the equivalent of phoning in a patch for inclusion in the next build. There are no commonly recognised grounds for expecting Talk Talk to have procedures to deal with it.

However, the grounds for it are recognised and accepted throughout the free and open source software communities of which I’m a member. If you’re going to ship a product containing free and open source software then those communities have every right to judge you by their standards. This case definitely falls far short of those. Reasons, however understandable, are not automatically adequate excuses and this is such a case.

[diary] DSL-3780 Talk Talk ‘can’t’ fix it [edit]

Don’t make the mistake of thinking this is wonderful news, but Talk Talk called to close the DSL-3780 helpdesk call ‘because we’ve fixed the problem, your router now works.’ This is, of course, complete balderdash brought on by running a ‘basic router problem’ helpdesk script. The DSL-3780 I have is a special to Talk Talk build and comes preconfigured so they can reload the latest firmware and default settings from their end – for the technical, using TR069. All that had happened was they flagged my router for the overnight reload job. It couldn’t possibly have worked because like anybody with any sense I’d replaced the insecure router with a Buffalo WBMR-HP-G300H loaded with the latest DD-WRT. Further, Talk Talk automatically push the latest firmware release to these devices as it becomes available, so mine was already at the latest level documented on the web.

Which after being put on hold many times for her to get help choosing which call centre script to run on me next was the net of what she was offering. In the process I was told baldly that Talk Talk can’t (i.e. won’t) fix the problem with the firmware. Therefore a refresh is all that is on offer.

It should go without saying there was no sign of a meaningful record of my conversation with the ‘manager’ during this call.

[edit follows]
However it has to be said there’s a very long shot today’s ‘can’t’ could simply be one helpdesk person’s reliance on stupendously inappropriate call centre training and scripts aimed at typical end users who are fond of frankly fanciful theories as to the nature of computer problems. So I’ll have to wait for Talk Talk to reload this firmware and test again just on the off chance they’ve done the entirely counter intuitive thing and achieved a patch cycle time not normally associated with home router support.

[diary] On Needing a Sledgehammer

My disability apportions me a healthy dose of randomness. Accordingly this weekend I had a firtle in my ISP provided broadband home router and the GPL source bundle for it duly downloaded from the manufacturer. There in and amongst the build configuration files was the setup for two backdoor admin logins complete with passwords in clear. A bit of testing proved they were extant in the router as shipped.

So in search of what one is supposed to do about such things I consulted the relevant pages at CERT. ‘The vendor’ they say. Of course there’s no magic high priority contact for security matters when it comes to home routers. Thus after a journey involving an esupport website bug, the manufacturer’s 10p/min support line referring me to my ISP, the first call I made to my ISP being disconnected by someone who didn’t seem to understand what a security bug is, and another person who evidenced lack of comprehension, I finally ended up speaking to a manager in my ISP’s helpdesk router section.

He expressed patent disinterest and came up with a spurious logic rationalisation for there being no need to fix it. I reached for the sledgehammer of promising publicity if the matter was not pursued. The result was a change of tack and some reassurances in a tone which wasn’t exactly convincing. Nor has anyone with a more appropriate technical or security brief at the ISP subsequently contacted me to confirm they’ve received the report and are actioning it. I have, therefore, little confidence that the matter is being dealt with correctly.

Better name and shame then, the router is the D-Link DSL-3780 as shipped by Talk Talk who were the ISP I spoke to. Technical details of the vulnerability are available in response to signed GPG email. My fingerprint is AB3F DF36 512E 1EE1 9055 A8C9 62C6 5508 B625 C793. Use the email address at this domain in the key.
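
Added example, not part of the original post and not taken from the D-Link bundle: a Python check for the class of finding described above, clear-text passwords sitting in the build configuration files of a firmware source tree. The file-name patterns, key-name patterns and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Lines of the form KEY=value, KEY: value or "#define KEY value" whose key names a password.
PASSWORD_LINE = re.compile(
    r'^\s*(?:#\s*define\s+)?(?P<key>\w*(?:PASSWORD|PASSWD|PWD)\w*)\s*[=:\s]\s*'
    r'["\']?(?P<value>[^"\'\s#]+)', re.IGNORECASE)
# Values that are not clear-text secrets: make/shell variables, crypt(3) hashes, Kconfig y/n.
NOT_LITERAL = re.compile(r'^(\$\(|\$\{|\$[0-9a-z]+\$|[yn]$)', re.IGNORECASE)
# File names treated as build configuration (an assumption; extend for the tree at hand).
CONFIG_FILE = re.compile(r'(\.config|\.conf|\.cfg|\.mk|\.h|defconfig|Makefile)$')


def scan_tree(root):
    """Return sorted (relative path, line number, key) for each clear-text password."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in filter(CONFIG_FILE.search, files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, errors="replace") as handle:
                for lineno, line in enumerate(handle, 1):
                    hit = PASSWORD_LINE.match(line)
                    if hit and not NOT_LITERAL.match(hit.group("value")):
                        findings.append((rel, lineno, hit.group("key")))
    return sorted(findings)


# Constructed sample tree; none of these names or values come from the D-Link bundle.
SAMPLE = {
    "build/profile.config": (
        "# constructed sample profile\n"
        'CONFIG_SUPPORT_LOGIN_NAME="support_example"\n'
        'CONFIG_SUPPORT_LOGIN_PASSWORD="example-clear-text"\n'
        "CONFIG_WEB_ADMIN_PASSWD=$(ADMIN_PW)\n"
        "# CONFIG_GUEST_PASSWORD is not set\n"),
    "include/accounts.h": '#define FACTORY_PASSWORD "example-two"\n',
    "docs/README.txt": "PASSWORD=not-a-config-file\n",
}


def scan_sample():
    """Write SAMPLE into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as handle:
                handle.write(text)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, lineno, key in scan_sample():
        print(f"{rel}:{lineno}: clear-text value for {key}")
```

The scanner reports only the file, line and key name, so its output can go into a report to the vendor without repeating the secret itself.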

[diary] Cross development targeting retro computers from GNU/Linux

Real Life™ saw fit to reward me with two OKish days this week. First time in ages. Last time I confidently told a friend I planned to do x y and z in the coming weeks with this wonderful new progress. This time I just did my chores the first day and settled down to hobbies on the second.

The first hobby activity was reading an 1153 manual for a few hours. I’m not entirely convinced that any has gone in. But, that’s the way it works with me, I recall things as I need them not from some idle desire to remember.

The second was looking into cross developing for my two retro computers from Trisquel GNU/Linux. Earlier in the year I’d established that the Atari ST has a libre/free emulator hatari in the Trisquel repos. Which can be used with EmuTOS a free ROM replacement that is near enough. And I found a Trisquel compatible repo with a cross development gcc toolchain and some libraries including SDL. However, since hatari lacks the feature I haven’t been able to find a gdbserver for the Atari ST. So another chunk of today was spent reading Embecosm’s excellent HOWTO on the GDB serial line protocol. The idea is to start with a gdbserver for the ST itself rather than build it into hatari as in the final analysis the real hardware might throw something up that’s been missed in the emulator. Doing something with fewer dependencies first to learn from seems more sensible, adding it to hatari can come later. Also it’s ‘good experience’ for when I come to do the same for the BBC Model B, as there are no libre ROM replacements for that. So it’s going to be on the baremetal regardless.

[tnmoc] ATMega2560 timers

I need to program the timers on the Arduino Mega2560. I took a different route through Arduino.cc today, or maybe their wiki has been updated. So there’s some timer code for others in the Mega series. It’s a matter of porting that to the ATMega2560 chip on my Arduino.

Downloaded and read the existing code to familiarize myself with it.  I also studied the libavr docs and did a search for an openocd config file for the ATMega2560 in case I need to use my JTAG for debugging of the library.

[discordian] Helping the government

Dear Sisters and other siblings,

As you will have gathered from government Internet scrubbing initiatives such as PRISM and Mastering the Internet the problem of waste data has become severe.  It is therefore important for every Pope[1] to send their waste data to the government for disposal.

Firstly, read and unread emails should be forwarded to an account with one of the no fee email providers you have created specially for the purpose.  From there they should, at a minimum, be forwarded to your democratic representative(s) with ‘For Government Disposal’ as the subject line.

Secondly for any other data you have license to copy without charge, such as your photos, create a zip or tarball and make a BitTorrent of it.  Post the torrent file somewhere prominent clearly marked ‘For Government Disposal.’

Thirdly, with social networking and other online accounts you are discontinuing simply make ‘For Government Disposal’ your last post / microblog stream / status etc. entry.

Yours,

Pope Archibaldess IV

[1] You will recall that all humans are Discordian Popes.

[tnmoc] Selectric RPM part 2

Peter’s had a meter on the Selectric that is at TNMOC and reports an approximate mean of 500 RPM for the op shaft.  That gives us 0.120 seconds per cycle. Slower than the Wikipedia figure.  A good job he measured it if there is any chance there might be a problem in the 1131 from wrong test device timings.

[tnmoc] Selectric RPM

Real Life™ again. If it is any comfort I’m doing a lot better at getting to port and safety when this particular well known storm blows than many similarly disabled people.

Been through the Theory of Ops and Adjustment Theory manuals.  The nearest we get to an RPM is the motor to cycle shaft / op shaft gearing ratio in Theory of Ops.  However, a quick search finds the Wikipedia Daisywheel page quoting 13.4 CPS for Selectric printing speed.  FWIW not what I remember, but then I was only told once in passing so that’s not going to be very reliable.  Let’s hope Wikipedia is not only precise but accurate.

13.4 CPS assuming one revolution per character gives us one cycle in .0746 seconds.  I can calculate the make break times from there.

[tnmoc] Tricky Switches

I’m trying to work out the exact coding needed for CB RESP on the test device. Now my memory is I was told all the carriage events listed in the circuit diagram fragment below are signaled. However, that doesn’t sit well with the wiring for them being in series.

1053 Carriage Switches

An email discussion with Olly last night dug out the fact that the IBM circuit diagrams use their own standard for symbols not the common one. So what exactly do those little circles on the top and bottom switches mean? The upshot is that it looks like I’m going to have to get out the meter and hand cycle tool to work out what actually happens with the coding of those switches.

[tnmoc] 1053 pinout

I’ve been correcting the pin assignments for the Arduino after re-reading pages ZA101 and ZW101 of the 1131 & 1153 circuit diagrams which you can download from http://bitsavers.informatik.uni-stuttgart.de/pdf/ibm/1130/fe/1131-B/.

From the table on the top left of page ZA101 you will note that all connections lead to or from ZW101. This is in turn the circuit diagram for the 1053. What I worked out today was that the rows in the table should be read left to right as the signal direction (i.e. from … to). I did the first draft of the pin assignments from ZW101, and what I missed was that several of the lines on the diagram don’t lead to any connection. They’re marked as NOT USED in either column 2 or column 5 of the ZA101 table.

The pin assignments now look like:

/* ========= PINS ============================ */

/* Note: names in the comments are from the circuit diagram;
   - indicates active low, and + active high. INPUT and OUTPUT are
   relative to the Arduino. */

/* ----- A SIDE - from the 1131 main computer ----- */
const int A_SELECT_T1 = 2;      /* The -SELECT T1 line, Tilt 1 latch.
                                   Not activating this causes a tilt
                                   value 1 on the golfball. INPUT */
const int A_SELECT_T2 = 3;      /* The -SELECT T2 line, Tilt 2
                                   latch. Not activating this causes
                                   a tilt value 2 on the golfball.
                                   Combined with T1 can add to a
                                   value 3. INPUT */
const int A_SELECT_R1 = 4;      /* The -SELECT R1 line, Rotate 1
                                   latch. Not activating this causes
                                   a rotate value of 1 on the
                                   golfball. INPUT */
const int A_SELECT_R2 = 5;      /* The -SELECT R2 line, Rotate latch.
                                   Not activating this causes a
                                   value 2 rotate. Can add to R1,
                                   R2A, and R5. INPUT */
const int A_SELECT_R2A = 6;     /* The -SELECT R2A line, Rotate
                                   latch. Not activating this causes
                                   an additional value 2 to rotate,
                                   used with R2 to get to rotates 4,
                                   5, -2, & -1. INPUT */
const int A_SELECT_R5 = 7;      /* The -SELECT R5 line, a printer
                                   rotate latch. Not activating this
                                   causes -5 rotate value. INPUT */
const int A_SELECT_AUX = 8;     /* The -SELECT AUX line, believed to
                                   cause a character print cycle on
                                   printer. INPUT */
const int A_LINEFEED = 9;       /* The -LINE FEED line, INPUT */
const int A_TAB = 10;           /* The -TAB line, INPUT */
const int A_CRLF_EOL = 11;      /* The -CR-LF AND EOL line, INPUT */
const int A_UP_SHIFT = 12;      /* The -UP SHIFT line, INPUT */
const int A_DOWN_SHIFT = 13;    /* The -DOWN SHIFT line, INPUT */
const int A_EOL = 14;           /* The +TWR END OF LINE line, flow
                                   control?, OUTPUT */
const int A_CB_RESP = 15;       /* The -TWR CB RESPONSE line, flow
                                   control, OUTPUT */
/* Neither of the following two are used on the connector -- see p. ZA101 */
/* const int A_CRLF_INLK = XX;     The +TWR CAR RET INLK line, flow
                                   control, OUTPUT */
/* const int A_CRLFT_INLK = XX;    The +TWR CRLFT INLK line, flow
                                   control, OUTPUT */
const int A_SPACE = 16;         /* The -SPACE line, used to print a
                                   SPACE character. INPUT */
const int A_BACKSPACE = 17;     /* The -BACKSPACE line, used to cause
                                   a BACKSPACE, INPUT */
const int A_BLACK_SHIFT = 18;   /* The -BLACK RIBBON SHIFT line,
                                   INPUT */
const int A_EOF = 19;           /* The -TWR END OF FORMS line, flow
                                   control, OUTPUT */
const int A_CRLFT_INLK = 20;    /* The +TWR CRLFT INLK line, flow
                                   control, OUTPUT */
const int A_RED_SHIFT = 21;     /* The -RED RIBBON SHIFT line,
                                   INPUT */
/* Neither of the following two are used on the connector -- see p. ZA101 */
/* const int A_SINGLE_LF = XX; */
/* const int A_DOUBLE_LF = XX; */

/* ----- B SIDE - to the Selectric 1053 Console Printer ----- */
const int B_SELECT_T1 = 22;     /* The -SELECT T1 line, Tilt 1 latch.
                                   Not activating this causes a tilt
                                   value 1 on the golfball. OUTPUT */
const int B_SELECT_T2 = 23;     /* The -SELECT T2 line, Tilt 2
                                   latch. Not activating this causes
                                   a tilt value 2 on the golfball.
                                   Combined with T1 can add to a
                                   value 3. OUTPUT */
const int B_SELECT_R1 = 24;     /* The -SELECT R1 line, Rotate 1
                                   latch. Not activating this causes
                                   a rotate value of 1 on the
                                   golfball. OUTPUT */
const int B_SELECT_R2 = 25;     /* The -SELECT R2 line, Rotate latch.
                                   Not activating this causes a
                                   value 2 rotate. Can add to R1,
                                   R2A, and R5. OUTPUT */
const int B_SELECT_R2A = 26;    /* The -SELECT R2A line, Rotate
                                   latch. Not activating this causes
                                   an additional value 2 to rotate,
                                   used with R2 to get to rotates 4,
                                   5, -2, & -1. OUTPUT */
const int B_SELECT_R5 = 27;     /* The -SELECT R5 line, a printer
                                   rotate latch. Not activating this
                                   causes -5 rotate value. OUTPUT */
const int B_SELECT_AUX = 28;    /* The -SELECT AUX line, believed to
                                   cause a character print cycle on
                                   printer. OUTPUT */
const int B_LINEFEED = 29;      /* The -LINE FEED line, OUTPUT */
const int B_TAB = 30;           /* The -TAB line, OUTPUT */
const int B_CRLF_EOL = 31;      /* The -CR-LF AND EOL line, OUTPUT */
const int B_UP_SHIFT = 32;      /* The -UP SHIFT line, OUTPUT */
const int B_DOWN_SHIFT = 33;    /* The -DOWN SHIFT line, OUTPUT */
const int B_EOL = 34;           /* The +TWR END OF LINE line, flow
                                   control?, INPUT */
const int B_CB_RESP = 35;       /* The -TWR CB RESPONSE line, flow
                                   control, INPUT */
/* Neither of the following two are used on the connector -- see p. ZA101 */
/* const int B_CRLF_INLK = XX;     The +TWR CAR RET INLK line, flow
                                   control, INPUT */
/* const int B_CRLFT_INLK = XX;    The +TWR CRLFT INLK line, flow
                                   control, INPUT */
const int B_SPACE = 36;         /* The -SPACE line, used to print a
                                   SPACE character. OUTPUT */
const int B_BACKSPACE = 37;     /* The -BACKSPACE line, used to cause
                                   a BACKSPACE, OUTPUT */
const int B_BLACK_SHIFT = 38;   /* The -BLACK RIBBON SHIFT line,
                                   OUTPUT */
const int B_EOF = 39;           /* The -TWR END OF FORMS line, flow
                                   control, INPUT */
const int B_CRLFT_INLK = 40;    /* The +TWR CRLFT INLK line, flow
                                   control, INPUT */
const int B_RED_SHIFT = 41;     /* The -RED RIBBON SHIFT line,
                                   OUTPUT */
/* Neither of the following two are used on the connector -- see p. ZA101 */
/* const int B_SINGLE_LF = XX; */
/* const int B_DOUBLE_LF = XX; */

I’m certain the SELECT_T* and SELECT_R* lines operate the golf ball rotate and tilt. SELECT_AUX I think activates the print cycle once these are selected. UP_SHIFT and DOWN_SHIFT must operate the shift arm which causes a 180 degree rotation of the golfball to give upper / lower case and extra specials. CRLF_EOL, TAB, SPACE, BACKSPACE, LINEFEED are individual control lines for the appropriate character or character sequence. RED_SHIFT and BLACK_SHIFT obviously change the part of the ribbon that’s used to print so red ink or black ink. The EOL (end of line) and EOF (end of forms) should be self explanatory signals. I expect the 1053 asserting EOL will cause a CRLF_EOL to be asserted by the 1131.

CRLFT_INLK is I think flow control for when carriage return, linefeed or tab tie up the printer mechanism for a time. However, the T might also mean ‘transfer’ for ‘carriage transfer’ which IIRC was the term for any carriage movement which has the mechanism occupied and unable to do anything else. This might mean CRLFT_INLK has to be asserted when SELECT_AUX is fired for a print cycle. However, for a first pass I’m betting that role is the sole duty of CB_RESP.