Hacker News | yonatan8070's comments

It's undoubtedly a cool solution, but why do you need to remotely do a hard power cycle? Won't just SSHing in and rebooting be enough?

And when ssh is down because you OOMd or something else?

I don't really run heavy loads on my home server, so I haven't thought of that

Makes sense, thanks!


Having the firmware image just be a boring old tarball + hash sounds super nice. I wish more devices were this open, and I hope Rode won't see this and decide to lock the firmware upgrades down.

In the off chance anybody from Rode sees this: This makes me want to purchase your gear. Don't change it.

It's funny this comes up now. Tomorrow I'm dragging my Zoom R20 recorder on-site to use as an overly-featured USB audio interface for a single-mic live stream. If I'd known this about Rode a week ago I'd have purchased one of these and could have left my R20 hooked-up in the home studio!


Funny you mention that, because my first thought when reading that he submitted a report to the vendor was that they'd "fix" the problem by requiring firmware uploads to be signed (in which case it's "secure" because only their service techs have access to the private key, IOW, security by sternly worded written policy).

I’m guilty of using my Zoom R16 in a similar fashion; as USB audio interface most of the time for a couple of inputs.

The only thing that is a little sad about it is that for example the faders do nothing when the R16 is in USB audio interface mode.

It does however like to randomly turn on reverb and one other effect after power cycling. Which I sometimes forget and then wonder for half a second why the audio is sounding weird :P So there is some extra functionality that is available even in USB audio interface mode, although in this case not desirable for me to have enabled within it. If I want to add reverb or other effects when using the R16 as USB audio interface, I prefer to do so in the DAW. I would have liked to be able to use the faders though.


Interesting.

I'm running my R20 in USB interface / stereo mix mode and the faders do work. I didn't think about trying to apply any effects. I'll play with that, for fun, but I'd definitely add them in the DAW as well. (I really only use my R20 for multitrack recording and do all my effects in the DAW. I like it, and it can do a ton standalone, but my workflow really just needed a multitrack recorder and I could have probably spent a lot less. It just looked like fun...)


I had to upgrade the firmware in my HP printer a couple years ago.

It’s a printer that I think was released in ~2009 (I am not able to check right now), and in order to upgrade the RAM to 256MB I needed to do a firmware update.

I dreaded this, but then I found out that all you do to update the firmware was FTP a tarball to the printer over the network. I dropped it in with FileZilla, it spent a few minutes whirring, and my firmware was updated.

Then I got mad that firmware updates are ever more complicated than that. Let me FTP or SCP or SFTP a blob there, do a checksum or something for security reasons, and then do nothing else.


My favorite firmware update story is a time when I had to reflash firmware on an old IBM Fibre Channel/SCSI gateway because it had become corrupted and wouldn't boot.

Fortunately the first stage bootloader (which may have been in ROM) was intact, and had debugging commands that allowed reading and writing bytes of memory one at a time, and to jump to a specific memory address.

After using IDA to find the compressed firmware in the update blob and figure out how the update process worked, I was then able to use an expect script to use bootloader commands to slowly poke the firmware and the code that decompressed and copied the updated firmware to flash (extracted from the firmware itself after decompressing it with zlib) into RAM a byte at a time, then to jump to the uploaded code to finish the installation.

Worked like a charm, and enabled me to continue using the device for several years until I no longer had a use for it.


I think my favorite is wifi access points that support tftp to load a firmware image (with some kind of hardware switch to enable this state). These can be made effectively unbrickable and it's really nice for experimenting.

> Let me FTP or SCP or SFTP a blob there, do a checksum or something for security reasons

Whose security are we talking about here? Mine, or the manufacturer's?


I'm not sure if it was what OP meant, but it's arguably a good availability technique (as long as you can generate the checksum, that is). Like, if I want to run custom firmware and flash it, having a checksum which verifies that the firmware isn't corrupted may help prevent bricking.

Right, I'm not sure either. Hence the question. :)

Checksums are great for helping to validate data integrity. And data integrity can be related to security.

But over the last 25 years or so, I've grown to become pretty averse to phrasing that parses like "for security purposes".


I think it should be locked down to require some kind of physical button input to enable the commands, putting it in some kind of "DFU" mode. Otherwise anything with USB access could brick your device by flashing a bad firmware.

I don't want my audio interface to run SSH (and have some random authorized key added), personally.

I agree that it shouldn't have SSH enabled, but I do like that the firmware isn't encrypted or signed, so it's not hard to mod it, at no cost to the manufacturer.

Fact.

Just don't expose it on a public network?

Sounds serious to me

It's highly unlikely that the people behind an attack like this would come out (non-anonymously) and take credit. And it's unlikely they'll be caught. So does it matter to most people if it's Russians, Americans, Iranians, North Koreans, or some other country?

If you're a 3-letter agency, you'd want to know and potentially arrest them, but as a random guy on the internet, or even a maintainer, I really don't think it matters.


So if it came out that the NSA was attempting to put backdoors in consumer password managers, it wouldn't change the context of the side channel attack? How about if it was a company (like Google)? It seemed like an unserious question because I can't understand how someone would think something like that wouldn't change the situation.

Does the NSA really need that? 99% of our services are hosted on American servers, to which the NSA already has full access.

Why would you steal the key when you're already in the house?

And for the high profile, like some Iranian scientist who has the code to something important, they wouldn't use things like Bitwarden.

I really see no use case when the NSA would need access to your Bitwarden vault.


> So if it came out that the NSA was attempting to put backdoors in consumer password managers, it wouldn't change the context of the side channel attack?

Not really, we already know that NSA attempts shit like this all the time, if that came out, it'd be the same as the Snowden leaks, meaning a bunch of nerds going "Huh, who could have predicted this?". I don't see the point in it being Russia, China or the US, I'd like it as much if the US did it as Russia, so that's why I asked why it matters.


That looks super cool! Now I just need a reason to look at hex files

I went on the configurator page briefly, like 400$ for 32GB IIRC.

They don't ship to where I am so I didn't stay long


At least it's available in the UK

I've wanted to get a Framework for a long time now, but their lack of shipping to Israel (and active prevention of using freight forwarders) has prevented me.

If they were willing to sell me the 13 Pro, I'd sell my Yoga Pro 7 in a heartbeat to replace with a 13 Pro


I'm curious, what's the motivation for not having a graphical environment at all?

What I wanted (and to an extent still do) is extreme simplicity and OS level minimalism. I was hoping to understand everything up to the browser, really. My interest in this has been renewed since AI: I have a sense that extreme simplicity may be the only viable approach for security in FLOSS if AI tilts the scales in favour of throwing cash (and therefore tokens) at problems.

Initially about 15 years ago because the laptop I bought did not have kernel support for the mobile gpu so I could not run a graphical desktop for a while, so I added kernel support for framebuffer on my GPU myself which was only a 7 line change (upstreamed to kernel) and then realized the framebuffer plus tmux and I was kind of set apart from youtube, so I wrote a one liner to pull raw video content from youtube and stream to the framebuffer with mplayer.

Overall I found there was almost nothing to do my job that actually required a GUI so did not bother fixing it.

The only software I tend to use today is a terminal and a browser, and graphical browsers are a hellscape of cookie approval prompts and ads and tracking. Thankfully today a local LLM can go to the web and fetch whatever content for me, so I am once again phasing out my use of web browsers.


> The only software I tend to use today is a terminal and a browser

i'm exactly in the same situation. for this reason i run on dwm and no DE. but i'd like to phase out some of my web browsing, for the same reasons you mentioned. could you please elaborate on your local LLM setup and how you use it to substitute web browsing?


"Can you setup a daily job to monitor and download youtube videos from any channels listed in subscriptions.txt"

"Can you setup a daily job to search for any articles on supply chain attacks, format them as normalized markdown files and store them under Research/supply-chain ?"

"Can you go find me a good price on some used DDR5 ram from a reputable seller?"

Etc etc.

Use agents to bring the internet to you.

Can do basically anything with a Strix Halo board at home.


interesting. i can definitely think of similar use cases. but can all of this be accomplished with local LLMs? do you run it on expensive hardware? are there specific models, agent frameworks and other tooling you recommend?

btw as another strategy to avoid web browsing i've been relying a lot on content being delivered as email newsletters. seems like it would also be easy to process that using LLMs


It's not for me, but I can see the appeal - minimalism, distraction elimination, geek cred, and the sort of flow state one gets from working in a low latency, high muscle memory environment.

For me it's about having a distraction-free environment. I dislike having useless information cluttering my screen real-estate.

Even now that I moved away from text-only, I typically work only with fullscreen windows. All I want to see is what I am focusing on at the moment.


I've assisted my grandparents with the same UIs many times, it's just harder to learn things the older you are.

For example, there was a service my grandmother used pretty frequently, which required a password change once every 6 months. She memorized the regular login flow, but she always called us for help when the flow broke and asked her to invent a new password, provide the old password, and confirm with an SMS code.

None of it is inherently complex or difficult, but when you're at that age, and not super tech-savvy to begin with, computers are super confusing.


Yup, I'm working a lot with Jetsons, and having the Orin NX on 22.04 is quite limiting sometimes, even with the most basic things. I got a random USB Wi-Fi dongle for it, and nope! Not supported in kernel 5.15, now have fun figuring out what to do with it.

Who's pirating Resolve? Doesn't it have a generous free version?

Yes. The free version is very generous. Most non-professionals won’t ever need a license for Resolve Studio.

BMD’s entire game here is that they are a hardware company first.

They hook you in with some really good software - and when you start getting into professional workflows that require specialized hardware (i.e. capture cards, I/O devices etc) you’re locked in to needing to use BMD hardware.

So it doesn’t cost them a great deal to offer the free version to most people because they have to have the software anyway to support the hardware.

Also, while they certainly make a profit on the studio licenses, it seems to be largely because offering those advanced features has costs they can’t eat. For example, the official (and expensive) Apple ProRes encoder SDKs, and advanced tech behind their noise reduction plugins among others.


It's generous but limited in some aspects. True 4k resolution is not supported (or at least wasn't the last time I checked). It also didn't support H.265 4:2:2 files.

I guess once you reach the level where you need to work on these types of files, it would be warranted to pay the very reasonable price for Resolve.

