Sunday, April 17, 2011

Dodging counterfeit electronic components is far more difficult than in the past; parts are getting harder to spot.


Medical Electronics Design magazine has posted an article that everyone needs to read: Dodging counterfeit electronic components is far more difficult than in the past. "The counterfeiters are becoming increasing harder to detect. Unfortunately, the devices they're selling aren't getting any better."

I've already pointed out that the counterfeiting issue has gotten so bad that the politicians have gotten involved.

Vala a modern language for embedded, validated with VCC for C?


I'm always in search of the mythical 'Silver-Bullet' language that will let all of us write bug-free software for our Embedded Systems. This week I came across Vala. Vala is a new programming language that aims to bring modern programming language features to GNOME developers; its syntax is taken from C# and Java. What piqued my interest is that Vala is a front end that compiles to native C code. So there is some hope that it would be run on an Embedded Micro, though it would have to have some beefy memory to support GObject.
Some of the features of Vala are:
  • Assertions and Contract Programming.
  • Signals/Asynchronous Methods; With asynchronous methods it is possible to do programming without any blocking. [Yes, the masochistic could do this with raw function pointers.]
  • Anonymous Methods / Closures.
  • Multi-Threading.
  • Resource Control.
Still there are a few kinks I see in Vala. The Vala Tutorial gives some examples of where the language will let you shoot yourself in the foot. A language should do all it can to prevent errors by the programmer. If we want to use a language that lets us shoot ourselves in the foot we can keep using forty-year-old C, or Programming A Problem-Oriented-Language by Charles H. Moore, written ~ June 1970.

I don't know how close Vala's asynchronous queues are to a true message passing system like Erlang. Hopefully close enough to avoid the whole issue of threads and locks, but I don't think this is the case from looking at a bit of the code. Threads and locks simply do not scale, especially after you get past about 64 cores. Linux multi-core scalability is a good paper to start with on the issue. I'd like to see a language similar to Vala that enforced single assignment variables and true message passing, that compiled down to something that ran on our small micros.

Chips with 144 independent F18A computers are just starting to come on the market now, so we collectively need to get our acts together on doing multi-core programming, without archaic notions of shared variables, threads and locks.

Something else I came across this week over at CodePlex was VCC from Microsoft: "VCC is a mechanical verifier for concurrent C programs. VCC takes a C program, annotated with function specifications, data invariants, loop invariants, and ghost code, and tries to prove these annotations correct. If it succeeds, VCC promises that your program actually meets its specifications."
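An added example (not from the original post or from the VCC project) of the kind of annotated C the quote describes: a function specification and a loop invariant written in VCC's `_( ... )` notation. The `VERIFY` guard, the fallback macro and the sample array are assumptions made so the file also builds with an ordinary C compiler; a normal build checks nothing, and only VCC would attempt the proof.

```c
#include <limits.h>
#include <stdio.h>

/* Under VCC the annotations are interpreted via its header; an ordinary
   compiler must drop them. VERIFY is assumed here to be the macro that
   is defined during a VCC run. */
#ifdef VERIFY
#include <vcc.h>
#else
#define _(...) /* annotations vanish in a normal build */
#endif

/* Return the index of the first element equal to elt, or UINT_MAX.
   requires:  the caller guarantees ar[0..sz) is readable.
   ensures:   a returned index is in bounds and really holds elt, and
              nothing before it matched.
   invariant: every element already visited differs from elt. */
unsigned lsearch(int elt, int *ar, unsigned sz)
  _(requires \thread_local_array(ar, sz))
  _(ensures \result != UINT_MAX ==> \result < sz && ar[\result] == elt)
  _(ensures \forall unsigned i; i < sz && i < \result ==> ar[i] != elt)
{
    unsigned i;
    for (i = 0; i < sz; i++)
      _(invariant \forall unsigned j; j < i ==> ar[j] != elt)
    {
        if (ar[i] == elt)
            return i;
    }
    return UINT_MAX;
}

/* Constructed sample data, not taken from the page. */
static int sample_readings[] = {12, 7, 7, 31};
#define SAMPLE_LEN ((unsigned)(sizeof sample_readings / sizeof sample_readings[0]))

int main(void)
{
    printf("first 7 at index %u\n", lsearch(7, sample_readings, SAMPLE_LEN));
    printf("99 found: %s\n",
           lsearch(99, sample_readings, SAMPLE_LEN) == UINT_MAX ? "no" : "yes");
    return 0;
}
```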

I wonder how you could convince Vala to output VCC annotated source code to feed VCC to prove a 144 core program is correct on one of Chuck's Chips? I do realize chips from Chuck Moore will be using Forth...

Anyone want to buy my Small-C Handbook collection?

My wife and I keep working at downsizing our home. We are tired of having our lives determined by "stuff". Move it from 'there' to 'here', spend time to inventory, dust it, move it back, etc. All of which takes time from our goals in Life.

[The Small-C book set below has found a new home, so they are no longer available.]

Anyway if anyone wants the following set of books I'll send them to whomever wants to pay for their shipping. I'll only ship to the Continental US, sorry. About five pounds shipping weight.
I just can't bring myself to toss this in the trash as they are still good teaching tools, and Jim Hendrix says Small-C is still being ported to devices to this day.
  • The Small-C Handbook by James E. Hendrix.
  • Small-Mac User's Manual for CP/M Release 1.2.
  • Small-Tools User's Manual for CP/M and MS/PC-DOS Release 1.2.
  • Dr. Dobb's Handbook of C. 700+ page hardback in like new condition.
  • Dr. Dobb's Journal A small C Compiler for the 8080's and Runtime Library for the Small C Compiler by Ron Cain. Reprint, with permission, from the May and September, 1980 issues of Dr. Dobb's Journal.
While I'm in a selling mood, if anyone wants to acquire the domain name dsPIC.org for any dsPIC projects send me an email. Don't really use it, and it is just more "stuff" that needs maintenance once in a while.

NATIONAL STRATEGY FOR TRUSTED IDENTITIES IN CYBERSPACE Released. Yep, it's on your router.

On Friday the administration released their authoritative document on NATIONAL STRATEGY FOR TRUSTED IDENTITIES IN CYBERSPACE; Enhancing Online Choice, Efficiency, Security, and Privacy. We covered this a few months ago: National Strategy for Trusted Identities in Cyberspace (NSTIC) on your router?, where I wondered if they would account for Embedded Devices.

The answer to that question is yes. From the examples given they clearly intended this to be implemented at the device hardware level, using Smart Grid Meters as the example and "... a trust framework for the identification of computer network cards...mobile phone...". Clicking on the image in the Commerce Blog shows an Ice Maker in a refrigerator, in image #4! Note that it is the one in the blog index you must click, not the one in the press release; they are the same picture, but only the first one brings up the seven flash-based images. Also take note of the comment under the press release.

Note that this NSTIC "Identity Ecosystem" system is already different than the Federal Identity, Credential, and Access Management (FICAM) Roadmap; NSTIC Objective 2.3 disagrees with me. Makes me wonder why NSTIC is not good enough for them? Let the conspiracy theories begin... Why are we being taxed to pay for both? We also get to pay more in local taxes for our schools "...school also acts as an [NSTIC] attribute provider...", nothing comes for free.

  • Secure authentication between the power company and the meter prevents criminals from deploying fraudulent meters to steal electricity
  • Trusted hardware modules ensure that the hardware and software configurations on the meter are correct.
  • The meter validates that instructions and periodic software upgrades actually come from the power company.

At least they seem to be promoting the use of open standards, do they mean Open Source?: "The effort to develop technical standards should use open, transparent fora and leverage existing, market-recognized guidance on assessing required authentication...".

Alas as of now there are no real details as to what is actually being implemented, nothing more than block diagrams of high level 'warm and fuzzy' ideas, nothing like requirements and specifications so far:

Objective 2.1:

Implement the private-sector elements of the Identity Ecosystem. The Strategy can only succeed if the private sector voluntarily implements the Identity Ecosystem and only if it makes business sense to do so. The vast majority of the Identity Ecosystem will be built by the private sector, and almost all of the Identity Ecosystem's subjects, relying parties, identity providers, attribute providers, and accreditation authorities will be in the private sector.

The private sector is already providing many services that, if they choose, could be a part of the Identity Ecosystem. We encourage these providers to participate in the development of the Identity Ecosystem Framework and the implementation of the Identity Ecosystem, to ensure that both incorporate these providers' knowledge and experience.

To support the private sector, the Federal Government will work to promote and incentivize [SIC] both innovation in the marketplace and the private sector's implementation of the Identity Ecosystem in accordance with the Identity Ecosystem Framework.

There is "NSTIC Implementation" Solicitation Number: SB1341-11-NSTIC if you want to get on the Interested Vendor List. So far no one there strikes me as representing our Embedded interests.

The following seems like more Orwellian Doublespeak to me. How do you have a trusted identity (at the network card level?) and remain anonymous?:

Identity proofing (verifying the identity of an individual) and the quality of identity source documents have a profound impact on establishing trusted digital identities, but the Strategy does not prescribe how these processes and documents need to evolve.

Lastly, the Strategy does not advocate for the establishment of a national identification card or system. Nor does the Strategy seek to circumscribe the ability of individuals to communicate anonymously or pseudonymously, which is vital to protect free speech and freedom of association. Instead, the Strategy seeks to provide to individuals and organizations the option of interoperable and higher-assurance credentials to supplement existing options, like anonymity or pseudonymity.

http://nstic.us is a joint effort of non-profits, corporations and individuals to jumpstart[SIC] a wide-open, nationwide discussion of the government's proposed "National Strategy on Trusted Identities in Cyberspace" (NSTIC) system. They have the entire strategy in HTML, complete with embedded citable links to the paragraph level. In your tweet, blog post, article, etc, use their HTML version to facilitate dialog on any facet of the strategy, and include the link to the section or paragraph you are discussing so everybody can follow along.

Also the organization Identity Finder paints a bleak picture of what can go wrong if this system is not implemented perfectly, (Do we have perfect software yet?) NSTIC's Effect on Privacy and Security:

  • New ways to covertly collect personal information, and new markets to commoditize Users' identities.
  • New, powerful credentials that will subject individuals to new risks of identity theft.
  • Identity Ecosystem Participants may not need to comply with industry baseline security or privacy protocols.
  • An enhanced Identity "Marketplace" which enables Participants to profit from the sale of human identities.
  • The Identity Ecosystem "Marketplace" would continue to be opaque to users, and may create a false sense of control, privacy, and security among Users who are unaware that their identities are subject to sale without their knowledge.
  • A User who opts out of the Ecosystem may also inadvertently lose privacy protections.
  • New, powerful NSTIC identity credentials will enable the same functionality as an Internet "Power of Attorney," without the procedural safeguards offline Powers of Attorney provide.

The official links and pronouncements follow:

Kevin S. Xu, Press Assistant Department of Commerce Office of Public Affairs, sent out the following email on Friday, April 15th, 2011, the traditional Income Tax Day where the government takes more than fifty percent of your income; I'm Taxed Enough Already how about you? What is the message they are trying to send by tying this date to this announcement I wonder? Might have to do with April 19th being the archival date for the solicitation, SB1341-11-NSTIC, so fewer people can get in on the action, which was issued in March?

PREPARED REMARKS FOR COMMERCE SECRETARY GARY LOCKE

Release of the National Strategy for Trusted Identities in Cyberspace | Washington, D.C. April 15, 2011.

[Makes me wonder prepared by whom? {Paragraph spacing is all wonky in the original email, I did not try to duplicate it here.}]

Thank you, Ann, for that kind introduction, and thanks to the U.S. Chamber of Commerce for hosting today's event.

I also want to welcome the many innovators, trade associations, companies, and consumer advocates that are represented here as we mark another important milestone on our mission to build a more secure online environment.

President Obama has made promoting innovation a centerpiece of his economic agenda - and there is perhaps no segment of the economy that has seen more innovation than IT and the Internet.

Fifteen years ago, we saw the dawn of the commercial Internet.

Flash forward to 2011.

Nowadays, the world does an estimated $10 trillion of business online. Nearly every transaction you can think of is being done over the Internet:

  • Consumers pay their utility bills from their smart phones;
  • People download movies, music and books online; and
  • Companies, from the smallest local store to the largest multinational corporation, order goods, pay vendors and sell to customers via the Internet.

U.S. companies have led at every stage of the Internet revolution, from:

  • Web browsing and e-commerce technology; to
  • Search and social networking.

But at critical junctures, the US government has helped enable and support private sector innovation in the Internet space:

  • In the early 1990s, the government opened the door for commercialization of the Net;
  • In the late 1990s, the government's promotion of an open and public approach to Internet policy helped ensure the Net could grow organically and that companies could innovate freely; and
  • Recently, we've promoted the rollout of broadband facilities and new wireless connections in remote parts of the country.

Today, we take another major step - this one to ensure that the Internet's security features keep up with the many different types of online transactions people now engage in.

The fact is that the "old" password and user-name combination we often use to verify people is no longer good enough. It leaves too many consumers, government agencies and businesses vulnerable to ID and data theft.

This is why the Internet still faces something of a "trust" issue. And it will not reach its full potential - commercial or otherwise - until users and consumers feel more secure than they do today when they go online. President Obama recognized this problem long-ago, which is why the administration's Cyberspace Policy Review called for the creation of an "Identity Ecosystem," where:

  • Individuals and organizations can complete online transactions with greater confidence; and
  • They can trust the identities of each other and the integrity of the systems that process those transactions.

I am proud to announce that the President has signed - and that, today, we are publishing - the National Strategy for Trusted Identities in Cyberspace, or NSTIC.

The Strategy is the result of many months of consultation with the public, including innovators and private sector representatives like you in the audience. I'm optimistic that NSTIC will jump-start a range of private-sector initiatives to enhance the security of online transactions. This strategy will leverage the power and imagination of entrepreneurs in the private sector to find uniquely American solutions. Other countries have chosen to rely on government-led initiatives to essentially create national ID cards.

We don't think that's a good model, despite what you might have read on blogs frequented by the conspiracy theory set.

To the contrary, we expect the private sector to lead the way in fulfilling the goals of NSTIC.

Having a single issuer of identities creates unacceptable privacy and civil liberties issues. We also want to spur innovation, not limit it.

And we want to set a floor for privacy protection that is higher than what we see today, without placing a ceiling on the potential of American innovators to make additional improvements over time. Behind you are a number of firms exhibiting technologies and applications that can make a real difference in our future, and some are already out in the market today. At the end of today's event, you'll have an opportunity to see all of them, but let me take a minute to highlight two in particular.

Each year, medical researchers make discoveries that save lives and improve the well-being of those afflicted with disease.

Part of this rigorous scientific research is the review and approval of clinical trials, such as the Cancer Therapy Evaluation Program run by the National Institutes of Health.

To conduct these trials, paper signatures are needed for approvals at every turn.

This adds hundreds of dollars of cost - and more importantly, weeks of time that could be better spent getting patients into treatment more quickly. But the system has been stuck in paper as the world moves digital for a simple reason: because there has been no reliable way to verify identity online. Passwords just won't cut it here, as they are too insecure and the stakes are too high to risk fraud. The good news is that today, NIH has come together with private sector groups - including patient advocates, researchers and pharmaceutical firms - to eliminate this inefficient paper system through new identity technology that enables all sides to trust the transaction.

With trusted identities, patients can be enrolled more quickly in potentially life-saving therapy programs, saving hundreds of dollars per transaction. Trusted identities enable:

  • Trials to run faster;
  • Researchers to spend more time in the lab; and
  • A faster and cheaper way to move new therapies from the lab to the treating cancer patients.

At the other end of the identity spectrum, we have the scourge of ID and data theft, with phishing schemes being among the most prevalent.

Every second, phishing emails show up in people's inboxes, asking unwitting consumers to type their username and password into a fraudulent site.

In the audience today is Kimberly Bonney, a consumer from Bethesda, Maryland, who was victimized by one of these schemes last year.

She received an e-mail that she thought was from her Internet service provider, telling her that her account was in danger of being closed. The email asked that she provide her password, which she did.

Then, her co-workers, fellow members of her church, and her landlord began receiving emails that appeared to be from her stating that she was overseas and in need of a $2,800 loan to fly back to the United States.

It was a fraudulent e-mail of course.

Kimberly had become one of the 8.1 million Americans who were victims of identity theft or fraud last year. These crimes cost us some $37 billion a year.

But companies are introducing technologies that can help us turn the tide. At least one leader in the U.S. technology sector has come up with a simple solution to stop scammers from accessing their customers' accounts with just a stolen password.

They've recently rolled out a simple tool where verification codes are sent over the mobile phone network to a user's smart-phone or wirelessly connected computer - and when they want to access their online accounts, they have this additional and incredibly simple layer of protection.

I urge you to walk around this room to see for yourself how stronger authentication technology can protect against identity theft and cybercrime.

This is a difficult challenge. We're trying to improve security, convenience and privacy all at once.

That's why it's so important that we are leveraging the power and imagination of entrepreneurs in the private sector.

And the Commerce Department - led by Jeremy Grant at NIST - is staffing up to facilitate these private sector efforts.

I'm looking forward to learning of your future successes - perhaps you can send me an email - an authenticated email - describing those successes to my new email address at the U.S. embassy in China - that is, if I'm confirmed of course. Thank you again for your support, and now let me turn it over to Jane Lute, who is the Deputy Secretary of the Department of Homeland Security.

Jane has over 30 years of military and senior executive experience, having served at the United Nations, on the National Security Council and in the United States Army. She understands how integral cyber security is to our national security, and I'd like to bring her up here to offer a few thoughts...



# # #

The Commerce Blog has other related items:

"A public-private steering group will ensure that accreditation authorities" translated, in my cynical mind, to another 'fee', the latest way to get around Taxation Without Representation, that we must pay out of our hard-earned money.



"The nine most terrifying words in the English language are, 'I'm from the government and I'm here to help.'"



Ronald Reagan 40th president of US (1911 - 2004)

Saturday, April 9, 2011

Altium (Protel) Relocates From Sydney Australia to Shanghai China

I know a few people that use Altium, or the older Protel, circuit board layout package. Thought you might find it of interest that Altium has announced they are moving the company to Shanghai, China.

Former Altium employee David L. Jones of EEVblog confirms this:

"They [Altium] are moving, lock stock and barrel, to China, and as a result, a whole bunch of people were made redundant or laid off...I don't know the exact numbers, but it's a lot,...The idea is to move all their R&D to China, and pretty much start again." -- David L. Jones as quoted on The Amp Hour.

A couple of other related items with some different background:

The Altium Press Release says: "Altium plans to expand its R&D team over time by drawing on the talent pool in China".

I recently spent some time with someone who had been doing some consulting for a company in China that developed Cellphones. His description of the development process in China was, ammm, unkind. His description went something like this: The Chinese developers had no access to Internet. They had no idea what "good code" should look like [Sadly, from seeing code on Internet, it seems like a lot of people that do have Internet don't know either]. After a new developer gained some experience they were promoted to management, and a new inexperienced developer was brought in to replace him [No evidence to support there are any female developers involved here. Are females smart enough to stay out of this field or are they never born with the 'Knack' (Dilbert[TM] reference)?]. Any developer that wanted to keep doing development, because they enjoyed it, was seen as lazy by the culture for not getting promoted to management.

The developers always wanted to know "the fastest way" to do something and had no interest in learning "the best way" to do something.

In the end the company did ship Cellphones that somehow did work. Is that all that matters? I hope not... Is this one company representative of all development in China? I hope not...

Hopefully this move by Altium will drive a lot more interest to Open Source packages like gEDA and PCB.

Changing subjects a bit, I spent a bit of time with Dave Jones at Renesas Devcon 2010. Dave kept insisting that I looked exactly like Altium's CEO Nick Martin. Actually I thought Nick looked like my father.

In Q2 of 2011 I was planning on designing in some Renesas Micros. Now with the earthquake in Japan and the ongoing after-shocks that have been predicted could continue for a year or more, designing in any Japan based part does not seem like a prudent business move. What do you think?