Disclaimer

The content of this blog is my personal opinion only. Although I am an employee - currently of Nvidia, in the past of other companies such as Iagination Technologies, MIPS, Intellectual Ventures, Intel, AMD, Motorola, and Gould - I reveal this only so that the reader may account for any possible bias I may have towards my employer's products. The statements I make here in no way represent my employer's position, nor am I authorized to speak on behalf of my employer. In fact, this posting may not even represent my personal opinion, since occasionally I play devil's advocate.

See http://docs.google.com/View?id=dcxddbtr_23cg5thdfj for photo credits.

Monday, March 07, 2016

Sharing paalettes/UIX between different devices

I bought a refurbished iPad mini, and am currently using Quadro with both iPhone and iPad. This is good.

What is not good is that I cannot copy or move palettes friom iPhone to iPad.  I cannot even share, via the insecure sharing facility.  (If I try to share, I get told "incompatible device').

Now, I know that the GUI properties are different. The iPad has a bigger screen, etc.  But function code should be identical, and also colors.  Possibly icons would be different, but one can hope that that may npt be the case.

But I was hoping that I would be at least able to have the iPhone palettes on the iPad, as a starting point.

Unfortunately, it looks like I will have to recreate every function, every pad design and color, from scratch.   

This sucks, and is a very big reason why I have written my own UIX extender - or, rather, ported an old UIX that I wrote ears ago to Mac's GUI scripting.    Mine is not as pretty as Quadro, but it allows backup, reuse, and version control.

Quadro says:

DisclaimerAlthough we are already working on a better multi-device palette support, which will have different modes and automatic management for the pads layout, for the moment it's still up to you to create palettes that span across multiple devices.


I get this.  But I want to emphasize that Quadro should add the ability to copy pads, with functions, colors, labels, and possibly icons, between different devices as soon as possible.   Do not delay that for more complete automatic management, etc.

I say again:  not having the ability to reuse pads between different devices is a veery big reason not to use Quadro at all.

---

As for different GUI properties:

The iPhone app "Keypad" allows a keypad layout to be scrolled horizontally and vertically   This allows reuse between portrait and landscape rotations on the phone.


Security Implications of Sharing Palettes · Quadro

Quadro - UI extension software that allows an iPhone or iPad to be used as a touchscreen extension for a Mac or Windows PC, with common commands mapped to touchscreen "pads" - allows the "palettes" of macro-pad-definitions to be shared.



It looks like a shared pad is visible to the entire web.



I hope not writeable...



I, and Quadro, really need to think about the security implications of such promiscuous sharing.



Obviously should not share any palette definitions that contain passwords, e.g. passwords to log into ... wifi nets, apps, etc.



Perhaps slightly less obvious, but should be apparent to anyone who thinks in the slightest about security and privacy: palette/pads that automatically save to particular folders, e.g. in email or  web browser, may themselves be security/privacy exposures:  the very NAME of the folder corresponding to a company-secret project may be a secret.   Or, similarly, the fact that an engineer is doing web.research on a particular topic may disclose new product directions.



Similarly, many companies dislike having employee email addresses unnecessarily exposed.  So palette/pad shortcuts that forward to particular email addresses are an exposure.



If you don't like thinking about company security, think about personal privacy. Imagine that the user is researching some deeply private and/or embarrassing medical condition.



---



Is this a real risk?   Well, the unique part of the URL that is provided for sharing seems to be no more than 5 ascii letters - and possibly less.  E.g. 5*8=40 bits of (in)security.  Quite likely to be brute forceable,



Q: does Quadro have an intrusion detection system, looking for bad guys probing all combinations of 5 ascii letters?



---



What happens if you have accidentally shared a palette with a password or other sensitive information?  



I cannot see any way to delete a shared palette from the Quadro company servers once it has been shared.



---



Wishlist:  allow a user to tag particular pads as being sensitive, unshareable.  And prevent any palettes holding such a tainted pad from being shared.



But the main wishlist would be to use much longer URLs, long enough to discourage brute force attacks.   Possibly with length selectable - short URLs for sharing of non-sensitive palettes, long URLs for sharing of sensitive palettes (at the cost of being much harder to type).



With the wsih after that being to do proper challenge/response,





---



How to cope with the insecurity of this palette sharing?



The only thing that I can really imagine is to try to be ver strict about